1 / 36

IBM Directory Strategy

IBM Directory Strategy. Rick Mayo IBM Directory Brand Manager mayor@us.ibm.com. Agenda. Directory Services Past, Present and Future Key Assumptions IBM Directory Strategy What About... Summary. Directories Past. Many different vendors have created their own directory services:

ingo
Download Presentation

IBM Directory Strategy

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. IBM Directory Strategy Rick Mayo IBM Directory Brand Manager mayor@us.ibm.com

  2. Agenda • Directory Services • Past, Present and Future • Key Assumptions • IBM Directory Strategy • What About... • Summary

  3. Directories Past • Many different vendors have created their own directory services: • They often targeted only a single area, e.g., • Notes Name & Address Book: support for Notes infrastructure • DCE Cell Directory Service: applications • Users installed them • The result: • Chaos!

  4. Directory Installed Base E-mail NT Domain Netware NDS Mainframe Netware Binderies Packaged Apps Homegrown Apps Database Apps Unix Other 82% 78% 66% 52% 46% 42% 38% 34% 26% 42% Interviews with 50 Fortune 1000 companies (multiple responses accepted) Source: Forrester

  5. Directories Today • The problem: • Every organization has too many directory services installed • The solution: • Simplify • Reduce the number of directory servers

  6. GlobalOrganization Integration Electronic Marketplace Extranet (Convergence/Connection) Work GroupCollaboration CustomerService InformationManagement BroadcastMedium InternalE-Mail &Data Posting ExternalE-Mail &Browsing Internet Progression Intranet Progression Directories in the Future "The Internet/Intranet expansion will have a significant impact on our directories. We have 36,000 employees to manage in our directories, and now we'll be adding 8 million customers!" (Forrester)

  7. LDAP Becomes The Standard Directory Access Method • The Lightweight Directory Access Protocol (LDAP) has arrived • It standardizes client access to a directory service • It's derived from X.500's Directory Access Protocol (DAP), but: • It runs over TCP/IP • It's much simpler

  8. An Aside: The Role of the Standards • The day of wholly proprietary directory services is over • Standards have arrived • The Internet is the most important source of standards today • The IETF has become very important • IBM, Lotus and Tivoli are actively involved with the IETF and DMTF to drive and enhance: • PKIX • DEN • Access Control • Replication • Common Schema

  9. Common Schema • The schema defines the kinds of information that can be stored in the directory • It's defined as: • Object classes • For example: Person • Attributes • Common name, telephone number, password, . . . • A common schema is being developed by IBM in concert with CIM initiative at the DMTF • Enables applications to share the same objects • Provides a common/consistent store

  10. A Single Directory Won't Win • There is a well-described link between solving business challenges with Information Technology • It is not sufficient to solve heterogeneous business problems with homogeneous information technology • multiple platforms • multiple operating systems • multiple applications • multiple directories...

  11. Big Picture Requirements Common Administration Enterprise Directory/ Certificate store • Single sign-on • Directory enabled apps. • Directory synchronization and management • Customers and employees • Access controls • Certificates • Products and services

  12. Directory Requirements • Will it scale to meet my needs? • Does it provide high levels of reliability? • How much does it cost? • What applications use it? • Can you provide worldwide support? • Can I get help implementing it?

  13. Billing DB2 Ordering Oracle People Soft Informix Data and Applications SAP Sybase Lotus Notes Ingres IBM Clients and Servers Vines IPX Communication Protocols NetBios TCP/IP Physical Networks Directory Support for e-business SNA • eNetwork LDAP directory across our operating systems and bundled with solutions • LDAP exploitation by: • Applications • Security • Networking • ISV and OEM support • Robust management and administrative capabilities

  14. IBM IBM eNetwork LDAP Directory Clients and Servers Wide Range of Platform Support Scale to millions of entries • Directory will be bundled with operating systems or solutions • Available today for: • AIX, OS/390, OS/400 • Web download for: • NT, Solaris • Features: • Proven relational database store • Client, Server and Java client • SSL V3 encryption and authentication • Replication • Access Control • HTTP Gateway • Web-based administration

