Directory services are a critical military component, used for tactical and strategic systems. Military directories, standardized in ACP 133, are used to provide information services, support of military messaging, and as supporting infrastructure for other applications such as PKI (Public Key Infrastructure).
Military Directory Architecture
A military directory, as illustrated below is provided by a number of directory servers. A key goal of a military directory is that the data needed by a client will be in its local directory server and replication of data between servers achieves this. This means that a client is only dependent on the local directory server and not on external network access. This provides high resilience and survivability.
A military directory supports a range of applications, including direct user access (e.g., white pages service), access by desktop applications (e.g., mail clients) and access by server applications (e.g., military messaging servers). Access to a military directory usually uses LDAP (Lightweight Directory Access Protocol). Other protocols for a military directory are specified by ACP 133 and discussed below.
There is a requirement to administer data in the military directory, and security is critical to both data and directory administration.
Directory data is shared with partners (cross domain), so the replication model of a military directory extends to support partner directories. Data should not be changed between directories – consistent naming is important to enable communication and essential for secure applications relying on digital signatures. Only selected data is replicated externally, to save resource and to share information on a "need to know" basis.
What Isode Provides
Isode provides all of the servers and management tools needed to build a military directory:
- Directory Server. Isode's M-Vault directory server is the core component of Isode's military directory solution, providing:
  - ACP 133 Conformance.
  - Flexible replication.
  - Security features.
- Secure Administration. Isode's Sodium (Secure Open Data, Identity & User Manager) provides secure GUI management of data in a military directory.
- Directory Provisioning, provided by general purpose tools and by Isode’s messaging and XMPP application management tools.
- Directory Synchronization with partner organizations and local directories using Sodium Sync.
- Operational Management. Isode provides tools for operating directory services, and integration with standard network management systems.
Together, these provide a full military directory solution.
Conformance is critical for military directories. The primary definition of military conformance is ACP (Allied Communication Publication) 133 "Common Directory Services and Procedures". ACP 133 is based on the ISO/ITU X.500 Directory Standard, and makes use of X.500 protocols for replication and directory management. LDAP, the Internet Standard Lightweight Directory Access Protocol, is also based on X.500, and is generally the preferred protocol for military clients and military applications to read data from an ACP 133 directory. Data updates are usually done using X.500 DAP, as this offers additional security features.
Further information on the ACP 133 directory is provided in the Isode white paper ACP 133: The Military Directory Standard.
Directory Security & Strong Authentication
Security features are an important element of ACP 133 directory and Isode's solution. Strong authentication and related capabilities using digital signatures are central to directory security. All of the directory protocols used by M-Vault make use of digital signatures based on X.509 PKI (Public Key Infrastructure) to provide peer authentication and signed operations. PKI based security has a number of advantages for military directory:
- It provides a higher level of security than using passwords.
- It can be used with smart cards to provide two factor authentication.
- It enables security features, such as signed operations, that cannot be achieved with other mechanisms.
- It reduces administrative costs, particularly for server to server configuration.
More information on strong authentication is provided in two Isode white papers:
- Why Strong Authentication for Directory?
- The Security and Administrative Benefits of using X.509 PKI based Strong Authentication
Signed operations enable digital signatures to be applied to every operation and to returned results and errors. Isode recommends use of signed operations for all directory updates, and this is straightforward to configure in M-Vault. Further information is given in the Isode white paper: Directory Signed Operations.
Complementing the PKI based authentication and signed operations, Isode provides a number of important security features including:
- Access Control. X.500 gives flexible access control that is used in conjunction with authentication to control access to and update of data.
- Security Label based access control, described in the white paper "Using Security Labels for Directory Access Control and Replication Control".
- Audit Logging. Isode provides detailed audit logging, which is important for a secure environment.
Replication and Distribution
A key benefit of using a directory is that data can be highly distributed. In a commercial environment, distribution is primarily used to optimize performance and to avoid a single point of failure. In a military environment, there are more stringent resilience requirements, and it is critical that local systems have minimal external dependencies. This leads to four key points about the structure of a military directory:
- Chaining (protocol connection between two directory servers), using X.500 DSP (Directory System Protocol), is often not used. Directory servers are configured to either return data or to pass responsibility back to the client.
- Need to always have a directory. Applications and users that require directory access should not have to rely on availability of a remote directory. This will generally mean that a military deployment will use a larger number of servers than a commercial one, in order to provide servers at all locations.
- Data is highly replicated, using X.500 DISP (Directory Information Shadowing Protocol). The goal is to ensure that all data required is held in the local server. This means that military directories will generally make extensive use of replication.
- Security. Replication must be secure, and the strong authentication and signed operation capabilities of DISP make it ideal.
A simplistic interpretation of this approach would lead to all data in all servers. There are two reasons why this is not done in practice:
- Need to know. Data on people and resources should not be replicated onto servers where there is no requirement for users to have access to that data.
- Bandwidth and resource constraints. Often servers will be connected with slow links. It is undesirable to spend resource on replicating data which is not needed on the remote server.
X.500 DISP provides capabilities that make it straightforward to provide selective replication and meet these two requirements. These include attribute filtering (to remove attributes that are not needed) and "chop", which enables entries and parts of the directory information tree to be selectively replicated. This is a powerful part of the X.500 architecture that is useful for building a military directory, and it is implemented in M-Vault.
Some military directory deployments have suggested use of directory synchronization products (meta-directories) to achieve complex replication scenarios. These techniques generally use LDIF (LDAP Data Interchange Format), which relies on a common interpretation of string formats that may not be standardized. Isode believes that this approach adds unnecessary complexity and will reduce robustness and security. Isode strongly recommends use of advanced X.500 DISP replication to build robust replicated directory deployments using open standards.
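To make the selective replication described above concrete, here is an added example (not Isode or M-Vault code) that models a DISP unit of replication in Python: an area given by a base entry trimmed with chopBefore/chopAfter exclusions, plus an attribute selection, applied to a constructed sample DIT so that the need-to-know and bandwidth points from the list above are visible in what the consumer actually receives.

```python
from dataclasses import dataclass, field
from typing import Optional
# A DN is a tuple of RDN strings, root first, e.g. ("c=XX", "o=Defence", "ou=HQ").
@dataclass
class UnitOfReplication:
    """Area (base plus chop) and attribute selection a shadow consumer receives."""
    base: tuple                                    # root of the replicated subtree
    chop_before: set = field(default_factory=set)  # drop this entry and its subtree
    chop_after: set = field(default_factory=set)   # keep this entry, drop its subordinates
    include_attrs: Optional[set] = None            # attribute types to ship (None = all)

def _under(prefix: tuple, dn: tuple) -> bool:
    return dn[:len(prefix)] == prefix

def in_area(uor: UnitOfReplication, dn: tuple) -> bool:
    """True if the entry named by dn lies inside the chopped subtree."""
    if not _under(uor.base, dn):
        return False
    if any(_under(c, dn) for c in uor.chop_before):                      # chopBefore
        return False
    return not any(_under(c, dn) and dn != c for c in uor.chop_after)    # chopAfter

def shadow(uor: UnitOfReplication, dit: dict) -> dict:
    """The consumer's copy: area-selected entries with only the selected attributes."""
    keep = uor.include_attrs
    return {dn: {a: v for a, v in attrs.items() if keep is None or a in keep}
            for dn, attrs in dit.items() if in_area(uor, dn)}

# Constructed sample DIT (not real data) held by the supplying server.
SAMPLE_DIT = {
    ("c=XX",): {"objectClass": ["country"]},
    ("c=XX", "o=Defence"): {"objectClass": ["organization"]},
    ("c=XX", "o=Defence", "ou=HQ"): {"objectClass": ["organizationalUnit"]},
    ("c=XX", "o=Defence", "ou=HQ", "cn=Alice"): {"cn": ["Alice"], "userPassword": ["x"]},
    ("c=XX", "o=Defence", "ou=Unit1"): {"objectClass": ["organizationalUnit"]},
    ("c=XX", "o=Defence", "ou=Unit1", "cn=Bob"): {"cn": ["Bob"], "mail": ["bob@example.org"],
                                                  "userPassword": ["x"]},
    ("c=XX", "o=Defence", "ou=Intel"): {"objectClass": ["organizationalUnit"]},
    ("c=XX", "o=Defence", "ou=Intel", "cn=Carol"): {"cn": ["Carol"]},
}

def partner_shadow() -> dict:
    """Agreement for a partner over a slow link: Defence subtree only, HQ kept as an
    empty placeholder, Intel withheld (need to know), white-pages attributes only."""
    uor = UnitOfReplication(base=("c=XX", "o=Defence"),
                            chop_after={("c=XX", "o=Defence", "ou=HQ")},
                            chop_before={("c=XX", "o=Defence", "ou=Intel")},
                            include_attrs={"objectClass", "cn", "mail"})
    return shadow(uor, SAMPLE_DIT)
```

The resulting copy carries four entries and no userPassword values, which is what the partner server needs for white pages and nothing more.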
Further information on the use of X.500 DISP for replication to meet military requirements is given in the Isode white paper Building a Highly Replicated Directory: The Case for X.500 DISP.
M-Vault provides a failover capability to provide a live backup for a master directory. This is described in the Isode white paper M-Vault Failover and Disaster Recovery.
Finally, M-Vault provides for a multi-master capability. This provides benefits in many scenarios and is described in ACID Multi-Master Replication in M-Vault Directory.
While directory synchronization is not the best choice for core directory replication, it is an important part of many military directory deployments, due to the need to integrate data from multiple directories and to support LDAP directories that do not support open standard replication.
Where there is a need to share directory information with partner organizations, or to integrate information from systems that do not support ACP 133 and X.500 DISP, Sodium Sync provides flexible data sharing. This includes synchronization by email and over air gap as described in Directory Replication by Email and over 'Air Gap'.
Client and User Access
Client protocol access to a military directory may use either X.500 DAP or LDAPv3. M-Vault supports both of these protocols. For applications that make updates to the directory, Isode recommends use of X.500 DAP, using strong authentication and signed operations. This approach, with its security benefits, is supported by all Isode tools that modify data in the directory.
LDAP is widely supported in many applications and LDAP provides good functionality to access the directory, provides data confidentiality (using Transport Layer Security (TLS)), and gives a range of authentication mechanisms, including strong authentication when used in conjunction with Simple Authentication and Security Layer (SASL). For applications that only read data from the directory, LDAP is generally a good choice.
Data can be accessed by Web applications, and Isode's DSI (Directory Services Interface) gives flexible end user Web access to ACP 133 directory data. A number of phone book and directory search capabilities are provided, along with options for Web management of user passwords.
The ACP 133 directory can also support other client applications. Isode's Military XMPP solution makes use of users configured in the directory to provide lookup information. A good example is Isode's military messaging solution, which makes use of the ACP 133 directory to provide user, white pages and user capability information. The screenshot above shows the Harrier military messaging client making use of directory information for address lookup. The directory is also used to hold configuration information. Generally this access uses LDAP, complemented by messaging configuration management tools that use X.500 DAP with signed operations to make configuration changes.
Managing Data in a Military Directory
A military directory holds data that needs to be managed. The tool to do this is often referred to as an ADUA (Administrative Directory User Agent). Sodium (Secure Open Directory, User and Identity Manager) is Isode’s ADUA. Sodium provides a flexible GUI for data administration with features of particular importance for Military use:
- Use of Strong Authentication and Signed Operations may be chosen for all operations.
- Support for the entire ACP 133 schema, so that any military information may be conveniently extended.
- Display of data based on XML templates that may be adapted for local requirements.
- Templates for convenient entry and display of structured attributes.
- Integrated management of PKI (X.509) data and associated identity management.
Isode’s applications also provide provisioning capabilities. For military messaging, MConsole provides capabilities for STANAG 4406 and SMTP mailbox management with capability and white pages information. M-Link Console supports directory provisioning for XMPP usage.
In order to set up a distributed military directory, it is necessary to set up individual directory servers, and to manage replication agreements. This configuration can become complex. Isode provides the M-Vault Console GUI that is used for setting up single servers and for configuring distributed operations, security, and replication.
The military directory is critical infrastructure that is important in itself and as support for other applications. It is important to monitor servers for availability and correct operation. Isode provides two approaches to achieve this.
The first approach is use of SNMP (Simple Network Management Protocol). Isode's M-Vault X.500 can be monitored with standard SNMP management tools. The advantage of SNMP is that it enables operational management to be integrated with management of networks and other components through a single operator interface.
The second approach is Isode's M-Vault Console tool, which provides GUI monitoring of one or more M-Vault directory servers. M-Vault Console also has knowledge of directory replication and can monitor replication agreements from both ends. This is important to ensure that all servers are up to date with the most recent information.
In conclusion: Why Isode?
Isode provides a complete solution for Military directory. Important characteristics of the Isode solution:
- Comprehensive security, including strong authentication for all directory protocols and signed operations, identity based access control and security label based access control.
- Full ACP 133 support and conformance, including GUI support for data administration.
- Replication options, including X.500 DISP and Multi-Master.
- Flexible directory synchronization with LDAP directories.
- Comprehensive management and operational tools.
- Mature and robust products deployed for many years in demanding operational environments.