11g Identity Management - InSync10


Published on

Presentation on Oracle Identity Management from Insync10 conference in Melbourne August 2010. Looks at OID and some of the potential issues around installation and configuration

1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Welcome all Mention something about the conference Thank them for coming to the presentation Dont forget to be human
  • I can see some here that did get out of the shower, see how rough people are from prior nights events
  • I don't know on some days if I feel like the cat or the bird Operation – cat – cant get to the product on offer Bird - oh god today is not looking so good Funny thing the bird doesn't care one bit about the cats presence on the cage
  • This is a run down on Identity Management and we delve into one key component Sharing across sites both within and outside of the organisation Securing your cloud applications NSW Gov has recently announced about cloud, Macquarie student email The old chestnut, still not all that effectively done in places, some very good and some with significant work
  • Entitlements Server Entitlements Server Security Module Directory Services Plus Access Manager Adaptive Access Manager Identity Federation Identity Manager Identity Manager Connector Role Manager Information Rights Management Enterprise Single Sign-On Suite Plus Access Management Suite Plus Identity and Access Management Suite Plus Identity Analytics Identity Management Enterprise Management Management Pack Plus for Identity Management
  • Meet compliance requirements to say we measure up for lets say our PCI DSS requirements We increase our security through the use of a centralised directory of user accounts Who has had to provision a user in the network for a login set up an email account add them to finance system the list goes on and on? (Not funny) Directories provide a cost benefit as we don't have to provision a user over and over again for each application they use, One user account across systems ith the details all retained in a common repository.
  • Access Control sets who can do what Manage those policiies froma central location Audit support for the our compliance requirements
  • Set up roles to simply application or system access management Fine grain control is able to use many different attributes eg by entry, by name, By mode Auditing basic – log on and log off
  • All the ODSP products Directory Server EE is a high performance directory Server, embedded database ; Identity Synchronisation; Resource kit for tuning
  • Now down to a key component the directory Server and more importantly the Oracle Internet Directory OID
  • LDAP v3 compliant Use it as a way for client systems to obtain connection information for databases It is often the datastore of choice of other products within the Oracle Identity management offering
  • There is 4 main components Database or above and is certified to use 11.2 OIDMON ODS – the instance – provides the LDAP service to the clients ODRS – replication service for LDAP replication to other OID on other directory servers.
  • The server processes are the LDAP Instance, OIDMON, OPMN to manage it – starting stopping and some other changes. Out of the box OID is not configured to support any connection load, so you will ned to tune it to maximize its workload capability – whole section on this Default ports no longer well known ports 389 and 636
  • When OID starts it creates a cache and it is populated with some information, then as caches do it ads content during the life of the cache. Less database calls Cache is write through Directory schema is the object table of the data types that have been configured for the OID – this is people objects, password objects database connection objects alias objects and so it goes Access Control is configured under a separate section of the directory allowing such things as roles, user passwords. Root DSE Contains Server data itself, number instances, port info
  • DIT Directory Information Tree We search the DIT for our information we require Under our DIT should be all the data, there is aliases that can be used for transitional roles. Do you homework for integrating to other Directories if you already have AD or something else then make sure you align your DIT to that one even if you feel integration is a way off, much easier if your DIT is the same. I say this about the DIT as from usage there is the ability to have more than one tree for multiple organisations or even having multiple trees within the same organisation. Reasons to not have are great but maybe unavoidable in some cases of migration
  • Unless you use an SSL only server can be either Anonymous bind is available by default but can be disabled Filters to limit data can be used in the query/update Once the user is authenticated as gues or user, then the bind is made and ACL is checked as to what objects in the directory are accesible
  • As the directory uses OCI – conversion of the LDAP request is made for OCI transport Database acts upon the query Query sent back to OID Server converted to ldap and returned to the user.
  • How we connect to the other directories E-directory AD (what is IBM's? I don't know, is it part of Tivoli?) So it is allows us to pass information between different directory offerings
  • Why Server chain?
  • Non Oracle Middleware clustering Linux VM's could be the cheapest option of implementing many of these in your organisation and can make it easy to moving servers Whilst LDAP is light weight there is good reason to have them closer to end users if you have a highly dispersed user base
  • I found that a server with OEL and just 4GB to be a minimum requirement, I think 6 GB is a better minimum for a production system You can do small memory footprint but it detunes I will explain how in a second You need to manage the
  • 11g Identity Management - InSync10

    1. 1. 11g Identity Management Peter McLarty Pacific DBMS Pty Ltd 17 th August 2010 The most comprehensive Oracle applications & technology content under one roof
    2. 2. Everyone who has ever taken a shower has had an idea. It's the person who gets out of the shower, dries off, and does something about it that makes a difference. -- Nolan Bushnell
    3. 3. Feeling stressed?