  15. Why DB2 as a Data Store for IBM eNetwork Directory? • Highly scaleable data store • Atomic transaction • On-line backup and restore facility • Alternative replication support • Fast database loading facility • Powerful query engine

  16. IBM eNetwork LDAP Directory • Authentication options • none • clear text pass words • encrypted using SSL - server certificates / SSL • Access Control • Per Object and Attribute • Replication • LDAP or use DB2 replication • API support • LDAP C/C++, JNDI • Additional features: • Bulk load via LDIF • Supports LDAP Referrals

  17. DB1 DB2 LDAP Server DB3 Single Client / Multiple Server LDAP Client • Every database resides on one network node • LDAP server can connect to a number of networked databases for directory information • LDAP server stores all information without knowing in which database the data is actually stored • LDAP server is freed from managing physical storage

  18. NetworkDispatcher DB/2 Client +LDAP Server LDAP Clients Multiple Clients / Multiple Servers DB/2 Servers • Database clients can connect to any database server for directory information • The collection of database servers form a single image • More than one LDAP server can access the directory information • Network dispatcher deployed to route requests among the LDAP servers

  19. NetworkDispatcher DB/2 Client +LDAP Server LDAP Clients Multiple Clients / Parallel Super Server DB/2 Server • Solution to store huge amounts of information in a single database (tera-bytes) • DB2 PE automatically partitions the database into different machines (instead of partitioning the database from the application level • DB2 PE divides queries into smaller independent tasks that execute concurrently • Accommodates growth through appropriately sized resources

  20. Directories and Security (1) • There's a strong natural synergy between the two • Both store and access information of various kinds (some of it the same) • Both can benefit from replication of that information • Examples: • Information about user accounts • Certificates

  21. Directories and Security (2) • The rise of LDAP parallels the rise of distributed security standards • Example: Secure Sockets Layer (SSL) • Example: X.509 certificates • It's not possible to have a solid directory strategy without also having an integrated security strategy

  22. Suites Management Security Networking Web App. Dev. Platforms: Solaris 12/98 NT 12/98 OS/390 3/98 OS/400 9/98 AIX 3/98 Directory Exploiters Roadmap eNetwork LDAP Directory • NT Suites beta 1/99 • UDB • Comm. Svr. • CICS • Websphere • Suites SSO • Vault Registry- 1Q99 • Certificate storage • Tivoli Directory Mgt.- 9/98 • Tivoli User Administration support for LDAP • Communication Server NT 7/98 • Communication Server 390 3/99 • Websphere- 12/98 • Stores users, groups, passwords and application configuration

  23. eNetwork LDAP Partners eNetwork LDAP Directory Dascom Security Dynamics Allot Communications • Intranet security solution • Security products • Network tools and mgmt. apps. Triangulum Software enCommerce Inc. • Web access management • DCE CDS to LDAP Netegrity Persistent Systems • Access control for the web • LDAP and RDBMS integration

  24. Company security policy: profiles, natural language descriptions, VPN topology,... GUI/Schema Mapping VPN Policy Direction LDAP Flows with IPSec config data eNetwork LDAP Directory • Map "Policy" into GUI into VPN Schema • Pre-defined profiles for typical configurations: • Branch Office Interconnect • Supplier Networks • Remote Access • Centralized definition for all IPSec boxes in a given VPN • consistency checking • company-wide definition • Database management: • individual boxes "pull in" their own configuration data

  25. H2 H1 H2 GW3 GW1 GW2 H3 Sample Configuration Example VPN Policy INTERNET 1. GW1 and GW2 must encrypt and authenticate from all hosts, except from H2 and H3, that flows between GW1 and GW2, using DES and HMAC-MD5. Keys must be refreshed at least once every 20 minutes. 2. Traffic from H1 to H2 must be encrypted and authenticated end-to-end using 3DES and HMAC-SHA1. Keys must be refreshed at least once very 10 minutes with PFS. 3. Traffic between H2 nd H3 must be authenticated by GW2 and GW1. Keys must be refreshed with PFS once every 60 minutes.

