gettingtoknow oid v2

Upload: mohammad-zaheer

Post on 04-Jun-2018

TRANSCRIPT

  • 8/13/2019 GettingToKnow OID v2

    Slide 1/42

    Oracle Internet Directory 11g
    Oracle Directory Integration Platform 11g
    Oracle Authentication Services for OS 11g
    Olaf Stullich, Product Manager

  • Slide 2/42

    The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.

  • Slide 3/42

    Agenda
    - Overview
    - Architecture
    - Future Roadmap
    - Demo
    - Q&A

  • Slide 4/42

    Oracle Fusion Middleware (diagram)

  • Slide 5/42

    Oracle Identity Management: Oracle + Sun Combination

    Oracle Platform Security Services
    - Access Management*: Access Manager, Adaptive Access Manager, Enterprise Single Sign-On, Identity Federation, Entitlements Server
    - Identity Administration: Identity Manager
    - Directory Services: Directory Server EE, Internet Directory, Virtual Directory
    - Identity & Access Governance: Identity Analytics
    - Operational Manageability: Management Pack for Identity Management

    *Access Management includes Oracle OpenSSO STS and Oracle OpenSSO Fedlet

  • Slide 6/42

    Oracle Directory Services Strategy: The complete picture (diagram)

  • Slide 7/42

    Oracle Directory Services Strategy

    A complete offering of directory virtualization, storage and synchronization solutions
    - Virtual directory for enterprise standard identity access layer
    - Highly scalable directory servers for storage and consolidation
    - Meta directory capabilities enable synchronization
    - Support on-premise and in-the-cloud scenarios

    Directory data access
    - OVD virtualization and Directory Proxy Server (DPS) to converge

    Directory data storage and synchronization
    - DSEE for heterogeneous environments
    - OID for Oracle environments
    - Directory Integration Platform (DIP) for meta-directory synchronization

  • Slide 8/42

    OID Overview
    - LDAP storage built upon Oracle database
    - Fully functional meta directory with Directory Integration Platform (DIP) component
    - Integrated into Oracle Fusion Middleware and applications
    - High performance and scalability with 2-billion-entry benchmark
    - Maximum availability with multi-layer HA including LDAP replication and Oracle RAC etc.
    - Extreme security with Database Vault and encryption in addition to LDAP access control

  • Slide 9/42

    Agenda
    - Overview
    - Architecture
    - Future Roadmap
    - Demo
    - Q&A

  • Slide 10/42

    Components of Oracle Internet Directory (diagram)

  • Slide 11/42

    Understanding OID in OFM (diagram)

  • Slide 12/42

    Oracle Internet Directory Architecture (diagram)
    - Core components: Oracle Internet Directory, Directory Replication Server, Directory Integration Server
    - Connected directories: Novell eDirectory, Sun JSDS, Microsoft AD, MS AD LDS, OpenLDAP, Tivoli Directory Server
    - Management and consumers: Oracle Directory Services Manager, Oracle FMW Control, Applications

  • Slide 13/42

    Oracle Internet Directory Node
    - One or more LDAP server processes
    - One Replication Server only per node
    - DB can be on same node
    - Oracle Process Manager and Notification Server (OPMN) invokes oidmon as required
    - OID Monitor initiates, monitors, and terminates the LDAP and replication server processes
    - Oracle Directory Services Manager administers OID or OVD; it is installed locally with OID / OVD or on a remote node

  • Slide 14/42

    Scalability

    Unique server architecture
    - Multi-threaded using DB connection pooling
    - Multi-processing to utilize existing CPUs
    - Multi-instance directory server using multiple HW nodes

    - Scalability with the number of CPUs in SMP HW architectures
    - Scalability with the number of nodes in HW cluster architectures
    - Scalability to terabytes of directory data
    - Best performance on very large groups (>1M users)
    - High speed bulk tools

  • Slide 15/42

    Two Billion Entries Benchmark

    Specification
    - Single Directory Information Tree, single Directory Server instance
    - OID v10.1.4.0.1, Oracle Database v10.2.0.3
    - SGI Altix 4700 server: 32 x 1.6 GHz dual-core Itanium 2 processors, 256 GB RAM
    - SGI IS4500 RAID array
    - SLAMD load generation test tool

    Results
    - Data loaded in 5 hrs, DB indexing in 19.5 hrs
    - 100,000+ LDAP search ops/sec with 2.5 msec average latency
    - 80,000+ LDAP authentications/sec with 9 msec average latency
    - 14,000 LDAP update ops/sec with 16 msec average latency
    - 99,000+ ops/sec with 16,000 concurrent clients

    Conclusion
    - High speed data load
    - High throughput of LDAP operations with low latency for both read and write operations
    - Scalable to very large directory sizes
    - Scalable to 10s of thousands of concurrent clients
    - Ability to scale on large hardware (CPUs, RAM)
    - Superior data management capabilities

  • Slide 16/42

    Performance: Start Small
    - Low HW requirements (chart: hardware vs. entries in the directory)
    - E.g. manage Oracle databases in OID
    - Use existing DB HW and scale as needed
    - No need to switch directory service when requirements saturate the HW: upgrade HW as needed and leverage OID's flexible deployment architecture
    - Use OID Server Cache, usually for small deployments (less than 300K entries)
    - No cluster configuration used

  • Slide 17/42

    High Availability

    Most comprehensive set of HA configurations
    - Local HA: Active/Passive OID cluster configuration; Active/Active OID cluster configuration; local Data Guard
    - Geographic HA and Disaster Recovery: multi-master replication; Data Guard based DR configuration

    Sample High Availability Environment (diagram)

  • Slide 18/42

    When to Choose OID Cluster
    - Local active/active availability on multiple hardware nodes
    - Scalability of IdM on more than one hardware node
    - Oracle RAC database for availability, scalability and manageability of the directory store
    - Solutions that require protection from node failure

  • Slide 19/42

    OID HA: Directory Replication
    - Multi-Master Replication: no practical limit on the number of replicas
    - LDAP and database replication
    - LDAP replication: flexible, very granular approach to select naming contexts; wizard based setup from Enterprise Manager FMW Control; not supported for Oracle SSO
    - Fan-out Replication: read-only and updateable replicas
    - Fractional and Partial replication: subset of MMR

  • Slide 20/42

    When to Choose Replication?
    - Low entry cost for IdM HA deployment
    - Customer looking for Rolling Upgrade support
    - Requirements for IdM with geographic availability
    - Solutions that do not require HA of all Application Server components, only of IdM

  • Slide 21/42

    OID Data Security

    Database Vault Integration: restrict DBAs from accessing OID data directly from the database
    - ODS Protection Realm, Multi-Factor Authorization, Separation of Duty, Command Rules, Reports

    Transparent Data Encryption Integration: prevent unauthorized data retrieval from file systems
    - Secure LDAP attributes in OID: configurable list of encrypted attributes

    Benefits: enhanced security, improved compliance

  • Slide 22/42

    11g Deployment Accelerators

    How to improve administrator productivity?
    - Roll out new service quickly
    - Reduce administrative learning curve
    - Simplify complex admin tasks
    - Limit number of tools to use

    Leverage: Oracle Directory Services Manager (ODSM)
    - Manages OID and OVD
    - Use intelligent wizards and templates for replication, sizing and tuning, directory synchronization, presenting user and group information
    - Accessible via FMW console

  • Slide 23/42

    11g EM FMW Control & ODSM

    FMW console
    - Homepage with vital system statistics
    - Customizable dashboard
    - ODSM accessible via FMW console or standalone

    ODSM
    - Used for specific LDAP related tasks: user creation, schema management, security management

  • Slide 24/42

    11g Auditing
    - Suite-wide auditability
    - ECID propagation
    - Audit records in DB schema
    - Out-of-box reports using BI Publisher
    - Policies for: user sessions, authorization, data access, account management, LDAP entry access

  • Slide 25/42

    11g Logging
    - Suite wide log message format
    - Diagnostic logging information: OID, OID replication server, DIP
    - Flexible logging options / levels
    - View trace messages by severity and order of importance
    - Execution Context Identifier (ECID) propagation

  • Slide 26/42

    Directory Integration Platform
    - Oracle Internet Directory: central repository for identities & support for external authentication
    - Directory Integration Server: executes a set of connectors for synchronization
    - Connector support for: MS AD, AD LDS, Sun Java Enterprise Directory, Novell eDirectory, IBM Tivoli, OpenLDAP and custom agents
    - Used for synchronization between OID and other directories
    - DIP Profiles: templates for data mapping / transformation

  • Slide 27/42

    Directory Integration Platform (Synchronization)
    - Time for action: application deployment time. Directory synchronization is needed for connected directories requiring synchronization with OID
    - Communication direction: either one-way or two-way, that is, either from Oracle Internet Directory to connected directories, the reverse, or both
    - Type of data: any data in a directory
    - Examples: Oracle Human Resources, Oracle DB, Microsoft Active Directory, Sun Enterprise Directory, Novell eDirectory

  • Slide 28/42

    Enterprise User Security
    Oracle Authentication Services for Operating Systems (OAS4OS)
    Use Cases

  • Slide 29/42

    Enterprise User Security
    - User management for compliance: centralized user management; map users to shared database schemas; requires Oracle Directory Services
    - Enterprise roles: centralized user role management
    - Authentication methods: password, Kerberos (Microsoft, MIT), PKI (X.509v3)
    - Heterogeneous directory support: Oracle Virtual Directory connectivity to Active Directory, Sun, Novell

  • Slide 30/42

    EUS with OID and AD Integration (diagram)

  • Slide 31/42

    Oracle Authentication Services for OS

    What is it?
    - End-to-end centralized authentication solution
    - Built on open interfaces without proprietary agents
    - Automated integration with directory services

    What are the key benefits?
    - Manage users centrally using existing tools and processes
    - Reduce risk by centralizing audit logs, ensuring accountability for changes to accounts and privileges
    - Improve compliance by ensuring consistent password policies and account locking across systems
    - Obliterate identity data silos by integrating directly with application and database security mechanisms

  • Slide 32/42

    Oracle Authentication Services for OS (architecture)
    - End-to-end centralized authentication solution
    - Built on open interfaces without proprietary agents: PAM_LDAP, NSS_LDAP
    - Automated integration with directory services
    - Automated user migration tools from local files and NIS servers

  • Slide 33/42

    Key Functions
    - Scripts to automate client configuration, including SSL
    - Easy migration from Linux/Unix files
    - Easy migration from NIS to LDAP
    - Centralized password policies and lockout control support
    - UID and GID uniqueness and provisioning support
    - Centralized sudo policy management
    - Active Directory integration
    - Cross platform support: Linux (Red Hat and Oracle Enterprise Linux, SUSE Linux), Unix (Solaris, HP-UX, AIX)
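    One piece of the files-to-LDAP migration and the UID/GID uniqueness check listed on this slide, as an added example that is not the OAS4OS migration tool's own code: it converts /etc/passwd and /etc/shadow records into the RFC 2307 posixAccount/shadowAccount LDIF that PAM_LDAP/NSS_LDAP clients consume, skips local system accounts, and reports a duplicate uidNumber instead of loading it. The base DN, the 1000 UID cutoff and the sample records are constructed assumptions.

```python
# Constructed sample records in /etc/passwd and /etc/shadow format (not real accounts).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice Example:/home/alice:/bin/bash
bob:x:1002:1002:Bob Example:/home/bob:/bin/sh
carol:x:1001:1003:Carol Example:/home/carol:/bin/bash
dave:x:1004:1004:Dave Example:/home/dave:/bin/bash
"""
SHADOW = """\
root:*:18000:0:99999:7:::
alice:$6$salt$constructedhash1:18100:0:90:7:::
bob:$6$salt$constructedhash2:18100:0:90:7:::
carol:$6$salt$constructedhash3:18100:0:90:7:::
dave:!locked:18100:0:90:7:::
"""
BASE_DN = "dc=example,dc=com"  # assumption: OID naming context that holds POSIX accounts
MIN_UID = 1000                 # assumption: system accounts below this stay in local files

def passwd_to_ldif(passwd_text, shadow_text):
    """Return (ldif_entries, problems) using RFC 2307 posixAccount/shadowAccount.
    A duplicate uidNumber is reported, not loaded: nss_ldap resolves numeric ids
    through the directory, so two users sharing a UID would share file ownership
    on every client the OAS4OS scripts point at OID."""
    shadow = {}
    for line in shadow_text.splitlines():
        if line.strip():
            f = line.split(":")
            shadow[f[0]] = f[1:6]          # hash, lastchange, min, max, warn
    seen, entries, problems = {}, [], []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        name, _, uid, gid, gecos, home, shell = line.split(":")
        uid = int(uid)
        if uid < MIN_UID:
            continue                      # local system account, not migrated
        if uid in seen:
            problems.append(f"uidNumber {uid} shared by {seen[uid]} and {name}")
            continue
        seen[uid] = name
        pw = shadow.get(name, ["*"])[0]
        if not pw or pw[0] in "*!":
            problems.append(f"{name}: locked or passwordless, not migrated")
            continue
        entries.append("\n".join([
            f"dn: uid={name},ou=People,{BASE_DN}",
            "objectClass: top", "objectClass: person", "objectClass: posixAccount", "objectClass: shadowAccount",
            f"uid: {name}", f"cn: {gecos or name}", f"sn: {gecos.split()[-1] if gecos else name}",
            f"uidNumber: {uid}", f"gidNumber: {int(gid)}",
            f"homeDirectory: {home}", f"loginShell: {shell}",
            f"userPassword: {{crypt}}{pw}",           # existing crypt hash reused as-is
            f"shadowLastChange: {shadow[name][1]}", f"shadowMax: {shadow[name][3]}",
        ]))
    return entries, problems
```

    With the sample data, alice and bob become entries while carol (UID collision with alice) and dave (locked account) are reported as problems to resolve before the LDIF is loaded into OID.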

  • Slide 34/42

    Agenda
    - Overview
    - Architecture
    - Future Roadmap
    - Demo
    - Q&A

  • Slide 35/42

    Oracle Identity Management Roadmap Timelines
    - 11gR1 (July 2009): Internet Directory, Virtual Directory, Identity Federation, Web Services Manager, Platform Security Services
    - 11g Patchset 2 (April 2010): Internet Directory, Virtual Directory, Identity Federation, Web Services Manager, Platform Security Services
    - 11g Patchset 3 (Jan 2011): Internet Directory, Virtual Directory, Identity Federation, Web Services Manager, Platform Security Services
    - 11g Patchset 4 (H2 CY2011): Internet Directory, Virtual Directory, Identity Federation, Web Services Manager, Platform Security Services

  • Slide 36/42

    11gR1 OID/DIP Patchset 2

    OID
    - Security enhancements (e.g. support configurable set of hashed attributes, log client IP address for change ops)
    - Server enhancements (e.g. preserve case for attributes, new attributes (lastloginattempt, lastloginsuccess), fine grained statistics, enhanced logging for requested attributes)
    - Replication server (e.g. fine grained replication frequency at seconds level)

    DIP
    - Support for OID SSL mode 2 (mutual authentication)
    - CLI export and import profiles (test to production)
    - Integration of DIPTESTER advanced mode

    ODSM
    - UI enhancement to manage list of secure attributes and hashed attributes

  • Slide 37/42

    11gR1 Patchset 2: Oracle Authentication Services for OS
    - Full integration with Fusion Middleware Release 11g R1 PS2
    - Extended client OS support
    - New configuration scripts to enable PAM proxy user based access to OID for enhanced security
    - Easy configuration of OID SSL using customer provided certificates for production deployments, or use of self signed certificates to test OID SSL connections
    - Restricting client access based on IP address
    - Easy reset of client configuration to support testing

  • Slide 38/42

    OID/DIP 11gR1 Patchset 3

    OID
    - New LDAP protocol features (e.g. memberof support, additional controls)
    - Performance and scalability enhancements (e.g. footprint reduction, RAC write optimization)
    - Security enhancements (e.g. IP based access control, new hashing and encryption schemes SHA2, AES)
    - Replication enhancements (e.g. LDAP MMR rolling upgrade support)

    DIP
    - OOTB diagnostic enhancements (aka DIPTESTER)
    - 32/64bit password filter availability in software media

    ODSM
    - SSO using OAM

  • Slide 39/42

    OID / DIP Patchset 4 (planned features)

    OID
    - Exadata support: initial integration and benchmark
    - Performance improvement: priority replication, automatic OID tuning
    - OAS4OS uptake: SSL automation tool
    - HA/LDAP failover support
    - ODSEE support

    DIP
    - DSEE sync, OIA synchronization support
    - Bi-directional DB synchronization, additional DB connectors

  • Slide 40/42

    Agenda
    - Overview
    - Architecture
    - Future Roadmap
    - Demo
    - Q&A

  • Slide 41/42

    Demos
    - EM Fusion Middleware Control
    - Oracle Directory Services Manager
    - Oracle Authentication Services for Operating Systems (short)
    - Oracle Authentication Services for Operating Systems (long, available on OTN)
    - Directory Integration Platform (OID ODSEE)
    - Database Management
    - Enterprise User Security

    Demo links
    http://adc2100029.us.oracle.com:7001/em
    http://adc2100029.us.oracle.com:7005/odsm
    http://d/PM/Viewlet/DSS-ODS-demo-2010-OAS4OS-OID/dssodsdemo2010oas4osoid_viewlet_swf.html
    http://www.oracle.com/technetwork/middleware/id-mgmt/learnmore/oas4os11113demo-196337.swf
    http://d/PM/Viewlet/DSS-ODS-demo-2010-OID-DIP/dssodsdemo2010oiddip_viewlet_swf.html
    http://d/PM/Viewlet/DSS-ODS-demo-2010-DBMgMt-OID/dssodsdemo2010dbmgmtoid_viewlet_swf.html
    http://d/PM/Viewlet/DSS-ODS-demo-EUS-OID/dssodsdemoeusoid_viewlet_swf.html

  • Slide 42/42