NOT PROTECTIVELY MARKED





Enterprise Architecture 2010

Reference Architecture

Secure Portal Framework

June 2010

Version: 1.0
Editor: Mike Williams
Status: Issued
Date: 16 June 2010






HA Reference Architecture - Secure Portal Framework | 01/11/2013 | v1.0 | Page 2 of 23



Document Control

Document Title: Reference Architecture - Secure Portal Framework
Author: Mike Williams
Owner: Ivan Wells
Distribution: General - SHARE and PartnerNET
Document Status: Issued

Revision History

Version | Date              | Description     | Author
0.1     | 1st December 2009 | First draft.    | Mike Williams
1.0     | 16th June 2010    | Baseline issue. | Mike Williams

Forecast Changes

Version | Date | Description

Reviewer List

Name       | Role
Ivan Wells | Reviewer
Various    | External peer review

Approvals

Name       | Title                     | Date | Version
Ivan Wells | Strategy and Architecture |      |

Document References

Document Title | Document Links







CONTENTS

1 INTRODUCTION ... 4
1.1 Preamble ... 4
1.2 Relationship to Reference Models ... 4
2 PLATFORM INDEPENDENT MODEL (PIM) ... 8
2.1 Summary Description and Overview ... 8
2.2 Federated Portals ... 8
2.3 Reverse Proxy ... 10
2.4 Access Management ... 11
3 PLATFORM SPECIFIC MODEL (PSM) ... 14
3.1 Portal Framework Overview ... 14
3.2 WebCenter Components ... 14
3.3 Reverse Proxy ... 15
3.4 Access Management ... 16








1 INTRODUCTION

1.1 Preamble

Reference architectures describe one or more Architecture Building Blocks for architectures in a particular domain. They also provide a common vocabulary with which to discuss implementations, often with the aim of stressing commonality. In Model-Driven Architecture (MDA) terms, they equate to Platform Independent Models (PIMs).

These represent (potentially re-usable) components of business, ICT, or architectural capability that can be combined with other building blocks to deliver architectures and solutions. Building blocks can be defined at various levels of detail, depending on which stage of architecture development has been reached. For instance, at an early stage, a building block can simply consist of a name, or an outline description, in architecture models which represent a placeholder for subsequent specifications. Later on, a building block may be decomposed into multiple supporting building blocks that may then be accompanied by full specifications.

Reference Implementations are examples of software specifications. These are intended as a guide for Service Providers to develop concrete Solution Building Blocks (SBBs). In Model-Driven Architecture (MDA) terms, they equate to Platform Specific Models (PSMs).

These PSMs are described as either Commercial-Off-The-Shelf (COTS) or Open Source Software (OSS). In this respect, the HA Technology Policies are aligned with Cross-Government Enterprise Architecture (xGEA) Technical Policies. These specify that OSS components should be considered as viable building blocks wherever they can be shown to meet the business requirements and offer Value for Money (VfM). Therefore, actual product selections will generally be determined through procurements and their evaluations of the Most Economically Advantageous Tenders (MEAT).

Where such selections have already been made, the Reference Implementations will be superseded by Level 2 (Physical) Technology Policies which reinforce the use of those components. Some of these components will stem from a build out, through re-use, of the HA's more recently acquired, existing infrastructure assets and investments, such as in Business Intelligence. In all other cases, the PSMs will be based on OSS projects which implement the relevant Open Standards.

1.2 Relationship to Reference Models

This reference architecture refers to a Secure Portal Framework for implementing Enterprise 2.0 services. This comprises the introduction and implementation within an enterprise of Web 2.0 technologies, including Rich Internet Applications (RIA), Software-as-a-Service (SaaS), and portal frameworks as a general platform. Similarly, Government 2.0 is an attempt to provide more effective processes for government service delivery to individuals and businesses (as with the G-Cloud). Describing this in terms of its relationship to Reference Models requires a number of views, as depicted in the diagrams below.

Figure 1 shows a functional mapping to the Delivery Interfaces Layer and Figure 2 the Collaboration Layer, of the EA Reference Model (EARM); note that the same technology framework is applied internally for Intranet-based applications and externally for the Extranet (PartnerNET). Similarly, Figure 3 shows it from a common infrastructure viewpoint and Figure 4 directly relates it to the Technical Reference Model (TRM). Finally, Figure 5 expands this into a detailed layered/tiered view of an SOA; this shows that the Secure Portal Framework Reference Architecture mainly covers the Application Layer, with an emphasis on the Presentation Tier, together with its underlying infrastructure. However, the security elements also cover other aspects of the TRM.





Figure 1 - Relationship to EARM (1) - Sub-set of Delivery Interfaces Layer

Figure 2 - Relationship to EARM (2) - Sub-set of Collaboration Layer








Figure 3 - Relationship to EARM (3) - Sub-set of Service Infrastructure Layer

Figure 4 - Relationship to Technical Reference Model (TRM)






Figure 5 - Layered View of Services






2 PLATFORM INDEPENDENT MODEL (PIM)

2.1 Summary Description and Overview

The reference architecture for the Secure Portal Framework is based around Enterprise 2.0 technology, which includes social software such as blogs, wikis, and other kinds of collaborative tools.

The portal framework outlined in Figure 6 must have at least the following Enterprise 2.0 features:

o Portability across all major application servers and Servlet containers, databases, and operating systems.
o Uses the latest in Java, J2EE, and Web 2.0 technologies.
o Uses an open SOA framework.
o JSR-168/JSR-286 and Web Services for Remote Portlets (WSRP) 2.0 compliant.
o Out-of-the-box usability with a catalogue of portlets.
o Personalised pages for all users.
o AJAX-enabled user interface.
o Full Identity Management and secure Enterprise Single Sign-On (ESSO) integration.
o Granular role-based authorisations.

Figure 6 - Portal Framework Architecture


2.2 Federated Portals

2.2.1 As-Is Infrastructure Problem

The existing infrastructure is fragmented and there is a lack of integration between internal and external systems, thus preventing “one version of the truth”. This is illustrated in Figure 7.






Figure 7 - As-Is Infrastructure

Problems arising from this current infrastructure include:

- Duplication across multiple portals.
- No “one version of the truth” due to security restrictions, e.g. a master document held in the “SHARE” repository is copied into PartnerNET as a snapshot in time without any form of synchronisation for subsequent updates.
- Multiple user accounts with separate logins, passwords and user administration requirements.
- High administration and maintenance costs.

2.2.2 Proposed federated solution

Within the Reference Architecture, the proposed solution to the problems described above is to adopt a Federated Portal Architecture.

Federated portals are:

o Distributed - portlets are deployed on remote systems across the enterprise.
o Loosely coupled - the portal and its portlets do not depend upon one another. In most cases, remote portlets can be maintained and deployed separately from the main portal.
o Collaborative - remote portlets can communicate and share data.
o Plug-and-Play - remote portlets can easily be located and consumed, usually without coding.
o Standards based - federated portals are built upon open standards, such as WSRP, SOAP, WSDL, and SAML.

Figure 8 illustrates the basic concepts of a federated portal with producers and consumers as its component parts. A producer is a portal web application that offers remote portlets to other consumer portal web applications. Both producers and consumers implement a web services layer that enables them to communicate. This web services layer allows producers to offer portlets-as-a-service to consumers on remote systems. Consumers bring these remote, distributed portlets together at runtime. Each of the remote portlets may be developed and maintained by different groups of people.






Figure 8 - Concept of Federated Portals

This federated portal approach reflects the HA's Service Oriented Architecture (SOA). It does, however, rely upon a Web Services infrastructure, as shown in Figure 9.

Figure 9 - WSRP Architecture

This is also sometimes referred to as a Web Oriented Architecture (WOA), which is a style of software architecture that extends the Service-Oriented Architecture (SOA) paradigm to web-based applications.

2.3 Reverse Proxy

A reverse proxy is a proxy server that is used in front of Web servers. All connections from the Internet to one of the Web servers are routed through the proxy server, which may either deal with the request itself (from its cache) or pass the request wholly or partially to the main web servers, as shown in Figure 10.





Figure 10 - Communication via a Reverse Proxy

A reverse proxy dispatches in-bound network traffic to a set of servers, presenting a single interface to the caller. There are several benefits of reverse proxy servers:

1. Security: the proxy server may provide an additional layer of defence by separating and protecting servers further up the chain, mainly through obfuscation.
2. Encryption and acceleration: on secure websites, accessed via HTTPS, the SSL encryption is best offloaded from the Web server itself, using a reverse proxy equipped with SSL acceleration hardware to optimise performance.
3. Load distribution: the reverse proxy can distribute the load across several servers, for scalability and resilience. The reverse proxy may have to re-write the URLs in each webpage (translation from externally known URLs to the internal addresses).
4. Caching: the reverse proxy can offload the Web servers by caching static content, such as images, as well as dynamic content, such as an HTML page rendered by a content management system. Proxy caches of this sort can often satisfy a considerable proportion of website requests, greatly reducing the load on the central web server.
5. Compression: the proxy server can optimise and compress the content to speed up the load time.
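Two of the behaviours listed above, URL translation between internal addresses and the externally known URL (item 3) and hiding the origin servers from the caller (item 1), as an added example that is not part of the original document or of OracleAS Web Cache; the hostnames, header names and sample response are constructed placeholders:

```python
"""Response rewriting at a reverse proxy.

Added example, not from the original document or from OracleAS Web Cache. It
shows the two behaviours the section attributes to a reverse proxy: translating
internal addresses to the externally known URL in redirects and page bodies,
and hiding origin-server details from the caller. Hostnames and header values
are constructed placeholders.
"""
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed: the origin as the Web servers know themselves, and the single
# external interface the proxy presents to callers.
INTERNAL_ORIGIN = "http://portal-app01.internal.example:8080"
EXTERNAL_ORIGIN = "https://partnernet.example.gov.uk"

# Response headers that fingerprint the origin server stack.
FINGERPRINT_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "via"}


def translate_url(url: str) -> str:
    """Map a URL on the internal origin to its external form; leave other URLs alone."""
    parts, internal = urlsplit(url), urlsplit(INTERNAL_ORIGIN)
    if (parts.scheme, parts.netloc) != (internal.scheme, internal.netloc):
        return url
    ext = urlsplit(EXTERNAL_ORIGIN)
    return urlunsplit((ext.scheme, ext.netloc, parts.path, parts.query, parts.fragment))


def rewrite_headers(headers: dict) -> dict:
    """Translate redirect targets and drop headers that reveal the origin."""
    out = {}
    for name, value in headers.items():
        if name.lower() in FINGERPRINT_HEADERS:
            continue
        if name.lower() == "location":
            value = translate_url(value)
        out[name] = value
    return out


# Absolute URLs on the internal origin, as they appear in HTML attributes or text.
_INTERNAL_URL = re.compile(re.escape(INTERNAL_ORIGIN) + r"""[^\s"'<>]*""")


def rewrite_body(body: str) -> str:
    """Translate every absolute internal URL embedded in a page."""
    return _INTERNAL_URL.sub(lambda m: translate_url(m.group(0)), body)


def leaks_internal_host(headers: dict, body: str) -> bool:
    """Post-rewrite check: does the internal hostname still appear anywhere?"""
    host = urlsplit(INTERNAL_ORIGIN).hostname
    return any(host in v for v in headers.values()) or host in body


def proxy_response(headers: dict, body: str) -> tuple:
    """Apply both rewrites and refuse to forward a response that would still leak."""
    new_headers, new_body = rewrite_headers(headers), rewrite_body(body)
    if leaks_internal_host(new_headers, new_body):
        raise ValueError("internal hostname would be disclosed to the caller")
    return new_headers, new_body


# Constructed origin response: a redirect plus a page with one internal and
# one third-party absolute link.
SAMPLE_HEADERS = {
    "Location": INTERNAL_ORIGIN + "/portal/home?tab=1",
    "Server": "Origin-App-Server/11 (constructed)",
    "Content-Type": "text/html",
}
SAMPLE_BODY = ('<a href="http://portal-app01.internal.example:8080/docs/a.pdf">A</a>'
               '<a href="https://other.example/x">B</a>')

if __name__ == "__main__":
    headers, body = proxy_response(SAMPLE_HEADERS, SAMPLE_BODY)
    print(headers["Location"])
    print(body)
```

The final check matters more than the rewrites: a hostname that reaches the body outside a URL (an error page, a debug comment) is exactly what the obfuscation benefit is meant to prevent, so the proxy refuses to forward it rather than leak it.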


2.4 Access Management

Access Management includes both Identity Management and Enterprise Single Sign-On (ESSO).

“Identity management projects are much more than technology implementations; they drive real business value by reducing direct costs, improving operational efficiency and enabling regulatory compliance.” - Gartner.

With the current architecture, based on individual silos, the Agency and its stakeholders experience a number of “pain points”, as shown in Table 1 below.










Table 1 - Pain Points

IT Admin: Too many user stores and account admin requests. Unsafe sync scripts.
IT Developers: Redundant code in each application. Need to re-work code too often.
End Users: Too many passwords. Long waits for access to apps/resources.
Security/Compliance: Too many orphaned accounts. Limited auditing ability.
Business Owners: Too expensive to reach new partners and channels. Need for control.


These pain points are particularly significant in the HA due to the diverse types and numbers of users and the multiple contexts of these digital identities, as shown in Figure 11 below.

Figure 11 - Identities have multiple contexts

The HA has approximately:

- 2,700 office-based staff;
- 800 mobile Traffic Officers; and
- 450 external partner organisations.

Moreover, the Agency procures from its supply chain almost all (over 95%) of what is needed to provide efficient, effective and value for money services to its customers. In the future (To-Be) architecture, the following requirements must be met:

- Users only have to log in once.
- Identities are federated across domains.
- Access permissions are determined by Role(s), Groups and Policies.
- Automated provisioning services are linked to ERP Systems:
  - Employees joining/leaving (HR)
  - Contractors (Procurement)






A logical architecture is shown in Figure 12 below.

Figure 12 - IAM Logical Architecture
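The To-Be requirements above (access determined by roles, groups and policies; provisioning driven by the HR and Procurement feeds) together with the Table 1 pain point of orphaned accounts, as an added example that is not part of the original document or of Oracle IAM; the feeds, group names, roles and resources are constructed placeholders:

```python
"""Joiner/leaver reconciliation and role-based access decisions.

Added example, not from the original document or from Oracle IAM. The feeds,
group names, roles and resources are constructed placeholders standing in for
the HR and Procurement ERP extracts and the enterprise directory.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Set

@dataclass(frozen=True)
class Person:
    """One record from an authoritative feed (HR for staff, Procurement for contractors)."""
    uid: str
    source: str               # "HR" or "Procurement"
    groups: FrozenSet[str]
    end_date: Optional[date]  # leaving date or contract end; None if open-ended

@dataclass(frozen=True)
class Account:
    """One directory account with the roles it currently holds."""
    uid: str
    roles: FrozenSet[str]

# Policy: which group memberships grant which roles (constructed).
GROUP_ROLES: Dict[str, Set[str]] = {
    "office-staff": {"intranet-user"},
    "traffic-officers": {"intranet-user", "mobile-portal"},
    "finance": {"ebs-financials"},
    "partner-org": {"partnernet-user"},
}

# Policy: which roles may reach which resources (constructed).
ROLE_RESOURCES: Dict[str, Set[str]] = {
    "intranet-user": {"share-repository"},
    "mobile-portal": {"share-repository", "incident-feed"},
    "ebs-financials": {"ebs-financials"},
    "partnernet-user": {"partnernet"},
}

def is_active(person: Person, today: date) -> bool:
    """A person is active up to and including their recorded end date."""
    return person.end_date is None or today <= person.end_date

def entitled_roles(person: Person, today: date) -> Set[str]:
    """Roles the person should hold: the union of their groups' policies; none once they have left."""
    if not is_active(person, today):
        return set()
    roles: Set[str] = set()
    for group in person.groups:
        roles |= GROUP_ROLES.get(group, set())
    return roles

def reconcile(people: List[Person], accounts: List[Account], today: date) -> Dict[str, object]:
    """Compare the authoritative feeds with the account store.

    orphaned: accounts with no active person behind them (leavers, ended
              contracts, accounts unknown to any feed) - the Table 1 pain point.
    excess:   per account, roles held that no current policy grants.
    missing:  active people with no account yet (joiners awaiting provisioning).
    """
    by_uid = {p.uid: p for p in people}
    orphaned: List[str] = []
    excess: Dict[str, Set[str]] = {}
    for acct in accounts:
        person = by_uid.get(acct.uid)
        if person is None or not is_active(person, today):
            orphaned.append(acct.uid)
            continue
        extra = set(acct.roles) - entitled_roles(person, today)
        if extra:
            excess[acct.uid] = extra
    have_account = {a.uid for a in accounts}
    missing = [p.uid for p in people if is_active(p, today) and p.uid not in have_account]
    return {"orphaned": sorted(orphaned), "excess": excess, "missing": sorted(missing)}

def authorise(people: List[Person], accounts: List[Account],
              uid: str, resource: str, today: date) -> bool:
    """Decide access from current policy, never from the stored roles alone."""
    person = next((p for p in people if p.uid == uid), None)
    if person is None or uid not in {a.uid for a in accounts}:
        return False
    return any(resource in ROLE_RESOURCES.get(r, set())
               for r in entitled_roles(person, today))

# Constructed feeds and account store for one reconciliation run.
TODAY = date(2010, 6, 16)
PEOPLE = [
    Person("jsmith", "HR", frozenset({"office-staff", "finance"}), None),
    Person("ajones", "HR", frozenset({"traffic-officers"}), date(2010, 5, 31)),  # left
    Person("bcontractor", "Procurement", frozenset({"partner-org"}), date(2010, 12, 31)),
    Person("newjoiner", "HR", frozenset({"office-staff"}), None),  # no account yet
]
ACCOUNTS = [
    Account("jsmith", frozenset({"intranet-user", "ebs-financials", "mobile-portal"})),  # excess role
    Account("ajones", frozenset({"intranet-user", "mobile-portal"})),
    Account("bcontractor", frozenset({"partnernet-user"})),
    Account("svc-legacy", frozenset({"intranet-user"})),  # in no feed at all
]

if __name__ == "__main__":
    print(reconcile(PEOPLE, ACCOUNTS, TODAY))
```

Because the decision in `authorise` is recomputed from the feeds and policies, a leaver whose account has not yet been removed, or a role left over from a previous job, grants nothing even before the reconciliation report is acted on.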








3 PLATFORM SPECIFIC MODEL (PSM)

3.1 Portal Framework Overview

The chosen reference implementation for the Secure Portal Framework is Oracle WebCenter 11g combined with the Oracle Identity and Access Management Suite. The rationale for this is as follows:

- Integration with business applications such as the E-Business Suite (EBS - Financials and Human Resources) and Business Intelligence.
- Oracle provides rich functionality and is widely supported within the ISV community with an extensive ecosystem of partners.
- Integrated set of developer tools; Oracle Corporation alone has more than 20,000 developers worldwide using these.
- Re-use of the existing Oracle-based infrastructure deployed for Business Intelligence (BI) and Geographical Information System (GIS) data warehouses.
- Pre-existing (COTS-based) integrations with the rest of the Oracle technology stack.
- The HA has an Enterprise licence.

Figure 13 - Oracle WebCenter 11g Architecture

The main components are described in outline in the following sections.

3.2 WebCenter Components

The main components of Oracle WebCenter 11g are as follows:

- Oracle WebCenter Framework is a declarative JavaServer Faces (JSF) framework that embeds Asynchronous JavaScript and XML (AJAX) components, portlets, and content to create context-rich, customisable applications. It also includes Composer and Business Dictionary, role-based capabilities that enable business users to seamlessly unify many corporate information resources with enterprise portals with just a few mouse clicks. It is a complete, standards-based portlet development environment: business user tools support the rapid creation of JSR-168 portlets and the deployment of WSRP 1.0 and 2.0 portlet producers. The solution also includes a JSF Portlet Bridge that facilitates the conversion of any JSF application into a JSR-168 portlet. Content can easily be integrated and published using data controls built to the JCR/JSR-170 standard. Content repositories supporting the JCR standard can just be configured; adapters are also available for Oracle's content repository, Oracle Portal, file systems, and third-party content management systems, including Documentum, Microsoft SharePoint, and Lotus Notes. Oracle WebCenter Framework is also delivered as an Oracle JDeveloper extension, providing a unified development environment for developers to build and deliver SOA process models, Business Intelligence applications, enterprise portals, and composite applications.



WebCenter

Spaces
provide

out
-
of
-
the
-
box collaborative applications for business users
to manage personal information, group projects and dynamic online communities without
having to call
upon on IT.



Oracle Composer

allows business users to edit application pages on the fly after the
application or portal has been deployed


edits can include new colour schemes,
changes in page layout and new content or services added to the page. When usin
g
Composer
, users can add new enterprise services and content to further customise their
pages via the
Business Dictionary
, a catalogue of role
-
based enterprise resources
such as views of structured enterprise application data, personal productivity servic
es
and secure content sources. Additionally, IT developers can add the
Oracle
Composer

capability to any application or portal during development without any coding.



Oracle
WebCenter

Anywhere
provides a

set of wireless services that enable users to
connect

with Oracle WebCenter Suite applications from any connected device, including
desktop and mobile applications.



Oracle WebCenter Services

provide
out
-
of
-
the
-
box Enterprise 2.0 Social Computing
Services which can be embedded directly into applications. Thes
e include wikis, blogs,
RSS feeds, recent activities, discussion forums, tags, links, social networking, Business
Process Execution Language (BPEL) workflows, and analytics.



Additional Value
-
Add Components
are bundled with

WebCenter Suite
:

includes Oracle
Universal Content Management
;

S
e
cure Enterprise Search and Presence
;

and
Communications Servi
ces
.



Oracle WebCenter Interaction
provides a
n integrated collection of components
designed to deploy communities and composite solutions over diverse platforms tha
t
offer native support for both Microsoft .NET and Java.



Oracle Application Server/Oracle
WebLogic

Portal
provides a fully certified server
environment although the framework should run on any J2EE platform including open
source products such as Red Hat’s
JBoss

and Apache Jakarta Tomcat running on Linux.

3.3 Reverse Proxy

The reference implementation for the reverse proxy is OracleAS Web Cache.

OracleAS Web Cache is a content-aware server accelerator, or reverse proxy server, that improves the performance, scalability, and availability of Web sites that run on Oracle Application Server.

By storing frequently accessed URLs in memory, OracleAS Web Cache eliminates the need to repeatedly process requests for those URLs on the application Web server and database tiers. Unlike legacy proxies that handle only static objects, OracleAS Web Cache caches both static and dynamically generated content from one or more Web servers, thus providing optimal performance by greatly reducing the load on the Web server, application and database tiers. As an external cache, OracleAS Web Cache is also an order of magnitude faster than object caches that run within the web tier.






Figure 14 shows the basic architecture. OracleAS Web Cache sits in front of application Web servers, caching their content, and providing that content to Web browsers that request it.

When Web browsers access the Web site, they send HTTP or HTTPS protocol requests to OracleAS Web Cache. OracleAS Web Cache, in turn, acts as a virtual server on behalf of the Web servers. If the requested content has changed, OracleAS Web Cache retrieves the new content from the Web servers. The Web servers may retrieve dynamic content from an Oracle database. OracleAS Web Cache can be deployed on its own dedicated tier of computers or on the same computer as the Web servers.

Figure 14 - OracleAS Web Cache


3.4 Access Management

3.4.1 Overview

The reference implementation for Access Management is Oracle Identity and Access Management Suite, as certified by CESG. Oracle IAM is a suite consisting of Oracle Access Manager, Oracle Virtual Directory and Oracle Internet Directory. It allows enterprises to manage and automate the end-to-end lifecycle of user identities, and provides users with secure, fine-grained access to enterprise resources and assets.

An end-to-end overview of the Oracle Identity Management platform is shown in Figure 15 below. The individual components are described in the following sub-sections.



















Figure 15 - Oracle Identity & Access Management Framework

3.4.2 Oracle Access Manager (OAM)

Oracle Access Manager provides Web-based identity administration, as well as access control to Web applications and resources running in a heterogeneous environment. It provides the user and group management, delegated administration, password management and self-service functions necessary to manage large user populations in complex, directory-centric environments.

Access Manager supports all popular authentication methods including browser forms, digital certificates and smart cards, and integrates with most application servers and portals. User identities and credentials can be accessed from a number of LDAP-based repositories, including Oracle Internet Directory, Microsoft Active Directory and Sun Java System Directory. With Access Manager, user access policies can be defined and enforced with a high degree of granularity through centralised management.

3.4.3 Oracle Adaptive Access Manager (OAAM)

Oracle Adaptive Access Manager provides superior protection through its core components: Adaptive Strong Authenticator (ASA) and Adaptive Risk Manager (ARM).

ASA relies on the following standards-based technologies:

- Relative cryptographic strength (for example, NIST and Common Criteria levels).
- Cryptographically strong pseudorandom number generator, which complies with Federal Information Processing Standard (FIPS) 140-2.






- Cryptographically strong sequences as described in RFC 1750: Randomness Recommendations for Security.
- J2EE, Microsoft .NET, JSR 94-based rules engine.


Leveraging a soft, two-factor authentication solution, ASA provides fraud protection against online identity theft. It does so by encrypting credential data inputs at the point of entry. This ensures maximum user protection because information never resides on a user's computer. Nor does information reside anywhere on the Internet where it can be vulnerable to theft.

ASA includes a number of user interfaces for managing fraud and identity theft protection. Whether making payments, accessing sensitive documents, entering passwords, or answering challenge questions, users and data are protected. These GUI-based interfaces include: QuestionPad, QuizPad, Keypad (Virtual Keyboard) and Slider.

Adaptive Risk Manager enables an enterprise to evaluate and score risk. It can do so for each online login and transaction. As a result, the solution increases authentication security in real-time for high-risk situations.

Adaptive Risk Manager provides a strong second and third factor of security for the enterprise. It can serve as a standalone solution that offers increased security, with no change to the user experience, but it can also be used in combination with ASA. Together the components provide further anti-identity theft and fraud protection.

3.4.4 Oracle Enterprise Single Sign-On (OESSO)

Enterprises these days generally have Microsoft Windows® desktop users accessing diverse enterprise applications on a daily basis. Each enterprise application often has different security requirements and, as a consequence, users are often forced to remember multiple different passwords for various applications; this scenario is illustrated in Figure 16. As a result, there is a need to enable a simple and secure way for enterprise users to access heterogeneous applications (e.g. Microsoft Windows, Java, etc.) by signing on just once to their Windows desktop. This should not only circumvent the need to remember credentials for individual applications but also enhance user productivity by eliminating help desk calls associated with forgotten passwords.

Figure 16 - Separate User Logons

The Oracle ESSO Suite facilitates a way for desktop users to access enterprise applications by signing on just once to their desktops using a single set of credentials, as depicted in Figure 17.

Figure 17 - Oracle ESSO Logon Manager





The Oracle ESSO Suite comprises five key components:

- Oracle ESSO Logon Manager (ESSO-LM) provides interfaces to network and computer logons as well as sign-on to applications, enabling users to log in once with a single password. Once users are logged in, whatever application they open is served the correct ID and password transparently and automatically. This eliminates the need for users to remember and manage multiple user names and passwords for their applications, while allowing administrators to centrally manage passwords. The Oracle ESSO Logon Manager Admin Console interacts with the Logon Manager and facilitates management and administration of ESSO attributes.
- Oracle ESSO Password Reset (ESSO-PR) provides a recovery mechanism for users who forget their desktop passwords. If users forget their Windows password, then ESSO-PR enables them to regain access to their computer and the corporate network. This allows users to reset their password directly from the Windows logon prompt of their locked-out workstation, so that they can get to their applications within seconds, without having to call the help desk or go to another workstation.
- Oracle ESSO Kiosk Manager (ESSO-KM) provides initial user authentication and automatic user sign-off to kiosk environments, enabling secure kiosk computing at any location within the enterprise. The system monitors and protects unattended kiosk sessions from unauthorised access. Inactive sessions are protected by a secure screen saver, which permits the next user to sign on to a new session while safely terminating the prior session.
- Oracle ESSO Authentication Manager (ESSO-AM) allows organisations to use any combination of tokens, smart cards, biometrics and passwords to control user access to their applications, making it easier to implement advanced authentication strategies. The software can be integrated seamlessly with applications, providing granular control over the level of authentication required to access specific applications.
- Oracle ESSO Provisioning Gateway (ESSO-PG) allows system administrators to directly distribute user credentials, usernames and passwords to Oracle ESSO. The administrator can add credentials for new applications and new users as well as modify or delete old credentials in Oracle ESSO. The Provisioning Gateway is also the interface that is used to integrate Oracle Identity Manager (OIM), which enables provisioning of users to all enterprise applications and enables Oracle ESSO.


3.4.5 Oracle Identity Federation (OIF)

Oracle Identity Federation is a complete, enterprise-level solution for secure identity information exchange between partners. It significantly reduces the need to manage unnecessary accounts in the enterprise directory and lowers the cost of integrations through support of industry federation standards. Key features of OIF include:

- Multiple Federation Protocols Support: OIF supports the following protocols:
  o SAML 1.0/1.1/2.0,
  o Liberty Alliance ID-FF 1.1/1.2, and
  o WS-Federation.
  OIF participated in vendor-neutral standard conformance events and has achieved Liberty Alliance certification for Liberty ID-FF and SAML 2.0.
- Oracle Universal Federation Framework: OIF provides architectural flexibility and integration capabilities for rapid deployment in complex multi-vendor and homegrown environments. It exposes a set of simplified programmatic interfaces for seamless integration with any application or identity and access management solution, including the Government Gateway.


- OIF provides unified and simplified interfaces for all management and administration tasks by leveraging Oracle Enterprise Manager technology for enterprise-grade operational management.

- Enterprise scalability, availability and manageability: OIF is designed to be scalable and highly available. Its flexible architecture makes it easier to scale and tune the federation infrastructure at each component level. OIF supports mission-critical applications through load balancing and failover.

- Support for Microsoft Windows CardSpace (Geneva) as an authentication mechanism: OIF can act as a CardSpace Relying Party (RP) and comes with a CardSpace authentication provider. With OIF, organisations can enable their sites to accept self-issued or managed InfoCards in a matter of hours.

- Operational monitoring of server status, adapter status and system status, including CPU and memory utilisation. Provides a single dashboard view of the entire deployment topology and server status, including all Oracle Fusion Middleware components, databases and applications.

- Integration with Fusion audit and logging viewers enables a unified view of OIF logs and end-to-end tracing of a transaction across the application stack. In addition, OIF can generate standard reports through default integration with Oracle BI Publisher.
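The SAML 2.0 support listed above is only as safe as the checks the consuming side (the portal acting as Service Provider) performs on each assertion it receives. The following is an added example, not code from the HA document or from Oracle Identity Federation, showing the conditions a Service Provider must enforce after it has verified the assertion's XML signature: issuer, validity window with clock skew, audience restriction, presence of a subject, and a replay cache keyed on the assertion ID. The issuer and audience URLs and the sample assertion are constructed for the example; signature verification is assumed to have already happened and is not shown.

```python
"""Added example: Service Provider side checks on a SAML 2.0 assertion.
Not part of the HA Reference Architecture or of OIF's own code."""
import datetime as dt
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample assertion; issuer and audience URLs are hypothetical.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_8f2c1a" Version="2.0" IssueInstant="2010-06-16T10:00:00Z">
  <saml:Issuer>https://idp.example.gov.uk/oif</saml:Issuer>
  <saml:Subject><saml:NameID>jsmith</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2010-06-16T09:59:00Z" NotOnOrAfter="2010-06-16T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://portal.example.gov.uk/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_utc(stamp):
    """SAML timestamps are UTC with a trailing Z."""
    return dt.datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def check_assertion(xml_text, expected_issuer, expected_audience, now,
                    seen_ids=None, skew=dt.timedelta(seconds=60)):
    """Return the list of reasons to reject the assertion; empty means accept.

    seen_ids is a set of assertion IDs already consumed (replay protection).
    The assertion's signature is assumed to have been verified before this
    function is called; that step is not shown here."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML_NS:
        return ["root element is not a SAML 2.0 Assertion"]
    if root.get("Version") != "2.0":
        problems.append("unsupported Version %r" % root.get("Version"))

    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        problems.append("issuer mismatch: %r" % issuer)

    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        problems.append("no Conditions element")
    else:
        not_before = conditions.get("NotBefore")
        not_on_or_after = conditions.get("NotOnOrAfter")
        if not_before and now + skew < parse_utc(not_before):
            problems.append("assertion not yet valid")
        if not_on_or_after and now - skew >= parse_utc(not_on_or_after):
            problems.append("assertion expired")
        audiences = [a.text for a in conditions.findall(
            "saml:AudienceRestriction/saml:Audience", NS)]
        if not audiences:
            problems.append("no AudienceRestriction")
        elif expected_audience not in audiences:
            problems.append("audience mismatch: %r" % audiences)

    if not root.findtext("saml:Subject/saml:NameID", namespaces=NS):
        problems.append("no Subject NameID")

    # Replay protection: an ID is only recorded once the assertion is accepted.
    assertion_id = root.get("ID")
    if seen_ids is not None:
        if assertion_id in seen_ids:
            problems.append("assertion ID %r already consumed (replay)" % assertion_id)
        elif not problems:
            seen_ids.add(assertion_id)
    return problems


if __name__ == "__main__":
    now = parse_utc("2010-06-16T10:01:00Z")
    cache = set()
    idp, sp = "https://idp.example.gov.uk/oif", "https://portal.example.gov.uk/sp"
    print(check_assertion(SAMPLE_ASSERTION, idp, sp, now, cache))  # []
    print(check_assertion(SAMPLE_ASSERTION, idp, sp, now, cache))  # replay rejected
```

Every check returns a reason rather than raising, so a deployment can log the full set of failures for a rejected assertion; in production the replay cache must be shared across portal nodes and expire entries no earlier than NotOnOrAfter plus the skew.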


3.4.6 Oracle Web Services Manager (OWSM)

Oracle Web Services Manager is a comprehensive solution for managing Service-Oriented Architectures (SOAs). It allows IT management to centrally define policies that govern web service operations, such as access policy, logging policy and content validation, and then wrap these policies around services with no modification to the existing web services required. Oracle Web Services Manager also collects monitoring statistics to ensure service levels and security, and displays them in a web dashboard.

Key features of Oracle Web Services Manager include:

- Policy Manager
- Enforcement
- Monitoring Dashboard

3.4.7 Oracle Identity Manager (OIM)

Oracle Identity Manager (OIM) is a secure enterprise provisioning solution with proven functionality in the identity management domain. Enterprise provisioning involves the management activities, business processes and technologies governing the creation, modification and deletion of user access rights and privileges to an organisation's ICT systems, applications and physical assets. To gain better control over user access rights, enterprises require automated provisioning systems that enforce organisational security policies and ensure adherence to regulatory standards.

The architecture of OIM is shown in Figure 18.



Figure 18 - OIM Architecture


3.4.8 Oracle Role Manager (ORM)

Oracle Role Manager (ORM) provides a comprehensive feature set for role lifecycle management, business and organisational relationships and resources. Built on a scalable J2EE architecture, ORM enables business users to define user access by abstracting resources and entitlements as roles. Organisation data in existing applications can be managed within ORM to model complex relationship paths across business structures such as reporting organisation hierarchies and locations. Business policies defined in ORM use organisation and relationship data to drive role membership and ultimately access. Through seamless integration with Identity and Access Management (IAM) applications, ORM enables the automation of provisioning events, addressing governance and compliance needs across an existing ICT infrastructure.

With ORM, organisations can:

- Enhance security by dramatically improving the timeliness and accuracy of provisioning and de-provisioning of resources as role membership changes.
- Accelerate role management implementation by mining for candidate roles.
- Maintain a single authoritative source for roles.
- Strengthen regulatory compliance through detailed audits of who should have access to what, and complete reports on why a user was given access.

3.4.9 Oracle Directory Services (ODS)

Oracle Directory Services (ODS) are delivered through two products: Oracle Internet Directory (OID) and Oracle Virtual Directory (OVD).

Oracle Internet Directory is a general purpose directory service that enables fast retrieval and centralised management of information about dispersed users and network resources. It combines Lightweight Directory Access Protocol (LDAP) Version 3 with the high performance, scalability, robustness and availability of an Oracle database.



Oracle Virtual Directory is an LDAPv3-enabled service that provides a virtualised abstraction of one or more enterprise data sources into a single directory view. Oracle Virtual Directory provides the ability to integrate LDAP-aware applications into diverse directory environments while minimising or eliminating the need to change either the infrastructure or the applications.


The components of Oracle Internet Directory are:

LDAP: The Lightweight Directory Access Protocol (LDAP) is a standard, extensible directory access protocol. It is the common language that LDAP clients and servers use to communicate.

Directory: A directory stores and retrieves information about organisations, individuals and other resources. It acts as the policy and configuration data repository for OAM.

Directory Entries: In a directory, a collection of information about an object is called an entry. Each entry is uniquely identified by a distinguished name (DN), which defines exactly where in the directory's hierarchy the entry resides. Each entry contains information stored in attributes. An object class is a group of attributes that define the structure of an entry. Each directory has a Directory-Specific Entry (DSE), which holds information that relates to the whole directory, such as the audit log.

Oracle Directory Server Instance: Each Oracle Directory Server instance services LDAP requests through a single OID dispatcher process listening on a specific TCP/IP port number. There can be more than one directory server instance on a node, each listening on a different port. One instance comprises one dispatcher process and one or more server processes. By default there is one server process for each instance.

Oracle Database 11g: OID runs as an Oracle Database 11g application. An Oracle database stores the directory data. The database can reside on the same node as the directory server processes or on a separate node.

Oracle Net Connections: OID communicates with the database using Oracle Net Services, Oracle's operating-system-independent database connectivity solution. Oracle Net Services is used for all connections between the Oracle Database Server and the OID Control utility (oidctl), the directory server instance, and the OID Monitor (oidmon).

LDAP Clients: LDAP clients send LDAP requests to an OID listener/dispatcher process listening for LDAP commands on its port.
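The LDAP clients described above (the portal and its access-management components) build search filters and DNs from application data, often from values a user typed. As an added example, not code from the HA document or from OID, the block below shows the classic mistake of splicing a raw value into a filter beside the hardened form that applies RFC 4515 escaping for filter values and RFC 4514 escaping for DN values; the base DN, the attribute names and the sample inputs are constructed for the example.

```python
"""Added example: escaping untrusted input for LDAP filters and DNs.
Not part of the HA Reference Architecture or of Oracle's directory code."""


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside an LDAP search filter.

    The value is UTF-8 encoded; '*', '(', ')', '\\', NUL and every
    non-ASCII byte become a backslash followed by two hex digits."""
    out = []
    for byte in value.encode("utf-8"):
        if byte in (0x2A, 0x28, 0x29, 0x5C, 0x00) or byte >= 0x80:
            out.append("\\%02x" % byte)
        else:
            out.append(chr(byte))
    return "".join(out)


def escape_dn_value(value):
    """RFC 4514 escaping for an attribute value used inside a DN."""
    specials = set(',+"\\<>;')
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        if ch in specials:
            out.append("\\" + ch)
        elif ch == " " and (i == 0 or i == last):   # leading/trailing space
            out.append("\\ ")
        elif ch == "#" and i == 0:                   # leading hash
            out.append("\\#")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def naive_user_filter(uid):
    """Vulnerable: the caller's string is spliced into the filter unchanged,
    so a uid of '*)(uid=*' turns a single-user lookup into a match-all."""
    return "(&(objectClass=inetOrgPerson)(uid=%s))" % uid


def user_filter(uid):
    """Hardened: the same filter with the value escaped first."""
    return "(&(objectClass=inetOrgPerson)(uid=%s))" % escape_filter_value(uid)


def user_dn(uid, base="ou=people,dc=example,dc=gov,dc=uk"):
    """Hardened DN construction for a bind or modify (base DN is hypothetical)."""
    return "uid=%s,%s" % (escape_dn_value(uid), base)


if __name__ == "__main__":
    injected = "*)(uid=*"          # constructed attacker input
    print(naive_user_filter(injected))   # matches every person entry
    print(user_filter(injected))         # matches nothing, as intended
    print(user_dn("Smith, John"))
```

Escaping is still only half of the fix: the account the portal binds with should be limited to the subtrees and attributes it needs, so that a filter that does get through cannot enumerate the whole directory.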


The components of Oracle Virtual Directory are:

Oracle Virtual Directory Server: Oracle Virtual Directory Server can integrate multiple directories by using its ability to talk to multiple directory sources through its adapter and mapper architecture, and through the provision of full schema and namespace translation services. This ensures that data presented to applications from multiple proxied sources have a common and consistent format.

Adapters: OVD supports an unlimited number of directory data connection components known as adapters. Each adapter is responsible for managing a particular namespace that is represented by a specific parent distinguished name (DN). Multiple adapters can be combined and overlapped to present a customised directory tree. OVD supports the following adapter types:



- LDAP Adapter - provides proxied access to LDAPv2/LDAPv3 directory servers.
- Database Adapter - provides LDAP virtualisation of relational database data.
- Storage Adapter - forms the base of the directory and holds entries that are not proxied.
- Join View Adapter - provides real-time join capabilities between entries located in other OVD adapters.

Mappers: Oracle Virtual Directory includes a bi-directional mapping system based on the Python scripting language. A mapper is a special Python script that processes inbound and outbound transactional data flow within Oracle Virtual Directory. A mapping script can adjust requests as they enter the system on the way to data sources, and transform responses on the return path to the client.

OVD Listeners: Oracle Virtual Directory provides services to clients through two types of connections: LDAP and HTTP. LDAP is used to provide LDAPv3-based services, while HTTP can provide one or more services such as DSMLv2, or basic white-page functions provided by an XSLT-enabled Web Gateway.
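The adapter and mapper sections above describe two mechanisms: each adapter owns the namespace under a parent DN, with overlapping adapters resolved in favour of the more specific one, and a mapper rewrites a request on its way to the data source and the response on its way back. As an added example, not the HA document's text and not OVD's own mapper API, the following toy virtual directory implements both in plain Python: a longest-suffix DN router over two adapters (an Active Directory style source under ou=staff whose mapper translates uid to sAMAccountName, and a local storage adapter at the base), with constructed entries and hypothetical DNs.

```python
"""Added example: a toy virtual directory with namespace-owning adapters and
a bidirectional attribute mapper. Not OVD's code or its mapper interface."""


def dn_components(dn):
    """Split a DN into its RDNs, normalised for comparison (no escape handling)."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def dn_is_under(dn, parent_dn):
    """True if dn equals parent_dn or lies below it in the tree."""
    d, p = dn_components(dn), dn_components(parent_dn)
    return len(d) >= len(p) and d[len(d) - len(p):] == p


class Mapper:
    """Bidirectional attribute-name mapping: inbound rewrites the attributes
    a client asked for into the source's names, outbound rewrites a source
    entry back into the client's vocabulary."""

    def __init__(self, client_to_source):
        self.client_to_source = dict(client_to_source)
        self.source_to_client = {s: c for c, s in self.client_to_source.items()}

    def inbound(self, attrs):
        return [self.client_to_source.get(a, a) for a in attrs]

    def outbound(self, entry):
        return {self.source_to_client.get(k, k): v for k, v in entry.items()}


class Adapter:
    """Owns the namespace under root_dn. entries maps DN -> attribute dict
    and stands in for a real backend (LDAP server, database, local storage)."""

    def __init__(self, name, root_dn, entries, mapper=None):
        self.name, self.root_dn, self.entries = name, root_dn, dict(entries)
        self.mapper = mapper or Mapper({})

    def search(self, base_dn, attrs):
        """Subtree search under base_dn returning (dn, attrs) pairs in the
        client's attribute vocabulary."""
        wanted = self.mapper.inbound(attrs)
        results = []
        for dn in sorted(self.entries):
            if dn_is_under(dn, base_dn):
                source_entry = self.entries[dn]
                projected = {a: source_entry[a] for a in wanted if a in source_entry}
                results.append((dn, self.mapper.outbound(projected)))
        return results


class VirtualDirectory:
    """Routes a search to the adapter whose root DN is the longest suffix of
    the search base, so a specific adapter can overlap a general one."""

    def __init__(self, adapters):
        self.adapters = sorted(adapters,
                               key=lambda a: len(dn_components(a.root_dn)),
                               reverse=True)

    def search(self, base_dn, attrs):
        for adapter in self.adapters:
            if dn_is_under(base_dn, adapter.root_dn):
                return adapter.name, adapter.search(base_dn, attrs)
        raise LookupError("no adapter owns %s" % base_dn)


def build_demo_directory():
    """Constructed data; all DNs, names and addresses are hypothetical."""
    staff_ad = Adapter(
        "staff-ad", "ou=staff,dc=example,dc=gov,dc=uk",
        {"cn=jsmith,ou=staff,dc=example,dc=gov,dc=uk":
             {"sAMAccountName": "jsmith", "mail": "jsmith@example.gov.uk"}},
        Mapper({"uid": "sAMAccountName"}))
    local = Adapter(
        "local-storage", "dc=example,dc=gov,dc=uk",
        {"uid=pjones,ou=partners,dc=example,dc=gov,dc=uk":
             {"uid": "pjones", "mail": "p.jones@partner.example"}})
    return VirtualDirectory([local, staff_ad])


if __name__ == "__main__":
    vd = build_demo_directory()
    print(vd.search("ou=staff,dc=example,dc=gov,dc=uk", ["uid", "mail"]))
    print(vd.search("ou=partners,dc=example,dc=gov,dc=uk", ["uid"]))
```

A client asking the staff subtree for uid never learns that the backing source calls it sAMAccountName, which is the point of the mapper; the router is what lets the storage adapter at the base coexist with the proxied staff subtree beneath it.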