More than 30 IDM realisations in Czech Republic and abroad

AMI Praha Reference IdM Development 2012

IdM Development 2012


Continued development work has enabled new administration options and security functionalities in IdM.

Project goal

The aim of the continued development work was to develop new administration and user functions that will facilitate the use of the IdM application and enable its full deployment throughout the CEZ Group. In addition, the program accounts of connected applications were to be newly registered and new applications were to be connected to IdM.

A secondary objective, but internally important, which brings new opportunities for implementation at CEZ Group, was the Proof of Concept of central SSH key management for Unix OS.

Project description

The project started at the end of last year (11/2010) with a new project manager (PM) on the ČEZ ICT Services side. His familiarization with the project and the Christmas holidays brought delays to the project right at the beginning. However, the new CEZ PM proved to be very beneficial in the continuation of the project. After the initial analysis and the approved Target Concept, the implementation of Phases 4, 5 and 6 started and ended with Release 12 in June this year.

Stage 4 and 5 were designed as a fix-price and were successfully and fully completed. Stage 6 was completed as a T&M (drawdown) and was cut short by the customer by approximately 40 MDs due to lack of funding.

On the customer side, the project team, apart from the new PM, included mostly traditional members (among others, security methodologist, IDM administrator, infrastructure administrator, SD operator and user management) and new members of the SAP security and base.

From the AMI project team, Martin Lízner traditionally covered the technical side of the project, but all senior IDMs Jiří Vitinger and Petr Čvančar also joined.

Solution description

The following parts were added to the existing IdM application in the CEZ Group:

  • Universal SSH adapter – an adapter through which it is possible to connect any Unix OS to IdM, otherwise it is possible to connect the adapter only using SSH keys. Control scripts for AIX, RedHat, HP-UX trusted mode and HP-UX non-trusted mode were also created as part of the delivery. The AIX system NIM_T was connected to the IdM production environment with this adapter.
  • Bulk import – functionality that allows administrators to add and remove roles in bulk without an approval process. There are many exceptions to this functionality for SAP systems where roles are assigned regardless of the time validity that is sent with the role to SAP and roles are only governed by SAP time constraints.
  • User Interface Modifications – This functionality has unified the role assignment request with the role removal request into one. This acts like a shopping cart so that the request can be put together, roles can be changed and replaced and then sent for approval. As part of this functionality, the approval process had to be modified to first take into account the roles being allocated and then remove them so that they are not removed before they are allocated.
  • User lockout for invalid passwords – this functionality was triggered somewhat with the reluctance of the SD operators. If the user does not change their password within a given timeframe (password expires), it is regenerated to a different password and this is repeated every 180 days when that password is not used. An initial dynamic amnesty has been created for the trigger to avoid a large load on SD.
  • Program account logging – a log of program accounts of connected applications has been created. These are now paired to the IDM. Any differences in existence are reported to the Security and User Administration department who will arrange for replacements with the end system administrators. The functionality has saved the IdM administrator from the previous manual record keeping.
  • Rule-based role assignment control – the first in a series of rules that guard the ability to assign or have assigned a role based on the value of an attribute. Six rules have been implemented in the production environment. More rules are expected in a subsequent project and in the service.
  • ISM Connection – Connecting a security monitoring system that contains all users and all user attributes. It is used to report security incidents and contact the appropriate people.
  • Automatic removal of roles when a company changes – functionality demanded by the result of a security audit. This functionality cuts all existing permissions of a user for 30 days when changing the company (organization within the CEZ group) (the user has to request new permissions for his/her new position).
  • Change password for different KPJMs – this functionality allows changing password for multiple KPJMs of one person in the IdM user interface. This means that a user can change the password for multiple of their virtual accounts in IdM.
  • And other minor modifications.

The project also included preparation for the subsequent replacement of Access Manager and the SPNEGO library was tested on a demo application, which will provide Single Sign On to IdM. As part of the testing, the concept of this authentication in IdM was also devised. Testing was performed on real CEZ operations (browsers and OS).

Another independent part was Proof of Concept for central SSH key management for access to UNIX systems. The essence of the solution was to centrally maintain and guard SSH keys (private and public part) for accesses to Unix OS, to control key generation and thus reset a certain strength of pass phrase (diceware used), to allow users to share SSH keys across connections to individual servers, to allow distribution of SSH keys (public part) to servers, to securely guard and not share SSH keys (private part). This allows the user to log on to the Unix OS after a single login with a passphrase SSH key. This key cannot be removed from the client and is not stored on disk – so it cannot be stolen or misused. The KDC then takes care of distributing the public portions of the SSH keys to the target servers and also takes care of their expiration. This whole process should be target controlled from the IDM by having the KDC connected to the IDM and accesses to individual servers handled by application roles.

The proof of concept addressed the following points:

  • Target solution concept
  • the data model of the solution
  • installation of components (RedHat OS, KDC scripts, RSA PAM module, Diceware)
  • KDC administration scripts (for basic user creation and editing, key creation and expiration, logging, service and server connection, key generation)
  • client part (configuration of putty and OpenSSH clients, configuration of SSHd PAM)
  • interactive user interface
  • connection of 2 end systems (AIX, RedHat)
  • sample configurations of end systems and client settings
  • connection of non-interactive tasks (applications using SSH connection)
  • logging and proving the real identity of the logged-in user
  • description of development requirements (integration with IdM, user account management, high availability mode, known hosts issues

Another projects for the client

Are you interested in this reference?