You are on page 1of 42

<Insert Picture Here>

Oracle Internet Directory 11g Oracle Directory Integration Platform 11g Oracle Authentication Services for OS 11g
Olaf Stullich Product Manager

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracles products remains at the sole discretion of Oracle.

Agenda

Overview Architecture Future Roadmap Demo Q&A

<Insert Picture Here>

Oracle Fusion Middleware

Oracle Identity Management


Oracle + Sun Combination
Identity Administration Access Management* Access Manager Adaptive Access Manager Enterprise Single Sign-On Identity Federation Entitlements Server Identity & Access Governance Identity Analytics Directory Services

Identity Manager

Directory Server EE Internet Directory Virtual Directory

Oracle Platform Security Services Operational Manageability


Management Pack For Identity Management
*Access Management includes Oracle OpenSSO STS and Oracle OpenSSO Fedlet

Oracle Directory Services Strategy The complete picture

Oracle Directory Services Strategy


A complete offering of directory virtualization, storage and synchronization solutions
Virtual directory for enterprise standard identity access layer Highly scalable directory servers for storage and consolidation Meta directory capabilities enable synchronization Support on-premise and in-the-cloud scenarios

Directory data access


OVD virtualization and Directory Proxy Server (DPS) to converge

Directory data storage and synchronization


DSEE for heterogeneous environment

OID for Oracle environment


Directory Integration Platform (DIP) for meta-directory synchronization

OID Overview
LDAP storage built upon Oracle database Full functional meta directory with Directory Integration Platform (DIP) component Integrated into Oracle Fusion Middleware and applications High performance and scalability with 2-billion-entry benchmark Maximum availability with multi-layer HA including LDAP replications and Oracle RAC etc Extreme security with database vault and encryption in addition to LDAP access control

Agenda

Overview Architecture Future Roadmap Demo Q&A

<Insert Picture Here>

Components of Oracle Internet Directory

10

Understanding OID in OFM

11

Oracle Internet Directory Architecture

Oracle Directory Services Manager

Oracle FMW Control

Applications

Sun JSDS Microsoft AD Novell eDirectory Tivoli Directory Server MS AD LDS OpenLDAP
Directory Integration Server Oracle Internet Directory Directory Replication Server Directory Replication Server

12

Oracle Internet Directory Node


One or more LDAP server processes

One Replication Server only per node


DB can be on same node Oracle Process Manager and Notification Server (OPMN)
Invokes oidmon as required

OID Monitor

initiates, monitors, and terminates the LDAP and replication server processes

Oracle Directory Services Manager


administrates OID or OVD installed locally with OID / OVD or on a remote node

13

Scalability
Unique Server Architecture
Multi-threaded using DB connection pooling Multi-processing to utilize existing CPUs Multi-instance directory server using multiple HW nodes Scalability with the number of CPUs in SMP HW architectures Scalability with the number of nodes in HW cluster architectures

Scalability to Terabytes of Directory data Best performance on very large groups (>1M users) High speed bulk tools

14

2 Billion Entries Benchmark


SPECIFICATION RESULTS CONCLUSION

Two Billion Entries Single Directory Information Tree, Single Directory Server Instance

Data loaded in 5 hrs, DB indexing in 19.5 hrs 100,000+ LDAP search ops/sec with 2.5 msec average latency

High speed data load High throughput of LDAP operations with low latency both for read and write operations

OID v10.1.4.0.1, Oracle Database v10.2.0.3


SGI Altrix 4700 Server
32 1.6 Dual Core Itanium2 Processors 256 GB RAM SGI IS4500 RAID Array

80,000+ LDAP authentications/sec with 9 msec average latency


14,000 LDAP update ops/sec with 16 msec average latency 99,000+ ops/sec with 16,000 concurrent clients

Scalable to very large directory sizes


Scalable to 10s of thousands of concurrent clients Ability to scale on large hardware CPUs, RAM Superior data management capabilities

SLAMD load generation test tool

15

Performance
Start small
Low HW requirements Entries in the directory E.g. manage Oracle databases in OID

