Improving Access to EPA Servers

Modernizing TSSMS

Rebecca Astin

EPA Web Workgroup

April 15, 2010

Agenda

• What Is TSSMS?

• Types of TSSMS Users

• Hosting Environments That Use TSSMS

• How TSSMS Works

• Current Request and Fulfillment Processes

• How TSSMS Services Are Billed

• Issues with Current System

• Recommendations for Improvement

• Next StepsPg 1

TSSMS

• Time Sharing Services Management System

• Developed in the early 1980’s to manage users on EPA’s

mainframe

• Is a FOCUS application that runs on the Mainframe

(unsupported by vendor)

• Is a user and account registration system

– Not an identity management and authentication system

– Users do not authenticate log-in credentials against TSSMS

• Types of “TSSMS” Accounts / IDs:

– 3-character User ID

– 8-character Account

– 4-character AccountPg 2

TSSMS Accounts/ IDs

• 3-Character TSSMS ID– “User Name” for an individual

– A user must be associated with at least one TSSMS account

– Free of charge for all servers except www.epa.gov (U03), intranet.epa.gov

(U02), staging.epa.gov (U07)

– User IDs are unique for only as long as the ID is active; UIDs can be

reassigned if not used in 455 days

• 8-Character TSSMS Account– Name of physical directory on the static Web and FTP servers

– Used to allocate disk space on the static Web and FTP servers

– Only Used for billing purposes on Oracle and OAS servers

– Accounts belong to an “Account Owner”, usually the ADP Coordinator

• 4-Character TSSMS Account– Name of physical directory on the mainframe

Pg 3

Types of TSSMS Users

• UNIX System Administrators

– Server administrators who need access to the server

– Users must change their password every 90 days

• Other “Server Users”

– Server login for Application and Web Site Developers

– FTP or Telnet access

– Users must change their password every 90 days

– Sometimes misused for server-to-server communications

• Application Users

– Application user ID and password for a handful of applications and High Performance

Computing (HPC)

– e.g., AQS, ICIS, RCRA

– Users must change their password every 90 days

• Server-to-Server Communications

– Unapproved use of TSSMS accounts/ IDs – but happens as a “work around”Pg 4

Hosting Environments that Use TSSMS

• Static Web Servers– www.epa.gov (U03)

– Intranet.epa.gov (U02)

– Staging.epa.gov (U07)

• Application Servers– Oasstage.epa.gov (U11)

– Oasint.epa.gov (U12)

– Oaspub.epa.gov (U13)

– Oasext.epa.gov (U04)

Pg 5

Hosting Environments that Use TSSMS

• Database Servers– Oracle database (ORC)

• FTP Servers– Inmoor.epa.gov (U15)

– Exmoor.epa.gov (U16)

• High Performance Computing– Amber (HPC)

• Mainframe

Pg 6

Hosting Environments that Do NOT Use TSSMS

• ColdFusion

• Domino

• Windows-based Dedicated Environments

• Developer access for Dedicated Unix Systems– Uses TSSMS ID, but not associated with a TSSMS Account

on that server

– RISKY, Potential Identity Conflicts

Pg 7

Applications that Use TSSMS

– RCRA

– AQS

– ICIS

– TRIS

– TMDL

– IGOR

– IRMS

– WIS

– All Mainframe Applications (including IFMS)

– Possibly Others?

Pg 8

How TSSMS Works - UNIX

• One-to-one relationship between TSSMS Account and directory

on the server

• Log-in authentication against local password file

• Feedback Loops– Failure to change password after 95 days will cause the user to be unable to

log into the server

– Users must log into their account at least every 455 days or they will be

flagged for deletion from the system

– If there are no more users associated with a TSSMS Account, the UNIX team

will notify “Group TSSMS” to contact the ADP Coordinator responsible for that

account

– Files will be deleted after 30 days if no action is taken by the ADP

Coordinator when notified that their TSSMS account will be deleted

Pg 9

Application Owners / Users

Start

Need: Request for user / account management

Receive request; approval decisions

ADPs and delegations

TSSMS

Process Request

Perform nightly jobs

Manage GID / UID

RACF DB

RSA Toolsapproval procedures

RSA’s

FOCUS DB, Flat Files

Ownership DB

TSSMS Staff

Public Files / Reports for TSSMS accounts

Billing people

Servers (Application, Database, Dedicated, IBM)

