UNISYS -- THE LEADER IN X.500 TECHNOLOGY

After nearly ten years of development, the International Telecommunication Union (ITU) X.500 global directory specification is poised to provide one of the key integrating technologies required for today's enterprise networks. X.500 initially attracted commercial and government organizations as a way to simplify communications between heterogeneous electronic mail systems; corporations now see it as a solution for integrating all corporate information, and as a way to enhance and expand electronic commerce.

Unisys has built a family of commercial-grade products implementing the 1993 ITU X.500 Directory Services standard, including full DISP replication and access controls, and is offering them for major commercial platforms, including HP, Sun and Windows NT. These object-oriented, native implementations are the only X.500 products on the market to utilize the most popular commercial database technology -- Oracle, Informix and SQL Server -- for unsurpassed scalability and ease of integration with existing corporate databases.

The Unisys commitment to interoperability, as evidenced through its long-standing presence in the government open systems market and its close relationship with a broad range of government agencies, has enabled Unisys to take the lead in providing new levels of performance and support for X.500 solutions.

The Market for X.500 Products

As corporations, government agencies and other large organizations continue to integrate local-area networks throughout their enterprises, small, independent, homogeneous systems now are becoming parts of much larger, interdependent, heterogeneous systems. As a result, proprietary directory services, once limited to discrete domains, must now be integrated and synchronized as network managers attempt to integrate message-based applications across their enterprises.

X.500 Directory Services are emerging as a key component in addressing this need. Besides linking proprietary email directories, however, the global access, local administration and controlled access capabilities of X.500 are gaining favor as a way to better manage all the resources across a network, to implement forms-based and work group applications, and to enhance an organization's electronic commerce.

According to researchers at the Radicati Group, the market for X.500 products is expected to grow from $___ million in 1995 to nearly $_____ million by 199__.

Finding the Right Number

When telephones were first installed, it was possible simply to pick up the receiver and tell the operator to connect you to Fred Teller at the National Bank on Main Street. The introduction of dialing technology greatly improved communication, making it faster and easier to use the phone, but it also created a problem: You had to know the party's phone number before you could call them. Thus the need for telephone directory services.

Using the phone company's directory services was simple: provide the name of the party, and perhaps their address, to the operator who retrieved the corresponding phone number. You could also look up the number yourself in the printed phone book.

But as local phone services grew and were tied together over wider areas, directory services began to show their limitations. To find someone's number now, you have to know not only their name, but also their city or location, and you have to call directory assistance in that location. There is no single directory service number covering all locations. It is more difficult to resolve the correct number when there are multiple listings under the same name. The information in a printed phone directory can be as much as a year old, and the phone company's internal directory can be as much as two weeks out of date. Finally, while businesses can include additional information in a Yellow Pages listing, that extra information is not available through directory assistance.

The Problem with Proprietary Directories

Users of computer networks today face similar problems. Communication within small departmental or divisional local-area networks, or within the same email service such as MCI Mail, is relatively easy. A local directory of users makes it easy to look up anyone's email address. In many cases, the LAN administrator has set up aliases for the actual email addresses, making it possible to send email addressed just to "Fred," and it is relatively easy to distinguish between two Freds. Private email services like MCI Mail also provide a directory to help users find email addresses.

But as organizations begin to link discrete LANs in their branch offices into wide-area enterprise internetworks, sending email between these systems becomes much more difficult. The directory for one email system still cannot access the contents of the directories of the other email systems, and so the user of one email system cannot directly access information in another email system's directory. There is no single directory containing information from all the proprietary directories. Consequently, network managers must duplicate each directory's contents in all other directories, and periodically update them. This situation is so widespread and so inefficient, it has spawned an entire email integration industry to address this problem.

Unisys X.500 Technology -- In a Class by Itself

Among world-class vendors, Unisys has been providing commercial-grade X.500 technology longer than any other company. Today, that experience has culminated in the Unisys TransIT 500 family of products, the only commercial-grade implementations of the ITU 1993 X.500 directory standards, including replication, extensible schemas and access control. Available on the most popular commercial platforms in use today, and as portable source code for other platforms, Unisys TransIT 500 products are designed for performance, scalability, conformance and interoperability for enterprise-wide use.

The TransIT 500 family includes the transport-independent TransIT 500 Directory Services, an ITU 1993 X.500 directory system agent; the TransIT 500 Browser, a graphical, Windows-based directory user agent; TransIT Graphical Administration, the first Windows-based directory manager; and TransIT Connect, which provides transport integration services over TCP/IP (RFC 1006) and OSI.

TransIT 500 Directory Services

The Unisys TransIT 500 DSA includes many features required by today's enterprise for global access and mission-critical applications. In addition to conforming to the 1993 ITU X.500 Directory Services and ISO 9594 standards, the TransIT 500 DSA offers unprecedented scalability, supports all popular industry-standard APIs and interfaces (DAP, LDAP, DSP, DISP, XDS, XOM, XAP, and the T.61 character set), and has been tested for interoperability with DSAs from other world-class vendors. It provides full 1993 replication services, including full DISP support (primary and secondary shadowing), and absolute, default and entry-specific access control. TransIT 500's multithreaded, multitasking implementation easily handles synchronous and asynchronous operation requests from DUAs and other DSAs.

TransIT 500 Directory Services is the only DSA to integrate the X.500 directory model with relational database technology, a technological feat many believed was impossible. Currently available utilizing Oracle and Informix RDBMS engines on Unix platforms and SQL Server on Windows NT platforms, TransIT 500 Directory Services is easily integrated with corporate databases through the Unisys automated data import facility.

TransIT 500 Directory Services is an object-oriented, native implementation written in C++ and is available for HP 9000 systems running HP-UX, Sun Solaris-based systems, including the Unisys SMP 5400 multiprocessor system, Windows NT-based systems and Unisys 6000 Series Unix systems. It is also available as a source code product for porting to other platforms.

TransIT Graphical Administrator

TransIT Graphical Administrator is the first fully graphical X.500 directory management tool. It is designed to assist administrators in all directory administration, maintenance and security functions, including knowledge information, schema management, replication agreements and security. Multiple DSAs can be managed simultaneously, and changes can be propagated across DSAs.

TransIT 500 Browser

The TransIT 500 Browser is a powerful Windows-based information retrieval tool designed to make navigating directories as simple as possible. The graphical interface is tailored for detailed or simple searching, multiple browser windows can be opened simultaneously, and the browser can access multiple DSAs. Icons mapped to specific object classes enhance ease of use, and sophisticated searching tools and filters offer greater flexibility for data retrieval.

The TransIT 500 Browser provides two interfaces to the directory: a graphical, split-screen browser interface for detailed directory searches and retrieval, and a directory lookup interface for extra ease of use for simple lookups. The browser interface features a graphical depiction of the directory tree, much like Windows File Manager, and supports both simple and advanced searching capabilities, search and read configuration, the use of filters and other advanced tools. The directory lookup interface provides a directory drop-down box for quick lookups. Through the use of search filters and sort specifications, results are displayed in graphical tables.

The TransIT 500 Browser offers a number of sophisticated searching tools, including scope specification, synchronous and asynchronous searches, and a variety of searches on types and values. A graphical filter-build dialog window makes the creation of filters and sub-filters quick and easy. Controls include Boolean and arithmetic operators, and filters can be saved for later retrieval.

TransIT Connect

TransIT Connect provides the network services required to support applications wishing to communicate over TCP/IP or OSI networks. Through its use of industry-standard APIs and protocols, TransIT Connect allows these applications to be written independently of the underlying transport. As a result, the Unisys TransIT family of products as well as third-party software supporting the XAP interface can use TransIT Connect's ACSE (XAP) or Rose (XAP-Rose) APIs to communicate over TCP/IP and OSI networks.

Standardizing Directory Services

As an ITU specification, X.500 defines a set of standard services and communication protocols that allow the creation of "one-stop shop" global directories. X.500 also defines a directory structure that enables information to be easily distributed across a network and independent of the underlying method of storing information, usually some form of database. But to the user, all the information appears to reside in one large directory. As a result, X.500 is an attractive, standardized way to develop very effective enterprise directory services.

X.500's major benefits are:

Although prompted by the specific need for email directory services across heterogeneous systems, a lot of experimentation with other uses currently is underway, and X.500 has already proven itself in many applications requiring object and location association. Network managers are using X.500 directories to store information about their network hardware and software, including location, specifications, network ID, service history, version numbers, patches, etc. X.500 directories can give network users location independence by enabling them to log onto the network from any workstation, not just one connected to their local server. And X.500 directories can enhance the use of electronic data interchange (EDI) for electronic commerce applications by allowing companies to access product information they need from their vendors to complete electronic invoices while providing a way for the vendor to restrict access to confidential information.

X.500 Components

An X.500 directory is made up of collections of entries. Each of these collections of entries -- people, hardware, software, etc. -- is called an object class, and each object class has clearly defined attributes, some of which are mandatory and some of which are optional. Each entry contains information about one object, such as a person, printer or dictionary, and is built from a collection of attributes, each of which holds a single piece of information about the object. Some attributes used to build an entry for a person, for example, might be "last name," "first name," "phone number" and "email address." In addition, each attribute contains only the type of information defined for it (such as text or numbers).

Entries are arranged hierarchically in a tree-like structure, the directory information tree (DIT). The top of the structure is called the root, which branches out into countries, then into organizations and finally into people. Entries are found by navigating through the directory information tree. This structure also allows each entry in the directory to have a unique name, based on its location in the directory tree, that combines the names of all the objects above it along the path back to the root.

The DIT, and all the entries it contains, may be physically divided and distributed across the network on several computers in multiple locations. Each portion of the DIT is stored in a database at each location, and each database is controlled by a directory system agent (DSA) server. The DSA implements the X.500 interfaces and protocols to provide standardized access to the information not only in the local database, but in the databases controlled by all the other DSAs that comprise the DIT.

Users or applications access the information stored in the databases by using a directory user agent (DUA) client application to send requests to a nearby DSA in a client-server arrangement. A request may be for a single entry or a group of entries meeting specific criteria such as "all members of the sales department in Cleveland." After receiving a request, the DSA searches for the desired information in its own database, communicating with other DSAs across the network to search their databases, if necessary, until the information is located and returned to the user, or it is determined that there is no information matching the request. In this manner, a DUA connection to a single DSA gives the user (or application) transparent access to the entire directory tree, and the user perceives the entire directory to be accessible from the local workstation.
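
The components described above, as an added example that is not Unisys code and not an implementation of the X.500 protocols: a simplified in-memory model of object classes with mandatory and optional attributes, names built from the path back to the root, and a DIT split across two DSAs that forward requests to each other. The organization, DSA names, attribute names and entries are all constructed for illustration.

```python
# Constructed schema: object class -> (mandatory attributes, optional attributes)
SCHEMA = {
    "person": ({"lastName", "firstName"}, {"phone", "email", "department"}),
    "printer": ({"model"}, {"location"}),
}
ORG = (("c", "US"), ("o", "Example Corp"))  # constructed path from the root

def dn_string(dn):
    """Render a name (sequence of (type, value) pairs, root first) as text."""
    return ", ".join(f"{t}={v}" for t, v in dn)

class DSA:
    """One server holding the portion of the DIT that sits below `prefix`."""
    def __init__(self, name, prefix):
        self.name, self.prefix = name, tuple(prefix)
        self.entries, self.peers = {}, []

    def add(self, rdns, object_class, **attrs):
        dn = self.prefix + tuple(rdns)          # unique name = path from root
        mandatory, optional = SCHEMA[object_class]
        missing = mandatory - set(attrs)
        unknown = set(attrs) - mandatory - optional
        if missing or unknown:
            raise ValueError(f"schema: missing={sorted(missing)} unknown={sorted(unknown)}")
        self.entries[dn] = {"objectClass": object_class, **attrs}
        return dn

    def search(self, base, predicate, _seen=None):
        """Return {dn: entry} below `base`, asking peer DSAs for their portions."""
        seen = _seen if _seen is not None else set()
        seen.add(self.name)                     # prevents forwarding loops
        base = tuple(base)
        hits = {dn: e for dn, e in self.entries.items()
                if dn[:len(base)] == base and predicate(e)}
        for peer in self.peers:
            if peer.name not in seen:
                hits.update(peer.search(base, predicate, seen))
        return hits

def build_directory():
    # Constructed sample data: two DSAs, each holding one location's entries.
    cle = DSA("dsa-cleveland", ORG + (("ou", "Cleveland"),))
    dal = DSA("dsa-dallas", ORG + (("ou", "Dallas"),))
    cle.peers, dal.peers = [dal], [cle]
    cle.add([("cn", "Fred Teller")], "person", lastName="Teller", firstName="Fred", department="Sales")
    cle.add([("cn", "Ann Lee")], "person", lastName="Lee", firstName="Ann", department="Finance")
    dal.add([("cn", "Fred Teller")], "person", lastName="Teller", firstName="Fred", department="Sales")
    return cle, dal

def sales_in_cleveland(local_dsa):
    """The page's sample request, sent by a DUA to whichever DSA is nearby."""
    base = ORG + (("ou", "Cleveland"),)
    hits = local_dsa.search(base, lambda e: e.get("department") == "Sales")
    return sorted(dn_string(dn) for dn in hits)
```

The request returns the same entry whether it is sent to the Cleveland or the Dallas DSA, and the two entries named "Fred Teller" remain distinct because their full names differ in the location component.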

Ongoing Development

The development of the X.500 standard is ongoing, having already experienced three stages of evolution. The original standard was published in 1988, and described the basic elements of a global directory. There were some important technical gaps in the 1988 standard, however, particularly in the critical area of directory information access and control.

In 1990, programmers at the University College of London developed an implementation of the 1988 standard called QUIPU. QUIPU was notable because it went beyond the functionality of the 1988 standard to include a proprietary form of access control and a method of replicating on a local DSA information frequently accessed on a remote DSA. Replication was an important development because it not only improved performance by limiting network transport overhead, but also provided a degree of redundancy throughout the network.

Not Ready for the Enterprise

QUIPU was distributed over the Internet free of charge, and many organizations have experimented with it. But as with most public-domain software, QUIPU was poorly supported and buggy, and development of the software took many paths. The access control and replication offered by QUIPU were not part of the 1988 standard, and interoperability between various flavors of QUIPU was limited. Neither commercial organizations nor government agencies were particularly interested in widespread QUIPU implementation because of the huge development investment it required to become viable for building global directories.

A spin-off organization, the ISODE consortium, was formed to address some of these issues. While their development efforts resulted in improved code, support for commercial implementations was still lacking, the cost of implementation was still too high and commercial users were not satisfied with the pace of updates and feature improvements.

Taking X.500 to the Enterprise

In 1993, the ITU formalized the standards for replication, schema management and access control, greatly improving the prospects for interoperability, all requirements of commercial users of the technology. In order for X.500 technology to achieve wide acceptance in the commercial marketplace, however, X.500 implementations and the solution vendors providing them will have to meet the expectations of MIS professionals not only for commercial-grade software, but also for world-class vendor support. Both items are critical given most organizations' current lack of experience implementing X.500 systems.

Unisys

TransIT X.500 directory services from Unisys set new standards for addressing the needs of the commercial X.500 market. Unisys offers organizations the commercial-grade software, standards conformance, scalability, interoperability and world-class vendor support they have come to expect for their mission-critical systems. Combined with the systems integration expertise Unisys is known for, the TransIT 500 family of products enables new levels of integration and performance in electronic messaging, including email, directory synchronization, workflow, EDI, address book, enterprise-wide security, network and resource management and other applications requiring a flexible and extensible directory facility.

X.500 technology is just the latest addition to the Unisys family of enterprise client-server products, part of its comprehensive enterprise client-server strategy that encompasses PCs, mid-range and enterprise servers, multiple operating systems, interoperability and integration products and systems management solutions, all under an umbrella of world-class global support and services. Together these products and services uniquely position Unisys to help organizations expand beyond their departmental LANs to enterprise-wide client-server networks.

Unisys Corporation is a leading information management company with over 60,000 customers in more than 100 countries. The company is a major supplier of information services and technology to financial services, government, communications, transportation, health information management and other commercial markets.

# # #