I'll Get My Coat

Identity Management? I'll Get My Coat...


Tuesday Apr 15, 2008

Role Manager (RBACx) WebServices

Sun's new GRC market entry product, Sun Role Manager (formerly Vaau RBACx), offers a wealth of webservice integration points. I recently worked on a project integrating with the WSDL interface of Role Manager, so here's some information about how to enable the services and what can be achieved by doing so...

The webservice interface of RBACx is not enabled by default. To enable it, follow these steps:

1. Shut down the RBACx webcontainer

2. Edit /webapps/rbacx/WEB-INF/web.xml, adding the following servlet definition and mapping:

<servlet>
    <servlet-name>ws</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
</servlet>
<servlet-mapping>
    <servlet-name>ws</servlet-name>
    <url-pattern>/ws/*</url-pattern>
</servlet-mapping>

3. Restart the webcontainer

4. Consider using SoapUI as a testing tool, pointing it at the RBACx instance to consume the WSDLs:

http://localhost:8080/rbacx/ws/auditService?wsdl
http://localhost:8080/rbacx/ws/businessUnitManagementService?wsdl
http://localhost:8080/rbacx/ws/logService?wsdl
http://localhost:8080/rbacx/ws/roleManagementService?wsdl
http://localhost:8080/rbacx/ws/userManagementService?wsdl

The RBACx webservice requires authentication. This can be performed in a number of ways, for example with a WS-Security UsernameToken header as in the following request:

<soapenv:Envelope xmlns:ser="http://service.api.rbacx.vaau.com"
                  xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <wsse:Security s:mustUnderstand="1"
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
        xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
      <wsse:UsernameToken>
        <wsse:Username>rbacxadmin</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>
    <ser:findActiveUsers>
      <ser:in0>10130</ser:in0>
    </ser:findActiveUsers>
  </soapenv:Body>
</soapenv:Envelope>
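The same UsernameToken request built programmatically, as an added example (not code from the original post or from Role Manager itself): it reproduces the PasswordText header above and can alternatively emit the UsernameToken profile's PasswordDigest form, so the password itself is not on the wire. Whether a given RBACx deployment accepts PasswordDigest is an assumption to confirm against its WS-Security configuration; the operation name findActiveUsers and the in0 parameter are taken from the request above.

```python
"""Build the WS-Security UsernameToken SOAP request shown above.
Added example, not code from the original post or from Role Manager."""
import base64
import hashlib
import os
from datetime import datetime, timezone
from xml.etree import ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
SER = "http://service.api.rbacx.vaau.com"   # service namespace from the request above


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken profile 1.0: Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def build_request(user, password, operation, args, digest=True, nonce=None, created=None):
    """Return the SOAP 1.1 envelope as bytes.  digest=False sends the password as
    PasswordText, exactly like the SoapUI request above; digest=True (assumed to be
    accepted by the endpoint) sends only a nonce, timestamp and SHA-1 digest."""
    ET.register_namespace("soapenv", SOAP); ET.register_namespace("wsse", WSSE)
    ET.register_namespace("wsu", WSU); ET.register_namespace("ser", SER)
    env = ET.Element(f"{{{SOAP}}}Envelope")
    sec = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Header"), f"{{{WSSE}}}Security",
                        {f"{{{SOAP}}}mustUnderstand": "1"})
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = user
    pw = ET.SubElement(tok, f"{{{WSSE}}}Password")
    if digest:
        nonce = nonce or os.urandom(16)          # fresh nonce per request
        created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        pw.set("Type", PROFILE + "#PasswordDigest")
        pw.text = password_digest(nonce, created, password)
        ET.SubElement(tok, f"{{{WSSE}}}Nonce").text = base64.b64encode(nonce).decode()
        ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    else:
        pw.set("Type", PROFILE + "#PasswordText")
        pw.text = password
    # Axis-style generated operations take positional parameters named in0, in1, ...
    op = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Body"), f"{{{SER}}}{operation}")
    for i, value in enumerate(args):
        ET.SubElement(op, f"{{{SER}}}in{i}").text = str(value)
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)
```

The returned bytes are the HTTP POST body for whichever service URL above exposes the operation; a PasswordText token carries the password in clear, so send that form only over TLS.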

There you go, Role Manager Webservices enabled and ready to rock..!

Wednesday Feb 27, 2008

Solaris Authorization Bug Prevents Provisioning from SUN IDM

Thought I'd drop a note to myself more than anything on this topic. I was working with a colleague, provisioning users to a Solaris 10 system in order to test some Sun Secure Global Desktop use-cases for a customer demonstration, and the Solaris resource adapter inside Sun Identity Manager was giving the following exception:

com.waveset.util.WavesetException: An error occurred adding user 'pwalker' to resource 'Solaris - dde880'. com.waveset.util.WavesetException: loop> loop> loop> loop> UX: useradd: ERROR: solaris.jobs.users is not a valid authorization. Choose another.

Google to the rescue, with bug 6337435 as the reference; here's the solution to save you the 'click' ;-)

Change "solaris.jobs.users" to "solaris.jobs.user" in /etc/security/prof_attr.
## 05/10/16 gww ##
The workaround should probably say change in /etc/security/prof_attr

Thanks Rene for the pointer!
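A small check for this class of problem, as an added example (not from the post or from Sun Identity Manager): it parses prof_attr and auth_attr in their documented colon-separated layouts and reports any rights profile that grants an authorization name absent from auth_attr, which is the condition useradd rejected above. The two file snippets are constructed samples rather than copies of the Solaris files, and deliberately include the misspelt solaris.jobs.users entry.

```python
"""Find rights profiles that grant authorizations auth_attr does not define.
Added example, not from the post or from Sun IDM; file contents are constructed."""
from typing import Dict, List, Set

# Constructed sample of /etc/security/auth_attr (name:res1:res2:short_desc:long_desc:attr)
AUTH_ATTR = """\
# auth_attr sample
solaris.jobs.:::Job Control::help=JobHeader.html
solaris.jobs.user:::Manage Owned Jobs::help=AuthJobsUser.html
solaris.jobs.admin:::Manage All Jobs::help=AuthJobsAdmin.html
solaris.profmgr.read:::Rights Profile Read::help=AuthProfmgrRead.html
"""
# Constructed sample of /etc/security/prof_attr (profname:res1:res2:desc:attr)
PROF_ATTR = """\
# prof_attr sample
System Administrator:::Can perform most non-security administrative tasks:profiles=Audit Review,Printer Management;auths=solaris.jobs.users,solaris.profmgr.read
Cron Management:::Manage at and cron jobs:auths=solaris.jobs.*;help=RtCronMngmnt.html
"""


def parse_auth_names(text: str) -> Set[str]:
    """Authorization names are the first field of each non-comment auth_attr line."""
    return {line.split(":")[0] for line in text.splitlines()
            if line.strip() and not line.startswith("#")}


def parse_profile_auths(text: str) -> Dict[str, List[str]]:
    """Map profile name -> authorizations listed in its auths= attribute."""
    result: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":", 4)          # attr is the 5th field; it may hold ';'-separated kv pairs
        attr = fields[4] if len(fields) > 4 else ""
        for kv in attr.split(";"):
            key, _, val = kv.partition("=")
            if key == "auths" and val:
                result[fields[0]] = val.split(",")
    return result


def auth_valid(name: str, known: Set[str]) -> bool:
    """Exact match, or a trailing-* wildcard (e.g. solaris.jobs.*) covering known names."""
    if name.endswith("*"):
        return any(k.startswith(name[:-1]) for k in known)
    return name in known


def invalid_authorizations(prof_attr: str, auth_attr: str) -> Dict[str, List[str]]:
    """Profiles whose auths= list names an authorization that does not exist."""
    known = parse_auth_names(auth_attr)
    bad = {prof: [a for a in auths if not auth_valid(a, known)]
           for prof, auths in parse_profile_auths(prof_attr).items()}
    return {prof: auths for prof, auths in bad.items() if auths}
```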

Tuesday Jan 22, 2008

Attachmate No permission to run emulation

As you may know, Sun Identity Manager can be used to manage identities that reside on host systems such as 3270 mainframes; to do this, 3rd-party libraries that provide the protocol support are required. If you try to use the Attachmate Reflection for the Web libraries with Sun Identity Manager and see the following error message in the application server logs:

IBM3270@D58939: No permission to run emulation.

then you'll need to add the following to your JVM launch script:

-Dcom.wrq.profile.dir=/pathToAttachmateLibFolder

Here's a simple example using the command line:

C:\temp\Attachmate>java -Dcom.wrg.profile.dir=c:\temp\Attachmate com.wrq.rweb.Launcher
IBM3270@D58939: No permission to run emulation.
IBM3270@D58939: Reflection shutdown
com.wrq.enterview.Glue3270 loaded. [4,297ms]

and now specifying the location of the license.jaw file that comes with Attachmate:

C:\temp\Attachmate>java -Dcom.wrq.profile.dir=c:\temp\Attachmate com.wrq.rweb.Launcher
IBM3270@676E3F: Reflection v9.5.36.100 starting [IBM 3270] **
IBM3270@676E3F: RWEB_CACHE = C:\Documents and Settings\pwalker\Local Settings\Temp\reflectionweb_pwalker
IBM3270@676E3F: RWEB_PREFS = C:\Documents and Settings\pwalker\reflectionweb
IBM3270@676E3F: USER_HOME = C:\Documents and Settings\pwalker


Monday Jan 21, 2008

Sun Identity Manager & SGD Password Cache Integration

Last week at the Grenoble Software Technical Event, based at the Grenoble Engineering Center in the French Alps, I demonstrated the integration of Sun Identity Manager and the Sun Secure Global Desktop (SGD) products. One area of interest was the SGD Password Cache integration. Why is this of interest? Well, let me explain the use-case.

SGD's raison d'être is to securely deliver your desktop anyplace, anytime, to almost any device. The applications on your desktop usually require a username and password to gain access. When you launch such an application for the first time, SGD attempts to authenticate you to that application using the credentials you specified when authenticating to SGD. If this fails, SGD will prompt you for a username/password to authenticate against the application, as shown below:

 

You can see above there's a "Save Password" checkbox which, if checked, will securely persist whatever you entered within SGD itself.

If you hit the default Administrative URL for SGD of http://<servername>/sgdadmin you'll be able to see the Password Cache entries, as shown below. On the left hand side of this table is the user identity with which you authenticated to SGD itself, followed by the server name which served up the application, and finally the user identity which is understood by the application itself.

 

So imagine the popular use-case where Sun Identity Manager is being used to process employee self-service password changes. A user logs onto the system and invokes the Change User Password workflow via the webpage; they specify a new password and Identity Manager pushes this password out to the linked resource accounts. All of a sudden the password previously stored by SGD is out of sync with the target resource. As a convenience we want to update the SGD Password Cache directly from within the workflow associated with the changeUserPassword IDM workflow process. How is this done?

To start with, I developed a NetBeans 6 Java project and imported the relevant SGD webservice jar files, which were as follows:

/opt/tarantella/webserver/tomcat/5.0.28_axis1.2/common/lib
     axis.jar
     commons-discovery-0.2.jar
     commons-logging-1.0.4.jar
     jaxrpc.jar
     saaj.jar
     xerces.jar

 /opt/tarantella/webserver/tomcat/5.0.28_axis1.2/shared/lib
     sgd-webservices.jar

Before we go any further I'd strongly recommend reading the SGD webservices section on wikis.sun.com; kudos to the SGD engineering team for sharing information like this in Wiki form for all to use :)

Those who know Sun Identity Manager workflow will understand how easy and simple it is to directly invoke Java using the XPRESS invoke command; the completed changeUserPassword workflow that calls the SGDHelper class to manage the SGD Password Cache can be downloaded here

Any questions or improvements feel free to chip in!

Password Cache? I'll get my coat ;)



Wednesday Dec 05, 2007

Java Date Comparisons In Identity Manager

During my POC rounds I often come up against Identity Management requirements to manipulate date strings: for example, a contract hire date coming from a HR feed inside a CSV file. When should this user be provisioned? When should this user be deprovisioned? How long should this compliance violation be mitigated? I'm often re-writing the same piece of logic, which implies that others using Sun Identity Manager are doing similar, so I'll post my contribution to this blog, mainly to stop me losing it all the time (doh)... So here's the Java version with the code logic adapted to XPRESS. Just to note that from within Identity Manager both Java and XPRESS can be called, so you're free to select your poison ..
 

import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.Calendar;
import java.util.Date;
import java.util.GregorianCalendar;

public class DateTestEADS {
    public static void main(String args[]) {
        String dateString = "31.10.2007";
        Calendar todayCal = Calendar.getInstance();
        Date todayDate = todayCal.getTime();
        // HR feeds in this example carry dates as dd.MM.yyyy
        SimpleDateFormat format = new SimpleDateFormat("dd.MM.yyyy");

        // Parse the date and compare it with the current date/time
        try {
            Date endDate = format.parse(dateString);
            System.out.println("Original string: " + dateString);
            System.out.println("Parsed date : " + endDate.toString());
            System.out.println("Todays date : " + todayDate);
            Calendar endCal = new GregorianCalendar();
            endCal.setTime(endDate);
            // true only if the parsed date (midnight) is later than right now
            boolean result = endCal.after(todayCal);
            System.out.println("Q:Is the date " + dateString + ", after today? A:" + result);
        } catch (ParseException pe) {
            System.out.println("ERROR: could not parse date in string \"" + dateString + "\"");
        }
    }
}

Here's the same logic in XPRESS:

  <RuleArgument name='dateString' value='31.12.2007'>
    <Comments>A date such as "31.10.2007" as a string</Comments>
    <String>31.12.2007</String>
  </RuleArgument>
  <block>
    <defvar name='todayCal'/>
    <defvar name='todayDate'/>
    <defvar name='endDate'/>
    <defvar name='endCal'/>
    <defvar name='format'/>
    <set name='todayCal'>
      <invoke name='getInstance' class='java.util.Calendar'/>
    </set>
    <set name='endCal'>
      <new class='java.util.GregorianCalendar'/>
    </set>
    <set name='todayDate'>
      <invoke name='getTime'>
        <ref>todayCal</ref>
      </invoke>
    </set>
    <set name='format'>
      <new class='java.text.SimpleDateFormat'>
        <s>dd.MM.yyyy</s>
      </new>
    </set>
    <block name='parse the date'>
      <set name='endDate'>
        <invoke name='parse'>
          <ref>format</ref>
          <ref>dateString</ref>
        </invoke>
      </set>
      <invoke name='setTime'>
        <ref>endCal</ref>
        <ref>endDate</ref>
      </invoke>
      <invoke name='after'>
        <ref>endCal</ref>
        <ref>todayCal</ref>
      </invoke>
    </block>
  </block>