Fribert Consult

Main Menu

ZENworks Cool Solutions

24-08-2011, GWAVACon 2012 Registration Open >>

16-08-2011, Content Synchronization Status Report Set - Oracle >>

11-08-2011, GWAVACon EMEA - Novell Sessions Announced >>

09-08-2011, ZENworks 11 Support Pack 1 is released >>

05-08-2011, ENGL Imaging Toolkit 7 BETA - Registration open >>

28-07-2011, ZCM 11 comparison to SCCM 2007 R3 >>

Comparing Novell ZENworks 11 to Microsoft System Center Configuration Manager

Novell ZENworks can offer your business a long list of unique benefits and
advantages. It is based on a new Novell ZENworks 11 platform that combines and
integrates configuration, asset, patch, and endpoint security management for
Windows and Linux desktops. It offers a single, modular architecture that maximizes
flexibility and scalability, simplifies and speeds management throughout the device
lifecycle, minimizes processing demands on managed clients, reduces bandwidth
consumption for management processes and uses standards-based protocols to
seamlessly integrate with your choice of user directory and object database. It lets
you manage systems based on users identities, roles, groups and locations, so IT
can work hand-in-glove with the company’s business priorities and policies. Finally, it
gives you a secure, web-based console for unified control over all your management tasks—from virtually anywhere.

Of course, Novell ZENworks 11 is not the only endpoint and configuration
management solution on the market and Microsoft's System Center Configuration
Manager 2007 ( SCCM ) is one of many that it competes against.

But first, what should you really be comparing?

Novell ZENworks 11 and Microsoft's System Center Configuration Manager offer a
wealth of features. They are designed to manage not just your environment, but
countless others as well. These may be a single site with a few hundred identical
devices, multiple sites with several thousand devices, those that span multiple time
zones and political borders, computers in kiosks, in libraries, on cruise ships; the list
is almost endless.
In fewer words, they contain more features than you would ever need or even use.
Given this, does it make any sense to compare products to each other on a feature
basis? It really doesn't.

You should firstly compare products against the list of capabilities that are required
to manage your environment and only then look at how each product compares
against each other for delivery of that capability.

Notice how we've changed from discussing features to that of capabilities. Lets
define a capability; its a collection of features that satisfy a business requirement.

Build a matrix that calls out the capabilities that you require. Mark these as Must have and Nice to have to indicate their importance. One tip; do not copy from a vendor product flyer.

Once you have built your list, only then start the comparison process. This should
include a proof of concept test for all the solutions under consideration to provide
worthwhile results. After all, you would never purchase an automobile based on the
nice pretty brochure, a test drive is always in order.

Next steps

If you want to find out how Novell ZENworks 11 to Microsoft System Center
Configuration Manager 2007 R3, download the attachment and take a look.

Attachment	Size
novell-zenworks-_11_sccm-2007r3_keystrength_v1-7.pdf	188.97 KB

End-User Computing

Attachment(application/pdf)

28-07-2011, How to Migrate Primary ZCM Servers >>

Deciding how to upgrade your aging ZCM hardware or the best method to move the server from Linux to Windows can be complicated. So let me try to make it easier for you, but first please do some pushups or jumping jacks. I want your mind to be sharp and full of oxygen.

Option 1

Upgrading the original server and then adding the new hardware to the zone is the least preferred.

I don't like it because it has extra steps and it requires that the original server remain in operation for a period until all workstations have the updated zone configuration.

This option does allow you to migrate from a Linux Primary server to a Windows Primary server and the other way around too. Also option 2 will not work if the original server is too small or poorly designed.

Option 2

The second option is nice because you have a backup if the upgrade fails and the old hardware can be retired immediately.

Choosing option 1

Upgrade the original server to version 11 (performed with the iso)
Apply post patches. At the time of this writing, Cumulative Update 2 is recommended, although SP1 is soon to be released. SP1 will be a better choice as you can upgrade directly from 10.x to 11 SP1.
Install the second server (performed with the iso)
Migrate the certificate services
1. Backing Up the Certificate Authority
2. Restoring the Certificate Authority
Migrate the database
Update the closest server rules
Update any switches that are configured with helper addresses for imaging
Monitor the original server for any machines that are still contacting it
Retire the old server. Follow the steps to remove a server from a zone.

Choosing option 2

This option is really easy. Create an image of your old server using any DISK cloning software. See List of disk cloning software for a list
Clonezilla is usually a good choice if you are looking for free
Shutdown the old server
Restore the image
Upgrade to version 11
Have a beer

Editor's Note: With option 2, it's important to be sure that the Operating System you're moving from the first server will run on the second (there may be hardware driver issues for example).

Cool Solutions

27-07-2011, MindWorks: ZEDCM Log Viewer for ZENWorks Configuration Management >>

MindWorks: ZEDCM Log Viewer for ZENWorks Configuration Management

Version: 2011

As your systems grow and complexity increases so does the size of your log files – analysing such files with ZEDCM is simplicity itself. Most engineers use word processors or simple editors like Notepad to view their log files in the early days but as the file size grows things tend to become more difficult. The ZEDCM Log Viewer was designed to solve this problem by an engineer who no longer had the time to parse the logs line by line and hope that he didn’t miss something along the way.

Click to view.

With ZEDCM it is possible to search logs by any error or text. Threads of communications are easy to trace and follow by filtering by thread number. By selecting errors within the log details of the exception are displayed in an easy to follow format.

Filtering is available on a column by column basis of the log view. Right clicking on the Source column for example displays the following filtering options and lists the types with the number of times they occur in the file.

Click to view.

Of course log files change constantly so a simple click on the reload button reloads the current log view with the latest updates.

All in all this is a very intuitive tool designed to help ZEN engineers on a day to day basis.

The cost of the software is $95 which includes all updates and maintenance for twelve months. Subsequent years maintenance will be charge at $50. The software will be maintained to be compatible with all current versions of ZCM. 25% of the revenue from this product will be used to sponsor training events for academic sites who make use of Novell solutions, via the TTP organisation.

The download version of the software is fully function other than only processing the first 100 lines of any log file. When a license is purchased a key is supplied to paste into the license box and unlock the software.

Go here to download the demo version of the software.

Go here to purchase the full license.

If you have any further questions please email Peter Atkins (peter@mindworksuk.com)

Cool Solutions

23-07-2011, New Community Chats for GroupWise, OES, and ZENworks users >>

22-07-2011, Recordings for the Novell Tech Training Webinar Vol. 26 >>

GroupWise Cool Solutions

24-08-2011, GWAVACon 2012 Registration Open >>

24-08-2011, GroupWise: In the News!! >>

GroupWise seems to be in the news a lot recently as customers, analyst and partners continue to find value in Novell's Collaboration Solutions.

GroupWise: E-Discovery

This article, Government Agencies Look Within to Solve E-Discovery Woes recently published on law.com, highlights many of the challenges facing government agencies as their budgets are scrutinized and the demand for resources required for electronic data discovery (EDD) increases. One of Novell’s customer’s is quoted in the article as they also struggle with the burdens of EDD. The customer is NARA (National Archives and Records Administration). Jason Baron, director of litigation at NARA says, “ "At NARA, we use GroupWise, not Outlook, for our own e-mail, making us different from many other agencies.”

GroupWise has many partners who offer solutions in this space including GWAVA with their product Reveal. Computhink, Atempo, Advansys, Gaggle, Globolog, mimecast, MessageSolution, Messaging Architects, Sonian, and SilverDane all have solutions in this space.

Check out the GroupWise Partner page for a list of these partners and how to contact them.

Michael Osterman

Recently, Gert at gwcheck.com, published an interview with Michael Osterman, an industry analyst that covers collaboration. Here is an exerpt from that interview.

I believe that Novell’s problem over the years, and Attachmate’s problem now, has been that senior decision makers in many organizations that use GroupWise aren’t sure where the platform is going or what the long-term roadmap looks like.

As a result, many are migrating to Exchange – not because Exchange is a better system technically, but because Microsoft has done a very good job at establishing a long-term roadmap across all of the company’s messaging and collaboration offerings.

To be sure, Microsoft has offered financial incentives and has been aggressive in its licensing policies, but I believe the fundamental differentiator has been their ability to build confidence among those who make financial decisions about spending for messaging and collaboration platforms.

The bottom line, in my opinion, is that Attachmate/Novell needs to develop a solid, long-term plan for GroupWise and push very hard on the messaging around it.

If corporate decision makers can be convinced that GroupWise has a lower total cost of ownership and that it’s roadmap will satisfy organizational requirements for robust messaging and collaboration functionality for many years to come, most of them will stay with GroupWise – and Attachmate/Novell will be able to gain some new converts, as well.

This message and feedback from Michael Osterman corresponds directly with Novell's new management and their committment to GroupWise, Vibe and Mobility. BrainShare will be the place where we reveal more details about our more rapid release schedule and more aggressive delivery of solutions.

Novell Vibe Press Release by one of our partners

Share your point with Novell Vibe

GroupWise is not the only product that is getting some good press and is being recognized by our customers as real solutions for their business needs. The quote from the article is:

“Whether you need to share a document with your team, create a wiki, engineer a business process or merely blog about the activities of your company, department or team to keep everyone up to date, Novell Vibe will allow you to do just that, and more.”

With our increased integrations between GroupWise and Vibe, these collaboration solutions will become more and more compelling and complimentary.

Firestone – the next release of Novell Vibe is scheduled for mid-Q4 release and includes better file versioning management, Novell Data Synchronizer Vibe Connector which synchronizes Tasks and Appointments from Vibe to GroupWise

GWAVACon Munich

GWAVACon EMEA is being held during Oktoberfest this year in Munich. Alex Evans, Kari Woolf and myself will be attending and presenting GroupWise Ascot, Mobility and Vibe content. Of course, we will be accompanied by Kai Reichert and other local Novell team members.

GroupWise Mobility – version 1.2

Just to make sure you know, Novell DataSynchronizer Mobility Pack 1.2 shipped earlier this month. Two major advancements in this release include support for HTML email for all IOS devices and increased scalability to 500 users per server. Check out Alex Evan's blog for additional details

Dean

Data Synchronizer Cool Solutions

20-08-2011, Crazy Times and People >>

So, I thought I would write about some of the things I have seen and heard in education, some of it can be a bit frustrating and irritating if it was not so ridiculous. So I want to post it here to get it off my chest.

So as a little background. I work for a School district of about 10K kids and 1K employees. We have always used Novell as our NOS and it has served us well. We support 1000 computer per tech and have almost instant service (except of course around school start). We standardized on Windows Desktop about 10 years ago when we had twice the number of techs, half the computers and were 4 months behind on requests. So we have come quite some way since then.

As you might imagine we do not support macs, we do not have macs or ipads, or iphones so we never even looked at integrating them.

So this is where it starts:

We get a new Superintendent. He is not here more then a couple of days before he makes the announcement that we are behind on technology. He tells me this and his sole reason for this is because his iPhone (which we did not support) did not sync to our email and he cannot get his calendar and contacts on it. This was the first time I even knew he wanted it to sync but we are behind because of that.
So I download Novell Datasync, install it and the GroupWise plugin and voala in a matter of less then a day it syncs. I configured his new ipad with the settings ( in the mean time he is using gmail and making his secretaries to copy everything over to gmail). So I get the iPad to work on the local wireless but need to update Internet DNS and let it propagate to configure access outside the network. So the Sup. takes his iPad home for the weekend and I get it back monday to test access via the Internet (which works) but I notice calendar is not showing GW events so I check the settings and he turned off Contacts and Calendar sync for GroupWise. So I guess he just wants the feeling that he can sync it if he wants?

Second Super fun bite. We lost our director and one of my techs meets with the Super to discuss possibly applying for the position. The super just got his new 27" iMac and tells the tech he has already seen a 20% increase in productivity with the new Mac over the PC. The reasoning was that he could run two applications side by side on that humungous screen. I am not sure how he quantified the increase, especially seeing as his PC had a 17" screen and he never used in the first place. I have to give me tech credit though, he said we have been doing that for over a year with dual screens. Not sure if the Super knows that PC's come with 27" screens as well, in fact it would have cost a lot less to just buy one for his current computer then it would have been to buy himself the new Mac. I do not think this guy knows that schools are a little short on money.

Another Super fun bite. One of our schools needs more storage, we use Fiber channel SAN for storage so we get a quote of another enclosure that would add 10TB to the SAN. Anyone that works on SANs know that storage is not cheap for SANs. So we send the req up and the Super stops it because he can not understand why 10 Terabytes is so expensive when he can buy a 1 TB Mac drive for $140. I end up having to give him a lesson on what the difference is between Fiber channel enclosures and hard drives. especially consumer grade drives and corporate grade dirves and the cost differences. This guy is a self professed tech expert, he taught C programming in high school, I guess C programming qualifies you to know everything about computers and networking.

I am sure there will be more to come. I may throw some teacher stuff in to, the Super is a little to easy right now to deviate yet.

Cool Solutions

13-08-2011, Getting notified when you have a new email >>

13-08-2011, GroupWise End of Life? No way! >>

11-08-2011, GWAVACon EMEA - Novell Sessions Announced >>

06-08-2011, Mobility Pack 1.2 Ships: Updated Scalability Recommendations >>

We reached another important milestone today by shipping Data Synchronizer Mobility Pack 1.2.

This Mobility Pack release offers new functionality, increased stability and performance, and resolution for customer-reported issues. Please note that since this release includes security updates, it is available to all GroupWise customers, regardless of maintenance status. For more information on these security updates, please consult the available TIDs. Customers can download Novell Data Synchronizer Mobility Pack 1.2 from Patchfinder or the Novell Customer Center.

Specific product enhancements include the following:

Increased Number of Supported Users: A single Synchronizer server can now support as many as 500 users/devices. I will talk more about this below.

HTML Support: E-mail items that display in HTML format in GroupWise now display in HTML format on Apple iOS mobile devices.

Reply/Forward Icons: If you reply to or forward an item on your mobile device, the typical Reply or Forward icon now displays when you view the item in a GroupWise client.

Plug-in for the Novell Technical Services supportconfig Utility: The Mobility Pack now includes a plug-in for the Novell Technical Services supportconfig tool, which gathers system information for analysis and troubleshooting your Synchronizer system.

Performance and Stability Improvements: Synchronization occurs more rapidly and consistently.

Improved Browser Support Synchronizer Web Admin now displays correctly in Internet Explorer 8 and 9 without enabling Compatibility View. Firefox 4 is fully supported.

For additional details on enhancements and resolved issues, you can access the product readme. For a list of the bugs that have been fixed since Mobility Pack 1.1, see Section 8.0, Mobility Pack 1.2 Bug Fixes in the product documentation.

