Wednesday Jan 17, 2007

Verisign trial Cert

For the Update Center project we plan to sign the hosted jars and verify them on the client side. This way only trusted jars can be downloaded and installed by GlassFish users. I wanted to test this code with a trial certificate. Verisign makes this process very easy.

The list of SSL certificate packages is available on the Verisign website. I clicked on the Trial button to generate a trial certificate. Once the contact information is filled out, a form is shown asking for the type of server platform, the use of the certificate and the CSR. The following steps create the CSR. First a key pair needs to be generated. The following generates a key named "mykey" in the specified mykeystore file.

chandu(sv96363):~ -> keytool -genkey -keystore ~/public_html/mykeystore -keyalg rsa -alias mykey
Enter keystore password:  changeit
What is your first and last name?
What is the name of your organizational unit?
 [Unknown]:  Application Server
What is the name of your organization?
 [Unknown]:  Sun
What is the name of your City or Locality?
 [Unknown]:  Santa Clara
What is the name of your State or Province?
 [Unknown]:  California
What is the two-letter country code for this unit?
 [Unknown]:  US
Is, OU=Application Server, O=Sun, L=Santa Clara, ST=California, C=US correct?
 [no]:  yes

Enter key password for <mykey>
       (RETURN if same as keystore password):
 Then the CSR is obtained as follows:

chandu(sv96363):~ -> keytool -certreq -keystore ~/public_html/mykeystore -alias mykey

Enter keystore password: changeit


Almost immediately I got an email containing my trial cert. I saved the trial cert as uc_cert.cer. I imported this trial certificate along with the trial Root CA certificate.

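# Import the trial Root CA first, under its own alias ("trialroot" is a name chosen here), so the chain can be built
keytool -import -trustcacerts -keystore ~/public_html/mykeystore -alias trialroot -file ~/public_html/trial_root.cer
# Then import the issued certificate as the reply for the mykey key pair
keytool -import -trustcacerts -keystore ~/public_html/mykeystore -alias mykey -file ~/public_html/uc_cert.cer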

Now a jar file can be signed as follows:

jarsigner -keystore ~/public_html/mykeystore Test.jar mykey

Then it can be verified as follows:

jarsigner -verify -verbose -certs Test.jar
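
One way to do the client-side check this post is working toward, as an added example in Java (not Update Center code): `jarsigner -verify` reports success for a jar signed by any key, so the client here also requires every entry to be signed with one expected certificate. The class name, the command-line arguments and the choice to pin the certificate stored under an alias such as `mykey` are assumptions of this example.

```java
import java.io.File;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Enumeration;
import java.util.Locale;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added example: accept a downloaded jar only if every entry is signed by one pinned certificate.
public class VerifySignedJar {

    // Signature bookkeeping files directly under META-INF/ are never signed themselves.
    static boolean isSignatureFile(String name) {
        String n = name.toUpperCase(Locale.ROOT);
        if (!n.startsWith("META-INF/") || n.indexOf('/', "META-INF/".length()) != -1) return false;
        return n.equals("META-INF/MANIFEST.MF") || n.startsWith("META-INF/SIG-")
                || n.endsWith(".SF") || n.endsWith(".RSA") || n.endsWith(".DSA") || n.endsWith(".EC");
    }

    // True if one of the entry's signatures was made with the pinned certificate's key.
    static boolean signedBy(JarEntry entry, Certificate pinned) {
        CodeSigner[] signers = entry.getCodeSigners();
        if (signers == null) return false;              // unsigned entry
        for (CodeSigner s : signers) {
            // Element 0 is the certificate whose key made the signature. The rest of the
            // chain is supplied by the signer and not validated by JarFile, so ignore it.
            if (s.getSignerCertPath().getCertificates().get(0).equals(pinned)) return true;
        }
        return false;
    }

    // Returns the number of verified entries, or throws SecurityException.
    static int verify(File jarFile, Certificate pinned) throws Exception {
        int verified = 0;
        byte[] buf = new byte[8192];
        try (JarFile jar = new JarFile(jarFile, true)) {       // true = check signatures
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || isSignatureFile(entry.getName())) continue;
                // Digests are checked only when an entry is read to the end; a modified
                // entry makes read() throw SecurityException.
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { /* discard */ }
                }
                if (!signedBy(entry, pinned)) {
                    throw new SecurityException("not signed by the expected key: " + entry.getName());
                }
                verified++;
            }
        }
        if (verified == 0) throw new SecurityException("jar has no signed entries");
        return verified;
    }

    // Usage: java VerifySignedJar.java Test.jar <truststore> <store password> <alias>
    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: VerifySignedJar <jar> <truststore> <password> <alias>");
            System.exit(2);
        }
        KeyStore store = KeyStore.getInstance(new File(args[1]), args[2].toCharArray()); // Java 9+
        Certificate pinned = store.getCertificate(args[3]);
        if (pinned == null) throw new IllegalArgumentException("no certificate under alias " + args[3]);
        System.out.println(verify(new File(args[0]), pinned) + " entries signed by " + args[3]);
    }
}
```

Certificate expiry and revocation are not checked here; the only question answered is whether each entry was signed with the pinned key.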

Wednesday Dec 06, 2006

Update on Update Center (GlassFish) and lessons from Java Update

The engineers working on Update Center Project are excited to finish the milestone 2 of the project. Initial GUI is up and running. Next week, we will finish the Desktop tray implementation and we will also integrate into the GlassFish Application Server.

I also looked at Java Update functionality over this weekend. It is pretty cool. There was an update available, so a tool tip balloon appeared as below on my computer. When I clicked on the balloon, I got an option to Download or be reminded later. (screen shot shown below).
I like the fact that it asks you when to remind you about the update again. I can choose a time ranging from 30 mins to 3 days. This is very convenient. In the Update Center project we may think about doing this too.

Just like the Update Center project - options could be set to either manual option, download or just inform about the updates. As you can see in the following menu - "Check for updates automatically" can be turned on or off. Notification could be either "before downloading" or "before downloading and before installing". Unlike Update Center, there is no way to automatically download and install updates. Sometimes this could be very useful.
Now let me talk about the settings. The automatic update setting could be either daily, weekly or monthly. The default is day 0 at 4 p.m. I am assuming that is the 1st day of the month.
Update Center should also have a monthly option, rather than every week. A weekly scan is not required for many users. I also liked the proxy settings menu in Java Update. It looks like the following:
I like the fact that they let you choose either system settings or the browser settings. We will support the proxy configuration script option in Update Center in future. Finally, if you would like the System tray icon to disappear, you can uncheck the following option:
Just to recap, in Java Update I liked the remind me later feature, the ability to set monthly update checks and the more flexible proxy configuration. Please take a look at the Update Center GUI mockups and let us know how we can improve the look and feel of the Update Center GUI.

Thursday Oct 12, 2006

How good is Google Updater?

Last week I looked at Apple's Software Update feature. I want to summarize the Google Updater experience this week. This may help us in designing the Update Center user interface. Google Updater has a toolbar icon. If you click on it, it shows you the current status of Google's software. The screen shot looks like the following:

On my computer I already had Norton Antivirus 2004 installed. Google could update that software automatically. It had asked me to un-install before it could install the 2005 version.
You can look at the current installed software and the details like install size, date, option to run, option to uninstall and option to get more software. The screen shot for the installed software looks like the following:

One interesting fact is that it says "Software installed or detected by Google Updater". Even though I did not install Norton Antivirus 2004 through Google Updater, it shows it, because Norton Antivirus is part of Google Update Center. That's why the install date of Norton Antivirus is in 2004, whereas the others are in 2006. I tried clicking on the "Get more software" link. I get the following in a browser window:

I was a bit confused by the terminology here. This page says there is "no new software", however it shows the additional software links for Google Video, Picasa, Google screen saver etc. It meant that there are new versions, when it said "no new software". To confirm this fact, I clicked on the updates tab. As I expected, it shows that there are no updates (even though there is more software available for download). The screen shot looks like the following:

The most important tab is Preferences tab. You can control the behavior of Updater here. If you are behind firewall/proxy, you need to setup the proxy information here. The screen shot looks like the following:

The default is that Updater checks for the updates and installs them automatically. It also notifies the user if there is another update. By default Updater shows up in the system tray.
I did not like the fact that the term 'new software' is used interchangeably with 'newer software update', and I do not like the default of 'Automatically update software' rather than notifying the user. The version of Google Updater is very interesting too: version 1.2.567.20382.beta.en. :) The version name is a bit longer than I am used to. :) I am interested in learning more about what type of anonymous usage statistics Google intends to collect once that option is enabled. Overall I liked the Google Updater.

Monday Sep 11, 2006

Load Balancer Administration - Current Status

I presented about Load Balancer Administration in the User Experience Group. You can take a look at the slides and the meeting minutes. I received good feedback, especially from Vince Kraemer. He carefully reviewed CLIs and GUI and pointed out some issues. Some of which have existing RFEs/bugs associated with them.

As a follow-up to the user experience meeting, I wrote two blog entries detailing an easier way to install the load balancer plug-in and to set up the load balancer so that it receives configuration updates from DAS automatically: "Installing Load Balancer (Using APS Installer) with GlassFish" and "Updating and Monitoring HTTP Load Balancer". I also added the Loadbalancer Administration module page for GlassFish.

Following is the recap of the feedback Vince and others provided. I tried to classify the feedback into two areas - feedback to the existing features and feedback to Documentation.

Functionality Feedback
  • loadbalancer.xml's DTD lets the user configure error-url per web-module. By default LB uses a local page in its installation directory called default-error.html. There is no way to configure this now. Load Balancer admin should provide a way to configure this error url. (Bug # 6463611 is filed for this.)
  • A DTD documentation error was pointed out by Vince. The DTD says the unit of measurement for disable-timeout-in-minutes is seconds. It should say minutes. (Bug 6463768 is filed for this.)
  • Simplify adding multiple clusters to LB configuration. The user should be able to enter comma separated targets for the --target argument in the create-http-lb-config and create-http-lb commands. (Pre-existing RFE: 6193575)
  • There is a data overlap between the data in the loadbalancer.xml file for "our" lb plugin and configuration files for some of the other load balancers that I discussed on slide 4 of my presentation. XSLT "scripts" could be created to automate this for users that have those other LB configurations. No customer has asked for these yet. We could take community contribution in this area.
  • [Issue 1020] We have options to enable all server instances/applications in create-http-lb-ref command, but also need lbEnableAllInstances & lbEnableAllApplications options for create-http-lb-config.
  • Auto apply should not be enabled by default in GUI. Bug # 6468049 is filed.
  • When auto-apply flag is enabled, it should not produce a large stack trace with every asadmin command if DAS is unable to contact the loadbalancer. We should warn the user without creating lots of stack traces.

Documentation Feedback

I filed a documentation bug to improve documentation with the following items. The issue 1019 is filed as a tracking bug. I need to spend some more time to write the following documentation suggestions in great detail, which can then be consumed by the documentation team for production. Documentation for Application Server 8.2 is missing the following topics:

  • The current Loadbalancer Administration documentation mentions the CLI commands. It should also provide a link to each CLI command, so that the user can click on the command and immediately read more about it.
  • Document the way to change the value of the properties that were used/defaulted when a health-checker was created. Example dotted commands must be provided.
  • Clarify that the additional health-checker properties, like active-healthcheck-enabled, are global to the load balancer.
    • These properties can be added during create-http-lb-config or create-http-lb.
  • Clarify that there is no stand-alone verifier for the loadbalancer.xml. asadmin (GlassFish) generates a correct loadbalancer.xml. We try to remove the need to edit the loadbalancer.xml manually and avoid any editorial mistakes.
  • Clarify that  all the customizations of the loadbalancer.xml file are supported by CLI commands and GUI screens. If they aren't, it is a bug and must be fixed.
  • Table 5-1 and other tables must use the actual names for the parameter specified in DTD.
  • Document the way to set/change the disable-timeout-in-minutes attribute of the instance element. Provide a sample command.
  • Use cases like what happens when a new application is deployed, un deployed, a new HTTP listener is added and their semantics must be clearly documented. This should also cover how web-module elements are added and deleted from loadbalancer.xml.
  • Provide a link to the latest version of DTD/Schema of the loadbalancer.xml.
  • Talk about why we require the user to execute disable-http-lb-server  before they can execute delete-http-lb-ref.
  • Discuss the behavior of delete-http-lb-config, it does not delete the loadbalancer.xml file from the machine that has the lb installed. It only removes the config object on DAS. Even in the Auto Apply mode, the loadbalancer.xml is not deleted from lb installation. No further configuration updates are sent from DAS into LB in this case.
  • Provide the mapping between the elements of the lbxml and the asadmin commands that manipulate the object created by the create-http-lb-config command. For example:

    <!ELEMENT web-module (idempotent-url-pattern*)>
    <!ATTLIST web-module
        context-root               CDATA      #REQUIRED   --> comes from domain.xml (context-root in web-module element for stand alone modules, for an application it comes from descriptor)
        enabled                    %boolean;  "true"      --> asadmin enable-http-lb-application
        disable-timeout-in-minutes CDATA      "31"        --> asadmin disable-http-lb-application --timeout (you can only modify during disable, because that is when this is useful)
        error-url                  CDATA      ""  >       --> Bug # 6463611 is filed to fix this

The following must be corrected/added in 9.1 Documentation:

  • All the new commands like create-http-lb, delete-http-lb etc must be documented. New commands to add policy modules, set/change the listeners/weight attribute of the instance element must also be discussed. The way to enable/disable all the servers/applications in a config with just  --lbEnableAllApplications and --lbEnableAllInstances command/argument must be discussed. Please refer to the latest CLI man pages here.
  • Auto Apply feature must be documented.
  • The way to enable/disable all the servers/applications in a config with just  one command/argument must be discussed.
  • If the user wants to configure custom error pages, they need to be present on the machine that is balancing the load. A "best practice" for names/locations/content/whatever that we should encourage folks to follow (or build tools to automate) must be documented.

Thursday Sep 07, 2006

Updating and Monitoring HTTP Load Balancer

My previous blog talks about setting up a Load Balancer plug-in. If you set up an SSL connection between DAS and the load balancer, configuration changes can be pushed from DAS (Domain Administration Server) to the load balancer automatically. This avoids manually copying loadbalancer.xml. Monitoring data about the load balancer can also be obtained once SSL is set up. The following instructions talk about setting up the load balancer in SSL mode.

Instructions to install load balancer and enable the 9.0 features:

Please make sure that you have the load balancer setup using either instructions from my previous blog or using manual steps. Start the webserver's admin server by calling <web server home>/https-admserv/start. Now you are ready to setup the SSL.

1. From the browser access the admin gui of the webserver and login

2. Select your server instance and click on manage

3. Click on security tab

4. Initialize the trust database by giving the username and password. This could be done either using certutil or using GUI. The following certutil options could be used to initialize trust database:

certutil -N -P "" -d .
When prompted by certutil, enter the password to encrypt your keys:

Enter a password which will be used to encrypt your keys. The password should be at least 8 characters long, and should contain at least one non-alphabetic character.

Enter new password: your-password
Re-enter password: your-password

The following is the screen shot for this task :

5. Create a sample local CA (Certificate Authority)

certutil -S -P "" -d . -n SelfCA -s "CN=Self CA,,C=US" -x -t "CT,CT,CT" -m 101 -v 99 -5

You will be asked to enter 0-7 for the type of certificate; please choose 5 for SSL CA. The same dialog is shown again; this time choose 9 to finish the dialog.

For the following question Is this a critical extension [y/n]? please answer y.

6. Use the sample CA created above to generate a certificate

certutil -S -P "" -d . -n MyServerCert -s ",C=US" -c SelfCA -t "u,u,u"   -m 102 -v 99 -5

You will be asked to enter 0-7 for the type of certificate; please choose 1 for SSL Server. The same dialog is shown again; this time choose 9 to finish the dialog.

For the following question Is this a critical extension [y/n]? please answer y.

7. Edit the current http listener socket by clicking on "Preferences->Edit Listen Socket", enable the security and choose the certificate created in step 6. The following is the screen shot for this task :

If you do not wish to use the GUI, change the entry to read as follows:

Change the LS tag so that the value of security= is "true"; the tag must be altered to contain additional body content and a closing tag. Be sure to remove carriage returns when adding the tag.
<LS id="ls1" port="80" servername="$DEPLOY-INSTANCE" defaultvs="https-$DEPLOY-INSTANCE" ip="any" security="true" acceptorthreads="1" blocking="false">
<SSLPARAMS servercertnickname="$HOST-DOMAIN" ssl2="off" ssl2ciphers="-rc4,-rc4export,-rc2,-rc2export,-desede3,-des" ssl3="on" tls="on" ssl3tlsciphers="-rsa_rc4_128_sha,+rsa_rc4_128_md5,-rsa_rc4_56_sha,-rsa_rc4_40_md5,+rsa_3des_sha,+rsa_des_sha,-rsa_des_56_sha,-rsa_rc2_40_md5,-rsa_null_md5,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,+fips_3des_sha,-fips_des_sha" tlsrollback="on" clientauth="off"/>
</LS>

8. Export DAS certificate by executing the command

<as home>/lib/upgrade/pk12util -d <domain root>/config -o sjsas.p12 -W <file password> -K <master password> -n s1as

9. Import the DAS certificate into the webserver instance

<webserver home>/bin/https/admin/bin/pk12util -i sjsas.p12 -d <webserver home>/alias -W <file password> -K <webserver security db password> -P <instance-name>-<hostname>-

<webserver home>/bin/https/admin/bin/certutil -M -n s1as -t "TCu,Cu,Tuw" -d alias -P <instance-name>-<hostname>-

This command makes the s1as CA a trusted CA for signing both client and server certificates. The following screen shot shows a sample certificate:

If obj.conf does not contain the following lines, please insert them at the end of obj.conf:

<Object ppath="*lbconfigupdate*">
PathCheck fn="get-client-cert" dorequest="1" require="1"
</Object>
<Object ppath="*lbgetmonitordata*">
PathCheck fn="get-client-cert" dorequest="1" require="1"
</Object>

You can verify the above setup from DAS. From the appserver admin GUI, create a cluster and a load balancer. Instead of using a local CA, you can use any other CA and server certificate. In that case you skip steps 5 and 6, but need to import the server certificate you obtained from the other CA.
From the CLI, the following creates the load balancer and sets it up so that DAS posts the configuration changes automatically to that load balancer.

asadmin create-http-lb-config --target cluster1 sample_lb_config

asadmin create-http-lb --config sample_lb_config --autoapplyenabled=true --devicehost device_host_or_ip --deviceport device_port sample_lb

Give the webserver host and https listener port for the device host and port. Click on test connection to test the connection. By default a load balancer created from the GUI uses an SSL connection to connect to the load balancer device.

Wednesday Aug 23, 2006

Installing Load Balancer (Using APS Installer) with GlassFish

Dinesh published a blog on Configuring the Cluster/Load Balancer with GlassFish V2. It involves downloading the web server and manually configuring it. GlassFish V2 does not have an installer to do this job. However, the APS installer could be used for this purpose. The following are the instructions to set up the load balancer using the APS installer.

Tuesday Aug 22, 2006

Setting up BIG-IP v4.5 LoadBalancer with GlassFish

Prashant Abbagani wrote detailed instructions on setting up the BIG-IP load balancer with Sun Application Server (GlassFish). I am posting his work.

Friday Aug 18, 2006

WS Management.NEXT in GlassFish

In GlassFish v1, we added support for Web Services automatic discovery, monitoring and integrated with Web Services registry. GlassFish v1 also supports message level security and XSLT transformation. Using these features one can secure Web Services on the wire and also do performance monitoring, track usage, analyze failures and do debugging during development. Refer to this article and screencast for more details on v1 features.

We are planning to extend the existing Web Services monitoring capabilities in GlassFish with more sophisticated features such as Activity Monitoring, Service Monitoring, Policy Management and Service Testing and Validation. Activity Monitoring lets you monitor and view only the activities of interest rather than all web service calls, which increases the administrator's productivity. Service Monitoring enables monitoring of key service levels such as performance and availability targets, and raises alerts for immediate attention if the boundary conditions are broken. Each web service deployment has its own policies to enforce in terms of inter-operability and security requirements. We allow easier management of these policies. Service Testing provides an easy way to test and verify key deployment properties like inter-operability and makes sure that web services work for all possible kinds of inputs.

Refer to this document and presentation for more details on the planned features. Please give us feedback via comments on blog.

Tuesday Feb 14, 2006

Useful blog on Pluto

If you are trying to develop portlets on GlassFish using Pluto, the following blog will be useful. This blog covers more information than the Apache documentation.

Wednesday Feb 08, 2006

@OneWay or @Oneway?

I was coding a oneway web service method. I looked for documentation about this annotation. I found the following on and another list on. I could not import javax.jws.OneWay. So it looks like javax.jws.Oneway (@Oneway) is the right annotation. Hopefully these links will be fixed soon.

Monday Feb 06, 2006

Sample Portlet development in Glassfish

I copied the pluto-1.0.1.jar and portlet-api-1.0.jar from Apache Pluto 1.1 distribution into $GLASSFISH_HOME/lib. Please note that these jar files are in pluto-1.0.1/shared/lib directory. Started the GlassFish server. I downloaded the Sample Portlet and copied to $GLASSFISH_HOME/domains/domain1/autodeploy.

Verified that deployment went through fine. The server.log had the following output:

[#|2006-02-06T23:30:30.421-0800|INFO|sun-appserver-pe9.0|javax.enterprise.system.core.classloading|_ThreadID=12;_ThreadName=Timer-4;|Finished loading persistence units for application: /export/satish/install/glassfish/domains/domain1/applications/j2ee-modules/SamplePortlet|#]
[#|2006-02-06T23:30:30.528-0800|INFO|sun-appserver-pe9.0||_ThreadID=12;_ThreadName=Timer-4;success;|ADM1042:Status of dynamic reconfiguration event processing:[success]|#]
[#|2006-02-06T23:30:30.531-0800|INFO|sun-appserver-pe9.0||_ThreadID=12;_ThreadName=Timer-4;|[AutoDeploy] Successfully autodeployed : /export/satish/install/glassfish/domains/domain1/autodeploy/SamplePortlet.war.|#]

Soon I will use this Portlet in an application and verify the portlet implementation.

Monday Jan 30, 2006

Samples in GlassFish

By default samples are not available in GlassFish builds. The following Build instructions talk about checking out the source and building the server from scratch. Once the build is complete, check out the 'packager'.

% cd workspace
% cvs -d :pserver:<userid> checkout packager
% cd packager
% maven bootstrap

You should now see samples in glassfish.home.

Friday Jan 27, 2006

Monitoring web services in Glassfish

JAX WS 2.0 and Annotations (JSR 181) makes developing Web Services easy. Now Glassfish takes it further by providing Monitoring functionality for Web Services. TechTip has been posted on where this is discussed with a sample application.


