Requirement for HA with SSO
• Centralized access control is a single point of failure (SPOF) for every dependent application
• SSO failure = no access to any protected application
• Critical user data is stored in the Identity Store directory
• HA for the SSO and directory tier is recommended even if not all applications are themselves HA
Solution Focus
• Oracle Access Manager (11.1.2)
• Oracle Internet Directory (11.1.1.x)
• Database HA considerations (11.2)
• FMW integrations (Forms 11.1.2, ADF 11.1.2)
HA Directory Components
• Oracle Internet Directory (LDAP)
• OID RAC Database
• Oracle Directory Services Manager (ODSM)
• Hardware Load Balancer
HA Access Components
• Access Manager (SSO / Access Control)
• OAM RAC Database (Policy Store / Session Persistence)
• Web Tier (OHS + WebGate)
• Hardware Load Balancer
Firewall Zones
• Web Tier: OHS + WebGates
• Application Tier: OAM + ODSM
• Data Tier / Directory Tier: OID + Databases
Integrated Load Balancing (load balancing built into the middleware itself, as distinct from the hardware load balancer)
• Oracle Access Manager (OAM)
  - OHS > OAM Admin console (HTTP / mod_wl_ohs)
  - OHS > WebLogic Admin console (HTTP / mod_wl_ohs)
  - WebGate > Access Server (Oracle Access Protocol)
• Oracle Directory Services Manager (ODSM)
  - OHS > ODSM (HTTP / mod_wl_ohs)
  - OHS > WebLogic Admin console (HTTP / mod_wl_ohs)
  - OHS > FMW Control (HTTP / mod_wl_ohs)
Hardware Load Balancing (VIP port is what clients connect to; service port is the back-end OHS / OID listener the VIP forwards to)
Description    Protocol   VIP Hostname             VIP port   Service port
OAM SSO        HTTPS      sso.mycompany.com        443        7777
OID non-SSL    LDAP       ldap.mycompany.com       389        3060
OID SSL        LDAPS      ldap.mycompany.com       636        3161
OAM Admin      HTTPS      oamadmin.mycompany.com   443        7777
IDM Admin      HTTPS      idmadmin.mycompany.com   443        7777
Middleware Storage
• Shared (NFS etc.)
  - Middleware Homes (redundant copies)
  - Admin Server domain directory (mirrored)
• Local
  - WebLogic Managed Server directories (ODSM, OAM)
  - Oracle Instance directories (OID, Web Tier)
OID: HA Install Requirements
• WebLogic / Java are only required for ODSM
• Use a separate WebLogic domain for ODSM: IDMDomain (IDM 11.1.1.x) alongside IAMDomain (IAM 11.1.2.x)
• NTP installed and host clocks synchronized
• Select the clustered option during installation
• Expect the shared-repository warning when installing the 2nd OID node against the ODS schema already used by the 1st node; it is normal for a cluster
OID HA: Single Site
[Diagram: Load Balancer VIP ldap.mycompany.com, LDAP(S) 389/636, distributes to the IDM Cluster of OID1 (oidhost1) and OID2 (oidhost2), each listening on LDAP(S) 3060/3161; both OID instances connect over TNS 1521 (load balancing + TAF) to the RAC Cluster of RAC1 (dbhost1) and RAC2 (dbhost2) hosting RACDB on NFS / ASM.]
OID: HA Features and Config
• OID Identity Management Cluster
  - Database-based shared state (all instances read and write the same ODS schema)
• Notable settings
  - Entry caching must be disabled: orclcacheisenabled=0 (a per-instance entry cache is not invalidated by writes made through another cluster member, so cached reads would go stale)
  - Load balancer / firewall timeouts: orclldapconntimeout < network device idle timeout (OID closes idle connections cleanly before the device silently drops them)
• OPMN auto-restart of failed OID processes
• RAC for database instance HA
• TAF for database connection resilience
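The two settings above are the ones most often got wrong on a new cluster, so here is an added example (not from the slides) that emits the LDIF to apply them to one OID instance and checks the timeout ordering against the devices in front of OID. It assumes the instance-specific configuration entry is cn=<instance>,cn=osdldapd,cn=subconfigsubentry and that orclldapconntimeout is in minutes while load-balancer and firewall idle timeouts are in seconds; confirm both against the OID reference for your release before running ldapmodify with the output. The device timeout values are constructed.

```python
# Added example, not from the slides: LDIF for the two cluster settings plus
# a timeout-ordering check. Assumptions (not on the slide): the DN layout
# cn=<instance>,cn=osdldapd,cn=subconfigsubentry, orclldapconntimeout in
# minutes, device idle timeouts in seconds.

from typing import List


def oid_cluster_ldif(instance_name: str, conn_timeout_minutes: int) -> str:
    """LDIF 'modify' record for one OID instance's configuration entry.

    orclcacheisenabled=0 switches off the per-instance entry cache: in a
    cluster every instance must read the shared ODS schema, because a write
    made through OID2 does not invalidate an entry cached by OID1.
    orclldapconntimeout makes OID close idle client connections itself
    instead of leaving them to be dropped by a load balancer or firewall.
    """
    if conn_timeout_minutes < 0:
        raise ValueError("connection timeout must be >= 0 (0 = never)")
    dn = f"cn={instance_name},cn=osdldapd,cn=subconfigsubentry"  # assumed DN layout
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: orclcacheisenabled",
        "orclcacheisenabled: 0",
        "-",
        "replace: orclldapconntimeout",
        f"orclldapconntimeout: {conn_timeout_minutes}",
        "",
    ])


def timeout_ordering_ok(oid_minutes: int, device_idle_seconds: List[int]) -> bool:
    """True when OID will close an idle connection before any device in the
    path does, so clients see a clean LDAP disconnect rather than a
    half-open TCP session that only fails on the next bind or search.

    oid_minutes == 0 means 'never time out', which cannot satisfy the rule
    as soon as any device has an idle timeout of its own.
    """
    if oid_minutes == 0:
        return len(device_idle_seconds) == 0
    return all(oid_minutes * 60 < d for d in device_idle_seconds)


def choose_oid_timeout(device_idle_seconds: List[int]) -> int:
    """Largest whole-minute orclldapconntimeout that is still strictly below
    the shortest device idle timeout (constructed helper)."""
    shortest = min(device_idle_seconds)
    minutes = (shortest - 1) // 60
    if minutes < 1:
        raise ValueError("no whole-minute OID timeout fits below the shortest device idle timeout")
    return minutes


if __name__ == "__main__":
    # Constructed device timeouts: load balancer 300 s idle, firewall 3600 s.
    devices = [300, 3600]
    minutes = choose_oid_timeout(devices)
    print(oid_cluster_ldif("oid1", minutes))
    print("ordering ok:", timeout_ordering_ok(minutes, devices))
```

Run it once per OID instance name (oid1, oid2) and feed the output to ldapmodify against each instance; the unit mismatch (seconds on the load balancer, minutes in OID) is exactly where a 5-minute OID setting quietly ends up longer than a 300-second load-balancer idle timeout.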
OID Multi-Site: Data Guard
• Active-Passive (normally)
• A high-bandwidth, low-latency inter-site link (1 Gbps+) may allow OID instances at one site to use the database at the other site
• 100% data consistency across active OID instances (they all share the one database copy)
• No change logging required
• OID host cloning (VM clones, snap mirroring, rsync)
OID HA: Multi-Site with Data Guard
[Diagram: Primary Site: Load Balancer (Primary) ldap.mycompany.com, LDAP(S) 389/636, to the IDM Cluster (Primary) OID1/OID2 on LDAP(S) 3060/3161, TNS 1521 (TAF + load balancing) to the RAC Cluster (Primary) RAC1/RAC2 hosting RACDB on NFS / ASM. Standby Site: the same topology (Load Balancer Standby, IDM Cluster Clone, RAC Cluster Standby, RACDB on NFS / ASM). Site-to-site links: Data Guard (primary RACDB to standby RACDB), Clone (primary OID hosts to standby OID hosts), LB mirroring (load-balancer configuration).]
Directory Management HA
• ODSM provides LDAP entry / ACL management
• ODSM runs in the WebLogic cluster idmcluster in IDMDomain
• Separate ODSM Managed Servers from the Admin Server
• Admin Server
  - Domain directory on shared storage
  - Listens on a virtual "floating" host IP that moves with the Admin Server on failover
Directory Management HA
[Diagram: Load Balancer idmadmin.mycompany.com, HTTP(S) 80/443, to WebTier1 (webhost1) and WebTier2 (webhost2) on HTTP(S) 7777/4443; mod_wl_ohs forwards to idmhost1 and idmhost2, which host the AdminServer (port 7001, with WL Console and EM) and the ODSM managed servers wls_ods1 / wls_ods2 (port 7006) forming the WebLogic cluster idmcluster.]
OAM HA Install Requirements
• Separate domain for Access Manager: IAMDomain
• Domain template options: OAM, OEM, OPSS, JRF
• NTP installed and host clocks synchronized
• config.sh optional configuration
  - Administration Server
  - Managed Servers, Clusters and Machines
  - Deployment Services
• Configure the OAM Security Store before first startup!
  - Run using WLST: ${ORACLE_HOME}/common/tools/configureSecurityStore.py
  - Create, then verify
OAM Policy / Session Database
• Contents
  - Access control policies (resources, authentication, authorization)
  - OAM session data (persistent backup of the in-memory session store)
• RAC for single-site protection
  - Multi Data Sources / GridLink Data Sources
• Data Guard for cross-site protection
  - Site connection failover in the JDBC connect string
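The "site connection failover in the JDBC connect string" point is easy to get subtly wrong (a DESCRIPTION_LIST load-balances across sites by default, so some pool connections would try the standby first). The following is an added example, not from the slides or from Oracle, that parses an Oracle Net connect descriptor and checks it for the cross-site failover shape; the hostnames, the service name oam_svc and the ports in the two sample descriptors are constructed.

```python
# Added example, not from the slides: parse an Oracle Net connect descriptor
# and check an OAM data source URL for cross-site (Data Guard) failover.
# Hostnames, service name and port values below are constructed.

from typing import Dict, List, Union

Node = Union[str, Dict[str, object], List[object]]


def parse_tns(text: str) -> Dict[str, object]:
    """Parse the parenthesised KEY=VALUE / KEY=(...) grammar of tnsnames.ora
    and thin-JDBC descriptor URLs into nested dicts. A key that repeats at the
    same level (several DESCRIPTION or ADDRESS blocks) becomes a list."""
    pos = 0

    def skip_ws() -> None:
        nonlocal pos
        while pos < len(text) and text[pos].isspace():
            pos += 1

    def parse_block() -> Dict[str, object]:
        # Consumes consecutive (KEY=...) groups until something else is seen.
        nonlocal pos
        result: Dict[str, object] = {}
        while True:
            skip_ws()
            if pos >= len(text) or text[pos] != "(":
                return result
            pos += 1  # '('
            key_end = text.index("=", pos)
            key = text[pos:key_end].strip().upper()
            pos = key_end + 1
            skip_ws()
            if pos < len(text) and text[pos] == "(":
                value: Node = parse_block()
            else:
                val_end = text.index(")", pos)
                value = text[pos:val_end].strip()
                pos = val_end
            skip_ws()
            if pos >= len(text) or text[pos] != ")":
                raise ValueError(f"expected ')' at offset {pos}")
            pos += 1  # ')'
            if key in result:
                prev = result[key]
                result[key] = (prev if isinstance(prev, list) else [prev]) + [value]
            else:
                result[key] = value

    tree = parse_block()
    skip_ws()
    if pos != len(text):
        raise ValueError(f"trailing data at offset {pos}")
    return tree


def _as_list(v: object) -> List[object]:
    return v if isinstance(v, list) else [v]


def check_site_failover(descriptor: str, service_name: str) -> List[str]:
    """Return the problems found (empty list means acceptable). Rules:
    an outer DESCRIPTION_LIST with FAILOVER=on and LOAD_BALANCE=off so the
    primary site is always tried first; at least two DESCRIPTION blocks, one
    per site; every site names the same role-based SERVICE_NAME and sets
    CONNECT_TIMEOUT so a dead site fails fast instead of hanging the pool."""
    problems: List[str] = []
    dl = parse_tns(descriptor).get("DESCRIPTION_LIST")
    if not isinstance(dl, dict):
        return ["no DESCRIPTION_LIST: single-site descriptor, no cross-site failover"]
    if str(dl.get("FAILOVER", "")).lower() != "on":
        problems.append("DESCRIPTION_LIST.FAILOVER is not 'on'")
    if str(dl.get("LOAD_BALANCE", "")).lower() != "off":
        problems.append("DESCRIPTION_LIST.LOAD_BALANCE is not 'off' (standby may be tried before primary)")
    sites = _as_list(dl.get("DESCRIPTION", []))
    if len(sites) < 2:
        problems.append(f"{len(sites)} DESCRIPTION block(s); expected one per site")
    for i, site in enumerate(sites, 1):
        if not isinstance(site, dict):
            problems.append(f"DESCRIPTION {i}: malformed")
            continue
        cd = site.get("CONNECT_DATA")
        svc = cd.get("SERVICE_NAME") if isinstance(cd, dict) else None
        if svc != service_name:
            problems.append(f"DESCRIPTION {i}: SERVICE_NAME {svc!r} != {service_name!r}")
        if "CONNECT_TIMEOUT" not in site:
            problems.append(f"DESCRIPTION {i}: no CONNECT_TIMEOUT; a dead site would hang on TCP connect")
    return problems


def _site(host: str, service: str) -> str:
    return ("(DESCRIPTION=(CONNECT_TIMEOUT=10)(TRANSPORT_CONNECT_TIMEOUT=3)(RETRY_COUNT=3)"
            "(ADDRESS_LIST=(LOAD_BALANCE=on)(ADDRESS=(PROTOCOL=TCP)(HOST=" + host + ")(PORT=1521)))"
            "(CONNECT_DATA=(SERVICE_NAME=" + service + ")))")


# Constructed descriptors: a two-site Data Guard URL and a single-site one.
TWO_SITE = ("(DESCRIPTION_LIST=(LOAD_BALANCE=off)(FAILOVER=on)"
            + _site("site1-scan.mycompany.com", "oam_svc")
            + _site("site2-scan.mycompany.com", "oam_svc") + ")")
SINGLE_SITE = ("(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=site1-scan.mycompany.com)(PORT=1521))"
               "(CONNECT_DATA=(SERVICE_NAME=oam_svc)))")

if __name__ == "__main__":
    for name, url in (("two-site", TWO_SITE), ("single-site", SINGLE_SITE)):
        print(name, check_site_failover(url, "oam_svc") or "OK")
```

Paste the descriptor part of the data source's jdbc:oracle:thin:@ URL into check_site_failover; the inner ADDRESS_LIST may keep LOAD_BALANCE=on because spreading connections across the RAC nodes of one site is fine, it is only the outer list that must prefer the primary.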
OAM Database connection
Domain directories
• Admin Server (shared)
  - Master directory: ${ORACLE_BASE}/admin/IAMDomain/aserver/IAMDomain
• Managed Server (local)
  - Node specific: ${ORACLE_BASE}/admin/IAMDomain/mserver/IAMDomain
  - -managed=true option for pack.sh
  - pack.sh and unpack.sh to relocate if required
OAM HA Features and Config
• OAM Access Server Cluster
  - Runs the Access service: sessions, access control
  - WebGate talks Oracle Access Protocol to the OAM Proxy
  - Coherence replicates live config and sessions across the cluster
  - OAM_REQ cookie: set RequestCacheType to COOKIE so pre-login request state travels with the browser instead of being held on one server
• Admin Server
  - Floating host virtual interface
  - Standard admin consoles (WLS, EM)
  - OAM Console: policy configuration
Oracle Access Manager HA
[Diagram: Load Balancer VIPs sso.mycompany.com and oamadmin.mycompany.com, HTTP(S) 80/443, to WebTier 1 (webhost1) and WebTier 2 (webhost2) on HTTP(S) 7777/4443; behind them oamhost1 and oamhost2 run the AdminServer (HTTP(S) 7001/7002, with WL Console, EM and OAM Console) and the managed servers wls_oam1 / wls_oam2 (HTTP(S) 14100, each with an OAM Proxy) forming the WebLogic cluster oamcluster, with Coherence between the two nodes; both nodes use the RAC OAMDB.]
Web Tier Configuration
• Web Tier Utilities: link to the existing IAMDomain
• Front-end SSL desirable
• OAM virtual host (sso.mycompany.com)
  - Access service URLs unprotected (the /oam login and credential-collector URLs must not themselves sit behind a WebGate policy)
  - mod_wl_ohs handler
  - /oam context path
  - WLCookieName OAM_JSESSIONID
OID as OAM Identity Store
• Default ID store is the WebLogic Embedded LDAP
  - Max 10K users, not suitable for enterprise HA
• Use OID for an enterprise HA deployment
• OAM heartbeats check directory availability
  - Configurable timeouts and failure check intervals
• A secondary ID store configuration is possible
OAM / OID Integration
• idmConfigTool.sh creates the Identity Store in OID
  - -preConfigIDStore
  - -prepareIDStore mode=WLS (weblogic)
  - -prepareIDStore mode=OAM (oamadmin)
• Register the Identity Store (OAM Console)
  - Bind as cn=oamLDAP,dc=mydomain,dc=com, the restricted account created by idmConfigTool, not the directory superuser cn=orcladmin
• Change the System Identity Stores (OAM Console)
  - System Store: admin accounts, groups, roles
  - Default Store: Security Token Service / patching
• LDAP Authentication Module (OAM Console)
OAM / OID Integrated
[Diagram: Web Tiers front sso.mycompany.com, oamadmin.mycompany.com and idmadmin.mycompany.com on HTTP(S) 7777. IAMDomain: OAM Admin (HTTP(S) 7001) and the OAM WLS oamcluster (HTTP(S) 14100), backed by the RAC OAMDB (Policy / Session Data, the Policy Store). IDMDomain: the ODSM WLS idmcluster (HTTP(S) 7006) and the OID IDM LDAP Cluster at ldap.mycompany.com, backed by the RAC OIDDB (Identity Data, the Identity Store).]
WebGate Considerations
• WebGate farm or application-specific WebGates?
• What virtual hosting is required?
• Is SSL required between WebGates and Access Servers?
• Do WebGates need to reside in the DMZ?
• Are legacy agents used (OSSO, WebGate 10g)?
OAM Configuration
• WebGate agent and policy registration
  - RREG remote registration (XML request file)
  - OAM Console
• Host Identifiers: virtual hosting
• Application Resources: URLs
• Authentication Schemes: identity and credential verification
• Authorization Policies: protect and unprotect resources
OAM: HA Web App Integration
[Diagram: Browser app requests go to myapp.mycompany.com, whose Web Tiers carry the WebGate in front of MYAPP; SSO requests go to sso.mycompany.com and its Web Tiers. The WebGate talks OAP (5575) to the OAM WLS oamcluster (HTTP(S) 14100) in IAMDomain, backed by the RAC OAMDB (Policy / Session Data, the Policy Store); the OAM servers use the OID IDM LDAP Cluster at ldap.mycompany.com in IDMDomain, backed by the RAC OIDDB (Identity Data, the Identity Store).]
OAM Multi-Site Options
• Active-Passive
  - Database: Data Guard
  - Mid-tier: cloning
• Active-Active
  - Database: replication
  - Mid-tier
    - Single OAM cluster (low latency between sites required)
    - Multi-cluster: multi-tier load balancing (site-based stickiness)
Forms: OAM Compatibility
• Forms 11.1.2 (OAM 11.1.2.x or 11.1.1.5)
  - Native compatibility
  - OAM WebGate compatible
• Forms 10.1.x, 11.1.1.x
  - No native OAM compatibility
  - OAM OSSO legacy agent compatible
Forms: OAM SSO
• OAMAuthnCookie_<hostname+port> + OAM_ID cookies
  - Encrypted SSO ID and session information
• WebGate protects /forms/frmservlet?*oamMode=true*
• Resource Access Descriptors (RADs) stored in OID
  - Web SSO ID mapped to DB credentials
  - LDAP entry in OID maintains the mapping
  - Defaults, pre-populated, or created on first user login
• Enterprise User Security (optional)
  - Centralized identity data
  - Reduced administration
Forms: OAM SSO
[Diagram: The Web Browser sends WWW requests (HTTP) to the Web Tier WebGate, which redirects login requests (HTTP) to OAM and receives the OAMAuthnCookie back; the browser then holds the OAM_ID cookie and sends Forms requests (HTTP) to FORMS. OAM talks OAP to the WebGate, reads SSO identities (LDAP) from OID and policy data (TNS) from the OAM DB Policy Datastore. FORMS reads the DB Resource Access Descriptors (LDAP) from OID and makes app data requests (TNS) to the FORMS DB / Application Datastore.]
Forms: 11.1.2 OAM Integration
• Associate Forms with OID in FMW Control
  - Host: ldap.mycompany.com
  - Port: 389 (the non-SSL VIP; since RAD lookups return database credentials, prefer the LDAPS VIP on 636 where Forms supports it)
  - Username: cn=orcladmin
• Override formsweb.cfg parameters
  - ssoMode webgate
  - ssoProxyConnect yes
Forms: SSO Parameters
• ssoMode: tells Forms which type of SSO agent is in front of it
  - webgate: Forms 11.1.2.x
  - mod_osso (true): Forms 11.1.1.x
  - false: no SSO
• ssoProxyConnect: use a shared proxy account
  - Login credentials / RAD used are those of the proxy database account
  - Web SSO ID is used as the named-user database account
  - Privileges are checked against the named-user database account
• ssoDynamicResourceCreate: allows dynamic RAD creation
ADF: OAM SSO
• OAMAuthnCookie_<hostname+port> + OAM_ID
• ADF Security / OPSS
• OAM Authentication Provider
  - Identity Asserter: WebGate protection / authentication
  - Authenticator: ADF authentication / no WebGate
ADF: WebGate SSO
[Diagram: The Web Browser sends WWW requests (HTTP) to the Web Tier WebGate, which redirects login requests (HTTP) to OAM and receives the OAMAuthnCookie back; the browser then holds the OAM_ID cookie and sends app requests (HTTP) through the WebGate to the ADF application. OAM talks OAP to the WebGate, reads SSO identities (LDAP) from OID and policy data (TNS) from the OAM DB Policy Datastore. On the ADF WebLogic side the IdentityAsserter accepts the asserted user and the OID Authenticator (LDAP) looks it up in OID; the APP DB / Application Datastore serves app data requests (TNS).]
ADF: WebGate SSO Configuration
• Application web.xml(s) required setting:
    <login-config>
      <auth-method>CLIENT-CERT</auth-method>
    </login-config>
• mod_wl_ohs handler + connection filter so the ADF WebLogic servers accept requests only from the WebGate-protected OHS (otherwise a client could reach WebLogic directly and supply its own identity header)
• Add the OAM provider to the ADF domain jps-config.xml:
    addOAMSSOProvider(loginuri="/${app.context}/adfAuthentication", logouturi="/oamsso/logout.html", autologinuri="/obrar.cgi")
• Configure an OAM protected policy for /${app.context}/adfAuthentication
• Copy the OAM provider war file to the ADF WebLogic autodeploy directory: oamauthenticationprovider.war
• Select the identity assertion mechanism: OAM_REMOTE_USER, OAM_IDENTITY_ASSERTION
• WebLogic authentication provider settings
  - OAM Identity Asserter (REQUIRED)
  - OID Authenticator (SUFFICIENT)
  - Default Authenticator (SUFFICIENT)
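Why those three control flags and not others is easier to see by running them. Here is an added example (not from the slides or from Oracle) that models JAAS control-flag evaluation over simplified stand-ins for the three providers: the asserter only checks that the OAM_REMOTE_USER header named above is present, and each authenticator only checks that the asserted user exists in its user list. The user and group data are constructed; the real OAM Identity Asserter also validates the OAM session, which this model omits.

```python
# Added example, not from the slides: JAAS control-flag evaluation over
# simplified stand-ins for the OAM Identity Asserter, OID Authenticator and
# Default Authenticator. Users, groups and header values are constructed.

from typing import Callable, Dict, List, Optional, Tuple

# Constructed directory contents: enterprise users live in OID, the
# WebLogic administrator exists only in the embedded LDAP.
OID_USERS: Dict[str, List[str]] = {"jsmith": ["APP_USERS"], "auditor1": ["APP_USERS", "AUDIT"]}
EMBEDDED_USERS: Dict[str, List[str]] = {"weblogic": ["Administrators"]}

Request = Dict[str, str]
Result = Tuple[bool, Optional[str], List[str]]  # (succeeded, user, groups)
Provider = Callable[[Request, Optional[str]], Result]


def oam_identity_asserter(req: Request, _user: Optional[str]) -> Result:
    """Trusts the OAM_REMOTE_USER header set by the WebGate-protected OHS.
    That trust is only safe because the mod_wl_ohs connection filter stops
    clients from reaching WebLogic directly with a header of their own."""
    user = req.get("OAM_REMOTE_USER")
    return (user is not None, user, [])


def oid_authenticator(_req: Request, user: Optional[str]) -> Result:
    """Assertion mode: no password check, only 'does this user exist in OID,
    and which groups does it belong to'."""
    if user in OID_USERS:
        return (True, user, OID_USERS[user])
    return (False, user, [])


def default_authenticator(_req: Request, user: Optional[str]) -> Result:
    if user in EMBEDDED_USERS:
        return (True, user, EMBEDDED_USERS[user])
    return (False, user, [])


def evaluate_chain(chain: List[Tuple[Provider, str]], req: Request) -> Result:
    """JAAS control-flag semantics (javax.security.auth.login.Configuration):
      REQUIRED   must succeed; evaluation continues either way
      REQUISITE  must succeed; a failure stops evaluation at once
      SUFFICIENT a success ends evaluation at once unless something required
                 has already failed; a failure just moves on
      OPTIONAL   never decides on its own
    Overall success: every REQUIRED/REQUISITE succeeded, or, if there are
    none, at least one SUFFICIENT/OPTIONAL succeeded."""
    user: Optional[str] = None
    groups: List[str] = []
    has_required = required_failed = optional_ok = False
    for provider, flag in chain:
        ok, asserted, g = provider(req, user)
        if ok:
            user = asserted if asserted is not None else user
            groups = groups + [x for x in g if x not in groups]
        if flag in ("REQUIRED", "REQUISITE"):
            has_required = True
            if not ok:
                required_failed = True
                if flag == "REQUISITE":
                    break
        elif flag == "SUFFICIENT":
            if ok and not required_failed:
                return (True, user, groups)
            optional_ok = optional_ok or ok
        elif flag == "OPTIONAL":
            optional_ok = optional_ok or ok
        else:
            raise ValueError(f"unknown control flag {flag!r}")
    if required_failed:
        return (False, None, [])
    if has_required or optional_ok:
        return (True, user, groups)
    return (False, None, [])


# The chain the slide recommends.
RECOMMENDED_CHAIN: List[Tuple[Provider, str]] = [
    (oam_identity_asserter, "REQUIRED"),
    (oid_authenticator, "SUFFICIENT"),
    (default_authenticator, "SUFFICIENT"),
]

if __name__ == "__main__":
    for req in ({"OAM_REMOTE_USER": "jsmith"}, {"OAM_REMOTE_USER": "weblogic"}, {}):
        print(req, "->", evaluate_chain(RECOMMENDED_CHAIN, req))
```

Two misconfigurations are worth trying against the model: making the OID Authenticator REQUIRED locks out the embedded-LDAP weblogic administrator even though the Default Authenticator succeeds, and making the asserter SUFFICIENT short-circuits before OID runs, so the user is authenticated with no groups and every role-based authorization check then denies.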
Reference Documentation
• Identity Management Enterprise Deployment Guide
  http://docs.oracle.com/cd/E37115_01/doc.1112/e40782/intro.htm
• Fusion Middleware High Availability Guide
  http://docs.oracle.com/cd/E37115_01/doc.1112/e40782/intro.htm
• Oracle MAA: IDM 11.1.2 Enterprise Deployment
  http://www.oracle.com/technetwork/database/availability/maa-deployment-blueprint-1735105.pdf
• Oracle Fusion Middleware Integration Guide for Oracle Identity Management Suite
  http://docs.oracle.com/cd/E37115_01/integration.1112/e27123/toc.htm
• Oracle Fusion Middleware Forms Services Deployment Guide
  http://docs.oracle.com/cd/E24269_01/doc.11120/e24477/sso.htm#i1010624
• Oracle Fusion Middleware Application Security Guide
  http://docs.oracle.com/cd/E27559_01/admin.1112/e27239/opssadf.htm
• Oracle Database Enterprise User Security Administrator's Guide
  http://docs.oracle.com/cd/E11882_01/network.112/e10744/toc.htm
Oracle Unified Directory: HA
• Data stored locally in Berkeley DB
• Directory replication is the only HA option
• Loose consistency model
  - Replication occurs AFTER the write result is returned to the application
• Assured Replication model
  - Safe Read mode => replication GUARANTEED before the result is returned
  - Trade-off: performance vs. replica integrity
  - Recommended for Identity Management
• Configurations
  - Active/Active: assured configuration (Patch ARU 16154932)
  - Active/Passive: non-assured configuration
• No OPMN auto-restart: failover only
OUD: HA Topology
[Diagram: Load Balancer ldap.mycompany.com, LDAP(S) 389/636, to OUD1 (oudhost1) and OUD2 (oudhost2) on LDAP(S) 1389/1636; each OUD instance stores its data locally (BDB1, BDB2) and the two are kept in step by LDAP replication.]
OID: LDAP Replication
• Active-Active multi-master multi-site configurations
• Loose consistency: possible data consistency issues
• "No downtime" options for patching
• Change logging required
• Replication options
  - Advanced Replication (database transport): faster; required for Active-Active SSO configurations
  - LDAP transport: too slow for Active-Active SSO configurations
  - Various types: single master, multi master, fan-out
OID HA: Multi-Site with Replication
[Diagram: Site 1: Load Balancer (Site 1) ldap.mycompany.com, LDAP(S) 389/636, to the IDM Cluster (Site 1) OID1/OID2 on LDAP(S) 3060/3161, TNS 1521 (load balancing + TAF) to the RAC Cluster (Site 1) RAC1/RAC2 hosting RACDB1 on NFS / ASM. Site 2: Load Balancer (Site 2) ldap2.mycompany.com with the same layout, the IDM Cluster (Site 2) and the RAC Cluster (Site 2) hosting RACDB2 on NFS / ASM. The two sites are linked by multi-master replication over LDAP(S) 389/636.]