I'll Get My Coat
Identity Management? I'll Get My Coat...
DIE IE ESC DIE !!
We all love the Fox but sometimes there's no getting away from brave old Internet Exploder. Recently whilst working on a Test Sandboxed Windows2008R2 Server system this became so frustrating , "Do you want to trust microsoft.com?" message dialogs for example that I had to disable it.. Now on previous versions of Windows I knew how to do this, on 2008 it took me some time, and hence the raison d'être for this blog post. Disabling IE Enhanced Security Configuration is relatively easy, ignore all the warnings at your own risk 
Follow these simple steps, open Server manager, go to the Security Information and see what's currently enabled. Then click on the right hand side you'll find "Configure IE ESC". This opens up the dialog where you can disable IE ESC.
Infrastructure Software: The Billings Hot Spot within Sun?
Reading Sun's investor earnings release for Q1 FY10 here we can see that one of the few billing line items that has grown quarter by quarter throughout FY08, FY09 and now into FY10 is the MySQL/Infrastructure. As fiscal year FY09 came to a close we can see that billings for MySQL/Infrastructure where $313m up from $208m the previous fiscal year. So whilst some analysts and spokespeople say that Sun Identity (which comes under Infrastructure) is on the way out, no longer a leader, we can see that Identity continues to grow, even in these challenging times..
Increasing billings, quarter by quarter against the tide? I'll get my coat.
Integrating Sun Role Manager v5 with Oracle Identity Manager
Sun Role Manager (SRM) can work in an offline or online mode with a Provisioning Server such as Sun's Identity Manager, other provisioning engines can be used such as CA, IBM and Oracle. In this blog posting we'll go through the steps required to integrate SRM 5 with Oracle's Identity Manager v9.1.0.
For this exercise I used a Windows XP image, purely to keep things simple as they can be.
Integration Steps:
- Install Sun JDK 1.6.0_10
- Install Oracle 11g RDBMS and Oracle Identity Manager, using JBoss 4.2.3 GA follow the steps defined here
- Install the OIM Design Console and test connectivity with the OIM Server. Extract the customClient.zip into c:/oracle/customClient
- Edit the c:/oracle/customClient/config/xlConfig.xml to the JBoss environment such as
- Deploy SRM into Glassfish not forgetting to set the RBACX_HOME system environment variable.
- Edit the /rbacx/WEB-INF/iam-context.xml file not forgetting that there are several edits that must be performed within this file. First one is to uncomment the oracle provisioning server;
- Second edit is to enable the OIM bean by removing the comments <-- and --> around the OIMIAMSolution Bean entry
- Next edit is to remove or preferably comment the lines starting <property name="namespaceMap"> down to the closing tab of the line <property name="secPolicyMap">
- Next copy the jar files from c:/oracle/customClient/lib into rbacx/WEB-INF/lib , originally in testing I had expected to copy the c:/oracle/customClient/ext jar files as well but this proved not necessary and in fact copying these 'ext' folder jars caused conflicts with the Apache xerces classes.
<CoreServer>
<java.naming.provider.url>jnp://localhost:1099</java.naming.provider.url> <java.naming.factory.initial>org.jnp.interfaces.NamingContextFactory</java.naming.factory.initial> </CoreServer>
</Discovery>
<bean class="com.vaau.rbacx.iam.service.impl.RbacxIAMServiceImpl" parent="baseServiceSupport" >
<property=name="iamSolutions">
<entry key="oracle">
<ref local="oim"/>
</entry>
</property>
<bean id="oim" class="com.vaau.rbacx.iam.oracle.OIMIAMSolution" parent="abstractIAMSolution">
Failure to do this edit will result in errors when the SRM starts.
We're not quite done yet with this file, next we must configure the OIM connection information:
<property name="loginConfig">
<value>C:/oracle/customClient/config/auth.conf</value>
</property>
<property name="maxStaleDays">
<value>1</value>
</property>
<property name = "excludeFlag">
<value>1</value>
</property>
<property name="oimHome">
<value>C:/oracle/customClient </property>
- In order to prevent the following stack trace you must copy the jbossall-client.jar from the OIM Design Console installation to the rbacx/WEB-INF/lib
10:05:55,238 ERROR [JBOSSLOGINHANDLER] Error in creating login context
javax.security.auth.login.LoginException: unable to find LoginModule class: org.jboss.security.ClientLoginModule
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:808)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at Thor.API.Security.LoginHandler.jbossLoginHandler.login(Unknown Source)
at Thor.API.Security.ClientLoginUtility.login(Unknown Source)
at Thor.API.tcUtilityFactory.
