VCCS Directory Services Application Brief
March 14, 2002
Introduction
Rapid change in the computing industry and the related technology products has left the Virginia Community College System, like most enterprises, with a growing collection of heterogeneous hardware platforms supporting a growing collection of heterogeneous software. Some of these databases, software packages, and applications have been purchased while others were developed in-house. Each of these information resources adds an intrinsic value to the organization. Integrating these information resources and making them work together as elements of an overall business process can create additional value. The pressure on the Information Technology Department to provide new and expanded services has fueled the requirement to leverage these existing information resources. The purpose of the Directory Services Application is to serve as the hub for integrating VCCS information resources while providing students, faculty and staff a common interface for accessing and administering VCCS applications and services.
Most organizations understand the value of integrating information resources. However, few understand the full complexity of such an effort. Many have relied heavily on internal IT staff while others have acquired the services of a professional system integrator. Both alternatives can be effective when properly implemented; however, too often they have not generated the desired results and can be cost prohibitive. The VCCS has elected to use a third alternative, Middleware.
Middleware has matured. Instead of committing large sums to consultants or additional staff, organizations are purchasing software that reduces the complexity of integrating information resources. The VCCS has determined that message broker software can perform the workflow, data transformation, routing, and messaging needed to support conversion, interfacing, and integration of its various information resources. The message broker technology can also aid in developing new or expanded applications and services. Capitalizing on this technology will enable the VCCS to give its colleges the opportunity to develop new administrative and instructional capabilities, such as distance learning, which may dramatically alter the concept of a campus and fundamentally change the methods used to provide instruction.
Application Overview
As the VCCS plans to conduct business over the Internet, network authentication services and secured applications become essential for doing business securely on the open network as well as on the VCCS Intranet. The benefit of implementing this service is the ability to provide services to customers securely without compromising the VCCS network infrastructure and related resources.
Three security features are required for conducting business on an open network without compromising security: authentication, message integrity, and message privacy. For the greatest level of security, these features need to be provided end to end at the application level, rather than relying only on the network level.
Authentication verifies the identity of an individual or application (also known as a principal) trying to access services. Message integrity ensures that messages are not tampered with in transit: the sender attaches a cryptographic checksum (a message authentication code computed over the message with a shared secret) and the receiver recomputes and verifies it. Message privacy ensures that messages are not readable by network eavesdroppers: messages are encrypted prior to transmission and decrypted at the receiving end.
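The message integrity check described above, as an added example that is not part of the original brief or of the webMethods product: the sender appends an HMAC-SHA256 tag computed with a shared key, and the receiver recomputes the tag before trusting the message. The key, the message layout, and the sample request are constructed for the example; message privacy (encryption) is not shown.

```python
import hashlib
import hmac
import json

# Constructed shared secret for the example. In practice each pair of principals
# would be provisioned with its own key (assumption, not from the brief).
SHARED_KEY = b"example-shared-secret-not-for-production"


def seal(payload: dict, key: bytes = SHARED_KEY) -> bytes:
    """Serialize a message and append its cryptographic checksum (HMAC-SHA256 tag)."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    # The tag is hex, so the last '.' on the wire always separates body from tag.
    return body + b"." + tag


def open_sealed(wire: bytes, key: bytes = SHARED_KEY):
    """Recompute the tag over the received body; return the parsed message,
    or None if the tag is missing, forged, or the body was altered in transit."""
    body, sep, tag = wire.rpartition(b".")
    if not sep:
        return None
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    # compare_digest avoids leaking how many tag bytes matched via timing.
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body)


def demo():
    """Constructed request: a principal asking the broker for a white pages lookup."""
    msg = {"principal": "cust1001", "request": "white_pages_lookup", "last_name": "Smith"}
    wire = seal(msg)
    accepted = open_sealed(wire)                      # genuine message: parsed
    tampered = wire.replace(b"Smith", b"Jones")       # eavesdropper edits the body
    rejected = open_sealed(tampered)                  # tag no longer matches: None
    return accepted, rejected
```

The same construction works for any request the Message Broker routes; what it does not give you is privacy, since the body travels in the clear, so in a deployment the sealed message would additionally be encrypted.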
The strategy is to provide students, faculty, staff members, and approved partners with a Customer ID, password, and PIN number that may be used to access the controlled and secured area of the VCCS Intranet. Students are those who have been admitted to a community college. Staff members are those with active appointments. Approved partners are individuals or organizations working on a project or partnership benefiting a community college, as determined by the President or the Chancellor. This strategy requires a robust technology and supporting application that can interface with existing information systems and support the building of some new components, including a web interface for customers. The VCCS elected to use the message broker product from webMethods to provide the base technology.
Application Strategy
The VCCS selected the Message Broker as the central control point for authentication and directory services. The Message Broker resides on a server and mediates requests to and from networked clients, automatically queuing, filtering, and routing events and guaranteeing delivery. Its scalable architecture simplifies systems integration: all collaborating systems communicate with the Message Broker, not with each other.
The Message Broker also provides a standard unit for capturing, analyzing, and exchanging information based on business process engineering. It accommodates nearly every kind of information resource running on every kind of platform, including legacy applications, packaged software products, custom applications, databases, and the Internet. Rather than replacing these systems, it uses Adapters to integrate them. As part of the Directory Services Project, the VCCS has, as a primary requirement, to interface the following applications and network services:
- VIVA (Virtual Library of Virginia)
- GDS (Global Directory Service)
- Directory (Customer Data Base)
- White Pages (Customer Address, Telephone Number, etc.)
- Email Services
- CAAM (Customer Account Administration Manager)
- DM (Directory Manager)
- SIS (Student Information System)
- Voice over IP (Off-net to On-net Authentication)
- Interactive Voice Response (IVR)
See Figure 1 below for a graphical representation of the basic Directory Services application and how its components are expected to communicate.
Figure 1
Figure 2 provides a graphical representation of the Directory Services and the additional applications and services supported at this time.

Figure 2
VIVA Proxy Services
The mission of the Virtual Library of Virginia (VIVA) is to provide, in an equitable, cooperative, and cost-effective manner, enhanced access to library and information resources for the Commonwealth of Virginia's academic libraries serving the higher education community.
The VCCS uses Intranet security methods to provide authentication for all licensed VIVA databases when the user is connecting from a desktop computer within the VCCS. The VCCS also provides access to these databases from off-campus locations (home, local library, etc.) through a proxy server. The proxy server, when correctly configured in a web browser, provides the necessary authentication for database access. To use the proxy server, a customer must log on with a valid userid and PIN number. When a customer enters this information via the proxy server, it is validated against the Global Directory Server (GDS).
Global Directory Server (GDS)
The GDS is an X.500 directory that stores a customer's email address in its userid attribute and the customer's birth month, birth day, and last four digits of the social security number in its password attribute. Note that every component of that password value is personal data recorded elsewhere rather than a secret chosen by the customer, so anyone who knows those details about a customer can reproduce it. The GDS will be used during the initial implementation of this service. The Directory defined below will eventually replace the GDS.
Directory
The VCCS will use an Oracle table to store a customer's application profile and related information, including name, employee id, social security number, work telephone number, etc., together with security information (which applications a customer can access, userid, etc.). This Oracle table will be referred to as the "Directory". The "Directory" will be used to authorize customers to use applications within the VCCS Intranet. Customer records will be created automatically in the Directory using college business rules defined in the Message Broker. For example, a student's logon id can be added or deleted based on the student's status at the college.
The "Directory" holds the following information about each customer:
White Pages
The VCCS requires a facility for identifying e-mail addresses and other pertinent information about students, faculty, and staff. The white pages are accessible from any web browser and can be used to retrieve an individual's information. The white pages include only faculty, staff, and students who have e-mail accounts, and they use the customer's information stored in the Directory. The white pages retrieve an individual's information by location code, personnel type, and last name; they can also do wildcard searches on the customer's last name. A successful search of the white pages displays the following information:
- Full name
- College
- Telephone number
- Mail address
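The white pages lookup just described, as an added example that is not part of the original brief: a search over a constructed stand-in for the Oracle "Directory" table (SQLite in memory, sample rows invented for the example) by location code, personnel type, and a wildcard last name. Two points a practitioner would want are built in: the user's `*` wildcard is translated into a LIKE pattern only after escaping the LIKE metacharacters and binding the value as a parameter, so search text cannot widen the match or alter the query; and the query projects only the four displayed fields, never the social security number or other profile data that shares the table. Column names and the `*` wildcard syntax are assumptions.

```python
import sqlite3

# Constructed rows standing in for Directory records (sample data, not VCCS records).
# Columns: employee_id, last_name, first_name, college, location_code, personnel_type,
#          work_phone, mail_address, email_address, ssn
SAMPLE_ROWS = [
    ("1001", "Smith", "Ann", "Northern Virginia CC", "NV", "FACULTY",
     "703-555-0100", "123 Campus Dr", "asmith@example.edu", "000-00-0001"),
    ("1002", "Smithson", "Bob", "Northern Virginia CC", "NV", "STAFF",
     "703-555-0101", "124 Campus Dr", None, "000-00-0002"),      # no e-mail account
    ("1003", "Smyth", "Cara", "Tidewater CC", "TW", "STUDENT",
     "757-555-0102", "1 Harbor Way", "csmyth@example.edu", "000-00-0003"),
    ("1004", "Jones", "Dan", "Northern Virginia CC", "NV", "FACULTY",
     "703-555-0103", "125 Campus Dr", "djones@example.edu", "000-00-0004"),
]


def build_directory() -> sqlite3.Connection:
    """Create the in-memory stand-in for the Directory table and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE directory (
        employee_id TEXT PRIMARY KEY, last_name TEXT, first_name TEXT, college TEXT,
        location_code TEXT, personnel_type TEXT, work_phone TEXT, mail_address TEXT,
        email_address TEXT, ssn TEXT)""")
    conn.executemany("INSERT INTO directory VALUES (?,?,?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn


def to_like_pattern(user_input: str) -> str:
    """Turn a user search such as 'Smi*' into a LIKE pattern. The LIKE metacharacters
    % and _ (and the escape character itself) in user text are escaped first, so only
    the user's '*' acts as a wildcard."""
    escaped = (user_input.replace("\\", "\\\\")
                         .replace("%", "\\%")
                         .replace("_", "\\_"))
    return escaped.replace("*", "%")


def white_pages_search(conn, location_code: str, personnel_type: str, last_name: str):
    """Return only the four displayed fields, only for customers with an e-mail account.
    All user-supplied values are bound as parameters, never concatenated into SQL."""
    sql = """SELECT first_name || ' ' || last_name AS full_name,
                    college, work_phone, mail_address
             FROM directory
             WHERE location_code = ? AND personnel_type = ?
               AND email_address IS NOT NULL
               AND last_name LIKE ? ESCAPE '\\'
             ORDER BY last_name, first_name"""
    params = (location_code, personnel_type, to_like_pattern(last_name))
    fields = ("full_name", "college", "telephone", "mail_address")
    return [dict(zip(fields, row)) for row in conn.execute(sql, params)]
```

A search for `NV`, `FACULTY`, `Smi*` returns Ann Smith only: Bob Smithson matches the name but has no e-mail account, and Cara Smyth is at another location. A search for the literal string `%` returns nothing, because the escaping turns it into a literal rather than a match-all pattern.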
Customer Account Administration Manager (CAAM)
The VCCS Customer Account Administration Manager (CAAM) is a web interface that gives customers the option of creating a customer account or an e-mail account. The customer account information is required to gain access to all VCCS system-wide applications and services. Through the CAAM, the customer can create a customer account, which is comprised of a customer id and PIN number. The customer can also change the PIN number. The customer id cannot be changed.
The information entered by the customer is passed from the web browser by the Message Broker and verified against information pre-entered in the "Directory". The CAAM gives the customer the option to accept the account default values generated by the application (customer id = employee id, PIN number = birth date) or to enter new values for all fields. If the information entered is valid, the customer id and PIN number are passed from the web browser by the Message Broker and stored in the "Directory". The customer can now use the customer id and PIN number to access VCCS network services and applications. A customer who accepts the defaults is protected only by a birth date, which is not a secret, so customers should be encouraged to replace the default PIN at account creation.
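The CAAM account flow above, as an added example that is not part of the original brief or of the CAAM application: the customer is verified against a pre-entered Directory record, a customer id and PIN are stored (defaulting to employee id and birth date as the brief describes), the customer id cannot be changed afterwards, and the PIN can be changed. Two hardenings are added that the brief does not specify and are labelled as such in the code: the PIN is stored as a salted PBKDF2 hash rather than in the clear, and a new PIN is rejected if it is the birth date or the employee id. The records, the MMDDYYYY birth date format, and the PIN policy are assumptions for the example; the Directory is modelled as an in-memory dictionary.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class DirectoryRecord:
    """Constructed subset of a Directory record: only the fields the CAAM flow needs.
    birth_date is MMDDYYYY (format is an assumption)."""
    employee_id: str
    birth_date: str
    customer_id: Optional[str] = None
    pin_salt: bytes = b""
    pin_hash: bytes = b""


def hash_pin(pin: str, salt: bytes) -> bytes:
    # Salted PBKDF2 instead of the plaintext PIN: added hardening, the brief does
    # not say how the PIN is stored in the Directory.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class CAAM:
    def __init__(self, records):
        self.directory: Dict[str, DirectoryRecord] = {r.employee_id: r for r in records}
        self.by_customer_id: Dict[str, DirectoryRecord] = {}

    def create_account(self, employee_id: str, birth_date: str,
                       customer_id: Optional[str] = None,
                       pin: Optional[str] = None) -> Tuple[bool, str]:
        """Verify the customer against the pre-entered record, then store the chosen
        values. Defaults follow the brief: customer id = employee id, PIN = birth date."""
        rec = self.directory.get(employee_id)
        if rec is None or not hmac.compare_digest(rec.birth_date, birth_date):
            return False, "validation failed"
        if rec.customer_id is not None:
            return False, "account already exists; customer id cannot be changed"
        customer_id = customer_id or employee_id
        if customer_id in self.by_customer_id:
            return False, "customer id already in use"
        rec.customer_id = customer_id
        rec.pin_salt = os.urandom(16)
        rec.pin_hash = hash_pin(pin or birth_date, rec.pin_salt)
        self.by_customer_id[customer_id] = rec
        return True, customer_id

    def verify(self, customer_id: str, pin: str) -> bool:
        """Authenticate a customer id and PIN (what a VCCS application would call)."""
        rec = self.by_customer_id.get(customer_id)
        if rec is None:
            return False
        return hmac.compare_digest(rec.pin_hash, hash_pin(pin, rec.pin_salt))

    def pin_is_default(self, customer_id: str) -> bool:
        """Audit check: True while the account still uses the birth-date default,
        a value recoverable from records rather than a secret."""
        rec = self.by_customer_id[customer_id]
        return hmac.compare_digest(rec.pin_hash, hash_pin(rec.birth_date, rec.pin_salt))

    def change_pin(self, customer_id: str, old_pin: str, new_pin: str) -> Tuple[bool, str]:
        if not self.verify(customer_id, old_pin):
            return False, "validation failed"
        rec = self.by_customer_id[customer_id]
        # Added policy (not in the brief): the new PIN may not be the birth date or the
        # employee id, and must be at least six digits.
        if new_pin in (rec.birth_date, rec.employee_id) or not new_pin.isdigit() or len(new_pin) < 6:
            return False, "PIN rejected by policy"
        rec.pin_salt = os.urandom(16)
        rec.pin_hash = hash_pin(new_pin, rec.pin_salt)
        return True, "PIN changed"
```

`pin_is_default` is the check an administrator would run across the Directory to find accounts that were created with the generated values and never changed; the same lookup keyed by customer id is what the SIS security tables would consult once the customer id and PIN have been copied there.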
The CAAM also provides a feature to allow a customer to find their employee id, which is required for use of the new SIS. The customer has the option of entering their social security number and pin number or their first name, last name, and pin number to locate and retrieve this information.
The CAAM is also used to enable students, faculty or staff to create an email account on the appropriate college server.
The same validation information required to create the customer account is also needed to create an email account. If all information entered is valid, the Message Broker passes the email address and email password from the web browser to the Nplex E-mail Server of the appropriate college and an email account is established. The email address is also stored in the "Directory". The customer can now use the email address to access VCCS email services. Provisions have been made within the system to allow colleges that have deployed local e-mail servers to develop a customized interface to the application.
Directory Manager (DM)
The Directory Manager (DM) is an application used to maintain information in the "Directory" and serves as the only interface for administering security in SIS. The DM enables customer account information to be added or updated. The DM can also be used to grant access to individual applications and services by maintaining a customer profile. Anyone authorized by the college can access a customer's information via the DM.
To access a record in the "Directory", the customer's employee id or social security number (or any other information that narrows the search to the desired customer) must be entered from a Windows-based client. The DM then displays the record for that customer. The information can be updated or deleted from the "Directory" table.
Student Information System (SIS)
The Virginia Community College System will utilize PeopleSoft's Student Administration System (SIS) to support all its unique information needs. SIS provides the functions of admissions, student records, financial aid, and student financials while supporting information "one-stop shopping" for all students.
Directory Services as defined in this document will provide the automated security administration for the Student Information System. The reason for automating this service is to minimize the personnel requirements usually associated with administering security for this application and to expedite the delivery of the required security services.
A customer using the SIS application must provide two fields to be authenticated. The two fields that are entered are dependent upon which of the three available interfaces (IVR, web, windows desktop client) the customer elects to use. The IVR requires employee id and pin number while the windows desktop and web client require logon id and pin number.
The customer uses the CAAM to request and maintain their unique customer id and pin number that is stored in the SIS security tables as the logon id and pin number respectively.
When customers (student, faculty, staff) are initially entered into SIS a record is established in the Directory with a default customer id and pin number (see the CAAM above for a description of these fields). The customer can access SIS using the web or IVR interfaces by entering the default values for logon id (employee id) and pin number (birth date). They also have the option of using the CAAM to change these default values generated by the application before using SIS.
All VCCS students, faculty and staff requiring access to SIS are also assigned a security model operator id that governs their access to the SIS panels. The security classes and model operator ids are pre-defined, reviewed, and entered into the system by the VCCS Information Security Administrator. This includes any default definitions and those that define the appropriate SIS security levels for all VCCS customers. This information is automatically assigned to each customer as the records are generated and entered into the Directory. College administrators or their designee will be able to change the security level assigned to an individual by using the automated Directory Manager. The DM will provide an easy "pull down" menu of valid options that can be assigned to an individual.
The customer will access the SIS application from the appropriate interface (web-browser or windows SIS client) using the menus supplied with the SIS application. The actual authentication will be performed against SIS security tables that are maintained and updated using the automated application defined in this document. See the VCCS Student Information System (SIS) Authentication/Security Model posted on the VCCS home page.
Voice over IP Services (VoIP)
The VoIP services use the Directory and a RADIUS server to authenticate customers who are authorized to place telephone calls from an off-net location (an off-campus location) to an on-net location (a VCCS campus or office). Customers must be in the Directory and are required to provide their employee id and PIN number. Campuses where this service is available must provide a local telephone number and grant access by enabling the service in the Directory using the Directory Manager.