Wednesday Feb 27, 2008

o=NetscapeRoot and Identity Synchronization for windows

I have noticed that most common question on the forum is related to the following message:

 "The selected Directory Server is not a configuration directory server. You must select a directory server that has "o=netscaperoot". Please note that merely adding the"o=netscaperoot" entry will not suffice."

The above message may show up when you are trying to install ISW (Identity Synchronization for Windows) 1.1sp1 or 1.1 with DS 6.x. As you are aware, DS 6.x uses the new console and hence it doesn't have any o=Netscaperoot for admin server installation.

You are supposed to use ISW 6.x for DS 6.x compatibility. ISW 6.x build ships the Administration Server. During the core installation, ISW installer detects if there is a local administrator server for the selected Directory Server ( as the configuration registry). If a suitable local adminstration server ( JES 4 or more) is found, ISW core installation proceeds without installing the Administration server. In case the administration server is not found, core installer installs the administration server before installing the core. Since it's a package installation of Administration Server, it's advisable to clean up the machine of any conflicting packages.

Couple of questions answered below:

How does ISW install Administration Server?

Installing a local Administration Server for DS 6.x requires creation of o=NetscapeRoot DIT. For this, ISW uses a template ldif to build up the ldif file with the proper values gathered from the user. This information includes the user "uid=admin" and the port number for the administration server. Firstly, the o=NetscapeRoot DIT is created on a DS 6.x instance, and then the other necessary information under the DIT are uploaded before actually calling the Administration Server installer. Please note that, Administration Server installation is done by Admin Server installer only. ISW merely invokes the installer at the right moment.

What do I do if the administration Server installation fails? Do I need to run the ISW core installer again and go through the pain?

Not really. If the administration server installation fails ( which might happen if the machine is not clean), administration server could be installed from the ISW installer bundle. Read the installation guide for the installer layout. Please remember that you can not install the administration server directly on a DS 6.0 instance without going through the ISW 6.0 installer. The reason is that the ISW installer is responsible for creating the DIT o=NetscapeRoot, without which, you can't install the Administration Server.

Friday Feb 15, 2008

ssltap'ing SSL and TLS


TLS is a more standard version of SSL hence I would refer to TLS in this post for all encrypted communications over the wire. Typically, a client sends a message to the server with certain information like it's public key and the list of algorithms (cipher-suites) it supports for generating the shared key to encrypt and decrypt the application data. The communication prior to sending the encrypted data is called handshake. See what happens during handshake with the ssltap output:

"--> [ " shows the data from client to the server
"<-- [ " shows the data from server to the client

Step 1: A Client sends a ClientHello message specifying the highest TLS protocol version it supports, a random number, a list of suggested cipher suites and compression methods.

[ssl2]  ClientHelloV2 {
           version = {0x03, 0x01}
           cipher-specs-length = 126 (0x7e)
           sid-length = 0 (0x00)
           challenge-length = 16 (0x10)
           cipher-suites = {
                (0x000066) TLS/DHE-DSS/RC4-128/SHA
                (0x000065) TLS/DHE-DSS_EXPORT1024/RC4-56/SHA
                (0x000064) TLS/RSA-EXPORT1024/RC4-56/SHA
                (0x000063) TLS/DHE-DSS_EXPORT1024/DES56-CBC/SHA
                (0x000062) TLS/RSA-EXPORT1024/DES56-CBC/SHA
                (0x000061) TLS/RSA-EXPORT1024/RC2CBC56/MD5
                (0x000060) TLS/RSA-EXPORT1024/RC4-56/MD5
                (0x00003a) TLS/DH-ANON/AES256-CBC/SHA
                (0x000039) TLS/DHE-RSA/AES256-CBC/SHA
                (0x000038) TLS/DHE-DSS/AES256-CBC/SHA
                (0x000035) TLS/RSA/AES256-CBC/SHA
                (0x000034) TLS/DH-ANON/AES128-CBC/SHA
                (0x000033) TLS/DHE-RSA/AES128-CBC/SHA
                (0x000032) TLS/DHE-DSS/AES128-CBC/SHA
                (0x00002f) TLS/RSA/AES128-CBC/SHA
                (0x00001b) SSL3/DH-anon/3DES192EDE-CBC/SHA
                (0x00001a) SSL3/DH-anon/DES56-CBC/SHA
                (0x000019) SSL3/DH-anon/DES40-CBC/SHA
                (0x000018) SSL3/DH-anon/RC4-128/MD5
                (0x000017) SSL3/DH-anon/RC4-40/MD5
                (0x000016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA
                (0x000015) SSL3/DHE-RSA/DES56-CBC/SHA
                (0x000014) SSL3/DHE-RSA/DES40-CBC/SHA
                (0x000013) SSL3/DHE-DSS/DES192EDE3CBC/SHA
                (0x000012) SSL3/DHE-DSS/DES56-CBC/SHA
                (0x000011) SSL3/DHE-DSS/DES40-CBC/SHA
                (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
                (0x000009) SSL3/RSA/DES56-CBC/SHA
                (0x000008) SSL3/RSA/DES40-CBC/SHA
                (0x000007) SSL3/RSA/IDEA128CBC/SHA
                (0x000006) SSL3/RSA/RC2CBC40/MD5
                (0x000005) SSL3/RSA/RC4-128/SHA
                (0x000004) SSL3/RSA/RC4-128/MD5
                (0x000003) SSL3/RSA/RC4-40/MD5
                (0x080080) ????/????????/?????????/???
                (0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5
                (0x060040) SSL2/RSA/DES56-CBC/MD5
                (0x050080) SSL2/RSA/IDEA128CBC/MD5
                (0x040080) SSL2/RSA/RC2CBC40/MD5
                (0x030080) SSL2/RSA/RC2CBC128/MD5
                (0x020080) SSL2/RSA/RC4-40/MD5
                (0x010080) SSL2/RSA/RC4-128/MD5
                }
           session-id = { }
           challenge = { 0x351b 0x12fc 0xd003 0x14dc 0x011f 0x58f2 0xba65 0x06c3 }
}

