Layer 7 Access Management

3rd Party Service Tools used for Identity Suite's connectors/PX Rules

  • 1.  3rd Party Service Tools used for Identity Suite's connectors/PX Rules

    Posted 05-26-2017 12:37 PM

    Team,

     

    Enclosing processes used to lower the duration of turn-around to build/validate connectors (via CX, OOTB, or PX).

    Columns: Item | Connector Type | Feedback Tool / Processes | Description / Cost

    Item 1
    Connector Type: Active Directory / LDAP / Mainframe (TSS/ACF2/RACF via LDAP Server for z/OS), JNDI
    Feedback Tool / Processes:
      Step 1: JXplorer, Apache Directory Studio, Softerra LDAP Browser / Softerra LDAP Administrator: validate service ID permissions/password to TCP port 389.
      Step 2: openssl s_client -connect hostname:636 -showcerts
              Validate AD DC has a public CA root certificate (not a self-signed cert)
      Step 3: certlm.msc (open on any server/workstation in the domain, to export the CA public cert)
              Export the public CA root certificate
      Step 4: openssl s_client -connect hostname:636 -showcerts -CAfile public_CA_cert_file_HERE.pem
              Validate that the exported public CA root cert is the correct one being offered by the endpoint
    Description / Cost:
      Free tools (Apache Directory Studio, JXplorer, openssl, Softerra LDAP Browser, MS certlm.msc)
      Paid tools (Softerra LDAP Administrator)

    Item 2
    Connector Type: CX JNDI Dynamic Connector: LDAP
    Feedback Tool / Processes:
      Step 1: JXplorer, Apache Directory Studio, Softerra LDAP Browser / Softerra LDAP Administrator as a feedback tool.
              View the schema, and then open the CX UI to build the new LDAP dynamic connector.
              Estimate 2 hours to build an LDAP connector
    Description / Cost:
      Free tools (Apache Directory Studio, JXplorer, openssl, Softerra LDAP Browser)
      Paid tools (Softerra LDAP Administrator)

    Item 3
    Connector Type: ODBC Connector
    Feedback Tool / Processes:
      Step 1: Validate if the DB is using the standard USERS TABLE, where DB User exists.
      Step 2: Validate access with DbVisualizer for service ID and password
              If so, then use the OOTB ODBC connector.
              If not, then use CX UI to JDBC
    Description / Cost:
      Free tools (DbVisualizer, openssl)
      Paid tools (DbVisualizer)

    Item 4
    Connector Type: CX JDBC Dynamic Connector: DB
    Feedback Tool / Processes:
      Step 1: Validate if the DB is NOT using the standard USERS TABLE.
              Use DbVisualizer (30 days free) to build and monitor the database for updates for CRUD use-cases to see which tables are in use.
      Step 2: Confirm Reverse Engineering process with GRAPH in the DbVisualizer tool.
              Identify the TABLES and/or STORED PROCEDURES to use.
      Step 3: Focus on the following ORDER:
              View Profile, View MemberOf, Delete Profile, Delete MemberOf, Create, Create MemberOf, Modify Profile, Modify MemberOf
      Step 4: Test each use-case multiple times. Use JMeter tool.
    Description / Cost:
      Free tools (DbVisualizer, openssl)
      Paid tools (DbVisualizer)

    Item 5
    Connector Type: SOAP / REST
    Feedback Tool / Processes:
      Step 1: Validate with SoapUI, if WSDL is available, if able to submit a request.
      Step 2: Validate if authentication is: Anonymous, BASIC (bind), WSEE (if WSEE and using PX Rules, adjust the authentication as part of the BODY, and change the PX Rule to Anonymous Bind)
      Step 3: If SOAP call is to IME TEWS, use the IME VST as part of the feedback process to monitor success.
      Step 4: Monitor with ims.policyxpress = DEBUG, via the -D JVM switch OR logging.jsp page
      Step 5: If SOAP/REST is not to IME but a remote system, contact the remote admin resource to work with you during the testing exercise.
      Step 6: Or determine if there is a native UI, with a service ID that can be used as part of the feedback process.
    Description / Cost:
      Free tools (SoapUI, openssl)
      Paid tools (SoapUI Pro)

    Item 6
    Connector Type: SOAP / REST SCIM Protocol
    Feedback Tool / Processes:
      Step 1: Validate with SoapUI, if WSDL is available, if able to submit a request.
      Step 2: Validate if authentication is: Anonymous, BASIC (bind), WSEE
      Step 3: If SOAP/REST call is to internal or cloud web application with provisioning, use the API GW to build the process.
      Step 4: Monitor with ims.policyxpress = DEBUG, via the -D JVM switch OR logging.jsp page
      Step 5: If SOAP/REST call is to internal or cloud web application, contact the remote admin resource to work with you during the testing exercise.
      Step 6: Or determine if there is a native UI, with a service ID that can be used as part of the feedback process.
    Description / Cost:
      Free tools (SoapUI, openssl)
      Paid tools (SoapUI Pro)

    Item 7
    Connector Type: All Connectors - Performance
    Feedback Tool / Processes:
      Step 1: Use JMeter to build a test plan to use LDAP to the IMPS Provisioning Server TCP 20389.
      Step 2: Adjust the JMeter test plan to test "through" the IMPS server, down to the connector tier, and then to the newly managed endpoints.
      Step 3: Add in queries for 1000 entries of user profiles, add in queries for 1000 entries of group objects, add in queries for user profile with membership, add in exact queries to single user profile, add in update to single user profile, add in MASS CHANGE update so that all selected user identities are updated.
    Description / Cost:
      Free tools (JMeter, SoapUI, openssl)
      Paid tools (SoapUI Pro)
      Service Tool (Blazemeter)

    If you have examples, I would like to hear what has worked for you.

     

     

     

    Cheers,

     

    A.
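
The certificate checks in steps 2 to 4 of item 1 can be rehearsed offline before pointing them at a domain controller. The script below is an added example, not part of the original post: the function names, the `example.test` host names and the test CA are constructed, and a saved capture file stands in for live `openssl s_client -showcerts` output.

```shell
#!/bin/sh
# Added example: constructed CA/DC certificates stand in for a real LDAPS endpoint.

# Step 2: extract the first (leaf) certificate from `s_client -showcerts` text on stdin.
leaf_from_showcerts() { openssl x509 -outform PEM; }

# Step 2: subject name == issuer name means the endpoint offers a self-signed cert.
is_self_signed() {
  [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
    "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# Step 4: does the leaf ($2) verify against the exported CA root file ($1)?
chains_to_ca() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Classify a saved -showcerts capture ($1) against an exported CA file ($2).
check_endpoint() {
  leaf=$(mktemp) || return 2
  if ! leaf_from_showcerts <"$1" >"$leaf" 2>/dev/null; then result="no-cert"
  elif is_self_signed "$leaf"; then result="self-signed"
  elif chains_to_ca "$2" "$leaf"; then result="trusted"
  else result="wrong-ca"; fi
  rm -f "$leaf"; echo "$result"
}

# Build constructed material in work dir $1: a CA, a DC cert it signs, a self-signed DC cert.
make_demo() {
  d=$1
  printf '[req]\ndistinguished_name=dn\nx509_extensions=v3\nprompt=no\n[dn]\nCN=Constructed Test CA\n[v3]\nbasicConstraints=critical,CA:TRUE\n' >"$d/o.cnf"
  openssl req -x509 -config "$d/o.cnf" -newkey rsa:2048 -nodes -days 2 \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -new -config "$d/o.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=dc01.example.test" -keyout "$d/dc.key" -out "$d/dc.csr" 2>/dev/null
  openssl x509 -req -in "$d/dc.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -set_serial 2 -days 2 -out "$d/dc.pem" 2>/dev/null
  openssl req -x509 -config "$d/o.cnf" -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=dc02.example.test" -keyout "$d/ss.key" -out "$d/ss.pem" 2>/dev/null
  # Emulate s_client output: a banner line, then the leaf, then its issuer.
  { echo "CONNECTED(00000003)"; cat "$d/dc.pem" "$d/ca.pem"; } >"$d/good.txt"
  { echo "CONNECTED(00000003)"; cat "$d/ss.pem"; } >"$d/selfsigned.txt"
}

if [ "${1:-}" = "demo" ]; then
  w=$(mktemp -d) && make_demo "$w"
  check_endpoint "$w/good.txt" "$w/ca.pem"
  check_endpoint "$w/selfsigned.txt" "$w/ca.pem"
fi
```

Against a real endpoint, save the output of the Step 2 command to a file and pass it to `check_endpoint` together with the PEM exported in Step 3; a `wrong-ca` result means the exported root is not the one that issued the certificate the endpoint offers.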