Saturday, October 31, 2009

Mail Journaling Solution - Part II

After my post on Mail Journaling Solution, I continued to search for more solutions.

My objective is simple:

1. It has to be simple architecturally;
2. It has to be value-for-money;
3. Investment should be progressive, rather than huge up-front

It's in my character to think in the shoes of my customers when I introduce a product to them. That explains why I do not like to pay too much up-front, even though the money does not belong to me. Yes, revenue-wise it would be good for the company. However, I think I need to take a higher priority on my customers' interest.

When they grow big or even bigger, they'll always come back to us. So why worry about no recurring business?

Today, I found another interesting product from deepinvent Software GmbH - MailStore Server.

This product works very well with Microsoft Exchange. It is ideal for small companies. Actually, in my opinion, it should work well for larger setups if the architecture is deployed correctly.

So how about Sun Java Messaging Server?

MailStore Server comes with another component called MailStore Proxy. It can be deployed in front of the Sun Messaging Server.

The only change is to simply point your email client to this Proxy. All incoming and outgoing emails will now flow through the Proxy, thus achieving the mail journaling objective.

Customers can choose to deploy this in-house if they like.

The pros and cons are discussed here.

Thursday, October 29, 2009

Sun Java Indexing and Search Service

The latest release of Sun Java Communications Suite 7 comes with a very exciting component called "Sun Java Indexing and Search Service" (ISS).

However, in reality, it is pretty challenging to sell. Imagine the additional boxes required.

Software Requirement

* Communications Suite: Messaging Server, Indexing and Search Service, and Java Message Queue
* Application server web container for Indexing and Search Service: GlassFish
* LDAP server: Directory Server
* (Optional): Apache HTTP Server version 2, for multi-host deployments (used as web container for ISS back ends)

For High-Availability deployment, it's harder to sell Communications Suite 7 with ISS.

* Java Message Queue in clustered mode via Sun Cluster
* Glassfish in clustered mode via Glassfish Cluster
* Directory Server in Multi-Master Replication mode
* Apache in clustered mode via Heartbeat
* Not forgetting load-balancer with VLAN support to load-balance the various clustered components


Wednesday, October 28, 2009

Edge Deployment

As the workforce becomes more and more mobile these days, an Edge Architecture is highly recommended.

What is an Edge Architecture?

A two-tiered architecture that provides for secure connections over the Internet

I do not know who first came up with the term "Edge", but one will find it more commonly used in the Microsoft Exchange context.

The role of the Exchange Server 2007 Edge Transport Server is to be an SMTP Gateway for incoming and outgoing E-Mail messages

Below is how Sun Microsystems deploys its internal Edge Architecture.

FE-net: Front-End Network (Edge Network)
BE-net: Back-End Network

Basically, there is a firewall in front of FE-net and there is another firewall between FE-net and BE-net. Pretty straight-forward.

PS: I've been asked many times what the recommended hardware is.

As a general guideline, for a small setup with less than 5,000 users, T1000 for FE components and T2000 for BE components. (Of course, these 2 models are EOL. Finding equivalents will do.)

For larger deployments, I do see T2000 for FE components and V490 for BE components.

Sun internally uses the following configuration:

Tuesday, October 27, 2009

Identity Manager PasswordSync

We are still preparing for the IdM tender I mentioned in my previous post.

Today, we hit a problem - Sun Java System Identity Synchronization for Windows 6.0 cannot synchronize with Microsoft Active Directory 2008.

Identity Synchronization for Windows provides bidirectional password and user attributes synchronization between the Sun Java System Directory Server 6.0 and the following:

* Windows 2000 or Windows 2003 Server Active Directory
* Windows NT SAM Registry

Read here.

Luckily, we have a fallback plan - PasswordSync.

The PasswordSync feature keeps user password changes made on Windows Active Directory domains synchronized with other resources defined in Identity Manager. PasswordSync must be installed on each domain controller in the domains that will be synchronized with Identity Manager. PasswordSync must be installed separately from Identity Manager.

PasswordSync consists of a DLL (lhpwic.dll) that resides on each domain controller. This DLL receives password update notifications from Windows, encrypts them, and sends them over HTTPS to the PasswordSync servlet. The PasswordSync servlet is located on the application server running Identity Manager.

The recommended deployment is to configure with JMS connection.

The JMS method is recommended for more complex environments that have a high volume requirement, need messages delivered to multiple systems, and require guaranteed message delivery. The JMS Message Queue can be made highly available. As long as a message gets into the queue, if message delivery to Identity Manager should fail, the queue will keep the change until the message can be delivered to Identity Manager.

Read here.

Sunday, October 25, 2009

On-Demand Password Synchronization

There is another feature that I like from Sun Java System Identity Synchronization for Windows 6.0.

On-Demand Password Sync

The on-demand password synchronization process is as follows:

1. The user presses Ctrl-Alt-Del on a machine running Windows and changes his or her password. The new passwords are stored in Active Directory.

2. The Active Directory Connector polls the system at scheduled intervals. When the Connector detects the password change, the Connector publishes a message on Message Queue about the password change.

3. The Directory Server Connector receives the password change message from Message Queue (over SSL).

4. The Directory Server Connector sets the user entry’s dspswvalidate attribute to true, which invalidates the old password and alerts the Directory Server Plug-in of the password change.

5. When the user tries to log in, using an LDAP application (such as Portal Server) to authenticate against the Directory Server, the Sun Java System Directory Server Plug-in detects that the password value in the Directory Server entry is invalid.

6. The Directory Server Plug-in searches for the corresponding user in Active Directory. When the Plug-in finds the user, the Plug-in tries to bind to Active Directory using the password provided when the user tried logging in to Directory Server.

7. If the bind against Active Directory succeeds, the Directory Server Plug-in sets the password and removes the invalid password flag from the user entry on Directory Server allowing the user to log in.

Note – If user authentication fails, the user entry password remains in Directory Server and the passwords on Directory Server and Active Directory are not the same until the user logs in with a valid password, one that authenticates to Active Directory.

This is really cool!
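The seven steps and the Note above, modelled as a small state machine. This is an added example, not code from the original post or from Sun: the `ActiveDirectory` and `DirectoryServer` classes, the PBKDF2 storage scheme and the credentials are assumptions made for illustration, and only the `dspswvalidate` attribute name comes from the text.

```python
import hashlib
import hmac
import os

def _hash(password, salt):
    # Storage scheme is an assumption for this model, not the product's.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

class ActiveDirectory:
    """Stand-in for AD: authoritative password store that counts binds."""
    def __init__(self):
        self._passwords = {}
        self.changed = []        # users changed since the last connector poll
        self.bind_attempts = 0

    def change_password(self, user, new_password):        # step 1
        self._passwords[user] = new_password
        self.changed.append(user)

    def bind(self, user, password):
        self.bind_attempts += 1
        stored = self._passwords.get(user, "")
        return hmac.compare_digest(stored.encode(), password.encode())

class DirectoryServer:
    """Stand-in for Directory Server together with its plug-in."""
    def __init__(self, ad):
        self.ad = ad
        self.entries = {}

    def add_user(self, user, password):
        salt = os.urandom(16)
        self.entries[user] = {"salt": salt, "hash": _hash(password, salt),
                              "dspswvalidate": False}

    def on_change_message(self, user):                     # step 4
        self.entries[user]["dspswvalidate"] = True

    def bind(self, user, password):                        # steps 5-7
        entry = self.entries.get(user)
        if entry is None:
            return False
        if not entry["dspswvalidate"]:
            # No pending change: verify locally, AD is not contacted.
            return hmac.compare_digest(entry["hash"], _hash(password, entry["salt"]))
        if not self.ad.bind(user, password):
            return False    # the Note: flag stays set, old hash stays stored
        entry["salt"] = os.urandom(16)
        entry["hash"] = _hash(password, entry["salt"])
        entry["dspswvalidate"] = False
        return True

def sync(ad, ds):
    """Steps 2-3: the AD Connector polls; the change message reaches the DS Connector."""
    for user in ad.changed:
        ds.on_change_message(user)
    ad.changed.clear()

def run_scenario():
    ad = ActiveDirectory()
    ds = DirectoryServer(ad)
    ad.change_password("alice", "Old-Pass-1")   # constructed credentials
    ad.changed.clear()
    ds.add_user("alice", "Old-Pass-1")
    r = {}
    ad.change_password("alice", "New-Pass-2")
    r["old_pw_before_poll"] = ds.bind("alice", "Old-Pass-1")
    sync(ad, ds)
    r["old_pw_after_flag"] = ds.bind("alice", "Old-Pass-1")
    r["flag_after_failed_login"] = ds.entries["alice"]["dspswvalidate"]
    r["new_pw"] = ds.bind("alice", "New-Pass-2")
    r["flag_after_success"] = ds.entries["alice"]["dspswvalidate"]
    r["new_pw_again"] = ds.bind("alice", "New-Pass-2")
    r["old_pw_after_sync"] = ds.bind("alice", "Old-Pass-1")
    r["ad_bind_attempts"] = ad.bind_attempts
    return r

if __name__ == "__main__":
    print(run_scenario())
```

In this model the old password keeps working against the directory until the connector's next poll, and while the flag is set every login attempt is forwarded to Active Directory as a bind.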

Saturday, October 24, 2009

Sun Java System Identity Synchronization for Windows 6.0

There is a mega-big tender for an Identity Management (IdM) Solution in S'pore. Sun has called for my team's help in the Proof-of-Concept phase.

I'm trained in IdM, but really not well-versed. :) My colleague will help out in the IdM portion. I'll help in the backbone stuff - sync-ing Sun Directory Server with Microsoft Active Directory.

That would be relatively easier than IdM. At least, Sun already has a product in Sun Java System Identity Synchronization for Windows 6.0.

What I like about Identity Sync is:

The Active Directory Connector can be installed on any platform, not necessarily on the AD box itself

Friday, October 23, 2009

How to Determine Last Access Time

I have been asked a number of times - "How do we monitor usage pattern and especially determine the last time a user has logged into Sun Messaging Server?"

"imsconnutil" is your friend!

See here for detailed usage.

Thursday, October 22, 2009

Mail Journaling Solution

There have been requests recently for Mail Journaling Solution to integrate with Sun Java Messaging Server.

Sun used to work closely with AXS-One for a very short period of time. I attended the workshop when it was offered for Partners and Sun Professional Service.

However, honestly speaking, the price for AXS-One is far too expensive. Mid-size companies might also find the price too high for their likings, unless there is a very strong compliance reason for them to adopt. Otherwise, most will give it a miss.

What are the options left?

If you do not mind your archived data be hosted in the Cloud, you can easily subscribe to Google Postini Email Archiving Service.

I found another Email Archiving & Compliance product (MailArchiva) yesterday when I was scoping for a tender in Bangladesh.

This is an open-source product. The good thing about it is the data is always with you.

From a technical point of view, I like it for its support for many variants of messaging products. Notice that Sun Java Messaging Server is not mentioned. But I'll be giving it a test with our own production Sun Java Messaging Server.

Wednesday, October 21, 2009

Synchronica vs NotifyLink

Sun Mobile Communications Server is an OEM from Synchronica.

Sun Java Mobile Communications enables over-the-air (OTA) synchronization support for multiple mobile devices with calendar and contact data stored on Sun Java Communications Suite servers.

There is another similar product that works seamlessly with Sun Java Communications Suite.

Which is better? I was asked twice yesterday.

My comment is:

1. NotifyLink is more expensive, but it can support more mobile devices.
2. Synchronica can only support SyncML clients, Palm OS and Windows Mobile devices. If you are using Blackberry, I'm sorry.

Tuesday, October 20, 2009

Migrating from Microsoft Exchange to Sun Communications Suite

It has been a challenging week for me so far. There are requests to migrate users from the Microsoft Exchange platform to Sun Communications Suite. One from Vietnam for a 10,000 user base; another in the Philippines for a 3,000 user base.

The main talking points are always:
1. How compatible is Sun Communications Suite?
2. How to migrate Exchange information to Sun Communications Suite?

Sun Enterprise Messaging Reference Architecture

To promote understanding of the Sun Java System Communications Services architecture, Sun created the Sun Enterprise Messaging Reference Architecture (SEMRA), which simulates a corporate Microsoft Exchange site consisting of 5,000 users. This reference architecture proved the concept that migration from Microsoft Exchange to a new Java Enterprise System target deployment works from a functional point of view.

In this architecture:

Tier 0 contains the load balancer (software or switch).
Tier 1 acts as the front end that provides access to the messaging applications.
Tier 2 forms the layer where the messaging data is handled by the applications.

Compatibility is easy to comply with; migration is more challenging. Luckily, Sun has a tool called SGMT (Sun Groupware Migration Toolkit).

I'll cover more on SGMT later. For now, you can read from here.

Saturday, October 17, 2009

Google Docs Backup

There is this new product released in Google Solutions Marketplace - Google Docs Backup.

I find it amusing.

Firstly, if one decides to go with Google Apps, then he must be attracted by the Cloud and the convenience of accessing it anytime, anywhere. (Not being restricted to his desktop)

Secondly, if one does not feel comfortable (in terms of security and "safe-ness" of one's data) with hosted service (that's what cloud is), then one should not even jump onto the bandwagon.

Why would you need to backup your Cloud data? Strange. Dun tell me the data in the Cloud does not have redundancy and backup in place?

Friday, October 16, 2009

E-Mail Archiving Market Key Players

The Radicati Group, Inc listed the key players in the E-Mail Archiving market:

Source here.

I feel that the list is still long. There should be more consolidation in the coming years...

Interestingly enough, OpenText quoted the following from the same report:

In its 2008-2012 Email Archiving Market report, Radicati Group estimated that the typical corporate user now sends or receives 156 messages per day—nearly doubling the volume per day estimated in 2004. By such measures, an organization of 10,000 employees would generate approximately 400 million emails over the course of a single year. What’s the impact of that much information? From a storage perspective, that much email could consume roughly 20 terabytes of new storage space—every year!

Source here.

Using the example above of an organization of just 10,000 employees, over the course of seven years the company could expect to accumulate 1.75 billion messages, consuming as much as 80 TB of storage space. Even if those messages are all stored on low-cost arrays, it’s still a significant amount of storage.

That's a lot of space and a lot of money! Storage business will never die! Ha!

Thursday, October 15, 2009

UWC missing in Sun Java Communications Suite 7

Sun Java Communications Suite 7 has been released since Sep 29th, 2009. Since I'm free today, I decided to read the Release Notes.

What caught my attention is UWC (Communications Express 6.3) has been deprecated!
Going forward, no new features will be added to the Communications Express user interface. It has been deprecated in favor of Sun Convergence. Communications Express will be removed from the product in a future release.

No patches will be issued for Communications Express versions prior to 6.3.

If you need to install Communications Express 6.3, use the Communications Suite 6 Update 2 media to get the software.

Read here.

This is mad. There is definitely a larger deployment of UWC than Sun Convergence. At least from my own experience on the ground.

Many corporate customers are comfortable enough with UWC. ISPs, of course, want Sun Convergence (OK, it's slicker) to gain market share.

PS: Btw, there is still a customer of mine sticking with Messaging Express (ME). Ha!


Wednesday, October 14, 2009

Easiest way to upgrade Sun Messaging Server

What is the easiest way to upgrade Sun Messaging Server with mailboxes and address books migration?

My opinion is: If customer can afford the downtime, then imsbackup/imsrestore and simple ldapsearch/ldapadd commands are the easiest.

I'm talking about corporate customers though, not ISPs definitely. The whole migration process will not take longer than 1 man-day. Sell 2 man-days if you may.

General Steps:

1. Set up new Sun Messaging Server
2. Stop new user creation
3. Export all users (e.g. ou=People,,o=isp) from old Sun Directory Server to new Directory Server
4. Export all address books (e.g. o=PiServerDB) from old Sun Directory Server to new Directory Server
5. Run imsbackup on old Sun Messaging Server
6. Stop old Sun Messaging Server
7. Start new Sun Messaging Server
8. Run imsrestore on new Sun Messaging Server (this process will take a long time; be patient!)

We are done! Simple right?

PS: imsrestore will take care of mailbox formatting if required. e.g. from x86 mailbox format to x64 mailbox format

Tuesday, October 13, 2009

UWC behavior

On most occasions when the configuration is set correctly, the UWC (Communications Express) should render just fine like the one shown below:

At times, the following will be observed (with Mail tab missing):

When will this happen? There are a few likely cases:
1. Mail Host is set incorrectly
2. local.webmail.sso.uwcenabled has not been enabled
3. service.imap.enable has not been enabled (Webmail requires IMAP connections)

Monday, October 12, 2009

Weird UWC behavior

A customer wanted to host a new domain with our OpenMail.SG service today.

As per normal, creating a new domain via Sun Java Delegated Administrator is easy. However, after a new user was created, I was not able to log into UWC (Communications Express - Webmail).

It kept displaying "Login failed" even though I was 100% sure the credential is correct.

So I went to investigate the http log:

[12/Oct/2009:19:01:34 +0800] openmail httpd[844]: Account Notice: [] Access to smime service for denied from client address (mailAllowedServiceAccess)
[12/Oct/2009:19:01:34 +0800] openmail httpd[844]: General Notice: Received login referral for IMAP://
[12/Oct/2009:19:01:34 +0800] openmail httpd[844]: General Notice: Received login referral for IMAP://
[12/Oct/2009:19:01:34 +0800] openmail httpd[844]: General Notice: Received login referral for IMAP://
[12/Oct/2009:19:01:34 +0800] openmail httpd[844]: General Warning: More than 2 referrals received for Ignoring
[12/Oct/2009:19:01:44 +0800] openmail httpd[844]: Account Notice: close [] [unauthenticated] 2009/10/12 19:01:34 0:00:10 1493 1492 0
[12/Oct/2009:19:02:18 +0800] openmail httpd[844]: General Error: Failed to parse IMAP response at offset 52: F NO Server hosting this mailbox is not available
F OK Completed

SMIME service? What's that? We do not offer SMIME to our customer, nor do we configure any during setup.

I spent more time investigating why... I must say that the SMIME error message was misleading... The actual problem lies in the last statement:

[12/Oct/2009:19:02:18 +0800] openmail httpd[844]: General Error: Failed to parse IMAP response at offset 52: F NO Server hosting this mailbox is not available
F OK Completed

I revisited Delegated Administrator again. Oops! I made a blunder. I have actually entered a wrong Mail Host.
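The triage described in this post, as an added example that is not part of the original post: a small parser for the http log format shown above that ranks the backend IMAP failure ahead of the `smime` access notice. The sample lines are constructed from the excerpt, with the blank user and host fields filled by `example.com` placeholders; the rule names, ranks and the form of the referral target are assumptions.

```python
import re

# Constructed sample modelled on the excerpt in the post; user, client and
# host values are placeholders because those fields are blank on the page.
SAMPLE_LOG = """\
[12/Oct/2009:19:01:34 +0800] openmail httpd[844]: Account Notice: [192.0.2.10] Access to smime service for user@example.com denied from client address (mailAllowedServiceAccess)
[12/Oct/2009:19:01:34 +0800] openmail httpd[844]: General Notice: Received login referral for IMAP://user@wronghost.example.com
[12/Oct/2009:19:01:34 +0800] openmail httpd[844]: General Notice: Received login referral for IMAP://user@wronghost.example.com
[12/Oct/2009:19:01:34 +0800] openmail httpd[844]: General Notice: Received login referral for IMAP://user@wronghost.example.com
[12/Oct/2009:19:01:34 +0800] openmail httpd[844]: General Warning: More than 2 referrals received for user@example.com. Ignoring
[12/Oct/2009:19:01:44 +0800] openmail httpd[844]: Account Notice: close [192.0.2.10] [unauthenticated] 2009/10/12 19:01:34 0:00:10 1493 1492 0
[12/Oct/2009:19:02:18 +0800] openmail httpd[844]: General Error: Failed to parse IMAP response at offset 52: F NO Server hosting this mailbox is not available
F OK Completed
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<host>\S+)\s+(?P<proc>\w+)\[(?P<pid>\d+)\]:\s+"
    r"(?P<category>\w+) (?P<severity>\w+):\s*(?P<msg>.*)$"
)
# Assumed target form IMAP://[user@]host; an empty target is tolerated.
REFERRAL_RE = re.compile(r"IMAP://(?:[^@\s/]*@)?([^\s/:]*)")

# (finding, pattern, rank, note); a lower rank means "look here first".
RULES = [
    ("mailbox_host_unavailable",
     re.compile(r"Server hosting this mailbox is not available"), 0,
     "check the Mail Host configured for the user"),
    ("referral_loop", re.compile(r"More than \d+ referrals received"), 1,
     "webmail kept being referred to another store"),
    ("login_referral", re.compile(r"Received login referral"), 2,
     "note which host the referrals point to"),
    ("service_denied", re.compile(r"Access to \w+ service for .*denied"), 9,
     "secondary notice; it was misleading in the post's case"),
]

def parse_records(text):
    """Split the log into records, folding continuation lines into the previous one."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            records.append(m.groupdict())
        elif records and raw.strip():
            records[-1]["msg"] += "\n" + raw.strip()   # e.g. "F OK Completed"
    return records

def triage(text):
    """Return the findings ordered by rank, with counts and referral targets."""
    found = {}
    for rec in parse_records(text):
        for name, pattern, rank, note in RULES:
            if not pattern.search(rec["msg"]):
                continue
            f = found.setdefault(name, {
                "finding": name, "rank": rank, "note": note,
                "severity": rec["severity"], "first_seen": rec["ts"],
                "count": 0, "targets": []})
            f["count"] += 1
            t = REFERRAL_RE.search(rec["msg"])
            if t and t.group(1) and t.group(1) not in f["targets"]:
                f["targets"].append(t.group(1))
            break
    return sorted(found.values(), key=lambda f: f["rank"])

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["rank"], f["finding"], f["count"], f["targets"], "-", f["note"])
```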

Sunday, October 11, 2009

Mobile Access is missing from Sun Glassfish Web Space Server

In my previous post on Sun Glassfish Web Space Server, I mentioned that I was glad the Secure Remote Access (SRA) feature from older version of Sun Portal Server has been ported to the latest Web Space Server.

I just realized that another great feature was discarded though. It's Portal Server Mobile Access.

Architectural Diagram of Sun Portal Server 7.2

Mobile Access extends the services and capabilities of Sun Java System Portal Server platform to mobile devices, such as mobile phones and personal digital assistants.

Mobile Access software enables portal site users to obtain the same content that they access using browsers that require HyperText Markup Language (HTML). It supports Sun Java System Portal Server Secure Remote Access software.

The features of the Mobile Access product are integrated seamlessly into Portal Server software.

Read more here.

The Mobile Access feature was built into Sun Portal Server. It was also fairly easy to implement a Mobile Desktop for remote access. I was part of the Sun Professional Service Team that showcased this capability to a telco in the Philippines 2 years ago.

Saturday, October 10, 2009

Sun Messaging Server Upgrade Observation

There are a few ways to upgrade your old Sun Messaging Server to the latest release.

1. Using the Coexistence Strategy to Upgrade Messaging Server
2. Using the Side-by-Side Strategy to Upgrade Messaging Server
3. Using the In-Place Upgrade on Messaging Server

Details can be found here.

I was initially into the idea of Side-by-Side Strategy. Reasons being:

1. Does not require extra machines
2. Typically does not involve moving the mailboxes. New version just "points" to the mailboxes and mailbox conversion to the new version is automatic and transparent.
3. The binaries of the old version remain intact on the system so you do not have to reinstall and reconfigure in the case of a back out.

Sounds great!

So I went ahead for a little POC on my VMware before I introduced the concept to my customer who was looking for a Sun Messaging Upgrade from Comms Suite 5 to Comms Suite 6u2.

Result of my POC: It's a No-Go!

From my finding, the "migrate-config" script attempts to symbolic-link the "config" and "data" directories in the new Messaging Server to the old one.

Before migration:

After migration:

Looks good so far: We save space by not having duplicate mailboxes, since the "data" directory is symbolic-linked. The old configuration is also intact.

However, if you look closely, "config" directory contains a sub-directory "html". This is where Messaging Express is!!

What does this imply?
1. You have a new Messaging Server 7U2 (upgraded from Messaging Server 6.3)
2. However, your Messaging Express has been back-ported to the older release.

Friday, October 9, 2009

DSCC console on Tomcat Application Server

My customer in the Philippines has their Sun Directory Server installed from the ZIP distribution. As such, we can only access Sun Directory Server Control Center via Tomcat Application Server (or Glassfish Application Server).

There are 2 sites which you should look at before you start:

Note the following:

Because DSEE and DSCC are installed as root, and so is the DSCC Registry, the WAR file should be deployed in an Application Server which has the ability to run commands with root privileges. Otherwise, DSCC will not be able to access its registry and thus will not start properly.

1. $ /dsee/dsee6/cacao_2/usr/sbin/cacaoadm start
2. $ /dsee/dscc6/bin/dsccsetup initialize
3. $ cp /dsee/var/dscc6/dscc.war /tomcat/webapps
4. $ vi /tomcat/conf/web.xml

5. $ /tomcat/bin/

Once you log into DSCC, you need to register your existing directory server.

Note: We are not using default system CACAO. We have our own CACAO running on port 21162.

Note: Key in root user and password. (I was stuck here for quite some time)

Ok. We are done!

PS: DSCC in war is currently supported on Sun Application Server 8.2 and Tomcat 5.5. I tried deploying on Sun Web Server 7.0 U5, but was not successful.

Wednesday, October 7, 2009

What differentiates Sun Glassfish Web Space Server from Liferay Server?

If you have been following my posts on Sun Portal Server, you'll know by now that it is now called Sun Glassfish Web Space Server 10.0. (Why 10.0? I do not know. I do know the last Sun Portal Server was 7.2)

Glassfish Web Space Server is actually code-based from Liferay Portal Server. But it offers something more - the Add-On Collection ... which I like.

One of them is Secure Web Access Add-On. 

The Secure Web Access Add-On for GlassFish Web Space Server software enables remote Internet users to securely access a Website via a browser. 

Integration with GlassFish Web Space Server ensures that users receive secure encrypted access to the content and services that they have permission to access.

Secure Web Access software is targeted towards enterprises deploying highly secure remote access portals. These portals emphasize security, protection, and privacy of intranet resources.

This was what made Sun Portal Server attractive during its heydays. It was formerly known as Sun Java System Portal Server Secure Remote Access (SRA)

It sits in between 2 firewalls, which makes your remote access to your intranet applications more secure.

Read here for more information.

Tuesday, October 6, 2009

Sun Java Communications Suite 5 vs 6U2

Today is my delivery completion day in Philippines for the Sun Messaging Server Upgrade Service for a local government agency.

During a brief transfer of information (TOI) session yesterday, I was asked what is the major difference between Sun Java Communications Suite 5 and 6U2.

I think I can best differentiate the two by using diagrams:

Sun Java Communications Suite 6U2 Software Architecture

Sun Java Communications Suite 5 Software Architecture

The software architecture in Comms Suite 6U2 has been simplified - Sun Java System Access Manager has been removed. The Delegated Administrator no longer needs to communicate with Access Manager in order to manage users' profiles that reside in the Messaging and Directory Server.

This is a big relief to many invoice administrators as they find installing Access Manager a nightmare. 

Major components versioning:

Comms Suite 6U2
1. Messaging Server 7u2 (64-bit version available)
2. Calendar Server 6.3
3. Instant Messaging Server 8 Update 1
4. Communications Express 6.3 Update 1
5. Delegated Administrator 7
6. Sun Convergence 1 Update 2

Comms Suite 5
1. Messaging Server 6.3
2. Calendar Server 6.3
3. Instant Messaging Server 7.2
4. Communications Express 6.3
5. Delegated Administrator 6

Monday, October 5, 2009

Change Delegated Administrator Port

This post follows the one I posted yesterday. It's a request from the same customer in the Philippines. 

The Sun Java Delegated Administrator was installed on the same web server as the Communications Express. So when the port of the web server was changed, the configuration of the Delegated Administrator had to be adjusted as well.

I asked my colleague for help. Here's what he suggested:

1. Change commadminserver.port in:
a. /wbsvr-base/https-hostname/web-app/hostname/da/WEB-INF/classes/com/sun/comm/da/resources/
b. /da-base/data/da/WEB-INF/classes/com/sun/comm/da/resources/

2. Change IdentityServerPort in:
a. /da-base/data/config/
b. /da-base/config/

Sunday, October 4, 2009

Change Communications Express Port

I was performing a Sun Java Messaging Server migration in the Philippines for a government agency. 

As the Communications Express (UWC) was still running on port 82 during the new Messaging Server installation, I needed to use port 80 temporarily for the new UWC instance.

When the migration was performed and the old UWC was brought down, the following is what I did to configure the new UWC instance running on Port 80 to point to Port 82.

# vi /var/opt/SUNWuwc/WEB-INF/config/

Then I logged in to the Sun Web Server Administration Console to change the Port from 80 to 82.

The last step is to redeploy the web application again (by clicking on the Deployment Pending hyperlink).

Short and sweet!