Steffo's Echolot


Only technical stuff here.
Wednesday Apr 11, 2007

IDM and SAP

There's a frequent question that comes up when configuring the schema mapping between Sun Java System Identity Manager and SAP: how can I tell from looking at SAP GUI what attribute to configure on the right hand side (RHS) of the schema mapping?

For example, in SAP GUI you see a tab entry "Parameters". What's the technical name of "Parameters" to be configured in IDM's resource adapter? Answer and procedure can be found at Sun Sharespace (look for "What's behind SAP GUI's displayed attributes?").

Thursday Mar 22, 2007

UNESCO on Ethical Implications of Emerging Technologies

The 2007 report is out and covers

  • Semantic Web and MetaData
  • Digital Identity Management and Biometrics
  • RFID and Sensor Networks
  • Geospatial Web and Location-based services
  • Mesh Networking
  • Grid Computing
  • New Computing Technologies

The need for virtualization on Load Balancers

Surprisingly many (big) companies still don't use load-balancing switches (LBs). I am talking of hardware boxes like Alteon, Foundry, Nauticus. Those that use LBs use them in mission-critical environments. If any of these companies plans to roll out a new project that could benefit from a load-balanced network environment, they're instantly in a big discussion with the people who operate these boxes.

Since these boxes are mission-critical, configuration changes require a lot of discussion. This is especially true if you want to convince these people to use configurations they've never used before (e.g. proxy IP addresses). The end of the game:

  • a lot of discussion about what to configure and why it is needed
  • an unplanned outage of the mission-critical service (maybe)
  • dropping the hardware load-balancing for the new project and using a software LB solution

It would be easier to buy a separate load-balancer for each project. But then: costs, costs, costs. A load-balancer with appropriate features is not a cheap thing: 10-20K EUR per box, at least 2 boxes (high-availability), three environments (development, integration, production), which gives 60-120K EUR per project/application.

So what's the alternative: discussions or cheap software solutions? Well, the cheap software solutions I saw (I'm not talking about Resonate here, I'm talking about things like BEA's LB plugin, DNS round-robin etc.) don't take you that far. Load-balancing is a network thing, a hardware thing (you don't use multi-homed PCs for L3 routing, do you).

Discussions? The average time spent on discussions on how to configure the load-balancer without affecting the other applications is 5-10 days (you, the network guy plus some project manager). Yes, that's 5-15K EUR per project. Assume you have 3-5 projects on your LB infrastructure, that's 15-75K EUR spent on discussions. Plus the amount that is caused by the unplanned outage (maybe not of the production system, but non-availability of the integration system can also cost money). So in total: 5-80K EUR.

That money could be saved if the network guy could easily be assured that the new configuration won't harm his existing one. That's what virtualization can do for you (and for him). Every project gets its own sandbox on one LB platform.

Sunday Mar 11, 2007

Security: Risk analysis

"Please continue shopping via our Security Server. It uses encryption to protect your data." Sentences like these always surprise me. I've never seen a bank advertising "Please open an account at our bank. We use armoured cars to transport your money."

One problem with IT security is that a lot of technical people tend to implement a plethora of mechanisms without doing a proper risk analysis first. The terms used in risk analysis are not standardised; nevertheless, terms like 'threat' and 'risk' are by no means identical. A threat is something like: someone holding a gun enters the bank building saying 'I want your money'. The risk is an evaluation of the threat regarding two aspects:

  1. the likelihood that he gets the money and
  2. the amount of money he gets.

So a risk is a point in a two-dimensional matrix (x: likelihood that the event happens, y: potential amount of loss).

A risk analysis is a process:

  1. Determine the threat. A threat is an event.
  2. Determine the weaknesses that favour the threat (e.g. missing encryption, missing cameras, no bulletproof glass).
  3. Set up an appropriate scale for the risk matrix: the likelihood can be qualitative (negligible, low, medium, high) whereas the potential loss might be quantitative (10^5 EUR, 10^7 EUR and 10^9 EUR). Try to capture the 'out of business' case as well, which might occur through
    • Acting against legal requirements.
    • A high loss (that's easy).
    • Loss of image and customer confidence.
  4. Determine the likelihood that the threatening event occurs by relating (combinations of) weaknesses to threats.

Sounds too theoretical? Here's the classical example from Star Wars:

Threat. The Death Star will be destroyed.
Weakness. A small thermal exhaust port, right below the main port. The shaft leads directly to the reactor system.
Likelihood. Low (difficult to approach; approaches will be detected).
Potential amount of loss. Out of business.
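The four steps above carried through in code, as an added example that is not part of the original post: the Death Star case and three constructed threats are placed on the likelihood and loss scales, the three out-of-business routes override the plain euro figure, and the threats are ranked for counter-measure work. The scale boundaries, the threshold of 10^9 EUR for 'out of business' and the rule that the strongest single weakness sets the likelihood are assumptions, not figures from the post.

```python
"""Risk-matrix walk-through: an added example, not code from the original post.

It follows the four steps: name the threat (an event), list the weaknesses
that favour it, put likelihood and potential loss on ordinal scales that
include the 'out of business' case, and place each threat in the
two-dimensional matrix. The sample threats are constructed; the scale
boundaries and the max rule in likelihood_of() are assumptions.
"""
from dataclasses import dataclass

# Step 3: qualitative likelihood scale (x axis) and loss scale in EUR (y axis).
LIKELIHOOD = ["negligible", "low", "medium", "high"]
LOSS_BANDS = [(1e5, "1e5 EUR"), (1e7, "1e7 EUR"), (1e9, "1e9 EUR")]
OUT_OF_BUSINESS = "out of business"
# Assumption: a loss at or beyond the top of the scale ends the business.
OUT_OF_BUSINESS_EUR = 1e9


@dataclass
class Weakness:
    name: str
    likelihood: str  # how far this weakness alone takes an attacker (one of LIKELIHOOD)


@dataclass
class Threat:
    event: str
    weaknesses: list
    loss_eur: float
    legal_breach: bool = False      # acting against legal requirements
    reputation_loss: bool = False   # loss of image and customer confidence


def likelihood_of(threat):
    """Step 4: relate weaknesses to the threat. Assumption: the weakness that
    helps the attacker most determines the likelihood of the event."""
    if not threat.weaknesses:
        return LIKELIHOOD[0]
    return max((w.likelihood for w in threat.weaknesses), key=LIKELIHOOD.index)


def loss_band(threat):
    """Step 3: bucket the potential loss; any of the three out-of-business
    routes overrides the euro figure."""
    if threat.legal_breach or threat.reputation_loss or threat.loss_eur >= OUT_OF_BUSINESS_EUR:
        return OUT_OF_BUSINESS
    for upper, label in LOSS_BANDS:
        if threat.loss_eur <= upper:
            return label
    return OUT_OF_BUSINESS


def risk_point(threat):
    """The risk as a point in the matrix: (likelihood index, loss index)."""
    x = LIKELIHOOD.index(likelihood_of(threat))
    band = loss_band(threat)
    y = len(LOSS_BANDS) if band == OUT_OF_BUSINESS else [lbl for _, lbl in LOSS_BANDS].index(band)
    return x, y


def rank(threats):
    """Order threats for counter-measure work by (x+1)*(y+1); ties are broken
    on the loss axis so an out-of-business event never sinks below a cheap
    but likely one."""
    def key(t):
        x, y = risk_point(t)
        return ((x + 1) * (y + 1), y)
    return [t.event for t in sorted(threats, key=key, reverse=True)]


def render_matrix(threats):
    """Text view of the matrix, highest loss row first, for a review meeting."""
    rows = [lbl for _, lbl in LOSS_BANDS] + [OUT_OF_BUSINESS]
    grid = {(x, y): [] for x in range(len(LIKELIHOOD)) for y in range(len(rows))}
    for t in threats:
        grid[risk_point(t)].append(t.event)
    lines = []
    for y in reversed(range(len(rows))):
        cells = [",".join(grid[(x, y)]) or "-" for x in range(len(LIKELIHOOD))]
        lines.append(f"{rows[y]:>15} | " + " | ".join(f"{c:<12}" for c in cells))
    lines.append(f"{'':>15} | " + " | ".join(f"{l:<12}" for l in LIKELIHOOD))
    return "\n".join(lines)


# Constructed sample threats, including the Star Wars case from the post.
SAMPLE = [
    Threat("Death Star destroyed",
           [Weakness("thermal exhaust port to reactor", "low")], loss_eur=1e12),
    Threat("card data read in transit",
           [Weakness("missing encryption", "medium")], loss_eur=2e6),
    Threat("bank robbery at gunpoint",
           [Weakness("no bulletproof glass", "medium"), Weakness("no cameras", "low")],
           loss_eur=5e4),
    Threat("fine for unlawful data processing",
           [Weakness("no consent records", "high")], loss_eur=3e5, legal_breach=True),
]

if __name__ == "__main__":
    print(render_matrix(SAMPLE))
    print(rank(SAMPLE))
```

The max rule in likelihood_of() is the simplest defensible way to combine weaknesses; a real analysis would score combinations (a missing camera matters more when the glass is not bulletproof either), and that is the one function to replace. Note what the ranking shows: the legally exposed threat outranks the Death Star even though its euro figure is small, because 'out of business' dominates the loss axis.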

Now you can start developing counter-measures. A lot of things can be done wrong here. Most notably: technical measures lacking proper organizational support (believe me, I've seen large banks where the whole network traffic must be encrypted while the operators are unable to set up a procedure for changing the certificates or keys). In that case a security strategy might help: if you cannot go for the complicated mechanism right now, why not choose a weaker mechanism plus an organizational mechanism (e.g. insurance) for a transitional period?

I agree, that sounds too simple, and I haven't seen a company that uses insurance to make up for such operational drawbacks. My only point is: don't always think too technically. Use a combination of technical and organizational measures. And if you set up online banking, don't only tell your customers that you use SSL military-grade encryption, but also that you set up processes and took out insurance, just in case.

Thursday Mar 08, 2007

Java ES 5 and Zones

Java ES 5 supports sparse zones for most components (e.g. Directory Server, Directory Proxy, Web Server, Access Manager). You must install the shared components in the global zone first. After that create sparse zones for your apps.
Here's the config I use:

zonecfg:ds> export
create -b
set zonepath=/zones/ds
set autoboot=true
add inherit-pkg-dir
set dir=/lib
end
add inherit-pkg-dir
set dir=/platform
end
add inherit-pkg-dir
set dir=/sbin
end
add inherit-pkg-dir
set dir=/usr
end
add inherit-pkg-dir
set dir=/usr/sfw
end
add net
set address=192.168.0.150
set physical=bge0
end

Now you can install Directory Proxy and Access Manager, each in a separate zone.

Tuesday Mar 06, 2007

Groovy Identity Manager: integrating IdM and Groovy

I'm actively doing Identity Manager projects for about 4 years now. I really like the product because of its flexibility. There is one obstacle: the XPress language. With respect to its language features, XPress is comparable to shell script (bash, tcsh etc.). Here is a sample of XPress code:

<block trace='true'>
  <set name="foo">
    <concat>
      <s>Hello, </s>
      <ref>input</ref>
      <s>!</s>
    </concat>
  </set>
  <ref>foo</ref>
</block>

The variable foo will contain the value "Hello, world!" (assuming that input has a value of "world").

You can also call any Java class from XPress code

<invoke class="com.sun.idm.Hello" name="print">
   <ref>input</ref>
</invoke>

which leads to the same result.

The good thing about XPress is that you can change the code while your IdM is running (i.e. you don't have to redeploy IdM if you change the code). The bad thing is that XPress suffers from XML-bola (tags, brackets etc.): the code easily becomes unreadable. Given the fact that everything in IdM needs to be serializable in order to write it to the persistent storage (SQL database), it is probably difficult to fully replace XPress.

If you want to have both, readable code plus the agility of a scripting language, you can use e.g. Groovy (the trick basically is to invoke your own class loader). Suppose you have a Java class "GroovyWrapper" that has a method "run(String groovyScript)". You can call this method (e.g. from a workflow):

<Activity id='10' name="groovyTest">
  <Action>
    <invoke name="run">
      <new class="com.sun.idm.GroovyWrapper"></new>
      <s>/Users/steffo/CodeWarrior/helloWorld.groovy</s>
    </invoke>
  </Action>
</Activity>

You can now change your groovyScript from

def name='World'; println "Hello $name!"

to

def name='Sun'; println "Hello $name!"

without redeploying IdM. Keep in mind that the wrapper compiles and executes whatever file it is pointed at: the script path belongs in the workflow definition and must never be built from user-supplied data.

GroovyWrapper is very simple. First you need to download Groovy from groovy.codehaus.org. There is also a nice section on how to embed Groovy, which can be the basis for your GroovyWrapper:

/*
 * GroovyWrapper.java
 *
 * Created on March 5, 2007, 11:11 AM
 */

/*
 * The following JARs must be copied to $WSHOME/WEB-INF/lib
 *
 * antlr-2.7.5.jar
 * asm-2.2.jar
 * asm-analysis-2.2.jar
 * asm-attrs-2.2.jar
 * asm-tree-2.2.jar
 * asm-util-2.2.jar
 * groovy-1.0.jar
 * groovy-starter.jar
 * groovy-xmlrpc-0.3.jar
 */

package com.sun.idm;

import java.io.File;
import java.io.IOException;
import groovy.lang.GroovyObject;
import groovy.lang.GroovyClassLoader;

import groovy.lang.Binding;
import groovy.util.GroovyScriptEngine;
import groovy.util.ResourceException;
import groovy.util.ScriptException;

/**
 * Compiles and runs Groovy scripts from inside IdM. Both methods execute
 * whatever file they are pointed at, so the path must come from the
 * workflow definition, never from user-supplied data.
 *
 * @author steffo
 */
public class GroovyWrapper {

    private GroovyClassLoader loader;
    private Class groovyClass;

    /** Creates a new instance of GroovyWrapper */
    public GroovyWrapper() {
    }

    /** Compiles the script file 'groovySrc' and calls its run() method. */
    public Object run(String groovySrc) {
        // A class loader of our own, with IdM's loader as parent: the script
        // sees IdM's classes, but IdM does not have to be redeployed.
        ClassLoader parent = getClass().getClassLoader();
        loader = new GroovyClassLoader(parent);

        Object obj = null;

        try {
            groovyClass = loader.parseClass(new File(groovySrc));
        } catch (IOException e) {
            System.out.println("File " + groovySrc + " does not exist or is unreadable");
            return null;    // nothing was compiled, so there is nothing to instantiate
        }

        try {
            // A compiled script is a class with a run() method; call it.
            GroovyObject groovyObject = (GroovyObject) groovyClass.newInstance();
            Object[] args = {};
            obj = groovyObject.invokeMethod("run", args);
        } catch (Exception e) {
            System.out.println("Cannot instantiate or run Groovy object: " + e);
        }

        return obj;
    }

As used here, run gives you no way to pass values back from the script: the compiled script's run() returns the value of its last statement, and the script above ends with println. The following method uses a Binding instead, so the script can hand an object back under a named variable:

    /** Runs the script 'script' found below 'root'. The script must set the
     *  variable 'outputVariable' in its binding; that value is returned. */
    public Object runScript(String script, String outputVariable) {
        Object obj = null;
        // The directory the engine resolves script names against. Keep all
        // scripts in one place and pass only a file name as 'script'.
        String root = "/Users/steffo/CodeWarrior";

        try {
            GroovyScriptEngine gse = new GroovyScriptEngine(root);
            Binding binding = new Binding();
            // Variables set here are visible inside the script ...
            binding.setVariable("input", "world");
            gse.run(script, binding);
            // ... and variables the script assigns are visible here afterwards.
            obj = binding.getVariable(outputVariable);
        } catch (IOException e) {
            System.out.println("Path " + root + " does not exist");
        } catch (ResourceException e) {
            System.out.println("Cannot load " + script + ": " + e);
        } catch (ScriptException e) {
            System.out.println("Error running " + script + ": " + e);
        } catch (groovy.lang.MissingPropertyException e) {
            System.out.println(script + " did not set variable " + outputVariable);
        }

        return obj;
    }
}

You can use this method via:

<block>
  <set name="groovyResult">
    <invoke name="runScript">
      <new class="com.sun.idm.GroovyWrapper"></new>
      <s>helloWorldScript.groovy</s>
      <s>output</s>
    </invoke>
  </set>
  <ref>groovyResult</ref>
</block>

The variable groovyResult contains the object that the script assigned to its binding variable output, i.e. what is passed from Groovy to IdM.


A last remark: I currently have no idea of the potential drawbacks (e.g. performance) of this approach. What I know is that our support staff says: try to use XPress, if that doesn't work use JavaScript. If that doesn't work, use Java. Please take this into account when developing IdM solutions or opening support cases.

Thursday Mar 01, 2007

Nonsense: Identity Karaoke...

... this is actually better than I thought (especially if you take into account that Bohemian Rhapsody is not the easiest piece of music for a singer).

Java Enterprise System 5 is out

Java ES 5 is out! Most exciting things for me in this release

  • Directory Server 6 and Directory Proxy/Virtual Directory (which now allows you to aggregate a single view not only from LDAP sources but also from SQL or flat files). Note that this is the first major upgrade since 2003 of an overall very, very stable and mature product.
  • WebServer 7 comes with Elliptic Curve Cryptography support
  • J2EE Application Server 8.2 has zone support
  • Identity Manager 7.0 now support SPML 2.0, has a nice integration in NetBeans and includes Identity Auditor
  • Access Manager 7.1 now has a simplified single WAR deployment.


It also comes with a better systems management support.

Since Parallels 2.5 is now also officially released, this reduces the amount of beta software on my Mac substantially. Since I work in the identity systems area I haven't tested all of the Java ES components. However, for a PoC/TOI I had 6 instances of Directory Server 6 plus Directory Proxy and a MySQL database running in my Solaris 10 Parallels image. No problems apart from the clock issue (which might be a problem with S10U1 and doesn't show up with Update 3 of Solaris 10). All this requires some memory; 2GB seem to be sufficient, and the simple motoring truth "there is no replacement for displacement, except more displacement" holds here as well.

Wednesday Feb 28, 2007

Wanted: Identity Provider

Whenever it comes to a comparison between a paper passport and an electronic passport it turns out that it is not so much a question of what data is stored on the new electronic passport, but how it is managed. There are a few companies that are able to manage a large amount of data, so that the availability of the data (e.g. for OCSP checks) can be guaranteed. But what about aspects of security?

I would prefer the state to handle my electronic ID (X.509 certificates, being identity provider etc.). Unfortunately, I don't see any activities in that direction. If the state is waiting for industry partners to take the challenge, why are they keeping my normal paper-based passport records? Why don't we get X.509 certificates when we get a new ID card? Is there someone taking electronic communication seriously?

The government cannot be responsible for everything, I hear officials say. Very difficult to tell where they should start and where they should stop. Here are a few points:

  • It makes sense that the institution issuing passports at least governs all kinds of passports (whether they are on paper or on silicon).
  • If you have an electronic ID card, it should contain your private key. German authorities have actually been talking for quite a while about electronic passports which also have some memory left for electronic signatures, but I am not sure when we will get it. Also I suspect that the electronic signature part will take substantially longer. Further, taking into account that they - the German government, that is - are still unable to prohibit smoking in restaurants, I am looking forward to the excuses that will come up with electronic passports.
  • Politicians insist that they can only provide an economic framework rather than actively controlling the economy. I fully agree, and may I add that knowing who you're dealing with in (electronic) communication/business is definitely part of the framework.

Steffo, everything is on the way. It'll take only a couple of years until everything is rolled out because it's so complex.

I see, I reply, and I know it's complex; but: we all have known this since the mid 90s, and if it works in the military area why does it not work in the civil area? It doesn't work in the military area, you say? Now, that's frightening.

Firewalls: No more perimeter security?

"The era of firewalls is over!" I hear people say. What they mean is "The era of perimeter security is over". While the first sentence is absolutely rubbish, the latter is provocative, too strong and needs some clarification. The argument at the Net-ID conference was that perimeter security is like a medieval city wall and no longer appropriate in modern communication infrastructures. To me this sounds very much like arguments from the intrusion detection/prevention community in the late 90's: you allow everybody to walk (surf) around wherever he/she wants to go. Instead of a rigid access system (firewall), however, you install cameras to detect if people are vandalizing or otherwise doing harmful things to your IT systems.

I haven't seen a single company touting intrusion detection systems while offering public access to their premises. Folks, let's get real here: firewalls are not city walls; firewalls control access to your IT systems and are comparable with the walls of your building. Companies - like cities - have areas which are public (called internet websites) and anonymous access to these places should be granted.

However, there are certain areas where access should be granted only to those who can be identified. Maybe I don't need to know who that person is. I only need to know that person's e-mail address. So if there is a third party which authenticates the user, I can rely on that party. I don't need any other information about who that person is or what his e-mail address looks like. Maybe I am only interested in that person's age (in her 20's, 30's or whatever). The same information a concierge can gather. Of course, a person must have distinct control over what information (age, shoe size) will be visible to whom. That's called federated identity and there is a plethora of mechanisms and products to achieve this. Admittedly, these mechanisms have become confusingly hard to survey.

Instead of getting rid of the perimeter solution, companies might want to add a mechanism to give more data (information, binary downloads etc.) to people who willingly give up their anonymous status.

I am not saying that the (more or less) anonymous access we have today should be given up. My point is that

  1. I don't want to log on again and again to a software vendor's development site, and once again to IEEE's or ACM's site (who all have my e-mail address, name etc.).
  2. I understand that companies are interested to know a little bit - and I am strict about "little" here - about who is downloading their product (honestly, some data gathering behaviour is clearly not justifiable and is somewhat beyond me).

So, if your firewall is a perimeter solution comparable to medieval city walls:

  1. Get rid of your archaic solution.
  2. Identify your real assets (e.g. via a risk analysis).
  3. Create as many open spaces as possible for people who want to stay anonymous.
  4. Use a perimeter solution (building wall) to protect your assets against those who want to stay anonymous.
  5. Use a federated identity solution to allow authenticated access to your assets and to control access based on an authorization model.

Saturday Feb 24, 2007

Google Apps Premier Edition

Who's afraid of Google? Financial Times Deutschland (well, not the tech mag par excellence) has an article about Google attacking Microsoft with Google Apps Premier Edition. Moreover - and quite unusual for a business-oriented newspaper - they question privacy in Google's approach. Would I be afraid of Google? Mmmh. Maybe. Maybe not. Suppose Google were a telco (like AT&T, Deutsche Telekom) in 1920. Did people in 1920 worry about their privacy? Most certainly not. The whole data and privacy issue in technology is a phenomenon which emerged during the past 15 to 20 years.

If Google manages to protect the data as required by law, why not give Google Apps a try? Honestly, I am more worried about viruses for Windows than people hacking into Google Apps. If Google offers the Premier Edition for (small) business users, they should have some interest in defending data privacy. If it turns out that the data is really at stake, then this yields a lack of acceptance (or the end of Google Apps). What I like about Google's approach - though it's not new - is that it's being carried out by a big player. I don't know how many people at Google work on Google Apps but it's definitely more than at the ISPs I knew of in 2000. It is size that matters.

If I owned a small business, what would I like to have? A diskless client (well, a Sun Ray 170 like thing) which is able to access (web-based) network apps (like Google Apps) plus an external drive where I can copy my private data to. So it's not totally diskless. I will use this drive to store private data. Since it's not an always-on drive this - I think - reduces the likelihood of data being compromised to an acceptable level.

I don't run my own business, plus I'm a tech buff and I probably won't accept giving control over my boxes to anyone else. I will probably end up in a situation where computers with hard drives are what mechanical cameras are today: geekware. I still use mechanical cameras and I will always want to have a real computer. However, most of my mates are using freemailers' e-mail services and digital cameras. This is where the crowd heads to. I will encourage people to use thin clients because with thin clients I won't hear the "Can you fix my PC" question. I won't fix your PC. Use a real computer or use Google Apps.

It's the processes, stupid

What makes identity management difficult? In short: complicated business processes. Q: What's so complicated about business processes? A: the fact that many companies are not willing to change the processes, as they are carved in stone. Q: Why should a company change a business process if all they want is an identity management tool? Can't the tool handle these processes?

Well, yes it can. Definitely. The only thing is, these processes need to be implemented and/or adapted. Identity management software comes with a whole bunch of preconfigured processes that could easily serve a customer's needs. The point is: many processes are the way they are because they use paper forms. Companies might want to change the processes if they change the medium (i.e. moving from paper to electronic forms) or introduce a new tool.

What paper-based processes look like:

  • Sending form sheets from A to B via interoffice mail.
  • More approval steps than necessary.
  • Relying on manual data look-up.
  • Containing data from a business perspective (i.e. personnel number instead of AD sAMAccountName).

Suppose you request access to an IT resource by filling out a paper form. Since processes are handled by sending the form from A to B, the inefficiency of these processes is not visible to everybody: it takes two or more days (or even weeks) for the process to complete. Here, no one cares if the person who is responsible for approving a request is off for one day. If, however, you apply for access via a web form which will be sent to an approver via e-mail, you have higher demands on the approval time-frame. If you have more than one approver (which many companies with paper-based processes have), it makes the whole situation worse. You should rethink your process here: are all the approvals really necessary, or is it sufficient to notify the (former) approvers?

Another example is the data model. While most paper forms require a personnel number and a department by which an employee can be uniquely identified, many Active Directory implementations try to identify a user by the X.500 cn (common name) attribute. Moreover, an employee's AD entry does not even contain his/her personnel number. Thus, there is no way to link the AD account to the employee automatically. You might be able to develop a rule by which an account can be linked to an employee, but very often this is more a rule of thumb than a mathematical function and requires adaptation of your identity manager product (no matter what product you have).

Does it make sense to change your AD data model? Yes it does. And what about the number of approvers? I think you should reduce them, but I am a computer scientist. Definitely you should talk to the process people in your company.
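An added example (not from the original post or from any identity management product) showing why the data model paragraph above matters in practice: an AD export is linked to an HR feed once through a personnel number carried in the account (a function) and, for accounts that lack it, through the cn rule of thumb. The attribute name employeeID for the personnel number, the two cn formats accepted and every record are constructed assumptions.

```python
"""Account correlation: an added example, not code from the original post
or from any Identity Manager product.

Contrasts the two data models: a personnel number in the account links an
account to an employee deterministically; a cn has to be interpreted by a
rule of thumb, which can only report ambiguity, not resolve it.
The HR rows, AD entries and the employeeID attribute name are constructed.
"""

# Constructed HR feed: the personnel number is the business key.
HR = [
    {"pnr": "1001", "given": "Anna", "surname": "Schmidt", "dept": "IT"},
    {"pnr": "1002", "given": "Peter", "surname": "Müller", "dept": "Sales"},
    {"pnr": "1003", "given": "Peter", "surname": "Müller", "dept": "HR"},
    {"pnr": "1004", "given": "Li", "surname": "Wei", "dept": "IT"},
]

# Constructed AD export; only some entries carry the personnel number.
AD = [
    {"sAMAccountName": "aschmidt", "cn": "Schmidt, Anna", "employeeID": "1001"},
    {"sAMAccountName": "pmueller", "cn": "Müller, Peter", "employeeID": None},
    {"sAMAccountName": "pmueller2", "cn": "Peter Müller", "employeeID": None},
    {"sAMAccountName": "lwei", "cn": "Wei, Li", "employeeID": "9999"},
    {"sAMAccountName": "svc-backup", "cn": "Backup Service", "employeeID": None},
]


def name_key(given, surname):
    """Case-insensitive comparison key for a person's name."""
    return (given.strip().casefold(), surname.strip().casefold())


def cn_to_key(cn):
    """Rule of thumb: accept 'Surname, Given' and 'Given Surname'; anything
    else is not a person name this rule can interpret."""
    if "," in cn:
        surname, given = cn.split(",", 1)
        return name_key(given, surname)
    parts = cn.split()
    if len(parts) < 2:
        return None
    return name_key(" ".join(parts[:-1]), parts[-1])


def reconcile(hr, ad):
    """Link accounts to employees. The personnel number is tried first and is
    authoritative: a present but unknown value is reported, not guessed
    around, because a stale key is itself a data-quality finding. Only
    accounts without it fall back to the name rule, and a name shared by
    several employees is reported as ambiguous rather than linked."""
    by_pnr = {e["pnr"]: e for e in hr}
    by_name = {}
    for e in hr:
        by_name.setdefault(name_key(e["given"], e["surname"]), []).append(e["pnr"])

    result = {"linked": {}, "ambiguous": {}, "unlinked": {}}
    for acct in ad:
        sam, pnr = acct["sAMAccountName"], acct["employeeID"]
        if pnr is not None:
            if pnr in by_pnr:
                result["linked"][sam] = pnr
            else:
                result["unlinked"][sam] = f"employeeID {pnr} not in HR feed"
            continue
        key = cn_to_key(acct["cn"])
        candidates = by_name.get(key, []) if key else []
        if len(candidates) == 1:
            result["linked"][sam] = candidates[0]
        elif candidates:
            result["ambiguous"][sam] = candidates
        else:
            result["unlinked"][sam] = "no employee with that name"
    return result


if __name__ == "__main__":
    for bucket, entries in reconcile(HR, AD).items():
        print(bucket, entries)
```

With the two Peter Müllers in HR, both pmueller accounts end up in the ambiguous bucket: the cn rule cannot tell Sales from HR, and linking the wrong one would hand a person another employee's entitlements. The account with a personnel number that HR does not know is reported rather than matched by name for the same reason.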

Friday Feb 16, 2007

Nevada, Parallels and Java Enterprise 5

What was annoying about the old Parallels/Solaris combo was that the clock did not work properly (very, very bad if you run into timeouts). I cannot say what the delay factor exactly was, but believe me I went for lunch rather than for a coffee break when I had the impression that I ran into a timeout.

With the new combo Parallels 2.5 (Beta) and Nevada (Beta) this problem is almost gone. However, it's not a good idea to put the virtual machine to sleep. It gets confused about the time delay when it wakes up again. Anyway, an OS (yes even Solaris) is more fun when it has some apps installed. So I decided to give the Java Enterprise System a try. For those not being familiar with the Sun products: the Java Enterprise System is a suite (or better: a set of suites) of different applications (LDAP Directory Server, Web Server, Cluster -- all the stuff you need).

Since the Parallels version I'm running on is beta and also the Nevada version is beta, I went for Java Enterprise 5 (should be available soonish). The graphical installer showed up shortly with a splash screen and the normal installer screen but disappeared (shy graphics). So I used installer -nodisplay and I got

Installation Summary Report
Install Summary
Java Enterprise System 5 : Installed
Sun Java(TM) System Web Server 7.0 : Installed, Configured
Sun Java(TM) System Directory Preparation Tool : Installed
Sun Java(TM) System Directory Server Enterprise Edition 6.0 : Installed

So far, so good. Next challenge: Access Manager. The installer installed the packages but for some reason was not able to deploy them to the Sun Web Server. I had no problems doing a manual deployment. Simply copy the config file /opt/etc/bin/amsamplesilent to amsilent-sun, edit it (I had to use the HTTPS port 8989 as the deployment port for Sun Web Server) and run ./amconfig -s amsilent-sun . Before you restart your web server, remember to do a chown -R webservd:webservd (or whatever user your web server runs under) on /etc/opt/SUNWam to ensure the deployed application can read the necessary config files (otherwise you'll get those nasty exceptions at LoginLogoutMapping.java:74).

After 40 minutes, I have a brand new Access Manager deployment on my MacBook.

Thursday Feb 15, 2007

Parallels (and Nevada)

Short version: yes it works out of the box. I downloaded the Parallels Beta 2.5 (Build 3150) software. For some reason the activation key didn't work - had to get a trial key. Started Parallels and immediately froze my Mac. Reboot (that's a shame because I found all the stuff around my OS X quite stable and that happened before). Anyway, I took the latest Nevada build and installed it. No problems so far. I'll post detailed results later.

