VACMAN Middleware 3.0. What is it? - Product Positioning
Strong Authentication Solution
Based on One-Time-Password technology
Huge variety of supported tokens
1. VACMAN Middleware 3.0 Product Presentation
ES Product Management | W. Kalny | 2006-11-28
3. VACMAN Middleware 3.0 Functionality
2 Major Functional Areas:
Supported Authentication Environments
Administration
4. to 10. Supported Authentication Environments (diagram slides, no text content)
11. VACMAN Middleware Data Model
The following record types are provided by VM:
DIGIPASS Record
DIGIPASS User Account Record
Component Record
Policy Record
Back-End Server Record
Domain Record
Organizational Unit Record
12. VACMAN Middleware Data Model: DIGIPASS Record
One record exists for each DIGIPASS in use and contains:
DIGIPASS serial number and model
Names and parameters of applications in DIGIPASS
Status of various options (e.g. lock, etc.)
13. VACMAN Middleware Data Model: DIGIPASS User Account Record
One record exists for each DIGIPASS user and contains:
Authentication Settings
DIGIPASS assignment
Using Active Directory:
DIGIPASS User Account Record is attached to the AD user account as an auxiliary class.
DIGIPASS User Account Record is not required for administration (AD account is used)
Using ODBC Database:
DIGIPASS User Account Record stored in standard database table
Administrative privileges are assigned to the User Account, so the record is required
14. VACMAN Middleware Data Model: Component Record
Created to represent:
Authentication servers
Authentication Client Components (RADIUS Clients, IIS Modules)
Administration Client Components (when required)
Main purposes for Component Records:
For authentication clients, to indicate that authentication requests from that client may be processed and to specify the authentication policy to apply
For RADIUS clients to hold the shared secret
To hold the license key for authentication servers and IIS Modules
15. VACMAN Middleware Data Model: Policy Record
Contains settings that affect the user authentication process, e.g.:
Whether Windows or RADIUS authentication should be used
Whether various automatic management features should be used
The DIGIPASS application types required
Backup Virtual DIGIPASS settings
16. VACMAN Middleware Data Model: Back-End Server Record
Required when a RADIUS server is used by VM for authentication.
Possible to create more than one back-end server for fail-over purposes
Possible to allocate different back-end RADIUS servers for different user domains
17. VACMAN Middleware Data Model: Domain Record
Active Directory Environment:
Each DIGIPASS and DIGIPASS User must belong to one of the pre-existing AD domains
User-ID must be unique within a domain
DIGIPASS Configuration Domain is required for installation purposes
ODBC or Embedded Database Environments:
Domains are included to:
Mirror the AD domain structure
Provide ability to limit administrative activities (delegated administration)
Allocate un-assigned DIGIPASS records to different domains
Master Domain required for default DIGIPASS assignment and administrative purposes
18. VACMAN Middleware Data Model: Organizational Unit Records
Active Directory Environment:
DIGIPASS User Accounts and DIGIPASS records are stored in organizational units or the user container
Special container called DIGIPASS pool created during installation for unassigned DIGIPASSes
Administration duties can be assigned to administrators per organizational unit
ODBC or Embedded Database Environments:
Domains are included to:
Mirror the AD domain structure
Provide ability to limit administrative activities (delegated administration)
Allocate un-assigned DIGIPASS records to different organizational units
19. The Authentication Process: Policy-Based Authentication
For every authentication request, a Policy is identified that controls the process and defines the authentication features to be used.
The policy to use is selected based on the client component and the organizational unit
All policy settings now in one location (Policy Record)
Additional flexibility through:
Windows Group Check can be used for RADIUS
For RADIUS Authentication, the RADIUS server or Windows can be checked only for certain events (not for every login)
A RADIUS server can be used for IIS Modules
For IIS Modules, Windows or the RADIUS server can be checked for every login.
Policies may be set in hierarchies including inheriting attributes from one level to the other.
20. DIGIPASS Assignment
A whole DIGIPASS is assigned to a user (not just one application): the user can use all applications in the DIGIPASS
More than one DIGIPASS can be assigned to a user: a user may be assigned a hardware DIGIPASS and a software DIGIPASS for different situations
User accounts can share the same DIGIPASS: achieved by linking the two DIGIPASS User Account Records
User Account Locking instead of DIGIPASS application locking
Grace period feature applied to each DIGIPASS (instead of to the User Account)
Settings for Backup Virtual DIGIPASS now located in DIGIPASS Record (instead of DIGIPASS User Account Record)
21. Extensive Authentication Settings: User Identification by User ID and Domain
Windows Name Resolution
Simple Name Resolution
Separate Domain Login field
Default Domain Setting in Policy
User ID Conventions
Up to 255 characters (all characters allowed) for User ID and passwords (only 128 UTF-8 characters are supported by the RADIUS protocol)
Unicode support
22. Extensive Authentication Settings: More Features
Forwarding of authentication requests from a 3rd-party RADIUS Server
Supports more than one RADIUS authentication port
Default RADIUS ports are now 1812/1813
Support for event based Digipass (using OATH)
Self-Assignment process
2-Step-Login for Primary Virtual Digipass and Challenge/Response authentication requests
Login Failure Reasons are displayed in form-based IIS Modules
Customizable Realm Name for the Login prompt in basic authentication IIS Module
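The event-based OATH tokens listed above produce HMAC-based one-time passwords (HOTP, RFC 4226). The Python block below is an added example and is not part of the presentation or VASCO's code: DIGIPASS devices use their own algorithms, and only the open OATH HOTP algorithm is implemented here. It shows the verifier-side behaviour a practitioner cares about: a per-token counter that only ever advances, a look-ahead window so a token whose button was pressed without a login can resynchronise, and rejection of a code that has already been consumed or lies outside the window. The secret is the published RFC 4226 test value; the `EventToken` and `Verifier` names are this example's own.

```python
import hashlib
import hmac
import struct

# Test secret published in RFC 4226 (constructed example input, not a real credential).
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value for one counter: HMAC-SHA-1, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class EventToken:
    """Simulated event-based token: every button press yields the code for the next counter."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class Verifier:
    """Server side: remembers the next expected counter per token and resyncs within a window."""

    def __init__(self, secret: bytes, window: int = 10):
        self.secret = secret
        self.window = window
        self.counter = 0  # next counter value the server expects

    def verify(self, submitted: str) -> bool:
        # Try the expected counter and up to window-1 values after it, so a token that
        # was pressed a few times without logging in (counter ran ahead) still works.
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), submitted):
                self.counter = c + 1  # never move backwards: consumed codes stay dead
                return True
        return False


def demo() -> dict:
    """Normal login, resync after stray presses, replay, and an out-of-window code."""
    token = EventToken(RFC4226_SECRET)
    server = Verifier(RFC4226_SECRET, window=5)
    results = {}
    results["first_login"] = server.verify(token.press())        # counter 0: accepted
    token.press()
    token.press()                                                 # two presses without login
    results["resync_login"] = server.verify(token.press())       # counter 3: inside window
    results["replay_rejected"] = not server.verify(hotp(RFC4226_SECRET, 3))  # already consumed
    for _ in range(5):
        token.press()                                             # token counter is now 9
    results["out_of_window_rejected"] = not server.verify(token.press())  # window covers 4..8
    results["server_counter"] = server.counter                    # still 4: no blind advance
    return results
```

Note that the server counter is advanced only on a successful match, so a rejected out-of-window code leaves the account in the same state rather than silently skipping ahead; a real deployment would combine this with a failed-attempt limit such as the account locking described on the DIGIPASS Assignment slide.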
23. Active Directory Integration: Storage of Digipass and User Data in Active Directory
User account settings for VM stored as extension to normal AD user account (using Auxiliary Class)
Digipass data stored with User accounts wherever they are located
Digipass is moved to its user's organizational unit during the assignment procedure
Location of unassigned Digipass is kept flexible
Administration Directly with Active Directory
Connectivity to Middleware server not required for administration
Admin privileges not controlled by Middleware Server
Middleware user account not required to perform administration
24. Active Directory Integration: Delegated Administration
Granular privileges available, set up in Active Directory
Property Sets defined for common groupings of attributes
Active Directory Delegation of Control Wizard shows an option for full Digipass administration
Administration Interface
Full property sheet used for Digipass records
Extensive bulk administration operations (like Reset Application, Reset PIN, Force PIN Change)
Administration MMC Interface used for configuration records
Connection Handling
Connections to Active Directory are closed periodically and it is checked whether another Domain Controller should be used instead.
LDAP requests show excellent performance
25. Extensive ODBC Database Support
New embedded database: PostgreSQL 8.1
Improved Support for Other ODBC Databases
Microsoft SQL Server 2000 and 2005
Oracle 10g
IBM DB2 8.2
Sybase Adaptive Server Anywhere 9.0
Domains and Organizational Units
Where VM user accounts are based on WIN user accounts, Domains can be used to match WIN domains
Domains and Organizational Units allow allocation of Digipass by quota or by geography
Domains and Organizational Units support delegated administration
Service providers can use Domains and Organizational Units to represent their customers
26. Extensive ODBC Database Support: Administration Controls
Improved implementation to support larger scale and service provider environments
Administrative privileges at individual operations level such as View Digipass, Reset Digipass Application, Update Policy
Administrative access to data controlled at the Domain and Organizational Unit level
Administrative programs restricted to defined locations
Maximum number of concurrent administrative sessions
Policy for authentication of administrative logons available
New Replication Mechanism
High reliability through maintaining on disk a queue of changes to transmit
Monitoring of replication process with detailed audit messages and monitoring of connection status and queue size
27. Audit System
Multiple audit methods available and configurable:
Text File Output
Event Log Output
ODBC Database Output
Live Connection to Audit Viewer
Ability to Analyze / Report on Audit Data
Extensive message documentation
Extensive search and filter functionality
Audit Viewer
Messages from different sources
Flexible filtering
Multiple Document Interface for report comparison
Messages can be viewed in different time zones
28. TCL Command Line Administration
Designed for scripted administration
Implemented as an extension to the TCL scripting language
Complex Bulk Administration Tasks
Reporting of data in a data store
29. Secure Licensing Model
License Key to be loaded into the Data Store
Number of users controlled through DPX files
VASCO Licensing Web Site will only permit license keys for the correct number of Middleware Servers
License Key to be obtained for each IIS module
Main Administration MMC Interface provides ability to request and load licenses at any time
30. Pricing Structure
4 elements for a complete offer:
Token prices (one time fee)
Software licenses for usage unlimited in time (one time fee)
Maintenance (annual fees) include support during business hours, software updates and bug fixes, annual user data license fees (were included in token prices in the past)
Any services (one time fee)
VS 6.x, VM 2.x to VM 3.0 upgrades available
For customers with existing maintenance agreement: 70% discount
For customers without existing maintenance agreement: 35% discount
31. Migration Procedure
Existing 2.3 customer sends PO to VASCO
Customer receives invoice with respective discount (70% discount with Maintenance, 35% without)
Customer receives software with new serial number
Customer installs software and gets activation request code
Customer activates software at the licensing web page using the serial number and activation request code, and receives the encrypted licensing key
Customer copies licensing key into DAT directory of VM installation
32. Available Documents
33. Competition
34. Thank you
Any Questions?
wkalny@vasco.com