Les 04 Identity Management High Availability

Uploaded by andreea-doicin, posted 30-Jan-2016

Copyright © 2009, Oracle. All rights reserved.

Identity Management

Identity Management Product Suites

• These slides are based on the initial 11.1.1.2.0 release, where there was only one IDM suite

• We now have two suites of products:

1. Identity Management (IDM)

• Oracle Internet Directory (OID)
• Oracle Virtual Directory (OVD)
• Oracle Directory Integration Platform (ODIP)
• Oracle Directory Services Manager (ODSM)
• Oracle Identity Federation (OIF)

2. Identity and Access Management (IAM)

• Oracle Access Manager (OAM)
• Oracle Identity Manager (OIM)
• Oracle Adaptive Access Manager (OAAM)
• Oracle Identity Navigator (OIN)
• Oracle Platform Security Services (OPSS)
• Oracle Authorization Policy Manager (OAPM)

• Also see Considerations When Patching FMW 11g Identity Management Products to 11.1.1.4 or Higher (Doc ID 1298815.1)

OFM 11g IM HA Considerations

Application characteristic -> HA feature used

• JavaEE components like OIF, DIP, OIM, ORM, OAM -> WLS capabilities such as clustering, load balancing and failover

• C based components like OID -> Clustered deployments against the same DB repository

• JavaSE applications like OVD -> Clustered deployments against the same LDAP repository

• Persistence store -> RAC DB; WLS Multi DataSource for JavaEE components; TAF for C components

• No special dependency on hostnames, IP addresses etc.

• File system based backup and recovery

• Storage replication for disaster recovery; MMR (multi-master replication) for OID-only deployments

OFM 11g Identity Management HA Architecture

[Diagram: Machine1 to Machine6 hosting OHS (runtime cluster), WLS_ODS and WLS_OIF (WLS cluster, MW_HOME1 and MW_HOME2, AdminServer), OID and OVD; a hardware LB in front of the web tier; the RAC DB reached through MultiDS from the WLS tier and through TAF from OID]

• External load balancer used to front-end the web servers

• The web server tier is a runtime cluster and does not support cluster-wide management

• All WLS instances are members of a WLS cluster

• At least two MW_HOMEs used to support HA patching (on local or shared storage)

• RAC DB

• CFC (Cold Failover Cluster) for Admin Server protection (optional)

• C components protected with OPMN

OID Single Node Architecture

• Directory Server: LDAP server. Single dispatcher with one or more server processes

• Replication Server: Replicates to other OID servers. Singleton.

• Database: Directory data and configuration store

• OPMN: Starts/stops/monitors OIDMON

• OIDMON: Starts/stops/monitors the OID Server and Replication Server processes. Reads ODS_PROCESS_STATE_TABLE

• OIDCTL: Command line utility for server process control. Communicates with OIDMON by placing a message in the OID server table


OID HA Design Consideration

•C based component

•Active/Active cluster against same DB repository

•Stateless. State stored in DB repository

•Load Balanced connections to DB

• TAF and HA event notifications handle RAC failover. OID has a stale-connection detection mechanism; if no DB is available, the OID processes shut down.

•Clusterwide config change as it is stored in DB. OIDMON polls for changes.

•Metadata cached in server processes. Cluster wide cache sync via notifications and OIDMON

•Can be configured with or without a WebLogic domain


OID HA Architecture

•All nodes in run time cluster

•External hardware LBR

•FAN/OCI events with TAF

OID Failover and Expected Behaviour

• Failover transparent to clients

• Load balancer detects OID failure and routes to other instances

• Other instances continue to service requests

• FAN/OCI/TAF protect against DB failures

OID Setup Steps

1. Create the schemas in the DB with RCU

2. Install the product binaries and configure OID using OUI

3. Register against a WLS domain (optional)

IAM HA

• OIM: uses clustering and whole server migration

• OAM: uses clustering and Coherence

• OAPM: deployed to the Admin Server, so uses the CFC active-passive solution

• OIN: deployed to the Admin Server, so uses the CFC active-passive solution

• OAAM: uses clustering and DB HA features


OVD Single Node Architecture

• Oracle Virtual Directory is an LDAP version 3 enabled service

• Provides virtualized abstraction of one or more enterprise data sources into a single directory view

• Server is written in Java and internally it is organized into multiple layers.

• Appears as a single complete service to the administrator and to clients.

• OPMN is used to start, monitor, and manage the Oracle Virtual Directory process (JavaSE Process)

• Has LDAP and HTTP listeners


OVD HA Design Consideration

•JavaSE based component

•Active/Active cluster

•Stateless.

•No external dependencies

•Config stored on local file system

•No cluster wide config changes possible

•Can be configured with or without a WebLogic domain


OVD HA Architecture

•All nodes in run time cluster

•External hardware LBR

•Config updated one instance at a time

• Fault tolerance and load balancing for LDAP sources through a list of host names

• Distinction between read-only and read-write replicas
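The host-list failover and the read-only versus read-write distinction above, as an added example that is not part of the slides or of Oracle's OVD code. It simulates three LDAP replicas in memory (constructed data) and a small pool that tries hosts in list order, marks a host down the moment it fails, and sends writes only to read-write replicas; FakeLdapHost, FailoverPool and the host names are this example's own assumptions.

```python
"""Client-side failover across an ordered list of LDAP hosts, the way a
virtual directory or load balancer in front of OID/OVD keeps serving when
one replica dies.  The hosts are simulated in memory (constructed data), so
this runs offline; FakeLdapHost and FailoverPool are names chosen for this
example, not Oracle APIs."""
from dataclasses import dataclass
from typing import Dict, List, Set


class LdapDown(Exception):
    """The backend could not be reached (connection refused, timeout, ...)."""


@dataclass
class FakeLdapHost:
    """One replica: a name, whether it accepts writes, and an up/down switch.
    All replicas are handed the same 'entries' dict to stand in for replication."""
    name: str
    writable: bool
    entries: Dict[str, dict]
    up: bool = True

    def search(self, dn: str) -> dict:
        if not self.up:
            raise LdapDown(self.name)
        return self.entries[dn]

    def modify(self, dn: str, attrs: dict) -> None:
        if not self.up:
            raise LdapDown(self.name)
        if not self.writable:
            # a real read-only replica would answer unwillingToPerform or a referral
            raise PermissionError(f"{self.name} is read-only")
        self.entries.setdefault(dn, {}).update(attrs)


class FailoverPool:
    """Try hosts in list order, skip hosts already marked down, mark a host
    down the moment it throws, and route writes only to read-write replicas."""

    def __init__(self, hosts: List[FakeLdapHost]) -> None:
        self.hosts = hosts
        self.down: Set[str] = set()
        self.log: List[str] = []      # which host served each call, for the demo

    def _candidates(self, need_write: bool) -> List[FakeLdapHost]:
        return [h for h in self.hosts
                if h.name not in self.down and (h.writable or not need_write)]

    def _call(self, op: str, need_write: bool, *args):
        for host in self._candidates(need_write):
            try:
                result = getattr(host, op)(*args)
                self.log.append(f"{op}@{host.name}")
                return result
            except LdapDown:
                self.down.add(host.name)
                self.log.append(f"{host.name} down, failing over")
        raise LdapDown("no eligible host left")

    def search(self, dn: str) -> dict:
        return self._call("search", False, dn)

    def modify(self, dn: str, attrs: dict) -> None:
        return self._call("modify", True, dn, attrs)

    def recover(self, name: str) -> None:
        """Called when a health check succeeds again: back into rotation."""
        self.down.discard(name)


def build_demo_pool() -> FailoverPool:
    """Two read-write OID replicas and one read-only replica (constructed)."""
    directory = {"cn=alice,dc=example,dc=com": {"mail": "alice@example.com"}}
    return FailoverPool([
        FakeLdapHost("oid1", True, directory),
        FakeLdapHost("oid2", True, directory),
        FakeLdapHost("oid-ro", False, directory),
    ])


if __name__ == "__main__":
    pool = build_demo_pool()
    dn = "cn=alice,dc=example,dc=com"
    pool.search(dn)
    pool.hosts[0].up = False           # oid1 dies
    pool.modify(dn, {"title": "SRE"})  # write fails over to oid2
    pool.hosts[1].up = False           # oid2 dies too
    pool.search(dn)                    # reads still served by the read-only replica
    print("\n".join(pool.log))
```

Two points the pool makes explicit: a host is only taken out of rotation when it actually fails, so the first request after an outage pays for the failed attempt, and once every read-write replica is gone reads keep working while writes fail fast instead of being bounced off a read-only replica.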

OVD Failover and Expected Behaviour

• Failover transparent to clients

• Load balancer detects OVD failure and routes to other instances

• Other instances continue to service requests

• Automated failover for proxied LDAP sources

OVD Setup Steps

1. Install the product binaries and configure OVD using OUI

2. Use OUI to setup second node

3. Configure load balancer to route to OVD instances

4. Register against a WLS Domain (Optional)

DIP Single Node Architecture

• J2EE application that enables you to integrate applications and directories

• Synchronization and provisioning service

• Quartz scheduler invokes stateless EJBs for provisioning or sync

• Runs on a WLS managed server

• Metadata stored in OID. Quartz uses the ODSM schema for config


DIP HA Architecture

•Active/Active configuration with WLS Cluster

•DIP is not a singleton anymore

•Multi DS for RAC DB

•LBR to OID

•No cluster wide config changes


DIP Failover and Expected Behaviour

•Failover is transparent to users (background processing)

•Quartz Scheduler invokes EJBs for JOB execution.

•It tags the EJB as executing the job

•In case the EJB fails, the Quartz scheduler marks the job as failed and reschedules it to be executed later by another EJB

•Multi DS for RAC DB connection

•External LBR for OID connection
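The claim, fail and reschedule behaviour described above, as an added example that is not from the slides, from DIP or from Quartz. It models a shared job table with a lease per running job: a node tags the job as its own, and when that node dies the expired lease lets another node mark the job failed and put it back on the schedule. JobStore, Node, LEASE_SECONDS and MAX_ATTEMPTS are assumptions made for this example, and the clock is passed in explicitly so it runs offline on constructed data.

```python
"""Lease-based job failover in a shared job table, modelling what the
slides describe for DIP: a node tags a job as its own, and if the node dies
the job is marked failed and rescheduled for another node.  Everything is in
memory and the clock is passed in explicitly (constructed data); JobStore,
Node and the lease length are choices made for this example, not DIP or
Quartz APIs."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

LEASE_SECONDS = 30      # how long a running node may hold a job without renewing
MAX_ATTEMPTS = 3        # give up on a job that keeps dying (a poison job)


@dataclass
class Job:
    name: str
    state: str = "SCHEDULED"          # SCHEDULED -> RUNNING -> DONE | FAILED
    owner: Optional[str] = None       # node that holds the lease
    lease_until: float = 0.0
    attempts: int = 0
    history: List[str] = field(default_factory=list)


class JobStore:
    """The shared table every node polls; in DIP this lives in the RAC database."""

    def __init__(self) -> None:
        self.jobs: Dict[str, Job] = {}

    def add(self, name: str) -> Job:
        self.jobs[name] = Job(name)
        return self.jobs[name]

    def reap_expired(self, now: float) -> List[Job]:
        """A RUNNING job whose lease lapsed belongs to a node presumed dead:
        mark it FAILED, then put it back on the schedule (or give up)."""
        reaped = []
        for job in self.jobs.values():
            if job.state == "RUNNING" and job.lease_until < now:
                job.history.append(f"{job.owner} lease expired -> FAILED")
                job.owner = None
                job.state = "FAILED" if job.attempts >= MAX_ATTEMPTS else "SCHEDULED"
                if job.state == "SCHEDULED":
                    job.history.append("rescheduled")
                reaped.append(job)
        return reaped


class Node:
    """One cluster member.  claim() is what the scheduler does on each tick."""

    def __init__(self, name: str, store: JobStore) -> None:
        self.name = name
        self.store = store

    def claim(self, now: float) -> Optional[Job]:
        self.store.reap_expired(now)
        for job in self.store.jobs.values():
            if job.state == "SCHEDULED":
                job.state, job.owner = "RUNNING", self.name
                job.lease_until = now + LEASE_SECONDS
                job.attempts += 1
                job.history.append(f"{self.name} claimed (attempt {job.attempts})")
                return job
        return None

    def run(self, job: Job, now: float, crash: bool = False) -> None:
        """Execute the job.  crash=True models the node dying mid-job: nothing
        is written back, so the lease is left dangling for reap_expired()."""
        if crash:
            return
        job.state, job.owner = "DONE", None
        job.history.append(f"{self.name} done at t={now:g}")


def demo() -> Job:
    store = JobStore()
    store.add("sync-hr-to-oid")
    node1, node2 = Node("node1", store), Node("node2", store)
    job = node1.claim(now=0)
    node1.run(job, now=0, crash=True)     # node1 dies while the job is RUNNING
    node2.claim(now=10)                   # lease still valid: node2 finds nothing
    job = node2.claim(now=31)             # lease lapsed: job failed over to node2
    node2.run(job, now=31)
    return job


if __name__ == "__main__":
    print("\n".join(demo().history))
```

The caveat a practitioner should take from this: a job that dies after doing part of its work is run again from the start on another node, so sync and provisioning jobs must be idempotent, and a job that dies every time needs an attempt cap or it cycles through the cluster indefinitely.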

ODSM Single Node Architecture

• Used to manage OID and OVD

• Replaces ODM (10g)

• ADF based JavaEE application

• Process management using WLS tools


ODSM HA Architecture and Failover

•Active/Active configuration with WLS Cluster

•NO session state replication possible

•Multi DS for RAC DB

•LBR to OID

•No cluster wide config changes

ODSM Failover and Expected Behaviour

• Failover not transparent to users

• For WLS failover, users need to exit the browser, launch a new browser and establish connections again

• For ODSM failure, users will lose their login session and will see a popup stating "Your session is idle…". They will need to reconnect.

• For OID/OVD failover, a popup is shown ("LDAP Server is down") while connections are failed over to the other LDAP servers. Connections are re-established in less than a minute

• For RAC DB failover, a message ("Failure accessing Oracle database") is shown. Connections are re-established in less than a minute

DIP & ODSM Setup Steps

1. Create the schemas in the DB with RCU

2. Install the WLS binaries

3. Install and configure DIP and ODSM with Admin Server on Machine1

4. Install and configure DIP and ODSM on machine 2

5. Configure OHS to route to DIP & ODSM

6. Configure load balancer to route to OHS instances


OIF Single Node Architecture

• Federation Server for multi domain authentication and SSO

• JavaEE, runs in WebLogic Server

• DB based message and user session data store

• DB based configuration data store

• LDAP/DB based user data store

• LDAP/DB based federation data store

• Can be configured to use SSO, OAM etc. as Authentication Engine/SP Engines


OIF HA Design Consideration

•JavaEE based component

• State replication not configured out of the box. HTTP session state is short-lived; sticky routing recommended.

•All data (user, session, config,federation) stored in shared repositories.

•Cluster wide config changes as config stored in shared DB repository


OIF HA Architecture

•Active/Active configuration with WLS Cluster

•Multi DS for RAC DB

•LBR to LDAP stores


OIF Failover and Expected Behaviour

•Failover is seamless to users

•In case of an instance failure, surviving OIF instances will continue to seamlessly process any unfinished transactions started on the failed instance since the state information is in the shared database and is available to all the members in the cluster
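The contrast between this slide and the ODSM failover slide, as an added example that is not from the slides or from Oracle's products: two toy instances behind a cookie-based sticky router, one shared store standing in for the OIF database and a per-instance dict standing in for the HTTP session that is not replicated out of the box. When the pinned instance dies, the federation transaction completes on the other instance because its state is in the shared store, while the console login is lost. Instance, StickyRouter and the names wls1/wls2 are assumptions made for the example.

```python
"""Two instances behind a sticky load balancer, to show why the slides call
OIF failover seamless (transaction state in the shared DB) while ODSM/WLS
failover is not (login state only in the local HTTP session).  Instances,
router and store are in-memory stand-ins (constructed); the class and
method names are this example's, not Oracle's."""
from typing import Dict, List, Optional, Tuple


class Instance:
    def __init__(self, name: str, shared_db: Dict[str, dict]) -> None:
        self.name = name
        self.up = True
        self.shared_db = shared_db       # visible to every instance (OIF session/message store)
        self.http_sessions: Dict[str, dict] = {}   # local only: not replicated out of the box

    # ODSM-like: everything about the login lives in the local HTTP session
    def console_login(self, session_id: str, user: str) -> None:
        self.http_sessions[session_id] = {"user": user}

    def console_page(self, session_id: str) -> str:
        if session_id not in self.http_sessions:
            return "Your session is idle... please log in again"
        return f"console for {self.http_sessions[session_id]['user']}"

    # OIF-like: the pending federation transaction is written to the shared store
    def start_federation(self, txn_id: str, user: str) -> None:
        self.shared_db[txn_id] = {"user": user, "step": "authn_requested"}
        self.http_sessions[txn_id] = {"user": user}   # short-lived; sticky routing keeps it local

    def finish_federation(self, txn_id: str) -> str:
        txn = self.shared_db.get(txn_id)
        if txn is None:
            return "unknown transaction"
        txn["step"] = "assertion_issued"
        return f"assertion issued for {txn['user']} by {self.name}"


class StickyRouter:
    """Cookie-based persistence: keep a client on its instance while it is up,
    otherwise pick the first healthy instance and re-pin the client."""

    def __init__(self, instances: List[Instance]) -> None:
        self.instances = instances
        self.by_name = {i.name: i for i in instances}

    def route(self, cookie: Optional[str]) -> Tuple[Instance, str]:
        pinned = self.by_name.get(cookie) if cookie else None
        if pinned is not None and pinned.up:
            return pinned, cookie
        for inst in self.instances:
            if inst.up:
                return inst, inst.name
        raise RuntimeError("no instance available")


def demo() -> Tuple[str, str]:
    """Returns (OIF-style outcome, ODSM-style outcome) after the pinned
    instance dies mid-session."""
    shared_db: Dict[str, dict] = {}
    router = StickyRouter([Instance("wls1", shared_db), Instance("wls2", shared_db)])
    inst, cookie = router.route(None)               # first request lands on wls1
    inst.console_login("sess-9", "admin")
    inst.start_federation("txn-1", "alice")
    inst.up = False                                   # wls1 dies
    inst, cookie = router.route(cookie)               # LB re-pins the client to wls2
    return inst.finish_federation("txn-1"), inst.console_page("sess-9")


if __name__ == "__main__":
    federation, console = demo()
    print(federation)
    print(console)
```

The design point is where the state lives, not the load balancer: sticky routing only hides the missing session replication while the pinned instance is alive, and anything that must survive an instance loss has to be in a store every cluster member can read.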

OIF Setup Steps

1. Create the schemas in the DB with RCU

2. Install WLS binaries

3. Install and configure OIF with Admin Server on Machine1

4. Install and configure OIF on machine 2

5. Configure OHS to route to OIF

6. Configure load balancer to route to OHS instances