Archive for the ‘Identity Management’ Category

Avatier Identity Management Suite (AIMS) Overview

Monday, August 29th, 2011

The Product: Avatier Identity Management Suite (AIMS)

The Review:

Install

The installation of the Avatier Identity Management Suite (AIMS) was one of the more straightforward processes we have encountered and only took about 15 minutes to complete. The product itself installs on a Windows 2008 32/64-bit server (for version 7 and earlier); version 8 installs on a Windows Server 2008 R2 64-bit server.  AIMS is GUI driven and offers a branding interface that allows the customer to modify text or any of the graphics that appear on those screens without the need for custom programming or scripting. The product offers a range of connectors, as many of the vendor IdM applications do, and as is to be expected with AIMS there is no additional install of software on the end-point server for the connector to function (agentless).  There are 28 different connectors currently offered OOB, including AS/400, Linux, various Microsoft (SQL, Windows, ADAM), Novell, Oracle, PeopleSoft, SAP, Sybase and Sun.  On the Access Management side, AIMS offers several web agents for the following platforms: IBM iSeries, IBM AIX, Linux, HP-UX and Sun Solaris.

Functionality

There are 8 core functions within the AIMS suite: Account Creator, Account Terminator, Compliance Auditor, Identity Analyzer, Identity Enforcer, Password Bouncer, Password Station and HR Feeds. These are installed as part of the base install of AIMS. Interestingly enough, all of the functions are configured through GUI windows and no scripting is involved.  Another nice touch with the product is that the workflow is automagically built based on your configuration, unlike many other products where you have to build it through scripting.

The Identity Enforcer is the primary function of the product; this is where you configure Delegation, Org Charts, Reports, Security, etc.  The product itself does have some pretty cool killer apps such as “Connect with iPad”.  The reporting is stronger than in many other products we have used and somewhat easier to configure, and the HR Feeds can read from several different databases (which is a given), such as Oracle, DB2, SQL Server and MySQL.

The Hits:

1. Password Station enables you to eliminate password reset calls to your internal help desk by allowing users to securely perform reset actions themselves.
2. Password Bouncer improves on your password policy by allowing users only complex passwords that are difficult to crack.
3. Account Terminator automatically deactivates and captures account data from ex-employees as well as accounts that have been dormant and are no longer in use.
4. Account Creator automates all aspects of user provisioning, thereby achieving great cost savings in starting new employees.
5. Identity Enforcer integrates a workflow process for self-service authorization management.
6. Logon Station permits Single Sign-On so users only need to log on once to have access to every resource for which they are authorized.

The Verdict:

The maintenance and setup is where the savings are compared to other market products. A big plus is that there is virtually no coding involved for workflow, as AIMS can and will handle this automatically based on your configuration settings.  And a killer diller process that sets Avatier apart from others is the ability to get live updates (the platform is the only commercial off-the-shelf Identity Management solution I know of that offers an optional Live Update service for automating software updates and upgrades, but your mileage may vary with the usage of that one).

Once you have gained the knowledge of where everything resides in the GUI under specific functions, the product is fairly straightforward to set up.  While AIMS offers a lot of the same functionality as most of the IDM products on the market, such as Workflow, Reporting, Creating/Deleting Users and Reconciliation of Users across multiple platforms, it also offers a built-in Role Mining function.

All in all a pretty bang up product addition to the Identity & Access Management market place.

Agree, Disagree or have a product we should be tackling next? Sound off below or feel free to reach out to us at IDMWorks.

Where Novell/Net IQ fit in the Standards Based IDM Market

Thursday, August 18th, 2011

IDMWorks is a vendor neutral Identity & Access Management Service provider.  On our blog we highlight individual companies and products quite often.  Today we will be highlighting the Novell/Net IQ IAM stack.

When implementing an identity management solution it is typically in the best interest of a company to pursue a solution that adheres to industry standards.  Before we go any further it warrants pointing out that no solution is completely open and exclusively standards based. Every company has something in their product that makes them unique and hence worth purchasing.  But when you can implement a solution that is primarily based on standards such as LDAP, SAML or other industry accepted standards it gives your organization much greater flexibility in choosing a best-in-class point technology solution as part of the overall identity solution.

The base of the Novell/Net IQ identity management solution is the identity vault (IDV).  This is the hub in the hub-and-spoke solution that forms the basis for most implementations.  Choosing an identity repository is critical to the overall implementation.  The IDV should be fast, scalable and support the most common protocols such as LDAP and RADIUS.  The identity vault can be implemented on multiple platforms, which matters because organizations change over time and what is the preferred server platform today may not be the preferred platform tomorrow.  While it is not truly part of the standards argument, an identity vault that can operate on different platforms reduces risk when migrating the data center from one server platform to another and gives an organization much more flexibility in choosing the server platform that works best for it.

When you implement an identity management system you will be connecting to various systems and applications throughout your organization.  You should ask yourself  the following:

  • How easy or difficult is it to connect to various systems?
  • How many connectors does the identity management product come with?
  • What is the development effort for connecting to a system?
  • Is there an available community of expertise for supporting the identity management product?

These are all critical questions that must be answered, as they have a direct impact on the costs of implementing and supporting your identity management infrastructure.  By selecting a product that comes with a wide variety of pre-built connectors you greatly decrease your implementation expense and also decrease the risk of implementation issues, as you are using a product that has been developed and tested in other environments and has a track record and a support channel behind it.  Also, by using a product that adheres to industry standards such as XML, Java and even SQL you widen your pool for selecting professionals who can implement and support your solution.

Password Management

One of the greatest issues faced by help desk and IT organizations around the world today is password management and synchronization.  Your identity management solution should help address the chaos that is password policies.  Your solution should synchronize passwords throughout the connected systems or provide a mechanism for managing the access to those systems.  The solution should also provide a way for users to manage and reset their own passwords without help desk intervention.  Lastly, the solution should offer extensibility for password management so that future technologies can be integrated into the identity management solution without compromising the integrity of the authentication and authorization process.  Proper implementation of a password management solution will decrease the burden on your help desk and overall IT organization.

Workflow

An important component in many identity management solutions today is the ability to initiate and execute workflow requests.  Gone are the days where paper forms are shuffled through the mail room to grant access to critical systems.  Shuffling the same forms through email provided some improvement to the process but lacked the audit trail and accountability that is necessary for efficient business functionality.  These processes are now managed through the workflow engine and interface.  But when selecting that engine, what are you getting?  Does the product lock you into its own interface, or do you have the flexibility to integrate it with your other enterprise applications?  Does the product support web services and REST calls?  What features are available to these calls?  Choosing the correct solution can greatly increase the flexibility of your organization when it comes to implementing a workflow solution that makes your business dynamic and able to quickly react to the changing requirements that you are faced with daily.

Interoperability

Finally when evaluating an identity management product you must look at how well that product integrates with other components of an identity management solution.  You must consider authentication and authorization services.  No single product provides all of the needed or desired functionality so you are going to be looking at a suite of products.  Does the access management product support SAML?  How well will it integrate with the newly emerging Attribute Based Access Control (ABAC) and XACML (Extensible Access Control Markup Language) technologies?  And of course you must always be concerned with auditing and logging to meet compliance requirements.

While there are some vendors who offer many, if not most, of the components that make up a comprehensive identity management solution, there are few, if any, that offer all of the components.  This is where adhering to standards becomes such a critical issue.  By selecting components that adhere to industry standards you can select best-in-class technology for each individual implementation point of your identity management solution, with the confidence that it will work well as a part of your overall strategy.

As always, questions, comments or concerns?  Feel free to reach out to us at IDMWorks.

The Novell Acquisition Conundrum

Wednesday, July 27th, 2011

With the recent purchase of Novell there has been a lot of discussion as to whether or not purchasing Novell technology is a good investment for your business.  There are legitimate concerns that an organization must take into consideration when investing in technology from a company that has just been acquired.

  • Will the technology continue to be developed and sold?
  • Who will provide support?
  • Will the quality and functionality of the product be maintained by the new organization?

As an old school Novell Identity & Access Management solutions SME, I’d like to provide a little perspective based on my own experience with Novell over the years.

The first thing I want to point out is that this is not the first major merger Novell has been through.  In 2001, when Novell merged with Cambridge Technology Partners (CTP), there were many of the same questions.  While Novell was the company acquiring CTP, it was not a typical merger, as a large portion of CTP upper management was being infused into the combined company (including CTP CEO Jack Messman).  Many of the same challenges that Novell faces today were faced during that merger in terms of educating management on what the product offerings were and what benefit those offerings provided to customers.  There was also the combination of sales forces and education of said sales force.  Additionally there was the merging of company cultures, which is a challenge whenever any two organizations combine.  Obviously each merger is different, and successfully merging once does not guarantee the same result the second time, but there is experience within the organization in merging that hopefully will lead to success this time around.

But what about your organization?  Is Novell technology a good investment?  The technology produced by Novell is still a potentially good investment.  Novell produces a number of excellent technologies including SLES and ZENworks; however, I’d like to stick with what IDMWorks implements, and that is the Identity Manager suite of products.  Novell IDM is a very mature product that has a multitude of implementations.  Novell technology has a large, well established community of expertise.  There are many Novell partners (such as IDMWorks) which can implement and provide support for Novell technology.  Additionally, Novell IDM solutions are largely based on industry standards such as XML, SAML, REST, and ECMAScript, so we can train internal staff to self-support your Novell solution.

While a merger always puts a question mark over a company, there is a good history at Novell of best-in-class technology offerings that have wide support in the industry.

But feel free to reach out to us at IDMWorks and we can talk options: fit or not, Novell or another vendor.  As a vendor-agnostic IAM services firm we can and will present a case for a multitude of options.  Get to know peace of mind.

Secure Information? Why my Bank is making me Paranoid!

Wednesday, July 20th, 2011

Who is protecting your personal information?

Recently I received a note from one of the service providers I use for personal banking telling me that some of my information may have been compromised. Hey, this stuff happens from time to time, right? One would hope there would be some level of real disclosure about what information was in fact compromised.

A follow-up letter arrived via email that provides tidbits of information about what actually occurred and what information may have been accessed.  Not surprisingly, it had obviously been drafted by a professional wordsmith, passed through lawyers’ hands, filtered through many levels of executive approvals, and then finally sent out to the masses. I have included the letter below and added my own insight in red (the company’s names have been changed to protect the…).

Email from XYZINC

XYZINC is letting our customers know that we have been informed by ABCINC, a vendor we use to send e-mails, that an unauthorized person outside ABCINC accessed files (um…how exactly were they accessed?) that included e-mail addresses (and…?) of some XYZINC customers (would be nice to know if I am one of the “some”?). We have a team at ABCINC investigating (What kind of team? Who’s on the team? What are their qualifications? Hey wait a minute, are these the same guys that just allowed my information to be “accessed”?) and we are confident (they were probably confident the last time as well, but if they are confident I guess that means I should be as well because…well… they said so) that the information that was retrieved included some (again, am I one of the “some”?) XYZINC customer e-mail addresses, but did not include any customer account or financial information (I’d love to know what they qualify as customer account/financial information.  I’d be much happier if they specifically pointed out that my SSN, address, phone number, place of employment, or any other information they required of me in order to transact business through them was not swiped).
We apologize if this causes you any inconvenience (the inconvenience is unknown until it’s too late, as I don’t know what information was really “accessed”, do I?). We want to remind you that XYZINC will never ask for your personal information or login credentials in an e-mail (neither do the phishers these days.  They just put up bogus sites hidden under mislabeled URLs for the non-technical folk to give away their information; now they have my email address apparently, oh joy!). As always, be cautious if you receive e-mails asking for your personal information and be on the lookout for unwanted spam (LOL, I am willing to bet that ABCINC has already sold my email address to a number of “partner” companies and that’s where most of the marketing spam originated). It is not XYZINC’s practice to request personal information by e-mail.

As a reminder, we recommend that you:

  • Don’t give your XYZINC User ID or password in e-mail.
  • Don’t respond to e-mails that require you to enter personal information directly into the e-mail.
  • Don’t respond to e-mails threatening to close your account if you do not take the immediate action of providing personal information.
  • Don’t reply to e-mails asking you to send personal information.
  • Don’t use your e-mail address as a login ID or password.

The security of your information is a critical priority to us and we strive to handle it carefully at all times (Should this be considered case in point? I am guessing not, but gosh they are striving, that makes me feel so much better). Please visit our Security Center at XYZINC.com and click on “Fraud Information” under the “How to Report Fraud.” It provides additional information on exercising caution when reading e-mails that appear to be sent by us (but remember, we hire ABCINC to send our email, so email from us is not really from us even though it appears to be sent by us).

After reading this stunning bit of legal repentance my next stop was to go review XYZINC’s Privacy notice on their web site, and what an eye opener that was. I won’t bore you with all the gory details of the notice but here are a few highlights that made me worry:

Twitter Updates for 2011-07-13

Wednesday, July 13th, 2011

OIM: Manually Revoking a Stuck Resource Object through the Database

Wednesday, June 29th, 2011

**NOTE: As with all Tips and Tricks we provide on the IDMWorks blog, use the following AT YOUR OWN RISK.  We do not guarantee this will work in your environment and make no warranties.**

Oracle Identity Manager: Manually Revoking a Stuck Resource Object through the Database

Have you ever had a Resource Object stuck in a Pending or Provisioning state that you just couldn’t do anything about?  This happens a lot when first setting up a Resource Object and running Revoke before you create the Revoke tasks. The status will stay on “Provisioned” but all the tasks inside will say “Cancelled” and there’s nothing more you can do to it.  If you only allow one instance that user is now stuck.

Here is how to set the status to Revoked manually, through the database, so you can re-provision a new instance of the Resource Object.

First, let’s look at all the resources the user has. This query will show you their resources, their statuses, and some necessary keys you’ll need later (replace USER with your user’s login ID):

select oiu.oiu_key, oiu.obi_key, oiu.orc_key, ost.ost_status, obj.obj_name, obj.obj_key, oiu.req_key
from oiu
  inner join ost on oiu.ost_key = ost.ost_key
  inner join obi on oiu.obi_key = obi.obi_key
  inner join obj on obi.obj_key = obj.obj_key
where oiu.usr_key = (select usr_key from usr where usr_login = 'USER');

Look at the results and find the line that has the stuck object and save the OIU_KEY and the OBJ_KEY.

Next we need the key for this Object’s Revoked status. Each Object has its own set of Status Codes, so to find the ones for our object above, run this query, replacing YOUROBJKEY with the OBJ_KEY number from the first query above:

select * from OST where obj_key = YOUROBJKEY;

Look at the results and find the line where the OST_STATUS is “Revoked” and save the OST_KEY.

Next we will update the Object Instance and set its status to the new key. If you want to see the current record in its bare naked form, run this (replace THEKEY with the OIU_KEY from the first query):

select * from oiu where OIU_KEY = THEKEY;

You will see the OST_KEY column in the results. This is the current status of your Resource Object, and it is what we are going to change to the new status. So let’s run this query, replacing YOUROSTKEY with the OST_KEY from the second query and YOUROIUKEY with the OIU_KEY from the first query:

update oiu set ost_key = YOUROSTKEY where oiu_key=YOUROIUKEY;

Perform a Commit and that’s it. Pull up the resource profile for the user in the web console and you should see that the status for that resource object is now “Revoked”.
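To show the whole procedure end to end, here is an added example (not Oracle’s or IDMWorks’ code) that loads a constructed copy of the usr, obj, obi, ost and oiu tables into SQLite and runs the post’s queries with bind parameters, adding the row-count checks you would want before touching a production OIM database. The table and column names are the ones the post’s queries use; the sample rows, logins and key values are made up.

```python
"""Manually revoking a stuck OIM resource instance, with sanity checks.

Constructed example against an in-memory SQLite copy of the five OIM
tables used by the queries in the post. Oracle would be the real target;
the SQL here is the post's own and is portable enough to run unchanged.
"""
import sqlite3

SCHEMA = """
create table usr (usr_key integer primary key, usr_login text);
create table obj (obj_key integer primary key, obj_name text);
create table obi (obi_key integer primary key, obj_key integer);
create table ost (ost_key integer primary key, obj_key integer, ost_status text);
create table oiu (oiu_key integer primary key, obi_key integer, orc_key integer,
                  ost_key integer, usr_key integer, req_key integer);
"""

# Constructed sample data: user jdoe holds an 'AD User' instance that is
# stuck in 'Provisioned' (its tasks were cancelled) and a healthy 'DB User'.
# Each object has its own status rows in OST, exactly as the post describes.
SAMPLE_ROWS = {
    "usr": [(1001, "jdoe")],
    "obj": [(20, "AD User"), (21, "DB User")],
    "obi": [(301, 20), (302, 21)],
    "ost": [(40, 20, "Provisioning"), (41, 20, "Provisioned"), (42, 20, "Revoked"),
            (43, 21, "Provisioned"), (44, 21, "Revoked")],
    "oiu": [(5001, 301, 7001, 41, 1001, 9001), (5002, 302, 7002, 43, 1001, 9002)],
}


def build_db():
    """Create the throwaway database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        marks = ",".join("?" * len(rows[0]))
        conn.executemany(f"insert into {table} values ({marks})", rows)
    conn.commit()
    return conn


def list_user_resources(conn, login):
    """First query from the post: every resource instance the user holds.

    Row layout: (oiu_key, obi_key, orc_key, ost_status, obj_name, obj_key, req_key)
    """
    return conn.execute(
        "select oiu.oiu_key, oiu.obi_key, oiu.orc_key, ost.ost_status, "
        "obj.obj_name, obj.obj_key, oiu.req_key "
        "from oiu inner join ost on oiu.ost_key = ost.ost_key "
        "inner join obi on oiu.obi_key = obi.obi_key "
        "inner join obj on obi.obj_key = obj.obj_key "
        "where oiu.usr_key = (select usr_key from usr where usr_login = ?)",
        (login,),
    ).fetchall()


def revoked_status_key(conn, obj_key):
    """Second query: the OST_KEY that means 'Revoked' for this object only."""
    rows = conn.execute(
        "select ost_key from ost where obj_key = ? and ost_status = 'Revoked'",
        (obj_key,),
    ).fetchall()
    if len(rows) != 1:
        raise LookupError(f"expected one Revoked status for obj_key {obj_key}, got {len(rows)}")
    return rows[0][0]


def force_revoke(conn, login, obj_name):
    """Set the user's instance of obj_name to Revoked; returns the OIU_KEY changed."""
    hits = [r for r in list_user_resources(conn, login) if r[4] == obj_name]
    if len(hits) != 1:
        # Refuse to guess when the user has zero or several instances.
        raise LookupError(f"{login} has {len(hits)} instance(s) of {obj_name}")
    oiu_key, current_status, obj_key = hits[0][0], hits[0][3], hits[0][5]
    if current_status == "Revoked":
        return oiu_key  # already where we want it; nothing to change
    new_ost = revoked_status_key(conn, obj_key)
    # The post's UPDATE, run inside the implicit transaction so it can be
    # rolled back if anything other than exactly one row is touched.
    cur = conn.execute("update oiu set ost_key = ? where oiu_key = ?", (new_ost, oiu_key))
    if cur.rowcount != 1:
        conn.rollback()
        raise RuntimeError(f"update touched {cur.rowcount} rows for oiu_key {oiu_key}")
    conn.commit()  # the 'Perform a Commit' step
    return oiu_key


def status_of(conn, login, obj_name):
    """Verification helper: current OST_STATUS of the user's instance, or None."""
    for r in list_user_resources(conn, login):
        if r[4] == obj_name:
            return r[3]
    return None
```

A direct table edit like this bypasses the application, so note the OIU_KEY and the old and new OST_KEY values yourself before committing.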

Questions, comments or concerns?  Feel free to reach out to us at IDMWorks.

Oracle Identity Manager, Oracle Linux 5, & VMWare

Tuesday, June 28th, 2011

**NOTE: As with all Tips and Tricks we provide on the IDMWorks blog, use the following AT YOUR OWN RISK.  We do not guarantee this will work in your environment and make no warranties.**

As someone who has spent the majority of my computing time in a Microsoft Windows world but is familiar with Linux, I didn’t think twice when attempting to set up an Oracle Identity Manager environment based on Linux. A few obstacles later I learned some very important lessons for installing OIM on Linux.

  • First, it is important to know the “root” user password but also to have another account available with permission to access the installation data. Some processes require “root” user access while others strictly prohibit the “root” user from executing them. For the most part you will not be using the “root” user for the installs, but some scripts used in the installation process require “root” to execute, making knowledge of both accounts a must.
  • Always understand the prerequisites! Oracle Identity Manager requires other applications like Oracle Database, WebLogic, etc. Each of these applications has its own prerequisites, such as particular versions of the Java JDK, JAVA_HOME variables declared in the .bash_profile, and certain Linux packages being installed. If these prerequisites aren’t met it can result in errors during installation, stalled installations, and even graphical distortions in the install wizards. This means that before attempting to install the OIM components it is very worthwhile to double check all of the prerequisites to make your life easier.
  • Another useful tip is to “know your installer”. Many of the OIM component downloads contain installers for multiple platforms and some generic installers that are platform independent. Knowing which install to use for the desired platform is important. Some of the generic installers do not bundle components that are required. A perfect example is the WebLogic Server installer. WebLogic requires a JDK selection during the install process.  While the OS-specific installs come bundled with compatible JDKs, the generic install does not include any JDK, so one will have to be installed separately and manually specified.  Which installer to use is determined by the compatibility matrix on Oracle’s website.  And I can tell you for sure that it will save you time and frustration to look at that before starting your installs.
  • For VM installs you may run into an issue where, upon install, the max resolution is 800 x 600.  This becomes a small issue since the Oracle Database 11g installer wants a 1024 x 768 resolution, so the full menu won’t appear on the screen.  This is actually a pretty easy fix.  In the display properties change the hardware to an LCD with the desired resolution.  Once that is set you can go back to the resolution selection screen and change to a higher resolution.  A reboot will be required before the new resolution can take effect, though.
  • And probably the most useful thing to know is the Linux commands that will be used throughout these installs.  Below is a list of some of the commands that were used:
  1. su: This command lets you assume superuser or “root” user level access, provided that you know the password for that account.
  2. exit: When you are finished with “root” user access this command will exit the root user session and return the terminal permissions back to the logged-in user.
  3. java -version: This will print out what version of Java is installed and registered in the environment variables located in the .bash_profile.
  4. whereis java: This will print out the different locations where Java is installed based on the environment variables and any symbolic links.
  5. vi ~/.bash_profile:
    • This command will allow you to edit the .bash_profile where environment variables are declared.
    • This file should only be edited under instruction, because if this file is fouled up it can trash the system and require a complete reinstall.
  6. :wq: When editing the .bash_profile file this command will allow you to save the changes and then exit back to the terminal.  Of course there are other commands that can be used to accomplish the same thing.
  7. . ./.bash_profile: After editing the .bash_profile this will reload the settings using the updated file.
  8. rpm -ivh <filename>: This will install packages that may be missing.  This does require an exact file name to be specified.

Questions, comments or concerns?  Feel free to reach out to us at IDMWorks.

Novell Identity Manager Workflows – Combo Box Iteration

Tuesday, June 14th, 2011

**NOTE: As with all Tips and Tricks we provide on the IDMWorks blog, use the following AT YOUR OWN RISK.  We do not guarantee this will work in your environment and make no warranties.**

Identity Workflows…over the years we have seen a number of workflows developed.  Most were pretty straightforward.  There was a request form, an approval form or two, and an entitlement/role/resource activity action before closing out the workflow.  Every once in a while there might even have been an integration activity thrown in along the way to just make things interesting.  But from time to time there is a requirement that users can select multiple items from a picklist and then the workflow has to perform separate actions for each item selected.

This is a bit more challenging.

There isn’t a predefined activity in Designer that does anything remotely like running an action per selected item of a picklist.  As a result you must build this process manually.

So let’s take a look at how to do this in Novell IdM.

First the good news!  This is not an overly complex process but does have a few pieces to it as seen below:

  1. Determine where in the workflow you want to start this process and add a “Mapping” activity.
  2. Map the expression “flowdata.getObject(‘<fieldName>’).size()” to a new flowdata element.  This will be used to get our max count index or upper range.
    1. “flowdata.getObject(‘<fieldName>’)” will return all of the items selected in the specified field. *Side note: depending on your version of Designer the “getObject” method may not be obvious, but it can be manually entered using the proper casing to achieve the desired results.*
    2. The “.size()” method will actually return the count of the items returned from the first part of the call, so when put all together the “flowdata.getObject(‘<fieldName>’).size()” expression will return a count of only the selected items in the specified field.
  3. In the same “Mapping” activity set a value of ‘0’ (zero) to a new flowdata element.  This element will be used as the counter element to show how many iterations have been completed.
  4. Next add a “Condition” activity.  This activity will compare the current counter value to the upper range to determine if another iteration is needed.  If the counter is less than the upper range (true) then continue iterating; otherwise exit the loop to the next desired activity (false).
    1. Sample: “flowdata.get(‘Counter’) < flowdata.get(‘UpperRange’)”
  5. Along the “true” path from the “Condition” activity add another “Mapping” activity.  Map the expression “flowdata.getObject(‘<fieldName>’).get((flowdata.get(‘<counterName>’))*1)” to a new flowdata element.  This will get the value of the selected item at the current counter index, or position.
    1. Just like in the first mapping, the “flowdata.getObject(‘<fieldName>’)” expression will only return the selected values in the specified field.
    2. The “.get()” method will allow you to specify a position, or index, in the array of values from the first method to return a single value from the list.
    3. The “(flowdata.get(‘<counterName>’)*1)” expression will retrieve the value of the current iteration count and multiply it by 1 to provide an integer value for the “.get()” method part of the expression.  This means that the string value of ‘0’ multiplied (*) by the integer 1 will result in an integer of 0, which in an array of values means the first value.
  6. Now that you have the selected value you can perform whatever action is needed.  Most commonly I have granted entitlements, roles, and/or resources based on the selected value using the proper activity for the version of IDM being used.
    *Side note: Pretty much all supported versions of IDM and Designer at the date of this blog’s publication have an entitlement activity.  With IDM 4.0 and Designer 4.0 there is a “Role Request” activity for granting and revoking roles, but resources must be individually granted or revoked using the “Integration” activity and the User Application WSDL, which has the necessary web methods to perform the desired action.  Now in IDM 4.0.1 and Designer 4.0.1 Novell added a “Resource Request” activity that is similar to the other activities, which makes it very easy to grant/revoke resources through a workflow.*

  7. After performing the desired action(s) it is time to increase the count.  To do this we need another “Mapping” activity.  In this activity map the expression “((flowdata.get(‘<counterName>’)*1)+1)+""” to the same flowdata element that was originally set to ‘0’ back in Step 2; that way we keep the same flowdata variable name as our counter.
  8. Connect the “Mapping” activity from Step 7 to the “Condition” activity from Step 4 to complete the iteration loop.  This means that with each iteration the counter will go up by a value of 1, and as long as that counter value is less than the number of selected items this loop will occur.  Once those values are equal, or the counter is somehow greater, the loop will exit and the workflow will follow the “false” path laid out from the “Condition” activity.

And yes, you can add additional activities within the iteration loop.  It is very common to have various “Log” activities sprinkled through the loop outputting things like the current counter value, the current selected item value, etc.

“Um…I think there is a flaw in your logic.  If I have three items selected wouldn’t I need my counter to be greater than 3 and not equal to 3 before exiting the loop?” No! While the “.size()” method gives you a count of 3, this is just the count of items selected; when you iterate through the item list, the list is actually treated as an array, so the first item is at position 0, not 1 as in ordinary counting.  This means that the selected values of a pick list are read like this:

  1. List Item 1 = Array Index 0
  2. List Item 2 = Array Index 1
  3. List Item 3 = Array Index 2

This means that as long as our index counter is less than our object count we can continue, but once our counter is equal to or greater than our object count we need to stop.  If we had a count of three and tried to access Array Index 3 in the example above, the workflow would encounter an error because no value at Array Index 3 will be found, and the workflow would terminate.

So as you can see it isn’t a difficult process to do; it just requires some careful mapping and pathing to make sure things go where they need to go and in the proper order.
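The loop from Steps 2 through 8, as an added Python emulation (not Novell’s or IDMWorks’ code) of what the Mapping and Condition activities do to flowdata, including the index question answered just above. FlowData is a stand-in class and an assumption: it keeps scalar values as strings the way the steps do, returns only the selected picklist items from get_object(), and uses int() where the workflow expressions use “*1”.

```python
"""Emulation of the Designer combo-box iteration loop (constructed example)."""


class FlowData:
    """Stand-in for the workflow flowdata object (assumption, not Novell's API)."""

    def __init__(self, fields):
        self._fields = dict(fields)

    def get(self, name):
        # Scalar flowdata values are strings, like the '0' set in Step 3.
        return self._fields[name]

    def get_object(self, name):
        # Equivalent of flowdata.getObject('<fieldName>'): selected items only.
        return list(self._fields[name])

    def put(self, name, value):
        # Equivalent of a Mapping activity writing a flowdata element.
        self._fields[name] = value


def run_picklist_loop(flowdata, field_name, action, strict=True):
    """Apply action() to each selected item; returns the items in order.

    strict=True is the Step 4 condition (Counter < UpperRange). strict=False
    is the "shouldn't it be <=?" variant from the question above, kept only
    so the off-by-one failure can be demonstrated.
    """
    processed = []
    # Steps 2 and 3: one Mapping activity sets UpperRange (.size()) and Counter ('0').
    flowdata.put("UpperRange", str(len(flowdata.get_object(field_name))))
    flowdata.put("Counter", "0")
    while True:
        # Step 4: Condition activity; int() plays the role of the '*1' coercion.
        counter = int(flowdata.get("Counter"))
        upper = int(flowdata.get("UpperRange"))
        keep_going = counter < upper if strict else counter <= upper
        if not keep_going:
            break  # the "false" path out of the loop
        # Step 5: .get(Counter*1) is 0-based, so List Item 1 is Array Index 0.
        item = flowdata.get_object(field_name)[counter]
        flowdata.put("SelectedItem", item)
        # Step 6: the per-item activity (role/resource/entitlement request).
        action(item)
        processed.append(item)
        # Step 7: Counter = ((Counter*1)+1)+""  -> stored as a string again.
        flowdata.put("Counter", str(counter + 1))
    return processed


def off_by_one_fails(items):
    """True if the '<=' variant errors on the missing last index, as the post warns."""
    try:
        run_picklist_loop(FlowData({"f": items}), "f", lambda _: None, strict=False)
    except IndexError:
        return True
    return False
```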

Questions, comments or concerns?  Feel free to reach out to us at IDMWorks.

    Taking Control of Your Oracle Identity Manager Scheduler

    Tuesday, June 14th, 2011

    **NOTE: As with all Tips and Tricks we provide on the IDMWorks blog, use the following AT YOUR OWN RISK.  We do not guarantee this will work in your environment and make no warranties***

    According to Oracle’s sizing guide for Oracle Identity Manager (OIM) 10g, in a large deployment you should break up your clustered servers by task.   For example, if you have four nodes in your cluster, you may use two to handle user requests and two to handle provisioning processes and scheduled tasks.   This allows you to dedicate servers to the tasks you want them handling.  Combined with load balancing, either through WebLogic or through an appliance, this provides a high level of stability and availability.   However, one thing I noticed when reading through Oracle’s documentation is that nowhere does it mention how to do it.

    So how do you do it?

    The scheduler service on each server can be enabled or disabled through the xlconfig.xml file that contains the settings for OIM.    This setting controls whether the scheduler service starts when OIM starts on that node. The file is typically found in the OIM_HOME\xellerate\config folder and can be modified with any text editor.

    Always note that it is a very bad idea to change settings in the xlconfig file if you don’t know what they do, so proceed with caution.

    Use the following instructions to disable the Scheduler service on any node where you do not want it running.

    Step 1: Open the xlconfig.xml file with the editor of your choice

    I like to use textpad or notepad++.

    Step 2: Find the line below:

    <StartOnDeployment>true</StartOnDeployment>

    Step 3: Edit the line so it looks as follows:

    <StartOnDeployment>false</StartOnDeployment>

    Step 4: Save your file

    Step 5: Restart OIM

    That’s it.  It’s also good to note that in that same area of the xlconfig file (just above the line you modified) you will find a commented section explaining the Scheduler properties and what can be modified.  These include:

    XLUserName / XLPassword - Used to log in to xellerate when executing the scheduled tasks.
    StartOnDeployment - Set this to true to start the scheduler along with application startup.
    ThreadPoolSize - Number of threads that can run scheduled jobs simultaneously.
    DataBasePoolSize - Number of database connections the scheduler can open.
    JNDIName - The name under which the scheduler will be bound into the JNDI tree.
    DatabaseDeligate - Quartz Scheduler database delegate class.

    By modifying these settings you can better tailor your environment to suit your needs in production, or troubleshoot an environment where tasks are jumping from node to node, making them difficult to track in the log.
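    Once the scheduler is pinned to specific nodes, the thing that goes wrong in practice is drift: someone restores or copies an xlconfig.xml and a request node starts running scheduled tasks again, or no node runs them at all. The following is an added example, not Oracle’s code and not part of the original post, that parses the Scheduler section of each node’s xlconfig.xml, reports which nodes will start the scheduler against the list of nodes that should, and produces a switched copy of the setting. The element names are the ones listed above; the surrounding document structure, node names and values are constructed for the demo.

```python
# Added example (not from Oracle or the original post): parse the Scheduler
# section of xlconfig.xml, report which cluster nodes will start the
# scheduler, and produce a copy with StartOnDeployment switched. The element
# names are the ones the post lists; the surrounding document structure,
# node names and values are constructed for this demo.
import xml.etree.ElementTree as ET

# Constructed fragment shaped like the Scheduler block the post describes
# (values are placeholders, not a real OIM configuration).
SAMPLE_XLCONFIG = """<xl-configuration>
  <Scheduler>
    <XLUserName>PLACEHOLDER_USER</XLUserName>
    <XLPassword encrypted="true">PLACEHOLDER_ENCRYPTED_VALUE</XLPassword>
    <StartOnDeployment>true</StartOnDeployment>
    <ThreadPoolSize>10</ThreadPoolSize>
    <DataBasePoolSize>5</DataBasePoolSize>
    <JNDIName>PLACEHOLDER_JNDI_NAME</JNDIName>
  </Scheduler>
</xl-configuration>
"""


def _start_on_deployment(root):
    node = root.find("./Scheduler/StartOnDeployment")
    if node is None:
        raise ValueError("no Scheduler/StartOnDeployment element found")
    return node


def scheduler_enabled(xlconfig_text):
    """True when this node's xlconfig.xml starts the scheduler with OIM."""
    node = _start_on_deployment(ET.fromstring(xlconfig_text))
    return (node.text or "").strip().lower() == "true"


def set_scheduler(xlconfig_text, enabled):
    """Return the config text with StartOnDeployment set to true/false.

    ElementTree drops XML comments and the XML declaration when it
    serialises, so on a real xlconfig.xml (which carries the commented
    property descriptions mentioned above) make the change in a text
    editor as the post describes, or use a comment-preserving parser.
    """
    root = ET.fromstring(xlconfig_text)
    _start_on_deployment(root).text = "true" if enabled else "false"
    return ET.tostring(root, encoding="unicode")


def audit_cluster(node_configs, scheduler_nodes):
    """Compare per-node configs against the nodes meant to run the scheduler.

    node_configs: {node name: xlconfig.xml text}; scheduler_nodes: names of
    the nodes that should have StartOnDeployment=true.
    Returns (set of nodes that will start the scheduler, list of findings).
    """
    wanted = set(scheduler_nodes)
    enabled = {name for name, text in node_configs.items() if scheduler_enabled(text)}
    findings = []
    for name in sorted(enabled - wanted):
        findings.append(f"{name}: scheduler enabled but this is not a scheduler node")
    for name in sorted(wanted - enabled):
        findings.append(f"{name}: scheduler disabled on a node that should run it")
    if not enabled:
        findings.append("no node starts the scheduler; scheduled tasks will never run")
    return enabled, findings


if __name__ == "__main__":
    # The four-node layout from the post: two request nodes, two
    # provisioning/scheduler nodes, all still on the default setting.
    configs = {n: SAMPLE_XLCONFIG for n in ("node1", "node2", "node3", "node4")}
    print(audit_cluster(configs, {"node3", "node4"}))
    for n in ("node1", "node2"):
        configs[n] = set_scheduler(configs[n], False)
    print(audit_cluster(configs, {"node3", "node4"}))
```

    To run it against a real cluster, read each node’s OIM_HOME\xellerate\config\xlconfig.xml into the dictionary passed to audit_cluster; the first run flags node1 and node2, the second, after the setting is switched off on those two, comes back clean.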

    Questions, comments or concerns?  Feel free to reach out to us at IDMWorks.

    Novell IDM Entitlement DN & Stylesheets

    Tuesday, May 10th, 2011

    Entitlements can be a bit quirky in driver policies.  A driver has the ability to add its own entitlement to an object, but it doesn’t have the ability to add a different driver’s entitlement, or remove an entitlement, through policy.  When entitlements have to be added or removed in a way that can’t be done through policy, that’s when you call in stylesheets.  Stylesheets are flexible and powerful tools in the driver’s toolbox, but they are not as user friendly and require more advanced developer knowledge than standard policies.

    Stylesheets can suffer from an annoying issue if they contain hard-coded object DNs in the XML: when the stylesheet is migrated from one environment to the next, the object DN(s) aren’t detected correctly after migration.  I have seen it a number of times where an object DN is the same in a QA and a Production environment, the stylesheet tests fine in QA, but when migrated to Production the stylesheet doesn’t execute correctly. And the odd thing in this situation is that when you review the driver logs the DN is correct in both the input doc and the stylesheet.

    The quick and dirty fix is to copy the desired object DN from the input doc in the log, paste it into the stylesheet, and restart the driver.  Even though the values are the same, this process corrects the issue, and after a driver restart the stylesheet will operate as expected.

    There is a better approach that avoids this issue. As with most values, it is better to use variables instead of hard-coding values like object DNs in your logic.  The cleaner, more reliable solution is to create a Global Configuration Variable (GCV) on the driver, or on the driver set depending on your needs, for each of the DNs and then reference the GCVs in the stylesheets.  This allows the stylesheet to be migrated between environments without risk from DN values that differ between environments, and without the recognition problem described above for hard-coded values.

    Below is an example of how to reference a GCV in a stylesheet:

    <xsl:when test="(component[@name='volume'] = '~Entitlement_DN_GCV~')">

    Notice that the GCV is within the single set of quotes ( ' ).  This is a string value, so when the GCV is translated to the actual value it will need to be treated as a string.  The key symbol here is the tilde ( ~ ) that encapsulates the GCV name.  This character marks the use of a GCV, so the driver engine knows to substitute the GCV name with the value stored in that GCV on the driver or driver set.

    And regardless of whether you are using stylesheets or policies, it is always better to use GCVs for these types of values and avoid hard-coding them.  It just makes life easier.
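    To show what the ~GCV~ reference buys you at migration time, here is an added example, not Novell/NetIQ code and not part of the original post, that models the substitution of ~name~ tokens from driver and driver-set GCVs and adds two pre-migration checks: one for GCV names the stylesheet references that no GCV defines, and one for slash-form DNs still hard-coded inside quotes. The GCV name Entitlement_DN_GCV is the one from the example above; the tree names, DN values and the precedence rule (a driver GCV overrides a driver-set GCV of the same name) are assumptions made for the demo.

```python
# Added example (not from Novell/NetIQ or the original post): a small model
# of the ~GCV~ substitution described above, plus checks that flag
# unresolved GCV names and hard-coded DNs before a stylesheet is migrated.
# The GCV name Entitlement_DN_GCV comes from the post; the tree names, DN
# values and the precedence rule (driver GCV overrides driver-set GCV of
# the same name) are assumptions for this demo.
import re

# Constructed <xsl:when> test in the shape shown in the post.
STYLESHEET_WITH_GCV = (
    "<xsl:when test=\"(component[@name='volume'] = '~Entitlement_DN_GCV~')\">"
)
# The hard-coded form the post warns against (constructed, not a real DN).
STYLESHEET_HARDCODED = (
    r"""<xsl:when test="(component[@name='volume'] = '\QA-TREE\acme\services\vol1')">"""
)

GCV_TOKEN = re.compile(r"~([A-Za-z0-9_.\-]+)~")
# Anything inside single quotes that starts like a slash-form eDirectory DN.
QUOTED_DN = re.compile(r"'(\\[^']+)'")


def resolve_gcvs(stylesheet, driver_gcvs, driverset_gcvs):
    """Replace every ~name~ with its GCV value, driver level taking precedence."""
    def lookup(match):
        name = match.group(1)
        if name in driver_gcvs:
            return driver_gcvs[name]
        if name in driverset_gcvs:
            return driverset_gcvs[name]
        raise KeyError(f"GCV {name} is defined on neither driver nor driver set")
    # re.sub inserts the function's return value literally, so DN backslashes survive.
    return GCV_TOKEN.sub(lookup, stylesheet)


def unresolved_gcvs(stylesheet, driver_gcvs, driverset_gcvs):
    """Names referenced as ~name~ that no GCV defines (a pre-migration check)."""
    defined = set(driver_gcvs) | set(driverset_gcvs)
    return sorted(set(GCV_TOKEN.findall(stylesheet)) - defined)


def hardcoded_dns(stylesheet):
    """Quoted slash-form DNs written directly into the stylesheet."""
    return QUOTED_DN.findall(stylesheet)


if __name__ == "__main__":
    qa = {"Entitlement_DN_GCV": r"\QA-TREE\acme\services\vol1"}
    prod = {"Entitlement_DN_GCV": r"\PROD-TREE\acme\services\vol1"}
    # Same stylesheet text, a different value per environment, nothing edited.
    print(resolve_gcvs(STYLESHEET_WITH_GCV, {}, qa))
    print(resolve_gcvs(STYLESHEET_WITH_GCV, {}, prod))
    print("unresolved:", unresolved_gcvs(STYLESHEET_WITH_GCV, {}, {}))
    print("hard-coded DNs:", hardcoded_dns(STYLESHEET_HARDCODED))
```

    The useful part is the pair of checks: run hardcoded_dns over a stylesheet before it leaves QA to catch DNs that should have become GCVs, and run unresolved_gcvs against the target environment’s GCV list so a stylesheet never ships referencing a GCV that only exists in the source environment.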

    As always, questions, comments or concerns?  Feel free to reach out to us at IDMWorks.