Chapter 3. Directory Integrator component structure 67
general, IBM Tivoli Directory Integrator provides the same level of security for this module as for all of its other parts. In IBM Tivoli Directory Integrator, multiple password synchronization plug-ins can share the same MQ queues, which simplifies setup and maintenance of multi-domain password synchronization solutions.
3.3 Security capability
Directory Integrator supports distributed environments through a wide range of communication modes, including TCP/IP, HTTP, LDAP, JDBC, and Java Message Service (JMS)/message queuing (MQ). SSL and other encryption mechanisms can be added to any of these methods to secure the information flow. Additionally, the graphical interfaces (IDE and AMC) can be configured to be accessed over SSL. The product documentation names SSLv3 as the protocol that encrypts communications on the wire; SSLv3 has since been deprecated (RFC 7568) and current Java runtimes disable it by default, so a deployment should be configured to negotiate TLS instead. The Java Cryptography Extension (JCE) opens a wide range of security capabilities, such as encrypting information in communications and in storage, X.509 certificate handling, and key management, to integrate with PKI efforts in the enterprise.
The AMC supports client certificate authentication, and access rights to the IBM Tivoli Directory Integrator configuration can be defined per user. The configuration file can optionally be encrypted by the IBM Tivoli Directory Integrator server using the server's certificate. The Configuration Editor accesses such encrypted configurations in remote mode.
In the previous sections we introduced the base components and showed that a
wide range of data sources are supported. We just saw that communication
between different systems can be encrypted. With these elements, hundreds of
different solutions can be set up to fit different requirements. In the following
section we show some general architectural concepts and some examples.
3.4 Physical architecture
IBM Tivoli Directory Integrator can be presented through a number of use cases that illustrate its technical capabilities and some of the solutions that can be architected, but we cannot show all possible architectures with all of the different data sources and data flows. So we introduce some general considerations about the use of an enterprise directory and some basic structures of data flow, not as a comprehensive list, but as frameworks and starting points for further design work.
68 Robust Data Synchronization with IBM Tivoli Directory Integrator
3.4.1 Combination with an enterprise directory
There are two major metadirectory models, or approaches, to integrating existing enterprise data stores and building an authoritative source for identity information:
• Metaview, which introduces one main central directory store where all data is aggregated, and then synchronizes and publishes data from there back to all other authoritative repositories.
• Point-to-point synchronization, which avoids the central repository and instead configures event-driven automatic data flows and reconciliation between the repositories, based on business rules and technical requirements.
Metadirectories are often used to accomplish the following goals:
• Create a single enterprise view of users from attributes stored in network services.
• Enforce business rules that define the authoritative source for attribute values.
• Handle naming and schema discrepancies.
• Provide data synchronization services between information sources.
• Enable network and security administrators to manage large, complex networks.
• Simplify the management of user access to corporate resources.
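The following Python script is an added illustration of the metaview approach and of the second and third goals in the list above (authoritative-source rules and schema discrepancies); it is not code from the book or from IBM Tivoli Directory Integrator. It assumes two hypothetical sources, an HR database and an LDAP directory, whose attribute names are mapped onto one unified namespace, a per-attribute rule that says which source is authoritative, and a constructed set of sample records. Values from a non-authoritative source that disagree with the chosen value are reported as conflicts rather than silently overwritten, which is the reconciliation decision a real AssemblyLine would have to make explicitly.

```python
"""Attribute-level authoritative-source merge for a metaview (constructed example).

Two hypothetical sources ("hr" and "ldap") with different schemas are mapped
onto one unified schema and merged. A business rule per unified attribute says
which source wins; the other sources act as fallbacks when the winner has no
value. Disagreements between sources are collected as conflicts for review.
"""

# Hypothetical schema mappings: source attribute name -> unified attribute name.
SCHEMA_MAP = {
    "hr": {"emp_id": "uid", "full_name": "cn", "dept": "ou",
           "email": "mail", "phone": "telephoneNumber"},
    "ldap": {"uid": "uid", "cn": "cn", "ou": "ou",
             "mail": "mail", "telephoneNumber": "telephoneNumber"},
}

# Hypothetical business rule: ordered list of sources per unified attribute.
# The first source that carries a value is authoritative; later ones are fallbacks.
AUTHORITY = {
    "cn": ["hr", "ldap"],
    "ou": ["hr", "ldap"],
    "mail": ["ldap", "hr"],
    "telephoneNumber": ["ldap", "hr"],
}


def normalise(source, record):
    """Rename one source record into the unified namespace.

    Unmapped attributes and empty values are dropped. The join key "uid" is
    mandatory, because a record that cannot be joined must not enter the view.
    """
    mapping = SCHEMA_MAP[source]
    out = {mapping[k]: v for k, v in record.items()
           if k in mapping and v not in (None, "")}
    if "uid" not in out:
        raise ValueError(f"{source} record has no join key: {record!r}")
    return out


def merge(records_by_source):
    """Build the metaview as {uid: {attr: value}} and return it with a conflict list.

    Each conflict is a tuple (uid, attr, losing_source, losing_value,
    winning_source, winning_value).
    """
    per_uid = {}  # uid -> {source: normalised record}
    for source, records in records_by_source.items():
        for rec in records:
            n = normalise(source, rec)
            per_uid.setdefault(n["uid"], {})[source] = n

    view, conflicts = {}, []
    for uid, by_source in sorted(per_uid.items()):
        entry = {"uid": uid}
        for attr, order in AUTHORITY.items():
            chosen = next(((src, by_source[src][attr]) for src in order
                           if attr in by_source.get(src, {})), None)
            if chosen is None:
                continue  # no source has a value; leave the attribute unset
            entry[attr] = chosen[1]
            # Record every non-authoritative value that disagrees with the winner.
            for src, rec in by_source.items():
                if src != chosen[0] and attr in rec and rec[attr] != chosen[1]:
                    conflicts.append((uid, attr, src, rec[attr], chosen[0], chosen[1]))
        view[uid] = entry
    return view, conflicts


# Constructed sample data; not taken from any real system.
SAMPLE = {
    "hr": [
        {"emp_id": "u100", "full_name": "Ada Lovelace", "dept": "Engineering",
         "email": "ada@example.org", "phone": ""},
        {"emp_id": "u101", "full_name": "Alan Turing", "dept": "Research",
         "email": "alan@example.org", "phone": "+44 1234"},
    ],
    "ldap": [
        {"uid": "u100", "cn": "A. Lovelace", "ou": "Engineering",
         "mail": "ada.lovelace@example.org", "telephoneNumber": "+44 5555"},
        {"uid": "u102", "cn": "Grace Hopper", "ou": "Navy", "mail": "grace@example.org"},
    ],
}


def build_sample():
    """Merge the constructed sample; used by the command-line run and the checks."""
    return merge(SAMPLE)


if __name__ == "__main__":
    view, conflicts = build_sample()
    for uid, entry in view.items():
        print(uid, entry)
    for c in conflicts:
        print("conflict:", c)
```

Running it shows that u100 takes its cn from HR but its mail and telephoneNumber from LDAP, that u101 (HR only) and u102 (LDAP only) still appear in the view, and that the two disagreements for u100 are surfaced as conflicts. The point to take from the example is that the authoritative-source decision is data, not code: changing the AUTHORITY table changes which repository wins without touching the merge logic.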
As the foundation for a metadirectory solution, IBM Tivoli Directory Integrator supports both approaches and provides a means of managing information that is stored in multiple directories. It provides Connectors for collecting information from many operating system and application specific sources and services, as well as for integrating the data into a unified namespace. It can populate a central enterprise directory, and it can also integrate distributed directories directly with one another.
By design, IBM Tivoli Directory Integrator is especially suited to the second approach. As a metadirectory, it extends the directory with services for managing information that is stored in multiple directories. It acts as the hub through which changes are propagated between the disparate systems, and it has a number of facilities that enable it to act as the agent of change on those systems. A scenario based on this architecture is shown in Figure 3-1 on page 43. The important design decision concerns the authoritative data repository; after that, it is a matter of defining the data flows for each AssemblyLine.
There are two possibilities for the implementation of a centralized enterprise
directory. The architecture can have one directory with different authoritative data
sources for different identity information as shown in Figure 3-8 on page 69, or
you can define your central directory as the authoritative data source. In this