Monday Dec 07, 2009

Load Balancing for Glassfish V2 Deployments and BIG-IP Systems: Addendum

I was recently at a customer who was having issues configuring BIG-IP to load balance to Glassfish (v2.1.1) cluster instances.   They had been following Prashanth's blog directions on how to configure this setup.   The load-balancing piece worked fine; However, BIG-IP would not recognize a Glassfish instance as running in the monitor.  The monitor is extremely simple, it just does a GET and if it gets a valid response then Glassfish is running.   The send string is typically set as:

GET /index.html HTTP/1.0

Glassfish showed no requests in the access logs.  If we used a browser to request index.html it would return correctly.  Oddly, we replaced Glassfish with Tomcat running on the same port.   The monitor send string was unchanged.   BIG-IP immediately recognized the instance as running.    The next step was to watch the traffic.   An easy way to do this was to use tcpmon.   tcpmon is a simple utility that watches TCP traffic.    With tcpmon in between the browser and Glassfish/Tomcat we were able to watch what was going on.   Requests were coming in fine, but only tomcat would respond.   Step three was to really bump up the logging level.   We added this property to <domain.xml>:

-Dcom.sun.enterprise.web.connector.grizzly.enableSnoop=true

This showed that a connection was being established to Glassfish (snip from the logs with IPs changed to protect the innocent)

[#|2009-11-20T11:09:25.515-0600|INFO|sun-appserver2.1|javax.enterprise.system.container.web|_ThreadID=15;_ThreadName=SelectorThread-7780;|Handling OP_ACCEPT on SocketChannel java.nio.channels.SocketChannel[connected local=/10.99.101.29:7780 remote=/1.1.1.1:50627]|#]
[#|2009-11-20T11:09:25.518-0600|INFO|sun-appserver2.1|javax.enterprise.system.container.web|_ThreadID=15;_ThreadName=SelectorThread-7780;|Handling OP_READ on SocketChannel java.nio.channels.SocketChannel[connected local=/10.99.101.29:7780 remote=/1.1.1.1:50627]|#]
[#|2009-11-20T11:09:25.529-0600|FINEST|sun-appserver2.1|javax.enterprise.system.container.web|_ThreadID=21;_ThreadName=httpSSLWorkerThread-7780-0;ClassName=com.sun.enterprise.web.connector.grizzly.DefaultReadTask;MethodName=finishConnection;_RequestID=f902a22c-7228-4c91-8ef4-6ddd686d044a;|finishConnection|#]

My next step was to simplify.   Instead of requesting index.html from either a browser or BIG-IP, we switched to wget.   The http headers are much less verbose for wget.   Matching the BIG-IP send string to what wget sends still had the same effect.   That is when I started thinking back to the golden days of telnet (OK, telnet is still around and you can do this with SSH as well).   If you telnet to an http server port you can type in the GET command to request a page.   The gotcha is that after you finish typing the command you have to hit two carriage returns.   So, I changed the BIG-IP request string to:

GET /index.html HTTP/1.0\\n\\n

BIG-IP showed Glassfish as a running instance, confetti fell from the roof, and there was much rejoicing!

Monday Mar 02, 2009

OpenSSO Authentication with Active Directory (Part 1)

One of the common requests that I get is for a tutorial on how to use Active Directory in conjunction with OpenSSO.   The documentation does what I think is a fantastic job.   I'm going to try and build upon it to provide a step by step tutorial.  Part 2 will be using Active Directory as the User Store and using Authorization services with AD

 This assumes that you have already installed and configured a basic install of OpenSSO.    This configuration uses OpenSSO Express B5, Glassfish v2u2, & Windows 2000.    The FQ hostname for the OpenSSO install is www.idp.com


  1. In the OpenSSO Administration Console, click realm for which you want to add the new authentication chain.
  2. Click the Authentication tab.
  3. Create a new module instance with the following data: 
    1. Primary Active Directory server: ADServer:ADServerPort
    2. DN to Start User Search: dc=example,dc=com
    3. DN for Root User Bind: cn=Administrator,cn=users,dc=RootUser,dc=com
    4. Password for Root User Bind: AdministratorPassword
    5. Attribute Used to Retrieve User Profile: sAMAccountName
    6. Attributes Used to Search for a User to be Authenticated: sAMAccountName
    7. Search Scope: SUBTREE

      Module Name

      Server and Port

      Attributes

  4. (Optional) Create a new Authentication chaining instance:

    1. Add a new instance for the authentication instance created in the previous step.

    2. Set the criteria to Sufficient.

  5. (Optional) Change Default Authentication Chain to the new authentication chain you just created.

