
Michael P. Mesaros, Uppili Srinivasan, Oracle Identity Management and Security, Oracle Corporation



Presentation Transcript


  1. Michael P. Mesaros, Uppili Srinivasan, Oracle Identity Management and Security, Oracle Corporation

  2. Planning Your Oracle Identity Management Deployment. OracleWorld Paper 40207

  3. Agenda • Need for identity management • Oracle Identity Management overview • Why deploy Oracle Identity Management? • Deployment process overview • Deployment/planning steps • Requirement analysis • Logical design • Detailed deployment planning • Summary and conclusions

  4. Need for Identity Management Oracle Identity Management

  5. Web applications are great ... • Inexpensive to develop • Easy to deploy • Access anywhere BUT …

  6. …but they can be an administrative and usability nightmare!

  7. Web application problems • Administrative problems • Efficiently provisioning users for applications • Limited/no ability to delegate administration • Usability problems • Different user names/passwords • Little/no personalization of portal content • Security problems • Inconsistent password management policies • Fragmented security policy enforcement

  8. The identity management solution • Identity management is the process by which • Users are provisioned for enterprise applications • Application user roles and permissions are managed • Users manage profile information such as application preferences, passwords and PINs • Applications (such as Portals) are personalized for individual users

  9. Oracle application environment • Supply chain mgmt • Marketing & sales mgmt • Service mgmt • Financial mgmt • Project mgmt • HR mgmt • Vertical applications … • Mail • Voicemail • Calendar • Files • iMeeting • etc. • HTTP server • Web services • Portal • Web cache • Forms • Reports • etc. • Oracle Database • Oracle Label Security

  10. Oracle Identity Management requirements • Enterprise integration • High availability • Scalability • Security • Integration with the Oracle product stack • Support for standards

  11. Oracle Identity Management infrastructure (diagram) • Directory • Directory Integration • Provisioning Integration • Delegated Administration • Single Sign-On • Certificate Authority

  12. Oracle Internet Directory • Scalability • Millions of user entries on single server • 1000’s of simultaneous clients • High availability • Multimaster replication • Oracle9i hot backup/recovery • Security • Sophisticated security model based on access control lists • Standards-based • Native LDAPv3 implementation (diagram: LDAP clients and directory administration connect to the Oracle Internet Directory Server over LDAP over SSL; the server uses Oracle Net connections to the Oracle Database)

  13. Directory Integration and Provisioning (diagram) • Provisioned applications • Portal • iFS • iAS Wireless • Legacy apps. (reached from Provisioning Integration Services by event, using PL/SQL over Oracle Net) • Connected directories • ADS • iPlanet • etc. (reached from Directory Synch. Services by poll, using LDAP or file) • Both services are driven by Oracle Internet Directory

  14. Oracle Delegated Administration Services • New directory feature with Oracle9iAS V2 • Provides a consistent interface for directory content administration • Administrative tool: supports application administration delegation • End-user tool: Set passwords, preferences, whitepages

  15. Oracle Application Server Single Sign-On • Provides single sign-on capability for all Oracle web-based applications • Partner API, Kerberos support permits integration with other authentication services • Built on Oracle technology • HA deployments • Leverages Oracle Internet Directory, Delegated Administration Services

  16. Oracle Application Server Certificate Authority • Key features • Out-of-the-box PKI solution; allows Oracle customers to secure their deployments • Easy provisioning of X.509v3 digital certificates • Web Based certificate management and administration • Seamless integration with Oracle Application Server Single Sign-On • High availability and scalability with Oracle10g and Oracle Internet Directory

  17. Grid computing model (diagram) • Workload & QOS Manager • Topology Manager • Policy Manager • Cross-Tier Routing • Resource Manager • Blade farm (local grid) with high speed interconnect and dynamically provisioned & registered blades

  18. Oracle Identity Management’s role in grid computing • Provisioning hardware in the network • Provisioning applications on the grid • Provisioning users for grid applications Identity Management is essential to realizing the grid computing vision!

  19. Oracle Identity Management – customer benefits • Scalable, robust and integrated infrastructure • Out-of-the-box deployment for Oracle products • Single point of integration between Oracle and other identity management applications • Open, standards-based infrastructure

  20. Why Deploy Oracle Identity Management? Oracle Identity Management

  21. Identity management deployment options • No infrastructure • Deploy “local” infrastructure for Oracle applications • Deploy enterprise-wide Oracle Identity Management infrastructure

  22. No infrastructure • All user identities managed locally by applications • Suitable for development deployments • Can be migrated to identity management infrastructure for production • e.g. OracleAS OC4J instance with JAAS/XML

  23. Deploy “local” infrastructure for Oracle applications • Many Oracle products (e.g. Single Sign-On) require components of identity management infrastructure to be installed • Possible scenarios • Pilot deployments • Integrating an isolated Oracle community with enterprise identity management services • Semi-independent departments • OracleAS 10g has features to support this deployment model • Administration privilege model • Partial/fan-out replication

  24. Deploy enterprise-wide infrastructure • Recommended for supporting production enterprise deployments • More planning typically required, however: • Faster deployment of additional applications • Centralized “professional” infrastructure administration • Centralized identity management across all Oracle applications in the enterprise • Standards-based identity management platform which is leveraged by other (non-Oracle) applications

  25. Deployment Process Overview Oracle Identity Management

  26. Distributed systems security reference architecture (diagram) • Users access Protected Resources through an Application • Application Security Services: Audit, Authorization, Authentication, Privacy • Identity Management Infrastructure: Identity & Policy Store, Identity & Profile Assertion Services, Policy Decision Services, Administration & Provisioning

  27. Infrastructure usage overview

  28. Deployment process overview (diagram) Enterprise Requirements → Requirement Analysis → Logical Deployment Plan → Deployment Planning → Physical Deployment Plan → Implementation and Deployment → Administration; new requirements based on deployment experience feed back into requirement analysis

  29. Deployment example: Oracle Data Center • Services for 40K employees worldwide • Application environment • Employee portal, Oracle E-Business Suite, Oracle Collaboration Suite • Extranet environment • Initial requirements • Unified identity management • Single sign-on across applications

  30. Deployment Planning Steps Oracle Identity Management

  31. Requirements Analysis Phase • Plan, deploy and administer responsibility • Which components to deploy • Information model • Centralized security management • Enterprise application • Administrative autonomy • Security Isolation • Third-party identity management integration • High availability, scalability and performance

  32. Requirement example: Oracle’s extranet environment (diagram) • Inside: employees using internal applications • Outside: customers, employees and partners reaching shared applications through the company portal (my.oracle.com)

  33. Logical deployment plan • Translation of the enterprise requirements • Answers questions such as: • How many identity management infrastructures to deploy? • Which components will be deployed, and where? • Deployment of replicated local instances? • How is it going to integrate with other enterprise repositories, provisioning systems and single sign-on services?

  34. Logical deployment planning issues • Issues • Standard enterprise model • Serving internal and external users • Administrative autonomy for departmental applications • Integration with other identity management systems

  35. Example: Security isolation using two infrastructures (diagram) • Internal users use OracleAS Portal and Oracle Collaboration Suite against the Internal Identity Management infrastructure (Single Sign-On, Delegated Administration, Directory) • External users use the Extranet Identity Management infrastructure (Single Sign-On, Delegated Administration, Directory) • The two directories are linked by Directory Integration (directory synchronization)

  36. Example: User provisioning from Windows (diagram) 1 - “Add user” in the Windows environment 2 - User created in Microsoft ADS 3 - User synchronized with Oracle Internet Directory (OID) 4 - User provisioned in the Oracle environment: OracleAS Portal, OracleAS Single Sign-On, Oracle E-Business Suite Release 11i, Delegated Administration Console

  37. Detailed deployment planning • Directory information model (DIT) • Identity Management Realms • Physical network topologies • High availability considerations • Geographic distribution • Certificate authority deployment

  38. Example: Oracle Internet Directory Information Tree root dc=com dc=oracle dc=amer dc=emea dc=apac dc=moc
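The synchronization step of slide 36 (an ADS user landing in OID) can be pictured against the DIT of slide 38. The following is an added example, not code from the slides or from Oracle; the ADS-to-OID attribute mapping, the cn=users container under each regional dc, the escaping rule and the sample ADS record are assumptions for illustration.

```python
"""Simulate step 3 of slide 36: an ADS record synchronized into the OID
DIT of slide 38 (dc=amer/emea/apac/moc under dc=oracle,dc=com).
Attribute mapping and the cn=users container are assumptions, not Oracle's."""
from typing import Optional

DIT_ROOT = "dc=oracle,dc=com"                   # slide 38
REGIONS = ("amer", "emea", "apac", "moc")       # regional containers, slide 38
# Assumed ADS -> OID (inetOrgPerson) attribute mapping for the example
ATTR_MAP = {"sAMAccountName": "uid", "givenName": "givenname",
            "sn": "sn", "mail": "mail", "displayName": "displayname"}


def escape_rdn_value(value: str) -> str:
    """Escape the characters RFC 4514 requires escaping inside an RDN value."""
    out = []
    for i, ch in enumerate(value):
        special = ch in ',+"\\<>;' or (ch == "#" and i == 0) \
            or (ch == " " and i in (0, len(value) - 1))
        out.append("\\" + ch if special else ch)
    return "".join(out)


def user_dn(region: str, uid: str) -> str:
    """DN of a synchronized user under its regional container (assumed layout)."""
    if region not in REGIONS:
        raise ValueError(f"unknown region {region!r}; expected one of {REGIONS}")
    return f"cn={escape_rdn_value(uid)},cn=users,dc={region},{DIT_ROOT}"


def region_of(dn: str) -> Optional[str]:
    """Regional container a DN belongs to, or None if it lies outside the DIT."""
    lowered = dn.lower()
    for region in REGIONS:
        if lowered.endswith(f",dc={region},{DIT_ROOT}"):
            return region
    return None


def sync_from_ads(directory: dict, ad_entry: dict, region: str) -> str:
    """Add or update the OID entry for one ADS record; returns its DN.
    A re-sync of the same account replaces the entry rather than duplicating it."""
    if "sAMAccountName" not in ad_entry:
        raise ValueError("ADS record has no sAMAccountName; cannot derive uid")
    dn = user_dn(region, ad_entry["sAMAccountName"])
    attrs = {oid: ad_entry[ad] for ad, oid in ATTR_MAP.items() if ad in ad_entry}
    attrs["cn"] = attrs["uid"]                  # RDN value mirrors the uid
    attrs["objectclass"] = ["top", "person", "inetorgperson"]
    directory[dn] = attrs
    return dn


# Constructed sample ADS record, not real data
SAMPLE_ADS_USER = {"sAMAccountName": "jdoe", "givenName": "Jane", "sn": "Doe",
                   "mail": "jdoe@example.com", "displayName": "Jane Doe"}
```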

  39. Example: Physical Network Topology (diagram of the Oracle data center deployment) • Clients reach the DMZ through BigIP load balancers • Mid tiers: 902 mid tier (sso/das, webmail/voice), iAS904 mid tier (SSO/DAS), OCSv2 GIT webmail/voice and sso/das for GIT, OCSv1/OCSv2 imap/smtp servers • Oracle Internet Directory servers (rgmldap hosts) with fan-out replication, ASR replication, a fail-over server and OID plugins (email/passwd) • SSO periodic export/import when new partner apps are added • Databases (amer, emea, apac, GIT, STMAIL, gmsso) on 2-node and 3-node RAC clusters (HA) • NetApp storage

  40. Summary and Conclusions

  41. Summary • Identity management is critical for the deployment and management of enterprise applications and essential to grid computing • Oracle includes a robust, scalable and integrated infrastructure for managing Oracle environments and more • Oracle Identity Management provides a single point of integration to other identity management environments

  42. For More Information • See the forthcoming Oracle Identity Management Concepts and Deployment Planning Guide • Released with Oracle Application Server 10g (9.0.4) • Oracle Technology Network • http://otn.oracle.com

  43. Questions & Answers