Scalability
As mentioned, we did focus on scalability with this release, and we feel that we have been moving the bar since the initial release last year. We initially recommended 150 users per server, because we had seen issues with initial sync internally. At that point we were running about 220 users on our own server but felt more comfortable with a slightly lower recommendation. With this release we feel comfortable recommending 500 users or devices per server, based on the results we are seeing from our superlab testing.

Regular System
We tested this on a 2 Core 2.2Ghz system, with 4Gb of RAM. In order to better scale the system there are some tweaks that you will have to implement. NOTE: These recommendations are a departure from what we have listed in the documentation - what we have documented is where we are comfortable, given the testing we have done and as far as we can scale internally.

In /var/lib/pgsql/data/postgresql.conf:

set log_temp_files = 0
set max_fsm_pages increased to 409600
set shared_buffers to 256MB instead of 32MB

After making the above postgres configuration changes, you will need to restart postgres. To do that you will need to stop datasync (rcdatasync stop), restart postgres (rcpostgresql restart) and then start datasync again (rcdatasync start).

With this configuration we recommend maximum Users/Devices of 500.

Larger Systems
In our Superlab testing we were scaling way beyond this 500 number, however, this was with demo data and not real world usage. We are actually looking for customers who would be willing to push some limits on their Mobility Pack systems and give us feedback. If you have need to support more than 500 mobile users and/or devices then please let me know. This is what we believe are requirements to scale beyond the 500 mentioned.

Hardware Recommendations:
System Tested:8 Core 2.66Ghz, 8G Ram

Essentially we are finding the Mobility Pack is more CPU bound than anything else, and so really benefits from having additional (and faster) processors. The 8Gb of RAM is what was working for us, though we never consumed anywhere near that when running over 1000 users in the superlab.

Software Recommendations:

# Update the Sync Engine xml:
    * <redeliveryInterval>3480</redeliveryInterval>
    * <workerThreads>16</workerThreads>

The syncengine xml changes <redeliveryInterval>3480</redeliveryInterval> and <workerThreads>16</workerThreads> need to be placed in the <settings> section of the syncengine .xml file. You can add it right below the </log> tag and above the <cacheRetention>0</cacheRetention> setting.

# Update the mobility device threads to 30.
    * <threads>30</threads>

The mobility connector setting <threads>30</threads> needs to be added in the <custom> section of the mobility connector xml file. You can put it right after the <custom> tag on a new line.

# Update the GroupWise Connector threads.
    * <numWorkers>8</numWorkers>

The groupwise connector setting <numWorkers>8</numWorkers> is already in the groupwise connector xml, but the default is 4, so you just need to find the tag in the <custom> section and change the 4 to an 8.

Add "ulimit -n 4096" to /opt/novell/datasync/syncengine/sbin/datasync-connectors right before the line that reads "if [ -f $appBinDir/$appScript ]; then" so it looks like this:

ulimit -n 4096 
if [ -f $appBinDir/$appScript ]; then

# Update the postgresql.conf
    * set log_temp_files = 0 (so you know if you need to adjust work_mem)
    * max_fsm_pages increased to 819200 (based on WARNING message in logs)
    * shared_buffers to 512MB instead of 32MB (based on memory)
    * work_mem increased from 1MB to 10MB based on log messages

With these settings we believe you may be able to scale as high as 1000 with all other options left as default. If you start to change configuration options, like maximum attachment size, or the length of time to keep items, you will see the maximum number of users or devices that you can support decrease.

Again, the settings we have in the documentation are what we are officially stating as supported, but if you need to scale beyond those recommendations then we want to support you to do so. Let us know and we can work with you.

Data Synchronizer Cool Solutions

05-08-2011, Beta Customers Needed: Vibe 3.2 >>

05-08-2011, GWCheck Interviews Bob Flynn, President and GM Novell >>

I had the opportunity to interview Bob Flynn, President and GM of Novell. Attachmate acquired Novell. Novell is now a BU of the Attachmate Group.

Gert: Hi Bob, thanks for making time. You are running the Novell BU within the Attachmate Group. Can you introduce yourself, as for the past and the present roles you have (had)?
Bob: I joined Attachmate in 1998 and prior to that spent nearly 18 years at IBM where I held multiple executive positions including the management of a multi-million-dollar consulting engagement and the leadership of a region-wide $500 million services operation. My home-base is Seattle, however I will split my time in Provo as well as with Novell colleagues, customers and partners around the globe.

Gert: GroupWise is one of the strongest products for Novell. What is your view on the strategy for GroupWise?
Bob: GroupWise is, indeed, a very strategic product for the Novell business unit--one we think was being under-served in the former Novell organization. We intend to raise the profile of GroupWise, increase engineering investment in the product, improve field coverage for GroupWise accounts, and reach out to GroupWise customers to fully understand their needs, prioritize our plans based on top customer requests, and communicate our plans. When The Attachmate Group announced its intention to acquire Novell, we issued a general statement about our intention to support all of Novell's existing product roadmaps. We went a significant step further with one product: GroupWise. Here's what our Chairman and CEO had to say about this product:

"Attachmate Corporation considers GroupWise an important part of our go-forward market strategy. It is a solution that is of great value to both our organization and customers. We have already publicly stated that we will support existing roadmaps and release schedules across the Novell and SUSE product lines and that commitment includes GroupWise. More importantly, we are committed to meeting GroupWise customers' needs well beyond these stated plans. We plan to leverage the collective expertise of the Novell team, invest in GroupWise R&D resources, and deliver key product capabilities customers require—including integration with collaboration products from Novell and others—over the long term."

Gert: Are you involved in the decision process for GroupWise and if so, how? Dean and Alex are the people we know best from Novell. Will we see you too?
Bob: Absolutely. As president and GM, I am ultimately involved in all key decisions for the BU – and very focused on continuing GroupWise, a tremendous asset that makes us unique in the markets we serve. My focus will be on ensuring that Novell’s innovative and battle-tested technology, loyal customers, strong partners, and dedicated employees continue to put us in a great position to achieve our goals and deliver value to customers for many years to come.

Gert: GroupWise supports Linux, Windows and NetWare/OES server platforms. Will this be continued (specially the NetWare support) and will there be changes?
Bob: Providing customers with platform flexibility and choice has always been a hallmark of the Novell brand in general, and GroupWise in particular. That said, however, there will be a few changes with the Ascot release that are related to product lifecycles and industry trends. First, Ascot will offer server-side support on Linux, Windows and OES. NetWare, which has moved beyond the General Support phase of its lifecycle, will not be a supported platform. In addition, we have made a strategic decision to significantly enhance the Ascot Web access client rather than continuing to develop its Linux and Mac clients. This decision reflects the increasing trend toward mobile access for end users--and lightweight support requirements for IT. Customers who want Linux or Mac client support can run the GroupWise 8 Linux or Mac client against an Ascot back-end. Stay tuned for more details here in the Q4 2011 timeframe

Gert: GroupWise is in the Cloud now. Can you tell us more about the solution offered and at whom its targeted?
Bob: One of our trusted partners, HostedEM, Inc., recently released Hosted Enterprise Mail powered by Novell GroupWise. It is the industry's first cloud-based, managed service for Novell GroupWise. Leveraging a Verizon data center, Sonian for archiving, and Kaspersky Lab for e-mail hygiene, HostedEM delivers all the rich features of Novell GroupWise in a secure, scalable cloud environment. Packages are available in North America and start at only $5/user/month.

Gert: Did you get an opportunity to take a look at GroupWise Ascot? How close do follow its development, as it will be in BETA now?
Bob: I am familiar with the upcoming GroupWise Ascot release and look forward to getting this product into the hands of our customers early in the fourth calendar quarter. While this version has been a long time in coming, we have revamped our GroupWise roadmap to deliver more frequent releases, which will translate into greater feature parity with the competition and more value for our customers' maintenance dollars.

Gert: GroupWise runs big time on Linux. Will the Attachmate Group bundle SUSE and GroupWise to target its customers?
Bob: GroupWise already includes an entitlement to SUSE Linux Enterprise Server so that GroupWise customers who want to run on a Linux back-end don't need to pay additional subscription fees to do so.

Gert: Vibe and GroupWise will work tighter. Can you enlighten that?
Bob: As part of our focus, we are investing more in GroupWise. Customers will get broader mobile device support and an innovative experience that bridges e-mail with social communication. We plan to communicate more about our plans here at BrainShare, including more roadmap details, so we continue to encourage customers and partners to join us in Salt Lake City in October!

Gert: What is the future of Vibe? Vibe is a unique collaboration product.
Bob: Both our Vibe products have their respective strengths. Customers like the ease of Vibe Cloud and the depth of Vibe OnPrem. Consolidating into one Vibe product has been our plan since we announced Vibe in 2010. We know what Vibe Cloud features customers use the most and are building those into the combined Vibe platform over time. Some features are already in our Novell Vibe OnPrem 3.1 release; others will make it into our Firestone release coming in October, and still more in our 2012 releases. Moving forward, our single Novell Vibe offering will deliver a powerful social collaboration solution that gives enterprise teams what they need.

Gert: Where can we see you? GWAVACon, BrainShare, Open Horizons summits, etc.
Bob: I’ll be spending most of my time on the road and visiting customers and partners. Events like BrainShare and others are also key on my agenda as I continue to engage and inform customers and partners about the new Novell and what’s ahead for the company.

Gert: Bob, thanks so much. Keep up the good work.
Bob: Thanks for the opportunity! I look forward to staying in touch.

Vibe OnPrem Cool Solutions

05-08-2011, Novell Tech Training Webinar Vol. 27 >>

Identity & Security Management Cool Solutions

24-08-2011, Useful Firefox SAML tool for debugging problems >>

Useful Firefox SAML tool for debugging problems

When debugging the most common SAML setups with Novell Access Manager, the Authentication Request and response including the assertion are sent via the browser using the POST or Redirect profile. HTTP header output can be used to view these SAML request/responses, but the content is both URL and base64 encoded and therefor not very legible. An example output for an Authentication Response including the assertion would look like:

POST /nidp/saml2/spassertion_consumer HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: https://idp126.lab.novell.com:8443/nidp/saml2/sso?...
Accept-Language: en-US
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; AskTbFXTV5/5.11.3.15590)
Host: windidp.lab.novell.com:8443
Content-Length: 8665
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: JSESSIONID=B6BF275DCED5C055FFC8E555B8C69B13; bb_lastvisit=1312903696; bb_lastactivity=0; bb_userid=7281; bb_ics_login=true

