| Subcribe via RSS

SailPoint IIQ: The BuildMap Rule Revisited

Well, I’m behind on posting again. Apologies to those following here who I know were looking forward to this particular post which I promised in person to a number of you.

Build Map Rules in Aggregations

The BuildMap Rule… Just what is a “build map rule” exactly? Maybe you’ve used or even written one, but you admit you still really don’t understand what it’s actually doing or how it really works in the case of account aggregations. I actually get that kind of comment all the time, so don’t feel bad. Let’s crack ‘er open and see if we can crystalize the concept of how this actually works. Once the concept is crystal clear, you’ll know exactly when to use it, and your usage of it will be that much more sophisticated and precise.

Hang On… What Is A Map, First Of All?!

Before we get into what a build map rule is, we first need to cover the concept of a “map” to begin. Again, this is a comment I often get as I am on site implementing Sailpoint IIQ for the first time in enterprises — “what is a map?”

Sailpoint IIQ is built using JEE technology. Therefore, it draws from many paradigms within that reference technology platform. A Map object in Java, or just a “map,” is essentially an indexed name/value pair system. Focusing on strings as the map implementation (it’s possible to have other map types in Java, but we’ll forgo that discussion here), a very stripped down version of a map is something like you might find in a configuration or initializer file of some sort:

name=Chris Olive
address=123 Somewhere St.
city=St. Paul
state=MN
zip=55102

This is also known as a key/value pairing because the name on the left hand side can only occur once. If you are familiar with other programming languages, a Java Map is roughly equivalent to what is called a hash in Perl and Ruby, a dictionary in the older Microsoft development parlances (VBScript, etc.), or a dictionary in Javascript (though popularization of Javascript and it’s object orient model extends this scheme into JSON objects, which again we will forgo delving into in depth in this discussion.)

Here are the equivalent “maps” in some of the languages I’ve mentioned above. If you are familiar with all or any of these, then you know what a Java Map (object) is:

Perl:

my $map = {
   name    => 'Chris Olive',
   address => '123 Somewhere St.',
   city    => 'St. Paul',
   state   => 'MN',
   zip     => '55102'
};

Ruby:

map = {
   :name    => 'Chris Olive', \
   :address => '123 Somewhere St.', \
   :city    => 'St. Paul', \
   :state   => 'MN', \
   :zip     => '55102' \
}

Javascript/JSON:

map = {
   "name"    : "Chris Olive",
   "address" : "123 Somewhere St.",
   "city"    : "St. Paul",
   "state"   : "MN",
   "zip"     : "55102"
};

Java (BeanShell):

// Unfortunately, Java doesn't offer a shortcut way of initializing
// a HashMap. I'll just not comment on that here. :-)
//
// Since Java 5, real Java wants these sorts of things "typed" as
// well.  We'll forgo that and do this BeanShell style as per IIQ.
// BeanShell doesn't require type syntax.

import java.utils.HashMap; // Not required in BeanShell
   :
   :
HashMap map = new HashMap();
map.add( "name", "Chris Olive" );
map.add( "address", "123 Somewhere St." );
map.add( "city", "St. Paul" );
map.add( "state", "MN" );
map.add( "zip", "55102" );

Now, that last example looks somewhat familiar if you’d done any writing (or plagiarizing :-)) of Sailpoint IIQ build map rules already. (Funny how in literary circles, plagiarism is very much frowned upon, whereas in IT, it’s very much encouraged, isn’t it?! :-))

So while we’re here, let me just say that the variable name “map” carries no special significance. People tend to name their variables in simple scenarios according to what they are and the variable name could just has easily been “foo” or “frank” — it’s doesn’t matter (other than when you program that way, things get a little unclear fairly quickly.)

So this would do just as well:

HashMap me = new HashMap();
me.add( "name", "Chris Olive" );
me.add( "address", "123 Somewhere St." );
me.add( "city", "St. Paul" );
me.add( "state", "MN" );
me.add( "zip", "55102" );

IIQ Uses Maps EVERYWHERE

So now that you (hopefully) know what a “map” is, then maybe at least the name has suddenly taken on more significance. “Build Map” means… a Java Map object instance (or just a map) is going to be built. “Why” will be explained in just a moment.

The main thing to emphasize here is… Sailpoint IIQ uses maps literally EVERYWHERE. So just get used to it. And that being said, I can’t think of a concept in Sailpoint IIQ that you need to make sure is rock solid any more than the concept of a map. Again, Sailpoint IIQ uses them literally EVERYWHERE.
More »

Tags: , , , , , ,

SailPoint IIQ: Get Your JavaDocs

November 1st, 2012 | No Comments | Posted in IAM Development, Object-Oriented Development

Interestingly, I was on a call this morning with a lot of really smart people, and I was surprised to learn some of them didn’t know that Java documentation on all the internal Sailpoint IIQ Java objects comes bundled with every install of IIQ. All ya gotta do is set a bookmark to a static URL after a Sailpoint IIQ install, and you are good to go.

