NOT PROTECTIVELY MARKED

Enterprise Architecture 2010
Reference Architecture: Secure Portal Framework
June 2010, Version 1.0
Editor: Mike Williams
Status: Issued
Date: 16 June 2010

HA Reference Architecture Secure Portal Framework

Document Control

Document Title: Reference Architecture – Secure Portal Framework
Author: Mike Williams
Owner: Ivan Wells
Distribution: General – SHARE and PartnerNET
Document Status: Issued

Revision History
Version 0.1, 1st December 2009: First draft (Mike Williams)
Version 1.0, 16th June 2010: Baseline issue (Mike Williams)

Forecast Changes (Version, Date, Description): no entries

Reviewer List
Ivan Wells: Reviewer
Various: External peer review

Approvals
Ivan Wells, Strategy and Architecture

Document References (Document Title, Document Links): no entries

03/03/2016 v1.0 Page 2 of 23

CONTENTS

1 Introduction (page 4)
1.1 Preamble (4)
1.2 Relationship to Reference Models (4)
2 Platform Independent Model (PIM) (8)
2.1 Summary Description and Overview (8)
2.2 Federated Portals (8)
2.3 Reverse Proxy (10)
2.4 Access Management (11)
3 Platform Specific Model (PSM) (14)
3.1 Portal Framework Overview (14)
3.2 WebCenter Components (14)
3.3 Reverse Proxy (15)
3.4 Access Management (16)

1 INTRODUCTION

1.1 Preamble

Reference architectures describe one or more Architecture Building Blocks for architectures in a particular domain. They also provide a common vocabulary with which to discuss implementations, often with the aim of stressing commonality. In Model-Driven Architecture (MDA) terms, they equate to Platform Independent Models (PIMs). These represent (potentially re-usable) components of business, ICT or architectural capability that can be combined with other building blocks to deliver architectures and solutions. Building blocks can be defined at various levels of detail, depending on which stage of architecture development has been reached. For instance, at an early stage a building block can simply consist of a name or an outline description in architecture models, which represents a placeholder for subsequent specifications. Later on, a building block may be decomposed into multiple supporting building blocks, each of which may then be accompanied by a full specification.
Reference Implementations are examples of software specifications. These are intended as a guide for Service Providers to develop concrete Solution Building Blocks (SBBs). In Model-Driven Architecture (MDA) terms, they equate to Platform Specific Models (PSMs). These PSMs are described as either Commercial-Off-The-Shelf (COTS) or Open Source Software (OSS). In this respect, the HA Technology Policies are aligned with the Cross-Government Enterprise Architecture (xGEA) Technical Policies. These specify that OSS components should be considered as viable building blocks wherever they can be shown to meet the business requirements and offer Value for Money (VfM). Actual product selections will therefore generally be determined through procurements and their evaluations of the Most Economically Advantageous Tenders (MEAT). Where such selections have already been made, the Reference Implementations are superseded by Level 2 (Physical) Technology Policies, which reinforce the use of those components. Some of these components will stem from a build-out, through re-use, of the HA's more recently acquired existing infrastructure assets and investments, such as in Business Intelligence. In all other cases, the PSMs will be based on OSS projects which implement the relevant Open Standards.

1.2 Relationship to Reference Models

This reference architecture describes a Secure Portal Framework for implementing Enterprise 2.0 services: the introduction and implementation within an enterprise of Web 2.0 technologies, including Rich Internet Applications (RIA), Software-as-a-Service (SaaS) and portal frameworks as a general platform. Similarly, Government 2.0 is an attempt to provide more effective processes for government service delivery to individuals and businesses (as with the G-Cloud). Describing this in terms of its relationship to Reference Models requires a number of views, as depicted in the diagrams below.
Figure 1 shows a functional mapping to the Delivery Interfaces Layer and Figure 2 to the Collaboration Layer of the EA Reference Model (EARM); note that the same technology framework is applied internally for Intranet-based applications and externally for the Extranet (PartnerNET). Figure 3 shows the framework from a common infrastructure viewpoint and Figure 4 relates it directly to the Technical Reference Model (TRM). Finally, Figure 5 expands this into a detailed layered/tiered view of an SOA, which shows that the Secure Portal Framework Reference Architecture mainly covers the Application Layer, with an emphasis on the Presentation Tier, together with its underlying infrastructure. The security elements, however, also touch other parts of the TRM.

Figure 1 - Relationship to EARM (1) - Sub-set of Delivery Interfaces Layer

Figure 2 - Relationship to EARM (2) - Sub-set of Collaboration Layer

Figure 3 - Relationship to EARM (3) - Sub-set of Service Infrastructure Layer

Figure 4 - Relationship to Technical Reference Model (TRM)

Figure 5 - Layered View of Services
2 PLATFORM INDEPENDENT MODEL (PIM)

2.1 Summary Description and Overview

The reference architecture for the Secure Portal Framework is based around Enterprise 2.0 technology, which includes social software such as blogs, wikis and other kinds of collaborative tools. The portal framework outlined in Figure 6 must have at least the following Enterprise 2.0 features:

o Portability across all major application servers and Servlet containers, databases, and operating systems.
o Uses the latest in Java, J2EE, and Web 2.0 technologies.
o Uses an open SOA framework.
o JSR-168/JSR-286 and Web Services for Remote Portlets (WSRP) 2.0 compliant.
o Out-of-the-box usability with a catalogue of portlets.
o Personalised pages for all users.
o AJAX-enabled user interface.
o Full Identity Management and secure Enterprise Single Sign-On (ESSO) integration.
o Granular role-based authorisations.

Figure 6 - Portal Framework Architecture

2.2 Federated Portals

2.2.1 As-Is Infrastructure Problem

The existing infrastructure is fragmented and there is a lack of integration between internal and external systems, which prevents "one version of the truth". This is illustrated in Figure 7.

Figure 7 - As-Is Infrastructure

Problems arising from this current infrastructure include:

o Duplication across multiple portals.
o No "one version of the truth" due to security restrictions: for example, a master document held in the SHARE repository is copied into PartnerNET as a snapshot in time, with no synchronisation of subsequent updates.
o Multiple user accounts with separate logins, passwords and user administration requirements.
o High administration and maintenance costs.
2.2.2 Proposed federated solution

Within the Reference Architecture, the proposed solution to the problems described above is to adopt a Federated Portal Architecture. Federated portals are:

o Distributed – Portlets are deployed on remote systems across the enterprise.
o Loosely coupled – The portal and its portlets do not depend upon one another. In most cases, remote portlets can be maintained and deployed separately from the main portal.
o Collaborative – Remote portlets can communicate and share data.
o Plug-and-Play – Remote portlets can easily be located and consumed, usually without coding.
o Standards based – Federated portals are built upon open standards such as WSRP, SOAP, WSDL and SAML.

Figure 8 illustrates the basic concepts of a federated portal, with producers and consumers as its component parts. A producer is a portal web application that offers remote portlets to other (consumer) portal web applications. Both producers and consumers implement a web services layer that enables them to communicate. This web services layer allows producers to offer portlets-as-a-service to consumers on remote systems. Consumers bring these remote, distributed portlets together at runtime. Each of the remote portlets may be developed and maintained by a different group of people.

Figure 8 - Concept of Federated Portals

This federated portal approach reflects the HA's Service Oriented Architecture (SOA). It does, however, rely upon a Web Services infrastructure, as shown in Figure 9.

Figure 9 - WSRP Architecture

This is also sometimes referred to as a Web Oriented Architecture (WOA), a style of software architecture that extends the Service-Oriented Architecture (SOA) paradigm to web-based applications.
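The standards listed above include SAML, which is also the basis of the partner federation described later under Oracle Identity Federation (3.4.5). The consuming side of that exchange is where portal integrations most often go wrong: a Service Provider that verifies an assertion's signature but not its conditions can be fed a perfectly valid assertion that was minted for a different site, or an old one replayed. The Python below is an added example, not code from this document or from Oracle, of the condition checks a Service Provider should apply once the XML signature has been verified (signature verification itself needs an XML-DSig library and is assumed to have succeeded). The entity IDs, URLs and the unsigned sample assertion are constructed for the example.

```python
"""Condition checks a SAML 2.0 Service Provider applies to a bearer
assertion after its signature has been verified (added example).

Signature verification needs an XML-DSig implementation and is assumed to
have already succeeded; everything below is the part that is commonly
skipped even when the signature is checked. Entity IDs, URLs and the
sample assertion are constructed for this example.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
SP_ENTITY_ID = "https://partnernet.example.gov.uk/sp"    # assumed SP entity ID
ACS_URL = "https://partnernet.example.gov.uk/saml/acs"   # assumed assertion consumer URL
TRUSTED_ISSUERS = {"https://idp.partner.example/idp"}   # assumed partner IdP
CLOCK_SKEW = timedelta(minutes=2)                        # tolerance between IdP and SP clocks


def _ts(value):
    """Parse a SAML UTC timestamp such as 2010-06-16T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, expected_request_id, now_utc, seen_ids):
    """Return (True, name_id) if every condition holds, else (False, reason).

    now_utc is the SP's current time in SAML timestamp format. seen_ids is the
    SP's store of assertion IDs already accepted; it is updated on success so
    the same assertion cannot be presented twice.
    """
    now = _ts(now_utc)
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML_NS:
        return False, "not a SAML 2.0 Assertion"
    assertion_id = root.get("ID")
    if not assertion_id or assertion_id in seen_ids:
        return False, "missing or replayed assertion ID"
    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer not in TRUSTED_ISSUERS:
        return False, "untrusted issuer %r" % issuer
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "no Conditions element"
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now + CLOCK_SKEW < _ts(not_before):
        return False, "assertion not yet valid"
    if not_on_or_after and now - CLOCK_SKEW >= _ts(not_on_or_after):
        return False, "assertion expired"
    # AudienceRestriction: an assertion issued for another SP is worthless here,
    # however good its signature.
    audiences = [a.text.strip() for a in
                 cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if SP_ENTITY_ID not in audiences:
        return False, "assertion was not issued for this SP"
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        return False, "no SubjectConfirmationData"
    if scd.get("Recipient") != ACS_URL:
        return False, "Recipient is not our ACS"
    # InResponseTo ties the assertion to an AuthnRequest this SP actually sent.
    if scd.get("InResponseTo") != expected_request_id:
        return False, "InResponseTo does not match an outstanding request"
    scd_expiry = scd.get("NotOnOrAfter")
    if scd_expiry and now - CLOCK_SKEW >= _ts(scd_expiry):
        return False, "subject confirmation expired"
    seen_ids.add(assertion_id)
    name_id = (root.findtext("saml:Subject/saml:NameID", namespaces=NS) or "").strip()
    return True, name_id


def sample_assertion(assertion_id="_a1", audience=SP_ENTITY_ID, in_response_to="_req42"):
    """Constructed, unsigned assertion used only to exercise the checks."""
    return f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="{assertion_id}"
    Version="2.0" IssueInstant="2010-06-16T10:00:00Z">
  <saml:Issuer>https://idp.partner.example/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID>user@partner.example</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="{ACS_URL}" InResponseTo="{in_response_to}"
          NotOnOrAfter="2010-06-16T10:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2010-06-16T09:59:00Z" NotOnOrAfter="2010-06-16T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


if __name__ == "__main__":
    accepted = set()
    print(validate_assertion(sample_assertion(), "_req42", "2010-06-16T10:01:00Z", accepted))
    print(validate_assertion(sample_assertion(), "_req42", "2010-06-16T10:01:00Z", accepted))
```

The order of the checks is deliberate: the replay store is consulted before anything else so that a replayed assertion is rejected even if an attacker has also tampered with its conditions, and the audience and InResponseTo checks are what stop a partner's assertion for one relying party being presented to another. In a real deployment seen_ids must be shared across all SP nodes and retained at least until the assertion's own NotOnOrAfter has passed.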
2.3 Reverse Proxy

A reverse proxy is a proxy server placed in front of Web servers. All connections from the Internet to one of the Web servers are routed through the proxy, which may either answer the request itself (from its cache) or pass it wholly or partially to the main Web servers, as shown in Figure 10.

Figure 10 - Communication via a Reverse Proxy

A reverse proxy dispatches in-bound network traffic to a set of servers, presenting a single interface to the caller. There are several benefits of reverse proxy servers:

1. Security: the proxy provides an additional layer of defence by terminating inbound connections and hiding the servers further up the chain. This is mainly obfuscation, and it only holds if the proxy is the sole path in: the origin tier must be firewalled to accept connections from the proxy alone, and the proxy must not give the origin away again through response headers or error pages.
2. Encryption and acceleration: on secure websites accessed via HTTPS, SSL/TLS termination is best offloaded from the Web server itself onto a reverse proxy equipped with SSL acceleration hardware. The caveat is that the hop from proxy to Web server is then in clear unless it is re-encrypted or confined to a protected network segment, and the application must be told by the proxy (not the client) that the external scheme is HTTPS, so that the links and cookies it generates are correct.
3. Load distribution: the reverse proxy can distribute the load across several servers, for scalability and resilience. Because the externally known hostnames differ from the internal addresses, the reverse proxy may have to rewrite the URLs in response headers and web pages (translation from externally known URLs to the internal addresses and back).
4. Caching: the reverse proxy can offload the Web servers by caching static content, such as images, as well as dynamic content, such as an HTML page rendered by a content management system. Proxy caches of this sort can often satisfy a considerable proportion of website requests, greatly reducing the load on the central Web server.
5. Compression: the proxy server can optimise and compress the content to speed up load times.

2.4 Access Management

Access Management includes both Identity Management and Enterprise Single Sign-On (ESSO).
“Identity management projects are much more than technology implementations — they drive real business value by reducing direct costs, improving operational efficiency and enabling regulatory compliance.” - Gartner.

With the current architecture, based on individual silos, the Agency and its stakeholders experience a number of "pain points", as shown in Table 1 below.

Table 1 – Pain Points

IT Admin: too many user stores and account admin requests; unsafe sync scripts.
IT Developers: redundant code in each application; need to re-work code too often.
End Users: too many passwords; long waits for access to apps/resources.
Security/Compliance: too many orphaned accounts; limited auditing ability.
Business Owners: too expensive to reach new partners and channels; need for control.

These pain points are particularly significant in the HA due to the diverse types and numbers of users and the multiple contexts of these digital identities, as shown in Figure 11 below.

Figure 11 - Identities have multiple contexts

The HA has approximately 2,700 office-based staff, 800 mobile Traffic Officers and 450 external partner organisations. Moreover, the Agency procures from its supply chain almost all (over 95%) of what is needed to provide efficient, effective and value for money services to its customers.

In the future (To-Be) architecture, the following requirements must be met:

o Users only have to log in once.
o Identities are federated across domains.
o Access permissions are determined by Role(s), Groups and Policies.
o Automated provisioning services are linked to ERP systems:
  • Employees joining/leaving (HR)
  • Contractors (Procurement)

A logical architecture is shown in Figure 12 below.

Figure 12 – IAM Logical Architecture

3 PLATFORM SPECIFIC MODEL (PSM)

3.1 Portal Framework Overview

The chosen reference implementation for the Secure Portal Framework is Oracle WebCenter 11g combined with the Oracle Identity and Access Management Suite. The rationale for this is as follows:

o Integration with business applications such as the E-Business Suite (EBS - Financials and Human Resources) and Business Intelligence.
o Oracle provides rich functionality and is widely supported within the ISV community, with an extensive ecosystem of partners.
o Integrated set of developer tools; Oracle Corporation alone has more than 20,000 developers worldwide using these.
o Re-use of the existing Oracle-based infrastructure deployed for Business Intelligence (BI) and Geographical Information System (GIS) data warehouses.
o Pre-existing (COTS-based) integrations with the rest of the Oracle technology stack.
o The HA has an Enterprise licence.

Figure 13 - Oracle WebCenter 11g Architecture

The main components are described in outline in the following sections.

3.2 WebCenter Components

The main components of Oracle WebCenter 11g are as follows:

Oracle WebCenter Framework is a declarative JavaServer Faces (JSF) framework that embeds Asynchronous JavaScript and XML (AJAX) components, portlets, and content to create context-rich, customisable applications.
It also includes Composer and Business Dictionary, role-based capabilities that enable business users to unify many corporate information resources with enterprise portals in just a few mouse clicks. It is a complete, standards-based portlet development environment: business user tools support the rapid creation of JSR-168 portlets and the deployment of WSRP 1.0 and 2.0 portlet producers. The solution also includes a JSF Portlet Bridge that facilitates the conversion of any JSF application into a JSR-168 portlet. Content can easily be integrated and published using data controls built to the JCR/JSR-170 standard. Content repositories supporting the JCR standard need only be configured; adapters are also available for Oracle's content repository, Oracle Portal, file systems and third-party content management systems, including Documentum, Microsoft SharePoint and Lotus Notes. Oracle WebCenter Framework is also delivered as an Oracle JDeveloper extension, providing a unified development environment in which developers build and deliver SOA process models, Business Intelligence applications, enterprise portals and composite applications.

WebCenter Spaces provides out-of-the-box collaborative applications for business users to manage personal information, group projects and dynamic online communities without having to call upon IT.

Oracle Composer allows business users to edit application pages on the fly after the application or portal has been deployed; edits can include new colour schemes, changes in page layout and new content or services added to the page.
When using Composer, users can add new enterprise services and content to further customise their pages via the Business Dictionary, a catalogue of role-based enterprise resources such as views of structured enterprise application data, personal productivity services and secure content sources. Additionally, IT developers can add the Oracle Composer capability to any application or portal during development without any coding.

Oracle WebCenter Anywhere provides a set of wireless services that enable users to connect with Oracle WebCenter Suite applications from any connected device, including desktop and mobile applications.

Oracle WebCenter Services provide out-of-the-box Enterprise 2.0 social computing services which can be embedded directly into applications. These include wikis, blogs, RSS feeds, recent activities, discussion forums, tags, links, social networking, Business Process Execution Language (BPEL) workflows and analytics.

Additional value-add components are bundled with WebCenter Suite; these include Oracle Universal Content Management, Secure Enterprise Search and Presence, and Communications Services.

Oracle WebCenter Interaction provides an integrated collection of components designed to deploy communities and composite solutions over diverse platforms, with native support for both Microsoft .NET and Java.

Oracle Application Server/Oracle WebLogic Portal provides a fully certified server environment, although the framework should run on any J2EE platform, including open source products such as Red Hat's JBoss and Apache Jakarta Tomcat running on Linux.

3.3 Reverse Proxy

The reference implementation for the reverse proxy is OracleAS Web Cache. OracleAS Web Cache is a content-aware server accelerator, or reverse proxy server, that improves the performance, scalability and availability of Web sites that run on Oracle Application Server.
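Before going further into the cache itself, the header and URL handling that Section 2.3 attributes to a reverse proxy (hiding the origin, SSL offload, rewriting externally known URLs to internal addresses and back) is worth seeing concretely, because it is where proxy deployments most often leak or break. The Python below is an added example, not part of this document or of OracleAS Web Cache; the hostnames are assumptions. It shows the request-side and response-side translations a proxy performs, and the two details that matter for security: X-Forwarded-Proto is set by the proxy and never taken from the client, and origin-identifying headers are dropped so that hiding the origin is not undone by its own responses.

```python
"""Request- and response-side translation at a reverse proxy (added example).

The proxy sits between Internet clients and an internal origin server.
EXTERNAL_BASE and INTERNAL_BASE are assumed names for this example only.
Bodies are handled as text for brevity.
"""
import re
from urllib.parse import urlsplit

EXTERNAL_BASE = "https://portal.example.gov.uk"       # assumed public name
INTERNAL_BASE = "http://portal-app01.internal:7777"   # assumed origin address

# Hop-by-hop headers (RFC 7230 section 6.1) describe a single connection
# and must not be forwarded across the proxy in either direction.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate",
              "proxy-authorization", "te", "trailer",
              "transfer-encoding", "upgrade"}

# Headers that name the origin product; dropping them is what makes
# "hiding the servers further up the chain" actually hold.
LEAKY = {"server", "x-powered-by", "x-aspnet-version"}

_INTERNAL_URL = re.compile(re.escape(INTERNAL_BASE))


def request_headers_for_origin(client_headers, client_ip, client_scheme):
    """Headers the proxy sends to the origin for one client request.

    Host is replaced by the internal name, hop-by-hop headers are dropped,
    the client's address is appended to X-Forwarded-For (the origin may only
    trust the LAST entry, the one this proxy added; earlier ones are
    client-controlled), and X-Forwarded-Proto is set from the scheme the
    proxy itself observed, overriding anything the client sent, so that a
    TLS-offloaded origin still knows the external scheme is https.
    """
    lower = {k.lower(): v for k, v in client_headers.items()}
    out = {k: v for k, v in client_headers.items()
           if k.lower() not in HOP_BY_HOP
           and k.lower() not in ("host", "x-forwarded-for", "x-forwarded-proto")}
    out["Host"] = urlsplit(INTERNAL_BASE).netloc
    prior = lower.get("x-forwarded-for")
    out["X-Forwarded-For"] = f"{prior}, {client_ip}" if prior else client_ip
    out["X-Forwarded-Proto"] = client_scheme
    return out


def rewrite_url(value):
    """Translate an absolute internal URL to its external form; leave others alone."""
    if value.startswith(INTERNAL_BASE):
        return EXTERNAL_BASE + value[len(INTERNAL_BASE):]
    return value


def rewrite_cookie(value):
    """Point Domain= at the public host and add Secure when the public side is
    HTTPS (an origin reached over plain HTTP will not set Secure itself)."""
    parts = [p.strip() for p in value.split(";")]
    public_host = urlsplit(EXTERNAL_BASE).hostname
    parts = ["Domain=" + public_host if p.lower().startswith("domain=") else p
             for p in parts]
    if EXTERNAL_BASE.startswith("https://") and "secure" not in {p.lower() for p in parts}:
        parts.append("Secure")
    return "; ".join(parts)


def response_for_client(status, origin_headers, body):
    """Translate an origin response into what the client may see.

    Returns (status, headers, body). Location/Content-Location and any
    absolute internal URL in an HTML body are rewritten to the public name,
    cookies are fixed up, hop-by-hop and origin-identifying headers are
    dropped, and Content-Length is recomputed because rewriting changes
    the body length.
    """
    out = {}
    content_type = ""
    for name, value in origin_headers.items():
        lname = name.lower()
        if lname in HOP_BY_HOP or lname in LEAKY or lname == "content-length":
            continue
        if lname in ("location", "content-location"):
            value = rewrite_url(value)
        elif lname == "set-cookie":
            value = rewrite_cookie(value)
        elif lname == "content-type":
            content_type = value
        out[name] = value
    if content_type.startswith("text/html"):
        body = _INTERNAL_URL.sub(EXTERNAL_BASE, body)
    out["Content-Length"] = str(len(body.encode("utf-8")))
    return status, out, body
```

Two design points follow from item 1 and item 2 of Section 2.3. The origin must honour X-Forwarded-For and X-Forwarded-Proto only when the connection really comes from the proxy's address; if the origin is reachable directly, a client can set those headers itself and, for example, pass an https scheme check over plain HTTP. And because the response rewriting works on the body, Content-Length has to be recalculated after it; forwarding the origin's value would truncate or over-read the rewritten page.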
By storing frequently accessed URLs in memory, OracleAS Web Cache eliminates the need to repeatedly process requests for those URLs on the application Web server and database tiers. Unlike legacy proxies that handle only static objects, OracleAS Web Cache caches both static and dynamically generated content from one or more Web servers, greatly reducing the load on the Web server, application and database tiers. Oracle also describes it, as an external cache, as an order of magnitude faster than object caches that run within the web tier. Where pages are personalised (a requirement in 2.1), the caching rules must key on, or exclude, the user's session: a dynamically generated page cached without regard to the user it was rendered for would be served to the next requester.

Figure 14 shows the basic architecture. OracleAS Web Cache sits in front of application Web servers, caching their content and providing that content to the Web browsers that request it. When Web browsers access the Web site, they send HTTP or HTTPS requests to OracleAS Web Cache, which in turn acts as a virtual server on behalf of the Web servers. If the requested content has changed, OracleAS Web Cache retrieves the new content from the Web servers. The Web servers may retrieve dynamic content from an Oracle database. OracleAS Web Cache can be deployed on its own dedicated tier of computers or on the same computer as the Web servers.

Figure 14 - OracleAS Web Cache

3.4 Access Management

3.4.1 Overview

The reference implementation for Access Management is Oracle Identity and Access Management Suite, as certified by CESG. Oracle IAM includes Oracle Access Manager, Oracle Virtual Directory and Oracle Internet Directory, together with the further components described below. It allows enterprises to manage and automate the end-to-end lifecycle of user identities, and provides users with secure, fine-grained access to enterprise resources and assets.
An end-to-end overview of the Oracle Identity Management platform is shown in Figure 15 below. The individual components are described in the following sub-sections.

Figure 15 – Oracle Identity & Access Management Framework

3.4.2 Oracle Access Manager (OAM)

Oracle Access Manager provides Web-based identity administration, as well as access control to Web applications and resources running in a heterogeneous environment. It provides the user and group management, delegated administration, password management and self-service functions necessary to manage large user populations in complex, directory-centric environments. Access Manager supports all popular authentication methods, including browser forms, digital certificates and smart cards, and integrates with most application servers and portals. User identities and credentials can be accessed from a number of LDAP-based repositories, including Oracle Internet Directory, Microsoft Active Directory and Sun Java System Directory. With Access Manager, user access policies can be defined and enforced with a high degree of granularity through centralised management.

3.4.3 Oracle Adaptive Access Manager (OAAM)

Oracle Adaptive Access Manager provides protection through its two core components: Adaptive Strong Authenticator (ASA) and Adaptive Risk Manager (ARM). ASA relies on the following standards-based technologies:

o Relative cryptographic strength (for example, NIST and Common Criteria levels).
o A cryptographically strong pseudorandom number generator which complies with Federal Information Processing Standard (FIPS) 140-2.
o Cryptographically strong sequences as described in RFC 1750, Randomness Recommendations for Security (since superseded by RFC 4086).
o A J2EE, Microsoft .NET, JSR 94-based rules engine.

ASA is a soft two-factor authentication component aimed at protecting against online identity theft. It encrypts credential data at the point of entry, so that credential information is not held in clear on the user's computer and is not exposed in transit. ASA includes a number of user interfaces for managing fraud and identity theft protection; whether making payments, accessing sensitive documents, entering passwords or answering challenge questions, users and data are protected. These GUI-based interfaces are QuestionPad, QuizPad, Keypad (virtual keyboard) and Slider.

Adaptive Risk Manager enables an enterprise to evaluate and score the risk of each online login and transaction, and so to increase authentication strength in real time for high-risk situations. It provides a strong second and third factor of security for the enterprise. It can serve as a standalone solution that offers increased security with no change to the user experience, or it can be used in combination with ASA; together the components provide further protection against identity theft and fraud.

3.4.4 Oracle Enterprise Single Sign-On (OESSO)

Enterprises today generally have Microsoft Windows® desktop users accessing diverse enterprise applications on a daily basis.
Each enterprise application often has different security requirements and, as a consequence, users are often forced to remember multiple passwords for various applications; this scenario is illustrated in Figure 16. There is therefore a need for a simple and secure way for enterprise users to access heterogeneous applications (Microsoft Windows, Java, etc.) by signing on just once to their Windows desktop. This should not only remove the need to remember credentials for individual applications but also improve user productivity by eliminating help desk calls associated with forgotten passwords.

Figure 16 – Separate User Logons

The Oracle ESSO Suite gives desktop users access to enterprise applications by signing on just once to their desktops using a single set of credentials, as depicted in Figure 17. Note that once sign-on is delegated to the desktop, the strength of the desktop logon and the protection of the ESSO credential store bound the security of every application behind them, which is why the stronger authentication options described under ESSO-AM below matter.

Figure 17 – Oracle ESSO Logon Manager

The Oracle ESSO Suite comprises five key components:

Oracle ESSO Logon Manager (ESSO-LM) provides interfaces to network and computer logons as well as sign-on to applications, enabling users to log in once with a single password. Once users are logged in, whatever application they open is served the correct ID and password transparently and automatically. This eliminates the need for users to remember and manage multiple user names and passwords for their applications, while allowing administrators to manage passwords centrally. The Oracle ESSO Logon Manager Admin Console interacts with the Logon Manager and facilitates management and administration of ESSO attributes.

Oracle ESSO Password Reset (ESSO-PR) provides a recovery mechanism for users who forget their desktop passwords.
If users forget their Windows password, ESSO-PR enables them to regain access to their computer and the corporate network. Users can reset their password directly from the Windows logon prompt of their locked-out workstation and get to their applications within seconds, without having to call the help desk or go to another workstation.

Oracle ESSO Kiosk Manager (ESSO-KM) provides initial user authentication and automatic user sign-off in kiosk environments, enabling secure kiosk computing at any location within the enterprise. The system monitors and protects unattended kiosk sessions from unauthorised access. Inactive sessions are protected by a secure screen saver, which permits the next user to sign on to a new session while safely terminating the prior session.

Oracle ESSO Authentication Manager (ESSO-AM) allows organisations to use any combination of tokens, smart cards, biometrics and passwords to control user access to their applications, making it easier to implement advanced authentication strategies. The software can be integrated with applications, providing granular control over the level of authentication required to access specific applications.

Oracle ESSO Provisioning Gateway (ESSO-PG) allows system administrators to distribute user credentials (usernames and passwords) directly to Oracle ESSO. The administrator can add credentials for new applications and new users, as well as modify or delete old credentials held in Oracle ESSO. The Provisioning Gateway is also the interface through which Oracle Identity Manager (OIM) is integrated, so that OIM's provisioning of users to enterprise applications also provisions Oracle ESSO.

3.4.5 Oracle Identity Federation (OIF)

Oracle Identity Federation is a complete, enterprise-level solution for secure identity information exchange between partners.
It significantly reduces the need to manage unnecessary accounts in the enterprise directory and lowers the cost of integration through support for industry federation standards. Key features of OIF include:

Multiple federation protocol support: OIF supports the following protocols:
o SAML 1.0/1.1/2.0,
o Liberty Alliance ID-FF 1.1/1.2, and
o WS-Federation.
OIF has participated in vendor-neutral standards conformance events and has achieved Liberty Alliance certification for Liberty ID-FF and SAML 2.0.

Oracle Universal Federation Framework: OIF provides architectural flexibility and integration capabilities for rapid deployment in complex multi-vendor and home-grown environments. It exposes a set of simplified programmatic interfaces for integration with any application or identity and access management solution, including the Government Gateway.

OIF provides unified and simplified interfaces for all management and administration tasks by leveraging Oracle Enterprise Manager technology for enterprise-grade operational management.

Enterprise scalability, availability and manageability: OIF is designed to be scalable and highly available. Its flexible architecture makes it easier to scale and tune the federation infrastructure at each component level. OIF supports mission-critical applications through load balancing and failover.

Support for Microsoft Windows CardSpace (Geneva) as an authentication mechanism: OIF can act as a CardSpace Relying Party (RP) and comes with a CardSpace authentication provider. With OIF, organisations can enable their sites to accept self-issued or managed InfoCards in a matter of hours.

Operational monitoring of server status, adapter status and system status, including CPU and memory utilisation.
- A single dashboard view of the entire deployment topology and server status, including all Oracle Fusion Middleware components, databases and applications.
- Integration with Fusion audit and logging viewers, enabling a unified view of OIF logs and end-to-end tracing of a transaction across the application stack.
- Standard reports, generated through default integration with Oracle BI Publisher.

3.4.6 Oracle Web Services Manager (OWSM)

Oracle Web Services Manager is a comprehensive solution for managing Service-Oriented Architectures (SOAs). It allows IT management to centrally define policies that govern web services operations, such as access policy, logging policy and content validation, and then wrap these policies around services, with no modification to the existing web services required. Oracle Web Services Manager also collects monitoring statistics to ensure service levels and security, and displays them in a web dashboard. Key features of Oracle Web Services Manager include:

- Policy Manager
- Enforcement
- Monitoring Dashboard

3.4.7 Oracle Identity Manager (OIM)

Oracle Identity Manager (OIM) is a secure enterprise provisioning solution with proven functionality in the identity management domain. Enterprise provisioning involves the management activities, business processes and technologies governing the creation, modification and deletion of user access rights and privileges to an organisation's ICT systems, applications and physical assets. To gain better control over user access rights, enterprises require automated provisioning systems that enforce organisational security policies and ensure adherence to regulatory standards. The architecture of OIM is shown in Figure 18.
Figure 18 - OIM Architecture

3.4.8 Oracle Role Manager (ORM)

Oracle Role Manager (ORM) provides a comprehensive feature set for role lifecycle management and for business and organisational relationships and resources. Built on a scalable J2EE architecture, ORM enables business users to define user access by abstracting resources and entitlements as roles. Organisation data in existing applications can be managed within ORM to model complex relationship paths across business structures, such as reporting organisation hierarchies and locations. Business policies defined in ORM use organisation and relationship data to drive role membership and, ultimately, access. Through seamless integration with Identity and Access Management (IAM) applications, ORM enables the automation of provisioning events, addressing governance and compliance needs across an existing ICT infrastructure. With ORM, organisations can:

- Enhance security by dramatically improving the timeliness and accuracy of provisioning and de-provisioning of resources as role membership changes.
- Accelerate role management implementation by mining for candidate roles.
- Maintain a single authoritative source for roles.
- Strengthen regulatory compliance through detailed audits of who should have access to what, and why a user was given access, with complete reports.

3.4.9 Oracle Directory Services (ODS)

Oracle Directory Services (ODS) are delivered through two products: Oracle Internet Directory (OID) and Oracle Virtual Directory (OVD). Oracle Internet Directory is a general purpose directory service that enables fast retrieval and centralised management of information about dispersed users and network resources.
It combines Lightweight Directory Access Protocol (LDAP) Version 3 with the high performance, scalability, robustness and availability of an Oracle database.

Oracle Virtual Directory is an LDAPv3-enabled service that provides a virtualised abstraction of one or more enterprise data sources into a single directory view. Oracle Virtual Directory provides the ability to integrate LDAP-aware applications into diverse directory environments while minimising or eliminating the need to change either the infrastructure or the applications.

The components of Oracle Internet Directory are:

- LDAP Directory
- Directory Entries
- Oracle Directory Server Instance
- Oracle Database 11g
- Oracle Net Connections
- LDAP Clients

The Lightweight Directory Access Protocol (LDAP) is a standard, extensible directory access protocol. It is the common language that LDAP clients and servers use to communicate. A directory stores and retrieves information about organisations, individuals and other resources. It acts as the policy and configuration data repository for OAM.

In a directory, a collection of information about an object is called an entry. Each entry is uniquely identified by a distinguished name (DN), which defines exactly where in the directory's hierarchy the entry resides. Each entry contains information stored in attributes. An object class is a group of attributes that defines the structure of an entry. Each directory has a Directory-Specific Entry (DSE), which holds information that relates to the whole directory, such as the audit log.

Each Oracle Directory Server instance services LDAP requests through a single OID dispatcher process listening on a specific TCP/IP port number.
There can be more than one directory server instance on a node, each listening on a different port. One instance comprises one dispatcher process and one or more server processes. By default there is one server process for each instance.

OID runs as an Oracle Database 11g application. An Oracle database stores the directory data. The database can reside on the same node as the directory server processes or on a separate node. OID communicates with the database using Oracle Net Services, Oracle's operating system-independent database connectivity solution. Oracle Net Services is used for all connections between the Oracle Database Server and the OID Control utility (oidctl), the directory server instance, and the OID Monitor (oidmon).

LDAP clients send LDAP requests to an OID listener/dispatcher process listening for LDAP commands on its port.

The components of Oracle Virtual Directory are:

- Oracle Virtual Directory Server
- Adapters

Oracle Virtual Directory Server can integrate multiple directories by talking to multiple directory sources through its adapter and mapper architecture and by providing full schema and namespace translation services. This ensures that data presented to applications from multiple proxied sources has a common and consistent format.

OVD supports an unlimited number of directory data connection components known as adapters. Each adapter is responsible for managing a particular namespace, which is represented by a specific parent distinguished name (DN). Multiple adapters can be combined and overlapped to present a customised directory tree. OVD supports the following adapter types:

- LDAP Adapter - provides proxied access to LDAPv2/LDAPv3 directory servers.
- Database Adapter - provides LDAP virtualisation of relational database data.
- Storage Adapter - forms the base of the directory and holds entries that are not proxied.
- Join View Adapter - provides real-time join capabilities between entries located in other OVD adapters.

Mappers

Oracle Virtual Directory includes a bi-directional mapping system based on the Python scripting language. A mapper is a special Python script that processes the inbound and outbound transactional data flow within Oracle Virtual Directory. A mapping script can adjust requests as they enter the system on the way to the data sources, and transform responses on the return path to the client.

OVD Listeners

Oracle Virtual Directory provides services to clients through two types of connections: LDAP and HTTP. LDAP is used to provide LDAPv3-based services, while HTTP can provide one or more services such as DSMLv2, or basic white-pages functions provided by an XSLT-enabled Web Gateway.
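The following is an added illustration, not code from this document or from Oracle, of three ideas in section 3.4.9 taken together: a DN encodes an entry's position in the directory hierarchy, each virtual-directory adapter owns the namespace under a parent DN (so overlapping adapters must be resolved to the most specific one), and mappers rewrite requests on the way in and responses on the way out. The adapter and mapper interfaces, the `rename_attr` mapper, the relational-row virtualisation and all directory data are constructed for the example and are not Oracle Virtual Directory's real API.

```python
"""Toy virtual directory: DN hierarchy, adapter namespaces and bi-directional mappers.

Added example only; NOT Oracle Virtual Directory's API. All data is constructed.
DN handling is simplified (no escaped commas, no multi-valued RDNs).
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Attrs = Dict[str, List[str]]


def parse_dn(dn: str) -> List[str]:
    """Split a DN into normalised RDNs, leaf first: 'cn=a,ou=b' -> ['cn=a', 'ou=b']."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def normalise_dn(dn: str) -> str:
    return ",".join(parse_dn(dn))


def parent_dn(dn: str) -> str:
    """The DN one level up: an entry's place in the tree is encoded in its DN."""
    return ",".join(parse_dn(dn)[1:])


def is_under(dn: str, root: str) -> bool:
    """True when dn equals root or lies anywhere below it (RDN-list suffix match)."""
    rdns, root_rdns = parse_dn(dn), parse_dn(root)
    return len(rdns) >= len(root_rdns) and rdns[len(rdns) - len(root_rdns):] == root_rdns


def rename_attr(src: str, dst: str) -> Callable[[Attrs], Attrs]:
    """Outbound mapper factory: present backend attribute `src` to clients as `dst`."""
    def mapper(attrs: Attrs) -> Attrs:
        out = {k: v for k, v in attrs.items() if k != src}
        if src in attrs:
            out[dst] = attrs[src]
        return out
    return mapper


def rows_to_entries(rows: List[dict], root_dn: str, key_col: str = "uid") -> Dict[str, Attrs]:
    """Database-adapter idea: virtualise relational rows as LDAP entries under root_dn."""
    entries: Dict[str, Attrs] = {}
    for row in rows:
        attrs = {col: [str(val)] for col, val in row.items()}
        attrs["objectClass"] = ["inetOrgPerson"]
        entries[normalise_dn(f"{key_col}={row[key_col]},{root_dn}")] = attrs
    return entries


@dataclass
class Adapter:
    """One namespace (root_dn) backed by entries keyed by normalised DN (hypothetical)."""
    name: str
    root_dn: str
    entries: Dict[str, Attrs]
    outbound: Callable[[Attrs], Attrs] = lambda attrs: attrs  # mapper on the return path
    inbound: Callable[[str], str] = lambda attr: attr         # mapper on filter attribute names

    def lookup(self, dn: str) -> Optional[Attrs]:
        raw = self.entries.get(normalise_dn(dn))
        return None if raw is None else self.outbound(raw)

    def search(self, base_dn: str, attr: str, value: str) -> List[str]:
        """DNs below base_dn whose backend attribute (after inbound mapping) holds value."""
        src_attr = self.inbound(attr)
        return [dn for dn, a in self.entries.items()
                if is_under(dn, base_dn) and value in a.get(src_attr, [])]


class VirtualDirectory:
    """Routes a DN to the adapter with the deepest matching root DN; searches fan out."""

    def __init__(self, adapters: List[Adapter]):
        self.adapters = sorted(adapters, key=lambda a: len(parse_dn(a.root_dn)), reverse=True)

    def route(self, dn: str) -> Optional[Adapter]:
        return next((a for a in self.adapters if is_under(dn, a.root_dn)), None)

    def lookup(self, dn: str) -> Optional[Attrs]:
        adapter = self.route(dn)
        return None if adapter is None else adapter.lookup(dn)

    def search(self, base_dn: str, attr: str, value: str) -> List[str]:
        hits: List[str] = []
        for a in self.adapters:  # every adapter whose namespace overlaps the search base
            if is_under(a.root_dn, base_dn) or is_under(base_dn, a.root_dn):
                hits.extend(a.search(base_dn, attr, value))
        return sorted(hits)


# Constructed sample tree: a storage adapter at the base, an LDAP adapter whose backend
# schema uses 'mail' (mapped to 'email' for clients), and a database adapter for contractors.
ROOT = "dc=example,dc=gov"
OVD = VirtualDirectory([
    Adapter("storage", ROOT, {normalise_dn(ROOT): {"dc": ["example"], "objectClass": ["domain"]}}),
    Adapter("ldap-people", f"ou=people,{ROOT}",
            {normalise_dn(f"cn=alice,ou=people,{ROOT}"):
             {"cn": ["alice"], "mail": ["alice@example.gov"], "objectClass": ["inetOrgPerson"]}},
            outbound=rename_attr("mail", "email"),
            inbound=lambda attr: "mail" if attr == "email" else attr),
    Adapter("db-contractors", f"ou=contractors,{ROOT}",
            rows_to_entries([{"uid": "c1001", "cn": "bob", "email": "bob@contractor.example"}],
                            f"ou=contractors,{ROOT}")),
])

if __name__ == "__main__":
    print(OVD.route(f"cn=alice,ou=people,{ROOT}").name)   # most specific adapter wins
    print(OVD.lookup(f"cn=alice,ou=people,{ROOT}"))       # client sees 'email', not 'mail'
    print(OVD.search(ROOT, "email", "bob@contractor.example"))
```

The routing rule (longest matching parent DN first) is what lets the storage adapter at the base coexist with proxied adapters below it without the base adapter swallowing every request; a client filter on `email` reaches the LDAP backend as `mail` and the answer comes back renamed, so both sources present the same attribute name.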