Oracle Identity Management presents a comprehensive suite of products for all aspects of identity management. This guide describes five reference enterprise topologies for the Oracle Identity Management Infrastructure components of Oracle Fusion Middleware. It also provides detailed instructions and recommendations for creating the topologies by following the enterprise deployment guidelines.
This chapter includes the following topics:
An enterprise deployment is an Oracle best practices blueprint based on proven Oracle high-availability technologies and recommendations for Oracle Fusion Middleware. The high-availability best practices described in this book make up one of several components of high-availability best practices for all Oracle products across the entire technology stack—Oracle Database, Oracle Fusion Middleware, Oracle Applications, Oracle Collaboration Suite, and Oracle Grid Control.
An Oracle Fusion Middleware enterprise deployment:
Considers various business service level agreements (SLA) to make high-availability best practices as widely applicable as possible
Leverages database grid servers and storage grid with low-cost storage to provide highly resilient, lower cost infrastructure
Uses results from extensive performance impact studies for different configurations to ensure that the high-availability architecture is optimally configured to perform and scale to business needs
Enables control over the length of time to recover from an outage and the amount of acceptable data loss from a natural disaster
Evolves with each Oracle version and is completely independent of hardware and operating system
For more information on high availability practices, visit:
http://www.oracle.com/technology/deploy/availability/htdocs/maa.htm
Table 1-1 provides definitions for some of the terms that define the architecture of an Oracle Fusion Middleware environment:
Table 1-1 Oracle Fusion Middleware Architecture Terminology
The Oracle Fusion Middleware configurations discussed in this guide are designed to ensure security of all transactions, maximize hardware resources, and provide a reliable, standards-compliant system for enterprise computing with a variety of applications. The security and high availability benefits of the Oracle Fusion Middleware configurations are realized through isolation in firewall zones and replication of software components.
This section contains the following topics:
The Enterprise Deployment architectures are secure because every functional group of software components is isolated in its own DMZ, and all traffic is restricted by protocol and port. The following characteristics ensure security at all needed levels, as well as a high level of standards compliance:
All external communication received on port 80 is redirected to port 443.
Communication from external clients does not go beyond the Load Balancing Router level.
No direct communication from the Load Balancing Router to the data tier DMZ is allowed.
Components are separated between DMZs on the web tier, application tier, and the directory tier.
Direct communication across two firewalls at any one time is prohibited.
If a communication begins in one firewall zone, it must end in the next firewall zone.
Oracle Internet Directory is isolated in the directory tier DMZ.
Identity Management components are in the application tier DMZ.
All communication between components across DMZs is restricted by port and protocol, according to firewall rules.
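To make the zone rules above concrete, the following Python script is an added illustration (not part of this guide or of any Oracle product) that models the four zones and a per-zone port allow-list, then checks a constructed set of flows against the two rules stated above: a new connection may only end in the next zone inward, and only on a port the firewall in front of that zone permits. The zone names, the port numbers used for the WebLogic HTTP listeners and the OAP/OIP channels, and the sample flows are assumptions chosen to mirror the text; substitute the ports configured in your own environment.

```python
"""Zone-traversal policy checker for the tiered DMZ layout described above.

Added example, not Oracle's code. Zone names, representative port numbers and
the sample flows are assumptions chosen to mirror the guide's text.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Firewall zones from the outside in; one firewall separates each adjacent pair.
ZONES: List[str] = ["internet", "web", "app", "directory"]

# (protocol, port) pairs the firewall in front of each zone admits.
# Port values are assumptions: 7777 stands in for the WebLogic HTTP listen
# ports, 6021/6022 for the OAP and OIP ports; all of these are configurable.
ALLOWED_INBOUND: Dict[str, Set[Tuple[str, int]]] = {
    "web": {("tcp", 80), ("tcp", 443)},
    "app": {("tcp", 7777), ("tcp", 6021), ("tcp", 6022)},
    "directory": {("tcp", 389), ("tcp", 636)},
}


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    proto: str
    port: int
    purpose: str = ""


def check_flow(flow: Flow) -> Tuple[bool, str]:
    """Return (allowed, reason) for one new connection under the zone rules."""
    if flow.src_zone not in ZONES or flow.dst_zone not in ZONES:
        return False, "unknown zone"
    src = ZONES.index(flow.src_zone)
    dst = ZONES.index(flow.dst_zone)
    if dst == src:
        return True, "intra-zone traffic does not cross a firewall"
    if dst < src:
        return False, "only inward connections are modelled; replies ride the stateful session"
    if dst - src > 1:
        return False, f"crosses {dst - src} firewalls; a flow must end in the next zone"
    if (flow.proto, flow.port) not in ALLOWED_INBOUND[flow.dst_zone]:
        return False, f"{flow.proto}/{flow.port} is not permitted into the {flow.dst_zone} zone"
    return True, "adjacent zone and permitted port"


def audit(flows: List[Flow]) -> List[Tuple[Flow, bool, str]]:
    """Evaluate every flow and keep the verdict next to it."""
    return [(f, *check_flow(f)) for f in flows]


def denied(flows: List[Flow]) -> List[Flow]:
    """The subset of flows the policy rejects, in input order."""
    return [f for f, ok, _ in audit(flows) if not ok]


# Constructed sample: the flows the topology describes, plus three that violate
# the rules (the LBR reaching the directory tier directly, Oracle HTTP Server
# speaking LDAP straight to the directory tier, and an SSH hop into the app tier).
SAMPLE_FLOWS: List[Flow] = [
    Flow("internet", "web", "tcp", 443, "client -> LBR -> OHS (HTTPS)"),
    Flow("web", "app", "tcp", 7777, "mod_wl_ohs -> WLS managed servers"),
    Flow("web", "app", "tcp", 6021, "WebGate -> Access Server (OAP)"),
    Flow("app", "app", "tcp", 7777, "cluster member -> cluster member"),
    Flow("app", "directory", "tcp", 636, "OAM/ODSM -> OVD/OID (LDAPS)"),
    Flow("internet", "directory", "tcp", 389, "LBR -> OID directly"),
    Flow("web", "directory", "tcp", 389, "OHS -> OID, skipping the app tier"),
    Flow("web", "app", "tcp", 22, "SSH from web tier into app tier"),
]

if __name__ == "__main__":
    for flow, ok, why in audit(SAMPLE_FLOWS):
        verdict = "ALLOW" if ok else "DENY"
        print(f"{verdict:5} {flow.src_zone:>9} -> {flow.dst_zone:<9} "
              f"{flow.proto}/{flow.port:<5} {why}  [{flow.purpose}]")
```

Running the script prints one ALLOW or DENY line per flow. The three denials are the direct Load Balancing Router path to the directory tier, an Oracle HTTP Server instance talking LDAP straight to the directory tier (two firewalls crossed), and an SSH hop into the application tier (port not in the allow-list). Feeding the flow table from a real firewall change request through the same check is a quick way to catch a rule that breaks the one-zone-at-a-time model before it is applied.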
Oracle Identity Management consists of a number of products, which can be used either individually or collectively. The Enterprise Deployment Guide for Identity Management allows you to build five different enterprise topologies. This section describes them.
Section 1.4.2, "Topology 2 - Oracle Access Manager 10g and Oracle Identity Manager 11g"
Section 1.4.3, "Topology 3 - Oracle Access Manager 11g and Oracle Identity Manager 11g"
Section 1.4.4, "Topology 4 - Oracle Adaptive Access Manager 11g"
Section 1.4.5, "Topology 5 - Oracle Identity Federation 11g"
Figure 1-1 is a diagram of the Oracle Access Manager 11g topology.
The directory tier is in the Intranet Zone. The directory tier is the deployment tier where all the LDAP services reside. This tier includes products such as Oracle Internet Directory and Oracle Virtual Directory. The directory tier is managed by directory administrators providing enterprise LDAP service support. The directory tier is closely tied to the data tier. Access to the data tier is important for the following reasons:
Oracle Internet Directory relies on Oracle Database as its back end.
Oracle Virtual Directory provides virtualization support for other LDAP services or databases or both.
In some cases, the directory tier and data tier might be managed by the same group of administrators. In many enterprises, however, database administrators own the data tier while directory administrators own the directory tier.
Typically protected by firewalls, applications above the directory tier access LDAP services through a designated LDAP host port. The standard LDAP port is 389 for the non-SSL port and 636 for the SSL port. LDAP services are often used for white pages lookup by clients such as email clients in the intranet.
The application tier is the tier where J2EE applications are deployed. Products such as Oracle Directory Integration Platform, Oracle Identity Federation, Oracle Directory Services Manager and Oracle Enterprise Manager Fusion Middleware Control are the key J2EE components that can be deployed in this tier. Applications in this tier benefit from the High Availability support of Oracle WebLogic Server.
The Identity Management applications in the application tier interact with the directory tier as follows:
In some cases, they leverage the directory tier for enterprise identity information.
In some cases, they leverage the directory tier (and sometimes the database in the data tier) for application metadata.
Oracle Enterprise Manager Fusion Middleware Control and Oracle Directory Services Manager are administration tools that provide administrative functionalities to the components in the application tier as well as the directory tier.
WebLogic Server has built-in web server support. If enabled, the HTTP listener exists in the application tier as well. However, for the enterprise deployment shown in Figure 1-1, customers will have a separate web tier relying on web servers such as Apache or Oracle HTTP Server.
In the application tier:
IDMHOST1 and IDMHOST2 have WebLogic Server with the Administration Console, Oracle Enterprise Manager Fusion Middleware Control, Oracle Directory Integration Platform, Oracle Directory Services Manager and Oracle Access Server installed. IDMHOST1 and IDMHOST2 run both the WebLogic Server Administration Server and Managed Servers. Note that the Administration Server is configured active-passive: although it is installed on both nodes, only one instance is active at any time. If the active instance goes down, the passive instance is started and becomes the active instance.
The Oracle Access Server communicates with Oracle Virtual Directory in the directory tier to verify user information.
On the firewall protecting the application tier, the HTTP ports, OIP port, and OAP port are open. The OIP (Oracle Identity Protocol) port is for the WebPass module running in Oracle HTTP Server in the web tier to communicate with Oracle Access Manager to perform operations such as querying user groups. The OAP (Oracle Access Protocol) port is for the WebGate module running in Oracle HTTP Server in the web tier to communicate with Oracle Access Manager to perform operations such as user authentication.
Oracle Enterprise Manager Fusion Middleware Control is integrated with Oracle Access Manager using the Oracle Platform Security Service (OPSS) agent.
The Administration Server, Oracle Enterprise Manager and Oracle Access Manager console are always bound to the listen address of the Administration Server.
The WLS_ODS1 Managed Server on IDMHOST1 and WLS_ODS2 Managed Server on IDMHOST2 are in a cluster and the Oracle Directory Services Manager and Oracle Directory Integration Platform applications are targeted to the cluster.
The WLS_OAM1 Managed Server on IDMHOST1 and WLS_OAM2 Managed Server on IDMHOST2 are in a cluster and the Access Manager applications are targeted to the cluster.
Oracle Directory Services Manager and Oracle Directory Integration Platform are bound to the listen addresses of the WLS_ODS1 and WLS_ODS2 Managed Servers. By default, the listen address for these Managed Servers is set to IDMHOST1 and IDMHOST2 respectively.
The Identity Servers and Access Servers are active-active deployments; the Access Server may communicate with the Identity Server at run time.
The WebLogic Administration Server and Oracle Enterprise Manager deployment is active-passive (where other components are active-active).
The WebLogic Administration Server is a singleton component deployed in an active-passive configuration. If IDMHOST1 fails or the Administration Server on IDMHOST1 does not start, the Administration Server on IDMHOST2 can be started. All Managed Servers and components on IDMHOST1 and IDMHOST2 must be configured with the Administration Server virtual IP address.
The Oracle WebLogic Server Administration Console, Oracle Enterprise Manager Fusion Middleware Control console, and Oracle Access Manager console are only accessible via admin.mycompany.com, which is only available inside the firewall.
The web tier is in the DMZ Public Zone. The HTTP Servers are deployed in the web tier.
Most of the Identity Management components can function without the web tier, but for most enterprise deployments, the web tier is desirable. To support enterprise level single sign-on using products such as Oracle Single Sign-On and Oracle Access Manager, the web tier is required.
While components such as Oracle Enterprise Manager Fusion Middleware Control and Oracle Directory Services Manager can function without a web tier, they can be configured to use a web tier, if desired.
In the web tier:
WEBHOST1 and WEBHOST2 have Oracle HTTP Server, WebGate (an Oracle Access Manager component), and the mod_wl_ohs plug-in module installed. The mod_wl_ohs plug-in module allows requests to be proxied from Oracle HTTP Server to a WebLogic Server running in the application tier.
WebGate (an Oracle Access Manager component) in Oracle HTTP Server uses Oracle Access Protocol (OAP) to communicate with Oracle Access Manager running on IDMHOST1 and IDMHOST2 in the Identity Management DMZ. WebGate and Oracle Access Manager are used to perform operations such as user authentication.
On the firewall protecting the web tier, only the HTTP ports are open: 443 for HTTPS and 80 for HTTP.
Oracle HTTP Servers on WEBHOST1 and WEBHOST2 are configured with mod_wl_ohs, and proxy requests for the Oracle Enterprise Manager, Oracle Directory Integration Platform, and Oracle Directory Services Manager J2EE applications deployed in WebLogic Server on IDMHOST1 and IDMHOST2.
The Oracle HTTP Servers process requests received using the URLs sso.mycompany.com and admin.mycompany.com. The name admin.mycompany.com is only resolvable inside the firewall. This prevents access to sensitive resources such as the Oracle WebLogic Server Administration Console and Oracle Enterprise Manager Fusion Middleware Control console from the public domain. Note that internal-only DNS is a scoping measure rather than an access control in itself: a client that can already reach the web tier can still present a Host header of admin.mycompany.com, so the administrative virtual host should also be bound to an internal listen address or restricted by firewall rule to internal sources.
Figure 1-2 is a diagram of the Oracle Access Manager 10g and Oracle Identity Manager 11g topology.
The directory tier is in the Intranet Zone. The directory tier is the deployment tier where all the LDAP services reside. This tier includes products such as Oracle Internet Directory and Oracle Virtual Directory. The directory tier is managed by directory administrators providing enterprise LDAP service support.
The directory tier is closely tied with the data tier. Access to the data tier is important for the following reasons:
Oracle Internet Directory relies on Oracle Database as its backend.
Oracle Virtual Directory provides virtualization support for other LDAP services or databases or both.
In some cases, the directory tier and data tier may be managed by the same group of administrators. In many enterprises, however, database administrators own the data tier while directory administrators own the directory tier.
Typically protected by firewalls, applications above the directory tier access LDAP services through a designated LDAP host port. The standard LDAP port is 389 for the non-SSL port and 636 for the SSL port. LDAP services are often used for white pages lookup by clients such as email clients in the intranet.
The application tier is the tier where J2EE applications are deployed. Products such as Oracle Directory Integration Platform, Oracle Identity Federation, Oracle Directory Services Manager and Oracle Enterprise Manager Fusion Middleware Control are the key J2EE components that can be deployed in this tier. Applications in this tier benefit from the High Availability support of Oracle WebLogic Server.
The Identity Management applications in the application tier interact with the directory tier as follows:
In some cases, they leverage the directory tier for enterprise identity information.
In some cases, they leverage the directory tier (and sometimes the database in the data tier) for application metadata.
Oracle Enterprise Manager Fusion Middleware Control and Oracle Directory Services Manager are administration tools that provide administrative functionalities to the components in the application tier as well as the directory tier.
WebLogic Server has built-in web server support. If enabled, the HTTP listener will exist in the application tier as well. However, for the enterprise deployment shown in Figure 1-2, customers will have a separate web tier relying on web servers such as Apache or Oracle HTTP Server.
In the application tier:
IDMHOST1 and IDMHOST2 have WebLogic Server with the Administration Console, Oracle Enterprise Manager Fusion Middleware Control, Oracle Directory Integration Platform, and Oracle Directory Services Manager installed. IDMHOST1 and IDMHOST2 run both the WebLogic Server Administration Server and Managed Servers. Note that the Administration Server is configured active-passive: although it is installed on both nodes, only one instance is active at any time. If the active instance goes down, the passive instance is started and becomes the active instance.
On the firewall protecting the application tier, the HTTP ports, OIP port, and OAP port are open. The OIP (Oracle Identity Protocol) port is for the WebPass module running in Oracle HTTP Server in the web tier to communicate with Oracle Access Manager to perform operations such as querying user groups. The OAP (Oracle Access Protocol) port is for the WebGate module running in Oracle HTTP Server in the web tier to communicate with Oracle Access Manager to perform operations such as user authentication.
OAMHOST1 and OAMHOST2 have Oracle Access Manager (with the Identity Server and Access Server components) installed. Oracle Access Manager is the single sign-on component for Oracle Fusion Middleware. It communicates with Oracle Internet Directory in the directory tier to verify user information.
OIMHOST1 and OIMHOST2 have Oracle Identity Manager and Oracle SOA installed. Oracle Identity Manager is used for provisioning. Oracle SOA provides the workflow functionality.
OAMADMINHOST is on an isolated subnet (for Oracle Access Manager administration), and has Oracle HTTP Server, WebGate, WebPass, and Policy Manager installed.
Oracle Enterprise Manager Fusion Middleware Control is integrated with Oracle Access Manager using the Oracle Platform Security Service (OPSS) agent.
The Administration Server, Oracle Enterprise Manager and Oracle Access Manager console are always bound to the listen address of the Administration Server.
The WLS_ODS1 Managed Server on IDMHOST1 and WLS_ODS2 Managed Server on IDMHOST2 are in a cluster and the Oracle Directory Services Manager and Oracle Directory Integration Platform applications are targeted to the cluster.
Oracle Directory Services Manager and Oracle Directory Integration Platform are bound to the listen addresses of the WLS_ODS1 and WLS_ODS2 Managed Servers. By default, the listen address for these Managed Servers is set to IDMHOST1 and IDMHOST2 respectively.
The WLS_OIM1 Managed Server on OIMHOST1 and WLS_OIM2 Managed Server on OIMHOST2 are in a cluster and the Oracle Identity Manager applications are targeted to the cluster.
The WLS_SOA1 Managed Server on OIMHOST1 and WLS_SOA2 Managed Server on OIMHOST2 are in a cluster and the Oracle SOA applications are targeted to the cluster.
The Identity Servers and Access Servers are active-active deployments; the Access Server may communicate with the Identity Server at run time.
The Oracle Identity Manager servers and SOA servers are active-active deployments; these servers communicate with the data tier at run time.
The WebLogic Administration Server and Oracle Enterprise Manager deployment is active-passive, unlike other components, which are active-active.
The WebLogic Administration Server is a singleton component deployed in an active-passive configuration. If IDMHOST1 fails or the Administration Server on IDMHOST1 does not start, the Administration Server on IDMHOST2 can be started. All Managed Servers and components on IDMHOST1 and IDMHOST2 must be configured with the Administration Server virtual IP address.
The Oracle WebLogic Server Administration Console, Oracle Enterprise Manager Fusion Middleware Control console and Oracle Access Manager console are only accessible through admin.mycompany.com, which is only available inside the firewall.
WebPass communication from the public DMZ to Identity and Access Servers is not allowed.
The Policy Manager (an Oracle HTTP Server module secured with both WebGate and WebPass) is deployed in an isolated administrative subnet, which communicates directly with Oracle Internet Directory.
The web tier is in the DMZ Public Zone. The HTTP Servers are deployed in the web tier.
Most of the Identity Management components can function without the web tier, but for most enterprise deployments, the web tier is desirable. To support enterprise level single sign-on using products such as Oracle Single Sign-On and Oracle Access Manager, the web tier is required.
While components such as Oracle Enterprise Manager Fusion Middleware Control and Oracle Directory Services Manager can function without a web tier, they can be configured to use a web tier, if desired.
In the web tier:
WEBHOST1 and WEBHOST2 have Oracle HTTP Server, WebGate (an Oracle Access Manager component), and the mod_wl_ohs plug-in module installed. The mod_wl_ohs plug-in module allows requests to be proxied from Oracle HTTP Server to a WebLogic Server running in the application tier.
WebGate (an Oracle Access Manager component) in Oracle HTTP Server uses Oracle Access Protocol (OAP) to communicate with the Oracle Access Manager Access Servers running on OAMHOST1 and OAMHOST2 in the Identity Management DMZ. WebGate and Oracle Access Manager are used to perform operations such as user authentication.
On the firewall protecting the web tier, only the HTTP ports are open: 443 for HTTPS and 80 for HTTP.
Oracle HTTP Servers on WEBHOST1 and WEBHOST2 are configured with mod_wl_ohs, and proxy requests for the Oracle Enterprise Manager, Oracle Directory Integration Platform, and Oracle Directory Services Manager J2EE applications deployed in WebLogic Server on IDMHOST1 and IDMHOST2.
The Oracle HTTP Servers process requests received using the URLs sso.mycompany.com and admin.mycompany.com. The name admin.mycompany.com is only resolvable inside the firewall. This prevents access to sensitive resources such as the Oracle WebLogic Server Administration Console and Oracle Enterprise Manager Fusion Middleware Control console from the public domain.
WebPass is installed on OAMADMINHOST along with the Policy Manager. The Policy Manager and WebPass are used to configure the Access Servers and Identity Servers on OAMHOST1 and OAMHOST2.
WebGate is installed on OAMADMINHOST to protect the Policy Manager, and on WEBHOST1 and WEBHOST2 to protect inbound access.
Oracle Access Manager Identity Assertion Provider for WebLogic Server 11gR1 is installed on IDMHOST1 and IDMHOST2.
Figure 1-3 is a diagram of the Oracle Access Manager 11g and Oracle Identity Manager 11g topology.
The directory tier is in the Intranet Zone. The directory tier is the deployment tier where all the LDAP services reside. This tier includes products such as Oracle Internet Directory and Oracle Virtual Directory. The directory tier is managed by directory administrators providing enterprise LDAP service support.
The directory tier is closely tied with the data tier, therefore access to the data tier is important:
Oracle Internet Directory relies on RDBMS as its backend.
Oracle Virtual Directory provides virtualization support for other LDAP services or databases or both.
In some cases, the directory tier and data tier may be managed by the same group of administrators. In many enterprises, however, database administrators own the data tier while directory administrators own the directory tier.
Typically protected by firewalls, applications above the directory tier access LDAP services through a designated LDAP host port. The standard LDAP port is 389 for the non-SSL port and 636 for the SSL port. LDAP services are often used for white pages lookup by clients such as email clients in the intranet.
The application tier is the tier where J2EE applications are deployed. Products such as Oracle Directory Integration Platform, Oracle Identity Federation, Oracle Directory Services Manager and Oracle Enterprise Manager Fusion Middleware Control are the key J2EE components that can be deployed in this tier. Applications in this tier benefit from the High Availability support of Oracle WebLogic Server.
The Identity Management applications in the application tier interact with the directory tier as follows:
In some cases, they leverage the directory tier for enterprise identity information.
In some cases, they leverage the directory tier (and sometimes the database in the data tier) for application metadata.
Oracle Enterprise Manager Fusion Middleware Control and Oracle Directory Services Manager are administration tools that provide administrative functionalities to the components in the application tier as well as the directory tier.
WebLogic Server has built-in web server support. If enabled, the HTTP listener will exist in the application tier as well. However, for the enterprise deployment shown in Figure 1-3, customers will have a separate web tier relying on web servers such as Apache or Oracle HTTP Server.
In the application tier:
IDMHOST1 and IDMHOST2 have WebLogic Server with the Administration Console, Oracle Enterprise Manager Fusion Middleware Control, Oracle Directory Integration Platform, Oracle Directory Services Manager and Oracle Access Server installed. IDMHOST1 and IDMHOST2 run both the WebLogic Server Administration Server and Managed Servers. Note that the Administration Server is configured active-passive: although it is installed on both nodes, only one instance is active at any time. If the active instance goes down, the passive instance is started and becomes the active instance.
The Oracle Access Server communicates with Oracle Virtual Directory in the directory tier to verify user information.
On the firewall protecting the application tier, the HTTP ports, OIP port, and OAP port are open. The OIP (Oracle Identity Protocol) port is for the WebPass module running in Oracle HTTP Server in the web tier to communicate with Oracle Access Manager to perform operations such as querying user groups. The OAP (Oracle Access Protocol) port is for the WebGate module running in Oracle HTTP Server in the web tier to communicate with Oracle Access Manager to perform operations such as user authentication.
OIMHOST1 and OIMHOST2 have Oracle Identity Manager and Oracle SOA installed. Oracle Identity Manager is a user provisioning application. Oracle SOA in this topology is used exclusively to provide workflow functionality for Oracle Identity Manager.
Oracle Enterprise Manager Fusion Middleware Control is integrated with Oracle Access Manager using the Oracle Platform Security Service (OPSS) agent.
The Administration Server, Oracle Enterprise Manager Fusion Middleware Control, and Oracle Access Manager console are always bound to the listen address of the Administration Server.
The WLS_ODS1 Managed Server on IDMHOST1 and WLS_ODS2 Managed Server on IDMHOST2 are in a cluster and the Oracle Directory Services Manager and Oracle Directory Integration Platform applications are targeted to the cluster.
The WLS_OAM1 Managed Server on IDMHOST1 and WLS_OAM2 Managed Server on IDMHOST2 are in a cluster and the Access Manager applications are targeted to the cluster.
Oracle Directory Services Manager and Oracle Directory Integration Platform are bound to the listen addresses of the WLS_ODS1 and WLS_ODS2 Managed Servers. By default, the listen address for these Managed Servers is set to IDMHOST1 and IDMHOST2 respectively.
The WLS_OIM1 Managed Server on OIMHOST1 and WLS_OIM2 Managed Server on OIMHOST2 are in a cluster and the Oracle Identity Manager applications are targeted to the cluster.
The WLS_SOA1 Managed Server on OIMHOST1 and WLS_SOA2 Managed Server on OIMHOST2 are in a cluster and the Oracle SOA applications are targeted to the cluster.
The Identity Servers and Access Servers are active-active deployments; the Access Server may communicate with the Identity Server at run time.
The Identity Management Servers and SOA Servers are active-active deployments; these servers will communicate with the data tier at run time.
The WebLogic Administration Server and Oracle Enterprise Manager deployment is active-passive, unlike other components, which are active-active.
The WebLogic Administration Server is a singleton component deployed in an active-passive configuration. If IDMHOST1 fails or the Administration Server on IDMHOST1 does not start, the Administration Server on IDMHOST2 can be started. All Managed Servers and components on IDMHOST1 and IDMHOST2 must be configured with the Administration Server virtual IP address.
The Oracle WebLogic Server Administration Console, Oracle Enterprise Manager Fusion Middleware Control, and Oracle Access Manager Console are only accessible via admin.mycompany.com, which is only available inside the firewall.
The web tier is in the DMZ Public Zone. The HTTP Servers are deployed in the web tier.
Most of the Identity Management components can function without the web tier, but for most enterprise deployments, the web tier is desirable. To support enterprise level single sign-on using products such as Oracle Single Sign-On and Oracle Access Manager, the web tier is required.
While components such as Oracle Enterprise Manager Fusion Middleware Control and Oracle Directory Services Manager can function without a web tier, they can be configured to use a web tier, if desired.
In the web tier:
WEBHOST1 and WEBHOST2 have Oracle HTTP Server, WebGate (an Oracle Access Manager component), and the mod_wl_ohs plug-in module installed. The mod_wl_ohs plug-in module allows requests to be proxied from Oracle HTTP Server to a WebLogic Server running in the application tier.
WebGate (an Oracle Access Manager component) in Oracle HTTP Server uses Oracle Access Protocol (OAP) to communicate with Oracle Access Manager running on IDMHOST1 and IDMHOST2 in the Identity Management DMZ. WebGate and Oracle Access Manager are used to perform operations such as user authentication.
On the firewall protecting the web tier, only the HTTP ports are open: 443 for HTTPS and 80 for HTTP.
Oracle HTTP Servers on WEBHOST1 and WEBHOST2 are configured with mod_wl_ohs, and proxy requests for the Oracle Enterprise Manager, Oracle Directory Integration Platform, and Oracle Directory Services Manager J2EE applications deployed in WebLogic Server on IDMHOST1 and IDMHOST2.
The Oracle HTTP Servers process requests received using the URLs sso.mycompany.com and admin.mycompany.com. The name admin.mycompany.com is only resolvable inside the firewall. This prevents access to sensitive resources such as the Oracle WebLogic Server Administration Console and Oracle Enterprise Manager Fusion Middleware Control from the public domain.
Figure 1-4 is a diagram of the Oracle Adaptive Access Manager 11g topology.
The directory tier is in the Intranet Zone. The directory tier is the deployment tier where all the LDAP services reside. This tier includes products such as Oracle Internet Directory and Oracle Virtual Directory. The directory tier is managed by directory administrators providing enterprise LDAP service support.
The directory tier is closely tied with the data tier, therefore access to the data tier is important:
Oracle Internet Directory relies on RDBMS as its backend.
Oracle Virtual Directory provides virtualization support for other LDAP services or databases or both.
In some cases, the directory tier and data tier may be managed by the same group of administrators. In many enterprises, however, database administrators own the data tier while directory administrators own the directory tier.
Typically protected by firewalls, applications above the directory tier access LDAP services through a designated LDAP host port. The standard LDAP port is 389 for the non-SSL port and 636 for the SSL port. LDAP services are often used for white pages lookup by clients such as email clients in the intranet.
The application tier is the tier where J2EE applications are deployed. Products such as Oracle Directory Integration Platform, Oracle Identity Federation, Oracle Directory Services Manager and Oracle Enterprise Manager Fusion Middleware Control are the key J2EE components that can be deployed in this tier. Applications in this tier benefit from the High Availability support of Oracle WebLogic Server.
The Identity Management applications in the application tier interact with the directory tier:
In some cases, they leverage the directory tier for enterprise identity information.
In some cases, they leverage the directory tier (and sometimes the database in the data tier) for application metadata.
Oracle Enterprise Manager Fusion Middleware Control and Oracle Directory Services Manager are administration tools that provide administrative functionalities to the components in the application tier as well as the directory tier.
WebLogic Server has built-in web server support. If enabled, the HTTP listener will exist in the application tier as well. However, for the enterprise deployment shown in Figure 1-4, customers will have a separate web tier relying on web servers such as Apache or Oracle HTTP Server.
In the application tier:
IDMHOST1 and IDMHOST2 have WebLogic Server with the Administration Console, Oracle Enterprise Manager Fusion Middleware Control, Oracle Directory Integration Platform, Oracle Directory Services Manager and Oracle Access Server installed. IDMHOST1 and IDMHOST2 run both the WebLogic Server Administration Server and Managed Servers. Note that the Administration Server is configured active-passive: although it is installed on both nodes, only one instance is active at any time. If the active instance goes down, the passive instance is started and becomes the active instance.
The Oracle Access Server communicates with Oracle Virtual Directory in the directory tier to verify user information.
On the firewall protecting the application tier, the HTTP ports, OIP port, and OAP port are open. The OIP (Oracle Identity Protocol) port is for the WebPass module running in Oracle HTTP Server in the web tier to communicate with Oracle Access Manager to perform operations such as querying user groups. The OAP (Oracle Access Protocol) port is for the WebGate module running in Oracle HTTP Server in the web tier to communicate with Oracle Access Manager to perform operations such as user authentication.
OAAMHOST1 and OAAMHOST2 have the WebLogic Server with the Oracle Adaptive Access Manager Server and Console installed.
Oracle Enterprise Manager Fusion Middleware Control is integrated with Oracle Access Manager using the Oracle Platform Security Service (OPSS) agent.
The Administration Server, Oracle Enterprise Manager and Oracle Access Manager console are always bound to the listen address of the Administration Server.
The WLS_ODS1 Managed Server on IDMHOST1 and WLS_ODS2 Managed Server on IDMHOST2 are in a cluster, and the Oracle Directory Services Manager and Oracle Directory Integration Platform applications are targeted to the cluster.
The WLS_OAM1 Managed Server on IDMHOST1 and WLS_OAM2 Managed Server on IDMHOST2 are in a cluster, and the Oracle Directory Services Manager and Access Manager applications are targeted to the cluster.
The WLS_OAAM1 Managed Server on OAAMHOST1 and WLS_OAAM2 Managed Server on OAAMHOST2 are in a cluster, and the Oracle Adaptive Access server applications are targeted to the cluster.
The WLS_OAAM_ADMIN1 Managed Server on OAAMHOST1 and WLS_OAAM_ADMIN2 Managed Server on OAAMHOST2 are in a cluster, and the Oracle Adaptive Access Administration console applications are targeted to the cluster.
Oracle Directory Services Manager and Oracle Directory Integration Platform are bound to the listen addresses of the WLS_ODS1 and WLS_ODS2 Managed Servers. By default, the listen address for these Managed Servers is set to IDMHOST1 and IDMHOST2 respectively.
The Identity Servers and Access Servers are active-active deployments; the Access Server may communicate with the Identity Server at run time.
The Oracle Adaptive Access Servers are active-active deployments; they may communicate with the Identity Server at run time and will communicate with the data tier.
The WebLogic Administration Server and Oracle Enterprise Manager deployment is active-passive (where other components are active-active).
The WebLogic Administration Server is a singleton component deployed in an active-passive configuration. If IDMHOST1 fails or the Administration Server on IDMHOST1 does not start, the Administration Server on IDMHOST2 can be started. All Managed Servers and components on IDMHOST1 and IDMHOST2 must be configured with the Administration Server virtual IP.
Oracle WebLogic Console, Oracle Fusion Middleware Console, Oracle Access Manager Console and Oracle Adaptive Access Manager Console are only accessible via admin.mycompany.com, which is only available inside the firewall.
The web tier is in the DMZ Public Zone. The HTTP Servers are deployed in the web tier.
Most of the Identity Management components can function without the web tier, but for most enterprise deployments, the web tier is desirable. To support enterprise level single sign-on using products such as Oracle Single Sign-On and Oracle Access Manager, the web tier is required.
While components such as Oracle Enterprise Manager Fusion Middleware Control and Oracle Directory Services Manager can function without a web tier, they can be configured to use a web tier, if desired.
In the web tier:
WEBHOST1 and WEBHOST2 have Oracle HTTP Server, WebGate (an Oracle Access Manager component), and the mod_wl_ohs plug-in module installed. The mod_wl_ohs plug-in module allows requests to be proxied from Oracle HTTP Server to a WebLogic Server running in the application tier.
WebGate (an Oracle Access Manager component) in Oracle HTTP Server uses Oracle Access Protocol (OAP) to communicate with Oracle Access Manager running on IDMHOST1 and IDMHOST2, in the Identity Management DMZ. WebGate and Oracle Access Manager are used to perform operations such as user authentication.
On the firewall protecting the web tier, only the HTTP ports are open: 443 for HTTPS and 80 for HTTP.
Oracle HTTP Servers on WEBHOST1 and WEBHOST2 are configured with mod_wl_ohs, and proxy requests for the Oracle Enterprise Manager, Oracle Directory Integration Platform, and Oracle Directory Services Manager J2EE applications deployed in WebLogic Server on IDMHOST1 and IDMHOST2.
The Oracle HTTP Servers process requests received using the URLs sso.mycompany.com and admin.mycompany.com. admin.mycompany.com is a name that is only resolvable inside the firewall, which prevents access to sensitive resources such as the WebLogic console and Oracle Fusion Middleware console from the public domain.
Figure 1-5 is a diagram of the Oracle Identity Federation 11 topology.
The directory tier is in the Intranet Zone. The directory tier is the deployment tier where all the LDAP services reside. This tier includes products such as Oracle Internet Directory and Oracle Virtual Directory. The directory tier is managed by directory administrators providing enterprise LDAP service support.
The directory tier is closely tied with the data tier, therefore access to the data tier is important:
Oracle Internet Directory relies on RDBMS as its backend.
Oracle Virtual Directory provides virtualization support for other LDAP services or databases or both.
In some cases, the directory tier and data tier may be managed by the same group of administrators. In many enterprises, however, database administrators own the data tier while directory administrators own the directory tier.
Typically protected by firewalls, applications above the directory tier access LDAP services through a designated LDAP host port. The standard LDAP port is 389 for the non-SSL port and 636 for the SSL port. LDAP services are often used for white pages lookup by clients such as email clients in the intranet.
The application tier is the tier where J2EE applications are deployed. Products such as Oracle Directory Integration Platform, Oracle Identity Federation, Oracle Directory Services Manager and Oracle Enterprise Manager Fusion Middleware Control are the key J2EE components that can be deployed in this tier. Applications in this tier benefit from the High Availability support of Oracle WebLogic Server.
The Identity Management applications in the application tier interact with the directory tier:
In some cases, they leverage the directory tier for enterprise identity information.
In some cases, they leverage the directory tier (and sometimes the database in the data tier) for application metadata.
Oracle Enterprise Manager Fusion Middleware Control and Oracle Directory Services Manager are administration tools that provide administrative functionalities to the components in the application tier as well as the directory tier.
WebLogic Server has built-in web server support. If enabled, the HTTP listener will exist in the application tier as well. However, for the enterprise deployment shown in Figure 1-1, customers will have a separate web tier relying on web servers such as Apache or Oracle HTTP Server.
In the application tier:
IDMHOST1 and IDMHOST2 have the WebLogic Server with the Administration Console, Oracle Enterprise Manager Fusion Middleware Control, Oracle Directory Integration Platform, Oracle Directory Services Manager and Oracle Access Server installed. IDMHOST1 and IDMHOST2 run both the WebLogic Server Administration Servers and Managed Servers. Note that the Administration Server is configured to be active-passive, that is, although it is installed on both nodes, only one instance is active at any time. If the active instance goes down, then the passive instance starts up and becomes the active instance.
The Oracle Access Server communicates with Oracle Virtual Directory in the directory tier to verify user information.
OIFHOST1 and OIFHOST2 have the WebLogic Server with Oracle Identity Federation installed.
On the firewall protecting the application tier, the HTTP ports, OIP port, and OAP port are open. The OIP (Oracle Identity Protocol) port is for the WebPass module running in Oracle HTTP Server in the web tier to communicate with Oracle Access Manager to perform operations such as querying user groups. The OAP (Oracle Access Protocol) port is for the WebGate module running in Oracle HTTP Server in the web tier to communicate with Oracle Access Manager to perform operations such as user authentication.
Oracle Enterprise Manager Fusion Middleware Control is integrated with Oracle Access Manager using the Oracle Platform Security Service (OPSS) agent.
The Administration Server, Oracle Enterprise Manager and Oracle Access Manager console are always bound to the listen address of the Administration Server.
The WLS_ODS1 Managed Server on IDMHOST1 and WLS_ODS2 Managed Server on IDMHOST2 are in a cluster, and the Oracle Directory Services Manager and Oracle Directory Integration Platform applications are targeted to the cluster.
The WLS_OAM1 Managed Server on IDMHOST1 and WLS_OAM2 Managed Server on IDMHOST2 are in a cluster, and the Oracle Directory Services Manager and Access Manager applications are targeted to the cluster.
The WLS_OIF1 Managed Server on OIFHOST1 and WLS_OIF2 Managed Server on OIFHOST2 are in a cluster, and the Oracle Directory Services Manager and Access Manager applications are targeted to the cluster.
Oracle Directory Services Manager and Oracle Directory Integration Platform are bound to the listen addresses of the WLS_ODS1 and WLS_ODS2 Managed Servers. By default, the listen address for these Managed Servers is set to IDMHOST1 and IDMHOST2 respectively.
The Identity Servers and Access Servers are active-active deployments; the Access Server may communicate with the Identity Server at run time.
The Identity Federation Servers are active-active deployments; the Access Server may communicate with the Identity Server and the data tier at run time.
The WebLogic Administration Server and Oracle Enterprise Manager deployment is active-passive (where other components are active-active).
The WebLogic Administration Server is a singleton component deployed in an active-passive configuration. If IDMHOST1 fails or the Administration Server on IDMHOST1 does not start, the Administration Server on IDMHOST2 can be started. All Managed Servers and components on IDMHOST1 and IDMHOST2 must be configured with the Administration Server virtual IP.
Oracle WebLogic Console, Oracle Fusion Middleware Console and Oracle Access Manager Console are only accessible via admin.mycompany.com, which is only available inside the firewall.
The web tier is in the DMZ Public Zone. The HTTP Servers are deployed in the web tier.
Most of the Identity Management components can function without the web tier, but for most enterprise deployments, the web tier is desirable. To support enterprise level single sign-on using products such as Oracle Single Sign-On and Oracle Access Manager, the web tier is required.
While components such as Oracle Enterprise Manager Fusion Middleware Control and Oracle Directory Services Manager can function without a web tier, they can be configured to use a web tier, if desired.
In the web tier:
WEBHOST1 and WEBHOST2 have Oracle HTTP Server, WebGate (an Oracle Access Manager component), and the mod_wl_ohs plug-in module installed. The mod_wl_ohs plug-in module allows requests to be proxied from Oracle HTTP Server to a WebLogic Server running in the application tier.
WebGate (an Oracle Access Manager component) in Oracle HTTP Server uses Oracle Access Protocol (OAP) to communicate with Oracle Access Manager running on IDMHOST1 and IDMHOST2, in the Identity Management DMZ. WebGate and Oracle Access Manager are used to perform operations such as user authentication.
On the firewall protecting the web tier, only the HTTP ports are open: 443 for HTTPS and 80 for HTTP.
Oracle HTTP Servers on WEBHOST1 and WEBHOST2 are configured with mod_wl_ohs, and proxy requests for the Oracle Enterprise Manager, Oracle Directory Integration Platform, and Oracle Directory Services Manager J2EE applications deployed in WebLogic Server on IDMHOST1 and IDMHOST2.
The Oracle HTTP Servers process requests received using the URLs sso.mycompany.com and admin.mycompany.com. admin.mycompany.com is a name that is only resolvable inside the firewall, which prevents access to sensitive resources such as the WebLogic console and Oracle Fusion Middleware console from the public domain.
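The zone and firewall model described for both topologies above (web tier firewall opening only 80 and 443, application tier firewall opening the HTTP, OIP and OAP ports, directory tier reached on LDAP 389/636, and admin.mycompany.com resolvable only inside the firewall) can be turned into a policy check that audits proposed network flows. This is an added example, not code from the guide or from Oracle; the zone labels, service labels and sample flows are constructed here.

```python
# Added example, not code from the guide: a small model of the zone and
# firewall policy the topology describes, used to audit proposed network flows.
# Zone labels, service labels and the sample flows are constructed here; the
# services open on each firewall and the hostname rule come from the text.
INTERNET, WEB, APP, DIRECTORY = "internet", "dmz-public", "idm-dmz", "intranet"

# Each firewall: (source zone, destination zone) -> services it lets through.
# The guide gives no OIP/OAP port numbers, so flows are matched by service.
FIREWALL = {
    (INTERNET, WEB): {"http", "https"},           # web-tier firewall: 80 and 443
    (WEB, APP): {"http", "https", "oip", "oap"},  # application-tier firewall
    (APP, DIRECTORY): {"ldap", "ldaps"},          # directory tier: 389 and 636
}

# admin.mycompany.com resolves only inside the firewall; sso.mycompany.com is public.
INTERNAL_ONLY_NAMES = {"admin.mycompany.com"}
KNOWN_NAMES = {"sso.mycompany.com"} | INTERNAL_ONLY_NAMES

def check_flow(src, dst, service, hostname=None):
    """Return (allowed, reason) for one proposed connection."""
    if hostname is not None:
        if hostname not in KNOWN_NAMES:
            return False, f"unknown name {hostname}"
        if hostname in INTERNAL_ONLY_NAMES and src == INTERNET:
            return False, f"{hostname} is not resolvable from {src}"
    allowed = FIREWALL.get((src, dst))
    if allowed is None:
        return False, f"no firewall path {src} -> {dst}; traffic must cross the tiers in order"
    if service not in allowed:
        return False, f"{service} is not open on the firewall protecting {dst}"
    return True, "permitted"

def audit(flows):
    """Return the flows that violate the policy, each with the reason."""
    return [(src, dst, svc, name, check_flow(src, dst, svc, name)[1])
            for src, dst, svc, name in flows
            if not check_flow(src, dst, svc, name)[0]]

# Constructed sample of proposed flows to audit.
SAMPLE_FLOWS = [
    (INTERNET, WEB, "https", "sso.mycompany.com"),    # user sign-on via WebGate: ok
    (INTERNET, WEB, "https", "admin.mycompany.com"),  # consoles from the internet: blocked
    (WEB, APP, "oap", None),                          # WebGate to Oracle Access Manager: ok
    (INTERNET, APP, "oap", None),                     # bypassing the web tier: blocked
    (WEB, DIRECTORY, "ldap", None),                   # web tier straight to LDAP: blocked
    (APP, DIRECTORY, "ldaps", None),                  # application tier LDAP lookup: ok
]

if __name__ == "__main__":
    for violation in audit(SAMPLE_FLOWS):
        print("VIOLATION", violation)
```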
If your enterprise deployment topology was created using the Oracle Identity Management Suite Release 11.1.1.2 binaries, follow the steps in the Oracle Fusion Middleware Patching Guide to upgrade your existing Oracle home to 11.1.1.3 before installing the Oracle Identity Management Suite software. Once the software for the Oracle Identity Management Suite is installed, follow the steps in this guide to extend your domain with the components required in your environment.
To extend your domain with Oracle Authorization Policy Manager, refer to Section 14.1, "Extending the Domain with Oracle Authorization Policy Manager" in this guide.
To extend your domain with Oracle Identity Navigator, refer to Section 14.2, "Extending the Domain with Oracle Identity Navigator" in this guide.
To extend your domain with Oracle Access Manager 11g, refer to Chapter 11, "Extending the Domain with Oracle Access Manager 11g" in this guide.
To extend your domain with Oracle Adaptive Access Manager 11g, refer to Chapter 12, "Extending the Domain with Oracle Adaptive Access Manager" in this guide.
To extend your domain with Oracle Identity Manager 11g, refer to Chapter 13, "Extending the Domain with Oracle Identity Manager" in this guide.
To extend your domain with Oracle Identity Federation 11g, refer to Chapter 15, "Extending the Domain with Oracle Identity Federation" in this guide.
If you are creating an enterprise deployment topology from scratch, refer to the following sections of this guide in the order shown: