Hitachi ID Management Suite Architecture
High-Availability Password Storage
Once deployed, ID-Archive™ becomes an essential part of an organization's IT infrastructure, since it alone houses administrative credentials to thousands of networked devices. An outage in ID-Archive would mean that administrative access to a range of devices is interrupted -- a major outage to IT service.
Since servers occasionally break down, ID-Archive supports load balancing and data replication between multiple physical servers. Any data updates written to its credential database are replicated, in real time, across all servers.
In short, ID-Archive incorporates a highly available, replicated, multi-master architecture.
To provide out-of-the-box data replication, ID-Archive includes a built-in database engine, which stores the same data tables, including encrypted credentials, on each server. These files are in an industry-standard format (.DBF), accessible by almost every spreadsheet and reporting program available. Data replication is handled by this built-in engine, making it both simple and advisable for organizations to build a highly available ID-Archive server cluster, spanning multiple servers, with each server placed in a different physical site.
This multi-site, multi-master replication is configured at no additional cost, beyond that of the hardware for additional servers, and with little administrative effort.
ID-Archive Network Architecture Diagram (1)
Scaling to Support Thousands of Workstations
To manage workstation administrator credentials, ID-Archive includes a service that is installed on each workstation, contacts a central server and coordinates that workstation's password updates.
This architecture has several important advantages:
- The workstation service uses only HTTPS to communicate with the central server and works even when the workstation is connected behind NAT devices, firewalls or application proxies.
- The workstation service does not randomize credentials unless it has established connectivity with the central credential server. This avoids a situation where the central server does not know the new password value for a workstation.
- Dynamic IP addresses have no impact on this architecture.
- Physical relocation and long periods of detached network connectivity may delay updates to local passwords, but do not introduce a failure whereby the credentials for a workstation are unknown.
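The ordering the second and fourth points describe (the new value is registered with the central server before the local account is changed, so the server always knows the workstation's current password) is shown below in a constructed Python model. This is an added example, not Hitachi ID code; CredentialServer, Workstation and the fail_after_register outage switch are hypothetical stand-ins, and recoverable() reports whether the server knows the workstation's current local password.

```python
import secrets
class CentralServerUnreachable(Exception): pass

class CredentialServer:
    # Constructed stand-in for the central credential server (hypothetical, not Hitachi ID code).
    def __init__(self):
        self.vault = {}                   # hostname -> {"current": pw, "pending": pw or None}
        self.reachable = True
        self.fail_after_register = False  # simulate an outage in the middle of a rotation

    def seed(self, host, password):
        self.vault[host] = {"current": password, "pending": None}

    def register_pending(self, host, new_password):
        # Escrow the candidate value before the workstation touches its local account.
        if not self.reachable:
            raise CentralServerUnreachable(host)
        self.vault[host]["pending"] = new_password
        if self.fail_after_register:
            self.reachable = False

    def confirm(self, host):
        if not self.reachable:
            raise CentralServerUnreachable(host)
        entry = self.vault[host]
        entry["current"], entry["pending"] = entry["pending"], None

    def known_passwords(self, host):
        entry = self.vault[host]
        return {p for p in (entry["current"], entry["pending"]) if p is not None}

class Workstation:
    # Hypothetical workstation service: change the local password only after the server has it.
    def __init__(self, host, server, password):
        self.host, self.server, self.local_password = host, server, password
        server.seed(host, password)

    def rotate(self):
        new_password = secrets.token_urlsafe(18)
        self.server.register_pending(self.host, new_password)  # unreachable: exception, local untouched
        self.local_password = new_password                      # only now change the local account
        try:
            self.server.confirm(self.host)
        except CentralServerUnreachable:
            pass  # retry later; the server already holds new_password as pending
        return new_password

def recoverable(ws):
    return ws.local_password in ws.server.known_passwords(ws.host)
```

Whether the outage happens before the rotation or between escrow and confirmation, recoverable() stays true; reversing the first two steps of rotate() is the ordering the text says the service avoids.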
ID-Archive is a component of Hitachi ID Management Suite®. The following architectural description applies to the entire Hitachi ID Management Suite:
Hitachi ID Management Suite is designed for:
- Security:
Hitachi ID Management Suite is installed on hardened servers. All sensitive data is encrypted in storage and transit. Strong authentication and access controls protect business processes.
- Scalability:
Multiple Hitachi ID Management Suite servers can be installed, using a built-in data replication facility. Workload can be distributed using any load-balancing technology (IP, DNS, etc.).
- Openness:
Open standards are used for inbound integration (SOAP) and outbound communications (SOAP, SMTP, HTTP, etc.).
- Flexibility:
Both the Hitachi ID Management Suite user interface and all functionality can be customized to meet enterprise requirements.
- Low TCO:
Hitachi ID Management Suite is easy to set up and requires minimal ongoing administration.
Network architecture diagram (2)
The network architecture diagram (2) illustrates the Hitachi ID Management Suite network architecture:
- Users normally access Hitachi ID Management Suite using HTTPS from a web browser.
- Multiple Hitachi ID Management Suite servers may be load balanced using either an IP-level device (e.g., Cisco Local Director, F5 Big/IP) or simply DNS round-robin distribution.
- Native user password changes on some systems may trigger transparent password synchronization. A password change interceptor DLL, library or exit may capture such changes and initiate transparent password synchronization.
- Users may call an IVR (interactive voice response) system with a telephone and be authenticated either using touch-tone input of personal information or using a voice print. Authenticated users may initiate a password reset.
- Hitachi ID Management Suite connects to most target systems using their native APIs (application programming interfaces) and protocols and thus requires no software to be installed locally on those systems.
- Local agents are provided and recommended for Unix servers and OS/390 mainframes. Use of these agents improves transaction security, speed and concurrency.
- A local agent is mandatory on RSA SecurID servers.
- Where target systems are remote and communication to them is slow, insecure or both, a Hitachi ID Management Suite proxy server may be co-located with the target system in the remote location. In this case, servers in the main Hitachi ID Management Suite server cluster initiate fast, secure connections to the remote proxies, which decode these transactions and forward them to target systems locally, using native, slow and/or insecure protocols.
- Hitachi ID Management Suite can look up and update user profile data in an existing system, including HR databases (ODBC), directories (LDAP) and meta-directories (e.g., WMI to Microsoft ILM).
- Hitachi ID Management Suite can send e-mails to users asking them to register or to notify them of events impacting their profiles. Over 163 events can trigger e-mail notification.
- Hitachi ID Management Suite can write tickets to most common help desk systems, either recording completed activity or requesting assistance (security events, user service follow-up, etc.). Over 163 events can trigger ticket integration. Binary integrations are available for 15 of these systems, and open integration is possible using mail, ODBC, SQL and web services.