This page gives a brief overview of how secure requests are made from CloudManager to your on-premises directory. For CloudManager to make requests, you must run the CloudManager connector application on your network. The connector is a servlet-based application that can run on Tomcat or another servlet container.
A request from CloudManager consists of a request header, which includes signed authentication information, and a request body of signed XML that contains the encrypted data. The request process flows as follows:
- Action occurs - an action occurs in CloudManager which triggers an integration request.
- Request is built - CloudManager builds an XML document describing the action, encrypts the data and signs the XML using a private key unique to your organization.
- Request is made - CloudManager adds an authentication header to the request, which comprises data unique to the request, and signs the header using a private key stored securely in App Engine.
- Connector receives request - the connector application receives the request and proceeds to verify its authenticity and origin.
- Request verification - if the request is properly formed and contains the fields the connector application expects to see, the connector application makes a request to CloudManager for the public certificates used to sign the request.
- Request verified - once the public certificates are obtained, the request authentication header is verified. If verification succeeds, the connector can be sure that the request originated from CloudManager. Data in the header also ensures that the request was made within a small time window.
- XML signature is verified - the XML signature is now verified using a different key from the one used to sign the authentication header. This ensures that the data contained within the request has not been tampered with.
- XML data is decrypted - the data within the XML is decrypted using a secret that is shared between CloudManager and the connector application. At this stage the connector is ready to make changes to your directory based on the information contained within the request.
- Directory update is performed - modifications are made to your directory based on the data contained in the request. Users can be created, updated, moved or otherwise manipulated.
- CloudManager is notified of the result - the connector application sends a response to CloudManager indicating the success or failure of the request. This is logged in CloudManager, and email notifications are sent to your administrator if required.
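The steps above, from building the request through header verification, time-window check, XML signature verification and decryption, as an added example in Go. This is not CloudManager's or the connector's own code (the real connector is a Java servlet application) and it makes several assumptions the page does not state: the header layout `ts=<unix>;digest=<sha256 of body>`, RSA-PSS with SHA-256 for both signatures, AES-256-GCM for the shared-secret encryption, a 5-minute window, and locally generated keys standing in for the App Engine key, the organisation key and the public certificates that the real connector fetches from CloudManager (the fetch itself is not modelled; the verifier is simply handed the public keys). The `createUser` action and `uid=alice` payload are constructed sample data.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Request is the two-part message: header layout "ts=<unix>;digest=<base64 sha256 of body>" is assumed.
type Request struct {
	Header    string // data unique to the request, signed with the App Engine key
	HeaderSig []byte // RSA-PSS signature over Header
	Body      []byte // XML document, signed with the organisation key
	BodySig   []byte // RSA-PSS signature over Body
}

// envelope is the XML body: the action plus base64(AES-GCM nonce||ciphertext).
type envelope struct {
	Action string `xml:"action"`
	Data   string `xml:"data"`
}

const maxSkew = 5 * time.Minute // assumed width of the "small time window"

func sign(key *rsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, key, crypto.SHA256, h[:], nil)
}
func verify(pub *rsa.PublicKey, msg, sig []byte) error {
	h := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil)
}
func aead(secret []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(secret)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
func fail(msg string) (string, string, error) { return "", "", errors.New(msg) }

// NewMaterial generates stand-ins (constructed for this example) for the organisation key,
// the App Engine header key and the 32-byte shared secret.
func NewMaterial() (orgKey, headerKey *rsa.PrivateKey, secret []byte, err error) {
	secret = make([]byte, 32)
	if _, err = rand.Read(secret); err != nil { return }
	if orgKey, err = rsa.GenerateKey(rand.Reader, 2048); err != nil { return }
	headerKey, err = rsa.GenerateKey(rand.Reader, 2048)
	return
}

// BuildRequest is the CloudManager side: encrypt the data, sign the XML with the
// organisation key, then sign a header bound to this body with the App Engine key.
func BuildRequest(orgKey, headerKey *rsa.PrivateKey, secret []byte, action, data string, now time.Time) (*Request, error) {
	g, err := aead(secret)
	if err != nil { return nil, err }
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	ct := g.Seal(nonce, nonce, []byte(data), nil) // nonce is prepended to the ciphertext
	body, err := xml.Marshal(envelope{Action: action, Data: base64.StdEncoding.EncodeToString(ct)})
	if err != nil { return nil, err }
	bodySig, err := sign(orgKey, body)
	if err != nil { return nil, err }
	digest := sha256.Sum256(body)
	hdr := fmt.Sprintf("ts=%d;digest=%s", now.Unix(), base64.StdEncoding.EncodeToString(digest[:]))
	hdrSig, err := sign(headerKey, []byte(hdr))
	if err != nil { return nil, err }
	return &Request{Header: hdr, HeaderSig: hdrSig, Body: body, BodySig: bodySig}, nil
}

// VerifyRequest is the connector side, in the order the page gives: header signature and
// time window (origin), XML signature (integrity), then decryption. Every check fails closed.
func VerifyRequest(req *Request, orgPub, headerPub *rsa.PublicKey, secret []byte, now time.Time) (action, data string, err error) {
	fields := map[string]string{}
	for _, kv := range strings.Split(req.Header, ";") {
		if k, v, ok := strings.Cut(kv, "="); ok { fields[k] = v }
	}
	if verify(headerPub, []byte(req.Header), req.HeaderSig) != nil { return fail("header signature invalid") }
	ts, err := strconv.ParseInt(fields["ts"], 10, 64) // a missing ts field fails here as well
	if d := now.Sub(time.Unix(ts, 0)); err != nil || d > maxSkew || d < -maxSkew { return fail("timestamp missing, malformed or outside allowed window") }
	digest := sha256.Sum256(req.Body)
	if base64.StdEncoding.EncodeToString(digest[:]) != fields["digest"] { return fail("body does not match signed header digest") }
	if verify(orgPub, req.Body, req.BodySig) != nil { return fail("XML signature invalid") }
	var env envelope
	if xml.Unmarshal(req.Body, &env) != nil { return fail("body is not the expected XML") }
	g, err := aead(secret)
	if err != nil { return "", "", err }
	ct, err := base64.StdEncoding.DecodeString(env.Data)
	if err != nil || len(ct) < g.NonceSize() { return fail("malformed encrypted data") }
	pt, err := g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
	if err != nil { return fail("payload decryption failed") }
	return env.Action, string(pt), nil
}
```

The order of checks matters for the guarantees the page lists: the header signature and timestamp establish origin and freshness before any work is done on the body, the body digest in the signed header ties that header to exactly one request, the XML signature under the separate organisation key establishes integrity, and only then is the shared secret used to decrypt. A request that fails at any stage yields an error and no directory change.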