Steffo's Echolot - Only technical stuff here.
Wednesday Nov 14, 2007
Leopard (Mac OS 10.5) / Mac OS X 10.4 and Java 6
In case you're looking for Java 6 on Mac OS X (10.4/10.5): https://connect.apple.com. It's roughly the same 'old' build we've seen before:
teufelchen: steffo$ /System/Library/Frameworks/JavaVM.framework/Versions/1.6.0/Home/bin/java -version
Posted at 03:18PM Nov 14, 2007 by steffo in Sun | Comments[2]
Tuesday Sep 25, 2007
A standalone OpenSSO client
OpenSSO has a server part (deployed behind a /fam URI or similar) and a client part (e.g. a J2EE agent, or the OpenID extension). In any case you have to ensure that the AMConfig.properties of each part correspond w.r.t. encryption keys, agent IDs etc. Since debugging a J2EE agent or even the OpenID extension might be unfeasible (at least as a first step), I use a stand-alone client which sources the AMAgent.properties used by e.g. the OpenID extension. The following code is an example and works well with OpenSSO and Sun Java System Access Manager (7.0 and 7.1), all deployed in realm mode. To build the JAR, make sure that you add the OpenSSO Client SDK as well as servlet.jar to your (NetBeans) project.
/*
 * OpenSSOConnect.java
 *
 * Created on November 2, 2006, 11:18 AM
 *
 * To change this template, choose Tools | Template Manager
 * and open the template in the editor.
 */

import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.Properties;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.ChoiceCallback;
import javax.security.auth.callback.ConfirmationCallback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.TextInputCallback;
import javax.security.auth.callback.TextOutputCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import com.iplanet.am.util.SystemProperties;
import com.iplanet.sso.SSOToken;
import com.sun.identity.authentication.AuthContext;
import com.sun.identity.idm.AMIdentity;
import com.sun.identity.idm.AMIdentityRepository;
import com.sun.identity.idm.IdUtils;
import com.sun.identity.security.AdminTokenAction;

/**
 * Stand-alone OpenSSO client: loads a client-side AMConfig.properties,
 * authenticates a test user against the server and reads that user's attributes.
 *
 * @author steffo
 */
// The OpenSSO installation has a default realm 'init8' as well as an
// authentication chain 'init8'.
public class OpenSSOConnect {

    public static void main(String[] argv) {
        // "remote" selects the remote (web service based) IdRepo SDK package;
        // otherwise the client runs against the local SDK in admin mode.
        boolean remote = false;
        if (argv.length > 0 && argv[0].equalsIgnoreCase("remote")) {
            remote = true;
        }

        Properties props = new Properties();
        FileInputStream amconfig = null;
        try {
            // Point this to the AMConfig.properties you want to check
            amconfig = new FileInputStream("/Users/steffo/Projekte/OpenSSO/OpenID-Provider/src/opensso/extensions/openid/provider/resources/AMConfig.properties");
            props.load(amconfig);
        } catch (IOException e) {
            // nothing below can work without the client configuration
            System.out.println("AMConfig.properties was not found: " + e.getMessage());
            System.exit(1);
        } finally {
            if (amconfig != null) {
                try {
                    amconfig.close();
                } catch (IOException ignored) {
                    // nothing to do
                }
            }
        }

        props.setProperty("com.iplanet.services.debug.level", "message");
        props.setProperty("com.iplanet.am.naming.ignoreNamingService", "true");
        if (remote) {
            props.setProperty("com.iplanet.am.sdk.package", "com.iplanet.am.sdk.remote");
        } else {
            props.setProperty(AdminTokenAction.AMADMIN_MODE, "true");
        }
        System.out.println("Properties set");
        SystemProperties.initializeProperties(props);

        try {
            SSOToken token = getSSOToken();
            if (token == null) {
                System.out.println("No SSOToken obtained, giving up");
                System.exit(1);
            }
            System.out.println("Getting AMIdentityRepository object");
            AMIdentityRepository idrepo = new AMIdentityRepository(token, "init8");
            System.out.println("Using TOKEN to get AMIdentity object and read attrs");
            AMIdentity tmpId = IdUtils.getIdentity(token);
            System.out.println("Calling getAttributes(), getting all attributes: " + tmpId.getAttributes());
        } catch (Exception ex) {
            ex.printStackTrace();
        }
        System.exit(0);
    }

    public static SSOToken getSSOToken() throws Exception {
        // We created a user 'steffo' with credentials 'password'
        return getSSOToken("init8", "steffo", "password");
    }

    protected static SSOToken getSSOToken(String org, String uid, String password) throws Exception {
        AuthContext ac = new AuthContext(org);
        ac.login(AuthContext.IndexType.SERVICE, "init8");
        Callback[] callbacks = null;
        if (ac.hasMoreRequirements()) {
            callbacks = ac.getRequirements();
            if (callbacks != null) {
                try {
                    addLoginCallbackMessage(callbacks, uid, password);
                    ac.submitRequirements(callbacks);
                } catch (Exception e) {
                    debugMessage("Login failed!!");
                    debugMessage("--> " + loginError(ac));
                    e.printStackTrace();
                    return null;
                }
            }
        }
        if (ac.getStatus() == AuthContext.Status.SUCCESS) {
            debugMessage("Login success!!");
        } else if (ac.getStatus() == AuthContext.Status.FAILED) {
            debugMessage("Login has failed!!");
            debugMessage("--> " + loginError(ac));
        } else if (ac.getStatus() == AuthContext.Status.IN_PROGRESS) {
            // This may happen when the password is about to expire and must be reset.
            // Analyze the error message to be sure what is going on.
            debugMessage("Login is in progress!");
            if (ac.hasMoreRequirements()) {
                callbacks = ac.getRequirements();
                if (callbacks != null) {
                    debugMessage("Callbacks for new password will be processed!");
                    try {
                        addNewPasswordCallbackMessage(callbacks, uid, password, "Geheim03");
                        ac.submitRequirements(callbacks);
                    } catch (Exception e) {
                        debugMessage("Login failed while processing new password callbacks.");
                        debugMessage("--> " + loginError(ac));
                        e.printStackTrace();
                        return null;
                    }
                }
            }
            if (ac.getStatus() == AuthContext.Status.SUCCESS) {
                debugMessage("Login success after switch to new password!");
            } else {
                debugMessage("Login failed after switch to new password!");
                debugMessage("--> " + loginError(ac));
            }
        } else {
            debugMessage("Unknown status: " + ac.getStatus());
            debugMessage("--> " + loginError(ac));
        }
        return ac.getSSOToken();
    }

    // Message of the last login exception; getLoginException() may return null
    // when no failure has been recorded, so guard against that.
    static String loginError(AuthContext ac) {
        return ac.getLoginException() == null
                ? "(no login exception)"
                : ac.getLoginException().getMessage();
    }

    // Get the user's inputs and set them in the callback array.
    static void addLoginCallbackMessage(Callback[] callbacks, String uid, String password)
            throws UnsupportedCallbackException {
        debugMessage("begin addLoginCallbackMessage()");
        int i = 0;
        try {
            for (i = 0; i < callbacks.length; i++) {
                if (callbacks[i] instanceof TextOutputCallback) {
                    debugMessage("Got TextOutputCallback");
                    // Display the message according to the specified type
                    TextOutputCallback toc = (TextOutputCallback) callbacks[i];
                    switch (toc.getMessageType()) {
                        case TextOutputCallback.INFORMATION:
                            debugMessage(toc.getMessage());
                            break;
                        case TextOutputCallback.ERROR:
                            debugMessage("ERROR: " + toc.getMessage());
                            break;
                        case TextOutputCallback.WARNING:
                            debugMessage("WARNING: " + toc.getMessage());
                            break;
                        default:
                            debugMessage("Unsupported message type: " + toc.getMessageType());
                    }
                } else if (callbacks[i] instanceof NameCallback) {
                    debugMessage("Got NameCallback");
                    NameCallback nc = (NameCallback) callbacks[i];
                    nc.setName(uid);
                } else if (callbacks[i] instanceof PasswordCallback) {
                    debugMessage("Got PasswordCallback");
                    PasswordCallback pc = (PasswordCallback) callbacks[i];
                    pc.setPassword(password.toCharArray());
                } else if (callbacks[i] instanceof TextInputCallback) {
                    debugMessage("Got TextInputCallback");
                    // prompt for text input; the provided default value is ignored
                    TextInputCallback tic = (TextInputCallback) callbacks[i];
                    System.err.print(tic.getPrompt());
                    System.err.flush();
                    tic.setText(new BufferedReader(new InputStreamReader(System.in)).readLine());
                } else if (callbacks[i] instanceof ChoiceCallback) {
                    debugMessage("Got ChoiceCallback");
                    // prompt for choice input
                    ChoiceCallback cc = (ChoiceCallback) callbacks[i];
                    System.err.print(cc.getPrompt());
                    String[] strChoices = cc.getChoices();
                    for (int j = 0; j < strChoices.length; j++) {
                        System.err.print("choice[" + j + "] : " + strChoices[j]);
                    }
                    System.err.flush();
                    cc.setSelectedIndex(Integer.parseInt(
                            new BufferedReader(new InputStreamReader(System.in)).readLine()));
                }
            }
        } catch (Exception e) {
            throw new UnsupportedCallbackException(callbacks[i], "Callback exception: " + e);
        }
    }

    // Answer the password-reset callbacks that the module presents when the
    // status is IN_PROGRESS: old password first, the new one for the rest.
    static void addNewPasswordCallbackMessage(Callback[] callbacks, String uid,
            String oldPassword, String newPassword) throws UnsupportedCallbackException {
        int pwdCount = 0;
        int i = 0;
        try {
            for (i = 0; i < callbacks.length; i++) {
                if (callbacks[i] instanceof TextOutputCallback) {
                    debugMessage("Got TextOutputCallback while setting new password.");
                    // simply display the message together with its type
                    TextOutputCallback toc = (TextOutputCallback) callbacks[i];
                    debugMessage(toc.getMessageType() + ": " + toc.getMessage());
                } else if (callbacks[i] instanceof NameCallback) {
                    debugMessage("Got NameCallback while setting new password - this should not happen!");
                    debugMessage("Maybe you hit the next login module.");
                } else if (callbacks[i] instanceof PasswordCallback) {
                    debugMessage("Got PasswordCallback while setting new password.");
                    PasswordCallback pc = (PasswordCallback) callbacks[i];
                    // set the first password callback to the old password, the others to the new one
                    if (pwdCount == 0) {
                        pc.setPassword(oldPassword.toCharArray());
                    } else {
                        pc.setPassword(newPassword.toCharArray());
                    }
                    pwdCount++;
                } else if (callbacks[i] instanceof ConfirmationCallback) {
                    debugMessage("Got ConfirmationCallback while setting new password!");
                    ConfirmationCallback cc = (ConfirmationCallback) callbacks[i];
                    // "0" is the index of SUBMIT
                    cc.setSelectedIndex(0);
                } else if (callbacks[i] instanceof TextInputCallback) {
                    debugMessage("Got TextInputCallback while setting new password - this should not happen!");
                } else if (callbacks[i] instanceof ChoiceCallback) {
                    debugMessage("Got ChoiceCallback while setting new password - this should not happen!");
                }
            }
        } catch (Exception e) {
            throw new UnsupportedCallbackException(callbacks[i], "Callback exception: " + e);
        }
    }

    static void debugMessage(String msg) {
        System.out.println(msg);
    }
}
Posted at 08:46AM Sep 25, 2007 by steffo in Sun | Comments[3]
Monday Sep 24, 2007
OpenSSO with OpenID (on the Mac featuring Glassfish)
I've been asked for this a couple of times. Building and getting the OpenID extension for OpenSSO running
I assume that you have already downloaded and deployed OpenSSO in the Glassfish application server. Also, you must be able to successfully log in to OpenSSO's console as 'amadmin'.
Overall Scenario
We will set up 4 (HTTP) services:
The 4 components correspond to the ones used by Sun's deployment (as described in Hubert's blog): the relying party (Python client), the OpenID Identifier Server (Apache), the OpenID Extension (OpenID endpoint at 18080), and Login (OpenSSO server at 8080). There is no registration component in our example. Users are either created from the OpenSSO console or provisioned to an LDAP data source.
Step 1. Download and build the OpenID extension
First, log in to OpenSSO's console and create an account to be used by the OpenID extension (the OpenID extension is an OpenSSO client which authenticates against the OpenSSO server).
Second, check out the OpenSSO source code via cvs -d :pserver:yourlogin@cvs.dev.java.net:/cvs checkout opensso and save the result in e.g. ~/Projects/OpenSSO/src. Next, download the OpenSSO ClientSDK and save the JAR famclientsdk.jar in e.g. ~/Projects/OpenSSO/clientSDK/. The client SDK is needed by the OpenID extension. The OpenID extension is at opensso/extensions/openid/provider/ in the OpenSSO source tree. You'll also find a build.xml with all the necessary targets there. Now copy the following JARs to opensso/extensions/openid/provider/extlib:
Set up a NetBeans project; I used 'Java Project with existing Ant script'. Make sure you add the above JARs to your NetBeans project. There are two properties files which are crucial:
More information can be found in the extension's README.
AMConfig.properties contains the configuration information required by the OpenSSO client SDK (do not mix this one up with the OpenSSO server configuration file, which has the same name but resides somewhere at /etc/OpenSSO or /etc/SUNWam - you've been asked for the exact location during the OpenSSO installation). Make sure that everything in this file is correct. Also check that the debug directory exists and that the naming URL is correct. Here are the keys that work for my setup:
Make sure that in your setup the values of the server's and client's AMConfig.properties match.
Provider.properties
There are only a few keys here.
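Both the stand-alone client post above and this step say the same thing: the client-side AMConfig.properties must agree with the server's copy on the keys that both sides use, and the debug directory must exist. The following is an added example (not code from the blog or from OpenSSO) that parses Java .properties syntax the way java.util.Properties does (comments, '=' or ':' separators, backslash line continuations, \uXXXX escapes) and reports the keys that differ. The sample contents are constructed; am.encryption.pwd, com.iplanet.am.naming.url, the com.iplanet.am.server.* keys and com.iplanet.services.debug.directory are standard AMConfig.properties keys, but which further keys must match is an assumption to adjust per deployment.

```python
"""Compare a client-side AMConfig.properties with the server's copy."""
import os
import tempfile

# Keys assumed to need identical values on client and server (extend as needed).
MUST_MATCH = (
    "am.encryption.pwd",
    "com.iplanet.am.naming.url",
    "com.iplanet.am.server.protocol",
    "com.iplanet.am.server.host",
    "com.iplanet.am.server.port",
)
DEBUG_DIR_KEY = "com.iplanet.services.debug.directory"

# Constructed samples; the key values are placeholders, not real secrets.
CLIENT_SAMPLE = """\
# constructed sample: client-side AMConfig.properties
com.iplanet.am.naming.url=http://teufelchen.init8.net:8080/fam/namingservice
com.iplanet.am.server.protocol=http
com.iplanet.am.server.host=teufelchen.init8.net
com.iplanet.am.server.port=8080
am.encryption.pwd=PLACEHOLDER-CLIENT-KEY
com.iplanet.services.debug.level=message
com.iplanet.services.debug.directory=/tmp/opensso-client-debug
"""
SERVER_SAMPLE = """\
! constructed sample: server-side AMConfig.properties, with ':' and a continuation line
com.iplanet.am.naming.url = http://teufelchen.init8.net:8080/fam/\\
    namingservice
com.iplanet.am.server.protocol: http
com.iplanet.am.server.host=teufelchen.init8.net
com.iplanet.am.server.port=8080
am.encryption.pwd=PLACEHOLDER-SERVER-KEY
"""


def _unescape(s):
    """Resolve \\uXXXX and single-character backslash escapes of .properties."""
    out, i = [], 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            n = s[i + 1]
            if n == "u" and i + 5 < len(s):
                out.append(chr(int(s[i + 2:i + 6], 16)))
                i += 6
                continue
            out.append({"t": "\t", "n": "\n", "r": "\r", "f": "\f"}.get(n, n))
            i += 2
            continue
        out.append(c)
        i += 1
    return "".join(out)


def parse_properties(text):
    """Return a dict from .properties text; a repeated key keeps its last value."""
    props, logical = {}, []
    for raw in text.splitlines():
        line = raw.lstrip()
        if not logical and (not line or line[0] in "#!"):
            continue  # blank line or comment (only outside a continuation)
        if line.endswith("\\") and (len(line) - len(line.rstrip("\\"))) % 2 == 1:
            logical.append(line[:-1])  # odd number of trailing backslashes: continued
            continue
        logical.append(line)
        full, logical = "".join(logical), []
        key, i = [], 0
        while i < len(full):  # key ends at the first unescaped '=', ':' or whitespace
            c = full[i]
            if c == "\\" and i + 1 < len(full):
                key.append(full[i:i + 2])
                i += 2
                continue
            if c in "=: \t":
                break
            key.append(c)
            i += 1
        rest = full[i:].lstrip(" \t")
        if rest[:1] in ("=", ":"):
            rest = rest[1:].lstrip(" \t")
        props[_unescape("".join(key))] = _unescape(rest)
    return props


def compare(client, server, must_match=MUST_MATCH):
    """Return {key: (client_value, server_value)} for keys that differ or are missing."""
    return {k: (client.get(k), server.get(k)) for k in must_match if client.get(k) != server.get(k)}


def debug_dir_ok(props):
    """The client SDK needs an existing debug directory on the client host."""
    d = props.get(DEBUG_DIR_KEY)
    return bool(d) and os.path.isdir(d)


if __name__ == "__main__":
    client, server = parse_properties(CLIENT_SAMPLE), parse_properties(SERVER_SAMPLE)
    for key, (c, s) in compare(client, server).items():
        print("MISMATCH %s: client=%r server=%r" % (key, c, s))
    print("debug directory exists:", debug_dir_ok(client))
    with tempfile.TemporaryDirectory() as tmp:  # show the check passing
        client[DEBUG_DIR_KEY] = tmp
        print("debug directory exists after creating it:", debug_dir_ok(client))
```

Run it against real files by replacing the two sample strings with the contents of the client's and the server's AMConfig.properties; a mismatch on am.encryption.pwd is exactly the kind of error that otherwise surfaces only as a failed login deep inside the SDK.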
You can now build the OpenID extension by selecting the target 'war'. I deployed the 'provider.jar' at http://teufelchen.nit8.net:18080/openid. Browse to http://teufelchen.nit8.net:18080/openid and you should see the service endpoint.
Step 2. Configure your OpenID URL and create a user in OpenSSO
The OpenID URL I want to use is "http://teufelchen.init8.net/steffo". Browsing to this URL should retrieve the document at $DOCROOT/steffo/index.html. I used Apache's standard 'index.html' (the one that gives you the 'Seeing this instead of the website you expected?') and pasted the following inside the HEAD element: <link rel="openid.server" href="http://teufelchen.init8.net:18080/openid/service"/> You also have to create a user in OpenSSO. The ID of that user depends on the OpenID you want to use. If you want to use "http://teufelchen.init8.net/steffo", create a user "steffo". Note that this user might reside in an external LDAP (in which case you have to configure an appropriate authentication module and data source - but that's not required for this sample).
Step 3. Download and install the OpenID client
Download the Python libs at http://www.openidenabled.com/ . Follow the installation instructions and edit the file 'consumer.py' in the examples directory. Modify the following keys:
You can now start the consumer from the command shell: python consumer.py --port 8001 This sets up an HTTP service. The above command outputs something like:
Server running at:
I put a fake entry in /etc/hosts which assigns 127.0.0.1 the name "openid.init8.net". Direct your browser to this URL. You can now enter your OpenID (e.g. http://teufelchen.init8.net/steffo) into the box. Next, you'll be redirected to OpenSSO's login screen. After successfully entering your credentials, you'll see a message like The website http://openid.init8.net:8001/ is requesting confirmation that your OpenID identity is http://teufelchen.init8.net/steffo. Done.
Posted at 06:44PM Sep 24, 2007 by steffo in Sun | Comments[1]
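The link tag from step 2 is all the relying party has to go on when it resolves an OpenID URL: it fetches the identifier page, reads the openid.server link from its HEAD and redirects the user there. A quick offline check of that page saves a round of debugging. The following is an added example, not code from the post or from the openidenabled library: it parses the OpenID 1.x link tags with Python's html.parser (openid.server as used in the post, plus openid.delegate from the OpenID 1.1 specification), insists they sit inside <head>, and compares the advertised server with the endpoint you actually deployed. The two HTML documents are constructed samples.

```python
"""Check an OpenID 1.x identifier page for its openid.server link."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Endpoint deployed in step 1 of the post.
EXPECTED_SERVER = "http://teufelchen.init8.net:18080/openid/service"

# Constructed sample pages: one correct, one with the links outside <head>.
GOOD_PAGE = """<html><head><title>steffo</title>
<link rel="openid.server" href="http://teufelchen.init8.net:18080/openid/service"/>
</head><body><p>Seeing this instead of the website you expected?</p></body></html>"""
BAD_PAGE = """<html><head><title>steffo</title></head><body>
<link rel="openid.server" href="http://teufelchen.init8.net:18080/openid/service"/>
<link rel="openid.delegate" href="http://other.example/steffo"/>
</body></html>"""

OPENID_RELS = ("openid.server", "openid.delegate")


class _LinkCollector(HTMLParser):
    """Collects openid.* link tags; self-closing <link .../> arrives via handle_starttag."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.links = {}   # rel -> href, first occurrence wins
        self.stray = []   # openid links found outside <head>

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
            return
        if tag != "link":
            return
        a = dict(attrs)
        href = a.get("href")
        for rel in (a.get("rel") or "").lower().split():
            if rel in OPENID_RELS and href:
                if not self.in_head:
                    self.stray.append((rel, href))
                elif rel not in self.links:
                    self.links[rel] = href

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def discover(html):
    """Return (links_in_head, stray_links) for an identifier page."""
    p = _LinkCollector()
    p.feed(html)
    p.close()
    return p.links, p.stray


def check_identifier_page(html, expected_server=EXPECTED_SERVER):
    """Return (ok, problems): ok only if openid.server is in <head> and names the expected endpoint."""
    links, stray = discover(html)
    problems = []
    server = links.get("openid.server")
    if server is None:
        problems.append('no <link rel="openid.server"> inside <head>')
    else:
        exp, got = urlsplit(expected_server), urlsplit(server)
        if (got.scheme, got.netloc, got.path) != (exp.scheme, exp.netloc, exp.path):
            problems.append("openid.server points to %s, expected %s" % (server, expected_server))
    for rel, href in stray:
        problems.append("%s link outside <head> is ignored by consumers: %s" % (rel, href))
    return (not problems, problems)


if __name__ == "__main__":
    for name, page in (("good page", GOOD_PAGE), ("bad page", BAD_PAGE)):
        ok, problems = check_identifier_page(page)
        print(name, "->", "ok" if ok else "; ".join(problems))
```

Point it at the real page by reading the HTML that http://teufelchen.init8.net/steffo serves; the endpoint comparison is worth keeping even after things work, because whoever can edit the identifier page decides where the relying party sends users to log in.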
Thursday Mar 22, 2007
UNESCO on Ethical Implications of Emerging Technologies
The 2007 report is out and covers
Posted at 04:54PM Mar 22, 2007 by steffo in Sun | Comments[0]
The need for virtualization on Load Balancers
Surprisingly many (big) companies still don't use load-balancing switches (LBs). I am talking about hardware boxes like Alteon, Foundry, Nauticus. Those that use LBs use them in mission-critical environments. If any of these companies plans to roll out a new project that could benefit from a load-balanced network environment, they're instantly in a big discussion with the people who operate these boxes. Since these boxes are mission-critical, configuration changes require a lot of discussion. This is especially true if you want to convince these people to use configurations they've never used before (e.g. proxy IP addresses). End of the game.
It would be easier to buy a separate load-balancer for each project. But then: costs, costs, costs. A load-balancer with appropriate features is not a cheap thing: 10-20K EUR per box, at least 2 boxes (high availability), three environments (development, integration, production), so 60-120K EUR per project/application. So what's the alternative: discussions or cheap software solutions? Well, the cheap software solutions I saw (I'm not talking about Resonate here, I'm talking about things like BEA's LB plugin, DNS round-robin etc.) don't take you that far. Load-balancing is a network thing, a hardware thing (you don't use multi-homed PCs for L3 routing, do you). Discussions? The average time spent on discussions on how to configure the load-balancer without affecting the other applications is 5-10 days (you, the network guy plus some project manager). Yes, that's 5-15K EUR per project. Assume you have 3-5 projects on your LB infrastructure, that's 15-75K EUR spent on discussions. Plus the amount caused by unplanned outages (maybe not of the production system, but non-availability of the integration system can also cost money). So in total: 5-80K EUR. That money could be saved if the network guy could easily be assured that the new configuration won't harm his existing one. That's what virtualization can do for you (and for him). Every project gets its own sandbox on one LB platform.
Posted at 02:00AM Mar 22, 2007 by steffo in Sun | Comments[2]
Thursday Mar 01, 2007
Java Enterprise System 5 is out
Java ES 5 is out! Most exciting things for me in this release
Since Parallels 2.5 is now also officially released, this reduces the amount of beta software on my Mac substantially. Since I work in the identity systems area I haven't tested all of the Java ES components. However, for a PoC/TOI I had 6 instances of Directory Server 6 plus Directory Proxy and a MySQL database running in my Solaris 10 Parallels image. No problems apart from the clock issue (which might be a problem with S10U1 and doesn't show up with Update 3 of Solaris 10). All this requires some memory; 2 GB seem to be sufficient, and the simple truth "there is no substitute for engine displacement, except even more displacement" holds here as well.
Posted at 04:34PM Mar 01, 2007 by steffo in Sun | Comments[0]
Thursday Feb 15, 2007
Parallels (and Nevada)
Short version: yes, it works out of the box. I downloaded the Parallels Beta 2.5 (Build 3150) software. For some reason the activation key didn't work - had to get a trial key. Started Parallels and it immediately froze my Mac. Reboot (that's a shame because I found all the stuff around my OS X quite stable, and that happened before). Anyway, I took the latest Nevada build and installed it. No problems so far. I'll post detailed results later.
Posted at 06:53PM Feb 15, 2007 by steffo in Sun | Comments[1]