Introduction to Enterprise Identity Management

(LESSON09)

SUMMARY

Managing Customized Oracle Application Server Topologies

(Deployment Topologies)

Oracle Application Server Components:

• OracleAS Infrastructure components:

• OracleAS Metadata Repository

• Oracle Net Listner

• OID and the OID monitor

• Oracle HTTP server (OHS)

• OC4J Delegated Administration Service (DAS) instance

• OracleAS Single Sign-On

• Distributed Configuration Management (DCM)

• Oracle Middle-Tier Components:

• HTTP Server

• J2EE container (Active servlets, JSPs, EJBs, etc.)

• Portal

• Wireless

• Business Intelligence

• Forms

• Reports

Oracle provides great flexibility in deploying an application server.

• Installation options:

• Installation of Oracle Identity Management (IM) only with an existing OracleAS Metadata Repository on a same or different host.

• Installation of OracleAS Metadata Repository only to not register it with the Oracle Internet Directory (OID) in an IM installation.

• Installation of multiple IM installations pointing to the same Metadata Repository (Rack-Mounted Directory Server Configuration)

• Topology options:

• Java Developers (General Development Topologies)

• Install the J2EE and Web Cache (OC4J)

• Install Oracle JDeveloper

• Portal and Wireless developers

• Install Portal and Wireless - HOME1

• Install Identity Management (OID, SSO, and Metadata Repository) – HOME2 *** Metadata Repository is a collection of the PORTAL, OID, and SSO schemas.

• Forms and Reports developers

• Install Business Intelligence and FORMS (BI) - HOME1

• Install Identity Management (OID, SSO, and Metadata Repository) – HOME2

• Integration architects and process modelers

• Install J2EE and Web Cache (OC4J) - HOME1

• Install Identity Management (OID, SSO, and Metadata Repository) – HOME2

• Enterprise Data Center Topology – Multiple departments share the same data center.

• Departmental Topology – each department hosts their application with more servers.

• Development Life Cycle Support topology (Development, test and production)

• Cold Fialover Cluster (Special Topologies)

• Real Application Clusters (RAC)

• Identity Management Replication

Why Identity Management

Identity management is the set of steps by which users are created or managed in an enterprise. A user can access to the web application, database, operating system, legacy system, and directory. You can also:

• Provision users for an application (creation, suspension, and deletion)

• Manage user permissions in applications

• Manage profile information such as application preferences, passwords, and personal identification numbers (PINs)

• Personalize applications for individual users such as portals.

Synchronization and Provisioning

Oracle Identity Management use directory integration to integrate OIM with other third party identity management. It provides two different integration services such as synchronization and provisioning. With synchronization service, you can synchronize the Oracle Internet Directory (OID) server with other third-party directories. With provisioning services, you can notify the Lightweight Directory Access Protocol (LDAP)-enabled applications of any changes in the OID server.

Oracle Identity Management: Terminology

Identity, Entitlements, Authentication, Authorization, Identity database, Security principals, Identity management policies, Centralized assertion services, Identity provisioning, Account provisioning, Authorization policies, Identity administration, Policy decision services, Identity management realms, Identity policy assertion services

Tools to manage the Oracle Identity Management (LDAP)

• Oracle Enterprise Manager Application Server Control (http://host:7777)

• Oracle Delegated Administration Services (DAS) (http://host:7777/oiddas)

• Oracle Enterprise Manager Control (http://host:1156)

• Oracle Application Server Portal (http://host:7777/pls/portal)

• Oracle Application Server Discoverer (http://host:7777/discoverer/plus)

• Oracle Enterprise Manager Database (http://host:7777/em)

• Check the ports at the $ORACLE_HOME/install/portlist.ini file

• Oracle Internet Directory Tool ($ ./dmadmin)

• Oracle Process Management and Notification Server ($ORALCE_HOME/opmn/bin/opmnctl)

• Oracle Distributed Configuration Management ($ORACLE_HOME/dcm/bin/dcmctl)

Enterprise Data Center Topology:

External Client from internet access to intranet – outside of DMZ Firewall (De-Militarized Zone)

• External Clients can access to OracleAS using Load Balancer by HTTP/HTTPS through DMZ Firewall

• Load Balancer sends the request to the following servers:

• (One or more servers) containing Web Cache, Oracle HTTP Server, mod_oc4j (for load balancing and failover-using J2EE application only to access to database), mod_plsql (using SQLNet {plsql programs} to access to database), Business Intelligence and Forms (using OC4J_PORTAL to access to database).

• RAC for customers database

• (One or more servers) containing Oracle HTTP Server and OC4J (for Single Sign-On and Delegated Administration Services {SSO, DAS} to access to OracleAS Metadata Repository which can be on one or more separate servers.)

• RAC for your Metadata Repository

Important Questions to know about Identity Management

Why does an administrator need to use identity management?

-         Lower costs of user administration

-         Improves user provisioning

-         Centralizes management of security policies and authorizations

-         Provides better security using Centralized processing

-         Scalable administration through delegation

What are the users’ benefits for using identity management?

-         Improves productivity by using quick access to an application

-         Improves usability with a single user identity and credentials, and application personalization

Name the different components of Oracle Identity management.

-         Oracle Internet Directory

-         OracleAS Single Sign-On Server

-         Delegated Administration Services

-         OracleAS Certificate Authority

-         Directory Integration Service

-         Directory Provisioning Service

What does the “Authentication” term mean in OID?

It is the process by which an application or a security system ascertains whether the entity is one what it claims to be.

What does the “Authorization” term mean in OID?

It is the process by which an application or a security system ascertains the entitlements of a network entity or a user.

What does the “Account Provisioning” mean in OID?

It is the process of creating an account for a given application and managing the account’s entitlements to allow and control its access to the resources managed by the application.

What does the “Identity Management Realm” mean in OID?

It is a collection of identities and associated policies, which is typically used when enterprises want to isolate user populations and enforce different identity management policies for each population. The various identity management realms created are not hierarchical but are at the same level.

How can a user get a certificate from the OCA server?

A user can get a certificate from the OCA server by using any of the following methods:

-         Authenticating using Oracle AS Single Sign-On username and password

-         Authenticating using secure sockets layer (SSL), by using an existing certificate issued by the CA

-         Traditional administrative review and approval

What is the “Delegated Administration Services (DAS)” web?

It is a set of individual, predefined Web-based services called Delegated Administration Service units. Delegated Administration Service units perform directory operations on behalf of a user. DAS makes it easier to develop and deploy administration solutions for OID-enabled applications. You can use DAS to delegate certain functions to an administrator or a user.