Tuesday, 08 September 2009

Test connection failed ADsOpenObject(): 0X8007203A

Okay, yesterday I received a message from the customer saying that some of the update processes to Active Directory had failed, which left the virtual user status at 'update needed'. It turned out that the connection test to the Active Directory server was failing with the error message 'ADsOpenObject(): 0X8007203A', although there had been no changes on the Active Directory server. The ping and telnet tests worked fine too.
It turned out the problem was in the gateway service. The service was running just fine, with status started. But after we restarted the gateway service, the connection test worked fine again, strange. I still don't know what the cause is, maybe there's a bug in 6.0sp1 or something, I'm not sure. Have to upgrade to version 8.1 fast...

Thursday, 30 April 2009

Lessons learned: Reboot

Okay, this has nothing to do with Identity Management. It's just that when you, or someone from your team, decides to reboot a couple of servers, you need to check the server type. I've got a partner who rebooted 3 servers; we had already asked for permission. But because 2 of the servers were desktops (Sun Ultra 40), it turned out that they didn't reboot properly. The cause is that they need a keyboard and monitor attached to the machine in order to do that.

So I had to go to the data center and make sure the servers were up. But getting permission to go to the data center can be a pain; thank god for the guys here who were really helpful and didn't comment much on the incident.

~stressfulweek

Saturday, 18 April 2009

OpenSSO Express 7 is released

Yeah.. it's a bit confusing, since the previous release of OpenSSO was OpenSSO Enterprise 8.0. But the Express release is a shorter-cycle release (3 months) that is also supported by Sun. These releases will also be included in the Enterprise release (OpenSSO Enterprise 8.1). So I think the only difference is the release cycle.

The image at this link probably explains it better.

Thursday, 02 April 2009

OpenSSO using OpenDS as UserStore

I finally succeeded in installing OpenSSO using OpenDS as the user store. I'm using OpenSSO 8, OpenDS 1.2.0 and GlassFish v2 with 2 domains. The problem is that there's no full guide to implementing this; the docs are scattered all over the internet. I'll try to put up a simple guide, and maybe if I have the time I'll update it with the detailed steps :)

Basically what you need to do is this:

OpenDS installation

- prepare your FQDN (using localhost or 127.0.0.1 won't work)
- install OpenDS
- using dc=opensso,dc=java,dc=net as your base context will make the setup easier
- follow the steps in Indira's blog so that OpenDS has the schema needed by OpenSSO
- some notes on the guide: since I'm using the OpenDS console to manage the directory, inetuser is added as an auxiliary attribute. I've created the OpenSSOUser and ldapUser, but I'm still using the Directory Manager as the binding user and it worked. The only LDIF files that you need to load are am_remote_opends_schema.ldif and configure_opends_userstore.ldif

OpenSSO installation
The general steps are listed here; the details can be seen here.
- unzip the OpenSSO zip
- copy opensso.war to the staging directory for OpenSSO
- log in to the GlassFish administrator and deploy the war
- log in to localhost using your FQDN name
- follow the wizard:
-- use dc=opensso,dc=java,dc=net for your base context
-- when setting up the user store for the external DS, use the generic schema
-- if you get the error "cn=mapping tree,cn=config does not exist; matchedDN = cn=config", copy "98-opends_user_schema.ldif" and "99-am_sm_ds_schema.ldif" from Indira's blog. But it shouldn't be necessary, since the LDIF file from the OpenDS setup is newer.
- if all went well you can log in as amadmin with the password that you gave in the installation steps.


Installing Sample Application
Follow these steps to install the mini apps. It shouldn't be a problem, and then you can test logging in to the mini application.

Monday, 30 March 2009

SAP Future Data

In SAP, employee information is partitioned into more than one InfoType. Each InfoType has its own use, and between InfoTypes the data can also be redundant. SAP data can be sent to IDM in two ways: PFAL and Change Pointer. PFAL is a manual action where all of the InfoTypes are sent, while Change Pointer is a scheduled action where only the changed InfoTypes (delta changes) are sent.

By implementation time, SAP data can be categorized into two kinds: current and future data. Current data is data whose changes are executed immediately, while future data is data whose changes take effect at some point in the future.

We found a bug in our previous implementor's code when handling future data: it treated future data the same as current data. To fix this we need to put the data from the active sync form into a deferred task. Each object is stored plain (SAP plain XML data). When the deferred task runs, we assign the plain data to a workflow to process the resource. This approach is better than assigning the workflow from the start, because if something happens to the workflow (a bug, changes), a deferred task that hasn't run yet is immediately affected. We don't need to clear the deferred task and put the objects in all over again.
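The pattern described above, as an added example that is not code from the original post or from Identity Manager: future records are stored as plain data in a deferred queue, and the workflow is only resolved by name when the deferred task actually runs, so a workflow fixed in the meantime is what processes them. The record shapes, field names (pernr, begda, infotype), the two workflow versions and the dates are all constructed for the example.

```python
from collections import deque
from datetime import date

# Constructed sample records in the shape of SAP infotype data. begda is the
# effective-from date; the second record only takes effect in the future.
TODAY = date(2009, 3, 30)
RECORDS = [
    {"pernr": "00001001", "infotype": "0002", "begda": date(2009, 3, 1), "lastname": "Rover"},
    {"pernr": "00001002", "infotype": "0001", "begda": date(2009, 5, 1), "orgunit": " Sales "},
]


def provision_v1(record):
    """First version of the workflow: passes the org unit through untouched (has a bug)."""
    return {"pernr": record["pernr"], "orgunit": record.get("orgunit")}


def provision_v2(record):
    """Fixed workflow: strips the org unit before provisioning."""
    org = record.get("orgunit")
    return {"pernr": record["pernr"], "orgunit": org.strip() if org else org}


# The workflow is looked up by name at run time, never stored with the record.
WORKFLOWS = {"provision_sap": provision_v1}


def handle_active_sync(record, today, deferred, workflows, out):
    """Current data runs the workflow now; future data is stored as plain data."""
    if record["begda"] <= today:
        out.append(workflows["provision_sap"](record))
        return "current"
    deferred.append({"run_at": record["begda"], "workflow": "provision_sap", "data": dict(record)})
    return "deferred"


def run_deferred_task(deferred, today, workflows, out):
    """Run every stored record whose effective date has arrived.

    The workflow is resolved by name now, so a workflow that was fixed while the
    record was waiting is the one that gets used. Returns how many entries ran.
    """
    ran = 0
    for _ in range(len(deferred)):
        entry = deferred.popleft()
        if entry["run_at"] > today:
            deferred.append(entry)          # still in the future, keep waiting
            continue
        out.append(workflows[entry["workflow"]](entry["data"]))
        ran += 1
    return ran


def demo():
    """Walk through: sync, an April run with nothing due, a workflow fix, the May run."""
    deferred, out = deque(), []
    kinds = [handle_active_sync(r, TODAY, deferred, WORKFLOWS, out) for r in RECORDS]
    ran_april = run_deferred_task(deferred, date(2009, 4, 15), WORKFLOWS, out)
    WORKFLOWS["provision_sap"] = provision_v2      # bug fixed while the record is still deferred
    ran_may = run_deferred_task(deferred, date(2009, 5, 1), WORKFLOWS, out)
    return kinds, ran_april, ran_may, out


if __name__ == "__main__":
    print(demo())
```

The May run provisions "Sales" (stripped) even though the record was deferred while the buggy v1 workflow was still registered; had the workflow been bound to the record at sync time, the deferred entry would have had to be cleared and re-queued.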

Tuesday, 17 March 2009

IDM 8.1

Hi, did you know that IDM 8.1 has been released?

Other than bug fixes and patches, there are 5 new features. The one that interests me most is "External Resource Management". This feature lets you provision external resources that don't connect directly to Identity Manager, like laptops and handphones. Interesting, but I haven't had the time to explore it yet :)

Sunday, 01 March 2009

Selective update in bulk action

I found this on IdM 6.0sp1, and haven't tested it yet on other IdM versions.
Consider this: you want to do a bulk action to update a bunch of users, but not all the users you want to update share the same attributes. Rather than making a separate bulk action to update each attribute, you can 'ignore' the update to an attribute by providing an empty value (,,), not an empty string (,"",), in your script.

Take this example:
-user01: firstname="locco", lastname="creamer", email="locco.creamer@example.com"
-user02: firstname="nartha", lastname="rover", email="nartha.rover@example.com"

Then we run the following bulk action script:
"command","user","global.firstname","global.lastname","global.email"
"update","user01","rocco","","rocco.mate@example.com"
"update","user02","martha",,"martha.rover@example.com"

This is the result:
-user01: firstname="rocco", lastname="", email="rocco.mate@example.com"
-user02: firstname="martha", lastname="rover", email="martha.rover@example.com"

Remember, always test your script in your development environment first to avoid any unwanted cases.
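To make the ,, versus ,"", distinction concrete, here is an added example (not code from the original post or from Identity Manager) that parses a bulk-action script the way the post describes, with a dry-run planner that lists every attribute the script would touch before anything is applied. The sample users and script are the ones from the post; the parser, the SKIP marker and the function names are this example's own, and it assumes quoted fields contain no embedded quotes.

```python
import copy

# SKIP marks a field that was left empty (,,) in the script: the attribute is not touched.
# A quoted empty string ("") is a real value that clears the attribute.
SKIP = None


def split_fields(line):
    """Split one bulk-action CSV line while keeping the ,, versus ,"", distinction.

    A quoted field (even "") becomes a str; an unquoted empty field becomes SKIP.
    Assumes no embedded quotes inside quoted fields (as in the post's script).
    """
    fields, i, n = [], 0, len(line)
    while True:
        if i < n and line[i] == '"':
            j = line.index('"', i + 1)           # closing quote
            fields.append(line[i + 1:j])
            i = j + 1
        else:
            j = line.find(",", i)
            if j == -1:
                j = n
            raw = line[i:j]
            fields.append(SKIP if raw == "" else raw)
            i = j
        if i >= n:
            return fields
        if line[i] != ",":
            raise ValueError(f"expected ',' at column {i} in: {line}")
        i += 1


def plan_changes(users, script):
    """Dry run: return (user, attribute, old, new) for every attribute the script would set."""
    lines = [l for l in script.splitlines() if l.strip()]
    header = split_fields(lines[0])
    changes = []
    for line in lines[1:]:
        row = dict(zip(header, split_fields(line)))
        if row.get("command") != "update":
            raise ValueError(f"unsupported command: {row.get('command')}")
        target = users[row["user"]]
        for column, value in row.items():
            if not column.startswith("global.") or value is SKIP:
                continue                          # ,, -> leave the attribute alone
            attr = column[len("global."):]
            changes.append((row["user"], attr, target.get(attr), value))
    return changes


def apply_bulk_action(users, script):
    """Apply the script to a copy of the user store and return the updated copy."""
    updated = copy.deepcopy(users)
    for user, attr, _old, new in plan_changes(users, script):
        updated[user][attr] = new
    return updated


# Constructed sample data: the two users and the script from the post.
USERS = {
    "user01": {"firstname": "locco", "lastname": "creamer", "email": "locco.creamer@example.com"},
    "user02": {"firstname": "nartha", "lastname": "rover", "email": "nartha.rover@example.com"},
}
SCRIPT = '''"command","user","global.firstname","global.lastname","global.email"
"update","user01","rocco","","rocco.mate@example.com"
"update","user02","martha",,"martha.rover@example.com"
'''

if __name__ == "__main__":
    for user, attr, old, new in plan_changes(USERS, SCRIPT):
        flag = "  <-- clears the attribute" if new == "" else ""
        print(f"{user}.{attr}: {old!r} -> {new!r}{flag}")
    print(apply_bulk_action(USERS, SCRIPT))
```

Running the planner first is the cheap version of "test it in development": a quoted empty string shows up as a clear, and a bare ,, produces no line at all for that attribute, so a script that accidentally blanks a field is visible before it touches any user.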

Wednesday, 25 February 2009

Rolling out from the hills..

Sometime last week we rolled out our ID Manager application to production. Before rolling out we had a change management meeting with the client about how the roll out would happen, which parts of the client's infrastructure would be impacted and needed to be included in the roll out, the standard basic stuff.

We had already prepared documentation on the roll out procedure with an estimated time frame. Based on that we did a roll out simulation. The simulation went well; we captured some information that the client hadn't given us that we needed for the roll out, and some problems with our deployment scenario, but as usual, there's always something on D-day :)

As we rolled out, the parts that we had simulated ran smoothly; some minor things happened but nothing that worried us much. The problems started when we began installing the gateway and password sync on Active Directory. FYI, this is the part of the roll out that we didn't simulate, because we don't have our own private AD server, so we had only used the AD resource in the UAT environment. It turned out to be a critical point.

As we started the install we had problems, I mean real problems: our installation showed some errors. Installing the gateway and password sync reported that the administration account needed more privileges, which was weird. We had been fine when we set up both the gateway and password sync in our UAT environment.

It turns out that in a Windows 2008 environment, when you run a command prompt, you need to specify that it runs as administrator; this is done by right-clicking the command prompt icon and choosing the 'Run as administrator' option. In our UAT environment we didn't need to do this, since we were running on Windows 2003 Server.

This is another problem. Because the AD UAT environment isn't exactly the same as production, we lack confidence when we face compatibility/versioning issues.

One other thing worth mentioning is the JMS setup. We're using WebLogic application server. In our UAT environment we managed to set up 2 server instances, but in production there's only one, so the JNDI name for the JMS needed to be set to a different name.

The biggest problem, which took us days, was a reconciliation problem. After successfully installing and setting up the new resource, uploading our code and executing the clean-up script, we were finally at the last 3 steps of our roll out plan. It was one of the processes that took the longest time, since we were reconciling around 20.000 users.

The first reconciliation failed after a couple of minutes, because the errors in the error log went over the 100 error threshold limit. The error message we were receiving was: ADsOpenObject(): 0X8007203A: , , The server is not operational. When we checked with test resource connection, it turned out that the connection to the AD server was intermittent. It turned out that the domain controller we were using was in a different geographical location from our Identity Manager server. This shouldn't be a problem, but we decided to change to a domain controller located at the same site as our Identity Manager server and restart the reconciliation.

The painful thing about reconciliation is that it needs at least one successful reconciliation before it can do incremental reconciliation. After waiting a couple of hours, the reconciliation failed at around 50%, and this time it took the AD service down with it. Now we were really in trouble. We tried other workarounds like using bulk action and loading from a file, but those didn't succeed either. And we also didn't have full confidence in blaming the AD side, since the environment is a bit different from our UAT, and also because we're using IDM version 6.0 with SP1, which doesn't have official support for Windows 2008 Server. But suggesting an upgrade at a time like this would mean suicide and take longer to implement. So we were stuck.

After many long nights, a successful test with Windows 2008 in the UAT environment, and a support ticket, we finally managed to do a full reconciliation. But only after we restarted the gateway server.
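An added example (not code from the original post or from Identity Manager) of how an intermittent resource connection interacts with a fixed error threshold, and why a single "test resource connection" that passes can hide the problem. The reconciliation loop, the threshold handling, the flaky lookup (failing on every 100th call) and the 20.000-user list are all constructed for the example; the error text is the one quoted in the post.

```python
ERROR_THRESHOLD = 100   # the reconciliation error limit mentioned in the post


class ResourceError(Exception):
    """Raised when the resource (here, the AD gateway) cannot be reached."""


def make_flaky_lookup(fail_every):
    """Constructed stand-in for the AD lookup: every `fail_every`-th call fails."""
    calls = {"n": 0}

    def lookup(user):
        calls["n"] += 1
        if calls["n"] % fail_every == 0:
            raise ResourceError("ADsOpenObject(): 0X8007203A: The server is not operational")
        return {"user": user, "found": True}

    return lookup


def reconcile(users, lookup, threshold=ERROR_THRESHOLD):
    """Process users in order and stop once the error count exceeds the threshold.

    Returns a summary with the status, how many users were attempted, how many
    errors were logged, and how far through the user list the run got.
    """
    errors, attempted = [], 0
    for user in users:
        attempted += 1
        try:
            lookup(user)
        except ResourceError as exc:
            errors.append((user, str(exc)))
            if len(errors) > threshold:
                return {"status": "failed", "attempted": attempted,
                        "errors": len(errors), "progress": attempted / len(users)}
    return {"status": "ok", "attempted": attempted,
            "errors": len(errors), "progress": 1.0}


def probe_from_lookup(lookup):
    """Turn a lookup into a yes/no connection test, like 'test resource connection'."""
    def probe():
        try:
            lookup("probe")
            return True
        except ResourceError:
            return False
    return probe


def connection_stability(probe, attempts):
    """Repeat the connection test; one pass says nothing about an intermittent link."""
    failures = sum(0 if probe() else 1 for _ in range(attempts))
    return {"attempts": attempts, "failures": failures, "failure_rate": failures / attempts}


if __name__ == "__main__":
    users = [f"user{i:05d}" for i in range(20000)]     # constructed, same size as in the post
    print(reconcile(users, make_flaky_lookup(fail_every=100)))
    print(connection_stability(probe_from_lookup(make_flaky_lookup(fail_every=7)), 20))
```

With one failure per hundred lookups the 101st error lands at user 10100, so the run aborts a little past the halfway mark even though 99% of lookups succeed; repeating the connection test a few dozen times surfaces that failure rate, where a single test usually reports success.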

To summarize, you need to look at the details of these things in your roll out procedure:

- The exact server version of the resource: is it still supported, and does the internet show a lot of problems with that version of the resource?

- Don't install the gateway service and the password sync on a domain controller, because when you need to restart the server there are a lot of problems that you will face, technically and bureaucratically.

- Do a simulation so you'll find out if there's some data that you still need from the user.

- List all of the XML objects that you will upload to the server. Make sure they won't overwrite a configuration on the server, like a Resource, config, etc.

- Prepare an alternative method in case your data loading process fails.

Okay, it's time for some rest :)

Thursday, 12 February 2009

Testing in Identity Manager

If you're using Firefox, there is a plugin called Selenium IDE that you can use to test your customizations. This extension acts like a robot, so you can automate the tests.

Thursday, 08 January 2009

Complete manual activity without having to approve the activity

In the form, create a field named ':complete' and set its value to 'true':

<field name=':complete'>
    <default>
        <s>true</s>
    </default>
</field>