
Identity Management

Copyright 2009, Oracle. All rights reserved.

Identity Management Product Suites


These slides are based on the initial 11.1.1.2.0 release, when there was only one IDM suite. There are now two suites of products:

1. Identity Management (IDM)
   - Oracle Internet Directory (OID)
   - Oracle Virtual Directory (OVD)
   - Oracle Directory Integration Platform (ODIP)
   - Oracle Directory Services Manager (ODSM)
   - Oracle Identity Federation (OIF)

2. Identity and Access Management (IAM)
   - Oracle Access Manager (OAM)
   - Oracle Identity Manager (OIM)
   - Oracle Adaptive Access Manager (OAAM)
   - Oracle Identity Navigator (OIN)
   - Oracle Platform Security Services (OPSS)
   - Oracle Authorization Policy Manager (OAPM)

Also see "Considerations When Patching FMW 11g Identity Management Products to 11.1.1.4 or Higher" (Doc ID 1298815.1).

OFM 11g IM HA Considerations


Application Characteristic                            | HA Feature Used
------------------------------------------------------|-------------------------------------------------------------------------
JavaEE components like OIF, DIP, OIM, ORM, OAM        | WLS capabilities ("ilities") like clustering, load balancing, failover, etc.
C based components like OID                           | Clustered deployments against the same DB repository
JavaSE applications like OVD                          | Clustered deployments against the same LDAP repository
Persistence store                                     | RAC DB; WLS Multi DataSource for JavaEE components; TAF for C components
No special dependency on hostnames, IP addresses etc. | File system based backup and recovery; storage replication for disaster recovery; MMR for OID-only deployments


OFM 11g Identity Management HA Architecture


[Architecture diagram. Components shown: Hardware LB; Machine1 to Machine6; MW_HOME1 and MW_HOME2; two OHS instances forming a runtime cluster; a WLS Cluster with WLS_ODS and WLS_OIF managed servers (two of each) and two AdminServers, each managed server using a MultiDS; two OVD and two OID instances connecting to the RAC DB via TAF.]

Diagram callouts:
- External load balancer used to front-end the web servers.
- The web server cluster is a run time cluster and does not support cluster wide management.
- All WLS instances are in the cluster.
- At least two MW_HOMEs are used to support HA patching (on local or shared storage).
- CFC for Admin Server protection (optional).
- C components are protected with OPMN.

OID Single Node Architecture


- Directory Server: LDAP server. Single dispatcher with one or more server processes.
- Replication Server: replicates to other OID servers. Singleton.
- Database: directory data and configuration store.
- OPMN: starts/stops/monitors OIDMON.
- OIDMON: starts/stops/monitors the OID Server and Replication Server processes. Reads ODS_PROCESS_STATE_TABLE.
- OIDCTL: command line utility for server process control. Communicates with OIDMON by placing a message in the OID server table.


OID HA Design Consideration


- C based component
- Active/Active cluster against the same DB repository
- Stateless: all state is stored in the DB repository
- Load balanced connections to the DB
- TAF and HA event notifications for RAC failover. OID has a stale connection detection mechanism; if no DB is available, the OID processes shut down.
- Cluster wide config changes, as the config is stored in the DB. OIDMON polls for changes.
- Metadata is cached in the server processes; cluster wide cache sync via notifications and OIDMON.
- Can be configured with or without a WebLogic domain
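The two OID design points that matter most for an operator are stale connection detection and the fail-closed rule (no DB, no OID). The following is an added example, not Oracle's code: a small Python model of a stateless server process that holds one connection to a DB repository, replaces a stale connection with one to a surviving RAC node, and shuts itself down when no node answers. The node names, the FakeRacNode stand-in and the RepositoryClient API are constructed for this demo and are not OID, OCI or TAF interfaces.

```python
"""Fail-closed handling of the DB repository, modelled on the OID design
points above: the server is stateless, a stale DB connection is detected and
replaced by one to a surviving RAC node, and if no node answers the server
process shuts down instead of serving without its repository.

Added illustrative example. The node names, the FakeRacNode class and the
RepositoryClient API are constructed for this demo; they are not OID, OCI or
TAF code."""


class DbUnavailable(Exception):
    """No RAC node accepts a connection: the process fails closed."""


class StaleConnection(Exception):
    """Raised by a connection whose backing RAC instance has gone away."""


class FakeRacNode:
    """Constructed stand-in for one RAC instance; tests flip `up`."""

    def __init__(self, name):
        self.name = name
        self.up = True

    def query(self, sql):
        if not self.up:
            raise StaleConnection(f"{self.name}: connection reset")
        return f"{self.name}:{sql}"


class RepositoryClient:
    """One DB connection, as an OID server process would hold."""

    def __init__(self, nodes):
        self.nodes = list(nodes)  # RAC nodes from the connect descriptor
        self.conn = None
        self.running = True
        self.failovers = 0

    def _connect(self):
        # The first node that is up becomes the live connection.
        for node in self.nodes:
            if node.up:
                self.conn = node
                return
        # No DB available: shut down rather than serve from nothing.
        self.running = False
        self.conn = None
        raise DbUnavailable("no RAC node reachable; shutting server process down")

    def execute(self, sql):
        if not self.running:
            raise DbUnavailable("server process is shut down")
        if self.conn is None:
            self._connect()
        try:
            return self.conn.query(sql)
        except StaleConnection:
            # Stale connection detected: drop it, reconnect to a survivor, retry once.
            self.conn = None
            self._connect()  # raises DbUnavailable if nothing is left
            self.failovers += 1
            return self.conn.query(sql)


def demo():
    """Failover to a second RAC node, then a total DB outage; returns a trace."""
    rac1, rac2 = FakeRacNode("rac1"), FakeRacNode("rac2")
    client = RepositoryClient([rac1, rac2])
    trace = [client.execute("select * from ods_process_state_table")]
    rac1.up = False                           # first RAC instance dies
    trace.append(client.execute("select 1"))  # retried on rac2
    rac2.up = False                           # whole repository unreachable
    try:
        client.execute("select 1")
    except DbUnavailable:
        trace.append("shutdown")
    return trace, client.failovers, client.running


if __name__ == "__main__":
    print(demo())
```

The point of `running = False` is the fail-closed choice: once the repository is gone, a directory that kept answering from cached metadata could return stale group memberships or passwords, so the process stops and lets the load balancer drain it.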

OID HA Architecture
- All nodes in the run time cluster
- External hardware LBR
- FAN/OCI events with TAF


OID Failover and Expected Behaviour


- Failover is transparent to clients
- The load balancer detects an OID failure and routes to the other instances
- The other instances continue to service requests
- FAN/OCI/TAF protect against any DB failures


OID Setup Steps


1. RCU DB
2. Install the product binaries and configure OID using OUI
3. Register against a WLS Domain (optional)


IAM HA
- OIM: uses clustering and whole server migration
- OAM: uses clustering and Coherence
- OAPM: deployed to the Admin Server, so uses the CFC active-passive solution
- OIN: deployed to the Admin Server, so uses the CFC active-passive solution
- OAAM: uses clustering and DB HA features


OVD Single Node Architecture


- Oracle Virtual Directory is an LDAP version 3 enabled service
- Provides a virtualized abstraction of one or more enterprise data sources into a single directory view
- The server is written in Java and internally it is organized into multiple layers
- Appears as a single complete service to the administrator and to clients
- OPMN is used to start, monitor, and manage the Oracle Virtual Directory process (JavaSE process)
- Has LDAP and HTTP listeners


OVD HA Design Consideration


- JavaSE based component
- Active/Active cluster
- Stateless
- No external dependencies
- Config stored on the local file system
- No cluster wide config changes possible
- Can be configured with or without a WebLogic domain


OVD HA Architecture
- All nodes in the run time cluster
- External hardware LBR
- Config updated one instance at a time
- Fault tolerance and load balancing for LDAP sources through a list of host names
- Distinction between read only vs. read write replicas
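The last two points above describe a routing policy rather than a feature you can see on a slide: a source is a list of host names, reads are spread over all of them and skip any host that fails, and a write must never land on a read-only replica. The following added example (not OVD code or OVD adapter configuration) implements that policy in Python over constructed stand-in LDAP hosts; the host names, the FakeLdapHost class and the ReplicaPool API are assumptions for this demo.

```python
"""Fault-tolerant routing over a list of LDAP source hosts, in the spirit of
the OVD slide above: several host names per source, round-robin load
balancing, skip hosts that fail, and never send a write to a read-only replica.

Added illustrative example. Host names, the FakeLdapHost class and the
ReplicaPool API are constructed for this demo; they are not OVD configuration
or OVD code."""

import itertools


class AllHostsDown(Exception):
    """No eligible host answered the request."""


class FakeLdapHost:
    """Constructed stand-in for one LDAP replica behind the virtual directory."""

    def __init__(self, name, writable):
        self.name, self.writable, self.up = name, writable, True
        self.ops = []  # record of operations this host actually served

    def search(self, base):
        if not self.up:
            raise ConnectionError(self.name)
        self.ops.append(("search", base))
        return f"{self.name}: results under {base}"

    def modify(self, dn):
        if not self.up:
            raise ConnectionError(self.name)
        self.ops.append(("modify", dn))
        return f"{self.name}: modified {dn}"


class ReplicaPool:
    """Routes reads across all hosts and writes only to read-write replicas."""

    def __init__(self, hosts):
        self.hosts = list(hosts)
        self.rr = itertools.cycle(self.hosts)  # round-robin start point

    def _candidates(self, need_write):
        # A write is only eligible for read-write replicas; a read may go anywhere.
        eligible = [h for h in self.hosts if h.writable or not need_write]
        # Rotate the start point so consecutive reads spread across hosts.
        i = self.hosts.index(next(self.rr))
        ordered = self.hosts[i:] + self.hosts[:i]
        return [h for h in ordered if h in eligible]

    def _run(self, need_write, op):
        failed = []
        for host in self._candidates(need_write):
            try:
                return op(host)
            except ConnectionError as exc:
                failed.append(str(exc))  # fault tolerance: try the next host
        raise AllHostsDown(f"no eligible host answered; tried {failed}")

    def search(self, base):
        return self._run(False, lambda h: h.search(base))

    def modify(self, dn):
        return self._run(True, lambda h: h.modify(dn))


def demo():
    """Three reads spread out, a write goes only to the rw replica, a dead ro
    host is skipped, and a write with the rw replica down is refused."""
    rw = FakeLdapHost("ldap-rw1", writable=True)
    ro1 = FakeLdapHost("ldap-ro1", writable=False)
    ro2 = FakeLdapHost("ldap-ro2", writable=False)
    pool = ReplicaPool([rw, ro1, ro2])
    out = [pool.search("dc=example,dc=com") for _ in range(3)]
    out.append(pool.modify("cn=jdoe,dc=example,dc=com"))
    ro1.up = False
    out.append(pool.search("dc=example,dc=com"))
    rw.up = False
    try:
        pool.modify("cn=jdoe,dc=example,dc=com")
    except AllHostsDown:
        out.append("write refused: no read-write replica up")
    return out, {h.name: h.ops for h in (rw, ro1, ro2)}


if __name__ == "__main__":
    print(demo())
```

The refusal in the last step is deliberate: with the read-write replica down, a pool that "helpfully" retried the write on a read-only host would either fail with a referral or, worse, succeed against a replica whose changes are never propagated, which is why the read-only vs. read-write distinction is an HA setting and not just a performance one.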


OVD Failover and Expected Behaviour


- Failover is transparent to clients
- The load balancer detects an OVD failure and routes to the other instances
- The other instances continue to service requests
- Automated failover for proxied LDAP sources


OVD Setup Steps


1. Install the product binaries and configure OVD using OUI
2. Use OUI to set up the second node
3. Configure the load balancer to route to the OVD instances
4. Register against a WLS Domain (optional)


DIP Single Node Architecture


- J2EE application that enables you to integrate applications and directories
- Synchronization and provisioning service
- Quartz scheduler invokes stateless EJBs for provisioning or sync
- Runs on a WLS managed server
- Metadata stored in OID; Quartz uses the ODSM schema for config


DIP HA Architecture
- Active/Active configuration with a WLS Cluster
- DIP is not a singleton anymore
- Multi DS for the RAC DB
- LBR to OID
- No cluster wide config changes


DIP Failover and Expected Behaviour


- Failover is transparent to users (background processing)
- The Quartz scheduler invokes EJBs for job execution and tags the EJB as executing the job
- If the EJB fails, the Quartz scheduler marks the job as failed and reschedules it to be executed later by another EJB
- Multi DS for the RAC DB connection
- External LBR for the OID connection
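The tag-then-reschedule behaviour above is what makes a DIP sync job survive a managed server outage without an operator noticing. The following added example (not Quartz or DIP code) models it in Python: a scheduler keeps the job store, tags each fired job with the executor handling it, and when that executor fails, records the failure and re-queues the job for a later slot on a different executor. The Scheduler and Executor classes, job names, the retry delay and the "avoid the executor that last failed this job" rule are constructed for this demo.

```python
"""Job failover bookkeeping in the style the DIP slide describes: the
scheduler tags each job with the executor running it; when that executor
fails, the job is marked failed and rescheduled to run later on another one.

Added illustrative example. The Scheduler and Executor classes, job names,
retry delay and the choice to avoid the executor that last failed a job are
constructed for this demo; they are not Quartz or DIP code."""

import heapq


class Executor:
    """Constructed stand-in for one stateless EJB on a WLS managed server."""

    def __init__(self, name):
        self.name = name
        self.alive = True
        self.done = []

    def run(self, job):
        if not self.alive:
            raise RuntimeError(f"{self.name} crashed during {job}")
        self.done.append(job)


class Scheduler:
    """Job store plus dispatch; in the real deployment this state is in the DB."""

    def __init__(self, executors, retry_delay=5):
        self.executors = list(executors)
        self.retry_delay = retry_delay
        self.queue = []          # min-heap of (fire_time, seq, job)
        self.seq = 0
        self.rr = 0
        self.executing = {}      # job -> executor name: the "executing" tag
        self.last_failed = {}    # job -> executor name that last failed it
        self.history = []        # (job, executor, outcome, time)

    def schedule(self, job, fire_time):
        heapq.heappush(self.queue, (fire_time, self.seq, job))
        self.seq += 1

    def _pick(self, job):
        # Round-robin, skipping the executor that last failed this job.
        avoid = self.last_failed.get(job)
        for _ in range(len(self.executors)):
            executor = self.executors[self.rr % len(self.executors)]
            self.rr += 1
            if executor.name != avoid:
                return executor
        return executor  # only one executor configured: retry on it anyway

    def tick(self, now):
        """Fire every job due at or before `now`; return the jobs that completed."""
        completed = []
        while self.queue and self.queue[0][0] <= now:
            _, _, job = heapq.heappop(self.queue)
            executor = self._pick(job)
            self.executing[job] = executor.name
            try:
                executor.run(job)
                self.history.append((job, executor.name, "ok", now))
                completed.append(job)
            except RuntimeError:
                # Mark failed and reschedule; another executor picks it up later.
                self.history.append((job, executor.name, "failed", now))
                self.last_failed[job] = executor.name
                self.schedule(job, now + self.retry_delay)
            finally:
                self.executing.pop(job, None)
        return completed


def demo():
    """Managed server 1 is down when two jobs fire; returns both ticks' results."""
    ejb1, ejb2 = Executor("ejb-ms1"), Executor("ejb-ms2")
    sched = Scheduler([ejb1, ejb2])
    sched.schedule("sync-hr-to-oid", 10)
    sched.schedule("provision-new-hires", 10)
    ejb1.alive = False
    first = sched.tick(10)   # sync job fails on ejb-ms1, provisioning runs on ejb-ms2
    second = sched.tick(15)  # the retried sync job lands on ejb-ms2
    return first, second, sched.history, dict(sched.executing)


if __name__ == "__main__":
    print(demo())
```

Note that the `executing` tag is cleared in `finally` whether the job succeeded or failed; a tag left behind by a crashed executor is exactly the kind of state a real scheduler has to clean up on recovery, and the `history` list is what an operator would check to see that a job ran late rather than never.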


ODSM Single Node Architecture


- Used to manage OID and OVD
- Replaces ODM (10g)
- ADF based JavaEE application
- Process management using WLS tools


ODSM HA Architecture and Failover


- Active/Active configuration with a WLS Cluster
- No session state replication possible
- Multi DS for the RAC DB
- LBR to OID
- No cluster wide config changes


ODSM Failover and Expected Behaviour


- Failover is not transparent to users
- For WLS failover, users need to exit the browser, launch a new browser and establish their connections again
- For an ODSM failure, users will lose their login session and will see a popup stating "Your session is idle". They will need to re-connect.
- For OID/OVD failover, a popup is shown ("LDAP Server is down") while connections are failed over to the other LDAP servers. Connections are re-established in less than a minute.
- For RAC DB failover, a message ("Failure accessing Oracle database") is shown. Connections are re-established in less than a minute.


DIP & ODSM Setup Steps


1. RCU DB
2. WLS binaries
3. Install and configure DIP and ODSM with the Admin Server on Machine1
4. Install and configure DIP and ODSM on Machine2
5. Configure OHS to route to DIP & ODSM
6. Configure the load balancer to route to the OHS instances


OIF Single Node Architecture


- Federation server for multi domain authentication and SSO
- JavaEE, runs in WebLogic Server
- DB based message and user session data store
- DB based configuration data store
- LDAP/DB based user data store
- LDAP/DB based federation data store
- Can be configured to use SSO, OAM etc. as Authentication Engine/SP Engines


OIF HA Design Consideration


- JavaEE based component
- State replication is not configured out of the box. HTTP session state is short lived; sticky routing is recommended.
- All data (user, session, config, federation) is stored in shared repositories.
- Cluster wide config changes, as the config is stored in the shared DB repository


OIF HA Architecture
- Active/Active configuration with a WLS Cluster
- Multi DS for the RAC DB
- LBR to the LDAP stores


OIF Failover and Expected Behaviour


- Failover is seamless to users
- In case of an instance failure, the surviving OIF instances continue to process any unfinished transactions started on the failed instance, since the state information is in the shared database and is available to all members of the cluster
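The reason this failover is seamless while the ODSM one is not comes down to where the in-flight transaction lives. The following added example (not OIF code or configuration) runs a two-step federation transaction through a sticky-routing load balancer twice: once with the transaction record in a shared store, where the surviving instance finishes it, and once with instance-local state, where the user has to start over. Instance names, the SharedStore/Instance/LoadBalancer classes and the two step names are constructed for this demo.

```python
"""Why the OIF failover above is seamless: an in-flight federation transaction
is kept in a shared store, so whichever instance receives the next request can
finish it. The same flow with instance-local state is shown for contrast.

Added illustrative example. The instance names, the Instance and LoadBalancer
classes and the two-step transaction are constructed for this demo; they are
not OIF code or configuration."""


class InstanceDown(Exception):
    """The instance is not answering requests."""


class Instance:
    """One OIF-like server; `store` is shared by every instance in the cluster."""

    def __init__(self, name, store):
        self.name, self.store, self.up = name, store, True
        self.local = {}  # used only in the instance-local variant

    def _records(self, shared):
        return self.store if shared else self.local

    def start(self, txn_id, shared):
        if not self.up:
            raise InstanceDown(self.name)
        self._records(shared)[txn_id] = {"step": "authn-requested", "owner": self.name}
        return f"{self.name} started {txn_id}"

    def finish(self, txn_id, shared):
        if not self.up:
            raise InstanceDown(self.name)
        record = self._records(shared).get(txn_id)
        if record is None or record["step"] != "authn-requested":
            return f"{self.name}: unknown transaction {txn_id}, user must restart"
        record["step"] = "assertion-issued"
        return f"{self.name} finished {txn_id} begun on {record['owner']}"


class LoadBalancer:
    """Sticky routing: a session returns to the instance that first served it
    while that instance is up; on failure the request goes to a survivor."""

    def __init__(self, instances):
        self.instances = list(instances)
        self.sticky = {}  # session id -> instance

    def route(self, session, fn):
        preferred = self.sticky.get(session)
        order = [i for i in self.instances if i is not preferred]
        if preferred is not None:
            order.insert(0, preferred)
        for inst in order:
            try:
                result = fn(inst)
                self.sticky[session] = inst
                return result
            except InstanceDown:
                continue  # fall through to the next instance
        raise InstanceDown("all instances down")


def run_flow(shared):
    """Start a transaction on oif1, kill oif1, finish it via the load balancer."""
    store = {}
    oif1, oif2 = Instance("oif1", store), Instance("oif2", store)
    lb = LoadBalancer([oif1, oif2])
    first = lb.route("sess-42", lambda i: i.start("txn-7", shared))
    oif1.up = False  # the instance that owns the session dies mid-transaction
    second = lb.route("sess-42", lambda i: i.finish("txn-7", shared))
    return first, second


if __name__ == "__main__":
    print(run_flow(shared=True))
    print(run_flow(shared=False))
```

Sticky routing still matters in the shared-store case: it keeps the short-lived HTTP session on one instance during normal operation so that nothing has to be replicated, and the shared transaction record is what covers the one case stickiness cannot, the owning instance disappearing.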


OIF Setup Steps


1. RCU DB
2. Install the WLS binaries
3. Install and configure OIF with the Admin Server on Machine1
4. Install and configure OIF on Machine2
5. Configure OHS to route to OIF
6. Configure the load balancer to route to the OHS instances
