Thursday Jul 05, 2012

Project OpenPTK Release 2.1 Available

The OpenPTK owners are pleased to announce that release 2.1 is available.  It has been "tagged" in the svn repository. See the download page for details.  

This release is an update to version 2.0.  This release contains bug fixes, enhancements to existing capabilities, and new features.  The most notable change in this release is the use of maven, instead of ant, for the build process.  The adoption of maven has made the project more modular, reduced its download size (less bundled jar files) and will enable the future support of Project OpenPTK in a maven repository.

For full details, see the OpenPTK version 2.1 Release Notes

Wednesday Jan 04, 2012

Project OpenPTK v2.0 released

Version 2.0 "shipped" 

The Project Open Provisioning ToolKit (OpenPTK) has released version 2.0. It has been "tagged" in the svn repository. See the project download page for access instructions ...

Release 2.0 of Project OpenPTK builds on the success of Release 1.x.

The goal ... enable developers to create custom interfaces to a variety of repositories....

Release 2.0 gives the developer more choices for how they want to create custom interfaces. Release 2.0 supports more back-end repositories: SPML 1 and 2, LDAP, JDBC, Oracle Identity Manager 11g. 

Here is a summary of the major new features in version 2.0:

  • Servlet-Based (Engine Architecture)
  • RESTful-based Web Service
  • Service / Operation Level Configuration
  • Client-Side Java API
  • Authentication
  • Authorization
  • Models, Views and Relationships
  • Actions
  • Encryption
  • Templates
  • Definition Functions
  • Enhanced Search
  • Services


For full details, see the OpenPTK version 2.0 Release Notes:

Monday Aug 25, 2008

Secure SPML communications

Last week I got an email from a developer that is using Project OpenPTK. They want to use HTTPS/SSL to secure communications between the Sun Identity Manager and an OpenPTK-enabled application.

I was pretty sure this was "do-able" but I have not had a chance/need to configure OpenPTK using HTTPS/SSL. With that said, I did some research, contacted some co-workers, and set up a little test lab. The process is relatively straightforward; I used two Glassfish domains (SPML-Server / SPML-Client) and self-signed certificates:

  1. Configure OpenPTK applications to use SSL/HTTPS
  2. Replace the default certificate on the SPML-Server (Sun Identity Manager)
  3. Add the certificate to the SPML-Client (OpenPTK-enabled Application)

The complete (detailed) process is documented in the Project OpenPTK Release 1.1 Installation Guide
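The certificate side of steps 2 and 3, as an added example that is not from the original post or the OpenPTK Installation Guide. It assumes GlassFish's default keystore password ("changeit") and default server alias ("s1as"); the domain paths in run_lab() are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post or the OpenPTK Installation Guide):
# the certificate work for steps 2 and 3 between two GlassFish domains.
# Assumptions: GlassFish's default keystore password "changeit" and default
# server alias "s1as"; the domain paths in run_lab() are placeholders.
set -eu

STOREPASS="${STOREPASS:-changeit}"

# Step 2: replace the default self-signed certificate in the SPML-Server domain
# with one whose CN matches the hostname the SPML-Client will connect to
# (a CN mismatch fails hostname verification even if the cert is trusted).
replace_server_cert() {
    keystore="$1"; host="$2"
    keytool -delete -alias s1as -keystore "$keystore" -storepass "$STOREPASS" 2>/dev/null || true
    keytool -genkeypair -alias s1as -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$host, OU=SPML-Server, O=Lab" \
        -keystore "$keystore" -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# Export only the public certificate (PEM); the private key never leaves the server.
export_server_cert() {
    keystore="$1"; outfile="$2"
    keytool -exportcert -alias s1as -rfc -file "$outfile" \
        -keystore "$keystore" -storepass "$STOREPASS"
}

# Step 3: import that certificate into the SPML-Client domain's truststore so
# the HTTPS connection to the SPML endpoint passes chain validation.
trust_server_cert() {
    truststore="$1"; certfile="$2"; alias="$3"
    keytool -importcert -noprompt -alias "$alias" -file "$certfile" \
        -keystore "$truststore" -storepass "$STOREPASS"
}

# Returns 0 when the alias exists in the store (used to verify each step).
has_alias() {
    keytool -list -alias "$2" -keystore "$1" -storepass "$STOREPASS" >/dev/null 2>&1
}

# Lab wiring: two GlassFish domains on one host (paths are placeholders).
run_lab() {
    server_cfg=/opt/glassfish/domains/spml-server/config   # placeholder
    client_cfg=/opt/glassfish/domains/spml-client/config   # placeholder
    replace_server_cert "$server_cfg/keystore.jks" spml-server.lab.example
    export_server_cert  "$server_cfg/keystore.jks" /tmp/spml-server.pem
    trust_server_cert   "$client_cfg/cacerts.jks"  /tmp/spml-server.pem spml-server
    # Step 1 is then configuration only: restart both domains and point the
    # OpenPTK SPML URL at https://spml-server.lab.example:8181/... (GlassFish's
    # default HTTPS listener port) instead of the plain http:// URL.
}

if [ "${1:-}" = "lab" ]; then run_lab; fi
```

On a JDK 5 keytool the subcommands are spelled -genkey, -export and -import; the arguments are the same.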

Saturday Aug 23, 2008

Third Meeting: Chicago-Area Identity Management User Group

This past Thursday evening we had our third meeting. Sun hosted the meeting in their Itasca, IL office. The attendees included the local Sun Identity team, partners (Laurus Technologies) and users (United Airlines, Motorola, Kraft Foods, Northeastern Illinois University).

To "kick-off" the meeting, the Sun Identity team asked the User Group community for help ... Leveraging the site, they started a new collaboration site focused on sharing Identity Manager knowledge. is a wiki site where registered users can share their workflows, forms, and other artifacts with the community.


6:00 - 6:30  Greetings and Catered Dinner
6:30 - 6:45  Introductions
6:45 - 7:30  What's New with Identity Manager and Role Manager
7:30 - 7:45  Break
7:45 - 8:30  Integrating Identity Manager and Access Manager (OpenSSO)
8:30 - 9:00  User Group business

The first presentation was given by the Identity folks at Sun. They gave an overview of Identity Manager 8.0 and Role Manager 4.0. They covered the new features, integration points and a roadmap. The second presentation was given by Laurus Technologies. They gave a presentation and demonstration related to how you can integrate Identity Manager with Access Manager (they actually used OpenSSO, very cool).

During the "business" part of the meeting, we talked about how to improve the User Group. Here is what the members asked for:

  • Want to hear customer stories
  • Have meetings during business hours
  • Allow remote attendance (webex)

We updated our list of future meeting topics. We had two customers offer to give a presentation on what they are doing with Identity Manager. The next meeting has been set for Thursday November 13th, 2008. It will be a breakfast meeting held at the Sun Itasca IL office; a webex session will be available for those users that can't attend in-person. The current agenda (subject to change):

8:30 - 9:00    Greetings and Breakfast
9:00 - 9:45    Customer Story: Motorola
9:45 - 10:30   Customer Story: To Be Confirmed
10:30 - 11:00  User Group business

Sun Microsystems, Inc.
Two Pierce Place
15th Floor, Skyline Conference Room
Itasca, IL 60143

Future topics:

  1. Sun Role Manager SOD and Compliance
  2. Sun Identity Manager and Access Manager integration
  3. Directory Server non-people use
  4. Federated Access Manager 8 feature update
  5. Sun JavaCaps 6 feature update
  6. Password Sync with Active Directory
  7. Identity Manager to enable business growth
  8. PKI integration
  9. Customer Stories
  10. Panel of Customers for Role Manager
  11. Identity as a software service (SaaS)
  12. ESSO
  13. External facing deployments
  14. Role Rationalization: best practices, customer deployments

If you wish to be informed (sent emails) of User Group activities, please send an email to RequestChicagoIdmLUG at Sun dot COM and you will be added to the mailing list.

Thursday May 01, 2008

Late Night with Project OpenPTK

Tuesday night the OpenPTK team had a meeting @9:30 PM Central that went past midnight. Derrick, Terry and I talked about what was going to be in release 1.1, the plans for 1.2 and 2.0 of the project. We got a lot of new features added to release 1.1 and the plans for the future look good. We're getting more help from the community, which is great. We've posted the minutes of the meeting (thanks Terry) on under the meeting minutes forum.

Saturday Apr 26, 2008

First sfbay Idm user group meeting

Last week I was invited to speak at the first sfbay identity management user group meeting. The meeting was held at the Sun Santa Clara facility. I gave an overview of Project OpenPTK. We had users from The Gap, Hitachi, Weyerhaeuser and Safeway. It was a good first meeting. If you're interested in joining the user group, please send an email to "REQUEST_SFBAY_IDM_LUG AT sun DOT com"

Wednesday Apr 16, 2008

How To Extend OpenPTK

Extending OpenPTK, the User Provisioning Toolkit by Masoud Kalali -- Project Open Provisioning ToolKit (OpenPTK) is an open source user provisioning toolkit exposing APIs, web services, HTML taglibs, and JSR-168 portlets with user self-service and administration examples. OpenPTK hides the implementation differences between different user stores, allowing developers to use multiple stores with a common API. Masoud Kalali shows how to use and extend the toolkit.

Thursday Mar 20, 2008

An Overview of Project OpenPTK


OpenPTK is an open source project that provides a collection of tools and sample applications that Web and Java developers can use to integrate custom applications with user provisioning systems. Using industry standard interfaces, developers can build flexible user management applications that support Enterprise-class, department/group level and Web 2.0 type user provisioning environments.


Most intranet and Internet applications require user authentication. Applications either have an integrated data store (e.g. RDBMS) or leverage a network service (e.g. LDAP) for validating users. Managing the "life cycle" of user data has become challenging. There are different user provisioning strategies:

  • An enterprise typically implements a provisioning solution such as Sun's Identity Manager to manage user data across multiple applications and services.
  • Departments (or group level) may only have a single application that has a dedicated user data store. The volume of user management activities is usually small.
  • Web 2.0, Internet facing, applications typically leverage a scalable / available network service for storing user information.


Organizations need to implement a set of basic user management capabilities. For End Users, a solution needs to provide "Forgotten Password" and "Self Service" functionality. For User Administration, a solution needs to provide fundamental Create, Read, Update, Delete and Password operations. Provisioning solutions and user data stores most likely provide these basic user management capabilities through their native interfaces. The problem is that these native interfaces may not meet the organization's requirements. Organizations have expressed the need to integrate user management systems with different custom "End User" experiences/interfaces. Commonly requested interfaces include:

Remote Web Interface: Organizations need a Web interface, for user provisioning, that can be deployed remotely from the system that hosts the provisioning solution.
Command Line Interface: Administrators need an interface that allows them to perform provisioning from a command-line interface, either interactively or from a shell script.
Portal / Portlet Interface: Enterprise and Departmental organizations may have to provide user provisioning interfaces into an existing Portal infrastructure.
WSDL-based Web Service: Developers need to integrate user provisioning into a SOA environment and are requiring Web Services that can be used by SOA development tools.

Because of these requirements for custom end-user experiences, organizations will build applications that leverage different types of development environments. The "End User" application (experience) may need to support a rich native desktop interface, a browser-based interface, a Web Service or a command-line interface. Developers will design solutions that integrate an organization's interface experience with the various user data stores. Developers will most likely have to learn the details related to interacting with the various user data stores. Web developers may not be prepared to deal with the Java APIs that are needed to access the data store(s).


Project OpenPTK is a three-tier architecture which enables developers to focus on the business application interface, not on the underlying user data store. There are a number of "Consumer Tier" interfaces which address various development options. The "back-end" user data store is abstracted through the "Service Tier". The "Framework Tier" integrates the Consumer and Service tiers while also managing configurations, logging/debugging and provisioning operations.

Project OpenPTK Architecture

Consumer Tier interfaces/examples:

User Management Lite (UML): A JSPs/Taglib-based web application which provides basic user administration, and self-service functions.
Command Line Interface (CLI): Provides basic provisioning operations. The CLI can be part of custom scripts that administrators can use to automate provisioning tasks.
JSR-168 Portlets: Provides "Forgotten Password", "Self Service" and "User Administration" capabilities. These portlets can be integrated into a customer's existing JSR-168 compliant Portal server.
WSDL-based Web Service: Provides User provisioning operations. Web Service clients (e.g. Java CAPS and soapUI) can reference the WSDL from this service and create custom integration solutions.

Service Tier implementations:

SPML: The Service Provisioning Markup Language is the external interface used by Sun's Identity Manager user provisioning solution.
SPE: Sun's Identity Manager, user provisioning solution, contains a Service Provider Edition interface for user provisioning.
JNDI: The Java Naming and Directory Interface API is used to access LDAP-based (e.g. OpenDS) user data stores.
JDBC: The Java Database Connectivity API is used to access Relational Database user data stores (e.g. MySQL).

Developers can use Project OpenPTK's interfaces and APIs to handle user provisioning operations without having to worry about the back-end user data stores. User provisioning applications that leverage Project OpenPTK can easily support multiple different user data stores through the use of its flexible configuration mechanism.

Project OpenPTK is a formal open source project hosted on and is part of the Identity Management community. Project OpenPTK founders: Scott Fehrman, Derrick Harcey and Terry Sigle are Pre-Sales Systems Engineers supporting Sun's Identity Management products.

The Project OpenPTK site contains source code (via svn), documentation, distributions and tracks issues. Anyone is welcome to join the community as an Observer and please subscribe to the "user" and "announce" mailing lists.

Wednesday Jan 09, 2008

First Project OpenPTK meeting for 2008

The Project OpenPTK team had their first meeting of the year. We posted the notes on as a new Forum called Meeting Minutes. We talked about open issues and new ideas. Here's a summary of ideas for new features:

  • JDBC Service
  • RESTful Web Service
  • Authentication
  • Solaris Naming Service

Monday Dec 03, 2007

LDAP/JNDI Service for Project OpenPTK

Today we posted an announcement related to a new feature that was just added to Project OpenPTK. The new feature is a Service that enables OpenPTK-based applications to provision users to LDAP-based directory servers.

Why is this important? The new LDAP/JNDI Service demonstrates that User Provisioning applications (which leverage Project OpenPTK consumer interfaces) can be abstracted from the back-end user repository. Prior to this announcement, OpenPTK-based applications could only leverage the SPML Service. Developers can now build User Provisioning interfaces that could use LDAP for Search and Read operations while SPML would be used for Create, Update and Delete operations.

The Test Samples and Example applications provided in the Project OpenPTK source download have been tested with both LDAP/JNDI and SPML. The Command Line and User Management Lite examples can easily switch between back-end user repositories by either updating a configuration file or by specifying a context at run-time.

The OpenDS directory server was used for development and testing. It was so easy to download, install and configure. Another must-have tool, if you're working with LDAP, is the Apache Directory Studio.

This is just the beginning of what the Project OpenPTK team has planned for this new LDAP/JNDI Service.

Monday Nov 12, 2007

Source Code Posted

Last Friday the Project OpenPTK team (Derrick, Terry and I) did an initial check-in of the source code. You can download the pre-built samples and browse the source code. Details related to the source code can be found on Our initial check-in was about 120 files and included over 15,000 lines of code (that's minus blank lines and comments). The Javadocs for the Java API are available on

Friday Oct 12, 2007

Announcing Project Open Provisioning ToolKit (OpenPTK)

Derrick Harcey, Terry Sigle and I (Systems Engineers in Sun's Software Practice) publicly announced Project OpenPTK at Sun's Customer Engineering Conference (CEC) 2007 in Las Vegas, Nevada.

In addition to my co-founders (Derrick and Terry), I'd like to thank lots of other people that helped make this project possible. The three of us put in a lot of evenings and weekends.

  • My wife: I spent a few weekends and evenings writing code and having conference calls. I woke her up sometimes while discussing issues during 1:00 AM conference calls.
  • My two boys: while they were either at swimming lessons or at Tae Kwon Do classes, I would occasionally bring my laptop to write code or read technology books for research.
  • My management supported this project since day one. Thanks for supporting our vision.
  • Sun's engineering, marketing, open source and legal teams.

Being a member of Project OpenPTK has allowed me to see, first hand, that Sun believes in and supports open source projects.

Friday Aug 26, 2005

Using Solaris RBAC Profiles, By Example

Recently I had a need to configure the Sun Java System Identity Manager for provisioning users to Solaris. Identity Manager uses Resource Adapters to communicate with resources (Solaris). When you configure a Resource Adapter, you need to specify a userid/password that has the ability to execute user and group management commands. One of the options is to use the sudo utility. Solaris has a far better solution to this problem ... Role Based Access Control (RBAC).

I documented the process of setting up a new Solaris Role (Identity Management) and the creation of a "proxy user" (idmadm). This step-by-step process is available as an article from the BigAdmin Feature Article site.
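What such a least-privilege setup looks like, as an added example that is neither the post's nor the BigAdmin article's own procedure: a custom RBAC profile that grants uid 0 only for the user and group commands an Identity Manager resource adapter needs, a role that carries the profile, and a proxy user who may assume the role. The profile name, the role name "idmrole" and the login paths are assumptions; the post itself names only the proxy user idmadm and a role described as "Identity Management".

```shell
#!/bin/sh
# Added example (not from the original post or the BigAdmin article): a minimal
# Solaris RBAC setup so an Identity Manager resource adapter can manage local
# accounts without sudo or a root password. The profile name, the role name
# "idmrole" and the proxy user "idmadm" are assumptions; the post only names
# the proxy user and a role described as "Identity Management".
set -eu

PROFILE="Identity Management"
ROLE="idmrole"
PROXY_USER="idmadm"

# /etc/security/exec_attr lines, one per command the adapter needs:
#   profile:policy:type:res1:res2:id:attr
# Only these commands run with uid 0; anything else the role runs stays unprivileged.
exec_attr_entries() {
    for cmd in /usr/sbin/useradd /usr/sbin/usermod /usr/sbin/userdel \
               /usr/sbin/groupadd /usr/sbin/groupmod /usr/sbin/groupdel \
               /usr/bin/passwd; do
        printf '%s:suser:cmd:::%s:uid=0\n' "$PROFILE" "$cmd"
    done
}

# /etc/security/prof_attr line:  profile:res1:res2:description:attr
prof_attr_entry() {
    printf '%s:::Create, modify and delete local users and groups for Identity Manager:\n' "$PROFILE"
}

count_entries() { exec_attr_entries | wc -l | tr -d ' '; }

# Apply on a Solaris host (as root). The role gets the profile and the pfsh
# profile shell; the proxy user gets no privileges of its own, only the right
# to "su" to the role (assumed usage: the adapter logs in as idmadm, then su's).
apply_rbac() {
    prof_attr_entry   >> /etc/security/prof_attr
    exec_attr_entries >> /etc/security/exec_attr
    roleadd -m -d "/export/home/$ROLE" -s /bin/pfsh -P "$PROFILE" "$ROLE"
    passwd "$ROLE"
    useradd -m -d "/export/home/$PROXY_USER" -R "$ROLE" "$PROXY_USER"
    passwd "$PROXY_USER"
    roles "$PROXY_USER"        # expected: idmrole
    profiles "$ROLE"           # expected: Identity Management (plus policy.conf defaults)
}

if [ "${1:-}" = "apply" ]; then apply_rbac; fi
```

Solaris also ships "User Management" and "User Security" profiles; the custom profile above is narrower, which is the point of choosing RBAC over sudo here.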

Wednesday Aug 10, 2005

Identity Manager as a Solaris 10 SMF service

I use Solaris 10 to demonstrate the Sun Java System Identity Manager. Setting up Identity Manager on Solaris 10 was easy; it had everything I needed ... a JSP/Servlet container and an RDBMS. Solaris 10 had Apache/Tomcat and MySQL already installed.

By default, Apache/Tomcat and MySQL used traditional start-up scripts. I decided to create a Solaris 10 SMF service for Identity Manager. I ended up creating two services, one for the MySQL database and the other for Apache/Tomcat. The Identity Manager service (idmgr) has a dependency on the MySQL service (mysql).

Documenting my Solaris 10 SMF experiences evolved from my journal "chicken scratchings" to emailed notes to finally a technical whitepaper. The whitepaper was an internal only document. Thanks to a bunch of great co-workers we got it posted as a BigAdmin Feature Article. You can get it here.

If you're thinking about creating your own Solaris 10 service, take a look at the article. It includes step-by-step instructions and manifests that can be modified for your specific service.
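The shape of that dependency, as an added example that is not the whitepaper's manifest: an SMF manifest for an idmgr service that requires the mysql service (and the network milestone) before Tomcat starts, plus the svccfg/svcadm steps to install it. The FMRI svc:/application/mysql, the /opt/tomcat paths and the webservd account are assumptions.

```shell
#!/bin/sh
# Added example (not the manifest from the whitepaper): an SMF manifest for an
# "idmgr" service that depends on a "mysql" service, so Identity Manager's
# Tomcat only starts once the database is up. The FMRI svc:/application/mysql,
# the /opt/tomcat paths and the "webservd" account are assumptions.
set -eu

MYSQL_FMRI="svc:/application/mysql"

# Print the idmgr manifest. Both dependencies are require_all, so svcadm will
# not start idmgr while mysql is offline; restart_on="restart" on the mysql
# dependency restarts Tomcat when the database service is restarted under it.
idmgr_manifest() {
cat <<EOF
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<service_bundle type="manifest" name="idmgr">
  <service name="application/idmgr" type="service" version="1">
    <create_default_instance enabled="false"/>
    <single_instance/>
    <dependency name="network" grouping="require_all" restart_on="error" type="service">
      <service_fmri value="svc:/milestone/network:default"/>
    </dependency>
    <dependency name="mysql" grouping="require_all" restart_on="restart" type="service">
      <service_fmri value="${MYSQL_FMRI}"/>
    </dependency>
    <!-- Run Tomcat as an unprivileged account, not root (account is an assumption). -->
    <method_context>
      <method_credential user="webservd" group="webservd"/>
    </method_context>
    <exec_method type="method" name="start" exec="/opt/tomcat/bin/startup.sh" timeout_seconds="120"/>
    <exec_method type="method" name="stop" exec="/opt/tomcat/bin/shutdown.sh" timeout_seconds="60"/>
    <stability value="Unstable"/>
    <template>
      <common_name><loctext xml:lang="C">Sun Identity Manager (Tomcat)</loctext></common_name>
    </template>
  </service>
</service_bundle>
EOF
}

# Install on Solaris 10 (needs root or the "Service Management" profile).
install_idmgr() {
    f=/var/svc/manifest/application/idmgr.xml
    idmgr_manifest > "$f"
    svccfg validate "$f"
    svccfg import "$f"
    svcadm enable -r idmgr     # -r also enables mysql and the network milestone
    svcs -d idmgr              # list what idmgr depends on, with their states
}

if [ "${1:-}" = "install" ]; then install_idmgr; fi
```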


Scott Fehrman