  26. IBM Directory Management Clients and Servers Tivoli User Administration • Tivoli User Administration • Single-action Management • Cross Platform management for: • Domino, NT, Unix and Netware • OS/390 Security Server • LDAP directories

  27. RACF NW 3.x Suites eNetwork LDAP Directory HR DB ... Security Meta-directory NT Networking Exchg ... NDS Ntscp Notes Meta-directory - Direction • Provides single logical namespace • Imports content & changes from connected directories • Exports content & changes to connected directories • Propagates content & changes from connected directories to other connected directories

  28. Directory Requirements • Will it scale to meet my needs? • DB2 and eNetwork Dispatcher • Does it provide high levels of reliability? • Proven DB2 reliability • How much does it cost? • Directory provided at no charge • What applications use it? • Growing IBM and ISV support • Can you provide worldwide support? • Backed by IBM software support structure • Can I get help implementing it? • Supported by IBM Global Services

  29. What About... • DCE • X.500 • Domino • NT

  30. IBM DCE Evolution DCE • Integrated Client/Server Environment • Directory, Security, Time, RPC Internet Java Network Computing Applications eNetwork Network Computing Services • Integrated Infrastructure Directory and Security Server • Ease of Use • IBM Software Servers

  31. User DUA DSA DAP LDAP DSP DSP User DSA DSA DISP DAP LDAP DISP DUA The Directory IBM eNetwork X.500 Directory • Based on IBM relationship with Telstra • Proven scale into the millions of entries • High availability through 1993 X.500 support • Network computing accessibility through support for LDAP • Shipping on AIX

  32. Domino's Directory Assistance Novell NDS Public Address Book Master Address Book LDAP LDAP LDAP Public Address Book Internet Directories LDAP/X.500 Notes Clients • Access to both Domino Public Address Books and LDAP directory servers • Provides a server proxy for any non-LDAP Notes client i.e., R3 or R4 • Domino R5 will support LDAP V3

  33. eNetwork and NT Direction • IBM will directory enable our products based on LDAP as defined in our e-business application framework model • eNetwork and Microsoft NT Active Directory interoperability • Client to server interoperation • IBM clients to Active Directory • Microsoft clients to eNetwork LDAP Directory • Server to server interoperation • Referrals • eNetwork LDAP Directory will accept referrals from MS Active Directory • eNetwork LDAP Directory will also send referrals to MS Active Directory if it implements the LDAP referral mechanism • Schema and Namespace • IBM is developing a common schema for its products • IBM is actively working to support industry standards through the DMTF and IETF

  34. IBM vs. Microsoft IBM Applications- Java based Middleware - IBM, Lotus, 3rd party Key Based Security LDAP Directory Atlas Tivoli Network - IBM Cross platform Microsoft Applications - MS, etc. Key Based Security Middleware - MS, etc. Active Directory Wolfpack SMS Network - Cisco NT 5.0

  35. Summary • IBM is committed to: • Delivering mission critical, high performance, scaleable LDAP directories across the leading industry platforms as infrastructure components • Directory enabling our middleware and applications to reduce the cost of administration • Integrated directory and security offerings to enable e-business • Working with standards bodies to advance LDAP and deliver industry standard schemas • Providing management tools for seamless administration

  36. For More Information • Directory Product Announcement Information • Directory Strategy • Directory Products Brochure • Security and Directory Industry Solution Guides • Security and Directory Evaluation Kit • Directory Reference Materials • Redbooks • Whitepapers (including the scaling guide) • Programming Reference • Administration Guide • Installation/Configuration Guide www.software.ibm.com/enetwork/directory

More Related