Community Sharing|Bosch Auto Parts uses JumpServer to manage large-scale assets and achieve high concurrent access

Editor's Note: At the "2021 JumpServer Open Source Bastion Host City Meeting (Suzhou Station)" event held on November 20, 2021, Bosch Auto Parts (Suzhou) Co., Ltd. gave a keynote speech entitled "Bosch Automotive JumpServer Practice Sharing". The following content is organized from that speech.

Bosch is one of the world's largest automotive technology suppliers with subsidiaries and branches in more than 50 countries around the world. Bosch Auto Parts (Suzhou) Co., Ltd. (hereinafter referred to as Bosch Auto Parts) was established in 1999 and is a wholly-owned subsidiary of Bosch Group in China. It consists of four business divisions: Automotive Electronics Division, Chassis Control Division, Automotive Multimedia Division and Equipment Manufacturing Division.

Bosch Group adheres to the concept of "rooted in the local, serving the local", is deeply integrated into the development of China's economy, and grows together with the Chinese market. Since 2017, Bosch's business in China has developed rapidly and its sales have grown significantly, reaching a sales scale of 100 billion.

Security operation and maintenance pain points

The rapid development of the business has brought many problems and challenges to the daily operation and maintenance management of Bosch Auto Parts, which can be briefly summarized as follows:

■  Rapid expansion of IT assets

Bosch Auto Parts has several medium-sized data centers in Suzhou with more than 1,000 computing nodes, so its IT infrastructure is relatively large in scale and relatively scattered. Since 2016, Bosch Auto Parts has been in the stage of digital transformation. In addition, the business has grown rapidly, and the scale of IT assets has been expanding exponentially every year, which has led to many bottlenecks in operation management and permission allocation. Therefore, the company needs a bastion host product that can effectively and uniformly manage and control distributed assets and adapt to large-scale asset growth;

■  The original bastion host system cannot meet current needs

The original bastion host system of Bosch Auto Parts, WTS, was designed specifically for the IT department, mainly for the assignment of administrator rights. After the digital transformation, the company's organizational structure changed, and each user department now has positions such as product managers, project managers, and technical team leaders, all of whom have IT backgrounds. In response to this transformation, some server resources, access rights, and application rights have to be allocated to the various business departments. The original bastion host system cannot undertake these functions, cannot meet the actual needs of users, and its usability is greatly reduced;

■  User misoperation is difficult to manage, and user behavior needs to be traceable

Every year, the company encounters failures such as server downtime caused by the misoperation of some users. These failures directly affect the business and may cause economic losses. Therefore, the traceability of user behavior is also a problem that the company urgently needs to solve.

Bastion host selection criteria

Based on the above pain points, after internal discussions, Bosch Auto Parts hoped that the new bastion host system could provide the following core functions:

1. Multi-system Web Remote Terminal

The original bastion host system does not have a unified web interface for management. The company hoped that the new bastion host system would allow unified platform management through the Web and support the common protocols, including Remote Desktop Protocol (RDP), SSH, etc. In terms of databases, the company currently uses Oracle and SQL Server, and hoped that the new bastion host system could support multiple database systems; it also needed to integrate FTP/SFTP file access rights. In addition, in the past two years Bosch Auto Parts has begun to use a hybrid cloud architecture and deploy IT assets in a multi-cloud environment, such as VMware, Azure, AWS, etc., so it was expected that the new bastion host system could also support cloud management platform functions;

2. User behavior traceability

The company's original WTS bastion host has no user behavior traceability function. It was hoped that the new bastion host system could track user behavior and record what users do on the server. In this way, once a fault occurs, it can be checked promptly to confirm whether the fault was caused by user behavior or by server configuration or performance, effectively preventing the same problem from recurring. In addition, for users who do not know much about the business background, it was hoped that the new bastion host could support command filtering and dangerous command alarm functions, to prevent user misoperation from adversely affecting system operation;

3. Account Management

Since the company is relatively large and has many departments, it was hoped that a mature organizational management structure could be combined with Windows domain authentication to realize a multi-level organizational management system, including unified AD account login, multi-level AD permission management, etc.;

4. High availability

The company usually has little time for system maintenance, and the available maintenance windows are scattered. Therefore, it was hoped that the new bastion host system would be highly available, simple to expand, easy to maintain, and easy to operate, so that all relevant personnel could get started quickly.

Based on these specific needs, after a series of market evaluations, Bosch Auto Parts also looked at many open source projects. It later found JumpServer and concluded that it is a simple and practical bastion host product that meets its actual needs.
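The command filtering and dangerous command alarm requirement from the selection criteria above is easiest to understand with a concrete model. The following Python is an added illustration, not JumpServer's own code or Bosch's configuration: it assumes a simplified rule model (a regex, an action of deny/alert/allow, and a priority), splits chained commands so that a dangerous segment hidden behind `;`, `&&` or `|` is still evaluated, strips `sudo`/`nohup`/path prefixes before matching, and writes every decision to an audit trail so that a later fault can be traced back to the session that issued the command. The rule set and the session values are constructed for the demonstration.

```python
"""Simplified bastion-style command filter with audit logging.

Illustrative example only: the rule model is an assumption, not JumpServer's
implementation. Each command line is split into segments, each segment is
normalized and matched against prioritized rules, and the strictest decision
across all segments wins (deny > alert > allow).
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: str   # regex applied to each normalized command segment
    action: str    # "deny" (block), "alert" (allow but raise an alarm), "allow"
    priority: int  # lower value wins when several rules match one segment


@dataclass(frozen=True)
class Decision:
    command: str            # the full command line as typed
    action: str             # strictest action across all segments
    rule: Optional[str]     # name of the matching rule, None if no rule matched
    segment: str            # the normalized segment that produced the decision


# Constructed rule set for the demonstration; a real deployment tunes its own.
RULES: List[Rule] = [
    Rule("allow-readonly-list", r"^(ls|cat|tail|head|grep)\b", "allow", 10),
    Rule("deny-rm-root", r"^rm\s+(-\S+\s+)*(/|/\*)(\s|$)", "deny", 20),
    Rule("deny-shutdown", r"^(shutdown|reboot|halt|poweroff|init\s+[06])\b", "deny", 20),
    Rule("deny-mkfs-dd", r"^(mkfs(\.\w+)?|dd)\b", "deny", 20),
    Rule("alert-rm-recursive", r"^rm\s+(-\S*[rR]\S*\s+)", "alert", 30),
    Rule("alert-chmod-777", r"^chmod\s+(-\S+\s+)*[0-7]?777\b", "alert", 30),
]

SEVERITY = {"deny": 0, "alert": 1, "allow": 2}          # lower is stricter
SPLIT_RE = re.compile(r"\s*(?:;|&&|\|\||\|)\s*")         # command chain separators
PREFIX_RE = re.compile(r"^(?:sudo\s+(?:-\S+\s+)*|nohup\s+|time\s+)+")

AUDIT_LOG: List[dict] = []   # constructed in-memory trail; a real system persists it


def normalize(segment: str) -> str:
    """Collapse whitespace, drop sudo/nohup/time prefixes, and strip the
    directory from the program name so /bin/rm and rm match the same rules."""
    text = " ".join(segment.strip().split())
    text = PREFIX_RE.sub("", text)
    parts = text.split(" ", 1)
    if parts and "/" in parts[0]:
        parts[0] = parts[0].rsplit("/", 1)[-1]
    return " ".join(parts)


def evaluate(command: str, rules: List[Rule] = RULES) -> Decision:
    """Return the strictest decision over all segments of a command line."""
    ordered = sorted(rules, key=lambda r: r.priority)
    decisions: List[Decision] = []
    for raw in SPLIT_RE.split(command):
        seg = normalize(raw)
        if not seg:
            continue
        matched = next((r for r in ordered if re.search(r.pattern, seg)), None)
        decisions.append(Decision(
            command,
            matched.action if matched else "allow",
            matched.name if matched else None,
            seg,
        ))
    if not decisions:
        return Decision(command, "allow", None, "")
    return min(decisions, key=lambda d: SEVERITY[d.action])


def audit(user: str, session_id: str, command: str) -> Decision:
    """Evaluate a command, record the decision for traceability, and raise an
    alarm line for 'alert' decisions. The caller blocks on 'deny'."""
    decision = evaluate(command)
    AUDIT_LOG.append({
        "user": user, "session": session_id, "command": command,
        "action": decision.action, "rule": decision.rule,
    })
    if decision.action == "alert":
        print(f"ALERT user={user} session={session_id} "
              f"rule={decision.rule} cmd={command!r}")
    return decision


if __name__ == "__main__":
    # Constructed session: one operator issuing a few commands.
    for cmd in ["ls -la /var/log",
                "cat /etc/hosts; rm -rf /",
                "sudo /bin/rm -rf /data/tmp",
                "nohup dd if=/dev/zero of=/dev/sda"]:
        d = audit("alice", "sess-0001", cmd)
        print(f"{d.action:5s} {d.rule or '-':22s} {cmd}")
```

The chain splitting is the part worth copying: a filter that only inspects the first word of a line would pass `cat /etc/hosts; rm -rf /` as a harmless read, while this one evaluates every segment and applies the strictest result. The audit trail gives the traceability the text asks for, since each record ties the command to the user and session that issued it.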

JumpServer Architecture Design

In the early stage, Bosch Auto Parts conducted a series of internal tests on JumpServer and found that its core functions met their specific needs, so they went live quickly, deploying JumpServer in the production environment within a week.

Bosch Auto Parts designed the JumpServer deployment architecture according to the needs of the production environment: the Web Server and the DB Server are separated, two virtual IPs serve as the front end, and high availability is implemented with Keepalived. If one of the services has a problem, the system switches over automatically within 5 seconds. At the same time, the system allows 100 users to access it concurrently and supports 1,500 IT assets overall. A subsequent series of stress tests and performance tests confirmed that JumpServer fully met the company's actual requirements.

In addition, the RemoteApp function of JumpServer effectively plays the role of a remote session. Users can access the application directly through JumpServer without any support from the local environment. The company has also tested and deployed functions such as Windows Server remote login, Linux Server remote login, Oracle DB remote login, and MariaDB remote login in its internal test environment. After using it as a whole, one can feel that JumpServer's access support for remote operating systems is very good.

[Figure: Bosch Auto Parts JumpServer Deployment Architecture Design]

JumpServer Feature Highlights

After putting JumpServer into practical use, Bosch Auto Parts found three functions among the many available that stand out and have greatly improved the efficiency of its IT system operation and maintenance:

■  Password change plan

JumpServer provides a batch password change function that can periodically change the system user passwords on assets. When the WTS system was used in the past, the approval department needed to regularly audit assets, change asset passwords, and inventory IT assets, and different businesses needed different password policies. This work was usually carried out every 6 months and was very cumbersome. Now, changing passwords through a unified platform such as JumpServer saves a lot of time, which is very practical for the company;

■  RemoteApp remote applications

Users can access remote applications through JumpServer in a self-service manner, either through the client or through the Web, without installing the related applications in the local environment. When accessing an application, users do not even need to enter a user name and password; they only need to pass JumpServer's user authentication to connect. Of course, there are still some small limitations in this part of the functionality, and I look forward to seeing more complete RemoteApp functions in the future;

■  Work order management

Before using JumpServer, the company used the PAM system to approve the permission requests of each user department, which was very time-consuming and labor-intensive. Now, through work order management in JumpServer, including authorization work order applications, the company has implemented a first-level and second-level approval process, and users can apply in a self-service manner for the assets or applications they need to access. After the approver approves the request, the asset or application is authorized to the corresponding user. This is very fast and convenient to use, greatly reduces the time cost of IT system operation and maintenance, and improves work efficiency.
