Les 04 Identity Management High Availability
Transcript of Les 04 Identity Management High Availability
Copyright © 2009, Oracle. All rights reserved.
Identity Management
Identity Management Product Suites
• These slides are based on the initial 11.1.1.2.0 Release, where there was only one IDM suite
• We now have two suites of products:
1. Identity Management (IDM)
   Oracle Internet Directory (OID)
   Oracle Virtual Directory (OVD)
   Oracle Directory Integration Platform (ODIP)
   Oracle Directory Services Manager (ODSM)
   Oracle Identity Federation (OIF)
2. Identity and Access Management (IAM)
   Oracle Access Manager (OAM)
   Oracle Identity Manager (OIM)
   Oracle Adaptive Access Manager (OAAM)
   Oracle Identity Navigator (OIN)
   Oracle Platform Security Services (OPSS)
   Oracle Authorization Policy Manager (OAPM)
• Also see Considerations When Patching FMW 11g Identity Management Products to 11.1.1.4 or Higher (Doc ID 1298815.1)
OFM 11g IM HA Considerations

Application Characteristic                           HA Feature Used
---------------------------------------------------  ------------------------------------------------------------------
JavaEE components like OIF, DIP, OIM, ORM, OAM       WLS -ilities like clustering, load balancing, failover etc.
C based components like OID                          Clustered deployments against same DB repository
JavaSE applications like OVD                         Clustered deployments against same LDAP repository
Persistence Store                                    RAC DB; WLS Multi DataSource for JavaEE components; TAF for C components
No special dependency on hostnames, IP Address etc.  File System based Backup and Recovery; Storage Replication for Disaster Recovery; MMR for OID-only deployments
OFM 11g Identity Management HA Architecture
[Architecture diagram, labels only: Hardware LB in front of two OHS instances (runtime cluster); WLS clusters of WLS_ODS and WLS_OIF instances; AdminServer; MW_HOME1 and MW_HOME2; two OID and two OVD instances; RAC database; MultiDS and TAF connection labels; six machines, Machine1 to Machine6]
• External Load Balancer used to front-end WebServers
• WebServer cluster is a run time cluster and does not support cluster wide management
• All WLS instances in a WLS Cluster
• At least two MW_HOMEs used to support HA Patching (on local or shared storage)
• RAC DB
• CFC for Admin Server protection (optional)
• C Components protected with OPMN
OID Single Node Architecture
• Directory Server: LDAP server. Single dispatcher with one or more servers
• Replication Server: Replicates to other OID servers. Singleton.
• Database: Directory data and configuration store
• OPMN: Starts/Stops/Monitors OIDMON.
• OIDMON: Starts/Stops/Monitors OID Server and Replication Server processes. Reads ODS_PROCESS_STATE_TABLE
• OIDCTL: Command line utility for server process control. Communicates with OIDMON by placing a message in the OID server table
OID HA Design Consideration
• C based component
• Active/Active cluster against same DB repository
• Stateless. State stored in DB repository
• Load Balanced connections to DB
• TAF and HA Event Notifications for RAC failover. OID has a stale connection detection mechanism. If no DB is available, OID processes shut down.
• Clusterwide config change as it is stored in DB. OIDMON polls for changes.
• Metadata cached in server processes. Cluster wide cache sync via notifications and OIDMON
• Can be configured with or without a WebLogic domain
OID HA Architecture
• All nodes in run time cluster
• External hardware LBR
• FAN/OCI events with TAF
OID Failover and Expected Behaviour
• Failover transparent to clients
• Load balancer detects OID failure and routes to other instances
• Other instances continue to service requests
• FAN/OCI/TAF protect against any DB failures
OID Setup Steps
1. RCU DB
2. Install product binaries and configure OID using OUI
3. Register against a WLS Domain (Optional)
IAM HA
• OIM: Uses clustering and whole server migration
• OAM: Uses clustering, Coherence
• OAPM: Deployed to Admin server so uses CFC active-passive solution
• OIN: Deployed to Admin server so uses CFC active-passive solution
• OAAM: Uses clustering and DB HA features
OVD Single Node Architecture
• Oracle Virtual Directory is an LDAP version 3 enabled service
• Provides virtualized abstraction of one or more enterprise data sources into a single directory view
• Server is written in Java and internally it is organized into multiple layers.
• Appears as a single complete service to the administrator and to clients.
• OPMN is used to start, monitor, and manage the Oracle Virtual Directory process (JavaSE Process)
• Has LDAP and HTTP listeners
OVD HA Design Consideration
• JavaSE based component
• Active/Active cluster
• Stateless.
• No external dependencies
• Config stored on local file system
• No cluster wide config changes possible
• Can be configured with or without a WebLogic domain
OVD HA Architecture
• All nodes in run time cluster
• External hardware LBR
• Config updated one instance at a time
• Fault tolerance and load balancing for LDAP sources through a list of host names
• Distinction between read only vs read write replicas
OVD Failover and Expected Behaviour
• Failover transparent to clients
• Load balancer detects OVD failure and routes to other instances
• Other instances continue to service requests
• Automated failover for proxied LDAP sources
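The two OVD slides above describe a proxied LDAP source as a list of host names with a read-only/read-write distinction and automated failover between them. The following is an added model of that routing rule, not Oracle's code: reads may go to any replica that is up, writes only to a read-write replica, and a replica that fails to connect is marked down so later operations skip it. The host names, the outage and the in-memory transport are constructed for the example.

```python
"""Model of an OVD-style failover list for a proxied LDAP source.

Added illustration, not Oracle code. Hosts and the fake transport are
constructed so the example runs offline.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


class AllHostsDownError(RuntimeError):
    """Raised when no replica in the list can serve the operation."""


@dataclass
class Replica:
    host: str
    read_only: bool = False
    healthy: bool = True


@dataclass
class ProxiedSource:
    """One LDAP back end as seen by the virtual directory."""
    replicas: List[Replica]
    # transport(host, op) -> result; raises ConnectionError on failure.
    # Injected so the example needs no network.
    transport: Callable[[str, str], str]
    log: List[str] = field(default_factory=list)

    def _candidates(self, op: str) -> List[Replica]:
        # Writes must go to a read-write replica only; reads (bind/search)
        # may go to any replica that is currently up.
        is_write = op in {"add", "modify", "delete"}
        return [r for r in self.replicas
                if r.healthy and not (is_write and r.read_only)]

    def execute(self, op: str) -> str:
        """Try each eligible replica in list order until one answers."""
        for replica in self._candidates(op):
            try:
                result = self.transport(replica.host, op)
            except ConnectionError as exc:
                # Mark the replica down so later calls skip it without
                # paying the connection timeout again.
                replica.healthy = False
                self.log.append(f"{replica.host} down: {exc}")
                continue
            self.log.append(f"{op} served by {replica.host}")
            return result
        raise AllHostsDownError(f"no replica available for {op}")


def make_transport(down: Dict[str, bool]) -> Callable[[str, str], str]:
    """Constructed stand-in for the LDAP connection (no network)."""
    def transport(host: str, op: str) -> str:
        if down.get(host):
            raise ConnectionError("connect timed out")
        return f"{op}@{host}"
    return transport


def demo() -> Dict[str, object]:
    """Primary RW host is down; reads and writes fail over differently."""
    down = {"ldap1.example.internal": True}  # constructed outage
    source = ProxiedSource(
        replicas=[
            Replica("ldap1.example.internal"),                  # RW, down
            Replica("ldap2.example.internal", read_only=True),  # RO
            Replica("ldap3.example.internal"),                  # RW
        ],
        transport=make_transport(down),
    )
    search = source.execute("search")   # fails over to ldap2 (RO is fine)
    modify = source.execute("modify")   # skips RO ldap2, lands on ldap3
    return {"search": search, "modify": modify, "log": list(source.log)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point worth checking in a real deployment is the second call: after the primary fails, a write must not be sent to the read-only replica even though it is healthy, otherwise the failover hides a silent loss of writes behind an LDAP error.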
OVD Setup Steps
1. Install product binaries and configure OVD using OUI
2. Use OUI to setup second node
3. Configure load balancer to route to OVD instances
4. Register against a WLS Domain (Optional)
DIP Single Node Architecture
• J2EE application that enables you to integrate applications and directories
• Synchronization and Provisioning service
• Quartz scheduler invokes stateless EJBs for Provisioning or Sync
• Runs on WLS managed server
• Metadata stored in OID. Quartz uses ODSM schema for config
DIP HA Architecture
• Active/Active configuration with WLS Cluster
• DIP is not a singleton anymore
• Multi DS for RAC DB
• LBR to OID
• No cluster wide config changes
DIP Failover and Expected Behaviour
• Failover is transparent to users (background processing)
• Quartz Scheduler invokes EJBs for job execution.
• It tags the EJB as executing the job
• In case the EJB fails, the Quartz scheduler marks the job as failed and reschedules it to be executed later by another EJB
• Multi DS for RAC DB connection
• External LBR for OID connection
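The slide above describes the DIP failover sequence in three steps: the scheduler tags a job with the EJB executing it, marks the job failed if that EJB dies, and reschedules it onto another EJB. The following is an added model of that sequence written for this page; it is not Oracle's or Quartz's code. Workers stand in for the stateless EJBs on the managed servers, the managed server names and the job name are constructed, and the crash is simulated.

```python
"""Model of scheduler-driven job failover as described for DIP.

Added illustration, not Oracle or Quartz code. Worker names, the job
name and the failure are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


class WorkerCrashed(RuntimeError):
    """Raised by a worker that dies mid-job (simulated EJB failure)."""


@dataclass
class Job:
    name: str
    state: str = "WAITING"            # WAITING | EXECUTING | FAILED | DONE
    executing_on: Optional[str] = None  # the "executing" tag from the slide
    attempts: int = 0
    history: List[str] = field(default_factory=list)


@dataclass
class Scheduler:
    # worker name -> callable(job); returns normally or raises WorkerCrashed
    workers: Dict[str, Callable[[Job], None]]
    max_attempts: int = 3

    def run_once(self, job: Job, worker_name: str) -> str:
        """Dispatch the job to one worker and record the outcome."""
        job.attempts += 1
        job.state = "EXECUTING"
        job.executing_on = worker_name
        try:
            self.workers[worker_name](job)
        except WorkerCrashed as exc:
            # Step 2 on the slide: the job is marked failed, not lost.
            job.state = "FAILED"
            job.executing_on = None
            job.history.append(f"attempt {job.attempts} on {worker_name}: {exc}")
            return job.state
        job.state = "DONE"
        job.history.append(f"attempt {job.attempts} on {worker_name}: ok")
        return job.state

    def run_with_failover(self, job: Job) -> Job:
        """Step 3: a failed job is rescheduled onto the next worker."""
        names = list(self.workers)
        for i in range(self.max_attempts):
            worker = names[i % len(names)]        # round robin over EJBs
            if self.run_once(job, worker) == "DONE":
                break
            # state stays FAILED; the next iteration is the reschedule
        return job


def crashing_worker(job: Job) -> None:
    raise WorkerCrashed("managed server lost")    # constructed failure


def healthy_worker(job: Job) -> None:
    return None                                   # sync completes normally


def demo() -> Job:
    """First managed server dies; the job completes on the second."""
    sched = Scheduler({"WLS_DIP1": crashing_worker,   # constructed names
                       "WLS_DIP2": healthy_worker})
    return sched.run_with_failover(Job("sync-hr-to-oid"))  # constructed job


if __name__ == "__main__":
    job = demo()
    print(job.state, job.attempts, job.executing_on)
    for line in job.history:
        print(" ", line)
```

A bounded `max_attempts` is the detail to keep an eye on: a job whose failure is caused by its own input rather than by the server would otherwise bounce between EJBs forever, which is why the attempt count and the history are kept on the job itself.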
ODSM Single Node Architecture
• Used to manage OID and OVD
• Replaces ODM (10g)
• ADF based JavaEE application
• Process management using WLS tools
ODSM HA Architecture and Failover
• Active/Active configuration with WLS Cluster
• NO session state replication possible
• Multi DS for RAC DB
• LBR to OID
• No cluster wide config changes
ODSM Failover and Expected Behaviour
• Failover not transparent to users
• For WLS failover, users need to exit the browser, launch a new browser and establish connections again
• For ODSM failure, users will lose their login session and will see a popup stating "Your session is idle…". They will need to re-connect.
• For OID/OVD failover, a popup is shown ("LDAP Server is down") while connections are failed over to other LDAP servers. Connections are re-established in less than a minute
• For RAC DB failover, a message ("Failure accessing Oracle database") is shown. Connections are re-established in less than a minute
DIP & ODSM Setup Steps
1. RCU DB
2. WLS binaries
3. Install and configure DIP and ODSM with Admin Server on Machine1
4. Install and configure DIP and ODSM on machine 2
5. Configure OHS to route to DIP & ODSM
6. Configure load balancer to route to OHS instances
OIF Single Node Architecture
• Federation Server for multi domain authentication and SSO
• JavaEE, runs in WebLogic Server
• DB based message and user session data store
• DB based configuration data store
• LDAP/DB based user data store
• LDAP/DB based federation data store
• Can be configured to use SSO, OAM etc. as Authentication Engine/SP Engines
OIF HA Design Consideration
• JavaEE based component
• State replication not configured OOB. HTTP Session State is short lived. Sticky Routing recommended.
• All data (user, session, config, federation) stored in shared repositories.
• Cluster wide config changes as config stored in shared DB repository
OIF HA Architecture
• Active/Active configuration with WLS Cluster
• Multi DS for RAC DB
• LBR to LDAP stores
OIF Failover and Expected Behaviour
• Failover is seamless to users
• In case of an instance failure, surviving OIF instances will continue to seamlessly process any unfinished transactions started on the failed instance, since the state information is in the shared database and is available to all the members in the cluster
OIF Setup Steps
1. RCU DB
2. Install WLS binaries
3. Install and configure OIF with Admin Server on Machine1
4. Install and configure OIF on machine 2
5. Configure OHS to route to OIF
6. Configure load balancer to route to OHS instances