IBM Directory Strategy Rick Mayo IBM Directory Brand Manager mayor@us.ibm.com
Agenda • Directory Services • Past, Present and Future • Key Assumptions • IBM Directory Strategy • What About... • Summary
Directories Past • Many different vendors have created their own directory services: • They often targeted only a single area, e.g., • Notes Name & Address Book: support for Notes infrastructure • DCE Cell Directory Service: applications • Users installed them • The result: • Chaos!
Directory Installed Base (interviews with 50 Fortune 1000 companies, multiple responses accepted; source: Forrester) • E-mail 82% • NT Domain 78% • Netware NDS 66% • Mainframe 52% • Netware Binderies 46% • Packaged Apps 42% • Homegrown Apps 38% • Database Apps 34% • Unix 26% • Other 42%
Directories Today • The problem: • Every organization has too many directory services installed • The solution: • Simplify • Reduce the number of directory servers
Directories in the Future [chart: Intranet progression from Internal E-Mail & Data Posting through Broadcast Medium, Information Management and Work Group Collaboration; Internet progression from External E-Mail & Browsing through Customer Service and Extranet (Convergence/Connection) to Electronic Marketplace; both leading toward Global Organization Integration] "The Internet/Intranet expansion will have a significant impact on our directories. We have 36,000 employees to manage in our directories, and now we'll be adding 8 million customers!" (Forrester)
LDAP Becomes The Standard Directory Access Method • The Lightweight Directory Access Protocol (LDAP) has arrived • It standardizes client access to a directory service • It's derived from X.500's Directory Access Protocol (DAP), but: • It runs over TCP/IP • It's much simpler
An Aside: The Role of the Standards • The day of wholly proprietary directory services is over • Standards have arrived • The Internet is the most important source of standards today • The IETF has become very important • IBM, Lotus and Tivoli are actively involved with the IETF and DMTF to drive and enhance: • PKIX • DEN • Access Control • Replication • Common Schema
Common Schema • The schema defines the kinds of information that can be stored in the directory • It's defined as: • Object classes • For example: Person • Attributes • Common name, telephone number, password, . . . • A common schema is being developed by IBM in concert with CIM initiative at the DMTF • Enables applications to share the same objects • Provides a common/consistent store
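The object class / attribute model above, applied to an LDIF file (the bulk-load format listed later for the eNetwork directory), as an added example that is not part of the original deck and not IBM's code: a small LDIF parser plus a validator that checks each entry against a constructed subset of the standard person classes. The schema table is a deliberately reduced subset (real classes carry many more MAY attributes), the LDIF is constructed, and the `userPassword::` line illustrates a point practitioners trip over: the `::` form is base64 encoding for transport, not encryption, so an LDIF dump carries credentials in a trivially reversible form.

```python
import base64

# Constructed subset of the standard schema: object class -> superior, MUST, MAY.
# Real definitions allow many more MAY attributes; names are lower-cased for matching.
SCHEMA = {
    "top": {"sup": None, "must": {"objectclass"}, "may": set()},
    "person": {"sup": "top", "must": {"sn", "cn"},
               "may": {"userpassword", "telephonenumber", "description"}},
    "organizationalperson": {"sup": "person", "must": set(),
                             "may": {"title", "ou", "postaladdress"}},
    "inetorgperson": {"sup": "organizationalperson", "must": set(),
                      "may": {"mail", "uid", "employeenumber"}},
}

# Constructed sample LDIF (not from the slides). The second entry is deliberately bad.
SAMPLE_LDIF = """\
# people subtree
dn: cn=Jane Doe,ou=people,o=example
objectClass: top
objectClass: person
objectClass: inetOrgPerson
cn: Jane Doe
sn: Doe
mail: jdoe@example.com
description: a long value that is folded onto
  a continuation line

dn: cn=Bad Entry,ou=people,o=example
objectClass: person
cn: Bad Entry
userPassword:: c2VjcmV0
favoriteColor: blue
"""


def parse_ldif(text):
    """Parse LDIF into a list of {'dn': ..., 'attrs': {name: [values]}}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded line: one leading space continues the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:                  # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if line == "":
            if current is not None:
                entries.append(current)
                current = None
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: " + line)
        name = name.strip().lower()
        if value.startswith(":"):              # "attr:: <base64>" is encoded for transport, NOT encrypted
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        elif value.startswith("<"):
            raise ValueError("URL-valued attributes are not supported: " + line)
        else:
            value = value.strip()
        if name == "dn":
            current = {"dn": value, "attrs": {}}
        elif current is None:
            raise ValueError("attribute line before dn: " + line)
        else:
            current["attrs"].setdefault(name, []).append(value)
    return entries


def effective_attrs(object_class):
    """MUST and MAY attribute sets for a class, including everything inherited from its superiors."""
    must, may = set(), set()
    while object_class:
        spec = SCHEMA[object_class]
        must |= spec["must"]
        may |= spec["may"]
        object_class = spec["sup"]
    return must, may


def validate_entry(entry):
    """Return a list of schema violations for one parsed entry (empty list = conforms)."""
    errors = []
    classes = [v.lower() for v in entry["attrs"].get("objectclass", [])]
    if not classes:
        return ["missing objectClass"]
    must, may = set(), set()
    for oc in classes:
        if oc not in SCHEMA:
            errors.append(f"unknown objectClass {oc}")
            continue
        m, y = effective_attrs(oc)
        must |= m
        may |= y
    present = set(entry["attrs"])
    for a in sorted(must - present):
        errors.append(f"missing required attribute {a}")
    for a in sorted(present - must - may):
        errors.append(f"attribute {a} not allowed by its objectClasses")
    return errors


def validate_ldif(text):
    """Map each entry's DN to its list of violations; run this before a bulk load."""
    return {e["dn"]: validate_entry(e) for e in parse_ldif(text)}
```

Running `validate_ldif(SAMPLE_LDIF)` accepts the first entry and reports two problems for the second (no `sn`, and `favoriteColor` is not in any of its classes); `parse_ldif` also shows the base64 password decoding straight back to `secret`.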
A Single Directory Won't Win • There is a well-described link between business challenges and the Information Technology used to solve them • Heterogeneous business problems cannot be solved with homogeneous information technology: • multiple platforms • multiple operating systems • multiple applications • multiple directories...
Big Picture Requirements [diagram: common administration over an enterprise directory / certificate store] • Single sign-on • Directory enabled apps. • Directory synchronization and management • Customers and employees • Access controls • Certificates • Products and services
Directory Requirements • Will it scale to meet my needs? • Does it provide high levels of reliability? • How much does it cost? • What applications use it? • Can you provide worldwide support? • Can I get help implementing it?
Directory Support for e-business [diagram of the stack the directory must span: Data and Applications (Billing, Ordering, DB2, Oracle, PeopleSoft, Informix, SAP, Sybase, Lotus Notes, Ingres); IBM Clients and Servers; Communication Protocols (Vines, IPX, NetBios, TCP/IP, SNA); Physical Networks] • eNetwork LDAP directory across our operating systems and bundled with solutions • LDAP exploitation by: • Applications • Security • Networking • ISV and OEM support • Robust management and administrative capabilities
IBM eNetwork LDAP Directory • Clients and servers • Wide range of platform support • Scale to millions of entries • Directory will be bundled with operating systems or solutions • Available today for: • AIX, OS/390, OS/400 • Web download for: • NT, Solaris • Features: • Proven relational database store • Client, Server and Java client • SSL V3 encryption and authentication • Replication • Access Control • HTTP Gateway • Web-based administration
Why DB2 as a Data Store for IBM eNetwork Directory? • Highly scalable data store • Atomic transactions • On-line backup and restore facility • Alternative replication support • Fast database loading facility • Powerful query engine
IBM eNetwork LDAP Directory • Authentication options • none (anonymous) • clear-text passwords (LDAP simple bind; the password crosses the network in the clear unless the session is protected by SSL) • SSL with server certificates, giving session encryption and server authentication • Access Control • Per object and per attribute • Replication • LDAP replication or DB2 replication • API support • LDAP C/C++, JNDI • Additional features: • Bulk load via LDIF • Supports LDAP referrals
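Why the "clear-text passwords" option is only acceptable under SSL, shown on the wire as an added example (written for this page; not IBM's client library): a minimal BER encoder and decoder for the LDAPv3 BindRequest (RFC 4511 section 4.2). The encoder produces exactly the bytes a client sends for a simple bind; the decoder is what anyone on the network path sees if the session is not wrapped in SSL. The DN and password are constructed sample values. The decoder also labels the two degenerate cases of simple bind defined in RFC 4513: an empty name and password is an anonymous bind, and a name with an empty password is an "unauthenticated" bind, which RFC 4513 says servers should reject by default but which, on servers that accept it, yields an anonymous session rather than an error. Whether the eNetwork server of this period accepted unauthenticated binds is not stated on the page.

```python
# Minimal BER/LDAP codec for BindRequest (RFC 4511 section 4.2), written for this page.
SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
APP_BIND_REQUEST = 0x60          # [APPLICATION 0], constructed
CTX_SIMPLE = 0x80                # AuthenticationChoice: simple [0] OCTET STRING


def ber_length(n):
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + ber_length(len(content)) + content


def ber_integer(value):
    # Non-negative only; the extra byte keeps the high bit clear so the value stays positive.
    return tlv(INTEGER, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def bind_request(message_id, name, password):
    """LDAPv3 simple bind exactly as it appears on the wire before any SSL wrapping."""
    op = tlv(APP_BIND_REQUEST,
             ber_integer(3)                              # version 3
             + tlv(OCTET_STRING, name.encode("utf-8"))   # bind DN
             + tlv(CTX_SIMPLE, password.encode("utf-8")))  # password, in the clear
    return tlv(SEQUENCE, ber_integer(message_id) + op)


def read_tlv(buf, pos=0):
    """Return (tag, content, next_position) for the element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_request(msg):
    """Decode what a passive observer of an unencrypted LDAP session would see."""
    tag, body, _ = read_tlv(msg)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = read_tlv(body)
    tag, op, _ = read_tlv(body, pos)
    if tag != APP_BIND_REQUEST:
        raise ValueError("not a BindRequest")
    _, ver, pos = read_tlv(op)
    _, name, pos = read_tlv(op, pos)
    tag, cred, _ = read_tlv(op, pos)
    name = name.decode("utf-8")
    if tag != CTX_SIMPLE:
        kind, password = "sasl", None
    else:
        password = cred.decode("utf-8")
        # RFC 4513 section 5.1: empty name and password = anonymous; a name with an empty
        # password = "unauthenticated" bind. Servers should reject the latter by default;
        # those that accept it grant an anonymous session, a classic surprise when an
        # application passes an empty password field straight through to the directory.
        if name == "" and password == "":
            kind = "anonymous"
        elif password == "":
            kind = "unauthenticated"
        else:
            kind = "simple"
    return {"message_id": int.from_bytes(mid, "big"), "version": int.from_bytes(ver, "big"),
            "name": name, "kind": kind, "password": password}


def password_visible_on_wire(msg, password):
    """True when the raw password bytes can be found in the unencrypted message."""
    return password.encode("utf-8") in msg
```

With SSL enabled the same BindRequest bytes are produced, but they travel inside the TLS record layer, so the observer sees ciphertext instead; that is the whole difference between the second and third authentication options in the list above.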
Single Client / Multiple Server [diagram: one LDAP client, one LDAP server, databases DB1, DB2, DB3 on separate nodes] • Every database resides on one network node • The LDAP server can connect to a number of networked databases for directory information • The LDAP server stores and retrieves all information without needing to know in which database a given entry physically resides • The LDAP server is freed from managing physical storage
Multiple Clients / Multiple Servers [diagram: LDAP clients, Network Dispatcher, several DB2 client + LDAP server nodes, DB2 servers] • Database clients can connect to any database server for directory information • The collection of database servers forms a single image • More than one LDAP server can access the directory information • Network Dispatcher is deployed to route requests among the LDAP servers
Multiple Clients / Parallel Super Server [diagram: LDAP clients, Network Dispatcher, DB2 client + LDAP server nodes, one partitioned DB2 server] • Solution for storing huge amounts of information (terabytes) in a single database • DB2 PE automatically partitions the database across different machines (instead of partitioning the database at the application level) • DB2 PE divides queries into smaller independent tasks that execute concurrently • Accommodates growth through appropriately sized resources
Directories and Security (1) • There's a strong natural synergy between the two • Both store and access information of various kinds (some of it the same) • Both can benefit from replication of that information • Examples: • Information about user accounts • Certificates
Directories and Security (2) • The rise of LDAP parallels the rise of distributed security standards • Example: Secure Sockets Layer (SSL) • Example: X.509 certificates • It's not possible to have a solid directory strategy without also having an integrated security strategy
Directory Exploiters Roadmap • eNetwork LDAP Directory platforms: AIX 3/98, OS/390 3/98, OS/400 9/98, NT 12/98, Solaris 12/98 • Suites: NT Suites beta 1/99 (UDB, Comm. Svr., CICS, Websphere), Suites SSO • Management: Tivoli Directory Mgt. 9/98, Tivoli User Administration support for LDAP • Security: Vault Registry 1Q99, certificate storage • Networking: Communication Server NT 7/98, Communication Server 390 3/99 • Web App. Dev.: Websphere 12/98, stores users, groups, passwords and application configuration
eNetwork LDAP Partners • Dascom: intranet security solution • Security Dynamics: security products • Allot Communications: network tools and mgmt. apps. • enCommerce Inc.: web access management • Triangulum Software: DCE CDS to LDAP • Netegrity: access control for the web • Persistent Systems: LDAP and RDBMS integration
VPN Policy Direction [diagram: company security policy (profiles, natural language descriptions, VPN topology, ...) is mapped through a GUI and schema mapping into the eNetwork LDAP Directory; individual IPSec boxes retrieve their configuration data over LDAP] • Map "policy" into the GUI and then into the VPN schema • Pre-defined profiles for typical configurations: • Branch Office Interconnect • Supplier Networks • Remote Access • Centralized definition for all IPSec boxes in a given VPN • consistency checking • company-wide definition • Database management: • individual boxes "pull in" their own configuration data
Sample Configuration / Example VPN Policy [diagram: hosts H1, H2, H3 and gateways GW1, GW2, GW3 connected across the Internet] 1. GW1 and GW2 must encrypt and authenticate traffic from all hosts, except from H2 and H3, that flows between GW1 and GW2, using DES and HMAC-MD5. Keys must be refreshed at least once every 20 minutes. 2. Traffic from H1 to H2 must be encrypted and authenticated end-to-end using 3DES and HMAC-SHA1. Keys must be refreshed at least once every 10 minutes with PFS. 3. Traffic between H2 and H3 must be authenticated by GW2 and GW1. Keys must be refreshed with PFS once every 60 minutes.
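The three policy statements above turned into the "centralized definition, consistency checking, boxes pull in their own configuration" model of the previous slide, as an added example written for this page (not IBM's VPN policy tooling). The topology is an assumption the slide does not spell out: H1 and H3 sit behind GW1, H2 behind GW2, and an extra host H4 behind GW2 is added so that rule 1 has concrete flows to cover. `check_policy` runs the consistency checks centrally (every cross-gateway host pair must match exactly one rule, every rule must name an integrity algorithm) and, as a present-day addition the 1998 deck does not make, flags DES and HMAC-MD5 as legacy algorithms; `config_for` is the per-box view that each IPSec device would pull from the directory.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed topology (not given on the slide): which gateway fronts each host.
# H4 is an extra host added here so that rule 1 has concrete flows to cover.
TOPOLOGY = {"H1": "GW1", "H3": "GW1", "H2": "GW2", "H4": "GW2"}


@dataclass(frozen=True)
class Rule:
    name: str
    enforcers: Tuple[str, ...]              # boxes that negotiate the SA and must pull this rule
    encrypt: Optional[str]                  # None = authentication only
    auth: Optional[str]                     # None = policy did not name an integrity algorithm
    rekey_minutes: int
    pfs: bool
    pair: Optional[Tuple[str, str]] = None  # explicit host pair, or None for all cross-gateway flows
    exclude: Tuple[str, ...] = ()           # hosts carved out of an "all flows" rule


# The three rules from the sample policy, as structured data.
RULES = [
    Rule("rule1-gw-tunnel", ("GW1", "GW2"), "DES", "HMAC-MD5", 20, False, exclude=("H2", "H3")),
    Rule("rule2-h1-h2-e2e", ("H1", "H2"), "3DES", "HMAC-SHA1", 10, True, pair=("H1", "H2")),
    Rule("rule3-h2-h3-auth", ("GW1", "GW2"), None, None, 60, True, pair=("H2", "H3")),
]


def cross_gateway_pairs(topo):
    """Unordered host pairs whose traffic crosses the Internet between two gateways."""
    hosts = sorted(topo)
    return {(a, b) for i, a in enumerate(hosts) for b in hosts[i + 1:] if topo[a] != topo[b]}


def covered_pairs(rule, topo):
    """Host pairs a rule applies to, after its exclusions."""
    if rule.pair is not None:
        return {tuple(sorted(rule.pair))}
    return {p for p in cross_gateway_pairs(topo) if not set(p) & set(rule.exclude)}


def check_policy(rules, topo):
    """Consistency checks run centrally before any box pulls its configuration."""
    findings = []
    for pair in sorted(cross_gateway_pairs(topo)):
        hits = [r.name for r in rules if pair in covered_pairs(r, topo)]
        if not hits:
            findings.append(f"{pair[0]}<->{pair[1]}: no rule, traffic would cross the Internet in the clear")
        elif len(hits) > 1:
            findings.append(f"{pair[0]}<->{pair[1]}: matched by {hits}, policy is ambiguous")
    for r in rules:
        if r.auth is None:
            findings.append(f"{r.name}: integrity algorithm not specified")
        if r.encrypt == "DES" or r.auth == "HMAC-MD5":
            findings.append(f"{r.name}: DES/HMAC-MD5 are legacy algorithms by today's standards")
    return findings


def config_for(box, rules, topo):
    """What one IPSec box pulls from the directory: one SA spec per peer per rule it enforces."""
    sas = []
    for r in rules:
        if box not in r.enforcers:
            continue
        for peer in r.enforcers:
            if peer == box:
                continue
            sas.append({"rule": r.name, "peer": peer, "encrypt": r.encrypt, "auth": r.auth,
                        "rekey_minutes": r.rekey_minutes, "pfs": r.pfs,
                        "selectors": sorted(covered_pairs(r, topo))})
    return sas
```

With the assumed topology the checker reports that H3<->H4 has no rule at all: rule 1 carves H3 out and rule 3 only names the H2<->H3 flow, so H3's traffic to any other host behind GW2 would go out unprotected. That is exactly the kind of gap a natural-language policy hides and a central consistency check is meant to surface before the boxes pull their configuration.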
IBM Directory Management Clients and Servers Tivoli User Administration • Tivoli User Administration • Single-action Management • Cross Platform management for: • Domino, NT, Unix and Netware • OS/390 Security Server • LDAP directories
Meta-directory - Direction [diagram: a security meta-directory connected to RACF, NW 3.x, Suites, eNetwork LDAP Directory, HR DB, NT, Networking, Exchange, NDS, Netscape, Notes, ...] • Provides single logical namespace • Imports content & changes from connected directories • Exports content & changes to connected directories • Propagates content & changes from connected directories to other connected directories
Directory Requirements • Will it scale to meet my needs? • DB2 and eNetwork Dispatcher • Does it provide high levels of reliability? • Proven DB2 reliability • How much does it cost? • Directory provided at no charge • What applications use it? • Growing IBM and ISV support • Can you provide worldwide support? • Backed by IBM software support structure • Can I get help implementing it? • Supported by IBM Global Services
What About... • DCE • X.500 • Domino • NT
IBM DCE Evolution • DCE: • Integrated client/server environment • Directory, Security, Time, RPC • eNetwork Network Computing Services: • Integrated infrastructure: Directory and Security Server • Ease of use • IBM Software Servers • Toward Internet, Java and network computing applications
IBM eNetwork X.500 Directory [diagram: users reach the Directory through a DUA speaking DAP or LDAP to a DSA; DSAs chain to one another with DSP and replicate with DISP] • Based on IBM relationship with Telstra • Proven scale into the millions of entries • High availability through 1993 X.500 support • Network computing accessibility through support for LDAP • Shipping on AIX
Domino's Directory Assistance [diagram: Notes clients reach the Domino Public Address Book and, through a Master Address Book, Novell NDS and Internet LDAP/X.500 directories over LDAP] • Access to both Domino Public Address Books and LDAP directory servers • Provides a server proxy for any non-LDAP Notes client, i.e., R3 or R4 • Domino R5 will support LDAP V3
eNetwork and NT Direction • IBM will directory-enable our products based on LDAP as defined in our e-business application framework model • eNetwork and Microsoft NT Active Directory interoperability • Client to server interoperation • IBM clients to Active Directory • Microsoft clients to eNetwork LDAP Directory • Server to server interoperation • Referrals • eNetwork LDAP Directory will accept referrals from MS Active Directory • eNetwork LDAP Directory will also send referrals to MS Active Directory if it implements the LDAP referral mechanism • Schema and namespace • IBM is developing a common schema for its products • IBM is actively working to support industry standards through the DMTF and IETF
IBM vs. Microsoft • IBM: • Applications - Java based • Middleware - IBM, Lotus, 3rd party • Key based security • LDAP Directory • Atlas • Tivoli • Network - IBM, cross platform • Microsoft: • Applications - MS, etc. • Middleware - MS, etc. • Key based security • Active Directory • Wolfpack • SMS • Network - Cisco • NT 5.0
Summary • IBM is committed to: • Delivering mission critical, high performance, scalable LDAP directories across the leading industry platforms as infrastructure components • Directory-enabling our middleware and applications to reduce the cost of administration • Integrated directory and security offerings to enable e-business • Working with standards bodies to advance LDAP and deliver industry standard schemas • Providing management tools for seamless administration
For More Information • Directory Product Announcement Information • Directory Strategy • Directory Products Brochure • Security and Directory Industry Solution Guides • Security and Directory Evaluation Kit • Directory Reference Materials • Redbooks • Whitepapers (including the scaling guide) • Programming Reference • Administration Guide • Installation/Configuration Guide www.software.ibm.com/enetwork/directory