M-Vault Directory Data Access and Management
Isode's Directory products include servers, management tools and APIs. On this page you'll find information about our products for Directory Data Access and Management: Sodium and the Directory Services Interface. Tools for Directory System Management are also available.
Sodium (Secure Open Data, Identity and User Manager) is used to securely manage the data and secure identities held in M-Vault. It provides information managers and system administrators with an easy-to-use Graphical User Interface. Although it is part of the M-Vault product set, Sodium can also be used with any directory server that supports X.500 DAP (Directory Access Protocol) or LDAP (Lightweight Directory Access Protocol). Some key Sodium capabilities are outlined below:
Support for Kerberos, Strong Authentication and Signed Operations
Sodium's Bind Manager contains configuration details for stored directory server connections. Each configuration contains details of the protocol (LDAP or DAP), address details and the type of authentication being used (Anonymous, Simple, Kerberos or Strong). Sodium also supports Directory signed operations, providing additional security by applying an X.509 digital signature to individual directory operations and to the results returned.
For LDAP, TLS can be configured either with LDAP (using START-TLS) or with LDAPS. In both cases, if the server returns a certificate that is not trusted, trust configuration can be set up for the current connection or permanently (in the bind profile). TLS can also be configured for DAP connections.
Certificate checking in the bind profile for DAP and LDAP is RFC 5280 (Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile) compliant. A trust anchor can be configured for the bind profile, and CRL checking may be used. Kerberos is also provided as an authentication option, which is particularly important for authentication to Active Directory.
X.509 Certificate and Secure Identity Management
Sodium simplifies the process of creating and managing certificate signing requests (CSRs) for an entry in order to create a secure identity as a PKCS#12 file containing a private key. Sodium does this by issuing that CSR to a Certificate Authority (CA) and creating identities from the X.509 certificates returned by the CA. Sodium will work with any CA, but is designed to work cleanly with Isode's Sodium CA, which is designed to handle certificates for Isode products.
Sodium's 'Create Identity' wizard will automatically create a Certificate Signing Request (CSR) for passing on to the CA and, when the certificate has been issued, create a PKCS#12 file representing the identity. Operations can be deferred for later action in situations where the time delay between the CSR and the issuing of the certificate makes it impractical to wait.
Sodium helps generate certificates with the correct SubjectAltName values. The starting point for generating a certificate is to use Sodium's capability to build a PKCS#10 CSR (Certificate Signing Request), which is sent to the Certificate Authority (CA) that generates the certificate. Sodium's starting point for the CSR is a directory entry that holds information on the entity to be certified. The SubjectAltName information will usually be held as attributes in the directory entry, so Sodium makes it straightforward to include SubjectAltName values derived from appropriate attributes in the directory entry. SubjectAltName values can also be manually entered into the CSR.
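As an added example (not Sodium's own code), the following Go program shows the idea behind the CSR step described above: a PKCS#10 request whose SubjectAltName values are derived from a directory entry's attributes, plus one manually entered name, is built and then parsed back and signature-checked before it would be handed to a CA. The entry is constructed inline, and the attribute-to-SAN mapping (mail to rfc822Name, associatedDomain to dNSName) is an assumption for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"strings"
)

// DirEntry is a constructed stand-in for an LDAP/DAP entry (attribute -> values).
type DirEntry map[string][]string

// sanFromEntry derives SubjectAltName values from entry attributes.
// The mapping used here is an assumption for the example, not Sodium's.
func sanFromEntry(e DirEntry) (dns, emails []string) {
	emails = append(emails, e["mail"]...)
	for _, v := range e["associatedDomain"] {
		dns = append(dns, strings.ToLower(v)) // DNS names are case-insensitive
	}
	return dns, emails
}

// buildCSR creates a PEM-encoded PKCS#10 request for the entry, with SAN values
// derived from its attributes plus any manually supplied DNS names.
func buildCSR(e DirEntry, extraDNS []string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	dns, emails := sanFromEntry(e)
	tmpl := &x509.CertificateRequest{
		Subject:        pkix.Name{CommonName: first(e["cn"]), Organization: e["o"]},
		DNSNames:       append(dns, extraDNS...),
		EmailAddresses: emails,
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// csrSANs parses a PEM CSR, verifies its self-signature (proof of possession of
// the private key) and returns the SAN values a CA would see.
func csrSANs(pemCSR []byte) (dns, emails []string, err error) {
	block, _ := pem.Decode(pemCSR)
	if block == nil {
		return nil, nil, fmt.Errorf("no PEM block in CSR")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, nil, err
	}
	return csr.DNSNames, csr.EmailAddresses, nil
}

func first(v []string) string {
	if len(v) > 0 {
		return v[0]
	}
	return ""
}
```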
PKI Display and Checking
There is a close relationship between an X.509 PKI (Public Key Infrastructure) and an X.500/LDAP directory. It is common practice to store certificates, CRLs (Certificate Revocation Lists) and other PKI information in a directory. For a complex PKI with multiple Certification Authorities (CAs) there will be many entities publishing related information into the directory, which can be complex to manage. Sodium helps to manage PKI information in the directory for two types of target user:
- Those deploying Isode products, which make use of PKI to support digital signatures for a number of peer authentication and other security features. This is part of the management tool set in support of an Isode deployment.
- Those operating a PKI for other purposes, and simply using Isode servers to hold the data.
Sodium provides detailed display of PKI objects, in particular Certificates, Cross Certificate Pairs and CRLs, in order to make more useful information available to the manager. It also provides a specialized PKI view that displays only PKI-relevant information (shown in the screenshot above).
As a part of Certificate display, Sodium provides an option to verify the certificate. This will be done using trust anchors and other verification settings from the bind profile, so multiple profiles can be defined to give different checking environments. The checks use the same verification libraries as the Isode client and server products, so this is helpful to diagnose authentication configuration problems with Isode servers, as well as general purpose checking of PKI correctness.
Security Policy, Security Label and Security Clearance Capabilities
Sodium provides support for Security Labels, Security Policy, and Security Clearances. The above screenshot shows how Sodium displays an entry that has a Security Label. The strings displayed on the screen, the tooltip, and the colour are controlled by the Security Policy of the Security Label. Sodium loads the Security Policy from the M-Vault server it is managing, and can also be used to set or update that Security Policy by means of an attribute in the DSA entry. Alternatively, Security Policy can be configured in the bind profile, by reference to a Security Policy entry in the directory. Sodium provides GUI management of:
- Security Labels associated with entries in the directory.
- Security Clearances associated with Directory Users.
- Security controls for the DSA, on Security Labels associated with data that can be stored and Security Clearance of users that can bind to the directory.
Security Labels and Security Clearances can be selected from a Security Catalog, which may be configured along with the Security Policy.
Sodium is Security Policy aware, but not Security Policy enforcing. Security Policy is enforced by M-Vault.
Directory Services Interface
The Directory Services Interface (DSI) consists of four web-based applications, all shipped with Isode's M-Vault Directory Server:
- Personal Information Manager: Enabling personal information management (including password changes and white pages information) together with a contacts and Groups browser
- Directory: An interface to contact details held in the directory
- Phonebook: A simple phonebook listing of contacts in the directory
- Password Manager: An interface for system operators
Support for Password Policy
DSI provides users with flexible access to the Isode directory services, without requiring a directory client to be installed on the desktop. DSI supports password policies set in the directory, including account locking, password aging and the exclusion of special accounts from the password policy.
DSI provides a password manager Web operator interface to enable appropriately privileged operators to reset user passwords.
DSI also provides a Web interface as part of the personal information manager to enable users to reset their own passwords, making use of an email containing a "one time" URL. Details are given in this blog post.