IBM Sterling Secure Proxy

Sterling Secure Proxy and Sterling External Authentication Server

Sterling Secure Proxy 6.0.x series and Sterling External Authentication Server 6.0.x series deliver features and enhancements that improve security for your organization’s MFT file exchanges and provide containers to simplify hybrid cloud deployments.

Certified containers. Take advantage of certified containers to simplify the deployment of Sterling Secure Proxy and Sterling External Authentication Server on hybrid cloud infrastructures. Sterling Secure Proxy certified containers are built to Kubernetes standards and qualified on the Red Hat OpenShift Container Platform.

Sterling Secure Proxy can be used as a proxy with Sterling File Gateway and other HTTP applications and supports a single sign-on connection. Single sign-on (SSO) provides access control that allows a user to log in once to Sterling Secure Proxy, using the HTTP protocol, and then gain access to Sterling File Gateway without logging in again. SSO bypasses normal user authentication in Sterling File Gateway and trusts that Sterling Secure Proxy has authenticated the user.

After you set up the basic single sign-on configuration, trading partners can communicate in a secure environment that provides authentication. The trading partner first connects to Sterling Secure Proxy which then connects to Sterling File Gateway on behalf of the trading partner.

• you can now pull container images from IBM Entitled Registry. For more information, refer to Downloading the Certified Container Software and Downloading the Docker image.
• You can download helm charts from the IBM repository now. For more information, refer to Downloading the Certified Container Software.
• IBM Certified Container Software will be valid till May 2022.
• Dynamic provisioning support is added in IBM Certified Container Software. For more information refer to Creating storage for Data Persistence and Creating Secrets.
• Licensing and Metering are supported using IBM License Operator. For more information refer to IBM Licensing and Metering service.
• The Port range for adapter support has been extended with this release.

Now, support to preserve the client source IP has been extended. For more information, refer to Configuring- Understanding values.YAML.

The components of the Secure Proxy architecture are:

• Secure Proxy Engine—the engine resides in the DMZ and contains the minimum components necessary to manage communications sessions. The engine configuration (Secure Proxy engine properties) is created at Configuration Manager and pushed to the engine. It is stored in active memory and is never stored on a disk in the DMZ. No web services or UI ports are open in the DMZ.
• Configuration Manager (Secure Proxy CM)—Configuration Manager is installed in the trusted zone. Use this tool to configure your environment. When you save a configuration definition (Secure Proxy configuration store) at CM, it is pushed to an engine, using an SSL session. Configuration files are encrypted and stored on the computer where CM is installed.

Before you install Sterling Secure Proxy, review the system requirements. Confirm that your system meets all requirements. Follow the procedures to install or upgrade Sterling Secure Proxy.

Verify your installation by starting CM and the engine, and ensuring that they can communicate.

• The IP and port number to listen on for connections from Configuration Manager
• SSL key certificate, trusted certificate, and encryption cipher used for the connection from Configuration Manager.

Secure Proxy configuration store is the file is encrypted on disk and contains the following information:

• • The user store with information on user credentials
  • The system certificate store with the certificates used for SSL/TLS sessions
  • The key store with the SSH keys
  • The engine configuration store with all configuration information for the engine.

There are 3 components of IBM Sterling Secure Proxy (SSP Engine (SSP), SSP Configuration Manager (SSPcm), and Perimeter Server (PS)). SSP can also make use of the IBM Sterling External Authentication Server (SEAS).

Latest releases of IBM Sterling Secure Proxy 6.0.x and IBM Sterling External Authentication Server 6.0.x

These Versions release the new features,

• Support for certified containers, qualified on Red Hat OpenShift Platform, for deployment flexibility across hybrid cloud environments
• Improved protection against external threats through virus and malware scanning that is executed in the DMZ subnetwork, outside of the trusted zone
• Can deliver IP blocklisting and advanced monitoring by enabling connection to third-party providers to enable validation of IP addresses from suspect sources
• Easily view availability status of Sterling External Authentication Server instances from the Sterling Control Center web console

Sterling Secure Proxy also provides the following security features:

SSL or TLS using certificates—Ensures that the connection between Sterling Secure Proxy and the internal and external nodes uses SSL or TLS.

Support for Hardware Security Modules (HSM)—Stores and protects your certificates.

Support for connection routing—Allows you to route incoming connections using the following methods:

• Direct Routing—Routes incoming connections directly to the trusted company server.
• PNODE routing—Allows the inbound node to determine what SNODE it connects to.
• Certificate-based routing—Allows Sterling Secure Proxy to determine the internal server to route the connection to, based on the distinguished name in the certificate.