Isode Directory Products

Replication

A key benefit of M-Vault is the ability to replicate data. X.500 DISP (Directory Information Shadowing Protocol) provides flexible replication with the following features:

  • Total and incremental replication.
  • Initiation by consumer or supplier.
  • Attribute filtering.
  • On demand replication, or timed scheduling options.
  • Operator requested connections.
  • Automatic recovery from inconsistencies.
  • Control of data to be shadowed.
  • Secondary shadowing, so that data may be replicated over multiple hops.

M-Vault provides easy to set up replication, with flexible control of the replication options.

Data Distribution

The real power of an X.500 directory is the ability of the servers, or Directory System Agents (DSAs), to perform distributed operations on behalf of client applications. Distributed operations are handled by the Directory System Protocol (DSP), as defined in X.518 and X.519. DSP enables a set of DSAs to appear as a single, coherent directory service, but leverage the benefits of distribution of information.

The configuration of the directory is controlled by knowledge information, which is the mechanism that enables the location of data in the various DSAs to be represented in the directory. The X.500 specifications define a range of knowledge features that enable a distributed directory. The M-Vault directory server provides support for subordinate references and cross-references. In addition, the server is capable of dynamically learning about other servers and automatically constructing knowledge references to those servers. This functionality is core to the operation of an X.500 based directory.

M-Vault also has the unique ability to include LDAP only servers in the distributed directory using LDAP chaining.


Integrating Directory Servers

Using DSP one server can access information held in another via the network. A real world example of this could be where different departments manage and administer their own data in a local M-Vault server. When a user in one department queries their server for data in another department, M-Vault will use its knowledge to access the appropriate remote server to satisfy the query.

Where departments run an LDAP-only server, M-Vault can be used to connect it to an X.500 distributed directory. It does this by converting X.500 requests to LDAP requests (and vice versa) as necessary. Clients of the LDAP-only server reach the wider directory by following a referral from the LDAP directory to an M-Vault server. Similarly, clients of servers in the wider directory can access data held in LDAP-only servers, as M-Vault can convert an incoming X.500 request into an LDAP request and pass it on. Further details of M-Vault's ability to provide access to a distributed directory for LDAP clients and servers can be found in the M-Vault Connector product pages.

Security

There are three elements to security that a directory server must address: confidentiality, authentication and access control. M-Vault implements configurable mechanisms to support each of these.

Authentication

Strong authentication based on X.509 PKI using Isode's strong authentication infrastructure is provided for all X.500 protocols (DAP, DSP, and DISP). Simple authentication is also available.

M-Vault supports the SASL (Simple Authentication and Security Layer) Internet standards for LDAP client authentication. The Isode SASL implementation supports a number of authentication mechanisms. A full description of SASL and its use in M-Vault can be found here.

Signed Operations

M-Vault uses digital signatures based on X.509 PKI to support signed operations in the DAP and DSP protocols. This provides additional integrity and audit security for individual operations and allows chained updates to be authenticated using a digital signature from the originating directory client. M-Vault can be configured to require signed operations for all updates, which is recommended for directory deployments with stringent security requirements. Further information is provided in the Isode White Paper Directory Signed Operations.

Signed operations are also used for the X.500 DISP replication protocol, providing the same per operation security as for DAP and DSP.

Access Control

Support is provided for the full range of X.500 Access Control, covering both Basic Access Control (BAC) and Simple Access Control (SAC). Features include access control applied to a specific directory entry, all entries within an administrative area, and a group of entries. In addition, access control can be defined per attribute (e.g., deny access to the password attribute for all entries).
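The following is an added example, not Isode code and not M-Vault's configuration syntax. It is a small Python model of the X.501 Basic Access Control decision procedure, showing how the "deny access to the password attribute" rule mentioned above interacts with other ACI items: only the items of highest precedence count, the most specific user class among them wins, and at a tie any deny beats a grant. The policy, the DNs and the group name are made up for illustration; entry-level permissions, the remaining user classes and proper DN matching are omitted.

```python
"""Decision procedure of X.501 Basic Access Control, reduced to its core.

Added example, not Isode code.  When several ACI items apply to one
request, BAC resolves them in a fixed order: keep only the items with
the highest precedence; among those, keep the items with the most
specific user class; if any survivor denies, the result is deny; if no
item applied at all, the result is deny.  Entry-level permissions and
full DN matching are left out of this model.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional

# User-class specificity as modelled here (larger = more specific);
# name and thisEntry are treated as equally specific.
USER_CLASS_RANK = {"allUsers": 0, "subtree": 1, "userGroup": 2, "name": 3, "thisEntry": 3}


@dataclass(frozen=True)
class ACIItem:
    tag: str
    precedence: int                   # 0..255 as in X.501
    user_class: str                   # key of USER_CLASS_RANK
    user_value: Optional[str]         # DN, group DN or subtree base; None for allUsers/thisEntry
    attrs: Optional[FrozenSet[str]]   # protected attribute types; None = every attribute
    permission: str                   # "grant" or "deny"
    ops: FrozenSet[str]               # operations the item speaks about


def _user_matches(item, requestor_dn, groups, target_dn):
    if item.user_class == "allUsers":
        return True
    if item.user_class == "name":
        return item.user_value == requestor_dn
    if item.user_class == "thisEntry":
        return requestor_dn == target_dn
    if item.user_class == "userGroup":
        return item.user_value in groups
    if item.user_class == "subtree":
        return requestor_dn.endswith("," + item.user_value)   # naive suffix test, not full DN matching
    raise ValueError(item.user_class)


def decide(items, requestor_dn, groups, target_dn, attr, op):
    """True if requestor_dn may perform op on attr of target_dn, else False."""
    applicable = [i for i in items
                  if op in i.ops
                  and (i.attrs is None or attr in i.attrs)
                  and _user_matches(i, requestor_dn, groups, target_dn)]
    if not applicable:
        return False                                                        # step 4: nothing applies -> deny
    top = max(i.precedence for i in applicable)
    applicable = [i for i in applicable if i.precedence == top]             # step 1: highest precedence
    best = max(USER_CLASS_RANK[i.user_class] for i in applicable)
    applicable = [i for i in applicable if USER_CLASS_RANK[i.user_class] == best]  # step 2: most specific
    return all(i.permission == "grant" for i in applicable)                 # step 3: any deny wins


# Hypothetical policy for one administrative area (names are made up):
# everyone may read and compare ordinary attributes; nobody may read or
# compare a userPassword except its owner (compare only); members of the
# Admins group may reset passwords.
ADMINS = "cn=Admins,ou=Groups,o=Example"
SAMPLE_ACI = [
    ACIItem("public-read", 10, "allUsers", None, None, "grant", frozenset({"Read", "Compare"})),
    ACIItem("hide-passwords", 20, "allUsers", None, frozenset({"userPassword"}), "deny", frozenset({"Read", "Compare"})),
    ACIItem("own-password", 20, "thisEntry", None, frozenset({"userPassword"}), "grant", frozenset({"Compare", "Modify"})),
    ACIItem("admin-reset", 30, "userGroup", ADMINS, frozenset({"userPassword"}), "grant", frozenset({"Modify"})),
]

if __name__ == "__main__":
    alice, bob = "cn=Alice,ou=People,o=Example", "cn=Bob,ou=People,o=Example"
    print(decide(SAMPLE_ACI, alice, (), bob, "cn", "Read"))                     # True
    print(decide(SAMPLE_ACI, alice, (), bob, "userPassword", "Read"))           # False
    print(decide(SAMPLE_ACI, alice, (), alice, "userPassword", "Compare"))      # True
    print(decide(SAMPLE_ACI, alice, (ADMINS,), bob, "userPassword", "Modify"))  # True
```

The point a practitioner should take from the model is that precedence, not ordering, resolves conflicts: a blanket deny on userPassword only holds if it carries a higher precedence than the general read grant, and an exception for the entry's own user works at the same precedence only because thisEntry is more specific than allUsers. Anything the ACI does not mention at all is denied.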

Rule Based Access Control (Security Labels and Clearances)

M-Vault R14.2 contains the first release of RBAC (X.500 Rule Based Access Control), primarily intended to give customers access to this functionality so that they can assess future applications and provide feedback to Isode. Further information is provided in the following whitepapers:

Information on using these features will be provided in an evaluation style document, which can be found here (PDF).

Confidentiality

LDAP confidentiality is provided in M-Vault by TLS (SSL). The server supports both the LDAP Start TLS extended operation and LDAPS (LDAP over a TLS connection). The set of cipher suites offered is configurable, and the authentication level credited to a user can be made to depend on whether a suitably confidential cipher suite was negotiated, so that credentials presented over an insufficiently protected connection can be given a lower authentication level.

Password Policy

M-Vault provides comprehensive capabilities for managing password based authentication. This includes:

  • Control of hashing choice, and auto-migration on authentication
  • Ability to lock accounts
  • Password quality control
  • Password ageing
  • Password history (controlled by age)
  • Force password reset
  • Grace login
  • Require old password
  • DSA generated password
  • Prevention of password guessing attacks
  • Ability to exclude
  • Protocol support for password policy aware clients
  • GUI management of password policy using Sodium (see here for screenshots)
  • Password policy support in Isode Directory Client APIs
  • Password policy aware changing in Isode Web Applications – PIA (Personal Information Administration).
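The following is an added example, not Isode code and not M-Vault's storage format or defaults. It is a Python model of four items from the list above as they would be applied at bind and at password change: control of the hashing scheme with automatic migration of a legacy hash when the user next authenticates, a failure counter with temporary lockout to brake guessing attacks, "require old password" on change, and a password history controlled by age. The {SSHA} and PBKDF2 string forms, the thresholds, the account DN and the passwords are all choices made for this example.

```python
"""Password-policy checks at bind and password change (added example).

Not M-Vault code: the hash formats (RFC 2307 style {SSHA} for the legacy
scheme, a PBKDF2 string for the preferred one) and every threshold below
are choices made for illustration.
"""
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

PREFERRED_SCHEME = "{PBKDF2-SHA256}"
PBKDF2_ITERATIONS = 100_000          # kept modest so the example runs quickly
MIN_LENGTH = 12                      # password quality control (length only, here)
MAX_FAILURES = 5                     # consecutive failures before lockout
LOCKOUT_SECONDS = 15 * 60
HISTORY_SECONDS = 180 * 24 * 3600    # a previous password stays blocked for this long


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def hash_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Legacy salted SHA-1 in RFC 2307 form: {SSHA}base64(digest || salt)."""
    salt = salt or os.urandom(8)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + _b64(digest + salt)


def hash_pbkdf2(password: str, salt: Optional[bytes] = None) -> str:
    """Preferred scheme: {PBKDF2-SHA256}iterations$base64(salt)$base64(key)."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{PREFERRED_SCHEME}{PBKDF2_ITERATIONS}${_b64(salt)}${_b64(key)}"


def verify(stored: str, password: str) -> bool:
    """Check a password against a stored hash of either scheme (constant-time compare)."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)
    if stored.startswith(PREFERRED_SCHEME):
        iters, salt, key = stored[len(PREFERRED_SCHEME):].split("$")
        calc = hashlib.pbkdf2_hmac("sha256", password.encode(), base64.b64decode(salt), int(iters))
        return hmac.compare_digest(calc, base64.b64decode(key))
    raise ValueError("unknown password scheme")


@dataclass
class Account:
    dn: str
    password: str                                 # current stored hash
    history: list = field(default_factory=list)   # (hash, changed_at) pairs
    failures: int = 0
    locked_until: float = 0.0


def bind(acct: Account, password: str, now: float) -> str:
    """Simple bind: returns 'ok', 'invalid' or 'locked' and updates the account."""
    if now < acct.locked_until:
        return "locked"                           # refuse even a correct password while locked
    if not verify(acct.password, password):
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.failures = 0
            acct.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "invalid"
    acct.failures = 0
    # Auto-migration: the cleartext is only in hand at authentication time,
    # so a legacy hash is re-hashed with the preferred scheme right here.
    if not acct.password.startswith(PREFERRED_SCHEME):
        acct.password = hash_pbkdf2(password)
    return "ok"


def change_password(acct: Account, old: str, new: str, now: float) -> str:
    """Password change subject to the old-password, quality and history rules."""
    if not verify(acct.password, old):
        return "wrong-old-password"
    if len(new) < MIN_LENGTH:
        return "too-short"
    # History is controlled by age: entries older than HISTORY_SECONDS drop out.
    acct.history = [(h, t) for (h, t) in acct.history if now - t < HISTORY_SECONDS]
    if any(verify(h, new) for h, _ in [(acct.password, now)] + acct.history):
        return "in-history"
    acct.history.insert(0, (acct.password, now))
    acct.password = hash_pbkdf2(new)
    return "ok"
```

Two details matter in practice. Migration can only happen inside a successful bind, because that is the only moment the server holds the cleartext; a directory that stores legacy hashes therefore rehashes accounts gradually as users log in, and dormant accounts keep the old scheme until they are touched. Lockout is applied before the hash is checked, so a locked account gives the same answer to a correct and an incorrect password and leaks nothing to a guesser during the lockout window.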


Further details are given in the Isode white paper Password Policy for Directories.

Copyright © 2008 Isode