Server components

Depending on the features deployed and the architecture of the Hitachi ID Systems customer network, the runtime environment for Hitachi ID Bravura Security Fabric may incorporate multiple servers, each of which serves a different function. Each component is described below together with its runtime requirements:

Application servers

Run the core Hitachi ID Bravura Security Fabric application software.

  • Windows 2016 or 2012(R2) with IIS and all available updates.
  • Most customers opt for at least two replicated, load balanced servers, to provide fault tolerance in the event of a hardware problem or site-wide disaster.
  • SSL/TLS certificates are required.

Database servers

House configuration, user profile and historical data.

  • Microsoft SQL Server 2016, 2014, or 2012 with all available updates.
  • Most commonly on the same servers as the application, as this reduces cost and improves performance.
  • One DB instance per application server.
  • The Hitachi ID Bravura Security Fabric application replicates data between instances -- no DB-native replication or clustering is required.
  • SQL Standard Edition is appropriate for most organizations.
  • Small production systems or test/development instances can be deployed using SQL Express (no cost).
  • SQL Enterprise Edition is suitable for very large implementations, where database partitioning is required to scale up.

Connector proxies

These servers provide connectivity to target systems that are otherwise unreachable (because of firewall, NAT, routing or name-resolution problems) or where connectivity is slow or insecure. Core Hitachi ID Bravura Security Fabric servers connect to the proxies over a TCP/IP port of the customer's choosing, using an encrypted, efficient protocol. Connectors run on the proxy to connect to target systems.

  • Windows 2016 or 2012(R2) with all available updates.
  • Typically deployed on relatively small VMs.
  • No database server required.

Mobile proxies

Mediate communication between on-premises application servers and Internet-attached phones and tablets. Required if users will sign into Hitachi ID Bravura Security Fabric from their Android or iOS devices.

  • Must present a public URL (DMZ or cloud).
  • Hitachi ID can host this on behalf of customers for a monthly fee.
  • Customers may host this on Internet-accessible servers (DMZ, IaaS).
  • Runs on Linux + Apache with the latest updates.
  • Multiple servers can be load balanced.
  • SSL/TLS certificates are required.

Hitachi ID Telephone Password Manager servers

Offer users a voice phone call user interface, suitable for password or PIN reset and self-service unlock of encrypted drives.

  • Windows 2016 or 2012(R2) with IIS and all available updates.
  • Requires either Dialogic hardware cards (to plug into a physical private branch exchange (PBX) phone system) or Dialogic VoIP software (for Internet telephony).
  • Can be installed on the same servers as the core Hitachi ID Bravura Pass application.

HTML5 session proxy servers

Enable users to launch SSH or RDP sessions, with injected credentials from the Hitachi ID Bravura Privilege vault, using only their browser.

  • Runs on Linux + Tomcat with the latest updates.
  • Users must be able to connect to HTTPS on these servers.
  • These servers need to be able to connect, using SSH or RDP, to managed systems.
  • Multiple servers can be load balanced.
  • SSL/TLS certificates are required.

Load balancing across multiple application servers

Hitachi ID Bravura Security Fabric supports multiple, load-balanced servers.

Each server can host multiple Hitachi ID Bravura Security Fabric instances, each with its own users, target systems, features and policies.

Hitachi ID Bravura Security Fabric instances can and normally do span multiple servers. Every server hosting a given instance is functionally identical. User traffic is load balanced between servers supporting the instance. Load balancing may be accomplished using DNS (round-robin is built into most DNS servers) or at the IP level with a device from Cisco, F5, etc.

High availability is accomplished by combining load balancing with server health monitoring and automatic fail-out. Hitachi ID Bravura Security Fabric includes server monitoring tools that can be configured on each server to monitor its peers; when a failure is detected, they trigger an alarm (e.g., by e-mail) and automatically update DDNS records to remove the failed server from circulation. Hitachi ID also provides these tools for Unix/BIND with traditional DNS.

There is no coded limit to the number of concurrent, replicated servers. With more than 10 servers, replication may become slow. Since the three largest customers of Hitachi ID run with just two production servers each, this is only a theoretical problem.
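The fail-out logic described above, written out as an added example (this is not Hitachi ID's monitoring tool and does not reflect its implementation). It assumes things the page does not state: that each application server exposes an HTTPS health URL (the `HEALTH_PATH` below is hypothetical), that the instance name users resolve is a round-robin A record set, and that the DNS server accepts RFC 2136 dynamic updates, for which BIND `nsupdate` syntax is emitted. The peer names and addresses are constructed sample data. The example goes one step beyond the text by refusing to withdraw the last record: if every peer fails the probe, the monitor itself or the network is the likelier fault, so it only alarms.

```python
"""Peer health monitoring with DNS fail-out (added illustration, not a vendor tool)."""
import ssl
import urllib.error
import urllib.request

# Constructed sample topology: one instance name served by two replicated peers.
INSTANCE_FQDN = "idm.example.com"           # round-robin name that users resolve
PEERS = {                                   # peer hostname -> its A record
    "idm-app1.example.com": "192.0.2.11",
    "idm-app2.example.com": "192.0.2.12",
}
HEALTH_PATH = "/health"                     # hypothetical health-check URL path
TIMEOUT_S = 5                               # a peer that hangs past this counts as failed


def https_probe(host, path=HEALTH_PATH, timeout=TIMEOUT_S):
    """Return True only if the peer answers HTTPS with a 2xx status.

    Certificate validation is deliberately left on: a peer whose certificate
    is expired or mismatched is failed out rather than kept in rotation.
    """
    ctx = ssl.create_default_context()
    url = "https://%s%s" % (host, path)
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return 200 <= resp.status < 300
    except (urllib.error.URLError, ssl.SSLError, OSError, ValueError):
        return False


def plan_failout(peers, probe=https_probe):
    """Probe every peer and decide which A records to withdraw.

    Returns the healthy and failed peer lists, the records to remove, and
    alarm messages. Safety rule: when every peer fails, nothing is removed
    (an empty record set would take the whole instance offline), only an alarm.
    """
    healthy = sorted(h for h in peers if probe(h))
    failed = sorted(h for h in peers if h not in healthy)
    alarms = ["peer %s failed health check" % h for h in failed]
    remove = {}
    if failed and healthy:
        remove = {h: peers[h] for h in failed}
    elif failed:
        alarms.append("all peers failed; DNS left unchanged, manual check required")
    return {"healthy": healthy, "failed": failed, "remove": remove, "alarms": alarms}


def nsupdate_script(zone, dns_server, fqdn, remove):
    """Build an nsupdate batch withdrawing only the A records in `remove`.

    Deleting a specific address leaves the healthy peers' records for the
    same name untouched, so the instance stays reachable.
    """
    lines = ["server %s" % dns_server, "zone %s" % zone]
    for host in sorted(remove):
        lines.append("update delete %s. A %s" % (fqdn, remove[host]))
    lines.append("send")
    return "\n".join(lines) + "\n"


def nsupdate_restore(zone, dns_server, fqdn, ip, ttl=60):
    """Re-add a recovered peer with a short TTL, so a later fail-out takes effect quickly."""
    return "server %s\nzone %s\nupdate add %s. %d A %s\nsend\n" % (dns_server, zone, fqdn, ttl, ip)


if __name__ == "__main__":
    plan = plan_failout(PEERS)
    for msg in plan["alarms"]:
        print("ALARM:", msg)            # the page's tool alarms by e-mail; printed here
    if plan["remove"]:
        print(nsupdate_script("example.com", "ns1.example.com", INSTANCE_FQDN, plan["remove"]))
```

The script is meant to run from each peer against the others, as the page describes; the generated batch would be fed to `nsupdate` with a TSIG key, and the short TTL on the record set is what bounds how long clients keep resolving a withdrawn address.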

Virtualizing any/all server components

Hitachi ID Bravura Security Fabric is compatible with VMware, Xen Project, Microsoft Hyper-V and Oracle VirtualBox virtual machine platforms. It can also be deployed on IaaS, including AWS. It generally works well with other virtualization platforms, but Hitachi ID primarily tests with these. Hitachi ID officially supports running Hitachi ID Bravura Security Fabric on these virtual servers and will make a best effort to support customers who run on other hypervisors.

So long as the database server that hosts the Hitachi ID Bravura Security Fabric back-end has access to reasonably fast I/O (e.g., NAS or similar), and so long as connectivity between the Hitachi ID Bravura Security Fabric application server and the database is fast and low latency (e.g., 1Gbps/1ms), there should be no adverse performance impact when comparing Hitachi ID Bravura Security Fabric installed on hardware with Hitachi ID Bravura Security Fabric installed on a similarly equipped virtual server.

The key point above is to ensure sufficient I/O capacity for the database (MSSQL). If the database server is virtualized, using network attached storage (NAS) is recommended, as virtualized I/O (files such as VMDK images emulating an HDD) is often substantially slower than physical I/O.

Even where customers choose to deploy the main Hitachi ID Bravura Security Fabric servers on raw hardware, virtual machines are an excellent platform for proxy servers, test servers, development servers and model PCs.

A related question is often "how large can the deployment get before we have to move from a VM to hardware?" Unfortunately, there is no simple, universal answer:

  1. Virtual servers vary in capabilities -- they may have a 32-bit or a 64-bit CPU, may have 1, 2, 4 or 8 CPU cores allocated, may have different amounts of memory and may link to different types of storage infrastructure.
  2. The load created by the application also varies -- is there complex business logic? Do users access the application at random times or all at once? Are there just a few or thousands of integrations?

This variability means that the safest bet is to use benchmark results, using a configuration as similar as possible to the production setup, to gauge the performance of Hitachi ID Bravura Security Fabric on representative physical and virtual servers.
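The benchmarking the paragraph above recommends needs a measurable figure, and the one the preceding section turns on is synchronous write latency on the database volume. The following is an added microbenchmark for that figure, not a Hitachi ID tool and not its sizing method. It assumes that an 8 KiB block stands in for a SQL Server data-page write, that the directory passed in sits on the volume that will hold the MSSQL data files, and that the `1.5` comparison factor is an illustrative threshold rather than a vendor number.

```python
"""Storage write-latency microbenchmark (added illustration, not a vendor tool)."""
import os
import statistics
import tempfile
import time

BLOCK_SIZE = 8 * 1024          # one SQL Server data page is 8 KiB


def fsync_latency(directory, iterations=200, block_size=BLOCK_SIZE):
    """Write `iterations` blocks, fsync after each, and return latency stats in ms.

    Each sample covers write()+fsync(), so it reflects what a transaction
    commit waits for, not the cached write path.
    """
    payload = os.urandom(block_size)
    samples = []
    fd, name = tempfile.mkstemp(dir=directory, prefix="iobench-")
    try:
        for _ in range(iterations):
            start = time.perf_counter()
            os.write(fd, payload)
            os.fsync(fd)
            samples.append((time.perf_counter() - start) * 1000.0)
    finally:
        os.close(fd)
        os.unlink(name)
    return summarize(samples)


def summarize(samples_ms):
    """Reduce a list of latency samples (ms) to count, mean and percentiles."""
    ordered = sorted(samples_ms)

    def pct(p):
        # nearest-rank percentile on a 0-based index, p in [0, 100]
        idx = int(round((p / 100.0) * (len(ordered) - 1)))
        return ordered[idx]

    return {
        "count": len(ordered),
        "mean_ms": statistics.mean(ordered),
        "p50_ms": pct(50),
        "p99_ms": pct(99),
        "max_ms": ordered[-1],
    }


def within_budget(baseline, candidate, factor=1.5):
    """True if the candidate platform's p99 latency is no worse than `factor`
    times the baseline's, e.g. a VM candidate against a physical baseline.
    The factor is an illustrative threshold, not a vendor figure."""
    return candidate["p99_ms"] <= factor * baseline["p99_ms"]


def run_on_temp(iterations=200):
    """Convenience run against the system temp directory (usually NOT the DB volume)."""
    return fsync_latency(tempfile.gettempdir(), iterations=iterations)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else tempfile.gettempdir()
    print(fsync_latency(target))
```

Run it with the data-file directory as the argument on the physical box and again on the similarly equipped VM; comparing the two p99 values with `within_budget` is the hardware-versus-VM check the section describes, and it is the p99 rather than the mean that shows the stalls a VMDK-backed disk introduces.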

Hardware/VM specifications for individual application servers

Production Hitachi ID Bravura Security Fabric application servers are normally configured as follows:

  • Hardware requirements or equivalent VM capacity:
    • Intel Xeon or similar CPU. Multi-core CPUs are supported and leveraged. Dual core is a minimum.
    • At least 16GB RAM -- 32GB or more is leveraged and is typical for a server.
    • At least 600GB of HD storage, preferably in an enterprise RAID configuration for reliability, and preferably larger for retention of more historical and log data. More space is always better, to increase log retention.
    • At least one Gigabit Ethernet NIC.

  • Operating system:
    • Windows Server 2016 (recommended) or 2012 (still supported, but not in the next release).
    • All available service packs and hotfixes should be applied (automatically).
    • It is recommended that the server is not a domain controller.
    • Core mode on Windows Server is supported.

  • Installed and tested software on the server:
    • TCP/IP networking, with a static IP address and DNS name.
    • IIS web server with a valid SSL certificate and the following configured: CGI, HTTP redirect, URL Rewrite, and Dynamic Compression.
    • At least one web browser (e.g., Chrome) and PDF viewer.
    • Python 3.5.3 (64-bit).
    • A Git client (for revision control).

  • A Microsoft SQL Server 2016 (recommended), 2014 or 2012 instance is required to host the Hitachi ID Bravura Security Fabric schema:
    • Normally one database instance per application server.
    • The SQL Server database software can be deployed on the same server as the Hitachi ID Bravura Security Fabric application, as this reduces hardware cost and allows application administrators full DBA access for troubleshooting and performance tuning purposes.
    • SQL Server 2016, 2014 or 2012 Standard is recommended in almost all cases -- SQL Express is acceptable for small deployments and evaluations.