Identity Management 2.2


The follow-up part of the IDM2 project allowed the implementation of new administration and security functions in IdM.


The objective of the next part of the IdM2 project was to develop new administration and user functions to facilitate using the IdM application and allow its full deployment within the entire CEZ Group. In addition, program accounts of the connected applications were to be newly registered and new applications were to be connected to IdM.

A secondary (but internally important) objective, which will bring new implementation opportunities to the CEZ Group, was the Proof of Concept of the central administration of SSH keys for Unix OS.


The project started at the end of last year (11/2010) with a new project manager (PM) for CEZ ICT Services. The PM had to familiarize himself with the project; together with the Christmas holidays, this caused a delay right from the beginning. Nevertheless, during the subsequent work on the project, the new CEZ PM turned out to be very beneficial. After the preliminary analysis and approval of the Target Concept, the implementation of stages 4, 5 and 6 started; this was completed with Release 12 in June this year.

Stages 4 and 5 were contracted as fixed-price jobs and were successfully and completely finished. Stage 6 was contracted as a T&M job (utilization of resources) and was shortened by the customer by approx. 40 MDs due to insufficient financial resources.

Apart from the new PM, the customer's project team consisted mainly of traditional members (for example, a security procedure expert, an IDM administrator, an infrastructure administrator, an SD operator and user management), together with new members specialized in security and SAP Basis.

In the AMI’s project team, the technical part of the project was traditionally guaranteed by Martin Lízner, but the senior IDM experts Jiří Vitinger and Petr Čvančar also took part.


The following parts were added to the existing IdM application in the CEZ Group:

  • Universal SSH adapter – an adapter allowing connection of any Unix OS to IDM; the adapter itself connects only by means of SSH keys. Within the delivery, control scripts for AIX, RedHat, HP‑UX trusted mode and HP‑UX non‑trusted mode were created. Through this adapter, the AIX NIM_T system was connected to the production environment of IdM.
  • Bulk import – a function which allows administrators to add and withdraw roles in batches without any approval process. Within this functionality, there are a number of exceptions for SAP systems, in which roles are assigned regardless of their validity period, which is sent to SAP together with the role; SAP’s time limit is applied to these roles.
  • Adjustments of user interface – owing to this functionality, requests for role assignment and role withdrawal were merged into one request. This request works similarly to a shopping cart: the request can be composed, roles can be replaced and changed, and then the request is sent for approval. Within this functionality, the approval process had to be modified as well; it now processes the roles being assigned first and the roles being withdrawn afterwards, so that no withdrawal occurs prior to an assignment.
  • User blocking in the event of an invalid password – this functionality was started with the slight displeasure of SD operators. If the user does not change his password within the due time period (their password expires), a new password is generated; this is repeated every 180 days if the password is not used during this period. For initiation of the functionality, an initial dynamic amnesty was created to avoid overload of SD.
  • Register of program accounts – a register of the program accounts of the connected applications was created. These accounts are now coupled to IDM. Discrepancies in the existence of the accounts are reported to the security department and user management, which ensure their remediation by the end system administrators. This functionality made manual registration by an IdM administrator unnecessary.
  • Rule-based control of role assignment – the first of a series of rules which determine whether a role may be assigned or held based on the value of an attribute. Six rules were implemented in the production environment. Further rules are expected within the follow‑up project and within service.
  • Connection of ISM – connection of a system for security monitoring, which includes all users and all user attributes. It serves for reporting of security incidents and for contact between the relevant people.
  • Automatic role withdrawal on change of company – a functionality demanded based on the results of the security audit. This functionality limits the validity period of all permissions of the user to 30 days when the user moves to another company (organization within the CEZ Group); the user has to request new permission for his new position.
  • Change of password for other KPJM – owing to this functionality, it is possible to change the password for the multiple KPJMs of a single person in the user interface of IdM. This means that the user can change his password for multiple virtual accounts in IdM.
  • And other small adjustments.

Within the project, the preparation for the following replacement of Access Manager was also carried out; furthermore, the SPNEGO library, which will ensure Single Sign‑On to IdM, was tested using a demo application. Within the tests, the concept of this authentication in IdM was also created. The tests were carried out during full operation of CEZ (browsers and OS).

Another independent part was the Proof of Concept for the central administration of SSH keys for access to UNIX systems. The solution consisted of the central maintenance and supervision of SSH keys (both the private and public parts) for access to Unix OS, control of key generation with an enforced pass phrase strength (using Diceware), the possibility for users to share SSH keys across connections to individual servers, easier distribution of SSH keys (public part) to servers, and safe supervision and non‑sharing of SSH keys (private part). As a result of the above, the user can log into a Unix OS after a single login using an SSH key with a pass phrase. This key cannot be retrieved from the client and is not stored on the drive, which means that it cannot be stolen or misused. KDC manages the distribution of the public parts of SSH keys to the target servers as well as their expiry. Finally, the whole process should be controlled from IDM, assuming that KDC is connected to IDM and access to individual servers is resolved by application roles.

The Proof of Concept addressed the following issues:

  • Target Solution Concept
  • Data Solution Concept
  • Installation of components (OS RedHat, KDC scripts, RSA PAM module, Diceware)
  • KDC administration scripts (for basic creation and editing of user, creation and expiry of keys, logging in, connection of service and servers and key generation)
  • Client part (configuration of putty and OpenSSH clients, configuration of SSHd)
  • Interactive user interface
  • Connection of 2 end systems (AIX, RedHat)
  • Sample configurations of end systems and client settings
  • Connection of non‑interactive tasks (applications using SSH connection)
  • Logging in and actual identification of logged‑in user
  • Description of development requirements (integration with IdM, user account management, high availability mode, problem of known hosts)



  • HTML
  • Java
  • JavaScript



© Copyright 1998-2011 AMI Praha a.s., powered by AMIGO CMS