Password synchronization architecture and workflow

The Security Directory Integrator password synchronizer architecture consists of four layers, which we can combine to build the required password synchronization solutions.

The layers of the SDI Password Synchronizer architecture are shown in the following figure.

Figure: SDI password synchronizer architecture

The Target System in the diagram depicts the software system where you want to intercept password changes. The Password Synchronizer component hooks into the Target System with custom interfaces provided by the Target System. The Password Synchronizer component intercepts password changes as they occur in the Target System and before the password is hashed irreversibly.

The Java Proxy component is a proxy that receives passwords from the server plug-in and redirects them to the Password Store component. The proxy acts as a container for the Password Store: it manages the lifecycle of the Password Store and handles inter-process communication with the SDI plug-ins.

The Java Proxy logs any errors in the configured log file. If an initialization error is raised, the Java Proxy fails to load the Password Store. If a run-time error occurs, the error is logged for later investigation, but the server continues to run, which provides high availability during a temporary environmental change or failure.

The Password Store component is deployed on the Target System. When the Password Synchronizer intercepts a password change, it sends the password to the Password Store by using the Java Proxy process. The Password Store encrypts the password and sends it to the Password Storage.

The Password Storage component is the second layer in the architecture. It represents a persistent storage system, for example an LDAP directory or IBM WebSphere® MQ Everyplace®. In the storage system, the intercepted, encrypted passwords are stored in a form and location that are accessible from SDI. The Password Storage can reside on the Target System or on another system in the network.

The SDI, the third layer of the architecture, uses a Connector component to connect to the Password Storage and retrieve the stored passwords. In the SDI, the passwords are decrypted and made available to the AssemblyLine, which synchronizes them with other systems. The SDI can be deployed on a system different from both the Target System and the Password Storage system.

The systems with which passwords are synchronized from the Target System represent the fourth and final layer of the architecture, following the direction of data flow. The password synchronization AssemblyLine is responsible for connecting to these systems and updating the passwords.
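The four-layer flow described above, as an added illustrative model that is not part of the SDI product or its documentation: a Target System hook hands the clear-text change to a proxy-hosted store, the store encrypts before anything is persisted, a dictionary stands in for the LDAP or MQ Password Storage, and the SDI-side connector verifies and decrypts before the AssemblyLine updates downstream systems. Every class and function name is hypothetical, and the encrypt-then-MAC construction built from HMAC-SHA256 is a stand-in for whatever cipher the product uses; the point is the security boundary, which is that only ciphertext ever reaches the storage layer, that a tampered record is rejected, and that a storage outage is logged by the proxy without taking the Target System down.

```python
"""Model of the layered password-synchronization data flow (illustrative only)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive a purpose-specific key so encryption and MAC never share one key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for the product's cipher)."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; the record layout is nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    body = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting so a tampered record is rejected."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, stream))


@dataclass
class PasswordStorage:
    """Layer 2: persistent backend; a dict stands in for an LDAP directory or MQ queue."""
    records: dict = field(default_factory=dict)
    fail: bool = False  # set to simulate the backend being unreachable

    def put(self, user: str, blob: bytes) -> None:
        if self.fail:
            raise ConnectionError("password storage unreachable")
        self.records[user] = blob

    def drain(self) -> list:
        items = list(self.records.items())
        self.records.clear()
        return items


class PasswordStore:
    """Hosted in the Java Proxy on the Target System: encrypts, then hands off."""
    def __init__(self, key: bytes, storage: PasswordStorage):
        self.key, self.storage = key, storage

    def receive(self, user: str, password: str) -> None:
        self.storage.put(user, encrypt(self.key, password.encode()))


class JavaProxy:
    """Container for the Password Store; logs run-time errors and keeps running."""
    def __init__(self, store: PasswordStore):
        self.store, self.log = store, []

    def forward(self, user: str, password: str) -> bool:
        try:
            self.store.receive(user, password)
            return True
        except Exception as exc:  # run-time error: log it, do not take the target down
            self.log.append(f"{user}: {exc}")
            return False


class PasswordSynchronizer:
    """Layer 1 hook: sees the change on the Target System before it is hashed."""
    def __init__(self, proxy: JavaProxy):
        self.proxy = proxy

    def on_password_change(self, user: str, new_password: str) -> bool:
        return self.proxy.forward(user, new_password)


class SdiConnector:
    """Layer 3: fetches stored records, decrypts them, and feeds the AssemblyLine."""
    def __init__(self, key: bytes, storage: PasswordStorage, targets: list):
        self.key, self.storage, self.targets = key, storage, targets

    def run_assembly_line(self) -> list:
        synced = []
        for user, blob in self.storage.drain():
            password = decrypt(self.key, blob).decode()
            for target in self.targets:  # layer 4: downstream systems being updated
                target[user] = password
            synced.append(user)
        return synced


def demo() -> dict:
    """Wire the layers together and report what each one saw (constructed sample data)."""
    key = secrets.token_bytes(32)
    storage = PasswordStorage()
    hook = PasswordSynchronizer(JavaProxy(PasswordStore(key, storage)))
    hook.on_password_change("alice", "Sample-Pw-1")
    stored_blob = storage.records["alice"]
    downstream = [{}, {}]
    synced = SdiConnector(key, storage, downstream).run_assembly_line()
    storage.fail = True  # storage outage: the proxy logs it and the hook keeps running
    accepted = hook.on_password_change("bob", "Sample-Pw-2")
    return {"plaintext_in_storage": b"Sample-Pw-1" in stored_blob, "synced": synced,
            "downstream": downstream, "outage_accepted": accepted,
            "proxy_log_entries": len(hook.proxy.log)}
```

Run `demo()` to see the flow end to end: the storage record never contains the clear-text password, both downstream systems receive it only after the SDI-side connector has verified and decrypted the record, and the simulated outage leaves one entry in the proxy log while the Target System hook simply reports that the change was not forwarded.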


Parent topic: Introduction to password synchronization plug-ins