Identity and Access Management Deployment using Lifecycle Management (LCM)

AST Corporation

Upload: astcorporation

Post on 14-Apr-2017






1

Identity and Access Management

Deployment using Lifecycle Management (LCM)

AST Corporation

2

Agenda

• What is LCM?
• Deployment Topology
• LCM versus Typical Implementation
• Infrastructure Changes
• Challenges of LCM
• Possible Customization Considerations
• Next Steps

3

What is Lifecycle Management (LCM)?

• Provides automated installation and configuration capabilities for Oracle Identity and Access Management
• Provides automation for all aspects of:
  – Installing
  – Configuring
  – Deploying
  – Integrating
  – Patching
• Alternative to a manual install
• Assists in following the Oracle Enterprise Deployment Guide (EDG)

4

Traditional Install versus LCM Install

• Old deployment process
  1. Run RCU
  2. Install JDK
  3. Install WebLogic
  4. Install application
  5. Configure domain
  6. Post-install tasks
  7. Patch application

• New deployment process
  1. Install IDM LCM tools
     – Patch IDM LCM tools
  2. Create response file
  3. Deploy response file
     – Ability to automatically deploy the latest patch to applications
     – Automated or manual deployment process
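As an added example (not from the AST deck and not Oracle's own tooling), the shell wrapper below shows one way to drive the "deploy response file" step across a two-node topology. It assumes the deployment tool is invoked as runIAMDeployment.sh -responseFile <file> -target <stage>, that the stages run in the order preverify, install, preconfigure, configure, configure-secondary, postconfigure, startup, and that each stage must finish on every host before the next stage starts anywhere; confirm all three against the EDG for your release. Completion is recorded as marker files on the shared mount so the second node can see it, and the wrapper refuses to run while the response file, which carries the deployment passwords, is readable by anyone other than its owner. The install path, host names and marker directory are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the AST deck or of Oracle's LCM tooling.
# Wrapper for the "deploy response file" step on a two-node topology.
# Assumptions (verify against the EDG for your release):
#   * the tool is run as $LCM_HOME/provisioning/bin/runIAMDeployment.sh -responseFile <rsp> -target <stage>
#   * stages run in the order in LCM_STAGES, and a stage must finish on every
#     host before the next stage starts on any host, so completion is recorded
#     as "<host>.<stage>" marker files in a directory on the shared mount
#   * the response file holds deployment secrets and must be owner-only readable
# LCM_HOME, the host names and the marker directory are hypothetical.

LCM_STAGES="preverify install preconfigure configure configure-secondary postconfigure startup"
LCM_HOME=${LCM_HOME:-/u01/oracle/products/idmlcm}   # assumed install location
DRY_RUN=${DRY_RUN:-0}                               # 1 = record markers, run nothing

# Print the stage that precedes $1 (empty for the first stage).
prev_stage() {
  local prev="" s
  for s in $LCM_STAGES; do
    [ "$s" = "$1" ] && { echo "$prev"; return 0; }
    prev=$s
  done
  return 1
}

# Return 0 when every host in $3 has finished stage $2 (markers live in $1).
stage_done_everywhere() {
  local marker_dir="$1" stage="$2" hosts="$3" h
  for h in $hosts; do
    [ -f "$marker_dir/$h.$stage" ] || return 1
  done
  return 0
}

# Print the next stage host $2 has not completed, or "done".
next_stage() {
  local marker_dir="$1" host="$2" s
  for s in $LCM_STAGES; do
    if [ ! -f "$marker_dir/$host.$s" ]; then
      echo "$s"
      return 0
    fi
  done
  echo done
}

# Reject a response file that is missing or readable by group/other.
response_file_ok() {
  local f="$1" mode
  [ -f "$f" ] || return 1
  mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f" 2>/dev/null) || return 1
  case "$mode" in
    ?00) return 0 ;;   # 600, 400, 700: owner only
    *)   return 1 ;;
  esac
}

# Run the next stage for $2, gated on the previous stage being done on every host in $3.
run_stage() {
  local marker_dir="$1" host="$2" hosts="$3" rsp="$4" stage prev
  stage=$(next_stage "$marker_dir" "$host")
  if [ "$stage" = done ]; then
    echo "$host: all stages complete"
    return 0
  fi
  prev=$(prev_stage "$stage")
  if [ -n "$prev" ] && ! stage_done_everywhere "$marker_dir" "$prev" "$hosts"; then
    echo "$host: cannot start '$stage' until '$prev' has finished on all of: $hosts" >&2
    return 2
  fi
  if ! response_file_ok "$rsp"; then
    echo "$host: refusing to run; $rsp is missing or readable by others (chmod 600 it)" >&2
    return 3
  fi
  if [ "$DRY_RUN" = 1 ]; then
    echo "$host: [dry run] $stage"
  else
    "$LCM_HOME/provisioning/bin/runIAMDeployment.sh" -responseFile "$rsp" -target "$stage" || return 1
  fi
  # Record completion on the shared mount so the other node can see it.
  : > "$marker_dir/$host.$stage"
}

# Usage: lcm-stage.sh run <shared marker dir> <this host> "<all hosts>" <response file>
# e.g.   lcm-stage.sh run /u01/oracle/config/lcm-state node1 "node1 node2" /u01/oracle/lcm/provisioning.rsp
if [ "${1:-}" = run ]; then
  run_stage "$2" "$3" "$4" "$5"
fi
```

Run the same command on each node in turn; a node that is ahead of its peer gets a clear refusal instead of a half-configured domain, and the shared marker directory doubles as a record of how far the deployment got if a stage has to be retried.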

5

Traditional Patching versus LCM Patching

• Old patching process
  1. Update OPatch, if necessary
  2. Download application patch
  3. Patch Oracle binaries
  4. Modify patch_oim_wls.profile
  5. Patch OIM Managed Servers
  6. Patch Design Console and Remote Manager
  7. Post-configuration for WebLogic Server
  8. Patch Diagnostic Dashboard
  9. Redeploy SPML-DSML web service

• New LCM patching capabilities
  1. Patches all nodes
  2. Applies the patch to both shared and local storage
  3. Stops and starts affected servers
  4. Executes post-patch artifact changes
  5. Provides comprehensive state-sharing and reporting
  6. Capable of upgrading to newer Patch Set releases (e.g. PS2 to PS3)

6

Benefits

Simplicity
• Reduces the complexity of installation
• Provides maximum automation
• Assists in automated upgrade and patching

Usability
• Can be used for provisioning, patching, and upgrade
• Supports production-ready topologies on multiple hosts
• Provides significant reduction in deployment time

Manageability
• Pre- and post-install health checks for provisioning, patching, and upgrade
• Flexible deployment
• Runtime monitoring and diagnosability

Outcome
• Automated tool for initial deployment
• Automated tool for ongoing upgrade, patching, and health check
• Proactive monitoring and management with Enterprise Manager

Source: http://www.oracle.com

7

Deployment Topology using LCM

8

Binaries and Application Servers Install Location

Shared Directory
• Application Binaries
  – OAM
  – OIM
  – SOA
• Admin Server
• IAM Patch Manager

Local Directory
• Application Binaries (OHS)
• Managed Servers
  – OAM
  – OIM
  – SOA
  – BI
• OHS opmnctl Instance
  – httpd.conf and moduleconf all configured automatically out of the box

9

Typical IAM Directory Structure

10

LCM Directory Structure

Source: http://www.oracle.com

11

OIM PS3

*LCM-recommended directory structure for OIM, highlighting shared and private directories

12

OAM PS3

*LCM-recommended directory structure for OAM, highlighting shared and private directory structure

Out of the box, LCM creates 3 managed servers:
1. OAM Managed Server
2. Oracle Policy Manager
3. Mobile Security Suite Managed Server

13

OHS 11.1.1.9.0

14

DEV2 OIM Two-Node Topology

• dev2igdadmin.ast.org – For all internal HTTP traffic directed to administration services in the Governance Domain
• dev2igdinternal.ast.org – SOA Managed Servers access this virtual host to call back OIM web services
• dev2prov.ast.org – Access point for all HTTP traffic directed to SSO services

Source: https://docs.oracle.com/cd/E40329_01/doc.1112/e48618/network_im.htm#IMEDG2156

15

DEV2 OAM Two-Node Topology

• dev2iadadmin.ast.org – Load balancer endpoint used to access IAMAccessDomain admin functions
• dev2iadinternal.ast.org – Internal callback virtual host
• dev2sso.ast.org – Access point for all HTTP traffic directed to SSO services; incoming traffic from clients is SSL-enabled
• dev2msas.ast.org – Central access point for securing traffic from mobile devices to intranet resources

Source: http://www.oracle.com
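Both topology slides depend on load-balancer virtual hosts that LCM's preverify stage expects to be live (the deck's closing advice to let the load balancers respond to PING during installation is the same point). As an added example, not from the deck and not Oracle's tooling, the script below pre-checks each virtual host named on the two slides: the name resolves, the load balancer answers on the expected port, the client-facing hosts complete a verified TLS handshake, and the internal callback hosts resolve only to private (RFC 1918) addresses, because a callback host that resolves to a public address is an exposure the topology never intended. The ports, the role assigned to each host and the probing tools (getent, nc, openssl) are assumptions, not taken from the deck.

```shell
#!/bin/sh
# Added example, not part of the AST deck or of Oracle's LCM tooling.
# Pre-flight check of the load-balancer virtual hosts in the two-node OIM and
# OAM topologies, intended to run before LCM's preverify stage.
# Assumptions (hypothetical, not stated in the deck):
#   * admin and internal virtual hosts listen on 80; client-facing hosts on 443 with TLS
#   * "internal" (callback) hosts must resolve to RFC 1918 addresses only
#   * getent, nc and openssl are available on the host running the check

# host:role:port:tls, constructed from the virtual host names on the slides
VHOSTS="
dev2igdadmin.ast.org:admin:80:no
dev2igdinternal.ast.org:internal:80:no
dev2prov.ast.org:external:443:yes
dev2iadadmin.ast.org:admin:80:no
dev2iadinternal.ast.org:internal:80:no
dev2sso.ast.org:external:443:yes
dev2msas.ast.org:external:443:yes
"

# RFC 1918 test on a dotted-quad IPv4 address.
is_private_ip() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the first IPv4 address a name resolves to; fail if it does not resolve.
resolve_host() {
  local ip
  ip=$(getent ahostsv4 "$1" 2>/dev/null | awk 'NR == 1 { print $1 }')
  [ -n "$ip" ] && echo "$ip"
}

# TCP reachability: whether the load balancer answers on the virtual host's port.
probe_tcp() { nc -z -w 3 "$1" "$2" >/dev/null 2>&1; }

# Full TLS handshake with certificate verification against the system trust store.
probe_tls() {
  printf '' | openssl s_client -connect "$1:$2" -servername "$1" -verify_return_error >/dev/null 2>&1
}

# Check one virtual host: name, address class, port, and TLS where expected.
check_vhost() {
  local host="$1" role="$2" port="$3" tls="$4" ip
  ip=$(resolve_host "$host") || { echo "FAIL $host: does not resolve"; return 1; }
  if [ "$role" = internal ] && ! is_private_ip "$ip"; then
    echo "FAIL $host: internal virtual host resolves to public address $ip"
    return 1
  fi
  probe_tcp "$host" "$port" || { echo "FAIL $host: $ip:$port not answering (load balancer / firewall)"; return 1; }
  if [ "$tls" = yes ]; then
    probe_tls "$host" "$port" || { echo "FAIL $host: TLS handshake or certificate verification failed"; return 1; }
  fi
  echo "ok   $host ($role, $ip:$port, tls=$tls)"
}

# Check every virtual host; exit status is non-zero if any check failed.
preflight() {
  local failures=0 entry host role port tls
  for entry in $VHOSTS; do
    IFS=: read -r host role port tls <<EOF
$entry
EOF
    check_vhost "$host" "$role" "$port" "$tls" || failures=$((failures + 1))
  done
  echo "preflight: $failures failing virtual host(s)"
  [ "$failures" -eq 0 ]
}

# Usage: vhost-preflight.sh run
if [ "${1:-}" = run ]; then
  preflight
fi
```

Run it from a node of the topology, where the internal names should resolve, and again from outside the data center, where the internal names should not resolve or answer at all; the two results together confirm the split between the internal callback hosts and the client-facing SSO hosts that the slides describe.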

16

Challenges

• HA deployment using LCM supports deployment on only two nodes
  – Scale-out scripts available – manual process
• May need two separate OHS instances to front-end internal OIM and OAM applications
• OHS server does not use the latest version
• Shared directory system may not be an option for all enterprises

17

Tool Limitations

• Installing and creating Oracle Internet Directory is not supported
• OAM-only and OIM-only topologies cannot share the same IDM_TOP
  – Requires two different mounts and additional storage
• Cleanup and restore is supported only for single-host deployments
• Scale-out and scale-up of a configured environment are not automated by the LCM tools
  – Manual steps required
• Automated patching does not support:
  – JDK upgrade
  – Patching of the database and Oracle WebLogic Server
  – Patching of Oracle Access Manager WebGates used for web servers
  – Patching of the LCM tools

18

Future 12c LCM Features

• Quicker deployment time
• IDM Admin Service
  – REST API-based
  – Scale-out capabilities
  – Test-to-production
    o Uses IDMAS to generate the configuration difference between multiple environments
    o T2P gesture is achieved by applying the new configuration to the target environment
  – Multi-data center capabilities
    o Automatically synchronize changes between Master DC and Clone DC

19

Concluding Thoughts

• LCM has a learning curve
• Use LCM where HA is required for only two nodes
• Recommended only where the enterprise allows shared directories
• Use Red Hat 6 or Red Hat 7 as the OS
• Allow load balancers to respond to PING during installation
• Some customization around timeouts may be required

*The views and opinions expressed herein are those of the author and do not necessarily reflect the views of Oracle or any other associates.

20

References

https://docs.oracle.com/cd/E40329_01/doc.1112/e48618/toc.htm
http://docs.oracle.com/cd/E52734_01/cross/installtasks.htm
https://docs.oracle.com/cd/E52734_01/core/IMEDG/toc.htm