Thursday, March 22, 2018

AliCloud ECS Web Hosting

I have been playing a bit with Tencent Cloud and Ali Cloud lately because of some projects in China.

I was experimenting with how easy it is to host a sample website on Ali Cloud. It should be a 5-minute job. It took me longer last night.

I kept hitting this error: "This site can't be reached".

I ssh'd into the server and found there weren't any iptables rules enabled. The Apache httpd daemon was up and running.

I just couldn't figure out why. I googled for some clues.

Pretty good documentation here from the Alibaba Cloud documentation team. (Yes, pretty surprised! The English was good.)

The step-by-step instructions were clear and concise. It made me look like a clown for not being able to make my sample website work!

I had no choice. I paid 1 year upfront, so I must get value out of it. I raised a support ticket and while I was waiting for a response, I came across a sub-menu "Security Groups". No harm taking a look.

Bingo! The "firewall" is not configured within the server via iptables. It is configured via the ECS console, under Security Groups.

I added a new rule to accept inbound HTTP (port 80) traffic and that did the trick!

What's the point of documenting so much when the essential point is not covered?
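Two checks for the situation in this post, added here as an example (it is not code from the post or from Alibaba's tooling): first, whether httpd answers on loopback but not via the public IP, which points at the security group rather than iptables; second, a review of the security group's ingress rules for a missing web rule and for SSH left open to the world. The rule dictionaries are constructed to resemble the Permission entries returned by Alibaba's DescribeSecurityGroupAttribute API, and the sample data is made up.

```python
"""Diagnose an ECS site that is unreachable, then review its security-group rules.
Added example; the rule format is assumed, the sample rules are constructed."""
import socket

def port_open(host, port, timeout=2.0):
    """True if a TCP connection to host:port succeeds within timeout seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def diagnose(local_ok, remote_ok):
    """Classify the symptom from a loopback check and a check via the public IP."""
    if not local_ok:
        return "httpd not listening: check the daemon and its Listen directive"
    if not remote_ok:
        return "listening locally but blocked outside the host: check the ECS security group"
    return "reachable"

def loopback_listener():
    """Open a listening socket on an ephemeral loopback port (for a self-check)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv

def rule_allows(rule, port):
    """True if one ingress rule accepts TCP traffic to `port` (from any source)."""
    if rule.get("Direction", "ingress") != "ingress" or rule["Policy"] != "Accept":
        return False
    if rule["IpProtocol"].upper() not in ("TCP", "ALL"):
        return False
    lo, hi = (int(x) for x in rule["PortRange"].split("/"))   # "80/80", "-1/-1" = all
    return (lo, hi) == (-1, -1) or lo <= port <= hi

def review_rules(rules):
    """Findings for a security group: missing web rule, SSH open to the world."""
    findings = []
    if not any(rule_allows(r, 80) or rule_allows(r, 443) for r in rules):
        findings.append("no inbound rule for 80/443: the site is unreachable from outside")
    if any(rule_allows(r, 22) and r["SourceCidrIp"] == "0.0.0.0/0" for r in rules):
        findings.append("SSH (22) open to 0.0.0.0/0: restrict SourceCidrIp to your admin range")
    return findings

# Constructed sample, shaped like Permission entries of DescribeSecurityGroupAttribute.
SAMPLE_RULES = [{"IpProtocol": "TCP", "PortRange": "22/22", "SourceCidrIp": "0.0.0.0/0",
                 "Policy": "Accept", "Direction": "ingress"}]
```

Run `diagnose(port_open("127.0.0.1", 80), port_open("<public ip>", 80))` from the instance itself to get the classification; `review_rules` takes the rule list you export from the console or API.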


Friday, March 9, 2018

Identity Governance of Unstructured Data

I received an email from SailPoint this morning. It has just published a white paper on how to secure access to unstructured data.

It examines each of the organizational and technical barriers to securing unstructured data and provides practical advice on how IAM managers should respond to this risk. It explains how identity governance can be extended to better secure unstructured data to meet privacy and compliance requirements.

So far, there are only two products that can govern unstructured data. One is from SailPoint (I think they acquired a product called WhiteBox). The other is One Identity Manager - Data Governance.

Identity Manager - Data Governance Edition protects your organization by giving access control to the business owner rather than the IT staff. The business owner can grant access to sensitive data. With the Identity Manager restricted access functionality, you define access policies for your organization. You have the power to analyze, approve and fulfill unstructured data access requests to files, folders and shares across NTFS, NAS devices and SharePoint, ensuring that sensitive, unstructured data is only accessible to approved users.

The primary targets are Windows Shared Folders/Files, especially within SharePoint.

I know there is already a project on-going in Australia that adopts Identity Manager - Data Governance Edition. Wishing them a successful implementation!

In my opinion, Data Governance is quick to win (for Sales), but very hard to exit (for Implementers).

Will I take this up? :)


Friday, March 2, 2018

Gartner Magic Quadrant - IGA 2018

The latest Gartner Magic Quadrant is out. Congrats to the One Identity folks! They have made it to the Leaders quadrant (from Challengers last year).

On the trip to Bangkok in February for the One Identity APJ UNITE Partner Conference, I was sharing with the marketing folks that we need more effort in creating awareness for One Identity IDM. We all know One Identity IDM has been selling like hot cakes in Australia for years. It's well known down under, but not in the Asia region, even though many would agree it is a pretty good product.

I like its architecture when compared with Oracle and CA.

With this latest announcement, let's make inroads into Asia!


Friday, February 2, 2018

Tyk 2.5 API Gateway available with OpenID Connect integration

Tyk has just released a new version of their API Gateway: v2.5.

Prior to this release, Tyk already provided OAuth 2.0 and a few other authentication methods.

With OpenID Connect, the solution looks more complete now, as OpenID Connect adoption is picking up.


Monday, January 29, 2018

WeChat Login Web Integration

We have a Chinese customer who wants to implement WeChat login for the custom IDM User Portal which we have developed for them.

The implementation is pretty straightforward, as WeChat Login for Web Applications supports the OAuth 2.0 protocol. There is even very good documentation written in English.

Now the difficult part comes: setting up the Developer Account. This is by no means easy, as the check is very stringent.

To begin with, the registration page is in Chinese! And if you are a company, you need to submit the company registration certificate, the applicant's identification card, company bank account information, etc. Finally, if you are an overseas company, you need to pay a USD 120 verification fee.

And you are not guaranteed to have your application approved. :)

I'm praying hard. Just submitted and transferred USD 120 to Tencent.


Friday, January 26, 2018

Kong API Gateway CE 0.12.0 - Circuit Breaker feature

The latest Community Edition version is Kong CE 0.12.0, just released today.

Coincidentally, there is a new feature in Kong that is similar to the one released in CA API Gateway 9.3: Circuit Breaker.

Support for health checks! Kong can now short-circuit some of your upstream Targets (replicas) from its load balancer when it encounters too many TCP or HTTP errors. 
You can configure the number of failures, or the HTTP status codes that should be considered invalid, and Kong will monitor the failures and successes of proxied requests to each upstream Target. We call this feature passive health checks. 
Additionally, you can configure active health checks, which will make Kong perform periodic HTTP test requests to actively monitor the health of your upstream services, and pre-emptively short-circuit them. 
Upstream Targets can be manually taken up or down via two new Admin API endpoints: /healthy and /unhealthy.

More technical implementation details are on GitHub: Add active and passive health checks.

Pretty cool!


Thursday, January 25, 2018

CA API Gateway - 9.3 (New Features and Enhancements)

CA just released API Gateway 9.3. The New Features and Enhancements are listed here.

There is a new feature which I think is pretty cool: the Apply Circuit Breaker assertion.

The Apply Circuit Breaker assertion defines thresholds for failure conditions which, when exceeded, prevent blocks of your policy from executing for a configurable period. 
This is ideal for avoiding bottlenecks that arise due to request processing slowdowns that are caused by sluggish or malfunctioning back-end systems. 
Once the Apply Circuit Breaker assertion detects a circuit has exceeded a threshold, the assertion fails and none of its child assertions execute. Depending on the surrounding policy logic, a failed Apply Circuit Breaker assertion could cause further branching or it could fail the entire policy.

After a predetermined timeout period, the circuit resets and the bypassed portion is once again live.
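The behaviour described in the two posts above (Kong's passive health checks that short-circuit an upstream Target after too many TCP or HTTP errors, with manual up/down, and CA's Apply Circuit Breaker assertion that trips on a threshold and resets after a timeout) follows the same pattern. The model below is an added example written for this page, not code from Kong or CA; the threshold, status list and reset timeout are illustrative values, and the clock is injectable so the reset can be exercised without waiting.

```python
"""Per-target circuit breaker modelled on the Kong 0.12 passive health checks and the
CA Apply Circuit Breaker assertion described above. Added example, not product code."""
import time

class TargetCircuit:
    """Failure counter and circuit breaker for one upstream target."""

    def __init__(self, name, failure_threshold=3, invalid_statuses=(500, 502, 503, 504),
                 reset_timeout=30.0, clock=time.monotonic):
        self.name = name
        self.failure_threshold = failure_threshold      # failures before tripping
        self.invalid_statuses = set(invalid_statuses)   # HTTP statuses counted as failures
        self.reset_timeout = reset_timeout              # seconds the circuit stays open
        self.clock = clock                              # injectable for testing
        self.failures = 0            # consecutive failures observed so far
        self.open_until = None       # timestamp while short-circuited, else None
        self.forced = None           # manual override: "healthy" / "unhealthy" / None

    def record(self, status=None, tcp_error=False):
        """Passive health check: feed the outcome of one proxied request."""
        if tcp_error or status in self.invalid_statuses:
            self.failures += 1
            if self.failures >= self.failure_threshold and self.open_until is None:
                self.open_until = self.clock() + self.reset_timeout   # trip the circuit
        else:
            self.failures = 0        # a success clears the streak

    def force(self, state):
        """Manual up/down, like Kong's /healthy and /unhealthy Admin API endpoints."""
        self.forced = state

    def available(self):
        """True if the balancer may route to this target right now."""
        if self.forced is not None:
            return self.forced == "healthy"
        if self.open_until is None:
            return True
        if self.clock() < self.open_until:
            return False             # still within the bypass period
        self.open_until, self.failures = None, 0   # timeout elapsed: circuit resets
        return True

def pick_target(targets, start=0):
    """Round-robin over targets, skipping those that are short-circuited."""
    for i in range(len(targets)):
        t = targets[(start + i) % len(targets)]
        if t.available():
            return t
    return None                      # every target is down: fail the request
```

Kong's active health checks would sit on top of this by calling `record()` from a periodic probe rather than only from proxied traffic.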

Going to try it soon! :)