I recently had to walk a client through installing Liferay integrated with SSO and LDAP. Here’s a simple summary of how I got it setup.

I set up the following components:

Application Server:  Liferay 5.2.5 EE / Tomcat 6.0.18 (www.pojoe.ca)

CAS Server:              JA-SIG CAS Server 3.3.3 Final (sso.pojoe.ca)

LDAP Server:          Apache Directory Server 1.5.5 (ldap.pojoe.ca)

Getting Liferay setup is a topic for an entirely different post so here I’m going to assume you have an out of the box Liferay running on your application server. Go over to http://www.liferay.com/web/guest/downloads/portal and get yourself a portal if you haven’t already.

The first thing we’re going to do is install JA-SIG CAS Server 3.3.3 Final.

I drop cas-server-3.3.3-release\cas-server-3.3.3\modules\cas-server-webapp-3.3.3.war into Tomcat rename the war to cas-web and let it deploy.

You’ll need to configure Tomcat to allow for HTTPS connections.

I’ve detailed this process here in another post.

That is pretty much all you have to do to get a basic SSO server up and running.

Next you’ll want to configure Liferay to use the SSO server. This is of course, like everything else in Liferay, simple. =)

The CAS client jar should already be bundled but you can grab it here as well.

Download the CAS client from here.

In portal-ext.properties add the following lines.

##
## Company
##

#
# The portal can authenticate users based on their email address, screen
# name, or user id.
#
#company.security.auth.type=emailAddress
company.security.auth.type=screenName
#company.security.auth.type=userId

##
## CAS
##

#
# Set this to true to enable CAS single sign on. NTLM will work only if
# LDAP authentication is also enabled and the authentication is made by
# screen name. If set to true, then the property “auto.login.hooks” must
# contain a reference to the class
# com.liferay.portal.security.auth.CASAutoLogin and the filter
# com.liferay.portal.servlet.filters.sso.cas.CASFilter must be referenced
# in web.xml.
#

cas.auth.enabled=true

#
# A user may be authenticated from CAS and not yet exist in the portal. Set
# this to true to automatically import users from LDAP if they do not exist
# in the portal.
#

cas.import.from.ldap=false

#
# Set the default values for the required CAS URLs. Set either
# “cas.server.name” or “cas.service.url”. Setting “cas.server.name” allows
# deep linking. See LEP-4423.
#

cas.login.url=https://sso.pojoe.ca:8443/cas-web/login
cas.logout.url=https://sso.pojoe.ca:8443/cas-web/logout
cas.server.name=www.pojoe.ca:8080
cas.service.url=
#cas.service.url=http://localhost:8080/c/portal/login
cas.validate.url=https://sso.pojoe.ca:8443/cas-web/proxyValidate

Startup Liferay and head for the homepage. Once you are there you should go to the “Sign In” and this should direct you to the CAS SSO login page.

Login with test/test and you should land on your Liferay homepage as the authenticated omni user. Create a new user with the screen name “admin” and with the password “secret”. We’ll be using this default user later to test the LDAP integration.

The next thing we’ll do now is setup an LDAP server. We’ll use ApacheDS 1.5.5. Downloaded from here.

After downloading simply run the installer with all default options.

ApacheDS should now be running and listening on port 10389.

Stop the tomcat server and add cas-server-support-ldap-3.3.3.jar to cas-web/WEB-INF/lib if it isn’t there already.

Edit cas-web\WEB-INF\deployerConfigContext.xml as follows:

1. Add the following bean LDAP authentication:

<bean id=”contextSource”>
<property value=”true”/>
<property>
<list>
<value>ldap://ldap.pojoe.ca:10389</value>
</list>
</property>
<property value=”uid=admin,ou=system”/>
<property value=”secret”/>
<property>
<map>
<entry key=”java.naming.security.authentication” value=”simple” />
</map>
</property>
</bean>

2. Remove the demo authentication handler, org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler, from the authenticationHandlers property of the org.jasig.cas.authentication.AuthenticationManagerImpl bean.

3. Add the LDAP fast bind authentication handler:

<bean >
<property value=”uid=%u,ou=system” />
<property ref=”contextSource” />
</bean>

Start tomcat

Open a browser to the URL http://www.pojoe.ca:8080 and authenticate with the following credentials, admin/secret.

The user has signed on over SSO and authenticated with your LDAP server.

My Liferay application was running on the domain www.pojoe.ca and resided on Tomcat 6 in its own VM while my SSO server was running on another Tomcat 6 instance on another VM under the domain sso.pojoe.ca. I wanted to establish an SSL connection between the two over a self-signed certificate.

I started by setting up HTTPS on my SSO server.

• Create the keystore and private key in some directory. I use /opt/tomcat/security

keytool -genkey -alias mykey -keypass changeit -keyalg RSA -keystore server.keystore

• Answer the prompts.  Use sso.pojoe.ca (your domain) when asked for first/last name.  This is critical.

NOTE: From http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html

I am using name-based virtual hosts on a secured connection which can be problematic. This is a design limitation of the SSL protocol itself. The SSL handshake, where the client browser accepts the server certificate, must occur before the HTTP request is accessed. As a result, the request information containing the virtual host name cannot be determined prior to authentication, and it is therefore not possible to assign multiple certificates to a single IP address. If all virtual hosts on a single IP address need to authenticate against the same certificate, the addition of multiple virtual hosts should not interfere with normal SSL operations on the server. Be aware, however, that most client browsers will compare the server’s domain name against the domain name listed in the certificate, if any (applicable primarily to official, CA-signed certificates). If the domain names do not match, these browsers will display a warning to the client user. In general, only address-based virtual hosts are commonly used with SSL in a production environment.

• server.keystore is generated.

• List the keys currently stored in your keystore.

keytool -list -keystore server.keystore

• You should see the PrivateKeyEntry named mykey in the listing.

• This should be sufficient to begin receiving connections using HTTPS.

• Generate the certificate.

keytool -export -alias mykey -keypass changeit -file mycert.crt -keystore server.keystore

• mycert.crt is generated.

• Import the certificate into the keystore.

keytool -import -alias mycert -keypass changeit -file mycert.crt -keystore server.keystore

• You receive a warning that it already exists in the keystore.  Ignore it.  It is because Java expects separate keystore and trust store files and we are using only one.

