WIXLIB

Overview of UrbanCode Deploy securityVersion 6.0Revised 3/27/2020Overview of UrbanCode Deploy securityi

Overview of UrbanCode Deploy securityVersion 6.0Revised 3/27/2020Before you use this information and the product it supports, read the information in "Notices" onpage 26. Copyright International Business Machines Corporation 2020.US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADPSchedule Contract with IBM Corp.ii

Overview of UrbanCode Deploy securityVersion 6.0Revised 3/27/2020ContentsIntroduction . 1Overview of UrbanCode Deploy architecture . 1Topologies . 2Core topology.2Multi-region topology .2High-availability clustered topologies .3Disaster recovery topologies .4Blueprint design topology .5Server security . 6TLS technology . 7How TLS works .7TLS mutual authentication .7Other features . 8Tokens 8CodeStation .9Server-agent communication . 9JMS communications . 10End-to-end JMS encryption .10Mutual authentication . 10HTTP/HTTPS server-agent communication . 11Agent verification of server certificate for HTTPS communication .11Securing user-created properties . 12Agents . 13Plug-ins . 14Minimum agent permissions . 14Agent user impersonation . 14Impersonation on Linux/Unix .14Impersonation on Windows .15z/OS agents . 15Agent relays . 15Agent relay artifact caching. 16Agent relays and firewalls . 17Clients . 17Command-line client (CLI) . 17iii

Overview of UrbanCode Deploy securityVersion 6.0Revised 3/27/2020REST API . 18Authenticating for REST commands. 18User security model . 18Permissions and security resource types . 19Roles . 19Teams . 19Security resources . 19Authorization and authentication realms . 19Security reports . 20Appendices . 20Key stores and trust stores . 20Key stores used for JMS communication .20Keys stores used for HTTPS communication .21Sharing secured properties among servers .21Supported TLS protocols and ciphers . 21Description of systems . 21Index . 24Notices . 26Trademarks . 28iv

Overview of UrbanCode Deploy securityVersion 6.0Revised 3/27/2020IntroductionThis document describes the UrbanCode Deploy security features. It highlights core elementsand examines the available options. The paper also discusses typical architectural topologies andcommunication protocols.Links to related information in the Knowledge Center are provided are provided through thepaper.Overview of UrbanCode Deploy architectureUrbanCode Deploy uses a client-server model with a network of agents and relays thatcommunicate with target systems. The server provides the web-based front-end and coreservices, such as workflow, agent management, and security. Services can be consumed byclients and agents or other services. Deployments are orchestrated by the server and performedby agents distributed throughout the network. Clients access the server through web browsers,the REST API, or the command-line client.Server-agent communication is done with Java Message Service (JMS) and HTTPS protocols.JMS agent is an earlier type, where JMS protocol is used for basic commands and informationthat is exchanged between the server and an agent. HTTPS protocol is used for file transfersbetween the server and agents, such as uploading or downloading component version artifacts.Introduced with UrbanCode Deploy 7.0.0 version, Web agents allows you to use theWebSocket protocol, which is a bi-directional, point-to-point message protocol. WebSocketconnections start as HTTP requests and upgrade to WebSocket protocol.Many services use representational state transfer (REST). REST services are web services thattransfer resources over HTTPS. Resources are transferred by a self-describing format such asXML or JSON (JavaScript Object Notation). The XML and JSON representations typicallymodel resource states at the time of agent and client requests. REST-style services achievestatelessness by ensuring that requests include all the data needed by the server to make acoherent response.The data tier's relational database stores configuration and run-time data. In general, youconfigure security for the database on the database server, not in UrbanCode Deploy. UrbanCodeDeploy communicates with the database by using the Java Database Connectivity (JDBC). Thedata tier's file store, CodeStation, contains versioned artifacts. Reporting tools can connectdirectly to the relational database.1

Overview of UrbanCode Deploy securityVersion 6.0Revised 3/27/2020TopologiesUrbanCode Deploy typically includes a server and one or more agents. You can configuremultiple topologies, including ones that use high availability, containerized servers running inIBM Cloud Private, Blueprint Designer, and disaster recovery to meet your needs.Core topologyThe core installation of UrbanCode Deploy includes a server, agents, database, and a licenseserver. Clients access the server through web browsers, the REST API, or the command-lineclient. Agents can be installed on cloud environments, virtual machines (VMs), containers, orphysical systems. With this topology, the server can create environments on clouds that usevirtual system patterns (VSPs), such as IBM Cloud Orchestrator and IBM PureApplication System. To create environments on other clouds such as Amazon Web Services, SoftLayer ,VMware vCenter, and Microsoft Azure, you must install the blueprint design server and at leastone engine, as described in the blueprint design topologies.Figure 1 illustrates the core topology.Figure 1. Core topologyMulti-region topologyIf your environment has multiple security zones that are divided by firewalls, you can use agentrelays to connect agents to the server through the firewalls. You can install an agent relay outsidethe firewall to allow agents on those environments to connect to the server through the firewall,as shown in Figure 2.2

