OAM EDG Training

Post on 30-Oct-2015

Description: Oracle Access Manager, EDG, training

Transcript

  • Oracle Access Manager 11g R2: Advanced Administration 4 - 1

    Schedule (timing / topic):
    minutes  Lecture
    minutes  Practice
    minutes  Total

  • Oracle Access Manager 11g R2: Advanced Administration 4 - 2

    Using Action Verbs for Objectives

    In the slide, use the introductory phrase "After completing this lesson, you should be able to" followed by a colon. Use action verbs to introduce each bulleted objective. Your choice of action verb depends on the content of the lesson:

    - If the content is designed to cover facts and terms, use such verbs as identify, choose, select, match, label, list, and so on.
    - If the content is designed to teach a concept, use such verbs as identify, choose, select, indicate, match, classify, and so on.
    - If the content is about application of knowledge or execution of a procedure or process, use such verbs as use, run, create, modify, construct, drop, and so on.
    - For detailed and high-level content, use such verbs as conclude, analyze, separate, compare, contrast, justify, differentiate, perform, and so on.

  • Oracle Identity and Access Management has two main functions: user provisioning and access management. The Enterprise Deployment Guide is a solution for implementing Oracle Identity and Access Management in an enterprise and has the following features:

    - Main components deployed: Oracle Access Manager (OAM), Oracle Identity Manager (OIM), and Authorization Policy Manager (APM).
    - Support for different identity stores, including Oracle Internet Directory, Oracle Unified Directory, and Oracle Virtual Directory. Oracle Virtual Directory can be used to support third-party directories or to provide multi-directory support.
    - All components are highly available.
    - SSL is terminated at the load balancer.
    - OAM and OIM are deployed into different domains to separate administrative tasks from operational tasks.
    - Directories are deployed into independent domains. This allows directories to be patched independently of Oracle Access Management components, which removes the need to ensure that products are certified with infrastructure components from a different product set and makes patching easier. It is also likely that enterprises already have an enterprise identity store (LDAP), which can be reused.

  • If you are using load balancers to frontend the Identity Management environment, you must

    configure virtual servers and associated ports on the load balancer for different types of

    network traffic and monitoring. These virtual servers should be configured to the appropriate

    real hosts and ports for the services running. Also, the load balancer should be configured to

    monitor the real host and ports for availability so that the traffic to these is stopped as soon as

    possible when a service is down. This ensures that incoming traffic on a given virtual host is

    not directed to an unavailable service in the other tiers.
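The behaviour described above (a virtual server mapped to real hosts and ports, with the real services monitored so that traffic stops reaching a member as soon as it is down) is sketched here as an added example; it is not code from the training material or from Oracle. The example also covers the later point that the LDAP port on the load balancer is redirected to the non-privileged port of each directory instance. The host names, VIP, ports, thresholds and probe outcomes are constructed for the example; a real load balancer implements the same mark-down/mark-up logic with its own monitor configuration.

```python
"""Load-balancer virtual server with availability monitoring of its real hosts.

Added illustration, not code from the training material: it models a virtual
host:port (here the LDAP VIP on port 389) mapped to real directory instances
listening on a non-privileged port, and a monitor that takes a member out of
rotation after consecutive failed probes and returns it after consecutive
good ones. Host names, ports, thresholds and probe outcomes are constructed.
"""
import itertools
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# A probe returns True when the real host answered on the real port.
Probe = Callable[[str, int], bool]


@dataclass
class Member:
    """One real host:port behind the virtual server."""
    host: str
    port: int
    healthy: bool = True
    failures: int = 0   # consecutive failed probes
    successes: int = 0  # consecutive successful probes


@dataclass
class VirtualServer:
    """A virtual IP/port on the load balancer and the pool it forwards to."""
    name: str
    vip: str
    vport: int
    members: List[Member]
    fall: int = 2   # failed probes in a row before a member is marked down
    rise: int = 3   # good probes in a row before it is put back in rotation
    _rr: "itertools.cycle" = field(init=False, repr=False)

    def __post_init__(self) -> None:
        self._rr = itertools.cycle(range(len(self.members)))

    def monitor(self, probe: Probe) -> List[Member]:
        """Run one monitoring pass over every member; return those whose state flipped."""
        changed = []
        for m in self.members:
            if probe(m.host, m.port):
                m.successes += 1
                m.failures = 0
            else:
                m.failures += 1
                m.successes = 0
            if m.healthy and m.failures >= self.fall:
                m.healthy = False
                changed.append(m)
            elif not m.healthy and m.successes >= self.rise:
                m.healthy = True
                changed.append(m)
        return changed

    def route(self) -> Optional[Member]:
        """Next healthy member in round-robin order; None when the whole pool is down."""
        for _ in range(len(self.members)):
            m = self.members[next(self._rr)]
            if m.healthy:
                return m
        return None


def simulate() -> Tuple[List[Tuple[int, str, str]], List[Optional[str]]]:
    """Drive the monitor through six passes with constructed probe outcomes.

    LDAPHOST1 always answers; LDAPHOST2 answers once, fails twice, then
    recovers. Returns (state-change log, host chosen for a request each pass).
    """
    vs = VirtualServer(
        name="idstore.example.com", vip="10.0.0.10", vport=389,
        members=[Member("LDAPHOST1.example.com", 1389),
                 Member("LDAPHOST2.example.com", 1389)],
    )
    host2_outcomes = iter([True, False, False, True, True, True])

    def probe(host: str, port: int) -> bool:
        return True if host.startswith("LDAPHOST1") else next(host2_outcomes)

    log, chosen = [], []
    for tick in range(6):
        for m in vs.monitor(probe):
            log.append((tick, m.host, "UP" if m.healthy else "DOWN"))
        picked = vs.route()
        chosen.append(picked.host if picked else None)
    return log, chosen


if __name__ == "__main__":
    for entry in simulate()[0]:
        print(entry)
```

The `fall`/`rise` thresholds are the usual trade-off: a low `fall` stops traffic to a failing directory quickly, a higher `rise` keeps a flapping instance out of rotation until it has answered several probes in a row. When every member is down, `route()` returns `None`, which is the case the notes warn about: the virtual host must not silently forward to an unavailable tier.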

    Fusion Applications: Install and Configure Identity Management 2 - 4

  • The directory tier provides the LDAP services. The directory tier stores identity information

    about users and groups. This tier includes products such as Oracle Internet Directory, Oracle

    Unified Directory, and Oracle Virtual Directory. The directory tier is closely tied with the data

    tier.

    In some cases, the directory tier and data tier might be managed by the same group of

    administrators. In many enterprises, however, database administrators own the data tier while

    directory administrators own the directory tier.

    The directory components such as Oracle Unified Directory, Oracle Internet Directory and

    Oracle Virtual Directory are installed on LDAPHOSTs. LDAP requests are distributed among

    these servers using a hardware load balancer.

    If you store the identity details in a directory other than Oracle Internet Directory or Oracle Unified Directory, you can use either:

    - Oracle Virtual Directory, to present that information, or
    - Oracle Directory Integration Platform, to synchronize the users and groups from the other directory to Oracle Internet Directory.

    If you are using Oracle Internet Directory exclusively, you do not need to use Oracle Virtual

    Directory or Oracle Unified Directory.

  • Directory Tier (continued)

    If you store your identity information in Oracle Unified Directory, this information is stored locally

    in a Berkeley database. To ensure high availability, this information is replicated to other Oracle

    Unified Directory instances using Oracle Unified Directory replication.

    The directory tier is typically protected by firewalls; applications above it access LDAP services through a designated LDAP host and port. The standard LDAP ports are 389 for the non-SSL port and 636 for the SSL port. LDAP services are often used for white-pages lookups by clients such as email clients in the intranet. Ports 389 and 636 on the load balancer are typically redirected to the non-privileged ports used by the individual directory instances.

  • The application tier is where Java EE applications are deployed. Products such as Oracle

    Identity Manager, Oracle Directory Integration Platform, Oracle Directory Services Manager

    and Oracle Enterprise Manager Fusion Middleware Control are the key Java EE components

    that are deployed in this tier. Applications in this tier benefit from the High Availability support

    of Oracle WebLogic Server.

    OAM Server, Oracle Adaptive Access Manager, Oracle Identity Manager, and SOA can be run in active-active mode; these servers communicate with the data tier at run time.

    The WebLogic Administration Server is a singleton component and can be deployed in an

    active-passive configuration. If the primary fails or the Administration Server on one host

    does not start, the Administration Server on the secondary host can be started. If a WebLogic

    managed server fails, the node manager running on that host attempts to restart it.

    The Identity Management application tier applications interact with the directory and data tiers as follows:

    - They leverage the directory tier for enterprise identity information.
    - They leverage the database tier for application metadata.

    WebLogic Server has built-in web server support. If enabled, the HTTP listener exists in

    the application tier as well. However, for the enterprise deployment shown, customers

    have a separate web tier relying on web servers such as Oracle HTTP Server.

  • The HTTP Servers are deployed in the web tier. Most of the Identity Management

    components can function without the web tier, but to support enterprise-level single sign-on by

    using products such as Oracle Single Sign-On and Oracle Access Manager, the web tier is

    required.

    Components such as Oracle Enterprise Manager Fusion Middleware Control and Oracle

    Directory Services Manager can function without a web tier. They can also be configured to

    use a web tier, if desired.

    In the web tier:

    - Oracle HTTP Server, WebGate (an Oracle Access Manager component), and the mod_wl_ohs module are installed. The mod_wl_ohs module enables requests to be proxied from Oracle HTTP Server to a WebLogic Server that is running in the application tier.
    - WebGate in Oracle HTTP Server uses Oracle Access Protocol (OAP) to communicate with Oracle Access Manager. WebGate and Oracle Access Manager are used to perform operations such as user authentication.

  • These are the typical hardware requirements. For each tier, carefully consider the load,

    throughput, response time and other requirements to plan the actual capacity required. The

    number of nodes, CPUs, and memory required can vary for each tier based on the

    deployment profile. Production requirements may vary depending on applications and the

    number of users. For detailed requirements, or for requirements for other platforms, see the

    Oracle Fusion Middleware Installation Guide for that platform.

  • Configuring virtual servers (IP addresses and host names) on physical machines enables you

    to efficiently move the services from one configured environment to another.

    A virtual IP address is an unused IP Address, which belongs to the same subnet as the host's

    primary IP address. It is assigned to a host manually and Oracle WebLogic Managed servers

    are configured to listen on this IP Address. In the event of the failure of the node where the IP

    address is assigned, the IP address is assigned to another node in the same subnet, so that

    the new node can take responsibility for running the managed servers assigned to it.
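The virtual IP rules above (an unused address in the same subnet as the host's primary address, assigned to one node, and moved to another node of the same subnet when that node fails so the managed servers listening on it can be restarted there) are worked through below as an added example; it is not code from the training material or from Oracle. Node names, addresses and prefix lengths are constructed, and the manager only models the assignment decision; on a real host the address would additionally be added to or removed from the interface by the operating system.

```python
"""Virtual IP assignment and failover among nodes of one subnet.

Added illustration, not part of the training material: a virtual IP is an
unused address in the same subnet as a host's primary address, assigned to
that host so that the managed servers listening on it can follow the VIP to
another node of the same subnet when the host fails. Node names, addresses and
prefix lengths are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Node:
    """A physical host, its primary address and the prefix length of that interface."""
    name: str
    primary_ip: str
    prefix_len: int
    up: bool = True

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_interface(f"{self.primary_ip}/{self.prefix_len}").network


class VipManager:
    def __init__(self, nodes: List[Node]) -> None:
        self.nodes = {n.name: n for n in nodes}
        self.owner: Dict[str, str] = {}            # vip -> node currently holding it
        self.servers: Dict[str, List[str]] = {}    # vip -> managed servers listening on it

    def _in_use(self, vip: str) -> bool:
        # A VIP must be unused: neither already assigned nor some node's primary address.
        return vip in self.owner or any(n.primary_ip == vip for n in self.nodes.values())

    def assign(self, vip: str, node_name: str, managed_servers: List[str]) -> None:
        """Bind a VIP to a node after checking it is unused and in that node's subnet."""
        node = self.nodes[node_name]
        addr = ipaddress.ip_address(vip)
        if addr not in node.network:
            raise ValueError(f"{vip} is not in {node.name}'s subnet {node.network}")
        if self._in_use(vip):
            raise ValueError(f"{vip} is already in use")
        self.owner[vip] = node_name
        self.servers[vip] = list(managed_servers)

    def fail_node(self, node_name: str) -> Dict[str, Optional[str]]:
        """Mark a node down and move each VIP it held to another up node in the same subnet.

        Returns vip -> new owner (None when no eligible node exists, in which case
        the managed servers on that VIP stay unavailable until a node returns).
        """
        self.nodes[node_name].up = False
        moved: Dict[str, Optional[str]] = {}
        for vip, holder in list(self.owner.items()):
            if holder != node_name:
                continue
            addr = ipaddress.ip_address(vip)
            eligible = [n for n in self.nodes.values() if n.up and addr in n.network]
            if eligible:
                self.owner[vip] = eligible[0].name
                moved[vip] = eligible[0].name
            else:
                del self.owner[vip]
                moved[vip] = None
        return moved


def demo() -> Dict[str, Optional[str]]:
    """Constructed two-subnet layout: OAM hosts in 10.0.1.0/24, an OIM host in 10.0.2.0/24."""
    mgr = VipManager([
        Node("OAMHOST1", "10.0.1.11", 24),
        Node("OAMHOST2", "10.0.1.12", 24),
        Node("OIMHOST1", "10.0.2.11", 24),
    ])
    mgr.assign("10.0.1.21", "OAMHOST1", ["WLS_OAM1"])
    mgr.assign("10.0.1.22", "OAMHOST2", ["WLS_OAM2"])
    # WLS_OAM1's VIP must land on OAMHOST2, never on OIMHOST1 in the other subnet.
    return mgr.fail_node("OAMHOST1")


if __name__ == "__main__":
    print(demo())
```

The subnet check is the part worth keeping in mind when planning addresses: a VIP that is only reachable from one host's subnet cannot fail over to a node in another subnet, so the candidate nodes for a managed server must share the subnet of every VIP that server listens on.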

    You must configure several virtual servers and associated ports on the load balancer for

    different types of network traffic and monitoring. These virtual servers should be configured to

    the appropriate real hosts and ports for the services running. Also, the