Hitachi ID Identity Manager supports multiple, load-balanced servers.
Each server can host multiple Identity Manager instances, each with its own users, target systems, features and policies.
Identity Manager instances can and normally do span multiple servers. Every server hosting a given instance is functionally identical. User traffic is load balanced between servers supporting the instance. Load balancing may be accomplished using DNS (round-robin is built into most DNS servers) or at the IP level with a device from Cisco, F5, etc.
High availability is accomplished by combining load balancing with server health monitoring and automatic fail-out. Identity Manager includes server monitoring tools that can be configured on each server to monitor its peers; when a failure is detected, they trigger an alarm (e.g., by e-mail) and automatically update DDNS records to remove the failed server from circulation. Hitachi ID Systems also provides these tools for Unix/BIND with traditional DNS.
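The peer-monitoring and DNS fail-out loop described above, as an added illustration rather than Hitachi ID's own tooling. It assumes the instance is published as several A records under one name, that each server answers HTTPS on port 443, and that the DNS server accepts RFC 2136 dynamic updates in nsupdate syntax; the zone, host name and IPs are constructed sample values.

```python
"""Peer health monitor with round-robin DNS fail-out (added example)."""
import socket
import ssl
from dataclasses import dataclass

FAIL_THRESHOLD = 3  # consecutive failed probes before a peer is failed out


@dataclass
class Peer:
    ip: str
    failures: int = 0
    in_dns: bool = True


def tls_probe(ip: str, server_name: str, timeout: float = 3.0) -> bool:
    """Live probe: TCP connect plus a verified TLS handshake on 443 (the only
    inbound port a hardened server exposes). True means the peer is healthy."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, 443), timeout=timeout) as sock, \
                ctx.wrap_socket(sock, server_hostname=server_name):
            return True
    except OSError:  # ssl.SSLError is an OSError subclass
        return False


def evaluate_pool(zone, name, peers, probe):
    """Probe every peer once and return (nsupdate script lines, alarms).
    A peer leaves DNS after FAIL_THRESHOLD consecutive failures and is re-added
    when it answers again. The last record is never deleted, so a monitor bug or
    a total outage cannot empty the pool and make the instance unreachable."""
    updates, alarms = [], []
    for p in peers:
        if probe(p.ip):
            if not p.in_dns:
                updates.append(f"update add {name}.{zone}. 60 A {p.ip}")
                alarms.append(f"{p.ip} recovered; re-added to {name}.{zone}")
                p.in_dns = True
            p.failures = 0
            continue
        p.failures += 1
        if p.in_dns and p.failures >= FAIL_THRESHOLD:
            if sum(q.in_dns for q in peers if q is not p) == 0:
                alarms.append(f"{p.ip} failed but is the last record; not removed")
            else:
                updates.append(f"update delete {name}.{zone}. A {p.ip}")
                alarms.append(f"{p.ip} failed {p.failures} probes; removed from {name}.{zone}")
                p.in_dns = False
    if updates:  # nsupdate needs a server/zone header and a trailing send
        updates = [f"server ns1.{zone}", f"zone {zone}"] + updates + ["send"]
    return updates, alarms


def demo():
    """Constructed scenario: 10.0.0.2 stays down for three probe rounds."""
    peers = [Peer("10.0.0.1"), Peer("10.0.0.2")]
    result = None
    for _ in range(FAIL_THRESHOLD):
        result = evaluate_pool("example.com", "idm", peers, lambda ip: ip != "10.0.0.2")
    return result
```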
There is no coded limit to the number of concurrent, replicated servers. In practice, with more than 10 servers, replication may become slow. Since the three largest customers of Hitachi ID Systems run with just two production servers each, this is only a theoretical problem.
Identity Manager must be installed on a Windows Server 2008 R2 or 2012 server.
Installing on a Windows server allows Identity Manager to leverage client software for most types of target systems, which is available only on the "Wintel" platform. In turn, this makes it possible for Identity Manager to manage passwords and accounts on target systems without installing a server-side agent.
The Identity Manager server must also be configured with a web server. Since the Identity Manager application is implemented as CGI executables, any web server will work. The Identity Manager installation program can detect and automatically configure IIS or Apache web servers, but other web servers can be configured manually.
Identity Manager is a security application and should be locked down accordingly. Please refer to the Hitachi ID Systems document about hardening Identity Manager servers to learn how to do this. In short, most of the native Windows services can and should be removed, leaving a very small attack surface, with exactly one inbound TCP/IP port (443).
Each Identity Manager server requires a database instance. SQL Server 2008 R2 and SQL Server 2012 are the most common options, but Oracle Database is also supported.
(1) Each Identity Manager server is configured as follows:
In addition to a web/application server, Identity Manager requires a database server. In most environments, the database server software (Microsoft SQL Server or Oracle Database Server) is installed on the same hardware or VM as the Identity Manager software, on each Identity Manager server node. This reduces hardware cost, eliminates network latency and reduces the security surface of the combined solution.
Database I/O performance on a virtualized filesystem (e.g., VMDK or equivalent) may not be ideal. If a VM is used to host the database server software, please consider a NAS or SAN solution for disk I/O.
Identity Manager can leverage an existing database server cluster. Hitachi ID Systems recommends a dedicated database server instance, however, for a number of reasons:
The Identity Manager replicating data service can be configured to use any of the following SQL database engines as its physical data store: