Server Requirements
Multiple, Load-Balanced Servers
Hitachi ID Access Certifier supports multiple, load-balanced servers.
Each server can host multiple Access Certifier instances, each with its own users, managed systems, features and policies.
Different instances of Access Certifier can be separate or inter-related as required. This is accomplished by having instances share some data and maintain other data separately.
For example, two instances can be configured to share data about help desk staff. If this is done, a help desk user defined in one instance automatically gains access to the other, with no duplicate configuration required.
As another example, two instances may share password history data. When this is done, a password chosen for a user on the systems managed by one instance cannot be reused on the systems managed by the other instance. This is an effective way to enforce a rule requiring passwords to be different on separate groups of systems.
It only takes a few minutes to add an instance to an Access Certifier server, and a few more to configure it to either share data with another instance or automatically copy a subset of that other instance's data.
Access Certifier instances can and normally do span multiple servers. Every server hosting a given instance is functionally identical. User traffic is load balanced between servers supporting the instance. Load balancing may be accomplished using DNS (round-robin is built into most DNS servers) or at the IP level with a device from Cisco, F5, etc.
High availability is accomplished by combining load balancing with server health monitoring and automatic fail-out. Access Certifier includes server monitoring tools that can be configured on each server to monitor its peers and when a failure is detected to trigger an alarm (e.g., by e-mail) and to automatically update DDNS records to remove the failed server from circulation. Hitachi ID Systems also provides these tools for Unix/BIND with traditional DNS.
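The peer-monitoring and DNS fail-out described above can be illustrated with a small watchdog. The script below is an added example written for this page, not the monitoring tool Hitachi ID ships with Access Certifier: it probes each peer over HTTPS, raises an e-mail alarm when a peer fails repeated probes, and removes that peer's A record from the round-robin name on a Windows DNS server so clients stop being directed to it. Every host name, IP address, zone, SMTP relay and the probe path are placeholders (assumptions to replace), and it assumes PowerShell 2.0 on Windows Server 2008 with the `dnscmd` tool available.

```powershell
# Added example, not part of the Access Certifier product. Run from a task scheduler
# on each server so that every peer watches the others (the page's model).
# All names, addresses and the probe path below are hypothetical placeholders.

$peers = @(
    @{ Host = 'cert1.example.com'; Ip = '10.0.0.11' },
    @{ Host = 'cert2.example.com'; Ip = '10.0.0.12' }
)
$serviceName = 'certifier'        # round-robin record clients resolve: certifier.example.com
$dnsZone     = 'example.com'
$dnsServer   = 'dns1.example.com' # Windows DNS server holding the zone (assumed)
$probePath   = '/'                # assumed; use the instance's real login URL path
$smtpServer  = 'smtp.example.com'
$alertTo     = 'ops@example.com'
$retries     = 3

function Test-Peer([string]$hostName) {
    # True if the peer answers an HTTPS GET with HTTP 200 within 10 seconds.
    # Retrying avoids failing a healthy server out on one transient timeout.
    for ($i = 0; $i -lt $retries; $i++) {
        try {
            $req = [System.Net.HttpWebRequest]::Create("https://$hostName$probePath")
            $req.Timeout = 10000
            $resp = $req.GetResponse()
            $ok = ($resp.StatusCode -eq [System.Net.HttpStatusCode]::OK)
            $resp.Close()
            if ($ok) { return $true }
        } catch {
            Start-Sleep -Seconds 5
        }
    }
    return $false
}

$failed = @($peers | Where-Object { -not (Test-Peer $_.Host) })

# If every peer looks down, the fault is more likely on this monitor's network;
# pulling all records would leave the name unresolvable, so only alert.
if ($failed.Count -eq $peers.Count -and $peers.Count -gt 0) {
    Send-MailMessage -SmtpServer $smtpServer -From "monitor@$dnsZone" -To $alertTo `
        -Subject 'Access Certifier: all peers unreachable from monitor' `
        -Body 'All peers failed probes; suspecting a local network fault, no DNS records changed.'
    return
}

foreach ($peer in $failed) {
    $msg = "Peer $($peer.Host) failed $retries consecutive HTTPS probes; " +
           "removing $($peer.Ip) from $serviceName.$dnsZone"
    Send-MailMessage -SmtpServer $smtpServer -From "monitor@$dnsZone" -To $alertTo `
        -Subject "Access Certifier peer down: $($peer.Host)" -Body $msg
    # Delete only this peer's A record for the round-robin name; the others keep serving.
    & dnscmd $dnsServer /RecordDelete $dnsZone $serviceName A $peer.Ip /f
}
```

Re-adding a repaired server is deliberately left to an operator (or a separate script), so that a flapping host is not pulled back into rotation automatically. For BIND, the `dnscmd` call would be replaced with an `nsupdate` transaction carrying the same delete.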
There is no coded limit to the number of concurrent, replicated servers. In practice, with more than 10 servers, replication may become slow. Since Hitachi ID Systems' three largest customers run with just two production servers each, this is only a theoretical problem.
Server Platform
Access Certifier must be installed on a Windows 2003 or Windows 2008 server.
Installing on Windows 2003 or Windows 2008 allows Access Certifier to leverage client software for most types of target systems, which is available only on the "Wintel" platform. In turn, this makes it possible for Access Certifier to manage passwords and accounts on target systems without installing a server-side agent.
The Access Certifier server must also be configured with a web server. Since the Access Certifier application is implemented as CGI executables, any web server will work. The Access Certifier installation program can detect and automatically configure IIS or Apache web servers, but other web servers can be configured manually.
Access Certifier is a security application and should be locked down accordingly. Please refer to the Hitachi ID Systems document about hardening Access Certifier servers to learn how to do this. In short, most of the native Windows services can and should be removed, leaving a very small attack surface, with exactly one inbound TCP/IP port (443):
- IIS is not required (Apache is a reasonable substitute).
- No ASP, JSP or PHP are used, so these engines should be disabled.
- .NET is not required on the web UI, so should be disabled on IIS.
- No ODBC or DCOM are required inbound, so these services should at least be filtered.
- File sharing should be disabled.
- Remote registry services should be disabled.
- Inbound TCP/IP connections should be firewalled, allowing only port 443 and possibly terminal services (if required for some configuration tasks).
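A quick way to verify that a server matches the list above is a read-only audit script. The following is an added example and not the Hitachi ID hardening document or any tool from the product: it checks that the remote registry and file sharing services are disabled, that the Windows firewall blocks inbound connections by default, and that nothing other than port 443 (and optionally 3389 for terminal services) is listening on a non-loopback address. It assumes Windows Server 2008 (`netsh advfirewall` does not exist on 2003) and the standard Windows service names; it changes nothing, it only reports.

```powershell
# Added example, not part of Access Certifier. Read-only audit of the hardening
# points listed on this page. Assumes Windows Server 2008 and standard service names.
param(
    [switch]$AllowTerminalServices   # set if RDP is kept for configuration tasks
)

$findings = @()

# 1. Services the guidance says to disable: remote registry and file sharing (SMB server).
$servicesToCheck = @{
    'RemoteRegistry' = 'Remote registry'
    'LanmanServer'   = 'File sharing (SMB server)'
}
foreach ($name in $servicesToCheck.Keys) {
    $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
    if ($svc -and ($svc.StartMode -ne 'Disabled' -or $svc.State -eq 'Running')) {
        $findings += "$($servicesToCheck[$name]) service '$name' is $($svc.State) " +
                     "with start mode $($svc.StartMode); expected Disabled and Stopped"
    }
}

# 2. Firewall default policy on every profile must block inbound connections.
$policyLines = netsh advfirewall show allprofiles | Where-Object { $_ -match 'Firewall Policy' }
foreach ($line in $policyLines) {
    if ($line -notmatch 'BlockInbound') {
        $findings += "Firewall profile does not block inbound by default: $($line.Trim())"
    }
}

# 3. Listening TCP sockets on non-loopback addresses, compared with the allowed set.
#    A local database bound to 127.0.0.1 is fine; anything else outside the allow-list
#    needs either a firewall rule or the service removed.
$allowedPorts = @(443)
if ($AllowTerminalServices) { $allowedPorts += 3389 }

$listening = netstat -ano -p tcp | Where-Object { $_ -match 'LISTENING' }
foreach ($line in $listening) {
    # Columns after splitting on whitespace: Proto, Local Address, Foreign Address, State, PID
    $fields = @($line -split '\s+' | Where-Object { $_ })
    $local  = $fields[1]
    if ($local -like '127.0.0.1:*') { continue }
    $port = [int]$local.Substring($local.LastIndexOf(':') + 1)
    if ($allowedPorts -notcontains $port) {
        $findings += "Unexpected listener on $local (PID $($fields[4])); not in allowed ports $($allowedPorts -join ',')"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'PASS: no hardening deviations found'
} else {
    Write-Output "FAIL: $($findings.Count) deviation(s)"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Run it after the initial build and again after every patch cycle; a service pack or a new management agent can quietly re-enable a service or open a listener that the original hardening removed.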
Application Server Hardware and Operating System
Each Access Certifier server is configured as follows:
- Hardware requirements:
  - A Pentium-IV class or better x86 CPU with at least 1 CPU core. Note that multi-core CPUs are supported and leveraged.
  - At least 4GB RAM -- more is better.
  - At least 100GB disk, preferably configured as RAID for reliability and preferably larger to hold more historical data and log files.
  - At least one Gigabit Ethernet NIC.
  A similarly equipped virtual machine can also be used.
- Operating system:
  - Windows 2003 or Windows 2008 (or R2) Server with current service packs.
  - 32-bit or 64-bit versions are both acceptable.
  - The server should not normally be a domain controller.
- Installed and tested software on the server:
  - TCP/IP networking, with a static IP address and DNS name.
  - Web server (Apache for Windows or IIS).
  - Client software: web browser, Acrobat Reader (to read the manual) and native clients for the systems that Access Certifier needs to interface with.
  - SQL Server client or Oracle client to connect to the Access Certifier database.
  - If the Access Certifier database is local (reduces hardware cost), then SQL Server or Oracle Database.
  - SSL server certificate, to support HTTPS UI sessions.
Database Configuration
In addition to a web server, Access Certifier requires a database server. In most environments, the database server software (Microsoft SQL Server or Oracle Database Server) can be installed on the same hardware as the Access Certifier software. This reduces hardware cost, eliminates network latency and reduces the security surface of the combined solution. In large deployments, a separate database server may be required, so as to distribute the processing load between application and data components. In these cases, the database server is typically configured similarly to the application server and co-located with the application.
The Access Certifier replicating data service can be configured to use any of the following SQL database engines as its physical data store:
- Oracle 10g, Enterprise Edition, R2.
- Oracle 11gR1, Enterprise Edition, so long as the 10gR2 client is used.
- Microsoft SQL Server 2005, Enterprise Edition.
- Microsoft SQL Server 2008, Enterprise Edition, so long as the SQL 2005 client is used.
- Oracle 10g, Express Edition, R2 (free download from http://oracle.com/).
- Microsoft SQL Server 2005, Express Edition, with Advanced Services (free download from http://microsoft.com/).