Thursday Sep 20, 2012

It's The End of Work as We Know It, But I Feel Fine

If you are attending Open World this year, don't miss Amit Jasuja's session on trends in Identity Management. This session will take place on Monday October 1st in Moscone West at 10:45. You can join the conversation on Twitter as Amit Jasuja discusses the trends that are shaping Identity Management as a market and how Oracle is responding to these secular trends. Use hashtag OracleIDM. In addition, here's a list of the sessions in the Identity Management track.

In Amit's session, he will discuss how the workplace is changing. The pace of technology is accelerating and work is no longer a place but rather an activity. We are behaving socially in our professional lives and our professional responsibilities are encroaching on our social lives. 

The net result is that we will need to change the way we work and collaborate. Work is anytime and anywhere. This impacts the dynamics of teams and how they access information and applications. Our teams span multiple organizations and "the new work order" means enabling the interaction and securing the experience.

It is the end of work as we know it both economically and technologically. Join Amit for this session and you will feel much better about the changing workplace. 

Sun2Oracle: Upgrading from DSEE to the next generation Oracle Unified Directory - webcast follow up

Thanks to all of the guest speakers on our Sun2Oracle webcast: Steve from Hub City Media, Albert from UCLA and our own Scott Bonell.

If you missed the webcast, here is a link: Webcast Replay

During the webcast, we tried to answer as many questions as we could, but there were a few that we needed a bit more time to answer.  Albert from UCLA sent me the following information:

Alternate Directory Evaluation

We were happy with Sun DSEE. OUD, based on the research we had done, was a logical continuation of DSEE. If we moved away, it was to go open source.

UCLA evaluated OpenLDAP, OpenDS, Red Hat's 389 Directory. We also briefly entertained Active Directory.

Ultimately, we decided to stay with OUD for the Enterprise Directory, and adopt OpenLDAP for the non-critical edge directories.

Hardware

For Enterprise Directory, UCLA runs 3 Dell PowerEdge R710 servers. Each server has 12GB RAM and 2 2.4GHz Intel Xeon E5 645 processors. We run 2 of those servers at UCLA's Data Center in a semi active-passive configuration. The 3rd server is located at UCLA Berkeley. All three are multi-master replicated. At run time, the bulk of LDAP query requests go to 1 server. Essentially, all of our authn/authz traffic is being handled by 1 server, with the other 2 acting as redundant backups.

You mentioned federation, was that an important requirement for UCLA?

Yes. UCLA collaborates heavily with other higher education institutions around the country/world. We often have researchers wanting to sign into services provided by fellow higher ed institutions. We also have plenty of visiting scholars or collaborating researchers from other institutions accessing UCLA services. Higher education communities around the world have deployed Shibboleth/SAML-based federated IDM solutions to facilitate these collaborations:

http://www.incommon.org/

http://www.canarie.ca/en/caf-service/about

http://www.ukfederation.org.uk/

http://www.feide.no/om-feide

And a more comprehensive listing of federations around the world:

http://en.wikipedia.org/wiki/Shibboleth_(Internet2)#Federations

What was the net change in hardware footprint?

Not much actually. We kept the same server/network topology: 

  • two servers at our local data center, one at our remote DR data center. 
  • the servers replicate in real time via multi-master replication. 
  • 1 of the servers at our local data center serves as the primary access server serving all query traffic. The other servers serve as hot standby.
  • On our old Sun DSEE servers we ran Red Hat Enterprise Linux AS release 4 (Nahant Update 8), 32-bit. On the new OUD servers, Red Hat Enterprise Linux Server release 5.7 (Tikanga), 64-bit.

The only changes we made during the upgrade were that we upgraded the software from DSEE 6.3, upgraded Linux, and that we bought new servers. The old servers were Dell PowerEdge 2850's. The new ones are Dell PowerEdge R710's.

What is your hardware specification for one OUD 11g server…

Can you explain the HA/DR architecture a bit more?

RAM size, CPU type, and number?

We run 3 Dell PowerEdge R710 servers. Each server has 12GB RAM and 2 2.4GHz Intel Xeon E5 645 processors. 2 of those servers run at UCLA's Data Center in a semi active-passive configuration. The 3rd server is located at UCLA Berkeley. All three are multi-master replicated. At run time, the bulk of LDAP query requests go to 1 server. Essentially, all of our authn/authz traffic is being handled by 1 server, with the other 2 acting as redundant backups.

Our IDM architecture is highly modular. All external access to the enterprise directory runs through a service layer. This layer consists of Shibboleth, a set of data update web services and loading programs, and a number of edge directories. All service layer components can be easily configured (some automatically) to seek out the secondary directory servers when the primary goes down. We take advantage of this capability during maintenance to keep the services available.

FYI, our servers are hosted in a tier 2.5 data center (We have tier 3-like capability for critical servers such as OUD, but we don't have that for all servers in the data center).
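The failover behaviour described in this answer (local primary, local hot standby, remote DR replica, and draining a server for maintenance) as an added example; this is not UCLA's or Oracle's code, and the hostnames are placeholders:

```python
"""Client-side replica selection for a three-node multi-master directory.

Added example (not UCLA's or Oracle's code). Hostnames are placeholders.
The constructed topology mirrors the answer above: two replicas in the
local data center (one primary, one hot standby) and one remote DR
replica. Because all three are multi-master replicated, any reachable
replica can serve authn/authz queries; preference order decides which.
"""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Replica:
    host: str      # placeholder hostname
    port: int      # LDAPS port
    site: str      # "local" or "dr"
    priority: int  # lower value = preferred


# Constructed topology, listed in order of preference.
TOPOLOGY = (
    Replica("ds1.example.edu", 636, "local", 0),   # primary, serves all queries
    Replica("ds2.example.edu", 636, "local", 1),   # local hot standby
    Replica("ds3-dr.example.edu", 636, "dr", 2),   # remote DR replica
)


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """Cheap reachability check: can a TCP connection be opened to the port?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def choose_replica(replicas, probe=tcp_probe, in_maintenance=frozenset()):
    """Return the first reachable replica by priority, skipping hosts that
    have been drained for maintenance. Returns None if none is reachable."""
    for r in sorted(replicas, key=lambda r: r.priority):
        if r.host in in_maintenance or not probe(r.host, r.port):
            continue
        return r
    return None


def client_uri_list(replicas, in_maintenance=frozenset()) -> str:
    """Ordered, space-separated LDAPS URI list for clients that accept several
    URIs and try them in order (e.g. OpenLDAP's URI setting in ldap.conf)."""
    ordered = sorted(replicas, key=lambda r: r.priority)
    return " ".join(f"ldaps://{r.host}:{r.port}"
                    for r in ordered if r.host not in in_maintenance)
```

The `probe` argument is injectable so the selection logic can be exercised without live directory servers.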

What was the cost of the migration?

Because of the labor and equipment cost differences, I don't think my numbers will be all that accurate. I can say the following:

  • We engaged Hub City Media for just about 1.5 months worth of work.
  • We had one system engineer working full time on the project throughout the 4 month period. He also managed the project.
  • We had fractional support/transition coordination from our Infrastructure Services team (sys admin, operations, networking), probably about 80 hours
  • We purchased 3 of the servers described above.
  • We purchased the OUD software.

How much testing did you do? Did you do load testing?

Yes. We conducted several passes of data loading/validation tests. In addition, we ran security vulnerability scans and ran multiple stress tests ranging from peak stress tests to sustained, multi-day simulations. Sorry. We can't release test result data, but I can say that OUD passed with flying colors.

We only had one engineer working on the project. Between test prep, run, and analysis, testing did take about a month.

Was the OUD Proxy used at UCLA?

No. We considered it, and might still consider it as we revise our architecture. But for the migration, we did not introduce the Proxy.

Can OUD Server and DSEE replicate each other?

Yes, but with caveats. There is no direct replication between OUD 11g and Sun DSEE 6.3. You need to place Oracle DSEE in between. In addition, there is an undisclosed cap on the replication rate. All of this may have changed since we worked on the project though. :-)
