Date post: | 20-Jan-2016 |
Category: |
Documents |
Upload: | august-curtis-powell |
View: | 217 times |
Download: | 0 times |
Improving Access to EPA Servers
Modernizing TSSMS
Rebecca Astin
EPA Web Workgroup
April 15, 2010
Agenda
• What Is TSSMS?
• Types of TSSMS Users
• Hosting Environments That Use TSSMS
• How TSSMS Works
• Current Request and Fulfillment Processes
• How TSSMS Services Are Billed
• Issues with Current System
• Recommendations for Improvement
• Next StepsPg 1
TSSMS
• Time Sharing Services Management System
• Developed in the early 1980’s to manage users on EPA’s
mainframe
• Is a FOCUS application that runs on the Mainframe
(unsupported by vendor)
• Is a user and account registration system
– Not an identity management and authentication system
– Users do not authenticate log-in credentials against TSSMS
• Types of “TSSMS” Accounts / IDs:
– 3-character User ID
– 8-character Account
– 4-character AccountPg 2
TSSMS Accounts/ IDs
• 3-Character TSSMS ID– “User Name” for an individual
– A user must be associated with at least one TSSMS account
– Free of charge for all servers except www.epa.gov (U03), intranet.epa.gov
(U02), staging.epa.gov (U07)
– User IDs are unique for only as long as the ID is active; UIDs can be
reassigned if not used in 455 days
• 8-Character TSSMS Account– Name of physical directory on the static Web and FTP servers
– Used to allocate disk space on the static Web and FTP servers
– Only Used for billing purposes on Oracle and OAS servers
– Accounts belong to an “Account Owner”, usually the ADP Coordinator
• 4-Character TSSMS Account– Name of physical directory on the mainframe
Pg 3
Types of TSSMS Users
• UNIX System Administrators
– Server administrators who need access to the server
– Users must change their password every 90 days
• Other “Server Users”
– Server login for Application and Web Site Developers
– FTP or Telnet access
– Users must change their password every 90 days
– Sometimes misused for server-to-server communications
• Application Users
– Application user ID and password for a handful of applications and High Performance
Computing (HPC)
– e.g., AQS, ICIS, RCRA
– Users must change their password every 90 days
• Server-to-Server Communications
– Unapproved use of TSSMS accounts/ IDs – but happens as a “work around”Pg 4
Hosting Environments that Use TSSMS
• Static Web Servers– www.epa.gov (U03)
– Intranet.epa.gov (U02)
– Staging.epa.gov (U07)
• Application Servers– Oasstage.epa.gov (U11)
– Oasint.epa.gov (U12)
– Oaspub.epa.gov (U13)
– Oasext.epa.gov (U04)
Pg 5
Hosting Environments that Use TSSMS
• Database Servers– Oracle database (ORC)
• FTP Servers– Inmoor.epa.gov (U15)
– Exmoor.epa.gov (U16)
• High Performance Computing– Amber (HPC)
• Mainframe
Pg 6
Hosting Environments that Do NOT Use TSSMS
• ColdFusion
• Domino
• Windows-based Dedicated Environments
• Developer access for Dedicated Unix Systems– Uses TSSMS ID, but not associated with a TSSMS Account
on that server
– RISKY, Potential Identity Conflicts
Pg 7
Applications that Use TSSMS
– RCRA
– AQS
– ICIS
– TRIS
– TMDL
– IGOR
– IRMS
– WIS
– All Mainframe Applications (including IFMS)
– Possibly Others?
