Thursday, November 26, 2009

Retrieving a server public SSL key on Solaris 10 (such as GMail's)

This is a tip for you, UNIX users (with OpenSSL installed), who wish to obtain a server's public SSL key.

I'm configuring a Java EE application that needs to connect to an IMAP server using SSL on a Solaris 10 box. For that reason, I need to import the IMAP server SSL public key into my Java runtime certificates file.

Solaris 10 ships a bundled OpenSSL package, which makes this task very easy. Just launch your favorite shell and execute the following command:
$ openssl s_client -connect destination.server:[service|port]

In my case, since the IMAP server uses a non-standard port, I used:

$ openssl s_client -connect my.imap.server:999
CONNECTED(00000004)
[...snip...]
---
Server certificate
-----BEGIN CERTIFICATE-----
[...snip...]
-----END CERTIFICATE-----
[...snip...]

What I need to import is the certificate shown above, including the BEGIN and END lines.

I saved the key in a file called imap.key and imported it into my Java runtime certificates file with the following command:

$ /usr/jdk/latest/bin/keytool -import -alias imap.gmail.com -keystore /usr/jdk/latest/jre/lib/security/cacerts -file imap.key
[Insert password here]
[Confirm key import]

Done!
Now my Java application can use that public key to establish a secure SSL connection with the target IMAP host.
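The retrieval and import steps above, as an added example that is not part of the original post: a Python script that pulls the certificate block out of the output of the same openssl s_client command used above (stdin from /dev/null so it returns after the handshake), decodes it and prints a fingerprint to compare against one obtained out of band before the keytool import. The s_client output embedded in the script is a constructed sample whose base64 body is not a real certificate.

```python
"""Extract the server certificate from `openssl s_client` output and print
its fingerprint before importing it with keytool.

Added example, not code from the original post. `openssl s_client` does not
fail on an untrusted certificate, so what you import is whatever the peer
sent; compare the fingerprint with one obtained out of band before running
keytool -import, and remember that an entry added to the JRE-wide cacerts
file is trusted by every Java application on that runtime.
"""
import base64
import hashlib
import subprocess
import sys

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def extract_pem(s_client_output):
    """Return the first PEM certificate block in the output, or None."""
    lines = s_client_output.splitlines()
    try:
        start = lines.index(BEGIN)
        end = lines.index(END, start)
    except ValueError:
        return None
    return "\n".join(lines[start:end + 1]) + "\n"


def pem_to_der(pem):
    """Decode the base64 body between the BEGIN/END lines into DER bytes."""
    body = [l for l in pem.splitlines() if l and not l.startswith("-----")]
    return base64.b64decode("".join(body), validate=True)


def fingerprint(der, algorithm="sha256"):
    """Colon-separated uppercase digest of the DER bytes, in the layout
    `openssl x509 -fingerprint` prints."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_server_cert(host, port):
    """Run the command from the post; stdin from /dev/null so s_client exits
    after the handshake instead of waiting for input."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}"],
        stdin=subprocess.DEVNULL, capture_output=True, text=True, check=False)
    return extract_pem(proc.stdout)


# Constructed sample of s_client output; the base64 body is the text
# "constructed", not a real certificate.
SAMPLE_OUTPUT = """\
CONNECTED(00000004)
---
Server certificate
-----BEGIN CERTIFICATE-----
Y29uc3RydWN0ZWQ=
-----END CERTIFICATE-----
subject=/CN=my.imap.server
"""

if __name__ == "__main__":
    if len(sys.argv) == 3:
        pem = fetch_server_cert(sys.argv[1], sys.argv[2])
    else:
        pem = extract_pem(SAMPLE_OUTPUT)
    if pem is None:
        sys.exit("no certificate found in s_client output")
    print(pem, end="")
    print("SHA256 fingerprint:", fingerprint(pem_to_der(pem)))
    print("If it matches the fingerprint obtained out of band, save the PEM "
          "as imap.key and run keytool -import.")
```

Run it as `python3 fetchcert.py my.imap.server 999` to query a live server, or with no arguments to see the constructed sample processed.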

Tuesday, November 24, 2009

Protecting workflow transitions in JIRA

Today I created a bunch of new projects in our JIRA 4.0 instance and, for the first time, I needed to create a custom workflow for some issue types. JIRA is flexible and powerful, and it was pretty easy to create a new workflow by cloning (copying) the default JIRA workflow. All I had to do to fulfil my requirements was:
  • Define a new status: Waiting for feedback
  • Define a new step: Waiting for feedback
  • Create new transitions to and from this new workflow state.

Leveraging JIRA's powerful administration console, the new workflow was defined in just a few minutes. Once done, I defined a new workflow scheme and associated it with some of my new projects.

It was with some surprise that I realized that the new transition wasn't restricted to developers: anyone could trigger it. Obviously I had overlooked something in the configuration, so I checked the permissions; everything seemed fine until I realized what was wrong: workflow transitions are protected by conditions. In my case, I required that only the issue assignee could trigger a transition.

Although the workflow was already in use, creating a draft workflow was a no-brainer. In the draft workflow I added the required condition:
Only the assignee of the issue can execute this transition.

Once done, I published the new workflow. JIRA quickly converted the existing issues to the new workflow and the error was corrected without even bringing the project down.

Sunday, November 22, 2009

Configuring Sendmail to Relay Messages from Other Servers

Index

Part 1. Configuring Sendmail on Solaris 10
Part 2. Configuring Sendmail to Masquerade Your Messages
Part 3. Configuring Sendmail to Relay Messages to Another Server
Part 4. Configuring Sendmail to Relay Messages from Other Servers

Introduction

In the previous post you learnt how to configure Sendmail to relay messages to another server. Now such a server should probably be configured to accept, from other servers, the messages it is to relay. The Solaris 10 Sendmail default configuration does not allow relaying, so the proper configuration must be applied to Sendmail.

Configuring Relay for Hosts and Domains

The quickest way to have Sendmail relay messages for other domains is to modify the /etc/mail/relay-domains file. Sendmail will relay mail for every domain listed in that file. If you want your server to relay messages for the domains a.com, b.com and c.com, just insert the corresponding lines into /etc/mail/relay-domains and restart your Sendmail instance:

# cat /etc/mail/relay-domains
a.com
b.com
c.com

Configuring the Access Database

If you want to relay messages from specific hosts (as well as domains and networks) you can use the access database. The access database maps email addresses, network numbers and domain names to a rule. Available rules are:
  • OK: Accept mail even if other rules in the running ruleset would reject it.
  • RELAY: Accept mail addressed to the indicated domain or received from the indicated domain for relaying.
  • REJECT: Reject the sender or recipient with a general purpose message.
  • DISCARD: Discard the message completely using the $#discard mailer.
  • (An RFC 821-compliant error text): Return the error message.

If you want your Sendmail to relay mail for a domain or from some specific hosts, modify your /etc/mail/access accordingly:
your-domain       RELAY
192.168.0         RELAY
another-domain    RELAY
unwanted-host     REJECT

Once done, you have to generate the access db with the following command:

# makemap hash /etc/mail/access.db < /etc/mail/access
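Before running makemap, it is worth auditing the access file for typos in the right-hand side and for RELAY entries that are broader than intended, since every RELAY key names a source that may use this server as a relay. The following Python script is an added example, not part of the original post: it parses entries into (key, rule) pairs, validates each rule against the keywords listed above (or an RFC 821-style 4xx/5xx error text), lists the RELAY sources and flags single-octet keys, which match an entire IPv4 /8 because Sendmail looks up progressively shorter address prefixes. The embedded access file is a constructed sample built from the entries above.

```python
"""Audit an /etc/mail/access file before feeding it to makemap.

Added example, not code from the original post: it parses access entries
into (key, rule) pairs, validates each right-hand side against the rules
the post lists, and reports which sources are granted RELAY, which is the
list to review before enabling FEATURE(`access_db').
"""
import re

# Rule keywords from the post; anything else must be an RFC 821-style
# error text, i.e. a 4xx/5xx reply code followed by a message.
RULES = {"OK", "RELAY", "REJECT", "DISCARD"}
ERROR_TEXT = re.compile(r"^[45]\d\d(\s.*)?$")
# A RELAY key that is a single IPv4 octet matches an entire /8,
# because sendmail looks up progressively shorter address prefixes
# (192.168.0.1, then 192.168.0, then 192.168, then 192).
SINGLE_OCTET = re.compile(r"^\d{1,3}$")


def parse_access(text):
    """Return (entries, errors): entries are (lineno, key, rule) tuples,
    errors are human-readable messages for lines makemap would not want."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # blank or comment line
            continue
        parts = line.split(None, 1)               # key, then the whole right-hand side
        if len(parts) != 2:
            errors.append(f"line {lineno}: missing rule for {parts[0]!r}")
            continue
        key, rule = parts[0], parts[1].strip()
        if rule not in RULES and not ERROR_TEXT.match(rule):
            errors.append(f"line {lineno}: unknown rule {rule!r}")
            continue
        entries.append((lineno, key, rule))
    return entries, errors


def relay_sources(entries):
    """Hosts, networks and domains allowed to use this server as a relay."""
    return [key for _, key, rule in entries if rule == "RELAY"]


def broad_relay_entries(entries):
    """RELAY keys that cover a whole IPv4 /8; these deserve a second look."""
    return [key for key in relay_sources(entries) if SINGLE_OCTET.match(key)]


# Constructed sample: the entries from the post plus two extra lines.
SAMPLE_ACCESS = """\
# relay policy (constructed sample)
your-domain       RELAY
192.168.0         RELAY
another-domain    RELAY
unwanted-host     REJECT
10                RELAY
spammer.example   550 We do not accept mail from you
"""

if __name__ == "__main__":
    entries, errors = parse_access(SAMPLE_ACCESS)
    for err in errors:
        print("ERROR:", err)
    print("RELAY granted to:", ", ".join(relay_sources(entries)))
    for key in broad_relay_entries(entries):
        print(f"WARNING: {key!r} relays for an entire /8")
```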

Enabling the Access Database

To have your Sendmail use the access database, you must enable the access_db feature in its configuration file:

# cat your-file.mc
[...snip...]
FEATURE(`access_db')
[...snip...]

Restart your Sendmail and enjoy!

A Word of Warning: DNS Configuration

Sendmail often requires that the host names you use in your configuration files (such as the access database) are properly configured in your name server, for both forward and reverse lookup. I hope this will spare you some headaches while debugging.

Configuring Sendmail to Relay Messages to Another Server

Index

Part 1. Configuring Sendmail on Solaris 10
Part 2. Configuring Sendmail to Masquerade Your Messages
Part 3. Configuring Sendmail to Relay Messages to Another Server
Part 4. Configuring Sendmail to Relay Messages from Other Servers

Introduction

Sometimes you just need to configure your Sendmail to relay messages to another server. I often use such a configuration to centralize Sendmail configuration: if something has to change, I only need to change a small number of configuration files. For example, I make heavy use of Solaris Zones technology. Unless a particular configuration is needed, whenever I create a new zone I just configure its Sendmail to relay messages to another server (which is, incidentally, one of the preconfigured Sendmail zones we use).

Setting Up a Sendmail Smart Host

Setting up Sendmail to relay messages to another server is pretty easy. Modify your configuration file and use the following macro:

[...snip...]
define(`SMART_HOST', `your-smart-host')

[...snip...]

The smart host is the host this instance will relay messages to. This macro is translated into a DS statement in your Sendmail configuration file. You should never modify .cf files directly: always compile .mc files! That said, it is sometimes useful to know the .cf syntax, if you need to interpret existing .cf files whose corresponding .mc files have been lost (something that should never happen to a seasoned system administrator).

Configuring Sendmail to Masquerade Your Messages

Index

Part 1. Configuring Sendmail on Solaris 10
Part 2. Configuring Sendmail to Masquerade Your Messages
Part 3. Configuring Sendmail to Relay Messages to Another Server
Part 4. Configuring Sendmail to Relay Messages from Other Servers

Sendmail Masquerading

Now that you've got your Sendmail up and running it's time to do some tweaking. If you try to send mail from your host, you'll notice that messages are sent from an address such as your-user-name@hostname.your.domain. That's probably not what you want (that address probably isn't even reachable from the outside): you'd rather have your-user-name@your.domain. That feature is called masquerading. To masquerade outgoing mail you can use the MASQUERADE_AS and MASQUERADE_DOMAIN macros, as in the following example:

divert(0)dnl
VERSIONID(`@(#)sendmail.mc      1.11 (Sun) 06/21/04')
OSTYPE(`solaris8')dnl
DOMAIN(`solaris-generic')dnl
define(`confFALLBACK_SMARTHOST', `mailhost$?m.$m$.')dnl
MASQUERADE_AS(`your-domain.com')dnl
FEATURE(`masquerade_envelope')dnl
FEATURE(`masquerade_entire_domain')dnl
FEATURE(`always_add_domain')dnl
MASQUERADE_DOMAIN(`your-domain.com')dnl
MAILER(`local')dnl
MAILER(`smtp')dnl

LOCAL_NET_CONFIG
R$* < @ $* .$m. > $*    $#esmtp $@ $2.$m $: $1 < @ $2.$m. > $3

Restart your Sendmail and the job is done.

Configuring Sendmail on Solaris 10

Index

Part 1. Configuring Sendmail on Solaris 10
Part 2. Configuring Sendmail to Masquerade Your Messages
Part 3. Configuring Sendmail to Relay Messages to Another Server
Part 4. Configuring Sendmail to Relay Messages from Other Servers

Introduction

Whoever has tried to get Sendmail up and running will agree that taming Sendmail requires black magic. I won't even try to get into Sendmail internals and details: I haven't mastered it and am content with being able to configure my Solaris box (and zones) to fulfil my needs. Nevertheless, I'll admit that Sendmail has its own spell, and I felt compelled to keep reading to discover what it is capable of.

Verifying Sendmail State and Starting It Up

Solaris 10 Sendmail is configured as an SMF-managed service. To check sendmail status you can use:

$ svcs \*sendmail\*
STATE          STIME    FMRI
online         14:19:23 svc:/network/smtp:sendmail

If Sendmail is not enabled, just use svcadm to bring it up:

# svcadm enable svc:/network/smtp:sendmail

Configuring Sendmail for Open Mode

Solaris 10 Sendmail configuration is such that Sendmail will only run in local mode, thus rejecting connections from other hosts. If you want to review Sendmail default Solaris 10 configuration, you can use:

# svccfg -s svc:/network/smtp:sendmail listprop
[...snip...]
config/local_only                    boolean  true
[...snip...]

If you're curious, SMF properties are consumed by SMF methods. A closer look at the Sendmail startup script in Solaris 10 indeed reveals the following:

    local=`/usr/bin/svcprop -p config/local_only $SMF_FMRI 2>/dev/null`
    if [ $? = 0 -a "$local" = "true" ]; then
        OPTIONS="$OPTIONS -C /etc/mail/local.cf"
    fi

If you want to configure your Sendmail to work in open mode you can run the following:

# svccfg -s svc:/network/smtp:sendmail setprop config/local_only= boolean: false
# svcadm restart svc:/network/smtp:sendmail

Solaris 10 Default configuration

If you inspect the default sendmail.mc file for Solaris 10 you'll find the following:

divert(0)dnl
VERSIONID(`@(#)sendmail.mc      1.11 (Sun) 06/21/04')
OSTYPE(`solaris8')dnl
DOMAIN(`solaris-generic')dnl
define(`confFALLBACK_SMARTHOST', `mailhost$?m.$m$.')dnl
MAILER(`local')dnl
MAILER(`smtp')dnl

LOCAL_NET_CONFIG
R$* < @ $* .$m. > $*    $#esmtp $@ $2.$m $: $1 < @ $2.$m. > $3

The local and smtp mailers are on and you should be able to send mail, both locally and remotely, from such a host. Unless you perform additional configuration, you won't be able to connect remotely to this instance or use it as a mail relay. Naturally, some tweaking is usually required, and it is performed with the procedure described in the following sections.

Building a Configuration File for Sendmail

To build a configuration file for your Sendmail you can perform the following steps:
  • Temporarily disable your Sendmail:

# svcadm disable -t svc:/network/smtp:sendmail

  • Go to the Sendmail configuration templates directory:

# cd /etc/mail/cf/cf

  • Start with a fresh file and write your configuration down:

# cp sendmail.mc your-file.mc

  • Compile your file:

# /usr/ccs/bin/make your-file.cf

  • Test your configuration:

# sendmail -C your-file.cf -v your-email-address </dev/null

  • Apply your configuration:

# cp your-file.cf /etc/mail/sendmail.cf

  • Restart and use Sendmail:

# svcadm enable svc:/network/smtp:sendmail

A good place to start for studying Solaris 10 Sendmail is Solaris System Administration Guide: Network Services (Chapter 13).




Thursday, November 19, 2009

Web Technologies on a Desktop Application - Portability Does Matter

What's the most commonly used desktop application? For the great majority of people the answer is simple: the browser. The omnipresent browser is no longer perceived as an application: instead, it's the container where web applications run.

Although there's still plenty of room for desktop applications, they can't be thought of as stand-alone any longer. Users continuously rely on the Internet as a source of information, and desktop applications have had to learn to use the Internet as if it were a database.

Browsers and web developers probably learnt that first: Web Services and the AJAX paradigm are just the latest trends in the industry. Vendors have been implementing similar technologies in their SDKs, and the boundary between web technologies and general-purpose frameworks gets thinner day by day.

I still remember when the JAX-* specifications were being integrated into Java 2 Enterprise Edition: nowadays you can hardly think of a Java desktop application that doesn't leverage JAX-WS or JAX-RS.

Many vendors have been trying to port web technologies to the desktop, and the major players in this area are:
  • Adobe, with Adobe AIR
  • Sun Microsystems, with the JavaFX framework
  • Google, with Google Gears

I've been using Gears-powered applications intensively just because I'm a faithful user of Google applications. I must say that I'm pretty happy with them, and in this sense Google is probably taking one more step in this direction with its Google Chrome OS. Nowadays, although Google Chrome is still a browser, it really acts as an environment for Google Gears applications.

As far as JavaFX is concerned, I've played a little with it in NetBeans and I must say that I'm impressed. Java SE and Java EE already have all the pieces you need to build rich internet applications, and JavaFX goes one step further: it's a platform that aims to support a variety of devices (browsers, mobile phones, gaming consoles and so forth).

Adobe AIR is impressive: although I never wrote a line of code for it, I've seen some applications and, as with anything Adobe, great emphasis is placed on integration with Flex/Flash applications.

Which one should I go with?

Although every framework has its own peculiar advantages, such a decision depends on many factors, such as your needs and your requirements.

One of the fundamental advantages of web applications is their (usual) platform independence. Yes, there are many glitches depending on the browser you're using, but nowadays the situation is pretty satisfactory, at least as far as application functionality is concerned. Such independence is achieved by means of the browser, which is the container in which the application is executed. Taking an application out of the browser is complex, and in that process you run the risk of reducing its portability. That's the original sin of many frameworks, such as Adobe AIR.

I strongly believe in portability; that's something I'm never going to sacrifice easily, and when I do, the requirement must be compelling. That's why I always go with Java.

Leaving aside the enterprise-level technologies supported by Java Enterprise Edition, Java gives you the basic tools you need, such as:
  • A powerful programming language.
  • Support for Web Services (JAX-RPC and JAX-WS).
  • Support for RESTful Web Services (JAX-RS).
  • Support for AJAX.
  • Integration with databases (JDBC, JPA).

The Java language itself has recently been enhanced with annotations, which are commonly used by specifications and frameworks (such as Spring) to greatly reduce boilerplate code. EJB 3.0, JPA, JAX-RS and JavaBeans Validation (JSR-303) are just examples of the annotation-centric APIs you can use in a Java program simply by applying metadata to your class and letting the framework (or the container) do the job. POJO-based and annotation-based frameworks and APIs have greatly contributed to simplifying the programming models previously used: whether you're developing a web service, a web service client, an interaction with a DB or an EJB, you're probably producing just POJOs. Reusing such objects is straightforward: the boundaries that existed between the various kinds of Java applications have blurred and nowadays are almost gone.

Moreover, in the incredibly vast ecosystem of Java libraries and frameworks you're probably going to find everything you need to get the job done.

Conclusion

When deciding which tools you're going to use to develop your next application, always consider that there's someone out there who might not be using your browser or your OS. If you haven't got compelling reasons, don't shut the door in their face. Users do not understand, sometimes not even when given reasons. And they'd just turn to another provider.


Tuesday, November 17, 2009

Apache HTTP Server Virtual Hosts (on Solaris)

Some posts ago (Poor man's web redirection using a servlet filter) I described how I send an HTTP redirect status code back to a client. Such a solution was easy for me to implement because we already run Java EE applications on our application servers and, on the other hand, we had no other web server available (if you're thinking about Apache HTTP Server). What the previous post fails to point out is that implementing such a solution from scratch is really overkill.

If you're one of the many users of Apache HTTP Server you should be aware of a feature called Virtual Hosts. Virtual hosts let you run multiple web sites on a single Apache HTTP Server instance; requests are routed to the appropriate web site by either the target IP address or the host name you used to connect to the site. The last step is configuring Apache so that such a virtual host is served by proxying the destination server.

With such a proxy/gateway you'll be able, for example:
  • To serve different domains, subdomains or even specific URLs with just one Apache HTTP Server instance.
  • To offer a gateway when you have a small number of public IPs and don't want to publish HTTP services on ports other than 80.

DNS configuration

First of all I replaced the old DNS record with a CNAME that points to this Apache HTTP Server instance. Now, whenever a client requests www.domainA.com, the connection is established with the target Apache.

Apache HTTP Server Startup

On (Open)Solaris, check if you've got an Apache HTTP Server instance running:
# svcs \*apache\*
STATE          STIME    FMRI
legacy_run     Mar_13   lrc:/etc/rc3_d/S50apache
disabled       Mar_13   svc:/network/http:apache2

If it isn't running, create a suitable configuration file in /etc/apache2:
# cp httpd.conf-example httpd.conf

Once the configuration file is created, the service should start normally:
# svcadm enable svc:/network/http:apache2
# svcs http:apache2
STATE          STIME    FMRI
online         Nov_15   svc:/network/http:apache2

Apache HTTP Server Configuration

The last thing to do is to create the virtual hosts:

NameVirtualHost *

<VirtualHost *>
ServerName domainA.com
DocumentRoot /var/apache2/htdocs
</VirtualHost>

<VirtualHost *>
ServerName subdomain.domainA.es
ProxyPreserveHost On
ProxyPass / http://localhost:8083/
ProxyPassReverse / http://localhost:8083/
</VirtualHost>

In the previous fragment you can notice the following:
  • The NameVirtualHost directive tells Apache which address and port to use for name-based virtual hosting. In this case, any IP address and any port (*) have been configured.
  • The VirtualHost sections let you define virtual hosts. Please note that the NameVirtualHost value and the VirtualHost value must be the same (in this case, *).
  • The ServerName directive assigns the domain name a virtual host should serve.
  • ProxyPreserveHost tells Apache not to override the Host HTTP header when connecting to the proxied host.
  • ProxyPass and ProxyPassReverse let you map proxied URL spaces. In this case, everything (/) is sent to the proxied host (http://localhost:8083/).

Further Readings
If you want to go into deeper detail, please read the following:


Sun xVM VirtualBox 3.0.12 has been released

On November 17th, Sun announced the release of Sun xVM VirtualBox 3.0.12. The changelog for this release is the following:
  • VMM: reduced IO-APIC overhead for 32 bits Windows NT/2000/XP/2003 guests; requires 64 bits support (VT-x only; bug #4392)
  • VMM: fixed double timer interrupt delivery on old Linux kernels using IO-APIC (caused guest time to run at double speed; bug #3135)
  • VMM: reinitialize VT-x and AMD-V after host suspend or hibernate; some BIOSes forget this (Windows hosts only; bug #5421)
  • VMM: fix loading of saved state when RAM preallocation is enabled
  • BIOS: ignore unknown shutdown codes instead of causing a guru meditation (bug #5389)
  • GUI: never start a VM on a single click into the selector window (bug #2676)
  • Serial: reduce the probability of lost bytes if the host end is connected to a raw file
  • VMDK: fix handling of split image variants and fix a 3.0.10 regression (bug #5355)
  • VRDP: fixed occasional VRDP server crash
  • Network: even if the virtual network cable was disconnected, some guests were able to send / receive packets (E1000; bug #5366)
  • Network: even if the virtual network cable was disconnected, the PCNet card received some spurious packets which might confuse the guest (bug #4496)
  • Shared folders: fixed changing case of file names (bug #2520)
  • Windows Additions: fix crash in seamless mode (contributed by Huihong Luo)
  • Linux Additions: fix writing to files opened in O_APPEND mode (bug #3805)
  • Solaris Additions: fix regression in guest additions driver which among other things caused lost guest property updates and periodic error messages being written to the system log

If you want to update or if you want to give VirtualBox a test drive, download it now.

Friday, November 13, 2009

Fluendo DVD Player for Solaris has finally been released


Many of us Solaris users have been waiting a long time for this. Fluendo has finally released its DVD Player for Solaris as well.

This is great news. I've been using Fluendo codecs on Solaris for a long time and I'm trying their DVD Player right now. So far I've had no issues, and it clearly is a leap forward for Solaris as a desktop platform.

There are, of course, free and open source alternatives such as Xine and MPlayer. To be fair, I never had any problem with Xine: I've been a faithful Xine user for many years. The only issues I had are related to Blastwave's Xine packages, which seem to have broken many Nevada builds ago (b110 more or less). To play encrypted DVDs you also need to compile your own libdvdcss, which may be an issue for a non-technical user.

If you're willing to support companies like Fluendo, which is supporting the Solaris Operating System even for desktop products like a DVD Player, please don't think twice and buy it.


Sunday, November 1, 2009

Jump Into the Past: a Duke 3D revival



"Damn! Those alien bas***ds are gonna pay for shooting up my ride."

Does this opening sentence sound familiar to you? Two days ago, after installing Duke Nukem 3D on my iPhone, I launched the game and was welcomed by it.

I used to play with Duke on a PC powered with a Pentium 133 a long, long time ago. When I saw it on the App Store, by chance, I couldn't resist buying it and playing it again.

The port is really good, although still incomplete. The primary three episodes are there (L.A. Meltdown, I didn't even remember the name!) and the feeling is just the same. I noticed some graphical detriments that I wouldn't call minor: mirror effects, for example, were among the things that made Duke 3D so cool back in the 90's. Playability on the iPhone isn't so good either, in my opinion. The user is given two choices: digital and analog controls.


Digital controls, shown in the next screenshot, are the easiest to get accustomed to. By sliding your finger over four buttons you can control Duke's movements just as if you were using a joystick. While playing you still need to use additional buttons (such as jump or use): these buttons are located in the uppermost right corner of the screen and they're small enough that you confuse them with one another.

The analog controls, at first impression, seem more intuitive because the user is given two separate joysticks:


Nonetheless, I found these controls pretty hard to manage and quickly switched to using the digital ones exclusively.

If you're feeling some kind of longing for such an old game, Duke Nukem 3D can be purchased right now on the App Store at just 0.79 Eur. Much less than an espresso, here in Spain.