

Oracle Internet Directory 11g
Oracle Directory Integration Platform 11g
Oracle Authentication Services for OS 11g

Olaf Stullich, Product Manager

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.


Agenda
- Overview
- Architecture
- Future Roadmap
- Demo
- Q&A


Oracle Fusion Middleware: Oracle Identity Management (Oracle + Sun Combination)

Identity Administration
- Identity Manager

Access Management*
- Access Manager
- Adaptive Access Manager
- Enterprise Single Sign-On
- Identity Federation
- Entitlements Server

Identity & Access Governance
- Identity Analytics

Directory Services
- Directory Server EE
- Internet Directory
- Virtual Directory

Oracle Platform Security Services

Operational Manageability
- Management Pack for Identity Management

*Access Management includes Oracle OpenSSO STS and Oracle OpenSSO Fedlet

Oracle Directory Services Strategy: The complete picture

A complete offering of directory virtualization, storage and synchronization solutions
- Virtual directory for enterprise standard identity access layer
- Highly scalable directory servers for storage and consolidation
- Meta directory capabilities enable synchronization
- Support for on-premise and in-the-cloud scenarios

Directory data access
- OVD virtualization and Directory Proxy Server (DPS) to converge

Directory data storage and synchronization
- DSEE for heterogeneous environments
- OID for Oracle environments
- Directory Integration Platform (DIP) for meta-directory synchronization

OID Overview
- LDAP storage built upon the Oracle database
- Fully functional meta directory with the Directory Integration Platform (DIP) component
- Integrated into Oracle Fusion Middleware and applications
- High performance and scalability, demonstrated by a 2-billion-entry benchmark
- Maximum availability with multi-layer HA, including LDAP replication and Oracle RAC
- Extreme security with Database Vault and encryption in addition to LDAP access control




Components of Oracle Internet Directory: Understanding OID in OFM

Oracle Internet Directory Architecture

[Diagram: Oracle Internet Directory managed through Oracle Directory Services Manager and Oracle FMW Control; a Directory Integration Server synchronizes OID with Sun JSDS, Microsoft AD, Novell eDirectory, Tivoli Directory Server, MS AD LDS and OpenLDAP; Directory Replication Servers replicate between OID instances.]


Oracle Internet Directory Node
- One or more LDAP server processes
- Only one Replication Server per node
- The DB can be on the same node

Oracle Process Manager and Notification Server (OPMN)
- Invokes oidmon as required

OID Monitor (oidmon)
- Initiates, monitors, and terminates the LDAP and replication server processes

Oracle Directory Services Manager
- Administers OID or OVD; installed locally with OID / OVD or on a remote node


Unique Server Architecture
- Multi-threaded, using DB connection pooling
- Multi-processing to utilize existing CPUs
- Multi-instance directory server using multiple HW nodes
- Scalability with the number of CPUs in SMP HW architectures
- Scalability with the number of nodes in HW cluster architectures
- Scalability to terabytes of directory data
- Best performance on very large groups (>1M users)
- High speed bulk tools


2 Billion Entries Benchmark

Two billion entries in a single Directory Information Tree, single Directory Server instance
- Data loaded in 5 hrs, DB indexing in 19.5 hrs
- 100,000+ LDAP search ops/sec with 2.5 msec average latency
- 80,000+ LDAP authentications/sec with 9 msec average latency
- 14,000 LDAP update ops/sec with 16 msec average latency
- 99,000+ ops/sec with 16,000 concurrent clients

Results
- High speed data load
- High throughput of LDAP operations with low latency, for both read and write operations
- Scalable to very large directory sizes
- Scalable to tens of thousands of concurrent clients
- Ability to scale on large hardware (CPUs, RAM)
- Superior data management capabilities

Test environment
- OID v10., Oracle Database v10.2.0.3
- SGI Altix 4700 Server: 32 x 1.6 GHz dual-core Itanium 2 processors, 256 GB RAM, SGI IS4500 RAID array
- SLAMD load generation test tool


