2015

Enterprise Directory

LDAP

  • Disabled SSLv3 ciphers
  • Migrated to F5 load balancer, which added IPv6 support

Replication

  • ED group replication to Active Directory

DAT

  • Released DATng for limited use

CAS

  • Began the process of decommissioning this service

Login

  • Deployed new service, based on IDPv3, into production
  • Researched Duo and deployed websdk implementation

LAA

  • Kafka research and deployment
  • Throughput testing
  • Developed data model and designed role-based access control system

Infrastructure

  • Deployed host with no SAN dependencies for high availability
  • GitLab server patched and upgraded on a regular basis
  • Began transition away from dokuwiki to Jekyll based website
  • Jenkins continuous integration server patched and upgraded on a regular basis

Open Source

  • New version of mod_auth_cas (v1.1) released
  • v1.1.0 of ldaptive released
  • v1.1.0 of passay released
  • v1.1.0 of cryptacular released

Uptime Statistics

July 1, 2015 - June 30, 2016

ED-Auth 99.999%
ED-Lite 99.999%
ED-ID   99.999%
webapps 99.998%
msg     99.997%
shib    99.999%
cas     99.999%

2014

Enterprise Directory

LDAP

  • Added passwordExpirationDate attribute to the schema
  • Configured support for SHA-2 passwords in OpenLDAP
  • Migrated to the MDB backend as part of the OpenLDAP 2.4 upgrade
  • Created cn=authstats accesslog, which will replace the UDP-based authstats service
  • Added support for ED services to perform simple binds

Replication

  • Removed the last vestiges of replication to the old VT mail system

Scheduled Tasks

  • Implemented PID password expiration warnings
  • Removed deletion check against the old VT mail system in email expiration

Research & Development

  • Evaluated JBoss 7 & 8 for our next generation Java platform
  • Evaluated and selected Spring as the next generation Java platform

CAS

  • Transitioned to a stateless active-active architecture, which improves availability and positions the Web SSO platform for seamless growth to remote locations in support of disaster recovery efforts.
  • Developed software components to support password expiration warnings.
  • Improved CAS management software used by IMS for integration and support.

Shibboleth

  • Added several federated services to the VT Shibboleth IdP.
  • Developed a facility to leverage Enterprise Directory entitlements for controlling access to federated services

Infrastructure

  • Added support for perfect forward secrecy on our Apache web servers
  • GitLab server patched and upgraded on a regular basis
  • All servers patched for the Heartbleed vulnerability

Open Source

  • Refactored vt-crypt into our next generation Java cryptography library called cryptacular.
  • Contributed patch for Apache mod_ldap
  • Contributed patch for dokuwiki authplaincas to support SAML validation
  • Contributed many improvements to the ldaptive library; helped with its inclusion in the CAS and Shibboleth projects

CAS 4.0

  • Contributed the authentication subsystem API
  • Contributed documentation

Shibboleth IDPv3

  • Developed prototype CAS protocol plugin.
  • Contributed to the authentication and storage subsystems.

Uptime Statistics

July 1, 2013 - June 30, 2014

ED-Auth 99.999%
ED-Lite 99.999%
ED-ID   99.999%
webapps 99.996%
msg     99.998%
shib    99.993%
cas     99.995%

2013

Enterprise Directory

Google

  • Software development to support Google apps for everyone
  • Software development to support the first phase of Google groups

Network Password

  • Developed business logic components to manage the network password

LDAP

  • Update to use shared memory keys to avoid disk I/O issues
  • Deceased people now suppressed in ED-Lite
  • Added networkPassword attribute
  • Development and pre-production LDAPs now behind the load balancer for improved testing
  • On-going evaluation of the following technologies:
    • mdb database
    • SSHA512 passwords
    • bcrypt passwords

Replication

  • Software development related to the deprovisioning of the iPlanet mail server

DAT

  • Support for displaying records from external data sources such as Active Directory and Google
  • Improvements to the mail creation interface
  • Support for Google groups
  • Support for managing network passwords

