Contact: LaVonn Creighton

Introduction

Rapid change in the computing industry and the related technology products has left the Virginia Community College System, like most enterprises, with a growing collection of heterogeneous hardware platforms supporting a growing collection of heterogeneous software. Some of these databases, software packages, and applications have been purchased while others were developed in-house. Each of these information resources adds an intrinsic value to the organization. Additional value can be created by integrating these information resources, making them work together as elements of an overall business process. The pressure on the Information Technology Department to provide new and expanded services has fueled the requirement to leverage these existing information resources. The purpose of this model is to define the process that will be used to provide customer authentication and security services.

Most organizations understand the value of integrating information resources. However, few understand the full complexity of such an effort. Many have relied heavily on internal IT staff while others have acquired the services of a professional system integrator. Both alternatives can be effective when properly implemented; however, too often they have not generated the desired results and can be cost prohibitive. The VCCS has elected to use a third alternative, Middleware.

Middleware has grown up and has achieved "adult" status. Instead of committing a large number of dollars to hire consultants or hire additional staff, the companies are purchasing software to ease the complexity of information resources integration. The VCCS has determined that message broker software can do work flow, data transformation, routing, messaging, etc. necessary to support conversion, interfacing and integration of the various information resources. The message broker technology can also aid in developing new and/or expanded applications and services. Capitalizing on this new technology will enable the VCCS to provide its colleges with the opportunity to develop new administrative and instructional capabilities, such as distance learning, which may dramatically alter the concept of a campus and fundamentally change the methods used to provide instruction.

The VCCS Problem

As the VCCS plans to conduct business using the Internet, the addition of network authentication services and secured applications become essential to do business securely on the open network, as well as the VCCS Intranet. Benefits of implementing this service include the ability to securely provide services to customers without compromising the VCCS network infrastructure and related resources.

Three security features are required for conducting business on an open network without compromising security: authentication, message integrity and message privacy. For the greatest level of security, these features need to be available at the application level, rather than the network level.

Authentication verifies the identity of an individual or application (also known as principals) trying to access services. Message integrity ensures messages (which contain a cryptographic checksum to be verified on the receiving end) are not tampered with when sent across the network. Message privacy ensures messages sent are not visible to network eavesdroppers. Messages are encrypted prior to transmission, and decrypted at the receiving end.

Our strategy is to provide students, staff members, and approved partners with a Customer ID that may be used to access the Controlled and Secured area of the VCCS Intranet. Students are those who have been admitted to a community college. Staff members are those with active appointments. Approved partners are individuals or organizations working on a project or partnership benefiting a community college as determined by the President or the Chancellor. This strategy requires a robust technology that can support the interfacing of existing applications and the building of some new components to include a web-interface for interfacing the customer. VCCS elected to use the message broker product from ActiveSoftware as part of a pilot project to deliver required services while validating the effectiveness of the message broker technology.

The Pilot Project

VCCS selected Message Broker as the central control for authentication and directory services. The Message Broker resides on a server and mediates requests to and from networked clients, automatically queuing, filtering and routing events and guaranteeing delivery. Its scalable architecture simplifies systems integration - all collaborating systems communicate with the Message Broker, not with each other.

The Message Broker is a standard unit for capturing, analyzing, and exchanging information based on business process engineering. It embraces nearly every imaginable kind of information resource running on every kind of platform, including legacy applications, packaged software products, custom applications, databases and the Internet. Rather than replacing these systems, it uses Adapters to integrate them. As part of the pilot project, the VCCS has, as a primary requirement, to interface the following applications and network services:

• VIVA (Virtual Library of Virginia)
• GDS (Global Directory Service)
• Directory
• White Pages
• Email
• CAAM (Customer Account Administrative Manager)
• DAM (Directory Administrative Manager)
• SIS (PeopleSoft's Student Administration System)

See Figure 1 below for a graphical representation of how the components are expected to communicate.

