Hitachi ID Management Suite Integration with Oracle Products
Introduction
Hitachi ID Management Suite® is a complete identity management solution enabling organizations to more securely and efficiently manage the user lifecycle across enterprise applications and systems.
Hitachi ID Management Suite combines the power of Hitachi ID's flagship technologies, ID-Synch® for user provisioning and P-Synch® for password management, with more targeted products including ID-Access® to manage user access rights, ID-Certify® to review user rights and clean up stale privileges and ID-Archive™ to securely manage privileged passwords.
Hitachi ID Management Suite creates real business value by increasing productivity for users, reducing IT overhead, strengthening network security and providing internal controls to support compliance with privacy protection and corporate governance regulations.
Hitachi ID Management Suite includes pre-built integrations with a variety of Oracle software products, including:
- The Oracle Database Server.
- Oracle Applications, including Oracle Financials.
- Oracle Internet Directory (OID).
- Oracle (formerly Oblix) COREid.
The rest of this document describes these integrations, in terms of business value, technical details and an example deployment scenario.
Business Drivers for Integration
Most enterprises have deployed a variety of software products, running on different architectures, from different vendors. In such a heterogeneous environment, data about user identity and access rights is distributed between multiple systems and applications.
A heterogeneous environment is the norm for organizations that have deployed Oracle products, which often also have a Microsoft or Novell network operating system, ERP applications from SAP or PeopleSoft, groupware and e-mail from IBM or Microsoft, Unix servers, midrange servers or mainframes, and a variety of custom, vertical and ASP applications.
Distributed identity data is difficult to manage effectively, which creates cost and security problems, as illustrated in Figure 1.
Figure 1: Managing Each Application in its own Silo
Hitachi ID Management Suite is designed to consolidate identity management processes, to reduce complexity and thereby make user administration timely and reliable. This is illustrated in Figure 2.
Figure 2: Managing All Applications Concurrently
Managing Users and Passwords on Oracle Systems
Hitachi ID Management Suite is able to manage users and passwords on a wide variety of systems, including the following:
| Category | Supported systems |
| --- | --- |
| Directories | LDAP (any), Active Directory, Windows NT domains, Novell eDirectory, Novell NDS, Unix NIS and NIS+, Kerberos/DCE (any) |
| File/print | Windows NT/2000/2003/2008, Novell NetWare, OS2 LanManager, Samba |
| Mainframes | MVS / OS/390 / zOS, RACF, CA-ACF2, CA-TopSecret, VM/ESA, Siemens BS2000, Tandem NonStop, Unisys MCP |
| Unix | AIX, DGUX, Digital Unix, HPUX, IRIX, Linux, NCR, OSF4, SCO OS, Solaris, SunOS, Tru64, UnixWare, Unisys, passwd, shadow, Trusted Computing Base |
| Midrange | HP MPE, OS/400/iSeries, OpenVMS |
| Database | DB2/UDB, Informix, MSSQL, ODBC, Oracle, Sybase |
| ERP | SAP R/3 4.0+, PeopleSoft 7.5+, Oracle Applications 11i+, JDE OneWorld |
| Messaging | MS Exchange 5.5, MS Exchange 2000/03/07, Novell GroupWise, Lotus Domino/HTTP, Lotus Notes/ID files, HP OpenMail |
| WebSSO | IBM TAM, RSA ClearTrust, Entrust getAccess, CA SiteMinder, Oracle COREid, SAP portal |
| Flexible agents | API (application programming interface) integration, LDAP attributes, MQ Series, SQL commands, Telnet/TN3270/TN5250 sessions, Unix/Windows cmd-line integration, web forms, web services (SOAP, XML) |
| Hardware tokens and Smartcards | RSA SecurID, Secure Computing SafeWord, Vasco Digipass, GemPlus, Precise Biometrics |
| Miscellaneous | RADIUS (various), Local and cached Windows passwords, Peregrine ServiceCenter, Remedy ARS, Clarify eFrontOffice, NAI Magic, Tivoli ADSM, IBM OLAP, IBM Tivoli Access Manager Connected Backup |
Hitachi ID Management Suite includes specific integrations with the following Oracle products:
- The Oracle Database Server.
- Oracle Applications, including Oracle Financials.
- Oracle Internet Directory (OID).
- Oracle COREid.
Oracle Database
Hitachi ID Management Suite can bind to any Oracle Database server (any version) using SQL*Net and issue PL/SQL commands to enumerate users (SELECT), validate current passwords (test bind or SELECT) and reset passwords (ALTER USER, UPDATE or invoke a stored procedure).
The Hitachi ID Management Suite administrator can specify alternate SQL commands, and so can manage application passwords as well as database connect passwords.
ID-Synch can create, delete, enable, disable, modify and rename system users in any specified Oracle Database server. It creates new Oracle users by cloning existing ones, copying and adjusting their role memberships and tablespace rights in the process. It can also manage the membership of Oracle Database users in Oracle Database roles.
Oracle DBMS security roles are mapped to Hitachi ID Management Suite managed groups. Hitachi ID Management Suite can manage role assignment using its built-in group-membership-management semantics.
The same ID-Synch agent that manages Oracle Database users can be configured with target-specific SQL code, in order to manage users defined wholly inside an application tablespace, rather than as database-level users. All the same operations (create, delete, enable, disable, rename, change attribute, change group membership) are supported in this configuration.
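The following is an added illustration, not Hitachi ID's connector code, of the statements an Oracle user-management agent of the kind described above issues: user enumeration, password reset, enable/disable, role membership and creating a user by cloning a template's roles and tablespace quota. The security point it makes is that ALTER USER / CREATE USER take the password as a literal inside the DDL, so it cannot be sent as a bind variable; the agent therefore has to validate both identifiers and the password before splicing them in. The identifier alphabet, the 30-character limits, the rule that a quoted Oracle password cannot contain a double quote, and the catalog views dba_users and dba_role_privs are assumptions drawn from general Oracle documentation, not from this page; the template user and names are constructed.

```python
import re

# Conservative Oracle identifier: a letter, then letters, digits, _ $ #,
# at most 30 characters so the name is valid on any release (assumption).
_IDENT_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_$#]{0,29}$")
# Printable ASCII without space or double quote; Oracle rejects a double
# quote inside a quoted password literal (assumption from Oracle docs).
_PASSWORD_RE = re.compile(r"^[\x21\x23-\x7e]{1,30}$")
# Tablespace quota as accepted by CREATE USER ... QUOTA (assumption).
_QUOTA_RE = re.compile(r"^(UNLIMITED|\d+[KMG]?)$")


def quote_ident(name):
    """Return a double-quoted, upper-cased identifier safe to splice into DDL.
    Anything outside the plain identifier alphabet is rejected, not escaped,
    so a crafted request can never extend or terminate the statement."""
    if not _IDENT_RE.match(name):
        raise ValueError(f"invalid Oracle identifier: {name!r}")
    # Upper-casing matches the name Oracle stores for an unquoted CREATE USER.
    return f'"{name.upper()}"'


def quote_password(password):
    """Return the password as a quoted literal after validating it; the
    password keeps its case because it is a literal, not an identifier."""
    if not _PASSWORD_RE.match(password):
        raise ValueError("password is empty, too long or contains a character Oracle does not accept")
    return f'"{password}"'


def enumerate_users_sql():
    """Catalog query listing every database user with lock/expiry status."""
    return "SELECT username, account_status FROM dba_users"


def role_members_sql():
    """Plain query, so the role name can travel as a bind variable (:role)."""
    return "SELECT grantee FROM dba_role_privs WHERE granted_role = :role"


def reset_password_sql(user, password):
    return f"ALTER USER {quote_ident(user)} IDENTIFIED BY {quote_password(password)}"


def set_enabled_sql(user, enabled):
    action = "ACCOUNT UNLOCK" if enabled else "ACCOUNT LOCK"
    return f"ALTER USER {quote_ident(user)} {action}"


def role_membership_sql(user, role, grant):
    """Role assignment expressed as managed-group membership: GRANT or REVOKE."""
    if grant:
        return f"GRANT {quote_ident(role)} TO {quote_ident(user)}"
    return f"REVOKE {quote_ident(role)} FROM {quote_ident(user)}"


def clone_user_sql(template, new_user, password):
    """Statements creating new_user with the template's tablespace quota and
    role set. template is a constructed dict: default_tablespace, quota, roles."""
    if not _QUOTA_RE.match(template["quota"]):
        raise ValueError(f"invalid quota: {template['quota']!r}")
    ts = quote_ident(template["default_tablespace"])
    stmts = [
        f"CREATE USER {quote_ident(new_user)} IDENTIFIED BY {quote_password(password)} "
        f"DEFAULT TABLESPACE {ts} QUOTA {template['quota']} ON {ts}"
    ]
    stmts += [role_membership_sql(new_user, r, True) for r in template["roles"]]
    return stmts


if __name__ == "__main__":
    template = {"default_tablespace": "users", "quota": "100M",
                "roles": ["connect", "reporting"]}  # constructed template user
    for stmt in clone_user_sql(template, "bob", "Pa55word"):
        print(stmt)
    print(reset_password_sql("app_user", "s3cret!"))
```

Because the password is part of the statement text, it will appear in any SQL trace, statement log or audit trail that captures full DDL; an agent that resets passwords this way should be paired with a database audit configuration that does not retain those statement texts.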
Oracle Applications and Oracle Financials
Hitachi ID Management Suite can manage passwords on Oracle Applications / Oracle Financials by connecting to the Oracle Database server using SQL*Net, and using the existing stored procedures on the server to update user profiles.
No agent software is installed on the Oracle Applications server or the back end database.
ID-Synch can create, delete, enable, disable, modify and rename Oracle Applications users in one or more instances of Oracle Applications. All the basic operations are supported by calling the appropriate PL/SQL user management stored procedures included by default in all Oracle Applications installations.
Oracle Internet Directory (OID)
Oracle Internet Directory is a standards-compliant LDAP directory server.
Hitachi ID Management Suite manages passwords on LDAP v2 and LDAP v3 directories by directly binding to the LDAP or LDAPS service and issuing LDAP commands to modify user objects. The LDAP bind operation itself is used to validate current passwords and LDAP search is used to enumerate users.
ID-Synch can create, delete, enable, disable, modify, rename and move LDAP users in any specified directory or OU. It creates new LDAP users by cloning existing ones, copying and adjusting attributes in the process. It can also manage the membership of LDAP users in LDAP groups.
Oracle COREid
Storing Hitachi ID Management Suite User Profile Data in an Oracle Database
Hitachi ID Management Suite is able to manage user profile data externally, in an LDAP directory or Oracle Database.
Hitachi ID Management Suite includes batch data loading programs (e.g., to load user profiles, Q-A (Question-and-Answer) data, login ID aliases) and data extraction programs (e.g., to dump the contents of any table as a CSV file).
Hitachi ID Management Suite also includes a number of plug-in points that allow it to look up user profile data in an external database or directory at run-time, as required. These are used to externalize user profile data -- for example, to an LDAP directory, to Active Directory or to a database.
Finally, Hitachi ID Management Suite includes a number of plug-in points that allow it to update user profile data, such as user attributes, login ID reconciliation or Q-A (Question-and-Answer) information, on an external directory or database, at run-time. Such updates are normally the result of user registration processes.
Putting this flexibility together, an example deployment might authenticate users signing into Hitachi ID Management Suite using their LDAP login ID and password and store user profile data, such as a list of login IDs to various systems and personal Q-A (Question-and-Answer) data, in the same or another LDAP directory.
Example Deployment Scenario
The following scenario describes a fictitious organization, Acme Inc., that has deployed both Oracle and other, unrelated products as part of its IT infrastructure. Use of Hitachi ID Management Suite to streamline identity management is described.
Network Environment
Acme has 10,000 users, distributed across multiple offices and countries.
Major systems that all users log into include:
- Microsoft Active Directory (AD), including 20 domain controllers and 50 Windows file servers. 10,000 users.
- Microsoft Exchange, including 50 mail servers. 10,000 users.
- Oracle Financials.
- PeopleSoft HR.
- 200 home-grown applications, each of which has its own Oracle Database back-end, using native Oracle security.
- A VPN system, authenticating remote users against OID.
- A RAS dial-up system, authenticating remote users against AD.
Password Management
Users get advance warning of password expiry on Windows by e-mail, with an embedded URL to a web page where they can pre-emptively change all of their passwords. This is particularly helpful to remote and traveling users, who do not see the Windows password expiration notices at login time.
Whenever users change their AD password natively (e.g., Control-Alt-Del), P-Synch automatically intercepts the change on the nearest DC, and propagates it to all other accounts belonging to the same user, including Oracle Databases, Oracle Financials and OID.
If users forget their password, they access a self-service P-Synch web page, either from their desktop login prompt (log in as HELP with no password to get a hardened kiosk-mode web browser) or from another computer's web browser. They can authenticate by answering a random subset of 10 personal questions, and can then administratively reset their own forgotten password on any combination of their login accounts.
These processes are system-independent. With P-Synch deployed, users only have to remember one ID and password, for all the systems they access. They use a single method to change all of their passwords, and to resolve any password problems.
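As an added example of the self-service authentication step described above (not P-Synch's code and not a description of how it stores Q-A data), the block below enrols ten personal questions, challenges a random subset of them, and verifies the answers. Answers are normalized (case, whitespace, Unicode form) so a legitimate user is not failed on trivial differences, stored only as salted PBKDF2 hashes so the profile store does not hold answers in the clear, and every challenged answer is checked with a constant-time comparison before a single verdict is returned. The `seed` parameter exists only for reproducible tests; the questions and answers are constructed.

```python
import hashlib
import hmac
import os
import random
import unicodedata

PBKDF2_ITERATIONS = 50_000  # constructed setting; tune to the deployment's CPU budget


def normalize(answer):
    """Canonical form of an answer: NFKC, case-folded, whitespace collapsed."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def _digest(answer, salt):
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS)


def enroll(qa_pairs):
    """Build a stored profile from (question, answer) pairs. Only the question
    text, a per-answer random salt and the answer digest are retained."""
    profile = []
    for question, answer in qa_pairs:
        salt = os.urandom(16)
        profile.append({"question": question, "salt": salt, "digest": _digest(answer, salt)})
    return profile


def select_challenge(profile, count, seed=None):
    """Pick `count` distinct questions at random; returns (index, question) pairs.
    A CSPRNG is used unless a seed is given for reproducible testing."""
    rng = random.SystemRandom() if seed is None else random.Random(seed)
    return [(i, profile[i]["question"]) for i in rng.sample(range(len(profile)), count)]


def verify_answers(profile, challenge, answers):
    """answers maps challenge index -> user's answer. Every challenged question
    must be answered and correct; all digests are compared before deciding so
    timing does not reveal which answer was wrong."""
    expected = {i for i, _ in challenge}
    if set(answers) != expected:
        return False
    all_ok = True
    for i in expected:
        entry = profile[i]
        ok = hmac.compare_digest(_digest(answers[i], entry["salt"]), entry["digest"])
        all_ok = all_ok and ok
    return all_ok


if __name__ == "__main__":
    # Constructed enrolment of ten questions.
    pairs = [(f"Constructed question {n}", f"Answer {n}") for n in range(10)]
    profile = enroll(pairs)
    challenge = select_challenge(profile, 3)
    replies = {i: f"  answer {i} " for i, _ in challenge}  # sloppy case/spacing still matches
    print("verified:", verify_answers(profile, challenge, replies))
```

The challenge is generated server-side and the indices are echoed back with the answers, so the verifier can insist that exactly the questions it asked were answered; a client cannot substitute easier questions from the profile.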
User Provisioning
New employees and contractors are provisioned with a variety of new accounts using ID-Synch. Managers sign into the Acme ID-Synch web portal and submit requests to set up new users. Requests are automatically routed to upper management and to application owners for approval. Approved requests trigger account creation.
When users leave the organization, either their managers or HR staff sign into ID-Synch and request access termination. These requests are again routed to appropriate managers to review and approve, and trigger access deactivation.
Auditors sign into the ID-Synch portal to generate security access reports -- "Who has what" and access change history.
Users sign into the ID-Synch portal to update personal information, such as their home phone number, and to request additional access rights, such as group membership to access shared files and folders. Some requests are automatically approved (self service), while others are routed to suitable authorizers for review and approval.
The common thread in all of these processes is that they span every system in the network, including Oracle Databases, Oracle Applications and OID. The practice of managing each application in its own "silo" is eliminated, thereby making administration fast and simple.
Access Audits
Periodically, security managers launch an access certification round using ID-Certify -- a component of Hitachi ID Management Suite. ID-Certify uses org-chart data automatically pulled from PeopleSoft HR to identify managers, and sends each manager in the organization an e-mail, asking that manager to sign in and review the access privileges of their subordinates.
Managers receive automatic reminders until they actually do sign in and complete their certifications.
When they sign in, managers review a list of their direct subordinates, and each of those users' security privileges. Managers either certify that each user or privilege is still appropriate, or ask that it be revoked. Managers are then required to sign off on their review, indicating completion. Sign-off is normally implemented by retyping their primary network password.
Managers cannot sign off until their subordinate managers have likewise done so. This creates downwards pressure, starting from the CEO or CFO, to complete the process, in order to comply with regulatory requirements.
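The sign-off rule above (a manager may sign off only after deciding every item for their direct reports and after every subordinate manager has signed off) is small enough to show in code. The block below is an added illustration, not ID-Certify's implementation, using a constructed org chart and a constructed inventory of entitlements; it produces the review list for a manager, tests sign-off eligibility, lists who still needs a reminder, and collects the revocations that the round produced.

```python
# Constructed org chart: manager -> direct reports. People with no reports are non-managers.
ORG_CHART = {
    "ceo": ["cfo", "cto"],
    "cfo": ["controller"],
    "cto": ["dev_mgr"],
    "controller": ["acct1", "acct2"],
    "dev_mgr": ["dev1", "dev2"],
}

# Constructed entitlement inventory: user -> privileges under review.
PRIVILEGES = {
    "acct1": ["AD:Finance-Share", "OracleFinancials:AP_CLERK"],
    "acct2": ["AD:Finance-Share"],
    "controller": ["OracleFinancials:GL_MANAGER"],
    "dev1": ["OracleDB:APP_DEV", "AD:Source-Share"],
    "dev2": ["OracleDB:APP_DEV"],
    "dev_mgr": ["OracleDB:DBA"],
    "cfo": ["OracleFinancials:GL_MANAGER"],
    "cto": ["OracleDB:DBA"],
}


def is_manager(org, person):
    return bool(org.get(person))


def subordinate_managers(org, manager):
    return [s for s in org.get(manager, []) if is_manager(org, s)]


def review_items(org, privileges, manager):
    """(user, privilege) pairs a manager must certify or revoke: every
    entitlement held by each direct report."""
    return [(u, p) for u in org.get(manager, []) for p in privileges.get(u, [])]


def blocking_subordinates(org, manager, signed_off):
    """Subordinate managers whose own sign-off is still outstanding."""
    return [s for s in subordinate_managers(org, manager) if s not in signed_off]


def can_sign_off(org, privileges, manager, signed_off, decisions):
    """decisions maps (user, privilege) -> "certify" | "revoke". Sign-off needs
    every review item decided and no subordinate manager still outstanding."""
    if not is_manager(org, manager):
        return False
    undecided = [item for item in review_items(org, privileges, manager) if item not in decisions]
    return not undecided and not blocking_subordinates(org, manager, signed_off)


def reminder_recipients(org, signed_off):
    """Managers who have not yet signed off and therefore keep receiving reminders."""
    return sorted(m for m in org if is_manager(org, m) and m not in signed_off)


def revocations(decisions):
    """Privileges the round marked for removal, to be turned into deprovisioning requests."""
    return sorted(item for item, verdict in decisions.items() if verdict == "revoke")


if __name__ == "__main__":
    decisions = {item: "certify" for item in review_items(ORG_CHART, PRIVILEGES, "dev_mgr")}
    decisions[("dev1", "AD:Source-Share")] = "revoke"
    signed = set()
    print("dev_mgr may sign off:", can_sign_off(ORG_CHART, PRIVILEGES, "dev_mgr", signed, decisions))
    signed.add("dev_mgr")
    print("ceo blocked by:", blocking_subordinates(ORG_CHART, "ceo", signed))
    print("reminders go to:", reminder_recipients(ORG_CHART, signed))
    print("revoke:", revocations(decisions))
```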
Requests to Access Shares, Folders and Printers
With 50 file servers, hundreds of shares, hundreds of shared printers and thousands of shared folders, Acme users generate a substantial volume of requests to gain access to different network resources.
Technically, these are all requests for AD group membership, but users don't generally know that. Consequently, these requests are somewhat costly to service, as the process always starts with a support technician figuring out exactly which AD security groups a user requires, and then figuring out whose authority is needed to attach that user to that group.
By deploying ID-Access, Acme is able to delegate the request input, authorizer routing and approval processes to business users, eliminating any IT involvement in group membership management. Users browse the network, through the ID-Access web GUI, for resources including shares, folders, printers and mail distribution lists.
Users simply select a resource and an available set of privileges, which causes ID-Access to automatically find the appropriate group and authorizer, and submit a security change request into its workflow engine. Authorizers are asked to respond by e-mail, and respond via authenticated and encrypted web page. Approved requests trigger user-group attachment and thank-you e-mails.