Identity as a Service Powered by NetIQ Solution Overview Guide




Identity as a Service Powered by NetIQ Solution Overview Guide, July 2015. www.netiq.com/documentation

Legal Notice

THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE AGREEMENT OR A NON-DISCLOSURE AGREEMENT. EXCEPT AS EXPRESSLY SET FORTH IN SUCH LICENSE AGREEMENT OR NON-DISCLOSURE AGREEMENT, NETIQ CORPORATION PROVIDES THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SOME STATES DO NOT ALLOW DISCLAIMERS OF EXPRESS OR IMPLIED WARRANTIES IN CERTAIN TRANSACTIONS; THEREFORE, THIS STATEMENT MAY NOT APPLY TO YOU.

For purposes of clarity, any module, adapter or other similar material ("Module") is licensed under the terms and conditions of the End User License Agreement for the applicable version of the NetIQ product or software to which it relates or interoperates with, and by accessing, copying or using a Module you agree to be bound by such terms. If you do not agree to the terms of the End User License Agreement you are not authorized to use, access or copy a Module and you must destroy all copies of the Module and contact NetIQ for further instructions.

This document and the software described in this document may not be lent, sold, or given away without the prior written permission of NetIQ Corporation, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of NetIQ Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data.

This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. NetIQ Corporation may make improvements in or changes to the software described in this document at any time.

U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R. 227.7202-4 (for Department of Defense (DOD) acquisitions) and 48 C.F.R. 2.101 and 12.212 (for non-DOD acquisitions), the government's rights in the software and documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all respects to the commercial license rights and restrictions provided in the license agreement.

© 2015 NetIQ Corporation. All Rights Reserved. For information about NetIQ trademarks, see https://www.netiq.com/company/legal/.

Contents

About this Book and the Library 5
About NetIQ Corporation 7
1 Solution Overview 9
2 Identity as a Service Powered by NetIQ Solution Architecture 13
2.1 The Services Director 13
2.2 NetIQ IdentityAccess Service Architecture 14
2.3 NetIQ Account Management Architecture 15
2.4 NetIQ Privileged Account Manager Architecture 16
3 Deployment Scenarios 17
3.1 IdentityAccess Service Only 17
3.2 IdentityAccess Service with Account Management 18

4 Identity as a Service Powered by NetIQ Solution Overview Guide

About this Book and the Library

The Identity as a Service Powered by NetIQ Solution Overview Guide provides conceptual information, architecture, and deployment scenarios for the Identity as a Service Powered by NetIQ solution.

Intended Audience

This book provides information for individuals responsible for hosting and deploying the Identity as a Service Powered by NetIQ solution for their tenants. The providers of this solution must understand firewalls, ports, networking, and virtual machines.

Other Information in the Library

The library provides the following information resources:

Identity as a Service Powered by NetIQ Services Director Installation Guide: Provides detailed planning and installation information for the Services Director.

Identity as a Service Powered by NetIQ Provider Administration Guide: Provides step-by-step guidance for the many tasks a provider performs for tenants. The guide also contains information on how to manage and maintain your Services Director.

Identity as a Service Powered by NetIQ Tenant Administration Guide: Provides step-by-step guidance for the tasks a tenant performs.

Identity as a Service Powered by NetIQ IdentityAccess Service Installation Guide: Provides detailed installation information for the IdentityAccess Service appliance.

Identity as a Service Powered by NetIQ IdentityAccess Service Configuration and Administration Guide: Provides detailed configuration and administration information for the IdentityAccess Service appliance.

Identity as a Service Powered by NetIQ IdentityAccess Service Connectors Guide: Provides detailed installation and configuration information for the connectors that you use with the IdentityAccess Service appliance.

Identity as a Service Powered by NetIQ Mobile Users QuickStart: Contains basic steps for users to configure and use the MobileAccess service that is part of the IdentityAccess Service.

Identity as a Service Powered by NetIQ Account Management Service Installation and Administration Guide: Provides detailed installation and configuration information for the Account Management Service appliance.

Identity as a Service Powered by NetIQ Privileged Account Manager Service Guide: Provides installation and configuration information on how to make NetIQ Privileged Account Manager a service that the Services Director hosts.

Identity as a Service Powered by NetIQ Technical References: Provide more detailed information about different features of the Identity as a Service Powered by NetIQ solution.

Help: Provides context-sensitive information and step-by-step guidance for common tasks.

About NetIQ Corporation

We are a global, enterprise software company, with a focus on the three persistent challenges in your environment: change, complexity and risk, and how we can help you control them.

Our Viewpoint

Adapting to change and managing complexity and risk are nothing new. In fact, of all the challenges you face, these are perhaps the most prominent variables that deny you the control you need to securely measure, monitor, and manage your physical, virtual, and cloud computing environments.

Enabling critical business services, better and faster: We believe that providing as much control as possible to IT organizations is the only way to enable timelier and cost-effective delivery of services. Persistent pressures like change and complexity will only continue to increase as organizations continue to change and the technologies needed to manage them become inherently more complex.

Our Philosophy

Selling intelligent solutions, not just software: In order to provide reliable control, we first make sure we understand the real-world scenarios in which IT organizations like yours operate day in and day out. That's the only way we can develop practical, intelligent IT solutions that successfully yield proven, measurable results. And that's so much more rewarding than simply selling software.

Driving your success is our passion: We place your success at the heart of how we do business. From product inception to deployment, we understand that you need IT solutions that work well and integrate seamlessly with your existing investments; you need ongoing support and training post-deployment; and you need someone that is truly easy to work with for a change. Ultimately, when you succeed, we all succeed.

Our Solutions

Identity & Access Governance
Access Management
Security Management
Systems & Application Management
Workload Management
Service Management

Contacting Sales Support

For questions about products, pricing, and capabilities, contact your local partner. If you cannot contact your partner, contact our Sales Support team.

Worldwide: www.netiq.com/about_netiq/officelocations.asp
United States and Canada: 1-888-323-6768
Email: info@netiq.com
Website: www.netiq.com

Contacting Technical Support

For specific product issues, contact our Technical Support team.

Worldwide: www.netiq.com/support/contactinfo.asp
North and South America: 1-713-418-5555
Europe, Middle East, and Africa: +353 (0) 91-782 677
Email: support@netiq.com
Website: www.netiq.com/support

Contacting Documentation Support

Our goal is to provide documentation that meets your needs. The documentation for this product is available on the NetIQ website in HTML and PDF formats on a page that does not require you to log in. If you have suggestions for documentation improvements, click "comment on this topic" at the bottom of any page in the HTML version of the documentation posted at www.netiq.com/documentation. You can also mail Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.

Contacting the Online User Community

NetIQ Communities, the NetIQ online community, is a collaborative network connecting you to your peers and NetIQ experts. By providing more immediate information, useful links to helpful resources, and access to NetIQ experts, NetIQ Communities helps ensure you are mastering the knowledge you need to realize the full potential of the IT investments upon which you rely. For more information, visit http://community.netiq.com.

1 Solution Overview

Cloud computing provides enterprises with the opportunity to quickly deploy applications and infrastructure at lower costs while maximizing resource utilization in the face of declining budgets and IT staff, but there is the fear that sensitive data can be compromised in the cloud. In addition, as more and more applications move to the cloud, managing these applications can add more complexity and administration costs.

NetIQ provides a framework for service providers, consisting of a series of product offerings designed to provide multi-tenant management and per-tenant usage-based licensing and audit reporting. The framework allows providers to host NetIQ products as services for their tenants. The NetIQ Services Director is the framework.

The Services Director works comfortably in a public or private cloud, and has the ability to support a mix of cloud and enterprise deployment scenarios. It fits into your existing infrastructure.

Figure 1-1 Overview (figure: the NetIQ Services Director, with its Tenant Management, Delegated Administration, Subscription Design, Usage Metering and Health Monitoring functions, serving Tenant A, Tenant B through Tenant N; provider-hosted services shown are Privileged Account Manager, Account Management and the IdentityAccess Service, with a Privileged Account Manager Agent, deployed across public and private clouds)

As a service provider, you set up the secure environment for accessing cloud services such as Salesforce, or NetIQ Privileged Account Manager to manage and audit administrative access across your tenants' environments. As your tenants need access to these services, you assign the appropriate services to them through the Services Director. The Services Director helps you centralize the management of your tenants and their access to Web services. It also ensures that all sensitive information is handled securely.

Using the Services Director provides the following benefits:

Delegated Administration: The Services Director allows you to delegate administration to other provider administrators or to tenant administrators, in turn allowing tenants to administer their own services and systems. You can also assign different levels of administration. For more information, see "Managing Administrators" in the Identity as a Service Powered by NetIQ Provider Administration Guide.

Health Monitoring: The Services Director provides the ability to see the health of the different components. The health tool is embedded throughout the administration consoles. You can see the health of your system and the health of the tenants from one interface, called the provider console. The provider console also contains a list of recommended actions and alerts to show you what you must do to either complete configuration tasks or address issues to keep the system healthy.

Subscription Design: The Services Director allows you, as a provider, to assign services to tenants on a subscription basis. This helps you manage your tenants and the services you provide to them.

Tenant Management: The Services Director provides multi-tenant management through a single interface, the provider console, which saves a lot of time and effort. You can add tenants and new services all through the provider console.

Usage Metering: The Services Director provides per-service metering that allows you to monitor what services each tenant uses. This allows you to generate tenant-specific reports and maintain security for your tenants from one console.

2 Identity as a Service Powered by NetIQ Solution Architecture

The Services Director is the framework that supports the services you want to host. You must always have the Services Director installed and configured before installing any additional services. The Services Director currently supports the IdentityAccess Service, the Account Management Service, and NetIQ Privileged Account Manager.

The following sections describe the Services Director and the architecture of each service:

Section 2.1, The Services Director, on page 13
Section 2.2, NetIQ IdentityAccess Service Architecture, on page 14
Section 2.3, NetIQ Account Management Architecture, on page 15
Section 2.4, NetIQ Privileged Account Manager Architecture, on page 16

2.1 The Services Director

The Services Director controls administration and operation functions. It consists of the components depicted in the following graphic.

Figure 2-1 Services Director (figure: the NetIQ Services Director appliance with its Remote Database)

A provider console for provider administrators. From this console, you can manage and configure tenants, import application connectors, delegate administration functions, manage security, and configure auditing.

A tenant console for tenant administrators. From this console, tenants can manage the secure tunnel, specify required roles and attributes, and manage reports and auditing.

A remote MySQL database for storing provider configuration information such as the provider name, the DNS name of the Services Director appliance, the definitions for auditing services, connector templates, connector configurations, and tenant records. Most of the information you configure in the provider console is stored in this database.

The Services Director virtual appliance for storing administration information such as provider and tenant roles (Viewer, Auditor, Admin, or Super Admin), assignments, and access rights (full or read-only). The Services Director is clustered for fault tolerance behind the L4 switch.

For installation information, see the Identity as a Service Powered by NetIQ Services Director Framework Installation Guide.

2.2 NetIQ IdentityAccess Service Architecture

The NetIQ IdentityAccess Service allows users to securely authenticate to the web services hosted in the cloud. The IdentityAccess Service consists of multiple components depicted in the following graphic.

Figure 2-2 IdentityAccess Service Architecture (figure: for Tenant A and Tenant B, users authenticate through a clustered IdentityAccess Service appliance backed by an LDAP/JDBC identity source, with audit output; each tenant administrator uses the tenant console; the Services Director administrator manages the clustered Services Director; web services shown are SalesForce, GoogleApps, Accellion and a Simple Proxy)

The clustered Services Director provides administration of the system for the provider and the tenants. It also stores configuration information, health statuses, and reporting information for the entire system. The provider administrator assigns the different web services to the different tenants. The users of each tenant can access only the web services that the provider administrator assigned to them.

Each tenant administrator accesses the appropriate services through the tenant console. Tenant administrators can see only the web services assigned to them.

The clustered IdentityAccess Service appliances provide the authentication for the users to the different web services in the cloud. Users access the web services locally or remotely through many different devices.

The IdentityAccess Service appliance connects to the remote identity source, whether that is an LDAP directory or a JDBC database. The identity source stores the user accounts that have access to the web services.

The IdentityAccess Service appliance allows you to configure audit services for each tenant. The audit information from the appliance can be sent to a syslog server or to a NetIQ Sentinel Log Manager server.

For installation and configuration information, see the Identity as a Service Powered by NetIQ IdentityAccess Service Configuration and Administration Guide.

2.3 NetIQ Account Management Architecture

The NetIQ Account Management Service allows you to import your identity data, more than likely from an HR system, into a flat, defined structure. The following graphic shows how the Account Management solution fits into the Identity as a Service Powered by NetIQ solution.

Figure 2-3 Account Management (figure: for Tenant A and Tenant B, CSV files are imported into the Account Management appliance, which populates an LDAP Directory, a JDBC Database, or CSV files as an export; each tenant administrator uses the tenant console, and the Services Director administrator manages the Services Director)

The Account Management appliance accepts only CSV files. You import the CSV files into the appliance, and then the appliance populates the information to any system you connect to Account Management. You can populate the following systems:

JDBC database
LDAP directories
CSV file

Account Management also supports custom NetIQ Identity Manager drivers. You can import the custom Identity Manager drivers to connect Account Management to almost any system you want. For more information, see the Identity as a Service Powered by NetIQ Account Management Service Installation and Administration Guide.

2.4 NetIQ Privileged Account Manager Architecture

NetIQ Privileged Account Manager allows you to control the administrative user accounts for Windows and Linux servers. The Services Director allows you to manage Privileged Account Manager workloads that contain administrative accounts for your tenants. You can deploy the workloads into a corporate data center, a private cloud, or a public cloud.

Figure 2-4 Privileged Account Manager Architecture (figure: the NetIQ Services Director provides Privileged Account Manager administration through the provider console and tenant console with secure multi-tenant operations; Privileged Account Manager workloads are managed securely in a data center, a private cloud, and a public cloud)

The Services Director allows you to manage the workloads of each tenant that wants to use Privileged Account Manager. For more information, see the Identity as a Service Powered by NetIQ Privileged Account Manager Service Installation and Configuration Guide.

3 Deployment Scenarios

The following sections describe different possible configuration scenarios for your Identity as a Service Powered by NetIQ solutions for your tenants. The scenarios contain different components and show where the components reside between the provider's network and the tenants' networks.

3.1 IdentityAccess Service Only

The following graphic depicts a possible network configuration of the Services Director with only the IdentityAccess Service. The graphic shows the tenants' network boundaries, L4 switch placements, firewalls, and the Services Director network boundaries.

Figure 3-1 Network Diagram for IdentityAccess Service (figure: Tenant 1, 2 and 3 networks, each with an Identity Source in the internal network and a clustered IdentityAccess Service appliance in the DMZ, connected over the Internet to the Provider Network, where Services Director 1, 2 and 3 sit in the DMZ behind a public L4 switch and the Remote Database sits in the internal network; the Services Director load balancing rules need to forward ports 80, 443, 61616)

In this configuration, the identity sources would always be in the internal network for the tenants. The IdentityAccess Service must be in the DMZ so it can access the SaaS applications and the Services Director. The Services Director must be in the provider's DMZ and the remote MySQL databases must be in the provider's internal network. You must have ports 80, 443, and 61616 open for the Services Director and the IdentityAccess Service to communicate with each other.

3.2 IdentityAccess Service with Account Management

The following graphic depicts a possible network configuration of the Services Director with the IdentityAccess Service and Account Management deployed. The graphic shows the tenants' network boundaries, L4 switch placement, firewalls, and the Services Director network boundaries.

Figure 3-2 Network Diagram for Account Management and IdentityAccess Service (figure: as in Figure 3-1, with Account Management placed next to the Identity Source in each tenant's internal network; the Services Director load balancing rules need to forward ports 80, 443, 61616)

Account Management is just another identity source for the IdentityAccess Service. Account Management resides in the tenants' internal network along with any other identity sources. The IdentityAccess Service resides in the tenants' DMZ so it can communicate with the SaaS applications and the Services Director. The Services Director resides in the provider's DMZ, and the remote MySQL database resides in the provider's internal network. You must have ports 80, 443, and 61616 open for the Services Director and the IdentityAccess Service to communicate with each other.
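The placement rules and port requirements from Sections 3.1 and 3.2 can be checked mechanically before a rollout. The following script is an added example, not NetIQ code: it encodes where each component must sit (identity sources and Account Management in the tenant internal network, IdentityAccess Service in the tenant DMZ, Services Director in the provider DMZ, remote database in the provider internal network) and the ports 80, 443 and 61616 that the load-balancing rules must forward, and reports violations in a planned topology. The zone labels, the component kinds, the rule format, the address name sd-public and the sample topology are all constructed for this example; it assumes the IdentityAccess Service appliance initiates connections toward the Services Director's public address.

```python
from dataclasses import dataclass

REQUIRED_PORTS = (80, 443, 61616)  # from Sections 3.1 and 3.2
SD_VIP = "sd-public"  # constructed name for the Services Director L4 switch address

# Required placement per component kind as (owner, zone), taken from the
# scenarios: Account Management is "just another identity source".
REQUIRED_ZONE = {
    "identity_source": ("tenant", "internal"),
    "account_management": ("tenant", "internal"),
    "identityaccess": ("tenant", "dmz"),
    "services_director": ("provider", "dmz"),
    "remote_database": ("provider", "internal"),
}


@dataclass(frozen=True)
class Component:
    name: str
    kind: str   # one of the REQUIRED_ZONE keys (constructed labels)
    owner: str  # "tenant" or "provider"
    zone: str   # "internal" or "dmz"


@dataclass(frozen=True)
class Rule:
    """One permitted flow in a constructed firewall rule list."""
    src: str
    dst: str
    port: int


def check_placement(components):
    """Return one finding per component that sits in the wrong network zone."""
    findings = []
    for c in components:
        want = REQUIRED_ZONE.get(c.kind)
        if want is None:
            findings.append(f"{c.name}: unknown component kind {c.kind!r}")
        elif (c.owner, c.zone) != want:
            findings.append(
                f"{c.name}: {c.kind} is in {c.owner}/{c.zone}, "
                f"must be in {want[0]}/{want[1]}"
            )
    return findings


def check_ports(components, rules, lb_forwarded_ports):
    """Check that every IdentityAccess appliance may reach the Services Director
    address on 80, 443 and 61616, and that the L4 switch forwards those ports."""
    allowed = {(r.src, r.dst, r.port) for r in rules}
    findings = []
    for c in components:
        if c.kind != "identityaccess":
            continue
        missing = [p for p in REQUIRED_PORTS if (c.name, SD_VIP, p) not in allowed]
        if missing:
            findings.append(f"{c.name} -> {SD_VIP}: ports {missing} not opened")
    not_forwarded = [p for p in REQUIRED_PORTS if p not in set(lb_forwarded_ports)]
    if not_forwarded:
        findings.append(f"{SD_VIP}: L4 switch does not forward ports {not_forwarded}")
    return findings


def run_example():
    """Constructed topology with two deliberate mistakes: Tenant 2's Account
    Management appliance is placed in the DMZ, and Tenant 1's firewall omits
    port 61616 toward the Services Director."""
    components = [
        Component("t1-ldap", "identity_source", "tenant", "internal"),
        Component("t1-ias", "identityaccess", "tenant", "dmz"),
        Component("t2-am", "account_management", "tenant", "dmz"),  # wrong zone
        Component("t2-ias", "identityaccess", "tenant", "dmz"),
        Component("sd-1", "services_director", "provider", "dmz"),
        Component("sd-2", "services_director", "provider", "dmz"),
        Component("sd-db", "remote_database", "provider", "internal"),
    ]
    rules = [Rule("t1-ias", SD_VIP, 80), Rule("t1-ias", SD_VIP, 443)]
    rules += [Rule("t2-ias", SD_VIP, p) for p in REQUIRED_PORTS]
    return check_placement(components) + check_ports(components, rules, [80, 443, 61616])


if __name__ == "__main__":
    for finding in run_example():
        print("FINDING:", finding)
```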