This week I relished in the announcement here and this Metalink article that Oracle recently made about support for running Oracle on VMware virtualized environments. Then again, for those of us who have been doing the same for awhile now, it’s not *that* big of a deal. Or is it?

Having spent a fair amount of time at the VMware booth at Oracle Open World and witnessed the intense interest in virtualizing everything Oracle, from RAC and Database servers; at the VMware Booth Dave Welch from House Of Brick Technologies attests it has had Tier 1 workloads on VMware since 2006 (and seen $ millions of capex/opex reductions), there were no shortage of folks from the audience taking note; to Middleware and as I have discussed Oracle IdM on VMware as well. Sadly, there are others from various industries who have not even begun to virtualize their Oracle infrastructures due to Oracle’s previous stance on support running their products on VMware.

VMware Snapshot Manager

Beyond the benefits of snapshots and virtualization for the Upgrade scenarios there are the extraordinary stories for consolidation itself to be told. Infrastructure consolidation invariably leads to other interesting possibilities such as cloning (which I talk more about here) for building out new environments, making your infrastructure portable to make building out cloud infrastructure more efficient, to even being the key to your cloud security, as Art Coviello talked about at the RSA conference this week.

So in all honesty, I don’t feel that the announcement from the Evil Empire in Redwood Shores is for me so much as it is for other large companies I know exist out there with sizable physical infrastructures. I have seen success and failures due in large part to the virtualized environment (or lack thereof) so to encourage those of you who have not gone down that path, that now you have an open doorway to bring your support issues and take another hard look across your IT infrastructure of prime opportunities for consolidation and to better realize benefits from this Age of Virtualization, which arguably is already giving way to the Age of Cloud Computing or Agility as VMware executives like to describe it.

With that being said, a huge thanks is due to Oracle, who is now only slightly less evil, for getting out of the way of IT innovations, economic recovery and for giving the power of choice back to the customer.

As always, feel free to leave your comments here in the blog thread. And if you are in need of assistance or want more resources on virtualizing your Oracle environment with VMware, head over to http://www.vmware.com/oracle for more information.

It’s been a little over a week since OOW, and finally getting back into the swing of things. I should say up front that while I spoke at Oracle Open World, this was not a general session like VMworld, but instead I spoke from the VMware booth at Oracle Open World. Not only was it great hanging out with some really cool folks from the marketing teams from VMware (which I never get to do) I also had the chance to speak directly with Oracle and VMware partners and customers about the cool things that me and my team at VMware have been working on over the past 18 months. It was a throwback to my consulting days at Oracle, which were great, but with the liberty to share more about doing things with VMware than the ordinary Oracle Consultant does.

My short presentation was focused on helping Oracle IdM customers get a handle on the top pain points that a company might encounter from an operations perspective, and I offered some insights on the challenges one will face and a VMware specific solution to the problem. In essence, if you can build your Oracle IdM foundation on VMware vSphere starting Day 1, it will lend itself to dramatic time/cost savings and speed with regards to building out new environments and horizontally scaling those environments as your business and IT infrastructure evolves.

Also, as an EMC company, VMware employees enjoy a great partnership and access to world-class tools and support for managing the Oracle database, which is the very foundation for Oracle IdM. As such, another of the practices we use at VMware, which I also discussed in the talk at OOW, is not as much VMware focused as it is on the EMC technology, but it has to be included to paint a complete picture for improving efficiency of your operations environment. Of course, some of you were quick to point out that EMC’s SRDF isn’t the only company to provide block level copy of Oracle data, we happen to think it’s a really good one worty of your consideration. For more about this process, you can view my VMworld presentation on managing Oracle data with SRDF, or you can get more from your local DBA or straight from EMC, such as EMC’s own Oracle Storage Guy.

For those of you who didn’t attend either talk or catch the link on my Twitter post, here is my OOW presentation. Being only given 30 minutes I could not go into too much technical detail here, so please forgive me. You can, however, talk with your in-house IdM Architect/Admin or IdM consultant about how you can build your Oracle IdM environment similar to the way I talk about in my presentation.

In addition to presenting at the VMworld booth I also got a chance to talk to a director at Oracle about collaborating on some white papers for publication on OTN on best practices and configuration specs for building and running Oracle IdM on VMware vSphere. There is nothing like this that I am aware of, and if there is (please share your stories with me) then this will just make it an official collaboration between VMware and Oracle. We are just getting started, and I would expect this to be available to the public sometime in Q1 of 2011. You can follow my blog’s RSS feed or my Twitter as that is where I will make the announcement when these papers are available. Another way is to check www.vmware.com/oracle for the latest updates on this collaboration.

On a final note, I received some some sad news last week on the heels of Oracle Open World that Oracle will be losing Rohit Gupta to run another company in the Bay Area. Rohit has been around the Oracle IdM space as long I can remember Oracle being in this business (circa 2005) in field enablement and product management. I got a chance to hear Rohit speak in person at Burton Catalyst this year, as the last speaker to an audience of very thirsty IT guys and a bunch of long winded corporate sponsors, he hit the grand slam with a speed 2 minutes under his allotted time with grace, humor and a technical acumen that’s refreshing coming from a VP. Rohit, you will be missed by many and I’m confident you will succeed famously at BMC as you did at Oracle. And if not, I’m sure there could be an open door for you at VMware.

Have a great week, everybody and feel free to comment here on my blog and get some conversations going about how you’ve put any of these ideas to use in your environment.

Do you want to learn how VMware manages Oracle Data and Oracle Identity Management middleware with EMC and VMware technologies? Are you curious how VMware rapidly builds new Oracle OID and Access Manager environments with it’s own products?

I will be in San Francisco at VMworld next week presenting “Automated Refresh of Oracle Data” during the Oracle Storage Guys session at VMworld. Look for Session ID: EA7061 on the topic of Creating an Internal Oracle Database Cloud Using vSphere in your handbook. I will be sharing how we shaved days off our Environment Refresh processes and significantly reduced error rates using EMC’s SRDF/TimeFinder and custom scripts managed via PPM workflows to achieve greater levels of efficiency and accuracy.

It will be presented twice, so you can catch this session on Monday or Thursday at the following times.

Monday: Moscone South Room 308 @ 12:00-1:00 PM
Tursday: Moscone West Room 2007 @ 10:30-11:30 AM

Also, if you are headed to Oracle Open World in September, look for me at the VMware booth. I will be there to talk about how VMware, in addition to the EMC/SRDF solution described at VMworld for bootstrapping Oracle DB instances, uses vSphere to clone and build out new Oracle Identity Management environment. I blogged about how awesome this is awhile back, but this will give you a chance to hear a 6-month progress update and ask any questions. Stay tuned for more details on which days and times.

See you there!

I grew up in a painting family and was raised by a father who was a skilled crafstman, an expert with a lifelong career in painting.  The thing you would expect, that our house would always have a fresh coat each season, or a fresh paint at all, is far from reality.  It’s like the saying cobblers children have no shoes.  As I grew old enough to form my own values and ideals about the future, I vowed to never let my family or my children go without shoes so to speak.  At VMware, we are pursuing the dream of IT As A Service, putting new kicks on our feet, and accelerating the use of virtualization across our own IT landscape.

And virtualize, we did.  I am involved on a crush team who’s objectives include streamlining and automating the build and refresh of environments using VMware virtualization technology, EMC SRDF and BCV technologies.  Since the very beginning Oracle IdM has ran on VMs at VMware except for RAC, but even now that is changing.   In spite of how compelling virtualization is for businesses and IT, it’s not as simple as running IdM on a VM.  Having hard-wired references to hostnames and PKI baked into a cloned copy makes “Instant On” a stretch of the imagination without taking appopriate steps to transform a cloned copy of say Production to make it operate as a completely separate and independent entity.

Cloning OID

VMware worked with some smart consultants at Identigral to create a procedure for reconfiguring a cloned instance of Oracle Internet Directory (OID) which is not exactly a supported and documented feature provided by Oracle, but is in any case effective for the purpose of rapid deployment.  This procedure gave the foundation for executing on my vision of clone automation for Oracle IdM that I shared with Identigral consultants.

Oracle’s OID Product Mgmt team reviewed the solution and suggested (as I would expect) that this is not a procedure to be used for building production instances.  Also, there is the risk that cloning OID will cause some problems with patching and upgrading.  But taking a step back and looking at why we want to rapidly build or refresh an environment in the first place, it’s for testing purposes, not to build a clean or new production environment.  So we have clearance from Oracle on OID cloning methodology, with the usual caveats.

