www.novell.com

Using Novell eDirectory™ to Unify Cross-Platform Authentication at Florida Hospital

Using Novell eDirectory™ to Unify Cross-Platform Authentication at Florida Hospital

Stephen LynchProject ManagerFlorida HospitalStephen.Lynch@flhosp.org

Tom TuroDirector of Information SystemsFlorida HospitalTom.Turo@flhosp.org

Florida Hospital’s Purpose:

“... we exist to assist in restoring and promoting the health and quality of life of those we serve ...”

Florida Hospital’s mission:

“…to extend the healing ministry of Christ...”

Florida Division—Florida Hospital

FH Kissimmee

FH Orlando

FH Altamonte

FH Apopka

FH East

FH Celebration

FH Winter Park

• Seven hospitals 1,792 licensed beds 14,700 employees Largest U.S. hospital

(as single-licensed system with over 92,956 inpatient admissions and 1,500,000 outpatient visits annually)

Largest U.S. cardiac system (over 15,500 procedures in 2001)

Second-largest cancer center in the U.S.

Largest Medicare provider in the U.S.

A Complex Environment A Plethora of Applications

Novell eDirectory™

Application distribution

File and print services

Web hosting

Lanier transcription

Ansos Nurse scheduling

Cbord POS

Laboratory

Blood bank

Scheduling

Home health

Physician applications

Trendstar HBOC, DSS

Web hosting

Clinical systems (16)

Tracking and patient

Financial systems (14)

Patient systems (17)

Data mining

Intel (Novell/NT)Mid-Range (UNIX)Mainframe (S/390)

What’s the Problem

• Too many user IDs for users to remember• Too many passwords for users to remember• Systems are being added daily• Security exposures result from inability to remember• Systems have different rules for passwords• Help desk/admin burden to reset passwords• Users are confused about which “system” they are

using• Help desk contributes to problem using “broadcast

reset”

Technologies Available

• Single Sign-on (SSO)• One master login screen• Password re-direct• Native authentication with central• Password store

Single Sign-on

• User signs into one screen, has access to all systems

• Password changes get “blasted out” to other systems

• Pros Single point of access Prompted one time for password Passwords as difficult as system allows

Single Sign-on

• Cons Leaves all systems “open”

• HIPAA issue User may not know each system’s password Dependent on SSO system being operational Gives users another “system” to learn

Authentication Re-direct

• Passwords are synchronized in the background

Pros• Passwords in each system are identical• User interface is not changed• Still available if system is unattached

Cons• Password is “least common denominator”• User must sign in each time

eDirectory Authentication Services

• Use eDirectory to authenticate users and applications on heterogeneous operating systems

• Use eDirectory to secure applications on traditionally non-NetWare® systems

• Host OS integration• Easy-to-use eDirectory API

Centralized Authentication for Heterogeneous Systems

eDirectory

System 1 System 2 System 3 System 4

eDirectory

System 1 System 2 System 3 System 4

ID=.BOB.SALES.TAMPA.ACMEPassword=BR549

BOBBR549

BOBBR549

BOBBR549

BSMITHBR549

NDS-AS Framework

NDS/AS Solves

• Users only need one password• Authenticates to one authority without being

intrusive• Allow all systems to apply password and

account management rules as defined by the central authority

• Eliminate multiple help desk/admin password resets

OS/390 Integration

?

NDS-AS ClientRACF

RACF API

SAFSAF

DB2DB2 TSOTSO CICSCICSIDMSIDMSApplicationsApplications

NDS-AS Agent

eDirectory

Started Task Install Checklist…

• Test using ASCTEST• Establish INCLUDE/EXCLUDE lists• Install System Security Exits• IPL• Add ASCLIENT to system startup/shutdown

procedures

EXCLUDE APPDBA* ; Exclude the DBA groupEXCLUDE SYSUTIL,ROOT,HSM ; Exclude utility user IDsINCLUDE * ; Everyone else uses NDS

EXCLUDE APPDBA* ; Exclude the DBA groupEXCLUDE SYSUTIL,ROOT,HSM ; Exclude utility user IDsINCLUDE * ; Everyone else uses eDirectory

EXCLUDE SYSP001 ; Boss isn’t using NDSINCLUDE SYSP%%% ; Include systems programmersINCLUDE APP* ; Include the applications groupEXCLUDE APPDBA* ; except the DBAsINCLUDE APPDBA3 ; One DBA uses NDSEXCLUDE * ; all other users use local security

EXCLUDE SYSP001 ; Boss isn’t using eDirectoryINCLUDE SYSP%%% ; Include systems programmersINCLUDE APP* ; Include the applications groupEXCLUDE APPDBA* ; except the DBAsINCLUDE APPDBA3 ; One DBA uses eDirectoryEXCLUDE * ; all other users use local security

Client Include/Exclude Support

Local Security System Fail-over

• Successful password checks and changes result in the password being “pushed” into RACF/ACF2

• If network all NDS-AS agents, or eDirectory itself fails, NDS-AS enters “local authentication” mode

• During “local authentication” the user will still be able to authenticate using the last successful password

• During “local authentication”, password change is disabled and passwords are not expired

Load/Performance Balance

eDirectory

NDS-ASClient

NDS-ASClient

AgentAgent AgentAgent AgentAgent

Install NDS/AS on eDirectory

• Install NDS/AS agent on agent server(s) Originally used one server

• Installed Resolver• Installed Manager• Added test users/contexts/groups to NDS/AS

census

Tested NDS/AS

• Changed passwords in both systems• Revoked account in RACF

Account was reactivated by eDirectory

• Password must be eight characters or less for RACF

• Users not in census used RACF authentication normally

NDS/AS Implementation

• Include all RACF users in the OS390 client• Add specific contexts to NDS/AS census

(in eDirectory)• Add “RACF only” users to eDirectory

Set as disabled with AS password

• Run census—verify it is being used

“UNUSUAL” USER ACCOUNTS

• RACF, eDirectory e-mail/token/firewall only No login to eDirectory

• Has an eDirectory password that does not expire

NDS/AS “Fall-Out”

• Communication is KEY One department made 47 help desk calls 45 were solved by “try your eDirectory

password”

• Some employees had “unknown” eDirectory accounts

• NDS/AS census must be run after eDirectory changes

• Verify new census is in use

New Initiatives Utilizing NDS/AS

• Change password via the Internet Changes NDS/e-mail/firewall/RACF

• New account creation for agency nurses by nurse admin