Sunday, July 20, 2014

SDK and API: New era - TPAM integrated in ChangeAuditor

Silence on my blog for 3 months. It’s a long time, I know, but I have been working hard to understand all the new products and all the new features, and preparing new presentations with one idea/challenge… Integrate, integrate and integrate all products, because customers need solutions; they don’t need products or just ideas (it’s my personal opinion).

For this reason, last week I wrote this tweet

image

The first requirement for this challenge is that every product has an SDK / API, because the products need a common language to talk to each other and be integrated.

After working 3 days with the ChangeAuditor SDK and the API provided by TPAM, I integrated both platforms (beta version) to run together. This integration adds new features/capabilities:

  • Real time activity in ChangeAuditor from TPAM
  • Fine-grained auditing
  • Full audit connected to a real identity trail
  • Correlate events with any platform monitored by ChangeAuditor (Active Directory, Exchange, SharePoint, SharePoint Portal Server… and so on)
  • Granular control over when an alert is issued (in TPAM environment)

In the screenshot below you can see the plug-in user interface I have developed (it’s professional, isn’t it?). It holds the configuration parameters: coordinator server, user, password, TPAM IP address…

image

In this video you can see an example of users managing information in TPAM.

(Note: when you click on the CAforTPAM.exe file, a new program icon will be shown in the notification area.)

I’ll write a new post this week with new features that Bryan Patton suggested to me (good ideas, thanks Bryan!!!)

I hope this helps!

I want to thank you, Tim Sedlack, for helping me with this challenge.

Thursday, April 3, 2014

Video: WebSSO in PAM using QESSO

Most customers, when you speak with them about Privileged Account Management (PAM) and controlling and auditing super-user access, always ask the same question: Is it possible to manage my corporate applications without IT staff knowing the password, I mean, to provide sessions with Single Sign-On (WebSSO and Legacy SSO) in all applications (Tomcat, Windows, Red Hat, NetApp, EMC… etc.)? That way, I will reduce and mitigate risk.

The answer is: Sure!! No problem!!!

This video demonstrates how you will be able to provide SSO in all the customer’s applications. You just need to combine PAM with another tool: Enterprise Single Sign-On. It’s easy and helpful.

WebSSO in ALL Customer applications with PAM

 

I hope this helps!

Wednesday, February 26, 2014

Step 1: Catching WMI alert from ChangeAuditor

The last post I wrote was about ChangeAuditor and Dell One Identity Manager integration (ChangeAuditor and D1IM better together). After 2 days looking into how ChangeAuditor manages alerts, its database schema, views, tables and so on, I got it!!

The scripts and forms developed in this post are a Beta 1 version, but when I have more time (night time) I’d like to create a VB.NET program with a real service and GUI to manage this information… I think it's enough to show how it works (I’m a presales guy, not a developer guy!!!)

Lab scenario:

  • Domain Controller with ChangeAuditor Agent
  • Server with ChangeAuditor Coordinator and ChangeAuditor Add-on v.1.0 Beta version (image below) and fake “services”

image

 

Configure Real time Monitoring

  • Click the “Add Real-Time monitoring” button

image

  • Configuration parameters:
    • All WMI Alerts configured in ChangeAuditor
    • Add filter to Alert:
      • Who / What / Where
    • Trigger a script (command line textbox) and/or call Identity Manager Web Services
  • Click Add to save data
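
How a rule built from these parameters could be evaluated, as an added example that is not the plug-in's own code: the rule fields, alert fields and script names are assumptions, and the alert is constructed. It also shows alert fields handed to the script as separate arguments rather than pasted into a command string.

```python
import fnmatch

# Constructed rules mirroring the form's fields; every name is an assumption.
RULES = [
    {"alert": "Group Member Added", "who": "CORP\\*", "what": "Domain Admins",
     "where": "dc01*", "command": "notify.cmd", "enabled": True},
    {"alert": "*", "who": "CORP\\svc_backup", "what": "*", "where": "*",
     "command": "ticket.cmd", "enabled": False},
]

# Constructed alert, shaped like one WMI alert after its fields are extracted.
SAMPLE_ALERT = {"name": "Group Member Added", "who": "CORP\\alice",
                "what": "Domain Admins", "where": "DC01.corp.example"}


def matches(rule, alert):
    """True when the rule is enabled and all four filters match, ignoring case."""
    if not rule["enabled"]:
        return False
    pairs = (("alert", "name"), ("who", "who"), ("what", "what"), ("where", "where"))
    return all(
        fnmatch.fnmatchcase(alert[alert_key].lower(), rule[rule_key].lower())
        for rule_key, alert_key in pairs
    )


def build_argv(rule, alert):
    """Script path plus alert fields as separate arguments, never one shell string."""
    return [rule["command"], alert["who"], alert["what"], alert["where"]]


def dispatch(alert, rules=RULES):
    """Argument vectors to launch for this alert, one per matching rule."""
    return [build_argv(rule, alert) for rule in rules if matches(rule, alert)]


if __name__ == "__main__":
    for argv in dispatch(SAMPLE_ALERT):
        print(argv)  # hand to subprocess.run(argv) without shell=True
```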

 

Manage Alerts

  • Click the “View Real-Time monitoring” button

image

Information about the configured alerts (enabled or disabled status, configuration parameters…)

  • Click Close

 

ChangeAuditor

In ChangeAuditor’s alert configuration, choose Alerts with WMI checked

image

 

“Services”

A script runs in the background to detect any WMI alert triggered by ChangeAuditor

image

image

I’ll record a video with the whole sequence

Hope this helps you

Thursday, February 6, 2014

ChangeAuditor and D1IM better together

After checking many events and alerts in platforms such as Active Directory, Windows Files & Folders, Mailboxes, SharePoint, and the registry changes since different Service Packs and/or HotFixes have been applied…, I might say that ‘the whole environment is under control with ChangeAuditor’… but we have to verify that those accesses are the right ones. By ‘right access’ I mean that the action done by the user/employee is the appropriate one because it is her/his job and it is within their duties and the organization’s expectations. It is truly a breach in compliance and a gap in enterprise governance when an audit system does not talk to/use/consume real, real-time information from an identity management solution. The IAM platform becomes the one real repository, since the organization has an identity catalog around the entity ‘employee’ and fully understands entitlements, roles, requests, policies, approvals, etc.

The way to do this is through the integration of Dell One Identity Manager (D1IM) and ChangeAuditor (auditing platform) in order to control and monitor what users can do and are actually doing in the environment. The unique combination of these applications will provide insights on what one is entitled to do, what is being done and will highlight any inconsistency for business matters.
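
The comparison described above, as an added example that is not code from either product: it checks audited actions against an entitlement catalogue and reports both actions nobody was entitled to and entitlements nobody used. The record layouts, names and sample data are constructed assumptions.

```python
# Constructed entitlement catalogue, as an identity manager might export it:
# identity -> set of (action, resource) pairs the person is entitled to.
ENTITLEMENTS = {
    "alice": {("modify", "group:Helpdesk"), ("read", "share:Finance")},
    "bob": {("read", "share:Finance")},
}

# Constructed audit events, as an auditing platform might report them.
EVENTS = [
    {"who": "alice", "action": "modify", "resource": "group:Helpdesk"},
    {"who": "bob", "action": "modify", "resource": "share:Finance"},
    {"who": "mallory", "action": "read", "resource": "share:Finance"},
]


def classify(event, entitlements):
    """Label one audited action against the identity catalogue."""
    granted = entitlements.get(event["who"])
    if granted is None:
        return "unknown-identity"  # actor is not in the catalogue at all
    if (event["action"], event["resource"]) in granted:
        return "entitled"
    return "not-entitled"


def inconsistencies(events, entitlements):
    """Audited actions that the catalogue does not justify."""
    return [
        (e["who"], e["action"], e["resource"], verdict)
        for e in events
        if (verdict := classify(e, entitlements)) != "entitled"
    ]


def unused_entitlements(events, entitlements):
    """Granted rights with no matching audited action (candidates for review)."""
    used = {(e["who"], e["action"], e["resource"]) for e in events}
    granted = {(who, a, r) for who, pairs in entitlements.items() for a, r in pairs}
    return sorted(granted - used)


if __name__ == "__main__":
    print(inconsistencies(EVENTS, ENTITLEMENTS))
    print(unused_entitlements(EVENTS, ENTITLEMENTS))
```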

Current Scenario

image

Integration Scenario ChangeAuditor – D1IM

image

 

I hope this helps!

Tuesday, January 21, 2014

Enterprise Single-Sign On

After investing the last two months in several Proof of Concepts (PoCs) with Dell One Identity Manager, I’m catching up with my blog (too long without posting). This year, I will be writing all posts in English, but if anyone needs information about the Identity and Access Management discipline in Spanish I will be more than happy to help.

In the past, when I was asked for an opinion on Enterprise Single Sign-On (ESSO) I always said the same: ‘It’s a good company approach but if the organization wants to avoid more issues/problems it should evolve/develop their applications again’. Now, I have realized that it was a mistake to say that, since it’s quite complicated to change the applications in a company when that app was developed 10 years ago and it sits at the company’s core. What should an organization do in this scenario? There’s a need for a technology that adapts the application to the new era and helps users and administrators to manage the situation in a modern, flexible way. Environments are complex enough, and technology should make users’ and admins’ lives easier and avoid the problems of the past. We have to deal with the management of passwords in a discipline that, not surprisingly, is called ‘Password Management’. We have to deal with the issue of ‘I forgot my password!’ in an ESSO environment, and there’s technology around to do that.

This post today will become a step-by-step guide to install Dell Enterprise Single Sign-On (known as QESSO since it comes from the Quest acquisition) in your company. It’s easy to install and, more important, it’s easy to deploy and configure. You will be able to publish your commercial or homegrown applications that you need for the SSO environment.

 

  • Run Autorun.exe

image

  • Under Advanced Installation, click Enterprise SSO – x64 (it’s my lab platform)
  • Use the guide (below) to continue with the installation process.

image

  • First step: Schema Extension

image

  • Click Next

image

  • Type Account Name, Password and Domain. Click Next

image

  • Click Next

image

  • Click Yes

image

  • After schema extension has been installed, click Next

image

  • Choose the domain to set up. Click Next

image

  • Choose the location where IAM will store its configuration; in this case, “Store configuration data under program data/IAM”. Press Next

image

  • Choose With controller…option. Click Next

image

  • Select Enable the use of software. Click Next

image

  • Select Enable the access control…. Click Next

image

  • Choose Program Data/IAM container. Press Next

image

  • Select all organizational units you want to manage with QESSO and Press Next

image

  • Click Next
  • Select Active Directory to authenticate users. Click Next

image

  • Type Domain Controller. Press Next

image

  • Type Login and Password with Administrator privileges. Press Next

image

  • Click Next

image

  • Click Next

image

I hope this helps you

Monday, November 25, 2013

Dell One Identity Cloud Access Manager: WebSSO (3/3)

Once CAM is installed and configured, we start configuring each of the applications that will be managed from the Cloud Access Manager portal. As can be seen on the administration page (image below), a message in orange shows the next steps to follow, among them “Front-End authentication”, “Roles”, etc. In our case we will define Microsoft Active Directory as the authentication method (“Front-End authentication”) that end users use to access the CAM portal, and we will add two basic access roles.

image

  • In the Front-end Authentication section, select the Add… button
  • Click Microsoft Active Directory, then click Next

image

  • Add the domain, user and password to verify that the credentials are correct. Click Next

image

  • Click Next (in the two-factor authentication window)

image

  • Enter the name of the “Front-End authentication”

image

  • Click Yes, Edit Roles

image

  • Add the administrator users to the administration role, and the users who will “consume” the portal to the users role

image

image

Now we would only need to configure the applications to publish in CAM. We will look at these configurations in upcoming articles.

Related articles:

Dell One Identity Cloud Access Manager: WebSSO (2/3)

Dell One Identity Cloud Access Manager: WebSSO (1/3)

I hope this helps you

Wednesday, November 20, 2013

Dell One Identity Cloud Access Manager: WebSSO (2/3)

Once the concept of WebSSO and how Cloud Access Manager works are understood, we get down to work.

Installation process:

  • Run Autorun.exe
  • Select Prerequisites
    • Click Install Framework 4.5

image

  • Select the Install tab

image

  • Accept I agree… Click Next

image

  • Select Production Installations

image

  • Add the user, password and server where the product will be installed. Click Next

image

  • Click Install

image

image

  • Click Launch

image

  • Click Next

image

  • Add the passwords for managing CAM as Administrator

image

  • Enter the SQL Server details and click Next

image

  • Click Next

image

  • Click Next

image

image

Related articles:

Dell One Identity Cloud Access Manager: WebSSO (1/3)

Dell One Identity Cloud Access Manager: WebSSO (2/3)

I hope this helps you