Not only does my knee still work, but I can still snowboard too. We went to Rabbit Hill on Sunday the day after I got back from Brainshare, and again yesterday. Rabbit Hill closes for the season this weekend so we had to get our last few runs in.
Yesterday was very warm, and the snow was melting fast. The wax on my snowboard didn’t like the snow, resulting in progressively less sliding ability all day, and a buildup of gross slimy dirt on the base of the board. Jenn’s board did that too, but not as bad. Apparently, the factory wax is better for warm weather than the wax Scott Currie put on my new board when I bought it from him. I have to figure out how to get the crud off before we go to Marmot Basin for our (probably) last boarding outing of the season.
TUT361 IDM 3 and Provisioning – Beyond the Out-Of-The-Box Templates.
This is very disjointed because it is just a brain-dump written during the presentation and not edited at all.
The workflow pieces are similar to the transformation rules in DirXML. They are documents defined in XML and attached as attributes to entities in the eDirectory driver object for the workflow driver (the user application driver).
There are lots of templates in the IDM manager for creating workflows, that have predefined XML files. These can be used in wizards in iManager or in the Eclipse Designer tool. The iManager piece is the default tool, and it can be used to fill out the standard templates. If you want to go beyond the templates you need to dig in to the XML or use Designer.
You can manually edit the documents by grabbing them inside iManager and getting them into EMACS (insert your xml editor here). Then you are kind-of back into the DirXML (Identity Manager 1) world. Woohoo. That’s where I spent some time when we implemented our identity management stuff.
You can extend the schema with custom attributes, and use them in custom workflows, putting data widgets on the forms on the user application to access them. You can also show any data that is available in the directory abstraction layer namespace. These attributes are shown inside the iManager tool. The schema used in the workspace is all in the namespace of the directory abstraction layer of the user application, not the namespace of eDirectory.
There is a function in the xml called flowdata, which allows you to pass your custom data along with the workflow, through the steps.
One limit of the tools is that the iManager interface is only able to generate Entitlement-type workflows, because that’s all the templates do. For other types of workflows, you have to do custom workflows.
The workflow XML allows you to insert custom controls into the form elements to manage attributes in the directory, including any custom attributes you may have added to the schema.
Some of the tools shown in this demo were just released this week and are available on Cool Solutions.
In the xml, the Process element is the root of the process definition xml document. It is localizable. Form elements are the request and approval form data elements. They can contain data fields, display-labels, props (properties) and controls. Control types determine the display type of the data on the form. They consist of a whole bunch of visual types like text, linebreak, staticlist, datepicker, textarea, etc, depending on what you want to display and what data you need to collect for your workflow. Each control can have an Editable property which can be true or false. There is also the ability to use a regular expression as a property that validates data input on the forms. The DN Display element shows data from the directory abstraction layer, and a True False element is just a boolean selector element.
Data-item elements define which data items are available in the workflow. You can hard-set them, or use flowdata.get functions or other functions, to obtain them from the workflow process. You have to define a data-item in order to pass data from one phase of the workflow process to the next.
All processes have one or more start activities. Attributes of start activities are “audit” which can be off or on and forces auditing, and there is a timeout attribute that expires the workflow. Elements of the start activities are Notify, for email notifications, with all the settings you need to alert your auditor or process participants.
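Once you start hand-editing these documents in a text editor, the thing I would want is a lint pass before attaching the result back to the user application driver. The script below is an added example of mine, not Novell’s code and not something shown in the session: it parses a workflow document, checks that every flowdata.get() reference names a data-item or form control that actually exists, that every regular-expression validator compiles, and that no start activity has auditing switched off or is missing a timeout. The element and attribute names it looks for (process, form, control, data-item, start-activity, audit, timeout, validate, editable) are an assumed shape reconstructed from the notes above, not the real IDM 3 schema, so the checks would need re-pointing at the real names before use.

```python
"""Lint a hand-edited provisioning workflow definition before it is attached
to the user application driver.

Added example, not Novell's code. The element and attribute names are an
assumed shape inferred from the session notes, not the real IDM 3 schema."""
import re
import xml.etree.ElementTree as ET

# Constructed sample with three deliberate problems: a flowdata reference to
# an undefined key, a validate regex that does not compile, and a start
# activity with auditing switched off.
SAMPLE_WORKFLOW = """\
<process id="grant-share-access" localizable="true">
  <form id="request">
    <control name="reason" type="textarea" editable="true"/>
    <control name="employee-id" type="text" editable="true"
             validate="^[0-9{6}$"/>
    <control name="expires" type="datepicker" editable="false"
             validate="^[0-9]{4}-[0-9]{2}-[0-9]{2}$"/>
  </form>
  <data-item name="initiator" value="${initiator}"/>
  <data-item name="requester" value="flowdata.get('initiator')"/>
  <data-item name="manager" value="flowdata.get('manager-dn')"/>
  <start-activity id="start" audit="off" timeout="P7D">
    <notify to="approver"/>
  </start-activity>
</process>
"""

FLOWDATA_REF = re.compile(r"flowdata\.get\('([^']+)'\)")


def lint_workflow(xml_text):
    """Return a list of findings; an empty list means the document passed."""
    root = ET.fromstring(xml_text)
    if root.tag != "process":
        return ["root element must be <process>, found <%s>" % root.tag]
    findings = []

    # Keys that a later step may read back through flowdata.get(): every
    # declared data-item plus every form control that collects input.
    sources = {d.get("name") for d in root.iter("data-item")}
    sources |= {c.get("name") for c in root.iter("control")}

    for item in root.iter("data-item"):
        for key in FLOWDATA_REF.findall(item.get("value", "")):
            if key not in sources:
                findings.append("data-item %r reads undefined flowdata key %r"
                                % (item.get("name"), key))

    for control in root.iter("control"):
        name = control.get("name")
        if control.get("editable") not in ("true", "false"):
            findings.append("control %r: editable must be true or false" % name)
        pattern = control.get("validate")
        if pattern is not None:
            try:
                re.compile(pattern)
            except re.error as exc:
                findings.append("control %r: invalid validate regex (%s)"
                                % (name, exc))

    for start in root.iter("start-activity"):
        if start.get("audit") != "on":
            findings.append("start activity %r has auditing switched off"
                            % start.get("id"))
        if not start.get("timeout"):
            findings.append("start activity %r has no timeout" % start.get("id"))
    return findings


if __name__ == "__main__":
    for finding in lint_workflow(SAMPLE_WORKFLOW):
        print(finding)
```

Running it on the constructed sample reports the three planted problems in document order. The audit check is the one I would keep strict: a workflow that provisions access with audit="off" leaves the resource owner unable to see who was granted what, which is the point of the auditing feature in the first place.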
It really seems that what you would do is do a lot of your work in Designer, in the gui tool, and then when you get to tweaking, you would do that in a text editor.
I gotta get this working in Engineering.
I just talked to my Mom, and apparently Dad’s doing well today after his quadruple bypass yesterday. He ate breakfast, and was sitting up and acting alert this morning. I also just found out they changed the power supply out in his pacemaker to boot. Anyways, the mood has lightened all around our family today.
We did find out, however, that we’re going to have to go through all this again next week as Jenn’s dad Klaus goes in for a bypass on next Wednesday. It never rains.
I took notes at some sessions that were not super-technical rather than live-blogging. I also ran out of power a couple of times and couldn’t blog in the sessions so I did dead-tree blogging instead. I’ll be adding some more postings for ones I haven’t covered yet as I get time.
Stuff I haven’t posted yet includes:
- Canadian Brainshare Reception
- GroupWise 7 Overview and Futures
- OES Server Overview and Futures
- What’s New With Novell Enterprise Linux Desktop 10 very cool
- Counting Crows Concert
- Identity Manager 3 – Configuring the User Application
- E-mail Archiving Solutions
and later today
- Advanced ZENworks Linux Management
As you can see, I have a lot of writing to do. I have some time Friday afternoon, so I’ll catch up then.
IO163: Novell Identity Manager Overview and Futures
Key concept is that there is a main Identity Vault for Identity Manager. It doesn’t have to be authoritative for everything, but it contains the whole identity for individuals, aggregated from whatever sources throughout your systems that are authoritative for each piece.
An example is if you have your HR system be authoritative for most user attributes, but other places are authoritative for filesystem access, and maybe the email system is authoritative for email addresses. This is an example of “Role Based User Provisioning”, where an initial resource creation in one system kicks off an automated provisioning process that creates accounts on servers, desktops, mail systems and enterprise applications.
The corollary of this is “Role Based De-Provisioning”, which means a single event should be able to kick off a workflow that ensures that access is quickly and completely revoked for departing staff members. We need work in this area, as we have been managing it with paper workflow, and it could be faster if we automated some of it.
IDM 3 was released in 12/2005, and in addition to having much improved configuration tools and tasks and an expanded list of datastore connector drivers, they have included some very amazing workflow tools that incorporate dynamic provisioning workflows for all kinds of identity requirements. It also incorporates a lot of features that enable identity regulatory compliance for organizations that have strong regulatory requirements.
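To make the vault idea concrete, here is an added example of my own (not Novell’s code, and not anything shown in the session) of the two halves described above: aggregating one identity record from several systems where each attribute is taken only from the system that is authoritative for it, and turning a single HR termination event into the full list of revocations across every system that holds an account. It also lists orphaned accounts, i.e. accounts in a connected system with no HR record behind them, which is exactly the gap a paper-based off-boarding process leaves. The source systems, attribute names, employee ids and the AUTHORITY map are all constructed for the example.

```python
"""Per-attribute authority in an identity vault, plus event-driven
de-provisioning and orphan detection.

Added example, not Novell's code. Every system, attribute and record below
is constructed for illustration."""

# Which connected system is authoritative for each attribute.
AUTHORITY = {
    "full_name": "hr",
    "status": "hr",
    "email": "mail",
    "home_share": "filesystem",
}

# Constructed snapshots from each connected system, keyed by employee id.
# Note the stale email in HR: it must lose to the mail system's value.
SOURCES = {
    "hr": {
        "100042": {"full_name": "A. Example", "status": "active",
                   "email": "stale@example.test"},
        "100043": {"full_name": "B. Sample", "status": "terminated"},
    },
    "mail": {
        "100042": {"email": "a.example@example.test"},
        "100043": {"email": "b.sample@example.test"},
        "100099": {"email": "orphan@example.test"},
    },
    "filesystem": {
        "100042": {"home_share": r"\\files\home\aexample"},
        "100043": {"home_share": r"\\files\home\bsample"},
    },
}


def build_vault(sources, authority):
    """Aggregate one record per employee id. Each attribute is copied only
    from the system that AUTHORITY names for it; other systems' copies of
    the same attribute are ignored. The set of systems holding an account
    is recorded so de-provisioning knows where to go."""
    vault = {}
    for system, records in sources.items():
        for emp_id, attrs in records.items():
            entry = vault.setdefault(emp_id, {"employee_id": emp_id,
                                              "accounts": set()})
            entry["accounts"].add(system)
            for name, value in attrs.items():
                if authority.get(name) == system:
                    entry[name] = value
    return vault


def deprovision_actions(vault, event):
    """Expand one termination event into a revocation per connected system,
    so nothing is left to memory or a paper checklist."""
    entry = vault.get(event["employee_id"])
    if entry is None or event["type"] != "terminate":
        return []
    return sorted(("revoke", system, entry["employee_id"])
                  for system in entry["accounts"] if system != "hr")


def orphaned_accounts(vault):
    """Employee ids present in connected systems but absent from HR."""
    return sorted(emp_id for emp_id, entry in vault.items()
                  if "hr" not in entry["accounts"])


if __name__ == "__main__":
    vault = build_vault(SOURCES, AUTHORITY)
    print(vault["100042"])
    print(deprovision_actions(vault, {"type": "terminate",
                                      "employee_id": "100043"}))
    print("orphans:", orphaned_accounts(vault))
```

The orphan report is the piece I would run on a schedule independent of any workflow: it catches the accounts created by hand, outside the vault, that no termination event will ever reach.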
Auditing is a key functionality. People who are responsible for resources are able to see exactly who has been given access to what.
We should look at IDM3 to auto-deploy Linux accounts on our gazillion Linux servers. Alternatively, get LDAP LUM integration working.
A new security feature is the ability to have encrypted attributes end-to-end. That includes encrypted data stored right inside the identity vault. Passwords, secrets etc. can be stored inside eDirectory in encrypted form for the use of IDM.
The presenter went through the workflow features again. This is pretty cool technology that we could really leverage. It occurs to me that you need strongly documented policies for corporate work processes if you want to implement this kind of workflow stuff. Detailed documentation would need to be developed and approved with the all the stakeholders prior to implementation. Once the documentation is produced, in general there is no actual programming required for most basic workflow operations.
The system also includes functionality of eguide, but also integrated with the workflow engine, plus email, instant messaging integration, and other advanced features.
Oops, out of laptop power. Switching to dead-tree blogging. Should be updated later.
TUT273: Novell IDM 3 – Configuring the Workflow Based Provisioning System
This is part of the user application that runs as a J2EE WAR file on JBoss. It uses database tables to contain its data, and it supports the embedded MySQL database that comes with it, or SQL Server or Oracle.
The user app includes search, list, org chart portlets, password self service, lightweight user admin, workflow, personalization and portal provisioning portlets. There is an eclipse plugin available on novell forge to manage this.
The main focus of the presentation was demonstrating a lot of the workflow features, but not a lot about setting up workflows. They described the functionalities of IDM3 workflow, including user requesting a provision, and then the whole approval process in the web application.
Then they went into iManager and went through the tasks of configuring a workflow. This is done using an IDM driver for the user application / workflow, that was very similar to any other IDM driver. It should be possible to use this in conjunction with a driver that can talk to SQL Server, to provide automatic provisioning of users from Deltek Vision, with approval and input from network administrators, and that kind of stuff. The iManager tools were very gui-ish and have the ability to let you set up groups for approval, so that anyone in the group can approve a given request for access, and you can set up additional data entry, like setting properties on the provisioning request in-process. You can make requests time out, or escalate up the chain of command, or fancy stuff like that. It requires a lot of configuration of your actual identity store data, like manager hierarchy and stuff like that if you want it to work.
All in all, it looks like we could implement the hire/fire/cleanup of users with this much more easily than in a custom application.
We need to try it out in Engineering like Ed suggested.
I love coming to Brainshare, but this year I had a personal family event that I would have preferred to be home for. My dad went in for open heart surgery today. We’ve all been worrying about it since a couple of weeks ago when it was first scheduled for last Thursday. Then it was cancelled, and then rescheduled for today. He went in before dawn this morning, and after over 5 hours of work they came out and told my mom that it went well, they’d repaired four blood vessels, and he was doing well. I reckon she about fainted.
I can’t keep my cellphone on all the time here because Verizon bends you over to the tune of about $300 of roaming charges for the week, without any calling, so I couldn’t get a call. Jenn was tasked with emailing me and I kept clicking Send/Receive in Evolution today until the colour just about wore off the pixels on the icon. Finally I got the message from Jenn that he did OK and was in recovery. What a relief. If anybody reads this, we’d appreciate you sending your good thoughts to him as he recovers.
TUT269: Novell iChain Migration to Novell Access Gateway
There are two ways Access Manager will ship: As a Linux version or as a NetWare version. The Linux version can be installed on one machine, but the NetWare one will require two. The Linux one is based on SLES 9 SP3 and the NetWare one is NetWare 6.5 SP5.
There is a common management interface that lets you manage all pieces in one interface, and manage a bunch of them together with a common configuration set. The new one supports working behind a NAT firewall, rather than right on the gateway.
They talked about the data flow, which consists of a lot of little arrows labelled A, B, C and so on pointing in different directions between various multicoloured boxes. The highlight is that they built it so that it was componentized so they could use parts of it to validate web sites like iChain, and plugins to talk to java application server plugins to authenticate web applications, and to authenticate ssl-vpn users.
They showed some significantly complicated architectures with L4 switches, multiple access gateways, multiple firewalls, and all kinds of stuff that we don’t need. We can get by pretty much with a one-box gateway at each Internet gateway, like we do now with iChain. I expect the best way to go to the new version will be to build a new one in the local gateway site, on new hardware, then convert the other one to a second one in the other gateway site.
The proxy server component stores the protected resource configurations, in xml files one per publicly accessible server. The identity server machine stores the roles and policies for authorization, formfill, and identity injection (formerly called OLAC).
The user experience should be the same. The migration probably has to be done over a period of time. Hardware requirements are still being determined and a white paper for hardware sizing will be available later. On linux, the Access Gateway supports multiple CPUs and takes advantage of them for performance. It doesn’t support SLES9-64, only 32-bit.
There are a lot of new features in it that support very large installations, but we probably won’t use most of the high availability server pieces.
TUT200: Virtualization Technology in the Data Centre
Today’s problems in addition to security, identity, etc. also include the same old thing to do with underutilized servers, overprovisioned datacenters, and inefficient use of our IT infrastructure componentry. Virtualization is one approach to reduce this inefficiency. The other area it addresses is high availability and business continuity.
In virtualization, emerging trends are standards, open source, federated identity, automated policy-based provisioning, and virtualization of workload on commodity platforms.
IT stuff will be operated as services. Some you will operate yourself, and some you will consume from others. In general, you will consume ubiquitous services like power, water, datacomm, payroll, order fulfillment, email, crm, erp. You will operate strategic benefit services like design, scm, derivative trading models, manufacturing, erp, crm. This varies of course depending on what type of business you are in and what types of services are strategic for your business.
Sugar CRM supports various methods of consuming their software. First you can outsource it to them. Second you can install it and run it yourself. Third you can buy it on an appliance and run it yourself but get it maintained by Sugar.
A key focus is to make IT manageable. If you want to go to utility-based computing using virtualization you need management tools to really leverage it. Novell has most of this stuff available in Enterprise 10 Linux, along with ZENworks.
Reasons for virtualization:
- Divide a physical server into multiple vms for higher utilization.
- Unite physical servers into one large vm for scale and availability.
- Flexible management of your workloads (migrate your services to lower-loaded machines).
Available solutions: User mode linux, VMware, Virtual Iron (combine physical machines into larger virtual ones or subdivide into smaller ones) and Xen (paravirtualization). VMware is the most mature, and Xen is the fastest. VMware and Virtual Iron have the best management tools right now. Xen requires modified guests or hardware assistance via VT technology in processors. Xen 3.0 adds the ability to run unmodified guests on VT processors and the ability to dedicate physical devices to guests while hiding them from the hosts.
OSes that work on Xen without VT assist include Linux, NetBSD, FreeBSD, NetWare viX, and they are working on Solaris.
With Xen, there is a host OS, but it stands beside the guests, rather than underneath them. It just provides physical device redirection, but doesn’t actually virtualize the processor or anything like that. The performance impact on guest vms in Xen is minimal.
The idea of NetWare going forward is to Xen-virtualize it on SLES, to allow you to maintain it indefinitely if required, so that hardware vendors don’t have to keep developing drivers. Linux and Windows drivers get developed quickly and then vendors move to NetWare drivers, maybe, if they have time. Xen lets them concentrate on Linux and Windows and let Xen take care of NetWare.
If you want to test this today the virtualized NetWare is not available, but you can virtualize OES Linux. Use the SUSE Enterprise Beta 8 as a host, and get the latest Xen for SUSE release from novell forge because the one on SUSE Beta 8 is not the latest.
Guest configurations are stored in /etc/xen. The files are kind of similar to grub menu.lst files. Disk images for VMs can either be on shared storage, or can just be subdirectories on Domain0’s filesystem. If you want to get migration capability, you need shared storage that can be mounted by multiple hosts.
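Since the /etc/xen guest files of that era are actually Python syntax, here is an added example of mine (not from the session, and not part of the Xen or SUSE tools) that reads one and reports whether every disk the guest uses is on storage the other hosts can also mount, which is the precondition for migration described above. It deliberately pulls the assignments out with the ast module instead of exec()-ing the file, so a config file can never run code on Domain0 just by being parsed. The config text, the guest name, the SHARED_MOUNTS list and the paths are constructed; the disk entry syntax ('file:/path,hda,w' and 'phy:/dev/...,hdb,w') is the legacy xend format.

```python
"""Read a legacy /etc/xen guest config and report whether its disks live on
storage that every host can mount, the precondition for migration.

Added example, not from the session or from the Xen/SUSE tools. The config
text and SHARED_MOUNTS are constructed; the disk entry syntax is the legacy
xend format."""
import ast

# Constructed guest config in the legacy python-syntax format. The first
# disk is a plain file under Domain0's local filesystem, the second is a
# logical volume on a constructed shared volume group.
SAMPLE_CONFIG = """\
name = "oes1"
memory = 512
kernel = "/boot/vmlinuz-xen"
disk = [ 'file:/var/lib/xen/images/oes1/disk0,hda,w',
         'phy:/dev/vg_shared/oes1_data,hdb,w' ]
vif = [ 'mac=00:16:3e:00:00:01,bridge=xenbr0' ]
"""

# Constructed: mount points and device prefixes backed by shared storage.
SHARED_MOUNTS = ["/srv/xen/images", "/dev/vg_shared"]


def parse_config(text):
    """Collect only simple `name = <literal>` assignments. exec() would run
    arbitrary code from the config directory as Domain0's root; literal_eval
    accepts nothing but strings, numbers, lists, tuples and dicts."""
    values = {}
    for node in ast.parse(text).body:
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            try:
                values[node.targets[0].id] = ast.literal_eval(node.value)
            except ValueError:
                pass  # a non-literal expression: skip it rather than run it
    return values


def parse_disk(spec):
    """'file:/path,hda,w' -> ('file', '/path', 'hda', 'w')."""
    backend_path, device, mode = spec.split(",")
    backend, path = backend_path.split(":", 1)
    return backend, path, device, mode


def is_shared(path, shared_mounts):
    """True when path equals or lies under one of the shared mount points."""
    return any(path == m or path.startswith(m.rstrip("/") + "/")
               for m in shared_mounts)


def migration_report(config_text, shared_mounts):
    """Per-disk backing summary plus an overall migratable verdict: one
    local-only disk is enough to rule migration out."""
    cfg = parse_config(config_text)
    report = {"name": cfg.get("name"), "disks": [], "migratable": True}
    for spec in cfg.get("disk", []):
        backend, path, device, mode = parse_disk(spec)
        shared = is_shared(path, shared_mounts)
        report["disks"].append({"device": device, "backend": backend,
                                "path": path, "mode": mode, "shared": shared})
        if not shared:
            report["migratable"] = False
    return report


if __name__ == "__main__":
    result = migration_report(SAMPLE_CONFIG, SHARED_MOUNTS)
    for d in result["disks"]:
        print("%s %s:%s shared=%s" % (d["device"], d["backend"], d["path"],
                                     d["shared"]))
    print("migratable:", result["migratable"])
```

On the constructed config the verdict is not migratable, because hda is a file in a subdirectory of Domain0’s own filesystem; moving that image under the shared mount (or onto the shared volume group) is what would flip it.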