10 Identity Management

This chapter describes how you can use Grid Control to manage your Identity Management targets.

This chapter contains the following sections:

About Access and Identity Management

Oracle Identity Management provides a unified, integrated security platform designed to manage user identities, provision resources to users, secure access to corporate resources, enable trusted online business partnerships, and support compliance (identity analytics) across the enterprise.

Oracle Identity management products include the following:

  • Oracle Access Manager 10g

  • Oracle Identity Manager 9.x

  • Oracle Identity Federation 10g and 11g

  • Oracle Identity Management Suite 10g (including Oracle Internet Directory, Single Sign-On, Delegated Administration Services, and Directory Integration Platform)

  • Oracle Internet Directory 11g

  • Directory Integration Platform 11g

  • Oracle Virtual Directory 11g

Using Grid Control for Monitoring Identity Management Targets

Enterprise Manager helps you monitor the availability and diagnose the health of Identity Manager targets within your enterprise configuration. By deploying a Management Agent on each host, you can use Enterprise Manager to discover the Identity Management components on these hosts, and automatically begin monitoring them using default monitoring levels, notification rules, and so on.

Identity Component Server Home Page

In Enterprise Manager Grid Control 11g Release 1, an Identity and Access page provides a central site for monitoring all discovered Identity Management components. The Identity and Access page can be added to the Targets sub-tabs by clicking Preferences > Target and adding Identity and Access to the selected target sub-tabs. From the Identity and Access page, you can discover both Identity Management 10g and Identity Management 11g components, create systems and services based on the end-to-end Identity Management environment, and monitor the health of all discovered Identity Management components from a single page. All Identity Management targets, whether Access, Identity, Identity Federation, or Identity Manager, have their own server home pages that provide easy access to the key information administrators require. Each Identity Management Server home page provides the following information:

  • Server status, responsiveness, and performance data. This includes a wide range of out-of-box performance metrics (CPU utilization, failed and successful authentications or authorizations, average response time, provisioning metrics, and up/down status of servers and components) that help you find the root causes of problems that could slow performance, extend response times, or create outages.

  • Customizable performance summaries with a Metric Palette that allows users to drag and drop performance charts and drill down into usage and performance statistics for:

    • Oracle Identity Federation Providers that show authentication requests and responses, HTTP and SOAP requests and responses, and authentication response processing time.

    • Oracle Internet Directory User Statistics that show failed and completed LDAP operations like Add, Bind, Compare, Delete, Modify, and Search.

    • Directory Integration Platform Synchronization and Provisioning Profiles that show job status, successful, skipped, or failed changes, completion time, and errors.

  • Resource usage for the server and its components

  • Functionality to start, stop, and restart components

  • Configuration Management: Allows you to perform key configuration management tasks like keeping track of configuration changes for diagnostic and regulatory purposes, taking snapshots to store configurations, and comparing component configurations to ensure consistency of configurations within the same or across different environments.

Figure 10-1 shows the Access Manager - Access Server home page.

Figure 10-1 Access Manager - Access Server Home Page


Identity Management Systems

Identity Management services run on Identity Management systems defined in Grid Control. The system includes the software infrastructure components that the Identity services rely on, such as databases, HTTP servers, OC4J instances, and other servers.

The system is a collection of server targets that are grouped together in Grid Control to give you a view of the "data-center" components that comprise your Identity Management deployment. Identity Management Systems are created when Identity suite components are discovered using Grid Control. Grid Control also monitors the performance and availability of these components and provides a System Dashboard to view the health of the Identity Management system in a single window.

Figure 10-2 shows an Access Manager-Identity System home page:

Figure 10-2 Identity System Home Page


Configuring Identity Management Services

An Identity Management service is a logical target configured in Grid Control. Grid Control steps you through the process of configuring a web application service for your Identity component instances. After you configure a service, that service is displayed on the Services page.

Critical application functions are defined and monitored as services in Grid Control. Each service is monitored by Grid Control beacons, which run service tests that simulate real user access to the service. Service availability and performance are monitored automatically, and problems are immediately reported to the administrator. By monitoring availability and performance of Identity Management services, you can identify and resolve user-visible problems more quickly and thus minimize the impact on users.

Monitoring Services

Grid Control enables you to monitor all of your Identity Management services. Each service is monitored for performance, usage, and availability.

Each service has its own home page. The Service Home pages in Grid Control provide:

  • Status, responsiveness, and performance data

  • Resource usage data for the service

  • Summary information such as status, performance alerts, usage alerts, and policy violations for the service's subcomponents, including other services and associated systems

  • Links to home pages for the service's subcomponents

  • Alerts and diagnostic drill-downs so that you can identify and resolve problems quickly

  • Services Dashboard

    The Services Dashboard provides a high-level view of the status, performance, and usage of each Identity Management target. Service-level compliance for various time periods is also included for each service on the dashboard. You can launch the dashboard directly from the Identity system target home page. You can also publish the Services Dashboard so that it can be viewed by non-Enterprise Manager users. This allows you to provide a self-service status web page to your end users.

  • Related Links to do the following:

    • View metrics for the service

    • View client configurations

    • Edit the service

    • View the service target's properties

    • Manage blackouts

    • View and manage metric thresholds and policies

Identity Management Root Cause Analysis

Individual services in Identity Management are associated with critical system components. This allows Enterprise Manager to perform Root Cause Analysis down to the system level whenever a service outage is detected. When you configure an Identity Management service in Grid Control, as described in Configuring Identity Management Services, you also specify the critical system components of that service. When an Identity Management service goes down, Enterprise Manager automatically performs a root cause analysis to determine which critical system component is responsible for the outage.

Automated Identity Management Monitoring and Alerts

Enterprise Manager automatically gathers and evaluates diagnostic information from Identity Management targets distributed across the enterprise. As with all targets managed by Enterprise Manager, an extensive number of Identity Management performance metrics are automatically monitored against predefined thresholds. Alerts are generated in Grid Control when metrics exceed these thresholds.

Diagnosing Identity Management Performance and Availability Problems

You can use Grid Control to diagnose performance and availability problems with your Identity Management services. For example, if a service outage occurs, Root Cause Analysis will determine if the primary cause is an outage of a critical service or system component. If a service performance issue is found, an administrator can examine detailed metrics over time related to that service and any of the service or system components used by that service. When you suspect there is a problem with one or more server components in the Identity Management system, the system home pages provide metrics and charts for diagnosing the issue.

Administrators can monitor the health of all critical Identity Management components, including both Identity Management 10g and Identity Management 11g components. Thresholds may be defined against server and component statistics such as CPU utilization, the number of failed and successful authentications or authorizations, average response time, provisioning metrics (for example, the number of newly provisioned, created, deleted, disabled, or locked users), Identity Provider and Service Provider metrics, and up/down status of servers and components.

In addition to relying on system performance metrics, you may use Management Pack for Identity Management Service Tests to record synthetic web transactions that include a combination of one or more navigation paths within the application, to be used as the criteria for determining the availability of the service. For example, Oracle Access Manager requires that a user be successfully authenticated and authorized against a certain WebGate for the service to be considered available. Enterprise Manager uses these logical tasks or transactions to define the availability of the Identity Management environment. In addition to synthetic web transactions, Enterprise Manager also supports LDAP tests that allow you to record LDAP operations against a specific LDAP server (including Oracle Virtual Directory). With the LDAP tests, you can specify the username or password, Search Filter, Search Base, and Compare Attribute Name or Value. These synthetic web transactions are recorded, and the stored transaction or service test can be launched at a user-defined interval from strategic locations across the user base.
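As an added illustration (not code from the Oracle documentation or from Grid Control itself), the following Python models the two behaviours described here and under Identity Management Root Cause Analysis: evaluating Identity Management metrics against warning and critical thresholds, and walking a failed service's critical system components to find the one responsible. Metric names, thresholds, target names, and statuses are constructed sample values, not values taken from a real deployment.

```python
from dataclasses import dataclass

@dataclass
class Threshold:
    """Warning/critical boundaries for one metric (constructed values)."""
    warning: float
    critical: float
    higher_is_worse: bool = True  # False for metrics such as successful logins

def severity(value, th):
    """Map a metric sample to CLEAR / WARNING / CRITICAL, Enterprise Manager style."""
    breach = (lambda limit: value >= limit) if th.higher_is_worse else (lambda limit: value <= limit)
    if breach(th.critical):
        return "CRITICAL"
    return "WARNING" if breach(th.warning) else "CLEAR"

def evaluate_metrics(samples, thresholds):
    """Return (target, metric, value, severity) for every sample past a threshold."""
    alerts = []
    for (target, metric), value in samples.items():
        th = thresholds.get(metric)
        if th is not None and (sev := severity(value, th)) != "CLEAR":
            alerts.append((target, metric, value, sev))
    return alerts

def root_cause(service, service_status, critical_components, component_status):
    """Root cause analysis: when a service test fails, list which of the service's
    critical components are down (empty list: service up, or no component explains it)."""
    if service_status.get(service, "up") == "up":
        return []
    return [c for c in critical_components.get(service, []) if component_status.get(c) == "down"]

# Constructed sample data modelled on the metrics the chapter names.
THRESHOLDS = {
    "cpu_utilization": Threshold(80, 90),
    "failed_authentications": Threshold(25, 50),
    "ldap_avg_response_ms": Threshold(200, 500),
    "successful_authentications": Threshold(50, 10, higher_is_worse=False),
}
SAMPLES = {
    ("oid_server1", "cpu_utilization"): 93.5,
    ("oid_server1", "ldap_avg_response_ms"): 120,
    ("access_server1", "failed_authentications"): 40,
    ("access_server1", "successful_authentications"): 8,
}
CRITICAL_COMPONENTS = {"SSO Login Service": ["access_server1", "oid_server1", "oid_database"]}
SERVICE_STATUS = {"SSO Login Service": "down"}
COMPONENT_STATUS = {"access_server1": "up", "oid_server1": "up", "oid_database": "down"}
```

Calling evaluate_metrics(SAMPLES, THRESHOLDS) raises three alerts (CPU critical, failed authentications warning, successful authentications critical because lower is worse), and root_cause("SSO Login Service", ...) singles out oid_database as the component behind the outage.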

Leveraging the Grid Control Management Framework

Grid Control includes many general features that are useful to an Identity Management administrator, including:

  • Job Automation: You can use the Grid Control job system to schedule tasks you want to automate.

  • Policies: You can utilize the policy framework to ensure your Identity Management infrastructure adheres to your site-specific standards.

  • Database and Application Server Management: Using the single Grid Control console, you can also manage the specific databases and application servers in your Identity Management deployment if needed.

  • Extensions: Grid Control also includes monitoring of key network components that may be part of your Identity Management deployment. You can also extend Grid Control to monitor other components that are not recognized out-of-box by Enterprise Manager.