Web Access Management and Optimizing Storage
Rebecca Astin and Gray Fernandez
November 2, 2010
TRANSCRIPT
Web Access Management (WAM)
Overview and FY11 Priorities
Federal Triangle Cash Cab
• The solar power cells on the NCC roof
generate how many kilowatt hours of
electricity annually?
A. 111,952
B. 900
C. 200
D. 4
Web Access Management
• WAM
– Purpose / Benefits
– Customers / Applications
• FY 11 Priorities
– OID High Availability
– Access to WAM
– TSSMS Migration
– Operations and Maintenance
Purpose / Benefits
• Provide centralized authentication and authorization services for EPA-developed Web applications
– WAM components: Oracle Access Manager (OAM) and Oracle Internet Directory (OID)
– Provide a central directory which facilitates single sign-on (SSO)
– Improve security: the central directory reduces the number of identities and enables a person’s access to be deleted from multiple applications quickly
– Comply with Enterprise Architecture
– Adhere to security procedures and best practices
– Reduce development dollars, as individual applications no longer need to develop code for user and access-role management
– Versatile: supports Java, C++, Cold Fusion, some COTS, and Web 2.0 apps
Classes of Users
• EPA Staff – People who are hired by the EPA
• Internal Affiliates – A non-EPA person who has an EPA LANid (includes interns, other gov’t detailees, some contractors, etc.)
• External Users – People who are not employees and not Internal Affiliates. These users complete the self-registration screen.
Current Applications/Customers
• 95+ applications and 130+ Wikis/Blogs
– Ebusiness (OTOP)
– Emissions Inventory System (OAR)
– ORBIT Reports (OCFO)
– Performance Assessment Tool (OSWER)
– Water Quality Standards Information Tracking System (WQSITS) (OW)
– Clean Watershed Needs Survey (CWNS) (OW)
– Emergency Management Portal (OEM)
Web Access Management
FY 11 Priorities
Web Access Management
• OID Failover/High Availability
– With so many applications relying on WAM, high availability and failover are a requirement
– Benefits for the WAM environment and applications:
1) increased availability and performance
2) reduced planned and unplanned downtime
– Phase 1 – Create redundant LDAP Servers
– Phase 2 – Create redundant Login (OSSO) & Delegated Admin (DAS) Servers
OID HA/FO Architecture (diagram, reconstructed as text)
• DMZ F5 LTM (https/443, FIPS 140-2)
– VIP1 = sso-vip.epa.gov (134.67.21.14)
– VIP2 = oiddas-vip.epa.gov (134.67.21.15)
• DMZ firewall
• DMZ web tier – NEW Linux Host 1 and NEW Linux Host 2: ssodas1.epa.gov (134.67.22.20), ssodas2.epa.gov (134.67.22.21)
– RHEL5 / 64-bit virtual machine, 2 vCPU (core)
– Oracle Single Sign-On (OSSO) (listen https/8081)
– Delegated Administration Services (DAS) (listen https/8082)
– Webgate
– Connects to the directory over LDAPS/636
• Internal / Agency firewall
• Intranet F5 LTM (FIPS 140-2)
– VIP = iasimprod-resv.rtpnc.epa.gov (134.67.25.6), ldap/389 and ldaps/636
• Intranet LDAP user directory – two AIX, IBM p570 LPARs
– PONDEROSA: IP = ponderosa-resv (134.67.27.29); VIP = ponderosa-vip.rtpnc.epa.gov (134.67.221.86), maintained by Oracle Clusterware VIP Service
– LOBLOLLY (REDWOOD hardware): IP = loblolly-resv (134.67.27.30); VIP = loblolly-vip.rtpnc.epa.gov (134.67.221.87), maintained by Oracle Clusterware VIP Service
– Each LPAR runs Oracle Internet Directory (OID), Directory Integration & Provisioning (DIP), Metadata Repository, Oracle RDBMS 11gR2 RAC, Oracle ASM and Oracle Clusterware 11g
– Private VLAN RAC interconnect: ponderosa-priv, loblolly-priv
– Shared SAN database storage
Developer Access
• Access to WAM at NCC
– Developers can access OAM User and Group Manager to populate test users and groups
– Developers have access to the WAM staging environment when testing applications in the development environment
TSSMS Migration
TSSMS Phase Out
• TSSMS is being phased out for non-mainframe platforms
• Will be phased out by FY 2012
• De-couple user provisioning and account registration
– Migrate web account registration
– Migrate TSSMS identities to WAM
• Migrate disk space billing for Oracle databases from TSSMS accounts to eBusiness accounts
• Migrate legacy applications that use TSSMS identities for application- or database-level access to WAM identities
• Linux / WAM authentication
AQS WAM Authentication
TSSMS Pilot
• Pilot program for migrating Oracle database users from TSSMS identities to WAM identities
• Working with AQS to document identity and access workflow
• Close coordination with TSSMS, Oracle DBSS and CDX
• Modify OID attributes and registration process
Operations and Maintenance
• OAM Upgrade to 10.1.4.3
• P2V Migration
– All WAM servers will migrate to virtual machines
• Monitor Audit Logs
– Review OAM logs for suspicious patterns
• WAM Self Registration Changes
– De-couple self-registration and application access request from Portal
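As an added example (not part of the original presentation), the following Python script shows the kind of review the "Monitor Audit Logs" item calls for: it reads authentication events and flags three patterns worth a closer look. The log lines are constructed and their field layout (timestamp, event, user, client IP, resource) is an assumption; real OAM audit logs have their own format and would need a matching parser, and the thresholds are placeholders to be tuned to the environment.

```python
"""Review constructed OAM-style authentication events for suspicious patterns."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real OAM output; the field layout is an assumption).
# Fields: timestamp  event  user  client IP  protected resource
SAMPLE_LOG = """\
2010-11-02T08:01:10 AUTHN_SUCCESS jdoe 10.20.30.40 /ebusiness/
2010-11-02T08:02:05 AUTHN_FAILURE asmith 198.51.100.7 /wqsits/
2010-11-02T08:02:09 AUTHN_FAILURE asmith 198.51.100.7 /wqsits/
2010-11-02T08:02:14 AUTHN_FAILURE asmith 198.51.100.7 /wqsits/
2010-11-02T08:02:20 AUTHN_FAILURE asmith 198.51.100.7 /wqsits/
2010-11-02T08:02:26 AUTHN_FAILURE asmith 198.51.100.7 /wqsits/
2010-11-02T08:02:31 AUTHN_SUCCESS asmith 198.51.100.7 /wqsits/
2010-11-02T09:15:00 AUTHN_FAILURE bjones 203.0.113.9 /orbit/
2010-11-02T09:15:03 AUTHN_FAILURE cwhite 203.0.113.9 /orbit/
2010-11-02T09:15:06 AUTHN_FAILURE dgreen 203.0.113.9 /orbit/
2010-11-02T09:15:09 AUTHN_FAILURE ehall 203.0.113.9 /orbit/
2010-11-02T09:15:12 AUTHN_FAILURE fking 203.0.113.9 /orbit/
2010-11-02T09:15:15 AUTHN_FAILURE glee 203.0.113.9 /orbit/
2010-11-02T10:30:00 AUTHN_FAILURE jdoe 10.20.30.40 /ebusiness/
2010-11-02T10:31:00 AUTHN_SUCCESS jdoe 10.20.30.40 /ebusiness/
"""


def parse_log(text):
    """Parse the constructed format into a list of event dicts (assumed layout)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, ip, resource = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "event": event,
                       "user": user, "ip": ip, "resource": resource})
    return events


def find_suspicious(events, window=timedelta(minutes=5),
                    fail_threshold=5, spray_threshold=5):
    """Return sorted (pattern, subject) findings. Thresholds are placeholders."""
    events = sorted(events, key=lambda e: e["ts"])
    failures = [e for e in events if e["event"] == "AUTHN_FAILURE"]
    findings = set()

    # 1) Repeated failures against one account inside the window (guessing).
    per_user = defaultdict(list)
    for e in failures:
        per_user[e["user"]].append(e["ts"])
    for user, stamps in per_user.items():
        for i, start in enumerate(stamps):
            if sum(1 for t in stamps[i:] if t - start <= window) >= fail_threshold:
                findings.add(("brute_force", user))
                break

    # 2) One client IP failing against many distinct accounts (spraying).
    per_ip = defaultdict(list)
    for e in failures:
        per_ip[e["ip"]].append((e["ts"], e["user"]))
    for ip, attempts in per_ip.items():
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= spray_threshold:
                findings.add(("password_spray", ip))
                break

    # 3) A success right after a burst of failures for the same account:
    #    the account may have been guessed and deserves a follow-up check.
    for e in events:
        if e["event"] != "AUTHN_SUCCESS":
            continue
        recent = [t for t in per_user.get(e["user"], [])
                  if e["ts"] - window <= t < e["ts"]]
        if len(recent) >= fail_threshold:
            findings.add(("success_after_failures", e["user"]))

    return sorted(findings)


if __name__ == "__main__":
    for pattern, subject in find_suspicious(parse_log(SAMPLE_LOG)):
        print(f"{pattern:24s} {subject}")
```

The three checks are deliberately simple sliding-window counts so they can be re-run over a day's log on a schedule; the single failure by jdoe produces no finding, which is the noise floor a threshold is meant to absorb.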
Optimizing Storage
Federal Triangle Cash Cab
• Do you think your storage costs could decrease in FY 11?
A. Yes
B. No
Advanced Compression Option
• What is it?
• What are the benefits?
• How does it work?
• Shared Environment Implementation
• Next Steps
• Compression of Table Data
• Compression for File Data
• Compression for Backup Data
• Compression for Network Traffic
Benefits Summary:
ACO minimizes costs while continuing to achieve the highest levels of application performance.
What is it?
A database option that can make your database smaller and faster and reduce your storage costs.
• Introduced in Oracle Database 11g
• Allows you to compress structured data (numbers, characters) as well as unstructured data (documents, spreadsheets, XML and other files)
• Provides enhanced compression for database backups
• Includes network compression for faster synchronization with standby databases
Shared Environment Implementation
Phase I: Compression for Backup Data.
• Fully implemented on 11/9!
Phase II: Compression for Table Data.
• Implemented at the discretion of Application Owners
• Owners will be advised what their potential savings are on a Storage Cost Analysis Report.
• Effects will be tested in the Staging Environment.
Benefit: Compression of Table Data
On-disk storage savings translate directly into cost savings.
Oracle claims an average 4:1 compression rate.

  GB    $/GB/Yr   Storage Bill   Compress Rate   GB With ACO   Bill       Savings
  500   87.72     $ 43,860       0%              500           $ 43,860   $ -
  500   87.72     $ 43,860       30%             350           $ 30,702   $ 13,158
  500   87.72     $ 43,860       50%             250           $ 21,930   $ 21,930
  500   87.72     $ 43,860       70%             150           $ 13,158   $ 30,702

• Compression rates of 80% observed in testing with STORET data (mileage will vary)
• License included in the shared environment; must be separately licensed for a dedicated environment
• Dedicated environments will have a break-even point of roughly 50 GB per processor licensed
Benefit: OLTP Table Compression
OLTP Table Compression Syntax:
  CREATE TABLE emp (
      emp_id     NUMBER,
      first_name VARCHAR2(128),
      last_name  VARCHAR2(128)
  ) COMPRESS FOR OLTP;
Benefit: Compression for File Data
With SecureFiles, organizations can now manage all relational data and associated file data in Oracle using a single security/audit model, a unified backup & recovery process, and perform seamless retrievals across all information.
SecureFiles beats the Linux file system on both read and write performance. It also has compression, de-duplication (only storing duplicate files once), and encryption. The encryption is an extension of Oracle Transparent Data Encryption, which is FIPS 140-2 compliant.
Benefit: Compression for File Data
• With SecureFiles compression, typical files such as documents or XML files, experience a reduction of 2 to 3 times in size.
• Using built-in intelligence, SecureFiles Compression automatically avoids compressing data that would not benefit from compression – for instance a document that was compressed via a 3rd party tool before being inserted into the database as a SecureFiles file.
Simplify, Secure and Compress unstructured content.
Benefit: Compression for File Data
SecureFiles Deduplication Syntax:
  CREATE TABLE images (
      image_id NUMBER,
      image    BLOB
  ) LOB(image) STORE AS SECUREFILE (TABLESPACE lob_tbs DEDUPLICATE);
Benefit: Compression for Backup Data
Advanced Compression includes the capability to compress the backup data generated by both RMAN (physical backups) and DATA PUMP (logical exports).
Benefit: Compression for Backup Data
Syntax for setting the RMAN compression algorithm:
  RMAN> SET COMPRESSION ALGORITHM 'LOW|MEDIUM|HIGH';
Syntax for taking a compressed RMAN backup:
  RMAN> BACKUP AS COMPRESSED BACKUPSET DATABASE ARCHIVELOG ALL;
Syntax to enable compression for Data Pump (the 11g Data Pump parameter is COMPRESSION=ALL; COMPRESS is the legacy exp parameter):
  expdp hr FULL=y DUMPFILE=dpump_dir:full.dmp COMPRESSION=ALL
Benefit: Compression for Network Traffic
Redo data may be transmitted in a compressed format to reduce network bandwidth consumption and in some cases reduce transmission time of redo data.
Data Guard Redo Transport Services are used to transfer redo data to standby/mirror site(s).
How does it work?
(diagram slides; not reproduced in the transcript)
Next Steps?
Various estimates indicate that data volume is almost doubling every 2-3 years. ACO can ensure that your storage costs do not mushroom at the same rate as your data volume.
Contact your NCC Point of Contact or me directly to schedule a database storage cost analysis to see how your application might benefit.
Dedicated environments will incur extra licensing costs. The shared environment is already licensed.