Thursday, July 27, 2006

Password Sync/History and other issues in IDM 6.0

1. CONFIGURATOR CAPABILITIES: Creating a new user with Configurator capabilities is possible, but the Bulk Account Administrator capability, along with several others, vanishes once the password has been reset, the expiry date has been removed from the user object and the user has logged in. Until the user logs in, the account stays in an expired state, which can cause problems in the middle of a major migration.
 
2. PASSWORD SYNC THRESHOLD: The new JMS-based password sync process seems to have problems syncing passwords immediately. The "passwordsyncthreshold" setting is the important variable here. The default is 30 seconds, but 10 seconds is advised for the time being.
 
3. PASSWORD HISTORY ISSUES: Listed below are the major issues with password sync and password history between IdM and AD:
 
(a). Password history in IdM is not case-sensitive by default, i.e., all the passwords in the history are stored in uppercase, whereas password history in AD is case-sensitive. A password that differs from an old one only in case is therefore a history hit in IdM but not in AD, and the two histories go out of sync. Hotfix provided by Sun.
 
(b). Resetting a password in IdM does not put that password into the history, unlike a password change. In AD, both changes and resets are stored in the history. This again causes the histories to go out of sync. Still looking for a solution.
 
(c). A password change on AD triggers a recursive password change on IdM and AD: the message is put onto the JMS queue twice, and only then does it stop. This happens even if the AD resource is listed in passwordsyncexcluderesourcelist and passwordsyncthreshold is set to more than 10 seconds. A possible cause is that two workflows come into play when a password changes: the ChangeUserPassword workflow and the SynchronizeUserPassword workflow.
 
4. AUDIX AND MAINFRAME ISSUES: The Audix and Mainframe adapters are not completely functional in the new IDM 6.0 version. Hotfix provided by Sun.
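Issues (a) and (b) above are easiest to see by replaying one sequence of password operations against two history models. The Python below is an added example, not code from the post or from Sun IdM: it models the IdM 6.0 default (history uppercased before it is stored, resets not recorded) next to an AD-like history (case-sensitive, resets recorded) and returns every candidate password on which the two verdicts differ. The hash function, history depth, scenario and passwords are all constructed for the example.

```python
import hashlib


class PasswordHistory:
    """Minimal model of a per-user password history.

    case_sensitive=False models the IdM 6.0 default described in (a): the
    history is uppercased before it is stored. record_resets=False models (b):
    an administrative reset is not written to the history. AD is modelled
    with both flags True.
    """

    def __init__(self, case_sensitive, record_resets, depth=5):
        self.case_sensitive = case_sensitive
        self.record_resets = record_resets
        self.depth = depth            # assumed history length, constructed
        self.entries = []             # fingerprints, most recent last

    def _fingerprint(self, password):
        pw = password if self.case_sensitive else password.upper()
        # SHA-256 stands in for whatever the product stores; the point is that
        # the uppercasing happens before hashing, so "Winter2006" and
        # "winter2006" collapse to one entry.
        return hashlib.sha256(pw.encode("utf-8")).hexdigest()

    def _remember(self, password):
        self.entries.append(self._fingerprint(password))
        del self.entries[:-self.depth]   # keep only the newest `depth` entries

    def is_reuse(self, candidate):
        return self._fingerprint(candidate) in self.entries

    def change(self, password):
        """User-initiated change: recorded by both IdM and AD."""
        self._remember(password)

    def reset(self, password):
        """Administrator reset: AD records it, IdM (record_resets=False) does not."""
        if self.record_resets:
            self._remember(password)


def divergences(operations):
    """Replay one list of (op, password) pairs against an IdM-like and an
    AD-like history and return (password, idm_verdict, ad_verdict) for every
    "try" on which the two disagree about whether it is a reuse."""
    idm = PasswordHistory(case_sensitive=False, record_resets=False)
    ad = PasswordHistory(case_sensitive=True, record_resets=True)
    out = []
    for op, pw in operations:
        if op == "try":
            idm_says, ad_says = idm.is_reuse(pw), ad.is_reuse(pw)
            if idm_says != ad_says:
                out.append((pw, idm_says, ad_says))
        elif op == "change":
            idm.change(pw)
            ad.change(pw)
        elif op == "reset":
            idm.reset(pw)
            ad.reset(pw)
        else:
            raise ValueError(f"unknown operation {op!r}")
    return out


# Constructed scenario: one user, a change, a reset and three candidates.
SCENARIO = [
    ("change", "Winter2006"),
    ("try", "winter2006"),    # (a): IdM calls this a reuse, AD does not
    ("reset", "Temp!1234"),
    ("try", "Temp!1234"),     # (b): AD calls this a reuse, IdM does not
    ("try", "Spring2006"),    # both agree: not a reuse
]

if __name__ == "__main__":
    for pw, idm_says, ad_says in divergences(SCENARIO):
        print(f"{pw!r}: IdM reuse={idm_says}, AD reuse={ad_says}")
```

The two divergences are exactly the two issues: on the first, IdM rejects a password AD would accept, so the user sees a refusal that AD would never have produced; on the second, IdM accepts a password AD rejects, so the sync to AD fails after IdM has already recorded the change.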

Friday, July 14, 2006

To change a DNS record on your computer

Locate the "hosts" file under "C:\WINDOWS\system32\drivers\etc". Open it in a text editor (TextPad or Notepad; the editor needs write access to that directory, i.e., an administrator account), and add a line at the end containing the IP address, a tab, and the host name it should map to. The hosts file is consulted before DNS, so the entry overrides whatever the DNS server says for that name, on this machine only. Close all browsers and test by entering the new name.
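Because the hosts file takes precedence over DNS, a stray or forgotten entry silently redirects traffic, which is also why malware likes to edit it. The Python below, added here as an example and not from the original post, performs the same edit programmatically on a constructed sample file and adds the check a defender wants afterwards: listing every redirect that points outside loopback and outside your own domains. The sample file contents, host names and suffixes are invented for the example; on a real machine the text would be read from and written back to C:\WINDOWS\system32\drivers\etc\hosts.

```python
import ipaddress
import re

# Constructed sample of a Windows hosts file (not copied from any machine).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
10.1.2.3\tidm-test.example.com\t# lab override
"""

# Labels of letters, digits and hyphens, joined by dots (RFC 952/1123 shape).
_HOSTNAME = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$"
)


def parse_hosts(text):
    """Return {hostname: ip} for every active (non-comment) entry.

    The first entry for a name wins; this assumes the resolver uses the first
    match, as glibc does.
    """
    mapping = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, split on blanks
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        for name in names:
            mapping.setdefault(name.lower(), ip)
    return mapping


def add_hosts_entry(text, ip, hostname):
    """Return hosts text in which hostname maps to ip and to nothing else.

    Any earlier active line naming the host is dropped, or rewritten without
    that name if it carried several, so the new entry is the only one the
    resolver can find for it.
    """
    ipaddress.ip_address(ip)                  # ValueError on anything that is not an IP
    if not _HOSTNAME.match(hostname):
        raise ValueError(f"not a valid host name: {hostname!r}")
    target = hostname.lower()
    kept = []
    for raw in text.splitlines():
        body, sep, comment = raw.partition("#")
        fields = body.split()
        if len(fields) >= 2 and target in (n.lower() for n in fields[1:]):
            others = [n for n in fields[1:] if n.lower() != target]
            if not others:
                continue                      # line only named our host: drop it
            raw = "\t".join([fields[0]] + others) + (sep + comment if sep else "")
        kept.append(raw)
    kept.append(f"{ip}\t{hostname}")
    return "\n".join(kept) + "\n"


def overrides_outside(mapping, own_suffixes):
    """Names the file redirects that are neither loopback nor under one of
    own_suffixes: the entries a planted hosts file would add."""
    def is_loopback(ip):
        try:
            return ipaddress.ip_address(ip).is_loopback
        except ValueError:
            return False                      # malformed address: treat as suspicious
    return sorted(
        name for name, ip in mapping.items()
        if not is_loopback(ip)
        and not any(name == s or name.endswith("." + s) for s in own_suffixes)
    )


if __name__ == "__main__":
    updated = add_hosts_entry(SAMPLE_HOSTS, "192.168.5.10", "idm-test.example.com")
    print(updated)
    print("entries outside example.com:", overrides_outside(parse_hosts(updated), ["example.com"]))
```

Running overrides_outside over the parsed file on a schedule, with your own domain suffixes, turns the same parsing into a cheap integrity check for the host.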

Thursday, June 29, 2006

Limitation to the number of Roles in Sun IdM

When roles keep being added to a particular user, at some point even changing the password or the authentication answers and saving the account through the Sun IdM administrator interface will fail. This is because the maximum allowed length for the text in the user object is 256 characters, and the role list exceeds it. This limitation is removed (the length is set to unlimited) in IdM 6 SP1.

Wednesday, May 24, 2006

Remote login to Sun/Unix boxes from Windows/Unix systems and other general commands

Listed below are a few generic things one needs to keep in mind:

1. Use the Exceed software to rlogin to a remote UNIX/Sun box. With this set-up you can open the BPE (Business Process Editor) on your local Windows system while logged into the remote Sun box. Note that rlogin sends everything, including the password, in clear text; where the box supports it, use ssh with X11 forwarding (ssh -X) instead.

2. Use the command ./lh setRepo -c to check which database the IdM repository points to.

3. If you want to open the BPE on your local Sun box, set the environment so that the GUI can be displayed: setenv DISPLAY ipaddress:0.0 (C shell syntax; in sh/bash use export DISPLAY=ipaddress:0.0), or refer to http://scv.bu.edu/Graphics/xstuff.html. The X server on your workstation must also accept connections from the remote box (xhost), and that traffic is unencrypted; ssh -X sets DISPLAY for you and tunnels it instead.

Monday, May 15, 2006

Auditing Authentication Answers modification in Sun IdM

Whenever the answers to a user's authentication questions are modified in Lighthouse/Sun IdM, the event is not audited, so the audit log cannot tell you who changed them or when.

Thursday, April 20, 2006

Server not booting after a restart

Sometimes the application server on which the IdM application is deployed does not come back up as expected after a maintenance restart. This can be due to a hung Source Adapter Task. To get past it, delete the "Source Adapter Task" TaskInstance if it shows up on the list.
 
Run the following commands from the lh console:
 
listO TaskInstance            (if "Source Adapter Task" shows up on the list, delete it)
delete TaskInstance "Source Adapter Task"
delete TaskSchedule SourceAdapterTask
 
Restarting the server should then work smoothly.

Tuesday, March 07, 2006

Seven Identity Management Implementation Risks

Here is a list of the seven risky behaviours that could kill your Identity Management project, picked from Mark Dixon's blog:

  • Poor Pre-Project Preparation
  • Poor Requirements Definition
  • Large Initial Scope
  • Inexperienced Resources
  • Poor Project Methodology
  • Scope Creep
  • Not Using Available Support

Friday, March 03, 2006

Encryption change in Sun IdM Version 6.0

The encryption format in Sun Identity Manager 6.0 has changed. Passwords/messages encrypted by the older version can still be decrypted by the new version, but everything newly encrypted appears in a different format: the base64 ciphertext is now preceded by an identifier and a "|" separator.
Ex: a password that the older version encrypted to JAjgwZAUisg= is encrypted by 6.0 to B0730A11D031F50F:1EF3212:10945F4D81C:-7FFE|BOTAoKL58Zp=
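When migrating a repository it is useful to know which stored values are still in the old format. The Python below is an added example, not code from the post or from Sun IdM: it splits a value into the two shapes shown above and reports which one it is. The shape of the prefix (four colon-separated hex fields, the last possibly negative) is inferred from the single example on the page, and the reading of that prefix as an identifier for the encryption key is an assumption. Both sample values decode to 8 bytes of ciphertext, so the change visible here is in the envelope rather than in the ciphertext itself.

```python
import base64
import re

# The two values quoted in the post: the same password as encrypted by the
# pre-6.0 version and by 6.0.
LEGACY_SAMPLE = "JAjgwZAUisg="
V6_SAMPLE = "B0730A11D031F50F:1EF3212:10945F4D81C:-7FFE|BOTAoKL58Zp="

# Assumed shape of the 6.0 prefix, inferred from the one example above:
# four colon-separated hex fields, the last one possibly negative.
_V6_PREFIX = re.compile(r"^[0-9A-Fa-f]+:[0-9A-Fa-f]+:[0-9A-Fa-f]+:-?[0-9A-Fa-f]+$")
# Standard base64 alphabet with up to two padding characters.
_B64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def parse_encrypted(value):
    """Split an IdM encrypted string into its parts.

    Returns {"format": "legacy" | "v6", "key_id": str | None, "ciphertext": bytes}.
    Raises ValueError for anything that matches neither shape.
    """
    if "|" in value:
        prefix, _, blob = value.partition("|")
        if not _V6_PREFIX.match(prefix):
            raise ValueError(f"unrecognised 6.0 prefix: {prefix!r}")
        fmt, key_id = "v6", prefix          # assumption: prefix identifies the key
    else:
        fmt, key_id, blob = "legacy", None, value
    if not _B64.match(blob) or len(blob) % 4:
        raise ValueError(f"ciphertext is not valid base64: {blob!r}")
    ciphertext = base64.b64decode(blob)
    if not ciphertext:
        raise ValueError("empty ciphertext")
    return {"format": fmt, "key_id": key_id, "ciphertext": ciphertext}


def looks_encrypted(value):
    """True if value is in either of the two IdM formats."""
    try:
        parse_encrypted(value)
        return True
    except ValueError:
        return False


def legacy_attributes(pairs):
    """Given (attribute, value) pairs taken from an exported object, return the
    names whose value is still in the pre-6.0 format, i.e. what a
    re-encryption pass would have to touch. Non-encrypted values are skipped."""
    return [name for name, value in pairs
            if looks_encrypted(value) and parse_encrypted(value)["format"] == "legacy"]


if __name__ == "__main__":
    for sample in (LEGACY_SAMPLE, V6_SAMPLE):
        parsed = parse_encrypted(sample)
        print(parsed["format"], parsed["key_id"], len(parsed["ciphertext"]), "bytes")
```

Run legacy_attributes over the encrypted attributes of each exported user or configuration object; once it returns nothing, every stored secret carries the 6.0 envelope.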

Friday, January 27, 2006

Enabling a Locked User on the Native Resource

Problem here was to enable (or unlock) an account on an Oracle resource through a form. Trying to set 'view.accounts[$(Resource)].enable' to 'true' wouldn't work, and I checked the Sun IdM documentation (IDM_Technical_Deployment), which says that the "supportsAccountDisable" method in the custom adapter should override the corresponding method in "ResourceAdapterBase.class" so that it returns true, for the ACCOUNT_ENABLE function to work properly. Later, found that this is already done in the custom adapter. The final option, setting
'view.accounts[$(Resource)].disable' to 'false', worked. The button incorporated into the form is given below:
 
<Field name='view.accounts[$(Resource)].disable'>
  <Display class='Button' action='true'>
    <Property name='noNewRow' value='false'/>
    <Property name='label' value='Enable KCS User'/>
    <Property name='value' value='false'/>
  </Display>
</Field>

Tuesday, January 10, 2006

Changing Page Title and Subtitle in Sun Identity Manager

To modify the default page title and subtitle, or to customize the end-user pages entirely, refer to the "Private Labeling of Identity Manager" section of the IDM_Technical_Deployment manual. In brief, you can change the default messages by editing the text in the "WPMessages_en.properties" file. Extract this file from WEB-INF/lib/idmcommon.jar into the config directory, edit the required message and restart the application server.

Modifying authentication questions in a policy

Changes to authentication questions in a LH policy had to be made, and modifying the .xml and re-importing the new file did not reflect the changes in the user interface immediately. If the changes are made directly in the debug page, they show up immediately in the end-user interface. Avoid making these changes from the admin interface (Configure -> Policies), because the "id" assigned to the question changes and is not propagated to the user objects linked to it.

Thursday, January 05, 2006

Windows Tips: Password-Protect Your Sensitive Files and Folders

Check this article at http://www.pcworld.com/howto/article/0,aid,110663,00.asp, which describes simple but useful ways to protect sensitive folders on a Windows Me/XP computer. In short, move all the folders you want to protect into a compressed zip folder and, from Windows Explorer, go to File->WinZip->Encrypt and enter the password. Because an encrypted zip still shows the names of the files it contains, put that zip inside another folder and compress the latter, so that only the inner archive's name is visible. Note that the traditional Zip 2.0 encryption is weak and can be broken with known-plaintext tools; choose the AES encryption option (available in WinZip 9 and later) where the archive has to hold anything genuinely sensitive.