This means, if you have multiple IIQ versions installed (as I do), then you can get the JavaDocs specific to each one of them with a URL for each version. They are all located at the same URL for each install:

http://your-hostname-here:8080/identityiq/doc/javadoc

If you just happen to have Sailpoint IIQ installed on the same machine you are reading this post on, click here and you should see them. Otherwise, adjust the URL above accordingly if you are reverse proxying your Sailpoint IIQ install or used a different context root for IIQ or what have you.

If you are doing any customization at all of your Sailpoint IIQ installation — be it in Java itself or in BeanShell — this URL will be indispensable for you. Set ‘er up and have fun reading JavaDocs to your children at bed time!

Tags: , , , , ,

SailPoint IIQ Security Best Practices

October 15th, 2012 | No Comments | Posted in IAM Development, IAM Engagement, IdM Engagement

Over the last several weeks I’ve been building out an entire Sailpoint IIQ development infrastructure on ESXi — every major version of Sailpoint IIQ since v5.2 on CentOS 6 (essentially RHEL 6), available over a number of major app server platforms for customer and development testing (eg. Tomcat, JBoss, perhaps WebLogic, etc.), including Windows Server 2K8 Active Directory, LDAP and other outlying systems. Today, as I considered the small data center I’ve been building out, I had “on-site flashbacks,” and I thought it would be a good time to talk about Sailpoint IIQ security best practices.

Easy To Forget!

We all get busy and it’s easy to forget — we’re supposed to be security professionals. A lot of you out there have a couple of forensics cases waiting in the wings, there’s that big virus scare Bob in Accounting let loose on the network on “Bring Your Son To Work Day” (yep, he plugged his son’s laptop into the network, didn’t he?! :-(), there’s the perimeter pen testing you and Jane are supposed to be doing on the 15 new apps destined this week for external rollout, there’s the latest audit report due (again!), and… oh yeah, there are these SailPoint consultants on-site the next two weeks helping you __________ your (new) IdM infrastructure, starting in dev (fill in the blank with “rollout”, “upgrade”, “assess”, “shakeout”, “test”, “customize”, or “all of the above” as it suits.)

As you may have noticed with barely concealed glee, Sailpoint IIQ is your new magnifying glass for IAG in the enterprise; it’s really good about going after the details at a minimum (based on RO connections to all your outlying systems), to say nothing of what you may be doing for certifications, reporting, provisioning and workflows — full LCM (if you’re on your way to IAG nirvana!) You’re going to nail non-compliance with this tool.

But what about the tool itself!? Have you stopped to consider the following best practices around secure Sailpoint IIQ deployment? It doesn’t do anything to fully amorize the front of the barn if other individuals in your enterprise can sneak in the back door!

What is your “threat footprint” for Sailpoint IIQ as “an enterprise application” itself?! (That’s the funny thing about Sailpoint IIQ — it audits apps, but it’s an app itself, when you think about it.) I’m not going to say a WORD about what I’ve seen anyone do. :-) Just make sure you are doing the following at some point when you’ve got Bob in Accounting up to sped on network policy and at least one of those audit reports done before your CISO has that meeting with HIS boss, the CEO. :-)
More »

Tags: , , , , , ,

SailPoint IIQ: Creating & Using Rule Libraries

September 19th, 2012 | No Comments | Posted in IAM Development

So you’ve been writing and using simple BeanShell rules in Sailpoint IIQ but you’ve come to a point in your solving of use cases where you’ve got code replication in various places. This, as in other development situations outside of Sailpoint IIQ, is a perfect scenario for consolidating such code into a library of some sort (you are thinking, right?!) and calling that code from the rules you are writing.

Code consolidation is just good, universally accepted development practice. But can this be done in Sailpoint IIQ, and if so, how? Glad you asked. Here’s how you do it. We’ll use an over-simplified example in a very easy use case to illustrate.

