This page gives a brief overview of how secure requests are made from CloudM Manage to your on-premises directory. In order for CloudM Manage to make requests, you must run the CloudM Manage connector application on your network. The connector application is a servlet-based application that can run on Tomcat or another servlet container.
A request from CloudM Manage consists of a request header, which includes signed authentication information, and a request body of signed XML which contains the encrypted data. The request process flows as follows:
- Action occurs - An action occurs in CloudM Manage which triggers an integration request.
- Request is built - CloudM Manage builds an XML document describing the action, encrypts the data and signs the XML using a private key unique to your organization.
- Request is made - CloudM Manage adds an authentication header to the request, which comprises data unique to the request, and signs the header using a private key stored securely in App Engine.
- Connector receives request - The connector application receives the request and proceeds to verify its authenticity and origin.
- Request verification - If the request is properly formed and contains the fields the connector application is expecting to see, then the connector application makes a request to CloudM Manage for the public certificates used to sign the request.
- Request verified - When the public certificates are obtained, the request authorisation header is verified. If verification succeeds the connector is sure that the request originated from CloudM Manage. Data in the header also ensures that the request was made within a small time window.
- XML signature is verified - The XML signature is now verified using a different key from the one used to sign the authorisation header. This ensures that the data contained within the request has not been tampered with.
- XML data is decrypted - The data within the XML is decrypted using a secret that is shared between CloudM Manage and the connector application. At this stage the connector is ready to make changes to your directory based on the information contained within the request.
- Directory update is performed - Modifications are made to your directory based on the data contained in the request. Users can be created, updated, moved or otherwise manipulated.
- CloudM Manage is notified of the result - The connector application sends a response to CloudManager indicating the success or failure of the request. This is logged in CloudM Manage and email notifications are sent to your administrator if required.
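The flow above, modelled end to end as an added example (this is illustrative code written for this page, not CloudM's connector or App Engine code). `BuildRequest` plays the CloudM Manage side and `VerifyRequest` plays the connector side, checking in the page's order: header signature, time window, XML signature, then decryption. Several details are assumptions made for the example: Ed25519 public keys stand in for the public certificates the connector fetches, AES-256-GCM stands in for the payload encryption, the `<request><data>…</data></request>` document is a minimal stand-in for the real XML, and the `Nonce` field and the `|`-joined header message are hypothetical layouts, not the actual header format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Request carries the two signed parts described on the page: an authentication
// header (timestamp, nonce, signature) and a signed XML body whose <data>
// element holds the encrypted payload. Field names are assumptions.
type Request struct {
	Timestamp int64  // Unix seconds; bounds the accepted time window
	Nonce     string // hypothetical per-request value bound into the header
	HeaderSig []byte // signature made with the App Engine header key
	BodyXML   string // e.g. <request><data>BASE64</data></request>
	BodySig   []byte // signature made with the organisation's XML key
}

// headerMessage is the byte string the header signature covers. Including the
// body hash binds the header to this exact body (assumed layout).
func headerMessage(ts int64, nonce, bodyXML string) []byte {
	h := sha256.Sum256([]byte(bodyXML))
	return []byte(fmt.Sprintf("%d|%s|%s", ts, nonce, hex.EncodeToString(h[:])))
}

// newGCM builds an AES-GCM AEAD from the 32-byte shared secret.
func newGCM(secret []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(secret)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptData returns base64(nonce || ciphertext || tag) for the payload.
func encryptData(secret, plaintext []byte) (string, error) {
	gcm, err := newGCM(secret)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, plaintext, nil)), nil
}

// decryptData reverses encryptData; the GCM tag rejects any modified ciphertext.
func decryptData(secret []byte, encoded string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(secret)
	if err != nil {
		return nil, err
	}
	if len(raw) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
}

// BuildRequest plays the CloudM Manage side: encrypt the action, sign the XML
// with the organisation key, then sign the header with the separate header key.
func BuildRequest(headerPriv, bodyPriv ed25519.PrivateKey, secret []byte, action string, now time.Time) (Request, error) {
	enc, err := encryptData(secret, []byte(action))
	if err != nil {
		return Request{}, err
	}
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return Request{}, err
	}
	body := "<request><data>" + enc + "</data></request>"
	req := Request{Timestamp: now.Unix(), Nonce: hex.EncodeToString(nonce), BodyXML: body}
	req.BodySig = ed25519.Sign(bodyPriv, []byte(body))
	req.HeaderSig = ed25519.Sign(headerPriv, headerMessage(req.Timestamp, req.Nonce, body))
	return req, nil
}

// VerifyRequest plays the connector side. It returns the decrypted action only
// if origin, freshness and integrity all check out, each with a distinct error.
func VerifyRequest(req Request, headerPub, bodyPub ed25519.PublicKey, secret []byte, now time.Time, window time.Duration) ([]byte, error) {
	if !ed25519.Verify(headerPub, headerMessage(req.Timestamp, req.Nonce, req.BodyXML), req.HeaderSig) {
		return nil, errors.New("header signature invalid: request did not originate from CloudM Manage")
	}
	if age := now.Sub(time.Unix(req.Timestamp, 0)); age < -window || age > window {
		return nil, errors.New("request outside the accepted time window")
	}
	if !ed25519.Verify(bodyPub, []byte(req.BodyXML), req.BodySig) {
		return nil, errors.New("XML signature invalid: body was tampered with")
	}
	start, end := strings.Index(req.BodyXML, "<data>"), strings.Index(req.BodyXML, "</data>")
	if start < 0 || end < start {
		return nil, errors.New("malformed body: missing <data> element")
	}
	return decryptData(secret, req.BodyXML[start+len("<data>"):end])
}

func main() {
	headerPub, headerPriv, _ := ed25519.GenerateKey(rand.Reader) // stands in for the App Engine key pair
	bodyPub, bodyPriv, _ := ed25519.GenerateKey(rand.Reader)     // stands in for the organisation key pair
	secret := sha256.Sum256([]byte("constructed shared secret")) // constructed sample secret
	req, err := BuildRequest(headerPriv, bodyPriv, secret[:], "createUser:alice", time.Now())
	if err != nil {
		panic(err)
	}
	action, err := VerifyRequest(req, headerPub, bodyPub, secret[:], time.Now(), 5*time.Minute)
	fmt.Printf("action=%q err=%v\n", action, err)
}
```

Note the separation of concerns the page relies on: a stale or replayed request fails at the time-window check even though both signatures are valid, a body altered in transit fails the signature checks before any decryption is attempted, and a request signed by anyone other than the holder of the header key is rejected before the organisation key is consulted at all.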