• List the keys currently stored in your keystore.

keytool -list -keystore server.keystore

• You should see a TrustedCertEntry named mycert in the listing as well as the PrivateKeyEntry named mykey.

Next I configured Tomcat to use the keystore I just setup. In server.xml uncomment the SSL connector port 8443. I’ve added the keystore file we created.

<Connector port=“8443″ protocol=“HTTP/1.1″ SSLEnabled=“true” maxThreads=“150″ scheme=“https” secure=“true” clientAuth=“false” sslProtocol=“TLS” keystoreFile=“/opt/tomcat/security/server.keystore” keystorePass=“changeit”/>

My SSO server is now ready to rock over HTTPS.

Next I’ll enable HTTPS on my Application server running Liferay.

Create the keystore and private key in some directory. I use /opt/tomcat/security

keytool -genkey -alias mykey -keypass changeit -keyalg RSA -keystore server.keystore

• Answer the prompts.  Use www.pojoe.ca (your domain) when asked for first/last name.  This is critical. See notes from above.

• Copy the mycert.crt certificate from the SSO server to /opt/servers/tomcat/security

keytool -import -alias mycert -keypass changeit -file mycert.crt -keystore server.keystore

• List the keys currently stored in your keystore.

keytool -list -keystore server.keystore

• You should see a TrustedCertEntry named mycert in the listing as well as the PrivateKeyEntry named mykey.

Next we’ll set the JVM parameters to tell the application to use the trust store.

-Djavax.net.ssl.trustStore=/opt/servers/tomcat6.0.18/server.keystore

-Djavax.net.ssl.trustStorePassword=changeit

My Liferay application server and my CAS SSO server can now talk over HTTPS.

Reference:

http://java.sun.com/javase/6/docs/technotes/tools/windows/keytool.html

Social media if you were honest is either loved or hated but with the sudden rise in necessary SEO directed from these sites it’s a necessary medium for anyone in a competitive Web environment no matter how small, here is an article which will help.

Combining SEO Article

Designvent.co.uk

2 days, 2 meetings and 4 micro sites or are they?

The idea that buying multiple domain names us not a new one, placing optimised sites behind those domain names to help business is not a new one but what is the best method?

I was asked yesterday to go ahead and start work on a large site for an existing client, there current site us doing fine but larger businesses are dominating the search engines with multiple landing pages from multiple sites under not only different domain names but different brands but all feeding a sole business. A duplication of the existing site is now afoot, different images, rewritten text and a cms system, the other is a 4 page site just picking at s niche Market but for the same result.

The 2 today are to be created under different domains and new brands but feeding a sole provider although both will be small 4 page sites.

I would argue that the creation of this style of site could harm the Internet long term but I would also argue that if i am not searching for them then will never find them therefore not a worry and as long as my concious is clear that the quality and standard of the final business offering in the chain is up to standard then surely there is no issue?

Designvent.co.uk

vent-SEO.co.uk

We’re excited to announce that on December 2nd  at 10:00am PST / 1:00pm EST we’ll be holding the second meeting of the Enterprise SaaS Working Group on the topic of Access and Identity Management for the Cloud.

One of the recognized challenges with SaaS in the enterprise is the silos of identity that are created by cloud applications. Each service contains its own ‘version of the truth’ around users, permissions and credentials, disconnected from legacy directory services and identity management systems. Based on feedback from our first event, this meeting will focus on the identity management and access control issues that need to be addressed for SaaS to become truly mainstream in the enterprise. Discussion will focus on several questions including:

Participants in the session will include:

• Michael Amend – Director of Enterprise Architecture at Dell, Inc.
• Chris Bedi – CIO at VeriSign, Inc.
• Scott Carruth – VP, Information Systems at Initiate Systems
• Peter Dapkus – Director of Product Management at Salesforce.com
• Steve Coplan – Senior Analyst, Enterprise Security Practice at The 451 Group
• Doug Harr – CIO at Ingres Corporation
• Ryan Nichols – VP Cloudsourcing & Cloud Strategies at Appirio

The discussion will focus on critical issues and corresponding best practices in the areas of access management, authentication, identity synchronization and identity policy enforcement and will include a Q&A session open to all attendees. Click here for more information and to register for this exciting event!

Register now >>

Though cloud and SaaS solutions are seeing rapid adoption in the enterprise, management of these applications is not aligned with traditional IT controls and policies.  SaaS has been deployed and managed largely by business users, with limited input from CIOs and IT organizations.  As these cloud-based technologies replace mission-critical on-premise applications and host sensitive organizational data, enterprise IT is now regaining their ‘seat at the table’.   When seeking to extend policies and controls to SaaS, these IT organizations are disappointed to learn that existing directories and  IT management technologies don’t easily extend to the cloud.  These organizations struggle to achieve alignment of SaaS and cloud solutions with established enterprise identity sources including Human Resources Information Systems (HRIS), directory services, and Identity Management (IdM) solutions.  This alignment and resulting visibility and control is critical for IT and Finance departments concerned with regulatory compliance, governance, and identity and access management.

Given the role that Microsoft Active Directory and associated proxy services play in  providing centralized authentication, access control, and identity synchronization for on-premise applications  it would seem to be a logical integration point to also harness SaaS and cloud solutions.  Unfortunately IT organizations are finding that AD itself does not easily extend into leading SaaS applications, with direct integration difficult if not impossible.

Despite this inability to directly integrate AD with major cloud applications, forward-thinking enterprises are focusing on a “loose coupling” of on-premise Microsoft Active Directory and SaaS solutions through new third party management solutions.  This approach allows an integration path with the existing, deployed directory technologies and does not require major adjustments in the SaaS vendor technology roadmaps.  By integrating the current SaaS and directory solutions, the enterprise can align critical services including user identity and attributes, login services (Single Sign-On), and IT policies.  This alignment can lead to immediate benefits in security, IT efficiency, and governance and regulatory compliance.  In our new white paper, Extending Microsoft Active Directory to the Cloud, we explore the approaches and solutions organizations are leveraging to identity synchronization, policy enforcement and single sign-on (SSO).

