I'll Get My Coat

Identity Management? I'll Get My Coat...


Tuesday Apr 15, 2008

Role Manager (RBACx) WebServices

Sun's new GRC market entry product, Sun Role Manager (formerly Vaau RBACx) offers a wealth of webservice integration points. I had to work on a project recently integrating with the wsdl interface of Role Manager and here's  some information about how to enable the  services and what can be achieved by doing so...

The webservice interface of RBACx is not enabled by default, to enable it you must follow these steps:

1. Shut down the RBACx webcontainer

2. Edit the /webapps/rbacx/WEB-INF/web.xml adding the following changes:

<servlet>
         <servlet-name>ws</servlet-name>
         <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
</servlet>
<servlet-mapping>
         <servlet-name>ws</servlet-name>
         <url-pattern>/ws/*</url-pattern>
</servlet-mapping>

 3. Restart the webcontainer

4. Consider using Soap UI as a testing tool and point this to the RBACx instance to consume the WSDLs

http://localhost:8080/rbacx/ws/auditService?wsdl http://localhost:8080/rbacx/ws/businessUnitManagementService?wsdl http://localhost:8080/rbacx/ws/logService?wsdl http://localhost:8080/rbacx/ws/roleManagementService?wsdl http://localhost:8080/rbacx/ws/userManagementService?wsdl

The RBACx webservice requires authentication this can be performed a number of ways such as in the following request 

 <soapenv:envelope xmlns:ser="http://service.api.rbacx.vaau.com" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:header>
  <wsse:security s:mustunderstand="1" 
	xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" 
		xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
         <wsse:usernametoken>
            <wsse:username>rbacxadmin</wsse:username>
            <wsse:password type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:password>
         </wsse:usernametoken>
   </wsse:security>
</soapenv:header>
   <soapenv:body>
      <ser:findactiveusers>
         <ser:in0>10130</ser:in0>
      </ser:findactiveusers>
   </soapenv:body>
</soapenv:envelope>
There you go Role Manager Webservices enabled and ready to rock..!

Posted at 05:19PM Apr 15, 2008 by Paul Walker in Handy IDM Bits  | 

Wednesday Feb 27, 2008

Solaris Authorization Bug Prevents Provisioning from SUN IDM

Thought I'd drop a note to myself more than anything on this topic, I was working with a colleague and provisioning users to a Solaris 10 system in order to test some Sun Secure Global Desktop use-cases for a customer demonstration. The Solaris resource adapter inside Sun Identity Manager was giving the following exception:

com.waveset.util.WavesetException: An error occurred adding user 'pwalker' to resource 'Solaris - dde880'. com.waveset.util.WavesetException: loop> loop> loop> loop> UX: useradd: ERROR: solaris.jobs.users is not a valid authorization. Choose another.

 Google to the rescue, with the following bug 6337435 reference, here's the solution to save the 'click' ;-)

Change "solaris.jobs.users" to "solaris.jobs.user" in /etc/security/prof_attr.
## 05/10/16 gww ##
The workaround should probably say change in /etc/security/prof_attr

 Thanks Rene for the pointer !

Posted at 07:20PM Feb 27, 2008 by Paul Walker in Handy IDM Bits  | 

Tuesday Jan 22, 2008

Attachmate No permission to run emulation

As you may know Sun Identity Manager can be used to manage identities that reside on Host systems such as 3270 Mainframes, in order to do this 3rd party libraries that provide the protocol support are required. If you try and use the Attachmate reflection for the web libraries with Sun Identity Manager and see within the application server logs the following error message:

IBM3270@D58939: No permission to run emulation.

 

 Then you'll need to add the following to your JVM launch script:

-Dcom.wrg.profile.dir=/pathToAttachmateLibFolder

 Here's a simple example using the command line:

C:\temp\Attachmate>java -Dcom.wrg.profile.dir=c:\temp\Attachmate com.wrq.rweb.Launcher
IBM3270@D58939: No permission to run emulation.
IBM3270@D58939: Reflection shutdown
com.wrq.enterview.Glue3270 loaded. [4,297ms]

and now specifying the location of the license.jaw file that comes with Attachmate:

 C:\temp\Attachmate>java -Dcom.wrq.profile.dir=c:\temp\Attachmate com.wrq.rweb.Launcher
IBM3270@676E3F: Reflection v9.5.36.100 starting [IBM 3270] **
IBM3270@676E3F: RWEB_CACHE = C:\Documents and Settings\pwalker\Local Settings\Temp\reflectionweb_pwalker
IBM3270@676E3F: RWEB_PREFS = C:\Documents and Settings\pwalker\reflectionweb
IBM3270@676E3F: USER_HOME = C:\Documents and Settings\pwalker

