Introduction – WHY b2bsys
- Any (REST) service of a B2B application hosted in the B2X-Appl-Zone can be configured on the b2bsys reverse proxies to be accessible from the Internet, the B2X-Appl-Zone, the Intranet and/or PFN.
- No matter where the request comes from, it always carries the same authentication tokens; this applies to both system access and web browser access. A B2B application therefore does not have to implement different authentication mechanisms for system access and human access.
- Cloud applications and other externally hosted applications (e.g. software as a service, SaaS) need to communicate with applications hosted in the classic B2B environment. Different services already exist, but until now they have only been available inside the application network zone (B2X-Appl-Zone). b2bsys is a proxy that makes these services accessible to external applications.
- Applications inside the B2X-Appl-Zone also have the security requirement to use Mutual-SSL when connecting to other services. b2bsys will be the B2B access point for this inside the application network zone.
Authentication / Security
Because b2bsys is reachable from the Internet, there are strict requirements for authentication and encryption:
- direction only from the (external) application to b2bsys; no communication is initiated by b2bsys
- only TLSv1.2
- only client certificates signed by VW-CA-ROOT-05 are accepted (the Volkswagen PKI CA certificates can be downloaded from certdist.volkswagen.de)
- Mutual-SSL is always required, but two different kinds of certificates are accepted by b2bsys:
  - VW PKI certificates belonging to a real person or a system user (Soft-PSE). Here b2bsys matches the certificate directly to an LDAP entry. This should be the standard setup for system-to-system communication.
  - VW certificates belonging to DNS entries (server certificates that are also usable for client authentication). Here b2bsys initiates a basic auth handshake to obtain a userid that has to match an LDAP entry. This should only be used if it is not possible to assign a separate system user with a Soft-PSE to each client application (e.g. ASIC). A use case for this kind of connection could be a library or fat client that is delivered with a bundled certificate for the mutual SSL connection; the user is identified by basic auth. Nice feature: the library or fat client has to be renewed before the bundled certificate expires.
- A JWT identity token is added to each request where authentication is required. This token can be evaluated and verified by attached backends (e.g. the B2B-UMS Info Bean needs this token).
- Which system user is authorized to access which service depends on its B2B-K-LDAP resources. The B2B-K-LDAP resources depend directly on Solutions or Assignable Roles in B2B-UMS, so access is granted or revoked by granting or revoking roles in B2B-UMS.
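As an added example (not b2bsys project code), a Python client that applies the rules above: TLSv1.2 only, server verification against the VW CA bundle with hostname check, Mutual-SSL with either a Soft-PSE or a DNS-entry certificate, and the basic auth header only for the DNS-entry case. The CA bundle file name, the credentials and the service path are assumptions; the real service path comes from the respective service's documentation.

```python
import base64
import json
import ssl
from http.client import HTTPSConnection
from typing import Dict, Optional

# Constructed file name: a local copy of the VW-CA-ROOT-05 chain (certdist.volkswagen.de).
CA_BUNDLE = "vw-ca-root-05-chain.pem"


def b2bsys_context(ca_bundle: Optional[str] = CA_BUNDLE,
                   client_cert: Optional[str] = None,
                   client_key: Optional[str] = None) -> ssl.SSLContext:
    """TLS settings matching the b2bsys rules: TLSv1.2 only, server certificate
    verified against the VW CA with hostname check, client certificate for Mutual-SSL."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED and check_hostname by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2   # the proxy accepts TLSv1.2 only
    if ca_bundle:
        ctx.load_verify_locations(cafile=ca_bundle)  # without a bundle the handshake fails closed
    if client_cert:  # Soft-PSE of the system user, or a DNS-entry server certificate
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def auth_headers(cert_kind: str, userid: Optional[str] = None,
                 password: Optional[str] = None) -> Dict[str, str]:
    """Soft-PSE certificates are matched to an LDAP entry by b2bsys itself; only a
    DNS-entry (server) certificate needs the additional basic auth handshake."""
    if cert_kind == "soft-pse":
        return {}
    if cert_kind == "dns-entry":
        if not (userid and password):
            raise ValueError("DNS-entry certificate requires userid and password for basic auth")
        token = base64.b64encode(f"{userid}:{password}".encode()).decode()
        return {"Authorization": f"Basic {token}"}
    raise ValueError(f"unknown certificate kind: {cert_kind}")


def call_service(host: str, path: str, ctx: ssl.SSLContext, headers: Dict[str, str]) -> dict:
    """GET a proxied service and decode its JSON body; raises on any non-200 answer."""
    conn = HTTPSConnection(host, 443, context=ctx, timeout=30)
    conn.request("GET", path, headers={"Accept": "application/json", **headers})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    if resp.status != 200:
        raise RuntimeError(f"{host}{path} answered HTTP {resp.status}")
    return json.loads(body)
```

A Soft-PSE call against the QSI stage would be `call_service("b2bsys-qsi.vwgroup.com", "/<service-path>", b2bsys_context(CA_BUNDLE, "system-user.pem", "system-user.key"), auth_headers("soft-pse"))`, with the assumed file names replaced by the real Soft-PSE files.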
Certificates
The B2BSYS proxy uses different certificates on the client and server side; see B2BSYS X.509 certificate setup.
Available (planned) Stages
| DNS (classic) | Stage | Zone | State | DNS (Split-IP) |
|---|---|---|---|---|
| b2bsys-prod.vwgroup.com 2) | productive | Internet | running | b2bsys-prod.vwgroup.com |
| b2bsys-prod.vw.vwg | productive | Intranet | running | b2bsys-prod.vwgroup.com 1) |
| b2bsys-prod.pfn.vwg | productive | PFN | running | b2bsys-prod.vwgroup.com 1) |
| b2bsys-prod.b2x.vwg | productive | B2X-Appl-Zone-2 | running | b2bsys-prod.vwgroup.com 1) |
| b2bsys-pl.vw.vwg | PL | Intranet | running | b2bsys-pl.vwgroup.com 1) |
| b2bsys-pl.qs2x.vwg | PL | QS2X-Appl-Zone-2 | running | b2bsys-pl.vwgroup.com 1) |
| b2bsys-qsi.vwgroup.com 2) | QSI | Internet | running | b2bsys-qsi.vwgroup.com |
| b2bsys-qsi.vw.vwg | QSI | Intranet | running | b2bsys-qsi.vwgroup.com 1) |
| b2bsys-qsi.qs2x.vwg | QSI | QS2X-Appl-Zone-2 | running | b2bsys-qsi.vwgroup.com 1) |
| b2bsys-ti.vw.vwg | Test-Integration | Intranet | running | b2bsys-ti.vwgroup.com 1) |
| b2bsys-dev.vw.vwg:11441 | Development | Intranet | upcoming | b2bsys-dev.vwgroup.com 1) |
1) Split-IP DNS is a future feature that is not available yet, so currently the classic DNS entries have to be configured.
2) Not registered in the proxy.pac of Volkswagen browsers, so access via browser is only possible from the Internet.
Available Services
Not every service is intended to be available in every zone.
| Service | available in Zone | Comment |
|---|---|---|
| ASIC | Intranet, Internet | PPS-ASIC (Simple-X) FAT-Client |
| B2B-UMS | every | UMSInfo-Services 3) |
| GFC | Intranet, B2X-Appl-Zone | GroupFindCore Rest-API |
| GLOBE | Intranet | Backend for GlobalSourcing FAT-Client |
| GOCAT | every | Translation Service - only Core-API |
| HAMON | every | Halbleiterdatenbank Rest-API |
| KPMQDX | Intranet, Internet | Konzernproblemmanagement QDX Rest-API |
| LDBWS | every | Supplier Company Data |
| LIVAS | every | Literaturverarbeitung FAT-Client |
| LKWControl | Internet | only lkwcx<ID> Services |
| Odis Creator | Intranet | FAT-Client |
| PPS | Intranet, B2X-Appl-Zone, PFN | Document- and MailerService |
| SDLTRADOS | every | Translation Service |
| STAR & MMSTAR | Intranet | STAR Services |
| SUDOCUWS | Intranet, B2X-Appl-Zone | Supplier Documents |
3) The system property value for de.volkswagen.ums.info.environment does not change, but the new UMSInfo-Bean (Version 4.0 and newer) will have an additional initializer to attach b2bsys via mutual SSL.