SAMLResponse=PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIENvbnNlbnQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpjb25zZW50Om9idGFpbmVkIiBEZXN0aW5hdGlvbj0iaHR0cHM6Ly93aW5kaWRwLmxhYi5ub3ZlbGwuY29tOjg0NDMvbmlkcC9zYW1sMi9zcGFzc2VydGlvbl9jb25zdW1lciIgSUQ9ImlkMEtMSlJGYWVKQlMwdXZVbkF5OFBRckNmSFpZIiBJblJlc3BvbnNlVG89ImlkVU9pNmNoLjkwT0tadmY4WFV2UXUwYk5Wa2NvIiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDgtMTFUMTM6Mjg6MzVaIiBWZXJzaW9uPSIyLjAiPjxzYW1sOklzc3Vlcj5odHRwczovL2lkcDEyNi5sYWIubm92ZWxsLmNvbTo4NDQzL25pZHAvc2FtbDIvbWV0YWRhdGE8L3NhbWw6SXNzdWVyPjxzYW1scDpTdGF0dXM+PHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIvPjwvc2FtbHA6U3RhdHVzPjxzYW1sOkFzc2VydGlvbiBJRD0iaWRROVVaazVzMm1WR0lKWmpwUjRnZ0ZIRndPNnMiIElzc3VlSW5zdGFudD0iMjAxMS0wOC0xMVQxMzoyODozNVoiIFZlcnNpb249IjIuMCI+PHNhbWw6SXNzdWVyPmh0dHBzOi8vaWRwMTI2LmxhYi5ub3ZlbGwuY29tOjg0NDMvbmlkcC9zYW1sMi9tZXRhZGF0YTwvc2FtbDpJc3N1ZXI+PGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+PGRzOlNpZ25lZEluZm8+PENhbm9uaWNhbGl6YXRpb25NZXRob2QgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+PGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNyc2Etc2hhMSIvPjxkczpSZWZlcmVuY2UgVVJJPSIjaWRROVVaazVzMm1WR0lKWmpwUjRnZ0ZIRndPNnMiPjxkczpUcmFuc2Zvcm1zPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSIvPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48L2RzOlRyYW5zZm9ybXM+PGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIi8+PERpZ2VzdFZhbHVlIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj5IN2xVT3lmNjZwcTcveWJ4ZG9OK3VvZGkrL0k9PC9EaWdlc3RWYWx1ZT48L2RzOlJlZmVyZW5jZT48L2RzOlNpZ25lZEluZm8+PFNpZ25hdHVyZVZhbHVlIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj4KUk1MaHZnKzVSekxGQ2s2NFh5RWlCbXBXeUhLNGY0cCt5VWdMRnhUbE8wWnorZUhMdGpJM0QxOXM3aitKNWEvOWFic3d4YUxJR3VDbwpCbTE1MEc2YWJyeGx5eFRxYjQreGVrWFVNTGR3ZkdlK3FrWVczZ3NOYXk4MzZ5THVkQzdMUkJGNS9uQlhPYUhnZ2w2Qm5DcVY2OGh1ClZjUzBtQWhVUGU5a2xySGtNZU09CjwvU2lnbmF0dXJlVmFsdWU+PGRzOktleUluZm8+PGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU+Ck1JSUUzakNDQThhZ0F3SUJBZ0lrQWh3Ui82VFZCWEZLa2g3eDdWRnpCYVA2MjVUWXhjdm5xVVd0OVorZUFnSVBpeDd0TUEwR0NTcUcKU0liM0RRRUJCUVVBTURZeEdqQVlCZ05WQkFzVEVVOXlaMkZ1YVhwaGRHbHZibUZzSUVOQk1SZ3dGZ1lEVlFRS0ZBOXZjbU5vWDJodgpjM1F6WDNSeVpXVXdIaGNOTVRBeE1ESTRNVEV6T1RBd1doY05NVE14TURJNE1USXpPVEF3V2pCck1Sa3dGd1lEVlFRREZCQXFMbXhoCllpNXViM1psYkd3dVkyOXRNUXd3Q2dZRFZRUUxFd05PVkZNeER6QU5CZ05WQkFvVEJrNXZkbVZzYkRFUk1BOEdBMVVFQnhNSVRXRnMKWVdocFpHVXhEekFOQmdOVkJBZ1RCa1IxWW14cGJqRUxNQWtHQTFVRUJoTUNTVVV3Z1o4d0RRWUpLb1pJaHZjTkFRRUJCUUFEZ1kwQQpNSUdKQW9HQkFNR1E1cWZDSW51TEVPTG1mRllsanpuYW5lZGIyQklvVUFlUWJyR3JENk80dHZGQjFka3VwK2YxYW9zVEtFb01Vd25FCmdWU09od0duQWczbnhwaVJxNFAxSVlWeVNYVk5ac0pVNFFHSjUvMkphZnUxOG1EdWtBcFlOaTl4cWZMQUtvM1EwZjNOb3V5aVVudDcKTWNYaXJNUzY2dGVpemdBdzduU2xKMWRwTlhvOUFnTUJBQUdqZ2dJaE1JSUNIVEFkQmdOVkhRNEVGZ1FVMTRwMjBoZGlGZVQyVW1VbQpoOUNjYVVLMmlGWXdId1lEVlIwakJCZ3dGb0FVSi8yTzRNbFFRRWtIQVIyV1gwbnB2cjdnWllzd0N3WURWUjBQQkFRREFnU3dNSUlCCnpBWUxZSVpJQVliNE53RUpCQUVFZ2dHN01JSUJ0d1FDQVFBQkFmOFRIVTV2ZG1Wc2JDQlRaV04xY21sMGVTQkJkSFJ5YVdKMWRHVW8KZEcwcEZrTm9kSFJ3T2k4dlpHVjJaV3h2Y0dWeUxtNXZkbVZzYkM1amIyMHZjbVZ3YjNOcGRHOXllUzloZEhSeWFXSjFkR1Z6TDJObApjblJoZEhSeWMxOTJNVEF1YUhSdE1JSUJTS0FhQVFFQU1BZ3dCZ0lCQVFJQlJqQUlNQVlDQVFFQ0FRb0NBV21oR2dFQkFEQUlNQVlDCkFRRUNBUUF3Q0RBR0FnRUJBZ0VBQWdFQW9nWUNBUmNCQWYramdnRUVvRmdDQVFJQ0FnRC9BZ0VBQXcwQWdBQUFBQUFBQUFBQUFBQUEKQXdrQWdBQUFBQUFBQUFBd0dEQVFBZ0VBQWdoLy8vLy8vLy8vL3dFQkFBSUVCdkRmU0RBWU1CQUNBUUFDQ0gvLy8vLy8vLy8vQVFFQQpBZ1FHOE45SW9WZ0NBUUlDQWdEL0FnRUFBdzBBUUFBQUFBQUFBQUFBQUFBQUF3a0FRQUFBQUFBQUFBQXdHREFRQWdFQUFnaC8vLy8vCi8vLy8vd0VCQUFJRUVmK2sxVEFZTUJBQ0FRQUNDSC8vLy8vLy8vLy9BUUVBQWdRUi82VFZvazR3VEFJQkFnSUJBQUlDQVA4RERRQ0EKQUFBQUFBQUFBQUFBQUFBRENRQ0FBQUFBQUFBQUFEQVNNQkFDQVFBQ0NILy8vLy8vLy8vL0FRRUFNQkl3RUFJQkFBSUlmLy8vLy8vLwovLzhCQVFBd0RRWUpLb1pJaHZjTkFRRUZCUUFEZ2dFQkFGbHluSjdWK0d4ZXJlRk4wWVV1MHdremErRGZ0RzFZRCtXeUJVbG1VZGFWCmhsNkpRL1owdXBjNTRQb0k5VEFUMlRIR2VibE9lMzAyZVNicER2UFlQaUEvMjRPV0VBdUsrVW96WDlEOWc4RDRiTnQ3emFvMTQrb0gKMmVQM2ZZSnJVeG5XeW05RDRuM1FHZGtxMmdKWmdPQmtXN0NSd2U1Y3ltZSs3enRkQkxXRHF5VjZUK1RYT1k0S0U5WS8wcjJScWd0QwpNb0Qxd1hBaTIybTBsN09mSjZOdDJreC9XSXdxYUhmVWZvOUUyQmc2bDBIamNnamlkbVNRR3B1bUpKNzRpOER3VnNpSzRNVVM5ajkvCjhOODZ5SWc1Sm4za1FmNFE3ckQ0VWpldTFmTGxmQWlqM1IxbE8rR2lBU0R2RFd6a3dJZzBHYUpGUVQ0MHNIRGRyM1hGWWJnPQo8L2RzOlg1MDlDZXJ0aWZpY2F0ZT48L2RzOlg1MDlEYXRhPjwvZHM6S2V5SW5mbz48L2RzOlNpZ25hdHVyZT48c2FtbDpTdWJqZWN0PjxzYW1sOk5hbWVJRCBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OnBlcnNpc3RlbnQiIE5hbWVRdWFsaWZpZXI9Imh0dHBzOi8vaWRwMTI2LmxhYi5ub3ZlbGwuY29tOjg0NDMvbmlkcC9zYW1sMi9tZXRhZGF0YSIgU1BOYW1lUXVhbGlmaWVyPSJodHRwczovL3dpbmRpZHAubGFiLm5vdmVsbC5jb206ODQ0My9uaWRwL3NhbWwyL21ldGFkYXRhIj5UcTE1VXh6R2J0Y2NqUG12MDRienJ0YUM5S2JiZ2ZHdmNSQkVYdz09PC9zYW1sOk5hbWVJRD48c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI+PHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgSW5SZXNwb25zZVRvPSJpZFVPaTZjaC45ME9LWnZmOFhVdlF1MGJOVmtjbyIgTm90T25PckFmdGVyPSIyMDExLTA4LTExVDEzOjMzOjM1WiIgUmVjaXBpZW50PSJodHRwczovL3dpbmRpZHAubGFiLm5vdmVsbC5jb206ODQ0My9uaWRwL3NhbWwyL3NwYXNzZXJ0aW9uX2NvbnN1bWVyIi8+PC9zYW1sOlN1YmplY3RDb25maXJtYXRpb24+PC9zYW1sOlN1YmplY3Q+PHNhbWw6Q29uZGl0aW9ucyBOb3RCZWZvcmU9IjIwMTEtMDgtMTFUMTM6MjM6MzVaIiBOb3RPbk9yQWZ0ZXI9IjIwMTEtMDgtMTFUMTM6MzM6MzVaIj48c2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPjxzYW1sOkF1ZGllbmNlPmh0dHBzOi8vd2luZGlkcC5sYWIubm92ZWxsLmNvbTo4NDQzL25pZHAvc2FtbDIvbWV0YWRhdGE8L3NhbWw6QXVkaWVuY2U+PC9zYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+PC9zYW1sOkNvbmRpdGlvbnM+PHNhbWw6QXV0aG5TdGF0ZW1lbnQgQXV0aG5JbnN0YW50PSIyMDExLTA4LTExVDEzOjI4OjM0WiIgU2Vzc2lvbkluZGV4PSJpZFE5VVprNXMybVZHSUpaanBSNGdnRkhGd082cyI+PHNhbWw6QXV0aG5Db250ZXh0PjxzYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkUHJvdGVjdGVkVHJhbnNwb3J0PC9zYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPjxzYW1sOkF1dGhuQ29udGV4dERlY2xSZWY+c2VjdXJlL25hbWUvcGFzc3dvcmQvdXJpPC9zYW1sOkF1dGhuQ29udGV4dERlY2xSZWY+PC9zYW1sOkF1dGhuQ29udGV4dD48L3NhbWw6QXV0aG5TdGF0ZW1lbnQ+PHNhbWw6QXR0cmlidXRlU3RhdGVtZW50PjxzYW1sOkF0dHJpYnV0ZSB4bWxuczp4c2Q9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiBOYW1lPSIvVXNlckF0dHJpYnV0ZVtAbGRhcDp0YXJnZXRBdHRyaWJ1dGU9JnF1b3Q7Y24mcXVvdDtdIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVuc3BlY2lmaWVkIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHNkOnN0cmluZyI+bmNhc2hlbGw8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgeG1sbnM6eHNkPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgTmFtZT0iR3JlZXRpbmciIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dW5zcGVjaWZpZWQiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4c2Q6c3RyaW5nIj5Ib3dheWE8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgeG1sbnM6eHNkPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgTmFtZT0ibGRhcG1haWwiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6YmFzaWMiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4c2Q6c3RyaW5nIj5uY2FzaGVsbEBub3ZlbGwuY29tPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIHhtbG5zOnhzZD0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIE5hbWU9InJvbGVzIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHNkOnN0cmluZyI+Z2Vlazwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHNkOnN0cmluZyI+TlRTPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4c2Q6c3RyaW5nIj5hdXRoZW50aWNhdGVkPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIHhtbG5zOnhzZD0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIE5hbWU9ImN1c3Rfc3RyaW5nXzEiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dW5zcGVjaWZpZWQiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4c2Q6c3RyaW5nIj5uY2FzaGVsbEBub3ZlbGwuY29tPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PC9zYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD48L3NhbWw6QXNzZXJ0aW9uPjwvc2FtbHA6UmVzcG9uc2U+&RelayState=MA==

The SAMLResponse string includes the SAML response from the Identity server, which is typically an assertion about the user. It is possible to cut and paste this data and put it through a:

URL decoder initially (e.g http://www.opinionatedgeek.com/dotnet/tools/urlencode/Decode.aspx), and the output of the URL decoder into a
base64 decoder (http://www.opinionatedgeek.com/dotnet/tools/base64decode/)

to get the contents of the Authentication Response, but this can be time consuming and can also create uneccesary errors.

A new SAML plugin for Firefox exists which has the ability to dump the decoded SAML communication protocol in a separate header, making it faster to troubleshoot and more legible. The plugin is available from https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/ and when installed, provides a 'SAML Tracer' option under tools as shown below:

Click to view.

When this option is enabled, a separate Firefox 'SAML Tracer' Window opens up and dumps all the HTTP requests in and out of the browser. It specifically scans the data for SAML requests and when identified, the Orange SAML tag is displayed on the right hand side of the request.

In the example below, we have two SAML tags : the first for the Authentication Request from the browser to the SAML2 Identity Server, and the second for the Authentication Response from the SAML2 Identity Server to the SAML2 Service Provider via the browser.

By Selecting the entry with the Orange SAML tag, you will have the option to select the SAML tab in the lower Window to display the contents of the SAML request or response. In the example below, I selected the initial SAML entry in 'SAML Tracer' Window, which was the SAML authentication request from my SAML2 Service Provider to the SAML2 Identity Server. CLicking on the SAML tab in the lower Windows displays the content of this SAML AUthnRequest.

Click to view.

The corresponding SAML AUthentication Response including the assertion is shown below - note that the same info is available in the Identity Server log files when the DEBUG mode is set for SAML but for security reasons, we mask out the attribute values. WIth this tool, one can confirm tha actual values being sent with the assertion.

Click to view.

Cool Solutions

23-08-2011, New features in IDM 4 and 4.01 - Part 2 >>

When they released Identity Manager 4, I had a lot of fun working through all the new stuff and I wrote a couple of articles looking at what is new in IDM 4, and what came with previous releases.

Those articles addressed some of the new things added at a somewhat higher level of detail.

Some more details about new features in IDM 4 is available in this series of articles on Packages, since Packages are one of the major new features in IDM 4, and they are just plain awesome! I wish they were around years ago!

One of the other major high level features added was the Reporting module, which needs a couple of drivers to support the Reporting module in quite a bit of detail, in the following series of articles:

Data Collection Service:

Managed System Gateway:

Now with IDM 4 SP 1, we did not get a lot of new features as such, beyond the inclusion of three new drivers, from some Novell partners:

RSA by TriVir ( http://www.trivir.com )
Google Apps by Concencus ( https://www.concensus.com )
Blackboard by Omnibond ( http://www.omnibond.com )

The rest is bug fixes, as is to be expected, and worthwhile to see. In Part 1 New features in IDM 4 and 4.01 of this series, I discussed a few of the interesting bugs I saw in the list that Novell published in a TID numbered 7008566. You can search at http://support.novell.com for the TID number, or you can try this ugly direct link. Sometimes a link like this will fail the first time, but work the second. I have no clue why that is.

Defects fixed in the IDM 4.0.1 release

640695 Driver-ManagedSystemGateway - Config Managed System Gateway Driver should support queries across driversets
652290 RMA - Resource Aware RMA fails to locate entitlement based drivers on multiple driversets
652925 Framework - Roles/Resources ENH: Have the UA be able to work with IDM Drivers on different DriverSets

These three bugs really all interrelate and are needed altogether in order to fix the core issue. The relationship between the RBPM process and the User Application is complicated. As I have reported before, the User Application driver, that is needed in the IDM project seems like an odd thing. What is it used for? Well it turns out there are at least two core things needed that relates to these bugs.

First off, it will generate and submit queries into the queue of other drivers. With the release of the Data Collection Server (DCS) and Managed System Gateway (MSG) drivers needed for the Reporting module, this approach is also used there. Well it turns out the first bug was that the User App driver (and implicitly the MSG and DCS) driver, could not properly inject events into drivers that were running on a different server, but within the same driver set. That turns out to be an engine side bug. I am not sure where the actual bug for that is, I think it might be buried as part of one of the others.

Now that helps within the same driver set, which was the stated documented functionality. But what if you have two driver sets? Well that it turned out was not supported in the past.

The third bug, that UA should be able to work with multiple driver sets is a new feature in the User Application, and thus since it is the User App, it should work to allow the MSG and DCS drivers should benefit from, and the Role Mapping Administrator (RMA) uses the same basic facility as well.

This is good news, as before this was an issue. Now the Roles and Resource Service driver (RRSD) still only works with a single User Application instance, since it watches the AppConfig container, which is where the User Application configuration is stored, as a child of the User App Driver object in your eDirectory tree. Get that?

Basically one of the things the User App driver is used for is to be a place to store the User App configuration as eDirectory objects.

One of the objects in the AppConfig container is a place to store the nrfRequest objects. These are used by the RBPM module, to request a Role or Resource change. That is, when in User Application you grant a Role or Resource, it does not directly implement it, rather it writes out a nrfRequest object in the AppConfig container. The RRSD driver sees the event of the nrfRequest object being created and processes it. Since these also have begin and end dates, like a Work Order they can be used to time delay start and end dates for Roles or Resource grants. Which is probably the major reason for implementing this functionality in these two pieces.

Thus a single RRSD is still really the only supported way to set it up as it needs to monitor a User Application driver, and handle objects in a particular scope. If you are interested in more of the inner workings of this process, I worked through them in an article about issues when you do not get User Application working after install:
User App Roles Failing to Apply for Administrators

What is kind of neat, is that the permission model with User Application, is itself granted via Roles and Resources. Thus there is a Role for the Resource Manager and they are set up, based on what you entered in configudpate.sh at install time, the first time the WAR file is unpacked. (I.e. First time a web browser requests the User Application page. It is not when you start JBoss, nor when you finish the install). One nice add on to that article is that in IDM 4, and RBPM 4, there is a button on configupdate.sh to force resetting of these Roles, as if you read my article you will see it is somewhat of a pain to reset it by hand.

Now as it turns out, the functionality to allow the User Application to work cross driver sets, was added in the patch for the User Application. It does require the engine patch, which will work with older User Applications, and I think was back ported to IDM 3.6.1 in engine patch 5, but the User Application patch is only available in RBPM 4 and has not been back ported to RBPM 3.7.

UA/RBPM:

574769 Installation/Build RBPM Install restarts eDirectory without notification/prompt/option/need

This was a really annoying bug. When you ran an install of RBPM, on a server with eDirectory on it, the installer would restart eDirectory without any warning. Nor was this actually noted in the documentation, that a restart would occur. Thus if you had a server that needed the update, but you did not want to restart eDirectory on, this was an unexpected unpleasant surprise. Alas the resolution of this bug is basically to document the fact that eDirectory will be started and stopped several times in the process. The core issue is that of updated files. For Java classes, the JVM is loaded by eDirectory at start time, and that is when it builds its list of classes, and starts loading them. Once that is done, it will not notice an updated JAR file. It will notice a new JAR file, if a call is made that would use it. Thus a restart of eDirectory is needed to get the updated classes into the system.

Designer 4.01:

658693 Application Framework Identity Manager Designer appears to leak memory during normal use.

This bug is one I was quite involved in. The good news is that it REALLY makes a difference. Try Designer 4.01 vs Designer 4.0 and you will see that the memory consumption and performance are very noticeably better. This was actually a fun bug, since it turns out, whatever it is I do every day, leaks memory like a sieve in older Designer builds. What amazes me is how hard it was for someone in engineering to reproduce it. I mean, I just do my day to day work in Designer, and keep finding leaks.

You too can participate if you would like, in tracking down further Designer memory leaks. There is a new bug, tracking additional leaks post Designer 4.01, at: https://bugzilla.novell.com/show_bug.cgi?id=690081 and there are already 5 patched JARs for more leaks found.

What you do is use Designer. Work away as usual, and keep an eye on the memory gas gauge and you can see when you have leaks. When you open Designer, you will see it eat about 80 or so Megs of memory. That is sort of the base Eclipse and IDM plugins consumption. Then go ahead and do your thing. Open your editors, work away, all day long. When you see your memory gauge starting to look saturated, consider taking a few moments, closing all tabs (You can right click in the tab bar to Close All or just Close Others or just the one tab at a time) and then hit the garbage collection icon next to the gauge. Wait about 5 minutes and do it again, just to be safe. It should go down to pretty close to where it was when you opened Designer.

The reality is, that so far the best I have gotten it down too was in the 118 Megs range. Usually I seem to get down to 180 Megs or so after a days usage.

Then there is a tool in most JDK's named jmap that can dump a map of memory that the Designer guys (and gals of course) can look at, to see what bits of memory are orphaned and garbage collection is not cleaning up. I am told that there were a number of objects in Designer that had multiple references to them. That is multiple places in the code would reference the object in memory. If one code path decided to get rid of the object, not all the other locations would clean up their references and thus garbage collection would consider them in use and not clean up the mess. This set of patches was a lot of fun to work through, as each one seemed like it helped a bit. and then after more usage, it would still be leaking (slower, but still leaking) so I would send in another memory dump, another patch and so on.

This is still ongoing, even post IDM 4 SP1, as there look to still be more leaks around. Or at least I seem to be able to find more leaks. I seem to be a real troublemaker when it comes to these!

You can follow the post SP1 shenanigans in bug 690081: https://bugzilla.novell.com/show_bug.cgi?id=690081

At the time of this writing there have been two more sets of patches to try and patch more leaks. I am still finding them so the snipe hunt continues! You can follow along too if you would like.

Regardless, this one set of fixes that made it into SP1 made a huge world of difference in Designer's performance. Ever since Designer 3.0 M2 I think, where the object model in memory to support SVN was changed, this problem has existed and it is a pleasure to see it go away for the most part. They had been making things faster with each release, but the problem was that with all the leaked memory, garbage collection was dragging Designer to a halt as well. In Designer 3.5.1 or 4 to see this kind of performance you had to close the Outline view, and then everything was fast again. But of course, without the Outline view, Designer for Identity Manager is not that useful. Now with this patch, it is much closer in performance, even with the Outline view open.

If you want to contribute, use Designer 4.01, go to bug 690081 and get the latest JAR file patches, and see if you can make it leak. There is no point in testing without the latest patches, only because it will just potentially duplicate existing known/fixed issues. To validate, close all tabs, garbage collect, wait a couple of minutes and do it again, and then you can run jmap to grab a memory dump to upload to Novell.

My jmap is in the JDK/JVM shipped with iManager Workstation. So my path is a bit silly to it:
d:\iman\iMan_27_workstation\imanager\bin\windows\java\bin\jmap -dump:format=b,file=u:\D401-234MB-Apr22.hprof pid#

Replace <pid> with the process ID of your Designer instance. I switched operating systems from Win XP to Windows 7 Pro 64 bit in the midst of this testing and discovered that the PID of interest changed from Designer.exe to the javaw.exe instance eating about a gig of memory. Additionally I found that in order for this to work on Windows 7, due to the very annoying User Access Control functionality, I needed to launch cmd.exe as an Administrator process. That is, Start Run, type in cmd and instead of just hitting enter, hit Control Shift and then Enter, which will launch it as an Administrator and then jmap will work.

When done, you ZIP it up, since memory dumps compress notoriously well, and send it to ftp.novell.com in the incoming directory with a distinctive name, and add a comment to the patch with your file name, and what you did to generate the leak. Clearly there are many many possible ways to generate the problem, and the more hands on deck the better to find them all. I am sure the developer at Novell may feel slightly overwhelmed, but really, we need to just get this issue fixed, once and for all properly.

Cool Solutions

19-08-2011, Integrating Privileged User Manager SSH Relay Feature with Novell eDirectory as Authentication Domain >>

Author: Girish Mutt

Abstract:

The main objective of this article is to give a step by step procedure for customers to help them integrate the SSH relay feature of PUM with Novell eDirectory as the authentication domain. The normal approach will be to use existing PUM framework users to enable the SSH Relay feature. This approach will help customer directly integrate their existing Novell eDirectory environment with the PUM framework thereby allowing usage of single source for all corporate users. In addition to this PUM makes use of the LDAP groups to enable access to SSH relay hosts which allow PUM to make use of corporate directory specific access controls with PUM deployments.

Table of Contents

Introduction
Integrating PUM Manager with Novell eDirectory Authentication Domain
SSH Relay Feature enabling with PUM Manager
Command Control Rule for LDAP Group Matching
Using SSH Relay feature with Novell eDirectory as authentication domain
Glossary of Terms

Introduction

NetIQ Privileged User Management (PUM) helps IT administrators manage the identity and access for superuser, root accounts, and application users by providing controlled superuser/privileged access to administrators, allowing them to perform jobs without needlessly exposing root account credentials. It also provides a centralized activity log across multiple platforms.

SSH relay is a new feature added to PUM that enables delegation of privileged credentials to those hosts where PUM agents are not installed. This feature makes use of the underlying SSH functionality of Unix/Linux systems to provide privileged access and monitoring of the activities after the delegation. PUM has been designed to work with its own framework user management. With the new release of PUM 2.3, LDAP group support has been added which helps to achieve easy integration with corporate Novell eDirectory as authentication domain. It helps to overcome the issue of managing users differently for PUM deployment and existing corporate eDirectory deployment.

This article talks about the various configuration that needs to be performed by a customer to enable SSH relay feature integrated with corporate Novell eDirectory deployment.

Integrating PUM Manager with Novell eDirectory Authentication Domain

To integrate the PUM manager with Novell eDirectory, the following steps need to be performed:

2.1 Create Privileged Account Domain for Novell eDirectory
2.2 Integrate the PUM manager to use Novell eDirectory as authentication domain

2.1 Create Privileged Account Domain for Novell eDirectory

Before we can integrate the PUM to use Novell eDirectory as authentication domain, the account domain details to authenticate with should be added to PUM manager. PUM manager supports creation of the account domain under the command control console installed as part of default manager installation. The various steps to be followed to add authentication account domain to PUM are as follows:

Goto Home/Command Control console -> Privileged Accounts.
Now choose the option Add Account Domain to add a new account domain to PUM manager framework.
Provide all the details as shown in the picture below. Make sure to replace xxx.xxx.xxx.xxx with the IP address of the corporate Novell eDirectory server.

Click to view.

Figure 1: Adding corporate Novell eDirectory account domain details.

2.2 Integrate the PUM manager to use Novell eDirectory as authentication domain

After the addition of the Privileged Account Domain details under privileged accounts of PUM manager, the next step is to add the association between the PUM user framework to directly make use of user accounts in the newly added authentication domain. The following steps should be followed to create that association:

Goto Home/ Framework User Manager console in PUM manager.
Now choose the Users options and select the Account Settings from the left panel.
In the Default Account Settings console, goto Authentication Domain and choose the newly added authentication domain from the drop down box as shown in the picture below.

Click to view.

Figure 2: Associating the Account domain to be used by PUM default account settings.

After the successful association, PUM deployment is now is ready to make use of the corporate Novell eDirectory as the default authentication domain. From this point onwards all users will be managed in the corporate Novell eDirectory and those users, groups can be directly made use of for all PUM administration.

SSH Relay Feature enabling with PUM Manager

To enable the SSH relay feature to a particular host or to a group of hosts, SSH credentials of the privileged users need to be added to Privileged Account under Command Control. The following steps should be followed to create privileged accounts:

Goto Home/Command Control -> Privileged Accounts.
Now choose the option Add Account Domain from left panel.
Add all the details of the host and its privileged credentials as shown in the picture below.

Click to view.

Figure 3: Privileged Account details of the SSH Relay host

After adding the Privileged account details for SSH relay, the next step is to create rules in Command Control so that authorization to access the SSH relay host is given based on the rule. This can be achieved by following the steps below:

Goto Home/Command Control -> Rules.
Choose Add rule option from the left panel and add a rule R1.
Now goto Modify Rule option for the R1 rule. Enable Session Capture to On and Authorize to Yes. Choose Run User as root and select the corresponding SSH relay privileged account added in Privileged Accounts. Choose Run Host as local as we are trying to enable SSH relay as root user to a normal user part of the corporate Novell eDirectory as shown below.

Click to view.

Figure 4: Modifying rule to authorize and associate SSH credential for SSH relay host.

SSH command, which will be part of the Home/Command Control/Commands needs to be added to the rule. This can be easily achieved by dragging and dropping the SSH Session command under commands on to Rule R1 as shown below.

Click to view.

Figure 5: Adding SSH Session command onto rule R1

Command Control Rule for LDAP Group Matching

After the integration of the PUM manager to use Novell eDirectory, the next step will be to enable the LDAP group look up under rule matching which will make use of LDAP groups in eDirectory to decide on access permission for SSH sessions. This can be achieved by creating an Account Group which will be used to match for the LDAP group in Novell eDirectory. The account group can be created by following the steps below:

Goto Home/Command Control -> Account Groups -> User Groups.
Create a new user group using Add User group with name G1 using option from left panel.
Now choose Modify User Group option to edit it. Under Type choose the External Group check box and select the corporate Novell eDirectory account domain to which group look up operation will be done by rule.
Under Users add a regular expression which matches the LDAP group of a user. This regular expression is used to check whether a particular user is part of the group.
When the same is attached to the rule access to Privileged SSH sessions will be granted based on the fact that whether a user is part of the group or not. Thus LDAP group matching is used to grant access to SSH relay sessions.

Click to view.

Figure 6: Modifying User Account Group to match a LDAP group in Novell eDirectory.

Once the User group is modified to match an external LDAP group, it will be added to rule R1 by dragging and dropping on top of the rule R1. Now this rule is able to grant access to SSH relay sessions based on the fact that whether a user is part of the external group or not. Hence PUM makes use of LDAP group look up feature to confirm membership of particular user in Novell eDirectory and then grant access to SSH relay sessions.

Using SSH Relay feature with Novell eDirectory as authentication domain

After the successful completion of all the steps mentioned above, the deployed configuration can now be tried.

Use Case: Rule R1 basically tries to check that the user used as part of SSH relay is in deed part of LDAP group G1. If the user is part of the LDAP group in Novell eDirectory which is the authentication domain, then a list of allowed SSH Relay sessions will be displayed to user and user will be given access to SSH session as elevated root user.

The various steps to be followed to gain access to Privileged SSH Relay sessions are:

From any shell try making use of the SSH Relay feature using the following command:
```
user311@pum-sles11x64:/root> ssh -t -p2222 user311@164.99.184.14
```
Here we are trying to gain access to SSH relay session based on user311 being part of the external LDAP group G1 in Novell eDirectory.
Now user311 is checked to verify whether the user is part of group G1 after providing password. If the user is part of group G1, the user is shown a list of allowed sessions. After choosing the session, user is given access as privileged root user as defined in the rule R1 as depicted below.
```
user311@XXX.XX.XX.XX's password: 
 1) R1 - root@local
Enter option (1-1): 1
Password: 
Last login: Wed Aug 17 16:08:25 2011 from pum-slesx1164.labs.blr.novell.com
pum-sles11x64:~ # id
uid=0(root) gid=0(root) groups=0(root),104(sfcb)
```

Glossary of Terms

PUM- Privileged User Manager
LDAP- Lightweight Directory Access Protocol
SSH- Secure Shell

Attachment	Size
pum-ssh_relayldapgrp.doc	419.5 KB

Cool Solutions

Attachment(application/msword)

17-08-2011, New features in IDM 4 and 4.01 - Part 1 >>

When they released Identity Manager 4, I had a lot of fun working through all the new stuff and I wrote a couple of articles looking at what is new in IDM 4, and what came with previous releases.

Those articles addressed some of the new things added at a somewhat higher level of detail.

One of the core new features in IDM 4 is support for something called Packages. These are a great new idea, and you can read more of my thoughts about them in this somewhat long series of articles:

These are so core to the IDM 4 project that in fact, there are literally almost no other new features added the engine, other than those needed to support Packages. The one exception that I am aware of is down below a little bit (the new GCV).

Data Collection Service:

Managed System Gateway:

With the release of Identity Manager 4 Service Pack 1, there are also new drivers and bug fixes. I thought it would be useful to go through some of the more interesting ones.

Before I begin, there is one thing I wanted to note about the IDM 4 release. So far, beyond the addition of all the things needed to support Packages in IDM 4, there was very little in terms of new features added to the engine. Basically as far as I can tell, the addition of a single new automatic Global Configuration Variable (GCV) is about the sum total.