Step 2 : The Server responds with a ServerHello, containing the chosen protocol version, a random number, cipher suite, and compression method from the choices offered by the client.

Step 3: The Server sends its Certificate (depending on the selected cipher suite, this may be omitted by the Server).

Step 4: These certificates are currently X.509, but there is also a draft specifying the use of OpenPGP based certificates.

Step 5: The server may request a certificate from the client, so that the connection can be mutually authenticated, using a CertificateRequest.

Step 6: The Server sends a ServerHelloDone message, indicating it is done with handshake negotiation.


<-- [
(1182 bytes of 1177)
SSLRecord {
   0: 16 03 01 04  99                                   |.....
   type    = 22 (handshake)
   version = { 3,1 }
   length  = 1177 (0x499)
   handshake {
   0: 02 00 00 46                                      |...F
      type = 2 (server_hello)
      length = 70 (0x000046)
         ServerHello {
            server_version = {3, 1}
            random = {...}
   0: 47 ac 4e 2d  b6 b5 8c 87  e4 c0 74 2a  c0 0b 44 c3  | G.N-......t\*..D.
  10: 9a 5a 15 ec  9e 9d 93 d3  e8 ee e1 40  69 be 51 78  | .Z.........@i.Qx
            session ID = {
                length = 32
                contents = {..}
   0: 47 ac 4e 2d  1d b1 82 e2  b7 a9 ec 3f  af d4 b7 7d  | G.N-.......?...}
  10: 32 77 50 af  c9 84 97 78  8a e2 3e 8f  fd 05 0c 26  | 2wP....x..&gt;....&amp;
            }
            cipher_suite = (0x0033) TLS/DHE-RSA/AES128-CBC/SHA
            compression method = 00
         }
   0: 0b 00 02 ba                                      |....
      type = 11 (certificate)
      length = 698 (0x0002ba)
         CertificateChain {
            chainlength = 695 (0x02b7)
            Certificate {
               size = 692 (0x02b4)
               data = { saved in file 'cert.001' }
            }
         }
   0: 0c 00 01 89                                      |....
      type = 12 (server_key_exchange)
      length = 393 (0x000189)
   0: 00 80 f4 88  fd 58 4e 49  db cd 20 b4  9d e4 91 07  | .....XNI.. .....
  10: 36 6b 33 6c  38 0d 45 1d  0f 7c 88 b3  1c 7c 5b 2d  | 6k3l8.E..|...|[-
  20: 8e f6 f3 c9  23 c0 43 f0  a5 5b 18 8d  8e bb 55 8c  | ....#.C..[....U.
  30: b8 5d 38 d3  34 fd 7c 17  57 43 a3 1d  18 6c de 33  | .]8.4.|.WC...l.3
  40: 21 2c b5 2a  ff 3c e1 b1  29 40 18 11  8d 7c 84 a7  | !,.\*.&lt;..)@...|..
  50: 0a 72 d6 86  c4 03 19 c8  07 29 7a ca  95 0c d9 96  | .r.......)z.....
  60: 9f ab d0 0a  50 9b 02 46  d3 08 3d 66  a4 5d 41 9f  | ....P..F..=f.]A.
  70: 9c 7c bd 89  4b 22 19 26  ba ab a2 5e  c3 55 e9 2f  | .|..K".&amp;...\^.U./
  80: 78 c7 00 01  02 00 80 6e  d2 d9 f3 13  fb 89 24 f2  | x......n......$.
  90: e9 72 fc e7  dd b8 6b 18  24 e7 4a f2  50 b8 66 89  | .r....k.$.J.P.f.
  a0: 45 64 46 a0  f8 85 45 4c  b4 e0 de a1  ff 3b d8 43  | EdF...EL.....;.C
  b0: c3 2c 5c 3a  5a 56 d6 81  77 e0 39 04  bf ea 11 af  | .,\\:ZV..w.9.....
  c0: 31 b0 a6 0e  75 d3 4a 8c  8f a0 9b 07  14 70 86 93  | 1...u.J......p..
  d0: a0 76 1a 37  4d b6 4a 60  b8 96 8e 6d  2b 67 c3 79  | .v.7M.J`...m+g.y
  e0: d6 4c f0 0f  6d 09 5c f4  de 3d b4 87  05 06 fb f3  | .L..m.\\..=......
  f0: ca 2e 3b 53  27 77 2c e7  24 0c e0 3f  16 76 dc 22  | ..;S'w,.$..?.v."
 100: 0e 58 ca 46  29 b9 aa 00  80 6f 34 80  86 7e 26 46  | .X.F)....o4..~&amp;F
 110: 63 36 45 37  21 15 e1 1a  fc 41 e5 68  08 b0 b5 e8  | c6E7!....A.h....
 120: 38 f3 8b b9  ee 72 eb b6  74 87 a0 c1  af 84 a9 f0  | 8....r..t.......
 130: 47 8e 1f e2  31 97 6f 46  13 02 56 63  3b 82 12 89  | G...1.oF..Vc;...
 140: 82 8c 4f 82  a6 7d 13 3d  03 53 22 b2  3e 60 69 ff  | ..O..}.=.S".&gt;`i.
 150: 1e 4d 1a ed  12 04 4d ac  56 4f 87 32  c9 35 d2 79  | .M....M.VO.2.5.y
 160: 5c c3 67 bc  44 56 4c 45  ba dc a8 59  96 98 fb 3b  | \\.g.DVLE...Y...;
 170: f5 64 ae 1a  47 3d 50 bf  33 c4 87 1f  d2 53 23 e4  | .d..G=P.3....S#.
 180: 6f 6a 82 11  e4 24 7a f8  64                       |oj...$z.d
   0: 0e 00 00 00                                      |....
      type = 14 (server_hello_done)
      length = 0 (0x000000)
   }
}


Step 7:The Client responds with a ClientKeyExchange message, which may contain a PreMasterSecret, public key, or nothing. (Again, this depends on the selected cipher.)

Step 8: The Client and Server then use the random numbers and PreMasterSecret to compute a common secret, called the "master secret". All other key data is derived from this master secret (and the client- and server-generated random values), which is passed through a carefully designed "pseudorandom function".

Step 9: The Client now sends a ChangeCipherSpec message, essentially telling the Server, "Everything I tell you from now on will be encrypted." Note that the ChangeCipherSpec is itself a record-level protocol, and has type 20, and not 22.

Step 10: Finally, the Client sends an encrypted Finished message, containing a hash and MAC over the previous handshake messages.
--> [
(198 bytes of 134, with 59 left over)
SSLRecord {
   0: 16 03 01 00  86                                   |.....
   type    = 22 (handshake)
   version = { 3,1 }
   length  = 134 (0x86)
   handshake {
   0: 10 00 00 82                                      |....
      type = 16 (client_key_exchange)
      length = 130 (0x000082)
         ClientKeyExchange {
            message = {...}
         }
   }
}
(198 bytes of 1, with 53 left over)
SSLRecord {
   0: 14 03 01 00  01                                   |.....
   type    = 20 (change_cipher_spec)
   version = { 3,1 }
   length  = 1 (0x1)
   0: 01                                               |.
}
(198 bytes of 48)
SSLRecord {
   0: 16 03 01 00  30                                   |....0
   type    = 22 (handshake)
   version = { 3,1 }
   length  = 48 (0x30)
            < encrypted >
}



Step 11: The Server will attempt to decrypt the Client's Finished message, and verify the hash and MAC. If the decryption or verification fails, the handshake is considered to have failed and the connection should be torn down.

Step 12: Finally, the Server sends a ChangeCipherSpec and its encrypted Finished message, and the Client performs the same decryption and verification.

<-- [
(6 bytes of 1)
SSLRecord {
   0: 14 03 01 00  01                                   |.....
   type    = 20 (change_cipher_spec)
   version = { 3,1 }
   length  = 1 (0x1)
   0: 01                                               |.
}
]
<-- [
(53 bytes of 48)
SSLRecord {
   0: 16 03 01 00  30                                   |....0
   type    = 22 (handshake)
   version = { 3,1 }
   length  = 48 (0x30)
            < encrypted >
}

Step 13: At this point, the "handshake" is complete and the Application protocol is enabled, with content type of 23. Application messages exchanged between Client and Server will be encrypted.

--> [
(101 bytes of 96)
SSLRecord {
   0: 17 03 01 00  60                                   |....`
   type    = 23 (application_data)
   version = { 3,1 }
   length  = 96 (0x60)
            < encrypted >
}


Of course, the communication may be different with different setup but it should give you an idea of what is going on when you establish an SSL connection to a server.

Tuesday Feb 12, 2008

Using HPROF for finding deadlocks



Most of the information here is based on http://java.sun.com/developer/technicalArticles/Programming/HPROF.html. If you are interested in the complete details about HPROF, please visit that site.

To give you little introduction, HPROF is a memory profiling tool which is loaded in the JVM process context when stated as a command-line option. There are tools such as HAT to analyze the output data. Though a subset of the information such as threads-related and monitors etc are available with a jstack dump, HPROF is , however, preferred for a bigger picture that includes memory-related activities such as heap allocation and CPU profiling.

