Thursday, June 26, 2014

OpenAM 12.0.0 enhanced features - SFO, Persistence Cookie, Policy Support

As I spend most of my time interacting with customers, I understand their daily technical challenges (especially their security concerns). I am glad to see three enhanced features in OpenAM 12.0.0.

OpenAM 12.0.0 should be released by the end of this year.


Session failover across Sites. OpenAM now allows session failover across OpenAM Sites. In order to take advantage of this capability, you must make sure that the underlying Core Token Service replicates session data across your OpenAM Sites.

==> The current restriction with multiple Sites is that sessions are never shared between them. This enhancement is welcome, as there are indeed valid use cases for sharing sessions across Sites; I have encountered a few such scenarios in customers' environments.

Persistent Cookie from Client IP Issued. The Persistent Cookie module has been enhanced to enforce that the persistent cookie can only be used from the same client IP to which the cookie was issued.

==> Big relief. I have always been asked: "What if someone steals the saved cookie from one PC and replays it on another?"
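To show what "bound to the issuing client IP" buys you against that replay question, here is a small added illustration of the idea (my own toy code, not OpenAM's cookie format or implementation): the cookie carries the user, an expiry and the client IP it was issued to, all protected by an HMAC, and validation rejects the same cookie when it is presented from another address. The secret, user name, IPs and timestamps are constructed sample values. One caveat worth keeping in mind before enabling such a check in production: clients behind a NAT or a roaming mobile user will legitimately change source IP, and behind a reverse proxy the IP OpenAM sees must be the real client address, not the proxy's.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Toy persistent cookie bound to the issuing client IP.
// Illustration of the idea only; not OpenAM's cookie format or code.
public class IpBoundCookie {

    // Assumption: a server-side secret that never leaves the server; rotate it like any other key.
    private static final byte[] SECRET = "replace-with-a-random-256-bit-key".getBytes(StandardCharsets.UTF_8);

    // Issue: payload = user|expiry|clientIp, protected by an HMAC so none of the fields can be edited.
    static String issue(String user, long expiresEpochSec, String clientIp) throws Exception {
        String payload = user + "|" + expiresEpochSec + "|" + clientIp;
        return b64(payload.getBytes(StandardCharsets.UTF_8)) + "." + b64(hmac(payload));
    }

    // Validate: returns the user name, or null if the cookie was tampered with, has expired,
    // or is presented from an IP other than the one it was issued to (the replay case).
    static String validate(String cookie, String presentedIp, long nowEpochSec) throws Exception {
        int dot = cookie.lastIndexOf('.');
        if (dot < 0) return null;
        byte[] payloadBytes, mac;
        try {
            payloadBytes = Base64.getUrlDecoder().decode(cookie.substring(0, dot));
            mac = Base64.getUrlDecoder().decode(cookie.substring(dot + 1));
        } catch (IllegalArgumentException e) {
            return null;                                                  // not even well-formed
        }
        String payload = new String(payloadBytes, StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(hmac(payload), mac)) return null;     // constant-time compare: tampered or forged
        String[] f = payload.split("\\|", -1);
        if (f.length != 3) return null;
        if (Long.parseLong(f[1]) < nowEpochSec) return null;              // expired
        if (!f[2].equals(presentedIp)) return null;                       // stolen cookie replayed from another client IP
        return f[0];
    }

    private static byte[] hmac(String payload) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(SECRET, "HmacSHA256"));
        return mac.doFinal(payload.getBytes(StandardCharsets.UTF_8));
    }

    private static String b64(byte[] b) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: user "alice", issued to 203.0.113.10, expiring at epoch second 1,700,000,000.
        String cookie = issue("alice", 1_700_000_000L, "203.0.113.10");
        long now = 1_690_000_000L;
        System.out.println(validate(cookie, "203.0.113.10", now));        // alice: same IP, accepted
        System.out.println(validate(cookie, "198.51.100.7", now));        // null: replayed from another PC, rejected
        System.out.println(validate(cookie + "x", "203.0.113.10", now));  // null: MAC no longer matches
    }
}
```

The IP is deliberately inside the MAC-protected payload: if it were a separate, unsigned cookie attribute, the thief could simply rewrite it to match his own address before replaying.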

Policy Support for Common HTTP Operations. OpenAM policies now let you allow and deny not only HTTP GET and HTTP POST, but also HTTP DELETE, HEAD, OPTIONS, PATCH, and PUT (OPENAM-336).

==> Yes, besides GET and POST, the other HTTP methods are becoming common these days, and a policy that can only say yes or no to GET and POST leaves those methods either wide open or blocked outright.


Friday, June 20, 2014

Proper way of configuring health monitor on LB against Directory Servers

We had an issue with Sun Directory Proxy Server (DPS) recently. Idle connections kept building up, and we had to bounce DPS once in a while to prevent the server from running out of file descriptors.

It took us quite a while to identify what had gone wrong: the F5 load balancer had been wrongly configured by the customer's system administrators.

Any enterprise load balancer provides an LDAP-specific monitor, and that is what should be used. Do not use the standard TCP health check to validate the health of LDAP servers: a plain TCP check only proves that the port accepts connections, says nothing about whether the directory can actually answer a bind or a search, and, as we saw, the connections it opened were never properly unbound and piled up as idle sessions on DPS.
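For reference, this is what a proper LDAP probe does that a TCP check does not: it connects, binds with a dedicated low-privilege monitor account, reads the base entry, and then sends an LDAP unbind so the server frees the connection. The snippet below is an added illustration written for this post with JNDI (not the F5 monitor configuration and not Sun's code); the host, bind DN, password and base DN are placeholders to replace with your own.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

// A health probe that exercises the full LDAP lifecycle: connect, bind, base-scope search, unbind.
// Illustration only; not the load balancer's monitor and not vendor code.
public class LdapHealthProbe {

    static boolean isHealthy(String url, String bindDn, String password, String baseDn, int timeoutMs) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        // Bounded timeouts: a hung server marks the node down instead of leaving the probe and its socket hanging.
        env.put("com.sun.jndi.ldap.connect.timeout", String.valueOf(timeoutMs));
        env.put("com.sun.jndi.ldap.read.timeout", String.valueOf(timeoutMs));
        env.put("com.sun.jndi.ldap.connect.pool", "false");   // one fresh connection per probe, torn down on close()

        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);                 // TCP connect + LDAP BindRequest
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.OBJECT_SCOPE);   // read just the base entry
            sc.setReturningAttributes(new String[0]);         // no attributes: prove the entry is served, nothing more
            sc.setTimeLimit(timeoutMs);
            NamingEnumeration<SearchResult> results = ctx.search(baseDn, "(objectClass=*)", sc);
            boolean found = results.hasMore();
            results.close();
            return found;                                     // healthy only if the entry actually comes back
        } catch (NamingException e) {
            return false;                                     // connect, bind or search failed: node is down
        } finally {
            if (ctx != null) {
                try {
                    ctx.close();                              // sends LDAP UnbindRequest; no idle connection left on the server
                } catch (NamingException ignored) {
                }
            }
        }
    }

    public static void main(String[] args) {
        // Placeholder values: use a dedicated, read-only monitor account and your real base DN.
        boolean ok = isHealthy("ldap://dps.example.com:389",
                "cn=monitor,ou=service,dc=example,dc=com", "monitor-password",
                "dc=example,dc=com", 5000);
        System.out.println(ok ? "UP" : "DOWN");
    }
}
```

Whatever the load balancer's monitor is called, check that it behaves like this: bind, search, unbind, with a timeout. A monitor that binds but never unbinds reproduces exactly the idle-connection buildup described above, only on a schedule.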

We found 2 good articles:

  1. Best Practices for LDAP Monitoring 
  2. F5 Load Balancers and Sun Directory Servers

Great stuff!


Thursday, June 12, 2014

Goodbye SpamHero!

A year ago, we said goodbye to Postini. Today, we are saying goodbye to SpamHero!

What should I say? The hard truth is that transitioning from Postini to any other spam-filtering solution is never going to be easy. Postini set a high standard to begin with. Their spam filtering capability is second to none.

So what went wrong with SpamHero? Their spam filtering simply did not live up to my expectations. That's all I have to say.

So, a few weeks ago, we shopped around … again. This time round, we settled on MailCleaner.

MailCleaner is a business anti spam gateway installed between your mail infrastructure and the Internet. It offers professional protection against viruses and eliminates up to 99% of spam.

MailCleaner offers 3 solutions - Cloud Anti-Spam, Cloud Appliance, Virtual Application.

For a start, we tried the Cloud Anti-Spam, as this is the simplest integration. Good results. Happy customers, we are.

What's even better? MailCleaner has a Community/Open-Source Edition from which the MailCleaner Virtual Appliance can be downloaded. One can then install MailCleaner on-premise.

Very simple to install. Configuration can be a little difficult, but there's a great community to tap into. Most of my doubts were answered in the forum.

So fingers crossed. I hope we'll stay with MailCleaner forever.


Saturday, June 7, 2014

ROI from Enterprise Software - People is key

I attended the 2nd Perform Day from Compuware this week. (The 1st edition was called the Compuware APM User Conference.)

Application Performance Management (APM) is definitely going to get bigger and bigger, especially in this region.

Anyway, I took away a key message from the conference. Nothing technical, but very useful to apply to my work in IAMS (Identity Access and Management Service) and APM.

The software in both domains (IAMS and APM) is developed for the enterprise, and the price tag is not cheap. Purchase decisions usually come from the CIO level. These people usually measure the success of a project by its ROI (Return On Investment). They must see value from the software they purchased. Otherwise, it's a failure … to them.

So during the Panel Discussion, one participant asked:
"We have been using Compuware product since 2009. Can you help us to show value of the product to our Management?"

I nearly fell off my chair! Mind you, she said since 2009. Today is 2014. It has been 5 long years and she has not found value in the expensive software.

Ok, this is Asia, by the way. :)

Back to her question, one of the panelists responded with something along this line:

  1. Work with Compuware consultants. They will help you to understand the software and more importantly, use the software more effectively.
  2. Commit a dedicated resource to learn the software.

The MD of Compuware (Eng Kiong, a friend of mine) emphasized what he has been preaching to customers frequently - "In order to get value from dynaTrace/DCRum, you need to assign a dedicated person to learn and operate the software on a daily basis. You cannot have someone who is on a part-time basis."

From his observation, there are 3 ingredients for success:
1. Software
2. Process
3. People

A company can always deploy the best software in the market and define the best process. However, if there is not a single well-trained person in the company who can competently manage the software, there is no chance of getting any value out of it.

Another panelist added: The software will just be another "white elephant".

What they said really hit me hard, because I have deployed many IAMS and APM solutions in the region and I can say they have not yielded the kind of value I wanted customers to get.


Customers are not committed to assigning dedicated resources to learn and become competent with the software.
Every engineer I work with is usually multitasking. Software cannot run on autopilot in production. Human input is required.

Sad, but commonly seen in Asia.


Friday, June 6, 2014

OpenAM Policy Agent HTTP HEADER UTF-8 issue

May passed by quickly… I managed to run a night marathon on 31 May 2014. Yes, the Sundown Marathon, which only starts at 11:30 pm.

It was a nightmare for me. The weather in Singapore has been super humid recently, and there were a lot of participants. I did not have a good run after all. Will try again next year.

Meanwhile, back at work, I was helping a customer with an internationalization issue with their OpenAM Policy Agent.

In the JSP page that displays the Chinese characters from the CHINESENAME HTTP header, the output was always garbled, e.g. CHINESENAME: 中国|领英.

There are a lot of articles on the Internet about setting the encoding for application containers. We were only interested in JBoss; one example is UTF-8 Encoding for JBoss 5.1 AS.

As one of my colleagues pointed out, those settings apply to decoding request content and I/O streams such as uploaded files within JSP pages. They have no effect on HTTP headers.

This thread on Stack Overflow (Do HTTP request headers have to be UTF-8 encoded?) has the best explanation.

There is a section in the HTTP RFC on Message Headers. Hmm… as usual, RFCs are not meant for layman reading. I have a friend who loves reading RFCs. Ha!

I then found an article on RFC 5987. This is the best answer I got.

By default, message header field parameters in Hypertext Transfer Protocol (HTTP) messages cannot carry characters outside the ISO-8859-1 character set.

That is the root cause: the servlet container decodes header bytes as ISO-8859-1, so when the Policy Agent writes the UTF-8 bytes of a Chinese name into the header, the JSP receives one Java char per byte, which is the garbage we saw. Recovering the original string means reversing that step: take the bytes back as ISO-8859-1, then decode those same bytes as UTF-8. So the proper way to decode HTTP headers passed from the OpenAM Policy Agent is as follows:

// The container decoded the header bytes as ISO-8859-1, so getting them back in
// ISO-8859-1 returns the agent's original bytes unchanged (guard against a missing header).
String raw = request.getHeader("CHINESENAME");
byte[] data = raw == null ? new byte[0] : raw.getBytes("ISO-8859-1");
// Now decode the same bytes as UTF-8 to get the Chinese characters back.
String cnName = new String(data, "UTF-8");
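The two-line trick above silently produces replacement characters if a header was genuinely Latin-1 (or contains a stray non-ASCII byte) rather than UTF-8. The helper below is an added example written for this post, not code from the customer's JSP or from OpenAM: it does the same ISO-8859-1 round trip but decodes with a strict UTF-8 decoder, returning the container's original value when the bytes are not valid UTF-8. The sample inputs in main are constructed to reproduce the garbled CHINESENAME case.

```java
import java.nio.ByteBuffer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.CodingErrorAction;
import java.nio.charset.StandardCharsets;

// Recovers UTF-8 header values that a servlet container has decoded as ISO-8859-1.
// Added illustration for this post; not the customer's JSP code and not OpenAM's.
public final class HeaderDecoder {
    private HeaderDecoder() {}

    // Re-read the container's chars as the raw ISO-8859-1 bytes, then decode them as UTF-8.
    // Strict decoding: if the bytes are not valid UTF-8 the header was never UTF-8 to begin with,
    // so the original value is returned instead of a string full of U+FFFD replacement characters.
    static String fromLatin1Container(String headerValue) {
        if (headerValue == null) return null;
        byte[] raw = headerValue.getBytes(StandardCharsets.ISO_8859_1);
        try {
            return StandardCharsets.UTF_8.newDecoder()
                    .onMalformedInput(CodingErrorAction.REPORT)
                    .onUnmappableCharacter(CodingErrorAction.REPORT)
                    .decode(ByteBuffer.wrap(raw))
                    .toString();
        } catch (CharacterCodingException e) {
            return headerValue;
        }
    }

    public static void main(String[] args) {
        // Constructed sample: what the JSP sees when the agent wrote the UTF-8 bytes of 中国|领英 into the header.
        String mojibake = new String("中国|领英".getBytes(StandardCharsets.UTF_8), StandardCharsets.ISO_8859_1);
        System.out.println(mojibake);                       // one garbage char per UTF-8 byte
        System.out.println(fromLatin1Container(mojibake));  // 中国|领英
        System.out.println(fromLatin1Container("alice"));   // ASCII passes through unchanged
        System.out.println(fromLatin1Container("café"));    // a lone 0xE9 is not valid UTF-8: returned unchanged
    }
}
```

Because pure ASCII decodes identically under both charsets, the helper is safe to apply to every header the agent sets, not only CHINESENAME. The one remaining ambiguity is a real Latin-1 value whose bytes happen to form valid UTF-8 (for example two accented letters in a row); if that can occur in your data, have the agent and the application agree on one encoding rather than guessing.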

Does anyone have a better solution? I would love to know and learn!