Archive for the ‘Identity Management’ Category

« Older Entries

All Java is Not Created Equal

Tuesday, January 31st, 2012

***NOTE: As with all Tips and Tricks we provide on the IDMWorks blog, use the following AT YOUR OWN RISK.  We do not guarantee this will work in your environment and make no warranties***

The what:

Java & CA Identity Manager V12.5

The issue:

I got hung up with a version of Java 6.29 that should have worked with CA IDM V12.5 but on Windows, the IDM install was completing yet the JBoss startup hung on Analytics everytime.

The symptoms:

On Windows, CA IDM did not load thoroughly enough to do a clean uninstall. In the boot log there were errors abound specific to  ‘unzipping jar files’ but not much more to go on.

I replaced JBoss with a new download from a known good load to no avail.

I thought perhaps the Java version was incorrect. I uninstalled and reinstalled Java 6.27 but this only appeared to cause more problems.

The Solution:

In an effort to not have to wipe the box to change the Java install, I renamed the folder containing 6.27 to 6.29 and reset the Java Home variable.
The IDM console started up correctly utilizing the lower version of Java from the higher named Container.
The product release notes did say Java 6.X but this does not always guarantee compatibility.

Questions, comments or concerns? Feel free to reach out to us at IDMWorks.

Tags: , , , , , , , , ,
Posted in CA, CA Identity Manager, Identity Management, Java Development, Tips & Tricks | No Comments »

Novell IDM Best Practices: Don’t Forget the Small Stuff

Monday, October 17th, 2011

Don’t Forget the Small Stuff

When developing a Novell IDM driver its easy to get focused on requirements and lose track of the little things that can come back to bite you later on. The perfect example of this is the DirXML-Associations attribute.

This handy little attribute is typically automatically set by a driver to establish a relationship between an object in eDirectory and the object in the driver’s connected system.  When this value is set for a specific driver it allows future changes to be processed more quickly and efficiently.  These relationships are stored in eDirectory on the object and consist of the unique identifiers from the connected systems; for example, the Microsoft Active Directory driver leverages the Active Directory’s GUID value for the account to create the association in eDirectory.

The problem is that once these associations are created there are only two ways of getting rid of them.  The most obvious way is to delete the associated object in eDirectory.  If the object holding the values is deleted then it goes without saying that the values are deleted.  This method doesn’t require any additional coding or consideration in the driver.

The other method is to remove the association value from the attribute in eDirectory either manually (not recommended) or programmatically by creating a policy in the driver that contains the Remove Association action.  This means that someone has to create a policy or policies that contain a number of conditions to determine if/when an association should be removed.  The only thing is that in the course of requirements gathering and design these use cases and conditions are overlooked and not documented and therefore do not get implemented.

More often than not requirements simply dictate that a driver is not to delete objects out of eDirectory.  The natural instinct is to create a simple policy that checks to see if the current transaction is a delete event and if so to do a simple veto action.  The veto action will stop the transaction from processing through the driver to eDirectory and will result in the eDirectory object being unchanged, including the driver association.

So what’s the issue with keeping a driver association in eDirectory after the object/account/record has been deleted out of the connected system?  Well, simply put, it causes errors! This is because of how the driver detects and uses the association values in the DirXML-Associations attributes for more efficient transaction processing its a problem to have an association for a driver that points to a nonexistent record.

The result is that when an transaction for an object in eDirectory in such a state processes through the associated driver the driver will use the invalid association as its target reference.  This causes the transaction to result in an error because the target reference no longer exists.  The obvious result of this is that no changes are made in the target system.

On the flip side of things, if an unassociated object/account is created/modified in the target system and the driver attempts determines that the record in questions matches are previously associated eDirectory record the driver will attempt to merge the records and create a new association in eDirectory with the new account.  This causes an issue too.  An eDirectory object is only allowed to have one association per driver and since the driver already has an association for the old record on the eDirectory object the merge process will fail and the driver logs will record an error along the lines of “Object already associated“.

