Hitachi ID Password Manager supports multiple, load-balanced servers.
Each server can host multiple Password Manager instances, each with its own users, target systems, features and policies.
Password Manager instances can and normally do span multiple servers. Every server hosting a given instance is functionally identical. User traffic is load balanced between servers supporting the instance. Load balancing may be accomplished using DNS (round-robin is built into most DNS servers) or at the IP level with a device from Cisco, F5, etc.
High availability is accomplished by combining load balancing with server health monitoring and automatic fail-out. Password Manager includes server monitoring tools that can be configured on each server to monitor its peers and, when a failure is detected, to trigger an alarm (e.g., by e-mail) and to automatically update DDNS records so that the failed server is removed from circulation. Hitachi ID Systems also provides these tools for Unix/BIND with traditional DNS.
There is no coded limit to the number of concurrent, replicated servers. With more than 10 servers, replication may become slow. Since the three largest customers of Hitachi ID Systems run with just two production servers each, this is only a theoretical problem.
Password Manager must be installed on a Windows Server 2012 or Windows Server 2012 R2 server.
Installing on a Windows server allows Password Manager to leverage client software for most types of target systems, which is available only on the "Wintel" platform. In turn, this makes it possible for Password Manager to manage passwords and accounts on target systems without installing a server-side agent.
Each Password Manager application server requires a web server. IIS is used, since it ships with Windows Server 2012.
Password Manager is a security application and should be locked down accordingly. Please refer to the Hitachi ID Systems document about hardening Password Manager servers to learn how to do this. In short, most of the native Windows services can and should be removed, leaving a very small attack surface, with exactly one inbound TCP/IP port (443):
Each Password Manager server requires a database instance. Microsoft SQL Server 2012 is the recommended choice; Microsoft SQL Server 2014 will be officially supported in 2016. Oracle Database is supported in Password Manager releases up to 9.0.x and is not supported in 10.0 or later.
As mentioned before, Password Manager requires SQL Server, typically with one database instance per application server. In most environments, the Microsoft SQL Server software is installed on the same hardware or VM as the Password Manager software, on each Password Manager server node. This reduces hardware cost, eliminates network latency and reduces the security surface of the combined solution.
Be sure to install the following components that come with Microsoft SQL Server 2012:
Database I/O performance on a virtualized filesystem (e.g., VMDK or equivalent) is slow. If the database server software runs on a VM, please use a fast, nearby NAS or SAN to store the actual data files.
Password Manager can leverage an existing database server cluster, but Hitachi ID Systems recommends a dedicated database server instance:
The Password Manager replicating data service can be configured to use the following SQL database engines as its physical data store: