IdF Puts OS/400 at Center of Distributed Identity Management
Published: May 23, 2006
by Alex Woodie
Organizations interested in managing their users' credentials from their iSeries server can now do so with the latest version of the IdF Virtual Gateway from IdentityForge. The company recently launched IdF Gateway version 2.5, which now enables two-way communication between iSeries- and mainframe-based user authentication data, and popular third-party identity management systems. Previously, IBM big iron was supported as a target but not a source of this identity data.
You probably have never heard of Identity Forge, a small development and services outfit based in the iSeries hotspot of Atlanta. That's because the company has taken up the relatively thankless task of connecting enterprise-strength identity management systems, such as those from BMC Software, Computer Associates, IBM, Microsoft, Oracle, Novell, RSA Security, and Sun Microsystems, to OS/400 and mainframe (OS/390, TopSecret, RACF, and ACF2) security and authentication systems.
"The mainframe has been a loss leader," says Identity Forge's CTO, Phil Lentz. "The reason our product came into existence is identity management systems didn't have robust functionality on the mainframe" and OS/400 servers.
As an "identity proxy server," Identity Forge's IdF Virtual Gateway fills this void. The Java-based product translates LDAP protocol commands from identity management systems running on Windows, Unix, and Linux into native OS/400 and mainframe commands, using host-based adapters. The IdF Gateway itself runs on Windows-, Unix-, or Linux-based servers and connects with third-party identity management using open-standard protocols, such as LDAP, and, in some cases, using vendors' own APIs.
"These guys who have AS/400s and iSeries are buying centralized products to manage users, but these products don't have good iSeries interfaces, so they're using these products in combination with our adapters to provide robust provisioning capabilities that their identity management systems can't provide," Lentz says.
It may come as a surprise, but even IBM's own Tivoli Identity Management product doesn't provide robust OS/400 connectivity, despite the fact that IBM owns the blueprints to the proprietary server. Tivoli Identity Manager can push identity information out to an iSeries, but it can't recognize changes made natively on the OS/400 server, and it can't do other things, such as set up OS/400 user groups or handle permissions, Lentz says.
While Tivoli Identity Manager does have some OS/400 and mainframe capabilities, other vendors had nothing but a basic screen-scraper technique. By incorporating the IdF Gateway and host-based adapters, users could do provisioning of new users and password synchronization for these platforms from the distributed world, Lentz says. That was the first release.
With IdF Gateway 2.5, Identity Forge has opened that previously one-way communication line to create true two-way communication. So now users can make a change on their iSeries or mainframe servers, such as changing a password or deleting a user ID, and that change is reflected in the identity management system running on Unix, Linux, or Windows. This feature could tremendously reduce the duplication of work at organizations using a mix of iSeries and distributed systems.
Other changes introduced with version 2.5 include support for Directory Services Markup Language (DSML) version 2.0, a Web services specification that applications can use to share user access data. Several major application vendors, such as Oracle and SAP, are starting to use DSML in their applications. (Oracle has added DSML to its E-Business Suite, Siebel CRM software, and its J.D. Edwards ERP products, Lentz says.)
IdF Gateway 2.5 also brings support for Service Provisioning Markup Language (SPML), X.509 digital certificates, and the LDAP version 3 standards, including LDAP search filters and LDAP intelligent referral.
Performance has also been boosted with this release through the addition of support for multi-threading and Identity Caching. When users are accessing an OS/400 server or a mainframe over a secure connection, the communication line can become somewhat chatty if the application needs to authenticate or bind a user for every step. By keeping an authenticated context with Identity Caching instead of re-binding on each step, the throughput of the IdF Gateway has tripled, Lentz says.
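To make the two ideas above concrete (the proxy that turns LDAP-style identity operations into native OS/400 commands, and the cost of binding to the host on every step versus once per cached session), here is a toy identity proxy written as an added example. It is not IdentityForge's code and says nothing about how IdF Gateway is built internally. The CL commands CRTUSRPRF, CHGUSRPRF and DLTUSRPRF are real OS/400 commands; the attribute-to-keyword mapping, the `HostSession` class and the credential store are constructed for this example.

```python
"""Toy identity proxy: LDAP-style add/modify/delete on a user entry -> OS/400 CL
command text, with an optional cached host bind (added example, not product code)."""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed stand-in for the host's credential check; not a real OS/400 API.
HOST_CREDENTIALS = {"gateway": "constructed-secret"}

# OS/400 user profile names are at most 10 characters and start with a letter.
USRPRF_RE = re.compile(r"^[A-Z][A-Z0-9]{0,9}$")

# Hypothetical LDAP attribute -> CL keyword mapping chosen for this example.
ATTR_TO_KEYWORD = {"description": "TEXT", "groupProfile": "GRPPRF", "status": "STATUS"}


def cl_quote(value: str) -> str:
    """Quote a CL string parameter; an apostrophe inside the string is doubled."""
    return "'" + value.replace("'", "''") + "'"


def translate(op: str, attrs: Dict[str, str]) -> str:
    """Map one provisioning operation on a user entry to a single CL command."""
    usrprf = attrs.get("uid", "").upper()
    if not USRPRF_RE.match(usrprf):
        raise ValueError(f"invalid user profile name: {attrs.get('uid')!r}")
    if op == "delete":
        return f"DLTUSRPRF USRPRF({usrprf})"
    if op not in ("add", "modify"):
        raise ValueError(f"unsupported operation: {op}")
    parts = ["CRTUSRPRF" if op == "add" else "CHGUSRPRF", f"USRPRF({usrprf})"]
    for attr, keyword in ATTR_TO_KEYWORD.items():
        if attr in attrs:
            value = attrs[attr]
            # TEXT takes a quoted string; the other keywords take CL values such as *DISABLED.
            rendered = cl_quote(value) if keyword == "TEXT" else value.upper()
            parts.append(f"{keyword}({rendered})")
    return " ".join(parts)


@dataclass
class HostSession:
    """Counts how often the proxy had to bind (authenticate) to the host."""
    bind_count: int = 0
    bound_as: Optional[str] = None

    def bind(self, user: str, password: str) -> None:
        if HOST_CREDENTIALS.get(user) != password:
            raise PermissionError("host bind failed")
        self.bind_count += 1
        self.bound_as = user


class Gateway:
    """With identity_caching=True the host bind is done once and reused for the
    whole session; with it off, every provisioning step re-binds (the chatty path)."""

    def __init__(self, identity_caching: bool = True) -> None:
        self.identity_caching = identity_caching
        self.host = HostSession()
        self._creds: Optional[Tuple[str, str]] = None

    def bind(self, user: str, password: str) -> None:
        self._creds = (user, password)
        if self.identity_caching:
            self.host.bind(user, password)  # authenticate once, keep the context

    def execute(self, op: str, attrs: Dict[str, str]) -> str:
        if self._creds is None:
            raise PermissionError("bind before issuing operations")
        if not self.identity_caching:
            self.host.bind(*self._creds)  # re-authenticate on every step
        return translate(op, attrs)


if __name__ == "__main__":
    gw = Gateway(identity_caching=True)
    gw.bind("gateway", "constructed-secret")
    print(gw.execute("add", {"uid": "alice", "description": "Alice O'Neil", "groupProfile": "sales"}))
    print(gw.execute("modify", {"uid": "alice", "status": "*disabled"}))
    print(gw.execute("delete", {"uid": "alice"}))
    print("binds with caching:", gw.host.bind_count)
```

Running the three operations through a cached session costs one host bind; the same three operations with caching off cost three, which is the per-step authentication overhead the article describes. The profile-name check is there because the proxy sits between a distributed directory, where names can be long and mixed-case, and a host where a malformed name would either fail or land on the wrong profile.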
This release also gains support for password synchronization with Microsoft Active Directory, an important feature, since three-quarters of the world's organizations store at least some user data in Active Directory. Other new features include the capability to capture user change events and modifications to user attributes in real-time, as well as the capability to capture audit events in real-time.
IdF Virtual Gateway version 2.5 is available now. It has been certified on OS/400 V5R4, but not on prior releases. The product costs $15,000 per CPU (a second CPU is recommended when the product is subjected to workloads in excess of 1,000 hits per hour). The iSeries and mainframe adapters cost $40,000 per server or LPAR, with volume licensing deals available. For more information, visit www.identityforge.com.