Michael P. Mesaros, Uppili Srinivasan
Oracle Identity Management and Security, Oracle Corporation

Planning Your Oracle Identity Management Deployment
OracleWorld Paper 40207
Agenda
• Need for identity management
• Oracle Identity Management overview
• Why deploy Oracle Identity Management?
• Deployment process overview
• Deployment/planning steps
  • Requirement analysis
  • Logical design
  • Detailed deployment planning
• Summary and conclusions
Need for Identity Management
Web applications are great ...
• Inexpensive to develop
• Easy to deploy
• Access anywhere
BUT ...

Web application problems
• Administrative problems
  • Efficiently provisioning users for applications
  • Limited/no ability to delegate administration
• Usability problems
  • Different user names/passwords
  • Little/no personalization of portal content
• Security problems
  • Inconsistent password management policies
  • Fragmented security policy enforcement
The identity management solution
• Identity management is the process by which
  • Users are provisioned for enterprise applications
  • Application user roles and permissions are managed
  • Users manage profile information such as application preferences, passwords and PINs
  • Applications (such as Portals) are personalized for individual users
Oracle application environment (diagram)
• Supply chain mgmt
• Marketing & sales mgmt
• Service mgmt
• Financial mgmt
• Project mgmt
• HR mgmt
• Vertical applications ...

• Mail
• Voicemail
• Calendar
• Files
• iMeeting
• etc.

• HTTP server
• Web services
• Portal
• Web cache
• Forms
• Reports
• etc.

• Oracle Database
• Oracle Label Security

Oracle Identity Management requirements
• Enterprise integration
• High availability
• Scalability
• Security
• Integration with the Oracle product stack
• Support for standards
Oracle Identity Management infrastructure (diagram): Directory, Directory Integration, Provisioning Integration, Delegated Administration, Single Sign-On, Certificate Authority
Oracle Internet Directory
• Scalability
  • Millions of user entries on a single server
  • 1000's of simultaneous clients
• High availability
  • Multimaster replication
  • Oracle9i hot backup/recovery
• Security
  • Sophisticated security model based on access control lists
• Standards-based
  • Native LDAPv3 implementation
(Diagram: LDAP clients connect to the Oracle Internet Directory Server over LDAP or LDAP over SSL; the server reaches the Oracle Database over Oracle Net connections; Directory Administration)
Directory Integration and Provisioning (diagram)
• Provisioned applications: Portal, iFS, iAS Wireless, legacy apps. (Provisioning Integration Services, events delivered over PL/SQL over Oracle Net)
• Connected directories: ADS, iPlanet, etc. (Directory Synch. Services, polled over LDAP or file)
• Oracle Internet Directory
Oracle Delegated Administration Services
• New directory feature with Oracle9iAS V2
• Provides a consistent interface for directory content administration
• Administrative tool: supports application administration delegation
• End-user tool: set passwords, preferences, whitepages
Oracle Application Server Single Sign-On
• Provides single sign-on capability for all Oracle web-based applications
• Partner API and Kerberos support permit integration with other authentication services
• Built on Oracle technology
• HA deployments
• Leverages Oracle Internet Directory and Delegated Administration Services
Oracle Application Server Certificate Authority
• Key features
  • Out-of-the-box PKI solution; allows Oracle customers to secure their deployments
  • Easy provisioning of X.509v3 digital certificates
  • Web-based certificate management and administration
  • Seamless integration with Oracle Application Server Single Sign-On
  • High availability and scalability with Oracle10g and Oracle Internet Directory
Grid computing model (diagram): Workload & QOS Manager, Topology Manager, Policy Manager, Cross-Tier Routing, Resource Manager; BLADE FARM (Local Grid) with High Speed Interconnect and Dynamically Provisioned & Registered BLADES
Oracle Identity Management's role in grid computing
• Provisioning hardware in the network
• Provisioning applications on the grid
• Provisioning users for grid applications
Identity Management is essential to realizing the grid computing vision!
Oracle Identity Management: customer benefits
• Scalable, robust and integrated infrastructure
• Out-of-the-box deployment for Oracle products
• Single point of integration between Oracle and other identity management applications
• Open, standards-based infrastructure

Why Deploy Oracle Identity Management?
Identity management deployment options
• No infrastructure
• Deploy "local" infrastructure for Oracle applications
• Deploy enterprise-wide Oracle Identity Management infrastructure