Figure 1

Intranet & Global Directory Server

The Virtual Library of Virginia (VIVA) mission is to provide, in an equitable cooperative and cost effective manner, enhanced access to library and information resources for the Commonwealth of Virginia's academic libraries serving the higher education community. The VCCS uses Intranet security methods to provide authentication for all licensed databases from VIVA when the user is connecting from a desktop computer within the VCCS. The VCCS also provides access to these databases from off-campus locations (i.e., home, local library, etc.) through a proxy server. The proxy server, when correctly configured in a web browser, provides the necessary authentication for database access. To use the proxy server a customer must logon using a valid username and password. When a customer enters this information via the proxy server, it is validated against the Global Directory Server (GDS). The GDS is an X.500 directory that stores a customer's email address in its userid attribute and birth month, birthday and last four digits of the social security number in its password attribute. The GDS will be used during the initial implementation of this service. The Global Directory defined below will eventually replace the GDS.

Directory

The VCCS will utilize an Oracle table to store a customer's application profile and related information to include name, employee id, social security number, work telephone number, etc. and security information (what application a customer can access, userid, etc.). The Oracle table will be referred to as the "Directory". The "Directory" will be used to authorize customers to use applications within the VCCS Intranet. Customer records will be automatically created in the Directory using college business rules defined to the Message Broker. For examples, student records when be added and/or deleted based on their status at the college.

The "Directory" holds the following information about each customer:

• Employee id
• Social security number
• Personnel type
• First name
• Last name
• Middle initial
• Suffix
• Agency
• Campus
• Department
• Email address
• Telephone number
• Fax number
• Pager number
• Building
• Room number
• Date record first created
• Date last modified
• Customer id
• Password
• Birth month/birth date/last four digits of social security number
• Authorization for email
• Authorization for SIS
• Authorization for VIVA
• Date email authorized, activated, expired and deleted
• Date SIS authorized, activated and deleted
• SIS classes
• SIS role
• SIS generic operator id
• PIN number
•  

White Pages

The VCCS requires a facility for identifying e-mail addresses and other pertinent information about students, faculty and staff. The white pages are accessible from any web browser and can be used to retrieve an individual's information. The white pages only include faculty, staff and students that have e-mail accounts. The white pages include customer information that is contained in the Directory. The white pages searches individuals by location code, personnel type and last name. It can also do wildcard searches on the last name of a customer. A successful search of the white pages displays the following information:

• Full name
• College
• Telephone number
• Email address

Customer Account Administrative Manager

Customer id
The VCCS Customer Account Administrative Manager (CAAM) is a web interface used by customers to create a customer id and/or email account. The customer id is required to access all VCCS system-wide application and services. Through the CAAM, the customer can create a customer id, password, change a customer id and change a password.

The information entered by the customer is passed from the web browser by the Message Broker and verified against information pre-entered in the "Directory". If all information is valid in the "Directory", the chosen customer id and password are passed from the web browser by the Message Broker and entered in the "Directory". The customer can now use the customer id and password to access VCCS Intranet services and applications.

Email
The CAAM is also used to allow students, faculty or staff to create an email account, change an email password, re-enable use of an expired account, create a new email password and delete their own email accounts on the appropriate college server.

The same validation information as above (from customer id) is needed to create an email account. If all information is valid in the "Directory", the Message Broker passes the email address and email password from the web browser to the Nplex E-mail Server of the appropriate college and an email account is established. The email address is also passed to the "Directory". The customer can now use the email address to access the VCCS email services.

Colleges electing to use e-mail packages other than the Nplex can also use these new services via the Message Broker. Each package will need to be reviewed in order to determine what custom developed interfaces may be required.

Directory Administrative Manager

The Directory Administrative Manager (DAM) is an application used to maintain information in the "Directory". The DAM allows updates and deletes to the "Directory". An authorized college representative can access a customer's information via the DAM.

