SECTION 5 - PART B-31

Access Management
Functional Requirements
i. These Access Management requirements primarily cover authentication, authorization,
access control and single sign-on for web-based applications, so that users can access
application resources, IN, VAS and content hosted on the streaming solution and the
Service Delivery Platform according to their roles.
ii. Access Management shall provide centralized authentication, authorization, access
control and single sign-on for users requesting access to various applications as per
their roles and policy.
iii. The Access Management software shall be integrated with the Identity Management
server for user provisioning.
iv. The Access Management solution shall sign the user in to all required applications
using a single set of authentication credentials (rather than one set for each
application).
v. Access Management shall have a mechanism for authentication and authorization of users
based on their roles to access hardware and application resources in the data center.
Authentication shall be based on a PKI mechanism as well as username and password,
with credentials transmitted only over an encrypted channel.
vi. Access Management shall be provided not only for users accessing the applications
from PCs but also from other devices such as PDAs, mobile phones etc.
vii. Access Management shall use an X.500- and LDAP-compliant directory system for
storing user data and other attributes.
viii. The solution shall adhere to standards for ease of integration with existing systems and
future IT investments. Native support for known industry standards, such as aznAPI,
JAAS, J2EE, LDAP, PKIX, X.509v3, Triple-DES encryption, SSL and WAP, is necessary.
ix. The solution shall be highly scalable to adapt to growth in users, applications and access
methods.
x. The solution shall support multiple methods of authentication, including:
a. Secure ID token and PIN functionality
b. Certificates with certificate revocation list (CRL) checking
c. Custom HTTP header
d. Wireless devices
e. Pluggable authentication for unique authentication requirements, such as
biometrics
f. Single sign-on (SSO) capabilities for both single domain and cross domain
g. Federated identity capability. It should support SAML protocol
h. Automatic assignment of unique universal identifiers to users, avoiding error-prone manual settings.
xi. The solution shall support the following authorization features:
a. Encryption of all transmitted data
b. Authentication and authorization in pure Java 2, JAAS and J2EE environments
c. Unauthenticated users and role-based authorization
d. Control of access to dynamic Web content
e. Time-based, day-of-week-based, location-based and group-based authorization
f. Ability to create access management rules without writing code.
g. Granularity, enabling a single template to assign different permissions to
different users and groups
h. Automatic replication of policy changes to security enforcement points
i. Dynamic roles
xii. The solution shall be able to secure any Web server running on any platform.
xiii. The solution shall enable components to run on all major operating systems, including
Microsoft Windows NT, Microsoft Windows 2000, IBM AIX, Sun Solaris, HP-UX and
Linux.
xiv. The solution shall provide comprehensive security for key Web products, including portal,
customer relationship management, enterprise resource planning etc.
xv. Integration and certification with security products (e.g., PKI, firewalls, identity
management and risk management) from the same and different vendors, in order to
easily construct an end-to-end security solution.
xvi. Integration with industry-leading Web application servers, such as WebSphere
Application Server and BEA WebLogic Server.
xvii. Support for the latest Web standards, such as Transport Layer Security (TLS), SOAP
transactions and Web Services Security.
xviii. The solution should provide a graphical user interface (GUI) for management.
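The authorization features listed under item xi (time-, day-of-week-, location- and group-based rules, unauthenticated users, dynamic roles, and rules defined without writing code) fit together in a small policy evaluator. The following is an added example written for this page; it is not code from the tender, BSNL or any vendor product. The rule fields, group names, sample paths and source networks are assumptions, and rules are plain data of the kind a management GUI would produce rather than code.

```python
"""Rule-based authorization evaluator: added example, not from the tender."""
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """One policy rule as data, the kind of object a management GUI emits."""
    resource: str                        # URL path prefix the rule covers
    effect: str = "allow"                # "allow" or "deny"; any matching deny wins
    groups: frozenset = frozenset()      # subject needs one of these; empty = any
    days: frozenset = frozenset()        # ISO weekdays 1=Mon..7=Sun; empty = any
    start_hour: int = 0                  # inclusive, policy-server local time
    end_hour: int = 24                   # exclusive
    networks: tuple = ()                 # allowed source CIDRs; empty = any


@dataclass
class Subject:
    user: str
    groups: frozenset = frozenset()      # static groups from the directory
    authenticated: bool = False
    attributes: dict = field(default_factory=dict)


def effective_groups(subject):
    """Static groups plus roles computed at request time (dynamic roles)."""
    if not subject.authenticated:
        return frozenset({"anonymous"})   # unauthenticated users hold this role only
    groups = set(subject.groups) | {"authenticated"}
    # Dynamic role derived from how the session was authenticated; not stored anywhere.
    groups.add("mfa-verified" if subject.attributes.get("mfa") else "no-mfa")
    return frozenset(groups)


def rule_matches(rule, groups, resource, now, source_ip):
    """Every populated condition must hold; empty conditions match anything."""
    if not resource.startswith(rule.resource):
        return False
    if rule.groups and not (rule.groups & groups):
        return False
    if rule.days and now.isoweekday() not in rule.days:
        return False
    if not rule.start_hour <= now.hour < rule.end_hour:
        return False
    if rule.networks and not any(ip_address(source_ip) in ip_network(n) for n in rule.networks):
        return False
    return True


def evaluate(rules, subject, resource, now, source_ip):
    """Default deny, deny-overrides: one matching deny blocks regardless of allows."""
    groups = effective_groups(subject)
    decision = "deny"
    for rule in rules:
        if rule_matches(rule, groups, resource, now, source_ip):
            if rule.effect == "deny":
                return "deny"
            decision = "allow"
    return decision


# Constructed sample policy; the paths, group names and networks are assumptions.
WEEKDAYS = frozenset({1, 2, 3, 4, 5})
POLICY = (
    Rule("/public/"),                                   # anyone, including anonymous
    Rule("/vas/", groups=frozenset({"subscriber"})),
    Rule("/admin/", groups=frozenset({"noc"}), days=WEEKDAYS,
         start_hour=9, end_hour=18, networks=("10.0.0.0/8",)),
    Rule("/admin/", effect="deny", groups=frozenset({"no-mfa"})),          # admin needs MFA
    Rule("/admin/audit/", effect="deny", groups=frozenset({"contractor"})),
)

# Constructed timestamps used by the demonstration below.
TUESDAY_10AM = datetime(2024, 6, 11, 10, 0)
SATURDAY_10AM = datetime(2024, 6, 15, 10, 0)


def decide(subject, resource, now, source_ip, rules=POLICY):
    return evaluate(rules, subject, resource, now, source_ip)


if __name__ == "__main__":
    ops = Subject("ops1", frozenset({"noc"}), True, {"mfa": True})
    print(decide(ops, "/admin/home", TUESDAY_10AM, "10.1.2.3"))      # allow
    print(decide(ops, "/admin/home", SATURDAY_10AM, "10.1.2.3"))     # deny
```

Two design points matter more than the rule syntax: the evaluator defaults to deny when no rule matches, and a deny rule overrides any allow, so a later GUI edit that adds a broad allow cannot silently open a path a deny rule was meant to close. Replicating the `POLICY` tuple to every enforcement point (item xi.h) is a distribution problem outside this example.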
AAA Server
i. The AAA server provides Authentication, Authorization and Accounting services for
network users dialing into the network from various nodes via the Remote Access
Servers.
ii. The AAA server shall support standard RADIUS features. It shall be able to
interoperate with any RADIUS-compliant client.
iii. It shall support an internal embedded database as well as common RDBMS through
ODBC (Open Database Connectivity).
iv. It shall support LDAP (Lightweight Directory Access Protocol).
v. The AAA server shall support extension points for integration with third-party
products using custom scripts or a programming language such as C/C++.
vi. The AAA server shall be capable of tracking user sessions and enforcing session
limits on a per-user or per-group basis.
vii. The AAA server shall support interactive configuration. It shall also be possible to
automate configuration and integrate with the NMS/OSS system deployed in the
network.
viii. The AAA server shall support allocation of IP addresses to users from a shared
pool.
ix. The AAA server shall support a high availability architecture. AAA servers shall be
deployed in N+1 redundant mode such that if the primary AAA server fails, the
client shall switch over to the secondary server. The primary server shall
automatically replicate its configuration to the secondary server to keep the
data synchronized.
x. The AAA server shall be capable of creating and storing accounting records in a
single file or in multiple files.
xi. The AAA server shall maintain log files for all processes. It shall support an audit log
of all configuration changes and forwarding of logs to a syslog server.
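To make the RADIUS interoperability requirement (item ii) concrete, here is an added example of the RFC 2865 Access-Request / Access-Accept exchange between a NAS client and the AAA server: User-Password hiding with the shared secret, attribute encoding, and the Response Authenticator the client must check before trusting a reply. It is not from the tender or any AAA product; the shared secret, user table, identifiers and attribute set are constructed for the example.

```python
"""Minimal RFC 2865 RADIUS Access-Request/Accept exchange: added example."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE = 1, 2, 18
HEADER = struct.Struct("!BBH")   # code, identifier, length; 16-byte authenticator follows


def hide_password(password, secret, request_auth):
    """RFC 2865 s5.2: pad to a multiple of 16 bytes, then for each block
    c(i) = p(i) XOR MD5(secret + c(i-1)), with c(0) = Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def unhide_password(hidden, secret, request_auth):
    """Inverse of hide_password; the chain key for block i is MD5(secret + c(i-1))."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")   # strip the NUL padding added by the client


def attribute(atype, value):
    """Type-Length-Value attribute; length counts the 2 header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes((atype, len(value) + 2)) + value


def parse_attributes(body):
    attrs, i = {}, 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("bad attribute length")
        attrs[atype] = body[i + 2:i + alen]
        i += alen
    return attrs


def build_access_request(username, password, secret, ident, request_auth=None):
    """Client (NAS) side. Returns (packet, request_auth); the client keeps
    request_auth to validate the server's reply."""
    ra = request_auth or os.urandom(16)
    body = attribute(ATTR_USER_NAME, username)
    body += attribute(ATTR_USER_PASSWORD, hide_password(password, secret, ra))
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(body)) + ra + body, ra


def handle_access_request(packet, secret, users):
    """Server side: recover the password, check it, reply Accept or Reject.
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = HEADER.unpack_from(packet)
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("malformed Access-Request")
    request_auth = packet[4:20]
    attrs = parse_attributes(packet[20:])
    ok = False
    if ATTR_USER_NAME in attrs and ATTR_USER_PASSWORD in attrs:
        supplied = unhide_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
        expected = users.get(attrs[ATTR_USER_NAME])   # demo table; real servers compare a salted hash
        ok = expected is not None and hmac.compare_digest(supplied, expected)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    body = b"" if ok else attribute(ATTR_REPLY_MESSAGE, b"Authentication failed")
    header = HEADER.pack(reply_code, ident, 20 + len(body))
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def verify_response(response, request_auth, secret):
    """Client side: accept a reply only if its Response Authenticator matches."""
    if len(response) < 20 or HEADER.unpack_from(response)[2] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    secret, users = b"constructed-shared-secret", {b"alice": b"pa55word"}   # constructed demo data
    pkt, ra = build_access_request(b"alice", b"pa55word", secret, ident=7)
    reply = handle_access_request(pkt, secret, users)
    print("accept" if reply[0] == ACCESS_ACCEPT and verify_response(reply, ra, secret) else "reject")
```

The Response Authenticator check in `verify_response` is the part integrators most often skip: without it, anyone who can spoof a UDP datagram to the NAS can forge an Access-Accept. The password hiding is MD5-keyed XOR as RFC 2865 defines it, which is why RADIUS traffic between clients and the AAA server belongs on a protected management network with a long shared secret, not on an open link.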

Secured ID token system


i. Authentication should support a PASSCODE (the combination of a 4 to 9 character
numeric/alphanumeric PIN and a pseudorandom token code) generated using the AES algorithm.
ii. The hardware token should be tamper-proof and have no changeable parts.
iii. The solution should offer multiple form factors for One Time Passwords including
hardware tokens, software tokens (web browser toolbar/application/mobile phones/Windows
Mobile/Blackberry/Java ME/Symbian OS etc.) and USB tokens with OTP and digital
certificate support.
iv. BSNL would decide the usage of the form factors as derived from business requirements.
For lost tokens the system shall issue one-time passwords, not static passwords.
v. The system shall support a multi-tier architecture comprising an end-user authenticator,
a target application/device agent and an Authentication Server. It shall support
multiple failover servers and scale up to multiple replica servers.
vi. It shall support encrypted communication between the components, including between the
primary and failover servers, with the encryption key changing every few minutes.
vii. It shall support multiple platforms for the authentication server (such as Windows
2000/2003, Solaris 8 & 9, HP-UX 11i, AIX 5 etc.).
viii. The Authentication Server should be able to synchronize data with systems such as Active
Directory, Sun ONE Directory Server and Novell eDirectory.
ix. It shall support defining access based on time of day, day of week, group or user-defined access.
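The passcode scheme in items i and iv above (a PIN concatenated with a pseudorandom token code, and one-time emergency codes issued for a lost token instead of a static password) can be seen end to end in the following added example of the Authentication Server side. It is not from the tender or any token vendor. It substitutes HMAC-based TOTP (RFC 6238, with RFC 4226 truncation) for the AES token algorithm the tender names, because TOTP needs only the Python standard library; the server class, lockout threshold, drift window, user names and seeds are assumptions.

```python
"""Two-factor passcode server (PIN + time-based one-time code): added example."""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass, field


def hotp(seed, counter, digits=6):
    """RFC 4226 dynamic truncation of HMAC-SHA1(seed, counter) to a decimal code."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def hash_pin(pin, salt):
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000)


@dataclass
class TokenRecord:
    seed: bytes                     # per-token secret shared with the hardware/software token
    pin_len: int
    pin_salt: bytes
    pin_hash: bytes
    token_active: bool = True       # cleared when the token is reported lost
    last_counter: int = -1          # highest time-step already consumed (replay guard)
    failures: int = 0
    emergency_hashes: set = field(default_factory=set)   # hashes of unused one-time emergency codes


class AuthServer:
    STEP = 60          # token code changes every 60 s (assumed)
    DRIFT = 1          # accept one step of clock skew either side (assumed)
    MAX_FAILURES = 5   # lock the record after this many consecutive failures (assumed)

    def __init__(self):
        self.tokens = {}

    def enroll(self, user, seed, pin):
        if not (4 <= len(pin) <= 9 and pin.isalnum()):
            raise ValueError("PIN must be 4 to 9 alphanumeric characters")
        salt = secrets.token_bytes(16)
        self.tokens[user] = TokenRecord(seed, len(pin), salt, hash_pin(pin, salt))

    def report_lost(self, user, count=3):
        """Disable the token seed and hand out one-time emergency codes, never a static password."""
        rec = self.tokens[user]
        rec.token_active = False
        codes = [f"{secrets.randbelow(10 ** 8):08d}" for _ in range(count)]
        rec.emergency_hashes = {hashlib.sha256(c.encode()).digest() for c in codes}
        return codes

    def verify(self, user, passcode, now):
        """PASSCODE = PIN + code. Both must be right, each code is accepted once."""
        rec = self.tokens.get(user)
        if rec is None or rec.failures >= self.MAX_FAILURES:
            return False
        pin, code = passcode[:rec.pin_len], passcode[rec.pin_len:]
        pin_ok = hmac.compare_digest(hash_pin(pin, rec.pin_salt), rec.pin_hash)
        code_ok = False
        code_hash = hashlib.sha256(code.encode()).digest()
        if code_hash in rec.emergency_hashes:
            if pin_ok:
                rec.emergency_hashes.discard(code_hash)      # consumed on successful use
            code_ok = True
        elif rec.token_active:
            counter = now // self.STEP
            for c in range(counter - self.DRIFT, counter + self.DRIFT + 1):
                if c < 0 or c <= rec.last_counter:            # already used: one-time means once
                    continue
                if hmac.compare_digest(hotp(rec.seed, c).encode(), code.encode()):
                    if pin_ok:
                        rec.last_counter = c                  # consume this step only on success
                    code_ok = True
                    break
        if pin_ok and code_ok:
            rec.failures = 0
            return True
        rec.failures += 1
        return False


if __name__ == "__main__":
    srv = AuthServer()
    seed, now = bytes(range(20)), 1_700_000_000        # constructed seed and clock
    srv.enroll("alice", seed, "1234")
    print(srv.verify("alice", "1234" + hotp(seed, now // 60), now))   # True
    print(srv.verify("alice", "1234" + hotp(seed, now // 60), now))   # False: replayed code
```

Three behaviours are worth checking in any product offered against this section: a code that was already accepted is refused even inside the drift window; a correct code with a wrong PIN does not consume the code but does count toward lockout; and after a lost-token report the original seed is dead while each emergency code works exactly once.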