Shibboleth
Shibboleth is a standard for federated Single Sign-On. It is also a new art exhibit at the Tate gallery in London, consisting of a crack in the floor....
Perhaps OpenId would be a more appropriate name
Posted at 02:43AM Dec 11, 2007 by Jonathan Gershater in Identity & Directory Server |
Enterprise Role Management to be part of the Sun Identity stack
Sun has entered into an agreement to acquire VAAU, a premier provider of Enterprise Role Management software. Here is the press release.
What is role management?
A role represents access rights to resources or data, that often corresponds to a business function. Example a tax manager has the rights to view financial data.
How do roles gel with Identity Management and Sun Identity Manager in particular?
If you have worked with Sun Identity Manager, you will have assigned a role to a resource and then a user to that role to grant the user access to the resource.
Role management software simplifies that process, especially in a large deployment with hundreds of applications and thousands of roles. Often roles outnumber users: more roles than users!
With good role management, security policies are easier to manage and enforce, for example ensuring that users hold only the roles they are entitled to in order to perform their job.
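As an added example (not from the post or from VAAU's or Sun's products), here is the kind of entitlement check that role management tooling automates: users hold roles, each job function is entitled to a fixed set of roles, and the audit lists every user holding a role outside their job's entitlement. All three data files, the job titles and the role names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the blog entry: a minimal role-entitlement audit.
# All data below is constructed; file names, roles and job titles are assumptions.

WORK=${TMPDIR:-/tmp}/role-audit.$$
mkdir -p "$WORK"

# user,job  (constructed)
cat >"$WORK/users.csv" <<'EOF'
alice,tax-manager
bob,tax-analyst
carol,tax-manager
EOF

# user,role  (role assignments as provisioned in the identity system; constructed)
cat >"$WORK/assignments.csv" <<'EOF'
alice,finance-viewer
alice,tax-approver
bob,finance-viewer
bob,tax-approver
carol,finance-viewer
carol,payroll-admin
EOF

# job,role  (roles each job function is entitled to; constructed)
cat >"$WORK/entitlements.csv" <<'EOF'
tax-manager,finance-viewer
tax-manager,tax-approver
tax-analyst,finance-viewer
EOF

# audit_roles USERS ASSIGNMENTS ENTITLEMENTS
# Prints "user role job" for every assignment outside the job's entitlement.
# Returns 0 when there are no violations, 1 otherwise.
audit_roles() {
    awk -F, '
        FNR == 1 { file++ }
        file == 1 { job[$1] = $2; next }          # users: user -> job
        file == 2 { ok[$1 "," $2] = 1; next }      # entitlements: job,role allowed
        {                                          # assignments: check each one
            u = $1; r = $2; j = job[u]
            if (!((j "," r) in ok)) { print u, r, j; bad++ }
        }
        END { exit bad ? 1 : 0 }
    ' "$1" "$3" "$2"
}

# Run the audit; the constructed files are left under $WORK for inspection.
if audit_roles "$WORK/users.csv" "$WORK/assignments.csv" "$WORK/entitlements.csv"; then
    echo "no entitlement violations"
else
    echo "entitlement violations found (user role job listed above)"
fi
```

On the constructed data the audit flags bob (a tax analyst holding tax-approver) and carol (a tax manager holding payroll-admin); alice's roles are all within her job's entitlement. Swapping the CSV files for exports from the identity system turns this into a periodic detection check.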
Read more at VAAU's website
Posted at 10:55AM Nov 13, 2007 by Jonathan Gershater in Identity & Directory Server |
Sun Directory Server 6.2 upgrade process
This blog entry outlines the process of upgrading the Sun Directory Server from version 6.0 to version 6.2
Assumptions
This procedure assumes the following:
The operating system is Solaris SPARC.
The PKG version of Directory Server 6.0 has been installed.
The DCC is deployed in the Sun Java Web Console (not as a .war file in a J2EE container).
The services are managed in SMF.
The patches are downloaded to a directory “RequiredPatches”. Note: installation of the first patch requires a reboot, therefore do NOT download the patches to /tmp or /var/tmp (some systems) otherwise the files will be lost after the reboot.
The installation paths are as follows:
Software   | /opt/SUNWdsee
Instances  | /var/opt/SUNWdsee/dsins1
DSCC       | /var/opt/SUNWdsee/dscc/ads
Cacao      | /var/cacao
WebConsole | /usr/share/webconsole
Patches required before upgrade
Inventory the patches on each server and establish what versions exist.
To inventory the patches, execute 'showrev -p | grep "Patch: <patchnumber>"'
Example:
# showrev -p | grep "Patch: 119963"
Patch: 119963-05 Obsoletes: Requires: Incompatibles: Packages: SUNWlibC
Patch: 119963-08 Obsoletes: Requires: Incompatibles: Packages: SUNWlibC
#
The patches to install are listed below; each can be downloaded from sunsolve.sun.com.
Patch to install
118833-36
119963-08
119254-44
125378-02
119810-04
119345-05
119044-03
123893-04
125937-05
Patches required to perform 6.2 upgrade
125276-05
Verify current version installed
Execute LDAPSEARCH to display the current version, substituting <PASSWORD> for the Directory Manager password.
# ldapsearch -h localhost -b cn=config -D "cn=directory manager" -w <PASSWORD> objectclass=nsslapdConfig nsslapd-versionstring
version: 1
dn: cn=config
nsslapd-versionstring: Sun-Java(tm)-System-Directory/6.0
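The patch inventory and the version check above can be scripted as a pre-upgrade check. The following is an added example (not from the blog entry or from Sun's tooling): it parses 'showrev -p' output for every required patch, keeping the highest installed revision, and extracts the version number from the ldapsearch output. The SHOWREV_OUT and LDAPSEARCH_OUT samples are constructed so the functions run offline; on a real host they would be replaced by the output of the two commands shown above.

```shell
#!/bin/sh
# Added example, not from the blog entry: pre-upgrade checks for the patch
# inventory and the Directory Server version. SHOWREV_OUT and LDAPSEARCH_OUT
# are constructed samples (assumptions); substitute real command output.

# Required patches from the post (base number and minimum revision).
REQUIRED_PATCHES="118833-36 119963-08 119254-44 125378-02 119810-04
119345-05 119044-03 123893-04 125937-05 125276-05"

# Constructed sample of 'showrev -p' output. Several revisions of one patch
# may be listed; the highest installed revision is the one that counts.
SHOWREV_OUT='Patch: 118833-33 Obsoletes: Requires: Incompatibles: Packages: SUNWcsu
Patch: 119963-05 Obsoletes: Requires: Incompatibles: Packages: SUNWlibC
Patch: 119963-08 Obsoletes: Requires: Incompatibles: Packages: SUNWlibC
Patch: 119254-44 Obsoletes: Requires: Incompatibles: Packages: SUNWinstall-patch-utils-root'

# Constructed sample of the ldapsearch output shown in the post.
LDAPSEARCH_OUT='version: 1
dn: cn=config
nsslapd-versionstring: Sun-Java(tm)-System-Directory/6.0'

# installed_rev BASE -> prints the highest installed revision of patch BASE
# (two digits), or nothing when the patch is absent.
installed_rev() {
    printf '%s\n' "$SHOWREV_OUT" | awk -v base="$1" '
        $1 == "Patch:" {
            split($2, p, "-")
            if (p[1] == base && p[2] + 0 > best) best = p[2] + 0
        }
        END { if (best) printf "%02d\n", best }'
}

# missing_patches -> prints "BASE-REV installed:X" for each required patch
# that is absent or below the required revision; returns 1 if any, else 0.
missing_patches() {
    rc=0
    for req in $REQUIRED_PATCHES; do
        base=${req%-*}; need=${req#*-}
        have=$(installed_rev "$base")
        if [ -z "$have" ] || [ "${have#0}" -lt "${need#0}" ]; then
            echo "$req installed:${have:-none}"
            rc=1
        fi
    done
    return $rc
}

# ds_version -> prints the version number (e.g. 6.0) from the ldapsearch output.
ds_version() {
    printf '%s\n' "$LDAPSEARCH_OUT" |
        awk -F'/' '/^nsslapd-versionstring:/ { print $2 }'
}

echo "Directory Server version: $(ds_version)"
if missing_patches; then
    echo "all required patches present"
else
    echo "install the patches listed above before upgrading"
fi
```

On the constructed sample, 119963-08 and 119254-44 pass, 118833-36 is reported because only revision 33 is installed, and the remaining patches are reported as absent. Running the script again after the installations (and after the reboot that 118833-36 requires) should leave the missing list empty before patch 125276-05 is applied.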
Begin the upgrade process
Stop the processes
Disable DCC Directory server
# svcadm disable svc:/application/sun/ds:ds--var-opt-SUNWdsee-dscc6-dcc-ads
Disable LDAP instance
# svcadm disable svc:/application/sun/ds:ds--var-opt-SUNWdsee-dsins1
Disable CACAO
# svcadm disable svc:/application/management/common-agent-container-1:default
Disable Java Web Console
# svcadm disable svc:/application/management/wbem:default
# svcadm disable svc:/system/webconsole:console
Installation of patches
Before installing patch 118833-36, a workaround for a small defect is required (see note here).
Workaround
# mkdir /var/tmp/118833-36.SUNWcslr
Click each of the following to view the output of the above patch installations:
118833-36.txt: see the workaround above. Also, reboot after installing this patch.
Upgrade to Directory Server 6.2
Install patch 125276-05 (output: 125276-05.txt)
Restart Directory and Console services
Start cacaoagent
# svcadm enable svc:/application/management/common-agent-container-1:default
Start DCC
# svcadm enable svc:/application/sun/ds:ds--var-opt-SUNWdsee-dscc6-dcc-ads
Start LDAP instance
# svcadm enable svc:/application/sun/ds:ds--var-opt-SUNWdsee-dsins1
Start Java Web Console
# svcadm enable svc:/application/management/wbem:default
# svcadm enable svc:/system/webconsole:console
Verify that server was upgraded
Execute LDAPSEARCH to display the current version, substituting <PASSWORD> for the Directory Manager password.
# ldapsearch -h localhost -b cn=config -D "cn=directory manager" -w <PASSWORD> objectclass=nsslapdConfig nsslapd-versionstring
version: 1
dn: cn=config
nsslapd-versionstring: Sun-Java(tm)-System-Directory/6.2
View the Directory Server documentation here
Posted at 07:00AM Nov 12, 2007 by Jonathan Gershater in Identity & Directory Server | Comments[2]
Article published in the ISSA journal
I published an article titled "Trends in Identity and Access Management" in the November edition of ISSA. ISSA is a prestigious international information systems security association. Thanks to Glenn and Joel for their encouragement.
If you would like a copy of my article, I encourage you to become an ISSA member.
Alternatively, here is a copy of my article in PDF.
Posted at 09:02PM Nov 11, 2007 by Jonathan Gershater in Identity & Directory Server | Comments[1]
Privacy priorities and Identity
So I had to call my wife's health insurance to get some information on her behalf. The polite lady at the call center answered and asked me some identifying questions first: birth date, last four digits of social security, address etc. Satisfied with the answers she relinquished the information I requested. I guess they answer so many calls per day, it did not occur to her that a male voice was requesting information on someone with a female name. Or it means that anyone who presents the answers to the questions is entitled to the information. I wonder what HIPAA dictates?
A few days later, my wife went to the public library and I asked her to bring home a book that I had reserved. The library refused to allow her to check out a book reserved under my account, using her card. She produced her driver's license showing the same surname and address as the library's computer had for me. No success. However, if she produced my library card, which holds no picture of me, they would have happily checked out the book.
Why is it that personal medical information can be released over the phone to anyone who answers four or five identifying questions about an individual, yet a book cannot be checked out unless one produces a library card that bears no visual identification of the bearer on it whatsoever?
Posted at 02:33PM Oct 04, 2007 by Jonathan Gershater in Identity & Directory Server |
Sun Java Directory Server and CA Siteminder
I would obviously prefer that you use Sun Java Access Manager for managing web authentication, authorization and policies, but if you do use Siteminder with Sun Java Directory Server as the user store, then please note: Siteminder password services must be stored in a single-valued binary attribute. Do not use a multi-valued attribute such as 'audio' from the inetOrgPerson objectclass. Rather, create a custom binary attribute and configure Siteminder as per this screenshot:
Posted at 07:58AM Sep 17, 2007 by Jonathan Gershater in Identity & Directory Server |
F5 Load Balancers and Sun Directory Servers
An IP load balancer is often used to load balance Directory Servers (although far better and more feature-rich load balancing can be achieved with Sun Java System Directory Proxy Server). If you choose to use a load balancer such as an F5 BIG-IP, then please configure the F5 as follows:
Create an LDAP monitor that will execute a bind against the Directory Server. This is preferable to a standard TCP health check because:
- A simple TCP health check does not perform as complete an LDAP operation as a BIND.
- The LDAP server does not know how to handle the simple TCP health check properly, and thus in your Sun Directory Server logs you will likely see 4164 or 4166 errors.
Monitor settings:
- 'user name': enter an LDAP user that has no rights to important data in the Directory, ideally with an ACI that grants this user privileges over its own entry and nothing else. This ensures that if anyone compromises these credentials they cannot access other data. Sample ACI that only allows the F5 user to modify their own password:
aci: (targetattr = "userPassword") ( version 3.0; acl "allow userpassword self modification"; allow (write) userdn = "ldap:///self";)
- 'password': the password for the user
- 'Base': base DN
- 'Filter': if your user is in its own OU there is no need to filter anything
- 'Security': select yes if you wish to test LDAPS (LDAP over SSL)
Complete the simple F5 configuration web form with relevant details from your Directory Server.
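As an added example (not from the blog entry, F5 or Sun), the script below puts the monitor account recommendation into practice: monitor_ldif emits the LDIF that creates the low-privilege user under its own OU with the ACI quoted above, and ldap_health_check performs the same probe the F5 LDAP monitor does, a simple bind as that user followed by a base search of its own entry, so the check can be reproduced from a shell when a pool member is marked down. The base DN, OU, user DN and password are constructed assumptions, and the LDAPSEARCH variable exists so the probe can be pointed at a stub when no server is reachable.

```shell
#!/bin/sh
# Added example, not from the blog entry or from F5/Sun. The DNs, OU name and
# password below are constructed assumptions; replace them for a real deployment.

BASE_DN='dc=example,dc=com'
MONITOR_OU="ou=monitors,$BASE_DN"
MONITOR_DN="uid=f5monitor,$MONITOR_OU"
MONITOR_PW='change-me-example'         # assumption: set a real secret out of band
DS_HOST=${DS_HOST:-localhost}
DS_PORT=${DS_PORT:-389}
LDAPSEARCH=${LDAPSEARCH:-ldapsearch}   # assumption: may be pointed at a stub for offline tests

# monitor_ldif -> prints the LDIF that creates the OU and the monitor user.
# The ACI on the user entry grants write on userPassword to the entry itself
# (the ACI from the post) and nothing else; it grants no access to other entries.
monitor_ldif() {
    cat <<EOF
dn: $MONITOR_OU
objectClass: top
objectClass: organizationalUnit
ou: monitors

dn: $MONITOR_DN
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: f5monitor
cn: F5 LDAP monitor
sn: monitor
userPassword: $MONITOR_PW
aci: (targetattr = "userPassword") ( version 3.0; acl "allow userpassword self modification"; allow (write) userdn = "ldap:///self";)
EOF
}

# ldap_health_check -> 0 if a simple bind as the monitor user succeeds and the
# user's own entry comes back, 1 otherwise. Like the F5 LDAP monitor this is a
# complete LDAP operation, so the server logs an ordinary BIND rather than the
# 4164/4166 errors a bare TCP probe leaves behind.
ldap_health_check() {
    out=$("$LDAPSEARCH" -h "$DS_HOST" -p "$DS_PORT" \
          -D "$MONITOR_DN" -w "$MONITOR_PW" \
          -b "$MONITOR_DN" -s base '(objectclass=*)' dn 2>/dev/null) || return 1
    case $out in
        *"dn: $MONITOR_DN"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: 'sh f5-monitor.sh ldif | ldapmodify -a ...' to create the account,
# 'DS_HOST=ds1 sh f5-monitor.sh check' to probe one pool member.
case ${1:-} in
    ldif)  monitor_ldif ;;
    check) if ldap_health_check; then echo "ldap monitor: up"; else echo "ldap monitor: DOWN"; exit 1; fi ;;
esac
```

After loading the LDIF, a useful verification is to run the same ldapsearch as the monitor user against an ordinary user's DN: with only the self-modification ACI in place, the monitor account should not be able to read attributes it was never granted, which is the property the post relies on if the credentials in the F5 configuration are ever exposed.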

Posted at 05:07PM Jul 26, 2007 by Jonathan Gershater in Identity & Directory Server | Comments[5]
more on HR-XML, Identity Management and Federated SingleSignOn
Following up on my meeting with Sara Moss, I attended a call today with some folks who offer solutions for the staffing industry. The attendees on today's call offer solutions that pre-screen candidates during the hiring process, background checks 'n all. The goal of today's call was to define, for the HR-XML consortium, standards and methods for job applicants to single-sign-on to the pre-screening tool and the potential employer's job application website. Some ideas were tossed out, such as SAML, which of course Sun's Federation Manager supports.
I will continue to participate in the HR-XML initiative. It could be interesting to extend Sun's Identity Manager to include pre-screening requests and approvals, prior to the employee's first day on the job. Combine that with Federation Manager for federated identity and we could have a neat solution.....
Technorati Tags: Identity, Federation, pre-screening, onboarding
Posted at 12:08PM Jul 17, 2007 by Jonathan Gershater in Identity & Directory Server |
New DNS service
The NYTimes today reviews a new DNS service called OpenDNS. I configured my computer to use OpenDNS's DNS servers, and one immediate benefit is that typos in the browser address bar are optionally redirected to the correct destination website.
Technorati Tags: DNS
Posted at 07:35AM Jul 09, 2007 by Jonathan Gershater in Identity & Directory Server | Comments[4]
Integrating Sun Java System Identity Manager and Access Manager
A year ago I collaborated with some fine fellows from Sun to document the integration steps of Access Manager and Identity Manager. Another excellent Sun employee, Steffo Weber, has provided content that allowed us to update the document for version 7.0 of Access Manager and Identity Manager and to add a chapter on Identity Manager SPE.
The document was edited and is available here
Posted at 12:47AM Jul 09, 2007 by Jonathan Gershater in Identity & Directory Server | Comments[2]
Sun Identity Manager on Mac OS X
Earlier I blogged about installing OpenDS on Mac OS X. Installing Sun Identity Manager 7.1 is just as easy with a minor tweak.
The "lh" script, which sets up an environment for subsequent Java commands, is only aware of Unix, Linux and Windows.
A minor edit, the 'Darwin' branch at the top of the block below, is required for the lh script to recognize the Macintosh operating system 'Darwin':
OS=`uname -s`
if [ "$OS" = "Darwin" ]; then        # added branch: Mac OS X uses the Linux layout
    ARCH=linux
    ARCH_DIR=linux
elif [ "$OS" = "SunOS" ]; then
    SPECIFIC_OS=`arch`
    if [ "$SPECIFIC_OS" = "i86pc" ]; then
        ARCH=solaris/x86
        ARCH_DIR=solaris/x86
    else
        ARCH=solaris/sparc
        ARCH_DIR=solaris/sparc
    fi
elif [ "$OS" = "AIX" ]; then
    ARCH=aix
    ARCH_DIR=aix
elif [ "$OS" = "HP-UX" ]; then
    ARCH=hpux
    ARCH_DIR=hpux
else
    ARCH=winnt
    ARCH_DIR=win
fi
Thus, the standard procedure to install is as follows:
unzip IDM_7_1_0.zip                                    # unzip the download
cd IDM_7_1_0
cd db_scripts                                          # set up the database tables
mysql -u root < create_waveset_tables.mysql
# (copy the mysql driver to WEB-INF/lib)
mkdir idm                                              # create a staging directory
mv idm.war idm
cd idm
jar -xvf idm.war                                       # unjar the .war file
export WSHOME=/Applications/idm                        # set WSHOME
cd bin
# (edit the "lh" script as shown above)
chmod +x lh
./lh setup                                             # run setup
./lh setRepo -tMysql -ujdbc:mysql://localhost/waveset  # run setRepo
cd ../sample
../bin/lh import init.xml                              # import init.xml
jar -cvf /Applications/idm.war *                       # create a new .war file
./asadmin deploy /Applications/idm.war                 # deploy to the application server
Posted at 08:43PM May 31, 2007 by Jonathan Gershater in Identity & Directory Server |
SAP & Maxware but no mention of Sun Microsystems?
Lori Rowland offers some analysis of the SAP acquisition of Maxware, vis-a-vis Oracle. Interesting that no mention is made of Sun Microsystems Identity Solutions, which Gartner gives the highest ratings:
and which Forrester calls "an identity management powerhouse."
Technorati Tags: Identity
Posted at 02:17PM May 17, 2007 by Jonathan Gershater in Identity & Directory Server |
IIW2007 (& OpenDS on my new Mac iBook Pro)
The opening of IIW2007 was wonderful. This is the first time I have attended this workshop and I plan to return! I particularly like the open and casual forum where everyone is here to learn without the pressure of a corporate sponsored and publicized event.
After reading blogs from Windley, Doc Searls as well as my Sun counterparts: Eve & Lauren, it is great to finally meet in person.
Although I planned to demonstrate Sun Identity Manager during speed geeking, I quickly realized that it would not be appropriate as it is not open source (yet). So I decided to offer OpenDS. I made this decision on the spur of the moment and within ten minutes I had the latest build (0.8) up and running on my new iBook Pro. I added JXplorer for those who prefer a GUI interface to LDAP, and those who stopped by my table got a preview of OpenDS. I am indebted to the wonderful work of Neil, Ludo and others who make this project possible. I look forward to the 1.0 version of OpenDS later this year.
More from IIW tomorrow......
Technorati Tags: iiw2007, openDS
Posted at 09:08PM May 14, 2007 by Jonathan Gershater in Identity & Directory Server | Comments[2]
Directory Server 6.0 and idsconfig
If you are configuring DSEE 6 as the naming service for LDAP clients, the following changes are required in the idsconfig script /usr/lib/ldap/idsconfig.
1. The script checks whether the Directory Server is version 5 and exits if any other version is used. A quick hack around this is to comment out the exit statement; see the 'exit 1' line commented out below:
chk_ids_version()
{
    [ $DEBUG -eq 1 ] && ${ECHO} "In chk_ids_version()"
    # check iDS version number.
    eval "${LDAPSEARCH} ${SERVER_ARGS} -b cn=monitor -s base \"objectclass=*\" version | ${GREP} \"^version=\" | cut -f2 -d'/' | cut -f1 -d' ' > ${TMPDIR}/checkDSver 2>&1"
    if [ $? -ne 0 ]; then
        ${ECHO} "ERROR: Can not determine the version number of iDS!"
        exit 1
    fi
    IDS_VER=`cat ${TMPDIR}/checkDSver`
    IDS_MAJVER=`${ECHO} ${IDS_VER} | cut -f1 -d.`
    IDS_MINVER=`${ECHO} ${IDS_VER} | cut -f2 -d.`
    if [ "${IDS_MAJVER}" != "5" ]; then
        ${ECHO} "ERROR: $PROG only works with iDS version 5.x, not ${IDS_VER}."
        # exit 1        # commented out so the script carries on with Directory Server 6
    fi
    if [ $DEBUG -eq 1 ]; then
        ${ECHO} " IDS_MAJVER = $IDS_MAJVER"
        ${ECHO} " IDS_MINVER = $IDS_MINVER"
    fi
}
2. The end of the script instructs you to manually run 'directoryserver' commands for VLV indexes. '/usr/sbin/directoryserver' does not apply to Directory Server 6.0. Here are the equivalent commands for Directory Server 6.0 (substitute 'company' and the instance path of your Directory Server as needed):
./dsadm reindex -l -t company.com.getgrent /var/opt/SUNWdsee/dsins2 dc=company,dc=com
./dsadm reindex -l -t company.com.gethostent /var/opt/SUNWdsee/dsins2 dc=company,dc=com
./dsadm reindex -l -t company.com.getnetent /var/opt/SUNWdsee/dsins2 dc=company,dc=com
./dsadm reindex -l -t company.com.getrpcent /var/opt/SUNWdsee/dsins2 dc=company,dc=com
./dsadm reindex -l -t company.com.getspent /var/opt/SUNWdsee/dsins2 dc=company,dc=com
./dsadm reindex -l -t company.com.getauhoent /var/opt/SUNWdsee/dsins2 dc=company,dc=com
./dsadm reindex -l -t company.com.getsoluent /var/opt/SUNWdsee/dsins2 dc=company,dc=com
./dsadm reindex -l -t company.com.getauduent /var/opt/SUNWdsee/dsins2 dc=company,dc=com
./dsadm reindex -l -t company.com.getauthent /var/opt/SUNWdsee/dsins2 dc=company,dc=com
./dsadm reindex -l -t company.com.getexecent /var/opt/SUNWdsee/dsins2 dc=company,dc=com
./dsadm reindex -l -t company.com.getprofent /var/opt/SUNWdsee/dsins2 dc=company,dc=com
./dsadm reindex -l -t company.com.getmailent /var/opt/SUNWdsee/dsins2 dc=company,dc=com
./dsadm reindex -l -t company.com.getbootent /var/opt/SUNWdsee/dsins2 dc=company,dc=com
./dsadm reindex -l -t company.com.getethent /var/opt/SUNWdsee/dsins2 dc=company,dc=com
./dsadm reindex -l -t company.com.getngrpent /var/opt/SUNWdsee/dsins2 dc=company,dc=com
./dsadm reindex -l -t company.com.getipnent /var/opt/SUNWdsee/dsins2 dc=company,dc=com
./dsadm reindex -l -t company.com.getmaskent /var/opt/SUNWdsee/dsins2 dc=company,dc=com
./dsadm reindex -l -t company.com.getprent /var/opt/SUNWdsee/dsins2 dc=company,dc=com
./dsadm reindex -l -t company.com.getip4ent /var/opt/SUNWdsee/dsins2 dc=company,dc=com
./dsadm reindex -l -t company.com.getip6ent /var/opt/SUNWdsee/dsins2 dc=company,dc=com
Technorati Tags: Directory Server 6.0 NativeLDAP
Posted at 10:39AM Apr 25, 2007 by Jonathan Gershater in Identity & Directory Server | Comments[2]
Identity and HR-XML
Last week I had the distinct pleasure of dining with Sara Moss, a joint partner at The Code Works Inc, an up and coming consulting firm. She writes a lot on the staffing and hiring industry. We shared a delicious Mediterranean repast and discussed our experiences in, and potential synergies between, The Code Works Inc and Sun.
- The Code Works helps staffing firms with technology decisions, implementation and integration and has a lot of knowledge of on-boarding employees and using HR-XML technology.
- Sun's Identity solution automatically provisions users to applications once they are entered (on-boarded) into a corporation's HR system.
Technorati Tags: hr-xml identity on-boarding hiring staffing
Posted at 02:43PM Mar 16, 2007 by Jonathan Gershater in Identity & Directory Server |