Web Services

  • Support for managing the networkPassword attribute

CAS

  • Developed a new Git-based deployment process with enhancements for QAV testing
  • Developed application health monitoring facility to provide analytics into system components as a measure of overall system health
  • Developed dashboard to report on authentication statistics

Shibboleth

  • Provided support to bring several new service providers online
  • Refined the concept of the Hokies federation to support Shibbolized services internal to Virginia Tech

Infrastructure

  • Evaluated GitHub Enterprise (not selected)
  • Evaluated GitLab (selected for Enterprise use)
  • Moved middleware projects from subversion to git
  • Upgraded www.middleware.vt.edu (dokuwiki)

Open Source

  • Contributed a new open source LDAP API called ldaptive
  • Contributed a next-generation authentication API for CAS 4.0 that provides native support for multi-factor authentication
  • Contributed a new LDAP subsystem based on ldaptive for CAS 4.0 with a number of new features that dramatically improved performance and reliability
  • Contributed documentation for CAS 4.0
  • Contributed Shibboleth IdPv3 authentication and storage subsystems

Uptime Statistics

July 1, 2012 - June 30, 2013

ED-Auth 99.993%
ED-Lite 99.993%
ED-ID   99.993%
webapps 99.977%
msg     99.986%
shib    99.985%
cas     99.986%

2012

Enterprise Directory

Deployment

  • Created a new build and deployment environment that leverages filesystem encryption to secure sensitive data at rest
  • Updated and added tests to improve test coverage

Google

  • Software development to support self service provisioning of Google accounts

LDAP

  • Upgraded OpenLDAP to 2.4.30
  • Began using tcmalloc for more efficient memory allocation
  • Began using back-hdb, slight improvements over back-bdb

Replication

  • Upgraded HornetQ to 2.2.14, which included several bug fixes
  • Deployed end-to-end health checking for messages

DAT

  • Updates to support Google transition
  • Requirements gathering and technology research for the next version of the DAT
  • Many minor bugs identified and corrected

Web Services

  • Support for entitling services

Logging

  • Extensive code review to improve logging and eliminate the logging of sensitive data
  • Auditing data now stored as JSON, rather than XML

CAS

  • Designed and deployed an improved system architecture based on a redundant memcached storage facility that improved throughput by up to 500% while improving availability and fault tolerance
  • Added support for authenticating Enterprise Directory guest users
  • Designed and implemented an interactive help system to assist users with forgotten user names and passwords

Shibboleth

  • Architected the authentication and assurance framework for Shibboleth/CAS in support of InCommon Silver certification

Open Source

  • Installed and configured various LDAP environments to support testing
    • ApacheDS
    • OpenLDAP
    • Active Directory
  • Contributed mod_auth_cas authorization fix
  • Developed a number of improvements to Jasig CAS that are beneficial to Virginia Tech
    • Performance enhancements to the memcached integration components
    • Extensible monitoring framework for integration with enterprise monitoring software
  • Implemented support for elliptic-curve cryptography algorithms in the vt-crypt project

Uptime Statistics

July 1, 2011 - June 30, 2012

ED-Auth 99.993%
ED-Lite 99.963%
ED-ID   99.987%
webapps 99.965%
msg     99.898%
shib    99.879%
cas     99.971%

2011

LDAP

  • Added attributes studentLevel, studentLevelCode, confidentialFlag, accountRecoveryMaintenanceDate
  • Modified ACLs for VT-EMPLOYEE-EMERITUS
  • Exposed passwordState attribute
  • Added VT-LCI-AFFILIATE affiliation
  • Removed finger.vt.edu
  • Research and testing for IPv6 support
  • Uptime data is now collected and stored

Application Servers

  • Uptime data is now collected and stored

Software Development

  • Improved data validation on J2EE entities and user input
  • Updated password validation logic [1]

Replication

  • Support for unicode characters in Banner replication stream

DAT

  • Exposed Password attributes [1]
  • Exposed Email Account attributes
  • Management functions for Group relation expiration (group member expiration)
  • Management functions for account recovery [2]

