Using Novell eDirectory™ to Unify
Cross-Platform Authentication
at Florida Hospital
www.novell.com
Stephen Lynch
Project Manager
Florida Hospital
[email protected]
Tom Turo
Director of Information Systems
Florida Hospital
[email protected]
Florida Hospital’s Purpose:
“... we exist to assist in restoring and promoting the
health and quality of life of those we serve ...”
Florida Hospital’s mission:
“…to extend the healing ministry of Christ...”
Florida Division—Florida Hospital
FH Altamonte
FH East
FH Orlando
FH Kissimmee
FH Celebration
FH Apopka
FH Winter Park
• Seven hospitals
  - 1,792 licensed beds
• 14,700 employees
• Largest U.S. hospital (as single-licensed system with over 92,956 inpatient admissions and 1,500,000 outpatient visits annually)
• Largest U.S. cardiac system (over 15,500 procedures in 2001)
• Second-largest cancer center in the U.S.
• Largest Medicare provider in the U.S.

A Complex Environment
A Plethora of Applications
Mainframe (S/390)
Mid-Range (UNIX)
Intel (Novell/NT)
Clinical systems (16)
Laboratory
Novell eDirectory™
Tracking and patient
Blood bank
Application distribution
Financial systems (14)
Scheduling
File and print services
Patient systems (17)
Home health
Web hosting
Data mining
Physician applications
Lanier transcription
Trendstar
Ansos
HBOC, DSS
Web hosting
Nurse scheduling
Cbord POS
What’s the Problem
• Too many user IDs for users to remember
• Too many passwords for users to remember
• Systems are being added daily
• Security exposures result from inability to remember
• Systems have different rules for passwords
• Help desk/admin burden to reset passwords
• Users are confused about which “system” they are using
• Help desk contributes to problem using “broadcast reset”
Technologies Available
• Single Sign-on (SSO)
• One master login screen
• Password re-direct
• Native authentication with central password store
Single Sign-on
• User signs into one screen, has access to all systems
• Password changes get “blasted out” to other systems
• Pros
  - Single point of access
  - Prompted one time for password
  - Passwords as difficult as system allows
Single Sign-on
• Cons
  - Leaves all systems “open”
    • HIPAA issue
  - User may not know each system’s password
  - Dependent on SSO system being operational
  - Gives users another “system” to learn
Authentication Re-direct
• Passwords are synchronized in the background
  - Pros
    • Passwords in each system are identical
    • User interface is not changed
    • Still available if system is unattached
  - Cons
    • Password is “least common denominator”
    • User must sign in each time
eDirectory Authentication Services
• Use eDirectory to authenticate users and applications on heterogeneous operating systems
• Use eDirectory to secure applications on traditionally non-NetWare® systems
• Host OS integration
• Easy-to-use eDirectory API
Centralized Authentication for Heterogeneous Systems
[Diagram: System 1, System 2, System 3 and System 4 each authenticate against a single eDirectory.]
NDS-AS Framework
[Diagram: the same person logs in as BOB with password BR549 on System 1, System 2 and System 3, and as BSMITH with password BR549 on System 4; every system resolves the login to the one eDirectory identity ID=.BOB.SALES.TAMPA.ACME, Password=BR549.]
NDS/AS Solves
• Users only need one password
• Authenticates to one authority without being intrusive
• Allow all systems to apply password and account management rules as defined by the central authority
• Eliminate multiple help desk/admin password resets
OS/390 Integration
[Diagram: host applications (DB2, TSO, CICS, IDMS) call SAF and the RACF API; the NDS-AS Client sits in that path beside RACF and forwards authentication to the NDS-AS Agent, which fronts eDirectory.]
Started Task Install Checklist…
• Test using ASCTEST
• Establish INCLUDE/EXCLUDE lists
• Install System Security Exits
• IPL
• Add ASCLIENT to system startup/shutdown procedures
Client Include/Exclude Support
EXCLUDE APPDBA*            ; Exclude the DBA group
EXCLUDE SYSUTIL,ROOT,HSM   ; Exclude utility user IDs
INCLUDE *                  ; Everyone else uses eDirectory

EXCLUDE SYSP001            ; Boss isn’t using eDirectory
INCLUDE SYSP%%%            ; Include systems programmers
INCLUDE APP*               ; Include the applications group
EXCLUDE APPDBA*            ; except the DBAs
INCLUDE APPDBA3            ; One DBA uses eDirectory
EXCLUDE *                  ; all other users use local security
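To make the precedence between overlapping masks concrete, here is an added Python model of this include/exclude evaluation; it is not Novell's code. The rule that the most specific matching mask wins is an assumption inferred from the two lists above (it is the only reading under which INCLUDE APPDBA3 survives EXCLUDE APPDBA*), and the '*' / '%' wildcard meanings are assumed from RACF convention.

```python
import re

def parse_rules(text):
    """Parse INCLUDE/EXCLUDE lines into (action, mask) pairs, in slide order.
    ';' starts a comment; commas separate several masks on one line."""
    rules = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        action, masks = line.split(None, 1)
        rules += [(action.upper(), m.strip().upper()) for m in masks.split(",")]
    return rules

def mask_to_regex(mask):
    # Assumed RACF-style mask: '*' matches any run of characters, '%' exactly one
    body = "".join(".*" if c == "*" else "." if c == "%" else re.escape(c) for c in mask)
    return re.compile(f"^{body}$")

def specificity(mask):
    """Assumed precedence rule (not stated on the slide, inferred from its examples):
    the matching mask with the most literal characters wins, ties going to the
    mask with fewer '*' wildcards, so APPDBA3 > APPDBA* > APP* > *."""
    return (sum(c not in "*%" for c in mask), -mask.count("*"))

def uses_edirectory(userid, rules):
    """True if the ID is sent to eDirectory (INCLUDE), False if left to local RACF."""
    hits = [r for r in rules if mask_to_regex(r[1]).match(userid.upper())]
    if not hits:
        return False  # no rule matched: treat as local security
    return max(hits, key=lambda r: specificity(r[1]))[0] == "INCLUDE"

# The two lists from the slide, reproduced with their comments.
LIST_ONE = """
EXCLUDE APPDBA*            ; Exclude the DBA group
EXCLUDE SYSUTIL,ROOT,HSM   ; Exclude utility user IDs
INCLUDE *                  ; Everyone else uses eDirectory
"""
LIST_TWO = """
EXCLUDE SYSP001            ; Boss isn't using eDirectory
INCLUDE SYSP%%%            ; Include systems programmers
INCLUDE APP*               ; Include the applications group
EXCLUDE APPDBA*            ; except the DBAs
INCLUDE APPDBA3            ; One DBA uses eDirectory
EXCLUDE *                  ; all other users use local security
"""
if __name__ == "__main__":
    for uid in ("BOB", "APPDBA1", "APPDBA3", "SYSP001", "SYSP002", "APP001", "ROOT"):
        print(uid, uses_edirectory(uid, parse_rules(LIST_ONE)), uses_edirectory(uid, parse_rules(LIST_TWO)))
```

Note that under the assumed rule the order of lines does not matter, which is why the slide can place INCLUDE APPDBA3 after EXCLUDE APPDBA*; if the real client used first-match-wins, the second list would have to be reordered.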
Local Security System Fail-over
• Successful password checks and changes result in the password being “pushed” into RACF/ACF2
• If the network, all NDS-AS agents, or eDirectory itself fails, NDS-AS enters “local authentication” mode
• During “local authentication” the user will still be able to authenticate using the last successful password
• During “local authentication”, password change is disabled and passwords are not expired
Load/Performance Balance
[Diagram: one NDS-AS Client spreads its requests across three NDS-AS Agents, all of which front the same eDirectory.]
Install NDS/AS on eDirectory
• Install NDS/AS agent on agent server(s)
  - Originally used one server
• Installed Resolver
• Installed Manager
• Added test users/contexts/groups to NDS/AS census
Tested NDS/AS
• Changed passwords in both systems
• Revoked account in RACF
  - Account was reactivated by eDirectory
• Password must be eight characters or less for RACF
• Users not in census used RACF authentication normally
NDS/AS Implementation
• Include all RACF users in the OS390 client
• Add specific contexts to NDS/AS census (in eDirectory)
• Add “RACF only” users to eDirectory
  - Set as disabled with AS password
• Run census—verify it is being used
“UNUSUAL” USER ACCOUNTS
• RACF, eDirectory e-mail/token/firewall only
  - No login to eDirectory
• Has an eDirectory password that does not expire
NDS/AS “Fall-Out”
• Communication is KEY
  - One department made 47 help desk calls
  - 45 were solved by “try your eDirectory password”
• Some employees had “unknown” eDirectory accounts
• NDS/AS census must be run after eDirectory changes
• Verify new census is in use
New Initiatives Utilizing NDS/AS
• Change password via the Internet
  - Changes NDS/e-mail/firewall/RACF
• New account creation for agency nurses by nurse admin