Identity Management? I'll Get My Coat...
Solaris Authorization Bug Prevents Provisioning from SUN IDM
Thought I'd drop a note to myself more than anything on this topic. I was working with a colleague, provisioning users to a Solaris 10 system in order to test some Sun Secure Global Desktop use-cases for a customer demonstration. The Solaris resource adapter inside Sun Identity Manager was giving the following exception:
com.waveset.util.WavesetException: An error occurred adding user 'pwalker' to resource 'Solaris - dde880'. com.waveset.util.WavesetException: loop> loop> loop> loop> UX: useradd: ERROR: solaris.jobs.users is not a valid authorization. Choose another.
Google to the rescue, with the following reference to bug 6337435. Here's the solution, to save you the 'click':
Change "solaris.jobs.users" to "solaris.jobs.user" in /etc/security/prof_attr.
## 05/10/16 gww ##
The workaround should probably say change in /etc/security/prof_attr
Thanks Rene for the pointer!
Posted at 07:20PM Feb 27, 2008 by Paul Walker in Handy IDM Bits
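A check for the condition behind the useradd error in the post above, as an added example that is not part of the original post or of any Sun tooling. It assumes valid authorization names are the first field of an auth_attr file and that profiles list theirs under the "auths=" key in field 5 of prof_attr; the function names and the sample entries are constructed.

```shell
#!/bin/sh
# Added example. Set AWK=nawk on Solaris 10 (assumption: the default
# /usr/bin/awk there lacks user-defined functions).

# check_prof_auths AUTH_ATTR PROF_ATTR
# Prints "profile: authorization" for each undefined name; returns 1 if any.
check_prof_auths() {
    "${AWK:-awk}" -F: '
        function valid(name,   p, d) {
            if (name in defined) return 1
            if (name ~ /\*$/) {               # trailing "*" is a wildcard
                p = substr(name, 1, length(name) - 1)
                for (d in defined) if (index(d, p) == 1) return 1
            }
            return 0
        }
        /^[ \t]*#/ || NF == 0 { next }        # skip comments and blank lines
        FNR == NR { defined[$1] = 1; next }   # first file: auth_attr names
        {
            n = split($5, kv, ";")            # key=value pairs in field 5
            for (i = 1; i <= n; i++) {
                if (kv[i] !~ /^auths=/) continue
                sub(/^auths=/, "", kv[i])
                m = split(kv[i], a, ",")
                for (j = 1; j <= m; j++)
                    if (!valid(a[j])) { print $1 ": " a[j]; bad = 1 }
            }
        }
        END { exit bad }
    ' "$1" "$2"
}

# Constructed sample data in the two file formats (not real system entries).
demo() {
    d=$(mktemp -d) || return 2
    cat > "$d/auth_attr" <<'EOF'
solaris.jobs.:::Job Scheduler::help=JobHeader.html
solaris.jobs.admin:::Manage All Jobs::help=AuthJobsAdmin.html
solaris.jobs.user:::Manage Owned Jobs::help=AuthJobsUser.html
EOF
    cat > "$d/prof_attr" <<'EOF'
# constructed profiles
Demo User:::Constructed profile:auths=solaris.jobs.users;help=Demo.html
Demo Cron Admin:::Constructed profile:auths=solaris.jobs.*,solaris.jobs.admin
EOF
    rc=0; check_prof_auths "$d/auth_attr" "$d/prof_attr" || rc=$?
    rm -rf "$d"
    return $rc
}
demo || echo "undefined authorizations found"
```

Against a live system the call would be `check_prof_auths /etc/security/auth_attr /etc/security/prof_attr`, run before provisioning so a misspelled authorization is caught ahead of useradd.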
Sun Identity Manager & SGD Password Cache Integration
Last week at the Grenoble Software Technical Event, based at the Grenoble Engineering Center in the French Alps, I demonstrated the integration of Sun Identity Manager and the Sun Secure Global Desktop (SGD) products. One area of interest was the SGD Password Cache integration. Why is this of interest? Well, let me explain the use-case.
SGD's raison d'être is to securely deliver your desktop anyplace, anytime, to almost any device. The applications on your desktop usually require a username & password to gain access. When you launch such an application for the first time, SGD attempts to authenticate you to that application using the credentials which you specified when authenticating to SGD. If this fails then SGD will prompt you for a username/password to auth against the application, this is shown below:

You can see above there's a "Save Password" checkbox that if checked will securely persist whatever you entered within SGD itself.
If you hit the default Administrative URL for SGD of http://<servername>/sgdadmin you'll be able to see the Password Cache entries, this is shown below. On the left hand side of this table is the user identity with which you authenticated to SGD itself, followed by the Server name which served up the application and finally the user identity which is understood by the application itself.

So imagine the popular use-case where Sun Identity Manager is being used to process employee self-service password change. A user logs onto the system and invokes the Change User Password workflow via the webpage; they specify a new password and Identity Manager pushes this password out to the resource accounts that are linked. All of a sudden the password previously stored by SGD is out of sync with the target resource. Now, as a convenience, we want to update the SGD Password Cache directly from within the workflow associated to the changeUserPassword IDM workflow process. How is this done?
To start with I developed a NetBeans 6 Java project and imported the relevant SGD webservice jar files, which were as follows:
/opt/tarantella/webserver/tomcat/5.0.28_axis1.2/common/lib
axis.jar
commons-discovery-0.2.jar
commons-logging-1.0.4.jar
jaxrpc.jar
saaj.jar
xerces.jar
/opt/tarantella/webserver/tomcat/5.0.28_axis1.2/shared/lib
sgd-webservices.jar
Before we go any further, I'd strongly recommend reading the SGD webservices section on wikis.sun.com. Kudos to the SGD engineering team for sharing information like this in Wiki form for all to use.
Those that know Sun Identity Manager workflow will understand how easy and simple it is to directly invoke Java using the XPRESS invoke command. The completed changeUserPassword workflow that calls the SGDHelper class to manage the SGD Password Cache can be downloaded here
Any questions or improvements, feel free to chip in!
Password Cache? I'll get my coat 
Posted at 02:57PM Jan 21, 2008 by Paul Walker in Handy IDM Bits