Thursday, December 31, 2009

Subject Alternative Name with GSKit

Subject Alternative Name's (SANs) allow you to obtain a single SSL certificate to protect multiple hosts. So lets say you have two LDAP servers (server1 and server2) and you want to enable SSL, but you want to have clients reference only one DNS name (ldapserver) to connect to any of the LDAP servers. Likely you will have a load balancer of some kind in front of the LDAP. One way to do the Certificate Signing Request (CSR) is to specify "ldapserver" in the host name field and then specify "server1" as the SAN. The problem is IKeyMan doesn't have a way of including a SAN in the CSR.

This is not a problem for a couple of reasons. For one, you can use the command line tools with GSKit to create a CSR containing a SAN. While the GUI lacks this capability it seems the command line supports it:

gsk7cmd -cert -create -db /keys/tds.kdb -pw password -label junk -dn "cn=tds1,o=bigco,c=us" -san_dnsname tdswin1,tdssrv1 -expire 3653

The other option is to create the CSR using IKeyMan without the SAN. When you post the CSR certificate into the web form at Verisign or whatever other CA you choose, you should be able to use the CA form to specify the SAN. This way the signed version of the certificate you receive back from the CA will contain the SAN. IkeyMan supports receiving the signed certificate back into the key database with the SAN included so this will work fine. In fact this is the easiest way to do this. For your LDAP servers it is best to create the Key database using IKeyMan and issue the CSR from there. That way you can do the Receive Certificate operation later when you receive the signed certificate back from the CA.

Cheers!

Tuesday, December 22, 2009

TDS Web Admin Tool - Superuser

Be careful changing the credentials for this. When you login to the TDS Web Admin Tool and attempt to change either the user name or password for the superuser (default superadmin) I have seen cases where something got screwed up and the end result was to uninstall and re-install the TDS Web Admin Tool completely.

It seems that the tool is a little quirky if you try to change the user name and password at the same time. My best recommendation is to change the username, log out of the tool, then log back into the tool with your new user name and the original password. Then change the password for the user. Log out of the tool, then back in with the new user name and new password.

Monday, December 14, 2009

How much do you rely on the TDS Web Admin Tool?

I usually setup TDS as an enterprise LDAP, but usually as part of a larger security initiative such as Identity and Access Management. Since LDAP is the underlying user registry for ITIM and ITAM we typically do not use the TDS Web Admin tool for much more than some initial setup and configuration of the LDAP. Beyond that ITIM and ITAM have their own management tools.

But, if your goals for LDAP were simpler and you are not implementing an Identity Management solution, well you are limited to a few different tools to manage your LDAP directory:

Command Line tools such as ldapsearch, ldapadd, idsldapsearch, idsldapadd, etc....
TDS Web Admin Tool (GUI)
3rd Party tools such as Softerra's LDAP Administrator

Those who are new to LDAP in general and do not prefer to use command line tools, naturally gravitate to the TDS Web Admin Tool. In general its a pretty good tool and in TDS 6.2 it is much better than 6.0 for tasks such as setting up replication, but its still a bit buggy.

For example I ran into a problem recently where we had a boolean attribute configured as a mandatory attribute for our objectclass. Using TDS Web Admin Tool to create a new user entry results in an objectclass violation. Meanwhile using idsldapadd works just fine. It turned out to be a legitimate bug with a fix on the way, but there are other quirky issues with this tool.

Another problem I noticed in one case I have 5000 entries populated in the LDAP. If I navigate through the directory tree I can see the entries listed, but if I click on an entry it should open up the edit screen for that entry. Instead it does nothing at all. Yet, if I use the directory search tools in TDS Web Admin GUI I can find a specific entry and then click on the entry which correctly opens the edit screen for that same entry. Weird.

Another issue which I would consider a bug and I don't know if IBM will ever address this:

If I customize the LDAP Schema by using custom schema files I.e. V3.myschema.oc and V3.myschema.at, the Web Admin Tool does not acknowledge this and continues to drop stuff in V3.modifiedschema instead. TDS supports creating custom schema files by allowing you to reference the custom files in ibmslapd.conf. This is one way of keeping your custom schema organized neatly. In fact if you keep all of your custom attributes and classes in order by OID (assuming you are using a legitimately registered OID) then it makes it easy to know what OID to use next for any new attributes or classes. Also, if you have replicas, schema updates to the replicas is a simple matter of copying your updates schema files over to the replicas and restarting them.

Anyhow, most folks managing LDAP servers seem to prefer using 3rd Party tools if they need a good GUI style interface, but it would be nice if the Web Admin Tool was a little less buggy.

Thursday, November 26, 2009

AccessStudio vanishes?

Anyone who has spent any considerable amount of time profiling applications must have noticed this. Your toiling away on a profile for hours, testing some password change workflow or something and suddenly AccessStudio just disappears into thin air. And at least the first time you saw this it was probably after having made numerous changes in the state machine without saving your work right? And to top it off, trying to simply re-launch AccessStudio wont help, because there are still pieces of it running somewhere in Windows voodoo land so it will complain if you attempt to run another test session. Chalk it up to yet another reason to re-boot your Windows machine.

