Friday Mar 06, 2009

See you @MySQL Conference, 2009

I will be speaking at this conference. Don't miss out on this exciting session on GlassFish/MySQL/NetBeans.

Further info: http://en.oreilly.com/mysql2009/public/schedule/speaker/46352

 

Wednesday Oct 08, 2008

Top 20 Risks in Outsourcing(Offshoring) and mitigation tips.

I hope you find this table useful as a measuring tool to begin your Risk Management of such projects.

Please leave your comments/suggestions.

| Risk# | Description | Mitigation Plan Synopsis |
|---|---|---|
| 1 | Poor selection of vendor. | Consider a detailed study of vendors, including current processes, customer references etc., rather than blindly believing the track record. |
| 2 | Scope creep: scope of the project getting wider with new requirements to be addressed. | Phased approach with milestones and trade-offs at various stages. |
| 3 | Process and quality standards incompatible with vendor. | Agreed upon standards and processes must be part of the binding contract. |
| 4 | Security breach including confidentiality, IP and trade secrets. | Require vendors to meet security standards and monitor with effective auditing. |
| 5 | Infrastructure breakdown; could be a software/hardware/network failure that may or may not be directly in the vendor's control. | Review and approve Business Continuity and disaster recovery plans of the vendor. Audit data from simulated disaster drills. |
| 6 | Poorly designed disaster recovery systems/processes. | Review and approve Business Continuity and disaster recovery plans of the vendor. Audit data from simulated disaster drills. |
| 7 | Reduced employee motivation as outsourcing is perceived as loss of job. | Establish employee retention strategies such as retention bonus, performance map etc. |
| 8 | Political/cultural unrest. | Be sensitive to cultural issues. |
| 9 | Process non-alignment and differing governance model. | Establish compatible and agreeable processes and include them as part of the contract. |
| 10 | Increased labor rate as the project progresses. Vendor might try to justify the increase with reasons such as inflation or currency conversion fluctuations. | Binding document should contain appropriate forecasts and waivers wherever applicable. |
| 11 | Legal and regulatory risks. | Increase awareness about region-specific laws and regulations to better plan for incompatibilities and allowable trade-offs. |
| 12 | Non-alignment of management and reporting structure with vendor. | Expect governance model to be included in RFPs. |
| 13 | Lack of control or insight into vendor progress. | Well planned milestones, immediate deliverables along with appropriate documentation plan. |
| 14 | Country-specific issues such as differing laws, educational systems. | Increase awareness of all stakeholders. |
| 15 | Higher project transition cost. | Factor in a detailed transition cost to overall project cost. |
| 16 | Response time not within the acceptable/required limits as the vendor is spread across time zones. | Flexible shifts to respect time zones and increased frequency of meetings. |
| 17 | Project members of vendor lack project knowledge or technology know-how. | Review vendor team selection process. |
| 18 | Knowledge transfer issues such as inability to capture tacit knowledge. | Recorded videos, tutorials, webcasts to transfer knowledge. |
| 19 | Dependence on a single vendor for all outsourcing needs. | Core processes, deliverables designed to be loosely coupled with vendor's technologies, processes. |
| 20 | Cultural differences. | Increased cultural awareness through specialized trainings. |

Wednesday Oct 01, 2008

Simple Tips to secure your Web Servers.

1). Introduction


In our global business environment it is imperative for all participants to have a web site. Web and electronic commerce sites are growing in number every day, and so are the threats to them. Businesses are exposed to the outside world through web servers. An April 2006 survey indicates that there are more than 80 million web sites on the internet(1).

Organizations can protect themselves from threats using common security measures including firewalls and IDS (Intrusion Detection Systems). These common security solutions still do not provide a completely safe environment against the sophisticated techniques used by modern-day hackers. Enterprises' reliance and dependency on their websites has grown considerably with the advancement of technology. Many times a simple compromise of the web site can cost the business a lot. Needless to say, security is a prime concern when choosing a web server.

Security vulnerabilities in web servers and the business applications deployed on them pose a big challenge to keeping corporate data and resources safe from snooping, intrusion, or misuse. Since web servers provide data via an externally or publicly exposed interface, the web server is a well-known target for exploitation. Unprotected and poorly configured web servers are highly susceptible to malicious activity, such as theft or denial of service to an organization’s resources.

2). Scope

Major security forums (e.g., SysAdmin(2), Security (SANS) Institute(3) and the Open Web Application Security Project (OWASP)(4)) do a good job of constantly updating the community in great detail about security threats and mitigation techniques. The following are some well-known and most often exploited vulnerabilities that pave the way for attacks against an organization's web server.

  • Communication programs such as Instant Messaging.
  • Non-existent/poorly administered backup and logging mechanisms.
  • Weak/no/default passwords.
  • Cross-site scripting (XSS).
  • Unchanged default installation and configuration.
  • Lazy programming techniques.
  • File sharing applications.
 

Though web server security can be enhanced by various automated tools, this blog identifies two sources that play a key role in providing a secure environment for the web server and the web applications hosted on it. They are Web Server Administrators and Web Application Developers.

This blog does not cover all of the possible security guidelines/practices that these two entities can follow, but only highlights some of the most obvious and simple techniques and procedures that are very effective in preventing attacks on the web server, thereby increasing security. The core theme of this blog is “securing web servers by minimizing vulnerabilities”.

A Web Server administrator is usually a dedicated person or sometimes a team, depending on the size of the organization. The administrator's main responsibilities include installing, configuring and updating web servers with the latest patches. The administrator is also responsible for working closely with the development team to fine-tune the web server to suit development needs, performing backup/restore and implementing security policy related to web servers.

A web application developer is a software application developer responsible for automating the business requirements through front-end and back-end e-commerce solutions. Responsibilities include deploying the application on production web servers by working with the web server administrator. Web server security is a wide area offering solutions at various levels, from network to physical security. All of the attacks on web servers happen through vulnerabilities in web applications, hence this blog is focused on the web application developer who builds these applications and the web server administrator who provides a secure container to host them. Though there are several ways to prevent such attacks from reaching the web server and the applications, they are not fail-proof, so it is important to provide stronger security to the prime targets: the web applications.

3). Administrator's role in securing web servers.

Let us look at some of the simple techniques that a web server administrator can use to secure web servers.

 

3.1). Configure to prevent DOS attacks:

It is important to configure web servers appropriately and not rely on the default configuration. Configured correctly, a web server can even prevent a denial-of-service attack from reaching it. A Denial-of-Service (DoS) attack is an explicit attempt by malicious users to prevent legitimate users from using a service. Such an attack can be launched by sending continuous requests to the server for a particular web resource. Most recent web servers provide an easy mechanism to prevent such attacks. For example, Sun Java System Web Server(5) can detect a DoS attack by monitoring frequently accessed URIs and denying requests if the request frequency is considerably high. It is very easy to tweak the server to prevent Denial-of-Service attacks by configuring request limits and monitoring the maximum number of connections per virtual server.
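A small model of the mechanism described above, denying requests for a URI once its request rate crosses a limit. This is an added example, not Sun Java System Web Server code; the class name, thresholds and traffic are constructed for illustration.

```python
from collections import defaultdict, deque


class UriRequestLimiter:
    """Deny requests for a URI whose request rate exceeds a configured limit.

    Times are integer milliseconds supplied by the caller, so the behaviour
    can be replayed deterministically.
    """

    def __init__(self, max_requests, window_ms, penalty_ms):
        self.max_requests = max_requests   # requests tolerated per window
        self.window_ms = window_ms         # length of the sliding window
        self.penalty_ms = penalty_ms       # how long a flooded URI stays denied
        self.hits = defaultdict(deque)     # uri -> timestamps still inside the window
        self.denied_until = {}             # uri -> time at which the penalty ends

    def allow(self, uri, now_ms):
        # A URI that tripped the limit stays denied until its penalty expires.
        if now_ms < self.denied_until.get(uri, 0):
            return False
        hits = self.hits[uri]
        # Forget requests that have slid out of the window.
        while hits and now_ms - hits[0] >= self.window_ms:
            hits.popleft()
        if len(hits) >= self.max_requests:
            self.denied_until[uri] = now_ms + self.penalty_ms
            hits.clear()
            return False
        hits.append(now_ms)
        return True


def replay(limiter, requests):
    """Run (time_ms, uri) pairs through the limiter in time order."""
    return [(t, uri, limiter.allow(uri, t)) for t, uri in sorted(requests)]


# Constructed traffic: a burst against /login, ordinary requests elsewhere.
CONSTRUCTED_TRAFFIC = (
    [(t, "/login") for t in range(0, 800, 100)]      # 8 requests in 0.7 s
    + [(150, "/index.html"), (900, "/index.html")]   # normal browsing
    + [(2000, "/login"), (4000, "/login")]           # during and after the penalty
)

if __name__ == "__main__":
    limiter = UriRequestLimiter(max_requests=5, window_ms=1000, penalty_ms=3000)
    for t, uri, ok in replay(limiter, CONSTRUCTED_TRAFFIC):
        print(f"{t:>5} ms  {uri:<12} {'served' if ok else 'denied'}")
```

A deployed limiter also has to bound the size of its per-URI table, since the set of requested URIs is chosen by the client.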

 

3.2). Configure not to reveal HTTP headers:

The more information web servers provide about themselves to the outside world, the more vulnerable they are to attack. Hackers are always looking for information to exploit vulnerabilities. HTTP response headers are information sent from a web server to its client applications (predominantly a web browser). A poorly configured web server might reveal information such as the web server version and the operating system name and version. Web server software, like other software products, has bugs, and vendors usually alert their users publicly to such bugs and strongly encourage them to apply fixes/patches to resolve them. If the version of the web server and the operating system it runs on is known to a hacker, it is easy to find open bugs/vulnerabilities on the vendor's site and base attacks on them. Freely available programs such as websniffer(6) reveal HTTP response header information. Below is sample output gathered from the hotmail.com web site, where the web server version is visible.

HTTP/1.1·302·Found
Connection:·close
Date:·Mon,·10·Mar·2008·19:49:52·GMT
Server:·Microsoft-IIS/6.0
X-Powered-By:·ASP.NET
X-AspNet-Version:·1.1.4322
Pragma:·no-cache
Location:·http://mail.live.com/
Cache-Control:·no-cache
Pragma:·no-cache
Expires:·-1
Content-Type:·text/html;·charset=utf-8
Content-Length:·138

Vendors do not turn off such header information, since it helps statistics companies such as Netcraft gather data, but there are documented ways for an administrator to turn it off. As an administrator, it is important to follow such post-installation configuration steps to make the web server more secure.
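A check an administrator can run after the post-installation configuration: it parses a captured response head and lists the headers that still name the software stack or its version. This is an added example, not part of any tool mentioned here; the header list and function names are assumptions, and the hardened response is constructed.

```python
import re

# Response headers whose only job is to name the software stack.
BANNER_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version"}
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")   # dotted version such as 6.0 or 1.1.4322

# The response shown above, with the tool's "·" markers written as spaces.
SAMPLE_FROM_PAGE = """\
HTTP/1.1 302 Found
Connection: close
Date: Mon, 10 Mar 2008 19:49:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Pragma: no-cache
Location: http://mail.live.com/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 138
"""

# Constructed: the same response after the banner headers are switched off.
HARDENED_CONSTRUCTED = """\
HTTP/1.1 302 Found
Connection: close
Date: Mon, 10 Mar 2008 19:49:52 GMT
Location: http://mail.live.com/
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 138
"""


def parse_response_head(raw):
    """Return (status_line, [(name, value), ...]); repeated headers are kept."""
    lines = raw.replace("\r\n", "\n").strip().split("\n")
    headers = []
    for line in lines[1:]:
        if not line.strip():          # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:                       # skip anything that is not "Name: value"
            headers.append((name.strip(), value.strip()))
    return lines[0].strip(), headers


def audit_disclosure(headers):
    """List (name, value, what_it_reveals) for every banner header present."""
    findings = []
    for name, value in headers:
        if name.lower() not in BANNER_HEADERS:
            continue
        match = VERSION_RE.search(value)
        reveals = "version " + match.group(0) if match else "product name"
        findings.append((name, value, reveals))
    return findings


if __name__ == "__main__":
    for label, raw in (("as captured", SAMPLE_FROM_PAGE), ("hardened", HARDENED_CONSTRUCTED)):
        _, headers = parse_response_head(raw)
        print(label, audit_disclosure(headers) or "no banner headers")
```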

 

3.3). Configure to prevent attacks leveraging search engines:

Search engines are powerful enough to penetrate deep into a web server while building their index database. Popular ones such as Google use sophisticated queries to get more information about a web site, and unfortunately hackers leverage the same mechanism. It is quite easy for an average surfer to peek into other people's websites using exploits in the search engine mechanism. These attacks are very simple to execute but can often cause severe damage.(7) Attacks using search engines are collectively called “Google Hacking”, as the popular search engine Google is most often used. Network printers, VNCs and automated cameras are some of the quite common targets of such attacks by average surfers. To avoid such attacks, an administrator should configure the “robots.txt” file correctly, preventing search engine access to confidential and sensitive information. If a page has already been picked up by Google and cached, then tools such as the Google automatic URL removal system(8) should be used to secure the web server. Google also provides other options for removing such information(9).

 

3.4). Coordinate placement of information and scripts:

Coordinate the placement of information and scripts on the web server with the appropriate authorities to prevent URL manipulation attacks.

 

3.5). Avoid installing unnecessary tools, samples and 3rd party software:

Avoid installing unnecessary tools, samples and 3rd party software that come with the web server installation. Most such tools do not follow the same security standard as the web server, and hackers often exploit the server through them. Some of the scripts that are part of the samples are often used by hackers to stage an attack.

 

3.6). Administer the server with a good patch management system.

It is important to stay up-to-date with the vendor on fixes for bugs in the web server. Wherever possible this process should be automated. Good auditing tools (such as showrev on Solaris(10)) come in handy to detect the status of the system.


4). Developer's role in securing web servers.

Web applications are a common target of attack. Some of the famous attacks on web servers that manipulated web applications are (source: (11)):

  • Attack on a large bank in 2000 by manipulating the account number in the URL.
  • Acme Art Inc.'s web site was hacked in October 2001, revealing all credit card information.
  • In 2002, a Swedish company's turnover report was accessed by manipulating the year numbers in the URL.
  • A simple attack on Harvard Business School's website by prospective students enabled them to check their admission status in 2002.
  • Famous pet supply retailer Petco and fashion label Guess were attacked in June 2003, exposing customers' credit card information. These attacks used a technique called SQL Injection.
  • In 2004, web servers were attacked through the worm named “Santy”.
  • In November 2004, SCO's website logo was replaced by the text “We own all your code, pay us all your money”.

Let us look at the type of attacks that are very common against web applications and simple techniques/tips that the web application developer can use to mitigate these attacks.

4.1). Parameter Manipulation:

Parameter Manipulation is a simple technique hackers use to exploit vulnerabilities in web applications and cause severe damage. This technique modifies data that is being sent from a web browser to a web server. Hackers modify the values of form fields, cookies, URL query strings and HTTP headers to their advantage. It is important for the web application developer to understand these sources of attack and build preventive mechanisms into the application design and development.

 

4.1.1) Form Fields Manipulation:

This is the easiest attack to perform on a poorly designed/written web application. A capability provided by almost all web browsers on the market, “the ability to read the HTML source”, is misused by hackers to their advantage. HTML forms use visible and hidden form fields to accept user input and pass it to the web server. Hidden form fields serve the purpose of hiding values from users and are most of the time used by web developers to conveniently store local variables required by the application. This is a very bad design, as the attacker can simply read the file, find the hidden field and manipulate its value before sending it to the server.

Mitigation Techniques: Hidden form fields should be avoided and their usage should be replaced by session variables if possible. Another approach would be to encrypt and decrypt the values to be hidden programmatically on the browser and server side respectively, using a well-known encryption mechanism such as MD5.

 

4.1.2). Cookie Manipulation:

HTTP, the protocol widely used on the internet, is stateless, meaning that it cannot by itself be used for a conversational style of communication. Cookies are used to achieve this: they store data to enable such communication, either temporarily for a session or permanently, depending on the application's needs. There are tools such as Winhex(12) to modify the local data. The following example shows a simple modification that can fool a poorly written web application into executing with “administrator” rights: “Cookie: lang=en-us; ADMIN=no; lvar=1 ;” can easily be modified to “Cookie: lang=en-us; ADMIN=Yes; lvar=1 ;”.

Mitigation Techniques: Cookies should be avoided to the extent possible and replaced with session variables. In some cases where cookies need to be used, they should be encrypted and validated against session information stored on the server side.
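The check described in 4.1.1 and 4.1.2, that a value handed to the browser comes back unmodified and belongs to the current session, shown on the ADMIN cookie above. This is an added example, not code from any product named here. It swaps in HMAC-SHA-256 for the MD5 named in 4.1.1, because an unkeyed hash can be recomputed by the client over any value, and it protects integrity only, not secrecy. The key, session ids and function names are constructed.

```python
import hashlib
import hmac

# Constructed demo key. A real key comes from secrets.token_bytes(32) and
# never leaves the server.
DEMO_KEY = b"constructed-demo-key-not-for-use"


def parse_cookie_header(header):
    """Parse 'Cookie: a=1; b=2 ;' into a dict, tolerating stray separators."""
    if header.lower().startswith("cookie:"):
        header = header.split(":", 1)[1]
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name.strip()] = value.strip()
    return cookies


def naive_is_admin(header):
    """The flawed check: trusts whatever value the browser sends."""
    return parse_cookie_header(header).get("ADMIN", "").lower() == "yes"


def tag_for(key, session_id, name, value):
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    msg = "".join(f"{len(p)}:{p}" for p in (session_id, name, value))
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).hexdigest()


def protect(key, session_id, name, value):
    """Value to place in the cookie or hidden field: 'value.tag'."""
    return f"{value}.{tag_for(key, session_id, name, value)}"


def verify(key, session_id, name, received):
    """Return the original value, or None if it was altered or replayed."""
    value, sep, tag = received.rpartition(".")
    if not sep:
        return None
    expected = tag_for(key, session_id, name, value)
    # Compare as bytes in constant time; attacker input may be non-ASCII.
    if not hmac.compare_digest(expected.encode("ascii"), tag.encode("utf-8")):
        return None
    return value


def is_admin(key, session_id, header):
    """Grant admin only when the ADMIN cookie verifies for this session."""
    received = parse_cookie_header(header).get("ADMIN")
    if received is None:
        return False
    return verify(key, session_id, "ADMIN", received) == "yes"


if __name__ == "__main__":
    tampered = "Cookie: lang=en-us; ADMIN=Yes; lvar=1 ;"
    print("naive check accepts tampered cookie:", naive_is_admin(tampered))
    print("verified check accepts it:", is_admin(DEMO_KEY, "sess-alice", tampered))
```

Keeping the role in server-side session state, as the mitigation text recommends first, removes the need to send it to the browser at all.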

 

4.1.3). HTTP Headers Manipulation:

HTTP headers hold control information for an HTTP request coming from a web client to a web server. Though it is not easy to modify the headers, hackers sometimes alter them programmatically, often to take control of the web site or as a precursor to other manipulation attacks. One of the fields in the HTTP header that has been known to get altered is the REFERER field. Simple tools such as modifyheaders(13) make the job of hackers easy.

Mitigation Techniques: As a web application developer, never rely on REFERER field.

 

4.1.4). URL Manipulation:

HTML forms are submitted to the server using one of GET or POST http methods. When GET is used, the parameters and values passed to the server are added as part of the URL. This enables malicious users to modify the URL and alter the parameter values to their advantage to orchestrate an attack.

Mitigation Techniques: Using session tokens, avoiding parameters in query strings, and encrypting parameter values embedded in query strings are some of the effective ways of avoiding URL manipulation.

4.2). Cross-site scripting(XSS):

This type of attack is enabled by vulnerabilities in web applications through which malicious code (which could be HTML or a client-side application) can be injected to carry out the attack. The most common use of an XSS attack is to bypass access controls. Generally another script or executable is invoked as part of the malicious code to cause damage.

Mitigation Techniques: Simple programming techniques such as filtering out dangerous characters as part of validation will help. XSS vulnerability scanners come in handy during development of such web applications.

 

4.3). SQL Injection:

SQL Injection attacks are carried out by injecting SQL strings to access the database through web applications. This is an easy attack to carry out if the target application dynamically creates SQL queries based on user-entered parameters that are not validated. For example, a basic HTML form might have two input fields to allow users to log in to a web site with a username and password. If the database query that looks up the information relies on the user's input for its variables, without validating that input, the database can be compromised by adding a string to the password input field. For example, the query "SELECT * FROM Users WHERE UserName ='" + txtuid.Text + "'", hardcoded in the web application, can easily be altered because txtuid is a user input value. The modification could change parameter values to cause destruction, or append destructive SQL command(s) to the end of the query string through malicious input field values.

Mitigation Techniques: Using bound parameters (PREPARE statements), limiting database permissions to segregate users, and using stored procedures are some of the good practices to prevent SQL Injection.

It is also important to test the application during development using automatic SQL injection tools. For example SQLMap(14) is one such automatic blind SQL injection tool. SQLNinja(15) is another one.
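The concatenated query from the text next to its bound-parameter form, run against the same inputs. This is an added example, not code from the original post; SQLite stands in for the application's database, and the table contents, function names and crafted input are constructed.

```python
import sqlite3

# Constructed input that closes the quote and adds an always-true condition.
CRAFTED_INPUT = "x' OR '1'='1"


def make_db():
    """In-memory database with a constructed Users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserName TEXT PRIMARY KEY, Role TEXT)")
    conn.executemany(
        "INSERT INTO Users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("O'Brien", "user")],
    )
    return conn


def lookup_concatenated(conn, txtuid):
    """The pattern from the text: user input becomes part of the SQL itself."""
    query = "SELECT * FROM Users WHERE UserName ='" + txtuid + "'"
    return conn.execute(query).fetchall()


def lookup_bound(conn, txtuid):
    """Bound parameter: the input is passed as data and is never parsed as SQL."""
    return conn.execute(
        "SELECT * FROM Users WHERE UserName = ?", (txtuid,)
    ).fetchall()


def compare(conn, txtuid):
    """Return (concatenated result or error text, bound result) for one input."""
    try:
        concatenated = lookup_concatenated(conn, txtuid)
    except sqlite3.OperationalError as exc:
        concatenated = f"SQL error: {exc}"
    return concatenated, lookup_bound(conn, txtuid)


if __name__ == "__main__":
    db = make_db()
    for value in ("alice", CRAFTED_INPUT, "O'Brien"):
        concatenated, bound = compare(db, value)
        print(f"input {value!r}")
        print("  concatenated:", concatenated)
        print("  bound       :", bound)
```

The concatenated form returns every row for the crafted input and fails outright on a legitimate name containing an apostrophe; the bound form treats both as plain data.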

 

Golden Rules to follow:

1). Never trust input, especially user input; always validate input.
2). Do not make security decisions based on parameters accessible on the client side.
3). Follow well established/tested security standards.
4). Use scanning tools: Most parameter manipulation attacks can be prevented if developers use scanning tools. A lot of scanning tools are available to identify such vulnerabilities during the web application development period itself. Leveraging such tools, combined with awareness and intelligent coding, would prevent most parameter manipulation attacks. Some of the popular web application scanners are listed here:
  • ScanDo web application scanner from Kavado.
  • WebInspect from SPI Dynamics.
  • Web Vulnerability Scanner from Acunetix.
  • AppScan from Watchfire.

Conclusion:

This blog presented some simple techniques/tips that are very effective for securing web servers. As a web application developer or web server administrator, it is important not to ignore these fine details, failing which the business loss is enormous.
Though it is easy to overlook some security measures amid challenges such as time constraints, open source web servers exposing their source code, and accountability issues, having a secure web server is something that all organizations involved in e-commerce should consider their number one priority.

 

References:

(1): http://news.netcraft.com/archives/2006/04/06/april_2006_web_server_survey.html
(2): http://www.samag.com/
(3): http://www.sans.org/
(4): http://www.owasp.org
(5): http://docs.sun.com/app/docs/doc/819-2629/gdhhn?l=en&a=view&q=denial+of+service
(6): http://web-sniffer.net/
(7): http://www.theregister.co.uk/2001/11/28/the_google_attack_engine/
(8): https://www.google.com/support/bin/topic.py?topic=360
(9): http://www.google.com/support/webmasters/bin/topic.py?topic=8459
(10): http://docs.sun.com/app/docs/doc/816-5166/6mbb1kqf8?a=view
(11): http://www.acunetix.com/websitesecurity/application-scanning-wp.htm
(12): http://www.x-ways.net/winhex/
(13): http://modifyheaders.mozdev.org/
(14): http://sqlmap.sourceforge.net/
(15): http://sqlninja.sourceforge.net/

Sunday Jun 22, 2008

GlassFish V3 TP2 Refresh is here....

A refresh of "GlassFish V3 Technology Preview 2 Application Server" bundle is available now for download. More information on the preview is available here.


The installation program of this refresh bundle, developed using OpenInstaller, has a graphical user interface. This distribution is available as a download in addition to a platform-independent zip file. The installer is available as a self-extracting executable on all of the supported platforms (Windows, Unix).


Please follow the installation instructions under https://glassfish.dev.java.net/downloads/install/v3-preview2.html.


Also make sure that you register the product when prompted by the installer. Registering your installation gives you access to the latest information on product patches and bug updates, very useful screencasts and tutorials covering the various technologies that are part of GlassFish, and product support offerings.


Attached are some of the screen shots taken out of the installer run. 








Happy Installing!!!. 

Watch this section..

I will soon be writing/sharing with you my thoughts on different areas such as Database, Security, Servers (App/Web), Product Marketing, IT Policies, Knowledge Management, and interesting analysis of strategic paths that some companies have adopted. Please visit back soon and I hope I can entertain you.


"The more you share, the more you learn.". 

Wednesday Mar 26, 2008

GlassFish bundle with MySQL Community Server

"Sun Java System Application Server 9.1 Update 1 with MySQL Community Server" bundle is available now for download.

GlassFish is the name for the open source development project for building a Java EE 5 application server. Visit https://glassfish.dev.java.net/ for more info.

MySQL is the world's most popular open source database software, with over 100 million copies of its software downloaded or distributed throughout its history. Visit http://www.mysql.com/ for more info.

I was the Engineering Lead for this exciting project that provides a distribution of GlassFish V2 U1 with MySQL Community Server 5.0.

Bundle Features.

  • MySQL Connector/J version 5.1-6 is included in this bundle. This JDBC Driver is installed under <Installation Directory>/lib to conveniently create a JDBC connection pool pointing to MySQL database through  Glassfish's powerful Administration console.
  • The installation program automatically creates an option file to be used by MySQL based on the size of  target deployment environment. This option file can be used after installation without the need for modifications in most cases.
  • To provide a better out-of-the box experience on windows platforms, Program Group items for Starting and Stopping MySQL Server are provided by the installer.
    They are installed under "Programs > Sun Microsystems > Sun Java System Application Server 9.1 Update 1 with MySQL Community Server > ....".

    Look for items titled "Start MySQL 5.0 Database" and "Stop MySQL 5.0 Database".

  • A windows service by name "ASMySQL" will also be created if the user chooses to do so during installation. This service is configured with start-up mode set to "manual".
  • The MySQL binaries included in this distribution are self-contained and do not interfere with other MySQL instances running on installing environment. This is accomplished by the installer generating an option file to be used for all of mysql command line programs. On Windows environment, the interfaces to start and stop MySQL(Windows Program Group/Items and Windows Service), are automatically configured to use the generated option file.

Where to get it?


How to Install this bundle?


  • Refer to the installation guide at http://docs.sun.com/doc/820-3797 to install this bundle. NOTE: This guide also has instruction sets covering other bundles of GlassFish V2U1, so be sure to follow the instructions specific to installing "Sun Java System Application Server 9.1 Update 1 with MySQL Community Server".

 

Sample Setup/Usage:

Refer to http://weblogs.java.net/blog/msreddy/archive/2008/03/java_ee_5_sampl.html for details on how to set up/deploy/run a sample Java EE application with MySQL bundled in this distribution.

 

Acknowledgment:

There are many people to thank for their support and help at various stages of this project, which had an aggressive schedule.

Anil Gaur, Abhijit Kumar and Eduardo Pelegri-Llopart for their support throughout this project, Carla Carlson for Program Management, Alex Pineda and his group for testing, Steve Carusso and his team for ensuring Compatibility, Carolyn Wong for all her help in hosting the bundle, Terena Chinn-Fuji for Release Engineering, Chinmay Srivatsava for providing documentation, Sreenivas Munnangi for verifying samples integration with this bundle and many others.



What can you do with your Mac keyboard?


If you have a Mac or Macs (actually I have two :-)), then try the
following keys (at your own risk :-))

  • Hold down Shift when you click on the "Yellow" minimize button of a window.
  • Open up a Terminal window, type the command "KillAll Dock", don't press
    enter yet, now open up any other window and try step 1. When the window
    is sliding down, go back to the terminal window and press enter to complete
    the KillAll command. Watch what happens. :-)  Don't panic, if you reset the application, then it will be back to normal.
  • Ctrl + Option + Cmd + 8, Look at your screen colour, press the combination again to toggle
More to come....

Tuesday Oct 09, 2007

Glassfish and Solaris Zones

Want to know how GlassFish/Sun Java System Application server could be installed on Solaris zones?
Have issues setting up installation environment for such scenarios? Please look at my latest article
on Installing GlassFish on Solaris Zones.

http://developers.sun.com/appserver/reference/techart/glassfishsolariszones/ 


Tuesday Aug 21, 2007

glassfish, SJSAS distros...

There are many distributions of Sun Java System Application Server built on top of glassfish. Here is a list of them. This list applies only to the current version of glassfish(V2) and Sun Java System Application Server 9.1.

  • An ant based installer to install glassfish that can be downloaded from here. This is a simple ant script based installer that creates a domain and is often used for quick setup. It does not support upgrades or patching.
  • Sun Java System Application Server 9.1 (built on top of glassfish) has its own installers.
    • File based installation (underlying product binaries are available as zip files) is distributed as a). a bundle that includes Sun's High Availability Database and Java SE, and b). a bundle that does not include Sun's High Availability Database and Java SE.
    • Native package based installers for Linux and Solaris platforms: only one distribution, which comes with Sun's High Availability Database and all the other required shared components including Java SE. You must be logged in as "root" to perform the installation.
    • SDK installers:   Two types Java Application Platform SDK and Java EE SDK. These installers are distributed as the following bundles  
      • Sun Java System Application Server
      • Sun Java System Application Server + Java SE
      • Sun Java System Application Server + Java SE + Tools.

             Please visit http://java.sun.com/javaee/downloads/index.jsp for more information  

Except for the ant based glassfish installers, all other installers are patchable and upgradeable.

For file based installation, in-place binary upgrade would mean installing a full distribution on top of an existing install base.
The installer is designed to take care of this. Upgrade and Patching is currently not tested on SDK installers. Though "Sun Java System Application Server" component part of SDK installers would support upgrade/patching, other components included in these distributions may or may not support it for each particular release.
For native package based installers, binary upgrades are handled through installer and patches will be handled through native patching wherever possible.
Application upgrade(domain upgrade) for all of the above installers are handled through upgrade tool bundled and installed as part of the product binaries.

Monday Aug 20, 2007

Weird Windows shortcut keys

I came across this blog entry http://blogs.sun.com/sundararajan/entry/my_son_s_windows_magic. I have observed this too; interestingly, one can also use "ctrl + alt + right arrow key" and "ctrl + alt + left arrow key" to rotate the whole desktop view :-)

 


How to configure glassfish to run as windows service?


The glassfish installer does not currently support this. However the command line
to do this is pretty simple, except for the number of slashes to worry about(a real head-scratcher).

Here is a utility that automates this.

http://www.ryandelaplante.com/rdelaplante/entry/creating_a_windows_service_for

BTW, this is automated as part of Sun Java System Application Server 9.x Platform Edition installation.

How to increase swap size in solaris?

One way to do this:
1). Create a file of the size by which swap is to be increased, using the 'mkfile' command.
2). Add the area occupied by this file as swap area using the 'swap' command.

Ex. (swap -a needs the absolute path of the file; /path/to is a placeholder)

    mkfile 50m /path/to/tempswap
    swap -a /path/to/tempswap

However, for faster access to this area, it is recommended to create a partition and use that as the swap area.

Friday Sep 15, 2006

JavaDB integration JavaEE SDK

Derby and glassfish

1. Introduction.

The objective of this blog is to explain in detail the following.
    - how javadb is closely integrated with Java EE 5.0 SDK.
    - how javadb is configured for better out-of-the box experience.
    - overview of  how javadb is used internally by SDK.

This blog is written using Java EE 5 SDK, the latest version can be downloaded from  http://java.sun.com/javaee/downloads/
Java EE 5 SDK all-in-one bundle was used to run through the examples used here.

2. Contents.

Javadb integration
Start/Stop javadb through application server commands
Javadb and EJBTimer
Javadb database and callflow
Using javadb tools
Further readings

3. Javadb integration.

    3.1 Installation.

Javadb binaries are always installed directly under Installation root directory/javadb.  The binaries include the javadb core jar files,
useful javadb utilities (dblook, sysinfo and ij) and a few native scripts to perform functions like starting and stopping the database. The functionality
of the start and stop scripts is also available through application server command line interfaces.

   3.2 Application Server domain and javadb database.

 Every application server domain created out of the default installer as well as the ones explicitly created using 'asadmin create-domain'
 command will contain the following.

    3.2.1. A javadb database to be used by EJBTimer Service.

  The name of this database is 'ejbtimer'. It stores information about EJB timers and is used by the Timer Service that is part of
  this SDK. This database is owned by the user owning the domain. This differs from J2EE 1.4 SDK, where
    a). Pointbase database was used for storing EJBTimer information.
    b). The ejbtimer pointbase database was owned by the user who initially performed the installation, not by the owner of the application server domain.
  This database gets created under <domainroot>/<domainname>/lib/databases/ejbtimer, where <domainroot> by default will be <SDKInstallRoot>/domains.
  A default domain by name domain1 is automatically created by the SDK installer. The 'ejbtimer' database is configured to run in "embedded mode" inside the application
  server's JVM.

  3.2.2. A JDBC connection pool by name "__TimerPool" is configured to point to 'ejbtimer' database. This pool is used by EJBTimer service.    

  3.2.3. A JDBC Resource with the jndi name of "jdbc/__TimerPool" that is configured to use __TimerPool.

  3.2.4. A JDBC connection pool by name "__CallFlowPool" is configured to point to 'sun-callflow' database. This pool is used by CallFlow module.      

  3.2.5. A JDBC Resource with the jndi name of "jdbc/__CallFlowPool" that is configured to use __CallFlowPool.

Entries 3.2.2 through 3.2.5 can be viewed from the SDK's powerful administration console. From your browser, go to http://localhost:<admin port>
to start the Administration Console, where <admin port> is 4848 by default unless changed during the SDK installation process.

Log in with the administrator user name and password. After logging in on the left hand side of the console, click to open
"Resources" to view the entries. (Timer related entries are circled in the following image).






Alternatively, run 'asadmin list-jdbc-connection-pools' to view the list of JDBC connection pools and 'asadmin list-jdbc-resources' to view the list of JDBC
resources that have been created.

NOTE: None of these above components should be deleted.  Doing so will result in undesirable product behavior.


4. Start/Stop javadb through Application Server.

      Java EE 5 SDK's command line interface 'asadmin' supports starting and stopping network server through 'asadmin start-database' and 'asadmin stop-database' commands.

      Prior to understanding what these commands do, it is important to differentiate the two modes of the javadb database server: Embedded and Network mode.
      Refer to this link, which has a very good explanation of them: http://db.apache.org/javadb/papers/javadbTut/ns_intro.html

    4.1 Starting javadb.

The 'asadmin start-database' command starts the javadb network server in shared mode to enable connections from other hosts in the network. By default, the javadb network server (engine)
will only accept requests from clients local to the machine.
Syntax: asadmin start-database [--dbhost 0.0.0.0] [--dbport 1527]  [--dbhome install_dir/javadb]
 


--dbhome specifies the root directory of the database to be created. If it is not specified, the default is the current directory.

    4.2 Stopping javadb.

Syntax: asadmin stop-database [--dbhost 0.0.0.0] [--dbport 1527]



--dbhost is the host name or ip address of the javadb database. The default is the IP address 0.0.0.0, which listens on all interfaces.
--dbport can be used to start the javadb server process on a port other than 1527.
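
Because the default --dbhost of 0.0.0.0 listens on all interfaces, it is worth confirming how port 1527 is actually bound once the database is started. The following check is an added example, not part of the original post or the SDK; the function name classify_listener and the sample netstat lines are constructed for illustration.

```shell
#!/bin/sh
# classify_listener PORT
# Reads `netstat -an` text on stdin and prints how PORT is exposed:
#   wildcard (all interfaces), specific (one non-loopback address),
#   loopback (local clients only) or none (no listener found).
classify_listener() {
    awk -v port="$1" '
    BEGIN {
        rank["none"] = 0; rank["loopback"] = 1
        rank["specific"] = 2; rank["wildcard"] = 3
        result = "none"
    }
    toupper($0) ~ /LISTEN/ {
        for (i = 1; i <= NF; i++) {
            # The local address is the first field ending in ":PORT" (Linux,
            # Windows) or ".PORT" (Solaris, BSD).
            n = length($i) - length(port)
            if (n < 2 || substr($i, n + 1) != port) continue
            sep = substr($i, n, 1)
            if (sep != ":" && sep != ".") continue
            addr = substr($i, 1, n - 1)
            if (addr == "0.0.0.0" || addr == "*" || addr == "::" || addr == "[::]")
                kind = "wildcard"
            else if (addr ~ /^127\./ || addr == "::1" || addr == "[::1]")
                kind = "loopback"
            else
                kind = "specific"
            # Report the most exposed binding seen for this port.
            if (rank[kind] > rank[result]) result = kind
            break
        }
    }
    END { print result }'
}

# Constructed sample input (not captured from a real host).
SAMPLE_DEFAULT='tcp        0      0 0.0.0.0:1527      0.0.0.0:*      LISTEN
tcp        0      0 127.0.0.1:4848    0.0.0.0:*      LISTEN'
SAMPLE_LOCAL='      127.0.0.1.1527       *.*       0      0 49152      0 LISTEN'

printf 'default --dbhost: %s\n' "$(printf '%s\n' "$SAMPLE_DEFAULT" | classify_listener 1527)"
printf 'loopback --dbhost: %s\n' "$(printf '%s\n' "$SAMPLE_LOCAL" | classify_listener 1527)"
# On a live host: netstat -an | classify_listener 1527
```

If the result is "wildcard" and remote clients are not needed, starting the database with --dbhost 127.0.0.1 restricts the listener to the local machine.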


5. Javadb database and EJB Timer.

The EJB Timer service provided by the SDK is used to schedule a timed notification to happen at a specific time, after a duration of time, or at timed
intervals. This service uses a javadb database to persist EJB timer information. As mentioned in the previous section, the javadb database 'ejbtimer',
created automatically as part of the application server domain, is used for data storage. The SDK comes pre-bundled with a sample
application to demonstrate how to schedule timed notification of enterprise beans.


    5.1 About the timer sample application.

TimerSessionEJB is a stateless session bean that shows how to set a timer. This application is installed under <SDKInstallDir>/samples/ejb/misc/apps/timersession.
For added convenience, this application, like the other sample applications, is also available as a pre-assembled app along with source code and the build environment.
The pre-built ear file is used here rather than building the application. However, it is highly recommended to change the application source and descriptors if required to understand
timers better.

    5.2 Deploying timer sample app to SDK.

   -Change directory to <SDKInstall>/samples/ejb/misc/apps/timersession.
   -Include SDKInstall/bin in PATH.
   -Run 'asant deploy' to deploy the "timersession.ear" file to the default domain (domain1).
   -Run 'asadmin list-components' to verify the deployment.


    Alternatively the deployment can also be verified through "Administration Console"
 

  

    5.3 Running the timer sample.


To run the application client, set your current directory to <SDKInstallDir>/app_dir/samples/ejb/misc/apps/timersession. Then type the following command:
<SDKInstallDir>/bin/appclient -client timersessionClient.jar -xml install_dir/domains/domain1/config/sun-acc.xml

The output from the timer client is sent to domain_root_dir/domain_name/server/logs/server.log.  After about 30 seconds, view
<SDKInstallDir>/domains/domain1/logs/server.log and you will see the following lines:

TimerSessionBean: setSessionContext
TimerSessionBean: ejbCreate
TimerSessionBean: start createTimer
TimerSessionBean: ejbTimeout




For more info on this sample, refer to the bundled samples documentation available in the sample's root directory.

6. Javadb database and callflow.

CallFlow enables monitoring of the behaviour of applications that are deployed in the Application Server. When CallFlow is enabled (either through the Administration Console or through
command line interfaces), a database by name 'sun-callflow' is created under <domainroot>/<domainname>/lib/databases/ejbtimer, where <domainroot> by default will be
<SDKInstallRoot>/domains. A default domain by name domain1 is automatically created by the SDK installer.

The 'sun-callflow' database is configured to run in "embedded mode" inside the application server's JVM. All the runtime information about monitored applications is stored in this
database. If required, this database can be cleared using the Administration Console. For more information on CallFlow please refer to the CallFlow home page.
 


7. Using javadb tools.

Javadb comes with a minimal set of tools and they are ij, dblook and sysinfo. SDK also includes several useful scripts that can help you use javadb.
The following scripts are available for use in the <appserver_install_dir>/javadb/frameworks/[NetworkServer/embedded]/bin directory:

startNetworkServer.ksh/bat — Script to start the network server

stopNetworkServer.ksh/bat — Script to stop the network server

ij.ksh/bat — interactive JDBC scripting tool

dblook.ksh/bat — Script to view all or part of the DDL for a database

sysinfo.ksh/bat — Script to display versioning info regarding the javadb environment

NetworkServerControl.ksh/bat — Script which provides a means of executing commands on the NetworkServerControl API

To configure your environment to run the javadb utility scripts, do the following:
-Set the javadb_INSTALL environment variable to the <appserver_install_dir>/javadb directory.
-Unset your CLASSPATH environment variable.
-You can also optionally set the following properties:
            javadb_SERVER_HOST to the host on which the network server will listen. Can also be set to 0.0.0.0 to enable all listeners.
            javadb_SERVER_PORT to the port number on which the network server will listen.



8. Some useful Links.

    



    

About

sathyan
