Reference Architecture

advertisement
NOT PROTECTIVELY MARKED
Enterprise Architecture 2010
Reference Architecture
Secure Portal Framework
June 2010
Version:
1.0
Editor Mike Williams
Status: Issued
Date: 16 June 2010
HA Reference Architecture
Secure Portal Framework
_________________________________________________________________________________
Document Control
Reference Architecture – Secure Portal Framework
Mike Williams
Ivan Wells
General – SHARE and PartnerNET
Issued
Document Title
Author
Owner
Distribution
Document Status
Revision History
Version
0.1
1.0
Date
1st December 2009
16th June 2010
Description
First draft.
Baseline issue.
Author
Mike Williams
Mike Williams
Forecast Changes
Version
Date
Description
Reviewer List
Name
Role
Ivan Wells
Reviewer
Various
External peer review
Approvals
Name
Title
Ivan Wells
Strategy and Architecture
Date
Version
Document References
Document Title
Document Links
_________________________________________________________________________
03/03/2016 v1.0
Page 2 of 23
HA Reference Architecture
Secure Portal Framework
_________________________________________________________________________________
CONTENTS
1 INTRODUCTION ........................................................................................................... 4
1.1
PREAMBLE ................................................................................................................... 4
1.2
RELATIONSHIP TO REFERENCE MODELS ........................................................................ 4
2 PLATFORM INDEPENDENT MODEL (PIM) ................................................................. 8
2.1
SUMMARY DESCRIPTION AND OVERVIEW ....................................................................... 8
2.2
FEDERATED PORTALS .................................................................................................. 8
2.3
REVERSE PROXY ....................................................................................................... 10
2.4
ACCESS MANAGEMENT............................................................................................... 11
3 PLATFORM SPECIFIC MODEL (PSM) ....................................................................... 14
3.1
PORTAL FRAMEWORK OVERVIEW ................................................................................ 14
3.2
WEBCENTER COMPONENTS ....................................................................................... 14
3.3
REVERSE PROXY ....................................................................................................... 15
3.4
ACCESS MANAGEMENT............................................................................................... 16
_________________________________________________________________________
03/03/2016 v1.0
Page 3 of 23
HA Reference Architecture
Secure Portal Framework
_________________________________________________________________________________
1
INTRODUCTION
1.1 Preamble
Reference architectures describe one or more Architecture Building Blocks for architectures
in a particular domain. They also provide a common vocabulary with which to discuss
implementations, often with the aim of stressing commonality. In Model-Driven Architecture
(MDA) terms, they equate to Platform Independent Models (PIM’s).
These represent (potentially re-usable) components of business, ICT, or architectural capability
that can be combined with other building blocks to deliver architectures and solutions. Building
blocks can be defined at various levels of detail, depending on which stage of architecture
development has been reached. For instance, at an early stage, a building block can simply
consist of a name, or an outline description, in architecture models which represent a
placeholder for subsequent specifications. Later on, a building block may be decomposed into
multiple supporting building blocks that may then be accompanied by full specifications.
Reference Implementations are examples of software specifications. These are intended as a
guide for Service Providers to develop concrete Solution Building Blocks (SBB’s). In ModelDriven Architecture (MDA) terms, they equate to Platform Specific Models (PSM’s).
These PSM’s are described as either Commercial-Off-The-Shelf (COTS) or Open Source
Software (OSS). In this respect, the HA Technology Policies are aligned with CrossGovernment Enterprise Architecture (xGEA) Technical Policies. These specify that OSS
components should be considered as viable building blocks wherever they can be shown to
meet the business requirements and offer Value for Money (VfM). Therefore, actual product
selections will generally be determined through procurements and their evaluations of the Most
Economically Advantageous Tenders (MEAT).
Where such selections have already been made, the Reference Implementations will be
superseded by Level 2 (Physical) Technology Policies which reinforce the use of those
components. Some of these components will stem from a build out, through re-use, of the HA’s
more recently acquired, existing infrastructure assets and investments, such as in Business
Intelligence. In all other cases, the PSM’s will be based on OSS projects which implement the
relevant Open Standards.