Sorry, I have no solution, but am looking out for one. I have seen this problem in 8.0.0 and 8.0.1 so maybe the new 8.1 version will be better. I look forward to upgrading.

Thursday, November 19, 2009

TAM ESSO and support for Java

TAM ESSO supports Java applications for sure, but if you haven't deployed it yet there are a few issues which you might need to be aware of.

First, when you install AccessAgent on a computer, the installer will try and find any instances of Java on the computer and will add support for that Java. After installing AccessAgent find the directories on your computer where Java is installed and you should see the following files at these locations:

\jre\lib\accessiblity.properties
\jre\lib\ext\jaccess.jar
\jre\lib\ext\EncAwtAgent.jar

Some applications may get installed with their own Java. If the AccessAgent installer does not detect that Java then you will have problems profiling the Java application and AccessAgent will not detect the profile for SSO.

If you wish to add support for the application after AccessAgent has already been installed there is a script which you can run located here:

C:\Program Files\Encentuate>JavaSupport>

For example lets say you have a Java application called "XYZ App" installed which has its own instance of Java under its own program directory. Launch the script specifying the location of the JRE:

C:\Program Files\Encentuate\JavaSupport>JVMSupport.vbs /d C:\Program Files\XYZ App\jre

Going forward you would probably want to have AccessAgent support this Java on any machines with this application installed without having to go to all of your workstations to run this script. The JVM paths can be specified at the time you install the AccessAgent on end user machines. The SetupHlp.ini contains parameters for specifying these JVM paths. This part is clearly documented in the TAM ESSO installation and administration guides, but I'll mention it here:

SetupHelp.ini parameters:

JVMInstallationDirectories
OldJVMInstallationDirectories


AccessAgent Seems Slow?

One thing that seems relevant here is that AccessAgent can appear noticeably slower when profiling or testing with Java applications. By default AccessAgent is logging all activity at LogLevel=3. This is a pretty good level for debugging. However, normally for production you probably do not need the logging to be at this level. AccessAgent performs considerably better at LogLevel=1 or 0. So if you see issues with the profiles appearing slow especially for Java applications, you may want to go ahead and drop that LogLevel down:

HKEY_LOCAL_MACHINE\SOFTWARE\Encentuate\DeploymentOptions\

BTW, if AccessAgent seems slow, it may not be the fault of the LogLevel or TAM ESSO at all. There are other outside factors which could affect the performance of AccessAgent including some antivirus, but in most cases you will not notice any change in performance of your desktops with TAM ESSO. With all that is going on it performs excellent.

Monday, November 16, 2009

Change Listening Ports on your IMS Server

TAM ESSO IMS Server listens on ports 80 and 443 by default. Typically this is perfectly fine. However, you may have a situation in which you need to change these default ports and it is not well documented how to do this.

1.)Edit the server.xml file located at :\Encentuate\IMSServer8.x.x.x\conf

The following is an excerpt from my server.xml file. The lines to change are in bold. In my case I changed the default listening port to 89 and the redirect and connector port to 1443.

Connector
port="89"
minProcessors="5"
maxProcessors="400"
enableLookups="false"
redirectPort="1443"
acceptCount="100"
debug="0"
server="EWS/2.0"
connectionTimeout="20000"
useURIValidationHack="false"
disableUploadTimeout="true"
algorithm="IbmX509"

Connector
port="1443"
minProcessors="400"
maxProcessors="800"
enableLookups="false"
acceptCount="100"
debug="0"
scheme="https"
secure="true"
useURIValidationHack="false"
disableUploadTimeout="true"
clientAuth="false"
keystoreFile="ims/certs/keystore/ssl_keystore"
SSLImplementation="encentuate.tomcat.EncentuateSslImpl"
algorithm="IbmX509"
keyAlias="ims"
sslProtocol="SSL_TLS"
ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RS


2.)Edit the accessAnywhere.properties file at :\Encentuate\IMSServer8.x.x.x\ims\config

Modify the port setting in the following stanza:
# The IMS Server's SSL port
IMS_SERVER_SSL_PORT=1443

3.)Restart the IMS Server for changes to take effect.

Saturday, October 10, 2009

Another Quirk with Tivoli Common Reporting...

Just thought I would mention this. The report package you download for Tivoli Common Reporting may produce an error like the following:

Error CTGTRD040E










To get around this I unzipped the report file and re-zipped it using WinRAR. For some reason TCR 1.1.1 has a problem with some zip files. Something about not liking directory names as zip file entries. Anyhow, WinRAR did the trick.

Can't find TAMeB Reports?

Just in case you are hunting and pecking for reports for TAMeB using Tivoli Common Reporting, I assume you've seen the documentation for auditing TAMeB. It's only 500+ pages. :-)

The basic idea is that you will first install Tivoli Common Reporting (integrated in the WebSphere Integrated System Console). Then you need to download the reports from the support web site. Why they don't simply include these with TAM is a mystery. Oh and good luck finding them by searching reports, or audit reports, etc.... If you search for "Operational Reports" you will find them. Go figure.