Click here to request a free copy >>

As I mentioned in previous posts, anytime we are invested in the market we always want to be cautious.   Although I am not sounding the alarm bell and calling everyone to evacuate, we need to be aware of the potential dangers that lurk ahead.

The bottom chart shows the S&P 500 over the last six months and we see clearly how we have moved up nicely since the dip in early July.  We also notice that the 20 day moving average (red line) is well above the 200 day moving average (blue line).  So far everything looks rosy.

However, if we look at the top two charts, then we begin to see a different picture emerging.  We see that the market internals, measured by the Advance/Decline lines are not moving in tandem with the market, but are in fact diverging from it.

We see that although the market made a new high on November 11, there were no new highs made in the Advance/Decline lines.

Different scenarios could occur from this point:

• We may dip down modestly and essentially create a nice place to add more to our current position and the market continues in its’ upward climb.

• We may begin a phase where the market is stuck in a “trading range” where it moves up and down in a narrow range, essentially going nowhere.

• We may continue in a downtrend that is more prolonged than the previous dips we have seen and has the potential to take us lower than the lows we experienced back in March 2009.

If that last scenario comes to pass we would have already sounded the alarm and be in SDS.

In the meantime we keep a long term outlook in a rising market while being aware of the pitfalls along the way.

Microsoft Geneva:

“provides companies with simplified user access and single sign-on, for on-premises and cloud-based applications in the enterprise, across organizations, and on the Web to facilitate collaboration, increase security and reduce cost.”

There are 3 components to Geneva which now have more official names:

Geneva Framework = Windows Identity Foundation: provides developers pre-built .NET security logic for building claims-aware applications

Geneva Server = Active Directory Federation Services (ADFS) 2.0: a security token service (STS) for issuing and transforming claims, enabling federations, and managing user access

Geneva Cardspace = Windows Cardspace: helps users navigate access decisions

The aim of Geneva is to provide a true “Single Sign On” (SSO) experience to users across the various platforms that they come across, be they corporate and/or personal.

For example, once a user is logged in with their corporate domain credentials they could then access Microsoft Online Services such as Hotmail, MSDN, LiveSpaces etc; without being prompted to enter their @hotmail/@live credentials. All this requires is 1 Geneva Server and a Windows Live Tool currently called “Microsoft Online Services Federation Utility”.

Federation Gateway

The Microsoft Federation Gateway is a cloud based identity service, that extends beyond your corporate domain out into the internet. This is the hub for all the connections users want to make to external MS technologies, be it Azure, Live or BPOS (MS use CRM Online as an example on the MSDN site).

The above shows the federation of identities between partners. An example of how the data flows between the different points of the SSO setup can be seen below:

You can find more information about the Microsoft Federation Gateway on MSDN here.

A slide from PDC 2008 showed an example of Geneva working with a BPOS component for the US:

The full 1hour+ video of the “Identity Roadmap for Software + Services” presentation video from PDC 2008 can be viewed here on Channel 9.

I know that BPOS, Microsoft’s hosted offerings of Exchange & Sharepoint (among others) will start using ADFS 2.0 at some stage next year. Most likely when the 2010 versions are deployed to the cloud, which I expect to be around late calendar Q3 so August/September. This is where I’m particularly keen to see what Geneva can do for SSO…it should make it pretty much seamless for corporate users whether they’re accessing on-site applications such as Exchange, their Online brethren, custom developed applications, hotmail, MSDN and more…and that will be excellent!

I use a variety of different MS Online Services and have at least 3 different logins for them…I’ll be interested to see if Geneva can look after that for me BPOS currently comes with a separate SSO client which needs to be installed for each user and comes with it’s own unique set of issues, so having a corporate wide SSO would definitely be better. Also, you currently need to re-enter your details for OWA with BPOS as it’s on an HTTPS connection…I assume Geneva would remove that need?

Some great technical documents, step-by-step guides and Virtual Machine demos of Geneva can be found on the Technet site here.

Apropos my Fave Photographer’s Website ( PhotoShelter Users, here on FB and if you know her, Rachel Reiss who is a GREAT trainer and support stakeholder!)

“The business implication became clear to me last year when I posted an album of portraits, and then a “friend” hired me to photograph him. **** Posting images on Facebook is a way to passively market yourself to a qualified audience for free.**** [YUP! TELL MY ALTER EGO THAT!][PAPPARAZZO STARTS BABBLING INCOHERENTLY... AND IN ITALIAN!]

So I’m pleased to announce our new “Post to Facebook” feature that we released today. You might say to yourself, “well, duh!” And I would nod my head in agreement. It’s an obvious piece of functionality. But we’ve done it slightly differently than other implementations that I’ve seen…” (Murabayashi, 2009)

Here is the entire post, with VERY detailed instructions (which is why I’ve stayed with them, their obvious proclivity towards mentoring us into the realms of SEO and other Web-driven aspects of the imaging business…)

http://bit.ly/4sqONT

Past : How did it started

NSM expands to NordSecMob, which is an Erasmus Mundus masters course coordinated by TKK. NSM programme is one of high quality masters course which attracts quite many international students every year. I also happen to be a recent graduate of NSM.

The idea to make this service germinated probably in heads of NSM planning officer/ NSM coordinating professor. The vision was to make a service, which acts as a knowledge sharing platform for incoming international students in NSM program. Also, OtaSizzle platform presented an amazing opportunity.

Three students from the current NSM final year took this challenge as their summer job. They were guided by Jani Heikkinen, Olli Mäkinen and myself. Our focus with the developers was to  come up with a service, which serves a need and can be finished within the set time constraints.

We spent quite a bit of time focusing on listing the problems faced by the NSM students. One of the commonly identified problem was lack of information for new moving students to a foreign country(Scandinavia: NSM runs in Finland, Sweden, Norway, Denmark and Estonia) . No doubt about the scandinavian hospitality but still students have challenges with information about everyday things like : shopping stores, course information etc.

Once we were able to identify the problem we want to address, we started to see the solution in form of a service, which acts as one stop shop for information needed by an international student coming to study in NSM program. We had a consensus to build a framework to categorize the information and tap into collective intelligence of NSM students. The developers did a great job in making service which is not only working but also has good amount of seed content.

Also, I would like to mention here some of the lessons we learnt from the development process.