There is a new GCV which is just like the commonly used dirxml.auto.driverdn which returns the running drivers DN in backslash format (\TREE\o\OU\Driverset\DriverName), we now get dirxml.auto.localserverdn which returns the full DN of the server the driver is currently running on, in LDAP format (cn=DriverName, cn=Driverset, ou=ou, o=o). If you read my series on the Managed System Gateway and Data Collection servers, you will see that there is policy to use this GCV, to do a Source Attribute call to get back the Network Address attribute from the running server, to pick apart and infer the IP address of the server. It is useful if you want to write some self configuring code, such that you do not need to enter a server IP or the like but it can be derived by Policy. I remember lamenting not having this functionality back in the IDM 3.01 days, and I am glad to see it become available.

The service for IDM 4, SP 1 brings with it a couple of other new things as well. First off there are three new drivers for connected systems contributed by various Novell Partners. This is nice going outside the company to get mature drivers made more available.

RSA by TriVir ( http://www.trivir.com )
Google Apps by Concencus ( https://www.concensus.com/ )
Blackboard by Omnibond ( http://www.omnibond.com/ )

You should check out their respective web sites, as TriVir has other drivers and specifically tools for IDM available. Specifically I mean their product IDMUnit which is a great tool for testing your IDM system. Being able to reliably test and validate your system is key to being comfortable with doing upgrades. I.e. If you cannot prove everything is working, how can you validate that your upgrade was successful?

Concensus has a number of other drivers (their Banner driver comes to mind, if you are an educational institute using Banner as your student information system, and they do the SIF Driver as well, in case you are a K to 12 school, and use a SIF complaint Student Information System. Hey they have you covered from K - Grad school at Concensus!). They have been working with this Google Apps driver for a number of iterations and it has matured nicely as it follows the various API changes coming from Google.

The Omnibond guys may seem less obvious, but a fairly impressive number of the built in drivers that have been around for many IDM releases. They already provide the Unix/Linux driver, the AS400 (midrange, i5os, i5 series, etc) driver, the Mainframe drivers (ACF2, Top Secret, and RACF variants), and the Scripting driver. They also have the bidirectional and fan out versions of their various drivers. One of the promised features to come later with IDM 4 was to be fan out versions of some of the existing drivers (like JDBC, and Active Directory) that we have yet to see. The Omnibond guys are the ones who made that a desirable thing! They have done a lot of great work with their drivers, and I am glad to see a new driver from this group. They have a really cool new 'thing' coming, called RaDD, the Rapid Driver Development tool, which is meant to replace the Silverstream Composer product that most IDM folk never saw.

The old Composer tool was basically a data mapping tool, that had a utterly horrendous user interface, but was meant to make it easy to map crazy things to XML documents. So it had a TN3270 screen scrapper to allow you to map things you would do on a green screen applications interface to an XML document and the reverse. Or to screen scrape an HTML web page. Their new tool is designed to replace the discontinued Composer product, since there is a real need for this sort of thing.

The SP1 release also brings the release of IDM 4 Standard Edition. The original release of IDM 4 was Advanced Edition only, which was basically a replacement for IDM 3.6.1 with Roles Based Provisioning Module (RBPM) 3.7. IDM 4 Advanced Edition includes the full RBPM support, whereas Standard Edition does not. It still needs pieces of the RBPM components, as the Reporting Module (as an example) uses the User Applications Roles model to determine who gets access to use Reporting. I.e. To use the Reporting tool, you need the Reporting Manager or Administrator Role. Reporting is still in Standard Edition, but it is stripped down. I have not yet had a chance to see if they stripped out functionality, or just did not include as many reports out of the box in order to accomplish this. My guess is they have something that looks at the license code applied, and determines what the interface will allow. Almost like a second level of permissions.

In addition, as with any new release there are all sorts of bug fixes. Luckily for us, Novell actually publishes a list of bug fixes in a TID (Knowledgebase article, Technical something or other, I have no idea what TID really stands for) and I happen to know some of the story behind a couple of these bugs (or at least what they affect), and thought it would be worth sharing.

The TID I refer to is TID 7008566. You can search at http://support.novell.com for the TID number, or you can try this ugly direct link. Sometimes a link like this will fail the first time, but work the second. I have no clue why that is.

Defects fixed in the IDM 4.0.1 release

I read through this list and picked the ones I thought were interesting.

I think I will work through the list one by one. The first number is the Bug number in Bugzilla (http://bugzilla.novell.com), Novell's bug tracking program. Most bugs are at least partially visible to everyone. (Obviously security bugs are hidden, and some comments and attachments that contain customer data have to kept private.)

671675 Engine-DirXML Script Status document generated thru policy not going back thru output transform

This was one a friend was interested in. You can use the do-status token in Policy to send a status event. One of the more interesting uses a college of mine used this for, was in a SOAP driver, where connections come in, should a bad password be attempted the driver sends a warning email, and then a Status event with a level of fatal. As you really do not want to fool around with bad incoming connections. Sure you have a firewall, but even so, this at least means someone knows before anything bad happens. However, you might want this to process through the output transform, in case you have some custom rules doing stuff there. A SOAP driver is a good example, as you might want to convert the Status event into a SOAP document to let the connected web service that either the event succeeded or failed. But if the status is not going back through that channel it won't work. Now regular Status events were making it through, but if your Policy called a do-status token, it did not. Glad to see it resolved.

659272 Engine-Functionality IDM Engine should provide a LDAP extension for getting the Named Password Value

Named Passwords are a great idea, that showed up in IDM 3.5 or so time frame. IDM already had functionality to store encrypted passwords. For example, the driver object password was actually a standard password attribute on the driver object. However the Remote and Application are encrypted values stored as attributes. Thus IDM has the ability to store and retrieve passwords securely, why not extend it to user specified passwords. Thus we got Named Passwords which can be of immense use. Interestingly enough, we also got a Global Configuration Variable type called password-ref, which is defined as the name of a Named Password for this driver, and when you go to the GCV properties pages, you end up setting the Named Password via the GCV. Well now that we have a mechanism for storing passwords in this fashion, it would be nice to be able to use them elsewhere. Perhaps in an external application? Perhaps in an ECMA function call in RBPM? Of course you could reimplement the IDM libraries in your code to get the password, but allowing an LDAP extension to get the Named Password value, much as there is an LDAP extension that allows retrieval of Universal Passwords (Password Policy allowing only of course) seems like a much nicer way to handle this. Now I need to nag Jim Willeke to add support to this to his Universal Password diagnostic tool. I.e. Make an option to get the Named Passwords from the IDM drivers. Not sure if he will go for it or not, but you never know. Personally I know I have forgotten what value was set in the Named Passwords, and need it for some reason.

655638 Engine-Other Identity Manager trace should show DN of object with existing association.

When you are using a Find Matching User token in the Matching Policy set in a driver, there are a couple of possible outcomes. No match found, and thus you proceed to the create Policy Set and so on. A single match found, in which case Creation and Placement Policy Sets are skipped and on to the Command Transform. There a couple of other possibilities if your matching criteria is not strong enough. It could be that more than one object matches. and there is a funny Unicode character returned as the matched user, so your driver can detect this case and do something in relation to this error case. There could be an existing object that meets the criteria, and is already associated. In that case, the driver returns a message that an object is found that is already associated.

Alas, it does not tell you WHICH object was found that was already associated. So in policy, if you wanted to deal with it somehow you would now have to go and query for it again. Or even if you just wanted to forward an error message on to say the Helpdesk to go take a look at it, you would have the same issue.

Now the driver will return the DN of the object in the error message.

DirXML Log Event -------------------
Driver: \RJ-RC4-RH64\system\driverset1\LDAP
Channel: Subscriber
Object: \RJ-RC4-RH64\data\users\pusery
Status: Error
Message: Code(-9063) Object matching policy found an object that is already associated: data\users\pusery.

I still have a bunch more interesting bugs to discuss so stay tuned for the next part of this series.

Cool Solutions

17-08-2011, Sentinel 7 HA step-by-step >>

Index:

Introduction
Preparation
Installing SLES11 SP1 x64 HA extension
Configure shared storage
Configure HA cluster
Configure HA resource
Configure stonith resource
Configure LVM resources
Configure file system resource
Configure IP resource
Install and configure Sentinel

Introduction:

The basic idea of this solution is to install Sentinel into a shared storage (SAN) so that any machine in our cluster can easily mount this as a directory and has everything needed to run that instance of Sentinel. The solution provides a fallback mechanism that allow another machine to take over the sentinel server in case the current machine running it is offline for some reason. Keeping that in mind, we should not expect most of the active operations to be kept after the current node suddenly went down. What we have instead is a highly available sentinel server that will continuously listen to events and perform tasks that it was configured with. The structure of this cluster is similar to another Cool Solution article written by Jan Kalcic. Many thanks for the excellent write up!

For the first part, we will mostly use Yast to setup most of the components of the cluster software stack. Since Yast provides a ncurse interface. You won't need to have access to the graphical UI of your cluster's machines. However, the second part will use a GUI-only application, crm_gui, for configuring cluster's resources. The equivalent command line application is crm which can also be used. For more information on crm, please refer to the official Novell HA Extension’s documentation.

For a production-level Linux HA solution with shared storage, it is recommended to implement a fencing mechanism into the cluster. The idea is that one shared storage should be accessed (write to) by one node at a time. If something causes a communication error and another node tries to write to the shared storage, data on the shared storage will be corrupted. Shared storage needs to be protected/fenced when this happens. There are different ways to implement fencing and stonith is one of the methods supported by SLES. In this tutorial, I will cover implementing a stonith resource using Split Brain Detector (SBD). Read more about SBD in the documentation.

Preparation:

1. Two machine running SLES11 SP1 x64.
2. SLES11 SP1 x64 High Availability extension iso image file.
3. For shared storage, I will employ another SLES11 SP1 x64 machine to provide iSCSI targets. Again in production environment, the shared storage will also have to be HA just as the cluster. This HA solution doesn't include HA storage solution. Please discuss with your storage administrator first about how to set this up!
4. Four static IPs:
     4.1. Two static IPs for each of the node.
     4.2. One static IP for the iSCSI machine.
     4.3. One static IP for the cluster, this will be assigned dynamically to the node currently running Sentinel.
5. Four host names:
     5.1. Two host names for each of the node (for this tutorial, I will use "node01," and "node02")
     5.2. One host name for the iSCSI machine (I will use "iSCSI")
     5.3. One host name for the cluster (I will use "cluster")
6. Please contact your network administrator about the usage of static IPs and host names in your company's network environment!

Install HA extension:

1. Download from: http://download.novell.com/Download?buildid=9xvsJD...
2. You will need an Novell account.
3. Download iso file to each machine.
4. Go to Yast, Add-on products, Add.
5. Select local ISO Image.
6. Browse to iso image.
7. "Software selection and system tasks" window appear: click on "High Availability" check box.
8. Configure your HA extension subscription if you already have one.
9. Do the same thing for the other machine.
10. Set host name. Go to Yast, Network Settings.
11. Go to Hostname/DNS tab.
12. In "Hostname" text-box: node01.
13. Do the same thing for the other machine and the iSCSI machine as well..
14. Check for connection between our machines:
15. From each machine check to see if you can ping the other two using their host names.
16. If this failed, you may want to contact your network administrator.

Though in the mean time, we can still continue our work by modifying the local /etc/hosts file to resolve host names in our cluster to specific IPs. You can either directly edit /etc/hosts or using Yast -> Hostnames. Either way, your /etc/hostnames file should contains these lines:

10.0.0.2 iscsi
10.0.0.3 node01
10.0.0.4 node02
10.0.0.5 cluster

Configure shared storage:

The iscsi machine will provide 2 block devices. One shared block device which will be use as a SBD device. The SBD device only require 1 MB. The other block device is used to store sentinel installation. We can point our iSCSI resource (LUN or Logical Unit Number) to any file or block device in our machine. The easy way is to create a file with all zero using the dd command and copying from /dev/zero, which obviously generates a infinite stream of 0. These two commands will create a 1 MB file and a 10 GB file. Change the value of count to create a file of your desired size.

dd if=/dev/zero of=/1024 count=1024 bs=1024
dd if=/dev/zero of=/sharedrive count=10240000 bs=1024

1. Go to Yast, iSCSI Target.
2. Install the required software.
3. Set service to start on booting.
4. Go to Global tab and disable authentication. This is because SLES-HA resource agent for iSCSI doesn't support authentication.
5. Go to Target tab. Add a target and accept the auto-generated name.
6. Add a LUN and point it to /sbd
7. Add another LUN and point it to /sharedrive.

Now we will mount it on the same machine and format our LUN as a ext3 partition:

1. Go to Yast, iSCSI Target.
2. Install the required software.
3. Set service to start manually.
4. Go to Discovered Targets tab and click Discovery.
5. Enter the IP address of iscsi host and press Next.
6. Click on the iSCSI target and login. Switch to Connected Targets to verify that we had login to the share storage.
7. Go to Yast, Partitioner.
8. Click + on the left of Hard Disks to expand. Select the new iSCSI disk with no partition.
9. Click add to add a new partition. Format the new partition as ext3 but do not mount the partition.

Configure HA cluster:

1. On node01: go to Yast, Cluster.
2. As this is our first time, we will be presented with a wizard window.
3. Bind network address: the network address of your cluster. Ours will be: 10.0.0.0
4. Multicast address: this multicast IP is needed to provide multicast communication for nodes in our cluster. Consult with your network administrator about what value you are allowed to use. For our purpose, we'll use "239.0.0.1" with port "694."
5. Redundant channel: if there is another networking channel available.
6. Check "Auto generate Note ID" then click "Next."
7. Check "Enable Security Auth" and click on "Generate Auth Key File." This will create an authentication key that allow other nodes to join your cluster. The key is store in /etc/corosync/authkey. We will need to copy this file to the other node later.
8. Check "On--Start openais at booting" and click "Start openais Now."
9. Make sure is that "Enable mgmtd..." is checked to allow the cluster to be managed by crm_gui.
10. On the sync host panel, we'll add hostnames of the cluster's nodes by clicking add.
11. Click "Generate Pre-Shared-Keys." This key is needed for syncing configuration file between nodes and we will also have to copy it to the other node. The key file is stored in /etc/csync2/key_hagroup.
12. On the sync file panel, click "Add Suggested Files" to automatically generate a list of common file to sync between nodes.
13. Click "Turn csync2 ON" then click "Next."
14. Now, the hacluster user should be created. Go to Yast, User and Group Management.
15. Set Filter to System Users. Click on hacluster user, then click on edit. Change the password and press OK. When configuring node02, we will also use this password for the hacluster user.
16. Now we want to copy configuration files and authentication key to the other node. This can be done using the scp command.
     16.1. scp /etc/corosync/corosync.conf node02:/etc/corosync/corosync.conf
     16.2. scp /etc/corosync/authkey node02:/etc/corosync/authkey
     16.3. scp /etc/csync2/csync2.cfg node02:/etc/csync2/csync2.cfg
     16.4. scp /etc/csync2/key_hagroup node02:/etc/csync2/key_hagroup
17. Install open iscsi-client on cluster's node
18. Go to Yast, iSCSI Initiator. Install the open-iscsi package. Set "Service Start" as "When Booting."
19. Go to Discovered Targets tab. Click Discovery. Enter iSCSI host's ip address.
20. Login to the iSCSI target. Set Login as automatic. If login's successfulled, the login column will report true.
21. We may as well create the directory for mounting the shared storage: mkdir -p /opt/novell/sentinel

1. Now we will go to node02:
2. Go to Yast, Cluster.
3. We won't be presented with the wizard window because the configuration file is already copied over.
4. Click on Service tab. Check On -- Start openais at booting then click on Start openais Now.
5. Click on Configure Csync2 tab. Click on Turn csync2 ON then click Finish.
6. Again, we'll go to Yast, User and Group Management to set the password for hacluster user.
7. Install open iscsi-client on cluster's node
8. Go to Yast, iSCSI Initiator. Install the open-iscsi package. Set "Service Start" as "When Booting.
9. Go to Discovered Targets tab. Click Discovery. Enter iSCSI host's ip address.
10. Login to the iSCSI target. Set Login as automatic. If login's successful, the login column will report true.
11. Again, remember to create the shared storage directory: mkdir -p /opt/novell/sentinel.