Anyhow the link to the reports:

http://www-01.ibm.com/support/docview.wss?rs=638&context=SSPREK&q1=operational+reports&uid=swg21303439&loc=en_US&cs=utf-8&lang=en

Tuesday, August 4, 2009

TDI 7 - Eclipse anyone?

So I think that most of us using TDI over the past few years can say mostly good things about the product. Personally it's one of my favorite tools in the Tivoli Security stack being largely a non-developer type I feel empowered when I make cool things work with it. However most people would also agree that the products implementation of Swing might be a bit off. Just weird stuff like if you have a pop up window and you hit the enter key you expect the OK button to depress. And sometimes resizing windows is a little weird. I've even had to close the tool kit and reopen it sometimes just to make things work.

All that is pretty much gone with the new TDI 7.0. Oh and I believe there is a fix pack out already. I'm just starting to play with this new version. It takes some getting used to if your not comfortable with eclipse, but I look forward to working with it.

BTW, there is a pretty cool tutorial out there you can check out:

http://sites.google.com/site/tdi7islive/

Nice job who ever took the time to do this!

Wednesday, July 8, 2009

Risk - ignore, accept, mitigate, insure

Tivoli security professionals are pretty much in the Risk Mitigation business. Any organization who has any identity information in house on employees, customers, or partners will at some point address the risk of losing this information. And subsequently they will ask:

"What's the chance of losing that information?"
"What's the cost to us if that information gets lost?"
"What should we do about it?"

The answers are undoubtedly, ignore the risk, accept the risk, mitigate against that risk, or just buy some extra insurance.

Organizations large and small are thinking about how important it is to deprovision accounts that are no longer needed. Doing this via e-mail is not going to work well. This is one main reason Identity Management systems exist.

These latest security breaches illustrate the headaches organizations face when they fail to ensure that their former employees are removed from accessing their IT systems:

http://datalossdb.org/incidents/2152-unauthorized-access-by-a-former-employee-exposes-names-addresses-and-social-security-numbers-of-past-and-present-employees

And this one was even more brazen by an American Express employee. Holy crap $1 million. This guy had a good job watching over the systems that hold data for many of us. I'm not sure how you prove that a laptop which is reported stolen wasn't really stolen. This dude should go to jail for a long time.

http://www.kpho.com/money/19936013/detail.html

Why hire consultants?

I have always thought of myself as a consultant. Perhaps I'm just a people pleaser, not to the extreme that I'm compulsive or anything, but that I genuinely like to help others. I can recall the days when DOS 5 was a huge deal. I was networking computers using ArcNet, LANTastic and Novell 3. A 386 DX2/66 with 4MB of RAM was smoke'n fast.

I recall some of the best advice I got from a guy named John Posey (John if your still out there thanks for all your help). He said, "Chuck, run out and buy yourself a DOS book." The past mystery of my Commodore 64 seemed silly once I read that DOS book. It was clear to me then that if one could read, one could do this technology stuff. Oh how things have gotten so complicated.

So, why should you hire consultants?

1.) Well, look I understand all you geeks out there who are highly skilled can certainly figure all this stuff out yourself. Like I just said, if you can read, you'll get there eventually. But, the bottom line is there just isn't time for everyone to know everything. Take TIM, TAMeB, TFIM, TAM ESSO, TCIM, TSOM, and the rest of the Tivoli Security products. If you want to implement any one of these or some of them, you can certainly buy the software, read the manuals and go for it. The fact is though, it doesn't always work like the manual says. So, you may have to do it a few times until its right. And that's OK. But, businesses today are more concerned with ensuring that the technology is solving business needs. They are not necessarily interested in making you an expert at installing Tivoli software. That perhaps is better left to consultants.

2.) Good consultants are in this game because they like to help people. At least that's the experience I have seen with the colleagues I work with. And the objective is to enable customers to be self sufficient in steady state maintainability of the products and solutions.

3.) We really have seen many use cases, configurations and different applications of these software products so you can save a ton of time in the planning phases of your projects by using consultants.

4.) Consultants in the security business have a lot of friends doing the same thing which can help in getting the right skills on the job. Solutions using enterprise software like Tivoli will often require many different skills. There will rarely be one guy/gal who can do it all. Although I've worked with some amazingly bright people in this business, there are usually multiple people involved in average Identity Management projects. Utilizing a good consulting group will help you succeed. For Tivoli, an IBM Business Partner is key for a couple reasons:
a.) IBM Business Partners have unique relationships with IBM which helps to deliver solutions most cost effectively.
b.) IBM Business Partners can bring versatile project management skills to your project which may involve IBM and Non-IBM products and solutions
c.) IBM Business Partners can bring low cost resources into your project as well as subcontracted IBM resources which helps to drive down the cost of your project while maintaining a strong IBM presence in the success of the project
d.) IBM Business Partners have a vested interest in seeing the IBM solution succeed.

5.) Good consultants will pass on their experience and knowledge to you. I tend to share as much as I know because I believe in educating people, I will also learn some new things. Every good project should have some time dedicated to knowledge transfer, but even when that dedicated time is not there, you will still learn a lot from a good consultant.