Pg 8
How TSSMS Works - UNIX
• One-to-one relationship between TSSMS Account and directory
on the server
• Log-in authentication against local password file
• Feedback Loops– Failure to change password after 95 days will cause the user to be unable to
log into the server
– Users must log into their account at least every 455 days or they will be
flagged for deletion from the system
– If there are no more users associated with a TSSMS Account, the UNIX team
will notify “Group TSSMS” to contact the ADP Coordinator responsible for that
account
– Files will be deleted after 30 days if no action is taken by the ADP
Coordinator when notified that their TSSMS account will be deleted
Pg 9
Application Owners / Users
Start
Need: Request for user / account management
Receive request; approval decisions
ADPs and delegations
TSSMS
Process Request
Perform nightly jobs
Manage GID / UID
RACF DB
RSA Toolsapproval procedures
RSA’s
FOCUS DB, Flat Files
Ownership DB
TSSMS Staff
Public Files / Reports for TSSMS accounts
Billing people
Servers (Application, Database, Dedicated, IBM)
Server / Business Processes that
Necessitate Change
Bills / Billing reports
Pay
Produce
Oracle DB
authenticate
authenticate
Logo
n an
d w
ork
Server Admins
RSAs
Manage accounts on servers per flat files and reports
Non-IBM Flows
IBM Flows
Authentication Flows
User
ADP / Delegations TSSMS Staff
Server Admins
RSA’s
Billing PplApp. Owners
Actor Legend
UNIX/ Mainframe Workflow
How TSSMS Works - Mainframe
Pg 11
• A new users contacts their ADP Coordinator to obtain a 3-character user ID
on the mainframe
• ADP Coordinator creates the ID and associates it with an account on the
IBM hardware code
• Nightly TSSMS processes add the user to the RACF database
• Users must contact their RSA to “claim ownership” of them in the RACF
database
• RSA must associate the user with an account in the RACF database
• IDs associated with the IBM hardware code are flagged for deletion after
365 days of inactivity
• Users logging into the mainframe, authenticate against the RACF database
How TSSMS Works – OAS
Pg 13
• New TSSMS Accounts for a new application must be obtained by contacting the
application owner’s ADP coordinator
• OAS administrators receive nightly reports that show all new TSSMS accounts on U11,
U12, U13, U04
• The TSSMS account name is given to the OAS team during the ADC process
• The OAS team notifies the billing team to associate the application with the name of the
TSSMS account in the WLC database
• The OAS team receives nightly reports showing all users added to or removed from each
TSSMS account
• The OAS team adds/ removes users to/from the authentication database based on these
reports
• The OAS team also add/s removes users based on individual request or requests during
the ADC process (i.e., bypassing TSSMS)
• Users logging into the staging server are authenticated against an Oracle database on the
server
• There are no automatic feedback loops to notify TSSMS when a user or account is
removed from the authentication database or server
How TSSMS Works – ORC
Pg 13
• New TSSMS Accounts for a new database must be obtained by contacting the application
owner’s ADP coordinator
• Oracle DBAs receive nightly reports that show all new TSSMS accounts registered to
hardware code ORC
• The TSSMS account name is given to the Oracle team during the ADC process
• The Oracle DBAs notify the billing team to associate the database with the name of the
TSSMS account in the WLC database
• The Oracle DBAs receive nightly reports showing all users added to or removed from
each TSSMS account
• The Oracle DBAs add/ remove users to/from the local authentication database based on
these reports
• The Oracle DBAs also add/ remove users based on individual requests or requests during
the ADC process (i.e., bypassing TSSMS)
• Users logging into their database are authenticated against an Oracle database on the
server
• There are no automatic feedback loops to notify TSSMS when a user or account is
removed from the authentication database or server
How TSSMS Works - Databases
Pg 14
• The Oracle DBAs receive nightly reports showing all users added to or removed
from each TSSMS account
• The Oracle DBAs add/ remove users to/ from the local authentication database
based on these reports -
• The Oracle DBAs “just know”, based on experience, which TSSMS account
goes to which application
• Users logging into their database are authenticated against an Oracle database
on the server
• There are no automatic feedback loops to notify TSSMS when a user or account
is removed from the authentication database or server
• Applications use TSSMS differently, i.e., RCRAInfo registers users to hardware
code SVC while ICIS registers users to ORC. HPC takes the word of the user
and does not require them to register to the HPC hardware code if they already
have a TSSMS ID associated to another hardware code
RPIO
eBusiness Accounts
ADPs / delegationsTSSMS
Process Request
Manage GID / UID
Perform nightly jobsTSSMS
Staff
FOCUS DB, Flat Files
Ownership DB
RACF DB
RSA’s
Public Files / Reports
Others Server Admins
App. Owners / Users
National Computer Center (NCC)
IBM MainFrame (IBM)
FOCUS
Ownership DB
UARS (a.k.a. TSSMS)
Public Files
RSA Tools
Oracle App Server(U04, U11, U12, U13)
Applications
Oracle DB (ORC)
Oracle DB
Unix Server(U02, U03, U07)Applications
Access list
U15, U16 – FTPHPC, CDX, SVC
Billing people
Bill
ing
Pro
cess
es
eBusiness
eBiz DB
Server Processes: user / account updates
Administer Requests
Manage Request
Charges
Server Queries / Reports
Push
-
back
Update
sPro
vis
ionin
g, D
e-
pro
vis
ionin
g,
Adm
inis
trati
on
Upd
atin
g R
eco
rds
Billing
Call Center
RACF
Registration, Record Keeping
NCC Services
Funding
Overview of Current Processes (All Platforms)
RPIO
eBusiness Accounts
ADPs / delegationsTSSMS
Process Request
Manage GID / UID
Perform nightly jobsTSSMS
Staff
FOCUS DB, Flat Files
Ownership DB
RACF DB
RSA’s
Public Files / Reports
Others Server Admins
App. Owners / Users
National Computer Center (NCC)
IBM MainFrame (IBM)
FOCUS
Ownership DB
UARS (a.k.a. TSSMS)
Public Files
RSA Tools
Oracle App Server(U04, U11, U12, U13)
Applications
Oracle DB (ORC)
Oracle DB
Unix Server(U02, U03, U07)Applications
Access list
U15, U16 – FTPHPC, CDX, SVC
Billing people
Bill
ing
Pro
cess
es
eBusiness
eBiz DB
Server Processes: user / account updates
Administer Requests
Manage Request
Charges
Server Queries / Reports
Push
-back
Update
s
Call Center
RACF
Overview of Current Processes (All Platforms)
Request and Fulfillment Processes
Pg 17
• Funding
– Users must request new IDs and Accounts via their ADP
Coordinator
• Registration Record Keeping
– The ADP Coordinator accesses the TSSMS system to add, delete,
and modify accounts and users
– A user must be associated with at least one TSSMS account in
order to obtain and ID
– Each TSSMS Account must have at least one registered user
– Updates to TSSMS are batch processed nightly
Request and Fulfillment Processes
• Nightly Reports– Five reports uploaded nightly to the mainframe (a.k.a. Public Files)
• NCC Services– UNIX administrators add and remove users/ accounts based on the printed reports
– Mainframe (decentralized): RSA connects and disconnects users in RACF and claims
ownership in the ownership database; ADP adds and deletes accounts, assigns
account managers and RSAs
– OAS administrators Oracle DBAs add and remove users from Oracle and
applications that use TSSMS based on TSSMS reports and direct communication
from users
• Billing– eBusiness creates billing registrations for new accounts based on the public files
– eBusiness creates “end dates” for deleted TSSMS accounts based on the public files
– CSC submits monthly “workload” to eBusiness (UC: Registration ID, disk space) (U3:
Registration ID, # Users) based on data aggregated from various sources in the
WLC database Pg 18
WCF Costs and Billing Associated with TSSMS
• Disk Space (WCF Code UC)– $7.26 per gigabyte per month
– WCF Code UC is used to bill disk space on the following servers: U03, U02,
U07, U11, U12, U13, U04, ORC, U15, U16
– Disk space allocation is read on the last day of the month
– Disk space is billed based on allocation, not on actual usage
– Servers that do not utilize UC billing, utilize UC-DED billing (due to a
limitation in auto processing between TSSMS and eBusiness)
– Association between applications and TSSMS accounts are stored in the WLC
database
• User Registration (WCF Code U3)– $15.03 per user per month
– WCF Code U3 is used to bill for the number of users per month on the
following servers: U03, U02, U07
– Number of users registered in TSSMS is read on the last day of the monthPg 19
UARSTSSMS Database
(FOCUS)
eBusinesseBusiness Database
Nightly Process:
Produce Public Files
Load Public Files into ETSD
Data Files ETSD: Oracle Data Tables
Extract Accounts with Active Status
From List of Users, Produce
U3 Data for Active Accounts; Load
into WLC
Applies only for:- U02, U03, U07???
Work Load Capture – WLC Database (Oracle)
Run Queries and Extract Usage Data,
for UC / Qx ReportingServers:- U02- U03- U07- ORC- IBM???
