Thursday Nov 22, 2007

SCEA Part 1 Beta exam

I passed the part 1 of the Sun Certified Enterprise Architect Part 1 Beta exam. Now I have to complete the Part II and Part III which is assignment and essay. This beta exam covers the new features of Java EE 5 and I found it very interesting and relevant. Being part of GlassFish community was one of the main reasons for me being able to clear it.

Tuesday May 15, 2007

Selecting certificates programmatically in WSIT

I am involved in porting the jax-rpc based  WS-I Supply Chain Management sample application to WSIT which is based on JAX-WS. I  used Netbeans 5.5.1rc1 with WSIT modules along with GlassFish v2 for this which made it a lot easier than it would have been to do it without IDE support. WSDLs were imported using netbeans which generated the web services classes. Customization files were used to customize the packages of generated classes. Netbeans wizard to create web service references (clients) were then used to create web service references to call other web services. The business logic was filled in and Java DB was used for the database access.

The components involved in this are depicted here.

Configuring security using netbeans was straight forward for almost all of the services and client. The KeyStore and TrustStore part of security configuration for Warehouse A,B,C and Manufacturer A,B,C services and clients was not possible using the security policy assertions in wsdl and wsit-client.xml . This is because the 3 instances of the services use the same base wsdl. Kumar Jayanti showed me the way out with the usage of AliasSelector and CertSelector.

AliasSelector implementation was used to return the correct keystore alias depending on the who the caller was. To determine the caller, a BindingProvider property was set on the client stub's RequestContext as shown below.

WarehouseShipmentsPortType warehouseAStub =
((BindingProvider) warehouseAStub).getRequestContext().put(

In the AliasSelector ,

public class AliasSelector implements com.sun.xml.wss.AliasSelector{

public String select(Map map) {
  if(map == null || map.isEmpty()){
    return null;
    WSIConstants.CALLER_RETAILER)) {
    return "wsi-retailer-sign";

The CertSelector selected the certificate from the TrustStore based on the certificate CommonName and the CALLEE property which was set on the stub.

WarehouseShipmentsPortType warehouseAStub =
((BindingProvider) warehouseAStub).getRequestContext().put(
((BindingProvider) warehouseAStub).getRequestContext().put(

CertSelector implementation extract:

public class CertSelector implements{

private Map runtimeProperties;

public CertSelector(Map properties){
  this.runtimeProperties = properties;

public CertSelector clone(){
  return new CertSelector(this.runtimeProperties);

public boolean match(Certificate cert) {
  X509Certificate xcert = (X509Certificate) cert;
    if(((String)runtimeProperties.get(WSIConstants.CALLEE)).toLowerCase().indexOf("warehousea") != -1 ) {
if(xcert.getSubjectX500Principal().getName().indexOf("CN=WarehouseA") != -1 ){
  return true;

The wsit-client.xml will have the following configuration to point to the instance of AliasSelector and CertSelector.

<wsp:Policy wsu:id="WarehouseSoapBindingPolicy">
    <sc1:KeyStore wspp:visibility="private" storepass="xxx" type="JKS" location="/glassfish/domains/domain1/config/keystore.jks" aliasselector="com.sun.wsi.scm.util.AliasSelector">
    <sc1:TrustStore wspp:visibility="private" storepass="xxx" type="JKS" location="/glassfish/domains/domain1/config/cacerts.jks" certselector="com.sun.wsi.scm.util.CertSelector">

You can use these Selector interfaces to implement any kind of certificate management solution specific to the deployment.
Refer to the articles , ask the experts sessions and blogs for staying informed on this and other topics in web services and security.

Technorati Tags: , , ,

Powered by ScribeFire.

Wednesday Feb 21, 2007

Updated WS-Trust interoperability samples in WSIT

The interoperability samples for WS-Trust were added recently in WSIT. I received some feedback on my earlier blog entry and made it even simpler to run these samples. The simplified steps are given below.

  1. Download GlassFish v2 and install it if you already don't have GlassFish v2. GlassFish v2 has WSIT bundled in it. Start the glassfish server.
  2. checkout ws-trust samples from cvs
  3. cvs -d co wsit/wsit/samples/ws-trust
  4. Set the glassfish.home property in wsit/wsit/samples/ws-trust/interop/
  5. There are 4  scenarios , namely transport-binding,mutual-certificate-10, mutual-certificate-11 , secureconversation-mutual-certificate-11. Go to the desired scenario directory.
    For Eg,
    cd wsit/wsit/samples/ws-trust/interop/src/mutual-certificate-11
  6. run the sample by choosing the appropriate target. The available targets are s-s-s,s-s-m,s-m-s,s-m-m,m-s-s,m-s-m,m-m-s,m-m-m . These target names denote the platform ( sun or ms ) for <client>-<sts>-<server>

  7. For eg,

    ant s-s-m

You can also open the scenarios as netbeans projects and explore them in detail. The important files to look at are the wsdl files in  etc/service/ , etc/sts , the client file in simple/client , the server file in simple/server and the STS implementation in simple/sts. The readme.txt in the wsit/wsit/samples/ws-trust/interop folder gives further details for running the transport-binding and  secureconversation-mutual-certificate-11 scenario.