6.) Consultants save you time and money in the long run. Lets face it, time is money. If a project is being managed properly, there will be some realistic goals and objectives. If the goal is say 6 months from now we will have xyz product installed and configured and you already have a full time job, then how likely will you meet that goal? Hire the consultant and get the job done.

Tuesday, June 30, 2009

Changing LDAP Suffix

Of course when building an LDAP it's best practice to choose wisely and carefully your LDAP structure to minimize any ugly rework later. This is a no brainer. But, I've been working on setting up a demo test system for TFIM. And, as I am not a web developer I'm going to use the demo apps that come with Tivoli Federated Identity Manager 6.1. But this Federation demo assumes that there are specific configurations done in your LDAP first.

Now, I already had a working TAMeB system with TDS and WAS, etc.... So I wanted to use what I had to minimize the work in setting up TFIM. I built another TAMeB environment to act as my partner site as well. Installing TFIM and creating the Federation domain was no problem. Even creating the Federation agreements and exporting both sides was straight forward. But when it came to configuring TAM for TFIM I ran into an unforeseen snag at the point where this program wants to configure for the demo apps:

tam:/opt/IBM/FIM/tools/tamcfg # java -jar ./tfimcfg.jar -action tamconfig -cfgfile /opt/pdweb/etc/webseald-default.conf

...
Press 1 for Next, 2 for Previous, 3 to Repeat, C to Cancel: 1
Perform configuration for demo application (y/n): y
Checking for DN cn=elain,o=identityprovider,dc=com.
FBTTAC062E Error checking for the DN cn=elain,o=identityprovider,dc=com in the user registry:
HPDMG0761W The entry referred to by the Distinguished Name (DN) must be a person entry.


You may need to create this registry entry manually or use the itfim-pre-install-tool.jar to create it for you.
Press 1 to Repeat, 2 for Previous, C to Cancel:

So, I really didn't consider that the demo apps for TFIM would be relying on specific users to exist in TAM/LDAP and even a specific LDAP structure. This is sort of lame. I need these demo apps for my testing, yet I'm forced to have a specific set of users and LDAP design. Annoying.

I set to work making the necessary changes to my LDAP, however one problem was that my suffix was already dc=ca,dc=com and the LDAP will not allow me to create a new object for the demo "o=identityprovider,dc=com". This means I need a new suffix at dc=com which the LDAP will not allow since a suffix already exists containing dc=com. No worries, I figure I'll just do a db2ldif and export my users and groups, etc... (TAM is using these already), then blow out the LDAP, delete the existing suffix and create a new one "dc=com", then just add the "dc=ca" domain under the suffix and finally do a ldif2db.

This all worked right up until I realized that the ACLs do not go back into the LDAP. The db2ldif utility will capture the ACLs and they will be right there in your LDIF file, but for some reason when you use the ldif2db these ACLs do not go back into the LDAP. Additionally I tried a bulkload with the -A and still no ACLs. I know that I must be missing something. Rather than spend a lot of time troubleshooting this I ended up configuring the ACLs for TAM manually on my "dc=com" object so that I could get back to business. If anyone knows what I may have missed, feel free to let me know.

Regards

Wednesday, June 3, 2009

Which product version do you have?

The Tivoli security products contain several components and middleware making it sometimes difficult to know exactly what versions and fix packs you are at for all of the pieces. Also, you may only need this information once in a while maybe for troubleshooting a problem or planning some upgrade or change to the environment. So you ask, "what was that command again to determine the version of TIM, TAM, WAS, TDI, etc...? And as usual for every piece of the puzzle the commands or procedure for determining the versions and fix packs are different. Then, finding this information on the IBM Support site or the Information Center for some pieces is difficult. You would think that for each product the first chapter of the Problem Determination Guide would start with "How to determine your product version and fix pack level". NOT!

I'm simply listing here the results of my hour and 1/2 of internet searches here to hopefully save time when I need this info again. There are by the way some very good IBM Wiki sites for this info. I've listed some below. It's crazy though that these Wiki's did not show up in my searches of the IBM Support site.

Check Version Info for TDS 5.2

http://www-01.ibm.com/support/docview.wss?rs=767&context=SSVJJU&q1=version&uid=swg21268258&loc=en_US&cs=utf-8&lang=en

Example:

rpm –qa | grep ldap
rpm –qa | grep db2
rpm –qa | grep gsk
ls –l /usr/ldap/bin
ibmslapd -V

If the Web Administration Tool is installed and configured please collect the output of:
ls -l /usr/ldap/idstools/IDSWebApp.war

Check for version info for TDS 6.0

http://www-01.ibm.com/support/docview.wss?rs=767&context=SSVJJU&q1=version&uid=swg21268261&loc=en_US&cs=utf-8&lang=en

Example:

rpm -qa | grep -i ldap
rpm -qa | grep -i db2
rpm -qa | grep -i gsk
ibmslapd -V
idsilist -a

If the Web Administration Tool is installed and configured collect the output from:
./opt/ibm/ldap/V6.0/idstools/deploy_IDSWebApp.sh -v

Check for version info for TDS 6.1

http://www-01.ibm.com/support/docview.wss?rs=767&context=SSVJJU&q1=version&uid=swg21268263&loc=en_US&cs=utf-8&lang=en

Example:

/opt/ibm/ldap/V6.1/bin/idsversion
rpm -qa | grep -i gsk
idsilist -a

If you are using DB2 v9.1 or higher issue the following command:
/usr/local/bin/db2ls

Otherwise issue:
rpm -qa | grep -i db2

If the Web Administration Tool is installed and configured, please collect the following:
/opt/IBM/ldap/V6.1/idstools/deploy_IDSWebApp -v

Check version of the TDS Web Admin Tool (Any version)

http://www-01.ibm.com/support/docview.wss?rs=767&context=SSVJJU&q1=version&uid=swg21320615&loc=en_US&cs=utf-8&lang=en

Check for Version of WebSphere

http://www-01.ibm.com/support/docview.wss?rs=638&context=SSPREK&q1=version&uid=swg21306756&loc=en_US&cs=utf-8&lang=en

Example:

versionInfo.sh in the app_server_root\bin directory.

Check for version info for TAMeB

http://www.ibm.com/software/info/testinfo.jsp?uid=IC000043

Example:

pdversion

Check for version info for TIM

http://www.ibm.com/developerworks/wikis/display/tivoliim/Determining+Product+Fixpack+Levels

From the TIM Admin Console, open the "About" page

Example:

Server name: secperf12
Version: 5.0.0.3
Build number: 200809241018
Maintenance level: IF0014
Build date: September 24 2008
Build time: 10:18:08 GMT-05:00

Check for version info for GSKit

http://www.ibm.com/developerworks/wikis/display/tivoliim/Determining+IBM+GSKit+Fixpack+Level

Check for version info for TDI 6.0


http://www.ibm.com/developerworks/wikis/display/tivoliim/Determining+IBM+Tivoli+Directory+Integrator+Fixpack+Level

Check for version info for TDI 6.1

http://www-01.ibm.com/support/docview.wss?uid=swg21302983

Example:

Unix/Linux -
1) cd /usr/ibm/common/acsi/bin
2) //source the setenv.sh
. /var/ibm/common/acsi/setenv.sh
3) //run the listIU.sh
./listIU.sh | grep -i tdiserversiu


Check for version info for TIM Agents


http://www-01.ibm.com/support/docview.wss?rs=644&context=SSTFWV&dc=DA420&dc=DA480&dc=DA490&dc=DA430&dc=DA410&dc=DB600&dc=DA400&dc=D600&dc=D700&d

c=DB520&dc=DB510&dc=DA500&dc=DA470&dc=DA4A20&dc=DA460&dc=DA440&dc=DB550&dc=DB560&dc=DB700&dc=DB530&dc=DA4A10&dc=DA4A30&dc=DB540&q1=version&uid=s

wg21140454&loc=en_US&cs=utf-8&lang=en


Example:

Run agentCfg -> Configuration Settings

Tuesday, June 2, 2009

INFO: ssl.disable.url.hostname.verification.CWPKI0027I

From what I can tell there can be a number of reasons you might get this error during TAM Configuration or unconfiguration. In my case I made a small mistake while in a hurry and also because in my test lab, I don't take as much care as I would typically take as with a production system. I did not unconfigure Web Portal Manager before removing WAS. This should not be a big deal, but apparently it is.

I'm preparing my TAM Test Lab to also support TFIM. In doing this I upgraded my TAMeB components to 6.1 FP002. But, also I chose to replace the WAS 6.1 server with a WAS 6.1 ND because I plan to do some other clustering stuff as well.

The TAMeB upgrade and patches worked fine. Afterwords, TAM, pdadmin, WPM was all fine. But after manually removing WAS 6.1 and installing WAS 6.1 ND, WPM was hosed. To install WPM, I simply installed it using the GUI installer as I have done before only this time WPM did not show up in the ISC as it should even though the installation said it was successful. So, I then realized that when I had removed WAS and installed WAS ND, I had never unconfigured WPM.

Attempting to unconfigure Web Portal Manager using pdconfig or amwpmconfig resulted in this:

Tivoli Access Manager administrator ID: [sec_master]:
Tivoli Access Manager administrator password:******** *java.lang.IllegalStateException: HPDAZ0602E Corrupted file: Insufficient information to contact a Policy Server.


Then I realized the JRTE needed to be reconfigured for the new WAS 6.1 ND so I ran through the JRTE configuration again for my latest Java 5 location and for the WAS 6.1 ND JRE. Then the next problem was this:

Enter the IBM WebSphere Application Server or Deployment Manager
installation full path [/opt/IBM/WebSphere/AppServer]:
Policy server host name [tam]:
Tivoli Access Manager policy server port number [7135]:
Enter the Access Manager policy server domain [Default]:
Tivoli Access Manager administrator ID: [sec_master]:
Tivoli Access Manager administrator password:******** *Enter the hostname of the IBM WebSphere Application Server
or Deployment Manager[tam]:
Enter the SOAP Admin port number of the WebSphere
Application Server or Deployment Manager [8880]:
Is WebSphere security enabled (y/n) [n]?
Unconfiguration of:
Access Manager Web Portal Manager
is in progress. This might take several minutes.

Jun 1, 2009 10:58:47 PM com.ibm.ws.ssl.config.SSLConfigManager
INFO: ssl.disable.url.hostname.verification.CWPKI0027I
java.lang.NullPointerException
at com.tivoli.pd.jwpmcfg.WPMConfigure.unconfig(WPMConfigure.java:572)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:64)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:615)
at com.tivoli.pd.jwpmcfg.WPMConfigWrapper.unconfig(WPMConfigWrapper.java:325)
at com.tivoli.pd.jwpmcfg.AMwpmcfg.interactUnCfg(AMwpmcfg.java:447)
at com.tivoli.pd.jwpmcfg.AMwpmcfg.main(AMwpmcfg.java:271)


So after scratching my head enough times and poking around I discovered that all I needed to do was delete /opt/PolicyDirector/etc/amwpmcfg.properties. This allowed me to reconfigure the Web Portal Manager using pdconfig and now Web Portal Manager shows up properly in the Integrated Solutions Console as it should. So I only lost 4 hours messing around with this silly issue. Just goes to show how a simple mistake can cost you 1/2 day of work.

Cheers!

Tuesday, May 19, 2009

LDAP: error code 52 - Unavailable

OK, There may be numerous reasons for this error, but of course TDS just doesn't come right out and explain it for you. This was a weird one in my case because I was simply trying to delete a password policy which I had no problems creating just moments ago. I was trying a quick and dirty test which turned into several hours of troubleshooting in the midst of my other duties.

Well I tried to delete this password policy using the TDS Web Admin Tool and this is what resulted:

GLPWSA124E Failed to delete the password policy object.

Then I attempted to use my trusty LDAP Browser/Editor and different error, but same result:

10:19:52 PM: Failed to delete entry cn=pwPolicy1, CN=IBMPOLICIES
Root error: [LDAP: error code 52 - Unavailable]


So, just for kicks I enabled trace logging:

ldtrc on

I restarted the server and attempted to delete my password policy again. Here's what showed up in the log:

137:23:14:33 T115510160 Delete operation for DN CN=PWPOLICY1,CN=IBMPOLICIES requested by CN=ROOT.
137:23:14:33 T115510160 select_backend: g_backends=0x9928310, dn=CN=PWPOLICY1,CN=IBMPOLICIES
137:23:14:33 T115510160 select_backend: selected CN=IBMPOLICIES
137:23:14:33 T115510160 subtreeDn=CN=IBMPOLICIES
137:23:14:33 T115510160 The update is not from a supplier.
137:23:14:33 T115510160 send_ldap_result2: err=10 matched=[] text=[]
137:23:14:33 T115510160 WriteToSocket: Sending msg to client


So, I'm thinking "who cares if the update is from a supplier or not?" This got me thinking about a replication issue. Now when I built my replicas for this test lab, I did not configure replication for CN=IBMPOLICIES. At the time I had no desire to replicate these.

In looking at this further I see that the replication topology is all hosed for CN=IBMPOLICIES.

Peer 1:









Peer 2:









So, then how to clean this mess up? I found a handy tech note on the IBM Support Web Site. I know this was referenced by the good folks at L2 Support who put on an STE a while back. It just took me a while to relate the fact that I couldn't delete this simple password policy to a replication issue. Anyhow, the tech note:

http://www-01.ibm.com/support/docview.wss?rs=767&context=SSVJJU&q1=cn%3dibmpolicies&uid=swg21226577&loc=en_US&cs=utf-8&lang=en

For some things there may not be a technology solution for..

This recent example in New Jersey about a "clerical error" which led to sending peoples names and SSN #s to the wrong place --> http://www.nj.com/news/index.ssf/2009/05/3k_unemployed_nj_residents_may.html is one of those examples where people just have to have a better system of doing things even if it does not involve a computer or software solution. I mean maybe it comes down to having more conscientious people working in those positions that handle sensitive information. This was a clerical error so I'm trying to imagine a handful of hard working individuals manually stuffing envelopes with the wrong reports to the wrong companies and wondering how did their managers articulate what reports go into what envelopes? Or was it blatantly obvious which reports go in which envelopes and the people stuffing them were just oblivious to what they were doing?

Someone very close to me works in one of our illustrious social organizations in the Peoples Republic of New York and I hear stories all the time about the lackadaisical attitudes, complaining, and just general acceptance of mediocrity in the workplace. Managers sometimes hiding in their offices making no improvements to processes or efficiencies rewarding peoples laziness with overtime hours because people do not understand the meaning of hustling on the job.

Sometimes all it takes is for people to care enough about what they do to avoid these mistakes. I make no claim to understand the work environment of the folks at the NJ Department of Labor and Workforce Development, after all when humans are involved there certainly can be error and there may not necessarily be a technology solution for it.

Friday, May 15, 2009

Who's Identity Information is safe anymore? Probably no ones.

I reading up on the latest security breaches and stumbled onto this web site which has recorded hundreds of known security breaches since 2005. Check it out here:

http://www.privacyrights.org/ar/ChronDataBreaches.htm

It's amazing how many different ways your personal identity information could be compromised. So much of this can be prevented with the proper security measures. I don't know if the number incidents is rising or not, but it seems the same vulnerabilities continue to be exploited, lost equipment, compromised web sites, internal users' mishandling of data.

There is a link to another great web site full of the latest statistical information about breaches which I find very interesting:

http://datalossdb.org/

Protecting peoples' identities is an ongoing battle which most security professionals recognize must be fought on many fronts. There's not too much you can do about an employee whom you place trust to not misuse data, but you can certainly implement good auditing tools which security managers can use to help keep the honest people honest. Then of course there is always human error. Well, again even though people make mistakes there are some safeguards that can be put in place to prevent people from doing stupid things like inadvertently sending out mail with peoples SSNs on the labels. As for the missing or stolen equipment, well there's some great disk encryption solutions out there.

Makes you think twice about giving any company or government your information doesn't it?

Thursday, April 23, 2009

Can you teach a bear to dance?

Any of you Identity Management professionals out there probably know where I'm going with this. How many times have you been in design discussions with a customer and just cringed at what they were trying to do? Do you tell the customer they are crazy? Or do you suck it up and do your best to just make something work? Sometimes you don't have a choice, but one thing I've learned is that it is very important to make the key stakeholders understand that we may be able to teach that bear to dance, but it ain't going to be pretty and the bear might not like it very much.

Some people are convinced that if you can write code then you should not really have many boundaries. True, that if it's software and the APIs are available you can do just about anything. But that doesn't always mean it should be done.

Identity Management projects induce much change in an organization. Sometimes folks have a tendency to look for a way to code around having to ask someone to accept a change in their routine or what they know. This doesn't always work.

People, when rolling out an Identity and Access Management solution get ready to make a few changes in your life. New Identity? For sure. New Logon ID? Perhaps. New password? Likely. Single Sign On? Sure, but hopefully your not trying to make a bear dance. :-)

Tuesday, March 31, 2009

IBM's Enterprise Single Sign On - The new stuff

Well, maybe it's not really so new. IBM acquired Encentuate about a year ago. Since then they have had time to "blue wash" the product and build up the Information Center, support and all sorts of other helpful sites and documentation. Today the product looks like it is happily at home within the TAM family.











Last year when IBM first acquired Encentuate, I quickly got signed up as an Encentuate partner while IBM was working through the red tape. I was anxious to see the new stuff, because I was hoping that it would be much better than the prior software. You know how sometimes you equate newer with better? I know thats silly, but I get a kick out of new software. I got the same excitement when I first downloaded and kick started SLES 10 for the first time. I was pleasantly satisfied with my first experience with the Encentuate product. It's ease of installation and most of all the accuracy of the documentation was a welcome surprise.

Lately, I have had some time to get a much closer look at the new TAM ESSO v8. There is support for a wide array of application types including Windows, Web, Mainframe HLLAPI, Mainframe or cursor-based, TTY, Java applet, and more. It is safe to say that 80% - 85% of your applications will work with TAM ESSO right out of the box!

Implementing TAM ESSO is a cake walk compared to your typical Identity Management endeavor. Still, the most difficult part of implementing TAM ESSO or any SSO product for that matter is the odd ball applications where the single sign on product has trouble detecting the Logon window. For your project you may have 20 applications that work flawlessly with SSO, then you might have 2 applications that for what ever reason cause a problem. So while it might take 10 minutes to profile each of the 20 good applications, it could take 10 hours to profile 1 difficult application. This is a key differentiator between the different SSO products on the market and I think TAM ESSO is the best that I have seen in this regard. So then you have to look at the tool(s) that come with a product to help you profile those tough applications. Again TAM ESSO v8 shines above others with its AccessStudio.










The AccessStudio is a state engine tool which gives you control over what happens at each window event that occurs for your application. Youl literally have the ability to add your own triggers, customized xpath statements, and actions during the logon process of a given app. You can even call out some JavaScript or VBScript and the tool makes it very logical to customize the behaviour of TAM ESSO. AccessStudio even has a testing function to allow you to test the logon process with your custom profile and shows you step by step which window events are happening and what triggers aand actions during the process are taking place. This way you do not have to upload the profile to the server before you are done testing it. The cool thing about the AccessStudio is that even for a profile which requires customization, you can still use the wizard to auto-generate the profile, then simplu enable state editing of the profile to make your customizations. I think the AccessStudio tool is much more powerful than the tools we had to work with for the old product. Therefore, it might take a bit more effort to learn how to recognize all of the states and how to customize them, but the wizard built in to AccessStudio properly automatically recognizes most of your apps so that should mean quicker deployments and quicker ROI.

