Blog of Guy Crets

Cloudscape - the cloud overview

2012-01-02T20:05:00.001+01:00

Reference was made to a great overview of cloud providers during the latest CloudComputingShow podcast. Great picture!

Best wishes for 2012!

2012-01-02T18:02:00.000+01:00

PAAS: platform for ESB or IAAS?

2011-11-24T17:49:00.000+01:00

Often I ask myself: would it possible to build and/or deploy an integration solution such as an ESB on a PAAS platform, so create your Integration-As-A-Service solution from the binaries?

Obviously the first point would be to start from the right PAAS provider that offers enough freedom (e.g. regarding protocol such as SFTP), does not put too much constraints threading and usable libraries.

Optionally the PAAS providers also come with a decent, built-in queuing solution. Learned e.g. during the Spring University talk at Devoxx 2011 about support of CloudFoundry for RabbitMQ.

But while looking for a decent comparision of PAAS providers, didn't get further than this comparison and the DeveloperWorks article.

PS: Integration As A Service of IAAS is not yet known on Wikipedia!

Google authenticator

2011-11-18T17:14:00.003+01:00

Google is bringing two-factor authentication to the masses: the Google Authenticator project. This is an open source implementation of pluggable authentication modules (PAM) and one time password generators for mobile devices.

One time password (OTP) are often small dongles. RSA, Vasco and Yubico are well known vendor of this hardware (with RSA getting hacked recently).

Google itself has two-step authentication already for a while. The two-step authentication uses an SMS of voice call to send an 6 digit code. For a while now, Google is using the one time password generators on mobile devices itself (although I can't get it working for my own Google account).

Also other are adopting it, e.g. Lastpass is also supporting Google authenticator. To be clear, Google is not used for the actual authentication, only the (open source) implementation of Google is used.

OAuth

2011-11-13T22:18:00.006+01:00

Triggered by the upcoming Devoxx conference, I did some reading last weekend. With Fri Nov 11 as a national holiday in Belgium - because of the end of World War I - I had some extra time. Looked a bit into most recent development around HTML 5 and Android development.

Quickly I ended up diving deeper into REST. Must confess that I was very WS-* minded and was not really impressed by REST initially. But with the incompleteness of WS-* and the success of REST, I'm changing my mind.

So I ended up browsing through the book "Restful Java with JAX-RS". This REST stuff triggered me into looking into different REST API's, including the one from Dropbox. And Dropbox security is based on OAuth, which triggered me to dive (back) into OAuth.

Looked for an OAuth book on Safari and Amazon, but none (yet?) avaialble. So I ended up re-reading chapter 9 of the the book "REST in practice". By the way, very good book, I like it. Some great links while looking around:
- The introduction on OAuth
- Good OAuth introduction by Yahoo
- Google Oauth Playground, so see OAuth live in action

While looking into OAuth, I started making the comparison with WS-Security and SAML in particular. With OAuth, no XML signing nor XML canonicalization, the option to use HMAC instead of keypairs and certificates. So simpler, but not simple!

Note: one of my I8C colleagues (Kim) just finished a project on DataPower appliance to implement OAuth support

SPDY protocol

2011-11-11T14:28:00.007+01:00

The new Google SPDY protocol is another attempt to make the web more efficient and reliable. The SPDY protocol introduces an extra layer between HTTP and TCP/IP (actually SSL/TLS) that primarily allows for multiplexing and parallelizing multiple HTTP requests over a single SSL connection.

The SPDY protocol is not some lab exercise but used in production! The Google Chrome browser uses the SPDY protocol (or should we say extension?) to communicate with most Google's applications. SPDY remains mostly a Google thing, with no adoption by other big companies (except for Amazon EC2 it seems).

With SPDY, the Chromium browser needs to establish fewer SSL connections. But more importantly, the Chrome browser can launch many HTTP requests in parallel, no longer restricted by a maximum number of TCP/IP connections.

But this made me think: could this have a positive impact on how service consumers are implemented? Similarly to a browser parallizing the retrieval of web content, (web) service consumers should also try to parallize as much as possible.

The HTTP request/response model that underlies web services should not lock us into a synchronous RPC paradigm wherey a requestor blocks waiting for a response. To fully leverage this potential of parallellism, we must move to non-blocking, AJAX like model programming model.

While reading about SPDY, I encountered 2 links worth looking into:
- Recent blog entry by F5 that is a critical review of the SPDY protocol.
- Article that starts with SPDY but goes much further into wild (?) and interesting ideas to re-engineer the workings of the Internet in a more dramatic.

Blog move: http://integr8consulting.blogspot.com/

2011-04-07T15:44:00.001+02:00

For now onwards, I'll be posting to http://integr8consulting.blogspot.com/.

