
Oracle 11i OID AD Integration



  1. Implementing Identity Management without losing your Identity
     Mahesh Vallampati
  2. About the Speaker
     - Mahesh Vallampati
       - Career
         - Senior Practice Manager at SmartDog Services
         - Senior Sales Consulting Manager at Hotsos (2 years)
         - Director of DBA Services at Eagle Global Logistics (2 years)
         - Practice Manager at Oracle in Consulting (9 years)
       - Papers
         - Several papers presented at User Groups
         - Published in Oracle Magazine
       - Education
         - Master's in Electrical Engineering, Texas A&M University
  3. Upfront
     - What you will learn
       - How to manage a successful Identity Management project
       - What are the dependencies?
       - Key issues you need to watch out for
     - What you won't learn
       - Identity Management concepts
       - Identity Management commands
     - If at all you must fail, fail early
  4. Agenda
     - Getting Ready for IM with E-Biz
     - Patching and Version Dependencies
     - Identity Management Server Installation
     - Integration with other Directories
     - Deployment Considerations
     - Operational Considerations
     - Cloning Considerations
  5. Getting Ready for IM with E-Biz
  6. Project Planning
     - Overestimate effort rather than trying to get it exactly right
     - You are going to exceed budget
     - Plan for cloning issues
     - Get a good PM
     - Involve everybody
       - It is not just a technology project
     - Have a robust cutover plan
     - Have a tested rollback plan
  7. 10 IM Project Considerations
     - This list is from Oracle itself
     - Set Realistic Targets
     - Choose the Right Technology
     - Focus on Business Value
     - Support Your Customer: The Application Owner
     - Understand the Scale of Investment
     - Address Data Quality Up Front
     - Monitor and Protect the Health of Your I&AM Solution
     - Create Skills-Based Work Teams
     - Consolidate Ownership of I&AM
     - Provide Strong Project Management and Architecture
     - Resources
  8. Project Considerations
     - Set realistic targets
       - What are you trying to achieve?
     - Understand the scale of investment
       - License costs
       - Hardware costs
       - Training costs
       - Operational costs
     - What is the payoff?
       - Is it really worth it just for the benefit of having to remember only one password?
  9. Skill Issues
     - Identity Management is another name for Directory Services
     - Typically managed by the network/security team
     - Historically, products in this space have had strong GUI management and administration capabilities
     - Oracle's GUI management and administration capabilities are slightly harder to learn
     - A lot more UNIX scripts and commands
     - A lot of cryptic commands
  10. Skill Issues
     - A few questions you need to ask
       - Is my DBA team the best team to operate this environment?
       - Is it the right priority of work?
         - More important than backup/recovery and performance?
     - An alternative approach
       - Team the network/security team and the DBA team in this effort
       - Send them to training together so they can educate each other on the capabilities of the solution
     - Oracle OID may be integrated with Active Directory or another directory service
     - The Oracle OID team (typically the DBA team) and the directory services team need to be on the same page
  11. Enter High Availability
     - Identity Management can become the single point of failure for application availability
     - Imagine explaining to a business user that the application is available but they can't log in because the identity management server crashed
     - Standby and RAC bring an additional layer of complexity
     - Remember the database components of Identity Management use
  12. Other Security Considerations
     - Some companies may have higher security requirements
       - e.g. financial services companies
     - The requirement may be to SSL-enable (Secure Sockets Layer) both the Identity Management Application Server and the E-Business Suite
     - This consideration could add an additional layer of complexity to the project
  13. Patching and Version Dependencies
  14. Latest Supported Configuration
     - ATG Rollup 6
     - Oracle Application Server
  15. Patching and Version Dependencies
     - ATG Rollup Patch 6
       - May involve upgrading other family packs
       - Can become a prerequisite for other critical patches
       - Treat ATG RUP6 as a sub-project in itself
       - Ideally, do it as a separate project before you embark on the Single Sign On project
       - Identify the patch tree and get all the patches you need in
       - ATG RUP6 adds a lot of feature functionality for the DBA
  16. Can I get away without ATG RUP6?
     - You probably could.
     - Oracle Support policy
       - If you have an issue in a prior supported configuration
       - And no prior solution exists
       - You have to upgrade
     - You will probably need ATG RUP6 anyway
     - Might as well get it over with
  17. Desktop ADI
     - The Single Sign On architecture does not support Desktop ADI
     - Desktop ADI is a favorite tool of the GL department
     - What do we do?
       - Reports Manager is the new solution replacing Desktop ADI
       - Reports Manager needs to be installed, configured and tested
       - Very similar to Web ADI but has more features
       - An important Desktop ADI feature, drill-down on Excel reports, was released later as a patch
  18. A Workaround: Desktop ADI
     - There are ways to configure OID and Oracle Applications to support Desktop ADI
     - Not clean
     - Could cause audit issues
     - Difficult to support
     - May need to create generic IDs
     - Duplicate IDs for users
       - One for SSO
       - One for Desktop ADI
  19. Recommended Patching Sequence
     - ATG Rollup Patch 6
       - Install the corresponding supporting family packs for other modules
     - Install the Single Sign On patch
     - Install Reports Manager
     - Get users trained on Reports Manager
     - Retire Desktop ADI
     - Install DBMS_LDAP on the E-Business database
     - Configure Oracle Applications to use SSL (optional)
  20. Identity Management Server Installation
  21. Identity Mgmt. Server Installation
     - Read the manual thoroughly before starting
     - There are some "gotchas" on some of the components
       - Some components can only be installed and configured by the installer
     - Install the software a few times to get comfortable with the installation
     - Understand the various components of the installation
       - Components
       - Configuration files
       - Log files
       - Debug files
       - Trace files
  22. Identity Management Inst. Types
  23. Identity Mgmt. Server Installation
     - During installation, it is possible to select an option to connect to OID using only SSL
     - Choose this option, as it is the more secure option
     - Remember, the HTTP Server is still non-SSL
     - You need to do a separate configuration for that
     - It can be a little more involved
     - You will also need Oracle Wallet Manager
  24. Oracle Certificate Authority
     - A component of Identity Management that is needed for secure exchange of information between identity entities
     - Ensure that you install it during the initial installation
     - Installing it later in the same AS Home is not possible
     - A separate home has to be created and linked to the Identity Management Server
     - This creates an additional layer of complexity during troubleshooting
  25. LDAP Commands
     - Get comfortable with the ldap commands
     - You will be using a lot of them with different options
     - ldap commands are not friendly
     - Keep a log of all ldap commands you use
     - It will help later
  26. Identity Mgmt. Diagnostics
     - Oracle has several diagnostic scripts for troubleshooting Identity Management issues
     - Download the scripts, install them and play with them
     - Understand how to generate the various log files and diagnostic files, and where they are all located
     - Keep a log of these too
     - They will come in handy when troubleshooting
  27. Integration with Other Directories
  28. Integration with Other Directories
     - Typically, OID will have to integrate with, say,
       - Microsoft Active Directory
       - iPlanet
       - Novell Directory Services
     - Understand the directory hierarchy (namespace) on these systems
     - A typical namespace is as follows:
       - dc=identity,dc=oracle,dc=com
     - The hierarchy is then
     - Integration between OID and other directories can be easier if the namespaces map
     - The OID installation allows a custom namespace to be specified during installation
  29. Integration with Other Directories
     - Every directory has a hierarchy for traversing the directory tree
     - Work with the directory team on understanding how the directory is set up
     - A lot of the time, the existing directory of reference may have to be cleaned up
       - Users may be mixed up with resources like printers
     - Another sub-project
     - The existing directory may have custom fields for resource classification which may impact security settings for E-Business users
     - Example: a contractor flag and lockout policy may have to be enforced
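The namespace-mapping and directory clean-up points on slides 28 and 29, as an added example that is not from the presentation: a small Python routine that rewrites DNs from an external directory base into the OID base dc=identity,dc=oracle,dc=com, skips entries that are not users (the "printers mixed in with users" problem), and derives an account policy from a custom contractor flag. The external base dc=corp,dc=example,dc=com, the employeeType attribute, the policy values in POLICY_BY_TYPE and the sample entries are all assumed or constructed for the example.

```python
"""Added example (not from the presentation): map user entries from an external
directory namespace into the OID namespace and derive the E-Business account
policy from a custom classification attribute, skipping non-user entries.

Assumptions (hypothetical, not on the slides): the external directory is rooted
at dc=corp,dc=example,dc=com, user entries carry an employeeType attribute, and
the policy values in POLICY_BY_TYPE are placeholders for whatever the security
team decides.
"""

OID_BASE = "dc=identity,dc=oracle,dc=com"    # namespace shown on the slides
EXTERNAL_BASE = "dc=corp,dc=example,dc=com"  # assumed external (e.g. AD) namespace

# Assumed policy settings keyed by the custom classification attribute.
POLICY_BY_TYPE = {
    "employee": {"lockout_after_inactive_days": 90, "end_date_required": False},
    "contractor": {"lockout_after_inactive_days": 30, "end_date_required": True},
}


def split_dn(dn):
    """Split a DN into its RDN strings on unescaped commas (RFC 4514 style),
    so a value such as 'cn=Smith\\, Bob' stays in one piece."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return rdns


def is_under(dn, base):
    """True if dn sits below base (case-insensitive, tolerant of spaces after commas)."""
    parts = [p.lower() for p in split_dn(dn)]
    base_parts = [p.lower() for p in split_dn(base)]
    return len(parts) > len(base_parts) and parts[-len(base_parts):] == base_parts


def map_dn(dn, src_base, dst_base):
    """Rewrite a DN under src_base to the equivalent DN under dst_base,
    keeping the relative part (ou=..., cn=...) intact."""
    if not is_under(dn, src_base):
        raise ValueError(f"{dn} is not under {src_base}")
    relative = split_dn(dn)[:-len(split_dn(src_base))]
    return ",".join(relative + split_dn(dst_base))


def plan_sync(entries, src_base=EXTERNAL_BASE, dst_base=OID_BASE):
    """Decide, per source entry, whether it becomes an OID user and with what policy.
    Returns (users, skipped); each skipped item carries a reason so the
    data-quality clean-up work is visible instead of silently dropped."""
    users, skipped = [], []
    for entry in entries:
        classes = [c.lower() for c in entry.get("objectClass", [])]
        if "person" not in classes:
            skipped.append({"dn": entry["dn"], "reason": f"not a user entry (objectClass={classes})"})
            continue
        if not is_under(entry["dn"], src_base):
            skipped.append({"dn": entry["dn"], "reason": "outside the source namespace"})
            continue
        emp_type = entry.get("employeeType", "").lower()
        policy = POLICY_BY_TYPE.get(emp_type)
        if policy is None:
            skipped.append({"dn": entry["dn"],
                            "reason": f"unknown employeeType {emp_type!r}; clean up the source data first"})
            continue
        users.append({
            "uid": entry["uid"],
            "source_dn": entry["dn"],
            "target_dn": map_dn(entry["dn"], src_base, dst_base),
            "policy": dict(policy, account_type=emp_type),
        })
    return users, skipped


# Constructed sample entries imitating a mixed directory: two users, a printer
# and a user with no classification at all.
SAMPLE_ENTRIES = [
    {"dn": "cn=Jane Doe,ou=Users,dc=corp,dc=example,dc=com",
     "objectClass": ["person"], "employeeType": "employee", "uid": "jdoe"},
    {"dn": "cn=Smith\\, Bob,ou=Users,dc=corp,dc=example,dc=com",
     "objectClass": ["person"], "employeeType": "Contractor", "uid": "bsmith"},
    {"dn": "cn=Floor 3 LaserJet,ou=Printers,dc=corp,dc=example,dc=com",
     "objectClass": ["printer"]},
    {"dn": "cn=Temp Account,ou=Users,dc=corp,dc=example,dc=com",
     "objectClass": ["person"], "uid": "temp1"},
]

if __name__ == "__main__":
    users, skipped = plan_sync(SAMPLE_ENTRIES)
    for u in users:
        print(u["uid"], "->", u["target_dn"], u["policy"])
    for s in skipped:
        print("skipped", s["dn"], ":", s["reason"])
```

The skipped list is the useful output for the "another sub-project" point: run it against an export of the real directory and it tells the directory team exactly which entries need cleaning before the OID integration goes ahead.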
  30. Integration with Other Directories
     - Directory services are mission-critical services
     - Directory test systems may have their own private domains to isolate them from the overall network
     - This may impact your ability to connect to and test the systems
     - In some cases, we have seen that there are no test directory servers
     - They just have a standby server
  31. Integration with Other Directories
     - If you chose SSL to connect to OID, the integration between OID and the directory will have to use a secure handshake
     - Digital certificates will have to be exchanged between OID and the directory
     - Typically, Verisign certificates will be the choice
     - These certificates will have to be procured and registered
  32. Directory Plug-In
     - For a long time, the plug-in for Directory Integration was the PL/SQL plug-in
     - We encountered some stability issues in the PL/SQL plug-in
     - We then used the Java plug-in and it was stable
     - This implies that you have to understand how these plug-ins work and integrate
     - The plug-in passes passwords to other directory services and provides authentication services
  33. Deployment Considerations
  34. First-Time Integration
     - First-time login
       - When enabling Single Sign On for the first time, users will be asked to log in with both their old E-Business password and their Single Sign On password
       - This is to link the IDs from FND_USER to the new directory user ID
       - This will cause some confusion for the users
     - The URL to log in will change
       - Bookmarks need to be updated
       - Expect a lot of support calls during go-live
  35. Operational Considerations
  36. Backup and Recovery
     - Weekly "cold" backup
       - Identity Management caches information for performance
       - The best method to back up the Identity Management infrastructure is as follows
         - Shut down all Identity Management services cleanly
         - Shut down the server
         - Bring the server back up
         - Do a cold backup
         - Do a shutdown again
         - Start up the server
         - Bring the services back up
  37. Single Sign On is Down
     - When Single Sign On goes down, it is typically a Sev. 1 issue
     - The first thing is to see if you can quickly identify the issue from the log files
       - Have a script to back up the log files and all the other troubleshooting log files you need
       - Shut down the services
       - Shut down the server
       - Bring back the server
       - Usually, during startup you will see a lot of information around the issues
       - Use this to troubleshoot the issues
     - Open a Sev. 1 SR with Oracle
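For the "have a script to back up the log files" step on slide 37, an added example in Python that is not from the presentation: it bundles the Identity Management logs into a checksummed archive before the services and server are bounced (so the evidence of the outage survives the restart), verifies the archive, and pulls out the first error-looking lines as a starting point for troubleshooting. The log directories under ORACLE_HOME, the error patterns and the sample log lines are assumptions or constructed for the example, not Oracle-supplied.

```python
"""Added example (not from the presentation): preserve Identity Management log
files in a checksummed archive before services are bounced, then scan them for
first error indicators.

Assumptions (not on the slides): log directories sit under ORACLE_HOME at the
relative paths in LOG_DIRS; ERROR_PATTERN is a starting point, not Oracle's list.
"""
import hashlib
import os
import re
import tarfile
import tempfile
import time

# Assumed log locations relative to the Identity Management ORACLE_HOME.
LOG_DIRS = ["opmn/logs", "ldap/log", "sso/log", "Apache/Apache/logs"]

# Assumed first-pass indicators worth reading before the restart.
ERROR_PATTERN = re.compile(r"ORA-\d+|\bERROR\b|\bFATAL\b", re.IGNORECASE)


def find_log_files(oracle_home, log_dirs=LOG_DIRS):
    """Regular files under each log directory that exists; missing directories
    are skipped rather than treated as errors, since installs differ."""
    found = []
    for rel in log_dirs:
        base = os.path.join(oracle_home, rel)
        if not os.path.isdir(base):
            continue
        for root, _dirs, files in os.walk(base):
            for name in files:
                path = os.path.join(root, name)
                if os.path.isfile(path):
                    found.append(path)
    return sorted(found)


def bundle_logs(oracle_home, dest_dir, label="sso-outage"):
    """Copy every log file into a timestamped tar.gz and return
    (archive_path, manifest), where manifest maps archive member -> SHA-256."""
    os.makedirs(dest_dir, exist_ok=True)
    archive = os.path.join(dest_dir, f"{label}-{time.strftime('%Y%m%d-%H%M%S')}.tar.gz")
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in find_log_files(oracle_home):
            member = os.path.relpath(path, oracle_home)
            with open(path, "rb") as fh:
                manifest[member] = hashlib.sha256(fh.read()).hexdigest()
            tar.add(path, arcname=member)
    # Side-car manifest so the archive can be checked after it is copied around.
    with open(archive + ".sha256", "w") as fh:
        for member, digest in sorted(manifest.items()):
            fh.write(f"{digest}  {member}\n")
    return archive, manifest


def verify_bundle(archive, manifest):
    """True if the archive holds exactly the manifest's members with matching digests."""
    seen = {}
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                seen[member.name] = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
    return seen == manifest


def scan_for_errors(oracle_home, pattern=ERROR_PATTERN):
    """Error-looking lines across the log files, as dicts with file, line number and text."""
    hits = []
    for path in find_log_files(oracle_home):
        with open(path, "r", errors="replace") as fh:
            for number, line in enumerate(fh, start=1):
                if pattern.search(line):
                    hits.append({"file": os.path.relpath(path, oracle_home),
                                 "line": number, "text": line.rstrip()})
    return hits


def make_sample_home():
    """Build a throw-away ORACLE_HOME with constructed log lines (not real Oracle output)."""
    home = tempfile.mkdtemp(prefix="im_home_")
    samples = {
        "opmn/logs/opmn.log": "2009-04-13 10:05:17 [pm-process] ONS server initiated\n"
                              "2009-04-13 10:05:19 ERROR: process stopped: OID~oidmon~OID~1\n",
        "ldap/log/oidldapd.log": "2009-04-13 10:05:18 ORA-12541: TNS:no listener\n"
                                 "2009-04-13 10:05:18 server closing\n",
        "sso/log/sso.log": "2009-04-13 10:06:00 login failed: directory unavailable\n",
    }
    for rel, text in samples.items():
        full = os.path.join(home, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(text)
    return home


if __name__ == "__main__":
    home = make_sample_home()
    archive, manifest = bundle_logs(home, os.path.join(home, "bundles"))
    print("archive:", archive, "verified:", verify_bundle(archive, manifest))
    for hit in scan_for_errors(home):
        print(f"{hit['file']}:{hit['line']}: {hit['text']}")
```

In a real outage, call bundle_logs(oracle_home, dest_dir) with dest_dir on a different filesystem from the logs, before the shutdown step, and keep the .sha256 side-car with the archive: the checksums are what let you hand the bundle to Oracle Support with the SR and still trust it days later.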
  38. Cloning Considerations
  39. Cloning Considerations
     - Enabling Single Sign On has additional implications while cloning
       - Additional configuration changes around profile options
       - Some outside the scope of AutoConfig
     - When you have a lot of development and test instances
       - It is possible to have multiple dev and test instances share one OID/Single Sign On instance
  40. Cloning Considerations
     - A standard trick used by DBAs and sysadmins is to require password resets after clones
     - This helps users have a different password for non-PROD instances, so they don't get confused and do the right thing in the wrong instance, or vice versa
     - Single Sign On complicates this because there is only one password for Single Sign On from a production directory server
     - Some companies have elected to disable Single Sign On and enable Local Sign On as part of the cloning process
  41. Walk-Through of a Single Sign On Implementation Document / Project Plan
  42. Walkthrough
  43. Summary
  44. Summary
     - Plan ahead
     - Over-budget: you are going to exceed it
     - Get the ATG Rollup 6 and Reports Manager issues out of the way
     - Involve the Directory Services team
     - Become very comfortable with troubleshooting Identity Management components
       - Infrastructure components
       - Other components
     - Test cloning strategies
     - Over-communicate with the users on the transition
     - Have a Plan B