No infrastructure
• All user identities managed locally by applications
• Suitable for development deployments
• Can be migrated to identity management infrastructure for production
• e.g. OracleAS OC4J instance with JAAS/XML
Deploy "local" infrastructure for Oracle applications
• Many Oracle products (e.g. Single Sign-On) require components of identity management infrastructure to be installed
• Possible scenarios
  • Pilot deployments
  • Integrating an isolated Oracle community with enterprise identity management services
  • Semi-independent departments
• OracleAS 10g has features to support this deployment model
  • Administration privilege model
  • Partial/fan-out replication
Deploy enterprise-wide infrastructure
• Recommended for supporting production enterprise deployments
• More planning typically required, however:
  • Faster deployment of additional applications
  • Centralized "professional" infrastructure administration
  • Centralized identity management across all Oracle applications in the enterprise
  • Standards-based identity management platform which is leveraged by other (non-Oracle) applications

Deployment Process Overview
Distributed systems security reference architecture (diagram): Users; Application with Audit, Protected Resources, Authorization, Authentication, Privacy (Application Security Services); Identity & Policy Store; Identity & Profile Assertion Services; Policy Decision Services; Identity Management Infrastructure; Administration & Provisioning

Deployment process overview (diagram): Enterprise Requirements → Requirement Analysis → Logical Deployment Plan → Deployment Planning → Physical Deployment Plan → Implementation and Deployment → Administration; new requirements based on deployment experience feed back into the cycle
Deployment example: Oracle Data Center
• Services for 40K employees worldwide
• Application environment
  • Employee portal, Oracle E-Business Suite, Oracle Collaboration Suite
  • Extranet environment
• Initial requirements
  • Unified identity management
  • Single sign-on across applications

Deployment Planning Steps

Requirements Analysis Phase
• Plan, deploy and administer responsibility
• Which components to deploy
• Information model
• Centralized security management
• Enterprise application
• Administrative autonomy
• Security isolation
• Third-party identity management integration
• High availability, scalability and performance
Requirement example: Oracle's extranet environment (diagram): Inside: employees, internal applications; Outside: customers, employees, partners; Company Portal (my.oracle.com) and shared applications span both
Logical deployment plan
• Translation of the enterprise requirements
• Answers questions such as:
  • How many identity management infrastructures to deploy?
  • Which components will be deployed, and where?
  • Deployment of replicated local instances?
  • How is it going to integrate with other enterprise repositories, provisioning systems and single sign-on services?

Logical deployment planning issues
• Standard enterprise model
• Serving internal and external users
• Administrative autonomy for departmental applications
• Integration with other identity management systems
Example: Security isolation using two infrastructures (diagram): an Internal Identity Management infrastructure (Single Sign-On, Delegated Administration, Directory, Directory Integration) serving internal users via Oracle Collaboration Suite, and a separate Extranet Identity Management infrastructure (Single Sign-On, Delegated Administration, Directory) serving external users via OracleAS Portal, with directory synchronization between the two directories

Example: User provisioning from Windows (diagram)
1 - "Add user" in the Windows environment
2 - User created in Microsoft ADS
3 - User synchronized with OID (Oracle Internet Directory)
4 - User provisioned in the Oracle environment (OracleAS Portal, OracleAS Single Sign-On, Oracle E-Business Suite Release 11i); Delegated Administration Console
Detailed deployment planning
• Directory information model (DIT)
• Identity Management Realms
• Physical network topologies
• High availability considerations
• Geographic distribution
• Certificate authority deployment

Example: Oracle Internet Directory Information Tree
root
  dc=com
    dc=oracle
      dc=amer
      dc=emea
      dc=apac
      dc=moc

Example: Physical Network Topology (diagram): clients behind BigIP; DMZ with 902 mid tier (sso/das, webmail/voice), iAS904 mid tier (SSO/DAS), OCSv1 and OCSv2 imap/smtp servers; OID servers with fan-out replication, ASR replication and fail-over server; SSO periodic exp/imp when new partner apps added; 2-node and 3-node RAC databases (amer, emea, apac, GIT, STMAIL); NetApp storage
Summary
• Identity management is critical for the deployment and management of enterprise applications and essential to grid computing
• Oracle includes a robust, scalable and integrated infrastructure for managing Oracle environments and more
• Oracle Identity Management provides a single point of integration to other identity management environments

For More Information
• See the forthcoming Oracle Identity Management Concepts and Deployment Planning Guide
  • Released with Oracle Application Server 10g (9.0.4)
• Oracle Technology Network
  • http://otn.oracle.com

Q & A