Monday, January 07, 2013

Oracle Fusion IDM domain architecture

Oracle Fusion Applications has a completely new architecture that differs from earlier Oracle products in quite a few ways. One of the differences from products like Oracle E-Business Suite is the way security is handled. With Oracle E-Business Suite, identity management and single sign-on were optional additions to your solution stack. Within the Fusion stack they are no longer optional: identity management is an integrated part of the solution stack itself.

Taking Oracle Fusion CRM as an example, a good place to start understanding the architecture of the solution stack is the Oracle document Oracle Fusion Applications Customer Relationship Management Enterprise Deployment Guide. This document offers blueprints for how you should implement Oracle Fusion CRM. Looking at the guide, you will note that the Fusion stack is split into several domains: the CRM domain, Common domain, IC domain, SCM domain, HCM domain, FIN domain and the BI domain.

Not included in this list, nor in the image above, is the IDM (Identity Management) domain, which is a prerequisite for implementing the other domains. As you can see in the image below, the CRM domain consists of two WEBHOST servers, two CRMHOST servers and a two-node Oracle Database RAC cluster. On the left side, however, you can see the IDM domain, which also has to be connected before the Oracle Fusion CRM part can be used.


The IDM domain holds a couple of primary components, as can be seen in the diagram below, and is broken down into a webhost, an OAMhost, an OIDhost and a database server. Best practice states that you have three firewalls in place. Firewall 1 separates the deployment from the outside world; the other two firewalls create two DMZs, one holding the webhost and one holding the OAMhost, so that the directory and the database sit behind all three firewalls and are never reachable directly from the outside.

Webhost;
The webhost in Oracle Fusion runs the Oracle HTTP Server (OHS), which is based on the Apache HTTP Server. This OHS installation carries two plug-ins: the WebGate for OAM (Oracle Access Manager) and the mod_wl_ohs module.

A WebGate is a web server plug-in that is shipped out of the box with Oracle Access Manager. The WebGate intercepts HTTP requests from users for web resources and forwards them to the Access Server for authentication and authorization. An AccessGate is an Oracle Access Manager access client that processes requests for web and non-web resources and is developed using the Software Developer Kit; the WebGate is the ready-made AccessGate for web servers, which is why the two terms are often used interchangeably. Before you can install a WebGate, you must associate it with an Access Server.

mod_wl_ohs is a module in Oracle HTTP Server 11g that allows requests to be proxied from Oracle HTTP Server (OHS) to Oracle WebLogic Server. Note that the WebGate enforces access on OHS before mod_wl_ohs forwards the request, and the WebLogic servers behind it trust the identity asserted on the proxied request. The WebLogic servers must therefore only be reachable through the OHS instances; a client that could connect to WebLogic directly would bypass the WebGate altogether, which is one reason the firewall between the web tier and the application tier only admits traffic originating from the webhosts.

Communication between the webhost and the OAMhost is done over HTTP and two Oracle-specific protocols, OAP and OIP. OAP (Oracle Access Protocol) enables communication between Access System components (for example, the Access Manager server and the WebGate) during user authentication and authorization; this protocol was formerly known as NetPoint Access Protocol (NAP) or COREid Access Protocol. OAP between a WebGate and the Access Server can be configured in Open, Simple or Cert mode; since this traffic crosses the firewall between the two DMZs, Open mode (no encryption) is not what you want there. OIP (Oracle Identity Protocol) is also used for communication between the webhost and the OAMhost.

OAMHost;
The OAMHost primarily hosts the Access Server, supported by JRF/OPSS. The Access Server is a stand-alone component that provides dynamic policy evaluation services for both web-based and non-web resources and applications. The Access Server receives requests from an access client, either a WebGate or a custom AccessGate; queries your LDAP directory for authentication, authorization, and auditing rules; and validates credentials, authorizes users, and manages user sessions for Oracle Access Manager. In other words, the WebGate on the webhost is only the enforcement point; every decision is taken on the OAMhost.
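To make the division of labour between the WebGate (enforcement point on the webhost) and the Access Server (decision point on the OAMhost) concrete, here is an added Python sketch. It is not part of the original post and not Oracle code: a constructed in-memory dictionary stands in for the LDAP directory on the OIDhost, a list of URL-prefix policies stands in for the OAM policy store, an HMAC-signed string stands in for the SSO cookie, and plain method calls stand in for OAP. The users, passwords, groups and URL prefixes are all made up for the example; the OAM_REMOTE_USER header is the one the real WebGate sets for WebLogic.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-in for the user directory on the OIDHost (uid -> attributes).
# Passwords are kept as salted SHA-256 digests for the example only; a real OID
# deployment stores its own password hashes and is queried over LDAP.
def _pw(salt: bytes, password: str) -> str:
    return hashlib.sha256(salt + password.encode()).hexdigest()

DIRECTORY = {
    "jsmith": {"salt": b"s1", "pwhash": _pw(b"s1", "Welcome1"), "groups": {"CRM_USERS"}},
    "admin":  {"salt": b"s2", "pwhash": _pw(b"s2", "Admin!23"), "groups": {"CRM_USERS", "IDM_ADMINS"}},
}

# Constructed stand-in for the OAM policy store: most specific URL prefix first.
# "excluded" resources go straight to mod_wl_ohs without consulting the Access Server;
# "protected" ones need an authenticated user and, if given, membership of a group.
POLICIES = [
    ("/crm/public/", "excluded", None),
    ("/crm/admin/",  "protected", "IDM_ADMINS"),
    ("/crm/",        "protected", "CRM_USERS"),
]

SESSION_KEY = secrets.token_bytes(32)   # shared by all Access Server instances in reality
SESSION_TTL = 3600                      # seconds


class AccessServer:
    """Decision point (OAMhost): validates credentials against the directory,
    evaluates policy and mints/validates the session token (the SSO cookie's role)."""

    def lookup_policy(self, path: str):
        for prefix, level, group in POLICIES:
            if path.startswith(prefix):
                return level, group
        return "protected", None        # default: authenticated users only

    def authenticate(self, uid: str, password: str):
        """Return a signed session token for a valid uid/password, else None."""
        entry = DIRECTORY.get(uid)
        if entry is None:
            return None
        if not hmac.compare_digest(entry["pwhash"], _pw(entry["salt"], password)):
            return None
        exp = int(time.time()) + SESSION_TTL
        body = f"{uid}|{exp}"
        sig = hmac.new(SESSION_KEY, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}|{sig}"

    def validate(self, token):
        """Return the uid carried by a genuine, unexpired token, else None."""
        try:
            uid, exp, sig = token.split("|")
            exp = int(exp)
        except (ValueError, AttributeError):
            return None
        body = f"{uid}|{exp}"
        expected = hmac.new(SESSION_KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), sig.encode()) or exp < time.time():
            return None
        return uid

    def authorize(self, uid: str, path: str) -> bool:
        _, group = self.lookup_policy(path)
        return group is None or group in DIRECTORY.get(uid, {}).get("groups", set())


class WebGate:
    """Enforcement point (webhost): intercepts the request and defers every
    decision to the Access Server, as the real WebGate does over OAP."""

    def __init__(self, access_server: AccessServer):
        self.oap = access_server

    def handle(self, path: str, cookie=None, credentials=None):
        level, _ = self.oap.lookup_policy(path)
        if level == "excluded":
            return "PROXY", None                      # no identity asserted
        uid = self.oap.validate(cookie) if cookie else None
        if uid is None and credentials:               # login form posted back
            cookie = self.oap.authenticate(*credentials)
            if cookie is None:
                return "DENY", "bad credentials"
            uid = self.oap.validate(cookie)
        if uid is None:
            return "CHALLENGE", "redirect to login page"
        if not self.oap.authorize(uid, path):
            return "FORBIDDEN", uid
        # Hand off to mod_wl_ohs with the asserted identity header the real WebGate sets.
        return "PROXY", {"OAM_REMOTE_USER": uid, "cookie": cookie}


if __name__ == "__main__":
    gate = WebGate(AccessServer())
    print(gate.handle("/crm/opportunities"))
    print(gate.handle("/crm/opportunities", credentials=("jsmith", "Welcome1")))
```

The point to take from the sketch is that nothing on the webhost side decides anything: the WebGate only knows how to ask, and a tampered or expired cookie simply produces a fresh login challenge. It also shows why the PROXY step matters for the firewalls: the identity reaches WebLogic as a header, so WebLogic must only accept connections that have passed through this gate.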

Oracle Platform Security Services comprises Oracle WebLogic Server's internal security framework and Oracle's security framework (referred to as Oracle Platform Security). OPSS delivers security as a service within a comprehensive, standards-based security framework. OPSS provides an abstraction layer in the form of standards-based application programming interfaces (APIs) that insulate developers from security and identity management implementation details. With OPSS, developers do not have to know the details of cryptographic key management or interfaces with user repositories and other identity management infrastructures. By leveraging OPSS, in-house developed applications, third-party applications, and integrated applications all benefit from the same uniform security, identity management, and audit services across the enterprise.

The OAMHost queries the OIDHost over LDAP: Oracle Internet Directory (OID), fronted by Oracle Virtual Directory (OVD) where that is configured, supplies the user and group information the Access Server needs for authentication and authorization.

OIDHost;
The OIDHost runs an instance of Oracle Internet Directory. Oracle Internet Directory is a system component, that is, a manageable process that is not an Oracle WebLogic Server. System components can use the WebLogic administrative domain for management services, including Oracle Enterprise Manager Fusion Middleware Control, the Audit Framework, configuration management through MBeans, and Secure Sockets Layer and wallet management. The Oracle WebLogic Server Administration Server controls Oracle Internet Directory and other system components through OPMN. Oracle Internet Directory itself is a C-based process; its only run-time dependency is the Oracle Database.

To be managed by the Oracle Fusion Middleware management framework, Oracle Internet Directory must register itself with a local or remote Oracle WebLogic Server administration domain, either during installation or from the command line afterwards. An Oracle Internet Directory 11g installation therefore requires either a local or a remote installation of Oracle WebLogic Server. The directory management user interface, ODSM, is also a Java component deployed on Oracle WebLogic Server. If you must manage Oracle Internet Directory in your deployment using only command-line tools and a remote ODSM, there is also an option to install and configure Oracle Internet Directory without registering it with an Oracle WebLogic Server domain.

DBHost;
The DBHost holds the database schemas used by OID and is nothing more than a datastore. You can create an Oracle Database RAC cluster for a more highly available architecture, but this is not a strict requirement.
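Putting the four hosts and the three firewalls together, the following is an added Python example (not part of the original post, and not Oracle tooling) that encodes the tiering described above and lints a candidate firewall rule set against it. The host names follow the EDG naming (WEBHOST, OAMHOST, OIDHOST; DBHOST is assumed), the protocol allow-list per firewall is taken from this post (HTTP, OAP and OIP between webhost and OAMhost, LDAP between OAMhost and OIDhost, SQL*Net between OIDhost and database) with TLS variants assumed at the edge and for LDAP, and the sample rules are constructed. A rule is flagged when it crosses more than one firewall in a single hop, when it is initiated from a more trusted zone toward a less trusted one, or when it carries a protocol that tier boundary should not see.

```python
from typing import Dict, List, Tuple

# Zones from least to most trusted; each adjacent pair is separated by one firewall.
ZONES = ["internet", "dmz_web", "dmz_oam", "intranet"]

# Constructed host inventory following the EDG naming; "client" stands for anything outside.
HOST_ZONE = {
    "client": "internet",
    "WEBHOST1": "dmz_web", "WEBHOST2": "dmz_web",
    "OAMHOST1": "dmz_oam", "OAMHOST2": "dmz_oam",
    "OIDHOST1": "intranet", "OIDHOST2": "intranet",
    "DBHOST1": "intranet", "DBHOST2": "intranet",
}

# Protocols permitted inward across each firewall. Assumption: only TLS at the edge and
# LDAPS (not cleartext LDAP) from the OAM tier into the directory tier.
ALLOWED = {
    ("internet", "dmz_web"): {"https"},
    ("dmz_web", "dmz_oam"): {"http", "oap", "oip"},
    ("dmz_oam", "intranet"): {"ldaps"},
}

Rule = Tuple[str, str, str]   # (source host, destination host, protocol)


def lint_rule(src: str, dst: str, proto: str) -> List[str]:
    """Return the problems with one firewall rule 'src -> dst : proto' (empty if clean)."""
    problems = [f"unknown host {h}" for h in (src, dst) if h not in HOST_ZONE]
    if problems:
        return problems
    s, d = ZONES.index(HOST_ZONE[src]), ZONES.index(HOST_ZONE[dst])
    if s == d:
        return []   # same zone (e.g. OIDHOST -> DBHOST over SQL*Net): no firewall involved
    if d < s:
        return [f"{src} initiates to the less trusted zone {ZONES[d]}; "
                "connections should only be initiated inward"]
    if d - s > 1:
        return [f"{src} ({ZONES[s]}) reaches {dst} ({ZONES[d]}) skipping {d - s} firewalls; "
                "every hop must terminate in the next tier"]
    if proto not in ALLOWED[(ZONES[s], ZONES[d])]:
        return [f"{proto} is not an expected protocol from {ZONES[s]} to {ZONES[d]}"]
    return []


def lint_ruleset(rules: List[Rule]) -> Dict[Rule, List[str]]:
    """Map each offending rule to its findings; clean rules are omitted."""
    findings = {}
    for rule in rules:
        problems = lint_rule(*rule)
        if problems:
            findings[rule] = problems
    return findings


# Constructed rule set: the first four are the flows the topology needs, the rest are mistakes.
SAMPLE_RULES: List[Rule] = [
    ("client",   "WEBHOST1", "https"),
    ("WEBHOST1", "OAMHOST1", "oap"),
    ("OAMHOST1", "OIDHOST1", "ldaps"),
    ("OIDHOST1", "DBHOST1",  "sqlnet"),
    ("client",   "OAMHOST1", "http"),    # skips the web tier
    ("WEBHOST1", "OIDHOST1", "ldap"),    # webhost talking straight to the directory
    ("client",   "WEBHOST1", "http"),    # cleartext at the edge
    ("OAMHOST1", "WEBHOST1", "http"),    # initiated from the inner DMZ outward
]

if __name__ == "__main__":
    for rule, problems in lint_ruleset(SAMPLE_RULES).items():
        print(" -> ".join(rule[:2]), rule[2], "::", "; ".join(problems))
```

Running it on the sample set reports exactly the four deliberate mistakes. The check is deliberately topology-driven rather than port-driven: a rule can name a perfectly ordinary protocol and still be wrong because of where it lands, which is the failure mode the three-firewall design exists to prevent.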