  6. Click Save.

  7. Either Logout or use a different browser. In this example I have a sample application already installed. If you opt not to use the Authentication Chain, you will need to specify the Authentication module directly. You would need to configure the agent to use a url like http://www.idp.com/opensso/UI/Login?AuthenticationModule=ActiveDirectory

  8. If you've done everything as this tutorial describes you will get this message after you authenticate with your active directory credentials.

  9. The error message above is created because there is no corresponding user in the OpenSSO user store. You can remove this error by changing the profile configuration in OpenSSO. This is located in the Advanced Properties page located under the Authentication tab.  By default this is set to required. You can change to ignore or dynamic. Dynamic will automatically create a corresponding user in the OpenSSO datastore based upon the Active Directory credentials.


Friday Oct 03, 2008

American Express is full of FAIL

Yesterday I made quite a few purchases that I needed.    While trying to get a few items at Wal-mart, my card was temporarily disabled.   This is a good thing.   This means American Express watched my account and noticed all the charges.   The idea is that I contact them to ensure that these charges are legit.    When contacting them, the automated system asked that I enter the first 4 letters of my password.   I was kind of at a loss for this, so I did what I normally do. I pressed 0 repeatedly.   When I spoke to the customer service rep, he asked the exact same question.   This tells me that my password is NOT encrypted or hashed when stored in their system.   Well, they could have another field with the first 4 letters hashed/encrypted but I doubt it.   The fact that AmEx passwords are already very weak (No symbols, small password size) just enfuriates me more.

 </Rant>

Monday Aug 25, 2008

Facebook Security

I had an interesting question from a friend this weekend.  

"What setting do you use on Facebook for security?"

I rambled for a bit about security in general, but I think I answered his question well enough.   I believe I summed it up with one statement, but I'll add some other ideas and tips

  1. Assume Anything and Everything you put on Facebook is public!
  2. See Rule #1
  3. I set privacy setting to either "My Networks and Friends" or "Only Friends".   If its something I would set to "No One", I don't put it on Facebook!

Rule #1 comes into play with everything around Facebook.   As you add friends the risk of personal information escaping increases.   You shouldn't add people you don't know, but since I would classify 70%-80% of the friends I have as non-technical and 95% as non-security focused, I'm still at risk.   The same goes for applications.   I try to be very selective about which applications I use.   I currently only use "Where I've Been", "Books I've Read", "Stadium Tour", "SunWeb News" and "RateBeer".   I never respond to the "Compare yourself" requests.    Some people may think this takes away from the Facebook experience, but I'd rather be cautious.


Thursday Aug 14, 2008

Misconceptions about Java

Its really sad that there are people in the technology world who still don't understand Java.   This gem in the NY Times sums it up:  

...Last year, it changed its ticker symbol to “JAVA,” the name of a popular scripting language, from “SUNW.” 
 

Java is NOT a scripting language.   You have to love when rumors and speculation count as "Business News"  and they even get it wrong.

Tuesday Jul 29, 2008

Podcast Overload

I'm a huge fan of Podcasts.   I listen to them during workouts, yard work, programming, and while traveling.   I've just added a new one that I absolutely love.   Lew Rockwell of http://www.lewrockwell.com/ has joined the podcasting world.   With titles like "How to Buy Gold and Silver", "Who Killed the Constitution", and "The Banks are Broke", you know that this is just a continuation of the great work from his site. My problem is that with another Podcast that actually seems to come out daily.  I'm just running out of time to enjoy all of them/

Technology

  • TWIT - Seriously, how can anyone go without this podcast
  • Security Now - Good intro to security topics
  • Network Security Podcast - I believe this to be the best all around Security podcast.
  • PaulDotCom Security Weekly - Great security podcast, gets pretty technical and in depth.
  • Risky Business, Silver Bullet Security, Securabit - Just started listening, so haven't formed a good opinion

History

  • Dan Carlin's Hardcore History - Dan is an insightful amateur historian that asks great questions.  Wish he was more regular with updates
  • Common Sense with Dan Carlin - Not really history, and this is Dan's main show.   I like Hardcore History better, but this will get you to think
  • History of Rome - Mike Duncan's weekly podcast of the Roman Empire.  I just finished the 2nd Punic Wars.   I wish my History classes had been like this
  • 12 Byzantine Rules - Lars Brownworth's overview of 12 rulers in 18 podcasts.  I wish there were more.

