
Identity and Security Management Kevin Unthank Senior Product Manager Red Hat Security Management Products Cloud Business Unit.


1 Identity and Security Management Kevin Unthank Senior Product Manager Red Hat Security Management Products Cloud Business Unit

2 Why customers care about Identity and Security Management
1. Compliance (Because they have to): FIPS201, HSPD-12, SOX, PCI, HIPAA, GLB
2. Risk reduction (To protect money, data, reputation)
3. Increase efficiency of IT (And therefore save costs)
4. Enable their business (And bring in new revenue streams)

3 Red Hat and Netscape
On December 8, 2004, Red Hat acquired assets from AOL's Netscape Security Solutions business unit, including currently shipping products:
- Netscape Certificate Management System (Red Hat Certificate System)
- Netscape Directory Server (Red Hat Directory Server)
Initial efforts were focused on building a tighter relationship between the Netscape products and Enterprise Linux.
Acquisitions of JBoss, Identyx & Qumranet and new technologies such as MRG now provide an extension for the identity management technologies into the Cloud, Application and Web Services space.

4 Red Hat Directory Server
- Standards compliant LDAP v2 and v3 Directory Server
- High performance, availability and scalability through multi-master replication
  - Data redundancy for failover, load balancing
  - Simultaneous update with conflict resolution
  - No single point of failure, fault tolerance

5 What does Red Hat Directory Server provide?
- Centrally store vital security data
  - Identity
    - Username, data, password, organization, groups
    - Machine name, groupings
    - Sync info with Microsoft Active Directory
  - Policy
    - Application Settings
    - User Profiles
    - Access Control Information
  - Directory, not a database
    - Read optimized
    - Organized around users, machines, and policy
    - LDAP
- Manage this data
  - GUI or command line
- Make security data highly available
  - Replicate
- Authenticate users
  - Widely supported; OS access through NIS or PAM “gateway”
  - Supports Kerberos via SASL
  - Integrated support for X.509 certificates
  - Can call out to databases, legacy systems via plug-in API
- Control access at a fine level
  - Using external criteria like type of connection, day of week/time, hostname/IP
  - Using groups (“engineering”) or roles (“managers”)

6 Red Hat Directory Server Release
Red Hat Directory Server 8.2 – July 27th, 2010
- Maintenance and bug fix release
- Security enhancements
  - Salted MD5 password hash
  - Require secure connections for simple binds
  - Require a minimum security factor for server connections
- Improved Standards Compliance
  - Syntax validation
  - Updated DN syntax
  - Support for Dereferencing Searches
  - Support for Bitwise Filters
*Current plan of record. Release dates and content subject to change due to resource constraints and market factors.

7 Red Hat Directory Services Roadmap
Red Hat Directory Server 9.0 – 2nd Half CY11 Target
- RHEL 6 Support
- Add support for OpenLDAP client libraries
- Extend MMR support from 4 masters to 20 masters
- Support tree renames (Mod RDN with new superior)
  - Move entry to new container, Move container, Rename container
*Current plan of record. Release dates and content subject to change due to resource constraints and market factors.

8 Security Information Situation Today
- Many security and security management applications store and manage their own vital security information
  - Identity
  - Policy
  - Audit
- Difficult to analyze across applications, so organizations can't
  - Form a full picture of their security stance
  - Comply with government regulations
  - Protect themselves sufficiently
  - Efficiently enable their operations
- Example: Identity silos
- Example: > problem for Policy, Audit

9 What is needed?
- Vital security information (IPA) should be:
  - Open (You own it)
  - Inter-operable
  - Manageable
- Need a way to make it possible for vital security information
  - Identity
  - Policy
  - Audit
  to enable the freedom and efficiency of next generation IT infrastructure
- To enable this:
  - Maximize freedom
  - Maximize efficiency

10 IPA Overview
- Open source project: www.freeipa.org
  - Started 3 years ago and contributed to by Red Hat
  - But open to all
- freeIPA versions
  - v1: April 2008. User Identity
  - v2: Machine identity
    - Alpha 3 released May 2010.
    - Complete v2 planned for 2nd half 2010
- Red Hat Product Offering: 1st half 2011

11 IPAv1 provides
- Single Sign on for users
  - Tie together Directory and Kerberos
  - User Kerberos ticket for SSO to UNIX/Linux, JBoss, other apps
- Centralized authentication point for IT
  - Unite Directory, Kerberos
  - From Apps, UNIX/Linux, VPNs, WLANs
- Easy for IT to set up, migrate to, and manage
  - Simple IPA install
  - Intuitive web interface, Command line
  - Tools migrate from NIS
- Key Data replicated via Directory Services
[Diagram: IPA Server v1 (KDC, LDAP, CLI/GUI); Unix/Linux; Admin]

12 IPAv2 (Early 2011 target) will provide
- Identify and group machines, VMs, services
- Simplified service authentication and establishment of secure communication
- Client agent: SSSD (System Security Services Daemon) + IPA Plugin
- Management of machine certificate
- Host Based Access Control
- DNS Integration
[Diagram: IPA Server v2 (KDC, LDAP, CLI/GUI, PKI, DNS); Unix/Linux; Admin]

13 System Security Services Daemon
- System daemon. Already in Fedora, going into Red Hat Enterprise Linux and hopefully other distributions
- SSSD provides:
  - Access to remote identity and authentication resources through a common pluggable framework
  - Caching and offline support
  - PAM and NSS modules, as well as D-BUS based interfaces
  - Better database to store local users as well as extended user data

14 How does IPA Interoperate with Active Directory?
- IPA v1 and v2
  - Synchronization of User Identity
    - Users, Passwords (optional)
  - IPA manages Linux/Unix policy
  - Each platform managed well by its own native solution
- IPA v3
  - Cross realm Kerberos trust with AD
[Diagram: AD and IPA with Windows and Unix/Linux, shown once for Sync and once for Trust]

15 Questions

