4.5 Tech Spec

DirectorySmart Product Review Guide v0.2

OpenNetwork Technologies®
13577 Feather Sound Dr., Suite 390
Clearwater, FL 33762
727.561.9500
www.opennetwork.com

Enhanced Security
• Web Access Control and Portal Services
• Role-Based Policy Management
• Delegated Authority
• Measurement and Analysis
• Web Single Sign-on
• Fine-Grain Access Control

January 15, 2001

Version 4.5

OVERVIEW ..... 1
  NOTE TO REVIEWERS ..... 1
    Included in this package ..... 1
  KEY EVALUATION CRITERIA ..... 1
    Cost of Ownership ..... 1
    Scalability ..... 2
    Deployment Time ..... 2
    Integration of the Security Infrastructure ..... 2
    Directory Based Security Infrastructure ..... 2
SECURE EBUSINESS INFRASTRUCTURE HIGH-LEVEL REQUIREMENTS ..... 2
  DirectorySmart Secure eBusiness Infrastructure ..... 3
  Centralized User Identity Repository ..... 4
    Authentication ..... 4
    Authorization ..... 4
    Password Management ..... 4
    Password Policies ..... 4
  Role Based Policy Management ..... 5
    User Interface ..... 5
    Organizational Management ..... 5
    Streamlined Web Application Rollout ..... 5
    Multiple Roles for Individual Users ..... 5
    Organizational Ownership of Roles ..... 5
    Configurable Advanced Searches ..... 5
    Configurable User Management User Interface ..... 6
  Web Access Control ..... 6
    Web Access Control with Plug-In Technology ..... 6
    Web Single Sign-On ..... 6
    Robust Login Functionality ..... 6
    Session Timeout ..... 7
    Fault Tolerant Directory Connection Support ..... 7
    Support for Public Pages Access ..... 7
  Delegated Authority and User Management ..... 7
    Multiple Levels of Delegation for Policy Management Across Unlimited Sites ..... 7
    Point-and-Click Web-Based Interface for Delegated User Management ..... 7
    Policy Security Management Extended to External Administrators ..... 7
    Self-Service Capabilities for User and Policy Management ..... 8
  Fine-Grain Access Control ..... 8
    C/C++ and Java APIs for Customization and Enterprise Integration ..... 8
  Portal Services and Personalization ..... 8
    Personalized Web-Based User Portal ..... 8
    Internationalized User Interface for Login and Portal Services ..... 8
    Point-and-Click Customization of Web Interface per Organization ..... 9
  Reporting, Measurement and Analysis ..... 9
    Reporting Usage: Security and Marketing ..... 9
    Lockout and Security Alert Notification Enhancements ..... 9
    Security Audit Trails ..... 9
    Targeted Messaging ..... 9
ARCHITECTURE AND INTEGRATION ..... 10
  Multiple Platforms ..... 10
  LDAP Directories ..... 10
  Web Servers ..... 10
  DirectorySmart APIs ..... 10
  Multiple Authentication Methods ..... 10
ARCHITECTURE IMPACTS ..... 11
  Scalability ..... 11
  Availability ..... 11
  Manageability ..... 11
LOWEST COST OF OWNERSHIP ..... 11
  Initial Deployment ..... 11
  Ease of Use ..... 11
  Delegation of Authority ..... 12
HOW DIRECTORYSMART IS USED: AN EXAMPLE ..... 00
SPECIFICATIONS AND COMPONENTS ..... 12
  DirectorySmart Web Access Control Agents – Supported Web Servers ..... 12
  DirectorySmart LDAP Centralized Policy Store – Supported Directory Servers ..... 12
  DirectorySmart User Role Based Policy Management – Supported Platforms ..... 12
  DirectorySmart API – Supported Development Environments ..... 12
DIRECTORYSMART PRODUCT DESCRIPTIONS ..... 12
ABOUT OPENNETWORK TECHNOLOGIES ..... 13

OVERVIEW

Enterprises are under increasing competitive, cost and regulatory pressures to deliver more and more services to potentially millions of users via the web. Underlying these increasing pressures is the question of how to deliver these services to a complex range of business partners, employees and customers while maintaining security and without overburdening internal resources. Enterprises must have a proven, scalable solution to ensure security in the face of this increasing volume and complexity. Organizations require a reusable, flexible, efficient and comprehensive security solution for protecting distributed Web applications.

OpenNetwork partnered with leading Fortune 500 companies to understand their needs for a secure eBusiness infrastructure and applied these requirements to the development of DirectorySmart, a software infrastructure for securing web applications and managing eBusiness security policies. DirectorySmart’s integrated security infrastructure combines the efficiency of directory-based user definition and authentication with the effectiveness of delegated user management and role- and policy-based Web access control.

Fortune 500 companies recognize that by utilizing the DirectorySmart secure infrastructure they can focus their scarce internal IT resources on their own core competencies and strategies. Utilizing the DirectorySmart security infrastructure they can reduce time to production for their eBusiness strategies, and lower their cost of ownership for their overall eBusiness infrastructure. DirectorySmart is specifically designed to install easily into existing customer environments and has been in production with Fortune 500 enterprises for almost 3 years. The technological strength of DirectorySmart has been recognized by the market and has attracted GE, Chase Capital, MedEquity and SI Ventures to join with OpenNetwork to bring our solutions to a larger customer audience.

NOTE TO REVIEWERS

OpenNetwork Technologies thanks you for the opportunity to participate in your review process. We wish to be supportive of your review process. To aid you in your review, we are including the complete set of product documentation that would be sent to a new client.

Included in this package:

• The DirectorySmart User Guide
• The DirectorySmart Installation Guide
• The DirectorySmart Configuration Guide
• The DirectorySmart Application Developer’s Guide

Each of these documents will provide you with in-depth information about DirectorySmart. Additionally, you may feel free to contact Susan Nelson-Crowley, DirectorySmart Product Manager, at 727-561-9500, ext. 302 with any questions that arise during your evaluation.


KEY EVALUATION CRITERIA

Many vendors have embraced the security opportunity evolving from the explosion of eBusiness initiatives. In addition to the inherent functional characteristics of the product, it is important to evaluate the following attributes as well:

Cost of Ownership

Cost of ownership can be influenced by the product’s architecture, ease of use, and the efficiency of the business processes required or enabled by the system. Flexible pricing schemes and the chosen product’s ability to plug in to the existing corporate IT infrastructure are highly desirable attributes. The chosen product should minimize the need for additional single-use hardware dedicated to the support of the product. For example, some systems require separate additional policy enforcement servers (see the Architecture section for further detail).

Scalability

Scalability is the ability to efficiently and cost-effectively deploy to millions of users, and has a significant impact on the total cost of ownership. Efficient scalability is based on both the hardware and software required, as well as the efficient business processes required or supported by the system. The ability of the system to easily and quickly define organizations and user roles, coupled with a robust delegated management approach, is necessary to support the efficient scaling of the business processes related to the system. These capabilities ensure the minimal burden on centralized resources for user management and allow the organization to minimize the administrative time and cost of deployment required for the system. Robust delegated authority allows an enterprise to delegate user management out to the lowest logical level while providing a greater level of customer service to its users.

Deployment Time

The reusability of security components allows an enterprise to minimize deployment time and to reap the benefits of its eBusiness strategy more rapidly. With the optimal solution, Web access control plug-ins and APIs can directly leverage an enterprise’s established security infrastructure to speed the deployment of new web applications in a secure environment. Effective functionality such as role-based policy management allows an enterprise to make a security policy decision once, and implement that policy across the enterprise with eBusiness speed.

Integration of the Security Infrastructure

The most desirable solution is one that addresses all enterprise requirements with one product, at a value-based cost. eBusiness security can only be completely managed when Authentication, Authorization, Access Control and Auditing can be addressed with a single, well-integrated approach.

Directory-Based Security Infrastructure

Utilizing an LDAP directory as the central repository for security policy allows a security infrastructure to make the most of the native characteristics of LDAP: high performance, availability and robust scalability.


SECURE EBUSINESS INFRASTRUCTURE

High-level Requirements

Companies are under tremendous pressure to leverage the benefits of eBusiness internally with diverse divisions and employees, and externally with their range of business partners and customers.

There are two drivers for companies that eventually force them to purchase a secure eBusiness infrastructure product: an increasing number of applications to which access must be controlled, and diverse user communities that can range into the millions. The complexity of managing the increasing number of security policies to enforce the proper business relationships demands that a secure eBusiness infrastructure:

• be based on solid security principles
• streamline the management of complex eBusiness security relationships
• allow for integration with existing applications and support rapid application deployment
• support scalability for future applications and user communities
• support increasingly rigorous security auditing and reporting requirements.

Authentication and Authorization

Web access control has at its roots the basic concepts of authentication and authorization, assuring that web users are clearly identified so that they are allowed access to only those applications and functions defined by the organization’s eBusiness security policies.

Delegated User and Security Policy Management

To manage users and security policies in enterprise and Internet-scale environments, companies engaging in eBusiness must be able to delegate these administrative tasks appropriately to diverse divisions internally, and externally to customers, suppliers, partners, and vendors. The cost savings of the ideal flexible security infrastructure are balanced against the need to securely delegate this authority such that individual Administrators can assign no greater access and capability than that which they are authorized to assign.

Web Application and Fine Grain Access Control

Existing Web-enabled applications must be able to be rapidly integrated and rolled out within the secure eBusiness infrastructure. As new applications are developed or existing applications upgraded, fine grain access control and personalization functions must be available to application developers so that they can increase the security and extend the usability of their applications.

Scalability

Web-enabled systems must be able to handle the high transaction rates and numbers of users that are common in deployments ranging from enterprise-wide up to Business-to-Consumer deployments, where transaction rates can range into the millions of transactions per day.


Security Audit Support

With the Internet, it is essential that companies be able to audit all aspects of their system security. This includes active notification of specified events, passive measurement and reporting, and user accountability. Government regulations in specific markets (such as health care with the HIPAA regulations) are placing specific rigorous demands on enterprises engaged in eBusiness. The chosen secure eBusiness infrastructure must support these requirements.

DIRECTORYSMART SECURE EBUSINESS INFRASTRUCTURE

DirectorySmart’s key components provide a robust security infrastructure that can be used flexibly to map to an enterprise’s specific security, IT architecture and business model needs. These key components include:

• LDAP directory as an authoritative centralized source for user identity attributes, to ensure authentication, authorization and access privileges
• DirectorySmart User Management system for user identity and role-based policy management
• DirectorySmart Menu of Services system for providing personalized portal services
• DirectorySmart Web Access Control Agents (WACs) to protect resources on a particular web server
• DirectorySmart APIs for use by application developers to leverage the DirectorySmart infrastructure to deliver fine grain access control within a web application

These DirectorySmart components provide companies with a comprehensive system to define their security infrastructure, secure web applications and manage eBusiness security policies. The key features and benefits of the resulting system include the following:

• Centralized User Identity Repository
• Role Based Policy Management
• Web Access Control
• Web Single Sign-On
• Delegated Authority and User Management
• Fine-Grain Access Control
• Reporting, Measurements and Analysis

Centralized User Identity Repository

Authentication

Authentication is the means by which users are identified and validated within a security infrastructure. Typical installations require user ID/password combinations. DirectorySmart allows companies to easily deploy a variety of authentication mechanisms across the infrastructure. DirectorySmart extends the security of each of these credential types by allowing for the chaining, or combination, of multiple types of authentication depending on the resource or user requesting authentication and authorization. DirectorySmart supports a wide variety of 3rd party authorization products. DirectorySmart supports native LDAP user ID/password authentication against the leading LDAP directory vendors. DirectorySmart also supports single-factor authentication using X.509 compliant digital certificates such as those from Baltimore Technologies, Entrust, RSA, Microsoft, Netscape, and Verisign.

[Figure: DirectorySmart Basic Configuration. The diagram shows the user’s browser (holding the authentication cookie in browser memory) reaching, over HTTPS through the Internet and a firewall, web servers that each run a WAC agent in front of their web apps (some using the DirectorySmart API); the DirectorySmart Menu of Services and User & Policy Management components; the LDAP Directory with an LDAP Replica and an RDBMS reached via ODBC; and the Audit & Access Logger feeding Security Audit & Business Metric Reporting, with primary communication, back-up communication and logging paths marked. Key to symbols: AAL = DirectorySmart Audit Access & Logger; API = DirectorySmart API; DSAC = DirectorySmart Authentication Cookie; DSMOS = DirectorySmart Menu of Services; DSUM = DirectorySmart User & Policy Plug-in; WAC = DirectorySmart Web Access Control.]

Authorization

Authorization defines how users are either granted or denied the ability to access a particular Web application or a particular function within an application. DirectorySmart provides authorization using multiple parameters including role-based entitlements, session timeouts, and user authentication.

Password Management

Passwords submitted by the DirectorySmart user are passed across an SSL-encrypted channel. Once the password reaches a Web server, DirectorySmart communicates with the directory using an SSL-encrypted LDAP session to authenticate the user. Passwords are stored in the directory using encryption algorithms provided by the directory. At no time is the password passed in an unencrypted manner.

Password Policies

Password policy is an integral piece of any comprehensive security policy. It is important that passwords be as secure as possible, as they are the most common method of user authentication. DirectorySmart provides a set of comprehensive services that help an enterprise define the appropriate password policies for its business model(s). DirectorySmart password policies are independent modules that allow enterprises to tailor the policies to meet their specific needs.

Length – Password minimum and maximum lengths are configurable to prevent brute force attacks against passwords.

Syntax – Password syntax (valid characters, format, and character exclusion) is configurable via Javascript to prevent dictionary attacks, provide particular formats, and prevent characters which may cause problems in a particular environment.

Dictionary Search – The dictionary policy uses a list of common words which are checked against all new passwords. If a password matches a dictionary entry, it is rejected and an alternative requested.

Validity Period – The longer a password is valid, the greater the chance of compromise. DirectorySmart provides for the password validity time period to be defined at the system level and at the role level to provide the greatest flexibility possible.
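The four password policy modules described above (length, syntax, dictionary search and a validity period set at system level with role-level overrides) are shown below as one small, configurable checker. This is an added example written for this guide, not DirectorySmart’s own code: the policy values, the syntax rule, the word list and the role names are constructed for illustration, and the role override is resolved by taking the strictest (shortest) period that applies to the user, which is an assumption about how such overrides should combine.

```python
"""Configurable password policy checks (length, syntax, dictionary search,
validity period). Example code only, not DirectorySmart's implementation;
the policy values, word list, role names and dates are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import re

# Constructed sample word list; a deployment would load a real dictionary.
COMMON_WORDS = frozenset({"password", "welcome", "letmein", "qwerty", "summer"})


@dataclass
class PasswordPolicy:
    min_length: int = 8
    max_length: int = 64
    # Syntax rule as a regular expression (the guide lets sites script this);
    # here: at least one letter and at least one digit.
    syntax: re.Pattern = field(
        default_factory=lambda: re.compile(r"^(?=.*[A-Za-z])(?=.*\d).+$"))
    excluded_chars: str = "'\"<>&"   # characters that break some environments
    dictionary: frozenset = COMMON_WORDS
    validity_days: int = 90          # system-level default; roles may override


POLICY = PasswordPolicy()


def check_password(candidate: str, policy: PasswordPolicy = POLICY) -> list:
    """Return the names of the violated rules; an empty list means accepted."""
    problems = []
    if not policy.min_length <= len(candidate) <= policy.max_length:
        problems.append("length")
    if not policy.syntax.match(candidate):
        problems.append("syntax")
    if set(candidate) & set(policy.excluded_chars):
        problems.append("excluded characters")
    # Dictionary search on the alphabetic core, so "Password1" is caught as "password".
    core = re.sub(r"[^a-z]", "", candidate.lower())
    if core in policy.dictionary:
        problems.append("dictionary")
    return problems


def effective_validity_days(roles, role_validity, policy=POLICY) -> int:
    """Validity period for a user: the shortest of the system default and any
    role-level override, so the strictest policy wins for multi-role users
    (assumed combination rule)."""
    overrides = [role_validity[r] for r in roles if r in role_validity]
    return min([policy.validity_days] + overrides)


def password_expired(set_on: str, now: str, validity_days: int) -> bool:
    """True once a password (set on the ISO date set_on) has been in use for
    the full validity period as of the ISO date now."""
    age = datetime.fromisoformat(now) - datetime.fromisoformat(set_on)
    return age >= timedelta(days=validity_days)


if __name__ == "__main__":
    for pw in ("Password1", "short", "Fe4ther-Sound-390"):
        print(pw, "->", check_password(pw) or "accepted")
    print("Agent validity:", effective_validity_days(["Agent"], {"Agent": 60}), "days")
```

Running the file rejects "Password1" on the dictionary rule even though it satisfies length and syntax, which is why the dictionary check is applied to the alphabetic core rather than to the literal string.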

Role Based Policy ManagementIn order to easily manage millions of users, DirectorySmart provides security manage-

ment using role-based policies. Roles are logical groups of users who perform similar

business functions and hence share a common security profile. Individuals that have

been defined as administrators are able to define multiple roles to segment the

security profiles of their users as they best see fit. Through the use of roles, administra-

Page 10: 4.5 Tech Spec

Product Review Guide 7

tors can easily modify security profiles of large numbers of users simply by modifying

the security privileges associated with a role common to each of the users. Individual

users are easily assigned to one or more roles and are subsequently managed and

given access to specifically designated Web services.

Roles may include administrative capabilities such as Super Administrator, Delegated

Administrators of various levels, and End Users of different types. Roles may also have

a business context such as Customer Support Representative or Agent.

User InterfaceDirectorySmart’s browser-based user interface allows organizations to administer

the user and policy management system through the Web. The DirectorySmart user

interface features simple ‘point and click’ screens which allow administrators to

create and manage users, organizational management structures, and Web services

quickly and easily with minimal training required.

Organizational ManagementBy streamlining the management of organizational hierarchies, DirectorySmart pro-

vides administrators with the ability to easily manage complex and diverse organiza-

tional structures in a secure fashion. Realms of authority can be managed through the

creation of different organizations which have access to different Web applications

and content.

Multiple Roles for Individual UsersIndividual users can be assigned to one or more roles. This function allows users to

retain a single login ID while performing multiple types of functions (e.g. a person can

be both Customer Service Representative and also a Claims Processor).

Organizational Ownership of RolesDirectorySmart allows individual organizations to customize roles within the organi-

zation to suit their needs. With DirectorySmart, each organization can define the

entitlements of the role to match their definition and requirements.

Configurable Advanced Searches

DirectorySmart allows Administrators to do simple and advanced searches based on Web services or applications, organizations, roles and users. Simple searches are available by default, with advanced searches accessible at the push of a button. This function is configurable to allow for complex search capabilities. An enterprise is able to configure these advanced searches to balance the needs for flexibility and performance.

Configurable User Interface

All of the DirectorySmart User and Policy Management interfaces for Web services and applications, organizations, roles and users are configurable to allow an organization to define the specifics of the screens presented to the Administrative user, including the attributes, labels and input controls.


Web Access Control

By keeping track of user profiles, roles and information entitlements in the central directory via the DirectorySmart user management system, DirectorySmart ensures that users are authenticated and authorized before allowing access to specific Web services. A web access control agent secures each web server and validates each request before allowing access to a protected resource.

Web Access Control with Plug-In Technology

DirectorySmart Web Access Control is implemented as a plug-in to each Web server (NSCP, IIS, IBM HTTP) that it protects. The plug-in works in sync with each server and examines every HTTP request that the server processes.

Web Single Sign-On

DirectorySmart handles security for multiple domains within an enterprise or between an enterprise and its partners. DirectorySmart allows users to sign on once for access to multiple Web services for which they are authorized, even if these services are located on multiple domains or on a domain operated by an ASP partner.

DirectorySmart supports Web single sign-on using an encrypted session cookie. The cookie is created for each user after the user’s first successful authentication. The cookie contains the user’s credentials and is passed to the WAC agent, eliminating the need for multiple logins by the user. The cookie is shared by all DirectorySmart WAC agents and allows them to confirm the authentication of the user at each request. The DirectorySmart authentication cookie is protected at the client in three ways:

• Cookies are stored in the browser memory, never to the hard drive.

• Cookies contain IP-specific information that is checked to see whether the cookie comes from the address that it was created for, preventing the cookie from being hijacked by a malicious user.

• Cookies have inactivity thresholds that render them unusable after a configurable period of inactivity. These inactivity thresholds are set on a role, Web application or system level.

• Cookies are encrypted using 128-bit Blowfish algorithms.

For added protection, the Web server should run with SSL encryption on to protect all data transmitted from the server to the browser, which is supported by DirectorySmart.

Secure Password Storage and Transmission

Passwords submitted by the DirectorySmart user are passed across an SSL-encrypted channel. Once the password reaches a Web server, DirectorySmart communicates with the directory using an SSL-encrypted LDAP session to authenticate the user. Passwords are stored in the directory using encryption algorithms provided by the directory. At no time is the password transmitted in an un-encrypted manner.


Session Timeout

Session timeout can be defined on a per Web service, role, user or access control agent basis. An enterprise can configure the precedence of enforcing the session timeouts (i.e., role supersedes Web service, Web service supersedes user).
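As an added example (not DirectorySmart’s own code), the following shows the request-time logic a WAC agent would apply to the single sign-on cookie and session timeouts described above: the public-page bypass, the cookie integrity check, the IP binding, and the inactivity threshold chosen by the configurable role/Web service/user precedence. The page’s 128-bit Blowfish encryption is replaced by an HMAC-SHA256 tag because Python’s standard library has no Blowfish, and all keys, paths, users and thresholds are constructed.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed example, not DirectorySmart code. The page describes a Blowfish-
# encrypted cookie; this stand-in authenticates the cookie with an HMAC-SHA256
# tag instead so that tampering is detected. The request checks below are the
# part being demonstrated.
AGENT_SECRET = b"constructed-key-shared-by-all-wac-agents"
TAG_LEN = 32  # bytes of SHA-256 output


def make_cookie(user, roles, web_service, client_ip, last_activity, secret=AGENT_SECRET):
    """Issue the single sign-on cookie after the user's first successful login."""
    claims = {"user": user, "roles": sorted(roles), "app": web_service,
              "ip": client_ip, "last": last_activity}
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(secret, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()


def open_cookie(cookie, secret=AGENT_SECRET):
    """Return the cookie's claims, or None if it is malformed or its tag fails."""
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
    except ValueError:
        return None
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(secret, body, hashlib.sha256).digest()
    if len(tag) != TAG_LEN or not hmac.compare_digest(tag, expected):
        return None
    try:
        return json.loads(body)
    except ValueError:
        return None


@dataclass
class TimeoutPolicy:
    """Inactivity thresholds (seconds) at role, Web service, user and system level."""
    role: dict = field(default_factory=dict)
    web_service: dict = field(default_factory=dict)
    user: dict = field(default_factory=dict)
    system: int = 1800
    # Enterprise-configured precedence; the page's example order is
    # role supersedes Web service, Web service supersedes user.
    precedence: tuple = ("role", "web_service", "user")

    def threshold(self, claims):
        for level in self.precedence:
            if level == "role":
                # A user holding several roles gets the strictest role threshold (assumption).
                limits = [self.role[r] for r in claims["roles"] if r in self.role]
                if limits:
                    return min(limits)
            elif level == "web_service" and claims["app"] in self.web_service:
                return self.web_service[claims["app"]]
            elif level == "user" and claims["user"] in self.user:
                return self.user[claims["user"]]
        return self.system


@dataclass
class WacAgent:
    """The per-request checks a Web access control plug-in would apply."""
    policy: TimeoutPolicy
    public_prefixes: tuple = ("/public/",)     # constructed 'public' area
    public_suffixes: tuple = (".gif", ".css")  # constructed public file types

    def is_public(self, path):
        return path.startswith(self.public_prefixes) or path.endswith(self.public_suffixes)

    def check(self, path, client_ip, cookie, now):
        """Return (decision, cookie to set); 'allow' carries a refreshed cookie."""
        if self.is_public(path):
            return "public", cookie
        if cookie is None:
            return "deny:login-required", None
        claims = open_cookie(cookie)
        if claims is None:
            return "deny:bad-cookie", None
        if claims["ip"] != client_ip:  # cookie presented from a different address
            return "deny:ip-mismatch", None
        if now - claims["last"] > self.policy.threshold(claims):
            return "deny:inactive", None
        # Each validated request restarts the inactivity clock.
        refreshed = make_cookie(claims["user"], claims["roles"], claims["app"], claims["ip"], now)
        return "allow", refreshed
```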

Fault Tolerant Directory Connection Support

The DirectorySmart Web access control system handles cases where one directory server is unavailable by rolling over to secondary directory servers. In order for this rollover to occur, the appropriate directory service implementation must be in place, which includes replication across the primary and secondary servers.

Support for Public Pages Access

DirectorySmart’s Web Access Control supports the concept of ‘public’ pages. For example, specific areas under DirectorySmart protection or specific file types can be defined as accessible by the general public without the need for user authentication via login.

Delegated Authority and User Management

One of the most powerful DirectorySmart capabilities is that it allows a Delegated Administrator to securely create, modify and change a particular organization’s individual user information. The enhanced delegated authority feature allows companies to delegate user management out to the lowest logical level, decreasing the centralized management burden of user roles and profiles. This feature provides tremendous cost savings and a greater level of customer service for companies using DirectorySmart.

DirectorySmart is specifically designed to enable organizations to manage security for millions of users and dozens of Web applications. Each administrator of the system can develop organizational management structures, create administrator roles in each organization, and allow these ‘Delegated Administrators’ to take responsibility for the management of their particular user communities. In this way, the responsibility and time required for management is distributed across the system, thereby defraying the administrative impact to the central enterprise. Note that the drive for cost savings in no way impacts security: authority is securely delegated such that Delegated Administrators can assign no greater access and capability than that which they are authorized to assign.

Multiple Levels of Delegation for Policy Management Across Unlimited Sites

Organizational realms of management and security are supported within DirectorySmart and allow the organization administrators to create subordinate organizations for delegation and delineation of user and policy information.

Point-and-Click Web-Based Interface for Delegated User Management

The user interface for delegated user management is designed for maximum ease of use, using familiar point and click features. This maximizes usability and minimizes training and support costs.


Policy Security Management Extended to External Administrators

Through Delegated Authority, DirectorySmart provides enterprises with the ability to allow internal organizations as well as external partner, supplier, vendor and customer administrators to manage their own user sets. This feature provides tremendous cost savings and a greater level of customer service to an enterprise using DirectorySmart, as it effectively “outsources” an internal administrative task to the external users of the system.

Self-Service Capabilities for User and Policy Management

DirectorySmart provides simple self-service functionality to users. This functionality extends DirectorySmart’s Delegated Authority system beyond Administrators to the end users themselves, thereby allowing DirectorySmart to easily support the administration of millions of users. Through self-registration and password policy functions, DirectorySmart enables the enterprise to allow users to register for and manage their own access to the web applications as appropriate and as determined by the enterprise’s security requirements.

Fine-Grain Access Control

DirectorySmart provides the infrastructure to manage application level controls within a Web service or application. This feature enables companies to provide personalized security and content within their Web applications through simple API calls to the DirectorySmart secure infrastructure, thereby enhancing their ability to rapidly bring applications to the Web in a secure environment.

C/C++ and Java APIs for Customization and Enterprise Integration

DirectorySmart provides a set of strong Application Programming Interfaces (APIs) available in C/C++ and Java. These APIs allow Web application developers to take advantage of the policy management and storage provided by DirectorySmart with no knowledge of LDAP programming concepts required. The DirectorySmart APIs easily allow developers to incorporate personalization and detailed security features into their Web applications based on information stored in the directory and managed by DirectorySmart.

Portal Services and Personalization

Working in conjunction with Web Access Control, DirectorySmart can leverage user profile, role and information entitlement information to create a personalized “portal” or view of corporate Internet services based on an individual user’s organization and role profile.

Personalized Web-Based User Portal

DirectorySmart Portal Services utilize the profiles and policies stored in the directory and create a custom portal for each user as they log into the system. The user is presented with the Web services they may access without needing to wade through services they are not authorized to access.


How Portal Services Can Be Used

An insurance company found that when their users logged onto their site they were shown all applications, even those they were not allowed to access. Utilizing the DirectorySmart Portal Services and Personalization through the menu of services feature, the company now provides personalization, authentication and authorization to specific, user-defined Web services for their users. For example, if a user logs onto the provider’s DirectorySmart-powered Web site now, the user sees only the applications and services specific to his or her privileges. They will not see any applications for which they are not authorized.

Internationalized User Interface for Login and Portal Services

DirectorySmart provides language localization (Internationalization) support in the end-user interfaces of the software. When it is detected that a login is required, DirectorySmart can check the user’s browser settings to determine their language preference and then present an appropriate HTML page developed in that language by the enterprise.

Point-and-Click Customization of Web Interface per Organization

In conjunction with support for Internationalization, the DirectorySmart portal is built using XML in conjunction with XSL templates. This architecture and design allows an organization to build completely personalized portals through custom templates. Each organization created in DirectorySmart can be configured to have a customized portal presented to all users in the organization. For example, for an enterprise with 3 divisions and 4 external partners leveraging the DirectorySmart security infrastructure, a custom menu of services screen can be developed and presented for each one of those organizations for appropriate users as they log in, triggered by the organizational component of the user profile. This allows organizations to ‘brand’ the interface as they see fit.

Reporting, Measurement and Analysis

DirectorySmart provides activity and usage measurement and analysis that can be analyzed by organization, individual and Web service. This provides benefits in multiple key areas: security auditing and reporting, marketing support and communication, and security alerting.

Reporting Usage: Security and Marketing

DirectorySmart Web Access Control agents log every request to protected resources down to the user ID level, and all directory modifications made using the DirectorySmart system. This function allows the Reporting, Measurement and Analysis system to collect log information and process it against the profile information stored in the directory. This supports the security auditing requirements of recent government regulations through standard and custom reports.

In addition, an enterprise can utilize this information to enhance their marketing strategies by analyzing employee and business partner usage of particular web applications, interest areas and activity patterns. This information can be utilized to develop targeted messaging campaigns, to adjust or prioritize particular web services, or to enhance marketing strategies vis-à-vis particular user profiles.

Lockout and Security Alert Notification Enhancements

The ability to lock out users who have exceeded the threshold for consecutive failed logins is configurable and allows for the automatic notification of interested parties via email. This feature enhances the security provided by DirectorySmart by allowing for the real-time notification of security personnel during possible password attacks against the system.
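As an added example (not DirectorySmart code), this is the consecutive-failure lockout and notification logic run over a few constructed WAC-style login log lines; the log format, the threshold and the notification recipients are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed example, not DirectorySmart code: lockout after N consecutive
# failed logins, with an email-style notification record for security staff.
# The log line format below is an assumption, not the product's format.
LOG_LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) login=(?P<result>OK|FAIL)")


@dataclass
class LockoutMonitor:
    threshold: int = 3                                  # consecutive failures before lockout
    recipients: tuple = ("security@example.com",)       # constructed notification list
    failures: dict = field(default_factory=dict)        # user -> current failure streak
    locked: set = field(default_factory=set)
    notifications: list = field(default_factory=list)   # what would be emailed

    def record(self, user, success, ts):
        """Apply one login outcome and return the resulting state for the user."""
        if user in self.locked:
            # A locked account stays locked even when the password is now correct;
            # otherwise a guessing run that eventually succeeds would bypass the lockout.
            return "locked"
        if success:
            self.failures.pop(user, None)   # a success resets the consecutive count
            return "ok"
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        if count >= self.threshold:
            self.locked.add(user)
            self.notifications.append({
                "to": list(self.recipients),
                "subject": f"Account locked: {user} after {count} consecutive failed logins",
                "at": ts,
            })
            return "locked"
        return "failed"

    def unlock(self, user):
        """Administrative reset once the event has been reviewed."""
        self.locked.discard(user)
        self.failures.pop(user, None)

    def replay(self, lines):
        """Feed log lines through the monitor; returns (user, state) per login record."""
        states = []
        for line in lines:
            m = LOG_LINE.match(line)
            if not m:
                continue   # not a login record
            states.append((m["user"], self.record(m["user"], m["result"] == "OK", m["ts"])))
        return states


# Constructed sample log: alice fails once then succeeds; bob fails three times in a row.
SAMPLE_LOG = [
    "2001-01-15T09:00:01 user=alice login=FAIL",
    "2001-01-15T09:00:07 user=alice login=OK",
    "2001-01-15T09:00:09 GET /public/index.html 200",
    "2001-01-15T09:01:00 user=bob login=FAIL",
    "2001-01-15T09:01:03 user=bob login=FAIL",
    "2001-01-15T09:01:05 user=bob login=FAIL",
    "2001-01-15T09:01:09 user=bob login=OK",
]


def run_sample(threshold=3):
    """Replay the constructed log and return the monitor and per-line states."""
    monitor = LockoutMonitor(threshold=threshold)
    return monitor, monitor.replay(SAMPLE_LOG)
```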

Security Audit Trails

Security audit trails are used to help the system track and record usage and access to secured resources. DirectorySmart provides strong auditing functions to increase the overall security of the system. It also provides standard reports which track usage by user or by Web service. This type of comprehensiveness in auditing provides accountability and makes troubleshooting and detection of security abnormalities easier.

Targeted Messaging

DirectorySmart allows organizations to identify specific target audiences based on groups or customized profiles so that targeted communications can be pointed directly to the audience identified.

ARCHITECTURE AND INTEGRATION

Multiple Platforms

DirectorySmart is available on multiple operating systems, thereby minimizing the impact on a business’ enterprise. By supporting the leading eBusiness platforms, DirectorySmart is able to support the major operating systems in the market today. DirectorySmart is currently available on Windows NT, Windows 2000, Solaris, and AIX.

LDAP Directories

At the core of DirectorySmart is the belief in the power of directory services to provide the necessary scalability and availability required in a security infrastructure. DirectorySmart utilizes LDAP native functions to store profile and policy information as well as to authenticate and authorize users and requests. DirectorySmart is in production with the market leading directory vendors: iPlanet, IBM, Microsoft, and Novell.

Web Servers

DirectorySmart provides two separate components: User and Policy Management, and Web Access Control Agents which provide policy enforcement. DirectorySmart User and Policy Management is a Web application which is available to reside on Web servers from iPlanet, Microsoft, and IBM.


[Figure: DirectorySmart: Availability, LDAP Deployment & Security Audit & Business Metric Reporting. Architecture diagram showing users reaching Web servers (each running a WAC plug-in in front of its web apps) over HTTPS through the Internet and firewall; the DirectorySmart Menu of Services, User & Policy Management and API components; the authentication cookie held in browser memory; an LDAP directory with an LDAP replica (primary and back-up communication) and an RDBMS reached via ODBC; and the Audit & Access Logger feeding Security Audit & Business Metric Reporting.]

Key to Symbols

AAL – DirectorySmart Audit Access & Logger

API – DirectorySmart API

DSAC – DirectorySmart Authentication Cookie

DSMOS – DirectorySmart Menu of Services

DSUM – DirectorySmart User & Policy Plug-in

WAC – DirectorySmart Web Access Control Plug-in


The DirectorySmart Web Access Control (WAC) agents run as web server plug-ins and sit on the web servers hosting the resources the enterprise wishes to protect. A separate “Policy Enforcement” server is not required (as is the case for some competitive systems).

DirectorySmart APIs

DirectorySmart provides a set of strong Application Programming Interfaces (APIs) available in C/C++ and Java. These APIs allow Web application developers to take advantage of the policy management and storage security infrastructure provided by DirectorySmart without requiring them to know LDAP programming concepts. The DirectorySmart APIs easily allow developers to incorporate personalization and fine-grain access control features into their Web applications based on information stored in the directory and managed by DirectorySmart. Determination of a user’s authentication, authorization and access profile can be established through simple API calls to the DirectorySmart security infrastructure.

Multiple Authentication Methods

DirectorySmart supports a wide variety of 3rd party authorization products. DirectorySmart supports native LDAP user ID/password authentication against the leading LDAP directory vendors. DirectorySmart also supports single-factor authentication using X.509 compliant digital certificates such as those from Baltimore Technologies, Entrust, RSA, Microsoft, Netscape, and Verisign.

ARCHITECTURE IMPACTS

Scalability

DirectorySmart leverages the inherent capabilities of LDAP to support deployments of systems supporting millions of users. The WAC agent is a lightweight web server plug-in which runs inline with the protected web server. As the web server traffic requires the scaling of the web server through available network technologies, the DirectorySmart WAC agent, and its use of native LDAP calls for authentication and authorization, scales as well. By using LDAP directories as the policy and profile store, DirectorySmart is able to take advantage of standard LDAP deployment strategies to support millions of users.

Availability

The DirectorySmart architecture is based on the independence of the individual components to provide high availability in addition to scalability. Each component can be independently configured in the network to provide high availability. The DirectorySmart WAC agent is embedded directly into the web server that it is protecting. As long as the web server is available, the WAC agent is available to protect it. Standard LDAP features of replication provide directory availability.


Manageability

DirectorySmart is based on a minimal network footprint requirement, thereby resulting in a minimal impact on the enterprise. Because of this minimal footprint, composed of the WAC agents, the User and Policy Management system, and the LDAP directory, IT staffs are able to efficiently manage the system tasks necessary to support a production environment.

LOWEST COST OF OWNERSHIP

Initial Deployment

DirectorySmart’s minimal network footprint reduces the time and difficulty of the installation and configuration of the initial system. DirectorySmart’s User and Policy Management system provides industry-leading functionality in the initial rollout of the infrastructure to internal employees and external partners and customers. As the initial rollout expands to production level sizes, DirectorySmart provides advanced deployment features that allow organizations to be easily and quickly created.

Ease of Use

DirectorySmart’s user interface is designed to support internal and external administrative users who most likely are not Web application savvy. By providing a simple ‘point and click’ interface, the training, maintenance, and support burden on the IT staff is greatly reduced. Another feature of the DirectorySmart User and Policy Management interface is the ability to streamline the processes which businesses follow to rapidly create complex organizational and business relationships.

For most end-users their only interaction with DirectorySmart will be through the logon screen and resulting menu of services or customized portal. For those individuals who are participating as Delegated Administrators, their interaction with the system is through a simple point and click graphical user interface. This maximizes ease of use and minimizes training, maintenance, and support costs for the centralized IT support staff.

Delegation of Authority

One of the most powerful and mature capabilities of DirectorySmart is that it allows a Delegated Administrator to securely create, modify and change an organization’s individual user information. The enhanced delegated authority feature allows companies to delegate user management out to the lowest logical level, decreasing the centralized management burden of user roles and profiles. This feature provides tremendous cost savings and a greater level of customer service for companies using DirectorySmart. Through the easy to use DirectorySmart interface, companies are able to roll out systems to millions of users more quickly and with less administrative overhead.


HOW DIRECTORYSMART IS USED: AN EXAMPLE

In this next section we present the example of a hypothetical health care insurance company, HealthPlan of America. They have developed a state-of-the-art web site powered by DirectorySmart that allows them to provide a wide variety of services to their business partners, internal departments and employees, and customers via the web in a secure environment.

First we will outline the many types of potential users of the system in this example. Then we’ll review how the insurance company can leverage the DirectorySmart security infrastructure to delegate user and role-based policy management out to the lowest logical level, simultaneously decreasing the centralized burden of managing the user roles and profiles while improving customer service.

Roles are logical groups of users who perform similar functions and hence share a common security profile. Individuals who have been defined as administrators are able to define multiple roles to segment the security profiles of their users as they best see fit. Through use of roles, administrators can easily modify security profiles of large numbers of users simply by modifying the security profiles associated with a role common to each of the users. Individual users are easily assigned to one or more roles and are subsequently managed and given access to specifically designated Web services or applications.

The sample screens we present below are examples of the personalized, easy to use interfaces that would be presented to the various users of the system.

Internal departments and employees of HealthPlan of America itself include:

• customer service

• claims management

• accounting and

• other areas.

Their business partners or ‘Providers’ include:

• hospitals

• clinics

• doctors’ practices and

• pharmacies.

Their business partners’ staff include:

• business manager

• doctor

• billing manager

• new patient and pre-approval clerk.


HealthPlan of America’s ‘customers’ include both the companies that have contracted with them, and the individual members or ‘insureds’, i.e. employees of the client firm who have their insurance coverage via a plan managed by the insurance company. Users therefore might include staff and employees across a variety of departments and organizations:

• COO

• HR Director

• HR Manager

• Benefits Manager

• Benefits Co-ordinator

• HR Assistant

• Employees


[Figure: How DirectorySmart Is Used: An Example. Organization chart of HealthPlan of America (Corporate; Customer Service Center with East Coast, West Coast and Central; Claims Management with Dept. 1 and Dept. 2; roles such as Claims Processor), its Business Partners (Hospital Corp of Tampa with Citrus Hills Hospital, North Tampa Hospital, Boca Ciega Hospital, South Clinic, Sun Clinic, North Clinic, Tampa Clinic, Citrus Clinic, ER and Maternity; roles such as Office Manager, Pre-Approval Clerk, Billing Clerk and Business Manager) and its Customers (ACME Manufacturing with Washer, Dryer and Oven Divisions and Plants 1 to 4, Plant 4 having 10,000 Insured Employees; Restaurant Company of America with Steakhouse, Pizza and Salad Xpress Chains; roles such as HR Director, HR Benefits Manager and HR Coordinator).]


Create and Modify an Organization

How Delegation Begins

The sample screens we present below are examples of the personalized user interfaces that would be presented to the various users of the example system.

Super Administrator

A ‘super administrator’ at the insurance company can create organizations and create delegated administrators for each of those organizations based on their business model and chosen security policies. The super administrator can determine what capabilities to allow to each of these delegated administrators. They can specify access to particular functions such as add, modify, view or delete for organization profiles, user profiles, web service profiles and other functions.


Delegated Administrator

A delegated administrator will have a certain scope of authority that has been specifically delegated to them by the administrator ‘above’ them in the hierarchy. If the super administrator has delegated ‘add organization’ capability to a delegated administrator, then the delegated administrator may in turn create additional sub-organizations to match their business model, and may choose to add additional delegated administrator(s) below them as appropriate. In this way DirectorySmart can map to the specific requirements of many varied business models and provide as many levels as necessary in the security infrastructure. The Delegated Administrator can (if allowed) create new users and assign roles to users.
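The invariant behind this hierarchy, stated in the Delegated Authority section and again here, is that a Delegated Administrator can only act within their own realm and can pass down no more capability or role than they themselves hold. The following is an added example of that check, not DirectorySmart code; the capability names, role names and the HealthPlan of America / Acme Manufacturing organization tree are assumptions modelled on this example.

```python
from dataclasses import dataclass, field

# Constructed example, not DirectorySmart code: a model of the delegation
# invariant. Capability and role names are assumptions.


class AuthorizationError(Exception):
    """An administrator tried to act beyond the authority delegated to them."""


@dataclass
class Organization:
    name: str
    parent: "Organization | None" = None
    children: list = field(default_factory=list)
    users: dict = field(default_factory=dict)  # user id -> set of role names

    def is_within(self, realm):
        """True if this organization is `realm` itself or lies below it."""
        node = self
        while node is not None:
            if node is realm:
                return True
            node = node.parent
        return False


@dataclass
class Administrator:
    name: str
    realm: Organization          # top of the subtree this administrator manages
    capabilities: frozenset      # e.g. add_organization, add_user, delete_user, delegate
    assignable_roles: frozenset  # roles this administrator may give to users


def _require(condition, message):
    if not condition:
        raise AuthorizationError(message)


def create_sub_organization(admin, parent, name):
    _require("add_organization" in admin.capabilities, f"{admin.name}: no add_organization capability")
    _require(parent.is_within(admin.realm), f"{admin.name}: {parent.name} is outside their realm")
    child = Organization(name, parent)
    parent.children.append(child)
    return child


def delegate(admin, org, new_admin, capabilities, roles):
    """Create a Delegated Administrator for `org`, bounded by `admin`'s own authority."""
    capabilities, roles = frozenset(capabilities), frozenset(roles)
    _require("delegate" in admin.capabilities, f"{admin.name}: no delegate capability")
    _require(org.is_within(admin.realm), f"{admin.name}: {org.name} is outside their realm")
    # The invariant: nothing is passed down that the delegating administrator does not hold.
    _require(capabilities <= admin.capabilities,
             f"{admin.name}: cannot delegate {sorted(capabilities - admin.capabilities)}")
    _require(roles <= admin.assignable_roles,
             f"{admin.name}: cannot delegate roles {sorted(roles - admin.assignable_roles)}")
    return Administrator(new_admin, org, capabilities, roles)


def create_user(admin, org, user_id, roles=()):
    roles = frozenset(roles)
    _require("add_user" in admin.capabilities, f"{admin.name}: no add_user capability")
    _require(org.is_within(admin.realm), f"{admin.name}: {org.name} is outside their realm")
    _require(roles <= admin.assignable_roles,
             f"{admin.name}: cannot assign {sorted(roles - admin.assignable_roles)}")
    org.users[user_id] = set(roles)
    return org.users[user_id]


def permitted(action, *args):
    """Run an action and report whether the delegation checks allowed it."""
    try:
        action(*args)
        return True
    except AuthorizationError:
        return False


def build_example():
    """Super administrator -> Acme Manufacturing admin -> Plant 4 HR, as in the example."""
    root = Organization("HealthPlan of America")
    super_admin = Administrator("super", root,
                                frozenset({"add_organization", "add_user", "delete_user", "delegate"}),
                                frozenset({"claims_processor", "benefits_manager", "employee"}))
    acme = create_sub_organization(super_admin, root, "Acme Manufacturing")
    hospital = create_sub_organization(super_admin, root, "Hospital Corp of Tampa")
    acme_admin = delegate(super_admin, acme, "acme-admin",
                          {"add_organization", "add_user", "delegate"},
                          {"benefits_manager", "employee"})
    plant4 = create_sub_organization(acme_admin, acme, "Plant 4")
    plant4_hr = delegate(acme_admin, plant4, "plant4-hr", {"add_user"}, {"employee"})
    return root, hospital, plant4, super_admin, acme_admin, plant4_hr
```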


Modify Role


Create User


Pre Approval Clerk

New Patient and Pre-approval Clerk

This person might be in effect the receptionist at a Clinic who has been defined by the Delegated Administrator above them as having access to HealthPlan of America’s New Patient Web-enabled application as well as the Web application that checks Authorization Status. This clerk has not been given access to any other functions.


Billing Clerk


Billing Clerk

The Billing Clerk role has been defined as having an expanded suite of responsibilities, and thus this role has been given access to additional functionality in this example, including Eligibility Status, Deductible Status, Claims Status and Other Health Insurance Status, in addition to Authorization Status. Note that this role has not been defined as having the ability to create new patients, so that function is not presented to them.


Benefits Manager

HealthPlan of America’s customers include hundreds of client companies and the thousands of insured individuals who work for those companies. In our example diagram we have indicated two representative client companies: one a manufacturer, the other a restaurant corporation.

In our example HealthPlan of America has delegated certain member management capabilities to the Acme Manufacturing Company. Acme Manufacturing has many divisions and plants and has chosen to delegate out the member management to the HR departments of each of these huge plants. This is efficient because it empowers the benefits management staff to have direct access to the appropriate Web-enabled applications.

Benefits Manager

This allows, for example, the HR staff at Plant 4 to add a new employee immediately, modify an employee’s eligibility and authorization status, and check on claims directly. This is very efficient and provides the convenience of an immediate response, and doesn’t require the use of phone, fax, or email to a call center or some other support mechanism. The benefits management staff at Plant 3 have access to the applications and functions specifically assigned to them by Acme, and only for their organization.


Insured Employee

Each of Acme Manufacturing’s plants has thousands of employees, each of whom is insured by plans offered by HealthPlan of America. Acme Manufacturing has chosen to allow employees access to certain Web-enabled applications provided by HealthPlan of America. Acme has defined an employee or member role that gives access to the following functions: ID Card Request, Eligibility Status, Choose a Primary Physician, and Ask Customer Service. Thus insured employees are provided access to the appropriate support and services directly via the Web without having to go through either their HR department or a HealthPlan of America call center.


SPECIFICATIONS AND COMPONENTS

DirectorySmart Web Access Control Agents – Supported Web Servers

• iPlanet Enterprise Server

• Microsoft IIS

• IBM

DirectorySmart LDAP Centralized Policy Store – Supported Directory Servers

• IBM SecureWay

• iPlanet Directory Server

• Microsoft Active Directory

DirectorySmart User and Policy Management – Supported Platforms

• Solaris

• AIX

• Windows NT

• Windows 2000

DirectorySmart API – Supported Development Environments

• C/C++

• Java

DIRECTORYSMART PRODUCT DESCRIPTIONS

25 words:

OpenNetwork Technologies’ flagship product, DirectorySmart, offers the most comprehensive, proven solution for securing Web applications and managing eBusiness security policies.

50 words:

OpenNetwork Technologies’ flagship product, DirectorySmart, offers the most comprehensive, proven solution for securing Web applications and managing eBusiness security policies. DirectorySmart provides large enterprises with an eBusiness security infrastructure for managing millions of online users while offering the lowest cost of ownership and fastest time to market.

100 words:

DirectorySmart™, OpenNetwork Technologies’® flagship product, offers the most comprehensive solution for securing Web applications and managing eBusiness security policies. DirectorySmart provides large enterprises with an eBusiness security infrastructure for managing millions of online users while offering the lowest cost of ownership and fastest time to market. Its integrated security infrastructure combines the efficiency of directory-based user definition and authentication with the effectiveness of delegated user management and role and policy-based Web access control. DirectorySmart enables streamlining of complex relationships, consolidates user and policy management, and securely extends access to Web applications and resources to diverse customers and partners.

250 words:

DirectorySmart offers the most comprehensive, proven solution for securing Web applications and managing eBusiness security policies. Its integrated security infrastructure combines the efficiency of directory-based user definition and authentication with the effectiveness of delegated user management and role and policy-based Web access control.

DirectorySmart enables an enterprise to manage millions of users securely without overburdening their central resources. The system provides centralized storage of security policies and the relationships between users, roles, Web applications and access levels, while delegating out the management of the user profiles to the lowest logical level.

The DirectorySmart infrastructure provides convenience to users through Web single sign-on, self-registration, self-service and personalization, and provides rapid scalability and lowest cost of ownership to the enterprise through a small footprint, reusable infrastructure components and efficient user management. It provides large enterprises with an eBusiness security infrastructure for managing millions of online users while offering the lowest cost of ownership and fastest time to market. DirectorySmart’s low cost of ownership is driven by its unique architecture, the ease of use of the software, and by the efficient processes supported by the system, and it installs in a matter of hours.

DirectorySmart enables streamlining of complex relationships, consolidates user and

policy management, and securely extends access to Web applications and resources

to diverse customers and partners. It delivers state-of-the-art and easy-to-use role-

based policy management, delegated authority, fine-grain access control and person-

alization. The enhanced features of DirectorySmart include security audit logging and

reporting, streamlined organizational management and deployment, security alerting,

and Web single sign-on.

ABOUT OPENNETWORK TECHNOLOGIES

About OpenNetwork Technologies®

Headquartered in Tampa Bay, Fla., OpenNetwork Technologies is a leading provider of secure eBusiness infrastructure software. OpenNetwork Technologies' flagship product, DirectorySmart™, offers the most comprehensive, proven solution for managing eBusiness security policies. DirectorySmart enables an enterprise to streamline complex relationships, consolidate user and policy management, and securely extend access to Web applications and resources to diverse customers and partners.


OpenNetwork has offices across the United States and partners with leading eBusiness companies such as IBM, Microsoft, Radiant Logic, iPlanet and RSA. OpenNetwork Technologies has a growing Fortune 500 customer base in the healthcare, insurance, financial and telecom markets, including Blue Cross Blue Shield of South Carolina, Empire Blue Cross Blue Shield, Anthem Blue Cross and Blue Shield, Cincinnati Financial, Trustmark and First National Bank of Omaha.

The technological strength of DirectorySmart has been recognized by the market and has attracted GE, Chase Capital, MedEquity and SI Ventures to join with OpenNetwork to bring our solutions to a larger customer audience.

OpenNetwork's DirectorySmart provides large enterprises with an eBusiness security infrastructure for managing millions of online users while offering the lowest cost of ownership and fastest time to market. DirectorySmart enables streamlining of complex relationships, consolidates user and policy management, and securely extends access to Web applications and resources to diverse customers and partners.

DirectorySmart delivers state-of-the-art and easy-to-use role-based policy management, delegated authority, fine-grain access control and personalization. The enhanced features of DirectorySmart include security audit logging and reporting, streamlined organizational management and deployment, security alerting, and Web single sign-on. DirectorySmart also features an optional bundle that includes iPlanet Directory Server.

DirectorySmart's Features Include:

• Role-Based Policy Management
• Web Access Control
• Reporting, Measurement
• Delegated Authority
• Fine-Grain Access Control
• Web Single Sign-On
• Enhanced Security

What Makes DirectorySmart Unique?

Lowest Cost of Ownership

DirectorySmart's low cost of ownership is driven by its unique architecture, the ease of use of the software, and by the efficient processes supported by the system. Its server plug-in based architecture for Web access control means that it does not require additional platforms for policy enforcement. Support costs are minimized through DirectorySmart's user-friendly delegated user management capabilities, which allow an enterprise to cost-effectively scale to support millions of users. In addition, DirectorySmart is offered with flexible pricing, allowing a company to choose from server-based, user-based, or enterprise-wide options based upon its current needs.

Fastest Deployment Time

DirectorySmart installs in a matter of hours and provides an enterprise with reusable security infrastructure components. These components include Web access control plug-ins and APIs that can directly leverage the established security infrastructure and thus speed the deployment of Web applications.

eBusiness Scalability

DirectorySmart scales to manage millions of users and is designed for the largest and most complex of computing environments.

Fully Integrated Security Infrastructure

DirectorySmart's secure eBusiness infrastructure possesses the unique ability to model complex business relationships easily and securely, and offers the most comprehensive solution for access control in the marketplace. Key components include authentication, authorization, access control and the support of X.509 PKI certificates.

Directory-Based Security Infrastructure

DirectorySmart leverages industry-leading LDAP-compliant directories as a central repository for security policies and takes advantage of the native characteristics of LDAP, which include high performance, availability and enhanced scalability. This allows a company to maximize the benefit of its investment in directory technology.

Copyright © 2000 OpenNetwork Technologies, Inc. 3.15.01 v0.2