Archive for the ‘Oracle Identity Manager’ Category

Zen and the Art of Identity Management

Monday, November 15th, 2010

Interestingly enough I have been asked many times as to what exactly IDMWorks is and what it is that we do (and I don’t just mean the wife and kids).  As such it seems time to do the quasi-annual blog sales pitch.  I think most of our readers have an idea what we do and have perused the site to better inform themselves but there are some that don’t tread any farther than this here blog.  So in keeping with the simplicity of blogvertising I present you IDMWorks.

Subject:  Enterprise Identity & Access Management and Governance, Risk & Compliance

You may be aware of many of the issues organizations are facing today around the various challenges and aspects of Identity Management and Information Security.

At IDMWORKS we understand the problems that many of you are facing and are positioned to help.  IDMWORKS is a vendor agnostic Identity Management, Access Management, and Governance, Risk and Compliance Management consultancy. We have consultants and engineers across the United States and North America that specialize in helping clients with most aspects of Identity, Access Management, and GRC issues, including the following:

  • Identity and Access Management technology evaluations and POCs
  • Identity Management strategy creation, Integration and Deployment
  • Identity Management / IT Security Technologies Assessment, Evaluation,  and Planning
  • Identity Management / IT Security Education
  • Pre & Post Identity Management project Support Services
  • Identity Federation
  • PCI Compliance
  • Governance, Risk and Compliance Management, Provisioning
  • Single Sign-on and Web Access management
  • Data Loss Prevention

IDMWORKS has been built upon the skills and experience of dedicated IDM professionals and specialists with a customer base that includes Government, Healthcare, Education, Financial Services, Energy, Manufacturing and Retail clients.

IDMWORKS has experience with the integration and implementation of the market leading Identity & Access Management and GRC solutions and technologies – CA, Oracle/Sun, Novell, IBM, Aveksa, Citrix, Passlogix, and Sailpoint, to name a few – and would welcome the opportunity to discuss your IT Security needs to determine how we can help.

We would like to offer you the opportunity to take advantage of an initial Identity Management, and Compliance Assessment. The results of the assessment will include recommendations on potential solutions to address your current Identity management and GRC related issues.

For further information or to arrange an initial consultation, contact IDMWorks to discuss how we can help with a solution to address your needs.

So now what? What to do with your Sun IAM stack (hint: start looking)

Friday, November 12th, 2010

Legacy Sun Java System Identity and Access Management (IAM) customers have been calling us up often to ask about the state of the industry and their options with the Sun IAM stack moving forward.   The choices are many right now but one fact remains: Sun IDM and OpenSSO’s days are numbered.  The products will be around for a while, years in fact, but eventually, like that Saturn dealership on the corner, they will go away. Thus the grand migration is underway.  As an IAM enabled company the question of where to migrate to is paramount.  So let’s talk options.

Option 1) Stick with Sun As-Is

The old wait and see approach, but let’s be honest, the clock is ticking.  Like a legacy application your IT staff built in their garage, it won’t keep up with the rest of the market and the future of IDM.  There will never be a grand Cloud version of Sun IDM.  What is most interesting is that the options to move away from Sun pretty much expire by year’s end.

So let’s move away from Option 1 for now and take a look at the future.

Option 2) “Migrate” to Oracle IAM (as part of Oracle Fusion Middleware)

I say migrate because with any non-Sun tool (and Oracle IAM is a much different beast) there is NO upgrade path. Oracle is attempting to woo existing Sun implementations into the fold by offering license swaps in the short term. For those looking to definitively move into Oracle IAM then this is the best bet and should be done ASAP as the swap cycle is time limited.

Option 3) Migrate to Novell IAM

Similar to Oracle, Novell is offering a swap out of the Sun software and licenses.  This is a very interesting proposition.  Novell is willing to give the product up for free in order to build the relationship.  Basically from what the Novell Website states:

  • The Sun Identity Manager swap gives you Novell Identity Manager, roles based provisioning module and enterprise integration module.
  • The Sun Role Manager swap gives you Novell Access Governance Suite.
  • The Sun OpenSSO swap gives you Novell Access Manager.
  • The Sun Directory Server EE swap gives you Novell eDirectory.
  • Sun subscription customers can opt in for equivalent Novell product subscriptions and will be considered for additional incentives on a case-by-case basis.

I think this is a brilliant tactic that I am surprised a few other vendors haven’t tried.  To be straight, Novell has a great directory and SSO offering and is making huge strides in the Provisioning and Federation space.  At a minimum, for a no-cost look, I might suggest talking to a Novell rep.  But alas, much like Oracle, Novell’s offer is time-boxed.  Come Dec. 31, 2010 a statement of interest (not a purchase mind you; this simply locks in Novell’s commitment in 2011 for the swap) must be signed or that coach turns back into a pumpkin.

Option 4)  Migrate to CA IAM, IBM IAM, Microsoft IAM, etc. (there are many to choose from)

Choices, choices, choices.  I can say that CA is making a major push in the IAM space and IBM seems to be lagging a bit but has been a big player in the past.  Microsoft is also making strides to broaden their footprint in the IAM space.  And there are plenty more vendors to look at. My guess is there are deals to be had even if there is no published “sale” going on.

I wouldn’t keep any pre-conceived notions about any of the vendors right now and thanks to the Oracle-Sun purchase the alternative vendors are pumping time and money into getting your business.  We at IDMWorks are happy to work with you on any and all of the products in the market.  We can help to dissect and divide the various offerings and help you to understand the best choice that fits into your environment.

The point is NOW is the time to take the Pepsi challenge.  If you have a Sun IAM implementation you should be taking a look at the various vendors (including those not listed in Option 4) and line up a chat (or webcast, lunch-and-learn, email or phone call) with your local vendor representative, because by 2011 a potential low cost update may go away.

Feel free to shoot us a note if you have questions.

No Need to Re-invent the OIM Wheel

Tuesday, October 19th, 2010

***NOTE: As with all Tips and Tricks we provide on the IDMWorks blog, use the following AT YOUR OWN RISK.  We do not guarantee this will work in your environment and make no warranties***

Recently for an Oracle Identity Manager project, I was given what most would consider a “simple” requirement. The requirement was to add a field to the out of the box OIM Self Registration Form. The field was to be used to confirm the user’s email address, similar to how there is currently a password confirm field on the form which forces the user to enter their password twice to mitigate typos. Oracle’s documentation is pretty straightforward for modifying the OOTB Registration form: if you want to add a field, just edit the FormMetaData.xml file. Simple enough, but the problem comes in when you want to add logic to the form to have the Email confirm field match the Email field.

To solve that dilemma most people would create their own custom Self Registration form and then update the link off of the Login Page to point to their new page. But why re-invent the wheel? You only want to add one additional function to the Self Registration form. So instead of going the time consuming complete customization route, I instead decided to decompile the tcSelfRegistrationAction.class, which handles all the functionality for the Self Registration page. After decompiling the class file using jd-gui, I simply copied the logic already in the code for the Password Confirm field and applied it to the Email Confirm field. Then it was as simple as compiling the updated java file and replacing the current tcSelfRegistrationAction.class in the deployed XellerateFull.ear file. Keep the modified source and a copy of the vendor’s original class under version control: any patch or redeploy of XellerateFull.ear puts the original class back, and the change then has to be re-applied and re-tested.

Questions? Feel free to reach out to us at IDMWorks.

Elvis has left the building (what to do when a new version of the software is released).

Wednesday, August 25th, 2010

RE: Oracle Fusion Middleware 10g vs. 11g stack selection (OID, OVD, OIM, OAM specifically).

Here at IDMWorks we specialize in Identity and Access Management full life-cycle services.

Discovery √ Design √ Implementation √ Development √ Support √

During a recent trip to a customer site for an installation of the Oracle Fusion Middleware stack we ran into an interesting conundrum. We were to install the 10g release of OVD, OID, OAM and OIM into the development environment. The customer pointed out that 11g had been released approximately 3 weeks prior and asked for a recommendation of whether we should jump to the 11g implementation path or continue down the 10g path.

First, let me say, the customer was right on point with the question. We like a customer who is knowledgeable and will challenge the decisions and recommendations that we make as a team because that is the same customer who will “take care” of their system long after Elvis (or in this case IDMWorks) has left the building.

Conventional wisdom states that you never jump to the next release of a product in the first month. You wait for stabilization (and typically the first service pack). However, in this case we must keep in mind that the products, at least the directory components, are pretty mature. So we can add another option of a mixed upgrade, perhaps 11g OID and OVD with the 10g release of OAM and OIM. Additionally, with a new release, and this speaks to stabilization, you don’t yet have the benefit of all the little “gotchas” having been found and fixed by earlier implementations. In our case, when we had a Linux service pack library dependency issue, we had Google to rely on to find the fix in less than 5 minutes. No call to Oracle Support, no waiting for recreation and resolution, no explanation to the customer on why we must halt progress while we investigate the issue.

So we created a game plan as follows:

1) Stick with what works!
The known 10g release, while the “older” release, provides a level of maturity and issue resolution that will allow our project to remain on budget and time. This is HUGE. The unknowns that a fresh release present, if the customer has time and budgetary constraints (don’t they all?), means that time spent resolving the “basics” is time lost (and hence money).

2) Plan, Plan, Plan for the future!
In order to address the customer’s wish for 11g, the resolution we opted for was to develop an upgrade path and plan to 11g, including the steps, the timeline, the associated cost and the follow-up procedures, so that the transition to the next release can happen in a cost and time effective manner in a matter of months instead of years.

3) Work with the customer
This should go without saying but don’t let personal agendas drive the project to failure. The customer wants (and rightfully so) the latest and greatest they can have. If that means the latest technology, then so be it. In our case we have three options, Old, New, and Newish (a little old and new mixed together). However, because we are the implementation partner ours is not to decide but to recommend. As such we explained all available options, gave our recommended approach and let the customer know that if they choose to move forward with another option (the non-recommended one) we would support them 100% and move forward in that direction.

In the end the customer stuck with the recommended approach and we are well on our way to a successful implementation with a path to the future product laid over the existing framework!

Oracle Identity Manager (OIM): IT Resources in the database

Friday, June 11th, 2010

***NOTE: As with all Tips and Tricks we provide on the IDMWorks blog, use the following AT YOUR OWN RISK.  We do not guarantee this will work in your environment and make no warranties***

While setting up a staging environment at a client’s site, I needed to mirror the Production OIM instance to the Staging environment. The steps involved are outside the scope of this post; they are outlined in detail in Oracle’s Metalink article How To Export and Import an OIM Instance? [ID 555655.1]

There is one very important caveat to note when doing this. If you take a snapshot of the production database and insert it into your development environment, when you bring that OIM instance up, it will contain all production data, including IT Resource connections. If there were any scheduled tasks in your production instance that would have run during your transition, they may run as soon as you bring your development OIM instance up. Against your production resources!

The way I found to avoid this is to blank the server name/IP values out directly in the database prior to launching your freshly imported development environment. For this, you need to know where IT Resources are stored in the database.

While there are more tables holding other metadata, the following three have the key information:

  • SVR – Contains all the IT Resource instances by name (e.g. AD Server, iPlanet User, Exchange Server, etc.)
  • SPD – Contains the parameter definitions, i.e. the field names (e.g. Server Name, SSL, Port, Root DN, etc.)
  • SVP – Contains the values for all fields. Password-type values are stored encrypted, but since all we want to do is blank them, that does not matter.

The following SQL will list the Resources, Fields, and Values:

select svr.svr_name, spd.spd_field_name, svp.svp_key, svp.svp_field_value
from svp
inner join spd on spd.spd_key = svp.spd_key
inner join svr on svr.svr_key = svp.svr_key;

Browse through the results and look for the field names that suggest a server name or ip address. This will depend on each resource, but common names are “Server Address” or “Server Name”. For each resource you want to blank out, note the corresponding key (column svp.svp_key).

For each field, run the following UPDATE statement, substituting the svp_key values for X,Y,Z, and commit (Oracle stores the empty string as NULL, so the value is simply gone):

UPDATE SVP SET svp_field_value = '' WHERE svp_key in (X,Y,Z);
COMMIT;

That’s it. You can now safely launch your development OIM instance without worrying it may touch production data. Please note that if you have custom or funny adapters that don’t use server names/IPs as the source, for example a file path, you need to figure out which field name is the correct one that stores your production resource.
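The procedure above as a small sqlplus front end, added here as an example (it is not code from the original post): it previews the rows, blanks only the SVP keys you pass in, and reports how many of those values are still set before the COMMIT. It assumes the OIM 9.x tables SVR/SPD/SVP named above, an Oracle connect string in $OIM_DB (for example oimuser@STAGE, with sqlplus prompting for the password) and sqlplus on the PATH. Run it against the freshly imported copy only, never against production.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes OIM 9.x tables SVR/SPD/SVP,
# an Oracle connect string in $OIM_DB and sqlplus on the PATH.

# Only a comma-separated list of positive integers is accepted, so the argument can be
# placed inside IN (...) without building an injectable statement.
validate_keys() {
    case "$1" in
        ''|*[!0-9,]*|,*|*,|*,,*) return 1 ;;
    esac
    return 0
}

# The lookup query from the post. With no keys it lists every parameter whose field name
# looks like a host name or address, which is where production endpoints usually hide.
preview_sql() {
    if [ -n "$1" ]; then
        where="svp.svp_key IN ($1)"
    else
        where="UPPER(spd.spd_field_name) LIKE '%SERVER%' OR UPPER(spd.spd_field_name) LIKE '%HOST%'
       OR UPPER(spd.spd_field_name) LIKE '%ADDRESS%' OR UPPER(spd.spd_field_name) LIKE '%URL%'"
    fi
    printf 'SET LINESIZE 200\nSET PAGESIZE 500\n'
    printf 'SELECT svr.svr_name, spd.spd_field_name, svp.svp_key, svp.svp_field_value\n'
    printf '  FROM svp JOIN spd ON spd.spd_key = svp.spd_key JOIN svr ON svr.svr_key = svp.svr_key\n'
    printf ' WHERE %s\n ORDER BY svr.svr_name, spd.spd_field_name;\n' "$where"
}

# The UPDATE from the post. Oracle stores '' as NULL, so the follow-up count should read 0
# before the COMMIT goes through.
blank_sql() {
    printf "UPDATE svp SET svp_field_value = '' WHERE svp_key IN (%s);\n" "$1"
    printf "SELECT COUNT(*) AS still_set FROM svp WHERE svp_key IN (%s) AND svp_field_value IS NOT NULL;\n" "$1"
    printf 'COMMIT;\n'
}

run_sql() { sqlplus -S -L "$OIM_DB"; }   # -S quiet, -L give up after one failed logon

main() {
    keys="${1:-}"
    if [ -z "$keys" ]; then
        preview_sql "" | run_sql      # find candidates, then rerun with their svp_key values
        return 0
    fi
    validate_keys "$keys" || { echo "keys must look like 12,34,56" >&2; return 2; }
    preview_sql "$keys" | run_sql
    printf 'Blank the values above? [y/N] '
    read -r answer
    case "$answer" in y|Y) blank_sql "$keys" | run_sql ;; *) echo "aborted" ;; esac
}

# Runs only when saved and invoked as blank_itres.sh; the functions can also be sourced.
case "${0##*/}" in blank_itres.sh) main "$@" ;; esac
```

First run it with no arguments to get the candidate list, then again with the svp_key values you want cleared, e.g. ./blank_itres.sh 12,34,56. The key check is deliberately strict: anything other than digits and commas is rejected rather than passed through to the database.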

Questions? Ask at IDMWorks.

OIM Bulk Load Utility: DB Permissions

Friday, May 7th, 2010

The latest version of Oracle Identity Manager (9.1.0.2) comes with a tool called the Bulk Load Utility, designed to quickly import large numbers of users into the system. The utility is backwards compatible with OIM 9.1.0.1.

There are a few tweaks required to get the Bulk Load Utility functioning as it does not work straight out of the box.

First, you will need to create a table space in the database. The code below should do, but feel free to adjust as needed:

create tablespace tspace logging datafile '/opt/oracle/tspace.dbf' size 32m autoextend on next 32m maxsize 2048m extent management local;

Second, the utility runs as the OIM database user, which by default does not have sufficient privileges, so the tool errors out. To fix this, try the following (substitute your OIM schema name for oimuser):

grant CREATE ANY SYNONYM, CREATE ANY TRIGGER, CREATE ANY TYPE, CREATE DATABASE LINK, CREATE JOB, CREATE LIBRARY, CREATE MATERIALIZED VIEW, CREATE PROCEDURE, CREATE SEQUENCE, CREATE TABLE, CREATE TRIGGER, CREATE VIEW to oimuser;

Note that the ANY privileges, CREATE LIBRARY and CREATE DATABASE LINK reach beyond the OIM schema (into other schemas, native code and other databases respectively). Grant them for the load and revoke whatever the utility turns out not to need once the users are in.

With these two changes the tool should run fine for the CSV file load.

OIM: Installing the Design Console under Linux

Friday, February 26th, 2010

According to the Certification Matrix, the Oracle Identity Manager Design Console only runs under Windows environments, but this is not necessarily the case. It’s only supported under Windows environments, but it can run just fine under Linux, it just takes a little work.

Here are the steps to getting the Design Console to run under Linux. I ran everything as root.

  1. Install normally under Windows and ZIP up the “xlclient” folder
  2. Extract the zip into whatever folder you want, just note the path so you can update the CLASSPATH variable later. We’re going to install under /opt/oim/oracle/xlclient
  3. Create a symbolic link as follows (the client refers to config/ while the folder ships as Config/, a difference Windows does not notice).
    1. cd /opt/oim/oracle/xlclient
    2. ln -s Config config   (case sensitive)
  4. Create a shell script that launches the program. It must be run from the xlclient directory, because the config/... paths below are relative.
      java -DXL.ExtendedErrorOptions=TRUE -DXL.HomeDir=/opt/oim/oracle/xlclient -Djava.security.policy=config/xl.policy -Dlog4j.configuration=config/log.properties -Djava.security.manager -Djava.security.auth.login.config=config/auth.conf com.thortech.xl.client.base.tcAppWindow -server server
    1. make it executable by running chmod a+x xlclient.sh
  5. Make sure your CLASSPATH variable is set by editing your .bashrc or .bash_profile or whatever sets your environment variables
      You may use this, just make sure you find & replace the path to your install. There must be no spaces after the colons; every entry is taken literally.

      export CLASSPATH=/opt/oim/oracle/xlclient/ext/jakarta-oro-2.0.8.jar:/opt/oim/oracle/xlclient/ext/bsh.jar:/opt/oim/oracle/xlclient/ext/mail.jar:/opt/oim/oracle/xlclient/ext/jboss-j2ee.jar:/opt/oim/oracle/xlclient/ext/jboss-jaas.jar:/opt/oim/oracle/xlclient/ext/jbosssx.jar:/opt/oim/oracle/xlclient/ext/jts.jar:/opt/oim/oracle/xlclient/ext/jbossall-client.jar:/opt/oim/oracle/xlclient/ext/concurrent.jar:/opt/oim/oracle/xlclient/ext/getopt.jar:/opt/oim/oracle/xlclient/ext/gnu-regexp.jar:/opt/oim/oracle/xlclient/ext/jacorb.jar:/opt/oim/oracle/xlclient/ext/jboss-client.jar:/opt/oim/oracle/xlclient/ext/jboss-common-client.jar:/opt/oim/oracle/xlclient/ext/jbosscx-client.jar:/opt/oim/oracle/xlclient/ext/jbossha-client.jar:/opt/oim/oracle/xlclient/ext/jboss-iiop-client.jar:/opt/oim/oracle/xlclient/ext/jbossjmx-ant.jar:/opt/oim/oracle/xlclient/ext/jboss-jsr77-client.jar:/opt/oim/oracle/xlclient/ext/jbossmq-client.jar:/opt/oim/oracle/xlclient/ext/jboss-net-client.jar:/opt/oim/oracle/xlclient/ext/jbosssx-client.jar:/opt/oim/oracle/xlclient/ext/jboss-system-client.jar:/opt/oim/oracle/xlclient/ext/jboss-transaction-client.jar:/opt/oim/oracle/xlclient/ext/jcert.jar:/opt/oim/oracle/xlclient/ext/jmx-connector-client-factory.jar:/opt/oim/oracle/xlclient/ext/jmx-ejb-connector-client.jar:/opt/oim/oracle/xlclient/ext/xdoclet-module-jboss-net.jar:/opt/oim/oracle/xlclient/ext/jsse.jar:/opt/oim/oracle/xlclient/ext/jnet.jar:/opt/oim/oracle/xlclient/ext/jmx-rmi-connector-client.jar:/opt/oim/oracle/xlclient/ext/jmx-invoker-adapter-client.jar:/opt/oim/oracle/xlclient/ext/jnp-client.jar:/opt/oim/oracle/xlclient/ext/wlfullclient.jar:/opt/oim/oracle/xlclient/ext/sas.jar:/opt/oim/oracle/xlclient/ext/oc4jclient.jar:/opt/oim/oracle/xlclient/ext/ejb.jar:/opt/oim/oracle/xlclient/ext/oscache.jar:/opt/oim/oracle/xlclient/ext/commons-logging.jar:/opt/oim/oracle/xlclient/ext/javagroups-all.jar
      export CLASSPATH=$CLASSPATH:/opt/oim/oracle/xlclient/lib/XellerateClient.jar:/opt/oim/oracle/xlclient/lib/xlAPI.jar:/opt/oim/oracle/xlclient/lib/xlLogger.jar:/opt/oim/oracle/xlclient/lib/xlVO.jar:/opt/oim/oracle/xlclient/lib/xlUtils.jar:/opt/oim/oracle/xlclient/lib/xlCrypto.jar:/opt/oim/oracle/xlclient/lib/xlAuthentication.jar:/opt/oim/oracle/xlclient/lib/xlDataObjectBeans.jar:/opt/oim/oracle/xlclient/ext/log4j.jar:/opt/oim/oracle/xlclient/ext/log4j-1.2.8.jar:/opt/oim/oracle/xlclient/ext/jhall.jar
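The five steps above folded into one launcher, added here as an example (not code from the original post): it builds CLASSPATH from whatever jars are actually in ext/ and lib/ rather than a hand-typed list, creates the config link if it is missing, and only then starts the client. It assumes the xlclient folder copied from the Windows install lives at $XL_HOME (default /opt/oim/oracle/xlclient) and that java is on the PATH; the system properties and main class are the ones from the command line above. Nothing in it needs root.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes the Windows xlclient folder was
# unpacked to $XL_HOME and java is on the PATH.

XL_HOME="${XL_HOME:-/opt/oim/oracle/xlclient}"

# Prints the jars under the given directories joined by ':' and nothing else. A stray
# space after a ':' would make java look for a path that begins with a space.
build_classpath() {
    classpath=""
    for dir in "$@"; do
        for jar in "$dir"/*.jar; do
            [ -f "$jar" ] || continue             # an unmatched glob stays literal; skip it
            classpath="${classpath:+$classpath:}$jar"
        done
    done
    printf '%s\n' "$classpath"
}

# Windows paths are case-insensitive, so the client refers to config/ while the folder
# shipped is Config/. Returns non-zero if xl.policy still cannot be found afterwards.
ensure_config_link() {
    home="$1"
    if [ -d "$home/Config" ] && [ ! -e "$home/config" ]; then
        ln -s Config "$home/config"
    fi
    [ -f "$home/config/xl.policy" ]
}

launch() {
    ensure_config_link "$XL_HOME" || { echo "no config/xl.policy under $XL_HOME" >&2; return 1; }
    CLASSPATH="$(build_classpath "$XL_HOME/ext" "$XL_HOME/lib")"   # same order as the post: ext, then lib
    export CLASSPATH
    cd "$XL_HOME" || return 1          # the config/... properties below are relative paths
    exec java -DXL.ExtendedErrorOptions=TRUE \
        -DXL.HomeDir="$XL_HOME" \
        -Djava.security.policy=config/xl.policy \
        -Dlog4j.configuration=config/log.properties \
        -Djava.security.manager \
        -Djava.security.auth.login.config=config/auth.conf \
        com.thortech.xl.client.base.tcAppWindow -server server
}

# Launch only when saved and invoked as xlclient.sh, so the functions can also be sourced.
case "${0##*/}" in xlclient.sh) launch ;; esac
```

Save it as xlclient.sh next to the unpacked folder, chmod a+x it, and run it as an ordinary user; set XL_HOME first if the client lives somewhere other than /opt/oim/oracle/xlclient.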

Logging into & setting up iManager

Sunday, January 31st, 2010

Logging into iManager is a little deceptive if trying to do it for the first time. You will need three items:

  1. The eDirectory login username. In my case this is: admin
  2. The password for the user identified in step #1
  3. The IP address of the server. Using the Tree name isn’t always reliable I have found.

Once you’re logged into iManager, you can set up Role-Based Services (RBS) within iManager using the RBS Configuration Wizard (found at Configuration->RBS Configuration Wizard).

  • After restarting Tomcat, you should see a bunch of new stuff in iManager including “Identity Manager Administration”
  • Navigate to the “Roles & Tasks”, Expand “Identity Manager Utilities” and select “Import Multiple Drivers”
  • Create a new driver, giving a name of your choice

..more to come

Setting up your java keystore for NIM

Sunday, January 31st, 2010

To set up your Java keystore, you’ll want to run through the following exercise on your system (note: these instructions are for Windows):

  • %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA -keystore /path/to/my/keystore (note: remember what you set the keystore password to)
  • Restart Tomcat

You’ll want to modify your <tomcat dir>\conf\server.xml file to change the value of the keystore password to whatever you set above (hint: search for keystorePass). That password sits in server.xml in clear text, so keep the file readable only by the account Tomcat runs as.

Also, make sure that the .keystore is put in the right spot (<tomcat dir>\conf\ssl).
Good luck!

Enabling SPML Web Services with OIM

Tuesday, October 20th, 2009

Enabling SPML web services is pretty trivial, but since I’m doing it in my virtual environment and taking screen shots, I thought I would add it here.

[Screenshot omitted]

Next step is to enable SSL communications. The commands below are what was run in the lab. For anything beyond a test box use a 2048-bit key and SHA256withRSA (recent JDKs reject MD5-signed certificates and 1024-bit RSA is below current recommendations), a CN that matches the host name clients will connect to, and a real password that is not typed on the command line, where it ends up in shell history.
Step 1 – Generate the keys using keytool
keytool -genkey -alias serverjboss -keyalg RSA -keysize 1024 -dname "CN=localhost,OU=Identity,O=Oracle,C=US" -keypass welcome -keystore E:\jboss-4.2.3.GA\server\jbossserver.jks -storepass welcome -storetype jks

Step 2 – Sign the cert (re-signs the self-signed certificate from step 1 with a longer validity)
keytool -selfcert -alias serverjboss -sigalg MD5withRSA -validity 2000 -keypass welcome -keystore E:\jboss-4.2.3.GA\server\jbossserver.jks -storepass welcome

Step 3 – Export the cert
keytool -export -alias serverjboss -file E:\jboss-4.2.3.GA\server\jbossserver.cert -keypass welcome -keystore E:\jboss-4.2.3.GA\server\jbossserver.jks -storepass welcome -storetype jks -provider sun.security.provider.Sun
(You will receive a confirmation message of the form: Certificate stored in file <filename>)

Step 4 – modify the server.xml file (for JBoss this file is located at $JBOSS_HOME/server/default/deploy/jboss-web.deployer/server.xml)
Add the following Connector entry. The opening tag was missing from the original fragment; port and address here are the JBoss defaults for the SSL connector. With clientAuth="false" the truststore attributes are not consulted, and because keystorePass is stored in clear text the file should be readable only by the JBoss service account.
<Connector port="8443" address="${jboss.bind.address}"
maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
emptySessionPath="true"
scheme="https" secure="true" clientAuth="false"
sslProtocol="TLS"
keystoreFile="E:\jboss-4.2.3.GA\server\jbossserver.jks"
keystorePass="welcome"
truststoreFile="E:\jboss-4.2.3.GA\server\jbossserver.jks"
truststorePass="welcome"/>

All done! Restarting the JBoss application server should deploy the new ear file and bring the SSL connector up.
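The keystore steps from this post and from the earlier “Setting up your java keystore for NIM” post, redone as an added example (not code from either post) with the weak choices replaced: 2048-bit RSA and SHA-256 instead of 1024-bit and MD5withRSA, a subjectAltName, one year of validity, and a password that is refused if it is empty, short or a well-known default. It assumes a JDK 7 or later keytool (for -ext SAN and the :env password forms), that the server is reached by the DNS name passed as the CN, and that the password is supplied in $KEYSTORE_PASS rather than on the command line, where it would land in shell history and in the output of ps. The OU/O/C values are the ones from the post.

```sh
#!/bin/sh
# Added example, not from either original post. Assumes JDK 7+ keytool, a DNS host
# name for the CN, and the keystore password in $KEYSTORE_PASS.

# Refuse empty, short or well-known default passwords before touching a keystore.
require_password() {
    [ -n "${KEYSTORE_PASS:-}" ] || { echo "KEYSTORE_PASS is not set" >&2; return 1; }
    [ "${#KEYSTORE_PASS}" -ge 12 ] || { echo "KEYSTORE_PASS is shorter than 12 characters" >&2; return 1; }
    case "$KEYSTORE_PASS" in
        welcome|changeit|password|secret) echo "KEYSTORE_PASS is a well-known default" >&2; return 1 ;;
    esac
    return 0
}

# Creates the key pair and its self-signed certificate in one step (the separate -selfcert
# run from the post is not needed): 2048-bit RSA, SHA-256 signature, one year of validity
# and a subjectAltName, which current clients require for host name checks.
make_keystore() {   # make_keystore <keystore.jks> <alias> <hostname>
    ks="$1"; ks_alias="$2"; host="$3"
    require_password || return 1
    export KEYSTORE_PASS
    keytool -genkeypair -alias "$ks_alias" -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
        -validity 365 -dname "CN=$host,OU=Identity,O=Oracle,C=US" -ext "SAN=dns:$host" \
        -keystore "$ks" -storetype JKS -storepass:env KEYSTORE_PASS -keypass:env KEYSTORE_PASS \
        && chmod 600 "$ks"   # the file holds the private key; the connector config holds its password
}

# Exports the certificate in PEM form for clients that need to trust the server (step 3 of
# the SPML post) and prints the signature algorithm, validity and fingerprint so they can
# be checked before the server is restarted.
export_cert() {     # export_cert <keystore.jks> <alias> <out.pem>
    require_password || return 1
    export KEYSTORE_PASS
    keytool -exportcert -rfc -alias "$2" -file "$3" -keystore "$1" -storepass:env KEYSTORE_PASS \
        && keytool -list -v -alias "$2" -keystore "$1" -storepass:env KEYSTORE_PASS \
           | grep -E 'Signature algorithm|Valid|SHA256:'
}

# Usage when saved as make_server_keystore.sh:
#   KEYSTORE_PASS='...' ./make_server_keystore.sh /path/to/jbossserver.jks serverjboss oim.example.com
case "${0##*/}" in
    make_server_keystore.sh) make_keystore "$1" "$2" "$3" && export_cert "$1" "$2" "${1%.jks}.pem" ;;
esac
```

Point keystoreFile (Tomcat or JBoss) at the .jks produced and put the same password in keystorePass; hand the .pem to clients that must trust the self-signed certificate. The same script serves the Tomcat keystore from the NIM post, with tomcat as the alias.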