The Mercury Cyber Object Exporter shares its origins with the current PS Labs Object Exporter, which is the XML Object Exporter module of the Standard Services Framework (SSF). The author originally noticed some small and some large differences between the output of the IdentityIQ Deployment Accelerator (IIQDA) XML writeback and the XML Exporter, and initially published modifications to Compass in order to match output file naming and formatting.
After tackling formatting, the effort to replace the XML Exporter reverse tokenization was undertaken. Since the IIQDA code was not available, the XPath processing had to be implemented independently. That change was integrated into the author's custom code, which was then packaged as a Plugin and expanded into the features presented in this product. This code was developed independently of the PS Labs plugin but shares some code with it, since both have the same open source ancestor.
This plugin is compatible with any IdentityIQ system that can accept plugins and has the Plugin database active.
The MC Object Exporter Plugin provides Object Export functionality with additional zip file support. It is currently used at several clients to perform weekly archiving of all code assets. It can also be used with the SSB for "round tripping" of the code assets, similar to the round-tripping function of the IIQDA, but with the ability to do this for every file in one action.
Plugins can be installed four ways:
The plugin installs the MCPlugin Object Exporter and MCPlugin Zip Folder TaskDefinition templates into your environment. To create a working task instance, open the New Task dropdown and choose one of these two templates, depending on your needs. This creates a new task for you to fill in the details.
The zip folder task is intended to be used with the XML Export functionality or the Account Extract functions of the MC Spoofing Plugin. Its main job is to pack the files in a folder into a zip file.
Creating a task from the MCPlugin Zip Folder template produces a new task instance whose details you then fill in.
The full description of reverse tokenization is too extensive for this document. To simplify, here are some general guidelines for building an XPath expression.
- Start with the object type like `/Application` or `/TaskDefinition`
- When specifying an individual Element, use `[name\='name\ of\ the\ object']`
- Notice the backslash escaping of = and space
- Next follow the XML elements in order, i.e. `/Attributes/Map`
- For an entry you will use `/entry[key\='map\ key']`
- Follow logically to the end of the XML
- If the tokenized element is an attribute, specify its name like `/@value=%%TOKEN%%`
- If the tokenized element is an element, specify its name like `/value=%%TOKEN%%`
- Attribute tokens are simply `%%TOKEN%%=Text`
- Element tokens must be specified as XML such as `<Boolean/>`
- List tokens will be specified as XML such as `<List><String>192.168.0.10</String></List>`
- For pretty tokens you can add \n to the end of a line and continue on the next line.
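As an added illustration (not the plugin's own code), the following Python walks the guidelines above end to end: two properties-style lines, one ending in an attribute (`/@value`) and one in an element (`/value`), are split at the first unescaped `=`, the `\=` and `\ ` escapes in the path are undone, the path is resolved against a constructed IdentityIQ-style Application object, and the target is replaced with the token. Two assumptions are made for the demo: the bracket predicate `[name='x']` is treated as a test on the XML attribute `name` (so it is rewritten to ElementTree's `[@name='x']`), and a path that matches nothing is treated as an error, because a silent miss would leave the real host name or DN in the exported file. The plugin's own XPath processing may differ from this.

```python
import re
import xml.etree.ElementTree as ET

# Constructed reverse-token lines in the XPath layout described above. The part
# left of the first unescaped '=' is the path (with '=' and spaces escaped as in
# a Java properties file); the part after it is the token that replaces the
# attribute or element the path points at.
XPATH_TOKENS = r"""
/Application[name\='Training\ AD']/Attributes/Map/entry[key\='host']/@value=%%AD_HOST%%
/Application[name\='Training\ AD']/Attributes/Map/entry[key\='useSSL']/value=%%AD_SSL%%
"""

# Constructed IdentityIQ-style Application XML (the values are made up).
APP_XML = """<Application name="Training AD" type="Active Directory - Direct">
  <Attributes>
    <Map>
      <entry key="host" value="ad.training.sailpoint.com"/>
      <entry key="useSSL">
        <value>
          <Boolean>true</Boolean>
        </value>
      </entry>
    </Map>
  </Attributes>
</Application>"""


def split_properties_line(line):
    """Split at the first unescaped '=' and unescape the key (\\= and \\ )."""
    key = []
    i = 0
    while i < len(line):
        c = line[i]
        if c == "\\" and i + 1 < len(line):
            key.append(line[i + 1])      # escaped '=' or space belongs to the key
            i += 2
        elif c == "=":
            return "".join(key), line[i + 1:]
        else:
            key.append(c)
            i += 1
    raise ValueError(f"no '=' separating path and token: {line!r}")


def to_etree_path(path):
    """Turn the plugin-style path into an ElementTree path.

    Assumption for this demo: "[name='x']" selects on the XML attribute 'name',
    so it becomes ElementTree's "[@name='x']". Returns (element_path, attr):
    attr is the attribute name for '/@attr' paths, or None for element paths.
    """
    path = re.sub(r"\[(\w+)=", r"[@\1=", path)
    attr = None
    if "/@" in path:
        path, attr = path.rsplit("/@", 1)
    return path.lstrip("/"), attr


def tokenize_xml(xml_text, token_lines):
    """Apply every path line to the XML and return the tokenized XML string."""
    root = ET.fromstring(xml_text)
    holder = ET.Element("holder")     # lets the path start at the root element
    holder.append(root)
    for line in token_lines.strip().splitlines():
        path, token = split_properties_line(line)
        epath, attr = to_etree_path(path)
        target = holder.find(epath)
        if target is None:
            # A path that matches nothing would leave the real value in the export.
            raise LookupError(f"path matched nothing: {path}")
        if attr is not None:
            target.set(attr, token)           # '/@value' case
        else:
            for child in list(target):        # '/value' case: replace the body
                target.remove(child)
            target.text = token
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(tokenize_xml(APP_XML, XPATH_TOKENS))
```

Running it prints the Application with `value="%%AD_HOST%%"` on the host entry and `<value>%%AD_SSL%%</value>` on the useSSL entry; the `<Boolean>` body is gone because the element token will be supplied as XML (`<Boolean/>` style) from the target properties at import time. Failing loudly on an unmatched path is the check worth keeping: the export is what gets committed to source control and shipped between environments.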
Merge files use the `<ImportAction name="merge">` element so that only the elements present in the file are applied to the target object. You will want to take a baseline export of a new installation and put the following files into the merge folder, in subfolders laid out as in a normal export:
- AuditConfig/AuditConfig-Auditconfig.xml
- All of the Configuration files
- Dictionary/Dictionary-Passworddictionary.xml
- All of the ObjectConfig files
- UIConfig/UIConfig-Uiconfig.xml
Old meets new. The old reverse-token functionality did not work. It relied on using the target.properties file as the reverse token source, such as:
%%TRAINING_GROUPS%%=ou=groups,dc=training,dc=sailpoint,dc=com
But as you can see this is backwards: the left side is the text that should be searched for. Since the code reads the reverse tokens into a Map keyed on the left side, you could not have two strings reverse-tokenize to the same token, such as:
%%TRAINING_GROUPS%%=ou=groups,dc=training,dc=sailpoint,dc=com
%%TRAINING_GROUPS%%=ou=groups,dc=training,dc=sailpoint,dc=net
Only the last one will work. So I reversed this and now the tokens are presented as follows:
ou=groups,dc=training,dc=sailpoint,dc=com=%%TRAINING_GROUPS%%
ou=groups,dc=training,dc=sailpoint,dc=net=%%TRAINING_GROUPS%%
Both of these strings will tokenize to %%TRAINING_GROUPS%%. But this does not solve an additional problem, that of capitalization. Since AD is largely case insensitive, we want the following all to tokenize to the same token:
ou=groups,dc=training,dc=sailpoint,dc=com=%%TRAINING_GROUPS%%
OU=groups,DC=training,DC=sailpoint,DC=com=%%TRAINING_GROUPS%%
OU=GROUPS,DC=TRAINING,DC=SAILPOINT,DC=COM=%%TRAINING_GROUPS%%
The above would work fine for those 3 combinations of capital and lowercase but not for:
oU=groups,dc=Training,DC=sailpoint,Dc=com
Reverse tokenizing these strings is not as simple as a toLowerCase() compare, because the code does a xml=xml.replace(string1,token), and so every combination of upper and lower case letters has to be tried.
This was implemented using a technique that tries every combination. This is activated by adding a third % sign to the end of the token, such as this:
ou=groups,dc=training,dc=sailpoint,dc=com=%%TRAINING_GROUPS%%%
However, notice that the 42-character string above has 2^42, about 4 trillion, combinations. To reduce the number of iterations, logic was added to iterate only over alphabetic characters. That takes the above string down to 34 alphabetic characters, for 2^34, about 17 billion, iterations. This is still too much.
If you are using this technique you would want to break this up into sections as follows:
ou=groups=%%GROUPS_OU%%%
dc=training=%%TRAINING_DC%%%
dc=sailpoint,dc=com=%%LDAP_DOMAIN%%%
This only requires 256 + 1024 + 65536 iterations (2^8 + 2^10 + 2^16, under 67,000 in total).
This functionality was developed specifically for tokenizing the Profile sections of IT Roles, which cannot be easily modeled as XPath. It can also be used for tokenizing Java code, which is not recommended. Instead, put environment-specific values into a Custom object and read that data on the fly.
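As an added illustration (not the plugin's own code), the following Python reproduces the behaviour described in this section: a reverse-token file in the `string=%%TOKEN%%` layout is split at the last `=%%` so that the `=` signs inside a DN survive, a trailing third `%` switches a rule to case-insensitive mode, and that mode is implemented the way the text describes it, by enumerating every spelling of the alphabetic characters and calling replace() for each. Alongside it, as a practitioner's note, the same result is produced by a single case-insensitive regular-expression substitution per rule (Java's equivalent is Pattern.quote with Pattern.CASE_INSENSITIVE), which needs no 2^n loop and no splitting of the DN into sections. The file and the Profile XML are constructed for the demo; the plugin's actual parser may differ.

```python
import itertools
import re

# Constructed reverse-token file in the "string=%%TOKEN%%" layout described
# above; a third % marks a case-insensitive token. The tokens are the ones from
# the text, the file itself is assembled here for the demo.
REVERSE_TOKENS = """\
ou=groups=%%GROUPS_OU%%%
dc=training=%%TRAINING_DC%%%
dc=sailpoint,dc=com=%%LDAP_DOMAIN%%%
ou=groups,dc=training,dc=sailpoint,dc=net=%%TRAINING_GROUPS%%
"""

# Constructed IT-role Profile fragment containing the mixed-case DN from the text.
SAMPLE_XML = """<Profile>
  <Attributes>
    <Map>
      <entry key="memberOf">
        <value>
          <List>
            <String>CN=Admins,oU=groups,dc=Training,DC=sailpoint,Dc=com</String>
            <String>CN=Ops,ou=groups,dc=training,dc=sailpoint,dc=net</String>
          </List>
        </value>
      </entry>
    </Map>
  </Attributes>
</Profile>"""


def parse_reverse_tokens(text):
    """Return [(search_string, token, case_insensitive)] from the file text.

    The search string can itself contain '=' (every LDAP DN does), so each
    line is split at the LAST '=%%', not the first '='.
    """
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        cut = line.rfind("=%%")
        if cut < 0:
            raise ValueError(f"no token on line: {line!r}")
        search, token = line[:cut], line[cut + 1:]
        insensitive = token.endswith("%%%")
        if insensitive:
            token = token[:-1]               # drop the third % flag
        rules.append((search, token, insensitive))
    # Longest search string first, so "dc=sailpoint,dc=com" is replaced before
    # any shorter rule that would also match inside it.
    rules.sort(key=lambda r: len(r[0]), reverse=True)
    return rules


def variant_count(search):
    """Number of upper/lower spellings: 2 ** (alphabetic characters)."""
    return 2 ** sum(c.isalpha() for c in search)


def case_variants(search):
    """Yield every upper/lower spelling of the alphabetic characters."""
    choices = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in search]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def tokenize_brute_force(xml, rules, max_variants=1 << 20):
    """Reverse-tokenize with plain replace() over every case variant,
    which is the %%% behaviour the text describes."""
    for search, token, insensitive in rules:
        if not insensitive:
            xml = xml.replace(search, token)
            continue
        if variant_count(search) > max_variants:
            raise ValueError(f"{search!r} has {variant_count(search)} "
                             "variants; split it into sections")
        for variant in case_variants(search):
            xml = xml.replace(variant, token)
    return xml


def tokenize_regex(xml, rules):
    """Same result with one case-insensitive regex substitution per rule."""
    for search, token, insensitive in rules:
        flags = re.IGNORECASE if insensitive else 0
        xml = re.sub(re.escape(search), lambda _m: token, xml, flags=flags)
    return xml


if __name__ == "__main__":
    rules = parse_reverse_tokens(REVERSE_TOKENS)
    for search, _token, insensitive in rules:
        if insensitive:
            print(f"{search}: {variant_count(search)} variants")
    print(tokenize_regex(SAMPLE_XML, rules))
```

Both functions turn `CN=Admins,oU=groups,dc=Training,DC=sailpoint,Dc=com` into `CN=Admins,%%GROUPS_OU%%,%%TRAINING_DC%%,%%LDAP_DOMAIN%%`, and the .net DN into `CN=Ops,%%TRAINING_GROUPS%%` through the case-sensitive rule. The brute-force path refuses the full 34-letter DN (2^34 variants) unless it is sectioned as the text recommends; the regex path has no such limit, and sorting rules longest-first avoids a shorter rule eating part of a longer DN before the longer rule runs.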
Mercury Cyber
Copyright © 2024 Mercury Cyber - All Rights Reserved.