Insync 2010
11g Identity Management
Peter McLarty
Pacific DBMS Pty Ltd
17th August 2010
The most comprehensive Oracle applications & technology content under one roof
Feeling stressed?
Introduction
What are we here for?
Shared Identity
Cloud Security
Single Sign On (Single Point of truth)
Lots of products
Identity Manager
Access Manager
Identity Analytics
Directory Services Plus
Identity Federation
Why do we need it?
Compliance
Security
Cost management (Consolidation)
How is it useful
Access Controls
Policy Management
Audit Support
Controls
Roles
Fine grain access controls
Tracking of events logon - logoff
Oracle Directory Services
Oracle Virtual Directory
Oracle Internet Directory
Oracle Directory Server
Oracle Internet Directory
&
Oracle Directory Server
What's OID?
LDAP Service
Database Location Service
Data Store used by other Identity Services
Architecture
Database
OIDMON
ODS
ODRS
LDAP Server Instance
Server Processes
Dispatcher Services
Tuning Required
Default ports: 3060 non-SSL, 3131 SSL
OidmonOrs
Metadata
Uses a cache which is built at startup
Directory schema - what is stored
Access Control Policies (ACPs) - control who can access what
Root DSE - stores information about the server itself
Metadata
Privilege Groups - Used for Access Control Policies
Contains entries for hosted businesses, password verification, password policy and others
DIT
What is a DIT? Can I have more DITs?
Search Process 1
Client connects SSL or non SSL with LDAP protocol
Type of user can be known or anonymous
Filters can be put in place to limit search
User authenticated, bind made, ACL checked
Search Process 2
LDAP search request is converted to OCI calls to query the database
Database retrieves the data and passes it back via OCI to the LDAP server
Query result sent back to the database
Server Chaining
What is it? Why do we want to use it?
Server Chaining 2
Server chaining supports the following operations:
Bind
Compare
Modify
Search
Why Server chain?
Creating a Server Chaining Entry
Command line or Directory Services Manager - create an LDIF file:
dn: cn=AD,cn=users,dc=pacificdbms,dc=com,dc=au
cn: AD
objectclass: orclcontainer
objectclass: top
Connection to Sun iPlanet
dn: cn=oidsciplanet,cn=OID Server Chaining,cn=subconfigsubentry
orclOIDSCExtHost: sunone.example.com
orclOIDSCExtPort: 10389
orclOIDSCExtDN: cn=directory manager
orclOIDSCExtPassword: ********
orclOIDSCExtUserContainer: ou=people,dc=example,dc=com
orclOIDSCExtGroupContainer: ou=groups,dc=example,dc=com
orclOIDSCTargetUserContainer: cn=iPlanet,cn=users,dc=oracle,dc=com
orclOIDSCTargetGroupContainer: cn=iPlanet,cn=groups,dc=oracle,dc=com
orclOIDSCExtSearchEnabled: 1
orclOIDSCExtModifyEnabled: 1
orclOIDSCExtAuthEnabled: 1
orclOIDSCSSLEnabled: 1
orclOIDSCExtSSLPort: 10636
orclOIDSCWalletLocation: /ipwallet/ewallet.p12
orclOIDSCWalletPassword: ********
Debugging Server Chaining
Create an LDIF file:
dn: cn=oidscad,cn=oid server chaining,cn=subconfigsubentry
changetype: modify
replace: orcloidscDebugEnabled
orcloidscDebugEnabled: 1
Execute:
$ORACLE_HOME/bin/ldapmodify -h host -p port -D cn=orcladmin -q -f file
Designing your implementation
Do not use clustered hosts - too many issues
If you have the skills, use Linux on VMs
Scatter installations across your environment
Use Replication
If you have load balancers use them
Installation
Using default settings the server needs 6GB or greater
Can run with less memory using altered Java VM settings
Need to understand 11g path conventions
Install Notes
Metalink Note 858748.1 Getting Started FAQ
Configuration
After installing the software, configure the instance with config.sh
Save the configuration before running the configuration step at the end
Small memory config
Metalink note 865166.1
-Xrs -XX:MaxPermSize=192m in Admin Console Server Configuration
Replication
It's important. What model? Fan Out, Multimaster, Single Master?
Not guaranteed to be consistent - data can differ between nodes
Single Master
One master all others read only
Multimaster
All Nodes can update all other nodes
Fan Out
It's a hybrid of the two
LDAP Replication
Full or partial
Peer to peer, one way, two way
Multimaster, single master, fan out
LDAP Replication
Advanced Replication (Database)
Full replication
Peer to peer
Multimaster
Single master by changing all nodes but one to read only
Uses the database to do the replication
Uses command line tools to configure this
remtool
Use it for configuring the advanced replication
Modify or reset replication Bind DN password
Display errors and status information for change log propagation
Convert advanced replication to LDAP replication
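The server chaining entry above and the replication caveat just stated (nodes are not guaranteed to be consistent) both come down to reviewing LDIF. As an added example, not code from this deck or from Oracle, the following Python parses LDIF exports offline, flags weak settings in a server chaining entry (bind credentials forwarded without SSL, SSL without a wallet, debug left on) and reports attribute-level drift between a supplier and a replica export. The orclOIDSC* attribute names are those shown on the slides; the sample entries, hosts, DNs and the finding wording are constructed for illustration.

```python
"""Offline checks over OID LDIF: server-chaining hardening and replica drift.
Added example, not code from the Insync 2010 deck or from Oracle. The
orclOIDSC* attribute names are those on the slides; the sample LDIF, hosts
and DNs below are constructed for illustration."""
from collections import defaultdict

CHAINING_CONTAINER = "cn=oid server chaining,cn=subconfigsubentry"


def parse_ldif(text):
    """Parse LDIF into {dn: {attr: [values]}} with lower-cased keys.
    Handles RFC 2849 folding (continuation lines start with one space),
    comments and blank-line separators; base64 ('::') values stay undecoded."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]        # join a folded continuation line
        else:
            unfolded.append(raw)
    entries, current = {}, None
    for line in unfolded:
        if line.startswith("#"):
            continue
        if not line.strip():
            current = None                 # blank line ends the entry
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            current = defaultdict(list)
            entries[value.lower()] = current
        elif current is not None:
            current[name].append(value)
    return entries


def check_chaining_entry(attrs):
    """Return hardening findings for one server-chaining config entry."""
    def on(name):
        return attrs.get(name, ["0"])[0] == "1"
    findings = []
    # The bind credential for the external directory crosses this link, so
    # authentication or a stored password without SSL is the main concern.
    if (on("orcloidscextauthenabled") or attrs.get("orcloidscextpassword")) \
            and not on("orcloidscsslenabled"):
        findings.append("external directory credentials forwarded without SSL")
    if on("orcloidscsslenabled") and not attrs.get("orcloidscwalletlocation"):
        findings.append("SSL enabled but no orclOIDSCWalletLocation set")
    if on("orcloidscdebugenabled"):
        findings.append("orcloidscDebugEnabled left at 1")
    return findings


def audit_chaining(ldif_text):
    """Map every chaining entry DN in the LDIF to its findings."""
    return {dn: check_chaining_entry(attrs)
            for dn, attrs in parse_ldif(ldif_text).items()
            if dn.endswith(CHAINING_CONTAINER)}


def replica_drift(supplier_ldif, replica_ldif):
    """Return {dn: [attrs that differ]} between two exports; a DN present on
    only one side is reported as ['<missing>']."""
    s, r = parse_ldif(supplier_ldif), parse_ldif(replica_ldif)
    drift = {}
    for dn in sorted(set(s) | set(r)):
        if dn not in s or dn not in r:
            drift[dn] = ["<missing>"]
            continue
        diff = [a for a in sorted(set(s[dn]) | set(r[dn]))
                if sorted(s[dn].get(a, [])) != sorted(r[dn].get(a, []))]
        if diff:
            drift[dn] = diff
    return drift


# Constructed samples, not real configurations.
WEAK_CHAINING = """\
dn: cn=oidsciplanet,cn=OID Server Chaining,cn=subconfigsubentry
orclOIDSCExtHost: sunone.example.com
orclOIDSCExtDN: cn=directory manager
orclOIDSCExtPassword: PLACEHOLDER-PASSWORD
orclOIDSCExtUserContainer: ou=people,
 dc=example,dc=com
orclOIDSCExtAuthEnabled: 1
orclOIDSCSSLEnabled: 0
orcloidscDebugEnabled: 1
"""
HARDENED_CHAINING = """\
dn: cn=oidsciplanet,cn=OID Server Chaining,cn=subconfigsubentry
orclOIDSCExtAuthEnabled: 1
orclOIDSCSSLEnabled: 1
orclOIDSCWalletLocation: /ipwallet/ewallet.p12
"""
SUPPLIER_EXPORT = """\
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
mail: alice@example.com

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
"""
REPLICA_EXPORT = """\
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
mail: alice@old.example.com
"""
```

Run `audit_chaining(WEAK_CHAINING)` to see the two findings for the weak entry and `replica_drift(SUPPLIER_EXPORT, REPLICA_EXPORT)` to see the differing `mail` value and the entry missing from the replica. In practice the inputs would be `ldifwrite` or `ldapsearch` exports taken from each node; comparing them this way is a cheap way to confirm that a replica has actually converged before trusting it for authentication.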
Setting up Replica - Command Line
Copying the database for the new instance is not recommended
Bootstrapping is the better option
What is bootstrapping?
Supplier Node and Replica Node
Use remtool to copy metadata from supplier to replica
Set up the replication with the Replication wizard
Replica Using Replication Wizard
Fusion Middleware Control
Access Manage Replication
Select Replication type
Follow remaining steps Oracle Docs
Bootstrapping issues
Replica and supplier cannot both be in bootstrap mode; orclreplicastate=1 = normal operation
A number of problems in My Oracle Support for bootstrap
Fusion Middleware and Managing OID
Not possible if the instance is not part of a WLS domain
Fusion Middleware Control uses SSL
SSL port configured with no authentication or server authentication
To connect use http://host:port/odsm
Command Line
Domain Home to manage the Admin Server
Instance Home to manage the OID Server
opmnctl to control the OID server
/oracle/Middleware/IDMinst_1/bin/opmnctl
ods_process_status
Oidmon polls this table to check the system
Can be used by other scripts to monitor OID
WLST
Weblogic Scripting Tool
Jython based
Used for many things
Can script many tasks
Weblogic Server Version
The following might be useful when installing a new product into an existing server:
grep version registry.xml
Questions
http://www.pacificdbms.com.au
Tell us what you think
http://feedback.insync10.com.au