DD-WRT and StrongVPN

In February of 2011 I was assigned by the Department of State to serve at the U.S. Embassy in Rome Italy. Transitioning from the US to Italy was a big step for me and my family. I learned quickly that moving to a city abroad is very different from visiting a city. Everything, even brands to which one is accustomed, seems just a little bit different. And, while Rome is certainly a beautiful and historic city it wasn’t long before we yearned for familiar items from home. My hope had been that once we had our internet service installed that at least we would be able to easily access websites (banking, entertainment, etc.) with which we were familiar.
This, however, wasn’t the case. Many of the sites we wished to access were denied to us because our IP address was identified as being located outside of the US. This was a disappointment when we tried to access websites like Netflix or Hulu and truly frustrating when trying to access financial sites which house our bank and retirement accounts.
The solution was to make use of a VPN service. We chose StrongVPN’s PPTP service. PPTP stands for point to point tunneling protocol. Essentially this service allows us to connect and send all of our incoming and outgoing traffic via StrongVPN’s servers which are located in the US. For all practical purposes even though we are physically located and connected to the Internet in Europe we appear on the Internet “AS-IF” we were directly connected to the internet at a physical location in New York.
The tunnel service worked great and we were soon able to connect to the US based websites and services we desired. We were banking again! Surprisingly, even sites that streamed video worked well. We had low hopes for sites that streamed lots of video and graphical content especially sites that hosted games enjoyed by our children. We anticipated latency with these sites but experienced very little trouble.
So while we were a one computer family all was well. Then, our things arrived from the US. We now had several laptops and gaming consoles all of which were much more useful and capable when identified as being connected directly to the Internet in the US. On most of these devices it wasn’t practical (the PCs) to use the same StrongVPN account. One would have to drop off of the VPN service/tunnel on one PC so that another PC could connect. On some of our devices (game consoles) it didn’t appear as if they could be configured to use the PPTP protocol/service.
Fortunately, one of the devices that arrived from the US was our Cisco/Linksys wireless router. The idea was simple… connect the router to our local ISP and configure it to connect to StrongVPN’s service. In turn connect all of our local devices to the router.
Household Devices <-> Cisco/Linksys Router <-> ISP (PPTP) <-> StrongVPN's Servers
(Even without the use of StrongVPN’s PPTP service this was desired as the power output of the Wi-Fi router supplied by the local ISP wasn’t powerful enough to cover the entirety of our apartment.)
This plan quickly came to a halt as the Cisco/Linksys router (model WRT320N) could not be configured to use the PPTP protocol. Also, the router didn't seem to be able to bridge the devices I connected to it onto the network required and pre-configured by the modem/router provided by the ISP. I could connect devices to the router, of course, but was unable to route traffic from the private IP address block of the router across the SAME private IP address block enforced by the ISP's modem/router. StrongVPN's support site pointed to a solution.
The solution offered was to upgrade the firmware on my router to a firmware package other than that preinstalled on the router by the manufacturer!
At first thought I was wary of this solution. I was concerned that I would be unable to restore the unit to factory condition if the non-OEM software didn't work as expected. Or, even worse, that I would damage the router hardware and be stuck with a dead piece of electronics.
Before going this route I decided to check the manufacturer’s website and upgrade the firmware to their latest release in the hope that the latest version of the firmware ( in this case) would have included in it a feature set that would allow me to configure my network to take advantage of the PPTP protocol and StrongVPN’s service. The router upgrade to the latest OEM firmware went fine but the feature set of the software was pretty much the same as the software that came preinstalled on the router. So, I decided to take a calculated risk and install the non-OEM software.
The non-OEM software was DD-WRT, found at http://www.dd-wrt.com. DD-WRT is a Linux based open source firmware package that was written to run on a number of different router hardware devices. The package seems mature and seems to provide a great deal of functionality. I downloaded the most recent copy of the software from ftp://ftp.dd-wrt.com/ and loaded the image for my particular model router into my router device. A few minutes and a reboot of the router later, I had a brand new and much more capable software package along with a new user interface on my old router.
From the main setup screen I was able to set up PPTP as the main WAN connection and enter all the information needed to successfully connect to StrongVPN's servers in New York. All of my household devices were able to connect to the router using its new software without a hitch. Now, by way of this router, all of my devices are using StrongVPN's service at the same time without any extra configuration.
StrongVPN's website offered good documentation on getting a DD-WRT router working with their service. There was also good general documentation on the DD-WRT software at dd-wrt.com. The hour or two it took to get this solution working has been well worth it. And, having access to our favorite US based websites helps to make Rome seem a little bit more like home.
In conclusion, if you are living and working as an expatriate and need access to otherwise blocked US based websites and services, give the StrongVPN (along with the DD-WRT router software) solution some serious consideration.


"Glassfish Security" by Masoud Kalali

"GlassFish Security" by Masoud Kalali lives up to the motto printed on its cover -- “Community Experience Distilled.”

The book is efficient, has a clean layout and contains a logical progression of current Java EE and GlassFish-specific security topics. Mercifully, the author avoids the conversational "filler" found in many books which cover IT related topics, which results in heavy tomes where one must hunt for the information that is relevant.

The first chapter is useful in that it quickly defines the terms and describes the concepts that either a developer or administrator will require in understanding how to secure an application that is targeted toward the GlassFish application server. Also, the author made a good choice in using a JDBC realm as his first realm example. Directory services are becoming more popular, but there are many of us who are still developing applications where our authentication schemes will be supported by groups and roles already defined in our company's or customer's existing database systems. That being said, Mr. Kalali furnishes us with a fine chapter on the OpenDS directory server for those of us that would like to get started with an LDAP v3 directory server, which is often used to store this kind of hierarchical user/role information. The book also covers more advanced topics relevant to larger organizations and applications, including Single Sign-On.

The work produced by Mr. Kalali has benefited from the time and attention of the editors at Packt Publishing. "GlassFish Security" is a pleasant physical product. The book is well formatted, well bound and its use of fonts and screen shots is clear and consistent. Formatting that is "easy on the eyes" is, for someone who spends many hours looking at computer screens and reading programming and systems manuals, something that is appreciated in a book of this kind. Packt has done a nice job on this aspect of the product. Excellent layout and formatting appears to be a signature of several recent Packt titles. Keep up the good work, Packt!

Long gone are the days when developers can generate software applications without consideration of the application's security. If you are developing Java EE 6 applications, or are responsible for the administration of applications that reside in the GlassFish application server, "GlassFish Security" should be included in your project reference material.


PostgreSQL 8.4 on Ubuntu 9.10 (Karmic)

Getting PostgreSQL installed on Ubuntu is pretty straightforward, as standard .deb packages for the database already exist in Ubuntu's repository system. However, beyond getting the package installed there are a couple of configuration steps that are required to complete the basic configuration of the PostgreSQL database system.

  1. Install the DB and associated packages
  2. Reset the default postgres db password
  3. Reset the default postgres system password
  4. Backup/Edit the postgresql.conf file
  5. Backup/Edit the pg_hba.conf file
  6. Restart the Db
  7. Create a new db user and new database

Install the DB and associated packages
The database and any prerequisite packages:

aptitude update
aptitude install postgresql postgresql-doc pgadmin3

Reset the default postgres db password
Reset the default password for DATABASE ACCOUNT postgres:

sudo -u postgres psql
postgres=# ALTER USER postgres WITH PASSWORD 'YourNewPasswordForTheDb';
postgres=# \q

Reset the default postgres system password
Reset the default password for SYSTEM ACCOUNT postgres:

sudo passwd -d postgres
sudo su postgres -c passwd
When prompted, enter YourNewPasswordForTheDb as the password for the SYSTEM account postgres.

Backup/Edit the postgresql.conf file
cd /etc/postgresql/8.4/main
sudo cp postgresql.conf postgresql.conf.orig (back up this file -- just in case)
sudo vi postgresql.conf (edit this file)

Find the line that reads:
#listen_addresses = 'localhost'
Change to:
listen_addresses = '*'

Find the line that reads:
#password_encryption = on
Change to:
password_encryption = on

Backup/Edit the pg_hba.conf file
sudo cp pg_hba.conf pg_hba.conf.orig (back up this file -- just in case)
sudo vi pg_hba.conf (edit this file)

Find the line that reads:
local    all    all    ident
Change to:
local   all    all    md5

Confirm that there is a line that reads:
host    all    all    127.0.0.1/32    md5

Confirm that there is a line that reads:
host    all    all    ::1/128        md5

Add the line:
host    all    all    192.168.1.0/24    md5
(192.168.1.0/24 is an example LAN block; adjust the above line if you have a different IP scheme on your LAN)

Restart the Db

sudo /etc/init.d/postgresql-8.4 restart

Create a new db user and new database

sudo -u postgres createuser -D -A -P newdbuser
sudo -u postgres createdb -O newdbuser newdb
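The pg_hba.conf edits in step 5 are the part of this recipe that decides who can reach the database once listen_addresses = '*' has opened the listener on every interface, so they are worth scripting and checking rather than hand-editing. The following is an added example, not part of the original post: it applies the step 5 edits to a file (backup, local ident to md5, one LAN host rule added once) and then checks the result for rules that would be a mistake on a server reachable from the network (the "trust" method, or a 0.0.0.0/0 or ::/0 address). The 192.168.1.0/24 LAN block and the sample pg_hba.conf content are constructed; the sample mirrors the Ubuntu 8.4 defaults the post edits.

```shell
#!/bin/sh
# Added example, not part of the original post: apply the pg_hba.conf edits
# from step 5 above to a file and check the result. Assumptions: the LAN block
# (192.168.1.0/24 here) is a constructed sample, and the sample pg_hba.conf
# below is constructed to mirror the Ubuntu 8.4 defaults the post edits.

# Write a constructed sample pg_hba.conf to the path in $1 (offline stand-in
# for /etc/postgresql/8.4/main/pg_hba.conf).
write_sample_pg_hba() {
    cat > "$1" <<'EOF'
# TYPE  DATABASE    USER        CIDR-ADDRESS          METHOD
local   all         postgres                          ident
local   all         all                               ident
host    all         all         127.0.0.1/32          md5
host    all         all         ::1/128               md5
EOF
}

# Step 5: back up the file, switch "local all all" from ident to md5, and add a
# LAN rule.  $1 = pg_hba.conf path, $2 = LAN block in CIDR form.  Re-running
# the function does not add the LAN rule twice.
apply_pg_hba_edits() {
    f="$1"; lan="$2"
    cp "$f" "$f.orig"
    awk '$1 == "local" && $2 == "all" && $3 == "all" && $4 == "ident" { print $1, $2, $3, "md5"; next }
         { print }' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    grep -q "^host[[:space:]]*all[[:space:]]*all[[:space:]]*$lan[[:space:]]*md5" "$f" \
        || printf 'host    all         all         %-21s md5\n' "$lan" >> "$f"
}

# Check worth running once listen_addresses = '*' is set: return 1 if any rule
# uses the "trust" method or admits the whole internet (0.0.0.0/0 or ::/0).
check_pg_hba() {
    awk 'BEGIN { bad = 0 }
         $1 ~ /^(local|host|hostssl|hostnossl)$/ &&
         ($NF == "trust" || $4 == "0.0.0.0/0" || $4 == "::/0") { bad = 1 }
         END { exit bad }' "$1"
}

# Usage against the real file, after the backup step in the recipe:
#   apply_pg_hba_edits /etc/postgresql/8.4/main/pg_hba.conf 192.168.1.0/24
#   check_pg_hba /etc/postgresql/8.4/main/pg_hba.conf && sudo /etc/init.d/postgresql-8.4 restart
```

The LAN rule is deliberately limited to one address block: with listen_addresses set to '*', a host rule with 0.0.0.0/0 would let any address that can reach port 5432 attempt a password login, and a "trust" rule would let it in with no password at all, so check_pg_hba refuses both before the restart in step 6.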

Glassfish V3 on Ubuntu 9.10 (Karmic)

A quick recipe for installing Glassfish V3 into /opt on Ubuntu (the commands after the first are run from the root shell that sudo -s opens):
$ sudo -s
# aptitude update
# aptitude install sun-java6-jdk wget unzip
# cd /opt
# wget http://download.java.net/glassfish/v3/release/glassfish-v3.zip
# unzip glassfish-v3.zip
# useradd --system glassfish -d /opt/glassfishv3
# chgrp -R admin /opt/glassfishv3
# chown -R glassfish /opt/glassfishv3
# chmod -R +x /opt/glassfishv3/bin/
# chmod -R +x /opt/glassfishv3/glassfish/bin/
# /opt/glassfishv3/bin/asadmin start-domain domain1

There doesn't seem to be an init script included within the distribution zip, so:

  • # vi /etc/init.d/glassfish
  • paste the following into the file:
#! /bin/sh
# Location of the GlassFish V3 install from the recipe above
GLASSFISHHOME=/opt/glassfishv3

case "$1" in
    start)
        ${GLASSFISHHOME}/bin/asadmin start-domain domain1
        ;;
    stop)
        ${GLASSFISHHOME}/bin/asadmin stop-domain domain1
        ;;
    restart)
        ${GLASSFISHHOME}/bin/asadmin stop-domain domain1
        ${GLASSFISHHOME}/bin/asadmin start-domain domain1
        ;;
    *)
        echo $"usage: $0 {start|stop|restart}"
        exit 1
        ;;
esac

  • edit the file to suit and save
  • set permissions and use update-rc.d to ensure it's run at system start/stop:

# chmod a+x /etc/init.d/glassfish
# update-rc.d glassfish defaults
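The chgrp/chown/chmod steps in the recipe above are the ones that decide which accounts can change the server's code and configuration, and a recursive chmod is easy to get wrong. The following is an added example, not part of the original post, that checks an install directory against those steps: the tree is owned by the service account, everything under bin/ and glassfish/bin/ is executable, and nothing in the tree is world-writable. It assumes the install directory and the service account are passed as arguments (the post uses /opt/glassfishv3 and the user glassfish); the owner is read from field 3 of ls -ld, which is the same on GNU and BSD ls.

```shell
#!/bin/sh
# Added example, not from the original post: verify the ownership and
# permission steps of the recipe above against an install directory.
# Assumptions: $1 is the GlassFish install directory (the post uses
# /opt/glassfishv3) and $2 is the service account that should own it (the
# post's "glassfish" user).
check_install_perms() {
    dir="$1"; user="$2"

    # chown -R glassfish ... : the tree must belong to the service account.
    owner=$(ls -ld "$dir" | awk '{ print $3 }')
    [ "$owner" = "$user" ] || { echo "$dir is owned by $owner, expected $user"; return 1; }

    # chmod -R +x .../bin and .../glassfish/bin : asadmin and friends must run.
    for f in "$dir"/bin/* "$dir"/glassfish/bin/*; do
        [ -e "$f" ] || continue          # unmatched glob: the directory is empty
        [ -x "$f" ] || { echo "not executable: $f"; return 1; }
    done

    # A recursive chmod is easy to get wrong (a+w instead of +x). Anything
    # world-writable under the server root lets any local user alter the
    # server's code or config, so fail on the first such entry.
    ww=$(find "$dir" -perm -002 -print | head -n 1)
    [ -z "$ww" ] || { echo "world-writable: $ww"; return 1; }

    return 0
}

# Usage, with the paths and account from the recipe above:
#   check_install_perms /opt/glassfishv3 glassfish
```

Run it after the chmod lines and again after any later upgrade that unpacks a new zip over the tree, since a fresh unzip re-creates files with whatever ownership and mode the archive and umask give them.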


"Glassfish Administration" by Xuekun Kou

"Glassfish Administration" by Xuekun Kou is accurate, concise and useful.

Computer manuals comprise an odd segment of the publishing industry. I suppose that this is because the books published in this segment generally have both a narrowly defined audience and scope and a short window of usefulness, driven by the speed of evolution of the products they seek to address. This, sadly, seems to result in books of this kind falling into two general categories: sparse works that cover little more than what the end user could have found in the product's install documentation or its included "readme" files, and at the other extreme heavy tomes of dense material that make it difficult for the product end user to zero in on the essential information they require to address their immediate administration needs.

So, when I was invited to review "GlassFish Administration" from Packt I was predisposed to believe that Mr. Kou's book would suffer from the same flaws as so many other system administration books: too short to be of use to anyone but those who are brand new to the product, or of use only to someone interested in becoming an expert in all nuances of the product. "Glassfish Administration" deviates from this pattern. I was pleased to find that Mr. Kou had written a well balanced handbook for Glassfish that addressed much of what is essential for making good use of what I consider to be an excellent product.

The book may also serve as a "bridge" manual for Glassfish development and production teams. This is to say that the book could be a useful tool to quickly get both your development teams and production teams to understand the platform and its capabilities from the same perspective with a minimum of fuss, regardless of where your project is in its development cycle. Many of us that use Glassfish are first exposed to the product as it is bundled with an IDE, typically NetBeans. What we find in Glassfish is a platform that, along with its associated development tools, is an excellent development platform that is pre-configured for a workstation environment in order to meet the needs of the developer. This is certainly a plus for the developer trying to get their code running, but less than optimal for the administrator who will be responsible for the day to day "care and feeding" of the application as it's deployed in the server stack.

For example, Kou's discussion of the alternate releases (pure open source release vs. the commercially supported release) of the application server, along with illustrations of their different abilities and behaviors in a production environment, and chapters like "Configuring Clusters and High Availability" are useful for the developer and administrator alike. If you are a project lead for a Glassfish application this material should be considered a prerequisite for all team members as your project enters its systems planning and pre-production phases. Misunderstandings and mis-communications at these stages have the potential to drive expensive re-design changes back to the developer. Use of Mr. Kou's book as "team support materials" or "bridge materials" at these stages may help mitigate this kind of risk.

"Glassfish Administration" also presents a pleasant physical product. The book is well formatted, topics flow logically and its use of fonts and screen shots is clear and consistent. Formatting that is "easy on the eyes" is, for someone who spends many hours looking at computer screens and reading programming and systems manuals, something that is appreciated in a book of this kind. Packt has done a nice job on this aspect of the product.

If you are looking for a well written and balanced handbook in support of your Glassfish installation or application development project, Xuekun Kou's "Glassfish Administration" needs to be on your short list of titles to consider.


Unique or Null: MS-Sql Trick

MS-SqlServer, by default, doesn't appear to handle the "UNIQUE" constraint in the fashion prescribed by ANSI. The ANSI approach to "UNIQUE" allows multiple NULL values while enforcing that non-NULL values are unique. MS-SqlServer's implementation of the "UNIQUE" constraint does enforce that non-NULL values are unique, but it also allows only one NULL entry in the constrained column.

There are scenarios where it is useful for a column (or pair of columns) to be allowed to be either "NULL" or "UNIQUE." For instance, my organization had experienced a scenario where we were required to collect GPS information with each work activity performed for a customer in the field. On several occasions the employees collecting the work could not get a GPS fix. This did not happen often, but it did happen often enough that MS's implementation of the "UNIQUE" constraint, and its approach to "NULL" values, became an issue.

We were able to work around the MS constraint approach with the use of a calculated column. Essentially, the calculated column assists in enforcing the "UNIQUE" constraint by examining two columns that we wish to be unique or null.

create table multipleNullOK(
     --id is the row key the calculated column refers to (not shown in the original listing)
     id int identity(1,1) primary key,
     longitude int,
     latitude int,
     --gpsLatAndLongCalcCol is my calculated field: the row's own id when both
     --GPS values are NULL (so every all-NULL row is distinct), 0 otherwise
     gpsLatAndLongCalcCol as (
          CASE
               WHEN longitude IS NULL AND latitude IS NULL THEN id
               ELSE 0
          END
     ),
     --The UNIQUE constraint now incorporates the calculated column
     CONSTRAINT UNQ_GPS_LatAndLong_NULL_OK UNIQUE (longitude, latitude, gpsLatAndLongCalcCol)
)


--Examine the empty table

select * from multipleNullOK

--Test the constraint
insert into multipleNullOK (longitude, latitude) values (1, 1) --OK
insert into multipleNullOK (longitude, latitude) values (1, 1) --Fail
insert into multipleNullOK (longitude, latitude) values (1, 2) --OK
insert into multipleNullOK (longitude, latitude) values (null, null) --OK
insert into multipleNullOK (longitude, latitude) values (null, null) --OK

insert into multipleNullOK (longitude, latitude) values (null, null) --OK

insert into multipleNullOK (longitude, latitude) values (1, 1) --Fail
insert into multipleNullOK (longitude, latitude) values (1, 2) --Fail

insert into multipleNullOK (longitude, latitude) values (null, null) --OK

--Examine the table

select * from multipleNullOK

If you have run into this issue with MS-SqlServer this approach may be useful to you as well!


Great Copy Utility

Today I gave TeraCopy from Code Sector Inc. a try.

I found this utility while looking for a solution to an issue with reliably copying large files over my local area network from a Vista SP1 PC to a Windows 2008 server. In short Vista would hang when copying files over a few Gigs in size.

TeraCopy did the trick! TeraCopy is a drop-in replacement for the copy functionality provided by Vista. Not only does this utility perform well, its progress indicators are also superior to those provided in Vista.

If you need to move a lot of large files this utility is a 'must consider' product.