Overview of UrbanCode Deploy securityVersion 6.0Revised 3/27/2020Figure 2. Multi-region topologyRemote agents open connections to the agent relay. Agents in the same network as the servercontinue to communicate directly to the server.High-availability clustered topologiesHigh-availability topologies use multiple servers. These servers can all be running at the sametime to share the load (as in a clustered topology), or they can be waiting for another server tofail (as in a cold standby topology).3

Overview of UrbanCode Deploy securityVersion 6.0Revised 3/27/2020Typically, customers who employ a clustered topology use a load balancer to distribute work.Users connect directly to the load balancer, which sends them to an active server. When usingHTTP or HTTPS, agents connect to the load balancer. When using JMS, agents connect toservers or relays through a JMS mesh. The servers store their files on a shared database and filesystem.Disaster recovery topologiesOne way to prepare for disaster recovery is to have a cold standby system, including a stoppedserver and a replicated copy of the database and file system. When the primary system fails, thecold standby is brought online and promoted to primary server. Once online, the standbyreestablishes connections with all agents, performs recovery, and proceeds with any queuedprocesses.4

Overview of UrbanCode Deploy securityVersion 6.0Revised 3/27/2020Blueprint design topologyTo work with blueprints on clouds using OpenStack Heat, including OpenStack-based clouds,Amazon Web Services, SoftLayer, VMware vCenter, and Microsoft Azure, you use a topologythat includes the blueprint design server and engine.Installing a standalone engineTo deploy environments to non-OpenStack clouds, such as Amazon Web Services, SoftLayer,VMware, Google Cloud, and Microsoft Azure, you install the blueprint design server and Heatengine through UrbanCode Deploy. The following diagram shows a typical topology for this usecase:5

Overview of UrbanCode Deploy securityVersion 6.0Revised 3/27/2020Extending Heat orchestration enginesTo deploy environments to clouds that are based on OpenStack, you install the blueprint designserver and extend the Heat engine that is associated to the cloud. In this case, you do not use theHeat engine that comes with UrbanCode Deploy. The following diagram shows a typicaltopology for this use case:Server securityUrbanCode Deploy uses several technologies to provide security. Some features cannot bedisabled, such as Transport Layer Security (TLS) for JMS communication. Other features can beconfigured to meet your requirements. Some features are enabled by default, such as end-to-endJMS encryption, while others are disabled by default, such as mutual authentication.6

Overview of UrbanCode Deploy securityVersion 6.0Revised 3/27/2020TLS technologyTLS is a standard technology that secures client-server communication by encryptingcommunication. Data are encrypted before being sent and decrypted by the recipient.Communications cannot be deciphered or modified by third-parties.TLS technology uses digital certificates to secure communications. A digital certificate is acryptographically signed document that combines a cryptographic key with an organization'sfully qualified domain name (FQDN).Digital certificates use public key cryptography which works by using two keys to encrypt anddecrypt messages. The public key is stored in the certificate and is available publicly. Messagesthat are encrypted with the public key can only be decrypted with the private key.Digital certificates and private keys are stored separately in the server’s key store. Agents andagent relays also maintain their own key stores. See “Key stores and trust stores.”How TLS worksWhen the server receives a communication request from a user or agent, the server presents itscertificate to the requestor. If the requestor trusts the certificate, it uses the certificate’s publickey to encrypt session messages. The server then uses its private key to decrypt messagesencrypted with its public key.UrbanCode Deploy automatically uses TLS security for JMS-based communications. TLStechnology is automatically activated when you install an agent relay or before you connect tothe relay. TLS technology cannot be turned off for JMS communication.During installation, you also have the option to use TLS technology for HTTPS communications.Most users implement this option unless they install UrbanCode Deploy for a trial or demo. Ifyou do not implement TLS technology for HTTPS during installation, you can implement itlater.You can also configure agents to verify the server’s identity for HTTPS communication. Thisoption prevents agents from connecting to the server over HTTPS unless the certificate’sCommon Name (CN) matches the host name of the server. See, “Agent verification of servercertificate for HTTPS communication.”TLS mutual authenticationWith mutual authentication, messages are still encrypted but clients are also required toauthenticate themselves by providing digital certificates to the server. In mutual authenticationmode, servers, local agents, and agent relays provide digital certificates to one another.UrbanCode Deploy certificates can be self-signed or be from a trusted certificate authority (CA).7