Sun/Java

  • Identity Management Buzz - Covers all things Identity at Sun.
  • Glassfish Podcast - All things Glassfish related, what else?
  • FAMTalk - Only 3 podcasts, but covers Federation very well.   Also cool when I know All of the hosts
  • Java Posse - Probably the podcast that started it all for me back in the Java Cast days.   Four guys having fun and talking Java

Fun/Politics (yes, I combine them into one category)

  • Antiwar Radio - Scott Horton and Charles Goyette combine to do great reporting.   This probably isn't what you think it is, these are free market, pro-capitalist, antiwar interviews.   Gareth Porter, Gordon Prather, Scott Hornberger, Pat Buchanan, Ray McGovern, Scott Ritter, Alan Bock, the list goes on.
  • Mises Institue Media - Hundreds of podcasts from Conferences, conventions, book readings, etc...   This is the definitive site for Austrian Economics.   If you don't know what Austrian Economics is, go to www.mises.org.    I promise you won't be bored and you'll probably understand the world we live in much better.
  • The Math Factor - What can I say, I'm a math nerd.   I enjoy numbers.
  • North Point Ministries: Andy Stanley - Good Pastor and good sermons.   
  • Astronomy Cast - Covers cosmic rays to Quasars and everything in between
  • LSAT Logic in Everyday Life - A short 5-10 minute podcast that covers logical fallacies we face everyday
  • The Lew Rockwell Show - Mentioned above.   I always enjoyed when Lew read speeches or articles on the Mises podcast.
  • Scam School - Fun Video Podcast that teaches tricks you can use to earn free drinks
  • Tiki Bar TV - Learn to make drinks and have fun doing it.  Oh and Lala, Will you marry me?
I didn't provide links, I'm trying to finish this post before a presentation I have to do (Yikes! 15 min left).   I believe that you can find all of them through iTunes.   And YES, they are free
Blogged with the Flock Browser

Tags: ,

Sunday Jul 13, 2008

Working in the Cloud

I tend to travel a lot, so having all my devices synced is of great importance to me.   Lately I've been using two technologies that make my life much easier.

Evernote :  Evernote is like MS Onenote but enhanced for cloud computing.   OneNote seems to be focused towards students, but it does work well for professionals too.   The issue I have with OneNote is that it stores its data locally.   Evernote solves that problem.   Its designed to work on multiple platforms and easily sync between them.   I can make notes on my desktop and view them on my laptop or even my iPhone. 

Weave: This firefox plugin synchronizes bookmarks, cookies, and forms between computers.   I constantly save bookmarks from pages that I wish to read at a later time.   If I save it on my laptop browser, I'll never remember to read it when I'm at my desktop.   Weave now allows me to work seamlessly between them.   FoxyMarks also works, but so far I like Weave better.

Monday Jun 09, 2008

Verisign Identity Protection and OpenSSO

I've owned a Paypal Security Key for some time now. I was recently asked by a customer if Sun Access Manager/OpenSSO can use Verisign Identity Protection, which is really what the Paypal key uses behind the scenes. The answer is YES! While OpenSSO doesn't have a ready out-of-the-box authentication module for VIP, its very easy to create one. I'm not sure if OpenSSO will ever add one since a large portion of VIP is Token Management.  Which tokens are associated with which users is something I would consider out of the scope of OpenSSO. Even if we made it customizable with a configuration page, I can guarantee we won't cover every option. I'm planning on making a simple interface to try this, I'll post when I finish.