To run HPROF, use either of the following:

java -agentlib:hprof[=options] ToBeProfiledClass

-OR-

java -Xrunhprof[:options] ToBeProfiledClass

You can get a list of HPROF options by

C:\\Documents and Settings\\Administrator>java -agentlib:hprof=help

     HPROF: Heap and CPU Profiling Agent (JVMTI Demonstration Code)

hprof usage: java -agentlib:hprof=[help]|[<option>=<value>, ...]

Option Name and Value  Description                    Default
---------------------  -----------                    -------
heap=dump|sites|all    heap profiling                 all
cpu=samples|times|old  CPU usage                      off
monitor=y|n            monitor contention             n
format=a|b             text(txt) or binary output     a
file=<file>            write data to file             java.hprof[.txt]
net=<host>:<port>      send data over a socket        off
depth=<size>           stack trace depth              4
interval=<ms>          sample interval in ms          10
cutoff=<value>         output cutoff point            0.0001
lineno=y|n             line number in traces?         y
thread=y|n             thread in traces?              n
doe=y|n                dump on exit?                  y
msa=y|n                Solaris micro state accounting n
force=y|n              force output to <file>         y
verbose=y|n            print messages about dumps     y

Obsolete Options
----------------
gc_okay=y|n

Examples
--------
  - Get sample cpu information every 20 millisec, with a stack depth of 3:
      java -agentlib:hprof=cpu=samples,interval=20,depth=3 classname
  - Get heap usage information based on the allocation sites:
      java -agentlib:hprof=heap=sites classname

Notes
-----
  - The option format=b cannot be used with monitor=y.
  - The option format=b cannot be used with cpu=old|times.
  - Use of the -Xrunhprof interface can still be used, e.g.
       java -Xrunhprof:[help]|[<option>=<value>, ...]
    will behave exactly the same as:
       java -agentlib:hprof=[help]|[<option>=<value>, ...]

Warnings
--------
  - This is demonstration code for the JVMTI interface and use of BCI,
    it is not an official product or formal part of the J2SE.
  - The -Xrunhprof interface will be removed in a future release.
  - The option format=b is considered experimental, this format may change
    in a future release.


You don't really need to compile a java file to use the HPROF. You can use -J option with javac to see the output.

ex. javac -J-agentlib:hprof= ... file.java ( note that there is no space between -J and -agent)

http://java.sun.com/developer/technicalArticles/Programming/HPROF.html very well explains how to gather and analyze the heap dumps and the CPU usage. Therefore, I would cover there how can you use the HPROF to gather information about the threads, deadlocks and monitors etc.

Take a  deadlock situation

I would refer to the code at http://examples.oreilly.com/jenut/Deadlock.java.

Pasting the code from site:

// This example is from _Java Examples in a Nutshell_. (http://www.oreilly.com)
// Copyright (c) 1997 by David Flanagan
// This example is provided WITHOUT ANY WARRANTY either expressed or implied.
// You may study, use, modify, and distribute it for non-commercial purposes.
// For any commercial use, see http://www.davidflanagan.com/javaexamples

/\*\*
 \* This is a demonstration of how NOT to write multi-threaded programs.
 \* It is a program that purposely causes deadlock between two threads that
 \* are both trying to acquire locks for the same two resources.
 \* To avoid this sort of deadlock when locking multiple resources, all threads
 \* should always acquire their locks in the same order.
 \*\*/
public class Deadlock {
  public static void main(String[] args) {
    // These are the two resource objects we'll try to get locks for
    final Object resource1 = "resource1";
    final Object resource2 = "resource2";
    // Here's the first thread.  It tries to lock resource1 then resource2
    Thread t1 = new Thread() {
      public void run() {
        // Lock resource 1
        synchronized(resource1) {
          System.out.println("Thread 1: locked resource 1" )  ;

          // Pause for a bit, simulating some file I/O or something.  
          // Basically, we just want to give the other thread a chance to
          // run.  Threads and deadlock are asynchronous things, but we're
          // trying to force deadlock to happen here...
          try { Thread.sleep(50); } catch (InterruptedException e) {}
          
          // Now wait 'till we can get a lock on resource 2
          synchronized(resource2) {
            System.out.println("Thread 1: locked resource 2" ) ;
          }
        }
      }
    };
   
    // Here's the second thread.  It tries to lock resource2 then resource1
    Thread t2 = new Thread() {
      public void run() {
        // This thread locks resource 2 right away
        synchronized(resource2) {
          System.out.println("Thread 2: locked resource 2" ) ;

          // Then it pauses, for the same reason as the first thread does
          try { Thread.sleep(50); } catch (InterruptedException e) {}

          // Then it tries to lock resource1.  But wait!  Thread 1 locked
          // resource1, and won't release it 'till it gets a lock on
          // resource2.  This thread holds the lock on resource2, and won't
          // release it 'till it gets resource1.  We're at an impasse. Neither
          // thread can run, and the program freezes up.
          synchronized(resource1) {
            System.out.println("Thread 2: locked resource 1" ) ;
          }
        }
      }
    };
   
    // Start the two threads. If all goes as planned, deadlock will occur,
    // and the program will never exit.
    t1.start();
    t2.start();
  }
}