Our cluster should be up and running now. Enter crm_mon to the command line to see if it is. We should get something like this:

============
Last updated: Fri Aug 5 16:38:36 2011
Stack: openais
Current DC: node01 - partition with quorum
Version: 1.1.2-2e096a41a5f9e184a1c1537c82c6da1093698eb5
2 Nodes configured, 2 expected votes
0 Resources configured.
============

Online: [ node01 node02 ]

Configure HA resource:

In this section we'll configure individual resource for our cluster. An resource is a service/application that is monitored by the cluster. All of our resource will be monitored by the cluster software stack so that if they stop running for any reason, the cluster will notice and start up the exact resource on the other node thus providing high availability.

1. From the command line, enter crm_gui.
2. Click Connection menu, Login. We should be able to login using the IP address of either node or the cluster's IP after it had been setup.
3. Click CRM Config tab.
4. Change Default Resource Stickiness to a positive value (1). This makes all the resources in the cluster to prefer to remain in the current location.
5. Change No Quorum Policy to ignore. Since our cluster consists of 2 node, losing a node is the same as losing quorum in the cluster. In this case, we want the cluster to keep going instead of shutting down the entire cluster.
6. Click Apply.

Configure stonith resource:

1. Use the command sbd -d /dev/sbd create to initialize the SBD device. Substitute /dev/sbd with the 1 MB block device provided by the iSCSI host. This can be done in any node.
2. Type sbd -d /dev/sbd dump to check what has been written to the device. Something like this should be displayed:

Header version : 2
Number of slots : 255
Sector size : 512
Timeout (watchdog) : 5
Timeout (allocate) : 2
Timeout (loop) : 1
Timeout (msgwait) : 10

3. The SBD daemon must be started before and stopped after the cluster software stack. This is because it constantly monitoring the stage of the cluster. To do this, create the file /etc/sysconfig/sbd with the followsing content:
     SBD_DEVICE=”/dev/sbd”
     SBD_OPTS=”-W”
4. Copy this file over to node02 using scp /etc/sysconfig/sbd node02:/etc/sysconfig/sbd..
Type in sbd -d /dev/sbd allocate node01 to allocate a slot in the SBD device to node01.
5. Type rcopenais restart to restart openais. A message will be displayed saying that SBD is starting.
6. Switch to node02, type sbd -d /dev/sbd allocate node02 to allocate node02.
7. Again, type rcopenais restart.
8. Go to crm_gui, Resource tab. Add a new primitive as follows:
     8.1. ID: stonith_sbd
     8.2. Class: stonith
     8.3. Type: external/sbd
     8.4. Attribute sbd_device: /dev/sbd.
9. Go to Management tab and start the stonith_sbd primitive.

LVM resources:

LVM gives great flexibility to manage storage because it allows partitions and block devices to be managed dynamically (resizing and replacing). The addition of cLVM extension (Clustered LVM) allows LVM to operate in a cluster environment. First, we will set up a cLVM resource to start clvmd in every node. This requires the resource to be of type clone instead of primitive.

1. Go to crm_gui, Resources tab. Add a new clone resource named base-group-clone.
2. On Group tab, add a new group named base-group.
3. On Primitive tab, add a new primitive as follows:
     3.1. ID: control
     3.2. Class: ocf
     3.3. Provider: pacemaker
     3.4. Type: controld
4. Add another primitive:
     4.1. ID: clvm
     4.2. Class: lvm2
     4.3. Type: clvmd
     4.4. Instance Attributes: set daemon_timeout to 30
5. Hit Apply then Cancel when asked to add another primitive or group.
6. Go to Management type and start the base-group-clone resource. The clone resource will be started on both nodes.
7. Now we need to create create a LVM configuration on one node. cLVM will take care of distributing LVM config to the other node.
8. Go to Yast, Partitioner on node01.
9. Go to Volume Management tab. Add a new Volume Group named clustervg.
10. Select the bigger block device after the SBD device to add to the volume group.
11. Expand Volume Management tab, click on clustervp and add a new Logical Volume named clusterlv.
12. Use all available space and format the logical volume as ext. Check to not mount it.
13. Go back to crm_gui, Resouce tab. Add a new group named sentinel.
14. Click OK to add a new primitive:
     14.1. ID: LVM
     14.2. Class: ocf
     14.3. Provider: heartbeat
     14.4. Type: LVM
     14.5. Instance Attributes: volgrpname is set to clustervg
     14.6. Add another attribute: exclusive with the value of true. This will make the volume group available to only one node at a time.
15. Go to Management tab and start the sentinel group. Whichever node running the LVM resource will have a block device /dev/clustervg/clusterlv and this will be the partition to install Sentinel onto.

Configure file system resource:

1. Go back to the sentinel group and add another primitive resource:
     1.1. ID: sentinelfs
     1.2. Class: ocf
     1.3. Provider: heartbeat
     1.4. Type: Filesystem
     1.5. Initial state of resource: default
     1.6. Add monitor operation: checked.
2. Instance Attributes:
     2.1. device=/dev/clustervg/clusterlv.
     2.2. directory=/opt/novell/slmcluster
     2.3. fstype=ext3
3. Go to Operations tab add an operation:
     3.1. Name: start
     3.2. Timeout: 60
     3.3. Optional/Start Delay: 5

This will cause the resource to wait 5 seconds after the previous resource has started. This is because the iscsi drive doesn't seem to appear immediately. Go back to Management tab and start sentinelfs.

Configure IP resource:

1. Click Resources tab, edit sentinel group.
2. On Primitive tab add a new primitive:
3. Create clusterip resource as follows:
     3.1. ID: clusterip
     3.2. Class: ofc
     3.3. Provider: heartbeat
     3.4. Type: IPaddr
     3.5. Initial state of resource: Default to "Started" or inherit from its parent
     3.6. Add monitor operation is checked
4. On Instance Attribute tab, click on ip. Click Edit and type in our cluster IP 10.0.0.5 for Value.
5. Click Apply then click Cancel since we don't need to add another primitive for now.
6. Click Apply again. The sentinel group will appear on the screen now.
7. Click Management tab. We will see sentinel group and clusterip resource listed.
8. Click on sentinel group and click the start button to run it. The clusterip is shown as running. Trying pinging the cluster's IP, 10.0.0.5, or the cluster's hostname, cluster, to double check.

Install and configure Sentinel:

In this step, we will install sentinel onto the shared storage. This should be performed on whichever node that is currently running sentinel group since the shared storage is mounted there. We'll assume this will be node01.

1. First, download sentinel package onto node01.
2. We will use the --location parameter to tell the installer to set /opt/novell/sentinel as the root(/) directory for the installation. The general directory structure of sentinel is as follows:
     2.1. /opt/novell/sentinel: executables and libraries.
     2.2. /var/opt/novell/sentinel/data: data files.
     2.3. /var/opt/novell/sentinel/log: log files are in the directory .
     2.4. /var/run/sentinel/server.pid: the process ID (PID) file.
     2.5. /etc/opt/novell/sentinel: configuration files.
     2.6. /usr/bin and /usr/share: other binaries
3. So if we tell the installer to use /opt/novell/sentinel as the root directory (/), it will go ahead and create all those directory above inside /opt/novell/sentinel. The command to install Sentinel now should be: ./install-sentinel - -location=/opt/novell/sentinel/. After the installation, we should see: "etc opt usr var" the command ls /opt/novell/sentinel.
4. Verify that sentinel was installed and run successfully. We also want to setup any collector/connector or do any configuration that we want right now. The turn off sentinel server (service sentinel stop).
5. From the command line, type in chkconfig --del sentinel. This will delete sentinel server from the list of services that are started when booting. This is because the cluster will take care of starting and stopping sentinel itself.
6. After sentinel's stop, copying over the novell user's home directory from node01. This can be done using the scp command (scp -pr /home/novell/ node02:/home/).
7. Also, copy over the init script (scp /etc/init.d/sentinel node02:/etc/init.d/sentinel)
8. Type into the command line: grep novell /etc/passwd. Note down the output (something like this: novell:x:108:1000::/home/novell:/bin/bash) . This line add the novell user to the system which we will use for node02.

1. Switching to node02:
2. In this step, we will switch the shared storage to node02 and create a novell user so that we can run sentinel from the share storage on node02. To do this, append /etc/passwd with the line novell:x:108:1000::/home/novell:/bin/bash.
3. Enter vi /etc/passwd. Press “a” to start editing the text file. Add the line for novell user to the end of the file then press “esc,” then “:qw” and enter to save the file.
4. The home directory for novell user was already copied over. Change the owner of the home directory to novell user with this command: chown -R novell: /home/novell.
5. In crm_gui, do to Management tab, right click on sentinel group, Migrate Resource and migrate to node02. Check to see if the shared storage is mounted on node02.
6. From the command line, type /etc/init.d/sentinel start. This will start the sentinel server on node02. Check and make sure everything is running properly and all the configurations are preserved. Stop sentinel server using /etc/init.d/sentinel stop.
7. Now we are ready to add a primitive for sentinel server.

1. Get sentinel server resource agent here. (The resource agent script cannot be published atm. It will be added to the article in a later day).
2. Create a directory on node01 for the resource agent (mkdir -p /usr/lib/ocf/resource.d/sentinel)
3. Put this script on node01 as /usr/lib/ocf/resource.d/sentinel/sentinelserver.
4. Give it executable priviledge with chmod +x /usr/lib/ocf/resource.d/sentinel/sentinelserver.
5. Create the same directory on node02: mkdir -p /usr/lib/ocf/resource.d/sentinel. Copy resource agent script to node02: scp /usr/lib/ocf/resource.d/sentinel/sentinelserver node02:/usr/lib/ocf/resource.d/sentinel/sentinelserver
6. You may need to disconnect and reconnect in crm_gui for the sentinelserver resource agent to be available.
7. Go to crm_gui again and add a sentinelserver primitive to sentinel group:
     7.1. ID: sentinelserver
     7.2. Class: ocf
     7.3. Provider: sentinel
     7.4. Type: sentinelserver
     7.5. Initial state of resource: default
     7.6. Add monitor operation: checked
8. Go to Operations tab add a start operation:
     8.1. Name: start
     8.2. Timeout: 300
9. And a stop operation:
     9.1. Name: stop
     9.2. Timeout: 300

Now go to Management tab and start the sentinelserver primitive. After a couple of minutes, it will be showed as running. Right click on the sentinelgroup and try to migrate onto another node to test if fallback is working.

Cool Solutions

17-08-2011, Allowing Perl extensions to access cli methods in other NPUM Modules >>

12-08-2011, Configuring Privileged User Manager Rules to Restrict Audit Reports >>

How to configure rules so that a manager is restricted to audit reports of only those employees who report to him?

Many a times in an organization managers are expected to review the audit reports of their employees so that they can take appropriate action in case any risky activity is executed by an employee.

Compliance Auditor in Privileged User Manager (PUM) console provides a feature where one can review all audit reports. It provides some filters which we can restrict what reports should be shown to which manager. In order to achieve this a few configurations are required which is explained using a use case below:

Use Case:
Assume that we have two managers - Manager1 and Manager2.
Emp1, Emp2, Emp3 – reports to Manager1
Emp4, Emp5 – reports to Manager2
Manager1 and Manager2 – they report to Director1.

So in above case, Manager1 should be able to review audit reports of Emp1, Emp2 and Emp3. Manager2 should be able to review audit reports of Emp4 and Emp5.
Director1 should be able to review reports of all 5 employees and 2 managers.

Solution:
This can be achieved by doing following configurations in PUM:

I. Framework User Manager Configuration:

Create Manager1 user and Manager1Group. Add manager1 in this group.
In Manager1Group assign required roles:
1. Secaudit – Read
2. Secaudit – console
3. Secaudit – write
4. Secaudit - audit
5. Secaudit – Manager1TeamRole (This role you need to type in, it is not in dropbox)
6. Audit – read
7. Audit - write
Similarly create Manager2 user and Manager2Group.
In Manager2 Group add above roles except for change to role Secaudit - Manager2TeamRole
Create a group called DirectorGroup and add above two groups as sub-groups. Add director1 user in this group. Director1 will inherit above two group roles.

This role creation is used later in Compliance Auditor to restrict the access of audit reports which will be explained later.

II. Command Control Configuration:

Create a UserGroup called Manager1. Add manager1 and Emp1, Emp2, Emp3 to this group.
Add a UserGroup called Manager2 and add manager2, emp4, emp5 to this group.

Create rules as follows:

        Begin Rule: Default Audit
                Audit Group = "Default Audit"
        End Rule: Default Audit

        Begin Rule: Audit Mgr - Manager1
        If (user IN Manager1)
        Then
                Audit Group = "Manager1Team"
        End If
        End Rule: Audit Mgr - Manager1

        Begin Rule: Audit Mgr - Manager2
        If (user IN Manager2)
        Then
                Audit Group = "Manager2 Team"
        End If
        End Rule: Audit Mgr - Manager2

By creating the above rules whenever Emp1, Emp2 or Emp3 starts a session in a system where PUM agent is installed, all their sessions are tagged with Manager1Team Audit Group. Similarly all sessions of Emp4 and Emp5 are tagged with Manager2Team.

III. Compliance Auditor Configuration:
Create Compliance Auditor Rules as follows:
Create two Rules as Follows:

Manager1Reports:
- Audit Role – Manager1TeamRole
  This is same name as given in FrameWorkUser manager group.
- Filter Category – Command Control
- Filter – AuditGroup – Manager1Team
  This is same name as given in Command Control rule value.
Manager2Reports:
- Audit Role – Manager2TeamRole
  This is same name as given in FrameWorkUser manager group.
- Filter Category – Command Control
- Filter – AuditGroup – Manager2Team
  This is same name as given in Command Control rule value.

