<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Steve Tout&#039;s Blog &#187; Oracle Identity Management</title>
	<atom:link href="http://www.stevetout.com/category/oracle-idm/feed" rel="self" type="application/rss+xml" />
	<link>http://www.stevetout.com</link>
	<description>Identity Management in an Uncertain World and Other Random Things</description>
	<lastBuildDate>Thu, 10 Jun 2010 21:30:19 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0</generator>
		<item>
		<title>VMware shows its prowess Cloning Oracle IdM</title>
		<link>http://www.stevetout.com/oracle-idm/vmware-shows-its-prowess-cloning-oracle-idm</link>
		<comments>http://www.stevetout.com/oracle-idm/vmware-shows-its-prowess-cloning-oracle-idm#comments</comments>
		<pubDate>Sat, 13 Mar 2010 21:55:38 +0000</pubDate>
		<dc:creator>Steve</dc:creator>
				<category><![CDATA[Management]]></category>
		<category><![CDATA[Oracle Identity Management]]></category>
		<category><![CDATA[LinkedIn]]></category>
		<category><![CDATA[Virtualization]]></category>
		<category><![CDATA[VMware]]></category>

		<guid isPermaLink="false">http://www.stevetout.com/?p=261</guid>
		<description><![CDATA[I grew up in a painting family and was raised by a father who was a skilled craftsman, an expert with a lifelong career in painting.  The thing you would expect, that our house would always have a fresh coat each season, or a fresh paint at all, is far from reality.  It&#8217;s like the [...]]]></description>
			<content:encoded><![CDATA[<p>I grew up in a painting family and was raised by a father who was a skilled craftsman, an expert with a lifelong career in painting.  The thing you would expect, that our house would always have a fresh coat each season, or a fresh paint at all, is far from reality.  It&#8217;s like the saying <em>cobbler&#8217;s children</em> have <em>no shoes.</em>  As I grew old enough to form my own values and ideals about the future, I vowed to never let my family or my children <em>go without shoes</em> so to speak.  At VMware, we are pursuing the dream of IT As A Service, putting new kicks on our feet, and accelerating the use of virtualization across our own IT landscape.</p>
<p>And virtualize, we did.  I am involved on a crush team whose objectives include streamlining and automating the build and refresh of environments using VMware virtualization technology, EMC SRDF and BCV technologies.  Since the very beginning Oracle IdM has run on VMs at VMware except for RAC, but even now that is changing.   In spite of how compelling virtualization is for businesses and IT, it&#8217;s not as simple as running IdM on a VM.  Having hard-wired references to hostnames and PKI baked into a cloned copy makes &#8220;Instant On&#8221; a stretch of the imagination without taking appropriate steps to transform a cloned copy of say Production to make it operate as a completely separate and independent entity.</p>
<p><strong>Cloning OID</strong></p>
<p>VMware worked with some smart consultants at <a title="Identigral, Inc." href="http://www.identigral.com" target="_blank">Identigral</a> to create a procedure for reconfiguring a cloned instance of Oracle Internet Directory (OID) which is not exactly a supported and documented feature provided by Oracle, but is in any case effective for the purpose of rapid deployment.  This procedure gave the foundation for executing on my vision of clone automation for Oracle IdM that I shared with Identigral consultants.</p>
<p>Oracle&#8217;s OID Product Mgmt team reviewed the solution and suggested (as I would expect) that this is not a procedure to be used for building production instances.  Also, there is the risk that cloning OID will cause some problems with patching and upgrading.  But taking a step back and looking at why we want to rapidly build or refresh an environment in the first place, it&#8217;s for testing purposes, not to build a clean or new production environment.  So we have clearance from Oracle on OID cloning methodology, with the usual caveats.</p>
<p>Testing of the procedure proved its effectiveness so far in 2 of 2 exercises.  So now, we have a cloned VM, running a cloned OID, which is setting the table for either cloning OAM or installing it from scratch, or a hybrid of cloning and re-installing.</p>
<p><strong>Cloning OAM</strong></p>
<p>Cloning OAM is not as easy or as straightforward an approach.  There are certainly shortcuts for building any new OAM environment, or refreshing an environment (affecting only user data) but for a company whose ambition or need is to build numerous test instances for whatever reason, the argument for taking shortcuts and even automating to a certain extent is compelling. </p>
<p>To start, as quick as it is to install new servers, and ensuring that there are no corruptions or issues when building the core configuration, the fresh install of OAM servers is a good safe bet.  Once the core foundation is installed, policies and configurations can then be exported from a source, let&#8217;s say a golden copy from production, and modified to fit the needs of your target environment. </p>