- Now at this stage you might think we're done copying jars and so on but there's one final thing we need to do, copy the log4j-1.2.8.jar from the JBoss server to the rbacx/WEB-INF/lib , this is also required to get your OIM Design Console to work properly with JBoss otherwise you will see the following stack trace:
Then 11:44:41,261 ERROR [JBOSSLOGINHANDLER] Error in creating login context javax.security.auth.login.LoginException: java.lang.NoSuchFieldError: TRACE at org.jboss.logging.Log4jLoggerPlugin.isTraceEnabled(Log4jLoggerPlugin.java:85) at org.jboss.logging.Logger.isTraceEnabled(Logger.java:122) at org.jboss.security.ClientLoginModule.initialize(ClientLoginModule.java:96) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
- To enable log4j trace of the OIMIAMSolution class that does the heavy lifting between OIM and SRM you must edit the rbacx/WEB-INF/log4j.properties to include the following:
- Now we're ready to create the OIM Provisioning Server inside of Sun Role Manager. Login as an administrator and setup something similar to this, note that there's no Test Connection with the Oracle provider class inside of SRM so you'll need to run a scheduled job to flex the interface before any errors show up.
#Oracle Identity Manager Settings
com.vaau.rbacx.iam.oracle=DEBUG
It's always a good idea when testing integration with a provisioning server to set the OOTB IAM log4j to debug until things have settled down a bit
#RBACx IAM logging
log4j.logger.com.vaau.rbacx.iam=DEBUG
There you go, good luck, it took me some time to figure out all the pieces. More importantly what is colleague John Walsh "The Sultan" typing ?!
OpenDS Weather Station
Thanks to the fellow engineers at the Grenoble Engineer Centre for blog posting this eXcellent innovation from the OpenDS engineering team, how cool is this. Arnaud describes this as, "This is basically a simple setup with a USB Bit Whacker controlled by a
Python script, feeding it data crunched from various sources, mainly
the Directory Server access log, the garbage collection log and
kstats... the result is a useful dashboard where I can see things
happen at a glance.".
Here's a sneak view.. Bravo Arnaud !
Sun Role Manager 5 Released!
| Download Sun Role Manager version 5 today .. 43Mb of User and Role compliance goodness! |
|
| For the first time Sun Role Manager is available for public download at http://sun.com/rolemanager |
 |
| |
|
If you're bugged by User Certification(Attestation) requirements or interested in Role Engineering (RBAC), Mining and Lifecycle Management be sure to check out if Role Manager meets your needs. This version 5.0 release contains many improvements over the previous releases including (but not limited to!) some treats such as :
- Improved Entitlement Management using the new Application concept which are containers for one or more entitlements on one or more resources. Applications are now available in the Identity Warehouse along with Business Units, Users, Roles, Policies, and Resources. Entitlements can be grouped by Application during User Entitlement Certifications.
- Rule Lifecycle Management Supports Rule Versioning, Rule Approvers, Rule History, Rule Impact Analysis.
- Event Listeners You can create Event Listeners to respond to certain events within the Role Manager system, such as updating a particular attribute on a User. This will trigger the Event Listener into performing one of four actions; 1) User to Business Unit rules 2) User to Role assignment rules 3) Audit Policy Scan and 4) Certification
- Identity Audit enhancements both functional and in terms of runtime performance
Plus many many more...
One area that has received a lot of attention is the integration between Sun Identity Manager and Sun Role Manager. Once I've had chance to flex this thing I'll write more on that topic.
Public Role Manager page is available here , simply click on the "get it" tab to login and download the binary zip.
PS... For ease of installation set the RBACX_HOME environment variable for your system and you should be good to go without having the need to swap tags in XML files...
Yeee....
