Robert Honeyman Honeyman IT Consulting http://www.honeymanit.co.uk [email protected]

Robert Honeyman Honeyman IT Consulting · WL Console EM wls_oam2 oamcluster Weblogic Cluster WebTier 1 WebTier 2 sso.mycompany.com oamadmin.mycompany.com HTTP(S) (7777,4443) HTTP(S)




Requirement for HA with SSO

• Centralized access control is a single point of failure (SPOF) for dependent apps
• SSO failure = no protected application access
• Critical user data is stored in the Identity Store directory
• Recommended even if not all apps are HA


Solution Focus

• Oracle Access Manager (11.1.2)
• Oracle Internet Directory (11.1.1.x)
• Database HA considerations (11.2)
• FMW integrations (Forms 11.1.2, ADF 11.1.2)


HA Directory Components

• Oracle Internet Directory (LDAP)
• OID RAC Database
• Oracle Directory Services Manager (ODSM)
• Hardware Load Balancer


HA Access Components

• Access Manager (SSO / Access Control)
• OAM RAC Database (Policy Store / Session Persistence)
• Web Tier (OHS + WebGate)
• Hardware Load Balancer


Firewall Zones

• Web Tier: OHS + WebGates
• Application Tier: OAM + ODSM
• Data Tier / Directory Tier: OID + Databases


Integrated Load Balancing

• Oracle Access Manager (OAM)
  - OHS > OAM Admin console (HTTP / mod_wl_ohs)
  - OHS > Weblogic Admin console (HTTP / mod_wl_ohs)
  - WebGate > Access Server (Oracle Access Protocol)
• Oracle Directory Services Manager (ODSM)
  - OHS > ODSM (HTTP / mod_wl_ohs)
  - OHS > Weblogic Admin console (HTTP / mod_wl_ohs)
  - OHS > FMW Control (HTTP / mod_wl_ohs)


Hardware Load Balancing

Description    Protocol   VIP Hostname              VIP port   Service port
OAM SSO        HTTPS      sso.mycompany.com         443        7777
OID non-SSL    LDAP       ldap.mycompany.com        389        3060
OID SSL        LDAPS      ldap.mycompany.com        636        3161
OAM Admin      HTTPS      oamadmin.mycompany.com    443        7777
IDM Admin      HTTPS      idmadmin.mycompany.com    443        7777


Middleware Storage

• Shared (NFS etc)
  - Middleware Homes (Redundant)
  - Admin Server domain directory (Mirrored)
• Local
  - Weblogic Managed Server directories (ODSM, OAM)
  - Oracle Instance directories (OID, Web Tier)


OID: HA Install Requirements

• Weblogic / Java only required for ODSM
• Separate domain if using ODSM (IDM 11.1.1.x / IAM 11.1.2.x)
• NTP – installed and hosts time synchronized
• Select the clustered option during installation
• OID 2nd node shared repository warning


OID HA: Single Site

[Diagram: the ldap.mycompany.com Load Balancer receives LDAP(S) on 389/636 and distributes to OID1/OID2 on oidhost1/oidhost2 (IDM Cluster, LDAP(S) 3060/3161); the OID instances connect over TNS (1521) with Load Balancing + TAF to the RACDB on RAC1/RAC2 (dbhost1/dbhost2, RAC Cluster, NFS / ASM storage).]


OID: HA Features and Config

• OID Identity Management Cluster
  - Database based shared state
• Notable settings
  - Entry Caching must be disabled: orclcacheisenabled=0
  - Load Balancer / Firewall timeouts: orclldapconntimeout < network device timeout
• OPMN auto-restart
• RAC for database instance HA
• TAF for database connection resilience
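The two "notable settings" above are easy to miss on a second node that was built from defaults. The following is an added example (not code from the presentation): a minimal LDIF parser and a check that reports, for every OID server-instance entry, whether entry caching is off and whether orclldapconntimeout will fire before the load balancer's idle timeout. Assumptions: the settings live on the instance entry cn=oidN,cn=osdldapd,cn=subconfigsubentry, orclldapconntimeout is in minutes with 0 meaning "no timeout", and the load balancer idle timeout is supplied in seconds. The LDIF is constructed sample data.

```python
"""Check OID server-instance settings against the clustered-OID rules."""


def parse_ldif(text):
    """Minimal LDIF parser returning {dn: {attribute: [values]}}.

    Handles folded lines (leading space), comment lines (#) and blank-line
    separated entries; base64 (::) and URL (:<) values are not needed here.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # continuation of previous line
        else:
            unfolded.append(raw)
    entries, current, dn = {}, {}, None
    for line in unfolded + [""]:             # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if dn is not None:
                entries[dn] = current
            current, dn = {}, None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            dn = value
        else:
            current.setdefault(attr, []).append(value)
    return entries


def check_oid_cluster_settings(entries, lb_idle_timeout_seconds):
    """Return a list of findings (empty list = compliant) for each
    cn=osdldapd server-instance entry in the parsed LDIF."""
    findings = []
    lb_idle_minutes = lb_idle_timeout_seconds / 60.0
    for dn, attrs in entries.items():
        if "cn=osdldapd" not in dn.lower():
            continue
        # Entry caching must be off in a clustered OID (orclcacheisenabled=0);
        # a missing attribute is reported rather than assumed to be 0.
        cache = attrs.get("orclcacheisenabled", [None])[0]
        if cache != "0":
            findings.append(f"{dn}: orclcacheisenabled={cache!r}, must be 0 in a cluster")
        # The server-side idle timeout must be shorter than the LB/firewall
        # idle timeout, otherwise clients inherit half-open connections.
        # Assumption: value in minutes, 0 = no timeout.
        timeout = int(attrs.get("orclldapconntimeout", ["0"])[0])
        if timeout == 0 or timeout >= lb_idle_minutes:
            findings.append(
                f"{dn}: orclldapconntimeout={timeout} min is not below the "
                f"load balancer idle timeout of {lb_idle_minutes:g} min")
    return findings


# Constructed sample: oid1 still carries defaults, oid2 has been tuned.
SAMPLE_LDIF = """\
dn: cn=oid1,cn=osdldapd,cn=subconfigsubentry
orclcacheisenabled: 1
orclldapconntimeout: 0

dn: cn=oid2,cn=osdldapd,cn=subconfigsubentry
orclcacheisenabled: 0
orclldapconntimeout: 10
"""


def sample_findings(lb_idle_timeout_seconds=900):
    """Run the check over the constructed sample (LB idle timeout 15 min)."""
    return check_oid_cluster_settings(parse_ldif(SAMPLE_LDIF), lb_idle_timeout_seconds)


if __name__ == "__main__":
    for finding in sample_findings():
        print("FAIL", finding)
```

In a real deployment the LDIF would come from an ldapsearch of the osdldapd subtree on each node; the point of the check is that a node-by-node review catches the second-node drift the "shared repository warning" alludes to.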


OID Multi-Site: Data Guard

• Active-Passive (normally)
  - A fast inter-site link (1Gbps+) may allow cross-site database connections
• 100% data consistency across active OID instances
• No change logging required
• OID host cloning (VM clones, snap mirroring, rsync)


OID HA: Multi-Site with Data Guard

[Diagram: Primary Site – the ldap.mycompany.com Load Balancer (Primary) receives LDAP(S) on 389/636 and distributes to OID1/OID2 in the IDM Cluster Primary (LDAP(S) 3060/3161), which connect over TNS (1521) with TAF + Load Balancing to the primary RACDB on RAC1/RAC2 (RAC Cluster Primary, NFS / ASM). Standby Site – a Load Balancer Standby kept in step by LB Mirroring, an IDM Cluster Clone (OID1/OID2 cloned from the primary) and a RAC Cluster Standby (RACDB on RAC1/RAC2, NFS / ASM) kept in sync by Data Guard.]


Directory Management HA

• ODSM provides LDAP Entry / ACL Management
• ODSM runs in the Weblogic idmcluster in IDMDomain
• Separate ODSM Managed Servers from the Admin Server
• Admin Server
  - Domain directory on shared storage
  - Listen on a virtual "floating" host IP


Directory Management HA

[Diagram: the idmadmin.mycompany.com load balancer (HTTP(S) 80/443) fronts WebTier1/WebTier2 on webhost1/webhost2 (HTTP(S) 7777/4443); mod_wl_ohs (ports 7001, 7006) forwards to idmhost1/idmhost2, which run wls_ods1/wls_ods2 in the idmcluster Weblogic Cluster, with the AdminServer (WL Console, EM) able to run on either host.]


OAM HA Install Requirements

• Separate Domain for Access Manager – IAMDomain
• Domain template options - OAM, OEM, OPSS, JRF
• NTP – installed and hosts time synchronized
• config.sh optional configuration
  - Administration Server
  - Managed Servers, Clusters and Machines
  - Deployment Services
• Configure the OAM Security Store before first startup!
  - Run using WLST: ${ORACLE_HOME}\common\tools\configureSecurityStore.py
  - create, then verify


OAM Policy / Session Database

• Contents
  - Access control policies (resources, authentication, authorization)
  - OAM Session Data (persistent backup of in-memory sessions)
• RAC for single-site protection
  - Multi Data Sources / GridLink Data Sources
• Data Guard for cross-site protection
  - Site Connection Failover in the JDBC connect string
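Site connection failover only works if the data source's connect descriptor actually names both sites. The following is an added example (not code from the presentation): a small parser for Oracle TNS connect descriptors and a check that a thin-driver JDBC URL carries one ADDRESS_LIST per site, balances across each site's RAC nodes, does not switch FAILOVER off and connects by SERVICE_NAME rather than SID. The checks reflect the slide's intent as I read it, not an Oracle-documented rule set; the standby host names and the service name are constructed (dbhost1/dbhost2 are the slide's primary-site names).

```python
"""Check that an OAM data-source JDBC URL covers both Data Guard sites."""


def parse_descriptor(text):
    """Parse '(KEY=value)' / '(KEY=(..)(..))' syntax into a (key, value) pair,
    where value is a string or a list of nested (key, value) pairs."""
    pos = 0

    def skip_ws():
        nonlocal pos
        while pos < len(text) and text[pos].isspace():
            pos += 1

    def group():
        nonlocal pos
        skip_ws()
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        eq = text.index("=", pos)
        key = text[pos:eq].strip().upper()
        pos = eq + 1
        skip_ws()
        if text[pos] == "(":                       # nested groups
            children = []
            while True:
                skip_ws()
                if text[pos] == ")":
                    pos += 1
                    return key, children
                children.append(group())
        end = text.index(")", pos)                 # scalar value
        value = text[pos:end].strip()
        pos = end + 1
        return key, value

    node = group()
    skip_ws()
    if pos != len(text):
        raise ValueError("trailing data after descriptor")
    return node


def _children(node, key):
    """Values of all direct children of `node` whose key is `key`."""
    return [v for k, v in node[1] if k == key]


def check_site_failover(jdbc_url):
    """Return findings (empty list = OK) for jdbc:oracle:thin:@(DESCRIPTION=...)."""
    prefix = "jdbc:oracle:thin:@"
    if not jdbc_url.startswith(prefix):
        return ["not a thin-driver descriptor URL"]
    desc = parse_descriptor(jdbc_url[len(prefix):])
    if desc[0] != "DESCRIPTION":
        return ["top-level element is not DESCRIPTION"]
    findings = []
    # FAILOVER defaults to on; only an explicit 'off' is a problem.
    for k, v in desc[1]:
        if k == "FAILOVER" and isinstance(v, str) and v.lower() == "off":
            findings.append("FAILOVER=off disables site connection failover")
    lists = _children(desc, "ADDRESS_LIST")
    if len(lists) < 2:
        findings.append(f"{len(lists)} ADDRESS_LIST found; need one per site")
    for i, lst in enumerate(lists, 1):
        flags = {k: v for k, v in lst if isinstance(v, str)}
        hosts = [dict(a).get("HOST") for a in _children(("ADDRESS_LIST", lst), "ADDRESS")]
        if flags.get("LOAD_BALANCE", "off").lower() != "on":
            findings.append(f"ADDRESS_LIST {i} ({', '.join(hosts)}): LOAD_BALANCE is not on")
        if len(hosts) < 2:
            findings.append(f"ADDRESS_LIST {i}: only {len(hosts)} RAC node address")
    cd = _children(desc, "CONNECT_DATA")
    if not cd or "SERVICE_NAME" not in dict(cd[0]):
        findings.append("CONNECT_DATA must use SERVICE_NAME (not SID) for a RAC/Data Guard service")
    return findings


# Constructed: primary RAC (dbhost1/dbhost2) plus a standby RAC (sbdbhost1/sbdbhost2).
GOOD_URL = (
    "jdbc:oracle:thin:@(DESCRIPTION="
    "(ADDRESS_LIST=(LOAD_BALANCE=on)"
    "(ADDRESS=(PROTOCOL=tcp)(HOST=dbhost1)(PORT=1521))"
    "(ADDRESS=(PROTOCOL=tcp)(HOST=dbhost2)(PORT=1521)))"
    "(ADDRESS_LIST=(LOAD_BALANCE=on)"
    "(ADDRESS=(PROTOCOL=tcp)(HOST=sbdbhost1)(PORT=1521))"
    "(ADDRESS=(PROTOCOL=tcp)(HOST=sbdbhost2)(PORT=1521)))"
    "(CONNECT_DATA=(SERVICE_NAME=oamdb.mycompany.com)))"
)
# Constructed: a single-node, single-site URL with a SID, as often copied from a dev setup.
WEAK_URL = (
    "jdbc:oracle:thin:@(DESCRIPTION="
    "(ADDRESS_LIST=(ADDRESS=(PROTOCOL=tcp)(HOST=dbhost1)(PORT=1521)))"
    "(CONNECT_DATA=(SID=oamdb)))"
)

if __name__ == "__main__":
    print("good:", check_site_failover(GOOD_URL))   # []
    for finding in check_site_failover(WEAK_URL):
        print("FAIL", finding)
```

The same parser can be pointed at the URL strings in a domain's jdbc/*.xml data-source files, so the review of "does every OAM data source reach the standby site" becomes a script rather than a visual inspection.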


OAM Database connection


Domain directories

• Admin Server (Shared)
  - Master directory: ${ORACLE_BASE}/admin/IAMDomain/aserver/IAMDomain
• Managed Server (Local)
  - Node specific: ${ORACLE_BASE}/admin/IAMDomain/mserver/IAMDomain
  - managed=true option for pack.sh
  - pack.sh and unpack.sh to relocate if required


OAM HA Features and Config

• OAM Access Server Cluster
  - Runs the Access service – sessions, access control
  - WebGate talks Oracle Access Protocol to the OAM Proxy
  - Coherence replicates live config and sessions across the cluster
  - OAM_REQ cookie – set RequestCacheType to COOKIE
• Admin Server
  - Floating host virtual interface
  - Standard Admin Console (WLS, EM)
  - OAM Console – policy configuration


Oracle Access Manager HA

[Diagram: the sso.mycompany.com / oamadmin.mycompany.com load balancer (HTTP(S) 80/443) fronts WebTier 1/WebTier 2 on webhost1/webhost2 (HTTP(S) 7777/4443); the web tiers forward on HTTP(S) 7001/7002 to the AdminServer (WL Console, EM, OAM Console) and on HTTP(S) 14100 to wls_oam1/wls_oam2 on oamhost1/oamhost2 in the oamcluster Weblogic Cluster; each managed server runs an OAM Proxy and Coherence, and the cluster uses the OAMDB on RAC.]


Web Tier Configuration

• Web Tier Utilities – link to the existing IAMDomain
• Front-end SSL desirable
• OAM virtual host (sso.mycompany.com)
  - Access service URLs unprotected
  - mod_wl_ohs handler
    - /oam context path
    - WLCookieName OAM_JSESSIONID


OID as OAM Identity Store

• Default ID Store is Weblogic Embedded LDAP
  - Max 10K users, not suitable for Enterprise HA
• Use OID for an Enterprise HA deployment
• OAM heartbeats to check directory availability
  - Configurable timeouts and failure check intervals
• Secondary ID store configuration possible


OAM / OID Integration

• idmConfigTool.sh – creates the Identity Store in OID
  - -preConfigIDStore
  - -prepareIDStore mode=WLS (weblogic)
  - -prepareIDStore mode=OAM (oamadmin)
• Register Identity Store (OAM Console)
  - cn=oamLDAP,dc=mydomain,dc=com (not cn=orcladmin)
• Change System Identity Stores (OAM Console)
  - System Store – admin accounts, groups, roles
  - Default Store – security token service / patching
• LDAP Authentication Module (OAM Console)


OAM / OID Integrated

[Diagram: the Web Tiers front sso.mycompany.com, oamadmin.mycompany.com and idmadmin.mycompany.com (HTTP(S) 7777) and forward to the IAMDomain (OAM Admin on HTTP(S) 7001, OAM WLS oamcluster on HTTP(S) 14100, backed by the OAMDB on RAC holding Policy / Session Data, the Policy Store) and to the IDMDomain (ODSM WLS idmcluster on HTTP(S) 7006, OID IDM LDAP Cluster at ldap.mycompany.com, backed by the OIDDB on RAC holding Identity Data, the Identity Store).]


WebGate Considerations

• WebGate Farm or application specific WebGates?
• What Virtual Hosting is required?
• Is SSL required between WebGates and Access servers?
• Do WebGates need to reside in the DMZ?
• Are legacy agents used (OSSO, WebGate 10g)?


OAM Configuration

• WebGate Agent and Policy Registration
  - RREG (XML config file)
  - OAM Console
• Host Identifiers – Virtual Hosting
• Application Resources - URLs
• Authentication Schemes – Identity and credential verification
• Authorization Policies - Protect and Unprotect resources


OAM: HA Web App Integration

[Diagram: the myapp.mycompany.com Web Tiers carry a WebGate that receives App Requests for MYAPP and sends SSO requests to sso.mycompany.com; the WebGate speaks OAP (5575) to the OAM WLS oamcluster (HTTP(S) 14100) in IAMDomain, which uses the OAMDB on RAC (Policy / Session Data, the Policy Store) and the OID IDM LDAP Cluster at ldap.mycompany.com in IDMDomain with the OIDDB on RAC (Identity Data, the Identity Store).]


OAM Multi-Site Options

• Active-Passive
  - Database - Data Guard
  - Mid-Tier - Cloning
• Active-Active
  - Database – Replication
  - Mid-Tier
    - Single OAM Cluster (low latency required)
    - Multi-cluster - Multi-Tier Load Balancing (site-based stickiness)


Forms: OAM Compatibility

• Forms 11.1.2 (OAM 11.1.2.x or 11.1.1.5)
  - Native compatibility
  - OAM WebGate compatible
• Forms 10.1.x, 11.1.1.x
  - No native OAM compatibility
  - OAM OSSO Legacy agent compatible


Forms: OAM SSO

• OAMAuthnCookie_<hostname+port> + OAM_ID cookies
  - Encrypted SSO ID and session information
• WebGate protects /forms/frmservlet?*oamMode=true*
• Resource Access Descriptors (RADs) stored in OID
  - Web SSO ID mapped to DB credentials
  - LDAP entry in OID maintains the mapping
  - Defaults, pre-populated or created on first user login
• Enterprise User Security (optional)
  - Centralized Identity data
  - Reduced Administration


Forms: OAM SSO

[Diagram: the Web Browser sends WWW Requests (HTTP) to the Web Tier (WebGate + FORMS); the WebGate redirects Login requests (HTTP) to OAM, which talks OAP to the WebGate and sets the OAM_ID and OAMAuthnCookie cookies; OAM reads SSO Identities from OID (LDAP) and Policy data from the OAM DB Policy Datastore (TNS); Forms reads DB Resource Access Descriptors from OID (LDAP) and App data from the FORMS DB Application Datastore (TNS).]


Forms: 11.1.2 OAM Integration

• Associate Forms with OID in FMW Control
  - Host: ldap.mycompany.com
  - Port: 389
  - Username: cn=orcladmin
• Override formsweb.cfg parameters
  - ssoMode webgate
  - ssoProxyConnect yes


Forms: SSO Parameters

• ssoMode – tells Forms the type of SSO agent
  - webgate – Forms 11.1.2.x
  - mod_osso (true) – Forms 11.1.1.x
  - false – No SSO
• ssoProxyConnect – use a shared Proxy account
  - Login Credentials / RAD used are for the Proxy database account
  - Web SSO ID used as the Named User database account
  - Privileges against the Named User database account
• ssoDynamicResourceCreate
  - Allows Dynamic RAD creation


ADF: OAM SSO

• OAMAuthnCookie_<hostname+port> + OAM_ID
• ADF Security / OPSS
• OAM Authentication Provider
  - Identity Asserter – WebGate protection / authentication
  - Authenticator – ADF authentication / no WebGate


ADF: WebGate SSO

[Diagram: the Web Browser sends WWW Requests (HTTP) to the Web Tier WebGate, which redirects Login requests (HTTP) to OAM and sets the OAMAuthnCookie and OAM_ID cookies; OAM talks OAP to the WebGate, reads SSO Identities from OID (LDAP) and Policy data from the OAM DB Policy Datastore (TNS); App Requests (HTTP) pass to the ADF application, whose Weblogic Identity Asserter consumes the assertion and whose OID Authenticator queries OID (LDAP); the APP DB Application Datastore serves App data requests (TNS).]


ADF: WebGate SSO Configuration

• Application web.xml(s) required setting:

    <login-config>
      <auth-method>CLIENT-CERT</auth-method>
    </login-config>

• mod_wl_ohs handler + connection filter from the WebGate protected OHS to the ADF Weblogic server
• Add the OAM provider to the ADF domain jps-config.xml (WLST):

    addOAMSSOProvider(loginuri="/${app.context}/adfAuthentication", logouturi="/oamsso/logout.html", autologinuri="/obrar.cgi")

• Configure an OAM protected policy for /${app.context}/adfauthentication
• Copy the OAM provider war file to the ADF Weblogic autodeploy directory
  - oamauthenticationprovider.war
• Select Identity Assertion Mechanism - OAM_REMOTE_USER, OAM_IDENTITY_ASSERTION
• Weblogic Authentication Provider settings
  - OAM Identity Asserter (REQUIRED)
  - OID Authenticator (SUFFICIENT)
  - Default Authenticator (SUFFICIENT)


Reference Documentation

• Identity Management Enterprise Deployment Guide
  http://docs.oracle.com/cd/E37115_01/doc.1112/e40782/intro.htm
• Fusion Middleware High Availability Guide
  http://docs.oracle.com/cd/E37115_01/doc.1112/e40782/intro.htm
• Oracle MAA – IDM 11.1.2 Enterprise Deployment
  http://www.oracle.com/technetwork/database/availability/maa-deployment-blueprint-1735105.pdf
• Oracle Fusion Middleware Integration Guide for Oracle Identity Management Suite
  http://docs.oracle.com/cd/E37115_01/integration.1112/e27123/toc.htm
• Oracle Fusion Middleware Forms Services Deployment Guide
  http://docs.oracle.com/cd/E24269_01/doc.11120/e24477/sso.htm#i1010624
• Oracle Fusion Middleware Application Security Guide
  http://docs.oracle.com/cd/E27559_01/admin.1112/e27239/opssadf.htm
• Oracle Database Enterprise User Security Administrator's Guide
  http://docs.oracle.com/cd/E11882_01/network.112/e10744/toc.htm


Oracle Unified Directory: HA

• Data stored locally in Berkeley DB
• Directory Replication is the only HA option
  - Loose consistency model: replication occurs AFTER the write result is returned to the app
• Assured Replication Model
  - Safe Read Mode => replication GUARANTEED before return
  - Trade-off: performance vs replica integrity
  - Recommended for Identity Management
• Configurations
  - Active/Active – Assured configuration (Patch ARU 16154932)
  - Active/Passive – Non-assured configuration
• No OPMN auto-restart – failover only
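The practical consequence of the loose consistency model is read-after-write across replicas: a user provisioned on one OUD instance can fail to resolve on the other when the load balancer sends the next request there. The following is an added example (not OUD code and not from the presentation): a toy model in which each replica has its own local store standing in for Berkeley DB plus a queue of replicated changes not yet applied. Non-assured writes return before peers apply the change; assured safe-read writes return only after the peers have applied it. The user DN and instance names are constructed.

```python
"""Toy model of OUD non-assured vs assured (safe-read) replication."""
from collections import deque


class Replica:
    def __init__(self, name):
        self.name = name
        self.store = {}            # dn -> attributes (stands in for the local Berkeley DB)
        self.inbound = deque()     # replication changes received but not yet applied
        self.peers = []

    def apply_pending(self):
        """Apply queued changes, as the asynchronous replication thread would.
        Returns the number of changes applied."""
        applied = 0
        while self.inbound:
            dn, attrs = self.inbound.popleft()
            self.store[dn] = attrs
            applied += 1
        return applied

    def add(self, dn, attrs, assured=False):
        """Write locally and ship the change to every peer. Returns the LDAP
        result the client sees. With assured=True (safe-read mode) peers have
        applied the change before the result is returned."""
        self.store[dn] = dict(attrs)
        for peer in self.peers:
            peer.inbound.append((dn, dict(attrs)))
            if assured:
                peer.apply_pending()   # wait for the replica acknowledgement
        return "success"

    def lookup(self, dn):
        return self.store.get(dn)


def topology(*names):
    """Fully meshed replication topology over the named instances."""
    replicas = [Replica(n) for n in names]
    for r in replicas:
        r.peers = [p for p in replicas if p is not r]
    return replicas


def provision_then_authenticate(assured):
    """Create a user on oud1, then resolve it on oud2 as if the load balancer
    routed the user's first login there. Returns
    (visible on oud2 before replication applied, visible after)."""
    oud1, oud2 = topology("oud1", "oud2")
    dn = "cn=jsmith,ou=people,dc=mycompany,dc=com"   # constructed test user
    if oud1.add(dn, {"uid": "jsmith"}, assured=assured) != "success":
        raise RuntimeError("write failed")
    before = oud2.lookup(dn) is not None
    oud2.apply_pending()
    after = oud2.lookup(dn) is not None
    return before, after


if __name__ == "__main__":
    print("non-assured:", provision_then_authenticate(False))   # (False, True)
    print("assured:    ", provision_then_authenticate(True))    # (True, True)
```

The (False, True) result for the non-assured case is the window in which an identity-management flow (create account, then immediately authenticate) intermittently fails; assured safe-read mode closes that window at the cost of write latency, which is why the slide recommends it for Identity Management.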


OUD: HA Topology

[Diagram: the ldap.mycompany.com Load Balancer receives LDAP(S) on 389/636 and distributes to OUD1/OUD2 on oudhost1/oudhost2 (LDAP(S) 1389/1636), each with its own local BDB1/BDB2 store and joined by LDAP Replication.]


OID: LDAP Replication

• Active-Active multi-master multi-site configurations
  - Loose consistency – possible data consistency issues
  - "No downtime" options for patching
  - Change logging required
• Replication Options
  - Advanced Replication (Database Transport)
    - Faster - required for Active-Active SSO configurations
  - LDAP Transport
    - Too slow for Active-Active SSO configurations
  - Various types - Single Master, Multi Master, Fan-Out


OID HA: Multi-Site with Replication

[Diagram: Site 1 – the ldap.mycompany.com Load Balancer Site 1 receives LDAP(S) on 389/636 and distributes to OID1/OID2 in the IDM Cluster Site 1 (LDAP(S) 3060/3161), which connect over TNS (1521) with Load Balancing + TAF to RACDB1 on RAC1/RAC2 (RAC Cluster Site 1, NFS / ASM). Site 2 – the ldap2.mycompany.com Load Balancer Site 2 with the same layout over IDM Cluster Site 2 and RACDB2 (RAC Cluster Site 2, NFS / ASM). The two sites are joined by Multi-Master Replication over LDAP(S).]