 




Posted at 12:06PM Jan 22, 2008 by Paul Walker in Handy IDM Bits  | 

Monday Jan 21, 2008

Sun Identity Manager & SGD Password Cache Integration

Last week at the Grenoble Software Technical Event based at the Grenoble Engineering Center in the French Alpes I demonstrated the integration of Sun Identity Manager and the Sun Secure Global Desktop (SGD) products. One area of interest was the SGD Password Cache integration. Why is this of interest? Well let me explain the use-case.

 SGDs raison d'ĂȘtre is to securely deliver your desktop anyplace anytime to almost any devise.  The applications on your desktop usually require a username & password to gain access. When you launch such an application for the first time SGD attempts to authenticate you to that application using the credentials which you specified when authenticating to SGD. If this fails then SGD will prompt you for a username/password to auth against the application, this is shown below:

 

 You can see above there's a "Save Password" checkbox that if checked will securely persist whatever you entered within SGD itself.

If you hit the default Administrative URL for SGD of http://<servername>/sgdadmin you'll be able to see the Password Cache entries, this is shown below. On the left hand side of this table is the user identity with which you authenticated to SGD itself, folllowed by the Server name which served up the application and finally the user identity which is understood by the application itself.

 

 So imagine the popular use-case where Sun Identity Manager is being used to process employee self-service password change. A user logs onto the system and invokes the Change User Password workflow via the webpage, they specify a new password and Identity Manager pushes this password out to the resource accounts that are linked. All of a sudden the password previously stored by SGD is out of sync with the target resource, now as a convenience we want to update the SGD Password Cache directly from within the workflow associated to the changeUserPassword IDM workflow process, how is this done?

 To start with I developed a NetBeans 6 Java project and imported the relevant SGD webservice jar files which where as follows:

 opt/tarantella/webserver/tomcat/5.0.28_axis1.2/common/lib
     axis.jar
     commons-discovery-0.2.jar
     commons-logging-1.0.4.jar
     jaxrpc.jar
     saaj.jar
     xerces.jar

 /opt/tarantella/webserver/tomcat/5.0.28_axis1.2/shared/lib
     sgd-webservices.jar

Before we go any further I'd strongly recommend reading the SGD webservices section on wikis.sun.com kudos to the SGD engineering team for sharing information like this in Wiki form for all to use :)

Those that know Sun Identity Manager workflow will understand how easy and simple it is to directly invoke java using XPRESS invoke command, the completed changeUserPassword workflow that calls the SGDHelper class to manage the SGD Password Cache can be downloaded here

Any questions or improvements feel free to chip in!

Password Cache? I'll get my coat ;)


 


Posted at 02:57PM Jan 21, 2008 by Paul Walker in Handy IDM Bits  |  Comments[1]

Extremely useful Firefox plugin

Ever missed a meeting due to time zone mistakes? Well being honest I think most of us have, worry no more this cunning little Firefox plugin called FoxClocks will cure your pain... most of us have our favorite plugins but this one really is simple and extremely useful here's a wee peak:

FoxClocks  

no excuses being late now....enjoy :)


In an attempt to spice up my blog page delivering a more entertaining experience I'll be posting clips from one of my favorite comedy shows of all time (subjective I know but true!) The Fast Show staring Paul Whitehouse.

Enjoy this clip from The Fast Show this time staring Johnny Depp, "Are you by chance American sir?"

**Talk to the hand disclaimer: My offend,  contains moderate swearing & sexual references **

Posted at 09:59AM Jan 21, 2008 by Paul Walker in Personal  | 

Monday Jan 14, 2008

Sun Grenoble Engineering Identity/Desktop Event

This coming week at the Grenoble Engineering Center I'll be presenting on the subject of Identity Management within the scope of desktop virtualisation, in particular integration with the Sun Secure Global Desktop product.   The agenda can be found here

The background to this was a proof of concept that I performed with Simon Ross and Graham Hares both Sun UK employees at a major communications customer within the UK.

 The technology integration was actually really quite straightforward, as a side thought, isn't this always the case, if it involves custom coding and buckets of glue it's likely it ain't gonna fly let alone scale.