Server / Business Processes that

Necessitate Change

Bills / Billing reports

Pay

Produce

Oracle DB

authenticate

authenticate

Logo

n an

d w

ork

Server Admins

RSAs

Manage accounts on servers per flat files and reports

Non-IBM Flows

IBM Flows

Authentication Flows

User

ADP / Delegations TSSMS Staff

Server Admins

RSA’s

Billing PplApp. Owners

Actor Legend

UNIX/ Mainframe Workflow

How TSSMS Works - Mainframe

Pg 11

• A new users contacts their ADP Coordinator to obtain a 3-character user ID

on the mainframe

• ADP Coordinator creates the ID and associates it with an account on the

IBM hardware code

• Nightly TSSMS processes add the user to the RACF database

• Users must contact their RSA to “claim ownership” of them in the RACF

database

• RSA must associate the user with an account in the RACF database

• IDs associated with the IBM hardware code are flagged for deletion after

365 days of inactivity

• Users logging into the mainframe, authenticate against the RACF database

How TSSMS Works – OAS

Pg 13

• New TSSMS Accounts for a new application must be obtained by contacting the

application owner’s ADP coordinator

• OAS administrators receive nightly reports that show all new TSSMS accounts on U11,

U12, U13, U04

• The TSSMS account name is given to the OAS team during the ADC process

• The OAS team notifies the billing team to associate the application with the name of the

TSSMS account in the WLC database

• The OAS team receives nightly reports showing all users added to or removed from each

TSSMS account

• The OAS team adds/ removes users to/from the authentication database based on these

reports

• The OAS team also add/s removes users based on individual request or requests during

the ADC process (i.e., bypassing TSSMS)

• Users logging into the staging server are authenticated against an Oracle database on the

server

• There are no automatic feedback loops to notify TSSMS when a user or account is

removed from the authentication database or server

How TSSMS Works – ORC

Pg 13

• New TSSMS Accounts for a new database must be obtained by contacting the application

owner’s ADP coordinator

• Oracle DBAs receive nightly reports that show all new TSSMS accounts registered to

hardware code ORC

• The TSSMS account name is given to the Oracle team during the ADC process

• The Oracle DBAs notify the billing team to associate the database with the name of the

TSSMS account in the WLC database

• The Oracle DBAs receive nightly reports showing all users added to or removed from

each TSSMS account

• The Oracle DBAs add/ remove users to/from the local authentication database based on

these reports

• The Oracle DBAs also add/ remove users based on individual requests or requests during

the ADC process (i.e., bypassing TSSMS)

• Users logging into their database are authenticated against an Oracle database on the

server

• There are no automatic feedback loops to notify TSSMS when a user or account is

removed from the authentication database or server

How TSSMS Works - Databases

Pg 14

• The Oracle DBAs receive nightly reports showing all users added to or removed

from each TSSMS account

• The Oracle DBAs add/ remove users to/ from the local authentication database

based on these reports -

• The Oracle DBAs “just know”, based on experience, which TSSMS account

goes to which application

• Users logging into their database are authenticated against an Oracle database

on the server

• There are no automatic feedback loops to notify TSSMS when a user or account

is removed from the authentication database or server

• Applications use TSSMS differently, i.e., RCRAInfo registers users to hardware

code SVC while ICIS registers users to ORC. HPC takes the word of the user

and does not require them to register to the HPC hardware code if they already

have a TSSMS ID associated to another hardware code

RPIO

eBusiness Accounts

ADPs / delegationsTSSMS

Process Request

Manage GID / UID

Perform nightly jobsTSSMS

Staff

FOCUS DB, Flat Files

Ownership DB

RACF DB

RSA’s

Public Files / Reports

Others Server Admins

App. Owners / Users

National Computer Center (NCC)

IBM MainFrame (IBM)

FOCUS

Ownership DB

UARS (a.k.a. TSSMS)

Public Files

RSA Tools

Oracle App Server(U04, U11, U12, U13)

Applications

Oracle DB (ORC)