As a result of the above rules, Compliance auditor will collect audit reports in following fashion:

Manager1Report will collect all those audit reports where sessions are tagged as – Manager1Team. i.e. all emp1, emp2 and emp3 reports are collected.
Manager1Report will collect all those audit reports where sessions are tagged as – Manager1Team. i.e. all emp4 and emp5 reports are collected.

Thus required functionality is achieved as follows:

When Manager1 logs into PUM console and checks reports in Compliance Auditor, he will see all reports collected by Manager1Reports. This is because manager1 is assigned Manager1TeamRole in Framework user manager and Manager1Report is also restricted to that role.
i.e. Manager1 can view reports only of Emp1, Emp2 or Emp3.
Similarly Manager2 would be able to see reports only of emp4 and emp5.
When Director1 does login, he will see reports of all employees as due to inheritance he is assigned both Manager1TeamRole and Manager2TeamRole.

Note: There is an alternate way of doing the same which is explained in brief below:

Create FrameUserManager users and groups as done earlier.
You need NOT assign Audit Group in Command Control.
In Compliance Auditor Rule, add the Audit Role as done earlier, but use Command Control Filter where you define Submit User. Add multiple Submit User filters with or condition. So for Manager1Report rule add –
SubmitUser – Emp1 OR
SubmitUser-Emp2 OR
SubmitUser-Emp3

You will achieve the same result. This approach is tedious, as if one manager has 1000 employees reporting to him or so, then creation of the above rule with submituser filters will not be easy and non readable.

Attachment	Size
frameworkusermanager_group_role.jpg	31.64 KB

Cool Solutions

Attachment(image/jpeg)

09-08-2011, Talking about Entitlements - Part 3 >>

Novell Identity Manager introduced the concept of Entitlements several versions back. In fact, I am not sure when they got added, I imagine around the Identity Manager 3 or 3.5 time frame.

There are three entitlement granting agents available from Novell right now.

Roles Based Entitlements (RBE) driver,
Roles and Resources driver (part of RBPM 3.7)
Workflow (via Grant Entitlement or Role activity)

In Part 1 of this series Talking about Entitlements - Part 1 I talked about Entitlements in general, and the first of those agents, the Roles Based Entitlements driver.

In Part 2 of this series Talking about Entitlements - Part 2 I talked about the Roles and Resources driver, which is part of the Roles Based Provisioning Module (3.7 and 4).

In this article I want to talk about what it means for a driver to support entitlements.

If you read the documentation, then you will see that some drivers are reported to support entitlements with either the configuration file (Pre-IDM4) or via a Package configuration (Post IDM 4). On a side note, the documentation is getting better, but if you happen to be reading it and see something wrong, or missing, or maybe just a simple addition that would clarify things, then make sure to click the Add Comment link at the bottom of every page (Online docs only, no idea how to do this for the PDF versions, sorry). This opens a bug for the documentation writers to look at. They alas, do not often get back to you, but magically in the darkest of night changes will appear. It is worth doing, since it makes the docs better for everyone involved.

At the moment, the following drivers are said to support entitlements in IDM 4.01. I have grouped them into three categories. There are the simple case, where the documentation says they support entitlements out of the box. Then there are those that either do not specifically say they support it entitlements or else explicitly say they do not support them. Finally there is a third category for utility drivers, where Entitlements would make no sense to implement at all.

Entitlements supported out of the box (14 in total):	These are not yet configured to support entitlements out of the box in IDM 4.01 (12 in total):	Makes no sense to use entitlements (6):
Active Directory Blackboard (New driver in IDM 4.01) eDirectory Google Apps (new in IDM 4.01) GroupWise LDAP Linux/Unix Lotus Notes Mainframe (CA Top Secret) - Bidirectional Mainframe (RACF) - Bidirectional Midrange (AS400/i5) - Bidirectional SAP Portal SAP User Management Fanout Scripting	Avaya PBX Delimited Text JDBC JMS PeopleSoft Remedy RSA SAP HR SAP User Management Salesforce.com SOAP Sharepoint	Entitlements Service Linux Unix Settings Null Loopback ID Provider Work Order

You will notice that there are some drivers where Entitlements make no sense, the third category. I.e. The Work Order driver does not entitle some object to something, rather it delays actions for a period of time. The ID Provider is more of a service driver to generate unique ID's within the system. The Entitlements Service driver is one of the granting agents that actually processes entitlements, but of course does not itself contain any entitlements.

I think that the list is instructive (and the fact there are over 30 drivers) by itself, but understanding what supporting entitlements means is probably most important.

As discussed in part 1 and 2 of this series, Entitlements are just attributes. They are granted by something (Currently 3 supported agents that grant entitlements), they are really just a value in a multi valued attribute and they store the results in another attribute.

So supporting entitlements is not really a driver side issue. The driver really has to do nothing to support them, it is all a policy thing in the engine. Now there happen to be some specific tokens that if you use them, everything works better, but even if you did not, most of the system would still work.

For example, we have a condition test. If Entitlement. As usual, there is equality testing, for a valued entitlement. There is availability testing, which is helpful. This one has some subtle bits worth talking about later.

There is an Implement Entitlement action in Policy Builder. Why would you use this? Well that will make a bit more sense later when talking about how you might actually use entitlements.

In the Argument Builder there are two nouns, Removed Entitlement, and Entitlement. These allow you to select the entitlement that is changing to use. (You need to pass a nodeset of the entitlement to the Implement Entitlement, and this is the easiest way to get the proper one to pass in).

That is just 4 tokens in total to handle entitlements, yet they seem to have so much power in the system. How does that all come together?

Well if you look at any of the current drivers from my list that actually support entitlements out of the box, you can see how they do it. The principle is simple, how you implement it can get complicated.

The most basic thing to remember is that the entitlement for this 'thing' is a gatekeeper. You can't get this 'thing' until you have the entitlement first.

Those of you who are familiar with IDM should immediately know where this should be handled. Those who do not immediately get it, you should really take a few minutes and read David Gersic's truly excellent (in the Bill and Dave sense) series on what each policy set in the driver flow does:

Of course this should be implemented in the Create policy set. Specifically the Subscriber channel Create policy set. The Create rule is where you specify minimum requirements before creating something in the connected system. Just like many drivers will veto a User create if there is no nspmDistributionPassword in the event, since usually you want a password before you create a user. At this point in the policy set you would want a rule that requires a specific entitlement or else the event is blocked. This works for later modify events, as since the object is not yet associated, the modify gets converted to a synthetic add and thus ends up back in this rule again.

Now before you may have noticed I referred to entitlements being the gatekeeper for a 'thing' in a connected system. I used that term specifically as there are at least three good examples in shipping drivers of things that Entitlements could enable you to get. The obvious one is a User object, an account. But less obvious is the fact there are Group entitlements, where getting the entitlement means you get added to a groups member list. Even less obvious at first, but makes great sense once you think about it would be an entitlement for a mailbox (whether that is in Exchange, GroupWise, or Notes/Domino).

These three are by no means the only options, they just happen to be the three I know of. In principle and in practice you could add an entitlement for anything that makes sense in your target system. Perhaps you have some physical device you represent in the system. An entitlement would be a good way to indicate it if the target system provisions it somehow. Perhaps you have some structure that is basically like a group in your target system, but it represents an access role, you could use an entitlement to represent it as well. For simplicity lets just consider Users as the thing of interest.

As was discussed in the first two articles in this series, the Roles Based Provisioning Module (RBPM) builds Roles out of other Roles and Resources. Resources, generally map one to one against Entitlements. Thus by representing these other 'things' as entitlements, then the RBPM module can deal with them.

So where else should we enforce the entitlement requirements?

Well on an add event (synthetic or otherwise) we will get a Match attempt made, we should decide if we let a match even proceed, without an entitlement or block it. This could let us block it even before it hits the Create policy set.

Then we have the additional case of managing what happens when an Entitlement is changing. What should you do when you revoke an entitlement for an already associated user, or even grant an entitlement to an already associated object (say in the case of a mailbox entitlement.)

If you look at the various drivers that have implemented entitlements in Policy you will see that they often have a Global Configuration Variable (GCV) to control whether a revoke event maps to a delete or disable in the target system. As always, this is a case by case thing. Each use case should be considered separately. This is typically done in the Subscriber channel Command Transform.

In fact, I think this is why in some of the listed drivers as not having Entitlement support in Policy, are lacking such support.

Some of the drivers are just plain too generic to make sense to pre-build any kind of entitlement handling. This is probably the JDBC and Delimited Text drivers are lacking such support. What does an event mean in the Delimited Text driver? Well it depends on so much context of how you choose to implement it that providing one in advance is almost impossible.

Same thing with the SOAP driver. Every SOAP system seems to be different. Though in reality, the SPML and DSML configurations basically are generalized SOAP API's for handling User like objects, so they could probably get some kind of entitlement enabled. But it would only be useful in a couple of cases. Now that sounds like a reasonable excuse to avoid it, but most drivers I have looked at use a GCV to control whether Entitlement enforcement should be enabled or disabled. In which case the SOAP driver could benefit where it works by turning on the GCV and then off for when it will not be helpful.

The Sharepoint and Salesforce.com driver I suspect it was just an oversight

The SAP HR case is interesting, as really this is more of a Publisher channel driver, focused on getting authoritative information into the identity system. Sort of the same thing for PeopleSoft.

Thus so far it looks like we need some kind of rule in the Matching or Create policy sets to handle users who do not yet exist in the target system.

Then we need something in the Command transform to handle the case where an entitlement is being revoked on an existing user. (If the user does not yet exist, and they get granted an entitlement, then that generates a synthetic add and then the policy in the Match or Create will control it. But for Group or Mailbox style entitlements we should probably handle granting as well, since the user can already exist with or without the extra entitlement).

I think the way to do this is to mock us some sample rules in Designer, and build them into a Package and then attach it. The good news is that the Package may not work with versions of IDM before 4.0 but it is really easy in an empty Driver set to just import the policy in Designer 4.01 (there are some huge memory leak fixes between 4 and 4.01 so get rid of 4 and upgrade to 4.01 before you do anything else!) and then look at it, and copy the policies into an older driver.

On top of all this we need to remember to handle the Entitlement to Resource mappings that RBPM needs in order to work. This was all discussed in an article by Volker Schreuber and John DaSilva, and I wrote a nice companion piece explaining what their policy is doing. So I think that is worth including in the Package as well.

Volker and John's article: Convert Driver Entitlements to New RBPM 3.7 Resource Model

My commentary on it: Converting Entitlements to Resources, more details

This should all fit nicely into a reasonable Package. Now the problem is, really you need to customize this more and into what you need. The good news is you can use the Package I provide and copy the policies into your own Package, so that you can easily manage upgrades and versioning as you work on it. Basically no one set of rules will suit every case, nor even most of the cases, but lets see how many can be handled.

If you want to read more about Packages, since they are lots of fun and very interesting, take a look at this somewhat wordy series on the topic:

I am still developing the rules and thus the package that will contain them over the next article or two, so bear with me, I will attach it when I am done in those articles.

If you have any use cases you think would be useful to handle it would be great to add them, so let me know in the Comments down below.

Cool Solutions

03-08-2011, Change the Order of Search Attributes in IDM DNLookup Controls >>

Background

The DNLookup search control is a frequently used form control in custom forms, but it can also be found in several native IDM dialogs and is used to search and retrieve DNs from the Identity Vault.

The way a DNLookup control shows up depends on the definition of the corresponding entity (e.g., the 'user' entity) and the attributes declared for that entity (e.g., 'Given Name', 'Surname').

The attributes shown in the drop-down list are specified in the directory abstraction layer (DAL): Attributes that are declared with the "Search" and "Required" flags set, will show in the drop-down list for searchable attributes, as well as in the result table of the identified matches.

Now, there have been numerous requests to change the order in which these attributes are displayed when pressing the DNLookup, but the order of the attributes is predefined and cannot be changed. Often it depends on the order in which the selected attributes where added to the entity.

Well, in fact the order is stored in the xmlData attribute of each entity object in eDirectory:
For each entity, you'll find an eDirectory object of the type 'srvprvEntity' which is located in a container underneath the user application driver container (CN=EntityDefs,CN=DirectoryModel,CN=AppConfig,CN=User Application Driver,[your driver set container])

Much of the declaration of the entity is stored in the 'xmlData' attribute of the entity object. You can manually edit the xmlData string, search for the "<attributes>..</attributes>" tag and find each entity attribute declaration in a separate "<attribute>..</attribute>" tag.
Changing the sequence of the "<attribute>..</attribute>" tags will modify the order in which the respective attributes are displayed in the search control.

The hard way

There have been several comments in the Novell forums that explain extensively how you could use iManager or other tools to locate and edit the entity objects and change the xmlData. To find such instructions, Google for "Sequencing of DAL Entity Attributes for a DN Lookup Control"

While the approach suggested there works fine, there are some smaller drawbacks:

not everybody feels comfortable editing the objects,
the procedure is prone to human error
the procedure is time consuming

The easy way

This Cool Solution presents a simple User Application form that provides an quick and easy-to-use GUI to update your entities and change the attribute order of your DNLookups.

How it works:

The form presents a GUI showing the entities of your system that can be used in a DNLookup control.
You select any of the available entities
The form reads and decodes the xmlData and presents you with the searchable attributes in their current order
You may re-order the list according to your needs
You may view the effects of changing the attribute order on the xmlData contents by selecting the 'Show xmlData' check box.

To save your changes, press 'Submit' and the updated xmlData will be stored within a no-approval workflow
Before the applied changes get visible in your DNLookup controls, you need to flush the User Application cache ('Administration' tab in User Application)

How to install this Cool Solution on your system

To be on the safe side you should import the current DAL entities into IDM Designer before changing any attributes, and backup the entities (e.g., into Subversion or by exporting them to a file)
Use IDM Designer to import the entity definition "srvprvEntity.xml" and the query definition "query_srvprvEntity.xml" into your DAL
Check the imported entity definition for "srvprvEntity" and modify the "Search Container" location to reflect the location of the "EntityDefs" container on your system under the driver set container.
Deploy both, entity and query, to your IDM system
Flush the User Application cache
Import the workflow PRD into your Provisioning Request Definitions
Optionally update the trustees of the form
Test the form
As usual, when externally modifying DAL objects, make sure to re-import the modified entity into your Designer project

Troubleshooting

If the form shows no entities, make sure that you have updated the search path for the entity definition "srvprvEntity"
If the form shows the entities, but no search attributes, make sure that you have sufficient rights to read the entity definition and the xmlData attribute
If the changes you've made seem to not be reflected in User Application, make sure you have flushed the UA cache
If the problems persist, check the status of your re-order request and check the jboss server log for errors

Attachment	Size
cool_solutions_-_reorder_search_attributes.zip	20.76 KB

Cool Solutions

Attachment(application/zip)

02-08-2011, Talking about Entitlements - Part 2 >>

Novell Identity Manager introduced the concept of Entitlements several versions back. In fact, I am not sure when they got added, I imagine around the Identity Manager 3 or 3.5 time frame.