If you have hosted the Microsoft's WCF endpoints in your local intranet and want to try the scenarios against that, edit the in each scenario and change the property

For tomcat, the steps are same, except you set tomcat.home property in step 3.
Try it, explore it, give suggestions and feedback if you have any.

Monday Feb 19, 2007

WS-Trust interoperability samples

Web Services Interoperability Technologies ( WSIT ) enables interoperability between the Java platform and Microsoft's Windows Communication Foundation (WCF). This includes interoperability in the area of WS-Trust. You can now run samples based on the interoperability scenarios of WS-Trust from the WSIT workspace. You can try the various combinations of message flows by choosing either sun or microsoft as your client or server or the STS. The endpoints configured for Microsoft are as listed in the WCF Interoperability Plug-Fest page. You can use this as a model for the real world scenarios you are trying to develop or compare scenarios if something does not seem to be working in your development workspace.

Given below are the steps to try them. This assumes that you have already installed WSIT on either GlassFish or tomcat. If not, follow the steps in this link.

Start by checking out WSIT source code or just the samples.

cvs -d co wsit/wsit/samples/ws-trust/interop

Checkout the certificates needed for interop with Microsoft

cvs -d co wsit/wsit/samples/ws-trust/certs

Edit the and set either the glassfish.home or tomcat.home to the appropriate directory


Copy the directory wsit/wsit/samples/ws-trust/certs/xws-security to {glassfish.home} or {tomcat.home}

Set up WSIT_HOME system property on the server

For Glassfish:

asadmin create-jvm-options -- -DWSIT_HOME==\\$\\{com.sun.aas.installRoot\\}

For Tomcat, set or export the following environment variable in the terminal in which you start tomcat


Restart GlassFish or Tomcat

Go to the interop directory.

cd wsit/wsit/samples/ws-trust/interop/

There are 4  scenarios , namely transport-binding,mutual-certificate-10, mutual-certificate-11 , secureconversation-mutual-certificate-11. As the names suggest, they are based on the security policy used in each scenario.

Select a scenario, go to that directory.

cd src/mutual-certificate-10

Run the scenario by the following ant target

ant s-s-s

The above notation is a short form of saying run the scenario by selecting sun as the client, STS and the server. You can change it to say,

ant s-m-s

in which case, sun client contacts Microsoft's STS, gets a token issued, secures the message with that token and sends it to the Sun server.

You can also run

ant m-s-s

in which case we use Microsoft's Hosted Client to call Sun's STS and Sun's server. Note that this will only work if the sun's endpoints are reachable from Microsoft's public endpoints.

There are other ways to run the samples. You can say

ant -Dclient=sun -Dsts=ms -Dserver=ms

and the sample will run with the combination suggested.

You can also edit the, and set the properties client,sts,server appropriately and just say


The readme.txt in the wsit/wsit/samples/ws-trust/interop folder gives further details for running the transport-binding and  secureconversation-mutual-certificate-11 scenario.

As you have seen, just by changing some command line parameters you can play around with lot of combinations of message flows in WS-Trust scenarios (For eg, you can try s-s-s,s-s-m,s-m-s,s-m-m, m-s-s,m-s-m, m-m-s, m-m-m).

If you want to see those messages , turn on the WSIT message logging properties on the client and server side.

Provide feedback either my mailing to the WSIT mailing lists or by leaving a comment on this blog entry.

powered by performancing firefox

Wednesday Sep 06, 2006

command line completion in GlassFish

"GlassFish ": has powerful command line interface in the form of asadmin. I used the following technique to have the bash shell autocomplete the asadmin commands and options .

1. create the directory (if it doesnt exist already)

mkdir -p /etc/bash_completion.d/

2. create the file /etc/bash_completion.d/asadmin with the following contents

local cur prev opts
opts=`cat /etc/bash_completion.d/commands.txt`
COMPREPLY=( $(compgen -W "${opts}" -- ${cur}) )
return 0
complete -F _asadmin asadmin

3. download and copy the "file commands.txt ": to /etc/bash_completion.d/

4. source the above script into your current bash shell

source /etc/bash_completion.d/asadmin

Now say you want to start the domain in debug mode, press

asadmin sta[TAB]do[TAB] --deb[TAB]
, you can see autocompletion in action.

I used "this helpful document ": in trying out this. The file commands.txt was generated from the "file CLIDescriptor ": .

