First of all, You don't need to know how it is done, this is developers' responsibility.
[Comment], I don't agree. I think it's the right responsibility of architect for the remote secure access. Using RMI over HTTPS tunnel for public network (Internet) access is not a good practice. That's the reason HTTP as a black horse in 1995 led ahead than COBRA and DCOM.
Second, read your assignment carefully. The CUSTOMER need to communicate with you application using SSL. It is not said anything about the travel agent.
[Comment], Agree, be careful to read it. Agents are assumed to keep using the existing private network which was used for 3270 terminal access.
[ August 18, 2006: Message edited by: tony clare ]