What is CzechIdM?
The CzechIdM Identity Manager is a tool providing central and automatic management of all user identities (accounts, groups etc.) in the whole network, with no negative impact on the work of the current system. CzechIdM communicates with end systems in their native protocols (LDAP, JDBC, SSH, …). CzechIdM is usually connected to end systems by special connectors written in Java. You can find the list of supported systems below under „List of connectable systems“. CzechIdM is a purely open-source software. It can be adapted to almost all networks and all end systems. You can think of CzechIdM as a powerful engine wrapped in a set of forms, workflows and rules.
What is CzechIdM not?
CzechIdM is not a substitute for a central directory (LDAP server, Active Directory) or a central database for storing information on users and their authentication. It is a tool of an entirely different kind and should rather be seen as an efficient and tireless administrator.
The Architecture of CzechIdM
CzechIdM is written in Java, using J2EE platform. Its requirements are quite modest: data storage space and an application server. CzechIdM can be accessed through a web browser with Java plugin. Hardware requirements are low: the minimum is 2GiB RAM and a modern processor. Requirements in a specific situation always depend on how many users are to be administered. CzechIdM also requires at least 2GiB of free hard disk space.
The application itself consists of a few separate, indepedent modules (tiers):
The presentation tier
The presentation tier uses the JSF 1.2 (Java Server Faces) web framework and a set of RichFaces framework components. With the help of the AJAX technology we created a user-friendly interface which does not overload the server with unnecessary data. We did our best while writing CzechIdM; that is why it is possible to adjust the layout and functionality for each customer.
The application tier
The application tier is written in EJB 3.0 (Enterprise Java Bean). We developed our own framework which provides a very effective loading (checkout) and saving (checkin) of so called „views“ (data structures in which all data is being transferred).
We have also implemented the jBPM workflow engine. As a result, the source code of all processes can be saved into a text file and stored in the database to be loaded in runtime. This enables us to modify all processes according to the customer`s wish with no need for a redeploy of the whole application.
The data tier
The core of the data tier is the Hibernate framework, providing relational-object mapping. The data tier is fully separated from the application tier, which enables us to use almost any relational database to store our data.
The CzechIdM system usually works with private data. Hence access security and data protection is our top level priority.
There are several security levels:
Before any action – for example viewing, saving, updating or deleting data – the system checks whether the user who is currently logged in has the right for data manipulation.
In each row of the database, there is a field containing a hash value of all other fields in the row. That makes direct changes of data in the database almost impossible.
CzechIdM provides a wide range of defining user rights. Any user can be granted access to as much information as is needed.
In the CzechIdM system, it is possible to set up a password policy and define the password format, e.g. necessary length, letter and digit count, inconvenient sequences and expiration period.
Each data operation committed by any user is strictly audited. All information about all user actions is stored and can be used to reconstruct the sequence of all committed data operations.
List of connectable systems
Almost any system with known identity structure which is accessible via a network can be connected to CzechIdM. If you cannot find the system you want to connect in the list below, do not panic. We can develop a connector (Resource Adapter) for your end system. It takes about 10 days for our skilled programmers to develop a complex connector for a system like SAP . Here is the list of connectable systems:
Certification authorities in The Czech Republic:
CRM and ERP:
ICZ eSPIS – document management systems
SAP Enterprise Portal
IBM Lotus Domino
Domain controllers and directory services:
Microsoft Active Directory
Oracle Access Manager
Red Hat Directory
Microsoft SQL Server
Linux – Red Hat, Debian, SuSE,…
all versions of Microsoft Windows
Web Single Sign On (SSO):
IBM/Tivoli Access Manager
Oracle Acces Manager
Sun Java System Access Manager
TESCO SW FaMa
Magic Web – PACS
Database Table – universal JDBC adapter
Flat File ActiveSync – adapter for file synchronization
Microsoft Identity Integration Server
Remedy Help Desk
Sun Java™ System Communications Services
If you are interested in this topic, please contact us on e-mail address email@example.com