By Darin_Pendergraft_Oracle on Sep 20, 2012
Thanks to all of the guest speakers on our Sun2Oracle webcast: Steve from Hub City Media, Albert from UCLA and our own Scott Bonell.
If you missed the webcast, here is a link: Webcast Replay
During the webcast, we tried to answer as many questions as we could, but there were a few that we needed a bit more time to answer. Albert from UCLA sent me the following information:
Alternate Directory Evaluation
We were happy with Sun DSEE. OUD, based on the research we had done, was a logical continuation of DSEE. If we moved away, it was to go open source.
UCLA evaluated OpenLDAP, OpenDS, Red Hat's 389 Directory. We also briefly entertained Active Directory.
Ultimately, we decided to stay with OUD for the Enterprise Directory, and adopt OpenLDAP for the non-critical edge directories.
For Enterprise Directory, UCLA runs 3 Dell PowerEdge R710 servers. Each server has 12GB RAM and two 2.4GHz Intel Xeon E5 645 processors. We run 2 of those servers at UCLA's Data Center in a semi active-passive configuration. The 3rd server is located at UCLA Berkeley. All three are multi-master replicated. At run time, the bulk of LDAP query requests go to 1 server. Essentially, all of our authn/authz traffic is being handled by 1 server, with the other 2 acting as redundant backups.
You mentioned federation, was that an important requirement for UCLA?
Yes. UCLA collaborates heavily with other higher education institutions around the country/world. We often have researchers wanting to sign into services provided by fellow higher ed institutions. We also have plenty of visiting scholars or collaborating researchers from other institutions accessing UCLA services. Higher education communities around the world have deployed Shibboleth/SAML-based federated IDM solutions to facilitate these collaborations:
And a more comprehensive listing of federations around the world:
What was the net change in hardware footprint?
Not much actually. We kept the same server/network topology:
- two servers at our local data center, one at our remote DR data center.
- the servers replicate in real time via multi-master replication.
- 1 of the servers at our local data center serves as the primary access server serving all query traffic. The other servers serve as hot standby.
On our old Sun DSEE servers we ran Red Hat Enterprise Linux AS release 4 (Nahant Update 8), 32-bit. On the new OUD servers we run Red Hat Enterprise Linux Server release 5.7 (Tikanga), 64-bit.
The only changes we made during the upgrade were that we upgraded the software from DSEE 6.3, upgraded Linux, and that we bought new servers. The old servers were Dell PowerEdge 2850's. The new ones are Dell PowerEdge R710's.
What is your hardware specification for one OUD 11g server… RAM size, CPU type, and number?
Can you explain the HA/DR architecture a bit more?
We run 3 Dell PowerEdge R710 servers. Each server has 12GB RAM and two 2.4GHz Intel Xeon E5 645 processors. 2 of those servers run at UCLA's Data Center in a semi active-passive configuration. The 3rd server is located at UCLA Berkeley. All three are multi-master replicated. At run time, the bulk of LDAP query requests go to 1 server. Essentially, all of our authn/authz traffic is being handled by 1 server, with the other 2 acting as redundant backups.
Our IDM architecture is highly modular. All external access to the enterprise directory runs through a service layer. This layer consists of Shibboleth, a set of data update web services and loading programs, and a number of edge directories. All service layer components can be easily configured (some automatically) to seek out the secondary directory servers when the primary goes down. We take advantage of this capability during maintenance to keep the services available.
FYI, our servers are hosted in a tier 2.5 data center (we have tier 3-like capability for critical servers such as OUD, but we don't have that for all servers in the data center).
What was the cost of the migration?
Because of the labor and equipment cost differences, I don't think my numbers will be all that accurate. I can say the following:
- We engaged Hub City Media for just about 1.5 months worth of work.
- We had one system engineer working full time on the project throughout the 4 month period. He also managed the project.
- We had fractional support/transition coordination from our Infrastructure Services team (sys admin, operations, networking), probably about 80 hours.
- We purchased 3 of the servers described above.
- We purchased the OUD software.
How much testing did you do? Did you do load testing?
Yes. We conducted several passes of data loading/validation tests. In addition, we ran security vulnerability scans and ran multiple stress tests, ranging from peak stress tests to sustained, multi-day simulations. Sorry, we can't release test result data, but I can say that OUD passed with flying colors.
We only had one engineer working on the project. Between test prep, run, and analysis, testing did take about a month.
Was the OUD Proxy used at UCLA?
No. We considered it, and might still consider it as we revise our architecture. But for the migration, we did not introduce the Proxy.
Can OUD Server and DSEE replicate each other?
Yes, but with caveats. There is no direct replication between OUD 11g and Sun DSEE 6.3. You need to place Oracle DSEE in between. In addition, there is an undisclosed cap on the replication rate. All of this may have changed since we worked on the project though. :-)