Ubuntu and Java Keystores


This one's short and sweet.

I just figured out a really easy way to get an SSL certificate into the system-wide Java keystore.

Just create this script:

And run it by passing the web server's host name.
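A script of the kind the post describes, added here as an example rather than the author's own: it pulls the certificate the web server presents and imports it into Ubuntu's system-wide Java keystore with keytool. The keystore path, the default store password and the optional port argument are assumptions, noted in the comments; run it as root.

```shell
#!/bin/bash
# Added example, not the post's own script: fetch the certificate a web
# server presents and import it into Ubuntu's system-wide Java keystore.
# Assumptions: keystore at /etc/ssl/certs/java/cacerts (where the
# ca-certificates-java package keeps it) and the Java default password
# "changeit"; override with KEYSTORE= and STOREPASS=. Port defaults to 443.
set -u

# Keep only the PEM certificate block from `openssl s_client` output.
extract_pem() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Fetch the leaf certificate presented for HOST (SNI set to HOST).
fetch_cert() {
    local host="$1" port="${2:-443}"
    openssl s_client -connect "${host}:${port}" -servername "${host}" \
        </dev/null 2>/dev/null | extract_pem
}

# Import the fetched certificate under an alias named after the host.
import_cert() {
    local host="$1" port="${2:-443}" pem rc
    local keystore="${KEYSTORE:-/etc/ssl/certs/java/cacerts}"
    pem="$(mktemp)" || return 1
    fetch_cert "$host" "$port" > "$pem"
    if ! grep -q 'BEGIN CERTIFICATE' "$pem"; then
        echo "no certificate received from ${host}:${port}" >&2
        rm -f "$pem"
        return 1
    fi
    # Show subject and fingerprint so the operator can see what is about
    # to be trusted before it lands in the keystore.
    openssl x509 -noout -subject -fingerprint -sha256 -in "$pem"
    keytool -importcert -noprompt -trustcacerts -alias "$host" \
        -file "$pem" -keystore "$keystore" -storepass "${STOREPASS:-changeit}"
    rc=$?
    rm -f "$pem"
    return $rc
}

# Usage: import-cert.sh <hostname> [port]
[ $# -gt 0 ] && import_cert "$@"
```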

That's it! Enjoy.

One More Reason to Ditch MS Office


I've been a user of StarOffice and OpenOffice for a while. OpenOffice was forked to create LibreOffice a little over a year ago, and I've been using it on my Ubuntu workstation for a while. I recently dumped OpenOffice on my Mac in favor of LibreOffice and thought I'd poke around to see if anything was different.

To my surprise, I was able to get the OpenOffice base application to connect to my local MySQL server instance rather easily. I had tried this years ago, and ran into a few bumps which caused me to give up at the time.
This time it was very simple. Give it the hostname, database name, username and password, and I was in.

After I was in I tried creating a couple of queries and forms and found it very easy. The first thing to catch my eye was the visual query builder. One thing I miss from my MS Access / SQL Enterprise Manager / SQL Management Studio days was the visual query builder. Writing pure SQL does get you a faster query, but I always liked to prototype my queries via the visual query builder first. LibreOffice Base gives me this functionality with ANY JDBC or ODBC database I can connect to.

SQL Workbench/J, and MySQL Workbench don't give me this functionality. I've heard that TOAD/MySQL does, but I don't use Windows anymore, so it doesn't help me.

That said, it appears that OpenOffice can now fully supplant the feature set that power users need from Microsoft Office Professional. I know the database app has been there for a while, but now it appears to be mature enough to use as a full-fledged MS Access replacement.

Configuration Manager Jealousy


So after a year of painful roadblocks, my Active Directory migration is starting to quiet down. I even have a Windows 7 deployment Task Sequence set up through Configuration Manager that lets me get a Windows machine set up with only 10 minutes of face time (~90 minutes actual install time).

I used to brag that I could set up a Linux workstation faster than Windows 7, but now... what do I do! I was getting jealous of Windows install times and I couldn't stand it any more.

Equivs to the rescue! One problem I have when setting up new Ubuntu workstations is ensuring I have all the required packages installed on the machine. This can be done by creating a meta-package. There are two commands to assist you with this:


First use

to create an empty equivs control file that you can fill in. At the very minimum, fill out the Package, Version, Maintainer and, most importantly, the Depends fields.

After that you can build your meta-package using the equivs-build command and passing your control file as the parameter.
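An added example (not the author's files) of what the filled-in control file looks like, with the build step around it. The package name, version and maintainer are placeholders, and the Depends list is an assumed set of Ubuntu packages matching the Samba/PAM/pam_mount AD setup described in this post, not the author's actual list.

```shell
#!/bin/bash
# Added example, not the post's own files: write an equivs control file
# for a workstation meta-package and build it with equivs-build.
# The package name, version and maintainer are placeholders; the Depends
# list is an assumed package set for a domain-joined Ubuntu workstation.
set -u

# Print a complete equivs control file. equivs-control produces a
# commented skeleton with these fields; here they are filled in.
write_control() {
    local name="${1:-dept-workstation}" version="${2:-1.0}"
    cat <<EOF
Section: misc
Priority: optional
Standards-Version: 3.9.2

Package: ${name}
Version: ${version}
Maintainer: IT Staff <placeholder@example.edu>
Architecture: all
Depends: samba, winbind, libpam-winbind, libnss-winbind, krb5-user,
 cifs-utils, libpam-mount, openssh-server, libreoffice
Description: ${name} workstation meta-package
 Pulls in everything a domain-joined workstation needs so that one
 apt-get install brings a fresh machine to a known state.
EOF
}

# Build the .deb in the current directory from the generated control file
# (requires the equivs package to be installed).
build_metapackage() {
    local name="${1:-dept-workstation}" version="${2:-1.0}"
    local control="${name}.control"
    write_control "$name" "$version" > "$control"
    equivs-build "$control"    # produces ${name}_${version}_all.deb
}

# Usage: build-metapackage.sh [name] [version]
[ $# -gt 0 ] && build_metapackage "$@"
```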

The second step for my speedy Linux deployment is a BASH script that goes through and configures Samba, PAM, nsswitch.conf and pam_mount.conf.xml so that the machine is bound to AD, authenticates to AD and mounts shares through AD when users log in. (Most importantly the Documents folder).

Now I can have a Linux workstation up and running in about 30 minutes with 5 minutes of face time! Once again I'm faster than Windows. All is right in the world.

Samba, CIFS and Symlinks


I recently moved all my client workstations over from using NFSv4 mounts to CIFS mounts so as to integrate with U of MN Active Directory a bit better.

As with all migrations, I ran into a snag! When the user's Documents folder is mounted at their login using pam_mount via mount.cifs, symbolic links tend to break. Not all of them, only links with absolute path names on the server.

For example, here's a client's view of a file that's mounted

ls -l
l????????? ? ? ? ? ? .Rprofile

But on the server it looks like this:
ls -l
lrwxrwxrwx 1 user domain users 34 2011-09-13 09:01 .Rprofile -> /home/AD/user/r/r_tools/.Rprofile

So to solve this you have to go through and replace all absolute symbolic links with relative symbolic links. I wrote a bash script to do such a thing as I had too many to do by hand, but if you don't have too many, you can fix them by hand.

To find all symbolic links under the directory /search/base:

find /search/base -type l

To find all broken symbolic links under the directory /search/base:

find -L /search/base -type l
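A script of the kind the post mentions, added as an example rather than the author's own: it walks a share root, rewrites absolute links whose targets lie inside the share as relative ones, and only reports links that point outside the share, since those cannot resolve from the client however they are written. The share root argument (the post's /search/base) is the one assumption.

```shell
#!/bin/bash
# Added example, not the post's own script: rewrite absolute symlinks under
# a share root as relative ones so they resolve on CIFS clients that mount
# the share at a different path. Links whose target lies outside the share
# root are reported, not rewritten: no relative form survives the mount.
set -u

# Path of absolute file $1 relative to absolute directory $2 (no realpath).
relpath() {
    local target="$1" base="$2" up=""
    while [ "${target#"$base"/}" = "$target" ] && [ "$base" != "/" ]; do
        base="${base%/*}"
        [ -n "$base" ] || base="/"
        up="../$up"
    done
    if [ "$base" = "/" ]; then
        printf '%s%s\n' "$up" "${target#/}"
    else
        printf '%s%s\n' "$up" "${target#"$base"/}"
    fi
}

# Convert one link; prints the new target, or "outside <target>" if skipped.
relink() {
    local link="$1" root="$2" target rel
    target="$(readlink "$link")"
    case "$target" in
        /*) ;;                    # absolute: candidate for rewriting
        *)  return 0 ;;           # already relative: leave alone
    esac
    case "$target" in
        "$root"/*) ;;
        *) echo "outside $target"; return 0 ;;
    esac
    rel="$(relpath "$target" "$(dirname "$link")")"
    ln -sfn "$rel" "$link"        # replace the link in place
    echo "$rel"
}

# Walk the share root and fix every link beneath it
# (one name per line, so file names containing newlines are not handled).
relink_tree() {
    local root="${1%/}" link
    find "$root" -type l | while IFS= read -r link; do
        relink "$link" "$root"
    done
}

# Usage: relink.sh /search/base
[ $# -gt 0 ] && relink_tree "$1"
```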

Good Luck!



We've been moving our databases over to MySQL for a while, and for any MySQL server that contains private information, we've been requiring SSL connections.

I recently ran into an issue where a MySQL SSL certificate expired without my knowledge and the Web App in front of it went down. I don't like it when things go down without being the first one to know. Especially when it's preventable!

Now typically I have Nagios checking all of my SSL certs to warn me when they are expiring, but I was unable to find a Nagios check against MySQL SSL certificates... so I wrote one.

I determined the only way to do this easily is on the server side using an NRPE script. The following is a simple BASH script that uses `openssl verify` to check certificates and warn if they are expiring.


#!/bin/bash
# /usr/lib/nagios/plugins/check_certfile
# usage: check_certfile <warn_days> <crit_days> <cert_file>

if [ -z "${1}" ] || [ -z "${2}" ] || [ -z "${3}" ]; then
    echo "usage: ${0} <warn_days> <crit_days> <cert_file>"
    exit 2
elif [ ! -f "${3}" ]; then
    echo "File: '${3}' does not exist."
    exit 2
fi

tempout=$(mktemp /tmp/certdates.XXXXXXXXX)
now=$(date +%s)

# Turn "notAfter=Jan  1 00:00:00 2030 GMT" into a sourceable shell assignment
openssl x509 -noout -dates -in "${3}" \
    | sed -e 's/=/="/' -e 's/$/"/' > "${tempout}"
. "${tempout}"
rm -f "${tempout}"

expire_date=$(date --date="${notAfter}" +%s)
days=$(( (expire_date - now) / 86400 ))

report="certificate expires in ${days} days (${notAfter})"

if (( days < ${2} )); then
    echo "CRITICAL: ${report}"
    exit 2
elif (( days < ${1} )); then
    echo "WARN: ${report}"
    exit 1
fi
echo "OK: ${report}"
exit 0

Then add a line to your /etc/nagios/nrpe_local.cfg file like such:
# Check MySQL SSL Certificate
command[check_mysql_sslcert]=/usr/lib/nagios/plugins/check_certfile 21 7 /etc/mysql/sql.ncs.umn.edu.crt.pem

And add a service definition to your Nagios host config file:
# check that MySQL SSL certificate is valid
define service{
    use generic-service
    host_name mysql.dept.umn.edu
    service_description MySQL SSL Certificate
    check_command check_nrpe!check_mysql_sslcert
    # servicegroups ssl-cert # optional, but handy
    notification_interval 0 ; set > 0 if you want to be renotified
}

Grails at the U


We had a great turnout today at the first Code People meeting. Lots of developers showed up and were truly interested in making this group work out.

I did a presentation on using the Grails framework here at the U of MN. Slides and source code are available at the Code People Moodle site:


Reports from Java or Grails


As we migrate our applications from ASP/VBScript to JavaServer Faces or Grails applications, we needed a way to create reports.

In ASP+VBScript we had a custom reporting framework we developed in house that would build simple reports from sets of queries. More complicated reports were often built as VBScript functions in one of our ASP libraries. This worked well 8 years ago as it was all we could find for web-based reporting at the time.

Boy have things changed. I found a great reporting framework that runs on a pure Java stack. It will work in any Java application; desktop, web app or web service. It's called Jasper Reports.

Jasper Reports can be created from a desktop GUI report designer application. I've used this on Mac and Linux, and I assume it runs well under Windows if you choose to do so. It is reminiscent of the old MS Access report designer, or the Crystal Reports designer that I used when writing C# applications... just nicer.

When it comes to integrating it with my Grails applications, it couldn't be easier, because Marcos Fábio Pereira and Sebastian Hohns wrote an excellent plugin for Grails so you can create one-liner links to your designed reports. It's very easy to pass parameters to your report as well. There's a good tutorial on setting up a report available on the plugin page.

All in all, I really like this solution. We're working on setting up a U of MN theme for our reports to make them all "maroon and gold". If you write any apps that run on the JVM, I highly suggest you check this open source project out.

Multiple IPs on one Host on the Same Subnet

I need to host multiple IPs on the same host on the same subnet for SSL certificate reasons. My initial attempt at setting this up ended in routing errors. After a bit of digging I found out why. Because the server in question was a VMware guest, I initially just added a second network interface to the VMware guest and assigned the second IP address to it. At first glance this seems to work, as I can ping both of the IPs from within my subnet. However, if I try to access both of the IPs from outside of the subnet, only one of the IPs works! Why is it doing this? The answer lies in the routing table.
ajz@server:~$ route -vn
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
                                                U     0      0        0 eth0
                                                U     0      0        0 eth1
                                                UG    100    0        0 eth0
                                                UG    100    0        0 eth1
You see, when a packet comes in from outside of the local network to eth1, the reply may get routed back out on either eth0 or eth1. One of those is going to get lost. The routing table picks one of the interfaces for traffic headed back out to the internet beyond your subnet, and replies that belong on the other interface get lost in the process. So how do we set it up right? We don't use a separate Ethernet interface for each IP address. We set up an eth0:1 alias interface instead! The working configuration file is below. If you're using a Debian-based system, the file looks like the following.
# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
    address 160.94.345.101
    # /25 netmask, derived from the network and broadcast addresses below
    netmask 255.255.255.128
    network 160.94.345.0
    broadcast 160.94.345.127
    gateway 160.94.345.126
    # dns-* options are implemented by the resolvconf package, if installed

# Alternate secondary network interface: an alias on the same NIC, so only
# one interface carries the route back out of the subnet
auto eth0:1
iface eth0:1 inet static
    address 160.94.345.96
    netmask 255.255.255.128
    network 160.94.345.0
Good luck!

Django from a Grails Developer's Perspective


I attended a pretty good Django demo today put on by MSI. I've been writing apps in the grails.org framework for a couple of years now, and I remember looking Django over before I started using Grails, but not in enough detail to be able to do a decent comparison.

Now that I feel rather confident using the Grails framework, I wanted to see if I chose well, and if I should have picked Django. I was a bit worried about discovering that I'd made a bad decision, but I really wanted to know.

The demo I went to today was only two hours, so I am not by any means an expert on Django. These are merely observations I've made while driving past it at 70 miles per hour.

The first thing I'd like to say is that because Django is all in Python, the command line scripts are fast. I mean really fast. I'm used to 5 - 10 second runtimes for Grails commands. Running an app can take up to 15 seconds on an Intel Core 5 processor. Python screams here.

The second thing I noticed about Django was that it can handle multi-tenancy out of the box. I can create one Django site, and host many different apps within that single config. This is something that I've never been able to do with Grails, but have wanted to do. Kudos to Django.

Now for why I am glad that I went with Grails. It can be summed up in one word: structure. Grails is structured very well. It keeps its templates, controllers, views, domain classes, scripts, tests, etc. all in a very logical folder structure, and uses that structure to execute some very nice DRY (don't repeat yourself) configurations.

Django is very loosely structured. The controllers can be in the same folder as the domain classes, as the services, as the plain old class files. This means clutter, this means configuration files, this means boilerplate code.

In grails, if I have a controller named BookController, that will by name map to a book/ view and in turn have BookTest unit tests, and the url http://.../myapp/book will map to that controller by default. Django needs quite a bit of configuration to make that work. That's code that I need to type, and I don't like to write code that I shouldn't have to.

Another area I like regarding Grails is that it is built on top of enterprise Java systems. What does this mean? Well, under the GORM hood is Hibernate, and with a few lines of code, I can map my really cool Grails domain classes to a nasty old MSSQL database structure. That seems to be rather difficult to do with Django.

These are a few things that caught my attention. Don't let this dissuade you from using Django though. If you are a Python programmer writing web apps, USE DJANGO! Please. You should be using a framework, and Django is it for Python. If you are language agnostic though... so far I like Grails the best. I have yet to see a good Yii demo or CakePHP demo, so if anyone out there is a PHP framework guru, I'd be interested in seeing some cool PHP code-fu.

P.S. If you write U of MN apps and want to use Grails, let me know; I have some plugins for you. Authentication and Web Templates are the two big ones.

Please tell me if I misjudged Django. I want Django to be awesome. I really do.

Federated Single Sign-On


The Identity Management team here @ the U has done a great job rolling out the new Shibboleth (a SAML-based SSO solution) system.

I added quite a bit of documentation to https://wiki.umn.edu/ShibAuth to help people migrate, but I thought I'd clarify a few points that seem to get lost in the clutter.

An entityId is a way to group web applications that need to access the same set of Metadata. What?!? If you have one, two, four, or twenty web servers that only need one attribute exposed (let's say username), then you only need one entityId for that group of servers.

You need one Metadata XML file for each entity. If you read the above statement, that means that if you have multiple web apps / web servers using the same entityId, then every single one of those servers needs to have an entry in your metadata file.

That means if you have 10 servers using 1 entity, you'll need 1 metadata file with 1 Public SSL cert in it (listed twice...) and 1 contact info section, and then 10 sets of service listings.

I think a single set of service listings for me has 10 different entries. I think you can get away with less if you want, but that still means ~100 lines of service listings for 10 servers.
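The metadata shape described above, as an added example that is not the U of MN metadata or anything from the wiki: one entityId shared by two servers, the same certificate listed twice (once for signing, once for encryption), one contact section, and a set of service listings per server. The entityID, host names, certificate and contact are placeholders, and a real Shibboleth SP lists more bindings per server than the two shown here.

```xml
<!-- Added example, not metadata from the post or the U of MN wiki. One
     entityID shared by two servers: one cert block (listed twice), one
     contact section, and a set of service listings per server. The
     entityID, hosts, certificate and contact are placeholders. -->
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                     entityID="https://sp.example.edu/shibboleth">
  <md:SPSSODescriptor AuthnRequestsSigned="false"
                      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">

    <!-- The one public certificate appears twice: once as the signing key... -->
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data><ds:X509Certificate>PLACEHOLDER_BASE64_CERT</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <!-- ...and once as the encryption key. -->
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo>
        <ds:X509Data><ds:X509Certificate>PLACEHOLDER_BASE64_CERT</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>

    <!-- Logout endpoints, one per server (schema order puts these before the
         AssertionConsumerService entries) -->
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://app1.example.edu/Shibboleth.sso/SLO/Redirect"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://app2.example.edu/Shibboleth.sso/SLO/Redirect"/>

    <!-- Service listings for server 1 -->
    <md:AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://app1.example.edu/Shibboleth.sso/SAML2/POST"/>
    <md:AssertionConsumerService index="2" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://app1.example.edu/Shibboleth.sso/SAML2/Artifact"/>

    <!-- Service listings for server 2: same entityID, different Locations, indexes continue -->
    <md:AssertionConsumerService index="3" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://app2.example.edu/Shibboleth.sso/SAML2/POST"/>
    <md:AssertionConsumerService index="4" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://app2.example.edu/Shibboleth.sso/SAML2/Artifact"/>
  </md:SPSSODescriptor>

  <!-- One contact section for the whole entity -->
  <md:ContactPerson contactType="technical">
    <md:GivenName>Placeholder Admin</md:GivenName>
    <md:EmailAddress>mailto:placeholder@example.edu</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>
```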

I hope this clarifies things for you when you're setting up your Shibboleth implementations! If not, drop an email to the IDM team. They'll help you out!