<p>Here is where the black art of Oracle IdM environment management comes into play.  Attempts by Oracle to offer a migration tool set have not been received well, so this creates room for Oracle Consulting and their partners to add value to IdM customers.  Typically, IdM consultants with years of experience can have an intuitive knowledge about what should be copied from a source environment, how to massage the data, and then import it into the target environment in a manual approach spanning several days depending on the environment complexity.   This is a valuable, and critical competency that any IdM Administrator should have, and of course the organization who has OAM.  Multiply this exercise of say 40 hours by how many environments you plan to use for testing and development in the coming year and then by $125 or more, and you come up with a figure for annualized maintenance costs just for instance management.</p>
<p><strong>Extreme Cloning</strong></p>
<p>Taking the project to an even more extreme level, a person could justify automating the clone procedures by writing their own scripts to export, transform and deploy on the basis that the one-time development costs are less than the annualized maintenance costs.  The ROI formula I came up with looked something like this:</p>
<ul>
<li><em>Approx. number of hours to build OAM manually = x</em></li>
<li><em>Hourly rate of IdM Admin = y</em></li>
<li><em>Number of environments you will build this year = z</em></li>
</ul>
<p>With that you can come up with a figure using the following formula:  <strong>Annual instance management cost</strong> = (x*y)*z</p>
<p>In contrast, let&#8217;s say that we could develop and deploy scripts to automate a large portion of this work. </p>
<ul>
<li><em>Approx number of hours to design and build scripts to automate clone activity = x</em></li>
<li><em>Hourly rate of expert programmer who has 3+ IdM experience = y</em></li>
</ul>
<p>Then we can perform a basic ROI measure that should allow you to calculate your break-even point.  Management will need to know how many environments would need to be built in order for investment in clone automation to pay off.  Depending on how aggressive your IdM initiatives are, it may take more than a year of utilizing your new tool set to see any ROI, not to mention that there are opportunity costs that should be factored in.  (E.g. Your expert programmer is going to be taken off of some other high priority project which can be a setback.)</p>
<p>And to make things even more interesting, recent VMware acquisitions add even more technical capabilities that should ultimately help reduce costs and complexity of instance management.  I&#8217;m looking forward to the assimilation of Spring Source and <a title="Chuck Hollis on Ionix acquisition" href="http://chucksblog.emc.com/chucks_blog/2010/02/vmware-management-takes-a-big-step-forward-.html" target="_blank">Ionix</a> into the VMware virtualization platform so we can create and share templates for IdM configuration management.  Imagine configurable templates as a feature of your platform that transparently supports duplicating and managing IdM environments without the risk and cost of custom software, including having all of the appropriate monitoring (E.g. Zenoss, EM grid agents) deployed right next to it.</p>
<p>I&#8217;d love to hear ways you use VMware to make managing and deploying Oracle IdM easier.  Leave comments here in this blog post or send an email to steve at stevetout dot com.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.stevetout.com/oracle-idm/vmware-shows-its-prowess-cloning-oracle-idm/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Password insanity!</title>
		<link>http://www.stevetout.com/risk-management/password-insanity</link>
		<comments>http://www.stevetout.com/risk-management/password-insanity#comments</comments>
		<pubDate>Wed, 10 Feb 2010 04:50:05 +0000</pubDate>
		<dc:creator>Steve</dc:creator>
				<category><![CDATA[Oracle Identity Management]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[LinkedIn]]></category>
		<category><![CDATA[Online banking]]></category>

		<guid isPermaLink="false">http://www.stevetout.com/?p=234</guid>
		<description><![CDATA[Authentication and password policies are the bane of my existence.  I really feel sorry for millions of consumers who have no idea what&#8217;s going on (exactly) with the crazy and absurd requirements that companies put in place for logging in to view account balances or make payments.  As I have a few ideas about what&#8217;s [...]]]></description>
			<content:encoded><![CDATA[<p>Authentication and password policies are the bane of my existence.  I really feel sorry for millions of consumers who have no idea what&#8217;s going on (exactly) with the crazy and absurd requirements that companies put in place for logging in to view account balances or make payments.  As I have a few ideas about what&#8217;s going on,  the fact that I have to call into a customer service help desk on almost a monthly basis for a password reset can only highlight that neither customers nor businesses are having much fun.   Banks and other online bill-pay sites seem compelled to make remembering passwords so difficult that I could pull my hair out.</p>
