Date post: 11-Nov-2014
Category: Technology
Upload: oracleidm
Copyright © 2012, Oracle and/or its affiliates. All rights reserved.1
Access at Scale for Hundreds of Millions of Users
Venugopal Shastri, Senior Principal Product Manager, IDM
Selva Neelamegam, PMTS, IDM Performance
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
Program Agenda
Overview & Key Capabilities
Architecture & Deployment
Best Practices
250 Million User Benchmark
Customer Panel
Overview & Key Capabilities
Why Is Scalability So Crucial For Access?
Large enterprises with global workforce.
Massive Internet deployments – E-Commerce, Government Services etc.
Access is mission-critical. Authentication is often the first, critical step.
Device Multiplier Effect. Hit the same access infrastructure.
Enabling social media further increases traffic.
ORACLE ACCESS MANAGEMENT 11G IS THE MOST COMPREHENSIVE AND SCALABLE ACCESS MANAGEMENT SOLUTION IN THE MARKET TODAY
Oracle Access Management
Access for NextGen Extranet
Scales to hundreds of millions of external users
Ability to secure mobile access for external users
Support for federated users as well as leading social providers
Real-time risk analytics & fraud prevention
Light weight user management and self service
[Diagram: Extranet focus. Federation & Social Identity; Self Service; Internet Scalability; Extranet User Mgmt; Mobile Security]
Architecture & Deployment
Server infrastructure – 100% Java Solution
Deployed on a J2EE Container like Oracle WebLogic Cluster
Coherence provides distributed caching within a cluster
Horizontal Scalability achieved via
– Addition of Nodes to the Cluster within a data center
– Multi-data center Deployment
Tuned and benchmarked on Oracle Exa platform
Deployment Overview
[Diagram. Components: User; Resource; Administrator; Webgates on webservers (acting as PEP); Access Manager Runtime Servers (acting as PDP); Access Mgmt Admin Server (acting as PAP); Access Mgmt cluster; User Store; Policy Store; Audit Logs. Arrow labels: Tries to access; Intercepts & Enforces Policies; Allow Or Deny; OAP; Authenticates against; Reads Policies; Manages Policies; Stores Policies; Stores Audit Info.]
Deployment Overview – With Mobile
[Diagram. Client Layer: Web Gates; Mobile SDK; OWSM. Server side: Access Manager Runtime Servers (acting as PDP); Access Mgmt Admin Server (acting as PAP); Access Mgmt cluster; User Store; Policy Store; Audit Logs. Arrow labels: Authenticates against; Reads Policies; Stores Policies; Stores Audit Info.]
Mobile clients accessing same server infrastructure
Scaling up within a Data Center
[Diagram. Clients: Webgate 1; Webgate 2; SDK Client 1; SDK Client 2; ... Client N, each with a Primary Server and a Secondary Server. Access Mgmt deployed on a WebLogic Cluster: Access Mgmt - Node 1; Access Mgmt - Node 2; ... Access Mgmt - Node N. Admin Console on Admin Server. User Store; Policy Store. Arrow labels: Stores Policies; Read Policies; Authenticate against.]
Scaling up within a Data Center
[Diagram. Clients: Webgate 1; Webgate 2; SDK Client 1; SDK Client 2; ... Client N, connecting through a Load Balancer. Access Mgmt deployed on a WebLogic Cluster: Access Mgmt - Node 1; Access Mgmt - Node 2; ... Access Mgmt - Node N. Admin Console on Admin Server. User Store; Policy Store. Arrow labels: Stores Policies; Read Policies; Authenticate against.]
Coherence for Distributed Caching
Completely integrated with Access Management
Provides high-performance distributed caching
Keeps user session data in sync across cluster nodes
Session Management & Performance
Server Session Management
– Advanced Session Management across nodes via Coherence-based caching.
– Excellent, reliable performance.
– Recommended for most deployments, especially internal ones where rich session management features are desirable.
Client Session Management
– Essentially stateless. Session managed via browser cookies.
– Higher performance compared to Coherence-based approach. Lightweight.
– May be appropriate for very large internet deployments where advanced server-side session management may not be required.
Multi Data Center Deployment - Conceptual
Supports Active - Active, Active - Passive or Active - Hot Standby deployments
Enables seamless User SSO across data centers with session continuity
Independent but identical WebLogic domains in each data center
Follows Master-Clone configuration. Policy and configuration changes synchronized from Master to Clones.
Behavior is configurable based on Session Adoption Policy
– Re-authentication Required
– Remote Session Invalidation
– On-Demand Session Data Retrieval
Multi Data Center Deployment - Conceptual
[Diagram. Global Load Balancer in front of Access Mgmt Cluster in New York Data-Center (Master) and Access Mgmt Cluster in London Data-Center (Clone), Synchronized. User 1 (Based in US); User 2 (Based in Europe). Link labels: Active; Active; Stand-by; Stand-by. OAM ID Cookie: Cluster=NYCluster. OAM ID Cookie: Cluster=LonCluster.]
Multi Data Center Deployment - Conceptual
[Diagram. Global Load Balancer in front of Access Mgmt Cluster in New York Data-Center (Master) and Access Mgmt Cluster in London Data-Center (Clone). User 1 (Based in US); User 2 (Based in Europe). OAM ID Cookie: Cluster=NYCluster, Cluster=LonCluster. OAM ID Cookie: Cluster=LonCluster.]
New York Data-Center is overloaded or down
GLB routes to London Data-Center
Back-channel OAP call
Re-authenticate User ?
Retrieve Remote Session Data ?
Invalidate Remote Session ?
Continue if retrieval fails ?
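The four questions on this failover slide can be read as a decision procedure run by the cluster that receives a cookie issued by another data center. The sketch below is an added example, not Oracle code or OAM configuration: the field names, the order of the checks and the back-channel stubs are assumptions made for illustration.

```python
from dataclasses import dataclass, replace
from typing import Callable, Optional
@dataclass(frozen=True)
class AdoptionPolicy:  # hypothetical names, one per question on the failover slide
    reauthenticate: bool = False       # "Re-authenticate User ?"
    invalidate_remote: bool = False    # "Invalidate Remote Session ?"
    retrieve_on_demand: bool = False   # "Retrieve Remote Session Data ?"
    continue_on_failure: bool = False  # "Continue if retrieval fails ?"

@dataclass
class Outcome:
    action: str                        # LOCAL, REAUTHENTICATE or ADOPT
    session: Optional[dict] = None     # state fetched over the back channel
    remote_invalidated: bool = False

def adopt(cookie_cluster: str, local_cluster: str, policy: AdoptionPolicy,
          fetch: Callable[[str], dict], invalidate: Callable[[str], object]) -> Outcome:
    """Decide what the receiving cluster does with a cookie issued elsewhere."""
    if cookie_cluster == local_cluster:
        return Outcome("LOCAL")                   # session already lives here
    if policy.reauthenticate:
        return Outcome("REAUTHENTICATE")
    session = None
    if policy.retrieve_on_demand:
        try:
            session = fetch(cookie_cluster)       # back-channel call to the issuer
        except ConnectionError:
            if not policy.continue_on_failure:
                return Outcome("REAUTHENTICATE")  # fail closed
    invalidated = False
    if policy.invalidate_remote:
        try:
            invalidate(cookie_cluster)
            invalidated = True
        except ConnectionError:
            pass                                  # issuer unreachable, stale session remains
    return Outcome("ADOPT", session, invalidated)

# Constructed back-channel stubs, used for both the fetch and the invalidate call.
def issuer_up(cluster: str) -> dict: return {"user": "user1", "issued_by": cluster}
def issuer_down(cluster: str) -> dict: raise ConnectionError(cluster + " unreachable")

def demo() -> dict:
    strict = AdoptionPolicy(retrieve_on_demand=True, invalidate_remote=True)
    lenient = replace(strict, continue_on_failure=True)
    route = ("NYCluster", "LonCluster")           # cookie issuer, receiving cluster
    return {"healthy": adopt(*route, strict, issuer_up, issuer_up),
            "down_strict": adopt(*route, strict, issuer_down, issuer_down),
            "down_lenient": adopt(*route, lenient, issuer_down, issuer_down)}
```

In this model, continuing after a failed retrieval adopts the session with no retrieved state and leaves the issuer's copy un-invalidated, which is the case to review when choosing a policy for an outage.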
Multi Data Center Deployment - Detailed
Scaling across Data Centers
Best Practices for Large Deployments
Modeling resources appropriately
– Use Excluded over Anonymous, HTTP caching directives etc
Using Agent Caches to improve latency
– 11g Agents significantly improve on 10g
Ensuring fast network connections between Web, Middleware and Data Tiers
– Scale out requires matching Web Tier scale out and tuning
Tuning the default Agent and Server settings
– OAP/LDAP Connection Mgmt, Caching
Follow MAA Deployment Patterns
Use of Load Balancers for HTTP, OAP and LDAP
– Leverage hardware acceleration of Crypto and SSL, if available
Leveraging metrics to proactively address issues
– DMS Metrics, EM Grid Control Monitoring
250 Million User Benchmark
Benchmark Summary
Oracle Access Manager (OAM) and Oracle Adaptive Access Manager (OAAM) were tested to serve extreme loads with 250 million users seeded in the Oracle Internet Directory (OID) and Oracle Database.
Mid-tiers were deployed on Oracle Exalogic hardware with Oracle Exalogic Elastic Cloud Software (EECS) and Database on Oracle Exadata hardware.
Demonstrated the ability of the IDM products to serve extreme loads when deployed on Exalogic (EL) and Exadata (ED) hardware.
Identified the scalability characteristics for OAM and OAAM on EL and ED.
OAM Test Cases & Topology
Test Cases
To demonstrate the linear scale out, one, two and three server tests were run.
To demonstrate the linear scale up, controlled tests with 4, 8, 16 physical cores as well as 32 logical cores (16 physical cores with hyper-threading) were run on a single server.
OAM Scale Out Benchmark
Results
Besides the strong functional improvements and enhancements, OAM showed great performance and linear scaling on multi EL nodes.
3 EL nodes can support up to 16.4 Million Logins/Hour
[Chart: OAM Login Scale Test. One Server: 7.7M; Two Server: 12.5M; Three Server: 16.4M]
OAM Scale Up Benchmark
Results
This test was run by limiting the number of cores available to the operating system on a single Exalogic server.
OAM shows a linear scale up in 4, 8, 16 and 32* core testing.
* - 16 Physical cores with hyper-threading to 32 Logical cores
[Chart: Logins/Seconds (axis 0 to 2200) against CPU % (axis 0 to 100), one series each for 4 Core, 8 Core, 16 Core and 32 Core*]
OAAM Test Cases & Topology
Test Cases
To demonstrate the linear scale out, one and two server tests were run.
Tests were also run with one OAAM server and two OAAM servers in the same EL node.
OAAM Benchmark Results
Results
Besides providing an innovative, comprehensive feature set to help organizations prevent fraud and misuse, OAAM shows very robust performance.
2 EL nodes can support up to 20.6 Million Transactions/Hour
[Chart: 1EL - 1OAAM: 11M; 1EL - 2OAAM: 12.3M; 2EL - 2OAAM: 18.3M; 2EL - 4OAAM: 20.6M]
Software
• OS: Oracle Linux Server release 5.8 (Tikanga)
• Exalogic Elastic Cloud Software (EECS) 2.0.4.0.0
• Exalogic Optimized WebLogic Server 10.3.6.0
• JRockit jdk1.6.0_37-R28.2.5-4.1.0
• Oracle Traffic Director (OTD) 11.1.1.7.0
• Oracle Http Server (OHS) 11.1.1.7
• OAM 11.1.2.1
• OAAM 11.1.2.1
• Oracle Internet Directory (OID) 11.1.1.7
Hardware
Exalogic (X3-2) - ¼ Rack
• Eight Compute Nodes (Intel® Xeon® CPU E5-2690; 2x8 core @ 2.90GHz; 256GB RAM)
• Total 128 Compute Cores
• Total 2TB Compute Node Memory
• One ZFS Storage 7320 Clustered Configuration
• High-Speed InfiniBand Internal Network
• 42RU Rack Exposure
Exadata (X3-2) - ¼ Rack
• Two Compute Nodes (Intel® Xeon® CPU E5-2690; 2x8 core @ 2.90GHz; 256GB RAM)
• Total 512GB Memory
• Disk Controller HBA with 512MB Battery Backed Write Cache
• 4 x 300 GB 10,000 RPM Disks
• 2 x QDR (40Gb/s) Ports
• 2 x 10 Gb Ethernet Ports based on the Intel 82599 10GbE Controller
• 3 x Exadata Storage Servers X3-2 with 36 CPU cores for SQL processing, 12 x PCI flash card with 4.8 TB Exadata Smart Flash Cache and 36 x 600 GB 15,000 RPM High Performance disks or 3 TB High Capacity disks
Conclusion
The OAM & OAAM Scale Up & Scale Out benchmark tests showcased the extreme scalability and performance over a huge user base of over 250 million users.
Illustrated the linear scalability characteristics for OAM and OAAM on EL and ED hardware.
Customer Panel Discussion
Customer Panel
Nirmal Rahi – Solution Architect, College Board
Chirag Andani – Senior Director, Identity Management Services, Oracle IT
Q & A
Oracle Fusion Middleware
Business Innovation Platform for the Enterprise and Cloud
Complete and Integrated
Best-in-class
Open standards
On-premise and Cloud
Foundation for Oracle Fusion Applications and Oracle Cloud
[Diagram: Web, Social, Mobile; User Engagement; Identity Management; Business Process Management; Content Management; Business Intelligence; Service Integration; Data Integration; Development Tools; Cloud Application Foundation; Enterprise Management]
Innovation Awards
Lam Research Theater (Next to Moscone North)
Session ID: CON8082
Session Title: Oracle Fusion Middleware: Meet This Year’s Most Impressive Innovators
Venue / Room: YBCA - Lam Research Theater
Date and Time: Monday Sep 23, 4:45 - 5:45 p.m.
18 Winners Across Eight Categories
Join the Oracle IDM Community
oracle.com/identity
Twitter: twitter.com/OracleIDM
Facebook: facebook.com/OracleIDM
Blog: blogs.oracle.com/OracleIDM
Don’t miss these IDM Sessions
CON4535 Monday 09/23, 4:45PM
Moscone West, Room 2012
200M: Real World Large Scale Access and Directory Deployment at Verizon
Verizon Wireless
CON8834 Tuesday, 09/24, 3:45PM
Moscone West, Room 2018
Attract new customer and users by leveraging Bring Your Own Identity (BYOI)
Forest Yin, Oracle
CON8837 Wednesday 09/25, 11:45AM
Moscone West, Room 2018
Leverage Authorization to Monetize Content and Media Subscriptions
Roger Wigenstam, Oracle
CON8836 Thursday 09/26, 11:00AM
Moscone West, Room 2018
Leveraging the Cloud to simplify your Identity Management implementation
Guru Shashikumar, Oracle
CON9024 Thursday 09/26, 2:00PM
Moscone West, Room 2018
Next Generation Optimized Directory - Oracle Unified Directory
Etienne Remillon, Oracle