Tuesday, February 26, 2013

Focus on IBM Security: IBM Security Policy Manager and IBM Security Access Manager for e-Business

Many customers have asked me "Why do I need an additional Authorization product when I have IBM Security Access Manager for e-Business?"

I recently attended a discussion focused on IBM Security Policy Manager (SPM) and IBM Security Access Manager for e-Business (SAMeb). IBM Security Policy Manager can be used in the following ways:
  1. Fine-grained authorization control, as opposed to coarse-grained SAMeb group to J2EE role mapping (Sample: Policy to restrict a money transfer that exceeds $500 in a single transaction)
  2. Authorize and Audit Communications between application modules. (When Modules are independent and belong to different organizations/Access External Interfaces)
  3. Can have Multiple Policies on a service, each with multiple roles
  4. Centralized Policy management for Web Services
  5. DataPower could be used as a Web Service proxy and TSPM as the Policy Decision Point
  6. By default, all web services are denied
  7. Policies can be attached to Web Service/Port/Operation/Message
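
To make the difference between the coarse-grained role check and a fine-grained decision concrete, here is an added sketch of a default-deny policy decision point; it is not SPM's policy language or API and not code from the original post. The service, port, operation and role names are constructed, and the rule that the most specific attached policies govern is an assumption of this example.

```python
from dataclasses import dataclass
from typing import Callable, Optional

PERMIT, DENY = "Permit", "Deny"

@dataclass(frozen=True)
class Request:
    service: str
    port: str
    operation: str
    roles: frozenset
    message: dict          # message attributes, e.g. {"amount": 250}

def amount_at_most(limit):
    """Message-level condition: a positive, numeric 'amount' not above limit."""
    def check(message):
        amount = message.get("amount")
        if isinstance(amount, bool) or not isinstance(amount, (int, float)):
            return False   # a missing or non-numeric amount never passes
        return 0 < amount <= limit
    return check

@dataclass(frozen=True)
class Policy:
    name: str
    service: str
    roles: frozenset                       # a policy can carry several roles
    port: Optional[str] = None             # None = every port of the service
    operation: Optional[str] = None        # None = every operation
    condition: Optional[Callable[[dict], bool]] = None  # message-level check

    def level(self):
        """0 = service, 1 = port, 2 = operation, 3 = message (most specific)."""
        if self.condition is not None:
            return 3
        if self.operation is not None:
            return 2
        return 1 if self.port is not None else 0

    def attached_to(self, req):
        return (self.service == req.service
                and self.port in (None, req.port)
                and self.operation in (None, req.operation))

    def permits(self, req):
        role_ok = bool(self.roles & req.roles)
        return role_ok and (self.condition is None or self.condition(req.message))

class PolicyDecisionPoint:
    def __init__(self, policies):
        self.policies = list(policies)
        self.audit_log = []                # every decision is recorded

    def decide(self, req):
        attached = [p for p in self.policies if p.attached_to(req)]
        decision, reason = DENY, "default-deny: no policy attached"
        if attached:
            # Assumption of this example: the most specific level governs.
            top = max(p.level() for p in attached)
            governing = [p for p in attached if p.level() == top]
            winner = next((p for p in governing if p.permits(req)), None)
            if winner is not None:
                decision, reason = PERMIT, winner.name
            else:
                reason = "not satisfied: " + ", ".join(p.name for p in governing)
        self.audit_log.append(
            (req.service, req.operation, sorted(req.roles), decision, reason))
        return decision

def coarse_role_check(req, allowed_roles):
    """Group-to-role mapping only: the message content is never inspected."""
    return PERMIT if req.roles & frozenset(allowed_roles) else DENY

# Constructed sample policies: two policies on one service, each with two roles.
SAMPLE_POLICIES = [
    Policy("bank-service-access", "BankService",
           frozenset({"Customer", "Teller"})),
    Policy("transfer-limit-500", "BankService",
           frozenset({"Customer", "Teller"}),
           operation="transfer", condition=amount_at_most(500)),
]

def req(operation, roles, service="BankService", **message):
    """Build a constructed request against the sample port 'BankPort'."""
    return Request(service, "BankPort", operation, frozenset(roles), message)

if __name__ == "__main__":
    pdp = PolicyDecisionPoint(SAMPLE_POLICIES)
    for r in (req("transfer", {"Customer"}, amount=250),
              req("transfer", {"Customer"}, amount=600),
              req("getBalance", {"Teller"}),
              req("transfer", {"Customer"}, service="OtherService", amount=10)):
        print(r.service, r.operation, r.message, "->", pdp.decide(r))
    for entry in pdp.audit_log:
        print("audit:", entry)
```

The role-only check permits the $600 transfer because it never looks at the message, while the decision point denies it and records the reason in the audit log.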
Here is a side by side comparison:

Next week, Prolifics will be at IBM Pulse in Las Vegas, a leading security intelligence conference. If you would like to learn more about Prolifics' Security solutions, visit booth #E525 and visit our IBM Pulse Page.

For more information about Prolifics, please visit www.prolifics.com or email solutions@prolifics.com.

Rama Yenumula is a Senior Consultant in the Security practice at Prolifics.

Wednesday, February 20, 2013

IBM Pulse Session Preview: Simplifying Administration and Maximizing Time-to-Value with SmartCloud Application Performance Management

In less than 2 weeks, I will be representing Prolifics at IBM Pulse 2013. I am looking forward to attending keynotes and sessions, speaking with industry experts and meeting attendees at Prolifics' booth, but I am most looking forward to presenting in two sessions focused on Application Performance Management.

I am hosting my first session at the start of the conference on Sunday, March 3. During this session, we will explore how our clients have achieved a quick time-to-value, and vastly simplified administration, when deploying IBM SmartCloud APM to monitor their middleware infrastructure by taking a unique approach. Attendees will learn how we simplified the often complex management aspects, and reduced implementation time, by leveraging the APM UI; eliminating the need for Managed System Lists (MSLs) by leveraging the little-known Situation Groups; and how they addressed the unique challenges of monitoring a pooled WebSphere Application Server infrastructure.

To learn more about my speaking session and to see what else Prolifics has lined up for IBM Pulse, click here.

If you are interested in learning more about IBM SmartCloud, I have included a video by Prolifics' APM Practice Director and IBM Champion for Tivoli, Dan Kern. In this video, Dan discusses increasing the availability, visibility and virtualization of business-critical applications with IBM SmartCloud solutions.


For more information about Prolifics, please visit: www.prolifics.com.


Brian Fisher is a Solution Architect at Prolifics focusing on monitoring and application performance management. He is a Technical Sales Specialist equipped with six years of innovative portfolio experience serving a broad base of IBM Tivoli clients, as well as sales specialists.

The Congruence Model for Security

From management literature (Tushman & O'Reilly), congruence-based problem solving is a method to quickly and accurately identify the root cause of performance or opportunity gaps. In the context of security architecture, the congruence model can be applied to creating comprehensive security assessments for an organization. The model emphasizes analysis of the relationships among four core components of an organization (shown in the graphic below), also called the building blocks, whose alignment relationships are the focus of congruent security architecture techniques. The goal is to leverage the relationships and interactions between those core components to reveal the underlying security posture of an organization.


Each congruence relation is important in forming organizational diagnoses that help us understand the current state of security in the enterprise, and the causes of the vulnerabilities. Analyzing these relations tends to define the political map and how the players tend to navigate it. It helps identify organizational behaviors that are helpful, neutral or detrimental to the security architecture initiative.

Analyzing the following three alignments using an appropriate "congruence questionnaire" is crucial to determining the security posture of the enterprise.

The Task and People Congruence Relation:
  1. Do people have the required competencies to perform the critical tasks that ensure safety of data and process?
  2. To what extent do the skills, abilities and motives of today’s human resources fit with security planning, architecture formulation and implementation requirements?
Identification goals: task-human resource inconsistencies that inhibit the ability to execute on security strategy.

The Task and Formal Organization Relation:
  1. Do the formal linking mechanisms between units facilitate security task integration, security team building and agility from a product delivery perspective?
  2. Is there a company wide vision for security and a strategy for addressing regulations, audit and security breaches?
Identification goals: task-structure inconsistencies that inhibit necessary integration among SBUs, needed to deliver a comprehensive security solution.

The Task and Culture Relation:
  1. Does the existing culture energize the accomplishment of critical tasks?
  2. Does the informal communication network and informal distribution of power help get the work done?
  3. Is there a reluctance to take action? Is there reliance on being told what to do?
Identification goals: culture-task inconsistencies that drag performance down and inhibit consensus on security goals.
This due-diligence analysis can help identify the need for managers and their teams to realign the formal structures, people processes and cultural aspects of their organization with the critical tasks necessary to achieve the overall security vision. Managers and their teams should learn from this process, and even re-initiate the process iteratively within their own SBUs if necessary.

Next month, I will be attending IBM Pulse 2013 in Las Vegas, the industry-leading conference on Security Intelligence. Prolifics will exhibit in the solution showcase and host a number of sessions throughout the conference. To learn more about Prolifics' presence at IBM Pulse, visit: www.prolifics.com/pulse-2013.htm. If you would like to connect with me before the conference, please click here.


Javed Shah is a Practice Director for Security at Prolifics with more than 12 years experience in identity and access management architectures. He has broad exposure developing identity and access management solutions, and system software components that deliver reliable data security, web enablement and user lifecycle management services to customers. Before joining Prolifics, Javed founded and ran a professional services company in India for 6 years. Spanning over a decade, Javed has led identity management projects to successful exits at Nestle, University of California San Francisco, Kaiser Permanente, ABM Industries, BRE Properties, UPS, Tampa General Hospital and E*TRADE Bank. He was also the leader of the ITIM Level 3 defect resolution and analysis team in India where he was responsible for handling all customer defects for North America and Asia. Javed holds a Bachelor’s degree in Computer Science, a Certificate in Implementing and Managing an Enterprise Architecture using the Zachman Framework and the CISSP certification. He is also currently pursuing an MBA from the Haas School of Business, University of California Berkeley.

IBM Connect Session Summary - BP 407 Portal at the Speed of Light: Techniques for IBM Worklight Integration

I recently presented a session at Connect 2013 with Handly Cameron titled: Portal at the Speed of Light: Techniques for IBM Worklight Integration. This session focused on discussing various techniques for integrating IBM WebSphere Portal with IBM Worklight. IBM unveiled Portal 8.0.0.1 and a new feature pack for Web Experience Factory, which took the mobile landscape to a different level. In Portal, we have responsive themes Out of the Box with CTC4 templates and in Web Experience Factory we have a Camera builder that integrates with Worklight. Our techniques discussed during the session were in line with these new developments in the Portal space.

Let us take a step back and look at what we discussed during the session. We started off with a quick introduction to Multichannel Applications and Worklight. We then discussed various questions that current IT decision makers have in mind before zeroing in on an approach. And then, we presented our five techniques namely:
  • Standalone Portal – Responsive Web Design
  • Standalone Worklight
  • Using Portal to host application pages
  • Personalized Content driven by WCM
  • Integration with Backend Systems
Finally, we concluded with a Reference Architecture and list of things to keep in mind while selecting an approach.

The message that was conveyed throughout the session was loud and clear. Portal could be used standalone to cater to multichannel devices; the same applies to IBM Worklight. Each of them has its own place depending on the business requirements. The other three approaches talk about interplay between Portal, WCM and other Backend systems with Worklight. We explained scenarios and presented code snippets where such integration would make sense. Most of the questions at the end were focused on this topic.

To summarize - If anyone is heavily invested in WebSphere Portal, then migrating to 8.0.0.1 and employing Responsive Design helps tremendously in targeting multi-channel devices seamlessly. Responsive Themes are available Out of the Box and personalized content could be created to target users more closely. In addition to that, IBM entitlement provides 2 additional licenses for Worklight if the application talks directly to Portal. This would be a nice way to use that entitlement to create mobile applications from Portal targeting multichannel devices. Alternatively, if WebSphere Portal is not in the mix, IBM Worklight could present a promising solution standalone delivering enterprise capabilities across devices.

To access our presentation from IBM Connect, please click here: Portal at the Speed of Light: Techniques for IBM Worklight Integration.

As an IBM Champion for IBM Collaboration Solutions, I was also interviewed on my work with Worklight, Portal and Mobile. To watch the interview, click here or below.


Find out more about Prolifics' week at IBM Connect here: Prolifics @ IBM Connect.
To learn more about Prolifics, please visit www.prolifics.com.

If you would like to talk about this presentation in depth, please connect with me in one of the following ways!
Twitter: @LaksSundar
LinkedIn: Laks Sundararajan
Email: Laks Sundararajan


Laks Sundararajan is a Solution Architect at Prolifics, an IBM Champion for Collaboration Solutions and a key member of highly specialized team working on IBM WebSphere Portal, Content Management and Collaboration technologies. He has led implementations of many global projects using IBM WebSphere Portal and has extensive background in design and development of enterprise portals. He specializes in providing Enterprise SOA solutions leveraging WebSphere Portal, Content Management and Tivoli. He holds a Masters in Information Technology from Carnegie Mellon University and Graduate Degree in Engineering from BITS, Pilani.

Wednesday, February 13, 2013

Prolifics Thought Leaders Named IBM Champions in 2013!

The IBM Champion program recognizes innovative thought leaders in the technical community. An IBM Champion is an IT professional, business leader, developer, or educator who influences and mentors others to help them make best use of IBM software, solutions, and services.

Meet Prolifics' 2013 IBM Champions!
Prolifics is proud to announce that 15 of our thought leaders have been recognized as IBM Champions for 2013. Prolifics has long demonstrated technology leadership through deep skills, a proven methodology, and high customer marks. Our technical staff has consistently developed innovative and creative solutions for Prolifics' clients and has dedicated themselves to rigorous and ongoing training - raising the bar and bringing thought leadership to the entire industry. Many of Prolifics' Champions selected by IBM have been published in several trade journals and often speak at conferences. Additionally, their custom-solutions implemented for customers worldwide have been honored with several awards.



Congratulations to all of our IBM Champions!

Handly Cameron - ICS
Laks Sundararajan - ICS
Alex Ivkin - Security
Dan Kern - Tivoli
Greg Hodgkinson - Rational
AJ Aronoff - WebSphere
Steve Fraser - WebSphere
Leland Irwin - WebSphere
Eric Markowitz - WebSphere
Vladimir Serebryany - WebSphere
Ashraf Souleiman - WebSphere
Prithvi Srinivasan - WebSphere
Neha Dhawale - WebSphere
Arup Datta - WebSphere
Rajiv Ramachandran - WebSphere

To learn more about our IBM Champions, visit: http://www.ibm.com/developerworks/champion/
For more information about Prolifics, visit: www.prolifics.com

Tuesday, February 12, 2013

The Messaging Whisperers: The Zero Downtime Series

A retail organization I recently worked with had a simple explanation for why downtime is bad. They do a billion dollars a year of business on the web and so one day’s worth of business is a loss of several million dollars. But that isn’t the problem. The real problem is that downtime means losing customers forever. (They’ll try another retailer and they may never come back).

The Zero Downtime Series is all about avoiding outages with IBM WebSphere MQ and WebSphere Message Broker. Multi-instance queue managers and brokers are a great way to achieve high availability at a low cost. (There will be another blog entry on idle standby licenses for MQ and Message Broker, which can help make high availability more affordable).

The first part of the series is a comparison between active / active and active / passive.

Active / Active vs Active / Passive vs Active / Active / Passive:
Multi-instance queue managers can be arranged in several configurations with different costs and benefits. Three of these configurations are:
  1. Active / Passive (One queue manager on two machines. During a failure the queue manager runs on the standby machine).
  2. Active / Active. (Two queue managers on two machines. During a failure both queue managers run on the same machine).
  3. Active / Active / Passive (Two queue managers on three machines. During a failure the failed queue manager runs on the third machine.)
In order to compare costs and benefits, let's consider a case where CPU-intensive transformations are being done and four CPUs are required to meet the expected response time.

1. Active / Passive Case
Both the primary and standby machines are quad core. The primary uses regular MQ licensing and the standby machine uses idle-standby licensing (which is only 20% of the cost of regular MQ licensing).
  • Total cost:
    • 2 Quad core machines (or VMs); plus
    • Licensing for 4.8 CPUs: 4 for primary and .8 for standby (20% of 4)
2. Active / Active Case
There are two variants of the Active / Active Case:
  • Need to meet performance requirements during a failure
  • Performance requirements do not need to be met during a failure
If performance requirements need to be met during a failure, then two quad core machines are required for the active / active case. Both machines need to be fully licensed.
  • Total cost:
    • 2 Quad core machines (or VMs); plus 
    • Licensing for 8 CPUs (4 for the first machine and 4 for the second machine)
  • Active / Active is good for IO bound message handling (since the traffic is spread over two machines).
  • If performance requirements do not need to be met during a failure, then two dual core active / active machines could be used. This case requires caution. Having performance cut in half (at best) is a significant penalty. (Also be sure to check memory etc). This requires careful capacity planning (as does everything).
3. Active / Active / Passive Case
All three machines are dual-core. The first queue manager runs on the first machine. The second queue manager runs on the second machine. Either queue manager can fail over to the third machine.
  • Total Cost:
    • 3 dual core machines (or VMs); plus
    • Licensing for 4.4 CPUs - 2 for the first machine, 2 for the second machine and .4 for the third machine (20% of 2)
  • The active / active / passive case has even lower licensing cost than the active / passive case, while having the same ability to handle IO bound messages as the active / active case

Next week, I will be hosting a live webinar titled: Message Broker as your Enterprise Service Bus. During this webinar, I will discuss Message Broker approaches and techniques to reduce complexity by dividing challenges into smaller, more easily manageable pieces. To register, click here.

Have a question? Want to connect?
LinkedIn: AJ Aronoff
Email: aj@prolifics.com

Additionally, I would like to share some excellent articles and walkthroughs for multi-instance queue managers:



AJ Aronoff is the Infrastructure and Messaging Practice Director for Prolifics and an IBM Champion for IBM WebSphere. AJ first joined Prolifics as a Developer, then specialized in WebSphere MQ. He has 25 years experience in the IT field — 17 of those years at Prolifics. As a Prolifics consultant, he has done MQ design, implementation, infrastructure, monitoring and security assignments at several large financial, insurance, retail and communication firms (Bloomberg, Credit Suisse, Deutsche Bank, DTCC, Fidelity, ITG, JPMC, Och Zif, Tokyo Marine, Pep Boys and British Telecom). He has presented on security and infrastructure at Impact, Hursley comes to Minneapolis and Palisades, and MQ User Groups. His customers use Omegamon to monitor over a thousand systems across the globe.

Friday, February 8, 2013

Building Social Media Toolbars on WebSphere Portal 8

The Business Case
Social Media Toolbars are a popular user interface pattern for many websites today. Providing links to your social media channels helps promote your brand, connects users to your social venues, and can aid both the user and the site owner in communicating information through additional channels and formats. This article discusses an approach to building social media toolbars that can be re-used in your WebSphere Portal 8 themes. You can optionally allow business stakeholders some ability to manage the social media links, including changing the order of links within the toolbar or activating and deactivating individual media links. This solution may also allow you to leverage the features of Portal security and personalization to allow for advanced targeting scenarios.

In the simplest implementation you might implement the HTML markup for the social media toolbar directly in your theme HTML or a dynamic content spot using a JSP file. The hard-coded solution is extremely simple and may be acceptable if all of the following are true:
  • You have no need to share the links across themes.
  • You don’t need any personalization capabilities or security authorization.
  • You are comfortable with a development and deployment cycle to manage the links.

However there is an alternative approach that is nearly as simple to implement and allows much greater flexibility and re-use. We want to store the social media bar links in our portal page taxonomy under a hidden page label. When we do this, we can then preserve the same links across themes and allow the theme to read and display the social media links.

The Implementation
First, let’s set up some basic custom theme helper code.

In the dynamic content of your custom theme, locate the file includePortalTaglibs.jspf and add the JSTL core taglib.




Next, we want to be able to locate all external links under our hidden portal label. To do this we are going to use a custom uniquename for our label so we can find this label using the Navigation Model SPI. In order to get the navigation node for the uniquename we create a helper function in the helper.jspf called “getNodeByUniqueName”.

Add the import statements highlighted below in the file named “helper.jspf”:


Next, we’ll use a JSP Init method to perform the JNDI lookup of the navigation model home. We also declare the instance members for “navModelHome” and “ctx”.


To complete our helper code we implement our helper method in the JSP static block.


Now we have a helper method to return a NavigationNode for a given uniquename string. Keep in mind this method may throw runtime exceptions in certain scenarios. Later for our case we want to invoke this method in a way that catches any additional exceptions beyond the checked ModelException. Users of this helper method should also check for a null return value.

Next we need a new dynamic content JSP page to render our social media bar.

The code listing is given below:


The above code listing deserves some explanation. In the declarations at the top we include our helper and common tag library includes.

Next we look for two parameters. The first is the uniquename of social media label from Portal - Manage Pages portlet that contains our external links and metadata. The second is an optional parameter for a separator markup we optionally may place between groupings of items in our social media bar. When possible you should try to achieve this using CSS instead of the separator markup parameter.

In the next section we call our helper function “getNodeByUniqueName” in order to get the NavigationNode to iterate over. We conditionally process the lookup of children under the navigation node if the social node is not empty.

We initialize a category variable to track changing from one grouping of social links to the next. This is our indicator to output the separator markup.

Next, we use the Portal EL Beans to get the metadata for each external URL managed by the portal:

  • link.css.classname
  • link.category
  • “Page Icon” property


With this we conditionally output the separator markup, and finally we output a link using the CSS class name from the page properties.

The image icon URL is optional and changes the content of the anchor tag. Depending on how you wish to implement the social media icons, you can use CSS for the anchor tag alone to render the images. If you provide the icon URL the tag is used. Using CSS only may be preferable as you can use glyphicons.

Now that we have a JSP to render our social media toolbar, we can place this into the static resource(s) of our theme as a dynamic content spot. You can register the dynamic content spot as a theme resource environment provider property per – “Creating a dynamic content spot”. For the purpose of this article we’ll simply use the resolver URI directly.

The code listing below shows adding the social media bar dynamic spot to the “theme_en.html” file:



Note the protocol and URI resolves to our JSP in the anchor with relation attribute of “dynamic-content.” We also give the uniquename parameter in the query string.

This is the total code needed to implement the solution aside from site-specific CSS.

Portal Page Management
We need to create our Portal Label and add some links. To do this, navigate to Portal Administration and select Manage Pages.

Navigate to Content Root > Hidden Pages. Create a new Label under Hidden Pages.



Enter “Social Media Links” under the title, and give the label the same uniquename you used when creating the dynamic content spot.



Next, add a new URL under the Social Media Links label




In this example, I used an image for Page Icon property. If you wish to set page parameters for link.category or link.css.className you must first click Ok to Save the URL. You then return to edit the URL and can modify the page metadata. An example of this appears below:


The screen capture below shows a representative URL’s Page Parameters being set.



Repeat the URL creation process for each link you wish to show in the toolbar.



The Rendered Output
The social links created in Page Management will now be presented in the theme(s) that render the social media bar dynamic content spot.

Conclusion:
This is one possible solution to building social media bars in WebSphere Portal 8 Themes. The solution allows a Portal administrator or business user to create new toolbar items (excluding the supporting CSS or images.) The same user can activate and deactivate a link. The links in the toolbar can be reordered. The links could be different for authenticated users based on a user’s identity by using “assign permissions” or by using personalization rule mappings. Most importantly the link data is decoupled from a particular theme and its presentation of the links.

Tim Reilly is a Technology Manager with Prolifics. He has led the implementation of many global projects using IBM WebSphere Portal and has extensive background in design and development of enterprise portals. He specializes in providing Enterprise Java and Portal solutions leveraging WebSphere Portal, Content Management, Tivoli and 3rd party integrations. He has over 10 years of experience with Websphere Portal and is a former Apache Software Foundation committer.

Creating the Intranet “Classifieds” Feature using IBM WCM 8 – Part 3

In this blog series on WCM Based “Classifieds” intranet solution, we covered the Site Area, Authoring and Presentation Templates, HTML & Menu Components, Categories, Authoring Tools Component so far. In this final part of the blog we will look at the Workflow and Permissions and finally Creating the Page and Portlet.

Workflow and Permissions
  • Workflow
    • The following workflow is used to manage the item lifecycle. By default, the item enters the first stage “WS_DraftMktpl”; it has a scheduled move action which moves the item to next stage in 1 min. The next stage contains the Publish action and publishes the item on the live site.


    • We could also use an approval process for each kind of item by inserting one more stage between the Draft and Publish stages for approval. Approver rights can be assigned to a group or person in the Approval stage, ensuring all content is approved manually by a group/person before it gets published.
  • Permissions
    • In order to enable users to post, edit and delete items on the live site, we configured the following permissions.
      • Page and Content Viewer Portlet – Map “User” role to “All Authenticated Users”
      • Demo_Lib – Map “Contributor” role to “All Authenticated Users”
      • Demo_Lib\Content – Map “Editor” role to “All Authenticated Users”

First, you need to assign all authenticated users access to the pages and the portlet that render the content. Next, you want to assign permissions for Demo_Lib (your content library) and Demo_Lib\Content in order to provide edit, delete and create functions to end users.

All these permissions are set using Portal Administration Console.

Creating the Page and Portlet
Page - Here we create a Portal Page anywhere in the Portal page hierarchy and make sure end users have appropriate permissions to access that page.

Portlet - Place a Web Content Viewer (JSR 286) portlet on the above page. Edit the portlet and add the below settings.


    • Select the HTML component that renders the Marketplace view. This is a convenient feature in WCM 8 where we can directly render components instead of placing them on Content Items first.
    • Next, select the three authoring templates to act as input when you click the button “Post Item,” providing users with an option to select one of these to add as the new item.

Conclusion
In short, the solution is useful for building a classifieds-like site within your intranet or Internet site using Portal and WCM 8. This article only gives the general idea and concepts that can be used to build such a solution, but you can tweak it in numerous ways to meet your specific requirements. Essentially, the main enabler of this solution is the use of the Authoring Tools component and the appropriate permissions to provide that component to end users.

In the example we used in this blog series all the three items can be created using a single button that gives users a choice to pick an authoring template. This was our client requirement; you may divide your site into different sections based on different item types and have a different button for each item type. So, based on your requirements, you can choose an appropriate option to select authoring templates within the Authoring Tools component.

Manmeet Gill is a Senior Consultant at Prolifics, an IBM Bravo Award Winner and a key member of specialized teams working on IBM WebSphere Portal, Content Management, IBM Forms and Collaboration technologies. He is certified in IBM WebSphere Portal and IBM Web Content Manager and has over 8 years of IT experience. Besides specializing in IBM technologies he is a double black snowboarder, an advanced windsurfer and a superbike enthusiast. He holds a Bachelors Degree in Engineering from MSR Institute of technology, Bangalore.