Replicated Credential Vault
Database Architecture Overview
All Hitachi ID Privileged Access Manager components, including user interface screens, reports, service programs and command-line / batch processes access the database using the same architecture:
- A client component calls a client wrapper library.
- The client wrapper library communicates with a Privileged Access Manager database service using an IPC. This may be shared memory (same server, very fast) or TCP/IP socket (remote server, encrypted communication using a shared key).
- The Privileged Access Manager database service authenticates clients, checks what they are allowed to see/do and invokes stored procedures to read from and write to the database.
- Stored procedures, installed on the relational database back end (e.g., Microsoft SQL Server or Oracle Database Server), access data in the local schema and return results.
- Calls to stored procedures which insert, delete or update records are forwarded by the database service to its replicating peers, so that each database instance may be kept up to date.
- Data returned by stored procedures is passed back to the calling program.
This architecture is advantageous for several reasons:
- Built-in data replication makes it easy to configure Privileged Access Manager in a high-availability, fault-tolerant architecture.
- Using stored procedures rather than direct SQL calls significantly improves performance while leaving open the possibility of future schema changes.
- Using a Privileged Access Manager database service to front-end the physical database enables robust access controls and easy-to-manage database replication.
- Wrapping data calls in an encrypted protocol enables secure configuration in a distributed environment, over untrusted network segments.
Privileged Access Manager includes built-in data replication between servers.
Data replication between Privileged Access Manager servers occurs in real time -- all updates to one server's database are queued up and sent to other (peer) servers as well. If a peer server is unavailable, database updates are automatically retried when the server becomes available again.
All replication is performed at the application level, over an encrypted TCP/IP socket. This makes configuration of a replicated environment straightforward and eliminates the need to license and configure a replicated RDBMS server product.
Application-level replication is especially helpful for deployments where Privileged Access Manager servers are physically distant from one another, for example to provide fault tolerance in the event of a disaster at a single data center. Database replication provided by database vendors such as Microsoft or Oracle is very difficult to configure where the network between nodes is insecure, unreliable, low bandwidth or high latency. Since a WAN network normally exhibits all of these problems, Hitachi ID Systems built replication right into Privileged Access Manager to operate reliably under these same constraints.
Privileged Access Manager data replication is secure. Data transmitted between servers is encrypted and each endpoint authenticates the other. Replication uses relatively low bandwidth and is tolerant of high latency, making it suitable for deployment across physically distant sites. Replication is fault tolerant, in that failed transmissions are queued and retried until they succeed.
Privileged Access Manager uses a special form of replication when writing new passwords, called a distributed commit. Essentially, new passwords are written to multiple servers before being updated on target systems. This mechanism is designed to eliminate the possibility that a new password will be written to a target system but lost due to a server crash before it can be written to disk.