All posts by Filip Bartoš

Case Study: Continuous migration from Oracle Waveset IdM on CzechIdM

On September this year we embarked on a unique event – the gradual transition of Identity Management by former Sun to our own product, Identity Management CzechIdM. The product of the former Sun (today’s official name is the Oracle Waveset) is not longer a new owner by Oracle, further developed or supported. One of our customers has therefore decided to migrate to a fully supported CzechIdM.

Customer’s environment is quite extensive and SunIdM it serves a wide range of systems, we found ourselves as a major challenge: how to convert existing solutions under complicated new product without downtime and minimal change to the user? The answer is very gradual migration project: both Identity Management “you thread” and gradually we combine different systems for full operation. In his article, I’ll introduce you to the architecture and highlight solutions to some of the difficulties with which we encounter during implementation.

The basic idea

Demanding analysis led to the idea of both Identity Management concatenate. Install CzechIdM alongside the old Oracle Waveset and connect the both that will be one to the second one common end system. Indeed, when we provide two-way data flow between the two identity management system may one at a time to disconnect from Waveset and switching for full operation on CzechIdM.

The source of all identities for Waveset before migrating the personnel system Navision. The new installation will CzechIdM throughout the migration source Waveset. Only when they reconnected all systems except for personal, be transferred to the new version of Navision synchronization of identities and Waveset we can definitely off.


1. CzechIdM je nainstalováno po boku Wavesetu

2. Koncový systém je napojen dvakrát – jednou z CzechIdM, jednou z Wavesetu

3. Koncový systém je plně přepojen na CzechIdM

4. Všechny koncové systémy kromě personálního jsou přepojeny

5. Personální systém přepojen na CzechIdM

6. Migrace na CzechIdM dokončena, Waveset vypnut.

Synchronization database

For security reasons, among them Waveset and CzechIdM do not communicate directly; into their midst, we put MySQL database synchronization. For Waveset is a common the ending system in which on-line exports the necessary user data for CzechIdM is the authoritative source.

Synchronizing organizational structure

In addition to information about the identity of Waveset we do CzechIdM had to convert the organizational structure. Finally, we decided to “synchronize together with identities”. We assume that the empty organization is important. Thanks to make do with identity information: organization, create the first identity, which is inside, and erase it with the last deleted identity.

Synchronizing roles

During the gradual migration we encountered the following problem: some permissions and roles relate to systems that have been converted into CzechIdM, some of the systems are still connected to SunIdM. At the same time it must be possible all the roles and all rights to manage through a single administrative interface, which should be in the Waveset interface.

Therefore, in synchronization databases also store information about the assigned roles in Waveset. Some role in Waveset this applies to the systems that the Waveset long are not connected. This do not mind – about which user has assigned role, is propagated via the synchronization database to CzechIdM where the same role already assigned automatically and without approval.

The usual procedure

The usual procedure for the transfer of the current system we direct in the following six steps:

  1. Implementation connector CzechIdM
  2. Transfer of related structures roles and permissions to CzechIdM
  3. Transfer of business processes associated with the system
  4. Enrichment synchronizing database with the necessary identity information
  5. Pairing existing accounts with CzechIdM.
  6. Disconnect the system from Waveset.


In the article I outlined the problems of gradual migration from (Sun IdM) Oracle Waveset to CzechIdM. If you are interested in this topic and want to learn more, or stand before a similar challenge and you need help, email me at!


Managing mail server using CzechIdM

Identity Manager CzechIdM can manage various types of data like filesystems, domain accounts, business systems and also mail server. This article will focus on managing mail server using CzechIdM.

What is it mailserver?

Mail servers are used to proccess e-mails. They can receive them but also forward them to another mail server mainly using the internet. Anyone can get their own e-mail address in the form anything@domain.tld and password. These credentials are used to access mail client – web interface running on the server (webmail) or standard client installed on our pc (Mozilla Thunderbird, Microsoft Outlook etc.). After successful authentication and login client download messages from the server and display them to user. Whether for security (data remain on the company’s servers) or organizational reasons companies often run their own mail servers. With this solution there is new concern for companies – someone must take care about e-mail accounts created on the mail server which takes often a lot of administrators extra time. How to get out of this?


How can CzechIdM help you

CzechIdM can handle accounts on mail server centrally, securely and automatically. All accounts can be created automatically without the intervention of an administrator. For example, with arrival of a new employee can be created their account in company’s personal system. Accounts can be managed via CzechIdM interface. CzechiIdM has really easy graphic interface so special knowledge about mail servers or technologies running on the server is not needed from administrators. You can see example situation on the image below.


Creating account on mail server

Let’s try to create account on mail server. First login to CzechIdM administrator interface and then go to the Users section. From the list of identities we can see that there is only one identity created – identity for user with login name jan.novak. User still doesn’t have account on mail server. Let’s create it. Click on edit link in the row with this user.