In either case the obsolete associations in eDirectory essentially defeat the purpose of having an identity management system.  Removing an association through driver policies is simple to do and can go a long way in developing a system that delivers reliable identity management capabilities between the various connected systems.  So the next time you are planning a driver or get a requirement that demonstrates the use case where the relationship between eDirectory and a connected system is being destroyed remember to clean up the association.

Questions, comments or concerns?  Feel free to reach out to us at IDMWorks.

Tags: , , , , , , , , ,
Posted in Best Practices, Identity Management, Novell, Novell Identity Manager | No Comments »

Twitter Updates for 2011-10-08

Saturday, October 8th, 2011

Tags:
Posted in Identity Management | No Comments »

Tips & Tricks: Startup & Shutdown Configuration for Tivoli Identity Manager

Monday, September 19th, 2011

***NOTE: As with all Tips and Tricks we provide on the IDMWorks blog, use the following AT YOUR OWN RISK.  We do not guarantee this will work in your environment and make no warranties***

Configuring Startup and Shutdown Procedures On Reboot for the ITIM and Associated Applications

Step 1

Create a script that will perform the Startup and Shutdown processes. Below is a script that was we used where ITIM, Directory Manager, Node Agent and jmsservers needed to be shutdown and started during reboot of the system.

The directory is /etc/init.d and  the member that we are working with is IBMitim (within this member is where the startup and shutdown commands reside.

From there we have Status, Startup and Shutdown commands. The status command will determine whether to start or stop the various servers. On this system there were 4 different servers that needed to be stopped or started during a reboot of the system (Deployment Manager, Node, jms servers and ITIM).

The script as follows:

state=”$1″
. /export/home/db2admin/sqllib/db2profile

case “$state” in
‘status’)
/opt/WebSphere/AppServer/bin/serverStatus.sh –all

/opt/WebSphere/DeploymentManager/bin/serverStatus.sh -all
;;
‘start’)

echo “Starting deployment manager “

/opt/WebSphere/DeploymentManager/bin/startManager.sh

echo “Start WebSphere Node”
/opt/WebSphere/AppServer/bin/startNode.sh

echo “Starting jms server”
/opt/WebSphere/AppServer/bin/startServer.sh jmsserver
echo “Starting ITIM”
/opt/WebSphere/AppServer/bin/startServer.sh ITIM
;;
‘stop’)

echo “Stopping ITIM”
/opt/WebSphere/AppServer/bin/stopServer.sh ITIM

echo “Stopping jms server”
/opt/WebSphere/AppServer/bin/stopServer.sh jmsserver

echo “Stopping WebSphere Node”
/opt/WebSphere/AppServer/bin/stopNode.sh

echo “Stopping Deployment Manager “

/opt/WebSphere/DeploymentManager/bin/stopManager.sh
echo “Stop WebSphere Server1″
/opt/WebSphere/AppServer/bin/stopServer.sh server1
;;
*)
echo “Usage: $0 { start | stop | status }”
exit 1
;;
esac
exit 0

Step 2

Determine where your procedure will reside. Now you need to create a link within a specific rc#.d directory. There are several rc#.d directories including rc0.d, rc1.d, rc2.d, rc3.d and rcS.d. During a system reboot these rc files are processed in order, rc0.d first and so on. You will need to determine when the process needs to occur. For this configuration of ITIM the startup and shutdown process will be placed in rc3.d.

Create a link for Startup/Shutdown by entering a link command as follows:

  1. ln command format “ln A B”

A = where your new script resides, this is what was performed in step 1when IBMitim was created.

B = file that is linked to IBMitim, there are certain rules that apply when creating these.  First character must be a “K” for stop and a “S” for start. The next 2 must be numeric, which will determine when they are processed. And the last 4 can be whatever you want.

As stated above we are going to place are Startup/Shutdown process in rc3.d, first cd /etc/rc3.d, now enter pwd at the command prompt to verify that you are pointing to /etc/rc3.d (displayed below). The ls (List command) will display what members reside in this directory.

Now we need to perform the link command.

-          ln /etc/init.d/IBMitim K01itim – this will link /etc/init.d/IBMitim to /etc/rc3.d/K01itim

-          ln /etc/init.d/IBMitim S99itim – this will link /etc/init.d/IBMitim to /etc/rc3.d/S99itim

After a ls(list command) you can see the link that was created(K01itim), perform the same process for S99itim.

