Hitachi ID Password Manager server requirements
Multiple, Load-Balanced Servers
Hitachi ID Password Manager supports multiple, load-balanced servers.
Each server can host multiple Password Manager instances, each with its own users, target systems, features and policies.
Password Manager instances can and normally do span multiple servers. Every server hosting a given instance is functionally identical. User traffic is load balanced between servers supporting the instance. Load balancing may be accomplished using DNS (round-robin is built into most DNS servers) or at the IP level with a device from Cisco, F5, etc.
High availability is accomplished by combining load balancing with server health monitoring and automatic fail-out. Password Manager includes server monitoring tools that can be configured on each server to monitor its peers and when a failure is detected to trigger an alarm (e.g., by e-mail) and to automatically update DDNS records to remove the failed server from circulation. Hitachi ID Systems also provides these tools for Unix/BIND with traditional DNS.
There is no coded limit to the number of concurrent, replicated servers. In practice, with more than 10 servers, replication may become slow. Since the three largest customers of Hitachi ID Systems run with just two production servers each, this is only a theoretical problem.
Password Manager must be installed on a Windows 2008 or Windows 2008R2 server.
Installing on a Windows server allows Password Manager to leverage client software for most types of target systems, which is available only on the "Wintel" platform. In turn, this makes it possible for Password Manager to manage passwords and accounts on target systems without installing a server-side agent.
The Password Manager server must also be configured with a web server. Since the Password Manager application is implemented as CGI executables, any web server will work. The Password Manager installation program can detect and automatically configure IIS or Apache web servers, but other web servers can be configured manually.
Password Manager is a security application and should be locked down accordingly. Please refer to the Hitachi ID Systems document about hardening Password Manager servers to learn how to do this. In short, most of the native Windows services can and should be removed, leaving a very small attack surface, with exactly one inbound TCP/IP port (443):
- IIS is not required (Apache is a reasonable substitute).
- No ASP, JSP or PHP are used, so these engines should be disabled.
- .NET is not required on the web portal and in most cases can be disabled on IIS.
- No ODBC or DCOM are required inbound, so these services should at least be filtered.
- File sharing should be disabled.
- Remote registry services should be disabled.
- Inbound TCP/IP connections should be firewalled, allowing only port 443 and possibly terminal services (often required for some configuration tasks).
(1) Each Password Manager server is configured as follows:
- Hardware requirements:
- An Intel or AMD X86 CPU. Multi-core CPUs are supported and leveraged.
- At least 4GB RAM -- 8GB or more is typical for a server.
- At least 100GB disk, preferably configured as RAID for reliability and preferably larger for retention of more historical and log data. More disk is always better, to increase log retention.
- At least one Gigabit Ethernet NIC.
A virtual machine with similar specifications and resources allocated may also be used.
- Operating system:
- Windows Windows 2008 (or R2) Server with current service packs.
- The server should not normally be a domain controller and in most deployments is not a domain member.
- Installed and tested software on the server:
- TCP/IP networking, with a static IP address and DNS name.
- Web server (Apache/Windows or IIS or).
- Client software: web browser, Acrobat reader (to read the manual) native clients for the systems that Password Manager needs to interface with.
- SQL Server client or Oracle client to connect to the Password Manager database. Please note that the SQL or Oracle client must include 32-bit client libraries as of the current release.
- If the Password Manager database is local (reduces hardware cost; not recommended on a VM), then SQL Server or Oracle Database.
- SSL server certificate, to support HTTPS connections to the web user interface and SOAP API.
In addition to a web server, Password Manager requires a database server. In most environments, the database server software (Microsoft SQL Server or Oracle Database Server) can be installed on the same hardware as the Password Manager software. This reduces hardware cost, eliminates network latency and reduces the security surface of the combined solution.
In large deployments, a separate database server may be required, so as to distribute the processing load between application and data components. In these cases, the database server is typically configured similarly to the application server and co-located with the application.
Database performance on a VM with virtualized I/O may not be ideal. If a VM is used to host the DBMS software, please consider a NAS or SAN solution for disk I/O.
Password Manager can leverage an existing database server cluster. Hitachi ID Systems recommends a dedicated database server, however, for a number of reasons:
- The data managed by Password Manager is extremely sensitive, so it is desirable to minimize the number of DBAs who can access it (despite use of encryption).
- MSSQL and Oracle have almost zero ability to isolate workloads between database instances on the same server. This means that a burst of activity from Password Manager (as happens during nightly auto-discovery) would cause slow responses in other applications. Conversely, other applications experiencing high DB load would slow down Password Manager.
- Password Manager already includes real-time, fault-tolerant, WAN-friendly, encrypted database replication between application nodes, each with its own back-end database. Use of an expensive DB server cluster is neither required nor beneficial because of this.
The Password Manager replicating data service can be configured to use any of the following SQL database engines as its physical data store:
- Oracle 11gR1 or 11gR2, Enterprise Edition.
- Microsoft SQL Server 2008 and 2008R2, Enterprise Edition.
- Microsoft SQL Server 2008, Express Edition, with Advanced Services (free download from http://microsoft.com/).