Creating A Rule Library

The easiest way to create a rule library from scratch is to go into the Sailpoint IIQ debug pages and grab a rule you already have. Grab the rule XML from the text area and cut and paste it into your favorite editor. Then pare your XML down to this:

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule language="beanshell" name="My Library">
  <Source>

// My Library - only a comment for now... :-)

   </Source>
</Rule>

Ha, well I guess… there you go. You can now just use the above as a rule library template instead of digging this out of your Sailpoint IIQ debug pages. :-)

Save this to an XML file on your local hard drive. Make sure you change the name of the library on the 3rd line above to something that makes sense for you. Then import this XML into Sailpoint IIQ. You can import this XML in one of two ways:

(1) Navigate to the System Setup page and choose the “Import From File” option, or…
(2) Import from the IIQ console using the import command.

Now, re-navigate to your debug pages, re-list your rules and you should see a rule named “My Library” (or whatever else you might have named your rule). For updating this rule and actually adding code, you’ll need to edit this rule from right here in the debug pages as it’s not going to show up anywhere else, really. We’ll keep that in mind for later.

The Background/Sample Use Case

Okay, so now you’ve created a rule library — simply a place to stick code that will be shared by other rules. How to we reference this library?

Before we get into that, let’s look at our use case code. We have two build map rules for aggregation — one build map rule called from a CSV connector and the other build map rule from a JDBC connector. In both cases, we’re going to say each needs to build a string formatted a certain way, and we want to isolate this formatting to one place — in our new rule library — and call that code from both rules.

Here is the CSV build map rule:

// Imports.
import sailpoint.object.Schema;
import sailpoint.connector.Connector;
import sailpoint.connector.DelimitedFileConnector;

// Build an initial map from the current record.
HashMap map = DelimitedFileConnector.defaultBuildMap( cols, record );

// Only perform these steps for account aggregations.
if (schema.getObjectType().compareTo( Connector.TYPE_ACCOUNT ) == 0) {
   String path = map.get( "path" );
   String filename = map.get( "filename" );
   String filespec = path + "/" + filename;
   map.put( "filespec", filespec );
}

// Return the resulting map.  For group aggregations, the default
// map falls through and is returned.  For account maps, we return
// the modified map.
return map;

More »

Tags: , , , , , , , , , , ,

SailPoint IIQ 5.5p1 Released w/Install Caveat

February 22nd, 2012 | No Comments | Posted in IAM Development, Travel, Vendor Specific

Just a quick note that Sailpoint IIQ v5.5p1 was released this week. Seems to be working great, has a lot of bug fixes and overall is a quick and smooth install. The release notes (if you have a Compass account) go over the details, so I won’t cover them here.

One caveat to mention is this: Do NOT install Sailpoint IIQ 5.5 and then install the p1 release from scratch. Make sure you install Sailpoint IIQ 5.5 sans p1, then do your XML imports (init and init-lcm), login, and THEN go through the p1 patch cycle. Otherwise… surprise! You will not be able to log into spadmin (due to DB schema changes in the patch). Not a great feeling when it happens. Trust me. :-)

Brought to you live, onsite with Sailpoint, from Boise State University. Hoping to see the blue football field before we leave. :-)

Cheers!

Tags: , , , ,

Quick Guide to Rebranding SailPoint IIQ

January 18th, 2012 | No Comments | Posted in IdM Engagement, Vendor Specific

So you’ve got Sailpoint IIQ all installed and humming on your enterprise servers, and your boss walks in and says “My boss says the CIO wants this rebranded for better internal look and feel, to keep confusion down for identity self-service requests. Can you have it done by Monday?!”

Your answer, even if it’s Friday, should be “Yes, sir!!” Here’s how you can do it, covering just the basics. In this exercise, we’ll cover rebranding:

  • The login banner page
  • The IIQ headers on each page, and…
  • The overall CSS colors on each page providing the final L&F

Let’s get started.

Overview

The tools and “skillz” you will need (as they say) will actually lean more on the graphics side than on the Java or HTML development side for this exercise. In fact, other than careful and proper placement of the resulting graphics files inside your deployed application and application server file system, graphical capabilities and understanding of CSS are going to be your primary concerns. If you are not very good at handling a graphical editor like Adobe Photoshop or GIMP, now’s the time to call your friend, Sally, over in Marketing to lend you a hand.

Assuming you know where Sailpoint IIQ is “rooted” on your application server, we’re going to graphically reconstitute a few files. We’ll assume a Tomcat installation here, which should carry over quite nicely for a JBoss AS installation as well. WebSphere, Glassfish, WebLogic and you other app server flavored peeps out there, try to follow along.

For Tomcat, assuming an installed/deployed path of /srv/tomcat6/webapps, you should/would have /srv/tomcat6/webapps/identityiq for your application root. So then, we’re going to graphically reconstitute:

  • $APP_ROOT/images/login.gif
  • All the header*.gif files in $APP_ROOT/images and…
  • identityIIQ-logo.gif

Furthermore, we’re going to, at a bare minimum, twiddle the background-color CSS attribute on five (5) CSS files. We’ll detail all that when we get to the section on CSS.
More »

Tags: , , , , , , , , ,

IdM Demand In 4th Quarter Kills Blogging (and everything else)!

What kind of blogger would I be if there weren’t blatantly long periods of time where I’m not blogging?! There are a lot of people, especially in IT, who commit to blogging who, get off to a good start, and then taper off to nothing. I’m in danger of being such a person, but I’m aiming to change that here soon.

It’s just been the busiest 4th quarter (and especially December) I’ve ever had in my entire 20+ year career. Business and demand in the Identity Management space is just booming, and there have been more concurrent end-of-year projects (of any sort) than I can ever remember. Qubera gigs at a major software house, a major US investment firm and a leading California educational institution have had me absolutely hopping. 2012 is quite frankly looking ominous and scary. Identity Management is in high demand and with new, innovative products like Sailpoint IIQ v5.5 out in the 4th quarter and more IdM product movement in the magic quadrant, the demand is high in the industry right now.

That being said, here’s what’s coming up, and not necessarily in this order:

  • Branding Your SailPoint IIQ Site – If you’ve got your eyes on Sailpoint IIQ or already have it in house and want/need to rebrand your site for internal L&F purposes, I’ll lead you through how to do it. It’s quite simple actually.
  • It’s Time To Change Travel Regulations around electronics – Recently I’ve read a number of articles on just how far behind the FAA is on the (non-existant) “dangers of electronic devices on airplanes.” As a consultant who does a fair amount of travel (not a ton, but enough), I have some thoughts on this. It’s definitely time for some changes.
  • Managing Your Vendor Relationships – I recently read a great article from Gigaom on some of the big-time vendors which happen to operate (most of them) in the Identity Management space. The article brought up some great points and as a Solutions Architect and Technical Engagement Manager who has to advise clients on these relationships, I had a few insights and comments to make which may be helpful.
  • iPhone versus Android Comparison – I recently had the opportunity, thanks to purchasing a new iPhone 4S for a family member, to side by side compare the iPhone with an upper-end Android device, the HTC EVO 4G which I carry. Hint: There is no comparison. I was truly blown away. I’ll let you know which device wins as I throw my lot into the “smart phone wars.”

I’m going to whip out that FAA airline article now, but stay tuned for more.

Tags: , , , , , , , ,

Developer Tomcat Settings for Sailpoint IIQ Sandboxing

October 10th, 2011 | No Comments | Posted in IAM Development, IAM Engagement

Working on IAM projects and out on client sites for Qubera Solutions, our technical peeps all have developer sandboxes we use for prototyping, setting up read-only connectors to outlying systems (eg. PeopleSoft, AD, LDAP, JDBC connections, etc.), doing RBAC analysis and just about anything GRC related. We sandbox just about everything we can or run pre-configured VMware VMs on laptops outfitted with as much memory as we can. (My Macbook Pro is spiked out at 8gb RAM.)

Generally we use Tomcat for the app server piece but not always. None of this is earth-shattering news. Any developer or integrator of note at Any Company USA and around the world is going to have at least “A” sandbox running if not multiple. Just whether those sandboxes are configured and tweeked properly is going to be the only question, really.

As it relates to Sailpoint IIQ, first of all, me running a Macbook Pro, it’s technically “not supported.” But the IIQ deployment, like Oracle Waveset, is just a WAR. For the middleware piece (the DB layer aside), you essentially deploy a WAR, import your objects from XML, and you are off and running. Nevertheless, the “non-supported” aspect of a MacBook tended to rear its ugly head and I had frequent hangups in Tomcat until I tweeked a few things. It turns out setting my JAVA_OPTS to the following not only helps, but seems to be recommended from a trusted source. (I don’t have permission to credit here, much as I would like, so just take it for what it’s worth.)

I’ll “split this up” in a syntactically correct way so this doesn’t extend the page on the blog entry, but you can put these settings all on one line; hopefully that is obvious:

JAVA_OPTS="-server -Xms3072m -Xmx3072m -XX:NewSize=1024m -XX:MaxNewSize=1024m"
JAVA_OPTS="$JAVA_OPTS -XX:MaxPermSize=1024m -XX:CodeCacheMinimumFreeSpace=2M"
JAVA_OPTS="$JAVA_OPTS -XX:ReservedCodeCacheSize=64M"
JAVA_OPTS="$JAVA_OPTS -Dsun.lang.ClassLoader.allowArraySyntax=true"

More »

Tags: , , , , , , , , , , , , , , , ,