Start small
- Low HW requirements
- Entries in the directory, e.g. manage Oracle databases in OID
- Use existing DB HW and scale as needed
- No need to switch directory service when requirements saturate the HW
- Upgrade HW as needed and leverage OID's flexible deployment architecture
- Use the OID Server Cache, usually for small deployments of fewer than 300K entries
- No cluster configuration used


High Availability
Sample High Availability Environment

Most comprehensive set of HA configurations

Local HA
- Active/Passive OID cluster configuration
- Active/Active OID cluster configuration
- Local DataGuard

Geographic HA and Disaster Recovery
- Multi-master replication
- DataGuard based DR configuration


When to Choose OID Cluster
- Local active/active availability on multiple hardware nodes
- Scalability of IdM on more than one hardware node
- Oracle RAC database for availability, scalability and manageability of the directory store
- Solutions that require protection from node failure


OID HA Directory Replication

Multi-Master Replication
- No practical limit on the number of replicas
- LDAP and Database replication
- LDAP replication: flexible, very granular approach to select naming contexts; wizard based setup from Enterprise Manager FMW Control; not supported for Oracle SSO

Fan-out Replication
- Read-only and updateable replicas
- Fractional and partial replication, a subset of MMR


When to Choose Replication?
- Low entry cost for IdM HA deployment
- Customer looking for rolling upgrade support
- Requirements for IdM with geographic availability
- Solutions that do not require HA of all Application Server components, only of IdM


OID Data Security

Database Vault Integration
- Restrict DBAs from accessing OID data directly from the database
- ODS Protection Realm
- Multi-Factor Authorization
- Command Rules
- Separation of Duty

Transparent Data Encryption Integration
- Prevent unauthorized data retrieval from file systems

Secure LDAP attributes in OID
- Configurable list of encrypted attributes

Enhanced security, improved compliance


11g Deployment Accelerators: How to improve administrator productivity?
- Roll out new services quickly
- Reduce the administrative learning curve
- Simplify complex admin tasks
- Limit the number of tools to use

Oracle Directory Services Manager (ODSM)
- Manages OID and OVD
- Uses intelligent wizards and templates for replication, sizing and tuning, directory synchronization, and presenting user and group information
- Accessible via the FMW console


11g EM FMW Control & ODSM

FMW console
- Homepage with vital system statistics
- Customizable dashboard
- ODSM accessible via the FMW console or standalone

ODSM is used for specific LDAP related tasks
- User creation
- Schema management
- Security management


11g Auditing
- Suite-wide auditability
- ECID propagation
- Audit records in DB schema
- Out-of-box reports using BI Publisher
- Policies for user sessions, authorization, data access, account management, and LDAP entry access


11g Logging
- Suite wide log message format
- Diagnostic logging information for OID, OID replication server, and DIP
- Flexible logging options / levels
- View trace messages by severity and order of importance
- Execution Context Identifier (ECID) propagation


Directory Integration Platform

Oracle Internet Directory
- Central repository for identities and support for external authentication

Directory Integration Server
- Executes a set of connectors for synchronization
- Connector support for MS AD, AD LDS, Sun Java Enterprise Directory, Novell eDirectory, IBM Tivoli, OpenLDAP and custom agents
- Used for synchronization between OID and other directories

DIP Profiles
- Templates for data mapping / transformation


Directory Integration Platform (Synchronization)

Time for action
- Application deployment time
- Directory synchronization is needed for connected directories requiring synchronization with OID

Communication direction
- Either one-way or two-way, that is, from Oracle Internet Directory to connected directories, the reverse, or both

Type of data
- Any data in a directory


[Diagram: directories and applications synchronized with OID through DIP: Oracle Human Resources, Oracle DB, Microsoft Active Directory, SUN Enterprise Directory, Novell eDirectory]


Use Cases: Enterprise User Security, Oracle Authentication Services for Operating Systems (OAS4OS)


Enterprise User Security

User Management for Compliance
- Centralized user management
- Map users to shared database schemas
- Requires Oracle Directory Services