C:\\Documents and Settings\\Administrator>java -agentlib:hprof=monitor=y Deadlock
Thread 1: locked resource 1
Thread 2: locked resource 2
<CTRL> + <BREAK>
2008-02-12 23:59:47
Full thread dump Java HotSpot(TM) Client VM (10.0-b19 mixed mode):

"DestroyJavaVM" prio=6 tid=0x00963800 nid=0xe34 waiting on condition [0x00000000..0x0090fd4c]
   java.lang.Thread.State: RUNNABLE

"Thread-1" prio=6 tid=0x0acff400 nid=0xb44 waiting for monitor entry [0x0b09f000..0x0b09fa94]
   java.lang.Thread.State: BLOCKED (on object monitor)
        at Deadlock$2.run(Deadlock.java:56)
        - waiting to lock <0x06c2ea60> (a java.lang.String)
        - locked <0x06c2ea98> (a java.lang.String)

"Thread-0" prio=6 tid=0x0acfe800 nid=0xc20 waiting for monitor entry [0x0b04f000..0x0b04fb14]
   java.lang.Thread.State: BLOCKED (on object monitor)
        at Deadlock$1.run(Deadlock.java:34)
        - waiting to lock <0x06c2ea98> (a java.lang.String)
        - locked <0x06c2ea60> (a java.lang.String)

"Low Memory Detector" daemon prio=6 tid=0x0ace3c00 nid=0xc78 runnable [0x00000000..0x00000000]
   java.lang.Thread.State: RUNNABLE

"CompilerThread0" daemon prio=10 tid=0x0acd4800 nid=0xb9c waiting on condition [0x00000000..0x0af5f640]
   java.lang.Thread.State: RUNNABLE

"HPROF gc_finish watcher" daemon prio=6 tid=0x0acd3000 nid=0x5d0 runnable [0x00000000..0x00000000]
   java.lang.Thread.State: RUNNABLE

"Attach Listener" daemon prio=10 tid=0x009f6c00 nid=0xf58 runnable [0x00000000..0x00000000]
   java.lang.Thread.State: RUNNABLE

"Signal Dispatcher" daemon prio=10 tid=0x009f2c00 nid=0xd1c waiting on condition [0x00000000..0x00000000]
   java.lang.Thread.State: RUNNABLE

"Finalizer" daemon prio=8 tid=0x009e6800 nid=0xdac in Object.wait() [0x0ac1f000..0x0ac1fa94]
   java.lang.Thread.State: WAITING (on object monitor)
        at java.lang.Object.wait(Native Method)
        - waiting on <0x02a90b38> (a java.lang.ref.ReferenceQueue$Lock)
        at java.lang.ref.ReferenceQueue.remove(ReferenceQueue.java:116)
        - locked <0x02a90b38> (a java.lang.ref.ReferenceQueue$Lock)
        at java.lang.ref.ReferenceQueue.remove(ReferenceQueue.java:132)
        at java.lang.ref.Finalizer$FinalizerThread.run(Finalizer.java:159)

"Reference Handler" daemon prio=10 tid=0x009e2400 nid=0xd0 in Object.wait() [0x0abcf000..0x0abcfb14]
   java.lang.Thread.State: WAITING (on object monitor)
        at java.lang.Object.wait(Native Method)
        - waiting on <0x02a90a40> (a java.lang.ref.Reference$Lock)
        at java.lang.Object.wait(Object.java:485)
        at java.lang.ref.Reference$ReferenceHandler.run(Reference.java:116)
        - locked <0x02a90a40> (a java.lang.ref.Reference$Lock)

"VM Thread" prio=10 tid=0x009df400 nid=0x328 runnable

"VM Periodic Task Thread" prio=10 tid=0x0acf6c00 nid=0xc38 waiting on condition


JNI global references: 1339


Found one Java-level deadlock:
=============================
"Thread-1":
  waiting to lock monitor 0x009e66ec (object 0x06c2ea60, a java.lang.String),
  which is held by "Thread-0"
"Thread-0":
  waiting to lock monitor 0x009e5abc (object 0x06c2ea98, a java.lang.String),
  which is held by "Thread-1"


Java stack information for the threads listed above:
===================================================
"Thread-1":
        at Deadlock$2.run(Deadlock.java:56)
        - waiting to lock <0x06c2ea60> (a java.lang.String)
        - locked <0x06c2ea98> (a java.lang.String)
"Thread-0":
        at Deadlock$1.run(Deadlock.java:34)
        - waiting to lock <0x06c2ea98> (a java.lang.String)
        - locked <0x06c2ea60> (a java.lang.String)

Found 1 deadlock.

Heap
 def new generation   total 960K, used 214K [0x02a90000, 0x02b90000, 0x02f70000)

  eden space 896K,  23% used [0x02a90000, 0x02ac5890, 0x02b70000)
  from space 64K,   0% used [0x02b70000, 0x02b70000, 0x02b80000)
  to   space 64K,   0% used [0x02b80000, 0x02b80000, 0x02b90000)
 tenured generation   total 4096K, used 0K [0x02f70000, 0x03370000, 0x06a90000)
   the space 4096K,   0% used [0x02f70000, 0x02f70000, 0x02f70200, 0x03370000)
 compacting perm gen  total 12288K, used 1660K [0x06a90000, 0x07690000, 0x0aa900
00)
   the space 12288K,  13% used [0x06a90000, 0x06c2f2a8, 0x06c2f400, 0x07690000)
No shared spaces configured.

