Three integration methods: direct, proxy and local service
There are three styles of connectivity between a Hitachi ID Bravura Privilege server and managed systems, as illustrated in Figure [link].
Figure: Push-mode, pull-mode and proxies to connect to managed systems
In the figure:
- Direct access is where the Bravura Privilege server runs a connector locally. This connector connects to the target system over the network. This is also called a push mode target system.
- Indirect access via a Bravura Privilege proxy server is where an active Bravura Privilege server connects to a proxy server. The proxy server runs a connector on behalf of the active server. The connector connects to a target system on the network. Proxy servers are typically co-located with one or more distant or firewalled managed systems. Interaction with target systems via a proxy is still considered push mode, because an active Bravura Privilege server initiates each connection.
- Direct or web-proxied connections initiated from a client device, accessing a web services API URL on an active Bravura Privilege server. This is called local service mode and is typically deployed on user laptops, to allow for the fact that they may be powered off, relocated, assigned dynamic IP addresses, firewalled or NAT'ed, and are generally difficult or unreliable for a central Bravura Privilege server to find.
Pushing updates directly or via a proxy server
Figure [link] illustrates the network communication paths in a typical Bravura Privilege deployment, where Bravura Privilege pushes passwords to fixed target systems -- servers, applications, network devices, etc.
Figure: Bravura Privilege push-mode network architecture
In the diagram:
- Three distinct physical sites are shown, each surrounded by a dotted-line border.
- Two Bravura Privilege servers are deployed, to two different sites. Real-time replication provides for resiliency in the event of a hardware failure on a single server or a complete outage at either site.
- The Bravura Privilege servers run on Windows Server 2016 and 2012 (R2). This platform provides the widest possible range of client software, making Bravura Privilege easy to integrate with many kinds of target systems.
- Stored passwords are encrypted (using AES). The encryption key is kept in the registry of each Bravura Privilege server and is itself encrypted using a key embedded in the Bravura Privilege software.
- Each Bravura Privilege server has a complete, local copy of the entire password database along with all configuration information.
- Data replication traffic between the two servers is encrypted, making it resistant to snooping or tampering by a man-in-the-middle attacker.
- Periodically, each Bravura Privilege server connects to target systems and pushes new passwords to them. The protocol used depends on the type of target system, with two examples shown: LDAPS or NTLM for Windows servers, SSH to Unix or Linux servers and an encrypted TCP/IP connection to Unix targets that do not have an SSH service but do have a local Bravura Privilege listener.
- Some target systems may be unreachable directly, because of intervening firewalls. These may be contacted indirectly using a Bravura Privilege proxy server, co-located with the target system. In this scenario, communication from the primary Bravura Privilege server to the proxy is a TCP/IP connection on an arbitrary (configurable) port, encrypted with AES using a shared key. The proxy then forwards the request to the target system using that target system's native protocol.
- Bravura Privilege clients, such as IT workers or applications that use Bravura Privilege in place of embedded passwords, connect to Bravura Privilege over HTTPS. Since multiple Bravura Privilege servers are available and each of them contains a full data set, this connection can be load balanced.
Local service on laptops and rapidly provisioned VMs
When managing passwords on laptops or rapidly provisioned VMs, Bravura Privilege may be configured to operate in "local service mode." This means that a local agent is installed on the endpoint and this agent periodically contacts the central Bravura Privilege server, over HTTPS, to request new administrator passwords.
Once the local password has been set, a confirmation is sent to the Bravura Privilege server, which stores the new value. The new password(s) are encrypted and archived in the Bravura Privilege server's replicated storage, where IT staff may retrieve them.
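The request-set-confirm exchange described above, as an added illustrative model (not Bravura Privilege's own code or API; the class names, the digest-based confirmation and the pending/retrievable split are assumptions). The point it shows is why the confirmation step matters: the value IT staff can retrieve is only replaced once the endpoint reports the local change succeeded.

```python
# Added example (not Bravura Privilege code): a minimal model of the
# "local service mode" exchange. The endpoint initiates; the central store
# keeps the OLD password as the retrievable one until the agent confirms the
# new one was actually set. Class and method names are assumptions.
import hashlib
import secrets


def fingerprint(password: str) -> str:
    """Confirmation carries a digest so the secret is not echoed back."""
    return hashlib.sha256(password.encode()).hexdigest()


class CentralStore:
    """Stands in for the server-side replicated, encrypted password archive."""

    def __init__(self):
        self.retrievable = {}  # host -> password IT staff may check out
        self.pending = {}      # host -> password issued, not yet confirmed

    def request_new_password(self, host: str) -> str:
        """Step 1: agent calls in (over HTTPS in the product) for a new value."""
        new = secrets.token_urlsafe(24)
        self.pending[host] = new
        return new

    def confirm(self, host: str, digest: str) -> bool:
        """Step 3: only a confirmation matching the issued value promotes it."""
        issued = self.pending.get(host)
        if issued is None or digest != fingerprint(issued):
            return False
        self.retrievable[host] = issued
        del self.pending[host]
        return True


class LocalAgent:
    """Runs on the laptop/VM; set_ok=False simulates a failed local change."""

    def __init__(self, host: str, store: CentralStore, set_ok: bool = True):
        self.host, self.store, self.set_ok = host, store, set_ok
        self.local_password = "initial-build-password"  # constructed value

    def rotate(self) -> bool:
        new = self.store.request_new_password(self.host)
        if not self.set_ok:            # Step 2 failed, e.g. laptop lost power
            return False               # no confirmation sent; old value stays
        self.local_password = new
        return self.store.confirm(self.host, fingerprint(new))
```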
Local service mode is not used by default. However, there are specific cases where it is preferable to the more common push-style integration:
- On laptops, because a server (i.e., Bravura Privilege) has no way of knowing where or when they will next be attached to the network and may be unable to initiate a connection to the laptop, due to firewalls, NAT, closed ports or other security measures.
- On rapidly provisioned VMs (e.g., IaaS or private cloud), since their entire lifespan may be quite short and it is important to onboard them when first provisioned, rather than waiting for a scheduled, batch auto-discovery process to run.
The Bravura Privilege local workstation service (LWS) implements "local service mode" integration, in which the managed endpoint initiates communication with the Bravura Privilege server rather than the reverse. It is compatible with:
- Windows clients: Windows XP, Windows Vista, Windows 7 through 10.
- Windows servers: Server 2003, Server 2008/R2 and Server 2012/R2.
- Linux: 32-bit and 64-bit Linux systems.
- Other Unix: Available on demand.