Posts Tagged ‘Identity Manager’

Novell ATT Live Roundup Part 3 – What’s New in Novell Identity Manager 4

Monday, December 20th, 2010

(Editor’s Note) Just a brief disclaimer here: Although we are blogging quite a bit these days about Novell and they are at the forefront (no Microsoft IdM pun intended) of our thoughts, we remain steadfast VENDOR NEUTRAL. It just so happens a bunch of IDMWorks folks went to the ATT Live Novell event in Las Vegas a week or so back and as such it seemed a waste not to flood the Blog with what we saw, liked, didn’t like and loved. Besides this they covered the costs for us to attend (hint, hint vendors out there) and I think we owe it to Novell to give them a fair bit of coverage. We remain honest in our assessments and appreciate any and all feedback you might have either below or through our contact page. Now back to our regularly scheduled blog already in progress…

Along with Todd Rossin (who beat me to the blog), I was one of the lucky ones who got to attend Novell’s ATT Live 2010 in Las Vegas. There is far too much to cover in one blog entry, so there will be multiple blogs for each class/training session that I attended. This entry will be covering the “What’s New with Novell’s Identity Manager 4” session.

There are some cool new features that Novell added to Identity Manager, and they include:

  • Advanced reporting and metrics capability
  • Role Mapping Administrator
  • Package Manager
  • Sharepoint and Salesforce.com drivers (connectors)

The Advanced Reporting and Metrics piece includes tons of “out of the box” report templates, state based reporting (present, past, and activity level reporting), visibility across Identity Vault and connected systems, and customization of reports. You can also automate your reports, collect data based on policies and distribute them automatically once they are run. This is much improved over the previous version of Identity Manager and seems to incorporate more of what is used in Sentinel. Sometime in 2011, Sentinel and IDM reporting are going to get even closer along with other capabilities (we even blogged on this topic). The report customization was kind of difficult to grasp at first but the options seem pretty limitless once you get rolling. The added functionality of an automated distribution method is also a nice feature to have so that everyone can get their reports in a timely fashion without having to remind your Report Administrator to send them out. If you don’t want to clutter up your email system with these reports then you can also set them to be retrieved when you log in to Identity Manager.

The Role Mapping Administrator application puts everything on one screen so you don’t have to scour through confusing tables or lists of roles and authorizations.  It will show you the roles that are set up in your Identity Manager space and the available authorizations for your connected systems.  It even allows one to drag and drop your connected system’s authorizations to your roles making it easier to control what accesses the employees get within your organization.

The Package Manager now allows more control over approval flows, roles, policies, and style sheets. By allowing versioning of your packages one can add enhancements and reduce the time it takes to upgrade a driver (connector). Of course if you don’t like the packages that Novell provides you can now customize them and deploy them to your driver (connector) easier and faster than before.

There are  new drivers (connectors) available out of the box including some very interesting ones, Sharepoint and  Salesforce.com.  I have always valued when companies keep up with the industries that they are supporting, so any new out of the box drivers (connectors) are helpful and welcome as this speeds up my own deployments and reduces the amount of customizations required to get everything up and running.

I will go into more detail on some of the above features in future blogs but I figured the first one should just be an overview of what’s new in IDM4.  Overall the week was full of solid information straight from the developers of the software.  You can’t go wrong trying to pry information directly from the people who designed it.  Unfortunately, in the negative, the labs during the week  had their fair share of problems but most of it worked out just fine in the end with a bit of cajoling.  It is obvious that Novell is trying to become a major force in the Identity Management arena and this product will most likely move them in the right direction to accomplish that.

The CA Identity Manager 12.5 Bulk Loader

Thursday, November 11th, 2010

Being a newbie to IDMWORKS, and not used to writing blog entries, I decided to gain inspiration by browsing some of the older posts to see what has been written thus far.  I noticed that there was a blog entry posted about Oracle Identity Manager (9.1.0.2), and the Bulk Load Utility that it includes.  I said “Hey! Computer Associates Identity Manager has that too!”.  So, needless to say, I decided to share a bit about the CA Identity Manager 12.5 Bulk Loader that is new to the CA Identity Manager product.

What is the CA Identity Manager Bulk Loader and what is it good for?

The Bulk Loader is used to make changes to a large number of objects simultaneously. That is a lot easier than doing it one at a time. At a, um, previous employer, I was not only the Identity Manager Administrator (STAFF EDIT: as opposed to being the “Identity Manager“? *lol*), but I was also responsible for overseeing the group that did all of the user provisioning for the corporate systems. Here was the situation:

  • The company had just tripled in size (by acquiring parts of another company)
  • We received an employee listing of the acquired company very late in the game (sound familiar?)
  • They decided that the accounts needed to be created over the weekend (are they kidding??)
  • I was a bass player in a rock band and had 2 gigs that weekend (Relevant? Yes!)

The overall setup is something that we’ve all seen at some point:

Very difficult task + short deadline + no time = Hair pulling time!

I was pleased to discover with our upgrade from version 8.1 to 12.5, that the Bulk Loader was included in the software.  In a very short amount of time I was able to create thousands of users just by using the spreadsheet of the employees that HR gave me (and I wasn’t late to my gigs!).

The bottom line is that sometimes the simplest things are easily overlooked, and I’m glad that I knew about the Bulk Loader feature.  Who knows, it might save you too someday!  In my next post, I will cover some of the issues that I ran into while using it, and what you can do to overcome them.

State of the Union

Saturday, October 9th, 2010

Last week Oracle announced they had purchased Passlogix (best known for the V-GO ESSO application) and this got me thinking about the changes in the last 10 years in the Identity Industry.

A decade ago you had start-ups galore. Business Layers (eProvisioning), Netegrity (SiteMinder), Access360, Thor (Xellerate), Waveset, Oblix, Trulogica, M-Tech and Courion, to name a few, almost all of which were acquired.

Business Layers got acquired by Netegrity who got subsequently acquired by CA.  Access360 got acquired by IBM as part of the Tivoli Identity Manager product.  Thor got acquired by Oracle, Waveset by Sun and subsequently Oracle, Oblix by Oracle as well (I am sensing a trend here by the way).  Trulogica got acquired by HP where it saw its demise.  M-Tech became Hitachi and Courion bucked the trend and stayed Courion.  Even the smaller space tools like Maxware got picked up by SAP.  In fact, up until the last few years, we have remained in the land of the Big Company Identity Stack.

So how did we get there?

Back in the day IDM was slowly being looked at as the next wave in risk and security. The issue at the time was that the products were very green and lacked the technical maturity to make implementation a worthwhile process. Sure, the low hanging fruit of automagically creating an Active Directory or Netware account was a breeze, but the implementation around single sign-on, strategic workflows and approval/escalation to a host of applications was not a smooth process. In fact in the early 2000s the business process that had to be in place before the technology could be applied was still being ironed out. Many of the projects we worked on required a high level of customization and as a result the time to implement took in some cases years. During these multi-year engagements a good number of projects failed to get off the ground or changed scope so many times that in the end the effort was deemed a failure or not what it was originally sold as.

Eventually sanity won out and most organizations realized that Web Access Management, Provisioning and, furthermore, Federation and Role Management were separate sides of the Identity Management box. Instead of one large “Big Bang” a step by step approach gained traction as a method to actual success. Many of the larger organizations even split Access Management and Identity Management into strongly separate buckets with their own teams and infrastructure. Gone are the days where Access Manager and Identity Manager are viewed as the same application. Today the products are treated as interconnected but individual pieces complementing each other even when they fall into the same stack. This can be seen in the job reqs that many organizations release when looking for a technical resource. 5 years back recruiters were still looking for the Jack-of-All-Trades Engineer/Developer/Architect/PM that knew the SSO, Provisioning, Federation, Role Management and Password Management tools from the 4 different vendors (my personal favorite being when the recruiter would then say a “junior” resource for said position was OK as a method to justify the sub-par rate, as if such a “junior” person existed with that level of knowledge).

The big company buy-up of the old Venture Capital backed firms yielded a greater maturity in the market and a fierce rivalry in the market place.  In fact the biggest players are now Oracle, IBM, CA, Novell, and to a lesser extent BMC and a hard charging Microsoft.  What is interesting though is as of a few years back the next generation of VC based IAM start-ups popped up and we are seeing history repeat itself with the next wave of industry consolidation.

For instance, take a look at the Role Management and Identity Governance market place.

Bridgestream Roles and Vaau RBACx got scooped up by Oracle and Sun and subsequently Vaau won the application war as Oracle’s preferred Role application (under the unfortunately named Identity Analytics banner).

Aveksa and Sailpoint popped up to not only compete in the same space but to offer superior products to manage compliance with HIPAA, SarBox and the like moving beyond solely role management into the governance and compliance management space.

Eventually, as is the case in the IAM space, one or both companies are likely to be acquired. Where they will land is open to conjecture but like all Venture Capital based opportunities you are either a resounding success in the sales game or you are a cheap acquisition target. I have my own guesses as to what comes next for both companies but alas that is a topic for another blog entry.

As for the announcement of Passlogix being acquired, Oracle has a strong set of tools in the space covering all facets of Identity and Access Management.  They are truly becoming the Walmart of the Identity World.

Novell’s future, confusing at best…

Thursday, September 23rd, 2010

If you haven’t already heard, VMWare is thinking about buying Novell’s Linux platform, SUSE Enterprise Linux (a rumor since late August). This is a bold move for VMWare who has been seeing increasing competition from Microsoft and Oracle in the virtualization space.  Also, it will give Red Hat a run for its money in the Enterprise Linux business.

Questions abound…

1) What space will Novell concentrate on?

  • Identity & Security – check
  • Cloud – check
  • File Management Solutions – check
  • Platspin and other niche technologies – check

2) Does this mean that Novell is a better acquisition target now that they are a little smaller?

3) Will this cause any uncertainty when folks are buying Novell software?

All of this Novell acquisition talk makes me wonder about what the true Novell strategy is.

4) Why would Novell give up a fantastic distribution of Linux (and all of the tools that come with it such as SuSE Studio)?

5) Given that some of our customers are VMWare and SuSE customers, this is fantastic news, however, for those that are VMWare and *nix customers, is this bad news?

I’m eager to see how this plays out in the next few weeks, even more eager to see what our customers will do should this purchase go through…

Any comments?

Unique Identifiers and Why you shouldn’t let users select their own ID

Tuesday, July 20th, 2010

The Unique Identifier, AKA the Unique ID, the UID, the Enterprise Unique ID, the Primary ID, the Global Unique ID.

The UID is the key internal identifier, potentially used for authentication, authorization, group membership, and tracking (reporting, logging, auditing). It is recommended to have this ID be unfriendly so as to discourage its inappropriate use. This ID is centrally provided, perhaps through your Identity Management solution, and should be assigned to all current active users and future users. The UID should be non-revokable and non-reassignable; hence it needs a large enough capacity to sustain generations of UIDs. All other identifiers should be either directly or indirectly linked to the UID.

Now as to why you shouldn’t let users select their own ID:
1) The first mistake users make is using Private Data when creating their ID (such as):

  • First and last name
  • Address
  • Phone numbers
  • SSN
  • The names of parents, children and siblings

Many governance rules for applications specifically disallow Personal Identity Data and this most likely would need to be coded in your IdM application and you would not be able to prevent it in the case of someone using SSN when you are forbidden from asking for SSN in the first place and this is a really, really long run-on sentence :) .

2) Some users will use derogatory and/or inflammatory language in their name (which may cause an issue with your support staff/help desk).  I mean let’s face it, there are a lot of geniuses in the world who think Bizhatch is a cool user ID.

3) As a fix in your Identity Management process, might I suggest adding a forgotten user name Use Case into your requirements so as to avoid the issue of the user having an inaccessible ID as they can request the user name be sent to their registered email address.

4) If a user name is selected by a user, and the user name already exists, the new user will now “know” an existing user name in the system.
This presents an associated issue of “guess the password” in which someone selects a user name/password combination such as userID: Minnesota password: Twins.  While you should have password rules to help offset this, the above example might just work.

5) I would highly recommend NOT using email address as a login credential in the future as you cannot guarantee uniqueness and a family could all use the same ID (ex. RossinFamily@ThisIsNotUnique.com). Additionally if someone uses an address they no longer have you have just added to the complication (“oh yeah, I registered with my Mickey D’s email address, too bad I got fired for embezzling, maybe I should have thought ahead”).

6) Technologically why not:

  • You must code validation rules if rejecting special characters in the name (O’Rossin, R@isen, Van Rossin, etc.) and worse if allowing them (such as remove the ‘ from O’Rossin and make it ORossin, join Van Rossin into VanRossin, etc.).
  • If the user can select User ID, you will have to decide if it should be case sensitive (which I would hope not as the volume of help desk calls will sky rocket) as a user might pick a name they wish to be case-sensitive (ex. ToddRossinRulez)

All in all, this list, while not being complete by any stretch, should give you some ammo for not allowing a user to select his/her own ID.
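The two halves of the argument above in working form, as an added example (not IDMWorks code): a registry that issues opaque, centrally assigned UIDs and tombstones them on revocation so they are never reassigned, and a checker that returns the post's objections for a user-chosen ID. The registry is in-memory (a real IdM would persist the issued set), the rules are constructed from the post's list, and the derogatory-language check from point 2 is left out.

```python
"""Centrally issued, opaque, non-reassignable UIDs, plus the checks a
user-chosen ID would fail. Added example, not IDMWorks code. The registry is
in-memory; a real IdM would persist the issued set. Rules are constructed
from the post's list; the profanity check from point 2 is left out."""
import re
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits   # 36 unfriendly symbols
UID_LENGTH = 10                                      # 36**10 values: room for generations of UIDs


class UidRegistry:
    """Hands out unfriendly UIDs and never reuses one, even after revocation."""

    def __init__(self):
        self._issued = set()   # every UID ever assigned, active or not
        self._active = {}      # uid -> subject reference (e.g. HR person number)

    def issue(self, subject_ref):
        while True:
            uid = "".join(secrets.choice(ALPHABET) for _ in range(UID_LENGTH))
            if uid not in self._issued:          # collision check against all history
                self._issued.add(uid)
                self._active[uid] = subject_ref
                return uid

    def deactivate(self, uid):
        """Revoke: the UID leaves the active set but stays tombstoned in _issued."""
        self._active.pop(uid, None)

    def is_active(self, uid):
        return uid in self._active

    def was_ever_issued(self, uid):
        return uid in self._issued


def reasons_to_reject(candidate, profile, existing_ids):
    """Return the post's objections that apply to a user-selected ID.

    profile: {"first name": ..., "last name": ..., "ssn": ..., "phone": ...}
    existing_ids: IDs already in the system (compared case-insensitively).
    """
    reasons = []
    lowered = candidate.lower()
    candidate_digits = re.sub(r"\D", "", candidate)

    # 1) private data embedded in the ID (names as substrings, SSN/phone as digit runs)
    for label, value in profile.items():
        digits = re.sub(r"\D", "", value)
        if len(value) >= 3 and value.lower() in lowered:
            reasons.append(f"contains {label}")
        elif len(digits) >= 4 and digits in candidate_digits:
            reasons.append(f"contains {label}")

    # 6) special characters or whitespace (O'Rossin, R@isen, Van Rossin, ...)
    if not re.fullmatch(r"[A-Za-z0-9]+", candidate):
        reasons.append("contains characters outside [A-Za-z0-9]")

    # 4) picking an ID that already exists tells the user it exists; compare case-insensitively
    if lowered in {existing.lower() for existing in existing_ids}:
        reasons.append("collides with an existing ID")

    return reasons
```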

The Role of Identity Management in Public vs. Private Cloud Computing or How I stopped worrying and learned to love the Cloud: Part II

Friday, July 9th, 2010

Let’s recap shall we? That install of Firefox, IE, Safari, etc. is your method to cheaper, easier to use techno-services outsourced to a service provider (like Google) who take on the infrastructure, technology and heavy lifting so that you, the business, can reap the ROI. Risks, well, we covered that already, HERE.

So how about Identity Management?
We also defined Identity Management, HERE. We can take the 101 knowledge and apply it to the Cloud. So we build out our security into buckets including Access Management (Authentication, Authorization, Entitlements), Provisioning and lest we forget, GRC (Governance, Risk and Compliance). Mix in audit, logging and reporting and we have a recipe for success.

Access Management in the Cloud
For our Cloud solution to work we need strong authentication (making sure you are who you say you are), strong authorization (making sure you can access what you are allowed to access, write where you are allowed to write, read what you are allowed to read, etc.) and record what the user has been up to (audit, log, report).

Provisioning in the Cloud
The keys to the kingdom rely on the creation of an actual account (provisioning), but almost as importantly on making sure that when you leave, by choice or not, we take those keys away (de-provisioning).

Governance, Risk and Compliance in the Cloud (GRC)
Attestation of all accounts (clean up and dump the orphaned accounts folks) and a certification process to ensure it remains so must be implemented. We don’t want Walt of the just fired brigade to have access to the company payroll do we?

Private Cloud Identity Management – Lower Risk with Higher Cost
We defined Private Clouds, HERE. Basically you own it, you operate it, you control it, you firewall it and the associated cost savings are greatly reduced but the security is greatly improved. Private clouds can be built on your own or outsourced to a “private” cloud provider but the cost savings diminishes regardless (disadvantage). Your single sign-on, authentication, authorization, provisioning, role management, GRC, and audit & logging can sit behind the firewall in the private cloud. The odds of data loss and hacking go down considerably (advantage). The return on Investment will be long term at best (I say at best because the technology cycle may produce the “next best thing” before you have a chance to recoup the cost).

Public Cloud Identity Management – Higher Risk with Lower Cost
We defined Public Clouds, HERE. On the plus side, Public Clouds equal diminished costs. Diminished costs equal happy Business people concerned with ROI (in business speak we mean Return On Investment; in Security speak we would have meant Risk of Incarceration ;) ). The risk of deploying Identity Management services in the Cloud increases with the move into the public realm. Security in a shared environment is much more complex, as is the potential network complexity. The risk can be diminished when deploying Identity Management services within the Cloud, as you should have access to defined best practices that have been utilized by past customer Cloud IdM implementations. As such the amount of bleeding edge risk will be reduced somewhat (this is where a company like IDMWorks can help you). Your contract with your public cloud provider had better ensure that they manage and take responsibility for the risk associated with potentially exposing your company’s corporate, customer and/or user data (by accident of course, but no one wants to lose their job or get sued over such an occurrence).

The Benefits of Private vs. Public Cloud Identity and Access Management

Public Cloud:

  • Return on Investment (ROI) higher, much quicker
  • Higher Risk through lessened security and network complexity

Private Cloud:

  • Risk of Incarceration (ROI) lower, Return on Investment long term at best
  • Associated costs are similar to running the environment in-house, Cloud free

Conclusion: Use Identity and Access Management to cut the Endemic Risk of Cloud Computing
By outsourcing our infrastructure hardware, software and services you, the customer, must verify and co-manage the security your provider provides. This is where Identity and Access Management come in to play.

Oracle Identity Manager (OIM): IT Resources in the database

Friday, June 11th, 2010

***NOTE: As with all Tips and Tricks we provide on the IDMWorks blog, use the following AT YOUR OWN RISK.  We do not guarantee this will work in your environment and make no warranties***

While setting up a staging environment at a client’s site, I needed to mirror the Production OIM instance to the Staging environment. The steps involved are outside the scope of this blog but are outlined in detail in Oracle’s Metalink article How To Export and Import an OIM Instance? [ID 555655.1].

There is one very important caveat to note when doing this. If you take a snapshot of the production database and insert it into your development environment, when you bring that OIM instance up it will contain all production data, including IT Resource connections. If there were any scheduled tasks in your production instance that would have run during your transition, they may run as soon as you bring your development OIM instance up. Against your production resources!!

The way I found to avoid this is to blank the server name/IP values out directly in the database prior to launching your freshly imported development environment. For this, you need to know where IT Resources are stored in the database.

While there are more tables to hold other metadata, the following 3 have the key information:

  • SVR – Contains all the different resource names (i.e. AD Server, iPlanet User, Exchange Server, etc.)
  • SPD – Contains a list of all the fields (i.e. Server Name, SSL, Port, Root DN, etc.)
  • SPV – Contains the values for all fields. These values are encrypted, but since all we want to do is blank them, that’s ok.

The following SQL will show you a list of the Resources, Fields, and Values:

select svr.svr_name, spd.spd_field_name, svp.svp_key, svp.svp_field_value
from svp
inner join spd on spd.spd_key = svp.spd_key
inner join svr on svr.svr_key = svp.svr_key;

Browse through the results and look for the field names that suggest a server name or ip address. This will depend on each resource, but common names are “Server Address” or “Server Name”. For each resource you want to blank out, note the corresponding key (column svp.svp_key).

For each field, run the following UPDATE statement substituting the svp_key value for X,Y,Z

UPDATE SVP SET svp_field_value = '' WHERE svp_key in (X,Y,Z)

That’s it. You can now safely launch your development OIM instance without worrying that it may touch production data. Please note that if you have custom or funny adapters that don’t use server names/IPs as the source, for example a file path, you need to figure out which field name is the correct one that stores your production resource.
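The procedure above (list, pick the endpoint keys, blank them, check what is left) as an added example, not IDMWorks’ or Oracle’s code. The SVR/SPD/SVP tables and their rows are constructed in SQLite so it runs offline; against the real Oracle schema you would issue the same SELECT and UPDATE from your DB client. Column names are the ones listed above; the pattern list and the sample resources are assumptions.

```python
"""Blanking production IT Resource endpoints in a copied OIM database. Added
example, not IDMWorks' or Oracle's code: the SVR/SPD/SVP tables and rows are
constructed here in SQLite so it runs offline; on the real Oracle schema you
would run the same SELECT and UPDATE (Oracle stores '' as NULL, which blanks
the value just the same). SVP values are normally encrypted, which is
irrelevant when overwriting them."""
import sqlite3

# The post's listing query, with every column qualified.
LIST_SQL = """
select svr.svr_name, spd.spd_field_name, svp.svp_key, svp.svp_field_value
from svp
inner join spd on spd.spd_key = svp.spd_key
inner join svr on svr.svr_key = svp.svr_key
"""

# Field names that "suggest a server name or ip address" (constructed list).
# Adapters keyed by a file path or URL need their own pattern, as the post warns.
ENDPOINT_FIELD_PATTERNS = ("%server address%", "%server name%", "%host%")


def build_sample_db():
    """Constructed stand-in for the production snapshot (all values made up)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        create table svr (svr_key integer primary key, svr_name text);
        create table spd (spd_key integer primary key, spd_field_name text);
        create table svp (svp_key integer primary key, svr_key integer,
                          spd_key integer, svp_field_value text);
        insert into svr values (1, 'AD Server'), (2, 'iPlanet User'), (3, 'Flat File');
        insert into spd values (10, 'Server Name'), (11, 'Port'), (12, 'SSL'),
                               (13, 'Server Address'), (14, 'Import Path');
        insert into svp values
            (100, 1, 10, 'prod-dc01.corp.example'), (101, 1, 11, '636'),
            (102, 1, 12, 'true'),                   (103, 2, 13, '192.0.2.10'),
            (104, 2, 11, '389'),                    (105, 3, 14, '/srv/prod/feed.csv');
    """)
    return conn


def find_endpoint_rows(conn, patterns=ENDPOINT_FIELD_PATTERNS):
    """Preview step: rows whose field name looks like a server name/address."""
    where = " or ".join("lower(spd.spd_field_name) like ?" for _ in patterns)
    sql = LIST_SQL + " where " + where + " order by svp.svp_key"
    return conn.execute(sql, patterns).fetchall()


def blank_values(conn, svp_keys):
    """The post's UPDATE, parameterised on the keys found in the preview."""
    if not svp_keys:
        return 0
    placeholders = ",".join("?" for _ in svp_keys)
    cur = conn.execute(
        f"update svp set svp_field_value = '' where svp_key in ({placeholders})",
        list(svp_keys))
    conn.commit()
    return cur.rowcount


def remaining_nonblank(conn):
    """What still points somewhere: review this for path- or URL-keyed adapters."""
    sql = LIST_SQL + " where svp.svp_field_value <> '' order by svp.svp_key"
    return conn.execute(sql).fetchall()


def sanitise(conn):
    """Preview, blank, and verify the row count before trusting the copy."""
    preview = find_endpoint_rows(conn)
    keys = [row[2] for row in preview]
    updated = blank_values(conn, keys)
    if updated != len(keys):                 # never proceed on a partial update
        raise RuntimeError(f"expected {len(keys)} rows, updated {updated}")
    return preview, updated


if __name__ == "__main__":
    db = build_sample_db()
    blanked, count = sanitise(db)
    print(f"blanked {count} endpoint values:", blanked)
    print("still populated (check these by hand):", remaining_nonblank(db))
```

The file path left in the Flat File resource is exactly the case the last paragraph warns about: it survives the pattern match and has to be found by hand.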

Questions? Ask at IDMWorks.

Novell Identity Manager Personal Lab

Monday, May 24th, 2010

When I’m not pursuing trout I often find myself in need of an isolated Identity Management solution for development and/or testing purposes.   I have built a number of solutions for this over the years but the one I describe here is my favorite to date.  This document is not intended to be a step by step build document but rather a high level guide for building your own isolated environment.

The products I am using in this solution are as follows:

Novell eDirectory 8.8.3
Novell Identity Manager 3.6.1
Novell Identity Manager 3.6.1 User Application w/ Provisioning
Novell SUSE Linux Enterprise Server 10 SP2

I’m a Mac guy so I started by installing VMWare Fusion on my MacBook Pro. I allocated 1GB of RAM to the virtual machine and I did a base install of SUSE Linux Enterprise Server 10 SP2 (SLES). I have found that the solution runs well enough in 1GB of RAM. After installing SLES the next step will be to install Novell eDirectory. eDirectory can be installed as root or non-root. I chose to install it as root for this solution. It just makes things easier. If you choose you may install the solution as non-root as well. eDirectory will install its files under /opt/novell/eDirectory. Once you have completed the installation you will need to configure an instance. I prefer to use the ndsmanage utility for this. It’s located at /opt/novell/eDirectory/bin/ndsmanage. I do not place my instances under the /opt/novell directory. I normally create a new location such as /edir to place my eDirectory instances. For this solution I configure two eDirectory instances. I configure mine as follows:

Instance   Config file                  NCP port   LDAP ports   HTTP port   HTTPS port
SFBIDV     /etc/sfbidv/sfbidv.conf      524        389 & 636    8028        8030
SFBLDAP    /etc/sfbldap/sfbldap.conf    525        390 & 637    8029        8031

Only the first instance of eDirectory will start automatically upon reboot of the server.  It is started with the /etc/init.d/ndsd script. You can configure the second instance to behave the same by following a number of TIDs on Novell’s website or you can do it manually with the ndsmanage utility.  Remember if you installed as root you must be logged in as root to start and stop the instances.  This is easily done with a sudo statement.  Also I do install iManager on the server as well.  It runs on ports 8080 and 8443 on Tomcat.

You’ll want to setup a tree structure for each of the trees.  I typically work with something like the following:

o=sfb
o=sfb,ou=services
o=sfb,ou=services,ou=servers
o=sfb,ou=services,ou=idm
o=sfb,ou=services,ou=admins
o=sfb,ou=vault
o=sfb,ou=vault,ou=people
o=sfb,ou=vault,ou=groups

After you have installed eDirectory the next step is to install Novell Identity Manager into each of the new trees. I configure driverset objects under the ou=idm,ou=services,o=sfb container. I don’t partition the driverset separately for this solution. I like to configure an eDirectory to eDirectory driver to communicate between the two trees. This is easily done by crossing the ports on the drivers. When configuring the drivers I set them up as follows: <ip address>:8196:8197 on one side and <ip address>:8197:8196 on the other. This will allow the two drivers involved in an eDir to eDir connection to communicate with each other on the same TCP/IP address.

I also go ahead and configure the UserApplication driver at this time. You can install this on either tree, you’ll only need one. I normally install it against the IDV. In addition to the UserApplication driver I also like to install an Entitlements Service Driver, a WorkOrder driver, and maybe a loopback driver. When I install the User Application I configure a MySQL instance on the server. I also like to configure a separate database on the MySQL server and install a JDBC driver in the IDV to communicate with the database. But I don’t install that driver until after I setup the database.

Next you may wish to install the Novell Identity Manager User Application.  I typically install MySQL before I run the UserApp install (the UserApp installation has a MySQL installation with it).  I configure UserApp to use MySQL and JBoss.  You will want to change the ports that JBoss is listening on since it will conflict with the Tomcat server that is already running on the server (you can also configure Tomcat differently if you wish).  I run JBoss on 8081 and 8444.

In addition to these components I will sometimes setup an Apache server where I can create a little website that uses PHP to front my MySQL database that I have my IDM driver configured to communicate with.  I do this just because I can and it makes the solution a little “slicker.”  You can also just use SQuirreL to insert and modify records in the database.  I run SQuirreL on my Mac and just login to the MySQL database from my Mac instead of running it inside of the VM.

That’s basically it.  You can add additional components if you wish but I have found that this gives me the components I need to test out a number of scenarios in a controlled environment.  Hopefully you will find it as useful an environment as I have.  Good luck and happy provisioning.
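An added example (not the author’s code) that turns the tree layout listed above into LDIF for both instances. The post writes containers top-down (o=sfb,ou=services,...) while LDAP DNs run leaf-first, so the generator reverses each path and refuses a child whose parent has not been emitted. It assumes o=sfb itself already exists (created when the instance is configured) and that you have an admin user at the constructed DN cn=admin,o=sfb; the ports are the ones assigned above.

```python
"""LDIF for the lab tree layout, as an added example (not the author's code).
The post lists containers top-down (o=sfb,ou=services,...); LDAP DNs run
leaf-first, so to_dn() reverses them. Assumes o=sfb already exists (created
when the instance is configured), so only the OUs are emitted, in
parent-before-child order. The admin DN and LDIF file name are constructed;
the LDAP ports are the ones the post assigns to each instance."""

TREE = [
    "o=sfb",
    "o=sfb,ou=services",
    "o=sfb,ou=services,ou=servers",
    "o=sfb,ou=services,ou=idm",
    "o=sfb,ou=services,ou=admins",
    "o=sfb,ou=vault",
    "o=sfb,ou=vault,ou=people",
    "o=sfb,ou=vault,ou=groups",
]
INSTANCES = {"SFBIDV": 389, "SFBLDAP": 390}   # cleartext LDAP port per instance
BASE = "o=sfb"


def to_dn(top_down):
    """'o=sfb,ou=vault,ou=people' -> 'ou=people,ou=vault,o=sfb'."""
    return ",".join(reversed(top_down.split(",")))


def ldif_for_tree(tree, base=BASE):
    """Emit organizationalUnit entries; refuse a child whose parent is unknown."""
    known = {base}
    entries = []
    for path in tree:
        dn = to_dn(path)
        if dn == base:
            continue                       # base exists already, not added via LDIF
        rdn, parent = dn.split(",", 1)
        attr, value = rdn.split("=", 1)
        if attr.lower() != "ou":
            raise ValueError(f"only ou containers are generated: {dn}")
        if parent not in known:
            raise ValueError(f"parent of {dn} must be listed first")
        known.add(dn)
        entries.append(f"dn: {dn}\nobjectClass: organizationalUnit\nou: {value}\n")
    return "\n".join(entries)


def ldapadd_commands(instances=INSTANCES, ldif_path="lab-tree.ldif",
                     admin_dn="cn=admin,o=sfb"):
    """Same LDIF, once per eDirectory instance, selected by its LDAP port."""
    return {name: f'ldapadd -x -h localhost -p {port} -D "{admin_dn}" -W -f {ldif_path}'
            for name, port in instances.items()}


if __name__ == "__main__":
    print(ldif_for_tree(TREE))
    for name, cmd in ldapadd_commands().items():
        print(f"# {name}: {cmd}")
```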