Dumping contended monitor usage ... done.

Note: you can either collect the stats at the end of the program or you can use Ctrl-\\ (on Solaris) or by typing Ctrl-Break (on Win32) to dump the conent in between


You can see above that HPROF has detected the deadlock. If you want to analyze the java.hprof.txt you can have a look below



Analyzing the output (java.hprof.txt)
=============================

THREAD START (obj=50000138, id = 200003, name="Signal Dispatcher", group= "system";)
THREAD START (obj=50000138, id = 200004, name="Attach Listener", group= "system";)
THREAD START (obj=50000138, id = 200002, name="HPROF gc_finish watcher", group ="system";)
THREAD START (obj=50000138, id = 200001, name="main", group ="main";)
THREAD START (obj=5000015e, id = 200005, name="Thread-0", group ="main";)
THREAD START (obj=5000015e, id = 200006, name="Thread-1", group ="main";)
THREAD END (id = 200001)
THREAD START (obj=50000138, id = 200007, name="DestroyJavaVM", group ="main";)

The threads of our interest are main (id = 200001) , Thread-0 ( id = 200005) and Thread-1 (id = 200006). It shows that the SIGQUIT signal

Explanation of Thread states
=======================

R — Runnable
S — Suspended
CW — Condition Wait
MW — Monitor Wait
ZO - Zombie

monitor dump
============

MONITOR DUMP BEGIN
    THREAD 200001, trace 300000, status: ZO
    THREAD 200002, trace 300000, status: R
    THREAD 200003, trace 300000, status: R
    THREAD 200004, trace 300000, status: R
    THREAD 200005, trace 300029, status: MW
    THREAD 200006, trace 300030, status: MW
    THREAD 200007, trace 300000, status: R
    MONITOR Ljava/lang/String;
    owner: thread 200005, entry count: 1
    waiting to enter: thread 200006
    waiting to be notified:
    MONITOR Ljava/lang/String;
    owner: thread 200006, entry count: 1
    waiting to enter: thread 200005
    waiting to be notified:
MONITOR DUMP END


The above shows that both Monitors are of type String and first monitor is owned by Thread-0 and Thread-1 is waiting to enter into it. The second monitor shows exactly the opposite.

Monday Feb 11, 2008

Why to use Volatile in multithreading?

Typically, a shared variable is protected using a mutex. The intent
of the mutex is not just to protect while making changes to the
variable, but also to share the same value across multiple threads. In
simple words, threads might keep their own copies of the shared
variables for some optimization. However, this copy is updated with the
main copy when a synchronization block is observed during execution.

Alternatively,
you can use volatile keyword with the variables which are accessed
(READ) without mutexes If you don't have any mutexes in the getters, it
would be generally safe to declare those variables volatile.Remember
that a final variable can't be volatile.

Life of a java class from loading to exit

Step 1. Loading of the class. Throws subclasses of LinkageError ex. ClassFormatError, NoClassDefFoundError.

Step 2. Linking of the class:
The process of taking a binary form of a class or interface type and combining it into the runtime state of the Java virtual machine,
    a. Verification – instruction code is verified.
    b. Preparation – static variables and method tables are created .
    c. Resolution – Checking symbolic references from loaded class to other classes. Resolution translates the names into explicit references.Also checks for  field/method existence and whether access is allowed.

 Step 3. Initialization of the static variables and initializers.Note that the static variables have already been created during the Preparation phase.

Step 4. main(..) is executed.

Step 5. A class or interface may be unloaded if and only if its class loader is unreachable.

Step 6. The Java virtual machine terminates all its activity and exits when one of two things happens:
 - All the threads that are not daemon threads terminate.
-  Some thread invokes the exit method of class Runtime or class System, and the exit operation is permitted by the security manager.

Abstract class vs. Interface

At design-level, an interface describes the functionalites which could be implemented differently across various implementations. Therefore, it de-couples an architecture in terms of the functionalities. Whereas, an abstract class talks about the responsibilites of the classes under a hierarchy. It creates an inheritance hierarchy where subclasses provide
their own definitions for the inherited methods.


As an example, I might decide to write an interface called Accessor to access a data source.I would design GenericAccessor as an abstract class which implements Accessor. GenericAccessor could implement multiple interfaces to implement a range of functionalities which have been divided across multiple interfaces. So it means that GenericAccessor could be an Accessor and a Listener at the same time. If I were to design GenericAccessor as an abstract class, I would be putting all the functionalities inside the single class which
doesn't me incorporate re-usability into the design.

A few interesting facts:


Interface:
only final static variables are allowed to be declared.
all the declared methods are public
Abstract classes:
both instance and static variables are allowed
can have any kind of methods.
 

Wednesday Jan 30, 2008

A day with IBM DB2

It was fun working with DB2 after having already experienced Oracle and mySQL. It started with the installation of DB2 on a Solaris 10 SPARC machine. I was interested in running a command-line installation but sadly it doesn't configure the database for you. Installation is quite easy and I easily sailed past that. I desperately needed some reference to configure the db2. Nevertheless, a search on google brought me to http://www.ldas.ligo-wa.caltech.edu/doc/db2/doc/html/installDB2.html. It is a good site which explains the necessary steps like user creation etc to configure the db2 (You might want to be little cautious as it discusses an old release of db2). It also lets u know how to create a sample database.

