TDI Null Entries

/0 Comments/in , , , /by

Tivoli Directory Integrator is a powerful tool that we often use as part of an ITIM migration or rollout. What makes it great is its unique ability to translate data from one source of almost any type into another. It really doesn’t matter if you’re using something as a primitive XLS maintained manually by HR or a complex set of relational databases. TDI can get the data, do any number of out of the box or even custom translations that are necessary to get your data into the form you want it.

Through this data “smoothing” process there will inevitably be some odd-ball data that you find. Whether it is a random string value when you expected a Boolean true/false or a legacy attribute that’s only assigned to 25% of the objects you’re migrating.

And then there’s the “null” entry, which will come up often as well. Null values are pesky because we don’t always know why they’re there, sometimes it’s important that the attribute is moved over whether there is a value assigned or not. Other times we want to clean up our data while we’re moving it, and pull out all any attributes assigned with no value. Luckily for us, TDI has a feature built in to assist with this. Read more

Tivoli Directory Integrator – Before Initialize

/2 Comments/in , /by

As I mentioned in prior PathMaker Group blogs Tivoli Directory Integrator (TDI) is a pretty neat tool that comes packaged with IBM Tivoli Identity Manager (ITIM).  TDI comes out of the box with a multitude of connectors that are used to as the name says, connect to different sources.  One of the most common business processes where TDI is used is to extract data, transform the data and then load the data into different data source (ETL).  For an example, it is common to use TDI to extract account data from Active Directory using an LDAP connector.

Have you ever wanted to build a dynamic iterator filter that can be created when the assembly line is executed?  In the following example the assembly line uses an LDAP connector to iterate Active Directory.  The requirement is to find AD accounts where the “whenChanged” is in the last 5 days and AD entry should be a user account or a user contact and have a mail attribute.
Read more

User Self Service Registration Demonstration

/0 Comments/in , , , /by

This demo video walks through the steps of user self-service registration, a workflow approval for account creation, and the advanced security registration (including OTP) process.

The following systems are used during this demonstration:

OAAM: Oracle Adaptive Access Manager – Advanced authentication and fraud prevention

OAM: Oracle Access Manager – Single Sign-On, authentication services, and web services security

OIM: Oracle Identity Manager – Role based provisioning, user self-service, complex workflow, and permissions attestation

OVD: Oracle Virtual Directory – User source consolidation, data transformation, and DSML gateway

OID: Oracle Internet Directory – LDAP V3 repository, highly scaleable, and user record storage Read more

Knock Knock. Who’s there? Ivanna. Ivanna who? Ivanna steal your data!

/0 Comments/in , , /by

I recently read a story about a vulnerability that was discovered in electronic door looks commonly used in hotels.  The problem centers around a particular popular model of hotel door lock sold to hotels globally. Hackers claim to have discovered that the company left a security port uncovered that allows them to open any of the locks with a universal key of sorts.  The article goes on to say that until this flaw has been fixed it’s more important than ever to make sure to go the extra step of securing your door with the deadbolt and chain.

A lot of people will trust that the basic security of their software/operating system/network (the electronic door lock) is good enough.  They won’t bother adding additional security (the deadbolt/chain) and will end up getting their data hacked in the same way that some hotel guests are going to wake up to find their room cleaned of valuables way better than the maid removes dust and dirt.

Thieves are counting on people to trust standard security and not do their own due diligence to identify vulnerabilities or provide additional security to deal with these deficiencies.  While the average person has no way to determine if the hotel door lock is secure, they can at least provide another layer of security to prevent a breach and loss of property.

Fortunately for you, Pathmaker Group can review your security system and find vulnerabilities and patch them up before data thieves strike.   They can also provide additional layers of identity and access management to secure application access and prevent unauthorized access, even from those already on the inside.  So don’t delay, you never know who’s knocking on the door…

Querying Oracle IAM requests

/0 Comments/in , /by

When a request gets created in IAM to create a user of some sort, workflows can be set up to ensure approval from various actors depending on the business needs. In this situation, sometimes there is a need to review the requests that have been created, outside of the IAM interface. For this purpose, IAM provides API’s that help in querying existing requests.

OIM workflow API does not function properly with the other provisioning API’s and thus it is important to ensure that request processing is done in a separate application. This situation creates challenges in design and forces decoupling of workflow operations from other system operations.

In the following sections, we will concentrate on connection, configuration and querying the OIM workflow engine to prod the existing requests.

Connecting to OIM Service

When writing a web application, specially using SSO infrastructure, it is important to connect as an admin to the web service, and then identify the user who will perform the operation.

First, remote client configuration is set up for workflow services.

