Pre-Deployment Considerations

Sun^™ ONE Identity Server 6.1 enables large organizations with a heterogeneous hardware, software and application infrastructure to successfully deploy an identity management solution for their employees, contractors, customers and suppliers. This chapter provides a high-level technical overview of the issues related to this process. It contains the following sections:

Deployment Options

There are several key factors that an organization should consider when planning for an Identity Server deployment. These considerations generally deal with risk assessment and a growth strategy. For example,

In addition, the architecture should provide a foundation for the objectives detailed in the following sections.

Security

There are a number of options to consider when providing for a secure internal and external networking environment. They include:

High Availability

IT deployments strive for no single point of failure (SPOF) as well as continous availability to its users. Different products achieve availability in different ways; for example, clustering or multi-master replication. The desired high availability refers to a system or component that is continuously operational for a desirably long length of time. It is generally accomplished with multiple server machines that appear to the user as a single highly available system. In a deployment that meets the minimal requirements (all applications on one machine), the SPOFs might include:

As most of these issues can be waylaid, much planning for high availability centers around backup and failover processing as well as data storage and access. For storage, a redundant array of independent disks (RAID) is one approach. For any system to be highly available, the parts of the system should be well-designed and thoroughly tested before they are used. For example, a new application program that has not been thoroughly tested is likely to become a frequent point-of-breakdown in a production system.

Clustering

Clustering is the use of multiple computers to form a single, highly available system. Clustering isn’t used for Sun ONE Identity Server however, it is crucial within the underlying Sun ONE Directory Server data store. For example, a clustered MMR server pair can increase the availability of each master instance by ensuring availability.

Scalability


Note	In a high availability scenario, the encryption key needs be filled out identically for all installs of Identity Server.

Horizontal scaling is achieved by connecting multiple server machines so they work as one unit. A load balanced service is considered horizontally scaled as it increases the speed and availabilty of the service. Vertical scaling, on the other hand, is increasing the capacity of exisitng hardware by adding resources within one server machine. The types of resources that may be scaled include CPUs, memory, and storage. Horizontal scaling and vertical scaling are not mutually exclusive; they can work hand-in-hand. Typically, servers in an environment are not installed at full capacity, so vertical scaling is used to improve performance. When a machine approaches full capacity, horizontal scaling can be used to distribute the load among a larger number of servers.

Hardware Requirements

The hardware on which Identity Server will be installed must meet certain requirements. At a minimum, Identity Server needs to be installed in tandem with Sun ONE Directory Server 5.2 (to be used as a data store) and a web container in which it will be deployed. It is recommended that Directory Server and Identity Server be installed on different machines.

The detailed requirements are high-level, based on a default configuration of the components: one instance of Identity Server (deployed by Sun ONE Web Server), and one instance of Directory Server. Please review the Directory Server Installation And Tuning Guide and the Deployment Guide, as well as the documentation from the web container of choice before installing Identity Server.

It is recommended that Identity Server be run on a 100 MB or greater Ethernet network. The minimum configuration for an Identity Server deployment is a machine with both Identity Server and Sun ONE Web Server installed on it. It should be a machine with one or more CPUs, with greatly diminshing returns on processor investment after four. Two to four CPUs per server is highly recommended. A minimum of 256 MB of RAM is necessary for basic testing of the software. For an actual deployment scenario, 1 GB of RAM is recommended for threads, the SDK, the HTTP server, and other internals; 2 GBs for basic operation, and object allocation space, and 100 MBs per 10,000 concurrent sessions. Each Identity Server is recommended to cap out at 100,000 concurrent sessions, after which horizontal load balancing should be applied (assuming the 4GB memory limitation of 32bit applications).


Note	The recommended procedure is to consult Sun ONE Professional Services or a Sun ONE-certified system integrator before designing and deploying a Sun ONE Identity Server.


Note	Typically, directory resource requirements are high although they may differ based on customer specific data and usage.

Software Requirements

The systems on which Identity Server will be installed must also meet minimum software and operating system requirements.

Operating System Requirements

Patch Clusters for Solaris

When running Directory Server on a Solaris 8 operating system, the recommended patch cluster must be installed. Patch clusters are identified by two numbers, for example, 108827-15. The first number (108827) identifies the patch itself. The second number identifies the version of the patch (15). The latest patches should be installed in order to benefit from the latest fixes. Overall patch information and recommended patches can be downloaded from the SunSolve Patch Support Portal. (Patch clusters are required for Sun ONE Directory Server, Sun ONE Web Server and Sun ONE Application Server.)


Note	The command showrev -p can be used to list the patches currently installed on a Solaris machine. .

Following are a list of patches that should be installed before installation of Identity Server. See the Sun Java Enterprise System 2003Q4 Installation Guide for more complete information on the required patches.

Table 4-1 Recommended Patch List For Identity Server Installation
112396-02	111293-04	109888-20
108869-18	109326-10	108725-12
109147-21	112218-01	108981-10
108949-07	108434-10	109885-09
108435-10	110458-02	112237-07
111325-02	109898-05	109234-09
110075-01	110901-01	109134-27
108901-06	112325-01	108968-08
110662-11	110943-01	108975-06
110898-08	109324-05	108875-13
111111-03	110916-04	110460-26
109091-05	110387-03	108727-22
110283-06	109277-03	109318-31
110951-03	111234-01	108985-03
110903-05	112138-01	109238-02
109320-06	109470-02	109793-14
109783-02	109951-01	111299-04
110453-04	110945-07	110934-11
111071-01	111232-01	108997-03
110700-01	110939-01	109007-09
111548-01	111570-02	108974-25
108652-65	110322-02	110386-02
110286-10	111504-01	108987-12
111606-02	109882-06	109805-15
111069-01	110615-08	108827-40
110668-03	110670-01	108993-13
111826-01	111874-06	110723-05
111659-07	111596-03	111327-05
109667-04	110957-02	108977-01
111626-03	111085-02	110380-04
108919-17	110838-06	108528-19
112254-01	112459-01	108989-02
111879-01	112611-01	111881-03
112425-01	112668-01	109657-09
111958-02	112796-01	111883-14
112846-01	112279-02	114152-01
108806-15	110842-10	111310-01
111321-03	109328-03	111098-01
113792-01	109862-03	113650-01
110896-02	108899-04	109223-02

Java™ Requirement

Identity Server requires Java version 1.3.1. It is recommended though that Java version 1.4.1 is used.

Resource Web Server Requirements

Supported web containers for Identity Server are Sun ONE Web Server 6.1 and Sun ONE Application Server 7.0. When policy agents are installed on these web containers, they use approximately 10MB of disk space. This must be taken into account when configuring the web container that serves content. For detailed information, see the Sun ONE Identity Server Web Policy Agents Guide or the Sun ONE Identity Server J2EE Policy Agents Guide.

Web Browser Requirements

Administrators and end users use web browsers to perform user management tasks. Identity Server supports the following web browsers:

Understanding the Identity Server Schema

In general, a schema is a set of rules imposed on data that serves to define how it is stored. Directory Server contains a Lightweight Directory Access Protocol (LDAP) schema that defines how its data is stored. Object classes define attributes in a LDAP schema. In Directory Server, each data entry must have one or more object class(es) to specify the type of object the entry describes and define the set of attributes it contains. Each entry then is basically a set of attributes and their corresponding values and the list of object classes to which these attributes correspond.

Identity Server uses Directory Server as the data repository for all its identity profiles, entitlement definitions, and deployment configuration information. Towards this end, Identity Server has its own schema which extends the Directory Server schema. When Identity Server is installed, the Identity Server schema, detailed in ds_remote_schema.ldif and sunone_schema2.ldif, is integrated with the Directory Server schema. ds_remote_schema.ldif details LDAP object classes and attributes that are specifically used by Identity Server; these object classes and attributes are generally holdovers from previous versions of Identity Server. sunone_schema2.ldif loads the Identity Server-specific LDAP schema object classes and attributes defined by Sun Microsystems’ new internal schema document. For reference, ds_remote_schema.ldif and sunone_schema2.ldif are reproduced in Code Example 4-1 and Code Example 4-2, respectively.

Code Example 4-1 ds_remote_schema.ldif


add: objectClasses

objectClasses: ( 2.16.840.1.113730.3.2.175 NAME 'iplanet-am-session-service' DESC 'Session Service OC' SUP top AUXILIARY MAY ( iplanet-am-session-max-session-time $ iplanet-am-session-max-idle-time $ iplanet-am-session-max-caching-time $ iplanet-am-session-get-valid-sessions $ iplanet-am-session-destroy-sessions $ iplanet-am-session-add-session-listener-on-all-sessions $ iplanet-am-session-service-status ) X-ORIGIN 'Sun Java System Identity Management' )
objectClasses: ( 2.16.840.1.113730.3.2.176 NAME 'iplanet-am-user-service' DESC 'User Service OC' SUP top AUXILIARY MAY ( iplanet-am-user-auth-modules $ iplanet-am-user-login-status $ iplanet-am-user-admin-start-dn $ iplanet-am-user-auth-config $ iplanet-am-user-alias-list $ iplanet-am-user-success-url $ iplanet-am-user-failure-url $ iplanet-am-user-federation-info-key $ iplanet-am-user-federation-info $ iplanet-am-user-password-reset-options $ iplanet-am-user-password-reset-question-answer $ iplanet-am-user-password-reset-force-reset $ sunIdentityServerDiscoEntries ) X-ORIGIN 'Sun Java System Identity Management' )
objectClasses: ( 2.16.840.1.113730.3.2.177 NAME 'iplanet-am-web-agent-service' DESC 'Web Agent Service OC' SUP top AUXILIARY MAY ( iplanet-am-web-agent-access-allow-list $ iplanet-am-web-agent-access-deny-list $ iplanet-am-web-agent-access-not-enforced-list $ iplanet-am-web-agent-service-status ) X-ORIGIN 'Sun Java System Identity Management' )
objectClasses: ( 2.16.840.1.113730.3.2.179 NAME 'iplanet-am-managed-role' DESC 'Managed Role OC' SUP top AUXILIARY MAY ( iplanet-am-role-type $ iplanet-am-role-description $ iplanet-am-role-aci-description $ iplanet-am-role-aci-list $ iplanet-am-role-service-options $ iplanet-am-role-any-options $ iplanet-am-role-managed-container-dn $ iplanet-am-role-display-options) X-ORIGIN 'Sun Java System Identity Management' )
objectClasses: ( 2.16.840.1.113730.3.2.180 NAME 'iplanet-am-managed-group' DESC 'Managed Group OC' SUP top AUXILIARY MAY ( iplanet-am-group-subscribable $ inetgroupstatus ) X-ORIGIN 'Sun Java System Identity Management' )
objectClasses: ( 2.16.840.1.113730.3.2.181 NAME 'iplanet-am-managed-filtered-group' DESC 'Managed Filter Group OC' SUP iplanet-am-managed-group AUXILIARY X-ORIGIN 'Sun Java System Identity Management' )
objectClasses: ( 2.16.840.1.113730.3.2.182 NAME 'iplanet-am-managed-assignable-group' DESC 'Managed Assignable Group OC' SUP iplanet-am-managed-group AUXILIARY X-ORIGIN 'Sun Java System Identity Management' )
objectClasses: ( 2.16.840.1.113730.3.2.183 NAME 'iplanet-am-managed-static-group' DESC 'Managed Static Group OC' SUP iplanet-am-managed-group AUXILIARY X-ORIGIN 'Sun Java System Identity Management' )
objectClasses: ( 2.16.840.1.113730.3.2.184 NAME 'iplanet-am-managed-person' DESC 'Managed Person OC' SUP top AUXILIARY MAY ( iplanet-am-modifiable-by $ iplanet-am-static-group-dn $ iplanet-am-user-account-life ) X-ORIGIN 'Sun Java System Identity Management' )
objectClasses: ( 2.16.840.1.113730.3.2.186 NAME 'iplanet-am-managed-org-unit' DESC 'Managed OrganizationalUnit OC' SUP top AUXILIARY MAY ( sunPreferredDomain $ associatedDomain $ sunPreferredOrganization $ sunAdditionalTemplates $ sunOverrideTemplates $ iplanet-am-service-status ) X-ORIGIN 'Sun Java System Identity Management' )
objectClasses: ( 2.16.840.1.113730.3.2.187 NAME 'iplanet-am-managed-people-container' DESC 'Managed People Container OC' SUP top AUXILIARY X-ORIGIN 'Sun Java System Identity Management' )
objectClasses: ( 2.16.840.1.113730.3.2.189 NAME 'iplanet-am-managed-group-container' DESC 'Managed Group Container OC' SUP top AUXILIARY X-ORIGIN 'Sun Java System Identity Management' )
objectClasses: ( 2.16.840.1.113730.3.2.166 NAME 'iplanet-am-managed-policy' DESC 'Managed Name Policy OC' SUP top AUXILIARY MAY iplanet-am-named-policy-dn X-ORIGIN 'Sun Java System Identity Management' )
objectClasses: ( 2.16.840.1.113730.3.2.167 NAME 'iplanet-am-domain-url-access-service' DESC 'Domain URL Access Service OC' SUP top AUXILIARY MAY iplanet-am-domain-url-access-allow X-ORIGIN 'Sun Java System Identity Management' )
objectClasses: ( 1.3.6.1.4.1.42.2.27.9.2.22 NAME 'iplanet-am-saml-service' DESC 'SAML Service OC' SUP top AUXILIARY MAY ( iplanet-am-saml-user $ iplanet-am-saml-password ) X-ORIGIN 'Sun Java System Identity Management' )
objectClasses: ( 1.3.6.1.4.1.42.2.27.9.2.23 NAME 'iplanet-am-auth-configuration-service' DESC 'Authentication Configuration Service OC' SUP top AUXILIARY MAY ( iplanet-am-auth-configuration $ iplanet-am-auth-login-success-url $ iplanet-am-auth-login-failure-url $ iplanet-am-auth-post-login-process-class ) X-ORIGIN 'Sun Java System Identity Management' )
objectClasses: ( 1.3.6.1.4.1.42.2.27.9.2.25 NAME 'sunservice' DESC 'object containing service information' SUP top MUST ou MAY ( labeleduri $ sunserviceschema $ sunkeyvalue $ sunxmlkeyvalue $ sunpluginschema $ description ) X-ORIGIN 'Sun Java System Identity Management' )
objectClasses: ( 1.3.6.1.4.1.42.2.27.9.2.26 NAME 'sunorgservice' DESC 'Service information specific to organizations' SUP top MUST ou MAY ( sunkeyvalue $ sunxmlkeyvalue $ description ) X-ORIGIN 'Sun Java System Identity Management' )
objectClasses: ( 1.3.6.1.4.1.42.2.27.9.2.27 NAME 'sunservicecomponent' DESC 'Sub-components of the service' SUP top MUST ou MAY ( sunserviceid $ sunsmspriority $ sunkeyvalue $ sunxmlkeyvalue $ description ) X-ORIGIN 'Sun Java System Identity Management' )
objectClasses: ( 1.3.6.1.4.1.42.2.27.9.2.28 NAME 'sunserviceplugin' DESC 'Object that stores information specific to plugins' SUP top MUST ou MAY ( sunpluginid $ sunkeyvalue $ sunxmlkeyvalue $ sunsmspriority ) X-ORIGIN 'Sun Java System Identity Management' )
objectClasses: ( 1.3.6.1.4.1.42.2.27.9.2.74 NAME 'iplanet-am-managed-filtered-role' DESC 'Managed Filtered Role OC' SUP iplanet-am-managed-role AUXILIARY X-ORIGIN 'Sun Java System Identity Management' )
objectClasses: ( sunISManagedOrganization-oid NAME 'sunISManagedOrganization' DESC 'Sun Java System objectclass to identify organizations' SUP top AUXILIARY MAY ( sunOrganizationAlias ) X-ORIGIN 'Sun Java System Identity Management' )
objectClasses: ( sunIdentityServerDiscoveryService-OID NAME 'sunIdentityServerDiscoveryService' DESC 'Discovery Service OC' SUP top AUXILIARY MAY ( sunIdentityServerDynamicDiscoEntries ) X-ORIGIN 'Sun Java System Identity Management' )
objectClasses: ( sunIdentityServerLibertyPPService-oid NAME 'sunIdentityServerLibertyPPService' DESC 'sunIdentityServerLibertyPPService OC' SUP top AUXILIARY MAY ( sunIdentityServerPPCommonNameCN $ sunIdentityServerPPCommonNameALTCN $ sunIdentityServerPPCommonNameFN $ sunIdentityServerPPCommonNameSN $ sunIdentityServerPPCommonNamePT $ sunIdentityServerPPCommonNameMN $ sunIdentityServerPPInformalName $ sunIdentityServerPPLegalIdentityLegalName $ sunIdentityServerPPLegalIdentityDOB $ sunIdentityServerPPLegalIdentityMaritalStatus $ sunIdentityServerPPLegalIdentityGender $ sunIdentityServerPPLegalIdentityAltIDType $ sunIdentityServerPPLegalIdentityAltIDValue $ sunIdentityServerPPLegalIdentityVATIDType $ sunIdentityServerPPLegalIdentityVATIDValue $sunIdentityServerPPEmploymentIdentityJobTitle $sunIdentityServerPPEmploymentIdentityOrg $ sunIdentityServerPPEmploymentIdentityAltO ) X-ORIGIN 'Sun Java System Identity Management' )
objectClasses: ( sunIdentityServerDevice-OID NAME 'sunIdentityServerDevice' DESC 'Device OC' SUP top AUXILIARY MAY ( cn $ uid $ sunIdentityServerDeviceVersion $ sunIdentityServerDeviceType $ userpassword $ sunIdentityServerDeviceKeyValue $ sunxmlkeyvalue $ description $ sunIdentityServerDeviceStatus ) X-ORIGIN 'Sun Java System Identity Management' )

Marker Object Classes

Identity entries created using the Identity Server console and stored in Directory Server are appended with marker object classes. Marker object classes define the designated entries as those which Identity Server will manage. The object classes will not interfere with other aspects of the directory tree, such as servers or hardware. As well, existing identity entries can not be managed using Identity Server until they are modified to include these object classes. More detailed information on the marker object classes can be found in Chapter 5, “Identity Management” in the Sun ONE Identity Server Customization And API Guide. Information on how to migrate existing Directory Server data for use with Identity Server can be found in the Sun ONE Identity Server Migration Guide .

Administrative Roles

Delegated administration of the LDAP entries (mapped to each identity-related object in Identity Server) are implemented through the use of pre-defined roles and access control instructions (ACIs). Default administrative roles and their defined ACIs are created during Identity Server installation, and can be viewed and managed using the Identity Server console. When an Identity Server identity-related object is created, the appropriate administrative roles (and, thus, corresponding ACIs) are also created and assigned to the LDAP entry for that object. The role can then be assigned to an individual user who maintains control of that object’s node. For example, when Identity Server creates a new organization, several roles are automatically created for it and stored in Directory Server:

The assignation of any of these roles to a user gives that user all the permissions accorded that role. Table 4-2 summarizes the Identity Server administrator roles and the scope of write permissions that correspond to eachone.

