Archive for the ‘Novell’ Category

« Older Entries

Tips & Tricks: Novell IDM JDBC Driver Filter Gotcha

Thursday, October 20th, 2011

***NOTE: As with all Tips and Tricks we provide on the IDMWorks blog, use the following AT YOUR OWN RISK.  We do not guarantee this will work in your environment and make no warranties***

Have you ever had a JDBC driver that wouldn’t find changes in the database while using a triggerless Publisher channel?

The obvious things to check are the views/tables in the database the driver monitors to make sure the changes appear there correctly. Ideally you will check the class objects and attributes in the driver filter to make sure they are sent to Synchronize for the Publisher channel. Additionally you should check to make sure the Publisher channel is enabled and configured properly in the driver settings.

Unfortunately once you have checked these items you still may have the issue.

Having run into this issue a few times I’d recommend taking another look at the Driver Filter.

Basically what happens in a JDBC driver with a triggerless connection to a database is that it polls the database tables or views configured in the driver settings at the scheduled intervals by doing a “SELECT *” command for each table or view tracked. If a class in the filter has the “Track member of template” set to “No” the driver does not do the SELECT statement for the table or view associated with that class.  Thus, in the filter, the class object setting for “Track member of template” should be set to “Yes” if you want those objects monitored in the Publisher channel.

Another way this issue can be found is by reviewing the driver logs. Each time the driver checks for changes in the database the SELECT statements are recorded (provided that the logging is turned on and set to an appropriate level). If no SELECT statement is found for a table/view that is expected then the template setting is the  likely cause.

And since this is a filter setting the fix is easy:
1. Open the driver filter in Designer
2. Select the desired class in the filter
3. Set the “Track member of template” setting to “Yes”
4. Save the filter changes
5. Deploy the filter changes to eDirectory
6. Restart the driver to initialize the changes

Questions, comments or concerns?  Feel free to reach out to us at IDMWorks.

Tags: , , , , , , ,
Posted in Novell, Novell Identity Manager, Tips & Tricks | No Comments »

Novell IDM Best Practices: Don’t Forget the Small Stuff

Monday, October 17th, 2011

Don’t Forget the Small Stuff

When developing a Novell IDM driver its easy to get focused on requirements and lose track of the little things that can come back to bite you later on. The perfect example of this is the DirXML-Associations attribute.

This handy little attribute is typically automatically set by a driver to establish a relationship between an object in eDirectory and the object in the driver’s connected system.  When this value is set for a specific driver it allows future changes to be processed more quickly and efficiently.  These relationships are stored in eDirectory on the object and consist of the unique identifiers from the connected systems; for example, the Microsoft Active Directory driver leverages the Active Directory’s GUID value for the account to create the association in eDirectory.

The problem is that once these associations are created there are only two ways of getting rid of them.  The most obvious way is to delete the associated object in eDirectory.  If the object holding the values is deleted then it goes without saying that the values are deleted.  This method doesn’t require any additional coding or consideration in the driver.

The other method is to remove the association value from the attribute in eDirectory either manually (not recommended) or programmatically by creating a policy in the driver that contains the Remove Association action.  This means that someone has to create a policy or policies that contain a number of conditions to determine if/when an association should be removed.  The only thing is that in the course of requirements gathering and design these use cases and conditions are overlooked and not documented and therefore do not get implemented.

More often than not requirements simply dictate that a driver is not to delete objects out of eDirectory.  The natural instinct is to create a simple policy that checks to see if the current transaction is a delete event and if so to do a simple veto action.  The veto action will stop the transaction from processing through the driver to eDirectory and will result in the eDirectory object being unchanged, including the driver association.

So what’s the issue with keeping a driver association in eDirectory after the object/account/record has been deleted out of the connected system?  Well, simply put, it causes errors! This is because of how the driver detects and uses the association values in the DirXML-Associations attributes for more efficient transaction processing its a problem to have an association for a driver that points to a nonexistent record.

The result is that when an transaction for an object in eDirectory in such a state processes through the associated driver the driver will use the invalid association as its target reference.  This causes the transaction to result in an error because the target reference no longer exists.  The obvious result of this is that no changes are made in the target system.

On the flip side of things, if an unassociated object/account is created/modified in the target system and the driver attempts determines that the record in questions matches are previously associated eDirectory record the driver will attempt to merge the records and create a new association in eDirectory with the new account.  This causes an issue too.  An eDirectory object is only allowed to have one association per driver and since the driver already has an association for the old record on the eDirectory object the merge process will fail and the driver logs will record an error along the lines of “Object already associated“.

In either case the obsolete associations in eDirectory essentially defeat the purpose of having an identity management system.  Removing an association through driver policies is simple to do and can go a long way in developing a system that delivers reliable identity management capabilities between the various connected systems.  So the next time you are planning a driver or get a requirement that demonstrates the use case where the relationship between eDirectory and a connected system is being destroyed remember to clean up the association.

Questions, comments or concerns?  Feel free to reach out to us at IDMWorks.

Tags: , , , , , , , , ,
Posted in Best Practices, Identity Management, Novell, Novell Identity Manager | No Comments »

Fixing the Dreaded “Novell eDir-to-eDir Driver Code (-8015) Operation Vetoed by Filter”

Wednesday, September 21st, 2011

***NOTE: As with all Tips and Tricks we provide on the IDMWorks blog, use the following AT YOUR OWN RISK.  We do not guarantee this will work in your environment and make no warranties***

Novell eDir-to-eDir Driver Code (-8015) Operation Vetoed by Filter

If you ever find yourself working an eDir-to-eDir driver and run up against the Code (-8015) Operation vetoed by filter” wall please allow me to help.

If you search Google (or whatever you search provider of choice is) you will undoubtedly find several postings across a variety of websites from many people who have run into the same error. While I won’t discourage you from reading those postings I will say don’t be too upset if you don’t find the answer you are looking for among them.

Most online posts regarding this error talk about bad or missing association values or remote loader logs for other drivers; like the Active Directory driver. While those are good things to know odds are your eDir-to-eDir driver doesn’t use a remote loader, you have checked the input document for malformed tags or values, and have generally already done a lot of the basic troubleshooting methods.

When dealing with the eDir-to-eDir driver it is important to remember that you are actually dealing with TWO drivers, not just one.  It is easy to forget that when dealing with an eDir-to-eDir connection that there are two filters, two publisher channels, and two subscriber channels that have to be coordinated to avoid issues.  With this particular error it is typically caused by an attribute or class being set to synch in one driver filter but not the other filter.

To make matters even more confusing, the error appears in the log for the driver that has the attribute in the filter.  Usually when a developer sees an error in a driver log that mentions the driver filter they assume the error is referring to that driver.  In this situation that is simply not the case.  It is the companion driver that is vetoing the event because the data being passed isn’t in its filter so the transaction is thus rejected by the companion driver’s filter and the message is returned and captured by the originating driver.  Confusing at a minimum.

The solution to this error when using an eDir-to-eDir driver is to check the filter on BOTH eDir-to-eDir drivers to make sure that both filters have the necessary attributes with the proper settings and correct any differences that are necessary (remember to restart the driver after making changes!).

As a note: Transactions cross from one eDirectory instance to the other eDirectory instance using the eDir-to-eDir drivers, the transaction flips channels, so it is important to keep that in mind when building policies on connecting drivers.  Events that start in “Vault 1″ goes through the subscriber channel of “eDir Driver A” and when that driver hands the transaction off to “eDir Driver B” the transaction is now on the publisher channel before ending in “Vault 2″.  Unfortunately, this is another easy to make mistake when dealing with this “daisy chain” type connection between Novell eDirectories.

Questions, comments or concerns?  Feel free to reach out to us at IDMWorks.

Tags: , , , , , , ,
Posted in Novell, Novell eDirectory, Tips & Tricks | No Comments »

Where Novell/Net IQ fit in the Standards Based IDM Market

Thursday, August 18th, 2011

IDMWorks is a vendor neutral Identity & Access Management Service provider.  On our blog we highlight individual companies and products quite often.  Today we will be highlighting the Novell/Net IQ IAM stack.

When implementing an identity management solution it is typically in the best interest of a company to pursue a solution that adheres to industry standards.  Before we go any further it warrants pointing out that no solution is completely open and exclusively standards based. Every company has something in their product that makes them unique and hence worth purchasing.  But when you can implement a solution that is primarily based on standards such as LDAP, SAML or other industry accepted standards it gives your organization much greater flexibility in choosing a best-in-class point technology solution as part of the overall identity solution.

The base of the Novell/Net IQ identity management solution is the identity vault (IDV).  This is the hub in the hub-and-spoke solution that forms the basis for most implementations.  Choosing an identity repository is critical to the overall solution of the implementation.  The IDV should be fast, scalable and support the most common protocols such as LDAP and RADIUS.  The identity vault has the ability to be implemented on multiple platforms as organizations change over time and what is the preferred server platform today may not be the preferred platform tomorrow.  While it is not truly part of the standards argument, an identity vault that can operate of different platforms reduces risks when migrating the data center from one server platform to another and gives an organization much more flexibility in choosing the server platform that works best for their organization.

When you implement an identity management system you will be connecting to various systems and applications throughout your organization.  You should ask yourself  the following:

  • How easy or difficult is it to connect to various systems?
  • How many connectors does the identity management product come with?
  • What is the development effort for connecting to a system?
  • Is there an available community of expertise for supporting the identity management product?

These are all critical questions that must be answered as they have direct impact on the costs of implementing and supporting your identity management infrastructure.  By selecting a product that comes with a wide variety of pre-built connectors you greatly decrease your implementation expense and also decrease the risks of implementation issues as you are using a product that has been developed and tested in other environments and has a track record and a support channel behind it.  Also by using a product that adheres to industry standards such as XML, Java and even SQL you widen your pool for selecting professionals that can implement and support your solution.

Password Mangement

One of the greatest issues faced by help desk and IT organizations around the world today is password management and synchronization.  Your identity management solution should help address the chaos that is password policies.  Your solution should synchronize passwords throughout the connected systems or provide a mechanism for managing the access to those systems.  The solution should also provide a way for users to manage and reset their own passwords without help desk intervention.  Lastly, the solution should offer extensibility for password management so that future technologies can be integrated into the identity management solution without compromising the integrity of the authentication and authorization process as proper implementation of a password management solution will decrease the burden on your help desk and overall IT organization.

Workflow

An important component is many identity management solutions today is the ability to initiate and execute workflow requests.  Gone are the days where paper forms are shuffled through the mail room to grant access to critical systems.  Shuffling the same forms through email provided some improvement to the process but lacked the audit trail and accountability that is necessary for efficient business functionality.  These processes are now managed through the workflow engine and interface.  But when selecting that engine what are you getting?  Does the product lock you into it’s own interface or do you have the flexibility to integrate it with your other enterprise applications?  Does the product support web services and REST calls?  What features are available to these calls?  Choosing the correct solution can greatly increase the flexibility of your organization when it comes to implementing a workflow solution that makes your business dynamic and able to quickly react to the changing requirements that you are faced with daily.

Interoperability

Finally when evaluating an identity management product you must look at how well that product integrates with other components of an identity management solution.  You must consider authentication and authorization services.  No single product provides all of the needed or desired functionality so you are going to be looking at a suite of products.  Does the access management product support SAML?  How well will it integrate with the newly emerging Attribute Based Access Control (ABAC) and XACML (Extensible Access Control Markup Language) technologies?  And of course you must always be concerned with auditing and logging to meet compliance requirements.

While there are some vendors who offer many if not most of the components that make up a comprehensive identity management solution there are few, if any that offer all of the components.  This is where adhering to standards becomes such a critical issue.  By selecting components that adhere to industry standards it allows you to select best in class technology for each individual implementation point of your identity management solution with the confidence that it will work well as a part of your overall strategy.

As always, questions, comments or concerns?  Feel free to reach out to us at IDMWorks.

Tags: , , , ,
Posted in Identity Management, Novell, Novell Access Manager, Novell Identity Manager, Standards | No Comments »

Novell IdM – Implementing Remote Loader on Microsoft Windows

Tuesday, August 2nd, 2011

When implementing Novell’s (or NETIQs) Identity Manager product there are times when a certain connector(s) must be run on the MS Windows platform. If Meta-Directory Engine is running on a Linux (or other non-Windows) platform the requirement is the use of the Remote Loader. When asked if it is better to run the Remote Loader on a Windows Domain Controller or simply on a Windows Member Server, the answer is to run it on a Member Server for several reasons:

  1. Most organizations maintain a very controlled environment particularly when it comes to what is installed on Domain Controllers.  Most organizations will not allow a service such as the Remote Loader (RL) to run on said Domain Controllers.  As a result it is generally required, due to policy, to run the Remote Loader on a Member Server.  
  2. Additionally, through experience, we have found over the years that due to patching and security controls that take place specific to Domain Controllers it becomes more efficient, in terms of over-arching stability, to run the RL on a Member Server.  
  3. Lastly, the separation of duties between the Active Directory team and the Identity Management team generally makes life easier to manage the RL if it is running on a Member Server (i.e. less political).

