Runtime Requirements

Server components

Depending on the features deployed and the architecture of the Hitachi ID Systems customer network, the runtime environment for Hitachi ID Identity and Access Management Suite may incorporate multiple servers, each of which serves a different function:

Server | Function | Runtime requirements

Application servers

Function: Run the core Hitachi ID Identity and Access Management Suite application software.

Runtime requirements:
  • Windows 2012(R2) with IIS 8.5 and all available updates.
  • Most customers opt for at least two replicated, load balanced servers, to provide fault tolerance in the event of a hardware problem or site-wide disaster.
  • SSL/TLS certificates are required.

Database servers

Function: House configuration, user profile and historical data.

Runtime requirements:
  • Microsoft SQL Server 2012 with all available updates.
  • Most commonly on the same servers as the application, as this reduces cost and improves performance.
  • One DB instance per application server.
  • The Hitachi ID Identity and Access Management Suite application replicates data between instances -- no DB-native replication or clustering is required.
  • SQL Standard Edition is appropriate for most organizations.
  • Small production systems or test/development instances can be deployed using SQL Express (no cost).
  • SQL Enterprise Edition is suitable for very large implementations, where database partitioning is required to scale up.

Proxy servers

Function: These servers provide connectivity to target systems which are otherwise unreachable (firewall, NAT, routing or name resolution problems) or where connectivity is slow or insecure. Core Hitachi ID Identity and Access Management Suite servers connect to the proxies over an arbitrarily numbered TCP/IP port, using an encrypted, efficient protocol. Connectors are run on the proxy to connect to target systems.

Runtime requirements:
  • Windows 2012(R2) with all available updates.
  • Typically deployed on relatively small VMs.
  • No web server or database server required.

Cloud proxy servers

Function: Mediate communication between on-premises application servers and Internet-attached phones and tablets. Required if users will sign into Hitachi ID Identity and Access Management Suite from their Android or iOS devices.

Runtime requirements:
  • Hitachi ID Systems can host this on behalf of customers for a monthly fee.
  • Customers may host this on Internet-accessible servers (DMZ, IaaS).
  • Runs on Linux + Apache with the latest updates.
  • Multiple servers can be load balanced.
  • SSL/TLS certificates are required.

Hitachi ID Telephone Password Manager servers

Function: Offer users a voice phone call user interface, suitable for password or PIN reset and self-service unlock of encrypted filesystems.

Runtime requirements:
  • Windows 2012(R2) with IIS 8.5 and all available updates.
  • Requires either Dialogic hardware cards, which plug into a physical private branch exchange (PBX) phone system, or Dialogic VoIP software for Internet telephony.
  • Can be installed on the same servers as the core Hitachi ID Password Manager application.

HTML5 session proxy servers

Function: Enable users to launch SSH or RDP sessions, with injected credentials from the Hitachi ID Privileged Access Manager vault, using only their browser.

Runtime requirements:
  • Runs on Linux + Tomcat with the latest updates.
  • Users must be able to connect to HTTPS on these servers.
  • These servers need to be able to connect, using SSH or RDP, to managed systems.
  • Multiple servers can be load balanced.
  • SSL/TLS certificates are required.


Load balancing across multiple application servers

Hitachi ID Identity and Access Management Suite supports multiple, load-balanced servers.

Each server can host multiple Hitachi ID Identity and Access Management Suite instances, each with its own users, target systems, features and policies.

Hitachi ID Identity and Access Management Suite instances can and normally do span multiple servers. Every server hosting a given instance is functionally identical. User traffic is load balanced between servers supporting the instance. Load balancing may be accomplished using DNS (round-robin is built into most DNS servers) or at the IP level with a device from Cisco, F5, etc.

High availability is accomplished by combining load balancing with server health monitoring and automatic fail-out. Hitachi ID Identity and Access Management Suite includes server monitoring tools that can be configured on each server to monitor its peers; when a failure is detected, they trigger an alarm (e.g., by e-mail) and automatically update DDNS records to remove the failed server from circulation. Hitachi ID Systems also provides these tools for Unix/BIND with traditional DNS.
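The fail-out mechanism described above, as an added example in PowerShell (this is not the Hitachi ID monitoring tooling the page refers to): each application server probes its peers over HTTPS and, on failure, removes the peer's A record from the round-robin name and sends an alarm. The peer names, zone, DNS server, health path and mail settings are assumptions; the account running it needs update rights on the zone.

```powershell
# Added example, not Hitachi ID code. Run from each application server (e.g. as a scheduled task).
param(
    [string[]]$Peers     = @('iam-app2.example.com'),   # other servers hosting this instance (assumed names)
    [string]$ServiceName = 'iam',                       # round-robin host label that clients resolve
    [string]$ZoneName    = 'example.com',
    [string]$DnsServer   = 'dns1.example.com',          # Windows DNS server holding the zone (assumed)
    [string]$HealthPath  = '/',                         # URL path that must answer HTTP 200 (assumed)
    [string]$MailTo      = 'ops@example.com',
    [string]$SmtpServer  = 'smtp.example.com'
)
Import-Module DnsServer -ErrorAction Stop

foreach ($peer in $Peers) {
    # Resolve the peer's own IPv4 address; this is the A record we may have to pull.
    $ip = ([System.Net.Dns]::GetHostAddresses($peer) |
           Where-Object { $_.AddressFamily -eq 'InterNetwork' } | Select-Object -First 1).IPAddressToString
    try {
        # Probe the peer by its own name (its certificate is assumed to cover that name),
        # never via the round-robin name, which would mask a single failed member.
        $resp    = Invoke-WebRequest -Uri "https://$peer$HealthPath" -TimeoutSec 10 -UseBasicParsing
        $healthy = ($resp.StatusCode -eq 200)
    } catch {
        $healthy = $false
    }
    if ($healthy) { continue }

    # Is the failed peer still in circulation under the load-balanced name?
    $live = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName `
                -Name $ServiceName -RRType A -ErrorAction SilentlyContinue |
            Where-Object { $_.RecordData.IPv4Address.IPAddressToString -eq $ip }
    if (-not $live) { continue }    # already failed out by another peer

    # Fail-out: new client lookups no longer return the failed server.
    Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName `
        -Name $ServiceName -RRType A -RecordData $ip -Force

    # Alarm by e-mail; include the removed record so an operator can restore it once the peer is healthy.
    Send-MailMessage -To $MailTo -From "$env:COMPUTERNAME@$ZoneName" -SmtpServer $SmtpServer `
        -Subject "[IAM HA] $peer failed health check; removed from $ServiceName.$ZoneName" `
        -Body ("Probe of https://$peer$HealthPath failed from $env:COMPUTERNAME at $(Get-Date -Format o). " +
               "Removed A record $ServiceName.$ZoneName -> $ip. Re-add with Add-DnsServerResourceRecordA when healthy.")
}
```

Clients that cached the old answer keep using it until the record TTL expires, so keep the TTL on the round-robin name short.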

There is no hard-coded limit to the number of concurrent, replicated servers. In practice, replication may become slow with more than 10 servers. Since the three largest customers of Hitachi ID Systems run just two production servers each, this is only a theoretical problem.

Virtualizing any/all server components

Hitachi ID Identity and Access Management Suite is compatible with the VMware, Xen and VirtualBox virtual machine platforms. It can also be deployed on IaaS, including AWS. It generally works well with other virtualization platforms, but Hitachi ID Systems primarily tests with these. Hitachi ID Systems officially supports running Hitachi ID Identity and Access Management Suite on these virtual servers and will make a best effort to support customers who run on other virtualization platforms.

So long as the database server that hosts the Hitachi ID Identity and Access Management Suite back-end has access to reasonably fast disk I/O (e.g., NAS or similar), and so long as connectivity between the Hitachi ID Identity and Access Management Suite application server and the database is fast and low latency (e.g., 1Gbps/1ms), there should be no adverse performance impact when comparing Hitachi ID Identity and Access Management Suite installed on hardware vs. Hitachi ID Identity and Access Management Suite installed on a similarly-equipped virtual server.

The key point above is to ensure sufficient I/O capacity for the database (MSSQL or Oracle). If the database server is virtualized, using network attached storage (NAS) is recommended, as virtualized disk I/O (files emulating an HDD image) is often substantially slower than physical disk I/O.

Even where customers choose to deploy the main Hitachi ID Identity and Access Management Suite servers on raw hardware, virtual machines are an excellent platform for proxy servers, test servers, development servers and model PCs.

A related question is often "how large can the deployment get before we have to move from a VM to hardware?" Unfortunately, there is no simple, universal answer:

  1. Virtual servers vary in capabilities -- they may have a 32-bit or a 64-bit CPU, may have 1, 2, 4 or 8 CPU cores allocated, may have different amounts of memory and may link to different types of storage infrastructure.
  2. The load created by the application also varies -- is there complex business logic? Do users access the application at random times or all at once? Are there just a few or thousands of integrations?

This variability means that the safest bet is to use benchmark results, using a configuration as similar as possible to the production setup, to gauge the performance of Hitachi ID Identity and Access Management Suite on representative physical and virtual servers.

Hardware/VM specifications for individual application servers

Production Hitachi ID Identity and Access Management Suite application servers are normally configured as follows:

  • Hardware requirements or equivalent VM capacity:
    • An Intel Xeon or similar CPU. Multi-core CPUs are supported and leveraged.
    • At least 8GB RAM -- 16GB or more is typical for a server.
    • At least 500GB disk, preferably configured as RAID for reliability and preferably larger for retention of more historical and log data. More disk is always better, to increase log retention.
    • At least one Gigabit Ethernet NIC.

  • Operating system:
    • Windows 2012R2 Server, with current service packs.
    • The server should not normally be a domain controller and in most deployments is not a domain member.

  • Installed and tested software on the server:
    • TCP/IP networking, with a static IP address and DNS name.
    • IIS web server with an SSL certificate.
    • At least one web browser and PDF viewer.

  • A database instance is required to host the Hitachi ID Identity and Access Management Suite schema. Microsoft SQL Server 2012 is recommended (Oracle 11gR2 is supported on 9.0.x releases but has been discontinued as of the 10.0 release). The SQL Server database software can be deployed on the same server as the Hitachi ID Identity and Access Management Suite application, as this reduces hardware cost and allows application administrators full DBA access for troubleshooting and performance tuning purposes.
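A pre-installation check for the application-server specification above, as an added PowerShell example (not Hitachi ID tooling): it tests the host against the listed OS, memory, disk, network, domain-role, IIS and database requirements and prints one line per item. It assumes the installation lives on C: and that the SQL Server instance is co-located on the same host; the SQL Server version itself is not checked.

```powershell
# Added example, not Hitachi ID code. Run in an elevated PowerShell on the candidate server.
Import-Module ServerManager, WebAdministration -ErrorAction Stop
$results = [ordered]@{}

# Operating system: Windows Server 2012 R2
$os = Get-CimInstance Win32_OperatingSystem
$results['Windows Server 2012 R2']    = $os.Caption -match '2012 R2'
# RAM: at least 8 GB (TotalVisibleMemorySize is reported in KB, so divide by 1MB to get GB)
$results['RAM >= 8 GB']               = ($os.TotalVisibleMemorySize / 1MB) -ge 8
# Disk: at least 500 GB on the system volume (assumption: C: hosts the installation)
$results['Disk >= 500 GB']            = ((Get-Volume -DriveLetter C).Size / 1GB) -ge 500

# Network: a Gigabit NIC that is up, a static (manually assigned) IPv4 address, a resolvable DNS name
$nics = Get-NetAdapter | Where-Object { $_.Status -eq 'Up' -and $_.LinkSpeed -match 'Gbps' }
$results['Gigabit NIC up']            = @($nics).Count -ge 1
$static = Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.PrefixOrigin -eq 'Manual' }
$results['Static IPv4 address']       = @($static).Count -ge 1
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$results["DNS name resolves ($fqdn)"] = [bool](Resolve-DnsName $fqdn -ErrorAction SilentlyContinue)

# Domain role: Win32_ComputerSystem.DomainRole 4 or 5 means the host is a domain controller
$results['Not a domain controller']   = (Get-CimInstance Win32_ComputerSystem).DomainRole -lt 4

# IIS 8.5, an HTTPS binding, and a certificate with a private key in the machine store
$results['IIS role installed']        = (Get-WindowsFeature Web-Server).Installed
$iis = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\InetStp' -ErrorAction SilentlyContinue
$results['IIS version 8.5']           = ($iis.MajorVersion -eq 8 -and $iis.MinorVersion -eq 5)
$results['HTTPS binding present']     = [bool](Get-WebBinding -Protocol https)
$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey }
$results['Server certificate']        = @($certs).Count -ge 1

# Local SQL Server instance running (assumption: co-located DB; confirm 2012 with SELECT @@VERSION)
$sql = Get-Service -Name 'MSSQL*' -ErrorAction SilentlyContinue | Where-Object { $_.Status -eq 'Running' }
$results['SQL Server running']        = [bool]$sql

# Report: one line per requirement
$results.GetEnumerator() | ForEach-Object {
    '{0,-36} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'CHECK' })
}
```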