A new world for integration: SAML and Identity

2010-12-18T14:32:00.008+01:00

SAML was initially a standard for cross-domain SSO. A user who is logged on to the domain *.i8c.be could transparently point his browser to a web application in another domain *.cronos.be without having to authenticate again. His identity (and other attributes) are passed on transparently, behind the scenes. Many mechanisms were defined to exchange the information contained in SAML token (signed XML structures) between an Identity Provider and a Relying Party, including SOAP very early on (the SAML SOAP Binding).

But SAML was taken further. WS-Security SAML Token Profile allows the use of SAML tokens in SOAP messages secured with WS-Security. And WS-Trust and its Secure Token Service standardized the mechanism to obtain or exchange SAML (or other) tokens.

The STS is a standard (web) service to obtain such a SAML token: 1) through standard authentication mechanisms or 2) by exchanging one token for another (SAML to SAML, non-SAML to SAML or SAML to non-SAML).

But transferring SAML tokens between domains means the exchange of information between heterogeneous organizations. The SAML standard does not define how attributes within the SAML tokens should be named nor what their content should exactly look like. Every organziation is free to specify how information is structured in a SAML token:

what information or attributes is contained in the SAML token: name, cost center, department, ...
how the atrributes should are named, e.g. LastName or lname?
how the information in the attributes is represented

Imagine a vendors of office materials (Staples) that wants to offer a SSO experience to the employees of its majore customers. If every customer (large enterprises themselves) use a different SAML token structure, the office material vendor will have a great time translating the information from these different SAML tokens to its own attributes. And what if information is missing in the SAML token, e.g. what is the maximum value that employee may purchase?

Another integration challenge!

Note: Microsoft prefers the use of the term claim

Scary: backdoor in FTP server software

2010-12-03T17:44:00.005+01:00

While reading security.nl, I picked up the news that hackers had put a backdoor in the popular FTP server ProFTPD. A version of the software containing a backdoor was put on the distribution server by some hackers.

How often does one install software from the Internet without any verification. Yes, there are the fingerprints, but who checks them? Even more scary if you were the one installing that software on a customers's server.

And if some hacker ever finds its way into the Windows Update software distribution mechanism, the world will come to a halt (don't smile you Apple users).

Java on Microsoft Azure

2010-11-15T21:06:00.002+01:00

Triggered by my colleague Koen Van Oost and the upcoming Microsoft session at Devoxx, I looked into Java on the Microsoft Azure platform. Watched the talk "Open in the cloud: Windows Azure and Java" of PDC10. I wasn't aware that one could run Tomcat on Azure! Well, seems to be the case already since 2009. But the Eclipse tooling and JDBC connection to the SQL Azure Database are brand new. During the talk, it was also shown how the Fujitsu Interstage application server can run on Azure. Having WebLogic or WebSphere Application Server running on Azure would be very big news! For now, let's see how the ESB and integration capabilities of Azure are usable from Java.

Devoxx 2010

2010-11-12T19:29:00.004+01:00

Next week is Devoxx! Three talks and three speakers that I can really recommend:

Designing Java Systems to Operate at a Cloud Scale by George Reese

Does dev/ops matter for me? by Michael Coté and John Willis

Pragmatic Cloud Computing, or, Dealing with Morlocks, or, Agile Infrastructure by Michael Coté

In particular as I invited the speakers myself for these talks! Just too bad that I can't be there myself, damned.

But many more interesting things: Activiti in Action by Tom Baeyens, Scalable Java Applications on Azure by Microsoft, Comparing JVM Web Frameworks by Matt Raible, Encryption Bootcamp on the JVM, loads of NoSQL stuff, and so many more great talks.

Looking forward to meet you next week @ Devoxx on Monday, Tuesday or Wednesday.

Dell acquires Boomi

2010-11-11T16:18:00.006+01:00

Boomi is a very interesting Integration-As-A-Service player. Integration in the cloud is a new trend that looks very promising. But what is not yet clear is the reason why Dell acquired Boomi. A big cloud player such as Google or Amazon or a big software players such as Microsoft, IBM or SAP have probably more chances. Curious to see what direction Dell will take with Boomi.

XML schema's for verticals

2010-11-11T15:00:00.013+01:00

With XML as the alphabet, many languages are defined through XML schema's. But typical is the way each vertical defines its own language. Latest example that I was pointed at: XML schema's for the oil industry at energistics.org.

But there are very little initiatives to define a common foundation, to define the words (nouncs, verbs) from which each vertical could define variations or specific XML languages. Many XML languages lead to many translations or transformations. Fine for us the integration experts, but overall not very efficient. ebXML Core Components gave the structure to define re-usable XML building blocks that could be used in different contexts and adapted based on region, industry, business process etc. But ebXML CC is used in some of the verticals, but not one a broad scale as is the case with good old EDIFACT.

