Multiple, Load-Balanced Servers
Hitachi ID Group Manager supports multiple, load-balanced servers.
Each server can host multiple Group Manager instances, each with its own
users, target systems, features and policies.
Group Manager must be installed on a Windows Server 2012 or 2012 R2 server.
Installing on a Windows server allows Group Manager to leverage
client software for most types of target systems, which is available
only on the "Wintel" platform. In turn, this makes it possible for
Group Manager to manage passwords and accounts on target systems without
installing a server-side agent.
The Group Manager server must also be configured with a web server.
Since the Group Manager application is implemented as CGI executables,
any web server will work. The Group Manager installation program
can detect and automatically configure IIS but Apache can be
manually configured instead if required.
Group Manager is a security application and should be locked down accordingly.
Refer to the Hitachi ID Systems document on hardening Group Manager
servers for the full procedure. In short, most of the native
Windows services can and should be removed, leaving a very small
attack surface with exactly one inbound TCP/IP port (443):
- No ASP, JSP or PHP are used, so such engines should be disabled.
- .NET is not required on the web portal and in most cases can be
disabled on IIS.
- No ODBC or DCOM are required inbound, so these services should
be filtered or disabled.
- File sharing (inbound, outbound) should be disabled.
- Remote registry services should be disabled.
- Inbound TCP/IP connections should be firewalled, allowing only port
443 and possibly remote desktop services (often required for some
configuration tasks), plus a handful of port numbers between Group Manager
servers, for replication.
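One way to apply that lockdown and then verify what is actually exposed afterwards, as an added PowerShell example for a Windows Server 2012 R2 host running IIS. This is not Hitachi ID's own hardening script: the replication peer addresses and port numbers are placeholders (the page says only "a handful of port numbers"), the IIS role-service names are the standard Windows Server feature names, and the "Core Networking" firewall group is kept so that basic IP connectivity survives the default-deny.

```powershell
# Added example (not Hitachi ID's script): lock down inbound exposure per the
# list above, then report the allow rules and TCP listeners that remain.
# Placeholders (not from the page): peer addresses (TEST-NET range) and ports.
#Requires -RunAsAdministrator

$ReplicationPeers   = @('192.0.2.10', '192.0.2.11')   # other Group Manager nodes (placeholder)
$ReplicationPorts   = @('8000', '8001')               # replication ports (placeholder; see product docs)
$AllowRemoteDesktop = $true                           # page: RDP is "possibly" needed for configuration

# --- 1. Firewall: default-deny inbound, keep core networking, re-allow only listed ports ---
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block -DefaultOutboundAction Allow
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { $_.DisplayGroup -ne 'Core Networking' } |
    Disable-NetFirewallRule                           # clears the built-in inbound allows

New-NetFirewallRule -DisplayName 'GM HTTPS inbound' -Direction Inbound -Protocol TCP `
    -LocalPort 443 -Action Allow | Out-Null
if ($AllowRemoteDesktop) { Enable-NetFirewallRule -DisplayGroup 'Remote Desktop' }
New-NetFirewallRule -DisplayName 'GM replication from peers' -Direction Inbound -Protocol TCP `
    -LocalPort $ReplicationPorts -RemoteAddress $ReplicationPeers -Action Allow | Out-Null

# --- 2. Services the page says are not needed: remote registry and SMB file sharing ---
foreach ($svc in 'RemoteRegistry', 'LanmanServer') {
    Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
    Set-Service  -Name $svc -StartupType Disabled
}
Disable-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue

# --- 3. IIS: the application is CGI, so remove the ASP and .NET engines and keep Web-CGI ---
Import-Module ServerManager
$unneeded  = 'Web-ASP', 'Web-Asp-Net', 'Web-Asp-Net45', 'Web-Net-Ext', 'Web-Net-Ext45'
$installed = Get-WindowsFeature -Name $unneeded | Where-Object Installed | Select-Object -ExpandProperty Name
if ($installed) { Uninstall-WindowsFeature -Name $installed | Out-Null }

# --- 4. Verify: enabled inbound allow rules with their ports, plus every TCP listener ---
function Get-InboundExposure {
    $rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{ Rule = $_.DisplayName; Protocol = $pf.Protocol; LocalPort = ($pf.LocalPort -join ',') }
    }
    $listeners = Get-NetTCPConnection -State Listen | Select-Object -Unique LocalPort | Sort-Object LocalPort
    [pscustomobject]@{ AllowRules = $rules; ListeningTcpPorts = $listeners.LocalPort }
}

$exposure = Get-InboundExposure
$exposure.AllowRules | Format-Table -AutoSize
'Listening TCP ports: ' + ($exposure.ListeningTcpPorts -join ', ')
```

Run it in an elevated session after exporting the current firewall policy (`netsh advfirewall export`) so the change can be reversed. The final listener list is the useful output: anything listening that is not 443, the RDP port, or a replication port is either a service that still needs to be removed or, if it is bound only to localhost (e.g. the local SQL Server instance), something the default-deny already hides from the network.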
Each Group Manager server requires a database instance. Microsoft SQL Server 2012 is the
most common option; Microsoft SQL Server 2014 will be officially supported in Q1 2016.
Oracle Database is also supported in the current release.
Note: support for using an Oracle database is being discontinued
as of version 10.0, which is scheduled for release in Q1 2016.
Production Group Manager application servers are normally configured
- Hardware requirements or equivalent VM capacity:
  - An Intel Xeon or similar CPU. Multi-core CPUs are supported and leveraged.
  - At least 8GB RAM -- 16GB or more is typical for a server.
  - At least 500GB disk, preferably configured as RAID for reliability and
    preferably larger for retention of more historical and log data.
    More disk is always better, to increase log retention.
  - At least one Gigabit Ethernet NIC.
- Operating system:
  - Windows Server 2012 R2, with current service packs.
  - The server should not normally be a domain controller and in
    most deployments is not a domain member.
- Installed and tested software on the server:
  - TCP/IP networking, with a static IP address and DNS name.
  - IIS web server with an SSL certificate.
  - At least one web browser and PDF viewer.
  - A database instance to host the Group Manager schema.
    Microsoft SQL Server 2012 is recommended (Oracle 11gR2 is supported
    but will be discontinued with the 10.0 release).
The SQL Server database software can be deployed on the same server
as the Group Manager application, as this reduces hardware cost and
allows application administrators full DBA access for troubleshooting
and performance tuning purposes.
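A pre-installation readiness check against the list above, as an added PowerShell example that is not Hitachi ID's own tooling. The thresholds are taken directly from the list; the script assumes (not stated on the page) that the SQL Server instance listens on TCP 1433 on the local host and that the IIS site carrying the SSL certificate is named "Default Web Site", both of which are parameters.

```powershell
# Added example (not Hitachi ID's tooling): report pass/fail for each
# sizing and software prerequisite listed above on the current host.
# Assumptions (not from the page): SQL on localhost:1433, IIS site 'Default Web Site'.
Import-Module WebAdministration -ErrorAction SilentlyContinue

function Test-GroupManagerHostReadiness {
    param(
        [string]$SqlHost = 'localhost',
        [int]   $SqlPort = 1433,
        [string]$IisSite = 'Default Web Site'
    )
    $cs     = Get-CimInstance Win32_ComputerSystem
    $os     = Get-CimInstance Win32_OperatingSystem
    $cpu    = Get-CimInstance Win32_Processor
    $ramGB  = [math]::Round($cs.TotalPhysicalMemory / 1GB)
    $cores  = ($cpu | Measure-Object -Property NumberOfCores -Sum).Sum
    $diskGB = [math]::Round((Get-Volume -DriveLetter $env:SystemDrive[0]).Size / 1GB)

    # Networking and software items from the list
    $staticIPv4 = Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.PrefixOrigin -eq 'Manual' }
    $fqdn       = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $gigNic     = Get-NetAdapter -Physical | Where-Object { $_.Status -eq 'Up' -and $_.LinkSpeed -match 'Gbps' }
    $httpsBind  = if (Get-Command Get-WebBinding -ErrorAction SilentlyContinue) {
                      Get-WebBinding -Name $IisSite -Protocol https -ErrorAction SilentlyContinue
                  } else { $null }
    $sqlUp      = (Test-NetConnection -ComputerName $SqlHost -Port $SqlPort -WarningAction SilentlyContinue).TcpTestSucceeded

    $checks = [ordered]@{
        'Windows Server 2012 R2'               = $os.Caption -match '2012 R2'
        'Not a domain controller'              = $cs.DomainRole -lt 4     # 4 = backup DC, 5 = primary DC
        'Multi-core CPU'                       = $cores -ge 2
        'RAM >= 8 GB (16 GB typical)'          = $ramGB -ge 8
        'System disk >= 500 GB'                = $diskGB -ge 500
        'Gigabit NIC up'                       = [bool]$gigNic
        'Static IPv4 address'                  = [bool]$staticIPv4
        'DNS name resolves'                    = $fqdn -like '*.*'
        'IIS HTTPS binding present'            = [bool]$httpsBind
        "SQL reachable on ${SqlHost}:$SqlPort" = $sqlUp
    }
    foreach ($k in $checks.Keys) {
        [pscustomobject]@{ Check = $k; Pass = [bool]$checks[$k] }
    }
}

Test-GroupManagerHostReadiness | Format-Table -AutoSize
```

The disk check measures only the system volume; where the data is on a separate RAID, NAS or SAN volume, pass that drive letter instead. The "Not a domain controller" row uses the Win32_ComputerSystem DomainRole value, so a domain member server (role 3) still passes, matching the page's wording that membership is merely uncommon rather than prohibited.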
In addition to a web/application server, Group Manager requires a database
server. In most environments, the Microsoft SQL Server software is
installed on the same hardware or VM as the Group Manager software, on each
Group Manager server node. This reduces hardware cost, eliminates network
latency and reduces the security surface of the combined solution.
Database I/O on a virtualized filesystem (e.g., a VMDK or
equivalent) performs relatively poorly. Accordingly, if a VM is used to
host the database server software, consider a NAS or SAN solution
for the actual data storage.
Group Manager can leverage an existing database server cluster. Hitachi ID Systems
recommends a dedicated database server instance, however, for a number
- The data managed by Group Manager is extremely sensitive, so it is
desirable to minimize the number of DBAs who can access it (despite
use of encryption).
- MSSQL has limited features to isolate workloads between
database instances on the same server. This means that a burst of
activity from Group Manager (as happens during nightly auto-discovery)
would cause slow responses in other applications. Conversely, other
applications experiencing high DB load would slow down Group Manager.
- Group Manager already includes real-time, fault-tolerant, WAN-friendly,
encrypted database replication between application nodes, each with
its own back-end database. Use of an expensive DB server cluster
is neither required nor beneficial.