CA Single Sign-On (CA SSO), The Innocent Bystander
Alec Cartwright
Security
BT PLC
Identity Services Architect
SCX14S
#CAWorld
2 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
© 2015 CA. All rights reserved. All trademarks referenced herein belong to their respective companies.
The content provided in this CA World 2015 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.
For Informational Purposes Only
Terms of this Presentation
Abstract
You may be familiar with the refrain “I can’t login, it must be my single sign on that’s failed.”
In this presentation I will take a look at BT’s experience of running a CA Single Sign-On (CA SSO) infrastructure; what we have done to reduce the chance of failures and to quickly diagnose issues to get them to the right people who can fix them.
Alec Cartwright
BT
Identity Services Architect
Agenda
1. WHERE DOES BT USE CA SSO
2. HOW DO WE STAY CALM
3. WE CAN ALWAYS GET MORE
4. SUMMARY
BT Overview
Communication Services and Broadcaster
• BT operates in 170 countries
• Revenue 18 bn (£ GBP)
User Identities
• 150,000 employees and partners
• 27M+ online customers
Where is CA SSO Used
450+ applications
• Customer facing portals
• Internal applications
50+ federations
• Services behind customer products
• Employee services
Includes many critical to BT’s ability to trade
• Cost BT
• Impact BT’s brand
So When Things Go Wrong…
It’s easy to blame CA SSO
Availability Requirements
Must always be available
• 99.995% availability target
• No scheduled down time
• There are some “very hot” times
Transaction volumes
• 30M transactions per day
• Peaks of 7,000+ TPS
We Needed to…
Architect CA SSO for maximum availability
Know the health of the infrastructure
Have processes that
• Quickly identify issues
• Send details to the people who can fix the problem
Policy Server – Local Resilience
Single build for all policy servers
Cluster of 3 policy servers
Use web agent load balancing
Service still resilient if one is lost
Allows in service upgrades
[Diagram: Application Web Server → Web Agent Load Balancing → Policy Servers]
Policy Servers – Geographic Resilience
Agent failover across all sites
Be careful – don’t configure failover storms
[Diagram: Application Web Server → Web Agent Failover → Policy Servers at Site 1, Site 2, Site 3, Site 4, Site 5]
We Need to Always Take Orders
Split consumer / employee applications
One will always be working
Separate policy stores
Other Stuff
Components
• Federation servers
• Policy/Key/Session store database
• Login servers
• Admin servers
• Load balancers and switches
Set Thresholds
All is OK
Attention: WARNING
It’s getting critical: ALERT
Basic Monitoring
• CPU
• Memory
• Disk usage
• Processes
Policy Servers
Oneview Monitor
• Server Queue Length
• Priority Queue Length
Log files
• “Connection Dead”
• “Timeout Expired”
• “Failed to connect to datasource”
• “Unexpected Network Error”
• “Wait Timeout. Code is”
• “Delete of tombstone failed”
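As an added example (not from the presentation or BT's tooling), a small Python checker that scans policy server log lines for the strings listed above and maps the hit counts onto the OK / WARNING / ALERT levels from the Set Thresholds slide. The sample log lines, their layout and the WARN_AT / ALERT_AT thresholds are constructed assumptions.

```python
from collections import Counter

# Policy Server log strings the slide lists as worth watching for.
PATTERNS = [
    "Connection Dead",
    "Timeout Expired",
    "Failed to connect to datasource",
    "Unexpected Network Error",
    "Wait Timeout. Code is",
    "Delete of tombstone failed",
]

# Assumed per-pattern thresholds for one monitoring window: below WARN_AT is OK.
WARN_AT = 2
ALERT_AT = 5

# Constructed sample lines (timestamp, level, source, message); not real policy server output.
SAMPLE_LOG = """\
[10/Nov/2015:09:00:01] [ERROR] [CServer.cpp] Connection Dead to policy store
[10/Nov/2015:09:00:02] [INFO]  [CServer.cpp] Authenticated user jdoe
[10/Nov/2015:09:00:03] [ERROR] [CServer.cpp] Connection Dead to policy store
[10/Nov/2015:09:00:04] [ERROR] [SmDsLdap.cpp] Failed to connect to datasource ldap://ps1:389
[10/Nov/2015:09:00:05] [ERROR] [CServer.cpp] Connection Dead to policy store
[10/Nov/2015:09:00:06] [ERROR] [CServer.cpp] Connection Dead to policy store
[10/Nov/2015:09:00:07] [ERROR] [CServer.cpp] Connection Dead to policy store
[10/Nov/2015:09:00:08] [ERROR] [SmUserCache.cpp] Wait Timeout. Code is 1
"""

def count_matches(log_text):
    """Count how many log lines contain each watched string (case-sensitive substring match)."""
    counts = Counter()
    for line in log_text.splitlines():
        for pattern in PATTERNS:
            if pattern in line:
                counts[pattern] += 1
                break  # one hit per line is enough
    return counts

def classify(count):
    """Map a count to the three-level scale used on the Set Thresholds slide."""
    if count >= ALERT_AT:
        return "ALERT"
    if count >= WARN_AT:
        return "WARNING"
    return "OK"

def evaluate(log_text):
    """Return {pattern: (count, status)} for every watched pattern, zero counts included."""
    counts = count_matches(log_text)
    return {p: (counts[p], classify(counts[p])) for p in PATTERNS}

def overall_status(log_text):
    """Worst status across all patterns, i.e. what a dashboard tile would show."""
    rank = {"OK": 0, "WARNING": 1, "ALERT": 2}
    return max((s for _, s in evaluate(log_text).values()), key=rank.__getitem__)

if __name__ == "__main__":
    for pattern, (n, status) in evaluate(SAMPLE_LOG).items():
        print(f"{status:8} {n:3}  {pattern}")
    print("overall:", overall_status(SAMPLE_LOG))
```

In production the window would be a tail of the live log rather than a fixed string, and the thresholds tuned per site to the baseline rate of each message.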
Test Page
On CA SSO team’s infrastructure
Simple policy – a page protected for all users
Confirms infrastructure is working
Helpdesk can walk users through access
More to Do
CA APM being deployed
• Improved level of monitoring
• Identify baseline
• Set alerts
Deploy CA Directory
• Improved policy store resilience
What We Have Achieved
100% availability for the service
We proactively warn about developing issues
CA SSO is seen as the “Innocent Bystander”
Recommended Sessions
SESSION #  TITLE                                                      DATE/TIME
SCT05S     Roadmap: CA Advanced Authentication and CA Single Sign-On  11/18/2015 04:30 PM
SCT30S     Panel: Securing you in the Cloud                           11/19/2015 02:00 PM
For More Information
To learn more, please visit:
http://cainc.to/Nv2VOe