Use existing DB HW and scale as needed No need to switch directory service when requirements saturates HW
Upgrade HW as needed and leverage OIDs flexible deployment architecture

Use OID Server Cache


Usually for small deployments less 300K entries No cluster configuration used

16

High Availability
Sample High Availability Environment

Most comprehensive set of HA configurations Local HA


Active/Passive OID cluster configuration Active/Active OID cluster configuration Local DataGuard

Geographic HA and Disaster Recovery


Multi-master replication DataGuard based DR configuration

17

When to Choose OID Cluster

Local active/active Availability on multiple hardware nodes


Scalability of IdM on more than one hardware node Oracle RAC database for Availability, Scalability and Manageability of the Directory Store Solutions that require protection from node failure

18

OID HA Directory Replication


Multi-Master Replication
No practical limit on the number of replicas
LDAP and Database replication LDAP replication flexible, very granular approach to select naming
contexts wizard based setup from Enterprise Manager FMW control not supported for Oracle SSO

Fan-out Replication
Read-only and Updateable replicas
Fractional and Partial replication subset of MMR

19

When to Choose Replication?

Low entry cost for IdM HA deployment


Customer looking for Rolling Upgrade support Requirements for IdM with Geographic Availability

Solutions that does not require HA of all Application Server components but IdM

20

OID Data Security


Database Vault Integration
Restrict DBAs to access OID data directly from the database

ODS Protection Realm

Transparent Data Encryption Integration


Prevent unauthorized data retrieval from file systems

Reports

Multi-Factor Authorization

Secure LDAP attributes in OID


Configurable list of encrypted attributes

Benefits
Enhanced security Improved compliance

Command Rules

Separation of Duty

21

11g Deployment Accelerators How to improve administrator productivity?


Roll out new service quickly Reduce administrative learning curve Simplify complex admin tasks Limit number of tools to use

Leverage:
Oracle Directory Services Manager (ODSM) Manages OID and OVD Use intelligent wizards and templates for Replication Sizing and Tuning Directory Synchronization Presenting user and group information Accessible via FMW console

22

11g EM FMW Control & ODSM

FMW console
Homepage with vital systems statics Customizable dashboard ODSM accessible via FMW console or standalone

ODSM
Used for specific LDAP related tasks User creation Schema management Security management

23

11g Auditing

Suite-wide auditability ECID propagation Audit records in DB schema Out-of-box reports using BI publisher Policies for
User sessions Authorization Data Access Account Managemement LDAP entry access

24

11g Logging
Suite wide log messages format Diagnostic Logging information
OID, OID replication server, DIP

Flexible logging options / levels


View trace messages
severity and order of importance

Execution Context Identifiers (ECID) propagation

25

Directory Integration Platform Oracle Internet Directory


Central repository for identities & support for external authentication

Directory Integration Server


Executes a set of connectors for synchronization

Connector support for:


MS AD, AD LDS, Sun Java Enterprise Directory, Novell eDirectory, IBM Tivoli, OpenLDAP and custom agents Used for synchronization between OID and other Directories

DIP Profiles
Templates for data mapping / transformation

26

Directory Integration Platform


Directory Integration Platform (Synchronization) Time for action
- Application deployment time. - Directory synchronization is needed for connected directories requiring synchronization with OID

Communication direction

Either one-way or two-waythat is, either from Oracle Internet Directory to connected directories, the reverse, or both

Type of data

Any data in a directory

Examples

Oracle Human Resource Oracle DB

Microsoft Active Directory


SUN Enterprise Directory Novell eDirectory

27

Use Cases Enterprise User Security Oracle Authentication Services for Operating Systems (OAS4OS)

28

Enterprise User Security

User Management for Compliance


Centralized User Management Map users to shared database schemas Requires Oracle Directory Services

Enterprise Roles
Centralized user role management

Authentication Methods
Password Kerberos (Microsoft, MIT) PKI (x.509v3)

Heterogeneous Directory Support


Oracle Virtual Directory connectivity to Active Directory, Sun, Novell

29

EUS with OID and AD Integration

30

Oracle Authentication Services for OS


What is it?
End-to-end centralized authentication solution Built on open interfaces without proprietary agents Automated integration with directory services

What are the key benefits?


