All entries for December 2005

December 14, 2005

Creating a Java KeyStore (JKS) with an existing key

We are using a lot more SSL than we used to in e-lab because of the new super powerful and secure Single Sign On system. This means we need to programmatically access SSL keys and certificates with Java. If you just want to create a new key and use it in Java, you just create a Java KeyStore with the keytool program. However, if you want to use the key and certificate that you already have, things are a little trickier.

I came up with this little unix shell script which should make life easier:

#!/bin/sh
# usage: importscript.sh <hostname> <password>
host=$1
storepass=$2
echo "Creating keystore for ${host}"
certFile=${host}.crt
keyFile=${host}.key
echo "Creating pkcs12 file from $certFile and $keyFile"
# bundle the existing key and certificate into a PKCS#12 file (the line continuation was missing)
openssl pkcs12 -export -in "$certFile" -inkey "$keyFile" -out "${host}.pkcs12" \
    -name "${host}" -passout "pass:$storepass"
# same password is used for the PKCS#12 file and the resulting JKS
java -classpath . KeystoreKeyImporter "${host}.pkcs12" "$storepass" "${host}.keystore" "$storepass"
Basically you run:
importscript.sh myhostname.com mypass

It will look for an existing myhostname.com.key and myhostname.com.crt and turn them into myhostname.com.pkcs12 which is then imported into myhostname.com.keystore with the KeystoreKeyImporter java program.

import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Enumeration;

public class KeystoreKeyImporter {

    public static void main(String[] args) throws Exception {

        if (args.length < 4) {
            System.out.println("Usage: KeystoreKeyImporter <inputpkcs12.file> <inputpkcs12.pass>"
                + " <outputkeystore.file> <outputkeystore.pass>");
            return;
        }

        String pkcs12Location = args[0];
        String pkcs12Password = args[1];

        String keystoreLocation = args[2];
        String keystorePassword = args[3];

        // The PKCS#12 file is produced by the shell script above, i.e.
        // openssl pkcs12 -export -in test.crt -inkey test.key.nopass
        //    -out test.pkcs12 -name test

        KeyStore kspkcs12 = KeyStore.getInstance("PKCS12");

        String alias = null;

        FileInputStream fis = new FileInputStream(pkcs12Location);
        kspkcs12.load(fis, pkcs12Password.toCharArray());
        fis.close();
        if (kspkcs12.aliases().hasMoreElements()) {
            System.out.println("Has keys!");
            Enumeration<String> aliases = kspkcs12.aliases();
            while (aliases.hasMoreElements()) {
                alias = aliases.nextElement();
                System.out.println("Alias:" + alias);
                Key key = kspkcs12.getKey(alias, pkcs12Password.toCharArray());
                if (key == null) {
                    System.out.println("No key found for alias: " + alias);
                    System.exit(1); // non-zero so the calling script can tell it failed
                }

                System.out.println("Key:" + key.getFormat());
                Certificate cert = kspkcs12.getCertificate(alias);
                if (cert == null) {
                    System.out.println("No certificate found for alias: " + alias);
                    System.exit(1);
                }
                System.out.println("Cert:" + cert.getType());
            }
        } else {
            // nothing to import: stop here rather than carry on with a null alias
            System.out.println("No keys!");
            System.exit(1);
        }

        // Copy the (last) alias found above into a fresh JKS. The key entry is
        // protected with the keystore password, as the shell script assumes.
        KeyStore ksjks = KeyStore.getInstance("JKS");
        ksjks.load(null, keystorePassword.toCharArray());
        Certificate[] c = kspkcs12.getCertificateChain(alias);
        Key key = kspkcs12.getKey(alias, pkcs12Password.toCharArray());

        ksjks.setKeyEntry(alias, key, keystorePassword.toCharArray(), c);
        FileOutputStream fos = new FileOutputStream(keystoreLocation);
        ksjks.store(fos, keystorePassword.toCharArray());
        fos.close();

        System.out.println("Created " + keystoreLocation);

    }

}

You now have a nice JKS with your key and certificate in it.
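Once the JKS exists it is worth checking that the entry in it is actually usable before pointing a server at it. The following checker is an added example, not part of the original post: it loads the keystore, confirms each key entry has a certificate chain that is currently valid, and proves the private key belongs to the certificate with a sign/verify round trip. It assumes the keystore and key passwords are the same, as the script above makes them.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;

public class KeystoreCheck {

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.out.println("Usage: KeystoreCheck <keystore.file> <keystore.pass>");
            return;
        }
        char[] pass = args[1].toCharArray(); // assumed: key password == keystore password
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, pass);
        }
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                System.out.println(alias + ": trusted certificate only, skipping");
                continue;
            }
            PrivateKey priv = (PrivateKey) ks.getKey(alias, pass);
            Certificate[] chain = ks.getCertificateChain(alias);
            X509Certificate leaf = (X509Certificate) chain[0];
            System.out.println(alias + ": subject " + leaf.getSubjectX500Principal());
            // an imported-but-expired certificate is no use to the server; fail loudly
            leaf.checkValidity(new Date());
            // pick a signature algorithm matching the key type (RSA, DSA or EC)
            String sigAlg = "EC".equals(priv.getAlgorithm())
                ? "SHA256withECDSA" : "SHA256with" + priv.getAlgorithm();
            byte[] data = "keystore self-test".getBytes("UTF-8");
            Signature s = Signature.getInstance(sigAlg);
            s.initSign(priv);
            s.update(data);
            byte[] sig = s.sign();
            // verifying with the certificate's public key proves the pair matches
            s.initVerify(leaf.getPublicKey());
            s.update(data);
            if (!s.verify(sig)) {
                throw new IllegalStateException("private key does not match certificate for " + alias);
            }
            System.out.println(alias + ": key/cert pair OK, chain length " + chain.length);
        }
    }
}
```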


Monkeehub

Writing about web page http://www.monkeehub.com/

Having just watched for the first time the brilliant JCB Song video, I went in search of its creators.

Monkeehub is a one man band animator/artist who has created the JCB Song video, but I think even more impressive is the Radiohead Creep video he has made…absolutely bloody marvelous!

What makes this even more fun is the fact that the maniac made this stuff with Flash…wonderful.


December 13, 2005

Guitar progress

Follow-up to Guitar progress from Kieran's blog

I've had my guitar for 5 weeks now. Am I any good? Nahh.

My finger tips have got a hell of a lot tougher now so I can actually practice for more than 5 minutes without being in agony. They are not made of stone yet though as I tried to do a slide on the 1st string (basically a razor thin piece of wire) and Jesus did it hurt…not trying that again for a while!

I can now do (some well, some badly):

  • Most chords…but changing between them is slow
  • Simple melodies
  • Scales
  • Double stops
  • Barre chords that sound absolutely awful!
  • Hammer-ons
  • Pull-offs
  • Slides

Now, this doesn't actually mean I can play anything yet, or at least not quickly…but I'm at least getting a bit more understanding of what can be done. It's amazing how some stuff that you used to swear in a fit of frustrated rage is "impossible" is actually not that hard with a bit of practice :)


December 09, 2005

Serializing java objects to Oracle

We recently had a requirement to use our new Shibboleth-based Single Sign On system with a cluster of JBoss servers running an essentially stateless application.

The way that our new SSO works is through the SAML POST profile, meaning that an authentication assertion is posted by the user to the Shire service. The Shire service then does an Attribute Request back to SSO, puts the results into a user cache in memory and generates a cookie which links to the user in the cache.

The problem is that the request might then go back to another member of the cluster which does not share the cache so it won't know about the user represented by the cookie. The obvious solution is some kind of clustered cache.

We've not needed to use any clustered cache technology before so passed on the likes of Coherence (insane pricing) and other open source caches such as memcached. It is best not to introduce new technologies that you can't support unless you have to.

I ended up building a simple two level cache that put the data both in memory and in the database. If, when a request came in, there was nothing in the memory cache, it checked the database and populated the memory cache. I wouldn't want to go to the database every time as this is a very busy application that could do without the additional overhead.

Now, the code.

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.sql.Types;
import java.util.Date;
import org.springframework.jdbc.core.SqlParameter;
import org.springframework.jdbc.core.support.SqlLobValue;
import org.springframework.jdbc.object.SqlUpdate;
import org.springframework.jdbc.support.lob.DefaultLobHandler;
import org.springframework.jdbc.support.lob.LobHandler;

// Lives in a Spring DAO (getDataSource() comes from JdbcDaoSupport); value must be Serializable.
public void storeInDatabase(Object key, Object value) {
    // serialize the cache value into a byte array
    ByteArrayOutputStream baos = new ByteArrayOutputStream();
    try {
        ObjectOutputStream oos = new ObjectOutputStream(baos);
        oos.writeObject(value);
        oos.close(); // flushes so baos holds the complete object
    } catch (IOException e) {
        throw new RuntimeException("Could not write object to stream", e);
    }

    SqlUpdate su = new SqlUpdate(getDataSource(), "INSERT INTO objectcache " + "(key, objectdata, createddate) "
        + "VALUES (?, ?, ?)");
    su.declareParameter(new SqlParameter("key", Types.VARCHAR));
    su.declareParameter(new SqlParameter("objectdata", Types.BLOB));
    su.declareParameter(new SqlParameter("createddate", Types.DATE));
    su.compile();

    Object[] parameterValues = new Object[3];
    parameterValues[0] = key.toString();

    // Spring's LobHandler takes care of the driver-specific BLOB handling
    LobHandler lobHandler = new DefaultLobHandler();
    parameterValues[1] = new SqlLobValue(baos.toByteArray(), lobHandler);

    parameterValues[2] = new java.sql.Date(new Date().getTime());

    su.update(parameterValues);
}
Not knowing how big these objects were going to be, I figured it would be best to put this in a blob, but that has its own joys, especially with plain old JDBC. I used Spring's very handy JDBC helpers to make my life easier. If you want to get the object back out:
// inside the ResultSet callback for the SELECT, where column 1 is the objectdata BLOB
ObjectInputStream ois = new ObjectInputStream(new DefaultLobHandler().getBlobAsBinaryStream(resultSet, 1));
UserCacheItem dbItem = (UserCacheItem) ois.readObject();
ois.close();
return dbItem;
Basically just select back the object and use the ObjectInputStream to de-serialize the object back into existence. Simple.
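The read side of the two level cache described above, as an added example rather than the post's own code: memory is tried first, Oracle only on a miss, and the row that comes back is deserialized with a filter that only admits the class the cache actually stores. It assumes a package-less Serializable UserCacheItem whose fields are plain java.lang and java.util types, a Spring JdbcTemplate, and Java 9 or later for ObjectInputFilter.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.util.concurrent.ConcurrentHashMap;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.jdbc.core.ResultSetExtractor;
import org.springframework.jdbc.support.lob.DefaultLobHandler;
import org.springframework.jdbc.support.lob.LobHandler;

public class TwoLevelUserCache {

    // Only the cache item class and the JDK types inside it may come back out of a BLOB;
    // "!*" rejects everything else and maxdepth bounds nested graphs (assumed field types).
    private static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
        "maxdepth=10;UserCacheItem;java.lang.*;java.util.*;!*");

    private final ConcurrentHashMap<String, UserCacheItem> memory = new ConcurrentHashMap<>();
    private final JdbcTemplate jdbc;
    private final LobHandler lobHandler = new DefaultLobHandler();

    public TwoLevelUserCache(JdbcTemplate jdbc) {
        this.jdbc = jdbc;
    }

    public UserCacheItem get(String key) {
        UserCacheItem item = memory.get(key);
        if (item != null) {
            return item; // first level hit, no database round trip
        }
        // miss: another cluster member may have written the row, so ask Oracle
        byte[] blob = jdbc.query("SELECT objectdata FROM objectcache WHERE key = ?",
            (ResultSetExtractor<byte[]>) rs -> rs.next() ? lobHandler.getBlobAsBytes(rs, 1) : null,
            key);
        if (blob == null) {
            return null;
        }
        item = deserialize(blob);
        memory.putIfAbsent(key, item); // populate the memory tier for the next request
        return item;
    }

    static UserCacheItem deserialize(byte[] bytes) {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(FILTER);
            return (UserCacheItem) ois.readObject();
        } catch (IOException | ClassNotFoundException e) {
            throw new RuntimeException("Could not read cached object", e);
        }
    }
}
```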

December 08, 2005

Is 99.999% uptime only for Wal-Mart?

Writing about web page http://37signals.com/svn/archives2/dont_scale_99999_uptime_is_for_walmart.php

I've linked to an article on 37 Signals blog that talks about uptime for web applications. They state that you only need to worry about 99.999% uptime once you're doing big business.


Wright correctly states that those final last percent are incredibly expensive. To go from 98% to 99% can cost thousands of dollars. To go from 99% to 99.9% tens of thousands more. Now contrast that with the value. What kind of service are you providing? Does the world end if you’re down for 30 minutes?

If you’re Wal-Mart and your credit card processing pipeline stops for 30 minutes during prime time, yes, the world does end. Someone might very well be fired. The business loses millions of dollars. Wal-Mart gets in the news and loses millions more on the goodwill account.

Now what if Delicious, Feedster, or Technorati goes down for 30 minutes? How big is the inconvenience of not being able to get to your tagged bookmarks or do yet another ego-search with Feedster or Technorati for 30 minutes? Not that high. The world does not come to an end. Nobody gets fired.

Having a quick look at our wonderful IPCheck software, these are our values for the last 3 months.

  • BlogBuilder: 99.70% (5h40m downtime)
  • SiteBuilder: 99.93% (24m downtime)
  • Forums: 98.97% (27h downtime)
  • Single Sign On: 99.89% (1h43m downtime)

Whose fault those 0.30%, 0.07%, 1.03% and 0.11% are doesn't matter: sometimes things are just slow rather than down, sometimes things just break, sometimes it's the network, sometimes it's human error during a redeploy. All our users see is that it is down for some small period of time. In many cases the system is not actually down, it is just that a single request from the monitoring server failed…but to be fair, if that happens, the chances are that occasionally it will happen to a user without the monitor noticing either.

This is just a small selection (but of the most commonly used systems we monitor), but you can see that we have good uptime. Would it matter if we were a couple of percentage points lower? As always…it depends.

If Single Sign On was down for an hour on a single Monday morning and that was the only downtime that month, it'd look like a fantastic month of 99.9% uptime. Unfortunately many systems rely on SSO and you would in some way at least degrade if not bring down completely all those other systems, adding up to a very nasty bit of downtime.

The 37 Signals article is correct that you do have to spend quite a bit of money to get that extra percentage point, but in the environment we work in where so many people come to rely on our services, it is important.

If however you need the occasional planned downtime and you can let everyone know, that is fine as people can make other plans, so pure uptime is not always important, it is keeping the unplanned downtimes to a minimum that counts.


December 07, 2005

Google: Ten Golden Rules

Writing about web page http://www.msnbc.msn.com/id/10296177/site/newsweek/

Google's ten golden rules are an interesting read to get a feel for what makes Google tick. My favourite:

Encourage creativity. Google engineers can spend up to 20 percent of their time on a project of their choice. There is, of course, an approval process and some oversight, but basically we want to allow creative people to be creative. One of our not-so-secret weapons is our ideas mailing list: a companywide suggestion box where people can post ideas ranging from parking procedures to the next killer app. The software allows for everyone to comment on and rate ideas, permitting the best ideas to percolate to the top.

Christmas lights

Writing about web page http://www.StupidVideos.com/?VideoID=1344

In light (ba boom) of the fact that we put up our Christmas decorations this weekend, here is an amazing video sequence of some Christmas lights by a mad American.

This has been going around for a while now but you might not have seen it…enjoy.

Some people have claimed it is fake somehow, but the ever reliable Snopes says it is real.

PS. Make sure you watch it with sound, it is pointless without the music