Roll Your Own - Sun Role Manager Toolkit
For those of you out there using Sun Role Manager this could be of great interest to you, a set of home grown Sun Role Mgr deployment tools from a Sun blogger 'Han-Dat'. Functionality available ranges from changing and encrypting user and service account passwords to the ability to generate business structures and much much more in a GUI and CLI format !
Check it out here
Applet problem with JRE1.6.10 fixed in Sun IM 8.1 Patch3
Those of you who've noticed the annoying java applet display issues with the Sun JRE1.6_10 and Sun Identity Manager will be interested in this latest patch release from Sun that provides a fix for bug number 20880. The patch can be downloaded from sunsolve, the documentId is "141642-03" and the description "Identity Manager 8.1 Patch 3" or try this download link
Don't forget to check your md5 hashes against md5sum.txt
Generating Unique ASCII AccountIds
In many situations on my travels I've been requested by customers to show how we can generate UID attribute values that are ASCII only. Take for example the name TODORIć SNJEžANA or for example the French name, Françoise, we want to replace the ç with an ASCCI c. Since using extended characters for userNames can actually break many systems that expect ASCII only. For this reason I'm sharing some code that I've reused many many times during proof of concepts with Sun Identity Manager.
First of all we're assuming you're in an ActiveSync scenario here, so we've got a <Field> element on an ActiveSync form. Let's see how we'll call this Rule to generate a unique Identity Manager accountId using ASCII characters only.
<Field name='waveset.accountId'>
<Expansion>
<rule name='Custom - Generate IDM Account Id'>
<argument name='p_firstname' value='$(activeSync.firstname)'/>
<argument name='p_lastname' value='$(activeSync.lastname)'/>
</rule>
</Expansion>
</Field>
The Rule "Custom - Generate IDM Account Id" iterates over the input strings and checks each character replacing it with a specificied ASCII alternative.
In the Rule called "Custom - Test String" there's a list of source characters that will be taken as the source list of characters to replace
<set name='sourceList'>
<List>
<String>Ć</String>
<String>Š</String>
<String>Č</String>
<String>Ž</String>
<String>Đ</String>
<String>è</String>
</List>
</set>
In the Rule called "Custom - Swap Char" there's the actual case statement that does the swap between the original non-ASCII char and the specified ASCII alternative.
<case>
<s>Š</s>
<s>S</s>
</case>
<case>
<s>Ć</s>
<s>C</s>
</case>
<case>
<s>Ž</s>
<s>Z</s>
</case>
<case>
<s>Đ</s>
<s>DJ</s>
</case>
Finally, the Rule "Custom - Generate IDM Account Id" ensures the generated candidate accountId is unique by querying the IdM repo and using a numeric suffix to ensure uniqueness.
You can download my original XML Rules here
Evolution not Revolution
If you've not yet noticed the OpenDS engineering team have released their latest build namely OpenDS 2.0.0-RC1, as usual you can install from a zip or a super-simple online install via Java WebStart. Over in presales at Sun we're using OpenDS all the time in our demonstration environments, it's super fast, super easy to get up and running in no time at all.
To checkout what's new in this build here's the changelog
As you can see there's been some welcome additions to the Control Panel recently now with the ability to manage every day items such as import/export LDIF, creating new base DNs and managing indexes. One step at a time fella's nice and steady as she goes
Pat Patterson interviewed at EIC
Felix Gaehtgens interviews my good buddy Pat Patterson, Sun Microsystems at the European Identity Conference 2009..
Watch with interest as Pat drinks on the job
Provisioning Disconnected (External) Resources
Introducing a great new feature inside Identity Manager 8.1, the ability to manage provisioning to target systems that are not on-line, or synchronous. System targets that may be provisioned manually today can now be integrated into Sun Identity Manager using out-of-the-box functionality. No need for complex workflow or user interface modifications. This new feature is referred to as "External Resources" and is available with the latest version of Sun Identity Manager.
Examples of External Systems would include a badge system with no API, or a procurement request for a cell phone or laptop again using a manual process perhaps interacting with closed systems with no API. During onboarding manual processes, such as sending and receiving fax's or emails or even telephone calls would take place in order to complete the provisioning request. Whilst this works today there's often problems occuring from forgotten work, or badly worded instructions etc giving rise to problems in the order-delivery process (imagine a laptop coming mis-configuring and the resulting cost to get this problem resolved).