Another advantage of running the RL on a Member Server is the ability to run the RL in a clustered environment. Member Servers may be configured in a Microsoft cluster with instrumental registry keys for password synchronization configured as a clustered resource.  This will allow the Domain Controllers to communicate with the clustered resource for password synchronization to the Identity Vault and it will allow the Identity Vault to do the same.  This is a configuration that is supported by both Novell and Microsoft and is considered to be the best way to provide password synchronization failover.

Questions, comments or concerns?  Feel free to reach out to us at IDMWorks.

Tags: , , , , , , ,
Posted in Best Practices, Novell, Novell Identity Manager | No Comments »

The Novell Acquisition Conundrum

Wednesday, July 27th, 2011

With the recent purchase of Novell there has been a lot of discussion as to whether or not purchasing Novell technology is a good investment for your business.  There are legitimate concerns that an organization must take into consideration when investing in technology from a company that has just been acquired.

  • Will the technology continue to be developed and sold?
  • Who will provide support?
  • Will the quality and functionality of the product be maintained by the new organization?

As an old school Novell Identity & Access Management solutions SME I’d like provide a little perspective based on my own experience with Novell over the years.

The first thing I want to point out is this is not the first major merger Novell has been through.  In 2001 when Novell merged with Cambridge Technology Partners (CTP) there were many of the same questions.  While Novell was the company acquiring CTP it was not a typical merger as a large portion of CTP upper management was being infused into the combined company (including CTP CEO Jack Messman).  Many of the same challenges that Novell faces today were faced during that merger in terms of educating management on what the product offerings were and what the benefit to the customers that those offerings provided.  There was also the combination of sales force and education of said sales force.  Additionally there was the merging of the company cultures that is a challenge whenever any two organizations combine.  Obviously each merger is different and successfully merging once does not guarantee the same result the second time but there is experience within the organization in merging that hopefully will lead to success this time around.

But what about your organization?  Is Novell technology a good investment?  The technology produced by Novell is still a potentially good investment.  Novell produces a number of excellent technologies including SLES and ZenWorks however I’d like to stick with what IDMWorks implements and that is the Identity Manager suite of products.  Novell IDM is a very mature product that has a multitude of implementations.  Novell technology has a large, well established community of expertise.  There are many Novell partners (such as IDMWorks) which can implement and provide support for Novell technology.  Additionally Novell IDM solutions are largely based on industry standards such as XML, SAML, REST, and ECMAScript so we can train internal staff to self-support your Novell solution.

While a merger always puts a question mark over a company there is a good history at Novell with best-in-class technology offerings that has wide support in the industry.

But feel free to reach out to us at IDMWorks and we can talk options, fit or not, Novell or another vendor, as a vendor agnostic IAM services firm we can and will present a case for a multitude of options.  Get to know peace of mind.

Tags: , , , , ,
Posted in Identity Management, Novell, Novell Identity Manager | No Comments »

Novell Role-Based Provisioning Module Install – Tips, Tricks and Gotchas

Monday, June 27th, 2011

**NOTE: As with all Tips and Tricks we provide on the IDMWorks blog, use the following AT YOUR OWN RISK.  We do not guarantee this will work in your environment and make no warranties***

A recent install of Novell’s RBPM product has led me to remember that documentation often lags behind product development. There are a handful of reasons for this, the main being that when product is being actively developed, the feature set is not fully decided upon. So documenting the current state is many times an exercise in futility as the features may change very rapidly. T hus documentation is always an after-thought.   The last task to be performed.

So without further ado, here are some observations. Specifically with regards to using WebSphere for web services.