Tuesday May 16, 2006

WS-Trust in WSIT

Project Tango is a Sun initiative focused on delivering interoperable Web services technologies. Web Services Interoperability Technology (WSIT) is an open-source implementation of next generation Web services technologies that deliver interoperability between Java EE and .Net to help you build, deploy, and maintain Composite Applications for your Service Oriented Architecture. It is focused on four main categories: Messaging, Metadata, Security, and Quality-of-Service (QoS).

The main standard for security in Web Services is WS-Security. WS-Security introduces the concept of security tokens for encoding secuirty information for the purpose of authentication, auththrization, confidentiality, integrity, etc, of  messages exchanged. It also defines the mechanism of carrying security token with the messages for message level security. WS-Trust is introduced to address the issues when the security tokens are not consumed by the service provider. This is the case, for example, when the Web Service client and the Web Service provider sit in different security domains and have no direct trust relationships. The protocols defined in WS-Trust allow for establishing a Security Token Service as a trust authority for brokering trust among Web Services consumers and Web Services providers.

Project Tango provide a general framework for building a Security Token Service based on any existing authentication, authorization and identity management system. The integration of WS-Trust into WS-Security framework makes it transparent to applications for using Security Token Service on top of WS-Security to secure Web Services.

All the policy elements and configurable parameters for this can be set using the netbeans attributes editor. The editor simplifies to a great extent the otherwise difficult job of writing the wsdl (wsit.xml) and the client side configuration (wsit-client.xml) with correct policies.

It is also a great learning experience to use this combination of Netbeans + glassfish + WSIT for those who want to learn about webservices standards. Download , use , learn and participate in it.

WS-SecureConversation in WSIT

Project Tango is a Sun initiative focused on delivering inter operable Web services technologies. Web Services Interoperability Technology (WSIT) is an open-source implementation of next generation Web services technologies that deliver interoperability between Java EE and .Net to help you build, deploy, and maintain Composite Applications for your Service Oriented Architecture. It is focused on four main categories: Messaging, Metadata, Security, and Quality-of-Service (QoS).

WS-SecureConversation defines extension to the WS-Security standard. It addresses two major issues for using WS-Security in multiple message exchanges: performance and security weakness while using encryption keys repeatedly. It introduces the concept of security session in terms of security context with authentication state and negotiated session keys for securing messages. It also defines derived key mechanism which allows new key materials to be used to increase the overall security.

The security context is represented by a security context token and can be applied within the WS-Security framework. The sharing and managing of the security context is based on the general framework in WS-Trust.

Sun and Microsoft have been successfully working together in testing many interoperability scenarios in secure conversation. The integration of all the components in WSIT is well designed and transparent to anyone who wants to build and use secure web services. Netbeans provides easy to use wizards and editors to rapidly develop , customize and assemble web services and web service clients. GlassFish provides a top class production ready container to develop and run your services. Together, all these open source components projects provide great value to developers and companies engaged in web services. So, use it and participate in it by joining the project, reporting issues, providing feedback or bug fixes, proposing enhancements and helping other users of this community project.

For information on Web Services Interoperability Technology (WSIT), please go to For more information on the open source project on, please go to project page at

Saturday Apr 29, 2006

NexentaOS: A dream come true

This is my first blog and "NexentaOS": is the inspiration for this. After having used "solaris 10": , "OpenSolaris": and ubuntu, I was dreaming of having the best of both to improve my productivity. Solaris is known for its reliability and in solaris 10, it had an amazing set of features that a developer couldnt live without like DTrace, zones, SMF, improved TCP/IP stack, great compiler/debugger,profiler tools in "Sun Studio": , great java and "netbeans": support etc. Ubuntu had good installation, package management and ease of use features. In NexentaOS I found the best of both worlds which is indeed my dream come true.

I downloaded the iso from nexenta , burnt the cd, and started the installation process on my workstation. I tried to do manual partitioning, but as the warning said it is for advanced users only. So I selected automatic partitioning, and the desktop profile. Probably due to my old cd drive, the installation stalled midway, so I had to abort the installation and reboot. Then I tried minimal installation, which went through without any problems. After booting to the command line login screen, I tried apt-get to install the remaining packages. Somehow some of the packages were not found on the repository, so I tried adding unstable repository to /etc/apt/sources.list. This resulted in some broken packages, so I reverted back to the testing repository. Then as a last resort I booted back to the install cd, selected the upgrade option and this installed the required desktop packages and I was able to login to gnome and got a pleasant surprise at the great look and feel and the availability of the usual set of tools and software. I knew that firefox is version 1.0.7 as in ubuntu, and I wanted firefox 1.5. When I tried the tarball from "": , it gave an error because moz_patch_checker.dtksh was using /usr/dt/bin/dtksh. I replaced dtksh with /usr/bin/bash and firefox worked fine.

So far so good, I now have to experience all the features of this budding offspring of opensolaris.

A screenshot is "here":




« June 2016