<p><a rel="attachment wp-att-233" href="http://www.stevetout.com/risk-management/password-insanity/attachment/pwd-restrictions"><img class="alignright size-full wp-image-233" title="pwd-restrictions" src="http://www.stevetout.com/wp-content/uploads/pwd-restrictions.gif" alt="so many password restrictions!!!" width="483" height="204" /></a>Here is the password policy of one very large financial institution&#8230; seriously?  I have and use a handful of passwords for various online accounts which I have used since the beginning of time.  Most people will run out of variations on the common pass*word* and will begin to form really bad habits, making their online accounts less secure.  Like say, writing passwords down on paper or saving them in an insecure file on my computer (which I do from time to time) undermines the very security that was meant to be in the first place. </p>
<p>Then there&#8217;s my wife&#8217;s headaches of working with the online account tools of a local bank in a suburb of Seattle, that forced her to have password reset codes sent to her cell phone repeatedly because the bank&#8217;s website no longer recognized the browser or PC that she used to login.  That&#8217;s typically a problem when your identity is tightly embedded into the PC or browser via cookies or registry values that are supposed to help prevent unauthorized access.  Over the course of several days, using one of several different PCs in our house, she managed to re-verify herself and lock out her account 3 times.  What a dreadful password policy that other smart people undoubtedly have endured&#8230;.  As if we don&#8217;t have enough phone calls to make or things to do in one day. *sigh*</p>
<p> So what&#8217;s the answer?</p>
<p>Listen to your customers!   Balance end-user compassion with account security and privacy mechanisms.  Password policy need not be so complex.  Some solutions, such as Oracle Adaptive Access Manager, work on the back end monitoring login attempts based on signature files and patterns of hacking activity, which in turn can result in a huge boost of compassion for your end-users.</p>
<p>So what are your experiences with insane password policies?  How many passwords do you have?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.stevetout.com/risk-management/password-insanity/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>My IdM Christmas Wish List</title>
		<link>http://www.stevetout.com/oracle-idm/my-idm-christmas-wish-list</link>
		<comments>http://www.stevetout.com/oracle-idm/my-idm-christmas-wish-list#comments</comments>
		<pubDate>Mon, 21 Dec 2009 22:46:49 +0000</pubDate>
		<dc:creator>Steve</dc:creator>
				<category><![CDATA[Oracle Identity Management]]></category>
		<category><![CDATA[LinkedIn]]></category>
		<category><![CDATA[VMware]]></category>

		<guid isPermaLink="false">http://www.stevetout.com/?p=28</guid>
		<description><![CDATA[While I actually have enjoyed these items on my wish list for awhile, they are very practical and fresh full of usefulness and insights year after year. I use and would recommend any of the following wish list items to my colleague or friends who make his or her livelihood through professional Identity &#038; Access [...]]]></description>
			<content:encoded><![CDATA[<p><div id="attachment_60" class="wp-caption alignright" style="width: 195px"><img src="http://www.stevetout.com/wp-content/uploads/26700704.jpg" alt="Oracle IdM by Marlin Pohlman" title="Oracle IdM" width="185" height="265" class="size-full wp-image-60" /><p class="wp-caption-text">Oracle IdM by Marlin Pohlman</p></div>While I actually have enjoyed these items on my wish list for awhile, they are very practical and fresh full of usefulness and insights year after year.  I use and would recommend any of the following wish list items to my colleague or friends who make his or her livelihood through professional Identity &#038; Access management.  Feel free to leave comments and share your wish list items with those who stumble upon my list.  Thanks in advance.</p>
<p><strong><a href="http://astore.amazon.com/stevetout-20/detail/1420072471">Oracle Identity Management</a> by Marlin Pohlman.</strong>  This is IdM &#038; GRC 101 as far as Oracle is concerned, folks.  It&#8217;s comprehensive in scope and decidedly biased towards the incredible technology from the largest software company in the world.  After giving a nice overview of each technology in Oracle&#8217;s IdM suite, it gives a comprehensive and accessible reference on governance and compliance for multi-national businesses.  A must read for any IdM engineer looking to rise above his or her reputation as IdM Admin, and also for managers looking to get a better grasp of the wide ranging technology in the IdM Suite.</p>
