Radiant Logic Training Part One: Welcome - PowerPoint PPT Presentation

Slides: 129
Provided by: lse96

Transcript and Presenter's Notes
1
Radiant Logic Training, Part One: Welcome
2
Overview
  • Introduction to a Federated Identity Service
    Based on Virtualization
  • RadiantOne Global Architecture
  • Key Features and Capabilities of VDS

3
Managing a Fragmented Infrastructure
Overview > Introduction to a Federated Identity Service Based on Virtualization
  • User data is spread across disparate identity
    systems, inaccessible to applications because:
      • They cannot connect to multiple sources
      • The data is in a format/accessible through a
        protocol they can't handle
  • You must be able to extend access to all users in
    your infrastructure no matter where, or in what
    manner, they are stored.

4
The Need for Virtualization
Overview > Introduction to a Federated Identity Service Based on Virtualization
  • The #1 challenge in identity management:
    Identity Integration, managing disparate
    populations and their entitlements across
    different data silos.
      • Departmental or business unit silos
      • Mergers and acquisitions
      • Multi-tenant services

[Figure: a WAM/Portal/Federation layer sitting above Security Domain A, Security Domain B and Security Domain C]
5
The Challenge: Cloud, Federation, SSO, Smart Authorization
Overview > Introduction to a Federated Identity Service Based on Virtualization
The challenge is two-dimensional:
  • Multiple security domains
      • Multiple access protocols (LDAP, SQL, web
        services)
      • Multiple security means and multiple
        authentication methods (passwords, tokens,
        certificates, Kerberos, PKI, etc.)
      • Multiple authorization policies (roles, rules,
        groups)
  • Diverse data structures
      • Reading and understanding different schemas
      • Understanding different user contexts
      • Recognizing same-user accounts across multiple
        systems
  • How do you provide:
      • Integrated identity, common authentication, SSO
      • Policy integration
      • Consistent authorization policies
      • Role management
  • You need a way to manage and coordinate security
    means and data structures across silos.

6
The Answer: Build a Federated Identity Service Powered by Virtualization
Overview > Introduction to a Federated Identity Service Based on Virtualization
  • The solution is a federated identity service
    based on virtualization that acts as an identity
    hub, capable of delivering the data from all
    silos to consuming applications (including
    cloud) in a format they understand.
  • Building the hub requires a set of features that
    are complex to manage without a guided process.
    VDS 6 introduces a set of tools that walk you
    through implementing these advanced features.

7
Federation and a Federated Identity Service
Overview > Introduction to a Federated Identity Service Based on Virtualization
  • Federation reduces the number of user
    authentication requests by delivering identity
    data in a secure token to applications that
    require information, in order to grant user
    access.
  • Since Identity Providers can trust other Identity
    Providers, access to services can quickly and
    easily be extended to new populations, even if
    those users are stored outside of the firewall.

8
Federation and a Federated Identity Service
Overview > Introduction to a Federated Identity Service Based on Virtualization
  • In a heterogeneous identity infrastructure that
    could contain duplicate user accounts, the
    inability to handle diverse authentication
    systems makes federation inefficient and often
    impossible.

9
Federation and Federated Identity
Overview > Introduction to a Federated Identity Service Based on Virtualization
  • A federated identity service based on
    virtualization performs internal and external
    federation through two components:
      • Identity Hub
      • Security Token Service (STS)

10
The RadiantOne Solution
Overview > Introduction to a Federated Identity Service Based on Virtualization
  • The RadiantOne virtualization layer:
      • Remaps, aggregates and integrates identity data
        (this includes identity disambiguation, duplicate
        removal and profile extension through joins),
        from different local systems.
      • Federates identities into a single access point
        for applications.
  • Virtual Directory Server 6 contains a dynamic set
    of tools including:
      • New audit capabilities for a complete view of all
        VDS information.
      • New advanced wizards that guide the user through
        the most common identity use cases.

11
RadiantOne Platform
Overview > Introduction to a Federated Identity Service Based on Virtualization
  • The RadiantOne Platform is a suite of products
    for directory virtualization and federated
    identity deployment.
  • This platform gives you choice and flexibility.
    It delivers a tactical deployment for today's
    needs, and a strategic infrastructure to manage
    tomorrow's requirements.
  • Version 6 introduces a set of new wizards that
    guide users through RadiantOne features
    addressing common identity management challenges.

12
RadiantOne Global Architecture
Overview > RadiantOne Global Architecture
13
Logical Layers
Overview > RadiantOne Global Architecture
  • Access VDS via multiple protocols
  • Multiple protocols to access/link data sources

14
Key Capabilities
Overview > Key Features and Capabilities of VDS
  • Namespace Flexibility
      • Directory aggregation
      • Design virtual views
      • Reorganize existing directory trees
      • Create custom views of multiple objects
      • Expose semantic relationships between identities
        and their resources across disparate data sources
        and security domains.
  • Identity Integration and Federated Identity
      • Correlate identities to build a unique reference
        list/index of all users.
      • Data mapping and translation
      • Joins to extend user profile
  • Group Management
      • Dynamic virtual groups
      • Easy migration of groups
  • Scalability
      • High performance and scalability achieved through
        unique persistent caching capability

15
VDS 6.0 Wizards
Overview > Key Features and Capabilities of VDS
  • Wizards address the following identity
    challenges:
      • Virtual Identity Wizard guides the user through
        the creation of a virtual view that contains a
        correlated list of enriched user profiles from
        multiple data sources. This is the key tool to
        create your federated identity infrastructure.

16
VDS 6.0 Wizards
Overview > Key Features and Capabilities of VDS
  • Groups Builder automates the definition of
    dynamic groups to use for authorization and
    delegated administration.

17
VDS 6.0 Wizards
Overview > Key Features and Capabilities of VDS
  • Groups Migration Wizard virtualizes existing
    groups from backend repositories into the VDS
    namespace (by auto-translating group member DNs
    to match the virtual namespace).

18
VDS 6.0 Wizards
Overview > Key Features and Capabilities of VDS
  • Merge Tree Wizard merges multiple data sources
    into a single VDS naming context, while
    maintaining the underlying directory hierarchy.

19
Common Use Cases for VDS
Overview > Key Features and Capabilities of VDS
  • Four Common Scenarios
      • Leveraging investment in Active Directory
          • Standard LDAP emulation on top of an AD
            infrastructure
          • Provide authentication/authorization service
            across multiple Forests/AD domains where trust is
            not/cannot be enabled
      • Providing a single source for applications that
        require LDAP authentication
          • VDS offers a single location to search (identify)
            and authenticate users (check credentials)
            existing in multiple LDAP data sources.
      • Enabling fine-grained authorization policies for
        WAM and portal products (CA SiteMinder, RSA
        Access Manager, Tivoli Access Manager, Microsoft
        SharePoint)
          • Consolidate/join identities into global profiles
            (aggregate based on pre-existing common key)
      • Providing a Single Source for Identity Providers
        (IDPs) in a Federation Architecture
          • VDS offers a single source for an IDP to search
            (identify), and authenticate (credential
            checking) users existing in multiple identity
            data sources.

20
Design Considerations: Data Sources Layer
Overview > Key Features and Capabilities of VDS
  • What types of data sources do you want to
    virtualize in order to create a federated
    identity service (LDAP, SQL, web services)?
  • How many users are in your infrastructure?
  • Is there identity overlap?
  • If yes, is there an existing common identifier
    that can be used to correlate the same-user
    accounts existing across all data sources? To
    make a union set of identities, will you need to
    define correlation logic?

21
Radiant Logic Training, Part Two: Getting Started
22
Overview
  • Installation
  • Control Panel
  • Admin Console
  • Defining a Data Source

23
Installer Overview
Getting Started > Installation
  • Platforms available
      • Windows
      • Linux
      • Solaris
  • Installation modes
      • GUI
      • Text-mode

24
Launching the Installer
Getting Started > Installation
  • Windows
      • Log in as Administrator
      • Double-click the installer file
  • Unix
      • Log in as the user/account that will run VDS
      • Make sure the installer file is executable
      • Execute the installer file
  • GUI vs. Text-mode
      • Add the parameter -i console when running the
        installer file

25
Installation Process
Getting Started > Installation
  • Step 1: Introduction
  • Step 2: License Agreement
  • Step 3: Installation Folder
  • Step 4: Setup Preferences
  • Step 5: VDS Configuration
  • Step 6: Installation Summary
  • Step 7: Installation
  • Step 8: Logout/Re-login
  • Optional: Configure VDS as service/daemon

26
Installation: VDS Configuration
Getting Started > Installation
  • You will configure several aspects of the VDS
    during installation. The first configuration is
    for the Virtual Directory Server itself.

27
Installation: VDS Configuration
Getting Started > Installation
  • The second VDS configuration is for the two local
    storage LDAP directories (OpenDJ) which are
    included with the VDS for persistent cache. You
    must configure both.

28
Installation: VDS Configuration
Getting Started > Installation
  • Next, configure the Jetty web server, which hosts
    the web-based administration tools, contained in
    the VDS Control Panel.

29
Installation: VDS Configuration
Getting Started > Installation
  • Finally, you will be prompted to enter your
    license key. You may also skip this step and copy
    your license.lic file into the proper location
    (RLI_HOME/vds_server) later.

30
Control Panel
Getting Started > VDS Control Panel
  • VDS Control Panel is a web-based console that
    hosts the tools for administering and monitoring
    the VDS.
  • Enter administrator credentials to log in to the
    VDS Control Panel.

31
Dashboard
Getting Started > VDS Control Panel
  • Control Panel opens to the Dashboard tab, where
    you can start the VDS server. No administrative
    tools can be used unless VDS is running. This tab
    shows memory and connection usage, as well as
    server details.

32
Tools Tab
Getting Started > VDS Control Panel
  • The Tools tab contains links to the VDS Admin
    Console and the Synchronization Monitoring
    Console, the web-based console for administering
    and monitoring connectors.

33
Wizards Tab
Getting Started > VDS Control Panel
  • The four new VDS 6 wizards include Virtual
    Identity, Groups Builder, Groups Migration, and
    Merge Tree.

34
Tasks Tab
Getting Started > VDS Control Panel
  • The Tasks list

35
VDS Server Monitoring Tab
Getting Started > VDS Control Panel
  • The VDS Server Monitoring tab displays more
    detailed monitoring information.

36
Data Source Monitoring Tab
Getting Started > VDS Control Panel
  • The Data Source Monitoring tab shows the status
    of data sources: whether VDS can connect to them,
    and if not, the related error.

37
Reports Tab
Getting Started > VDS Control Panel
  • The Reports tab contains a link to the VDS
    web-based reporting and auditing tool.

38
Starting the VDS Admin Console
Getting Started > Settings Tab
  • The Settings tab allows you to set up and change
    the server configuration.

39
Starting the VDS Admin Console
Getting Started > VDS Administration Console
  • The RadiantOne VDS Admin Console is the tool used
    to provide remote administration access to VDS.
  • The Admin Console can be reached from the Tools
    tab of the VDS Control Panel.

40
How to Define a Data Source from the VDS Admin Console
Getting Started > Defining a Data Source
  • In VDS 6, there are two ways to create a new Data
    Source:
      • Manually from the Admin Console.
      • Within the Virtual Identity Wizard, which is
        covered in part five.
  • From the Configuration tab, navigate below the
    Data Sources node and right-click LDAP or
    Database to select which data source you want to
    define. Then choose to Add Data Source.

41
Add a Data Source
Getting Started > Defining a Data Source
  • Enter the connection information for the data
    store you want to use as a data source in VDS,
    and click Ok.

42
View the Data Source
Getting Started > Defining a Data Source
  • You can view and edit the new data source from
    the Data Sources node.

43
Radiant Logic Training, Part Three: Authentication
44
Overview
  • Introduction/Challenges
  • Aggregation
  • Duplicate Identity Removal
  • Union
  • Joins
      • Regular Joins
      • Extended Joins
  • Data Mapping and Translation
  • Authentication Flows

45
Authentication Challenges
Overview > Introduction to Virtualization
  • User logs in with username and password
      • Identification
          • Identities spread across multiple data sources
            (multiple AD domains/forests, etc.)
          • Identities are described differently in each
            source (FirstName vs. fname vs. givenName)
      • Credential Checking
          • Different encryption of passwords and schema
            elements (userPassword vs. unicodePwd, etc.)
          • Existing internal user IDs, passwords in Active
            Directory
          • External users' credentials may be stored
            elsewhere (SunOne, Oracle, etc.)
  • How does a virtualization layer help solve the
    authentication problem?
      • Aggregates users from multiple data sources,
        allowing applications to search one common
        namespace to find the user.
      • Offers flexibility for credential checking, which
        can be handled at the virtual directory layer, or
        by the underlying source in delegated
        authentication.

46
How the Virtualization Layer Helps
Use Case Authentication > Introduction / Challenges

  Step                 Problem                                           Can be solved by
  Identification       Identities spread across multiple sources         Aggregating users from multiple sources
  Identification       Identities described differently in each source   Object and attribute mapping to provide a common schema
  Credential Checking  Different encryption of passwords and schema      Providing a single form of authentication to the
                       elements                                          application, and the flexibility to delegate the
                                                                         credential checking to the backend or customize
                                                                         some other validation mechanism
47
Aggregating Existing Repositories
Use Case Authentication > Aggregation
  • Solving the challenge of Identification, the
    first step required for authentication

48
Aggregation of Data Sources
Use Case Authentication > Aggregation
  • VDS aggregates directories and database tables
    into a single LDAP-accessible virtualized source.
  • You can represent an entire source or a subset,
    excluding branches as necessary.

49
The Union Challenge: A Key Factor in Federated Identities
Use Case Authentication > The Union Challenge
  • Union is the ability to create a global list
    where each user is represented once and only
    once, even if that user has multiple accounts
    spread across the identity infrastructure.
  • For example, there could be one user listed
    numerous times, or multiple users with the same
    name spread across disparate data silos.

50
Correlating Duplicate Identities
Use Case Authentication > The Union Challenge
  • You have overlapping identities in your identity
    stores.
  • In order to create a global list without
    duplicate identities, you need to correlate and
    disambiguate the identities.

51
Correlate and Disambiguate Users
Use Case Authentication > Correlate and Disambiguate Users
  • If you have overlapping identities in your data
    silos, you must define an attribute, or
    combination of attributes, that can be used as a
    global identifier. This global, unique identifier
    will be used to link duplicate accounts, and then
    create a unified entry.

52
Links to Local Accounts
Use Case Authentication > The Union Challenge
  • Correlating same-users across various data
    sources enables the creation of a global profile.
  • The global profile maintains links to local
    accounts, pulling in attributes from all sources
    for a complete view of users.

53
Global Profile
Use Case Authentication > The Union Challenge
  • The global list can contain global profiles of
    each identity. This global profile can contain
    all attributes about a user, no matter where they
    are stored.
  • It can be used for business initiatives,
    authentication, or enforcing fine-grained
    authorization policies.

54
Joins to Enrich User Profiles
Use Case Authentication > Joins
  • Profiles can be extended to include attributes
    from multiple sources.
  • Attributes can be inclusive to create
    multi-valued attributes.

55
Extended Joins
Use Case Authentication > Joins
[Figure caption: these extended attributes can be stored in any source]
56
Overlapping Attributes
Naming Contexts > Overlapping Attributes
  • Overlapping attributes occur when a join brings
    together all the attributes from users' local
    profiles into their virtual entry/global profile.
    Sometimes there will be multiple values for the
    same attribute in the virtual entry. VDS has
    several approaches for dealing with the challenge
    of overlapping attributes.

57
Overlapping Attributes: Solutions
Naming Contexts > Overlapping Attributes
  • VDS offers the following options:
      • Map attributes to unique names
          • Map phone from the LDAP Directory to businessPhone
            and phone from the database to homePhone
      • Return the attribute as multi-valued
          • The user profile will then contain two values for
            phone: one from the LDAP Directory and one from
            the database.
      • Return the attribute from the source that has
        been configured with the highest priority
          • Priority levels can be set to determine which
            sources are authoritative for specific
            attributes.
          • The user profile will only contain the most
            authoritative attributes.
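The union (slides 49 to 53), the join that enriches the profile (slide 54) and the three overlapping-attribute options listed just above, modelled in Python as an added example. This is not Radiant Logic's or VDS's code: in VDS these choices are made in the Virtual Identity Wizard and View Designer, not written by hand. The three sources, their records, the global-key and attribute mappings, the rename table and the priority order are all constructed for the illustration.

```python
"""Added example, not Radiant Logic's code: a global list where every user
appears once (union), built by correlating the same person across three
constructed silos, then joined into one profile with the three ways of
resolving overlapping attributes from the slide above."""
from collections import defaultdict

# Constructed sample data: three identity silos with different schemas.
SOURCES = {
    "ldap": [
        {"userID": "12952", "cn": "john_smith", "title": "manager", "phone": "555-1354"},
        {"userID": "30017", "cn": "ana_lopez", "title": "analyst", "phone": "555-2200"},
    ],
    "ad": [
        {"EmployeeID": "12952", "sAMAccountName": "jsmith", "NTDOMAIN": "west",
         "mail": "john_at_acme.com"},
        {"EmployeeID": "41203", "sAMAccountName": "bchen", "NTDOMAIN": "east",
         "mail": "bchen_at_acme.com"},
    ],
    "db": [
        {"Emp_ID": "12952", "LNAME": "Smith", "Office": "Seattle", "Phone": "555-1354"},
        {"Emp_ID": "30017", "LNAME": "Lopez", "Office": "Austin", "Phone": "555-9999"},
    ],
}

# Correlation logic: which attribute in each source carries the global identifier.
GLOBAL_KEY = {"ldap": "userID", "ad": "EmployeeID", "db": "Emp_ID"}

# Data mapping: (source, local attribute) -> common-schema attribute.
# Local attributes without a mapping are not exposed in the virtual entry.
MAPPING = {
    ("ldap", "cn"): "cn", ("ldap", "title"): "title", ("ldap", "phone"): "phone",
    ("ad", "sAMAccountName"): "uid", ("ad", "NTDOMAIN"): "domain", ("ad", "mail"): "mail",
    ("db", "LNAME"): "sn", ("db", "Office"): "l", ("db", "Phone"): "phone",
}

# Option 1 from the slide: give overlapping attributes source-specific names.
RENAME = {("ldap", "phone"): "businessPhone", ("db", "phone"): "homePhone"}


def build_union(sources, global_key):
    """Union: one entry per global identifier, holding a link to each local account."""
    links = defaultdict(dict)
    for src, records in sources.items():
        for rec in records:
            links[rec[global_key[src]]][src] = rec
    return dict(links)


def map_attributes(src, rec, mapping):
    """Translate one local record into the common schema."""
    return {mapping[(src, a)]: v for a, v in rec.items() if (src, a) in mapping}


def join_profile(gid, accounts, strategy="priority", priority=("ldap", "ad", "db")):
    """Join the linked accounts into a global profile.

    strategy: "priority" -> value from the most authoritative source wins,
              "multi"    -> every distinct value kept as a multi-valued attribute,
              "rename"   -> each source's value exposed under its own name (RENAME).
    """
    collected = defaultdict(list)  # common attribute -> [(source, value)] in priority order
    for src in priority:
        if src in accounts:
            for attr, val in map_attributes(src, accounts[src], MAPPING).items():
                collected[attr].append((src, val))
    profile = {"globalID": gid}
    for attr, pairs in collected.items():
        distinct = list(dict.fromkeys(v for _, v in pairs))
        if len(pairs) == 1:                      # no overlap for this attribute
            profile[attr] = pairs[0][1]
        elif strategy == "rename":
            for src, val in pairs:
                profile[RENAME.get((src, attr), f"{src}_{attr}")] = val
        elif len(distinct) == 1:                 # overlap, but the sources agree
            profile[attr] = distinct[0]
        elif strategy == "multi":
            profile[attr] = distinct
        else:                                    # "priority": first source in order wins
            profile[attr] = pairs[0][1]
    return profile


def global_list(sources, strategy="priority"):
    """The federated list: every user once, each with a joined profile."""
    union = build_union(sources, GLOBAL_KEY)
    return [join_profile(gid, union[gid], strategy) for gid in sorted(union)]


if __name__ == "__main__":
    for profile in global_list(SOURCES, "multi"):
        print(profile)
```

User 30017 has two different phone numbers in the LDAP directory and the database, so running the three strategies on that entry shows the difference: priority returns the LDAP value, multi returns both, rename exposes businessPhone and homePhone and no plain phone. User 12952 overlaps on phone too, but both sources agree, so no strategy other than rename changes the result.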

58
Bind Order
Naming Contexts > Round-Robin Authentication
  • If a user is stored in multiple locations, you
    can configure VDS to attempt to authenticate the
    user against those sources in a defined order,
    using the credentials passed to VDS in the bind
    request.
  • The most authoritative data store can be
    attempted first, then the second most
    authoritative, and so on, until there is a
    successful bind.
  • Users can gain access to applications without
    having to remember all their various
    logins/passwords.

59
Data Mapping and Translation
Use Case Authentication > Data Mapping and Translation
60
Identification Step: LDAP
Use Case Authentication > Authentication Flow > Directory Proxy
61
Identification Step: Databases
Use Case Authentication > Authentication Flow > Database Proxy
62
Delegating Credentials Checking
Use Case Authentication > Authentication Flow
  • Solving the challenge of Credential Checking, the
    second step required for authentication

63
Handling Authentication
Use Case Authentication > Authentication Flow
  • Although this activity is transparent for client
    applications that are authenticating users, the
    logic behind the scenes is different for LDAP and
    database backends:
      • LDAP: the Bind is delegated to the backend.
      • Database: a Compare operation validates that the
        password received in the bind request matches the
        value in the database.

64
Credential Checking: LDAP
Use Case Authentication > Authentication Flow > Directory Proxy
65
Credential Checking: Databases
Use Case Authentication > Authentication Flow > Database Proxy
66
Credential Checking: Databases
Use Case Authentication > Authentication Flow > Database Proxy
  • VDS connects to the database with the
    user/password configured in the connection string
    and searches for the user record.
  • VDS compares the value that was received in the
    bind request to the attribute that has been
    mapped to userPassword in the database. If the
    values match, the user will be authenticated. If
    not, authentication fails.

[Figure: example of an attribute mapped to userPassword]
Note: an interception script may be required here to
encrypt the password using the proper algorithm
before VDS performs the comparison.
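The bind-order flow of slide 58 and the two credential-checking paths of slides 63 to 66 (delegated bind for an LDAP backend, compare for a database backend, with an interception step that hashes the presented password before the compare), as an added Python model. This is not Radiant Logic's code and does not use any VDS interface; the two backends, the user accounts, the salts, the hash scheme (salted SHA-256, chosen only so the example is self-contained) and the authoritative order are all constructed.

```python
"""Added example, not Radiant Logic's code: identification followed by
credential checking across two constructed backends, tried in a configured
order until one accepts the bind.  The 'ldap' backend decides the bind itself
(delegated); the 'db' backend is checked by comparing the presented password,
hashed the way the database stores it, against the stored value."""
import hashlib
import hmac

# Constructed LDAP backend.  A real backend performs the bind itself and only
# returns accept/reject; the plaintext here just simulates that decision.
LDAP_USERS = {"jsmith": "Ldap-Pass1"}


def db_digest(password, salt):
    """The hashing the constructed database applies to stored passwords
    (the 'interception script' step: hash before comparing)."""
    return hashlib.sha256(salt.encode() + password.encode()).hexdigest()


# Constructed database backend: the attribute mapped to userPassword holds a
# salted SHA-256 hex digest, never the plaintext.
DB_USERS = {
    "jsmith": {"salt": "s1", "pwd_hash": db_digest("Db-Pass2", "s1")},
    "alopez": {"salt": "s2", "pwd_hash": db_digest("Db-Pass3", "s2")},
}


def locate_user(uid):
    """Identification step: which sources hold an account for this uid."""
    found = []
    if uid in LDAP_USERS:
        found.append("ldap")
    if uid in DB_USERS:
        found.append("db")
    return found


def ldap_delegated_bind(uid, password):
    """Credential checking by delegated bind (simulated backend decision)."""
    stored = LDAP_USERS.get(uid)
    if stored is None:
        return False
    return hmac.compare_digest(stored.encode(), password.encode())


def db_compare(uid, password):
    """Credential checking by compare: hash the presented password with the
    row's salt, then compare in constant time against the stored digest."""
    row = DB_USERS[uid]
    presented = db_digest(password, row["salt"])
    return hmac.compare_digest(presented.encode(), row["pwd_hash"].encode())


CHECKERS = {"ldap": ldap_delegated_bind, "db": db_compare}


def bind_in_order(uid, password, order=("ldap", "db")):
    """Try each source that holds the user, most authoritative first, until one
    accepts.  Returns (success, accepting_source, attempts); attempts is the
    audit trail [(source, accepted)], which is worth logging: a user who keeps
    failing on the first source and succeeding on a later one has diverging
    passwords across silos."""
    attempts = []
    sources = locate_user(uid)
    for src in order:
        if src not in sources:
            continue
        accepted = CHECKERS[src](uid, password)
        attempts.append((src, accepted))
        if accepted:
            return True, src, attempts
    return False, None, attempts


if __name__ == "__main__":
    for uid, pw in (("jsmith", "Ldap-Pass1"), ("jsmith", "Db-Pass2"), ("alopez", "bad")):
        print(uid, bind_in_order(uid, pw))
```

The compare path uses hmac.compare_digest rather than == so that the comparison time does not depend on how many leading bytes match. Note that the flow only hashes what the client sent; if the database stored plaintext, the compare would still work but the interception step would have nothing to protect.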
67
Radiant Logic Training, Part Four: Authorization
68
Overview
  • Authorization Introduction / Challenges
  • ABAC
  • Multiple Views

69
Authorization Challenges
Overview > Introduction to Virtualization
  • Authorization Challenges
      • Profile information exists in multiple data
        sources
      • Data sources have their own schema elements
        (objectclasses and attributes)
          • group/member (AD)
          • groupOfUniqueNames/uniquemember (Sun)
      • Inflexible group definition
          • Static (hard-coded) group members
          • Rely on client application logic to build members
            via an extra search (based on memberURL
            attribute)
      • Existing tree structure too limited
          • Different/deeper hierarchy desired for delegated
            administration

70
Authorization Challenges
Overview > Introduction to Virtualization
  • How does VDS help solve the authorization
    challenges?
      • Provides a common searchable schema
      • Aggregates profile information to provide more
        context about a user
          • WAM products can base policy decisions on the
            information available in the VDS
          • The more attributes available, the finer-grained
            the policies
      • Offers flexibility in group definitions
          • Aggregate/map existing groups
          • Build new group definitions with dynamic members
      • Presents multiple hierarchical views derived from
        existing static trees

71
Attribute Based Access Control
Use Case Authorization > ABAC
  • Externalized systems for managing and enforcing
    access control
  • Authorization within applications based on
    attributes
  • The more you know about a person, the easier it
    is to decide whether you can trust that person.
  • The more attributes you have from a person, the
    more fine-grained you can make an authorization
    decision.
  • Need for a single access point that delivers all
    identities and for each identity, all of their
    attributes.

72
Finer Grained Authorization
Use Case Authorization > Regular Joins
  • Solving the challenges of Authorization, based on
    attributes of the user profile

[Figure: a virtual entry in VDS assembled by a join across three backends]
  Primary Object (LDAP Directory): userID 12952, cn john_smith, title manager
  Secondary Object 1 (Active Directory): EmployeeID 12952, sAMAccountName jsmith,
    NTDOMAIN west, Email john_at_acme.com
  Secondary Object 2 (Database): Emp_ID 12952, LNAME Smith, Office Seattle,
    Phone 555-1354
  Virtual Entry: userID 12952, cn john_smith, title manager, Office Seattle,
    Phone 555-1354, NTDOMAIN west, email john_at_acme.com
Join to extend the virtual entry from the LDAP
directory with attributes in Active Directory and
a database.
73
Virtual Views from LDAP Backends
Use Case Authorization > Multiple Views
  • Virtual Views from LDAP Backends
[Figure: hierarchical view beside flat view]

74
Virtual Views from Databases
Use Case Authorization > Multiple Views
  • Virtual Views from Database Backends
[Figure: hierarchical view beside flat view]

75
Virtual View Based on Location
Use Case Authorization > Multiple Views
[Figure: tree organized by Country > State > City]
76
Virtual View Based on Org Chart (Recursive Relationship)
Use Case Authorization > Multiple Views
[Figure: top manager at the root, full management hierarchy below]
77
Virtual View Based on Role, Location, and Territory
Use Case Authorization > Multiple Views
[Figure: tree organized by Role > Location > Territory]
78
Radiant Logic Training, Part Five: Naming Contexts
79
Overview
  • Design Considerations
  • Custom Scripting
  • Types of backends (e.g. SPML, DSML)
  • Local store

80
Advanced Design Capabilities
Naming Contexts > Design Considerations
  • Reorganize existing directory trees to build new
    custom trees based on different contexts required
    for authorization.
  • Create custom views of multiple objects to build
    global identity profiles for fine-grained
    authorization, user-management, and other IdM and
    security initiatives.
  • Correlate Identities to build a unique reference
    list/index of all users.
  • High performance and scalability achieved through
    unique Persistent Caching capability
  • Auto-generated groups to create groups (names and
    members) dynamically based on user information in
    multiple heterogeneous data sources.

81
Design Considerations
Naming Contexts > Design Considerations
  • There are several components to take into account
    when designing virtual views:
      • What structure and content the client application
        expects
          • Flat/hierarchical?
          • Which attributes?
          • What objectclass?
      • Data and structure in backends
          • What kinds of backends is the required data
            stored in?
          • Are there required attributes that don't exist
            yet?
          • If joins will be used, what is the attribute
            precedence?
      • Bind order
      • Custom scripting needs
      • Caching needs

82
LDAP Backends
Naming Contexts > Types of Backends
  • The hierarchy builder utility assists you in
    modeling context-driven virtual views based on
    the existing metadata in your directory.
  • This means that the hierarchy of the virtual view
    is based on attributes of an LDAP objectclass.
    Attributes from any object extracted with the
    Schema Manager can be used to build a virtual
    directory hierarchy (as long as all entries have
    a value for this attribute).
  • This is an easy way to turn a relatively flat
    LDAP directory tree into a hierarchical
    structure.
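What the hierarchy-builder step described above does to a flat list of entries, and what the location view of slide 75 (Country > State > City) looks like when built that way, as an added Python example. This is not Radiant Logic's code; the entries, attribute names and base DN are constructed. It goes one step beyond the slide in two places a practitioner should care about: the RDN values are escaped per RFC 4514 so a value containing a comma cannot alter the tree shape, and entries that lack a value for one of the path attributes (the slide's "as long as all entries have a value") are reported rather than placed somewhere arbitrary.

```python
"""Added example, not Radiant Logic's code: build a hierarchical virtual view
from flat entries by using attribute values as the DN path, escaping RDN
values and reporting entries that cannot be placed."""

# Constructed flat entries, as they might come back from an LDAP search.
FLAT_ENTRIES = [
    {"uid": "jsmith", "c": "US", "st": "WA", "l": "Seattle"},
    {"uid": "alopez", "c": "US", "st": "TX", "l": "Austin"},
    {"uid": "bchen", "c": "US", "st": "WA", "l": "Seattle"},
    {"uid": "dkim", "c": "US", "st": "DC", "l": "Washington, D.C."},
    {"uid": "remote1", "c": "US"},            # no st/l: cannot be placed in the tree
]


def escape_rdn_value(value):
    """Escape an attribute value for use in an RDN (RFC 4514 special characters,
    plus leading '#' and leading/trailing spaces)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        special = ch in ',+"\\<>;'
        edge_space = ch == " " and i in (0, last)
        leading_hash = ch == "#" and i == 0
        out.append("\\" + ch if special or edge_space or leading_hash else ch)
    return "".join(out)


def build_hierarchy(entries, path_attrs, base_dn, rdn_attr="uid"):
    """Return (tree, dns, skipped).

    tree    nested dict keyed by RDN; the deepest level holds a list of leaf RDNs
            in input order
    dns     rdn_attr value -> full virtual DN of the entry
    skipped rdn_attr values of entries missing a value for some path attribute
    """
    tree, dns, skipped = {}, {}, []
    for entry in entries:
        if any(not entry.get(attr) for attr in path_attrs):
            skipped.append(entry[rdn_attr])
            continue
        node = tree
        rdns = []
        for attr in path_attrs:
            rdn = f"{attr}={escape_rdn_value(entry[attr])}"
            rdns.append(rdn)
            # containers are dicts; the last path level is a list of leaves
            node = node.setdefault(rdn, [] if attr == path_attrs[-1] else {})
        leaf = f"{rdn_attr}={escape_rdn_value(entry[rdn_attr])}"
        node.append(leaf)
        dns[entry[rdn_attr]] = ",".join([leaf] + rdns[::-1] + [base_dn])
    return tree, dns, skipped


if __name__ == "__main__":
    tree, dns, skipped = build_hierarchy(FLAT_ENTRIES, ("c", "st", "l"),
                                         "ou=people,dc=example,dc=com")
    for uid, dn in dns.items():
        print(dn)
    print("not placed:", skipped)
```

Changing the path to ("role", "location", "territory") gives the view of slide 77 from the same code, provided every entry carries those three attributes; the skipped list is the check that tells you when it does not.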

83
JDBC-Accessible Backends
Naming Contexts > Types of Backends
  • A JDBC backend is any JDBC-accessible database.
    This includes, but is not limited to, Oracle,
    DB2, Sybase, and Microsoft SQL Server.
  • The information available in the related database
    objects can be used to build the virtual
    directory entries. The VDS entries shown below
    reflect a virtual view based on the database
    schema/data shown below.

84
Custom Backends
Naming Contexts > Types of Backends
  • Custom data sources can also be called as a web
    service, using DSML or SPML.
  • VDS will query the DSML/SPML service when clients
    request information from this particular
    branch/naming context.

85
Local Store
Naming Contexts > Local Store
  • The VDS offers an LDAP v3-compliant local store
    that can be used to store any LDAP entries.
  • After the root naming context is created, the
    local store can be populated from an LDIF file or
    manually on the Directory Tab.

86
Radiant Logic Training, Part Six: Configuration Tools and Utilities
87
Overview
  • Configuration/Modeling tools
      • Context Builder
          • Schema Manager
              • Inventory existing identity sources with Schema
                Manager
          • View Designer
              • Design directory views/DITs with the View
                Designer
      • Groups Migration Wizard
      • Groups Builder Wizard
      • Virtual Identity Wizard
      • Merge Tree Wizard

88
Design Considerations: Application Layer
Overview > Key Features and Capabilities of VDS
  • VDS 6 comes with a set of tools to help design
    your tree in the format needed by the
    application.
  • What kind of hierarchy does the application
    expect?
      • Will a flat tree work? (> Virtual Identity Wizard)
      • Is an entirely new hierarchy needed? (> Context
        Builder Tool)
      • Can you reuse an existing hierarchy, but insert
        some additional branches or information? (> Merge
        Tree Wizard)

89
Schema Manager Role
Configuration Tools and Utilities > Context Builder > Schema Manager
  • Extracting Schemas
      • Databases (anything JDBC/ODBC accessible)
      • Directories (anything LDAP accessible)
  • Creating Custom Schemas
      • Custom schemas must be created for anything
        accessible through a Java API or as a web service
  • Managing Metadata
      • Declaring keys and relationships
      • Mapping to LDAP objects/attributes

90
Configuration Steps
Configuration Tools and Utilities > Context Builder > Schema Manager
Extracting Schemas
  1. Use the Schema Extraction Wizard to extract
     either a database or directory schema.
  2. If database, enter a data source name (will store
     the connection information), select the
     appropriate driver and enter the correct URL,
     user name and password if needed. If directory,
     enter the server, port, base dn, user, and
     password.
  3. If database, select the appropriate tables. If
     directory, select the appropriate object class.
  4. Save the schemas in XML files (they will have a
     .orx extension).

91
View Designer Role
Configuration Tools and Utilities > Context Builder > View Designer
  • Model Virtual Directory Trees
      • Create new flat trees from existing trees
          • If you want hierarchical trees from existing
            entries, use Hierarchy Builder
      • Create trees based on existing relationships
      • Build many different views to accommodate various
        application needs

92
Configuration Steps
Configuration Tools and Utilities > Context Builder > View Designer
Designing Virtual Views
  1. Create a new virtual view using a schema that has
     been extracted.
  2. Design the hierarchy based on available objects from
     the schema.
  3. Fine-tune the configuration: exposed attributes,
     filters, interception scripts, joins.
  4. Double-check the result (runtime view tab) and
     save the views in XML files (they will have a
     .dvx extension).

93
Components of a Virtual Tree
Configuration Tools and Utilities > Context Builder > View Designer
  • Virtual directory views can consist of:
      • Labels - A Label node is a container whose only
        attribute is a text label. You use labels when
        you want to separate different types of
        information for display.
      • Containers - A Container Object is a node that
        can have descendants. A container is created from
        an underlying object. You can declare the
        attributes for a container based on the
        underlying attributes of the object.
      • Contents - A Content Object is a node that has no
        descendants. It is a leaf or terminal node in
        the directory tree. A content is created from an
        underlying object. You can declare the
        attributes for a content based on the underlying
        attributes of the object.
      • Links - Links are a special kind of node that
        allow you to point to a specific sub tree
        defined by a directory view definition file.
        Links allow you to aggregate multiple virtual
        directory trees into one .dvx file.

94
Declaring Content of Virtual Trees
Configuration Tools and Utilities > Context Builder > View Designer
  • Primary Object Tab
      • For Container and Content nodes, you have the
        option of selecting the attributes you want to
        expose, joining tables from the same schema,
        adding a filter and performing other
        customizations (such as complex filters and
        changing the Parent DN for virtual views built
        from LDAP sources).

[Figure callouts: joining objects from the same schema; attributes selected to expose in the virtual entry; handling case-sensitive databases; advanced customizations; filter]
95
Testing the Virtual Tree (Configuration Tools and
Utilities > Context Builder > View Designer)
  • Runtime Preview Tab
    • A quick glimpse of what the instantiated tree
      will look like at run time (a limited number of
      entries, just for testing).

[Screenshot callouts: model of the tree; Runtime Preview]
96
Virtual Identity Wizard (The Union Challenge >
Virtual Identity Wizard)
  • The Virtual Identity wizard should be used in
    situations where applications require a single
    source to locate all users required for
    authentication and/or need to access a complete
    user profile for attribute-based authorization.
  • It should be used in cases where the data sources
    contain overlapping users, whether or not there is
    a single existing common identifier.
  • It can also be used in cases where there are no
    overlapping users but a complete aggregated flat
    list of users is required.

97
Groups Builder Wizard (Configuration Tools and
Utilities > Groups Builder Wizard)
  • User-defined group names are explicitly listed
    for the group entry. A user-defined group may be
    named anything and have members that are either
    statically defined or dynamically created based
    on a specific rule.
  • Dynamic group names are automatically generated
    based on attribute values for specific entries.
    The attribute values to determine the group names
    can be pulled from any virtual entries.

98
Merge Tree Wizard (The Union Challenge > Merge Tree
Wizard)
  • The Merge Tree Wizard is used for merging
    multiple data sources into a single VDS naming
    context, while maintaining the underlying
    directory hierarchy.

99
Groups Migration Wizard (Use Case Authorization >
Reuse Existing Groups)
  • VDS 6 includes a wizard that guides the user
    through the migration of existing groups into the
    virtualized namespace. Client applications will
    receive group information as though it were
    coming from the underlying backend.

100
Radiant Logic Training Part Seven: Settings &
Deployment
101
Overview
  • Server Settings
    • Hostname, Ports, Web Server
    • Delegated Administration
    • SSL/TLS, Certificates
    • Access Controls
    • Memory Cache
    • Configuration / Properties tab
    • Configuration / Security tab
    • Configuration / Administration tab
    • Configuration / Limits tab
    • Configuration / Policies tab
  • Schema
  • Deployment

102
Accessing Server Settings (Server Settings >
Hostname, Port, Web Server)
  • Server Settings
    • Access to server settings in the VDS Admin
      Console

103
Super User (Server Settings > Delegated
Administration)
  • Directory Manager (Super User)
    • Default user: cn=directory manager
    • Default password: secret (can be set during
      install)
    • Restrict super-user access to the server to
      connections from specific/allowed IP addresses
    • No limits apply to this user (no ACLs, no
      limits, etc.)

104
Delegated Administration (Server Settings >
Delegated Administration)
  • Delegated Administration
    • Admins can manage VDS parameters based on
      predefined roles:
      • Directory Administrator Role - Members of this
        group can perform all operations.
      • Namespace Administrator Role - Members of this
        group can create, update, or delete naming
        contexts or backend mappings.
      • Bulk Operations Role - Members of this group can
        initialize, back up, restore, and index local
        stores.
      • Schema Administrator Role - Members of this group
        can modify schema objects (object classes and
        attributes).
      • ACI Administrator Role - Members of this group
        can manage access permissions for the VDS
        namespace.

[Screenshot callout: group location]
105
SSL/TLS (Server Settings > SSL/TLS, Certificates)
  • SSL/TLS
    • Mutual Authentication
      • Required - If this option is checked, it forces
        mutual authentication. If the client fails to
        provide a valid certificate that VDS can trust,
        authentication fails and the TCP/IP connection
        is dropped.
      • Requested - If mutual authentication is not
        required, but you would like VDS to request a
        certificate from the client, check the Requested
        option. In this scenario, the client's
        certificate is checked by VDS. If the client
        provides a valid certificate, a mutually
        authenticated SSL session is established. If the
        certificate presented is invalid, authentication
        fails. If no certificate is presented, the SSL
        connection continues (using a simple LDAP bind),
        but is not mutually authenticated.
      • None (the default) - If you do not want VDS to
        request a client certificate at all, check the
        None option.

106
Certificates (Server Settings > SSL/TLS,
Certificates)
  • Certificates
    • Server (for VDS itself; contains the private key)
    • Client (certificates VDS will use when accessing
      backend sources)

107
Access Controls (Server Settings > Access Controls)
  • Entry Level
    • entry - this keyword means the permissions apply
      to the entire entry object. The following
      permissions are allowed for entries:
      • v - View
      • a - Add
      • d - Delete
  • Attribute Level
    • all - this keyword means the permissions apply
      to all attributes. Individual attributes can be
      listed here instead if "all" is not desired. The
      following permissions are allowed for attributes:
      • r - Read
      • w - Write (modify or add a value)
      • o - Obliterate (modify to delete a value)
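
The following is an added example, not RadiantOne code: a small deny-by-default model of the entry-level (v/a/d) and attribute-level (r/w/o, with the "all" keyword) permissions listed above. The Grant structure, the rule that a listed attribute narrows what "all" gives, and the sample help-desk role are assumptions made for illustration; the real VDS ACI syntax is richer than this.

```python
from dataclasses import dataclass, field

ENTRY_PERMS = {"v", "a", "d"}   # view, add, delete: apply to the whole entry
ATTR_PERMS = {"r", "w", "o"}    # read, write (add/modify a value), obliterate (delete a value)

@dataclass
class Grant:
    """One hypothetical rule: which bind DN gets which keywords on an entry."""
    subject: str                                   # bind DN the rule applies to
    entry: set = field(default_factory=set)        # subset of ENTRY_PERMS
    attrs: dict = field(default_factory=dict)      # "all" or attribute name -> subset of ATTR_PERMS

def attr_perms(grant, attribute):
    """'all' covers every attribute; a named attribute, if listed, replaces it for that
    attribute (assumed semantics, so a listed attribute can narrow what 'all' gives)."""
    name = attribute.lower()
    if name in grant.attrs:
        return set(grant.attrs[name]) & ATTR_PERMS
    return set(grant.attrs.get("all", set())) & ATTR_PERMS

ENTRY_OPS = {"view": "v", "add": "a", "delete": "d"}
ATTR_OPS = {"read": {"r"}, "add_value": {"w"}, "delete_value": {"o"},
            "replace": {"w", "o"}}   # replace = remove the old value and add the new one

def is_allowed(grants, subject, op, attribute=None):
    """Deny by default: the operation succeeds only if grants for this subject carry every
    keyword it needs. Attribute operations also assume the subject may view the entry."""
    mine = [g for g in grants if g.subject == subject]
    if op in ENTRY_OPS:
        return any(ENTRY_OPS[op] in g.entry for g in mine)
    if op in ATTR_OPS and attribute:
        have = set()
        for g in mine:
            if "v" in g.entry:
                have |= attr_perms(g, attribute)
        return ATTR_OPS[op] <= have
    raise ValueError(f"unknown operation {op!r}")

# Constructed sample: a help-desk role may read everything except userPassword,
# may fully manage telephoneNumber, but cannot add or delete entries.
HELPDESK = "cn=helpdesk,ou=roles,dc=example,dc=com"
SAMPLE_GRANTS = [Grant(HELPDESK, entry={"v"},
                       attrs={"all": {"r"}, "telephonenumber": {"r", "w", "o"},
                              "userpassword": set()})]
```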

108
Caching Levels (Server Settings > Memory Cache)
  • Why cache?
    • To offer guaranteed performance
  • Cache Options
    • Memory (stored solely in memory)
    • Persistent (stored in either the VDS local LDAP
      store or in another LDAP directory of your choice)

109
Performance Challenges of the Traditional Virtual
Directory (Server Settings > Cache)

  Heterogeneity of Data Sources                     Performance (avg queries/sec)
  Multiple Directories                              1,000 to 10,000
  Multiple Directories + Databases                  200 to 1,000
  Multiple Directories + Databases + Web Services   50 to 200
110
Features/Benefits of Memory Cache (Server
Settings > Memory Cache)
  • In this approach, cached entries are stored
    solely in memory. In terms of implementation,
    this approach has the advantage of simplicity.
    However, in practice, this solution may present
    many potential issues depending on the use case.
    In most cases, memory cache will work when the
    volume of entries and the complexity of the
    queries are modest.
  • The greatest risks with a memory cache arise
    when the query pattern is not predictable and the
    data set volume exceeds the size of memory.

111
Persistent Cache (Server Settings > Persistent
Cache)
  • Features
    • Automatic real-time granular cache refresh
      • As changes happen on the backend sources
      • As changes happen through VDS
    • Local or remote storage
      • Cache image can either be local to the VDS or
        stored remotely in another server (for
        scalability).
  • Benefits
    • Addresses the challenges of traditional virtual
      directories in terms of performance (as depicted
      on the two previous slides)
    • Offers a guaranteed level of performance (no
      warm-up/preload required; when VDS starts,
      optimal performance is reached)
    • Scalable

112
Persistent Cache vs Memory Cache (Server Settings >
Persistent Cache)
  • Why is memory cache insufficient for large
    numbers of entries?
    • Requires preload before you get the expected
      speed.
    • You never know what is or is not in the cache at a
      specific time (entries refresh at different times
      under a time-to-live strategy).
    • Refresh is not granular. Only time-to-live
      refresh is available, so if the backend data
      changes, you don't get the new image until the
      specified time has been reached.
    • Memory intensive and fragile (if the server
      crashes, your cache is gone and must be filled
      again before desired performance levels are
      reached).
    • Query dependent - in order to benefit from the
      cache, the request must be exactly the same every
      time (same exact user, scope, filter, etc.).
    • Not scalable.
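
An added example, not RadiantOne code, contrasting the two cache strategies described on slides 110 to 113: a query-keyed, TTL-refreshed memory cache beside an event-refreshed persistent image. The entry format, the single attribute=value filter and the change event are constructed for illustration.

```python
class Backend:
    """Stand-in backend directory; counts the real searches it has to serve."""
    def __init__(self, entries):
        self.entries, self.calls = entries, 0
    def search(self, base, attr, value):
        self.calls += 1
        return sorted(dn for dn, e in self.entries.items()
                      if dn.endswith(base) and e.get(attr) == value)

class MemoryCache:
    """Memory cache: keyed on the exact user/base/scope/filter, refreshed only when the TTL lapses."""
    def __init__(self, backend, ttl):
        self.backend, self.ttl, self.store = backend, ttl, {}
    def search(self, bind_dn, base, scope, attr, value, now):
        key = (bind_dn, base, scope, attr, value)     # any difference in the request is a miss
        cached = self.store.get(key)
        if cached and now - cached[0] < self.ttl:
            return cached[1]                          # served stale until the TTL expires
        result = self.backend.search(base, attr, value)
        self.store[key] = (now, result)
        return result

class PersistentCache:
    """Persistent cache: a full image built once, each changed entry refreshed on its event."""
    def __init__(self, backend):
        self.image = {dn: dict(e) for dn, e in backend.entries.items()}
    def on_backend_change(self, dn, entry):           # what a connector would deliver
        self.image[dn] = dict(entry)
    def search(self, bind_dn, base, scope, attr, value):
        return sorted(dn for dn, e in self.image.items()
                      if dn.endswith(base) and e.get(attr) == value)

def scenario():
    """bob is disabled in the backend at t=5; compare what each cache answers afterwards."""
    base, app = "ou=people,dc=example,dc=com", "cn=app,ou=apps,dc=example,dc=com"
    bob = "uid=bob," + base
    people = {"uid=alice," + base: {"status": "active"}, bob: {"status": "active"}}
    backend = Backend(people)
    mem, pc = MemoryCache(backend, ttl=60), PersistentCache(backend)
    mem.search(app, base, "sub", "status", "active", now=0)   # t=0: first query fills the cache
    people[bob]["status"] = "disabled"                         # t=5: change in the backend
    pc.on_backend_change(bob, people[bob])                     # t=5: connector event
    return {"memory_t6": mem.search(app, base, "sub", "status", "active", now=6),
            "persistent_t6": pc.search(app, base, "sub", "status", "active"),
            "memory_other_user_t6": mem.search("cn=other", base, "sub", "status", "active", now=6),
            "memory_t61": mem.search(app, base, "sub", "status", "active", now=61),
            "backend_calls": backend.calls}
```

At t=6 the memory cache still lists the disabled account as active, a second user's identical search misses and hits the backend anyway, and only the TTL expiry at t=61 corrects the first view; the persistent image is correct at t=6 without a backend call.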

113
Persistent Cache Refresh Options (Server Settings >
Persistent Cache)
  • Automatic refresh for changes flowing through VDS
    -> propagating the incoming change to the underlying
    source
  • Complete refresh
    -> scheduled cache rebuild (daemon, ant task)
  • Backend event detection (real-time)
    -> using connectors

114
Connectors (Server Settings > Persistent Cache)
  • Changes occurring at the back end
    • Automatically updated in real time using
      event-detecting connectors

115
Failover and Load Balancing (Deployment > Load
Balancing and Failover)
  • Failover and Load Balancing Options
    • RadiantOne Access Router (software load balancer)
    • LDAP-aware hardware load balancer (e.g. BIG-IP)
    • Mix of both a hardware solution and Access Router

116
Hardware Load Balancer (Deployment > Load Balancing
and Failover)
117
Combining Hardware Load Balancer and
Router (Deployment > Load Balancing and Failover)
118
Monitoring (Deployment > Monitoring)
[Screenshot callouts: usage statistics; Monitoring tab (VDS availability, memory usage, connection usage, backend availability)]
119
Alerts (Deployment > Monitoring)
  • Alerts (configuration)

120
Command Line Monitoring Scripts (Deployment >
Monitoring)
  • Command Line Monitoring Scripts
    • Memory Monitor (memoryMonitoring script) - This
      script monitors VDS memory usage and can email
      alerts when a specific threshold (percentage of
      available memory) is reached.
    • Connection Monitor (connectionMonitoring script) -
      This script monitors whether the number of active
      connections to VDS exceeds the defined threshold.
      If it does, an email alert is sent.
    • VDS and LDAP Backend Monitor (ldapBackendMonitoring
      script) - This script monitors whether VDS, or one
      of the configured LDAP backends, is available. If
      not, an email alert is sent.
    • Database Backend Monitor (dbBackendMonitoring
      script) - This script monitors whether each of the
      configured database backends is available. If not,
      an email alert is sent.
    • All Data Source Backends (checkDataSources
      script) - This script checks the status of all
      data sources (or only the ones listed on the
      command line) and prints their status either to
      the console or to a specified file. The status is
      either OK (nothing was found wrong with accessing
      the data source) or FAILED <specific error>
      (something is wrong with accessing the data
      source).
    • Disk Space Monitor (diskSpaceMonitoring
      script) - This script monitors disk space by
      checking the available disk space against a
      specific threshold at every poll interval. Once
      the threshold is reached, the process sends an
      email alert. The threshold is specified in % of
      disk space available.

121
Log Level and File Location (Deployment >
Troubleshooting)
  • Log level (threshold)
    • FATAL
    • ERROR
    • WARNING
    • ACCESS (supported for server level, but not for
      tools level logging)
    • INFO
    • DEBUG
  • Location (target)
    • File
      • Tools log is located in RLI_HOME\vds_server\logs
        (named rli.log)
      • Server log is located in RLI_HOME\vds_server\logs
        (vds_server_<date>.log or vds_server_access.log,
        depending on the log level).
    • Console - Status tab in the VDS Admin Console

122
Log Settings (Deployment > Troubleshooting)
123
Log Rollover (Deployment > Troubleshooting)
  • Log Rollover - the access log rolls over when it
    reaches 100MB in size. You can specify how many
    rollover files to keep and the location of the files.

124
Logging to a Database (Deployment > Troubleshooting)
  • Log2DB Utility (access log written into a
    database)
    • Configuration
      • <RLI_HOME>/bin/AccessLog2DBconfig.properties
        (configuration for the database table)
      • <RLI_HOME>/bin/runCreateLogTable.bat (creates the
        log table)
      • <RLI_HOME>/bin/runDropLogTable.bat (drops the log
        table)
    • Run the DB Logger Utility
      • <RLI_HOME>/bin/runLog2DB.bat
    • Standard reporting tools can consume the database
      content. VDS includes two default reports that
      can be generated from the content written to
      the database.

125
Performance Testing (Deployment > Troubleshooting)
  • The most frequently used utility to test the
    performance of VDS is a utility named SLAMD:
    http://www.slamd.com/
  • Note - if VDS is used to virtualize an LDAP
    source, you should first determine the
    performance of the underlying LDAP server by
    accessing it directly (using the searchrate
    utility mentioned above). This gives you
    baseline performance numbers. Then, run the
    searchrate utility against VDS (on the branch
    built from the underlying LDAP source). Keep in
    mind that the following additional configurations
    on your VDS branch could impact performance:
    • Joins
    • Interception scripts
    • Cache
    • Other
      • Network delays
      • Any VDS logging enabled

126
Reports (Deployment > Reporting)
  • Two general reports
    • Access
      • Summary section for each type of operation:
        Bind, Base searches, One level searches, Sub tree
        searches, Add, Modify, Delete, Compare
      • Results can be in the form of a pie chart, line
        chart, or bar chart.
      • Details section for specific operations that
        exceed a configured threshold or return specific
        error codes that have been flagged as important.
    • Audit
      • Summary of all types of operations performed by a
        specific user during a specific session.
      • Sections with details about a specific session:
        • The user DN that performed the operations.
        • A table of all types of operations
          performed by the user.
        • The total number of times each type of operation
          was performed.
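
An added example, not RadiantOne code, that serves both the Log2DB slide and the Reports slide above: it writes constructed access-log records into a table (in-memory SQLite standing in for the configured database) and then runs the Access report's summary and details sections and the Audit report's per-session summary as queries. The log line format, the connection-equals-session assumption and the sample records are assumptions made for illustration.

```python
import shlex
import sqlite3

# Constructed sample access-log lines (an assumed format, not VDS's real one).
# Result 49 is LDAP invalidCredentials, 50 is insufficientAccessRights.
SAMPLE_ACCESS_LOG = """\
2024-05-01T09:00:00 conn=7 op=BIND dn="cn=app1,ou=apps,dc=example,dc=com" result=0 etime=4
2024-05-01T09:00:01 conn=7 op=SEARCH scope=sub dn="cn=app1,ou=apps,dc=example,dc=com" result=0 etime=1350
2024-05-01T09:00:02 conn=7 op=SEARCH scope=base dn="cn=app1,ou=apps,dc=example,dc=com" result=0 etime=3
2024-05-01T09:00:03 conn=8 op=BIND dn="cn=unknown,dc=example,dc=com" result=49 etime=2
2024-05-01T09:00:04 conn=7 op=MODIFY dn="cn=app1,ou=apps,dc=example,dc=com" result=50 etime=6
2024-05-01T09:00:05 conn=7 op=SEARCH scope=one dn="cn=app1,ou=apps,dc=example,dc=com" result=0 etime=40
"""

SEARCH_NAMES = {"base": "Base search", "one": "One level search", "sub": "Sub tree search"}

def parse_line(line):
    """Turn one log line into a row: (timestamp, conn, operation type, bind DN, result, etime ms)."""
    ts, *fields = shlex.split(line)              # shlex keeps the quoted DN intact
    kv = dict(f.split("=", 1) for f in fields)
    op = SEARCH_NAMES[kv["scope"]] if kv["op"] == "SEARCH" else kv["op"].capitalize()
    return ts, int(kv["conn"]), op, kv["dn"], int(kv["result"]), int(kv["etime"])

def load_log(text):
    """Log2DB step: write every access-log record into a table (in-memory SQLite here)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE access_log (ts TEXT, conn INTEGER, op TEXT, "
               "bind_dn TEXT, result INTEGER, etime_ms INTEGER)")
    db.executemany("INSERT INTO access_log VALUES (?, ?, ?, ?, ?, ?)",
                   (parse_line(l) for l in text.splitlines() if l.strip()))
    return db

def access_summary(db):
    """Access report, summary section: count of each operation type."""
    return dict(db.execute("SELECT op, COUNT(*) FROM access_log GROUP BY op"))

def access_details(db, etime_threshold_ms, flagged_results=(49, 50)):
    """Access report, details section: operations over the time threshold or with flagged codes."""
    marks = ",".join("?" * len(flagged_results))
    return db.execute(f"SELECT ts, op, bind_dn, result, etime_ms FROM access_log "
                      f"WHERE etime_ms > ? OR result IN ({marks}) ORDER BY ts",
                      (etime_threshold_ms, *flagged_results)).fetchall()

def audit_session(db, bind_dn, conn):
    """Audit report: how many times each operation type was performed by one DN in one session."""
    return dict(db.execute("SELECT op, COUNT(*) FROM access_log WHERE bind_dn = ? AND conn = ? "
                           "GROUP BY op", (bind_dn, conn)))
```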

127
Troubleshooting (Deployment > Tuning)
  • Turn off logs
    • To achieve optimal performance, the logs should
      either be disabled or kept to a minimum (error
      log level).
  • Use Connection Pooling
    • This is the connection pooling VDS uses when
      connecting to backends:
      • JNDI
      • JDBC
    • Configured on the Configuration (main tab),
      Settings tab in the VDS Admin Console.
  • Caching
    • If better performance than dynamic access alone
      provides is required, a persistent cache can be
      configured (Persistent Cache is offered in
      Context Edition).
  • Indexes
    • Verify that attributes queried in the LDAP filter
      are indexed in the underlying source.
    • For joined sources, verify that ALL attributes
      you are joining on are indexed in the underlying
      sources.
  • Memory
    • Monitor the VDS memory usage and increase it if
      needed.

128
Documentation and Resources
  • Knowledge Base and Help Desk accessible from the
    Radiant Logic website
    (http://www.radiantlogic.com/support/knowledge-database/)
    • Knowledge base includes troubleshooting tips
      (error messages and their meaning), script
      samples, and other useful articles (SSL, Caching,
      Javadoc, etc.).
    • Up-to-date version of the documentation found
      here
    • Help Desk allows you to send incidents/bugs to
      Radiant Logic Support and track their progress
      online.