Deployment Panel: Planning and Implementing for the Big Day

Daniel Arrasjid
[email protected]
University at Buffalo

Copyright Daniel Arrasjid 2004. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.



CAMP Directory Workshop Feb 3-6, 2004

University at Buffalo

– Doctoral/research extensive university
– NY's largest and most comprehensive public university
– 27,000+ students
– 13,000+ employees
– Two main campuses
– Part of the SUNY system


Prevalent UB Drivers

– Technology and Business Drivers
  – Critical technology-specific directory (DCE) set to retire
  – Business Continuity and Disaster Recovery
  – Server Consolidation
  – Virtualization of services, dynamic provisioning
  – Staff resource issues
  – SUNY-wide Federation
  – Applications seeking more robust attributes
  – Library resource access management


UB Brief History: Some Highlights

– 1986 SSN eliminated as primary key – replaced by “Person Number”
– 1990 White Pages
– 1993 developed primitive provisioning system for unix accounts, with University-wide unix namespace
– Mid 1990s major projects/initiatives
  – Access ’99 – transition mainframe to distributed computing, culture change
  – 1995 Data Warehouse – data access policies, stewards, trustees, process
  – 1995 Multi-purpose Identification Card System – final linkage of single public identifier HR/Student
  – 1996 Web-based Workflow & Paperless Processing – major initiative in culture change, and re-tooling staff, for distributed computing
– 1997 initial Identity Management System (it wasn’t called that), and DCE
  – Person registry, biz rules, data transformation, provisioning of services and directories, self-service, special “affiliations”, data access, security, acceptable use policy
– 2001 MyUB Portal
– 2002 Business Continuity & DR, geographically distributed data center, SAN
– 2003 Kerberos 5, Active Directory, eduPerson-based Sun ONE DS


Example Services Leveraging the 1997-based Infrastructure

– Central e-mail (IMAP/POP3/Webmail/filters)
– MyUB Portal
– UB Business apps
– Wings web service protected files
– Whitepages LDAP service
– Library public access workstations
– UBUNIX time-sharing
– Blackboard
– Telephony Applications
– UB Business Portal
– Open Ports, Wireless, VPN, Firewall, ResNet
– Usenet News
– Web password change
– Web registration
– Web grading
– Web address & declared major change
– Web Parking hang-tags
– e-payment
– Public Sites workstations
– Software distribution
– Distributed File System
– Dept. Public Workstations and other applications
– Exchange, SQL Server, MS apps


1997 idM Drivers

– NIS+ out of steam
– Web-based Workflow & Paperless Processing requirements
– Enterprise File Service


1997 idM Communication

– Infrastructure change intended to be transparent
– Proposals, executive briefs, technical documents
– Campus News Outlets
  – Web
  – Newspaper
– Campus IT Stakeholders
– Campus Forums
  – IT Fair
  – Distributed Computing Consultants
– Data Custodians


1997 idM Training

– No published roadmap or best practices
– Leveraged experience from prior related activities
  – Earlier provisioning system
  – Data Warehouse
  – Operational Datastore
  – Campus ID Card
– Intensive Training Program
  – 6 support staff, approx 18 person-weeks
– Transparent change to applications
– AuthN/AuthZ modules/libraries for campus use


1997 idM Technology Considerations

– High Availability 24x7 requirement
– Meta-Directory
  – Oracle for repository and queues, w/ stand-by system
  – Perl scripts & “C” programs for processing
  – Delegation of account management, based on roles
  – Automated monitoring tools, log analysis
  – DR
– Physical Directory
  – DCE replicas distributed across several subnets
  – Private network for replication
  – Automated monitoring tools
  – DR
– AuthN/AuthZ modules/libraries for campus use


1997 idM Costs & System Configurations

– Physical Directory
  – 8 physical directory replicas, Sun Enterprise Systems, Solaris, DCE
– Meta-Directory
  – 1 primary system, 1 stand-by system, Sun Enterprise Systems, Solaris, Oracle
– Total Cost
  – Approx $250,000
  – Approx 3.0 FTE x 9 months


What problems were we trying to solve with “I2” DS and Shibboleth?

– Transition from DCE
– Make more information available to support authorization decisions
– Biz continuity and service resiliency
– Ease integration of applications into campus idM/middleware infrastructure
– Be mainstream
– Reduce vendor dependency
– Authenticated anonymous access, privacy issues
– Include non-institutional attribute data
– Data co-location in a single directory
– Ability to do groups as well as individual attributes
– Single/initial log-on
– Inter-institutional log-on


Existent Prior to Deployment of “I2” DS

– Project Management Culture
– Campus Governance, Prioritization, Resource Process
– “Identity Management”-awareness
– “Service”-based culture w/ SLAs/SLSs
– Data access, security, and appropriate use policies w/ roles and responsibilities
– Opaque and persistent identifiers (see http://middleware.internet2.edu/earlyharvest/DA-EH.ppt)
– Identity Management System
  – Oracle-based registry
  – Perl and C programs to process intelligence and business rules
  – Automatic provisioning of services and directories
  – Large set of existing user attributes/profiles (groups)


Roadmap

– Completed
  – ASAB (Governance) support for activity
  – Discussions with ASAB infrastructure committee, members of the campus community, and peer institutions
  – Proposal to the Campus, and demonstration
  – Seek feedback
– Outstanding
  – Determine schema governance model
  – Develop policies – biz rules, privacy, security, management, attribute ownership
  – Integrate applications
  – Continuous process


2003 “I2” DS Communication

– Help from campus
  – Other UB IT folks following I2 middleware and NMI
– Governance/Prioritization
  – Initiation Proposal to ASAB
  – Proposal to ASAB Infrastructure
– Key Campus IT Stakeholders
  – 1-on-1’s to discuss the proposal and issues
  – Discussed proposal with IT Coordinating Committee
– Campus Forum
  – Proposal, Demo, and Ken.
  – Sought feedback and held follow-up discussions


2003 “I2” DS Training

– Existing expertise with Sun ONE DS
– Leveraged existing infrastructure
– Books, Roadmaps, Recipes
– New modules, libraries, APIs
– Just another physical DS
– Either cost “a lot” or “fairly little”
  – When do you start tallying the cost, 1995?
  – Or just for this quiet deployment of yet another physical directory


2003 “I2” DS Technology Considerations

– Meta-Directory
  – Leveraged infrastructure, added new feed
– Production, but no anticipated production use for 8 months
– Service Level Agreements
– Physical Directory
  – High Availability
  – Load testing (collaborate with App Group, web-load, JMeter, SAR)
  – Replicas across geographically distributed data center
  – Health monitoring (Big Brother, Spectrum, RRD/mrtg, auto-paging)
  – Security (firewalls, VPN, etc.)
  – Layer 4 switches (Cisco LocalDirectors)
– Infrastructure Costs – $54,000
– Some director-switch issues
  – Combining LDAP farm and Shibboleth farm behind same switch, currently have work-around.


Costs & System Configurations

– LDAP
  – 394 hours
  – 4x Sun Enterprise 280 systems, 2 GB RAM, 2x 900 MHz CPUs, Sun crypto accelerator cards, Solaris 9, Sun ONE DS, $54,000
– Kerberos
  – 365 hours
  – 4x Sun V120 systems with 512 MB RAM and 650 MHz CPUs, Solaris 9, Kerberos 5, $14,000
– Shibboleth Origin/AA/Cosign
  – 407 hours
  – Test w/ 2x Dell 6650 systems, 4x 1.9 GHz CPUs, 2 GB RAM, Redhat Advanced Server 2.1a
  – Production: scalable app farm with probably at least 4 systems


Architecting for Business Continuity

[Diagram: two locations, Main Site A and DR Site B. Each site has SAN storage, SAN core/edge switching, a disk array and tape, and each hosts the transaction system, IBM mainframe, EFS servers, data warehouse, Blackboard, e-mail servers, web and/or application servers and library servers. Basic infrastructure services at each site (examples): DNS, authentication/authorization, software/documentation, problem tracking, system monitoring, central staff VPN, system image and test equipment; the DR site adds emergency web, emergency e-mail and older spare equipment.]


Architecting for Business Continuity

[Diagram: site layout. Main Site A and Main Site B are joined by dedicated fiber plus SAN and data networks, with Satellites A, B and C attached. Services are keyed by distribution level (1, 2, 3 or 4 sites) and rollout phase (Phase I, Phase II & III, Phase IV): TSM server and tape library, console server, DNS master server and DNS service, authentication/authorization services, VPN server, software repository, emergency web and emergency e-mail, system image backup, firewalls, Blackboard, Admin Oracle, web service, e-mail service, portal service, IBM mainframe, InfoSource service, data warehouse service, filesystem service, Win2K AD, ID card system, workflow service, cluster private interconnect and cluster quorum device, problem tracker, system monitoring & paging, scheduler, Admin & Blackboard application servers, listserv service and other services. Notes on the diagram: some services are to be recovered with newly purchased equipment, some are consolidation candidates; some services are not included.]


Architecting for Business Continuity

[Diagram: service architecture across the Main Site and the DR Site. Data backup and restoration service; Oracle Parallel Server instances for the transactional system, the operational data store and course management; load balancing / web server redundancy service; helper servers (for example proxies, authentication, single sign-on); storage area networks (400 GB, 3 TB and 4 TB, with later expansion); QA and development environments; system image / Flash service; web/application servers and web-only servers (dedicated, shared or pooled); HA NFS server; Brocade switching fabric; IBM mainframe (400 MB admin); central e-mail with its own load balancing / web server redundancy service (2.2 TB e-mail); client workstation & browser. Applications: Portal, various student, payment, address change, Biz Portal, course management, data warehouse, phone billing, alumni development, others as appropriate. Authentication and authorization: LDAP, Shibboleth and Kerberos at both sites, with Shibboleth facing the Internet toward InCommon, JSTOR, Elsevier and the State Federation.]

Meta-Directory Dataflow

Meta-Directory Dataflow: A Nice Diagram

[Diagram: Current Authentication/Authorization Architecture at the University at Buffalo. Key: exists, planning, proposed/committed, considering, implementing; italic text denotes services to be migrated to a DCE replacement during 2004.
– Meta Directory: technology-neutral data repository (objects, policies and attributes), authoritative for UBitName assignment, UNIX uid assignment, affiliation, authorization grouping, biographical info and statistics; meta-data held in an Oracle DB, with Oracle data tables for query purposes.
– Feeds in: institutional admin databases (faculty, staff & students), other data sources, the UBCard card management system (card # used for part of the initial password shared secret), the InfoSource data warehouse and an external library patron DB; prospective students to be added.
– Feeds out: DCE authentication/authorization (phasing out by Jan 2005), which still fronts central e-mail (IMAP/POP3/Webmail/filters), MyUB Portal, UB business apps, Wings web service protected files, Whitepages (iPlanet) LDAP service, library public access workstations, UBUNIX time-sharing, Usenet News, web password change, web registration, web grading, web address & declared major change, web parking hang-tags, e-payment, public sites UNIX workstations, software distribution, Distributed File System (direct Windows, UNIX & web access), dept. public workstations and other applications, Blackboard (to Kerberos July ’03), public sites Windows workstations (to AD 6/04), public sites Linux workstations (to Kerberos Jan ’04) and telephony applications; Microsoft Windows Active Directory (Windows login, MS SQL, Exchange, public sites Windows workstations 6/04); Kerberos services (realm for faculty, staff & students; currently public site Linux workstations and Blackboard; other affiliated persons initially prospective students, potentially later library patrons, alumni, gifted math, summer programs, senior auditors, volunteers and research subjects); UNIX password file authentication; Radius server (VPN, dial-in, ResNet); WhitePages (iPlanet) LDAP service for name/address/e-mail lookup from the web, UNIX command line and e-mail clients (transition to the overall LDAP directory Jan ’04); resource creation (mailbox, file space, UNIX shell, et al.).
– Planned or considered: LDAP directory for authorization, with schema top, person, organizationalPerson, inetOrgPerson, posixAccount, eduPerson, ubEduPerson, prospectUBPerson and later maybe gridPerson, sunyPerson, alumniPerson; PKI x.509 certificate services (authentication, transaction signing, public certificates); web-based user password change with native password synchronization; web-based distributed maintenance of repository objects and web-based selective user data change; I2 Shibboleth (authorization for SAML and web-based applications); I2 WebISO using cosign (authentication credential exchange for web-based applications); I2 web/federated authentication & SAML authorization used for single sign-on; I2 WAYF service; inter-institutional trust relationships; roles and entitlements processing fed from Oracle role tables, with web-based distributed maintenance for roles and entitlements, individual and group role and entitlement attributes delivered through the regular LDAP data feed, and I2 application role and entitlement support (roles & entitlements info on people, groups, systems).]

[Diagram: Proposed Authentication/Authorization Architecture at the University at Buffalo. Same meta-directory, feeds and key as the current-architecture diagram, with these changes: DCE is gone; the Kerberos services realm includes all faculty, staff & students (after 1996) and other affiliated persons, and Kerberos/LDAP carries people, groups, systems and attributes; the UNIX password file and the Windows directories (Windows login, MS SQL, Exchange, other Windows applications, public sites Windows workstations) are marked as legacy specific-technology directories; the application list adds UBFS space and library resources; the Radius server (VPN, dial-in, ResNet) is annotated “Or maybe not”; I2 Shibboleth and I2 WebISO (cosign) are dated Summer ’03 and I2 application role and entitlement support Fall/Winter ’03; the LDAP directory handles authorization, with roles and entitlements processing from the Oracle role tables.]


UB LDAP Schema

Object name           Attribute name                  Permissions    Example
Top                   objectClass (required)          Anon           top, posixAccount, person, organizationalPerson, inetOrgPerson, eduPerson, UBEduPerson
                      aci                             Admin
PosixAccount          uidNumber                       posixdat       1301
                      gidNumber                       posixdat       2390
                      homeDirectory                   posixdat       /home/staff/tks/mruser
                      loginShell                      posixdat       /bin/tcsh
                      gecos                           posixdat (*)   Mike R User
Person                cn (commonName) (required)      Anon (*)       Mike R User
                      sn (surname) (required)         Anon (*)       User
                      telephoneNumber                 Anon           123-4567
OrganizationalPerson  ou (organizationUnitName)       Anon (*)       Technical Services
                      physicalDeliveryOfficeName      Anon           123 Computing Center
                      title                           Anon           Unix Systems Analyst I
InetOrgPerson         departmentNumber                Anon (*)       0790
                      displayName                     Anon (*)       Mike R User
                      employeeNumber                  Admin
                      employeeType                    Anon           staff
                      givenName                       Anon (*)       Mike
                      labeledURI                      Admin
                      mail                            Admin
                      roomNumber                      Anon           123
                      uid (userID)                    Anon           Mruser
                      userCertificate                 Admin
                      userSMIMECertificate            Admin
eduPerson             eduPersonAffiliation            Anon (*)       staff, student
                      eduPersonOrgDN                  Anon (*)       dc=buffalo,dc=edu
                      eduPersonOrgUnitDN              Anon (*)       ou=People,dc=buffalo,dc=edu
                      eduPersonPrimaryAffiliation     Anon (*)
                      eduPersonPrincipalName          Anon           [email protected]
                      eduPersonEntitlement            Admin          urn:mace:incommon:entitlement:common:1
                      eduPersonPrimaryOrgUnitDN       Anon (*)       ou=People,dc=buffalo,dc=edu
UBEduPerson           UBEduPersonKswitch              Admin          1
                      UBEduPersonSunycard             Admin          1234567812345678
                      UBEduPersonPersonNumber         Admin          12345678
                      UBEduPersonEntityAbbr           Anon (*)       tks, cse
                      UBEduPersonPrimaryEntityAbbr    Anon (*)       tks
                      UBEduPersonInfoRelease          Admin          Y
                      UBEduPersonDegree               Admin          BS
                      UBEduPersonLibraryBarcode       Admin          21234123456781
                      UBEduPersonSENSHomedir          Admin          /home/sens/foo/mruser

(*) as marked in the source. The source ran each row's example values together; the splits shown for the PosixAccount and UBEduPerson numeric examples are inferred from field lengths, and the eduPersonPrimaryAffiliation example was lost to the e-mail redaction in the source.
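The schema table above and the roles-and-entitlements feed in the architecture diagrams are worth seeing together, since the permission column is what keeps Admin-only attributes (mail, employeeNumber, eduPersonEntitlement, the UBEduPerson card and person numbers) out of anonymous searches. The block below is an added example, not code from these slides or from UB: it transcribes the Anon / posixdat / Admin classes into Sun ONE / 389 Directory Server style ACIs, computes what an anonymous bind would get back from a person entry, flags attributes a feed wants to load that the table does not cover, and builds eduPersonEntitlement values from role-table rows as a regular LDAP data feed from the Oracle role tables might. The group DNs, the sample person, the role rows and the role-to-URN mapping (other than the InCommon URN on the slide) are assumptions made for the example.

```python
"""Added example (not the slides' or UB's code): UB LDAP schema permission classes
as directory ACIs, the anonymous view of an entry, and an entitlement feed."""

BASE_DN = "dc=buffalo,dc=edu"                                     # from the slides' example DNs
ADMIN_GROUP = f"cn=Directory Administrators,ou=Groups,{BASE_DN}"  # assumed group name
POSIXDAT_GROUP = f"cn=posixdat,ou=Groups,{BASE_DN}"               # assumed group name

# Attribute -> permission class, transcribed from the "UB LDAP Schema" table:
# Anon = readable by anonymous binds, posixdat = readable by the POSIX account
# feed, Admin = directory administrators only.
PERMISSIONS = {
    "objectClass": "Anon", "aci": "Admin",
    "uidNumber": "posixdat", "gidNumber": "posixdat", "homeDirectory": "posixdat",
    "loginShell": "posixdat", "gecos": "posixdat",
    "cn": "Anon", "sn": "Anon", "telephoneNumber": "Anon",
    "ou": "Anon", "physicalDeliveryOfficeName": "Anon", "title": "Anon",
    "departmentNumber": "Anon", "displayName": "Anon", "employeeNumber": "Admin",
    "employeeType": "Anon", "givenName": "Anon", "labeledURI": "Admin", "mail": "Admin",
    "roomNumber": "Anon", "uid": "Anon", "userCertificate": "Admin",
    "userSMIMECertificate": "Admin",
    "eduPersonAffiliation": "Anon", "eduPersonOrgDN": "Anon", "eduPersonOrgUnitDN": "Anon",
    "eduPersonPrimaryAffiliation": "Anon", "eduPersonPrincipalName": "Anon",
    "eduPersonEntitlement": "Admin", "eduPersonPrimaryOrgUnitDN": "Anon",
    "UBEduPersonKswitch": "Admin", "UBEduPersonSunycard": "Admin",
    "UBEduPersonPersonNumber": "Admin", "UBEduPersonEntityAbbr": "Anon",
    "UBEduPersonPrimaryEntityAbbr": "Anon", "UBEduPersonInfoRelease": "Admin",
    "UBEduPersonDegree": "Admin", "UBEduPersonLibraryBarcode": "Admin",
    "UBEduPersonSENSHomedir": "Admin",
}


def attrs_in_class(perm_class):
    """Attribute names in one permission class, sorted for stable ACI output."""
    return sorted(a for a, p in PERMISSIONS.items() if p == perm_class)


def build_acis():
    """One ACI per permission class, in Sun ONE / 389 DS ACI syntax: anonymous
    binds read the Anon class only, the feed group reads posixdat, the admin
    group gets everything. Attributes outside the table match no ACI and so
    stay denied by the server's default."""
    def aci(name, target, rights, bind_rule):
        return (f'(targetattr="{target}")(version 3.0; acl "{name}"; '
                f'allow ({rights}) {bind_rule};)')
    return [
        aci("anon read", " || ".join(attrs_in_class("Anon")),
            "read,search,compare", 'userdn="ldap:///anyone"'),
        aci("posixdat feed read", " || ".join(attrs_in_class("posixdat")),
            "read,search,compare", f'groupdn="ldap:///{POSIXDAT_GROUP}"'),
        aci("admin all", "*", "all", f'groupdn="ldap:///{ADMIN_GROUP}"'),
    ]


def anonymous_view(entry):
    """The attributes of an entry that an anonymous bind would be returned."""
    return {a: v for a, v in entry.items() if PERMISSIONS.get(a) == "Anon"}


def unknown_attributes(entry):
    """Attributes a feed wants to load that the permission table does not
    classify; flag them before loading instead of discovering the exposure later."""
    return sorted(a for a in entry if a not in PERMISSIONS)


def entitlements_for(uid, role_rows, role_urns):
    """eduPersonEntitlement values for one person from role-table rows,
    de-duplicated and sorted; roles with no URN mapping contribute nothing."""
    return sorted({role_urns[r["role"]] for r in role_rows
                   if r["uid"] == uid and r["role"] in role_urns})


def to_ldif(dn, entry):
    """Serialise an entry as LDIF, one line per attribute value."""
    lines = [f"dn: {dn}"]
    for attr, values in entry.items():
        for value in (values if isinstance(values, list) else [values]):
            lines.append(f"{attr}: {value}")
    return "\n".join(lines) + "\n"


# Constructed sample person following the "Mike R User" example on the slide;
# the numbers and the mail address are made up for this example.
SAMPLE_DN = f"uid=mruser,ou=People,{BASE_DN}"
SAMPLE_ENTRY = {
    "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson",
                    "posixAccount", "eduPerson", "UBEduPerson"],
    "uid": "mruser", "cn": "Mike R User", "sn": "User", "givenName": "Mike",
    "mail": "mruser@example.edu",
    "uidNumber": "1301", "gidNumber": "2390",
    "homeDirectory": "/home/staff/tks/mruser", "loginShell": "/bin/tcsh",
    "eduPersonAffiliation": ["staff", "student"], "eduPersonOrgDN": BASE_DN,
    "UBEduPersonPersonNumber": "12345678",
}
# Constructed stand-in for rows pulled from the Oracle role tables.
ROLE_ROWS = [
    {"uid": "mruser", "role": "library-patron"},
    {"uid": "mruser", "role": "staff"},
    {"uid": "mruser", "role": "library-patron"},   # duplicate row, de-duplicated below
    {"uid": "other", "role": "alumni"},             # role with no URN mapped
]
# Hypothetical role-to-entitlement mapping; only the InCommon URN is on the slide.
ROLE_URNS = {
    "library-patron": "urn:mace:incommon:entitlement:common:1",
    "staff": "urn:mace:buffalo.edu:entitlement:staff-services",   # assumed URN
}

if __name__ == "__main__":
    entry = dict(SAMPLE_ENTRY)
    entry["eduPersonEntitlement"] = entitlements_for("mruser", ROLE_ROWS, ROLE_URNS)
    print(to_ldif(SAMPLE_DN, entry))
    print("anonymous bind sees:", ", ".join(sorted(anonymous_view(entry))))
    print("unclassified attributes:", unknown_attributes(entry))
    print("\n".join(build_acis()))
```

Running it prints the LDIF for the sample entry, the attribute names an anonymous search would return (cn, uid, affiliation and the like, but not mail, uidNumber or the entitlements), an empty unclassified list, and the three ACIs. The useful property is that the ACIs are generated from the same table the entry is checked against, so adding a schema attribute without classifying it shows up in unknown_attributes() rather than silently falling under whatever default the server applies.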


SUNY Federation

– The four University Centers are considering Shibboleth on their campuses as part of the AuthN/AuthZ infrastructure
– Smaller schools may need various levels of help
– SUNY Central Administration or ITEC – potential outsourcer or consulting services
– NMI “compliant”, eduPerson schema the foundation, SUNYPerson?


SUNY System-Wide Strategy