Oracle Identity Management presents a comprehensive suite of products for all aspects of identity management. This guide describes a reference enterprise topology for the Oracle Identity Management Infrastructure components of Oracle Fusion Middleware. It also provides detailed instructions and recommendations for creating the topology by following the enterprise deployment guidelines.
This chapter contains the following sections:
An enterprise deployment is a carefully designed reference topology that demonstrates how you can install, configure, extend, and manage Oracle Fusion Middleware in a typical production environment.
A production environment is one in which you must take high availability and security into account so that you can deploy business-critical, custom applications. The people (customers, employees, co-workers) who use your applications can then access them from the Internet safely and securely.
In an enterprise deployment, you achieve high availability by deploying the Oracle Fusion Middleware products across multiple hosts. You can then use a hardware load balancer, Oracle WebLogic Server clusters, and an Oracle Real Application Clusters database to allow for failover when a host is unavailable.
You build in security by setting up firewalls between the tiers of the topology to restrict access to critical software and hardware components. Security also involves integrating the enterprise deployment with Oracle Identity and Access Management products, which provide authentication, authorization, and other important security features.
The enterprise deployment is not the only supported topology for an Oracle Fusion Middleware environment. However, it serves as an example (or reference) you can use to build an environment that meets the needs of your organization and your application users.
This guide provides a reference topology designed specifically for Exalogic.
Wherever possible, the topology has been modified to take advantage of the unique performance capabilities of the Exalogic InfiniBand network fabric. It has also been designed to take advantage of Oracle Traffic Director and the ZFS Storage Appliance, both of which are available on the Exalogic platform.
Before you start implementing the Oracle Exalogic enterprise deployment topology, you should understand the current state of the Exalogic environment.
For example, it is assumed that you have completed all tasks described in the Oracle Fusion Middleware Exalogic Machine Owner's Guide, which discusses your data center site preparation, Oracle Exalogic machine commissioning, initial networking configuration including IP address assignments, and initial setup of the Sun ZFS Storage 7320 appliance.
As with other Enterprise Deployment Guides, you should use the topologies described in this guide as an example (or reference) topology on an Exalogic machine, which can be modified to meet the specific needs of your organization.
The Oracle Fusion Middleware configurations discussed in this guide are designed to ensure security of all transactions, maximize hardware resources, and provide a reliable, standards-compliant system for enterprise computing with a variety of applications. The security and high availability benefits of the Oracle Fusion Middleware configurations are realized through isolation in firewall zones and replication of software components.
This section contains the following topics:
The Enterprise Deployment architectures are secure because every functional group of software components is isolated in its own DMZ, and all traffic is restricted by protocol and port. The following characteristics ensure security at all needed levels, as well as a high level of standards compliance:
Even if external communication is received on port 80, it is redirected to port 443
External communication uses the Secure Sockets Layer (SSL) secure web protocol. SSL is terminated at the site's load balancer.
Communication from external clients does not go beyond the Load Balancing Router level.
No direct communication from the Load Balancing Router to the application or data tier DMZ is allowed.
Direct communication across two firewalls at any one time is prohibited.
If a communication begins in one firewall zone, it must end in the next firewall zone.
All communication between components across firewalls is restricted by port and protocol, according to firewall rules.
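The zone rules above (one firewall per hop, a flow must end in the next zone, and every cross-firewall flow restricted by port and protocol) are easy to state and easy to violate in a real rule base. The following is an added example, not code from the Oracle guide: a small checker that models the tiers as an ordered list and audits proposed flows and the allow-list itself against those rules. The tier names, the port numbers and the sample flows are constructed assumptions for illustration, not the guide's reference configuration.

```python
"""Audit network flows against the firewall-zone rules of a tiered deployment.

Added example, not code from the Oracle guide. Tier names, ports and sample
flows below are constructed assumptions used only to exercise the checks.
"""
from dataclasses import dataclass

# Tiers in order from the outside in. One firewall sits between each adjacent
# pair, so a flow that spans k tiers crosses k firewalls.
TIERS = ("internet", "lbr", "web", "app", "data")
TIER_INDEX = {name: i for i, name in enumerate(TIERS)}

# The only ports an external client may reach: 80 is accepted solely so that
# it can be redirected to 443, where SSL is terminated on the load balancer.
EXTERNAL_PORTS = {("tcp", 80), ("tcp", 443)}


@dataclass(frozen=True)
class Flow:
    src: str    # tier that initiates the connection
    dst: str    # tier that accepts it
    proto: str  # "tcp" or "udp"
    port: int   # destination port


# Constructed allow-list: (src tier, dst tier) -> permitted (proto, port) pairs.
# Port numbers are assumed values, not the guide's reference configuration.
ALLOWED = {
    ("internet", "lbr"): {("tcp", 80), ("tcp", 443)},
    ("lbr", "web"):      {("tcp", 7777)},   # assumed web server listen port
    ("web", "app"):      {("tcp", 7001)},   # assumed WebLogic managed server port
    ("app", "data"):     {("tcp", 1521)},   # assumed database listener port
}


def check_flow(flow, allowed=ALLOWED):
    """Return the rule violations for one flow; an empty list means permitted."""
    if flow.src not in TIER_INDEX or flow.dst not in TIER_INDEX:
        return [f"unknown tier in {flow.src}->{flow.dst}"]
    hops = TIER_INDEX[flow.dst] - TIER_INDEX[flow.src]
    if hops == 0:
        return []  # same zone: no firewall is crossed, nothing to enforce here
    if hops != 1:
        return [f"{flow.src}->{flow.dst} crosses {abs(hops)} firewalls or runs "
                "outward; a flow must end in the next zone inward"]
    if (flow.proto, flow.port) not in allowed.get((flow.src, flow.dst), set()):
        return [f"{flow.proto}/{flow.port} is not permitted {flow.src}->{flow.dst}"]
    return []


def lint_allowlist(allowed):
    """Check that the allow-list itself cannot grant a rule-breaking flow."""
    problems = []
    for (src, dst), ports in allowed.items():
        if src not in TIER_INDEX or dst not in TIER_INDEX:
            problems.append(f"unknown tier in rule {src}->{dst}")
            continue
        if TIER_INDEX[dst] - TIER_INDEX[src] != 1:
            problems.append(f"rule {src}->{dst} spans more than one firewall")
        if src == "internet" and not ports <= EXTERNAL_PORTS:
            problems.append(f"rule {src}->{dst} exposes ports other than 80/443")
    return problems


def audit(flows, allowed=ALLOWED):
    """Map each rejected flow to its violations; permitted flows are omitted."""
    report = {}
    for flow in flows:
        problems = check_flow(flow, allowed)
        if problems:
            report[flow] = problems
    return report


# Constructed sample flows: two compliant, three that break a zone rule.
SAMPLE_FLOWS = [
    Flow("internet", "lbr", "tcp", 443),   # ok: SSL terminated on the LBR
    Flow("lbr", "web", "tcp", 7777),       # ok: one hop, permitted port
    Flow("lbr", "app", "tcp", 7001),       # LBR may not reach the app tier
    Flow("web", "app", "tcp", 22),         # port not in the allow-list
    Flow("data", "app", "tcp", 7001),      # outward-initiated connection
]

if __name__ == "__main__":
    for flow, problems in audit(SAMPLE_FLOWS).items():
        print(flow, "->", "; ".join(problems))
    print("allow-list lint:", lint_allowlist(ALLOWED) or "clean")
```

Running the module prints the three rejected sample flows with their reasons and reports the constructed allow-list as clean. The same checks can be pointed at an exported rule base by loading it into the `ALLOWED` shape; the lint of the allow-list is the more valuable of the two, because a single multi-hop rule silently voids the one-firewall-per-hop guarantee for every flow it matches.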