Skip to main content

Hitachi ID Password Manager server requirements

Multiple, Load-Balanced Servers

Hitachi ID Password Manager supports multiple, load-balanced servers.

Each server can host multiple Password Manager instances, each with its own users, target systems, features and policies.

Password Manager instances can and normally do span multiple servers. Every server hosting a given instance is functionally identical. User traffic is load balanced between servers supporting the instance. Load balancing may be accomplished using DNS (round-robin is built into most DNS servers) or at the IP level with a device from Cisco, F5, etc.

High availability is accomplished by combining load balancing with server health monitoring and automatic fail-out. Password Manager includes server monitoring tools that can be configured on each server to monitor its peers and when a failure is detected to trigger an alarm (e.g., by e-mail) and to automatically update DDNS records to remove the failed server from circulation. Hitachi ID Systems also provides these tools for Unix/BIND with traditional DNS.

There is no coded limit to the number of concurrent, replicated servers. In practice, with more than 10 servers, replication may become slow. Since the three largest customers of Hitachi ID Systems run with just two production servers each, this is only a theoretical problem.

Server Platform

Password Manager must be installed on a Windows 2012 or Windows 2012/R2 server.

Installing on a Windows server allows Password Manager to leverage client software for most types of target systems, which is available only on the "Wintel" platform. In turn, this makes it possible for Password Manager to manage passwords and accounts on target systems without installing a server-side agent.

Each Password Manager application server requires a web server. IIS is used as it comes with the Windows 2012 Server OS.

Password Manager is a security application and should be locked down accordingly. Please refer to the Hitachi ID Systems document about hardening Password Manager servers to learn how to do this. In short, most of the native Windows services can and should be removed, leaving a very small attack surface, with exactly one inbound TCP/IP port (443):

  1. No ASP, JSP or PHP are used, so such engines should be disabled.
  2. .NET is not required on the web portal and in most cases can be disabled on IIS.
  3. No ODBC or DCOM are required inbound, so these services should be filtered or disabled.
  4. File sharing (inbound, outbound) should be disabled.
  5. Remote registry services should be disabled.
  6. Inbound TCP/IP connections should be firewalled, allowing only port 443 and possibly remote desktop services (often required for some configuration tasks), plus a handful of port numbers between Password Manager servers, for replication.

Each Password Manager server requires a database instance. Microsoft SQL 2012 is the recommended choice, Microsoft SQL 2014 will be officially supported in 2016. Oracle database is supported on versions up to 9.0.x and is not supported on 10.0 or later releases.

Server Configuration

Production Password Manager application servers are normally configured as follows:

  • Hardware requirements or equivalent VM capacity:
    • An Intel Xeon or similar CPU. Multi-core CPUs are supported and leveraged.
    • At least 8GB RAM -- 16GB or more is typical for a server.
    • At least 500GB disk, preferably configured as RAID for reliability and preferably larger for retention of more historical and log data. More disk is always better, to increase log retention.
    • At least one Gigabit Ethernet NIC.

  • Operating system:
    • Windows 2012R2 Server, with current service packs.
    • The server should not normally be a domain controller and in most deployments is not a domain member.

  • Installed and tested software on the server:
    • TCP/IP networking, with a static IP address and DNS name.
    • IIS web server with an SSL certificate.
    • At least one web browser and PDF viewer.

  • A database instance is required to host the Password Manager schema. Microsoft SQL Server 2012 is recommended (Oracle 11gR2 is supported on 9.0.x releases but has been be discontinued as of the 10.0 release). The SQL Server database software can be deployed on the same server as the Password Manager application, as this reduces hardware cost and allows application administrators full DBA access for troubleshooting and performance tuning purposes.

Database Configuration

In addition to a web/application server, Password Manager requires a database server. In most environments, the Microsoft SQL Server software is installed on the same hardware or VM as the Password Manager software, on each Password Manager server node. This reduces hardware cost, eliminates network latency and reduces the security surface of the combined solution.

Database I/O performance on a virtualized filesystem (e.g., VMDK or equivalent) is not very performant. Accordingly, if a VM is used to host the database server software, please consider a NAS or SAN solution for the actual data storage.

Password Manager can leverage an existing database server cluster. Hitachi ID Systems recommends a dedicated database server instance, however, for a number of reasons:

  1. The data managed by Password Manager is extremely sensitive, so it is desirable to minimize the number of DBAs who can access it (despite use of encryption).
  2. MSSQL has limited features to isolate workloads between database instances on the same server. This means that a burst of activity from Password Manager (as happens during nightly auto-discovery) would cause slow responses in other applications. Conversely, other applications experiencing high DB load would slow down Password Manager.
  3. Password Manager already includes real-time, fault-tolerant, WAN-friendly, encrypted database replication between application nodes, each with its own back-end database. Use of an expensive DB server cluster is neither required nor beneficial.

The Password Manager replicating data service can be configured to use the following SQL database engines as its physical data store:

  • Microsoft SQL Server 2012, Standard Edition.
  • Microsoft SQL Server 2012, Express Edition, with Advanced Services (free download from -- suitable for development, test and smaller production environments.

Read More:

  • Included Connectors:
    Systems on which Password Manager can manage passwords.
  • Integrations:
    Integrations between Password Manager and other parts of an IT infrastructure.
  • Supported User Interfaces:
    Supported Password Manager user interfaces: web browser, workstation login prompt, mobile phone and telephone call.
  • Helping Locked Out Users:
    Enabling users who forgot their primary password or locked themselves out of their PC to access self-service.
  • Helping Mobile Users:
    Assisting mobile users who forgot their primary password (cached on their PC) while away from the corporate network.
  • Network architecture:
    How users, existing systems and applications and Password Manager servers interact on the network.
  • Scalability:
    How Password Manager can scale to manage passwords across millions of login IDs.
  • Mapping User IDs:
    How Password Manager maps user IDs on different systems back to their human users, both automatically and with human assistance.
  • Language Support:
    Languages supported by the Password Manager user interface.
  • Single Sign-on Without a Password Wallet:
    Hitachi ID Login Manager can automatically sign users into their applications without having to store IDs and passwords in a "password wallet."
  • Password Manager server requirements:
    Sizing, configuration and number of servers on which to deploy Password Manager.
page top page top