Read more

7 Minutes of Terror

/0 Comments/in , , , , /by

Last month we witnessed an amazing feat of science & engineering with the landing of NASA’s Curiosity Rover on Mars. Before this could be accomplished years of preparation through innovation, design & testing had to occur. It all culminated towards what the NASA scientists and engineers at JPL call “the 7 minutes of terror” – the 7 minutes between when Curiosity entered the Mars atmosphere and when it was expected to land. Of course we know now that it was a fantastic success – but what made it so? How does an organization accomplish such a fantastic undertaking?

Well it got us here at PMG thinking; what is it that we do together with our clients that makes projects a success? We know we’re not rocket scientists, but it’s still fun to day dream & draw some interesting connections between the Curiosity mission and our own business and philosophies.  Read more

ITIM Provisioning Policy Priority

/0 Comments/in , , /by

A provisioning policy in ITIM (IBM Tivoli Identity Manager) basically grants access and set entitlements to the ITIM managed services based on the provisioning policy membership.

Each provisioning policy consists of information and settings on the following tabs:

  • General
  • Members
  • Entitlements

Of course, there are factors to consider: Role Memberships, service selection policies and policy join behaviors to name a few but this blog is just looking at the value of the required priority attribute.

The priority setting is a required value on the General tab of the provisioning policy configuration.  This is a required numeric attribute and the lower the number the higher the priority of the Provisioning Policy. Read more

Using WebSphere Process Server in your SOA Infrastructure

/0 Comments/in , , , , /by

WebSphere Process Server (WPS) is the runtime engine for artifacts produced in a business-driven development process.   It allows orchestration of business assets into highly optimized and effective processes to meet business goals.  It is a single, integrated, runtime foundation for deploying service-oriented architecture or SOA based business processes.  Built on open standards, it deploys and executes processes that orchestrate services (people, information, systems, and trading partners) within your SOA or non-SOA infrastructure.  It helps increase efficiency and productivity by automating complicated processes that span people, partners, and systems.  It helps cut costs by enabling flexible business processes with reusable assets, thus reducing the need to hard-code changes across multiple applications.  It has the ability to track the state of process instances, handle human intervention, and deal with exceptions.

WPS is mounted on top of WebSphere Application Server (WAS) with its robust J2EE runtime and offers a new level of abstraction so the task of integrating applications and services becomes much easier. Read more

7th Phase of growth – Security of the enterprise’s IT/IS Investment

/0 Comments/in , , /by

So congratulations, you were just named Chief Information Officer of your company and now moved into your new office.  Looking through the top desk drawer you find a note with three sealed envelops attached.  The note says when you have your first major crisis, open envelop one, the second one open envelop two and the third one open envelop three.  Being the type “A” personality, the one that got you here, you decide to open all three now.  The first one says this is your first crisis blame it on me, your predecessor. The second one says this crisis is yours and you will need a plan to solve it.  The third one says “Oops”, prepare three envelops and leave them in the top draw for your successor.

At this point being a Type “A”, you decide that you are going with envelop two and throw away the other ones.  Your first step is to evaluate your staff and their capabilities.  Looking at their performance records you can learn some of the basics, but you will not be satisfied with just that limited amount of information.  You know about Maslow’s hierarchy of needs.  Although this was explained in a paper by Abraham Maslow in 1943, it still applies today.  The phases are: (1) Physiological (breathing, food, water, sleep, etc.); (2) Safety (security of body, employment, resources, morality, the family, health, property, etc.); (3) Belonging (friendship, acceptance by the group, social needs, sense of belonging); (4) Esteem (self-esteem, confidence, achievement, respect of others, respect by others); (5) Self-actualization (morality, creativity, spontaneity, problem solving, acceptance of facts).  You are aware that Self-actualization is the goal, studies show that only about 2 % are performing at this level.  As people move up the hierarchy with their needs, if suddenly there is a need below, a person will revert back to that level.  (i.e. if someone is working at a self actualization level and can’t breath he would abruptly revert to the Physiological level or if threaten to safety. Read more

Strengthening the Authentication of Your Users

/0 Comments/in , , , , , /by

They say a chain is only as strong as its weakest link.  In the world of IT systems, you don’t want that weak link to be user authentication.  Once a hacker gains access to a system as a valid (potentially high level) user, the amount of damage they can do is unlimited.  There are different ways to validate a user’s identity and they have different levels of security.  Using the three little pigs as an analogy, let’s take a look at the options:

1)      The straw house – This is what we call single factor authentication.  This just involves something you know or have.  An example for physical security is a badge that is tapped on a door reader to gain access.  If someone gets hold of the badge, that’s all they need to walk into the building.  Another in the IT world is the familiar user ID and password.  It’s what a majority of users use to gain access to their computer’s OS and applications. This has the potential to be fairly secure, but often times isn’t due to poor password choice.  Users frequently pick passwords that are easy for them to remember which means they are easy for hackers to crack. Once they know the password they have total access to the system/application.  Read more