April 17th, 2007 by Mark Rittman
Today was the first day proper of Collaborate’07, and started off with the keynote from Ari Kaplan (IOUG President), Ken Jacobs and Andy Mendelsohn, on thirty years of the Oracle database and what’s coming in the 11g release. There wasn’t really anything new on 11g since the announcements at Open World; the main topics they discussed were new features introduced in the 10g timeline (Data Vault, Audit Vault, the new Information Lifecycle Management GUI that works off of partitioning and compression), together with some of the new features coming in 11g (online patching, improvements to partitioning, the new quality assurance stuff where you can create application versions which then get switched over when your upgraded app is ready). If you hadn’t been to Open World it would have been a useful talk, but nothing new beyond that.
I went to a few other talks during the day (Chris Claterbos on OWB and OLAP, for example) but for me, the highlight of the day was Matt Topper’s talk on Identity Management. Identity Management is going to be something that gains more and more importance in the world of BI, as we start to build enterprise-wide BI applications that need to play well with the identity management and application framework already in the business, and Matt provided a good summary of where we are now (SSO, VPD, Advanced Security Option) and where we’re going with identity management in the future.
You may be aware that as part of Oracle’s spending spree over the past couple of years, many of the companies that Oracle bought were in the identity management space; companies such as Oblix, Thor and Octet String. There have also been some partnerships announced with companies such as Passlogix. Matt took us through the history of these acquisitions, and set out how enterprise identity management is going to work in the brave new world of Fusion applications, Enterprise BI and heterogeneous systems.
Whereas in the past, you tended to create single sign-on environments using largely Oracle products against largely Oracle applications and databases, in the heterogeneous world Oracle are trying to build, you’ll instead work with the following products:
- Oracle Enterprise Single Sign-On, a product made available through partnership with Passlogix, provides SSO across heterogeneous applications and comes with a Provisioning Manager (for creating user accounts across multiple systems), Logon Manager (which replaces the Windows logon), Authentication Manager and Kiosk Manager. This would replace Oracle SSO but would work across different systems. Matt’s advice is that, when transitioning existing environments to this application, allow 30 days or so for the system to ‘bed-down’, users to pick up their new passwords, and systems to start working with it.
- Oracle Identity Manager, a centralized repository for identity provisioning. Provisioning is the process of someone joining (or leaving) the organization, and their accounts being set up, security rules being applied, passwords being mailed and so on. It’s based around a workflow process and comes with connector packs to systems such as Novell, Exchange, SAP, Siebel, Remedy, database tables, Unix SSH and so on. This came from the Thor purchase and was originally called Thor Xcellerate.
- Oracle Access Manager, described as Next-Generation Oracle Single Sign-On (could work out how this relates to Oracle Enterprise Single Sign-On), was acquired through the Oblix purchase and was originally called CoreID. This provides tools such as WebGate, WebPass, Identity Server and Policy Server, works with Oracle BI Suite Enterprise Edition and can use directory servers such as Active Directory as well as Oracle Internet Directory to hold users and roles. Matt’s opinion was that this was in fact easier than Oracle SSO to set up, and its benefit is that it works across all different application environments, not just Oracle.
- Oracle Virtual Directory, which came from the Octet String purchase, provides a “virtual” directory over different directories such as OID, Active Directory, plus your own application security in tables in a database. Matt felt Virtual Directory was very fast for setting up prototypes, and 9 out of 10 customers who use Oracle Access Manager used Virtual Directory as well. This virtual directory will also write-back changes made to it to the underlying physical directories, although Matt noted that write-back was sometimes slow and in many cases customers made changes directly to the underlying directories, and then had these changes reflected in time to the virtual directory. Memory is also sometimes an issue, with around 8GB of RAM needed to support 500 users.
- Oracle Identity Federation, which was previously known as Oblix CoreID Federation, uses standards such as SAML and Liberty ID-FF to create federated identity management systems (as opposed to a single system that applies across all environments).
- Oracle Web Services Manager, originally Oblix CoreSV, secures Web Services by creating a gateway in front of the web service, securing it, but not requiring changes to code.
All useful stuff, and then Matt went through some slides on how these tools are used in practice, including using them to secure an Oracle BI Suite Enterprise Edition system, which is something I’m trying to work through now. Good work from Matt and definitely a case of learning something I didn’t know before.