We've seen that once customers get their provisioning systems deployed, often by third parties, the cost of introducing new provisioning targets can be expensive and disruptive. Hence often the provisioning systems tend to stagnate as new targets are introducted. Using the External Resources from Sun Identity Manager allows customers to easily integrate a new provisioning target that may be offline, or maybe online, it just depends
So the External Resource is assigned to Users just as with any other resource. It's what happens behind the scenes that's different which we'll come to discuss laters.
So I'm editing a User record and want to assign a Mobile Phone to the user, what does this look like? Here's a screen shot of editing a user and assigning an External Resource that represents provisioning a Mobile Phone to a user.
Sun Identity Manager has a virtual Identity approach, where is the data associated with the External Request actually stored if the target system does not have an API? Good Question!! As part of the configuration of the External Resources you must tell Identity Manager where to store this information, today out-of-the-box we have two choices 1) Inside a relational database or 2) Inside LDAP.
Inside
my example I'm using a MySQL database, inside this database we've got a
tabled called "attributes" that stores the values for the external
resource account as shown below. This information is passed along to
the external provisioner by either email or by out-of-the-box
integration with Remedy helpdesk:
So back to our process of assigning the Mobile Phone resource to the user John Doe, once the Save button is pressed and Sun IDM stores the external resource attributes in our relational table we see the following Provisioning Request pending processing:
Next step is for the ProcurementAdmin to process the external provisioning request, so this would involve any number of manually performed steps. Perhaps call/fax/email a third party provider of mobile telephones and request one on behalf of John Doe. After a period of time the mobile phone will arrive in the hands of the ProcurementAdmin and they will complete the process by logging into Sun Identity Manager and editing the pending workItem stating it's been completed.
On a recent customer engagement I had to use this new feature with the integrated Remedy HelpDesk support, out of the box there's a built in notifier into this new process of provisioning External Resources, the notifier can be email or Remedy ticket based.
If Remedy is selected then the really cool thing is that the Provisioning Request workItem (that we completed above) is *automatically* completed by a polling system that will check at predetermined points in time whether or not the Remedy Ticket has been completed. This way the ProcurementAdmin use case actor does not have to log into Sun Identity Manager to manually state the asynchronous provisioning has been completed successfully, the system detects this, audits it, emails the requestor stating that the provisioning has been completed and then closes down the workItem... How cool is that??! And yes, it really does work as I found out recently. For those that are interested here's the XML block that is appended to the WSUser object for the Remedy Ticket Deferred Workflow task..
<properties>
<property name="tasks">
<list>
<object name="External Resource Remedy Deferred Task">
<attribute name="authorized" value="true">
<attribute name="date">
<date>2009-04-28T07:19:10.732Z</date>
</attribute>
<attribute name="remedyRule" value="Sample External Remedy Rule"/>
<attribute name="remedyTemplate" value="Mobile Phone External Remedy Template"/>
<attribute name="task" value="External Resource Remedy Deferred Task"/>
<attribute name="ticketId" value="000000000000071"> </attribute>
</object>
</list>
</property>
As you can see above the Remedy TicketID is stored against the WSUser object, this way Sun IDM can query Remedy to see if the Remedy Ticket has been closed off, if so then we automatically close off our provisioning request workItem.
So there you have it, to summarise, External Resources new in Identity Manager 8.1 allow for disconnected or asynchronous provisioning. Fully audited including OOTB email or Remedy integration Sun Identity Manager now provides a solution for those sites where it's either too expensive or not suitable (no API) to include a online provisioning target.
Sun Identity Gets a FaceLift
If you've not yet seen it, pretty late myself actually, the Sun Identity launch page has had a face lift, making it easier to get to stuff you actually want.. check it out today http://www.sun.com/identity
Oracle & Sun IdM Stack, One Perspective from KuppingerCole
Hello Everyone, well... what interesting times we come to, our number one competitor in the Identity Management space has stepped up and has announced plans to acquire us, sure you've all seen the news... assuming everything goes through as planned, what would any future Identity Management stack look like? Oracle have a very comprehensive and broad line of products from many recent acquisitions, Sun's stack is no where near as wide but does the river run more deeply with the Sun products? We'd like to think so but obviously and most importantly need to share these thoughts with our prospective new employers and here their opinion. This was an acquisition of Sun after all and not a merger.
