Sentra for SafeSign (SSAS)
The Sentra for SafeSign module will allow users to create a centralised database of performance data from one or more e-Security SafeSign Authentication Server or cryptographic environments and analyse the information in real time.

Using standard SQL reporting tools, such as Microsoft SQL Reporting Services™, an analysis of the performance data will provide a set of Service Management facilities and Management Information views. These will be displayed as a collection of web views that represent the environments being monitored and show real-time performance information, service level alerts with graphs representing the behaviour of nominated metrics, and management reports to monitor the Business objectives of the SafeSign Authentication Server service.
The Sentra for SafeSign module can :
- Read the contents of any e-Security SSAS log
- Read log file and table information directly from the SSAS SQL Database
- Read JMX performance counters and attributes from the Daemon process
- Read hardware performance data, subsystem performance data such as SQL performance metrics, and event log information
- Poll the cryptographic (HSM) devices at a user-defined interval and retrieve performance data relating to device memory status and certificate storage
- Display web view analysis of the environments being monitored and show real-time performance information.
The Benefits of Implementing the Sentra for SafeSign module :
- Single Point of Contact for Monitoring & Alerting
- Restricted Access to Sentra Functions
- Simple Access to Disparate Data
- Real Time Alerting to Potential Issues
- Automated Issue Resolution
- No Access to Sensitive Information
- Minimal processing overhead on the SafeSign Authentication Server e-security environment
Benefits :
There are many benefits to deploying Sentra to monitor and manage your SafeSign Authentication Server e-Security environment. A number of these are summarised below.
Single Point of Contact for Monitoring & Alerting
The Sentra application provides the system administrators, security administrators and business users with a single point of contact for all their monitoring and alerting requirements.
Hypervisor views can be configured that will provide individual user groups with access to information that is specific to their business needs. Further drill down views will provide more detailed performance or management information views.
Restricted Access to Sentra Functions
Access to the functions of the Sentra console, to the Sentra Web application and to the various Hypervisor views can be restricted to specific groups of users.
Additionally, only certain user groups will have privileged access rights to amend rules, acknowledge alerts and control applications. Sentra also uses its own layer of security, tightly integrated with that of the SQL Server environment, to further secure access to configuration and control options and Hypervisor views.
Simple Access to Disparate Data
Once deployed, Sentra will provide simple, easy access to data that was previously difficult to access without first installing a number of different applications and utilities within the SafeSign Authentication Server environment.
JMX performance counters can be viewed alongside disparate information such as log file entries, system event logs and server performance counters. This allows performance and log information from the SafeSign Authentication Server application, the cryptographic modules, the SafeSign Database and the server platform to be combined into a unified ‘service’ overview.
Real-Time Alerting to Potential Issues
Because the data collected from the SafeSign Authentication Server environment is evaluated as soon as it is collected, issues that may potentially impact upon the performance of the environment can be quickly and easily identified. Rules can be configured to target specific information such as low transaction throughput on specific channels.
Alternatively, rules can be combined to alert against a seemingly unrelated set of circumstances that may affect the overall performance of the SafeSign Authentication Server environment. Alerts can be generated using a number of methods and if not acknowledged within a certain time frame, can be automatically escalated to the next level of support.
Automated Issue Resolution
The Sentra application is capable of automatically executing applications, batch and script files in response to an alert.
For example, a Daemon process can be automatically re-started if it is inadvertently stopped, or temporary disk files can be archived if disk space becomes an issue. These automated tasks can reduce the amount of manual intervention required by operations staff and significantly improve service availability.
No Access to Sensitive Information
The Sentra extraction clients will only collect data from the SafeSign Authentication Server environment that relates to performance or log files. Also, any performance data collected from the cryptographic devices will relate to memory utilisation and numbers and types of certificates. No sensitive information, such as certificate or transaction details, is collected by Sentra or exposed to the end user.
Performance
Once information has been collected by the extraction clients it is stored and manipulated ‘offline’ on the Sentra server. There is only a minimal additional processing overhead on the SafeSign Authentication Server e-security environment attributed to the extraction clients.
Sentra Installation - Clients :
Typically, Sentra is installed on its own Windows server with an attached SQL database. A number of extraction clients are then installed at various locations inside and outside of the SafeSign Authentication Server environment. These extraction clients will either eavesdrop on the flow of information within the SafeSign Authentication Server environment, or will actively request status information and performance data from various points within SafeSign.
Five extraction clients can be installed in a SafeSign Authentication Server e-security environment, each performing a different function. These are explained in greater detail below :
Extraction Client A
This extraction client is installed within the SafeSign Authentication Server environment and will read the contents of any SafeSign Authentication Server log that is written to disk as a text file. The contents of each log file entry are parsed into their component parts, such as timestamp, channel or service name and message. This information is then written to tables in the Sentra SQL Database for evaluation and reporting.
Extraction Client B
This extraction client performs in exactly the same manner as Extraction Client A; however, it reads log file and table information directly from the SafeSign Authentication Server SQL Database.
Extraction Client C
This extraction client is also installed onto the SafeSign Authentication Server environment. It reads JMX performance counters and attributes from the Daemon process. Once collected, this performance data is written to the Sentra SQL Database for evaluation and reporting purposes.
Extraction Client D
This extraction client represents a number of clients that can be installed on the platform where the SafeSign Authentication Server application is running. They can be used to read hardware performance data, subsystem performance data such as SQL Server performance metrics, and event log information. This information is written to the Sentra SQL database for evaluation and reporting purposes.
Extraction Client E
This extraction client can be installed at any location on the network where the cryptographic modules in use by the SafeSign Authentication Server environment are visible. In a secure e-security environment this would typically be on the platform where the SafeSign Authentication Server application has been installed.
The extraction client will poll the cryptographic devices at a user-defined interval and retrieve performance data relating to device memory status and certificate storage. In common with the other extraction clients, this information is relayed to the Sentra SQL Database for evaluation and reporting purposes.
Once installed, the extraction clients along with any other critical services can be monitored and managed from the Sentra console.
PCI DSS (Payment Card Industry Data Security Standard) compliance is provided by the native facilities of Microsoft SQL Server (master key, certificates, symmetric keys, and EncryptByKey / DecryptByKey using AES_256, Triple DES etc.), which is the database manager for the Sentra and RTLX environments, together with encryption (including column-level encryption), masking and/or blanking of field values by Sentra, e.g. PANs.
Data can be encrypted and compressed if required, as it is relayed from the HP NonStop platform.
The real-time POS visuals and data presented to the user are based on the authorisation level of that user as set up in Sentra. Further modifications can be automatically applied to data stored in the SQL database, such as X’ing out (or blanking out) card numbers, e.g. XXXX-XXXX-XXXX-2207.
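The SQL Server facilities named above (master key, certificate, symmetric key, EncryptByKey / DecryptByKey with AES_256) and the XXXX-XXXX-XXXX-nnnn masking can be combined as in the following T-SQL sketch. It is an added example, not Sentra's own schema or code; every object name (PanCert, PanKey, dbo.PosTxn, PosQuery and so on), the password and the sample PAN are constructed placeholders.

```sql
-- Constructed example: object names, password and sample PAN are placeholders.
-- Key hierarchy: database master key -> certificate -> AES_256 symmetric key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-password-placeholder>';
CREATE CERTIFICATE PanCert WITH SUBJECT = 'PAN column protection';
CREATE SYMMETRIC KEY PanKey WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE PanCert;
GO

CREATE TABLE dbo.PosTxn (
    TxnId     INT IDENTITY(1,1) PRIMARY KEY,
    PanEnc    VARBINARY(128) NOT NULL,  -- ciphertext produced by EncryptByKey
    PanMasked CHAR(19)       NOT NULL   -- XXXX-XXXX-XXXX-nnnn, safe to display
);
GO

-- Write path: encrypt the full PAN and keep only the last four digits in clear.
-- EXECUTE AS OWNER lets callers run this without holding rights on the key.
CREATE PROCEDURE dbo.AddPosTxn @Pan CHAR(16)
WITH EXECUTE AS OWNER
AS
BEGIN
    OPEN SYMMETRIC KEY PanKey DECRYPTION BY CERTIFICATE PanCert;
    INSERT INTO dbo.PosTxn (PanEnc, PanMasked)
    VALUES (EncryptByKey(Key_GUID('PanKey'), @Pan),
            'XXXX-XXXX-XXXX-' + RIGHT(@Pan, 4));
    CLOSE SYMMETRIC KEY PanKey;
END;
GO

-- Read path for ordinary users: the view exposes the masked value only.
CREATE VIEW dbo.PosTxnMasked AS
    SELECT TxnId, PanMasked FROM dbo.PosTxn;
GO

-- Members of this role can query the view but hold no rights on the
-- base table, the certificate or the symmetric key.
CREATE ROLE PosQuery;
GRANT SELECT ON dbo.PosTxnMasked TO PosQuery;
GO

EXEC dbo.AddPosTxn @Pan = '4000000000002207';  -- constructed test value
SELECT TxnId, PanMasked FROM dbo.PosTxnMasked; -- XXXX-XXXX-XXXX-2207

-- Privileged read path: works only for a principal with access to PanKey.
OPEN SYMMETRIC KEY PanKey DECRYPTION BY CERTIFICATE PanCert;
SELECT TxnId, CONVERT(CHAR(16), DecryptByKey(PanEnc)) AS Pan FROM dbo.PosTxn;
CLOSE SYMMETRIC KEY PanKey;
```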
Sentra includes a multi-tier security model for users whereby groups are configured to access one or more functions within the product and then users are allocated to one or more Sentra groups. So for example, a user might only gain access to the MI reports group or the POS querying group or both. If they are allocated to a group, they may still be restricted from using certain functions such as restricted query access on the POS querying screen.
Though users may gain a secured level of access to the Sentra product, they of course will not be able to access the MS SQL database directly.
In order for ITL to install Sentra at one of the UK’s largest banks, strict security directives needed to be adhered to and a separate document relating to security considerations is part of the Sentra product evaluation delivery.
Minimum Windows Hardware Requirements
For optimum performance, it is recommended that the minimum specification of your hardware and software is as follows :
- Windows Server 2000 / 2003 / 2008 with the latest service packs
- Microsoft SQL Server 2005 / 2008 with the latest service packs
- Either Tomcat, IBM WebSphere or JBoss (formerly BEA WebLogic) web application servers (ask ITL about MS Internet Information Services, IIS); also requires Java SE version 6+ (1.6)
- Browsers: Internet Explorer (IE) ver. 7+, Google Chrome, Safari, Firefox
- Intel Mid to High-End, Multi Core processor
- 16+ GB RAM recommended
- SCSI interface (SCSI2 Ultra-Wide recommended)
- 10 GB Single Drive for operating system and SQL Server software
- *40 GB Single Drive for the SQL server database (RAID 0+1 recommended)
- 20 GB Single Drive for the SQL server log file (RAID 0+1 recommended)
- Graphics resolution 1024 x 768 recommended
- 17" or larger colour monitor is also recommended
The above specification is for guidance only. The specification of your Windows server will be dependent on your individual needs. Please contact the Insider Technologies Helpdesk for assistance in establishing the specification of your server.
SQL Server Versions Supported by Sentra (also install Microsoft SQL Reporting Services)
The Sentra database is compatible with the following variants of SQL Server :
- 2005 / 2008 Standard Edition
- 2005 / 2008 Enterprise Edition
- 2005 / 2008 Developer Edition*
- 2005 / 2008 Express – the default installation on the CD uses SQL Express with Advanced services, so that SQL Reporting Services is available
* Some SQL editions include a concurrent workload governor. Performance degrades when more than five queries are executed concurrently. Sentra will work with these versions of SQL Server but performance may be unacceptably slow and its installation is not recommended for high volume usage.
SQL Express editions support databases with a limited maximum size (4 GB for SQL Express 2005). Users who anticipate large database storage requirements should consider installing the Enterprise edition of Microsoft SQL Server, or contact Insider Technologies for advice.