Case Study: Plus Retail - Moving from the Old World to the New World

A case study covering Plus Retail's transition from Oracle to ForgeRock's OpenAM, presented by AXI BV/NV Consultant Kurt Van Meerbeeck.



  1. 2013 Open Stack Identity Summit - France: OpenAM in an Oracle Environment, Case Study
  2. BIO
     • Whoami: Kurt Van Meerbeeck
     • Working with Java since 1996 (JDK 1.0.x)
     • Working with Oracle products since 1997 (Oracle 7, OAS 3, Forms 3.x)
     • Currently work for AXI NV/BV: Oracle | IBM | ForgeRock partner; Database & Middleware consultant
     • kvmb@axi.be, www.axi.be
  3. History
     • Internet Application Server 9i (IAS9i)
     • Internet Application Server 10g (IAS10g)
     • Fusion Middleware 11g (FMW/WLS)
  4. IAS Architecture
     • Infrastructure tier: OID (LDAP), OC4J (Orion J2EE), OCA, SSO Server, OHS (Apache 1.3, mod_oc4j, mod_plsql, mod_osso), RDBMS
     • Multiple middle tiers: OC4J, Oracle Forms, Reports, Discoverer, OHS (Apache 1.3, mod_oc4j, mod_plsql, mod_osso), Oracle Portal
  5. OSSO flow
     Diagram: browser -> MID.axi.be (Apache with mod_osso, mod_oc4j, mod_plsql; J2EE) -> INFRA.axi.be (Apache with mod_osso, mod_oc4j, mod_plsql; J2EE; oc4j_security; OCA; OID LDAP; IASDB)
     • Apache virtual host for http://my.company.com
     • Make it an SSO partner app: register it with ossoreg.jar, protect it with mod_osso
     • mod_osso.conf:
           <Location /app>
               require valid-user
               AuthType Basic
           </Location>
  6. OSSO flow
     • mod_osso: is the partner cookie available? If not, redirect to
       infra.axi.be/pls/orasso/orasso.wwsso_app_admin.ls_login?Site2pstoreToken=<y>
     • Virtual host configuration:
           NameVirtualHost *:80
           <VirtualHost *:80>
               ServerName my.company.com
               Port 80
               # Include the configuration files
               # needed for mod_osso
               OssoConfigFile /OH/my_comp_osso.conf
           </VirtualHost>
     • SSO server: is the SSO cookie present? If not, generate a redirect to the logon page http://infra.axi.be/sso/jsp/login.jsp (configured in $OH/sso/policy.properties)
  7. OSSO flow
     Diagram only: the same MID.axi.be / INFRA.axi.be components as on slide 5.
  8. OSSO flow
     • HTTP POST to the SSO server: username, password, site token (sitetoken)
     • Check credentials in LDAP/OID
     • If OK: generate the SSO cookie (SSO_ID) and redirect to http://my.company.com/osso_login_success?urlc=<sitetoken>
     • mod_osso: generate the partner cookie and redirect to the original URL
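The redirect chain drawn on slides 5 to 8 is easier to follow as code. The model below is an added illustration, not Oracle's mod_osso or SSO server: the cookie names (`SSO_ID`, `OSSO_<host>`), the `<host>:<nonce>` layout of the site token, the HMAC that stands in for Oracle's encrypted `urlc`, and the `LDAP_USERS` table are constructed simplifications, while the URLs follow the slides.

```python
"""Model of the OSSO partner-application login flow drawn on slides 5-8: mod_osso
on the mid-tier (MID.axi.be), the SSO server on the infrastructure tier
(INFRA.axi.be) and a browser carrying the partner cookie and the SSO cookie
(SSO_ID). Added illustration, not Oracle's code: the cookie and token layout,
the signing of urlc and the user table are constructed simplifications."""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

LDAP_USERS = {"kurt": "s3cret"}  # constructed stand-in for the OID credential check
SSO_HOST = "infra.axi.be"
LS_LOGIN = f"http://{SSO_HOST}/pls/orasso/orasso.wwsso_app_admin.ls_login"
LOGIN_PAGE = f"http://{SSO_HOST}/sso/jsp/login.jsp"


class SSOServer:
    """Infrastructure tier: owns the SSO_ID sessions and the partner keys."""

    def __init__(self):
        self.sessions = {}  # SSO_ID cookie value -> username
        self.partners = {}  # partner host -> key agreed at registration (ossoreg.jar)

    def register_partner(self, host):
        self.partners[host] = secrets.token_bytes(32)
        return self.partners[host]

    def _back_to_partner(self, site_token, user, set_cookies):
        # Site token is modelled as "<partner host>:<nonce>" so the server knows
        # where to return; urlc is "<user>|<site token>|<HMAC>" under the partner key.
        host = site_token.split(":", 1)[0]
        payload = f"{user}|{site_token}"
        tag = hmac.new(self.partners[host], payload.encode(), hashlib.sha256).hexdigest()
        url = f"http://{host}/osso_login_success?" + urlencode({"urlc": f"{payload}|{tag}"})
        return "302", url, set_cookies

    def ls_login(self, site_token, cookies):
        """Target of the mod_osso redirect: SSO cookie present, or show login.jsp?"""
        user = self.sessions.get(cookies.get("SSO_ID"))
        if user is None:
            return "302", LOGIN_PAGE + "?" + urlencode({"site2pstoretoken": site_token}), {}
        return self._back_to_partner(site_token, user, {})

    def login_post(self, username, password, site_token):
        """HTTP POST from login.jsp: username, password and the site token."""
        if LDAP_USERS.get(username) != password:
            return "401", None, {}
        sso_id = secrets.token_hex(16)
        self.sessions[sso_id] = username
        return self._back_to_partner(site_token, username, {"SSO_ID": sso_id})


class PartnerApp:
    """Mid-tier virtual host protected by mod_osso (<Location> require valid-user)."""

    def __init__(self, host, sso):
        self.host = host
        self.key = sso.register_partner(host)
        self.cookie_name = f"OSSO_{host}"
        self.pending = {}  # site token -> originally requested URL
        self.sessions = {}  # partner cookie value -> username

    def handle(self, url, cookies):
        """Partner cookie present -> serve; otherwise send the browser to ls_login."""
        user = self.sessions.get(cookies.get(self.cookie_name))
        if user is not None:
            return "200", user, {}
        site_token = f"{self.host}:{secrets.token_hex(8)}"
        self.pending[site_token] = url
        return "302", LS_LOGIN + "?" + urlencode({"Site2pstoreToken": site_token}), {}

    def login_success(self, urlc):
        """/osso_login_success?urlc=...: verify, set the partner cookie, go back."""
        user, site_token, tag = urlc.split("|")
        expected = hmac.new(self.key, f"{user}|{site_token}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected) or site_token not in self.pending:
            return "403", None, {}  # forged or replayed callback
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return "302", self.pending.pop(site_token), {self.cookie_name: cookie}


def _param(url, name):
    return parse_qs(urlparse(url).query)[name][0]


def run_flow(username, password):
    """One browser visits two partner apps: a full login on the first, SSO-only on
    the second. Returns how many login pages were shown and who each app saw."""
    sso = SSOServer()
    apps = [PartnerApp("my.company.com", sso), PartnerApp("portal.company.com", sso)]
    cookies, login_pages, seen = {}, 0, []
    for app in apps:
        _, location, _ = app.handle(f"http://{app.host}/app/", cookies)
        status, location, new_cookies = sso.ls_login(_param(location, "Site2pstoreToken"), cookies)
        if "login.jsp" in location:
            login_pages += 1
            status, location, new_cookies = sso.login_post(
                username, password, _param(location, "site2pstoretoken"))
            if status != "302":
                return {"login_pages": login_pages, "users": seen, "failed": True}
        cookies.update(new_cookies)
        _, location, new_cookies = app.login_success(_param(location, "urlc"))
        cookies.update(new_cookies)
        _, user, _ = app.handle(location, cookies)  # the original URL now answers 200
        seen.append(user)
    return {"login_pages": login_pages, "users": seen, "failed": False}
```

`run_flow("kurt", "s3cret")` shows the two cookies doing different jobs: the SSO cookie on infra.axi.be is set once, so the second partner application gets its own partner cookie without a login page. The `login_success` check is the part worth keeping in mind when replacing the SSO server with a custom plugin: the partner must only accept a callback it can tie to a pending site token and a key it shares with the SSO server, or the callback URL becomes a way to mint partner sessions.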
  9. Custom Plugins
     • IPASAuthInterface is implemented by SSOServerAuth; SSOX509CertAuth, SSOKerbeAuth and custom plugins extend SSOServerAuth
     • Important for integration: custom plugins by subclassing the OSSO server classes
     Diagram: the same MID.axi.be / INFRA.axi.be components as on slide 5, with the custom plugin on the INFRA tier.
  10. Oracle 11g FMW / WLS
     • Problem with FMW: no infrastructure tier, no SSO/OID/WNA
  11. Desupport notice
     • Premier Support for Oracle Single Sign-On 10gR3 ends on December 31, 2011
     • Limited Extended Support for Oracle Single Sign-On from January 2012 through December 2012
     • It is strongly recommended that you use this additional time to integrate your single sign-on deployment with Oracle Access Manager
  12. Oracle Access Manager
     • Extra licenses and servers: Oracle WebLogic Server, Oracle Access Manager, Directory Services Plus
  13. (no text on slide)
  14. PLUS Retail: Migrating to OpenAM, Customer Case
  15. Requirements
     • Integrate with legacy IAS/OSSO: Portal 10g, Forms 10g, OC4J, OBIEE 10g
     • Integrate with Forms 11g (FMW/WLS): special case as Forms *needs* OID
     • Integrate with OBIEE 11g (FMW/WLS)
     • Integrate with J2EE apps (FMW/WLS)
     • Integrate apps in the cloud using federated authentication
  16. Overview
     • Legacy environment: Oracle 10g Infrastructure (Oracle SSO Server) and Oracle 10g midtiers (Forms 10g, Portal 10g, J2EE, OBIEE 10g), SSO using the Oracle SSO server
     • AXI OSSO-OpenAM integration (custom OSSO plugin) bridges the two; LDAP sync between OID and OpenDJ
     • New environment: Linux server (cluster) with Tomcat J2EE server running OpenAM (custom plugins) and OpenDJ; Oracle 11g WebLogic (Forms 11g, J2EE, OBIEE 11g) with SSO using OpenAM policy agents / J2EE policy agent; LAMP in the cloud as SAMLv2 service provider, SSO using SAMLv2
  17. Create an HA OpenAM Environment
  18. Physical overview
     • sso.axi.be:80 (HTTP load balancer) -> snsrv615:8080 and snsrv616:8080 (OpenAM, master-master replication)
     • ldap.axi.be:389 (TCP load balancer) -> snsrv615:1389 and snsrv616:1389 (OpenDJ, master-master replication)
  19. Logical Overview
     • L7 LB: HAProxy, active/passive cluster
     • Apache 2.2 RP x2: active/passive cluster, sync config
     • OpenAM x2: active/active cluster, session replication
     • L4 LB: HAProxy, active/passive cluster
     • OpenDJ x2: active/active cluster, multimaster replication
  20. Integrate OSSO using a custom plugin
  21. Legacy environment with the custom plugin
     • Diagram: the legacy environment of slide 16 (Oracle SSO Server, Oracle 10g Infrastructure and midtiers), the AXI OSSO-OpenAM integration (custom OSSO plugin), LDAP sync to OpenDJ on the Tomcat/OpenAM cluster
     • Class hierarchy: IPASAuthInterface <- SSOServerAuth <- SSOX509CertAuth, SSOKerbeAuth, custom plugin
     • public class OpenAMAuth extends SSOServerAuth
  22. Legacy environment (same diagram as slide 21 without the class hierarchy)
  23. Integrate Forms 11g
  24. Oracle Forms
     • RAD: Oracle Developer / Designer, productivity
     • Large install base
     • Many incarnations: server-side character based (terminal), C/S, web based
  25. Oracle Forms architecture
     Diagram: Browser (Java plugin, Forms client) -> OHS (mod_osso, mod_oc4j, mod_plsql) -> J2EE (Forms servlet) -> Forms Runtime processes -> RDBMS
  26. Oracle Forms
     • Forms is *SPECIAL*: it will check the version of OID in SSO mode!
     • What if you want to get rid of OID???
     • Extra LDAP queries: osso-user-dn, osso-subscriber-dn, RADs, root DSE orcldirectoryversion
  27. Oracle Forms
     • Forms is *SPECIAL*: Forms 11g can be plugged into an OID LDAP
     • What if we could mimic OID using OpenDJ?
       1. Recreate the OID LDAP schema in OpenDJ (ldapsearch)
       2. Add orcldirectoryversion to the OpenDJ root DSE
       3. Plug Forms 11g into OpenDJ!!!
  28. Oracle Forms
     • Forms is *SPECIAL* but can make use of OpenAM/OpenDJ without OID
     • Extra LDAP queries (osso-user-dn, osso-subscriber-dn, RADs, root DSE orcldirectoryversion), now served by OpenDJ
  29. Integrate OBIEE 11g
  30. OBIEE 11g
     • OBIEE 11g runs on top of WLS and makes use of Oracle Platform Security Services
     • Switch from embedded LDAP to OpenDJ (iPlanetAuthenticator)
     • Configure HTTP header identity asserter (Generic SSO)
     • Configure OpenDJ (OBIEE groups: BIAuthor, BIAdministrators, etc.)
     • Deploy OpenAM J2EE Policy Agent
     • Modify OBIEE analytics war to add J2EE filter (redeploy)
     • Resync identity GUID attribute with OpenDJ
     • Modify RPD to use LDAP in initialisation blocks
  31. OBIEE 11g
     Diagram (steps 1-7): Apache RP/SSL -> OpenAM J2EE policy agent (J2EE filter) -> OBIEE 11g / WLS with HTTP header identity asserter (Generic SSO), DefaultAuthenticator (embedded LDAP) and iPlanetAuthenticator (OpenDJ LDAP); OPSS ID store, policy store and credential store; OpenAM backed by OpenDJ LDAP
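The HTTP header identity asserter on slides 30 and 31 only works as intended because of the order of the boxes in the diagram: the Apache reverse proxy and the policy agent set the identity header after validating the OpenAM session, and WebLogic must believe that header from them only. The model below is an added illustration, not WebLogic or OpenAM code; the header name `X-Remote-User`, the proxy address, the session tokens and the OpenDJ group entries are constructed (`iPlanetDirectoryPro` is OpenAM's default cookie name).

```python
"""Trust model behind "Configure http header identity asserter (Generic SSO)" on
slide 30. Added illustration, not WebLogic or OpenAM code: the policy agent and
the asserter are modelled as small functions; the header name, proxy address,
session tokens and directory entries are constructed."""

ID_HEADER = "X-Remote-User"         # assumed name of the asserted header
TRUSTED_PROXY_ADDRS = {"10.0.0.5"}  # constructed: where the Apache RP / agent runs

# Constructed stand-ins for the OpenAM session store and the OpenDJ group entries.
OPENAM_SESSIONS = {"tok-kurt-0001": "kurt"}
OPENDJ_GROUPS = {"kurt": ["BIAuthor"], "admin": ["BIAdministrators"]}


def policy_agent(request, peer_addr="10.0.0.5"):
    """Models the OpenAM J2EE policy agent / Apache RP in front of OBIEE: it
    validates the OpenAM cookie (iPlanetDirectoryPro is OpenAM's default cookie
    name) and then overwrites the identity header, so a value set by the browser
    never reaches WLS. Returns the forwarded request, or None when the agent
    would instead redirect the browser to OpenAM."""
    headers = {k: v for k, v in request.get("headers", {}).items()
               if k.lower() != ID_HEADER.lower()}
    user = OPENAM_SESSIONS.get(request.get("cookies", {}).get("iPlanetDirectoryPro"))
    if user is None:
        return None
    headers[ID_HEADER] = user
    return {"peer": peer_addr, "headers": headers}


def header_identity_asserter(request):
    """Models the WLS identity asserter: the header is believed only when the
    request arrives from the proxy tier. Returns the username or None."""
    if request is None or request["peer"] not in TRUSTED_PROXY_ADDRS:
        return None
    return request["headers"].get(ID_HEADER)


def authenticate(request):
    """The asserter yields the principal; the LDAP authenticator
    (iPlanetAuthenticator against OpenDJ) supplies the groups OBIEE authorises on."""
    user = header_identity_asserter(request)
    if user is None:
        return None
    return {"user": user, "groups": OPENDJ_GROUPS.get(user, [])}


def demo():
    """Returns (result via the agent, result when WLS is reached directly)."""
    # A browser with a valid OpenAM session that also sets the identity header itself.
    browser = {"cookies": {"iPlanetDirectoryPro": "tok-kurt-0001"},
               "headers": {ID_HEADER: "admin"}}
    via_proxy = authenticate(policy_agent(browser))
    # The same header arriving at the WLS listen port without passing the proxy.
    direct = authenticate({"peer": "203.0.113.9", "headers": {ID_HEADER: "admin"}})
    return via_proxy, direct
```

`demo()` returns the OpenDJ identity `kurt` with the `BIAuthor` group for the proxied request, and `None` for the direct one. The two properties the model checks, the agent always overwriting the header and WLS accepting it only from the proxy addresses, are the ones to verify in a deployment like slide 31, for example by making sure the WLS port is not reachable except from the reverse proxies.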
  32. Integrate Cloud Applications
  33. OpenAM as SAML IdP
     • PLUS Retail & cloud applications: MS .NET (fedlet), LAMP (SimpleSAMLphp), MS Azure (ADFS)
     • Custom SAML attribute mapper using JDBC <-> Oracle RDBMS
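Slide 33 mentions a custom SAML attribute mapper that pulls attributes from the Oracle RDBMS over JDBC. The sketch below, an added illustration and not OpenAM's attribute-mapper SPI or AXI's plugin, does the same two things in Python with sqlite3 standing in for the JDBC/Oracle link: look the authenticated principal up with a bound parameter, then emit a SAML 2.0 AttributeStatement through an XML serialiser. The `employee` table and the attribute names `storeId`, `role` and `mail` are constructed.

```python
"""Sketch of the "custom SAML attribute mapper using JDBC <-> Oracle RDBMS" from
slide 33, re-done in Python with sqlite3 standing in for the JDBC/Oracle link.
Added illustration, not OpenAM's attribute-mapper SPI or AXI's plugin: the table,
column and SAML attribute names are constructed."""
import sqlite3
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)


def open_store():
    """Constructed in-memory table standing in for the retail user database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE employee (login TEXT PRIMARY KEY, store_id TEXT, "
               "role TEXT, email TEXT)")
    db.executemany("INSERT INTO employee VALUES (?, ?, ?, ?)", [
        ("kurt", "0042", "manager", "kurt@example.org"),
        ("anna", "0017", "cashier", "anna@example.org"),
    ])
    return db


def map_attributes(db, login):
    """Look the authenticated principal up with a bound parameter (never SQL built
    from the login string) and return SAML attribute name -> list of values.
    Unknown principals get no attributes rather than an error."""
    row = db.execute("SELECT store_id, role, email FROM employee WHERE login = ?",
                     (login,)).fetchone()
    if row is None:
        return {}
    store_id, role, email = row
    return {"storeId": [store_id], "role": [role], "mail": [email]}


def attribute_statement(attrs):
    """Render the mapping as a SAML 2.0 AttributeStatement element (string).
    Values go through the XML serialiser, so they are escaped, not concatenated."""
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    for name, values in sorted(attrs.items()):
        attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", Name=name)
        for value in values:
            ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = value
    return ET.tostring(stmt, encoding="unicode")


def build_statement(login):
    """End-to-end: open the store, map the principal, emit the statement."""
    db = open_store()
    try:
        return attribute_statement(map_attributes(db, login))
    finally:
        db.close()
```

In OpenAM the mapper would receive the already-authenticated session and run inside the IdP, so the login passed to `map_attributes` is the identity OpenAM established, never a value taken from the SP's request; the bound parameter and the serialised XML keep database contents and attribute values from being interpreted as query or markup.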
  34. OpenAM as SAML IdP
     • At this point… users logged on to legacy Oracle applications (policy agents on the internal app servers) can seamlessly log on to new cloud based apps using SSO!!!
     Diagram: internal app servers with policy agents -> OpenAM cluster as SAML Identity Provider (IdP), https://idp.axi.nl -> AXI SAML based SSO -> external app servers, each a SAML SP
  35. In conclusion
     • Open solution for PLUS providing extreme flexibility
     • Hooks: custom SAML attribute mapper, custom auth modules
     • Bridging between legacy and new Oracle applications, and between internal and cloud based applications
  36. (no text on slide)