Another interesting point is in the interim period prior to the acquisition being formalised (where Sun are still an independent) and I'm looking at my presales proof-of-concept (PoC) run list for the coming weeks and months and seeing a whole bunch of PoCs where we (Sun) are up against Oracle as our primary competitor, makes for interesting times !
Personally I'm looking forward to sharing with our new colleagues our roadmap plans, some confidential, some openly broadcast on the open source forums of dev.java.net (think OpenSSO) and seeing how Oracle perceive these plans.. If business as usual is anything (Think back to the Siebal and PSFT acquisitions etc) to go by at Oracle regarding acquisitions then its likely that no customer will be left behind this shows Oracle's integrity to customer commitment and is reassuring news for both Oracle and Sun Identity Mgmt customers who've invested in IdM software tech.
Here's one perspective from KuppingerCole on how the shake down could look like:
http://www.kuppingercole.com/articles/fg_mk_oracle_sun220409
Identity Connectors IRC Channel
Following in the footsteps of other Sun Identity Management open source IRC rooms such as #opends and #opensso you can now find a dedicated IRC room for the new open source Identity Connector technology that's previewed in Sun Identity Manager 8.1. The room is available at #identityconnectors
JOIN ##iam,#opends,#opensso, #identityconnectors
Sun Identity Manager 8.1 RELEASED
Hot off the press Sun Identity Manager 8.1 is now available for download from sun.com here
Continuing to refine and improve our provisioning server version 8.1 brings many new features including improved integration with Sun Role Manager and a leap forward in third party software integration with the new open source "Identity Connectors". This new project on dev.java.net can be accessed here. I'll blog more about what the new Identity Connectors bring us later. For now check out the download site and get it up and running using either Netbeans or Eclipse with the integrated development environment plugin for Sun Identity Manager for either IDE.
Also new to this release is the concept of 'disconnected resources', again I'll go deeper into exactly what this means once I've got time. I'm off to download this latest version and run it up inside Netbeans 6.5
Cheers
Identity Suite Tutorials Available Online for FREE
If you're looking to get an insight into the Sun Identity product stack by following some self-paced short labs there's some great online material available in Wiki format here
Great to see initiatives like this.
Open Source President ?
Sure many of us feel in a better mood now that Obama has taken over in the White House. Interesting to see his comments on transparency of government in his administration and to complement his words our very own Scott McNealy is preparing a paper to call upon Washington to adopt Open Source software , interesting article showing what Scott's up to, check the BBC technology article here
It will certainly be interesting to see how the growing adoption of our open source software solutions continues to grow over the next 12 to 18 months.
To keep up the good vibes here's a clip from something I miss o so much, The Fast Show on the BBC... Here's Rowley Birkin describing how he's "a VERY considerate lover"
Sun IdM & Virtual Desktop Infrastructure Demonstrator
So I finally got around to encoding and uploading this video that shows in about 10 minutes how the Sun Identity Management suite can complement the Sun VDI product. The products used in this demon included the following (in no particular order)
- Sun OpenSSO Enteprise
- Sun Identity Manager
- Sun Directory Server Enterprise Edition
- Sun Ray Server
- Sun Secure Global Desktop
- Sun VirtualBox
- Sun VDI
- OpenSolaris 2008.11
Our goal (Joachim Andres and I) was to show how Sun are uniquely placed to provide the whole stack from the operating system, smartcards, SunRay thin client device, through to the desktop delivery mechanism including the actual virtualised image and to top it all off a splash of Identity Management (IdM) in the form of Single Sign On and Provisioning services.
The benefits of the Sun Virtual Desktop solution are so many it's hard to actually express it clearly I keep fumbling I truly believe that this market is huge and one hopes that Sun and their partners can make significant progress helping our customers implement desktop virtualization. I'm not going to list all the benefits of Sun VDI and the supporting software stack above, I'll let the VDI product manager explain in person here
Remember, your desktop is not your PC or Mac, it's where you get your work done ! The desktop can be delivered independent of the actual physical device you're using, that's the whole point, use the internet to get your work done wherever you may be and whatever device you may be using.
