Thanks to all of the guest speakers on our Sun2Oracle webcast: Steve from Hub City Media, Albert from UCLA and our own Scott Bonell.
If you missed the webcast here is a link: Webcast Replay
During the webcast, we tried to answer as many questions as we could, but there were a few that we needed a bit more time to answer. Albert from UCLA sent me the following information:
Alternate Directory Evaluation
We were happy with Sun DSEE. OUD, based on the research we had done, was a logical continuation of DSEE. If we moved away, it was to go open source.
UCLA evaluated OpenLDAP, OpenDS, Red Hat's 389 Directory. We also briefly entertained Active Directory.
Ultimately, we decided to stay with OUD for the Enterprise Directory, and adopt OpenLDAP for the non-critical edge directories.
Federation, was that an important requirement for UCLA?
Yes. UCLA collaborates heavily with other higher education institutions around the country/world. We often have researchers wanting to sign into services provided by fellow higher ed institutions. We also have plenty of visiting scholars or collaborating researchers from other institutions accessing UCLA services. Higher education communities around the world have deployed Shibboleth/SAML-based federated IDM solutions to facilitate these collaborations:
And a more comprehensive listing of federations around the world:
What was the net change in hardware footprint?
Not much actually. We kept the same server/network topology:
The only changes we made during the upgrade were that we upgraded the software from DSEE 6.3, upgraded Linux, and that we bought new servers. The old servers were Dell PowerEdge 2850's. The new ones are Dell PowerEdge R710's.
What is your hardware specification for one OUD 11g server… RAM size, CPU type, and number?
We run 3 Dell PowerEdge R710 servers. Each server has 12GB RAM and 2 2.4GHz Intel Xeon E5 645 processors. 2 of those servers run at UCLA's Data Center in a semi active-passive configuration. The 3rd server is located at UCLA Berkeley. All three are multi master replicated. At run time, the bulk of LDAP query requests go to 1 server. Essentially, all of our authn/authz traffic is being handled by 1 server, with the other 2 acting as redundant back ups.
Can you explain the HA/DR architecture a bit more?
Our IDM architecture is highly modular. All external access to the enterprise directory runs through a service layer. This layer consists of Shibboleth, a set of data update web services and loading programs, and a number of edge directories. All service layer components can be easily configured (some automatically) to seek out the secondary directory servers when the primary goes down. We take advantage of this capability during maintenance to keep the services available.
FYI, our servers are hosted in a tier 2.5 data center (We have tier 3-like capability for critical servers such as OUD, but we don't have that for all servers in the data
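The failover behaviour Albert describes (clients prefer the primary, fall back to the local secondary, and only then to the remote replica) is easy to get subtly wrong: a client that retries a dead primary on every request, or one that silently returns nothing when every replica is unreachable, turns a maintenance window into an outage or an authorization bypass. The following is an added illustration written for this post, not UCLA's code and not part of OUD, Shibboleth or any product mentioned above. It is a small client-side failover pool that quarantines a failed server for a cooldown period, tries servers in the stated order, and fails closed when none answer. The hostnames, the 30-second cooldown and the `connect` callable are assumptions; in a real deployment `connect` would perform an LDAPS bind against OUD with a library such as `ldap3` or `python-ldap`, and must never downgrade to a plaintext port as part of "falling back".

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Hypothetical hostnames, chosen only to mirror the topology in the interview:
# two servers in the primary data center, one remote replica used as a last resort.
SERVERS = [
    "ldap1.datacenter.example.edu",  # primary: takes the bulk of the load
    "ldap2.datacenter.example.edu",  # local secondary (semi active-passive)
    "ldap3.berkeley.example.edu",    # remote multi-master replica, last resort
]


@dataclass
class FailoverPool:
    """Ordered pool: first reachable server wins, failed servers are quarantined."""
    servers: List[str]
    connect: Callable[[str], object]          # must raise on failure (e.g. LDAPS bind error)
    cooldown: float = 30.0                    # seconds a failed server stays quarantined
    clock: Callable[[], float] = time.monotonic
    _down_until: Dict[str, float] = field(default_factory=dict)

    def candidates(self) -> List[str]:
        """Servers not currently quarantined, in preference order."""
        now = self.clock()
        return [s for s in self.servers if self._down_until.get(s, 0.0) <= now]

    def acquire(self) -> Tuple[str, object]:
        """Return (server, handle) for the first server that accepts a connection.

        Fails closed: if every server is down or quarantined, raise rather than
        return a handle that would make authn/authz silently succeed or fail.
        """
        errors = []
        for server in self.candidates():
            try:
                return server, self.connect(server)
            except Exception as exc:  # connection refused, TLS failure, bind error, ...
                self._down_until[server] = self.clock() + self.cooldown
                errors.append(f"{server}: {exc}")
        raise ConnectionError("no directory server reachable: " + "; ".join(errors))


def simulate_primary_outage():
    """Constructed scenario (not measured data): ldap1 is down for 60 s, then recovers."""
    now = [0.0]
    attempts: List[str] = []

    def fake_clock() -> float:
        return now[0]

    def fake_connect(host: str) -> str:
        attempts.append(host)
        if host.startswith("ldap1") and now[0] < 60:
            raise OSError("connection refused")
        return f"conn:{host}"

    pool = FailoverPool(SERVERS, fake_connect, cooldown=30, clock=fake_clock)
    first = pool.acquire()[0]    # ldap1 fails and is quarantined; ldap2 serves
    now[0] = 10
    second = pool.acquire()[0]   # ldap1 still quarantined: not even probed
    now[0] = 70
    third = pool.acquire()[0]    # cooldown elapsed and ldap1 back: primary again
    return first, second, third, attempts


def fails_closed() -> bool:
    """Every server refuses: acquire must raise instead of returning a handle."""
    def refuse(host: str) -> object:
        raise OSError("connection refused")

    pool = FailoverPool(SERVERS, refuse, cooldown=30, clock=lambda: 0.0)
    try:
        pool.acquire()
    except ConnectionError:
        return True
    return False


if __name__ == "__main__":
    print(simulate_primary_outage())
    print("fails closed:", fails_closed())
```

The quarantine is what keeps the secondary from being hammered with a wasted probe of the dead primary on every request during a maintenance window, and the ordering keeps the remote replica out of the hot path unless both local servers are gone.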
What was the cost of the migration?
Because of the labor and equipment cost differences, I don't think my numbers will be all that accurate. I can say the following:
We engaged Hub City Media for just about 1.5 months' worth of work.
We had one system engineer working full time on the project throughout the 4 month period. He also managed the project.
We had fractional support/transition coordination from our Infrastructure Services team (sys admin, operations, networking), probably about 80 hours.
We purchased 3 of the servers described above.
We purchased the OUD software.
How much testing did you do? Did you do load testing?
Yes. We conducted several passes of data loading/validation tests. In addition, we ran security vulnerability scans and ran multi stress tests ranging from peak stress tests to sustained, multi-day simulations. Sorry. We can't release test result data, but I can say that OUD passed with flying colors.
We only had one engineer working on the project. Between test prep, run, and analysis, testing did take about a month.
Was the OUD Proxy used at UCLA?
No. We considered it, and might still consider it as we revise our architecture. But for the migration, we did not introduce the Proxy.
Can OUD Server and DSEE replicate each other?
Yes, but with caveats. There is no direct replication between OUD 11g and Sun DSEE 6.3. You need to place Oracle DSEE in between. In addition, there is an undisclosed cap on the replication rate. All of this may have changed since we worked on the project