Under the Hood 11g Identity Management

Oracle Identity Management presentation for 2010 Conference presented by Peter McLarty, looks at installation issues, planning and design, overall view of 11g Identity Management, more detailed look at installation and configuration of the Oracle Internet Directory.

11g Identity Management
Peter McLarty, Pacific DBMS Pty Ltd, 17th August 2010
The most comprehensive Oracle applications & technology content under one roof

Feeling stressed?

Introduction
  • What are we here for?
  • Shared identity
  • Cloud security
  • Single sign-on (single point of truth)

Lots of products
  • Identity Manager
  • Access Manager
  • Identity Analytics
  • Directory Services Plus
  • Identity Federation

Why do we need it?
  • Compliance
  • Security
  • Cost management (consolidation)

How is it useful?
  • Access controls
  • Policy management
  • Audit support

Controls
  • Roles
  • Fine-grained access controls
  • Tracking of events: logon, logoff

Oracle Directory Services
  • Oracle Virtual Directory
  • Oracle Internet Directory
  • Oracle Directory Server

Oracle Internet Directory & Oracle Directory Server

What's OID?
  • LDAP service
  • Database location service
  • Data store used by other identity services

Architecture
  • Database
  • OIDMON
  • ODS
  • ODRS

LDAP Server Instance
  • Server processes
  • Dispatcher services
  • Tuning required
  • Default ports: 3060 non-SSL, 3131 SSL

Metadata
  • Uses a cache which is built at startup
  • Directory schema: what is stored
  • Control of who accesses what: ACP
  • Root DSE: stores information about the server itself

Metadata
  • Privilege groups: used for access control policies
  • Contains entries for hosted businesses, password verification, password policy and others

DIT
  • What is a DIT?
  • Can I have more DITs?

Search Process 1
  • Client connects with the LDAP protocol, over SSL or non-SSL
  • Type of user can be known or anonymous
  • Filters can be put in place to limit the search
  • User authenticated, bind made, ACL checked

Search Process 2
  • LDAP search request is converted to OCI calls to interrogate the database
  • Database retrieves the data and passes it back via OCI to the LDAP server
  • Query result sent back to the database
Server Chaining
  • What is it?
  • Why do we want to use it?

Server Chaining 2
  • Server chaining supports the following operations:
      • Bind
      • Compare
      • Modify
      • Search

Creating a Server Chaining Entry
  • Command line or Directory Services Manager: create an LDIF file

    dn: cn=AD,cn=users,dc=pacificdbms,dc=com,dc=au
    cn: AD
    objectclass: orclcontainer
    objectclass: top

Connection to Sun iPlanet

    dn: cn=oidsciplanet,cn=OID Server Chaining,cn=subconfigsubentry
    orclOIDSCExtHost: sunone.example.com
    orclOIDSCExtPort: 10389
    orclOIDSCExtDN: cn=directory manager
    orclOIDSCExtPassword: ********
    orclOIDSCExtUserContainer: ou=people,dc=example,dc=com
    orclOIDSCExtGroupContainer: ou=groups,dc=example,dc=com
    orclOIDSCTargetUserContainer: cn=iPlanet,cn=users,dc=oracle,dc=com
    orclOIDSCTargetGroupContainer: cn=iPlanet,cn=groups,dc=oracle,dc=com
    orclOIDSCExtSearchEnabled: 1
    orclOIDSCExtModifyEnabled: 1
    orclOIDSCExtAuthEnabled: 1
    orclOIDSCSSLEnabled: 1
    orclOIDSCExtSSLPort: 10636
    orclOIDSCWalletLocation: /ipwallet/ewallet.p12
    orclOIDSCWalletPassword: ********

Debugging Server Chaining
  • Create an LDIF file:

    dn: cn=oidscad,cn=oid server chaining,cn=subconfigsubentry
    changetype: modify
    replace: orcloidscDebugEnabled
    orcloidscDebugEnabled: 1

  • Execute:

    $ORACLE_HOME/bin/ldapmodify -h host -p port -D cn=orcladmin -q -f file
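Added here as an example that is not part of the presentation: a small Python audit for a server-chaining entry exported as LDIF, of the shape shown on the preceding slides. It parses the orclOIDSC* attributes (OID treats attribute names case-insensitively) and reports what a reviewer checks before the entry goes live: SSL off for the external connection, no wallet when SSL is on, a clear-text bind password left in the file, the debug flag still set after troubleshooting, a superuser bind DN, and modify write-through. Both LDIF samples are constructed for this example, and the finding list and severities are my own, not Oracle's.

```python
"""Audit an Oracle Internet Directory server-chaining entry exported as LDIF.

Reads the orclOIDSC* attributes of one server-chaining configuration entry
and reports the settings a reviewer checks before the entry goes live.
"""
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (severity, attribute, message)

# Constructed sample (not from a real deployment): the attribute set used on
# the slides, with deliberately weak settings so the audit has something to report.
WEAK_LDIF = """\
dn: cn=oidsciplanet,cn=OID Server Chaining,cn=subconfigsubentry
orclOIDSCExtHost: sunone.example.com
orclOIDSCExtPort: 10389
orclOIDSCExtDN: cn=directory manager
orclOIDSCExtPassword: ChangeMe123
orclOIDSCExtSearchEnabled: 1
orclOIDSCExtModifyEnabled: 1
orclOIDSCExtAuthEnabled: 1
orclOIDSCSSLEnabled: 0
orcloidscDebugEnabled: 1
"""

# Constructed hardened variant: SSL on with a wallet, debug off, a dedicated
# bind account, and the password masked as it would be in a sanitised export.
HARDENED_LDIF = """\
dn: cn=oidsciplanet,cn=OID Server Chaining,cn=subconfigsubentry
orclOIDSCExtHost: sunone.example.com
orclOIDSCExtPort: 10389
orclOIDSCExtDN: cn=oidchain,ou=service accounts,dc=example,dc=com
orclOIDSCExtPassword: ********
orclOIDSCExtSearchEnabled: 1
orclOIDSCExtModifyEnabled: 0
orclOIDSCExtAuthEnabled: 1
orclOIDSCSSLEnabled: 1
orclOIDSCExtSSLPort: 10636
orclOIDSCWalletLocation: /ipwallet/ewallet.p12
orclOIDSCWalletPassword: ********
orcloidscDebugEnabled: 0
"""


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into {attribute (lower-cased): [values]}.

    Folds continuation lines (a leading single space continues the previous
    value) and skips comments and blank lines. Attribute names are lower-cased
    because LDAP attribute names are case-insensitive.
    """
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            logical.append(raw)
    entry: Dict[str, List[str]] = {}
    for line in logical:
        name, sep, value = line.partition(":")
        if sep:
            entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def _flag(entry: Dict[str, List[str]], attr: str) -> bool:
    """True when a 0/1 OID flag attribute is set to 1 (absent counts as 0)."""
    return entry.get(attr.lower(), ["0"])[0] == "1"


def audit_server_chaining(text: str) -> List[Finding]:
    """Return the findings for one server-chaining entry, highest severity first."""
    e = parse_ldif_entry(text)
    findings: List[Finding] = []
    host = e.get("orcloidscexthost", ["?"])[0]

    if not _flag(e, "orclOIDSCSSLEnabled"):
        findings.append(("high", "orclOIDSCSSLEnabled",
                         f"binds and searches to {host} use clear-text LDAP; "
                         "set orclOIDSCSSLEnabled: 1 and orclOIDSCExtSSLPort"))
    elif "orcloidscwalletlocation" not in e:
        findings.append(("high", "orclOIDSCWalletLocation",
                         "SSL enabled but no wallet configured for the external connection"))

    pwd = e.get("orcloidscextpassword", [""])[0]
    if pwd and set(pwd) != {"*"}:  # anything other than a masked value
        findings.append(("high", "orclOIDSCExtPassword",
                         "clear-text bind password in the LDIF; restrict the file "
                         "and mask the value before sharing it"))

    if _flag(e, "orcloidscDebugEnabled"):
        findings.append(("medium", "orcloidscDebugEnabled",
                         "debug logging left on after troubleshooting; reset it to 0"))

    ext_dn = e.get("orcloidscextdn", [""])[0].lower()
    if ext_dn in ("cn=directory manager", "cn=orcladmin"):  # directory superusers
        findings.append(("medium", "orclOIDSCExtDN",
                         f"chaining binds as the external superuser '{ext_dn}'; "
                         "use a dedicated account with only the rights chaining needs"))

    if _flag(e, "orclOIDSCExtModifyEnabled"):
        findings.append(("info", "orclOIDSCExtModifyEnabled",
                         "modify operations are forwarded to the external directory; "
                         "confirm write-through is intended"))

    order = {"high": 0, "medium": 1, "info": 2}
    return sorted(findings, key=lambda f: order[f[0]])


if __name__ == "__main__":
    for label, ldif in (("weak", WEAK_LDIF), ("hardened", HARDENED_LDIF)):
        print(f"== {label} ==")
        for sev, attr, msg in audit_server_chaining(ldif):
            print(f"[{sev}] {attr}: {msg}")
```

Run it against an export produced with ldapsearch of the cn=OID Server Chaining subtree; the weak sample yields five findings and the hardened one none. The debug check matters because the slide's troubleshooting LDIF sets orcloidscDebugEnabled to 1 and nothing on the page turns it back off.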
Designing your implementation
  • Do not use clustered hosts: too many issues
  • If you have the skills, use Linux on VMs
  • Scatter installations across your environment
  • Use replication
  • If you have load balancers, use them

Installation
  • Using default settings the server needs 6GB or greater
  • Can run with small memory using altered Java VM settings
  • Need to understand 11g path conventions

Install Notes
  • Metalink Note 858748.1 Getting Started FAQ

Configuration
  • After installing the software, configure the instance: config.sh
  • Save the configuration before running the configuration step at the end

Small memory config
  • Metalink note 865166.1
  • -Xrs -XX:MaxPermSize=192m in Admin Console, Server Configuration
Replication
  • It's important
  • What model? Fan out, multimaster, single master?
  • Not guaranteed to be consistent: data can differ on different nodes

Single Master
  • One master, all others read only

Multimaster
  • All nodes can update all other nodes

Fan Out
  • It's a hybrid

LDAP Replication
  • Full or partial
  • Peer to peer, one way, two way
  • Multimaster, single master, fan out

LDAP Replication

Advanced Replication (Database)
  • Full replication
  • Peer to peer
  • Multimaster
  • Single master by changing all but one to read only
  • Uses the database to do the replication
  • Uses command line tools to configure this

remtool
  • Use it for configuring the advanced replication
  • Modify or reset the replication bind DN password
  • Display various errors and status information for change log propagation
  • Convert advanced replication to LDAP replication

Setting up a Replica - Command Line
  • Copy the database for the new instance: not recommended
  • Bootstrapping is the better option

What is bootstrapping?
  • Supplier node and replica node
  • Use remtool to copy metadata from supplier to replica
  • Set up the replication with the replication wizard

Replica Using Replication Wizard
  • Fusion Middleware Control
  • Access Manage Replication
  • Select replication type
  • Follow remaining steps: Oracle docs

Bootstrapping issues
  • Cannot have replica and supplier systems in bootstrap mode (orclreplicastate=1 = normal operation)
  • A number of problems in My Oracle Support for bootstrap
Fusion Middleware and Managing OID
  • Cannot do it if OID is not part of a WLS domain
  • Fusion Middleware Control uses SSL
  • Port configured with no authentication or server authentication
  • To connect, use http://host:port/odsm

Command Line
  • Domain home to manage the Admin Server
  • Instance home to manage the OID server
  • opmnctl to control the OID server: /oracle/Middleware/IDMinst_1/bin/opmnctl

ods_process_status
  • OIDMON polls this table to check the system
  • Can be used by other scripts to monitor OID

WLST
  • WebLogic Scripting Tool
  • Jython based
  • Used for many things
  • Can script many tasks

WebLogic Server Version
  • The following might be useful when installing a new product to an existing server:
    cat registry.xml | grep version

Questions
  • [email_address]
  • http://www.pacificdbms.com.au

Tell us what you think…
  • http://feedback.insync10.com.au