Questions?  We have answers. Feel free to reach out to us at IDMWorks.

Tags: , , ,
Posted in IBM, Identity Management, Tips & Tricks, Tivoli Identity Manager | No Comments »

Tips & Tricks: How to Install the New OIDSync RMI Adapter for ITIM

Tuesday, September 13th, 2011

***NOTE: As with all Tips and Tricks we provide on the IDMWorks blog, use the following AT YOUR OWN RISK.  We do not guarantee this will work in your environment and make no warranties***

Tivoli Identity Manager Installation & Integration Procedures for OIDSync RMI Adapter

The following contains  the steps necessary to install the new OIDSync RMI Adapter in the ITIM Environment.

First, start with the Profile installation on ITIM (in this case the instructions necessary to install an OIDSync specific service profile on the ITIM 4.6 servers).

1.   Ensure that a copy of the file oidrmiprofile.jar, shipped with this release, is saved locally on the machine that you will use to open the web browser in the next step.

2.   Open the ITIM Management Console by entering the following URL into a Web-Browser:

URL: http://<ITIM_Console_Hostname>/enrole

3.   Enter the following information into the login screen to login to the ITIM console:

User ID: <ITIM_Manager_UID>

Password: <ITIM_Manager_PW>

4.   Click the Configuration tab in the menu at the top of the screen 5.   Click the Import/Export tab in the configuration menu.

5.   Click the Import tab in the Import/Export window

6.   Click the Browse button.

7.   Navigate to the location that you saved the oidrmiprofile.jar file, on the local machine.

8.   Select the oidrmiprofile.jar and click Open

9.   Click the Import data into Identity Manager link below the selected file

10. Click Continue to complete the import process.

Next up, ITIM Configuration and Provisioning Policy Creation.

(more…)

Tags:
Posted in IBM, Identity Management, Tips & Tricks, Tivoli Identity Manager | No Comments »

Configuring Additional Password Rules for Tivoli Identity Manager

Thursday, September 8th, 2011

***NOTE: As with all Tips and Tricks we provide on the IDMWorks blog, use the following AT YOUR OWN RISK.  We do not guarantee this will work in your environment and make no warranties***

There are 2 different ways to accomplish this task, automatically or manually.

Method 1: Automatically copy the files, as follows:

There is a script that is located in folder /export/home/<Name Wanted>_rules named installRules.sh.  This script will copy the <Name Wanted>.jar and MANIFEST.MF to the appropriate folders, it will also append 3 new password rules to the correct properties file.

The <Name Wanted>.jar, MANIFEST.MF and the passwordrules.properties files must exist in the same directory as the installRules.sh.

The code within the installRules.sh script copies the 2 files and performs a ‘cat’ function (as in concatinate) to the passwordRules.properties file that exist in itim/data directory.

Here are the 3 lines that will be appended to the passwordrules.properties file that resides in /itim/data.

            password.rule.com.passwordrules.MinUpperCaseCharacters=true

            password.rule.com.passwordrules.MinLowerCaseCharacters=true

            password.rule.com.passwordrules.MinSpecialCharacters=true

Once the script has been completed successfully you will need to edit the Customslabels.properties file. This is where the labels for the 3 new attributes are configured. Below are what the statements should look like in the CustomLabels.Properties file.

      password.rule.com.passwordrules.MinUpperCaseCharacters=Mininum Upper Case Required

      password.rule.com.passwordrules.MinUpperCaseCharacters=Mininum Lower Case Required

      password.rule.com.passwordrules.MinSpecialCharacters=Mininum Special Characters Required

Method 2: Manually copy the files, as follows:

 There are 4 separate steps that need to be completed to successfully add additional password rules for the ITIM system. Each step is described below and needs to be completed in order so that the additional rules work correctly.

Verify that the MANIFEST.MF member resides in the META-INF folder.

The META-INF folder is location in:

            /opt/WebSphere/AppServer/installedApps/”hostname”/enrole.ear/app_web.war

Add “<Name Wanted>.jar” to the Class-Path, verify that you can see Class-Path Entry where the <Name Wanted>.jar was added.