We used the new version 4.4 of Secure Global Desktop (SGD) along with the Java Enterprise 5 release for Access Manager and Identity Manager. Without detailing every single configuration step the high level picture goes like this. We wanted to be able to achieve the following:

  • Single Sign On into Secure Global Desktop via Sun Access Manager using LDAP auth
  • Provision applications onto the SGD webtop using Sun Identity Manager
  • Provision user access to SGD using Sun Identity Manager workflow
  • Authorize application access via an external means, aka - LDAP group membership
  • Manage the SGD Password Cache such that when a user being managed by Identity Manager changed their password the SGD Password Cache was updated appropriately.

We achieved the first object using the Sun Access Manager Policy Agent 2.2 for Apache webserver 1.3, since SGD 4.4 uses Apache Webserver as the front end http listener. Install the policy agent in the usual manner making sure that this value is set within the AMAgent.properties file:

com.sun.am.policy.agents.config.profile.attribute.fetch.mode=HTTP_HEADER

 

This setting ensures that the userId of the authenticated session is passed through to Apache and then ultimately through to the Tomcat server that actually runs the majority of SGD. In order to complete the SSO through to SGD one needs to configure SGD for third party authentication. The SSO works since SGD inspects the servlet environment variable of REMOTE_USER and if present creates a user session.

The key step here (doco) in order to get it working is to modify the Tomcat server.xml to look like the following, this ensures that Apache forwards the value of REMOTE_USER to the Tomcat engine:

 

 <!-- Define a Coyote/JK2 AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" minProcessors="5" maxProcessors="75"
               enableLookups="true" redirectPort="8443"
               acceptCount="10" debug="0" connectionTimeout="0"
               useURIValidationHack="false" tomcatAuthentication="false"
               protocolHandlerClassName="org.apache.jk.server.JkCoyoteHandler"/>

 

The great thing is that SGD can be configured to run it's authentication and application policy engine from an external source, such as an LDAP server. This is termed, Directory Services Integration within SGD land and can be read about here the ideal companion here is the Sun LDAP Directory Server.

 Using the Sun Access Manager Realm ResourceAdapter from within Sun Identity Manager we provisioned users directly into Access Manager giving them the ability to SSO into SGD.  Using Identity Manager workflow self service workflows enabled users to request access to Access Manager LDAP Groups which drive the application visibility from their SGD webtop.

So the Sun Directory Server is the backbone here, providing the persistent storage for users and groups. This LDAP server provides the SSO repository as well as for the means for application access from SGD (if a user is within this particular LDAP group then they get access to this application from SGD).

So yes this was brief and not a detailed write up but what it proves is that it is possible and fairly straight forward to protect Secure Global Desktop using the Sun Java System Access Manager and provide Single Sign On services. This brings about a ton of advantages let alone the possibility of using one of the many authentication schemes provided by Access Manager out of the box.






 

Posted at 01:02PM Jan 14, 2008 by Paul Walker in Sun  |  Comments[1]

Tuesday Dec 18, 2007

Forrester Wave

Having just spent a week locked in a snow bound room at the Sun Burlington campus I'm pleased to say that we successfully completed the Forrester Wave event. Forrester sent over an Identity Management analyst who walked through a thorough set of use-cases regarding Identity Management.

Now some of you might remember back in January 2006 Sun where voted by Forrester the leader in the User Provisioning Market with our Sun Java Systems Identity Manager product.

It was a real challenge to demonstrate all the use-cases in the one day time limit we were given, usually to walk through such a wide range of topics relating to Identity would take at least several days if not a week. Forrester where interested in seeing Identity Management use-cases relating to use compliance (certification and SOD), ease of provisioning to federation and access management (both Web SSO and Enterprise SSO). Needless to say we where all impressed by the stamina and range of knowledge with the Forrester analyst, not many people could keep up with the huge array of Identity Management experience and knowledge that Sun fielded that cold day in Boston.

Expect to see the report from Forrester in the first quarter of 2008.

