Thursday Jun 28, 2007

Catalyst Panel on Identity Services Today

I'll be on a panel today, Thursday, June 28, at Burton's Catalyst at the San Francisco Hilton with a bunch of guys that are a lot smarter than me, but it should be fun. I'll be joining moderator Mark Diodati, good friends Phil Hunt from Oracle and Nick Nikols from Novell, as well as Bill Dettlebeck from BEA and Andy Rappaport from CA. We'll be on from 2:50-3:50pm PT, right after Mark provides his analysis on the topic from 2:20-2:50pm PT. It should be interesting. Join us and bring your comments and questions.

Sunday Jun 24, 2007

Bring Out Your Dead! Bring Out Your Dead!

Time for another Burton Catalyst and this year we'll be doing a Monty Python Holy Grail theme. The first line I think of is "Bring Out Your Dead". It will be a great time and you won't want to miss it. This is Bianca's last event for us and we had to get her out of retirement to do it :-). If you've been to our Catalyst events in the last three years she was the one behind them. She is better known to us as "Producer Bianca" since she produces the Identity Management Buzz podcasts that Brandon and I do, and she also writes the blog. Interesting sidenote, my good friend Pat's brother George was an extra in the film. How cool is that!

We'll have all kinds of demos, including: Identity Manager and Approva, DSEE's virtual directory and new web console, and Federation Manager. We'll also demo our open source projects OpenDS, showing off the APP/Atom work, and OpenSSO, showing off the new Sun OpenID implementation. We will also have several partners in the suite with us, like Deloitte and Vaau with our new Enterprise Role Lifecycle Management offering, and PwC with their Foundations offering.

But what you won't want to miss is a special appearance by our President, CEO and star blogger, Jonathan Schwartz, some time around 6:30. He'll talk a bit about how important Identity Management is to Sun and answer a few questions from the crowd. If you're lucky you can get a picture with him.

If you're attending Catalyst you'll definitely want to stop by, listen to Jonathan, grab a hunk of stuffed pig and check out our demos.

Wednesday Jun 13, 2007

Sun and Deloitte unveil new Identity and Access Management offering around Roles

Today we announced an exciting new offering around Enterprise Role Lifecycle Management with one of our key GSIs, Deloitte, around Identity and Access Management (IAM). Identity has lots of hot sub-topics, but few are much hotter than roles, and with good reason. Roles are key to creating an abstraction between users, permissions and the resources to which they provide access. The abstraction makes management of users and what they can access easier, cheaper and more scalable, and improves security integrity. Roles are also a real key to another hot identity topic - compliance. But ask most companies and they'll tell you roles and role management are a real and non-trivial problem. Few organizations have a proper handle on them, which makes our new offering with Deloitte so timely.

Sun and Deloitte plan to roll out several new IAM offerings. The first consists of Sun's Identity Manager, Vaau's RBACx role mining, role lifecycle management and role reporting capabilities and Deloitte's Role Management for Enterprises (RM4E) service delivery methodology.

We'll be showing a demo of this new offering at the Gartner Identity and Access Management conference in London, June 25-26, and also in our hospitality suite at Burton Group's Catalyst conference in San Francisco, June 28. Come and check it out!


Wednesday Jun 06, 2007

Sun's OpenID IdP is Live!

We made the announcement at JavaOne that Sun was going to deploy an OpenID Identity Provider just for our employees and it went live last night. I have already created a few OpenID identifiers and verified their use. I'm pretty sure Sun is the first company to set up an employee only OpenID IdP. Very cool!

If you are interested in learning more about our deployment - of course we used our own products! - you can read more here or check out this helpful FAQ.

Sunday Jun 03, 2007

Identity User Group in Washington DC June 6, 2007

I'll be in Washington, D.C. this week on June 6th for another of our Identity Management User Group meetings and I'm looking forward to it. I'll be joined by co-workers Sarah Chapman, Suresh Sridharan and Edward Saba. We've had incredible turnouts recently in New York, Dallas, Paris, and Menlo Park, so I expect a good crowd. It's great to hear what people are really doing, where they are having success and even where they are struggling. It's especially fun to see customers connect with each other and reminds me of my days building the identity infrastructure for Caterpillar. I still maintain relationships I started back then with peers at Alcan, Boeing, Exxon, Motorola, and others.

If you are a customer and somehow missed the notification you can still get registered. Here's the agenda. We will be meeting at Hotel Washington.

Thursday Mar 01, 2007

Directory Server Enterprise Edition 6.0 is NOW available

Directory Server Enterprise Edition 6 is finally available. There are a lot of great new capabilities, including:

  • New web console enabling administration and monitoring for the entire directory service from anywhere
  • Enhanced and extended command line interface (CLI) enabling scripting of virtually anything you can do via the console
  • Virtual directory capabilities which provide an aggregate view of identity information from disparate data sources, including multiple LDAP directories and relational databases
  • Customizable data distribution for massive horizontal scalability
  • Unlimited number of master servers
  • Prioritized replication
  • Operation routing and load-balancing
  • Overall improved performance, including for static groups and access control

Look for more posts on this in the future and check out our Identity Buzz Podcasts where the next one will be on DSEE 6.

How to download: You can download DSEE 6 by going here, but you do need a Sun Download Center account. You can select either the Sun Java Enterprise System or the Sun Java Identity Management System. Once you click on "Get Downloads & Media" you will then click on the word "Multiplatform" near the top. Next you need to accept the terms and pick the item for your operating system. You can scroll down and select the DSEE 6 zip download, which I recommend.

Let me know what you think.

Thursday Feb 15, 2007

Getting a Thawte Certificate and Using it with AIM

I created directions for friends to get a Thawte certificate for use with programs that support its use, like AOL Instant Messenger and Thunderbird. I am tired of trying to find the initial email and then forwarding it so I finally wised up and am blogging it. Hopefully it will 1) save me time 2) be helpful to somebody and 3) get me started blogging again (my hat is off to those of you who are disciplined enough to blog consistently AND do your day job).

Here are the steps:

Last updated on 2006/11/10

To get your own personal certificate to use in AIM (it will work in Firefox and Thunderbird too) follow these steps. DO NOT BE TURNED OFF BY THE LENGTH :-) It isn't nearly as bad as it looks and I would HIGHLY recommend it.

NOTE: You need to do the following from within the Firefox (Netscape will work fine too) browser. The steps are Firefox specific and easy. If you don't have it, install Firefox first. You only have to use Firefox to fetch the cert from Thawte so you can export it and use it in AIM (or another app that supports using certs for signing and/or encrypting).

1) Go to

2) At the bottom click on "Click here to get your Personal E-Mail Certificate now!"

3) Click Next to agree to Terms and Conditions, then enter your name and age (lie if you want) then click Next

4) Enter your email address then click Next (you will use this in step 13)

  • You won't get spam, but the cert is email specific.
  • I create a cert for both my work and personal addresses

5) Click Next

6) Enter your Personal (login) Password and confirm it then click Next (you will use this in step 13)

7) Select your 5 password questions then click Next

8) Confirm all the information you entered then click next

9) Retrieve the email you will be sent to the address you entered above

10) Click on the link in the email

11) Enter the Probe and Ping values from the email into the web page then click next

12) You now have a Thawte account (no certificate - yet, sorry) - Click Next

13) Enter the email address (which is basically your username now at Thawte) and the password from steps 4 and 6

14) Click Request under X.509 Format Certificates

15) Select Mozilla Firefox/Thunderbird... then Click Request

16) Click Next when asked for Certificate Bearers Name - it should show your name.

17) Select the email address (initially there will be only one) then click Next

18) Click Next where it talks about Strong Extranet Identifiers

19) Click Configure to customize certificate extensions

20) Select: Digital Signature, Non-repudiation, Key-encipherment, Data-encipherment (see step 36 below if you are a PKI weenie and are offended by creating a cert for both signing and encrypting)

21) Scroll down and also select S/MIME and SSL Client Authentication (in case you want to use it for those too)

22) Click Accept

23) Click Next and accept the 2048-bit high grade key and your private key will be created

24) Wait for the popup to go away.

25) Scroll down and click Finish

26) Scroll down under the heading "Certificate Manager Page" and click on the word "here" to go to the Certificate Manager Page

At this point your certificate is being created - you can see in the list that it will say "pending" for the new cert. You will receive an email at the address you used when it is ready for you to install. It can take a while so be patient.

27) After you get the email the Certificate Manager Page will show the cert as being "issued". You can fetch this certificate in one of two ways.

28a) You can click on "Navigator" (even though this is for Firefox) on the line for the issued cert. This brings up a page that shows you details about your cert and at the bottom you can click Fetch. Nothing will seem to have happened, but that is not the case. Your certificate has been installed in Firefox.

28b) You can click on the link in the email you received.

29) Now we can go see the certificate. In Firefox click on the menu Tools and then Options. On the left side select Advanced and then click on the Security tab and click View Certificates.

30) You should see a branch for Thawte Consulting and the first certificate under it will be the one you just created and installed. Click on that certificate to see the details and confirm it is the one you just fetched. It should say that it is an Email Signer Certificate and Email Recipient Certificate. You won't have your name in your cert, just your email. If you get notarized by enough Thawte Notaries (like me) you can get enough points to get your real name in your cert. Interesting, but not important. :-) Let's get the cert into AIM. Click Close.

31) With the new certificate highlighted, click on Backup.

32) You can name the file whatever you want. I put all my certs in a folder called "My Certs". Here is how I name my certs that I've exported: address.sign-encrypt.p12, where address is the actual email address you used to create this certificate. The p12 extension will be added for you. That is the one I use in AIM. I have another just like it for use within Sun. Enter the name you want to use and click OK.

33) You will next be asked for the master password for the Software Security Device. This is just a password for the file that holds your certs. If you don't have a password for this already you will probably be prompted twice. Remember this! Click OK.

34) Next you have to set a password on the exported file itself, since it contains your private key. Enter that password twice and click OK. You will need it again when you import the file into AIM.

Here is how to use the certificate with AOL Instant Messenger

35) Go to AIM and select the menu My Aim, then Edit Options and then Edit Preferences.

36) Scroll to the bottom and select Security. You will then see that there is a place for your certificates: one for encryption and one for signing. Don't be appalled :-) I use the same cert for both operations. Yes, this is against best practice in the public key (PKI) world, but it is easier. However, there is nothing to prevent you from creating two certs, one carrying only the signing key usages (Digital Signature, Non-repudiation) and the other only the encryption key usages (Key-encipherment, Data-encipherment). The reason corporations usually keep them separate is that signing is a personal thing that ONLY the individual should be able to do, so the signing private key is never copied or escrowed. Encrypting, and more importantly decrypting, is something companies want control over, at least when it applies to things they own - like your email - so the encryption private key is typically escrowed so the data can still be recovered if you lose the key or leave. I'll stop here as it is already probably more info than you wanted.

37) Click Advanced and then click Import

38) Browse to the file that you exported earlier and click Open.

You are now ready to do secure point to point instant messaging with me and anyone else who has a cert installed. No, this will not work between heterogeneous instant messaging clients - at least not yet.
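The following is an added example, not part of the original post and not Thawte's or AOL's tooling. It shows with OpenSSL what steps 32 and 36 describe by hand: two certificates for the same address, one restricted to signing and one to encryption, each exported as a password-protected .p12 like the file AIM imports in step 38, with a helper that reads the Key Usage back out of the .p12 so you can tell which slot a file belongs in. It assumes OpenSSL 1.1.1 or later (for -addext and -ext); the email address and passwords are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): build a signing-only and an
# encryption-only S/MIME certificate with OpenSSL, export each as a .p12 the
# way step 32 does, and read the Key Usage back out of the exported file.
# Assumes OpenSSL 1.1.1 or later. EMAIL and P12PASS are constructed placeholders.
set -e

EMAIL="alice@example.com"    # constructed placeholder, not a real mailbox
P12PASS="export-password"    # stands in for the step 34 export password

# make_cert NAME KEYUSAGE: self-signed cert whose keyUsage is exactly KEYUSAGE
make_cert() {
    name=$1
    usage=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$name.key" -out "$name.crt" \
        -subj "/CN=$EMAIL/emailAddress=$EMAIL" \
        -addext "keyUsage=critical,$usage" \
        -addext "extendedKeyUsage=emailProtection" \
        -addext "subjectAltName=email:$EMAIL" >/dev/null 2>&1
}

# export_p12 NAME: bundle key + cert into NAME.p12 (what AIM imports in step 38)
export_p12() {
    openssl pkcs12 -export -inkey "$1.key" -in "$1.crt" \
        -out "$1.p12" -passout "pass:$P12PASS" -name "$EMAIL $1"
}

# key_usage_of P12FILE: print the Key Usage of the cert inside a .p12 on one
# line, e.g. "Digital Signature, Non Repudiation"
key_usage_of() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$P12PASS" 2>/dev/null \
        | openssl x509 -noout -ext keyUsage \
        | sed -n '2p' | sed 's/^ *//'
}

# has_usage P12FILE "Digital Signature": succeeds if the cert carries that usage
has_usage() {
    key_usage_of "$1" | grep -q "$2"
}

# Demo: one cert per slot, then show which usages each exported file carries.
WORK=$(mktemp -d)
cd "$WORK"
make_cert sign    "digitalSignature,nonRepudiation"
make_cert encrypt "keyEncipherment,dataEncipherment"
export_p12 sign
export_p12 encrypt
echo "sign.p12    : $(key_usage_of sign.p12)"
echo "encrypt.p12 : $(key_usage_of encrypt.p12)"
```

The script leaves its files in the temporary directory it prints nothing about (see $WORK) so you can import sign.p12 into the signing slot and encrypt.p12 into the encryption slot by hand. Marking keyUsage critical means a conforming client must refuse to encrypt to the signing cert or verify signatures with the encryption cert, which is the separation step 36 talks about.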

Friday Nov 17, 2006

See Sun at the Gartner Identity & Access Management Summit in Vegas

Yes, the high rollers from Sun's Identity Product Management team will all be in Las Vegas at Gartner's Identity and Access Management Summit from November 29-December 1 2006. Come and visit Sun in Booth #4 and you could win a Bose Noise Cancelling Headset! But more importantly we will be giving demonstrations of:

Booth hours are:

  • Wednesday, November 29 from 11:45am - 1:45pm
  • Wednesday, November 29 from 5:15pm - 7:15pm
  • Thursday, November 30 from 11:30am - 1:30pm

Sun specific sessions include:

  • Wednesday, November 29 at 2:45pm - Get the Most out of Your Identity Management Project
  • Wednesday, November 29 at 3:20pm - Beyond Security: Looking at the Benefits of Identity Management (Equifax Case Study)

Wednesday May 17, 2006

Atom Server for Directory

I'm really enjoying my first JavaOne and one of the most enjoyable things has been hooking up with an old friend, Trey Drake, who I worked with soon after I started at Sun. Back then we created a UDDI server based on our Directory. It's still in the cvs tree, but Trey strongly discouraged me from resurrecting it, though I'm not very good at listening.

Trey is now at Maximus and doing all kinds of cool stuff with REST and AJAX, which I'm only starting to get my head around. Anyway, we attended a session by Dave Johnson called "Java Technology and REST: Implementing the Atom Protocol", which was excellent. We both had the same idea afterwards, which was that this could be used to develop a server to support directory entry maintenance. He has promised to build something we can buy in a few months and I plan to hold him to it. He's the real Java developer, but I'm starting to believe that NetBeans could make this easy enough that even I could tackle it.

Sunday Apr 30, 2006

Thunderbird Needs LDAP Help

I've been a Thunderbird user for a while, but the LDAP functionality in the email addressing lookups is becoming quite annoying. We have an external LDAP server that is accessible from both our intranet and the internet when properly authenticated. It leverages both our market leading Directory Server and our Directory Proxy, both part of Directory Server Enterprise Edition. This allows me to set the directory once and avoid having to switch it depending on how I'm connected. However, Thunderbird's LDAP implementation makes using it painful. When it functions properly, lookups while composing email messages work great. But when it doesn't you have to wait for the LDAP searches to time out. It can take a long time to address an email to lots of people. The address book is even worse.

There was a day when I would have hunted down the code and participated. I'm too lazy and stupid now. I could stay at a Holiday Inn Express (which I don't mind), but asking my buddy Neil Wilson to fix it is probably a faster path to what I want. This is when having a well read blog would be nice. Oh well.

Sunday May 15, 2005

What is an identity worth?

Clearly a bit removed from the kind of identity issues we were talking about all last week at Digital ID World, but nonetheless an interesting look into the importance of non-human identity and the role of the courts. Seems the ad campaign for Certs from around 40 plus years ago that they are "two, two, two mints in one" initially hurt its owner, Cadbury Schweppes, to the tune of millions of dollars in customs duties. The details, provided by Chris Gaither from the LA Times, cleverly titled A Case of Mint-staken Identity, describe how a court initially ruled that Certs did not qualify as something that "promotes oral hygiene", which I guess means it's just candy. Fortunately for them, their appeal won a reversal this past Wednesday. I'm sure the legal fees were only a couple times more than the tax ;-)

Friday May 13, 2005

My famous friend, Pat!

Today, Sun and Microsoft demonstrated cross-domain single sign-on into each other's environments using new specifications the two companies have been working on jointly, namely the Web Single Sign-on Metadata Exchange protocol and the Interoperability Profile.

You can view the entire webcast here. Pat Patterson, a Sun co-worker, shows up around 17 minutes into the press briefing, but you should watch the whole thing.

Pat and his Microsoft counterpart, Don Schmidt, do a great job of describing federation, how it works and the specific benefits companies can achieve as a result.

Way to go, Pat!

Wednesday May 11, 2005

Murphy's Law of Identity

Here is my take on at least one version of Murphy's Law of Identity: Regardless of the cost related to potential identity theft, people will give up their password for a candy bar.

Now, how many of the passwords provided are real is another story, but based on what Nico Popp from Verisign shared during his keynote yesterday morning here at Digital ID World, it might be higher than you think. Nico told us that people freely gave their passwords when offered a $10 Starbucks card. Supposedly one guy, clearly too honest for his own good, said he forgot his password, went back to his office, got his password off some sticky note, gave it to his secretary and told her to go get him a Starbucks card. Incredible. Did he say they're doing it again today at the main entrance to the Hyatt Regency? :-)

What's your take?

Sunday May 01, 2005

Now THAT is an Identity Crisis

It may just matter which airline you choose to fly on some day, if you ever have an experience like Michelle Bearden. Michelle had her purse stolen on a trip to Phoenix and lost ALL her identification. She had a real identity crisis and it almost kept her from making it back home to Tampa. The most interesting part of the story to me was that even though the TSA requires a match of IDs to boarding passes, they allow each individual airline to make their own determination of how to handle passengers without a valid ID. Lucky for Michelle that Joe Hodas, spokesperson for Frontier, the airline she was traveling on, wasn't taking tickets that day. Joe's comment was, "I'm surprised she got on the flight". Frontier must be so proud of Joe.

On a recent trip my boss asked why I had a spare driver's license in my bag. I joked that it was because I was dead serious about high-availability and fault-tolerance. Now I'm thinking it isn't such a dumb idea after all. As many things as I've lost when I travel, I better call American and find out their no-ID policy right away.

The article also mentioned there are no stats on this problem, but I would hope that something of this nature doesn't encourage RFIDing humans. I know we've been doing that with pets for a while and I'm sure you're all as excited as I am that June 2005 is National Microchipping Month. However, I'm not quite interested in one for myself yet. I'll just hang loose in Phoenix.

Thursday Apr 21, 2005

Verticals go horizontal

A couple weeks ago I shared a prediction with James Governor, during a visit in his London office, that I thought a large bank or wireless telco would soon buy the other. It only makes sense. When you're using your cell phone to purchase a Diet Coke from a vending machine like they are in Japan, it isn't exactly visionary. Anyway, it hasn't happened yet, but James did just send me a link describing NTT DoCoMo's inquiry into buying a third of Mitsui Sumitomo Card, Japan's #2 credit card. This could get really interesting, though thanks to the vending lobby we still have to fight vending machines to take paper money here in the US, so maybe talks between Citigroup and Verizon are a bit off in the distance.
