Re: [Discuss] Support zones for Aries RSA. Also related to cloud support

2016-09-22 Thread Christian Schneider
On 22.09.2016 13:32, Timothy Ward wrote: On 22 Sep 2016, at 12:16, Christian Schneider wrote: There is one thing I am missing in your description. How do you configure the proxy server that provides the secure endpoint? I think the typical production approach will

Re: [Discuss] Support zones for Aries RSA. Also related to cloud support

2016-09-22 Thread Timothy Ward
> On 22 Sep 2016, at 12:16, Christian Schneider wrote:
>
> I think the model I described can be more secure as only the proxy needs access to the intranet but I clearly see the need for both approaches as you correctly stated that my approach is more complex.

Re: [Discuss] Support zones for Aries RSA. Also related to cloud support

2016-09-22 Thread Christian Schneider
I think the model I described can be more secure as only the proxy needs access to the intranet, but I clearly see the need for both approaches as you correctly stated that my approach is more complex. I agree about the proposed changes in Topology Manager and ZooKeeper discovery. They should

Re: [Discuss] Support zones for Aries RSA. Also related to cloud support

2016-09-22 Thread Timothy Ward
Hi Christian, This is very nearly the approach that I suggested, but it adds an additional zone into the mix which I think is unnecessary, and I feel that hides the fact that exactly the same security concerns exist with it. In the layout that you’ve drawn the backend server publishes a

Re: [Discuss] Support zones for Aries RSA. Also related to cloud support

2016-09-22 Thread Christian Schneider
So let's think about a practical example. We want to expose a REST service that is visible to the inside via its direct URL on the server that exposes the service and also via a proxy server where this service will have a different URL. So the server side topology manager would detect that the

Re: [Discuss] Support zones for Aries RSA. Also related to cloud support

2016-09-21 Thread Timothy Ward
Hi Christian, From an RSA perspective this is a Topology Management issue, not a discovery issue. Services should be exposed by the Distribution Provider with multiple ExportRegistrations (and hence multiple EndpointDescriptions), one for the “internal” URL and one for the “proxied” URL. The

[Discuss] Support zones for Aries RSA. Also related to cloud support

2016-09-19 Thread Christian Schneider
I just had a discussion with Panu Hämäläinen about the DiscoveryPlugin mechanism. See https://issues.apache.org/jira/browse/ARIES-1613 and https://issues.apache.org/jira/browse/ARIES-1614 . What he needs is to have two zones of services, a backend zone and a frontend zone. The (or some)