Now you can see user edit form. Click on “User’s role and controlled organisations” tab. CzechIdM is role-based system. Access to each system can be granted by assigning the role to identity. On the image below we can see that identity jan.novak doesn’t have assigned any role. Click on “Assign role” button.



The role that we’re looking for is in our example called “Roundcube user”. This role represents user account on mail server. Let’s click on “Add” link in the row with this user.



Now we can see the role “Roundcube user” in the list of roles assigned to identity jan.novak. To save this change we must save form by clicking on “save” button.



The displayed message informs us about succesfully assigned role to identity jan.novak and sucessfully created user account on mail server.



Our sample mail server keeps users in simple MySQL table. The list of existing users in this table can be shown directly in CzechIdM. To do that we must go to the “Systems” section and find mail server system in the shown list of connected systems (in our example it’s “Roundcube database (JDBC connector)”).



Click on the link “Show accounts” in the row with this system. Now we can see all existing accounts. In our example it’s just one user – jan.novak.



As we wrote above, users accounts are stored in easy mysql table so we can also verify existence of account using simple SQL command:

mysql> select * from users;
| userid | domain | password |
| jan.novak | czechidm.tld | d41d8cd98f00b204e9800998ecf8427e |
1 rows in set (0.00 sec)

We can see that account of user jan.novak really exists in this MySQL table. Let’s try to login to webmail client with this new account.



Enter the user credentials and click to “Login” button. In our example have all users e-mail address in form name_of_identity@czechidm.tld. We can see that user were succesfully created. Mailbox is empty because it’s a new user account.



We have seen that user account can be created in a few clicks without special knowledge of technologies running on the server. Simply we can also block, delete show info about accounts.




In this article we described how can CzechIdM help you to manage mail servers. If you found this article interesting, feel free to contat us at

CzechIdM and Exchange 2007

One of our customers decided to abandon the old version of Microsoft Exchange, namely version 2003, and upgrade to a newer version – MS Exchange 2007. Our Identity Manager CzechIdM takes care of all accounts across the information system – it automatically creates, updates and deletes accounts according to the user lifecycle.

Let’s have a look at the migration from MS Exchange 2003 to MS Exchange 2007 from the point of view of the Identity Manager CzechIdM. We are going to discuss what changes had to be done and what are the main differences between the connection of MS Exchange 2003 and MS Exchange 2007.



Continue reading

Dynamické vytváření dokumentů

Při vytváření elektronických dokumentů často narazíte na situaci, kdy stále dokola vytváříte ty stejné dokumenty a pouze v nich měníte dokola ta stejná data. To Vás časem omrzí a začnete hledat způsob, jakým vaší práci zefektivnit a co nejvíce automatizovat. Ale jak na to? Můžeme zvolit některou z knihoven určených pro práci s konkrétním typem dokumentů nebo s dokumenty pracovat sami. Tento článek obsahuje informace, jak takovou situaci vyřešit bez jakékoliv knihovny pro práci s dokumenty a konkrétně s ukázkou na dokumentu OpenDocument Writer (.odt). Stejně tak je však možné pracovat i s dokumenty .xls, .doc atd.
Continue reading

Responsivní design

Tématem tohoto článku je moderní trend týkající se front-end prostředí webových aplikací – Responsivní design. Responsivní design se stále více mění z něčeho, co “bylo dobré mít” na něco co “je nutné mít”. Není se tedy čemu divit, že se toto téma v současné době všude probírá a vývojářům nedá spát.

Continue reading

Interní školení v BCV: Umění telefonické komunikace

Také jste někdy volali do cizí firmy a už v polovině hovoru jste si říkali “už aby tenhle rozhovor skončil”? Byl hovor nepříjemný, dlouhý nebo jste se v něm střetli s neochotným člověkem? Podobná situace se jistě stala každému z nás. Telefonní komunikace je často podceňovaná a přitom často vytváří první dojem potenciálního zákazníka na firmu. Protože si jsme významnosti tohoto typu komunikace plně vědomi, uspořádali jsme si v BCV interní školení komunikace po telefonu. Školení se skládalo jak z teoretické části, tak i z praktické, kde si každý mohl vyzkoušet vyřešit řadu rozličných situací.

Continue reading

Prezentace Metasploit framework

V rámci interních školení u nás proběhla prezentace o Metasploit framework. Metasploit framework je nástroj, který nám dokáže poskytnout velké množství informací o bezpečnostních chybách v systému. Jak už z popisu vyplývá, je známý především mezi lidmi, kteří se pohybují okolo bezpečnosti – tedy vývojáři, analytiky, hackery, atd. Jaká témata jsme v prezentaci probrali se dozvíte z agendy níže.

Continue reading