Oracle Identity Manager Architecture An Oracle White Paper May 2006


Oracle Identity Manager Architecture

Executive summary
Core architecture
Industrial strength, n-tier application architecture
  Basic Tiers
  Presentation Layer
  Dynamic Presentation Logic Layer
  Business Logic Layer
  Data Access Layer
  Backend System Integration Layer
Oracle Identity Manager’s n-tier J2EE application architecture
  Presentation Layer
  Dynamic Presentation Logic Layer
    Oracle Identity Manager Web Application
    Oracle Identity Manager Design Console
  Business Logic Layer
    Execution Environment – The Application Server
    Client Interfaces and Business Logic Implementation
  Data Access Layer
  Backend System Integration Layer
Remote Manager
The Oracle Identity Manager Scheduler
The Oracle Identity Manager Platform Security Model
  Channel Security
  Key and Certificate Security
  Remote Manager Security
    JAAS-Based Authentication
Deployment Options
  Option 1 – Simple Deployment
  Option 2 – Clustered Deployment
  Option 3 – Proxied Deployment
  Option 4 – Partitioned Deployment
  Remote Manager Deployment Options
Conclusion

Oracle Identity Manger Architecture White Paper Page 2


EXECUTIVE SUMMARY

Oracle Identity Manager is Oracle’s identity management solution for enterprise user provisioning. Oracle Identity Manager® is a secure enterprise provisioning solution with proven functionality in the identity management domain. Enterprise provisioning involves the management activities, business processes and technologies governing the creation, modification and deletion of user access rights and privileges to an organization’s IT systems, applications and physical assets. To gain better control over user access rights, enterprises are turning to automated provisioning systems that enforce organizational security policies and ensure adherence to regulatory standards.

This technical whitepaper describes the core technology that powers the Oracle Identity Manager platform. The paper provides an overview of the technologies that the architecture is based on, then describes how these technologies are leveraged to deliver a scalable, high-availability provisioning solution that manages identity information across a typically heterogeneous environment.


CORE ARCHITECTURE

Oracle Identity Manager is built on a state-of-the-art, J2EE-based, N-tier deployment architecture that separates the platform's presentation, business logic and data tiers. This separation of tiers means that Oracle Identity Manager can rapidly scale with the performance needs of the customer. The architecture is able to leverage the most flexible and supported cross-platform J2EE services available: a combination of Java, XML, and object technologies. Such architecture makes Oracle Identity Manager a scalable, fault-tolerant solution for the most ambitious global deployments in the industry.

Oracle Identity Manager runs on leading J2EE compliant application server platforms, including Oracle, JBoss, BEA WebLogic and IBM WebSphere, to support JSP/Java Servlet and EJB execution, as well as to exploit the performance and scalability features inherent in these servers. Oracle Identity Manager also supports application server clustering for increased performance and virtually automatic failover in mission-critical computing environments. The standards-based approach also allows Oracle Identity Manager to leverage multiple enterprise databases like Oracle and SQL Server for its data tier.

Oracle Identity Manager’s technology architecture is designed to deliver the specific functionality requirements expected of an industry-leading provisioning system. Specifically, the Oracle Identity Manager architecture is designed to meet the following goals and objectives:

• Time to Market – rapidly deploy Oracle Identity Manager services

• Performance – speedy response times and efficient navigation

• Portability – minimizing platform and external system dependencies

• Scalability – scale from low end to thousands of users

• Maintainability – easy to support and maintain

• Availability – always online and available when needed

• Reliability – consistency of application and transactions

Oracle Identity Manager meets all the above goals and objectives with a well-designed architecture and application of J2EE, Java, XML, and other new Internet technologies. The 100% Java-based, n-tiered architecture was designed from the ground up with performance, scalability and extensibility in mind. The architecture reflects the years of experiences and expertise possessed by Oracle (formerly Thor Technologies) in successfully producing and deploying an enterprise level provisioning system.


INDUSTRIAL STRENGTH, N-TIER APPLICATION ARCHITECTURE

The purpose of this section is to outline the generic architectural elements of an industrial strength n-tier application developed using J2EE (Java 2 Enterprise Edition), which serves as the blueprint for the Oracle Identity Manager architecture. J2EE defines a set of standards for implementing scalable and reliable enterprise applications from reusable components. It defines a set of standardized, modular components, provides a complete set of services to those components, and handles many details of the application behavior.

Oracle Identity Manager is architected as an N-tier J2EE application, providing scalability, reliability, and reusable components.

Basic Tiers

Using J2EE to develop n-tier applications involves breaking the application architecture into multiple tiers. A typical n-tier enterprise application provides separate layers for each of the following services.

• Presentation Layer

• Dynamic Presentation Logic Layer

• Business Logic Layer

• Data Access Layer

• Backend System Integration Layer

Figure 1 illustrates these layers in a typical distributed J2EE application.

Figure 1: J2EE N-Tier architecture

Presentation Layer

In a typical web-enabled n-tier application, the Presentation Layer consists of a web browser running on a client machine, which handles the presentation using HTML, Java Applets, JavaScript, etc. It can also contain stand-alone applications that communicate directly with the business logic layer using the protocol supported by the middle tier.

Dynamic Presentation Logic Layer

Even though browsers can handle some of the presentation, most of the logic for generating dynamic presentations is done in the Web Server using JSPs, Servlets, XML, XSL, etc., to support the different kinds of browsers and to present the content in a meaningful way.

Business Logic Layer

All the business logic of the enterprise application is implemented in the middle tier using a J2EE application server, which uses EJBs (Enterprise Java Beans) and other J2EE technologies to deploy the application as scalable and distributed granular components and services.

Data Access Layer

This layer typically contains data access beans and other data access components that connect to the relational databases. This layer also manages the pool of Java Database Connectivity (JDBC) connections and can be thought of as an object-oriented wrapper around relational databases, implemented as distributed and reusable components.

Backend System Integration Layer

The backend tier typically consists of a distributed set of relational databases integrated with the middle tier using JDBC, which can be used to access a wide variety of databases in a uniform way. This tier can also contain other legacy systems that integrate with the application using a variety of technologies, depending on the exact nature of the backend system.


ORACLE IDENTITY MANAGER’S N-TIER J2EE APPLICATION ARCHITECTURE

As discussed in the previous section, any industrial strength n-tier application developed using J2EE can be divided into 5 basic tiers. This section discusses each of these tiers in the Oracle Identity Manager context and describes how they are implemented in the J2EE Architecture. Figure 2 illustrates the N-Tier J2EE architecture of Oracle Identity Manager.

Figure 2: Oracle Identity Manager N-Tier architecture (diagram not reproduced; its labels are: Client-Side Presentation, where the Web Browser reaches the Oracle Identity Manager Administration & End-User Console over HTTP/SSL and the Design Console Java Client reaches the server over J2EE-Protocol/SSL; Server-Side Presentation in the Oracle Identity Manager Web Application's Web Container (JSP, Servlet, XML, JavaBean, with RMI-IIOP, JAAS and JNDI from the vendor implementation); Server-Side Business Logic in the Oracle Identity Manager EJB Application's J2EE Container (API Session Beans, Message-Driven Beans, Java Data Objects, Connectors, with JDBC, JAXP, RMI-IIOP, JavaMail, JTA, JAAS, JMS and JNDI from the vendor implementation), plus the Quartz scheduler and the Remote Manager attached over RMI/SSL; and the Data Access Layer and Enterprise Systems: the Database reached over JDBC and Integration Targets reached through Adapters over the target API protocol.)

Presentation Layer

The presentation layer consists of two clients – the Administration Console and the Design Console. The Administration Console is a web based thin client that can be accessed from any web browser. Since most of the content in this client is highly dynamic, the bulk of the work is done in the Dynamic Presentation Logic Layer. The Administration Console provides user self-service and delegated administration features that serve the bulk of the user base of the provisioning system. The look and feel of the Web Client can be customized via cascading style sheets. Additional customization is achieved by modifying the JSPs and Tiles in the Dynamic Presentation Logic Layer, described below.

The Design Console is a feature-rich, sophisticated client accessed using a desktop Java client. The Design Console provides the full range of Oracle Identity Manager’s system configuration and development capabilities including Form Designer, Workflow Designer and Adapter Factory. The Design Console interacts directly with the components of the Business Logic Tier, and thus also includes the Dynamic Presentation Logic Layer within it.


Dynamic Presentation Logic Layer

Since both the Administration Console and the Design Console are highly dynamic, the Dynamic Presentation Logic Layer guides the content being displayed. While in the case of the Administration Console there is a clear separation between the Presentation and Presentation Logic Layers, no such boundary exists in the Design Console.

Oracle Identity Manager Web Application

The Oracle Identity Manager Web Application provides the Administration Console access to the Oracle Identity Manager functionality. It is built on the “Struts with Tiles” framework using JSPs, Servlets and JavaBeans. Struts is an open source framework for building Java web applications. The core of the Struts framework is a flexible control layer based on standard technologies like Java Servlets, JavaBeans, ResourceBundles, and XML, as well as various Jakarta Commons packages. The current Web Client is designed and built to use the Oracle Identity Manager APIs and to be compatible with the J2EE framework.

The design of the Oracle Identity Manager Web Application is based on the JavaServer Pages Model 2 architecture, which is a refinement of the well-known MVC (Model-View-Controller) design pattern. An overview of the Model-View-Controller design pattern is shown in Figure 3.

Figure 3: Model-View-Controller (MVC) Design Pattern

Struts provides its own Controller component and integrates with other technologies to provide the Model and the View. For the Model, Struts can interact with standard data access technologies, like JDBC and EJB. For the View, Struts works well with JavaServer Pages, including JSTL and JSF, as well as Velocity Templates, XSLT, and other presentation systems.

In the Oracle Identity Manager Web Application, the Model is based on the published Oracle Identity Manager APIs, while the View is implemented using JavaServer Pages.

Customization

Being based on the Struts framework, it supports a great deal of configurability and customization. Customers can easily extend the Oracle Identity Manager Web Application with pages and functional flows that are more suitable for their environment.

Modular Design

The Oracle Identity Manager Web Application is built in a very modular manner with mostly reusable components and widgets that customers can leverage when extending the Web Application to suit their needs. This eliminates a great deal of the work necessary to build components for custom flows.

Interface Philosophy

The interface philosophy in the Oracle Identity Manager Web Application is based on ease-of-use and intuitive user interaction. A number of wizards are provided to allow users to step through commonly needed tasks in a well thought-out, intuitive manner.

Oracle Identity Manager Design Console

The Oracle Identity Manager Design Console is implemented as a Java Swing client that communicates directly to the Business Logic Tier in the application. It is a feature-rich interface that provides the sophistication necessary to deal with the configuration and design functions in Oracle Identity Manager, like designing forms and workflows and creating and managing adapters.

Based on a highly object-oriented architecture, it interacts with the Oracle Identity Manager EJB Application directly using a set of non-published interfaces. It also supports a highly sophisticated delegated administration model, guaranteeing that users can only work on those parts of the application configuration that they have been given privileges to.

Business Logic Layer

The Business Logic Layer for Oracle Identity Manager is implemented as an EJB application. Oracle Identity Manager runs on leading J2EE compliant application server platforms, leveraging the J2EE services provided by these industry-leading application servers to deliver a high-performance, fault tolerant enterprise application.


Execution Environment – The Application Server

The application server in which Oracle Identity Manager runs provides the life-cycle management, security, deployment and runtime services to the logical components that make up the Oracle Identity Manager Application. These services include

• Scalable Management of Resources (Clustering, Failover)

• Transaction Management

• Security Management

• Client Access

• Technology Resources (Database Connection Pooling, Messaging, etc)

• Other services required as part of a manageable server platform.

Clustering

A cluster in J2EE architecture is generally defined as a group of two or more J2EE-compliant web or application servers that closely cooperate with each other through transparent object replication mechanisms to ensure each server in the group presents the same content. Each server (node) in the cluster is identical in configuration and networked to act as a single virtual server. Any J2EE server in the cluster can handle client requests directed to this virtual server independently, which gives the impression of a single entity hosting the J2EE application in the cluster.

High availability refers to the capability to ensure applications hosted in the middle tier remain consistently accessible and operational to their clients. It is achieved through the redundancy of multiple web and application servers within the cluster and is implemented by the cluster's "failover" mechanisms. If an application component fails processing its task, the cluster's failover mechanism reroutes the task and any supporting information to a copy of the object on another server to continue the task.

The Oracle Identity Manager application has been architected to support a clustered environment. This includes ensuring that the EJBs and the Value Objects used to store data support serialization (for object replication to work).

Load Balancing

For a server cluster to achieve its high-availability, high-scalability, and high-performance potential, load balancing is required. Load balancing refers to the capability to optimally partition inbound client processing requests across all the J2EE servers that constitute a cluster based on factors such as capacity, availability, response time, current load, historical performance, and also administrative weights (priority) placed on the clustered servers.


A load balancer, which can be either software or hardware based, sits between the Internet and the physical server cluster, also acting as a virtual server. As each client request arrives, the load balancer makes near-instantaneous intelligent decisions about the J2EE server best able to satisfy that request.

The Oracle Identity Manager architecture takes full advantage of the built-in load-balancing capabilities of the application server it runs on.

Security Management

The Oracle Identity Manager architecture relies on the application server for certain security services as part of its overall security infrastructure. This is discussed in the following Security section that details the overall security model in Oracle Identity Manager.

Messaging

Leveraging the Java Message Service (JMS) allows Oracle Identity Manager to provide improved performance and load balancing. The basic concept behind messaging is that distributed applications can communicate using a self-contained package of business data and routing headers. These packages are called messages. While RMI and HTTP rely on a two-way active conversation between a client and a server, messaging relies on two or more interested parties communicating asynchronously through a messaging server (that is, without waiting for a response).

JMS is a vendor-neutral API incorporated in the J2EE standard as a way to standardize messaging functionality. All industry standard application servers provide their own JMS server implementations as a part of their service offerings.

The Oracle Identity Manager platform leverages messaging to provide better performance and load balancing. This is done within the Oracle Identity Manager application by messaging to off-line processing. Off-lining is a way to separate an end-user’s interaction with the application from the processing that the user’s interaction initiates. When the user initiates some action that will result in a lot of processing, it is desirable to return the control of the console to the user before the processing is finished. This can be accomplished by not initiating the processing right away based on the users action, but rather sending a message into the system’s message queue regarding the action. Sending a message is a lightweight operation, and the user gets back a response instantly. The message can be picked up asynchronously, and processing can be initiated based on the content of the message. Since the message handlers can be distributed across the application server cluster, processing of multiple simultaneous user actions can be load-balanced across the different nodes in the cluster. Figure 4 shows an overview of message-based off-lining in the Oracle Identity Manager application.


Figure 4: Message-based off-lining of processing (diagram not reproduced; its labels are: J2EE Container/Oracle Identity Manager; (1) the User initiates an action that has off-lining support; the Oracle Identity Manager (Xellerate) Server Layer acts as Message Producer; a Message Queue backed by a Message Persistence Data Store whose persistence is DB-managed; (2) after initial processing the producer sends a message, the consumer receives it and initiates the remaining processing; the Oracle Identity Manager Server Layer acts as Message Consumer; (3) response and control are returned to the user.)

Messages are also persisted to a data store for guaranteed delivery in the case of fail-over. The persistence of the messages is controlled by the application server, and therefore by the system administrator in a standard way.

Client Interfaces and Business Logic Implementation

The Oracle Identity Manager Business Logic Layer is implemented in the form of an EJB application. The core functionality for the Oracle Identity Manager platform is implemented in Java using a highly modular, object-oriented methodology. This makes the application extremely flexible and extensible. This includes the various engines that comprise the Oracle Identity Manager platform – Workflow Engine, Request Engine, User Management Engine, Rule Engine and Reconciliation Engine – as well as the Integration Layer based on the Adapter Factory, which dynamically generates integration code based on the metadata definition of the adapters.

Access to the functionality of the platform is via a set of EJB session beans. These session beans are divided into two sets:

1. Non-Published APIs: These are session beans that expose functionality used only by the Design Console.

2. Published Public APIs: These are session beans that expose the public functionality of Oracle Identity Manager. This API layer provides access to high-level, coarse-grained functionality in the Oracle Identity Manager system. It is the basis for the functionality implemented in the Oracle Identity Manager Web Application. It is also the interface that custom clients can use to access Oracle Identity Manager capabilities.


Access to the business functionality is via the above sets of APIs. The APIs, which are implemented as Stateless Session EJBs, use the J2EE infrastructure to provide the lookup and communication mechanisms.

Custom Clients

The client environment for Oracle Identity Manager is highly customizable via well-documented Java APIs. In quite a few enterprises, there is a need for the provisioning system to support a custom developed client. Some of the needs that may drive this include:

• Integration of the client into an existing enterprise portal

• Creation of custom flows for user interaction

• Creation of custom pages built around the customer’s unique needs from the provisioning system

• Adherence to enterprise portal standards

In order to support such customization, Oracle Identity Manager exposes the bulk of the necessary functionality via its published public APIs. A comprehensive Software Development Kit (SDK) is also provided to assist in the development effort.
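The lookup-and-call pattern the preceding paragraphs describe, as an added illustration that is not code from this paper or from the Oracle Identity Manager SDK: a stand-alone Java client that authenticates to the application server through JNDI and calls a published API bean exposed as a remote stateless session bean. The property keys, the JNDI names (jndi.factory, jndi.url, jndi.userOps), the UserOperationsRemote interface and the set of SSL-bearing URL schemes are assumptions made for the example; the vendor-specific initial context factory class and URL scheme come from whichever application server is in use. Because the Design Console and custom clients speak the J2EE client protocol, which Figure 2 marks as /SSL, the client refuses a provider URL whose scheme is not one of the SSL variants, so the JAAS credentials never cross the network in clear text.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.net.URI;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Properties;
import java.util.Set;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.rmi.PortableRemoteObject;

/**
 * Stand-alone custom client for a provisioning API published as a remote stateless
 * session bean. Illustration only: the JNDI names, property keys and the
 * UserOperationsRemote interface are assumptions, not Oracle Identity Manager's SDK.
 */
public class ProvisioningClient {

    /** Remote business interface the client is compiled against (hypothetical). */
    public interface UserOperationsRemote {
        String findUserKey(String login);
        void disableUser(String userKey);
    }

    /** Provider URL schemes that wrap the J2EE client protocol in SSL (deployment-specific; assumed). */
    static final Set<String> SECURE_SCHEMES = new HashSet<>(Arrays.asList("t3s", "https"));

    /** Refuses a plaintext provider URL (t3://, http://, jnp://, iiop://): credentials would cross the wire in the clear. */
    static String requireSecureProviderUrl(String url, Set<String> secureSchemes) {
        String scheme = URI.create(url).getScheme();
        if (scheme == null || !secureSchemes.contains(scheme.toLowerCase())) {
            throw new IllegalArgumentException("refusing non-SSL provider URL: " + url);
        }
        return url;
    }

    /** Builds the JNDI environment; the password comes from a file with restricted permissions, never from source. */
    static Properties jndiEnvironment(Properties cfg, Set<String> secureSchemes) {
        Properties env = new Properties();
        env.put(Context.INITIAL_CONTEXT_FACTORY, required(cfg, "jndi.factory")); // vendor class name
        env.put(Context.PROVIDER_URL, requireSecureProviderUrl(required(cfg, "jndi.url"), secureSchemes));
        env.put(Context.SECURITY_PRINCIPAL, required(cfg, "oim.user"));   // verified by the server's JAAS realm
        env.put(Context.SECURITY_CREDENTIALS, required(cfg, "oim.password"));
        return env;
    }

    static String required(Properties cfg, String key) {
        String v = cfg.getProperty(key);
        if (v == null || v.isEmpty()) throw new IllegalArgumentException("missing property " + key);
        return v;
    }

    /** Usage: java ProvisioningClient client.properties jdoe */
    public static void main(String[] args) throws IOException, NamingException {
        Properties cfg = new Properties();
        try (FileInputStream in = new FileInputStream(args[0])) {
            cfg.load(in);
        }
        Context ctx = new InitialContext(jndiEnvironment(cfg, SECURE_SCHEMES));
        try {
            Object ref = ctx.lookup(required(cfg, "jndi.userOps"));
            UserOperationsRemote ops =
                (UserOperationsRemote) PortableRemoteObject.narrow(ref, UserOperationsRemote.class);
            String key = ops.findUserKey(args[1]);
            ops.disableUser(key);
            System.out.println("disabled " + args[1] + " (key " + key + ")");
        } finally {
            ctx.close(); // ends the authenticated session
        }
    }
}
```

The scheme check is deliberately a whitelist: a new plaintext transport added by a vendor is refused until someone decides it is acceptable, which is the failure mode you want for a client that carries an administrator's password.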

Data Access Layer

J2EE contains several technologies for manipulating and interacting with transactional resources like databases, based on JDBC, JTA and JTS. The Oracle Identity Manager architecture leverages the following J2EE services:

• Database Connection Pooling

• Integration with JNDI – Lookup of DataSources in the JNDI Namespace

• XA Compliance

• Batch Updates

The system administrator can manage the data sources the same way as they do for all standard J2EE applications in the enterprise. Oracle Identity Manager is able to use these data sources to communicate with the database tier.

Oracle Identity Manager has a custom persistence layer that has been built on the JDBC framework to manage persistence of the data to the database. This custom implementation is optimized to deal with the complexity of the data involved in the provisioning transactions in an optimal manner above and beyond what container managed persistence and generic persistence mechanisms can support.

An important requirement for the Oracle Identity Manager application to operate is for the backend database to be XA-compliant. This requires XA support to be turned on at the database level. This is important for the application server to properly manage transactions that involve not just database connections but also message delivery and receipt.
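The message-based off-lining of Figure 4 and the XA requirement just stated, as an added example that is not Oracle Identity Manager's own code: an EJB 3.0 stateless session bean that persists a request row and sends a persistent JMS message in one container-managed transaction, and a message-driven bean that later completes the work on whichever cluster node picks the message up. Table names, the JNDI names (jms/ProvisioningQCF, jms/ProvisioningQueue, jdbc/ProvisioningXADS) and the entitlement check are assumptions; the SELECT ... FOR UPDATE is Oracle syntax. Both beans are shown in one listing and belong in separate source files. The point to check in a real deployment: the JDBC DataSource and the JMS ConnectionFactory must both be XA resources, so that the row insert and the enqueue commit together or not at all, and because the caller's JAAS Subject does not travel with the message, the consumer re-reads the request from the repository and re-derives authorization there rather than trusting anything in the message body.

```java
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.annotation.Resource;
import javax.ejb.ActivationConfigProperty;
import javax.ejb.EJBException;
import javax.ejb.MessageDriven;
import javax.ejb.Stateless;
import javax.ejb.TransactionAttribute;
import javax.ejb.TransactionAttributeType;
import javax.jms.Connection;
import javax.jms.ConnectionFactory;
import javax.jms.DeliveryMode;
import javax.jms.JMSException;
import javax.jms.MapMessage;
import javax.jms.Message;
import javax.jms.MessageListener;
import javax.jms.MessageProducer;
import javax.jms.Queue;
import javax.jms.Session;
import javax.sql.DataSource;

/** Producer side of Figure 4: the user-facing call. Row insert and message send commit (or roll back) together. */
@Stateless
public class ProvisioningRequestBean {

    @Resource(mappedName = "jms/ProvisioningQCF")   private ConnectionFactory qcf; // hypothetical JNDI names
    @Resource(mappedName = "jms/ProvisioningQueue") private Queue queue;
    @Resource(mappedName = "jdbc/ProvisioningXADS") private DataSource ds;         // XA data source; XA enabled in the DB

    @TransactionAttribute(TransactionAttributeType.REQUIRED)
    public long submitRequest(String requestor, String targetUser, String action) throws SQLException, JMSException {
        long requestId;
        // (1) cheap initial processing: the request row is the authoritative record of who asked for what
        try (java.sql.Connection db = ds.getConnection();
             PreparedStatement ps = db.prepareStatement(
                 "INSERT INTO prov_request (requestor, target_user, action, status) VALUES (?, ?, ?, 'QUEUED')",
                 new String[] { "request_id" })) {
            ps.setString(1, requestor); ps.setString(2, targetUser); ps.setString(3, action);
            ps.executeUpdate();
            try (ResultSet keys = ps.getGeneratedKeys()) { keys.next(); requestId = keys.getLong(1); }
        }
        // (2) send: only the key travels, so the consumer re-reads the row instead of trusting message fields
        Connection c = qcf.createConnection();
        try {
            // inside a container-managed transaction the session arguments are ignored; the send enlists in the XA tx
            Session s = c.createSession(false, Session.AUTO_ACKNOWLEDGE);
            MessageProducer p = s.createProducer(queue);
            p.setDeliveryMode(DeliveryMode.PERSISTENT); // written to the message store, survives broker failover
            MapMessage m = s.createMapMessage();
            m.setLong("requestId", requestId);
            p.send(m);
        } finally {
            c.close();
        }
        return requestId; // (3) control returns to the console; the heavy work has not started yet
    }
}

/** Consumer side: runs later on any cluster node, under the container's run-as identity, not the user's. */
@MessageDriven(activationConfig = {
    @ActivationConfigProperty(propertyName = "destinationType", propertyValue = "javax.jms.Queue"),
    @ActivationConfigProperty(propertyName = "destination", propertyValue = "jms/ProvisioningQueue") })
public class ProvisioningWorkerBean implements MessageListener {

    @Resource(mappedName = "jdbc/ProvisioningXADS") private DataSource ds;

    @TransactionAttribute(TransactionAttributeType.REQUIRED)
    public void onMessage(Message msg) {
        try {
            if (!(msg instanceof MapMessage)) return; // malformed: consume it rather than roll back into endless redelivery
            long requestId = ((MapMessage) msg).getLong("requestId");
            try (java.sql.Connection db = ds.getConnection()) {
                String requestor, targetUser, action;
                // lock the row (Oracle syntax); a redelivered duplicate finds status != 'QUEUED' and does nothing
                try (PreparedStatement sel = db.prepareStatement("SELECT requestor, target_user, action FROM prov_request"
                        + " WHERE request_id = ? AND status = 'QUEUED' FOR UPDATE")) {
                    sel.setLong(1, requestId);
                    try (ResultSet rs = sel.executeQuery()) {
                        if (!rs.next()) return;
                        requestor = rs.getString(1); targetUser = rs.getString(2); action = rs.getString(3);
                    }
                }
                // the caller's JAAS Subject did not travel with the message: re-check entitlement from the repository
                if (!mayPerform(db, requestor, action, targetUser)) { setStatus(db, requestId, "DENIED"); return; }
                try (PreparedStatement ins = db.prepareStatement(
                        "INSERT INTO prov_account_change (request_id, target_user, action) VALUES (?, ?, ?)")) {
                    ins.setLong(1, requestId); ins.setString(2, targetUser); ins.setString(3, action);
                    ins.executeUpdate(); // stands in for the expensive per-target work
                }
                setStatus(db, requestId, "COMPLETED");
            }
        } catch (JMSException | SQLException e) {
            throw new EJBException(e); // rollback: the row stays QUEUED and the persistent message is redelivered
        }
    }

    private static boolean mayPerform(java.sql.Connection db, String who, String action, String target) throws SQLException {
        try (PreparedStatement ps = db.prepareStatement(
                "SELECT 1 FROM admin_entitlement WHERE admin_login = ? AND action = ? AND target_user = ?")) {
            ps.setString(1, who); ps.setString(2, action); ps.setString(3, target);
            try (ResultSet rs = ps.executeQuery()) { return rs.next(); }
        }
    }

    private static void setStatus(java.sql.Connection db, long id, String status) throws SQLException {
        try (PreparedStatement ps = db.prepareStatement("UPDATE prov_request SET status = ? WHERE request_id = ?")) {
            ps.setString(1, status); ps.setLong(2, id); ps.executeUpdate();
        }
    }
}
```

Two details carry the security weight. The producer and consumer never commit or acknowledge themselves; the container's JTA transaction spans the JDBC work and the JMS operation on both sides, which is exactly why the database must be XA-enabled. And every parameter reaches the database through bound placeholders, so the requestor, action and target values that originate with a console user cannot alter the SQL the custom persistence layer runs.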


Backend System Integration Layer

Database

Oracle Identity Manager’s data tier consists of the Oracle Identity Manager repository, which manages and stores Oracle Identity Manager metadata in an ANSI SQL 92-compliant relational database. Oracle Identity Manager is heavily metadata driven, with all the data residing in the Oracle Identity Manager repository. It is this ability to be metadata driven that allows Oracle Identity Manager to be so flexible and adaptable from a functional perspective. The Oracle Identity Manager repository is the authoritative store for the “Who Has What, When, How and Why” data as well as all audit data that is the core value of the provisioning system. As such, the database is a critical component in the Oracle Identity Manager architecture.

The Database system must provide a truly scalable and redundant data layer. The architecture relies heavily on the corresponding capabilities provided by the Enterprise Database Management System that is used with the product. These include, but are not limited to:

• Clustering

• Standby Databases

• Replication

Figure 5: Database clustering


Clustering

Most major vendors provide cluster certified hardware and software on which a relational database could be clustered and configured easily. Oracle Identity Manager will rely on these capabilities to provide redundancy. An example cluster configuration is shown in Figure 5.

In this example, there are two server nodes, each having two network interfaces. These nodes combine to provide a single network access point, with the actual access routed accordingly to one node or the other. Two of the network interfaces are for internal cluster communication and use separate private IP addresses, thus forming a private network. The other two are the regular interfaces on the internal network. Here also two IP addresses are used. The cluster itself has a single IP address used by external sources that communicate with the cluster, and the software internally handles the delegation and arbitration.

The database will be installed on a shared disk that uses a disk array that provides hardware redundancy and high-speed access to disk data. Oracle Identity Manager can be deployed on any number of state-of-the-art high availability storage technologies.

Load shifting from one node to another is easily possible from an administrative user interface. This may be needed if one of the servers has to be brought down for maintenance purposes. All running applications on one machine will move to the other machine. When it rejoins the cluster, data transfer and synchronization can be done automatically or at preset times.

Another big advantage of using a cluster service is that no special programming is required to implement a simple cluster. The design can assume a single server with a database residing on a directly accessible disk.

Standby Database

Oracle Identity Manager deployments can leverage the comprehensive high-availability features of Oracle10g database. A standby database is an offline database that exactly mirrors the primary database that is online and in use with the application. To protect the database's availability from site disasters, the primary database and standby database must operate on physically different machines at physically different locations. Both databases must operate with media recovery enabled. As the primary database archives fill log groups, a mechanism must transfer the logs and apply them to the offline standby database. This keeps the standby database current with the changes that have been made to the primary database. The basic architecture of a standby database deployment is shown in Figure 6.


Figure 6: Standby database deployment

If a disaster happens that makes the primary database unavailable for an unacceptable period of time, the standby database can be activated and brought online. Oracle Identity Manager must now connect to the new primary database. To account for a possible database switchover, the system's SQL*Net network must be configured to include both the primary and standby databases.

Replication

Database replication is the process of sharing data between databases in different locations. It is used to make special copies, called replicas, of a database so that users at different locations can all work on their own copy and share, or synchronize, their changes.

Database replication can be part of an Oracle Identity Manager deployment in order to provide support for distributed-database processing in global deployments.

Database replication is different from file replication, which essentially copies files. Database replication logs selected database transactions to a set of internal replication-management tables. It then periodically checks these tables for updated data and moves the data from the source to the target systems while guaranteeing data coherency and consistency.

Database replication helps handle many of the issues encountered in creating a distributed system:

• Replicating databases to systems in local offices lets local-office users access a local copy of the data instead of accessing a central server over WAN links.

• Database-replication products also allow the transfer of selected data sets to a reporting server so that processor-intensive reporting processes can be moved off the main transactional database.


REMOTE MANAGER

The Remote Manager is an Oracle Identity Manager server component that runs on a target system machine, providing the network and security layer necessary to integrate with applications that do not have network-aware APIs or do not provide security. It is built as a lightweight RMI (Remote Method Invocation) server. The communication protocol is RMI tunneled over HTTP/S.

The Remote Manager is a light-weight server providing the network and security layer necessary to integrate with applications that do not have network-aware APIs or do not provide security.

The J2EE RMI framework enables the creation of virtually transparent, distributed services and applications. RMI-based applications consist of Java objects making method calls to one another without regard for their location. This allows one Java object to invoke methods on another Java object residing in another virtual machine in the same manner in which methods are invoked on a Java object residing in the same virtual machine. An overview of the Remote Manager architecture is shown in Figure 7.

Figure 7: Remote Manager architecture (diagram: on Machine A, the Oracle Identity Manager Server in the application server runs an adapter with a remote task; it reads the Remote Manager connection information from the IT Resource instance in the Oracle Identity Manager Database (IT Resource Type = Remote Manager, Name = XYZ, service name = remotemgr1, URL = rmi://machine1.domain:444), looks up rmi://machine1.domain:444/remotemgr1 in the RMI Registry where the Remote Manager registered itself (hostname = machine1.domain, binding port number = 444, service name = remotemgr1), and calls the Remote Manager RMI server on Machine B over RMI/SSL; the Remote Manager invokes the Target System API directly or via a wrapper against the Target Application)


THE ORACLE IDENTITY MANAGER SCHEDULER

Business systems frequently make use of scheduling systems, which are configured to run other programs at specified times. In many cases, scheduling systems run applications that generate reports, reformat data, or do audit work at night. Scheduling systems often run "batch jobs" (a.k.a. "scheduled jobs"), which perform routine work automatically at a prescribed time.

Oracle Identity Manager’s scheduler capabilities support time-driven provisioning-related events such as nightly updates, batch provisioning, and exception handling.

Figure 8: Oracle Identity Manager Scheduler architecture (diagram: inside the application server, the Quartz Scheduler Service runs Scheduled Jobs, which use the Oracle Identity Manager API session beans of the Oracle Identity Manager EJB Application; the Design Console's Scheduler Management Form drives the Scheduler Management Functionality through the Scheduler API, and the Oracle Identity Manager DB holds the Scheduler Reference across the app server boundary, if necessary)

Scheduling systems are an integral part of any enterprise provisioning solution. Provisioning often involves tasks that need to be done in a time-based manner. Some examples are:

• Running a nightly job to reconcile all changes made directly on a managed application

• Escalating assigned tasks that have not been handled within a specified time period

• Executing requests that were raised to be executed at a specific time

The Oracle Identity Manager platform includes a sophisticated scheduling product to provide the scheduling capabilities necessary for enterprise provisioning needs. This is built on a high performance J2EE scheduling product called Quartz. The Quartz Service is managed as part of the Oracle Identity Manager platform and not as an independent product. An overview of the Oracle Identity Manager Scheduler architecture is shown in Figure 8.

Key capabilities that Oracle Identity Manager harnesses from Quartz are:


• The ability to create simple/complex schedules for executing anywhere from ten to thousands of jobs

• The ability to run the scheduling service as a clustered service to provide the necessary high availability (fail-over and load balancing) capabilities

• The ability to persist the job definitions for management and fail-over support

• The ability to manage errors and failures in a graceful manner

The Quartz Scheduler Service can run in the same application server as the Oracle Identity Manager application, or it can be run in a different application server. The jobs that are run in the Oracle Identity Manager Scheduler can interact with Oracle Identity Manager using the published Oracle Identity Manager APIs. They can also run any code to talk to any other systems that they may need to, especially in the case of reconciliation jobs.
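An added example (not the product's own scheduler code) of the Quartz capabilities listed above: a clustered, JDBC-persisted scheduler with a nightly reconciliation job whose definition survives node failure and whose missed firings are handled gracefully. It assumes the Quartz 2.x API; the job, group, IT Resource and data-source values are constructed placeholders.

```java
import java.util.Properties;
import org.quartz.CronScheduleBuilder;
import org.quartz.Job;
import org.quartz.JobBuilder;
import org.quartz.JobDetail;
import org.quartz.JobExecutionContext;
import org.quartz.JobExecutionException;
import org.quartz.JobKey;
import org.quartz.Scheduler;
import org.quartz.SchedulerException;
import org.quartz.Trigger;
import org.quartz.TriggerBuilder;
import org.quartz.impl.StdSchedulerFactory;

/** Added illustration of a clustered, persistent Quartz scheduler; names and values are placeholders. */
public class ReconciliationSchedulerExample {

    /** A scheduled job: reconcile changes made directly on a managed application. */
    public static class NightlyReconciliationJob implements Job {
        @Override
        public void execute(JobExecutionContext ctx) throws JobExecutionException {
            String resource = ctx.getMergedJobDataMap().getString("itResource");
            try {
                // Placeholder: a real job would call the published OIM API here to run reconciliation.
                System.out.println("Reconciling " + resource + " (fired at " + ctx.getFireTime() + ")");
            } catch (RuntimeException e) {
                // Graceful failure: report the error without re-firing immediately or unscheduling.
                throw new JobExecutionException(e, false);
            }
        }
    }

    /** Quartz settings that give persistence (JDBC job store) and clustered fail-over. */
    public static Properties clusteredJdbcStoreProperties() {
        Properties p = new Properties();
        p.setProperty("org.quartz.scheduler.instanceName", "OIMScheduler");   // shared by all nodes
        p.setProperty("org.quartz.scheduler.instanceId", "AUTO");             // unique per node
        p.setProperty("org.quartz.threadPool.class", "org.quartz.simpl.SimpleThreadPool");
        p.setProperty("org.quartz.threadPool.threadCount", "5");
        p.setProperty("org.quartz.jobStore.class", "org.quartz.impl.jdbcjobstore.JobStoreTX");
        p.setProperty("org.quartz.jobStore.driverDelegateClass",
                "org.quartz.impl.jdbcjobstore.oracle.OracleDelegate");
        p.setProperty("org.quartz.jobStore.tablePrefix", "QRTZ_");
        p.setProperty("org.quartz.jobStore.isClustered", "true");             // job state shared via the DB
        p.setProperty("org.quartz.jobStore.clusterCheckinInterval", "20000"); // ms; dead nodes' jobs recovered
        p.setProperty("org.quartz.jobStore.dataSource", "oimDS");
        p.setProperty("org.quartz.dataSource.oimDS.driver", "oracle.jdbc.OracleDriver");
        p.setProperty("org.quartz.dataSource.oimDS.URL", "jdbc:oracle:thin:@dbhost.example:1521:OIM"); // placeholder
        p.setProperty("org.quartz.dataSource.oimDS.user", "quartz_user");      // placeholder
        p.setProperty("org.quartz.dataSource.oimDS.password", "<password>");   // placeholder
        p.setProperty("org.quartz.dataSource.oimDS.maxConnections", "5");
        return p;
    }

    public static void main(String[] args) throws SchedulerException {
        Scheduler scheduler = new StdSchedulerFactory(clusteredJdbcStoreProperties()).getScheduler();
        JobKey key = new JobKey("nightlyReconciliation", "reconciliation");

        // Register the job only once; the shared store makes it visible to every cluster node.
        if (!scheduler.checkExists(key)) {
            JobDetail job = JobBuilder.newJob(NightlyReconciliationJob.class)
                    .withIdentity(key)
                    .usingJobData("itResource", "XYZ")   // placeholder IT Resource name
                    .requestRecovery()                   // re-run if the executing node dies mid-job
                    .build();
            Trigger trigger = TriggerBuilder.newTrigger()
                    .withIdentity("nightlyReconciliationTrigger", "reconciliation")
                    .withSchedule(CronScheduleBuilder.cronSchedule("0 0 2 * * ?")   // 02:00 every night
                            .withMisfireHandlingInstructionFireAndProceed())        // run once if a firing was missed
                    .build();
            scheduler.scheduleJob(job, trigger);
        }
        scheduler.start();   // each node starts its own instance; the cluster decides which node fires the job
    }
}
```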

THE ORACLE IDENTITY MANAGER PLATFORM SECURITY MODEL

Oracle Identity Manager is a highly secure enterprise application providing complete security of all sensitive data as it flows through the enterprise. It also has a highly flexible permission model to provide control over the various functions within the application, discussion of which is outside the scope of this document.

Channel Security

Oracle Identity Manager leverages the J2EE security framework to provide a secure application environment. The J2EE security framework supports the encryption of all channels of communication within the framework using standard SSL. Oracle Identity Manager relies on this to ensure that all communication of provisioning data is secured against inspection and hacking. Oracle Identity Manager’s communication security architecture is shown in Figure 9.


Figure 9: Oracle Identity Manager communication security architecture (diagram of the client-side presentation, web container, J2EE container and database tiers: the Web Browser reaches the Oracle Identity Manager Web Application over HTTPS; the Web Application and the Java Client reach the Oracle Identity Manager API in the J2EE container over an EJB Channel/SSL; the Remote Manager is reached over RMI/SSL; the JDBC channel to the Database is a non-secure channel, but the data is already encrypted for secure storage; keystores shown are the Web Client Certificate, the Symmetric Key, the Certificate Keystore, the Remote Manager Certificate Truststore and the Remote Manager Certificate Keystore)

Please note that the JDBC channel for communicating data to and from the Oracle Identity Manager database is not secured using SSL encryption by default. This is because the data being sent and retrieved from the database is already encrypted by Oracle Identity Manager using the database secret key. Additional encryption of the channel is therefore turned off to improve performance. However, the administrator has the option of turning this on, if desired, as specified by the database instructions.

Key and Certificate Security

Out-of-the-box, the Oracle Identity Manager application secures all encryption keys and certificates within secure Java keystores. Also, the Oracle Identity Manager installer encrypts the enterprise data in the database using a sophisticated algorithm. The customer has the ability to control how the various Oracle Identity Manager components are secured and managed.

Remote Manager Security

One of the key benefits of the Remote Manager component of Oracle Identity Manager is that it provides a mechanism for Oracle Identity Manager to communicate securely with targets that do not provide a security layer of their own in their APIs.

All Remote Managers in the Oracle Identity Manager deployment have certificates that they use to identify themselves to the Oracle Identity Manager server. These certificates are also used as the basis for setting up SSL encryption of the RMI channel between the Remote Manager and the Oracle Identity Manager server. To be trusted by the Oracle Identity Manager server, all Remote Manager certificates must be registered. This prevents spoofing to gain unauthorized access to data. In addition, only the Oracle Identity Manager server can initiate communication with a Remote Manager.


A Remote Manager can also be deployed to function in a mutual authentication mode. In this mode, in addition to the normal registration of the Remote Manager certificates with the Oracle Identity Manager server, the Oracle Identity Manager server certificate needs to be registered with the Remote Manager. Upon initiating an SSL connection, the Oracle Identity Manager server sends this certificate as a part of the handshake it performs with the Remote Manager. The Remote Manager rejects any communication if verification of the certificate fails. Customers can use this mode to secure their Remote Managers from unauthorized or erroneous access. The Remote Manager security architecture is shown in Figure 10.

Figure 10: Remote Manager security (diagram: on Machine A, the Oracle Identity Manager Application in the application server, with its adapter and remote task, opens an SSLSocket backed by its Keystore and talks RMI/SSL to the Remote Manager RMI server on Machine B, which holds its own Keystore and Truststore and calls the Target System API, directly or via a wrapper, against the Target Application)
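The RMI-over-SSL channel of Figures 7 and 10, as an added example that is not code from the paper or from the product: a Remote Manager bound in an RMI registry as rmi://machine1.domain:444/remotemgr1 with client authentication required, so the handshake fails unless the caller presents the registered Oracle Identity Manager server certificate (mutual authentication mode). The interface and class names, keystore paths and passwords are assumed placeholders; the SSL socket factories are the JDK's javax.rmi.ssl classes.

```java
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;
import javax.rmi.ssl.SslRMIClientSocketFactory;
import javax.rmi.ssl.SslRMIServerSocketFactory;

/** Added illustration of the Remote Manager channel; interface and class names are hypothetical. */
public class RemoteManagerSslExample {

    /** Contract the adapter's remote task invokes on the target machine. */
    public interface RemoteTask extends Remote {
        String runTask(String taskName) throws RemoteException;
    }

    /** Target-side implementation; a real Remote Manager would call the target system API here. */
    public static class RemoteTaskImpl implements RemoteTask {
        @Override
        public String runTask(String taskName) {
            return "executed " + taskName;   // placeholder for the direct/wrapper API call
        }
    }

    // Strong references so the exported object and registry are not garbage-collected.
    private static RemoteTaskImpl impl;
    private static Registry registry;

    /** Machine B: expose the Remote Manager as an RMI server over SSL that requires a client certificate. */
    public static void startRemoteManager(int port, String serviceName) throws Exception {
        // Keystore = this Remote Manager's own certificate; truststore = the registered OIM server
        // certificate (mutual authentication mode). Paths and passwords are placeholders.
        System.setProperty("javax.net.ssl.keyStore", "/path/to/remotemgr1-keystore.jks");
        System.setProperty("javax.net.ssl.keyStorePassword", "<keystore-password>");
        System.setProperty("javax.net.ssl.trustStore", "/path/to/remotemgr1-truststore.jks");
        System.setProperty("javax.net.ssl.trustStorePassword", "<truststore-password>");

        SslRMIClientSocketFactory csf = new SslRMIClientSocketFactory();
        // needClientAuth = true: the TLS handshake is rejected unless the caller presents a
        // certificate that chains to the truststore, so only the OIM server can connect.
        SslRMIServerSocketFactory ssf = new SslRMIServerSocketFactory(null, null, true);

        // The registry itself listens on the SSL socket, so even lookups are authenticated.
        registry = LocateRegistry.createRegistry(port, csf, ssf);
        impl = new RemoteTaskImpl();
        RemoteTask stub = (RemoteTask) UnicastRemoteObject.exportObject(impl, 0, csf, ssf);
        registry.rebind(serviceName, stub);   // reachable as rmi://<host>:<port>/<serviceName>
    }

    /** Machine A: the OIM server resolves the Remote Manager from its IT Resource data and calls it. */
    public static String invokeRemoteManager(String host, int port, String serviceName, String taskName)
            throws Exception {
        // Keystore = the OIM server certificate presented in the handshake;
        // truststore = the registered Remote Manager certificate.
        System.setProperty("javax.net.ssl.keyStore", "/path/to/oimserver-keystore.jks");
        System.setProperty("javax.net.ssl.keyStorePassword", "<keystore-password>");
        System.setProperty("javax.net.ssl.trustStore", "/path/to/oimserver-truststore.jks");
        System.setProperty("javax.net.ssl.trustStorePassword", "<truststore-password>");

        Registry reg = LocateRegistry.getRegistry(host, port, new SslRMIClientSocketFactory());
        RemoteTask task = (RemoteTask) reg.lookup(serviceName);
        return task.runTask(taskName);
    }

    public static void main(String[] args) throws Exception {
        // Values mirror Figure 7: host machine1.domain, port 444, service name remotemgr1.
        if (args.length > 0 && "server".equals(args[0])) {
            startRemoteManager(444, "remotemgr1");   // RMI's listener thread keeps the JVM alive
            System.out.println("Remote Manager bound as rmi://machine1.domain:444/remotemgr1");
        } else {
            System.out.println(invokeRemoteManager("machine1.domain", 444, "remotemgr1", "createUser"));
        }
    }
}
```

Run one JVM with the argument server on the target machine and another without arguments on the server side; with needClientAuth set, a caller whose certificate is absent from the Remote Manager's truststore is rejected during the handshake before any method is invoked.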

JAAS-Based Authentication

Oracle Identity Manager relies on the J2EE framework to secure access to the EJB-exposed APIs using the JAAS (Java Authentication and Authorization Service) service. Using this, Oracle Identity Manager ensures that only authenticated users are able to access the API methods that expose Oracle Identity Manager functionality.

Oracle Identity Manager supports JAAS authentication modules that properly leverage the capabilities provided by the certified application servers that Oracle Identity Manager runs on.


DEPLOYMENT OPTIONS

The Oracle Identity Manager platform leverages the flexibility of the J2EE framework along with its scalability features to provide a number of different deployment options to the customer, depending on their requirements. This section reviews some common deployment options.

Oracle Identity Manager supports a number of different deployment options to meet various enterprise needs.

Option 1 – Simple Deployment

The simplest deployment involves a single application server serving up the entire Oracle Identity Manager deployment, including the server, web and scheduler components. This is illustrated in Figure 11.

Figure 11: Simple Oracle Identity Manager deployment


Option 2 – Clustered Deployment

This option clusters the application server in Option 1 to provide load balancing and fail over capabilities. This deployment is therefore able to support high availability requirements. The system can also be configured to work with firewalls. The database server can be configured in a number of different ways to support high availability at the data tier as well. A clustered Oracle Identity Manager deployment is shown in Figure 12.

Figure 12: Clustered Oracle Identity Manager deployment


Option 3 – Proxied Deployment

The proxied deployment option adds an extra enterprise element to the deployment in Option 2, allowing for the web interface to be served up to end-users via a Web Server (like IIS or Apache) that proxies the web page requests to the Oracle Identity Manager application component in the application server. This provides the following additional capabilities:

• Transparent support for web client fail-over using the application server plugins for the web servers

• Support for SSO-based authentication

• Static content and images could be off-loaded to the web server for better performance

As user load increases, the number of Web Servers can be increased independent of the application servers in order to scale horizontally. A proxied Oracle Identity Manager deployment is shown in Figure 13.

Figure 13: Proxied Oracle Identity Manager deployment


Option 4 – Partitioned Deployment

Option 4 partitions the deployment configuration in Option 3, separating the Oracle Identity Manager server component into two logical components that handle different types of processing:

• The Front-Office Application Server provides all the Oracle Identity Manager application services necessary to support the Oracle Identity Manager Web Application processing requirements.

• The Back-Office Application Server runs the scheduler, thus doing all the heavy duty processing associated with scheduling jobs for reconciliation. Thus the Back-Office Application Server provides all the Oracle Identity Manager Application services necessary to support the scheduler requirements.

The Design Console can communicate with either of these application servers. However, if it is used to manage the scheduler (define new tasks, view existing tasks, etc.), then it must connect to the Back-Office Application Server.

A partitioned Oracle Identity Manager deployment is shown in Figure 14. In this figure, each partition is an independent Oracle Identity Manager deployment (an individual cluster) that must be managed as a unit from an adapter and configuration perspective, and the partitions share the same configuration items, such as security keys. Partitioning is managed by simple configuration of scheduling on each deployment.

Figure 14: Partitioned Oracle Identity Manager deployment


Remote Manager Deployment Options

The deployment of the Remote Managers in the Oracle Identity Manager solution depends on the requirements that the Remote Manager aims to achieve.

If the Remote Manager is needed to execute APIs that can only be executed on the physical machine hosting the target application, or to provide a secure channel to the target application, then the Remote Manager must be deployed on the same physical machine, like Remote Manager R1 in Figure 15.

If the Remote Manager is needed to execute APIs not directly on the same physical machine, but on a machine within the same domain/network, or on the same OS as the target machine (which is different from the OS of the Oracle Identity Manager application server), then it can be deployed on a proxy target machine, like Remote Manager R2 in Figure 15.

Figure 15: Remote Manager deployment options (diagram: the Oracle Identity Manager Application Server Cluster reaches, through the RMI Interface, Remote Manager "R1" installed on the target host (RSA Server, MCS Server) with RMI Registry URL Machine1.Domain and Remote Manager Service Name R1, and Remote Manager "R2" installed on a proxy NT Server with RMI Registry URL Machine2.Domain and Remote Manager Service Name R2, which in turn reaches the Cleartrust Server and Exchange Server)

CONCLUSION

Oracle Identity Manager provides a secure, scalable and flexible enterprise provisioning solution that can be tailored to a variety of needs. At the heart of these capabilities is the Oracle Identity Manager architecture, which reflects the latest best practices for J2EE-based N-tier architectures. As a result, Oracle Identity Manager can be deployed in a number of different ways, from simple deployments on a single application server, to clustered, proxied deployments that provide transparent failover, vertical scalability and high performance.


Oracle Identity Manager Architecture
May 2006
Author: [OPTIONAL]
Contributing Authors: [OPTIONAL]

Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
U.S.A.

Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com

Copyright © 2005, Oracle. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission. Oracle, JD Edwards, PeopleSoft, and Retek are registered trademarks of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.