OID, mod_wl_ohs, OAM, Identity Asserter

Basic questions about OAM Identity Asserter, WebLogic Authentication in Oracle Identity and Access Management


What is OAM Identity Asserter? Why is it required?
>>Why is OAM Identity Asserter important for both AD and OID, and what exactly does it do?
OAM Identity Asserter is required so that your WebLogic server (the OBIEE application is deployed on a WebLogic server) can be provided with the information/token it needs to map a request to a valid user. This is just a short answer, but you will need this configuration during OBIEE configuration. As mentioned above, OBIEE is protected by OAM, so you see the big picture. Here is a link for details about the Identity Asserter. To enable SSO for WebLogic applications (meaning web applications that are deployed on a WebLogic server), you need to add and configure the OAM Authentication Provider for WebLogic Server.

Here is a discussion on the Oracle forum about the Identity Asserter.

Link to Oracle Discussion OID, mod_wl_ohs, Identity Asserter 

>>How is OID different from LDAP, and whose performance is better for the long term?

OID is an LDAP-compliant server. Other LDAP-compliant servers from Oracle include ODSEE and OUD.

>>Why do we have to go for OID instead of LDAP?
LDAP is the name of a protocol, whereas OID is an LDAP-compliant directory server from Oracle.

>>What is the role of Oracle Access Manager in OID?
OAM is Oracle Access Manager, and it provides authentication and authorization services to applications. In your case, you would use OAM to provide authentication services to the OBIEE application. In other words, your Oracle environment would look something like this: the protected application is OBIEE, the directory server is OID, and OAM provides authentication.

>>What is Oracle HTTP Server 11g Webgate?
Now let's come to your web tier, meaning where your OBIEE application URL will be made accessible. You cannot put your OBIEE server on the perimeter. Hence you use a web server which hosts the OBIEE URL for a user to access. This web server is OHS, or Oracle HTTP Server. Webgate is a software component (it is part of OAM) which serves as an agent and protects the OBIEE URL hosted on the OHS server. So you configure a policy in OAM for authentication/authorization purposes, and OAM has an agent residing on the web server (the OHS server) to enforce it. 11g refers to the version, e.g. 11gR2 is a version of the Oracle Identity and Access Management suite of products containing Oracle Access Manager (OAM), Oracle Identity Manager (OIM), Oracle Internet Directory (OID) etc.

>>What does the MOD_WL_OHS configuration file contain?
Refer to this link: Configuring the mod_wl_ohs Plug-In for Oracle HTTP Server. The mod_wl_ohs module is included in the Oracle HTTP Server (OHS) installation. You need not download and install it separately. mod_wl_ohs is a plug-in for proxying requests from Oracle HTTP Server to Oracle WebLogic Server.
With the mod_wl_ohs plug-in, user requests sent to the OHS server are forwarded to the application server. In other words, the OHS server hosts the published URL to which the user sends their request. On reaching the OHS server/mod_wl_ohs module, the user request is forwarded to the WebLogic server hosting the application. This way OHS can be installed in a DMZ and the WebLogic/application server can be installed in the internal network.
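As an added illustration (not taken from the original post or from the Oracle documentation it links to), a minimal mod_wl_ohs.conf for the layout described above could look like this. The host names, the port 9704 and the /analytics path are assumptions for an OBIEE application running on two WebLogic managed servers in the internal network.

```apache
# mod_wl_ohs.conf on the OHS host in the DMZ (constructed example)
<IfModule weblogic_module>
    # Back-end WebLogic managed servers that host the application.
    # Host names and port are placeholders for internal-network values;
    # mod_wl_ohs distributes requests across the listed members.
    WebLogicCluster bihost1.internal.example.com:9704,bihost2.internal.example.com:9704

    # Forward only the published application path to WebLogic.
    # Requests for any other path are answered by OHS itself and
    # never reach the application tier.
    <Location /analytics>
        SetHandler weblogic-handler
    </Location>

    # Administrative paths such as /console are deliberately not mapped
    # here, so they are not reachable through the DMZ web server.
</IfModule>
```

With a single back-end server, `WebLogicHost` and `WebLogicPort` take the place of `WebLogicCluster`.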

>>Why is OAM Identity Asserter important for both AD and OID, and what exactly does it do?
OAM Identity Asserter is required so that your WebLogic server (the OBIEE application is deployed on a WebLogic server) can be provided with the information/token it needs to map a request to a valid user. This is just a short answer, but you will need this configuration during OBIEE configuration. As mentioned above, access to the OBIEE application is protected by OAM. Here is a link for details about the Identity Asserter. To enable SSO for WebLogic applications (meaning web applications that are deployed on a WebLogic server, e.g. OBIEE), you need to add and configure the OAM Authentication Provider for WebLogic Server.

>>Do I have to enable SSO mandatorily for OID?
It depends on your requirement. Generally the requirement is to secure applications like OBIEE, so in your case enabling authentication/SSO for OBIEE makes sense. However, you could also enable SSO for OID if you really have to.

>>What is the HWLB URL, and what is its function?
HWLB means Hardware Load Balancer. The HWLB URL is the URL which is hosted on the load balancer. Typically this means that the load balancer is your front end, sitting in the DMZ, which receives the URL requested by a user to access an application. The load balancer is configured to forward the request to any of the servers. For example, say your application, the OBIEE application, is hosted on two separate servers for high availability. Since these two servers will have different IP addresses, a load balancer can be configured to publish a public URL which the user can access, and the load balancer will forward the request to one of the OBIEE servers depending upon its rules, e.g. round-robin, number of requests, or availability of the server. This forwarding by the load balancer to the application server is transparent to the user. For the user, they are requesting access to a URL which is hosted or published by the load balancer, and depending upon the configuration of the load balancer, the user request is sent to the backend application server(s).
