IBM Directory Strategy
Rick Mayo, IBM Directory Brand Manager, mayor@us.ibm.com
Post on 03-Jan-2016
Agenda
Directory Services: Past, Present and Future
Key Assumptions
IBM Directory Strategy
What About...
Summary
Directories Past
Many different vendors have created their own directory services. They often targeted only a single area, e.g.:
Notes Name & Address Book: support for Notes infrastructure
DCE Cell Directory Service: applications
Users installed them
The result: Chaos!
Directory Installed Base
[Chart: percentage of companies with each kind of directory installed: E-mail, NT Domain, Netware NDS, Mainframe, Netware Binderies, Packaged Apps, Homegrown Apps, Database Apps, Unix, Other; values range from 26% to 82%]
Interviews with 50 Fortune 1000 companies (multiple responses accepted)
Source: Forrester
Directories Today
The problem: every organization has too many directory services installed
The solution: simplify; reduce the number of directory servers
Directories in the Future
[Diagram: Internet Progression (stages: External E-Mail & Browsing, Broadcast Medium, Customer Service, Electronic Marketplace) and Intranet Progression (stages: Internal E-Mail & Data Posting, Information Management, Work Group Collaboration, Global Organization Integration), both leading to the Extranet (Convergence/Connection)]
"The Internet/Intranet expansion will have a significant impact on our directories. We have 36,000 employees to manage in our directories, and now we'll be adding 8 million customers!" (Forrester)
The Lightweight Directory Access Protocol (LDAP) has arrived
It standardizes client access to a directory service
It's derived from X.500's Directory Access Protocol (DAP), but:
It runs over TCP/IP
It's much simpler
LDAP Becomes The Standard Directory Access Method
[Chart: LDAP Client Growth Rate, LDAP clients (in millions, 0 to 100) for the years 1997 through 2001]
An Aside: The Role of the Standards
The day of wholly proprietary directory services is over. Standards have arrived
The Internet is the most important source of standards today. The IETF has become very important
IBM, Lotus and Tivoli are actively involved with the IETF and DMTF to drive and enhance:
PKIX
DEN
Access Control
Replication
Common Schema
Common Schema
The schema defines the kinds of information that can be stored in the directory
It's defined as:
Object classes, for example: Person
Attributes, for example: common name, telephone number, password, . . .
A common schema is being developed by IBM in concert with the CIM initiative at the DMTF
Enables applications to share the same objects
Provides a common/consistent store
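The object-class and attribute structure just described, as an added worked example (this is not IBM's code and not the DMTF/CIM common schema): a small schema in which each class inherits the MUST and MAY attribute lists of its superior class, and a validator that reports required attributes that are missing and attributes that none of the entry's classes permit. The class names follow the standard LDAP person classes; the entries, names and addresses are constructed.

```python
"""Validate directory entries against a small LDAP schema.

Added example for this transcript. It is not IBM eNetwork Directory code
and not the DMTF/CIM common schema; the object classes are modelled on the
standard LDAP person classes, using the attributes the slide names.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Set, Tuple


@dataclass(frozen=True)
class ObjectClass:
    name: str
    must: FrozenSet[str]            # attributes every entry of this class needs
    may: FrozenSet[str]             # attributes an entry of this class may carry
    superior: Optional[str] = None  # parent class whose MUST and MAY are inherited


# Constructed schema: a chain of object classes, each inheriting from the one above.
SCHEMA = {
    "top": ObjectClass("top", frozenset({"objectClass"}), frozenset()),
    "person": ObjectClass(
        "person", frozenset({"cn", "sn"}),
        frozenset({"userPassword", "telephoneNumber", "description"}), "top"),
    "organizationalPerson": ObjectClass(
        "organizationalPerson", frozenset(), frozenset({"title", "ou", "l"}), "person"),
    "inetOrgPerson": ObjectClass(
        "inetOrgPerson", frozenset(), frozenset({"mail", "uid", "employeeNumber"}),
        "organizationalPerson"),
}


def effective_attributes(class_name: str) -> Tuple[Set[str], Set[str]]:
    """Collect the MUST and MAY attribute sets along the superior chain."""
    must, may = set(), set()
    name: Optional[str] = class_name
    while name is not None:
        oc = SCHEMA.get(name)
        if oc is None:
            raise ValueError(f"unknown object class: {name}")
        must |= oc.must
        may |= oc.may
        name = oc.superior
    return must, may


def validate_entry(entry: dict) -> list:
    """Return the schema violations of an entry given as {attribute: [values]}.

    Attribute and class names compare case-insensitively, as LDAP does.
    An empty list means the entry conforms to every class it claims.
    """
    problems = []
    attrs = {k.lower(): v for k, v in entry.items()}
    classes = attrs.get("objectclass", [])
    if not classes:
        return ["entry has no objectClass"]
    must, may = set(), set()
    by_lower = {n.lower(): n for n in SCHEMA}
    for oc in classes:
        canonical = by_lower.get(oc.lower())
        if canonical is None:
            problems.append(f"unknown object class: {oc}")
            continue
        m, o = effective_attributes(canonical)
        must |= m
        may |= o
    allowed = {a.lower() for a in must | may}
    for required in sorted(must):
        if not attrs.get(required.lower()):
            problems.append(f"missing required attribute: {required}")
    for present in sorted(attrs):
        if present not in allowed:
            problems.append(f"attribute not allowed by schema: {present}")
    return problems


# Constructed sample entries (not data from the slides).
GOOD_ENTRY = {
    "objectClass": ["inetOrgPerson"],
    "cn": ["Jane Doe"],
    "sn": ["Doe"],
    "telephoneNumber": ["+1 555 0100"],
    "mail": ["jane.doe@example.test"],
}
BAD_ENTRY = {
    "objectClass": ["person"],
    "cn": ["Jane Doe"],
    # sn is missing, and mail is not permitted on a plain person
    "mail": ["jane.doe@example.test"],
}

if __name__ == "__main__":
    print("good:", validate_entry(GOOD_ENTRY))
    print("bad:", validate_entry(BAD_ENTRY))
```

A server that enforces this check at add and modify time is what makes "applications share the same objects" possible: every consumer can rely on a person entry carrying cn and sn, and an application cannot quietly store data under an attribute the shared schema does not define.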
Key Assumptions
There is a well-described link between solving business challenges and Information Technology
It is not sufficient to solve heterogeneous business problems with homogeneous information technology:
multiple platforms
multiple operating systems
multiple applications
multiple directories...
A Single Directory Won't Win
Big Picture Requirements
Enterprise Directory/Certificate store
Directory synchronization and management
Single sign-on
Directory enabled apps.
Customers and employees; access controls; certificates; products and services
Common Administration
Directory Requirements
Will it scale to meet my needs?
Does it provide high levels of reliability?
How much does it cost?
What applications use it?
Can you provide worldwide support?
Can I get help implementing it?
Directory Support for e-business
[Diagram: layered stack of Physical Networks; Communication Protocols (SNA, IPX, NetBios, Vines, TCP/IP); Clients and Servers; Data and Applications (DB2, Oracle, Informix, Sybase, Ingres, Billing, PeopleSoft, Lotus Notes, Ordering, SAP)]
eNetwork LDAP directory across our operating systems and bundled with solutions
LDAP exploitation by: Applications, Security, Networking
ISV and OEM support
Robust management and administrative capabilities
IBM eNetwork LDAP Directory
Features:
Proven relational database store
Client, Server and Java client
SSL V3 encryption and authentication
Replication
Access Control
HTTP Gateway
Web-based administration
Directory will be bundled with operating systems or solutions
Available today for: AIX, OS/390, OS/400
Web download for: NT, Solaris
Wide range of platform support
Scale to millions of entries
Why DB2 as a Data Store for IBM eNetwork Directory?
Highly scalable data store
Atomic transactions
On-line backup and restore facility
Alternative replication support
Fast database loading facility
Powerful query engine
IBM eNetwork LDAP Directory
Authentication options: none; clear text passwords; passwords encrypted using SSL; server certificates / SSL
Access Control: per object and attribute
Replication: LDAP, or use DB2 replication
API support: LDAP C/C++, JNDI
Additional features: bulk load via LDIF; supports LDAP referrals
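To show what "bulk load via LDIF" and "access control per object and attribute" mean in practice, here is an added example (not the eNetwork LDAP Directory's own loader or ACL model): an LDIF parser that handles comment lines, folded continuation lines and base64 values, and a deny-by-default check that filters an entry's attributes by the requester's rights before the entry is returned. The ACL rule format, the DNs and the entries are constructed for the example.

```python
"""Bulk-load an LDIF file and apply per-object, per-attribute access control.

Added example for this transcript; it is not the eNetwork LDAP Directory's
loader or its ACL model. The ACL rule format below (subject, scope, attribute,
rights) is an assumption made for the example, and all data is constructed.
"""
import base64


def _split_line(line):
    """Split one LDIF line into (attribute, value), decoding 'attr:: base64'."""
    name, _, rest = line.partition(":")
    if rest.startswith(":"):
        value = base64.b64decode(rest[1:].strip()).decode("utf-8")
    else:
        value = rest.strip()
    return name.strip(), value


def _build_record(lines):
    dn, attrs = None, {}
    for line in lines:
        name, value = _split_line(line)
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    if dn is None:
        raise ValueError("LDIF record without a dn line: " + repr(lines[0]))
    return dn, attrs


def parse_ldif(text):
    """Parse LDIF into a list of (dn, {attribute: [values]}) records.

    A line starting with a space continues the previous line; '#' lines are
    comments; blank lines separate records.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    records, current = [], []
    for line in unfolded + [""]:          # trailing "" flushes the last record
        if line.startswith("#"):
            continue
        if line.strip() == "":
            if current:
                records.append(_build_record(current))
                current = []
            continue
        current.append(line)
    return records


# ACL entries: (subject, scope suffix, attribute or "*", rights).
# "self" is the bound user reading their own entry; "anonymous" is an unbound client.
ACL = [
    ("cn=admin,o=example", "o=example", "*", {"read", "write"}),
    ("self", "o=example", "*", {"read"}),
    ("self", "o=example", "userPassword", {"read", "write"}),
    ("anonymous", "o=example", "cn", {"read"}),
    ("anonymous", "o=example", "telephoneNumber", {"read"}),
]


def allowed(requester, target_dn, attribute, right, acl=ACL):
    """Deny by default; grant when an ACL entry matches subject, scope and attribute."""
    for subject, scope, attr, rights in acl:
        subject_ok = (requester == target_dn) if subject == "self" else (requester == subject)
        scope_ok = target_dn.lower().endswith(scope.lower())
        attr_ok = attr == "*" or attr.lower() == attribute.lower()
        if subject_ok and scope_ok and attr_ok and right in rights:
            return True
    return False


def visible_attributes(requester, dn, attrs, acl=ACL):
    """The subset of an entry's attributes the requester may read."""
    return {a: v for a, v in attrs.items() if allowed(requester, dn, a, "read", acl)}


# Constructed sample bulk-load file (base64 values decode to "secret" and "secret2").
SAMPLE_LDIF = """\
# people to load
dn: cn=Jane Doe,ou=people,o=example
objectClass: person
cn: Jane Doe
sn: Doe
telephoneNumber: +1 555 0100
description: first line of a folded
  value continued here
userPassword:: c2VjcmV0

dn: cn=John Roe,ou=people,o=example
objectClass: person
cn: John Roe
sn: Roe
userPassword:: c2VjcmV0Mg==
"""

if __name__ == "__main__":
    for dn, attrs in parse_ldif(SAMPLE_LDIF):
        print(dn, "as seen anonymously:", visible_attributes("anonymous", dn, attrs))
```

The attribute-level granularity is the point of the slide's "per object and attribute": the same entry yields cn and telephoneNumber to an anonymous client, everything to the administrator, and the password attribute to nobody but its owner, with the default being refusal when no rule matches.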
Single Client / Multiple Server
[Diagram: one LDAP client, one LDAP server, databases DB1, DB2 and DB3]
Every database resides on one network node
LDAP server can connect to a number of networked databases for directory information
LDAP server stores all information without knowing in which database the data is actually stored
LDAP server is freed from managing physical storage
Multiple Clients / Multiple Servers
[Diagram: LDAP clients, a Network Dispatcher, several DB/2 client + LDAP server nodes, DB/2 servers]
Database clients can connect to any database server for directory information
The collection of database servers forms a single image
More than one LDAP server can access the directory information
Network dispatcher deployed to route requests among the LDAP servers
Multiple Clients / Parallel Super Server
[Diagram: LDAP clients, a Network Dispatcher, DB/2 client + LDAP server nodes, a DB/2 server]
Solution to store huge amounts of information in a single database (terabytes)
DB2 PE automatically partitions the database across different machines (instead of partitioning the database from the application level)
DB2 PE divides queries into smaller independent tasks that execute concurrently
Accommodates growth through appropriately sized resources
Directories and Security (1)
There's a strong natural synergy between the two
Both store and access information of various kinds (some of it the same)
Both can benefit from replication of that information
Examples: information about user accounts; certificates
Directories and Security (2)
The rise of LDAP parallels the rise of distributed security standards
Example: Secure Sockets Layer (SSL)
Example: X.509 certificates
It's not possible to have a solid directory strategy without also having an integrated security strategy
eNetwork LDAP Directory: Directory Exploiters Roadmap
Platforms: AIX 3/98, OS/390 3/98, OS/400 9/98, NT 12/98, Solaris 12/98
Areas: Web App. Dev., Networking, Security, Suites, Management
Websphere 12/98: stores users, groups, passwords and application configuration
Tivoli Directory Mgt. 9/98
Tivoli User Administration support for LDAP
NT Suites beta 1/99: UDB, Comm. Svr., CICS, Websphere, Suites SSO
Vault Registry 1Q99: certificate storage
Communication Server NT 7/98
Communication Server 390 3/99
eNetwork LDAP Partners
[Diagram: partners around the eNetwork LDAP Directory: Dascom, Persistent Systems, Allot Communications, Security Dynamics, Netegrity, enCommerce Inc., Triangulum Software; areas covered: intranet security solution, security products, network tools and mgmt. apps., web access management, access control for the web, LDAP and RDBMS integration, DCE CDS to LDAP]
VPN Policy Direction
Map "Policy" into GUI into VPN Schema
Pre-defined profiles for typical configurations: Branch Office Interconnect, Supplier Networks, Remote Access
Centralized definition for all IPSec boxes in a given VPN: consistency checking; company-wide definition
Database management: individual boxes "pull in" their own configuration data
[Diagram: company security policy (profiles, natural language descriptions, VPN topology, ...) mapped through GUI/Schema Mapping into the eNetwork LDAP Directory; LDAP flows carry the IPSec config data to the boxes]
Sample Configuration: Example VPN Policy
[Diagram: hosts H1, H2 and H3 and gateways GW1, GW2 and GW3 connected across the Internet]
1. GW1 and GW2 must encrypt and authenticate, from all hosts except H2 and H3, traffic that flows between GW1 and GW2, using DES and HMAC-MD5. Keys must be refreshed at least once every 20 minutes.
2. Traffic from H1 to H2 must be encrypted and authenticated end-to-end using 3DES and HMAC-SHA1. Keys must be refreshed at least once every 10 minutes with PFS.
3. Traffic between H2 and H3 must be authenticated by GW2 and GW1. Keys must be refreshed with PFS once every 60 minutes.
Directory Management
Tivoli User Administration
Single-action Management
Cross Platform management for: Domino, NT, Unix and Netware; OS/390 Security Server; LDAP directories
[Diagram: Tivoli User Administration managing the eNetwork LDAP Directory alongside Security, Suites, Networking, ...]
Meta-directory - Direction
[Diagram: meta-directory joining connected directories: Notes, RACF, NW 3.x, HR DB, NT, Ntscp, NDS, Exchg, ...]
Provides single logical namespace
Imports content & changes from connected directories
Exports content & changes to connected directories
Propagates content & changes from connected directories to other connected directories
Directory Requirements
Will it scale to meet my needs? DB2 and eNetwork Dispatcher
Does it provide high levels of reliability? Proven DB2 reliability
How much does it cost? Directory provided at no charge
What applications use it? Growing IBM and ISV support
Can you provide worldwide support? Backed by IBM software support structure
Can I get help implementing it? Supported by IBM Global Services
IBM DCE Evolution
[Diagram: stages from DCE Integrated Client/Server Environment (Directory, Security, Time, RPC); Directory and Security Server (ease of use, IBM Software Servers); Network Computing Applications on eNetwork (Internet, Java) with Network Computing Services and an Integrated Infrastructure]
IBM eNetwork X.500 Directory
Based on IBM relationship with Telstra
Proven scale into the millions of entries
High availability through 1993 X.500 support
Network computing accessibility through support for LDAP
Shipping on AIX
[Diagram: The Directory: users reach DSAs through DUAs over DAP or LDAP; DSAs chain requests to each other over DSP and replicate over DISP]
Domino's Directory Assistance
[Diagram: Notes Clients, Public Address Books, the Master Address Book, Novell NDS and Internet Directories connected over LDAP and LDAP/X.500]
Access to both Domino Public Address Books and LDAP directory servers
Provides a server proxy for any non-LDAP Notes client, i.e., R3 or R4
Domino R5 will support LDAP V3
eNetwork and NT Direction
IBM will directory enable our products based on LDAP as defined in our e-business application framework model
eNetwork and Microsoft NT Active Directory interoperability:
Client to server interoperation: IBM clients to Active Directory; Microsoft clients to eNetwork LDAP Directory
Server to server interoperation: referrals. eNetwork LDAP Directory will accept referrals from MS Active Directory. eNetwork LDAP Directory will also send referrals to MS Active Directory if it implements the LDAP referral mechanism
Schema and Namespace: IBM is developing a common schema for its products. IBM is actively working to support industry standards through the DMTF and IETF
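The server-to-server referral mechanism described above, as an added example (not code from either product): two in-memory stand-ins partitioned by naming context, each returning an ldap://host/dn referral for the suffix the other one holds, and a client that chases referrals only to hosts it trusts and stops after a hop limit, so two servers that point at each other for a suffix neither holds cannot keep a client looping. Hostnames, suffixes and entries are constructed.

```python
"""Two directories that refer requests to each other, and a client that chases
the referrals with a hop limit and a list of trusted hosts.

Added example for this transcript. The servers are in-memory stand-ins for an
eNetwork LDAP Directory and an Active Directory, not either product, and the
hostnames and entries are constructed. Referral URLs use the ldap://host/dn
form of the LDAP referral mechanism.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import unquote, urlparse


@dataclass
class Server:
    host: str
    naming_context: str             # suffix this server is authoritative for
    entries: Dict[str, dict]        # dn -> attributes
    referrals: Dict[str, str]       # suffix held elsewhere -> host that holds it

    def search(self, dn: str) -> Tuple[str, Optional[object]]:
        """Return ('entry', attrs), ('referral', url) or ('noSuchObject', None)."""
        if dn.lower().endswith(self.naming_context.lower()):
            entry = self.entries.get(dn)
            return ("entry", entry) if entry is not None else ("noSuchObject", None)
        for suffix, host in self.referrals.items():
            if dn.lower().endswith(suffix.lower()):
                return ("referral", f"ldap://{host}/{dn}")
        return ("noSuchObject", None)


def chase(servers: Dict[str, Server], start_host: str, dn: str,
          trusted_hosts, max_hops: int = 3) -> Tuple[str, Optional[object], int]:
    """Follow referrals from start_host; return (result, payload, hops taken).

    The client only talks to hosts in trusted_hosts, and gives up after
    max_hops referrals so a pair of servers pointing at each other cannot
    keep it busy forever.
    """
    host, hops = start_host, 0
    while True:
        if host not in trusted_hosts:
            return ("untrustedReferral", host, hops)
        result, payload = servers[host].search(dn)
        if result != "referral":
            return (result, payload, hops)
        hops += 1
        if hops > max_hops:
            return ("referralLimitExceeded", payload, hops)
        url = urlparse(payload)
        host = url.hostname
        dn = unquote(url.path.lstrip("/"))


# Constructed stand-in servers; hostnames are examples, not real systems.
SERVERS = {
    "enetwork.example.test": Server(
        "enetwork.example.test", "o=ibmside,c=us",
        {"cn=Jane Doe,o=ibmside,c=us": {"cn": ["Jane Doe"], "sn": ["Doe"]}},
        {"dc=example,dc=test": "ad.example.test"}),
    "ad.example.test": Server(
        "ad.example.test", "dc=example,dc=test",
        {"cn=John Roe,cn=Users,dc=example,dc=test": {"cn": ["John Roe"], "sn": ["Roe"]}},
        {"o=ibmside,c=us": "enetwork.example.test"}),
    # two misconfigured servers that refer a suffix neither holds to each other
    "loop-a.example.test": Server(
        "loop-a.example.test", "o=loop-a", {}, {"o=nowhere": "loop-b.example.test"}),
    "loop-b.example.test": Server(
        "loop-b.example.test", "o=loop-b", {}, {"o=nowhere": "loop-a.example.test"}),
}
TRUSTED = set(SERVERS)

if __name__ == "__main__":
    print(chase(SERVERS, "enetwork.example.test",
                "cn=John Roe,cn=Users,dc=example,dc=test", TRUSTED))
    print(chase(SERVERS, "loop-a.example.test", "cn=x,o=nowhere", TRUSTED))
```

The two client-side limits are the part worth keeping in mind when two vendors' directories start referring to each other: a referral names a host the client did not originally choose, so the client decides whether to bind there, and it bounds how many redirections it will accept before reporting failure.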
IBM vs. Microsoft
Microsoft: SMS; Applications - MS, etc.; Middleware - MS, etc.; Network - Cisco; NT 5.0; Active Directory; Key Based Security; Wolfpack
IBM: Tivoli; Applications - Java based; Middleware - IBM, Lotus, 3rd party; Network - IBM; LDAP Directory; Key Based Security; Atlas; Cross platform
Summary
IBM is committed to:
Delivering mission critical, high performance, scalable LDAP directories across the leading industry platforms as infrastructure components
Directory enabling our middleware and applications to reduce the cost of administration
Integrated directory and security offerings to enable e-business
Working with standards bodies to advance LDAP and deliver industry standard schemas
Providing management tools for seamless administration
For More Information
Directory Product Announcement Information
Directory Strategy
Directory Products Brochure
Security and Directory Industry Solution Guides
Security and Directory Evaluation Kit
Directory Reference Materials: Redbooks, Whitepapers (including the scaling guide), Programming Reference, Administration Guide, Installation/Configuration Guide
www.software.ibm.com/enetwork/directory