Perren Walker (Oracle), Ravi Meda (Qualcomm) & Nadine Siddell (Qualcomm) presentation at OOW2013
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.1
CON9573: Managing the Oracle Identity Management Platform with Oracle Enterprise Manager
Ravi Meda, Qualcomm, Inc.
Nadine Siddell, Qualcomm, Inc.
Perren Walker, Oracle
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions.
The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
Program Agenda
Enterprise Manager 12c Platform Management
– Benefits of Platform Management Approach
– Implementing Enterprise Manager 12c
Qualcomm: Situation, Challenges, Solutions, Results
Management Use-Case
Demonstration
Run the Business: 65%
Grow the Business: 20%
Transform the Business: 15%
POINT SOLUTIONS are FRAGMENTED and DIFFICULT TO MANAGE
• Access Request
• Certification Review
• Help Desk Tickets
• Access Control
• Off-Boarding
• User Provisioning
• On-boarding
• Compliance Validation
• End User Experience
• SSO Availability
• Service Level Agreements
• Change Management
• Scalability
Total Cloud Control
Complete Cloud Lifecycle Management
Integrated Cloud Stack Management
Business-Driven Application Management
Self-Service IT | Simple and Automated | Business Driven
Consolidate Management With a Single Pane of Glass: Enterprise Manager 12c
• Manage IdM and enterprise applications from a single pane of glass:
  • Metric Thresholding and Alerting
  • Service Level Management
  • Configuration Management
  • Security & Best Practice Health Checks
• Identify and resolve IdM problems across the stack
• Improved compliance through role-based access
Benefits of the EM12c Platform
A Complete and Integrated Platform Approach for IdM Services and Management
Identity & Access Management
Complete and Integrated
• User Provisioning & Identity Governance
• Access Management
• Directory Services
• Single Management Dashboard
• Manage IdM application, host, & Oracle Hardware
• Understand Runtime Relationships with Topology Views
Compliance & Security
• Risk Based Access
• Oracle Privileged Account Management
• Compliance Rules & Compliance Dashboard
• Configuration Change Tracking
• Role-based access & auditing
Scalability & Availability
• 3x/5x Performance Gain Optimized on T5 hardware
• 200+ million users on Exalogic
• 500k+ targets managed in Oracle Public Cloud on Exalogic
• High Availability and Disaster Recovery Configurations
Better User Experience
• Shopping Cart UI
• Easy Customization
• Social Identity Log-in
• Real User Experience Insight
• Service Level Management Dashboarding and Reporting
BUSINESS DRIVEN MANAGEMENT WITH EM12C
User Experience Mgmt: Are my customers happy? How is the order intake doing?
Separate Application and Access Problems: Is it an application problem or SSO?
MW & DB Diagnostics: What is the root cause of the problem?
BUSINESS REPORTS DASHBOARDS
• Restricted access policy possible
• Overview of key reports like Geo location, User Flow completion and KPI results
• “Drag and drop”
• Can be stored as ‘templates’
Unified IdM Dashboard
Assess Health Across IdM Components
– Unified dashboard of status, alerts and incidents
– Quickly drill down and perform deep target management and diagnostics
Top Utilization by Resource | IdM System Management | Service Level Management | Health Status at a Glance
Service Level Management: Manage IT from a business perspective
• Model services and underlying systems
• Monitor availability, performance and service level compliance of critical services
• Define SLA compliance as a flexible set of objectives on top of a variety of metric indicators
• Proactively monitor end-user experience from remote locations via service tests
Compare IdM Configurations: Understand differences across environments quickly
• Track IdM configuration changes for diagnostic and regulatory purposes
• Compare latest configurations (e.g. stage vs production)
• Compare latest Identity and Access configuration with previously saved configuration
Enforce Compliance and Security Configurations: Ensure compliance to best practices and industry standards
• IdM Specific Compliance Rules
• Rules: checks/tests performed against specific target types
• Standards: collection of rules associated to multiple targets
• Frameworks: conceptual ‘folders’ that map standards to the real-world structure of compliance frameworks (PCI, COBIT, HIPAA, CIS, etc.)
Support Workbench & My Oracle Support: Streamline interaction with Oracle Support for IAM issues
• When critical errors occur in IAM you can collect diagnostic data and send it to Oracle Support
• Greatly reduces resolution time for external bugs related to IAM Server
Oracle Identity Management
Provisioning & Identity Administration:
• Oracle Identity Manager
Access Management:
• Oracle Access Manager
  - Mobile and Social
  - Oracle Identity Federation
• Oracle Adaptive Access Manager
• Oracle Enterprise Single Sign-On
• Oracle Web Services Manager
• Oracle OpenSSO Secure Token Service
Directory Services:
• Oracle Internet Directory
• Oracle Virtual Directory
• Oracle Directory Server Enterprise Edition
• Oracle Unified Directory
Management Pack Plus for Identity Management (Manageability):
• Automated Discovery of Identity Management Components
• Performance and Availability Monitoring
• Service Level Management
• Configuration Management
Implementing EM12c
EM12c Implementation Roadmap
1. Sizing, Growth & Architecture
2. Hardware Procurement
3. Implementation & Testing
4. EM12c in Production
Enterprise Manager 12c Implementation Blueprint
Target Sizing: Number & growth rate of:
• Application Targets
• Middleware Targets
• Database Targets
Architecture:
1. High Availability & Load Balancing
2. High Availability + Disaster Recovery
EM12c Sample Architecture and Sizing

EM12c Target Sizing
| EM12c Size | Agent Count      | Target Count        |
|------------|------------------|---------------------|
| Small      | < 100            | < 1,000             |
| Medium     | >= 100, < 1,000  | >= 1,000, < 10,000  |
| Large      | >= 1,000         | >= 10,000           |

| Size   | OMS Machine Count* | Cores per OMS | Memory per OMS (GB) | Database Machine Count* | Cores per Database Machine | Memory per Database Machine (GB) |
|--------|--------------------|---------------|---------------------|-------------------------|----------------------------|----------------------------------|
| Small  | 1                  | 2             | 6                   | 1                       | 2                          | 6                                |
| Medium | 2                  | 4             | 8                   | 2 (Oracle RAC)          | 4                          | 8                                |
| Large  | 2                  | 8             | 16                  | 2 (Oracle RAC)          | 8                          | 16                               |
| Large  | 4                  | 4             | 8                   | 2 (Oracle RAC)          | 8                          | 16                               |
12c Role Based Access, Key Store with Auditing
Improve operations and compliance through role-based access:
• Passwords are stored in the EM12c key store, not exposed to administrators.
• IAM, System, NOC and Database administrators get their own logical view restricted to their targets.
• User and job auditing.
Centralized Credential Store: EM Users (EM User1, EM User2) → Privileges → Jobs, DPs, MEs, Preferred Credentials → refer to SSH Keys, Digital Cert, Kerberos Ticket
Qualcomm & Enterprise Manager 12c
Qualcomm Background
CUSTOMER PERSPECTIVE
Oracle Enterprise Manager allows us to delegate varying levels of operational privileges among 24x7 NOC administrators, Identity and Access administrators and database administrators. This streamlines operations and internal compliance in response to management incidents on a global 24x7 basis.
COMPANY OVERVIEW
• Qualcomm designs, manufactures, and markets digital wireless telecommunications products and services based on its CDMA and other technologies
• Industry: High Tech; Segment: Semiconductors
• Employees: 26,000
• Revenue: $19.12 billion in FY12
CHALLENGES/OPPORTUNITIES
• Provide high IAM & Database SLA levels, monitor and report on them.
• NOC operators have restricted delegated privileges to act on alerts, rather than immediately contacting the IAM or Database target administrator as the first response to an incident.
• Quickly move from SLA violations to diagnostics and root cause analysis.
SOLUTIONS
• Replacing home-grown solution with OIM for company-wide user provisioning and de-provisioning with iPlanet LDAP, AD & Exchange.
• Database: 1500+ targets
• Application and Middleware: WebLogic, Demantra, EBS, SOA Suite, and Agile
RESULTS
• Manage OIM, Applications and Database with a highly available and DR configured Enterprise Manager.
• Improve compliance by giving appropriate management permissions to all internal stakeholders.
• Proactive monitoring & faster time to resolution through the empowerment of NOC operators.
Qualcomm Streamlines Operations and Management: Situation
• Leader in designing, manufacturing, and marketing digital wireless telecommunications products and services based on its CDMA and other technologies.
• Provide company-wide user provisioning/de-provisioning with high service levels, service level monitoring and reporting.
• Expose management services to Network Operations Center, Database and IAM administrators.
Qualcomm Streamlines Operations and Management: Challenges
Identity and Access Management:
• Proactively monitor OIM for SLA performance and outages.
• Provide health dashboarding in Qualcomm’s 24x7 NOC and take action with restricted start/stop role-based access.
• IT governance, compliance and change management.
• Best-practice configuration validation & change management.
From a management perspective:
• Provide multiple management views for DBAs, NOC operators, Identity and Access, Application and Middleware Administrators with role-based access and auditing.
• Enhanced diagnostics through SLA alerts, root cause analysis and SLA reporting.
• Need for scalable, highly available, multi-site disaster recovery management for packaged applications, middleware, Identity Management and database.
Qualcomm Streamlines Operations and Management: Solutions
SERVICE ORIENTED ARCHITECTURE
• Enterprise Manager 12c R3 in a highly available and disaster recovery configuration.
• Identity and Access Management: Oracle Identity Manager 11g.
• Oracle Database 11g. Internal customers include Oracle Applications and Databases.
The following six steps were used by Qualcomm to configure Enterprise Manager 12c in order to give Identity and Access Management permissions to IAM administrators while restricting other targets such as database.
IAM administrators and DB administrators have role separation with their targets; however, they are using a single EM infrastructure providing common management services in a high availability and disaster recovery configuration.
Configuring EM12c
Steps for Creating EM12c Roles and Groups
1 Create privilege-propagating dynamic group (FMWHOSTS) where membership criteria is: targets on myhost.qualcomm.com
2 Create privilege-propagating dynamic group (DBHOSTS) where membership criteria is: targets on myhost.qualcomm.com
3 Create role Qualcomm_FMW. Grant this role: Full privilege on FMWHOSTS, View on DBHOSTS
4 Create role Qualcomm_DB. Grant this role: Group Administration, Full privilege on DBHOSTS, View on FMWHOSTS
5 Grant role Qualcomm_FMW to the EM users who are part of the Qualcomm FMW team.
6 Grant role Qualcomm_DB to the EM users who are part of the Qualcomm DB team.
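The six steps above establish two things worth checking before users are granted anything: that a privilege on a dynamic group only reaches its member targets when the group is privilege-propagating, and that each team ends up with Full privilege on its own hosts and View only on the other team's hosts. The following is an added example, not Oracle's or Qualcomm's code: a small in-memory model of groups, roles and grants that reproduces steps 1 to 6 and computes the effective privilege each user holds on each target. The hostnames (`fmwhost01.example.com`, `dbhost01.example.com`), target names, user names and the action-to-privilege mapping are constructed assumptions; the EM privilege names are used only as labels in the model.

```python
from dataclasses import dataclass, field

# Ordering used to pick the strongest privilege a user holds on a target.
PRIVILEGE_RANK = {"NONE": 0, "VIEW": 1, "FULL": 2}
# Minimum target privilege each action requires (assumed mapping for this model).
ACTION_REQUIRES = {"view": "VIEW", "start": "FULL", "stop": "FULL", "edit": "FULL"}


@dataclass(frozen=True)
class Target:
    name: str
    target_type: str  # e.g. "oracle_database" (constructed labels)
    host: str


@dataclass
class DynamicGroup:
    """Group whose membership is computed from a criterion (here: the host)."""
    name: str
    host: str
    privilege_propagating: bool = True

    def members(self, targets):
        return [t for t in targets if t.host == self.host]


@dataclass
class Role:
    name: str
    group_privileges: dict                 # group name -> "FULL" or "VIEW"
    system_privileges: set = field(default_factory=set)


class EMAccessModel:
    def __init__(self):
        self.targets, self.groups, self.roles, self.user_roles = [], {}, {}, {}

    def add_target(self, name, target_type, host):
        self.targets.append(Target(name, target_type, host))

    def create_dynamic_group(self, name, host, privilege_propagating=True):
        self.groups[name] = DynamicGroup(name, host, privilege_propagating)

    def create_role(self, name, group_privileges, system_privileges=()):
        self.roles[name] = Role(name, dict(group_privileges), set(system_privileges))

    def grant_role(self, user, role_name):
        self.user_roles.setdefault(user, set()).add(role_name)

    def effective_privilege(self, user, target_name):
        """Strongest privilege reaching the target through any propagating group."""
        target = next(t for t in self.targets if t.name == target_name)
        best = "NONE"
        for role_name in self.user_roles.get(user, ()):
            for group_name, priv in self.roles[role_name].group_privileges.items():
                group = self.groups[group_name]
                # A non-propagating group keeps the privilege on the group object only.
                if not group.privilege_propagating:
                    continue
                if target in group.members(self.targets) and \
                        PRIVILEGE_RANK[priv] > PRIVILEGE_RANK[best]:
                    best = priv
        return best

    def can(self, user, target_name, action):
        held = PRIVILEGE_RANK[self.effective_privilege(user, target_name)]
        return held >= PRIVILEGE_RANK[ACTION_REQUIRES[action]]

    def has_system_privilege(self, user, privilege):
        return any(privilege in self.roles[r].system_privileges
                   for r in self.user_roles.get(user, ()))

    def access_matrix(self):
        """user -> {target: effective privilege}; the view an access review needs."""
        return {u: {t.name: self.effective_privilege(u, t.name) for t in self.targets}
                for u in self.user_roles}


def build_model():
    """Steps 1-6 from the slide, with constructed hostnames, targets and users."""
    em = EMAccessModel()
    em.add_target("oim_server1", "oracle_oim", "fmwhost01.example.com")
    em.add_target("oam_server1", "oracle_oam", "fmwhost01.example.com")
    em.add_target("oimdb", "oracle_database", "dbhost01.example.com")
    em.add_target("legacy_app", "generic_app", "legacyhost.example.com")
    # Steps 1-2: privilege-propagating dynamic groups keyed on host.
    em.create_dynamic_group("FMWHOSTS", "fmwhost01.example.com")
    em.create_dynamic_group("DBHOSTS", "dbhost01.example.com")
    # Contrast case (not on the slide): a non-propagating group passes nothing down.
    em.create_dynamic_group("LEGACY", "legacyhost.example.com", privilege_propagating=False)
    # Steps 3-4: roles with Full on their own group, View on the other one.
    em.create_role("Qualcomm_FMW", {"FMWHOSTS": "FULL", "DBHOSTS": "VIEW", "LEGACY": "FULL"})
    em.create_role("Qualcomm_DB", {"DBHOSTS": "FULL", "FMWHOSTS": "VIEW"},
                   {"GROUP_ADMINISTRATION"})
    # Steps 5-6: grant roles to team members; a NOC operator with no role sees nothing.
    em.grant_role("fmw_admin", "Qualcomm_FMW")
    em.grant_role("dba", "Qualcomm_DB")
    em.user_roles.setdefault("noc_operator", set())
    return em


if __name__ == "__main__":
    for user, row in build_model().access_matrix().items():
        print(user, row)
```

The `access_matrix` output is the artefact to keep from such a model: it is the per-user, per-target view that an internal compliance review would compare against the intended separation (FMW team cannot stop a database, DB team cannot stop OIM, an un-granted NOC account sees nothing until a role is explicitly assigned).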
Qualcomm Streamlines Operations and Management: Results
• Single-day EM12c role configuration, agent deployment, & target discovery.
• Improved compliance through streamlined operations, allowing NOC, IAM and DB administrators role-based permission views on the same targets.
• Faster incident response and resolution through role delegation and operational collaboration.
Qualcomm Streamlines Operations and Management
Nadine Siddell, Qualcomm:
“Oracle Enterprise Manager allows us to improve compliance by delegating varying levels of operational privilege among 24x7 NOC administrators, Identity and Access administrators and Database administrators. This streamlines operations in response to incidents on a global 24x7 basis.”
Demonstration
Credits
Special Thanks to:
– Babu Rallapalli, Consulting Solutions Architect
– Architect Team
COMPLETE GOVERNANCE / COMPLETE MANAGEMENT
IDENTITY GOVERNANCE
• Access Request
• Entitlement Catalog
• Privileged Account Management
• Access Certification
COMMON REPOSITORY (Single User View) across:
• Operating Systems
• Directory Services
• Apps / Applications
• Databases