Email Accounts

  • Added email account states
  • Improved logic of mail routing for VE and GE accounts

CAS

  • Developed and deployed CAS 3.4.8 in production
  • Developed password expiration detection capability [1]
  • Developed customizations for CAS login Web flow [2]
  • Dramatically improved user experience on mobile platforms including iPhone, iPad, and Android devices
  • Developed high performance X.509 certificate revocation capability in support of VT PKI project that was contributed to Jasig CAS project

Open Source

  • Developed support for handling a variety of encrypted private key formats in the vt-crypt library
  • Developed a performance-minded implementation of password sequence checking for the vt-password library [1]
  • Developed many improvements to the vt-ldap library in support of Shibboleth

Uptime Statistics

June 1 - June 30, 2011

ED-Auth 99.975%
ED-Lite 99.975%
ED-ID   99.975%
webapps 99.935%
msg     99.924%
shib    99.975%
cas     99.975%

[1] Work related to the Password Change Project
[2] Work related to the Self Service Password Reset Project


2010

LDAP

  • Upgraded OpenLDAP to version 2.4
  • Removed ou=Accounts,dc=vt,dc=edu branch
  • Added support for external middleware certificates
  • Added attributes mailExternalAddress, udcIdentifier, bannerName
  • Removed legalName attribute

Application Servers

  • Upgraded JBoss to version 5.1.0
  • Switched from JBossMQ to HornetQ as our JMS provider for replication

Software Development

  • Switched build frameworks from Ant to Maven

Google Apps

  • Provided ED integration with VT Google Apps domain for alumni and Carilion e-mail

DAT

  • Added management support for Google Apps accounts
  • Many, many bug fixes and improvements

Shibboleth

  • Provided SSO integration for VT and Carilion Google Apps domains
  • Integrated uApprove in development to investigate user-driven attribute release as a solution to concerns about data disclosure to third parties

CAS

  • Upgraded CAS server to version 3.4.2
  • Designed and deployed CAS changes for increased performance, security, and availability
  • Added Banner/VT CAS integration

2009

LDAP

  • Maintained and supported production environment
  • Gender attribute added to person
  • Improved overlays and replication processes
  • Tested OpenLDAP 2.4 in preparation for eventual upgrade

Software Development

DAT

  • Improved consistency of display and workflow for all screens
  • Query interfaces updated with pagination support
  • Affiliation added to person query interface
  • Display of gender added to person information for Help Desk support
  • Audit query and display interface added for both authentication and Registry data modifications
  • Person comments added for administrative metadata to be attached to a person
  • Suppressible attribute management interface

CAS

  • Maintained and supported production environment
  • Contributed SAML 1.1 support to the mod_auth_cas (Apache) open source project
  • Contributed SAML 1.1 support to the ASP.NET CAS open source project
  • Contributed SAML 1.1 support to the phpCAS open source project

Shibboleth

  • Maintained and supported production environment

Open Source

  • Moved Middleware projects to Google Code
  • Performed code review on each project before their transition

2008

LDAP

  • Upgraded to version 2.3.39
  • Overlays can be configured with cn=config
  • Services now use serviceDN, making cert revocation easier
  • cn=monitor ORCA graphing now in place
  • Hardware upgraded to 64-bit, 8 GB machines.
    • All of the database now runs in memory
  • Improved employee confidentiality implementation

Software Development

  • Upgraded from EJB2 to EJB3 for all entity beans and session beans
    • added unit tests to all EJB3 beans which greatly improved quality assurance
  • Added entitlement functionality
  • Added guest access functionality
  • Updated group implementation to support additional features:
    • group member suppression
    • person and service managers
    • service administrators
  • Added person delete and archive functionality
  • Updated mail functionality to support local mail delivery and multiple forwards
  • Updated services to support multiple contacts and certificates
  • Refactored scheduled tasks to support new features, such as guests, entitlements, tickets, and person archiving
  • Created new library to support contract first Web service development
    • Exposed group management web services
    • Exposed entitlement management web services
    • Exposed guest management web services
  • Developed Spring web application for group management
  • Developed Spring web application for guest access validation and management

