Monday, June 21, 2010

Cloud Computing Economies of Scale

Great recorded talk about the hardware and data centre side of cloud computing. The presentation explains why it (also) makes sense to leverage cloud computing simply to get cost-efficient hardware. Got pointed to it while listening to the Cloud Computing Show #31.

Also interesting (via the same podcast): CloudHarmony. The blog in particular contains different benchmark results (memory, IO, network) of a large number of Infrastructure-As-A-Service providers.

Authored by: Guy

Tuesday, June 15, 2010

B2B market

IBM keeps acquiring other companies:
  • Lombardi, a BPM solution about which some of my colleagues are quite enthusiastic.
  • Sterling is more of an "old" player in the B2B space, with products such as Gentran for B2B communication and ConnectDirect for managed file transfer. But Sterling is also an Integration Service Provider (Gartner), or should we still call it a Value Added Network? IBM sold its own VAN to GXS quite a while ago.
  • Cast Iron Systems, the new kid on the block, with a solution specifically targeting cloud integration. Also available as an appliance. And Cast Iron was rumoured to be developing a cloud-based integration offering.
Funny to see an "old" player (Sterling) and a brand "new" one (Cast Iron) being acquired in the same timeframe. Of course I'm curious to see what IBM will do with these acquisitions. Will they die in a corner or become the successor to the DataPower success story? And how will they explain and position all these technologies to customers?

Authored by: Guy

Sunday, April 18, 2010

Java: execute program without blocking

It has been a long while since I did some Java programming... How to run a program from within Java in a decent manner? While looking around for some sample code, most solutions use the Process.waitFor() method to wait for the process to terminate. But that can block forever: once the process has written more to stdout or stderr than the pipe buffer holds and nothing reads that output, the process blocks on its write and waitFor() never returns.

One option is to use a separate thread to read stdout/stderr. I opted for an even simpler approach: temporary files:

import java.io.File;
import java.io.IOException;

// execCommand (the program to run) and currDir (its working directory) are set by the caller.
// Redirection with ">" is a shell feature: Runtime.exec(String) only splits the string on
// whitespace and would pass ">" as a literal argument, so the command is handed to a shell.
// Never build execCommand from untrusted input, as the shell will interpret it.
File stdoutFile = File.createTempFile("stdout", ".tmp");
File stderrFile = File.createTempFile("stderr", ".tmp");
String shellCommand = execCommand
        + " > " + stdoutFile.getAbsolutePath()
        + " 2> " + stderrFile.getAbsolutePath();
// command/program > stdout-temp 2> stderr-temp
String[] cmdArray = { "/bin/sh", "-c", shellCommand };   // on Windows: "cmd.exe", "/c", shellCommand
Process p = Runtime.getRuntime().exec(cmdArray, null, currDir);

int exitValue = 0;
boolean isRunning = true;
int waitSeconds = 30;                     // give up after 30 polls of one second each
while (isRunning && (waitSeconds > 0)) {
    try {
        exitValue = p.exitValue();        // throws while the process is still alive
        isRunning = false;
    } catch (IllegalThreadStateException e) {
        // process is still running, wait 1 second
        try {
            Thread.sleep(1000);
        } catch (InterruptedException e1) {
            // ignore and keep polling
        }
    }
    waitSeconds--;
}
if (isRunning) {
    p.destroy();                          // timed out: kill the process
    exitValue = 9999;                     // sentinel, outside the normal 0..255 exit code range
}

// read stdoutFile and stderrFile here if the output is needed, then clean up
stdoutFile.delete();
stderrFile.delete();
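The other option mentioned above, reading stdout and stderr on separate threads, as an added example (not code from the original post). It assumes Java 8 or later for Process.waitFor(timeout) and destroyForcibly(), passes the program and its arguments as a list so no shell is involved (an argument like "; rm -rf /" then stays an ordinary argument instead of being executed), caps how much output is kept in memory while still draining everything the child writes, and uses the same 9999 timeout sentinel as the post. The commands in main() are constructed demo input for a Unix-like system.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.List;
import java.util.concurrent.TimeUnit;

/** Runs an external program with a timeout, draining stdout/stderr so the child never blocks. */
public final class SafeExec {

    public static final int TIMEOUT_EXIT_VALUE = 9999;        // same sentinel as the blog post
    private static final int MAX_CAPTURE = 8 * 1024 * 1024;   // keep at most 8 MiB per stream

    /** Exit value plus captured output of one execution. */
    public static final class Result {
        public final int exitValue;
        public final String stdout;
        public final String stderr;
        Result(int exitValue, String stdout, String stderr) {
            this.exitValue = exitValue;
            this.stdout = stdout;
            this.stderr = stderr;
        }
    }

    /** Reads one pipe on its own thread; past MAX_CAPTURE it keeps reading but discards. */
    private static final class Drain extends Thread {
        private final InputStream in;
        private final ByteArrayOutputStream buf = new ByteArrayOutputStream();
        Drain(InputStream in) { this.in = in; setDaemon(true); }
        @Override public void run() {
            byte[] b = new byte[8192];
            int n;
            try {
                while ((n = in.read(b)) != -1) {
                    int room = MAX_CAPTURE - buf.size();
                    if (room > 0) buf.write(b, 0, Math.min(n, room));
                    // beyond the cap the data is dropped, but the pipe is still emptied
                }
            } catch (IOException ignored) {
                // pipe closed because the child exited or was destroyed
            }
        }
        String text() { return new String(buf.toByteArray(), StandardCharsets.UTF_8); }
    }

    /**
     * @param command program and arguments as separate strings; no shell interprets them
     * @param timeoutSeconds after this the child is killed and TIMEOUT_EXIT_VALUE returned
     */
    public static Result run(List<String> command, long timeoutSeconds)
            throws IOException, InterruptedException {
        Process p = new ProcessBuilder(command).start();
        p.getOutputStream().close();               // no stdin: a child waiting for EOF gets it at once
        Drain out = new Drain(p.getInputStream());
        Drain err = new Drain(p.getErrorStream());
        out.start();
        err.start();

        int exitValue;
        if (p.waitFor(timeoutSeconds, TimeUnit.SECONDS)) {
            exitValue = p.exitValue();
        } else {
            p.destroyForcibly().waitFor();         // SIGKILL on Unix, then reap the child
            exitValue = TIMEOUT_EXIT_VALUE;
        }
        out.join();                                // readers end when the pipes close
        err.join();
        return new Result(exitValue, out.text(), err.text());
    }

    public static void main(String[] args) throws Exception {
        // 1) output far larger than a pipe buffer: would deadlock a plain waitFor() with unread pipes
        Result big = run(Arrays.asList("seq", "1", "200000"), 10);
        System.out.println("seq: exit=" + big.exitValue + ", stdout chars=" + big.stdout.length());
        // 2) a child that never finishes in time: killed, exit value 9999
        Result slow = run(Arrays.asList("sleep", "30"), 2);
        System.out.println("sleep: exit=" + slow.exitValue + " (9999 = timeout)");
        // 3) a failing child: stderr is captured rather than left in an unread pipe
        Result failed = run(Arrays.asList("ls", "/nonexistent"), 5);
        System.out.println("ls: exit=" + failed.exitValue + ", stderr=" + failed.stderr.trim());
    }
}
```

Compile and run with `javac SafeExec.java && java SafeExec`. The capture cap matters in practice: an attacker who can make the child chatty (a crafted input to a converter, for instance) can otherwise exhaust the JVM heap even though the pipe itself no longer blocks.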


Authored by: Guy

Saturday, April 17, 2010

Amazon pub/sub in the cloud

Amazon keeps extending its cloud offering. They have just added Amazon Simple Notification Service (SNS). SNS is a publish/subscribe mechanism.

Integration-As-A-Service
As explained in earlier posts, I expect Integration-As-A-Service to become more important. One of the larger players (Amazon, Google, EMC, Cisco, Microsoft, ...) may one day come up with a wonderful solution for Business-2-Business communication between organizations.

When I first learned about Amazon's Simple Queuing Service back in 2006, I initially thought that SQS could serve as a transport mechanism for B2B communication. But that didn't work out. As the message size of SQS was very limited, data first had to be stored on S3. Authentication and authorization were also very limited.

So I looked around in the SNS documentation to see what SNS actually is and see if it can serve as a basis for B2B communication. Amazon thinks SNS is usable for B2B or application integration:
Application integration: Amazon SNS can be used in workflow systems to relay events among distributed computer applications, move data between data stores, or update records in business systems. For example, in an order processing application, notification messages may be sent whenever a transaction occurs; a customer places an order, the transaction is forwarded to a payment processor for approval, and an order confirmation message is published to an Amazon SNS topic.

Some facts
  • Messages can be published over HTTP, HTTPS, E-mail or SQS
  • Proprietary solution/mechanism, not based on any standard (no AS1, AS2, SFTP, WS-Notification, WS-Eventing, ...)
  • Messages are (again) limited to 8KB. Just like SQS: too small.
  • Authentication is based on AWS accounts, so also every subscriber requires an AWS account, hindering factor.
  • Messages are pushed, not polled. This is good for performance. For polling, use SQS.
  • But when pushing, the subscriber must expose a web service or mail account. How to secure this? There is no authentication from Amazon towards the endpoint receiving the notifications: no basic auth, no support for client certs, ...
  • Messages are signed by Amazon. This is good, very good. Signing is based on HmacSHA256.
Conclusion:
Nice and interesting, but not good enough... In particular the message size remains a blocking factor.

Questions left:
  • What happens if messages cannot be delivered for a longer period of time? E.g. when a subscriber disappears?
  • What exactly does a message published over HTTP look like (signed, JSON)? What parameters are passed in the URL?
  • Can an SSL endpoint with self-signed cert receive notifications?
  • What if SSL cert of endpoint is expired?
  • Are mail messages signed and if yes, how?
  • How and when are messages actually persisted?
  • The publish service does not seem to be idempotent?
PS: all based on reading the docs, must confess that I didn't actually test it

Authored by: Guy

Wednesday, April 14, 2010

SSL Man-in-the-middle

Again a great "Security Now" podcast about SSL: how governments can sniff SSL traffic by compelling Certificate Authorities to issue them (intermediate CA) certificates. Based on this paper. Great story, recommended reading or listening!

Some things that I picked up:
  • Different CAs can issue you an SSL certificate for the same URL (or whatever name); any trusted CA can vouch for any host
  • Internet Explorer (actually the Windows crypto API) downloads extra CAs dynamically, so the list you see in IE can grow behind the scenes
  • Firefox manages its own list of trusted CAs
  • There is no standard policy for when a CA is accepted by browser vendors
  • The list of trusted CA's should be based on your geographical location
  • Trusting a CA is somewhat equivalent to trusting a government
  • Browser should provide (advanced) users with extra features to help them decide if CA certificate should be trusted or not
In my daytime job, SSL/TLS is used a lot for communication between IT systems within the corporate firewall or with business partners across the Internet. Low-level configuration of SSL/TLS is often not supported by those products:
  • Configure a single CA (or self-signed) cert to be trusted for a specific outbound connection (e.g. when business partners have defined their "own CA")
  • A different SSL client certificate per outbound connection
  • Easy configuration of revocation checks (OCSP etc.), and checking whether the revocation checks actually work
  • Different timeout settings per connection
  • Only accept SSL connections on specific interfaces
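Most of the outbound items on that list can be done in plain Java when the product lets you plug in your own SSLContext. The following is an added example, not code from the original post or from any product mentioned on this page: it trusts only the CA(s) in a dedicated truststore, presents one specific client certificate, requires a hard-fail OCSP revocation check, and applies per-connection timeouts. It assumes Java 8 or later (PKIXRevocationChecker); the file names, passwords and partner URL in main() are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertPathValidator;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509CertSelector;
import java.util.EnumSet;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Per-connection TLS: one trusted CA, one client identity, hard-fail OCSP, own timeouts. */
public final class PinnedTlsClient {

    /**
     * @param trustStorePath keystore holding ONLY the partner's CA (or its self-signed cert)
     * @param keyStorePath   keystore holding ONLY the client certificate for this connection
     */
    public static SSLContext buildContext(String trustStorePath, char[] trustStorePassword,
                                          String keyStorePath, char[] keyStorePassword)
            throws Exception {
        KeyStore trustStore = loadKeyStore(trustStorePath, trustStorePassword);
        KeyStore keyStore = loadKeyStore(keyStorePath, keyStorePassword);

        // Revocation checking: OCSP with no CRL fallback. SOFT_FAIL is deliberately NOT set,
        // so an unreachable or erroring OCSP responder makes the handshake fail instead of
        // silently passing. That is also how you find out whether the check really runs.
        PKIXRevocationChecker revocation =
                (PKIXRevocationChecker) CertPathValidator.getInstance("PKIX").getRevocationChecker();
        revocation.setOptions(EnumSet.of(PKIXRevocationChecker.Option.NO_FALLBACK));

        // Trust anchors come from trustStore alone, not from the JVM's cacerts.
        PKIXBuilderParameters pkix = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        pkix.addCertPathChecker(revocation);   // an added PKIXRevocationChecker replaces the provider default

        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(pkix));

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyStorePassword);   // the client cert sent in the handshake

        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    private static KeyStore loadKeyStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** One request with its own trust, client identity and timeouts; returns the HTTP status. */
    public static int get(SSLContext ctx, String url, int connectTimeoutMs, int readTimeoutMs)
            throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());   // per connection, not JVM-wide
        conn.setConnectTimeout(connectTimeoutMs);
        conn.setReadTimeout(readTimeoutMs);
        // the default HostnameVerifier stays in place: the server cert must match the URL's host
        return conn.getResponseCode();
    }

    public static void main(String[] args) throws Exception {
        // placeholder files and URL: each partner gets its own pair of stores and its own context
        SSLContext partnerA = buildContext("partnerA-ca.jks", "changeit".toCharArray(),
                                           "partnerA-client.p12", "changeit".toCharArray());
        System.out.println(get(partnerA, "https://b2b.partner-a.example/inbound", 5000, 30000));
    }
}
```

Because the context is built per partner, a CA that partner A defined for itself can never vouch for partner B's host, which is exactly the exposure the podcast describes when a single global CA list is shared by every connection. To confirm the revocation check actually works, point the same code at a test endpoint whose certificate you have revoked and expect the handshake to fail.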
Authored by: Guy

Thursday, March 11, 2010

Claims explained

SAML, WS-Security and the Secure Token Service of WS-Trust result in a very interesting mix, where federated identity and integration (web services) come together.
Microsoft has published the free book(let) "A Guide to Claims–based Identity and Access Control". Obviously the book is focused on Microsoft technology, ADFS (code name Geneva), FAM and WIF in particular. But I found the first 2 chapters very informative and well written.

E.g. it is interesting to have confirmation that applications need to keep maintaining fine-grained (data-level) authorizations themselves.

Also interesting to read about the challenge of home realm discovery: how to know to which identity provider an external user should be redirected.

One of the main challenges in my opinion with federated identity is the transformation of tokens/claims. Unless there is further standardization (profiles), the integration with each external business partner will require token transformations. There seems to be a general tendency in WS-land not to bother too much with the actual business content of SOAP messages or SAML tokens.

The day when SAML tokens can be used in an interoperable manner to connect to back-end applications such as SAP or Oracle will be a great day. Looking forward to it.

Authored by: Guy

Sunday, February 28, 2010

B2B market keeps moving

As mentioned in the blog post of Gartner analyst Benoit Lheureux, the market of B2B products keeps moving, e.g. the acquisition of Foresight by Tibco.

Interesting blog post as well on the SAP Developer Network: SAP will increase its stake in Crossgate and SAP sales people will (re-)sell the Crossgate B2B service offering.

Note: I always confuse Crossgate and Northgate. NorthgateArinso is an SAP-oriented provider of HR IT services and acquired the Belgian company Arinso.

Authored by: Guy