Deployment Panel: Planning and Implementing for the Big Day
Daniel Arrasjid
University at Buffalo
Copyright Daniel Arrasjid 2004. This work is the intellectual property of the author. Permission is granted for this material to be shared for
non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that
the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
CAMP Directory Workshop Feb 3-6, 2004
University at Buffalo
Doctoral/research extensive university
NY's largest and most comprehensive public university
27,000+ students
13,000+ employees
Two main campuses
Part of the SUNY system
Prevalent UB Drivers
Technology and Business Drivers
– Critical technology-specific directory (DCE) set to retire
– Business Continuity and Disaster Recovery
– Server consolidation
– Virtualization of services, dynamic provisioning
– Staff resource issues
– SUNY-wide federation
– Applications seeking more robust attributes
– Library resource access management
UB Brief History: Some Highlights
1986 SSN eliminated as primary key, replaced by "Person Number"
1990 White Pages
1993 Developed primitive provisioning system for unix accounts, with University-wide unix namespace
Mid 1990s Major projects/initiatives
– Access '99: transition mainframe to distributed computing, culture change
– 1995 Data Warehouse: data access policies, stewards, trustees, process
– 1995 Multi-purpose Identification Card System: final linkage of single public identifier HR/Student
– 1996 Web-based Workflow & Paperless Processing: major initiative in culture change, and re-tooling staff, for distributed computing
1997 Initial Identity Management System (it wasn't called that), and DCE
– Person registry, biz rules, data transformation, provisioning of services and directories, self-service, special "affiliations", data access, security, acceptable use policy
2001 MyUB Portal
2002 Business Continuity & DR, geographically distributed data center, SAN
2003 Kerberos 5, Active Directory, eduPerson-based Sun ONE DS
Example Services Leveraging the 1997-based Infrastructure
Central e-mail (IMAP/POP3/Webmail/filters)
MyUB Portal
UB Business apps
Wings web service protected files
Whitepages LDAP service
Library public access workstations
UBUNIX time-sharing
Blackboard
Telephony applications
UB Business Portal
Open ports, wireless, VPN, firewall, ResNet
Usenet News
Web password change
Web registration
Web grading
Web address & declared major change
Web parking hang-tags
e-payment
Public Sites workstations
Software distribution
Distributed File System
Dept. public workstations and other applications
Exchange, SQL Server, MS apps
1997 idM Drivers
NIS+ out of steam
Web-based Workflow & Paperless Processing requirements
Enterprise File Service
1997 idM Communication
Infrastructure change intended to be transparent
Proposals, executive briefs, technical documents
Campus news outlets
– Web
– Newspaper
Campus IT stakeholders
Campus forums
– IT Fair
– Distributed Computing Consultants
Data custodians
1997 idM Training
No published roadmap or best practices
Leveraged experience from prior related activities
– Earlier provisioning system
– Data Warehouse
– Operational Datastore
– Campus ID Card
Intensive training program
– 6 support staff, approx. 18 person-weeks
Transparent change to applications
AuthN/AuthZ modules/libraries for campus use
1997 idM Technology Considerations
High availability, 24x7 requirement
Meta-Directory
– Oracle for repository and queues, with stand-by system
– Perl scripts & "C" programs for processing
– Delegation of account management, based on roles
– Automated monitoring tools, log analysis
– DR
Physical Directory
– DCE replicas distributed across several subnets
– Private network for replication
– Automated monitoring tools
– DR
AuthN/AuthZ modules/libraries for campus use
1997 idM Costs & System Configurations
Physical Directory
– 8 physical directory replicas, Sun Enterprise systems, Solaris, DCE
Meta-Directory
– 1 primary system, 1 stand-by system, Sun Enterprise systems, Solaris, Oracle
Total Cost
– Approx. $250,000
– Approx. 3.0 FTE x 9 months
What problems were we trying to solve with "I2" DS and Shibboleth?
Transition from DCE
Make more information available to support authorization decisions
Biz continuity and service resiliency
Ease integration of applications into campus idM/middleware infrastructure
Be mainstream
Reduce vendor dependency
Authenticated anonymous access, privacy issues
Include non-institutional attribute data
Data co-location in a single directory
Ability to do groups as well as individual attributes
Single/initial log-on
Inter-institutional log-on
Existent Prior to Deployment of "I2" DS
Project management culture
Campus governance, prioritization, resource process
"Identity Management" awareness
"Service"-based culture with SLAs/SLSs
Data access, security, and appropriate use policies with roles and responsibilities
Opaque and persistent identifiers (see http://middleware.internet2.edu/earlyharvest/DA-EH.ppt)
Identity Management System
– Oracle-based registry
– Perl and C programs to process intelligence and business rules
– Automatic provisioning of services and directories
– Large set of existing user attributes/profiles (groups)
Roadmap
Completed
– ASAB (governance) support for activity
– Discussions with ASAB infrastructure committee, members of the campus community, and peer institutions
– Proposal to the campus, and demonstration
– Seek feedback
Outstanding
– Determine schema governance model
– Develop policies: biz rules, privacy, security, management, attribute ownership
– Integrate applications
– Continuous process
2003 "I2" DS Communication
Help from campus
– Other UB IT folks following I2 middleware and NMI
Governance/Prioritization
– Initiation proposal to ASAB
– Proposal to ASAB Infrastructure
Key campus IT stakeholders
– 1-on-1's to discuss the proposal and issues
– Discussed proposal with IT Coordinating Committee
Campus forum
– Proposal, demo, and Ken.
– Sought feedback and held follow-up discussions
2003 "I2" DS Training
Existing expertise with Sun ONE DS
Leveraged existing infrastructure
Books, roadmaps, recipes
New modules, libraries, APIs
Just another physical DS
Either cost "a lot" or "fairly little"
– When do you start tallying the cost, 1995?
– Or just for this quiet deployment of yet another physical directory
2003 "I2" DS Technology Considerations
Meta-Directory
– Leveraged infrastructure, added new feed
Production, but no anticipated production use for 8 months
Service Level Agreements
Physical Directory
– High availability
– Load testing (collaborate with App Group, web-load, JMeter, SAR)
– Replicas across geographically distributed data center
– Health monitoring (Big Brother, Spectrum, RRD/mrtg, auto-paging)
– Security (firewalls, VPN, etc.)
– Layer 4 switches (Cisco LocalDirectors)
Infrastructure costs: $54,000
Some director-switch issues
– Combining LDAP farm and Shibboleth farm behind the same switch; currently have a work-around.
Costs & System Configurations
LDAP
– 394 hours
– 4x Sun Enterprise 280 systems, 2 GB RAM, 2x 900 MHz CPUs, Sun crypto accelerator cards, Solaris 9, Sun ONE DS, $54,000
Kerberos
– 365 hours
– 4x Sun V120 systems with 512 MB RAM and 650 MHz CPUs, Solaris 9, Kerberos 5, $14,000
Shibboleth Origin/AA/Cosign
– 407 hours
– Test with 2x Dell 6650 systems, 4x 1.9 GHz CPUs, 2 GB RAM, Red Hat Advanced Server 2.1a
– Production: scalable app farm with probably at least 4 systems
Architecting for Business Continuity
[Diagram: Main Site A and DR Site B, each with SAN storage and disk arrays, SAN core/edge switching, tape, an IBM mainframe and transaction system, EFS servers, data warehouse, Blackboard, e-mail servers, library servers, and web and/or application servers, joined by the network. Basic infrastructure services at each site (examples): DNS, authentication/authorization, software/documentation, problem tracking, system monitoring, central staff VPN, system image, test equipment; the second site's list adds emergency web, emergency e-mail and older spare equipment.]
Architecting for Business Continuity
[Diagram: Main Site A, Main Site B and Satellites A, B and C, linked by dedicated fiber, data net and SAN, behind firewalls. Services at the main sites: Blackboard, Admin Oracle, authentication/authorization services, software repository, web service, e-mail service, system image backup, console server, portal service, IBM mainframe, InfoSource/data warehouse service, filesystem service, DNS service and DNS master server, Win2K AD, ID card system, workflow service, problem tracker, system monitoring and paging, scheduler, admin and Blackboard application servers, VPN server, listserv service, cluster private interconnect and cluster quorum device. Satellites hold TSM server, tape library, DNS server, authentication/authorization services, VPN server, software repository, emergency web, emergency e-mail, system image backup and console server. Key: service distribution level (1, 2, 3 or 4 sites); Phases I through IV. Some services are to be recovered with newly purchased equipment, some are consolidation candidates, and some services are not included.]
Architecting for Business Continuity
[Diagram: Main Site and DR Site joined by a Brocade switching fabric. Components: data backup and restoration service; Oracle Parallel Server instances for transactional, operational data store and course management databases; storage area networks (400 GB, 3 TB and 4 TB, with 400 MB admin, mainframe and 2.2 TB e-mail allocations, plus later expansion); IBM mainframe (400 MB); HA NFS server; load balancing/web server redundancy service; helper servers (for example proxies, authentication, single sign-on); QA and development environments; system image (Flash) service; web/application servers and web-only servers (dedicated, shared or pooled); central e-mail servers with their own e-mail load balancing/web server redundancy service; LDAP, Shibboleth and Kerberos at both sites providing authentication and authorization; client workstation and browser; Internet connections to InCommon, JSTOR, Elsevier and the state federation. Applications: portal, various student, payment, address change, biz portal, course management, data warehouse, phone billing, alumni development, others as appropriate.]
Meta-Directory Dataflow: A Nice Diagram
Current Authentication/Authorization Architecture at the University at Buffalo
[Diagram. Meta Directory: technology-neutral data repository (objects, policies and attributes) in Oracle, authoritative for UBitName assignment, UNIX uid assignment, affiliation, authorization grouping, biographical info and statistics, with Oracle data tables for query purposes. Sources: institutional admin databases (faculty, staff and students), other data sources, UBCard card management system (card number used for part of the initial password shared secret), InfoSource data warehouse. Fed systems: DCE authentication/authorization (phasing out by Jan 2005; italic text on the original slide denotes services to be migrated to a DCE replacement during 2004); Microsoft Windows Active Directory (Windows login, MS SQL, Exchange; Public Sites Windows workstations to AD 6/04); Kerberos services (realm for faculty, staff and students; currently Public Sites Linux workstations (Jan '04) and Blackboard (to Kerberos July '03)); UNIX password file; specific-technology directories; WhitePages (iPlanet) LDAP service for name/address/e-mail lookup from the web, UNIX command line and e-mail clients (transition to the overall LDAP directory Jan '04); LDAP directory for authorization; various UB web apps; external library patron DB; RADIUS server for VPN, dial-in and ResNet; PKI x.509 certificate services (public certificates, transaction signing); web-based user password change with native password synchronization; web-based distributed maintenance of repository objects and web-based selective user data change. Services served: central e-mail (IMAP/POP3/Webmail/filters), MyUB Portal, UB business apps, Wings web service protected files, Whitepages LDAP service, library public access workstations, UBUNIX time-sharing, Usenet News, web password change, web registration, web grading, web address and declared major change, web parking hang-tags, e-payment, Public Sites UNIX workstations, software distribution, Distributed File System (direct Windows, UNIX and web access), departmental public workstations and other applications, Blackboard, Public Sites Windows and Linux workstations, telephony applications. Other affiliated persons, initially prospective students (authentication winter '03/04); potentially later library patrons, alumni, gifted math, summer programs, senior auditors, volunteers, research subjects. Resource creation: mailbox, file space, UNIX shell, et al. LDAP schema organization: top, person, organizationalPerson, inetOrgPerson, posixAccount, eduPerson, ubeduPerson, prospectUBPerson, and later maybe others like gridPerson, sunyPerson, alumniPerson. Internet2 components: Shibboleth (authorization for SAML and web-based applications), WebISO using cosign (authentication credential exchange for web-based applications), web/federated authentication and SAML authorization used for single sign-on, WAYF service, inter-institutional trust relationships reached through the browser. Roles and entitlements processing: Oracle role tables supplying individual and group role and entitlement attributes through the regular LDAP data feed, web-based distributed maintenance for roles and entitlements, application role and entitlement support; covers people, groups and systems. Key: exists / planning / proposed-committed / implementing / considering.]
Proposed Authentication/Authorization Architecture at the University at Buffalo
[Diagram, same layout as the current architecture. Meta Directory: technology-neutral data repository (objects, policies and attributes) in Oracle, authoritative for UBitName assignment, UNIX uid assignment, affiliation, authorization grouping, biographical info and statistics, with Oracle data tables for query purposes; sources are institutional admin databases (faculty, staff and students), other data sources, UBCard card management system (card number used for part of the initial password shared secret) and the InfoSource data warehouse. DCE is gone. Fed systems: Microsoft Windows Active Directory (Windows login, MS SQL, Exchange, other Windows applications, Public Sites Windows workstations); Kerberos services (realm includes all faculty, staff and students (after 1996) and other affiliated persons); UNIX password file; legacy specific-technology directories ("or maybe not"); Kerberos/LDAP for people, groups, systems and attributes; LDAP directory for authorization; various UB web apps; external library patron DB; RADIUS server for VPN, dial-in and ResNet; PKI x.509 certificate services (public certificates, transaction signing); web-based user password change with native password synchronization; web-based distributed maintenance of repository objects and web-based selective user data change. Services served: the same list as the current architecture plus UBFS space and library resources. Other affiliated persons initially prospective students; potentially later library patrons, alumni, gifted math, summer programs, senior auditors, volunteers, research subjects. Resource creation: mailbox, file space, UNIX shell, et al. Internet2 components: Shibboleth (authorization for SAML and web-based applications, Summer '03), WebISO using cosign (authentication credential exchange for web-based applications, Summer '03), web/federated authentication and SAML authorization used for single sign-on, WAYF service, inter-institutional trust relationships reached through the browser. Roles and entitlements processing (Fall/Winter '03): Oracle role tables, web-based distributed maintenance for roles and entitlements, application role and entitlement support. Key: exists / planning / proposed-committed / implementing / considering.]
UB LDAP Schema
Object: attribute; permissions; example. An asterisk (*) follows the permission where the slide shows one.
Top
– objectClass (required): Anon; example: top, posixAccount, person, organizationalPerson, inetOrgPerson, eduPerson, UBEduPerson
– aci: Admin
PosixAccount
– uidNumber: posixdat; gidNumber: posixdat (example values run together on the slide as 13012390)
– homeDirectory: posixdat; example: /home/staff/tks/mruser
– loginShell: posixdat; example: /bin/tcsh
– gecos: posixdat (*); example: Mike R User
Person
– cn (commonName) (required): Anon (*); example: Mike R User
– sn (surname) (required): Anon (*); example: User
– telephoneNumber: Anon; example: 123-4567
OrganizationalPerson
– ou (organizationalUnitName): Anon (*); example: Technical Services
– physicalDeliveryOfficeName: Anon; example: 123 Computing Center
– title: Anon; example: Unix Systems Analyst I
UB LDAP Schema (continued)
InetOrgPerson
– departmentNumber: Anon (*); example: 0790
– displayName: Anon (*); example: Mike R User
– employeeNumber: Admin
– employeeType: Anon; example: staff
– givenName: Anon (*); example: Mike
– labeledURI: Admin
– mail: Admin
– roomNumber: Anon; example: 123
– uid (userID): Anon; example: Mruser
– userCertificate: Admin
– userSMIMECertificate: Admin
eduPerson
– eduPersonAffiliation: Anon (*); example: staff, student
– eduPersonOrgDN: Anon (*); example: dc=buffalo,dc=edu
– eduPersonOrgUnitDN: Anon (*); example: ou=People,dc=buffalo,dc=edu
– eduPersonPrimaryAffiliation: Anon (*)
– eduPersonPrincipalName: Anon; example: [email protected] (redacted on the page)
– eduPersonEntitlement: Admin; example: urn:mace:incommon:entitlement:common:1
– eduPersonPrimaryOrgUnitDN: Anon (*); example: ou=People,dc=buffalo,dc=edu
UBEduPerson
– UBEduPersonKswitch: Admin; UBEduPersonSunycard: Admin; UBEduPersonPersonNumber: Admin (example values run together on the slide as 1123456781234567812345678)
– UBEduPersonEntityAbbr: Anon (*); example: tks, cse
– UBEduPersonPrimaryEntityAbbr: Anon (*); example: tks
– UBEduPersonInfoRelease: Admin; example: Y
– UBEduPersonDegree: Admin; example: BS
– UBEduPersonLibraryBarcode: Admin; example: 21234123456781
– UBEduPersonSENSHomedir: Admin; example: /home/sens/foo/mruser
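As an added example (not UB's directory configuration), the Permissions column of these two schema slides can be read as an attribute-level release policy: the check below decides which attributes of the example entry an anonymous bind, the posixdat client, or an administrator gets back, failing closed on any attribute the schema does not list. The nesting of the three requester classes and the entry values not shown on the slides are assumptions.

```python
"""Attribute-level read policy modelled on the UB LDAP schema slides.

Added example, not UB's directory configuration: the Permissions column
(Anon, posixdat, Admin) becomes a lookup that decides which attributes of
the example person entry a requester class may read.
"""

# Permission column of the schema slides: attribute -> class allowed to read it.
# Attributes absent from this map are never released (fail closed).
SCHEMA_PERMISSIONS = {
    "objectClass": "Anon", "aci": "Admin",
    "uidNumber": "posixdat", "gidNumber": "posixdat", "homeDirectory": "posixdat",
    "loginShell": "posixdat", "gecos": "posixdat",
    "cn": "Anon", "sn": "Anon", "telephoneNumber": "Anon",
    "ou": "Anon", "physicalDeliveryOfficeName": "Anon", "title": "Anon",
    "departmentNumber": "Anon", "displayName": "Anon", "employeeNumber": "Admin",
    "employeeType": "Anon", "givenName": "Anon", "labeledURI": "Admin",
    "mail": "Admin", "roomNumber": "Anon", "uid": "Anon",
    "userCertificate": "Admin", "userSMIMECertificate": "Admin",
    "eduPersonAffiliation": "Anon", "eduPersonOrgDN": "Anon",
    "eduPersonOrgUnitDN": "Anon", "eduPersonPrimaryAffiliation": "Anon",
    "eduPersonPrincipalName": "Anon", "eduPersonEntitlement": "Admin",
    "eduPersonPrimaryOrgUnitDN": "Anon",
    "UBEduPersonKswitch": "Admin", "UBEduPersonSunycard": "Admin",
    "UBEduPersonPersonNumber": "Admin", "UBEduPersonEntityAbbr": "Anon",
    "UBEduPersonPrimaryEntityAbbr": "Anon", "UBEduPersonInfoRelease": "Admin",
    "UBEduPersonDegree": "Admin", "UBEduPersonLibraryBarcode": "Admin",
    "UBEduPersonSENSHomedir": "Admin",
}

# Assumption: the classes nest, so the posixdat client also reads public
# attributes and an Admin reads everything. An unknown requester gets nothing.
GRANTS = {
    "Anon": {"Anon"},
    "posixdat": {"Anon", "posixdat"},
    "Admin": {"Anon", "posixdat", "Admin"},
}


def can_read(attribute, requester):
    """True only if the schema lists the attribute and the requester's grants cover it."""
    needed = SCHEMA_PERMISSIONS.get(attribute)
    return needed is not None and needed in GRANTS.get(requester, set())


def filter_entry(entry, requester):
    """Return the subset of an entry the requester may see."""
    return {name: value for name, value in entry.items() if can_read(name, requester)}


# Constructed sample entry; values come from the example column where the
# slides give one, the rest are made up for the demonstration.
MIKE = {
    "uid": "mruser", "cn": "Mike R User", "sn": "User", "givenName": "Mike",
    "employeeType": "staff", "employeeNumber": "000000",            # constructed
    "homeDirectory": "/home/staff/tks/mruser", "loginShell": "/bin/tcsh",
    "eduPersonAffiliation": ["staff"], "eduPersonOrgDN": "dc=buffalo,dc=edu",
    "eduPersonEntitlement": ["urn:mace:incommon:entitlement:common:1"],
    "UBEduPersonPersonNumber": "12345678", "UBEduPersonPrimaryEntityAbbr": "tks",
    "x-localTest": "not in the schema, so never released",         # constructed
}
```

Running `filter_entry(MIKE, "Anon")` returns only the public identity attributes; the person number, entitlements and the unschemed attribute drop out.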
SUNY Federation
The four University Centers are considering Shibboleth on their campuses as part of the AuthN/AuthZ infrastructure
Smaller schools may need various levels of help
SUNY Central Administration or ITEC: potential outsourcer or consulting services
NMI "compliant", eduPerson schema the foundation, SUNYPerson?