Thursday, May 15, 2014

SSL configuration on Apache web server and Tomcat application server

Below are the common steps you need to follow to configure SSL on any app server or web server:

  1. A certificate (.crt) is required, which is presented to the browser (client) whenever it requests access to that server.
  2. Configure the certificate on your web/app server, and the private key as well if it is not bundled with the certificate. (SSL itself is not explained in this post, as a lot of good articles are already available.)
  3. Enable the https protocol on your app/web server on a specific port.

Configuring SSL on Tomcat 6 :-

  1. Tomcat stores the certificate in a keystore, which can be created with simple Java keytool commands.
  2. First create the keystore; by default this also creates a self-signed certificate (.crt), which can be replaced by any (.crt) purchased from an authorised certificate authority:

       keytool -genkey -alias domain -keyalg RSA -keysize 2048

     On a Windows system the default location of the keystore (and the certificate in it) is C:\Documents and Settings\<user name>\.keystore
  3. After you enter all the passwords and the required information, export the certificate using the following command :-

       keytool -export -alias domain -file domain.crt
  4. Enable SSL in Tomcat by adding/uncommenting the following connector in server.xml. keystoreFile must point to the keystore from step 2; if you chose a keystore password other than Tomcat's default (changeit), add it as the keystorePass attribute.

       <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                  maxThreads="150" scheme="https" secure="true"
                  clientAuth="false" sslProtocol="TLS"
                  keystoreFile="C:\Documents and Settings\user\.keystore" />

  5. To force all requests to be redirected to SSL, add the following to web.xml:

       <security-constraint>
         <web-resource-collection>
           <web-resource-name>Entire Application</web-resource-name>
           <url-pattern>/*</url-pattern>
         </web-resource-collection>
         <user-data-constraint>
           <transport-guarantee>CONFIDENTIAL</transport-guarantee>
         </user-data-constraint>
       </security-constraint>
  6. Restart and all done!! You should be able to access your Tomcat app server using https on port 8443.

Configuring SSL on Apache 2

  1. Install OpenSSL and create the self-signed certificate using the following command :-

       openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout domain.key -out domain.crt
  2. The above command creates two files: i) domain.key (the private key) and ii) domain.crt (the certificate).
  3. Copy these two files into the apache\conf folder.
  4. Edit the httpd.conf file and add/enable the following entries (the certificate and key paths point to the files copied in step 3):

       LoadModule ssl_module modules/mod_ssl.so

       Listen 443
       <VirtualHost _default_:443>
         ServerName localhost
         SSLEngine on
         SSLCertificateFile conf/domain.crt
         SSLCertificateKeyFile conf/domain.key
         JkMount /<app context path>/* ajp13
       </VirtualHost>

     The JkMount line forwards requests for the application to Tomcat and only works once mod_jk is set up as described in the next section.
  5. Restart and all done!!

Integrating Apache with Tomcat :-

Ideally only the web server's ports are kept open and direct access to the app server is blocked, so with the above configuration we also need to route all requests for the web applications deployed on Tomcat through the web server.

1. Download the mod_jk module for Apache-Tomcat integration. I downloaded the following for use with Apache 2 and Windows OS (tomcat-connectors-1.2.39-windows-x86_64-httpd-2.4.x).

2. Extract the downloaded file and copy mod_jk.so to the modules folder of Apache 2.

3. Create a workers.properties file inside the conf folder of Apache 2:

   # Define 1 real worker named ajp13
   worker.list=ajp13

   # Set properties for worker named ajp13 to use ajp13 protocol,
   # and run on port 8009
   worker.ajp13.type=ajp13
   worker.ajp13.host=localhost
   worker.ajp13.port=8009

Note:- Make sure the ajp13 connector is enabled in the tomcat/conf/server.xml file.

4. Make the following changes in httpd.conf:

   LoadModule jk_module modules/mod_jk.so
   JkWorkersFile conf/workers.properties

   JkMount /<app context path>/* ajp13

5. Restart the server and all done!!

Load Balancer

The Apache web server can be used to configure load balancing as well. For testing it I installed two Tomcat instances and deployed the same web application on both instances.

The following files need to be modified to configure the load balancer:

1. workers.properties file (defines the Tomcat workers and the load-balancer worker that distributes requests between them)
2. httpd.conf file

In httpd.conf the application is mounted on the load-balancer worker instead of a single ajp13 worker:

JkMount /<app context path>/* loadbalancer

Thursday, October 24, 2013

Birthright Provisioning in SailPoint - How to start?

Provisioning through SailPoint is something I have wanted to do for quite some time. Certifications are one major requirement for customers, but now a lot of requests are coming in for provisioning through SailPoint, and customers are comparing the Tivoli, Oracle and SailPoint suites to find the best possible provisioning solution.

In this post I am going to write about a simple birthright provisioning solution that can be created to understand how provisioning is done using workflows.
Birthright provisioning is the scenario where every user who exists must have access to a specific application (it could be AD/Exchange or an intranet site).
There are other ways too (such as roles or provisioning policies), which I will explain in future posts.
In brief, what I have configured is an OpenDS LDAP server as an application in SailPoint; a new account is then created for a user through LCM as soon as the identity is aggregated into SailPoint (birthright!), and the request is processed by a workflow which sends a custom form to the manager for approval.
The LDAP connector in SailPoint supports direct provisioning, hence no connector gateway configuration is required.

How to do that :- (Prerequisite: enable LCM and account requests)
1. Once you have configured the LDAP application in SailPoint, make sure it has "PROVISIONING" in its feature string.

2. Workflow attributes :- Workflow attributes hold the objects and values that are passed along the different steps of the workflow (for example, when you want to pass values from a form filled in by the manager to the next step, where you create the account based on those attributes).
It is difficult to identify up front which variables will be required for provisioning; you can identify the required variables once you select an existing function from the "call method" list and hover the mouse over it. It is better to refer to the existing LCM provisioning workflow and copy the major required variables.

3. Workflow flow :- To create the workflow in the UI, drag and drop the start, step and end steps. Make four steps (Approval, Plan, Compile plan and Execute plan).

4. Approval/Form :- In the first step add an approval and a form; in the form add the fields you want to present to the user for input. These fields will be available for use in the next step. Add a condition so that the workflow only proceeds to the next step when the form is approved, and ends otherwise. This step can be used to get the necessary input from the manager to create the birthright account.

5. Plan :- In this step you create a plan using the ProvisioningPlan class. The identity for which the account is requested is available as an input (identityName), which can be used to create the plan object; the plan is the return variable of this step.

6. Compile and Execute steps :- In the next two steps call the existing workflow-library functions compileProvisioningProject and provisionProject. The required variables need to be added in the Arguments tab.

7. Trigger :- Update the existing workflow in Lifecycle Events with your new workflow. In the Refresh Identity Cube task, "Process Events" needs to be selected, which triggers the workflow for any newly aggregated identity.
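As an added example (not from the original post), here is what the script of the "Plan" step could look like in BeanShell (Java syntax). It assumes the step receives context and identityName as arguments, as the LCM workflows do, plus a form variable ou from the approval step; the application name "OpenDS", the directory layout under dc=example,dc=com and the LDAP attribute names are assumptions for illustration.

```java
// Plan step script (BeanShell, Java syntax) for the birthright workflow.
// Added example; the application name, base DN and attribute names are assumptions.
import java.util.Arrays;
import java.util.List;
import sailpoint.object.Application;
import sailpoint.object.Identity;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

String appName = "OpenDS";                            // assumed application name
String baseDn  = "ou=" + ou + ",dc=example,dc=com";   // ou comes from the manager's form

Identity identity = context.getObjectByName(Identity.class, identityName);
Application app   = context.getObjectByName(Application.class, appName);
if (identity == null || app == null) {
    // Nothing to provision: returning null makes the compile/execute steps no-ops
    // instead of failing with a NullPointerException.
    return null;
}

// Birthright means "exactly one account": if the identity already has a link on
// the application (e.g. the refresh task processed the event twice), do not
// request a second Create.
List existing = identity.getLinks(app);
if (existing != null && !existing.isEmpty()) {
    return null;
}

String uid = identity.getName();
String sn  = (identity.getLastname() != null) ? identity.getLastname() : uid;

ProvisioningPlan plan = new ProvisioningPlan();
plan.setIdentity(identity);

AccountRequest acct = new AccountRequest();
acct.setApplication(appName);
acct.setOperation(AccountRequest.Operation.Create);
acct.setNativeIdentity("uid=" + uid + "," + baseDn);   // DN of the new entry

// Attribute values the connector writes to the new LDAP entry
acct.add(new AttributeRequest("objectClass", ProvisioningPlan.Operation.Set,
        Arrays.asList("top", "person", "organizationalPerson", "inetOrgPerson")));
acct.add(new AttributeRequest("uid", ProvisioningPlan.Operation.Set, uid));
acct.add(new AttributeRequest("cn",  ProvisioningPlan.Operation.Set, identity.getDisplayableName()));
acct.add(new AttributeRequest("sn",  ProvisioningPlan.Operation.Set, sn));

plan.add(acct);

// The plan is the step's return variable, consumed by compileProvisioningProject
return plan;
```

The approval step has to store the manager's form field in the workflow variable ou for this to work, and every attribute named in the AttributeRequests must exist in the OpenDS application's schema, otherwise the provisioning project will not carry it to the connector.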

If everything is configured correctly, an account should be created in OpenDS.

P.S:- I have not added a lot of technical details in this post, but I am sure that with the points above somebody who is starting with workflows can understand it and do it easily.

Saturday, July 6, 2013

Certification creation task

Sometimes in large organizations it is required to create a lot of certifications for many managers, which is quite time consuming and error prone if done manually. Mostly I have seen requirements for certifications to be created for a particular set of people in a BU, or for the people having access to a particular application, for a specific manager. And most of the time this manager information does not flow from the HR authoritative source data, so it requires a separate discussion with the business to identify the reviewers.
In this post I am going to explain how to create a custom task in SailPoint that generates certifications, where you can give the task inputs such as the identities to certify and the reviewers.

(In this example I have created a task that takes a population and an application name as input.)

  1. Create a new advanced certification, give it some default parameters and schedule it for a future date. Rename the new certification in the debug page with a unique name that you can refer to from the custom task.
  2. Create a custom task which has the input parameters for the new certification to be created.
  3. Sample task definition XML:

    <?xml version='1.0' encoding='UTF-8'?>
    <!DOCTYPE TaskDefinition PUBLIC "sailpoint.dtd" "sailpoint.dtd">
    <TaskDefinition executor="sailpoint.custom.AutoCerts" name="AutoCerts" progressInterval="5000" progressMode="String" template="true" resultAction="Delete" type="Generic">
      <Description>Run Auto Certifications</Description>
      <Signature>
        <Inputs>
          <Argument name="application" required="true" type="Application">
            <Prompt>Application</Prompt>
          </Argument>
          <Argument name="population" required="true" type="GroupDefinition">
            <Prompt>Population</Prompt>
          </Argument>
        </Inputs>
      </Signature>
    </TaskDefinition>

    This will create a task with two input parameters, "application" and "population".
  4. Now create the custom class AutoCerts, which creates a new certification with the given parameters. This custom class has three important steps:
    1. Create a clone of the certification created in step 1.
    2. Override the parameters of the certification with the ones provided from the task in step 2.
    3. Create a new task with the new certification object and execute it.
package sailpoint.custom;

import java.util.ArrayList;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import sailpoint.api.SailPointContext;
import sailpoint.api.TaskManager;
import sailpoint.object.Attributes;
import sailpoint.object.CertificationDefinition;
import sailpoint.object.TaskResult;
import sailpoint.object.TaskSchedule;
import sailpoint.task.AbstractTaskExecutor;
import sailpoint.tools.xml.XMLObjectFactory;
import sailpoint.tools.xml.XMLReferenceResolver;

public class AutoCerts extends AbstractTaskExecutor {

    public void execute(SailPointContext ctx, TaskSchedule tskshd, TaskResult tskresult,
                        Attributes attrs) throws Exception {

        // get the application and population names from the task arguments
        String appname = (String) attrs.get("application");
        String population = (String) attrs.get("population");

        // create a map of population -> certifiers (the reviewers for that population)
        List<String> certifiers = new ArrayList<String>();
        certifiers.add("abhishek"); // id of the reviewing user needs to be added

        Map<String, List<String>> certmap = new HashMap<String, List<String>>();
        certmap.put(population, certifiers);

        // load the certification definition created in step 1 and clone it
        String certName = "Abhi Auto Cert";
        CertificationDefinition abhiCertDef = ctx.getObject(CertificationDefinition.class, certName);

        XMLObjectFactory obj = XMLObjectFactory.getInstance();
        CertificationDefinition newCert = (CertificationDefinition)
                obj.cloneWithoutId(abhiCertDef, (XMLReferenceResolver) ctx);

        // override the parameters of the cloned certification (a unique name, so
        // that each run produces its own definition) and persist it
        newCert.setName(certName + " - " + new Date());
        ctx.saveObject(newCert);
        ctx.commitTransaction();

        // create a new task schedule that runs the cloned certification
        String scheduleName = newCert.getName() + " schedule";
        TaskSchedule runcerts = new TaskSchedule();
        runcerts.setName(scheduleName);
        runcerts.setArgument("certificationDefinitionId", newCert.getId());
        runcerts.setArgument("executor", "Certification Manager");
        runcerts.setArgument("resultName", scheduleName);

        TaskManager tskMgr = new TaskManager(ctx);
        // the snippet on the page ends here; handing runcerts to tskMgr
        // (step 3 above) is not shown
    }

    public boolean terminate() {
        return false;
    }
}


Monday, June 3, 2013

Flat Files for application on-boarding

Flat files, commonly known as CSV files, are the most common format in which applications prefer to provide their data. In most projects I have seen people write a separate (Java) utility that validates the flat files and converts them into the desired format before sending them for import, or stores the data in a custom database that is then read through a JDBC connector.
This design expedites the on-boarding process if all teams agree on a fixed format, though for the long-term identity and access management roadmap these files need to be replaced with direct connectors to achieve automatic provisioning and de-provisioning.
In SailPoint there are some options built into the tool to read and modify the file using rules (build map, pre-iterate, post-iterate and file-parser rules). These rules give the flexibility of writing custom logic per application, but they require more effort in maintenance and future enhancements.
So, either a fixed file format or a different format for every application: both have advantages and disadvantages, and neither option can be picked without looking at all aspects of the environment.

Monday, May 13, 2013

Scopes in SailPoint IIQ

There is a very common requirement in any IDM project that a manager should only be able to see the users who are his direct reports. This is very easily achievable in some tools, such as Sun IDM or Tivoli IDM, but in other tools, like CA IDM or Aveksa, it is really hard to configure.
In this post I will talk about configuring this feature in SailPoint.
I will try to explain a simple configuration using the example of a department. Let's say there are two departments, Banking and Media, and a banking manager should only see his people in the Banking department.
  • Go to System Setup -> Scopes
  • Enable scoping
  • In Scope identity attribute, select the attribute which contains the department value
  • A scope correlation rule is required if you do not have a specific scope attribute like department, or if multiple attributes contain scope values (not required for this example)
  • A scope selection rule is required when the scope has to be decided from multiple scopes returned by the above rule (not required for this example)
  • Unscoped Objects Globally Accessible: as the name suggests, enable this if you want objects with no assigned scope to be accessible (for example identities that have no department attribute and therefore no scope assigned) (not required for this example)
  • Identity Controls Assigned Scope: also not required for this example. This allows all users within a scope to manage users within the same scope, but only in combination with the correct user capabilities.
  • Run the refresh task to create the required scopes.
  • The task will create scopes for all departments; you can view them under the Scopes option in System Setup.
  • Now go to Identities and pick a user in the Banking department who will be managing all the users in Banking.
  • Go to the User Rights tab, select Banking under Authorized scopes, and assign the appropriate user capabilities.
  • Now log in as the user you just modified; you will only be able to see the users that are under the same scope.
  • Much more complex scopes can be created by using multiple attributes for scoping and a custom scoping rule.
Done!! :)

Saturday, May 11, 2013

Customization rule in SailPoint IIQ

Customization rules on applications can do a lot, and much of what a customization rule does can also be done in a build map rule. The disadvantage of using a build map rule with a .csv file is that, if there are multiple records for a single user on more than one line, the build map rule executes for each and every line (pretty time consuming with a large number of records).
Now the question is what we can do in a customization rule: well, you can modify any resource object created. "Resource Object" is a term used everywhere in SailPoint, and not only in SailPoint; a lot of other tools use the same terminology. A "Resource Object" is the complete user/account created after aggregation, with all the attributes in the schema. So if there are attributes in the schema which you need to populate based on some attributes of the user, or you want to set the account flags (privileged, service account etc.), then a customization rule is the best place to write your logic.
Now, are there any disadvantages or limitations of customization rules? I don't think there are any limitations; the API arguments available in a customization rule are sufficient to query a lot out of SailPoint and update the values as required.

Sample customization rule
It is pretty simple:

  • query anything you need using the context
  • use object.get() and object.put() to read and update the resource object
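As an added example, not from the original post, here is a small customization rule body in BeanShell (Java syntax) that does both of those things. It assumes the standard customization-rule arguments object (the ResourceObject), application and context; the attribute names sAMAccountName, employeeNumber, accountType and ownerExists are assumptions, the two values put on the object only survive aggregation if the application schema contains those attributes, and employeeNumber must be a searchable identity attribute for the query to work.

```java
// Customization rule body (BeanShell, Java syntax). Added example: attribute
// names and the naming convention for service accounts are assumptions.
import sailpoint.object.Filter;
import sailpoint.object.Identity;
import sailpoint.object.QueryOptions;

String accountName    = (String) object.get("sAMAccountName");
String employeeNumber = (String) object.get("employeeNumber");

// 1. Derive a schema attribute from another attribute of the same account:
//    flag service accounts by their naming convention so they can be
//    certified and reported on separately from personal accounts.
if (accountName != null && accountName.toLowerCase().startsWith("svc_")) {
    object.put("accountType", "service");
} else {
    object.put("accountType", "user");
}

// 2. Query SailPoint through the context: is there an identity with this
//    employee number? Accounts with no owner are the ones that end up
//    uncorrelated (orphaned), so record the result for later reporting
//    instead of dropping the record.
boolean ownerExists = false;
if (employeeNumber != null && employeeNumber.length() > 0) {
    QueryOptions qo = new QueryOptions();
    qo.addFilter(Filter.eq("employeeNumber", employeeNumber));
    ownerExists = context.countObjects(Identity.class, qo) > 0;
}
object.put("ownerExists", ownerExists ? "true" : "false");

// Customization rules return the (modified) resource object
return object;
```

Because the rule runs once per resource object, the countObjects query executes once per account; for very large aggregations that cost is worth measuring, and an in-memory cache of already-checked employee numbers is the usual remedy.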

Friday, May 3, 2013

Identity Risk Model SailPoint IIQ

Risk score is an interesting feature in SailPoint, though I haven't seen many customers interested in using it.
The main reason behind this could be that they have to educate the certifiers (business users) on the risk scores and levels defined in SailPoint, though if planned well it can be very useful and expedite the certification process.
In this post I will describe how the identity risk score is configured/calculated in SailPoint.
  • Identity risk score can be configured for three types :-
             - Role Baseline Access Risk
             - Entitlement Baseline Access Risk
             - Policy Violation Access Risk

  • For each entitlement/role/policy you assign a specific risk score, as agreed in discussion with the business.
  • Risk scores are assigned on a scale of 1 to 1000. Green indicates low risk, yellow indicates medium risk and red indicates high risk.
  • The scale can be adjusted in System Setup -> IdentityIQ Configuration -> Risk
  • Based on the risk scores defined and on the composite scoring, the identity risk score is calculated.
  • Risk score calculation :- If an identity has an entitlement with risk score 200 and a role with a risk score of 100, and it is not certified (if not certified, the risk score is 1000), and the compensated weights are 25% for entitlements, 25% for roles and 50% for certification, then the total risk score for the identity is 25% of 200 + 25% of 100 + 50% of 1000 = 50 + 25 + 500 = 575.

Monday, April 29, 2013

Managed Entitlement Customization Rule SailPoint IIQ

The managed entitlement customization rule is quite useful in SailPoint when there is a huge number of entitlements; for example, the descriptions of some AD groups can be set based on the names of the groups.
However, there is a big disadvantage in using this rule: the description is only set the first time the entitlements are found and brought into managed entitlements.
Both the "Promote managed entitlements" task and the "Missing managed entitlement scan" task can be used to find the missing entitlements and execute the rule to update the descriptions of the entitlements.
But if the rule is not specified in the Rules tab of the application definition when either of these tasks ("Promote managed entitlements", "Missing managed entitlement scan") is executed, the entitlements are created without any descriptions, and running the rule the next time won't update the existing blank descriptions.

Also, if there is more than one entitlement attribute with the same entitlement value, by default the rule only updates the entitlement which is passed to it first; to avoid this, both the entitlement attribute and the entitlement value need to be checked before updating.

Sample rule

String filter = "Update";

// get the entitlement value
String ent = attribute.getValue();

// get the name of the attribute, needed when more than one attribute has the same entitlement values
String attr = attribute.getAttribute();

// check both the attribute name and the value before updating the description
if (ent != null && ent.contains(filter) && "groupA".equals(attr)) {
    attribute.setExplanation("default", "This is the description of groupA ..... ");
}

Friday, April 26, 2013

Multiplex application in SailPoint IIQ

Multiplex applications can be used when there are many applications whose data comes in the same format. Having all the application data in a single delimited file can really expedite the process of on-boarding the applications in SailPoint.

In this post I will describe the steps to create multiplex applications from a delimited file.

1. Prepare a delimited file with a column that contains the application name (appname).

For example, a file with the columns ID, appname, ent and account, where ID is the correlation key for the authoritative application, appname is the name of the application which will be created, ent is the user's entitlement on the application and account is the user's account name on that application.

2. Create a delimited file connector in SailPoint.

3. In the build map rule of the connector, define a rule that sets the new application name and unique account names:

import java.util.Map;
import sailpoint.connector.DelimitedFileConnector;

Map map = DelimitedFileConnector.defaultBuildMap(cols, record);
String appname = (String) map.get("appname");
String account = (String) map.get("account");

// This creates the new applications Multiplex1 and Multiplex2: the multiplex
// connector reads the name of the application each record belongs to from
// the IIQSourceApplication attribute
map.put("IIQSourceApplication", appname);

// This identifies the account names in the multiplex applications: prefixing
// the account with the application name keeps it unique across applications
// (one possible scheme; any value that is unique per application will do)
map.put("account", appname + "-" + account);
return map;

4. Create the aggregation task, and tick the check box "Automatically create applications".

Advanced Policy Violation in SailPoint IIQ

Advanced policy violations in SailPoint can be used to create any custom violation condition based on account or identity attributes.
They allow you to write custom Java code (a rule), so you can write any logic to find the violation.

In this post I will describe how you can write a rule for an advanced policy violation.

1. Go to Policies and create a new policy of the advanced type.

2. Create a new policy rule for this policy. A policy can have multiple policy rules, each defining one violation condition.
For example you can create one policy called Dormant accounts, and create separate rules for the dormant-account condition of each application.

3. In the new policy rule, select "rule" as the selection method and write the custom rule there.

Now the identity is one of the input parameters of the policy rule, so if we are writing a policy violation for a specific application, we need to filter the identity's links down to that single application.

Here is the code snippet to filter the links:

// create the policy violation object, which is the return value of this rule
PolicyViolation v = null;

// get the application object for the desired application
Application app = context.getObject(Application.class, "<Application-Name>");

// get the links for all of the identity's accounts on that application
List appAccounts = identity.getLinks(app);

// This check is very important, otherwise identities which don't have any account
// on the application cause a NullPointerException while the policy executes.
if (appAccounts == null || appAccounts.isEmpty()) {
    return null;
}

// iterate through the application accounts
Iterator itr = appAccounts.iterator();
while (itr.hasNext()) {
    Link link = (Link) itr.next();
    // here you write the logic that detects the violation condition on the link
    boolean violationFound = false;   // replace with the real condition
    if (violationFound) {
        // once the violation is found, populate the policy violation object
        v = new PolicyViolation();
        v.setIdentity(identity);
        v.setPolicy(policy);
        v.setConstraint(constraint);
        // this statement is very important, otherwise the violation wouldn't show up
        // in your certification: it attaches the applications to the violation
        List relevantApps = new ArrayList();   // all relevant apps as a java.util.List of names
        relevantApps.add(app.getName());
        v.setRelevantApps(relevantApps);
    }
}
return v;
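
As an added example that is not part of the original post, here is a complete rule for the "Dormant accounts" policy mentioned in step 2, in BeanShell (Java syntax). It uses the policy rule arguments identity, policy, constraint and context; the application name "Corporate AD", the link attribute lastLogon (taken to hold either a java.util.Date or epoch milliseconds as a string) and the 90-day threshold are assumptions.

```java
// Dormant-account policy rule (BeanShell, Java syntax). Added example; the
// application name, the lastLogon attribute format and the threshold are assumptions.
import java.util.ArrayList;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import sailpoint.object.Application;
import sailpoint.object.Link;
import sailpoint.object.PolicyViolation;

String appName        = "Corporate AD";
long   dormantAfterMs = 90L * 24 * 60 * 60 * 1000;   // 90 days
long   now            = System.currentTimeMillis();

Application app = context.getObjectByName(Application.class, appName);
if (app == null) {
    return null;   // application not found: nothing to evaluate
}

// Filter the identity's links down to this application (null when it has none)
List links = identity.getLinks(app);
if (links == null || links.isEmpty()) {
    return null;   // no account here, so no violation
}

List dormant = new ArrayList();
Iterator itr = links.iterator();
while (itr.hasNext()) {
    Link link = (Link) itr.next();
    Object raw = link.getAttribute("lastLogon");

    if (raw == null) {
        // Never logged on: an unused account is exactly what this policy
        // is looking for, so count it rather than silently skipping it.
        dormant.add(link.getNativeIdentity());
        continue;
    }

    long lastLogon;
    if (raw instanceof Date) {
        lastLogon = ((Date) raw).getTime();
    } else {
        try {
            lastLogon = Long.parseLong(raw.toString().trim());
        } catch (NumberFormatException e) {
            continue;   // unparseable value: leave it to a data-quality report
        }
    }
    if (now - lastLogon > dormantAfterMs) {
        dormant.add(link.getNativeIdentity());
    }
}

if (dormant.isEmpty()) {
    return null;   // every account was used recently
}

PolicyViolation v = new PolicyViolation();
v.setIdentity(identity);
v.setPolicy(policy);
v.setConstraint(constraint);
v.setDescription("Dormant account(s) on " + appName + ": " + dormant);

// Attach the application so the violation shows up in certifications
List relevantApps = new ArrayList();
relevantApps.add(appName);
v.setRelevantApps(relevantApps);
return v;
```

The rule returns a single violation listing all dormant accounts of the identity on the application, which is what the certifier sees; if each account should be remediated separately, split the policy into one rule per account naming convention instead.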

 P.S :- Feel free to post your comments.

Thursday, April 25, 2013

Custom task in SailPoint IIQ

Custom tasks are quite useful in SailPoint implementations. Customers bring up a lot of different requirements for reporting and certifications which cannot be achieved using the default tasks or OOTB configuration.

Custom tasks also speed up the process if the code is written accurately.

In this post I will explain how to build a custom task in SailPoint.

1. First you need to create a task definition with the required parameters (input and output), which are passed to the custom Java class that executes in the background.

Sample custom task.xml

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE TaskDefinition PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<TaskDefinition executor="sailpoint.custom.AbhiA" name="AbhiACustom" progressInterval="5000" progressMode="String" template="true" resultAction="Delete" type="Generic">
  <Description>Run Multiple aggregation</Description>
  <Signature>
    <Inputs>
      <Argument name="application" required="true" type="Application">
        <Prompt>Search Application</Prompt>
      </Argument>
    </Inputs>
    <Returns>
      <Argument name="output" type="String">
        <Prompt>Result</Prompt>
      </Argument>
    </Returns>
  </Signature>
</TaskDefinition>

  • <TaskDefinition executor="sailpoint.custom.AbhiA" ...> defines the name of the class which is executed when the task runs.
  • <Argument name="application" required="true" type="Application"> defines an input parameter of the task. The custom Java code AbhiA takes the input parameter as the "application" variable. type="Application" creates a drop-down of applications; similarly, a text type gives a simple text input.
  • <Prompt>Search Application</Prompt> defines the text which is displayed to the user in the UI.
  • <Returns><Argument name="output" type="String"> defines the output parameter; in the custom task Java code all output is written to this output string.

2. Now create your Java class to define the method for the custom task

package sailpoint.custom;

import sailpoint.api.SailPointContext;
import sailpoint.object.Attributes;
import sailpoint.object.TaskResult;
import sailpoint.object.TaskSchedule;
import sailpoint.task.AbstractTaskExecutor;

public class AbhiA extends AbstractTaskExecutor {

    public void execute(SailPointContext ctx, TaskSchedule tshd, TaskResult result, Attributes args)
            throws Exception {

        // name of the output argument declared in the task definition
        String output = "output";

        // read the input argument declared in the task definition
        String appname = (String) args.get("application");
        result.setAttribute(output, "Hi Custom task executed" + appname);
    }

    public boolean terminate() {
        return false;
    }
}

  • The custom class extends AbstractTaskExecutor and implements the execute method.
  • To get the input arguments of the task defined in SailPoint use args.get("application"), where "application" is the name defined in the customtask.xml file.
  • To send the result of your task to the output parameter defined in customtask.xml use the statement result.setAttribute(output, "Hi Custom task executed" + appname);

3. Execute the task and you are done!!

Using Web services in SailPoint IIQ

SailPoint has a lot of predefined REST web services which can be used to call specific functions from a web service client.
If you have a requirement to execute a task or report without using the SailPoint UI or console directly, then you can use the web services option; it can serve any general requirement as well.

Web services can be used in two different ways in SailPoint:

  • Using the IIQClient class
  • Creating a custom web service

Using the IIQClient class
  1. Import the identityiq.jar file in Eclipse. This jar contains the class sailpoint.integration.IIQClient, which contains the default functions provided by SailPoint for calling the web services.
  2. Create a sample class that creates an object of the IIQClient class and calls the publicly available functions.
  3. Download the REST API Integration PDF from Compass, which lists all the functions in detail.

Custom Web Service
  1. Creating a custom web service is the best option when the function has to be developed to your own requirements.
  2. Create a custom web service method class which extends the BaseResource class.
  3. BaseResource gives you the SailPoint context object, so you can create methods as required.
  4. Create a class which extends SailPointRestApplication and registers the class holding the methods created in step 3.
  5. Go to web.xml and change the REST servlet's application-class parameter to your custom class.
  6. Now you can call the custom web service from any client that can call REST web services.
  7. The return type of REST web services is JSON, which needs to be parsed to process it properly.



public class CustomWebServiceMethod extends BaseResource {
    public void getApplication() throws GeneralException {
    }
}

public class CustomWebService extends SailPointRestApplication {
    public Set<Class<?>> getClasses() {
        Set<Class<?>> classes = super.getClasses();
        classes.add(CustomWebServiceMethod.class);
        return classes;
    }
}
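As an added example (not the project's own code), here are the two classes from the steps above filled out as a working JAX-RS resource plus the application class that registers it. The package, the path segments, the response fields and the use of a Map as the JSON payload are assumptions; BaseResource and SailPointRestApplication live in sailpoint.rest, and getContext() is the BaseResource method that supplies the SailPoint context.

```java
// Added example: a custom REST resource for SailPoint IIQ and its registration.
// Package, paths and the JSON shape are assumptions, not IIQ conventions.
package sailpoint.custom;

import java.util.HashMap;
import java.util.Map;
import java.util.Set;

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;

import sailpoint.object.Application;
import sailpoint.rest.BaseResource;
import sailpoint.rest.SailPointRestApplication;
import sailpoint.tools.GeneralException;

// --- CustomWebServiceMethod.java ---
// Reachable at <iiq>/rest/custom/application/{name} once registered below.
@Path("custom")
public class CustomWebServiceMethod extends BaseResource {

    @GET
    @Path("application/{name}")
    @Produces(MediaType.APPLICATION_JSON)
    public Map getApplication(@PathParam("name") String name) throws GeneralException {
        // getContext() from BaseResource gives the SailPoint context
        Application app = getContext().getObjectByName(Application.class, name);

        // Only non-sensitive metadata goes into the response: never return the
        // application's connector attributes, they hold connection credentials.
        Map result = new HashMap();
        result.put("found", app != null);
        if (app != null) {
            result.put("name", app.getName());
            result.put("type", app.getType());
        }
        return result;   // serialised to JSON by the REST layer
    }
}

// --- CustomWebService.java (separate file, same package) ---
public class CustomWebService extends SailPointRestApplication {

    @Override
    public Set<Class<?>> getClasses() {
        Set<Class<?>> classes = super.getClasses();   // keep the default resources
        classes.add(CustomWebServiceMethod.class);     // add the custom one
        return classes;
    }
}
```

After pointing web.xml at sailpoint.custom.CustomWebService (step 5), a GET on /identityiq/rest/custom/application/Corporate%20AD with the same credentials the built-in services require returns the found/name/type JSON object.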

Saturday, June 23, 2012

Two instance of tomcat

Yes, you may need to run two separate instances of Tomcat on the same machine if you have limited memory in your system and have to work on big applications.
It is very simple :-
1. Download Tomcat 6.0.
2. Install the first instance with the default settings.
3. Start the instance and verify that it is installed and working.
4. Execute the installer again with custom settings.
5. On the configuration options page change the ports to:
   Server shutdown port 8006
   HTTP connector port 9090
   AJP connector port 8008
   and change the service name to :- tomcat62
6. In the installation path change the Tomcat directory name to tomcat62.
7. Install and verify.
Hopefully both instances should work.

Sunday, January 30, 2011

Extending/Creating CA e-trust directory schema

For CA Identity Manager, the CA eTrust Directory is a must when using LDAP. In this post I am writing a few basic things which you need to know about CA eTrust Directory.

1. Creating a new schema -

After you install eTrust Directory, open the command prompt and run the following command

dxnewdsa <dsa name> <port> "<root dn>"

for example

dxnewdsa corpstore 11389 "dc=com"

where "dc=com" is the root DN,
corpstore is the directory (DSA) name and 11389 is the port number.

2. Extending the eTrust schema

To extend the eTrust schema, create a new file with the extension .dxc. The contents of the file are in the following format:

# each schema element needs its own unique OID; the OIDs here are placeholders
schema set attribute (1.1) = {
    name = employeeID
    ldap-names = employeeID
    syntax = caseIgnoreString
};

schema set object-class (1.1) = {
    name = CAPerson
    ldap-names = CAPerson
    subclass-of inetOrgPerson
    must-contain objectclass
    may-contain employeeID
};

The syntax is very simple: in the first section you write all the attributes, each as a "schema set attribute" block with its OID in parentheses followed by the properties of the attribute, and in the second section you write the name of the new class with its attributes, comma separated, after "may-contain".
After the file is created, add the new schema file to the default.dxg file in the schema folder.

Wednesday, January 26, 2011

Uninstalling .net 1.1 framework

The .NET Framework 1.1 sometimes creates lots of problems and does not allow higher .NET versions to be installed. Uninstallation is also not possible from the Windows Add/Remove Programs option, so I found a very nice utility on the MSDN blogs to clean up .NET 1.1 and install the higher version of .NET as required.

The utility can be downloaded from