Using Advanced Security And OID To Create A Database SSO Environment
January 26th, 2004 by Mark Rittman
"I am in the process of implementing oid and security in
datawarehousing environment very similar to whatever i have read in ur
fantastic paper. i have asked and queried a few oracle gurus who come up with
answers that everything is possible with oid w/o really understanding the
shortfalls in the product. ur paper was very helpful and i thought i could ask
you a few clarifications on this.
- this is the scenario i am dealing with now. we have a few databases
with a big set of user community. i would like to store the userids and
passwords for all these users in a single oid instance so that it gives a
single-sign on effect when users access these databases. so when they have
access to tools like sqlplus can this be achieved?
- and i understand that u can have the 9i database use the oid to store
userid and password and u talk about syncing up the userids and passwords.
here is my question
- i have database A, database B having a common user C. when C is
created in database A can his password and privileges be linked to
database B too. that is the syncing you are talking about is it two-way
from database to oid and oid to database too.
can you please tell me whether you have any other documentation on
setting up oid and the usual gotchas that one has to keep in mind when testing
them."
It looks like what you’re looking for is the ‘Advanced
Security Option’ for the Oracle 9i database. The "Oracle
9i Advanced Security Release 2 Factsheet" on OTN gives a good overview
of this Oracle 9i option.
In particular, Advanced Security can be used to set up global users, roles
and accounts that can be used across a set of Oracle Database applications, with
full details of how these are set up given in the OTN document "Oracle Advanced Security 9i: Enterprise User Security".
Looking at what Advanced Security does, you wouldn’t need to sync the OID to
the database users and roles, as Advanced Security would do this for you. Also,
you wouldn’t need to sync individual OIDs with each other, as there’s just one
OID instance per enterprise. The only time you’d need to sync OID instances is
if you want to synchronise the 9i Database OID with the 9iAS OID instance (or
indeed sync either with the Oracle Apps 11i OID instance) to achieve single
sign-on across the complete Oracle technology stack.
In terms of Gotchas - well, first of all, bear in mind that Advanced Security
is a pay-extra option for the database. Also, be prepared to spend a bit of time
getting it all set up. In addition, whilst setting up Advanced Security on your
database is a fairly well-trodden path, synchronising it with 9iAS or Oracle
Apps is a far more complex task (and with no clear ‘best practice’ in this area
published by Oracle), although I’ve been told by Oracle support that this whole
area is much simpler to set up with Oracle Application Server 10g. Haven’t tried
it myself though.
You can find out more details on Oracle Advanced Security on OTN’s Advanced
Security product page.
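As an added illustration (not taken from the original post or from Oracle's documents), this is roughly what the database side of the global users and roles described above looks like for the reader's databases A and B and common user C. The DN, schema, role and table names are constructed, and the directory-side steps (registering each database and mapping directory users to schemas and roles) are assumed to be done already and are not shown.

```sql
-- Run in BOTH database A and database B. Every name and the DN below
-- are constructed examples, not values from the post.

-- Option 1: a private global schema for user C, tied to one directory entry.
-- No password is stored in the database; the credential lives in the directory.
CREATE USER c IDENTIFIED GLOBALLY AS 'cn=c,ou=people,dc=example,dc=com';
GRANT CREATE SESSION TO c;

-- Option 2: one shared schema that many directory users map onto
-- (the user-to-schema mapping itself is held in the directory).
CREATE USER dw_shared IDENTIFIED GLOBALLY AS '';
GRANT CREATE SESSION TO dw_shared;

-- A global role: WHAT it allows is defined locally in each database ...
CREATE ROLE dw_reader IDENTIFIED GLOBALLY;
GRANT SELECT ON sales.orders TO dw_reader;   -- hypothetical table
-- ... but WHO holds it is decided in the directory, so a global role
-- cannot be handed to a user or another role with GRANT.

-- Audit check (9i-era dictionary values): which accounts and roles in
-- this database are directory-managed rather than locally authenticated?
SELECT username, external_name FROM dba_users WHERE password = 'GLOBAL';
SELECT role FROM dba_roles WHERE password_required = 'GLOBAL';

-- After connecting as a directory user: which directory identity is
-- behind this session, and which database schema did it land in?
SELECT SYS_CONTEXT('USERENV', 'EXTERNAL_NAME') AS directory_dn,
       SYS_CONTEXT('USERENV', 'SESSION_USER')  AS db_schema
FROM dual;
```

Because neither database holds C's password or role membership, there is nothing to synchronise between A and B; both simply consult the same directory entry at login.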

January 26th, 2004 at 9:07 pm
Hi Mark, I was browsing the web & came across your Oracle Website - Great page! I’m still rather new to the Oracle world and am pursuing my Oracle DBA OCP. I have some questions regarding 9iAS & RAC that I’m hoping you can answer.
We currently have a configuration similar to this:
(INTERNET) --> (9iAS SunFire 280R w/ D2 StorEdge) --> (9iRDBMS SunFire 280R w/ D2 StorEdge)
We have our 9iAS Webserver & DB on separate machines. Though, we don’t have 9i Infrastructure & 9iAS on different machines… they’re on the same 280R.
Now I have been reading about RAC on the 9i RDBMS but I haven’t seen much about an equivalent on 9iAS. I’ve seen some bits about “Clustering Technology” on 9iAS but no true diagrams.
Could you provide some insight here? Eventually I’d love to scale my environment from 1 9iAS SunFire 280R to 2 or 3 or 4 and then do the same with the 9i RDBMS SunFire 280R.
The simpler the language the better!
Thanks in advance,
Rich
January 26th, 2004 at 10:49 pm
Hi Rich,
The 9iASr2 (and 10g) architecture is designed to allow you to add more servers into the mix as demand ramps up. Two words you’ll come across when looking at this area are ‘clusters’ and ‘farms’.
A ‘farm’ is all of the 9ias mid-tier instances under the control of a 9ias infrastructure. These mid-tier instances can be Forms & Reports servers, Reports Servers, Discoverer servers, Portal servers or whatever. A ‘cluster’ is two or more mid-tier instances configured the same way, that logically can be thought of as one instance. When 9iAS propagates a change using DCM to a clustered mid-tier, it applies the change identically to the cluster as if it was only one instance.
For example, your 9iAS farm might consist of seven mid-tier instances, and an infrastructure tier, set up as
- one infrastructure instance, on its own server
- a 4-server mid-tier cluster configured for Discoverer
- a 2-server mid-tier cluster configured for Portal
- a single mid-tier instance configured for reports.
As time goes on, you can add further mid-tier instances to the farm, either as individual instances, or as part of a cluster. It’s important to note that all instances within the cluster are configured identically, and updates to the cluster are propagated using DCM (or the EMWebsite).
I’m sure I’ve got some papers on this subject on my work PC; I’ll take a look when I get back on Wednesday and email them on to you.
cheers
Mark
p.s. how far have you got on your OCP? I’ve got one exam to do (DBA Fundamentals II) and I’m revising the chapters on RMAN at the moment…
January 27th, 2004 at 2:46 pm
Thanks Mark, I appreciate the info!
Thanks for the explanation… you only need 1 infrastructure with 9iAS cluster farms? That’s interesting. So that will be the ‘front line’ of the web services & will direct queries to the appropriate server? If you have some papers on the topic I’d love to read them. The email listed is legitimate. It would be nice to get real email… I think my yahoo account has learned to filter out the legitimate email and leave the spam!
Thanks again,
I’ve only been in the business ~12 months and am not ready to take my OCP tests yet. I’m still trying to finish my University education… I should just study & take the tests though, I know
Rich
January 26th, 2007 at 10:09 am
Dear Mark,
I read your article “Integrating Discoverer 9iAS Logins And Database Logins” and it was a good help for me to understand the integration between Portal and Discoverer. However, this article is quite old. Have you published any new article discussing the same subject using OAS 10g?
Best Regards,
Bilal