To access a record in the "Directory", the college representative will enter the customer's employee id or social security number (or any other information to narrow down the search for the desired customer). The DAM will then display the record for that customer. The college representative can then update the values in the record or delete the record from the "Directory" table.

Student Information System (SIS)

The Virginia Community College System will utilize PeopleSoft's Student Administration System (SIS) to support all its unique information needs. SIS provides the functions of admissions, student records, financial aid, and student financials while supporting information "one-stop shopping" for all students.

A customer must enter SIS with a valid customer id (known as operator id in PeopleSoft) and a password. The customer uses the CAAM to request and maintain their unique customer id and password. When the customer requests to establish a customer id and password and the customer supplied information is verified against the VCCS Directory and automatically updates the appropriate PeopleSoft SIS security tables using the business rules defined in message broker.

The following represents a proposed set of basic rules to govern access and security for students, faculty and staff:

Students

1. Students will always access SIS using either the web interface or the IVR application.
2. The message broker, using information entered via selective PeopleSoft SIS panels, will extract information required to create a student record in the VCCS Directory.
3. All students will be granted student web access to SIS when admitted to a VCCS college.
4. The student web access process will determine the capability of the student to access SIS.
5. A student's security access to SIS will be removed if they are no longer actively enrolled or in admitted status at a college.

Faculty

1. Faculty will access SIS using either the web interface or in selected situations a windows-based client desktop.
2. The message broker, using new appointment information and the appropriate college business rules, will extract information required to place a faculty member in the VCCS Directory.
3. All faculty members will be granted faculty web access to SIS when they receive their appointment.
4. The message broker will remove a faculty member's access to SIS based upon contract termination dates.

Staff

1. Staff will access SIS using either the web interface or in selected situations a windows-based client desktop.
2. The message broker, using new appointment information entered via PMIS and the appropriate college business rule, will extract information required to place a staff member in the VCCS Directory.
3. The message broker will automatically remove a staff member's security access to SIS based upon termination date.

SIS Authentication and Security

The VCCS Authentication and Directory Services defined in this document will provide the automated authentication and security administration for the Student Information System. The reason for automating this service is to minimize the requirement for human involvement and to expedite the delivery of the required services.

All VCCS students, faculty and staff are automatically assigned a default SIS security class and a security role. The security classes and roles will be pre-defined, reviewed by the SIS Steering Committee and entered into the system by the VCCS Security Administrator. This will include the default definitions and those that define the appropriate SIS security levels for all VCCS customers. College administrators or their designee will be able to change the security level assigned to an individual by using the automated Directory Administrative Manager. The DAM will provide an easy "pull down" menu of valid options that can be assigned to an individual.

All customers are required to have a valid Customer ID and password to gain access to the SIS applications. This is the same information described above that is required to access all VCCS system-wide applications and services. Customers desiring access to SIS must supply this information using the Customer Account Administrative Manager prior to accessing the SIS application. Once the customer has successfully entered the required information they will have access to SIS functions defined for their assigned security level.

The customer will access the SIS application from the appropriate interface (web-browser or windows desktop) using the menus supplied with the PeopleSoft application. The actual authentication will be performed against PeopleSoft security tables that are maintained and updated using the automated application defined in this white paper. See the Student Information (SIS) Authentication/Security Model posted on the VCCS home page.

Assumptions:

1. The following information is required for every VCCS student, faculty, or staff:
   • Full name
   • Social security number
   • Birth date
2. All VCCS customers must have a unique customer id and password in order to access any VCCS applications or services. The customer id and password will be used to gain access to the SIS system. Colleges that provide email locally shall provide message broker interfaces to apply college customer ID rules in place of those generally available.
3. In normal circumstances there will be a ten-minute waiting period before the customer id and/or password can be used in SIS after creating or changing them using the web-based interface.
4. Security administration will provide a straw man version of the security class codes and roles for review and comment by the SIS Steering Committee.

---

Return to Projects