Replication

  • Performance improvements increased speed by a factor of 3
  • Removed dependency on Oracle database triggers for Registry replication

DAT

  • Added entitlement management
  • Added guest management
  • Updated group management to support new features
  • Added name reservation management interface
  • Improved query performance
  • Added sorting to many multi-value fields

CAS

  • Collaborated with CNS to add support for mobile devices in CAS UI.
  • Ported the VT CAS project to the Maven 2 build system.

Shibboleth

  • Deployed Shib 2 IDP in standard 3-tier fashion on ASH platform.
  • Contributed several bug fixes to the Shib 2 project
  • Developed wiki documentation for Shib IDP including high-level overview and technical details on attribute release.

Miscellaneous

  • Created crash and burn Registry instance to facilitate testing and development of new features that impact the Registry database schema.
  • The addpartial overlay was accepted into OpenLDAP as a contrib module.

2007

LDAP

  • OpenLDAP upgraded from 2.2.x to 2.3.x
  • OpenLDAP performance tuning for faster searching

Software Development

Replication

  • Replaced PL/SQL Banner to Registry replication with Java based solution
  • Wrote code for the eventual replacement of the Registry to Banner replication
  • Updated mail replication for JMM
  • Transferred support of the SynchroV3 project to MIG

Webapps

  • Took ownership of the CAS service
  • Converted the DAT to use the Struts framework (plus many fixes and features)
  • Added JMM data to the DAT
  • DAT and Middleware wiki integrated with CAS

Services

  • Updated PidGen session bean for new PidGen portlet
  • Namearbiter performance tuning and improvements

Miscellaneous

  • Evaluation of Struts
  • Evaluation and some implementation of EJB3.0
  • Installed Oracle 10g for testing purposes
  • Began using JIRA
  • All middleware machines moved to the new Foundry load balancer
  • Updated mail expiration processes to do integrity checking and send notifications to mail team on failure
  • Survived Oracle 10g upgrade in production

2006

LDAP

  • EDLite, EDAuth, and EDID were consolidated into EDUnified.
    • required much testing and the development of several OpenLDAP overlays.
  • VT-STUDENT-FUTURE and VT-STUDENT-RECENT affiliations were added.
  • Authentication statistics are now stored in the Registry.
  • New directory attributes labeledURI, instantmessagingID, fax, mobile, and pager were added.
  • New suppression rules were added for PIDs and e-mail addresses.

Software Development

  • Groups, Services, and Mail accounts now have full lifecycle support (from provisioning to deprovisioning).
  • Email notices are sent in all cases where something is deprovisioned.
  • Revocable people were added to the Enterprise Directory’s business logic.
  • Multiple e-mail accounts per person are now supported with the addition of Group and Admin type accounts.
  • A dynamic number of e-mail aliases per account is now supported.
  • An edid-proxy service was added for EDID services that can’t support SASL-EXTERNAL.
  • Password resets now require the user to change their password or have the password expire.

Miscellaneous

  • A messaging specific server was added to the ED server farm.

2005

LDAP

  • Conformed all schemas to match the ED-ID schema
  • Investigated data views for ED-ID services
  • Developed and tested a unified ED

Replication

  • Replaced all synchronous replication processes with message based asynchronous Java services
  • Developed new version of the AD synchronization software as a .NET web service that accepts SPML

Software Development

  • Replaced hand coded entity beans with beans dynamically generated from the database schema
  • Wrote reflection-based wrapper classes for all beans to ease development and JNDI lookups
  • Updated all session beans and web applications to use new wrapper classes
  • Added permanent reserves to namearbiter
  • Exposed session bean methods as web services for portal integration

Miscellaneous

  • Installed new wiki web site and converted old documentation to the wiki
  • Developed a Subversion-based install process for all applications needed to bring up a J2EE environment