Cloud Security Perspectives and Insights

How to rapidly deploy and evaluate Oracle Identity and Access Management 12C PS4

Paul Toal
Distinguished Solution Engineer - Cyber Security

Back in August 2019, I talked about how you can quickly get an Oracle Identity Governance (OIG) instance up and running within Oracle Cloud using an image we had released on the Oracle Cloud Infrastructure (OCI) Marketplace. That image was based on 12c PatchSet 3, which was the current version at the time of writing.

Moving forward to today and things have moved on in leaps and bounds. Not least, we have released 12c PatchSet 4, which contains a range of new features and capabilities. Have a look here if you want to see what those are, or watch a 3-minute video here for a 12C overview.

The OCI image has been updated to the latest 12c PatchSet 4 image. However, there have also been some great improvements in that Marketplace image since we first released it last August. Firstly, not only can you deploy Oracle Identity Governance (OIG) from there, but Oracle Access Management (OAM) is now available as well. That isn’t the only change, though. Let me explain.

Oracle has been a leading vendor in the Enterprise Identity and Access Management space for a long time. That means we have a very mature, feature-rich platform, designed to meet even the most complex enterprise IAM requirements. However, as well as evolving the platform to meet changing requirements, it must also evolve to meet changing patterns of development, use, and deployment. As part of that transformation, a number of changes are happening with the Oracle Enterprise IAM platform, as summarized in the figure below.

As you can see, from a deployment perspective, we are moving from a bare metal/virtual machine-based installation to one better suited for multi-cloud and modern data centres, and therefore basing our deployment on technologies like Docker and Kubernetes. So, what does this mean for the Marketplace images?

I’m glad you asked. When an image is published on the OCI Marketplace it can either be deployed as a custom image that spins up a template VM on compute and then configures it (just as the OIG 12c PS3 image did), or it can be based on a Terraform stack. The new 12c PS4 images are based on a Terraform stack. When you deploy either OAM or OIG 12c PS4 (OIG is also known as OIM) from the Marketplace, what you are actually doing is launching a Terraform script within the OCI Resource Manager (a managed service that can provision all OCI resources and services using Terraform). However, that’s not all. We could use that approach and still just deploy a compute resource from a custom image. But that’s not what we are doing. Instead, we are taking advantage of Oracle Container Engine for Kubernetes (OKE), which is a fully-managed, developer-friendly, container-native, and enterprise-ready Kubernetes service for running highly-available clusters with strong control, security, and predictable performance. Oracle provides you with all of the control framework (including a Registry), and all you pay for is the Kubernetes worker nodes running your workloads.

The Marketplace image will use OKE to create the OIG/OAM environment for you, including a resilient cluster of 2 or more OIG/OAM nodes, the load balancer, and the bastion host. You just need to create the Database Cloud Service instance as a pre-requisite and provide the connection details to the job, together with your preferred sizing etc. Here is the architecture of the deployed OAM cluster as an example of what is created for you.

Let me summarise exactly what resources the marketplace image will create and configure within your tenancy.

  • 2 x Virtual Cloud Networks (VCNs): 1 for the bastion host, 1 for the Kubernetes worker nodes, each with associated Internet, NAT, and Service Gateways:
    • Internet Gateway to enable an inbound internet connection to the VCNs
    • NAT Gateway to enable outbound internet access for nodes in private subnets
    • Service Gateway to enable private access to Oracle Services (e.g. File Storage)
    • Route tables for the above Gateways
    • Regional PUBLIC subnet for the Bastion (and associated security list)
    • Regional PRIVATE subnet for the Kubernetes cluster worker nodes
    • Regional PUBLIC load balancer (and associated security list)
  • File Storage
    • File Storage service
    • Mount point
  • Virtual Machines
    • Bastion Host
    • Monitoring node
    • Mount node
    • Kubernetes cluster with worker nodes (2 by default, user configurable)
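The security-relevant part of the list above is that the worker nodes sit in a private subnet whose only routes out are the NAT Gateway and the Service Gateway, while only the load balancer subnet has a route through the Internet Gateway. The following Terraform is an added illustration of that split, written for this post and not the Marketplace stack’s own code. It shows just the worker-node VCN (the bastion VCN follows the same pattern with a public subnet and an Internet Gateway route); the compartment OCID, CIDRs and display names are assumed placeholders.

```hcl
# Added illustration of the worker-node VCN described in the list above.
# Not the Marketplace stack's own Terraform; CIDRs and names are assumed.

variable "compartment_id" { type = string }

# Oracle Services Network CIDR, used by the Service Gateway route below.
data "oci_core_services" "all" {
  filter {
    name   = "name"
    values = ["All .* Services In Oracle Services Network"]
    regex  = true
  }
}

resource "oci_core_vcn" "workers" {
  compartment_id = var.compartment_id
  cidr_block     = "10.0.0.0/16"        # assumed
  display_name   = "oig-workers-vcn"
}

# Inbound path for the public load balancer only.
resource "oci_core_internet_gateway" "igw" {
  compartment_id = var.compartment_id
  vcn_id         = oci_core_vcn.workers.id
  enabled        = true
}

# Outbound-only path for worker nodes (image pulls, patches); no inbound access.
resource "oci_core_nat_gateway" "nat" {
  compartment_id = var.compartment_id
  vcn_id         = oci_core_vcn.workers.id
}

# Private path to Oracle services such as File Storage and the Registry.
resource "oci_core_service_gateway" "sgw" {
  compartment_id = var.compartment_id
  vcn_id         = oci_core_vcn.workers.id
  services {
    service_id = data.oci_core_services.all.services[0].id
  }
}

resource "oci_core_route_table" "public" {
  compartment_id = var.compartment_id
  vcn_id         = oci_core_vcn.workers.id
  route_rules {
    destination       = "0.0.0.0/0"
    destination_type  = "CIDR_BLOCK"
    network_entity_id = oci_core_internet_gateway.igw.id
  }
}

resource "oci_core_route_table" "private" {
  compartment_id = var.compartment_id
  vcn_id         = oci_core_vcn.workers.id
  route_rules {
    destination       = "0.0.0.0/0"
    destination_type  = "CIDR_BLOCK"
    network_entity_id = oci_core_nat_gateway.nat.id
  }
  route_rules {
    destination       = data.oci_core_services.all.services[0].cidr_block
    destination_type  = "SERVICE_CIDR_BLOCK"
    network_entity_id = oci_core_service_gateway.sgw.id
  }
}

# Regional subnets (no availability_domain): a public one for the load
# balancer and a private one for worker nodes, which never get public IPs.
resource "oci_core_subnet" "lb_public" {
  compartment_id = var.compartment_id
  vcn_id         = oci_core_vcn.workers.id
  cidr_block     = "10.0.20.0/24"       # assumed
  route_table_id = oci_core_route_table.public.id
}

resource "oci_core_subnet" "workers_private" {
  compartment_id             = var.compartment_id
  vcn_id                     = oci_core_vcn.workers.id
  cidr_block                 = "10.0.10.0/24"   # assumed
  route_table_id             = oci_core_route_table.private.id
  prohibit_public_ip_on_vnic = true
}
```

The check worth running after any deployment like this is that the private route table has no rule pointing at the Internet Gateway and that `prohibit_public_ip_on_vnic` is set on the worker subnet; together those are what stop a worker node from being reachable from the internet even if a security list is later loosened.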

Let’s see what it looks like to deploy one of these images from the marketplace.

First, I create my pre-requisite database using Database Cloud Service. I can choose any of the versions supported by the OIG/OAM marketplace images and have full control over all of the Database setup, e.g. size and shape, backup policy etc.

After creating the database, I head over to the OCI Marketplace and find my OIG image. After searching for and selecting my image, I can initiate deployment straight from the details screen as shown below. Have you noticed the $0.00/hr charge on the details page? No, it’s not a typo. The current OIG/OAM images in the Marketplace are free for evaluation purposes only. You do need to pay for infrastructure usage costs in OCI (e.g. the compute that the image spins up). I will cover in more detail later what this means for evaluation.

All I need to do is choose my compartment and the version of OIG I want to deploy. The stack will then be created within my Cloud tenancy and I will be asked to provide some variables such as compute size and shape, passwords, number of nodes etc.

The Terraform Apply job will then automatically execute. After about 40 minutes, the job will complete.

That’s it! I can now connect to the public IP address of the load balancer and connect to my running OIG cluster.

The same is true if I deploy OAM from the marketplace. Below is the OAM console from the marketplace deployment.

If you want to see an end-to-end demonstration, showing exactly what steps you need to go through to deploy the OAM image, click the image below.

When I’m done with my environment, I can execute a Terraform Destroy to remove all of the components.

The plan is to make these Terraform scripts available for use across other platforms, not just OCI, but hey, OCI is absolutely the best place to run Oracle software, so I don’t know why you would look elsewhere for deploying this.

There are a couple of cautionary notes to accompany this release of the OIG and OAM Marketplace images that I want to make clear.

Firstly, the two marketplace images discussed above are designed for EVALUATION use only and should only be used with non-sensitive test data at this point. As the first release of the OIG/OAM stacks in this container format, these marketplace images are still being improved as well as being made production ready. You will notice that when you look at the configuration. For example:

  1. To keep this initial configuration simple, the Load Balancer doesn’t request a TLS cert and therefore defaults to HTTP traffic.
  2. The pre-requisite database must be created with a public IP address and be configured to allow inbound connections to its listener.
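Both cautions are configuration defaults, so they are easiest to see as Terraform. The block below is an added example written for this post, not the Marketplace stack’s own code: for each caution it puts the evaluation-only setting beside a hardened form. The load balancer OCID, backend set name, certificate file paths, compartment and VCN OCIDs and the worker-subnet CIDR are assumed placeholders.

```hcl
# Added illustration of the two evaluation-only defaults, each beside a
# hardened form. Not the Marketplace stack's own Terraform; all OCIDs,
# names, file paths and CIDRs are assumed placeholders.

variable "lb_id"           { type = string }  # OCID of the public load balancer
variable "oam_backend_set" { type = string }  # name of the OAM/OIG backend set
variable "db_compartment"  { type = string }
variable "db_vcn_id"       { type = string }
variable "worker_subnet_cidr" {
  type    = string
  default = "10.0.10.0/24"                     # assumed worker-node subnet
}

# --- 1. Load balancer listener --------------------------------------------
# Evaluation default: plain HTTP on port 80, so logins and SSO cookies
# cross the internet in clear text.
resource "oci_load_balancer_listener" "oam_http" {
  load_balancer_id         = var.lb_id
  name                     = "oam-http"
  default_backend_set_name = var.oam_backend_set
  port                     = 80
  protocol                 = "HTTP"
}

# Hardened: upload a certificate to the load balancer and terminate TLS on 443.
resource "oci_load_balancer_certificate" "oam" {
  load_balancer_id   = var.lb_id
  certificate_name   = "oam-tls-cert"
  public_certificate = file("certs/oam.crt")   # assumed paths
  private_key        = file("certs/oam.key")
  ca_certificate     = file("certs/ca.crt")
  lifecycle { create_before_destroy = true }
}

resource "oci_load_balancer_listener" "oam_https" {
  load_balancer_id         = var.lb_id
  name                     = "oam-https"
  default_backend_set_name = var.oam_backend_set
  port                     = 443
  protocol                 = "HTTP"   # OCI terminates TLS on an HTTP listener via ssl_configuration
  ssl_configuration {
    certificate_name        = oci_load_balancer_certificate.oam.certificate_name
    verify_peer_certificate = false
  }
}

# --- 2. Database listener exposure ----------------------------------------
# Evaluation default: the database has a public IP and its security list
# lets any source reach the listener on 1521.
resource "oci_core_security_list" "db_open" {
  compartment_id = var.db_compartment
  vcn_id         = var.db_vcn_id
  display_name   = "db-listener-open-to-internet"
  ingress_security_rules {
    protocol = "6"                  # TCP
    source   = "0.0.0.0/0"
    tcp_options {
      min = 1521
      max = 1521
    }
  }
}

# Hardened: only the OKE worker-node subnet, where the OIG/OAM pods run, may
# reach the listener; all other inbound traffic is dropped by default.
resource "oci_core_security_list" "db_restricted" {
  compartment_id = var.db_compartment
  vcn_id         = var.db_vcn_id
  display_name   = "db-listener-workers-only"
  ingress_security_rules {
    protocol    = "6"
    source      = var.worker_subnet_cidr
    source_type = "CIDR_BLOCK"
    tcp_options {
      min = 1521
      max = 1521
    }
  }
  egress_security_rules {
    protocol    = "6"
    destination = var.worker_subnet_cidr
  }
}
```

For an evaluation with non-sensitive test data the defaults are fine, which is the author’s point. Before anything resembling real identity data goes in, the two things to verify in the deployed tenancy are that every listener on the public load balancer carries an `ssl_configuration`, and that no security list attached to the database subnet has an ingress rule on 1521 with source `0.0.0.0/0`.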

Both of these points will be ironed out in upcoming production-ready releases with a Bring-Your-Own-License (BYOL) option. Whilst I’m talking roadmap, you can also expect to see an Oracle Unified Directory (OUD) Marketplace image coming soon, based on the same stacks and container-based approach.

So, in summary, if you want to get the latest and greatest OIG and/or OAM platforms up and running quickly and easily for your evaluation test drive, then the OCI Marketplace is the place to be. And of course, don’t forget that OCI fully supports Infrastructure-as-Code through tools like Terraform. So, if you want to script all of this, including the database creation, go ahead.
