December 15, 2007

My Sojourn in the States

November 28th is when I came to St. Louis, planning to complete an ongoing project. There were many issues without answers. Only once I was at the client's place did I understand everything they had done to bring up the issues. I kept resolving them one by one to complete the LDAP ActiveSync Identity management project. Although not everything was complete, I still had to move out of the place. One best thing that happened was the LUNCH at RUCHI, the Indian restaurant. Wow, it was an amazing lunch.

Then on Sunday, we left for Salt Lake City, an amazing place except for the climate. It was freezing for me. I had never experienced what negative temperatures were like before coming here. I was walking on the roads when it was -6. It's killer cold for me. Lots of Indian restaurants around.

Finally, after two tough, cold weeks at Salt Lake City, I am moving to Austin tomorrow. Expecting to meet some old friends. Will update.

December 13, 2007

NetBeans 6.0 Integrated Development Environment Ready for Action

I shouldn't be doing the talking here ... so .... click

A Few Questions to ask when you are designing an Identity Management Project

Hope this helps some of you. This is basic; I shall keep adding. Visit this blog for more.
  • What resources do you have?
  • What are your resource schemas?
  • How do you want your mapping from Identity Manager to be done?
  • What are the accountIds I get to access your resource?
  • Does that accountId have the right privileges to access all the items the Identity Manager needs access to?
  • If you are doing Active Sync from LDAP, do you have the changeLog enabled?
  • Can the ID provided access the changelog?
  • How many object classes do you have in your LDAP?
  • Should all of them be managed?
  • How many object classes do you have in AD?
  • Do you know that only one object class can be managed from one resource instance in AD?
  • What are the additional attributes you want to populate in Identity Manager?
  • How do you create users on every resource?
  • If you are following any non-generic process to populate users on your Authoritative source/sources then please let us know HOW?
  • What is the password policy on each resource?
  • What is the password policy you expect the Identity Manager to have?

December 12, 2007

Is your Identity Management Implementation complete?

I have a question: who exactly is implementing the complete Identity solution? My identity management experience is just 3 years, as of December 12th. I have worked with various clients. I have not found even a single organization using the Identity management product (whichever they bought) to the fullest. I mean the provisioning capabilities of the product are not used properly.

And the major reason people state is that they are not clear about their organizational roles. How long? I mean, it has been a long time since organizations started having the need to implement IdM solutions, and still no one's figured out how to make it complete? The sales pitch of many identity sales guys says that, other than compliance, one can achieve profits by limiting calls to the help desk, reducing the number of administrators managing resources and all such other stuff, but is it happening?

I have seen many orgs asking us just to send an email to the admin rather than provisioning. The admin creates the user and says done to make the audit log. That's it; the auditor is happy and so is the company. Is this what Identity Management is?

What is the way ahead for all these implementors and organizations? Investing this much on the solutions/products?

A different thought:
How about saying a disciplined approach from the beginning of an organization would have avoided this mess? Security/Process: these terms come in only after the mess has already happened. Recently I was talking to an ISO in a big company and he said, first I need the process to be in and then we can think of security. Wow, dude, are you into information security?

If an organization can have processes set from day one and follow them and be disciplined, things will be better.

Some hero from some workgroup creates a beautiful HTML page and says from today we can use this for some XYZ work. It's launched and the hero is rewarded. Later, after 10 years, when this page becomes critical and the creator has already left the organization without any documentation, pffffffhhhh then you know what happens.

So any new entrepreneurs? Guys, be cautious today to avoid huge unnecessary investments tomorrow.

December 11, 2007

SUN Identity Manager: Deserialization failed for xmlString

Did you ever see this error when accessing the repository objects via the BPE? OK, this was an error my friend got recently. I thought I should mention the reason so that someone who gets it sometime can quickly refer to it.

What my colleague did:
He imported the NetBeans plugin for IdM into NetBeans and configured a project. When he was configuring the repository, he gave the existing repository as the one that needs to be used by NetBeans. That's it; NetBeans changed the serial numbers of a few tables of the Identity Manager repo. Thus this error.

Solution:
I think we need to do an LH SETREPO and things should be working.

December 9, 2007

Are you using the Metaview of SUN Identity Manager?

Are you? If your answer is NO, then it is suggested that you stick with that. This feature currently has a few bugs, which are yet to be corrected in the SUN Identity Manager release 8.0. It plays with your attributes in such a way that you hardly have an idea of what is happening.

I was using this feature recently and only landed in horrible times. When I referred to my seniors at SUN, they said they never use it as it has problems.

So my suggestion to all SUN IdM folks out there is ... do not use Metaview, please.

MetaView of SIM vs MIIS

I don't know how many Identity professionals use the Metaview feature of Sun Identity Manager. However, I wanted to take you through its architecture. It would be great for people who know MIIS.

The features are ...

Identity Attributes:
This feature allows you to configure the incoming and outgoing attributes. You will be able to create a new attribute, choose whether it should be stored in the Identity Manager, and choose its source and destinations (resources). This is exactly a feature available in MIIS. You can also set the precedence for the sources, for example choosing the first source and then the next one that would be able to populate this attribute; again a feature of MIIS.

Identity Events:
Have you been into the third tab of Microsoft Identity Integration Server, where you can configure the delete rule? Yes, it's the same way here. You will be able to configure events like DELETE, DISABLE, ENABLE etc. You need to create a new event type, specify a rule on how it should be recognized, and then the actions to be performed.

These features are very specific to Active Sync because that is what a synchronization engine works for.

Recently I have been working with these features, and every moment I was reminded of the MIIS features.

Bulk Loading

This may look novice to experienced professionals.

Have you ever done a bulk load of users into Sun Identity Manager? The findings I have are ...

Every attribute that comes under the waveset should be represented in the global namespace and the other attributes should be addressed as accounts[RESOURCE].attrName.

ex:
command,user,global.firstname,global.lastname,password.password,password.confirmPassword,waveset.resources
create,henryea,Earl,Henry,P@ssw0rd,P@ssw0rd,AD

Hope this will be useful to someone.
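A pre-flight check for a bulk-load file in the format shown above, as an added example that is not part of the original post or of Sun's tooling. It accepts only the column forms that appear in the post (command, user, global.*, password.*, waveset.*, accounts[RESOURCE].attrName), and the second data row and the last two columns of the sample are constructed; the function name is hypothetical.

```python
import csv
import io
import re

# Column forms taken from the post's example plus accounts[RESOURCE].attrName.
HEADER_RE = re.compile(
    r"^(command|user|global\.\w+|password\.\w+|waveset\.\w+"
    r"|accounts\[[^\]]+\]\.\w+)$")

# Constructed sample: the first data row is the post's example, extended with
# one resource-qualified column and one deliberately unqualified column.
SAMPLE = (
    "command,user,global.firstname,global.lastname,password.password,"
    "password.confirmPassword,waveset.resources,accounts[AD].department,title\n"
    "create,henryea,Earl,Henry,P@ssw0rd,P@ssw0rd,AD,Sales,Mr\n"
    "create,doej,Jane,Doe,S3cret!,S3cret,AD,IT,Ms\n"
)


def check_bulk_file(text):
    """Return a list of problems; password values are never echoed."""
    rows = list(csv.reader(io.StringIO(text)))
    if not rows:
        return ["empty file"]
    header, problems = rows[0], []
    for col in header:
        if not HEADER_RE.match(col):
            problems.append(f"header: '{col}' is not namespaced")
    for lineno, row in enumerate(rows[1:], start=2):
        if len(row) != len(header):
            problems.append(
                f"line {lineno}: {len(row)} fields, expected {len(header)}")
            continue
        rec = dict(zip(header, row))
        if not rec.get("command") or not rec.get("user"):
            problems.append(f"line {lineno}: command or user is empty")
        if rec.get("password.password") != rec.get("password.confirmPassword"):
            problems.append(
                f"line {lineno}: password and confirmPassword differ")
    return problems


if __name__ == "__main__":
    for problem in check_bulk_file(SAMPLE):
        print(problem)
```

Because the file carries clear-text passwords, keep it readable only by the account that runs the load and delete it afterwards.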

December 4, 2007

Using "lh console" when your SUN Identity Manager Application is down

I have just encountered a different kind of problem. I set the trace parameters in my Sun Identity Manager, configured it to trace a few adapters, and finally gave a large number for the file size. I restarted the server and it failed, saying ...

java.lang.NumberFormatException: For input string: "9999999999"

So to correct this error I have two options:

1. Changing the System Configuration file using the lh console command

Go to wshome\bin
Execute the following commands:
./lh console and press enter
You'll get to the configurator> prompt
At the prompt, type
export -v c:\syscon.xml CONFIGURATION
Now open the file c:\syscon.xml and scroll down till you find the required attribute to change.

Change the value of 9999999 in the line to 512 and save the file.

Now at the configurator> prompt, type the following command and press enter:
import c:\syscon.xml

Reboot the appserver and launch the IdM web application.

To generalize, we can change any of these configurations this way.
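The value 9999999999 is larger than Java's 32-bit int maximum (2147483647), which is consistent with the NumberFormatException above. As an added example (not part of the original post or of Sun's tooling), this Python script checks an exported configuration file for such a value and corrects it before the import; the XML layout of the sample, the 'traceEnabled' attribute and the function names are assumptions, only maxFileSizeKB comes from the post.

```python
import re
import xml.etree.ElementTree as ET

INT_MAX = 2**31 - 1  # java.lang.Integer.MAX_VALUE = 2147483647

# Constructed stand-in for the exported syscon.xml. Only maxFileSizeKB comes
# from the post; the surrounding elements and 'traceEnabled' are assumptions.
SAMPLE = """<Configuration name='System Configuration'>
  <Extension>
    <Object>
      <Attribute name='traceEnabled' value='true'/>
      <Attribute name='maxFileSizeKB' value='9999999999'/>
    </Object>
  </Extension>
</Configuration>"""


def valid_size(value):
    """True if value is a positive decimal that fits a signed 32-bit int."""
    return bool(re.fullmatch(r"\d+", value)) and 0 < int(value) <= INT_MAX


def find_bad_sizes(xml_text, names=("maxFileSizeKB",)):
    """Return [(name, value)] for named attributes that would not parse."""
    root = ET.fromstring(xml_text)
    return [(el.get("name"), el.get("value", ""))
            for el in root.iter("Attribute")
            if el.get("name") in names and not valid_size(el.get("value", ""))]


def set_value(xml_text, name, new_value):
    """Textually replace the value so the rest of the export is untouched."""
    if not valid_size(str(new_value)):
        raise ValueError(f"{new_value!r} is not a usable size")
    pat = re.compile(r"""(<Attribute\s+name=(['"])""" + re.escape(name)
                     + r"""\2\s+value=(['"]))[^'"]*(\3)""")
    return pat.subn(lambda m: m.group(1) + str(new_value) + m.group(4), xml_text)


if __name__ == "__main__":
    print("before:", find_bad_sizes(SAMPLE))
    fixed, count = set_value(SAMPLE, "maxFileSizeKB", 512)
    print("replaced:", count, "after:", find_bad_sizes(fixed))
```

Running the same check on a configuration export before each restart catches an out-of-range value while the web application is still up.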

2. Editing the MySQL repo

1) SELECT * FROM object o where type='Configuration' and name = 'SYSTEM CONFIGURATION';
2) Go to the xml column at the very end of the table and look for the string pattern "Attribute name='maxFileSizeKB'". Get the exact number of 99999s that you plugged in.
3) Run the following update to do an "in-place" update. (I have updated the file size to be 1KB - 1024. Replace with the number of your choice.)
update object set xml=replace(xml, "", "") where type='Configuration' and name = 'SYSTEM CONFIGURATION';

Hope this information will be worth something to the IDM fraternity.