Hope you find the demo useful, it actually includes several use-cases that I had to deliver to a Telco in the UK on a proof of concept, so these are real customer driven use-cases. Here's the demo link
Sun Wins Big in Developer.com Product Of the Year
Great news from Developer.com, Sun did well in their 2009 web voting for development products, here are some of the highlights from their polls... and of course our favourite OpenSSO Enterprise from our Identity Management Suite of products.
Sun winners!
Security Winner: OpenSSO Enterprise
Development Tool Winner: NetBeans Platform
Development Utilities Winner: NetBeans Profiler
Wireless/mobile Winner: NetBeans Mobility Pack for Connected Device Configuration (CDC) 5.5
Database Tool Winner: MySQL™ workbench
OpenSource Winner: NetBeans
Fantastic stuff, really good news at a time of global doom and glooooome.
Sun named as leader in Burton Provisioning Market RoundUp
Burton name Sun as a leader in Identity Provisioning
[Read More]Quality Assurance and OpenDS
Quality Assurance in an Open Source Softwar World, A Real World Case Study: Sun OpenDS
[Read More]Grenoble, Hotter than London according to Yahoo!
Yahoo! invests in Grenoble..... France, No longer just long holidays and good food (not forgetting the ski!)
[Read More]Update: MySQL & Sun Identity Manager, Playing Together Nicely (again)
MySQL. Supported (once again) with Sun Identity Manager v8 patch4
[Read More]How can Sun Identity complement Sun's Desktop Virtualization solution?
Sun VDI & IdentityMgmt. Suns hidden killer app?
[Read More]RockNRole Simon
A quick blog to say that a colleague who I work with has taken up blogging, Simon Moffatt is a RBAC/Role and Compliance expert and joined us from the Vaau acquisition. Take a peek... We're lucky to have the benefit of Simon's experiance working with the now Role Manager product across Europe. Welcome Simon!
Eureka!
Congratulations to those at Eurikify, enjoy your new home!
News posted yesterday concerning CA to acquire the role management vendor.
This surely reinforces the Role Compliance and Role Lifecycle Management investment taken by Oracle and Sun on their acquisitions of Enterprise Role Management products (Bridgestream and Vaau respectfully). It was surely only a matter of time before other big boys swooped on the remaining pure play vendors such as Eurikify..
Question is who's next?
Looking at the big Identity Management Suite vendors there appears only to be Novell and IBM who haven't announced some kind of enterprise role management/role compliance suite component.
On a lighter note.... 'Irish Obama' song is web hit
Working with many a close Irish Colleagues at Sun is always a pleasure, it turns out now that the new President of the U.S.A. also has some Irish roots, this made me chuckle...
Sun Secure Global Desktop and OpenSSO Integration
A close colleague of mind, Joachim Andres , myself and Andy Hall worked together on a customer project to setup web SSO integration using OpenSSO with Sun Secure Global Desktop. This work we did is a great example of the use of policy agents with existing applications and using trusted authentication mode with SGD (with Directory Services Integration configured for SGD in the background). The policy agent sets the REMOTE_USER
server variable and SGD is configured to pick that up rather than use
its own login page. With that, and a tweak to SGD's logout logic to
send the browser to OpenSSO's logout page, we have a very neat
integration. Download the document that Joachim wrote here
Today's Page Hits: 318
Contact
www.flickr.com
|
Disclaimer I work at Sun Microsystems. The opinions expressed here are my own, and neither Sun nor any other party necessarily agrees with them.
Blogging Calendar
| « November 2009 | ||||||
| Mon | Tue | Wed | Thu | Fri | Sat | Sun |
|---|---|---|---|---|---|---|
1 | ||||||
2 | 3 | 4 | 5 | 7 | 8 | |
| 10 | 11 | 12 | 13 | 14 | 15 | |
16 | 17 | 18 | 19 | 20 | 21 | 22 |
23 | 24 | 25 | 26 | 27 | 28 | 29 |
30 | ||||||
| Today | ||||||