Technology
Hitachi ID Facebook Page Hitachi ID Twitter Page Find us on Google+ Hitachi ID YouTube Page

Server Requirements

Multiple, Load-Balanced Servers

Hitachi ID Group Manager supports multiple, load-balanced servers.

Each server can host multiple Group Manager instances, each with its own users, target systems, features and policies.

Server Platform

Group Manager must be installed on a Windows 2008R2 or 2012 server.

Installing on a Windows server allows Group Manager to leverage client software for most types of target systems, which is available only on the "Wintel" platform. In turn, this makes it possible for Group Manager to manage passwords and accounts on target systems without installing a server-side agent.

The Group Manager server must also be configured with a web server. Since the Group Manager application is implemented as CGI executables, any web server will work. The Group Manager installation program can detect and automatically configure IIS or Apache web servers, but other web servers can be configured manually.

Group Manager is a security application and should be locked down accordingly. Please refer to the Hitachi ID Systems document about hardening Group Manager servers to learn how to do this. In short, most of the native Windows services can and should be removed, leaving a very small attack surface, with exactly one inbound TCP/IP port (443):

  1. IIS is not required (Apache is a reasonable substitute).
  2. No ASP, JSP or PHP are used, so these engines should be disabled.
  3. .NET is not required on the web portal and in most cases can be disabled on IIS.
  4. No ODBC or DCOM are required inbound, so these services should at least be filtered.
  5. File sharing should be disabled.
  6. Remote registry services should be disabled.
  7. Inbound TCP/IP connections should be firewalled, allowing only port 443 and possibly terminal services (often required for some configuration tasks).

Server Configuration

(1) Each Group Manager server is configured as follows:

In addition to a web/application server, Group Manager requires a database server. In most environments, the database server software (Microsoft SQL Server or Oracle Database Server) is installed on the same hardware or VM as the Group Manager software, on each Group Manager server node. This reduces hardware cost, eliminates network latency and reduces the security surface of the combined solution.

Database I/O performance on a virtualized filesystem (e.g., VMDK or equivalent) may not be ideal. If a VM is used to host the database server software, please consider a NAS or SAN solution for disk I/O.

Group Manager can leverage an existing database server cluster. Hitachi ID Systems recommends a dedicated database server instance, however, for a number of reasons:

  1. The data managed by Group Manager is extremely sensitive, so it is desirable to minimize the number of DBAs who can access it (despite use of encryption).
  2. MSSQL and Oracle have almost zero ability to isolate workloads between database instances on the same server. This means that a burst of activity from Group Manager (as happens during nightly auto-discovery) would cause slow responses in other applications. Conversely, other applications experiencing high DB load would slow down Group Manager.
  3. Group Manager already includes real-time, fault-tolerant, WAN-friendly, encrypted database replication between application nodes, each with its own back-end database. Use of an expensive DB server cluster is neither required nor beneficial.