Hitachi ID Suite

Integration with

Oracle Database, Applications

Internet Directory (OID) and COREid

© 2016 Hitachi ID Systems, Inc. All rights reserved.

Contents

1 Introduction

2 Business Drivers for Integration

3 Managing Users and Passwords on Oracle Systems

3.1 Oracle Database

3.2 Oracle Applications and Oracle Financials

3.3 Oracle Internet Directory (OID)

3.4 Oracle COREid

4 Storing Hitachi ID Identity and Access Management Suite User Profile Data in an Oracle Database

5 Example Deployment Scenario

5.1 Network Environment

5.2 Password Management

5.3 User Provisioning

5.4 Access Audits

5.5 Requests to Access Shares, Folders and Printers

Hitachi ID Suite Integration with Oracle Products

1 Introduction

The Hitachi ID Identity and Access Management Suite is an integrated solution for identity administration and access governance. It streamlines and secures the management of identities, security entitlements and credentials across systems and applications. Organizations deploy the Hitachi ID Suite to strengthen controls, meet regulatory and audit requirements, improve IT service and reduce IT operating cost.

Hitachi ID Suite comprises Hitachi ID Identity Manager, to create, manage and deactivate user identities and entitlements; Hitachi ID Password Manager, to manage all user credentials; and Hitachi ID Privileged Access Manager, to secure access to privileged accounts.

Hitachi ID Suite includes pre-built integrations with a variety of Oracle software products, including:

• The Oracle Database Server.

• Oracle Applications, including Oracle Financials.

• Oracle Internet Directory (OID).

• Oracle (formerly Oblix) COREid.

The rest of this document describes these integrations, in terms of business value, technical details and an example deployment scenario.


2 Business Drivers for Integration

Most enterprises have deployed a variety of software products, running on different architectures, from different vendors. In such a heterogeneous environment, data about user identity and access rights is distributed between multiple systems and applications.

A heterogeneous environment is the norm for organizations that have deployed Oracle products, who often also have a Microsoft or Novell network operating system, ERP applications from SAP or PeopleSoft, groupware and e-mail from IBM or Microsoft, Unix servers, midrange servers or mainframes, and a variety of custom, vertical and ASP applications.

Distributed identity data is difficult to manage effectively, which creates cost and security problems, as illustrated in Figure 1.

(Diagram: business processes (Hire, Transfer, Retire, Resign, Fire, Start contract, Finish contract) and IT processes (New application, Retire application, Password expiry, Password reset) each connect separately to every system and application that holds users, passwords, groups and attributes: operating systems, directory, application, database, e-mail system, ERP, legacy app and mainframe.)

Figure 1: Managing Each Application in its own Silo

Hitachi ID Identity and Access Management Suite is designed to consolidate identity management processes, to reduce complexity and thereby make user administration timely and reliable. This is illustrated in Figure 2.


(Diagram: the same business processes (Hire, Transfer, Retire, Resign, Fire, Start contract, Finish contract) and IT processes (New application, Retire application, Password expiry, Password reset) now feed a single Identity and Access Management System, which in turn manages the operating systems, directory, application, database, e-mail system, ERP, legacy app and mainframe.)

Figure 2: Externalizing the Management of Identities and Entitlements


3 Managing Users and Passwords on Oracle Systems

Hitachi ID Identity and Access Management Suite is able to manage users and passwords on a wide variety of systems, including the following:

Directories: Any LDAP, AD, NDS, eDirectory, NIS/NIS+.

Servers: Windows 2000–2012, Samba, NDS, SharePoint.

Databases: Oracle, Sybase, SQL Server, DB2/UDB, ODBC, Informix, Progress.

Unix: Linux, Solaris, AIX, HP-UX, 24 more variants.

Mainframes: z/OS with RACF, ACF/2 or TopSecret.

Midrange: iSeries (OS400), OpenVMS.

ERP: JDE, Oracle eBiz, PeopleSoft, SAP R/3, SAP ECC 6, Siebel, Business Objects.

Collaboration: Lotus Notes, Exchange, BlackBerry ES.

Tokens, Smart Cards: RSA SecurID, SafeWord, RADIUS, ActivIdentity, Schlumberger.

WebSSO: CA SiteMinder, IBM TAM, Oracle AM, RSA Access Manager.

Help Desk: BMC Remedy, BMC SDE, ServiceNow, HP Service Manager, CA Unicenter, Assyst, HEAT, Altiris, Clarify, Track-It!, RSA Envision, MS SCS Manager.

HDD Encryption: McAfee, CheckPoint (PointSec), Microsoft (BitLocker), Symantec (PGP), Sophos SafeGuard (Sophos).

SaaS: Salesforce.com, WebEx, Google Apps, MS Office 365, Concur, AWS, vCloud, SOAP (generic).

Miscellaneous: OLAP, Hyperion, iLearn, Caché, Success Factors, VMware vSphere, Cisco IOS, Juniper JUNOS, F5, iLO cards, DRAC cards, RSA cards, etc.

Extensible: SSH, Telnet, TN3270, HTTP(S), SQL, LDAP, command-line.

Hitachi ID Suite includes specific integrations with the following Oracle products:

• The Oracle Database Server.

• Oracle Applications, including Oracle Financials.

• Oracle Internet Directory (OID).

• Oracle COREid.


3.1 Oracle Database

Hitachi ID Identity and Access Management Suite can bind to any Oracle Database server (any version) using SQL*Net and issue SQL and PL/SQL commands to enumerate users (SELECT), validate current passwords (test bind or SELECT) and reset passwords (ALTER USER, UPDATE or invoke a stored procedure).

The Hitachi ID Suite administrator can specify alternate SQL commands, so the connector can manage application passwords as well as database connect passwords.

Hitachi ID Suite connectors can create, delete, enable, disable, modify and rename system users in any specified Oracle Database server. New Oracle users are created by cloning existing ones, copying and adjusting their role memberships and tablespace rights in the process. The connector can also manage the membership of Oracle Database users in Oracle Database roles.

Oracle DBMS security roles are mapped to Hitachi ID Suite managed groups, so Hitachi ID Suite can manage role assignment using its built-in group-membership-management semantics.

The same Hitachi ID Suite connector that manages Oracle Database users can be configured with application-specific SQL code, in order to manage users defined wholly inside an application tablespace rather than as database-level users. All the same operations (create, delete, enable, disable, rename, change attribute, change group membership) are supported in this configuration, but are implemented via direct SQL calls or calls to stored procedures.

3.2 Oracle Applications and Oracle Financials

Hitachi ID Identity and Access Management Suite can manage passwords on Oracle eBusiness Suite by connecting to the Oracle Database server using SQL*Net and using the existing stored procedures on the server to update user profiles.

No agent software is installed on the Oracle Applications server or the back end database.

Hitachi ID Suite connectors can create, delete, enable, disable, modify and rename Oracle eBusiness Suite users in one or more instances of the Oracle eBusiness system. All the basic operations are supported by calling the appropriate PL/SQL user management stored procedures included by default in all Oracle Applications installations.
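The statements a connector of the kind described in 3.1 and 3.2 would send over SQL*Net, as an added example that is not Hitachi ID code. The catalogue rows are constructed stand-ins for the DBA_USERS, DBA_ROLE_PRIVS and DBA_TS_QUOTAS views the connector would SELECT from first; the identifier rule, the password length cap and the FND_USER_PKG.ChangePassword call for eBusiness Suite are assumptions to verify against the target release. The "test bind" password check (a fresh connection as the user) needs a live listener and is left out. The point worth taking away: CREATE USER, ALTER USER and GRANT are DDL and accept no bind variables, so user names and passwords end up inside the statement text and must be validated rather than escaped, whereas a stored-procedure call lets the password travel as a bind variable.

```python
"""Added example (not Hitachi ID code): SQL an Oracle user-management
connector would issue, built from catalogue rows it has already enumerated.
The rows below are constructed stand-ins for DBA_USERS, DBA_ROLE_PRIVS and
DBA_TS_QUOTAS; the password "test bind" needs a live listener and is omitted."""
import re

# Oracle's pre-12.2 unquoted-identifier rule (assumption: the site uses
# upper-case names only). Unsafe names are rejected, never escaped, because
# CREATE USER / ALTER USER / GRANT are DDL and take no bind variables.
_IDENT = re.compile(r"^[A-Z][A-Z0-9_$#]{0,29}$")


def is_safe_identifier(name):
    return bool(_IDENT.match(name))


def ident(name):
    """Quoted Oracle identifier, or ValueError for anything that could
    break out of the statement text."""
    if not is_safe_identifier(name):
        raise ValueError(f"unsafe identifier: {name!r}")
    return f'"{name}"'


def password_literal(pw):
    """Quoted value for IDENTIFIED BY. Oracle does not allow a double quote
    inside a password, so one in the input is either an injection attempt
    or a bug; reject it. The 30-byte cap is a policy assumption."""
    if not pw or '"' in pw or len(pw.encode()) > 30:
        raise ValueError("unusable password")
    return f'"{pw}"'


# Constructed sample catalogue (not real data).
DBA_USERS = {
    "ALICE": {"default_ts": "USERS", "temp_ts": "TEMP", "profile": "APP_PROFILE"},
}
DBA_ROLE_PRIVS = [  # (grantee, granted_role, admin_option)
    ("ALICE", "CONNECT", "NO"),
    ("ALICE", "APP_READ", "NO"),
    ("ALICE", "APP_ADMIN", "YES"),
]
DBA_TS_QUOTAS = [  # (username, tablespace_name, max_bytes); -1 is UNLIMITED
    ("ALICE", "USERS", -1),
    ("ALICE", "APP_DATA", 104857600),
]


def clone_user_sql(template, new_user, new_password,
                   users=DBA_USERS, roles=DBA_ROLE_PRIVS, quotas=DBA_TS_QUOTAS):
    """Statements that create new_user as a copy of template: same default
    and temporary tablespaces, profile, tablespace quotas and role grants
    (ADMIN OPTION preserved). The template's password is never copied."""
    t = users[template]
    stmts = [
        f"CREATE USER {ident(new_user)} IDENTIFIED BY {password_literal(new_password)}"
        f" DEFAULT TABLESPACE {ident(t['default_ts'])}"
        f" TEMPORARY TABLESPACE {ident(t['temp_ts'])}"
        f" PROFILE {ident(t['profile'])} ACCOUNT UNLOCK"
    ]
    for user, ts, max_bytes in quotas:
        if user == template:
            quota = "UNLIMITED" if max_bytes == -1 else str(max_bytes)
            stmts.append(f"ALTER USER {ident(new_user)} QUOTA {quota} ON {ident(ts)}")
    for grantee, role, admin in roles:
        if grantee == template:
            opt = " WITH ADMIN OPTION" if admin == "YES" else ""
            stmts.append(f"GRANT {ident(role)} TO {ident(new_user)}{opt}")
    return stmts


def reset_password_sql(user, new_password, expire=False):
    """Reset for a database-level user; PASSWORD EXPIRE forces a change at
    next login, the usual choice for a help-desk reset."""
    sql = f"ALTER USER {ident(user)} IDENTIFIED BY {password_literal(new_password)}"
    return sql + (" PASSWORD EXPIRE" if expire else "")


def set_enabled_sql(user, enabled):
    """Disable/enable maps to ACCOUNT LOCK/UNLOCK, not DROP USER."""
    return f"ALTER USER {ident(user)} ACCOUNT {'UNLOCK' if enabled else 'LOCK'}"


def set_role_member_sql(user, role, member):
    """Role membership treated as a managed group: GRANT adds, REVOKE removes."""
    return (f"GRANT {ident(role)} TO {ident(user)}" if member
            else f"REVOKE {ident(role)} FROM {ident(user)}")


def ebs_change_password_call(username):
    """eBusiness Suite users are managed through stored procedures, so the
    password can be a bind variable. Package/function name is
    FND_USER_PKG.ChangePassword as the author knows it (assumption: verify
    against your release). Returns the anonymous block and its bind names,
    to be filled in by a driver such as python-oracledb."""
    block = ("BEGIN :ok := CASE WHEN fnd_user_pkg.changepassword(:uname, :pw)"
             " THEN 1 ELSE 0 END; END;")
    return block, {"uname": username, "pw": None, "ok": None}
```

The connector account that runs these statements needs CREATE USER, ALTER USER and the ability to grant each role it copies; keep that account's own password in the Suite's credential store and restrict it to the listener addresses the Suite servers use, since it is a database administrator in all but name.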

3.3 Oracle Internet Directory (OID)

Oracle Internet Directory is a standards-compliant LDAP directory server.

Hitachi ID Identity and Access Management Suite manages passwords on LDAP v2 and LDAP v3 directories by directly binding to the LDAP or LDAPS service and issuing LDAP commands to modify user objects. The LDAP bind operation itself is used to validate current passwords and LDAP search is used to enumerate users.

Hitachi ID Suite connectors can create, delete, enable, disable, modify, rename and move LDAP users in any specified directory or OU. New LDAP users are created by cloning existing ones, copying and adjusting attributes in the process. The connector can also manage the membership of LDAP users in LDAP groups.
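The LDIF records an LDAP connector of the kind described above would hand to an add or modify operation after binding over LDAPS, as an added example that is not Hitachi ID code. The template entry is constructed, not a real search result; which attributes are skipped when cloning is this example's own policy, and the attribute names (orclguid, orclIsEnabled, objectGUID, entryUUID) are assumed from OID, AD and OpenLDAP schemas. Validating a password is a plain bind as the user's DN and needs a live server, so it is not shown.

```python
"""Added example (not Hitachi ID code): LDIF that an LDAP connector would
send for clone, password reset and enable/disable. TEMPLATE is a constructed
entry. NEVER_COPY is this example's policy; attribute names are assumptions."""
import base64

# Never copied from the template: its credential, plus operational
# attributes the server maintains itself and will reject or regenerate.
NEVER_COPY = {"userpassword", "orclguid", "objectguid", "entryuuid",
              "createtimestamp", "modifytimestamp", "creatorsname",
              "modifiersname", "pwdchangedtime", "memberof"}

# Attributes that name the person; each is replaced from new_identity.
IDENTITY_ATTRS = {"uid", "cn", "sn", "givenname", "mail", "displayname"}

# Constructed template entry, cn=Alice,ou=People,dc=acme,dc=com
TEMPLATE = {
    "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson"],
    "cn": ["Alice"], "sn": ["Smith"], "uid": ["alice"],
    "mail": ["alice@acme.com"], "departmentNumber": ["4100"],
    "userPassword": ["{SSHA}not-to-be-copied"],
    "orclguid": ["0123456789ABCDEF"],
    "createTimestamp": ["20160101120000Z"],
}


def ldif_line(attr, value):
    """One attribute line. RFC 2849: a value that is not plain ASCII, that
    contains NUL/CR/LF, that starts with space, ':' or '<', or that ends
    with a space goes out base64-encoded after a double colon."""
    raw = value if isinstance(value, bytes) else value.encode("utf-8")
    safe = (raw.isascii() and not any(b in raw for b in b"\x00\r\n")
            and not raw.startswith((b" ", b":", b"<")) and not raw.endswith(b" "))
    if safe:
        return f"{attr}: {raw.decode('ascii')}"
    return f"{attr}:: {base64.b64encode(raw).decode('ascii')}"


def clone_entry_ldif(template, new_dn, new_identity):
    """changetype: add for new_dn with the template's attributes minus
    NEVER_COPY and with identity attributes replaced. The new account gets
    no password here; reset_password_ldif() sets one as a separate operation."""
    lines = [f"dn: {new_dn}", "changetype: add"]
    for attr, values in template.items():
        key = attr.lower()
        if key in NEVER_COPY:
            continue
        if key in IDENTITY_ATTRS:
            if key not in new_identity:
                raise KeyError(f"clone needs a value for {attr}")
            values = [new_identity[key]]
        lines.extend(ldif_line(attr, v) for v in values)
    return "\n".join(lines) + "\n"


def reset_password_ldif(dn, new_password):
    """changetype: modify replacing userPassword. The new value crosses the
    wire in clear inside the session, which is why the connector binds
    over LDAPS rather than plain LDAP."""
    lines = [f"dn: {dn}", "changetype: modify", "replace: userPassword",
             ldif_line("userPassword", new_password), "-"]
    return "\n".join(lines) + "\n"


def set_enabled_ldif(dn, enabled):
    """Enable/disable on OID via orclIsEnabled (assumption: values ENABLED
    and DISABLED); on AD the same operation targets userAccountControl."""
    lines = [f"dn: {dn}", "changetype: modify", "replace: orclIsEnabled",
             f"orclIsEnabled: {'ENABLED' if enabled else 'DISABLED'}", "-"]
    return "\n".join(lines) + "\n"
```

Each record can be piped to ldapmodify against the target directory; the clone record is rejected by the server if the new DN already exists, which is the check that stops a duplicate account being created by a retried request.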


3.4 Oracle COREid

Hitachi ID Identity and Access Management Suite can target WebSSO / WebAM products, including native connector support for COREid. Hitachi ID Suite can also manage users and passwords on the LDAP directory that normally supports COREid.

This integration means that Hitachi ID Suite can synchronize and reset COREid passwords and can provision, update, move, deactivate and delete users on COREid.

Hitachi ID Suite can also authenticate incoming users through COREid, eliminating an extra sign-on step prior to password management or to access to the built-in COREid identity management workflow.

Finally, the Hitachi ID Suite fulfillment engine (a well documented, WSDL-supported SOAP service) can be attached to COREid, to allow the COREid workflow engine to target systems for which it does not have native support, such as ERP applications, mainframe systems, e-mail servers and more.


4 Storing Hitachi ID Suite User Profile Data in an Oracle Database

Hitachi ID Identity and Access Management Suite is able to manage user profile data externally, in an LDAP directory or Oracle Database.

Hitachi ID Suite includes batch data loading programs (e.g., to load user profiles, security questions, login ID aliases) and data extraction programs (e.g., to dump the contents of any table as a CSV file).

Hitachi ID Suite also includes a number of plug-in points that allow it to look up user profile data in an external database or directory at run-time, as required. These are used to externalize user profile data, for example to an LDAP directory, to Active Directory or to a database.

Finally, Hitachi ID Suite includes a number of plug-in points that allow it to update user profile data, such as identity attributes, login ID reconciliation or security questions, on an external directory or database, at run-time. Such updates are normally the result of user registration processes.

Putting this flexibility together, an example deployment might authenticate users signing into Hitachi ID Suite using their LDAP login ID and password, and store user profile data, such as a list of login IDs to various systems and security questions, in the same or another LDAP directory.


5 Example Deployment Scenario

The following scenario describes a fictitious organization, Acme Inc., that has deployed both Oracle and other, unrelated products as part of its IT infrastructure. Use of Hitachi ID Identity and Access Management Suite to streamline identity management is described.

5.1 Network Environment

Acme has 10,000 users, distributed across multiple offices and countries.

Major systems that all users log into include:

• Microsoft Active Directory (AD), including 20 domain controllers and 50 Windows file servers. 10,000 users.

• Microsoft Exchange, including 50 mail servers. 10,000 users.

• Oracle Financials.

• PeopleSoft HR.

• 200 home-grown applications, each of which has its own Oracle Database back-end, using native Oracle security.

• A VPN system, authenticating remote users against OID.

• A RAS dial-up system, authenticating remote users against AD.

5.2 Password Management

Users get advance warning of password expiry on Windows by e-mail, with an embedded URL to a web page where they can pre-emptively change all of their passwords. This is particularly helpful to remote and traveling users, who do not see the Windows password expiration notices at login time.

Whenever users change their AD password natively (e.g., Control-Alt-Del), Hitachi ID Password Manager automatically intercepts the change on the nearest DC and propagates it to all other accounts belonging to the same user, including Oracle Databases, Oracle Financials and OID.

If users forget their password, they access a self-service Password Manager web page, either from their desktop login prompt (login as HELP, no password, to get a hardened kiosk-mode web browser) or from another computer's web browser. They can authenticate by answering a random subset of 10 personal questions, and can then administratively reset their own forgotten password on any combination of their login accounts.

These processes are system-independent. With Password Manager deployed, users only have to remember one ID and password for all the systems they access. They use a single method to change all of their passwords and to resolve any password problems.


5.3 User Provisioning

New employees and contractors are provisioned with a variety of new accounts using Hitachi ID Identity Manager. Managers sign into the Acme Identity Manager web portal and submit requests to create new users. Requests are automatically routed to upper management and to application owners for approval. Approved requests trigger account creation.

When users leave the organization, either their managers or HR staff sign into Identity Manager and request access termination. These requests are again routed to appropriate managers to review and approve, and trigger access deactivation.

Auditors sign into the Identity Manager portal to generate security access reports: "who has what" and access change history.

Users sign into the Identity Manager portal to update personal information, such as their home phone number, and to request additional access rights, such as group membership to access shared files and folders. Some requests are automatically approved (self-service), while others are routed to suitable authorizers for review and approval.

The common thread in all of these processes is that they span every system in the network, including Oracle Databases, Oracle Applications and OID. The practice of managing each application in its own "silo" is eliminated, thereby making administration fast and simple.

5.4 Access Audits

Periodically, security managers launch an access certification round using Hitachi ID Access Certifier, a component of Hitachi ID Identity and Access Management Suite. Access Certifier uses org-chart data automatically pulled from PeopleSoft HR to identify managers, and sends each manager in the organization an e-mail, asking that manager to sign in and review the access privileges of their subordinates.

Managers receive automatic reminders until they actually do sign in and complete their certifications.

When they sign in, managers review a list of their direct subordinates and each of those users' security privileges. Managers either certify that each user or privilege is still appropriate, or ask that it be revoked. Managers are then required to sign off on their review, indicating completion. Sign-off is normally implemented by retyping their primary network password.

Managers cannot sign off until their subordinate managers have likewise done so. This creates downward pressure, starting from the CEO or CFO, to complete the process in order to comply with regulatory requirements.
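The review and sign-off rules just described, run over a constructed org chart and entitlement list, as an added example that is not Hitachi ID code. The org chart, the entitlements and the requirement that a partial review be rejected rather than accepted are this example's own assumptions; the two rules it implements are the page's: a manager decides every privilege of every direct report, and may sign off only after every subordinate manager has signed off.

```python
"""Added example (not Hitachi ID code): certification sign-off gating over a
constructed org chart (ORG) and entitlement list (ENTITLEMENTS)."""

# Constructed org chart: manager -> direct reports. Anyone who appears as
# a key is a manager; everyone else is an individual contributor.
ORG = {
    "ceo": ["cfo", "cto"],
    "cfo": ["fin_mgr"],
    "cto": ["ops_mgr"],
    "fin_mgr": ["fin1", "fin2"],
    "ops_mgr": ["ops1"],
}

# Constructed entitlements: user -> set of privileges (AD groups, Oracle
# roles and the like, as enumerated by the connectors).
ENTITLEMENTS = {
    "cfo": {"GL_ADMIN"}, "cto": {"DBA_ALL"},
    "fin_mgr": {"AP_APPROVER"}, "ops_mgr": {"DBA_ALL"},
    "fin1": {"AP_CLERK", "GL_ADMIN"}, "fin2": {"AP_CLERK"},
    "ops1": {"DBA_ALL", "VPN"},
}


def subordinate_managers(org, manager):
    return [r for r in org[manager] if r in org]


def blocked_by(org, manager, signed):
    """Subordinate managers whose sign-off this manager is still waiting
    on: the names a reminder e-mail should cite."""
    return [m for m in subordinate_managers(org, manager) if m not in signed]


def certify(org, entitlements, manager, decisions, signed):
    """Apply one manager's review. decisions maps each direct report to
    {privilege: "keep" | "revoke"} and must cover every report and every
    privilege; a partial review is rejected, not silently accepted.
    Returns (new signed set, list of (user, privilege) to revoke)."""
    blockers = blocked_by(org, manager, signed)
    if blockers:
        raise ValueError(f"{manager} cannot sign off; waiting on {blockers}")
    if set(decisions) != set(org[manager]):
        raise ValueError(f"{manager} must review exactly {org[manager]}")
    revoke = []
    for user, verdicts in decisions.items():
        if set(verdicts) != entitlements[user]:
            raise ValueError(f"incomplete review of {user}")
        revoke += [(user, p) for p, v in verdicts.items() if v == "revoke"]
    return signed | {manager}, revoke


def to_remind(org, signed):
    """Managers who still owe a review and are not waiting on anyone: the
    ones to chase now. Blocked managers get no reminder yet."""
    return sorted(m for m in org if m not in signed and not blocked_by(org, m, signed))


def campaign_complete(org, signed, root="ceo"):
    return root in signed
```

The revoke list is what feeds the provisioning workflow of 5.3; the reminder list starts at the bottom of the tree and moves up as sign-offs arrive, which is the "downward pressure" the text describes seen from the other end.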

5.5 Requests to Access Shares, Folders and Printers

With 50 file servers, hundreds of shares, hundreds of shared printers and thousands of shared folders, Acme users generate a substantial volume of requests to gain access to different network resources.

Technically, these are all requests for AD group membership, but users don't generally know that. Consequently, these requests are somewhat costly to service, as the process always starts by a support technician figuring out exactly which AD security groups a user requires, and then figuring out whose authority is needed to attach that user to that group.

By deploying Hitachi ID Group Manager, Acme is able to delegate the request input, authorizer routing and approvals processes to business users, eliminating any IT involvement in group membership management. Users browse the network, through the Group Manager web GUI, for resources including shares, folders, printers and mail distribution lists.

Users simply select a resource and an available set of privileges, which causes Group Manager to automatically find the appropriate group and authorizer, and submit a security change request into its workflow engine. Authorizers are asked to respond by e-mail, and respond via an authenticated and encrypted web page. Approved requests trigger user-group attachment and thank-you e-mails.

www.Hitachi-ID.com

500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725

Date: 2006-02-15 File: /pub/wp/documents/oracle/mtech-idm-suite-oracle-integration-2.tex