Friday, April 20, 2007

TIM AD Password Sync Plug-in

If you're considering using the PwdSync plug-in to sync passwords from AD into TIM there are a few things you need to consider. For one thing, this is an all or nothing option: every account that ITIM manages will be included when you use the AD Password Sync plug-in. So it is important that there are no systems managed by ITIM with more restrictive password policies than your AD password policy. Otherwise users in AD will set their password to something that passes the AD checks but fails when ITIM tries to sync that password to the other systems. The problem is that the user will not know about the failure, which will cause more help desk calls.

Also, an important point is that SSL is required for this to work. You will need to export a cert from your TIM server and import it into the PwdSync plug-in. My downloads page contains a detailed document that I typed up with screen shots explaining a bit more about these issues, which I found not very clear in the install guide. Feel free to check it out. Hopefully it will help save someone some time.

Downloads {Link}

Tuesday, April 17, 2007

TIM and AD Integration - Group Membership in provisioning

Just as a follow-up to my earlier post about the AD Adapter, I figured out how to provision users into the proper groups in AD. What I eventually figured out is that you can't simply type the names of the groups into the advanced provisioning parameters. The adapter expects to pass the GUID of those groups through to AD, and that GUID needs to be looked up in TIM. So let me take a step back here.

When you have the AD adapter installed and configured, the first time you reconcile the AD service all the groups from your AD will be imported into the TIM LDAP in the container defined for the AD Service you created. If you export one of these group objects from the TIM LDAP it would look something like my AD Domain Users group here:

dn: eradgroupguid=5fcbe38c66d1f343b7572848a642a8e9, erglobalid=7784783646603635175, ou=services, erglobalid=00000000000000000000, ou=CA, dc=ca,dc=com
eradgroupguid: 5fcbe38c66d1f343b7572848a642a8e9
objectclass: erADGroup
objectclass: erManagedItem
objectclass: top
description: All domain users
eradprimarygrptkn: 513
eradgroupcn: Domain Users
eradgroupdn: CN=Domain Users,CN=Users,DC=CA,DC=local

So on the entitlement -> Advanced Provisioning Parameters you will need to add some JavaScript which will look up the GUID for the group or groups you want your user to belong to when provisioned to AD. Also, the Primary Group uses a token, represented in TIM by the eradprimarygrptkn attribute (513 is the well-known token for Domain Users, as in the export above). One way to cheat here is to use the standard view of the provisioning parameters and use the search button to find the groups you want. Then switch to the advanced provisioning parameters view and you will see the GUIDs for the groups you chose:

[Screen shot: advanced provisioning parameters view showing the GUIDs of the selected groups]

The installation and configuration guide mentions that you can set certain Windows registry keys that change the behavior of the adapter. One of these options is the useGroupCN setting. If you set this to true then you can reference the common name of the group in your provisioning parameters instead of the GUID. This option may make scripting a bit easier.
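As an added example (not code from the original post or from the Tivoli adapter), here is the lookup that the JavaScript in the advanced provisioning parameters has to perform, done offline against an LDIF export of the erADGroup objects from the TIM LDAP: parse the export, including folded continuation lines and base64 ("::") values, and resolve group names to their eradgroupguid and eradprimarygrptkn values. The first entry is the Domain Users export above; the Helpdesk group, its GUID and token, and the function names are constructed for illustration, and how the returned values are placed onto the AD account form's attributes is not covered here.

```python
"""Resolve AD group names to the eradgroupguid / eradprimarygrptkn values the
TIM AD adapter expects, using an LDIF export of erADGroup objects from the TIM LDAP.
Added example; not part of the original post or of the Tivoli adapter."""
import base64

# Constructed sample export. The first entry is the Domain Users object from the
# post, with its long dn folded the way LDIF does it (continuation lines start
# with one space). The Helpdesk entry, its GUID and its token 1105 are invented,
# and its description is base64-encoded to exercise the "::" form.
SAMPLE_LDIF = """\
dn: eradgroupguid=5fcbe38c66d1f343b7572848a642a8e9, erglobalid=77847836466036
 35175, ou=services, erglobalid=00000000000000000000, ou=CA, dc=ca,dc=com
eradgroupguid: 5fcbe38c66d1f343b7572848a642a8e9
objectclass: erADGroup
objectclass: erManagedItem
objectclass: top
description: All domain users
eradprimarygrptkn: 513
eradgroupcn: Domain Users
eradgroupdn: CN=Domain Users,CN=Users,DC=CA,DC=local

dn: eradgroupguid=0123456789abcdef0123456789abcdef, erglobalid=77847836466036
 35175, ou=services, erglobalid=00000000000000000000, ou=CA, dc=ca,dc=com
eradgroupguid: 0123456789abcdef0123456789abcdef
objectclass: erADGroup
objectclass: erManagedItem
objectclass: top
description:: SGVscCBkZXNrIHN0YWZm
eradprimarygrptkn: 1105
eradgroupcn: Helpdesk
eradgroupdn: CN=Helpdesk,OU=Groups,DC=CA,DC=local
"""


def parse_ldif(text):
    """Return a list of entries, each a dict of lower-cased attribute name -> list
    of values. Handles folded lines, base64 values and '#' comments; entries are
    separated by blank lines."""
    entries, current, logical = [], {}, []

    def flush_line():
        if not logical:
            return
        line = "".join(logical)
        logical.clear()
        if line.startswith("#"):
            return
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if value.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)

    for raw in text.splitlines():
        if raw.startswith(" "):  # continuation of the previous logical line
            logical.append(raw[1:])
            continue
        flush_line()
        if raw.strip() == "":
            if current:
                entries.append(current)
                current = {}
            continue
        logical.append(raw)
    flush_line()
    if current:
        entries.append(current)
    return entries


def group_index(entries):
    """Map eradgroupcn (lower-cased, since AD names are case-insensitive) to
    (eradgroupguid, eradprimarygrptkn) for every erADGroup entry."""
    index = {}
    for e in entries:
        if "eradgroup" not in [v.lower() for v in e.get("objectclass", [])]:
            continue
        token = e.get("eradprimarygrptkn", [None])[0]
        index[e["eradgroupcn"][0].lower()] = (e["eradgroupguid"][0], token)
    return index


def resolve_groups(ldif_text, wanted, primary):
    """Return the GUIDs for the groups in `wanted` and the token for `primary`.
    An unknown name raises rather than silently provisioning fewer groups than
    the policy intended."""
    index = group_index(parse_ldif(ldif_text))
    guids = []
    for name in wanted:
        hit = index.get(name.lower())
        if hit is None:
            raise KeyError("group %r is not in the TIM LDAP; reconcile the AD service first" % name)
        guids.append(hit[0])
    prim = index.get(primary.lower())
    if prim is None or prim[1] is None:
        raise KeyError("no primary group token found for %r" % primary)
    return {"group_guids": guids, "primary_group_token": prim[1]}


if __name__ == "__main__":
    print(resolve_groups(SAMPLE_LDIF, ["Domain Users", "Helpdesk"], "Domain Users"))
```

Because the lookup is keyed on the group's common name, the same table is what you would need to maintain by hand if you left useGroupCN off; with the export parsed this way a typo in a group name fails at provisioning time with a clear message instead of producing a user who is quietly missing a group.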

I'm still having some issues with the Home Directory behavior, but I think the key to that is also in part how I set these registry configurations in the AD adapter. So far though, I have the AD adapter working pretty well in my sandbox system.

Monday, April 16, 2007

Anyone out there ever Integrated Novell with TAM?

Novell has for a long time been used for file and print operations in organizations, and many organizations still use Novell to provide users with their home directories. Somewhere along the way Novell developed an application which serves up these home directories and files via a web browser. Novell calls this application NetStorage. A fairly basic application like this allows the user to log in with a name and password, view their home directory, and drag and drop files to and from it. Novell also has a product called iFolder. This application allows you to sync your files from the desktop and is also apparently a web based application. I would like to attempt to protect these applications behind TAM WebSEAL. I'll start with a Windows server and I have already downloaded the eDirectory 8.7.3 code. Before you install Novell you have to acquire a license, so I have completed the form for the license and am waiting for a response from Novell so that I can try this out.

If anyone out there has ever attempted this, please let me know your results.

TIM 4.6 AD Adapter

I've spent some time with the TIM AD Adapter this weekend. It's pretty easy to set up and get users provisioned with when you only want some simple functionality. However, I'm having a problem in a few areas. Some of the AD attributes such as 'Group' and 'Primary Group' appear to be search types in TIM. So if you were provisioning someone manually from TIM to have an AD account, you would click on the search button on the AD account form and choose the Primary Group as well as any other groups you want the user to belong to. My problem is that when I try to set these in the Advanced Parameters section of the entitlement form, I always get warnings when the users are provisioned that these attributes cannot be set. The AD installation guide gives no clues as to how these attributes should best be set from TIM.

The other thing I haven't figured out is setting the person's Home directory. There are a couple of ways to do this. On the user profile tab in the Active Directory Users and Computers UI you can choose a static Home directory, something like c:\users\cahart. So in my TIM provisioning policy on the advanced parameter list I place c:\users\%username% for the Home directory, and this works fine. However, if I want to use a UNC instead there are different attributes to set: one for the drive letter you wish to map and one for the UNC path of the share. So on my AD server (ad1) I create a share called users. In my AD user profile it might look like \\ad1\users\cahart and the drive letter mapped would be H:. When I try to set these attributes in TIM they do not get set at all when the user is created in AD. I don't get any errors, but the attributes in the user profile just end up blank.

In the TIM AD Adapter there are some registry options you can set to TRUE. I've set 3 or 4 of these and so far I haven't seen any difference. As I work with this some more I'll follow up this post.

Tuesday, April 10, 2007

Deploying an Integrated IBM Tivoli Security Solution -- Average at best

So far I would grade the quality of the IBM training classes for Tivoli Identity Manager at about a C+ on average.

This latest class Deploying an Integrated IBM Tivoli Security Solution was not the class it was advertised to be. Go ahead and click the link and read the course description yourself. I'll tell you below what's wrong with the description:

1.) The first sentence says "Presented as a case study". NOT. There is virtually no lecture whatsoever which would be a good thing if the labs better explained what the company objectives were. On several occasions I had to ask what the point was to some of the things we were doing in the labs.

2.) The second sentence says "using TIM 4.6, TAMeb 6.0 and TAM for ESSO". NOT. None of these versions of software are included in this course. In this course they use TIM 4.5, TAM 5.1 and there is no integration or mention of TAM for Enterprise Single Sign On (ESSO).

3.) In the last sentence of the initial description it says "this course shows how to integrate these products to provide services to disparate business units while maintaining security policies." NOT. There was no such discussion illustrating the providing of services to disparate business units.

In the Topics section where it lists bullet points, the first 3 bullet points are covered in this class using the old TIM and TAM software (TIM 4.5 and TAM 5.1). The 4th and 5th bullet points are not covered at all. The last bullet point is maybe partially covered.

So if the inaccurate course description was not enough, the next problem seems to be common with the Tivoli training classes: the machines being used are simply not powerful enough to do this work. In this class each student was issued two desktop PCs. Each PC allegedly had a 2 GHz processor with 1.7GB of RAM. This should be OK for most of what we need to do, but the reality is that the machines perform poorly to the point that it disrupts the learning process. The first day we ran into enough problems that the instructor was forced to re-build new images of the machines after class that day so that we could re-group and try again the second day. So the class ended up finishing early the first day because the machines were reduced to uselessness, since the TAM Policy server kept hanging the machine for almost every student in the class.

Day 2 was better, but the machines were still plagued with performance issues, causing us to reset the VMs and in some cases leaving our TAM Policy server databases corrupt. We did manage to get through most of the day today, completing the required labs by the end of the day.

The problem is that we just don't seem to be even close to a real world use of these products. I have no problem taking the class using old software. I may run into this older software in the field so I'm fine with working with the older product, but there simply is not enough real world training in this class, and it is being incorrectly advertised as one thing while delivering another.

In one lab we are deploying this web application called Mantis (a help desk application) that runs on WebSphere. That's fine. We need some kind of app to put behind TAM. One of the exercises in this deployment has you doing this migrateEAR5 to externalize the roles and security info from this web application to TAM. There was no lecture explaining that. The labs did not tell you why you were doing what you were doing. Like robots we are supposed to just do what the lab says to do. Luckily the instructor was very informative on this topic when I asked him to explain why we were doing this, but stopped short of really getting into what kinds of things we need to look for in a web application that might make it compatible with TAM. Why couldn't the class demonstrate an ASP/.Net app, do a comparison to the Java app and show us what we need to look for when considering integrating any web application behind WebSEAL? Not everyone uses WebSphere applications.

I have to say if you are considering taking this course, don't bother. There has got to be a better one.

Sunday, April 1, 2007

If you're looking for a good test application for your sandbox...

IBM has a J2EE benchmarking application for WebSphere that is occasionally used in some of the Tivoli training classes. I noticed this past week in the Extending TIM 4.6 class that some of our labs involved provisioning users to an application called Trade 3. The goal of one lab was to provision the Trade accounts using a customized assembly line in TDI. This Trade application was used in a couple of different labs in the course and I thought this would be a great application to add to my sandbox.

The Trade application is a simulated stock trading application which is designed to demonstrate J2EE as well as provide a benchmarking tool for your WebSphere Application Server. It requires either DB2 or Oracle for its data and user repository. Trade 3 requires WAS 5, so if your sandbox consists of a single TIM server you could install Trade 3 on that same box using your existing DB2 instance and the WAS that is hosting your TIM application. You can find instructions on setting up Trade 3 here:

To set this application up you will need to download the install files and scripts. There is a readme.html included in this download. I would recommend you instead follow the instructions in the technical article because they are more complete there. Get the trade3 install kit here:

Now I'll admit I spent at least 4 or 5 hours Saturday trying to install the Trade 3 application on my TIM server where I'm running WAS 5. This did not go too well probably (now that I look back) because I was following the readme file instead of the tutorial instructions. One of the steps in the process runs a JACL script that installs resources setting up connectivity to DB2 etc... I kept getting errors trying to execute some of the lines from the resource JACL. There was something about a provider1 variable being non-existent.

There is also a Trade 6 application designed to run on WAS 6. Luckily I have a VM in my sandbox running WAS 6, since this is already required for TAM WPM, so I decided to try and install the Trade 6 application on my WAS 6 server. This meant I was going to have to install yet another DB2 server, which I hadn't planned on, but that is OK because having DB2 on my web box is not a bad idea anyhow in trying to keep my VMs capable of running stand alone. I should be able to get the same experience from my ITIM lab exercises this way as I would running the Trade 3 app on my TIM server, although this way I will need to run both my tim VM and my web1 VM at the same time. That's OK.

So you can find Trade 6 here:

Definitely follow this tutorial to set this up though. This is much better than the readme file included with the download. Again I had some problems with connectivity to DB2. Follow the tutorial to the point of testing the DB2 connection from WAS Admin console. If you have a problem it may be the DB2 configuration and TCP port being used. Pay close attention to what you use to name the service/port. The tutorial can be found here:

I also saved these files on my downloads page as well:

So I plan to use the Trade 6 application as a place to test provisioning users as well as a good application I can protect behind TAM WebSEAL. Sounds like Fun!

My TIM & TAM Sandbox design

I consider my professional life with TIM and TAM to be a constant learning experience. With all the middleware included inside the Tivoli Security software you may never completely learn it all. Some people are good at writing code. Others are good at recognizing how to fit business processes into Tivoli Security solutions. Yet other people are good at communicating the value of Tivoli software to customers. Within the Tivoli Security suite of software there are many complex areas to develop skills. I find that in the field some people lean more towards TIM skills and others lean more towards TAM. In either case you will get exposed to TDS, TDI, WebSphere App Server, and DB2. It's quite a challenge. If you are like me you may be involved in both TIM and TAM at the same time and this is fine, but you may find your skills developing more in one over the other simply because of time and personal preference.

I've been in the process over the last several weeks of building a sandbox on my laptop. This is a place where I can prototype things I need to do in the field and it serves as a place to learn. Since this software will require many hours of experience in order to learn it, there is no better place to have all the components installed than on your personal machine. Obviously you will need a smoking fast machine to do this, but it can be done.

I have a Lenovo Thinkpad T60p (Core 2 Duo and 3GB RAM). So far I'm using three virtual machines in VMWare Workstation 5.5.3. The VMs:

1.) Host Name: tim
OS: SUSE Linux Enterprise 9 SP3

Note: Obviously you would not put all this on one
server in production, but this works fine
for testing.

2.) Host Name: tam
OS: SUSE Linux Enterprise 9 SP 3
RAM: 512MB - 768MB

* I'm running TDI on each of these servers because
of some adapter testing. TDI is providing the feeds to
TIM which is why I'm running TDI there. However
I plan to test the new TAM connector for TDI which
must be installed where there is a TAM Java Runtime
so I also installed TDI on the TAM server.

3.) Host Name: web1
OS: SUSE Linux Enterprise 9 SP 3
RAM: 512MB - 1GB

* To test TAM WebSEAL I wanted to have a web server
with some applications to protect behind TAM. This
server is a good place for Web Portal Manager
(PDAdmin) and the IBM Trade 6 App as well as
possibly Portal (not sure if I really have enough RAM
for that though)

I don't always run all 3 VMs at the same time. If I'm working on feed type stuff then I may only run the TIM server. If I'm dealing with provisioning to TAM then I would need both TIM and TAM up and running. If I'm testing security between WebSEAL and some web applications then I would need TAM and web1 up and running. I have run all 3 VMs at the same time, so as long as I don't have to be reading any PDFs or email or anything else at the same time this is no problem. This design works well for me because it's flexible and covers a lot of testing options for me. Some future VMs I will be working on include Active Directory for provisioning users to AD as well as Lotus Notes. I will probably run a Domino server on the same box as AD so that I can test both using the same VM. At 10GB of disk space per VM I think that I may soon run into disk space limitations, so it may be near time to purchase a portable USB drive. We'll see.