And as the XML standards in the oil industry proof, the trend of the last 10 years continues, many domain specific XML languages, specific for each vertical.

Cloud Computing Economies of Scale

2010-06-21T19:53:00.001+02:00

Great recorded talk about the hardware and data centre side of cloud computing. This great presentation explains why it (also) makes sense to leverage cloud computing simply to have cost efficient hardware. Got pointed to it while listening to the Cloud Computing Show #31.

Also interesting (via the same podcast): CloudHarmony. The blog in particular contains different benchmark results (memory, IO, network) of a large number of Infrastructure-As-A-Service providers.

New name: Liaison

2010-06-19T18:05:00.006+02:00

Had never heard about Liaison Technologies until I learned they recently acquired ADX. Looked onto their website and they had also acquired Contivo 2 years ago. Contivo is somewhat know for their transformation (mapping) tools.

B2B market

2010-06-15T20:13:00.001+02:00

IBM keeps acquiring other companies:

Lombardi being a BPM solution of which some of my colleagues are quite enthusiatic.
Sterling is more an "old" player in the B2B space with products such as Gentran for B2B communication and ConnectDirect for managed file transfer. But Sterling is also an Integration Service Provider (Garnter) or still call it a Value Added Network? IBM sold its VAN to GXS quite a while ago.
Cast Iron Systems which is a new kid on the block, with a solution specificially targeting cloud integration. Also available as an appliance. And Cast Iron was rumoured to be developing a cloud based integration offering.

Funny to see and "old" (Sterling) and brand "new" player (Cast Iron) being acquired in the same timeframe. Of course I'm curious to see what IBM will do with these acquisitions. Will they die in a corner or be successor of the DataPower success story? And how will they explain and position all these technologies at customers?

Devoxx 2010

2010-06-14T14:55:00.001+02:00

As a member of the Devoxx steering committee, I'm adding my 2 cents to the content of the conference. Devoxx will be cloud(y)!

Already confirmed speakers in the cloud area are Michael Coté, John M Willis and Georges Reese, author of the great book "Cloud Application Architectures", now at EnStratus.

Applications for the Google AppEngine

2010-05-26T09:30:00.000+02:00

Google is creating a market place for applications running on the Google App Engine. See the recordings of the "Google Campfire One".

Note: very good video quality (720p) of the recordings

OODBMS and pre-EJB AppServer

2010-05-14T11:11:00.000+02:00

The market keeps on moving: SAP acquires Sybase etc. But one name attracted my attention: GemStone being acquired by VMWare/SpringSource (next to RabbitMQ, Hyperic, ...).

Time flies: I remember Gemstone as a vendor of OODBMS and application server. On the OODBMS side there were also Versant, ObjectStore (eXelon --> Progress). The list of applicaton servers - just before EJB's took off - is much longer: Netscape Applicaton Server, Forté, Jaguar CTS (Sybase), Tengah (became WebLogic), IBM Component Broker, ATG Dynamo, Novell Silverstream, Novera, ... Had forgotten about most of them. Another such "hidden" company that I recently encountered is Pramati.

Flashmob - Ride your bike in Brussels

2010-05-13T11:48:00.003+02:00

Where to ride your bike? In central station of Brussels! A great flashmob. Really nice!

Background: Nov 11, 11am was the end of the Word War I and a national holiday in Belgium. On that day, 11.11.11 collects money door-2-door in Belgium.

Java: execute program without blocking

2010-04-18T13:34:00.003+02:00

A long while ago that I had done some Java programming... How to run a program from within Java in a decent manner. While looking around for some sample code, most solutions use the Process.waitFor() method to wait for the process to terminate. But that will usually block forever as process writes data to stdout or stderr and nothing reads that output.

One option is to use a separate thread to read stdout/stderr. I opted for an even simpler approach: temporary files:

execCommand = execCommand + " > " + stdoutFile.getFileName();
execCommand = execCommand + " 2> " + stderrFile.getFileName();
// command/program > stdout-temp 2> sterr-temp
Process p = Runtime.getRuntime().exec(execCommand, null, currDir);
int exitValue = 0;
boolean isRunning = true;
int waitSeconds = 30;
while(isRunning && (waitSeconds > 0)) {
try {
exitValue = p.exitValue();
isRunning = false;
} catch(IllegalThreadStateException e) {
// process is still running, wait 1 second
try {
Thread.sleep(1000);
} catch (InterruptedException e1) {
// ignore
}
}
waitSeconds--;
}
if (isRunning) {
p.destroy();
exitValue = 9999;
}
stdoutFile.delete();
stderrFile.delete();

Amazon pub/sub in the cloud

2010-04-17T12:24:00.005+02:00

Amazon keeps extending its cloud offering. They have just added Amazon Simple Notification Service (SNS). SNS is a publish/subscribe mechanism.