1. OtaSizzle platform works : (Kassi as an example service, which rocks!)

I have no doubt in saying this that with strict limits of time constraints and learning curve for developers (to learn ruby on rails), it would have been nearly impossible to develop such a feature rich service without a reference service like Kassi (and OtaSizzle platform). So, credit not only goes to developers and initiators but to Kassi and OtaSizzle platform.

2. Sharing to the outer world/lowering barriers for using the service

When we have to compete for attention from existing service platforms like Facebook etc, which is not that easy. We realized that using small javascript snippets from existing platforms makes life easy, like Facebook Share. We hope that this approach will be copied in future OtaSizzle services too.

Also, at the same time how a user can start using the service with least effort is critical. The first step towards that is using Single Sign On or similar authentication technologies.

However, all this is just a beginning, we still have lot to learn (how to bring the content in from other platforms and how to take it out) for making our service co-exist (not compete) in this fight where everybody is seeking attention of users.

Present: a continous struggle

One of the main challenge with NSM service is low user base which is due to the handful number of students we have in the NSM program. There are 10-20 students at any time in TKK studying in NSM masters(first and second year students combined). This challenge can be also seen as an opportunity that we can have a really cohesive group because the number is small.

I see two main challenges in making such a service successful.

1. We solved the technology problem but not the culture problem!

To have a vibrant community ( any posting forum) to have sufficient online activity, we must have offline activity as well. The NSM course staff is quite generous and provides opportunity for students to have some offline activity. But, still most of us who come from different cultures to a foreign country and to make a cohesive group we need to have more of offline activities together to help each other with collective intelligence of the group.

2. What is user’s incentive to post (everyone might want to read)?

Majority of the collective intelligence have to come from people who have passed out of NSM program. The current students are seekers of information. We are still in process of figuring out the incentives.

Future: Where do we go from here….

It all started to address the small group of NSM students but it was very soon clear to us that TKK runs many international masters and others might find similar problems. ( there are infact few hundred students coming to TKK every year)

So, in the true Aalto spirit , the NSM service can mature and grow as something which can be used by a wider group of international students and help them bring closer. However, in the process we might have to change quite a few features in the service.

Last, but not least, I request the readers of this post to share to us if they have any ideas to make the community active . Also, thanks a lot for reading the post

please check out the service if you have not yet and let us know your valuable feedback.

It’s been a while since my last post, mainly because we are still in a bull market as we have defined it (20 day moving average above 200 day moving average) and there isn’t anything new of a significant nature.  The market internals appear overbought, but that is to be expected in a new bull market.  So we continue being in SSO and maintain our long-term outlook.

Having said that, we are always aware that the market can turn swiftly against us so we are vigilant and can never be sleeping at the wheel.  A word of caution: the S&P 500 is currently at 1045 and there is a point of resistance at 1121 which we will need to break through in order to continue advancing.  We may see the market stall at that point or near it (we got as high as 1101 on October 21st).  There is also a trendline in the same area which is an additional point of resistance.

Let’s take what the market gives us, while maintaining a cautious stance.

While billions of dollars will be spent on SaaS and cloud applications by the end of 2009, executives continue to question data security inside the cloud.  A recent article in CIO Magazine notes a growing majority of execs are worried about cloud security.  These executives recognize that each SaaS application, like Salesforce.com, represents a potential highway of highly sensitive corporate data outside the firewall and outside IT’s security protocol.  While no means exhaustive, here is a list of mistakes we’re seeing companies make when deploying SaaS applications, creating unnecessary risk and cost for their organizations:

1. Creating the ‘three-headed admin’ – granting multiple people administrator-level roles inside a single SaaS application, or having multiple admins share the same credentials.  Aside from the obvious security issues, resulting SaaS app management data typically ends up reflecting multiple perspectives of users and permissions.
2. Hoping that everyone ‘locks the door’ – relying on manual workflows, phone calls and emails to de-provision SaaS users’ access in an accurate and timely fashion across SaaS apps.   If there’s not an automated way to guarantee deprovisioning across all apps, then it’s unlikely that it’s happening.
3. Applying a short term ‘band-aid’ for management – using trouble ticketing and help desk systems to coordinate administration between central IT and departmental SaaS admins.  This is typically a short term fix that just kicks critical provisioning and identity management issues down the road, and does it in a way that creates more pain later.
4. Attempting the IT ‘end-run’ – not engaging IT on management and support until SaaS app(s) become “mission critical” within the organization.  As SaaS and cloud are now becoming more mainstream technologies, IT is regaining their seat at the table to help extend existing policies and controls – ignore this dynamic at your own peril.
5. Delegating policy enforcement – relying on individual SaaS administrators to enforce corporate policies for roles and permissions.  Most organizations have access control policies and controls exist for on-premise apps and data, but few think about how to extend them to SaaS and cloud applications prior to deployment, particularly in environments with distributed administration.
6. Believing in a management ‘silver bullet’ – assuming that existing on-premise directories (such as Microsoft Active Directory) or identity management tools (including SSO) extend to support all SaaS-related identity challenges.  They don’t.
7. Creating ‘two sets of rules’ – treating SaaS governance differently than on-premise applications with regard to user identity and compliance.  Governance frameworks and best practices should consistently apply to applications no matter how they’re delivered.
8. Failing to create a ‘rearview mirror’ for audit and compliance – failure to identify and approach for capturing an audit trail of access, usage, user change and permissions history.  Though delivered by a 3^rd party, companies are still responsible for implementing and enforcing access control policies, and for demonstrating it at audit time.
9. Forgetting about compliance reporting – wasting 20-30 executive hours each quarter to manually compile reports for internal or external compliance audits.  Forgetting to consider compliance reporting needs up front when evaluating SaaS vendors and overall SaaS/cloud strategy can be painful.
10. When in doubt, spending more – buying unnecessary subscription seats because of a lack of visibility to actual subscriptions and current usage.

We’d be interested in hearing what others are seeing and hearing in these areas as well…

Sorry about the lack of recent posts, I’ve been pretty focused on the markets lately.

Last week the bears broke some technical setups where the bulls had a big upper hand. I started to sell positions at that point and increased my selling this week as the charts got uglier. Thursday was absolutely short covering. Looking at the up/down volume and advance/decline ratio’s from Wednesday to Friday, you can see an almost symmetrical reversal that means the market was overwhelmingly short, covered and put the shorts back on. This current short setup has a target of $1023.90 on the /ES (E-Mini S&P500 Futures). Let’s take a look at some charts:

You can see here that we bounced off of our long term downtrend line and today we closed below our nearer term support uptrend. I’d like to hope that if we close above it things will be fine but I think that is unrealistic. It’s hard to imagine why the market should be much higher than 1200 considering the long term structural issues that the U.S. is still facing. Even if the dollar continues to fall, we are net importers; so while international corporations may get revenues in stronger currencies, they still have to pay to much for input costs. a weaker dollar would be nice if we were still a manufacturing based economy but we aren’t. Next Chart.

You can see on this chart that the most recent surge took place on higher volume. However, the volume faded on the way up and picked up steam on the way down which is not a good sign if you’re a fan of Dow Theory. The good news is we have a long term inverted head and shoulder pattern (I admit I have seen better ones) which could give us support around $970.

I normally wouldn’t have given much weight to the H&S pattern (green line of support) but it also coincides with what should be a strong 50% fib retracement at 985. It is also an area where the shorts will be taking profits at their targets.

I will be in a conservative bear mode (and short through SH or SDS if the market somehow manages to rally back above 1065) until we get down below 990 where I will begin going long again. I will also consider a small long position through SSO around 1018-1020 where there is another decent long set-up.

Get your shopping lists ready everyone!

-MJB

Looking for a retracement day.  We’ll try and catch the south end of the morning’s volatility and look for a 50% retracement.

Place a limit order for 220 shares of SSO at $33.11, with a stop of 1% and a target price of $33.97.  We may have to adjust our target at noon, so be sure to check on direction if it is needed.

She’s finally TWENTY ONE!! yay~~~~ >_<

(Guess where we were taking this picture at! haha)
To celebrate Diana’s birthday, we went to a french restaurant, Floataway Cafe

The entrées were so so good and large!
French restaurant.. we were expecting small little portions,
but we were dead full when we were done lol

I will post some pictures from after dinner party at our place soon!
Oh, I also have a picture of Diana when she officially turned 21 at 12:00am on Oct. 25th.. although I don’t know if you would like for me to post it on here Diana lol

HAPPY BIRTHDAY DIANA

In this blog post we will be enabling Oracle Single Sign On for OBIEE. We have already set our authorisation to align with Oracle Internet Directory (OID), meaning that we can create users within OID that can access OBIEE. We can also assign users to groups through OID as well as set row level security in OID. We will no focus on Authentication using Oracle Single Sign On.

To help us carry out this task, we will be reading chapter 11 of the Oracle Business Intelligence Enterprise Edition Deployment Guide. Chapter 11 is titled “Enabling Oracle Single Sign On for Oracle Business Intelligence”. The deployment guide outlines the following steps which are required to enable Oracle Single Sign On with OBIEE.

• Register Oracle BI as a partner application to the Oracle Single Sign On Server
• Configure Oracle BI for SSO
• Configure BI Presentation Services to Use the Impersonate User
• Configure BI Presentation Services to Operate in the SSO Environment

Register Oracle BI as a partner application to Oracle Single Sign On Server

Registering Oracle BI with OSSO is carried out via a command line entry. Before carrying out the command line, we need to set the ORACLE_HOME as follows:

export ORACLE_HOME=/app/oracle/oas

Following the Deployment Guide, the entry I carried out for my environment is as follows:

./ssoreg.sh -oracle_home_path /app/oracle/oas -config_mod_osso TRUE -site_name gelliohost.gelliodomain.com:7777 -remote_midtier -config_file /app/oracle/oas/Apache/Apache/conf/osso/biosso.conf -mod_osso_url http://gelliohost.gelliodomain.com:7777

After running the above entry, you should receive a successful return message as illustrated in Figure 1 below.

Figure 1

Configure Oracle BI for SSO

The deployment guide first asks us to copy the biosso.conf file to the directory Oracle_HOME/Apache/Apache/conf/osso. In our case this file already exists.

Our next step is to edit the file ‘mod_osso.conf’ in Oracle_HOME/Apache/Apache/conf. We added the following line to this file:

OssoConfigFile /app/oracle/oas/Apache/Apache/conf/osso/biosso.conf

This can be seen in Figure 2 below:

Figure 2

The next step is to add the the following lines into the file:

<Location /analytics>

Header unset Pragma

OssoSendCacheHeaders off

AuthType Basic

require valid-user

<Location>

This is illustrated in Figure 3 below.

Figure 3

The deployment guide then asks us to uncomment the line:

#include “Oracle_Home/Apache/Apache/conf/mod_osso.conf”

in the file httpd.conf. Upon inspection of this file it was found that the line was already commented out.

We then restarted the Application Server.

Configuring BI Presentation Services to Use the Impersonator User

The first step is to create a new user in the RPD to be used as the Impersonator User. Go into the administration tool and then go into Security Manger. Create a new user and call the user ‘Impersonator’. Provide a password for the new user, in my case P4ssw0rd, and ensure that the new user is assigned to the Administrator group. See Figure 4 below.

Figure 4

We now need to make some changes using cryptotools. Before running cryptotools, there are a couple of things that we first need to carry out to avoid cryptotools returning an error. The first is to update the LD_LIBRARY_PATH to include the web/bin directory in OracleBI. To do this I used the following command:

export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/app/oracle/obi/OracleBI/web/bin

The next step is to provide security permissions to a file that is required by cryptotools. Without running the following command, you will receive a security error if running Oracle Enterprise Linux 5.

chcon -t textrel_shlib_t ‘/app/oracle/obi/OracleBI/web/bin/libsamemoryallocator8.so’

To run cryptotools, we run the command below from the /app/oracle/obi/OracleBI/web/bin

./crpytotools credstore -add -infile /app/oracle/obi/OracleBIData/web/config/credentialstore.xml

The following attributes were provided to this program:

Credential Alias: impersonation

Username: Impersonator

Password: P4ssw0rd

Do you want to encrpyt the password: y

Passphrase for encryption: P4ssw0rd

Do you want to write the passphrase to the xml: n

Figure 5

Configuring Oracle BI Presentation Services to Identify the Credential Store and Decryption Passphrase

