Under the Hood 11g Identity Management

Oracle Identity Management presentation for 2010 Conference presented by Peter McLarty, looks at installation issues, planning and design, overall view of 11g Identity Management, more detailed look at installation and configuration of the Oracle Internet Directory.



  • Oidmon Ors
  • Why Server chain?

Under the Hood 11g Identity Management - Presentation Transcript

  • 11g Identity Management - Peter McLarty, Pacific DBMS Pty Ltd, 17th August 2010 - The most comprehensive Oracle applications & technology content under one roof
  • Feeling stressed?
  • Introduction
    • What are we here for?
    • Shared Identity
    • Cloud Security
    • Single Sign On (Single Point of truth)
  • Lots of products
    • Identity Manager
    • Access Manager
    • Identity Analytics
    • Directory Services Plus
    • Identity Federation
  • Why do we need it?
    • Compliance
    • Security
    • Cost management (Consolidation)
  • How is it useful
    • Access Controls
    • Policy Management
    • Audit Support
  • Controls
    • Roles
    • Fine grain access controls
    • Tracking of events – logon - logoff
  • Oracle Directory Services
    • Oracle Virtual Directory
    • Oracle Internet Directory
    • Oracle Directory Server
  • Oracle Internet Directory & Oracle Directory Server
  • What's OID?
    • LDAP Service
    • Database Location Service
    • Data Store used by other Identity Services
  • Architecture
    • Database
    • OIDMON
    • ODS
    • ODRS
  • LDAP Server Instance
    • Server Processes
    • Dispatcher Services
    • Tuning Required
    • Default Ports
      • 3060 Non SSL
      • 3131 SSL
  • Metadata
    • Uses a cache which is built at startup
    • Directory schema - what is stored
    • Control of who accesses what – ACPs (access control policies)
    • Root DSE - Stores information about the server itself
  • Metadata
    • Privilege Groups - Used for Access Control Policies
    • Contains entries for hosted businesses, password verification, password policy and others
  • DIT: What is a DIT? Can I have more DITs?
  • Search Process 1
    • Client connects SSL or non SSL with LDAP protocol
    • Type of user can be known or anonymous
    • Filters can be put in place to limit search
    • User authenticated, bind made, ACL checked
  • Search Process 2
    • The LDAP search request is converted to OCI calls that query the database
    • The database retrieves the data and passes it back via OCI to the LDAP server
    • The query result is sent back to the client
  • Server Chaining: What is it? Why do we want to use it?
  • Server Chaining 2
    • Server chaining supports the following operations:
      • Bind
      • Compare
      • Modify
      • Search
  • Creating a Server Chaining Entry
    • Command line or Directory Services Manager - create an LDIF file
    • Target container in OID for the chained entries, e.g. for Active Directory:
      dn: cn=AD,cn=users,dc=pacificdbms,dc=com,dc=au
      cn: AD
      objectclass: orclcontainer
      objectclass: top
  • Connection to Sun iPlanet
    • dn: cn=oidsciplanet,cn=OID Server Chaining,cn=subconfigsubentry
      orclOIDSCExtHost: sunone.example.com
      orclOIDSCExtPort: 10389
      orclOIDSCExtDN: cn=directory manager
      orclOIDSCExtPassword: ********
      orclOIDSCExtUserContainer: ou=people,dc=example,dc=com
      orclOIDSCExtGroupContainer: ou=groups,dc=example,dc=com
      orclOIDSCTargetUserContainer: cn=iPlanet,cn=users,dc=oracle,dc=com
      orclOIDSCTargetGroupContainer: cn=iPlanet,cn=groups,dc=oracle,dc=com
      orclOIDSCExtSearchEnabled: 1
      orclOIDSCExtModifyEnabled: 1
      orclOIDSCExtAuthEnabled: 1
      orclOIDSCSSLEnabled: 1
      orclOIDSCExtSSLPort: 10636
      orclOIDSCWalletLocation: /ipwallet/ewallet.p12
      orclOIDSCWalletPassword: ********
  • Debugging Server Chaining
    • Create an LDIF file:
      dn: cn=oidscad,cn=oid server chaining,cn=subconfigsubentry
      changetype: modify
      replace: orcloidscDebugEnabled
      orcloidscDebugEnabled: 1
    • Execute:
      $ORACLE_HOME/bin/ldapmodify -h host -p port -D cn=orcladmin -q -f file
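The two slides above (the chaining entry and the ldapmodify step) as an added example, not code from the presentation: a POSIX sh script that generates the target-container LDIF and the cn=oidsciplanet chaining LDIF from the values on the slides, runs a pre-flight check on the file, and applies it with Oracle's ldapmodify as cn=orcladmin. Hostnames, ports, DNs, passwords and the wallet path are placeholders modelled on the slides; the orclOIDSC* attribute names and the cn=oidsciplanet entry are OID 11g's own server-chaining configuration; the check function is this example's idea, not an OID tool.

```shell
# Added example (not from the presentation). POSIX sh; needs printf, awk, chmod,
# rm. Oracle's ldapmodify is used only if $ORACLE_HOME/bin/ldapmodify exists, so
# the script also runs where no OID is installed. All host names, DNs, ports,
# passwords and the wallet path below are placeholder assumptions.

# One "replace" clause of an LDIF modify record.
ldif_replace() {   # $1 attribute, $2 value
  printf 'replace: %s\n%s: %s\n-\n' "$1" "$1" "$2"
}

# LDIF that creates the OID-side containers chained users/groups appear under
# (the slide creates cn=AD,cn=users,... for Active Directory the same way).
make_target_containers_ldif() {   # $1 OID base DN, $2 container name
  for parent in users groups; do
    printf 'dn: cn=%s,cn=%s,%s\ncn: %s\nobjectclass: orclcontainer\nobjectclass: top\n\n' \
      "$2" "$parent" "$1" "$2"
  done
}

# LDIF that points the pre-existing cn=oidsciplanet chaining entry at an external
# Sun/iPlanet directory. SSL is always switched on here: a chained bind forwards
# the user's password to the external directory.
make_chaining_ldif() {
  # $1 ext host   $2 ext LDAP port   $3 ext SSL port   $4 ext bind DN   $5 its password
  # $6 ext user container   $7 ext group container
  # $8 OID target user container   $9 OID target group container
  # ${10} wallet (PKCS#12) trusting the external server   ${11} wallet password
  printf 'dn: cn=oidsciplanet,cn=OID Server Chaining,cn=subconfigsubentry\nchangetype: modify\n'
  ldif_replace orclOIDSCExtHost "$1"
  ldif_replace orclOIDSCExtPort "$2"
  ldif_replace orclOIDSCExtDN "$4"
  ldif_replace orclOIDSCExtPassword "$5"
  ldif_replace orclOIDSCExtUserContainer "$6"
  ldif_replace orclOIDSCExtGroupContainer "$7"
  ldif_replace orclOIDSCTargetUserContainer "$8"
  ldif_replace orclOIDSCTargetGroupContainer "$9"
  ldif_replace orclOIDSCExtSearchEnabled 1
  ldif_replace orclOIDSCExtModifyEnabled 1
  ldif_replace orclOIDSCExtAuthEnabled 1
  ldif_replace orclOIDSCSSLEnabled 1
  ldif_replace orclOIDSCExtSSLPort "$3"
  ldif_replace orclOIDSCWalletLocation "${10}"
  ldif_replace orclOIDSCWalletPassword "${11}"
}

# Pre-flight check of a chaining LDIF (generated or hand-written). Returns 0 if it
# is safe to apply; otherwise prints the reasons to stderr and returns 1.
check_chaining_ldif() {   # $1 LDIF file
  awk '
    /^orclOIDSCSSLEnabled:/     { ssl = $2 }
    /^orclOIDSCExtSSLPort:/     { sslport = $2 }
    /^orclOIDSCWalletLocation:/ { wallet = $2 }
    /^orclOIDSCExtDN:/          { dn = tolower(substr($0, index($0, ":") + 2)) }
    /^orclOIDSC(Ext|Wallet)Password:/ && $2 ~ /^\*+$/ {
      bad = bad "placeholder password still in " $1 "\n"
    }
    END {
      if (ssl != 1) {
        bad = bad "orclOIDSCSSLEnabled is not 1: binds to the external directory would be in clear\n"
      } else if (sslport == "" || wallet == "") {
        bad = bad "SSL enabled but orclOIDSCExtSSLPort or orclOIDSCWalletLocation missing\n"
      }
      if (dn ~ /directory manager|cn=administrator/)
        print "warning: chaining binds as an external super-user; prefer a least-privilege proxy DN" > "/dev/stderr"
      if (bad != "") { printf "%s", bad > "/dev/stderr"; exit 1 }
    }' "$1"
}

# Lock the file down (it carries two passwords), check it, then apply it with
# Oracle's ldapmodify as cn=orcladmin (-q prompts for the password). Use the OID
# SSL port or run this on the OID host itself: the LDIF contents cross the wire.
apply_chaining_ldif() {   # $1 OID host, $2 OID port, $3 LDIF file
  chmod 600 "$3"
  check_chaining_ldif "$3" || { echo "refusing to apply $3" >&2; return 1; }
  ldapmodify_bin="${ORACLE_HOME:-/nonexistent}/bin/ldapmodify"
  if [ -x "$ldapmodify_bin" ]; then
    "$ldapmodify_bin" -h "$1" -p "$2" -D cn=orcladmin -q -f "$3"
  else
    echo "no $ldapmodify_bin; LDIF left in $3 for review" >&2
  fi
}

# Demo on constructed values (no directory is contacted): sh this.sh demo
demo() {
  dir=$(mktemp -d) && chmod 700 "$dir"
  make_target_containers_ldif "dc=oracle,dc=com" iPlanet > "$dir/containers.ldif"
  make_chaining_ldif sunone.example.com 10389 10636 "cn=directory manager" 'S3cret' \
    "ou=people,dc=example,dc=com" "ou=groups,dc=example,dc=com" \
    "cn=iPlanet,cn=users,dc=oracle,dc=com" "cn=iPlanet,cn=groups,dc=oracle,dc=com" \
    /ipwallet/ewallet.p12 'W4lletPw' > "$dir/chain.ldif"
  cat "$dir/containers.ldif" "$dir/chain.ldif"
  if apply_chaining_ldif oidhost.example.com 3131 "$dir/chain.ldif"; then rc=0; else rc=1; fi
  rm -rf "$dir"
  return $rc
}
if [ "${1:-}" = demo ]; then demo; fi
```

Two things the check is there to catch: a chaining entry with orclOIDSCSSLEnabled left at 0 means every chained bind sends the user's password to the external directory in clear, and cn=directory manager on the slide is the external directory's super-user, where a proxy account that can only read the user and group containers is enough. The generated file holds both that password and the wallet password, hence the chmod 600 and the deletion once it has been applied.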
  • Designing your implementation
    • Do Not use clustered hosts - too many issues
    • If you have the skills use Linux on VM's 
    • Scatter installations across your environment
    • Use Replication
    • If you have load balancers use them
  • Installation
    • Using default settings the server needs 6GB or greater
    • Can do small memory with altered Java VM settings
    • Need to understand 11g path conventions
  • Install Notes
    • Metalink Note 858748.1 Getting Started FAQ
  • Configuration
    • After installing the software configure the instance – config.sh
    • Save configuration before running configuration step at the end
  • Small memory config
    • Metalink note 865166.1
    • -Xrs -XX:MaxPermSize=192m in Admin Console – Server Configuration
  • Replication: it's important. What model? Fan out, multimaster, single master? Not guaranteed to be consistent - data can differ between nodes
  • Single Master
    • One master all others read only
  • Multimaster
    • All Nodes can update all other nodes
  • Fan Out
    • It's a hybrid of the two
  • LDAP Replication: full or partial; peer to peer, one way, two way; multimaster, single master, fan out
  • LDAP Replication
  • Advanced Replication (Database)
    • Full replication
    • Peer to peer
    • Multimaster 
    • Single by changing all but one to read only
    • Uses the database to do the replication 
    • Uses command line tools to configure this
  • remtool
    • Use it for configuring the advanced replication 
    • Modify or reset replication Bind DN password
    • Displaying various errors and status information for change log propagation
    • Convert advanced replication to LDAP replication
  • Setting up Replica - Command Line
    • Copy database for new instance; not recommended
    • Bootstrapping is the better option
  • What is bootstrapping?
    • Supplier Node and Replica Node
    • Use remtool to copy metadata from supplier to replica
    • Set up the replication with the Replication wizard
  • Replica Using Replication Wizard
    • Fusion Middleware Control
    • Access Manage Replication
    • Select Replication type
    • Follow remaining steps – Oracle Docs
  • Bootstrapping issues
    • Supplier and replica cannot both be in bootstrap mode; orclreplicastate=1 means normal (online) operation
    • A number of problems in My Oracle Support for bootstrap
  • Fusion Middleware and Managing OID
    • Cannot do if not part of  a WLS domain
    • Fusion Middleware Control uses SSL
    • Port configured none or server authentication
    • To connect, use http://host:port/odsm
  • Command Line
    • Domain Home to manage the Admin Server
    • Instance Home to manage the OID Server
    • opmnctl to control the OID server
    • /oracle/Middleware/IDMinst_1/bin/opmnctl
  • ods_process_status
    • OIDMON polls this table to check the state of the system
    • Can be used by other scripts to monitor OID
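An added example of the monitoring idea on this slide and the opmnctl slide before it, not code from the presentation: a POSIX sh check an external monitor (cron, Nagios) can call, which parses `opmnctl status` from the instance home instead of querying the ods_process_status table. The instance path and the oid1 component name are assumptions modelled on the slide's /oracle/Middleware/IDMinst_1 example, and SAMPLE_STATUS is constructed opmnctl output so the parser can be exercised offline.

```shell
# Added example (not from the presentation). POSIX sh + awk.
# Instance path is an assumption taken from the slide's example install.
OPMNCTL=${OPMNCTL:-/oracle/Middleware/IDMinst_1/bin/opmnctl}

# Constructed sample of `opmnctl status` output with the monitor process down.
SAMPLE_STATUS='Processes in Instance: IDMinst_1
---------------------------------+--------------------+---------+---------
ias-component                    | process-type       |     pid | status
---------------------------------+--------------------+---------+---------
oid1                             | oidldapd           |   12346 | Alive
oid1                             | oidmon             |   12340 | Down
EMAGENT                          | EMAGENT            |   12333 | Alive'

# Read opmnctl status on stdin. Prints "component process pid status" for every
# OID process (oidmon, oidldapd, oidrepld); returns 1 if any of them is not Alive
# or if no oidldapd line was seen at all (nothing would answer on 3060/3131).
oid_status_check() {
  awk -F'|' '
    $2 ~ /oid(mon|ldapd|repld)/ {
      for (i = 1; i <= 4; i++) gsub(/^ +| +$/, "", $i)
      print $1, $2, $3, $4
      if ($2 == "oidldapd") seen_ldap++
      if ($4 != "Alive") bad++
    }
    END { if (bad > 0 || seen_ldap == 0) exit 1; exit 0 }'
}

# Live check against the running instance. Exit codes follow the usual monitor
# convention: 0 OK, 2 CRITICAL, 3 UNKNOWN (opmnctl not found on this host).
oid_status_live() {
  if [ ! -x "$OPMNCTL" ]; then echo "UNKNOWN: $OPMNCTL not found" >&2; return 3; fi
  if out=$("$OPMNCTL" status | oid_status_check); then
    echo "OK: OID processes alive"; echo "$out"; return 0
  else
    echo "CRITICAL: OID process missing or not Alive"; echo "$out"; return 2
  fi
}

# Offline exercise of the parser on the constructed sample (returns 1: oidmon is Down).
oid_status_sample() {
  printf '%s\n' "$SAMPLE_STATUS" | oid_status_check
}

if [ "${1:-}" = live ]; then oid_status_live; fi
```

Treat a missing oidldapd line as critical rather than as "nothing to report": an instance where OIDMON is alive but the LDAP server never came up looks healthy to a check that only counts failures.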
  • WLST
    • Weblogic Scripting Tool
    • Jython based
    • Used for many things
    • Can script many tasks
  • Weblogic Server Version
    • The following might be useful when installing new product to an existing server
    • cat registry.xml | grep version
  • Questions
    • [email_address]
    • http://www.pacificdbms.com.au
  • Tell us what you think…
    • http://feedback.insync10.com.au