Bulk attestation within Tivoli Identity Manager

Simplifying the setup of attestation for multiple target systems

As part of compliance requirements, organizations are required to perform attestation of a user's entitlements for access to systems. This process usually requires a responsible party (for example, the user's manager) to assert that the user continues to require access to a particular system. IBM® Tivoli® Identity Manager (ITIM) provides account attestation as part of its core functionality, and hence can implement complex attestation requirements. However, setting the attestation for a large number of target systems can be a chore. In addition, when a responsible party is asked to perform attestation for many users of a system as part of a continuous attestation cycle, the task becomes laborious. This tutorial gives the reader some methods for scaling attestation from a manageability perspective, using features available within ITIM 5.0.


Chris Choi, IT Specialist, IBM

Chris Choi is an IT specialist in the Tivoli Security Team based on the Gold Coast, Australia. Chris works in a customer-related role, participating in both pre-sales and post-sales activities in Asia Pacific.



Christopher Hockings, IT Specialist, IBM

Chris works as a Senior IT Specialist and Team Leader in the Tivoli Security Australian Development Lab located on the Gold Coast, Australia. He leads a team of Software Engineers and IT Specialists working with Tivoli Security products.



04 March 2008

Before you start

About this tutorial

This tutorial provides techniques that simplify the steps required to create many like services and to configure the attestation processes for the accounts on those systems. We begin with an overview of the ITIM features used in the tutorial, and then follow this with a real implementation of managing attestation of accounts on a large number of like systems.

Objectives

This tutorial gives you the knowledge to implement a bulk load and reconciliation of accounts on many like services, and to follow this up with a bulk attestation scenario for these accounts.

Prerequisites

This tutorial is written for ITIM specialists, whose skills and experience should be at the intermediate level. You should have general experience with deployment of ITIM within a customer environment. You should have some experience with writing Java™ applications. It's highly recommended that you study the ITIM application API documentation at <itim_install_dir>/extensions/doc/applications/applications.html and the example applications at <itim_install_dir>/extensions/examples/apps. This documentation provides valuable insight into the operation of the ITIM APIs used in this tutorial.

System requirements

ITIM 5.0 (with no fix packs) was used for the development of this article. Hence a system capable of running ITIM on Microsoft® Windows® should be used to implement the code within this tutorial. You will need a Java compiler for the source code compilation.


Terminology and environment

What is a like system?

Within this article, a like system is any system that resembles another, in that the primary usage characteristics of the two systems are the same. For example, a cluster of UNIX® machines used for development purposes might be characterised as a set of like systems. Within ITIM, the service definition for each like system is the same, but the characteristics of each (that is, their IP address, and so on) are different. Like systems typically have the same on-going compliance management requirements.

Environment setup

The environment used in this example includes two systems whose accounts are to be managed by ITIM, as represented in the figure below. Customers would typically establish the provisioning of each of the ITIM service definitions manually. This article shows how to automate the set up of many like systems.

Figure: Example environment used

ITIM accounts have been created for Chris Hockings and Chris Choi. These users are created on the Linux® machines, with the login user name as per the preferred user ID of the ITIM account as shown in the figure below.

Figure: ITIM account definition

Recertification processes within ITIM

What is recertification?

One of the most critical components of compliance reporting (for example, Sarbanes-Oxley) in an organization is the ability to report on the users that have permission to access a particular system. This applies not only at the time of account creation but also on a periodic basis, when a responsible party asserts that access is still required for a particular person. Recertification is the term that ITIM uses for the attestation process. ITIM attestation is the process of validating a user's permission to an account on a managed system. The validation request is routed (for example, by e-mail) to a responsible party (for example, a manager or system owner), who asserts that the user still needs access or no longer needs access. This operation creates an audit record that can later be used for compliance reporting.

What are the prerequisites?

Within ITIM, in order to deploy a recertification policy, a number of prerequisites need to be satisfied:

  1. A service must exist for a particular managed system.
  2. A provisioning policy must exist for assigning a system's accounts to an ITIM person.
  3. A reconciliation process must be completed that ensures those accounts are assigned to the ITIM persons.

When these prerequisites are in place, the attestation process can be established.

Implementation lifecycle

At a high level, the implementation requires the following configuration tasks:

  1. Using the ITIM API to bulk load a set of like services
  2. Manually setting up a provisioning policy for those services
  3. Using the ITIM API to perform the reconciliation process for each of the services
  4. Manually configuring a bulk recertification policy for the services; and
  5. Using the grouping capability of ITIM 5.0 for approving the attestation requests

The following sections walk you through these configuration stages before exercising a bulk attestation process.


Automating bulk load of like services

When a new system is to be provisioned within an IBM Tivoli Identity Manager (ITIM) environment, there are some manual configuration tasks that need to be performed. However, when a customer has many UNIX® systems that need to be defined, the manual process becomes burdensome for the administrator. In order to reduce this manual effort, a simpler way of establishing the service definitions is to use a Java™ application that leverages the ITIM API. This section shows how to do this.

First, the administrator should load the service profile to be used for each service definition. In this example, we will use the Posix Linux® profile, which is installed by default in ITIM 5.0.

In order to represent the list of services to be configured, we have created a CSV file containing the attributes of the like services to be created. The first row must contain the LDAP attribute names for the service object that will be created in the ITIM LDAP server. The attribute names for various service types can be determined by looking in the form designer, which maps the user-friendly service form name to the actual LDAP attribute name of the service object. Each subsequent line in the CSV file represents one of the bulk load services.

Below is a sample CSV file with the systems defined within the test environment. Note the LDAP attribute names for the service definitions.

Figure: Services csv file

The following section shows code snippets from CreateServices.java, included in the additional resources of this tutorial. This Java class reads the CSV file format above in order to create the services.

package examples.api;

import java.io.BufferedReader;
import java.io.FileReader;
import java.util.Hashtable;

import javax.security.auth.Subject;

// ITIM API packages as listed in <itim_install_dir>/extensions/doc; check them
// against the API documentation of your installation.
import com.ibm.itim.apps.PlatformContext;
import com.ibm.itim.apps.identity.OrganizationalContainerMO;
import com.ibm.itim.apps.provisioning.ServiceManager;
import com.ibm.itim.apps.provisioning.ServiceMO;
import com.ibm.itim.dataservices.model.AttributeValue;
import com.ibm.itim.dataservices.model.AttributeValues;
import com.ibm.itim.dataservices.model.DistinguishedName;
import com.ibm.itim.dataservices.model.domain.Service;

public class CreateServices
{

  private static final String DEFAULT_ORG_ID = "erglobalid=00000000000000000000";

  /**
   * Command line argument names (prefixed by "-")
   */
  private static final String PROFILE_NAME = "profile";

  private static final String SERVICES_FILE = "servicesFile";

  private static final String SERVICE_PREFIX = "servicePrefix";

  public static boolean run(String[] args, boolean verbose)
  {
      // Utils (and the utilParams argument table it expects) come from the
      // example applications shipped in <itim_install_dir>/extensions/examples/apps.
      Utils utils = null;
      Hashtable<String, Object> arguments = null;

      try
      {
          utils = new Utils(utilParams, verbose);
          arguments = utils.parseArgs(args);
      }
      catch(IllegalArgumentException ex)
      {
          .
          .
      }
      try
      {
          String tenantId = utils.getProperty(Utils.TENANT_ID);
          String ldapServerRoot = utils.getProperty(Utils.LDAP_SERVER_ROOT);

          PlatformContext platform = utils.getPlatformContext();
          Subject subject = utils.getSubject(platform);

          String profileName = (String) arguments.get(PROFILE_NAME);
          String servicesFile = (String) arguments.get(SERVICES_FILE);
          String servicePrefix = (String) arguments.get(SERVICE_PREFIX);

          //Read the CSV file containing the service information.
          //The first row holds the LDAP attribute names of the service
          //object; each following row describes one service to create.
          BufferedReader br = new BufferedReader(new FileReader(servicesFile));
          String line = br.readLine();
          String[] names = line.split(",");

          while((line = br.readLine()) != null)
          {
              utils.print("\nline: " + line);
              AttributeValues avs = new AttributeValues();
              String[] values = line.split(",");
              for(int i = 0; i < names.length; i++)
              {
                  //Prepend the specific prefix for the service
                  //name so the services created for the purpose
                  // of bulk recert can be identified easily.
                  if(names[i].equalsIgnoreCase("erservicename"))
                  {
                      values[i] = servicePrefix + values[i];
                  }
                  utils.print("name: " + names[i] + ", value: " + values[i]);
                  AttributeValue av = new AttributeValue(names[i], values[i]);
                  avs.put(av);
              }

              Service service = new Service(profileName, avs);
              String defaultOrg = DEFAULT_ORG_ID + ",ou=" + tenantId + ","
                                  + ldapServerRoot;

              OrganizationalContainerMO containerMO = new OrganizationalContainerMO(
                  platform, subject, new DistinguishedName(defaultOrg));

              //Create the service in the default organization.
              ServiceManager manager = new ServiceManager(platform, subject);
              ServiceMO serviceMO = manager.createService(containerMO, service);
          }
          br.close();

      }
            .
            .
      }

      return true;
  }

}

The best way to build this application is to copy the CreateServices.java file to the <itim_install_dir>/extensions/examples/apps/src/examples/api directory, then run the build script (build.bat) in <itim_install_dir>/extensions/examples. Upon completion of the build, the examples.jar file containing CreateServices.class is created in <itim_install_dir>/extensions/lib.
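CreateServices.java above splits each line on "," and trusts whatever the header row contains. The following reader, an added example and not part of the tutorial's code (the class name ServicesCsvReader is hypothetical), parses the same CSV layout but refuses rows with the wrong field count, a header without erservicename, or a duplicate service name after the prefix is applied, so a malformed file fails before any half-defined service is created in ITIM:

```java
package examples.api;

import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Hypothetical helper, not part of the tutorial's CreateServices.java: parses
// the services CSV into one attribute map per service and rejects rows that
// would otherwise produce a half-defined or duplicate service.
public class ServicesCsvReader {
  public static List<Map<String, String>> read(String servicesFile, String servicePrefix)
      throws IOException {
    List<Map<String, String>> rows = new ArrayList<Map<String, String>>();
    Set<String> seenNames = new HashSet<String>();
    BufferedReader br = new BufferedReader(new FileReader(servicesFile));
    try {
      // Row 1 carries the LDAP attribute names of the service object.
      String header = br.readLine();
      if (header == null) throw new IOException("services file is empty: " + servicesFile);
      String[] names = header.split(",", -1);
      boolean hasName = false;
      for (int i = 0; i < names.length; i++) {
        names[i] = names[i].trim().toLowerCase();
        if (names[i].length() == 0) throw new IOException("empty attribute name in header: " + header);
        hasName |= names[i].equals("erservicename");
      }
      if (!hasName) throw new IOException("header does not contain erservicename");
      String line;
      for (int lineNo = 2; (line = br.readLine()) != null; lineNo++) {
        if (line.trim().length() == 0) continue;          // tolerate blank lines
        String[] values = line.split(",", -1);            // -1 keeps trailing empty fields
        if (values.length != names.length) {
          throw new IOException("line " + lineNo + ": expected " + names.length
                                + " fields, found " + values.length);
        }
        Map<String, String> avs = new LinkedHashMap<String, String>();
        for (int i = 0; i < names.length; i++) {
          String value = values[i].trim();
          if (names[i].equals("erservicename")) {
            // Same prefixing rule as CreateServices, plus a duplicate check.
            value = servicePrefix + value;
            if (!seenNames.add(value)) {
              throw new IOException("line " + lineNo + ": duplicate service name " + value);
            }
          }
          avs.put(names[i], value);
        }
        rows.add(avs);
      }
    } finally {
      br.close();
    }
    return rows;
  }
}
```

Each returned map can be turned into an AttributeValues object with the same loop that CreateServices uses, so the validation runs once, before the first call to createService.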


Running the bulk load example

To run the CreateServices application, a number of environment variables need to be set up. This includes the Java™ class path. To simplify the running of the application, a script should be written. Again, the best place to start is to copy the existing shell script or batch file for one of the example applications. For this example, the batch file is as follows:

@echo off

@rem ********************************************************************
@rem *
@rem * Licensed Materials - Property of IBM
@rem *
@rem * Source File Name = createServices.bat
@rem *
@rem * (C) COPYRIGHT IBM Corp. 2003, 2007 All Rights Reserved
@rem *
@rem * US Government Users Restricted Rights - Use, duplication or
@rem * disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
@rem *
@rem ********************************************************************

call setEnv.bat

set OPTS=-ms256m -mx512m

@rem ITIM_USER and ITIM_PSWD are expected to be set by setEnv.bat. Because they
@rem are passed as -D properties, they are visible to other local users in the
@rem process list while the application runs.
"%JAVA_HOME%/bin/java" %OPTS% %SYSTEM_PROPERTIES% -cp "%CP%" ^
        -Djava.security.auth.login.config=%LOGIN_CONFIG% ^
        -Dapps.context.factory=%PLATFORM_CONTEXT_FACTORY% ^
        -Ditim.user=%ITIM_USER% ^
        -Ditim.pswd=%ITIM_PSWD% ^
        examples.api.CreateServices %*
@endlocal

The use of this batch file is as shown below.

usage: createServices -[argument] "[value]"

-profile        Profile name of the new Service to create
-servicesFile   CSV file containing the service information
-servicePrefix  Prefix to prepend to the service name

Example: createServices -profile "PosixLinuxProfile"
                        -servicesFile "services.csv"
                        -servicePrefix "bulk_"

When the bulk load of services has been performed using the script (and the csv file above), you should see the following services within the ITIM console.

Figure: Services created

Setting up the provisioning policy

When the desired services have been created in ITIM, create a manual provisioning policy that authorizes all users to be granted an account on these systems. Using the target type of "Service Type" will allow multiple services of the same type to be included in this policy. For example:

Figure: Provisioning policies

Figure: Entitlements

Having done this, the system is now in a state where:

  • All users have an ITIM account
  • Accounts on the end systems have been created
  • The bulk services have been set up
  • An associated provisioning policy has been applied.

The final step is to link the ITIM users with those accounts on the managed systems, that is, the systems need to be reconciled. Note: In this example the default adoption policy is enforced since the preferred user ID of the TIM account matches those account login names on the Linux machines.


Running a reconciliation

When there are a large number of services, running reconciliations for those services manually is time consuming and error prone (since human interaction is required). A Java application can be written to simplify this step: it reconciles the account data from all the services that were created. The source code below shows how this has been achieved in this example:

package examples.api;

import java.util.Collection;
import java.util.Hashtable;
import java.util.Iterator;

import javax.security.auth.Subject;

// ITIM API packages as listed in <itim_install_dir>/extensions/doc; check them
// against the API documentation of your installation.
import com.ibm.itim.apps.PlatformContext;
import com.ibm.itim.apps.identity.OrganizationalContainerMO;
import com.ibm.itim.apps.provisioning.ServiceManager;
import com.ibm.itim.apps.provisioning.ServiceMO;
import com.ibm.itim.apps.recon.ReconManager;
import com.ibm.itim.apps.recon.ReconUnitData;
import com.ibm.itim.apps.search.SearchResultsMO;
import com.ibm.itim.dataservices.model.DistinguishedName;
import com.ibm.itim.dataservices.model.domain.Service;

public class ReconServices
{

  private static final String DEFAULT_ORG_ID = "erglobalid=00000000000000000000";

  /**
   * Command line argument names (prefixed by "-")
   */
  private static final String PROFILE_NAME = "profile";

  private static final String SERVICE_FILTER = "serviceFilter";

  public static boolean run(String[] args, boolean verbose)
  {
      // Utils (and the utilParams argument table it expects) come from the
      // example applications shipped in <itim_install_dir>/extensions/examples/apps.
      Utils utils = null;
      Hashtable<String, Object> arguments = null;

      try
      {
          utils = new Utils(utilParams, verbose);
          arguments = utils.parseArgs(args);
      }
      catch(IllegalArgumentException ex)
      {
          .
          .
      }

      try
      {
          String tenantId = utils.getProperty(Utils.TENANT_ID);
          String ldapServerRoot = utils.getProperty(Utils.LDAP_SERVER_ROOT);

          PlatformContext platform = utils.getPlatformContext();
          Subject subject = utils.getSubject(platform);

          String profileName = (String) arguments.get(PROFILE_NAME);
          String serviceFilter = (String) arguments.get(SERVICE_FILTER);

          //The filter has the form attribute=value, for example
          //erservicename=bulk_*; reject anything else up front.
          String arr[] = serviceFilter.split("=");
          if(arr.length != 2)
          {
              throw new IllegalArgumentException(
                  "serviceFilter must be of the form attribute=value: " + serviceFilter);
          }

          String defaultOrg = DEFAULT_ORG_ID + ",ou=" + tenantId + ","
                              + ldapServerRoot;

          OrganizationalContainerMO containerMO = new OrganizationalContainerMO(
                                       platform,
                                       subject,
                                       new DistinguishedName(defaultOrg));

          //Search for the services. Could've used the getServices method on
          //ServiceManager that returns the results directly, but at the time
          //of writing there seems to be a bug in that method.
          SearchResultsMO srMO = new SearchResultsMO(platform, subject);
          ServiceManager manager = new ServiceManager(platform, subject);
          manager.getServices(containerMO, arr[0], arr[1], srMO);

          Collection services = srMO.getResults();
          .
          .

          //Iterate over the services and run a recon.
          ReconManager reconManager = new ReconManager(platform, subject);
          Iterator iter = services.iterator();
          while(iter.hasNext())
          {
              ServiceMO serviceMO = new ServiceMO(platform, subject,
                                    ((Service)iter.next()).getDistinguishedName());
              reconManager.runRecon(serviceMO, new ReconUnitData());
          }
      }
      catch(Exception e)
      {
      .
      .
      }
      return true;
  }
}

The usage of this application is shown below.

usage: reconServices -[argument] "[value]"

-profile        Profile name of the Service to recon
-serviceFilter  A filter used for searching services

Example: reconServices -profile "PosixLinuxProfile" -serviceFilter "erservicename=bulk_*"

We advise that you use this application with care as starting reconciliations for multiple services all at one time might overload the system. The reconciliations can also be scheduled via the ITIM API. Please refer to the API documentation for more details.
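One way to act on that advice without moving to scheduled reconciliations is to start the reconciliations in bounded batches with a pause between them. The helper below is an added example, not part of the tutorial's ReconServices.java; the class name ThrottledRecon is hypothetical, the ITIM package names are assumed from the API documentation, and the services argument is the raw Collection that SearchResultsMO.getResults() returns in the code above:

```java
package examples.api;

import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import javax.security.auth.Subject;
import com.ibm.itim.apps.PlatformContext;
import com.ibm.itim.apps.provisioning.ServiceMO;
import com.ibm.itim.apps.recon.ReconManager;
import com.ibm.itim.apps.recon.ReconUnitData;
import com.ibm.itim.dataservices.model.domain.Service;

// Hypothetical helper, not part of the tutorial's ReconServices.java: starts the
// reconciliations in bounded batches with a pause between batches, so that a
// wide service filter cannot launch hundreds of reconciliations at once.
public class ThrottledRecon {

  // Returns the number of reconciliations started. 'services' is the raw
  // Collection of Service objects returned by SearchResultsMO.getResults().
  public static int reconInBatches(PlatformContext platform, Subject subject,
                                   Collection services, int batchSize,
                                   long pauseMillis) throws Exception {
    if (batchSize < 1) throw new IllegalArgumentException("batchSize must be >= 1");
    if (pauseMillis < 0) throw new IllegalArgumentException("pauseMillis must be >= 0");
    ReconManager reconManager = new ReconManager(platform, subject);
    List<Service> batch = new ArrayList<Service>(batchSize);
    int started = 0;
    for (Iterator iter = services.iterator(); iter.hasNext();) {
      batch.add((Service) iter.next());
      if (batch.size() == batchSize) {
        started += startBatch(reconManager, platform, subject, batch);
        batch.clear();
        if (iter.hasNext()) Thread.sleep(pauseMillis);  // let the server catch up
      }
    }
    if (!batch.isEmpty()) started += startBatch(reconManager, platform, subject, batch);
    return started;
  }

  private static int startBatch(ReconManager reconManager, PlatformContext platform,
                                Subject subject, List<Service> batch) throws Exception {
    int count = 0;
    for (Service service : batch) {
      // Same API calls as ReconServices, one service at a time.
      ServiceMO serviceMO = new ServiceMO(platform, subject, service.getDistinguishedName());
      reconManager.runRecon(serviceMO, new ReconUnitData());
      count++;
    }
    return count;
  }
}
```

In ReconServices the while loop over the services would be replaced by a single call such as reconInBatches(platform, subject, services, 5, 60000L), which starts at most five reconciliations per minute.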


Creating and executing a recertification policy

Now that the services have been created and reconciled, it's time to create a recertification policy.

  1. Navigate to Manage Policies->Manage Recertification Policies.
  2. Click the Create button to create a new attestation policy.
  3. Specify a name for this policy, for example, "Bulk Recertification Policy".

Figure: Policy name

  4. Click Next to continue.
  5. Select Accounts as the target type and click Next to continue.

Figure: Target type

  6. Click Add to add the targets for this policy.

Figure: Add targets

  7. In the search field, specify the service name prefix used when creating the services. For example, "bulk_".

Figure: Search targets

All the services created via the Java TIM API application in the previous step should be returned.

  8. Select the checkbox on the heading row of the result table to select all the services that were returned.

Figure: Select targets

  9. Click OK to continue and complete the attestation policy wizard. Set the desired schedule and the workflow participants, such as the service owner or the manager.

Actioning the recertification as a workflow participant

When the attestation policy is executed, the workflow participants are notified. The participants can see the approval activities in the self-service console as well as in the administration console. These approval activities share the same activity ID and are therefore grouped together in the console, as shown below. This is a new feature of TIM 5.0.

Figure: View Activities

When you click on the grouped activity, a list of individual activities is displayed, as shown below. The summary information contains enough information for the workflow participant to decide whether or not to approve the attestation.

Figure: Grouped approval

On this list, the checkbox on the heading row can be used to select or deselect all the activities and approve or reject them in bulk. Note that the administrator can configure the number of entries that are shown on a single page in a “to-do” list. The default in a TIM deployment is 10, however, for bulk operations, the administrator might want to increase this number.


Summary

Conclusion

Setting up the attestation of accounts for hundreds of target systems can be burdensome. However, for many organizations this can be an important compliance requirement. This tutorial shows ways to automate the creation of service definitions for like systems, perform bulk reconciliation and attestation, whilst highlighting the handy shortcuts that ITIM 5.0 provides in performing this work.