Posted at 12:10PM Dec 18, 2007 by Paul Walker in Sun  | 

Wednesday Dec 05, 2007

Java Date Comparisons In Identity Manager

During my POC rounds I often come up against Identity Management requirements to manipulate date strings, for example, a contract hire date coming from a HR feed inside a CSV file, when should this user be provisioned? When should this user be deprovisioned? How long should this compliance violation be mitigated? I'm often re-writing the same piece of logic so the logic implies that others using Sun Identity Manager are doing similar, so I'll post my contribution to this blog mainly to stop me loosing it all the time (doh)... So here's the java version with the code logic adapter to XPRESS. Just to note that from within Identity Manager both Java and XPRESS can be called so you're free to select your poison ..
 

import java.text.ParseException;
import java.util.Calendar;
import java.util.Date;
import java.util.GregorianCalendar;
import java.text.DateFormat;
import java.text.SimpleDateFormat;
 public class DateTestEADS{
   
public static void main (String args[]){
	String dateString = "31.10.2007";
	Calendar todayCal = Calendar.getInstance();
	Date todayDate = todayCal.getTime();
        SimpleDateFormat format = new SimpleDateFormat("dd.MM.yyyy") ;

        // Parse the date        
	try {
		Date endDate = format.parse(dateString);
		System.out.println("Original string: " + dateString);
		System.out.println("Parsed date    : " + endDate.toString());
		System.out.println("Todays date	   : " + todayDate);
		Calendar endCal = new GregorianCalendar();
		endCal.setTime(endDate);boolean result = endCal.after(todayCal);           
		System.out.println("Q:Is the date " + dateString + ", after today? A:"+result);
        }
        catch(ParseException pe) {            
		System.out.println("ERROR: could not parse date in string \"" + dateString + "\"") ;
        }
   }
}

Here's the same logic in XPRESS

 

<RuleArgument name='dateString' value='31.12.2007'>
    <Comments>A date such as "31.10.2007" as a string</Comments>
    <String>31.12.2007</String>
  </RuleArgument>
  <block>
    <defvar name='todayCal'/>
    <defvar name='todayDate'/>
    <defvar name='endDate'/>
    <defvar name='endCal'/>
    <defvar name='format'/>
    <set name='todayCal'>
      <invoke name='getInstance' class='java.util.Calendar'/>
    </set>
    <set name='endCal'>
      <new class='java.util.GregorianCalendar'/>
    </set>
    <set name='todayDate'>
      <invoke name='getTime'>
        <ref>todayCal</ref>
      </invoke>
    </set>
    <set name='format'>
      <new class='java.text.SimpleDateFormat'>
        <s>dd.MM.yyyy</s>
      </new>
    </set>
    <block name='parse the date'>
      <set name='endDate'>
        <invoke name='parse'>
          <ref>format</ref>
          <ref>dateString</ref>
        </invoke>
      </set>
      <invoke name='setTime'>
        <ref>endCal</ref>
        <ref>endDate</ref>
      </invoke>
      <invoke name='after'>
        <ref>endCal</ref>
        <ref>todayCal</ref>
      </invoke>
    </block>
  </block>



Posted at 10:14PM Dec 05, 2007 by Paul Walker in Handy IDM Bits  | 

Tuesday Nov 27, 2007

Enterprise Role Management, any good?

If you follow Identity Management and have been awake recently you'll have seen the buzz around the Vaau "intent to acquire" made by Sun, if not check here. I had the privilege to work alongside Vaau on a proof of concept recently for a major UK retail financial institution. This particular prospect had requirements for Identity, Access and Role Management and had selected Sun and another vendor.

The requirements where pretty typical these days I'd guess and an increasing number of deals are mandating that RBAC be included in their product evaluation criteria:


  1. User Onboarding using complex rule based provisioning

  2. Approval based User provisioning

  3. User Certification

  4. Audit & Reporting

  5. Role Mining and Role Management



So what does Role Mining and Role Management actually mean?
In we went with the Vaau RBACx product and Sun Identity Manager version 7.1 First steps where to integrate the two products, Tomcat was selected for ease and speed of installation as the web container for the two products. In little more than a couple of hours we had both RBACx and Identity Manager products up and running on good old :8080 Integration between the products is simple and effective (most things worth their salt are aren't they?) using SPML SOAP calls to pass information relating to Users, Roles and Role Membership between RBACx and Identity Manager. Here's a rough stab at the methodology assumptions in place:

  1. Build an Identity Warehouse containing users and their access to all critical applications (both managed and non-managed systems)
  2. Launch certification and audit (continuous monitoring)

  3. Start deployment of IdM solution (unless one exists already)

  4. Perform Role Engineering in RBACx (using a hybrid approach, both top down and bottom up)

  5. Require Manager sign-off on candidate Roles

  6. Assign Role Owners to Roles

  7. Export roles into the Sun IdM solution

  8. Perform continuous role management


The sample data set provided by the customer wasn't extremely large and contained pretty well uniquely defined roles, such that say the HR extract contained 50 records per business unit each User within the BU had a distinct job function. This made mining on HR data pretty pointless for the product eval since we'd have ended up with 50 Roles and 50 Users, it was the ability for the product to aggregrate the data provided (remember it's just a test and not a complete set of user attributes). So we performed the Role Mining based upon business unit and not solely the HR data. This worked extremely well, identifying the Roles and User Role Memberships, exporting these information into Sun Identity Manager using the SPML protocol and then re-provisioning any Users who's current resource account entitlements differed from what was certified within the Enterprise Role Management tool.

