OID, mod_wl_ohs, OAM, Identity Asserter

Basic questions about OAM Identity Asserter, WebLogic Authentication in Oracle Identity and Access Management


What is OAM Identity Asserter? Why is it required?
>>Why OAM Identity Asserter is important for both AD and OID , what exactly it does ?
OAM Identity Asserter is required so that your WebLogic server (OBIEE application is deployed on a WebLogic server) can be provided with information/token so that it can map to a valid user. This is just a short answer, but you will require this configuration during OBIEE configuration. As mentioned above OBIEE is protected by OAM. So you see the big picture. Here is link for details about Identity asserter. In order to enable SSO for Weblogic applications (meaning web applications that are deployed on Weblogic server), you need to add and configure OAM Authentication Provider for WebLogic Server.

 Here is discussion on Oracle forum on Identity Asserter.
Link to Oracle Discussion OID, mod_wl_ohs, Identity Asserter 

 >>How OID is different from LDAP and whose performance is better for long term ?
OID is an LDAP compliant server. Other LDAP compliant servers from Oracle include ODSSE and OUD.
>>Why we have to go for OID instead of LDAP ?
LDAP is name of protocol, whereas OID is ldap compliant Directory server from Oracle.

>>What is the roles of Oracle Access manager in OID ?
OAM is Oracle Access Manager and it provides authentication and authorization services to applications. In your case, you would use OAM to provide authentication services to OBIEE application. In other words your Oracle environment would be something like, Protected application being OBIEE, Directory server being OID and OAM providing authentication.

>>what is Oracle HTTP Server 11g Webgate ?
Now lets come to your web tier, meaning where your OBIEE application url will be made accessible. You cannot put your OBIEE server on the perimeter. Hence you use a webserver which hosts the OBIEE url for a user to access. This webserver here is OHS, or Oracle HTTP server. Webgate is a software component (it is part of the OAM), which will serve as an agent and protect the OBIEE url which is hosted on the OHS server. So you configure policy in OAM for authentication/authorization purposes and which has an agent residing on the webserver (OHS server). 11g refers to the version, e.g. 11gR2 is version of Oracle Identity and Access Management suite of products containing Oracle Access Manager (OAM), Oracle Identity Manager (OIM), Oracle Internet Directory (OID) etc.

>>What MOD_WL_OHS configuration file contains ?
Refer to this link Configuring the mod_wl_ohs Plug-In for Oracle HTTP Server    The mod_wl_ohs module is included in the Oracle HTTP Server (OHS) installation. You need not download and install it separately. mod_wl_ohs is a plug-in for proxying requests from Oracle HTTP Server to Oracle WebLogic server.
With mod_wl_ohs plug-in the user requests sent to the OHS server are forwarded to the Application server. In other words, OHS server hosts the URL which is published so the user sends their request. On reaching the OHS server/mod_wl_ohs module, the user request is forwarded to the Weblogic server hosting the application. This way the OHS can be installed in a dmz and WebLogic/Application can be installed in the internal network.

>>Why OAM Identity Asserter is important for both AD and OID , what exactly it does ?
OAM Identity Asserter is required so that your WebLogic server (OBIEE application is deployed on a WebLogic server) can be provided with information/token so that it can map to a valid user. This is just a short answer, but you will require this configuration during OBIEE configuration. As mentioned above OBIEE application access is protected by OAM. Here is link for details about Identity asserter. In order to enable SSO for Weblogic applications (meaning web applications that are deployed on Weblogic server, e.g OBIEE), you need to add and configure OAM Authentication Provider for WebLogic Server.

>>Do I have to enable SSO mandatorily for OID ?
It depends on your requirement. But generally requirement is to secure applications like OBIEE. In your case for authentication/SSO for OBIEE makes sense. However you could also enable SSO for OID if you really have to.

>>What is HWLB URL , what is its function ?
HWLB means Hardware Load Balancer. HWLB URL would mean the URL which is hosted on the load balancer. Typically what this means that Load Balancer is like your front-end sitting on the dmz which captures the url requested by a user to access an application URL. The Load Balancer is configured to forward the request to any of the servers. For example, say your application, OBIEE application, for example is hosted on two separate servers for High Availability purposes. Since these two servers will have different IP addresses, a load balancer can be configured to publish a public URL which user can access, and load balancer will forward to one of the OBIEE server, depending upon the rules, e.g. round-robin or number of requests etc or availability of the server. This forwarding by Load Balancer to the application server is transparent to the user. For the user, they are requesting access to a URL which is hosted or published by the Load Balancer, and depending upon the configuration of the Load Balancer, the user request is sent to the backend application server(s).

 Link to Oracle Discussion OID, mod_wl_ohs, Identity Asserter

Comments

Post a Comment

Popular posts from this blog

VMware fix for Invalid manifest and ova file import failed errors

Image
Recently we got a OVA file for a virtual machine. The vendor instructions were to import the ova file in vmware Workstation, Player for Windows/Linux, Fusion for Mac, and VirtualBox as well.  The instructions were to take the available package and launch the VM with VMware workstation. The package contained  Module.mf, Module.ovf and Module-disk.vmdk and a Module.ova file. The .mf and .ovf file were 2 KB each whereas the vmdk was several gigs. The package also contained a Module.ova file which was several gigs as well. OVF           Open Virtualization Format MF             Manifest file VMDK       Virtual Machine Disk OVA           Open Virtualization Appliance The ovf file is a xml file that contains metadata for the ovf package The mf file contains the SHA1 hash codes of all files in the package The vmdk file is the disk image of the virtual machine,  VMware Workstation or VirtualBox. (vmdk format was originally developed by VMware and is an open format now). All of
Read more

SOAPUI - import certificate

Image
Note: SoapUI has two versions, one is open source and second Professional version. The open source can be download here . (confirmed link 12/19/2018). SSL Handshake issue:   There is an Issue in SoapUI version 5.3.0 (and 5.2.0 version) with SSL handshake error. It was resolved by updating below in vmoptions file ( refer here ). However, the error that shows up while trying to load wsdl is "Error loading WSDL" as below The fix is to Enable TLS 1.2 protocol for SOAP/REST calls in SoapUI, by ammending the vmoptions file to add the directive for TLS as (-Dsoapui.https.protocols=TLSv1.2). Refer here . Update: Version 5.5.0 does not have this issue. If you are on 5.3.0 better upgrade to 5.5.0 which is available now (Feb 2019). I had above issue as well as another issue reaching to https endpoint. Upgrade to 5.5.0 resolved issue. Select "Check for updates" under the Help menu and you will get option for upgrade. Select upgrade current version and accept all defaul
Read more

Centrally Managed Users (CMU) - New Feature in Oracle Database 18c

Image
Centrally Managed Users (CMU) Centrally Managed Users or CMU is a new feature introduced since Oracle DB 18c which allows simplified database user management through integration with Microsoft Active Directory (AD). Beginning with Oracle Database release 18c, version 18.1 and later supports direct integration with Microsoft Active Directory (AD) using the new centrally managed users capability. CMU allows the Oracle database to perform user authentication and authorization directly against AD. Benefits of CMU With centrally managed users, users accessing the database can be centrally managed to improve an organization's security posture. An enterprise user (a user in Microsoft Active Directory) can be exclusively mapped to a database account, or many enterprise users (in an Microsoft Active Directory group) can be mapped to a shared account in the database. Microsoft Active Directory groups can also be mapped to a database global role, which provides users with additional privilege
Read more