Con8833 access at scale for hundreds of millions of users final

Copyright © 2012, Oracle and/or its affiliates. All rights reserved.

Venugopal Shastri and Selva Neelamegam's OOW2013 presentation

Transcript of Con8833 access at scale for hundreds of millions of users final

Page 2:

Access at Scale for Hundreds of Millions of Users

Venugopal Shastri, Senior Principal Product Manager, IDM

Selva Neelamegam, PMTS, IDM Performance

Page 3:

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

Page 4:

Program Agenda

Overview & Key Capabilities

Architecture & Deployment

Best Practices

250 Million User Benchmark

Customer Panel

Page 5:

Overview & Key Capabilities

Page 6:

Why Is Scalability So Crucial For Access?

Large enterprises with global workforce.

Massive Internet deployments – E-Commerce, Government Services, etc.

Access is mission-critical. Authentication is often the first, critical step.

Device Multiplier Effect. Hit the same access infrastructure.

Enabling social media further increases traffic.

Page 7:

ORACLE ACCESS MANAGEMENT 11G IS THE MOST COMPREHENSIVE AND SCALABLE ACCESS MANAGEMENT SOLUTION IN THE MARKET TODAY

Oracle Access Management

Page 8:

Access for NextGen Extranet

Scales to hundreds of millions of external users

Ability to secure mobile access for external users

Support for federated users as well as leading social providers

Real-time risk analytics & fraud prevention

Lightweight user management and self-service

[Figure: Extranet focus areas: Federation & Social Identity, Self Service, Internet Scalability, Extranet User Mgmt, Mobile Security]

Page 9:

Architecture & Deployment

Page 10:

Architecture & Deployment

Server infrastructure – 100% Java solution

Deployed on a J2EE container like Oracle WebLogic Cluster

Coherence provides distributed caching within a cluster

Horizontal scalability achieved via

– Addition of Nodes to the Cluster within a data center

– Multi-data center Deployment

Tuned and benchmarked on Oracle Exa platform

Page 11:

Deployment Overview

[Diagram: Deployment Overview. Components: User; Administrator; Resource; Webgates on webservers (acting as PEP); Access Mgmt cluster containing Access Manager Runtime Servers (acting as PDP) and Access Mgmt Admin Server (acting as PAP); Policy Store; User Store; Audit Logs. Arrow labels: Tries to access; Intercepts & Enforces Policies; OAP; Allow Or Deny; Manages Policies; Stores Policies; Reads Policies; Authenticates against; Stores Audit Info.]

Page 12:

Deployment Overview – With Mobile

Mobile clients accessing same server infrastructure

[Diagram: Client Layer with Web Gates, Mobile SDK and OWSM in front of the Access Mgmt cluster, which contains Access Manager Runtime Servers (acting as PDP) and Access Mgmt Admin Server (acting as PAP). Other components: Policy Store; User Store; Audit Logs. Arrow labels: Stores Policies; Reads Policies; Authenticates against; Stores Audit Info.]

Page 13:

Scaling up within a Data Center

[Diagram: Admin Console on Admin Server; Access Mgmt Node 1, Node 2 ... Node N, with Access Mgmt deployed on a WebLogic Cluster; Policy Store (Stores Policies, Read Policies) and User Store (Authenticate against); Clients: Webgate 1, Webgate 2, SDK Client 1, SDK Client 2 ... Client N. Connection labels: Primary Server, Secondary Server.]

Page 14:

Scaling up within a Data Center

[Diagram: Admin Console on Admin Server; Access Mgmt Node 1, Node 2 ... Node N, with Access Mgmt deployed on a WebLogic Cluster; Policy Store (Stores Policies, Read Policies) and User Store (Authenticate against); Clients: Webgate 1, Webgate 2, SDK Client 1, SDK Client 2 ... Client N. A Load Balancer sits between the clients and the Access Mgmt nodes.]

Page 15:

Coherence for Distributed Caching

Completely integrated with Access Management

Provides high-performance distributed caching

Keeps user session data in sync across cluster nodes

Page 16:

Session Management & Performance

Server Session Management

– Advanced session management across nodes via Coherence-based caching.

– Excellent, reliable performance.

– Recommended for most deployments, especially internal ones where rich session management features are desirable.

Client Session Management

– Essentially stateless. Session managed via browser cookies.

– Higher performance compared to Coherence-based approach. Lightweight.

– May be appropriate for very large internet deployments where advanced server-side session management may not be required.

Page 17:

Multi Data Center Deployment - Conceptual

Supports Active - Active, Active - Passive or Active - Hot Standby deployments

Enables seamless user SSO across data centers with session continuity

Independent but identical WebLogic domains in each data center

Follows Master-Clone configuration. Policy and configuration changes synchronized from Master to Clones.

Behavior is configurable based on Session Adoption Policy

– Re-authentication Required

– Remote Session Invalidation

– On-Demand Session Data Retrieval

Page 18:

Multi Data Center Deployment - Conceptual

[Diagram: a Global Load Balancer in front of the Access Mgmt Cluster in the New York Data-Center (Master) and the Access Mgmt Cluster in the London Data-Center (Clone), shown as Synchronized. User 1 (Based in US) carries an OAM ID Cookie with Cluster=NYCluster; User 2 (Based in Europe) carries an OAM ID Cookie with Cluster=LonCluster. Route labels: Active, Active, Stand-by, Stand-by.]

Page 19:

Multi Data Center Deployment - Conceptual

[Diagram: a Global Load Balancer in front of the Access Mgmt Cluster in the New York Data-Center (Master) and the Access Mgmt Cluster in the London Data-Center (Clone), with User 1 (Based in US) and User 2 (Based in Europe). The New York Data-Center is overloaded or down, so the GLB routes to the London Data-Center and an OAM ID Cookie with Cluster=NYCluster arrives at Cluster=LonCluster. Decision points shown: Re-authenticate User? Retrieve Remote Session Data? (Back-channel OAP call) Continue if retrieval fails? Invalidate Remote Session?]
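The failover decision on this slide, modeled as an added example; it is not Oracle's code or configuration syntax. The policy field names, the `fetch_remote` callback standing in for the back-channel OAP call, and the order in which the four questions are evaluated are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional, Tuple


class Outcome(Enum):
    LOCAL_SESSION = 1         # cookie was issued by this cluster
    REAUTHENTICATE = 2        # challenge the user for credentials again
    ADOPTED_WITH_DATA = 3     # new local session seeded with remote data
    ADOPTED_WITHOUT_DATA = 4  # new local session, remote data unavailable


@dataclass(frozen=True)
class AdoptionPolicy:
    # Hypothetical settings, one per question on the failover slide.
    reauthenticate: bool
    retrieve_remote_session: bool
    continue_if_retrieval_fails: bool
    invalidate_remote_session: bool


def adopt_session(cookie_cluster: str, local_cluster: str, session_id: str,
                  policy: AdoptionPolicy,
                  fetch_remote: Callable[[str, str], dict],
                  ) -> Tuple[Outcome, Optional[dict], bool]:
    """Return (outcome, session data, whether to invalidate the remote session).

    fetch_remote stands in for the back-channel OAP call and raises
    ConnectionError when the issuing data center cannot be reached.
    """
    if cookie_cluster == local_cluster:
        return Outcome.LOCAL_SESSION, None, False
    if policy.reauthenticate:
        # Strictest setting: a session created elsewhere is never trusted.
        return Outcome.REAUTHENTICATE, None, False
    data = None
    if policy.retrieve_remote_session:
        try:
            data = fetch_remote(cookie_cluster, session_id)
        except ConnectionError:
            if not policy.continue_if_retrieval_fails:
                # Fail closed: no session data, so ask the user again.
                return Outcome.REAUTHENTICATE, None, False
    outcome = Outcome.ADOPTED_WITH_DATA if data else Outcome.ADOPTED_WITHOUT_DATA
    return outcome, data, policy.invalidate_remote_session


# Constructed stand-ins for the back-channel call to the New York cluster.
def ny_reachable(cluster: str, session_id: str) -> dict:
    return {"user": "user1", "created_in": cluster}


def ny_down(cluster: str, session_id: str) -> dict:
    raise ConnectionError(f"{cluster} unreachable")
```

In this model, enabling `continue_if_retrieval_fails` lets the receiving cluster accept the cookie without seeing the session state held by the issuing cluster, so that setting trades assurance for availability.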

Page 20:

Multi Data Center Deployment - Detailed

Page 21:

Multi Data Center Deployment - Detailed

Page 22:

Scaling across Data Centers

Page 23:

Best Practices for Large Deployments

Page 24:

Best Practices for Large Deployments

Modeling resources appropriately

– Use Excluded over Anonymous, HTTP caching directives, etc.

Using Agent Caches to improve latency

– 11g Agents significantly improve on 10g

Ensuring fast network connections between Web, Middleware and Data Tiers

– Scale out requires matching Web Tier scale out and tuning

Tuning the default Agent and Server settings

– OAP/LDAP Connection Mgmt, Caching

Page 25:

Best Practices for Large Deployments

Follow MAA Deployment Patterns

Use of Load Balancers for HTTP, OAP and LDAP

– Leverage hardware acceleration of Crypto and SSL, if available

Leveraging metrics to proactively address issues

– DMS Metrics, EM Grid Control Monitoring

Page 26:

250 Million User Benchmark

Page 27:

Benchmark Summary

Oracle Access Manager (OAM) and Oracle Adaptive Access Manager (OAAM) were tested to serve extreme loads with 250 million users seeded in the Oracle Internet Directory (OID) and Oracle Database.

Mid-tiers were deployed on Oracle Exalogic hardware with Oracle Exalogic Elastic Cloud Software (EECS) and Database on Oracle Exadata hardware.

Demonstrated the ability of the IDM products to serve extreme loads when deployed on Exalogic (EL) and Exadata (ED) hardware.

Identified the scalability characteristics for OAM and OAAM on EL and ED.

Page 28:

OAM Test Cases & Topology

Test Cases

To demonstrate the linear scale out, one, two and three server tests were run.

To demonstrate the linear scale up, controlled tests with 4, 8, 16 physical cores as well as 32 logical cores (16 physical cores with hyper-threading) were run on a single server.

Page 29:

OAM Scale Out Benchmark

Results

Besides the strong functional improvements and enhancements, OAM showed great performance and linear scaling on multiple EL nodes.

3 EL nodes can support up to 16.4 Million Logins/Hour

[Chart: OAM Login Scale Test. Y-axis from 0 to 18,000,000; bars: One Server 7.7M, Two Server 12.5M, Three Server 16.4M.]

Page 30:

OAM Scale Up Benchmark

Results

This test was run by limiting the number of cores available to the operating system on a single Exalogic server.

OAM shows a linear scale up in 4, 8, 16 and 32* core testing.

* 16 physical cores with hyper-threading to 32 logical cores

[Chart: Logins/Seconds (y-axis, 0 to 2200) against CPU % (x-axis, 0 to 100); series: 4 Core, 8 Core, 16 Core, 32 Core*.]

Page 31:

OAAM Test Cases & Topology

Test Cases

To demonstrate the linear scale out, one and two server tests were run.

Tests were also run with one OAAM server and two OAAM servers in the same EL node.

Page 32:

OAAM Benchmark Results

Results

Besides providing an innovative, comprehensive feature set to help organizations prevent fraud and misuse, OAAM shows very robust performance.

2 EL nodes can support up to 20.6 Million Transactions/Hour

[Chart: y-axis from 0 to 20,000,000; bars: 1EL - 1OAAM 11M, 1EL - 2OAAM 12.3M, 2EL - 2OAAM 18.3M, 2EL - 4OAAM 20.6M.]

Page 33:

Software

• OS: Oracle Linux Server release 5.8 (Tikanga)

• Exalogic Elastic Cloud Software (EECS) 2.0.4.0.0

• Exalogic Optimized WebLogic Server 10.3.6.0

• JRockit jdk1.6.0_37-R28.2.5-4.1.0

• Oracle Traffic Director (OTD) 11.1.1.7.0

• Oracle HTTP Server (OHS) 11.1.1.7

• OAM 11.1.2.1

• OAAM 11.1.2.1

• Oracle Internet Directory (OID) 11.1.1.7

Page 34:

Hardware

Exalogic (X3-2) - ¼ Rack

• Eight Compute Nodes (Intel® Xeon® CPU E5-2690; 2x8 core @ 2.90GHz; 256GB RAM)

• Total 128 Compute Cores

• Total 2TB Compute Node Memory

• One ZFS Storage 7320 Clustered Configuration

• High-Speed InfiniBand Internal Network

• 42RU Rack Exposure

Exadata (X3-2) - ¼ Rack

• Two Compute Nodes (Intel® Xeon® CPU E5-2690; 2x8 core @ 2.90GHz; 256GB RAM)

• Total 512GB Memory

• Disk Controller HBA with 512MB Battery Backed Write Cache

• 4 x 300 GB 10,000 RPM Disks

• 2 x QDR (40Gb/s) Ports

• 2 x 10 Gb Ethernet Ports based on the Intel 82599 10GbE Controller

• 3 x Exadata Storage Servers X3-2 with 36 CPU cores for SQL processing, 12 x PCI flash card with 4.8 TB Exadata Smart Flash Cache and 36 x 600 GB 15,000 RPM High Performance disks or 3 TB High Capacity disks

Page 35:

Conclusion

The OAM & OAAM Scale Up & Scale Out benchmark tests showcased the extreme scalability and performance over a huge user base of over 250 million users.

Illustrated the linear scalability characteristics for OAM and OAAM on EL and ED hardware.

Page 36:

Customer Panel Discussion

Page 37:

Customer Panel

Nirmal Rahi – Solution Architect, College Board

Chirag Andani – Senior Director, Identity Management Services, Oracle IT

Page 38:

Q & A

Page 39:

Oracle Fusion Middleware

Business Innovation Platform for the Enterprise and Cloud

Complete and Integrated

Best-in-class

Open standards

On-premise and Cloud

Foundation for Oracle Fusion Applications and Oracle Cloud

[Diagram: Web, Social, Mobile; User Engagement; Identity Management; Business Process Management; Content Management; Business Intelligence; Service Integration; Data Integration; Development Tools; Cloud Application Foundation; Enterprise Management]

Page 40:

Innovation Awards

Lam Research Theater (Next to Moscone North)

Session ID: CON8082

Session Title: Oracle Fusion Middleware: Meet This Year’s Most Impressive Innovators

Venue / Room: YBCA - Lam Research Theater

Date and Time: Monday Sep 23, 4:45 - 5:45 p.m.

18 Winners Across Eight Categories

Page 41:

Join the Oracle IDM Community

oracle.com/identity

Twitter: twitter.com/OracleIDM

Facebook: facebook.com/OracleIDM

Blog: blogs.oracle.com/OracleIDM

Page 42:

Don’t miss these IDM Sessions

CON4535 Monday 09/23, 4:45PM

Moscone West, Room 2012

200M: Real World Large Scale Access and Directory Deployment at Verizon

Verizon Wireless

CON8834 Tuesday, 09/24, 3:45PM

Moscone West, Room 2018

Attract new customer and users by leveraging Bring Your Own Identity (BYOI)

Forest Yin, Oracle

CON8837 Wednesday 09/25, 11:45AM

Moscone West, Room 2018

Leverage Authorization to Monetize Content and Media Subscriptions

Roger Wigenstam, Oracle

CON8836 Thursday 09/26, 11:00AM

Moscone West, Room 2018

Leveraging the Cloud to simplify your Identity Management implementation

Guru Shashikumar, Oracle

CON9024 Thursday 09/26, 2:00PM

Moscone West, Room 2018

Next Generation Optimized Directory - Oracle Unified Directory

Etienne Remillon, Oracle
