My Life, My World

IAM: Building Community

Fri, 03 Jul 2009 07:37:16 -0500

One of our next big steps for the IAM project is to work on building an on-line community. We have looked at a few hosted sites like ning.com and so on. But none of them met our requirements. Being that our project is all about identity, our most important requirement is any solution we select, must be able to use our Penn State credentials. We also want something that is open, so that members of other Universities can join the community.

Yesterday at our IAM TAG (Technical Architect Group) meeting we had a guest speaker, Cole Camplese. Cole gave us a number of good ideas on how to build a community. Right now we are looking at two software solutions, elgg and Drupal + Social Networking Modules. elgg looks interesting, but it does not look easy to integrate with WebAccess. However I did not spend much time investigating that. We do have Drupal up and are continuing to investigate that also. So far that is looking to very interesting. If anyone out there has other solutions that could meet our requirement, please comment on this post.

Day 5 of CAMP (Advanced CAMP)

Thu, 02 Jul 2009 07:48:31 -0500

Ah the last day of CAMP, it was a half day and it was very busy with good topics. The main focus of this morning was a wrap up of CAMP in general. We reviewed a couple of projects during some lighting talks. One of interest to us was OpenRegistry. OpenRegistry is an open source Identity Management System (IDMS). It provide a place for data about all of the people in your identity system. In terms that we use in the IAM project it is a Central Person Registry. The presenter was Benn Oshrin from Rutgers. We (Renee Shuey and I) talked to Benn and a couple of other schools about the whole concept of a person registry last year. They along with a few other schools have gone off and done the design work for OpenRegistry. With any data store the most important part will be the data model. How will you be representing data about the individuals?

For a very long time now I have been involved in the Access Project, a.k.a CACTUS. CACTUS is close to being a person registry, but its not very central. When we started development of CACTUS, we spent a large time working on the data model. The only problem was, we tried to force fit the existing data that lived on the mainframe into a relational database. It came out somewhat OK in the end, but its definitely not a central person registry. The addition of things like billing for services really have nothing to do with the management of identity for example.

So wrapping this up, we the Central Person Registry team (Ed Hayes, Bob Walters and myself) are going to take a very detailed look at the work that is being done in the OpenRegistry space.

Was CAMP worth it? You bet it was. With our starting the IAM project yesterday, CAMP gave us some really good ideas and updates on some important projects.

Day 4 of CAMP

Wed, 01 Jul 2009 07:51:59 -0500

Day number four of CAMP was the first full day of Advanced CAMP. Attendance at this session was much higher, since a large number of the Internet2 major players attended. That day we learned about a number of the major projects that are underway.

I will start with Kauli first. The Kuali Foundation is a non-profit organization responsible for sustaining and evolving administrative software that meets the needs of all Carnegie Class institutions. Here is a link to the project organization. The part that we were interested in was KIM (Kuali Identity Management). Some of its supported concepts include: entities, groups, roles, responsibilities, and authentication. All of the Kuali projects are written in Java, and have GUI interfaces to maintain data. It supports permission assignments for roles and groups. This will be another project that the Penn State IAM team will be looking at.

Next up was the uPortal folks. Being that I spent a large part of my life designing and implementing the Penn State Portal, I was really interested in hearing about where things were at with uPortal. Back in the day, we looked at uPortal for Penn State, but like most efforts, its just was not really ready for us to use. However I was quite impressed with where things have ended up. uPortal is still written in Java and supports JSR 168 portlets. A portlet supports, authentication, user attributes, roles access control, hosting and provisioning and skinning.

Sakai was the next topic. The presenter was Ray Davis from UCB. Sakai is an LMS that has pluggable modules. Its provides a framework, that is Java-based, open source and very extensible via plug-ins. Over 100 different aplications and services can be plugged into it. Sakai 2 was based on Tomcat and Spring. The new version Sakai 3 will use Apache Sling.

Day four had some other interesting lighting sessions that if I have time later, I may blog about. Right now, I wanted to put out some information about some of the major sessions.

Day 3 of CAMP

Tue, 30 Jun 2009 08:00:42 -0500

This was our last day of Basic CAMP. It was a half day session that was a wrap up of CAMP. Once again one of the most interesting parts were the lighting talks. The first talk was from Chris Hyzer from University of Pennsylvania. His topic was Grouper attributes and privileges. This was a very interesting one, at point I was looking at Grouper for our groups solution. At the time, the software was at the early stages, and we just moved forward with what we have today using LDAP. Things have really improved in my opinion. Grouper is about 5 years old, written in Java and can utilize multiple databases. All of your groups, and their membership reside in a database and then they are provisioned to LDAP. This is a very attractive solution as opposed to what we have today where all of the groups only exist in LDAP. This is one of the projects that the Penn State IAM team will be reviewing.

Next up was Kent Frong, University of British Columbia to talk about their IdM program. UBC is a decentralized campus, they have a major challenge with resources. Hum, I think I have heard that before. They do not have fully dedicated personnel working on IdM. They are striving to make IdM a more collaborative environment. This is one of the goals of our IAM project too.

And finally we heard from Jim Beard, University of Oregon. His topic was IdM implementation from the rear view window. Their school currently uses Identity Manager from Sun. They had a very short timeline for their implementation phase. Like any system, they have realized that the number of people looking at their administrative site has grown in ways they were not anticipating. A lot of these schools use Banner for provisioning their accounts. One of their main goals was to be able to communicate with their incoming students earlier than in the past. Most of them have their accounts set up before they come to campus. Jim touted auditability as a real big bonus of their IdM system. Their security team has been pretty much hands off during the entire implementation. Their advice was sought out at various stages of implementation. Identity proofing for them is done through the registration process. That data is used for the account claiming process. That information goes out to the students in a mailer.

I think I left Basic CAMP with a really good understanding of what's going on out there, which was one the main reasons we went. This is information that is going to help us (Penn State IAM team) go forward with our design and implementation.

My iPhone Oracle Calendar Solution

Mon, 29 Jun 2009 07:18:26 -0500

So last week, I was one of the lucky ones to be able to procure a new iPhone 3GS at the local AT&T store. Definitely impressed with its features, mainly since its my first iPhone. So I set up my GMail and Penn State IMAP which was pretty easy to do. Then, I started looking at my calendar options for Oracle Calendar syncing. I surveyed what was out there, Synthesis and SyncJE. Both of these products are pay only, and I wanted a free solution. I kept reading and then I came across a blog posting from google. The full post found here, discussed how to make your calendar available on your iPhone. So all I needed to do was to get my Oracle Calendar data to Google's calendar. That seemed easy enough, Oracle has an export feature. So I exported an iCalendar file using (a period of previous 1 week to 1 month). I then loaded that into Google's calendar. I noticed that most of my events were there, but not all of them. What was missing were the repeating events. I ran into this problem in the past with the Portal and Oracle calendar, my solution at the time was to use the vCalendar format. So I did that, and low and behold all of my events just showed up in my calendar. Then to access them from my iPhone, I pointed Safari to: google.com/calendar/gp and entered my credentials. Then I was presented with a new interface to my calendar. The only cavaet I can see is that the google calendar will only allow up to import at most 50 events. For me that does not seem to be an issue. Since my calendar is pretty static, doing an upload when I need it does not seem to be an inconvenience.

Day 2 of CAMP

Fri, 26 Jun 2009 07:07:40 -0500

The second day of CAMP was a full day. We started the first session off with a presentation from Steve Carmody (Brown), Liz Salley (UMich Ann Arbor) and Caleb Racey (Newcastle University). The topic was Describing the Solution Patterns and Real World Examples. Liz is from Administrative Computing. She talked a bit about Yahoo's Pattern Library. When dealing with solution problems it is all about finding the vision for what the optimal solution will be. Its pretty much an interative process where you "toss" around the problems for a while and see which ones work and the ones that do not.

                Analysis
Use Case         Taxomony
                Solution

Start at Analysis -> Taxomony -> Solution -> Use Case -> Analysis.

After that presentation, we had another a series of lighting talks. The one that interested me the most was from Astrid Fingerhut (University of Chicago). The topic was on their Trusted Agent Program. The problem is how to gain early access to digital resources for new faculty and staff. So that when they start on their first day, they have all of the necessary access to do their job. This is a pretty common problem in IAM and one that we have ourselves. Their solution is to use what they call "Distributed Authorization", which in effect is delegated registration authorities. They create temporary accounts for these people which last for up to one year before they receive their permanent accounts. As soon as they appear in the payroll feed they gain full access. They have to do a lot of training and hands on for this program. This will be part of our IAM education program. How we implement our solution to this problem is TBD.

After lunch we had a sesson titled, "Environment Scan - What tools work (and don't work). This was a pretty good session too. The part that interested me the most was the presentation from Bob Baily about openLDAP. Being a person who deals with LDAP daily, I was really anixous to hear what was being done with openLDAP. Needless to say there are a number of features that our current LDAP server does not support that openLDAP does. The only problem is we need to balance that with our size. Bob's school has about 5000 people at it. He wasn't sure how it would scale to the size and complexity we need.

Our next session was on policy, what works and what doesn't work. Renee Shuey (Penn State), Liz Salley (UMich), and Andrea Bessing (Cornel). Gave great overviews of what their schools are doing in the policy arena. Here is a link to their presentations.

