Under the Hood 11g Identity Management


Insync 2010

11g Identity Management
Peter McLarty
Pacific DBMS Pty Ltd
17th August 2010

The most comprehensive Oracle applications & technology content under one roof

Feeling stressed?

Introduction

What are we here for?

Shared Identity

Cloud Security

Single Sign On (Single Point of truth)

Lots of products

Identity Manager

Access Manager

Identity Analytics

Directory Services Plus

Identity Federation

Why do we need it?

Compliance

Security

Cost management (Consolidation)

How is it useful

Access Controls

Policy Management

Audit Support

Controls

Roles

Fine grain access controls

Tracking of events logon - logoff

Oracle Directory Services

Oracle Virtual Directory

Oracle Internet Directory

Oracle Directory Server

Oracle Internet Directory
&
Oracle Directory Server

What's OID?

LDAP Service

Database Location Service

Data Store used by other Identity Services

Architecture

Database

OIDMON

ODS

ODRS

LDAP Server Instance

Server Processes

Dispatcher Services

Tuning Required

Default Ports

3060 Non SSL

3131 SSL

OidmonOrs

Metadata

Uses a cache which is built at startup

Directory schema - what is stored

Control of who accesses what (ACP)

Root DSE - Stores information about the server itself

Metadata

Privilege Groups - Used for Access Control Policies

Contains entries for hosted businesses, password verification, password policy and others

DIT

What is a DIT?

Can I have more DITs?

Search Process 1

Client connects SSL or non SSL with LDAP protocol

Type of user can be known or anonymous

Filters can be put in place to limit search

User authenticated, bind made, ACL checked

Search Process 2

LDAP search request is converted to OCI language to interrogate the database

Database retrieves data; passes it back via OCI to the LDAP server

Query result sent back to the database

Server Chaining

What is it?

Why do we want to use it?

Server Chaining 2

Server chaining supports the following operations:

Bind

Compare

Modify

Search

Why Server chain?

Creating a Server Chaining Entry

Command Line or Directory Services Manager - Create LDIF file

dn: cn=AD,cn=users,dc=pacificdbms,dc=com,dc=au
cn: AD
objectclass: orclcontainer
objectclass: top

Connection to Sun IPlanet

cn=oidsciplanet,cn=OID Server Chaining,cn=subconfigsubentry
orclOIDSCExtHost: sunone.example.com
orclOIDSCExtPort: 10389
orclOIDSCExtDN: cn=directory manager
orclOIDSCExtPassword: ********

Connection to Sun IPlanet

orclOIDSCExtUserContainer: ou=people,dc=example,dc=com
orclOIDSCExtGroupContainer: ou=groups,dc=example,dc=com
orclOIDSCTargetUserContainer: cn=iPlanet,cn=users,dc=oracle,dc=com
orclOIDSCTargetGroupContainer: cn=iPlanet,cn=groups,dc=oracle,dc=com

Connection to Sun IPlanet

orclOIDSCExtSearchEnabled: 1
orclOIDSCExtModifyEnabled: 1
orclOIDSCExtAuthEnabled: 1
orclOIDSCSSLEnabled: 1
orclOIDSCExtSSLPort: 10636
orclOIDSCWalletLocation: /ipwallet/ewallet.p12
orclOIDSCWalletPassword: ********

Debugging Server Chaining

Create an LDIF file

dn: cn=oidscad,cn=oid server chaining,cn=subconfigsubentry
changetype: modify
replace: orcloidscDebugEnabled
orcloidscDebugEnabled: 1

Execute

$ORACLE_HOME/bin/ldapmodify -h host -p port -D cn=orcladmin -q -f file
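Added example, not from the deck: a small Python checker that reads a chaining entry like the iPlanet one above and flags the settings worth querying before it is loaded with ldapmodify (external binds with SSL off, SSL on without a wallet or SSL port, the debug flag left on, the external password sitting in the file). The sample LDIF is constructed; the attribute names are the deck's, the host, DN and password values are made up.

```python
import base64
# Constructed sample shaped like the deck's iPlanet chaining entry: host, DN and
# password are made up, SSL is left off and debug left on so the checks fire.
SAMPLE_LDIF = """\
dn: cn=oidsciplanet,cn=OID Server Chaining,cn=subconfigsubentry
orclOIDSCExtHost: sunone.example.com
orclOIDSCExtPort: 10389
orclOIDSCExtDN: cn=directory manager
orclOIDSCExtPassword:: Y2hhbmdlaXQ=
orclOIDSCExtAuthEnabled: 1
orclOIDSCSSLEnabled: 0
orcloidscDebugEnabled: 1
"""

def parse_ldif(text: str) -> list:
    """Minimal LDIF reader: one dict per entry, attribute names lower-cased,
    '::' values base64-decoded, continuation lines (leading space) re-joined."""
    entries = []
    for block in text.replace("\n ", "").split("\n\n"):
        entry: dict = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):          # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode()
            entry.setdefault(name.lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def audit_chaining_entry(entry: dict) -> list:
    """Findings for one cn=...,cn=OID Server Chaining entry (parsed form)."""
    on = lambda attr: entry.get(attr, ["0"])[0] == "1"   # flag attribute set to 1?
    findings, ssl = [], on("orcloidscsslenabled")
    if on("orcloidscextauthenabled") and not ssl:
        findings.append("ExtAuthEnabled without SSLEnabled: external binds go over plain LDAP")
    if ssl and not (entry.get("orcloidscextsslport") and entry.get("orcloidscwalletlocation")):
        findings.append("SSLEnabled but orclOIDSCExtSSLPort or orclOIDSCWalletLocation missing")
    if on("orcloidscdebugenabled"):
        findings.append("DebugEnabled still 1: switch it off once debugging is done")
    if "orcloidscextpassword" in entry:
        findings.append("LDIF carries orclOIDSCExtPassword: restrict or delete the file")
    return findings

def audit_ldif(text: str) -> dict:
    # dn -> findings for each chaining entry; any other entries are ignored
    return {e["dn"][0]: audit_chaining_entry(e) for e in parse_ldif(text)
            if "oid server chaining" in e.get("dn", [""])[0].lower()}
```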

Designing your implementation

Do Not use clustered hosts - too many issues

If you have the skills, use Linux on VMs

Scatter installations across your environment

Use Replication

If you have load balancers use them

Installation

Using default settings the server needs 6GB or greater

Can do small memory with altered Java VM settings

Need to understand 11g path conventions

Install Notes

Metalink Note 858748.1 Getting Started FAQ

Configuration

After installing the software, configure the instance with config.sh

Save configuration before running configuration step at the end

Small memory config

Metalink note 865166.1

-Xrs -XX:MaxPermSize=192m in Admin Console Server Configuration

Replication

It's important

What model? Fan Out, Multimaster, Single Master?

Not guaranteed to be consistent - data different on different nodes

Single Master

One master all others read only

Multimaster

All Nodes can update all other nodes

Fan Out

It's a hybrid

LDAP Replication

Full or Partial

Peer to peer, One Way, Two Way

Multimaster, Single Master, Fan Out

LDAP Replication

Advanced Replication (Database)

Full replication

Peer to peer

Multimaster

Single by changing all but one to read only

Uses the database to do the replication

Uses command line tools to configure this

remtool

Use it for configuring the advanced replication

Modify or reset replication Bind DN password

Displaying various errors and status information for change log propagation

Convert advanced replication to LDAP replication

Setting up Replica - Command Line

Copy database for new instance; not recommended

Bootstrapping is the better option

What is bootstrapping?

Supplier Node and Replica Node

Use remtool to copy metadata from supplier to replica

Set up the replication with the Replication wizard

Replica Using Replication Wizard

Fusion Middleware Control

Access Manage Replication

Select Replication type

Follow the remaining steps in the Oracle Docs

Bootstrapping issues

Cannot have replica and supplier system in bootstrap mode

(orclreplicastate=1) = Normal Operation

A number of problems in My Oracle Support for bootstrap

Fusion Middleware and Managing OID

Cannot do if not part of a WLS domain

Fusion Middleware Control uses SSL

Port configured as none or server authentication

To connect use http://host:port/odsm

Command Line

Domain Home to manage the Admin Server

Instance Home to manage the OID Server

opmnctl to control the OID server

/oracle/Middleware/IDMinst_1/bin/opmnctl

ods_process_status

Oidmon polls table to check system

Can be used by other scripts to monitor OID
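Added example, not from the deck: a Python monitor that parses `opmnctl status` output for the OID instance (a constructed sample, pids invented, instance name taken from the path above) rather than querying the ods_process_status table the deck mentions, and returns a health summary a cron job or monitoring agent can act on.

```python
import re

# Constructed sample of `opmnctl status` output for an OID instance (pids invented).
SAMPLE_STATUS = """\
Processes in Instance: IDMinst_1
---------------------------------+--------------------+---------+---------
ias-component                    | process-type       |     pid | status
---------------------------------+--------------------+---------+---------
oid1                             | oidldapd           |   20412 | Alive
oid1                             | oidldapd           |   20410 | Alive
oid1                             | oidmon             |   20395 | Alive
EMAGENT                          | EMAGENT            |   20380 | Down
"""

ROW = re.compile(r"^(\S+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*\|\s*(\S+)\s*$")

def parse_opmn_status(text: str) -> list:
    """Rows of (ias-component, process-type, pid, status); header and rule
    lines are skipped because their pid column is not numeric."""
    return [m.groups() for m in map(ROW.match, text.splitlines()) if m]

def oid_health(text: str, component: str = "oid1") -> dict:
    """Summary for one OID component: oidmon up, count of live oidldapd
    listeners, and any process not reported Alive (what a monitor alerts on)."""
    rows = [r for r in parse_opmn_status(text) if r[0] == component]
    return {
        "oidmon_alive": any(r[1] == "oidmon" and r[3] == "Alive" for r in rows),
        "ldap_alive": sum(r[1] == "oidldapd" and r[3] == "Alive" for r in rows),
        "not_alive": [f"{r[1]} pid {r[2]}: {r[3]}" for r in rows if r[3] != "Alive"],
    }

def healthy(text: str, component: str = "oid1") -> bool:
    """True only when oidmon and at least one oidldapd are Alive and nothing is down."""
    h = oid_health(text, component)
    return h["oidmon_alive"] and h["ldap_alive"] > 0 and not h["not_alive"]

if __name__ == "__main__":
    import sys
    # In production replace SAMPLE_STATUS with the output of
    # /oracle/Middleware/IDMinst_1/bin/opmnctl status (e.g. via subprocess).
    sys.exit(0 if healthy(SAMPLE_STATUS) else 2)
```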

WLST

Weblogic Scripting Tool

Jython based

Used for many things

Can script many tasks

Weblogic Server Version

The following might be useful when installing a new product on an existing server

cat registry.xml | grep version

Questions

[email protected]

http://www.pacificdbms.com.au

Tell us what you think

http://feedback.insync10.com.au