December 15, 2007

My Sojourn in the States

November 28th is when I came to St. Louis, planning to complete an ongoing project. There were many issues without answers. Only once I was at the client's place did I understand everything they had done to bring up the issues. I kept resolving them one by one to complete the LDAP ActiveSync Identity management project. Although not everything was complete, I still had to move out of the place. One of the best things that happened was the LUNCH at RUCHI, the Indian restaurant. Wow, it was an amazing lunch.

Then on Sunday, we left for Salt Lake City, an amazing place except for the climate. It was freezing for me. I had never experienced what negative temperatures were like before coming here. I was walking on the roads when it was -6. It's killer cold for me. Lots of Indian restaurants around.

Finally, after two tough, cold weeks at Salt Lake City, I am moving to Austin tomorrow. Expecting to meet some old friends. Will update.

December 13, 2007

NetBeans 6.0 Integrated Development Environment Ready for Action

I shouldn't be doing the talking here ... so .... click

Few Questions to ask when you are designing an Identity Management Project

Hope this helps some of you. This is basic; I shall keep adding. Visit this blog for more.
  • What resources do you have?
  • What are your resource schemas?
  • How do you want your mapping from Identity Manager to be done?
  • What are the accountIds I get to access your resource?
  • Does that accountId have the right privileges to access all the items the Identity Manager needs access to?
  • If you are doing Active Sync from LDAP, do you have the changeLog enabled?
  • Can the ID provided access the changelog?
  • How many object classes do you have in your LDAP?
  • Should all of them be managed?
  • How many object classes do you have in AD?
  • Do you know that only one object class can be managed from one resource instance in AD?
  • What are the additional attributes you want to populate in Identity Manager?
  • How do you create users on every resource?
  • If you are following any non-generic process to populate users on your Authoritative source/sources then please let us know HOW?
  • What is the password policy on each resource?
  • What is the password policy you expect the Identity Manager to have?

December 12, 2007

Is your Identity Management Implementation complete?

I have a question. Who exactly is implementing the complete Identity solution? My identity management experience is just 3 years, by December 12th. I have worked with various clients. I have not found even a single organization using the Identity management product (whichever they bought) to the fullest. I mean the provisioning capabilities of the product are not used properly.

And the major reason people state is that they are not clear about their organizational roles. How long? I mean, it has been a long time since organizations started having the need to implement IdM solutions, and still no one has figured out how to make it complete? The sales pitch of many identity sales guys says that, other than compliance, one can achieve profits by limiting calls to the help desk, reducing the number of administrators managing resources and all such other stuff, but is it happening?

I have seen many orgs asking us just to send an email to the admin rather than provisioning. The admin creates the user and says done to make the audit log. That's it, the auditor is happy and so is the company. Is this what Identity Management is?

What is the way ahead for all these implementors and organizations? Investing this much on the solutions/products?

A different thought:
How about saying a disciplined approach from the beginning of an organization would have avoided this mess? Security/Process: these terms come in only after the mess has already happened. Recently I was talking to an ISO in a big company and he said, first I need the process to be in and then we can think of security. Wow, dude, are you into information security?

If an organization can have processes set from day one and follow them and be disciplined, things will be better.

Some hero from some workgroup creates a beautiful HTML page and says from today we can use this for some XYZ work. It's launched and the hero is rewarded. Later, after 10 years, when this page becomes critical and the creator has already left the organization without any documentation, pffffffhhhh then you know what happens.

So any new entrepreneurs? Guys, be cautious today to avoid huge unnecessary investments tomorrow.

December 11, 2007

SUN Identity Manager: Deserialization failed for xmlString

Did you ever see this error when accessing the repository objects via the BPE? OK, this was an error my friend got recently. I thought I should mention the reason so that someone who gets it sometime can quickly refer to it.

What my colleague did:
He imported the NetBeans plugin for IdM into NetBeans and configured a project. When he was configuring the repository, he gave the existing repository as the one that needs to be used by NetBeans. That's it, NetBeans changed the serial numbers of a few tables of the Identity Manager repo. Thus this error.

Solution:
I think we need to do an LH SETREPO and things should be working.

December 9, 2007

Are you using the Metaview of SUN Identity Manager?

Are you? If your answer is NO, then it is suggested that you stick with it. This feature currently has a few bugs, which are yet to be corrected in the SUN Identity Manager release 8.0. It really plays with your attributes in such a way that you hardly have an idea of what is happening.

I was using this feature recently and only landed in horrible times. When I referred to my seniors at SUN, they said they never use it as it has problems.

So my suggestion to all SUN IdM folks out there is ... do not use Metaview please.

MetaView of SIM vs MIIS

Metaview feature of Sun Identity Manager, I don't know how many of the Identity professionals use it. However I wanted to take you through the architecture of it. It would be great for people who know MIIS.

The features are ...

Identity Attributes:
This feature allows you to configure the incoming and outgoing attributes. You will be able to create a new attribute, choose whether it should be stored in the identity manager, choose its source and destinations (resource). This is a feature that is exactly available in MIIS. You can also set the precedence for the source, like you may choose the first source and then the next which would be able to populate this attribute, again a feature of MIIS.

Identity Events:
Have you been into the third tab of Microsoft Identity Integration Server, where you can configure the delete rule? Yes, it's the same way here. You will be able to configure events like DELETE, DISABLE, ENABLE etc. You need to create a new event type, specify a rule on how it should be recognized and then the actions to be performed.

These features are very specific to active sync because that is what a Synchronization engine works for.

Recently I have been working with these features and every moment I was feeling the MIIS features.

Bulk Loading

This may look novice to experienced professionals.

Have you ever done a bulk load of users into Sun Identity Manager? The findings I have are ...

Every attribute that comes under the waveset should be represented in the global namespace and the other attributes should be addressed as accounts[RESOURCE].attrName.

ex:
command,user,global.firstname,global.lastname,password.password,password.confirmPassword,waveset.resources
create,henryea,Earl,Henry,P@ssw0rd,P@ssw0rd,AD

Hope this is useful to someone.
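A generator for such a bulk-load file, as an added example that is not code from the original post: it writes the header shown above, adds resource-specific columns in the accounts[RESOURCE].attrName form, and gives each user a distinct random initial password instead of one shared value. The `description` attribute, the sample users and the use of standard CSV quoting are assumptions.

```python
import csv
import io
import secrets
import string

# Columns taken from the post's sample header; resource columns are appended.
BASE_COLUMNS = ["command", "user", "global.firstname", "global.lastname",
                "password.password", "password.confirmPassword",
                "waveset.resources"]

def initial_password(length=16):
    """Random password with at least one lower, upper, digit and symbol."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, "!@#%^*-_"]
    alphabet = "".join(classes)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in classes):
            return pw

def build_bulk_csv(users, resource, resource_attrs=()):
    """users: dicts with user, firstname, lastname, plus optional values
    for the (hypothetical) resource attributes named in resource_attrs."""
    columns = BASE_COLUMNS + [f"accounts[{resource}].{a}" for a in resource_attrs]
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")  # quotes embedded commas
    writer.writerow(columns)
    for u in users:
        pw = initial_password()
        row = ["create", u["user"], u["firstname"], u["lastname"], pw, pw, resource]
        row += [u.get(a, "") for a in resource_attrs]
        writer.writerow(row)
    return out.getvalue()

# Constructed sample input.
SAMPLE_USERS = [
    {"user": "henryea", "firstname": "Earl", "lastname": "Henry",
     "description": "Contractor, St. Louis"},
    {"user": "doeja", "firstname": "Jane", "lastname": "Doe"},
]

if __name__ == "__main__":
    print(build_bulk_csv(SAMPLE_USERS, "AD", ["description"]), end="")
```

The generated file holds plaintext initial passwords, so it needs the same handling as any other credential file.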

December 4, 2007

Using "lh console" when your SUN Identity Manager Application is down

I have just encountered a different kind of problem. I have set the trace parameters in my Sun Identity Manager. I have configured it to trace a few adapters and finally gave a large number for the file size. Restarted the server and it failed saying ...

java.lang.NumberFormatException: For input string: "9999999999"

So to correct this error I have got two options

1. Changing the System Configuration file using the lh console command

Go to wshome\bin
Execute the following commands:
./lh console and press enter
You'll get to the configurator> prompt
At the prompt, type
export -v c:\syscon.xml CONFIGURATION
now open the file c:\syscon.xml and scroll down till you find the required attribute to change.

Change the value of 9999999 in the line to 512 and save the file.

Now at the configurator> prompt, type the following command and press enter:
import c:\syscon.xml

Reboot the appserver and launch the idm web application.

To generalize, we can change any of these configurations this way.
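A pre-import check for the edited export, as an added example that is not part of the original post or of Sun's tooling: it flags integer attribute values that a 32-bit Java int cannot hold, assuming that is how the value is parsed, which is consistent with the NumberFormatException above. The sample XML is constructed; apart from maxFileSizeKB, its element layout and the names maxFileCount and fileName are hypothetical.

```python
import re
import sys
import xml.etree.ElementTree as ET

JAVA_INT_MIN, JAVA_INT_MAX = -2**31, 2**31 - 1
INTEGER = re.compile(r"[+-]?[0-9]+")

# Constructed sample; only the Attribute name='maxFileSizeKB' pattern
# comes from the post, the rest of the layout is hypothetical.
SAMPLE = """<Configuration name='System Configuration'>
  <Extension>
    <Object>
      <Attribute name='maxFileSizeKB' value='9999999999'/>
      <Attribute name='maxFileCount' value='5'/>
      <Attribute name='fileName' value='trace.log'/>
    </Object>
  </Extension>
</Configuration>"""

def find_int_overflows(xml_data):
    """Return (name, value) for every integer-valued Attribute element
    whose value is outside the range of a 32-bit Java int."""
    bad = []
    for el in ET.fromstring(xml_data).iter("Attribute"):
        name = el.get("name")
        value = (el.get("value") or "").strip()
        if name and INTEGER.fullmatch(value):
            if not JAVA_INT_MIN <= int(value) <= JAVA_INT_MAX:
                bad.append((name, value))
    return bad

def main(argv):
    # With a path argument, check that file; otherwise check the sample.
    data = open(argv[1], "rb").read() if len(argv) > 1 else SAMPLE
    bad = find_int_overflows(data)
    for name, value in bad:
        print(f"{name}={value} does not fit in a Java int (max {JAVA_INT_MAX})")
    return 1 if bad else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run against the edited c:\syscon.xml before the import step, a non-zero exit status means a value would still fail to parse at startup.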

2. Editing the MySql repo

1) SELECT * FROM object o where type='Configuration' and name = 'SYSTEM CONFIGURATION';
2) Go to the xml column at the very end of the table and look for the string pattern "Attribute name='maxFileSizeKB'". Get the exact number of 99999s that you plugged in.
3) Run the following update to do an "in-place" update. (I have updated the file size to be 1KB - 1024. Replace with the number of your choice.)
update object set xml=replace(xml, "", "") where type='Configuration' and name = 'SYSTEM CONFIGURATION';

Hope this information is useful to the IDM fraternity.

November 21, 2007

Sun Positioned in Leaders Quadrant for Web Access Management

Image Source: Gartner's Website

The picture does the talking. SUN's Access Manager is listed in the leaders quadrant in the Gartner's magic quadrant for Web Access management. Sun Access Manager is a key product in the SUN Identity Management Suite.

Give a read on what experts have to say ...

1. Gartner

2. SUN

3. News Link

com.mysql.jdbc.PacketTooBigException

Did you ever get this? I got it when I was working with Sun Identity Manager. The best solution is to edit the MySQL file my.ini (Windows) to add the max_allowed_packet parameter under the [mysqld] section and restart the MySQL server.

# SERVER SECTION
# ----------------------------------------------------------------------
#
# The following options will be read by the MySQL Server. Make sure that
# you have installed the server correctly (see above) so it reads this
# file.
#
[mysqld]

max_allowed_packet=32M

November 14, 2007

SUN's strength in Role Mining just got bigger and better - acquired Vaau

SUN just acquired VAAU.

Vaau's solution is very good at Role Mining and Role Classification, the RBACx product suite is very robust in this respect. However Vaau's solution is always dependent on some Identity management solution like SUN Identity Manager.

As I wrote in a previous blog post about the strength of SIM 8.0, it would be very strong in role mining, role engineering etc.

The acquisition of Vaau really completes Sun's story around Enterprise Identity Management and Role-Compliance and will keep Sun in the forefront of Enterprise Identity Management.


November 12, 2007

What is org.apache.jasper.JasperException?

I have been successfully running an instance of the SUN Java Identity Manager 7.1 for a long time. Suddenly one day, after I rebooted my machine, I saw this error.


I am very curious to know why exactly this happens with something which was working perfectly.

I shall post the solution once I find it, however if someone can throw some light on this it would be great. Thanks

November 9, 2007

Happy Diwali


Happy Diwali to one and all.

May this festival of lights bring prosperity, peace, love and success for everyone.

About Diwali: The very reason why we celebrate this festival is to mark the victory of God/Good over evil. Two different stories that we hear are ...

1. A few people say it's the day when Lord Krishna along with Lordess Satyabhama fought and killed Narakasura.

2. Few others say, that Lord Rama killed Ravana and liberated Lordess Sita this day.

That is the piece of information I know :-)

Anyway have a great festival.

November 6, 2007

HP Security Handbook

Was just reading some blogs and suddenly found this.

This handbook contains a chapter on Identity management. I should say, it's lucid and wonderful. To read the other contents ...

October 31, 2007

Happy Andhra Formation Day - November 1st

Every time we get holiday on November 1st, sure everyone born in Andhra Pradesh remembers Sri Potti Sriramulu garu.

Is remembering him enough? Does enjoying a holiday alone make us proud and responsible Andhrites?? I am sure we all don't think so. This person gave up his life just to bring this state to us. He gave up food, water, shelter, comforts, everything for us. Today the state proudly boasts of big time IT parks, huge growth in infrastructure and many other goodies. However, to the very truth, today there are many Potti Sriramulus out there who don't have water to drink and food to eat.

All of these people (freedom fighters) brought us freedom which we couldn't handle properly. Who ponders about this? I am sure all of us do, in our offices, at cubicles, at social gatherings etc. Then why don't we have the right results? Because actions are pending.

The first best action which we all should implement is ... I think, we should vote. Every time there is election, wherever we are in India, we should make a point that we go back and vote, because we are educated enough to choose the right leaders.
The second best thing we can do is to save the natural resources like Water, Food, Vegetables etc.

I thought to mention my thoughts this way about a great day.

JAI TELUGU TALLI

October 23, 2007

Puzzling???

I have been to Visakhapatnam recently. I took a pic at the airport. Can you see the picture clearly and make out what's wrong there?


Ok, chance 2.


Got it? The emergency exit door in the airport was locked with a big steel lock. I just wonder how they got the idea of locking the emergency exit. This is how things are.

October 21, 2007

Is it really necessary to show verbal aggressiveness?

I think Indian cricketers are putting up a bad show. Why should somebody show facial aggressiveness or be aggressive verbally? Actions of the game are the ones which are supposed to be spoken, rather than shouting or using abusive language on the other team.

Phlegmatism should be practised by our team. When they are on the international stage they need to follow the law and rules. If the other team resorts to verbal aggressiveness and uses abusive language, the team is expected to lodge a complaint with the authorities. Or, if the example of Arjuna Ranatunga be taken, he asked his entire team to leave the field quietly when Muttiah Muralitharan was given no-ball thrice, mentioning his action wasn't right.

Similarly our countrymen can simply walk away from the field saying they used abusive language rather than retaliating in the same fashion. If done so, what difference exists between them and us?

My fellow countrymen, we are professionals and let's be so.

October 10, 2007

What is BSI according to Germany?

BSI is a kind of organization in Germany which is equivalent to NSA in USA. It is trying to provide standards and guidelines to all the government organizations as well as private organizations in their country. The countrymen who designed Enigma now have an organization something like NSA. Does that mean we are going to see new algorithms replacing Triple-DES etc?

Also there is a new framework coming up from SOx especially for Europe called the EuroSOx. People argue it would be similar, however.

CEC - SIM v7.x?

Are you hanging with any version other than 7_1_1???? If you are, then get ready to be completely outdated soon. Yes, you got it right ... it is Sun Identity Manager 8.0, set to release very soon.

I have written the new features of 7.1 after it got released. This time I have the privilege of writing about 8.0 even before its release. The top best feature of this version would be Role Management.

Features:

Flexible Role Modelling
Bi-Level RBAC
Business Roles
IT Roles
Also provision for Multilevel RBAC
Offers Role Subtypes, defaults being Business, IT, Application and Asset
New Sub-Types can be created
Extended attributes on Role Subtypes

Now you will also be able to search on Role Subtypes, for example "all application roles" etc.

New Role Features ...

Activation:
  • Required: Get activated directly
  • Conditional: Rule based, i.e. if the user object is getting an update and it requires few other privileges then it is allocated
  • Manual: Implicit
Role start date and End date: What other granularity can one ask for?

Role Change Approval Process: If the actual Role definition itself is set to change then it should go through an approval process.

These are very few of the amazing features of 8.0. Keep waiting for it to release.

SUN Identity Manager rocks.