Archive for the ‘Access Management’ Category

Web Single Sign-on (SSO) using SAML 2.0 & Shibboleth

Sunday, March 13th, 2011

In the past decade we’ve literally seen an explosion of web-based applications make their way into many big and small businesses.  No doubt, the payoff has been great.  With various business models, such as Amazon and eBay, the Web Service concept was born, allowing companies to consolidate several “stores”, aka Portals, and offer the consumer a one-stop-shopping experience.

The same opportunities made their way to large corporations.  Big companies with affiliates such as 401K, health insurance, and payroll providers are able to offer their employees access to portals built directly inside the company’s intranet sites.

With these implementations new challenges have arrived.   For example, in order for an employee to see his or her payroll and file a medical claim, the employee would have to log onto 2 separate sites and provide a set of credentials to each before being able to get access to each portal.

So how do we solve this issue?  The concept is simple and certainly not new today.  But adoption of SSO technology had been pretty slow up until about 5 years ago, when it soared.  The main reason for such rapid growth is technology maturity.

There are various single sign-on authentication technologies today.  A common example of Enterprise Single Sign-on (ESSO) is Windows Integrated SSO, which allows the user to access applications within the network.  Another example is server-based SSO, which allows systems such as a RACF mainframe to be used by a user authenticated via Active Directory.

And there is Web Single Sign-On, enabling the user to access resources over the Internet using a single set of user credentials.

For this blog entry we will focus on Web Single Sign-On technology managing authentication using web based protocols.

Let’s look at the typical Federated Single Sign-On scenario: Health Care and 401K providers are doing business with an Employer and have their sites available to employees within the company intranet site.  An employee of the company has to (1) log onto the company’s intranet site and (2) log onto the 401K site.  By adding SSO the user will be able to log on once and let the trusted partners ascertain that the logon was a success.  In other words: if you authenticate your employee against your directory, then I trust you and will allow him/her to enter my site without prompting for credentials.

There are several Single Sign On implementation methods developed and available today:

In future blogs we plan to cover each of the methods in detail, but today we will explain the benefits of SAML-based authentication and Shibboleth metadata validation.

SAML is an XML-based framework. With proper formatting and following the guidelines and standards of the OASIS consortium, it allows businesses to make secure assertions and securely exchange identity information.

Information Exchange

On March 28, 2008, the OASIS Technical Committee laid out well-defined standards for SAML 2.0.  Perhaps most important is the Metadata requirement.  Without properly formed Metadata the Identity Provider fails during parsing.  The required endpoint location must be properly defined for an Identity Provider to build a SAML response and redirect the user to the proper destination.

An example of metadata (below) shows the elements an Identity Provider requires to understand a SAML request.  Note that all metadata elements belong to the urn:oasis:names:tc:SAML:2.0:metadata namespace; if that namespace is missing, schema validation fails:

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                  entityID="https://site.with.certificate.com">
  <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
                   protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>cert info</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <AssertionConsumerService isDefault="true" index="0"
                              Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                              Location="https://home.customer.redirect.location.com" />
  </SPSSODescriptor>
</EntityDescriptor>

Metadata Validation using Shibboleth

Shibboleth is an open source software package for web single sign-on.   The schema file used in validation is included as part of the package and installs to /usr/share/xml/opensaml/saml-schema-metadata-2.0.xsd by default.

  • XMLSEC Tool: validates the schema as well as the well-formedness of the metadata document.

The following syntax is used to perform validation:

    o xmlsectool.sh --validateSchema --schemaDirectory /usr/share/xml/opensaml/ --inFile your-metadata.xml

  • XMLLINT: this utility is included with RedHat and allows you to validate metadata against the predefined OASIS SAML metadata schema XSD file.  To perform validation on RedHat, execute the following command:

    o xmllint --schema http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd --noout example-metadata.xml
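Schema validation only proves the metadata is well-formed against the XSD. The following Python script is an added example (not part of the post, OASIS or Shibboleth) that performs the structural checks an Identity Provider operator needs before trusting Service Provider metadata: the md namespace, an entityID, an SPSSODescriptor that speaks SAML 2.0, signed assertions, a usable signing certificate, and an HTTPS AssertionConsumerService. The function and sample names (check_sp_metadata, SAMPLE_SP_METADATA) are this example's own.

```python
"""Structural checks on SAML 2.0 SP metadata, beyond XSD validation."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"md": MD, "ds": DS}


def check_sp_metadata(xml_text):
    """Return a list of problems; an empty list means the metadata passed."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    # Metadata elements must live in the md namespace; without it the document
    # is not SAML metadata at all, and schema validation fails on exactly this.
    if root.tag != "{%s}EntityDescriptor" % MD:
        return ["root element is %s, expected md:EntityDescriptor" % root.tag]

    problems = []
    if not (root.get("entityID") or "").strip():
        problems.append("EntityDescriptor has no entityID")

    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return problems + ["no SPSSODescriptor, nothing for an IdP to respond to"]

    if SAML2_PROTOCOL not in (sp.get("protocolSupportEnumeration") or "").split():
        problems.append("protocolSupportEnumeration does not include SAML 2.0")

    # Unsigned assertions could be forged by anyone able to post to the ACS.
    if (sp.get("WantAssertionsSigned") or "").lower() != "true":
        problems.append("WantAssertionsSigned is not true")

    # A signing certificate is needed to verify AuthnRequests when the SP signs them.
    certs = [(c.text or "").strip()
             for kd in sp.findall("md:KeyDescriptor", NS)
             if kd.get("use") in (None, "signing")
             for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    if (sp.get("AuthnRequestsSigned") or "").lower() == "true" and not any(certs):
        problems.append("AuthnRequestsSigned is true but no signing X509Certificate")
    if any(not c for c in certs):
        problems.append("empty X509Certificate element")

    # The ACS is where the IdP sends the browser with the response: it must exist,
    # carry a binding and an index, and be reachable only over TLS.
    acs_list = sp.findall("md:AssertionConsumerService", NS)
    if not acs_list:
        problems.append("no AssertionConsumerService endpoint")
    seen, defaults = set(), 0
    for acs in acs_list:
        location = acs.get("Location") or ""
        if urlparse(location).scheme != "https":
            problems.append("AssertionConsumerService Location is not https: %r" % location)
        if not acs.get("Binding"):
            problems.append("AssertionConsumerService has no Binding")
        index = acs.get("index")
        if index is None or index in seen:
            problems.append("AssertionConsumerService index missing or duplicated: %r" % index)
        seen.add(index)
        defaults += (acs.get("isDefault") or "").lower() == "true"
    if defaults > 1:
        problems.append("more than one AssertionConsumerService is isDefault")
    return problems


# Constructed sample in the shape of the post's example; the certificate is a placeholder.
SAMPLE_SP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.com">
  <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <AssertionConsumerService isDefault="true" index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/saml/acs"/>
  </SPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    for label, doc in [("good", SAMPLE_SP_METADATA),
                       ("no-namespace", SAMPLE_SP_METADATA.replace(
                           ' xmlns="urn:oasis:names:tc:SAML:2.0:metadata"', ""))]:
        print(label, check_sp_metadata(doc) or "OK")
```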

As usual if you have questions, comments or concerns feel free to reach out to us at IDMWorks.

Starting Tivoli Access Manager for e-business & Tivoli Directory Server

Wednesday, February 23rd, 2011

***NOTE: As with all Tips and Tricks we provide on the IDMWorks blog, use the following AT YOUR OWN RISK.  We do not guarantee this will work in your environment and make no warranties***

I’d like to present the recommended order for starting the Tivoli Access Manager for e-Business (TAMeb) processes, including IBM Tivoli Directory Server (ITDS).

The TAMeb and ITDS components are often distributed across multiple machines. When your deployment spans more than one machine, switch to the appropriate machine to complete the instructions for starting each component.

1. Start the registry server that was used to configure TAMeb.

* When using ITDS as the registry server, verify that DB2 is running and then start the Directory Server process (ibmslapd).

2. Start the policy server. Ensure that the registry server is running and can be accessed before starting the policy server (pdmgrd).

3. Verify that pdadmin can be used for administration commands. After the policy server has started, you can use pdadmin or any other TAMeb administration application.

4. Start any blades servers (for example, WebSEAL) or any local mode authorization applications.

* Local mode authorization applications need to receive the latest policy database from the policy server, but otherwise do not depend on the policy server. Any local mode authorization application (for example, WebSEAL) can start and run without direct dependence on the policy server, as long as the application has a local copy of the policy database and the registry server is running. Remember, however, that the application requires the policy server to be running in order to complete administrative tasks such as managing junctions.

* To start WebSEAL, you can use the command:

pdweb start InstanceName

* When your deployment includes junctioned backend Web servers ensure that those servers are running.

5. Start the authorization server. All remote mode authorization applications require that the authorization server (pdacld) is running. Most of the TAMeb Java Authorization applications are remote mode applications.

6. The authorization server has a local copy of the policy database. The authorization server does not rely on the policy server, with the exception that when the authorization server starts it must be able to obtain any updates to the policy database.

* WebSEAL and the authorization server can be started in any order. They are not dependent on each other.

7. When your deployment includes any remote mode authorization applications, start them now.

8. When your deployment includes a policy proxy server (pdmgrproxyd), start it now.

9. When your deployment includes the WPM administration console, or any TAMeb Java Application that runs under WebSphere, ensure that the applications are running by stopping and restarting WebSphere.

* You can use the command pd_start start to start the following TAMeb servers:

  • Policy server
  • Policy proxy server
  • Authorization server
  • WebSEAL servers

* When the policy server (pdmgrd) is configured on a machine, the command pd_start start always starts the policy server process first and then starts the other configured processes in order. To determine the order, use the command:

pd_start status

Stopping the TAMeb and ITDS processes

In most cases, you can stop the TAMeb and ITDS processes in the reverse order in which they were started. For example:

1. Stop any administration applications, such as pdadmin.

2. Stop any authorization applications.

3. Stop the TAMeb servers such as the policy server, authorization server, policy proxy server, and WebSEAL server. You can use the command:
pd_start stop

4. When appropriate, stop the registry server.
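The start and stop sequences above are really a dependency graph: each component may start only once the components it relies on are up, and stopping is the reverse walk. The script below is an added example (not IBM's code and not from the post) that encodes the dependencies stated above and derives both orders from them, deduplicating pd_start, which covers several servers in one command. Only pd_start and pdweb appear in the post; the DB2 and ibmslapd command strings, the instance names (idsinst, default) and the angle-bracket entries are assumptions or placeholders.

```python
"""Derive the TAMeb/ITDS start order from dependencies and the stop order by reversal."""
import subprocess

# "needs" lists what must already be running before a component starts (from the
# post: registry before policy server, policy server before pdacld, pdacld before
# remote-mode apps, WebSphere apps last). Commands other than pd_start are assumed.
COMPONENTS = {
    "db2":          {"needs": [],                   "start": "db2start",                "stop": "db2stop"},
    "ibmslapd":     {"needs": ["db2"],              "start": "ibmslapd -I idsinst",     "stop": "ibmslapd -I idsinst -k"},
    "pdmgrd":       {"needs": ["ibmslapd"],         "start": "pd_start start",          "stop": "pd_start stop"},
    "webseald":     {"needs": ["ibmslapd"],         "start": "pd_start start",          "stop": "pd_start stop"},  # or: pdweb start default
    "pdacld":       {"needs": ["pdmgrd"],           "start": "pd_start start",          "stop": "pd_start stop"},
    "pdmgrproxyd":  {"needs": ["pdmgrd"],           "start": "pd_start start",          "stop": "pd_start stop"},
    "remote-authz": {"needs": ["pdacld"],           "start": "<start remote-mode app>", "stop": "<stop remote-mode app>"},
    "websphere":    {"needs": ["pdmgrd", "pdacld"], "start": "<restart WebSphere>",     "stop": "<stop WebSphere>"},
}


def start_order():
    """Topological order: every component appears after everything it needs.
    Ties are broken by the order in COMPONENTS, which mirrors the post's steps."""
    order, done = [], set()
    while len(order) < len(COMPONENTS):
        ready = [name for name, comp in COMPONENTS.items()
                 if name not in done and all(dep in done for dep in comp["needs"])]
        if not ready:
            raise ValueError("dependency cycle among %s" % sorted(set(COMPONENTS) - done))
        order.append(ready[0])
        done.add(ready[0])
    return order


def stop_order():
    """Stop in the reverse of the start order, as the post recommends."""
    return list(reversed(start_order()))


def plan(action):
    """Shell commands for 'start' or 'stop'. A command is emitted once, at the
    position of the first component that needs it: pd_start starts pdmgrd first
    and then the other configured servers, so one invocation covers all of them."""
    names = start_order() if action == "start" else stop_order()
    commands = []
    for name in names:
        command = COMPONENTS[name][action]
        if command not in commands:
            commands.append(command)
    return commands


def run(action, dry_run=True):
    """Print the plan; with dry_run=False execute real commands (placeholders are skipped)."""
    for command in plan(action):
        print(("[dry-run] " if dry_run else "[run] ") + command)
        if not dry_run and not command.startswith("<"):
            subprocess.run(command, shell=True, check=True)


if __name__ == "__main__":
    run("start")
    run("stop")
```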

Questions? Feel free to reach out to us at IDMWorks.

Identity Management & the Art of Removing Cloud Security Obstacles

Thursday, February 17th, 2011

First the fun, why Cloud?  Well, we seem to define this a lot here at IDMWorks.

The quick and dirty:

1. Pay As You Go Approach to IT
There is no upfront cost and this helps keep the cost down for the service consumers. Cloud computing is a pay-as-you-go approach, in which a low initial investment is required to get started, and additional investment is incurred as system usage increases.

2. Highly Available Infrastructure
Many cloud providers sell their service as highly available. This gives Cloud services the aura of a utility which is always on and can be leveraged anytime and from anywhere.

3.  Strong Time to Value Ratio
With Cloud computing organizations realize benefits more rapidly than with the traditional packaged software use model. In the traditional IT model, a large investment is made early in the project prior to system build-out, and well before tangible business benefits are realized. This model has several risks associated with it, since a large percentage of IT projects are cancelled due to poor ROI or user acceptance. Cloud provides IT a way to outsource non-critical functions to an organization better equipped to run those services.

4. Flexible Computing Model
Cloud computing offers much more flexibility than traditional computing models. Your employees can access information wherever they are rather than being restrained to their desktop.

5. It’s Simple
One of the advantages of cloud computing is that businesses of all sizes can instantly obtain the benefits of the enormous infrastructure without having to implement and administer it directly.

Enough of the pitch, now on to Identity Management in the Cloud.

Cloud Identity Challenges:

1. User Lifecycle Management:
New Cloud applications bring new complications of management, more costs and administrative hassles. You may have invested hundreds of thousands or even millions in enterprise provisioning software only to find out that it does nothing to address your identities in the Cloud. There could be windows of time where your terminated contractors may not have been de-provisioned from critical applications.   As such, organizations will quickly find out they need a centralized infrastructure to manage user identity information effectively.  Further, explosive growth in the use of web applications increases the complexity and administrative overhead of which users should be entitled to access across applications. So it is critical in the cloud framework to be able to facilitate self-service registration whenever possible. This can lead to better agility, reduced help desk costs and higher convenience for end users.

2. Compliance:
As more services and applications are being provided by 3rd parties, organizations have new compliance issues to worry about. The more sensitive data we have via these 3rd party applications the more we need to be able to enforce the types of controls that allow us to be compliant.

3. Federated Authentication:
The ability to collaborate seamlessly with your partners, vendors, and customers. An organization may already have all of its internal user identities stored in Active Directory and its external users such as partners and vendors in an LDAP directory and the organization may want all of their users to leverage an external cloud application without replicating all of that identity information in a third party product. Many organizations also want the convenience of having their users sign on once to access not only internal applications but also SaaS applications in the cloud.

Cloud Identity Solutions:

1. User Lifecycle Management:
Identity Administration helps solve the user lifecycle management challenge and many other common issues such as self-service registration and compliance reporting.  Automating the provisioning and de-provisioning of users and administering user identities for both on-premise and cloud applications will bridge the security gap regardless of the size of the network.  The addition of Role Based Access Control (RBAC) means that when a user changes role they are automatically de-provisioned from systems no longer needed and added to the ones relevant to their new role.  Additionally, automated Identity Administration allows us to identify and remediate orphaned accounts (those accounts with long-gone owners).

Throw in user self-service access requests and self-service password reset capabilities and the User Lifecycle Process can be fully automated across the Cloud.

Need this to be standards driven?  Let’s implement SPML connectors.

2.  Compliance:
Simply put, utilize Identity Management tools to log and report Who has access to What, When, Why, and How and fulfill those pesky regulatory requirements, such as Sarbanes-Oxley, 21 CFR Part 11, Gramm-Leach-Bliley, HIPAA, and HSPD-12.

3.  Federated Authentication:
Need to collaborate seamlessly and yet securely across complex heterogeneous environments?  Make sure your Single Sign-On solution can support SAML, Windows CardSpace, WS-Fed and/or OpenID.

In summation, contact IDMWorks and let us help you plan your Cloud based Identity & Access Management (IAM) security solutions around the core tenets:

1. Identity Management

a. Roles based User Provisioning

b. Self-Service Request &  Approval

c. Password Management

2. Access Management

a. Authentication & Fraud Prevention

b. Single Sign-On & Federation

c. Authorization & Entitlements

d. Web Services Security

e. Information Rights Management

3. Governance, Risk and Compliance (GRC)

a. Analytics

b. Fraud Prevention

c. Privacy Controls

Aveksa Post Unification Customization

Wednesday, January 26th, 2011

***NOTE: As with all Tips and Tricks we provide on the IDMWorks blog, use the following AT YOUR OWN RISK.  We do not guarantee this will work in your environment and make no warranties***

Oftentimes our clients want to create another identity attribute that is “calculated”.  Maybe this is an overall status, or perhaps it’s an overall supervisor.  Either way, you can implement a customization to accomplish this (and it’s a little complicated, so I have two sets of instructions, one for the business user and the other for the technical user).

Business Instructions:

  1. Inventory the custom attributes that you would like to aggregate / evaluate (typically in the form of CUS_ATTR_CAS_1##)
  2. Develop a SQL query that does what you need to do with these attributes
  3. Put the SQL query in the correct package file
  4. Import the changes into the database
  5. Test your changes

Technical Instructions:

  1. Log in to your database instance and query it to find the names of the attributes you’re interested in, e.g.:
     select * from t_extensible_schema_columns where display_name like '%status%';
  2. Develop the SQL query based on these attributes that does what you need.
  3. Create the following directory:
     ~oracle/database/packages/custom
  4. Copy the .pkb and .pks files into this custom directory and add your changes to the .pkb file.
  5. Launch sqlplus from the custom directory and log in as AVUSER.
  6. Import the .pkb and .pks scripts as follows:
     @'your_package_name'_Pkg.pks;
     @'your_package_name'_Pkg.pkb;
  7. Log back into the GUI and test your changes.

For further information or to arrange an initial consultation, contact IDMWorks to discuss how we can help with a solution to address your needs.

Zen and the Art of Identity Management

Monday, November 15th, 2010

Interestingly enough I have been asked many times as to what exactly IDMWorks is and what it is that we do (and I don’t just mean the wife and kids).  As such it seems time to do the quasi-annual blog sales pitch.  I think most of our readers have an idea what we do and have perused the site to better inform themselves but there are some that don’t tread any farther than this here blog.  So in keeping with the simplicity of blogvertising I present you IDMWorks.

Subject:  Enterprise Identity & Access Management and Governance, Risk & Compliance

You may be aware of many of the issues organizations are facing today around the various challenges and aspects of Identity Management and Information Security.

At IDMWORKS we understand the problems that many of you are facing and are positioned to help.  IDMWORKS is a vendor-agnostic Identity Management, Access Management, and Governance, Risk and Compliance Management consultancy. We have consultants and engineers across the United States and North America that specialize in helping clients with most aspects of Identity, Access Management, and GRC issues, including the following:

  • Identity and Access Management technology evaluations and POCs
  • Identity Management strategy creation, Integration and Deployment
  • Identity Management / IT Security Technologies Assessment, Evaluation,  and Planning
  • Identity Management / IT Security Education
  • Pre & Post Identity Management project Support Services
  • Identity Federation
  • PCI Compliance
  • Governance, Risk and Compliance Management, Provisioning
  • Single Sign-on and Web Access management
  • Data Loss Prevention

IDMWORKS has been built upon the skills and experience of dedicated IDM professionals and specialists, with a customer base that includes Government, Healthcare, Education, Financial Services, Energy, Manufacturing and Retail clients.

IDMWORKS has experience with the integration and implementation of the market-leading Identity & Access Management and GRC solutions and technologies – CA, Oracle/Sun, Novell, IBM, Aveksa, Citrix, Passlogix, and Sailpoint, to name a few – and would welcome the opportunity to discuss your IT Security needs to determine how we can help.

We would like to offer you the opportunity to take advantage of an initial Identity Management, and Compliance Assessment. The results of the assessment will include recommendations on potential solutions to address your current Identity management and GRC related issues.

For further information or to arrange an initial consultation, contact IDMWorks to discuss how we can help with a solution to address your needs.

So now what? What to do with your Sun IAM stack (hint: start looking)

Friday, November 12th, 2010

Legacy Sun Java System Identity and Access Management (IAM) customers have been calling us up often to ask about the state of the industry and their options with the Sun IAM stack moving forward.   The choices are many right now but one fact remains: Sun IDM and OpenSSO’s days are numbered.  The products will be around for a while, years in fact, but eventually, like that Saturn dealership on the corner, they will go away. Thus the grand migration is underway.  As an IAM-enabled company the question of where to migrate to is paramount.  So let’s talk options.

Option 1) Stick with Sun As-Is

The old wait-and-see approach, but let’s be honest, the clock is ticking.  Like a legacy application your IT staff built in their garage, it won’t keep up with the rest of the market and the future of IDM.  There will never be a grand Cloud version of Sun IDM.  What is most interesting is that there are options to move away from Sun that pretty much expire by year’s end.

So let’s move away from Option 1 for now and take a look at the future.

Option 2) “Migrate” to Oracle IAM (as part of Oracle Fusion Middleware)

I say migrate because with any non-Sun tool (and Oracle IAM is a much different beast) there is NO upgrade path. Oracle is attempting to woo existing Sun implementations into the fold by offering license swaps in the short term. For those looking to definitively move into Oracle IAM then this is the best bet and should be done ASAP as the swap cycle is time limited.

Option 3) Migrate to Novell IAM

Similar to Oracle, Novell is offering a swap out of the Sun software and licenses.  This is a very interesting proposition.  Novell is willing to give the product up for free in order to build the relationship.  Basically from what the Novell Website states:

  • The Sun Identity Manager swap gives you Novell Identity Manager, roles based provisioning module and enterprise integration module.
  • The Sun Role Manager swap gives you Novell Access Governance Suite.
  • The Sun Open SSO swap gives you Novell Access Manager.
  • The Sun Directory Server EE swap gives you Novell eDirectory.
  • Sun subscription customers can opt in for equivalent Novell product subscriptions and will be considered for additional incentives on a case-by-case basis.

I think this is a brilliant tactic and I am surprised a few other vendors haven’t tried it.  To be straight, Novell has a great directory and SSO offering and is making huge strides in the Provisioning and Federation space.  At a minimum, for a no-cost look I might suggest talking to a Novell rep.  But alas, much like Oracle, Novell’s offer is time-boxed.  Come Dec. 31, 2010 a statement of interest (not a purchase, mind you; this simply locks in Novell’s commitment in 2011 for the swap) must be signed or that coach turns back into a pumpkin.

Option 4)  Migrate to CA IAM, IBM IAM, Microsoft IAM, etc. (there are many to choose from)

Choices, choices, choices.  I can say that CA is making a major push in the IAM space and IBM seems to be lagging a bit but has been a big player in the past.  Microsoft is also making strides to broaden their footprint in the IAM space.  And there are plenty more vendors to look at. My guess is there are deals to be had even if there is no published “sale” going on.

I wouldn’t keep any pre-conceived notions about any of the vendors right now and thanks to the Oracle-Sun purchase the alternative vendors are pumping time and money into getting your business.  We at IDMWorks are happy to work with you on any and all of the products in the market.  We can help to dissect and divide the various offerings and help you to understand the best choice that fits into your environment.

The point is NOW is the time to take the Pepsi challenge.  If you have a Sun IAM implementation you should be taking a look at the various vendors (including those not listed in Option 4) and line up a chat (or webcast, lunch-and-learn, email or phone call) with your local vendor representative, because by 2011 a potential low-cost update may go away.

Feel free to shoot us a note if you have questions.

Tricks of the Trade: Oracle Access Manager Performance Tuning

Thursday, October 28th, 2010

***NOTE: As with all Tips and Tricks we provide on the IDMWorks blog, use the following AT YOUR OWN RISK.  We do not guarantee this will work in your environment and make no warranties***

Typically with COTS applications the vendor will provide instructions as to what software components are configurable to meet a customer’s business needs.  But is it enough to simply understand what components are allowed to be customized?

Depending on the nature of the business, the customization can play a significant role in how an application performs and which software components need to be tuned.

Some examples of the questions you need to ask yourself and your organization include:

What type of organization are we running the application in?

Is this a banking site where most of the daily activities are dawdling, with the exception of pay day when everyone and their significant other wants to see their salaries deposited, thus slowing the systems to a crawl?

Is this a high-traffic auction or retail site where customer registrations constantly hammer repositories while inventories get updated thousands of times per minute and the company must account for triple traffic around Chrismahanukwanzakah?

Is this a research site where databases get pounded with complex queries by the Revenge of the Nerds crew?

We at IDMWorks have run into these situations a multitude of times while working with customers.   Many times we see applications get tuned incorrectly, or the application is tuned to the correct specifications but the hardware isn’t sufficient to handle the required settings (like putting a Smart Car engine in a Mustang).

So for today I would like to promote tuning guidelines for an Identity System, specifically Oracle Access Manager (OAM), and explain how to better tune your application and/or help make better decisions during the design and architecture phase of your project.

Tuning Identity System Searches

For OAM, and really any Access Management application, the types of searches that users conduct in the directory can significantly affect performance.

For example, Customer Service Representatives in a high-traffic call center should not search for a customer by the last name “Smith” alone, but rather by the last name “Smith” compounded with the first name to ensure a narrower search.  Of course this is common sense and we all know how our users practice common sen….um, forget that last line.

So let’s force the CSRs to come around to our train of thinking.

The steps below will help you to optimize Identity System Searches in the directory:

Restricting the operator use in search

When users conduct a search in an Identity System application, the search bar presents a drop-down list with options for matching the search input with a set of results. These options include the following:

  • That contains
  • Contains in order
  • Equals
  • Less than
  • Greater than
  • Begins with
  • Ends with
  • Sounds like

The “greater than” and “less than” operations can result in many entries being searched and retrieved. By eliminating these choices, you can improve the performance of search operations. You configure and adjust the search operations in a set of parameter files.

To eliminate the “greater than” and “less than” search operations

1.   To modify the search bar open each of the following files in a text editor (here Install_dir is the directory where Oracle Access Manager is installed):

Install_dir\identity\oblix\apps\userservcenter\bin\userservcenterparams.xml
Install_dir\identity\oblix\apps\groupservcenter\bin\groupservcenterparams.xml
Install_dir\identity\oblix\apps\objservcenter\bin\objservcenterparams.xml
Install_dir\identity\oblix\apps\selector\bin\selectorparams.xml

2.  Find the entry for the ObEnhanceSearchList parameter in each of these files and edit it in each file so that it contains only the following parameters:

<ValNameList ListName="ObEnhanceSearchList">
  <NameValPair ParamName="OOS" Value="MOOS"/>
  <NameValPair ParamName="OSM" Value="MOSM"/>
  <NameValPair ParamName="OEM" Value="MOEM"/>
  <NameValPair ParamName="OBW" Value="MOBW"/>
  <NameValPair ParamName="OEW" Value="MOEW"/>
</ValNameList>

3. Modify the query builder by opening the following file in a text editor:

Install_dir\identity\oblix\apps\querybuilder\bin\querybuilderparams.xml

4. Then edit the element ObQBOperatorsList to have only the following values:

<ValList ListName="ObQBOperatorsList">
  <ValListMember Value="CND_CON"/>
  <ValListMember Value="CND_DNC"/>
  <ValListMember Value="CND_EQ"/>
  <ValListMember Value="CND_NEQ"/>
  <ValListMember Value="CND_PRE"/>
  <ValListMember Value="CND_NPR"/>
  <ValListMember Value="CND_BW"/>
  <ValListMember Value="CND_EW"/>
</ValList>

Require the user to enter a minimum number of characters in a search field

1. To specify the minimum number of characters users must enter in the primary search bar, open the following file in a text editor (where Install_dir is the directory where Oracle Access Manager is installed):

Install_dir\identity\oblix\apps\common\bin\oblixappparams.xml

2. Set the value of the SearchStringMinimumLength parameter to the minimum length of the string that users can input (as illustrated in the following example):

<NameValPair ParamName="SearchStringMinimumLength" Value="3"/>
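Editing the four search-bar files and the query-builder file by hand invites drift between servers (the post later insists the Identity Servers be kept identical). The script below is an added example, not Oracle's code, that prunes an ObEnhanceSearchList or ObQBOperatorsList to exactly the members listed above and reads back SearchStringMinimumLength. Function names (prune_operators, min_search_length, prune_file) and the wrapping root element of the constructed samples are this example's own; the HYPOTHETICAL_* entries stand in for the greater-than and less-than operators, whose real ParamName values the post does not give.

```python
"""Prune OAM Identity System search operator lists and check the minimum search length."""
import xml.etree.ElementTree as ET

# Operators the post keeps. Search bar: contains, contains in order, equals,
# begins with, ends with. Query builder: the CND_* members listed in the post.
SEARCH_BAR_KEEP = {"OOS", "OSM", "OEM", "OBW", "OEW"}
QUERY_BUILDER_KEEP = {"CND_CON", "CND_DNC", "CND_EQ", "CND_NEQ",
                      "CND_PRE", "CND_NPR", "CND_BW", "CND_EW"}


def prune_operators(xml_text, list_name, keep):
    """Drop every member of the list named `list_name` whose ParamName (ValNameList)
    or Value (ValList) is not in `keep`. Returns (new_xml, removed_names)."""
    root = ET.fromstring(xml_text)
    targets = [el for el in root.iter() if el.get("ListName") == list_name]
    removed = []
    for lst in targets:
        for member in list(lst):            # copy: the list is mutated below
            name = member.get("ParamName") or member.get("Value")
            if name not in keep:
                removed.append(name)
                lst.remove(member)
    return ET.tostring(root, encoding="unicode"), removed


def min_search_length(xml_text):
    """Return the configured SearchStringMinimumLength, or None if it is unset."""
    root = ET.fromstring(xml_text)
    for pair in root.iter("NameValPair"):
        if pair.get("ParamName") == "SearchStringMinimumLength":
            return int(pair.get("Value"))
    return None


def prune_file(path, list_name, keep):
    """Rewrite a params file in place. Take a backup first: ElementTree drops
    comments and the XML declaration when it serialises."""
    with open(path, encoding="utf-8") as fh:
        new_xml, removed = prune_operators(fh.read(), list_name, keep)
    if removed:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(new_xml)
    return removed


# Constructed sample in the shape of userservcenterparams.xml (root element assumed).
SAMPLE_SEARCH_BAR = """<CompoundList ListName="">
  <ValNameList ListName="ObEnhanceSearchList">
    <NameValPair ParamName="OOS" Value="MOOS"/>
    <NameValPair ParamName="OSM" Value="MOSM"/>
    <NameValPair ParamName="HYPOTHETICAL_GT" Value="MGT"/>
    <NameValPair ParamName="OEM" Value="MOEM"/>
    <NameValPair ParamName="HYPOTHETICAL_LT" Value="MLT"/>
    <NameValPair ParamName="OBW" Value="MOBW"/>
    <NameValPair ParamName="OEW" Value="MOEW"/>
  </ValNameList>
</CompoundList>"""

# Constructed sample in the shape of the oblixappparams.xml entry quoted above.
SAMPLE_APP_PARAMS = """<CompoundList ListName="">
  <ValNameList ListName="oblixappparams">
    <NameValPair ParamName="SearchStringMinimumLength" Value="3"/>
  </ValNameList>
</CompoundList>"""

if __name__ == "__main__":
    pruned, gone = prune_operators(SAMPLE_SEARCH_BAR, "ObEnhanceSearchList", SEARCH_BAR_KEEP)
    print("removed:", gone)
    print(pruned)
    print("minimum search length:", min_search_length(SAMPLE_APP_PARAMS))
```

Run prune_file against each of the four search-bar files with SEARCH_BAR_KEEP and against querybuilderparams.xml with QUERY_BUILDER_KEEP, then diff the files across Identity Servers to confirm they match.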

Restricting the Number of Entries Returned on a Search

You can set a limit on the number of elements that can be returned as the result of a search in OAM.  This limits the effect that a search can have on performance.  You configure the maximum number of search results that are returned from the directory server with the Size Limit parameter of the directory server instance profile.

For example, if you set the value of this parameter to 1,000, a maximum of 1,000 entries can be returned in the search results. The default value of 0 indicates that an unlimited number of results can be returned.

You can specify different size limits for different directory server profiles. For example, you can configure a size limit of 0 (unlimited) for the directory server instances that your valued Identity System Administrators use and you can configure a limit of 1,000 for the directory server profiles that are used by those lowly demented end users such as Customer Service Reps (wait, did I just write that?) .

To restrict the number of entries returned on a search

1. From the Identity System Console select System Configuration.

2. On the System Configuration page select Directory Profiles.

3. Select the link for the directory server profile to which you want to add a database instance (the Modify Directory Server Profile page will appear).

4. Scroll down to Database Instances and select the database instance you wish to configure (the Modify Database Instance page appears).

5. Configure the Size Limit parameter to indicate the maximum number of search results that can be returned from the directory server.

Create Thread-Safe Plug-Ins

Both the Access Server and Identity Server are multithreaded. Thus, when writing custom code, ensure that all plug-ins, including Identity Event plug-ins, are thread-safe.

Consider Pooling Identity Servers

It is a good practice to use at least two Identity Servers running in a pooled primary configuration. Pooled primary means using multiple Identity Servers that run as primary servers with one or more WebPass instances connecting to the primary Identity Servers.

You can use separate Identity Servers as secondary servers when using the pooled primary approach. If you have only two servers, a pooled primary configuration is recommended over using one primary and one secondary server. When running a pooled primary configuration it is best to use identical but separate hardware for the Identity Servers.

Advantages of pooled primary mode

  • Increased performance through load balancing
  • Increased availability through multiple servers
  • Automatic failover

Disadvantages of pooled primary mode

  • The cost of additional hardware.
  • Additional system configuration (if there are no secondary servers each primary server needs to be sized to handle the total expected load if the other primary servers are unavailable).

Configure Identity Servers from a File System Level

Identity Server configuration and stylesheet files must be identical on all servers. This applies to all configurations that use multiple Identity Servers. You should configure all Identity Servers from a file system level, that is, ensure that all directory and file system structures are identical.

Configure Identity Servers to Use 3 GB of Virtual Memory

On Windows, if the Identity Server causes high memory utilization, the system can crash. You can configure an Identity Server to use 3 GB of virtual address space even if 2 GB addressing is already enabled in the Boot.ini file.

By default the virtual address space of the Identity Server is limited to 2 GB. You can add the /3GB switch to the Boot.ini file to allocate 3 GB of virtual address space to an Identity Server that has IMAGE_FILE_LARGE_ADDRESS_AWARE set in its process header. This switch allows such applications to address an additional 1 GB of virtual address space beyond the usual 2 GB limit.

The following example shows how to add the /3GB switch in the Boot.ini file to enable Identity Server memory tuning:

    [boot loader]
    timeout=30
    default=multi(0)disk(0)rdisk(0)partition(2)\WINNT
    [operating systems]
    multi(0)disk(0)rdisk(0)partition(2)\WINNT="????" /3GB

Well class, that is all for today, I hope this helps you with your deployment of Oracle Access Manager.

Look for additional discussions on tuning Workflows, Access Server and the Directory in the near future.

One of these things is not like the other…CA SiteMinder and Novell Access Manager

Friday, October 15th, 2010

I thought I’d talk about the two Access Manager products I am familiar with. This is not a “who’s the better product” thread, they both are excellent products. If someone asked me to pick one, I would hem and haw until they forgot they asked.

As far as the user experience goes, I don’t think any user is going to care about the difference. The ones who will have the most influence are the folks paying the bills. I tell people, I am technical, not sales, so I am not going to comment there either.

What I can do is highlight some of the technical differences. These two products both protect very well, but do it very differently. Let’s start with a little background on the products. This won’t be too deep. If you want deep, go see the company web sites.

Novell Access Manager is built around a fortress philosophy. You put an appliance in front of your sites and nobody gets through unless you allow it. Appliances can be stacked for increased workloads, all protected by a cluster of administrative servers. The database that holds all the setup and access rules is eDirectory (no surprise there) and is self-contained. You do not need to use an existing eDirectory, but rather one set up exclusively for Access Manager. User Stores can be just about anything: LDAP, AD, eDirectory, Databases, whatever… Administration is via a customized version of iManager, the Novell Web Manager. I can build a basic version on two servers. I combine the Identity Server and Management Console on a single box, and one additional server for the Access Gateway. The last Access Manager project I was involved in we had two Gateways in the DMZ for public access, two Gateways inside the firewall for private access and a management cluster of two servers. Our User Store was the IDM LDAP instance. Protection methods are pretty much standard; just about any piece of any web site can be protected if you choose. Federation is supported… well, you get the picture. It protects your web resources well.

CA SiteMinder uses a distributed protection method. Agents do the guarding, controlled by Policy Servers that talk to external databases. The key difference here is that you are protecting the resources at the source. The Agents install on the Web/Application Servers. SiteMinder does not bring along any data storage. You have a number of “Stores” involved: Policy Store, User Store, Admin User Store, Token Store, Certificate Store… (did I forget any?) These can be a number of different database types. LDAP and SQL are the most recognizable. Most of the common SQL servers are supported. I cannot claim to have worked with all types of web servers, but I have yet to find one that does not support a SiteMinder Agent. One point I might add: when choosing an agent, pay attention to the Web Server build (32 vs 64 bit), not the OS build. I did have one site that was running 32 bit Apache on 64 bit Solaris and, oops, installed the wrong agent :-( With SiteMinder R12 you also have an AdminUI server that requires an App server. It comes with JBOSS, and I typically will install it on the Policy Servers. They play real well together.

This was not intended to be a feature by feature comparison. I won’t tell you which product is right for you. Only you can decide that. I will put in a shameless plug for IDMWorks, we can help you decide, analyze your needs, examine how your business works, and help you decide the best way to protect your web assets.

What is a CAC (get your mind out of the gutter)?

Wednesday, October 13th, 2010

If you have ever worked on a project for the Department of Defense, you probably already know what a CAC is. For those who have not worked on a DOD project, this will give you a very tiny bit of background on “what's a CAC?”

First off, a CAC is the ATM of DOD. By that I mean most folks call it a “CAC Card”, a redundancy, much like they do an “ATM Machine”. Also, it is another of DOD's TLAs (Three Letter Acronyms), and they are famous for their TLAs.

CAC stands for Common Access Card. Hence, the “CAC Card” redundancy.

The Common Access Card (CAC) is a United States Department of Defense (DoD) smart card issued as standard identification for active-duty military personnel, reserve personnel, civilian employees, other non-DoD government employees, state employees of the National Guard, and eligible contractor personnel. It is used as a means of access control to various buildings, systems, whatever needs to know who you are before letting you in. I will now discuss how a CAC can be used in association with SiteMinder to control access to protected systems. For our purposes, a CAC is a smart card you can load up with X.509 certificates. CACs require a card reader on the PC, so we will assume that one has been installed and the drivers loaded.

CA has an optional module available to read and process CAC certificates and pass them on to the Policy Server for processing. It is an Authentication module that installs on a Windows Policy Server (.dll based). It identifies the person at the browser like any other authentication method (LDAP, AD, ODBC, et al.). Once identified, it is up to the Policy Server to decide what to do next.

The system I worked with utilized Active Directory, via LDAP, as a User Store. Setting up CAC authentication was very simple. Install the module and set the library properly in the Policy Server. Then you need to map X.509 certificate attributes, by issuer, to AD attributes. Once a CAC is presented, the reader will provide the contents via the CA X.509 code. If the mapped attribute on the certificate matches a corresponding attribute in AD, the user is authenticated. The code installs on the Policy Server, so any agent should be able to use this method for authentication.

Once you have all this configured, accessing a protected resource can be as simple as going to the URL, inserting your CAC in the reader, entering your CAC PIN, and you are there.

For more information regarding the SiteMinder CAC module, contact IDMWorks.
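The matching step described above (certificate attribute, selected by issuer, compared against a directory attribute) reduced to its decision logic on constructed data. This is an added example, not CA's module or IDMWorks code; the issuer names, the directory attribute names and the directory rows are assumptions, and certificate chain validation, the reader and the PIN check are outside it.

```python
import re

# Constructed mapping, keyed by issuer DN: which certificate attribute is
# compared with which directory attribute. Attribute names are assumptions.
ISSUER_MAPPINGS = {
    "CN=EXAMPLE CA,OU=PKI,O=Example Org,C=US": ("CN", "exampleCardId"),
}

# Constructed rows standing in for Active Directory entries (not real users).
DIRECTORY = [
    {"sAMAccountName": "jdoe", "exampleCardId": "DOE.JOHN.1234567890"},
    {"sAMAccountName": "asmith", "exampleCardId": "SMITH.ANN.2222222222"},
    {"sAMAccountName": "dup1", "exampleCardId": "DUP.USER.3333333333"},
    {"sAMAccountName": "dup2", "exampleCardId": "DUP.USER.3333333333"},
]


def parse_dn(dn):
    """Split an RFC 4514 style DN ('CN=x,OU=y,O=z') into {type: value}.
    Commas escaped as '\\,' stay inside the value; a repeated type keeps the
    last occurrence, which is enough for this illustration."""
    attrs = {}
    for rdn in re.split(r"(?<!\\),", dn):
        key, _, value = rdn.partition("=")
        attrs[key.strip().upper()] = value.replace("\\,", ",").strip()
    return attrs


def authenticate(cert, mappings=ISSUER_MAPPINGS, directory=DIRECTORY):
    """Return (account_name, 'ok') on a unique match, else (None, reason).
    cert is a dict with 'issuer' and 'subject' DN strings, assumed to come
    from a certificate the PKI layer has already validated."""
    mapping = mappings.get(cert["issuer"])
    if mapping is None:
        return None, "untrusted or unmapped issuer"
    cert_attr, dir_attr = mapping
    value = parse_dn(cert["subject"]).get(cert_attr)
    if not value:
        return None, f"certificate has no {cert_attr}"
    matches = [e for e in directory if e.get(dir_attr) == value]
    if len(matches) != 1:  # zero hits and ambiguous hits both fail closed
        return None, f"{len(matches)} directory entries match {dir_attr}"
    return matches[0]["sAMAccountName"], "ok"


if __name__ == "__main__":
    card = {"issuer": "CN=EXAMPLE CA,OU=PKI,O=Example Org,C=US",
            "subject": "CN=DOE.JOHN.1234567890,OU=CONTRACTOR,O=Example Org,C=US"}
    print(authenticate(card))  # ('jdoe', 'ok')
```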

Protecting SharePoint 2007 with the new SiteMinder SharePoint Agent

Wednesday, October 13th, 2010

The traditional method of protecting SharePoint 2007 with SiteMinder would use the SharePoint Membership Provider method and LDAP to set up protection within SharePoint. This works fine for new installations, but if you have a legacy environment using Windows Authentication and MySites, this can throw the ownership of all the MySites into chaos.

Creating a new Membership Provider network can cause a disconnect between the MySites ownership and the users. While the Membership Provider can be pointed at the same AD environment, it now is authenticating via LDAP. SharePoint thinks these are all new users, even though they sign in with the same user ID and password. This is due to the change to an LDAP based Membership Provider. Whenever the user signs in and clicks on MySites, it goes to the right place, but then tells them the site belongs to someone else.

CA has published a new SiteMinder Agent for SharePoint. This agent integrates with the SharePoint environment and provides seamless integration with SiteMinder via the IIS Web Agent. The key feature, where MySites is concerned, comes from the Windows Impersonation that this agent brings. Set up SiteMinder to use the same AD source as SharePoint and you can impersonate the AD user, still use Windows Authentication in SharePoint, and keep the ownership of MySites intact. If you have a large user base who use MySites, they will (silently) thank you for this.

Questions? Feel free to reach out to us at IDMWorks.