Scott Fehrman's journal on life as a Principal Engineer (PE) @ Sun. Systems Engineering 101

Saturday Apr 26, 2008

This blog, and my previous blog, made it to the web via a two-man tent at the Blackhawk forest preserve in Kane County Illinois. I'm with my son, Nathan, on his first overnight camping trip as a new Boy Scout (promoted from Cub Scouts).

Yes, that's a winter coat Nathan is wearing. It's a little windy here. It's sunny but the temperature was in the 60s. It's supposed to get down into the 40s tonight for sleeping. I'm in my tent, as I type this, with my clothes on, in my new 20-30 degree rated sleeping bag (on the ground). So far so good.

In case you're wondering, I'm getting a good signal on my AT&T 3G wireless card with my Apple MacBook Pro. Is it wrong to be typing blog entries and reading emails from a tent while camping ... let me know.

Last week I was invited to speak at the first sfbay identity management user group meeting. The meeting was held at the Sun Santa Clara facility. I gave an overview of Project OpenPTK. We had users from The Gap, Hitachi, Weyerhaeuser and Safeway. It was a good first meeting. If you're interested in joining the user group, please send an email to "REQUEST_SFBAY_IDM_LUG AT sun DOT com"

Wednesday Apr 16, 2008

Extending OpenPTK, the User Provisioning Toolkit by Masoud Kalali -- Project Open Provisioning ToolKit (OpenPTK) is an open source user provisioning toolkit exposing APIs, web services, HTML taglibs, and JSR-168 portlets with user self-service and administration examples. OpenPTK hides the implementation differences between different user stores, allowing developers to use multiple stores with a common API. Masoud Kalali shows how to use and extend the toolkit.

Thursday Mar 20, 2008


OpenPTK is an open source project that provides a collection of tools and sample applications that Web and Java developers can use to integrate custom applications with user provisioning systems. Using industry standard interfaces, developers can build flexible user management applications that support Enterprise-class, department/group level and Web 2.0 type user provisioning environments.

Organizations:

Most intranet and Internet applications require user authentication. Applications either have an integrated data store (e.g. an RDBMS) or leverage a network service (e.g. LDAP) for validating users. Managing the "life cycle" of user data has become challenging. There are different user provisioning strategies:

  • An enterprise typically implements a provisioning solution such as Sun's Identity Manager to manage user data across multiple applications and services.
  • Departments (or groups) may only have a single application with a dedicated user data store. The volume of user management activities is usually small.
  • Web 2.0, Internet-facing applications typically leverage a scalable, highly available network service for storing user information.

Requirements:

Organizations need to implement a set of basic user management capabilities. For end users, a solution needs to provide "Forgotten Password" and "Self Service" functionality. For user administration, a solution needs to provide the fundamental Create, Read, Update, Delete and Password operations. Provisioning solutions and user data stores most likely provide these basic user management capabilities through their native interfaces. The problem is that these native interfaces may not meet the organization's requirements. Organizations have expressed the need to integrate user management systems with different custom "End User" experiences/interfaces. Commonly requested interfaces include:

Remote Web Interface: Organizations need a Web interface, for user provisioning, that can be deployed remotely from the system that hosts the provisioning solution.
Command Line Interface: Administrators need an interface that allows them to perform provisioning from a command-line interface, either interactively or from a shell script.
Portal / Portlet Interface: Enterprise and Departmental organizations may have to provide user provisioning interfaces into an existing Portal infrastructure.
WSDL-based Web Service: Developers need to integrate user provisioning into a SOA environment and are requiring Web Services that can be used by SOA development tools.

Because of these requirements for custom end-user experiences, organizations will build applications that leverage different types of development environments. The "End User" application (experience) may need to support a rich native desktop interface, a browser-based interface, a Web Service or a command-line interface. Developers will design solutions that integrate an organization's interface experience with the various user data stores. Developers will most likely have to learn the details related to interacting with the various user data stores. Web developers may not be prepared to deal with the Java APIs that are needed to access the data store(s).

Solution:

Project OpenPTK is a three-tier architecture which enables developers to focus on the business application interface, not on the underlying user data store. There are a number of "Consumer Tier" interfaces which address various development options. The "back-end" user data store is abstracted through the "Service Tier". The "Framework Tier" integrates the Consumer and Service tiers while also managing configurations, logging/debugging and provisioning operations.

Project OpenPTK Architecture

Consumer Tier interfaces/examples:

User Management Lite (UML): A JSP/taglib-based web application which provides basic user administration and self-service functions.
Command Line Interface (CLI): Provides basic provisioning operations. The CLI can be part of custom scripts that administrators can use to automate provisioning tasks.
JSR-168 Portlets: Provide "Forgotten Password", "Self Service" and "User Administration" capabilities. These portlets can be integrated into a customer's existing JSR-168 compliant Portal server.
WSDL-based Web Service: Provides User provisioning operations. Web Service clients (e.g. Java CAPS and soapUI) can reference the WSDL from this service and create custom integration solutions.

Service Tier implementations:

SPML: The Service Provisioning Markup Language is the external interface used by Sun's Identity Manager user provisioning solution.
SPE: Sun's Identity Manager, user provisioning solution, contains a Service Provider Edition interface for user provisioning.
JNDI: The Java Naming and Directory Interface API is used to access LDAP-based (e.g. OpenDS) user data stores.
JDBC: The Java Database Connectivity API is used to access relational database user data stores (e.g. MySQL).

Developers can use Project OpenPTK's interfaces and APIs to handle user provisioning operations without having to worry about the back-end user data stores. User provisioning applications that leverage Project OpenPTK can easily support multiple different user data stores through the use of its flexible configuration mechanism.
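As an added illustration (example code written for this page, not OpenPTK's own source), here is what the Search operation of a JNDI-based Service-tier implementation can look like. The security-relevant detail is that the Service tier is the first place where a search term entered through a Consumer-tier interface (UML, the CLI, a portlet or a Web Service client) is turned into the store's query language, so this is where it must be escaped: left unescaped, a term such as `*)(uid=*` changes the meaning of the filter and widens a single-user lookup into a directory-wide match. This is a general property of LDAP filters, not a statement about the project's code. The class name, the LDAP URL and port, base DN, bind credentials and attribute names are assumptions chosen to resemble a default OpenDS install; the escaping follows RFC 4515.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/**
 * Sketch of a Service-tier "Search" against an LDAP user store via JNDI.
 * Example code for this page; not part of OpenPTK. All names are assumed.
 */
public class LdapSearchService {

    /** Escape one assertion value for use inside an LDAP filter (RFC 4515, section 3). */
    public static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Filter for the Search operation: match uid or cn, only on person entries. */
    public static String buildFilter(String term) {
        String safe = escapeFilterValue(term);
        return "(&(objectClass=inetOrgPerson)(|(uid=" + safe + ")(cn=" + safe + ")))";
    }

    private final String url;     // assumed, e.g. ldap://localhost:1389
    private final String baseDn;  // assumed, e.g. ou=People,dc=example,dc=com
    private final String bindDn;  // assumed service account used by the Service tier
    private final String bindPw;

    public LdapSearchService(String url, String baseDn, String bindDn, String bindPw) {
        this.url = url;
        this.baseDn = baseDn;
        this.bindDn = bindDn;
        this.bindPw = bindPw;
    }

    /** Returns the DNs of entries matching the (escaped) term under baseDn. */
    public List<String> search(String term) throws NamingException {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPw);
        DirContext ctx = new InitialDirContext(env);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {"uid", "cn", "mail"});
            NamingEnumeration<SearchResult> results = ctx.search(baseDn, buildFilter(term), sc);
            List<String> dns = new ArrayList<String>();
            while (results.hasMore()) {
                dns.add(results.next().getNameInNamespace());
            }
            return dns;
        } finally {
            ctx.close(); // always release the connection, even on a failed search
        }
    }

    public static void main(String[] args) throws NamingException {
        // Offline demonstration of the escaping: a plain uid and a hostile term.
        System.out.println(buildFilter("sfehrman"));
        System.out.println(buildFilter("*)(uid=*"));
        // With a directory available (assumed OpenDS on localhost:1389), run a real search.
        if (args.length == 1) {
            LdapSearchService svc = new LdapSearchService(
                "ldap://localhost:1389", "ou=People,dc=example,dc=com",
                "cn=Directory Manager", "password");
            for (String dn : svc.search(args[0])) {
                System.out.println(dn);
            }
        }
    }
}
```

Run `java LdapSearchService` with no arguments to see the two filters; the second one comes out with every `*`, `(` and `)` of the hostile term encoded, so it can only ever match a uid or cn that literally contains those characters. The same rule applies to the JDBC Service: the equivalent of escaping there is binding the term through a `PreparedStatement` parameter rather than concatenating it into the SQL.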

Project OpenPTK is a formal open source project hosted on Java.net and is part of the Identity Management community. Project OpenPTK founders: Scott Fehrman, Derrick Harcey and Terry Sigle are Pre-Sales Systems Engineers supporting Sun's Identity Management products.

The Project OpenPTK site contains source code (via svn), documentation, distributions and tracks issues. Anyone is welcome to join the community as an Observer and please subscribe to the "user" and "announce" mailing lists.

Wednesday Feb 20, 2008

Last night was the first meeting of the Chicago-Area Identity Management User Group. Sun hosted the meeting in their Itasca, IL office. The user group is focused on sharing knowledge and experiences related to Identity Manager, Access Manager, Directory Server and RBACx.

The attendees included the Sun identity team, partners (Laurus Technologies, Deloitte) and customers (Kraft, Motorola, Hewitt). Meeting agenda:

  • User Group vision/strategy
  • Sun: Identity Suite Roadmap
  • Deloitte: Role Management for Enterprise (RM4E)
  • User Group Next Steps

The user group raised / discussed the following items:

  • More focus on manageability with Identity Manager; upgrades, integration, debugging
  • More "best practices" examples (whitepapers, templates, etc.) for Identity Manager
  • How to leverage Identity Manager for SOX compliance
  • Need Resource Kit (tools) for Identity Manager, like Directory Server
  • Need to enhance the Directory Editor that is part of the Directory Server

Agenda for the next meeting:

  • Upgrading Identity Manager (Laurus Technologies)
  • Getting more value out of Identity Manager (Deloitte)
  • Identity Manager 8.0 Overview (Sun)

The next meeting will be held at the Sun Itasca Office @ 6:30 pm on Thursday May 22nd 2008.

If you're interested in joining the user group, please send an email to: requestChicagoIdmLUG at Sun dot COM

Friday Feb 08, 2008

The Project Open Provisioning ToolKit (OpenPTK) team has announced a new Consumer-Tier application, a WSDL-based Web Service. The new application enables other web (client) applications to perform user provisioning operations. Clients can consume the published WSDL and invoke the service's operations: Create, Read, Update, Delete and Search.

The Web Service application is based on JAX-RPC and leverages the Web Services features of NetBeans. The Project OpenPTK NetBeans guide has been updated to cover the building and deploying of this new application.

This new OpenPTK Consumer-Tier application can be used by composite application tools like Sun's Java CAPS to integrate user provisioning into an Enterprise solution.

The WSDL-based Web Service application is available now. It can be obtained by downloading Project OpenPTK's source code from the openptk.dev.java.net site.

Here are some screenshots of the new WSDL-based Web Service being tested with soapUI

Thursday Jan 24, 2008

I downloaded ecto for managing my blog ... this is a test blog entry from it.

Monday Jan 14, 2008

Today we posted an announcement regarding a new feature that was added to Project OpenPTK. The new feature is a Consumer Tier application that leverages Project OpenPTK's flexible architecture, a set of JSR-168 Portlets:

Forgotten Password:
Users can leverage challenge questions/answers stored within the Sun Java System Identity Manager to change a forgotten password.

Self Service:
After authenticating to the Portal, users can change some of their own information and change their own password.

User Administration:
Authorized users can perform basic user life-cycle operations: Create, Read, Update, Delete, Change Password, Reset Password.

The JSR-168 Portlets have been tested on the open source Jetspeed portal server and on the Sun Java System Portal Server. The JSR-168 Portlets are available now. They can be obtained by downloading Project OpenPTK's source code from the openptk.dev.java.net site.

Wednesday Jan 09, 2008

The Project OpenPTK team had their first meeting of the year. We posted the notes on openptk.dev.java.net as a new Forum called Meeting Minutes. We talked about open issues and new ideas. Here's a summary of ideas for new features:

  • JDBC Service
  • RESTful Web Service
  • Authentication
  • Solaris Naming Service

Monday Dec 03, 2007

Today we posted an announcement related to a new feature that was just added to Project OpenPTK. The new feature is a Service that enables OpenPTK-based applications to provision users to LDAP-based directory servers.

Why is this important? The new LDAP/JNDI Service demonstrates that User Provisioning applications (which leverage Project OpenPTK consumer interfaces) can be abstracted from the back-end user repository. Prior to this announcement, OpenPTK-based applications could only leverage the SPML Service. Developers can now build User Provisioning interfaces that could use LDAP for Search and Read operations while SPML would be used for Create, Update and Delete operations.

The Test Samples and Example applications provided in the Project OpenPTK source download have been tested with both LDAP/JNDI and SPML. The Command Line and User Management Lite examples can easily switch between back-end user repositories by either updating a configuration file or by specifying a context at run-time.

The OpenDS directory server was used for development and testing. It was so easy to download, install and configure. Another must-have tool, if you're working with LDAP, is the Apache Directory Studio.

This is just the beginning of what the Project OpenPTK team has planned for this new LDAP/JNDI Service.

Saturday Dec 01, 2007

Yesterday I released the Project OpenPTK NetBeans Guide to the openptk.dev.java.net documentation page. This guide will help you set-up a collection of NetBeans Projects using Project OpenPTK's source files.

Saturday Nov 17, 2007

I installed NetBeans 6.0 (Beta 2) on my Mac about a month ago. I didn't do much with it until last week. One of my TODO's has been: "work on Javadocs" for Project OpenPTK. I know ... I know ... we should have been writing the Javadocs as we wrote code, just like every good developer does :-).

I decided to use NetBeans 6.0 (Beta 2), instead of my NetBeans 5.5 install. I'm really happy I did ... the new editor ROCKS. There's a ton of new features, I'm sure I'll get to use them all eventually. Did I say the new editor "JUST ROCKS".

As I was adding Javadoc comments "/**", the NetBeans Editor started a nice template for me with @param, @throws, @return elements as necessary. This made it easier for me to "Fill-In-The-Blanks" with notations. As I went through all the Java files in Project OpenPTK's public api code, I noticed that the Editor was flagging different things in the code. It highlighted methods that should have @Override, include lines not being used, local variables that were conflicting with global fields and a few other things. I decided to open every Java source file in the project and see what the editor found. I removed a lot of include lines that were not being used.

There's a lot of other cool features in this new Editor. Here's a just few things that I played with:

  • I really like the new diff features, especially when you delete lines and the icon lets you see what was removed, compared to what's in SVN.
  • The default colorizing is a lot nicer.
  • The highlighting is very useful, double-click on a variable and it's highlighted everywhere, the right-side margin shows a little "tick" mark where that variable is used throughout your source file.
  • I needed to use the Instant Renaming feature a couple of times (when a local variable name was the same as a global field ... oops). Just start changing the local variable where it's defined and it will dynamically change everywhere in the method.

There's many more new features. Take a look at this NetBeans wiki site, it's a good summary of the Editor's features.

Monday Nov 12, 2007

Last Friday the Project OpenPTK team (Derrick, Terry and I) did an initial check-in of the source code. You can download the pre-built samples and browse the source code. Details related to the source code can be found on http://www.ohloh.net. Our initial check-in was about 120 files and included over 15,000 lines of code (that's minus blank lines and comments). The Javadocs for the Java API are available on http://www.openptk.org.

Monday Oct 15, 2007

For those of you that are MySQL users and want to check out Postgresql (it's integrated into the latest release of Solaris 8/07), take a look at the BigAdmin article I created.

Having never used Postgresql, the Solaris integration made things nice. The changes I made to some MySQL scripts were minimal.

Friday Oct 12, 2007

Derrick Harcey, Terry Sigle and I (Systems Engineers in Sun's Software Practice) publicly announced Project OpenPTK at Sun's Customer Engineering Conference (CEC) 2007 in Las Vegas, Nevada.

In addition to my co-founders (Derrick and Terry), I'd like to thank lots of other people that helped make this project possible. The three of us put in a lot of evenings and weekends.

  • My wife: I spent a few weekends and evenings writing code and having conference calls. I woke her up sometimes while discussing issues during 1:00 AM conference calls.
  • My two boys: while they were either at swimming lessons or at Tae Kwon Do classes, I would occasionally bring my laptop to write code or read technology books for research.
  • My management supported this project since day one. Thanks for supporting our vision.
  • Sun's engineering, marketing, open source and legal teams.

Being a member of Project OpenPTK has allowed me to see, first hand, that Sun believes in and supports open source projects.