1. AIX is not a supported platform for RBPM. Initially, the IDM 4.0 documentation stated that AIX was a supported platform. We had attempted the install but it never worked and discussions with Novell indicated that AIX was never intended to be a platform option for this version of IDM. It was subsequently removed from documentation in the IDM 4.0.1 release.
2. The Java environment variables are very strict. The version of Java that IBM packages with WebSphere 7 is the correct version, IBM J9 VM (build 2.4 J2RE 1.6.0) with Fix Pack 7 or higher. However, there is a step in the documentation that mentions you must apply the unrestricted policy files to JAVA_HOME/jre/lib/security. Failure to do so, results in the master key not being generated as the key size is not the proper size. REMEMBER THIS! This is very difficult to troubleshoot after the fact.
3. WebSphere uses shared libraries to incorporate jar files with web services. There are several setup steps in the documentation but there are some slight omissions. The java class, commons-logging.jar, is not packaged with the install and must be downloaded manually. This is noted in the documentation, however the additional classes of antlr.jar and jaxb-impl.jar are also missing and must be manually downloaded as well. A simple omission that can cause a great deal of hair pulling and teeth gnashing.

Hopefully these observations prevent anyone from committing a mistake. Good luck with your future installs.

Questions, comments or concerns?  Feel free to reach out to us at IDMWorks.

Tags: , , ,
Posted in Novell, Novell Identity Manager, Novell Role Based Provisioning, RBAC, Role Management, Tips & Tricks | No Comments »

Novell Identity Manager Workflows – Combo Box Iteration

Tuesday, June 14th, 2011

**NOTE: As with all Tips and Tricks we provide on the IDMWorks blog, use the following AT YOUR OWN RISK.  We do not guarantee this will work in your environment and make no warranties***

Identity Workflows…over the years we have seen a number of workflows developed.  Most were pretty straightforward.  There was a request form, an approval form or two, and an entitlement/role/resource activity action before closing out the workflow.  Every once in a while there might even have been an integration activity thrown in along the way to just make things interesting.  But from time to time there is a requirement that users can select multiple items from a picklist and then the workflow has to perform separate actions for each item selected.

This is a bit more challenging.

There isn’t a predefined activity in Designer to do anything remotely along the lines of a action based per item picklist.  As a result you must build this process manually.

So let’s take a look at how to do this in Novell IdM.

First the good news!  This is not an overly complex process but does have a few pieces to it as seen below:

  1. Determine where in the workflow you want to start this process and add a “Mapping” activity.
  2. Map the expression “flowdata.getObject(‘<fieldName>’).size()” to a new flowdata element.  This will be used to get our max count index or upper range.
    1. flowdata.getObject(‘<fieldName>’)” will return all of the items selected in the specified field.*Side note: depending on your version of Designer the “getObject” method may not be obvious but it can be manually entered using the proper casing to achieve the desired results*
    2. The “.size()” method will actually return the count of the items returned from the first part of the call so when put all together the “flowdata.getObject(‘<fieldName>’).size()” expression will return a count of only the selected items in the selected field.
  3. In the same “Mapping” activity set a value of ‘0‘ (zero) to a new flowdata element.  This element will be used as the counter element to show how many iterations have been completed.
  4. Next add a “Condition” activity.  This activity will compare the current counter value to the upper range to determine if another iteration is needed.  If the counter is less than the upper range (true) then continue iteration otherwise exit the loop to the next desired activity (false) .
    1. Sample: “flowdata.get(‘Counter‘) < flowdata.get(‘UpperRange’)”
  5. Along the “true” path from the “Condition” activity add another “Mapping” activity.  Map the expression “flowdata.getObject(‘<fieldName>’).get((flowdata.get(‘<counterName>’))*1)” to a new flowdata element.  This will get the value of the selected item at the current counter index, or position.
    1. Just like in the first mapping, the “flowdata.getObject(‘<fieldName>’)” expression will only return the selected values in the specified field.
    2. The “.get()” method will allow you to specify a position, or index, in the array of values from the first method to return a single value from the list.
    3. The “(flowdata.get(‘<counterName>’)*1)” expression will retrive the value of the current iteration count and multiply it by 1 to provide an integer value for the “.get()” method part of the expression.  This means that the string value of ‘0′ multiplied (*) by the integer of 1 will result in an integer of 0, which in an array of values means the first value.
  6. Now that you have the selected value you can perform whatever action is needed.  Most commonly I have granted entitlements, roles, and/or resources based on the selected value using the proper activity for the version of IDM being used.
    *Side note: Pretty much all supported versions of IDM and Designer at the date of this blog’s publication have an entitlement activity.  With IDM 4.0 and Designer 4.0 there is a “Role Request” activity for granting and revoking roles but resources must be individually granted or revoked using the “Integration” activity and the User Application WSDL which has the necessary web methods to perform the desired action.  Now in IDM 4.0.1 and Designer 4.0.1 Novell added a “Resource Request” activity that is similar to the other activities which make it very easy to grant/revoke resources through a workflow.

