1 ORACLE INTERNET DIRECTORY ARCHITECTURE
  1.1 Overview
  1.2 Configuration
  1.3 Directory Schema
  1.4 Directory Schema Extensions
  1.5 Access Control List Considerations
  1.6 Attribute Uniqueness Management
  1.7 SSL and Oracle Internet Directory
2 ORACLE VIRTUAL DIRECTORY ARCHITECTURE
  2.1 Oracle Virtual Directory details
  2.2 Configuration
  2.3 Directory Schema Extensions
  2.4 SSL and Oracle Virtual Directory
3 KEY TECHNOLOGY SELECTIONS
4 Directory Integration Components
  4.1 DD_DI_01: Migration of Data from SAP HRMS into Oracle Internet Directory
      CD_DD_01: Pseudo code for exporting data from database to CSV format
      CD_DD_02: Pseudo code for importing from CSV file into Oracle Internet Directory
  4.2 DD_DI_02: Synchronization of data between Oracle Internet Directory and Oracle Virtual Directory
1 ORACLE INTERNET DIRECTORY ARCHITECTURE
The Aircel implementation of the Identity and Access Management project stores configuration data as well as user information in a directory server supporting LDAP. The user directory server and its schema details are given in the following sections. The proposed LDAP directory for storing user data and the Oracle Identity Manager and Oracle Access Manager configuration and policy data is Oracle Internet Directory (OID). The configuration data for Identity Manager and Access Manager will be stored in the location created by the respective products during installation. The policy data created by Access Manager will also be stored in the directory. The custom namespace that should be used is 'dc=aircel,dc=co,dc=in'.
1.1 Overview
Oracle Internet Directory is an LDAP v3 service that combines the mission-critical strength of Oracle's database technology with the flexibility and compatibility of the LDAP v3 directory standard. It is tightly integrated with Oracle Database 10g. Oracle Internet Directory's scalability, high availability and security features make it the ideal choice for high-end carrier and online service provider implementations. The Oracle Internet Directory server is implemented as an application running on top of Oracle Database 10g. Through this tight integration, Oracle Internet Directory effectively leverages the features of the Oracle platform for mission-critical applications. Within Oracle Application Server 10g, Oracle Internet Directory enables users to be created centrally and shared across components such as Oracle Identity Manager, Oracle Access Manager and others. When users log in, they are authenticated once by the Oracle Application Server Single Sign-On server against their Oracle Internet Directory credentials, and can thereby access multiple applications seamlessly.
1.2 Configuration
Refer to the installation document for details on the install options and parameters set while installing Oracle Internet Directory. The settings required for presenting the directory structure are captured below:

- Select custom namespace and enter 'dc=aircel,dc=co,dc=in'.
- Specify the global database name and SID. Also specify the database file name.
- Select the 'Use the same Password for all the accounts' option. The password used below is 'wipro123'.
- Enter the instance name as aircel_admin and the password as 'wipro123'.
Steps to launch the OID admin console

Go to the bin directory of the server where OID is installed and execute the following command:

    ./oidadmin

Enter 'cn=orcladmin' as the user and 'wipro123' as the password. You are now logged on to the admin console.
1.3 Directory Schema
The section of the directory that stores user data is typically laid out in the form of an expandable tree structure, the schema of which is described below. The data under each node of the internal user subtree o=Aircel,dc=aircel,dc=co,dc=in is discussed below.

    dc=in
    |
    +-- dc=co
        |
        +-- dc=aircel
            |
            +-- o=Aircel
                |
                +-- ou=AircelUsers
                +-- ou=Groups
                +-- ou=devices
                +-- ou=Computers
                +-- ou=Mass Storage Devices
                +-- ou=Network Devices
                +-- ou=Servers
                +-- ou=Peripherals
1.4 Directory Schema Extensions
The user entry needed to hold the attributes of a person in the Aircel organization directory requires some custom attributes. For this purpose, the inetOrgPerson class is extended to form a new structural object class, called aircelPerson. The required and optional attributes of the class are as follows.
Object Class: aircelPerson (inherits inetOrgPerson)

Attribute                | Display Type                     | Description
uid                      | Single Line Text, Hidden Field   | uid is used as the username for authentication into the system. For internal users, uid is created in OID.
uidNumber                | Single Line Text                 | Client Identifier
employeeNumber           | Single Line Text                 | Employee Identification number
givenName                | Single Line Text                 | First Name
cn                       | Single Line Text                 | Full Name of User
middleName               | Single Line Text                 | User's Middle name
sn                       | Single Line Text                 | User's Last name
fatherName               | Single Line Text                 | Father's Name
designation              | Single Line Text                 | Designation
userPassword             | Password                         | userPassword is used by the user for authentication into the system. For internal users, userPassword is created by the Identity Management system.
mail                     | Single Line Text                 | User's Email address. For internal users, the Email address is created in OID.
o                        | Single Line Text                 | Organization
l                        | Single Line Text                 | Location
circle                   | Single Line Text                 | Circle
zone                     | Single Line Text                 | Zone
birthday                 | Single Line Text                 | Date of Birth
orclHireDate             | Single Line Text                 | User Hire Date
endDateofContract        | Single Line Text                 | Contract End Date
level                    | Single Line Text                 | Level
manager                  | Single Line Text                 | Supervisor ID
supervisorMailID         | Single Line Text                 | Supervisor Mail
departmentNumber         | Single Line Text                 | Department to which the user belongs
hrID                     | Single Line Text                 | Local HR ID
hrMailID                 | Single Line Text                 | Local HR Mail ID
employeeType             | Single Line Text                 | A person's type of employment
employmentStatus         | Single Line Text                 | Status of Employment
description              | Multi line Text                  |
aircelBand               | Single Line Text                 |
bloodGroup               | Single Line Text                 | Blood Group
gender                   | Single Line Text                 | Gender
maritalStatus            | Single Line Text                 | Marital Status
nationality              | Single Line Text                 | Nationality
address1                 | Multi line Text                  | Address
address2                 | Multi line Text                  | Address
address3                 | Multi line Text                  | Address
st                       | Single Line Text                 | State
postalCode               | Single Line Text                 | Postal Code
title                    | Single Line Text                 | Employee's Title
telephoneNumber          | Single Line Text                 | Telephone Number
facsimileTelephoneNumber | Single Line Text                 | Fax Number
accessNetworkFlag        | Single Line Text                 | Access to Network
webPageURL               | Single Line Text                 | Web Page URL
appADFlag                | Single Line Text                 |
appCRMFlag               | Single Line Text                 |
appBillingFlag           | Single Line Text                 |
appOMFlag                | Single Line Text                 |
appIMFlag                | Single Line Text                 |
appProvisioningFlag      | Single Line Text                 |
appMediationFlag         | Single Line Text                 |
appInterconnectFlag      | Single Line Text                 |
appADRole                | Single Line Text                 |
appCRMRole               | Single Line Text                 |
appBillingRole           | Single Line Text                 |
appOMRole                | Single Line Text                 |
appIMRole                | Single Line Text                 |
appProvisioningRole      | Single Line Text                 |
appMediationRole         | Single Line Text                 |
appInterconnectRole      | Single Line Text                 |
Object class: aircelPerson (inherits inetOrgPerson)

Required attributes: uid, employeeNumber, cn, givenName, sn, manager, zone, circle, l, supervisorID, o, orclHireDate, departmentNumber, employeeType, endDateOfContract

Optional attributes: bloodGroup, gender, maritalStatus, nationality, street, st, postalCode, c, title, telephoneNumber, facsimileTelephoneNumber, webPageURL, mail, initials, middleName, description, grade, level, birthday, address1, address2, address3, fatherName, designation, accessNetworkFlag, orclSAMAccountName, supervisorMail, hrId, hrMailId, employmentStatus, appCRMFlag, appBillingFlag, appOMFlag, appIMFlag, appProvisioningFlag, appMediationFlag, appInterconnectFlag, appCRMRole, appBillingRole, appOMRole, appIMRole, appProvisioningRole, appMediationRole, appInterconnectRole
1.5 Access Control List Considerations
Anonymous search needs to be turned off, so that no one is able to read the information in the directory without authenticating first.
1.6 Attribute Uniqueness Management
The attribute 'uid' needs to be unique, so that no duplicate account is entered with the same 'uid'.
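Added example, not part of the design document: a check of an LDIF export of the user subtree (for instance from the ldifwrite utility) against the two rules of sections 1.4 and 1.6, duplicate uid values and aircelPerson entries missing a required attribute. The sample LDIF is constructed; uid values and attribute names are compared case-insensitively, as LDAP does.

```python
import base64
from collections import defaultdict

# Required attributes of aircelPerson as listed in section 1.4 (lower-cased).
AIRCEL_REQUIRED = {
    "uid", "employeenumber", "cn", "givenname", "sn", "manager", "zone",
    "circle", "l", "supervisorid", "o", "orclhiredate", "departmentnumber",
    "employeetype", "enddateofcontract",
}


def parse_ldif(text):
    """Parse a minimal LDIF export into a list of (dn, {attr: [values]}).
    Handles folded continuation lines, comments and base64 ('::') values."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]            # unfold continuation line
        else:
            logical.append(raw)
    entries, current = [], None
    for line in logical + [""]:               # trailing "" flushes the last entry
        if not line:                          # blank line ends an entry
            if current is not None:
                entries.append(current)
            current = None
        elif line.startswith("#"):
            continue
        else:
            name, _, value = line.partition(":")
            value = (base64.b64decode(value[1:].strip()).decode("utf-8")
                     if value.startswith(":") else value.strip())
            name = name.lower()
            if name == "dn":
                current = (value, defaultdict(list))
            elif current is not None:
                current[1][name].append(value)
    return entries


def check_entries(entries):
    """Return duplicate uids (uid -> DNs) and, per DN, the required
    aircelPerson attributes that are absent."""
    by_uid, missing = defaultdict(list), {}
    for dn, attrs in entries:
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "aircelperson" not in classes:
            continue                          # only the custom user class is checked
        for uid in attrs.get("uid", []):
            by_uid[uid.lower()].append(dn)    # uid is case-insensitive in LDAP
        absent = sorted(AIRCEL_REQUIRED - set(attrs))
        if absent:
            missing[dn] = absent
    duplicates = {u: dns for u, dns in by_uid.items() if len(dns) > 1}
    return {"duplicate_uid": duplicates, "missing_required": missing}


def sample_ldif():
    """Constructed sample export (not real Aircel data)."""
    def entry(uid, **extra):
        attrs = {a: "n/a" for a in AIRCEL_REQUIRED}
        attrs.update(uid=uid, cn=uid, objectclass="aircelPerson")
        attrs.update(extra)                   # a value of None drops the attribute
        dn = f"dn: cn={uid},ou=AircelUsers,o=Aircel,dc=aircel,dc=co,dc=in"
        return "\n".join([dn] + [f"{k}: {v}" for k, v in attrs.items() if v is not None])
    return "\n\n".join([entry("ramkum"),
                        entry("RAMKUM"),              # same uid, different case
                        entry("priyas", manager=None)])  # required attribute missing
```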
1.7 SSL and Oracle Internet Directory
SSL authentication between a client and a directory server involves three basic steps:

1. The user initiates an LDAP connection to the directory server by using SSL on the SSL port.
2. SSL performs the handshake between the client and the directory server.
3. If the handshake is successful, the directory server verifies that the user has the appropriate authorization to access the directory.

Refer to the configuration document for details on the install options and the configuration of SSL for Oracle Internet Directory.
Component                        | Port Number
SAP HRMS Database                | 1527
Oracle Internet Directory (Open) | 389
Oracle Internet Directory (SSL)  | 1636
2 ORACLE VIRTUAL DIRECTORY ARCHITECTURE
Oracle Virtual Directory is a flexible and secure service for connecting applications to existing user identity stores, such as directories and databases, without requiring changes to either the infrastructure or the applications. OVD accelerates the deployment of directory-enabled applications, such as portals and Single Sign-On (SSO) systems. OVD solves specific problems around the need to unify multiple directories, allow LDAP access to databases or other proprietary identity data stores, improve directory server scalability, and provide enhanced security.
2.1 Oracle Virtual Directory details
Oracle Virtual Directory is designed to take requests submitted by applications using LDAPv3, DSMLv2 and related protocols. These requests are then routed, mapped and otherwise transformed by the engine. The operation is then forwarded to an adapter, which performs real-time access to a native data source. Finally, results are gathered, normalized and returned to the requesting application as appropriate. The key features of Oracle Virtual Directory are:

- LDAP v3 and DSML compliant server interfaces
- Connects to most directories, databases and web services
- Directory firewall and proxy
- Single service, multiple views
- Virtually unify identities
- Rapid deployment with a graphical management interface
2.2 Configuration
Refer to the installation document for details on the install options and parameters set while installing the Oracle Virtual Directory server and manager.
2.3 Directory Schema Extensions
Oracle Internet Directory will act as the master directory source. For performance reasons, and to accommodate the need for custom directory structures for other applications, Oracle Virtual Directory will be used. Oracle Virtual Directory provides full schema and namespace translation services, ensuring that data presented to applications from multiple proxied sources has a common and consistent format. The virtual directory will provide a view of the DIT present in the master directory. The directory structure in the virtual directory may differ from the DIT in the master directory; this is done to suit the need for custom structures by various applications. The applications perform read operations against the virtual directory, whereas write operations are done on the master directory. Because of this translation feature there is no need to create a separate schema in Oracle Virtual Directory.
2.4 SSL and Oracle Virtual Directory
The Oracle Virtual Directory server offers SSL/TLS capabilities that provide secure communication sessions with LDAP clients. This allows greater security by letting the Oracle Virtual Directory server be the trusted transport mechanism. Refer to the configuration document for details on the install options and the configuration of SSL for Oracle Virtual Directory.
Component                            | Port Number
Oracle Virtual Directory Admin (SSL) | 8889
LDAP Listener (Open)                 | 1389
LDAP Listener (SSL)                  | 1636
3 KEY TECHNOLOGY SELECTIONS
Component                       | Description
Web Browser                     |
HTTP Server                     |
Application Server              |
Database Server                 |
Connectors                      |
Identity Management Product     |
Access Management Product       |
OVD Product Details             | Oracle Virtual Directory Server: Version 10.1.4.0.1, runs on a Solaris server. Stores all the configuration information pertaining to the server, adapters and users in XML format.
                                | Oracle Virtual Directory Manager: Version 10.1.4.0.1, runs on Windows. Used to manage all server operations through the management interface, such as server configuration, creation of adapters for connecting to third-party resources, creation of listeners, etc.
ESSO Suite Details              |
Directory Server product details | Oracle Internet Directory: serves as the central user repository for Oracle Identity Management, a component of Oracle Fusion Middleware, simplifying user administration in the Oracle environment and providing a standards-based application directory for the heterogeneous enterprise. Oracle Directory synchronization allows seamless integration with other directories and enterprise user repositories, allowing users to leverage identity information wherever it resides.
4 Directory Integration Components

4.1 DD_DI_01: Migration of Data from SAP HRMS into Oracle Internet Directory

Oracle Internet Directory is the primary directory source for Oracle Identity Management and Oracle Access Management. It will maintain user identities. In order to maintain user identities, it should be integrated with SAP HRMS and the data should be synchronized into OID.
All the internal users existing in SAP HRMS need to be migrated into Oracle Internet Directory. This is a real-time activity in which the users being added/modified/terminated in SAP HRMS are imported into Oracle Internet Directory. Using a user-defined Java API (pseudo code in Annexure-1), user identities will be exported into CSV file format, and the same CSV file would be imported into Oracle Internet Directory by a user-defined Java API. The ZHR_USERS table (in SAP HRMS) would be used for retrieving internal user information into Oracle Internet Directory. Basically, we would issue a 'select' query against the ZHR_USERS table where employeeNumber is not null. The data will then be exported into CSV format using the Java API, which subsequently feeds it into Oracle Internet Directory using the Java API (procedure in Annexure-2). The cn field would be used to link SAP accounts with Oracle Internet Directory.
[Figure: HR events in SAP HRMS (User Added, User Modified, User Terminated) are propagated to the Oracle Directory through AddUserLDAP(), UpdateUserLDAP() and DeleteUserLDAP()]
The basic fields in SAP that are mapped to Oracle Internet Directory attributes are listed below.
Sr.No | ZHR_USERS column  | OID Attribute            | Description of field
1     | MANDT             | uidNumber                | Client Identifier
2     | EMP_CODE          | employeeNumber           | Employee ID
3     | NAME              | givenName                | First Name
4     | MIDDLE_NAME       | middleName               | Middle Name
5     | LAST_NAME         | sn                       | Last Name
6     | EMPLOYEE_STATUS   | employmentStatus         | Employment Status
7     | FATHER_NAME       | fatherName               | Father's Name
8     | DEPARTMENT        | departmentNumber         | Department
9     | DEPARTMENT_DESC   | description              | Description
10    | DESIGNATION       | designation              | Designation
11    | CIRCLE            | circle                   | Circle
12    | LOCATION          | l                        | Location
13    | ZONE              | zone                     | Zone
14    | DATE_OF_BIRTH     | birthday                 | Date of Birth
15    | DATE_OF_JOINING   | orclHireDate             | Joining Date
16    | END_DATE_OF_CONT  | endDateofContract        | Contract End Date
17    | GRADE             | grade                    | Grade
18    | LEVEL_EMP         | level                    | Level
19    | EMAIL-ID          | mail                     | Email-ID
20    | MARITAL_STATUS    | maritalStatus            | Marital Status
21    | BLOOD_GROUP       | bloodGroup               | Blood Group
22    | ADDRESS1          | address1                 | Address
23    | ADDRESS2          | address2                 | Address
24    | ADDRESS3          | address3                 | Address
25    | STATE             | st                       | State
26    | NATIONALITY       | nationality              | Nationality
27    | GENDER            | gender                   | Gender
28    | ACCESS_TO_NETWOR  | accessNetworkFlag        | Access to Network
29    | USER_TYPE         | employeeType             | Employment type
30    | POSTAL_CODE       | postalCode               | Postal Code
31    | TITLE             | title                    | Employee's Title
32    | TELEPHONE_NUMBER  | telephoneNumber          | Telephone Number
33    | FAX_NUMBER        | facsimileTelephoneNumber | Fax Number
34    | WEBPAGEURL        | webPageURL               | Web Page URL
35    | ORGANIZATION      | o                        | Organization
36    | SUPERVISORID      | manager                  | Supervisor ID
37    | SUPERVISORMAIL    | supervisorMail           | Supervisor Mail
38    | HR_SUPERVISOR_ID  | hrId                     | Local HR ID
39    | LOCALHRMAILID     | hrMailId                 | Local HR Mail ID
40    | RECORD_UPDATE_DT  | recordUpdateDate         | Date Record Updated
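Added example, not code from the design document or from the com.aircel.ExportDB package: building the LDIF add record for one ZHR_USERS row using the mapping table above, with the cn taken from the generated uid and RDN and value escaping so that a name containing ',' or a non-ASCII character cannot corrupt the entry. It assumes the caller has already applied the uid policy of section 4.1 and resolved SUPERVISORID to the supervisor's DN; COLUMN_MAP is a subset of the table, and the CSV row is constructed.

```python
import base64
import csv
import io

# Subset of the ZHR_USERS -> OID attribute mapping table (extend with the remaining rows).
COLUMN_MAP = {
    "EMP_CODE": "employeeNumber", "NAME": "givenName", "MIDDLE_NAME": "middleName",
    "LAST_NAME": "sn", "FATHER_NAME": "fatherName", "DEPARTMENT": "departmentNumber",
    "DESIGNATION": "designation", "CIRCLE": "circle", "LOCATION": "l", "ZONE": "zone",
    "DATE_OF_JOINING": "orclHireDate", "EMAIL-ID": "mail", "ORGANIZATION": "o",
    "USER_TYPE": "employeeType", "END_DATE_OF_CONT": "endDateofContract",
}
BASE_DN = "ou=AircelUsers,o=Aircel,dc=aircel,dc=co,dc=in"

# Constructed sample export of one ZHR_USERS row (empty MIDDLE_NAME is skipped).
SAMPLE_CSV = ("EMP_CODE,NAME,MIDDLE_NAME,LAST_NAME,DEPARTMENT,ORGANIZATION\n"
              "10001,Ramesh,,Kumar,IT,Aircel\n")


def sample_rows():
    return list(csv.DictReader(io.StringIO(SAMPLE_CSV)))


def escape_rdn_value(value):
    """Escape RFC 4514 special characters so a value used in the RDN
    cannot add or split DN components."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;=':
        out = out.replace(ch, "\\" + ch)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def ldif_attr(name, value):
    """Emit 'name: value', or the base64 form 'name:: ...' where RFC 2849
    disallows the plain form (non-ASCII, control chars, leading ':'/'<'/space)."""
    safe = (value.isascii() and value.isprintable() and value == value.strip()
            and not value.startswith((":", "<")))
    if safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def row_to_ldif(row, uid, supervisor_dn):
    """LDIF add record for one row. uid comes from the uid policy; cn takes
    the same value and forms the RDN; manager is the resolved supervisor DN."""
    lines = [f"dn: cn={escape_rdn_value(uid)},{BASE_DN}", "changetype: add",
             "objectClass: top", "objectClass: person",
             "objectClass: organizationalPerson", "objectClass: inetOrgPerson",
             "objectClass: aircelPerson", ldif_attr("cn", uid), ldif_attr("uid", uid)]
    for column, attr in COLUMN_MAP.items():
        value = row.get(column, "").strip()
        if value:                                # absent or empty columns are not written
            lines.append(ldif_attr(attr, value))
    lines.append(ldif_attr("manager", supervisor_dn))
    return "\n".join(lines) + "\n"
```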
The user that will be created will be of object class aircelPerson. Apart from the above attributes, the uid and mail attributes will be generated through the user-defined Java API. The generated uid and email are attached to the user profile and loaded into Oracle Internet Directory through the Java API. The cn attribute forms the RDN of the user entry. The uid generated by the application will be used for the cn attribute, i.e. uid and cn will have the same value.
Policy for creation of uid: the UserID for an Aircel employee will be generated based on the following policy.

- First three characters of the NAME field of SAP HRMS.
- First three characters of the LAST_NAME field of SAP HRMS.
- If a user already exists with the same uid, then add numbers to the last generated uid.
- The length of the uid for an Aircel employee will be at least 5 and at most 8 characters.

Creation of email: the mail attribute for the Aircel employee will be generated based on the email policy. The email address should have the format firstname.lastname@domainname.

Manager attribute creation: the manager attribute will be created using the value of the SUPERVISORID attribute coming from SAP HRMS.

Scheduling

The application will be scheduled to run every minute. The scheduling would be done using a crontab entry on the host machine.
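Added example, not the project's Java API: the uid and email policies above as code, including the collision suffix and the 5-to-8 character bound. Assumptions: uids are lower-case ASCII letters, the suffix counts up from 1, a base shorter than 5 characters is rejected for manual assignment since the policy gives no padding rule, and example.com stands in for the domain name the document does not specify.

```python
import re

DOMAIN = "example.com"   # placeholder: the document does not name the mail domain


def _letters(text):
    """Keep ASCII letters only, lower-cased (assumption: uids are lower-case ASCII)."""
    return re.sub(r"[^a-z]", "", text.lower())


def generate_uid(name, last_name, existing):
    """uid policy: first three letters of NAME + first three of LAST_NAME.
    On collision append the next free number (assumption: counting from 1).
    The result must be 5 to 8 characters long; `existing` holds uids already
    in OID, lower-cased."""
    base = _letters(name)[:3] + _letters(last_name)[:3]
    if len(base) < 5:
        # Policy defines no padding; flag for manual assignment (assumption).
        raise ValueError(f"base uid {base!r} is shorter than 5 characters")
    if base not in existing:
        return base
    suffix = 1
    while True:
        candidate = f"{base}{suffix}"
        if len(candidate) > 8:
            raise ValueError(f"no free uid for {base!r} within 8 characters")
        if candidate not in existing:
            return candidate
        suffix += 1


def generate_mail(name, last_name, domain=DOMAIN):
    """Email policy: firstname.lastname@domainname."""
    return f"{_letters(name)}.{_letters(last_name)}@{domain}"


def provision(rows, existing=None):
    """rows: (NAME, LAST_NAME) pairs from ZHR_USERS. Returns (uid, mail) per
    row and records each allocation so later rows in the same batch collide
    correctly with earlier ones."""
    existing = set() if existing is None else existing
    out = []
    for name, last_name in rows:
        uid = generate_uid(name, last_name, existing)
        existing.add(uid)
        out.append((uid, generate_mail(name, last_name)))
    return out
```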
Application Design
The following sequence diagram depicts the flow of control from one class to another during the creation/updating of user identities in Oracle Internet Directory.
[Sequence diagram: HRMSScheduler -> ExportDB -> CSVReader -> LDAPUpload -> AddUser]

- HRMSScheduler calls ExportDB.execute(context)
- ExportDB calls createCSV()
- ExportDB calls CSVReader.loadDataLDAP()
- CSVReader calls LDAPUpload.getLDAPAuth(strArrAttrib, arrAttribVal)
- LDAPUpload calls AddUser.addUserLDAP(dirctxt, strArrAttrib, arrAttrVal, userIDGen, emailGen), updateUserLDAP(dirctxt, strArrAttrib, arrAttrVal, userIDGen, emailGen) or deleteUserLDAP(dirctxt, strArrAttrib, arrAttrVal, userIDGen, emailGen)

The application will be part of the package com.aircel.ExportDB.
CD_DD_01: Pseudo code for exporting data from database to CSV format

Create a Java class ExportDB for exporting the database rows to CSV format. The connection with the database is established first; createCSV() retrieves the data and exports it to a CSV file; execute() is the starting point of the process.

    public class ExportDB {
        // Establish the connection with the SAP HRMS database
        // (credentials are supplied from configuration, not hard-coded)
        Connection conn = db.connect("", "", "");

        // Retrieve the data from the database and export it to a comma separated file
        public void createCSV() throws SQLException {
            Statement stmt = conn.createStatement(ResultSet.TYPE_SCROLL_SENSITIVE,
                                                  ResultSet.CONCUR_UPDATABLE);
            // filename comes from configuration, never from user input, since it is
            // concatenated into the statement. SELECT ... INTO OUTFILE is MySQL syntax
            // and writes the file on the database host.
            String query = "SELECT * INTO OUTFILE '" + filename
                         + "' FIELDS TERMINATED BY ',' FROM ZHR_USERS WHERE EMP_CODE IS NOT NULL";
            stmt.execute(query);   // no result set is returned, so execute() rather than executeQuery()
        }

        // Starting point of the process: export, then load, then record the run
        public void execute(Context context) throws Exception {
            createCSV();
            CSVReader csvReader = new CSVReader();
            csvReader.loadDataLDAP();
            String insertDate = "INSERT INTO SCHEDULER_INFO VALUES(?,?)";
            PreparedStatement pstmt = conn.prepareStatement(insertDate);
        }
    }
CD_DD_02: Pseudo code for importing from CSV file into Oracle Internet Directory

Create a class CSVReader for reading the CSV file. The loadDataLDAP() method in CSVReader.java reads the CSV file generated in the previous step line by line and converts each line into an ArrayList object. It then calls the getLDAPAuth() method of the LDAPUpload class, which authenticates to the internet directory and searches for the user:

    String strLine;
    LDAPUpload ldapUpload = new LDAPUpload();
    // Read the file line by line
    while ((strLine = br.readLine()) != null) {
        arrAttrVal = (ArrayList) createObject(strLine);
        // Bind to the internet directory and search for the user
        ldapUpload.getLDAPAuth(strArrAttrib, arrAttrVal);
    }

Based on the search result, the user is added/modified/terminated in the internet directory through the AddUser class:

    // Add a user to the internet directory from the CSV file
    public void AddUserLDAP(DirContext dirctxt, String[] strArrAttrib, ArrayList arrAttrVal) throws LdapException

    // Update the user identity in the Internet Directory from the CSV file
    public void UpdateUserLDAP(DirContext dirctxt, SearchResult sr, String[] strArrAttrib, ArrayList arrAttrVal) throws LdapException

    // Terminate the user identity in the Internet Directory from the CSV file
    public void DeleteUserLDAP(DirContext dirctxt, String[] strArrAttrib, ArrayList arrAttrVal) throws LdapException
4.2 DD_DI_02: Synchronization of data between Oracle Internet Directory and Oracle Virtual Directory

The procedure for integrating Oracle Virtual Directory with Enterprise User Security for use with Oracle Internet Directory includes configuring an LDAP adapter for connecting to Oracle Internet Directory from Oracle Virtual Directory. The Oracle Virtual Directory LDAP Adapter provides the ability to proxy external LDAPv3 directories and make the external content appear as part of the Oracle Virtual Directory. It does this by providing automatic directory structure and schema translation.
[Figure: dipassistant / LDAP Adapter]

LDAP Adapter
A unique characteristic of the LDAP Adapter is that it provides load balancing and fault tolerance at the LDAP operation level rather than the connection level. The Oracle Virtual Directory LDAP proxy can be configured in two ways: as a pure proxy or as a virtual directory proxy. By default, all attributes are passed through "as-is" from the proxied directory through Oracle Virtual Directory to the Oracle Virtual Directory client. The LDAP adapter can perform basic DN translation of attributes containing DNs. The LDAP adapter supports full read, add, modify, delete and rename functionality.
[Figure: HR events in SAP HRMS (User Added, User Modified, User Terminated) are propagated to the Oracle Directory through AddUserLDAP(), UpdateUserLDAP() and DeleteUserLDAP(); the Oracle Directory is proxied to Oracle Virtual Directory through the LDAP Adapter]
Configuration of LDAP Adapter

Refer to the Installation and Configuration document for details on how to configure the LDAP adapter for connecting to LDAP compliant directory servers from Oracle Virtual Directory. The table below lists the adapter field values that need to be provided during configuration:

Adapter Field            | Value
Adapter Template         | Oracle_Internet_Directory
Adapter Name             | LDAP_Adapter_1
DNS Host Discovery       | No
LDAP Servers             | Server and Port of the Oracle Internet Directory host (values not given in this document)
Proxy Bind DN            | cn=orcladmin
Proxy Password           | (masked)
Pass Through Credentials | Always
Connection Options       | Secure SSL/TLS
Remote Base              | ou=Users,o=Aircel,dc=aircel,dc=co,dc=in
Mapped Namespace         | ou=Users,o=Aircel,dc=aircel,dc=co,dc=in