Enterprise Roles
- Centralized user role management

Authentication Methods
- Password
- Kerberos (Microsoft, MIT)
- PKI (X.509v3)

Heterogeneous Directory Support
- Oracle Virtual Directory connectivity to Active Directory, Sun, Novell


EUS with OID and AD Integration


Oracle Authentication Services for OS

What is it?
- End-to-end centralized authentication solution
- Built on open interfaces without proprietary agents
- Automated integration with directory services
- Automated user migration tools from local files and NIS servers

What are the key benefits?
- Manage users centrally using existing tools and processes
- Reduce risk by centralizing audit logs, ensuring accountability for changes to accounts and privileges
- Improve compliance by ensuring consistent password policies and account locking across systems
- Eliminate identity data silos by integrating directly with application and database security mechanisms

Key Functions
- Scripts to automate client configuration, including SSL
- Easy migration from Linux/Unix files
- Easy migration from NIS to LDAP
- Centralized password policies and lockout control
- UID and GID uniqueness and provisioning support
- Centralized sudo policy management
- Active Directory integration
- Cross-platform support: Linux (Red Hat and Oracle Enterprise Linux, SUSE Linux), Unix (Solaris, HP-UX, AIX)






Oracle Identity Management Roadmap Timelines

Timeline milestones: July 2009, April 2010, Jan 2011

11g (July 2009)
- Internet Directory, Virtual Directory, Identity Federation, Web Services Manager, Platform Security Services

11g Patchset 2 (April 2010)
- Internet Directory, Virtual Directory, Identity Federation, Web Services Manager, Platform Security Services

11g Patchset 3 (Jan 2011)
- Internet Directory, Virtual Directory, Identity Federation, Web Services Manager, Platform Security Services

11g Patchset 4
- Internet Directory, Virtual Directory, Identity Federation, Web Services Manager, Platform Security Services


11gR1 OID/DIP Patchset 2

OID
- Security enhancements (e.g. support for a configurable set of hashed attributes, logging of the client IP address for change operations)
- Server enhancements (e.g. preserve case for attributes, new attributes lastloginattempt and lastloginsuccess, fine grained statistics, enhanced logging for requested attributes)
- Replication Server (e.g. fine grained replication frequency at the seconds level)

DIP
- Support for OID SSL mode 2 (mutual authentication)
- CLI export and import of profiles (test to production)
- Integration of DIPTESTER advanced mode
- UI enhancement to manage the list of secure attributes and hashed attributes

11gR1 Patchset 2: Oracle Authentication Services for OS
- Full integration with Fusion Middleware Release 11g R1 PS2
- Extended client OS support
- New configuration scripts to enable PAM proxy user based access to OID for enhanced security
- Easy configuration of OID SSL using customer provided certificates for production deployments, or self signed certificates to test OID SSL connections
- Restricting client access based on IP address
- Easy reset of client configuration to support testing


OID/DIP 11gR1 Patchset 3

OID
- New LDAP protocol features (e.g. memberof support, additional controls)
- Performance and scalability enhancements (e.g. footprint reduction, RAC write optimization)
- Security enhancements (e.g. IP based access control, new hashing and encryption schemes SHA2, AES)
- Replication enhancements (e.g. LDAP MMR rolling upgrade support)

DIP
- OOTB diagnostic enhancements (aka DIPTESTER)
- 32/64-bit password filter availability in software media
- SSO using OAM

OID / DIP Patchset 4 (planned features)

OID
- Exadata support: initial integration and benchmark
- Performance improvement: priority replication, automatic OID tuning
- Uptake of SSL automation tool

DIP
- DSEE sync
- OIA synchronization support
- Bi-directional DB synchronization
- Additional DB connectors
- HA/LDAP failover support
- ODSEE support






Demo
- EM Fusion Middleware Control
- Oracle Directory Services Manager
- Oracle Authentication Services for Operating Systems (short)
- Oracle Authentication Services for Operating Systems (long version available on OTN)
- Directory Integration Platform (OID / ODSEE)
- Database Management
- Enterprise User Security