
Oracle Internet Directory Overview

In the document Oracle9 Application Server (pages 72-79)

Oracle Internet Directory consolidates the management of users and groups in Oracle9iAS. It retrieves and stores information about dispersed users, groups, and network resources.

The directory implements version 3 of the Lightweight Directory Access Protocol (LDAP), which is the Internet standard for directory services. LDAP is based on the earlier ISO X.500 Directory Access Protocol (DAP) standard but simplifies it considerably, which makes LDAP more efficient, straightforward, and easier to implement. LDAP is especially suited for deployment with "thin-client" applications that are developed for an Internet environment.

Oracle Internet Directory is not a security product, but rather a technology for managing enterprise data, including security data such as user names and passwords for Oracle9iAS Single Sign-On.

Centralized User Provisioning and Single Sign-On in Oracle9iAS

Each LDAP directory server instance looks like the configuration in Figure 2–2.

Figure 2–2 LDAP Server Instance Architecture

See Also: For complete information about Oracle Internet Directory, see the following documents, which are available in the Oracle9iAS Documentation Library unless otherwise specified here:

Oracle Internet Directory Administrator’s Guide

Oracle Internet Directory Application Developer’s Guide

Oracle Directory Service Integration and Deployment Guide

"Oracle Internet Directory Administration and Delegation Model in Oracle9i Application Server, Release 2," a white paper that is available on Oracle Technology Network at:

http://otn.oracle.com/docs/index.htm

[Figure 2–2 labels: Oracle Directory Server; Oracle Internet Directory Instance]


Overview of Security in Oracle Internet Directory

Oracle Internet Directory offers comprehensive and flexible support for directory access control. This includes entry-level, attribute-level, and prescriptive access control, providing varying levels of security to meet the specific needs of enterprises and service providers. An administrator can grant or control access to a specific directory object or to an entire directory subtree. The directory implements three levels of user authentication: anonymous, password-based, and certificate-based. Certificate-based authentication uses Secure Sockets Layer (SSL) Version 3, which also provides data privacy for the session; a password-based bind sends the password in the clear unless the connection runs over SSL.
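The difference between the anonymous and password-based levels above is visible on the wire, which is why password-based binds belong on SSL. The following is an added example, not code from the Oracle documentation or from the product: it encodes an LDAPv3 BindRequest in BER by hand, then parses it back the way a passive observer on an unencrypted connection would. The DN, password, and message IDs are constructed values. Certificate-based authentication is not represented because it is negotiated in the SSL handshake below the LDAP layer.

```python
import struct
from typing import Dict, Optional, Tuple

# Added example (not Oracle code): hand-rolled BER for the LDAPv3 BindRequest
# (RFC 2251 section 4.2) plus a parser that reads it back as a sniffer would.


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n: int) -> bytes:
    # Non-negative INTEGER; an extra leading zero byte keeps the sign bit clear.
    body = n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big")
    return tlv(0x02, body)


def bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }.
    An empty DN together with an empty password is the anonymous bind."""
    op = ber_int(3) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, ber_int(msg_id) + tlv(0x60, op))


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_bind(packet: bytes) -> Dict[str, Optional[str]]:
    """What a passive observer recovers from one unencrypted bind packet."""
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, msg_id, pos = _read_tlv(body, 0)
    tag, op, _ = _read_tlv(body, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, version, pos = _read_tlv(op, 0)
    _, name, pos = _read_tlv(op, pos)
    tag, auth, _ = _read_tlv(op, pos)
    simple = tag == 0x80          # context tag [3] would be a SASL bind, not shown here
    return {
        "messageID": str(int.from_bytes(msg_id, "big")),
        "version": str(int.from_bytes(version, "big")),
        "name": name.decode(),
        "password": auth.decode() if simple else None,
    }


def auth_level(packet: bytes) -> str:
    """Map a bind to the levels named in the text. Certificate-based authentication
    happens in the SSL handshake, so it never appears in the LDAP PDU."""
    p = parse_bind(packet)
    if p["name"] == "" and p["password"] == "":
        return "anonymous"
    return "password-based" if p["password"] is not None else "sasl"


if __name__ == "__main__":
    # Constructed DN and password; not values from the documentation.
    pkt = bind_request(1, "cn=jdoe,cn=Users,dc=example,dc=com", "Welcome1")
    print(pkt.hex())
    print(parse_bind(pkt), auth_level(pkt))
    print(auth_level(bind_request(2, "", "")))
```

The password octet string sits verbatim inside the packet; nothing at the LDAP layer hides it, so the "data privacy" the text attributes to SSL is the only protection a simple bind gets in transit.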

In addition, the directory provides many powerful features you can use in an enterprise or hosted environment to control access to application metadata—the information governing how applications behave and who can access them. To do this, you deploy the directory for administrative delegation. Using this deployment, a global administrator can give department administrators access to the metadata of applications in their departments. These department administrators can then control access to their department applications.

Oracle Internet Directory offers the following important security benefits:

Security benefit and description:

Data Integrity: Oracle Internet Directory uses SSL to detect data that has been modified, deleted, or replayed in transit. SSL 3.0 computes a keyed message authentication code over each record, built on either the MD5 algorithm or the Secure Hash Algorithm (SHA-1), and sends it with the record; a receiver that cannot verify the code rejects the record. Both underlying hash functions are deprecated today, so where the platform allows it, prefer TLS with current cipher suites.

Data Confidentiality: Oracle Internet Directory protects data against undesired disclosure in transit by using the encryption negotiated in the SSL session.

Password Protection: To protect stored passwords, Oracle Internet Directory uses the MD4 algorithm as the default. MD4 is a one-way hash function that produces a 128-bit hash, or message digest. It is unsalted and fast (and long since broken as a general-purpose hash), so identical passwords produce identical stored values and a precomputed dictionary recovers them cheaply; where the installed release offers a salted hashing scheme, prefer it.

Data Access Control: Oracle Internet Directory supports access control down to the attribute level for read, write, or update of attributes.
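To make the password-protection point concrete, here is an added example (not Oracle code): a pure-Python MD4 checked against the RFC 1320 test vectors, used as an unsalted password store in the style of the default described above, beside a salted SHA-1 ({SSHA}) alternative. The "{MD4}" and "{SSHA}" storage prefixes, the wordlist, and the passwords are constructed; whether a given Oracle Internet Directory release offers a salted scheme is an assumption to check against its administrator's guide.

```python
import base64
import hashlib
import os
import struct
from typing import Dict, Optional

# Added example (not Oracle code). MD4 per RFC 1320, implemented here because
# OpenSSL 3 builds of Python often no longer expose hashlib.new("md4").
MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                a = _rotl((a + fn(b, c, d) + x[idx] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def store_md4(password: str) -> str:
    """Unsalted MD4 in the style of the default described above. The "{MD4}"
    prefix is an assumed storage convention, not taken from the documentation."""
    return "{MD4}" + base64.b64encode(md4(password.encode())).decode()


def store_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Salted SHA-1 in the common LDAP {SSHA} form (assumed alternative scheme;
    check what the installed OID release actually supports)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_ssha(password: str, stored: str) -> bool:
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode() + salt).digest() == digest


# Constructed sample wordlist; a real attacker precomputes millions of entries.
WORDLIST = ["welcome1", "oracle", "password", "summer2002"]


def precomputed_md4_table() -> Dict[str, str]:
    """Built once, reused against every stored value: no salt means no per-user work."""
    return {store_md4(w): w for w in WORDLIST}


def crack_unsalted(stored: str, table: Dict[str, str]) -> Optional[str]:
    return table.get(stored)


if __name__ == "__main__":
    table = precomputed_md4_table()
    print(store_md4("oracle") == store_md4("oracle"))      # same password, same stored value
    print(crack_unsalted(store_md4("oracle"), table))      # recovered by a single lookup
    s1, s2 = store_ssha("oracle"), store_ssha("oracle")
    print(s1 != s2, verify_ssha("oracle", s1))             # salted: distinct, still verifiable
```

The salted form costs the attacker one hash computation per candidate per user instead of one table lookup per user, which is the whole benefit; a slow, memory-hard password hash would add to it, but that is beyond what this page describes.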


The Oracle Context: A Directory Administration and Delegation Model

A directory stores all information pertaining to Oracle software in a root container called the Oracle Context. A starter Oracle Context is automatically created for you when you install the Oracle9iAS Infrastructure, but you can create an Oracle Context under any entry in the DIT (directory information tree). Oracle Net Configuration Assistant is a tool you can use to configure directory access. It displays a list of published directory entries as suggested locations from which you can build an Oracle Context.

Figure 2–3 shows a simplified view of the starter Oracle Context that is set up when you install Oracle9iAS Infrastructure. The starter Oracle Context looks very similar to a directory subtree with Products and Groups containers subsumed under the root Oracle Context. In this figure, there are containers for two products under the Products container, plus a container that holds all of the entries which are common to all of the Oracle9iAS products represented in the DIT.

Figure 2–3 Simplified View of DIT Structure with a Starter Oracle Context


See Also: For a complete description of the starter Oracle Context that is set up when you install Oracle9iAS Infrastructure, refer to the white paper, "Oracle Internet Directory Administration and Delegation Model in Oracle9i Application Server, Release 2," on Oracle Technology Network at:

http://otn.oracle.com/docs/index.htm


How Oracle Internet Directory is Implemented

An Oracle Internet Directory node is implemented as an application running on the Oracle9iAS Metadata Repository. To communicate with the repository, which may be on the same system or on a different one, Oracle Internet Directory uses Oracle Net Services, the Oracle platform-independent database connectivity solution. This relationship is illustrated in Figure 2–4.

Figure 2–4 Oracle Internet Directory Architecture

[Figure 2–4 labels: LDAP Clients; Directory Administration; LDAP over SSL; Oracle Internet Directory Server; Oracle Net Connections; Oracle9iAS Metadata Repository; Oracle9iAS Infrastructure]


Delegated Administration Service (DAS)

DAS is a Web-based GUI tool that directory administrators can use to create users, and that users can use to modify their own personal data (such as addresses, phone numbers, and photos) without an administrator's intervention. Using DAS, users can also search other parts of the directory to which they have access, so administrators are free to perform other tasks.

This tool relies on small Java programs, called servlets. Servlets receive requests from clients, process those requests (by either retrieving or updating data in the directory), then generate results, which they send back to clients.

