
An Oracle White Paper

August 2013

Oracle Identity Management Leveraging Oracle’s Engineered Systems

High Performance, Scalability, Simplified Deployment


Disclaimer

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products, remains at the sole discretion of Oracle.

• Executive Overview
• Introduction
  • Oracle’s Engineered Systems
  • Oracle Identity Management
• Oracle Exalogic / Oracle Exadata Benefits
• Installing Oracle Identity Management on Oracle Exalogic
• 250 Million User Benchmark
• Customer Case Studies
  • Turkey’s Ministry of Education
  • Western US State
• Conclusion


Executive Overview

Enterprises deploy Information Technology (IT) applications in various ways today. They may use on-premise physical servers, virtualization, private clouds, public clouds, or a combination thereof. In all cases, the main goals include improving the ease of application deployment, increasing system performance, providing security across the enterprise, and ensuring contained costs.

With an inclusive “in-a-box” strategy, Oracle’s engineered systems combine best-of-breed hardware and software components with game-changing technical innovations. Designed, engineered, and tested to work best together, Oracle’s engineered systems power the cloud or streamline data center operations to make IT deployments more efficient. The components of Oracle’s engineered systems are preassembled for targeted functionality and then, as a complete system, optimized for extreme performance, translating into less risk and cost for your organization. Oracle’s engineered systems integrate seamlessly with existing IT environments, and provide the kind of customer experience that helps your users do what they need to do faster, better, and more efficiently.

With Oracle’s engineered systems as the foundation for running your mission-critical applications, you get fully integrated servers, storage and networking that will save you months of integrating, testing, and benchmarking time. Oracle’s engineered systems deployment also gives you the ability to manage the entire system—from applications to servers to storage—from a single console.

Oracle Identity Management enables organizations to effectively manage the end-to-end lifecycle of user identities across all enterprise resources, both within and beyond the firewall and into the cloud. The Oracle Identity Management platform delivers highly scalable solutions for identity governance, access management, and directory services, helping organizations strengthen security and capture business opportunities around mobile and social access.

This document presents the business benefits of leveraging Oracle’s engineered systems for deploying and running Oracle Identity Management.


Introduction

This section introduces Oracle’s engineered systems and Oracle Identity Management.

Oracle’s Engineered Systems

Oracle’s engineered systems include the following products, designed for specific purposes:

• Oracle Exadata Database Machine: The only database machine that provides extreme performance for both data warehousing and online transaction processing (OLTP) applications.

• Oracle Exalogic Elastic Cloud: Designed, optimized, and certified for running Oracle applications (such as Oracle Identity Management). Exalogic is ideal for mission-critical middleware and applications from Oracle and third-party vendors. It delivers lower total cost of ownership (TCO), reduces risk, and offers unprecedented levels of performance, reliability, and scalability.

• Oracle SuperCluster T5-8: A complete engineered system that delivers extreme performance and the highest availability and efficiency for databases and applications. Oracle SuperCluster T5-8 is ideal for consolidation and private clouds.

• Oracle Database Appliance: An engineered system of software, servers, storage and networking that offers a simple, reliable, low-cost package for mid-range database workloads.

• Oracle Exalytics: The first engineered system featuring in-memory software and hardware and an optimized business intelligence platform with advanced visualization.

• Oracle Big Data Appliance: An engineered system optimized for acquiring, organizing and loading unstructured data into Oracle Database.

• Oracle’s Sun ZFS Storage Appliances: Provide robust application and data storage for Oracle’s SPARC SuperCluster and Exalogic Elastic Cloud, and offer immediate benefits for customers using network-attached storage (NAS) for enterprise applications, virtualization, cloud, storage consolidation, and data protection.

• Oracle Network Application Platform: An engineered system for carrier-grade application development that enables network equipment providers and communications service providers to dramatically improve cost, time to market, and capacity to innovate.


Oracle Identity Management

Over the last decade, the mission of identity and access management (IAM) has expanded to include a wide range of business objectives. Whereas early identity systems essentially served to simplify user account management, organizations are now building IAM functionality into their controls infrastructure (according to IT market intelligence firm IDC, the IAM market size for 2014 is estimated at around US$4 billion). As applications outgrow traditional network boundaries through cloud and mobile channels, organizations are using IAM to create a secure, integrated user experience. The constant specter of insider threats and consumer fraud also necessitates identification-based access controls throughout the enterprise. IAM systems are now at the backbone of e-government services, commercial websites, telecommunications networks, social networking, and healthcare information exchanges.

Figure 1: Oracle Identity and Access Management Logical View

Oracle Identity Management is a fully integrated suite of IAM functionality. Oracle Identity Management protects enterprise resources and manages the processes acting on those resources. Oracle Identity Management functionality is delivered as a unified, integrated security services platform designed to administer user identities, provision resources to users, protect access to corporate resources, enable trusted online business partnerships, and support governance and compliance across the enterprise.

This document covers Oracle Identity Management running on Oracle Exalogic and Oracle Exadata. Please refer to the 250 Million-User Benchmark technical white paper for more technical information regarding the benchmarking of Oracle Identity Management on Oracle Exalogic and Oracle Exadata.

Oracle Exalogic / Oracle Exadata Benefits

The integrated systems trend is on the rise. According to Gartner, “by 2015, 35 percent of total server shipped value will be as integrated systems.” (Gartner Data Center Conference presentation, “Will Fabric Computing Change the Concept of the Traditional Server?” December 2011.)

The extreme performance designed into every Oracle engineered system helps reduce risk and lower costs in your business. Oracle standardizes components in its engineered systems to reduce your risk and make tasks—such as software and hardware upgrades—automatic and predictable. Consolidating resources, whether in the data center or in the cloud, is a way to simplify your IT environment.

One of the key business benefits of Oracle’s engineered systems is the savings you make in operations. According to Gartner and Crédit Suisse, the enterprise IT budget is typically broken down into facilities (7%), hardware (10%), software (12%), implementation (31%) and staffing (40%). Oracle’s engineered systems allow you to cut down on IT costs by 70% in implementation and staffing, including sizing and deployment planning, installation and configuration, deployment and scaling, patching and maintenance, and platform administration.

Converged Oracle Identity Management platforms running on Oracle’s engineered systems can consolidate hundreds of servers into a single “box.” For example, a very large US broadband and telecommunications company runs 200 Oracle Identity Management servers on Oracle Exalogic.

Installing Oracle Identity Management on Oracle Exalogic

Customers install Oracle Identity Management on Oracle Exalogic in the same way they install other Oracle applications or middleware components.

Typically, after preparing your data center site, commissioning the Oracle Exalogic machine, providing initial network configuration (e.g., IP address assignments), and setting up the Sun ZFS Storage 7320 (the initial configuration of the storage appliance in your Oracle Exalogic machine is completed at the time of manufacturing), you’re ready to install Oracle Identity Management on the Oracle middleware stack (Oracle Linux 5.5 is preinstalled on each of the compute nodes in your Oracle Exalogic machine).

Figure 2: Oracle Identity Management on Oracle Exalogic

250 Million User Benchmark

The goal of the 250 million-user benchmark is to demonstrate the ability of a selection of Oracle Identity Management components to support extreme loads when deployed on Oracle Exalogic and Oracle Exadata. The Oracle Identity Management components involved in this benchmark are Oracle Access Manager (OAM), a web single sign-on (SSO) solution, and Oracle Adaptive Access Manager (OAAM), a strong, multifactor authentication and fraud detection platform, together with Oracle Internet Directory (OID), one of the LDAP directory servers offered by Oracle with the Oracle Directory Services platform, used in this case to seed test user data.

The 250 million-user benchmark (1) shows the ability of the environment to support up to 250 million users (based on specific use cases described in the 250 Million-User Benchmark technical white paper), (2) demonstrates the scalability of OAM and OAAM on Oracle Exalogic and Oracle Exadata, and (3) identifies optimal settings for each tier (operating system, middleware, and database) as well as optimal settings for each Cloud Application Foundation component (Java Virtual Machine, web tier, Oracle Traffic Director (OTD), OAM, OAAM, OID, and the Oracle Database).

Figure 3: 250M User Benchmark Configuration

The Oracle Exalogic / Oracle Exadata platforms used for this benchmark include an Oracle Exalogic machine (X3-2 Quarter Rack) and an Oracle Exadata machine (X3-2 Quarter Rack). The Oracle Exalogic machine comes with 8 compute nodes (Intel Xeon CPU E5-2690; 2x8 cores at 2.90 GHz, or a total of 128 compute cores), 256GB of RAM, one ZFS Storage 7320 clustered configuration, and the high-speed InfiniBand internal network. The Oracle Exadata machine comes with 2 compute nodes (Intel Xeon CPU E5-2690; 2x8 cores at 2.90 GHz), and three Oracle Exadata storage servers X3-2 with 36 CPU cores for SQL processing.

The benchmark topology is as follows: The OAM and OAAM servers are installed on Oracle Exalogic nodes. The OAM and OAAM database servers are installed on Oracle Exadata. OID is installed on Oracle Exalogic nodes, and OID’s database is installed on Oracle Exadata. The web tier including Oracle HTTP Server (OHS) with OAM’s WebGates (web filters communicating with the OAM server in the application tier, as shown in Figure 1), and Oracle Traffic Director are on Oracle Exalogic nodes. The Load Runner Controller used for the benchmark is installed on an external Microsoft Windows machine, and load generators are installed on miscellaneous external machines.

The benchmark results are indicative of how much performance is gained by running Oracle Identity Management on Oracle Exalogic / Oracle Exadata. OAM shows extreme performance, linear scale up and scale out. OAM can support 7.7 million, 12.5 million, and 16.4 million logins per hour with one, two, and three Oracle Exalogic nodes respectively. OAAM can support up to 12 million transactions per hour with one Oracle Exalogic node, and 2 Oracle Exalogic nodes can support up to 20 million transactions per hour.
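A capacity-planning sketch built on the throughput figures quoted above, added here as an example and not part of the white paper or Oracle's own tooling: it derives speedup and per-node scaling efficiency from the measured OAM and OAAM points and sizes a node count for a given peak. The peak loads, the 1.3 headroom factor and the rule of extrapolating with the last measured per-node increment are assumptions made here, not benchmark results.

```python
"""Capacity-planning sketch using the OAM/OAAM throughput points quoted in
the white paper.  Added example, not Oracle's code.  Peak loads, the headroom
factor and the extrapolation rule are assumptions made here."""
from math import ceil

# Benchmark figures from the paper: Exalogic node count -> throughput per hour.
OAM_LOGINS_PER_HOUR = {1: 7_700_000, 2: 12_500_000, 3: 16_400_000}
OAAM_TRANSACTIONS_PER_HOUR = {1: 12_000_000, 2: 20_000_000}


def speedup(measured, nodes):
    """Throughput at `nodes` relative to the single-node measurement."""
    return measured[nodes] / measured[1]


def scaling_efficiency(measured, nodes):
    """Speedup per node: 1.0 means perfectly linear scale-out."""
    return speedup(measured, nodes) / nodes


def marginal_per_node(measured):
    """Throughput added by the last node in the measured series (assumes the
    series covers consecutive node counts starting at 1).  Used as a
    conservative basis for extrapolating past the measured range."""
    n = max(measured)
    return measured[n] if n == 1 else measured[n] - measured[n - 1]


def nodes_needed(measured, peak_per_hour, headroom=1.3):
    """Smallest node count whose throughput covers peak_per_hour * headroom.
    Measured points are used directly; beyond them the marginal per-node
    throughput is extrapolated linearly (an assumption, not a benchmark)."""
    target = peak_per_hour * headroom
    for n in sorted(measured):
        if measured[n] >= target:
            return n
    n_max = max(measured)
    return n_max + ceil((target - measured[n_max]) / marginal_per_node(measured))


def sizing_report(measured, peak_per_hour, headroom=1.3):
    """Summarise efficiency at each measured point and the sized node count."""
    return {
        "efficiency": {n: round(scaling_efficiency(measured, n), 3) for n in measured},
        "nodes_needed": nodes_needed(measured, peak_per_hour, headroom),
    }


if __name__ == "__main__":
    # Constructed scenario: a login peak of 20 million per hour.
    print(sizing_report(OAM_LOGINS_PER_HOUR, 20_000_000))
```

The efficiency values show how far each added node falls short of a perfectly linear doubling or tripling, which is the figure to carry into a sizing discussion rather than the single-node throughput alone.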

Customer Case Studies

Following are two examples of customers that have deployed (or are in the process of deploying) Oracle Identity Management on Oracle Exalogic / Oracle Exadata machines.

Turkey’s Ministry of Education

Turkey has over 25 million children in K-12 public schools. FATIH, a project commissioned by the Turkish Ministry of Education, is designed to advance the use of modern technology to support teaching in over 42,000 schools (570,000 classes) throughout Turkey. Technology includes smart boards, tablets for teachers, rich content, and a central governance structure. Oracle has been chosen by the Turkish Ministry of Education to provide a solution to identity-related challenges.

Every year more than 2 million students enter the K-12 population, and 2 million students graduate from the system annually. More than 20 million students go on to the next grade, 2 million of them move from primary to secondary, and 2 million from secondary to high school, thus creating substantial provisioning challenges. Since most end-users are children, the user experience must be very simple (authentication, single sign-on, and credentials management). For a project of this scale (25 million students), performance and scalability are key factors. Performance requirements are based on specific use cases. Peaks are expected to happen with a high ratio of the total user population authenticating and starting single sign-on sessions in very short time periods.

Similarly, provisioning happens in bulk with almost all the user population seeing annual “organizational changes” over a few weeks. This includes 10% of the total user population off-boarding and new users on-boarding within the same time frame. Scalability is important because there are many potential usage scenarios that will follow, such as parents accessing the resources after school hours.

The FATIH project uses Oracle Access Manager (OAM) for web applications authentication and single sign-on, and Oracle Identity Manager (OIM) for provisioning and user life cycle management. User identities are persisted in Oracle Unified Directory (OUD). Performance and scalability challenges are addressed by running the identity management components on Oracle Exalogic (Oracle performed a preliminary proof of concept on an Oracle Exalogic system which earned the customer’s unequivocal endorsement).

Oracle’s engineered systems are hosted at the Turkish Telekom Datacenter in Ankara. This includes Oracle Exalogic and Oracle Exadata, in addition to Oracle Exalytics and Oracle Big Data Appliance, together with a set of machines dedicated to disaster recovery. Running all of the identity management components on Oracle’s engineered systems has made it possible to have natural load switching: OAM and OUD are loaded mainly during school time, whereas OIM is loaded during the summer when OAM/OUD loads are minimal. So, even if all components run on all nodes, the load is naturally balanced since the OAM-OUD and OIM peak times are different. The most important performance impact can be observed on connections; for example, directory replication sees zero network friction. The time required to upload directory data from scratch (25 million records in 50 minutes) is almost the same as the time it takes to replicate the whole directory over to a new directory replica.

Western US State

This western United States state, with a potential number of 3M+ users, runs its business on Oracle’s engineered systems. Adding Oracle Identity Management components to the existing stack was a natural thing to do. Oracle’s engineered systems are hosted on Oracle On Demand (Oracle On Demand recommends the use of Oracle’s engineered systems). As a result, no customer maintenance staff is necessary; all maintenance of Oracle’s engineered systems is provided by Oracle itself.

The customer uses Oracle Access Manager and Oracle Adaptive Access Manager for access control, web single sign-on, strong authentication, and fraud detection, and Oracle Identity Manager for user life cycle management. In addition to Oracle Identity Management components, the customer also uses Oracle PeopleSoft, Enterprise Resource Planning (ERP) applications, and custom applications, all running on Oracle’s engineered systems.

In this case, the customer uses Oracle Identity Management to support its Health Information Exchange (HIE). Oracle Consulting Services (OCS) supported the implementation of the identity management components. Oracle Identity Management is a solution well suited to support the customer’s requirements in terms of a very large number of roles and integrated eligibility (e.g., the legal ability to review others’ medical information).

Conclusion

Oracle engineered systems are optimized to achieve enterprise performance levels that are unmatched in the industry. Whether it’s consolidating business applications on Oracle Exalogic Elastic Cloud and database workloads on Oracle Exadata Database Machine, or consolidating workloads from several machines onto a single system, engineered systems that work faster and that are less expensive just make good sense. Oracle Identity Management is one example of how Oracle Exalogic and Oracle Exadata can help support up to 250 million users and show tremendous improvement over traditional deployments.

Complete and Scalable Access Management
August 2013
Author: Marc Chanliau

Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
U.S.A.

Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200

oracle.com

Copyright © 2013, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark licensed through X/Open Company, Ltd.