Novell eDirectory™ Deployment at Hydro Quebec Richard Cabana Enterprise Technology Account Manager Novell Canada Ltd.

Presentation transcript:

Novell eDirectory™ Deployment at Hydro Quebec Richard Cabana Enterprise Technology Account Manager Novell Canada Ltd. Benoit Moreau Senior Consultant Hydro Quebec

Vision…one Net: A world where networks of all types—corporate and public, intranets, extranets, and the Internet—work together as one Net and securely connect employees, customers, suppliers, and partners across organizational boundaries
Mission: To solve complex business and technical challenges with Net business solutions that enable people, processes, and systems to work together and our customers to profit from the opportunities of a networked world

Who Is Hydro Quebec?
- Canada’s largest crown corporation
- Over 20,000 employees servicing 3.5 million citizens
- Assets of $40 billion
- Annual sales of $8 billion
- International sales and engineering of Hydro Power

Hydro Quebec Divisions
- Hydro Quebec distribution
  - Dedicated to maintaining power to Quebec residents and commercial/private companies and institutions
- Trans-energy
  - International expertise on power distribution and transmission networks

Hydro Quebec Divisions (cont.)
- Production
  - Generation of over 32,274 megawatts of power
- Engineering
  - Consultation internationally on all aspects of power distribution

Putting It into Context
- No single data source to query
- Existence of too many directories
- Redundant information and data entry
- Very difficult to administer
- Information had various levels of accuracy
- Increased operational costs

Goal of the Corporate Directory
- Corporate directory should bring together all information that is potentially reusable in other applications or directories
- Provide Hydro Quebec with a single authentication and directory lookup
- Ensure the availability and access of the integrated information
- Reduce overall costs of adding new applications

Process of Evaluation
- Do the different operating systems have databases that can be treated as directories?
- All major operating systems and applications contain a database which could be used to manage users and their access privileges

The Road to a Unified Directory
- Is there a product that would permit Hydro Quebec to administer a single directory across all of their main operating systems?
- Novell eDirectory™

The Birth of a New Directory Strategy
- Hydro Quebec decides the first phase of their directory strategy
  - Regrouping their disparate operating systems under one unifying directory: Workforce Directory

Workforce Directory
- Unify user IDs of the different operating systems
- Increase overall security by raising it to the highest common denominator
- Reduce overall OS management costs
- Reduce the number of management consoles
- Simplify the management of user privileges

Corporate Directory
- Corporate repository where all systems, applications, and information concerning individuals, groups, roles, and application definitions reside
- In brief, the corporate directory contains the information and definitions with which the enterprise will need to interact

Workforce Directory
- Regrouping of the identities of multiple operating systems into one unifying directory
- The workforce directory permits the management of Sun, RS 6000, Windows NT or other operating systems within Hydro Quebec’s workforce

Workforce Directory (cont.)
- In summary...
  - The workforce directory manages rights and access privileges to all information systems operated by Hydro Quebec

[Diagram. Labels: DBA, Subsico, Entrust, LiveLink, GetAccess, Cognos, Exchange; Novell 3.12, 4.11, 5.1; OS390; Solaris; AIX; Structure; Authentication; Access; Administration. Users: recuperation of corporate access; simplification of user credentials and login. Administrators: centralized administration; uniform security for all operating systems; administration of Access databases.]

[Diagram. Labels: DBA, Subsico, Entrust, LiveLink, GetAccess, Cognos, Exchange; Department; Novell 3.12, 4.X, 5.X (NDS 8.5); OS390 (NDS 8.5); Solaris (NDS 8.5); AIX (NDS 8.5); Workforce directory (NDS 8.5); Structure; Authentication; Access; Administration. Users: recuperation of corporate access; simplification of user credentials and login. Administrators: centralized administration; uniform security for all operating systems; administration of Access databases.]

[Diagram. Labels: DBA, Subsico, Entrust, LiveLink, GetAccess, Cognos, Exchange; Logical structure; Physical structure; Corporate directory (eDirectory); Department; Novell 3.12, 4.X, 5.X (NDS 8.5); OS390 (NDS 8.5); Solaris (NDS 8.5); AIX (NDS 8.5); Workforce directory (NDS 8.5); Authentication; Access; Administration. Users: recuperation of corporate access; simplification of user credentials and login. Administrators: centralized administration; uniform security for all operating systems.]

Evolution of Hydro Quebec’s Directory Strategy
- Multiple heterogeneous directories
- Information was subsequently regrouped by enterprise
- Operating systems and their directories were then consolidated
- One large corporate directory to which all other directories synchronize

Synchronization
- Is there a tool based on industry standards that could synchronize data to and from multiple sources?
- Introducing DirXML™

But First…XML
- XML is an industry standard that defines how information (data) is exchanged between heterogeneous sources

Products Available on the Market
- DirXML
- MMS (Microsoft Metadirectory Services)
- A few others

Hydro Quebec’s Metadirectory
- Comprises two main directories and synchronization tools
  - Corporate Directory (administration and white pages)
  - Workforce Directory (authentication and rights)
  - DirXML and connectors

[Diagram. Labels: DirXML (synchronization rules); Bidirectional synchronization; Corporate tree NDS 8.5; Workforce tree NDS 8.X; DBA, Subsico, Entrust, LiveLink, GetAccess, Cognos, Exchange; Department; Novell 3.12, 4.X, 5.X (NDS 8.5); OS390 (NDS 8.5); Solaris (NDS 8.5); AIX (NDS 8.5); Logical structure; Physical structure; Authentication; Access; Administration. Users: recuperation of corporate access; simplification of user credentials and login. Administrators: centralized administration; uniform security for all operating systems.]

[Diagram. Labels: DirXML (synchronization rules); Bidirectional synchronization; Access to Public Key Information (PKI); Corporate tree NDS 8.5; Workforce tree NDS 8.X; DBA, Subsico, Entrust, LiveLink, GetAccess, Cognos, Exchange; Department; Novell 3.12, 4.X, 5.X (NDS 8.5); OS390 (NDS 8.5); Solaris (NDS 8.5); AIX (NDS 8.5); Logical structure; Physical structure; Authentication; Access; Administration. Users: recuperation of corporate access; simplification of user credentials and login. Administrators: centralized administration; uniform security for all operating systems.]

[Diagram. Labels: AD Root IREQ Directory; Supplies group; DirXML (synchronization rules); Bidirectional synchronization; Access to Public Key Information (PKI); Corporate tree NDS 8.5; Workforce tree NDS 8.X; DBA, Subsico, Entrust, LiveLink, GetAccess, Cognos, Exchange; Department; Novell 3.12, 4.X, 5.X (NDS 8.5); OS390 (NDS 8.5); Solaris (NDS 8.5); AIX (NDS 8.5); Logical structure; Physical structure; Authentication; Access; Administration. Users: recuperation of corporate access; simplification of user credentials and login. Administrators: centralized administration; uniform security for all operating systems.]

[Diagram. Labels: Supplies group; Infra-bureautique; Infra-NT; IREQ; Trans-Energie; AD Root IREQ Directory; DirXML (synchronization rules); Bidirectional synchronization; Access to Public Key Information (PKI); Corporate tree NDS 8.5; Workforce tree NDS 8.X; DBA, Subsico, Entrust, LiveLink, GetAccess, Cognos, Exchange; Department; Novell 3.12, 4.X, 5.X (NDS 8.5); OS390 (NDS 8.5); Solaris (NDS 8.5); AIX (NDS 8.5); Logical structure; Physical structure; Authentication; Access; Administration. Users: recuperation of corporate access; simplification of user credentials and login. Administrators: centralized administration; uniform security for all operating systems.]

What Did Hydro Quebec Gain?
- Centralized administration
- Data is always “fresh” and integrated
- Increased control over security
- Reduced costs for managing their infrastructure
- User benefits by single ID
- Simplified administration
- Can define the lifecycle of an object

Single Sign-on
- Challenges
  - Over 45 passwords per employee (on average)
  - Multiple trees (ADS and eDirectory)
  - Different support groups
  - Too many administrators

Solution: Secure Login
- Three-month pilot/prototype
- Testing to be done on Entrust, Microsoft Exchange
- Success measurements
  - Ease of administration
  - Ease of use for clients
  - Integration with Novell Modular Authentication Services (NMAS™)
  - Integration with Hydro Quebec Client Shell

Challenges
- Hydro Quebec had wanted to make Entrust PKI X.509 certificates the default standard for network authentication
- Additionally, all users would be given Entrust client side encryption as a standard desktop configuration

Solution: NMAS™
- But wait...
  - The login method for Entrust PKI didn’t exist

NMAS Project
- Six-month prototype
- Entrust method developed for Hydro Quebec
  - Development time took half a day for alpha prototype
- Method now included in NMAS Enterprise edition
- Allows login credentials to be handled by Entrust Authority

Proposed Secure Login/NMAS Architecture