    4. 4. Introduction <ul><li>What are we here for?
    5. 5. Shared Identity
    6. 6. Cloud Security
    7. 7. Single Sign On (Single Point of truth) </li></ul>
    8. 8. Lots of products <ul><li>Identity Manager
    9. 9. Access Manager
    10. 10. Identity Analytics
    11. 11. Directory Services Plus
    12. 12. Identity Federation </li></ul>
    13. 13. Why do we need it? <ul><li>Compliance
    14. 14. Security
    15. 15. Cost management (Consolidation) </li></ul>
    16. 16. How is it useful <ul><li>Access Control
    17. 17. Policy Management
    18. 18. Audit Support </li></ul>
    19. 19. Controls <ul><li>Roles
    20. 20. Fine grain access controls
    21. 21. Tracking of events – logon - logoff </li></ul>
    22. 22. Oracle Directory Services Plus <ul><li>Oracle Virtual Directory
    23. 23. Oracle Internet Directory
    24. 24. Oracle Directory Server Enterprise Edition </li></ul>
    25. 25. Oracle Directory Server & Oracle Internet Directory
    26. 26. What's OID? <ul><li>LDAP Service
    27. 27. Database Location Service
    28. 28. Data Store used by other Identity Services </li></ul>
    29. 29. Architecture <ul><li>Database
    30. 30. OIDMON
    31. 31. ODS
    32. 32. ODRS </li></ul>
    33. 33. LDAP Server Instance <ul><li>Server Processes
    34. 34. Dispatcher Services
    35. 35. Tuning Required
    36. 36. Default Ports </li><ul><li>3060 Non SSL
    37. 37. 3131 SSL </li></ul></ul>
    38. 38. Metadata <ul><li>Uses a cache which is built at startup
    39. 39. Directory schema - what is stored
    40. 40. Root DSE - Stores information about the server itself </li></ul>
    41. 41. Metadata <ul><li>Privilege Groups - Used for Access Control Policies
    42. 42. Contains entries for hosted businesses,password verification,password policy and others </li></ul>
    43. 43. DIT What is a DIT? Can I have more DIT's?
    44. 44. Search Process 1 <ul><li>Client connects SSL or non SSL with LDAP protocol
    45. 45. Type of user can be known or anonymous
    46. 46. Filters can be put in place to limit search
    47. 47. User authenticated, bind made, ACL checked </li></ul>
    48. 48. Search Process 2 <ul><li>LDAP search request is converted to OCI language to interrogate the database
    49. 49. Database retrieves data; passes it back via OCI to the LDAP server
    50. 50. Query result sent back to the database </li></ul>
    51. 51. Server Chaining What is it? Why do we want to use it?
    52. 52. Server Chaining
    53. 53. Server Chaining 2 <ul><li>Server chaining supports the following operations: </li><ul><li>Bind
    54. 54. Compare
    55. 55. Modify
    56. 56. Search </li></ul></ul>
    57. 57. Creating a Server Chaining Entry <ul><li>Command Line or Directory Services Manager - Create LDIF file
    58. 58. dn: cn=AD,cn=users,dc=pacificdbms,dc=com,dc=au cn: AD objectclass: orclcontainer objectclass: top </li></ul>
    59. 59. Connection to Sun IPlanet cn=oidsciplanet,cn=OID Server Chaining,cn=subconfigsubentry orclOIDSCExtHost: sunone.example.com orclOIDSCExtPort: 10389 orclOIDSCExtDN: cn=directory manager orclOIDSCExtPassword: ********
    60. 60. Connection to Sun IPlanet orclOIDSCExtUserContainer: ou=people,dc=example,dc=com orclOIDSCExtGroupContainer: ou=groups,dc=example,dc=com orclOIDSCTargetUserContainer: cn=iPlanet,cn=users,dc=oracle,dc=com orclOIDSCTargetGroupContainer: cn=iPlanet,cn=groups,dc=oracle,dc=com
    61. 61. Connection to Sun IPlanet orclOIDSCExtSearchEnabled: 1 orclOIDSCExtModifyEnabled: 1 orclOIDSCExtAuthEnabled: 1 orclOIDSCSSLEnabled: 1 orclOIDSCExtSSLPort: 10636 orclOIDSCWalletLocation: /ipwallet/ewallet.p12 orclOIDSCWalletPassword: ********
    62. 62. Debugging Server Chaining <ul><li>Create an LDIF
    63. 63. filedn: cn=oidscad,cn=oid server chaining,cn=subconfigsubentry changetype: modify replace: orcloidscDebugEnabled orcloidscDebugEnabled: 1Execute
    64. 64. $ORACLE_HOME/bin/ldapmodify -h host -p port -D cn=orcladmin -q -f file </li></ul>
    65. 65. Designing your implementation <ul><li>Do Not use clustered hosts - too many issues
    66. 66. If you have the skills use Linux on VM's 
