Integrating Tivoli Directory Integrator and Lotus Connections

Web 2.0 Techniques for reporting operational status

Reporting operational status of an IT system can be a difficult task. Collecting the required information is often time consuming, and finding a suitable delivery mechanism for multiple interested parties can be a challenge. This article discusses an effective mechanism for reporting operational status of an IT system using a Web 2.0 approach with IBM® Tivoli® Directory Integrator and Lotus® Connections.


Chris Choi, IT Specialist, IBM

Chris Choi is an IT specialist in the Tivoli Security Team based on the Gold Coast, Australia. Chris works in a customer related role, participating in both pre-sales and post-sales activities in Asia Pacific.



Neil Readshaw (readshaw@au1.ibm.com), Senior Security Architect, IBM

Neil Readshaw is a Senior Security Architect in the Tivoli Security Team based on the Gold Coast, Australia. In this role, Neil works with customers to define solutions using the Tivoli Security software suite, and works in an enablement role with IBM Business Partners and the IBM technical sales team in the Asia Pacific region.



28 January 2009

Introduction

A communication problem

IT systems have many stakeholders. The status of the IT system is of interest to a number of parties and each party has their own perspective on which facets of the project are relevant and valuable. For example, an executive stakeholder might find the status valuable if it has the following attributes:

  • Brief. Executives are busy people so the information must be concise and devoid of irrelevant details.
  • Accurate. The information provided must be up-to-date and correct.
  • Holistic. The information must provide a high-level view of the entire IT system and the resultant business value, as opposed to being an IT dashboard.
  • Accessible. The information must be accessible from anywhere, including Personal Digital Assistants (PDAs), mobile PCs and smart phones.

Examples of reports that satisfy the above requirements include:

  • High-level summaries, such as how many applications have been deployed, how many users are using the system, and how many transactions the system is serving on average.
  • A description of the current state of the IT system or recent changes in the IT system.
  • Measurement against the business goals. What cost savings are being realized? Is the security solution meeting the compliance requirements?
  • Service level agreement-related metrics, such as availability and response time.

See below for more concrete examples.

Identity Management Program: Quarterly report

  • 100 new users added
  • 500 new accounts provisioned
  • 200 password resets performed via self-service
  • 5 password resets performed by Help Desk

E-Business System Migration: Weekly Status

  • 5/10 E-Biz applications migrated
  • 600/3000 users migrated

Contract Tracking System Service Level: Monthly Status

  • Planned outage: 20 hours
  • Unplanned outage: 2 hours

Existing solutions

Operational status is often compiled manually by the project manager. This method is prone to errors and is tedious. These problems are accentuated by the fact that the reports are usually required to be generated on a periodic basis and delivered to diverse audiences with different requirements and expectations.

The delivery mechanisms for these reports can vary, but they suffer from similar problems:

  • Meeting. This is perhaps the most traditional way. Meetings often carry too much overhead in preparation, scheduling and execution. It is often hard to find a time that suits everyone, and the time of delivery is fixed.
  • E-mail. E-mail seems to be the default communication method. E-mail often gets lost in a busy inbox. E-mail-based reports are not delivered on demand. Instead, they are usually delivered at pre-arranged times.
  • System monitoring solutions. These have the benefit of providing information on demand. However, they can generate too much information and the information generated is often too low level for the intended audience.

Existing solutions have many problems. The following sections will discuss an alternative solution based on IBM Lotus Connections and IBM Tivoli Directory Integrator that addresses these problems.


A Web 2.0 solution

Requirements

Before discussing the alternate solution, it is useful to summarize the key requirements that need to be addressed. The solution must:

  • Automatically collect relevant information from various systems and applications. This is the most critical requirement because automation means cost savings.
  • Provide a holistic view of the IT system. In other words, the solution must be able to collect data from all parts of the IT system.
  • Be flexible so the process of how the data is collected, collated, transformed, and presented can be configured easily.
  • Provide the information on demand and allow the information to be accessible from any device.
  • Allow the users to subscribe to a specific set of information, and make the information available on demand.

The proposed solution satisfies all of the above requirements by utilizing the key features of IBM Lotus Connections and IBM Tivoli Directory Integrator. The following sections examine these two products in more detail.

Delivery using IBM Lotus Connections

IBM Lotus Connections is IBM's implementation of a number of Web 2.0 technologies. Figure 1 illustrates its architecture and key features.

Figure 1: IBM Lotus Connections architecture

Lotus Connections is collaboration software that makes sharing information easier, and hence is well-aligned with the requirements for this solution.

A weblog (or blog) is the ideal medium for communicating the project status for the following reasons:

  • Blog is a Web-based technology and anything on the Web can be accessed from a wide range of devices including PCs, mobile phones and PDAs.
  • Blog is dynamic. People think of it as something that gets updated frequently and the technologies around it support this usage. For example, most blog implementations allow the content to be updated easily via the Atom Publishing Protocol.
  • Blog is familiar. It is a widespread technology.
  • Blog supports Web feeds and this is perhaps its greatest strength. Web feeds are subscription-based, which means the users can subscribe to specific channels of interest and be notified of new content in real-time. In addition, many e-mail clients (such as Lotus Notes®) and browsers have a built-in feed reader, so no additional client software is needed to deploy a solution based on blog.
  • Blog allows multiple authors to update the content. This allows some information to be derived automatically while other information can be entered manually by project managers and system administrators.

In summary, the blog feature of Lotus Connections allows the project status to be accessible, easy to update, and customized for a wide range of audiences.

Collection using IBM Tivoli Directory Integrator

Lotus Connections provides a framework for delivering the project status, but in order to complete the solution, we need an effective mechanism for collecting the data.

IBM Tivoli Directory Integrator (TDI) is software that complements IBM software and solutions. TDI is often referred to as the "Blue Glue" because it helps to glue together different software components to create an entirely new software solution. TDI also complements our solution well because of the following properties:

  • It is an integration tool that can easily move, copy, and transform data between applications and systems.
  • It provides a rich set of connectors for connecting to many repositories and network protocols. One of the key requirements for the solution was to be able to connect to all parts of the IT system in order to provide a holistic view.
  • It has an integrated development environment, which is easy to learn and use.

In summary, it is easy to use, easy to deploy, and versatile. TDI helps to automate the process of collecting data from a wide range of sources and publishing the reports to Lotus Connections.

Solution overview

The proposed solution consists of three components:

  • Lotus Connections. The blog feature will be used to host the reports. The prototype discussed in this article will demonstrate the use of three blogs: IBM Tivoli Access Manager (TAM) Blog, IBM Tivoli Identity Manager (TIM) Blog, and Identity and Access Management (IAM) Blog.
  • TDI. TDI interacts with a number of applications and systems to collect the data required to produce status reports. TDI then publishes the reports to corresponding blogs on Lotus Connections.
  • Atom Feed Reader. A feed reader is configured to subscribe to a number of blogs on Lotus Connections. It receives regular updates from the subscribed blogs and notifies the users of new content.

Figure 2 illustrates the solution architecture and how different components interact with each other.

Figure 2: Solution architecture

This article discusses an implementation that produces reports for TIM and TAM as an example, but the solution can be used for producing reports for all types of applications and systems. The feed reader can be any application that supports Atom Web feeds. Some examples include Internet Explorer, Mozilla Firefox, IBM Lotus Notes, and Microsoft® Outlook.


Prototype implementation

Prerequisites

The following versions of software were used for this article. It is likely that the examples discussed in this article will also work for other versions but the authors' testing was limited to these versions.

  • Tivoli Identity Manager 5.0 FixPack 3
  • Tivoli Access Manager 6.1
  • Tivoli Directory Integrator 6.1.1 FixPack 4
  • Lotus Connections 1.0.2
  • Apache Abdera 0.4.0

It is assumed that the audience of this article is experienced in developing solutions using TDI. The article will not attempt to educate the audience in how to use TDI. If you are not familiar with TDI, please refer to TDI documentation on the IBM Web site; there's a link provided in the References section of the article.

Custom TDI connector for Atom Publishing Protocol

In order to simplify the interaction with Lotus Connections, a custom TDI connector called "Atom Connector" has been written. This connector allows blog entries to be posted and read via the Atom Publishing Protocol. It relies on an open source Atom implementation called Abdera to abstract some of the complexities in the protocol. The workings of the connector are not specific to Lotus Connections, so the connector can be used to connect to other applications that support the Atom Publishing Protocol.

The connector supports two modes. In "Add" mode, the connector will create a new blog entry based on the input provided. In "Iterator" mode, the connector essentially acts as a Feed Reader. It can iterate over existing blog entries and the entries can then be manipulated within TDI and written to another data store if required.

The following steps must be completed before Atom Connector can be used in a TDI assembly line.

  1. Download the Abdera software package version 0.4.0 from the following Web site.

    Apache Abdera project

  2. Extract the content of the software package to a temporary directory.
  3. Create a directory called abdera under the TDI's solutions directory. For example, <itdi_solutions_dir>\abdera.
  4. Copy the content of the dist directory in the Abdera software package to <itdi_solutions_dir>\abdera.
  5. Copy the AtomConnector.jar file included in this article to <itdi_install_dir>\jars\connectors.
  6. Edit solutions.properties in the TDI solutions directory and add the line com.ibm.di.loader.userjars=<itdi_solutions_dir>\abdera.
  7. Using a browser, browse to https://<lotus_connections_host:port>/blogs/ and export the server certificate to a file. In Internet Explorer, double-clicking the padlock icon in the status bar will start a dialog for exporting the certificate.
  8. Import the certificate into the TDI trust store. Please refer to TDI documentation (Chapter 5: Security and TDI) for detailed instructions.

To verify that the connector is correctly installed (it is assumed that Lotus Connections is already installed and configured with at least one blog created):

  1. Start the TDI configuration editor.
  2. Create an assembly line.
  3. Add Atom Connector to the assembly line in Iterator mode.
  4. Configure the connector as shown below.
    Figure 3: Connector configuration

    The parameters "User Name", "Password" and "Workspace Name" are equivalent to the parameters that were used to create the blog. Please refer to Lotus Connections documentation for instructions on creating a new blog. Base URL for Lotus Connections is <lotus_connections_server_host:port>/blogs. Collection Name is Weblogs Entries and Service URL Suffix is /services/atom for Lotus Connections but might differ for other blog implementations.

  5. Under Input Map, select Connect to connect to Lotus Connections. The status bar at the bottom of the configuration editor should indicate that the connection was established successfully.
  6. Select Get next entry. The configuration editor should display the details of the last entry in the blog as shown below.
    Figure 4: Successful connector operation

TDI assembly line for producing a TIM status report

In this example, we will create a TDI assembly line for producing a status report for an Identity Management (IdM) project that uses TIM. In such a project, stakeholders might be interested in reports covering what target systems are managed by TIM and how many new accounts are being provisioned by the IdM system. In TIM, the information related to these types of reports is stored in two places: the relational database and the LDAP directory. TDI conveniently provides ready-to-use connectors for both of these targets.

Let's configure a TDI assembly line that collects the required data from the TIM LDAP directory by completing the following steps.

  1. Start the TDI configuration editor.
  2. Create an assembly line.
  3. Add a Loop component that inherits from LDAP Connector.
  4. Configure the Loop component to connect to the TIM LDAP directory and retrieve the list of services. The list of services corresponds to the list of target systems managed by TIM. The figures below show the Loop component's configuration.
    Figure 5: Loop component configuration
    Figure 6: Loop component input map
  5. Add a Script component for constructing the list of services as shown below.
    Figure 7: Script for constructing the list of services

Next we will need to produce a report and post it on Lotus Connections as a blog entry.

  1. Add an Atom Connector in Add mode to the assembly line created in the previous exercise.
  2. Configure the Atom Connector as shown below.
    Figure 8: Atom Connector configuration
  3. In the Output Map, map the title and content attributes to the desired blog title and content respectively. The content can be plain text or HTML. Examples of these mappings are shown below.
    Figure 9: Atom Connector Output Map (content)
    Figure 10: Atom Connector Output Map (title)

Now that the assembly line is complete, click Run Assembly Line to run the assembly line. Ideally, the assembly line will be configured to run as a scheduled task, so that the reports can be published on a regular basis.
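The report-building and posting steps above, as an added example in plain JavaScript (it is not the article's scripts from Figures 7, 9 and 10, nor the Atom Connector's code): it turns a list of service names into HTML report content and wraps it in an Atom entry of the kind posted over the Atom Publishing Protocol. The function names, the sample service names, the id, the author and the timestamp are constructed for illustration.

```javascript
// Added example; names and sample data are assumptions, not taken from the article.

// Escape the five XML-significant characters.
function escapeXml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&apos;");
}

// Build the HTML report body from service names read from the TIM LDAP directory.
// Each name is escaped so directory data is displayed as text, never as markup.
function buildServiceListHtml(serviceNames) {
  var html = "<p>Target systems managed by TIM: " + serviceNames.length + "</p><ul>";
  for (var i = 0; i < serviceNames.length; i++) {
    html += "<li>" + escapeXml(serviceNames[i]) + "</li>";
  }
  return html + "</ul>";
}

// Wrap the report in an Atom entry document.
// content type="html" carries escaped markup, so the HTML is escaped once more here.
function buildAtomEntry(entry) {
  return '<?xml version="1.0" encoding="UTF-8"?>\n' +
    '<entry xmlns="http://www.w3.org/2005/Atom">\n' +
    "  <id>" + escapeXml(entry.id) + "</id>\n" +
    '  <title type="text">' + escapeXml(entry.title) + "</title>\n" +
    "  <updated>" + entry.updated.toISOString() + "</updated>\n" +
    "  <author><name>" + escapeXml(entry.author) + "</name></author>\n" +
    '  <content type="html">' + escapeXml(entry.html) + "</content>\n" +
    "</entry>\n";
}

// Constructed sample input: the second name contains characters that need escaping.
var sampleServices = ["AD Service", "R&D <LDAP>"];
var sampleEntry = buildAtomEntry({
  id: "urn:example:tim-status:2009-01-28",          // placeholder id
  title: "TIM status: managed target systems",
  updated: new Date(Date.UTC(2009, 0, 28, 0, 0, 0)),
  author: "tdi-reporter",                            // placeholder account name
  html: buildServiceListHtml(sampleServices)
});
console.log(sampleEntry);
```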

Regardless of the method of execution, when the assembly line is executed successfully the end result should be that a blog entry is created on Lotus Connections. The figure below shows an example blog entry.

Figure 11: Blog entry for TIM status report

Similarly, an assembly line can be created to collect the information on the accounts provisioned from the TIM audit database.

  1. Create an assembly line.
  2. In the Prolog - Before Initialization hook, add the following script.
    gCount = 0;
  3. Add a Loop component that inherits from JDBC Connector.
  4. Configure the Loop component to connect to the TIM audit database and determine the number of accounts that were provisioned. The figure below shows the Loop component's configuration.
    Figure 12: Loop component configuration
  5. Add a Script Component for counting the number of accounts provisioned as shown below.
    Figure 13: Script for counting the number of accounts provisioned

The steps for configuring the assembly line to post the blog entry are identical to the previous example, so they will not be reiterated here. The resulting blog entry for the required report is shown below.

Figure 14: Blog entry for TIM status report

TDI assembly line for producing TAM status report

TDI provides a ready-to-use connector for TAM. If required, the TAM Connector can be used to collect information about TAM users. However, for the sake of diversity, in this exercise we use the Command Line Connector, which lets you execute an arbitrary shell command. This connector is handy when a CLI application needs to be used for collecting the required data for the report.

Complete the following steps to create an assembly line that produces a report on the number of TAM servers installed and configured in a TAM environment. It is assumed that the TAM runtime component is installed and configured in the system hosting TDI.

  1. Start the TDI configuration editor.
  2. Create an assembly line.
  3. In the Prolog - Before Initialization hook, add the following script.
    gAcldCount = 0;
    gWebSEALCount = 0;
    gOtherCount = 0;
  4. Add a Command Line Connector.
  5. Configure the Command Line Connector to invoke the pdadmin utility, which is a CLI management tool for TAM. The "server list" command, in particular, lists all the configured TAM servers in the environment. The figure below shows the connector's configuration.
    Figure 15: Command Line Connector configuration
  6. Add a Script Component for counting the number of servers as shown below.
    Figure 16: Script for counting the TAM servers

Again, the steps for configuring an Atom Connector to post a blog entry for this report are identical to the ones used in previous examples.
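The counting step above, as an added example in plain JavaScript (it is not the article's Figure 16 script): it sorts lines of pdadmin "server list" output into the three counters initialised in the Prolog hook. The name patterns (ivacld- for authorization servers, -webseald- for WebSEAL instances), the rule that a line containing whitespace is not a server name, the function names and the sample output are assumptions constructed for illustration.

```javascript
// Added example; patterns and sample output are assumptions, not from the article.

// Classify one line of command output.
// Returns "acld", "webseal", "other", "skipped" (not a server name) or null (blank).
function classifyServer(line) {
  var name = String(line).trim();
  if (name === "") return null;
  // Assumption: a server name is a single token; anything with inner
  // whitespace is an error or banner line and must not be counted.
  if (/\s/.test(name)) return "skipped";
  if (/^ivacld-/.test(name)) return "acld";
  if (/-webseald-/.test(name)) return "webseal";
  return "other";
}

// Accumulate the counters, mirroring the Prolog variables of the assembly line.
function countServers(lines) {
  var counts = { gAcldCount: 0, gWebSEALCount: 0, gOtherCount: 0, skipped: [] };
  for (var i = 0; i < lines.length; i++) {
    var kind = classifyServer(lines[i]);
    if (kind === "acld") counts.gAcldCount++;
    else if (kind === "webseal") counts.gWebSEALCount++;
    else if (kind === "other") counts.gOtherCount++;
    else if (kind === "skipped") counts.skipped.push(lines[i].trim());
  }
  return counts;
}

// Plain-text report body for the blog entry.
function buildTamReport(counts) {
  return "Authorization servers: " + counts.gAcldCount + "\n" +
    "WebSEAL servers: " + counts.gWebSEALCount + "\n" +
    "Other servers: " + counts.gOtherCount;
}

// Constructed sample of command output, one array element per line.
var sampleOutput = [
  "    ivacld-tam01.example.com",
  "    default-webseald-web01.example.com",
  "    intranet-webseald-web02.example.com",
  "    ivmgrd-master",
  "",
  "Error: constructed non-name line"
];
var sampleCounts = countServers(sampleOutput);
console.log(buildTamReport(sampleCounts));
```

Lines that land in skipped are worth logging rather than dropping silently, since a failed command would otherwise publish a report of zero servers.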

The figure below shows the resulting blog entry when the assembly line executes successfully.

Figure 17: Blog entry for TAM Status Report

TDI Assembly Line for producing IAM status report

In the previous examples, we demonstrated that it is trivial to configure TDI to collect the report data from a single source. Consequently, it is equally trivial to configure TDI to collect the report data from multiple sources and collate them into a single report.

Our next example produces a report for an IT project with much broader scope. Identity Management and Access Management projects are often executed jointly. Many organizations prefer to group them together under the name of Identity and Access Management (IAM). This type of project requires the report data be collected from two distinct software systems: an Identity Management system such as TIM and an Access Management system such as TAM. The following steps will demonstrate how a TDI assembly line can be configured to collect data from both systems and produce a report covering all aspects of the IAM project.

  1. Start the TDI configuration editor.
  2. Create an assembly line.
  3. In the Prolog - Before Initialization hook, add the following script.
    gServiceNames = null;
    gAcldCount = 0;
    gWebSEALCount = 0;
    gOtherCount = 0;
  4. Add a Loop component that inherits from LDAP Connector.
  5. Configure the Loop component to retrieve the list of services from the TIM LDAP. The configuration is identical to the one used in the previous example.
  6. Add a Script component to construct the list of service names. The configuration is identical to the one used in the previous example.
  7. Add a Command Line Connector.
  8. Configure the Command Line Connector to retrieve the list of configured TAM servers. The configuration is identical to the one used in the previous example.
  9. Add a Script component to count the number of configured TAM servers. The configuration is identical to the one used in the previous example.
  10. Add an Atom Connector and configure it to post a blog entry. The connector's configuration is shown below.
    Figure 18: Atom Connector configuration
    Figure 19: Atom Connector output map (content)
    Figure 20: Atom Connector output map (title)

Running this assembly line produces a blog entry similar to the one below.

Figure 21: Blog entry for IAM status report

This is obviously a simplified example, but it demonstrates how easy it is to produce a comprehensive report using TDI. Ultimately, you want to configure more connectors to produce a report similar to the one below.

Figure 22: Blog entry for IAM status report

All the assembly lines that were used as examples are available as attachments to this article.

Setting up Web feeds

Subscribing to Web feeds is a simple process. When you are viewing a blog via a browser such as Firefox, clicking on the RSS feed icon (shown in the figure below) will trigger the subscription process.

Figure 23: Subscribing to Web feed

The Web feeds can then be viewed by selecting the Web feed folder as shown below.

Figure 24: Feeds folder in Firefox

Some feed readers, for example IBM Lotus Notes and Microsoft Outlook, can be configured to retrieve just the title or the entire content of the blog entry. The figure below shows the built-in feed reader for IBM Lotus Notes.

Figure 25: Feed reader in IBM Lotus Notes

As can be seen from these examples, the advantage of using this subscription-based model is that users can browse the blogs and subscribe only to those blogs that they are interested in. This process is entirely driven by the consumers of the reports and requires no additional work on the part of the authors of the reports.


Conclusion

This article demonstrated that Web 2.0 and IBM software can help to implement a more effective means of reporting operational status of IT systems. TDI automates the collection, authoring and publication of the information. The Lotus Connections Blog feature and Web feeds allow the status information to be more accessible and consumable in the enterprise.


References


Download

Description | Name | Size
TDI configuration and Atom Connector | tdi_cfg_and_connector.zip | 11KB

Resources

  • Share your questions and views on this article with the author and other readers in the Tivoli Security Discussion Forum.
  • To learn more about Tivoli Security, visit the developerWorks Tivoli zone. You'll find technical documentation, how-to articles, education, downloads, product information, and more.
  • Get involved in the developerWorks community by participating in developerWorks blogs.
