Directory Services Inc Blog

Setting up GroupWise 8 Web Access Auto Forward

2010-12-02T09:51:00.000-08:00

After you have setup Novells Groupwise Web Access you are not told that it does not have the industry standard  auto forwards functionality.  What is meant by hot having an auto forward is that when the unlucky end user who want to connect to the Groupwise WebAccess service they must type in the full http://webmail.yourcompany.com/gw/webacc.

If you want to make the groupwise web mail service more more accessible to your end users by only having to type in the simple URL address like http://webmail.yourcompany.com you have to include the html shown below in a files call index.html.

This file must be place in the linux directory /srv/www/htdocs/

<html>
 <head>
 <META HTTP-EQUIV="REFRESH" Content="0;url=http://webmail.yourcompany.com/gw/webacc">
 </head>
 <body>
 </body>
</html>

Android Dead Battery Issues Solved

2010-11-15T14:07:00.001-08:00

I bought an Sprint HTC Hero Android phone about a 8 months ago and have been really happy with the new phone. Recently took a trip and the android phone battery just died. There was no warning or other indication that the battery could be having problems.

However, after a a bit of research/Googling the issue some people have had success reviving the battery by putting it into the refrigerator or freezer. I happened to have a deep freezer available and I following the information on the internet I left the battery in the freezer over night. The next morning I retrieved the battery from the deep freezer and wiped off the condensation and voila the battery was back working again.

Achieving dynamic failover and recovery with the Novell User Application

2010-06-23T14:17:00.000-07:00

Have you implemented the Novell user Application with a Microsoft SQL Server cluster and have the JDBC Connection fail every time the MS SQL Server cluster switches over to a member node?

This can be troublesome as you are forced to either script an automatic restart or manually perform the restart. However, there is a way to enable the Novell User App seamless maintain connection when the Microsoft cluster switches between member nodes.

One approach that has worked for me is to use XA transaction specification to enable a truly fault tolerant implementation.

Pre requisites for this solution

MS SQL Cluster using 2005
XA Transaction Enabled on Microsoft cluster

http://msdn.microsoft.com/en-us/library/aa342335(SQL.90).aspx

XA JDBC Driver
XA Capable Application Server such as JBOSS.

Once you have the pre requisites met you will then need to make a copy of the Novell User Application resource files. Typically this is “instancename.xml” such as “userapp.xml” or “idm.xml”. Rename this to an “.org” extension in case you need to roll back to a known working copy.

Now that you have a backup here is an example of what a (XA enabled) userapp.xml file needs to look like.

<?xml version="1.0" encoding="UTF-8"?><datasources> <xa-datasource> <jndi-name>IDMUADataSource</jndi-name> <track-connection-by-tx/> <isSameRM-override-value>false</isSameRM-override-value> <xa-datasource-class>com.microsoft.sqlserver.jdbc.SQLServerXADataSource</xa-datasource-class> <xa-datasource-property name="ServerName">Your Database Server Name here</xa-datasource-property> <xa-datasource-property name="DatabaseName">Your database Name</xa-datasource-property> <xa-datasource-property name="SelectMethod">cursor</xa-datasource-property> <xa-datasource-property name="User">Database User Name</xa-datasource-property> <xa-datasource-property name="Password">Database User password </xa-datasource-property> <xa-datasource-property name="URL">jdbc:sqlserver://xx.x.xx.xx:port Number</xa-datasource-property> <new-connection-sql>select 1</new-connection-sql> <check-valid-connection-sql>SELECT 1</check-valid-connection-sql> <metadata> <type-mapping>MS SQLSERVER2005</type-mapping> </metadata> </xa-datasource> </datasources>

Now that you have made the changes to the DataSource definition files, you can now restart your Application server to make the changes take effect and then watch the log files closely to determine if the configuration works in your environment.

Now that we have the capability to use XA transactions with Microsoft SQL server cluster you can achieve robust highly available application environments (read nearly continuous uptimes 99.999 %) with the Novell User application

Novell Identity Manager and Java Mail Authentication Exception

2010-06-21T15:38:00.000-07:00

I recently came across an interesting situation where I was getting a Java Mail Authentication Exception when attempting to send an email message using the Novell email templates.

I did the usual checks to make sure that I had permission to send mail and I checked the Template permission to double check that I had specified the host IP address and from address in the Default Notification Collection. All the fields were filled out so there should not have been a problem yet I kept getting the “Java Authentication” exception.

To analyze the issue in more depth I setup a tcpdump (tcpdump -vv -x -X -s 0 -i eth0 'port 25') so I could view the traffic generated by the send mail command. I tried to send another email transaction and it wasn’t generating any outgoing traffic.

I then uninstalled and reinstalled the Novell IDM and I was still receiving the Java mail Authentication Exception. After writing several java mail debug utilities, I finally came to the conclusion there must to something incorrect about the way the Novell JVM was seated.

So after forcing the remove of the Novell JVM then reinstalling the Novell IDM system everything starting working! No more java Authentication Exceptions!!.

So here is how to fix the issues.

Step 1. Find the Novell JVM package name. You can get this bye querying for the package.

· rpm -qa | grep -i jvm

you should get something like

(novell-NOVLjvml-3.6.10-20090519)

Step 2. Remove the Novell jvm package

· rpm -e novell-NOVLjvml-3.6.10-20090519

Step 3. Remove the Novell IDM package using the uninstaller.

· Change to the directory (/root/idm/Uninstall_Identity_Manager)

· Run the uninstaller (./Uninstall_Identity_Manager)

· Reinstall the Novell IDM System.

A Perspective on Identity Management

2010-05-26T19:55:00.001-07:00

Organizations have many mundane tasks that are crucial to the organization’s ability to function efficiently on a day to day basis. These tasks such as provisioning and de-provisioning of user accounts are driven by internal and external changes in the organization due to policy, personnel changes and regulatory compliance mandates.

While these tasks can be done by manually by your internal IT staff it does not enable the organization to timely and consistently execute on these repetitive and mundane tasks like an Identity Automation system. Further, these tasks are also a direct expression of what the organization policy is in regards to providing access to physical and electronic resources. What must be considered is that internal IT Staff may be very good at providing these services, what happens when they are sick, on vacation or leave for another job. More likely, what if they are swamped with infrastructure project are over worked or buried in other day to day tasks.

Regardless of reason for the absence of these key personnel it impacts the organization negatively. The result is access permission (keys) to the organization’s services are not properly maintained resulting in potentially security breaches, delay in servicing request and impacting other projects or departments. For example, a terminated employee may gain improper access to data or services while the operational personnel are struggling to with day to day workloads. Correcting these issues will result in an expenditure of time and effort from employees, managers and support personnel to identify and correct the required access controls. Take an afternoon to perform the exercise of quantifying this type of potential breach, and then multiply it by the number of times per week this could (and probably does) happen. Congratulations, you just found your IDM budget!

When you look at it from this perspective, providing an Identity Automation system to address these key day to day tasks is an critical organizational objective. However, making the best technological choice to support the organization short term, medium and long term goals in this space is not quite as easy as it seems.

We will be addressing these questions in upcoming posts, so please subscribe.

3 Reasons Identity Management is a “MUST”… and strategies to make it affordable

2010-05-18T09:02:00.000-07:00

(Repost from Digital Avenger Blog http://digitalavenger.wordpress.com)

Let me be clear about what I’m saying. Identity Management for companies with employees that have access to critical data is a MUST, not a want. Over the years I have had the privilege to work with many companies large and small, who have different business needs. In many cases I hear all the reasons, (and sometimes excuses) for not implementing a solution, policy or methodology. Sometimes these reasons even make perfect sense! In making any business decision, the choice to do, or not do anything is weighed by what I call the “risk vs. reward scale”. Regarding Identity Management (IDM), if you have employees with access to critical business information, you MUST put at least basic IDM in place!

So what is Identity Management? Bill Brant, CEO of Directory Service, Inc. says “IDM is the technological automation and enforcement of business policies and processes to manage the lifecycle of electronic credentials, entitlements authorization and compliance mandates.” If you are in management like me, let me translate in English. IDM automates your logins so your company is secure, and you don’t lose millions of dollars, PLUS it increases productivity so you can make millions of dollars. The following are my top three reasons IDM is a must, not a want.

Reason One (1): Provision of new employee credentials

Companies that do not have Identity Management spend days to weeks to properly provision a new employee, and with a high probability of improper provisions. The popular method used to accomplish this task is a simple email request.

Typical email thread:

HR to IT Admin: “Jack is starting today with us, can you get him a login?”

IT Admin to HR: Sure what does he need?

HR to IT Admin: “He is working in Sales, ask his supervisor.”

IT Admin to Supervisor: “Jack is starting today, and I need to get him a login, what accesses does he need?”

Supervisor to IT Admin: “I don’t know, how about just copy the access rights from Jill, she’s been here a while, so whatever she has must be right?

Risk to the company: Jill was the Engineering Manager and Marketing Supervisor before becoming the top sales person in the company. Each new position gave her role specific rights that were never properly taken away as she changed roles. Now she is being used as the “template” for user rights to new hires. Jack the new hire, just gained access to engineering blueprints, and new “go to market” strategies. In addition, the back and forth emailing took two weeks because the supervisor was on vacation. Adding a face slap to a poke in the eye, Jack the “new hire” is still being paid even though he had no access to do his job. Sound familiar?

IDM to the rescue: A company with IDM could implement automated provisioning of credentials by role. A company would define the accesses any given role can have, and further, lock out accesses for roles they should not have i.e. the janitor does not need access to the accounting system. The IDM system’s automatic provisioning process tool performed this task in seconds, and Jack was properly provisioned before he sat at his new desk.

Reason Two (2): Deprovisioning of terminated employee credentials.

In a company without Identity Management the same situation occurs as in the scenario above, but with more immediate consequences. The popular method of conducting deprovisioning of credentials in a company without Identity management is by way of a simple email request.

Typical email thread:

Supervisor to HR: “Jack has been terminated immediately for bad attendance. Please put all the termination protocols in place. He has been removed from the facility, but he did not have his badge with him.”

HR to Supervisor: “Out of Office Reply” I’m sorry, but I’m out of the office the next two weeks on my honeymoon. I my absence please contact the supervisor”.

Supervisor to Manager: “I just fired Jack, and need the termination protocols, but HR is out of the office, what now”?

Manager to Supervisor: “Who is her Backup in HR?”

Supervisor to Manager: “I am, but I don’t know the protocol.”

Manager to HR: “when you get back from your honeymoon, please terminate the supervisor, he hired Jack who we think may have stole engineering plans and sold our marketing plan to the competition after he was terminated because he still had his accesses for the last two weeks! Of course we cannot prove it.” (side note to reader Yes IDM applies here too for compliance and auditing, but that is another article… Marc).

Manager to CEO: “I have no idea how our engineering blueprints and our marketing plan got into the hands of our competition?” It must have been Jill, she has rights to both of those areas. By the way, I’m hearing our client list is being aggressively called by our competition as well. It couldn’t have been Jack, he’s been fired for weeks now.”

Ok obviously I was on a little bit of a roll there with the Manager reply, but I think you get the picture.

IDM to the rescue: A company with IDM could implement automated deprovisioning of credentials by Identity. In this scenario, Jack could have been deprovisioned before he was even out the door. If he tried to access his client database from home, he would have been locked out.

Reason Three (3): Identity Synchronization and Password management

Did you ever think that 3M would produce the world’s largest and most used Identity Management and password vault tool! It is true! Its call the “Post-IT” note, and it can cost you millions.

Some people may get basic Directory Services and Identity Management confused. Directory Services are a key part of IDM because this is where the Identities are managed. For example, Active Directory, eDirectory, LDAP, are all network directory services. What about your applications that maintain their own “directory service database? This may be your custom built Inventory application, or ERP system for example. How do you get these systems to talk? If you do not have Identity management, you create separate login credentials for each sub system, and have your end users become the (Identity Management). This becomes the Identity Management by “Post-IT” note that was mentioned earlier.

IDM to the rescue: With IDM, companies can synchronize their user passwords between directories and application directory databases giving your end users a single password to manage for all systems. The next step would be to implement SSO, or single sign on, which automatically uses a single login event to sign into multiple databases eliminating the need to manually login to multiple systems many times. I stop short of saying SSO is a “MUST” for all businesses, but it sure is up on the list of “should haves”. I reserve the right to be on the fence on the “SSO vs. Identity sync only” discussion depending on the client needs.

Password management is bundled into this category, but I could add this to the list on its own. Some may argue that this is not IDM because it is a directory service component, but I believe it is a component of IDM, so take it for what it is worth. Password management in this scenario would be more than just enforcing strong password policies; it would include “self service password” assistance using challenge response questions and secure authentication methods like multi factor authentication and one time passwords.

Strategies that make it affordable:

There are many different products out there that can facilitate Identity Management and Access Controls. Some of the best are made by Novell, Sun, Oracle and IBM. Recently, the Identity Management space has become somewhat commoditized in what I would call the “basic IDM” space. This would be the space I touched on today, with provisioning / deprovisioning, password management, and synchronization of identities. Some of this functionality is being built into the OS and Directory Services of some vendor products from Novell and Microsoft. Novell has Domain Services for Windows, eDirectory, and the IDM bundle edition that ships with Novell Open Enterprise Server 2 (OES2). Most major directory services vendors have free self service password management tools available for eDirectory, Active Directory, Sun Directory Server etc). New companies are building targeted IDM solutions based on open source like, GreyTower from Directory Services, Inc., and Sun. These solutions can be implemented without licensing costs, but also sell support and maintenance if you need it.

Take the first steps. Contact your trusted Identity Management advisor and discuss your options. Make sure they are not tied to any single vendor or you will get a single option presented that may not fit your business. Remember, IDM is a MUST!

Hello, from your new contributor... New things in store.

2010-05-18T08:53:00.000-07:00

I'm happy to have been invited to contribute to the Directory Services Blog. In my blog "Digital Avenger, I have written a few articles from my point of view on subjects including Identity Management. In the upcoming months I expect to contribute some of my thoughts here on some of the Identity Management strategies and methodologies that I hope help educate and challenge your views of Identity Management. I'll be the first to admit, I'm not the nuts and bolts guy. That would be Bill Brant, CEO of Directory Services whom I've been working closely with over the years. I'm the big picture guy, and at the end of it all, I'll do my best to be honest and forthcoming.

I'd like to leave you with a taster. Bill and I have been working on some new tool sets and methodologies for Identity Management and integration by leveraging a product authored by Bill that will add flexibility and agility to your Identity implementation, while bringing existing licensing costs down. The foundation Open Source product has been in use for years in some very large companies all over the world, but we are expanding the focus and scope to solve several business processes over several market segments. Our simplest goals are always to fulfill at least one of the following, and hopefully all: 1. Reduce Costs 2. Increase Productivity 3. Minimize Risk.

To keep informed, please subscribe. We are looking for Case Study Organizations and Early Adopters.

I'm looking forward to hearing from you. Take care, and I hope you enjoy.

-- Marc Potter