Insync 2010
11g Identity Management
Peter McLarty
Pacific DBMS Pty Ltd
17th August 2010
The most comprehensive Oracle applications & technology content under one roof
Welcome all. Mention something about the conference. Thank them for coming to the presentation.
Don't forget to be human.
Everyone who has ever taken a shower has had an idea. It's the person who gets out of the shower, dries off, and does something about it that makes a difference.
-- Nolan Bushnell
I can see some here that did get out of the shower; see how rough people are from the prior night's events.
Feeling stressed?
I don't know on some days if I feel like the cat or the bird. Operation cat: can't get to the product on offer. Bird: oh god, today is not looking so good.
Funny thing, the bird doesn't care one bit about the cat's presence on the cage.
Introduction
What are we here for?
Shared Identity
Cloud Security
Single Sign On (Single Point of truth)
This is a run-down on Identity Management, and we delve into one key component.
Sharing across sites, both within and outside of the organisation.
Securing your cloud applications. NSW Gov has recently made announcements about cloud; Macquarie student email.
The old chestnut: still not all that effectively done in places; some very good and some with significant work to do.
Lots of products
Identity Manager
Access Manager
Identity Analytics
Directory Services Plus
Identity Federation
Entitlements Server
Entitlements Server Security Module
Directory Services Plus
Access Manager
Adaptive Access Manager
Identity Federation
Identity Manager
Identity Manager Connector
Role Manager
Information Rights Management
Enterprise Single Sign-On Suite Plus
Access Management Suite Plus
Identity and Access Management Suite Plus
Identity Analytics
Identity Management Enterprise Management
Management Pack Plus for Identity Management
Why do we need it?
Compliance
Security
Cost management (Consolidation)
Meet compliance requirements to say we measure up for, let's say, our PCI DSS requirements. We increase our security through the use of a centralised directory of user accounts.
Who has had to provision a user in the network for a login, set up an email account, add them to the finance system... the list goes on and on? (Not funny)
Directories provide a cost benefit as we don't have to provision a user over and over again for each application they use: one user account across systems, with the details all retained in a common repository.
How is it useful
Access Control
Policy Management
Audit Support
Access Control sets who can do what
Manage those policies from a central location
Audit support for our compliance requirements
Controls
Roles
Fine grain access controls
Tracking of events logon - logoff
Set up roles to simplify application or system access management. Fine-grained control is able to use many different attributes, e.g. by entry, by name, by mode.
Auditing basic log on and log off
Oracle Directory Services Plus
Oracle Virtual Directory
Oracle Internet Directory
Oracle Directory Server Enterprise Edition
All the ODSP products. Directory Server EE is a high-performance directory server with an embedded database; Identity Synchronisation; a resource kit for tuning.
Oracle Directory Server & Oracle Internet Directory
Now down to a key component, the directory server, and more importantly the Oracle Internet Directory (OID).
What's OID?
LDAP Service
Database Location Service
Data Store used by other Identity Services
LDAP v3 compliant. Use it as a way for client systems to obtain connection information for databases.
It is often the datastore of choice of other products within the Oracle Identity management offering
Architecture
Database
OIDMON
ODS
ODRS
There are 4 main components: Database 10.2.0.4 or above, certified to use 11.2; OIDMON; ODS, the instance that provides the LDAP service to the clients; ODRS, the replication service for LDAP replication to other OIDs on other directory servers.
LDAP Server Instance
Server Processes
Dispatcher Services
Tuning Required
Default Ports: 3060 non-SSL, 3131 SSL
The server processes are the LDAP instance, OIDMON, and OPMN to manage starting, stopping and some other changes.
Out of the box OID is not configured to support any connection load, so you will need to tune it to maximize its workload capability; there is a whole section on this.
The default ports are no longer the well-known ports 389 and 636.
Metadata
Uses a cache which is built at startup
Directory schema - what is stored
Root DSE - Stores information about the server itself
When OID starts it creates a cache and it is populated with some information; then, as caches do, it adds content during the life of the cache. Fewer database calls. The cache is write-through. The directory schema is the object table of the data types that have been configured for the OID: people objects, password objects, database connection objects, alias objects and so it goes. Access control is configured under a separate section of the directory, allowing such things as roles and user passwords.
Root DSE contains the server data itself: number of instances, port info.
Metadata
Privilege Groups - Used for Access Control Policies
Contains entries for hosted businesses, password verification, password policy and others
DIT
What is a DIT? Can I have more DITs?
DIT: Directory Information Tree. We search the DIT for the information we require. Under our DIT should be all the data; there are aliases that can be used for transitional roles. Do your homework for integrating to other directories: if you already have AD or something else, then make sure you align your DIT to that one even if you feel integration is a way off; it is much easier if your DIT is the same.
I say this about the DIT as, from usage, there is the ability to have more than one tree for multiple organisations, or even multiple trees within the same organisation. Reasons not to are great, but it may be unavoidable in some cases of migration.
Search Process 1
Client connects SSL or non SSL with LDAP protocol
Type of user can be known or anonymous
Filters can be put in place to limit search
User authenticated, bind made, ACL checked
Unless you use an SSL-only server, it can be either
Anonymous bind is available by default but can be disabled
Filters to limit data can be used in the query/update
Once the user is authenticated as guest or user, the bind is made and the ACL is checked as to what objects in the directory are accessible
Search Process 2
LDAP search request is converted to OCI language to interrogate the database
Database retrieves data; passes it back via OCI to the LDAP server
Query result sent back to the database
As the directory uses OCI, conversion of the LDAP request is made for OCI transport
Database acts upon the query
The query result is sent back to the OID server, converted to LDAP and returned to the user.
Server Chaining
What is it? Why do we want to use it?
How we connect to the other directories: eDirectory, AD (what is IBM's? I don't know, is it part of Tivoli?)
So it allows us to pass information between different directory offerings
Server Chaining
Server Chaining 2
Server chaining supports the following operations:
Bind
Compare
Modify
Search
Why Server chain?
Creating a Server Chaining Entry
Command Line or Directory Services Manager - Create LDIF file
dn: cn=AD,cn=users,dc=pacificdbms,dc=com,dc=au
cn: AD
objectclass: orclcontainer
objectclass: top
Connection to Sun iPlanet
dn: cn=oidsciplanet,cn=OID Server Chaining,cn=subconfigsubentry
orclOIDSCExtHost: sunone.example.com
orclOIDSCExtPort: 10389
orclOIDSCExtDN: cn=directory manager
orclOIDSCExtPassword: ********
orclOIDSCExtUserContainer: ou=people,dc=example,dc=com
orclOIDSCExtGroupContainer: ou=groups,dc=example,dc=com
orclOIDSCTargetUserContainer: cn=iPlanet,cn=users,dc=oracle,dc=com
orclOIDSCTargetGroupContainer: cn=iPlanet,cn=groups,dc=oracle,dc=com
orclOIDSCExtSearchEnabled: 1
orclOIDSCExtModifyEnabled: 1
orclOIDSCExtAuthEnabled: 1
orclOIDSCSSLEnabled: 1
orclOIDSCExtSSLPort: 10636
orclOIDSCWalletLocation: /ipwallet/ewallet.p12
orclOIDSCWalletPassword: ********
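As an added example (not from the presentation), a small Python checker that parses a server-chaining LDIF entry like the one above and lists the settings a reviewer would want justified before it is loaded with ldapmodify; the attribute names are the orclOIDSC* ones shown on the slides, while the parser and the risk rules are this example's own assumptions.

```python
# Added example (not from the presentation): parse one server-chaining LDIF
# entry, attributes as on the slides, and list settings to review before
# loading it with ldapmodify. The risk rules below are this example's own.
SAMPLE_LDIF = """dn: cn=oidsciplanet,cn=OID Server Chaining,cn=subconfigsubentry
orclOIDSCExtHost: sunone.example.com
orclOIDSCExtPort: 10389
orclOIDSCExtDN: cn=directory manager
orclOIDSCExtPassword: ********
orclOIDSCExtUserContainer: ou=people,dc=example,dc=com
orclOIDSCExtGroupContainer: ou=groups,dc=example,dc=com
orclOIDSCExtSearchEnabled: 1
orclOIDSCExtModifyEnabled: 1
orclOIDSCExtAuthEnabled: 1
orclOIDSCSSLEnabled: 1
orclOIDSCExtSSLPort: 10636
orclOIDSCWalletLocation: /ipwallet/ewallet.p12
"""  # constructed sample modelled on the Sun iPlanet entry above

def parse_ldif_entry(text):
    """Return {lowercased attribute: [values]}; joins LDIF continuation lines."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and lines:  # continuation of the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs

def enabled(attrs, name):
    """True when the flag attribute is present and set to 1."""
    return attrs.get(name.lower(), ["0"])[0] == "1"

def chaining_risks(attrs):
    """Settings that widen exposure of the external directory or its credentials."""
    risks = []
    if not enabled(attrs, "orclOIDSCSSLEnabled"):
        risks.append("ssl-off")  # bind DN and password to the external server go in clear
    elif "orcloidscextsslport" not in attrs or "orcloidscwalletlocation" not in attrs:
        risks.append("ssl-incomplete")  # SSL flagged on but port or wallet missing
    if enabled(attrs, "orclOIDSCExtModifyEnabled"):
        risks.append("modify-on")  # OID may write to the external directory as the bind DN
    if "orcloidscextpassword" in attrs:
        risks.append("password-in-ldif")  # delete the LDIF once it has been loaded
    return risks
```

Run chaining_risks(parse_ldif_entry(open("chain.ldif").read())) over a real file before passing it to ldapmodify; an empty list means none of the rules above fired.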
Debugging Server Chaining
Create an LDIF file:
dn: cn=oidscad,cn=oid server chaining,cn=subconfigsubentry
changetype: modify
replace: orcloidscDebugEnabled
orcloidscDebugEnabled: 1
Execute:
$ORACLE_HOME/bin/ldapmodify -h host -p port -D cn=orcladmin -q -f file
Designing your implementation
Do Not use clustered hosts - too many issues
If you have the skills, use Linux on VMs
Scatter installations across your environment
Use Replication
If you have load balancers use them
Non Oracle Middleware clustering
Linux VMs could be the cheapest option for implementing many of these in your organisation and can make it easy to move servers.
Whilst LDAP is lightweight, there is good reason to have them closer to end users if you have a highly dispersed user base.
Installation
Using default settings the server needs 6GB or greater
Can do small memory with altered Java VM settings
Need to understand 11g path conventions
I found a server with OEL and just 4GB to be a minimum requirement; I think 6 GB is a better minimum for a production system.
You can do a small memory footprint but it detunes; I will explain how in a second.
You need to manage the
Install Notes
Metalink Note 858748.1 Getting Started FAQ
INST errors: you will love these if you encounter them
Nodemanager not starting
Configuration
After installing the software, configure the instance with config.sh
Save configuration before running configuration step at the end
Small memory config
Metalink note 865166.1
-Xrs -XX:MaxPermSize=192m in Admin Console Server Configuration
Replication
It's important. What model? Fan out, multimaster, single master? Not guaranteed to be consistent: data can differ on different nodes.
Single Master
One master all others read only
Multimaster
All Nodes can update all other nodes
Fan Out
It's a hybrid
LDAP Replication
Full or Partial
Peer to peer, One Way, Two Way
Multimaster, Single Master, Fan Out
LDAP Replication
Advanced Replication (Database)
Full replication
Peer to peer
Multimaster
Single master by changing all but one to read-only
Uses the database to do the replication
Uses command line tools to configure this
remtool
Use it for configuring the advanced replication
Modify or reset replication Bind DN password
Displaying various errors and status information for change log propagation
Convert advanced replication to LDAP replication
Setting up Replica - Command Line
Copy database for new instance; not recommended
Bootstrapping is the better option
What is bootstrapping?
Supplier Node and Replica Node
Use remtool to copy metadata from supplier to replica
Set up the replication with the Replication wizard
Replica Using Replication Wizard
Fusion Middleware Control
Access Manage Replication
Select Replication type
Follow remaining steps Oracle Docs
Bootstrapping issues
Cannot have replica and supplier system in bootstrap mode (orclreplicastate: 1 = normal operation, 0 = bootstrap)
A number of issues in My Oracle Support for bootstrap
Fusion Middleware and Managing OID
Cannot do if not part of a WLS domain
Fusion Middleware Control uses SSL
Can't start from Console without Nodemanager
To connect use http://host:port/odsm
EM Console
Start ODS
EM Main OIM
Connect ODSM
Sign In
Command Line
Domain Home to manage the Admin Server
Instance Home to manage the OID Server
opmnctl to control the OID server
/oracle/Middleware/IDMinst_1/bin/opmnctl
ods_process_status
OIDMON polls a table to check the system
Can be used by other scripts to monitor OID
WLST
Weblogic Scripting Tool
Jython based
MBeans
wls:/offline> connect('weblogic','weblogic','t3://localhost:8001')
Weblogic Server Version
The following might be useful when installing new product to an existing server
cat registry.xml | grep version
Questions
[email protected]
http://www.pacificdbms.com.au
Tell us what you think
http://feedback.insync10.com.au