FORTRESS is a standards-based access management system, written in Java, that provides role-based access control, delegated administration and password policy services with LDAP.
What's in it?
Included are the following components:
- Core - Java Access Management SDK
- Realm - Java EE security for Apache Tomcat
- Rest - HTTP protocol wrappers for the APIs
- Web - HTML pages for the APIs
It's released under terms of the Apache License 2.0.
How Does It Work?
To learn, check out the quickstarts:
- README-QUICKSTART-APACHEDS.md - Install Core for use with APACHEDS
- README-QUICKSTART-SLAPD.md - Install Core for use with OPENLDAP
- REALM-HOST-SETUP.md - Configure Tomcat Global Security using Realm
- REALM-CONTEXT-SETUP.md - Configure Tomcat Local Security using Realm
- README-QUICKSTART.md - Install Fortress Rest to Tomcat
- README-QUICKSTART.md - Install Fortress Web to Tomcat
- README-MULTITENANCY.md - How Fortress Multitenancy works
- README-CONFIG.md - How the Fortress Config subsystem works
What technologies are at play?
Fortress products run on open system hardware and software platforms supporting LDAPv3, HTTP & Java.
What standards apply?
The following standards are implemented...
ANSI Role-Based Access Control (INCITS 359)
There is more to RBAC than assigning users to groups and applying ACL policies within directories or databases. RBAC systems provide selective Role activation/deactivation, role hierarchies, and constraints over separation of duty. The RBAC component provides APIs to add, update, delete, and search the directory data.
More info can be found on the Intro to ANSI RBAC page.
Java EE Platform (tm) Security
Used for SSL, X.509 mutual authentication, form-based container authentication, authorization and SSO. Works within compliant Java Web apps like Fortress Rest and Web.
The ARBAC model explains how RBAC can be extended with organizational controls to govern policies regarding the security administration process. ARBAC helps by allowing administrative tasks to be delegated to end users who fall outside typical datacenter operations.
IETF Password Policies
OpenLDAP has supported this draft since 2005. Fortress builds on this by integrating the policies with its administrative and access control APIs. These APIs enable outside apps to participate in and manipulate OpenLDAP password policies without understanding the specifics of how they work. Fortress provides services for setting up new policies and ensuring password policies are tracked and enforced across all avenues.
Fortress audits use OpenLDAP's slapd access log overlay.
The Fortress audits rely on slapd events to track the data exchanges performed within its own APIs. Change event tracking includes adds, updates, and deletes of Fortress entities. Read and search events tracked include user authentication, authorization, and policy interrogations. Full historical data change tracking is maintained and may be searched later with APIs for monitoring, reporting, and undo. The log may also be retrieved later to sync with an outside database for long-term regulatory and compliance concerns.
The Fortress Temporal model allows Users and Roles to carry time and date Constraints which govern when activations may occur. Role constraints are checked on every call into Fortress. The user constraint is applied only at session creation.
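The following is an added illustration of the temporal model just described and of the role activation mentioned under ANSI RBAC above; it is not Fortress code. The constraint field formats (HHMM times, YYYYMMDD dates, a day mask of digits 1..7 with 1 = Sunday) and the sample policy are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime

# Illustration only, not Fortress code; field formats below are assumed.
@dataclass
class Constraint:
    begin_time: str = ""   # earliest time of day, "HHMM"; "" means unrestricted
    end_time: str = ""     # latest time of day, "HHMM"
    begin_date: str = ""   # first valid date, "YYYYMMDD"
    end_date: str = ""     # last valid date, "YYYYMMDD"
    day_mask: str = ""     # permitted weekdays as digits 1..7 (1 = Sunday); "" means every day

def constraint_allows(c: Constraint, now: datetime) -> bool:
    """True if an activation governed by constraint c is permitted at time `now`."""
    hhmm = now.strftime("%H%M")
    ymd = now.strftime("%Y%m%d")
    day = str((now.weekday() + 1) % 7 + 1)   # Python Monday=0 -> Sunday=1 numbering
    if c.begin_time and hhmm < c.begin_time:
        return False
    if c.end_time and hhmm > c.end_time:
        return False
    if c.begin_date and ymd < c.begin_date:
        return False
    if c.end_date and ymd > c.end_date:
        return False
    if c.day_mask and day not in c.day_mask:
        return False
    return True

def create_session(user_constraint, role_constraints, now):
    """The user constraint is evaluated once, here; roles whose constraint holds are activated."""
    if not constraint_allows(user_constraint, now):
        raise PermissionError("user constraint denies session creation")
    return {role for role, c in role_constraints.items() if constraint_allows(c, now)}

def check_access(session, role_constraints, role, now):
    """Role constraints are re-checked on every call, so an activated role can lapse mid-session."""
    return role in session and constraint_allows(role_constraints[role], now)

# Constructed sample policy: tellers work weekdays 08:00-17:00, auditors are unrestricted,
# and the user account itself is valid only during 2024.
ROLES = {
    "Bank_Teller": Constraint(begin_time="0800", end_time="1700", day_mask="23456"),
    "Auditor": Constraint(),
}
USER = Constraint(begin_date="20240101", end_date="20241231")

if __name__ == "__main__":
    session = create_session(USER, ROLES, datetime(2024, 3, 12, 9, 30))  # Tuesday morning
    print(sorted(session))                                              # ['Auditor', 'Bank_Teller']
    print(check_access(session, ROLES, "Bank_Teller", datetime(2024, 3, 12, 18, 0)))  # False
```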
ANSI RBAC Policy-Enhanced (INCITS-494-2012)
What services are available?
Over one hundred services divided across the Manager components.
A description of these managers follows, along with their associated javadoc links that describe the APIs...
- AccessMgr.html - Performs runtime access control operations on objects that are provisioned RBAC entities residing in the LDAP directory.
- AdminMgr.html - Performs administrative functions to provision Fortress RBAC entities into the LDAP directory.
- ReviewMgr.html - The review functions on RBAC entities in LDAP.
- DelAccessMgr.html - Runtime delegated access control operations on objects that are provisioned Fortress ARBAC entities that reside in LDAP.
- DelAdminMgr.html - Policy administration of Fortress ARBAC entities in LDAP.
- DelReviewMgr.html - Policy review ops of ARBAC entities in LDAP.
PW Policies Manager
- PwPolicyMgr.html - Used to perform admin and review functions on the PWPOLICIES data sets.
- AuditMgr.html - Methods used to search OpenLDAP's slapd access log for Fortress events.
- ConfigMgr.html - CRUD methods used to manage properties stored within LDAP.
Where is it?
Source is managed in Apache's Git repo: