Thursday Jun 11, 2009

Achieving PCI-DSS compliance with Sun Identity Suite of products ..

Are you in the Retail, Financial or Telecom industries? Do you have a system which involves payment via credit cards? The PCI Data Security Standard (PCI DSS) is defined as follows - "The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data." There is a deadline to be PCI-DSS compliant, and it's approaching fast ..

The Sun Identity suite of products - Sun Identity Manager, Sun Role Manager, Sun Compliance Manager and Sun OpenSSO - can help in meeting several of the requirements needed to achieve compliance. A webinar is being organized which will touch upon these aspects and offer details on how the Sun Identity suite helps. Please register at to attend this webinar, on Wednesday, June 17, 2009 at 10:00 am PDT / 1:00 pm EDT / 17:00 GMT/UTC / 10:30 pm Indian Standard Time.

Thursday Jun 04, 2009

Passed - Sun Certified Integrator for Identity Manager Exam

Passed the Sun Certified Integrator for Identity Manager exam this morning. Whew, what a relief. Did some amount of preparation over the last three days, thanks to a lot of prodding and guidance from my friend at Sun Learning, Rajesh. Thanks, Rajesh!

As explained in the exam objectives, there is stuff on SPML, general IDM architecture, where IDM fits in, XPRESS language questions using snippets of code, reconciliation, etc. Most of the stuff is covered in the IDM-345 class, but I had not done this course. I had done a very old course called IDM-2535 or something like that, five years back ;-)

Finally, why did I do it? Well, I have been working in different areas of Sun Identity Manager since 2005, but had never gotten a chance to validate what I knew, and whether I had covered all the areas of Sun IDM. An exam, I believe, is the best way to validate your breadth of knowledge. Of course, certifications are no substitute for real-world experience, but at least you can trust that a "certified" person knows the basics ;-)

Monday Mar 23, 2009

Media on the Sun-Deloitte roadshow in India has got a news article on the Sun IDM event done with Deloitte.

Wednesday Mar 11, 2009

Sun - Deloitte Compliance road show

Sun and Deloitte are organizing a roadshow at Delhi and Mumbai on Identity compliance. The details of the roadshow are:

Achieving Compliance and Efficiency - through Identity & Access Audits

The recent proliferation of fraud, regulatory and compliance requirements has increased the cost of compliance, created audit fatigue, and taken valuable cycles away from risk management, compliance, information technology and lines of business.

Every organization faces the need to have defined, effective and efficient processes to manage against fraudulent or unauthorized access to their critical business assets and information, by:
  • Granting the right access to the right people "in time"
  • Changing access "in time" when users exit the organization, or change role and responsibilities
  • Performing periodic review of 'who has access to what'
  • Performing periodic review of segregation of duties

To address these needs, Deloitte and Sun have developed a business aligned approach and methodology, which integrates leading Identity and Access Management practices with industry leading IAM technology. Our solution will enhance the quality, automation and efficiency of your access audit, compliance and attestation processes.

We are pleased to invite you to an exclusive invitation only event in which we will present our Point-of-View on how you can Manage Access and meet your Audit & Compliance requirements and secure your critical business assets and information.

Venue: Delhi, Hyatt Regency
Date: 17th March 2009
Time: 6:00 pm - 8:30 pm (followed by cocktails and dinner)

Venue: Mumbai, Hyatt Regency
Date: 19th March 2009
Time: 6:00 pm - 8:30 pm (followed by cocktails and dinner)

If you would like to attend, and you are at a fairly high level in the org hierarchy to influence decisions ;-), please drop an email to mani-dot-chandra-at-sun-dot-com.

Wednesday Feb 25, 2009

Verizon Uses OpenSSO and Directory Server to Enable 75M Users

I had to blog about this. Verizon is live with 40 million users, 1 million logins per day, and peaks at 4,000 logins per minute, using OpenSSO and Sun Directory Server! As an architect, this is the kind of scalability that we like to brag about (publicly!). Please see the blogs by Dan Raskin and Nick Wooler. The Verizon presentation is at .

Sunday Feb 15, 2009

"Genpact Enhances Security, Compliance with IDM" - One of Sun's Identity Manager customers in India

From ( :

Sun Identity Manager provides Genpact with role- and rules-based provisioning of policies for users, organizations, resources, roles, or services, which ensures that its security requirements are automatically enforced.

In addition, the Sun solution helps provide Genpact with the ability to easily review the status of access services at any time, which both improves audit performance and helps achieve compliance with governmental mandates. "Sun Java System Identity Manager gives us an exceptional platform for managing identity profiles and permissions, which enhances our overall enterprise security while allowing us to reduce operation costs," said Tom Sheffield, manager, identity & access management at Genpact.

"Sun's Identity Management solution greatly reduces the time it takes to get users up and running productively, change user access privileges and to instantly and securely revoke accounts when their relationship with our company ends." Over the next 2 years, all IT access authorizations for the Genpact global workforce as well as 1700 contractors and partners, located across India, Mexico, US, Hungary, Romania and China, will be integrated into the system, which utilizes identity management technology provided by Sun Microsystems.

Read the complete story at

Tuesday Feb 10, 2009

Sun OpenDS, Sun Directory Server EE - Features comparison

As with my previous blog post on GlassFish ESB and Java CAPS, partners and customers ask us about the differences between OpenDS and Sun DSEE, and when to use which. There is a good feature comparison, shown here in an iFrame from the OpenDS web site:

Also, apart from the exhaustive list mentioned above, the following points are also worth noting:
  1. Sun DSEE is an old, well-established product, used in almost all the large Fortune 500 companies across different verticals. OpenDS is a relatively new product, still in version 1.x, but has shaped up very well and already has several customers using it.
  2. Sun DSEE is NOT open source, and is based on C/C++ code. OpenDS is open source, and is written in Java. Both implement the LDAP standards.
  3. OpenDS, as of now, has only the directory server. Sun DSEE is a suite of products: directory server, AD sync, directory proxy and virtual directory.
  4. Sun DSEE has a fantastic admin console for central configuration and distribution.
  5. and much more ....

Saturday Feb 07, 2009

Two gotchas to keep in mind when using Jboss and OpenSSO

One of our partners was trying out OpenSSO with the JBoss 4.x application server, to host OpenSSO as well as run their J2EE apps. They called us with the following two issues:
  1. The OpenSSO install goes fine in the JBoss server. However, the moment we restart JBoss, we need to do the setup again!
    Ans: This seemed to be a known problem: on restart, JBoss redeploys the opensso.war file, and hence the previous OpenSSO-OpenDS configuration is wiped out. The solution, as described in this helpful blog, was to create an opensso.war directory under and unzip opensso.war into it, so that JBoss serves the exploded directory instead of the archive. This way opensso is not redeployed when the JBoss server is started again.
  2. The OpenSSO agent install goes fine, but after the install, when we access the OpenSSO sample app, we get a class not found error!
    Ans: First, the OpenSSO 3.0 agent for JBoss seems to be in beta, so we did not try it at all; we used the OpenSSO 2.2 agent for JBoss. The problem was the change that was supposed to be done in , as given in . There seems to be a small typo there. The correct syntax is . /opt/jboss-4.0.2/bin/setAgentClasspath$ (that is, a dot, a space, and then the script path). The script has to be sourced into the current shell rather than executed: if it is run as a child process, the CLASSPATH it sets disappears when that process exits, and JBoss never sees the agent classes. The Windows instructions are correct, but the Solaris and Linux instructions have this issue. There are no instructions for the OpenSSO 3.0 agent, hence we did not try it. Also, the agent sample that gets shipped is written for Access Manager (the older product) and needs to be changed to reflect the admin console of OpenSSO.

Tuesday Feb 03, 2009

Passed CISA

Whew!! I had taken the CISA (Certified Information Systems Auditor) exam from ISACA in Dec 2008. Finally, after a long eight weeks, I got an email this morning that I have PASSED the exam. Wow, this was a tough and long exam, and it requires some time to prepare for. I used the CISA review manual, attended a two-day refresher course conducted by ISACA Bangalore and did some mock exams (during the last few hours) to prepare for the exam. I am happy the efforts turned out to be worthwhile.

Friday Jan 30, 2009

Buzz about Identity in the Indian media ......

In CXOToday : Sun Reinvents Identity Management Business - By Sonal Desai - Mumbai, Jan 28, 2009 1108 hrs IST

With the rising usage of identity and Web-based services in the last few years, Sun Microsystems is reinventing its identity management business to efficiently protect user administration, authorization, and authentication.

"The new thrust on IM is because the network is ushering in a new era of business growth and opportunity. People are using network communications to interact and collaborate in ways that were impossible a few years ago. These new capabilities have quickly created new expectations for today's enterprise," said Manish Malhotra, director (software) of Sun Microsystems India. More at

In ChannelTimes : Sun Microsystems to Appoint Partners for IM Biz By Sonal Desai Mumbai, Jan 30, 2009 1548 hrs IST

Sun Microsystems India, which recently announced a strategy to reinvent its Identity Management (IM) business, is planning to add more value-added partners for the same. The IM solutions will be rolled out across India, and the company will initially target the telecom, BFSI, GEH, retail and manufacturing verticals. According to Manish Malhotra, Director (Software), Sun India, "In India, identity management, SOA and MySQL represent top areas of focus for Sun under the enhanced Sun Partner Advantage Programme with the introduction of the open access channel programme, and a set of new software specialties. The software specialties programme, which was launched in the US in November 2008, is the first such programme we have launched in India. The programme provides Sun and its partners with new ways to reach new customers, open new markets and grow their businesses." More at

Monday Jan 12, 2009

Protecting Jboss applications, setting up JDBC authentication and JDBC Password Syntax Transform using OpenSSO

We (myself and Ramesh Nagappan) recently helped a partner set up an OpenSSO integration with their J2EE applications. The requirements were:
  1. A J2EE-based web application running on JBoss 4.x
  2. The web app used an Oracle database as the user repository
  3. The password field was encrypted in the database
  4. They also needed to integrate biometric security into their web application

The following software will be needed:
  1. JDK 1.6.x (preferred) or JDK 1.5.x
  2. OpenSSO bits: download the file at
  3. GlassFish app server: download GlassFish from
  4. OpenSSO agent for JBoss 4.0.x
  5. You can find a list of agents at
  6. There is an early-access OpenSSO 3.0 agent for JBoss 4.x at

The installation steps are:
  1. Install the GlassFish app server; this is as simple as unzipping the zip file and following the install instructions in the README file. Very simple.
  2. Install OpenSSO; this is given in more detail in the next section.

The first step is to make sure we have a machine which has a fully qualified domain name and a static IP address. Before we start installing OpenSSO, we need to make sure that the server has a fully qualified domain name. This can be done by means of an entry in the hosts file (on Unix as well as on Windows) like the one below (IP address, fully qualified name, short name): myserver
OpenSSO records this FQDN during configuration and checks the host name of incoming requests against it, so always access the server by that name afterwards, not by IP address or the short name.

  1. Create a base directory, "/opensso_bits".
  2. Install GlassFish. If you already have GlassFish running, go to the next step.
  3. Start the GlassFish instance and make the following changes to the instance on which OpenSSO is being deployed (fam):
    cd /bin
    ./asadmin start-domain
    ./asadmin delete-jvm-options --port 4848 --user admin "\\-client"
    ./asadmin create-jvm-options --port 4848 --user admin "\\-server"
    ./asadmin delete-jvm-options --port 4848 --user admin "\\-Xmx512m"
    ./asadmin create-jvm-options --port 4848 --user admin "\\-Xmx1G"
    Note: the above commands switch the JVM to server mode and increase the heap to 1 GB.
  4. Restart the GlassFish instance.
    cd /bin
    ./asadmin stop-domain
    ./asadmin start-domain
  5. Deploy opensso.war on the GlassFish domain. Then go to the OpenSSO URL; you should get the configuration page. We can either select the express configuration setup or the customized setup. Most of the details should be pre-filled. If you have issues, check that the user running GlassFish has the right permissions on the OpenSSO configuration directory. At the end, you'll see the messages "Configuration Complete" and "Proceed to Login". Click on "Proceed to Login".
  6. Login as amadmin with the corresponding password.
  7. Go to the Access Control tab, click on the opensso realm name, click on Agents, click on 2.2 Agents and click New. (This is needed as the JBoss agent is still in the older 2.2.x agent family; when we get the newer 3.0 agents, the steps will be different. I found only after we did this exercise that there is a nightly-build early-access 3.0 agent for JBoss 4.x at )
  8. Create a new agent with the name TestProfile and a password (these will be used while configuring the agent).
  9. Create a new policy to protect the JBoss application, with the following data:
    Rule: the URL pattern of the JBoss application to protect (ending in *)
    Subject: can be authenticated users, or roles, etc.
    Conditions: optional
  10. Installation of the OpenSSO agent for JBoss 4.0.x. The documentation is available at
    Unzip the OpenSSO (Access Manager) agent in a temporary directory.
    Go to the directory
    Run the agentadmin --install command.
    Sample responses to the installer prompts are given below (change them as per your JBoss installation directory):
    JBoss Server Config Directory : C:\jboss-4.0.5.GA\server\default\conf
    Access Manager Services Host :
    Access Manager Services Port : 9090
    Access Manager Services Protocol : http
    Access Manager Services Deployment URI : /opensso
    Agent Host name :
    Agent permissions gets added to java permissions policy file : false
    Application Server Instance Port number : 8080
    Protocol for Application Server instance : http
    Deployment URI for the Agent Application : /myapp
    Encryption Key : 9fwEMd2mKLH8OPDLZ1lW8edVxfJRYu3+
    Agent Profile name : TestProfile
    Agent Profile Password file name : /opensso/agentpassword
    Two things to check here: the encryption key above is only a sample, so generate your own rather than reusing a published value; and the agent password file holds the TestProfile password in clear text, so make it readable only by the user running JBoss (on Unix, chmod 600).
  11. The next changes are in the web.xml file of the JBoss J2EE application; please see the section "Installing the Agent Filter for the Deployed Application on Agent for JBoss Application Server 4.0" at
  12. Restart JBoss.

Setting up JDBC Authentication and tackling encrypted passwords ..

The partner application used an Oracle database table for user authentication, and the password field in the database was encrypted. Hence we needed the following steps to make the JBoss app use the JDBC authentication module of OpenSSO:
  1. Because the password field in the database was encrypted, we have to create a custom class that applies the same transformation to the password the user typed and returns the result to the OpenSSO JDBC auth module, which then compares it with the value read from the database. The source code of the sample transform class that ships with OpenSSO (the clear-text pass-through; it is the original source code) is given below. A real implementation must replace the pass-through with the hash or encryption the application used when it stored the column. To compile this, add opensso.jar to your classpath.
    import com.sun.identity.authentication.spi.AuthLoginException;
    import com.sun.identity.authentication.modules.jdbc.*;

    /**
     * A very simple test implementation of the JDBC Password Syntax Transform.
     */
    public class MyPasswordTextTransform implements JDBCPasswordSyntaxTransform {

        /** Creates a new instance of the clear-text transform. */
        public MyPasswordTextTransform() {
        }

        /**
         * This simply returns the clear text format of the password.
         * @param input Password before transform
         * @return Password after transform, in this case the same thing.
         * @throws AuthLoginException if no input was supplied
         */
        public String transform(String input) throws AuthLoginException {
            if (input == null) {
                throw new AuthLoginException(
                    "No input to the Clear Text Transform!");
            }
            return input;
        }
    }
  2. Copy this class to the opensso/WEB-INF/classes directory. I have a problem relating to using a package for this class, and OpenSSO not being able to load this class; this is yet to be resolved. If it is only a class name (no package), then there seems to be no problem.
  3. Copy the JDBC driver of the database to the OpenSSO lib directory.
  4. Under the Authentication tab, create a new module instance of type JDBC. The JDBC fields are fairly self-explanatory. The prepared statement should be changed to reflect the database schema.
  5. Change the "transform password syntax" field from com.sun.identity.authentication.modules.jdbc.ClearTextTransform to MyPasswordTextTransform.
  6. Create a new authentication chain, and add the JDBC module created in the previous step with the Required flag.
  7. Change the default authentication chain to be the new JDBC authentication chain.
  8. Log out, and try accessing with a user which is present in the database.
  9. If there are issues, log back in as amadmin and debug them. Most of the issues could be with JDBC connectivity.
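As an added example (not the original post's code and not OpenSSO's shipped ClearTextTransform), here is what a transform for a hashed password column looks like. It assumes the application stored the lowercase hex SHA-256 digest of the UTF-8 password; the class name Sha256HexPasswordTransform, the algorithm, the character set and the hex encoding are all assumptions and must match what the application actually wrote into the column, otherwise the JDBC module's comparison will never succeed. It compiles against opensso.jar with JDK 1.5/1.6, like the sample above.

```java
import java.io.UnsupportedEncodingException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

import com.sun.identity.authentication.modules.jdbc.JDBCPasswordSyntaxTransform;
import com.sun.identity.authentication.spi.AuthLoginException;

/**
 * Example JDBC password syntax transform (added example, not OpenSSO code).
 * The OpenSSO JDBC module calls transform() on the password the user typed
 * and compares the result, as a string, with the value the prepared
 * statement reads from the password column. So this class must reproduce
 * exactly what the application did when it wrote that column: here that is
 * assumed to be the lowercase hex SHA-256 digest of the UTF-8 password.
 */
public class Sha256HexPasswordTransform implements JDBCPasswordSyntaxTransform {

    // Assumptions: change both to match the application's own hashing.
    private static final String DIGEST_ALGORITHM = "SHA-256";
    private static final String CHARSET = "UTF-8";

    private static final char[] HEX_DIGITS = "0123456789abcdef".toCharArray();

    public Sha256HexPasswordTransform() {
    }

    /**
     * @param input password as typed by the user (before transform)
     * @return lowercase hex digest, the form assumed to be stored in the database
     * @throws AuthLoginException if there is no input or the JVM lacks the digest
     */
    public String transform(String input) throws AuthLoginException {
        if (input == null) {
            throw new AuthLoginException("No input to the SHA-256 transform!");
        }
        try {
            MessageDigest md = MessageDigest.getInstance(DIGEST_ALGORITHM);
            byte[] digest = md.digest(input.getBytes(CHARSET));
            return toHex(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new AuthLoginException(DIGEST_ALGORITHM + " is not available: " + e.getMessage());
        } catch (UnsupportedEncodingException e) {
            throw new AuthLoginException(CHARSET + " is not available: " + e.getMessage());
        }
    }

    /** Lowercase hex encoding; the case must match the stored column exactly. */
    static String toHex(byte[] bytes) {
        char[] out = new char[bytes.length * 2];
        for (int i = 0; i < bytes.length; i++) {
            int v = bytes[i] & 0xff;
            out[2 * i] = HEX_DIGITS[v >>> 4];
            out[2 * i + 1] = HEX_DIGITS[v & 0x0f];
        }
        return new String(out);
    }

    /** Stand-alone check against a digest computed independently. */
    public static void main(String[] args) throws AuthLoginException {
        // Constructed test vector: SHA-256("abc"), the well-known FIPS 180 example value.
        String expected = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad";
        String actual = new Sha256HexPasswordTransform().transform("abc");
        System.out.println(actual.equals(expected) ? "transform OK" : "transform MISMATCH: " + actual);
    }
}
```

The class name goes into the module's "transform password syntax" field in place of MyPasswordTextTransform, and per the note above it is safest left in the default package. Two limitations are worth knowing before relying on this: the interface hands the transform only the typed password, so a per-user salt stored next to the hash cannot be applied here, and an unsalted fast hash is cheap to brute-force offline if the table ever leaks; and if the column is reversibly encrypted rather than hashed, the transform would have to carry the decryption key inside the OpenSSO web application, which is a good reason to move the column to salted hashes instead. Keep the comparison exact as well: the JDBC module compares strings, so the hex case and any whitespace must match what is stored.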

Setting up Biometric Authentication with OpenSSO..

We relied on our expert Ramesh Nagappan's expertise, as documented in his article at . The biometric module will be one more authentication module in the authentication chain. It's recommended that biometric authentication be combined with another factor like username/password or digital certificates. Setting this up requires the following:
  1. Biometric scanners like fingerprint scanners which are certified to work with Sun OpenSSO. Install the scanners in the client PCs, install the drivers, and test that they are working. The client desktops will also need a recent JRE installed.
  2. Install the biometric server software
  3. Set up the biometric authentication module on the OpenSSO server
  4. Test that everything works
Hope this blog has been useful!

Tuesday Dec 30, 2008

Sun Identity Manager now supports MySQL 5.0.60SP1 Enterprise Edition as a production repository!

A long-pending demand from our customers and from the field was to support MySQL as a repository in production (so far it was only supported in development) for Sun Identity Manager. This has come true with the release of the 8.0.4 patch, where MySQL 5.0.60SP1 is now supported in production. If you have a valid SunSolve account, you can download the Identity Manager patch at
With this, the TCO offered by the Sun Identity Manager + MySQL combination will be very compelling and competitive.

Friday Oct 24, 2008

Sun Identity Compliance Manager released

Sun Identity Compliance Manager, a cost-effective solution for achieving identity compliance, has been launched. Sun Identity Compliance Manager was created to provide a targeted solution for addressing the compliance issues related to identity and access to systems, applications, and data that are often the leading drivers for companies purchasing Identity Management products.

How Customers Benefit
Customers can address compliance challenges head-on with features that enable them to successfully manage access and entitlements, enforce SoD, track requests, and report status.
  • Access Certification
    • Automates existing processes for certifying the access assigned to users by business managers and application owners
    • Provides a glossary that translates cryptic access permissions into business-friendly terms
    • Sends reminder notices and escalations for aging certifications
  • Policy Enforcement
    • Enables enterprise-level monitoring of access for conflicts in segregation of duties and security policy, such as role-versus-actual exceptions and terminated-users-with-active-accounts exceptions
    • Supports inter- and intra-application security policy enforcement
    • Includes a comprehensive list of best-practice segregation of duties controls out of the box
    • Provides complete lifecycle management of a policy violation
    • Offers a mitigating control for violations that are not fixed
    • Enables manager sign-off to be acquired on policy violations
  • Compliance Dashboard
    • Delivers an enterprise view of certification status including outstanding reports and decisions made during a certification
    • Provides an enterprise view of policy exceptions
    • Tracks policy exceptions by type and business unit
    • Provides historical trending analysis for policy exceptions, certification decisions, and role approvals

So, now within our Identity Management suite of products, we have Sun Identity Manager, Sun Role Manager and Sun Identity Compliance Manager. Where do you use what?
  1. Identity Manager: Provides comprehensive user provisioning and identity auditing for efficiently and securely managing identity profiles and permissions across the enterprise and beyond, reducing costs and compliance risk.
  2. Role Manager: A role-based compliance solution that conducts role mining to analyze user access patterns and define roles for managing access to enterprise resources. Streamlines access control and identity compliance by engineering and managing roles.
  3. Sun Identity Compliance Manager: In situations where you do not need complete role management, need only identity compliance, and need it quickly, you can use Sun Identity Compliance Manager. The features of this product are a subset of Sun Role Manager.

Thursday Feb 09, 2006

Sun Identity Manager 6.0 released

The new version of Sun Identity Manager 6.0 (our fantastic user provisioning product) has been released. The highlights of this release are:

Release 6.0 is a full product install of the Sun Java System Identity Manager. For details of patches required for different platforms, complete list of bug fixes and added features, please read the Release Notes.
New features include:
1. New Resource Adapters for Blackberry, SuSE, and Java Enterprise Systems Messaging and Calendar Service
2. SuSE 9.0 Platform support
3. Support for digitally signed approvals
4. A New look and feel

The Sun Identity Manager is available for public download. Yes, you read that right ;-)

Monday Oct 10, 2005

Sun Identity Manager 5.5 Active Sync adapter for Siebel 7.7

A quick note: the Sun Identity Manager 5.5 Active Sync adapter for Siebel 7.7 integration document has been published at . You can also find other integrations between the Sun Java ES products (like Portal and Access Manager) and Siebel at

Ramblings of a Sun engineer based in Bangalore, India. Strictly my own views and not my employer's.