The final session for the day was a break out session where we were given an opportunity to meet with our peers and discuss some of the problems we are dealing with.

Day 1 of CAMP

Thu, 25 Jun 2009 08:10:26 -0500

Our first day of middleware CAMP was a short one, only a half day. Needless to say that half day was a very good one. Tom Dopirak, CMU began the first session with a presentation on Access Management Building Blocks. The abstract for the session was:

The CAMP program provides an approach to analyzing, designing, and implementing access management solutions. In this session, we will present an overview of the building blocks we'll be using in the workshop, define a few terms, and look at how these blocks can be used to help you address access management challenges.

As you can tell from the abstract, the bulk of the presentation focused on terminology that would be used later throughout CAMP. He did dive a little bit into the policy process at CMU, which is a multi-step one. More information about it can be found here.

The next session was presented by Rob Carter (Duke) and Scott Fullerton (U of Wisconsin at Madison). Its focus was on categorizing access management challenges. They proposed a categorization scheme for categorizing the various use cases that exist in the IAM realm. The result of some of their work can be found here. I found this a very interesting session, because our IAM group is starting to accumulate use cases and at a some point we will be going through the exercise of categorizing them and trying to determine the similarities that exist amoung them. Oh yeah at some point, we will have a space set up so that use cases can be submitted to us.

The final session for the day were the lighting talks. A person had 5 minutes to present a topic and 5 minutes for questions. The list of topics can be found here. I presented a topic on Workflow at Penn State. I gave an overview of the problem related to what the Workflow project is solving and then talked about the IAM things (like roles). I was lucky that I talked fast to make my presentation. A number of the other talks were really good too. Jim Beard's talk about password challenges is pretty much what we are dealing with right now. They are going down the path of a one-time use password with questions. This is going to be a thorny problem for us (IAM and Penn State), right now our process for password resets needs some work.

EduCause & Internet2 Summer CAMP

Wed, 24 Jun 2009 07:11:36 -0500

So last week a number of us, attended Summer CAMP in Philadelphia. Hum, your mind must be wondering about a camp in Philly. Well it was not that kind of camp. CAMP stands for Campus Architecture and Middleware Planning. The focus of CAMP this time was on all things Identity and Access Management, otherwise known as IAM. Want to learn more about IAM visit the current IAM home page. Camp was divided into two parts the first two and a half days were called Basic CAMP, and the final day and a half was focused on Advanced topics. In the next posts to follow, I plan on diving into some of the material that was presented at CAMP. On a side note, our original plan to get to Philadelphia was going to be by car. But we changed that around and took the Amtrak out of Harrisburg. Being the train nut that I am, that was the perfect way to arrive and leave the city.

Has facebook gone to the dogs?

Fri, 27 Feb 2009 13:19:44 -0500

Interesting question isn't it? People use facebook for different things; networking, dating, complaining, you name it. Just yesterday my step-daughter Courtney sent me an invite for something call Dogbook. Yes, it seems that within facebook you can build a network for your pet, in this case my dog. Oh yeah, it also includes cats too. So I gave it a try, we have three dogs, a min pin, a yorkie and a big question mark. I set up a dogbook for our min pin, felony, fel for short. I was able to set up information about him, favorite things to do, and then build a network of friends for him. So what's the value? I'm not sure yet. I was able to find groups to joins for other min pins. So there could be something there. But right now, I am just not sold. It definitely does show that social networking is exploding into other directions that I would have never guessed. And yes, I do update fel's status when he does something new.

newser rocks!

Thu, 26 Feb 2009 12:48:47 -0500

Like most of you out there in blog land, I read a lot of tech news and views from a variety of sources. Some of my favorites are digg.com, lifehacker.com and slashdot.org. Just recently I came across a post about a news aggregator site called newser.com. newser was mentioned as being the future of on-line newspapers, and I agree. Last night on Fox Business, I heard that most of the stock prices of the major newspapers are actually less than the price of the paper itself. I receive the CDT at home, but with a site like newser, I could be convinced to cancel my subscription.

VirtualBox

Thu, 26 Feb 2009 07:36:03 -0500

I am a big Mac user, right now I am typing this post on my iMac. Also in my office, you will find a MacBook and a Mac Mini. At home, I have a Mac Mini too. But there are times when I need to run other operating systems for testing like Windows and a flavor of Unix. Since all of my Macs are Intel-based, I am able to take advantage of the virtualization software that is available. I have tried Parallels and VMware Fusion. Under both of those products, I installed a licensed copy of Windows XP and Ubuntu. In the end, I really liked VMWare for its features and performance. Heck, I even went out and purchased a copy for home. Now the landscape has changed a bit. A while back, Sun released VirtualBox as Open Source, which is another VMWare-like environment. From the VirtualBox site:

VirtualBox is a general-purpose full virtualizer for x86 hardware. Targeted at server, desktop and embedded use, it is now the only professional-quality virtualization solution that is also Open Source Software.

