CA Identity Management

Goal #1: Simplify Application Onboarding

 

In part I of this blog, I presented an overview of the five goals we want to achieve to ensure that our identity and access management (IAM) Ops Software Factory runs smoothly. Well, I’m finally back with part II. Today, my IMAG Jedis, wherever you are in this universe, together we will focus our attention on simplifying application onboarding.

 

We all know that enterprise-scale IAM operations is much more than just onboarding identities and managing their lifecycle. Think about it: When was the last time you even considered onboarding only user identities, as if doing so were tantamount to achieving singularity in a blackhole? It was inevitable (and right) that IAM operations move on from user onboarding to aligning application onboarding to meet the demands of modern business. No longer can we think of user identities and application accounts separately. From HR to commerce and everything in between, each identity has an associated entity in the form of a CA Identity Suite application endpoint.

 

Each endpoint is critical to your business and user experience, and endpoints are often tied to one or more enterprise processes. From provisioning to workflow to accountability, the fabric of your enterprise DNA has many aspects. Let’s start by asking ourselves these questions:

  • How can users access the application faster?
  • How can the application be integrated faster so that the business doesn’t have to wait as long?
  • How can I govern access to business applications?
  • How can I use what others are already doing to accelerate value?

 

To enable your business processes—and answer the above questions—enterprise applications need to be integrated with a solution such as CA Identity Suite in an agile manner that consists of:

  • Connectivity to the applications
  • Management of accounts and entitlements within the applications
  • Control of access to the applications

 

OK, assuming you’re convinced that simplifying application onboarding is the way to go, how do you get it done?

 

CA Identity Suite Deployment Xpress lets you onboard an application’s various user populations with a wizard-based approach. Deployment Xpress’s predefined business process use cases (such as employee onboarding and contractor termination) allow you to integrate applications more easily and quickly, giving users faster access. Better yet, Deployment Xpress Market Place allows you to download and leverage best practice use cases on the fly. The use cases ship with pre-built, simple-to-use, intuitive user interfaces that can be branded with your corporate theme in CA Identity Portal, which enhances your user and customer experience.

 

If you want to integrate applications using APIs with CA Identity Suite, CA API Gateway is tailor made to your needs. In this approach to application onboarding, you don’t have to rely on OOTB connectors or invest in developing extensive custom connectors: You can simply follow a policy-based low-to-no-code approach.

 

Last but not least, we need to remember governance. Like it or not, we all need to run periodic certification campaigns to ensure that access is validated and verified across all enterprise applications. The new AppXpress capability and services allow you to onboard connector and connector-less applications into CA Identity Suite in a matter of minutes, align them to master user data and run campaigns through your consolidated CA Identity Governance universe.

 

I highly recommend that you develop questionnaires, templates and job aids to help your application owners, business stakeholders and operations managers create more structured and simplified application onboarding. If you have questions or comments, or need help, please post your thoughts below.

 

Next up: The challenge of creating an enterprise IAM framework that supports security and compliance needs without having to deal with performance issues that impact your CX. 

Are you planning or in the middle of a CA Identity Governance implementation, or are you onboarding applications in preparation for an entitlements certification campaign or a privilege cleanup exercise? If so, you are not alone. We have seen a big uptick in the customers who are pursuing these activities, and many have asked CA Services to help find ways to speed the process, improve quality, and reduce risks.

Because of the demand, we are expanding the availability of a solution to those challenges with a new service. If you have implementation or onboarding in your future, and realize you may have logistical issues with large numbers of apps to be certified, you may want to learn more about App Onboarding Service for CA Identity Governance from CA Services.

The error you are seeing is a known issue with 12.6.8 CR1. To resolve this please try the steps below.

1. Back up and remove the dxserver executable from the dxserver/bin directory.
2. Extract the installer package (Data1.cab) and take the dxserver executable from that directory.
3. Place the new dxserver executable in the dxserver/bin directory and name the file correctly.
4. Run the installer; right after the installer passes the version check, put the original dxserver executable back.
5. Complete the install.

New CA Highlight blog post: Leave legacy authentication behind and rebuild trust. Insight from David Duncan, VP, Product & Solutions Marketing, Security, CA Technologies.

I’ve received requests from many of you to discuss best practices for performance tuning of CA Identity Suite, so that is today’s topic.

 

Call me biased, but I am firmly convinced that CA Identity Suite is the most comprehensive identity and access governance (IMAG) solution in the industry—and the most scalable. CA Identity Suite comprises three key applications:

  • CA Identity Manager
  • CA Identity Governance
  • CA Identity Portal

These applications, embedded in your business processes and your IT infrastructure, are supported by several commercial technologies such as application servers, databases, LDAPs and operating systems. In the last 18 years, I’ve done almost countless IMAG assessments and CA Identity Suite health checks for customers of all sizes in a wide variety of industries. Those health checks all start with one seemingly simple question: What constitutes optimal performance, now and in the future? But as simple as it seems, you’ll be surprised how elusive the answer can be.

 

Performance tuning is easier to accomplish if we first establish qualitative metrics (such as the customer experience) and quantitative metrics (such as transaction speed) for the business process in question, say, user login. Your qualitative and quantitative metrics for user login (or any other process) will drive the metrics for individual solutions and components.

 

During this stage, it’s important to understand that each enterprise has its own unique metrics. To be successful, your organization needs to establish its own particular metrics rather than duplicate or approximate those of another enterprise—even if that enterprise is a leader in your industry.

 

After determining your metrics, you need to construct your test scenario, test data and test data automation. You then need to run them using a performance testing tool such as CA BlazeMeter and a testing automation tool such as CA Test Data Manager (CA TDM) to generate test data and verify results.

 

Testing your use case for metrics is not enough; you need the right set of eyes and ears to find out what’s going on. Gone are the days when monitoring server uptime, process, CPU and hard disk utilization was enough. The Application Economy demands a much more effective monitoring system that contributes to a successful digital transformation and a superior customer experience. This requires sophisticated low-level monitoring of components that can monitor the business process.

That’s where CA Application Performance Management (CA APM) enters the picture. Having worked with most of the performance monitoring tools on the market, I can assure you that none comes close to the capabilities and insights provided by CA APM (formerly CA Wily). CA APM monitors CA Identity Suite tasks, events and business logic, providing full drill-down monitoring of low-level entities within a business process.

 

The powerful combination of CA BlazeMeter, CA TDM and CA APM allows performance testing and tuning for continuous delivery (#Agile) of CA Identity Suite. These tools provide the necessary insights for tuning the performance and adjusting the capacity of these CA Identity Suite components:

 

  • CA Identity Manager Server, CA Identity Portal and CA Identity Governance Server JVMs running on IBM WebSphere, Oracle WebLogic, RHEL WildFly or RHEL JBoss EAP
  • CA Identity Suite runtime and operations databases running on Oracle and/or Microsoft
  • CA Identity Suite user stores running on CA Directory, LDAP, Active Directory and other supported databases such as Oracle and Microsoft
  • CA Identity Suite provisioning server and directory running on CA Directory
  • Supported operating systems such as Windows Server, RHEL, and Oracle Solaris
  • Network components

Whether you have performance issues or you want to build a highly scalable, high-performing CA Identity Suite infrastructure to enable your digital transformation, the CA Services team has the expertise to help you do precisely that. CA Services tunes the performance of Identity Manager by conducting technical health checks and, if requested, a full business process review. CA Services also specializes in performance testing and SaaS-based monitoring.

 

Please feel free to reach out to CA Services to find out how to engage us to facilitate your digital transformation and create a superior customer experience.

Four Steps that will help you to determine whether you should upgrade.

 

It’s a known fact: CA customers running the most recent version of CA Identity Manager (IM) log fewer support tickets and have fewer severity 1 issues than customers on older versions.

 

That leads us to the question, “When is the right time to upgrade my CA IM solution?” I’m here to help you make that decision, and CA has several technical tools that help clients determine when to upgrade.

 

Step 1 in the process is to determine the current solution level by running a tool that CA provides. The tool, which extracts a lot of information about an organization’s IM solution, is called iminfo.bat (for MS Windows environments) or iminfo.sh (for UNIX environments). The top lines in the file named “…\CA\Identity Manager\Provisioning Server\bin\caim_iminfo.txt” show the current solution’s build level.

This tool should be run on every server that houses one or more CA IM components, as components on different servers are sometimes at different release levels.

 

Step 2 is to consult CA’s support matrix, which helps clients determine whether they’re on track with their IM solution, or if they’ve fallen behind and are therefore at risk of losing support. If that’s the case, they need to start planning an upgrade.

In fact, upgrade planning should be an ongoing activity, especially if your organization has a high level of solution acceptance and use. Just like every other agile product deployment these days, it makes sense to always have a backlog as well as a few sprints actively going on or coming up.

 

Which leads me to step 3, the IM capabilities roadmap. It behooves customers to have a roadmap in place, so that day-to-day operation of the solution doesn’t get in the way of adding value where it’s most needed. (When Services helps a client implement IM, we provide an initial set of capabilities and give them a roadmap for enhancements.) A best practice is to revisit the roadmap every 12 months to make sure it’s still relevant and valid. Whether it still is depends on how long the solution has been in place and how long ago the roadmap was created.

 

Step 4, the final step in determining whether an upgrade is in your immediate future, is to gather feedback from your user community. In my experience over the last eight years, a lot of clients don’t take the time to get feedback from their users. Satisfaction surveys or other modes of getting feedback are invaluable in helping organizations determine the capabilities that most need to be upgraded or added. In a future post, I will discuss the kinds of questions that yield the most useful feedback in a satisfaction survey.

 

As for my next post, I’ll talk about how CA Services can help you create a comprehensive upgrade plan that will justify the (really very reasonable) expense of an upgrade and help you get leadership buy-in on the project. Stay tuned!

For millions of people who use applications for activities like managing photos, making travel reservations, conducting their daily banking business and/or managing retirement funds, CA Single Sign-On (SSO) is central to a successful user experience.

 

Effectively managing your Identity and Access Management (IAM) platform’s performance doesn’t start when you integrate an application into the solution; it starts the very day you begin evaluating requirements for IAM. Decisions large and small—product and platform selection, network and directory design, application integration patterns, even log settings—can affect IAM platform performance. Often, though, organizations make those decisions without considering downstream effects.

 

If you saw my CA World presentation “Who’s Minding Your SSO Store?” you’ll remember that we talked about SSO key performance indicators and how to monitor them. We also discussed how to estimate capacity and useful ideas on how to model the load on your IAM environment. Once you’ve done all that math, and you’re certain you have the capacity, it’s time to test SSO.

 

At that point, you have a whole new set of questions in front of you:

 

  • How do I test SSO?
  • What tools should I use?
  • Do we have a testing solution in house? Does our team understand how to test this?
  • Are there open source testing tools that I should consider?
  • How difficult is testing?

 

Because most IT professionals don’t have a breadth of testing knowledge, capabilities and experience at their fingertips, let alone the tools for generating the necessary load for testing a solution, I’m going to walk you through the issues and best practices over the next few weeks.

 

We’ll explore tools and methodologies, starting with the foundation—directory instances. I’ll talk about strategies and walk you through each step for building a realistic test script, the tools we use to do it and how to execute it.

As you know, the user store is the most critical component of any CA SSO environment. If the user store can’t handle the load and starts to perform slowly, the negative effects cascade throughout the entire solution. Soon users get failed login attempts because the policy server has no free threads—they’re all busy waiting for the directory. Then users get server errors because there are no free connections because requests are held up waiting for threads—yep, they’re waiting for user directory requests.

 

That’s why we’ll start our journey at performance and capacity testing of your CA SSO user store. I’ll show you how to use Apache JMeter to build and execute a test plan for your user store, and with the power of CA BlazeMeter, throw as much load at the server as it can take.

 

Next we’ll move on to testing your Apache and IIS web servers to ensure that they’re tuned and ready for the load you’ll generate. Depending on how you have the webservers configured and tuned, your policy server configuration and host configuration objects should and will change—we’ll explore why and how.

 

Finally, we’ll put it all together and test your full CA SSO stack—web server, access gateway, policy server, user store, session store, and everything else. We’ll make sure you have monitoring in place to quickly troubleshoot bottlenecks and build a test program that can become a repeatable part of your process for every app protected by CA SSO.

 

Along the way, I’ll stop by for a webinar on May 17th, CA SSO Performance Testing with CA BlazeMeter, and host sessions on performance testing on the Communities site. I hope you’ll join us for everything!

Let’s say you implemented an IDM solution about a year ago. Everything hummed along just fine for a while, but now momentum has slowed and you’re experiencing a stall. Here’s how to prevent that stall by doing the right things from the very beginning.

 

Tip #1: Automate to Foster End-User Participation

Perhaps more than any other enterprise security domain, identity management and governance processes require active and meaningful participation from end users, which can be difficult to foster when processes are manual and/or ad hoc. Consistent, automated processes provide users with a better experience, deliver high satisfaction and increase efficiency. What’s more, the interface needs to be hospitable to the business user, not just the IT-savvy user. In fact, a recent Aberdeen report indicates that a focus on the user experience can increase user productivity by 60 percent and user satisfaction by 80 percent.

 

Tip #2: Drive Adoption

In driving adoption, training is a must-have—especially the combination of formal education and informal knowledge transfer.

CA Education has a lot of excellent courses for IDM that are excellent for implementers and administrators. In my experience, clients who take advantage of these courses are invariably better prepared for governance when we leave.

Also essential is to leverage ongoing technical knowledge transfer from our technical people—the consultants—to your team’s technical people. We work with your team to show them the ins and outs of the solution, including configurations, log reading, daily backups and recovery, to name just a few. We work hand in hand with the client to be certain the client team is ready to take over governance of the solution. Alternatively, we can provide short- or long-term application management services.

 

Then there’s the all-important documentation. I’m not talking about reams of paperwork, but we make sure we leave behind enough material so that a year after implementation, when the client wants to expand the project, they have what they need to move quickly. Plus, they don’t have to review everything and figure out what the previous team had in mind.

CA Communities are a great forum for customers, CA colleagues and partners to share experiences, knowledge, and information about new offerings.

 

Tip #3: Keep Current on Releases

Software is dynamic and undergoes continuous improvement. CA Identity Management is a great example of how feedback we receive from our clients results in new capabilities. Approximately every six months, CA releases a new service pack with new capabilities and code modifications. Because upgrades are inevitable, it’s just logical—and essential—to plan ahead. By doing so, you get both new capabilities and program modifications. Most clients plan upgrades in 18-month cycles. Look for a future blog to deep dive into the planning process.

 

Tip #4: Minimize Customization

This is so crucial to preventing stall that it has its own post. If you haven’t read it already, take a look.

I welcome your input on what works for you in avoiding the dreaded stall. Please feel free to leave your comments.

As organizations enter emerging markets by acquiring companies that are successful in those markets, the burden falls to IT departments to introduce new services, maintain security and reduce costs by integrating and streamlining operations, all while onboarding acquired employees. Often, that requires customization of your IDM solution, such as interfacing with legacy systems that need to be kept, at least for the time being.

 

Currently, 70% of IDM implementations I work on have some customization, but the trend is downward. I would estimate that in the past, 70% of IDM implementations had a lot of customization. In discussing whether or not to customize, I remind the customer that once CA leaves the premises, the client is responsible for governance of those customizations, so they need to retain the technical skills to keep them going.

 

But often, there’s a better solution. CA Services offers several rapid IDM deployment scenarios that reap value in three short months.

 

Deployment Xpress simplifies the process of deploying common IDM use cases, such as password reset, forgotten password reset, and birthright provisioning to common endpoints such as Active Directory, without custom coding. Clients select the use cases they need, and Deployment Xpress automatically creates the basic code and policies. A virtual appliance makes installation/configuration quick and easy.

 

Our best advice to customers is to stay on the field of play with out-of-the-box capabilities, but sometimes they need endpoints for which we don’t normally provide provisioning connectors. In those cases, we use Connect Xpress, an out-of-the-box tool, to create a new connector quickly.

 

Another option is IDM Policy Xpress, where we can do a lot of logic in policies out of the box, so that clients don’t have to code their own Java or C++ code. This is a huge advantage, for two reasons. First, governance is much less of an issue once CA Services leaves the premises. Second, when the client later decides to do a migration or upgrade (or any other work), there is no need for the client to have the right skill set to manage custom components.

 

When it comes time to migrate to a new release or environment, Config Xpress eases and facilitates a simplified graphical migration of IDM environments. This out-of-the-box tool supports the migration of and delineation of all IDM objects and their dependencies in the environment, including roles, policies, tasks and workflows, among others. It also provides a graphical comparison that establishes the differences between two configurations, without losing yourself in thousands of lines of XML code.

 

So before you decide that a customized solution is the only way to go, consider the semi-custom route with CA’s Xpress products.

In a leading market survey, 66% of IT security officers stated that their identity and access management processes were too manual and insufficiently automated. This indicates that many organizations get less than full value from their identity management (IDM) solution.

 

As a CA Services senior security architect, I’ve been involved in dozens—if not hundreds—of IDM implementations. Here’s some advice for getting the most from your solution…with the least amount of blood, sweat and tears.

 

Tip #1: Get involved from the start and stay committed. While outside experts are almost always key to success, the client’s IT leaders will be held accountable for success or failure. That means they need to identify the right people on their team—the people with the right technical and soft skills—to collaborate with the service provider and take ownership of project success when the service provider leaves the premises. The service provider can help identify the required skills.

 

Requirements gathering takes place before the implementation officially starts—in fact, often before the contract is signed. This is a critical juncture for project success, because the implementation will be designed and executed based on the requirements the architect gathers from client stakeholders. Don’t scrimp on the time or commitment that stakeholders allot to this phase.

Our clients are always working on many projects, so it’s often a challenge to ensure that the right people are involved, but I can’t overstate how important it is for them to participate through every phase of the project—and beyond.

 

Tip #2: Include a business analyst on your internal project team. About 50% of CA Services’ implementations are new solution deployments. The other 50% are migrations, where clients want to expand their use of IDM or upgrade to the next release—or even jump four or five levels.

Migrations present the risk of impacting the client’s business, so requirements gathering focuses on identifying risks and determining the client’s risk tolerance—which, more often than not, is close to zero. We always advocate for including a business analyst on the client team, because analysts are invaluable in identifying risks and risk tolerance.

CA Services often mitigates risk by doing a parallel build. We build a new hardware-software infrastructure with three environments—development, testing/QA and production. We plot out the course for migrating and testing the objects the business needs from existing environments to the new, parallel environments.

In typical migrations, clients want to expand IDM value by automating more business functions, resulting in fewer daily routine tasks for security staff. Expanded value also stems from extending the solution’s reach into new provisioning areas such as a mainframe environment or another database. After we identify how the client wants to expand IDM value, we go into the same kind of thought process as for new deployments—identifying the hardware and software the client should add so that we can provide the new function. During this process, business analysts are essential team members.

 

Tip #3: Test data needs to be real data, and testing can’t be given short shrift. Unrealistic data causes headaches for everyone—and a less-than-effective solution. Allow plenty of time for testing: Time “saved” on testing translates to time spent on fixing issues later.

CA Services architects now regularly recommend using BlazeMeter and JMeter to ensure that we have a broad set of tasks to run quickly—and the same way every time—to validate the implementation or migration. You’ll see more about these tools in future posts.

If your tests aren’t broad-based enough, you’ll go to production with a failed effort. By taking the time to automate the tests and run enough of them, everyone will be confident at migration time that you’ve seen 95% of what you expect to see, and that users won’t be impaired in their ability to do their work.

 

Tip #4: Never underestimate the effort required; the larger the organization, the more time it will take. This piece of advice speaks for itself.


Here you go! CA Technologies releases the latest CA Identity Suite 12.6.8 version with the following exciting features:

  • Identity Analytics
  • Support for CA Business Intelligence (CABI) 6.2

We also support you with the following enhancements:

  • Access certification
  • CA Identity Portal enhanced mobile support
  • Access Request suggestions engine
  • Voluntary Product Accessibility Test (VPAT) in support of section 508 and WCAG2.0
  • CA Advanced Authentication enhanced support
  • Windows 10 support
  • CA Identity Portal database support

Install or upgrade the latest version of CA Identity Suite and enjoy the amazing features. To know more about CA Identity Suite, see our product documentation.

Try to access the IAM Connector Server UI on HTTP://JCS_HOST:20080/main

Credentials to Connector Server UI:

Default username: Admin

Password: <Should be same password as provisioning manager>

If you can't access that site please attempt the following.

1) Stop the Java Connector Server service

 

2) Create a backup folder under ..\Connector Server\Data\ and move the following folders into it (step 4 relies on them no longer being in place):

..\Connector Server\Data\activemq

..\Connector Server\data\cache

..\Connector Server\data\derby

..\Connector Server\data\port

 

3) Create a backup folder under ..\Connector Server\jcs\data\jdbm\ and copy the following folders into it:

..\Connector Server\jcs\data\jdbm\etasa

..\Connector Server\jcs\data\jdbm\SA Configuration

 

4) Restart the Java Connector Server service. On startup it recreates the folders moved above, which rebuilds the file-system DBs in use.

 

5) Once the JCS is fully up try to access the IAM Connector Server UI again

 

6) If you have any custom OSGi bundles that were previously deployed, you can re-deploy them.

 

7) Retest access of the endpoints from the Provisioning Manager
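The recovery steps above, automated as an added example that is not part of the original post. The install path, the Windows service name and the backup-folder naming are assumptions; confirm the real service name with Get-Service before running.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): automates steps 1 to 5 of the
# JCS UI recovery procedure. Paths and the service name are assumptions.
param(
    [string]$JcsRoot     = 'C:\Program Files (x86)\CA\Identity Manager\Connector Server', # assumed
    [string]$ServiceName = 'im_jcs',      # assumed; verify with Get-Service
    [string]$JcsHostName = 'localhost',
    [int]   $JcsPort     = 20080
)

$ErrorActionPreference = 'Stop'
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

# Folders from steps 2 and 3, grouped by the parent that receives the backup folder.
$plan = @(
    @{ Parent = Join-Path $JcsRoot 'Data';          Names = 'activemq', 'cache', 'derby', 'port' },
    @{ Parent = Join-Path $JcsRoot 'jcs\data\jdbm'; Names = 'etasa', 'SA Configuration' }
)

function Wait-ServiceStatus([string]$Name, [string]$Status, [int]$TimeoutSec = 120) {
    (Get-Service -Name $Name).WaitForStatus($Status, [TimeSpan]::FromSeconds($TimeoutSec))
}

function Test-JcsUi([string]$HostName, [int]$Port, [int]$TimeoutSec = 300) {
    # The rebuild takes a while; poll the UI port instead of sleeping blindly.
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    while ((Get-Date) -lt $deadline) {
        try {
            $client = New-Object System.Net.Sockets.TcpClient
            $client.Connect($HostName, $Port)
            $client.Close()
            return $true
        } catch {
            Start-Sleep -Seconds 5
        }
    }
    return $false
}

# Step 1: stop the Java Connector Server service.
Stop-Service -Name $ServiceName
Wait-ServiceStatus $ServiceName 'Stopped'

# Steps 2 and 3: move (never delete) the runtime DB folders into timestamped
# backups so the previous state can be restored if the rebuild does not help.
foreach ($entry in $plan) {
    $backup = Join-Path $entry.Parent "backup-$stamp"
    New-Item -ItemType Directory -Path $backup -Force | Out-Null
    foreach ($name in $entry.Names) {
        $src = Join-Path $entry.Parent $name
        if (Test-Path $src) {
            Move-Item -Path $src -Destination $backup
            Write-Host "moved $src -> $backup"
        } else {
            Write-Host "skipped (not present): $src"
        }
    }
}

# Step 4: start the service; JCS recreates the moved folders and rebuilds its DBs.
Start-Service -Name $ServiceName
Wait-ServiceStatus $ServiceName 'Running'

# Step 5: confirm the UI port answers before retesting endpoints from Provisioning Manager.
if (Test-JcsUi $JcsHostName $JcsPort) {
    Write-Host "JCS UI reachable at http://${JcsHostName}:${JcsPort}/main"
} else {
    Write-Warning "JCS UI not reachable after rebuild; restore from backup-$stamp and check the JCS logs."
}
```

Custom OSGi bundles (step 6) still have to be re-deployed by hand afterwards.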

How long have you been at CA, ganla02?

I have been at CA for the past 3 years and 10 months.

 

What was the career path that led you here?

I was working on security products (mainly Identity and Access Management products) in my previous company. I was moved into a project which involved supporting CA Siteminder and eventually moved to CA Support based on that experience.

 

What product do you support?

CA Identity Manager, CA Directory and Cloudminder

 

What keeps you at CA?

The work culture of CA and management support for employees. Also employee benefits.

 

What is your passion outside of work? What do you like to do?

I love to read. I also watch lots of movies. Writing is my passion. I write short stories whenever I get time.

 

What is your educational background?

I completed my Bachelor of Technology at Mahatma Gandhi Institute of Technology, Hyderabad.

 

How has support changed since you started?

Customer First has become the supreme motto for support, and it’s getting stronger every year. Everything we do, we try, we stop or continue doing, it’s all for customer happiness. This is how a Support Team should think, and that is what is getting implemented in CA Support.

 

Why should people be involved in the communities?

Like a social network platform used to interact with like-minded people, CA communities can also be used effectively to interact with different individuals who are interested in different products and technologies.

Customers can also use this platform to share their ideas and check whether their ideas are getting implemented.

 

Why should customers read Knowledge Articles?

Self-service is always faster. Clients can get an immediate resolution for their problem if they can find an appropriate Knowledge Article. This saves time for the client, and after all, time is gold.

 

Follow the Support Engineer here: ganla02

In version 12.6.6 of Identity Portal the endorsed folder was copied manually to the application server.

In 12.6.7 version, the installer was supposed to do this automatically so this step is not documented.

However, the installer is not performing this action and the manual step is still needed.

The relevant files are located in the endorsed folder under the installation of SIGMA:

SIGMA_BASE_FOLDER\SIGMA\jdk-endorsed-jars

 

Each application server deals with the files differently.

In JBoss copy the two JARs to the JDK endorsed folder (if it does not exist then create it).

After you complete this step, the JDK endorsed folder should have the following content:

c:\Program Files\Java\jdk1.6.0_45\jre\lib\endorsed\geronimo-jaxws_2.2_spec-1.1.jar
c:\Program Files\Java\jdk1.6.0_45\jre\lib\endorsed\jaxb-api-2.2.6.jar

 

In Tomcat, create a folder named "endorsed" under the Tomcat home folder:

c:\Tomcat 7.0\endorsed\

Copy the two JARs to that Tomcat endorsed folder.

After you complete this step, the Tomcat endorsed folder should have the following content:
c:\Tomcat 7.0\endorsed\geronimo-jaxws_2.2_spec-1.1.jar
c:\Tomcat 7.0\endorsed\jaxb-api-2.2.6.jar

Restart the Tomcat application server.

We have made available a new NPS survey for those Identity Suite users who would like to give us their input and their relative satisfaction with our products. If you would like to complete this short survey, please go here: https://survey.qa.medallia.com/?product-communities&product=CA%20Identity%20Manager

 

Thank you

Sumner Blount

Director, Identity Suite Product Marketing