The Blog

Using the Sailpoint Provisioning Integration Module (PIM) for Unsupported Connections

pramod | May 9th, 2012
***NOTE: As with all Tips and Tricks we provide on the IDMWorks blog, use the following AT YOUR OWN RISK. We do not guarantee this will work in your environment and make no warranties***

Sailpoint comes with a method to integrate and interact with other vendors' Identity Management applications through a supported integration module called the Provisioning Integration Module (PIM).
The supported vendor systems are:
  • Oracle Identity Manager (OIM)
  • Sun (now Oracle) Java System Identity Manager (SIM)
  • IBM Tivoli Identity Manager (TIM)
  • NetIQ Novell Identity Manager
  • BMC ESS
  • BMC Remedy Access
For Sailpoint to work with currently (as of this writing at least) non-supported systems (such as Microsoft Active Directory, LDAP, SQL Server, etc.), the BMC Provisioning Module should be used. These connector integrations should thus be configured as read-write connectors. Additionally, all individual connectors come with configuration PDF files, so please read these before attempting any of the following.
Steps involved in utilizing the BMC Provisioning Module include the following:
  1. SailPoint IdentityIQ Connector Manager should be installed and configured.
  2. The Connector Gateway should be configured and running as a system service. This service should always be running (don't forget that!!!)
    • Configure Init.xml contained in the ConnectorGateway folder.
    • Execute the install.bat file, which creates the service.
  3. Init.xml contents (fill in the host name and port of your Connector Manager; the Connector Gateway port is set in the Server section):
    <SM>
    <!-- Connector Manager/Agents Hostname or IP Address -->
    <hostname>host name of sailpoint connector</hostname>
    <!-- Connector Manager/Agents port number -->
    <port>Port no</port>
    <!-- Use "AS400" for AS400 systems and "MAINFRAME" for Mainframes; leave empty in all other cases. -->
    <platform></platform>
    </SM>

    <Server>
    <!-- Connector Gateway port number -->
    <port>5700</port>
    <!-- Delay (in seconds) between two retry attempts while connecting to Connector Manager/Agents -->
    <sm_connect_retry>3</sm_connect_retry>
    </Server>

  4. Install and configure the individual connectors:
    • Active Directory, LDAP, Lotus Notes, etc., using the SailPoint IdentityIQ Connector Manager installed in the first step.
    • Provisioning Manager: an MSCS (Managed System Configuration Set) should be configured for the connectors (Active Directory, LDAP, Lotus Notes, etc.). This name will be used in the Sailpoint Application setup.

Once the Provisioning manager is installed, create a new application and choose the one ending with “Full” in the list (example: if we want to add a PM for Active Directory then we need to choose Active Directory Full from the list).

That’s it!  Good luck and sound off below if you have any questions!

Questions, comments or concerns? Feel free to reach out to us below or at IDMWorks.

Gartner recognizes IDMWORKS as a leading Identity and Access Management Consulting and System Integrator

Paul Bedi | April 26th, 2012

Gartner report IAM Consulting and System Integration, ID: G00234196, Date 19 April 2012

We're very pleased to share with the community that Gartner included IDMWORKS in their latest IAM Consulting and System Integrator report. The report can be obtained directly on their website; however, we wanted to point out that IDMWORKS was recognized among the top 10 US-based vendors in this space.

Our successes and these huge milestones are a testament to our mission which is to deliver the best of breed solutions to our Customers, providing innovation beyond your run-of-the-mill System Integrators! :)

Don’t Shortchange Your IAM Dev Environment

jhinerman | April 19th, 2012

Here at IDMWorks, we have worked with many different clients across a wide range of sectors – from higher education to finance, retail, and more. This experience has given us an informed perspective on some of the common challenges faced during an Identity and Access Management (IAM) implementation. In almost every case, cost is a significant constraint. As a result, organizations are forced to trim costs wherever they can, and frequently that means deploying a development IAM environment on the cheap. While in the short term this might seem like a good strategy, in the long run it can actually cause a lot of pain.

Don’t shortchange your Dev environment!

On the surface, this might sound counterintuitive; your development environment is supposed to be a light duty installation where you can test drive your software before migrating to QC and Prod. Or perhaps your “Dev” environment was originally a proof of concept and now it’s a part of your infrastructure – we don’t need a lot of power for Dev, we just need enough to make it work – right?  I respectfully disagree.

For starters, some of the Identity and Access Management (IAM) products are resource hungry. If you don't have enough horsepower, things are going to be way too slow. Recently, I experienced an application server that took more than 30 minutes to start up in Dev – the same app server launches in less than 5 minutes in production. What are you going to have your team doing while they sit around and wait 30 minutes for the Dev instance to start? Keep in mind that you're going to be restarting Dev many times – configuration changes, app deployments, or even installs could happen frequently in your development lifecycle, so you don't want frequent development restarts taking more than a few minutes tops – anything longer and you're just wasting time.

Another reason you don’t want to short change your development environment is that you have to be able to adequately simulate your production processes. You don’t want to encounter issues for the first time in production simply because your development (or QC) environments weren’t powerful enough to adequately simulate production. We have seen issues in the past where things would break when they were deployed to production even though all testing in dev and QC passed with flying colors. When we did some digging and found the root cause, we found that these were issues that had not shown up in testing simply because the production environments were dramatically different from Dev and QC.

Really there are two takeaways here:

1) Make sure you have enough juice in Dev

2) Make sure Dev is a capable stand-in for your production system for testing purposes.

We know it can be tough to justify spending more on your development environment, especially in this economic climate. However, we think you’ll find the time wasted in waiting for servers to start or chasing mystery issues in production will more than outweigh any short term budgetary gains.

Thoughts, opinions, concerns or comments? Sound off below or click here and let us know!

Creating A Custom Aveksa Review Report

Tom Hertzog | April 17th, 2012

***NOTE: As with all Tips and Tricks we provide on the IDMWorks blog, use the following AT YOUR OWN RISK. We do not guarantee this will work in your environment and make no warranties***

So let us discuss building a custom review report using the Aveksa (ACM) product.

This custom report will:

  1. Generate a review report that will show who the reviewer is that generated the review.
  2. Show who the reviewee is
  3. Show the status of the review
  4. Show the entitlement that is associated to the reviewee
  5. Show comments about the review.
  6. Show information about a group review.

The tables used in the query are as follows:

avuser.t_master_enterprise_users – contains information about the reviewer and reviewee, such as first and last names.

avuser.t_av_reviews – contains information about a review, such as ID, added_by, review_report_id, state, type and name.

avuser.t_av_review_components – contains information about the components that pertain to a review.

avuser.t_av_entitlements – contains entitlement information about the users who are being reviewed.

The following query will generate the review report for our customer:

select distinct
  meu.first_name Reviewee_Fname, meu.last_name Reviewee_Lname, meu.user_id, rc.derived_from_name,
  rc.review_id, rc.component_id, rc.sub_component_id, r.name, r.review_report_id,
  meu_r.first_name Reviewer_Fname, meu_r.last_name Reviewer_Lname, e.resource_name, rcc.comments,
  case when rc.state = 'R' then 'Revoked' else 'Approved' end as Status,
  case when r.review_type = 'G' then 'Group' else 'Entitlement' end as Type
from
  avuser.t_master_enterprise_users meu, avuser.t_av_review_components rc, avuser.t_av_reviews r,
  avuser.t_av_review_comp_changes rcc, avuser.t_master_enterprise_users meu_r, avuser.t_entitlements e
where
  rc.derived_from_name = meu.user_id    -- reviewee
  and rcc.reviewer = meu_r.id           -- reviewer
  and rc.sub_component_id = e.id        -- entitlement under review

Questions, comments or concerns? Feel free to reach out to us at IDMWorks.

Twitter Updates for 2012-04-08

IDMWORKS | April 8th, 2012

Oracle Access Manager/E-Business Suite Integration: Unlocking the Door You Just Locked

James Carroll | March 30th, 2012

***NOTE: As with all Tips and Tricks we provide on the IDMWorks blog, use the following AT YOUR OWN RISK. We do not guarantee this will work in your environment and make no warranties***

Like most, if not all, integrations, those of Oracle Access Manager and Oracle E-Business Suite involve multiple systems. Each is installed and configured in isolation and then further configured and integrated into the whole. Along the way, care is taken to ensure that each step is done correctly and testing is complete. And just like every project, there comes a point when the last 'switch' has to be thrown to turn it all on. Engineers double check their configurations, architects validate their designs, project managers take vacation (*chuckle*), and everyone holds their breath as the last changes are committed. The collective sigh (or groan) tells everyone in the office whether or not the team will be enjoying the weekend.

For Oracle Access Manager (OAM)/Oracle E-Business Suite (EBS) integrations, the agony of defeat can be especially painful because the last step in the integration is to set a series of EBS Profile parameters to make OAM the authentication mechanism. You are, for all intents and purposes, changing the locks and hoping the key you just made works. And if it doesn't, you've just locked yourself out. At least, you've locked yourself out of the front door. Here's how to get back in through the back door.

The parameters that you just set have to be stored somewhere and in this case they are stored in the EBS database. By connecting to the EBS database directly and running the following query, you can find the values that you just set:

select b.profile_option_id,b.profile_option_name, a.profile_option_value, a.last_update_date
from apps.fnd_profile_option_values a, apps.fnd_profile_options b
where a.profile_option_id = b.profile_option_id
order by a.last_update_date desc

This will allow you to at least see the values that are there. If you need to change them, just keep in mind that only the apps.fnd_profile_option_values table has to be updated. Something along the lines of:

update apps.fnd_profile_option_values
set profile_option_value = 'This is correct'
where profile_option_value = 'What was I thinking?'

After that, just hold your breath and press ‘Commit‘.
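As an added example (not from the original post), a more careful way to make the same correction: look the option up by its internal name, update by profile_option_id rather than by value (so a value that other profile options happen to share is not overwritten along with it), verify the row, and only then commit. The option name APPS_SSO and the value SSWA are assumptions here; substitute the option you actually changed.

```sql
-- Added example, not from the original post. Uses only the two tables and
-- columns the post already queries. APPS_SSO / SSWA are assumed placeholders.

-- 1. Confirm exactly which option you are about to touch and its current value.
select b.profile_option_id, b.profile_option_name, a.profile_option_value, a.last_update_date
from apps.fnd_profile_option_values a
join apps.fnd_profile_options b on a.profile_option_id = b.profile_option_id
where b.profile_option_name = 'APPS_SSO';

-- 2. Mark a point to return to if the change turns out wrong.
savepoint before_fix;

-- 3. Update by id, not by value, so no other profile option is touched.
update apps.fnd_profile_option_values
set profile_option_value = 'SSWA',        -- the value you want restored
    last_update_date = sysdate
where profile_option_id = (
  select profile_option_id
  from apps.fnd_profile_options
  where profile_option_name = 'APPS_SSO'
);

-- 4. Re-check: the count should match the rows you saw in step 1.
select count(*)
from apps.fnd_profile_option_values a
join apps.fnd_profile_options b on a.profile_option_id = b.profile_option_id
where b.profile_option_name = 'APPS_SSO'
  and a.profile_option_value = 'SSWA';

-- 5. Commit only if step 4 is what you expected; otherwise undo the change.
-- rollback to savepoint before_fix;
commit;
```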

Questions, comments or concerns? Feel free to reach out to us at IDMWorks.

Identity Management Services From IDMWORKS and TEAM

Todd Rossin - CISSP | March 28th, 2012

From the Team Informatics website:

“The modern IT organization is faced with many challenges as they cut operational costs and attempt to address a variety of security issues, while, also striving to retain compliance standards, and provide the same level of service to the users. To alleviate these issues, companies need the ability to efficiently access applications across their environments seamlessly and securely for all employees. TEAM has formed a strategic partnership with IDMWORKS for their expertise with Oracle Access Manager and Identity Management services to fill these gaps.”

Excited At Being Excited: ATT Live 2012 with NetIQ

Todd Rossin - CISSP | March 22nd, 2012

NetIQ’s ATT Live 2012 event is right around the corner and with that may I link a fellow brother in tech’s blog in relation to the upcoming festivities:

http://community.netiq.com/blogs/netiq_blog/archive/2012/03/20/excited-at-being-part-of-att-live-2012.aspx

Installing OAM 10g Webgate on Windows 7

jhinerman | March 22nd, 2012

***NOTE: As with all Tips and Tricks we provide on the IDMWorks blog, use the following AT YOUR OWN RISK. We do not guarantee this will work in your environment and make no warranties***

Recently, we were asked to install the OAM 10g Webgate for Apache on Windows 7. Unfortunately this configuration is not yet supported by Oracle. This presents a few problems. Oracle will not support you if something goes wrong – they will require you to reproduce your issues on a supported environment before they are allowed to address your problem. Additionally, you may waste a lot of time tracking down issues with your installation due to its unsupported nature. Lastly, even if you correct the problem and it works, a later patch or update might break something that went untested (as you are utilizing an unsupported platform).

Not ones to walk away from a challenge, we wanted to see if it could be done anyway :) . As it turns out, our fix worked with only a few minor quirks, which we thought we'd share with you.

Before we get started, remember that this really should not be done on anything other than a sandbox environment (for the reasons discussed above).

Remember: You are not going to get any support for issues in a non-certified environment.

With that in mind, let's begin with the following assumptions regarding our sandbox environment:

  • OAM 11g server
  • Apache 2.2.21
  • OAM 10g Webgate 10.1.4.3.0
  • Windows 7 32-bit

1. Install Apache

  • You can use the default settings for the installation. It will install in your Program Files folder.
  • After installation, confirm it is running. Modify the httpd.conf as needed for correct port, host, etc.
  • This process should be pretty painless.

2. Install Webgate

  • Here is where you’ll start to hit snags. Installation will proceed normally, until you are asked to provide the webgate information (Access Server host name, port, etc). On this screen, the labels for the various fields will not be visible. A partial solution is to resize the window until you see the labels again (which is annoying), or you can just trust us when we say the order of the input boxes is: webgate id, password for webgate, access server id, access server hostname, access server port.
  • From this point forward, we also encountered issues on just about every screen in the installer, including some strange error message, and more hidden labels. The webgate will “fail” to configure, and then display error messages about missing XML files. Believe it or not, it is actually OK (for now). Choose “No” when prompted (the lower radio button) and choose next until you reach the end.
  • Be sure to configure httpd.conf as per the Oracle documentation to integrate the Webgate and Apache.

3. Replace missing files

  • You must replace the following missing files in your webgate installation. You can get these files from a working installation of OAM 10g Webgate, unless otherwise noted:
  • Contents of $WEBGATE_INSTALL_DIR/access/oamsso/ (language-specific sub-directories – en-us, de-de, etc.)
  • Contents of $WEBGATE_INSTALL_DIR/access/oblix/ang/en-us/ (some files will already be here, just copy the missing files/directories)
  • Config file from OAM server (ObAccessClient.xml) -> $WEBGATE_INSTALL_DIR/access/oblix/lib/

4. Start Apache and check the OAM Webgate diagnostic page to verify that it works.

5. Optionally, apply the latest OAM Webgate patch for Apache (BP10 as of this writing).

Questions, comments or concerns? Feel free to reach out to us at IDMWorks.

Quest Software rebrands BiTKOO Keystone as part of Quest One Identity Solution

Todd Rossin - CISSP | March 1st, 2012

Quest Software rebrands BiTKOO Keystone as Quest One Authorization Policy Server.

Look towards the bottom for the IDMWorks quote ;)

http://investor.quest.com/phoenix.zhtml?c=95476&p=irol-newsArticle&id=1665785
