Charles Ahart: Identity Management, Travel, Trials and Tribulations
Blog feed (Blogger), last updated 2024-02-20. 118 posts in total; this page of the feed lists 25. Author profile: http://www.blogger.com/profile/10028247520218687517

Re-certification in IBM Security Identity Manager 6.0: no Person Types (2013-11-11)

I just find it a little annoying that when creating re-certifications in SIM 6 you can choose persons of type Person or BP Person, or you can choose all Persons, but if you have any custom SIM person classes defined, the tool gives you no way to select your own custom Person type. It's as if the developers got 3/4 of the way through developing this feature and said, "Oh, good enough."
Posted by Charles Ahart. 1 comment.

What's Hot in Security? (2013-02-18)

These days I am getting a lot of calls for security solutions. I would say we are busier than ever. Here is what people are asking us for:<br />
<br />
1.) SIEM - Tons of customers are either ripping out old log management solutions and replacing them, or they are just now getting around to implementing these. This space is fairly competitive. I'm running into McAfee Nitro, Dell SecureWorks, LogLogic, LogRhythm, Tripwire and, of course, the one we sell, QRadar.<br />
2.) Database Security - This is a really hot area right now. So many of our customers are trying to put better controls on their databases. They want to ensure that any unacceptable database queries are stopped or at least alerted on. They want to ensure that even privileged users (DBAs) are controlled. They want to mask certain data from being seen in the tables. They want comprehensive audit reporting. And they want all this with little to no performance penalty on the database. I usually only see Imperva and Guardium in this market space although occasionally the Oracle shops tend to go for Oracle's solution. IBM Guardium rocks in this space.<br />
3.) Application Security - We are working with quite a few customers who develop web applications in house for their Internet/Extranet, etc. There are a few spots where they are looking for help securing these applications. One is ad hoc pen testing: simply periodic testing of their web-facing applications to ensure there are no new vulnerabilities. The second is during the software development lifecycle. It is widely known that it's much more expensive to fix a bug after it is already deployed to production than to catch it before it makes it to Prod, so vulnerabilities found by scanning the source code during development are much less expensive to resolve. AppScan is tops in this space at detecting and helping to solve these problems.<br />
4.) Identity and Access - Many companies do this already, but I've helped companies who are on their first, second and third deployments of Identity and Access, so this is not really slowing down. The interesting thing about this space is that over the last several years a distinguishing line has been drawn between Governance solutions and User Admin and Provisioning solutions. Many vendors have both included within their respective Identity Management solution, but in almost every case the Governance solution was a different acquisition from the User Provisioning solution. Anyhow, this space is mature. For larger companies I am always running into Oracle and CA. We tend to recommend IBM at our company. But for smaller customers there are many other options out there, such as Microsoft, SailPoint, Aveksa, Centrify and Courion. Sometimes we recommend a combination. We occasionally like an Aveksa + IBM solution for Identity Management: IBM's most flexible and mature provisioning solution accompanied by the user-friendly governance offering from Aveksa is sometimes a great match. The options are plentiful.<br />
5.) Privileged User Management - This comes up a lot with customers these days. Controlling what the root and admin users are doing is very important to those who are heavily regulated. The vendors I run into most in this space are CyberArk and Centrify. CyberArk seems to be a favorite among many people. They like the fact that it records video of what the admins are actually doing. Pretty cool. Centrify is a nice solution as well. IBM released a PIM solution at the end of 2012 which integrates its Identity Management offering with ESSO: check in and check out the privileged user accounts, audit who uses the accounts and what they accessed, etc.<br />
<br />
We run into plenty of infrastructure projects as well (firewalls, IDS/IPS, etc.), but every day I get a call about one of the 5 above, and not necessarily in that order. Security is very hot right now.
Posted by Charles Ahart. 0 comments.

Tulsa, OK (2013-02-18)

Visiting some clients this week, I figured I would stay in downtown Tulsa. So I booked a night at the <a href="http://www.marriott.com/hotels/travel/tultd-courtyard-tulsa-downtown/" target="_blank">Courtyard</a>. The Atlas Life building was built in 1922 and they have kept a lot of the charming old doors and some of the decor, which is cool. Unfortunately I drew the short straw on the view from my room.<br />
<br />
[Photo: the view from the room]

Posted by Charles Ahart. 0 comments.

IBM Security Brand (2013-02-18)

This is sort of old news, but for some folks it's completely new stuff. For a number of years I worked with IBM products in the Lotus brand and then the Tivoli brand. Tivoli was a huge brand including many different kinds of software solutions, from asset management to security. I believe there were hundreds of software titles in the Tivoli brand. The security products I worked with were a handful in the ocean of Tivoli products. But at IBM there were other handfuls of security products sprinkled throughout the other brands. With the acquisition of <a href="http://q1labs.com/" target="_blank">Q1 Labs</a>, IBM also announced a new brand called IBM Security. Like Tivoli, IBM Security is its own business unit at IBM. Most of the products from all of the other brands that had anything to do with security have been moved within the IBM Security organization. This is good. It helps IBM and partners articulate a consistent message and strategy to customers. From support to development, the expectation is that all of the products within the security organization will gain more consistency in development lifecycle, and integrations between all of the security products will improve.<br />
<br />
So for those who are not up to speed on the new product names and versions, I'll mention some here:<br />
<br />
IBM Security Identity Manager (SIM) formerly known as IBM Tivoli Identity Manager<br />
IBM Security Access Manager for eBusiness (SAM) formerly known as IBM Tivoli Access Manager for eBusiness<br />
IBM Security Access Manager for Enterprise Single Sign On (SAM ESSO) formerly known as IBM Tivoli Access Manager for Enterprise Single Sign On<br />
IBM Security Directory Server formerly known as IBM Tivoli Directory Server<br />
<br />
You kind of get the idea. The acronyms are as silly as ever.<br />
<br />
But there are other products from IBM which we are doing much more with:<br />
<br />
IBM Security Identity and Access Assurance for one is a bundle of all of the IAM products and later in the year will likely include a SIEM solution again.<br />
<br />
QRadar SIEM is a top notch security intelligence solution in the SIEM space and probably one of the best acquisitions IBM has made in security.<br />
<br />
InfoSphere Guardium is another great IBM product top notch in data security.<br />
<br />
AppScan is also head and shoulders above its competition in many ways and the market shows it.<br />
<br />
So with all of these great solutions under one brand, and the security division being led by a security guy, it has been very busy for us IBM-leaning security people lately.
Posted by Charles Ahart. 0 comments.

End of Life or New Beginning (2013-02-18)

I was inches from killing this blog once and for all. For the past 2 years it sat idle, collecting mainly spam. Every now and then I would meet someone in my IBM circles who would say, "Hey, I think I've read your blog." I'd reply, "Yeah, I should really get out and do something about that thing."<br />
<br />
Anyhow, lots of reasons not to keep this thing going. For one, I found it hard to mention in too much detail the kinds of things I was doing at customer sites. Just trying to cleanse the information was a task. Second, it really did not attract a whole lot of input from the outside. More often than not, someone was asking me a question about a problem they were having, which would lead me on a wild goose chase to try and find a solution. I hate not replying to people, but then again, I have a full time job already. Thirdly, the material is a bit boring at times.<br />
<br />
Well, times change and in my current role I actually do have more I could blog about than before. But it still takes effort to get out here and say something half way intelligent.<br />
<br />
So here it goes. I'm going to try this again for a while and see if I can keep it up. If it goes stagnant again, I'll just kill it altogether.
Posted by Charles Ahart. 1 comment.

Signed up for Pulse 2010 yet? (2010-01-12)

Granted, the recent recession has curtailed spending all around, but for many IT departments there are still a number of high priority projects, especially in security. If you are already an IBM shop, the Pulse conference is a great way to get a deeper look into the products and solutions that you are considering for the new year. You will spend the time and money doing this research anyhow. Why not come out to Vegas for a look under the hood?<br /><br />Pulse represents a pretty large swath of products. Unlike Lotusphere, which focuses on Lotus and Portal, the Pulse conference covers all things Tivoli. There are over 300 products in the Tivoli brand, so this conference is a bit different from Lotusphere. If you are into Asset Management or Performance and Monitoring, there are specific tracks for you. If you are interested in Security, there is a whole other track for you as well. Within each area there are a number of presentations from customers demonstrating recent deployments, where you will get the real scoop on what their projects were like, the good and the bad. This alone is worth the visit if you are planning a project with Tivoli software this year. Also, you can stop in at the hands-on labs and actually work directly with the software, so that you can get a feel for how the product really works. The labs are staffed by the IBM education team and there are some really sharp people there who can work through the labs with you.<br /><br />Pulse also has areas set up where you can "ask the experts" just about anything. 
These are basically casual "sit down and chat" spaces where you can be face to face with folks from the product development teams and ask questions. Nothing is so complicated that you cannot get an answer at Pulse.<br /><br />Business Partners and third-party vendors set up shop on the showcase floor to show you how they implement the IBM solutions. You may get some really good ideas from these folks on how best to leverage the IBM solutions, as well as find help getting started with an implementation.<br /><br />The technical sessions are a great way to get a look at some of the other products and solutions you may not have thought about before. There is something here for everyone, from C-level folks right down to the hands-on IT person, so I recommend you come on out and see for yourself. It's well worth the expense.<br /><br />BTW, the recreation is not all bad either. While I do not enjoy gambling, being in Vegas is a spectacle. The Pulse Palooza isn't a bad time either. Free beer!<br /><br />Register for Pulse 2010 --> <a href="http://www-01.ibm.com/software/tivoli/pulse/">http://www-01.ibm.com/software/tivoli/pulse/</a><br /><br />Get a look at what's going on at Pulse 2010 --> <a href="https://www-950.ibm.com/communities/service/html/communityview?communityUuid=dd8bf011-85af-48da-a4dd-21047a08c33e">https://www-950.ibm.com/communities/service/html/communityview?communityUuid=dd8bf011-85af-48da-a4dd-21047a08c33e</a>
Posted by Charles Ahart. 7 comments.

TAM ESSO v8.1 - Are you ready for WebSphere? (2010-01-08)

Installing a standalone TAM ESSO IMS Server took about 2 hours, including the database. That was version 8.0. IBM released version 8.1 this past December and I spent this week going through the upgrade process to see what will be in store for folks who want to jump right into the new stuff. 
It didn't take the whole week to do this upgrade; however, I had to take it slow so that I could capture documentation for future reference.<br /><br />The big news is that TAM ESSO v8.1 requires IBM WebSphere Application Server. When I first saw this I thought "ugggh". But the reality is that you had to know this was coming, and it makes sense to run IBM's single sign-on solution on their own application server.<br /><br />This changes a lot though. First off, deployments will take a little longer. The fact is, even with the wizard installation tools, WAS is still a big pile of software to install. You also need IBM HTTP Server. Both need to be patched once you install them, and you can't even patch the software until you download the patch installer first (IBM Update Installer). But Windows shops should be used to that anyhow, as you need to install Microsoft's update software in order to get Windows updates.<br /><br />First, is the upgrade worth it? Of course. If you want the best support for your software, keep on the latest and greatest. Everyone has heard the same thing on a typical tech support call where the support guy asks, "What version of software are you running?" and you say, "1.2". No doubt the support guy will suggest you try the latest version. Sometimes it really comes down to which version has the fewest warts. You know that the latest version of software will have something wrong with it, but you hope the latest has fewer warts than the older version, and let's face it, which version is getting the most attention?<br /><br />The new version of TAM ESSO does not look any different from the prior release as far as the end user is concerned. But when you think about it, if TAM ESSO is doing its job, the user does not even know it is there. All the user knows is that they log in to Windows, launch their applications and they are magically signed in. Not much to see there. 
But for the implementer or tech support team there is plenty to be happy about in the new release.<br /><br />1.) IBM has opened the doors to more two-factor devices. Generic smart card support: this leverages third-party products for smart card life cycle management and Windows smart card authentication for certificate authentication. Also, a Serial ID Service Provider Interface (SPI) has been introduced to allow any vendor with a serial ID device to integrate with TAM ESSO. BIO-key support has been added, which will also widen the choice of two-factor devices supported.<br /><br />2.) Wider platform coverage. Windows 7 is coming, and shops already starting to buy machines with Windows 7 want to be sure AccessAgent will work. While IBM does not list Windows 7 specifically in the compatibility list, Kiosk support has been added for Vista and 64-bit Windows is supported for AccessAgent, although there may be some issues with certain third-party strong authentication devices. Word on the street is that Windows 7 will show up on the list when it is Microsoft certified.<br /><br />3.) New features in AccessStudio should make profiling a little easier. The undo button is an option we take for granted in Word documents; I like it in AccessStudio very much. Another really nice feature that was added is the ability to take an existing trigger and convert it to a different type. To me that's a welcome enhancement. The ability to save your profile as an image was there in version 8.0.1, but it's listed as a new feature for 8.1. I like it nonetheless, so thanks IBM. Enhanced logging messages are also a big help. Any time they make improvements to this area, I'll welcome it.<br /><br />4.) Firefox finally! I knew a lot of people who were really turned off by the lack of support for Firefox. At first I was a little the same way, but I got used to using both IE and Firefox anyhow for reasons that have nothing to do with SSO. 
I look forward to working with Firefox in profiling.<br /><br />Well, I'm off to another SSO project. Stay tuned for more on this later.
Posted by Charles Ahart. 15 comments.

Subject Alternative Name with GSKit (2009-12-31)

Subject Alternative Names (SANs) allow you to obtain a single SSL certificate that protects multiple hosts. So let's say you have two LDAP servers (server1 and server2) and you want to enable SSL, but you want clients to reference only one DNS name (ldapserver) to connect to either LDAP server. Likely you will have a load balancer of some kind in front of the LDAP servers. One way to do the Certificate Signing Request (CSR) is to specify "ldapserver" in the host name field and then add "server1" as a SAN. Keep in mind that clients which follow RFC 6125 ignore the CN entirely as soon as the certificate carries any dNSName SAN, so every name a client actually connects with, including "ldapserver" itself, has to appear in the SAN list and not only in the CN. The problem is that IKeyMan doesn't have a way of including a SAN in the CSR.<br /><br />This is not a show-stopper, for a couple of reasons. For one, you can use the GSKit command line tools to create a certificate containing a SAN. While the GUI lacks this capability, the command line supports it:<br /><br /><span style="font-weight:bold;">gsk7cmd -cert -create -db /keys/tds.kdb -pw password -label junk -dn "cn=tds1,o=bigco,c=us" -san_dnsname tdswin1,tdssrv1 -expire 3653</span><br /><br />Note that <span style="font-weight:bold;">-cert -create</span> produces a self-signed certificate (hence the -expire argument); for a CSR use <span style="font-weight:bold;">-certreq -create</span>, which accepts the same -san_dnsname option. Be aware, too, that -pw puts the key database password into your shell history and process listings.<br /><br />The other option is to create the CSR using IKeyMan without the SAN. When you paste the CSR into the web form at Verisign or whatever other CA you choose, you should be able to use the CA's form to specify the SAN. That way the signed certificate you receive back from the CA will contain the SAN. IKeyMan supports receiving a signed certificate that includes a SAN back into the key database, so this works fine. In fact this is the easiest way to do it. For your LDAP servers it is best to create the key database using IKeyMan and issue the CSR from there. 
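To see exactly which names the SAN list has to cover in the load-balanced LDAP setup above, here is an added example (not GSKit, IKeyMan or IBM code) that implements the hostname-matching rules a TLS client applies to a certificate. The certificate names are constructed from the post (CN tds1, SANs tdswin1 and tdssrv1); the alias ldapserver is the name the post says clients actually connect to.

```python
"""RFC 6125-style matching of a client's target hostname against certificate names.

Added example for the SAN discussion above; it is not GSKit, IKeyMan or IBM code.
The names used are constructed from the post: a certificate with CN=tds1 and the
SANs tdswin1 and tdssrv1, and the load-balanced alias "ldapserver" that clients use.
"""
from __future__ import annotations


def name_matches(reference: str, presented: str) -> bool:
    """Return True if a presented dNSName (possibly a wildcard) covers the reference name.

    Rules applied (RFC 6125 section 6.4.3, as browsers and most LDAP clients do):
    comparison is case-insensitive and ignores a trailing dot; a wildcard is
    accepted only as the entire left-most label, matches exactly one label, and
    is rejected in names of fewer than three labels (so '*.com' matches nothing);
    partial-label wildcards such as 'tds*' are rejected.
    """
    ref = reference.rstrip(".").lower().split(".")
    pat = presented.rstrip(".").lower().split(".")
    if len(ref) != len(pat):
        return False
    if pat[0] == "*":
        return len(pat) >= 3 and ref[1:] == pat[1:]
    if "*" in presented:
        return False
    return ref == pat


def cert_covers(hostname: str, cn: str, san_dns: list[str]) -> bool:
    """Decide whether a client connecting to hostname would accept this certificate.

    Once the certificate carries any dNSName SAN the CN is ignored entirely;
    the CN is consulted only when the SAN list is empty.
    """
    candidates = san_dns if san_dns else [cn]
    return any(name_matches(hostname, c) for c in candidates)


def uncovered_names(client_names: list[str], cn: str, san_dns: list[str]) -> list[str]:
    """List every name clients connect with that the certificate would not satisfy."""
    return [h for h in client_names if not cert_covers(h, cn, san_dns)]


# Constructed input: the names from the gsk7cmd example in the post, plus the
# alias and the CN, which clients may also use directly.
POST_CN = "tds1"
POST_SANS = ["tdswin1", "tdssrv1"]
CLIENT_NAMES = ["ldapserver", "tdswin1", "tdssrv1", "tds1"]
FIXED_SANS = POST_SANS + ["ldapserver", "tds1"]

if __name__ == "__main__":
    # With the SANs as requested in the post, ldapserver and even the CN are rejected.
    print(uncovered_names(CLIENT_NAMES, POST_CN, POST_SANS))   # ['ldapserver', 'tds1']
    # With every client-facing name in the SAN list nothing is left uncovered.
    print(uncovered_names(CLIENT_NAMES, POST_CN, FIXED_SANS))  # []
```

Since -san_dnsname takes a comma-separated list, the corrected request is simply -san_dnsname ldapserver,tds1,tdswin1,tdssrv1; if you go the IKeyMan route instead, the same full list belongs in the CA's SAN form.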
That way you can do the Receive Certificate operation later, when the signed certificate comes back from the CA.<br /><br />Cheers!
Posted by Charles Ahart. 2 comments.

TDS Web Admin Tool - Superuser (2009-12-22)

Be careful changing the credentials for this account. When you log in to the TDS Web Admin Tool and attempt to change either the user name or the password for the superuser (default superadmin), I have seen cases where something got screwed up and the end result was to uninstall and reinstall the TDS Web Admin Tool completely.<br /><br />It seems that the tool is a little quirky if you try to change the user name and password at the same time. My best recommendation is to change the user name, log out of the tool, then log back in with your new user name and the original password. Then change the password for the user. Log out of the tool, then back in with the new user name and new password.
Posted by Charles Ahart. 2 comments.

How much do you rely on the TDS Web Admin Tool? (2009-12-14)

I usually set up TDS as an enterprise LDAP, but usually as part of a larger security initiative such as Identity and Access Management. Since LDAP is the underlying user registry for ITIM and ITAM, we typically do not use the TDS Web Admin Tool for much more than the initial setup and configuration of the LDAP. 
Beyond that, ITIM and ITAM have their own management tools.<br /><br />But if your goals for LDAP are simpler and you are not implementing an Identity Management solution, you have a few different tools to manage your LDAP directory:<br /><br />Command line tools such as ldapsearch, ldapadd, idsldapsearch, idsldapadd, etc.<br />TDS Web Admin Tool (GUI)<br />Third-party tools such as Softerra's LDAP Administrator<br /><br />Those who are new to LDAP in general and do not prefer command line tools naturally gravitate to the TDS Web Admin Tool. In general it's a pretty good tool, and in TDS 6.2 it is much better than 6.0 for tasks such as setting up replication, but it's still a bit buggy.<br /><br />For example, I ran into a problem recently where we had a boolean attribute configured as a mandatory attribute for our objectclass. Using the TDS Web Admin Tool to create a new user entry resulted in an objectclass violation, while idsldapadd worked just fine. It turned out to be a legitimate bug with a fix on the way, but there are other quirky issues with this tool.<br /><br />Another problem I noticed: in one case I had 5000 entries populated in the LDAP. If I navigate through the directory tree I can see the entries listed, but clicking on an entry, which should open the edit screen for that entry, does nothing at all. Yet if I use the directory search tools in the TDS Web Admin GUI I can find a specific entry and then click on it, and the edit screen for that same entry opens correctly. Weird.<br /><br />Another issue which I would consider a bug, and I don't know if IBM will ever address this:<br /><br />If I customize the LDAP schema by using custom schema files, i.e. V3.myschema.oc and V3.myschema.at, the Web Admin Tool does not acknowledge this and continues to drop changes into V3.modifiedschema instead. TDS supports custom schema files by allowing you to reference them in ibmslapd.conf. 
This is one way of keeping your custom schema organized neatly. In fact, if you keep all of your custom attributes and classes in order by OID (assuming you are using an OID arc legitimately registered to your organization), then it is easy to know which OID to use next for any new attribute or class. Also, if you have replicas, pushing schema updates to the replicas is a simple matter of copying your updated schema files over to them and restarting.<br /><br />Anyhow, most folks managing LDAP servers seem to prefer third-party tools if they need a good GUI-style interface, but it would be nice if the Web Admin Tool were a little less buggy.
Posted by Charles Ahart. 5 comments.

AccessStudio vanishes? (2009-11-26)

Anyone who has spent any considerable amount of time profiling applications must have noticed this. You're toiling away on a profile for hours, testing some password change workflow or other, and suddenly AccessStudio just disappears into thin air. And at least the first time you saw this, it was probably after having made numerous changes in the state machine without saving your work, right? And to top it off, simply relaunching AccessStudio won't help, because there are still pieces of it running somewhere in Windows voodoo land, so it will complain if you attempt to run another test session. Chalk it up to yet another reason to reboot your Windows machine.<br /><br />Sorry, I have no solution, but am looking out for one. I have seen this problem in 8.0.0 and 8.0.1, so maybe the new 8.1 version will be better. 
I look forward to upgrading.
Posted by Charles Ahart. 1 comment.

TAM ESSO and support for Java (2009-11-19)

TAM ESSO supports Java applications for sure, but if you haven't deployed it yet there are a few issues you might need to be aware of.<br /><br />First, when you install AccessAgent on a computer, the installer will try to find any instances of Java on the computer and will add support for each one. After installing AccessAgent, find the directories on your computer where Java is installed and you should see the following files at these locations:<br /><br />\jre\lib\accessibility.properties<br />\jre\lib\ext\jaccess.jar<br />\jre\lib\ext\EncAwtAgent.jar<br /><br />Some applications get installed with their own Java. If the AccessAgent installer does not detect that Java, then you will have problems profiling the Java application and AccessAgent will not detect the profile for SSO.<br /><br />If you wish to add support for the application after AccessAgent has already been installed, there is a script you can run, located here:<br /><br /><span style="font-weight:bold;">C:\Program Files\Encentuate\JavaSupport</span><br /><br />For example, let's say you have a Java application called "XYZ App" installed which has its own instance of Java under its own program directory. Launch the script specifying the location of the JRE (quote the path, since it contains spaces):<br /><br /><span style="font-weight:bold;">C:\Program Files\Encentuate\JavaSupport>JVMSupport.vbs /d "C:\Program Files\XYZ App\jre"</span><br /><br />Going forward, you would probably want AccessAgent to support this Java on any machine with this application installed without having to visit all of your workstations to run this script. The JVM paths can be specified at the time you install AccessAgent on end user machines. 
The SetupHlp.ini file contains parameters for specifying these JVM paths. This part is clearly documented in the TAM ESSO installation and administration guides, but I'll mention it here.<br /><br />SetupHlp.ini parameters:<br /><br /><span style="font-weight:bold;">JVMInstallationDirectories<br />OldJVMInstallationDirectories</span><br /><br />AccessAgent Seems Slow?<br /><br />One thing that seems relevant here is that AccessAgent can appear noticeably slower when profiling or testing with Java applications. By default AccessAgent logs all activity at LogLevel=3. This is a good level for debugging; however, for production you normally do not need logging at this level, and AccessAgent performs considerably better at LogLevel=1 or 0. So if profiles appear slow, especially for Java applications, you may want to go ahead and drop the <span style="font-weight:bold;">LogLevel</span> value under this registry key:<br /><br /><span style="font-weight:bold;">HKEY_LOCAL_MACHINE\SOFTWARE\Encentuate\DeploymentOptions\</span><br /><br />BTW, if AccessAgent seems slow, it may not be the fault of the LogLevel or TAM ESSO at all. There are other outside factors which could affect the performance of AccessAgent, including some antivirus products, but in most cases you will not notice any change in the performance of your desktops with TAM ESSO. Considering all that is going on, it performs excellently.
Posted by Charles Ahart. 0 comments.

Change Listening Ports on your IMS Server (2009-11-16)

TAM ESSO IMS Server listens on ports 80 and 443 by default. Typically this is perfectly fine. 
However, you may have a situation in which you need to change these default ports, and it is not well documented how to do this.<br /><br />1.) Edit the server.xml file located at <Drive>:\Encentuate\IMSServer8.x.x.x\conf<br /><br />The following is an excerpt from my server.xml file. The attributes to change are in bold. In my case I changed the default listening port to 89 and the redirect and SSL connector port to 1443. The second Connector is cut off in the excerpt partway through its ciphers attribute.<br /><br />&lt;Connector<br /> <span style="font-weight:bold;">port="89"</span><br /> minProcessors="5"<br /> maxProcessors="400"<br /> enableLookups="false"<br /> <span style="font-weight:bold;">redirectPort="1443"</span><br /> acceptCount="100"<br /> debug="0"<br /> server="EWS/2.0"<br /> connectionTimeout="20000"<br /> useURIValidationHack="false"<br /> disableUploadTimeout="true"<br /> algorithm="IbmX509" /&gt;<br /><br />&lt;Connector<br /> <span style="font-weight:bold;">port="1443"</span><br /> minProcessors="400"<br /> maxProcessors="800"<br /> enableLookups="false"<br /> acceptCount="100"<br /> debug="0"<br /> scheme="https"<br /> secure="true"<br /> useURIValidationHack="false"<br /> disableUploadTimeout="true"<br /> clientAuth="false"<br /> keystoreFile="ims/certs/keystore/ssl_keystore"<br /> SSLImplementation="encentuate.tomcat.EncentuateSslImpl"<br /> algorithm="IbmX509"<br /> keyAlias="ims"<br /> sslProtocol="SSL_TLS"<br /> ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RS<br /><br />2.) Edit the accessAnywhere.properties file at <Drive>:\Encentuate\IMSServer8.x.x.x\ims\config<br /><br />Modify the port setting in the following stanza so that it matches the SSL connector port you set in server.xml:<br /># The IMS Server's SSL port<br /><span style="font-weight:bold;">IMS_SERVER_SSL_PORT=1443</span><br /><br />3.) Restart the IMS Server for the changes to take effect.<br /><br />While you are in server.xml, note that the ciphers and sslProtocol values shown above are what the product shipped with at the time; RC4 has since been prohibited in TLS (RFC 7465) and SSLv3 deprecated (RFC 7568), so on any IMS Server still carrying this configuration those two attributes deserve a review as well.
Posted by Charles Ahart. 0 comments.

Another Quirk with Tivoli Common Reporting... (2009-10-10)

Just 
thought I would mention this. The report package you download for Tivoli Common Reporting may produce an error like the following:<br /><br />Error CTGTRD040E<br /><br />[Screenshot of the CTGTRD040E error dialog]<br /><br />To get around this I unzipped the report file and re-zipped it using WinRAR. For some reason TCR 1.1.1 has a problem with some zip files; apparently it does not like directory names appearing as zip file entries. Anyhow, WinRAR did the trick.
Posted by Charles Ahart. 3 comments.

Can't find TAMeB Reports? (2009-10-10)

Just in case you are hunting and pecking for reports for TAMeB using Tivoli Common Reporting, I assume you've seen the documentation for auditing TAMeB. It's only 500+ pages. :-)<br /><br />The basic idea is that you first install Tivoli Common Reporting (integrated in the WebSphere Integrated Solutions Console). Then you need to download the reports from the support web site. Why they don't simply include these with TAM is a mystery. Oh, and good luck finding them by searching for reports, audit reports, etc. If you search for "Operational Reports" you will find them. 
Go figure.

Anyhow, the link to the reports:

<a href="http://www-01.ibm.com/support/docview.wss?rs=638&context=SSPREK&q1=operational+reports&uid=swg21303439&loc=en_US&cs=utf-8&lang=en">http://www-01.ibm.com/support/docview.wss?rs=638&context=SSPREK&q1=operational+reports&uid=swg21303439&loc=en_US&cs=utf-8&lang=en</a>

Posted by Charles Ahart

TDI 7 - Eclipse anyone?
Published 2009-08-04T15:46:00-04:00, updated 2009-08-04T15:53:22-04:00

So I think that most of us using TDI over the past few years can say mostly good things about the product. Personally it's one of my favorite tools in the Tivoli Security stack; being largely a non-developer type, I feel empowered when I make cool things work with it. However, most people would also agree that the product's implementation of Swing might be a bit off. Just weird stuff, like if you have a pop-up window and you hit the Enter key you expect the OK button to depress. And sometimes resizing windows is a little weird. I've even had to close the toolkit and reopen it sometimes just to make things work.

All that is pretty much gone with the new TDI 7.0. Oh, and I believe there is a fix pack out already. I'm just starting to play with this new version.
It takes some getting used to if you're not comfortable with Eclipse, but I look forward to working with it.

BTW, there is a pretty cool tutorial out there you can check out:

<a href="http://sites.google.com/site/tdi7islive/">http://sites.google.com/site/tdi7islive/</a>

Nice job, whoever took the time to do this!

Posted by Charles Ahart

Risk - ignore, accept, mitigate, insure
Published 2009-07-08T23:46:00-04:00, updated 2009-07-09T00:12:43-04:00

Tivoli security professionals are pretty much in the risk mitigation business. Any organization that has any identity information in house on employees, customers, or partners will at some point address the risk of losing this information. And subsequently they will ask:

"What's the chance of losing that information?"
"What's the cost to us if that information gets lost?"
"What should we do about it?"

The answers are undoubtedly: ignore the risk, accept the risk, mitigate against that risk, or just buy some extra insurance.

Organizations large and small are thinking about how important it is to deprovision accounts that are no longer needed. Doing this via e-mail is not going to work well.
This is one main reason Identity Management systems exist.

These latest security breaches illustrate the headaches organizations face when they fail to ensure that their former employees are removed from accessing their IT systems:

<a href="http://datalossdb.org/incidents/2152-unauthorized-access-by-a-former-employee-exposes-names-addresses-and-social-security-numbers-of-past-and-present-employees">http://datalossdb.org/incidents/2152-unauthorized-access-by-a-former-employee-exposes-names-addresses-and-social-security-numbers-of-past-and-present-employees</a>

And this one was even more brazen, by an American Express employee. Holy crap, $1 million. This guy had a good job watching over the systems that hold data for many of us. I'm not sure how you prove that a laptop which is reported stolen wasn't really stolen. This dude should go to jail for a long time.

<a href="http://www.kpho.com/money/19936013/detail.html">http://www.kpho.com/money/19936013/detail.html</a>

Posted by Charles Ahart

Why hire consultants?
Published 2009-07-08T22:35:00-04:00, updated 2009-07-08T23:33:48-04:00

I have always thought of myself as a consultant. Perhaps I'm just a people pleaser, not to the extreme that I'm compulsive or anything, but I genuinely like to help others. I can recall the days when DOS 5 was a huge deal. I was networking computers using ArcNet, LANtastic and Novell 3. A 386 DX2/66 with 4MB of RAM was smoke'n fast.

I recall some of the best advice I got from a guy named John Posey (John, if you're still out there, thanks for all your help). He said, "Chuck, run out and buy yourself a DOS book." The past mystery of my Commodore 64 seemed silly once I read that DOS book. It was clear to me then that if one could read, one could do this technology stuff.
Oh, how things have gotten so complicated.

So, why should you hire consultants?

1.) Well, look, I understand all you geeks out there who are highly skilled can certainly figure all this stuff out yourself. Like I just said, if you can read, you'll get there eventually. But the bottom line is there just isn't time for everyone to know everything. Take TIM, TAMeB, TFIM, TAM ESSO, TCIM, TSOM, and the rest of the Tivoli Security products. If you want to implement any one of these, or some of them, you can certainly buy the software, read the manuals and go for it. The fact is, though, it doesn't always work like the manual says. So you may have to do it a few times until it's right. And that's OK. But businesses today are more concerned with ensuring that the technology is solving business needs. They are not necessarily interested in making you an expert at installing Tivoli software. That perhaps is better left to consultants.

2.) Good consultants are in this game because they like to help people. At least that's the experience I have seen with the colleagues I work with. And the objective is to enable customers to be self-sufficient in steady-state maintainability of the products and solutions.

3.) We really have seen many use cases, configurations and different applications of these software products, so you can save a ton of time in the planning phases of your projects by using consultants.

4.) Consultants in the security business have a lot of friends doing the same thing, which can help in getting the right skills on the job. Solutions using enterprise software like Tivoli will often require many different skills. There will rarely be one guy/gal who can do it all. Although I've worked with some amazingly bright people in this business, there are usually multiple people involved in average Identity Management projects. Utilizing a good consulting group will help you succeed.
For Tivoli, an IBM Business Partner is key for a couple of reasons:
    a.) IBM Business Partners have unique relationships with IBM, which helps to deliver solutions most cost-effectively.
    b.) IBM Business Partners can bring versatile project management skills to your project, which may involve IBM and non-IBM products and solutions.
    c.) IBM Business Partners can bring low-cost resources into your project as well as subcontracted IBM resources, which helps to drive down the cost of your project while maintaining a strong IBM presence in the success of the project.
    d.) IBM Business Partners have a vested interest in seeing the IBM solution succeed.

5.) Good consultants will pass on their experience and knowledge to you. I tend to share as much as I know because I believe in educating people, and I will also learn some new things. Every good project should have some time dedicated to knowledge transfer, but even when that dedicated time is not there, you will still learn a lot from a good consultant.

6.) Consultants save you time and money in the long run. Let's face it, time is money. If a project is being managed properly, there will be some realistic goals and objectives. If the goal is, say, 6 months from now we will have xyz product installed and configured, and you already have a full-time job, then how likely is it that you will meet that goal? Hire the consultant and get the job done.

Posted by Charles Ahart

Changing LDAP Suffix
Published 2009-06-30T10:07:00-04:00, updated 2009-06-30T10:38:16-04:00

Of course, when building an LDAP it's best practice to choose your LDAP structure wisely and carefully to minimize any ugly rework later. This is a no-brainer. But I've been working on setting up a demo test system for TFIM.
And, as I am not a web developer, I'm going to use the demo apps that come with Tivoli Federated Identity Manager 6.1. But this Federation demo assumes that specific configurations have been done in your LDAP first.

Now, I already had a working TAMeB system with TDS and WAS, etc.... So I wanted to use what I had to minimize the work in setting up TFIM. I built another TAMeB environment to act as my partner site as well. Installing TFIM and creating the Federation domain was no problem. Even creating the Federation agreements and exporting both sides was straightforward. But when it came to configuring TAM for TFIM I ran into an unforeseen snag at the point where this program wants to configure for the demo apps:

tam:/opt/IBM/FIM/tools/tamcfg # java -jar ./tfimcfg.jar -action tamconfig -cfgfile /opt/pdweb/etc/webseald-default.conf

...
Press 1 for Next, 2 for Previous, 3 to Repeat, C to Cancel: 1
Perform configuration for demo application (y/n): y
Checking for DN cn=elain,o=identityprovider,dc=com.
<span style="font-weight:bold;">FBTTAC062E Error checking for the DN cn=elain,o=identityprovider,dc=com in the user registry:
 HPDMG0761W The entry referred to by the Distinguished Name (DN) must be a person entry.</span>

 You may need to create this registry entry manually or use the itfim-pre-install-tool.jar to create it for you.
Press 1 to Repeat, 2 for Previous, C to Cancel:

So, I really didn't consider that the demo apps for TFIM would be relying on specific users existing in TAM/LDAP and even on a specific LDAP structure. This is sort of lame. I need these demo apps for my testing, yet I'm forced to have a specific set of users and LDAP design. Annoying.

I set to work making the necessary changes to my LDAP; however, one problem was that my suffix was already dc=ca,dc=com and the LDAP will not allow me to create a new object for the demo "o=identityprovider,dc=com".
This means I need a new suffix at dc=com, which the LDAP will not allow since a suffix already exists containing dc=com. No worries, I figure I'll just do a <span style="font-weight:bold;">db2ldif</span> and export my users and groups, etc... (TAM is using these already), then blow out the LDAP, delete the existing suffix and create a new one, "dc=com", then just add the "dc=ca" domain under the suffix and finally do an <span style="font-weight:bold;">ldif2db</span>.

This all worked right up until I realized that the ACLs do not go back into the LDAP. The <span style="font-weight:bold;">db2ldif</span> utility will capture the ACLs and they will be right there in your LDIF file, but for some reason when you use <span style="font-weight:bold;">ldif2db</span> these ACLs do not go back into the LDAP. Additionally, I tried a bulkload with -A and still no ACLs. I know that I must be missing something. Rather than spend a lot of time troubleshooting this, I ended up configuring the ACLs for TAM manually on my "dc=com" object so that I could get back to business. If anyone knows what I may have missed, feel free to let me know.

Regards

Posted by Charles Ahart

Which product version do you have?
Published 2009-06-03T11:12:00-04:00, updated 2009-06-03T11:32:15-04:00

The Tivoli security products contain several components and middleware, making it sometimes difficult to know exactly what versions and fix packs you are at for all of the pieces. Also, you may only need this information once in a while, maybe for troubleshooting a problem or planning some upgrade or change to the environment. So you ask, "What was that command again to determine the version of TIM, TAM, WAS, TDI, etc...?" And as usual, for every piece of the puzzle the commands or procedure for determining the versions and fix packs are different.
Then, finding this information on the IBM Support site or the Information Center for some pieces is difficult. You would think that for each product the first chapter of the Problem Determination Guide would start with "How to determine your product version and fix pack level". NOT!

I'm simply listing here the results of my hour and a half of internet searches to hopefully save time when I need this info again. There are, by the way, some very good IBM wiki sites for this info. I've listed some below. It's crazy, though, that these wikis did not show up in my searches of the IBM Support site.

<span style="font-weight:bold;">Check version info for TDS 5.2</span>

<a href="http://www-01.ibm.com/support/docview.wss?rs=767&context=SSVJJU&q1=version&uid=swg21268258&loc=en_US&cs=utf-8&lang=en">http://www-01.ibm.com/support/docview.wss?rs=767&context=SSVJJU&q1=version&uid=swg21268258&loc=en_US&cs=utf-8&lang=en</a>

Example:

rpm -qa | grep ldap
rpm -qa | grep db2
rpm -qa | grep gsk
ls -l /usr/ldap/bin
ibmslapd -V

If the Web Administration Tool is installed and configured, please collect the output of:
ls -l /usr/ldap/idstools/IDSWebApp.war

<span style="font-weight:bold;">Check version info for TDS 6.0</span>

<a href="http://www-01.ibm.com/support/docview.wss?rs=767&context=SSVJJU&q1=version&uid=swg21268261&loc=en_US&cs=utf-8&lang=en">http://www-01.ibm.com/support/docview.wss?rs=767&context=SSVJJU&q1=version&uid=swg21268261&loc=en_US&cs=utf-8&lang=en</a>

Example:

rpm -qa | grep -i ldap
rpm -qa | grep -i db2
rpm -qa | grep -i gsk
ibmslapd -V
idsilist -a

If the Web Administration Tool is installed and configured, collect the output from:
/opt/ibm/ldap/V6.0/idstools/deploy_IDSWebApp.sh -v

<span style="font-weight:bold;">Check version info for TDS 6.1</span>

<a
href="http://www-01.ibm.com/support/docview.wss?rs=767&context=SSVJJU&q1=version&uid=swg21268263&loc=en_US&cs=utf-8&lang=en">http://www-01.ibm.com/support/docview.wss?rs=767&context=SSVJJU&q1=version&uid=swg21268263&loc=en_US&cs=utf-8&lang=en</a>

Example:

/opt/ibm/ldap/V6.1/bin/idsversion
rpm -qa | grep -i gsk
idsilist -a

If you are using DB2 v9.1 or higher, issue the following command:
/usr/local/bin/db2ls

Otherwise issue:
rpm -qa | grep -i db2

If the Web Administration Tool is installed and configured, please collect the following:
/opt/IBM/ldap/V6.1/idstools/deploy_IDSWebApp -v

<span style="font-weight:bold;">Check version of the TDS Web Admin Tool (any version)</span>

<a href="http://www-01.ibm.com/support/docview.wss?rs=767&context=SSVJJU&q1=version&uid=swg21320615&loc=en_US&cs=utf-8&lang=en">http://www-01.ibm.com/support/docview.wss?rs=767&context=SSVJJU&q1=version&uid=swg21320615&loc=en_US&cs=utf-8&lang=en</a>

<span style="font-weight:bold;">Check version of WebSphere</span>

<a href="http://www-01.ibm.com/support/docview.wss?rs=638&context=SSPREK&q1=version&uid=swg21306756&loc=en_US&cs=utf-8&lang=en">http://www-01.ibm.com/support/docview.wss?rs=638&context=SSPREK&q1=version&uid=swg21306756&loc=en_US&cs=utf-8&lang=en</a>

Example:

Run versionInfo.sh in the app_server_root\bin directory.

<span style="font-weight:bold;">Check version info for TAMeB</span>

<a href="http://www.ibm.com/software/info/testinfo.jsp?uid=IC000043">http://www.ibm.com/software/info/testinfo.jsp?uid=IC000043</a>

Example:

pdversion

<span style="font-weight:bold;">Check version info for TIM</span>

<a href="http://www.ibm.com/developerworks/wikis/display/tivoliim/Determining+Product+Fixpack+Levels">http://www.ibm.com/developerworks/wikis/display/tivoliim/Determining+Product+Fixpack+Levels</a>

From the TIM Admin Console, open the "About" page.

Example:

Server name: secperf12
Version: 5.0.0.3
Build number: 200809241018
Maintenance level: IF0014
Build date: September 24 2008
Build time: 10:18:08 GMT-05:00

<span style="font-weight:bold;">Check version info for GSKit</span>

<a href="http://www.ibm.com/developerworks/wikis/display/tivoliim/Determining+IBM+GSKit+Fixpack+Level">http://www.ibm.com/developerworks/wikis/display/tivoliim/Determining+IBM+GSKit+Fixpack+Level</a>

<span style="font-weight:bold;">Check version info for TDI 6.0</span>

<a href="http://www.ibm.com/developerworks/wikis/display/tivoliim/Determining+IBM+Tivoli+Directory+Integrator+Fixpack+Level">http://www.ibm.com/developerworks/wikis/display/tivoliim/Determining+IBM+Tivoli+Directory+Integrator+Fixpack+Level</a>

<span style="font-weight:bold;">Check version info for TDI 6.1</span>

<a href="http://www-01.ibm.com/support/docview.wss?uid=swg21302983">http://www-01.ibm.com/support/docview.wss?uid=swg21302983</a>

Example:

Unix/Linux -
1) cd /usr/ibm/common/acsi/bin
2) source the setenv.sh:
.
/var/ibm/common/acsi/setenv.sh
3) run listIU.sh:
./listIU.sh | grep -i tdiserversiu

<span style="font-weight:bold;">Check version info for TIM Agents</span>

<a href="http://www-01.ibm.com/support/docview.wss?rs=644&context=SSTFWV&dc=DA420&dc=DA480&dc=DA490&dc=DA430&dc=DA410&dc=DB600&dc=DA400&dc=D600&dc=D700&dc=DB520&dc=DB510&dc=DA500&dc=DA470&dc=DA4A20&dc=DA460&dc=DA440&dc=DB550&dc=DB560&dc=DB700&dc=DB530&dc=DA4A10&dc=DA4A30&dc=DB540&q1=version&uid=swg21140454&loc=en_US&cs=utf-8&lang=en">http://www-01.ibm.com/support/docview.wss?rs=644&context=SSTFWV&dc=DA420&dc=DA480&dc=DA490&dc=DA430&dc=DA410&dc=DB600&dc=DA400&dc=D600&dc=D700&dc=DB520&dc=DB510&dc=DA500&dc=DA470&dc=DA4A20&dc=DA460&dc=DA440&dc=DB550&dc=DB560&dc=DB700&dc=DB530&dc=DA4A10&dc=DA4A30&dc=DB540&q1=version&uid=swg21140454&loc=en_US&cs=utf-8&lang=en</a>

Example:

Run agentCfg -> Configuration Settings

Posted by Charles Ahart

INFO: ssl.disable.url.hostname.verification.CWPKI0027I
Published 2009-06-02T16:25:00-04:00, updated 2009-06-02T16:56:14-04:00

From what I can tell, there can be a number of reasons you might get this error during TAM configuration or unconfiguration. In my case I made a small mistake while in a hurry, and also because in my test lab I don't take as much care as I would typically take with a production system. I did not unconfigure Web Portal Manager before removing WAS. This should not be a big deal, but apparently it is.

I'm preparing my TAM test lab to also support TFIM. In doing this I upgraded my TAMeB components to 6.1 FP002. But I also chose to replace the WAS 6.1 server with WAS 6.1 ND because I plan to do some other clustering stuff as well.

The TAMeB upgrade and patches worked fine. Afterwards, TAM, pdadmin, and WPM were all fine.
But after manually removing WAS 6.1 and installing WAS 6.1 ND, WPM was hosed. To install WPM, I simply installed it using the GUI installer as I have done before, only this time WPM did not show up in the ISC as it should, even though the installation said it was successful. So I then realized that when I had removed WAS and installed WAS ND, I had never unconfigured WPM.

Attempting to unconfigure Web Portal Manager using pdconfig or amwpmconfig resulted in this:

<span style="font-weight:bold;">Tivoli Access Manager administrator ID: [sec_master]:
Tivoli Access Manager administrator password:******** *java.lang.IllegalStateException: HPDAZ0602E Corrupted file: Insufficient information to contact a Policy Server.</span>

Then I realized the JRTE needed to be reconfigured for the new WAS 6.1 ND, so I ran through the JRTE configuration again for my latest Java 5 location and for the WAS 6.1 ND JRE. Then the next problem was this:

<span style="font-weight:bold;">Enter the IBM WebSphere Application Server or Deployment Manager
installation full path [/opt/IBM/WebSphere/AppServer]:
Policy server host name [tam]:
Tivoli Access Manager policy server port number [7135]:
Enter the Access Manager policy server domain [Default]:
Tivoli Access Manager administrator ID: [sec_master]:
Tivoli Access Manager administrator password:******** *Enter the hostname of the IBM WebSphere Application Server
 or Deployment Manager[tam]:
Enter the SOAP Admin port number of the WebSphere
 Application Server or Deployment Manager [8880]:
Is WebSphere security enabled (y/n) [n]?
Unconfiguration of:
Access Manager Web Portal Manager
 is in progress.
This might take several minutes.

Jun 1, 2009 10:58:47 PM com.ibm.ws.ssl.config.SSLConfigManager
INFO: ssl.disable.url.hostname.verification.CWPKI0027I
java.lang.NullPointerException
 at com.tivoli.pd.jwpmcfg.WPMConfigure.unconfig(WPMConfigure.java:572)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:64)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
 at java.lang.reflect.Method.invoke(Method.java:615)
 at com.tivoli.pd.jwpmcfg.WPMConfigWrapper.unconfig(WPMConfigWrapper.java:325)
 at com.tivoli.pd.jwpmcfg.AMwpmcfg.interactUnCfg(AMwpmcfg.java:447)
 at com.tivoli.pd.jwpmcfg.AMwpmcfg.main(AMwpmcfg.java:271)</span>

So after scratching my head enough times and poking around, I discovered that all I needed to do was delete /opt/PolicyDirector/etc/amwpmcfg.properties. This allowed me to reconfigure the Web Portal Manager using pdconfig, and now Web Portal Manager shows up properly in the Integrated Solutions Console as it should. So I only lost 4 hours messing around with this silly issue. Just goes to show how a simple mistake can cost you half a day of work.

Cheers!

Posted by Charles Ahart

LDAP: error code 52 - Unavailable
Published 2009-05-19T22:18:00-04:00, updated 2009-05-19T22:44:03-04:00

OK, there may be numerous reasons for this error, but of course TDS just doesn't come right out and explain it for you. This was a weird one in my case because I was simply trying to delete a password policy which I had had no problems creating just moments ago.
I was trying a quick and dirty test, which turned into several hours of troubleshooting in the midst of my other duties.

Well, I tried to delete this password policy using the TDS Web Admin Tool and this is what resulted:

<span style="font-weight:bold;">GLPWSA124E Failed to delete the password policy object.</span>

Then I attempted to use my trusty LDAP Browser/Editor: different error, but same result:

<span style="font-weight:bold;">10:19:52 PM: Failed to delete entry cn=pwPolicy1, CN=IBMPOLICIES
Root error: [LDAP: error code 52 - Unavailable]</span>

So, just for kicks, I enabled trace logging:

<span style="font-weight:bold;">ldtrc on</span>

I restarted the server and attempted to delete my password policy again. Here's what showed up in the log:

<span style="font-weight:bold;">137:23:14:33 T115510160 Delete operation for DN CN=PWPOLICY1,CN=IBMPOLICIES requested by CN=ROOT.
137:23:14:33 T115510160 select_backend: g_backends=0x9928310, dn=CN=PWPOLICY1,CN=IBMPOLICIES
137:23:14:33 T115510160 select_backend: selected CN=IBMPOLICIES
137:23:14:33 T115510160 subtreeDn=CN=IBMPOLICIES
137:23:14:33 T115510160 The update is not from a supplier.
137:23:14:33 T115510160 send_ldap_result2: err=10 matched=[] text=[]
137:23:14:33 T115510160 WriteToSocket: Sending msg to client</span>

So, I'm thinking, "Who cares if the update is from a supplier or not?" This got me thinking about a replication issue. Now, when I built my replicas for this test lab, I did not configure replication for CN=IBMPOLICIES.
At the time I had no desire to replicate these.

In looking at this further, I see that the replication topology is all hosed for CN=IBMPOLICIES.

Peer 1:

(screenshot of the replication topology on peer 1)

Peer 2:

(screenshot of the replication topology on peer 2)

So, then, how to clean this mess up? I found a handy tech note on the IBM Support web site. I know this was referenced by the good folks at L2 Support who put on an STE a while back. It just took me a while to relate the fact that I couldn't delete this simple password policy to a replication issue.
Anyhow, the tech note:

<a href="http://www-01.ibm.com/support/docview.wss?rs=767&context=SSVJJU&q1=cn%3dibmpolicies&uid=swg21226577&loc=en_US&cs=utf-8&lang=en">http://www-01.ibm.com/support/docview.wss?rs=767&context=SSVJJU&q1=cn%3dibmpolicies&uid=swg21226577&loc=en_US&cs=utf-8&lang=en</a>

Posted by Charles Ahart

For some things there may not be a technology solution for..
Published 2009-05-19T11:52:00-04:00, updated 2009-05-19T12:13:25-04:00

This recent example in New Jersey about a "clerical error" which led to sending people's names and SSNs to the wrong place --> <a href="http://www.nj.com/news/index.ssf/2009/05/3k_unemployed_nj_residents_may.html">http://www.nj.com/news/index.ssf/2009/05/3k_unemployed_nj_residents_may.html</a> is one of those examples where people just have to have a better system of doing things, even if it does not involve a computer or software solution. I mean, maybe it comes down to having more conscientious people working in those positions that handle sensitive information. This was a clerical error, so I'm trying to imagine a handful of hard-working individuals manually stuffing envelopes with the wrong reports to the wrong companies, and wondering how their managers articulated what reports go into what envelopes. Or was it blatantly obvious which reports go in which envelopes and the people stuffing them were just oblivious to what they were doing?

Someone very close to me works in one of our illustrious social organizations in the People's Republic of New York and I hear stories all the time about the lackadaisical attitudes, complaining, and just general acceptance of mediocrity in the workplace.
Managers sometimes hiding in their offices, making no improvements to processes or efficiencies, rewarding people's laziness with overtime hours because people do not understand the meaning of hustling on the job.

Sometimes all it takes is for people to care enough about what they do to avoid these mistakes. I make no claim to understand the work environment of the folks at the NJ Department of Labor and Workforce Development; after all, when humans are involved there certainly can be error, and there may not necessarily be a technology solution for it.

Posted by Charles Ahart

Whose Identity Information is safe anymore? Probably no one's.
Published 2009-05-15T15:57:00-04:00, updated 2009-05-15T17:23:49-04:00

I was reading up on the latest security breaches and stumbled onto this web site, which has recorded hundreds of known security breaches since 2005. Check it out here:

<a href="http://www.privacyrights.org/ar/ChronDataBreaches.htm">http://www.privacyrights.org/ar/ChronDataBreaches.htm</a>

It's amazing how many different ways your personal identity information could be compromised. So much of this can be prevented with the proper security measures. I don't know if the number of incidents is rising or not, but it seems the same vulnerabilities continue to be exploited: lost equipment, compromised web sites, internal users' mishandling of data.

There is a link to another great web site full of the latest statistical information about breaches, which I find very interesting:

<a href="http://datalossdb.org/">http://datalossdb.org/</a>

Protecting people's identities is an ongoing battle which most security professionals recognize must be fought on many fronts.
There's not too much you can do about an employee whom you trust not to misuse data, but you can certainly implement good auditing tools which security managers can use to help keep the honest people honest. Then of course there is always human error. Well, again, even though people make mistakes, there are some safeguards that can be put in place to prevent people from doing stupid things like inadvertently sending out mail with people's SSNs on the labels. As for the missing or stolen equipment, well, there are some great disk encryption solutions out there.

Makes you think twice about giving any company or government your information, doesn't it?

Posted by Charles Ahart

Can you teach a bear to dance?
Published 2009-04-23T20:38:00-04:00, updated 2009-04-23T21:00:10-04:00

Any of you Identity Management professionals out there probably know where I'm going with this. How many times have you been in design discussions with a customer and just cringed at what they were trying to do? Do you tell the customer they are crazy? Or do you suck it up and do your best to just make something work? Sometimes you don't have a choice, but one thing I've learned is that it is very important to make the key stakeholders understand that we may be able to teach that bear to dance, but it ain't going to be pretty and the bear might not like it very much.

Some people are convinced that if you can write code then you should not really have many boundaries. True, if it's software and the APIs are available you can do just about anything. But that doesn't always mean it should be done.

Identity Management projects induce much change in an organization. Sometimes folks have a tendency to look for a way to code around having to ask someone to accept a change in their routine or what they know. This doesn't always work.

People, when rolling out an Identity and Access Management solution, get ready to make a few changes in your life. New identity? For sure. New logon ID? Perhaps. New password? Likely. Single sign-on? Sure, but hopefully you're not trying to make a bear dance. :-)

Posted by Charles Ahart