Oracle Internet Directory 11g
Oracle Directory Integration Platform 11g
Oracle Authentication Services for OS 11g
Olaf Stullich, Product Manager
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remain at the sole discretion of Oracle.
Agenda
Identity Manager
OID Overview
LDAP storage built upon the Oracle database
Fully functional meta-directory with the Directory Integration Platform (DIP) component
Integrated into Oracle Fusion Middleware and applications
High performance and scalability, with a 2-billion-entry benchmark
Maximum availability with multi-layer HA, including LDAP replication and Oracle RAC
Extreme security with Database Vault and encryption, in addition to LDAP access control
Architecture diagram: Applications; connected directories (Sun JSDS, Microsoft AD, Novell eDirectory, Tivoli Directory Server, MS AD LDS, OpenLDAP); Directory Integration Server; Oracle Internet Directory; Directory Replication Server (two instances shown)
OID Monitor: initiates, monitors, and terminates the LDAP and replication server processes
Scalability
Unique Server Architecture
Multi-threaded, using DB connection pooling
Multi-processing to utilize existing CPUs
Multi-instance directory server using multiple HW nodes
Scalability with the number of CPUs in SMP HW architectures
Scalability with the number of nodes in HW cluster architectures
Scalability to terabytes of directory data
Best performance on very large groups (>1M users)
High-speed bulk tools
Two Billion Entries
Single Directory Information Tree, single directory server instance
Data loaded in 5 hrs, DB indexing in 19.5 hrs
100,000+ LDAP search ops/sec with 2.5 msec average latency
High-speed data load
High throughput of LDAP operations with low latency for both read and write operations
Performance
Start small
Low HW requirements
Entries in the directory: e.g. manage Oracle databases in OID
Use existing DB HW and scale as needed
No need to switch directory service when requirements saturate the HW
Upgrade HW as needed and leverage OID's flexible deployment architecture
High Availability
Sample High Availability Environment
Fan-out Replication
Read-only and updateable replicas
Fractional and partial replication: subset of MMR
Solutions that do not require HA of all Application Server components, only of IdM
Security controls diagram: Reports; Multi-Factor Authorization; Command Rules; Separation of Duty
Benefits: enhanced security, improved compliance
Leverage:
Oracle Directory Services Manager (ODSM)
Manages OID and OVD
Use intelligent wizards and templates for:
Replication
Sizing and tuning
Directory synchronization
Presenting user and group information
Accessible via the FMW console
FMW console
Homepage with vital system statistics
Customizable dashboard
ODSM accessible via the FMW console or standalone
ODSM
Used for specific LDAP-related tasks:
User creation
Schema management
Security management
11g Auditing
Suite-wide auditability
ECID propagation
Audit records in a DB schema
Out-of-the-box reports using BI Publisher
Policies for:
User sessions
Authorization
Data access
Account management
LDAP entry access
11g Logging
Suite-wide log message format
Diagnostic logging information
Covers OID, the OID replication server, and DIP
DIP Profiles
Templates for data mapping / transformation
Communication direction
Either one-way or two-way, that is, either from Oracle Internet Directory to connected directories, the reverse, or both
Type of data
Examples
Use Cases
Enterprise User Security
Oracle Authentication Services for Operating Systems (OAS4OS)
Enterprise Roles
Centralized user role management
Authentication Methods
Password
Kerberos (Microsoft, MIT)
PKI (X.509v3)
Automated integration with directory services
Automated user migration tools from local files and NIS servers
Key Functions
Scripts to automate client configuration, including SSL
Easy migration from Linux/Unix files
Easy migration from NIS to LDAP
Centralized password policies and lockout control
Support for UID and GID uniqueness, and provisioning support
Centralized Sudo policy management
Active Directory integration
Cross-platform support:
Linux: Red Hat and Oracle Enterprise Linux, SUSE Linux
Unix: Solaris, HP-UX, AIX
Roadmap (timeline slide)
11gR1: Internet Directory, Virtual Directory, Identity Federation, Web Services Manager, Platform Security Services
April 2010, 11g Patchset 2: Internet Directory, Virtual Directory, Identity Federation, Web Services Manager, Platform Security Services
H2 CY2011, 11g Patchset 3: Internet Directory, Virtual Directory, Identity Federation, Web Services Manager, Platform Security Services
11g Patchset 4: Internet Directory, Virtual Directory, Identity Federation, Web Services Manager, Platform Security Services
DIP
Support for OID SSL mode 2 (mutual authentication)
CLI export and import of profiles (test to production)
Integration of DIPTESTER advanced mode
ODSM
UI enhancement to manage list of secure attributes and hashed attributes
11gR1 Patchset 2
Oracle Authentication Services for OS
Full integration with Fusion Middleware Release 11g R1 PS2
Extended client OS support
New configuration scripts to enable PAM proxy-user-based access to OID for enhanced security
Easy configuration of OID SSL using customer-provided certificates for production deployments, or self-signed certificates to test OID SSL connections
Restricting client access based on IP address
Easy reset of client configuration to support testing
DIP
OOTB diagnostic enhancements (aka DIPTESTER)
32/64-bit password filter availability in software media
ODSM
SSO using OAM
DIP
DSEE sync
OIA synchronization support
Bi-directional DB synchronization
Additional DB connectors
Performance improvement
Priority replication, automatic OID tuning
OAS4OS
Uptake of the SSL automation tool
HA/LDAP failover support
ODSEE support
Demos
EM Fusion Middleware Control
Oracle Directory Services Manager
Oracle Authentication Services for Operating Systems (short)
Oracle Authentication Services for Operating Systems (long, available on OTN)
Directory Integration Platform (OID and ODSEE)
Database Management
Enterprise User Security