Earlier this week, I received an email from a senior member of Passlogix's management team to open up a discussion and also to clarify their position. One of the topics of conversation centred around one of my posts and specifically my statement:
If you "upgrade" from ITAM ESSO to Passlogix v-GO or Oracle's OEM version of v-GO, you will have to buy the product again. Your IBM licenses will not carry over, unless Passlogix and/or Oracle get very aggressive and agree to "upgrade" your deployment and waive the software costs
The next few paragraphs in orange summarise my understanding (not a direct quote, so it includes some of my commentary) of Passlogix's position.
Passlogix's response is that they are working with every customer running IBM Tivoli Access Manager for Enterprise Single Sign-On (ITAM ESSO) 6.0 (the current version and OEM of Passlogix v-GO) to give them options moving forward and to help give them a choice. They will also honour the existing maintenance contracts that IBM has in place, and if the customer chooses to have Passlogix support them directly, there will be no additional charges to do so.
Passlogix also completely agree with my point that upgrading from ITAM ESSO 6.0 (Passlogix v-GO OEM) to ITAM ESSO 7.0 ("blue rinsed" Encentuate) will be a real pain in the behind because it's a "rip and replace". They make mention of the fact that v-Go is an "infrastructure free/event driven technology" and Encentuate is "server based/script driven". I can't confirm that Encentuate is indeed server based and script driven because I have never seen it in action. If it is, then it will be very painful migrating between the 2 approaches. As an aside, I should point out that it's not surprising that they agree! It helps them keep existing customers. I'm sure every single Passlogix employee is being told to say this. Unfortunately for IBM, I'm right. So IBM, you're going to need to work VERY hard to make it worthwhile for a customer to move to ITAM ESSO 7.0.
One last thing that Passlogix would like to remind us is that if you're the type of organisation that MUST evaluate technology before you can implement it, you'll also have to put up with that pain (as will IBM) before you can migrate to ITAM ESSO 7.0.
IBM will obviously tell you that you do not need to evaluate anything and that it should be treated as an upgrade. How you choose to view it is completely your call. Just be aware that these are the 2 differing views and whichever you pick will have implications for your migration or upgrade plan.
At this point in time, here are your choices:
- Upgrade to ITAM ESSO 7.0 when it comes out - No additional software license, maintenance or support costs (unless your maintenance contract is expiring). Lots of services pain. Who pays for the services? If IBM doesn't wear most of it, they aren't trying hard enough.
- Move to Passlogix - No additional software license, maintenance or support costs (unless your maintenance contract is expiring). Services pain will probably be minimal if any. If you have other IBM Tivoli Security products deployed however, keep in mind that future integration points will probably be released for ITAM ESSO 7.0 ("blue rinsed" Encentuate) before Passlogix get a chance to write their integration pieces by virtue of the fact IBM will generally build their integration pieces between internal products first (not always, but this is almost always true within the same IBM product suite). I'm pretty sure Passlogix will continue to support integration between v-GO and the IBM Tivoli products, but they will just be slower in getting them released. There's not a lot Passlogix can do about it of course because they will only be able to build integration pieces into IBM products by working with IBM (unless they wait for APIs to be published, which will make it even slower).
- Move to Oracle - They'll charge you for the software, maintenance and support (does someone from Oracle want to email me to tell me that you won't?). Services pain will probably be minimal if any. If you have other IBM Tivoli Security products deployed however, this is not a smart choice unless you are ready to throw IBM out and replace your whole Identity and Access Management infrastructure with Oracle.