Our next step is to modify the instanceconfig.xml file located in /app/oracle/obi/OracleBIData/web/config

Following the Deployment Guide, we made 2 new entries in the instanceconfig.xml. The first entry relates to the credential store:

<CredentialStore>

<CredentialStorage type=”file” path=”/app/oracle/obi/OracleBIData/web/config/credentialstore.xml” passphrase=”P4ssw0rd”/>

</CredentialStore>

The second entry relates to the Authorisation tag for Single Sign On. The entry for us was:

<Auth>

<SSO enabled=”true”>

<ParamList>

<Param name=”IMPERSONATE” source=”serverVariable” nameInSource=”REMOTE_USER”/>

</ParamList>

<LogoffUrl>

http://gelliohost.gelliodomain.com:7777/pls/orasso/orasso.wwsso_app_admin.ls_logout?p_done_url=http%3A%2F%2Fgelliohost.gelliodomain.com:7777%2Fanalytics%2F

</LogoffUrl>

<LogonUrl>

http://gelliohost.gelliodomain.com:7777/pls/orasso/orasso.wwsso_app_admin.ls_login

</LogonUrl>

</SSO>

</Auth>

Figure 6

Now if we we go to our OBIEE url, in my case http://gelliohost.gelliodomain.com:7777/analytics, we should be redirected to the single-sign on login screen as illustrated in Figure 7 below.

Figure 7

We should still be able to log in using our OID users, for example, user_1 in our case.

Figure 8

We can see in Figure 8 that we are now logged in as user_1. When we click on Log Out, we should see the single-sign on logout page as illustrated in Figure 9.

Once last note: as we now have our authentication and authorisation for security handled by both Oracle Internet Directory and Oracle Single Sign On, we will no longer be able to log into OBIEE with an existing user in the Repository. ie, We can not log into the Dashboards with the Administrator user through the Single Sign On login page. In order to maintain the Dashboards, there is a method of logging into the Dashboards using URL parameters. The following URL allows me to still log into the dashboards using the Administrator user.

http://gelliohost.gelliodomain.com:7777/analytics/saw.dll?Dashboard&NQuser=Administrator&NQPassword=P4ssw0rd

We find very few people today that would dispute the notion that SaaS and cloud applications have become mainstream technologies in SMB and the midmarket.  The challenges for the SaaS industry are also changing as a result.   With the battle over the viability of the on-demand model largely won,  the questions are now turning to the operational and IT management  implications of a SaaS-centric environment.

Our customers and prospects here at Conformity are forward-thinking organizations that are aggressively leveraging the cloud delivery model for multiple, if not a majority of their business applications.  Given our strong  belief in the SaaS and cloud model, we believe that they are a good indicator of trends we’ll shortly be seeing more broadly in the market.    All of these organizations are struggling with what their management processes and approaches look like in a purely ‘on-demand’ model.   Among these multi-SaaS organizations we’re consistently seeing three general problem domains:

1. User provisioning and administration – as they’re optimized for different problem sets, all major SaaS applications have fundamentally different ways of thinking about users, roles, profiles and permissions.  Organizations have tended to have separate business administrators for say Salesforce.com, NetSuite and SuccessFactors.  Each of these admins as a result has had to develop a separate model of their organization, deparments and role structures, with the result being that various siloed identity stores have been created across the organization.  These stores are are all independent from each other and from on-premise directory services (Microsoft AD) and identity management solutions.  Normalizing these identity stores in support of centralized, streamlined administration and reporting is a common theme we’re hearing, and what what our solution here at Conformity is addressing.
2. Single sign-on (SSO) / authentication – another common challenge we’re hearing is the desire to provide end-users the ability to access multiple SaaS applications (and often on-prem apps as well) using a single set of credentials, both for end-user convenience and security purposes.  This is the problem set being  addressed by vendors such as Ping Identity, Tricipher and Symplified.
3. Data integration – the final theme we’re hearing is around cross-application data integration, and the desire to integrate multiple ‘best of breed’ applications across a common business processes or workflow.  This issue set consists of integration of cloud apps to both cloud and on-premise applications.   This is the domain being addressed by vendors such as Cast Iron Systems, Pervasive and Boomi.

While the data integation challenge is fairly distinct from the first two challenges, significant market confusion exists around provisioning and SSO, and whether a solution in one addresses both areas.  The short answer is no – the very simple analogy we use is that SSO tells you if you should let the visitor knocking on the front door into the house – provisioning and permissions management provides guardrails around what they can and cannot do once they’re in the front door.  Both are needed, but complementary capabilities – more to come on this….

Volatility in the ebb and flow of the S&P 500’s valuations declined for the third straight quarter in 3Q09. The average daily change in the value of the S&P 500 index for 3Q09 was ±0.8%, down sequentially from ±1.3% in 2Q09, from ±2.0% in 1Q09, and a nightmarish ±3.3%—the highest level of volatility in a quarter since the inception of the S&P 500 index—in 4Q08 (as discussed in the previous articles, This Volatility is Off the Charts! in April 2009 and Not Your Father’s Market Volatility in July 2009).

Wenn man abends unterwegs ist, frägt man sich: Schläft die Stadt eigentlich mal? Aber bei Heimfahren stellt man dann so 20 vor Zwölf fest, daß man die letzte Bahn grad‘ noch erreicht (in Bärlieen würden die länger fahren .. aber da ist’s auch nicht so warm ..! (-;)

Im Bus hat man gleich nach dem Einsteigen den Eindruck, daß die Gefrierfleisch aus einem machen wollen. Wenn‘s dann an’s Aussteigen geht, freut man sich eigentlich wieder auf die Wärme! .. hmm; .. Ying & Yang .. bei all den Chinesen hier?

Die ‚Völkervielfalt‘ hier ist irre:

.. Inder (einige Frauen tragen Sari .. das hat was ..; die jungen Frauen sind teilweise unglaublich hübsch, die älteren .. teilweise richtige ‚Mamas‘ (.. ich hätte da nix zu lachen .. !(-;)

.. Chinesen (tendenziell die Mehrheit); sie sind halt wie sie sind .. man guckt ned wirklich rein!

