Under the Hood 11g Identity Management

11g Identity Management Peter McLarty Pacific DBMS Pty Ltd 17 th August 2010 The most comprehensive Oracle applications & technology content under one roof

Feeling stressed?

Introduction
What are we here for?
Shared Identity
Cloud Security
Single Sign On (Single Point of truth)

Lots of products
Identity Manager
Access Manager
Identity Analytics
Directory Services Plus
Identity Federation

Why do we need it?
Compliance
Security
Cost management (Consolidation)

How is it useful
Access Controls
Policy Management
Audit Support

Controls
Roles
Fine grain access controls
Tracking of events – logon - logoff

Oracle Directory Services
Oracle Virtual Directory
Oracle Internet Directory
Oracle Directory Server

Oracle Internet Directory & Oracle Directory Server

What's OID?
LDAP Service
Database Location Service
Data Store used by other Identity Services

Architecture
Database
OIDMON
ODS
ODRS

LDAP Server Instance
Server Processes
Dispatcher Services
Tuning Required
Default Ports
3060 Non SSL
3131 SSL

Metadata
Uses a cache which is built at startup
Directory schema - what is stored
Control of who access what – ACP
Root DSE - Stores information about the server itself

Metadata
Privilege Groups - Used for Access Control Policies
Contains entries for hosted businesses,password verification,password policy and others

DIT What is a DIT? Can I have more DIT's?

Search Process 1
Client connects SSL or non SSL with LDAP protocol
Type of user can be known or anonymous
Filters can be put in place to limit search
User authenticated, bind made, ACL checked

Search Process 2
LDAP search request is converted to OCI language to interrogate the database
Database retrieves data; passes it back via OCI to the LDAP server
Query result sent back to the database

Server Chaining What is it? Why do we want to use it?

Server Chaining 2
Server chaining supports the following operations:
Bind
Compare
Modify
Search

Creating a Server Chaining Entry
Command Line or Directory Services Manager - Create LDIF file
dn: cn=AD,cn=users,dc=pacificdbms,dc=com,dc=au cn: AD objectclass: orclcontainer objectclass: top

Connection to Sun IPlanet cn=oidsciplanet,cn=OID Server Chaining,cn=subconfigsubentry orclOIDSCExtHost: sunone.example.com orclOIDSCExtPort: 10389 orclOIDSCExtDN: cn=directory manager orclOIDSCExtPassword: ********

Connection to Sun IPlanet orclOIDSCExtUserContainer: ou=people,dc=example,dc=com orclOIDSCExtGroupContainer: ou=groups,dc=example,dc=com orclOIDSCTargetUserContainer: cn=iPlanet,cn=users,dc=oracle,dc=com orclOIDSCTargetGroupContainer: cn=iPlanet,cn=groups,dc=oracle,dc=com

Connection to Sun IPlanet orclOIDSCExtSearchEnabled: 1 orclOIDSCExtModifyEnabled: 1 orclOIDSCExtAuthEnabled: 1 orclOIDSCSSLEnabled: 1 orclOIDSCExtSSLPort: 10636 orclOIDSCWalletLocation: /ipwallet/ewallet.p12 orclOIDSCWalletPassword: ********

Debugging Server Chaining
Create an LDIF
filedn: cn=oidscad,cn=oid server chaining,cn=subconfigsubentry changetype: modify replace: orcloidscDebugEnabled orcloidscDebugEnabled: 1Execute
$ORACLE_HOME/bin/ldapmodify -h host -p port -D cn=orcladmin -q -f file

Designing your implementation
Do Not use clustered hosts - too many issues
If you have the skills use Linux on VM's
Scatter installations across your environment
Use Replication
If you have load balancers use them

Installation
Using default settings the server needs 6GB or greater
Can do small memory with altered Java VM settings
Need to understand 11g path conventions

Install Notes
Metalink Note 858748.1 Getting Started FAQ

Configuration
After installing the software configure the instance – config.sh
Save configuration before running configuration step at the end

Small memory config
Metalink note 865166.1
-Xrs -XX:MaxPermSize=192m in Admin Console – Server Configuration

Replication Its Important What model? Fan Out, Multimaster, Single Master? Not guaranteed to be consistent- data different on different nodes

Single Master
One master all others read only

Multimaster
All Nodes can update all other nodes

Fan Out
Its a hybrid

LDAP Replication Full or Partial Peer to peer, One Way, Two Way Multimaster, Single Master, Fan Out

LDAP Replication

Advanced Replication (Database)
Full replication
Peer to peer
Multimaster
Single by changing all but one to read only
Uses the database to do the replication
Uses command line tools to configure this

remtool
Use it for configuring the advanced replication
Modify or reset replication Bind DN password
Displaying various errors and status information for change log propagation
Convert advanced replication to LDAP replication

Setting up Replica - Command Line
Copy database for new instance; not recommended
Bootstrapping is the better option

What is bootstrapping?
Supplier Node and Replica Node
Use remtool to copy metadata from supplier to replica
Set up the replication with the Replication wizard

Replica Using Replication Wizard
Fusion Middleware Control
Access Manage Replication
Select Replication type
Follow remaining steps – Oracle Docs

Bootstrapping issues
Cannot have replica and supplier system in bootstrap mode (orclreplicastate=1) = Normal Operation
A number of problems in My Oracle Support for bootstrap

Fusion Middleware and Managing OID
Cannot do if not part of a WLS domain
Fusion Middleware Control uses SSL
Port configured none or server authentication
To connect use http://host:port/odsm

Command Line
Domain Home to manage the Admin Server
Instance Home to manage the OID Server
opmnctl to control the OID server
/oracle/Middleware/IDMinst_1/bin/opmnctl

ods_process_status
Oidmon polls table to check system
Can be used by other scripts to monitor OID

WLST
Weblogic Scripting Tool
Jython based
Used for many things
Can script many tasks

Weblogic Server Version
The following might be useful when installing new product to an existing server
cat registry.xml | grep version

Questions
[email_address]
http://www.pacificdbms.com.au

Tell us what you think…
http://feedback.insync10.com.au

Under the Hood 11g Identity Management

by InSync Conference

Accessibility

Categories

Upload Details

Usage Rights

Statistics