11g Identity Management - InSync10
•Als ODP, PDF herunterladen•
1 gefällt mir•463 views
Presentation on Oracle Identity Management from Insync10 conference in Melbourne August 2010. Looks at OID and some of the potential issues around installation and configuration
Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (20)
Ähnlich wie 11g Identity Management - InSync10
Ähnlich wie 11g Identity Management - InSync10 (20)
11g Identity Management - InSync10
- 1. 11g Identity Management Peter McLarty Pacific DBMS Pty Ltd 17 th August 2010 The most comprehensive Oracle applications & technology content under one roof
- 2. Everyone who has ever taken a shower has had an idea. It's the person who gets out of the shower, dries off, and does something about it that makes a difference. -- Nolan Bushnell
- 7. Single Sign On (Single Point of truth)
- 14. Security
- 18. Audit Support
- 20. Fine grain access controls
- 21. Tracking of events – logon - logoff
- 24. Oracle Directory Server Enterprise Edition
- 25. Oracle Directory Server & Oracle Internet Directory
- 28. Data Store used by other Identity Services
- 30. OIDMON
- 31. ODS
- 32. ODRS
- 35. Tuning Required
- 37. 3131 SSL
- 39. Directory schema - what is stored
- 40. Root DSE - Stores information about the server itself
- 42. Contains entries for hosted businesses,password verification,password policy and others
- 43. DIT What is a DIT? Can I have more DIT's?
- 45. Type of user can be known or anonymous
- 46. Filters can be put in place to limit search
- 47. User authenticated, bind made, ACL checked
- 49. Database retrieves data; passes it back via OCI to the LDAP server
- 50. Query result sent back to the database
- 51. Server Chaining What is it? Why do we want to use it?
- 52. Server Chaining
- 54. Compare
- 55. Modify
- 56. Search
- 58. dn: cn=AD,cn=users,dc=pacificdbms,dc=com,dc=au cn: AD objectclass: orclcontainer objectclass: top
- 59. Connection to Sun IPlanet cn=oidsciplanet,cn=OID Server Chaining,cn=subconfigsubentry orclOIDSCExtHost: sunone.example.com orclOIDSCExtPort: 10389 orclOIDSCExtDN: cn=directory manager orclOIDSCExtPassword: ********
- 60. Connection to Sun IPlanet orclOIDSCExtUserContainer: ou=people,dc=example,dc=com orclOIDSCExtGroupContainer: ou=groups,dc=example,dc=com orclOIDSCTargetUserContainer: cn=iPlanet,cn=users,dc=oracle,dc=com orclOIDSCTargetGroupContainer: cn=iPlanet,cn=groups,dc=oracle,dc=com
- 61. Connection to Sun IPlanet orclOIDSCExtSearchEnabled: 1 orclOIDSCExtModifyEnabled: 1 orclOIDSCExtAuthEnabled: 1 orclOIDSCSSLEnabled: 1 orclOIDSCExtSSLPort: 10636 orclOIDSCWalletLocation: /ipwallet/ewallet.p12 orclOIDSCWalletPassword: ********
- 63. filedn: cn=oidscad,cn=oid server chaining,cn=subconfigsubentry changetype: modify replace: orcloidscDebugEnabled orcloidscDebugEnabled: 1Execute
- 64. $ORACLE_HOME/bin/ldapmodify -h host -p port -D cn=orcladmin -q -f file
- 66. If you have the skills use Linux on VM's
- 67. Scatter installations across your environment
- 68. Use Replication
- 69. If you have load balancers use them
- 71. Can do small memory with altered Java VM settings
- 72. Need to understand 11g path conventions
- 74. INST errors – You will love these if you encounter them
- 77. Save configuration before running configuration step at the end
- 79. -Xrs -XX:MaxPermSize=192m in Admin Console – Server Configuration
- 80. Replication Its Important What model? Fan Out, Multimaster, Single Master? Not guaranteed to be consistent- data different on different nodes
- 84. LDAP Replication Full or Partial Peer to peer, One Way, Two Way Multimaster, Single Master, Fan Out
- 85. LDAP Replication
- 87. Peer to peer
- 88. Multimaster
- 89. Single by changing all but one to read only
- 90. Uses the database to do the replication
- 91. Uses command line tools to configure this
- 93. Modify or reset replication Bind DN password
- 94. Displaying various errors and status information for change log propagation
- 95. Convert advanced replication to LDAP replication
- 97. Bootstrapping is the better option
- 99. Use remtool to copy metadata from supplier to replica
- 100. Set up the replication with the Replication wizard
- 104. Follow remaining steps – Oracle Docs
- 106. A number of issues in My Oracle Support for bootstrap
- 108. Fusion Middleware Control uses SSL
- 109. Can't start from Console without Nodemanager
- 110. To connect use http://host:port/odsm
- 111. EM Console
- 112. Start ODS
- 113. EM Main OIM
- 114. Connect ODSM
- 115. Sign In
- 117. Instance Home to manage the OID Server
- 118. opmnctl to control the OID server
- 121. Can be used by other scripts to monitor OID
- 123. Jython based
- 124. MBeans
- 127. cat registry.xml | grep version
Hinweis der Redaktion
- Welcome all Mention something about the conference Thank them for coming to the presentation Dont forget to be human
- I can see some here that did get out of the shower, see how rough people are from prior nights events
- I don't know on some days if I feel like the cat or the bird Operation – cat – cant get to the product on offer Bird - oh god today is not looking so good Funny thing the bird doesn't care one bit about the cats presence on the cage
- This is a run down on Identity Management and we delve into one key component Sharing across sites both within and outside of the organisation Securing your cloud applications NSW Gov has recently announced about cloud, Macquarie student email The old chestnut, still not all that effectively done in places, some very good and some with significant work
- Entitlements Server Entitlements Server Security Module Directory Services Plus Access Manager Adaptive Access Manager Identity Federation Identity Manager Identity Manager Connector Role Manager Information Rights Management Enterprise Single Sign-On Suite Plus Access Management Suite Plus Identity and Access Management Suite Plus Identity Analytics Identity Management Enterprise Management Management Pack Plus for Identity Management
- Meet compliance requirements to say we measure up for lets say our PCI DSS requirements We increase our security through the use of a centralised directory of user accounts Who has had to provision a user in the network for a login set up an email account add them to finance system the list goes on and on? (Not funny) Directories provide a cost benefit as we don't have to provision a user over and over again for each application they use, One user account across systems ith the details all retained in a common repository.
- Access Control sets who can do what Manage those policiies froma central location Audit support for the our compliance requirements
- Set up roles to simply application or system access management Fine grain control is able to use many different attributes eg by entry, by name, By mode Auditing basic – log on and log off
- All the ODSP products Directory Server EE is a high performance directory Server, embedded database ; Identity Synchronisation; Resource kit for tuning
- Now down to a key component the directory Server and more importantly the Oracle Internet Directory OID
- LDAP v3 compliant Use it as a way for client systems to obtain connection information for databases It is often the datastore of choice of other products within the Oracle Identity management offering
- There is 4 main components Database 10.2.0.4 or above and is certified to use 11.2 OIDMON ODS – the instance – provides the LDAP service to the clients ODRS – replication service for LDAP replication to other OID on other directory servers.
- The server processes are the LDAP Instance, OIDMON, OPMN to manage it – starting stopping and some other changes. Out of the box OID is not configured to support any connection load, so you will ned to tune it to maximize its workload capability – whole section on this Default ports no longer well known ports 389 and 636
- When OID starts it creates a cache and it is populated with some information, then as caches do it ads content during the life of the cache. Less database calls Cache is write through Directory schema is the object table of the data types that have been configured for the OID – this is people objects, password objects database connection objects alias objects and so it goes Access Control is configured under a separate section of the directory allowing such things as roles, user passwords. Root DSE Contains Server data itself, number instances, port info
- DIT Directory Information Tree We search the DIT for our information we require Under our DIT should be all the data, there is aliases that can be used for transitional roles. Do you homework for integrating to other Directories if you already have AD or something else then make sure you align your DIT to that one even if you feel integration is a way off, much easier if your DIT is the same. I say this about the DIT as from usage there is the ability to have more than one tree for multiple organisations or even having multiple trees within the same organisation. Reasons to not have are great but maybe unavoidable in some cases of migration
- Unless you use an SSL only server can be either Anonymous bind is available by default but can be disabled Filters to limit data can be used in the query/update Once the user is authenticated as gues or user, then the bind is made and ACL is checked as to what objects in the directory are accesible
- As the directory uses OCI – conversion of the LDAP request is made for OCI transport Database acts upon the query Query sent back to OID Server converted to ldap and returned to the user.
- How we connect to the other directories E-directory AD (what is IBM's? I don't know, is it part of Tivoli?) So it is allows us to pass information between different directory offerings
- Why Server chain?
- Non Oracle Middleware clustering Linux VM's could be the cheapest option of implementing many of these in your organisation and can make it easy to moving servers Whilst LDAP is light weight there is good reason to have them closer to end users if you have a highly dispersed user base
- I found that a server with OEL and just 4GB to be a minimum requirement, I think 6 GB is a better minimum for a production system You can do small memory footprint but it detunes I will explain how in a second You need to manage the