11g Identity Management - InSync10


Insync 2010

11g Identity Management
Peter McLarty
Pacific DBMS Pty Ltd
17th August 2010

The most comprehensive Oracle applications & technology content under one roof

Welcome all
Mention something about the conference
Thank them for coming to the presentation

Don't forget to be human

Everyone who has ever taken a shower has had an idea. It's the person who gets out of the shower, dries off, and does something about it that makes a difference.

-- Nolan Bushnell

I can see some here that did get out of the shower; see how rough people are from the prior night's events.

Feeling stressed?

I don't know on some days if I feel like the cat or the bird.
Operation cat: can't get to the product on offer.
Bird: oh god, today is not looking so good.

Funny thing, the bird doesn't care one bit about the cat's presence on the cage.

Introduction

What are we here for?

Shared Identity

Cloud Security

Single Sign On (Single Point of truth)

This is a run-down of Identity Management, and we delve into one key component.

Sharing across sites both within and outside of the organisation

Securing your cloud applications. NSW Gov has recently made an announcement about cloud; Macquarie student email.

The old chestnut: still not all that effectively done in places, some very good and some with significant work still to do.

Lots of products

Identity Manager

Access Manager

Identity Analytics

Directory Services Plus

Identity Federation

Entitlements Server

Entitlements Server Security Module

Directory Services Plus

Access Manager

Adaptive Access Manager

Identity Federation

Identity Manager

Identity Manager Connector

Role Manager

Information Rights Management

Enterprise Single Sign-On Suite Plus

Access Management Suite Plus

Identity and Access Management Suite Plus

Identity Analytics

Identity Management Enterprise Management

Management Pack Plus for Identity Management

Why do we need it?

Compliance

Security

Cost management (Consolidation)

Meet compliance requirements to say we measure up for, let's say, our PCI DSS requirements.
We increase our security through the use of a centralised directory of user accounts.

Who has had to provision a user in the network for a login, set up an email account, add them to the finance system, and so on? The list goes on and on. (Not funny)

Directories provide a cost benefit as we don't have to provision a user over and over again for each application they use: one user account across systems, with the details all retained in a common repository.

How is it useful

Access Control

Policy Management

Audit Support

Access Control sets who can do what

Manage those policies from a central location

Audit support for our compliance requirements

Controls

Roles

Fine grain access controls

Tracking of events logon - logoff

Set up roles to simplify application or system access management. Fine-grain control is able to use many different attributes, e.g. by entry, by name, by mode.

Auditing basic log on and log off

Oracle Directory Services Plus

Oracle Virtual Directory

Oracle Internet Directory

Oracle Directory Server Enterprise Edition

All the ODSP products. Directory Server EE is a high-performance directory server with an embedded database; Identity Synchronisation; Resource Kit for tuning.

Oracle Directory Server
&
Oracle Internet Directory

Now down to a key component, the directory server, and more importantly Oracle Internet Directory (OID).

What's OID?

LDAP Service

Database Location Service

Data Store used by other Identity Services

LDAP v3 compliant.
Use it as a way for client systems to obtain connection information for databases.

It is often the datastore of choice for other products within the Oracle Identity Management offering.

Architecture

Database

OIDMON

ODS

ODRS

There are 4 main components:
Database 10.2.0.4 or above; certified to use 11.2
OIDMON
ODS, the instance that provides the LDAP service to the clients
ODRS, the replication service for LDAP replication to other OIDs on other directory servers

LDAP Server Instance

Server Processes

Dispatcher Services

Tuning Required

Default Ports
3060 Non SSL

3131 SSL

The server processes are the LDAP instance, OIDMON, and OPMN to manage starting, stopping and some other changes.

Out of the box OID is not configured to support any connection load, so you will need to tune it to maximise its workload capability; there is a whole section on this.

Default ports are no longer the well-known ports 389 and 636.

Metadata

Uses a cache which is built at startup

Directory schema - what is stored

Root DSE - Stores information about the server itself

When OID starts it creates a cache populated with some information; then, as caches do, it adds content during the life of the cache. Fewer database calls. The cache is write-through.
The directory schema is the object table of the data types that have been configured for the OID: people objects, password objects, database connection objects, alias objects, and so on.
Access control is configured under a separate section of the directory, allowing such things as roles and user passwords.

Root DSE contains the server data itself: number of instances, port info.

Metadata

Privilege Groups - Used for Access Control Policies

Contains entries for hosted businesses, password verification, password policy and others.

DIT

What is a DIT?
Can I have more DITs?

DIT: Directory Information Tree.
We search the DIT for the information we require.
Under our DIT should be all the data; there are aliases that can be used for transitional roles.
Do your homework for integrating with other directories: if you already have AD or something else, make sure you align your DIT to that one even if you feel integration is a way off. It is much easier if your DIT is the same.

I say this about the DIT as, from usage, there is the ability to have more than one tree for multiple organisations, or even multiple trees within the same organisation. Reasons not to have them are great, but it may be unavoidable in some cases of migration.

Search Process 1

Client connects SSL or non SSL with LDAP protocol

Type of user can be known or anonymous

Filters can be put in place to limit search

User authenticated, bind made, ACL checked

Unless you use an SSL-only server, it can be either.

Anonymous bind is available by default but can be disabled

Filters to limit data can be used in the query/update

Once the user is authenticated as guest or user, the bind is made and the ACL is checked as to what objects in the directory are accessible.
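Anonymous bind is on by default, so an administrator who has disabled it will want a way to confirm the change took. The following is an added example (not from the presentation or Oracle): a minimal LDAPv3 simple-bind probe built from the standard library only, which sends an anonymous bind to the non-SSL default port 3060 and reads back only the BindResponse result code. The host name and the OID result code for a refused anonymous bind are not assumed; the probe just checks for success (resultCode 0).

```python
import socket

# Added example, not from the presentation: a standard-library LDAPv3 simple-bind
# probe. It asks an OID instance for an anonymous bind on the non-SSL default
# port 3060 and inspects only the BindResponse result code; no directory data
# is requested, so it is safe to run from a monitoring host.

def _ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, value):
    return bytes([tag]) + _ber_len(len(value)) + value

def _read_tlv(buf, pos):
    """Decode one tag/length/value at pos; return (tag, value, next_pos)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def build_bind_request(msg_id, dn=b"", password=b""):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name,
    simple [0] password } }. Empty dn and password make it an anonymous bind."""
    bind = _tlv(0x02, bytes([3])) + _tlv(0x04, dn) + _tlv(0x80, password)
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, bind))

def parse_bind_result(data):
    """Return the resultCode of a BindResponse [APPLICATION 1], or None if the
    message is not a BindResponse."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        return None
    _, _msg_id, pos = _read_tlv(msg, 0)
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x61:
        return None
    tag, code, _ = _read_tlv(op, 0)            # ENUMERATED resultCode
    return int.from_bytes(code, "big") if tag == 0x0A else None

def anonymous_bind_allowed(host, port=3060, timeout=5.0):
    """True when the server accepts an anonymous simple bind (resultCode 0)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_bind_request(1))
        reply = sock.recv(4096)
    return parse_bind_result(reply) == 0
```

Run `anonymous_bind_allowed("oid.example.internal")` from a host that can reach the instance; a False result after disabling anonymous binds confirms the setting is live on that port.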

Search Process 2

LDAP search request is converted to OCI language to interrogate the database

Database retrieves data; passes it back via OCI to the LDAP server

Query result sent back to the database

As the directory uses OCI, conversion of the LDAP request is made for OCI transport.

Database acts upon the query

Query result is sent back to the OID server, converted to LDAP and returned to the user.

Server Chaining

What is it?
Why do we want to use it?

How we connect to the other directories: eDirectory, AD (what is IBM's? I don't know, is it part of Tivoli?)

So it allows us to pass information between different directory offerings.

Server Chaining

Server Chaining 2

Server chaining supports the following operations:

Bind

Compare

Modify

Search

Why Server chain?

Creating a Server Chaining Entry

Command Line or Directory Services Manager - Create LDIF file

dn: cn=AD,cn=users,dc=pacificdbms,dc=com,dc=au
cn: AD
objectclass: orclcontainer
objectclass: top

Connection to Sun iPlanet

dn: cn=oidsciplanet,cn=OID Server Chaining,cn=subconfigsubentry
orclOIDSCExtHost: sunone.example.com
orclOIDSCExtPort: 10389
orclOIDSCExtDN: cn=directory manager
orclOIDSCExtPassword: ********
orclOIDSCExtUserContainer: ou=people,dc=example,dc=com
orclOIDSCExtGroupContainer: ou=groups,dc=example,dc=com
orclOIDSCTargetUserContainer: cn=iPlanet,cn=users,dc=oracle,dc=com
orclOIDSCTargetGroupContainer: cn=iPlanet,cn=groups,dc=oracle,dc=com
orclOIDSCExtSearchEnabled: 1
orclOIDSCExtModifyEnabled: 1
orclOIDSCExtAuthEnabled: 1
orclOIDSCSSLEnabled: 1
orclOIDSCExtSSLPort: 10636
orclOIDSCWalletLocation: /ipwallet/ewallet.p12
orclOIDSCWalletPassword: ********

Debugging Server Chaining

Create an LDIF file:

dn: cn=oidscad,cn=oid server chaining,cn=subconfigsubentry
changetype: modify
replace: orcloidscDebugEnabled
orcloidscDebugEnabled: 1

Execute:

$ORACLE_HOME/bin/ldapmodify -h host -p port -D cn=orcladmin -q -f file
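The chaining entry above decides how much of the external directory is exposed through OID, and the debug flag just set is easy to forget. The following is an added example (not from the presentation or Oracle): a small Python checker that parses a plain LDIF chaining entry and flags the orclOIDSC* settings a reviewer would question. The two sample entries are constructed for the example, not taken from a real deployment.

```python
# Added example, not from the presentation: a checker for the orclOIDSC*
# attributes of an OID server-chaining entry (cn=oidsciplanet, cn=oidscad, ...
# under cn=OID Server Chaining,cn=subconfigsubentry). It flags chaining over a
# non-SSL link, modify pass-through to the external directory, and debug left on.

def parse_ldif_entry(text):
    """Return {attribute.lower(): value} for one plain LDIF entry
    (no base64 values, no continuation lines, no changetype records)."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if sep:
            entry[attr.strip().lower()] = value.strip()
    return entry

def check_chaining_entry(entry):
    """Return a list of findings (empty when the entry passes all checks)."""
    findings = []
    if entry.get("orcloidscsslenabled", "0") != "1":
        findings.append("SSL disabled: external bind DN and password cross the link in clear")
    if entry.get("orcloidscextmodifyenabled", "0") == "1":
        findings.append("Modify pass-through enabled: OID writes are forwarded to the external directory")
    if entry.get("orcloidscdebugenabled", "0") == "1":
        findings.append("Chaining debug enabled: switch off outside troubleshooting")
    return findings

# Constructed sample entries (not from a real deployment): a weak configuration
# and the same entry with SSL, a wallet, read-only pass-through and debug off.
WEAK_ENTRY = """\
dn: cn=oidsciplanet,cn=OID Server Chaining,cn=subconfigsubentry
orclOIDSCExtHost: sunone.example.com
orclOIDSCExtPort: 10389
orclOIDSCExtDN: cn=directory manager
orclOIDSCExtModifyEnabled: 1
orclOIDSCSSLEnabled: 0
orcloidscDebugEnabled: 1
"""
HARDENED_ENTRY = """\
dn: cn=oidsciplanet,cn=OID Server Chaining,cn=subconfigsubentry
orclOIDSCExtHost: sunone.example.com
orclOIDSCExtDN: cn=directory manager
orclOIDSCExtModifyEnabled: 0
orclOIDSCSSLEnabled: 1
orclOIDSCExtSSLPort: 10636
orclOIDSCWalletLocation: /ipwallet/ewallet.p12
orcloidscDebugEnabled: 0
"""
```

Feed it the output of an ldapsearch against the chaining entry to review a live instance; each finding names the attribute to change.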

Designing your implementation

Do not use clustered hosts: too many issues

If you have the skills, use Linux on VMs

Scatter installations across your environment

Use Replication

If you have load balancers, use them

Non-Oracle Middleware clustering

Linux VMs could be the cheapest option for implementing many of these in your organisation, and can make it easy to move servers.

Whilst LDAP is lightweight, there is good reason to have them closer to end users if you have a highly dispersed user base.

Installation

Using default settings the server needs 6GB or greater

Can do small memory with altered Java VM settings

Need to understand 11g path conventions

I found a server with OEL and just 4GB to be the minimum requirement; I think 6 GB is a better minimum for a production system.

You can do a small memory footprint but it detunes; I will explain how in a second.

You need to manage the

Install Notes

Metalink Note 858748.1 Getting Started FAQ

INST errors: you will love these if you encounter them

Nodemanager not starting

Configuration

After installing the software, configure the instance with config.sh

Save the configuration before running the configuration step at the end

Small memory config

Metalink note 865166.1

-Xrs -XX:MaxPermSize=192m in Admin Console Server Configuration

Replication

It's important.
What model? Fan Out, Multimaster, Single Master?
Not guaranteed to be consistent: data different on different nodes.

Single Master

One master all others read only

Multimaster

All Nodes can update all other nodes

Fan Out

It's a hybrid

LDAP Replication

Full or Partial
Peer to peer, One Way, Two Way
Multimaster, Single Master, Fan Out

LDAP Replication

Advanced Replication (Database)

Full replication

Peer to peer

Multimaster

Single master by changing all but one to read only

Uses the database to do the replication

Uses command line tools to configure this

remtool

Use it for configuring the advanced replication

Modify or reset replication Bind DN password

Displaying various errors and status information for change log propagation

Convert advanced replication to LDAP replication

Setting up Replica - Command Line

Copy database for new instance; not recommended

Bootstrapping is the better option

What is bootstrapping?

Supplier Node and Replica Node

Use remtool to copy metadata from supplier to replica

Set up the replication with the Replication wizard

Replica Using Replication Wizard

Fusion Middleware Control

Access Manage Replication

Select Replication type

Follow remaining steps Oracle Docs

Bootstrapping issues

Cannot have both the replica and the supplier system in bootstrap mode (orclreplicastate: 1 = normal operation; 0 = bootstrap)

A number of issues in My Oracle Support for bootstrap

Fusion Middleware and Managing OID

Cannot be done if OID is not part of a WLS domain

Fusion Middleware Control uses SSL

Can't start from Console without Nodemanager

To connect use http://host:port/odsm

EM Console

Start ODS

EM Main OIM

Connect ODSM

Sign In

Command Line

Domain Home to manage the Admin Server

Instance Home to manage the OID Server

opmnctl to control the OID server

/oracle/Middleware/IDMinst_1/bin/opmnctl

ods_process_status

OIDMON polls a table to check the system

Can be used by other scripts to monitor OID

WLST

Weblogic Scripting Tool

Jython based

MBeans

wls:/offline> connect('weblogic','weblogic','t3://localhost:8001')

Weblogic Server Version

The following might be useful when installing a new product to an existing server:

grep version registry.xml

Questions

[email protected]
http://www.pacificdbms.com.au

Tell us what you think

http://feedback.insync10.com.au