Tuesday, November 28, 2006

My first placement rule!

All right I admit it's mostly borrowed from the example documentation. Thanks whomever wrote the docs, but basically my placement rule looks at the value of the location attribute for each user and based on that it assigns the user to a location in the ITIM org tree:

function getContainerName() {
var loc = entry.l.toString();
if (loc == 'E1B Education Campus')
return 'e1b education campus';
if (loc == 'Harkness Career Center')
return 'harkness career center';
if (loc == 'Kenton Career Center')
return 'kenton career center';
if (loc == 'Northtowns Academy')
return 'northtowns academy';
if (loc == 'Potter Road Career Center')
return 'potter road career center';
if (loc == 'Southtowns Academy')
return 'southtowns academy';
else {
return 'Other';
return 'l=' + getContainerName() + ',ou=erie1';

The only problem I had was trying to use wild cards. This code requires that there is an exact match to the value of entry.l so if someone had a typo somewhere I would end up placing them in Other. I was thinking that it might be nice to handle use say 'e1b*' instead of 'E1B Education Campus' that way it wouldn't have to be exact. That doesn't work however. Maybe there is function or method to the entry object that might let me do something like entry.l.contains or something to that effect where I might be able to get away with some wild card.

Anyhow, I'll play around with this more later. I have something working for now so I'm going to focus on getting some adapters installed and I'll re-visit placement stuff later.

Lotus Notes Adapter for ITIM - Some more guesswork

There is some pretty important information missing from the Lotus Notes Adapter for ITIM Here:

1.) Create some Domino databases for the Deny Access Log database and the Notes ID Address Book in particular. But no mention of what template should be used. So what will I use this for? Will I need any particular views in these databases? An IBM tech support rep told me blank databases should be fine. Well then, why didn't the document simply mention that?

2.) Create some Domino groups like, Suspend Group, Suspend HTTP Group, and Delete Group. Ya think they might mention why the three groups? I mean what's wrong with using one group? Is it that important to have these separate?

3.) Then the instructions tell you to install the Shadow Agent using setup.exe. This is wrong because the Shadow Agent is installed using setupShadowAgent.exe. Of course this fails unless you happen to have installed an old JRE that has probably reached end of life. Now if my latest and greatest JRE was fine for installing the adapter, what were they thinking when creating this shadow agent? BTW, the shadow agent did install once I downloaded and installed JRE 1.3.1_19.

I get the feeling that the instructions for this adapter was written by someone who has not done a lot with Domino either.

Wednesday, November 22, 2006

Using TDI to feed ITIM

The document included with ITIM 4.6 and TDI 6.1 on using an HR Feed to ITIM using the JNDI connector works pretty well. You should find this in the ITIM_HOME/extensions/examples/idi_integration directory as well as your TDI_HOME/examples/idi_integration directory. Make sure you go through the entire document. I figured I was done after being half way through it and the TDI assembly line never worked.

It's important to have the jndiSearchBase as part of the $dn for the users being imported into TIM. I really didn't get this as first, but essentially the users are being added to a virtual container in TIM, then TIM uses the placement rule to determine where in the tree to put the users. If there is no placement rule then they will be added to the root of your org tree. This virtual container is referred to as the Naming Context in the IDI Feed Service you create in ITIM.
You will set this exact value in the JNDI connector -> Search Base parameter. So you then need to get this added to the $dn for the users being imported. The document describes doing this in the feed:

So in my case UpdateITIM is my JNDI connector and jndiSearchBase is the parameter that contained dc=HRLoad. I suppose I could have just hard coded this as well, but it's probably going to get more complicated later anyhow since I may have to create multiple IDI Feed Services for the many identity sources we will be using. Depending on how we actually lay out the org tree and how complex placement rules would need to be we may find the need to use more that one JNDI connector and multiple corresponding IDI Feed Services.

Then again, I haven't started playing around with the ITIM reconciliation stuff yet.

Tuesday, November 21, 2006

Directory Design - What to do about duplicates

We are in the architecture phase of our Identity Management system and one of the haunting questions we have yet to get answers for is "What do we do about duplicate user names?"

Since we will be pulling user names from over 100 identity sources to populate a single ITIM there is a high probability there will be multiple people with the same name. First of all none of the source systems are synchronized in any way. So we will likely have duplicate names across different systems, but many of these systems also allow duplicate user names as long as the two users are not in the same OU. Since the OUs in the source system will not be anything like the OUs planned in the target system we have to devise some process for dealing with duplicate user names.

ITIM seems perfectly happy creating two identical users in the same OU since in each case the user DN will be unique. ITIM uses the erglobalid to uniquely identify the user in the DIT. The problem with this is that you have to have a way to tell the difference between two people with the same name. When defining static and dynamic roles choosing the correct user name is important.

I hope to learn more about this as we go through this design phase with our consultants (people we assume have done this before).

Monday, November 20, 2006

com.ibm.dsml2.jndi.DSML2NamingException: Server returned HTTP response code: 401 for URL:

OK so we got a step closer today with using TDI 6.1 to feed identities to ITIM. After applying FP0025 and IF0028 to ITIM I can now connect to ITIM using the JNDI connector in TDI. The only problem is when I try to run the assembly line it fails with the error message above. It seems like it has something to do with the URL, but I'm using what's suggested in the example documents. BTW, the only place I've found an actual example of setting up the connector to ITIM is in TDI_HOME\examples\idi_integration. There's an HTML document that shows how to do this, however it's assuming you are using TDI 6.0. I understand that it may be pure luck to get this to work in TDI 6.1, but IBM hasn't told me this can't be done so I'm going to try anyhow.

I did install TDI 6.0 on another machine I have sitting near by. If this trouble drags out too long I may just try doing this on the other machine.

Sunday, November 19, 2006

ITIM 4.6 IF0028 Released

This should fix my problem with TDI 6.1. The good people at IBM Tech Support came through in a pinch on my problem with the JNDI connector. So tomorrow I'll get going on that. A few prerequisites are required. First ITIM 4.6 Fixpack FP0025 must be applied. Also TDI 6.1 FP0001 is required.

And so we go...

Friday, November 17, 2006

Cannot instantiate class: com.ibm.dsml2.jndi.DSML2InitialContextFactory

Now that I've had the time to play around with the ITIM organization tree it seemed like a good time to experiment with feeds. First I created the organizational units and locations needed to contain user accounts. I created some roles and services one being the IDI Feed service (DSMLv2). I have to say that the documentation with TDI and ITIM talks about the planning items that go into choosing a feed type and such but it's nearly impossible to find a document that shows you exactly how to do this step by step. I am taking some of the Tivoli on-line courses to get familiar with ITIM at http://www.cgselearning.com/tivoliskills and they have a nice lab on setting this up. Problem is it's using TDI 6.0. I'm using TDI 6.1. So as the lab tells you to create an event handler this is not possible in TDI 6.1. So I proceed to improvise.

The TDI 6.1 documentation does not have a section on how to connect to ITIM. You would think that someone would have included a section like this, but hence that is not the case. I found one place where I could find help and you wouldn't know it's there unless you remembered to check the TDI 6.1 install directory. In there is an /examples/idi_integration/ folder. I found examples of how to use the JNDI connector to connect to ITIM. but guess what. It doesn't work.

The ITIM DSMLv2Connector code (ITIM's dsml2 JNDI driver) was removed from TDI in the 6.1 release. Why ...is the big mystery. According to IBM they are working on a fix for this which should be available in the near future. So what the heck do I do in the meantime? I don't know how easy it is to run TDI 6.1 and TDI 6.0 on the same machine, but that sounds like a hassle I would like to avoid. I really don't desire setting up a whole separate machine for TDI 6.0 either but I'm not sure I will have a choice. It just irks me that this stuff does not work better than it does. It's bad enough that we need specific patches and fix packs for every single component in order for things to work. Nothing works out of the box and then you think going to the latest version of software is a no brainer and surprise!

Stay tuned.

Tuesday, November 14, 2006

CTGIMO020E The transaction is rolled back

I was working with ITIM 4.6 today creating Organizational Units and Locations. Then I figured it was time to create some users. When I added the user and then clicked submit I received this error:

Error Page
Error message: CTGIMO020E The transaction is rolled back.
Detail: {0}

Luckily I was using Firefox or I would have encountered an even more useless error message from IE like "The Page cannot be Displayed". Internal Server Error".

After some research and some help from IBM, the problem truned out to be the WebSphere Embedded Messaging.

Transactions such as adding users will use the ITIM workflow engine which relys on MQ. If MQ is not running then you will get these error messages in your browser. So when I typed:


I got the following:

QMNAME(WAS_tim1_server1) STATUS(Ended unexpectedly)

So it looked like MQ was hosed. IBM sent me the following technote for Unix which solved the problem:

DCF Document ID: 1243466 - IBM Tivoli Identity Manager: Manually re-create the ITIM 4.6.0 Queues (MQ 5.3 and WAS 5.1.1) on UNIX

Problem Desc: From time to time, it is necessary to re-create the ITIM Queues that reside in MQ Series.

Solution: In the commands shown below - typical values for parameters are:


Thursday, November 9, 2006

"Man does not live by bread alone"-- he needs knowledge

Wrapping your brain around a complex Identity Management project during the design phase can be really tough especially if you have never done this sort of thing before. What should our suffix be? Where should the users reside in the DIT? What roles do people have? What IT resources do we want to include in provisioning? Are there existing adapters for those resources or do we have to develop them? How many servers do we need? How many people will it take to manage this? Where do we start?

Over the last year my colleague Andy and I have spent most of our time learning how to develop assembly lines in Tivoli Directory Integrator. The initial focus was on pulling user identities from a few different sources to populate an LDAP. At the time we weren't really sure if we were going to buy ITIM or ITAM or anything else for that matter, but one thing was for sure. Our Portal applications could not authenticate our staff, customers or partners without an LDAP containing all of their identities. Going after low hanging fruit we decided that our customers Active Directories, Novell Directories, and Domino Directories would be the easiest places to get their Identities since they are all standard LDAP servers and we can develop our TDI assembly lines to detect changes in each of those sources and then populate the LDAP.

All this changes with ITIM in play. My whole vision of the directory hierarchy is now different. Maybe now I'm a bit more confused or unsure of what the DIT should look like. In fact we were so concerned with what the LDAP was going to look like before, now with ITIM I'm not sure it really matters any more. Once the TIM organization layout is in place should we really care what the layout of the LDAP looks like as far as Portal is concerned?

After printing 9,000 pages of documentation for TIM and TAM on top of the 3,000 pages we had already printed for TDI and TDS we find that the tough part is wading through all of it in search of the pieces that matter the most. The design stuff is all theoretical and if you can't get through that then it's going to be tough actually setting up a TIM. There's some good IBM Classroom courses, but the times and locations are not always convenient. If your lucky you will hook up with a good IBM Business Partner who has the staff to do this knowledge transfer.

We're working with Strategic Computer Solutions, Inc. (SCS) based out of Syracuse, NY. These people are a well known IBM business partner and they really know their stuff. Through them we also got to know the folks at Software Productivity Strategists, Inc. (SPS) out of Rockville, Md. Another group of highly talented people we found that if it wasn't convenient to go to an IBM training facility for Tivoli courses, you could pay SPS to send a trainer to your location. Now, I'm sure SPS isn't the only place that offers this option, but I'll just say that they have a Tivoli Security expert on staff that is one of the best trainers I've ever worked with. I'm not talking about someone who has done nothing but train people all his professional career, but instead someone who is in the real world implementing Tivoli software in very large enterprises and government entities who then brings that experience into the classroom. And I'm sure being a college professor in the computer science domain doesn't hurt either. The IBM courses are a huge help if you can get them one way or another.

But if you cannot take the courses or if the courses are scheduled weeks or months away you can get started with some on-line courses from Computer Generated Solutions. I recommend these to anyone just getting started with the Tivoli software. Even before you meet with consultants if you can take these on-line courses it will help to provide a sort of level set with what all the software components do, how a simple system is set up and if nothing else you will begin to get the lingo down so that you have half a clue when the consultants show up. I've taken the on-line courses for Tivoli Directory Server (TDS), Tivoli Directory Integrator (TDI) and now I'm going through the ones for ITIM 4.6. The TDS course was pretty good. It answered some of my questions about the basics, but it did not help me get a cluster working, TDI is tough. The on-line course for TDI will help you understand all the components of TDI and the lingo, but its a bit of a stretch to think you will be able to write really functional assembly lines after taking it. I'm finding the on-line courses for TIM to be very good. I recall several "Ah ha" moments during these courses so it seems they are working. Don't get me wrong, these are not replacements for Classroom courses, but they are a great way to get started and I think they are really good precursors to the classroom courses. Also, CGS is really easy to work with as far as payment goes. Our company does most things via PO so CGS allows you to enroll in the Tivoli courses specifying the payment type as being a PO. Then they email you the invoice so your business office can generate a PO and all of this can be transacted electronically so you can access the courses in no time.

As far as training goes for Tivoli, I usually like to buy books and CBT's. For topics like Microsoft Active Directory and Novell NDS and Java, etc... there is tons of options at amazon.com or Barnes & Noble. What's a little frustrating is that the only thing I could find on Tivoli Security is from IBM's web site (Redbooks and product documentation). IBM Press doesn't even have any good books on the Tivoli Software which I find disappointing, They have a great book at IBM Press for DB2: Understanding DB2 Learning Visually with Examples by Raul F. Chong, Clara Liu, Suylvia F. Qi, and Dwaine R. Snow. It baffles me why no one wrote a book like this for ITIM and ITAM. Oh well, your best place to start learning this stuff is here: Tivoli Education Website

Good luck and happy learning!

Tuesday, November 7, 2006

IBM Tivoli 4.6 Installation on Linux HowTo – For Beginners

I finally finished the document I was working on describing the step by step instructions for installing ITIM 4.6 on Linux. This is a very simplified approach to installing ITIM and is realy just designed to get the system up and running quickly so that one can begin to learn how ITIM works. I found IBM's documentation to be a bit complex and in several areas it was unclear. On my test system I chose to install all the components needed (DB2, TDS, WAS, and ITIM) on one box just to make this as simple as possible.

Hopefully this helps someone out there who's just starting to learn Tivoli Identity Manager for the first time. I know I could have used it. You can get the PDF here --> {Link}

Thursday, November 2, 2006

AMQ6090: WebSphere MQ was unable to display an error message 20006220

So have you ever heard of software generating an error message saying it was unable to display an error message?

This is what I ended up with after finally getting through all the WAS 5.1 fix packs. The ITIM 4.6 documentation claims that it requires WAS 5.1 with Fix Pack 1, Cumulative Fix 3, and APARs PK00346, PK02976, PK02640. Wow, that's a mouth full of fix packs. I installed WAS with the embedded messaging and one of the tests for a successful install after applying all the fix packs is to start WAS and then check to verify that the embedded messaging queue manager is running. When I typed dspmq I got the brilliantly informative error message. Or should I say non error message?

IBM Technote #1182138 describes a bunch of steps to take if you are running SLES 9 for your WAS 5.1 server. Most of the steps are just temporary until the aforementioned fix packs are applied. One of the optional steps was this:

export LD_ASSUME_KERNEL=2.4.19

In the technote you could export this variable or you could do this:

source setupCmdLine.sh

I opted for the later in my install and never did the export until I tried verifying the installation. So a bit of help from Google and it seems the technote failed to mention that the export is actually necessary to allow the embedded messaging queue manager to run.

Oh well chalk it up to the completeness of IBM's documentation or the lack there of. Bottom line is...

Do the export. And do your self the favor of adding this to a /etc/bash.bashrc.local.

Should we add the dominoPerson objectClass to our users just for a couple of attributes?

This question has been nagging me for a while now. We know that if we want to provide presence awareness in WebSphere Portal for all authenticated users that we will likely need an attribute for that users' Sametime server. There are a number of attributes that we will likely need from the dominoPerson objectClass for our users in LDAP. So does it make sense to have all users inherit the dominoPerson objectClass or would it be better to add those specific Domino attributes to our custom objectClass for users?

One thing I noticed in testing was that our user objects have many attributes we probably wont use since they inherit the dominoPerson objectClass and I can see that many of these are redundant. Some of them already exist in the other objectClasses such as person or inetOrgPerson.

Wednesday, November 1, 2006

Identity Management as a service

Interesting conversations today with our senior tech staff and network experts. Since we are an Internet and application services provider one of the questions that have been on our minds for some time now is; Can we provide identity and access management to our customers using the Tivoli Security software and if so when and how?

We heard from a few people who conveyed a few different problems that we need to deal with.

1.) Users at our customer sites need to log-on to secure wireless networks. For the last few years as wireless networks were initially deployed at these sites there was little to no security. Accessing the network was wide open in many cases. Since then there have been steps to require authentication to access the network. This has been done by having our Nortel equipment authenticate the users via a Radius server which in turn uses an LDAP at the local site. Customers quickly saw a problem with requiring log-on first to the network and then a second time to the local file a print systems (AD or Novell). To solve this the customer sites are implementing SSO solutions so that when a user logs on to the network they are automatically authenticated to the local file and print system as well. Problem is that some systems like Novell require the purchase of Identity Management software since they do not expose their system to integrate with any other SSO solutions.

2.) In some cases customers have already deployed Identity Management solutions to achieve local goals. One driving force is the synchronization of identities, demographic information, etc.... In building our central Identity Management system using Tivoli software we will obviously incur software licensing costs for each managed user internal or external even though those customers may already be paying for an Identity Management system locally.

So problem 1 above is really an access control issue more than an Identity Management issue, however in some cases (Novell for one) customers may find that the only way to solve it is by purchasing Identity Management just to use the specific feature they want to solve the problem.

Problem 2 could be solved if we fast track an Identity and Access Management solution in a model that will solve the problems at customer sites. This would likely result in lower costs for Identity and Access Management in the long run, however this is probably not feasible if customers are looking for solutions today. As it is our pilot project including 7 customer organizations only addresses provisioning users to our own web based applications surfaced via WebSphere Portal. Currently none of the customer located IT systems are in the scope of the current pilot. The architecture project for the pilot is scheduled to occur starting in December 07 so it seems that it could be a while before we are ready to offer Identity Management solutions to customers.

So can we architect our ITIM solution to provide Identity Management to our customers? I understand that in ITIM there is the concept of a multi-tenant configuration which implies that you might have multiple organizations possibly in one ITIM. I thought I heard that IBM was trying to move away from that, however I could be mistaken. This sounds like the approach we may want to take. Our organization as it is sort of is an org within an org with the IT division being one of those orgs. So we could do something like:

->IT Org
->Our Org
->Customer Org1
->Customer Org2
->Customer Org3

I imagine that we could contain all managed users within the appropriate org container and at first the managed resources would be only those that we desire to deal with from our IT Org's perspective. When we are ready, then we could potentially add managed resources at customer sites into the ITIM as needed.

I think some other things we need to consider is what's between the ITIM and the managed resources. Our customer sites are primarily located on our broadband network so there is good capacity between our data center and the customer sites. However, there is the possibility that something breaks that connection and then the managed resources are not accessible from the ITIM. Maybe this is more of a problem for the access control solution than the Identity Management solution.

WAS 5.1 install actually worked

As my luck continues to be good or at least maybe I'm reading instructions better the WAS 5.1 install actually went successfully. I resorted to reverting back a snapshot and starting over. This time I remembered on key ingredient


Seems if you are using SLES 9 there is an embedded messaging issue that can be worked around with this little command. This is only an issue with WAS 5.1.0 so once the 5.1.1 PTF is applied it's no longer a problem. See technote.

One other thing. Do a ulimit -s 8196 in your shell session before you install.

More later.