IGI & NFS Mounts

Monday, 29 July 2019
The IBM knowledge base reads like it was constructed by a technical writer who has very little experience of actually using the products they are describing. At least, that is how I read most of the official documentation.

Frequently, documentation might tell you how to do something, but it won't necessarily tell you why you should do it; what circumstances would require you to do it; and even the steps described are often missing some key piece of information.

The documentation that supports how to create an NFS Mount Point for Enterprise Connector input files is a case in point:

  • the documentation describes what you need to do, ish
  • the documentation is lacking why you need to do it
  • the documentation only provides one side of the NFS equation

Why would you move your files to an NFS Mount Point?

If you have an IGI cluster (and if you are running a Production Service, you really ought to have a cluster), then you MUST use NFS for your input files! You need all of your cluster members to be accessing the same source repository for your files and the ONLY way to do that is via NFS.

What do you need to do at the NFS Server side?

Well, let's take a Red Hat based system as an example for hosting our input files. You would perform the following tasks:
yum -y install nfs-utils
# Service account that will own the share; keep the UID consistent on every host that touches the files
useradd -u 50001 identity
mkdir /nfsroot
mkdir /nfsroot/connectors
chown -R identity:identity /nfsroot/connectors
# Export the share to the IGI cluster's subnet only; replace <subnet> with it (e.g. 192.168.1.0/24).
# The original post only shows the tail of this line; options other than no_subtree_check are assumed.
echo "/nfsroot <subnet>(rw,sync,no_subtree_check)" > /etc/exports
systemctl start nfs
systemctl enable nfs

NOTE: Change <subnet> to your IGI cluster's subnet as appropriate.

NOTE: Update your firewall rules to allow traffic on ports 111 (TCP/UDP) and 2049 (TCP).
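As an added example (not from the post), a small POSIX shell audit to run over an exports file before the cluster mounts it: it flags entries exported to every host (a "*" client or no client list at all) and entries that keep no_root_squash, the latter being a check the post does not mention. The 192.168.1.0/24 subnet in the constructed sample is a placeholder.

```shell
#!/bin/sh
# Added example: audit an /etc/exports file before the IGI cluster mounts it.
# Flags (1) entries with no client list or a "*" client, i.e. exported to any host,
# and (2) entries that keep no_root_squash. Returns 0 when clean, 1 otherwise.
audit_exports() {
    findings=$(
        set -f   # the "*" client must not glob-expand against the working directory
        sed -e 's/#.*//' "$1" | grep -v '^[[:space:]]*$' | while read -r path clients; do
            [ -z "$clients" ] && echo "$path: no client list, exported to every host"
            for client in $clients; do
                host=$(printf '%s' "$client" | sed 's/(.*//')
                opts=$(printf '%s' "$client" | sed -n 's/.*(\(.*\)).*/\1/p')
                case "$host" in
                    '*') echo "$path: wildcard client '*'" ;;
                esac
                case ",$opts," in
                    *,no_root_squash,*) echo "$path: no_root_squash for $host" ;;
                esac
            done
        done
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Constructed samples (not from the post): a risky export and a restricted one.
RISKY_EXPORTS=$(mktemp)
cat > "$RISKY_EXPORTS" <<'EOF'
/nfsroot *(rw,sync,no_root_squash,no_subtree_check)
EOF
GOOD_EXPORTS=$(mktemp)
cat > "$GOOD_EXPORTS" <<'EOF'
# connector share, IGI cluster subnet only (192.168.1.0/24 is a placeholder)
/nfsroot 192.168.1.0/24(rw,sync,no_subtree_check)
EOF

audit_exports "$RISKY_EXPORTS" || echo "risky export rejected"
audit_exports "$GOOD_EXPORTS" && echo "restricted export accepted"
```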

What do you need to do at the IGI Appliance side?

Navigate to Manage > Network Settings > Network File System, then click on the New icon.

Complete the following:

  • Host Name: Linux Server Name or IP Address which hosts your NFS service
  • Remote Directory: /nfsroot
  • Local Directory: linuxserver

NOTE: Change linuxserver to whatever label you desire.

What do you need to do at the IGI Application side?

Navigate to Enterprise Connectors and create your CSV-based connector as normal, but within the Input Folder attribute use the following syntax:

NOTE: Change linuxserver to whatever you set within the Appliance.
NOTE: Ensure that the application folder exists on the Linux Server for the relevant application you are creating a connector for. (Ideally, this would mirror your application name, right?)

And that, my friends, is that!

IAM Respite - Champagne Time

Thursday, 31 January 2019
I say Champagne Time. I don't really mean that. I mean there's a bottle of Champagne up for grabs as part of my Guinness Six Nations 2019 predictor game.

It's a simple game. 15 matches. 15 score predictions. The most accurate person walks off with Champagne (or a substitute drink of their choice).

It's free to enter; takes only marginal skill; and enhances the joy of the tournament.

Don't be shy - give it a go and forget all about that Identity & Access Management stuff for a few minutes.

IGI Internal Events

Monday, 16 April 2018
IGI gurus should understand that adding rules to Live Events is really the only way you are going to get maximum value from your IGI deployment. Out-of-the-box features within identity tools are rarely detailed enough to allow for production deployment, and there is always a need to enhance these processes with organisation-specific rules and definitions.

IGI gurus will also be aware that the firing of rules can be somewhat hit and miss. Placing objects into the USER_ERC table will fire a Live Event on the IN queue, but writing an advanced rule to perform a SQL update of the same database table using the internal scheduler will NOT fire a Live Event!

Similarly, modifying a user in the Administration Console will not fire an event either unless you specifically "Enable Internal Events" on your Settings tab.

Enabling Internal Events, however, will only allow a handful of events to trigger a rule. For example, you can add business logic to the Add Entitlement event, but you cannot add business logic to the Publish Entitlement event or the Add Entitlement to an OU event. Maybe one day this will be enabled (and I really hope some of the IBM Development Team read this)!

Anyone who has ever enabled internal events, then clicked on the Monitor/INTERNAL tab to view the events may be sorely disappointed. I call it the "Tab of Disappointment" and why? Well, it will be empty. No matter what events are being fired, it will be empty. That is, until you add this little gem to your system:

    /*
     *  Version: 1.0
     *  Date   : 2018-02-28
     *  Purpose: Saves the event so it is viewable in the logs
     */
    event : EventBean(  )

This piece of code should be added to the BEFORE ruleflow within Rules/Live/Internal. This code instructs the platform to always save the event within the database tables which makes the event visible in the Monitor/INTERNAL tab.

Now you can see what is going on in your system and maybe even replay events.

NOTE: Should you wish to look in your log files for anything you may be spewing out from your rules within Rules/Live/Internal, you may have to look at the accessgovernancecore_event_out.log file. Don't ask why!