Wednesday, December 20, 2006

TAMeB 1st Timer

I'm now in the process of building TAMeB in my sandbox environment. I'm starting out basic with just a TAM Policy Server, Authorization Server, and WebSeal. I'll install these on 3 separate VMs. My TDS Servers are already built and clustered at my dc=MyOrg container. The only thing I'm not sure about is where I should install the Web Portal Manager for TAM. I guess I could just install it on the Policy server for now, but I'm not sure if in production this should be on it's own box or if I can simply install it on some existing WAS server or not. I've already got WAS running on the TIM server as well. Seems like WAS is quickly proliferating around my test environment.

I ran into an error at the end of installing the TAM Policy server. The installation completed with errors and when I reviewed the msg__ammgr_install.log I found very little telling why. This is really all I could see in the log:

(Dec 19, 2006 7:44:26 AM), Setup.product.install, com.tivoli.pd.install.ez.EZ_IsProductConfiguredCondition, dbg, EZ_IsProductConfiguredCondition.evaluateTrueCondition found .configure//opt/PolicyDirector/.configure/PDMgr-PD : false

I then began playing around with the pdconfig tool. This is a really nice tool which quickly allows you to unconfigure and reconfigure your policy server. What I found was when I tried to reconfigure the policy server this tool generated errors that were much more informative than the log. Essentially I was getting LDAP errors that indicated an object wasn't found or a suffix was not found or something to that effect. Whatever it was it led me to a developerworks posting that seemed similar. The fix was to to manually add the suffix secAuthority=Default in my TDS server. Once I took care of that the configuration of the Policy server completed successfully and it started up fine as well. Not sure why I had to add that suffix manually. I'm running TDS 6.0.

The authorization server was my next step and sure enough by the time I completed that installation, I had new errors to deal with. More on that later.

Saturday, December 16, 2006

For a good deep mental exercise...

How does an organization begin to implement role based access control (RBAC)? If your entire enterprise is based on discretionary access control and an implementation of Identity Management begins to take shape you must at some point deal with how to define roles. Apparently this is no simple matter. I ran across a good blog posting on Archie Reeds Secure Identity Management blog here. Archie talks about a panel discussion at Digital ID World this past September. Very interesting. For those looking to implement RBAC (which would likely be anyone doing an Identity Management project) the NIST site might be a place to start:

I'll be looking for all the resources I can get on RBAC over the coming months. It seems that this could be quite a science.

Tuesday, December 12, 2006

High Level Architecture TIM/TAM

This drawing shows how TIM and TAM are connected. Basically the feeds from the HR zone send the identities to ITIM. From there ITIM connects to applications as well as TAM via adapters to create accounts according to policy. The transaction database connected to the TIM (WebSphere App) is where all the audit tracking info is stored (who has access to what and who approved that access). The TIM LDAP is actually a TDS server(s) with all sorts of special objectclasses and attributes used by TIM. This should not be used as your enterprise LDAP and should be dedicated to ITIM. TAM is actually a managed resource as far as TIM is concerned so an adapter is used to connect TIM and TAM.

High Level TAM Architecture

As we have been gathering information about our applications and trying to flush out special attributes and group information that these applications require we are starting to develop our high level TAM architecture. If you click the Read More you will see what we have come up with so far. At least this is what we are trying to achieve with the access management system. As we continue on through the discovery process we will alter the drawing as need be. Using this as a guide really helps when trying to explain to application support people what it is we are trying to do.

Although not having a full understanding of TAMs capabilities is tough. I'll be learning more in the days and weeks ahead. I'm beginning to get more interested in more "down in the weeds" stuff like what does it really take for an application to be "TAM enabled". How exactly does the Access Control info get passed to the application and such. More on that later...

High Level Architecture:

Saturday, December 9, 2006

Made a new friend this week

One of the things I like about working with IBM software is you get to meet some really smart and talented people along the way. This first phase of our Identity and Access Management project is the architecture phase. Since we've never done anything like this before we commissioned Strategic Computer Solutions (SCS) to help guide our way to implementation. They in turn brought someone out from the Tivoli Software Group for the project and this guy really knows his stuff!

Ram Sreerangam pronounced "Rom Shri-rung-gum" flew into Buffalo from Boulder this past week to give us a hand architecting the ITIM and ITAM solution. Even though we've only just begun, it feels like we've made great progress already after talking to a number of application people and network people. At this stage of the game we're just getting the "lay of the land" really. So it sounds like we may have some capacity on our load balancing switches to help with clustering although we may still choose to purchase a separate device depending on how many ports we need and where in the network we need to locate the device. We were able to temper our expectations down to a smaller number of applications to start with as well which is really important for making the project manageable. When you protect an application with TAM it's important to remember that all users who use that application will be affected so trying to pilot this sort of thing with only a few users will require choosing an application that is only used by a few people. At first our thinking was we could get a whole bunch of applications and test with only a few people, but instead we must choose a few applications to start with and then add more applications as we go.

It looks like we will have to implement ITIM and ITAM together. Here's why:

Our production Portal is already using an existing LDAP (running Domino). There's about 30,000 users in that LDAP, but we intend to use TDS as the enterprise LDAP which will also be the TAM user store. Right now, all the users in the Domino LDAP use their Notes Internet Password for authentication into Portal. In the new enterprise directory we may not be storing this password (although maybe we will just to get people started). The main issue is that users will not have a way to administer their passwords without ITIM.

