Friday Apr 03, 2009

OpenSSO startup on Glassfish

I have been doing some work with OpenSSO on Glassfish lately and since I typically use Solaris or Linux (or MacOSX), I have not had any issues with the startup of OpenSSO on Glassfish at system startup. This week I had a reason to configure OpenSSO on Glassfish on a Windows virtual machine. I ran into a few challenges in getting OpenSSO to start properly. Here are some notes of what I learned on the topic.

Windows Service Example

Once Glassfish is installed, you can create a Windows Service with the following utility (it can also be created directly with sc.exe). As described in How do I run GlassFish as a Windows service?, obtain the Glassfish utility that creates a Windows Service: download GlassfishSvc.jar. This allows you to create a Windows Service to start and stop Glassfish.

INSTALL Windows Service

> cd C:\glassfish
> java -jar glassfishsvc.jar -i -n "Glassfish OpenSSO Domain" -d "C:\glassfish" -m opensso -a admin
Now the Glassfish instance can be controlled as a Windows Service. There is one more step. When OpenSSO starts up, it looks for a file in the home directory of the user who installed it (see the .openssocfg/AMConfig_machinename_glassfish_domains_domainname_applications_j2ee-modules_opensso_ file in that home directory). This file is used to allow OpenSSO to find its configuration directory in the file system. For more information on this configuration file, see: OpenSSO Install Doc. This file will not be found by default once the Windows service is created, because the Glassfish service will not be running as the user who installed it.

Solution for the Glassfish Windows service with OpenSSO:

For the OpenSSO Glassfish instance, configure the service to log on as the user who configured OpenSSO, so that the OpenSSO bootstrap file is found during startup. If this step is not done, Glassfish will not find the configuration directory when the service is started, and the Configuration page will be displayed when you go to the /opensso URL. To resolve this issue, open the Windows Services, select the new Glassfish service you created, right click and select Properties. Select the Log On tab, select "This account", and enter the account and password of the user used when OpenSSO was configured (see example below).

> sc.exe create glassfish-dmgr binPath= "C:\glassfish\lib\appservService.exe \"C:\glassfish\bin\asadmin.bat start-domain domain1\" \"C:\glassfish\bin\asadmin.bat stop-domain domain1\"" start= demand DisplayName= "Glassfish Deployment Manager"

UNINSTALL Windows Service

If you need to remove the Glassfish service, here is an example:
> java -jar glassfishsvc.jar -u -n "Glassfish OpenSSO Domain"

If the uninstall does not work, another option is:
> sc delete "Glassfish OpenSSO Domain"

If you get an error, like:
[SC] DeleteService FAILED 1072:
The specified service has been marked for deletion.

The next time the machine is restarted, the service will be deleted.

Solaris Manifest Example

For reference, here is an example Solaris manifest for starting Glassfish that I use (on both Solaris and OpenSolaris). Note: the following assumes Glassfish v2 is installed in /var/opt and that the domain installed for OpenSSO is called opensso and is configured to use port 80.

<?xml version='1.0'?>
<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
<service_bundle type='manifest' name='export'>
  <service name='opensso/glassfishv2/port80' type='service' version='0'>
    <!-- Imported disabled; enable explicitly with svcadm once validated -->
    <create_default_instance enabled='false'/>
    <dependency name='filesystem' grouping='require_all' restart_on='restart' type='service'>
      <service_fmri value='svc:/system/filesystem/local'/>
    </dependency>
    <!-- Start/stop methods run as root unless a method_context sets another user -->
    <exec_method name='start' type='method' exec='/var/opt/glassfish/bin/asadmin start-domain opensso' timeout_seconds='600'/>
    <exec_method name='stop' type='method' exec='/var/opt/glassfish/bin/asadmin stop-domain opensso' timeout_seconds='300'/>
    <stability value='Unstable'/>
    <template>
      <common_name>
        <loctext xml:lang='C'>glassfishv2port80</loctext>
      </common_name>
    </template>
  </service>
</service_bundle>

The above XML example can be copied to a file (for example glassfish-smf-port80.xml), and the following commands can be used to manage the service on Solaris:
# svccfg validate glassfish-smf-port80.xml
# svccfg import glassfish-smf-port80.xml
# svcs port80
# svcadm enable -s port80
# svcadm disable -s port80

Tuesday Mar 10, 2009

Sun Identity Manager 8.1 and Identity Connectors

At the end of last week Sun Identity Manager version 8.1 was released. I waited to post this until the open source project for the Identity Connectors was also made available (see below for more information).

The major new features of the Sun Identity Manager 8.1 release are:

For more information:

Identity Connector project

The Identity Connectors Framework and Toolkit is built to help drive development of Connectors. Connectors provide a consistent generic layer between applications and target resources. The main focus of the API is provisioning operations and password management.

For more information visit the open source project page

Saturday Feb 07, 2009

Identity Suite Essentials Tutorials

A collection of identity management tutorials have just been made public, available: Identity Suite Essentials. This material was originally developed last October by Sun engineers to provide tutorial information for our peers. We are making this available publically in the hope that others find value in the material for becoming acquainted with Sun Identity Manager and OpenSSO Enterprise.


The Identity Suite Essentials (ISE) is a collection of tutorials which are designed to provide the student with basic knowledge of these products. This self paced material covers the Sun Java Identity Management Suite. The purpose of these tutorials is to provide a positive first experience with these products. This includes initial installation and configuration of these products in a lab environment.

Thanks to the following contributors:

Friday Jun 27, 2008

OpenDS reconciliation with Identity Manager

In a configuration of OpenDS as a Resource Adapter for Sun Identity Manager, I ran into the following challenges while setting up reconciliation with the LDAP resource. After looking into this, the issue was the proxy user which is used in Identity Manager to connect to the LDAP resource. All normal provisioning succeeds, but reconciliation fails since that uses the server side sorting control to return all users.

Trying to use server side sorting (1.2.840.113556.1.4.473) with a normal user failed with insufficient access rights. An ACI needs to be added to allow a normal user to use this control, but tracking this down took a bit of effort. Here are the details:

Original ldif file to create the suffix:
dn: dc=identric,dc=com
objectclass: top
objectclass: domain
dc: identric
aci: (targetattr!="userPassword")(version 3.0; acl "Anonymous access"; allow (read,search,compare) userdn="ldap:///anyone";)
aci: (targetattr != "nsroledn || aci || nsLookThroughLimit || nsSizeLimit || nsTimeLimit || nsIdleTimeout || passwordPolicySubentry ")
 (version 3.0; acl "Allow self entry modification except for nsroledn, aci, resource limit attributes, and passwordPolicySubentry";
 allow (write)userdn ="ldap:///self";)
aci: (targetattr = "*")(version 3.0; acl "LDAP Administrator"; allow (all) userdn = "ldap:///uid=ldapadmin,ou=people,dc=identric,dc=com";)

Server side sorting works when bound as Directory Manager:
# bin/ldapsearch --hostname localhost --port 1389 --bindDN "cn=Directory Manager" --bindPassword
--searchScope sub --baseDN "dc=identric,dc=com" --sortorder sn,givenName "(objectclass=*)"

But not for a normal user (even though the aci allows all; the ldif used to create the suffix is shown above):
# bin/ldapsearch --hostname localhost --port 1389 --bindDN "uid=ldapadmin,ou=people,dc=identric,dc=com" --bindPassword
--searchScope sub --baseDN "dc=identric,dc=com" --sortorder sn,givenName "(objectclass=*)"
SEARCH operation failed
Result Code:  50 (Insufficient Access Rights)
Additional Information:  The request control with Object Identifier (OID) "1.2.840.113556.1.4.473" cannot be used due to insufficient access rights

This was resolved by adding the required aci for targetcontrol = "1.2.840.113556.1.4.473":
dn: dc=identric,dc=com
objectclass: top
objectclass: domain
dc: identric
aci: (targetattr!="userPassword")(version 3.0; acl "Anonymous access"; allow (read,search,compare) userdn="ldap:///anyone";)
aci: (targetattr != "nsroledn || aci || nsLookThroughLimit || nsSizeLimit || nsTimeLimit || nsIdleTimeout || passwordPolicySubentry ")
 (version 3.0; acl "Allow self entry modification except for nsroledn, aci, resource limit attributes, and passwordPolicySubentry";
 allow (write)userdn ="ldap:///self";)
aci: (targetattr = "*")(version 3.0; acl "LDAP Administrator"; allow (all) userdn = "ldap:///uid=ldapadmin,ou=people,dc=identric,dc=com";)
aci: (targetcontrol = "1.2.840.113556.1.4.473")(version 3.0; acl "LDAP Administrator Server Sort"; allow (all) userdn = "ldap:///uid=ldapadmin,ou=people,dc=identric,dc=com";)

dn: ou=People,dc=identric,dc=com
objectClass: top
objectClass: organizationalunit
ou: People

dn: uid=ldapadmin,ou=people,dc=identric,dc=com
givenName: Ldap
sn: Admin
uid: ldapadmin
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
cn: LDAP Admin
userPassword: Passw0rd
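To make the access decision above concrete, here is a small Python model (added for this post; it is not OpenDS's own ACI evaluator) that parses the suffix LDIF and reports whether a bind DN is granted a request control by a targetcontrol ACI. It models only the ACI subset shown in this post (targetattr/targetcontrol targets, allow(...) rights and userdn bind rules); the LDIF fragments, the function names and the hypothetical uid=alice user are constructed for the example.

```python
"""Toy model of the OpenDS access decision discussed above: does an ACI set
let a given bind DN use an LDAP request control?

Constructed example for this post, not OpenDS's own ACI evaluator.  It
models only the ACI subset shown here: targetattr / targetcontrol targets,
allow(...) rights and userdn bind rules.
"""
import re

# Server-side sort request control (OID from the post).
SERVER_SIDE_SORT = "1.2.840.113556.1.4.473"

# Constructed LDIF: the suffix entry BEFORE the fix.  ldapadmin has
# allow(all) on every attribute, but no ACI targets a control.
SUFFIX_BEFORE = """\
dn: dc=identric,dc=com
objectclass: top
objectclass: domain
dc: identric
aci: (targetattr!="userPassword")(version 3.0; acl "Anonymous access"; allow (read,search,compare) userdn="ldap:///anyone";)
aci: (targetattr = "*")(version 3.0; acl "LDAP Administrator"; allow (all) userdn = "ldap:///uid=ldapadmin,ou=people,dc=identric,dc=com";)
"""

# The same entry AFTER adding the targetcontrol ACI from the post.
SUFFIX_AFTER = SUFFIX_BEFORE + (
    'aci: (targetcontrol = "1.2.840.113556.1.4.473")(version 3.0; '
    'acl "LDAP Administrator Server Sort"; allow (all) '
    'userdn = "ldap:///uid=ldapadmin,ou=people,dc=identric,dc=com";)\n'
)


def parse_ldif_entries(text):
    """Return a list of {attribute: [values]} dicts, one per LDIF entry.
    Continuation lines (leading space) are folded into the previous value;
    attribute names are lower-cased; a blank line ends an entry."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def parse_aci(aci):
    """Pull the pieces this model needs out of one ACI value:
    targets -> {"targetattr": ..., "targetcontrol": ...} (those present)
    rights  -> set of rights inside allow(...)
    userdn  -> the part after ldap:/// in the userdn bind rule, or None."""
    targets = dict(re.findall(r'\((\w+)\s*(?:!=|=)\s*"([^"]*)"\)', aci))
    rights = re.search(r'allow\s*\(([^)]*)\)', aci)
    userdn = re.search(r'userdn\s*=\s*"ldap:///([^"]*)"', aci)
    return {
        "targets": targets,
        "rights": {r.strip().lower() for r in rights.group(1).split(",")} if rights else set(),
        "userdn": userdn.group(1) if userdn else None,
    }


def normalize_dn(dn):
    """Lower-case a DN and drop whitespace around ',' and '=' for comparison."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip().lower())


def bind_rule_matches(userdn, bind_dn):
    """userdn keywords modelled: anyone (any bind, even anonymous),
    all (any authenticated bind), or an exact DN."""
    if userdn is None:
        return False
    if userdn.lower() == "anyone":
        return True
    if userdn.lower() == "all":
        return bool(bind_dn)
    return bool(bind_dn) and normalize_dn(userdn) == normalize_dn(bind_dn)


def can_use_control(ldif_text, bind_dn, oid):
    """True if some ACI whose targetcontrol covers `oid` grants `bind_dn` a
    right.  ACIs without a targetcontrol keyword never grant a control, which
    is why allow(all) on targetattr="*" alone produced result code 50."""
    for entry in parse_ldif_entries(ldif_text):
        for raw in entry.get("aci", []):
            aci = parse_aci(raw)
            ctl = aci["targets"].get("targetcontrol")
            if ctl is None:
                continue
            covered = {c.strip() for c in ctl.split("||")}
            if oid not in covered and "*" not in covered:
                continue
            if aci["rights"] and bind_rule_matches(aci["userdn"], bind_dn):
                return True
    return False


if __name__ == "__main__":
    admin = "uid=ldapadmin,ou=people,dc=identric,dc=com"
    other = "uid=alice,ou=people,dc=identric,dc=com"  # hypothetical user
    for label, ldif in (("before", SUFFIX_BEFORE), ("after", SUFFIX_AFTER)):
        print(label, "ldapadmin:", can_use_control(ldif, admin, SERVER_SIDE_SORT),
              "alice:", can_use_control(ldif, other, SERVER_SIDE_SORT))
```

Running it reports the proxy user denied before the fix and allowed after, while a user not named in the targetcontrol ACI stays denied. The model accepts any right in the control ACI; the post grants allow (all), and a least-privilege version of that ACI would grant only the right the directory actually evaluates for controls (read in OpenDS) to the one proxy DN that Identity Manager binds as.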

Monday Jun 09, 2008

Sun Identity Manager 8 now available

A major new release of Sun Identity Manager is now available. This new release features an advanced role model and advanced reporting features as well as new resource adapters and other updates. We have been using this release internally in advance of showing it to our customers. Along with the open sourced Netbeans developer IDE for Sun Identity Manager, it provides a powerful solution for Identity Management.

For more information:
Sun Identity Manager 8.0 documentation

Download the Identity Manager 8 product:

Complementary Sun Identity product information:
Sun Identity Manager Sun Role Manager 4

Also check out the Sun Identity podcasts:
Sun Identity Management Podcasts The latest podcast covers a Sun partner's (I.C. Synergy) Identity Management Solution (R.A.R.E.). I recently spent some time with them at their offices reviewing their solution. They have some great solutions for addressing common Identity Management challenges.

Wednesday Jan 30, 2008

FAMFest08 coverup

A coverup is quietly going unnoticed......
I had the opportunity to attend a great Sun event last week, FAM Fest 08. Top engineers, marketing, and SEs focused on federation got together with a shared goal. Here is an image of the attendees to document everyone's presence (I am in the blue shirt on the left):

Several blogs have been posted on this topic: FAMFest Complete, in Vegas, Meet the Heroes

But something is amiss. Upon closer inspection of the image:

Notice how the person (let's call him Brad) at the top center looks out of place.... This must certainly be a doctored image, as the guy on the immediate right (let's call him Jeffery) has a reflection on his head from lights on the right, while "Brad", and only "Brad", has a clear source of light coming from the left. This is most certainly not possible, not to mention the discoloration and jagged edges.

Seriously, I know that "Brad" was at the event as I talked to him many times, and I even witnessed a picture of "Brad" being taken alone in a hallway and, come to think of it, the lighting source was on the left. I would venture to guess that said image was used as the basis for the coverup. Hopefully this clears up the raging debate regarding whether the Canadians had a presence at FAMFest08.

DISCLAIMER: my attempt at humor may be weak and feeble, but at least I had to give it a shot after seeing the fine humor coming out of engineering and marketing:

Wednesday Sep 19, 2007

SPML rising above the noise level?

I talk to customers about a lot of identity related topics and in the past few months, the topic of Service Provisioning Markup Language (SPML) has come up on many occasions. This is of course regarding integration to a provisioning infrastructure. The frequency of interest in SPML appears to demonstrate a pattern (at least from my perspective) of the maturity and applicability of the SPML standard to current identity solutions.

First, what is SPML? Service Provisioning Markup Language is an OASIS standard

Sun Java System Identity Manager includes SPML handlers which listen for incoming SPML requests. A sample SPML Resource Adapter is also provided in the REF-KIT for outbound SPML provisioning. In Identity Manager 7.x there are three SPML listeners:

1) The SPML1: http://://servlet/rpcrouter2
Using SPML 1.0 with Identity Manager Web Services

2) The SPML2: http://://servlet/openspml2
Using SPML 2.0 with Identity Manager Web Services

3) The SPMLspe handler: http://://servlet/spespml
Using SPML 1.0 with Identity Manager Web Services

Sample SPML 2.0 Resource Adapter
Identity Manager provides a sample SPML 2.0 resource adapter that can be modified and used to talk to third-party resources that support SPML 2.0 core operations.

SPML is capable of many things and the operations use SOAP / HTTP; however, due to the extensible nature of SPML (extended operations and schema differences between deployments), SPML does not provide a .wsdl interface to define its operations. This is not a limitation of Identity Manager, it is just how SPML was designed. It allows for tremendous flexibility using this approach.

The SPML options for interfacing with Identity Manager assume that you are using an SPML API. There is an openspml Java API for SPML.

Some implementations need a web service defined by a .wsdl (a SOA infrastructure or a .NET application, for example). In that case a wrapper web service with specific operations can be built around the more general purpose SPML interface which is exposed.

Since a Java openspml API is available, a web service specific to an implementation (for example, CRUD operations with the specific user attributes used in a deployment) can be exposed through a .wsdl interface which in turn invokes SPML operations against Identity Manager. This approach assumes that a Java application server is available to host the web service, since the openspml APIs are written in Java. The web service could be hosted on the same application server or on a remote Java application server which uses SPML to contact Identity Manager. I have been involved in several examples of using this approach to integrate with Sun's Identity Manager in the past 6 months. This approach lets the provisioning infrastructure do its normal job of user provisioning and compliance auditing, while making it accessible in new and interesting ways.

Friday Jul 27, 2007

OpenPTK is coming ...

As discussed on the Discovering Identity Blog post, we just had a US software meeting where our team demonstrated a project which has been in the works for quite some time now. We are preparing to open source the project and looking into our options and approach.

Here is a photo of Mark taking a photo of us at the event:
Thanks Mark for the kind words.

The project was started by a few engineers at Sun to demonstrate the value of our Identity products. Here is a brief description:

OpenPTK is being proposed as an open source User Provisioning Toolkit exposing API's, Web Services, HTML Taglibs, JSR-168 Portlets with user self-service and administration examples. The architecture supports several pluggable back-end services including Sun's Identity Manager, Sun's Access Manager and LDAPv3.

A brief overview of the project can be found at the site. More information will be coming soon on this project.....

Thursday Jun 14, 2007

Identity Manager 7.1 Netbeans module, WOW!

Identity Manager 7.1 was just released. One of the most exciting new features is the new Netbeans module for Identity Manager. A Netbeans module was introduced last fall with Identity Manager 7.0, but the 7.1 release includes significant new feature enhancements.

This plugin requires Netbeans 5.5. The .nbm module is available in the product download. I have been a huge Netbeans user over the years and have been migrating a lot of Identity Manager content to the new Netbeans module format. I will blog in more detail soon about these topics and how I am using them in the new Netbeans module:
  • Creating new build targets
  • Custom Identity Manager artifacts
  • CVS Integration
  • Creating custom ant targets

Major features provided by the Identity Manager IDE include (from docs):

  • Integrated Explorer window that allows project, directory-based, or run-time views of a project
  • Identity Manager IDE projects are integrated with a Configuration Build Environment (CBE)
  • Action menus for document modification
  • Custom editors, including:
    • Object property sheets and graphical value editors for enumerating XML object properties and editing basic object types, XPRESS, and XML objects without typing XML
    • Drag and drop palette for adding approvals, workflow services, workflow tasks, users, and so forth to XML source without typing XML
    • Registered waveset.dtd definition file that enables syntax highlighting and auto-completion for XML elements and attributes
  • Integrated debugger for forms, rules, and workflows
  • Rule tester for verifying standalone and library rules
  • Form tester for testing forms in an external browser
  • Checkout View feature allows you to check out, modify, and check in Identity Manager views (such as a user view).
  • CVS integration

Monday Mar 19, 2007

Important trends in the Digital Identity marketplace

My esteemed colleague, Mark Dixon, of Discovering Identity is preparing a list of Important trends in the Digital Identity marketplace for JavaOne.

I posted some relevant information on my blog back in Jan.: Identity Predictions for 2007

In addition to the items listed below, I had some comments to add:

In the next few years, the convergence of user centric identity (convenient, yet initially insecure) and established federation standards (SAML, Liberty, WS-Federation) will take place to enable a cohesive identity strategy with secure web services (still a few years away). The popularity of user centric identity is growing rapidly, but not for secure environments. It is unclear how this will manifest itself, but it could be through OpenID, CardSpace, etc. evolving to include SAML 2 as a foundation for their next revisions.

One thing is clear, the adoption of federation is not as rapid as it could be and until it is well established, it will be very difficult to enable real Identity enabled web services on top of that foundation. This is recognized as an issue which must be addressed since projects like are forming to provide a simpler solution for the secure invocation of identity enabled web services. The maturation and deployability of the identity standards will take place once there are sufficient tools to enable cross vendor interoperability and seamless integration into web services infrastructures. This maturation process is starting to happen now that the federation standards are stable and adequate to provide that foundation.

Monday Mar 05, 2007

You're on deck....

Last Thursday I went to the Dallas Ft. Worth UNIX Users Group
which will now be hosted at the Dallas Sun Office. I volunteered to assist in hosting the meeting since I was interested in the main topic being presented:
Since I currently use the Linux and Windows versions to run my Solaris images and am just starting to use the MacOSX beta version. It turns out there was a bit of confusion on the start time for the main speaker and I was asked to do an impromptu presentation about Sun Identity Solutions. I was a bit surprised, but jumped in and started discussing "Integrating the Identity Software Stack", a slide deck I had created at the end of last year for a Sun / partner event, not knowing if the UNIX users audience would care about the topic. The speaker showed up after 20 minutes and I gladly turned the reins back over, but was asked to return to present at a future meeting of that group, in June. I will be happy to present to that audience, especially since I will have a bit of time to tailor the conversation for them.

Friday Feb 23, 2007

No root for you

I was on site at a POC for our Identity Management suite recently and was in the uncomfortable position of not being given root access on an AIX server which was setup for us to use, nor anyone who had root access to work with to perform several installs (Identity Manager, Access Manager, Access Manager agents, Directory Server, etc.).

Now, installs are one thing, and we got over that (eventually). But for performing provisioning operations, I definitely appreciate the features in Solaris RBAC and Profiles. This is a much cleaner approach than the alternatives (sudo). There was a great article written by a Sun colleague posted to BigAdmin a while back, but when forced to use another OS, one really starts missing what we take for granted in Solaris: Using Sun Java System Identity Manager With RBAC Profiles in the Solaris OS

Tuesday Feb 20, 2007

Is Identity Management Complex?

It can be, unless you have the right processes, expertise and technology. This includes, but is not limited to a great provisioning product: Sun Java System Identity Manager.

Announced today is a new offering to assist: Sun Extends Leadership in Identity Management With Three New Professional Services:
  • Sun Human Resources Synchronization Service
  • Sun Role Management Service
  • Sun Password Management Service
These new services combine best practices, proven methodologies and Sun expertise, as well as utilize the Sun(TM) Velocity Identity Deployment Tool.

The Sun(TM) Velocity Identity Deployment Tool is a very impressive tool which makes this possible.

This validates the acquisition last year of Neogent. Not only are the talented individuals welcome to Sun, but also the expertise, best practices, and technology to make this possible.

It's also great to see: "Both Deloitte and Accenture are working with Sun to establish their approach and training programs to enable them to leverage these Identity Management services in the market place."

Monday Jan 22, 2007

Give me Liberty....

Here is a way to get involved in the Liberty Federation standard adoption: openLiberty was established to provide easy access to tools and information to jump start the development of more secure and privacy-respecting identity-based applications based on Liberty Federation and Liberty Web Services standards

Sunday Jan 07, 2007

Identity Predictions for 2007

It's the beginning of a new year. I am not usually one to make new year's resolutions, but here are a few items which I expect to be hot topics related to Identity Management, or at least things I expect to spend a lot of time on:
  • Compliance and Auditing - well, yes, I'm starting with the easy and most obvious one. This is, of course not new, but I think people will start becoming ready to take full advantage of solutions like Sun's Identity Manager to address compliance requirements. This includes Periodic Access Review as well as proactive audit compliance policy scanning and continuous compliance during provisioning. While these features have been in our product for some time now, the customers I talk to are considering not only basic minimal identity auditing requirements, but also more advanced topics like these and how they can reduce the manual effort required to meet their compliance requirements.
  • Federation - It's not a secret that the US is not leading the world in the adoption of federation deployments. However, the signs seem to be pointing to the time being right for federation deployments to take off this year. With SAML, Liberty (and WS-Federation) all in various stages of adoption and maturity, there are more choices and solutions to meet customers' requirements.
  • Identity Integration - This is kind of a catch all category for what I have spent a lot of time doing in the last few years and expect to take to a higher level this year. This includes:
    • Integration of the user experience around Provisioning and Access Management (merging the realtime access management and administrative provisioning services into a seamless solution)
    • Web Services integration with provisioning (using SPML), and integration of identity provisioning solutions with composite applications and SOA's
    • Better standards based protection of web services - This includes Liberty enabled web services as well as Securing Web Services Using the SAML
