IBM Directory Strategy Rick Mayo IBM Directory Brand Manager [email protected]

Upload: gavin-chapman

Post on 03-Jan-2016


IBM Directory Strategy

Rick Mayo, IBM Directory Brand Manager, [email protected]

Agenda

- Directory Services: Past, Present and Future
- Key Assumptions
- IBM Directory Strategy
- What About...
- Summary

Directories Past

Many different vendors have created their own directory services. They often targeted only a single area, e.g.:
- Notes Name & Address Book: support for Notes infrastructure
- DCE Cell Directory Service: applications

Users installed them. The result: Chaos!

Directory Installed Base

(Chart: percentage of surveyed companies with each type of directory installed. Directory types shown: E-mail, NT Domain, Netware NDS, Mainframe, Netware Binderies, Packaged Apps, Homegrown Apps, Database Apps, Unix, Other. Values reported on the chart: 78%, 82%, 42%, 26%, 34%, 38%, 42%, 46%, 52%, 66%.)

Interviews with 50 Fortune 1000 companies (multiple responses accepted)

Source: Forrester

Directories Today

The problem: every organization has too many directory services installed.

The solution: simplify; reduce the number of directory servers.

Directories in the Future

(Diagram: an Internet Progression and an Intranet Progression converging on Extranet (Convergence/Connection). Internet Progression labels: Customer Service, Broadcast Medium, Electronic Marketplace, External E-Mail & Browsing. Intranet Progression labels: Global Organization Integration, Work Group Collaboration, Information Management, Internal E-Mail & Data Posting.)

"The Internet/Intranet expansion will have a significant impact on our directories. We have 36,000 employees to manage in our directories, and now we'll be adding 8 million customers!" (Forrester)

The Lightweight Directory Access Protocol (LDAP) has arrived:
- It standardizes client access to a directory service
- It's derived from X.500's Directory Access Protocol (DAP), but:
  - It runs over TCP/IP
  - It's much simpler

LDAP Becomes The Standard Directory Access Method

(Chart: LDAP Client Growth Rate, LDAP clients in millions on a 0 to 100 scale, for 1997 through 2001.)

An Aside: The Role of the Standards

- The day of wholly proprietary directory services is over; standards have arrived
- The Internet is the most important source of standards today; the IETF has become very important
- IBM, Lotus and Tivoli are actively involved with the IETF and DMTF to drive and enhance: PKIX, DEN, Access Control, Replication, Common Schema

Common Schema

- The schema defines the kinds of information that can be stored in the directory
- It's defined as:
  - Object classes, for example: Person
  - Attributes, for example: common name, telephone number, password, ...
- A common schema is being developed by IBM in concert with the CIM initiative at the DMTF
  - Enables applications to share the same objects
  - Provides a common/consistent store

- There is a well-described link between solving business challenges with Information Technology
- It is not sufficient to solve heterogeneous business problems with homogeneous information technology: multiple platforms, multiple operating systems, multiple applications, multiple directories...

A Single Directory Won't Win

Big Picture Requirements

(Diagram labels: Enterprise Directory/Certificate store; Directory synchronization and management; Single sign-on; Directory enabled apps.; Customers and employees; Access controls; Certificates; Products and services; Common Administration.)

Directory Requirements

- Will it scale to meet my needs?
- Does it provide high levels of reliability?
- How much does it cost?
- What applications use it?
- Can you provide worldwide support?
- Can I get help implementing it?

Directory Support for e-business

(Diagram: layers Physical Networks, Communication Protocols (SNA, IPX, NetBios, Vines, TCP/IP), Clients and Servers, and Data and Applications (IBM, DB2, Oracle, Informix, Sybase, Ingres, Billing, PeopleSoft, Lotus Notes, Ordering, SAP).)

- eNetwork LDAP directory across our operating systems and bundled with solutions
- LDAP exploitation by: Applications, Security, Networking
- ISV and OEM support
- Robust management and administrative capabilities

IBM eNetwork LDAP Directory

Features:
- Proven relational database store
- Client, Server and Java client
- SSL V3 encryption and authentication
- Replication
- Access Control
- HTTP Gateway
- Web-based administration

- Directory will be bundled with operating systems or solutions
- Available today for: AIX, OS/390, OS/400
- Web download for: NT, Solaris
- Wide range of platform support
- Scale to millions of entries

Why DB2 as a Data Store for IBM eNetwork Directory?

- Highly scaleable data store
- Atomic transactions
- On-line backup and restore facility
- Alternative replication support
- Fast database loading facility
- Powerful query engine

IBM eNetwork LDAP Directory

- Authentication options: none; clear text passwords; passwords encrypted using SSL; server certificates / SSL
- Access Control: per object and attribute
- Replication: LDAP, or use DB2 replication
- API support: LDAP C/C++, JNDI
- Additional features: bulk load via LDIF; supports LDAP referrals
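
The common-schema slide and the "bulk load via LDIF" feature fit together: before a bulk load, each LDIF entry can be checked against the schema. The following is an added example, not code from the IBM deck or product; the mini-schema with a single person object class, the sample entries and the check_ldif helper are constructed for illustration.

```python
import base64

# Constructed mini-schema (an assumption, not IBM's common schema): object class -> (required, optional)
SCHEMA = {"person": ({"cn", "sn"}, {"telephonenumber", "userpassword", "description"})}

def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts; handles 'attr:: base64'."""
    entries = []
    for block in text.strip().split("\n\n"):        # a blank line separates entries
        entry = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            if value.startswith(":"):               # base64 is an encoding, not protection:
                value = base64.b64decode(value[1:].strip()).decode()  # password is readable here
            entry.setdefault(name.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def validate(entry):
    """Return the schema violations for one parsed entry (empty list = loadable)."""
    problems = [] if "dn" in entry else ["missing dn"]
    known = [c.lower() for c in entry.get("objectclass", []) if c.lower() in SCHEMA]
    if not known:
        problems.append("no known objectClass")
    required, allowed = set(), {"dn", "objectclass"}
    for cls in known:
        required |= SCHEMA[cls][0]
        allowed |= SCHEMA[cls][0] | SCHEMA[cls][1]
    present = set(entry)
    problems += [f"missing required attribute {a}" for a in sorted(required - present)]
    problems += [f"attribute {a} not allowed by schema" for a in sorted(present - allowed)]
    return problems

# Constructed sample input: one valid person entry, one that violates the schema.
SAMPLE_LDIF = """\
dn: cn=Alice Example,ou=people,o=example
objectClass: person
cn: Alice Example
sn: Example
telephoneNumber: +1 555 0100
userPassword:: c2VjcmV0

dn: cn=Bob Broken,ou=people,o=example
objectClass: person
cn: Bob Broken
employeeID: 42
"""

def check_ldif(text):
    return [(e.get("dn", ["?"])[0], validate(e)) for e in parse_ldif(text)]  # dn -> violations
```

The userPassword value is base64 in LDIF, which is encoding rather than protection, so an LDIF file carrying passwords needs the same care as the directory's clear-text password option.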

Single Client / Multiple Server

(Diagram: one LDAP client, one LDAP server, databases DB1, DB2, DB3.)

- Every database resides on one network node
- LDAP server can connect to a number of networked databases for directory information
- LDAP server stores all information without knowing in which database the data is actually stored
- LDAP server is freed from managing physical storage

Multiple Clients / Multiple Servers

(Diagram: LDAP clients, a Network Dispatcher, several DB/2 client + LDAP server nodes, and DB/2 servers.)

- Database clients can connect to any database server for directory information
- The collection of database servers forms a single image
- More than one LDAP server can access the directory information
- Network dispatcher deployed to route requests among the LDAP servers

Multiple Clients / Parallel Super Server

(Diagram: LDAP clients, a Network Dispatcher, DB/2 client + LDAP server nodes, and a DB/2 server.)

- Solution to store huge amounts of information in a single database (tera-bytes)
- DB2 PE automatically partitions the database across different machines (instead of partitioning the database at the application level)
- DB2 PE divides queries into smaller independent tasks that execute concurrently
- Accommodates growth through appropriately sized resources

Directories and Security (1)

- There's a strong natural synergy between the two
- Both store and access information of various kinds (some of it the same)
- Both can benefit from replication of that information
- Examples: information about user accounts; certificates

Directories and Security (2)

- The rise of LDAP parallels the rise of distributed security standards
  - Example: Secure Sockets Layer (SSL)
  - Example: X.509 certificates
- It's not possible to have a solid directory strategy without also having an integrated security strategy

eNetwork LDAP Directory: Directory Exploiters Roadmap

Platforms: AIX 3/98; OS/390 3/98; OS/400 9/98; NT 12/98; Solaris 12/98

Exploiters (Web App. Dev., Networking, Security, Suites, Management):
- Websphere 12/98: stores users, groups, passwords and application configuration
- Tivoli Directory Mgt. 9/98
- Tivoli User Administration support for LDAP
- NT Suites beta 1/99: UDB, Comm. Svr., CICS, Websphere, Suites SSO
- Vault Registry 1Q99: certificate storage
- Communication Server NT 7/98
- Communication Server 390 3/99

eNetwork LDAP Partners

Partners: Dascom, Persistent Systems, Allot Communications, Security Dynamics, Netegrity, enCommerce Inc., Triangulum Software

Solution areas: intranet security solution; security products; network tools and mgmt. apps.; web access management; access control for the web; LDAP and RDBMS integration; DCE CDS to LDAP

VPN Policy Direction

- Map "Policy" into GUI into VPN Schema
- Pre-defined profiles for typical configurations: Branch Office Interconnect, Supplier Networks, Remote Access
- Centralized definition for all IPSec boxes in a given VPN: consistency checking, company-wide definition
- Database management: individual boxes "pull in" their own configuration data
- LDAP flows with IPSec config data
- Company security policy: profiles, natural language descriptions, VPN topology, ...

Example VPN Policy (eNetwork LDAP Directory, GUI/Schema Mapping)

Sample Configuration:
1. GW1 and GW2 must encrypt and authenticate traffic from all hosts, except from H2 and H3, that flows between GW1 and GW2, using DES and HMAC-MD5. Keys must be refreshed at least once every 20 minutes.
2. Traffic from H1 to H2 must be encrypted and authenticated end-to-end using 3DES and HMAC-SHA1. Keys must be refreshed at least once every 10 minutes with PFS.
3. Traffic between H2 and H3 must be authenticated by GW2 and GW1. Keys must be refreshed with PFS once every 60 minutes.

(Diagram: hosts H1, H2, H3 and gateways GW1, GW2, GW3 connected over the INTERNET.)

Directory Management

Tivoli User Administration:
- Single-action Management
- Cross Platform management for: Domino, NT, Unix and Netware; OS/390 Security Server; LDAP directories (eNetwork LDAP Directory, Security, Suites, Networking...)

Meta-directory

(Diagram: a meta-directory connected to Notes, RACF, NW 3.x, HR DB, NT, Ntscp, NDS, Exchg, ...)

Meta-directory - Direction

- Provides single logical namespace
- Imports content & changes from connected directories
- Exports content & changes to connected directories
- Propagates content & changes from connected directories to other connected directories

Directory Requirements

- Will it scale to meet my needs? DB2 and eNetwork Dispatcher
- Does it provide high levels of reliability? Proven DB2 reliability
- How much does it cost? Directory provided at no charge
- What applications use it? Growing IBM and ISV support
- Can you provide worldwide support? Backed by IBM software support structure
- Can I get help implementing it? Supported by IBM Global Services

What About...

DCE, X.500, Domino, NT

IBM DCE Evolution

(Diagram labels: DCE Integrated Client/Server Environment: Directory, Security, Time, RPC; Directory and Security Server: Ease of Use, IBM Software Servers; Network Computing Services: Internet, Java, Network Computing Applications, eNetwork, Integrated Infrastructure.)

IBM eNetwork X.500 Directory

- Based on IBM relationship with Telstra
- Proven scale into the millions of entries
- High availability through 1993 X.500 support
- Network computing accessibility through support for LDAP
- Shipping on AIX

(Diagram: users reach The Directory through DUAs over DAP or LDAP; the DSAs are linked to each other by DSP and DISP.)

Domino's Directory Assistance

(Diagram: Notes Clients, Public Address Books, Master Address Book, Novell NDS and Internet Directories, joined by LDAP and LDAP/X.500 links.)

- Access to both Domino Public Address Books and LDAP directory servers
- Provides a server proxy for any non-LDAP Notes client, i.e., R3 or R4
- Domino R5 will support LDAP V3

eNetwork and NT Direction

- IBM will directory enable our products based on LDAP as defined in our e-business application framework model
- eNetwork and Microsoft NT Active Directory interoperability
  - Client to server interoperation: IBM clients to Active Directory; Microsoft clients to eNetwork LDAP Directory
  - Server to server interoperation: Referrals
    - eNetwork LDAP Directory will accept referrals from MS Active Directory
    - eNetwork LDAP Directory will also send referrals to MS Active Directory if it implements the LDAP referral mechanism
  - Schema and Namespace
    - IBM is developing a common schema for its products
    - IBM is actively working to support industry standards through the DMTF and IETF
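
To make the server-to-server referral mechanism concrete, here is an added example, not IBM or Microsoft code: two constructed in-memory servers (enetwork.example.com and ad.example.com are assumed names) each own one naming context and refer the other's suffix, and a client chases referrals only to trusted hosts and only for a bounded number of hops.

```python
from urllib.parse import urlparse

# Constructed directory topology (an assumption, not either product's behaviour): each
# server owns one naming context and refers other suffixes elsewhere. The "ou=legacy"
# suffix is deliberately misconfigured so that the two servers refer to each other.
SERVERS = {
    "ldap://enetwork.example.com": {
        "suffix": "o=example",
        "entries": {"cn=alice,o=example": {"cn": "alice"}},
        "refer": {"dc=corp,dc=example": "ldap://ad.example.com",
                  "ou=legacy": "ldap://ad.example.com"},
    },
    "ldap://ad.example.com": {
        "suffix": "dc=corp,dc=example",
        "entries": {"cn=bob,dc=corp,dc=example": {"cn": "bob"}},
        "refer": {"o=example": "ldap://enetwork.example.com",
                  "ou=legacy": "ldap://enetwork.example.com"},
    },
}

def under(dn, suffix):
    return dn == suffix or dn.endswith("," + suffix)

def server_search(url, dn):
    """One server's answer for a base-object lookup of dn:
    ('entry', attributes), ('referral', url) or ('noSuchObject', None)."""
    srv = SERVERS[url]
    if under(dn, srv["suffix"]):                      # held locally: answer directly
        attrs = srv["entries"].get(dn)
        return ("entry", attrs) if attrs else ("noSuchObject", None)
    for suffix, target in srv["refer"].items():       # outside this server's context
        if under(dn, suffix):
            return ("referral", target)
    return ("noSuchObject", None)

def client_search(start_url, dn, trusted_hosts, max_hops=3):
    """Chase referrals as a client does, but only to trusted hosts and at most max_hops
    times, so a misconfigured referral loop cannot run forever and a referral cannot
    redirect the client (and its bind credentials) to an unknown host.
    Returns (result_kind, payload, hops_taken)."""
    url, hops = start_url, 0
    while True:
        kind, payload = server_search(url, dn)
        if kind != "referral":
            return kind, payload, hops
        if hops >= max_hops:
            return "referralLimit", payload, hops
        if urlparse(payload).hostname not in trusted_hosts:
            return "untrustedReferral", payload, hops
        url, hops = payload, hops + 1
```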

IBM vs. Microsoft

(Diagram comparing the two stacks.)

Microsoft: SMS; Applications - MS, etc.; Middleware - MS, etc.; Network - Cisco; NT 5.0; Active Directory; Key Based Security; Wolfpack

IBM: Tivoli; Applications - Java based; Middleware - IBM, Lotus, 3rd party; Network - IBM; LDAP Directory; Key Based Security; Atlas; Cross platform

Summary

IBM is committed to:
- Delivering mission critical, high performance, scaleable LDAP directories across the leading industry platforms as infrastructure components
- Directory enabling our middleware and applications to reduce the cost of administration
- Integrated directory and security offerings to enable e-business
- Working with standards bodies to advance LDAP and deliver industry standard schemas
- Providing management tools for seamless administration

For More Information

- Directory Product Announcement Information
- Directory Strategy
- Directory Products Brochure
- Security and Directory Industry Solution Guides
- Security and Directory Evaluation Kit
- Directory Reference Materials: Redbooks, Whitepapers (including the scaling guide), Programming Reference, Administration Guide, Installation/Configuration Guide

www.software.ibm.com/enetwork/directory