During some of our discussions with application people, we discovered that some of our applications are used by people outside of our usual security domain. Where it was thought that all the users of these applications were from our customers within our regional boundaries (and therefore our network) some applications are used by people outside of our normal boundaries (Internet). So these are candidates for Federation (FIM). We really did not want to deal with a FIM deployment at this time because it involves issues like the asserting party also having a federation product that we could work with. This really gets out of the scope of this project so we will either place those applications lower on the priority list for securing behind TAM and TIM or we may have to decide on a process for storing those Identities from the outside customers in our Enterprise Directory (TAM user store) which means we will have to maintain them.

Next week, Ram will be doing some documentation from Boulder and then he goes on vacation for 2 weeks. When he returns in January I hope to have already setup TAM in a test environment and hopefully documented some more applications for our data modeling effort.

It's also getting close to the time we will need to attend some classroom training for this stuff. Ram helped develop some of the IBM courses and he says the Labs are fantastic. I look forward to checking that out. For your reference:

Recommended roadmap for ITIM v4.6:

Classroom Training: Extending IBM Tivoli Identity Manager 4.6

Recommended roadmap for ITAM v6.0:

Classroom Training: IBM Tivoli Access Manager for e-business 6.0 Deployment and Administration

Classroom Training (optional): IBM Tivoli Access Manager for e-business 6.0 Customization

Been a while...

I've been waist deep in this Identity Management project for the past couple weeks so I haven't posted in a while. So here's what's been happening on that front:

The hardest part about a project like this is the analysis of your applications and network so that you can do proper data modeling and architecture of the solution. We have many different applications scattered all over the WAN and somewhere around 300,000 potential users not including the people outside our network boundaries that might touch an application. While there are many factors leading to how the ITIM organization tree should be defined there are a couple of key questions:

Who will be administering the system? Will you delegate administration to lower levels in the tree? How deep might you do whith that?
Where will roles be defined? Some roles can apply to objects in the subtree where the role exists so depending on how you design the tree could make assigning roles either more or less flexible it seems.

Analyzing applications is enough to give anyone a headache by lunch time...

For the identity and access management system we need to understand a few things about each application:

Who are the users that access your application?
How do they request access to that application and who approves of that access?
Are there different levels of access to the application?
How does that application determine who is in what access level? Groups? Attributes about the user?
Are there any special attributes about a user that the application requires?

Once we start to flesh out and document this information we can beging to do the data modeling - list the attributes and objectclasses we may need to include in the enterprise directory.

For the access management component we will also need to understand what type of application it is. .Net? Java? Mainframe? Is it known to work with Tivoli Access Manager? Is there a Tivoli Identity Manager adapter for it already or will we likely have to develop one? Does the application expose an api so that an adapter can be created for it.

Next week I plan to setup TAM in our sandbox environment so I'm sure to have something to say about how that goes.

Tuesday, November 28, 2006

My first placement rule!

All right I admit it's mostly borrowed from the example documentation. Thanks whomever wrote the docs, but basically my placement rule looks at the value of the location attribute for each user and based on that it assigns the user to a location in the ITIM org tree:

function getContainerName() {
var loc = entry.l.toString();
if (loc == 'E1B Education Campus')
return 'e1b education campus';
if (loc == 'Harkness Career Center')
return 'harkness career center';
if (loc == 'Kenton Career Center')
return 'kenton career center';
if (loc == 'Northtowns Academy')
return 'northtowns academy';
if (loc == 'Potter Road Career Center')
return 'potter road career center';
if (loc == 'Southtowns Academy')
return 'southtowns academy';
else {
return 'Other';
return 'l=' + getContainerName() + ',ou=erie1';

The only problem I had was trying to use wild cards. This code requires that there is an exact match to the value of entry.l so if someone had a typo somewhere I would end up placing them in Other. I was thinking that it might be nice to handle use say 'e1b*' instead of 'E1B Education Campus' that way it wouldn't have to be exact. That doesn't work however. Maybe there is function or method to the entry object that might let me do something like entry.l.contains or something to that effect where I might be able to get away with some wild card.

Anyhow, I'll play around with this more later. I have something working for now so I'm going to focus on getting some adapters installed and I'll re-visit placement stuff later.

Lotus Notes Adapter for ITIM - Some more guesswork

There is some pretty important information missing from the Lotus Notes Adapter for ITIM Here:

1.) Create some Domino databases for the Deny Access Log database and the Notes ID Address Book in particular. But no mention of what template should be used. So what will I use this for? Will I need any particular views in these databases? An IBM tech support rep told me blank databases should be fine. Well then, why didn't the document simply mention that?

2.) Create some Domino groups like, Suspend Group, Suspend HTTP Group, and Delete Group. Ya think they might mention why the three groups? I mean what's wrong with using one group? Is it that important to have these separate?

3.) Then the instructions tell you to install the Shadow Agent using setup.exe. This is wrong because the Shadow Agent is installed using setupShadowAgent.exe. Of course this fails unless you happen to have installed an old JRE that has probably reached end of life. Now if my latest and greatest JRE was fine for installing the adapter, what were they thinking when creating this shadow agent? BTW, the shadow agent did install once I downloaded and installed JRE 1.3.1_19.

I get the feeling that the instructions for this adapter was written by someone who has not done a lot with Domino either.

Wednesday, November 22, 2006

Using TDI to feed ITIM

The document included with ITIM 4.6 and TDI 6.1 on using an HR Feed to ITIM using the JNDI connector works pretty well. You should find this in the ITIM_HOME/extensions/examples/idi_integration directory as well as your TDI_HOME/examples/idi_integration directory. Make sure you go through the entire document. I figured I was done after being half way through it and the TDI assembly line never worked.

It's important to have the jndiSearchBase as part of the $dn for the users being imported into TIM. I really didn't get this as first, but essentially the users are being added to a virtual container in TIM, then TIM uses the placement rule to determine where in the tree to put the users. If there is no placement rule then they will be added to the root of your org tree. This virtual container is referred to as the Naming Context in the IDI Feed Service you create in ITIM.
You will set this exact value in the JNDI connector -> Search Base parameter. So you then need to get this added to the $dn for the users being imported. The document describes doing this in the feed:

So in my case UpdateITIM is my JNDI connector and jndiSearchBase is the parameter that contained dc=HRLoad. I suppose I could have just hard coded this as well, but it's probably going to get more complicated later anyhow since I may have to create multiple IDI Feed Services for the many identity sources we will be using. Depending on how we actually lay out the org tree and how complex placement rules would need to be we may find the need to use more that one JNDI connector and multiple corresponding IDI Feed Services.

Then again, I haven't started playing around with the ITIM reconciliation stuff yet.

Tuesday, November 21, 2006

Directory Design - What to do about duplicates

We are in the architecture phase of our Identity Management system and one of the haunting questions we have yet to get answers for is "What do we do about duplicate user names?"

Since we will be pulling user names from over 100 identity sources to populate a single ITIM there is a high probability there will be multiple people with the same name. First of all none of the source systems are synchronized in any way. So we will likely have duplicate names across different systems, but many of these systems also allow duplicate user names as long as the two users are not in the same OU. Since the OUs in the source system will not be anything like the OUs planned in the target system we have to devise some process for dealing with duplicate user names.

ITIM seems perfectly happy creating two identical users in the same OU since in each case the user DN will be unique. ITIM uses the erglobalid to uniquely identify the user in the DIT. The problem with this is that you have to have a way to tell the difference between two people with the same name. When defining static and dynamic roles choosing the correct user name is important.

I hope to learn more about this as we go through this design phase with our consultants (people we assume have done this before).

Monday, November 20, 2006 Server returned HTTP response code: 401 for URL:

OK so we got a step closer today with using TDI 6.1 to feed identities to ITIM. After applying FP0025 and IF0028 to ITIM I can now connect to ITIM using the JNDI connector in TDI. The only problem is when I try to run the assembly line it fails with the error message above. It seems like it has something to do with the URL, but I'm using what's suggested in the example documents. BTW, the only place I've found an actual example of setting up the connector to ITIM is in TDI_HOME\examples\idi_integration. There's an HTML document that shows how to do this, however it's assuming you are using TDI 6.0. I understand that it may be pure luck to get this to work in TDI 6.1, but IBM hasn't told me this can't be done so I'm going to try anyhow.

I did install TDI 6.0 on another machine I have sitting near by. If this trouble drags out too long I may just try doing this on the other machine.

Sunday, November 19, 2006

ITIM 4.6 IF0028 Released

This should fix my problem with TDI 6.1. The good people at IBM Tech Support came through in a pinch on my problem with the JNDI connector. So tomorrow I'll get going on that. A few prerequisites are required. First ITIM 4.6 Fixpack FP0025 must be applied. Also TDI 6.1 FP0001 is required.

And so we go...

Friday, November 17, 2006

Cannot instantiate class:

Now that I've had the time to play around with the ITIM organization tree it seemed like a good time to experiment with feeds. First I created the organizational units and locations needed to contain user accounts. I created some roles and services one being the IDI Feed service (DSMLv2). I have to say that the documentation with TDI and ITIM talks about the planning items that go into choosing a feed type and such but it's nearly impossible to find a document that shows you exactly how to do this step by step. I am taking some of the Tivoli on-line courses to get familiar with ITIM at and they have a nice lab on setting this up. Problem is it's using TDI 6.0. I'm using TDI 6.1. So as the lab tells you to create an event handler this is not possible in TDI 6.1. So I proceed to improvise.

The TDI 6.1 documentation does not have a section on how to connect to ITIM. You would think that someone would have included a section like this, but hence that is not the case. I found one place where I could find help and you wouldn't know it's there unless you remembered to check the TDI 6.1 install directory. In there is an /examples/idi_integration/ folder. I found examples of how to use the JNDI connector to connect to ITIM. but guess what. It doesn't work.

The ITIM DSMLv2Connector code (ITIM's dsml2 JNDI driver) was removed from TDI in the 6.1 release. Why the big mystery. According to IBM they are working on a fix for this which should be available in the near future. So what the heck do I do in the meantime? I don't know how easy it is to run TDI 6.1 and TDI 6.0 on the same machine, but that sounds like a hassle I would like to avoid. I really don't desire setting up a whole separate machine for TDI 6.0 either but I'm not sure I will have a choice. It just irks me that this stuff does not work better than it does. It's bad enough that we need specific patches and fix packs for every single component in order for things to work. Nothing works out of the box and then you think going to the latest version of software is a no brainer and surprise!

Stay tuned.

Tuesday, November 14, 2006

CTGIMO020E The transaction is rolled back

I was working with ITIM 4.6 today creating Organizational Units and Locations. Then I figured it was time to create some users. When I added the user and then clicked submit I received this error:

Error Page
Error message: CTGIMO020E The transaction is rolled back.
Detail: {0}

Luckily I was using Firefox or I would have encountered an even more useless error message from IE like "The Page cannot be Displayed". Internal Server Error".

After some research and some help from IBM, the problem truned out to be the WebSphere Embedded Messaging.

Transactions such as adding users will use the ITIM workflow engine which relys on MQ. If MQ is not running then you will get these error messages in your browser. So when I typed:


I got the following:

QMNAME(WAS_tim1_server1) STATUS(Ended unexpectedly)

So it looked like MQ was hosed. IBM sent me the following technote for Unix which solved the problem:

DCF Document ID: 1243466 - IBM Tivoli Identity Manager: Manually re-create the ITIM 4.6.0 Queues (MQ 5.3 and WAS 5.1.1) on UNIX

Problem Desc: From time to time, it is necessary to re-create the ITIM Queues that reside in MQ Series.

Solution: In the commands shown below - typical values for parameters are:


Thursday, November 9, 2006

"Man does not live by bread alone"-- he needs knowledge

Wrapping your brain around a complex Identity Management project during the design phase can be really tough especially if you have never done this sort of thing before. What should our suffix be? Where should the users reside in the DIT? What roles do people have? What IT resources do we want to include in provisioning? Are there existing adapters for those resources or do we have to develop them? How many servers do we need? How many people will it take to manage this? Where do we start?

Over the last year my colleague Andy and I have spent most of our time learning how to develop assembly lines in Tivoli Directory Integrator. The initial focus was on pulling user identities from a few different sources to populate an LDAP. At the time we weren't really sure if we were going to buy ITIM or ITAM or anything else for that matter, but one thing was for sure. Our Portal applications could not authenticate our staff, customers or partners without an LDAP containing all of their identities. Going after low hanging fruit we decided that our customers Active Directories, Novell Directories, and Domino Directories would be the easiest places to get their Identities since they are all standard LDAP servers and we can develop our TDI assembly lines to detect changes in each of those sources and then populate the LDAP.

All this changes with ITIM in play. My whole vision of the directory hierarchy is now different. Maybe now I'm a bit more confused or unsure of what the DIT should look like. In fact we were so concerned with what the LDAP was going to look like before, now with ITIM I'm not sure it really matters any more. Once the TIM organization layout is in place should we really care what the layout of the LDAP looks like as far as Portal is concerned?

After printing 9,000 pages of documentation for TIM and TAM on top of the 3,000 pages we had already printed for TDI and TDS we find that the tough part is wading through all of it in search of the pieces that matter the most. The design stuff is all theoretical and if you can't get through that then it's going to be tough actually setting up a TIM. There's some good IBM Classroom courses, but the times and locations are not always convenient. If your lucky you will hook up with a good IBM Business Partner who has the staff to do this knowledge transfer.

We're working with Strategic Computer Solutions, Inc. (SCS) based out of Syracuse, NY. These people are a well known IBM business partner and they really know their stuff. Through them we also got to know the folks at Software Productivity Strategists, Inc. (SPS) out of Rockville, Md. Another group of highly talented people we found that if it wasn't convenient to go to an IBM training facility for Tivoli courses, you could pay SPS to send a trainer to your location. Now, I'm sure SPS isn't the only place that offers this option, but I'll just say that they have a Tivoli Security expert on staff that is one of the best trainers I've ever worked with. I'm not talking about someone who has done nothing but train people all his professional career, but instead someone who is in the real world implementing Tivoli software in very large enterprises and government entities who then brings that experience into the classroom. And I'm sure being a college professor in the computer science domain doesn't hurt either. The IBM courses are a huge help if you can get them one way or another.

But if you cannot take the courses or if the courses are scheduled weeks or months away you can get started with some on-line courses from Computer Generated Solutions. I recommend these to anyone just getting started with the Tivoli software. Even before you meet with consultants if you can take these on-line courses it will help to provide a sort of level set with what all the software components do, how a simple system is set up and if nothing else you will begin to get the lingo down so that you have half a clue when the consultants show up. I've taken the on-line courses for Tivoli Directory Server (TDS), Tivoli Directory Integrator (TDI) and now I'm going through the ones for ITIM 4.6. The TDS course was pretty good. It answered some of my questions about the basics, but it did not help me get a cluster working, TDI is tough. The on-line course for TDI will help you understand all the components of TDI and the lingo, but its a bit of a stretch to think you will be able to write really functional assembly lines after taking it. I'm finding the on-line courses for TIM to be very good. I recall several "Ah ha" moments during these courses so it seems they are working. Don't get me wrong, these are not replacements for Classroom courses, but they are a great way to get started and I think they are really good precursors to the classroom courses. Also, CGS is really easy to work with as far as payment goes. Our company does most things via PO so CGS allows you to enroll in the Tivoli courses specifying the payment type as being a PO. Then they email you the invoice so your business office can generate a PO and all of this can be transacted electronically so you can access the courses in no time.

As far as training goes for Tivoli, I usually like to buy books and CBT's. For topics like Microsoft Active Directory and Novell NDS and Java, etc... there is tons of options at or Barnes & Noble. What's a little frustrating is that the only thing I could find on Tivoli Security is from IBM's web site (Redbooks and product documentation). IBM Press doesn't even have any good books on the Tivoli Software which I find disappointing, They have a great book at IBM Press for DB2: Understanding DB2 Learning Visually with Examples by Raul F. Chong, Clara Liu, Suylvia F. Qi, and Dwaine R. Snow. It baffles me why no one wrote a book like this for ITIM and ITAM. Oh well, your best place to start learning this stuff is here: Tivoli Education Website

Good luck and happy learning!

Tuesday, November 7, 2006

IBM Tivoli 4.6 Installation on Linux HowTo – For Beginners

I finally finished the document I was working on describing the step by step instructions for installing ITIM 4.6 on Linux. This is a very simplified approach to installing ITIM and is realy just designed to get the system up and running quickly so that one can begin to learn how ITIM works. I found IBM's documentation to be a bit complex and in several areas it was unclear. On my test system I chose to install all the components needed (DB2, TDS, WAS, and ITIM) on one box just to make this as simple as possible.

Hopefully this helps someone out there who's just starting to learn Tivoli Identity Manager for the first time. I know I could have used it. You can get the PDF here --> {Link}

Thursday, November 2, 2006

AMQ6090: WebSphere MQ was unable to display an error message 20006220

So have you ever heard of software generating an error message saying it was unable to display an error message?

This is what I ended up with after finally getting through all the WAS 5.1 fix packs. The ITIM 4.6 documentation claims that it requires WAS 5.1 with Fix Pack 1, Cumulative Fix 3, and APARs PK00346, PK02976, PK02640. Wow, that's a mouth full of fix packs. I installed WAS with the embedded messaging and one of the tests for a successful install after applying all the fix packs is to start WAS and then check to verify that the embedded messaging queue manager is running. When I typed dspmq I got the brilliantly informative error message. Or should I say non error message?

IBM Technote #1182138 describes a bunch of steps to take if you are running SLES 9 for your WAS 5.1 server. Most of the steps are just temporary until the aforementioned fix packs are applied. One of the optional steps was this:

export LD_ASSUME_KERNEL=2.4.19

In the technote you could export this variable or you could do this:


I opted for the later in my install and never did the export until I tried verifying the installation. So a bit of help from Google and it seems the technote failed to mention that the export is actually necessary to allow the embedded messaging queue manager to run.

Oh well chalk it up to the completeness of IBM's documentation or the lack there of. Bottom line is...

Do the export. And do your self the favor of adding this to a /etc/bash.bashrc.local.

Should we add the dominoPerson objectClass to our users just for a couple of attributes?

This question has been nagging me for a while now. We know that if we want to provide presence awareness in WebSphere Portal for all authenticated users that we will likely need an attribute for that users' Sametime server. There are a number of attributes that we will likely need from the dominoPerson objectClass for our users in LDAP. So does it make sense to have all users inherit the dominoPerson objectClass or would it be better to add those specific Domino attributes to our custom objectClass for users?

One thing I noticed in testing was that our user objects have many attributes we probably wont use since they inherit the dominoPerson objectClass and I can see that many of these are redundant. Some of them already exist in the other objectClasses such as person or inetOrgPerson.

Wednesday, November 1, 2006

Identity Management as a service

Interesting conversations today with our senior tech staff and network experts. Since we are an Internet and application services provider one of the questions that have been on our minds for some time now is; Can we provide identity and access management to our customers using the Tivoli Security software and if so when and how?

We heard from a few people who conveyed a few different problems that we need to deal with.

1.) Users at our customer sites need to log-on to secure wireless networks. For the last few years as wireless networks were initially deployed at these sites there was little to no security. Accessing the network was wide open in many cases. Since then there have been steps to require authentication to access the network. This has been done by having our Nortel equipment authenticate the users via a Radius server which in turn uses an LDAP at the local site. Customers quickly saw a problem with requiring log-on first to the network and then a second time to the local file a print systems (AD or Novell). To solve this the customer sites are implementing SSO solutions so that when a user logs on to the network they are automatically authenticated to the local file and print system as well. Problem is that some systems like Novell require the purchase of Identity Management software since they do not expose their system to integrate with any other SSO solutions.

2.) In some cases customers have already deployed Identity Management solutions to achieve local goals. One driving force is the synchronization of identities, demographic information, etc.... In building our central Identity Management system using Tivoli software we will obviously incur software licensing costs for each managed user internal or external even though those customers may already be paying for an Identity Management system locally.

So problem 1 above is really an access control issue more than an Identity Management issue, however in some cases (Novell for one) customers may find that the only way to solve it is by purchasing Identity Management just to use the specific feature they want to solve the problem.

Problem 2 could be solved if we fast track an Identity and Access Management solution in a model that will solve the problems at customer sites. This would likely result in lower costs for Identity and Access Management in the long run, however this is probably not feasible if customers are looking for solutions today. As it is our pilot project including 7 customer organizations only addresses provisioning users to our own web based applications surfaced via WebSphere Portal. Currently none of the customer located IT systems are in the scope of the current pilot. The architecture project for the pilot is scheduled to occur starting in December 07 so it seems that it could be a while before we are ready to offer Identity Management solutions to customers.

So can we architect our ITIM solution to provide Identity Management to our customers? I understand that in ITIM there is the concept of a multi-tenant configuration which implies that you might have multiple organizations possibly in one ITIM. I thought I heard that IBM was trying to move away from that, however I could be mistaken. This sounds like the approach we may want to take. Our organization as it is sort of is an org within an org with the IT division being one of those orgs. So we could do something like:

->IT Org
->Our Org
->Customer Org1
->Customer Org2
->Customer Org3

I imagine that we could contain all managed users within the appropriate org container and at first the managed resources would be only those that we desire to deal with from our IT Org's perspective. When we are ready, then we could potentially add managed resources at customer sites into the ITIM as needed.

I think some other things we need to consider is what's between the ITIM and the managed resources. Our customer sites are primarily located on our broadband network so there is good capacity between our data center and the customer sites. However, there is the possibility that something breaks that connection and then the managed resources are not accessible from the ITIM. Maybe this is more of a problem for the access control solution than the Identity Management solution.

WAS 5.1 install actually worked

As my luck continues to be good or at least maybe I'm reading instructions better the WAS 5.1 install actually went successfully. I resorted to reverting back a snapshot and starting over. This time I remembered on key ingredient


Seems if you are using SLES 9 there is an embedded messaging issue that can be worked around with this little command. This is only an issue with WAS 5.1.0 so once the 5.1.1 PTF is applied it's no longer a problem. See technote.

One other thing. Do a ulimit -s 8196 in your shell session before you install.

More later.

Monday, October 30, 2006

On Track - ITIM 4.6

My ITIM installation is going much better now that I've had a chance to start from scratch a few times. VMWare is so invaluable here. I've got a clean Linux server with all the ITIM software downloaded and extracted. I created separate directories for all the components so that everything we need is easy to find. I'm running SLES 9 with Service Pack 3 applied as recommended by at least some of the components.

The DB2 install went great the 3rd time I tried it. Looking back now I think one of my problems was caused by applying Fix Pack 1 for DB2 V8.2. The fix pack installed just fine, however I believe I forgot to update the instance I had created prior to installing the fix pack. The stupid thing is that the error message you get when you try to start db2 does not give you any clue that the fix pack had anything to do with it. You have to run db2iupdt on each instance after applying a fix pack. It sure would be nice if IBM would just make that automatic when applying the fix pack in the first place. Anyhow, there is probably good reason for the way it works.

Once I was past all the DB2 stuff, the next component to install was TDS 6.0. There's a few other gotcha's with TDS, but for the most part if you follow the instructions carefully it will work pretty well. There are quite a few steps to do this right and for TIM you have to configure the referential integrity plug-in towards the end. A few of these steps can really cause you problems if you don't plan ahead and document things properly. Before installing any software I had already created all the user accounts I needed for the DB2 Admin, the TIM user, TIM Instance owner, and the TDS Instance owner. I documented each before hand so that during the install things would not get confused. So far so good. I'm at least part of the way through this. WAS is next and then TIM after that.

I'm documenting all the steps as I go and capturing screen shots as well. I'll call these my "newbe" ITIM instructions. Maybe they will benefit someone in the future. I'll post them as soon as I get through this and clean them up. So far the instructions are already 45 pages long, but there's quite a few screen shots.

Thursday, October 26, 2006

Don't sneeze.... Don't even blink....

Round two. Second verse same as the first. I got no where with my TIM server since the TDS part of my installation just tanked. Not sure what the problem was, but since the TDS server would not start in anything but config only mode and I could not add the suffix to the directory I decided to attempt to remove the database and instance then re configure. This just kept getting worse and worse. I tried using the idsxinst tool and it looks like somehow I may have removed the instance with out the database. And once that was done, there was no way to get rid of the database from what I could tell. If I re-installed TDS and tried to create another instance and database with the same name, this failed. I decided it was time to start over.

Gotta love VMWare. Thankfully I simply reverted to my snapshot and I was back in business. Only I had to install Firefox and then the java plugin so that I could use the IBM download director to download all the Tivoli code again.

Once I got all the code again I took another snapshot so that will save me time if I end up back at the beginning again.

So this is attempt #2.

A.) All my user accounts are already created:

db2inst1 for the ITIM Instance
enrole for the ITIM user
db2admin for the db2 admin account
db2fenc1 for the db2 fenced account
idsldap for the TDS instance

B.) Installed db2 8.2

This went fine. I configured the db2inst1 instance and the install completed successfully.

C.) Next, I logged in as db2inst1 and ran the db2fs (First Start). Just for kicks, I ran the Control Center just to make sure things looked like they were installed right.

D.) Then I installed the db2 8.2 fixpack 1. This went well.

E.) Now is where the fun began. Time to create the TIM database. My db name will be itimdb.

So you login as the instance owner (In my case db2inst1)
Then type db2 at the prompt. This will put you in the db2 Command Line Interface (CLI)

F.) Now I'm supposed to type:

db2 => create db itimdb using codeset UTF-8 territory US

What I actually typed was
db2 => create db intimdb using codeset UTF-8 territory US

And I saw this the moment I hit enter and just instinctively I hit ctrl-c or something to that effect and I exited the CLI.

People, this is not good as I found out about 15 minutes later.

I typed db2 again at the prompt so I was right back in the CLI

This time I typed what I was supposed to type and it worked just fine:

db2 => create db itimdb using codeset UTF-8 territory US

Next, I had to type a few more commands to setup the database:
db2 => update db cfg for itimdb using applheapsz 2048
db2 => update db cfg for itimdb using app_ctl_heap_sz 1024

Again, both of those commands went successfully.

Now it was time to stop and start db2. NOT.

Stopping db2 was fine, but when I tried to start db2 here's what I got:

10/26/2006 21:10:26 0 0 SQL1042C An unexpected system error occurred.
SQL1032N No start database manager command was issued. SQLSTATE=57019

This was about the point I wanted to scream, which is why I say don't sneeze and don't blink when you are setting this stuff up. It seems that one wrong move and you just blew up your database. I've looked at the db2diag.log file for some help and it basically shows some severe entries on the intimdb. It seems that maybe my whole instance is hosed. I've tried a lot of things so far, but nothing I do seems to make a difference.

I may just be getting set to start all over again.

Maybe the 3rd time will be a charm?

Monday, October 23, 2006

Problem with TDS 6.0

OK, I know this whole install is not starting off well, but I'm sure it's just a couple of oversights on my part somehow. First of all I'm missing a bunch of files from the /opt/ibm/ldap/V6.0/sbin directory, one of them being idscfgdb. I've installed TDS successfully at least 4 or 5 times so this should not be a big deal. I think it's time to go back to the TDS install documentation and try that route unless I can figure out how to fix this. More tomorrow...

Tuesday, October 17, 2006

TIM Server

It's been a few days since I've posted, but with the weather related issues going on around here there's not much to talk about besides the weather. The past few days I've continued to work on getting TIM installed on our test server. I'm just installing everything on one Linux server for now just to try and keep it simple. Yet, this so far has not been so simple. DB2 installed OK it appears, but then when I got to the steps to install TDS things started going south. I sent this to IBM Tech Support just to get another set of eyes on the problem.

