Nov 29
London calling
icon1 Niklas | icon2 Tags: . | icon4 11 29th, 2007| icon31 Comment »

Looks like QCon London this March has been announced. Quite a few of the tracks look similar to the much hyped QCon San Fransisco a few weeks back.

Since almost the entire company is going to the conference, I hoping for the best possible content. From the track summaries, you’ll be likely to find me in the tracks covering Architectures You’ve Always Wondered About, The Cloud as the New Middleware Platform (finally getting to see one of my favorites, Gregory Hohpe) and SOA, REST and the Web (will be interesting to see if Stefan can top the SF line-up).

So far, the list of speakers is quite short, but I guess most of the usual suspects will be coming.

Expect me to blog as much as I can from the conference. See you there!

Nov 28
Easier certificates for MQ
icon1 Niklas | icon2 Tags: , . | icon4 11 28th, 2007| icon31 Comment »

Update: I’ve posted a follow up to this post with an important addition to the script to create your CA certificate.

The last couple of days I’ve been hard at work with setting up SSL for WebSphere MQ for a customer. A major part of that is creating certificates. WMQ uses the IBM security toolkit, GSKit. My previous experience with GSKit is not the best, I’ve found that it works inconsistently between versions and platforms and contains frequent bugs. Working with this time, the inconsistencies seems to still be there, but at least many of the bugs are now gone. One of the problems is that some GSKits doesn’t work with keys/certificates created with the Java keytool which has previously been my weapon of choice (with the Keystore Explorer GUI).

Finally giving up on keytool, I retreated to using the GSKit command line tool, gsk7cmd. Working with gsk7cmd is not the most pleasant experience (almost as bad as OpenSSL). Therefore, I’ve created a set of Linux shell scripts targeted for a streamlined flow for creating certs for WMQ. They are made available under the ASL 2 license. This is how they work.

Create a directory on some server where you like to create your keys. Copy the scripts to your directory. Edit the scripts to update some generic configuration, currently the DN used and the expiration time for the certificates.

Now start out by running create-ca.sh:

./create-ca.sh mySecretPassword

Make sure you choose a strong password. The command will create a CMS key store containing your CA root certificate. Save it somewhere safe.

Then, for each queue manager (or client), run:

./create-key.sh MyQueueManager mySecretPassword
or
./create-key.sh MyClientApplication mySecretPassword

This will create a directory containing a key created for your queue manager. Its certificate will be signed by the CA root key previously created.

If, for some reason you can not create the keys this way, try creating them on the target platform. For example, I failed to get any externally created keys working on iSeries, instead I had to use the DCM tool on the iSeries box. In this case, create the key and export a certificate request (I’ll write down the details for doing this on iSeries if anyone is interested). Save the certificate request in your keys directory created at the begining of this howto. Name it <queue manager name in lower case>.p10. Run:

./sign-key.sh MyQueueManager mySecretPassword

It will create a certificate response in the file called <queue manager name in lower case>.p7r. Import this together with ca_cert.crt on your target platform.

If your client happens to be a Java client, you need the key store in JKS format. To convert it, run the following command:

./convert-to-java.sh MyQueueManager mySecretPassword

Note that the signing steps does make a huge assumption. A CA must use a unique serial number for each certificate it signs. I didn’t want the overhead of keeping track of this. Instead I use a random number for the serial number. This means that if you sign lots of certs with your CA, you might very well get collisions. If you got that many certs, you probably need a better tool :-)

These scripts uses some ideas from the scripts published by Dale Lane. Thanks! If you want to port these scripts to some other platform, I will happily accept them into SVN. Same goes for bugs and improvements of course.

Technorati Tags: , , , ,

Nov 27
Lousy password policy
icon1 Niklas | icon2 Tags: . | icon4 11 27th, 2007| icon3No Comments »

Today I received an account for checking my account status for a credit card. On first login I had to change to generated password they sent me to something of my own choice. However, their password policy seems a bit awkward to me. Translated from Swedish:

The new password must consist of at least 6 characters (a-z and 0-9) and may not have more than two of the same characters in a row. The password must contain at least one digit, but no more than three digits in a row. It must be no longer than 44 characters.

Having these onerous rules leads to two things, both reducing security:

  • None of my usual passwords match the rules (usually due to containing characters not oncluded in a-z and 0-9. That means I have to write down this password to have a chance of remembering it. In my case that means PasswordSafe, but for most people I suspecting it might mean a sticky note, and probably not in their wallet.

  • The rules actually reduce the number of possible passwords, leading to easier brute force attacks.

I don’t really understand the motivation behind them. If they has at least inhibited the common passwords people use, but no.

Nov 27
You learn something new every day
icon1 Niklas | icon2 Tags: . | icon4 11 27th, 2007| icon3No Comments »

Looks like IBM added automatic purging of expired messages on distributed platforms in WebSphere MQ 6.0. The documentation seems to fail mentioning this change so I had no clue. This is a great addition as for queues with frequent PUTs and rare GETs (e.g. with a slow or downed receiver), expired messages might build up fast.

The details of how and when the queue manager does the purging is not mentioned, only that you’re not guaranteed that it it will purge as fast as you want (which makes sense). Also ,the REFRESH QMGR TYPE(EXPIRY) command available on z/OS is not supported. It would explicitly purge messages on the named (including wild cards) queues. I hope they will get around to doing that as it will be a lot easier then doing GETs on all queues with possible expired messages when you really need to know that messages are purged..

Nov 22
Liberación
icon1 Niklas | icon2 Tags: . | icon4 11 22nd, 2007| icon3No Comments »

“SOA projects tend to attract two things: Taj Mahal architects and parasitic vendors. (My words, not Jim’s.) The combined efforts of these two groups results in monumentally expensive edifices that don’t deliver value. Worse still, these efforts consume work and attention that could go to building services aligned with the real business processes, not some idealized vision of what the processes ought to be”

Jim Webber interpreted by Michael Nygard. Couldn’t have said it better myself (no really, I couldn’t). I just reviewed a customer document that in so many ways reflect on this very reality. So much that it’s saddening.

Now, I might not agree with the implementation choices made by Jim (that would be SOAP all over) but I find that his Guerrilla SOA in many ways fit with my current thinking around how to approach integration. Go watch his presentation from QCon and Øredev. Everything up to slide 18 is bang on target.

Btw, make sure you read Michaels book, Release It! It should be taught in schools.

Technorati Tags: