Michael P. Mesaros
Uppili Srinivasan
Oracle Identity Management and Security
Oracle Corporation

Planning Your Oracle Identity Management Deployment
OracleWorld Paper 40207
Agenda
• Need for identity management
• Oracle Identity Management overview
• Why deploy Oracle Identity Management?
• Deployment process overview
• Deployment/planning steps
  – Requirement analysis
  – Logical design
  – Detailed deployment planning
• Summary and conclusions
Need for Identity Management

Web applications are great ...
• Inexpensive to develop
• Easy to deploy
• Access anywhere
... but they can be an administrative and usability nightmare!
Web application problems
• Administrative problems
  – Efficiently provisioning users for applications
  – Limited/no ability to delegate administration
• Usability problems
  – Different user names/passwords
  – Little/no personalization of portal content
• Security problems
  – Inconsistent password management policies
  – Fragmented security policy enforcement
The identity management solution
• Identity management is the process by which
  – Users are provisioned for enterprise applications
  – Application user roles and permissions are managed
  – Users manage profile information such as application preferences, passwords and PINs
  – Applications (such as Portals) are personalized for individual users
Oracle application environment (diagram; the label groups as they appear)
• Mail, Voicemail, Calendar, Files, iMeeting, etc.
• Supply chain mgmt, Marketing & sales mgmt, Service mgmt, Financial mgmt, Project mgmt, HR mgmt, Vertical applications ...
• HTTP server, Web services, Portal, Web cache, Forms, Reports, etc.
• Oracle Database, Oracle Label Security
Oracle Identity Management requirements
• Enterprise integration
• High availability
• Scalability
• Security
• Integration with the Oracle product stack
• Support for standards
Oracle Identity Management infrastructure (diagram): Oracle Identity Management is made up of Directory, Directory Integration, Provisioning Integration, Delegated Administration, Single Sign-On and Certificate Authority.
Oracle Internet Directory
• Scalability
  – Millions of user entries on a single server
  – 1000's of simultaneous clients
• High availability
  – Multimaster replication
  – Oracle9i hot backup/recovery
• Security
  – Sophisticated security model based on access control lists
• Standards-based
  – Native LDAPv3 implementation
(Diagram: LDAP clients and directory administration tools reach the Oracle Internet Directory server over LDAP or LDAP over SSL; the server stores its data in the Oracle Database over Oracle Net connections.)
Directory Integration and Provisioning (diagram)
• Oracle Internet Directory sits at the centre
• Provisioning Integration Services poll the directory for events and reach the provisioned applications (Portal, iFS, iAS Wireless, legacy apps) via PL/SQL over Oracle Net
• Directory Synchronization Services reach the connected directories (ADS, iPlanet, etc.) via LDAP or file
Oracle Delegated Administration Services
• New directory feature with Oracle9iAS V2
• Provides a consistent interface for directory content administration
  – Administrative tool: supports application administration delegation
  – End-user tool: set passwords, preferences, whitepages
Oracle Application Server Single Sign-On
• Provides single sign-on capability for all Oracle web-based applications
• Partner API and Kerberos support permit integration with other authentication services
• Built on Oracle technology
  – HA deployments
  – Leverages Oracle Internet Directory, Delegated Administration Services
Oracle Application Server Certificate Authority
• Key features
  – Out-of-the-box PKI solution; allows Oracle customers to secure their deployments
  – Easy provisioning of X.509v3 digital certificates
  – Web-based certificate management and administration
  – Seamless integration with Oracle Application Server Single Sign-On
  – High availability and scalability with Oracle10g and Oracle Internet Directory
Grid computing model (diagram): Topology Manager, Resource Manager, Policy Manager, Workload & QoS Manager and Cross-Tier Routing sit above a blade farm (local grid) of dynamically provisioned and registered blades joined by a high-speed interconnect.
Oracle Identity Management's role in grid computing
• Provisioning hardware in the network
• Provisioning applications on the grid
• Provisioning users for grid applications
Identity management is essential to realizing the grid computing vision!
Oracle Identity Management – customer benefits
• Scalable, robust and integrated infrastructure
• Out-of-the-box deployment for Oracle products
• Single point of integration between Oracle and other identity management applications
• Open, standards-based infrastructure
Why Deploy Oracle Identity Management?

Identity management deployment options
• No infrastructure
• Deploy "local" infrastructure for Oracle applications
• Deploy enterprise-wide Oracle Identity Management infrastructure
No infrastructure
• All user identities managed locally by applications
• Suitable for development deployments
  – Can be migrated to identity management infrastructure for production
  – e.g. OracleAS OC4J instance with JAAS/XML
Deploy "local" infrastructure for Oracle applications
• Many Oracle products (e.g. Single Sign-On) require components of identity management infrastructure to be installed
• Possible scenarios
  – Pilot deployments
  – Integrating an isolated Oracle community with enterprise identity management services
  – Semi-independent departments
• OracleAS 10g has features to support this deployment model
  – Administration privilege model
  – Partial/fan-out replication
Deploy enterprise-wide infrastructure
• Recommended for supporting production enterprise deployments
• More planning typically required, however:
  – Faster deployment of additional applications
  – Centralized "professional" infrastructure administration
  – Centralized identity management across all Oracle applications in the enterprise
  – Standards-based identity management platform which is leveraged by other (non-Oracle) applications
Deployment Process Overview

Distributed systems security reference architecture (diagram)
• Users access an Application that fronts the Protected Resources
• Application Security Services: Audit, Authentication, Privacy, Authorization
• Identity Management Infrastructure: Policy Decision Services, Identity & Policy Store, Identity & Profile Assertion Services, Administration & Provisioning
Infrastructure usage overview

Deployment process overview (diagram): Enterprise Requirements -> Requirement Analysis -> Logical Deployment Plan -> Deployment Planning -> Physical Deployment Plan -> Implementation and Deployment -> Administration; new requirements based on deployment experience feed back into requirement analysis.
Deployment example: Oracle Data Center
• Services for 40K employees worldwide
• Application environment
  – Employee portal, Oracle E-Business Suite, Oracle Collaboration Suite
  – Extranet environment
• Initial requirements
  – Unified identity management
  – Single sign-on across applications
Deployment Planning Steps

Requirements Analysis Phase
• Plan, deploy and administer responsibility
• Which components to deploy
• Information model
• Centralized security management
• Enterprise application
• Administrative autonomy
• Security isolation
• Third-party identity management integration
• High availability, scalability and performance
Requirement example: Oracle's extranet environment (diagram): inside the company, Employees use Internal Apps; outside, Customers, Employees and Partners reach Shared Apps through the Company Portal (my.oracle.com).
Logical deployment plan
• Translation of the enterprise requirements
• Answers questions such as:
  – How many identity management infrastructures to deploy?
  – Which components will be deployed, and where?
  – Deployment of replicated local instances?
  – How is it going to integrate with other enterprise repositories, provisioning systems and single sign-on services?
Logical deployment planning issues
• Issues
  – Standard enterprise model
  – Serving internal and external users
  – Administrative autonomy for departmental applications
  – Integration with other identity management systems
Example: Security isolation using two infrastructures (diagram)
• Extranet Identity Management (Directory, Single Sign-On, Delegated Administration) serves External Users accessing OracleAS Portal
• Internal Identity Management (Directory, Single Sign-On, Delegated Administration) serves Internal Users accessing Oracle Collaboration Suite
• Directory Integration / Directory Synchronization links the two directories
Example: User provisioning from Windows (diagram)
Components shown: Windows Environment, Microsoft ADS, Oracle Internet Directory, Delegated Administration Console, OracleAS Single Sign-On, OracleAS Portal, Oracle E-Business Suite Release 11i.
1 - "Add user"
2 - User created in ADS
3 - User synchronized with OID
4 - User provisioned in Oracle environment
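The following is an added example, not code from the presentation or from Oracle. It simulates the four numbered steps above (add user, entry created in ADS, entry synchronized into the Oracle Internet Directory, user provisioned into applications) as a change-log poll with attribute mapping, and also the partial replication that the preceding "security isolation using two infrastructures" example calls for, where only a whitelist of attributes crosses into the extranet directory. The attribute map, base DNs, whitelist and the ADS change log are all constructed for the demo; the real Directory Integration Platform has its own connectors and schema mapping files, which this does not reproduce.

```python
"""Simulated directory synchronization and provisioning (added example)."""
from dataclasses import dataclass, field

# Constructed attribute map: ADS attribute -> target (inetOrgPerson-style) attribute.
# Anything not listed (e.g. userAccountControl) never leaves the source directory.
AD_TO_OID = {
    "sAMAccountName": "uid",
    "givenName": "givenName",
    "sn": "sn",
    "mail": "mail",
    "displayName": "cn",
}

# Only these attributes may cross into the extranet directory (assumed policy).
EXTRANET_ALLOWED = {"uid", "cn", "mail"}

# Constructed ADS change log, in the order the source directory emitted it.
AD_CHANGELOG = [
    {"changenumber": 1, "changetype": "add", "sAMAccountName": "jdoe",
     "attrs": {"sAMAccountName": "jdoe", "givenName": "Jane", "sn": "Doe",
               "displayName": "Jane Doe", "mail": "jdoe@example.com",
               "userAccountControl": "512"}},
    {"changenumber": 2, "changetype": "add", "sAMAccountName": "bsmith",
     "attrs": {"sAMAccountName": "bsmith", "givenName": "Bob", "sn": "Smith",
               "displayName": "Bob Smith", "mail": "bsmith@example.com"}},
    {"changenumber": 3, "changetype": "modify", "sAMAccountName": "jdoe",
     "attrs": {"mail": "jane.doe@example.com"}},
    {"changenumber": 4, "changetype": "delete", "sAMAccountName": "bsmith",
     "attrs": {}},
]


@dataclass
class Directory:
    """Minimal LDAP-like store: DN -> attributes, plus a change-log watermark."""
    base_dn: str
    entries: dict = field(default_factory=dict)
    watermark: int = 0

    def user_dn(self, uid):
        return f"cn={uid},cn=Users,{self.base_dn}"


def map_attributes(uid, ad_attrs):
    """Rename ADS attributes to the target schema; unmapped attributes are dropped."""
    mapped = {AD_TO_OID[k]: v for k, v in ad_attrs.items() if k in AD_TO_OID}
    mapped["uid"] = uid
    return mapped


def sync_from_changelog(changelog, target):
    """Apply change-log records newer than target.watermark (the event poll).

    Returns (changetype, uid) events for provisioning. Re-running with the
    same log is a no-op because the watermark has advanced.
    """
    events = []
    for rec in sorted(changelog, key=lambda r: r["changenumber"]):
        if rec["changenumber"] <= target.watermark:
            continue
        uid, kind = rec["sAMAccountName"], rec["changetype"]
        dn = target.user_dn(uid)
        if kind == "add":
            target.entries[dn] = map_attributes(uid, rec["attrs"])
        elif kind == "modify":
            # A modify for an entry never seen is treated as an add so the
            # user is not silently lost; only mapped attributes change.
            target.entries.setdefault(dn, {"uid": uid}).update(
                map_attributes(uid, rec["attrs"]))
        elif kind == "delete":
            target.entries.pop(dn, None)
        else:
            raise ValueError(f"unknown changetype {kind!r}")
        events.append((kind, uid))
        target.watermark = rec["changenumber"]
    return events


def poll_provisioning(events, applications):
    """Fan each event out to every subscribed application (step 4 above)."""
    actions = {app: [] for app in applications}
    for kind, uid in events:
        for app in applications:
            actions[app].append(f"{kind}:{uid}")
    return actions


def replicate_to_extranet(internal, extranet):
    """Partial replication into the isolated extranet directory.

    Copies only EXTRANET_ALLOWED attributes and removes extranet entries whose
    internal counterpart is gone. Returns the extranet entry count afterwards.
    """
    live_uids = set()
    for attrs in internal.entries.values():
        live_uids.add(attrs["uid"])
        extranet.entries[extranet.user_dn(attrs["uid"])] = {
            k: v for k, v in attrs.items() if k in EXTRANET_ALLOWED}
    for dn in list(extranet.entries):
        if extranet.entries[dn]["uid"] not in live_uids:
            del extranet.entries[dn]
    return len(extranet.entries)
```

Running `sync_from_changelog(AD_CHANGELOG, Directory("dc=example,dc=com"))` yields four events and leaves one entry (jdoe, with the updated mail and without userAccountControl); feeding those events to `poll_provisioning` produces one action per application, and `replicate_to_extranet` copies only uid, cn and mail across and purges extranet entries that no longer exist internally. The watermark is what makes the poll safe to repeat, which is the property a production connector must also have.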
Detailed deployment planning
• Directory information model (DIT)
• Identity Management Realms
• Physical network topologies
• High availability considerations
• Geographic distribution
• Certificate authority deployment
Example: Oracle Internet Directory Information Tree
root
  dc=com
    dc=oracle
      dc=amer
      dc=emea
      dc=apac
      dc=moc
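An added example, not code from the presentation or from Oracle, working with the tree above: it parses LDAP DNs (including backslash-escaped commas in values), decides which regional subtree an entry belongs to, and rebuilds the indented tree from a list of DNs. Treating each regional subtree (dc=amer, dc=emea, dc=apac, dc=moc) as an identity management realm is an assumption made for the demo; the user DNs below are constructed.

```python
"""DN parsing and realm resolution for a directory information tree (added example)."""

# Realm search bases taken from the slide's tree; treating them as realms is assumed.
REALM_BASES = [
    "dc=amer,dc=oracle,dc=com",
    "dc=emea,dc=oracle,dc=com",
    "dc=apac,dc=oracle,dc=com",
    "dc=moc,dc=oracle,dc=com",
]


def parse_dn(dn):
    """Split a DN into [(attr, value), ...] leaf-first, honouring backslash-escaped commas."""
    rdns, buf, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep escape pairs such as "\," intact
            buf += dn[i:i + 2]
            i += 2
            continue
        if dn[i] == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += dn[i]
        i += 1
    rdns.append(buf)
    parsed = []
    for rdn in rdns:
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        parsed.append((attr.strip().lower(), value.strip()))
    return parsed


def is_under(dn, base):
    """True when dn lies strictly below base; attributes and values compare case-insensitively."""
    d, b = parse_dn(dn), parse_dn(base)
    if len(d) <= len(b):
        return False
    return [(a, v.lower()) for a, v in d[-len(b):]] == [(a, v.lower()) for a, v in b]


def realm_for(dn, realms=REALM_BASES):
    """Return the most specific realm base containing dn, or None if it is outside every realm."""
    matches = [r for r in realms if is_under(dn, r)]
    return max(matches, key=lambda r: len(parse_dn(r)), default=None)


def build_tree(dns):
    """Nest DNs root-first into a dict of dicts keyed by 'attr=value'."""
    tree = {}
    for dn in dns:
        node = tree
        for attr, value in reversed(parse_dn(dn)):
            node = node.setdefault(f"{attr}={value}", {})
    return tree


def render(tree, depth=0):
    """Indented listing of a tree from build_tree, one RDN per line."""
    lines = []
    for key, sub in tree.items():
        lines.append("  " * depth + key)
        lines.extend(render(sub, depth + 1))
    return lines
```

`render(build_tree(REALM_BASES))` reproduces the slide's tree below root, and `realm_for("cn=jdoe,cn=Users,dc=amer,dc=oracle,dc=com")` returns the amer base, while an entry placed directly under dc=oracle,dc=com (or the realm base itself) resolves to no realm. The escape handling matters in practice because a `cn` containing a comma would otherwise split into two RDNs and land the entry in the wrong place.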
Example: Physical Network Topology (diagram; only the labels are recoverable, listed here without the connecting lines)
• Edge and storage: Clients, BigIP, DMZ, NetAPP storage, CFC
• Web and mid-tier hosts: web90, web91, web217, web218, web239, web240, web241
• Mid-tier roles shown: iAS904 mid tier SSO/DAS; 902 mid tier, sso/das, webmail/voice; iAS904 stldap; gmsso db; OCSv2 GIT webmail/voice; OCSv2 sso/das for GIT
• Directory hosts: rgmldap0, rgmldap1, rgmldap3, rgmldap4, rgmldap20, rgmldap21
• Directory roles shown: Fail-over server; 9023 GITldap; OID ASR rep; OID fan out rep; OID plugin; OID plugin (email/passwd); GITSSO
• Mail hosts: rgmum7, rgmum11, rgmum14, rgmum15, rgmum20, rgmum21
• Mail roles shown: OCSv1 imap/smtp for ST; OCSv2 imap/smtp for GIT; OCSv1 imap/smtp for amer, etc.
• Database hosts and clusters: rgmdbs1, rgmdbs2, rgmdbs3; five 2node RAC clusters (one marked HA) and one 3node RAC; databases: STMAIL db, amer db, apac db, emea db, GIT db
• Annotation (appears twice): SSO periodic exp/imp when new partner apps added
Summary and Conclusions

Summary
• Identity management is critical for the deployment and management of enterprise applications and essential to grid computing
• Oracle includes a robust, scalable and integrated infrastructure for managing Oracle environments and more
• Oracle Identity Management provides a single point of integration to other identity management environments
For More Information
• See the forthcoming Oracle Identity Management Concepts and Deployment Planning Guide
  – Released with Oracle Application Server 10g (9.0.4)
• Oracle Technology Network
  – http://otn.oracle.com
Questions & Answers