TRANSCRIPT
www.novell.com
Using Novell eDirectory™ to Unify Cross-Platform Authentication at Florida Hospital
Stephen Lynch, Project Manager, Florida Hospital, [email protected]
Tom Turo, Director of Information Systems, Florida Hospital, [email protected]
Florida Hospital’s Purpose:
“... we exist to assist in restoring and promoting the health and quality of life of those we serve ...”
Florida Hospital’s mission:
“…to extend the healing ministry of Christ...”
Florida Division—Florida Hospital
FH Kissimmee
FH Orlando
FH Altamonte
FH Apopka
FH East
FH Celebration
FH Winter Park
• Seven hospitals
• 1,792 licensed beds
• 14,700 employees
• Largest U.S. hospital (as single-licensed system, with over 92,956 inpatient admissions and 1,500,000 outpatient visits annually)
• Largest U.S. cardiac system (over 15,500 procedures in 2001)
• Second-largest cancer center in the U.S.
• Largest Medicare provider in the U.S.
A Complex Environment: A Plethora of Applications
Platforms: Intel (Novell/NT), Mid-Range (UNIX), Mainframe (S/390)
• Novell eDirectory™
• Application distribution
• File and print services
• Web hosting
• Lanier transcription
• Ansos nurse scheduling
• Cbord POS
• Laboratory
• Blood bank
• Scheduling
• Home health
• Physician applications
• Trendstar HBOC, DSS
• Web hosting
• Clinical systems (16)
• Tracking and patient
• Financial systems (14)
• Patient systems (17)
• Data mining
What’s the Problem?
• Too many user IDs for users to remember
• Too many passwords for users to remember
• Systems are being added daily
• Security exposures result from users’ inability to remember their passwords
• Systems have different rules for passwords
• Help desk/admin burden to reset passwords
• Users are confused about which “system” they are using
• Help desk contributes to the problem by using “broadcast reset”
Technologies Available
• Single Sign-on (SSO)
• One master login screen
• Password re-direct
• Native authentication with central password store
Single Sign-on
• User signs into one screen, has access to all systems
• Password changes get “blasted out” to other systems
• Pros
  • Single point of access
  • Prompted one time for password
  • Passwords as difficult as system allows
• Cons
  • Leaves all systems “open” (HIPAA issue)
  • User may not know each system’s password
  • Dependent on SSO system being operational
  • Gives users another “system” to learn
Authentication Re-direct
• Passwords are synchronized in the background
• Pros
  • Passwords in each system are identical
  • User interface is not changed
  • Still available if system is unattached
• Cons
  • Password is “least common denominator”
  • User must sign in each time
eDirectory Authentication Services
• Use eDirectory to authenticate users and applications on heterogeneous operating systems
• Use eDirectory to secure applications on traditionally non-NetWare® systems
• Host OS integration
• Easy-to-use eDirectory API
Centralized Authentication for Heterogeneous Systems
(Diagram: eDirectory at the center serving System 1 through System 4. The directory identity ID=.BOB.SALES.TAMPA.ACME, Password=BR549 is presented to each host under its local user ID with the same password: three hosts know the user as BOB and one as BSMITH, all with password BR549.)
NDS-AS Framework
NDS/AS Solves
• Users only need one password
• Authenticates to one authority without being intrusive
• Allows all systems to apply password and account management rules as defined by the central authority
• Eliminates multiple help desk/admin password resets
OS/390 Integration
(Diagram: host applications such as DB2, TSO, CICS and IDMS reach RACF through SAF; the NDS-AS client attaches to RACF through the RACF API and forwards authentication through an NDS-AS agent to eDirectory.)
Started Task Install Checklist…
• Test using ASCTEST
• Establish INCLUDE/EXCLUDE lists
• Install System Security Exits
• IPL
• Add ASCLIENT to system startup/shutdown procedures

Client Include/Exclude Support

Example list 1: exclude the DBAs and utility IDs, everyone else uses eDirectory
EXCLUDE APPDBA*          ; Exclude the DBA group
EXCLUDE SYSUTIL,ROOT,HSM ; Exclude utility user IDs
INCLUDE *                ; Everyone else uses eDirectory

Example list 2: selective inclusion, everyone else stays on local security
EXCLUDE SYSP001 ; Boss isn’t using eDirectory
INCLUDE SYSP%%% ; Include systems programmers
INCLUDE APP*    ; Include the applications group
EXCLUDE APPDBA* ; except the DBAs
INCLUDE APPDBA3 ; One DBA uses eDirectory
EXCLUDE *       ; all other users use local security
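As an added worked example (not from the presentation and not Novell's NDS-AS code), the following Python evaluates the two lists above against a user ID and reports whether that ID is routed to eDirectory or left to local security. The slides do not state the client's precedence rule; this evaluator assumes that the most specific mask wins, which is the only ordering consistent with both examples (INCLUDE APP*, then EXCLUDE APPDBA*, then INCLUDE APPDBA3), and that '*' matches any run of characters while '%' matches exactly one, as in RACF masks.

```python
import re
from dataclasses import dataclass
# The two lists from the slide above (eDirectory wording), used as the sample input.
DBA_EXCLUDED = """
EXCLUDE APPDBA*          ; Exclude the DBA group
EXCLUDE SYSUTIL,ROOT,HSM ; Exclude utility user IDs
INCLUDE *                ; Everyone else uses eDirectory
"""
SELECTIVE = """
EXCLUDE SYSP001 ; Boss isn't using eDirectory
INCLUDE SYSP%%% ; Include systems programmers
INCLUDE APP*    ; Include the applications group
EXCLUDE APPDBA* ; except the DBAs
INCLUDE APPDBA3 ; One DBA uses eDirectory
EXCLUDE *       ; all other users use local security
"""

@dataclass
class Rule:
    action: str   # "INCLUDE" (authenticate via eDirectory) or "EXCLUDE" (local security)
    mask: str     # user-ID mask: '*' = any run of characters, '%' = exactly one character

def parse_rules(text):
    """Parse the list; ';' starts a comment, commas separate several masks on one line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        action, masks = line.split(None, 1)
        if action.upper() not in ("INCLUDE", "EXCLUDE"):
            raise ValueError(f"bad rule: {raw!r}")
        rules.extend(Rule(action.upper(), m.strip().upper()) for m in masks.split(","))
    return rules

def mask_matches(mask, user_id):
    regex = "".join(".*" if c == "*" else "." if c == "%" else re.escape(c) for c in mask)
    return re.fullmatch(regex, user_id) is not None

def specificity(mask):
    # literal characters weigh 2, '%' weighs 1, '*' weighs 0: the most specific rule wins (assumed)
    return sum(0 if c == "*" else 1 if c == "%" else 2 for c in mask)

def uses_edirectory(rules, user_id, default=False):
    """True if user_id is routed to eDirectory, False if the host's local security checks it."""
    best = None
    for rule in rules:
        if mask_matches(rule.mask, user_id.upper()):
            if best is None or specificity(rule.mask) > specificity(best.mask):
                best = rule          # ties keep the earlier rule
    return default if best is None else best.action == "INCLUDE"
```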
Local Security System Fail-over
• Successful password checks and changes result in the password being “pushed” into RACF/ACF2
• If the network, all NDS-AS agents, or eDirectory itself fails, NDS-AS enters “local authentication” mode
• During “local authentication” the user can still authenticate using the last successful password
• During “local authentication”, password change is disabled and passwords are not expired
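To make the fail-over rules above concrete, here is an added Python model (not Novell's code and not the presentation's) of the client behaviour: a successful central check or change pushes the password into a local store standing in for RACF/ACF2, an unreachable directory switches the client into local mode, and in that mode only the last pushed password is accepted and password changes are refused. FakeDirectory is a constructed stand-in for the agents and eDirectory, and the local store keeps a salted hash rather than the real RACF password field.

```python
import hashlib, os
class DirectoryDown(Exception):
    """Network, every NDS-AS agent, or eDirectory itself is unreachable."""
class FakeDirectory:                         # constructed stand-in, not a real NDS-AS API
    def __init__(self, passwords):
        self.passwords, self.up = dict(passwords), True
    def check(self, user, pw):
        if not self.up:
            raise DirectoryDown()
        return self.passwords.get(user) == pw
    def change(self, user, old, new):
        if not self.up:
            raise DirectoryDown()
        if self.passwords.get(user) != old:
            return False
        self.passwords[user] = new
        return True

def _digest(salt, pw):
    return hashlib.sha256(salt + pw.encode()).hexdigest()

class NdsAsClient:
    """Host-side client model: central check first, local fail-over when that is down."""
    def __init__(self, directory):
        self.directory, self.local, self.local_mode = directory, {}, False
    def _push(self, user, pw):
        # a successful central check or change pushes the password into local security
        salt = os.urandom(8)
        self.local[user] = (salt, _digest(salt, pw))
    def check(self, user, pw):
        try:
            ok = self.directory.check(user, pw)
        except DirectoryDown:
            self.local_mode = True           # use the last successfully pushed password
            entry = self.local.get(user)
            return entry is not None and _digest(entry[0], pw) == entry[1]
        self.local_mode = False
        if ok:
            self._push(user, pw)
        return ok
    def change(self, user, old, new):
        if not self.local_mode:
            try:
                ok = self.directory.change(user, old, new)
                if ok:
                    self._push(user, new)
                return ok
            except DirectoryDown:
                self.local_mode = True
        raise PermissionError("password change is disabled in local authentication mode")
```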
Load/Performance Balance
(Diagram: two NDS-AS clients, each reaching eDirectory through several NDS-AS agents, so requests are spread across the agents.)
Install NDS/AS on eDirectory
• Install NDS/AS agent on agent server(s); originally used one server
• Installed Resolver
• Installed Manager
• Added test users/contexts/groups to NDS/AS census
Tested NDS/AS
• Changed passwords in both systems
• Revoked account in RACF; account was reactivated by eDirectory
• Password must be eight characters or less for RACF
• Users not in census used RACF authentication normally
NDS/AS Implementation
• Include all RACF users in the OS390 client
• Add specific contexts to NDS/AS census (in eDirectory)
• Add “RACF only” users to eDirectory, set as disabled with AS password
• Run census and verify it is being used
“Unusual” User Accounts
• RACF, eDirectory e-mail/token/firewall only; no login to eDirectory
• Has an eDirectory password that does not expire
NDS/AS “Fall-Out”
• Communication is KEY: one department made 47 help desk calls, and 45 were solved by “try your eDirectory password”
• Some employees had “unknown” eDirectory accounts
• NDS/AS census must be run after eDirectory changes
• Verify new census is in use
New Initiatives Utilizing NDS/AS
• Change password via the Internet; changes NDS/e-mail/firewall/RACF
• New account creation for agency nurses by nurse admin