Czech Technical University (CTU) is a highly heterogeneous environment from the point of view of information systems. It comprises tens to hundreds of standalone services and applications used by tens of thousands of users: students, employees and guests. What is specific to the CTU environment is that the administration and operation of IT are split between university and faculty departments.
Kerberos was introduced at CTU as a modern and secure system of central authentication, allowing a user to use one password for all systems across the whole CTU environment (the connected services still make their own authorization decisions based on the authenticated identity). Creating, updating and deleting user accounts is done automatically by the identity manager Oracle Waveset (IdM), which is administered and developed by BCV solutions s.r.o. The goal of introducing Kerberos was to establish a central authentication point used by all university and faculty systems.
The basic requirement of the solution was to fully automate the life cycle of a user account in Kerberos. For every user created in one of the source systems at CTU, for example the student database or the personnel system, a new Kerberos account is created through the IdM. At the moment a user ends their studies or employment, the account is automatically deactivated.
A separate part of the task was password administration. The solution allows a password to be changed through the IdM web interface, which was adjusted to the customer's needs. Besides ordinary users there are users with elevated privileges, so-called password administrators. These administrators can change the password of any user within their scope, for example a faculty or a department. Every new password is checked for security reasons against a policy; an administrator can define the policy a password must fulfil.
All communication takes place only over encrypted channels: HTTPS or SSH.
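The provisioning and password-administration rules in the paragraphs above can be modelled compactly. The following is an added example written for this page, not code from the CTU deployment, Oracle Waveset or any KDC; the record layout of the source systems, the scope attribute on principals, the administrator list and the policy thresholds are all assumptions. Each source-system sync reconciles the principal store (create on a new active user, disable when the user has left), and a password change is accepted only if the actor is the user or a password administrator for the user's scope and the new password passes the policy.

```python
"""Simulation of the Kerberos account life cycle and scoped password
administration described above. Added example, not code from the CTU
deployment, Oracle Waveset or any KDC; record layout, scope attribute,
administrator list and policy values are assumptions for illustration."""
from dataclasses import dataclass
import re


@dataclass
class Principal:
    name: str
    scope: str            # faculty or department of the user (assumed attribute)
    enabled: bool = True
    password: str = ""    # stored in clear only because this is a simulation


@dataclass
class PasswordPolicy:
    min_length: int = 10
    min_classes: int = 3      # out of: lower, upper, digit, other
    forbid_name: bool = True  # password must not contain the principal name

    def violations(self, name, password):
        """Return a list of policy violations; empty list means accepted."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        classes = sum(bool(re.search(p, password))
                      for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
        if classes < self.min_classes:
            problems.append(f"uses {classes} character classes, policy needs {self.min_classes}")
        if self.forbid_name and name.lower() in password.lower():
            problems.append("contains the principal name")
        return problems


class PrincipalStore:
    """Stand-in for the KDC principal database the IdM provisions into."""

    def __init__(self, realm, policy):
        self.realm = realm
        self.policy = policy
        self.principals = {}   # name -> Principal
        self.admin_scope = {}  # password administrator -> scope they manage ("*" = all)

    def reconcile(self, source_records):
        """Apply source-system state: create principals for new active users and
        disable principals whose record is gone or no longer active.
        Re-enabling a returning user is not described by the case study and is
        deliberately left out."""
        created, disabled = [], []
        active = {r["login"]: r for r in source_records if r["active"]}
        for login, rec in active.items():
            if login not in self.principals:
                self.principals[login] = Principal(login, rec["scope"])
                created.append(login)
        for login, p in self.principals.items():
            if p.enabled and login not in active:
                p.enabled = False
                disabled.append(login)
        return created, disabled

    def may_change(self, actor, target):
        """A user may change only their own password; a password administrator
        may change any password inside their scope."""
        if actor == target:
            return True
        scope = self.admin_scope.get(actor)
        tgt = self.principals.get(target)
        return tgt is not None and scope is not None and scope in ("*", tgt.scope)

    def change_password(self, actor, target, new_password):
        """Return (ok, problems). Authorisation is checked before the policy so
        an unauthorised caller learns nothing about the policy outcome."""
        if target not in self.principals:
            return False, ["unknown principal"]
        if not self.may_change(actor, target):
            return False, ["actor not authorised for this principal"]
        if not self.principals[target].enabled:
            return False, ["principal is disabled"]
        problems = self.policy.violations(target, new_password)
        if problems:
            return False, problems
        self.principals[target].password = new_password
        return True, []


if __name__ == "__main__":
    # Constructed sample records, as a merged feed from the source systems
    # (student database, personnel system) might look.
    store = PrincipalStore("CTU.EXAMPLE", PasswordPolicy())  # realm name is hypothetical
    records = [{"login": "novak", "scope": "fel", "active": True},
               {"login": "svoboda", "scope": "fit", "active": True}]
    print(store.reconcile(records))            # creates both principals
    records[1]["active"] = False
    print(store.reconcile(records))            # svoboda has left: disabled
    store.admin_scope["felpwadmin"] = "fel"    # password administrator for one faculty
    print(store.change_password("novak", "novak", "short"))
    print(store.change_password("felpwadmin", "novak", "Zx9!qwertyUU"))
    print(store.change_password("felpwadmin", "svoboda", "Zx9!qwertyUU"))
```

The policy checks run on the password administrator's changes as well as on self-service changes; a scope that does not match is refused before the policy is consulted, so an administrator for one faculty cannot probe the policy result for users in another.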
Schedule of deployment
2013/02 – Start of project, analysis
2013/03 – Implementation, adjustment of user interface, testing
2013/04 – Accepted by the customer, put into production
Benefits for customer
- Centralization – a password change is propagated to multiple applications from a single web form.
- Security – all communication uses secure protocols.
- User autonomy – a student can change their own password.
This case study gives you an overview of the deployment of Kerberos at Czech Technical University. If this basic summary is not enough for you and you want to know more, email me at: firstname.lastname@example.org