Multiple, Load-Balanced Servers
Hitachi ID Identity Manager supports multiple, load-balanced servers.
Each server can host multiple Identity Manager instances, each with its own
users, target systems, features and policies.
Identity Manager instances can and normally do span multiple servers.
Every server hosting a given instance is functionally identical.
User traffic is load balanced between servers supporting the instance.
Load balancing may be accomplished using DNS (round-robin is built into
most DNS servers) or at the IP level with a device from Cisco, F5, etc.
High availability is accomplished by combining load balancing with
server health monitoring and automatic fail-out. Identity Manager includes
server monitoring tools that can be configured on each server to
monitor its peers and when a failure is detected to trigger an
alarm (e.g., by e-mail) and to automatically update DDNS records
to remove the failed server from circulation. Hitachi ID Systems also provides
these tools for Unix/BIND with traditional DNS.
There is no coded limit to the number of concurrent, replicated servers.
In practice, with more than 10 servers, replication may become slow.
Since the three largest customers of Hitachi ID Systems run with just two production
servers each, this is only a theoretical problem.
Identity Manager must be installed on a Windows 2008R2 or 2012 server.
Installing on a Windows server allows Identity Manager to leverage
client software for most types of target systems, which is available
only on the "Wintel" platform. In turn, this makes it possible for
Identity Manager to manage passwords and accounts on target systems without
installing a server-side agent.
The Identity Manager server must also be configured with a web server.
Since the Identity Manager application is implemented as CGI executables,
any web server will work. The Identity Manager installation program
can detect and automatically configure IIS or Apache
web servers, but other web servers can be configured manually.
Identity Manager is a security application and should be locked down accordingly.
Please refer to the Hitachi ID Systems document about hardening Identity Manager
servers to learn how to do this. In short, most of the native
Windows services can and should be removed, leaving a very small
attack surface, with exactly one inbound TCP/IP port (443):
- IIS is not required (Apache is a reasonable substitute).
- No ASP, JSP or PHP are used, so these engines should be disabled.
- .NET is not required on the web portal and in most cases can be
disabled on IIS.
- No ODBC or DCOM are required inbound, so these services should at
least be filtered.
- File sharing should be disabled.
- Remote registry services should be disabled.
- Inbound TCP/IP connections should be firewalled, allowing only port
443 and possibly remote desktop services (often required for some
Each Identity Manager server requires a database instance. SQL 2008R2 or
SQL 2012 are the most common options, but Oracle database is also
Application Server Hardware and Operating System
Production Identity Manager application servers are normally configured
- Hardware requirements or equivalent VM capacity:
- An Intel Xeon or similar CPU.
Multi-core CPUs are supported and leveraged.
- At least 8GB RAM -- 16GB or more is typical for a server.
- At least 500GB disk, preferably configured as RAID for reliability and
preferably larger for retention of more historical and log data.
More disk is always better, to increase log retention.
- At least one Gigabit Ethernet NIC.
- Operating system:
- Windows 2012R2 Server, with current service packs.
- The server should not normally be a domain controller and in
most deployments is not a domain member.
- Installed and tested software on the server:
- TCP/IP networking, with a static IP address and DNS name.
- Web server (usually IIS).
- Client software: web browser, Acrobat or other PDF reader,
native clients for the systems that Identity Manager needs to interface
- SQL Server client or Oracle client to connect to the Identity Manager
- SSL server certificate, for HTTPS connections to the web
portal and SOAP API.
- A database instance is required to host the Identity Manager schema.
Most customers use Microsoft SQL Server 2012, but Oracle 11gR2 is
also supported. The SQL Server database software can be deployed
on the same server as the Identity Manager application, as this reduces
hardware cost and allows application administrators full DBA access
for troubleshooting and performance tuning purposes.
In addition to a web/application server, Identity Manager requires a database
server. In most environments, the database server software (Microsoft
SQL Server or Oracle Database Server) is installed on the same
hardware or VM as the Identity Manager software, on each Identity Manager server node.
This reduces hardware cost, eliminates network latency and reduces
the security surface of the combined solution.
Database I/O performance on a virtualized filesystem (e.g., VMDK or
equivalent) may not be ideal. If a VM is used to host the database
server software, please consider a NAS or SAN solution for disk I/O.
Identity Manager can leverage an existing database server cluster. Hitachi ID Systems
recommends a dedicated database server instance, however, for a number
- The data managed by Identity Manager is extremely sensitive, so it is
desirable to minimize the number of DBAs who can access it (despite
use of encryption).
- MSSQL and Oracle have limited ability to isolate workloads between
database instances on the same server. This means that a burst of
activity from Identity Manager (as happens during nightly auto-discovery)
would cause slow responses in other applications. Conversely, other
applications experiencing high DB load would slow down Identity Manager.
- Identity Manager already includes real-time, fault-tolerant, WAN-friendly,
encrypted database replication between application nodes, each with
its own back-end database. Use of an expensive DB server cluster
is neither required nor beneficial.
The Identity Manager replicating data service can be configured to use
any of the following SQL database engines as its physical
- Oracle 11gR1 or 11gR2, Enterprise Edition.
- Microsoft SQL Server 2008 and 2008R2, Enterprise Edition.
- Microsoft SQL Server 2012 and 2012R2, Standard Edition (64-bit)
- Microsoft SQL Server 2008, Express Edition, with Advanced Services
(free download from http://microsoft.com/).
While the database server may be 32 or 64 bit, a 32-bit DB client is
currently required. Hitachi ID Systems
will switch from 32-bit application
server code to 64-bit server code once adoption of Windows 2008R2
becomes dominant among our customers. This will occur in release 9.0 of
Hitachi ID Identity and Access Management Suite.