Verify that the <NameWanted>.jar member resides in the enRole.ear directory.

The enRole.ear folder is location in:

            /opt/WebSphere/AppServer/installedApps/’hostname’/

Edit the CustomLabels.properties file to add the new labels for the 3 new password attributes.

  1.  Change the directory to /itim/data
    1.  vi CustomLabels.properties file and add the 3 new password labels. Then save the file, as a precaution backup the CustomLabels.properties file before you start to edit it.

 Edit the passwordRules.properties file, add the 3 password attributes and set them to equal true.

 The passwordrules.properties file resides in “itim/data

Questions, comments or concerns?  Feel free to reach out to us at IDMWorks.

Tags: , , , ,
Posted in IBM, Identity Management, Tips & Tricks, Tivoli Identity Manager | No Comments »

Your IAM Toolset: the NVD Database

Monday, August 29th, 2011

Being in technical field it seems the TLAs (Three Letter Acronyms) and FLAs (Four Letter Acronyms) abound. But at times knowing about a few of them may provide key information we can all use to protect our customers.

Such is the case with the NVD (National Vulnerability Database)

First off, the NVD is hosted on the NIST.gov site. This database contains information about software or programming that can either create or leave open vulnerabilities. For example, if you type IDM on the search bar, 57 entries come back.  These include vulnerabilities in IDM apps including Novell and Sun IdM (btw, I only picked these two as they are on the first set of returned entries). If you open one of these vulnerabilities the NVD has information on what causes it, what damages it could do and most improtantlyhow to remediate it.

You can search by product or vendor name to narrow in on the entries that might be of concern. Some of the newer ones have just been reported and might not have a solution yet. Of course you can check with support at the company whose software has a concern.

So I’d recommend taking a few minutes to explore this database and the information that is availableand add this site to your IDM toolset.

Have a tool we should profile and/or add to the blog? Feel free to sound off below or reach out to us at IDMWorks.

Tags: , , , , ,
Posted in Access Management, Best Practices, Identity Management, Tips & Tricks | No Comments »

Avatier Identity Management Suite (AIMS) Overview

Monday, August 29th, 2011

The Product: Avatier Identity Management Suite (AIMS)

The Review:

Install

The installation of the Avatier Identity Management Suite (AIMS) was one of the more straight forward processes we have encountered and only took about 15 minutes to complete. The product itself installs on a Windows 2008 32/64 bit server (for version 7 and earlier) and for version 8  installs on a Windows server 2008 R2 64 bit.  AIMS is GUI driven and offers a branding interface that allows the customer to modify text or any of the graphics that appear on those screens without the need for custom programming or scripting. The product offers a range of connectors as many of the vendor IdM applications do and as is to be expected, with AIMS there is no additional install of software on the end-point server for the connector to function (agentless).  There are 28 different connects currently offered OOBincluding AS/400, Linux, various Microsoft (SQL, Windows, ADAM), Novell, Oracle, PeopleSoft, SAP, Sybase and Sun.  On the Access Management side, AIMS offers several web agents for the following platforms, IBM iSeries, IBM AIX, Linux, HP-UX and Sun Solaris.

Functionality

There are 8 core functions within the AIMS suite, Account Creator, Account Terminator, Compliance Auditor, Identity Analyzer, Identity Enforcer, Password Bouncer, Password Station and HR Feeds. These are installed as part of the base install of AIMS. Interestingly enough, all of the functions are configured through GUI windows and no scripting is involved.  Another nice touch with the product is the workflow is automagically built based on your configuration unlike many other products where you have to build it through scripting. 

The Identity Enforcer is the primary function of the product, this is where you configure Delegation, Org Charts, Reports, Security, etc…. . The product itself does have some pretty cool killer apps such as “Connect with IPad’”.  The reporting is stronger than many other products we have used and somewhat easier to configure. and the HR Feeds can read from several different databases (which is a given), such as Oracle, DB2, SQL-Server and MYSQL.