Once the configuration was done, I wanted to test the sample database access using my java code. I set  the db2jcc4.jar ( found in the /opt/IBM/db2/V9.5/java) in the CLASSPATH and a sample application below worked.

 public static void main(String[] args) throws Exception
{

 String url = "jdbc:db2://HOST_NAME:50002/sample";
 Class.forName("com.ibm.db2.jcc.DB2Driver";);
 Connection conn = DriverManager.getConnection(url, "ldasdb", "ldasdb";);
 Statement stmt = conn.createStatement() ;

  // Execute the query
  ResultSet rs = stmt.executeQuery( "SELECT \* FROM staff" ) ;

  // Loop through the result set
  while( rs.next() )
       System.out.println( rs.getString(1) ) ;

   // Close the result set, statement and the connection
   rs.close() ;
   stmt.close() ;
   conn.close() ;
}

Nice! I am almost done and I need to use the existing SQLs to create a database and some tables. See how it goes below:

 1. go to the installation path and run db2 for a db2  prompt ( use ldasdb for this)
 2. create a database or use sample database mentioned in the page
 db2 => create database vdtest
 3. Connect to the database
 db2=> connect to vdtest

4. Create a table

Now my old SQL fails because  you need to mention in the primary key that it is not null. Well, I don't know if it was obvious or not :) but I did change the SQL to "UID       VARCHAR(15)     NOT  NULL PRIMARY KEY" from "UID       VARCHAR(15)      PRIMARY KEY" and the table is created.

5. Inserting records

Once again I hit a roadblock here. But it turned out to be the column names following the table name in the INSERT statement. Workaround was to take the column names from the INSERT.

INSERT INTO USER_HOBBY  VALUES ('TEST000','Art',1)

Didn't have the time to investigate how to insert only for a few select columns...Saving it for some other time :)


 

Monday Jan 14, 2008

Unable to retrieve a backend BIND/MODIFY/SEARCH connection

 


If you are working with Sun Java System Directory Proxy Server (aka DPS) 6.0+ and noticing the following error, you might be interested in this article:

/app/dps/slapd-dps/logs $ ldapsearch -D "uid=ldapadmin,ou=admins,dc=abc,dc=com" -w password -b "dc=abc,dc=com" -p 389 uid=user1 dn
ldap_simple_bind: Operations error
ldap_simple_bind: additional info: Unable to retrieve a backend BIND connectioN

For some of you,the message may be related to a different operation type like ADD or SEARCH etc. However, the reason stays the same. As it is evident from the message, there is no connection available in the pool to serve the request.If you have the default DPS settings, very likely, you would see it when your DPS instance is stressed. By default, MAX connections in a
pool is set to 1024 and it should generally suffice for a normal dps instance.
I see this when I stress my DPS instance with SLAMD. Typically, a stress test utilizes all the available connections forcing the new clients to wait for a connection to be free.

Internally, a Worker thread does wait for the time specified in connectionPoolTimeoutInMillisec prior to declaring that there is no connection available. The attribute
connectionPoolTimeoutInMillisec resides under cn=config and its default value is 3000.

In case you are getting troubled with this frequently, it means that number of connections in your pool isn't sufficient. Either you can set the MAX to the higher value ( default is 1024), or you can increase the timeout to a higher value ( or, 0 for infinite wait).

Thursday Jan 10, 2008

मेरा पहला हिंदी Blog

हिंदी में blog करने का ये मेरा पहला अनुभव है. उम्मीद है की ये शौक जारी रहेगा.

Tata unveils NANO ( Cheaptest car ever)

Finally, we get to see the cheapest car. Priced at USD $2,500 , now everybody can own a car. Have a look yourself.

Let us look at the specification ( shamelessly copied from www.timesofindia.com ):

Looks: The snub-nosed car keeps in the tradition of the Fiat 500, Nissan Micra and the Smart.

Dimensions: 3.1 metres (10.23 feet) long, 1.5 metres wide and 1.6 metres high. Can seat four to five people.

Engine: A two cylinder 623 cc, 33 horsepower rear mounted, all aluminium, multi-point fuel injection petrol engine can power the car to top speeds of 105 kilometres per hour (65 miles per hour).

Fuel Efficiency: 20 kilometres per litre, or 50 miles per gallon is claimed.

Pollution: Exceeds Indian regulatory requirements and can meet strict Euro IV emission standards. In terms of overall pollutants, Tata says the car is better than two-wheelers manufactured in India currently.

Safety: Car exceeds current regulatory requirements with a strong passenger compartment, crumple zones, intrusion resistant doors, seat belts, strong seats and anchorage.

Initial Annual Production Target: 250,000 units to rise later to 350,000. PRICE: Basic model price 100,000 rupees (2,500 dollars) plus tax and transport costs, which will bring on the road price to at least 120,000 rupees. The price of two deluxe models that will include air-conditioning and other features to be announced later.

