How it Works

ActivID Appliance provides the following core sets of services:

Server Architecture

ActivID Appliance can run in a clustered application server environment. However, it is recommended that you use a hardware load-balancer for load distribution between instance nodes and failover in case of node failure.

Note: An application is a set of modules with some added glue that binds them together into a complete integrated application. The modules can be web applications, Enterprise JavaBeans (EJBs), or application clients. An application also contains meta-information about the application, as well as shared libraries.

ActivID Appliance can use either a Hardware Security Module (HSM) or a software Java Cryptography Extension (JCE) provider for encryption, decryption, and data row signing.

Each ActivID Appliance has a number of properties files containing the system configuration parameter definitions.

Important: Physical access to ActivID Appliance must be restricted.

Server Database

ActivID Appliance uses an industry-standard Oracle database to store all operational data (such as user credentials and devices, authentication records, and authorization policies), configuration data, and audit information.

Applications and Portals

The ActivID Appliance solution can be installed in various scenarios involving all or only some of the following components:

  • ActivID Authentication Services – consists of the following applications:
    • ActivID Authentication Server – the core server that provides the authentication infrastructure to meet cross-channel requirements.
    • ActivID Authentication Portal – the portal that provides the logon interface for service provider authentication (including the ActivID Management Console and ActivID Self-Service Portal).
  • ActivID Management Console – the web-based interface to manage the authentication system.
  • ActivID Console – a pre-installed component on the appliance that allows you to initialize and configure the appliance.
  • ActivID UNIX Terminal – a pre-installed component of the appliance that is used to perform critical operations such as restarting the appliance. You can access this interface by connecting a monitor and keyboard to the appliance, or through the SSH protocol.
  • ActivID Self-Service Portal – the web-based interface that offers end users activation and management services for software and hardware authentication devices.
  • ActivID RADIUS Front End (RFE) – enables OTP and static password authentication using the RADIUS protocol.
Note:
  • The ActivID Appliance user interfaces (the ActivID Management Console, ActivID Authentication Portal, and ActivID Self-Service Portal) are browser-based and do not require client installation.
  • The portals support accessibility and are Section 508-compliant according to US government regulations.

Key Concepts

Credential Management

ActivID Appliance simplifies ongoing credential management through a single point of administration. It ensures segregation of data between different applications, making a variety of types of information extremely secure.

It also provides unified, tamper-evident auditing capabilities.

Security Domains

Multiple data instances can be created in a single deployment. Individual instances are referred to as security domains. Each security domain contains a full data schema comprising operational data, configuration data, and audit data.

The purpose of having security domains is to provide a complete segregation of data for different business units within a single deployment. Multiple domains are also ideal for managed services offerings. Each call to the ActivID Appliance Public API must specify the domain against which the requested transaction is to be applied.

Data stored within the ActivID Appliance database is protected using two mechanisms:

  • Sensitive data, such as passwords, PINs, security question responses, and device credentials, is encrypted.
  • All data records in the database are digitally signed. This prevents an unauthorized user from bypassing the ActivID Appliance access control model by making direct updates to the database.
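The second mechanism, row signing, is shown below as an added illustration; this is not ActivID Appliance code. Each record's protected columns are serialized canonically and signed when written through the application, and the signature is re-checked on every read, so a record changed by a direct UPDATE against the database is rejected. The table layout, the column names, and the use of an HMAC with a local key are assumptions made for the demo; in the product the signing operation is performed by the HSM or the JCE provider.

```python
import hashlib
import hmac
import json
import sqlite3

# Constructed demo key. In the product the signing key is held by the HSM or
# the JCE provider; an HMAC with a local key stands in for that here.
SIGNING_KEY = b"demo-row-signing-key-not-for-production"


def canonical_bytes(row: dict) -> bytes:
    """Serialize the protected columns deterministically (sorted keys, no
    whitespace) so the same logical row always produces the same bytes."""
    return json.dumps(row, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_row(row: dict, key: bytes = SIGNING_KEY) -> str:
    """Return the hex signature stored alongside the row."""
    return hmac.new(key, canonical_bytes(row), hashlib.sha256).hexdigest()


def verify_row(row: dict, signature: str, key: bytes = SIGNING_KEY) -> bool:
    """Constant-time comparison of the stored signature with a freshly computed one."""
    return hmac.compare_digest(sign_row(row, key), signature)


def create_store() -> sqlite3.Connection:
    """In-memory table standing in for one security domain's schema (assumed layout)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE authenticator ("
        " user_id TEXT, policy TEXT, enabled INTEGER, signature TEXT,"
        " PRIMARY KEY (user_id, policy))"
    )
    return conn


def insert_authenticator(conn, user_id: str, policy: str, enabled: bool) -> None:
    """Application path: every write carries a signature over the protected columns."""
    row = {"user_id": user_id, "policy": policy, "enabled": int(enabled)}
    conn.execute(
        "INSERT INTO authenticator VALUES (?, ?, ?, ?)",
        (user_id, policy, int(enabled), sign_row(row)),
    )
    conn.commit()


def load_authenticator(conn, user_id: str, policy: str):
    """Application path: refuse to use a row whose signature no longer matches."""
    cur = conn.execute(
        "SELECT user_id, policy, enabled, signature FROM authenticator"
        " WHERE user_id = ? AND policy = ?",
        (user_id, policy),
    )
    rec = cur.fetchone()
    if rec is None:
        return None
    row = {"user_id": rec[0], "policy": rec[1], "enabled": rec[2]}
    if not verify_row(row, rec[3]):
        raise ValueError(
            f"signature mismatch for {user_id}/{policy}: "
            "row was modified outside the application"
        )
    return row


def demo():
    """Write a disabled OTP authenticator, then flip it on with a direct UPDATE
    that bypasses the application, and show that the next read rejects the row."""
    conn = create_store()
    insert_authenticator(conn, "alice", "OTP", enabled=False)
    enabled_via_app = load_authenticator(conn, "alice", "OTP")["enabled"]

    # Direct database write that never passes through the access control model.
    conn.execute("UPDATE authenticator SET enabled = 1 WHERE user_id = 'alice'")
    conn.commit()
    try:
        load_authenticator(conn, "alice", "OTP")
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return enabled_via_app, tamper_detected


if __name__ == "__main__":
    print(demo())  # (0, True)
```

The signature covers only the columns the application treats as protected, so the canonical serialization must include every column whose modification should be detected; an attacker-controlled column left out of the serialization can be changed without invalidating the signature. Encryption of the sensitive columns (the first mechanism) is a separate layer and is not shown here.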

Hardware Security Module

The Hardware Security Module (HSM) is used to create a secure FIPS 140-2, Level 3-compliant environment for the protection and processing of data. The HSM is responsible for encryption, decryption, key management, and digital signature creation and validation.

There are two HSM form factors:

  • A PCI card physically resident on the application server.
  • A shared network resource accessible by multiple application servers. Network-connected HSMs perform cryptographic functions on behalf of one or more remote servers over a network.

ActivID Appliance also offers an alternative deployment mode in which the HSM is replaced with a software cryptographic library. Deploying production systems with a hardware HSM is recommended. Nevertheless, the software cryptography deployment mode provides a good level of data protection and is suitable for proofs of concept.

Application Server Platform

ActivID Appliance relies on industry-standard J2EE technologies and is deployed within an application server.

Multiple application servers can be deployed for scalability and performance, independent of the number of Security Domains. Each application server provides a full set of services for authentication, credentials and device administration, authorization and audit. Each application server connects to all security domains.

Note: More application servers can be added post-deployment to provide additional scalability and resilience.

Application Integration

The ActivID Appliance API preserves backward compatibility with client integration to previous versions of the product.

  • Integration with the ActivID Appliance is achieved via lightweight API clients, which are available for a variety of platforms, including Microsoft Windows and Linux.
  • API clients are available for Java, C++, C#, and C environments.
  • The API client handles all communication with the server, including protection of messages with SSL (HTTPS).

Integration can be done directly at the Web Services level.

Additionally, integration adapters can be made available for leading Web access managers, such as IBM Tivoli® Access Manager, Oracle Access Manager, Sun™ Access Manager, CA® Siteminder™ and Novell Access Manager.

Authenticators

The Authenticator is a central concept in the ActivID Appliance as it is the basis for authentication. To create an authenticator for an end user, you need to indicate an authentication policy and a device (if it is a device-based authentication policy). It can be seen as an instantiation of an Authentication Policy for a given user.

The authenticator allows a User to be authenticated by the ActivID Appliance. Without an authenticator, a User cannot authenticate. It can be summarized with this sentence: "A user is allowed to authenticate with an authentication factor (policy) using (or not) a device".

When an authentication policy is attached to a user, an authenticator with the corresponding type is created for the user.

A user can have as many authenticators as there are authentication policies in the ActivID Appliance. However, a user can only have one authenticator per authentication policy.

All of the non-password authenticators (that is, the device-based authenticators) store the secrets and configuration for the authentication secrets in a credential.

A single authenticator can contain multiple credentials.

The authenticator also contains the statistics of authentication for the user, such as the number of succeeded/failed authentications.
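The relationships described above, as an added Python model that is not ActivID Appliance code: policies, users, authenticators (one per policy per user, created when the policy is attached, with a device required for device-based policies), the credentials held by an authenticator, and the per-authenticator success/failure counters. Class and field names, the constructed device id and secrets, and the plain constant-time byte comparison standing in for the product's credential verification are all assumptions.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class AuthenticationPolicy:
    """An authentication factor; device-based policies need a device at creation."""
    name: str
    device_based: bool


@dataclass
class Credential:
    """Secret and configuration held by a non-password authenticator.
    The secret is a constructed demo value; the product encrypts it at rest."""
    kind: str
    secret: bytes


@dataclass
class Authenticator:
    """Instantiation of a policy for one user: credentials plus authentication statistics."""
    policy: AuthenticationPolicy
    device_id: Optional[str] = None
    credentials: List[Credential] = field(default_factory=list)
    succeeded: int = 0
    failed: int = 0

    def verify(self, presented: bytes) -> bool:
        """Accept if the presented value matches any credential (constant-time compare).
        This stands in for the real per-credential verification logic."""
        return any(hmac.compare_digest(c.secret, presented) for c in self.credentials)


class User:
    def __init__(self, user_id: str) -> None:
        self.user_id = user_id
        # One authenticator per policy, hence keyed by policy name.
        self.authenticators: Dict[str, Authenticator] = {}

    def attach_policy(self, policy: AuthenticationPolicy,
                      device_id: Optional[str] = None) -> Authenticator:
        """Attaching a policy creates the authenticator of the corresponding type."""
        if policy.name in self.authenticators:
            raise ValueError(f"{self.user_id} already has an authenticator for {policy.name}")
        if policy.device_based and device_id is None:
            raise ValueError(f"{policy.name} is device-based: a device must be indicated")
        auth = Authenticator(policy=policy, device_id=device_id)
        self.authenticators[policy.name] = auth
        return auth

    def authenticate(self, policy_name: str, presented: bytes) -> bool:
        """Without an authenticator for the policy the user cannot authenticate at all;
        otherwise the outcome is recorded in the authenticator's statistics."""
        auth = self.authenticators.get(policy_name)
        if auth is None:
            return False
        ok = auth.verify(presented)
        if ok:
            auth.succeeded += 1
        else:
            auth.failed += 1
        return ok


def demo() -> dict:
    """Walk through the rules above and return the observable results."""
    otp = AuthenticationPolicy("OTP", device_based=True)
    user = User("alice")

    otp_auth = user.attach_policy(otp, device_id="token-0001")  # constructed device id
    otp_auth.credentials.append(Credential("otp-seed", b"demo-seed"))
    otp_auth.credentials.append(Credential("sync-counter", b"demo-sync"))

    results = {
        "otp_good": user.authenticate("OTP", b"demo-seed"),
        "otp_bad": user.authenticate("OTP", b"guess"),
        # No PASSWORD policy was attached, so there is no authenticator to use.
        "no_password_authenticator": user.authenticate("PASSWORD", b"whatever"),
        "stats": (otp_auth.succeeded, otp_auth.failed),
    }
    try:
        user.attach_policy(otp, device_id="token-0002")
        results["duplicate_rejected"] = False
    except ValueError:
        results["duplicate_rejected"] = True
    try:
        user.attach_policy(AuthenticationPolicy("PKI", device_based=True))
        results["device_required"] = False
    except ValueError:
        results["device_required"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Keying the map by policy name is what enforces "one authenticator per authentication policy"; the failed counter is the value a lockout or risk policy would read, which is why it lives on the authenticator rather than on the user.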

For further information, go to User and Authentication Management.

How the ActivID Appliance Elements Work Together

The following diagram illustrates how the various elements of the ActivID Appliance configuration work together to provide secure and scalable authentication services.

External Components

The ActivID Appliance interacts with the following external components:

  • RADIUS clients and NAS
  • Load balancer, proxy, and firewall
  • LDAP directories
  • Service providers (for example, Google® applications) and external trusted identity providers
  • External HSM
  • OOB gateways (SMS, email server)
  • Risk Management Server
  • Customer applications calling the ActivID Appliance APIs
  • Backup storage (external location linked to the appliance via FTP/SFTP)
  • Network management system (SNMP)