Sunday, September 14, 2008

What version of TDI are you using?

It took me a while to find this tech note one day so I figured I would post a link to it for future reference. Pretty handy.

Determining the TDI 6.1 Fixpack level

Wednesday, August 13, 2008

LDAP - What's in a string?

Sometimes when I'm doing projects I run across some things that make me wonder.. Huh?

When you are building LDAP objectclasses and attributes for your Identity Management project, should you be using Directory String or IA5 String for your typical attributes? Actually there are several string types supported by LDAP:

IA5String, DirectoryString, PrintableString, OctetString, PostalAddress, CountryString and NumericString.

Most often, on the projects I have worked on, we would use DirectoryString for most custom attributes. RFC 4517, which defines the LDAP syntaxes, makes the difference concrete: an IA5String is a sequence of 7-bit characters (0x00 to 0x7F), whereas a DirectoryString is one or more UTF-8 encoded characters, so anything outside ASCII, such as accented names, needs DirectoryString. My friend Thom Anderson gives a good plain-language comparison of the two. Read on:

"The IA5 is more constrained than Directory String. You can think of it as ASCII on steroids . . . ASCII is a 7-bit protocol and for years, persons have been finding themselves with an eight-bit byte wondering what to do with the extra bit. Normally, they use the ‘zero’ value of the extra bit for ASCII characters and then use the ‘one’ value for things such as special characters (early IBM PC) or European characters (IA5). Although the ‘IA’ in IA5 means ‘international alphabet’, it does not include all languages as that would require more than 8 bits. That is where Directory String comes in. Directory String is basically UTF-8, a version of Unicode that has only 8 bits for Western languages, but requires more bits (in 8-bit increments) as one moves East."

"Only in IA5 can you be assured that the number of characters and number of bytes is the same. Of course, that would limit one to Western characters, but that is not such a bad thing. In many cases, it will not make any difference. In the U.S. ASCII is sufficient and it is a subset of both IA5 and UTF-8."
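As an added, runnable illustration of the distinction above (this is my example code, not anything from the original post or from Thom): the checks below implement the two syntaxes as RFC 4517 defines them, IA5String as 7-bit characters only and DirectoryString as at least one UTF-8 encoded character, and count characters against bytes so you can see where the one-character-equals-one-byte guarantee holds. The per-attribute syntax table is a small constructed sample; mail is IA5String and cn is DirectoryString in the standard schema (RFC 4524 and RFC 4519), while customAttr stands in for a custom attribute you might define yourself. Run it over an export before a TDI load and you find the values the directory server would reject.

```python
"""Pre-flight check of LDAP attribute values against the IA5String and
DirectoryString syntaxes of RFC 4517, for use before a bulk import."""

# Syntax OIDs from RFC 4517, listed for reference when reading schema definitions.
IA5_STRING_OID = "1.3.6.1.4.1.1466.115.121.1.26"
DIRECTORY_STRING_OID = "1.3.6.1.4.1.1466.115.121.1.15"


def is_ia5_string(value: str) -> bool:
    """IA5String = *(%x00-7F): every character in the 7-bit range; empty is allowed."""
    return all(ord(ch) < 0x80 for ch in value)


def is_directory_string(value: str) -> bool:
    """DirectoryString = 1*UTF8: non-empty, and every character UTF-8 encodable.
    Lone surrogates (a common artifact of a bad decode upstream) cannot be encoded."""
    if not value:
        return False
    try:
        value.encode("utf-8")
    except UnicodeEncodeError:
        return False
    return True


def describe(value: str) -> dict:
    """Character count versus UTF-8 byte count, plus which syntaxes accept the value."""
    return {
        "chars": len(value),
        "bytes": len(value.encode("utf-8", errors="surrogatepass")),
        "ia5": is_ia5_string(value),
        "directory_string": is_directory_string(value),
    }


CHECKS = {
    "IA5String": is_ia5_string,
    "DirectoryString": is_directory_string,
}

# Constructed sample schema table: attribute name -> declared syntax.
# mail and cn follow the standard schema; customAttr is a stand-in for your own.
SAMPLE_SCHEMA = {
    "mail": "IA5String",
    "cn": "DirectoryString",
    "customAttr": "DirectoryString",
}


def validate_entry(entry: dict, schema: dict = SAMPLE_SCHEMA) -> list:
    """Return one message per attribute value that violates its declared syntax."""
    problems = []
    for attr, values in entry.items():
        syntax = schema.get(attr)
        if syntax is None:
            continue  # attribute not in our table; nothing to check
        for value in values:
            if not CHECKS[syntax](value):
                problems.append(f"{attr}: {value!r} is not a valid {syntax}")
    return problems


if __name__ == "__main__":
    # Constructed sample entry: the mail value carries an umlaut, which IA5 rejects,
    # and the custom attribute is empty, which DirectoryString rejects.
    sample = {"cn": ["Jürgen Müller"], "mail": ["jürgen@example.com"], "customAttr": [""]}
    for word in ("Fred", "Müller", "東京"):
        print(word, describe(word))
    for problem in validate_entry(sample):
        print(problem)
```

Note that the empty string passes IA5String but fails DirectoryString; an import that writes empty values into a DirectoryString attribute is a common reason a TDI assembly line stops with a syntax violation.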


Thursday, June 26, 2008

Interesting observation about the erglobalid

Most of the implementations I have worked on do not require a large, complicated TIM organizational structure, but every now and then there is a requirement for many OUs, even many thousands of organizational units, as bizarre as that might sound. It is nothing new that you can import these objects, and TDI is a handy tool for pulling it off. There was a recent post on the developerWorks site about this:

http://www.ibm.com/developerworks/forums/thread.jspa?threadID=201930&tstart=-1

On a recent project we needed to import several thousand OUs, and one question we asked ourselves was how to assign an erglobalid to each of them that we could be sure was not already in use. One option would be to build our own random generator and look each candidate up in TIM to verify it is free before committing to it. Another option was simply to assign sequential numbers, since TIM is unlikely to have an obvious pattern, especially when no users have been loaded into TIM yet. We tried this and it worked pretty well, so we picked a starting erglobalid such as erglobalid=11111111110000000001 and incremented from there. That is fine as long as we never stumble onto a value that is already in use; if we do, the TDI assembly line bombs out on the add and we have to deal with it then.

One of my IBM friends recently pointed out that the erglobalid does not have to be numeric at all; any ASCII characters will do. I had never given it much thought, but it is just a string. Internally TIM generates numeric strings and, apparently, never puts alpha or other non-numeric characters into an erglobalid it issues. So if you want an erglobalid that is sure not to collide with one TIM generated, use letters, or some other non-digit characters, or a mix of the two. Two caveats: this is an observation about TIM's generator rather than a documented guarantee, so a quick search for the candidate value before the add is still cheap insurance; and because erglobalid is the RDN, any characters that are special in a DN (comma, plus, double quote, backslash, less-than, greater-than, semicolon, or a leading #) have to be escaped in the dn: line.

Just to try this out I threw together this LDIF of two org units and imported it into my TIM tree with no problem:

dn: erglobalid=ABCDEFGHIJKLMNOPQRST,ou=orgChart,erglobalid=00000000000000000000,ou=Largecorp,dc=largecorp,dc=com
erparent: erglobalid=2989976714741706113,ou=orgChart,erglobalid=00000000000000000000,ou=Largecorp,dc=largecorp,dc=com
erglobalid: ABCDEFGHIJKLMNOPQRST
ou: Fred
objectclass: top
objectclass: organizationalunit
objectclass: erManagedItem
objectclass: erOrgUnitItem

dn: erglobalid=abcdefghi!@#$%^&*()_,ou=orgChart,erglobalid=00000000000000000000,ou=Largecorp,dc=largecorp,dc=com
erparent: erglobalid=2989976714741706113,ou=orgChart,erglobalid=00000000000000000000,ou=Largecorp,dc=largecorp,dc=com
erglobalid: abcdefghi!@#$%^&*()_
ou: Barney
objectclass: top
objectclass: organizationalunit
objectclass: erManagedItem
objectclass: erOrgUnitItem

At least if you create your OUs this way you can always tell which erglobalids were created by TIM and which ones came from your import process. Just thought this was interesting.
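As an added example (my code, not from the original post), here is a small generator that does the import the way described above: it mints erglobalids from a non-numeric namespace so they can never collide with the purely numeric ids TIM issues, still checks each candidate against a set of ids already in the directory (the observation that TIM only generates digits is treated as an assumption, not a guarantee), escapes the value for use as an RDN per RFC 4514, and writes LDIF in the same shape as the entries above. The IMPORT prefix, the sample OU names and the set of existing ids are constructed for the example; the container and erparent DNs are the ones from the LDIF above.

```python
"""Mint collision-free erglobalids for bulk-imported TIM org units and emit LDIF."""

import base64
import re

ERGLOBALID_WIDTH = 20      # width of the zero-padded numeric ids TIM issues
IMPORT_PREFIX = "IMPORT"    # assumed marker for our import; any non-digit prefix works

# RFC 4514 section 2.4: characters that must be backslash-escaped inside an RDN value.
_RDN_SPECIAL = re.compile(r'(["+,;<>\\])')


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use in a DN (RFC 4514)."""
    out = _RDN_SPECIAL.sub(r"\\\1", value).replace("\x00", "\\00")
    if out[:1] in ("#", " "):              # leading '#' or space must be escaped
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "             # trailing space must be escaped
    return out


def ldif_attr(name: str, value: str) -> str:
    """One LDIF attribute line; base64 ('::') when RFC 2849 forbids the value verbatim."""
    unsafe = (not value.isascii()
              or value[:1] in (" ", ":", "<")
              or any(c in value for c in "\x00\r\n"))
    if unsafe:
        return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{name}: {value}"


def is_tim_generated(erglobalid: str) -> bool:
    """The post's observation: ids TIM issues itself are all digits."""
    return erglobalid.isdigit()


def make_import_id(sequence: int) -> str:
    """Fixed-width id: non-digit prefix plus zero-padded sequence number."""
    digits = ERGLOBALID_WIDTH - len(IMPORT_PREFIX)
    if not 0 <= sequence < 10 ** digits:
        raise ValueError(f"sequence {sequence} does not fit in {digits} digits")
    return f"{IMPORT_PREFIX}{sequence:0{digits}d}"


def build_ou_entries(ou_names, container_dn, erparent_dn, existing_ids, start=1):
    """Return [(erglobalid, ldif_record)], refusing to reuse any id in existing_ids."""
    used = set(existing_ids)
    records = []
    for offset, name in enumerate(ou_names):
        gid = make_import_id(start + offset)
        if gid in used:                    # cheap insurance even with a private namespace
            raise ValueError(f"erglobalid {gid} is already in use")
        used.add(gid)
        dn = f"erglobalid={escape_rdn_value(gid)},{container_dn}"
        record = "\n".join([
            ldif_attr("dn", dn),
            ldif_attr("erparent", erparent_dn),
            ldif_attr("erglobalid", gid),
            ldif_attr("ou", name),
            "objectclass: top",
            "objectclass: organizationalunit",
            "objectclass: erManagedItem",
            "objectclass: erOrgUnitItem",
        ]) + "\n"
        records.append((gid, record))
    return records


# DNs taken from the LDIF above; the OU names and existing ids below are constructed.
CONTAINER_DN = ("ou=orgChart,erglobalid=00000000000000000000,"
                "ou=Largecorp,dc=largecorp,dc=com")
ERPARENT_DN = "erglobalid=2989976714741706113," + CONTAINER_DN

if __name__ == "__main__":
    existing = {"2989976714741706113", "00000000000000000000"}
    for gid, record in build_ou_entries(["Fred", "Barney", "Müller GmbH"],
                                        CONTAINER_DN, ERPARENT_DN, existing):
        print(record)
        print("TIM-generated" if is_tim_generated(gid) else "imported", gid, "\n")
```

The existing_ids set stands in for the result of an LDAP search over erglobalid in the target tree; feeding that in keeps the collision check honest even if TIM ever does issue a non-numeric id. The ou value goes through the same LDIF encoder as everything else, so a name with an umlaut comes out base64-encoded on a double-colon line rather than as raw non-ASCII that the loader would reject.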

Tuesday, May 20, 2008

Dinner at the Blue Zoo

One of the greatest benefits of a conference is getting your colleagues and business associates together in the same place long enough to learn more about each other and to figure out ways we can help each other. Again tonight, Mike James came through with a fantastic dinner at the Blue Zoo. I guess they are known for their seafood, so naturally I had some fish. The scallops were just awesome. I had the Corvina with some kind of warm crab and mustard sauce, which was excellent. Oh, and the Pinot Noir was again very good here.

The Sirius Tivoli Security contingent along with our IBM friends. On the right side of the table, from the front, is Jeff Whitehead, then Keith Zunker, Mike James (host), myself, then Bob Ramsey. On the left side we have Larry Miller, someone whose name I can't remember, Moe, Bill Steadman, and Tim Nicolaou, and finally at the far end of the table Brian Ebersol.

Pulse - Day 2 a little more like a typical IBM Conference

OK, now we are rolling. It's starting to feel like a conference. I walked from my hotel to the Pulse shuttle, and these Disney cast members were standing out there handing out coffees. Now that's what I'm talking about!

Then I knew I was at a conference when we were herded into a dining tent in the Dolphin parking lot for a continental breakfast. Now, I'm pretty sure I recall having full breakfasts at Lotusphere, unless things have changed recently. But, hey, they have loads of Starbucks around.

The opening general session was great, with the same quality and extravaganza you would expect from Lotusphere. The speaker's message was clear, the demonstration was informative, and guest speaker Lance Armstrong had a great story to tell. I never knew that he was diagnosed with cancer before he had ever won a Tour de France, or that no team wanted him after he recovered. What a fantastic and very inspirational story. I felt bad for Lance when, halfway through his speech, someone in the audience passed out and they had to call paramedics. I mean, how weird: Lance is talking about the surgical procedures on his brain and about doctors and stuff, and some guy passes out. Granted, I felt bad for the guy who got sick, and thankfully he was alright after being attended to, but Lance is a trooper for coming back and picking up where he left off.

So, while at the conference this week, one of my to-dos was to get through some certs if possible. So I winged it in the cert lab on the Tivoli Solution Advisor Security test. I really have not had time to prepare for this, being on a project lately, so I figured I would just wing it on experience. I passed that early in the day. I actually thought about taking a practice test first, but the real tests are free this week, so I figured if I didn't pass then my attempt would serve as practice and I would just retake it later in the week. If you are thinking about taking this test, make sure you understand the meanings (as defined by IBM) of things like "baseline document", "context document", and the other design artifacts relevant to an IAM project.

Met Bob Kalka today. If you are doing Tivoli Security in any way you have something to thank Bob Kalka for. Or at least I do. Many of the presentations and positioning information I have used in the past came from Bob. He's a great speaker as well and really knows the security stuff. It was a pleasure talking with Bob today and he reminded me I have to reach out to Chris Craver when I get a chance. See there are not too many Tivoli Security people in the world and when one lives in the same town as you, it's a good idea to keep in touch!

Hit a couple sessions today, but I spent a great deal of time in the Expo talking to Encentuate and some other Tivoli dudes. Met the guys from SecureIT. I'm looking forward to playing around with their stuff soon. Found out some new things about Tivoli Training. Watch for more emphasis on instructor led Online training. Tivoli is putting in some efforts here.

Anyhow, more later

Monday, May 19, 2008

Pulse Business Partner Day

OK, so not quite the excitement of a typical Lotusphere event. Last night I camped out at the ESPN Zone, as I would at any Lotusphere for the Turtle party. Obviously no party really, just lots of people waiting in line to eat dinner even after 10:30pm.

I'm staying at the Port Orleans Riverside, so to get to the BoardWalk I naturally took the Disney bus. See, this time of year there are a lot more families around, so it is busier in general than when Lotusphere runs, and traveling to the BoardWalk was about an hour's ordeal.

The Business Partner Summit was not exactly a jaw-dropping experience. I met a lot of people, which was nice, and we got some advance word on what the general message was going to be this week. This apparently is the first time Tivoli has brought all the software, including Maximo, under one conference, so I guess it feels a little like a Lotusphere from right after 9/11. Over 800 business partners and about 4000 customers, so not bad. The BP Welcome Reception was great. Finally I got to meet up with my "peeps". Up until then I figured I was the only Sirius employee at the conference. Turns out we have 6 or 7 of us attending this year.

Many thanks to Mike James (our channels rep), who sprang for dinner at Shula's tonight. Their 12oz filet was top notch. The Pinot Noir wasn't bad either. ;-)

Well, after dinner the old folks had to turn in, so I meandered around in search of after-dinner festivities. Mind you, I'm a trained conference attendee, so if there is a party I will sniff it out. I have my old friend Bill Brown to thank for this rare skill. Anyhow, I noticed a nice crowd forming at the Blue Zoo downstairs at the Dolphin. When you see a potential party like this, the key is to assume you belong there. Walk up to the waitresses at the club entrance and ask which way to the party. Without question your wrist will be fitted with some fruity-colored arm band and your drink order filled. Whoever was hosting that gig, thank you very much for the Amstel Lights!

Well, it really was a productive day anyhow. I was on the job, registered by 9:30am and planning my week as I normally do for a good conference. All in all it was a slow start, not the big bang that Lotusphere usually is, but hey, maybe the opening general session will get things going.

Monday, May 12, 2008

5 Days until Pulse 08

I was a long time Domino guy since the beginning of Notes/Domino 5.0.a. I think my first Lotusphere was in 2002. I don't think I've ever been to a more passionate geek fest than the one Lotus puts on. I recall seeing the same faces each year with the ever popular Turtle parties to kick off each 'Sphere. Lotus developed quite a cult following over the years at least while I was involved.

So a while back I let go of Lotus (around v6.x) and switched hats to Tivoli (Security that is). This year is my first Tivoli conference (See IBM Pulse 2008). So far my expectations are not all that high. For one, a number of my IBM friends from ISST are not going. Boo! Apparently the way IBM is recording the big profits this year is quite simple. They don't spend any money. Not even on new business cards. So I'm not sure I will see many familiar faces at Pulse. But hey, I'm optimistic that it will be a very valuable experience. I had the Lotusphere Conference down to a science, especially when finding the best parties for the evening. Looks like I'll have to start from scratch this year at Pulse.

Some things on my agenda:

1.) Meet the folks at SecurIT - I'm interested in any companion products to TIM
2.) Take a test or two
3.) Get through a bunch of Security Sessions - Not sure which ones yet
4.) Hopefully find some info on Encentuate - Labs, Sessions, Demos, anything
5.) Need to do some TFIM - Labs, Sessions, etc...
6.) Find some good parties
7.) Work the Showcase
8.) Learn something new - I'm open to suggestions here. Anyone know what is hot hot hot? Besides security.
9.) Buy some Tivoli gear.

Anyhow, I'm hoping this conference will be valuable and that I'll meet some cool people with the same kind of passion I used to meet at Lotusphere.

See you at Pulse!

Monday, March 24, 2008

Getting up to speed on the new TAM ESSO

It's been a bit slow to get access to the Encentuate product so that I can finally start working with it. Business Partners have to sign up directly with Encentuate in order to become a partner and get access to resources more quickly. Otherwise you have to wait for the IBM machine to do its thing, which can sometimes be a little sluggish.

From what I've read on Partnerworld there are some nice benefits to the new product and the acquisition as a whole:

1.) IBM owns it, therefore the buck stops at IBM. When TAM ESSO was OEM'd from Passlogix, some of the tech support issues were not great. For instance if it was a Passlogix product we had to open a PMR through IBM, then IBM Support would have to open a ticket through Passlogix. Most of the time IBM Support could solve the problem. There are some really good support people there who really knew the product well. But every now and then stuff had to go back to Passlogix and it was not always quickly resolved.

2.) Functionality seems to be more complete in the new product. For instance Encentuate has over 300 proven applications that work. Some applications were tough to get working with TAM ESSO 6 or simply didn't work.

3.) There seems to be a wider list of supported and working two-factor devices. Physical access cards are also supported. They even support sonar as a convenient sign-off option, and active RFID so you don't have to "tap" in or out.

4.) Their options for roaming and multiple users seem to be well documented and flexible.

5.) It has won several awards for most complete endpoint coverage, most comprehensive session management, widest choice of two-factor authentication, and price-for-value proposition.

6.) Integrates with Active Directory and LDAP, but does not require schema extension. We don't get too many AD Admins objecting to schema extension, but every now and then it does happen. It also is sometimes an issue when the IT department evaluating an SSO solution does not actually own the AD environment therefore schema extension is not an option.

7.) Reports. There are audit reports built in which tell you who accessed what application, and so on. I have yet to see these, but many customers I have spoken to recently want this ability. This is not available in TAM ESSO 6.

8.) Works with the Novell client. I had a few customers running Novell who were using Novell's client. TAM ESSO 6 does not work with Novell. The new Encentuate product does.

Now some of the things that could be considered the down side:

1.) Requires a server (running Tomcat). TAM ESSO 6 did not require its own server since it was largely a client-side application. Encentuate uses a server to keep track of users, which apps they can access, their credentials, and just about everything else. It looks like credential caching is typically enabled, so I do not yet know how critical the server is for end users accessing their applications, but it is likely important enough that clustering it will be necessary.

2.) Because this Tomcat server is required for this solution, it would not surprise me to see IBM integrate this into WebSphere. I'm looking for some direction from IBM on this. This is not necessarily a bad thing at all, but it will be interesting to see what happens.

3.) The Windows GINA is replaced. This is also not necessarily a bad thing, just a big difference from before.

4.) Possibly more complicated to implement. Now this depends on how good the training and documentation is. The added functionality of Encentuate could make installing a bit more complicated, however the original TAM ESSO product was so poorly documented in my mind that it too was more complicated than it needed to be and in some cases the documentation was just wrong.

We'll see how it goes. More on this later...

Thursday, March 13, 2008

Will the real TAM ESSO please stand up?

At last IBM went all in and bought a full-featured single sign-on product (see Encentuate) that it can now call its own, instead of the OEM arrangement with Passlogix. Now we won't have to play this game where we call IBM for support and, when they can't figure it out, they go to Passlogix for a fix and maybe the problem gets resolved and maybe it doesn't. IBM has top-notch tech support in my experience, and while they have some great people fielding the current TAM ESSO calls, I think the new deal will make things much better.

As for the features and functions of the new TAM ESSO product (call it version 7), from what I have seen in the past the Encentuate product has the goods: Web, host-based, Java, and client-server support. But one thing stands out for sure, and that is the built-in reporting. I've heard from a number of customers who want to know who accessed what and when, etc., with respect to their SSO users, and there are some decent reports built in to the Encentuate product that were lacking in the TAM ESSO 6 (Passlogix) product. I am working on getting my hands on the new stuff ASAP so I can kick the tires a bit. Maybe I'm a little strange, but I get excited when it's time to learn something new.

So what about the folks using the original TAM ESSO (Passlogix)? Certainly IBM has a strategy to migrate to the new stuff. I'll be getting some of those details very soon.

Press Release

Woo hoo, something fresh to blog about!