<p><strong>A Subscription to Dr. K&#8217;s blog <a href="http://blog.talkingidentity.com">Talking Identity</a></strong> &#8211; The Dr. is in and he will see you now.  Here&#8217;s another wish that shows my Oracle bias.  The blog contains architectural gems in the world of IdM, and is blazing trails in security and identity issues for cloud computing.  Best of all, it&#8217;s free!</p>
<p><strong><a href="http://www.novell.com/coolsolutions/tools/13765.html">LDAP Browser/Editor v2.81</a></strong> &#8211; Here it is.  The lightest weight LDAP browser/editor on the planet (that I&#8217;m aware of) and it&#8217;s yours for free, assuming you can still find it.  The internet went silent in early 2009 and the publisher&#8217;s original download URL disappeared.  Where did our friend Mr. Gawor go, anyone?  Anyways, the first and last thing I&#8217;d ever need to do in IdM is browse, search and edit basic information like user profile attributes, and the occasional import or export of an ldif file.  There are no schema editing capabilities, but how often does one really need that?  I&#8217;ve been doing this job for 10 years and of all the tools I have used, this is at the top of my list.  </p>
<p><strong><a href="http://www.oracle.com/consulting/library/data-sheets/oracle-unified-method-customer-program.pdf">Oracle Unified Method</a></strong> &#8211; Another one of Dr. Pohlman&#8217;s brain children, OUM is the next best thing to working with Oracle Consulting, although you may need to work with OCS to get your hands on a copy.  This is a wealth of resources to ensure smooth delivery of your IdM projects.  From Detailed Design, to QA, Support and Training, it&#8217;s all in there.  A more or less Oracle flavor of RUP.</p>
<p><strong><a href="http://office.microsoft.com/en-us/onenote/default.aspx">Microsoft OneNote</a></strong> &#8211; Every now and then Microsoft works out something very cool.  Think Windows 7 and Zune HD for example.  Love em or hate em, Microsoft is a part of (most) all our daily lives.  OneNote is one tool that helps me take names and kick butt every single day.  You want a business justification on the merits of OAM vs. ESSO?  Meeting minutes with in-line commentary?  Technical analysis and post mortem of the latest production outage?  OneNote is an extension of my brain, a place to capture and share all of that unstructured data that is all around.  When it&#8217;s time to compare notes, present ideas or persuade others quickly without writing a book, just <strong>Send > Email Page As PDF </strong> and go on with the rest of your day.  It&#8217;s easy to use, efficient and just an amazing tool!  My colleagues rarely (if ever) see anything but PDFs from me, and all by design.  It&#8217;s a game of knowledge management, sharing, presenting and persuading, and for that Office in General and OneNote in particular is your new best friend.</p>
<p><img src="http://www.stevetout.com/wp-content/uploads/openid-net.gif" alt="openid-net" title="openid-net" width="137" height="51" class="alignright size-full wp-image-67" /><strong><a href="http://openid.net">OpenID</a></strong> &#8211; The value proposition for OpenID is terrific!  If you tire of filling out registration forms or are challenged by remembering your password for the nth time, then it&#8217;s time for you to get your OpenID.  Not that this hasn&#8217;t been tried before (Passport, anyone?) I can&#8217;t seem to think of any other way than this time it&#8217;s going to be different.  It&#8217;s not owned by Microsoft or any one vendor, is already being used by some very big hitters like Google, Yahoo, Flickr, etc&#8230; and I&#8217;m sure there will be lots more in 2010 that come on board.  This nifty tool will not only save you time and headaches, as someone more career minded in the Identity and Security industry, it will help you stay engaged with and supportive of the issues that the industry faces right now.</p>
<p><img src="http://www.stevetout.com/wp-content/uploads/box_store-workstation7-200x200.jpg" alt="box_store-workstation7-200x200" title="box_store-workstation7-200x200" width="200" height="200" class="alignright size-full wp-image-66" /><strong><a href="http://www.vmware.com/products/workstation/">VMware Workstation 7</a></strong> &#8211; And last but not least, VMware Workstation 7 (and not because I&#8217;m an employee either *grin* ) &#8211; I can step into nearly any business regardless of size, OS, DB or App version and build a slightly replicated environment to test anything from bug fixes, interoperability issues, enhancements or upgrades.  It&#8217;s an invaluable tool for anything from development to QA, and can save an insane amount of time and money on your IdM projects.  I admire any company who bakes this (or VM ESX or Infrastructure) into their development lifecycle.  It&#8217;s an amazing technology!</p>
<p>Merry Christmas, everyone!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.stevetout.com/oracle-idm/my-idm-christmas-wish-list/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
