Military Directory
ACP 133 Directory in support of Messaging Services and Other Applications
Directory services are a critical military component, used for tactical and strategic systems. Military directories, standardized in ACP 133, are used to provide information services, support of military messaging, and as supporting infrastructure for other applications such as PKI (Public Key Infrastructure).
What Isode Provides
Isode provides all of the servers and management tools needed to build a military directory.
- Directory Server: The M-Vault directory server (see the main product page for an overview) is the core component of Isode's offering for military directory, providing:
- Directory Synchronisation with partner organizations using Sodium Sync.
Conformance is critical for military directories. The primary definition of military conformance is ACP (Allied Communication Publication) 133, "Common Directory Services and Procedures". ACP 133 is based on the ISO/ITU X.500 Directory Standard and makes use of X.500 protocols for replication and directory management. LDAP, the Internet Standard Lightweight Directory Access Protocol, is also based on X.500 and is generally the preferred protocol for military clients and military applications to read data from an ACP 133 directory. Data updates are usually done using X.500 DAP, as this offers additional security features. Further information on the ACP 133 directory is provided in the Isode white paper [ACP133: The Military Directory Standard].
Directory Security & Strong Authentication
Security features are an important element of an ACP 133 directory. Strong authentication and related capabilities using digital signatures are central to directory security. All of the directory protocols used by M-Vault make use of digital signatures based on X.509 PKI (Public Key Infrastructure) to provide peer authentication and signed operations.
Complementing the PKI based authentication and signed operations, Isode provides a number of important security features including:
- Access Control. X.500 gives flexible access control that is used in conjunction with authentication to control access to and update of data.
- Security Label based access control, described in the whitepaper [Using Security Labels for Directory Access Control and Replication Control].
- Audit Logging. Isode provides detailed audit logging, which is important for a secure environment.
Replication & Distribution
A key benefit of using a directory is that data can be highly distributed. In a commercial environment, distribution is primarily used to optimize performance and to avoid a single point of failure. In a military environment, there are more stringent resilience requirements, and it is critical that local systems have minimal external dependencies. This leads to four key points about the structure of a military directory:
- Chaining (protocol connection between two directory servers), using X.500 DSP (Directory System Protocol), is often not used. Directory servers are configured to either return data or to pass responsibility back to the client.
- Need to always have a directory. Applications and users that require directory access should not have to rely on availability of a remote directory. This will generally mean that a military deployment will use a larger number of servers than a commercial one, in order to provide servers at all locations.
- Data is highly replicated, using X.500 DISP (Directory Information Shadowing Protocol). The goal is to ensure that all data required is held in the local server. This means that military directories will generally make extensive use of replication.
- Security. Replication must be secure, and the strong authentication and signed operation capabilities of DISP make it ideal.
A simplistic interpretation of this approach would lead to all data in all servers. There are two reasons why this is not done in practice:
- Need to know. Data on people and resources should not be replicated onto servers where there is no requirement for users to have access to that data.
- Bandwidth and resource constraints. Often servers will be connected with slow links. It is undesirable to spend resource on replicating data which is not needed on the remote server.
X.500 DISP provides capabilities which make it straightforward to provide selective replication and meet these two requirements. These include attribute filtering (to remove attributes that are not needed) and "chop", which enables entries and parts of the directory information tree to be selectively replicated. This is a powerful part of the X.500 architecture, which is useful for building a military directory, and is implemented in M-Vault.
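The following is an added example, not Isode or M-Vault code, that models the two selective replication mechanisms just described: a subtree specification with "chop" (base, minimum/maximum depth and specific exclusions, after the X.501 SubtreeSpecification) and attribute filtering. The names SubtreeSpec, ShadowAgreement, shadow and approx_size, and the sample DIT, are constructed for this example and are not M-Vault configuration. Applied to the sample tree, a field unit's agreement receives only its own subtree without the restricted OU or password attributes, while an address-book agreement receives the whole tree to a limited depth with only the attributes a mail client needs.

```python
"""Simplified model of X.500 DISP selective replication (added example,
not Isode code). Names used here are assumptions of this example only."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

DN = Tuple[str, ...]          # RDNs listed root-first, e.g. ("o=Allied", "ou=HQ")
Entry = Dict[str, List[str]]

# Constructed sample DIT for the example; not real data.
DIT: Dict[DN, Entry] = {
    ("o=Allied",): {"objectClass": ["organization"], "o": ["Allied"]},
    ("o=Allied", "ou=HQ"): {"objectClass": ["organizationalUnit"], "ou": ["HQ"]},
    ("o=Allied", "ou=HQ", "cn=Alice"): {"objectClass": ["person"], "cn": ["Alice"],
        "mail": ["alice@example.test"], "userPassword": ["hashed-secret-1"]},
    ("o=Allied", "ou=Field"): {"objectClass": ["organizationalUnit"], "ou": ["Field"]},
    ("o=Allied", "ou=Field", "cn=Bob"): {"objectClass": ["person"], "cn": ["Bob"],
        "mail": ["bob@example.test"], "userPassword": ["hashed-secret-2"]},
    ("o=Allied", "ou=Field", "ou=Restricted"): {"objectClass": ["organizationalUnit"],
        "ou": ["Restricted"]},
    ("o=Allied", "ou=Field", "ou=Restricted", "cn=Carol"): {"objectClass": ["person"],
        "cn": ["Carol"], "mail": ["carol@example.test"], "userPassword": ["hashed-secret-3"]},
}


@dataclass(frozen=True)
class SubtreeSpec:
    """Which entries an agreement covers (after X.501 SubtreeSpecification)."""
    base: DN
    minimum: int = 0                            # chop: drop entries shallower than this
    maximum: Optional[int] = None               # chop: drop entries deeper than this
    chop_before: FrozenSet[DN] = frozenset()    # relative DNs excluded with their subtree
    chop_after: FrozenSet[DN] = frozenset()     # relative DNs kept, subordinates excluded


@dataclass(frozen=True)
class ShadowAgreement:
    """Subtree plus attribute selection: the part of a DISP agreement modelled here."""
    subtree: SubtreeSpec
    include: Optional[FrozenSet[str]] = None    # None means all attributes
    exclude: FrozenSet[str] = frozenset()       # never shadowed, e.g. userPassword


def _has_prefix(prefix: DN, dn: DN) -> bool:
    return len(prefix) <= len(dn) and dn[:len(prefix)] == prefix


def in_subtree(spec: SubtreeSpec, dn: DN) -> bool:
    """Apply base, depth limits and chop points to one DN."""
    if not _has_prefix(spec.base, dn):
        return False
    rel = dn[len(spec.base):]
    depth = len(rel)
    if depth < spec.minimum or (spec.maximum is not None and depth > spec.maximum):
        return False
    if any(_has_prefix(ex, rel) for ex in spec.chop_before):
        return False
    if any(_has_prefix(ex, rel) and len(rel) > len(ex) for ex in spec.chop_after):
        return False
    return True


def shadow(agreement: ShadowAgreement, dit: Dict[DN, Entry]) -> Dict[DN, Entry]:
    """Return the shadow copy a consumer would hold under this agreement."""
    copy: Dict[DN, Entry] = {}
    for dn, attrs in dit.items():
        if in_subtree(agreement.subtree, dn):
            copy[dn] = {name: list(values) for name, values in attrs.items()
                        if name not in agreement.exclude
                        and (agreement.include is None or name in agreement.include)}
    return copy


def approx_size(entries: Dict[DN, Entry]) -> int:
    """Rough byte count of a shadow, to compare the bandwidth cost of agreements."""
    total = 0
    for dn, attrs in entries.items():
        total += len(",".join(reversed(dn)))
        for name, values in attrs.items():
            total += sum(len(name) + len(v) + 2 for v in values)
    return total


# Field unit: its own subtree only, no Restricted OU, no password attribute.
FIELD_AGREEMENT = ShadowAgreement(
    subtree=SubtreeSpec(base=("o=Allied", "ou=Field"),
                        chop_before=frozenset({("ou=Restricted",)})),
    exclude=frozenset({"userPassword"}))

# Address-book server: whole tree to two levels down, mail-client attributes only.
ADDRESS_BOOK_AGREEMENT = ShadowAgreement(
    subtree=SubtreeSpec(base=("o=Allied",), maximum=2),
    include=frozenset({"objectClass", "cn", "mail"}))

if __name__ == "__main__":
    for label, agreement in (("field", FIELD_AGREEMENT), ("address book", ADDRESS_BOOK_AGREEMENT)):
        copy = shadow(agreement, DIT)
        print(f"{label}: {len(copy)}/{len(DIT)} entries, ~{approx_size(copy)} of ~{approx_size(DIT)} bytes")
        for dn in copy:
            print("  ", ",".join(reversed(dn)), sorted(copy[dn]))
```

The chop_before exclusion is what enforces "need to know": the Restricted OU and everything under it never reaches the field server, while the attribute exclusion keeps credential material off servers that only need address data. The approx_size comparison is the bandwidth argument in miniature.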
Some military directory deployments have suggested use of directory synchronization products (meta-directories) to achieve complex replication scenarios. These techniques generally use LDIF (LDAP Data Interchange Format), which relies on a common interpretation of string formats that may not be standardized. Isode believes that this approach adds unnecessary complexity and will reduce robustness and security. Isode strongly recommends use of advanced X.500 DISP replication to build robust replicated directory deployments using open standards.
Further information on use of X.500 DISP for replication to meet military requirements is discussed in the Isode whitepaper [Building a Highly Replicated Directory: The case for X.500 DISP].
M-Vault provides a failover capability to provide live backup for a master directory. This is described in [M-Vault Failover and Disaster Recovery].
Finally, M-Vault provides for a multi-master capability. This provides benefits in many scenarios and is described in [ACID Multi-Master Replication in M-Vault Directory].
While directory synchronization is not the best choice for core directory replication, it is an important part of many military directory deployments, due to the need to integrate data from multiple directories and to support LDAP directories that do not support open standard replication.
Where there is a need to share directory information with partner organizations, or to integrate information from systems that do not support ACP 133 and X.500 DISP, Sodium Sync provides flexible data sharing. This includes synchronization by email and over air gap as described in [Directory Replication by Email and over Air Gap].
Client and User Access
Client protocol access to a military directory may use either X.500 DAP or LDAPv3. M-Vault supports both of these protocols. For applications that make updates to the directory, Isode recommends use of X.500 DAP, using strong authentication and signed operations. This approach, with its security benefits, is supported by all Isode tools that modify data in the directory.
LDAP is widely supported by applications, provides good functionality for accessing the directory, provides data confidentiality (using Transport Layer Security (TLS)), and gives a range of authentication mechanisms, including strong authentication when used in conjunction with Simple Authentication and Security Layer (SASL). For applications that only read data from the directory, LDAP is generally a good choice.