Perform Matching with
eBusiness Database
Produce Results File and Upload into eBusiness
Database
(IBM DataStore)
TSSMS Public Files
5 public filesChecking for changes, new
accounts, etc
IBMOracle
UnixCommon
Billing Processes
Issues with TSSMS as a Cross-Platform Registration System
Pg 21
• One-size does not fit all
• Not all requests for server access are received through TSSMS
• Not all platforms use TSSMS Accounts in the same manner (OAS and
ORC do not use TSSMS as a directory on the server, rather only use it
for “billing purposes”)
• Different systems use different identities (e.g., Domino LDAP, WAM ID,
AD, TSSMS ID)
• No feedback loops for expired User IDs and Accounts on some hosting
environments
• Does not work well for server-to-server communications since TSSMS
accounts must have at least one TSSMS User ID associated with it or it
will be deleted
• HPC does not accurately register users to HPC hardware code, thus
has issues with expiring User IDs
Issues with the Process
• Users must find their ADP in order to request an account or access to a
server
– Generally a verbal conversation or e-mail to ADP
– Often takes a long time to get a request initiated
• Users often don’t know which hardware codes on which servers to
request access (and why they need access on multiple accounts or
servers)
• ADPs often register users incorrectly
• Transferring ownership of an account is cumbersome
• Undocumented business rules / practices incorporated into the current
systems can cause restrictions that may no longer be valid
Pg 22
Proposed Improvements
• Self-service request for access and Web directory
account creation
• Single point of reference for requesting server access
for ALL hosting platforms
• Migrate identities to Web Access Manager (WAM)
• Authenticate against the Oracle Identity Directory (as
opposed to local authentication)
• Better integrate ordering and billing of disk space and
user access with eBusiness
Pg 23
www.newtssmsurl.gov
Process Request
Perform nightly jobs
Manage GID / UID
Place Request - Ticket
Oracle DBService Repository
RPIO
eBusiness Accounts
TSSMS Staff
Ownership DB
RACF DB
RSA’s
Public Files / Reports
Others Server Admins
National Computer Center (NCC)
IBM MainFrame (IBM)
Ownership DB
RACFRSA Tools
Unix Server(U02, U03, U07)Applications
Access list
U15, U16 – FTPHPC, CDX, SVC
Billing people
eBusiness
eBiz DB
Server Processes: user / account updates
Administer Requests
Approval Decision
Charges
Server Queries / Reports
Push
-back
Update
s
Users
App Owner
OID
Reporting Interface
Impr
oved
Bill
ing
Pro
cess
es
Copy of Public Files
Oracle DB (ORC)
Oracle DB
Public Files
Man
age
Req
uest
Manage
Request
Call Center
eBusiness Account Manager
Oracle App Server (U04, U11, U12, U13)
ApplicationsNew TSSMS
Improved Access Processes
Features of New System
• Web-based Interface
• Extranet access
• Reporting interface
• Use WAM ID to validate identity of requestor
• Authorization and approval workflow
• Relational database integrated with OID, eBusiness,
and the ADC system
• Service Repository
Pg 25
Benefits
• Reduce phone calls to support contractors to add or remove users
• Eliminate the role of ADP Coordinator
– eBusiness Account Managers would approve funding
– “Account” or Application owner would create and manage access to
accounts or servers
– Users could self-request access
• Reduce time to deploy databases or applications in the NCC
• Real-time reporting and management of server access
• No need to reset passwords on each server on which a user has an
account (LDAP authentication with single password)
Pg 26
Challenges to Modernization
• Interdependency of User ID and Account
• Complexity of billing processes for data storage (WCF
Service UC – Disk Space) and user account registration
(WCF Service U3)
• Application dependencies on TSSMS ID (must migrate to
WAM or other user registration system before TSSMS
decommission)
• 8-character UID limitation on UNIX systems
• Multiple identity stores across hosting platforms
• Where to Start: Chicken and Egg syndrome
Pg 27
Modernization Milestones
• Migrate to a relational database – Oracle
• Develop Web Interface/ Evaluate third-party software
• Change processes to authenticate log-in attempts
against OID instead of local files or database on server
• Remove shared Oracle database access and disk space billing
from TSSMS
• Develop interim guidance for NCC application hosting Points of
Contacts (POC) to assist in obtaining TSSMS accounts and IDs
until self-registration system is available
Pg 27