
Monday, 19 November 2012

Advanced Replication Setup for High availability and Performance


In my personal opinion, Oracle leads the market in Directory Product offerings (LDAP Directories). Starting from Oracle Internet Directory (OID) to the latest Oracle Unified Directory (OUD), Oracle definitely provides a variety of LDAP Directory related products for integration.
With the increasing demand for mobile computing and cloud computing offerings, there is a need to standardize LDAP Deployments for Identification, Authentication and (sometimes) Authorization (IAA) services. With a highly scalable, high-performing, highly available, highly stable and highly secure LDAP Directory, these IAA services will be easier to integrate with applications in the cloud or with mobile applications.

Introduction

Oracle Unified Directory (OUD) is the latest LDAP Directory offering from Oracle Corp. As mentioned in my previous post, OUD comes with three main components. They are:
  • Directory Server
  • Proxy Server
  • Replication Server
Here, Directory Server provides the main LDAP functionality (I assume you already know what an LDAP Directory Server is). Proxy Server is used to proxy LDAP requests (how?). And Replication Server is used for replicating (copying) data from one OUD to another OUD or even to an ODSEE server (we will talk more about replication in this post). You can read my first post on OUD here. In this current article, I will write about the replication server and advanced replication setup for Oracle Unified Directory.
Many people want a step by step guide (a kind of cheat sheet) to set up something like OUD or OID for replication. Unfortunately I am not going to give you that here. In my personal opinion, that (a cheat sheet) is not the right approach at all and will not be helpful in the long run for gaining concepts or knowledge. First of all, we need to give importance to the basic concepts behind how something works.

First of all, read OUD Documentation

Product Documentation must be read before you plan your deployment. You can find the OUD Documentation here. This link is for OUD Version 11.1.1. Make sure to refer to the latest product manual. The documentation provides a lot of details about the product and saves a lot of time on investigation later. For Replication, you need to start with the “Architecture Reference” Guide.

When do you want to setup replication?

There should be a reason, right? If there is no reason, then there is no need for you to set up replication at all. Instead, you can have a beer and pass the time happily doing something else.
Ideally, you need a replication setup for “High Availability” and “Performance”. Usually, there will be multiple instances of OUD Directory Server processes running in Production. Let’s say we need to have around four OUD Directory Servers (and four more for Business Continuity/Disaster Recovery).
Unfortunately, there is no single process to update all the eight OUD Directory Servers in our example. We need to find a mechanism to synchronize the directory entries across these servers. For this, we need to use the OUD Replication Server component.

Securing the Replication Traffic

We don’t want network sniffers taking away critical user information (even inside the internal network, it is possible). We need to encrypt the traffic between the replication servers. Do not consider setting up Replication Server communication without encrypted traffic.
Since OUD provides identity data, all of its network traffic is prone to sniffing attacks. Always use encrypted or secure connections to OUD or to any LDAP Directory.
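The sniffing risk described above, as an added example that is not part of the original post: a small Python detector that decodes captured LDAP bind requests and flags simple (password) binds that crossed a connection without TLS, so clients still using plain ldap:// can be found and moved to LDAPS or StartTLS. The hosts, ports and sample PDUs are constructed for the example.

```python
# Added example, not from the original post: minimal BER decoding of the LDAP
# BindRequest (RFC 4511) to flag simple binds sent over non-TLS connections.
# Hosts, ports and PDUs below are constructed.

def _tlv(buf, pos):
    """Decode one BER tag/length/value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_bind_request(pdu):
    """Return (message_id, bind_dn, is_simple_bind) or None if not a BindRequest."""
    tag, body, _ = _tlv(pdu, 0)
    if tag != 0x30:                          # LDAPMessage ::= SEQUENCE
        return None
    _, msg_id, pos = _tlv(body, 0)           # messageID INTEGER
    op_tag, op, _ = _tlv(body, pos)
    if op_tag != 0x60:                       # BindRequest ::= [APPLICATION 0]
        return None
    _, _version, pos = _tlv(op, 0)           # version INTEGER
    _, dn, pos = _tlv(op, pos)               # name LDAPDN
    auth_tag, _secret, _ = _tlv(op, pos)     # authentication: [0] simple / [3] sasl
    return int.from_bytes(msg_id, "big"), dn.decode(), auth_tag == 0x80

def cleartext_bind_alerts(flows):
    """flows: (client, dst_port, tls, pdu); report simple binds over non-TLS links, never the password."""
    alerts = []
    for client, port, tls, pdu in flows:
        parsed = parse_bind_request(pdu)
        if parsed and parsed[2] and not tls:
            alerts.append(f"{client} -> port {port}: cleartext simple bind as {parsed[1]}")
    return alerts

def _ber(tag, payload):
    """Short-form BER encoder, enough to build the constructed sample PDUs."""
    return bytes([tag, len(payload)]) + payload

# Constructed samples: a simple bind (password in the clear) and a SASL/GSSAPI bind.
SIMPLE_BIND = _ber(0x30, _ber(0x02, b"\x01") + _ber(0x60,
    _ber(0x02, b"\x03") + _ber(0x04, b"cn=Directory Manager") + _ber(0x80, b"example-pw")))
SASL_BIND = _ber(0x30, _ber(0x02, b"\x02") + _ber(0x60,
    _ber(0x02, b"\x03") + _ber(0x04, b"") + _ber(0xA3, _ber(0x04, b"GSSAPI"))))
FLOWS = [
    ("10.0.0.5", 389, False, SIMPLE_BIND),   # plain ldap://, no StartTLS: flagged
    ("10.0.0.6", 636, True, SIMPLE_BIND),    # LDAPS: same bind, but encrypted
    ("10.0.0.7", 389, False, SASL_BIND),     # SASL/GSSAPI: no cleartext password
]
```

Run `cleartext_bind_alerts(FLOWS)` over real captures (TLS flag taken from the port or a seen StartTLS exchange) to list the clients that still need to be moved off cleartext binds.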

Deciding a Replication Method to use

The next important thing is to decide what replication method you are going to use. This is mostly site specific and you need to know a lot of details before deciding on a replication method. I am planning to use the following sample architecture for this post. Let’s understand our sample OUD Architecture first.

Here are the quick components of the architecture:
  • We have one master OUD Server called PROD-01. All the updates to the directory happen here. Most probably, the HR System will update the directory. Also, updates can happen using a custom developed application plug-in for the LDAP Directory or using an Identity and Access Management (IAM) system such as Oracle Identity Manager or Tivoli Identity Manager.
  • PROD-02 will be used with PROD-01 for High Availability and Performance in this Production Deployment.
  • In Disaster Recovery deployment, we have PROD-03 and PROD-04 servers. These servers need to synchronize the user data from the master server PROD-01.
One way to set up replication is by provisioning users into all the six OUD Directory Servers from an Identity and Access Management (IAM) System (such as Oracle Identity Manager or Tivoli Identity Manager). However, this provisioning can be time consuming to complete because it will be treated as updating six different LDAP Directories. So a better way to achieve this is using a Replication Server.
We will continue setting up the Replication Server for this architecture. Let’s meet in another post. Until then.

Tuesday, 23 August 2011

My exploration with Oracle Unified Directory 11g


When I read the blog post about the introduction of a new product, Oracle Unified Directory, the first thing that came to my mind was: why another LDAP directory from Oracle? Oracle already has two LDAP Directory offerings, ODSEE (Sun Directory) and OID. However, my impression changed after attending this webcast from Oracle (which justified the new product in general). You can find the Q & A from the webcast here. It looks like “unified” summarizes the new product.

Personally, I have interests in all the products that deal with LDAP Protocol and LDAP Directories. So, I was interested to know more about the new product. I read about Oracle Unified Directory (OUD) 11g release notes here. You can find the OUD documentation for 11g R1 release (11.1.1.5.0) here.

OUD is a brand new directory product from Oracle as part of Fusion Middleware Identity Management. OUD comes with the Oracle Directory Services Plus (ODS Plus) suite. So, if you already have a license for ODS Plus, then you already have a license to use OUD in your enterprise (please check with Oracle Licensing before any major deployments to see whether the existing license covers it).

There are too many TLAs (Three Letter Acronyms) used in this post – I tried to use them minimally but that was not easy. If you hate TLAs, here is a quick recap:

OUD – Oracle Unified Directory
OID – Oracle Internet Directory
ODS (ODSEE) – Oracle Directory Server (previously, Sun Java System Directory Server – also, iPlanet Directory)
DIP – Directory Integration Platform

A brand new LDAP v3 Implementation

The LDAP Protocol is the standard way for storing directory entries for an enterprise. With more than 5 years of development (mentioned in the webcast), OUD is an LDAP v3 implementation from Oracle. It was also mentioned that OUD was written in Java.
OUD comes with three main components. They are:
  • Directory Server
  • Proxy Server
  • Replication Server
Directory Server provides the main LDAP functionality. Proxy Server can be used to proxy LDAP requests. And Replication Server is used for replication from one OUD to another OUD or even to an ODSEE server.

Embedded Berkeley DB

This is my favorite part of OUD. There is no separate Oracle Database requirement for OUD (unlike Oracle Internet Directory). Personally, I like LDAP Directories with an embedded database such as Berkeley DB for storing the data entries. Some may argue that we can use Database features in the LDAP Directory. However, I feel that we can use file based storage features for the DB files, which can be better.

OUD Replication for ODSEE

Replication is one of the major requirements for LDAP Directories now. To set up high availability environments, we need replication to be set up in almost every LDAP Directory deployment. We need to propagate changes from one OUD directory to another using replication for High Availability.
One of the important features I like about OUD is its replication gateway for ODSEE (also for OUD). Definitely this is aimed at deployments with ODSEE, to migrate to OUD easily.

Directory Integration Platform (DIP)

Oracle DIP provides functionality to synchronize data from one LDAP Directory to another, such as Active Directory (also from a database to the LDAP Directory). Oracle DIP was already available earlier. Now, DIP is supported in OUD as well.

Performance and Security

In existing LDAP Directories, we face performance issues related to writing data entries. For OUD, it was mentioned in the webcast that it provides “5 times write” and “3 times read” performance.
OUD will be used for storing user information for authentication and sometimes for authorization purposes. Also, it can be used to store personnel information. So, security is one of the major concerns during the deployment. I need to explore more on this.
Some of the other features:
  1. dsconfig command – dsconfig command line is used to configure most of the system administration functions for OUD.
  2. ODSM – ODSM is a graphical utility for managing OUD.
So what’s next? Obviously it is time to download the new product and play around with its features.

Installation and Configuration

Installation is a simple task with Oracle Installers, and OUD is no exception. We just need to download the software and run the runInstaller utility (I have Oracle Linux on my laptop – all my examples below are on Linux).
./runInstaller -jreloc /usr
[I have Oracle Linux 6.0 on my laptop. I installed OUD on this laptop with jre 1.6.0_20 installed under /usr by default. The Java executable is /usr/bin/java/]
OUD installation is a simple 7 step process:
  1. Welcome
  2. My Oracle Support Updates
  3. Prerequisite checks
  4. Installation Location
  5. Installation Summary
  6. Installation Progress
  7. Installation Complete
[Since the prerequisite checks failed on my laptop (an issue with the Linux version), I had to tweak a little bit for the OUD installation, by editing the /etc/redhat-release and /etc/oracle-release files]
Once installation is completed, we need to configure OUD based on what components we want to deploy.
For each component, OUD comes with a GUI utility for configuration. We can configure OUD for Directory Server, Proxy Server and/or Replication Server. We can run these utilities with command line options for configuration too. The utilities are located under the install folder:
oud-setup
oud-proxy-setup
oud-replication-setup
Once configuration is completed using these utilities, you can use the commands in the bin folder to start or stop the components. You can refer to the installation guide for more details on this.
Note:
I faced issues during the Server Startup for using the jre in /usr (delivered with Oracle Linux). I will write about it in my next post.
All right… that’s all for now. I will continue to write more on OUD and its advanced options for deployment. Also, I will be deploying the ODS connector in OIM to integrate with OUD. We will meet in another post with more details on them. Until then.

Monday, 17 May 2010

Fusion Middleware: New features in Oracle Internet Directory


Going forward, I am planning to write more about Fusion Middleware 10g, Fusion Middleware 11g and Oracle Database 11g. These are the areas that I am developing more interest in nowadays. I am currently working on Fusion Middleware 10g. First of all, I am learning this new software, and when I write here I feel my knowledge level increases. The first Fusion Middleware components that I am going to write about are Oracle Directory Server and Oracle Internet Directory. Both are LDAP Directories from Oracle and part of Fusion Middleware (Why two LDAP Directories as part of Fusion Middleware? – Think about it).
I have worked with multiple LDAP Directories during the last few years. An LDAP Directory is software that stores information (entries, or data) in a tree-like format for easy access; it is based on a standard. As per my experience with LDAP Directories, these are the major LDAP directories:
  • Oracle Directory Server (earlier Sun Java/Iplanet Directory)
  • Novell’s eDirectory (earlier NDS)
  • Microsoft’s Active Directory (AD)
  • Oracle Internet Directory (OID)
  • openLDAP
Among these, I like Sun Java Directory (now Oracle Directory Server) the most. It is because I worked on it first, it was from Sun, it is standards based, and it works well in heterogeneous environments. There are various other reasons, but we will talk more about Oracle Internet Directory here.

What is Oracle Internet Directory?

Oracle Internet Directory is an LDAP Version 3 compliant Directory Server from Oracle Corporation. Oracle Internet Directory (OID) is used in most of the Oracle Components (such as Oracle Single Sign On) and is one of the primary components delivered as part of Fusion Middleware.
OID is used to integrate Oracle Middleware and applications and is mainly used with Oracle Applications. Oracle Internet Directory stores its data in an Oracle Database: the directory store is an Oracle Database, so Oracle Database is a required component to run Oracle Internet Directory. This is one of the major differences from the other four major LDAP directory servers.

New Features of OID in Fusion Middleware 11g

OID is delivered by Oracle for the use of Oracle Identity Management. It was part of the Oracle Application Server “Application Infrastructure” component. So, Oracle Internet Directory is not a new component delivered as part of Fusion Middleware. It was already there in Version 10g as well.
I am currently working on Oracle Internet Directory Version 10.1.4.2.0. The Fusion Middleware version of Oracle Internet Directory is called 11.1.1. There are a few improvements between these two versions. I noticed that the improvements lie along these lines:

1. Manageability Features

Oracle Directory Services Manager and integration with the Weblogic Admin Server are the major changes in OID Version 11.1.1. Fusion Middleware is Weblogic-centric, so it is time to learn Weblogic again. Oracle Process Manager and Notification Server (OPMN) is still used in Fusion Middleware for managing OID, as well as other components.
ODSM (Oracle Directory Services Manager) is replacing Oracle Directory Manager (oidadmin). ODSM is a new web-based management tool for managing Oracle Internet Directory in Fusion Middleware 11g.

2. Replication Features

One of the important features that you can set up is multi-master replication using the LDAP based replica model. In earlier versions, this was not possible: you needed to use ASR based replication to set up multi-master replication. Now it is possible to set up multi-master replication using LDAP based replication.

3. Instance Configuration

There are changes in the configset information. Now every instance can have separate rootDSE information. This was one of the major issues in the earlier version. I need to explore this option more. I will write more about this later.
A last important note: why is Oracle delivering two separate LDAP Directories as part of Fusion Middleware 11g, or as part of its Directory Services offerings? Why does Oracle support both Oracle Directory Server and Oracle Internet Directory? This is because Oracle Applications are tightly integrated with Oracle Internet Directory. For example, Oracle Single Sign On needs Oracle Internet Directory. This is one of the reasons Oracle is unable to move to Oracle Directory Server. Let’s hope this will soon change.
Let’s talk more about OID in the coming weeks. Until then.
