Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management (Oracle Fusion Applications Edition)
11g Release 1 (11.1.3)

Part Number E21032-07

2 Introduction to the Enterprise Deployment Reference Topologies

This chapter describes and illustrates the enterprise deployment reference topologies described in this guide. The road map for installation and configuration directs you to the appropriate chapters for the tasks you need to perform. Use this chapter to help you plan your Oracle Identity Management enterprise deployment.


2.1 Overview of Enterprise Deployment Reference Topologies

This section describes diagrams used to illustrate the enterprise deployment possibilities described in this guide. Use this section to plan your enterprise deployment topology.


2.1.1 Reference Topologies Documented in the Guide

Oracle Identity Management consists of a number of products, which can be used either individually or collectively. The Enterprise Deployment Guide for Identity Management (Fusion Applications Edition) enables you to build three different enterprise topologies for Fusion Applications.

One of the topologies shown is the split domain topology. A split domain topology is useful if you need either of the following features:

  • The ability to keep operational functionality (OAM) separate from administrative (OIM) functions

  • The ability to patch OIM independently

This section provides diagrams of the topologies.

In the diagrams, active nodes are shown in color, and passive nodes are shown in white.

This section contains the following topics:

  • Section 2.1.1.1, "Oracle Access Manager 11g and Oracle Identity Manager 11g for Fusion Applications"

  • Section 2.1.1.2, "Split Domain Topology for Oracle Fusion Applications"

  • Section 2.1.1.3, "Oracle Identity Federation 11g for Fusion Applications"

Note:

The Split Domain Topology is not supported in Oracle Fusion Applications 11g Release 1 (11.1.3) or earlier releases.

Note:

Customers who use machines with large memory and CPU footprints can collapse multiple machines in the topology into a single machine within the same tier. For example:

  • OIDHOST and OVDHOST can be collapsed into a single host

  • IDMHOST and OIMHOST can be collapsed into a single host

2.1.1.1 Oracle Access Manager 11g and Oracle Identity Manager 11g for Fusion Applications

Figure 2-1 is a diagram of the Oracle Access Manager 11g and Oracle Identity Manager 11g topology.

Figure 2-1 Oracle Access Manager 11g and Oracle Identity Manager 11g for Fusion Applications

Surrounding text describes Figure 2-1.

2.1.1.2 Split Domain Topology for Oracle Fusion Applications

Not supported in Oracle Fusion Applications 11g Release 1 (11.1.3) or earlier releases.

Figure 2-2 is a diagram of the split domain topology for Oracle Fusion Applications, where Oracle Identity Manager is placed in a separate domain.

Figure 2-2 Split Domain Topology

Surrounding text describes Figure 2-2.

2.1.1.3 Oracle Identity Federation 11g for Fusion Applications

Figure 2-3 is a diagram of the Oracle Identity Federation 11g topology for Fusion Applications.

Figure 2-3 Oracle Identity Federation 11g Topology

Surrounding text describes Figure 2-3.

2.1.2 About the Directory Tier

The directory tier is in the Intranet Zone. The directory tier is the deployment tier where all the LDAP services reside. This tier includes products such as Oracle Internet Directory and Oracle Virtual Directory. The directory tier is managed by directory administrators providing enterprise LDAP service support.

The directory tier is closely tied with the data tier. Access to the data tier is important for the following reasons:

  • Oracle Internet Directory relies on Oracle Database as its back end.

  • Oracle Virtual Directory provides virtualization support for other LDAP services or databases or both.

In some cases, the directory tier and data tier might be managed by the same group of administrators. In many enterprises, however, database administrators own the data tier while directory administrators own the directory tier.

The directory tier is typically protected by firewalls; applications above it access LDAP services through a designated LDAP host and port. The standard LDAP ports are 389 (non-SSL) and 636 (SSL). LDAP services are often used for white pages lookup by clients such as email clients in the intranet. Ports 389 and 636 on the load balancer are typically redirected to the non-privileged ports used by the individual directory instances.

The directory tier stores two types of information:

  • Identity Information: Information about users and groups

  • Oracle Platform Security Services (OPSS) information: security policies and configuration data

Although the topology diagrams do not show LDAP directories other than Oracle Internet Directory, you can use Microsoft Active Directory to store identity information. You must always store policy information in Oracle Internet Directory. You may store identity information in Oracle Internet Directory or in another directory.

If you store identity information in a directory other than Oracle Internet Directory, you can use Oracle Virtual Directory to present that information to the Identity Management components.

Chapter 13, "Configuring an Identity Store with Multiple Directories," describes how to configure Oracle Virtual Directory for two multidirectory scenarios.

  • A split profile, or split directory configuration, is one where identity data is stored in multiple directories, possibly in different locations. A split profile is used to store the custom attributes required for a Fusion Applications deployment. Use this kind of deployment when you do not want to modify the existing Identity Store by extending its schema. In that case, deploy a new Oracle Internet Directory instance to store the extended attributes. Alternatively, you can use the Oracle Internet Directory instance deployed as the Policy Store for this purpose.

  • Another multidirectory scenario is one where you have distinct user and group populations. In this configuration, Oracle-specific entries and attributes are stored in Oracle Internet Directory. Enterprise-specific entries that might have Fusion Applications-specific attributes are stored in Active Directory.

In both multidirectory scenarios, you use Oracle Virtual Directory to present all the identity data in a single consolidated view that Oracle Identity Management components can interpret.

Although you can use a single Oracle Internet Directory instance for storing both the identity and policy information, in some cases you might need to use two separate Oracle Internet Directory installations, one for the Policy Store and another for Identity Store. For example, this might be necessary due to throughput or enterprise directory requirements. You might also need to use separate Oracle Internet Directory installations if you have a shared Identity Management deployment with multiple Oracle Fusion Applications pods pointing to it.

If you intend to separate your identity and policy information, you must create two separate highly available Oracle Internet Directory clusters. These clusters can share the same machines, but they should use separate Real Application Clusters databases as their data stores.

If you are using Oracle Internet Directory exclusively, you do not need to use Oracle Virtual Directory.

This guide assumes that you are creating two virtual names: one for your Policy Store (policystore.mycompany.com) and one for your Identity Store (idstore.mycompany.com). When using a single Oracle Internet Directory for both your identity and policy information, you can either create two virtual host names, both pointing to the same directory, or combine them into a single suitable virtual host name in the load balancer.

If you are using Oracle Internet Directory as your Identity Store, you can configure it to use multimaster replication as described in the Oracle Fusion Middleware High Availability Guide chapter Configuring Identity Management for Maximum High Availability. This enables you to maintain the same naming contexts on multiple directory servers. It can improve performance by providing more servers to handle queries and by bringing the data closer to the client. It improves reliability by eliminating risks associated with a single point of failure.

2.1.3 About the Application Tier

The application tier is the tier where Java EE applications are deployed. Products such as Oracle Identity Manager, Oracle Identity Federation, Oracle Directory Services Manager and Oracle Enterprise Manager Fusion Middleware Control are the key Java EE components that can be deployed in this tier. Applications in this tier benefit from the High Availability support of Oracle WebLogic Server.

The Identity Management applications in the application tier interact with the directory tier as follows:

  • In some cases, they leverage the directory tier for enterprise identity information.

  • In some cases, they leverage the directory tier (and sometimes the database in the data tier) for application metadata.

  • Oracle Enterprise Manager Fusion Middleware Control and Oracle Directory Services Manager are administration tools that provide administrative functions for the components in the application tier as well as the directory tier.

  • WebLogic Server has built-in web server support. If enabled, the HTTP listener exists in the application tier as well. However, for the enterprise deployment shown in Figure 1-1, customers have a separate web tier relying on web servers such as Apache or Oracle HTTP Server.

In the application tier:

  • IDMHOST1 and IDMHOST2 have WebLogic Server installed, together with the Administration Console, Oracle Enterprise Manager Fusion Middleware Control, Oracle Directory Services Manager, Oracle Access Management Server, and Oracle Identity Federation. IDMHOST1 and IDMHOST2 run both the WebLogic Server Administration Server and Managed Servers. Note that the Administration Server is configured to be active-passive: although it is installed on both nodes, only one instance is active at any time. If the active instance goes down, the passive instance is started and becomes the active instance.

    The Oracle Access Management Server communicates with the directory tier to verify user information.

  • On the firewall protecting the application tier, the HTTP ports and the OAP port are open. The OAP (Oracle Access Protocol) port allows the WebGate module running in Oracle HTTP Server in the web tier to communicate with Oracle Access Manager to perform operations such as user authentication.

  • In the OAM and OIM topology, OIMHOST1 and OIMHOST2 have Oracle Identity Manager and Oracle SOA Suite installed. Oracle Identity Manager is a user provisioning application. The Oracle SOA Suite instance deployed in this topology is used exclusively to provide workflow functionality for Oracle Identity Manager.

2.1.3.1 Architecture Notes

  • Oracle Enterprise Manager Fusion Middleware Control is integrated with Oracle Access Manager using the Oracle Platform Security Services (OPSS) agent.

  • The Oracle WebLogic Server console, Oracle Enterprise Manager Fusion Middleware Control, and Oracle Access Manager console are always bound to the listen address of the Administration Server.

  • The WebLogic administration server is a singleton service. It runs on only one node at a time. In the event of failure, it is restarted on a surviving node.

  • The WLS_ODS1 Managed Server on IDMHOST1 and WLS_ODS2 Managed Server on IDMHOST2 are in a cluster and the Oracle Directory Services Manager applications are targeted to the cluster.

  • The WLS_OAM1 Managed Server on IDMHOST1 and WLS_OAM2 Managed Server on IDMHOST2 are in a cluster and the Access Manager applications are targeted to the cluster.

  • Oracle Directory Services Manager is bound to the listen addresses of the WLS_ODS1 and WLS_ODS2 Managed Servers. By default, the listen addresses for these Managed Servers are set to IDMHOST1 and IDMHOST2 respectively.

  • In the OAM + OIM topology, the WLS_OIM1 Managed Server on OIMHOST1 and WLS_OIM2 Managed Server on OIMHOST2 are in a cluster and the Oracle Identity Manager applications are targeted to the cluster.

  • In the OAM + OIM topology, the WLS_SOA1 Managed Server on OIMHOST1 and WLS_SOA2 Managed Server on OIMHOST2 are in a cluster and the Oracle SOA applications are targeted to the cluster.

  • The WLS_OIF1 Managed Server on IDMHOST1 and WLS_OIF2 Managed Server on IDMHOST2 are in a cluster and the Oracle Identity Federation applications are targeted to the cluster.

  • In the OIM split domain topology, Oracle Identity Manager components are installed into a separate domain.

    Note:

    Do not use the split domain topology with Oracle Fusion Applications 11g Release 1 (11.1.3) or earlier releases.

2.1.3.2 High Availability Provisions

  • The Oracle Access Manager Servers are active-active deployments.

  • In the Oracle Access Manager and Oracle Identity Manager topology, the Identity Management Servers and SOA Servers are active-active deployments; these servers communicate with the data tier at run time.

  • The WebLogic Administration Server and Oracle Enterprise Manager deployment is active-passive (where other components are active-active).

  • The Identity Federation Servers are active-active deployments; the Oracle Identity Federation Server may communicate with the data tier at run time.

  • The WebLogic Administration Server is a singleton component deployed in an active-passive configuration. If IDMHOST1 fails or the Administration Server on IDMHOST1 does not start, the Administration Server on IDMHOST2 can be started.

2.1.3.3 Server Consolidation

If you have powerful enough servers, you can merge IDMHOST1 and OIMHOST1 onto a single server. Similarly, you can merge IDMHOST2 and OIMHOST2.

2.1.3.4 Security Provisions

Oracle WebLogic Server Console, Oracle Enterprise Manager Fusion Middleware Control console, and Oracle Access Manager console are only accessible through admin.mycompany.com, which is only available inside the firewall.

2.1.4 About the Web Tier

The web tier is in the DMZ Public Zone. The HTTP Servers are deployed in the web tier.

Most of the Identity Management components can function without the web tier, but for most enterprise deployments, the web tier is desirable. To support enterprise level single sign-on using products such as Oracle Single Sign-On and Oracle Access Manager, the web tier is required.

While components such as Oracle Enterprise Manager Fusion Middleware Control and Oracle Directory Services Manager can function without a web tier, they can be configured to use a web tier, if desired.

In the web tier:

  • WEBHOST1 and WEBHOST2 have Oracle HTTP Server, WebGate (an Oracle Access Manager component), and the mod_wl_ohs plug-in module installed. The mod_wl_ohs plug-in module enables requests to be proxied from Oracle HTTP Server to a WebLogic Server running in the application tier.

  • WebGate (an Oracle Access Manager component) in Oracle HTTP Server uses Oracle Access Protocol (OAP) to communicate with Oracle Access Manager running on IDMHOST1 and IDMHOST2, in the Identity Management DMZ. WebGate and Oracle Access Manager are used to perform operations such as user authentication.

On the firewall protecting the web tier, the HTTP ports are 443 for HTTPS and 80 for HTTP. Of these, port 443 is open.

2.1.4.1 Architecture Notes

The Oracle HTTP Servers on WEBHOST1 and WEBHOST2 are configured with mod_wl_ohs and proxy requests for the Oracle Enterprise Manager and Oracle Directory Services Manager Java EE applications deployed in WebLogic Server on IDMHOST1 and IDMHOST2.

2.1.4.2 Security Provisions

The Oracle HTTP Servers process requests received using the URLs sso.mycompany.com and admin.mycompany.com. The name admin.mycompany.com is only resolvable inside the firewall. This prevents access to sensitive resources such as the Oracle WebLogic Server console and Oracle Enterprise Manager Fusion Middleware Control console from the public domain.
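The zone and firewall rules stated across Sections 2.1.2, 2.1.3 and 2.1.4 (only port 443 open into the web tier; HTTP and OAP ports open into the application tier; LDAP reached through the load balancer on 389/636 and forwarded to non-privileged instance ports; admin.mycompany.com resolvable only inside the firewall) can be written down as a small policy model and checked before the firewalls are touched. The following is an added example, not code from the Oracle guide or from any Oracle product. The zone names, the concrete port numbers for OAP, the WebLogic servers and the OID instances, and the URL prefixes assigned to each virtual host are assumptions chosen for illustration; only the host names and the allow rules themselves come from this chapter.

```python
"""Policy-as-code model of the zone and firewall layout described in this chapter.

Added example; it is not code from the Oracle guide.  Encoded rules come from
the text: only port 443 is open into the web tier (DMZ); the HTTP ports and the
OAP port are open into the application tier; LDAP is reached through the load
balancer on 389/636, which forwards to the non-privileged ports of the
directory instances; admin.mycompany.com resolves only inside the firewall and
is the only route to the consoles.  The concrete port numbers for OAP, the
WebLogic servers and the OID instances, and the URL prefixes per virtual host,
are ASSUMPTIONS for illustration, not values stated on this page.
"""

# Zones from least to most trusted; the directory and data tiers sit in "intranet".
ZONES = ["internet", "dmz_web", "app", "intranet"]

# Assumed ports (not from this page).
OAP_PORT = 5575                              # WebGate -> OAM Server
WLS_HTTP_PORTS = {7001, 7005, 14100}         # Admin Server, WLS_ODS, WLS_OAM
LB_LDAP_FORWARD = {389: 3060, 636: 3131}     # LB VIP port -> OID instance port

# Ports the firewall in front of each zone lets through (the page's rules).
FIREWALL_ALLOW = {
    "dmz_web": {443},                        # 80 is defined but not open
    "app": WLS_HTTP_PORTS | {OAP_PORT},      # mod_wl_ohs proxying plus OAP
    "intranet": set(LB_LDAP_FORWARD),        # LDAP VIP ports on the load balancer
}

# OHS virtual hosts: whether the name resolves from the Internet and which URL
# prefixes each one proxies (prefixes are assumed).
VHOSTS = {
    "sso.mycompany.com": {"public": True, "prefixes": ("/oam", "/oamfed")},
    "admin.mycompany.com": {"public": False,
                            "prefixes": ("/console", "/em", "/odsm", "/oamconsole")},
}


def flow_permitted(src_zone: str, dst_zone: str, port: int) -> bool:
    """True if a connection from src_zone to dst_zone on `port` is let through
    by every firewall it must cross.  Only ingress toward more trusted zones is
    filtered; flows toward a less trusted zone or within a zone pass."""
    si, di = ZONES.index(src_zone), ZONES.index(dst_zone)
    if di <= si:
        return True
    return all(port in FIREWALL_ALLOW[zone] for zone in ZONES[si + 1:di + 1])


def backend_ldap_port(vip_port: int) -> int:
    """Map a privileged LDAP port on the load balancer to the non-privileged
    port an individual directory instance listens on."""
    if vip_port not in LB_LDAP_FORWARD:
        raise ValueError(f"port {vip_port} is not an LDAP VIP port on the load balancer")
    return LB_LDAP_FORWARD[vip_port]


def console_reachable(client_zone: str, hostname: str, path: str) -> bool:
    """Can a client in client_zone reach `path` through OHS virtual host
    `hostname`?  The name must resolve from that zone, the virtual host must
    proxy that prefix, and HTTPS must be permitted into the web tier."""
    vhost = VHOSTS.get(hostname)
    if vhost is None:
        return False
    if client_zone == "internet" and not vhost["public"]:
        return False                         # admin.mycompany.com is internal only
    if not any(path == p or path.startswith(p + "/") for p in vhost["prefixes"]):
        return False                         # e.g. /console is not served by the SSO host
    return flow_permitted(client_zone, "dmz_web", 443)


# Constructed sample flows with the outcome the chapter's text implies.
SAMPLE_FLOWS = [
    ("internet", "dmz_web", 443, True),      # HTTPS to the web tier
    ("internet", "dmz_web", 80, False),      # port 80 not open
    ("dmz_web", "app", OAP_PORT, True),      # WebGate -> OAM over OAP
    ("dmz_web", "app", 7001, True),          # mod_wl_ohs -> Administration Server
    ("internet", "app", OAP_PORT, False),    # OAP is never exposed to the Internet
    ("app", "intranet", 636, True),          # OAM/OIM -> LDAPS via the load balancer
    ("internet", "intranet", 389, False),    # no direct LDAP from outside
]


def audit(flows):
    """Return the (src, dst, port) triples whose result disagrees with the
    expected outcome recorded alongside them."""
    return [(s, d, p) for s, d, p, expected in flows if flow_permitted(s, d, p) != expected]


if __name__ == "__main__":
    print("violations:", audit(SAMPLE_FLOWS))
    print("LB 636 forwards to instance port", backend_ldap_port(636))
    print("intranet -> admin vhost /console:",
          console_reachable("intranet", "admin.mycompany.com", "/console"))
    print("internet -> sso vhost /console:",
          console_reachable("internet", "sso.mycompany.com", "/console"))
```

The model deliberately treats a flow as having to pass every firewall between its source and destination, so a request from the Internet to an LDAP or OAP port is rejected by the web tier firewall before the application or directory tier rules are even consulted. When you collapse hosts as described in the note in Section 2.1.1 (for example IDMHOST and OIMHOST on one machine), the zones and the allow lists do not change; only the mapping of host names to machines does, which is why the model is keyed on zones rather than on hosts.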

2.2 Hardware Requirements for an Enterprise Deployment

The minimum hardware requirements for the Enterprise Deployment on Linux operating systems are listed in Table 2-1. The memory figures represent the memory required to install and run an Oracle Fusion Middleware server; however, for most production sites, you should configure at least 4 GB of physical memory.

For detailed requirements, or for requirements for other platforms, see the Oracle Fusion Middleware Installation Guide for that platform.

Table 2-1 Typical Hardware Requirements

Server                         Processor                               Disk     Memory   TMP Directory   Swap
Database Hosts (OIDDBHOSTn)    4 or more X Pentium 1.5 GHz or greater  n X m*   6-16 GB  Default         Default
WEBHOSTn                       2 or more X Pentium 1.5 GHz or greater  10 GB    4 GB     Default         Default
IDMHOSTn, OAMHOSTn, OIMHOSTn   2 or more X Pentium 1.5 GHz or greater  10 GB    6 GB     Default         Default
OIDHOSTn, OVDHOSTn             2 or more X Pentium 1.5 GHz or greater  10 GB    4 GB     Default         Default

* n = number of disks, at least 4 (striped as one disk); m = size of each disk (minimum of 30 GB)


These are the typical hardware requirements. For each tier, carefully consider the load, throughput, response time and other requirements to plan the actual capacity required. The number of nodes, CPUs, and memory required can vary for each tier based on the deployment profile. Production requirements may vary depending on applications and the number of users.

The Enterprise Deployment configurations described in this guide use two servers for each tier to provide failover capability; however, this does not presume adequate computing resources for any application or user population. If the system workload increases such that performance is degraded, you can add servers to the configuration by repeating the instructions for the second server (that is, WEBHOST2, IDMHOST2, OIDHOST2, OVDHOST2, OIDDBHOST2) to install and configure additional servers where needed.

Note:

Oracle recommends configuring all nodes in the topology identically with respect to operating system levels, patch levels, user accounts, and user groups.

2.3 Identifying the Software Components to Install

Table 2-2, "Software Versions Used" lists the Oracle software you need to obtain before starting the procedures in this guide.

For complete information about downloading Oracle Fusion Middleware software, see Section 6.1.2, "Software to Install" and the Preparing for an Installation chapter in Oracle Fusion Applications Installation Guide.

Table 2-2 Software Versions Used

Short Name    Product                                     Version
OHS11G        Oracle HTTP Server                          11.1.1.6.0
JRockit       Oracle JRockit                              jrockit-jdk1.6.0_29-R28.2.0-4.0.1-linux-x64.bin
WLS           Oracle WebLogic Server                      10.3.6.0
IAM           Oracle Identity and Access Management       11.1.1.5.0
SOA           Oracle SOA Suite                            11.1.1.6.0
IDM           Oracle Identity Management                  11.1.1.6.0
WebGate 10g   WebGate (Oracle Access Manager component)   10.1.4.3.0
RCU           Repository Creation Utility                 11.1.1.6.0


Note:

WebGate 11g is not supported for Oracle Fusion Applications.

2.4 Road Map for the Reference Topology Installation and Configuration

Before beginning your Oracle Identity Management enterprise deployment, review the flow chart in Figure 2-4, "Flow Chart of the Oracle Identity Management Enterprise Deployment Process for Oracle Fusion Applications". This flow chart illustrates the high-level process for completing the enterprise deployment documented in this guide. Table 2-3 describes the steps in the flow chart and directs you to the appropriate section or chapter for each step.


2.4.1 Flow Chart of the Oracle Identity Management Enterprise Deployment Process for Oracle Fusion Applications

Figure 2-4, "Flow Chart of the Oracle Identity Management Enterprise Deployment Process for Oracle Fusion Applications" provides a flow chart of the Oracle Identity Management enterprise deployment process. Review this chart to become familiar with the steps that you must follow, based on the existing environment.

Figure 2-4 Flow Chart of the Oracle Identity Management Enterprise Deployment Process for Oracle Fusion Applications

Surrounding text describes Figure 2-4.

2.4.2 Steps in the Oracle Identity Management Enterprise Deployment Process

Table 2-3 describes each of the steps in the enterprise deployment process flow chart for Oracle Identity Management, shown in Figure 2-4. The table also provides information on where to obtain more information about each step in the process.

Table 2-3 Steps in the Oracle Identity Management Enterprise Deployment Process

Each entry gives the step, what it involves, and where to find more information.

  • Prepare your Network for Enterprise Deployment: understand concepts such as virtual server names, IPs and virtual IPs, and configure your load balancer by defining virtual host names. See Chapter 3, "Preparing the Network for an Enterprise Deployment".

  • Prepare your File System for Enterprise Deployment: review the terminology for directories and directory environment variables, and configure shared storage. See Chapter 4, "Preparing the File System for an Enterprise Deployment".

  • Prepare your Database for Enterprise Deployment: review database requirements, create database services, load the metadata repository into the Oracle RAC database, configure Identity Management schemas for transactional recovery privileges, and back up the database. See Chapter 5, "Preparing the Database for an Enterprise Deployment".

  • Install the Software: install Oracle HTTP Server, Oracle WebLogic Server and Oracle Fusion Middleware, and apply patch sets to Oracle Fusion Middleware components. See Chapter 6, "Installing the Software for an Enterprise Deployment".

  • Configure the Web Tier: associate the Oracle Web tier with the Oracle WebLogic domain, configure Oracle HTTP Server with the load balancer, and configure virtual host names. See Chapter 7, "Configuring the Web Tier for an Enterprise Deployment".

  • Create Domains: run the Configuration Wizard to create the domains (IDMDomain and optionally OIMDomain) and include OAM and OIM. See Chapter 8, "Creating a Domain for an Enterprise Deployment".

  • Extend the Domain for Oracle Internet Directory: extend the existing WebLogic domain by running the Configuration Wizard to configure Oracle Internet Directory. See Chapter 9, "Extending the Domain to Include Oracle Internet Directory".

  • Extend the Domain for Oracle Directory Services Manager: extend the existing WebLogic domain by running the Configuration Wizard to configure ODSM. See Chapter 10, "Extending the Domain to Include ODSM".

  • Prepare Identity and Policy Stores: prepare the Identity and Policy Stores in an Oracle Identity Management enterprise deployment. See Chapter 11, "Preparing Identity and Policy Stores".

  • Extend the Domain for Oracle Virtual Directory (optional): extend the existing WebLogic domain by running the Configuration Wizard to configure Oracle Virtual Directory. See Chapter 12, "Extending the Domain to Include Oracle Virtual Directory".

  • Configure Multiple Directories as an Identity Store (optional; requires Oracle Virtual Directory): configure multiple directories as an Identity Store for Fusion Applications. See Chapter 13, "Configuring an Identity Store with Multiple Directories".

  • Configure Oracle Access Manager 11g. See Chapter 14, "Configuring Oracle Access Manager 11g".

  • Configure Oracle Identity Manager 11g. See Chapter 15, "Configuring Oracle Identity Manager".

  • Extend the Domain for Oracle Identity Federation (optional): run the Configuration Wizard again and extend the domain to include Oracle Identity Federation. See Chapter 16, "Extending the Domain to Include Oracle Identity Federation".

  • Set up Node Manager: enable host name verification, start Node Manager, and configure WebLogic Servers to use custom keystores. See Chapter 17, "Setting Up Node Manager for an Enterprise Deployment".

  • Configure Server Migration: configure server migration for the WLS_OIM1, WLS_SOA1, WLS_OIM2 and WLS_SOA2 Managed Servers. WLS_OIM1 and WLS_SOA1 are configured to restart on OIMHOST2 should a failure occur; WLS_OIM2 and WLS_SOA2 are configured to restart on OIMHOST1. See Chapter 18, "Configuring Server Migration for an Enterprise Deployment".

  • Integrate Identity Management Components: integrate Oracle Identity Management components for an enterprise deployment. See Chapter 19, "Integrating Oracle Identity Management Components for an Enterprise Deployment".

  • Configure Single Sign-On for Administration Consoles: configure single sign-on (SSO) for the administration consoles in an Identity Management enterprise deployment. See Chapter 20, "Configuring Single Sign-on for Administration Consoles in an Enterprise Deployment".