GettingToKnow OID v2
8/13/2019 GettingToKnow OID v2
1/42
Oracle Internet Directory 11g
Oracle Directory Integration Platform 11g
Oracle Authentication Services for OS 11g
Olaf Stullich
Product Manager
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
Agenda
Overview
Architecture
Future Roadmap
Demo
Q&A
Oracle Fusion Middleware
Oracle Identity Management: Oracle + Sun Combination
Oracle Platform Security Services
Access Management*: Access Manager, Adaptive Access Manager, Enterprise Single Sign-On, Identity Federation, Entitlements Server
Identity Administration: Identity Manager
Directory Services: Directory Server EE, Internet Directory, Virtual Directory
Identity & Access Governance: Identity Analytics
Operational Manageability: Management Pack for Identity Management
*Access Management includes Oracle OpenSSO STS and Oracle OpenSSO Fedlet
Oracle Directory Services Strategy
The complete picture
Oracle Directory Services Strategy
A complete offering of directory virtualization, storage and synchronization solutions
Virtual directory for enterprise standard identity access layer
Highly scalable directory servers for storage and consolidation
Meta directory capabilities enable synchronization
Support on-premise and in-the-cloud scenarios
Directory data access
OVD virtualization and Directory Proxy Server (DPS) to converge
Directory data storage and synchronization
DSEE for heterogeneous environment
OID for Oracle environment
Directory Integration Platform (DIP) for meta-directory synchronization
OID Overview
LDAP storage built upon Oracle Database
Fully functional meta directory with the Directory Integration Platform (DIP) component
Integrated into Oracle Fusion Middleware and applications
High performance and scalability, demonstrated by a 2-billion-entry benchmark
Maximum availability with multi-layer HA, including LDAP replication and Oracle RAC
Extreme security with Database Vault and encryption in addition to LDAP access control
Agenda
Overview
Architecture
Future Roadmap
Demo
Q&A
Components of Oracle Internet Directory
Understanding OID in OFM
Oracle Internet Directory Architecture
[Architecture diagram] Oracle Internet Directory, with Directory Replication Servers and the Directory Integration Server
Connected directories: Novell eDirectory, Sun JSDS, Microsoft AD, MS AD LDS, OpenLDAP, Tivoli Directory Server
Management: Oracle Directory Services Manager, Oracle FMW Control
Consumers: Applications
Oracle Internet Directory Node
One or more LDAP server processes
Only one Replication Server per node
DB can be on the same node
Oracle Process Manager and Notification Server (OPMN) invokes oidmon as required
OID Monitor (oidmon) initiates, monitors, and terminates the LDAP and replication server processes
Oracle Directory Services Manager administers OID or OVD; it can be installed locally with OID / OVD or on a remote node
Scalability
Unique Server Architecture
Multi-threaded using DB connection pooling
Multi-processing to utilize existing CPUs
Multi-instance directory server using multiple HW nodes
Scalability with the number of CPUs in SMP HW architectures
Scalability with the number of nodes in HW cluster architectures
Scalability to Terabytes of Directory data
Best performance on very large groups (>1M users)
High speed bulk tools
Two Billion Entries: 2 Billion Entries Benchmark
SPECIFICATION
Single Directory Information Tree, single Directory Server instance
OID v10.1.4.0.1, Oracle Database v10.2.0.3
SGI Altix 4700 Server
32 1.6 GHz Dual Core Itanium2 processors
256 GB RAM
SGI IS4500 RAID Array
SLAMD load generation test tool
RESULTS
Data loaded in 5 hrs, DB indexing in 19.5 hrs
100,000+ LDAP search ops/sec with 2.5 msec average latency
80,000+ LDAP authentications/sec with 9 msec average latency
14,000 LDAP update ops/sec with 16 msec average latency
99,000+ ops/sec with 16,000 concurrent clients
CONCLUSION
High speed data load
High throughput of LDAP operations with low latency, both for read and write operations
Scalable to very large directory sizes
Scalable to 10s of thousands of concurrent clients
Ability to scale on large hardware (CPUs, RAM)
Superior data management capabilities
Performance
Start small
[Chart: HW requirements vs. entries in the directory] Low HW requirements
E.g. manage Oracle databases in OID
Use existing DB HW and scale as needed
No need to switch directory service when requirements saturate the HW: upgrade HW as needed and leverage OID's flexible deployment architecture
Use the OID Server Cache, usually for small deployments (fewer than 300K entries) with no cluster configuration
High Availability
Most comprehensive set of HA configurations
Local HA: Active/Passive OID cluster configuration
Active/Active OID cluster configuration
Local Data Guard
Geographic HA and Disaster Recovery: Multi-master replication
Data Guard based DR configuration
[Diagram] Sample High Availability Environment
When to Choose OID Cluster
Local active/active availability on multiple hardware nodes
Scalability of IdM on more than one hardware node
Oracle RAC database for availability, scalability and manageability of the directory store
Solutions that require protection from node failure
OID HA Directory Replication
Multi-Master Replication: no practical limit on the number of replicas
LDAP and Database replication
LDAP replication: flexible, very granular approach to selecting naming contexts
Wizard-based setup from Enterprise Manager FMW Control
Not supported for Oracle SSO
Fan-out Replication
Read-only and updateable replicas
Fractional and Partial replication: a subset of MMR
When to Choose Replication?
Low entry cost for IdM HA deployment
Customers looking for Rolling Upgrade support
Requirements for IdM with geographic availability
Solutions that do not require HA of all Application Server components, only of IdM
OID Data Security
Database Vault Integration: restrict DBAs from accessing OID data directly from the database
Transparent Data Encryption Integration: prevent unauthorized data retrieval from file systems
Secure LDAP attributes in OID: configurable list of encrypted attributes
Benefits: enhanced security, improved compliance, reports
[Diagram: Database Vault protection of OID] ODS Protection Realm, Multi-Factor Authorization, Separation of Duty, Command Rules
11g Deployment Accelerators
How to improve administrator productivity?
Roll out new services quickly
Reduce the administrative learning curve
Simplify complex admin tasks
Limit the number of tools to use
Leverage Oracle Directory Services Manager (ODSM): manages OID and OVD
Use intelligent wizards and templates for Replication, Sizing and Tuning, and Directory Synchronization
Presents user and group information
Accessible via the FMW console
11g EM FMW Control & ODSM
FMW console homepage with vital system statistics
Customizable dashboard
ODSM accessible via the FMW console or standalone
ODSM used for specific LDAP-related tasks: user creation, schema management, security management
11g Auditing
Suite-wide auditability
ECID propagation
Audit records in DB schema
Out-of-box reports using BI Publisher
Policies for: user sessions, authorization, data access, account management, LDAP entry access
11g Logging
Suite-wide log message format
Diagnostic logging information for OID, OID replication server, DIP
Flexible logging options / levels
View trace messages by severity and order of importance
Execution Context Identifier (ECID) propagation
Directory Integration Platform
Oracle Internet Directory: central repository for identities and support for external authentication
Directory Integration Server: executes a set of connectors for synchronization
Connector support for: MS AD, AD LDS, Sun Java Enterprise Directory, Novell eDirectory, IBM Tivoli, OpenLDAP and custom agents
Used for synchronization between OID and other directories
DIP Profiles: templates for data mapping / transformation
Directory Integration Platform (Synchronization)
Time for action: application deployment time. Directory synchronization is needed for connected directories requiring synchronization with OID.
Communication direction: either one-way or two-way, that is, either from Oracle Internet Directory to connected directories, the reverse, or both
Type of data: any data in a directory
Examples: Oracle Human Resources, Oracle DB, Microsoft Active Directory, SUN Enterprise Directory, Novell eDirectory
Enterprise User Security
Oracle Authentication Services for Operating Systems (OAS4OS)
Use Cases
Enterprise User Security
User Management for Compliance: centralized user management
Map users to shared database schemas
Requires Oracle Directory Services
Enterprise Roles: centralized user role management
Authentication Methods: Password, Kerberos (Microsoft, MIT), PKI (X.509v3)
Heterogeneous Directory Support: Oracle Virtual Directory connectivity to Active Directory, Sun, Novell
EUS with OID and AD Integration
Oracle Authentication Services for OS
What is it?
End-to-end centralized authentication solution
Built on open interfaces without proprietary agents
Automated integration with directory services
What are the key benefits?
Manage users centrally using existing tools and processes
Reduce risk by centralizing audit logs, ensuring accountability for changes to accounts and privileges
Improve compliance by ensuring consistent password policies and account locking across systems
Obliterate identity data silos by integrating directly with application and database security mechanisms
Oracle Authentication Services for OS
End-to-end centralized authentication solution
Built on open interfaces without proprietary agents: PAM_LDAP, NSS_LDAP
Automated integration with directory services
Automated user migration tools from local files and NIS servers
Key Functions
Scripts to automate client configuration, including SSL
Easy migration from Linux/Unix files
Easy migration from NIS to LDAP
Centralized password policies and lockout control support
UID and GID uniqueness and provisioning support
Centralized sudo policy management
Active Directory integration
Cross-platform support: Linux (Red Hat and Oracle Enterprise Linux, SUSE Linux), Unix (Solaris, HP-UX, AIX)
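The file-to-LDAP migration and the UID/GID uniqueness check listed above are the two steps a practitioner most needs to see concretely. The sketch below is an added example, not Oracle's OAS4OS tooling: it turns constructed /etc/passwd lines into posixAccount LDIF entries for an assumed suffix and refuses to emit anything while a uidNumber collision remains unresolved.

```python
"""Added illustration of the /etc/passwd -> LDAP migration step that OAS4OS
automates. Not Oracle's code; the base DN and sample accounts are constructed."""

BASE_DN = "dc=example,dc=com"   # assumption: suffix that receives migrated users
MIN_UID = 1000                  # assumption: system accounts below this stay local

# Constructed sample lines; "mallory" deliberately reuses uidNumber 1001.
PASSWD_LINES = [
    "root:x:0:0:root:/root:/bin/bash",
    "alice:x:1001:1001:Alice:/home/alice:/bin/bash",
    "bob:x:1002:1002:Bob:/home/bob:/bin/sh",
    "mallory:x:1001:1003:Dup uid:/home/mallory:/bin/bash",
]

def parse_passwd(lines):
    """Return the accounts eligible for migration (uid >= MIN_UID)."""
    users = []
    for line in lines:
        name, _pw, uid, gid, gecos, home, shell = line.split(":")
        if int(uid) < MIN_UID:
            continue  # root and system accounts are not moved to the directory
        users.append({"uid": name, "uidNumber": int(uid), "gidNumber": int(gid),
                      "cn": gecos or name, "homeDirectory": home, "loginShell": shell})
    return users

def find_uid_collisions(users):
    """Map each uidNumber claimed by more than one account to those account names."""
    seen = {}
    for u in users:
        seen.setdefault(u["uidNumber"], []).append(u["uid"])
    return {n: names for n, names in seen.items() if len(names) > 1}

def to_ldif(user, base_dn=BASE_DN):
    """Render one posixAccount entry. No userPassword is copied from the local
    hash: the migrated account gets its password under the central policy."""
    return "\n".join([
        f"dn: uid={user['uid']},ou=People,{base_dn}",
        "objectClass: top", "objectClass: account", "objectClass: posixAccount",
        f"uid: {user['uid']}", f"cn: {user['cn']}",
        f"uidNumber: {user['uidNumber']}", f"gidNumber: {user['gidNumber']}",
        f"homeDirectory: {user['homeDirectory']}", f"loginShell: {user['loginShell']}",
    ]) + "\n"

def migrate(lines):
    """Return (ldif_text, collisions); LDIF is empty until collisions are resolved."""
    users = parse_passwd(lines)
    collisions = find_uid_collisions(users)
    if collisions:
        return "", collisions
    return "\n".join(to_ldif(u) for u in users), {}
```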
Agenda
Overview
Architecture
Future Roadmap
Demo
Q&A
Oracle Identity Management Roadmap Timelines
11gR1 (July 2009): Internet Directory, Virtual Directory, Identity Federation, Web Services Manager, Platform Security Services
11g Patchset 2 (April 2010): Internet Directory, Virtual Directory, Identity Federation, Web Services Manager, Platform Security Services
11g Patchset 3 (Jan 2011): Internet Directory, Virtual Directory, Identity Federation, Web Services Manager, Platform Security Services
11g Patchset 4 (H2 CY2011): Internet Directory, Virtual Directory, Identity Federation, Web Services Manager, Platform Security Services
11gR1 OID/DIP PatchSet 2
OID
Security enhancements (e.g. support for a configurable set of hashed attributes, logging the client IP address for change operations)
Server enhancements (e.g. preserve case for attributes, new attributes lastloginattempt and lastloginsuccess, fine-grained statistics, enhanced logging for requested attributes)
Replication Server (e.g. fine-grained replication frequency at the seconds level)
DIP
Support for OID SSL mode 2 (mutual authentication)
CLI export and import of profiles (test production)
Integration of DIPTESTER advanced mode
ODSM
UI enhancement to manage the list of secure attributes and hashed attributes
11gR1 Patchset 2
Oracle Authentication Services for OS
Full integration with Fusion Middleware Release 11g R1 PS2
Extended client OS support
New configuration scripts to enable PAM proxy-user based access to OID for enhanced security
Easy configuration of OID SSL using customer-provided certificates for production deployments, or use of self-signed certificates to test OID SSL connections
Restricting client access based on IP address
Easy reset of client configuration to support testing
OID/DIP 11gR1 Patchset 3
OID
New LDAP protocol features (e.g. memberof support, additional controls)
Performance and scalability enhancements (e.g. footprint reduction, RAC write optimization)
Security enhancements (e.g. IP-based access control, new hashing and encryption schemes SHA2, AES)
Replication enhancements (e.g. LDAP MMR rolling upgrade support)
DIP
OOTB diagnostic enhancements (aka DIPTESTER)
32/64-bit password filter availability in software media
ODSM
SSO using OAM
OID / DIP Patchset 4 (planned features)
OID
Exadata support: initial integration and benchmark
Performance improvement: priority replication, automatic OID tuning
OAS4OS uptake: SSL automation tool
HA/LDAP failover support
ODSEE support
DIP
DSEE sync
OIA synchronization support
Bi-directional DB synchronization
Additional DB connectors
Agenda
Overview
Architecture
Future Roadmap
Demo
Q&A
Demos
EM Fusion Middleware Control: http://adc2100029.us.oracle.com:7001/em
Oracle Directory Services Manager: http://adc2100029.us.oracle.com:7005/odsm
Oracle Authentication Services for Operating Systems (short): http://d/PM/Viewlet/DSS-ODS-demo-2010-OAS4OS-OID/dssodsdemo2010oas4osoid_viewlet_swf.html
Oracle Authentication Services for Operating Systems (long, available on OTN): http://www.oracle.com/technetwork/middleware/id-mgmt/learnmore/oas4os11113demo-196337.swf
Directory Integration Platform (OID ODSEE): http://d/PM/Viewlet/DSS-ODS-demo-2010-OID-DIP/dssodsdemo2010oiddip_viewlet_swf.html
Database Management: http://d/PM/Viewlet/DSS-ODS-demo-2010-DBMgMt-OID/dssodsdemo2010dbmgmtoid_viewlet_swf.html
Enterprise User Security: http://d/PM/Viewlet/DSS-ODS-demo-EUS-OID/dssodsdemoeusoid_viewlet_swf.html