Oracle DB

Unix Server(U02, U03, U07)Applications

Access list

U15, U16 – FTPHPC, CDX, SVC

Billing people

Bill

ing

Pro

cess

es

eBusiness

eBiz DB

Server Processes: user / account updates

Administer Requests

Manage Request

Charges

Server Queries / Reports

Push

-

back

Update

sPro

vis

ionin

g, D

e-

pro

vis

ionin

g,

Adm

inis

trati

on

Upd

atin

g R

eco

rds

Billing

Call Center

RACF

Registration, Record Keeping

NCC Services

Funding

Overview of Current Processes (All Platforms)

RPIO

eBusiness Accounts

ADPs / delegationsTSSMS

Process Request

Manage GID / UID

Perform nightly jobsTSSMS

Staff

FOCUS DB, Flat Files

Ownership DB

RACF DB

RSA’s

Public Files / Reports

Others Server Admins

App. Owners / Users

National Computer Center (NCC)

IBM MainFrame (IBM)

FOCUS

Ownership DB

UARS (a.k.a. TSSMS)

Public Files

RSA Tools

Oracle App Server(U04, U11, U12, U13)

Applications

Oracle DB (ORC)

Oracle DB

Unix Server(U02, U03, U07)Applications

Access list

U15, U16 – FTPHPC, CDX, SVC

Billing people

Bill

ing

Pro

cess

es

eBusiness

eBiz DB

Server Processes: user / account updates

Administer Requests

Manage Request

Charges

Server Queries / Reports

Push

-back

Update

s

Call Center

RACF

Overview of Current Processes (All Platforms)

Request and Fulfillment Processes

Pg 17

• Funding

– Users must request new IDs and Accounts via their ADP

Coordinator

• Registration Record Keeping

– The ADP Coordinator accesses the TSSMS system to add, delete,

and modify accounts and users

– A user must be associated with at least one TSSMS account in

order to obtain and ID

– Each TSSMS Account must have at least one registered user

– Updates to TSSMS are batch processed nightly

Request and Fulfillment Processes

• Nightly Reports– Five reports uploaded nightly to the mainframe (a.k.a. Public Files)

• NCC Services– UNIX administrators add and remove users/ accounts based on the printed reports

– Mainframe (decentralized): RSA connects and disconnects users in RACF and claims

ownership in the ownership database; ADP adds and deletes accounts, assigns

account managers and RSAs

– OAS administrators Oracle DBAs add and remove users from Oracle and

applications that use TSSMS based on TSSMS reports and direct communication

from users

• Billing– eBusiness creates billing registrations for new accounts based on the public files

– eBusiness creates “end dates” for deleted TSSMS accounts based on the public files

– CSC submits monthly “workload” to eBusiness (UC: Registration ID, disk space) (U3:

Registration ID, # Users) based on data aggregated from various sources in the

WLC database Pg 18

WCF Costs and Billing Associated with TSSMS

• Disk Space (WCF Code UC)– $7.26 per gigabyte per month

– WCF Code UC is used to bill disk space on the following servers: U03, U02,

U07, U11, U12, U13, U04, ORC, U15, U16

– Disk space allocation is read on the last day of the month

– Disk space is billed based on allocation, not on actual usage

– Servers that do not utilize UC billing, utilize UC-DED billing (due to a

limitation in auto processing between TSSMS and eBusiness)

– Association between applications and TSSMS accounts are stored in the WLC

database

• User Registration (WCF Code U3)– $15.03 per user per month

– WCF Code U3 is used to bill for the number of users per month on the

following servers: U03, U02, U07

– Number of users registered in TSSMS is read on the last day of the monthPg 19

UARSTSSMS Database

(FOCUS)

eBusinesseBusiness Database

Nightly Process:

Produce Public Files

Load Public Files into ETSD

Data Files ETSD: Oracle Data Tables

Extract Accounts with Active Status

From List of Users, Produce

U3 Data for Active Accounts; Load

into WLC

Applies only for:- U02, U03, U07???

Work Load Capture – WLC Database (Oracle)

Run Queries and Extract Usage Data,

for UC / Qx ReportingServers:- U02- U03- U07- ORC- IBM???

