OracleAS 10G SSO: A “Fan-Out” Configuration Overview for Decentralized Implementation. Presented By: Tony Macedo


OracleAS 10G SSO: A “Fan-Out” Configuration Overview for Decentralized Implementation
Presented By: Tony Macedo
"This work was performed under the auspices of the U.S. Department of Energy by Lawrence Livermore National Laboratory (LLNL) under contract no. W-7405-Eng-48."

Agenda
- Business Problem Definition
- “Fan-Out” Configuration Definition
- “Fan-Out” Componentry
- Centralized v. “Fan-Out” SSO Models
- “Fan-Out” SSO Design Benefits
- “Fan-Out” SSO Implementation Options
- LLNL Implementation Overview
- Implementation Details
- Lessons Learned

Business Problem Definition
- Business Problems:
  - How can you implement a centralized Single Sign-on (SSO) scheme when your IT organizations are structured in a highly decentralized manner?
  - How can you provide infrastructure management autonomy while supporting a centralized SSO scheme?

“Fan-Out” Configuration Definition
- Definition:
  - A “Fan-Out” SSO configuration is a particular scheme for implementing OracleAS 10G Infrastructure instance installations. This configuration scheme supports the following:
    - Central repository of user information
    - Automatic replication to “Fan-Out” instances
    - Centralized or decentralized SSO, DAS and Repository Services implementations

“Fan-Out” Componentry
- Infrastructure Instance(s)
- Single Sign-on (SSO, via MOD_OSSO as a Partner Application)
- Delegated Administration Services (DAS)
- Oracle Internet Directory (OID, including OIDMON, OIDLDAPD, and OIDREPLD)
- Metadata Repository (OracleASDB)

Centralized v. “Fan-Out” SSO Models
- Centralized
  - Centrally managed set of OID, SSO, DAS, and Metadata Repository services
  - All centralized and decentralized OracleAS instances install into the Central/Master Infrastructure Repository
  - Authentication and Authorization are centrally managed
  - Centralized SSO administrator(s) must coordinate maintenance activities with the decentralized OracleAS administrators
  - Repository and OID maintenance must be conducted by centralized SSO, OID and Repository administrators when required by decentralized application server administrators
- Fan-Out
  - Decentralized set of OID, SSO, DAS, and Metadata Repository services that are coupled to a Master via LDAP replication
  - Decentralized OracleAS instances install into a “local” Infrastructure Repository
  - Authentication and Authorization can be centrally or de-centrally managed depending upon requirements
  - Centralized SSO administrator(s) are still required to coordinate maintenance activities with the decentralized OracleAS administrators, but to a lesser extent than in the centralized model
  - “Local” repository and OID maintenance can be conducted by the “decentralized” application server administrators when required

Centralized SSO

“Fan-Out” SSO

“Fan-Out” SSO Design Benefits
- Provides autonomous application server and metadata repository management capabilities to decentralized application server administrators (upgrades, local directory pruning, application server instance installations)
- Allows for centralized or decentralized SSO and Delegated Administration Service (DAS) configurations
- Provides a failure recovery configuration to help guard against the central failure point (NOTE: requires partner application re-registration)

“Fan-Out” SSO Design Benefits (#2)
- Provides bi-directional password management to ensure locally managed accounts update the Central/Master repository
- Enables decentralized authorization and Resource Access Descriptor (RAD) management
- Enables geographically separated entities to maintain a central authentication and authorization scheme that can be implemented in a decentralized manner (NOTE: multi-login may be required)

“Fan-Out” SSO Implementation Options
- Completely Autonomous “Fan-Out”
- Hybrid “Fan-Out”
- Metadata Repository Services “Fan-Out”

Completely Autonomous “Fan-Out”
- SSO, OID, DAS, and Metadata Repository services run on “Fan-Out” infrastructure instance(s)
- No centralized SSO (NOTE: multi-login)
- LDAP replicates accounts from the Master, and password changes back to the Master from the “Fan-Out” DAS
- Application server partner applications are only registered with the “Fan-Out”

Completely Autonomous “Fan-Out”

- Pros:
  - Autonomous management of “ALL” OracleAS services
  - Automatic OID synchronization
  - Can help alleviate SSO performance issues associated with geographic separation
- Cons:
  - Results in multiple logins across disparate SSO realms

Hybrid “Fan-Out”
- DAS, OID, and Metadata Repository services run on “Fan-Out” infrastructure instance(s)
- SSO runs on Centralized/Master infrastructure instance(s)
- LDAP replicates accounts from the Master, and password changes back to the Master from the “Fan-Out” DAS
- Application server partner applications are registered with Centralized/Master infrastructure instance(s)

Hybrid “Fan-Out”

- Pros:
  - Autonomous management of “MOST” OracleAS services
  - Automatic OID synchronization
  - Supports a true SSO without multi-login
  - Authorization and RAD management can be conducted in the local repository
- Cons:
  - Centralized SSO service failures will render your decentralized application server instances useless until SSO services are restored

Metadata Repository Services “Fan-Out”
- OID and Metadata Repository services run on “Fan-Out” infrastructure instance(s)
- SSO and DAS run on Centralized/Master infrastructure instance(s)
- LDAP replicates accounts and authorization from the Master (i.e. no local DAS)
- Application server partner applications are registered with Centralized/Master infrastructure instance(s)

Metadata Repository Services “Fan-Out”

- Pros:
  - Autonomous management of OracleAS metadata repository registry information
  - Automatic OID synchronization
  - Supports a true SSO without multi-login
- Cons:
  - Centralized SSO service failures will render your decentralized application server instances useless until SSO services are restored
  - All authorization and RAD management must be conducted in the central repository

LLNL Implementation Overview

Implementation Details
- Install the Centralized/Master OracleAS Infrastructure instance with the “Identity Management with Metadata Repository” option
  - Select required options

Implementation Details (#2)
- Install the “Fan-Out” OracleAS Infrastructure instance with the “Identity Management with Metadata Repository” option
  - De-select “ALL” options
  - Provide OID details of the Master when prompted

Implementation Details (#3)
- Manually start the “Fan-Out” OID after installation completes
  - NOTE: You should now use OPMNCTL in place of OIDCTL to manage OID processes
- Use the Replication Environment Management Tool (REMTOOL) to add the “Fan-Out” node to a replication agreement with the Master node as a “Partial” replica
  - Make sure to specify the “Master” OID host and port
  - Specify “*” as the naming context if you want the entire directory replicated, or create another naming context if necessary to reduce the replication scope

Implementation Details (#4)
- Perform an LDIF dump of the Master OID using the LDIFWRITE command
  - Dump the “cn=oraclecontext”, “cn=oracleschemaversion”, and “cn=[DEFAULT SUBSCRIBER]” entries
  - NOTE: You can also utilize the “Automatic Bootstrapping” option with the orclIncludedNamingcontexts and orclExcludedNamingcontexts attributes set to alleviate the need for manual LDAP intervention, and to explicitly limit which Master directory entries are replicated to the “Fan-Out”

Implementation Details (#5)
- Load the “Fan-Out” OID with the Master dump using the $ORACLE_HOME/ldap/bin/bulkload.sh script and the LDIF files created previously
- Start the LDAP Replication daemon on the “Fan-Out” instance
- Synchronize the Master and Fan-Out orclLastAppliedChangeNumber attributes
- Query and apply the Master ACLs to the Fan-Out instance using the orclEntryLevelACI attribute
- Configure the Password Modification Plug-in on the “Fan-Out” (NOTE: only if required)

Implementation Details (#6)
- Install the SSO and/or DAS OracleAS Infrastructure instance with the “Identity Management” option
  - Select SSO and/or DAS options as required

Implementation Details (#7)
- Install OracleAS instances
  - Make note of the Centralized/Master and “Fan-Out” OID port numbers, server names and repository names so that the correct values can be supplied when requested
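The bulkload and ACL steps above leave the Fan-Out replica correct only if every Master entry and its orclEntryLevelACI values actually arrived. The script below is an added verification example, not part of this presentation or an Oracle tool: it parses two ldifwrite-style dumps (constructed samples here, with dc=example,dc=com standing in for the default subscriber) and reports entries missing on the Fan-Out or carrying a different ACI set than the Master.

```python
def parse_ldif(text):
    """Parse a minimal ldifwrite-style LDIF dump into {dn: {attr: [values]}}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # join folded (continued) LDIF line
        else:
            lines.append(raw)
    entries, current, dn = {}, {}, None
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries[dn] = current
            current, dn = {}, None
        else:
            attr, _, value = line.partition(":")
            attr, value = attr.strip().lower(), value.strip()
            if attr == "dn":
                dn = value.lower()        # DNs compare case-insensitively
            else:
                current.setdefault(attr, []).append(value)
    return entries

def compare_replica(master_ldif, fanout_ldif):
    """Return (DNs missing on the Fan-Out, DNs whose orclEntryLevelACI set differs)."""
    master, fanout = parse_ldif(master_ldif), parse_ldif(fanout_ldif)
    missing = sorted(dn for dn in master if dn not in fanout)
    aci = lambda e: sorted(e.get("orclentrylevelaci", []))
    mismatched = sorted(dn for dn in master if dn in fanout and aci(master[dn]) != aci(fanout[dn]))
    return missing, mismatched

# Constructed sample dumps; the ACI text is illustrative, not copied from a real directory.
MASTER_LDIF = """\
dn: cn=OracleContext
orclEntryLevelACI: access to entry by group="cn=OracleContextAdmins,cn=Groups,
 cn=OracleContext" (browse,add,delete)

dn: cn=OracleSchemaVersion

dn: cn=Users,dc=example,dc=com
orclEntryLevelACI: access to entry by * (browse)
orclEntryLevelACI: access to entry by group="cn=OracleDASCreateUser,cn=Groups,cn=OracleContext" (add)
"""
FANOUT_LDIF = """\
dn: cn=OracleContext
orclEntryLevelACI: access to entry by group="cn=OracleContextAdmins,cn=Groups,cn=OracleContext" (browse,add,delete)

dn: cn=Users,dc=example,dc=com
orclEntryLevelACI: access to entry by * (browse)
"""
```

Running compare_replica(MASTER_LDIF, FANOUT_LDIF) flags cn=OracleSchemaVersion as missing and cn=Users as having lost an ACI, which is exactly what the Fan-Out administrator should catch before registering partner applications.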

Lessons Learned
- Oracle will work with you to mature their products to better meet your business needs when requested
- Make sure to select the OracleAS Infrastructure design that is consistent with your IT organizational structure
- Make sure to analyze “ALL” OracleAS Infrastructure instance configuration options before you finalize your design
- A “Fan-Out” SSO configuration does successfully enable decentralized IT organizations to participate in a centrally managed SSO scheme

Contact Information
- Tony Macedo