I'm following the instructions for installing ITIM 4.6, more specifically the IBM Tivoli Identity Manager: Server Installation and Configuration Guide for WebSphere Environments. So far this experience has left little to be desired. Chapter 2: Installing and configuring a database was not too bad. We installed DB2 successfully although the step to run db2fs does not work. We just got an error. I forged ahead and successfully created a database for ITIM and db2 started up ok etc...

Next the instructions say to install TDS 6.0. This code came from the passport site bundled with ITIM 4.6. It's included with one of the supplemental packages. When installing TDS it saw that DB2 was already installed. This process allowed me to create an instance (idsldap) and it automatically created a Linux user and group with the same name. Next, I applied FP 00003 which I downloaded from the support web site. At this point the instructions say to stop and start LDAP using ibmdirctrl -D admindn -w adminpw -h hostname -p port, etc.... This doesn't work. It just says something like "can't contact the ldap" or something like that. Also in the instructions it says to create the suffix using idscfgsuf . This doesn't work either. I can't even find any file on the linux machine with this name at all. While the instructions don't say to do this, I opted to try creating the suffix using idsxcfg instead. This worked just fine as I've done it this way in the past. Finally since starting the LDAP does not work using ibmdirctrl I instead started up LDAP using idsslapd - I idsldap. This worked, but the LDAP would only start in configuration only mode. Now I figured that maybe this is because the suffix name still has to be added to the directory. So next according to the instructions it says to make an ldif of my suffix and do an ldapadd. This too fails. Then I figured instead I'll try starting up the web administration tool and add it that way. Again a failure. The web server starts up, but when I try to web to the server on port 12100 I get a "page cannot be displayed".

My intention was to get an ITIM server up and running to learn it. We are starting the architecture phase of our project in the next 3 weeks, but in the meantime I wanted to learn. My plan for this test system was to install DB2, WAS, TDS, and ITIM all on the same box. Simple enough I figured. How wrong was I about that? I would hope that I don't have to hire an army of IBM professional services staff to install this test system.

Saturday, October 14, 2006

Buffalo get's pounded...

Wow, no one was ready for this one! Thursday evening we left work around 4:00pm. It was snowing, but not too bad. Traffic was slow though and we in my car pool were yelling at the slow pokes who forgot how to drive in the snow. Actually the roads seemed more like it was just raining because the snow wasn't really sticking to the roads yet. It was only 45 degress or so anyhow. Well as we got into Amherst it just got worse and worse. We stopped at our car pool spot and I cleaned off my car. The snow was so heavy it was like 4 inches of slush with a few inches of powder on top. Instead of going to the gym like I normally would on a Thursday I figured going straight home would be smarter because traffic would just be getting worse as the later it got. Good thing too because later that night people all over the Buffalo area started loosing power. We were fine at our house so I really didn't think anything of it.

The next morning though it was like Armageddon outside. The snow was just pounding the area and the trees and bushes were being flattened by the heavy slush/snow combination. I got up at about 6:30am thinking that I would still be going to work, but soon figured out everything was shut down. By mid day we saw reports that over 300,000 people were without power. Now usually a power outage in our area might last just a few hours, but the snow was bringing down trees all over Buffalo and the surrounding suburbs and taking power lines with them. I'll have to post some pictures as soon as I find a cable to transfer them off my camera phone. In the meantime pictures can be found:

Thursday, October 12, 2006

How easy is it to change the authoritative sources for Identities?

We had an interesting meeting today regarding our planning of the ITIM architecture. Since we are a service provider the initial goals of our Identity Management project revolve around delivering services to our customers. So we want to provision our customers to the applications they have "signed up for". We call it participation. If a customer participates in a service they are entitled to access a given application. Depending on what type of user is sponsored by that customer, they may have access to do certain things while others have access to do other things. In most normal Identity Management implementations the HR system is authoritative for staff identities. In our case we are building our ITIM with the identities of our customers as well as our own so what is essentially becoming the authoritative source for identities is some system that is easily accessible like an LDAP (Novell, Active Directory, or even Domino) where the bulk of the customer identities exist. But, what if later on we want to change this?

Some parts of our conversation today was about trying to see into the future. Lets say that today we want to deliver our customers to applications. So to do that we connect up to the customers' directory and pull out the Identities and attributes we are interested in to feed the ITIM. Since connecting up to that customers' HR system could be a political issue going after the identities in the customers' email system of file/print system is easier. Also, since many of these systems are LDAP's the connectors already exist in TDI to detect changes. So we can count on the customers to maintain their users as normal and as users get added or removed from their directories we will detect those changes and take action accordingly in the ITIM.

But, what if later on the customer asks us to provide a complete Identity Management solution for them using our existing ITIM. The relationship with our customers today make this a likely scenario since we are their primary technology service provider already. Maybe we would rather handle each customer on an individual basis doing a separate identity management project for each with separate ITIMs. Or, maybe it would be better to just architect our ITIM so that if we do choose to provide Identity Management to the customer sites we can do it with one big ITIM. This was one of the more complicated discussion items we are pondering. I think some more answers will flush out in the discovery phases of our Identity and Access Management project, but I thought it would be a good discussion item for the blog.

More fun with DB2...

OK so it really helps to do things right the first time. I finally did in fact install DB2 successfully using the Setup Wizard. Had a little glitch since I never dropped the original instance, but once I realized that we were in business. Still though the db2fs still fails and I think maybe it's a path issue. I think now it's time to read some more documentation. I would have made much more progress than this however half of the day I was in meetings. More tomorrow on this.

Wednesday, October 11, 2006

Fun with DB2...

Today I spent most of my day accomplishing very little. Our test environment for Identity and Access Management largely consists of a pretty beefy Dell server with loads of memory. We're running VMWare GSX Server so all of our test servers are VMs. I figured building a Linux server and downloading all the necessary software should be a simple enough task and largly it was except for a few issues getting software.

I am always remided why the world will be slow to adopt Linux on the desktop. After having the Linux server all set I needed to download all the Tivoli Identity Manager software from the IBM Passport site. It sure would be easier if IBM would make this stuff available via FTP. I generally build my Linux servers to boot to run level 3 since most of it's real use does not require a GUI. But when you download all the components needed for ITIM it's about 2.7GB of software and at least 6 or 7 components so using the Download Director is preferred. Problem is that requires the Java plugin for the web browser which in my case is Firefox. Of course with Linux installing this plugin is completely manual. BTW, I'm using SLES 9. OK so finally got beyond that point and downloaded all the software to the server.

Next, try and figure out what software is what when the downloaded files are cryptic names like C485PLZ.tar.gz. The ITIM documentation requires that you install DB2 8, WAS, TDS, and the TIM components. DB2 and WAS needs to go first since TIM will need to see that they exist. I'm planning to install everything on a single server for this first test to try and keep things as simple as possible although that's almost funny given this software. My first attempt at installing DB2 essentially failed due to the poor documentation. The DB2 accounts were created and I chose to use the db2 Install script instead of the wizard only because I didn't feel like running X Windows. I figure what the heck the text mode installer should work fine. Problem is the ITIM documentation didn't specify how to do this so I referred to my handy IBM Press book Understanding DB2. Nice book, but the section on installing DB2 shows you how to install DB2 using the install script, but after your done nothing works. It does not create an instance for you. When you try to run the db2fs to verify the installation I just got an error unable to find command: db2javit. WTF? Maybe I have to specify the PATH properly? Who knows. Moving forward I decided to see if I could create an instance. That worked, but DB2 would not start and still the db2fs did not work. The silly IBM Press book does not clearly show you how to do everything required to install and make db2 work with using the Install Wizard. So after burning several hours on this, I will resort to trying again tomorrow using the GUI.

BTW, I actually do have experience installing DB2, but by installing TDS and of course there was a wizard that sort of walked you through everything. Oh well maybe more success tomorrow.

Friday, October 6, 2006

Welcome to my blog

I have followed a number of blogs in the Lotus Notes world for some time and while my job over the past several years has primarily revolved around supporting collaboration systems with Lotus Notes and Domino, I have found myself dropped into the world of Identity Management as of late.

First, our organization started looking at building a better web presence and being able to deliver applications to staff and customers using WebSphere Portal. It was also a "no brainer" early on to integrate our Domino infrastructure into Portal since so many of our productivity applications were already in Domino. Another key to deploying WebSphere Portal was the fact that it needed an LDAP with our users and customers identities. It just so happened that our Domino infrastructure already consisted of a centrally located server with replica's of all our customers' Domino directories. Within a few days, I had a Domino LDAP up and running with 30,000 users that we could connect up to Portal for authentication. Way cool. The other benefit here was that our customers continue to maintain their Domino directories as they always have and as changes occur, our LDAP is updated automatically thanks to Domino replication. This would be a reasonable LDAP for the time being while we learn Portal and explore the possibilities for delivering our applications and services in new ways.

A year later we recognized what we had in the back of our minds early on. For one the Domino LDAP we had configured was limited to only our Domino customers unless we desired to manually add users and maintain them. Two, we expect to someday have maybe hundreds of thousands of entries in our LDAP and we were questioning the scalability of Domino for that purpose. Our IBM consultants recommended using Tivoli Directory Server and since it comes included with several of IBM's other software offerings it seemed logical.

Over the last year my colleague and I have spent a significant amount of time getting to know some of IBMs software for building an enterprise LDAP. Tivoli Directory Server and Tivoli Directory Integrator. This has been quite an experience. For those of you Domino experts out there, if you ever get the chance to work with TDS or TDI you will quickly be reminded how cool Domino is. Take replication for example. This is nothing for Domino. Creating a replica is one of the easiest operations. TDS on the other hand is far more complex and the documentation is severely lacking. I remember countless tech support calls before we were able to successfully get two TDS servers to replicate in a cluster. TDI is some seriously cool software. I'll have to post a separate entry about that, but as cool as it is we always ran into issues that made us wonder if this stuff was really ready for prime time. Either way our experience with TDI has been good and we have used it successfully to build prototypes for detecting changes in disparate systems and writing those changes to TDS.

After a year of this TDS LDAP, TDI and developing assembly lines to detect changes in directories and write them to an enterprise LDAP we recognized that building the LDAP was certainly not enough. We always new that access control and provision were going to be necessary, but in what order? Do you build the LDAP first? Provisioning system first? Access control? After countless hours reading talking with consultants, meeting internally trying to figure out our requirements, it was finally clear that Identity and Access Management was the next step to pulling all this together. We finally realized that our goal is to synchronize user accounts from many (as many as 100 or more) disparate systems to the Identity Management system and then provision those users to LDAP and any other managed resource including Portal and applications surfaced by Portal.

So here we are at the beginning of a very large Identity and Access Management project. As I mentioned at the beginning of this post I follow many very good blogs about Notes and Domino. After scouring the Internet for some good blogs about Tivoli security software, I have come up with really nothing even close to the blogging community for Domino. The only thing close is the Tivoli forums on IBMs web site. So, I figure maybe I'll blog about my experiences with Identity Management. With any luck I'll learn something along the way and possibly contribute in some small way.