Table 4-2 Default And Dynamic Roles And Their Permissions
Role	Administrative Suffix	Permissions
Top-level Organization Admin (amadmin)	Root level	Read and write access to all entries (roles, policy, groups, etc.) under top-level organization.
Top-level Organization Help Desk Admin	Root level	Read and write access to all passwords under top-level organization.
Top-level Organization Policy Admin	Root level	Read and write access to policies created under top-level organization only. Used by sub-organizations to delegate referral policy creation.
Organization Admin	Organization only	Read and write access to all entries (roles, policy, groups, etc.) under the created sub-organization only.
Organization Help Desk Admin	Organization only	Read and write access to all passwords under the created sub-organization only.
Organization Policy Admin	Organization only	Read and write access to all policies under the created sub-organization only.
Container Admin	Container only	Read and write access to all entries (roles, policy, groups, etc.) under the created container only.
Container Help Desk Admin	Container only	Read and write access to all passwords under the created container only.
Group Admin	Group only	Read and write access to all entries (roles, policy, groups, etc.) under the created group only.
People Container Admin	People Container only	Read and write access to all entries (roles, policy, groups, etc.) under the created people container only.
User (self-administrator)	User only	Read and write access to all attributes in the user entry only.

Using roles instead of group-based ACIs is more efficient and requires less maintenance. Filtered roles are simplier for LDAP clients, since they can just ask for the nsRole attribute of a user. Roles do suffer though from scope limitations, where a role must be a peer of a parent of a member of that role. More detailed information on the default ACIs can be found in Chapter 14, “Administration Attributes” in the Sun ONE Identity Server Administration Guide.

Schema Limitations

People Containers

In Identity Server, the people container is a parent entry for users only. An organizational unit is typically used as a people container, but any entry may be this type as long as it has the iplanet-am-managed-people-container object class and an Identity Server manageable parent type object, organization or container. When an LDAP entry is marked with iplanet-am-managed-people-container, Identity Server assumes it will only contain sub-people containers or users. Therefore , the people container can only contain sub-people containers or users.

Only One Identity Server Organization Allowed

Only one LDAP object type can be marked as an Identity Server organization. In other words, the iplanet-am-managed-org marker object class can only be added to one LDAP type entry. (This object class is added so Identity Server will manage this entry as if it were an organization.)


Caution	Be aware that the root suffix organization created during installation does not count towards this one organization restriction.

Thus, in Figure 4-1, both the dc and o entries can not be managed as organizations using the Identity Server console.

If you were to add dc=company1 below o=continent1, this tree would be manageable only if dc is marked as a container, not an organization. The iplanet-am-managed-container object class is usually added to all organizational units, however, it can be added to any entry.

In this example, since you cannot mark both o= and ou= entries as organizations you could mark the o= entry as an organization and the ou= entries as containers. Management of both organizations and containers using Identity Server have the same options. People containers, sub-organizations, groups, roles, and users can be created under both of them.

Unsupported Directory Trees

Most existing directory trees can be reconfigured to work with Identity Server although, in some cases, reconfiguration is not recommended. In general, if an existing tree uses more than one type of LDAP entry (examples: dc, o, and ou) to define organizations, the user data will be recognized by Identity Server only under certain conditions. In the following example, you would need three types of organization makers: o, ou, and l. Assuming that l=california and l=alabama are not people containers, this DIT would not work with Identity Server.

In the next example, you would need three types of Identity Server markers (dc, o, ou) plus the people container (ou=people). Under these assumptions, the DIT would not work with Identity Server:

Chapter 4 Pre-Deployment Considerations