As a reminder, since it is handy to have the XML floating around, an Entitlement is DirXMLEntitlementRef attribute value, that would look something like this if you queried for it in Policy:

<nds dtdversion="3.5" ndsversion="8.x">
  <source>
    <product version="3.6.11.4904">DirXML</product>
    <contact>Novell, Inc.</contact>
  </source>
  <output>
    <instance cached-time="20110221221739.710Z" class-name="User" src-entry-id="813253" timestamp="1298326659#1">
      <attr attr-name="DirXML-EntitlementRef">
        <value timestamp="1298326653#2" type="structured">
          <component name="nameSpace">1</component>
          <component name="volume">\ACME-TEST-05\services\IDM\DriverSet\ADDriver\EntitleTest1</component>
          <component name="path.xml">
            <ref>
              <src>RBE</src>
              <id>services\IDM\DriverSet\Entitlement Policies\RBE-RoleTest1</id>
              <param>SponsoredAffiliate</param>
            </ref>
          </component>
        </value>
      </attr>
    </instance>
  </output>
</nds>

There are three entitlement granting agents available from Novell right now.

Roles Based Entitlements (RBE) driver,
Roles and Resources driver (part of RBPM 3.7)
Workflow (via Grant Entitlement or Role activity)

In Part 1 of this series ( Talking about Entitlements - Part 1 ) I talked about Entitlements in general, and the first of those agents, the Roles Based Entitlements driver.

In this article lets talk about the next agent, the Roles and Resources driver, which is part of the Roles Based Provisioning Module (3.7 and 4).

This driver is interesting as it actually does a whole bunch of different things, and I wish I had the time to go catch it in the act of doing each of those various things.

For example, it is not just the Roles driver as it was in IDM 3.6.1 with the Roles Based Provisioning Module (RBPM) or as it was called back then just the Provisioning module. With the release of IDM 3.6 and RBPM 3.7 (and the same is true of the RBPM in IDM 4) it because the Roles and Resources driver as it also manages Resources now.

Resources are an additional abstraction layer on top of basic entitlements, primarily because the entitlement names for groups would be the GUID in the connected system, which is pretty darn ugly and there is no way an end user would succeed at picking their entitlement from the list in that circumstance. So Resources map, usually one to one, to Entitlements. This way, the Resource is named HR-Accounting-AD and the entitlement is an ugly GUID (By ugly I mean a 16 or 20 digit hexadecimal value).

Now Resources can be assigned to Roles. There are three levels of Roles provided for in the RBPM model.

Thus a Role can be made up of other Roles, each of which may also be made up of other Roles, but at the lowest level they probably have some Resources attached to them. The Resources are really just pointers at Entitlements, so when someone is granted a Role the driver has to parse that apart, add the Role, then enforce whatever the Role defines in terms of other Roles (I think this is the case, I have not actually tested whether it drops an attribute value for each Role that is included in a Role or just the parent Role.) and the Resources they entitle the user too, and finally the Entitlements that the drivers will actually react too and grant the underlying privilege.

That is one busy little driver, isn't it? Notice that this happens in the Roles and Services driver, not in the User Application per se. The distinction is that the RBPM module (Usually managed via the User Application, either in a user request for a Role, or a Workflow process that grants a Role, or possibly even Role Mapping Administrator deciding to modify some Role definitions.) has granted a Role. This is expressed by the creation of a RoleReq object in the AppConfig container. There are other objects stored there, things like PRD (Provisioning Request Definitions), the DAL (Directory Abstraction Layer) configuration, the Roles catalog, Roles definitions and so on.

A quick diversion about User Application and the AppConfig container. Why does the User Application (A Web application) need an IDM driver? Well there are a couple of reasons, but one of them is as simple as the User Application (Web app) needs a place to store its configuration in eDirectory, which is in the AppConfig container, underneath the User App DirXML-Driver object. Inside the AppConfig are a LOT of objects and containers. Under RoleConfig, there is a Requests container object which is where RBPM writes out an object, when you assign a Role.

This is the sort of thing you would see in the User App log, when such a Role grant occurs:

2010-09-16 12:31:21,761 INFO  [com.novell.idm.nrf.service.RoleManagerService] (http-0.0.0.0-8080-2) [Role_Request] Requested by cn=admin,ou=admins,o=acme,dc=com, Target DN: cn=securityadmin,ou=Security,ou=admins,o=acme,dc=com, Source DN:cn=secAdmin,cn=System,cn=Level20,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=User Application,cn=IDM,ou=Drivers,o=acme,dc=com, Request DN:cn=20100916123121-e080d05cee9f4df3801bb878e315a402-0,cn=Requests,cn=RoleConfig,cn=AppConfig,cn=User Application,cn=IDM,ou=Drivers,o=acme,dc=com, Request Category: 10, Request Status: 0, Original Request Status: 0, Correlation ID: 5443c88adc2642a38417434a6c6a73d3

You can read more about some of this Roles granting and troubleshooting, specifically for the built in Roles that you set at first User App startup in this article:
User App Roles Failing to Apply for Administrators

The LDIF of such an object looks something like this:

dn: cn=20100916123121-e080d05cee9f4df3801bb878e315a402-0, cn=Requests, cn=Rol
 eConfig, cn=AppConfig, cn=User Application, cn=IDM, ou=Drivers, o=acme, dc=c
 om
nrfStartDate: 20100916163121Z
nrfCategory: 10
nrfRequester: cn=admin,ou=admins,o=acme,dc=com
nrfSourceDN: cn=secAdmin,cn=System,cn=Level20,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=User Application,cn=IDM,ou=Drivers,o=acme,dc=com
nrfTargetDN: cn=securityadmin,ou=Security,ou=admins,o=acme,dc=com
nrfCorrelationId: 5443c88adc2642a38417434a6c6a73d3
objectClass: nrfRequest
objectClass: Top
nrfImmediate: TRUE
cn: 20100916123121-e080d05cee9f4df3801bb878e315a402-0
nrfDescription: RBPM Security administrator assignment request.
nrfDecisionDate: 20100916163121Z
nrfStatus: 50
nrfRequestDate: 20100916163121Z

There are a number of attributes and objects involved in this process, some I understand, some not so much, after all, this is well documented, right? (Actually, if someone can find any documentation about this aspect I would love to read it, please forward on any links you have).

You can see that the name is a CN with the date stamp, then a GUID which is probably a tracking number against the RBPM database but I am not sure. I would have thought that would be the nrfCorrelationId. I imagine then that the nrfCorrelationID is probably a value out of the User Application database that can be used to reference this event back to a request made in (or through) User Application. The 'through' User Application reference is to something like the Access Governance Suite, which can read out your various roles and entitlements (not necessarily the eDirectory/Identity Manager entitlements we have been discussing here) in a variety of systems and try to first calculate some likely suggested Roles. But over time to also validate that the Roles are enforced correctly, and report on them. Once you use the Access Governance Suite to generate some Roles, it can push it back into User Application, and this might affect a number of users, thus AGS is using User App at the way to get at the Roles and Resources definitions, but not directly through the User Application interface. (It is using SOAP or REST I imagine to do this work). Additionally, the Role Mapping Administrator works in a similar fashion to help manage Roles and Resources. We are starting to see a fair bit of tooling in Identity Manager use the User Application as the base for its approach. Reporting as an example uses the Roles model to authorize access to Reporting. Thus an eDirectory administrator means nothing to Reporting in terms of access. That user would need to be made a Reporting Admin or Manager to work in Reporting. I am torn on how I feel about the bifurcation of permissions.

The nrfStartDate, nrfRequestDate, nrfDecisionDate, and if there is an end date, the nrfEndDate, are all date stamps for when stuff happened. The Start and End date stamp for the Role. The Request Date, is when it was requested, and the Decision Date is when it was actually either approved or granted. Thus you could in principle see how long approvals for Role Requests are taking. Note that I show the representation of the object via an LDIF export, which reports time in LDAP's format. In reality these are Time syntax attributes in eDirectory and it is actually stored in CTIME, which is a count of seconds since the very beginning of 1970 (January 1st right at the turn of midnight). Alas, this is a signed 32 bit integer and runs out of

nrfCategory is 10, 20, or 30 I believe, based on the three levels of Roles that are supported in RBPM. There have been requests for more levels, and someone always has a model that uses more, but for sake of simplicity three levels seems to usually be enough.

nrfRequester, nrfTargetDN, nrfSourceDN are all DN (Distinguished Name) syntax attributes, that point at the various objects involved. The Requester is the one asking for the Role. The SourceDN is the Role itself that is being discussed. As you can see from its DN, it too exists in the AppConfig object, under the RoleConfig and then RoleDefs containers.

nrfImmediate is interesting, and I assume it tells the Roles and Services driver process on the event, instead of on some polling interval. There is a similar flag on a DirXML-WorkOrder object as used by the Work Order driver. There the DirXML-nwoSendToPublisher flag is used to trigger an event in the Work Order drivers filter, and if true, the event is processed. I imagine this attribute is being used the same way. This way the Roles and Services driver can poll on some reasonable interval (1, 5, or say 30 minutes) and then if an event is needed post haste, this flag is available to get it flowing as soon as it is requested.

nrfStatus is something I would like to see better defined. I have watched in trace on the Roles and Services driver and clearly there is a progression. I have seen 0, 20, 30, and 50 go by. I assume there may be additional states, but I have not had the time to dissect the log to figure it out. Again, if you happen to have figured it out already, or found a documentation source, please let me know! Clearly 0 looks like the beginning state, and 50 the completed state. But what do those intermediate values mean? And are there error states? Inquiring minds want to know! After writing this complaint, I searched and found it, certainly not in an obvious spot in the docs, but I will take what I can get. User Application API

Here are the values. Interesting to see the allowed states, it tells you a bit about the processing that the Roles and Services driver does in the background.

NEW_REQUEST 0 Set by the User Application on a newly created nrfRequest object.

SOD_APPROVAL_START_PENDING 2 The Role Service driver attempts to start the SoD workflow again. This is used for requests in the SOD_APPROVAL_START_SUSPENDED mode.

SOD_APPROVAL_START_SUSPENDED 3 Occurs when the Role Service driver is not able to start an SoD workflow. A driver task then resets these requests to SOD_WORKFLOW_START_PENDING to retry the starting of the workflow.

SOD_EXCEPTION_APPROVAL_PENDING 5 Set by the Role Service driver after successfully initiating an SoD exception workflow.

SOD_EXCEPTION_APPROVED 10 Set by the SoD exception workflow when the exception is approved.

APPROVAL_START_PENDING 12 The Role Service driver attempts to start the workflow. The request must be in APPROVAL_START_SUSPENDED mode.

APPROVAL_START_SUSPENDED 13 Occurs when the Role Service driver is not able to start the approval workflow. A driver task then resets these requests to APPROVAL_START_PENDING to try to start the workflow again.

APPROVAL_PENDING 15 Set by the Role Service driver after successful role assignment workflow.

APPROVED 20 Set by the role assignment workflow when the exception is approved.

ACTIVATION_TIME_PENDING 25 Set by the Role Service driver after obtaining all necessary approvals and the activation time has not yet been reached.

PROVISION 30 Set by the Role Service driver after all the necessary approvals have been approved and the role activation time has been reached.

PROVISIONED 50 Set by the Role Service driver after a role has been provisioned.

PROVISIONING_ERROR 80 Set by the Role Service driver when an error occurred during provisioning/deprovisioning

SOD_EXCEPTION_DENIED 90 Set by the SoD exception workflow when the exception is denied.

DENIED 95 Set by the role assignment workflow when the exception is approved.

CLEANUP 100 Set when nrfRequest workflow should be cleaned up (deleted). This is intended to be triggered by a batch process some configurable amount of time after the request has either been fulfilled or denied.

As I surmised there are a number of possible error states actually only two 3 and 80 it looks like. But because more than just simple approval is involved, we need more states. There is the entire SOD (Separation of Duties) flow that needs to be both accounted for and handled. Of course Denial is not just a river in Egypt (D-Nile, get it?) and needs to be handled as well.

So the values I have noticed were for simple approvals that succeeded. 0 for new, then 20 for Approved, then 30 for Provision, and 50 for Provisioned.

I think playing around with the Roles and Services driver to better understand what sort of things it does under the covers would be worthwhile, and I guess I should add it to my list of things I need to look at. The log is quite informative in terms of understanding what is going on inside the driver. Very little happens in policy, most of it is happening in the shim, and the good news is that it traces a fair bit of information from the shim in the process, which makes it possible to better understand.

The final agent for handling entitlements is the User Application Workflow, where you can assign a Role, in which case it is basically the same process as above, as that generates an nrfRequest object which is handled by the Roles and Services driver.

What I am unclear on, is if the Entitlement granting activity in a workflow directly grants the entitlement or uses the nrfRequest mechanism. That is something worth looking into further. This activity predates the notion of a Roles and Services (or even the Roles driver before Resources became available) so it probably grants it directly.

The payload of the Entitlement is interesting, and there is a DTD that defines its contents. The engine does require that the path.xml component have valid XML, or else it throws a nice error, which I had captured, but lost on a reboot.

The DTD is referenced here:
Novell Entitlement Document Type Definition (DTD)

Cool Solutions

Main Menu

This release introduces a long list of customer-driven features, including critical database support, to all ZENworks 11 products. Starting immediately, customers and partners will now have access to ZENworks 11 Support Pack 1 at http://download.novell.com and the Novell Customer Center.

Comparing Novell ZENworks 11 to Microsoft System Center Configuration Manager

But first, what should you really be comparing?

Next steps

Option 1

Option 2

Choosing option 1

Choosing option 2

GroupWise: E-Discovery

Michael Osterman

Novell Vibe Press Release by one of our partners

GWAVACon Munich

GroupWise Mobility – version 1.2

Introduction

Integrating PUM Manager with Novell eDirectory Authentication Domain

SSH Relay Feature enabling with PUM Manager

Command Control Rule for LDAP Group Matching

Using SSH Relay feature with Novell eDirectory as authentication domain

Glossary of Terms

Introduction:

Preparation:

Install HA extension:

Configure shared storage:

Configure HA cluster:

Configure HA resource:

Configure stonith resource:

LVM resources:

Configure file system resource:

Configure IP resource:

Install and configure Sentinel:

Background

The hard way

The easy way

How it works:

How to install this Cool Solution on your system

Troubleshooting

This release introduces a long list of customer-driven features, including critical database support, to all ZENworks 11 products.
Starting immediately, customers and partners will now have access to ZENworks 11 Support Pack 1 at http://download.novell.com and the Novell Customer Center.