The Hits:

1. Password Station enables you to eliminate password reset calls to your internal help desk by allowing users to securely perform reset action themselves.
2. Password Bouncer improves on your password policy by allowing users only complex passwords that are difficult to crack.
3. Account Terminator automatically deactivates and captures account data from ex-employees as well as accounts that have been dormant and are no longer in use.
4. Account Creator automates all aspects of user provisioning thereby achieving great cost savings in starting new employees.
5. Identity Enforcer integrates workflow process of self-service authorization management.
6. Logon Station permits Single Sign-On so users only need to logononce to have access to every resource for which they are authorized.

The Verdict:

The maintence and setup is where the savings are compared to other market products. A big plus is that there is virtually no coding involved for workflow as AIMS can and will handle this automatically based on your configuration settings.  And a killer diller process that sets Avatier apart from others is the ability to get live updates (the platform is the only commercial off-the-shelf Identity Management solution I know that offers an optional Live Update service for automating software updates and upgrades but your mileage may vary with the usage of that one).

Once you have gained the knowledge of where everything resides in the GUI under specific functions the product is fairly straight forward to set up and while AIMS offers a lot of the same functionality as most of the IDM products on the market, such as Workflow, Reporting, Creating/Deleting Users and Reconciliation of Users across multiple platforms, it also offers a built in Role Mining function.

All in all a pretty bang up product addition to the Identity & Access Management market place.

Agree, Disagree or have a product we should be tackling next? Sound off below or feel free to reach out to us at IDMWorks.

Tags: , , , ,
Posted in Access Management, Avatier, Identity Management, Password Management | No Comments »

Where Novell/Net IQ fit in the Standards Based IDM Market

Thursday, August 18th, 2011

IDMWorks is a vendor neutral Identity & Access Management Service provider.  On our blog we highlight individual companies and products quite often.  Today we will be highlighting the Novell/Net IQ IAM stack.

When implementing an identity management solution it is typically in the best interest of a company to pursue a solution that adheres to industry standards.  Before we go any further it warrants pointing out that no solution is completely open and exclusively standards based. Every company has something in their product that makes them unique and hence worth purchasing.  But when you can implement a solution that is primarily based on standards such as LDAP, SAML or other industry accepted standards it gives your organization much greater flexibility in choosing a best-in-class point technology solution as part of the overall identity solution.

The base of the Novell/Net IQ identity management solution is the identity vault (IDV).  This is the hub in the hub-and-spoke solution that forms the basis for most implementations.  Choosing an identity repository is critical to the overall solution of the implementation.  The IDV should be fast, scalable and support the most common protocols such as LDAP and RADIUS.  The identity vault has the ability to be implemented on multiple platforms as organizations change over time and what is the preferred server platform today may not be the preferred platform tomorrow.  While it is not truly part of the standards argument, an identity vault that can operate of different platforms reduces risks when migrating the data center from one server platform to another and gives an organization much more flexibility in choosing the server platform that works best for their organization.

When you implement an identity management system you will be connecting to various systems and applications throughout your organization.  You should ask yourself  the following:

  • How easy or difficult is it to connect to various systems?
  • How many connectors does the identity management product come with?
  • What is the development effort for connecting to a system?
  • Is there an available community of expertise for supporting the identity management product?

These are all critical questions that must be answered as they have direct impact on the costs of implementing and supporting your identity management infrastructure.  By selecting a product that comes with a wide variety of pre-built connectors you greatly decrease your implementation expense and also decrease the risks of implementation issues as you are using a product that has been developed and tested in other environments and has a track record and a support channel behind it.  Also by using a product that adheres to industry standards such as XML, Java and even SQL you widen your pool for selecting professionals that can implement and support your solution.

Password Mangement

One of the greatest issues faced by help desk and IT organizations around the world today is password management and synchronization.  Your identity management solution should help address the chaos that is password policies.  Your solution should synchronize passwords throughout the connected systems or provide a mechanism for managing the access to those systems.  The solution should also provide a way for users to manage and reset their own passwords without help desk intervention.  Lastly, the solution should offer extensibility for password management so that future technologies can be integrated into the identity management solution without compromising the integrity of the authentication and authorization process as proper implementation of a password management solution will decrease the burden on your help desk and overall IT organization.

