
Hitachi ID Systems Blogs

Archive for September, 2011

Sometimes we forget how fast things change…

Wednesday, September 28th, 2011

I noticed an advertisement in an in-flight magazine yesterday. It was for an HP tablet. I checked the magazine – it was dated September. Just think: this ad was purchased by HP very recently, and in the very short time between advertising purchase and when I picked up the magazine, HP dumped its inventory for $100/unit and killed off the whole division.

The dichotomy between normal time-lines for print advertising and the pace at which IT companies are forced to make and execute on major, strategic decisions couldn’t have been more clearly illustrated.

Amazing.

VMWare Workstation 6.5.5 on Ubuntu 11.04 “Natty Narwhal”

Tuesday, September 20th, 2011

I had the pleasure of upgrading the OS on my laptop the other day. And I use the term pleasure very loosely, because I had to move around about 150GB of data – so much fun.

Anyways, I was not surprised to see that the most recent patchlevel of VMWare Workstation 6.5.x didn’t want to install on my new OS. That’s been my experience with VMWare over the past few years – doesn’t work out of the box on Ubuntu. Insert grumbling noises.

A google search didn’t turn up anything, and it was a weekend job, so I just left it.

Good thing too – turns out that while nobody has published a patch to VMWare Workstation 6.5.5 for a 64-bit install of Ubuntu 11.04, one of the guys at work had already done the work. He asked to remain slightly anonymous – but I’ll share his initials – JN. Nice work JN.

So in case you are reading this and wanting to install VMWare Workstation 6.5.5 on Ubuntu 11.04 64-bit, please try this patch:

hitachi-id.com/largedocs/patches/vmware655onUbuntuNatty.zip

And everyone say thank you to JN for making it (a) work and (b) easy. :-)

– Idan

SPML is dead … long live “SPML envelope” ?

Saturday, September 17th, 2011

I just got a demo from our engineers of an integration they completed for a higher-ed customer. The customer is using a prominent ERP for higher ed and needed to send onboarding and deactivation requests, in real time, to our identity manager. This was to be done using an SPML gateway.

The demo went great – the web services gateway does, indeed, send messages to our system to provision and deactivate students, faculty and staff in real time. Everything works nicely, especially once our guys and the customer’s team worked through crashes in the J2EE app server hosting the software that sends messages to our system.

Did I mention that J2EE sucks and major J2EE servers are crashy junk? Let's leave that for another day.

Just one hitch: when I had a look at the message format, I discovered that while the message envelope was indeed SPML, the message body was not. Indeed, the message body was clear and human-legible, something nobody would accuse SPML of. There are plenty of sample SPML messages out there (google for SPML example if you’re curious) but the key point is that they are nasty, overburdened XML not suitable for human eyes.

Our friendly higher-ed ERP vendor clearly wanted (a) to be seen as a leader adopting standard protocols, such as SPML and (b) to deliver a developer-friendly, legible web service. (a) and (b) are not compatible, so they seem to have found a sneaky way to do both – use the header from SPML but send nice content in the body.

Nice.

We had to write a bit of custom code to parse the message body, but hey – it wasn’t anything like the spaghetti required to parse real SPML, so no complaints.
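What that custom parsing looks like in practice, as an added example rather than the integration code from the post: the SOAP and SPML v2 namespaces are the real ones, but the vendor namespace, element names and both sample messages are constructed. The parser accepts only the exact shape it expects (one SPML request element as the envelope, one vendor element as the body), refuses inline DTDs before the XML parser sees them, and rejects genuine SPML payloads rather than guessing at them.

```python
"""Parse an 'SPML envelope' provisioning message whose body is vendor-specific XML.

Added example (not the integration described in the post): the vendor
namespace, element names and sample messages below are constructed.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SPML_NS = "urn:oasis:names:tc:SPML:2:0"              # SPML v2 core namespace
VENDOR_NS = "urn:example:hypothetical-erp:1.0"        # hypothetical body namespace (constructed)

# Constructed sample: SOAP + spml:addRequest as the envelope, plain vendor XML as the body.
SAMPLE_ADD = f"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="{SOAP_NS}">
  <soap:Body>
    <spml:addRequest xmlns:spml="{SPML_NS}" requestID="req-1001" executionMode="synchronous">
      <erp:person xmlns:erp="{VENDOR_NS}">
        <erp:id>s1234567</erp:id>
        <erp:affiliation>student</erp:affiliation>
        <erp:email>s1234567@example.edu</erp:email>
      </erp:person>
    </spml:addRequest>
  </soap:Body>
</soap:Envelope>"""

# Constructed sample: deactivation carried in an spml:deleteRequest envelope.
SAMPLE_DELETE = f"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="{SOAP_NS}">
  <soap:Body>
    <spml:deleteRequest xmlns:spml="{SPML_NS}" requestID="req-1002">
      <erp:person xmlns:erp="{VENDOR_NS}">
        <erp:id>s1234567</erp:id>
      </erp:person>
    </spml:deleteRequest>
  </soap:Body>
</soap:Envelope>"""

SUPPORTED_OPS = {"addRequest": "add", "deleteRequest": "delete"}


class MalformedMessage(ValueError):
    """Raised for anything that is not exactly the envelope/body shape we accept."""


@dataclass
class ProvisioningRequest:
    operation: str        # "add" or "delete"
    request_id: str
    attributes: dict[str, str]


def _local(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.split("}", 1)[1] if tag.startswith("{") else tag


def parse_request(xml_text: str) -> ProvisioningRequest:
    # Reject inline DTDs before parsing: entity expansion is the classic XML parser DoS.
    if "<!DOCTYPE" in xml_text:
        raise MalformedMessage("DTD declarations are not accepted")
    root = ET.fromstring(xml_text)
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) != 1:
        raise MalformedMessage("expected exactly one element in the SOAP body")
    envelope = body[0]
    if not envelope.tag.startswith("{" + SPML_NS + "}"):
        raise MalformedMessage("outer request element is not SPML: " + envelope.tag)
    op = SUPPORTED_OPS.get(_local(envelope.tag))
    if op is None:
        raise MalformedMessage("unsupported SPML operation: " + _local(envelope.tag))
    # Real SPML would carry <spml:psoID>/<spml:data> here; this vendor sends its own element,
    # so anything else (including genuine SPML data) is rejected rather than guessed at.
    children = list(envelope)
    if len(children) != 1 or not children[0].tag.startswith("{" + VENDOR_NS + "}"):
        raise MalformedMessage("body is not the expected vendor payload")
    attrs = {_local(c.tag): (c.text or "").strip() for c in children[0]}
    if "id" not in attrs:
        raise MalformedMessage("vendor payload lacks an id")
    return ProvisioningRequest(op, envelope.get("requestID", ""), attrs)


if __name__ == "__main__":
    for msg in (SAMPLE_ADD, SAMPLE_DELETE):
        print(parse_request(msg))
```

The strictness is deliberate: a provisioning endpoint is a write path into the identity system, so an unexpected operation, namespace or extra element should fail closed and be logged, not be coerced into an add or delete. In a real deployment the `ET` parser would also sit behind a size limit on the inbound message.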

This is the first time we’ve ever had an actual, honest-to-goodness use case for SPML at a living customer – not a demo for an analyst firm or trade show, so I thought we’d get to exercise more of the standard. I guessed wrong.

SPML *could* be used to manage security in an app, but I’ve yet to meet an app that supports inbound SPML instead of a proprietary API.

SPML *could* be used to notify a user provisioning system of events in a system of record (as happened in our deployment here), in real time, but I’ve yet to meet an application that does that using actual SPML message bodies.

I guess SPML is so ugly that a bunch of cloud vendors invented a simpler alternative – SCIM (simplecloud.info/). I don’t think there is anything particularly “cloud” about SCIM – it’s just that the people pushing it are SaaS vendors and the word “cloud” is sexy these days.

Hopefully SCIM succeeds where SPML failed – perhaps by having a clear schema and simple syntax that humans can read unaided.

Here’s to hoping.

– Idan

Last time: SocGen, this time: UBS

Thursday, September 15th, 2011

Lovely news today – a massive loss due to unauthorized trading at UBS:

http://www.reuters.com/article/2011/09/15/us-ubs-idUSTRE78E15I20110915

I find this one more distressing than the last time this happened, at Societe General, for a couple of reasons:

1) Didn’t anyone learn anything from the last incident?
2) UBS? Seriously? I bank with these guys!

The solutions to prevent this sort of thing are both technical and business ones.

The technical solutions are good controls over access to sensitive systems, including segregation of duties policy enforcement, to ensure that it takes at least two people to do something stupid.

Of course, I’m biased – we make software that can help with the technical part of the fix.
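The "two people to do something stupid" control, as an added example and not Hitachi ID's product code: a toxic-combination table drives a segregation-of-duties check on each access request, a two-person rule requires an approver who is neither the requester nor the subject, and a certification-style sweep reports who already holds a conflicting combination today. The entitlement names, toxic pairs and directory contents are constructed for illustration.

```python
"""Segregation-of-duties (SoD) policy check plus a two-person approval gate.

Added example, not Hitachi ID's product code: the entitlement names and toxic
combinations below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed toxic combinations: no one person may hold both halves of a pair.
TOXIC_PAIRS = {
    frozenset({"trade-entry", "trade-confirmation"}),
    frozenset({"trade-entry", "settlement"}),
    frozenset({"trade-entry", "limit-override"}),
}


def sod_violations(entitlements: set[str]) -> list[tuple[str, str]]:
    """Return every toxic pair fully contained in the given entitlement set."""
    return sorted(tuple(sorted(p)) for p in TOXIC_PAIRS if p <= entitlements)


def would_violate(current: set[str], requested: str) -> list[tuple[str, str]]:
    """Violations that granting `requested` on top of `current` would create."""
    return [v for v in sod_violations(current | {requested}) if requested in v]


@dataclass
class AccessRequest:
    requester: str                 # who submitted the request
    subject: str                   # who would receive the entitlement
    entitlement: str
    approvers: tuple[str, ...] = ()


def evaluate(req: AccessRequest, directory: dict[str, set[str]]) -> tuple[bool, str]:
    """Decide whether the request may be fulfilled. Returns (allowed, reason)."""
    held = directory.get(req.subject, set())
    if req.entitlement in held:
        return False, "already held"
    violations = would_violate(held, req.entitlement)
    if violations:
        return False, "SoD violation: " + "; ".join(" + ".join(v) for v in violations)
    # Two-person rule: at least one approver who is neither the requester nor the subject.
    independent = [a for a in req.approvers if a not in (req.requester, req.subject)]
    if not independent:
        return False, "needs an approver other than the requester and the subject"
    return True, "granted, approved by " + independent[0]


def audit(directory: dict[str, set[str]]) -> dict[str, list[tuple[str, str]]]:
    """Access-certification style sweep: who already holds a toxic combination today."""
    return {user: v for user, ents in directory.items() if (v := sod_violations(ents))}


if __name__ == "__main__":
    # Constructed directory of current entitlements.
    directory = {"alice": {"trade-entry"}, "bob": {"settlement"}, "carol": set()}
    print(evaluate(AccessRequest("alice", "alice", "trade-confirmation", ("bob",)), directory))
    print(evaluate(AccessRequest("carol", "carol", "trade-entry", ("carol", "bob")), directory))
    print(audit(directory))
```

The preventive check (`evaluate`) stops a new conflict from being created, and the detective sweep (`audit`) finds conflicts that accumulated through job changes or direct grants that bypassed the workflow; both are needed, because the second category is how long-tenured staff end up able to enter, confirm and settle their own trades.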

The business part is more contentious, but perhaps more important. I think part of the problem with controls is the ridiculous volume of transactions that investment banks make, hoping to turn a profit on super-fast trades and arbitrage. I don’t think that stuff actually does the economy at large any good — it’s just a part of the casino mentality in the financial industry. One rule I’d impose, if I magically got the power to do so tomorrow, would be to force entities who purchase any kind of financial instrument to hold it for a while. Say for an hour. Or a day.

That doesn’t sound like a big deal to anyone who is a retail investor, but I bet it sends cold shivers down the spine of big institutional investors. What? I can’t buy some stock and sell it again 20 milliseconds later? You’re kidding?

Oh well. I can’t fix the business problems, so I’ll stick to making technology that helps enforce some basic controls: privileged access management, session recording, segregation of duties enforcement, access certification, approvals workflows, etc. You know, the easy stuff.

– Idan