Some competitors of the new TAM ESSO product would say that a downside to the new TAM ESSO is that it requires a server or multiple servers. The fact is that you do need at least one server because TAM ESSO uses a RDBMS (either MS SQL, Oracle or DB2) to store policies, profiles, credentials, and report data. The old product did not require a server because it stored information in a directory (Active Directory, Novell, or LDAP) which typically already exists in most companies. I personally don't think it makes a difference. The solution can be virtualized just like anything else out there and most companies have hundreds of servers already. Having more servers typically reduces risk by not having all your eggs in one basket. Virtualization is there to allow you to reduce the need for physical hardware and make better use of the processing power that often sits idle on many physical servers. But that's not the only reason to appreciate the requirement of a server for TAM ESSO. The advantage is that you can implement TAM ESSO without any direct impact whatsoever to existing enterprise directories. The old product required schema extension to the Active Directory. While I still do not think that is a big deal (its what directories were designed to handle), some admins hesitate to extend their schema and since it affects their production system, it is something you have to plan appropriately for. Additionally, multi-forest and multi-domain AD systems presented a few challenges for how you deployed the old product. Again, I don't think that is a huge deal either, however the need for a server in the new TAM ESSO product provides another added benefit... reports. TAM ESSO v8 will gather compliance reports such as who accessed what applications, what machine were they logged into when accessing those apps, what credentials where being used, etc.... The old product provided nothing like this and if it had, the addition of a server would likely be a requirement. A typical IBM server should be able to handle 36,000 user authentications per server per hour so depending on the size of your organization a single server would do the trick. The servers can be clustered and load balanced so the solution scales very well.

Password reset is one of the common reasons companies buy a Single Sign On product like TAM ESSO. The password reset feature worked much the same way the old product worked. From the logon dialog you click reset password and right within the logon dialog itself, you are presented with challenge/response questions. If the desktop is locked, a link can be added to the locked dialog which taked you to the AccessAssistent to reset your password. One difference between the old product and the new product is that you cannot just purchase and deploy only the password reset feature. The old product allowed for licensing just the password reset because it was really a separate set of code (web application and GINA piece). The new product is licensed as one product so to do just password reset you still need to deploy the IMS server. Of course you can use just the password reset function of the new product, however you cannot just purchase that component.

Support for me is a key differentiator when purchasing a security product. I used to be an IBM, Novell, Microsoft, and others customer so quality of support is key to my choosing of any product. First, the IBM documentation for TAM ESSO v8 is fantastic compared to the old version. Maybe the Encentuate team should get the kudos for this. All I can say is that for the most part, the documentation covers a lot of ground and is pretty darned accurate. Much more understandable and logical than the old stuff I had to deal with. There are also a couple of great resources which I should point out:

The developerworks site for TAM ESSO is being monitored and the reponses are very quick and helpful. There are some folks who really know the software well regularly posting answers to questions on the site and since I don't know their names all I can say is "Thank you!" to whomever they are. The URL to the site:

http://www.ibm.com/developerworks/forums/forum.jspa?forumID=1592&start=0

The IBM OPAL web site contains over 200 profiles for applications out there. This is way cool because again part of the effort for implementation is to build these profiles. Some take minutes and some take hours so if you are deploying TAM ESSO, you may be able to take advantage of these. Why re-invent the wheel? The URL to OPAL, search for Tivoli Access Manager for Enterprise Single Sign-On:

http://www-01.ibm.com/software/brandcatalog/portal/opal


There is a great Wiki for TAM ESSO with documentation on how to build custom profiles, architecture diagrams, deployment scenarios. This is great information to help you get started with your project. Checkout the URL here:

http://www.ibm.com/developerworks/wikis/display/tivoliaccessmanagerforesso/Home

Also, don't forget to check out the information center as well. Bottom line, if I were a customer looking to choose a single sign on product I would choose IBM's new TAM ESSO over any other because it is one of the best if not the best at recognizing logon windows for any type of application, not just the typical Windows and Web apps. The support is top notch and there is a great deal of information publicly available to help you become self sufficient. If I were a customer I would hire consulting help for a short term "getting started" type of approach to help my internal staff get a jump start with help from folks who have done it before.



Wednesday, March 18, 2009

Whew! The fingers are a bit rusty.

I sort of feel like I've neglected a child or something. The past year has been so overwhelmingly busy that I have failed to keep this blog up to date in any meaningful way. I hope to change that this year as I continue on this path doing Tivoli Security.
Anyhow, besides a siginficant amount of traveling over most of 2008 and the beginning of 2009, I had also embarked on a major home construction project. It seems my whole life is about projects even at home. So just in case someone thinks that I have been sitting on my duff and not posting things to my blog here is a small glimps into my home project:
First off just to provide a prospective, I was involved in a fairly complex TIM/TAM/TFIM project on the East coast for all of 2008 and the first part of 2009. So, I would often leave my home in Buffalo on Monday morning and travel back home on Thursday night or Friday. Practically every weekend and any week nights I had available in 2008 were spent finishing my basement.
The kids were in need of some rec space. Living in the North you tend to spend several months in hibernation so finishing the basement was essential to providing a little more space for the kids to be kids. On top of that I desparately needed an office. It's been too long that my filing cabinets had been stored in my walk in closet off our master bedroom. Then my wife was also getting fed up with me camping out at our dining room table to do my work. Picture two lap tops, two external hard drives, power stripss laying across the dining room floor and papers strewn across the dining room table. Of course all of those Tivoli lab guides and classroom materials and CDs laying around doesn't help either.
So, I finished my basement and in all this took about 10 months between February 2008 and December 2008. I still have some trim work and doors to do and of course we will have to furnish it now. Feel free to view my pictures on Flickr:

Before:










After: