Posts Tagged ‘Password Management’

Password Management in Novell Identity Manager

Tuesday, March 29th, 2011

Novell Identity Manager integrates tightly with Novell eDirectory.  Part of the benefit of eDirectory is the inherent security built around passwords.  But there are times when Novell’s native tools for managing passwords do not meet the specific needs of a deployment, so let’s briefly explore the options you have for managing passwords within the framework of Novell’s Identity Manager.  For the purposes of this article, password management is defined as the ability for a user to set a password, set challenge/response questions, and use those challenge/response questions to reset a forgotten password.

The first option, and probably the easiest to implement, is to use Novell’s Role Based Provisioning Module (RBPM), formerly known as the User Application.  This tool is easily deployed and fully supports all of the password management functionality.  It can be branded and is fully supported by Novell.  The drawback to the RBPM is that it may be more than some organizations need when they are looking for just password management.  Additionally, an organization may have an existing portal deployment that they want to integrate password management into.  RBPM may not be the best fit for these organizations.

Another option is to utilize Novell’s Password Management Framework from their custom development group.  This is a fully functional password utility that is specifically tailored to an organization.  It is supported via Novell’s custom development group and fully supports all of the password management functionality.  It can be integrated into an organization’s existing portal solution and fully supports branding specific to an organization.  The disadvantage of this solution is the additional costs associated with the purchase, development and support of the solution.

If the functionality of Novell’s Password Management Framework (PMF) is what an organization is looking for but they do not wish to make the additional investment in product, support, etc…, then a viable option is an open source project called PWM (available at https://code.google.com/p/pwm/).  This solution is very comparable to Novell’s PMF.  An organization may deploy it as is or customize it for their needs.  The advantage of this solution is the reduced product cost.  The disadvantage is that the organization is essentially self-supporting with this solution.  Like the solutions above, PWM fully supports all of the password management functionality.

In RBPM 3.7 there is also a forgotten password web service available (http://server:port/warcontext/pwdmgt/service?wsdl).  This is a good way to access basic password reset functionality.  This service does not support all of the password management functionality, but it is a good option for organizations that are familiar with writing to web services and only need the basic forgotten password operations.

For organizations that want the web service approach but need fuller functionality than the basic web service interface provides, RBPM 3.7 also offers REST services.  The functionality for the REST services is contained in a war file (RIS.war) that sits separate from the User Application and provides access to much more than just the password management features.  The REST services are fully documented in Novell’s RBPM 3.7 online documentation.  This solution can be integrated into an organization’s existing portal framework or can be used to build a fully functional site that exposes the specific functionality an organization needs.

There are other options for password management that integrate with Novell’s Identity Management solution through Novell’s APIs.  But in the opinion of this consultant, the methods listed above are the most cost-effective options and provide the functionality that most organizations need.

As usual if you have questions, comments or concerns feel free to reach out to us at IDMWorks.

State of the Union

Saturday, October 9th, 2010

Last week Oracle announced they had purchased Passlogix (best known for the V-GO ESSO application) and this got me thinking about the changes in the last 10 years in the Identity Industry.

A decade ago you had start-ups galore: Business Layers (eProvisioning), Netegrity (SiteMinder), Access360, Thor (Xellerate), Waveset, Oblix, Trulogica, M-Tech and Courion, to name a few, almost all of which were acquired.

Business Layers got acquired by Netegrity who got subsequently acquired by CA.  Access360 got acquired by IBM as part of the Tivoli Identity Manager product.  Thor got acquired by Oracle, Waveset by Sun and subsequently Oracle, Oblix by Oracle as well (I am sensing a trend here by the way).  Trulogica got acquired by HP where it saw its demise.  M-Tech became Hitachi and Courion bucked the trend and stayed Courion.  Even the smaller space tools like Maxware got picked up by SAP.  In fact, up until the last few years, we have remained in the land of the Big Company Identity Stack.

So how did we get there?

Back in the day, IDM was slowly being looked at as the next wave in risk and security.  The issue at the time was that the products were very green and lacked the technical maturity to make implementation a worthwhile process.  Sure, the low-hanging fruit of automagically creating an Active Directory or Netware account was a breeze, but the implementation around single sign-on, strategic workflows and approval/escalation to a host of applications was not a smooth process.  In fact, in the early 2000s the business process that had to come before the technology was still being ironed out.  Many of the projects we worked on required a high level of customization, and as a result the time to implement took in some cases years.  During these multi-year engagements a good number of projects failed to get off the ground or changed scope so many times that in the end the effort was deemed a failure or not what it was originally sold as.

Eventually sanity won out and most organizations realized that Web Access Management, Provisioning and, furthermore, Federation and Role Management were separate sides of the Identity Management box.  Instead of one large “Big Bang”, a step-by-step approach gained traction as a method to actual success.  Many of the larger organizations even split Access Management and Identity Management into strongly separate buckets with their own teams and infrastructure.  Gone are the days where Access Manager and Identity Manager are viewed as the same application.  Today the products are treated as interconnected but individual pieces complementing each other even when they fall into the same stack.  This can be seen in the job reqs that many organizations release when looking for a technical resource.  5 years back recruiters were still looking for the Jack-of-All-trades Engineer/Developer/Architect/PM that knew the SSO, Provisioning, Federation, Role Management and Password Management tools from the 4 different vendors (my personal favorite being when the recruiter would then say a “junior” resource for said position was OK as a method to justify the sub-par rate, as if such a “junior” person existed with that level of knowledge).

The big company buy-up of the old Venture Capital backed firms yielded a greater maturity in the market and a fierce rivalry in the market place.  In fact the biggest players are now Oracle, IBM, CA, Novell, and to a lesser extent BMC and a hard charging Microsoft.  What is interesting though is as of a few years back the next generation of VC based IAM start-ups popped up and we are seeing history repeat itself with the next wave of industry consolidation.

For instance, take a look at the Role Management and Identity Governance market place.

Bridgestream Roles and Vaau RBACx got scooped up by Oracle and Sun and subsequently Vaau won the application war as Oracle’s preferred Role application (under the unfortunately named Identity Analytics banner).

Aveksa and Sailpoint popped up to not only compete in the same space but to offer superior products to manage compliance with HIPAA, SarBox and the like moving beyond solely role management into the governance and compliance management space.

Eventually, as is usually the case in the IAM space, one or both companies are likely to be acquired.  Where they will land is open to conjecture, but like all Venture Capital based opportunities you are either a resounding success in the sales game or you are a cheap acquisition target.  I have my own guesses as to what comes next for both companies but alas that is a topic for another blog entry.

As for the announcement of Passlogix being acquired, Oracle has a strong set of tools in the space covering all facets of Identity and Access Management.  They are truly becoming the Walmart of the Identity World.

GINA Chaining Problems

Friday, October 8th, 2010

***NOTE: As with all Tips and Tricks we provide on the IDMWorks blog, use the following AT YOUR OWN RISK.  We do not guarantee this will work in your environment and make no warranties***

I recently resolved a problem for a client that brought to light a potential problem that isn’t always apparent with desktop password reset applications like Passlogix SSPR (Self-Service Password Reset) software.  The GINA chain created by using multiple GINAs (Graphical Identification and Authentication DLLs) can be broken or malformed into a loop, which puts the machine into a state where a user cannot log on to the machine at all.

Before I explain the problem and solution, a little background about SSPR and GINAs.  The SSPR software consists of a client software package that adds a title bar to the standard Windows logon. The client connects to a web server that prompts the user to answer security questions before allowing the user to reset his/her Windows password.  This is a great tool that is easy to use and can drastically reduce helpdesk calls.  The real power of the tool is that the prompt to reset the user’s password is available even if the user can’t log into the machine.  Other tools use a standard website, but require that the user be logged into Windows to get to an internet browser.

This pre-logon title bar is implemented using a custom GINA.  The Windows logon process uses a file named msgina.dll, which provides the Windows logon box that everyone is familiar with.  SSPR installs a custom GINA named ssogina.dll.  In order to use both GINAs, a GINA chain is created.  The top GINA is set in the Windows registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL.  After the SSPR install, GinaDLL will be set to ssogina.dll.  Passlogix then adds custom registry keys under HKEY_LOCAL_MACHINE\SOFTWARE\Passlogix that point the product to msgina.dll.  This creates the GINA chain: the SSPR GINA points to MSGINA, and both function.  Many products, including hardware encryption, VPN, smartcard and fingerprint software, use custom GINAs to enable pre-Windows-login functionality, and multiple custom GINAs can be added to the GINA chain.

The problem arises when the GINA chain contains 3 or more GINAs and products are installed and uninstalled.  The problem is all about the order of installation and subsequent uninstallation.  In a 3-GINA chain example, the PointSec GINA points to the SSPR GINA, which then points to the MSGINA.  This GINA chain would be created if SSPR is installed first and then PointSec is installed.  Take the same GINA chain (PointSec->SSPR->MSGINA): if SSPR is uninstalled and then reinstalled, which is common when the product is upgraded, SSPR sets itself as the top GINA again and chains to whatever GinaDLL currently names, which is now PointSec.  The problem arises because the PointSec registry keys were not changed during the SSPR uninstall and still point to SSPR.  The GINA chain is now SSPR->PointSec->SSPR->PointSec->SSPR and on and on forever.  This loop in the GINA chain means the machine never calls the MSGINA, and the machine is unusable.

To remediate this problem, you can boot Windows in Safe Mode (which disables custom GINAs) and reset the GinaDLL key to msgina.dll.  That will allow users to log into Windows again.  The longer-term solution is to make sure the GINA chain is cleaned up when products are uninstalled.  Calling custom scripts or adding registry keys in an MSI during uninstallation can be used to forcibly set the GINA chain to the desired settings.  Manipulating the GINA chain normally involves a little extra design, configuration and testing, but it can save you from incapacitating entire groups of machines when deploying software.
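The chain walk and loop described above, as an added illustration (not Passlogix, Check Point or Microsoft code): the post does not give the vendor-specific registry value names that record each custom GINA's next hop, so those links are modelled as a dict, and `pointsec.dll` is a constructed placeholder for the PointSec GINA file name. The same check can be pointed at real registry values if you know the vendor keys for your deployment.

```python
# Added illustration of a Winlogon GINA chain.  Each custom GINA records the
# DLL it hands off to in its own vendor registry key (e.g. under
# HKLM\SOFTWARE\Passlogix); the exact value names are not given in the post,
# so vendor keys are modelled as a dict {custom_gina_dll: next_dll}.

MSGINA = "msgina.dll"            # stock Microsoft GINA; every chain must end here
SSPR_GINA = "ssogina.dll"        # Passlogix SSPR GINA (name from the post)
POINTSEC_GINA = "pointsec.dll"   # constructed placeholder for the PointSec GINA


def walk_gina_chain(gina_dll, vendor_links):
    """Follow the chain starting at the Winlogon GinaDLL value.

    Returns (chain, status): "ok" when msgina.dll is reached, "loop" when a
    DLL repeats (the machine would never reach msgina.dll), "dangling" when
    a link names a GINA whose vendor key is gone (product uninstalled).
    """
    chain, seen = [], set()
    current = gina_dll.lower()   # registry data is case-insensitive
    while True:
        chain.append(current)
        if current == MSGINA:
            return chain, "ok"
        if current in seen:
            return chain, "loop"
        seen.add(current)
        if current not in vendor_links:
            return chain, "dangling"
        current = vendor_links[current].lower()


def build_gina_chain(order):
    """Registry settings for a desired chain, top GINA first, ending at
    msgina.dll; this is what an uninstall script would enforce.
    Returns (GinaDLL value, vendor_links)."""
    links = {}
    for gina, nxt in zip(order, order[1:] + [MSGINA]):
        links[gina.lower()] = nxt.lower()
    return (order[0].lower() if order else MSGINA), links


# Constructed scenario from the post: SSPR installed first, then PointSec.
HEALTHY_GINADLL, HEALTHY_LINKS = build_gina_chain([POINTSEC_GINA, SSPR_GINA])

# SSPR uninstalled and reinstalled: it puts itself on top and chains to the
# current GinaDLL (PointSec), but PointSec's key still points at SSPR.
LOOPED_GINADLL = SSPR_GINA
LOOPED_LINKS = {POINTSEC_GINA: SSPR_GINA, SSPR_GINA: POINTSEC_GINA}
```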

Questions? Feel free to reach out to us at IDMWorks.

Baby Steps – Password Management

Thursday, July 29th, 2010

To build on an earlier posting, I would like to touch on the phased approach to implementing an Identity Management solution.  I was recently on an engagement where the customer requested that we implement an identity management product and a single sign-on product to perform a simple phase one approach.  The project had a primary focus on password management on the Identity Management side and Web SSO to a handful of key applications for the customer.  Within three weeks we implemented password synchronization from AD to IdM and three secondary resources, forgotten password management using custom questions and answers, and password reset via a web interface.  We also implemented Web SSO to a handful of key enterprise applications.

The key point here is that the project was focused and limited to a specific, achievable goal.  The project was a success in a short period of time and produced a quick win for the vendor, the customer and our team.  Password management and Web SSO are fairly straightforward and simple parts of an Identity and Access Management project, and they produce highly visible and easy-to-quantify ROI for the customer.  The visibility is across the board.

End users experience being able to log in once to access much of their entitlements, clicking a simple link if they forget their passwords, and having their passwords automatically synchronized across the enterprise when they change them.

System Administrators and Help Desk personnel are able to focus on more important aspects of their jobs and less on resetting passwords.

Management can watch as the number of help desk tickets drops and the productivity of their System Administrator teams improves.

Password Management is a great first step towards easing the administrative burden on some of the same teams that will be key in implementing future phases of the IAM infrastructure.  It is a great strategy that many enterprises miss out on when they attempt a “Big Bang” implementation and end up with a fragmented solution and a stressed-out project team.  I can’t stress enough how important it is to bite off only what you can chew and allow the ‘Process’ to work for you.