Wednesday, July 24, 2013

Long-lived TCP connections and Load Balancers

I've talked about the subject of long-lived TCP connections and load balancers for years, explaining to people why they may not need or want to use a load balancer between two servers. Each time I explain it I remind myself that I should probably write it down so I can just point to the URL.

So today is the day that I write it down for you.

Wednesday, July 17, 2013

OIM 11g R2 Delegated Administration Model - Sample implementation (Part I)

Introduction

It is a very common requirement from customers to have a delegated administration model that is not tied to the organizations where the administrators are placed.
 
Historically, OIM only supports a one-to-one relationship between Users and Organizations. However, starting with OIM 11g R2 and the introduction of the Catalog, it is possible to publish resources to one or more Organizations.
 
This makes it possible to limit the visibility of resources to only the users who need them. However, OIM 11g R2 also provides the mechanisms to delegate the administration of Users, Organizations and Resources to specific users regardless of the Organization to which those users belong.
 
This article describes an approach that can be used to implement a Provisioning Solution powered by OIM 11g R2 that is not necessarily tied to an organization-centric model. The intent of this design is to show our readers how to leverage the advanced features of OIM 11g R2 to implement Delegated Administration Models that are resource-centric and not organization-centric.

Monday, July 15, 2013

OAM 11g Custom Authentication Plugins: Interacting with the Identity Store


The OAM 11g release includes a powerful authentication plugin framework, which can be used to extend the out-of-the-box authentication schemes, or to implement something completely custom. In this post, we explore how an authentication plugin can interact with the underlying LDAP Identity Store, via a simple example. This post is part of a larger series on Oracle Access Manager 11g called Oracle Access Manager Academy. An index to the entire series with links to each of the separate posts is available.

Wednesday, July 3, 2013

OAM 11g: The Policy migration Strategy


The purpose of this post is to provide some tips when planning a policy migration from Oracle Access Manager (OAM) 10g to OAM 11g. Before you begin, I recommend that you install the latest Bundle Patch (BP). At the time of this writing, the latest BP for OAM 11gR2PS1 is patch 16872730. Installing this patch will save you lots of time, as a few important bugs have been fixed in this release. Secondly, take a look at the documentation link here; within the document, take note of Table 11-1, which describes which artifacts are compatible from OAM 10g.

The first step is to run a policy migration report on the OAM 10g artifacts. This report will display all artifacts along with their compatibility mode. The modes are COMPATIBLE, INCOMPATIBLE, INCOMPATIBLE WITH LESS FEATURES and IGNORE. The documentation covers these modes in more detail, and the report will give you an idea of how many manual changes you will need to make in your new OAM 11g environment: the more INCOMPATIBLE-type entries it contains, the more manual changes you can expect. The report file can be huge depending on your data set; however, the file itself has a lot of blank spaces due to the formatting of the data. I recommend that you replace each run of two blank spaces with a single space in your favourite editor. This should make the file easier to read.
Here is a small sampling of the file.

I added a single line for each artifact type:

Artifact Type          | Artifact                  | Details                                                                           | Compatibility                 | Message
DATA SOURCES           | AS_User_Profile           | Name:source.us.oracle.com, Host:idm.us.oracle.com, Port:3060                      | COMPATIBLE                    | The data store LDAP entry name source.us.oracle.com will be modified to source.us.oracle.com(AS_User_Profile).
AUTHENTICATION SCHEMES | 10g Authentication        | Description: Migrated: 10g Authentication scheme.                                 | COMPATIBLE_WITH_LESS_FEATURES | Some of the challenge parameters will not be migrated. Post migration actions will be required to modify the authentication scheme as per Oracle Access Manager 11g. Missing challenge parameters are: [name: form ,value: /login.htm, name: creds ,value: userid password domain authtype customPlugin, name: action ,value: /access/login.cgi, name: path ,value:/
RESOURCE TYPES         | http                      |                                                                                   | COMPATIBLE                    |
HOST IDs               | sourceHostID              | Host:Port source.us.oracle.com& source.us.oracle.com:80& source.us.oracle.com:443 | COMPATIBLE                    |
AGENTS                 | sourceWG                  | Mode: cert                                                                        | COMPATIBLE                    |
POLICY DOMAIN          | Oblix::Resources/identity |                                                                                   | IGNORE                        |
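Because the report is large and padded with blank space, it helps to have a small script that tallies artifacts per compatibility mode and lists the ones that will need hands-on work in 11g. The following is an added example, not part of the original post and not an Oracle tool. It assumes a layout the post does not document: one artifact per line, columns padded with two or more spaces in the same order as the table above; the sample report below is constructed to that layout (one extra INCOMPATIBLE row is invented for illustration), and it reproduces the wrapped token "COMPATIBLE_WITH_ LESS_FEATURES" seen in the real sample so the parser has to rejoin it.

```python
import re
from collections import Counter, defaultdict

# Compatibility modes the report can assign to an artifact. Longest tokens
# come first so that COMPATIBLE_WITH_LESS_FEATURES is never read as a plain
# COMPATIBLE, and \b keeps COMPATIBLE from matching inside INCOMPATIBLE.
MODE_RE = re.compile(
    r"\b(COMPATIBLE_WITH_LESS_FEATURES|INCOMPATIBLE_WITH_LESS_FEATURES|"
    r"INCOMPATIBLE|COMPATIBLE|IGNORE)\b"
)

# Modes that need no hands-on work after the migration.
NO_ACTION_MODES = {"COMPATIBLE", "IGNORE"}

# Constructed sample in the assumed layout (two or more spaces between
# columns). The last row is invented; the others mirror the post's table.
SAMPLE_REPORT = """\
Artifact Type           Artifact                   Details                             Compatibility                   Message
DATA SOURCES            AS_User_Profile            Host:idm.us.oracle.com, Port:3060   COMPATIBLE                      LDAP entry name will be modified.
AUTHENTICATION SCHEMES  10g Authentication         Migrated: 10g Authentication        COMPATIBLE_WITH_ LESS_FEATURES  Some challenge parameters will not be migrated.
RESOURCE TYPES          http                                                           COMPATIBLE
HOST IDs                sourceHostID               source.us.oracle.com:80             COMPATIBLE
AGENTS                  sourceWG                   Mode: cert                          COMPATIBLE
POLICY DOMAIN           Oblix::Resources/identity                                      IGNORE
AUTHORIZATION SCHEMES   LegacyAuthz                (constructed row)                   INCOMPATIBLE                    Re-create by hand.
"""


def parse_line(line: str):
    """Return (artifact_type, artifact, mode) for one report line, or None for
    the header, blank lines and anything without a recognised mode.
    The Compatibility column precedes Message, so the first mode token found
    on the line is the artifact's mode even if the message mentions another."""
    # Rejoin a mode token that the report wrapped after an underscore,
    # e.g. "COMPATIBLE_WITH_ LESS_FEATURES" -> "COMPATIBLE_WITH_LESS_FEATURES".
    line = re.sub(r"(?<=_)\s+(?=[A-Z])", "", line.strip())
    fields = re.split(r"\s{2,}", line)
    match = MODE_RE.search(line)
    if match is None or len(fields) < 2:
        return None
    return fields[0], fields[1], match.group(1)


def summarize(report_text: str) -> dict:
    """Tally artifacts per mode and per artifact type: the quick read on how
    much manual rework the new 11g environment will need."""
    by_mode = Counter()
    by_type = defaultdict(Counter)
    for raw in report_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        artifact_type, _artifact, mode = parsed
        by_mode[mode] += 1
        by_type[artifact_type][mode] += 1
    return {
        "by_mode": dict(by_mode),
        "by_type": {t: dict(c) for t, c in by_type.items()},
    }


def manual_work(report_text: str) -> list:
    """List the artifacts that will need hands-on changes after migration."""
    return [
        parsed
        for parsed in map(parse_line, report_text.splitlines())
        if parsed and parsed[2] not in NO_ACTION_MODES
    ]


if __name__ == "__main__":
    # Point this at the real report file instead of the constructed sample.
    print(summarize(SAMPLE_REPORT))
    for artifact_type, artifact, mode in manual_work(SAMPLE_REPORT):
        print(f"{mode:30} {artifact_type:24} {artifact}")
```

If your report separates columns differently, only the `re.split` pattern in `parse_line` needs to change; the mode detection does not depend on column positions.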

There are three execution modes for the migration tool: COMPLETE, INCREMENTAL and DELTA. DELTA mode is new in PS1 and is not the same as INCREMENTAL. When planning your policy migration strategy, one of the things you will need to decide is whether you plan to coexist with OAM 10g. If so, the policies in OAM 10g may change and you may need to push those changes to your new OAM 11g environment; DELTA mode is used in this scenario. INCREMENTAL mode is used when you only want a subset of the artifacts from 10g. Keep in mind that if you migrate a single policy domain, all dependencies of that policy domain will also be migrated.

Once you have evaluated the report, the next step is to prepare your OAM 11g environment. Now, I have never seen a migration attempted only once. Undoubtedly, you may need to run the migration tool multiple times due to testing, issues, etc. Running the tool multiple times for the same data set against the same 11g environment is not recommended. Even if you remove all the data from the 11g environment, you may still see some unintended side effects. My recommendation is to make a clean back-up of the environment. Once you have installed OAM 11g (including the patch), make a back-up of the domain home directory. You may also need to modify the setDomainEnv.sh script to increase the JVM heap size, as described here in section 11.17.2.

If the migration fails or has issues, here are the steps to get back to a clean state:
1) Shut down the WebLogic Admin server.
2) Drop and create the OAM 11g schema using the Repository Creation Utility (RCU). Make sure you create the schema using the same schema name and password.
3) Remove the domain home directory and recover it by copying the back-up directory. If you changed the JVM properties, make sure the changes still exist after you have copied from the back-up directory.
4) Run the configureSecurityStore.py script to re-associate OAM with the database policy store.

This will allow you to quickly re-run the migration tool against the same domain you initially created. Instructions for running the migration script are documented here. Depending on your data set, the actual policy migration could take hours. Running the script again without following the steps outlined above will more than likely waste more of your time. Trust me.
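Step 3 of the recovery list carries the easy-to-miss caveat that JVM settings changed after the back-up was taken are silently lost on restore. The following is an added example, not part of the original post and not an Oracle script, of the back-up and restore half of that procedure with the check built in: it snapshots the domain home, restores it, and reports which setDomainEnv.sh lines must be re-applied. It assumes the script lives at bin/setDomainEnv.sh under the domain home and that the heap is set through USER_MEM_ARGS; the heap values are constructed, not a recommendation. The RCU drop/create (step 2) and configureSecurityStore.py (step 4) remain manual steps outside this script.

```python
import shutil
import tempfile
from pathlib import Path
from typing import Iterable, List

# Assumed location of the JVM settings script inside a WebLogic domain home.
SET_DOMAIN_ENV = Path("bin", "setDomainEnv.sh")


def backup_domain(domain_home: Path, backup_dir: Path) -> Path:
    """Snapshot the freshly installed (and patched) domain home so the same
    clean state can be restored before every re-run of the migration tool."""
    if backup_dir.exists():
        raise FileExistsError(f"refusing to overwrite existing backup: {backup_dir}")
    shutil.copytree(domain_home, backup_dir, symlinks=True)
    return backup_dir


def missing_jvm_settings(domain_home: Path, required_lines: Iterable[str]) -> List[str]:
    """Return the required setDomainEnv.sh lines that are not present."""
    env_file = domain_home / SET_DOMAIN_ENV
    present = set(env_file.read_text().splitlines()) if env_file.exists() else set()
    return [line for line in required_lines if line not in present]


def apply_jvm_settings(domain_home: Path, required_lines: Iterable[str]) -> List[str]:
    """Append each missing line. A later assignment in the script overrides an
    earlier one, so the original USER_MEM_ARGS line can stay in place."""
    missing = missing_jvm_settings(domain_home, required_lines)
    if missing:
        with (domain_home / SET_DOMAIN_ENV).open("a") as fh:
            fh.write("\n".join(missing) + "\n")
    return missing


def restore_domain(backup_dir: Path, domain_home: Path,
                   required_lines: Iterable[str]) -> List[str]:
    """Step 3 of the recovery list: drop the polluted domain home, copy the
    back-up back, and report which JVM lines must be re-applied because they
    were added after the back-up was taken."""
    if domain_home.exists():
        shutil.rmtree(domain_home)
    shutil.copytree(backup_dir, domain_home, symlinks=True)
    return missing_jvm_settings(domain_home, required_lines)


def demo() -> dict:
    """Run the back-up / failed-migration / restore cycle on a constructed
    throw-away domain and return what each stage observed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        domain = root / "oam_domain"
        (domain / "bin").mkdir(parents=True)
        (domain / SET_DOMAIN_ENV).write_text(          # constructed script
            '#!/bin/sh\nUSER_MEM_ARGS="-Xms512m -Xmx1024m"\n')
        backup = backup_domain(domain, root / "oam_domain.bak")

        # The heap is raised only after the back-up exists: exactly the case
        # the post warns about, because the back-up does not contain the change.
        heap_line = 'USER_MEM_ARGS="-Xms2048m -Xmx4096m"'    # constructed values
        apply_jvm_settings(domain, [heap_line])

        # A failed migration run leaves state behind that must not survive.
        (domain / "migration-run.log").write_text("migration failed\n")

        missing_after_restore = restore_domain(backup, domain, [heap_line])
        debris_removed = not (domain / "migration-run.log").exists()
        reapplied = apply_jvm_settings(domain, [heap_line])
        return {
            "missing_after_restore": missing_after_restore,
            "debris_removed": debris_removed,
            "reapplied": reapplied,
            "missing_after_reapply": missing_jvm_settings(domain, [heap_line]),
        }


if __name__ == "__main__":
    print(demo())
```

In real use, call `backup_domain` once right after installing OAM 11g and the bundle patch, and `restore_domain` between migration attempts; a non-empty return value from `restore_domain` is the list of settings you would otherwise have lost.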

Tuesday, July 2, 2013

A checklist for OIM go-live

This post presents a list of configuration points in OIM that must be taken into account whenever a customer is planning an OIM go-live. This list is not intended to replace the OIM documentation; instead, the idea is to complement it with tips on a few topics that the documentation does not cover.

Let's go for them:

Monday, July 1, 2013

Announcing the A-Team Chronicles

I’m pleased to announce the launch of the A-Team Chronicles. This is a new website that will host blogs and other content from the whole A-Team including experts focused on JAVA, WebLogic, Coherence, WebCenter, AIA, SOA, Fusion Apps, and of course the Identity Management posse that you’ve come to know and love.

On the A-Team Chronicles you can find all the articles we post here and much more.

All the Identity Management and Middleware Security content that you are used to seeing on this site can be found at this link: http://www.ateam-oracle.com/category/identity-management/

There is an RSS category for the same content that can be found here: http://www.ateam-oracle.com/category/identity-management/feed/

There are additional RSS feeds and sub category pages for access management, identity governance, directories, and platform security. That being said, I heavily encourage you to subscribe to the base Identity Management category.

For you twitter users, our existing twitter feed has already begun to publish links to articles on the A-Team Chronicles.

We hope you enjoy the site! Drop us a line and let us know what you think.