In January 2009 JoshuaTree, with help from its partner Symas, began work on a new suite of Identity & Access Management products. These products build on OpenLDAP's native capabilities.
Key objectives of the development project that ensued mandated the use of pre-existing open source products and common, accepted standards, and writing new code only when necessary. This emphasis on not reinventing the wheel let us focus on the team's strengths (LDAP, authentication, RBAC) and cherry-pick the best from the rest.
Since that time, three IAM products have been created and released to the open source community (Fortress, EnMasse, Sentry), and three more are either in active development (Commander) or inception (Perimeter, Patroller).
All of JoshuaTree's products are released under a corporate-friendly BSD-style license.
Fortress™ is a standards-based Identity and Access Management SDK, written in Java. It speaks the LDAPv3 protocol to directory servers, or REST (Representational State Transfer) over the Web. It is fully compliant with ANSI RBAC (INCITS 359-2004) and includes programming APIs to add, update, delete, and search RBAC entities and policies, in addition to performing run-time policy enforcement. It is the core of the other components: EnMasse, Sentry and Commander.
EnMasse™ (Policy Server)
EnMasse is a web application that implements RESTful Web services to interface with Fortress/OpenLDAP. It was built using established Open Source technologies including Apache CXF (web services stack), Spring Framework (glue), Maven (dependencies) and JAXB (data binding layer), and runs inside any reasonably compliant Java Servlet container. EnMasse service access decisions are made using declarative Java EE and CXF interceptor hooks that are wired back to the Fortress RBAC component, which in turn points to a centralized OpenLDAP server.
Sentry™ (Policy Enforcement connectors for common platforms)
Sentry is where the integration occurs between Fortress' policy server and the system or application that must be securely operated. This product provides run-time policy enforcement plug-ins that perform security authentication, authorization and auditing. Today there are connectors to support the Java EE specification for security enforcement on Web platforms. Plug-ins for Linux, written in C and PHP, are planned next.
Commander Server™ (Fortress Admin GUI) (release date October 2013)
Commander™ runs on Apache Tomcat (or any compliant Servlet container) to provide administration and configuration functions to the end user. Built on the Apache Wicket Web UI framework, it provides an extensible way to control the Fortress data being stored and retrieved. This Web interface can control (limit) which functions administrators are allowed to perform, using the ARBAC02 delegation model. All functions executed by this Web app are logged within a persistent and centralized audit log stored in OpenLDAP's Memory-Mapped Database (MDB). This audit log allows both security (who/what/when) and historical (before/after) views of the data.
Perimeter™ (SSO Server) (release date April 2014)
Perimeter™ will use agents to provide Web access management within the enterprise datacenter. The agents provide the linkage between the User, logged onto the workstation, and the business application running in the trusted datacenter.
Patroller™ (Audit Viewer) (release date October 2014)
Patroller™ drives the Fortress™ Audit API to monitor and interrogate the Fortress™/OpenLDAP audit log through a Web UI. Patroller™ events include:
authentication - shows who authenticated and the outcome
invalid user authentication - logs attempts made to authenticate with invalid userIds
session creation - tracks which roles were activated, the IP address of the incoming request, and more
authorization - tracks what Users are doing in your system while logged on
history - all modifications to OpenLDAP data are tracked, including before/after data elements along with who performed the action
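As an added illustration (not Fortress code, and not a reproduction of its API), the following models the INCITS 359 Core RBAC functional specification that Fortress implements, with the first four Patroller event types written to a constructed in-memory audit list instead of OpenLDAP. The class name CoreRbac, the Bank_Teller/Bank_Auditor roles, the userId jdoe, the password and the sample IP address are all assumptions made for the example.

```python
import hashlib, hmac
from dataclasses import dataclass

def _digest(pwd: str) -> str:
    # Constructed stand-in for credential storage; a real deployment (Fortress relies on
    # OpenLDAP for this) uses a salted, slow password hash rather than bare SHA-256.
    return hashlib.sha256(pwd.encode()).hexdigest()

@dataclass(frozen=True)
class Session:
    user_id: str
    active_roles: frozenset      # roles activated for this session (a subset of assigned roles)

class CoreRbac:
    """Core RBAC per ANSI INCITS 359: UA and PA relations plus sessions with activated roles."""
    def __init__(self):
        self.users, self.ua, self.pa, self.audit = {}, {}, {}, []   # audit: constructed event list
    # Administrative functions: build the policy (Fortress exposes these as admin APIs).
    def add_user(self, uid, pwd): self.users[uid] = _digest(pwd); self.ua[uid] = set()
    def add_role(self, role): self.pa[role] = set()
    def assign_user(self, uid, role): self.ua[uid].add(role)               # UA relation
    def grant_permission(self, role, obj, op): self.pa[role].add((obj, op))  # PA relation
    # Supporting system functions: run-time enforcement.
    def create_session(self, uid, pwd, roles=None, ip="203.0.113.7"):
        if uid not in self.users:
            self.audit.append(("invalid user authentication", uid, ip, "unknown userId")); return None
        if not hmac.compare_digest(self.users[uid], _digest(pwd)):
            self.audit.append(("authentication", uid, ip, "FAIL")); return None
        self.audit.append(("authentication", uid, ip, "OK"))
        wanted = set(roles) if roles is not None else set(self.ua[uid])
        if not wanted <= self.ua[uid]:   # only roles assigned to the user may be activated
            self.audit.append(("session creation", uid, ip, f"refused {sorted(wanted - self.ua[uid])}")); return None
        self.audit.append(("session creation", uid, ip, f"activated {sorted(wanted)}"))
        return Session(uid, frozenset(wanted))
    def check_access(self, session, obj, op):
        allowed = any((obj, op) in self.pa.get(r, ()) for r in session.active_roles)
        self.audit.append(("authorization", session.user_id, f"{obj}:{op}", "ALLOW" if allowed else "DENY"))
        return allowed

def demo():
    rbac = CoreRbac()
    rbac.add_user("jdoe", "constructed-pw"); rbac.add_role("Bank_Teller"); rbac.add_role("Bank_Auditor")
    rbac.assign_user("jdoe", "Bank_Teller"); rbac.assign_user("jdoe", "Bank_Auditor")
    rbac.grant_permission("Bank_Teller", "Account", "deposit")
    rbac.grant_permission("Bank_Auditor", "Account", "read")
    # Least privilege: activate only the role needed for this session, not every assigned role.
    session = rbac.create_session("jdoe", "constructed-pw", roles=["Bank_Teller"])
    return rbac, session
```

With only Bank_Teller activated, the Bank_Auditor permission is denied even though it is assigned, which is the session/role-activation distinction the audit events above are recording.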