.. Malayen, Phillipinen, Indonesier, Engländer (ziemlich viel!), Aussies und n’Haufen Expats aus .. einfach von überall her (auch Uli und Jutta aus Malsch hen se nei‘glasse!)!

.. (Achtung: Jetzt auf wird’s .. bla, blubb .. halbakademisch) Wenn man an die ‚Deutsch- Identitätsdiskussion‘ zuhause denkt, .. ich glaube, daß Singapur-Staatsbürger wohl nur drüber lächeln würden .. Vielfalt ist hier vielleicht (vielleicht?!) Programm? .. auf jeden Fall ist Singapur eine ‚Integrationsmaschine‘ (Nationalitäten, Religionen (ohne ‚Krach‘!), Kulturen, ..)[1] . Auch hier ist man wohl auf Zuwanderung angewiesen; auch Singapur wird immer älter.

Die Stadt hier ist ‚phänomenal‘ organisiert: Die MRT (Mass Rapid Transportation .. = S-Bahn) ist gut ausgebaut, schnell, nicht ganz so kalt, .. man kauft sich eine Chipkarte mit Guthaben, hält die Chipkarte (die im Geldbeutel steckenbleibt .. das fasziniert mich Landei besonders!) im Einsteige- und Ausstiegsbahnhof an ein Lesegerät und (abrakadabra!) der Betrag wird eingezogen .. und teuer ist’s auch nicht (.. die Stuttgarter S-Bahn kostet etwa 3-5 Mal soviel! .. und so hübsche Inderinnen gibt’s dort auch nur wenige .. (-:)

Was ist ist bei uns gelaufen? Am Donnerstag sind wir gegen 18h von Bintan zurückgekommen und gingen abends in ein traumhaftes Restaurant ‚Indochine‘ mit Terasse am Boat Quay zum Geburtstagsessen aus. .. traumhaft! Warmer Abend, sehr gutes Essen, guter Wein .. wirklich wunderschön! Uli hat’s gefallen – und das ist wichtig!

Am Freitag ging ich mit Uli ins MANN+HUMMEL Büro (.. mal gucken, ob der da auch was Ordentliches schafft .. er tut’s!). Ich hatte ‚Bürotag‘, .. ja, (Kommentare sind nun nicht erforderlich .. (-:)!!) ich habe wirklich was g’schafft.

Am Abend (.. man gönnt sich ja sonst nichts!) waren wir in ‚Esplanande Concert Hall‘ (die Leute nennen diesen (Nobel)komplex ‚Durian‘ (Stinkfrucht .. damit wird auf die Architektur hingewiesen, sieht nämlich aus wie eben diese Frucht!) bei Singapore Symphony Orchestra. .. sehr schön: Mozart Klavierkonzert – die Pianistin war eine typische (ausgehungerte!) Ostküstenamerikanerin. (.. abber g’schbielt hat se guud!) und Bruckner (.. sehr schön, .. n’Mordskrach!).

Die Konzerthalle ist (.. es ist ja nicht, wie bei armen Leuten hier!) vom Feinsten, mit Orgel, .. Man geht hier auch wohl nicht ganz so schick ins Konzert (.. alle Kleidungsstile ..von Chucks bis zum Abendkleid) .. hat auch was!

Heute Vormittag haben sich dann Lisa und Julia für eine Woche nach Tioman/ Malaysia verabschiedet (mit Bus und Fähre). Ihr Zwei, danke für Eure Gesellschaft es war sehr nett und angenehm (bei Ebay sagt man dann: Jederzeit wieder! (:-) .. und jetzt hängen wir so rum .. Wochenende und Urlaub!

Ach so .., laufen war ich heute auch noch. Das gibt aber noch was Separates über Laufen in Südostasien (.. bei derre Hitz‘ und schwere Beine nach spätestens 20 Minuten ..!).

[Thomas]

“Your pay will be low; the conditions of your labor often will be difficult.  But you will have the satisfaction of leading a great national effort and you will have the ultimate reward which comes to those who serve their fellow citizens.”

- President Johnson, addressing the first 20 VISTA members who began their service in January, 1965.

Hawaii Habitat for Humanity would like to extend a warm welcome to our two new AmeriCorps VISTAs, Amanda Johnson and Liz Bowen.

Volunteers in Service to America, (VISTA) members build capacity in nonprofit organizations and communities to help bring individuals and communities out of poverty.  VISTA members dedicate at least one year of service to non-profit work while completely immersing themselves in their communities.

Amanda Johnson will be carrying out her one year commitment as the Research and Training Associate for the State Support Organization.  Amanda’s background in advocacy for non-profit organizations includes serving as the Action Coordinator for the Student Global AIDS Campaign at her alma mater, interning at Project 40/40, a branch organization of Clinton’s HIV/AIDS Initiative (CHAI), and volunteering her time with several other campus organizations.   Her plans for Hawaii Habitat for Humanity include setting up affiliate, volunteer, and staff learning opportunities based on assessments of the affiliates’ interests and  transforming the State Support Office into an information hub that can keep the public up-to-date on Hawaii’s seven home-building affiliates.

Liz Bowen, LEED-AP, will be carrying out her AmeriCorps year as the Green Building Associate for the State Support Organization.  Liz’s background in sustainability consulting includes working with developers, engineers, architects, business owners, and governments in achieving realistic and accountable sustainability targets.  Her plans for Hawaii Habitat include developing affordable green housing workshops and training programs for the affiliates, energy modeling to determine possible modifications for highest comfort and efficiency, securing cost-effective green materials, and researching funding and partnerships.

When we first invited people to become Solvers on hypios, we were essentially asking them to create new online identities.  We asked them to fill in personal details like their name, occupation, location, and interests.  We gave them the option of adding a picture or avatar, and finally (politely) requested that they share their newly-created profiles with other Solvers by tweaking their privacy settings.  Now, we’ve simplified things by adding a Facebook Connect button.  You can join hypios using the Facebook profile you already have.

Having trouble keeping track of all your usernames and passwords?