1.2 Relationship to Reference Models
This reference architecture refers to a Secure Portal Framework for implementing Enterprise
2.0 services. This comprises the introduction and implementation within an enterprise of Web
2.0 technologies, including Rich Internet Applications (RIA), Software-as-a-Service (SaaS), and
portal frameworks as a general platform. Similarly, Government 2.0 is an attempt to provide
more effective processes for government service delivery to individuals and businesses (as
with the G-Cloud). In order to describe this in terms of its relationship to Reference Models
requires a number of views as depicted in the diagrams below.
Figure 1 shows a functional mapping to the Delivery Interfaces Layer and Figure 2 the
Collaboration Layer, of the EA Reference Model (EARM) – note that the same technology
framework is applied internally for Intranet-based applications and externally for the Extranet
(PartnerNET). Similarly, Figure 3 shows it from a common infrastructure viewpoint and Figure 4
directly relates it to the Technical Reference Model (TRM). Finally, Figure 5 expands this into a
detailed layered/tiered view of an SOA – this shows that the Secure Portal Framework
Reference Architecture mainly covers the Application Layer, with an emphasis on the
Presentation Tier, together with its underlying infrastructure. However, the security elements
also cover other aspects of the TRM.
_________________________________________________________________________
03/03/2016 v1.0
Page 4 of 23
HA Reference Architecture
Secure Portal Framework
_________________________________________________________________________________
Figure 1 Relationship to EARM (1) - Sub-set of Delivery Interfaces Layer
Figure 2 - Relationship to EARM (2) - Sub-set of Collaboration Layer
_________________________________________________________________________
03/03/2016 v1.0
Page 5 of 23
HA Reference Architecture
Secure Portal Framework
_________________________________________________________________________________
Figure 3 - Relationship to EARM (3) - Sub-set of Service Infrastructure Layer
Figure 4 - Relationship to Technical Reference Model (TRM)
_________________________________________________________________________
03/03/2016 v1.0
Page 6 of 23
HA Reference Architecture
Secure Portal Framework
_________________________________________________________________________________
Figure 5 - Layered View of Services
_________________________________________________________________________
03/03/2016 v1.0
Page 7 of 23
HA Reference Architecture
Secure Portal Framework
_________________________________________________________________________________
2
PLATFORM INDEPENDENT MODEL (PIM)
2.1 Summary Description and Overview
The reference architecture for the Secure Portal Framework is based around Enterprise 2.0
technology which includes social software such as Blogs, Wikis, and other kind of collaborative
tools. The portal framework outlined in Figure 6 must have at least the following Enterprise 2.0
features:
o
o
o
o
o
o
o
o
o
Portability across all major application servers and Servlet containers, databases, and
operating systems.
Uses the latest in Java, J2EE, and Web 2.0 technologies.
Uses an open SOA framework.
JSR-168/JSR-286 and Web-Services for Remote Portlets (WSRP) 2.0 compliant.
Out-of-the-box usability with a catalogue of portlets.
Personalised pages for all users.
AJAX-enabled user interface.
Full Identity Management and secure Enterprise Single Sign-On (ESSO) integration.
Granular role-based authorisations.
Figure 6 - Portal Framework Architecture
2.2 Federated Portals
2.2.1 As-Is Infrastructure Problem
The existing infrastructure is fragmented and there’s a lack of integration between internal and
external systems, thus preventing “One version of the truth”. This is illustrated in Figure 7.
_________________________________________________________________________
03/03/2016 v1.0
Page 8 of 23
HA Reference Architecture
Secure Portal Framework
_________________________________________________________________________________
Figure 7 - As-Is Infrastructure
Problems arising from this current infrastructure include:




Duplication across multiple portals.
No “one version of the truth” due to security restrictions, e.g. a master document held in
the “SHARE” repository is copied into PartnerNET as a snapshot in time without any
form of synchronisation for subsequent updates.
Multiple user accounts with separate logins, passwords and user administration
requirements.
High administration and maintenance costs.
2.2.2 Proposed federated solution
Within the Reference Architecture, the proposed solution to the problems described above is to
adopt a Federated Portal Architecture. Federated portals are:
o
Distributed – Portlets are deployed on remote systems across the enterprise.
o
Loosely coupled – The portal and its portlets do not depend upon one another. In
most cases, remote portlets can be maintained and deployed separately from the main
portal.
o
Collaborative – Remote portlets can communicate and share data.
o
Plug-and-Play – Remote portlets can easily be located and consumed, usually without
coding.
o
Standards based – Federated portals are built upon open standards, such as WSRP,
SOAP, WSDL, and SAML.
Figure 8 illustrates the basic concepts of a federated portal with producers and consumers as
its component parts. A producer is a portal web application that offers remote portlets to other
consumer portal web applications. Both producers and consumers implement a web services
layer that enables them to communicate. This web services layer allows producers to offer
portlets-as-a-service to consumers on remote systems. Consumers bring these remote,
distributed portlets together at runtime. Each of the remote portlets may be developed and
maintained by different groups of people.
_________________________________________________________________________
03/03/2016 v1.0
Page 9 of 23
HA Reference Architecture
Secure Portal Framework
_________________________________________________________________________________
Figure 8 - Concept of Federated Portals
This federated portal approach reflects the HA’s Service Oriented Architecture (SOA). It does,
however, rely upon on a Web Services infrastructure as shown in Figure 9.
Figure 9 - WSRP Architecture
This is also referred to sometimes as a Web Oriented Architecture (WOA) which is a style of
software architecture that extends the Service-Oriented Architecture (SOA) paradigm to webbased applications.
2.3 Reverse Proxy
A reverse proxy is a proxy server that is used in front of Web servers. All connections from the
Internet to one of the Web servers are routed through the proxy server, which may either deal
with the request itself (from its cache) or pass the request wholly or partially to the main web
servers as shown in Figure 10.
_________________________________________________________________________
03/03/2016 v1.0
Page 10 of 23
HA Reference Architecture
Secure Portal Framework
_________________________________________________________________________________
Figure 10 - Communication via a Reverse Proxy
A reverse proxy dispatches in-bound network traffic to a set of servers, presenting a single
interface to the caller. There are several benefits of reverse proxy servers:
1.
2.
3.
4.
5.
Security: the proxy server may provide an additional layer of defense by separating and
protecting servers further up the chain - mainly through obfuscation.
Encryption and acceleration: on secure websites, accessed via HTTPS, the SSL
encryption is best offloaded from the Web server itself, using a reverse proxy equipped
with SSL acceleration hardware to optimise performance.
Load distribution: the reverse proxy can distribute the load across several servers, for
scalability and resilience. The reverse proxy may have to re-write the URL's in each
webpage (translation from externally known URL’s to the internal addresses).
Caching: the reverse proxy can offload the Web servers by caching static content, such
as images, as well as dynamic content, such as a HTML-page rendered by a content
management system. Proxy caches of this sort can often satisfy a considerable amount
of website requests, greatly reducing the load on the central web server.
Compression: the proxy server can optimise and compress the content to speed up the
load time.
2.4 Access Management
Access Management includes both Identity Management and Enterprise Single Sign-On
(ESSO).
“Identity management projects are much more than
technology implementations — they drive real business
value by reducing direct costs, improving operational
efficiency and enabling regulatory compliance.” - Gartner.
With the current architecture, based on individual silos, the Agency and its stakeholders
experience a number of “pain points” as shown in Table 1 below.
_________________________________________________________________________
03/03/2016 v1.0
Page 11 of 23
HA Reference Architecture
Secure Portal Framework
_________________________________________________________________________________
IT Admin
Too many user
stores and
account admin
requests.
Unsafe sync
scripts.
IT Developers
Redundant code
in each
application.
Need to re-work
code too often.
Table 1 – Pain Points
End Users
Security/
Compliance
Too many
passwords.
Long waits for
access to apps/
resources.
Too many
orphaned
accounts.
Limited auditing
ability.
Business
Owners
Too expensive
to reach new
partners, and
channels.
Need for control.
These pain points are particularly significant in the HA due to the diverse types and numbers of users
and the multiple contexts of these digital identities as shown in Figure 11 below.
Figure 11- Identities have multiple contexts
The HA has approximately:
 2,700 office-based staff;
 800 mobile Traffic Officers; and
 450 external partner organisations.
Moreover, the Agency procures from its supply chain almost all (over 95%) of what is needed to
provide efficient, effective and value for money services to its customers. In the future, (To-Be)
architecture, the following requirements must be met:




Users only have to login once.
Identities are federated across domains.
Access permissions are determined by Role(s), Groups and Policies.
Automated provisioning services are linked to ERP Systems:
• Employees joining/leaving (HR)
• Contractors (Procurement)
_________________________________________________________________________
03/03/2016 v1.0
Page 12 of 23
HA Reference Architecture
Secure Portal Framework
_________________________________________________________________________________
A logical architecture is shown in Figure 12 below.
Figure 12 – IAM Logical Architecture
_________________________________________________________________________
03/03/2016 v1.0
Page 13 of 23
HA Reference Architecture
Secure Portal Framework
_________________________________________________________________________________
3
PLATFORM SPECIFIC MODEL (PSM)
3.1 Portal Framework Overview
The chosen reference implementation for the Secure Portal Framework is Oracle WebCenter
11g combined with the Oracle Identity and Access Management Suite. The rationale for this is
as follows:






Integration with business applications such as the E-Business Suite (EBS - Financials
and Human Resources) and Business Intelligence.
Oracle provides rich functionality and is widely supported within the ISV community
with an extensive ecosystem of partners.
Integrated set of developer tools – Oracle Corporation alone have more than 20,000
developers worldwide using these.
Re-use of the existing Oracle-based infrastructure deployed for Business Intelligence
(BI) and Geographical Information System (GIS) data warehouses.
Pre-existing (COTS-based) integrations with the rest of the Oracle technology stack.
The HA has an Enterprise license.
Figure 13 - Oracle WebCenter 11g Architecture
The main components are described in outline in the following sections.
3.2 WebCenter Components
The main components of Oracle WebCenter 11g are as follows:
 Oracle WebCenter Framework is a declarative JavaServer Faces (JSF) framework that
embeds Asynchronous JavaScript and XML (AJAX) components, portlets, and content to
create context-rich, customisable applications. It also includes Composer and Business
Dictionary - role-based capabilities that enable business users to seamlessly unify many
_________________________________________________________________________
03/03/2016 v1.0
Page 14 of 23
HA Reference Architecture
Secure Portal Framework
_________________________________________________________________________________
corporate information resources with enterprise portals with just a few mouse clicks. It’s a
complete, standards-based portlet development environment - business user tools
support the rapid creation of JSR-168 portlets and the deployment of WSRP 1.0 and 2.0
portlet producers. The solution also includes a JSF Portlet Bridge that facilitates the
conversion of any JSF application into a JSR-168 portlet. Content can easily be
integrated and published using data controls built to the JCR/JSR-170 standard. Content
repositories supporting the JCR standard can just be configured; adapters are also
available for Oracle’s content repository, Oracle Portal, file systems, and third-party
content management systems, including Documentum, Microsoft SharePoint, and Lotus
Notes. Oracle WebCenter Framework is also delivered as an Oracle JDeveloper
extension, providing a unified development environment for developers to build and
deliver SOA process models, Business Intelligence applications, enterprise portals, and
composite applications.
 WebCenter Spaces provide out-of-the-box collaborative applications for business users
to manage personal information, group projects and dynamic online communities without
having to call upon on IT.
 Oracle Composer allows business users to edit application pages on the fly after the
application or portal has been deployed – edits can include new colour schemes,
changes in page layout and new content or services added to the page. When using
Composer, users can add new enterprise services and content to further customise their
pages via the Business Dictionary, a catalogue of role-based enterprise resources
such as views of structured enterprise application data, personal productivity services
and secure content sources. Additionally, IT developers can add the Oracle Composer
capability to any application or portal during development without any coding.
 Oracle WebCenter Anywhere provides a set of wireless services that enable users to
connect with Oracle WebCenter Suite applications from any connected device, including
desktop and mobile applications.
 Oracle WebCenter Services provide out-of-the-box Enterprise 2.0 Social Computing
Services which can be embedded directly into applications. These include wikis, blogs,
RSS feeds, recent activities, discussion forums, tags, links, social networking, Business
Process Execution Language (BPEL) workflows, and analytics.
 Additional Value-Add Components are bundled with WebCenter Suite: includes Oracle
Universal Content Management; Secure Enterprise Search and Presence; and
Communications Services.
 Oracle WebCenter Interaction provides an integrated collection of components
designed to deploy communities and composite solutions over diverse platforms that
offer native support for both Microsoft .NET and Java.
 Oracle Application Server/Oracle WebLogic Portal provides a fully certified server
environment although the framework should run on any J2EE platform including open
source products such as Red Hat’s JBoss and Apache Jakarta Tomcat running on Linux.
3.3 Reverse Proxy
The reference implementation for the reverse proxy is OracleAS Web Cache.
OracleAS Web Cache is a content-aware server accelerator, or reverse proxy server, that
improves the performance, scalability, and availability of Web sites that run on Oracle
Application Server.
By storing frequently accessed URL’s in memory, OracleAS Web Cache eliminates the need to
repeatedly process requests for those URL’s on the application Web server and database tiers.
Unlike legacy proxies that handle only static objects, OracleAS Web Cache caches both static
and dynamically generated content from one or more Web servers thus providing optimal
performance by greatly reducing the load on the Web server, application and database tiers. As
an external cache, OracleAS Web Cache is also an order of magnitude faster than object
caches that run within the web tier.
_________________________________________________________________________
03/03/2016 v1.0
Page 15 of 23
HA Reference Architecture
Secure Portal Framework
_________________________________________________________________________________
Figure 14 shows the basic architecture. OracleAS Web Cache sits in front of application Web
servers, caching their content, and providing that content to Web browsers that request it.
When Web browsers access the Web site, they send HTTP or HTTPS protocol requests to
OracleAS Web Cache. OracleAS Web Cache, in turn, acts as a virtual server on behalf of the
Web servers. If the requested content has changed, OracleAS Web Cache retrieves the new
content from the Web servers. The Web servers may retrieve dynamic content from an Oracle
database. OracleAS Web Cache can be deployed on its own dedicated tier of computers or on
the same computer as the Web servers.
Figure 14 - OracleAS Web Cache
3.4 Access Management
3.4.1 Overview
The reference implementation for Access Management is Oracle Identity and Access
Management Suite, as certified by CESG. Oracle IAM is a suite consisting of Oracle Access
Manager, Oracle Virtual Directory and Oracle Internet Directory. It allows enterprises to
manage and automate the end-to-end lifecycle of user identities, and provides users with
secure, fine-grained access to enterprise resources and assets.
An end-to-end overview of the Oracle Identity Management platform is shown in Figure 15
below. The individual components are described in the following sub-sections.
_________________________________________________________________________
03/03/2016 v1.0
Page 16 of 23
HA Reference Architecture
Secure Portal Framework
_________________________________________________________________________________
Figure 15 – Oracle Identity & Access Management Framework
3.4.2 Oracle Access Manager (OAM)
Oracle Access Manager provides Web-based identity administration, as well as access control
to Web applications and resources running in a heterogeneous environment. It provides the
user and group management, delegated administration, password management and selfservice functions necessary to manage large user populations in complex, directory-centric
environments.
Access Manager supports all popular authentication methods including browser forms, digital
certificates and smart cards, and integrates with most application servers and portals. User
identities and credentials can be accessed from a number of LDAP-based repositories
including Oracle Internet Directory, Microsoft Active Directory and Sun Java System Directory.
With Access Manager, user access policies can be defined and enforced with a high degree of
granularity through centralised management.
3.4.3 Oracle Adaptive Access Manager (OAAM)
Oracle Adaptive Access Manager provides superior protection through its core components:
Adaptive Strong Authenticator (ASA) and Adaptive Risk Manager (ARM).
ASA relies on the following standards-based technologies:
 Relative cryptographic strength (for example, NIST and Common Criteria levels).
 Cryptographically strong pseudorandom number generator, which complies with
Federal Information Processing Standard (FIPS) 140-2.
_________________________________________________________________________
03/03/2016 v1.0
Page 17 of 23
HA Reference Architecture
Secure Portal Framework
_________________________________________________________________________________
 Cryptographically strong sequences as described in RFC 1750: Randomness
Recommendations for Security.
 J2EE, Microsoft .NET, JSR 94-based rules engine.
Leveraging a soft, two-factor authentication solution, ASA provides fraud protection against
online identity theft. It does so by encrypting credential data inputs at the point of entry. This
ensures maximum user protection because information never resides on a user’s computer.
Nor does information reside anywhere on the Internet where it can be vulnerable to theft.
ASA includes a number of user interfaces for managing fraud and identity theft protection.
Whether making payments, accessing sensitive documents, entering passwords, or answering
challenge questions, users and data are protected. These GUI-based interfaces include:
QuestionPad, QuizPad, Keypad (Virtual Keyboard) and Slider.
Adaptive risk manager enables an enterprise to evaluate and score risk. They can do so for
each online login and transaction. As a result, the solution increases authentication security in
real-time for high-risk situations.
Adaptive risk manager provides a strong second and third factor of security for the enterprise. It
can serve as a standalone solution that offers increased security, with no change to the user
experience but it can also be used in combination with ASA. Together the components provide
further anti-identity theft and fraud protection.
3.4.4 Oracle Enterprise Single Sign-On (OESSO)
Enterprises these days generally have Microsoft Windows® desktop users accessing diverse
enterprise applications on a daily basis. Each enterprise application often has different security
requirements and, as a consequence, users are often forced to remember multiple different
passwords for various applications – this scenario is illustrated in Figure 16. As a result, there is
a need to enable a simple and secure way for enterprise users to access heterogeneous
applications (e.g. Microsoft Windows, Java, etc.) by signing on just once to their windows
desktop. This should not only circumvent the need to remember credentials for individual
applications but also enhance user productivity by eliminating help desk calls associated with
forgotten passwords.
Figure 16 – Separate User Logons
The Oracle ESSO Suite facilitates a way for desktop users to access enterprise applications by
signing on just once to their desktops using a single set of credentials, as depicted in Figure 17.
Figure 17– Oracle ESSO Logon Manager
_________________________________________________________________________
03/03/2016 v1.0
Page 18 of 23
HA Reference Architecture
Secure Portal Framework
_________________________________________________________________________________
The Oracle ESSO Suite comprises five key components:
 Oracle ESSO Logon Manager (ESSO-LM) provides interfaces to network and




computer logons as well as sign-on to applications, enabling users to log in once with
a single password. Once users are logged in, whatever application they open is
served the correct ID and password transparently and automatically. This eliminates
the need for users to remember and manage multiple user names and passwords for
their applications, while allowing administrators to centrally manage passwords. The
Oracle ESSO Logon Manager Admin Console interacts with the Logon Manager and
facilitates management and administration of ESSO attributes.
Oracle ESSO Password Reset (ESSO-PR) provides a recovery mechanism for
users who forget their desktop passwords. If users forget their Windows password,
then ESSO-PR enables them to regain access to their computer and the corporate
network. This allows users to reset their password directly from the Windows logon
prompt of their locked-out workstation, so that they can get to their applications within
seconds - without having to call the help desk or go to another workstation.
Oracle ESSO Kiosk Manager (ESSO-KM) provides initial user authentication and
automatic user sign-off to kiosk environments, enabling secure kiosk computing at
any location within the enterprise. The system monitors and protects unattended kiosk
sessions from unauthorised access. Inactive sessions are protected by a secure
screen saver, which permits the next user to sign on to a new session while safely
terminating the prior session.
Oracle ESSO Authentication Manager (ESSO-AM) allows organisations to use any
combination of tokens, smart cards, biometrics and passwords to control user access
to their applications; making it easier to implement advanced authentication
strategies. The software can be integrated seamlessly with applications, providing
granular control over the level of authentication required to access specific
applications.
Oracle ESSO Provisioning Gateway (ESSO-PG) allows system administrators to
directly distribute user credentials, usernames and passwords to Oracle ESSO. The
administrator can add credentials for new applications and new users as well as
modify or delete old credentials to Oracle ESSO. The Provisioning Gateway is also
the interface that is used to integrate Oracle Identity Manager (OIM), which enables
provisioning of users to all enterprise applications and enables Oracle ESSO.
3.4.5 Oracle Identity Federation (OIF)
Oracle Identity Federation is a complete, enterprise-level solution for secure identity information
exchange between partners. It significantly reduces need to manage unnecessary accounts in
the enterprise directory and lowers the cost of integrations through support of industry
federation standards. Key features of OIF include:
 Multiple Federation Protocols Support: OIF supports the following protocols:
o SAML 1.0/1.1/2.0,
o Liberty Alliance ID-FF 1.1/1.2, and,
o WS-Federation.
OIF participated in vendor-neutral standard conformance events and has achieved
Liberty Alliance certification for Liberty ID-FF and SAML 2.0.
 Oracle Universal Federation Framework: OIF provides architectural flexibility and
integration capabilities for rapid deployment in complex multi-vendor and homegrown
environments. It exposes a set of simplified programmatic interfaces for seamless
integration with any application or identity and access management solution including
the Government Gateway.
_________________________________________________________________________
03/03/2016 v1.0
Page 19 of 23
HA Reference Architecture
Secure Portal Framework
_________________________________________________________________________________
 OIF provides unified and simplified interfaces for all management and administration
tasks by leveraging Oracle Enterprise Manager Technology for enterprise-grade
operational management.
 Enterprise scalability, availability and manageability: The OIF is designed to be
scalable and highly available. Its flexible architecture makes it easier to scale and
tune the federation infrastructure at each component level. OIF supports mission
critical applications through load balancing and failover.
 Support for Microsoft Windows CardSpace (Geneva) as an authentication
mechanism: OIF can act as a CardSpace Relying Party (RP) and comes with a
CardSpace authentication provider. With OIF, organisations can enable their sites to
accept self-issued or managed InfoCards in a matter of hours.
 Operational monitoring of server status, adapter status, system status including CPU
& Memory utilisation. Provides a single dashboard view of entire deployment topology
and server status including all Oracle Fusion Middleware components, databases,
and applications.
 Integration with Fusion audit and logging viewers enables unified view of OIF logs and
end-to-end tracing of a transaction across application stack. In addition, OIF can
generate standard reports through default integration with Oracle BI Publisher.
3.4.6 Oracle Web Services Manager (OWSM)
Oracle Web Services Manager is a comprehensive solution for managing Service-Oriented
Architectures (SOA's). It allows IT managements to centrally define policies that govern web
services operations such as access policy, logging policy, and content validation, and then
wrap these policies around services, with no modification to existing web services required.
Also, Oracle Web Services Manager collects monitoring statistics to ensure service levels and
security, and displays them in a web dashboard.
Key features of Oracle Web Services Manager include:
 Policy Manager
 Enforcement
 Monitoring Dashboard
3.4.7 Oracle Identity Manager (OIM)
Oracle Identity Manager (OIM) is a secure enterprise provisioning solution with proven
functionality in the identity management domain. Enterprise provisioning involves the
management activities, business processes and technologies governing the creation,
modification and deletion of user access rights and privileges to an organisation’s ICT systems,
applications and physical assets. To gain better control over user access rights, enterprises
require automated provisioning systems that enforce organisational security policies and
ensure adherance of regulatory standards.
The architecture of OIM is shown in Figure 18.
_________________________________________________________________________
03/03/2016 v1.0
Page 20 of 23
HA Reference Architecture
Secure Portal Framework
_________________________________________________________________________________
Figure 18 - OIM Architecture
3.4.8 Oracle Role Manager (ORM)
Oracle Role Manager (ORM) provides a comprehensive feature set for role lifecycle
management, business and organisational relationships and resources. Built using a scalable
J2EE architecture, ORM enables business users to define user access by abstracting
resources and entitlements as roles. Organisation data in existing applications can be managed
within ORM to model complex relationship paths across business structures such as reporting
organisation hierarchies and locations. Business policies defined in ORM utilise organisation
and relationship data to drive role membership and ultimately access. Through seamless
integration with Identity and Access Management (IAM) applications, ORM enables the
automation of provisioning events, addressing governance and compliance needs across an
existing ICT infrastructure.
With ORM, organisations can:
 Enhance security by dramatically improving the timeliness and accuracy of
provisioning and de-provisioning of resources as role membership changes.
 Accelerate role management implementation by mining for candidate roles.
 Maintain a single authoritative source for roles.
 Strengthen regulatory compliance through detailed audits on who should have access
to what, and why a user was given access with complete reports.
3.4.9 Oracle Directory Services (ODS)
Oracle Directory Services (ODS) are delivered through two products: Oracle Internet Directory
(OID) and Oracle Virtual Directory (OVD).
Oracle Internet Directory is a general purpose directory service that enables fast retrieval and
centralised management of information about dispersed users and network resources. It
combines Lightweight Directory Access Protocol (LDAP) Version 3 with the high performance,
scalability, robustness and availability of an Oracle database.
_________________________________________________________________________
03/03/2016 v1.0
Page 21 of 23
HA Reference Architecture
Secure Portal Framework
_________________________________________________________________________________
Oracle Virtual Directory is an LDAPv3-enabled service that provides virtualised abstraction of
one or more enterprise data sources into a single directory view. Oracle Virtual Directory
provides the ability to integrate LDAP-aware applications into diverse directory environments
while minimising or eliminating the need to change either the infrastructure or the applications.
The components of Oracle Internet Directory are:
LDAP
Directory
Directory Entries
Oracle Directory
Server Instance
Oracle Database 11g
Oracle Net
Connections
LDAP Clients
The Lightweight Directory Access Protocol (LDAP) is a
standard, extensible directory access protocol. It is a
common language that LDAP clients and servers use
to communicate.
A directory stores and retrieves information about
organisations, individuals and other resources. It acts
as the policy and configuration data repository for
OAM.
In a directory, a collection of information about an
object is called an entry. Each entry is uniquely
identified by a distinguished name (DN), which defines
exactly where in the directory’s hierarchy the entry
resides. Each entry contains information stored in
attributes. An object class is a group of attributes that
define the structure of an entry.
Each directory has a Directory-Specific Entry (DSE),
which holds information that relates to the whole
directory, such as the audit log.
Each Oracle Directory Server instance services LDAP
requests through a single OID dispatcher process
listening at a specific TCP/IP port number. There can
be more than one directory server instance on a node,
each listening on a different port. One instance
comprises one dispatcher process and one or more
server processes. By default there is one server
process for each instance.
OID runs as an Oracle Database 11g application. An
Oracle database stores the directory data. The
database can reside on the same node as the
directory server processes or on a separate node.
OID communicates with the database using Oracle
Net Services, Oracle’s operating system-independent
database connectivity solution. Oracle Net Services is
used for all connections between the Oracle Database
Server and the OID Control utility (oidctl), the directory
server instance, and the OID Monitor (oidmon).
LDAP Clients send LDAP requests to an OID
listener/dispatcher process listening for LDAP
commands at its port.
The components of Oracle Virtual Directory are:
Oracle Virtual
Directory Server
Adapters
Oracle Virtual Directory Server can integrate multiple directories by
using its ability to talk to multiple directory sources through its
adapter and mapper architecture and through the provision of full
schema and namespace translation services. This ensures that data
presented to applications from multiple proxied sources have a
common and consistent format.
OVD supports an unlimited number of directory data connection
components known as adapters. Each adapter is responsible for
managing a particular namespace that is represented by a specific
parent distinguished name (DN). Multiple adapters can be combined
_________________________________________________________________________
03/03/2016 v1.0
Page 22 of 23
HA Reference Architecture
Secure Portal Framework
_________________________________________________________________________________
and overlapped to present a customised directory tree. OVD
supports the following adapter types:
 LDAP Adapter - provides proxied access to
LDAPv2/LDAPv3 directory servers.
 Database Adapter - provides LDAP virtualisation of
relational database data.
 Storage Adapter - This adapter will form the base of the
directory and will hold entries that are not proxied.
 Join View Adapter - provides real-time join capabilities
between entries located in other OVD adapters.
Mappers
Oracle Virtual Directory includes a bi-directional mapping system
based on the Python scripting language. A mapper is a special
Python script that processes inbound and outbound transactional
data flow within Oracle Virtual Directory. A mapping script can adjust
requests as they enter the system on the way to data sources, and
transform responses on the return path to the client.
OVD Listeners
Oracle Virtual Directory provides services to clients through two
types of connections: LDAP and HTTP. LDAP is used to provide
LDAPv3 based services while HTTP can provide one or more
services such as DSMLv2, or basic white page functions provided by
an XSLT enabled Web Gateway.
_________________________________________________________________________
03/03/2016 v1.0
Page 23 of 23
Download