Presentation of Oracle's solution for user authorization in applications/systems
Identity and Access Management
Alexandre Freire | Principal Sales Solution Security Specialist, Identity and Access Management | GRC | Technology
Oracle Latin America Strategic Accounts
Oracle Identity and Access Management: Commitment to Leadership & Innovation
Timeline (stages labelled Build, Lead, Innovate; years 1999, 2005, 2006, 2007, 2008). Milestones shown:
• Oracle Internet Directory
• Acquisition of Phaos → Federation and WS technologies
• Acquisition of Oblix → OAM, OIF & OWSM
• Acquisition of Thor → OIM
• Acquisition of OctetString → OVD
• Oracle Identity and Access Management Suite
• Identity Audit and Compliance offering
• Oracle eSSO
• Leader in Gartner's UP & WAM Magic Quadrant
• Acquisition of Bridgestream → ORM
• Acquisition of Bharosa → OAAM
• Acquisition of BEA → OES
• Oracle Access Management Suite
• Id. Assurance Partner Alliance
• Identity Governance Framework
• Market Leader in Forrester's IAM Wave
• Oracle IdM Eco-system
Leader in Magic Quadrants: User Provisioning, H2 2008; Web Access Management, H2 2008
“Oracle assumes the No. 1 position” - Earl Perkins, Perry Carpenter, Aug. 15 2008 (Research G00159740)
Magic Quadrant Disclaimer: The Magic Quadrant is copyrighted by Gartner, Inc. and is reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner's analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the "Leaders" quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Gartner's comments on Entitlements
• WAM Market Trends for 2008
• Market segmentation (access management suites vs. commodity WAM vs. consumer extranets): The strategic direction for WAM tools is diverging as the market matures. Larger, enterprise-focused vendors (IBM, CA, Sun, Novell, Oracle, Evidian and Siemens) are developing access management suites, which include WAM, platform access control, fine-grained entitlement management, identity federation and, often, Web services security tools, combined with unified administration and audit facilities. Smaller vendors (for example, Cafesoft and P2 Security) are focused on low-cost, low-complexity SMB offerings. A few vendors (including EMC/RSA Security and Entrust) are focused specifically on the consumer extranet.
• Oracle - Strengths
• Oracle now sells OAM as part of an integrated suite of access management components, including Oracle Identity Federation, Oracle Entitlements Server and Oracle Adaptive Access Manager, providing improved authorization functionality beyond Web applications, as well as fraud detection capabilities. The wide range of access management functions in the suite puts Oracle on an excellent footing with broad suite offerings from IBM and CA.
Source: http://mediaproducts.gartner.com/reprints/oracle/article48/article48.html
Market Leader According To
“Oracle has established itself as Leader.” - The Forrester Wave: Identity And Access Management, Q1 2008
Oracle reached the top of our evaluation through a combination of the breadth, depth, interoperability, and packaging of its IAM features alongside the strategy and current state of market execution on its application-centric identity vision. - The Forrester Wave: Identity And Access Management, Q1 2008
Oracle's Identity Management Suite (“Identity Management 2.0”) (diagram; components grouped into Access Management, Identity Admin. and Directory Services columns):
• Adaptive Access Manager
• Entitlements Server
• Web Services Manager
• Access Manager
• Identity Federation
• Enterprise Single Sign-On
• Authentication Service for OS
• Role Manager
• Identity Manager
• Virtual Directory
• Internet Directory
• Audit & Compliance
• Manageability: Enterprise Manager IdM Pack
• Core Platform: Identity Management Suite
Oracle Entitlements Server: Functional Architecture
Oracle Entitlement Server: what is it?
• It is a privilege control system that enables the centralized definition of privileges for complex applications and the runtime enforcement of those privilege controls.
• Allows privilege control to be externalized
• Separates security decisions from the applications' business logic;
• Centralizes the management of access policies for multiple application environments.
Oracle Entitlement Server: what is it?
• The policy model supports the natural hierarchy of business objects, roles and access rights.
• Protects both software components (e.g. URLs, EJBs, etc.) and business objects (e.g. accounts, patient records, etc.).
• Provides flexible deployment and easy integration with the existing security and identity systems.
Entitlements Management (diagram): Policy Decision Points sit in the Presentation Tier, the Business Logic Tier and the Data Access Tier (databases); the Entitlements Server (rights management) holds the centralized policy repository.
• Leverages and builds on the existing investments in security and Identity Management
• Enforcement of the corporation's security policy
• Takes the creation and maintenance of policies out of the developers' hands
• Control who can do or see something, when and how.
Oracle Entitlements Server Architecture (diagram):
• Admin Server: Policy Administration Point (PAP) holding the policies (XACML 2.0 Policy), administered from a browser.
• App Server with an embedded Policy Decision Point (PDP/PEP), i.e. embedded entitlements, provided by a Security Service Module (SSM) with ATN, ATZ, RM, AD and CM services (authentication, authorization, role mapping, auditing, credential mapping).
• Entitlements Server as a standalone Policy Decision Point (PDP), also built on an SSM, serving clients such as Plain Old Java Objects (POJO), .Net clients and generic SOAP clients.
• Policy Information Point (PIP): LDAP, relational DB, Service Data Objects or the Attribute Retriever API. User or application directories or database that contain information that is required to make an access decision. Such information includes user, group, and resource attributes.
Oracle Confidential – For Internal Use Only
OES Admin Server (J2EE) (diagram): the OES Administration Server (PAP) exposes the Entitlements API and the Management API, used by the Admin UI, Application Mgmt Tools and Admin Scripts through a web browser; the Policy Distributor and the Policy Loader/Exporter move policies between the Policy Store, policy files and the SSMs.
• Runs on WebLogic, Tomcat, WebSphere
• Web-based Admin Console
• Policy Reporting
• Management Tools
• Management API via Java and Web Services
• Transactional policy distribution to SSMs
Security Service Module (PDP) (diagram): the Framework API fronts five providers, Authentication, Authorization, Role Mapping, Auditing and Credential Mapping, backed by identity directories, entitlements data, secure audit logs and external applications.
• Authentication: integrate with LDAP, RDBMS, custom identity stores; leverage multiple stores simultaneously; assert identity from SSO or custom tokens; establishes a JAAS Subject
• Authorization: provide Grant/Deny decisions based upon policies; integrate external entitlement attribute data from LDAP, RDBMS, SDO
• Role Mapping: dynamically map users to Roles based upon policy
• Auditing: log messages generated by framework events; write to everything from log4j to secured filesystems; describe custom handlers for various events
• Credential Mapping: translate credentials into custom formats; helps propagate identity across disparate systems
SSM Configurations (diagram):
• Standalone Server (PDP), Entitlements Server: Java API, .Net API, SOAP API, XACML 2.0; Oracle DB (with VPD), SharePoint, Documentum Client/Content Server*
• J2EE/JVM (PDP/PEP), Embedded Entitlements: WebLogic Server, Tomcat, WebSphere; Plain Old Java Object (POJO); Oracle Service Bus; Documentum Client/Content Server*
• SSMs are kept synchronized with the central policy store: they handle “push” from the Admin Server and retrieve policy upon startup
• SSMs maintain local persistent caches of relevant policy
• SSMs maintain local caches of attribute and policy decisions
OES Access Policy
• OES Access policy is used to grant or deny privileges to resources in the application to specific users, groups, or roles, for example:
Grant (view, /app/Sales/RevenueReport, /role/Manager) if region = “East”;
(Diagram: an authorization request names a Resource (application objects), an Action such as Read, Write, View, … and Subjects; the Constraint is a Boolean expression over attributes and eval functions read from external data / identity store(s); the Effect carried in the authorization response is Grant, Deny or Delegate.)
OES Role Policy
• OES role policy is used to dynamically determine role membership, for example:
Grant (/role/Executive, /app/Sales/, /sgrp/manager) if level > 5;
(Diagram: as for access policies, the request names Resources and Subjects and a Constraint over attributes and eval functions read from external data / identity store(s); here the Effect (Grant, Deny, Delegate) maps the subject to Roles.)
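The two policy kinds above, as an added example in Python (not Oracle code and not the OES engine): a small evaluator that first derives roles from role policies and then makes the Grant/Deny decision for an access policy, with a constructed identity store standing in for the attribute source. The /role/Manager role policy, the users and the Deny-overrides-Grant rule are assumptions.

```python
# Added illustration of the OES policy model described on the slides; not Oracle code.
# Role policies derive roles per request; access policies then grant or deny an action.
from dataclasses import dataclass
from typing import Callable, Dict, Set

Attrs = Dict[str, object]

@dataclass
class Policy:
    effect: str                      # "Grant" or "Deny"
    target: str                      # role granted (role policy) or action (access policy)
    resource: str                    # trailing "/" means the whole resource subtree
    subject: str                     # user, group or role the policy applies to
    constraint: Callable[[Attrs], bool] = lambda a: True   # Boolean over attributes

# The two policies quoted on the slides plus one constructed Manager role policy.
ROLE_POLICIES = [
    Policy("Grant", "/role/Executive", "/app/Sales/", "/sgrp/manager", lambda a: a.get("level", 0) > 5),
    Policy("Grant", "/role/Manager", "/app/Sales/", "/sgrp/manager"),           # constructed
]
ACCESS_POLICIES = [
    Policy("Grant", "view", "/app/Sales/RevenueReport", "/role/Manager", lambda a: a.get("region") == "East"),
]
# Constructed stand-in for the identity store / PIP from which the SSM reads attributes.
IDENTITY_STORE: Dict[str, Attrs] = {
    "/user/alice": {"groups": {"/sgrp/manager"}, "level": 7, "region": "East"},
    "/user/bob":   {"groups": {"/sgrp/manager"}, "level": 3, "region": "West"},
    "/user/carol": {"groups": {"/sgrp/staff"},   "level": 9, "region": "East"},
}

def covers(policy_resource: str, resource: str) -> bool:
    """Hierarchical resource match: '/app/Sales/' covers '/app/Sales/RevenueReport'."""
    return resource.startswith(policy_resource) if policy_resource.endswith("/") else resource == policy_resource

def applicable(p: Policy, subjects: Set[str], resource: str, attrs: Attrs) -> bool:
    return p.subject in subjects and covers(p.resource, resource) and p.constraint(attrs)

def effective_roles(user: str, resource: str) -> Set[str]:
    """Dynamic role mapping: role membership is computed from role policies at request time."""
    attrs = IDENTITY_STORE[user]
    subjects = {user} | set(attrs["groups"])
    return {p.target for p in ROLE_POLICIES if p.effect == "Grant" and applicable(p, subjects, resource, attrs)}

def is_authorized(user: str, action: str, resource: str) -> bool:
    """Access decision: default Deny; an explicit Deny overrides any Grant (assumed semantics)."""
    attrs = IDENTITY_STORE[user]
    subjects = {user} | set(attrs["groups"]) | effective_roles(user, resource)
    matches = [p for p in ACCESS_POLICIES if p.target == action and applicable(p, subjects, resource, attrs)]
    return any(p.effect == "Grant" for p in matches) and not any(p.effect == "Deny" for p in matches)
```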
Entitlements Lifecycle: policy enforcement without changing the applications (diagram of the Oracle Entitlements Server shared by the Security Administrator, Business Owner, Developer, and Operations and Compliance Staff).
Entitlements Management: centralized management
• Entitlements management: User Roles; Application Resources; Authorization Policies; Role Membership Policies; Create Separation of Duties Rules; Distribute Entitlements to SSMs
• Identity administration: User Identity Directories; User Attributes
• Auditing: Run Policy Reports
Oracle Entitlements Server: Technical Architecture
OAM-OAAM-OES Architecture (diagram): a load-balancer in front of Web Server 1 and Web Server 2 (each with a Web Gate), serving Partners and Vendors; Oracle Access Server (Access Manager) with OAM Admin; OAAM Server (OASA) and OAAM Server (OARM); Entitlement Server with OES Admin; Application Server 1 and Application Server 2 (each with an SSM); OVD and Oracle Internet Directory; Oracle XE Database as the Policy Store.
OES Architecture – Platforms (PAP)
Table 1 Core Components
Component | Platforms | Operating Systems
Admin Console | Browser: MS IE 6.0, 7.0 | Windows 2000 SP4, 2003 R2, XP SP2
E-UI | Browser: MS IE 6.0, 7.0; Firefox 2.0.x | Windows 2000 SP4, 2003 R2, XP SP2
Admin Server Platform | WebLogic Server 9.2 MP2; WebLogic Server 10.0 MP1; WebLogic Server 10gR3 (10.3); WebSphere Application Server 6.1; Tomcat 5.5.23 | Sun Solaris 8, 9, 10 (32-bit); Windows 2000 SP4, 2003 R2, XP SP2; Red Hat Adv. Server 3.0, 4.0; Suse Linux 9.2 & 10.0; AIX 5.3
OES Policy Store | Oracle 9.2.0.5, 10.1.2, 10.2.0.2, 11.1.0.6; Sybase 12.5.3, 15; MS-SQL 2000 & 2005; PointBase 5.1; DB2 Universal DB Enterprise Server 9.1 |
User Directory | Oracle Identity Directory 10.1.4.2; Microsoft Active Directory 2000 & 2003; Microsoft ADAM; SunONE Directory Server v5.2; Novell eDirectory v8.7.31; Open LDAP v2.2.24; Oracle 9.2.0.5, 10.1.2, 10.2.0.2, 11g; Sybase 12.5.3, 15; DB2 Enterprise Server Edition 9.1; MS-SQL 2000 & 2005 |
OES Architecture – Platforms (SSM)
Table 2 Security Modules (operating system columns: Windows; Solaris 8, 9, 10; RHAS 3.0, 4.0; Suse 9.2, 10.0; AIX 5.3)
Category | Platform / Version(s) | Windows | Solaris | RHAS | Suse | AIX
Web Services / RMI | MS .NET 1.1 & 2.0; WL Workshop 9.0, 10.0; Studio 3.0 | Yes | Yes | Yes | Yes | No
Oracle WebLogic Products | WebLogic Server 8.1.5, 8.1.6, 9.2.2, 10.0 MP1, 10.3; WebLogic Portal 8.1.5, 8.1.6, 9.2.2, 10.0.1, 10.2; WebLogic Integration 9.2.2 | Yes | Yes | Yes | Yes | No
Other Oracle Products | ODSI (formerly ALDSP) 2.5, 3.0, 3.1; OSB (formerly ALSB) 2.6, 3.0; OBPM (formerly ALBPM) 6.0 | Yes | Yes | Yes | Yes | No
IBM WebSphere | WebSphere 6.1 | Yes | Yes | Yes | Yes | Yes
Java | Sun JVM 1.4.2, 5.0, 6.0; JRockit 1.4.2, 5.0, 6.0; IBM JDK 1.4.2, 5.0 | Yes | Yes | Yes | Yes | No
Web Servers | Apache; MS IIS 6.0 | Yes | Yes | Yes | Yes | No
Other Applications | Oracle Database 10g | Yes | No | No | No | No
Other Applications | Documentum Content Server v5 | Yes | Yes | Yes | Yes | Yes
Other Applications | Microsoft Office SharePoint Server 2007 | Yes | N/A | N/A | N/A | N/A
High Availability - Runtime
• Security Module/PDP continues to provide security services even if external components it relies on (such as an authentication database) become unavailable.
• Failover for authentication sources
• Failover for entitlement sources (attribute retrievers)
• Failover for Credential Mapper sources
• For data replication between data sources we recommend using a vendor-specific approach or solutions like Oracle RAC
• Runtime independence of SM/PDP from Admin Server
(Diagram: within the Application Environment, the Security Service Module's Security Framework hosts Authentication, Role, Authorization, Auditing and Credential Providers; the primary authentication source and the primary entitlements source each have a back-up kept in step by source-specific replication.)
High Availability – Management Time (diagram): SSM application environments in New York, London and Tokyo; a Primary Admin Server backed by a Secondary Admin Server; a Primary OES DB replicated to a Secondary OES DB by RDBMS-specific replication; OES Administrators at each site. A second copy of the diagram uses the ALES names (Primary/Secondary ALES DB, ALES Administrator) and is marked “Recommended”.