Israel Web Tour 2008 & first blog post in Hebrew
Sun Microsystems was a sponsor of the Israel Web Tour, in which representatives from 15 selected Israeli Web 2.0 startups visited Silicon Valley. Representatives from the startups visited the Sun Menlo Park campus on Tuesday, February 5th, where Juan Carlos Soto briefed them in the Sun Executive Business Center. I was fortunate to get a ticket to the showcase, which took place at Microsoft on Wednesday, the 6th of February. Each of the 15 companies had five minutes to pitch their company's concept.
I was intrigued by:
1. 5min - user-submitted content of "how to" guides.
2. AllofMe - you basically add photos and videos of yourself and your family and make an online movie of your life, relatives etc. What's neat is you can zoom in or out to view a snapshot of your life on a day or even over a century.
3. BlogTv - blogging via video. The IsraelWebTour showcase at Microsoft was broadcast via BlogTv.
4. Clicktale & nuConomy - web analytics beyond page views. In particular, Clicktale can make a video of a customer's entire interaction on your webpage. Thus, for example, you can see why a customer completed half the shopping cart form and then discarded the transaction. nuConomy will deliver reports on all customer interactions on your website.
5. Pageonce - an aggregation tool for all your finances, email, airline miles etc. It will also alert you, for example, when a payment is due, when you are about to reach your maximum free cellular minutes or when airline miles will expire.
6. Ply - a platform for video. They demo'd a cute video clip of the movie "When Harry Met Sally"; the user can mouse over Sally and a little pop-up window will display a brief bio of Meg Ryan.
7. Velingo (used to be Tagsense) - web search enhanced by tag words. Try it here: When I tried a search on Sun Microsystems, I got this: There is a Firefox extension, but for Windows only <sigh>
Now I will have a go at blogging in Hebrew, painstakingly slowly, one letter at a time, as I cannot touch-type in Hebrew.
Sun Micro, a technology company in Silicon Valley, sponsored 15 Web 2.0 companies to visit Silicon Valley.
Posted at 09:32PM Feb 06, 2008 by Jonathan Gershater in Identity & Directory Server |
OpenID & Yahoo
Yahoo have released an OpenID Provider Service. Read all about it!
Posted at 11:19PM Jan 30, 2008 by Jonathan Gershater in Identity & Directory Server |
Sun Java Directory Server 6.2 corruption and recovery...
This has not been classified as a Sun Directory Server error, rather it led to a method of recovery that I would like to share.
I was working on a pair of Sun Directory Servers (version 6.2) recently, with a custom plugin. The servers would only start with a very peculiar error logged every second in the error log (anyone know what this means?)
[18/Jan/2008:18:49:15 +0000] - INFORMATION - conn=-1 op=-1 msgId=-1 - allow_operation: component identity is NULL
After a day of research into the error proved futile, we decided to rebuild from scratch. Fortunately the data appeared intact, though there were replication errors galore! Secondly, the partner master server logged the same error every second, so that server also needed to be rebuilt.
I followed the following steps. Note that this was a pair of Sun Directory Servers (version 6.2) with only a few thousand objects (development and QA environment). The steps below may not be optimal for many replicated servers containing hundreds of thousands or millions of users.
Export the old instance to LDIF
Create a new instance
Copy the certificates and schema from the old instance to the new
Import the LDIF file
Enable replication
Assumptions
Sun Java Directory Server 6.2
Solaris 10
PKG version of Directory Server.(location of commands differs for the ZIP version)
The hostname & IP address of the new and faulty Directory instances are the same
Two servers in MMR (multi-master replication)
Custom schema in 99user.ldif
Perform the following:
First Solaris host
1. Shut down the faulty Directory Server
/opt/SUNWdsee/ds6/bin/dsadm stop /var/opt/SUNWdsee/dsins1
2. Export the data without replication information
/opt/SUNWdsee/ds6/bin/dsadm export -Q /var/opt/SUNWdsee/dsins1 dc=company,dc=com /export/home/CleanExport.ldif
3. Create a new instance on port 389 (the port is free since the faulty instance is not running)
/opt/SUNWdsee/ds6/bin/dsadm create /var/opt/SUNWdsee/dsins2
4. Copy the custom schema from the faulty directory server to the new instance
(a) back up the new instance's 99user.ldif
cp /var/opt/SUNWdsee/dsins2/config/schema/99user.ldif /var/opt/SUNWdsee/dsins2/config/schema/99user.ldif.BACKUP
(b) copy the schema from the old instance into the new instance's schema directory
cp /var/opt/SUNWdsee/dsins1/config/schema/99user.ldif /var/opt/SUNWdsee/dsins2/config/schema/
5. Start the new instance
/opt/SUNWdsee/ds6/bin/dsadm start /var/opt/SUNWdsee/dsins2
6. Create the suffix
/opt/SUNWdsee/ds6/bin/dsconf create-suffix dc=company,dc=com
7. Import the data into the new instance
/opt/SUNWdsee/ds6/bin/dsadm import /var/opt/SUNWdsee/dsins2 /export/home/CleanExport.ldif dc=company,dc=com
8. Enable replication on the new instance
/opt/SUNWdsee/ds6/bin/dsconf enable-repl /var/opt/SUNWdsee/dsins2 -d 40404 master dc=company,dc=com
Second Solaris host
1. Shut down the faulty Directory Server
/opt/SUNWdsee/ds6/bin/dsadm stop /var/opt/SUNWdsee/dsins1
2. Create a new instance on port 389 (the port is free since the faulty instance is not running)
/opt/SUNWdsee/ds6/bin/dsadm create /var/opt/SUNWdsee/dsins2
3. Copy the custom schema from the faulty directory server to the new instance
(a) back up the new instance's 99user.ldif
cp /var/opt/SUNWdsee/dsins2/config/schema/99user.ldif /var/opt/SUNWdsee/dsins2/config/schema/99user.ldif.BACKUP
(b) copy the schema from the old instance into the new instance's schema directory
cp /var/opt/SUNWdsee/dsins1/config/schema/99user.ldif /var/opt/SUNWdsee/dsins2/config/schema/
4. Create the suffix
/opt/SUNWdsee/ds6/bin/dsconf create-suffix dc=company,dc=com
5. Start the new instance
/opt/SUNWdsee/ds6/bin/dsadm start /var/opt/SUNWdsee/dsins2
6. Enable replication on the new instance
/opt/SUNWdsee/ds6/bin/dsconf enable-repl /var/opt/SUNWdsee/dsins2 -d 50505 master dc=company,dc=com
First Solaris host
1. Create a replication agreement from host 1 to host 2
/opt/SUNWdsee/ds6/bin/dsconf create-repl-agmt dc=company,dc=com secondhost:389
2. Initialize the second Directory Server with data from the first Directory Server
/opt/SUNWdsee/ds6/bin/dsconf init-repl-dest dc=company,dc=com secondhost:389
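Before importing the clean export into the new instance, it is worth checking that the LDIF really carries no replication state and that every object class it uses is defined in the 99user.ldif you copied over, since either problem only surfaces as import errors or as the very replication trouble this rebuild is meant to cure. The following Python check is an added example, not part of the original post: the schema fragment and export are constructed, and the list of replication attributes and the partial list of standard object classes are assumptions.

```python
import re

# Constructed fragment of a custom 99user.ldif schema file (not the post's own).
SAMPLE_SCHEMA = """\
dn: cn=schema
objectClasses: ( 1.3.6.1.4.1.99999.2.1 NAME 'companyPerson' SUP inetOrgPerson
  STRUCTURAL MAY ( companyBadge ) X-ORIGIN 'user defined' )
"""

# Constructed export; the second entry still carries a replication attribute.
SAMPLE_EXPORT = """\
dn: dc=company,dc=com
objectClass: top
objectClass: domain
dc: company

dn: uid=jdoe,ou=people,dc=company,dc=com
objectClass: top
objectClass: companyPerson
uid: jdoe
nsUniqueId: 3f2c1a00-000011dc-80000000-00000000
"""

# Assumed set of replication/server-state attributes that an export made with
# "dsadm export -Q" should not contain.
REPL_ATTRS = {"nsuniqueid", "nsds50ruv", "nsstate", "ds6ruv", "nsds5replconflict"}
# Partial list of object classes the server ships with (assumption for the check).
STANDARD_OC = {"top", "domain", "organization", "organizationalunit", "person",
               "organizationalperson", "inetorgperson", "groupofuniquenames"}

def parse_ldif(text):
    """Return a list of entries, each a dict of lowercased attribute -> [values]."""
    unfolded = re.sub(r"\n ", "", text)            # join LDIF continuation lines
    entries = []
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        attrs = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")   # "::" (base64) values stay raw
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries.append(attrs)
    return entries

def custom_objectclasses(schema_text):
    """Object class names defined in a 99user.ldif-style schema file."""
    names = set()
    for line in re.sub(r"\n ", "", schema_text).splitlines():
        if line.lower().startswith("objectclasses:"):
            m = re.search(r"NAME\s+'([^']+)'", line)
            if m:
                names.add(m.group(1).lower())
    return names

def check_export(export_text, schema_text):
    """Report entry count, leftover replication attributes and unknown object classes."""
    entries = parse_ldif(export_text)
    known = STANDARD_OC | custom_objectclasses(schema_text)
    repl_found = {a for e in entries for a in e if a in REPL_ATTRS}
    undefined = {oc.lower() for e in entries for oc in e.get("objectclass", [])
                 if oc.lower() not in known}
    return {"entries": len(entries), "replication_attrs": repl_found,
            "undefined_objectclasses": undefined}
```

Run check_export on the real CleanExport.ldif and the copied 99user.ldif; a non-empty replication_attrs or undefined_objectclasses set means the export or the schema copy needs attention before the import.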
Technorati Tags: directory-server Sun Java Directory Server
Posted at 02:41PM Jan 22, 2008 by Jonathan Gershater in Identity & Directory Server |
Humbled by those who have less, much less.
Although it has been 20+ years since I finished high school, the English poetry I learnt still resonates with me and I can recall phrases and lines to this day. William Wordsworth wrote a sonnet that I shall reproduce here, since it is, of course, only 14 lines.
The world is too much with us; late and soon,
Getting and spending, we lay waste our powers;
Little we see in Nature that is ours;
We have given our hearts away, a sordid boon!
This Sea that bares her bosom to the moon,
The winds that will be howling at all hours,
And are up-gathered now like sleeping flowers,
For this, for everything, we are out of tune;
It moves us not.--Great God! I'd rather be
A Pagan suckled in a creed outworn; (1)
So might I, standing on this pleasant lea, (2)
Have glimpses that would make me less forlorn;
Have sight of Proteus (3) rising from the sea;
Or hear old Triton (4) blow his wreathed horn.
(1) Brought up in an outdated religion.
(2) Meadow.
(3) Greek sea god capable of taking many shapes.
(4) Another sea god, often depicted as trumpeting on a shell.
For two years our family was very fortunate to have the services of a live-in nanny who began her employment with us a year after our son was born. A rather simple woman, almost illiterate, and not conversant in English; I recall that when our daughter started grade one and began to learn reading and writing, our nanny used some of her free time to study English reading and writing as well. I remarked to myself that a 60 and a 6 year old were learning to read and write English for the first time. Our nanny grew very fond of our younger son and loved him as if he were the son she could not bear (her husband divorced her in their youth as they were unable to conceive). Upon a recent visit to her home country, she phoned us with the most unfortunate news that she was not returning to America as she had been diagnosed with breast cancer.
With no dependents of her own, our nanny worked to save for her and her sisters' retirement. Her sole possessions accompanied her in one suitcase when she went home a few weeks ago. Thus when she called to inform us of her condition, we offered to send her few remaining possessions to her but she refused and suggested we give them away.
As I cleaned her room I found notes she had taken in her English language classes. In the notebook, among other sentences, was written:
“I love children.”
“I love to cook for the children.”
I was moved to tears. Here we live in one of the most sought-after areas in the world. Our children attend magnificent schools and are not deprived of toys nor clothing nor extra-curricular activities. And a woman who at age 60 is learning English for the first time writes of her love for children that she could not bear herself. Those of us consumed by the rat-race and materialism that American consumerism thrusts upon us, as Wordsworth wrote, should stop and smell the flowers.....
Technorati Tags: nanny wordsworth
Posted at 09:00AM Jan 14, 2008 by Jonathan Gershater in Personal |
a useful link - searching all libraries
I am a member at two public libraries and occasionally use university libraries too. I found this link that will search for a book across multiple public and university libraries.
The website lists libraries near you, so I am guessing it does a reverse DNS lookup and then determines your location?
Posted at 11:02AM Jan 08, 2008 by Jonathan Gershater in Personal |
Patches required to enable Solaris servers and workstations to migrate to native-ldap clients
Notes:
The tables below list the patches required to allow Solaris SPARC servers and workstations to migrate to native-ldap clients. (The equivalent x86 patch is available from the download links below.)
The patch column contains a number which references the patch to install. The number is hyperlinked to http://sunsolve.sun.com to enable patch downloads. The links are current as of January 8th, 2008.
IMPORTANT: Solaris patches are revised and replaced by newer patches. The download links in the patch column may not resolve to the latest patch available. Please read the patch notes carefully, be aware of obsoleted patches, and download the newer patch.
Solaris 10 patches
Install the SUNWnisu package from the Solaris 10 DVD before installing the patches.
Order | Patch | Prerequisite patch
1 | 119213 (NSS patch) | n/a
2 | | n/a
3 | | n/a
4 | | n/a
5 | | n/a
6 | | n/a
7 | | n/a
8 | | n/a
9 | | n/a
10 | | n/a
11 | | 120900
12 | | 119042
13 | | 121133
14 | | 118918 119042 119578 119254
15 | | 119042 126538 118833
16 | | 119578
17 | | 118833
18 | | 118833 118918 119042 119574 119578 120272 120900 121133 126538 122640 126897
19 | | 118833 119578 126897
20 | | 119574 126538 122640 125369 125503 125547 126419 126897
Solaris 9 patches
Order | Patch | Prerequisite patch
1 | 119211 (NSS patch) | n/a
2 | | n/a
3 | | 112233
4 | | 112874
Solaris 8 patches
Order | Patch | Prerequisite patch
1 | 119209 (NSS patch) | n/a
2 | | n/a
3 | | n/a
4 | | n/a
5 | | n/a
6 | | n/a
7 | | n/a
8 | | n/a
9 | | n/a
10 | | n/a
11 | | 112936
12 | | 108987 111111 111310
13 | | 108528
14 | | 108528 108989 110386 111023 111317 113648 115827 116602
15 | | 108528 108989 110386 111023 111317 113648 115827 116602
Posted at 10:15AM Jan 07, 2008 by Jonathan Gershater in Identity & Directory Server |
Shibboleth
Shibboleth is a standard for federated Single Sign-On. It is also a new art exhibit at the Tate gallery in London, consisting of a crack in the floor....
Perhaps OpenId would be a more appropriate name
Posted at 02:43AM Dec 11, 2007 by Jonathan Gershater in Identity & Directory Server |
Enterprise Role Management to be part of the Sun Identity stack
Sun has entered into an agreement to acquire VAAU, a premier provider of Enterprise Role Management software. Here is the press release.
What is role management?
A role represents access rights to resources or data and often corresponds to a business function. For example, a tax manager has the rights to view financial data.
How do roles gel with Identity Management and Sun Identity Manager in particular?
If you have worked with Sun Identity Manager, you will have assigned a role to a resource and then a user to that role to grant the user access to the resource.
Role management software simplifies that process, especially in a large deployment with hundreds of applications and thousands of roles. Often roles outnumber users!
With good role management, security policies are easier to manage and enforce, for example ensuring users have only the roles they are entitled to in order to perform their job.
Read more at VAAU's website
Posted at 10:55AM Nov 13, 2007 by Jonathan Gershater in Identity & Directory Server |
Sun Directory Server 6.2 upgrade process
This blog entry outlines the process of upgrading the Sun Directory Server from version 6.0 to version 6.2
Assumptions
This procedure assumes the following:
The operating system is Solaris SPARC.
The PKG version of Directory Server 6.0 has been installed.
The DCC is deployed in the Sun Java Web Console (not as a .war file in a J2EE container).
The services are managed in SMF.
The patches are downloaded to a directory “RequiredPatches”. Note: installation of the first patch requires a reboot, therefore do NOT download the patches to /tmp or /var/tmp (some systems) otherwise the files will be lost after the reboot.
The installation paths are as follows:
Software | Instances | DSCC | Cacao | WebConsole
/opt/SUNWdsee | /var/opt/SUNWdsee/dsins1 | /var/opt/SUNWdsee/dscc/ads | /var/cacao | /usr/share/webconsole
Patches required before upgrade
Inventory the patches on each server and establish what versions exist.
To inventory the patches, execute showrev -p | grep "Patch: <patchnumber>"
Example:
# showrev -p | grep "Patch: 119963"
Patch: 119963-05 Obsoletes: Requires: Incompatibles: Packages: SUNWlibC
Patch: 119963-08 Obsoletes: Requires: Incompatibles: Packages: SUNWlibC
#
The list of patches is in column one and is hyperlinked to enable download of the patch from sunsolve.sun.com
Patch to install
118833-36
119963-08
119254-44
125378-02
119810-04
119345-05
119044-03
123893-04
125937-05
Patches required to perform 6.2 upgrade
125276-05
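The inventory step above, like the ordered patch tables in the earlier native-ldap post, is easier to audit with a script that parses the showrev -p output, keeps the highest revision installed per base patch, and honours the Obsoletes field, which is exactly the case the IMPORTANT note warns about. This Python checker is an added example, not code from the post: the showrev lines are constructed in the format shown above, and 999999-01 is a placeholder patch id.

```python
import re

# Constructed showrev -p output: 119963 is present at two revisions, 125378 is
# absent, and 123893 is only covered via the Obsoletes field of a placeholder
# patch 999999-01 (not a real patch id).
SAMPLE_SHOWREV = """\
Patch: 119963-05 Obsoletes: Requires: Incompatibles: Packages: SUNWlibC
Patch: 119963-08 Obsoletes: Requires: Incompatibles: Packages: SUNWlibC
Patch: 118833-36 Obsoletes: 118831-03 Requires: Incompatibles: Packages: SUNWcsu
Patch: 999999-01 Obsoletes: 123893-02 Requires: 118833-36 Incompatibles: Packages: SUNWx
"""

# The patches this post lists as required before the 6.2 upgrade, plus the
# upgrade patch itself.
REQUIRED = ["118833-36", "119963-08", "119254-44", "125378-02", "119810-04",
            "119345-05", "119044-03", "123893-04", "125937-05", "125276-05"]

LINE_RE = re.compile(r"^Patch: (\d+)-(\d+) Obsoletes:(.*?) Requires:(.*?) Incompatibles:")

def parse_showrev(text):
    """Map base id -> highest installed rev, and obsoleted base id -> (by_base, by_rev, obsoleted_rev)."""
    installed, obsoleted = {}, {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        base, rev = m.group(1), int(m.group(2))
        installed[base] = max(rev, installed.get(base, 0))
        for ob in m.group(3).split():
            ob_base, _, ob_rev = ob.partition("-")
            obsoleted[ob_base] = (base, rev, int(ob_rev or 0))
    return installed, obsoleted

def patch_status(required, showrev_text):
    """Classify each required patch as ok, outdated, obsoleted or missing."""
    installed, obsoleted = parse_showrev(showrev_text)
    status = {}
    for patch in required:
        base, _, rev = patch.partition("-")
        rev = int(rev)
        if base in installed:
            status[patch] = ("ok" if installed[base] >= rev
                             else f"outdated ({base}-{installed[base]:02d})")
        elif base in obsoleted:
            by_base, by_rev, ob_rev = obsoleted[base]
            # An obsoleting patch replaces the required one; flag it when the
            # obsoleted revision is older than the one this post asks for.
            status[patch] = (f"obsoleted by {by_base}-{by_rev:02d}"
                             + ("" if ob_rev >= rev else " (check rev)"))
        else:
            status[patch] = "missing"
    return status
```

Feed it the real output of showrev -p and the REQUIRED list for the server at hand; anything other than "ok" needs a look at the SunSolve patch notes before the reboot-requiring first patch goes on.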
Verify current version installed
Execute LDAPSEARCH to display the current version, substituting <PASSWORD> for the Directory Manager password.
# ldapsearch -h localhost -b cn=config -D "cn=directory manager" -w <PASSWORD> objectclass=nsslapdConfig nsslapd-versionstring
version: 1
dn: cn=config
nsslapd-versionstring: Sun-Java(tm)-System-Directory/6.0
Begin the upgrade process
Stop the processes
Disable DCC Directory server
# svcadm disable svc:/application/sun/ds:ds--var-opt-SUNWdsee-dscc6-dcc-ads
Disable LDAP instance
# svcadm disable svc:/application/sun/ds:ds--var-opt-SUNWdsee-dsins1
Disable CACAO
# svcadm disable svc:/application/management/common-agent-container-1:default
Disable Java Web Console
# svcadm disable svc:/application/management/wbem:default
# svcadm disable svc:/system/webconsole:console
Installation of patches
Before installing patch 118833-36, a workaround for a small defect is required (see note here).
Workaround:
# mkdir /var/tmp/118833-36.SUNWcslr
Click each of the following to view the output of the above patch installations:
118833-36.txt (see the workaround above; also, reboot after installing this patch)
Upgrade to Directory Server 6.2
Install patch 125276-05 (installation output: 125276-05.txt)
Restart Directory and Console services
Start cacaoagent
# svcadm enable svc:/application/management/common-agent-container-1:default
Start DCC
# svcadm enable svc:/application/sun/ds:ds--var-opt-SUNWdsee-dscc6-dcc-ads
Start LDAP instance
# svcadm enable svc:/application/sun/ds:ds--var-opt-SUNWdsee-dsins1
Start Java Web Console
# svcadm enable svc:/application/management/wbem:default
# svcadm enable svc:/system/webconsole:console
Verify that server was upgraded
Execute LDAPSEARCH to display the current version, substituting <PASSWORD> for the Directory Manager password.
# ldapsearch -h localhost -b cn=config -D "cn=directory manager" -w <PASSWORD> objectclass=nsslapdConfig nsslapd-versionstring
version: 1
dn: cn=config
nsslapd-versionstring: Sun-Java(tm)-System-Directory/6.2
View the Directory Server documentation here
Posted at 07:00AM Nov 12, 2007 by Jonathan Gershater in Identity & Directory Server | Comments[2]
Article published in the ISSA journal
I published an article titled "Trends in Identity and Access Management" in the November edition of the ISSA Journal. ISSA is a prestigious international information systems security association. Thanks to Glenn and Joel for their encouragement.
If you would like a copy of my article, I encourage you to become an ISSA member.
Alternatively, here is a copy of my article in PDF.
Posted at 09:02PM Nov 11, 2007 by Jonathan Gershater in Identity & Directory Server | Comments[1]
Life with two kids :)
Most days my kids are sweet, kind and cute. Occasionally I get home from work to this:

Posted at 08:36PM Nov 11, 2007 by Jonathan Gershater in Personal | Comments[1]
Finals, here we come
The Springboks played a great game against Argentina and will meet England in the finals. Ludo, sorry you lost to the "roast beefs"; don't worry, we will take care of them for you....!

Posted at 02:01PM Oct 14, 2007 by Jonathan Gershater in Personal |
Privacy priorities and Identity
So I had to call my wife's health insurance to get some information on her behalf. The polite lady at the call center answered and asked me some identifying questions first: birth date, last four digits of social security, address etc. Satisfied with the answers, she relinquished the information I requested. I guess they answer so many calls per day that it did not occur to her that a male voice was requesting information on someone with a female name. Or it means that anyone who presents the answers to the questions is entitled to the information. I wonder what HIPAA dictates?
A few days later, my wife went to the public library and I asked her to bring home a book that I had reserved. The library refused to allow her to check out a book reserved under my account using her card. She produced her driver's license showing the same surname and address as the library's computer had for me. No success. However, if she had produced my library card, which holds no picture of me, they would have happily checked out the book.
Why is it that personal medical information can be released over the phone to anyone who answers four or five identifying questions about an individual, yet a book cannot be checked out unless one produces a library card that bears no visual identification of the bearer on it whatsoever?
Posted at 02:33PM Oct 04, 2007 by Jonathan Gershater in Identity & Directory Server |
Telecommuting is so 1990s..
In the age of social networks it is called co-working. If you work remotely and get lonely, join or start a co-working group. I just joined the group in Palo Alto and am at the premises right now. A superb idea. Thanks Liz Henry!
Posted at 04:25PM Sep 19, 2007 by Jonathan Gershater in Personal |
Wednesday Feb 06, 2008