Perform Matching with

eBusiness Database

Produce Results File and Upload into eBusiness

Database

(IBM DataStore)

TSSMS Public Files

5 public filesChecking for changes, new

accounts, etc

IBMOracle

UnixCommon

Billing Processes

Issues with TSSMS as a Cross-Platform Registration System

Pg 21

• One-size does not fit all

• Not all requests for server access are received through TSSMS

• Not all platforms use TSSMS Accounts in the same manner (OAS and

ORC do not use TSSMS as a directory on the server, rather only use it

for “billing purposes”)

• Different systems use different identities (e.g., Domino LDAP, WAM ID,

AD, TSSMS ID)

• No feedback loops for expired User IDs and Accounts on some hosting

environments

• Does not work well for server-to-server communications since TSSMS

accounts must have at least one TSSMS User ID associated with it or it

will be deleted

• HPC does not accurately register users to HPC hardware code, thus

has issues with expiring User IDs

Issues with the Process

• Users must find their ADP in order to request an account or access to a

server

– Generally a verbal conversation or e-mail to ADP

– Often takes a long time to get a request initiated

• Users often don’t know which hardware codes on which servers to

request access (and why they need access on multiple accounts or

servers)

• ADPs often register users incorrectly

• Transferring ownership of an account is cumbersome

• Undocumented business rules / practices incorporated into the current

systems can cause restrictions that may no longer be valid

Pg 22

Proposed Improvements

• Self-service request for access and Web directory

account creation

• Single point of reference for requesting server access

for ALL hosting platforms

• Migrate identities to Web Access Manager (WAM)

• Authenticate against the Oracle Identity Directory (as

opposed to local authentication)

• Better integrate ordering and billing of disk space and

user access with eBusiness

Pg 23

www.newtssmsurl.gov

Process Request

Perform nightly jobs

Manage GID / UID

Place Request - Ticket

Oracle DBService Repository

RPIO

eBusiness Accounts

TSSMS Staff

Ownership DB

RACF DB

RSA’s

Public Files / Reports

Others Server Admins

National Computer Center (NCC)

IBM MainFrame (IBM)

Ownership DB

RACFRSA Tools

Unix Server(U02, U03, U07)Applications

Access list

U15, U16 – FTPHPC, CDX, SVC

Billing people

eBusiness

eBiz DB

Server Processes: user / account updates

Administer Requests

Approval Decision

Charges

Server Queries / Reports

Push

-back

Update

s

Users

App Owner

OID

Reporting Interface

Impr

oved

Bill

ing

Pro

cess

es

Copy of Public Files

Oracle DB (ORC)

Oracle DB

Public Files

Man

age

Req

uest

Manage

Request

Call Center

eBusiness Account Manager

Oracle App Server (U04, U11, U12, U13)

ApplicationsNew TSSMS

Improved Access Processes

Features of New System

• Web-based Interface

• Extranet access

• Reporting interface

• Use WAM ID to validate identity of requestor

• Authorization and approval workflow

• Relational database integrated with OID, eBusiness,

and the ADC system

• Service Repository

Pg 25

Benefits

• Reduce phone calls to support contractors to add or remove users

• Eliminate the role of ADP Coordinator

– eBusiness Account Managers would approve funding

– “Account” or Application owner would create and manage access to

accounts or servers

– Users could self-request access

• Reduce time to deploy databases or applications in the NCC

• Real-time reporting and management of server access

• No need to reset passwords on each server on which a user has an

account (LDAP authentication with single password)

Pg 26

Challenges to Modernization

• Interdependency of User ID and Account

• Complexity of billing processes for data storage (WCF

Service UC – Disk Space) and user account registration

(WCF Service U3)

• Application dependencies on TSSMS ID (must migrate to

WAM or other user registration system before TSSMS

decommission)

• 8-character UID limitation on UNIX systems

• Multiple identity stores across hosting platforms

• Where to Start: Chicken and Egg syndrome

Pg 27

Modernization Milestones

• Migrate to a relational database – Oracle

• Develop Web Interface/ Evaluate third-party software

• Change processes to authenticate log-in attempts

against OID instead of local files or database on server

• Remove shared Oracle database access and disk space billing

from TSSMS

• Develop interim guidance for NCC application hosting Points of

Contacts (POC) to assist in obtaining TSSMS accounts and IDs

until self-registration system is available

Pg 27

Contact

Rebecca AstinNCC Hosting and Operations

Astin.rebecca@epa.gov919-541-3074

Pg 29