Identity and Access Management - magicweb.com.br/afreire/oracle/oes-web.pdf


Presentation of Oracle's solution for user authorization in applications/systems

Identity and Access Management

Alexandre Freire | Principal Sales Solution Security Specialist, Identity and Access Management | GRC | Technology

Oracle Latin America Strategic Accounts


Oracle Entitlements Server

Introduction

Oracle Identity and Access Management: Commitment to Leadership & Innovation

[Timeline slide, 1999 to 2008, in three phases: Build, Lead, Innovate. Milestones shown:]

• Oracle Internet Directory
• Acquisition of Oblix → OAM, OIF & OWSM
• Acquisition of Phaos → Federation and WS technologies
• Acquisition of OctetString → OVD
• Acquisition of Thor → OIM
• Oracle eSSO
• Leader in Gartner's UP & WAM Magic Quadrant
• Oracle Identity and Access Management Suite
• Identity Audit and Compliance offering
• Acquisition of Bharosa → OAAM
• Acquisition of Bridgestream → ORM
• Identity Governance Framework
• Market Leader in Forrester's IAM Wave
• Oracle IdM Eco-system
• Id. Assurance Partner Alliance
• Oracle Access Management Suite
• Acquisition of BEA → OES

Leader in Magic Quadrants: User Provisioning, H2 2008; Web Access Management, H2 2008

"Oracle assumes the No. 1 position" - Earl Perkins, Perry Carpenter, Aug. 15 2008 (Research G00159740)

Magic Quadrant Disclaimer: The Magic Quadrant is copyrighted by Gartner, Inc. and is reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner's analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the "Leaders" quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Gartner comments on Entitlements

• WAM Market Trends for 2008

• Market segmentation (access management suites vs. commodity WAM vs. consumer extranets): The strategic direction for WAM tools is diverging as the market matures. Larger, enterprise-focused vendors (IBM, CA, Sun, Novell, Oracle, Evidian and Siemens) are developing access management suites, which include WAM, platform access control, fine-grained entitlement management, identity federation and, often, Web services security tools, combined with unified administration and audit facilities. Smaller vendors (for example, Cafesoft and P2 Security) are focused on low-cost, low-complexity SMB offerings. A few vendors (including EMC/RSA Security and Entrust) are focused specifically on the consumer extranet.

• Oracle - Strengths: Oracle now sells OAM as part of an integrated suite of access management components, including Oracle Identity Federation, Oracle Entitlements Server and Oracle Adaptive Access Manager, providing improved authorization functionality beyond Web applications, as well as fraud detection capabilities. The wide range of access management functions in the suite puts Oracle on an excellent footing with broad suite offerings from IBM and CA.

Source: http://mediaproducts.gartner.com/reprints/oracle/article48/article48.html

Market Leader According To

“Oracle has established itself as Leader.”- The Forrester Wave: Identity And Access Management, Q1 2008

Oracle reached the top of our evaluation through a combination of the breadth, depth, interoperability, and packaging of its IAM features alongside the strategy and current state of market execution on its application-centric identity vision.- The Forrester Wave: Identity And Access Management, Q1 2008

Oracle's Identity Management Suite ("Identity Management 2.0")

[Suite diagram. Tiers: Access Management, Identity Administration and Directory Services, with Audit & Compliance, Manageability (Enterprise Manager IdM Pack) and the Core Platform spanning all three. Components shown: Adaptive Access Manager, Entitlements Server, Web Services Manager, Access Manager, Identity Federation, Enterprise Single Sign-On, Authentication Service for OS, Role Manager, Identity Manager, Virtual Directory, Internet Directory.]


Oracle Entitlements Server

Functional Architecture

Oracle Entitlements Server: what is it?

• A privilege control system that enables centralized definition of privileges for complex applications and runtime enforcement of those privilege controls.

• Externalizes privilege control: security decisions are separated from the business logic of the applications.

• Centralizes management of access policies across multiple application environments.

• The policy model supports the natural hierarchy of business objects, roles and access rights.

• Protects both software components (e.g. URLs, EJBs) and business objects (e.g. accounts, patient records).

• Provides flexible deployment and easy integration with existing security and identity systems.

Entitlements Management

[Diagram: a Policy Decision Point sits in each of the Presentation Tier, the Business Logic Tier and the Data Access Tier (databases); all of them are served by the Entitlements Server (rights management).]

• Centralized policy repository
• Leverages and extends existing investments in security and Identity Management
• Enforcement of the corporation's security policy
• Takes the responsibility for creating and maintaining policies out of the developers' hands
• Controls who can do or see something, when and how

Oracle Entitlements Server Architecture

[Architecture diagram.] Components shown:

• Admin Server: Policy Administration Point (PAP), administered from a browser; policy is expressed as XACML 2.0 policy and distributed to the Security Service Modules (SSMs).
• Security Service Module (SSM) inside the application server: embedded Policy Decision Point / Policy Enforcement Point (PDP/PEP), providing the services ATN (authentication), ATZ (authorization), RM (role mapping), AD (auditing) and CM (credential mapping).
• Entitlements Server as a standalone Policy Decision Point (PDP), called by entitlements clients such as a Plain Old Java Object (POJO), a .Net client or a generic SOAP client.
• Policy Information Point (PIP): LDAP, relational DB, Service Data Objects, Attribute Retriever API. These are user or application directories or databases that contain information required to make an access decision, such as user, group and resource attributes.

Oracle Confidential – For Internal Use Only

OES Administration Server (PAP)

[Diagram: OES Admin Server (J2EE) exposing an Entitlements API and a Management API; Admin UI, Application Management Tools and Admin Scripts driven from a Web Browser; a Policy Store with a Policy Loader/Exporter and a Policy Distributor that sends policy files to the SSMs.]

• Runs on WebLogic, Tomcat, WebSphere
• Web-based Admin Console
• Policy Reporting
• Management Tools
• Management API via Java and Web Services
• Transactional policy distribution to SSMs

Security Service Module (PDP)

[Diagram: the Security Framework API with Authentication, Authorization, Role Mapping, Auditing and Credential Mapping providers, backed by identity directories, entitlements and secure audit logs, serving an external application.]

Authentication
• Integrate with LDAP, RDBMS, custom identity stores
• Leverage multiple stores simultaneously
• Assert identity from SSO or custom tokens
• Establishes a JAAS Subject

Authorization
• Provide Grant/Deny decisions based upon policies
• Integrate external entitlement attribute data from LDAP, RDBMS, SDO

Role Mapping
• Dynamically map users to Roles based upon policy

Auditing
• Log messages generated by framework events
• Write to everything from log4j to secured filesystems
• Describe custom handlers for various events

Credential Mapping
• Translate credentials into custom formats
• Helps propagate identity across disparate systems

SSM Configurations

[Diagram with the two SSM configurations: a Standalone Server (PDP) and an embedded J2EE/JVM (PDP/PEP). Integration points shown: Java API, .Net API, SOAP API, XACML 2.0, WebLogic Server, Tomcat, WebSphere, Plain Old Java Object (POJO), Oracle Service Bus, Documentum Client/Content Server*, Oracle DB (with VPD), SharePoint.]

SSMs are kept synchronized with the central policy store:
• Handle "push" from the Admin Server
• Retrieve policy upon startup
• SSMs maintain local persistent caches of relevant policy
• SSMs maintain local caches of attribute and policy decisions

OES Access Policy

• OES access policy is used to grant or deny privileges to resources in the application to specific users, groups, or roles, for example:

Grant (view, /app/Sales/RevenueReport, /role/Manager) if region = "East";

[Policy model diagram: a policy has an Effect (Grant, Deny or Delegate), an Action (e.g. Read, Write, View), Resources (mapped to application objects), Subjects, and a Constraint (a Boolean expression over attributes and evaluation functions whose values are read from external data and identity stores). The application sends an authorization request and receives an authorization response.]

OES Role Policy

• OES role policy is used to dynamically determine role membership, for example:

Grant (/role/Executive, /app/Sales/, /sgrp/manager) if level > 5;

[Policy model diagram: the same elements as the access policy, but the Effect grants or denies Roles instead of an action. Role membership is based on the Resources, the Subjects and the Constraint, whose attributes are read from external data and identity stores; the application sends an authorization request and receives an authorization response.]
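The two policy shapes above (an access policy that grants an action on a resource to a subject under a constraint, and a role policy that grants a role under a constraint) are easier to reason about when run. The following is an added example written for this page, not OES code or Oracle's evaluation algorithm: a toy policy decision point that computes dynamic role membership from role policies, then evaluates access policies against the user's identifiers and attributes. The users, groups, attribute values and the extra deny rule are constructed sample data; the resource-subtree matching ("/app/Sales/" covering everything beneath it), "deny overrides grant" and default deny are this example's assumptions about semantics, not product claims.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

# Attribute bag for one user, as a PIP (LDAP, RDBMS) would return it. Constructed data.
Attrs = Dict[str, object]


@dataclass
class Policy:
    """One rule in the slide's shape: Effect (action, resource, subjects) if constraint."""
    effect: str                     # "grant" or "deny"
    action: str                     # e.g. "view"; for a role policy this is the role name
    resource: str                   # exact path, or a subtree when it ends with "/"
    subjects: Set[str]              # "/user/alice", "/sgrp/manager", "/role/Manager"
    constraint: Callable[[Attrs], bool] = lambda a: True


def covers(policy_resource: str, requested: str) -> bool:
    """Assumed semantics: a policy on "/app/Sales/" applies to everything beneath it."""
    if policy_resource.endswith("/"):
        return requested == policy_resource.rstrip("/") or requested.startswith(policy_resource)
    return requested == policy_resource


@dataclass
class Pdp:
    role_policies: List[Policy]
    access_policies: List[Policy]
    pip: Dict[str, Attrs]           # Policy Information Point: attributes per user

    def subject_ids(self, user: str, resource: str) -> Set[str]:
        """Static identifiers (user, groups) plus roles granted dynamically by role policies."""
        attrs = self.pip[user]
        ids = {f"/user/{user}"} | {f"/sgrp/{g}" for g in attrs.get("groups", [])}
        granted, denied = set(), set()
        for p in self.role_policies:
            if covers(p.resource, resource) and ids & p.subjects and p.constraint(attrs):
                (granted if p.effect == "grant" else denied).add(p.action)
        return ids | {f"/role/{r}" for r in granted - denied}

    def is_authorized(self, user: str, action: str, resource: str) -> bool:
        """Deny overrides grant; with no matching grant the answer is deny (default deny)."""
        attrs = self.pip[user]
        ids = self.subject_ids(user, resource)
        decision = False
        for p in self.access_policies:
            if p.action != action or not covers(p.resource, resource):
                continue
            if not (ids & p.subjects) or not p.constraint(attrs):
                continue
            if p.effect == "deny":
                return False
            decision = True
        return decision


def build_demo_pdp() -> Pdp:
    """The two policies from the slides, plus constructed extra rules and users."""
    role_policies = [
        # Grant (/role/Executive, /app/Sales/, /sgrp/manager) if level > 5;
        Policy("grant", "Executive", "/app/Sales/", {"/sgrp/manager"},
               lambda a: a.get("level", 0) > 5),
        # Constructed: every member of the manager group is a Manager under /app/Sales/
        Policy("grant", "Manager", "/app/Sales/", {"/sgrp/manager"}),
    ]
    access_policies = [
        # Grant (view, /app/Sales/RevenueReport, /role/Manager) if region = "East";
        Policy("grant", "view", "/app/Sales/RevenueReport", {"/role/Manager"},
               lambda a: a.get("region") == "East"),
        # Constructed: Executives may view anything under /app/Sales/ regardless of region
        Policy("grant", "view", "/app/Sales/", {"/role/Executive"}),
        # Constructed: contractors never see the revenue report, whatever roles they hold
        Policy("deny", "view", "/app/Sales/RevenueReport", {"/sgrp/contractor"}),
    ]
    pip = {  # constructed sample users and attributes
        "alice": {"groups": ["manager"], "level": 7, "region": "West"},
        "bob":   {"groups": ["manager"], "level": 3, "region": "East"},
        "carol": {"groups": ["manager", "contractor"], "level": 8, "region": "East"},
        "dave":  {"groups": ["staff"], "level": 2, "region": "East"},
    }
    return Pdp(role_policies, access_policies, pip)


if __name__ == "__main__":
    pdp = build_demo_pdp()
    for user in ("alice", "bob", "carol", "dave"):
        print(user, sorted(pdp.subject_ids(user, "/app/Sales/RevenueReport")),
              pdp.is_authorized(user, "view", "/app/Sales/RevenueReport"))
```

Running it shows the interplay the slides describe: alice is a Manager but in the wrong region, yet the dynamic Executive role (level 7) lets her view the report; bob is a Manager in the East and is granted; carol would be granted twice but the deny on her contractor group wins; dave has no matching role and is denied by default. Note that role membership is computed per resource, so the same user can hold a role under /app/Sales/ and not elsewhere.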

Entitlements Management: centralized administration

Entitlements management
• User Roles
• Application Resources
• Authorization Policies
• Role Membership Policies
• Create Separation of Duties Rules
• Distribute Entitlements to SSMs

Identity administration
• User Identity Directories
• User Attributes

Auditing
• Run Policy Reports

Entitlements Lifecycle: enforcement of the policies without changing the applications

[Diagram: the Business Owner, the Developer, the Security Administrator and the Operations and Compliance Staff each work with Oracle Entitlements Server.]

Oracle Entitlements Server

Technical Architecture

OAM-OAAM-OES Architecture

[Deployment diagram: Partners and Vendors reach a Load-balancer in front of Web Server 1 and Web Server 2, each running a WebGate. Behind them: Oracle Access Server (Access Manager) with OAM Admin, OAAM Server (OASA) and OAAM Server (OARM), OVD and Oracle Internet Directory, Application Server 1 and Application Server 2 each running an SSM, the Entitlement Server with OES Admin, and an Oracle XE Database as the Policy Store.]

OES Architecture - Platforms (PAP)

Table 1 Core Components

Component | Platforms | Operating Systems
Admin Console | Browser: MS IE 6.0, 7.0 | Windows 2000 SP4, 2003 R2, XP SP2
E-UI | Browser: MS IE 6.0, 7.0; Firefox 2.0.x | Windows 2000 SP4, 2003 R2, XP SP2
Admin Server Platform | WebLogic Server 9.2 MP2; WebLogic Server 10.0 MP1; WebLogic Server 10gR3 (10.3); WebSphere Application Server 6.1; Tomcat 5.5.23 | Sun Solaris 8, 9, 10 (32-bit); Windows 2000 SP4, 2003 R2, XP SP2; Red Hat Adv. Server 3.0, 4.0; Suse Linux 9.2 & 10.0; AIX 5.3
OES Policy Store | Oracle 9.2.0.5, 10.1.2, 10.2.0.2, 11.1.0.6; Sybase 12.5.3, 15; MS-SQL 2000 & 2005; PointBase 5.1; DB2 Universal DB Enterprise Server 9.1 | (as per database vendor)
User Directory | Oracle Identity Directory 10.1.4.2; Microsoft Active Directory 2000 & 2003; Microsoft ADAM; SunONE Directory Server v5.2; Novell eDirectory v8.7.31; Open LDAP v2.2.24; Oracle 9.2.0.5, 10.1.2, 10.2.0.2, 11g; Sybase 12.5.3, 15; DB2 Enterprise Server Edition 9.1; MS-SQL 2000 & 2005 | (as per directory/database vendor)

OES Architecture - Platforms (SSM)

Table 2 Security Modules (Yes/No: supported on that operating system)

Category | Platform and Version(s) | Windows | Solaris 8, 9, 10 | RHAS 3.0, 4.0 | Suse 9.2, 10.0 | AIX 5.3
Web Services / RMI | MS .NET 1.1 & 2.0; WL Workshop 9.0, 10.0; Studio 3.0 | Yes | Yes | Yes | Yes | No
Oracle WebLogic Products | WebLogic Server 8.1.5, 8.1.6, 9.2.2, 10.0 MP1, 10.3; WebLogic Portal 8.1.5, 8.1.6, 9.2.2, 10.0.1, 10.2; WebLogic Integration 9.2.2 | Yes | Yes | Yes | Yes | No
Other Oracle Products | ODSI (formerly ALDSP) 2.5, 3.0, 3.1; OSB (formerly ALSB) 2.6, 3.0; OBPM (formerly ALBPM) 6.0 | Yes | Yes | Yes | Yes | No
IBM WebSphere | WebSphere 6.1 | Yes | Yes | Yes | Yes | Yes
Java | Sun JVM 1.4.2, 5.0, 6.0; JRockit 1.4.2, 5.0, 6.0; IBM JDK 1.4.2, 5.0 | Yes | Yes | Yes | Yes | No
Web Servers | Apache; MS IIS 6.0 | Yes | Yes | Yes | Yes | No
Other Applications | Oracle Database 10g | Yes | No | No | No | No
Other Applications | Documentum Content Server v5 | Yes | Yes | Yes | Yes | Yes
Other Applications | Microsoft Office SharePoint Server 2007 | Yes | N/A | N/A | N/A | N/A

High Availability - Runtime

• The Security Module/PDP continues to provide security services even if external components it relies on (such as the authentication database) become unavailable.
• Failover for authentication sources
• Failover for entitlement sources (attribute retrievers)
• Failover for Credential Mapper sources
• For data replication between data sources, use a vendor-specific approach or a solution such as Oracle RAC
• Runtime independence of the SM/PDP from the Admin Server


[Diagram: the Application Environment hosts the Security Service Module, whose Security Framework drives Authentication, Role, Authorization, Auditing and Credential providers. Each provider has a Primary and a Back-up source (Primary/Back-up Authentication Source, Primary/Back-up Entitlements Source) kept in step by source-specific replication.]
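The availability properties on this slide and the SSM synchronization bullets earlier (policy retrieved at startup, pushed from the Admin Server, held in a local persistent cache, with failover across attribute retrievers) describe runtime plumbing that is worth seeing end to end. The following is an added example for this page, not OES code: a toy Security Module that boots from the admin server when it is reachable and from its on-disk policy cache when it is not, applies a policy push to that cache, and fails over from a primary to a backup attribute source. The AdminServer and AttributeSource classes, the JSON cache file, the flat (role, action, resource) policy format and the sample users and policies are all assumptions constructed for the demonstration.

```python
import json
import os
import tempfile
from typing import Dict, List, Optional, Tuple

# Toy policy: {"role", "action", "resource", "effect"} dictionaries. Constructed format.
Policy = Dict[str, str]


class Unavailable(Exception):
    """Raised by a simulated remote component (admin server, directory) that is down."""


class AttributeSource:
    """One attribute retriever backend (e.g. an LDAP replica); `up` lets the demo take it offline."""
    def __init__(self, name: str, data: Dict[str, Dict[str, object]], up: bool = True):
        self.name, self.data, self.up = name, data, up

    def fetch(self, user: str) -> Dict[str, object]:
        if not self.up:
            raise Unavailable(self.name)
        return self.data[user]


class AdminServer:
    """Simulated PAP: hands out the current policy set unless it is down."""
    def __init__(self, policies: List[Policy], up: bool = True):
        self.policies, self.up = policies, up

    def distribute(self) -> List[Policy]:
        if not self.up:
            raise Unavailable("admin-server")
        return list(self.policies)


class SecurityModule:
    def __init__(self, admin: AdminServer, sources: List[AttributeSource], cache_path: str):
        self.sources = sources                       # ordered: primary first, then backups
        self.cache_path = cache_path
        self.decision_cache: Dict[Tuple[str, str, str], bool] = {}
        try:
            self.policies = admin.distribute()       # retrieve policy upon startup
            self._persist()
        except Unavailable:
            with open(cache_path) as f:              # admin server down: use the persistent cache
                self.policies = json.load(f)         # (a first boot with no cache would fail here)

    def _persist(self) -> None:
        with open(self.cache_path, "w") as f:
            json.dump(self.policies, f)

    def receive_push(self, policies: List[Policy]) -> None:
        """Handle a policy push: replace the set, persist it, drop cached decisions."""
        self.policies = list(policies)
        self._persist()
        self.decision_cache.clear()

    def attributes(self, user: str) -> Dict[str, object]:
        """Failover across attribute retrievers; fails only when every source is down."""
        last: Optional[Exception] = None
        for src in self.sources:
            try:
                return src.fetch(user)
            except Unavailable as e:
                last = e
        raise Unavailable(f"all attribute sources down (last: {last})")

    def is_authorized(self, user: str, action: str, resource: str) -> bool:
        key = (user, action, resource)
        if key not in self.decision_cache:           # local cache of policy decisions
            roles = set(self.attributes(user).get("roles", []))
            self.decision_cache[key] = any(          # default deny; any matching grant allows
                p["effect"] == "grant" and p["role"] in roles
                and p["action"] == action and p["resource"] == resource
                for p in self.policies)
        return self.decision_cache[key]


def run_scenario(tmpdir: Optional[str] = None) -> Dict[str, bool]:
    """Normal start, primary PIP outage, policy push, then a restart with the PAP down."""
    if tmpdir is None:
        with tempfile.TemporaryDirectory() as d:
            return run_scenario(d)
    report = {"role": "Manager", "action": "view", "resource": "/app/Sales/RevenueReport", "effect": "grant"}
    forecast = {"role": "Manager", "action": "view", "resource": "/app/Sales/Forecast", "effect": "grant"}
    users = {"alice": {"roles": ["Manager"]}, "dave": {"roles": []}}   # constructed
    primary, backup = AttributeSource("ldap-primary", users), AttributeSource("ldap-backup", users)
    admin = AdminServer([report])
    cache = os.path.join(tmpdir, "policy-cache.json")

    ssm = SecurityModule(admin, [primary, backup], cache)
    out = {"startup_alice": ssm.is_authorized("alice", "view", "/app/Sales/RevenueReport")}
    primary.up = False                               # primary retriever down: backup answers
    out["failover_dave"] = ssm.is_authorized("dave", "view", "/app/Sales/RevenueReport")
    ssm.receive_push([report, forecast])             # PAP pushes a new policy set
    out["after_push_alice_forecast"] = ssm.is_authorized("alice", "view", "/app/Sales/Forecast")
    admin.up = False                                 # PAP down: a fresh SSM boots from its cache
    ssm2 = SecurityModule(admin, [primary, backup], cache)
    out["restart_without_pap"] = ssm2.is_authorized("alice", "view", "/app/Sales/Forecast")
    return out


if __name__ == "__main__":
    print(run_scenario())
```

Two design points carry over to a real deployment: the decision cache must be invalidated whenever a push replaces the policy set, otherwise a revoked grant keeps being honoured until the entry expires; and the persistent cache is what makes the PDP independent of the Admin Server at runtime, so it needs the same file protections as the policy store it mirrors.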

High Availability - Management Time

[Diagram: SSMs in application environments in New York, London and Tokyo. A Primary Admin Server backed by a Primary OES DB and a Secondary Admin Server backed by a Secondary OES DB are kept in step by RDBMS-specific replication; OES Administrators work against either admin server.]


Demonstration

Oracle Entitlements Server

Live demonstration in a VMware environment