Both tools worked extremely well together, non-intrusive, easy to configure, both web based and both responsible for their own domain within Identity Management. With the pending acquisition of Vaau and their RBACx product Sun will become well placed to chase the pure-play User & Role Certification opportunities currently out of their reach.



For more information on RBACx and Sun Identity Manager check out this link

Posted at 07:09PM Nov 27, 2007 by Paul Walker in Sun  |  Comments[2]

Sun Identity Manager 7.1 Update 1 RELEASED!

Not a major release but the first official update for the provisioning product of choice, Sun Identity Manager, readme can be found here Enjoy

Powered by ScribeFire.

Posted at 05:28PM Nov 27, 2007 by Paul Walker in Sun  | 

Realm or Legacy?

If you've ever, like me, wanted to know if an Access Manager installation has been deployed in Realm mode or not there's a simple test you can perform from within the browser

http://FQDN_server:port/amserver/SMSServlet?method=isRealmEnabled


Powered by ScribeFire.

Posted at 05:23PM Nov 27, 2007 by Paul Walker in Sun  |  Comments[1]

DSEE 6.2 Windows Server 2003 Installation Notes

DSEE 6.2 Windows Server 2003 Installation Notes

Obtain the zip file from here

  1. Unpack the DSEE6.2 zip file... c:\Temp\DSEE62 using folder names
  2. c:\Temp\DSEE62\dsee_deploy install --install-path c:\DSEE62 --no-inter
  3. C:\DSEE62\ds6\bin>dsadm create -p 44444 -P 44445 c:\DSEE62\sedemo
    Choose the Directory Manager password:
    Confirm the Directory Manager password:
    Use 'dsadm start 'c:\DSEE62\sedemo'' to start the instance
  4. C:\DSEE62\ds6\bin>dsadm start c:\DSEE62\sedemo
    Waiting for server to start...
    Waiting for server to start...
    Server started: pid=8132
  5. C:\DSEE62\ds6\bin>dsadm stop c:\DSEE62\sedemo
    Server stopped
  6. C:\DSEE62\ds6\bin>dsadm enable-service --type WIN_SERVICE c:\DSEE62\sedemo
    Instance c:/DSEE62/sedemo registered in WIN_SERVICE
  7. Deploy the DSCC
    Stop Tomcat
    Copy C:\DSEE62\var\dscc6\dscc.war to Tomcats webapps folder
    Start Tomcat
  8. C:\DSEE62\dscc6\bin>dsccsetup initialize
    ***
    DSCC Application cannot be registered because it is not installed
    ***
    DSCC Agent is already registered
    ***
    Choose password for Directory Service Manager:
    Confirm password for Directory Service Manager:
    Creating DSCC registry...
    DSCC Registry has been created successfully
    ***
  9. C:\DSEE62\dscc6\bin>dsccreg add-server -d SEDemo_Directory c:\DSEE62\sedemo
    Enter DSCC administrator's password:
    c:\DSEE62\sedemo is an instance of DS
    Enter password of "cn=Directory Manager" for c:\DSEE62\sedemo:
    Enter password of "cn=Directory Manager" for c:\DSEE62\sedemo:This operation will restart c:\DSEE62\
    sedemo.
    Do you want to continue ? (y/n) y
    Starting c:/DSEE62/sedemo
    Connecting to c:/DSEE62/sedemo
    Enabling DSCC access to c:/DSEE62/sedemo
    Restarting c:/DSEE62/sedemo
    Registering c:/DSEE62/sedemo in DSCC on localhost.
Et voila.... everything works first time... not bad for those Sun critics that say our products aren't great on Windows!!! :)






Powered by ScribeFire.

Posted at 05:19PM Nov 27, 2007 by Paul Walker in Sun  |  Comments[2]

Today's Page Hits: 20

attachmate date desktop dsee firefox global grenoble identity identity+manager identitymanager java management manager plugin rbac rbacx roles secure sgd solaris sun test vauu webservices xpress