Design Patterns for Programmers

Posted on by Abhishek Choudhary in Technology

In 1986, Chernobyl was the result of bad designs/coding. Huge disasters in the world happen due to naive and inappropriate logic built into systems.

From a refrigerator to your car, a mobile to a rocket, everything runs on a microprocessor. It is a logic builder’s responsibility to take care of some cliched issues that might crash the entire system.

In 1995 at Sun Microsystems design patterns were developed by visionaries christened as GOF (gang of four).

This Video blog is an attempt to lucidly present the design patterns, which have to be considered by every programmer, irrespective of platform of development, for impeccable results.

In this presentation, we spoke about almost all the design patterns which are mostly used in Software Development.In a nutshell, the following are the various aspects of design patterns covered as part of the video:

  1. Creational Design Pattern – 7 design patterns.
  2. Structural Design Pattern – 6 design patterns.
  3. Behavioral Design Pattern -11 design patterns.

 

 

Sailpoint – Refresh Identity Cubes

Posted on by Sandilya Krovvidi in Identity Governance, Sailpoint

In Sailpoint’s Identity IQ Refresh Identity Cubes” is one among the most important internal tasks. Refresh Identity Cubes helps in building 360 degree purview of an identity based on all the data aggregated from external sources.

The following video is an extensive discussion on various aspects of Refresh Identity Cubes.

The various aspects that are covered as part of this video are:

  1. Mechanisms to filter the identities to be considered for Refresh.
  2. Various options in the Refresh Identity Cubes.
  3. Using Multi-threading to improve the performance

 

 

 

 

Sailpoint Unix Integration

Posted on by Sandilya Krovvidi in Identity Governance, Sailpoint

Unix is the mother of all operating systems and also is the foundation for Tim Berner Lee’s invention.

Every enterprise has a huge Unix foot print spanning across thousands of servers running various legacy applications.

As part of the mammoth task of securing the IT environments, securing the Unix servers would be the first step.

At ENH iSecure, we thrive to achieve complete and impeccable solutions leaving nothing to chance.
As a part of these efforts, we are speaking about Identity Governance in Unix with the help of Sailpoint’s IIQ.

The following is a video where we speak about governance of Unix using Sailpoint’s IIQ.

The following is a demo on Unix integration with Sailpoint.

IdentityIQ parallel and serial approvals

Posted on by Mahesh Bitla in Identity Governance, Sailpoint, Technology

 Introduction

Out of the box Sailpoint’s IdentityIQ provides numerous workflows for provisioning, we can implement our custom workflows according to the necessity. Similarly, parallel and serial approvals are workflows used in an enterprise to manage the access of the user.

Requirement

In the world of IAM, one thing every developer should remember is that “Right thing must be accessed by the Right user at a Right time“, from the above sentence we can say that an access must be rightfully distributed to the user.

In this requirement a user in an enterprise requested an entitlement or role using IdentityIQ then that access must be approved by the work groups which are maintaining that privilege.

Understanding parallel and serial approvals in IdentityIQ

The following video illustrates about parallel and serial approvals.

Working demo of parallel and serial approvals

The following video demonstrates how parallel and serial approvals accomplishes.

 

 

 

PlainID – Product Overview

Posted on by Mahesh Bitla in Identity Governance, PlainID, Technology

PlainID is a young Authorization Management software company. They found an innovative approach to simplify and optimize dynamic, fine grained access to resources and data.

Following video demonstrates about the PlainID product Overview, Architecture and practical implementation of the product in the field of Identity & Access Management.

 

Data loading into Active Directory using a simple java program

Posted on by Mahesh Bitla in Technology
  • Data loading into Active Directory implies creating AD Accounts and corresponding Exchange mailbox accounts using employee data existing in a database.
  • Java program is developed in a fashion which reads the credentials from XML, retrieves employee data from the database, creates an account with a default password in active directory and enables the account as well.
  • The PowerShell script is executed to create exchange accounts for all the users.

Requirement schematic

  • The below process flow diagram explains the requirement lucidly.

requirement

Demo

  • The working demo of this program is embedded.

Documentation and Code

The Documentation and Code for above demo can be downloaded from following links.

 

Solving problem SailPoint IdentityIQ “Mark Invalid Error”

Posted on by Mahesh Bitla in Identity Governance, implementation-problems, Sailpoint, Technology

Problem description 

When we try to correlate the accounts into SailPoint’s identityIQ using multiple authoritative sources the following
exception may arise.

Why this happens

The main reason for this error is ambiguity of accounts. After the account aggregation task completed when we try to run the task refresh identity cubes. Task is not running and error is displays as Task stopped by user. When you see the log file there a exception named Mark Invalid.

 

.erroe_scrn_sht

Case 1

The main cause for this error is, If you have added more than one authoritative sources marked for one identity. The following exception will arise. that means you have added two Authoritative sources representing the same data if run the aggregation task the accounts will be populated with their name then If we perform refresh identity cubes task the accounts will not linked its respective manager account because there will be an ambiguity between two accounts which has to be correlate as manager account.

Case 2

In other cases if you have any accounts or identities not properly deleted.

Solution

The solution I found is to get backup of the rules and application into a xml file using the console.Shutdown the application server and drop all the tables in database using the sql scripts provided by identityIQ then create the tables using the scripts. Import the init.xml using the iiq console.Then import the xml file which represents the application object. Then if you run the aggregation and correlation tasks you can see that all the identities and their managers are correlated in identity warehouse.

Requirements Gathering for an IDM Solution

Posted on by Sudha Shanmugham in Identity Governance, Technology

Requirements Gathering

Understanding the AS-IS and TO BE states of the enterprise IT infrastructure is the most important key to achieve success for any Identity management. Approaching such challenge with a wonderful questionnaire would lead to a win-win situation for both the customer as well as the implementer.

At ENH iSecure, we face the challenge of requirements gathering with a strong questionnaire that helps us understand the requirements of the customer very easily. The following list comprises of some important questions during the initial requirement gathering which are part of the questionnaire:

Identity Vault establishment:

Identity vault establishment is the first step of any Identity management implementation. It involves creating a central identity store which shall be the heart of the implementation. As part of the identity vault establishment and future management, we would put up the following questions to the customer:

Initial Creation of Identity vault:

1. What are the sources that help us create the identity vault?
They can be delimited files present at the Unix location or active directory or a HRMS.
2. Are these sources distributed across multiple applications? In case they do find all the applications across which the trusted sources are distributed.

Regarding the Identity vault maintenance:

1. Are there any specific organizational requirements regarding updation of identity vault? Sometimes it is possible that such updations happen at a specific date to match the server loads and burst in server loads because of sudden peaks in usage. For example, Universities which admit many students at spring or fall.
2. How often would we want the incremental updations to happen to the identity vault? How often are complete updations expected?

Information related users:

1. What are the various types of people whom the identity management solutions monitors? For example, employees, contractors, rehires, customers and any other types of users.
2. What are the various operations that could happen to the users of the identity management system? For example, promotion or termination of employees could be operation on the user. Expiry of contract for contractors could be a situation.
3. Identity management solutions maintains users in various states. For examples most of the identity management solutions have an active, disabled or terminated states for users. How are these states expected to change with respect to various actions on the users?

Provisioning related information:

1. What are the various target applications that are present in the IT infrastructure that need to be monitored by the solution?
2. How does the communication to the applications from the identity management solutions happen? Is there a bus service that is running that needs to be passed through or can they be directly communicate to?
3. Are there any rare applications for which we do not have any prebuilt connectors to work with? In such cases we need to develop connectors for communication to happen.
4. What are the various accounts and privileges to be provided to various kinds of users with different attribute values?
5. In case there is any change is user attributes or state of the user , how to deal with the transition to new state of user? For example, in rehire kind of scenario, we temporarily disable the users. Also in case there is a state change, all the accounts that need to provisioned in the state have to be provisioned.

Requests based provisioning:

1. Is there a requirement for users to request various accounts or privileges in various applications? What are the various resources that a particular kind of user can request and what is it that they can’t request?
2. How should the various requests be processed? Is there any complex approval process that is involved? For example sometimes it is required that IT Admin as well the manager are expected to approve provisioning an account.

Enabling Active directory SSL authentication

Posted on by Mahesh Bitla in Technology

Using JNDI we can access the active directory, but if we want to access the active directory using the secure port we need to get the certificate issued by the active directory certification services.

The certificate helps to authenticate the server over SSL.

SSL authentication is useful when we need to perform the administrative stuff like changing password using JNDI.

Active directory enables us to access the server over SSL using the certificate issued by that server.

To access the active directory using the JNDI we need to get the certificate issued by the active directory and import that into java key tool.

 

1.     Creating and exporting certificate file

We can export the certificate which can accept the SSL authentication in many ways. But in this article we are exporting the certificate using the internet explorer and command prompt.

Note: to export the certificate, server should be installed with active directory certification services. Refer the following link to install the ADCS

         i.            Exporting the certificate using the internet explorer
  • Open in the internet explorer in the windows server and click on internet options
  • navigate to content and click on certificate

1

  • In the certificates tab navigate to trusted root certificates and click on the certificate with your server name. (in this case server name is ADSERVER)

 2

  • A new popup will populate with certificate name that you have selected, in that click on details tab and select copy file option.

 

 

3

 

  • Then new popup windows will appear, in that click next.

 

4

 

 

  • select the option do not export private key and click next

 

5

 

  • Select the base 64 encoded and click next.

6

 

  • Provide the path and name to certificate.
  • Verify the options and click on finish.

7

 

 

 

      ii.            Exporting the certificate using command prompt
  • open command prompt in your windows server
  • navigate to the folder where you want save certificate
  • enter the following command to export the certificate

> certutil -ca.cert sslcert.cer

 

 

2.    Importing certificate into java keytool

 

After exporting the sslcert.cer file, copy the file into host machine installed with java.

The following steps explains to import sslcert.cer file into java key tool in various environments

        i.            Linux
  • Open the terminal in the folder which containing the exported file
  • execute the following command

# keytool -importcer -keystore JAVA_HOME/jre/lib/security/cacerts -file sslcert.cer

  • Default password for the keystore is: changeit
  • Enter yes to import the certificate to key store

     

     ii.            Windows
  • Open the command prompt in administrator.
  • navigate to the folder containing exported certificate file
  • Execute the following command

> keytool -importcer -keystore JAVA_HOME/jre/lib/security/cacerts -file sslcert.cer

  • Default password for the keystore is: changeit
  • Enter yes to import the certificate to key store

 

 

Solving the problem with privileged ports in ODSEE instance creation

Posted on by Sandilya Krovvidi in Technology

It is possible that creation of an instance in Oracle Directory Server might end up with the following error message:

port number 389 is a privileged port.

This happens because all the ports less than 1024 on Linux are treated as privileged. Most of our well know ports like 389 for the LDAP, 80 for HTTP, 443 for HTTPS reside in this range of ports.

Linux enforces that the services cannot be created at the privileged ports until and unless the privileges are escalated.

In this particular case, we can start the instance using the following command:

sudo dsadm start <path-to-instance>

The main reason for need for extra privileges when we use the privileges may be because there is a chance that the firewalls do not block traffic from these ports. Any attacker who might be interested in stealing your data over the network could be opening such ports so that he could escape firewalls. To reduce the attack surface, it is enforced that the privileged port need root access.