Testing of the procedure proved its effectiveness so far in 2 of 2 exercises.  So now, we have a cloned VM, running a cloned OID, which is setting the table for either cloning OAM or installing it from scratch, or a hybrid of cloning and re-installing.

Cloning OAM

Cloning OAM is not as easy nor as straight forward of an approach.  There are certainly shortcuts for building any new OAM environment, or refreshing an environment (affecting only user data) but for a company whose ambition or need is to build numerous test instances for whatever reason, the argument for taking shortcuts and even automating to a certain extent is compelling. 

To start, as quick as it is to install new servers, and ensuring that there are no corruptions or issues when building the core configuration, the fresh install of OAM servers is a good safe bet.  Once the core foundation is installed, policies and configurations can then be exported from a source, lets say a golden copy from production, and modified to fit the needs of your target environment. 

Here is where the black art of Oracle IdM environment management comes into play.  Attempts by Oracle to offer migration tool set has not been received well, so this creates room for Oracle Consulting, and their partners to add value to IdM customers.  Typically, IdM consultants with years of experiences can have an intuitive knowledge about what should be copied from a source environment, how to massage the data, and then import it into the target environment in a manual approach spanning several days depending on the environment complexity.   This is a valuable, and critical competency that any IdM Administrator should have, and of course the organization who has OAM.  Multiply this exercise of say 40 hours by how many environments you plan to use for testing and development in the coming year and then by $125 or more, and you come up with a figure for annualized maintenance costs just for instance management.

Extreme Cloning

Taking the project to an even more extreme level, a person could justify automating the clone procedures by writing their own scripts to export, transform and deploy on the basis that the one-time development costs are less than the annualized maintenance costs.  The ROI formula I came up with looked something like this:

• Approx. number of hours to build OAM manually = x
• Hourly rate of IdM Admin = y
• Number of environments you will build this year = z

With that you can come up a figure with the following formula:  Annual instance management cost = (x*y)*z

In contrast, lets say that we could develop and deploy scripts to automate a large portion of this work. 

• Approx number of hours to design and build scripts to automate clone activity = x
• Hourly rate of expert programmer who has 3+ IdM experience = y

Then we can perform a basic ROI measure that should allow you to calculate your break even point.  Management will need to know how many environments would need to be built in order for investment in clone automation to pay off.  Depending on how aggressive your IdM initiatives are, it may take more than a year of utilizing your new tool set to see any ROI, not to mention that there are opportunity costs that should be factored in.  (E.g. Your expert programmer is going to be taken off of some other high priority project which can be a setback.)

And to make things even more interesting, recent VMware acquisitions add even more technical capabilities that should ultimately help reduce costs and complexity of  instance management.  I’m looking forward to the assimilation of Spring Source and Ionix into VMware virtualization platform so we can create and share templates for IdM configuration management.  Imagine configurable templates as a feature of your platform that transparently supports duplicating and managing IdM environments without the risk and cost of custom software, including having all of the appropriate monitoring (E.g. Zenoss, EM grid agents) deployed right next to it.

I’d love to hear ways you use VMware to make managing and deploying Oracle IdM easier.  Leave comments here in this blog post or send an email to steve at stevetout dot com.

Authentication and password policies are the bane of my existence.  I really feel sorry for millions of consumers who have no idea whats going on (exactly) with the crazy and absurd requirements that companies put in place for logging in to view account balances or make payments.  As I have a few ideas about whats going on,  the fact that I have to call into a customer service help desk on almost a monthly basis for a password reset can only highlight that neither customers nor businesses are having much fun.   Banks and other online bill-pay sites seem compelled to make remembering passwords so difficult that I could pull my hair out.

Here is the password policy of one very large financial institution… seriously?  I have and use a hand full of passwords for various online accounts which I have used since the beginning of time.  Most people will run out of variations on the common pass*word* that they will begin to form really bad habits, making their online accounts less secure.  Like say, writing passwords down on paper or saving them in a insecure file on my computer (which I do from time to time) undermines the very security that was meant to be in the first place. 

Then there’s my wife’s headaches of working with the online account tools of a local bank in a suburb of Seattle, that forced her to have password reset codes sent to her cell phone repeatedly because the bank’s website no longer recognized the browser or PC that she used to login.  That’s typically a problem when your identity is tightly embedded into the PC or browser via cookies or registry values that is supposed to help prevent unauthorized access.  Over course of several days, using one of several different PCs in our house, she managed to re-verify herself and lock out her account 3 times.  What s dreadful password policy that other smart people undoubtedly have endured….  As if we don’t have enough phone calls to make or things to do in one day. *sigh*

 So what’s the answer?

