ID-Synch Server Requirements
Multiple, Load-Balanced Servers
ID-Synch® supports multiple, load-balanced servers.
Each server can host multiple ID-Synch instances, each with its own users, managed systems, features and policies.
Different instances of ID-Synch can be separate or inter-related as required. This is accomplished by having instances share some data and maintain other data separately.
For example, two instances can be configured to share data about help desk staff. If this is done, a help desk user defined in one instance automatically gains access to the other, with no duplicate setup required.
As another example, two instances may share password history data. When this is done, a password chosen for a user on the systems managed by one instance cannot be reused on the systems managed by the other instance. This is an effective way to enforce a rule requiring passwords to be different on separate groups of systems.
It only takes a few minutes to add an instance to an ID-Synch server, and a few more to configure it to either share data with another instance or automatically copy a subset of that other instance's data.
ID-Synch instances can and normally do span multiple servers. Every server hosting a given instance is functionally identical, so any of them can service any request. User traffic is load balanced between the servers supporting the instance. Load balancing may be accomplished using DNS (round-robin is built into most DNS servers) or at the IP level with a device from Cisco, F5, etc.
High availability is accomplished by combining load balancing with server health monitoring and automatic fail-out. ID-Synch includes server monitoring tools that can be configured on each server to monitor its peers and, when a failure is detected, to trigger an alarm (e.g., by e-mail) and automatically update dynamic DNS (DDNS) records so that the failed server is removed from circulation. Hitachi ID also provides these tools for Unix/BIND with traditional DNS.
There is no hard-coded limit to the number of concurrent, replicated servers. In practice, replication may become slow with more than 10 servers. Since Hitachi ID's three largest customers run with just two production servers each, this is only a theoretical problem.
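The following is an added example of the peer monitoring and DNS fail-out pattern described above; it is not the ID-Synch monitoring tool itself. Each server probes its peers over HTTP, and a peer that fails a number of consecutive probes is reported by an alarm and removed from the round-robin name by deleting its A record with a BIND nsupdate(8) script. The host names, addresses (RFC 5737 range), the probe path /idsynch/ and the TSIG key are assumptions; the probe, alarm and DNS update are injected as callables so the logic runs offline against constructed inputs.

```python
"""Added example (not ID-Synch's own monitoring tool): peer health checks
with automatic DNS fail-out.

Every server probes its peers; a peer that fails FAIL_THRESHOLD consecutive
probes is failed out by deleting its A record from the round-robin DNS name,
and an alarm is raised.  The probe, alarm and DNS update are injected as
callables so the logic runs offline with constructed inputs.
"""
import http.client
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set

# Hypothetical names and addresses (RFC 5737 documentation range).
SERVICE_NAME = "idsynch.example.com."         # round-robin name clients use
ZONE = "example.com"
DNS_SERVER = "ns1.example.com"
PEERS = {"idsynch1": "192.0.2.11", "idsynch2": "192.0.2.12"}
FAIL_THRESHOLD = 3   # consecutive failures before fail-out, to avoid flapping


def http_probe(ip: str, path: str = "/idsynch/", port: int = 80,
               timeout: float = 5.0) -> bool:
    """True if the peer's web server answers the probe with HTTP 200.
    A bare TCP connect is not enough: users need the CGI layer behind the
    web server, so the probe requests an application URL (assumed path)."""
    try:
        conn = http.client.HTTPConnection(ip, port, timeout=timeout)
        conn.request("GET", path)
        ok = conn.getresponse().status == 200
        conn.close()
        return ok
    except (OSError, http.client.HTTPException):
        return False


def nsupdate_remove(name: str, ips, zone: str = ZONE, server: str = DNS_SERVER,
                    tsig: Optional[str] = None) -> str:
    """Build an nsupdate(8) script deleting the failed servers' A records.
    tsig is "keyname secret"; the DNS server should reject unsigned updates,
    otherwise anyone on the network can rewrite the service name."""
    lines = [f"server {server}", f"zone {zone}"]
    if tsig:
        lines.append(f"key {tsig}")
    lines += [f"update delete {name} A {ip}" for ip in sorted(ips)]
    lines.append("send")
    return "\n".join(lines) + "\n"


@dataclass
class PeerMonitor:
    peers: Dict[str, str]
    probe: Callable[[str], bool] = http_probe
    threshold: int = FAIL_THRESHOLD
    failures: Dict[str, int] = field(default_factory=dict)
    removed: Set[str] = field(default_factory=set)

    def poll(self) -> Set[str]:
        """Probe every peer once; return the peers that crossed the failure
        threshold on this poll.  Already-removed peers are not reported twice."""
        newly_failed = set()
        for name, ip in self.peers.items():
            if self.probe(ip):
                self.failures[name] = 0      # a single success resets the count
                continue
            self.failures[name] = self.failures.get(name, 0) + 1
            if self.failures[name] >= self.threshold and name not in self.removed:
                self.removed.add(name)
                newly_failed.add(name)
        return newly_failed

    def fail_out(self, alarm: Callable[[str], None] = print) -> Optional[str]:
        """One monitoring cycle: poll, raise an alarm for each newly failed
        peer, and return the nsupdate script to run (None if nothing changed)."""
        failed = self.poll()
        if not failed:
            return None
        for name in sorted(failed):
            alarm(f"ID-Synch peer {name} ({self.peers[name]}) failed "
                  f"{self.threshold} consecutive probes; removing from {SERVICE_NAME}")
        return nsupdate_remove(SERVICE_NAME, [self.peers[n] for n in failed])


if __name__ == "__main__":
    # Constructed run: idsynch2 is down, idsynch1 is healthy.
    down = {"192.0.2.12"}
    mon = PeerMonitor(PEERS, probe=lambda ip: ip not in down)
    for cycle in range(4):
        script = mon.fail_out()
        print(f"cycle {cycle}: {'no change' if script is None else script}")
```

Two caveats matter in practice. Clients cache the round-robin answer for the record's TTL, so the fail-out only takes effect once a short TTL on the service name expires; and a server that recovers is deliberately not re-added automatically, since a half-working server that passes a single probe is exactly what you do not want back in rotation without an operator looking at it first.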
Server Platform
ID-Synch must be installed on a Windows 2003 server.
Installing on Windows 2003 allows ID-Synch to leverage client software for most types of target systems, which is available only on the "Wintel" platform. In turn, this makes it possible for ID-Synch to manage passwords and accounts on target systems without installing a server-side agent.
The ID-Synch server must also be configured with a web server. Since the ID-Synch application is implemented as CGI executables, any web server will work. The ID-Synch installation program is aware of and can automatically configure IIS, Apache and Sun ONE web servers for use with ID-Synch.
ID-Synch is a security server and should be locked down accordingly. Please refer to the Hitachi ID document about hardening ID-Synch servers to learn how to do this.
Server Configuration
Each ID-Synch server is configured as follows:
- Hardware requirements:
  - A Pentium-IV class or better x86 CPU (preferably physical hardware; virtual machines have shown performance problems due to slow I/O).
  - At least 1GB RAM -- more is better.
  - At least 36GB SCSI hard disk, preferably RAID for reliability, and preferably larger to hold more history data and log files.
- Operating system:
  - Windows 2003 Server with current service packs
  - The server should not be a domain controller
  - The server should not belong to a domain
- Installed and tested software on the server:
  - TCP/IP networking, with a static IP address and a DNS name entry
  - Web server (Apache/Win32, IIS or Sun ONE)
  - Client software: web browser, Acrobat Reader (to read the manual), and the native clients for the systems that ID-Synch needs to interface with
  - Cryptographic certificate