Manage users centrally using existing tools and processes Reduce risk by centralizing audit logs, ensuring accountability for changes to accounts and privileges Improve compliance by ensuring consistent password policies and account locking across systems Obliterate identity data silos by integrating directly with application and database security mechanism

32

Oracle Authentication Services for OS


End-to-end centralized authentication solution Built on open interfaces without proprietary agents
PAM_LDAP NSS_LDAP

Automated integration with directory services Automated user migration tools from local files and NIS servers

33

Key Functions
Scripts to automate client configuration, including SSL Easy Migration from Linux/Unix files Easy Migration from NIS to LDAP Centralized Password Policies and Lockout Control Support UID and GID uniqueness and provisioning support Centralized Sudo policy management Active Directory Integration Cross Platform Support
Linux Redhat and Oracle Enterprise Linux, Suse Linux, Unix Solaris, HPUX, AIX

34

Agenda

Overview Architecture Future Roadmap Demo Q&A

<Insert Picture Here>

35

Oracle Identity Management Roadmap Timelines


July 2009 Jan 2011

April 2010
11g Patchset 2 Internet Directory Virtual Directory Identity Federation Web Services Manager Platform Security Services

H2CY2011
11g Patchset 3
Internet Directory Virtual Directory Identity Federation Web Services Manager Platform Security Services 11g Patchset 4 Internet Directory Virtual Directory Identity Federation Web Services Manager Platform Security Services

11gR1
Internet Directory Virtual Directory Identity Federation Web Services Manager Platform Security Services

36

11gR1 OID/DIP PatchSet 2


OID
Security Enhancements (e.g. support configurable set of hashed attributes, log client IP address for change ops) Server Enhancements (e.g. preserve case for attributes, new attributes (lastloginattempt, lastloginsuccess), fine grained statistics, enhanced logging for requested attributes) Replication Server (e.g. fine grained replication frequency at seconds level)

DIP
Support for OID SSL mode 2 (mutual authentication) CLI export and import profiles (test production) Integration of DIPTESTER advanced mode

ODSM
UI enhancement to manage list of secure attributes and hashed attributes
37

11gR1 Patchset 2
Oracle Authentication Services for OS
Full integration with Fusion Middleware Release 11g R1 PS2 Extended client OS support New configuration scripts to enable PAM proxy user based access to OID for enhanced security Easy configuration of OID SSL using customer provided certificates for production deployments, or use of self signed certificates to test OID SSL connections Restricting client access based on IP address Easy reset of client configuration to support testing

38

OID/DIP 11gR1 Patchset 3


OID
New LDAP Protocol Features (e.g. memberof support, additional controls) Performance And Scalability Enhancements (e.g footprint reduction, RAC write optimization) Security Enhancements (e.g. IP based access control, new hashing and encryption schemes SHA2, AES) Replication Enhancements (e.g. LDAP MMR rolling upgrade support)

DIP
OOTB diagnostic enhancements (aka DIPTESTER) 32/64bit password filter availability in software media

ODSM
SSO using OAM
39

OID / DIP Patchset 4 (planned features)


OID Exadata support
Initial integration and Benchmark

DIP
DSEE sync OIA synchronization support Bi-directional DB synchronization
Additional DB connectors

Performance improvement
Priority Replication, automatic OID tuning

OAS4OS
Uptake SSL automation tool HA/LDAP failover support ODSEE support

40

Agenda

Overview Architecture Future Roadmap Demo Q&A

<Insert Picture Here>

41

Demos
EM Fusion Middleware Control Oracle Directory Services Manager Oracle Authentication Services for Operating Systems (short) Oracle Authentication Services for Operating Systems (long available on OTN) Directory Integration Platform (OID ODSEE) Database Management Enterprise User Security

42

43