Nearest Domestic Car Rival: Maruti 800, part of Japanese-owned Suzuki Maruti stable whose base model sells for about 4,800 dollars -- nearly double the price of the Nano.

Nearest International Rival: China's Chery QQ which retails for 3,600 dollars.

Sales: Tata will focus on selling the car in India for the next two to three years, before eyeing Latin American and Southeast Asian markets.

Market: India's car market is a huge draw because car penetration is just seven per 1,000 people, compared to 550 per 1,000 in such countries as Germany or 476 in France, according to the Society of Indian Automobiles.

Company Details: Tata Motors is India's largest vehicle company with revenues of 7.2 billion dollars in 2006-2007. It is the leader in commercial vehicles, such as trucks and buses, and the second largest in passenger vehicles. There are over four million Tata vehicles on Indian roads.

Interestingly, Mr. Tata thought of this when he saw a family getting wet in the rain. What a feat -- especially when Tata Motors is going to buy out Jaguar!!

Wednesday Dec 12, 2007

Checking configuration in DPS

A quick recap of the commands to verify the configuration:

bash-3.00# dpconf info -p 5390
Enter "cn=Proxy Manager" password:
Instance Path : /space/dps_tiko
Host Name : void
Port : 5390
Secure port : 5636
SSL server certificate : defaultServerCert
Server version : Directory Proxy Server 6.2 (More recent than "dpconf" version)

bash-3.00# dpconf get-server-prop -p 5390
Enter "cn=Proxy Manager" password:
allow-cert-based-auth : deny
allow-ldapv2-clients : true

bash-3.00# dpconf list-ldap-data-sources -p 5390
Enter "cn=Proxy Manager" password:
dsmmuc05

bash-3.00# dpconf get-ldap-data-source-prop -p 5390 dsmmuc05
Enter "cn=Proxy Manager" password:
bind-dn : none
bind-pwd : none
client-cred-mode : use-client-identity
connect-timeout : 10s

bash-3.00# dpconf list-ldap-data-source-pools -p 5390
Enter "cn=Proxy Manager" password:
MasterPool
defaultDataSourcePool

bash-3.00# dpconf get-ldap-data-source-pool-prop -p 5390 MasterPool
Enter "cn=Proxy Manager" password:
client-affinity-policy : read-write-affinity-after-any
client-affinity-timeout : 20s

bash-3.00# dpconf list-attached-ldap-data-sources -p 5390 MasterPool
Enter "cn=Proxy Manager" password:
dsmmuc05

bash-3.00# dpconf get-attached-ldap-data-source-prop -p 5390 MasterPool dsmmuc05
Enter "cn=Proxy Manager" password:
add-weight : 1
bind-weight : 1
compare-weight : 1

bash-3.00# dpconf list-ldap-data-views -p 5390
Enter "cn=Proxy Manager" password:
MasterView
root data view

Friday Dec 07, 2007

"Error handling error: 122, Dacl is NULL:"

If you happen to see this error message ("Error handling error: 122, Dacl is NULL:") while installing DSEE, most likely it is caused by the FAT32 partition.

I noticed this while installing DSEE on my XP laptop. It failed while configuring the Cacao. Moving to an NTFS partition solved the issue.

Friday Sep 28, 2007

My worst flight ever on Air France/Air India

I would surely like to forget this. My Paris trip started with getting stranded at Gare' D lyon railway station for nearly 2 hours while waiting for the taxi. A gentleman came forward and helped us in getting a taxi. Later I realized that he was the taxi agent and it was his own taxi which cost me fortune. Alas!! Like it was not enough, I reached to the airport and the Air India Flight (operated by Air France..dunno what it means) attendant told that it would cost me 1200 euros if I check in my 4 luggages ( I was traveling with my wife). I told them that I am traveling from USA and I took a break in Paris for tourism. However, they didn't budge. I had to throw the stuffs from my suitcases. Since it is not allowed to throw the suitcases, I gave my suitcase to the guy at the counter.  Unfortunately, I had to throw the scrapbooks and the other toys I was getting for a new-born relative. I had to shell out 500 euros for the rest of my stuff.

If you ever read this, just make sure that you don't end up paying for a third passanger like I did. I can atleast stop traveling these flights for some consolation.





Powered by ScribeFire.

Saturday Aug 18, 2007

Workaround for Creative Vision M drivers on XP

I have had a hard time finding out why was it failing to recognize the portable device. Found a link on the website explaining that the MTP device needs some windows libraries to be detected. Follow these steps to get your vision M recognized by the XP:

Download an instalation of windows media player 11
Don't install it, just unpack using winrar
Start a file: umdf.exe
Go to device manager and remove your player
connect it once again and all should be fine


Powered by ScribeFire.

Wednesday Jul 18, 2007

iPhones flood wireless LAN at Duke University

See http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9027279&source=NLT_PM&nlid=8.

Looks like Apple should stop selling it now ;).

About

This is the blog of a software engineer, specialized in identity management. Kunal Sinha works in Directory Services Engineering (OpenDS) team from Austin,Texas.

Search

Archives
« March 2015
SunMonTueWedThuFriSat
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
    
       
Today
Bookmarks