Listen to your customers!   Balance end-user compassion with account security and privacy mechanisms.  Password policy need not be so complex.  Some solutions, such as Oracle Adaptive Access Manager, work on the back end monitoring login attempts based on signature files and patterns of hacking activity, which in turn can result in a huge boost of compassion for your end-users.

So what are your experiences with insane password policies?  How many passwords do you have?

Oracle IdM by Marlin Pohlman

Oracle Identity Management by Marlin Pohlman. This is IdM & GRC 101 as far as Oracle is concerned, folks. It’s comprehensive in scope and decidedly biased towards the incredible technology from the largest software company in the world. After giving a nice overview of each technology in Oracle’s IdM suite, it gives a comprehensive and accessible reference on governance and compliance for multi-national businesses. A must read for any IdM engineer looking to rise above his or her reputation as IdM Admin, and also for managers looking to get a better grasp of the wide ranging technology in the IdM Suite.

A Subscription to Dr. K’s blog Talking Identity – The Dr. is in and he will see you now. Here’s another wish that shows my Oracle bias. The blog contains architectural gems in the world of IdM, and is blazing trails in security and identity issues for cloud computing. Best of all, it’s free!

LDAP Browser/Editor v2.81 – Here it is. The lightest weight LDAP browser/editor on the planet (that I’m aware of) and it’s yours for free, assuming you can still find it. The internet went silent in early 2009 and the publisher’s original download URL disappeared. Where did our friend Mr. Gawor go, anyone? Any ways, the first and last thing I’d ever need to do in IdM is browse, search and edit basic information like user profile attributes, and the occassional import or export of an ldif file. There are no schema editing capabilities, but how often does one really need that? I’ve been doing this job for 10 years and of all the tools I have used, this is at the top of my list.

Oracle Unified Method – Another one of Dr. Pohlman’s brain children, OUM is the next best thing to working with Oracle Consulting, although you may need to work with OCS to get your hands on a copy. This is a wealth of resources to ensure smooth delivery of your IdM projects. From Detailed Design, to QA, Support and Training, it’s all in there. A more or less Oracle flavor of RUP.

Microsoft OneNote – Every now and then Microsoft works out something very cool. Think Windows 7 and Zune HD for example. Love em or hate em, Microsoft is a part of (most) all our daily lives. OneNote is one tool that helps me take names and kick butt every single day. You want a business justification on the mertis of OAM vs. ESSO? Meeting minutes with in-line commentary? Technical analysis and post mortem of the latest production outage? OneNote is an extension of my brain, a place to capture and share all of that unstructured data that is all around. When it’s time to compare notes, present ideas or persuade others quickly without writing a book, just Send > Email Page As PDF and go on with the rest of your day. It’s easy to use, efficient and just amazing tool! My colleagues rarely (if ever) see anything but PDFs from me, and all by design. It’s a game of knowledge management, sharing, presenting and persuading, and for that Office in General and OneNote in particular is your new best friend.

OpenID – The value proposition for OpenID is teriffic! If you tire of filling out registration forms or challenged by remembering your password for the nth time, then it’s time for you to get your OpenID. Not that this hasn’t been tried before (Passport, anyone?) I can’t seem to think of any other way than this time it’s going to be different. It’s not owned by Microsoft or any one vendor, is already being used by some very big hitters like Google, Yahoo, Flickr, etc… and I’m sure there will be lots more in 2010 that come on board. This nifty tool will not only save you time and headaches, as someone more career minded in the Identity and Security industry, it will help you stay engaged with and supportive of the issues that the industry faces right now.

VMware Workstation 7 – And last but not least, VMware Workstation 7 (and not because I’m an employee either *grin* ) – I can step into nearly any business regardless of size, OS, DB or App version and build a slightly replicated environment to test anything from bug fixes, interoperability issues, enhancements or upgrades. It’s an invaluable tool for anything from development to QA, and can save an insane amount of time and money on your IdM projects. I admire any company who bakes this (or VM ESX or Infrastructure) into their development lifecycle. It’s an amazing technology!

Merry Christmas, everyone!