
b38fca649524aa88cd10055a85cddec2.ppt
- Number of slides: 36
IBM Directory Strategy
Rick Mayo, IBM Directory Brand Manager
mayor@us.ibm.com
Agenda
- Directory Services: Past, Present and Future
- Key Assumptions
- IBM Directory Strategy
- What About...
- Summary
Directories Past
- Many different vendors have created their own directory services
  - They often targeted only a single area, e.g.:
    - Notes Name & Address Book: support for Notes infrastructure
    - DCE Cell Directory Service: applications
- Users installed them
- The result: Chaos!
Directory Installed Base
(Interviews with 50 Fortune 1000 companies, multiple responses accepted. Source: Forrester)
- E-mail: 82%
- NT Domain: 78%
- Netware NDS: 66%
- Mainframe: 52%
- Netware Binderies: 46%
- Packaged Apps: 42%
- Homegrown Apps: 38%
- Database Apps: 34%
- Unix: 26%
- Other: 42%
Directories Today
- The problem: every organization has too many directory services installed
- The solution:
  - Simplify
  - Reduce the number of directory servers
Directories in the Future
(Diagram: an Intranet progression and an Internet progression converging on the Extranet)
- Intranet progression: Internal E-Mail & Data Posting, Information Management, Work Group Collaboration, Global Organization Integration
- Internet progression: External E-Mail & Browsing, Broadcast Medium, Customer Service, Electronic Marketplace
- Extranet (Convergence/Connection)
"The Internet/Intranet expansion will have a significant impact on our directories. We have 36,000 employees to manage in our directories, and now we'll be adding 8 million customers!" (Forrester)
LDAP Becomes the Standard Directory Access Method
- The Lightweight Directory Access Protocol (LDAP) has arrived
  - It standardizes client access to a directory service
- It's derived from X.500's Directory Access Protocol (DAP), but:
  - It runs over TCP/IP
  - It's much simpler
An Aside: The Role of the Standards
- The day of wholly proprietary directory services is over
  - Standards have arrived
- The Internet is the most important source of standards today
  - The IETF has become very important
- IBM, Lotus and Tivoli are actively involved with the IETF and DMTF to drive and enhance:
  - PKIX
  - DEN
  - Access Control
  - Replication
  - Common Schema
Common Schema
- The schema defines the kinds of information that can be stored in the directory
  - It's defined as:
    - Object classes, for example: Person
    - Attributes, for example: common name, telephone number, password, ...
- A common schema is being developed by IBM in concert with the CIM initiative at the DMTF
  - Enables applications to share the same objects
  - Provides a common/consistent store
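The object-class/attribute model described on this slide is what a directory enforces when entries are loaded. The following is an added example, not code from the deck or from IBM: a small LDIF parser plus a validator that checks each entry's attributes against the MUST/MAY lists of its object classes. The schema definitions, DNs and LDIF text are constructed for the illustration and are not IBM's common schema; the third entry is deliberately malformed so the validator has something to report.

```python
"""Validate LDIF entries against a small LDAP schema (added example)."""
from typing import Dict, List, Set, Tuple

# Constructed schema: object class -> (MUST attributes, MAY attributes).
# Attribute type names are lower-cased because LDAP matches them case-insensitively.
SCHEMA: Dict[str, Tuple[Set[str], Set[str]]] = {
    "top": ({"objectclass"}, set()),
    "person": ({"cn", "sn"}, {"telephonenumber", "userpassword", "description"}),
    "organizationalunit": ({"ou"}, {"description"}),
}

# Constructed LDIF, as a bulk-load file would contain it. The third entry
# lacks the required sn and carries an attribute no object class allows.
SAMPLE_LDIF = """\
dn: ou=People,o=Example
objectClass: top
objectClass: organizationalUnit
ou: People

dn: cn=Jane Doe,ou=People,o=Example
objectClass: top
objectClass: person
cn: Jane Doe
sn: Doe
telephoneNumber: +1 555 0100
userPassword: {SSHA}placeholder-not-a-real-hash

dn: cn=No Surname,ou=People,o=Example
objectClass: top
objectClass: person
cn: No Surname
mail: nobody@example.invalid
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse blank-line-separated LDIF entries into attribute maps.

    Folded continuation lines (leading space) are rejoined; attribute names
    are lower-cased, values keep their case. Base64 (::) values are not decoded.
    """
    entries: List[Dict[str, List[str]]] = []
    for block in text.strip().split("\n\n"):
        lines: List[str] = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:      # continuation of previous line
                lines[-1] += raw[1:]
            elif raw and not raw.startswith("#"):  # skip blanks and comments
                lines.append(raw)
        entry: Dict[str, List[str]] = {}
        for line in lines:
            name, _, value = line.partition(":")
            entry.setdefault(name.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries


def validate_entry(entry: Dict[str, List[str]]) -> List[str]:
    """Return the sorted list of schema violations for one entry (empty = valid)."""
    problems: List[str] = []
    must: Set[str] = set()
    may: Set[str] = set()
    for cls in (c.lower() for c in entry.get("objectclass", [])):
        if cls not in SCHEMA:
            problems.append(f"unknown objectClass {cls}")
            continue
        cls_must, cls_may = SCHEMA[cls]
        must |= cls_must
        may |= cls_may
    for attr in must:
        if attr not in entry:
            problems.append(f"missing required attribute {attr}")
    allowed = must | may | {"dn"}
    for attr in entry:
        if attr not in allowed:
            problems.append(f"attribute {attr} not allowed by objectClasses")
    return sorted(problems)


def validate_ldif(text: str) -> Dict[str, List[str]]:
    """Map each entry's DN to its list of violations."""
    return {e["dn"][0]: validate_entry(e) for e in parse_ldif(text)}


if __name__ == "__main__":
    for dn, problems in validate_ldif(SAMPLE_LDIF).items():
        print(dn, "->", "OK" if not problems else problems)
```

Rejecting the third entry before it reaches the data store is the point: an attribute the schema does not know about is either a typo in the feed or an application writing data the directory was never meant to hold, and a bulk load is the cheapest place to catch both.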
A Single Directory Won't Win
- There is a well-described link between solving business challenges with Information Technology
  - It is not sufficient to solve heterogeneous business problems with homogeneous information technology
    - multiple platforms
    - multiple operating systems
    - multiple applications
    => multiple directories...
Big Picture Requirements
(Diagram: Enterprise Directory/Certificate store at the centre, linked to Common Administration and Single sign-on)
- Directory enabled apps.
- Directory synchronization and management
- Customers and employees
- Access controls
- Certificates
- Products and services
Directory Requirements
- Will it scale to meet my needs?
- Does it provide high levels of reliability?
- How much does it cost?
- What applications use it?
- Can you provide worldwide support?
- Can I get help implementing it?
Directory Support for e-business
(Diagram: Data and Applications (DB2, Oracle, Informix, Sybase, Ingres; Billing, Ordering, PeopleSoft, SAP); IBM Clients and Servers; Communication Protocols (SNA, IPX, Vines, TCP/IP, NetBIOS) and Physical Networks)
- eNetwork LDAP directory across our operating systems and bundled with solutions
- LDAP exploitation by:
  - Lotus Notes
  - Applications
  - Security
  - Networking
- ISV and OEM support
- Robust management and administrative capabilities
IBM eNetwork LDAP Directory
(Diagram: IBM Clients and Servers; Wide Range of Platform Support; Scale to millions of entries)
- Directory will be bundled with operating systems or solutions
- Available today for: AIX, OS/390, OS/400
- Web download for: NT, Solaris
- Features:
  - Proven relational database store
  - Client, Server and Java client
  - SSL V3 encryption and authentication
  - Replication
  - Access Control
  - HTTP Gateway
  - Web-based administration
Why DB2 as a Data Store for IBM eNetwork Directory?
- Highly scalable data store
- Atomic transactions
- On-line backup and restore facility
- Alternative replication support
- Fast database loading facility
- Powerful query engine
IBM eNetwork LDAP Directory
- Authentication options
  - none
  - clear text passwords
  - encrypted using SSL - server certificates / SSL
- Access Control
  - Per object and attribute
- Replication
  - LDAP or use DB2 replication
- API support
  - LDAP C/C++, JNDI
- Additional features:
  - Bulk load via LDIF
  - Supports LDAP Referrals
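"Per object and attribute" access control is the feature that lets the same entry serve anonymous lookups of a telephone number while keeping the password attribute out of reach. The following is an added example, not IBM's ACL model or syntax: a default-deny evaluator over constructed rules, showing that userPassword can be made comparable (which is what a bind needs) and writable by its owner without ever being readable, while cn and telephoneNumber stay readable by anyone. The DNs, the subject keywords and the rule layout are assumptions made for the illustration.

```python
"""Per-object, per-attribute access control for directory entries (added example)."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional


@dataclass(frozen=True)
class Acl:
    target: str              # DN whose subtree the rule covers
    attrs: FrozenSet[str]    # attribute types covered, or {"*"} for all
    subject: str             # "anyone", "authenticated", "self", or a bind DN
    rights: FrozenSet[str]   # subset of {"read", "compare", "write"}


def in_subtree(dn: str, base: str) -> bool:
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def subject_matches(acl: Acl, bind_dn: Optional[str], entry_dn: str) -> bool:
    """bind_dn is None for an anonymous (no authentication) client."""
    if acl.subject == "anyone":
        return True
    if bind_dn is None:
        return False
    if acl.subject == "authenticated":
        return True
    if acl.subject == "self":
        return bind_dn.lower() == entry_dn.lower()
    return bind_dn.lower() == acl.subject.lower()


def permitted(acls: Iterable[Acl], bind_dn: Optional[str], entry_dn: str,
              attr: str, right: str) -> bool:
    """Default deny: grant only when some rule covers entry, attribute, subject and right."""
    attr = attr.lower()
    for acl in acls:
        if not in_subtree(entry_dn, acl.target):
            continue
        if "*" not in acl.attrs and attr not in {a.lower() for a in acl.attrs}:
            continue
        if not subject_matches(acl, bind_dn, entry_dn):
            continue
        if right in acl.rights:
            return True
    return False


# Constructed DNs for the illustration.
PEOPLE = "ou=People,o=Example"
JANE = "cn=Jane Doe," + PEOPLE
ADMIN = "cn=Directory Manager,o=Example"

# Constructed policy for the People subtree. userPassword is never readable:
# the owner may only compare (what a bind needs) or replace it, so a stored
# hash cannot be retrieved through a search.
ACLS = [
    Acl(PEOPLE, frozenset({"cn", "sn", "telephoneNumber"}), "anyone", frozenset({"read"})),
    Acl(PEOPLE, frozenset({"telephoneNumber"}), "self", frozenset({"write"})),
    Acl(PEOPLE, frozenset({"userPassword"}), "self", frozenset({"compare", "write"})),
    Acl("o=Example", frozenset({"*"}), ADMIN, frozenset({"read", "compare", "write"})),
]

if __name__ == "__main__":
    for who, label in ((None, "anonymous"), (JANE, "Jane herself"), (ADMIN, "admin")):
        for attr in ("cn", "userPassword"):
            print(f"{label:12} read {attr:13}: {permitted(ACLS, who, JANE, attr, 'read')}")
```

The evaluator grants nothing unless a rule explicitly covers the entry, the attribute, the bound identity and the requested right; that is the property to verify when reviewing a real directory's ACL configuration, since a single rule with a wildcard attribute list and a broad subject undoes the per-attribute protection.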
Single Client / Multiple Server
(Diagram: one LDAP Client, one LDAP Server, databases DB1, DB2 and DB3)
- Every database resides on one network node
- LDAP server can connect to a number of networked databases for directory information
- LDAP server stores all information without knowing in which database the data is actually stored
- LDAP server is freed from managing physical storage
Multiple Clients / Multiple Servers
(Diagram: LDAP Clients, Network Dispatcher, DB/2 Client + LDAP Server nodes, DB/2 Servers)
- Database clients can connect to any database server for directory information
- The collection of database servers forms a single image
- More than one LDAP server can access the directory information
- Network dispatcher deployed to route requests among the LDAP servers
Multiple Clients / Parallel Super Server
(Diagram: LDAP Clients, Network Dispatcher, DB/2 Client + LDAP Server, DB/2 Server)
- Solution to store huge amounts of information in a single database (terabytes)
- DB2 PE automatically partitions the database across different machines (instead of partitioning the database at the application level)
- DB2 PE divides queries into smaller independent tasks that execute concurrently
- Accommodates growth through appropriately sized resources
Directories and Security (1)
- There's a strong natural synergy between the two
  - Both store and access information of various kinds (some of it the same)
  - Both can benefit from replication of that information
- Examples:
  - Information about user accounts
  - Certificates
Directories and Security (2)
- The rise of LDAP parallels the rise of distributed security standards
  - Example: Secure Sockets Layer (SSL)
  - Example: X.509 certificates
- It's not possible to have a solid directory strategy without also having an integrated security strategy
Directory Exploiters Roadmap
(Diagram: eNetwork LDAP Directory at the centre, surrounded by Suites (UDB, Comm. Svr., CICS, Websphere), Management, Security, Networking and Web App. Dev.)
- Management
  - Tivoli Directory Mgt. 9/98
  - Tivoli User Administration support for LDAP
- Security
  - Security NT Suites beta 1/99
  - SSO
  - Vault Registry 1Q99
  - Certificate storage
- Networking
  - Communication Server NT 7/98
  - Communication Server 390 3/99
- Web App. Dev.
  - Websphere 12/98
  - Stores users, groups, passwords and application configuration
- Platforms: AIX 3/98, OS/390 3/98, OS/400 9/98, NT 12/98, Solaris 12/98
eNetwork LDAP Partners
(Diagram: partners around the eNetwork LDAP Directory)
- Security Dynamics: security products
- Dascom: intranet security solution
- enCommerce Inc.: web access management
- Netegrity: access control for the web
- Allot Communications: network tools and mgmt. apps.
- Triangulum Software: DCE CDS to LDAP
- Persistent Systems: LDAP and RDBMS integration
VPN Policy Direction
(Diagram: company security policy (profiles, natural language descriptions, VPN topology, ...) mapped through a GUI/Schema Mapping into the eNetwork LDAP Directory; LDAP flows carry IPSec config data to the boxes)
- Map "Policy" into GUI into VPN Schema
- Pre-defined profiles for typical configurations:
  - Branch Office Interconnect
  - Supplier Networks
  - Remote Access
- Centralized definition for all IPSec boxes in a given VPN
  - consistency checking
  - company-wide definition
- Database management:
  - individual boxes "pull in" their own configuration data
Sample Configuration
(Diagram: hosts H1, H2, H3 and gateways GW1, GW2, GW3 connected across the INTERNET)
Example VPN Policy
1. GW1 and GW2 must encrypt and authenticate traffic from all hosts, except from H2 and H3, that flows between GW1 and GW2, using DES and HMAC-MD5. Keys must be refreshed at least once every 20 minutes.
2. Traffic from H1 to H2 must be encrypted and authenticated end-to-end using 3DES and HMAC-SHA1. Keys must be refreshed at least once every 10 minutes with PFS.
3. Traffic between H2 and H3 must be authenticated by GW2 and GW1. Keys must be refreshed with PFS once every 60 minutes.
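The previous slide lists "consistency checking" as a benefit of defining the policy centrally; the three rules above are a good case to run such a check on. The following is an added example, not IBM's schema or tooling: the three rules encoded as predicates over a flow, a function that reports which protections apply to a flow, and a check that enumerates every inter-site flow and reports those no rule covers. The slide does not say which host sits behind which gateway, so the placement (H1 and H3 behind GW1, H2 behind GW2) and the reading of "except from H2 and H3" as a source-host exception are assumptions; under those assumptions the return traffic H2 -> H1 turns out to have no rule at all, which is exactly the kind of gap a consistency check exists to surface.

```python
"""Evaluate a centrally defined IPsec VPN policy against traffic flows (added example)."""
from dataclasses import dataclass
from itertools import permutations
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str


@dataclass(frozen=True)
class Rule:
    name: str
    applies: Callable[[Flow], bool]
    enforced_at: str            # "GW1-GW2" (gateway tunnel) or "end-to-end"
    encryption: Optional[str]   # None means authenticate only
    integrity: Optional[str]    # None means the slide names no algorithm
    lifetime_min: int           # key refresh interval in minutes
    pfs: bool


# Assumed placement (not stated on the slide): H1 and H3 behind GW1, H2 behind GW2.
SITE_GATEWAY = {"H1": "GW1", "H3": "GW1", "H2": "GW2"}
HOSTS = sorted(SITE_GATEWAY)


def crosses_tunnel(f: Flow) -> bool:
    """True when a flow leaves one site for the other, i.e. passes GW1 and GW2."""
    return SITE_GATEWAY[f.src] != SITE_GATEWAY[f.dst]


RULES = [
    # 1. Gateways protect all inter-gateway traffic except traffic *from* H2 and H3
    #    (the exception is read as source-based here; that is an assumption).
    Rule("rule1", lambda f: crosses_tunnel(f) and f.src not in {"H2", "H3"},
         "GW1-GW2", "DES", "HMAC-MD5", 20, False),
    # 2. H1 -> H2 is protected end-to-end between the hosts themselves.
    Rule("rule2", lambda f: (f.src, f.dst) == ("H1", "H2"),
         "end-to-end", "3DES", "HMAC-SHA1", 10, True),
    # 3. H2 <-> H3 is authenticated (not encrypted) by the gateways.
    Rule("rule3", lambda f: {f.src, f.dst} == {"H2", "H3"},
         "GW1-GW2", None, None, 60, True),
]


def applicable(f: Flow) -> List[Rule]:
    """All rules whose selector matches the flow, in policy order."""
    return [r for r in RULES if r.applies(f)]


def describe(f: Flow) -> List[str]:
    """Human-readable protection requirements for a flow, one line per rule."""
    lines = []
    for r in applicable(f):
        prot = f"encrypt with {r.encryption}" if r.encryption else "authenticate only"
        if r.integrity:
            prot += f", integrity {r.integrity}"
        lines.append(f"{r.name} at {r.enforced_at}: {prot}, rekey every {r.lifetime_min} min"
                     + (", PFS" if r.pfs else ""))
    return lines


def uncovered_intersite_flows() -> List[Flow]:
    """Consistency check: inter-site flows about which the policy says nothing."""
    return [Flow(s, d) for s, d in permutations(HOSTS, 2)
            if crosses_tunnel(Flow(s, d)) and not applicable(Flow(s, d))]


if __name__ == "__main__":
    for s, d in permutations(HOSTS, 2):
        print(f"{s} -> {d}:", describe(Flow(s, d)) or "(no rule)")
    print("uncovered inter-site flows:", uncovered_intersite_flows())
```

Encoding the rules this way also makes the layering visible: H1 -> H2 is covered twice, end-to-end by rule 2 and again inside the gateway tunnel by rule 1, which is consistent but worth knowing when sizing the gateways.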
Directory Management
(Diagram: IBM Clients and Servers)
- Tivoli User Administration
  - Single-action Management
  - Cross Platform management for:
    - Domino, NT, Unix and Netware
    - OS/390 Security Server
    - LDAP directories
Meta-directory - Direction
(Diagram: Meta-directory connected to RACF, NW 3.x, NDS, HR DB, Exchg, Notes, Ntscp, Suites, Security, NT, Networking, ... and to the eNetwork LDAP Directory)
- Provides single logical namespace
- Imports content & changes from connected directories
- Exports content & changes to connected directories
- Propagates content & changes from connected directories to other connected directories
Directory Requirements
- Will it scale to meet my needs?
  - DB2 and eNetwork Dispatcher
- Does it provide high levels of reliability?
  - Proven DB2 reliability
- How much does it cost?
  - Directory provided at no charge
- What applications use it?
  - Growing IBM and ISV support
- Can you provide worldwide support?
  - Backed by IBM software support structure
- Can I get help implementing it?
  - Supported by IBM Global Services
What About...
- DCE
- X.500
- Domino
- NT
IBM DCE Evolution
(Diagram: evolution from DCE through the Directory and Security Server to eNetwork Computing Services, driven by Internet, Java and Network Computing Applications)
- DCE
  - Integrated Client/Server Environment
  - Directory, Security, Time, RPC
- Directory and Security Server
  - Ease of Use
  - IBM Software Servers
- eNetwork Computing Services
  - Integrated Infrastructure
IBM eNetwork X.500 Directory
- Based on IBM relationship with Telstra
- Proven scale into the millions of entries
- High availability through 1993 X.500 support
- Network computing accessibility through support for LDAP
- Shipping on AIX
(Diagram: User -> DUA -> DSA over DAP or LDAP; the DSAs make up The Directory and interconnect via DSP and DISP)
Domino's Directory Assistance
(Diagram: Notes Clients reaching the Public Address Book, the Master Address Book, Novell NDS and Internet Directories via LDAP/X.500)
- Access to both Domino Public Address Books and LDAP directory servers
- Provides a server proxy for any non-LDAP Notes client, i.e., R3 or R4
- Domino R5 will support LDAP V3
eNetwork and NT Direction
- IBM will directory enable our products based on LDAP as defined in our e-business application framework model
- eNetwork and Microsoft NT Active Directory interoperability
  - Client to server interoperation
    - IBM clients to Active Directory
    - Microsoft clients to eNetwork LDAP Directory
  - Server to server interoperation
    - Referrals
      - eNetwork LDAP Directory will accept referrals from MS Active Directory
      - eNetwork LDAP Directory will also send referrals to MS Active Directory if it implements the LDAP referral mechanism
  - Schema and Namespace
    - IBM is developing a common schema for its products
    - IBM is actively working to support industry standards through the DMTF and IETF
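The server-to-server referral exchange described above, as an added example that is not part of the original deck or IBM's code: two simulated servers, each holding one naming context and referring requests for the other's context across, plus a client that follows referrals. The server URLs, suffixes, entries and the stale o=Legacy referral (which both sides point at each other) are constructed. The client keeps the list of servers it has visited and stops when a referral points back into that list, because a pair of servers with mutually stale referrals would otherwise bounce the request indefinitely; a hop limit covers longer chains.

```python
"""Simulated LDAP referral chasing between two directory servers (added example)."""
from typing import Dict, List, Optional, Tuple

Result = Tuple[str, Optional[object]]   # (status, payload)


def under(dn: str, suffix: str) -> bool:
    """True if dn equals suffix or lies beneath it (DNs compared case-insensitively)."""
    dn, suffix = dn.lower(), suffix.lower()
    return dn == suffix or dn.endswith("," + suffix)


class DirectoryServer:
    def __init__(self, url: str, suffix: str,
                 entries: Dict[str, Dict[str, str]],
                 referrals: Dict[str, str]) -> None:
        self.url = url
        self.suffix = suffix                      # naming context held locally
        self.entries = {dn.lower(): a for dn, a in entries.items()}
        self.referrals = referrals                # foreign suffix -> server URL

    def search(self, base_dn: str) -> Result:
        """Base-scope lookup: ("entry", attrs), ("noSuchObject", None) or ("referral", url)."""
        if under(base_dn, self.suffix):
            attrs = self.entries.get(base_dn.lower())
            return ("entry", attrs) if attrs is not None else ("noSuchObject", None)
        for suffix, url in self.referrals.items():
            if under(base_dn, suffix):
                return ("referral", url)
        return ("noSuchObject", None)


def chase(servers: Dict[str, DirectoryServer], start_url: str, base_dn: str,
          max_hops: int = 3) -> Tuple[str, Optional[object], List[str]]:
    """Follow referrals from start_url; return (status, payload, servers visited).

    Stops with "referralLoop" when a referral names a server already visited,
    and with "referralLimitExceeded" after max_hops hops.
    """
    path = [start_url]
    url = start_url
    for _ in range(max_hops + 1):
        status, payload = servers[url].search(base_dn)
        if status != "referral":
            return status, payload, path
        if payload in path:
            return "referralLoop", payload, path
        path.append(payload)
        url = payload
    return "referralLimitExceeded", url, path


# Constructed deployment: an eNetwork-style server and an Active Directory-style
# server referring each other's naming contexts, plus a stale o=Legacy referral
# on both sides that points at the other server.
IBM_URL = "ldap://enetwork.example.invalid"
AD_URL = "ldap://ad.example.invalid"
SERVERS = {
    IBM_URL: DirectoryServer(
        IBM_URL, "o=Example Corp",
        {"cn=Directory Admin,o=Example Corp": {"cn": "Directory Admin"}},
        {"dc=example,dc=com": AD_URL, "o=Legacy": AD_URL}),
    AD_URL: DirectoryServer(
        AD_URL, "dc=example,dc=com",
        {"cn=Jane Doe,dc=example,dc=com": {"cn": "Jane Doe"}},
        {"o=Example Corp": IBM_URL, "o=Legacy": IBM_URL}),
}

if __name__ == "__main__":
    for dn in ("cn=Jane Doe,dc=example,dc=com", "cn=Old,o=Legacy"):
        print(dn, "->", chase(SERVERS, IBM_URL, dn))
```

A client that chases referrals also has to decide what credentials it presents to the referred-to server; re-using the original bind credentials against a server the user never chose to talk to is a separate decision from the loop handling shown here, and most deployments want referral following to re-bind anonymously unless the target is explicitly trusted.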
IBM vs. Microsoft
(Table: the two stacks side by side)
IBM:
- Applications: Java based
- Tivoli
- Middleware: IBM, Lotus, 3rd party
- LDAP Directory
- Network: IBM
- Key Based Security
- Atlas
- Cross platform
Microsoft:
- Applications: MS, etc.
- SMS
- Middleware: MS, etc.
- Active Directory
- Network: Cisco
- NT 5.0
- Key Based Security
- Wolfpack
Summary
- IBM is committed to:
  - Delivering mission critical, high performance, scalable LDAP directories across the leading industry platforms as infrastructure components
  - Directory enabling our middleware and applications to reduce the cost of administration
  - Integrated directory and security offerings to enable e-business
  - Working with standards bodies to advance LDAP and deliver industry standard schemas
  - Providing management tools for seamless administration
For More Information
www.software.ibm.com/enetwork/directory
- Directory Product Announcement Information
- Directory Strategy
- Directory Products Brochure
- Security and Directory Industry Solution Guides
- Security and Directory Evaluation Kit
- Directory Reference Materials
  - Redbooks
  - Whitepapers (including the scaling guide)
  - Programming Reference
  - Administration Guide
  - Installation/Configuration Guide