    1. After performing the desired action(s) it is time to increase the count.  To do this we need another “Mapping” activity.  In this activity map the expression “((flowdata.get(‘<counterName>’)*1)+1)+”" ” to the same flowdata element that was originally set to ‘0‘ back in Step 2, that way we keep the same flowdata variable name as our counter.
    2. Connect the “Mapping” activity from Step 7 to the “Condition” activity from Step 4 to complete the iteration loop.  This means that with each iteration the counter will go up by a value of 1 and as long as that counter value is less than the value of the number of selected items this loop will occur.  Once those values are equal or the counter is somehow greater the loop will exit and the workflow will follow the “false” path laid out from the “Condition” activity.

    And yes, you can add additional activities within the iteration loop.  It is very common to have various “Log” activities sprinkled through the loop outputting things like the current counter value, the current selected item value, etc.

    “Um…I think there is a flaw in your logic.  If I have three items selected wouldn’t I need my counter to be greater than 3 and not equal to 3 before exiting the loop?” No! While the “.size()” method gives you count of 3, this is just the count of items selected but when you iterate through the item list the list is actually considered an array so the first item starts at position 0, not 1 like counting does.  This means that the selected values of a pick list are read like this:

    1. List Item 1 = Array Index 0
    2. List Item 2 = Array Index 1
    3. List Item 3 = Array Index 2

    This means that as long as our index counter is less than our object count we can continue but once our counter is equal to or greater than our object count we need to stop.  If we had a count of three and tried to access Array Index 3 in the example above the workflow would encounter an error because no value of Array Index 3 will be found and the workflow would terminate.

    So as you can see it isn’t a difficult process to do, it just requires some careful mapping and pathing to make sure things go where they need to go and in the proper order.

    Questions, comments or concerns?  Feel free to reach out to us at IDMWorks.

    Tags: , , , ,
    Posted in Identity Management, Identity Provisioning, Novell, Novell Identity Manager, Tips & Tricks | No Comments »

    Novell IDM Workflow Integration Activity & .NET Web Services

    Tuesday, May 10th, 2011

    ***NOTE: As with all Tips and Tricks we provide on the IDMWorks blog, use the following AT YOUR OWN RISK.  We do not guarantee this will work in your environment and make no warranties***

    How many times have you developed a workflow and discovered a need to have that workflow initiate another workflow, check for other open workflows, terminate another workflow, or something along those lines?  Guess what?  The Novell User Application can do that! The Novell User Application workflows can integrate with web services through the Integration Activity and the Novell User Application comes with a number of web services that provide those features and many, many more.

    For doing things within the Novell User Application it’s awesome.  But if you need to configure your workflow to use a different web service; like a .NET web service from a Microsoft Windows environment, it is supported, you just have to be aware of a few little “gotchas” when dealing with .NET web service integrations.

    The first thing you need to be aware of is this information only applies to standard web services developed using the Microsoft Visual Studio IDEs, not AJAX enabled WCF web services or web services developed through other means.

    Most web services generally provide some type of return value, even if it is nothing more than just a confirmation response to let the connecting system know that the communication was successful.  So with that in mind, if you have tried to use an Integration Activity with a .NET web service that returns a value you have probably discovered that the return value isn’t right :( .

    There is actually a very simple solution, and

    The second thing you need to know about integrating with .NET web services is that .NET requires a namespace be provided and if one is not provided then it will default to one.  The .NET namespace is the key here as the Integration Activity does not add the namespace to the activity’s configuration so the workflow doesn’t have awareness of that element.  This means that when the web service call is made from the workflow that the request reaches the web service, however the namespace is missing the parameters thus are not passed into the web service function properly.  Without the parameters most functions require, the web service will return an error, which is not the ideal behavior.  The return value is detected by the workflow but since it’s not the right value it doesn’t really do you any good.