Integration-As-A-Service
As explained in earlier posts, I expect Integration-As-A-Service to become more important. One of the larger players (Amazon, Google, EMC, Cisco, Microsoft, ...) may one day come up with a wonderful solution for Business-2-Business communication between organizations.

When I first learned about Simple Queuing Service of Amazon back in 2006, I intially thought that SQS could serve as a transport mechanism for B2B communication. But that didn't work out. As the message size of SQS was very limited, data first had to be stored on S3. Authentication and authorization were also very limited.

So I looked around in the SNS documentation to see what SNS actually is and see if it can serve as a basis for B2B communication. Amazon thinks SNS is usable for B2B or application integration:

Application integration: Amazon SNS can be used in workflow systems to relay events among distributed computer applications, move data between data stores, or update records in business systems. For example, in an order processing application, notification messages may be sent whenever a transaction occurs; a customer places an order, the transaction is forwarded to a payment processor for approval, and an order confirmation message is published to an Amazon SNS topic.

Some facts

Messages can be published over HTTP, HTTPS, E-mail or SQS
Proprietary solution/mechanism, not based on any standard (no AS1, AS2, SFTP, WS-Notification, WS-Eventing, ...)
Messages are (again) limited to 8KB. Just like SQS: too small.
Authentication is based on AWS accounts, so also every subscriber requires an AWS account, hindering factor.
Messages are pushed, not polled. This is good for performance. For polling, use SQS.
But when pushing, the subscriber must expose a web service or mail account. How to secure this: no authentication from Amazon to endpoint receiving notifications; no basic auth, no support for client certs, ...
Messages are signed by Amazon. This is good, very good. Signing is based on HmacSHA256.

Conclusion:
Nice and interesting, but not good enough... In particular the message size remains a blocking factor.

Questions left:

What happens if messages cannot be delivered for a longer periode of time? E.g. when a subscriber disappears?
How does a message that is published over HTTP exactly look like (signed, JSON)? What parameters are passed in the URL?
Can an SSL endpoint with self-signed cert receive notifications?
What if SSL cert of endpoint is expired?
Are mail messages signed and if yes, how?
How and when are messages actually persisted?
The publish service isn't idempotent it seems?

PS: all based on reading the docs, must confess that I didn't actually test it

SSL Man-in-the-middle

2010-04-14T09:31:00.006+02:00

Again a great "Security Now" podcast about SSL: how governments can sniff SSL traffic by enforcing Certificate Authorities to provide them with (intermediate CA) certificates. Based on this paper. Great story, recommended reading or listening!

Some things that I picked up:

Different CA's can provide you with SSL certificate for same URL (or whatever)
Internet Explorer (actually the Windows crypto) downloads extra CA's dynamically; so the list you see in IE can grow behind the scenes
Firefox manages the list of trusted CA's itself
There is no standard policy for when a CA is accepted by browser vendors
The list of trusted CA's should be based on your geographical location
Trusting a CA is somewhat equivalent to trusting a government
Browser should provide (advanced) users with extra features to help them decide if CA certificate should be trusted or not

In my daytime job, SSL/TLS is used a lot for communication between IT systems within the corporate firewall or with business partners across the Internet. Low level configuration of SSL/TLS is often not supported:

Configure single CA (or self-signed) cert to be trusted for specific outbound connection (e.g. when business partners have defined their "own CA")
Different SSL client certificate per outbound connection
Easy configuration revocation checks (OCSP etc); and checking if the revocation checks actually work
Different timeout settings per connection
Only accept SSL connections on specific interfaces

Shooter game or warfare?

2010-03-14T15:06:00.002+01:00

Are my children playing Counterstike?
Or flying a drone plane over Afghanistan?
Great article about pilots flying unmanned planes with remote control. But really remote: 10.000+ kms away.

Claims explained

2010-03-11T20:03:00.003+01:00

SAML, WS-Security and the Secure Token Service of WS-Trust result in a very interesting mix, where federated identity and integration (web services) come together.
Microsoft has published the free book(let) "A Guide to Claims–based Identity and Access Control". Obviously the book is focused on Microsoft technology, ADFS (code name Geneva), FAM and WIF in particular. But I found the first 2 chapters very informative and well written.

E.g. interesting to have confirmation that applications need to keep maintaining fine grained (data level) authorizations themselves.

Also intersting to read about the challenge of home realm discovery: how to know to what Identity provider an external user should be redirected to.

One of the main challenges in my opionion with federated identity is the transformation of tokens/claims. Unless there is further standardization (profiles), the integration with each external business partners will require token transformations. There seems to be a general tendency in WS-land not to bother too much with the actual business content of SOAP messages or SAML tokens.

The day when SAML tokens can be used in an interoperable manner to connect to back-end applications such as SAP or Oracle will be a great day. Looking forward to it.