This article describes the external connections that Lotus Mobile Connect depends on: the configuration store, authentication, the active session table (AST), and accounting.
- Configuration store. Accessed at system start-up, on dynamic configuration changes, and to store pseudo-records used for Lotus Mobile Connect-specific user information, such as failed log-in attempts or other user-related configuration items. Connections to the configuration store database are persisted and can be dropped if the maximum idle time for external connections is not zero. This database (whether LDAP or SQL) should be part of a monitoring and backup scheme specific to the software being used. If the Connection Manager has difficulty accessing the configuration store, error- or warn-level log messages are generated. If SNMP trap generation is enabled, traps are generated and sent to the network management station. Problems accessing this datastore can lead to failed access attempts by clients.
- Authentication. Authentication comes in two forms: a primary authentication (if enabled) that requires access to the configuration store (or a separate LDAP V3-compliant user store, if configured), and a secondary authentication protocol such as LDAP BIND (used by the integrated login GINA), RADIUS/SECUREID, or X.509 certificate processing. Each method has its own external connection dependencies that can require monitoring and recovery procedures. All connection-related failures, authentication failures and reason codes, and statistics are logged, and SNMP traps are generated where appropriate. If the Connection Manager detects abnormal response times from external authentication servers, warning messages and traps are generated.
- Active session table (AST). The AST uses an external SQL database as its storage mechanism. This database can be separate from the configuration store or exist as a separate table in the same database. AST records are inserted after authentication and deleted at log-out time. This database does not need to be backed up. Failure to access the AST does not affect client log-in capabilities, but can limit some functions, such as roaming, when configured in cluster mode. All access failures are logged and SNMP traps are generated.
- Accounting. The accounting database stores records of various events generated by VPN sessions, such as log-in, log-out, roam, and session statistics. This information can be useful for generating usage reports and for tracking client version and operating system usage. The SQL table information is available in the
Accounting levels are associated with the mobile network interface resources defined for a given Connection Manager. The following accounting option would be useful for the Exelon architecture:
Session. The session level of accounting enables record generation for all session-related events, including login, logout, failedlogin, roam, and keyrotation. The wg_acct command-line utility can be used to query and format data extracted from the accounting database. The SQL record formats are detailed in the Administrator's Guide, Appendix B, if more elaborate report-generation tools are needed. The IBM CIO built an extensive interface based on BRIO that might be of interest
Additional levels include NAT, SMS, and IP Packet level accounting.
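As an added example (not code from the product or its documentation), the kind of usage report and failed-login check that session-level accounting records support. The record layout is a constructed flat form of the fields this article names (event, user, session, client version, operating system); the actual SQL record formats are those in Appendix B, so the field order here is an assumption.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed session-level accounting records in a hypothetical flat layout
# (the real SQL record formats are in Appendix B of the Administrator's Guide):
# timestamp, event, user, session id, client version, client operating system.
SAMPLE_RECORDS = [
    ("2024-03-01 08:00:00", "login",       "alice", "s1", "6.1.5", "Windows XP"),
    ("2024-03-01 08:05:10", "roam",        "alice", "s1", "6.1.5", "Windows XP"),
    ("2024-03-01 08:30:00", "keyrotation", "alice", "s1", "6.1.5", "Windows XP"),
    ("2024-03-01 09:00:00", "logout",      "alice", "s1", "6.1.5", "Windows XP"),
    ("2024-03-01 08:01:00", "failedlogin", "bob",   "",   "6.1.3", "Windows XP"),
    ("2024-03-01 08:01:20", "failedlogin", "bob",   "",   "6.1.3", "Windows XP"),
    ("2024-03-01 08:01:45", "failedlogin", "bob",   "",   "6.1.3", "Windows XP"),
    ("2024-03-01 08:02:00", "failedlogin", "bob",   "",   "6.1.3", "Windows XP"),
    ("2024-03-01 10:00:00", "login",       "carol", "s2", "6.1.5", "Windows Mobile"),
]

def parse(records):
    """Turn the textual timestamp into a datetime and order records by time."""
    return sorted(((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ev, user, sid, ver, os_)
                   for ts, ev, user, sid, ver, os_ in records), key=lambda r: r[0])

def usage_report(records):
    """Event counts, plus client version / OS usage taken from login records."""
    rows = parse(records)
    events = Counter(ev for _, ev, *rest in rows)
    platforms = Counter((ver, os_) for _, ev, _, _, ver, os_ in rows if ev == "login")
    return events, platforms

def open_sessions(records):
    """Session ids with a login record but no matching logout record."""
    rows = parse(records)
    logged_in = {sid for _, ev, _, sid, *rest in rows if ev == "login"}
    logged_out = {sid for _, ev, _, sid, *rest in rows if ev == "logout"}
    return sorted(logged_in - logged_out)

def failed_login_bursts(records, threshold=3, window=timedelta(minutes=5)):
    """Users with at least `threshold` failedlogin records inside one window."""
    by_user = defaultdict(list)
    for ts, ev, user, *rest in parse(records):
        if ev == "failedlogin":
            by_user[user].append(ts)
    flagged = {}
    for user, stamps in by_user.items():
        peak = max(sum(1 for t in stamps[i:] if t - start <= window)
                   for i, start in enumerate(stamps))
        if peak >= threshold:
            flagged[user] = peak
    return flagged
```

Open sessions from this report should be reconciled against the AST rather than treated as errors on their own, since a session that is still live also has no logout record yet.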