    So how do we solve this problem and make the workflow submit the parameter data to the web service correctly?  Add a reference to the namespace in the Integration Activity configurations.

    Basic Setup

    1) We have a .NET web service using the namespace “MyService” and in it a function called “TestFunction”.

    2) Once we have the WSDL from the web service we add it to an Integration Activity in our workflow and configure the activity to use the “TestFunction” by selecting it from the function list after the WSDL is imported.  This will create the basic configurations along with the connection details (URL, parameters, etc.) that must be configured to use this activity.

    3) Once this is done you have the basic set up that would generate the undesirable result where the data isn’t mapping between systems properly.  If you were to review the Action Model tab of the Integration Activity near the top you would find the following lines:

    “Ignore NameSpaces For Input”
    “CALL Input.createXPath(“TestFunctionSoapIn”).setAttribute(“xmlns”, “MyService”)”
    “Apply NameSpaces For Output as( , MyService ) Root Element Name: TestFunctionSoapOut”

    4) To make this Integration Activity work with this .NET web service all that is required is a single additional line to be added to this section.  Simply copy the line “CALL Input.createXPath….”, past it directly beneath itself, and make a simple edit so that the details look like this:

    “Ignore NameSpaces For Input”
    “CALL Input.createXPath(“TestFunctionSoapIn”).setAttribute(“xmlns”, “MyService”)”
    “CALL Input.createXPath(“TestFunctionSoapIn/TestFunction“).setAttribute(“xmlns”, “MyService”)”
    “Apply NameSpaces For Output as( , MyService ) Root Element Name: TestFunctionSoapOut”

    Notice all we did was add a line that called out the actual function name in the SOAP envelope that adds the web service namespace to the SOAP message.  This will allow for proper consumption of the SOAP input by the web service so that the output response to the workflow will contain the correct data in the proper format.

    Questions, comments or concerns?  Feel free to reach out to us at IDMWorks.

    Tags: , , , , , , , ,
    Posted in Identity Management, Novell, Tips & Tricks | 2 Comments »

    Executing Command Line Functions with Novell Identity Manager

    Monday, April 18th, 2011

    ***NOTE: As with all Tips and Tricks we provide on the IDMWorks blog, use the following AT YOUR OWN RISK.  We do not guarantee this will work in your environment and make no warranties***

    While Novell’s Identity Manager product has an extensive list of actions, there is nothing like the power of the command line. The default actions included in the product cover the most common items that one would want to perform, but occasionally, a truly unique action needs to be performed. In the past, to extend the action infrastructure, one was required to write a java class and add it to the java class path. Recent versions of IDM, however, have included the ability to use ECMA scripting to extend capabilities without custom java classes. What follows, is a script and the corresponding actions within IDM to execute command line functions.

    ECMA Script:

    importPackage(Packages.java.lang);

    function execCL(command)

    {

    var runtime, process;

    runtime = new java.lang.Runtime.getRuntime();

    process = runtime.exec(command);

    process.waitFor();

    return process.exitValue();

    }

    IDM Policy Action

    <do-set-local-variable name=”command” scope=”policy”>
    <arg-string>
    <token-text xml:space=”preserve”>YourCommandHere(Hint: use $localvariablename to pass parameters)</token-text>
    </arg-string>
    </do-set-local-variable>

    In the past, this method has been used to integrate password encryption with Mac OSX LDAP directories. The standard LDAP set password operation only sets the simple password, which appears as clear text to anyone viewing the user accounts. To properly set the password as an encrypted value, one must execute the “dscl” command on the OSX directory server.

    The following is an example of the command to perform this:

    ssh -vvv $osxHost$ /usr/bin/dscl -u $adminuser$ -P $adminpassword$ /LDAPv3/127.0.0.1 -passwd /Users/$name$ $passwd$ 2>&1

    Questions, comments or concerns?  Feel free to reach out to us at IDMWorks.

    Tags: ,
    Posted in Identity Management, Identity Provisioning, Novell, Novell Identity Manager, Tips & Tricks | No Comments »

    « Older Entries