Technology Architecture

Password Management Architecture

P-Synch® is designed for:

• Security:

  P-Synch is installed on hardened servers. All sensitive data is encrypted in storage and transit. Strong authentication and access controls protect business processes.

• Scalability:

  Multiple P-Synch servers can be installed, using a built-in data replication facility. Workload can be distributed using any load-balancing technology (IP, DNS, etc.).

• Openness:

  Open standards are used for inbound integration (SOAP) and outbound communications (SOAP, SMTP, HTTP, etc.).

• Flexibility:

  Both the P-Synch user interface and all functionality can be customized to meet enterprise requirements.

• Low TCO:

  P-Synch is easy to set up and requires minimal ongoing administration.

    Network architecture diagram (1)

Figure (_label_fig:combined-net-arch) illustrates the P-Synch network architecture:

• Users normally access P-Synch using HTTPS from a web browser.

• Multiple P-Synch servers may be load balanced using either an IP-level device (e.g., Cisco Local Director, F5 Big/IP) or simply using DNS round-robin distribution.

• Native user password changes on some systems ([link]) may trigger transparent password synchronization. A password change interceptor DLL, library or exit may capture such changes and initiate transparent password synchronization.

• Users may call an IVR (interactive voice response) system with a telephone and be authenticated either using touch-tone input of personal information or using a voice print. Authenticated users may initiate a password reset.

• P-Synch connects to most target systems using their native APIs (application programming interfaces) and protocols and thus requires no software to be installed locally on those systems.

• Local agents are provided and recommended for Unix servers and OS/390 mainframes. Use of these agents improves transaction security, speed and concurrency.

• A local agent is mandatory on RSA SecurID servers.

• Where target systems are remote and communication to them is slow, insecure or both, an P-Synch proxy server may be co-located with the target system in the remote location. In this case, servers in the main P-Synch server cluster initiate fast, secure connections to the remote proxies, which decode these transactions and forward them to target systems locally, using native, slow and/or insecure protocols.

• P-Synch can look up and update user profile data in an existing system, including HR databases (ODBC), directories (LDAP) and meta-directories (e.g., WMI to Microsoft ILM).

• P-Synch can send e-mails to users asking them to register or to notify them of events impacting their profiles. Over 163 events can trigger e-mail notification.

• P-Synch can send write tickets to most common help desk systems, either recording completed activity or requesting assistance (security events, user service follow-up, etc.). Over 163 can trigger ticket integration. Binary integrations are available for 15 and open integration is possible using mail, ODBC, SQL and web services.

© Hitachi ID Systems, Inc. 2008. All rights reserved.