Taking Google Maps first, the first thing I can say is that it is fast. I can go straight to a place (e.g. the town where I live) and a great bonus is that there is no clicking and waiting for graphics to reload to view the adjacent parts of a map as Google’s maps are dynamic, interactive and draggable. It also has some cool features. For example, if I search on an address, I get a map with a list of businesses in the area (e.g. “Heritage House, Church Road, Egham”). I can then click through for more matching links (through integration with the Google Local service), or I can get directions to or from the referenced location (e.g. from where I live, to where I work). I use the AA route planner to work out my journeys for expense claim purposes and it sometimes takes a while (although it has the advantage of being able to specify some points to travel through where my journey is not necessarily the most direct one as I avoid south-east England’s traffic hot-spots) – the Google results are almost instant and have the added advantage that I can click on any of the steps to see a detailed map of a junction.
To be honest, Google Local was a bit of a disappointment to me, as it relies on data from Yell.com (i.e. paid advertising), but the integration with Google SMS does look useful. For some time now, Google has also been available using the 466453.com domain name (the phone keypad combination to spell Google) and now Google SMS allows quick and easy search results from a mobile phone.
For a while now, industry commentators have said that Google needs to stay ahead as the search wars hot up. It may be the world’s best search engine right now, but that can’t be taken for granted as there is plenty of competition, particularly in the emerging desktop search market, and some of that competition comes from Microsoft, a company not known for holding back when it wants some market share. I reckon these new services may be just what we’ve been waiting for.
As I was writing my post on Microsoft Host Integration Server (HIS), I came across many unfamiliar terms and IBM technologies. In many cases, some quick googling came up with the answers to my questions but I also stumbled across the IBM archives, which provide a decade-by-decade and year-by-year view of the computing giant’s history.
I began my IT career in the mainframe world. I got my first taste as a 16 year-old schoolboy on a work experience placement (changing tapes on ICL 1900 mainframes at the local hospital) and then as part of my Computer Studies degree I joined ICL, a name now consigned to the history books, where I learnt about Series 39 mainframes and VME as part of my time attached to an operating system support team. It could have been very different – I had the chance to start out with IBM, where I would have learnt about the world of OS/2, RS/6000s, AS/400s and System/390 mainframes. Nowadays I’m employed by a systems integrator, working almost exclusively with Microsoft products, so when I had the chance to attend a session about Microsoft Host Integration Server (HIS) 2004 at Microsoft’s IT Forum Highlights event, I decided to take a look at how a Microsoft infrastructure can integrate with the world of IBM zSeries mainframes and the systems network architecture (SNA) using HIS, which Microsoft claims can leverage existing host assets to integrate IBM mission-critical host applications, data sources, messaging and security systems with new solutions developed using the Microsoft Windows Server System platform.
Michael Platt (an IT Pro Evangelist for Microsoft UK) explained that it is surprisingly difficult to integrate mainframes with Windows systems because of the way they view the network and there are five levels of integration to consider:
Application (e.g. CICS).
Data (DB2 is different on a mainframe to on UNIX).
Different acronyms are used by Windows and mainframe technologies and it is important to outline some terms which may help to put the rest of this post into context:
A PC to host gateway is concerned with translation between PCs and mainframe physical units (PUs) and logical units (LUs).
LUs may be 3270 or 5250 terminals, which originally used co-axial connections over which SNA was run. Then, in the 1980s, SNA 6.2 brought support for peer-to-peer networks. The old co-axial connections were replaced with token ring (and eventually Ethernet) LANs using a data communications and terminal controller (DTC) or dial-up synchronous data link control (SDLC) over X.25 for WANs.
Front end processors (FEPs) relieve some of the processing from the mainframe CPU and these are examples of PUs.
SNA gateways consolidate branch traffic for transmission across the network.
Over time, TCP/IP has become all pervasive, moving from UNIX systems, to desktop PCs, across the WAN and eventually into the data centre, bringing some issues for IBM mainframes, which use a 1920Kb block size. TCP uses a 4Kb block size and so it has always been seen as inefficient to run TCP on a mainframe leading to various approaches that have been taken over the years:
TN3270 is a telnet-based 3270 clear-text terminal emulation session (although SSL and TLS can be used from HIS 2004 onwards); however the mainframe still spends a lot of time performing protocol conversion, so this can be offloaded as a service that then uses native SNA to communicate with the mainframe (allowing more connections).
The host print service was intended to resolve issues with expensive mainframe printing allowing print requirements to be offloaded to departmental printers, but mainframes use extended binary coded decimal interchange code (EBCDIC) to represent characters whilst PCs and other devices use the American standard code for information interchange (ASCII), leading to more conversion.
Multiprotocol transport networking (MPTN), implemented as IBM Anynet, provides an SNA stack for the client, allowing full application-to-application communications, but because it is implemented in software it uses significant numbers of CPU cycles, resulting in performance issues (consequently Microsoft have never offered an MPTN service for HIS).
Data link switching (DLS) uses hardware to tunnel SNA, running TCP/IP across the network itself, but requires expensive routers. Some vendors added additional technology, whilst others never offered DLS. Microsoft’s answer is the distributed link service (also called DLS), which passes data between HIS servers using TCP/IP (UDP and native IP for performance), with SNA at either end.
Today, IBM’s stated direction for SNA over TCP/IP is IBM enterprise extender, which uses high performance routing (HPR), an extension to advanced peer to peer networking (APPN). IBM is dropping support for its 374x FEPs and encourages the use of adapters in its open services architecture (OSA), running SNA, TCP/IP, etc. as appropriate. Microsoft supports the same technology, through IPDLC, and the core network integration portion of HIS enables HIS to participate in an IBM enterprise extender environment in a branch office, in a central location, or even within the data centre, directly connected to the mainframe using gigabit Ethernet.
The HIS transaction integrator (TI) (formerly known as COM transaction integrator for CICS and IMS) has been enhanced to offer support for applications providing web services integration, so that developers can programmatically access the mainframe from a Microsoft .NET application. With TI, Windows developers can use the Windows-initiated processing (WIP) technology to wrap existing line-of-business processes found in IBM AS/400 systems, mainframe CICS and IMS applications, as XML web services or .NET server components. In addition to WIP, TI offers a reverse path through host-initiated processing (HIP), allowing developers to produce bidirectional and asynchronous enterprise integration solutions without using IBM MQSeries.
HIS offers a number of data integration technologies, including:
Industry-standard ODBC Driver for DB2.
Component object model (COM) OLE database providers for DB2 and host file systems (mainframe and AS/400).
.NET framework-enabled managed provider for DB2.
New to HIS 2004 is the DB2 network protocol client (DRDA AR) over which the ODBC, OLE DB and Managed Provider communicate with remote DB2 database servers, allowing these data providers to offer expanded functionality such as two-phase commit for DB2 distributed transactions over TCP/IP and connection pooling when using enterprise single sign-on.
HIS 2004 also supports asynchronous messaging through its MSMQ-to-MQSeries bridge, allowing administrators to link applications that use inter-platform message queueing, with support for MSMQ 2.0 and MQSeries (Websphere MQ) 5.1.
The administration and runtime components in HIS 2004 support a new secure product configuration (with an associated configuration wizard) and are “secure by default” when installed. Only HIS administrators need administrative permissions (whereas in previous versions HIS runtime users were also required to be administrators), although there are some security considerations when upgrading from previous versions. Access request levels can be set as read, read/write, manage, or full control, and control methods can be read/write or manage.
Support for enterprise single sign-on (SSO) enables seamless integration of security credentials across Windows Active Directory and IBM host systems for both users and applications, including 1:1 and group:1 association, with all the main IBM security systems supported. The HIS enterprise SSO provides the base infrastructure that, along with third-party software products, provides for a secure password management solution including Windows-initiated and host-initiated password synchronisation.
As mentioned previously, with HIS 2004 the telnet 3270 service has been enhanced to offer secure sockets layer (SSL) and transport layer security (TLS) support. Administrators can now increase the overall security of the network when accessing mainframe terminal and printer resources over TCP/IP, including authentication of access to mainframe sessions and encryption of host data between client and server.
HIS 2004 runs on Windows 2000, Windows XP or Windows Server 2003 and support for clustering is provided in order to scale up and out to address the volumes required by large enterprises. HIS uses its own internal domain structure as part of the SNA integration and includes SNA Manager – a Microsoft management console (MMC) snap-in provided for managing key components of HIS, which has been improved to offer better usability through refined wizards and prompts (there is also a command line interface). A centralised SNA diagnostics tool is also provided, allowing administrators to test and troubleshoot network connections and resources.
Setting up a link involves:
Generating a new link service.
Creating an SNA Service connection.
Creating a new display LU.
Assigning LUs to a configured user.
Starting the SNA service.
It is then possible to connect to the mainframe using a 3270 client.
Establishing an advanced program-to-program communications (APPC) application connection involves:
Creating a new APPC connection.
Setting up the local APPC LU.
Setting up a remote APPC LU.
Starting the SNA Service.
HIS diagnostics can then be used to carry out an APPC test.
The future for HIS
So what about the future for HIS? As a product which started life running on OS/2 as SNA Server, it may not be the most exciting offering in the Windows Server System, but it is functional, and organisations still buy it! On that basis, as long as there is a market, I can see Microsoft continuing to develop HIS with further support to extend the web services platform to the mainframe.
“The Microsoft network product team is investigating ways of resolving peer-to-peer connectivity problems in Longhorn, and we would like to get customer feedback to help validate some of the design proposals.
Today, there are many situations where users are unable to run such functions as remote assistance, voice/video conversations, and many other peer-to-peer functions because of firewalls, NATs and other network configuration problems. Our goal is to build networking technology into the operating system that will overcome many of these problems, allowing these peer-to-peer scenarios to ‘just work’.
This survey outlines some of the proposals for resolving these connectivity problems, and asks for feedback on them. We would love to get the opinions from a wide range of users, and markets (e.g. consumers, large IT departments, etc) since this would have implications for everyone.”
I last saw the Microsoft Identity Integration Server (MIIS) product in my days at ICL, when it existed as a product called Zoomit Via. Since then, Microsoft has bought the rights to the metadirectory services technology and rewritten the product in various forms with MIIS 2003 being the latest incarnation, implemented as a Microsoft .NET application over SQL Server.
A few years back, the goal for many organisations was a single directory for the entire organisation. Nowadays it is appreciated that there will generally be a number of applications/directories in a heterogeneous infrastructure and that the answer is not to replace them all with a single directory, but to aggregate information via a metadirectory, brokering identity data, facilitating convergence and enforcing data integrity based on business rules.
Whilst identity management is often sold as a security solution it actually offers much more, enhancing user experience, business efficiency and business agility. A badly-implemented identity management solution can actually weaken security, but most of all, poor identity management costs money.
Identity management encompasses:
Directory services – repositories for storing and managing accounts, identity information and security credentials.
Access management – the process of authenticating credentials and controlling access to networked resources based on trust and identity.
Lifecycle management – the processes used to create and delete accounts, manage account and entitlement changes, and to track policy compliance.
On its own, MIIS is simply a data engine. It imports data, creates a consolidated view of that data, and exports data. But what it also does is to facilitate application of business rules to create an identity management solution with typical scenarios for an MIIS implementation being:
Provisioning/deprovisioning accounts (also known as “hire and fire”) – enabling new users to immediately become productive with access to all relevant applications and services.
Identity joining – facilitating attribute flow between connected directories, integrating data to provide a single view of a user’s identity, whilst respecting authority.
It’s important to stress that if an IT department goes out and implements a metadirectory on its own, the project is extremely likely to fail. Business logic needs to be applied. Decisions need to be made about which systems are authoritative for which data. It seems logical that the human resources department will need to be involved in a hire/fire scenario, but that the facilities management function would be best placed to update telephone numbers. Meanwhile, IT need to be involved in providing access to corporate applications such as e-mail and intranet access, but a local department (e.g. finance) might administer local line of business applications. There may be a requirement to consider precedence – e.g. human resources may enter initial contact details for a user and these may be authoritative until the facilities management group have set up a phone extension and updated the contact details, at which time the facilities management system becomes authoritative. On top of this, change control is required to close the loop between technology and process. Whatever the organisation, and however small, a metadirectory implementation should start out as a pen and paper exercise.
MIIS consists of a number of management agents which connect directory-enabled applications to an area known as connector space, which is effectively a series of database tables, to which filters are applied to specify rules for data translation. Connector space is synchronised with the metaverse – a logical, consolidated representation of all resources within the organisation.
The term management agent is actually a throwback to Zoomit Via – in fact, one of the advantages of MIIS is that no agents are deployed to connected directories. Instead, the management agents reside on the MIIS server, making native calls into a connected directory (actually, connected directory is a misnomer – connected directories do not have to be directories and there are many management agents for a variety of products). At the time of writing, management agents are available for:
Network operating systems and directory services:
Microsoft Windows NT.
Active Directory Application Mode (ADAM).
IBM Directory Server.
Other metadirectory products.
Lotus Notes and Domino.
Microsoft Exchange Server 5.5.
Telephone switches.
XML- and DSML-based systems.
Application (via flat file import/export, or connection to the underlying database):
Microsoft SQL Server.
CSV (delimited, fixed width, attribute value pairs).
In addition, MIIS 2003 service pack 1 provides an MIIS software development kit (SDK) which allows the creation of custom management agents.
MIIS represents all data as objects with a named set of attributes storing the data values. Each object is analogous to a row in a database with the attributes representing the columns. Values within one or a combination of objects (which have to be unique and immutable) are defined as an anchor, assigned a GUID and used to track the object.
Projection refers to the process of importing an object from a connected directory and creating an equivalent object in the metaverse. Where an object already exists in the metaverse, the transaction is a join. Provision is the reverse transaction – exporting from the metaverse to a connected directory via a management agent; however, management agents do not map data sources directly in and out of the metaverse and each object is staged within the connector space. The connector space object is then synchronised with its associated metaverse object.
MIIS is configured using the Identity Manager tool, which has five views:
Operations – for defining and performing run profile operations.
Management agents – for configuring management agents.
Metaverse designer – used to define the metaverse schema.
Metaverse search – a search function for the metaverse.
Joiner – used for resolving issues when mapping objects to one another.
With the exception of time and date information, object attributes are only updated in the connector space, with rules being used to define precedence and also any conversion on the data (e.g. generating a display name from a given name, initials and a family name). Rules placement needs to be considered, with inbound being a good location if the altered attributes are to be exported to many systems (known as import attribute flow) whereas outbound may be more appropriate if data is merged and only pushed out to one connected directory (known as export attribute flow).
The connector space model provides two main advantages:
Connector space provides a unified method of viewing data from disparate data sources, but it is not necessary for all of the attributes associated with each object in each of the connected directories to be mirrored in connector space (it is possible to view the connector space data using SQL Server Enterprise Manager – the MicrosoftIdentityIntegrationServer database has a table called MMS_Connector_Space).
Synchronisation can be previewed before it is implemented.
Run profiles are actions to move replicated objects to/from connected directories or the metaverse via the connector space, with import/export run profiles referring to transactions between connector space and a connected directory and synchronisation run profiles referring to the synchronisation of objects between connector space and the metaverse. These run profiles are part of the management agent configuration, specifying which object types and attributes are to be imported, exported or synchronised. It is important to note that the work of the management agent is triggered by a run profile and that MIIS is not event-driven. This is because not all directories can generate events; however run profiles can be scheduled, or code could be provided which would trap an event and trigger a run profile.
A management agent’s schema reflects the objects and attributes in the connected directory’s schema and, if the source schema is changed, the management agent’s schema may be refreshed. The configuration of a management agent can be saved as XML. After a management agent has been created and an import has taken place, the objects in connector space are referred to as disconnector objects (i.e. they are not yet connected to objects in the metaverse). The metaverse schema is completely isolated from the schema of a management agent.
A projection rule maps a connector space object type to a metaverse object type and only one rule may be configured per connector space object type. During the configuration of the management agent, attribute flow must be declared – i.e. which attributes are mapped, in which direction, and any name transformations that are required.
If join rules are defined, they are always run before any projection rules. Join rules can specify multiple conditions (based on connector space and metaverse attributes) and if these are met, the connector space and metaverse objects are joined and attribute flow initiated. If there is more than one import flow, then the metaverse designer can be used to set attribute flow precedence. If the rules do not result in a unique join, then the object remains a disconnector and the joiner must be used to resolve the issue (or the design revisited as it is possible that the rules are not appropriate). Note that joining to a non-indexed attribute can result in performance issues but these are easily resolved by setting the appropriate attributes to indexed within the metaverse designer.
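To make the projection, join, attribute flow and precedence behaviour described above concrete, here is a small model of the connector space to metaverse synchronisation. It is an added example written for this post, not MIIS code or its API; the two “management agents” (an HR feed that is authoritative for names and a phone switch that is authoritative for extensions), their sample records and the surname-only join rule are all constructed to show why an ambiguous join is left as a disconnector rather than guessed, since a mis-join would silently merge two people’s identities and entitlements.

```python
"""Toy model of MIIS-style synchronisation: projection, join rules, import
attribute flow with per-attribute precedence, and the disconnector outcome
for ambiguous joins. Added example, not MIIS code."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional
import uuid


@dataclass
class MVObject:
    guid: str                                            # metaverse object identifier
    attrs: Dict[str, str] = field(default_factory=dict)
    source: Dict[str, str] = field(default_factory=dict)  # attr -> MA that last set it


@dataclass
class ManagementAgent:
    name: str
    join_rule: Callable[[dict, MVObject], bool]
    flows: Dict[str, Callable[[dict], str]]   # metaverse attr -> rule over the CS object
    projects: bool = True                     # may unmatched objects create an identity?


class Metaverse:
    def __init__(self, precedence: Dict[str, List[str]]):
        self.objects: Dict[str, MVObject] = {}
        self.precedence = precedence          # attr -> MA names, highest precedence first

    def _may_write(self, mv: MVObject, attr: str, ma: str) -> bool:
        order = self.precedence.get(attr, [])
        if ma not in order:
            return False
        current = mv.source.get(attr)
        return current is None or order.index(ma) <= order.index(current)

    def _flow(self, ma: ManagementAgent, cs: dict, mv: MVObject) -> None:
        for attr, rule in ma.flows.items():
            if self._may_write(mv, attr, ma.name):
                mv.attrs[attr] = rule(cs)
                mv.source[attr] = ma.name

    def synchronise(self, ma: ManagementAgent, connector_space: List[dict]) -> List[str]:
        """Run one synchronisation profile; returns one outcome per CS object."""
        outcomes = []
        for cs in connector_space:
            matches = [mv for mv in self.objects.values() if ma.join_rule(cs, mv)]
            if len(matches) == 1:             # join rules always run before projection
                self._flow(ma, cs, matches[0])
                outcomes.append("joined")
            elif not matches and ma.projects:
                mv = MVObject(guid=str(uuid.uuid4()))
                self.objects[mv.guid] = mv
                self._flow(ma, cs, mv)
                outcomes.append("projected")
            else:                             # no match without projection, or >1 match
                outcomes.append("disconnector")
        return outcomes

    def find(self, **criteria) -> Optional[MVObject]:
        hits = [mv for mv in self.objects.values()
                if all(mv.attrs.get(k) == v for k, v in criteria.items())]
        return hits[0] if len(hits) == 1 else None


def display_name(cs: dict) -> str:
    """Inbound rule: display name from given name, initials and family name."""
    middle = [cs["initials"] + "."] if cs["initials"] else []
    return " ".join([cs["givenName"]] + middle + [cs["sn"]])


# Constructed sample data (hypothetical directories). HR's initial phone number is
# only a placeholder, so HR ranks below the phone MA for telephoneNumber.
HR_MA = ManagementAgent(
    name="hr",
    join_rule=lambda cs, mv: mv.attrs.get("employeeId") == cs["employeeId"],
    flows={"employeeId": lambda cs: cs["employeeId"], "sn": lambda cs: cs["sn"],
           "displayName": display_name,
           "telephoneNumber": lambda cs: cs["telephoneNumber"]},
)
PHONE_MA = ManagementAgent(
    name="phone",
    join_rule=lambda cs, mv: mv.attrs.get("sn") == cs["sn"],   # weak rule: surname only
    flows={"telephoneNumber": lambda cs: cs["extension"]},
    projects=False,                           # phone records never create identities
)
HR_IMPORT = [
    {"employeeId": "1001", "givenName": "Alice", "initials": "B", "sn": "Carter", "telephoneNumber": "0000"},
    {"employeeId": "1002", "givenName": "Dan", "initials": "", "sn": "Evans", "telephoneNumber": "0000"},
    {"employeeId": "1003", "givenName": "Fay", "initials": "", "sn": "Evans", "telephoneNumber": "0000"},
]
PHONE_IMPORT = [{"sn": "Carter", "extension": "4412"}, {"sn": "Evans", "extension": "4413"}]
PRECEDENCE = {"employeeId": ["hr"], "sn": ["hr"], "displayName": ["hr"],
              "telephoneNumber": ["phone", "hr"]}


def run_demo() -> Metaverse:
    mv = Metaverse(PRECEDENCE)
    mv.synchronise(HR_MA, HR_IMPORT)        # all three records project
    mv.synchronise(PHONE_MA, PHONE_IMPORT)  # Carter joins; "Evans" is ambiguous -> disconnector
    mv.synchronise(HR_MA, HR_IMPORT)        # HR re-import cannot overwrite the phone-sourced number
    return mv


if __name__ == "__main__":
    for obj in run_demo().objects.values():
        print(obj.attrs)
```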
For complex rules, rules extension functionality allows scripting in any .NET language, to provide advanced mappings as a method of manipulating data as the management agent synchronises objects between connector space and the metaverse. Implemented as a .NET framework assembly in the form of a dynamic link library (.DLL) file, this contains routines that are called as the management agent processes its rules.
Outbound data flow is similar to inbound, except that there is one golden rule to remember – MIIS cannot confirm an exported change until it has been imported again from the connected directory. Therefore an import should always be performed directly after an export to confirm the status of the connected directory.
Object deletion rules are specified for each object class to define what happens to the metaverse object when it is deleted from a connected directory, using either a rules extension, or options to remove the object when it is deleted from either the last connected directory or through a specified management agent. Deprovisioning is supported within the management agent configuration, with options for:
Making the object a disconnector.
Making the object an explicit disconnector (i.e. do not reconnect).
Delete the object at the time of the next export.
Unfortunately, provisioning using MIIS still requires coding – although the product is maturing and codeless provisioning is expected to be included in the next release. One method of automating directory updates is to save rules after creation (e.g. as VBScript) and to schedule execution of the script.
Password synchronisation is supported for any connected directory with a password application programming interface (API). Many management agents have this functionality built in and support real-time password synchronisation, via the password change notification service. This requires an agent to trap plain-text password entry before encryption (unless reversible encryption is supported – which it generally won’t be), but MIIS can detect changes in Active Directory. Changes are queued in case MIIS is offline at the time of the change, with the management agent encrypting the password details using a key that is only known by MIIS. There is also a web-based self-service password management application within MIIS, which will take password changes and replicate them out to all connected systems.
MIIS is available in two product editions – MIIS 2003 Enterprise Edition (with the complete set of management agents and features), and the cut-down Identity Integration Feature Pack for Active Directory (AD), which includes AD and Active Directory Application Mode (ADAM) management agents, supports Exchange GAL synchronisation and is a free download from the Microsoft website, although it does require the use of Windows Server 2003 Enterprise Edition.
MIIS 2003 service pack 1 extended the reach of MIIS, bringing extra functionality in the shape of additional management agents, password synchronisation with the Windows desktop and improved provisioning capabilities. It also allows the use of SQL Server 2000 Standard Edition (reducing cost as there is no longer a dependency on SQL Server 2000 Enterprise Edition). More management agents will be released over time (SAP and PeopleSoft management agents are expected next) and future enhancements will be aimed at lowering the cost and risks of directory management.
There is also an MIIS resource toolkit 2.0, which adds functionality and flexibility for remote administration and configuration of MIIS.
So what about the future for MIIS? One former colleague, who knows more about identity management than I do, suggested that the product is already pretty capable, and that it is only its Microsoft “badge” which is preventing it from being taken seriously. Meanwhile Microsoft is busy preparing the next version of MIIS (codenamed Gemini and due for a 2006 release), aiming to catch up with the competition (rumour has it that the following version will be Apollo, just as in the Russian and American space race of the 1950s, ’60s and ’70s).
MIIS Gemini is intended to lower the costs and risks associated with identity management and is currently addressing:
Workflow for provisioning and self-service (using the Windows Orchestration Engine from Windows Server 2003 Release 2).
Improved support for clustering (failover is supported now, but the workload stops – e.g. an in-progress import operation will not complete).
Computed attributes (dynamic groups).
Cross-forest group management.
Capacity planning documentation.
Additional management agents for UNIX systems, OpenLDAP and generic LDAP (whilst most vendors support LDAP, some have their own extensions and a generic LDAP management agent will be provided).
A couple of months back, I blogged about a driver to provide direct access to virtual floppy disks. Today, I’ve come across a number of sources (most notably Thomas Lee and Steven Bink), that pointed me in the direction of a similar tool for directly mounting ISO CD images in Windows XP – the Microsoft Virtual CD Control Panel. Although unsupported, and not even searchable on the Microsoft download center, this tool is referenced in the MSDN Subscriptions FAQ. There are other tools for manipulating ISO images, but what I like about this is that it simply allows me to mount an ISO as another drive in my system, in the same way that Virtual PC can capture an ISO image and use it as the CD drive.
The UK IT industry is a small world and I frequently attend events where I bump into people that I haven’t seen for a while. A couple of months back I turned up at a course and found myself next to a former colleague from 10 years back. This week I’m attending an SMS training course at QA where the instructor is Bernie Kilshaw, who delivered much of my Microsoft Official Curriculum (MOC) training in my days at ICL, including all of my training for Microsoft Windows NT 5.0 (later renamed Windows 2000).
Yesterday, Bernie reminded me of a Windows tip which I had forgotten about, but which is very useful – the ability to right-click on a file and view it in Notepad (or any other chosen application) using the Send To menu.
To set this up requires the ability to view hidden folders within Windows Explorer. Once that has been turned on (in the folder options), simply create a shortcut to Notepad (or any other chosen application) in the %homedrive%%homepath%\SendTo folder.
For those who do have a tablet PC that’s running Windows XP Tablet PC Edition 2005 (i.e. the SP2 version), Microsoft has now released the (dubiously named) Experience Pack for Tablet PC including six new programs that they claim “will help you be more productive and creative” (some of these were previously available as unsupported downloads):
Ink Desktop – allows the notes to be taken directly on the desktop for quick and easy access later.
Snipping Tool – lets the tablet pen be used to select a portion of a website, document, or other content on the screen. Handwritten comments can then be added and the composite image pasted into another program (such as an e-mail message).
Ink Art – allows painting with a tablet pen.
Media Transfer (requires Windows Media Player 10) – allows the copying or streaming of media files from another computer (e.g at home) to a tablet PC, to enjoy access to music, home videos or digital photo albums whenever and wherever.
Ink Crossword – lets users solve crosswords on their tablet PC using a tablet pen. Twelve puzzles are included and a daily puzzle can be downloaded free of charge with further puzzle packs available for purchase online.
Energy Blue Theme Pack – previously released as a separate download, which now appears to be unavailable.