This is based upon the steps provided by Terry Gardner on the wikis.sun.com site.   I've added my own entry

  1. Download all the Software you will need: Glassfish, Netbeans, OpenSSO, and VIP Test Drive. I used Glassfish V2U2, Netbeans 6.1, and OpenSSO v2 B4. I also used JDK 1.6u6
  2. Install the Software. I'll leave this exercise up to you, since I don't want to write all the install steps
  3. You'll need to create a Web Service reference from the vip_testdrive.wsdl. In Netbeans 6.1, go to the Services Tab, New WebService, and point to the WSDL file.
  4. Create the VIPWebServiceClient.java We only need the Validate method for Authentication. VIP provides a very rich set of services for enabling, disabling, and synchronizing tokens
  5. Create VIPPrincipal.java
  6. Create VIPLoginModule.xml
  7. Create VIPLoginModule.java. For my interface I only use Validate() and expect the end-user to provide username, tokenID, and the OTP. In a real deployment, you would most likely use the username to discover what Tokens are registered with the user. Then use that information so the user doesn't have to remember their tokenID. You may also notice that I'm not using a password. I really just wanted to prove that Access Manager/OpenSSO could integrate with VIP. So, THIS IS NOT 2-FACTOR AUTHENTICATION!   You only get "Something you have" with this module. I'll leave it up to you to build the "Something you know". And NO, I don't consider username to be something you know. 
  8. Move VIPLoginModule.xml to the config/auth/default directory
  9. Package the .class files into a jar file and place it in WEB-INF/lib
  10. You will need to add the Client Cert to the application server keystore. That was a pain in itself since java expects JKS type keys and VIP provided P12. I'll cover this in another post
  11. Restart Application Server
  12. Visit http://yourmachine.com/opensso/UI/Login?module=VIPLoginModule

  13. Generate a OTP using the VIP utils provided.   The TokenID for this example is VSST57152657 and the OTP is 000138.   This is a time based token.   VIP also contains event based tokens.

  14. Once you've filled in the correct values, you should be authenticated to OpenSSO

Conclusion

Building an Authentication Module for OpenSSO was easier than I thought. I spent most of my time trying to import the Client cert. The other issue I battled was Verisign's Web Service. It uses different URIs depending on what you are doing. These are NOT defined in the WSDL, but at run time. The Sample code they provide inserts them. For example /mgmt/soap is for activation or deactivation, and /val/soap is for validation. The VIP sample uses AXIS, but I wanted to use JAX-WS.

If you get a chance, I recommend getting the "Football" token for Paypal. Its a great second factor for security.

Saturday Jun 07, 2008

Gurley Police... Seriously??

Ok,  I have a good upcoming post about integrating Verisign Identity Protection with OpenSSO.   I'm reading through the EUL again to make sure I don't violate any Verisign policies before I post on it.   Hopefully I can post later today.   With that said, I really have to vent about a strange experience with Gurley, AL police yesterday.   I was driving over to Hunstville, AL from Atlanta for a friend's wedding. I'm heading West on Highway 72. There was a wreck right at Little Cove Road and 72, which is where I need to exit. So, I drive another 30 yards, turn into an Exxon station which backs up to Little Cove Road. I'm now on Little Cove Road past the wreck. About 500 yards down, there is a Gurley Police car blocking the road refusing to allow me to go away from the wreck! He's actually forcing people to turn around and go back toward the accident. Needless to say, I wasn't happy about this display of ignorance. Turned around, got back on 72 West, Drove 1/2 mile further, turned on Rock Cut rd, turned on Little Cove rd about 200 yards on the other side of the officer. The whole time shaking my head and wondering why people don't use their brain like they should.   

<script type="text/javascript" src="http://www.google.com/jsapi?key=ABQIAAAAsagaAH_QR8jD38WoviiKYBTYOHRYQyaJRrni1yug5Vdmd9NpfRTVL68dt5gjUVPZL03bsec-ykdGmQ"></script> <script type="text/javascript"> google.load("maps", "2.x"); // Call this function when the page has been loaded function initialize() { var map = new google.maps.Map2(document.getElementById("map")); map.setCenter(new google.maps.LatLng(37.4419, -122.1419), 13); var point = new GPoint(-34.698296,-86.381164); var marker = new GMarker(point); map.addOverlay(marker); var point = new GPoint(34.697484,-86.389661); var marker = new GMarker(point); map.addOverlay(marker); } google.setOnLoadCallback(initialize); </script>

Monday May 05, 2008

CommunityONE, JavaONE, and Other Ramblings

I just finished the day at CommunityONE.   There were some great announcements, such as Sun's release of OpenSolaris.   If you get a chance download it and try it out!  CommunityONE covered a wide range of topics, including Netbeans, Glassfish, Linux, MySQL, OpenSolaris, and other Open Source technologies.

I'll try to blog about some of the sessions I attend.

 

While watching TV in my room I was presented with this screen.   Are we really at the point where this is deserving of being on the root menu??

If you haven't figured it out, I'm talking about Option 4.


Thursday Apr 17, 2008

Sun IDM Developer Wiki

I've created a Wiki Space at Sun's new Wiki site that hopefully will be a store for Sun Identity Manager examples.   I'm hoping to leave the permissions pretty open so that everyone can contribute.    You will need to be registered if you don't already have a Sun Online Account.   To Register simply select "Log In", then "Register Now"

http://wikis.sun.com/display/sunidmdev 

 

There is another just starting IDM wiki site at http://idmdev.wikidot.com/how-to-edit-pages 

Thursday Jan 31, 2008

Another Free Java Programming Course

For those of you wanting some good introductory programming courses for Java look no further than The RoboCommunity.  This site was created by a Professor Diane Wolff at Virginia Western Community College.   She attended her first JavaOne  last year and has been Java enthusiastic ever since, establishing her own Java Users Group and this FREE online community.   While there, she purchased a WowWee Robot, and has been using it to get junior high and high school students to get excited about Java and Technology careers.

If you get a chance join the community and don't miss this years JavaOne.   Registration is now open!

Oh, the reason I use "another" in my title is because Sang Shin's JavaPassion is one of the best free Java courses around

Good Luck Diane! 

 

Monday Nov 26, 2007

"I Fought the Law" and the Law kept postponing the trial....

I've been harassed about not keeping my blog up to date, so I'm vowing to do better.   I've been working a good bit with IDM and AM/FM, so I should have some good material to post.    Unfortunately for you, I have to vent first.

I'm currently fighting a traffic violation that I received at the beginning of the year.    The police officer claims I ran a stop sign.   I didn't and there is no way he could even see the stop sign from where he was parked.   Very large green things called "Trees" blocked his view.   I received the ticket back in March...  I'm still waiting for my day in court.   Everytime I go in for my court date, its postponed because the officer is currently stationed in Iraq.    Currently its scheduled for January, but that looks doubtful.    Sadly, the court system is doing everything it can to "Save me time".   If I would just pay the fine for a crime I didn't commit, I wouldn't have to come to court over and over.    Sorry, No chance I'm going to admit to something I didn't do.   

Could be worse, Another fella in court was given a ticket in June 2006 (For not having his headlights on 30 min prior to Sunset) around 5PM EST.

Friday Dec 01, 2006

Getting JSPWiki working in Sun Java System Web Server 7

I just got JSPWiki working in SJSWS 7.   I'm creating this wiki really for myself.   I try to be organized, but I tend to have various pieces of information scattered across multiple systems.    Text files here, pdf doc there, ...    In whatever medium I use, its organized, the hard part is just discovering where I put it.   My goal is to move all my various tips and tricks to a Wiki.    Since I do travel, I'll have the ability to always update it, wherever I go.

Now, Getting JSPWiki installed wasn't too bad.   It didn't quite go as simply as the guide. I do want to thank Siriam and Marina for creating this doc.  The trouble I had was that when I tried to start the WebServer, I would get multiple Java errors concerning the jspwiki.properties file.   Since the application never started, I couldn't use the /JSPWiki/Install.jsp to set my properties.   All I had to do to fix this was edit the jspwiki.properties file beforehand.  Make sure to set you Working directory, Page directory, and Staging directory.   Also make sure these directories exist and permissions are properly set.   With that fix I was 90% complete.   The only additional step was to follow the instructions  Joe Mocker has for getting JAAS configured correctly.

 Everything is up and running!   Now I'm just trying to get some theming done.   
 

Tuesday Oct 10, 2006

Access Manager working with other SSO Products

Dealing with Competitor products and their licensing policies.......[Read More]
About

bounds

Search

Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today
Links
Blogroll

No bookmarks in folder