Case Study: DirXML Implementation at Waste Management Rick Wagner Systems Engineer Novell, Inc.



© March 18, 2004 Novell Inc.

The one Net vision

one Net: Information without boundaries… where the right people are connected with the right information at the right time to make the right decisions.

• Novell exteNd™
• Novell Nsure™
• Novell Nterprise™
• Novell Ngage℠


The one Net vision

Novell Nsure solutions take identity management to a whole new level. Novell Nsure gives you the power to control access so you can confidently deliver the right resources to the right people — securely, efficiently, and best of all, affordably.

Novell Nsure™



Company Background


Company Information

Waste Management, Inc.
• HQ: Houston, Texas
• Employees:
– 55,000 full time
– 10,000 - 15,000 contractors

As the leading provider of comprehensive waste management services, Waste Management serves municipal, commercial, industrial and residential customers throughout the United States, Canada and Puerto Rico.


The Situation

History
• Significant growth in 1998 through 2000
• Acquired an average of one company per day
• Each acquisition was run independently
• No central application suite

Business Drivers
• High level and consistency of customer service
• Business process enabling
• Single sign on
• Consistent application of security policies


Formulating a Solution


The Solution

Novell DirXML/eDirectory
• eDirectory 8.7 and DirXML 1.1a

PeopleSoft Enterprise Portal
• Enterprise Portal 8.4, Upgrading to 8.8
• HR 7.5 (Upgrading to HR 8.8)
• Financials 8.4 (Upgraded from Financials 7.5)

Netegrity SiteMinder
• Policy Server 5.5 SP1


Components That Make Up the System

• SiteMinder: Netegrity’s SiteMinder supplies single sign on authentication and policy based resource authorization
• Web Server: IBM HTTP (Apache) and IIS Web Servers serve the applications
• eDirectory: eDirectory is the Meta Directory
• DirXML: DirXML is the glue used for aggregating and synchronizing users and application roles


Automated User Provisioning

Users created in Active Directory and pushed to Meta Directory by DirXML

As an Active Directory account (including password) is updated, the change is automatically pushed to the user’s account in eDirectory

Near Future – synchronize user information in PeopleSoft HR with Meta Directory

Future – automated security assignments


Synchronized Role Based Access Control

PeopleSoft security is maintained in the applications (Permission Lists)

Application roles pushed to the Meta Directory using DirXML

User’s role assignment(s) maintained in Meta Directory


Centralized Security Administration

Separation of roles from application access control management

Delegated administration

Consistent application of corporate security policies

Consistent interface minimizes training


Implementing the Solution


Putting It All Together

Diagram components: Active Directory, DirXML, Meta Directory, Policy Engine, Web Server, Application Server, Application Security Store

• Users are created in Active Directory and pushed to the Meta Directory by DirXML
• Application Security Administrator defines the Application Roles and the Roles are pushed to the Meta Directory by DirXML
• Users are assigned Roles in the Meta Directory using the Administration System
• User requests access to Application
• Policy Engine reads Policies and Roles from Meta Directory
• Policies enforced at web server
• Web Server passes Roles to Application Server as header variables
• User is served appropriate content and functionality for their Role assignments


Security Process

Diagram components: eDirectory, SiteMinder, Policy Engine, PeopleSoft Database, Apache Web Server, PeopleSoft Server

• User requests http://wmvisorep.wm.com in their browser
• If the user is not already authenticated to SiteMinder, the Web Agent automatically logs into the Portal as DEFAULT_USER using a custom login.fcc file
• The Portal Guest Page is displayed
• User enters their user ID and password and posts the credentials to the SiteMinder login.fcc
• SiteMinder authenticates the user against their Directory account and checks the user's authorization for accessing the Portal
• SignOn PeopleCode in PS App Server executes. User ID is passed to PS Server as header variable
• If the user’s account does not exist in the Portal it is created
• The user’s roles, permission lists and things like email address and user description are dynamically added
• Netegrity PeopleSoft Connector checks Portal and SiteMinder sessions to make sure that they are the same user
• The user is presented with their personalized view of the portal
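
Added example, not part of the original presentation: a sketch of how an application server that receives the user ID and roles as header variables could validate them before acting on them, including a same-user check like the one the connector performs. The header names, address range and role names are assumptions made for illustration.

```python
import ipaddress

# Assumptions for this sketch; none of these values come from the slides.
TRUSTED_WEB_SERVERS = [ipaddress.ip_network("10.0.5.0/28")]  # constructed range
USER_HEADER = "x-auth-user"    # hypothetical header set by the web agent
ROLES_HEADER = "x-auth-roles"  # hypothetical header, roles separated by ";"
KNOWN_ROLES = {"AP_CLERK", "HR_VIEWER", "PORTAL_ADMIN"}  # constructed roles


class HeaderTrustError(Exception):
    """Identity headers on this request must not be trusted."""


def identity_from_headers(peer_ip, headers, portal_session_user=None):
    """Return (user, roles) from web-agent headers or raise HeaderTrustError.

    headers is a list of (name, value) pairs so duplicates stay visible.
    """
    # 1. Header variables carry authority only when the request came through
    #    the policy-enforcing web server; a direct client could set them itself.
    addr = ipaddress.ip_address(peer_ip)
    if not any(addr in net for net in TRUSTED_WEB_SERVERS):
        raise HeaderTrustError("request did not arrive via a trusted web server")

    # 2. Names are case-insensitive and "_" is often folded to "-" on the way
    #    to the application, so normalise first and reject duplicates.
    seen = {}
    for name, value in headers:
        key = name.lower().replace("_", "-")
        if key in (USER_HEADER, ROLES_HEADER):
            if key in seen:
                raise HeaderTrustError(f"duplicate identity header: {name}")
            seen[key] = value.strip()

    user = seen.get(USER_HEADER, "")
    if not user:
        raise HeaderTrustError("missing user header")

    # 3. Same-user check: an existing application session must belong to the
    #    user the web agent authenticated.
    if portal_session_user is not None and portal_session_user.lower() != user.lower():
        raise HeaderTrustError("portal session and web-agent user differ")

    # 4. Keep only roles the application actually defines.
    roles = {r.strip() for r in seen.get(ROLES_HEADER, "").split(";") if r.strip()}
    return user, roles & KNOWN_ROLES
```
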


Software Configuration

• WebLogic Application Servers: WebLogic 6.1 SP2
• Web Servers: IBM HTTP Server 1.3.19, Netegrity Apache Web Agent V5QMR2
• SiteMinder Policy Servers: Netegrity SiteMinder Policy Server 5.5 SP1
• eDirectory LDAP Servers: Novell eDirectory 8.7, DirXML 1.1a
• Database: Oracle 9.2.0.2, PeopleTools 8.42.05, Tuxedo 6.5
• Batch Server: Oracle 9.2.0.2, PeopleTools 8.42.05, Tuxedo 6.5
• PeopleSoft Application Servers: Netegrity PeopleSoft Connector 1.2


General Disclaimer

This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Novell, Inc., makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.

No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.