    67. 67. Scatter installations across your environment
    68. 68. Use Replication
    69. 69. If you have load balancers use them </li></ul>
    70. 70. Installation <ul><li>Using default settings the server needs 6GB or greater
    71. 71. Can do small memory with altered Java VM settings
    72. 72. Need to understand 11g path conventions </li></ul>
    73. 73. Install Notes <ul><li>Metalink Note 858748.1 Getting Started FAQ
    74. 74. INST errors – You will love these if you encounter them
    75. 75. Nodemanager not starting </li></ul>
    76. 76. Configuration <ul><li>After installing the software configure the instance – config.sh
    77. 77. Save configuration before running configuration step at the end </li></ul>
    78. 78. Small memory config <ul><li>Metalink note 865166.1
    79. 79. -Xrs -XX:MaxPermSize=192m in Admin Console – Server Configuration </li></ul>
    80. 80. Replication Its Important What model? Fan Out, Multimaster, Single Master?  Not guaranteed to be consistent- data different on different nodes
    81. 81. Single Master <ul><li>One master all others read only </li></ul>
    82. 82. Multimaster <ul><li>All Nodes can update all other nodes </li></ul>
    83. 83. Fan Out <ul><li>Its a hybrid </li></ul>
    84. 84. LDAP Replication Full or Partial Peer to peer, One Way, Two Way Multimaster, Single Master,  Fan Out
    85. 85. LDAP Replication
    86. 86. Advanced Replication (Database) <ul><li>Full replication
    87. 87. Peer to peer
    88. 88. Multimaster 
    89. 89. Single by changing all but one to read only
    90. 90. Uses the database to do the replication 
    91. 91. Uses command line tools to configure this </li></ul>
    92. 92. remtool <ul><li>Use it for configuring the advanced replication 
    93. 93. Modify or reset replication Bind DN password
    94. 94. Displaying various errors and status information for change log propagation
    95. 95. Convert advanced replication to LDAP replication </li></ul>
    96. 96. Setting up Replica - Command Line <ul><li>Copy database for new instance; not recommended
    97. 97. Bootstrapping is the better option </li></ul>
    98. 98. What is bootstrapping? <ul><li>Supplier Node and Replica Node
    99. 99. Use remtool to copy metadata from supplier to replica
    100. 100. Set up the replication with the Replication wizard </li></ul>
    101. 101. Replica Using Replication Wizard <ul><li>Fusion Middleware Control
    102. 102. Access Manage Replication
    103. 103. Select Replication type
    104. 104. Follow remaining steps – Oracle Docs </li></ul>
    105. 105. Bootstrapping issues <ul><li>Cannot have replica and supplier system in bootstrap mode (orclreplicastate=1) = Normal Operation; 0 = bootstrap
    106. 106. A number of issues in My Oracle Support for bootstrap </li></ul>
    107. 107. Fusion Middleware and Managing OID <ul><li>Cannot do if not part of  a WLS domain
    108. 108. Fusion Middleware Control uses SSL
    109. 109. Can't start from Console without Nodemanager
    110. 110. To connect  use http://host:port/odsm </li></ul>
    111. 111. EM Console
    112. 112. Start ODS
    113. 113. EM Main OIM
    114. 114. Connect ODSM
    115. 115. Sign In
    116. 116. Command Line <ul><li>Domain Home to manage the Admin Server
    117. 117. Instance Home to manage the OID Server
    118. 118. opmnctl to control the OID server
    119. 119. /oracle/Middleware/IDMinst_1/bin/opmnctl </li></ul>
    120. 120. ods_process_status <ul><li>Oidmon polls table to check system
    121. 121. Can be used by other scripts to monitor OID </li></ul>
    122. 122. WLST <ul><li>Weblogic Scripting Tool
    123. 123. Jython based
    124. 124. MBeans
    125. 125. wls:/offline> connect('weblogic','weblogic','t3://localhost:8001') </li></ul>
    126. 126. Weblogic Server Version <ul><li>The following might be useful when installing new product to an existing server
    127. 127. cat registry.xml | grep version </li></ul>
    128. 128. Questions [email_address] http://www.pacificdbms.com.au
    129. 129. Tell us what you think… <ul><li>http://feedback.insync10.com.au </li></ul>