Using OpenAM in an Oracle environment
OpenAM can be a valid alternative in an Oracle stack. It can tie together Oracle 9i/10g OSSO-based midtiers with newer 11g WLS Fusion application tiers, and even SAML-based authentication.

Statistics: 5,647 views (5,558 on SlideShare, 89 embedded), 3 likes, 206 downloads, 1 comment.
Uploaded as Microsoft PowerPoint. Usage rights: © All Rights Reserved.
Presentation Transcript

  • ITStrategic
  • BIO
    - Who am I: Kurt Van Meerbeeck
    - Engineer in electronics
    - Working with Java since 1996 (jdk 1.0.2)
    - Working with Oracle products since 1997 (Oracle 7.3.x, OAS 3.0)
    - Currently working for AXI NV/BV, an Oracle Partner in the Benelux area (www.axi.be / www.axi.nl): Oracle rdbms/ias
    - Author of DUDE, a Data Unloader tool (www.ora600.be)
    - Member of the Oaktable Network (www.oaktable.net)
  • A little bit of history
    - Internet Application Server 9i
    - Internet Application Server 10g
    - Fusion Middleware 11g / WLS
  • ORACLE IAS 10g: Oracle AS components, middle tiers
    - OHS: apache 1.3, mod_oc4j, mod_plsql, mod_rewrite, mod_osso, ...
    - Webcache
    - J2EE
    - Forms, Reports, Disco
    - Portal
  • ORACLE IAS 10g: Oracle AS components, infrastructure
    - OHS: apache 1.3, mod_oc4j, mod_plsql, mod_rewrite, mod_osso, ...
    - OID (LDAP)
    - J2EE
    - SSO server
    - OCA
    - Rdbms: portal, sso, oca and other configuration & meta data
  • OSSO Workflow: not yet authenticated (diagram: the MID.axi.be midtier runs apache with mod_osso, mod_oc4j, mod_plsql and J2EE; the INFRA.axi.be infrastructure runs apache with mod_osso, mod_oc4j, mod_plsql, J2EE, oc4j_security, oca, OID (LDAP) and the IASDB)
    - Apache virtual host http://my.company.com: make it a SSO partner app and register it
      • ptlconfig for Portal
      • ossoreg.jar for mod_osso
      • mod_osso.conf:
        <Location /app>
          require valid-user
          AuthType basic
        </Location>
      • virtual host:
        NameVirtualHost *:80
        <VirtualHost *:80>
          ServerName my.company.com
          Port 80
          # Include the configuration files needed for mod_osso
          OssoConfigFile /OH/my_comp_osso.conf
        </VirtualHost>
    - Step 1, partner (mod_osso): partner cookie available? No: redirect to infra.axi.be/pls/orasso/orasso.wwsso_app_admin.ls_login?Site2pstoreToken=<y>
    - Step 2, SSO server: SSO cookie? No: generate a redirect to the logon page http://infra.axi.be/sso/jsp/login.jsp (configured in $OH/sso/policy.properties)
    - Step 3, SSO server: HTTP POST from the login page with username, password and site-token (sitetoken); check the credentials in LDAP/OID; if OK, generate the SSO cookie (SSO_ID) and a redirect to http://my.company.com/osso_login_success?urlc=<sitetoken>
    - Step 4, partner (mod_osso): generate the partner cookie and a redirect to the original URL
    - Important for integration: custom plugins by subclassing the OSSO server. SSOServerAuth implements IPASAuthInterface; SSOX509CertAuth and SSOKerbeAuth extend SSOServerAuth, and a custom auth plugin can do the same
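The workflow slides above describe the redirect dance between a mod_osso partner application and the Oracle SSO server without showing both sides' messages in one place. The simulation below is an added example written for this page; it is not Oracle's code and not from the presentation. MID.axi.be and INFRA.axi.be are modelled as two Python objects that exchange the redirect URLs and cookies the slides name. Hostnames and paths come from the slides; the in-memory user store standing in for OID, the token formats, and the HMAC binding of the urlc value to a secret issued at ossoreg.jar registration are assumptions made so the simulation runs offline (the real urlc format is Oracle-specific and not shown on the slides).

```python
# Added example: simulation of the OSSO partner-app login dance (not Oracle code).
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

USERS = {"kurt": "s3cret"}  # constructed stand-in for the OID/LDAP user store


class SSOServer:
    """INFRA.axi.be: the Oracle SSO server side of the exchange."""
    BASE = "http://infra.axi.be"

    def __init__(self):
        self.partners = {}  # site id -> shared secret (the ossoreg.jar step, assumed)
        self.sessions = {}  # SSO_ID cookie value -> username
        self.pending = {}   # Site2pstoreToken -> (site id, original URL)

    def new_site2pstore_token(self, site_id, original_url):
        token = secrets.token_urlsafe(16)
        self.pending[token] = (site_id, original_url)
        return token

    def ls_login(self, site2pstore_token, sso_cookie=None):
        """orasso.wwsso_app_admin.ls_login, entered via the partner redirect."""
        if site2pstore_token not in self.pending:
            raise ValueError("unknown Site2pstoreToken")
        if sso_cookie in self.sessions:  # SSO cookie present: skip the login page
            return self._success(site2pstore_token, self.sessions[sso_cookie], sso_cookie)
        query = urlencode({"site2pstoretoken": site2pstore_token})
        return {"redirect": f"{self.BASE}/sso/jsp/login.jsp?{query}"}

    def login_post(self, username, password, site2pstore_token):
        """HTTP POST from login.jsp: username, password and the site token."""
        if USERS.get(username) != password:  # 'check credentials in LDAP/OID'
            return {"error": "invalid credentials"}
        sso_id = secrets.token_urlsafe(24)  # SSO_ID cookie, scoped to infra.axi.be
        self.sessions[sso_id] = username
        return self._success(site2pstore_token, username, sso_id)

    def _success(self, token, username, sso_id):
        """osso_login_success redirect; urlc is bound to the partner secret (assumed)."""
        site_id, original_url = self.pending.pop(token)
        payload = f"{username}|{original_url}"
        mac = hmac.new(self.partners[site_id], payload.encode(), hashlib.sha256).hexdigest()
        urlc = base64.urlsafe_b64encode(f"{payload}|{mac}".encode()).decode()
        return {"set_cookie": ("SSO_ID", sso_id),
                "redirect": f"http://{site_id}/osso_login_success?{urlencode({'urlc': urlc})}"}


class PartnerApp:
    """MID.axi.be: an Apache virtual host protected by mod_osso."""

    def __init__(self, site_id, sso):
        self.site_id, self.sso = site_id, sso
        self.secret = sso.partners[site_id] = secrets.token_bytes(32)  # ossoreg.jar registration
        self.partner_sessions = {}  # partner cookie value -> username

    def request(self, url, partner_cookie=None):
        """<Location /app> require valid-user: partner cookie, else redirect to SSO."""
        if partner_cookie in self.partner_sessions:
            return {"ok": self.partner_sessions[partner_cookie]}
        query = urlencode({"Site2pstoreToken": self.sso.new_site2pstore_token(self.site_id, url)})
        return {"redirect": f"{SSOServer.BASE}/pls/orasso/orasso.wwsso_app_admin.ls_login?{query}"}

    def osso_login_success(self, url):
        """Verify urlc against the registration secret, then set the partner cookie."""
        urlc = parse_qs(urlparse(url).query)["urlc"][0]
        payload, mac = base64.urlsafe_b64decode(urlc).decode().rsplit("|", 1)
        expected = hmac.new(self.secret, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return {"error": "urlc MAC mismatch"}
        username, original_url = payload.split("|", 1)
        cookie = secrets.token_urlsafe(16)
        self.partner_sessions[cookie] = username
        return {"set_cookie": (self.site_id, cookie), "redirect": original_url}


def run_flow(username="kurt", password="s3cret"):
    """Drive one browser through the dance for two partner apps; return the hops."""
    sso = SSOServer()
    app, portal = PartnerApp("my.company.com", sso), PartnerApp("portal.company.com", sso)
    r1 = app.request("http://my.company.com/app/page1")   # no partner cookie yet
    token = parse_qs(urlparse(r1["redirect"]).query)["Site2pstoreToken"][0]
    r2 = sso.ls_login(token)                                # no SSO cookie yet
    r3 = sso.login_post(username, password, token)          # POST from login.jsp
    hops = [("partner", r1["redirect"]), ("sso", r2["redirect"])]
    if "error" in r3:
        return hops + [("sso", r3["error"])]
    r4 = app.osso_login_success(r3["redirect"])             # partner cookie is set
    r5 = app.request(r4["redirect"], partner_cookie=r4["set_cookie"][1])
    # Second partner app: the SSO_ID cookie means no login page this time.
    r6 = portal.request("http://portal.company.com/home")
    token2 = parse_qs(urlparse(r6["redirect"]).query)["Site2pstoreToken"][0]
    r7 = sso.ls_login(token2, sso_cookie=r3["set_cookie"][1])
    r8 = portal.osso_login_success(r7["redirect"])
    return hops + [("sso", r3["redirect"]), ("partner", r4["redirect"]), ("partner", f"200 as {r5['ok']}"),
                   ("partner", f"{r8['redirect']} as {portal.partner_sessions[r8['set_cookie'][1]]}")]
```

Two things to notice when reading the hops returned by `run_flow()`: the second partner app never sees login.jsp because the SSO_ID cookie on infra.axi.be already exists, and the partner verifies urlc against its registration secret instead of trusting it, since a partner that accepted any `osso_login_success` redirect could be logged in by anyone. The credential check in `login_post` is the step a custom IPASAuthInterface plugin replaces, which is the hook the later OSSO integration slides use.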
  • ORACLE 11g FUSION / WEBLOGIC: the problem
    - No infrastructure tier
    - No SSO/OID/WNA
  • ORACLE 11g FUSION / WEBLOGIC
    - Premier Support for Oracle Single Sign-On 10gR3 ends on December 31, 2011
    - Limited Extended Support for Oracle Single Sign-On from January 2012 through December 2012
    - "It is strongly recommended that you use this additional time to integrate your single sign-on deployment with Oracle Access Manager"
  • ORACLE 11g FUSION / WEBLOGIC: extra licenses and servers
    - Oracle Access Manager
    - Oracle Weblogic Server
    - Directory Services Plus
  • Introducing OpenAM
    - Open Source alternative: OpenAM (ForgeRock)
    - Based on Sun's OpenSSO, open sourced before the Oracle acquisition; most of the OpenSSO team quit and started ForgeRock
    - Makes use of OpenDJ (based on Sun's OpenDS) for the data store
  • Concept: for most access managers the concept is the same
    - Access Manager server / ID store (LDAP) / Web Agent / App Server:
      OSSO:   SSO Server / OID / mod_osso / Apache 1.3, OC4J
      OpenAM: OpenAM / OpenDJ / Policy Agent / supported web or J2EE container
    - So the work is mostly the same (complex)
    - But not the license costs!
    - And the platform support and features!
  • OpenAM product support
    - OpenAM server runs on: Apache Tomcat 6.x / 7.x; GlassFish v2; JBoss Enterprise Application Platform 4.x, 5.x; JBoss Application Server 7.x; Jetty 7; Oracle WLS 11g; Oracle WLS 12c
    - OpenAM policy agents: Apache 2.0, 2.2, 2.4; MS IIS 6, 7; GlassFish v2, v3; Jetty 6.1, v7; Tomcat v6; WebSphere v6.1; Weblogic v10
  • OpenAM authentication: out-of-the-box modules
    - Active Directory, Adaptive Risk, Certificate, HTTP Basic, HMAC OTP, JDBC (example database table), LDAP, OATH (HOTP/TOTP, RFC 4226/6238), OAuth 2.0, RADIUS, SecurID, Windows Desktop SSO, WSS, ...
    - Federation (SAML, SAMLv2, WS-Fed 1.1)
    - Custom auth plugins
  • OpenAM authorization
    - Policy engine with conditions on identity membership, LDAP filter, time, resource/location/IP, ...
    - Custom plugins
    - Entitlements, eXtensible Access Control Markup Language (XACML)
    - OpenAM acts as the policy administration and decision point (PAP/PDP); the policy agents enforce its decisions
  • OpenAM architecture (diagram)
  • Integration
  • Use Case: requirements
    - Integrate with legacy IAS/OSSO: Portal 10g, Forms 10g, OC4J, OBIEE 10g
    - Integrate with Forms 11g (FMW/WLS): a special case, as Forms *needs* OID
    - Integrate with OBIEE 11g (FMW/WLS)
    - Integrate with J2EE apps (FMW/WLS)
    - Integrate apps in the cloud using SAMLv2
  • Use Case: target architecture (diagram)
    - AXI Linux server cluster running OpenAM and OpenDJ on a Tomcat J2EE server, with an LDAP sync to the legacy directory
    - Legacy environment, Oracle 10g Infrastructure: the Oracle SSO server with a custom OSSO plugin for the OSSO-OpenAM integration; the Oracle 10g midtiers (Forms 10g, Portal 10g, J2EE, OBIEE 10g) keep using SSO via the Oracle SSO server
    - New environment, Oracle 11g Weblogic (Forms 11g, J2EE, OBIEE 11g): SSO using OpenAM J2EE policy agents and a custom policy plugin
    - LAMP in the cloud (SAMLv2 Service Provider): SSO using SAMLv2
  • Integration
  • OpenAM HA Server Architecture (diagram)
    - sso.axi.be:80, HTTP load balancer in front of snsrv615:8080 and snsrv616:8080 (OpenAM, master-master replication)
    - ldap.axi.be:389, TCP load balancer in front of snsrv615:1389 and snsrv616:1389 (OpenDJ, master-master replication)
  • OpenAM HA Server Architecture
    - Linux cluster: Keepalived cluster manager, RHEL or Ubuntu based
    - HAProxy loadbalancer: L4 for ldap loadbalancing, L7 for http loadbalancing
    - Apache 2.2 reverse proxy in front of tomcat, for complex solutions (like integrating osso)
    - OpenAM / Tomcat J2EE: session failover, multimaster replication
    - OpenDJ: multimaster replication
  • OpenAM HA Server Architecture (diagram)
    - Active/passive cluster: HAProxy L7 LB and the two Apache 2.2 reverse proxies, with the config synced between the nodes
    - Active/active cluster: the two OpenAM instances with session replication
    - Active/passive cluster: HAProxy L4 LB
    - Active/active cluster: the two OpenDJ instances with multimaster replication
  • Integration OSSO
  • Integration OSSO (diagram)
    - Legacy environment, Oracle 10g Infrastructure: the Oracle SSO server, used for SSO by the Oracle 10g midtiers (Forms 10g, Portal 10g, J2EE, OBIEE 10g)
    - AXI Linux server cluster: OpenAM and OpenDJ on a Tomcat J2EE server, LDAP sync with the legacy directory
    - OSSO-OpenAM integration through a custom OSSO auth plugin: public class OpenAMAuth extends SSOServerAuth (SSOServerAuth implements IPASAuthInterface; the bundled SSOX509CertAuth and SSOKerbeAuth plugins extend it in the same way)
  • Integration Forms 11g
  • Integration Forms 11g: Forms is *SPECIAL*
    - It will check the version of OID in SSO mode!
    - What if you want to get rid of OID???
    - Extra LDAP queries: osso-user-dn, osso-subscriber-dn, RADs (resource access descriptors), the Root DSE attribute orcldirectoryversion
  • Integration Forms 11g: Forms is *SPECIAL*
    - Forms 11g can be plugged into an OID LDAP
    - What if we could mimic OID using OpenDJ?
      1. Recreate the OID LDAP schema in OpenDJ (ldapsearch)
      2. Add orcldirectoryversion to the OpenDJ root DSE
      3. Plug Forms 11g into OpenDJ!!!
  • Integration Forms 11g: Forms is *SPECIAL* but can make use of OpenAM/OpenDJ without OID
    - The extra LDAP queries (osso-user-dn, osso-subscriber-dn, RADs, Root DSE orcldirectoryversion) are then answered by OpenDJ
  • Integration OBIEE 11g
  • Integration OBIEE 11g: OBIEE 11g runs on top of WLS and makes use of Oracle Platform Security Services
    - Switch from the embedded LDAP to OpenDJ (iPlanetAuthenticator)
    - Configure the HTTP header identity asserter (Generic SSO)
    - Configure OpenDJ (OBIEE groups: BIAuthor, BIAdministrators, etc.)
    - Deploy the OpenAM J2EE Policy Agent
    - Modify the OBIEE analytics war to add the J2EE filter (redeploy)
    - Resync the identity GUID attribute with OpenDJ
    - Modify the RPD to use LDAP in initialisation blocks
  • Integration OBIEE 11g (diagram)
    - Request path: Apache reverse proxy with SSL, then the OpenAM J2EE policy agent (J2EE filter) in OBIEE 11g / WLS, then the HTTP header identity asserter (Generic SSO), then the WLS DefaultAuthenticator / iPlanetAuthenticator, then the OPSS ID store, policy store and credential store
    - The policy agent validates the session against OpenAM; the iPlanetAuthenticator and the OPSS ID store read users and groups from OpenDJ (LDAP), replacing OBIEE's embedded LDAP
  • Integration cloud applications
  • Integration cloud applications: OpenAM supports SAMLv2 (and WS-Fed 1.1) and can act as IdP
    - Agentless web SSO
    - Cross-domain / cross-platform / cross-organisation
    - Passive: all communication goes through the user's browser (HTTP POST / redirect bindings)
    - Provide the app (Service Provider) with all needed info through SAML assertions (attributes): displayName, email, application roles & rights
    - Custom attribute mapper using JDBC
  • Integration cloud applications: at this point...
    - Users logged on in Portal 10g or on the internal app servers (behind policy agents) can seamlessly log on to apps in the cloud using SAML!
    - The OpenAM cluster is the SAML Identity Provider (IdP) at https://idp.axi.nl; the external app servers are SAML SPs (AXI SAML-based SSO)
  • What about ...
  • Out of the box mobile app authentication with WS-REST (diagram)
    - https://mobile.axi.be: Apache 2.2 SSL/RP server with mod_security in the AXI public DMZ, in front of a Tomcat J2EE server
    - https://sso.axi.be: Apache 2.2 SSL/RP server in front of OpenAM/OpenDJ (Linux keepalived cluster)
    - (1) Authenticate: /identity/authenticate?username=<uname>&password=<passwd>
    - (2) Response: token.id=AQIC5wM2LY4RfckcedfzxGrgVYevbKR-SgBkuemF4Cmm5Qg.*AAJTSQABMDE.*
    - (3) Validate: /identity/isTokenValid?tokenid=AQIC5wM2LY4RfckcedfzxGrgVYevbKR-SgBkuemF4Cmm5Qg.*AAJTSQABMDE.*
    - (4) Retrieve attributes (is customer?): /identity/attributes?subjectid=AQIC5wM2LY4RfckcedfzxGrgVYevbKR-SgBkuemF4Cmm5Qg.*AAJTSQABMDE.*
    - (5) Logout: /identity/logout?subjectid=AQIC5wM2LY4RfckcedfzxGrgVYevbKR-SgBkuemF4Cmm5Qg.*AAJTSQABMDE.*
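The five REST calls on the slide, as an added example (not from the presentation and not OpenAM's own code): a small client for the legacy OpenAM identity services with the response parsing the slide leaves implicit, plus a constructed stand-in for sso.axi.be so that it runs offline. The endpoint names and the token.id / boolean= / userdetails.* line formats are those of the legacy /identity services; the group DN used to answer "is customer?", the sample user and the sample responses are assumptions. The slide draws step (1) as a GET with the password in the query string; the client posts the form instead, so that neither the password nor the session token is written to the access logs of the two Apache reverse proxies in the path.

```python
# Added example: client for the legacy OpenAM /identity REST services (not OpenAM code).
import urllib.error
import urllib.request
from urllib.parse import urlencode

CUSTOMER_ROLE = "id=customers,ou=group,dc=axi,dc=be"  # assumed group DN behind 'is customer?'


def parse_kv(body):
    """Parse 'key=value' lines (token.id=..., boolean=true) into a dict."""
    return dict(line.strip().split("=", 1) for line in body.splitlines() if "=" in line)


def parse_attributes(body):
    """Parse the userdetails.* response: token id, roles and multi-valued attributes."""
    details, current = {"token.id": None, "roles": [], "attributes": {}}, None
    for line in body.splitlines():
        key, _, value = line.strip().partition("=")
        if key == "userdetails.token.id":
            details["token.id"] = value
        elif key == "userdetails.role":
            details["roles"].append(value)
        elif key == "userdetails.attribute.name":
            current = details["attributes"].setdefault(value, [])
        elif key == "userdetails.attribute.value" and current is not None:
            current.append(value)
    return details


class IdentityClient:
    """Client for https://sso.axi.be/identity/*; `http(url, form)` is injectable."""

    def __init__(self, base_url, http=None):
        self.base, self.http = base_url.rstrip("/"), http or self._post

    @staticmethod
    def _post(url, form):
        req = urllib.request.Request(url, data=urlencode(form).encode(), method="POST")
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status, resp.read().decode()
        except urllib.error.HTTPError as err:
            return err.code, err.read().decode(errors="replace")

    def _call(self, service, **form):
        # Always POST: with the GET form drawn on the slide, the password and the
        # session token end up in the reverse proxy's access log.
        status, body = self.http(f"{self.base}/identity/{service}", form)
        if status != 200:
            raise RuntimeError(f"{service}: HTTP {status}: {body.strip()}")
        return body

    def authenticate(self, username, password):
        return parse_kv(self._call("authenticate", username=username, password=password))["token.id"]

    def is_token_valid(self, token):
        return parse_kv(self._call("isTokenValid", tokenid=token)).get("boolean") == "true"

    def attributes(self, token):
        return parse_attributes(self._call("attributes", subjectid=token))

    def logout(self, token):
        self._call("logout", subjectid=token)


class FakeOpenAM:
    """Constructed stand-in for sso.axi.be so the example runs offline."""
    TOKEN = "AQIC5wM2LY4RfckcedfzxGrgVYevbKR-SgBkuemF4Cmm5Qg.*AAJTSQABMDE.*"
    ATTRS = ("userdetails.token.id={token}\nuserdetails.role=" + CUSTOMER_ROLE + "\n"
             "userdetails.attribute.name=uid\nuserdetails.attribute.value=kurt\n"
             "userdetails.attribute.name=mail\nuserdetails.attribute.value=kurt@axi.be\n")

    def __init__(self):
        self.live = set()  # tokens issued and not yet logged out

    def __call__(self, url, form):
        service = url.rsplit("/identity/", 1)[1]
        if service == "authenticate":
            if (form.get("username"), form.get("password")) != ("kurt", "s3cret"):
                return 401, "Authentication Failed!!"
            self.live.add(self.TOKEN)
            return 200, f"token.id={self.TOKEN}\n"
        token = form.get("tokenid") or form.get("subjectid")
        if service == "isTokenValid":
            return 200, f"boolean={'true' if token in self.live else 'false'}\n"
        if token not in self.live:
            return 401, "Access Denied"
        if service == "logout":
            self.live.discard(token)
            return 200, ""
        return 200, self.ATTRS.format(token=token)  # service == "attributes"


def mobile_flow(client, username, password):
    """Steps (1)-(5) of the slide; returns (is_customer, details) after logging out."""
    token = client.authenticate(username, password)           # (1) + (2)
    if not client.is_token_valid(token):                       # (3)
        raise RuntimeError("freshly issued token rejected")
    details = client.attributes(token)                         # (4)
    client.logout(token)                                       # (5)
    return CUSTOMER_ROLE in details["roles"], details
```

`mobile_flow(IdentityClient("https://sso.axi.be", http=FakeOpenAM()), "kurt", "s3cret")` runs all five steps offline; drop the `http` argument to talk to a real server. The token is a bearer credential: the mobile app must keep it out of URLs and logs, send it only over TLS, and call logout (step 5) rather than let it expire, since every server behind the same OpenAM will accept it until then.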
  • Conclusion
    - Who can benefit from OpenAM
      • Organisations running IAS 9i/10g migrating to 11g WLS
      • Organisations running multiple web-based apps that want to implement SSO
      • Organisations wanting to integrate cloud apps using SAMLv2
      • Organisations wanting to implement WS Security
      • Organisations wanting to migrate from Sun OpenSSO to ForgeRock OpenAM
    - Benefits
      • Proven technology: Sun OpenSSO!
      • Easy to customize (auth plugin, policy plugin, SAML assertion plugin etc.)
      • Pricing
  • 24/7 Q&A