It quickly gets annoying to have to fill out a new form with your name and hometown each time you want to join a site. Once you’re signed up, you have to remember which username and password combination you’ve used for each network.  In theory, this protects your privacy.  Social networking sites keep your data to themselves, in their own walled gardens, safeguarding your personal details.  In practice, this can be frustrating.  You may have befriended your colleagues on Facebook, but if you decide you want to contact them through Linked In instead, you all have to create separate Linked In profiles and reconnect through those pages.  You also have to deal with the etiquette of different networks.  As Patty Seybold notes in an Outside Innovation post, an executive who never checks his company email may reply instantly to casual messages sent via Facebook, moving business onto supposedly social platforms.

This poses an obvious problem for companies like hypios, whose platform is based on a social network of Solvers.  According to a recent ReadWriteWeb post by Alex Korth, users’ most significant issues lay in having to sign up for multiple profiles, re-enter and synchronize personal data, and their inability to export this data (even though it was personal information).  hypios’ success as a marketplace for solutions depends on our ability to broadcast problems to a wide network of Solvers.  The more Solvers we can recruit, the better the chances that we can help Seekers find the solutions they need.  If Solvers can join using existing profiles, they can also import the social networks they’ve built with these profiles.

How openID standards can make your identity portable

Fortunately, online identities are becoming more and more portable, thanks to open ID initiatives.  OpenID standards allow you to create one account for several sites. The ID can come from an email account (on Google or AOL, for example), a social network profile (your Facebook or myspace account), or another single sign-on (SSO) provider.  You sign in by giving your password to the ID provider, who then confirms your identity to a website or application.  For example, if you want to use your Facebook account to log in to the hypios network, hypios will never see your password. Instead, Facebook checks your password and confirms your identity to hypios, keeping your account secure.

Some application providers have also become ID providers, namely Google and Facebook.  Last December, both companies launched ‘Friend Connect’ features, which allow users to log in to different websites using previously-created identities.  However, as blogger John McCrea pointed out in his post about the launches , Google’s connect feature is built on open-source technology, while Facebook’s uses its own proprietary sources.  And while Facebook initially focused on integrating with major sites like Digg, Google promised to add a social component to any and every website by making it easy to cut-and-paste its code.

Who can you trust with your identity?

Of course, all of this depends on your trusting a provider with your personal information in the first place.  There are privacy, security, and practical concerns:

• One irate former Facebook user, Leif Harmsen, told a New York Times blogger that “Facebook does everything to make you more dependent,” such that “it is not ‘your’ Facebook profile.  It is Facebook’s profile about you.”  In fact, Facebook ended its Beacon program after users complained that purchases they’d made on partner sites were automatically posted as ’stories’ in their Facebook profiles.
• Besides concerns over commercialization of personal information, there are security worries.  Just as an OpenID provides users with access to multiple sites, it gives hackers the same freedom.
• More practically, if an ID provider service goes down, users will be unable to sign on to any of the sites at which they use their IDs.

Why ‘open’ ID doesn’t mean ‘open to the whole Internet’

We think it’s important to remember that having an OpenID doesn’t mean that your profile becomes more open, though.  (Even if Facebook is encouraging its users to make some elements of their profiles open to everyone on the Internet.)  Though more and more websites will integrate social networks, ID providers will only reveal the details you’ve chosen to give out. It’s the same information, just displayed on more pages around the Internet.

As Alex Korth of ReadWriteWeb points out, however, ‘open’ IDs may eventually lead to interoperable IDs and a ‘web of identities’ much like the ‘web of data’ that will form the semantic web.  Just as data will point to other data with URIs, social connections will point to each other through OpenIDs.  Depending on how much information our friends share, a typical search query on the web of identities could poll social connections’ favorite books or vacation destinations by looking at purchase histories or status updates.

It could also help Solvers use each other as resources, whether by polling connections about the best new textbooks or soliciting advice on a scientific problem from like-minded people.  At the very least, it could help Solvers find others who have worked on similar problems or have matching interests.

Given our interest in the semantic web, we think this could be a really exciting way to connect with people.  No matter what ID provider you choose or how you use your online identity, we hope that openID integration will make it easier for you to become part of our network.

Photos from mandamonium and Arkangel on Flickr.

Share this post!

As you are already aware, Central Desktop is a leader in the SaaS arena when it comes to security. Central Desktop partners with Alchemy Communications, Latisys Data Center, Akamai, and McAfee to provide its customers and partners with state-of-the-art perimeter, network, server, application and data security to ensure privacy and availability. McAfee runs a daily security test on Central Desktop – you can read the results here anytime.

Our Security Page gives you an overview of the Perimeter, Physical, Network, Server, Application and Data Security that Central Desktop offers.

If you are working within a company, organization or market that demands the best security available – I highly recommend considering the following features that come standard with the Enterprise and Community Edition of Central Desktop.

Advanced Password Security Settings –

The Enterprise Edition adds an additional layer of Password Security by allowing the administrator to adjust a range of password options such as: enforcing a minimum password length, disabling the password save option, enabling password complexity and implementing password change frequency.

TLS Encryption and Trusted Email Domain Support –

The TLS (Transport Layer Security) Encryption and Trusted Email Domain feature allows you to control access and send encrypted emails to trusted users. Email domains that are listed as Trusted Domains will receive a TLS encrypted email with all of the contents of the discussion, comment or documents available for the user to read. Email domains that are NOT listed as a Trusted Email Domain will only receive a generic email notification with a direct link to login to Central Desktop.

Trusted IP Addresses -

The Trusted IP Address feature allows Administrators to restrict access to Central Desktop by IP Address or IP Range. Only listed IP addresses will be allowed access to Central Desktop. This is ideal for companies and organizations that need to restrict access to Central Desktop via a VPN or office location IP address. This feature can be configured at the Company level and at the individual User level.

Custom Terms of Service & Privacy Policy –

The Custom Terms of Service & Privacy Policy feature allows Administrators to force Internal Members and External Members to agree to custom Terms of Service and Privacy Policy when they register with Central Desktop. This feature enables companies to comply with certain confidentiality or terms of use required under certain corporate policies or statutory requirements.

Single Sign-On Redirect –

The Single Sign-On (SSO) Redirect features allows companies and organizations a secure way to create a Single Sign-On experience from Central Desktop to 3rd applications, so that users don’t have to login twice when clicking from Central Desktop to another application.