Derrick Harcey's Weblog
Harcey's Identity
Friday Jun 27, 2008
OpenDS reconciliation with Identity Manager
While configuring OpenDS as an LDAP resource (resource adapter) for Sun Identity Manager, I ran into the following problem setting up reconciliation. The cause turned out to be the proxy user that Identity Manager binds as when it connects to the LDAP resource. Normal provisioning succeeds, but reconciliation fails because it uses the server-side sort control to return all users.

Using the server-side sort control (OID 1.2.840.113556.1.4.473) as a normal user failed with insufficient access rights. In OpenDS a user needs an aci with a targetcontrol clause before it may send this control; the usual targetattr acis, even one that allows (all), do not cover request controls. Tracking this down took a bit of effort. Here are the details:

Original ldif file to create the suffix:
dn: dc=identric,dc=com
objectclass: top
objectclass: domain
dc: identric
aci: (targetattr!="userPassword")(version 3.0; acl "Anonymous access"; allow (read,search,compare) userdn="ldap:///anyone";)
aci: (targetattr != "nsroledn || aci || nsLookThroughLimit || nsSizeLimit || nsTimeLimit || nsIdleTimeout || passwordPolicySubentry ")
 (version 3.0; acl "Allow self entry modification except for nsroledn, aci, resource limit attributes, and passwordPolicySubentry";
 allow (write)userdn ="ldap:///self";)
aci: (targetattr = "*")(version 3.0; acl "LDAP Administrator"; allow (all) userdn = "ldap:///uid=ldapadmin,ou=people,dc=identric,dc=com";)

This search works for Directory Manager (the root user, which bypasses ACIs):
# bin/ldapsearch --hostname localhost --port 1389 --bindDN "cn=Directory Manager" --bindPassword  
--searchScope sub --baseDN "dc=identric,dc=com" --sortorder sn,givenName "(objectclass=*)"


But not for a normal user, even though the aci shown above grants that user allow (all) on every attribute:
# bin/ldapsearch --hostname localhost --port 1389 --bindDN "uid=ldapadmin,ou=people,dc=identric,dc=com" --bindPassword  
--searchScope sub --baseDN "dc=identric,dc=com" --sortorder sn,givenName "(objectclass=*)"
SEARCH operation failed
Result Code:  50 (Insufficient Access Rights)
Additional Information:  The request control with Object Identifier (OID) "1.2.840.113556.1.4.473" cannot be used due to insufficient access rights

This was resolved by adding an aci with targetcontrol = "1.2.840.113556.1.4.473" for the proxy user. Two points are worth keeping in mind before copying this: allow (read) is enough to permit a control and is narrower than the allow (all) used here, and this proxy user already holds allow (all) on every attribute, aci included, which makes it a directory administrator in all but name. A production deployment should scope both acis to what the adapter actually needs.
dn: dc=identric,dc=com
objectclass: top
objectclass: domain
dc: identric
aci: (targetattr!="userPassword")(version 3.0; acl "Anonymous access"; allow (read,search,compare) userdn="ldap:///anyone";)
aci: (targetattr != "nsroledn || aci || nsLookThroughLimit || nsSizeLimit || nsTimeLimit || nsIdleTimeout || passwordPolicySubentry ")
 (version 3.0; acl "Allow self entry modification except for nsroledn, aci, resource limit attributes, and passwordPolicySubentry";
 allow (write)userdn ="ldap:///self";)
aci: (targetattr = "*")(version 3.0; acl "LDAP Administrator"; allow (all) userdn = "ldap:///uid=ldapadmin,ou=people,dc=identric,dc=com";)
aci:  (targetcontrol = "1.2.840.113556.1.4.473")(version 3.0; acl "LDAP Administrator Server Sort"; allow (all) userdn = "ldap:///uid=ldapadmin,ou=people,dc=identric,dc=com";)

dn: ou=People,dc=identric,dc=com
objectClass: top
objectClass: organizationalunit
ou: People

dn: uid=ldapadmin,ou=people,dc=identric,dc=com
givenName: Ldap
sn: Admin
mail: ldap.admin@identric.com
uid: ldapadmin
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
cn: LDAP Admin
userPassword: Passw0rd
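To make the rule behind the fix concrete, here is an added example (toy code written for this page, not code from the original post or from OpenDS) that evaluates the targetcontrol part of a small set of OpenDS-style acis. It assumes a simplified model: only acis carrying a targetcontrol clause can authorise a request control, deny beats allow, read or all is the permission a control needs, and only the userdn bind rules anyone, all, self and an exact DN are understood. The aci strings are the post's own, reconstructed as single-line Python strings.

```python
"""Evaluate the targetcontrol part of OpenDS-style ACIs (added example).

Toy code written for this page, not code from the original post or from
OpenDS. It models the one rule the post turned on: an aci without a
targetcontrol clause never authorises a request control, however broad its
targetattr grant is. Assumptions (simplified from real OpenDS): deny beats
allow, read or all is the permission a control needs, and only userdn bind
rules of the forms anyone, all, self and an exact DN are understood.
"""
import re

# OID of the server-side sort control (RFC 2891), from the post's error message.
SSS_OID = "1.2.840.113556.1.4.473"
LDAPADMIN = "uid=ldapadmin,ou=people,dc=identric,dc=com"

_TARGET = re.compile(r'\(\s*(\w+)\s*(!=|=)\s*"([^"]*)"\s*\)')
_BODY = re.compile(
    r'\(\s*version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;\s*(allow|deny)\s*'
    r'\(([^)]*)\)\s*userdn\s*=\s*"ldap:///([^"]*)"\s*;\s*\)')


def _norm_dn(dn):
    """Lower-case and strip whitespace around RDNs so DNs compare by value."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_aci(text):
    """Split one aci into its target clauses, name, effect, permissions and bind rule."""
    body = _BODY.search(text)
    if body is None:
        raise ValueError("unsupported aci syntax: %r" % text)
    targets = {}
    for keyword, op, value in _TARGET.findall(text[:body.start()]):
        targets[keyword.lower()] = (op, {v.strip() for v in value.split("||")})
    name, effect, perms, userdn = body.groups()
    return {"name": name, "effect": effect, "userdn": userdn,
            "perms": {p.strip().lower() for p in perms.split(",")},
            "targets": targets}


def _bind_rule_matches(userdn, bind_dn):
    """anyone: everybody; all: any authenticated bind; self: entry-relative,
    so it never grants a control here; otherwise an exact DN match."""
    if userdn == "anyone":
        return True
    if userdn == "all":
        return bind_dn is not None
    if userdn == "self" or bind_dn is None:
        return False
    return _norm_dn(userdn) == _norm_dn(bind_dn)


def control_allowed(acis, bind_dn, oid):
    """True if bind_dn (None = anonymous) may send request control `oid`."""
    allowed = False
    for aci in map(parse_aci, acis):
        if "targetcontrol" not in aci["targets"]:
            continue  # targetattr-only acis say nothing about controls
        op, oids = aci["targets"]["targetcontrol"]
        targeted = (oid in oids) if op == "=" else (oid not in oids)
        if not targeted or not _bind_rule_matches(aci["userdn"], bind_dn):
            continue
        if not (aci["perms"] & {"read", "all"}):
            continue
        if aci["effect"] == "deny":
            return False  # an applicable deny always wins
        allowed = True
    return allowed


# The post's original suffix acis, reconstructed here as single-line strings.
BEFORE = [
    '(targetattr!="userPassword")(version 3.0; acl "Anonymous access"; '
    'allow (read,search,compare) userdn="ldap:///anyone";)',
    '(targetattr != "nsroledn || aci || nsLookThroughLimit || nsSizeLimit || '
    'nsTimeLimit || nsIdleTimeout || passwordPolicySubentry ")(version 3.0; '
    'acl "Allow self entry modification"; allow (write) userdn="ldap:///self";)',
    '(targetattr = "*")(version 3.0; acl "LDAP Administrator"; allow (all) '
    'userdn = "ldap:///%s";)' % LDAPADMIN,
]
# The post's fix, and the narrower allow (read) variant.
SORT_ACI_ALL = ('(targetcontrol = "%s")(version 3.0; acl "LDAP Administrator '
                'Server Sort"; allow (all) userdn = "ldap:///%s";)' % (SSS_OID, LDAPADMIN))
SORT_ACI_READ = SORT_ACI_ALL.replace("allow (all)", "allow (read)")

if __name__ == "__main__":
    print("before fix:", control_allowed(BEFORE, LDAPADMIN, SSS_OID))
    print("after fix: ", control_allowed(BEFORE + [SORT_ACI_READ], LDAPADMIN, SSS_OID))
    print("anonymous: ", control_allowed(BEFORE + [SORT_ACI_READ], None, SSS_OID))
```

Run as a script it reports False for the original acis, True once the targetcontrol aci is present, and False for an anonymous bind. What the evaluator makes explicit is that the targetattr="*" allow (all) aci never enters the decision for a control at all, which is the behaviour the result code 50 above reflects.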



Posted at 09:55PM Jun 27, 2008 by harcey in Identity  | 

Monday Jun 09, 2008
Sun Identity Manager 8 now available
A major new release of Sun Identity Manager is now available. This new release features an advanced role model and advanced reporting features as well as new resource adapters and other updates. We have been using this release internally in advance of showing it to our customers. Along with the open sourced Netbeans developer IDE for Sun Identity Manager, it provides a powerful solution for Identity Management.

For more information:
Sun Identity Manager 8.0 documentation

Download the Identity Manager 8 product:
Download

Complementary Sun Identity product information:
Sun Identity Manager
Sun Role Manager 4

Also check out the Sun Identity podcasts:
Sun Identity Management Podcasts
The latest podcast covers a Sun partner's (I.C. Synergy) Identity Management solution (R.A.R.E.). I recently spent some time with them at their offices reviewing their solution. They have some great solutions for addressing common Identity Management challenges.

Posted at 03:52PM Jun 09, 2008 by harcey in Identity  |  Comments[1]

Thursday Apr 24, 2008
Fedlet comes out with a (Head) Bang
OpenSSO is maturing at a rapid pace, with a fantastic new feature released today: the Fedlet! Watch the video below to see instant federation for a partner in action with OpenSSO. This video is proof that federation can be fun (or at least that Daniel can make it fun).

In my travels I get involved in all types of identity discussions (provisioning, identity compliance, access management, federation, etc.). Recently (on Tuesday) I had the opportunity to talk to Sun customers and potential customers about Federated Access Management at the Sun Identity Roadshow in Dallas. There was a lengthy Q&A after the session, and some of the questions asked when it will be easier to create federation agreements and enable smaller partners. I answered by describing how the federation configuration wizards in OpenSSO make configuring federation simple, and how the Fedlet will make it easy for a partner to federate with you. The video above shows exactly how easy these tasks can be.

Posted at 11:45PM Apr 24, 2008 by harcey in Gadgets  | 

Wednesday Jan 30, 2008
FAMFest08 coverup
A coverup is quietly going unnoticed......
I had the opportunity to attend a great Sun event last week, FAM Fest 08. Top engineers, marketing and SEs focused on federation got together with a shared goal. Here is an image of the attendees to document everyone's presence (I am in the blue shirt on the left):



Several blogs have been posted on this topic: FAMFest Complete, in Vegas, Meet the Heroes

But something is amiss. Upon closer inspection of the image:



Notice how the person (let's call him Brad) at the top center looks out of place.... This must certainly be a doctored image, as the guy on the immediate right (let's call him Jeffery) has a reflection on his head from lights on the right, while "Brad", and only "Brad", has a clear source of light coming from the left. This is most certainly not possible, not to mention the discoloration and jagged edges.

Seriously, I know that "Brad" was at the event as I talked to him many times, and I even witnessed a picture of "Brad" being taken alone in a hallway and, come to think of it, the lighting source was on the left. I would venture to guess that said image was used as the basis for the coverup. Hopefully this clears up the raging debate regarding whether the Canadians had a presence at FAMFest08.

DISCLAIMER: my attempt at humor may be weak and feeble, but at least I had to give it a shot after seeing the fine humor coming out of engineering and marketing:
Posted at 01:44PM Jan 30, 2008 by harcey in Identity  |  Comments[4]

Thursday Nov 01, 2007
Indiana VMWare...
The OpenSolaris Developer Preview is now available.


It's available for download at: http://dlc.sun.com/osol/indiana/downloads/current/in-preview.iso

This is an x86-based LiveCD install image, containing some new and emerging OpenSolaris technologies.

I gave it a try today in a VMWare Fusion image on Mac OS 10.5 host OS.

The experience was great! This is a liveCD, so it comes up with GNOME and works fine. I wanted to install a developer version of Solaris with NetBeans and Idm7.1 and a few other tools.

The installation was extremely simple, but a few things which I ran into along the way:

The virtual disk for the VMware image should be 8 GB. For some reason, the installer would not proceed when I selected a 4 GB disk.

The default screen resolution was too big for VMware on my machine, so I had to switch to 1024 x 768, and even then I had to scroll down to navigate the install screens. I tried 800 x 600 but could not see the bottom of the screen to navigate the install screens, so I switched back to 1024 x 768. I opened an install bug on this issue at http://www.opensolaris.org/os/project/indiana/resources/reporting_bugs/

Select a 64-bit VMware image (assuming your hardware is 64-bit capable) and the 32-bit boot option from the LiveCD. When the installation is done it will install in 64-bit mode if the hardware is capable.

Some impressive things about this milestone OpenSolaris release:
Posted at 03:46PM Nov 01, 2007 by harcey in Solaris  | 

Sunday Oct 28, 2007
Leopard Apps
My migration to Mac OS 10.5 is complete. I chose to do some housecleaning / backup, then start with a clean install. Here are the applications which I use and had to install.
Posted at 03:04PM Oct 28, 2007 by harcey in General  | 

Tuesday Oct 16, 2007
OpenPTK UML and OpenSSO configuration

The User Management Lite sample application was designed to provide a way to integrate user provisioning services into a remote java application. It uses the OpenPTK's provisioning tag library to provide a simple way to add user provisioning services to a java application.

The OpenPTK User Management Lite (UML) was designed to showcase user provisioning and self-service functions. Authentication and authorization are necessary for a complete solution deployment. The UML provides an interface for user authentication and was designed to be protected by a web single sign-on infrastructure like Sun Access Manager or OpenSSO. If no web single sign-on infrastructure is configured with the UML, it provides simulated authentication screens so that the sample application's features can still be used. In a real-world deployment, authentication is expected to be implemented in many different ways and is out of scope for the core OpenPTK framework features. The instructions below describe the steps to protect the UML application with OpenSSO. The same steps would be required with Sun Access Manager or another web single sign-on infrastructure.

Configuring OpenSSO to protect the OpenPTK User Management Lite (UML)

The UML was designed to be protected by a web single sign-on infrastructure. Once it is deployed to an application server, it can be protected by an agent for integration with that infrastructure. The following high-level tasks will enable authentication of the UML to be provided by an external infrastructure. More details will be available in the OpenPTK Samples User's Guide, which will be available soon.

Posted at 09:22PM Oct 16, 2007 by harcey in OpenPTK  | 

Wednesday Oct 10, 2007
Project OpenPTK launched!
Project Open Provisioning ToolKit (OpenPTK) provides a bridge between Identity Solutions and specialized user interfaces or access points. It is hosted on the Identity Management community on java.net.

Project Open Provisioning ToolKit (OpenPTK) is an open source User Provisioning Toolkit exposing API's, Web Services, HTML Taglibs, JSR-168 Portlets with user self-service and administration examples. The architecture supports several pluggable back-end services including Sun's Identity Manager, Sun's Access Manager and LDAPv3.

Available now are several sample applications which demonstrate the features of OpenPTK. These samples are preconfigured to connect to a hosted Identity Management infrastructure, which includes Sun Identity Manager and its SPML interface. The applications include:
Coming soon will be documentation to deploy these sample applications to connect to your Identity infrastructure, followed closely by full access to the source code for the OpenPTK framework.

This project was started last year by 3 Sun Systems Engineers (Scott Fehrman, Terry Sigle, and myself) to demonstrate the power and flexibility of Sun's Identity Management suite of products in new and flexible ways. Due to the demand and flexibility of the solution, this open source project was launched to enable others to extend the value of their Identity Management infrastructures. It is designed to be completely complementary to existing deployments of Identity Management infrastructures.

Posted at 12:45PM Oct 10, 2007 by harcey in OpenPTK  | 

Wednesday Sep 19, 2007
SPML rising above the noise level?
I talk to customers about a lot of identity related topics and in the past few months, the topic of Service Provisioning Markup Language (SPML) has come up on many occasions. This is of course regarding integration to a provisioning infrastructure. The frequency of interest in SPML appears to demonstrate a pattern (at least from my perspective) of the maturity and applicability of the SPML standard to current identity solutions.

First, what is SPML? Service Provisioning Markup Language is an OASIS standard

Sun Java System Identity Manager includes SPML handlers which listen for incoming SPML requests. A sample SPML Resource Adapter is also provided in the REF-KIT for outbound SPML provisioning. In Identity Manager 7.x there are three SPML listeners:

1) The SPML1: http://://servlet/rpcrouter2
Using SPML 1.0 with Identity Manager Web Services

2) The SPML2: http://://servlet/openspml2
Using SPML 2.0 with Identity Manager Web Services

3) The SPMLspe handler: http://://servlet/spespml
Using SPML 1.0 with Identity Manager Web Services

Sample SPML 2.0 Resource Adapter
Identity Manager provides a sample SPML 2.0 resource adapter that can be modified and used to talk to third-party resources that support SPML 2.0 core operations.

SPML is capable of many things, and its operations use SOAP over HTTP; however, because SPML is extensible to support extended operations and schema differences, it does not provide a .wsdl interface to define its operations. This is not a limitation of Identity Manager, it is just how SPML was designed, and it allows tremendous flexibility.

The SPML options for interfacing with Identity Manager assume that you are using an SPML API; there is an OpenSPML Java API for SPML.

For an implementation which needs a web service with a .wsdl-defined interface (a SOA infrastructure or a .NET application, for example), the answer is a wrapper with specific operations around the more general-purpose SPML interface which Identity Manager exposes.

Since a Java OpenSPML API is available, a web service specific to an implementation (for example, CRUD operations with the user attributes used in a deployment) can be defined in a .wsdl interface and in turn invoke SPML operations against Identity Manager. This approach assumes a Java application server is available to host the web service, since the OpenSPML APIs are written in Java; it can be hosted on the same application server or on a remote Java application server which uses SPML to contact Identity Manager. I have been involved in several examples of using this approach to integrate with Sun's Identity Manager in the past 6 months. It lets the provisioning infrastructure do its normal job of user provisioning and compliance auditing, while making it accessible in new and interesting ways.

Posted at 12:24PM Sep 19, 2007 by harcey in Identity  | 

Friday Jul 27, 2007
OpenPTK is coming ...

As discussed on the Discovering Identity Blog post, we just had a US software meeting where our team demonstrated a project which has been in the works for quite some time now. We are preparing to open source the project and looking into our options and approach.

Here is a photo of Mark taking a photo of us at the event:
Thanks Mark for the kind words.

The project was started by a few engineers at Sun to demonstrate the value of our Identity products. Here is a brief description:

OpenPTK is being proposed as an open source User Provisioning Toolkit exposing API's, Web Services, HTML Taglibs, JSR-168 Portlets with user self-service and administration examples. The architecture supports several pluggable back-end services including Sun's Identity Manager, Sun's Access Manager and LDAPv3.

A brief overview of the project can be found at the openptk.org site. More information will be coming soon on this project.....

Posted at 11:43AM Jul 27, 2007 by harcey in Identity  | 

Sunday Jul 01, 2007
You did what to your customer?, or Good things come to those who wait
I have been on the customer end of some unpleasant situations lately. I recently was making an overseas trip and went to the airport to check in. As usual, I booked my trip through our company process an had an itinerary in hand. When I got to the counter to check in, I was told that the ticket had not been issued. [Read More]
Posted at 03:51PM Jul 01, 2007 by harcey in Gadgets  |  Comments[1]

Thursday Jun 14, 2007
Identity Manager 7.1 Netbeans module, WOW!

Identity Manager 7.1 was just released. One of the most exciting new features is the new Netbeans module for Identity Manager. A Netbeans module was introduced last fall with Identity Manager 7.0, but the 7.1 release includes significant new feature enhancements.

This plugin requires Netbeans 5.5. The .nbm module is available in the product download, I have been a huge Netbeans user over the years and have been migrating a lot of Identity Manager content to the new Netbeans module format. I will blog in more details about these topics and how I am using them in the new Netbeans module soon...

Major features provided by the Identity Manager IDE include (from docs):

Integrated Explorer window that allows project, directory-based, or run-time views of a project
Identity Manager IDE projects are integrated with a Configuration Build Environment (CBE)
Posted at 09:34AM Jun 14, 2007 by harcey in Identity  | 

Mac OSX VMWare Fusion beta and hostonly networking

I have been using VMWare Fusion Beta for Mac OSX since it was first released in beta. I have been using several VMWare images which require a static IP address on a hostonly network. Although the latest beta versions of Fusion support hostonly networking, it does not yet allow you to specify a specific network to use for hostonly networking. The following steps are how I manually configured hostonly networking for Fusion (beta 3 and 4).
$ cd "/Library/Application Support/VMware Fusion"
You can run the vmware-config-net.pl script to set up the hostonly network, but it does not give you a chance to specify the network range, as vmware-config.pl does on the Linux version of VMware Workstation or the GUI does on the Windows version. These steps force the network range to the desired range.

First Stop vmware networking:
$sudo ./boot.sh --stop
Then check to see what network range was auto assigned to hostonly networking:
$ more config
vmnet1.hostonlyaddress = "192.168.157.1"
vmnet1.hostonlynetmask = "255.255.255.0"
Now grep the files in this directory to see where the network range is used:
$grep 192.168.157 *
config:vmnet1.hostonlyaddress = "192.168.157.1"
locations:answer VNET_1_HOSTONLY_HOSTADDR 192.168.157.1
locations:answer VNET_1_HOSTONLY_SUBNET 192.168.157.0
locations:answer VNET_1_HOSTONLY_HOSTADDR 192.168.157.1
locations:answer VNET_1_HOSTONLY_SUBNET 192.168.157.0
locations:answer VNET_1_HOSTONLY_HOSTADDR 192.168.157.1
locations:answer VNET_1_HOSTONLY_SUBNET 192.168.157.0
locations:answer VNET_1_HOSTONLY_HOSTADDR 192.168.157.1
locations:answer VNET_1_HOSTONLY_SUBNET 192.168.157.0
locations:answer VNET_1_HOSTONLY_HOSTADDR 192.168.157.1
locations:answer VNET_1_HOSTONLY_SUBNET 192.168.157.0
locations:answer VNET_1_HOSTONLY_HOSTADDR 192.168.157.1
locations:answer VNET_1_HOSTONLY_SUBNET 192.168.157.0
locations:answer VNET_1_HOSTONLY_HOSTADDR 192.168.157.1
locations:answer VNET_1_HOSTONLY_SUBNET 192.168.157.0
locations:answer VNET_1_HOSTONLY_HOSTADDR 192.168.157.1
locations:answer VNET_1_HOSTONLY_SUBNET 192.168.157.0
locations:answer VNET_1_HOSTONLY_HOSTADDR 192.168.157.1
locations:answer VNET_1_HOSTONLY_SUBNET 192.168.157.0
locations:answer VNET_1_HOSTONLY_HOSTADDR 192.168.157.1
locations:answer VNET_1_HOSTONLY_SUBNET 192.168.157.0
locations:answer VNET_1_HOSTONLY_HOSTADDR 192.168.157.1
locations:answer VNET_1_HOSTONLY_SUBNET 192.168.157.0
locations:answer VNET_1_HOSTONLY_HOSTADDR 192.168.157.1
locations:answer VNET_1_HOSTONLY_SUBNET 192.168.157.0


We see that config and locations reference this network range. Now edit these files to use the network range you want; in my case, I want 192.168.159.

Then we need to edit the vmnet1 dhcp configuration:

$cd vmnet1

Now also edit the network range in the dhcpd.conf file.

Start networking back up

$ cd .. && sudo ./boot.sh --start

Now VMWare networking is configured properly, and the VMWare image which is configured for hostonly networking on the network range will be reachable from the Mac.
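The hand edits above (config, locations and vmnet1/dhcpd.conf all carry the old prefix) are easy to get half done. Here is an added shell example, my own code and not part of the original post, that rewrites all three files in one go, keeps a backup of each, and refuses to run unless vmnet1 really is on the prefix you say it is. The Fusion support directory is passed in as an argument so the function can be tried on a copy; on the real Mac it is "/Library/Application Support/VMware Fusion", and boot.sh --stop and --start must bracket the edit as described above. The sample files in the usage at the bottom are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: move VMware Fusion's vmnet1
# host-only network from one /24 prefix to another by rewriting every file
# the post's grep turned up (config, locations, vmnet1/dhcpd.conf).
set -eu

# usage: rehome_hostonly DIR OLD_PREFIX NEW_PREFIX   (prefixes like 192.168.157)
rehome_hostonly() {
    dir=$1; old=$2; new=$3
    # Guard: only proceed if vmnet1 really is on the prefix we were told to replace.
    grep -qF "vmnet1.hostonlyaddress = \"$old.1\"" "$dir/config" || {
        echo "vmnet1 is not on $old.0/24 according to $dir/config" >&2
        return 1
    }
    for f in "$dir/config" "$dir/locations" "$dir/vmnet1/dhcpd.conf"; do
        [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
        cp "$f" "$f.bak"                       # keep a backup of each file
        # Escape the dots so 192.168.157 cannot also match 192x168y157, and
        # anchor on the trailing dot so 192.168.1570 is never touched.
        sed "s/$(printf '%s' "$old" | sed 's/\./\\./g')\./$new./g" "$f.bak" > "$f"
    done
}

# Count lines still carrying PREFIX across the three files; 0 means fully migrated.
# usage: count_prefix PREFIX DIR
count_prefix() {
    prefix=$1; dir=$2
    grep -c "$(printf '%s' "$prefix" | sed 's/\./\\./g')\." \
        "$dir/config" "$dir/locations" "$dir/vmnet1/dhcpd.conf" \
        | awk -F: '{ total += $NF } END { print total + 0 }'
}

# Example run against a throwaway copy with constructed contents (the real
# files live under "/Library/Application Support/VMware Fusion"):
#   d=$(mktemp -d); mkdir "$d/vmnet1"
#   printf 'vmnet1.hostonlyaddress = "192.168.157.1"\n' > "$d/config"
#   printf 'answer VNET_1_HOSTONLY_SUBNET 192.168.157.0\n' > "$d/locations"
#   printf 'subnet 192.168.157.0 netmask 255.255.255.0 {\n}\n' > "$d/vmnet1/dhcpd.conf"
#   rehome_hostonly "$d" 192.168.157 192.168.159 && count_prefix 192.168.157 "$d"
```

The guard matters more than it looks: the locations file accumulates one answer block per reconfigure, so after a second run with the wrong old prefix you would otherwise end up with a mixture of ranges and a DHCP server handing out addresses on a subnet the host interface no longer has.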

One last step, if you want to enable name resolution of your VMware image in the local hosts table on the Mac so you don't always have to reference an IP address to reach the image, is the standard Mac OS X configuration:

Open the NetInfo Manager utility (under Applications/Utilities).

Under machines, add new entries for your VMWare image IP address and FQDN you want to use to access it. These entries only require a ip_address and a name to be defined.

now startup the image and it should be accessible on your desired hostonly network range.

Posted at 08:56AM Jun 14, 2007 by harcey in General  | 

Monday Mar 19, 2007
Important trends in the Digital Identity marketplace
My esteemed colleague, Mark Dixon, of Discovering Identity is preparing a list of important trends in the Digital Identity marketplace for JavaOne.

I posted some relevant information on my blog back in Jan.: Identity Predictions for 2007

In addition to the items listed below, I had some comments to add:

In the next few years, the convergence of user-centric identity (convenient yet initially insecure) and the established federation standards (SAML, Liberty, WS-Federation) will take place to enable a cohesive identity strategy with secure web services (still a few years away). The popularity of user-centric identity is growing rapidly, but not for secure environments. It is unclear how this will manifest itself, but it could be through OpenID, CardSpace, etc. evolving to include SAML 2 as a foundation for their next revisions.

One thing is clear, the adoption of federation is not as rapid as it could be and until it is well established, it will be very difficult to enable real Identity enabled web services on top of that foundation. This is recognized as an issue which must be addressed since projects like openliberty.org are forming to provide a simpler solution for the secure invocation of identity enabled web services. The maturation and deployability of the identity standards will take place once there are sufficient tools to enable cross vendor interoperability and seamless integration into web services infrastructures. This maturation process is starting to happen now that the federation standards are stable and adequate to provide that foundation.

Posted at 09:39AM Mar 19, 2007 by harcey in Identity  | 

Monday Mar 05, 2007
You're on deck....
Last Thursday I went to the Dallas Ft. Worth UNIX Users Group, which will now be hosted at the Dallas Sun Office. I volunteered to assist in hosting the meeting since I was interested in the main topic being presented:
I currently use the Linux and Windows versions to run my Solaris images and am just starting to use the Mac OS X beta version. It turns out there was a bit of confusion on the start time for the main speaker, and I was asked to do an impromptu presentation about Sun Identity Solutions. I was a bit surprised, but jumped in and started discussing "Integrated the Identity Software Stack", a slide deck I had created at the end of last year for a Sun / partner event, not knowing if the UNIX users audience would care about the topic. The speaker showed up after 20 minutes and I gladly turned the reins back over, but was asked to return to present at a future meeting of that group, in June. I will be happy to present to that audience, especially since I will have a bit of time to tailor the conversation for them.

Posted at 05:27PM Mar 05, 2007 by harcey in Identity  |