So I kicked the tires on it, and the results have been very good. Again my main use is to fire up an OS and maybe do some testing and that's about it. In the hard times we are in financially as a country, you really cannot beat the cost ($0.00).

I was audited (Oh my!).

Wed, 25 Feb 2009 12:32:12 -0500

This one of my first posts about things in my world that have nothing to do with software. So back to the audit, no it was not the IRS. I had an energy audit performed on my house. With rumors of really high oil and energy prices, I decided to take some action back in the summer and see if there were things I could to keep things under control. In the back of my mind, I figured the audit would go well, since my house was constructed in 2000. Ha, was I really wrong.

So I contacted the auditor, who in the end turned out to be someone I went to high school with, go figure. Anyways, John came out and told me about the process. We started off with a questionnaire about how we (my wife Sheri and I) feel about the house. Is it really cold in the winter, and warm in the summer and many other questions like that. Actually, there were three pages of questions. After the question period, John went around the house looking for things and then started in the basement and worked his way upstairs to the attic. The last thing he performed was a blower door test. You can read more about that here. John assured me the house would do well. Well it did not. Based on the results of the test, he felt that I had huge holes in my ductwork and I was loosing energy in other places. Ouch! So here were some of the recommendations:

Fix my basement insulation, as it was installed incorrectly.
Insulate my water pipes
Seal behind my sinks.
Seal other areas that had drafts.
Add additional insulation to my attic.
And many other things (10 pages worth).

In the end, the things were easy to fix and the costs were minimal. The audit itself ended up only costing me $300.00. I plan on having a follow up audit later this summer to see if there are any more things I can do before the electric caps are removed. From a tech standpoint, it was really interesting to see how technology was being used to determine the problems with my house. Opps, sorry this was not supposed to be a post about software. Ha!

Can you name that tune?

Wed, 25 Feb 2009 12:21:10 -0500

Back in the day, there used to be a TV game show called, "Name that tune". The premise behind the show was the contestants would state how many notes of a song they needed to identify it. It was interesting to see people do that with one note, talk about luck.

So fast forward to present day, a lot of times we are asked to solve a problem by programming solution. Based on the type of problem and its solution, you may try to play the same game with a programming language. I can solve that problem in 2 lines of Perl or 30 lines of "C", which is better? Well it depends on the type of problem you are trying to solve, of course. Over my twenty-some years of programming, I have used the following languages: Ada, "C", C++, Java, Perl, Lisp, Prolog, Pascal, Visual Basic, and so on. All of these languages have their distinct advantages and disadvantages. I think the most important part is when you try to name that tune, you are thinking about things like:

Will my selected language scale to the user base (current and future)?
Do I need to worry about any special security concerns?
If I pick a language like Ada, will someone be around to maintain it and/or cover for me when I am out?

You get idea, these are very important questions to ask. Just because you can name that solution in 3 lines of Perl, does not really make it the correct solution for the problem.

I'm hooked on the beans...

Fri, 14 Nov 2008 19:51:26 -0500

For the longest time, I have been in the quest for the perfect development environment, and I've had little luck until this past week. Now do not get me wrong there are loads of great environments out there, and I have used most of them. Back at Raytheon, I used Rational Rose, StP, Visual Basic and Symantec Visual Cafe for Java. When I came to Penn State, I did a lot of Java, so I continued to use Symantec and its various follow-ons. Then I branched out to other languages and platforms. I'm not your average programmer who in a day just uses one language. Monday for example, I was coding some "C", PL/SQL (Oracle), shell script and Java. And all of it was done using "vi" on UNIX. My desktop is a Mac, but I just never found something that worked for me. I tried Eclipse and I really wasn't impressed. So I almost came to the conclusion that I was just going to be stuck using "vi". Now do not get me wrong, I am really good with "vi", and the other UNIX tools, but I was missing the features of an integrated environment. Well folks, good news I found my environment and its NetBeans. I am running version 6.5 on Mac and its great. I ended up loading all of the plug-ins for the languages that I deal with. And to make matters even better, Wednesday I found a PL/SQL plug-in. Now I can develop stored procedures, compile and debug them from my desk. Being the old programmer that I am, I have to admit that I did switch the editor to use "vi" bindings. Some things are just hard to give up.

Wired on blogging.

Tue, 21 Oct 2008 13:01:52 -0500

From www.wired.com - Twitter, Flickr, Facebook Make Blogs Look So 2004. Its a pretty interesting read. As of late, I'm finding less and less time to blog. Twitter, facebook and del.icio.us do make my life a lot easier.