Workflow

An important component is many identity management solutions today is the ability to initiate and execute workflow requests.  Gone are the days where paper forms are shuffled through the mail room to grant access to critical systems.  Shuffling the same forms through email provided some improvement to the process but lacked the audit trail and accountability that is necessary for efficient business functionality.  These processes are now managed through the workflow engine and interface.  But when selecting that engine what are you getting?  Does the product lock you into it’s own interface or do you have the flexibility to integrate it with your other enterprise applications?  Does the product support web services and REST calls?  What features are available to these calls?  Choosing the correct solution can greatly increase the flexibility of your organization when it comes to implementing a workflow solution that makes your business dynamic and able to quickly react to the changing requirements that you are faced with daily.

Interoperability

Finally when evaluating an identity management product you must look at how well that product integrates with other components of an identity management solution.  You must consider authentication and authorization services.  No single product provides all of the needed or desired functionality so you are going to be looking at a suite of products.  Does the access management product support SAML?  How well will it integrate with the newly emerging Attribute Based Access Control (ABAC) and XACML (Extensible Access Control Markup Language) technologies?  And of course you must always be concerned with auditing and logging to meet compliance requirements.

While there are some vendors who offer many if not most of the components that make up a comprehensive identity management solution there are few, if any that offer all of the components.  This is where adhering to standards becomes such a critical issue.  By selecting components that adhere to industry standards it allows you to select best in class technology for each individual implementation point of your identity management solution with the confidence that it will work well as a part of your overall strategy.

As always, questions, comments or concerns?  Feel free to reach out to us at IDMWorks.

Tags: , , , ,
Posted in Identity Management, Novell, Novell Access Manager, Novell Identity Manager, Standards | No Comments »

The Novell Acquisition Conundrum

Wednesday, July 27th, 2011

With the recent purchase of Novell there has been a lot of discussion as to whether or not purchasing Novell technology is a good investment for your business.  There are legitimate concerns that an organization must take into consideration when investing in technology from a company that has just been acquired.

  • Will the technology continue to be developed and sold?
  • Who will provide support?
  • Will the quality and functionality of the product be maintained by the new organization?

As an old school Novell Identity & Access Management solutions SME I’d like provide a little perspective based on my own experience with Novell over the years.

The first thing I want to point out is this is not the first major merger Novell has been through.  In 2001 when Novell merged with Cambridge Technology Partners (CTP) there were many of the same questions.  While Novell was the company acquiring CTP it was not a typical merger as a large portion of CTP upper management was being infused into the combined company (including CTP CEO Jack Messman).  Many of the same challenges that Novell faces today were faced during that merger in terms of educating management on what the product offerings were and what the benefit to the customers that those offerings provided.  There was also the combination of sales force and education of said sales force.  Additionally there was the merging of the company cultures that is a challenge whenever any two organizations combine.  Obviously each merger is different and successfully merging once does not guarantee the same result the second time but there is experience within the organization in merging that hopefully will lead to success this time around.

But what about your organization?  Is Novell technology a good investment?  The technology produced by Novell is still a potentially good investment.  Novell produces a number of excellent technologies including SLES and ZenWorks however I’d like to stick with what IDMWorks implements and that is the Identity Manager suite of products.  Novell IDM is a very mature product that has a multitude of implementations.  Novell technology has a large, well established community of expertise.  There are many Novell partners (such as IDMWorks) which can implement and provide support for Novell technology.  Additionally Novell IDM solutions are largely based on industry standards such as XML, SAML, REST, and ECMAScript so we can train internal staff to self-support your Novell solution.

While a merger always puts a question mark over a company there is a good history at Novell with best-in-class technology offerings that has wide support in the industry.

But feel free to reach out to us at IDMWorks and we can talk options, fit or not, Novell or another vendor, as a vendor agnostic IAM services firm we can and will present a case for a multitude of options.  Get to know peace of mind.

Tags: , , , , ,
Posted in Identity Management, Novell, Novell Identity Manager | No Comments »

« Older Entries