Great team meeting.
(1) Message port
(2) http port only for file upload
(3) message based handling
Tuesday, December 27, 2005
Sunday, December 25, 2005
Kstat Data ?
typedef struct kstat {
/*
* Fields relevant to both kernel and user
*/
hrtime_t ks_crtime; /* creation time (from gethrtime()) */
struct kstat *ks_next; /* kstat chain linkage */
kid_t ks_kid; /* unique kstat ID */
char ks_module[KSTAT_STRLEN]; /* provider module name */
uchar_t ks_resv; /* reserved, currently just padding */
int ks_instance; /* provider module's instance */
char ks_name[KSTAT_STRLEN]; /* kstat name */
uchar_t ks_type; /* kstat data type */
char ks_class[KSTAT_STRLEN]; /* kstat class */
uchar_t ks_flags; /* kstat flags */
void *ks_data; /* kstat type-specific data */
uint_t ks_ndata; /* # of type-specific data records */
size_t ks_data_size; /* total size of kstat data section */
hrtime_t ks_snaptime; /* time of last data shapshot */
/*
* Fields relevant to kernel only
*/
int (*ks_update)(struct kstat *, int); /* dynamic update */
void *ks_private; /* arbitrary provider-private data */
int (*ks_snapshot)(struct kstat *, void *, int);
void *ks_lock; /* protects this kstat's data */
} kstat_t;
/*
* Fields relevant to both kernel and user
*/
hrtime_t ks_crtime; /* creation time (from gethrtime()) */
struct kstat *ks_next; /* kstat chain linkage */
kid_t ks_kid; /* unique kstat ID */
char ks_module[KSTAT_STRLEN]; /* provider module name */
uchar_t ks_resv; /* reserved, currently just padding */
int ks_instance; /* provider module's instance */
char ks_name[KSTAT_STRLEN]; /* kstat name */
uchar_t ks_type; /* kstat data type */
char ks_class[KSTAT_STRLEN]; /* kstat class */
uchar_t ks_flags; /* kstat flags */
void *ks_data; /* kstat type-specific data */
uint_t ks_ndata; /* # of type-specific data records */
size_t ks_data_size; /* total size of kstat data section */
hrtime_t ks_snaptime; /* time of last data shapshot */
/*
* Fields relevant to kernel only
*/
int (*ks_update)(struct kstat *, int); /* dynamic update */
void *ks_private; /* arbitrary provider-private data */
int (*ks_snapshot)(struct kstat *, void *, int);
void *ks_lock; /* protects this kstat's data */
} kstat_t;
Saturday, December 24, 2005
Zone Existing Env and JES shared package
Zone existing env, gobal zone, whole root zone, and sparse root
zone has common share package. However even JES installation
at global zone does have the issue for shared compoent verification
and removal. It fails at the verification check and removal at core
component such as AM, PS and DS
zone has common share package. However even JES installation
at global zone does have the issue for shared compoent verification
and removal. It fails at the verification check and removal at core
component such as AM, PS and DS
Friday, December 23, 2005
Multi-home IP/hostname resolution
getHostName(), getLocaHost() does not address multi-home use cases
Thursday, December 22, 2005
CMT Core and Zone
The CMT Core specific instrumentation at zone level
is one of tough things has been borthed me a lot !
is one of tough things has been borthed me a lot !
platform specific CMT probing and solaris common probing
As I have discovered, DTrace is wonderful interm of designing
to be platform independent. However, platform specific
instrumentation is locked out of door. It leaves the challenges
to D developers for the D abstraction and platform indenpdent
(1) Where and how platform specific D code should be abstracted ?
(2) Where are the Solaris common D code should be modeled ?
(3) How abstraction and composition and inheritance are addressed ?
(4) Cool stuff are being opened >
I tend to consider the abstract factory and toolkit worthy to consider
as my D pattern book down the road.
Cool ! I am so excited about D.
to be platform independent. However, platform specific
instrumentation is locked out of door. It leaves the challenges
to D developers for the D abstraction and platform indenpdent
(1) Where and how platform specific D code should be abstracted ?
(2) Where are the Solaris common D code should be modeled ?
(3) How abstraction and composition and inheritance are addressed ?
(4) Cool stuff are being opened >
I tend to consider the abstract factory and toolkit worthy to consider
as my D pattern book down the road.
Cool ! I am so excited about D.
Portal community services
(1) One way admin centric portal content presentation
(2) end user decide the content aggregation, self managed
(3) a user can subscribe many communities but only can
access one community at a time for the overhead of the
DP merging. It should have upper level container for
multi-channels from different communitites. RSS
pushing content delivery
(4) derby owns basic schema and data model
(2) end user decide the content aggregation, self managed
(3) a user can subscribe many communities but only can
access one community at a time for the overhead of the
DP merging. It should have upper level container for
multi-channels from different communitites. RSS
pushing content delivery
(4) derby owns basic schema and data model
Wednesday, December 21, 2005
Portal SRA & Proxy
Portal SRA does URL rewrite, xxxx Let component to ensure
secure HTTP access to protected resources. which proxy server
does not do rewritintg
secure HTTP access to protected resources. which proxy server
does not do rewritintg
Portal SRA within DMZ
(1) Standard Forward Co-operate Proxy within DMZ
(2) Reverse Proxy within DMZ
(3) SRA ProxyLet applet running with browser--SSL--> SRA Gateway (router)-->Server side Proxy Let with Gateway in DMZ --> or internal proxy let component to dispatch the request to internal protected resources
(4) SRA Net Let applet running with browser--SSL--> SRA Gateway (router)-->Server side Net Let with Gateway in DMZ --> or internal Net let component to dispatch the request to internal protected resources
(5) SRA File Let applet running with browser--SSL--> SRA Gateway (router)-->Server side File Let with Gateway in DMZ --> or internal File let component to dispatch the request to internal protected resources
(2) Reverse Proxy within DMZ
(3) SRA ProxyLet applet running with browser--SSL--> SRA Gateway (router)-->Server side Proxy Let with Gateway in DMZ --> or internal proxy let component to dispatch the request to internal protected resources
(4) SRA Net Let applet running with browser--SSL--> SRA Gateway (router)-->Server side Net Let with Gateway in DMZ --> or internal Net let component to dispatch the request to internal protected resources
(5) SRA File Let applet running with browser--SSL--> SRA Gateway (router)-->Server side File Let with Gateway in DMZ --> or internal File let component to dispatch the request to internal protected resources
Tuesday, December 20, 2005
Solaris SRM and Resource Control for CMT
Resource Control
(1) Process
(2) Task
(3) Project
zone ---
Pool----
(2) Processor --- cpu-share
(1) Process
(2) Task
(3) Project
zone ---
Pool----
(2) Processor --- cpu-share
Grid Data Distribution and Management
It seems test cases drives a lot of errors
(1) Global Zone
(2) Sparse Root Zone
(3) Whole Root Zone
Multicast for member discovery
(1) Global Zone
(2) Sparse Root Zone
(3) Whole Root Zone
Multicast for member discovery
Monday, December 19, 2005
start-node-agent error
(1) asadmin create-node-agent --agentdir --port 6666 --user admin --agentport 3333 jesswitchNodeAgent
(2) asadmin list-node-agents --agentdir --port 6666 --user admin
(3) asadmin start-node-agent --agentdir --port 6666 --user admin jesswitchNodeAgent
both (1) and (2) works but failed at (3)
It is under investigation
(2) asadmin list-node-agents --agentdir
(3) asadmin start-node-agent --agentdir
both (1) and (2) works but failed at (3)
It is under investigation
Sunday, December 18, 2005
exiting zone new inherit-pkg-dir
How to add new inherit-pkg-dir to an existing zone withno
or limited rework and backup process ?
or limited rework and backup process ?
Saturday, December 17, 2005
Grid and Solaris Sparse Root Zone
Data distribute and Management
(1) share dir with inherit-pkg-dir does not address well
(2) license zip file share for gemfire home
(3) whole root NG zone works
(4) inherit-pkg-dir for whold gemfire home works
(5) local cache has issues
(1) share dir with inherit-pkg-dir does not address well
(2) license zip file share for gemfire home
(3) whole root NG zone works
(4) inherit-pkg-dir for whold gemfire home works
(5) local cache has issues
Friday, December 16, 2005
SRM & Resource Control
(1) Currently, zone wide resource control are designated to
zone.cpu-shares
zone.max-lwps
(2) S10, from resource control perspective, is identitified
per project, task, or traditional process. Which are system
wide basis
Resource control facility provides the kernl IPC setting seems
limited as
zone.cpu-shares
zone.max-lwps
(2) S10, from resource control perspective, is identitified
per project, task, or traditional process. Which are system
wide basis
Resource control facility provides the kernl IPC setting seems
limited as
-
project.max-shm-ids
-
project.max-msg-ids
-
project.max-sem-ids
-
project.max-shm-memory
-
process.max-sem-nsems
-
process.max-sem-ops
-
process.max-msg-qbytes
Zone console access control and auditing
(1) If it is ok to have a proxy authentication for zlogin or rzlogin
ex, I have a management host tries to zone login for data collection
It may requires some level of privilege (RBAC) to execute some
task and access some resources such as utility and host resource
and some level a data sampling to be done too. Can we have zlogin
with a normal Solaris User and after login to it can own the ACL
for the designated proxy user's privilege. I know extra "su" can
work some time, can it be more automatic and robust fashion ? If
not what are the concerns ?
(2) Can we specify the login session limits so that we can pro actively
assess the hacking cases. So what I mean to have a policy based
restricition so that server can control the session duration.
(3) Can we categorize the configuration related scripts or meta data file
into one central realm for easy of deployment and control instead of
multiple of twinks
(4) Can we have account locking policy in case of times of exceeding retry?
(5) svc based login and per zone based auditing
These may not only for zlogin and rzlogin only, but if it is integrated, it can
be more manageable and auditable in production.
ex, I have a management host tries to zone login for data collection
It may requires some level of privilege (RBAC) to execute some
task and access some resources such as utility and host resource
and some level a data sampling to be done too. Can we have zlogin
with a normal Solaris User and after login to it can own the ACL
for the designated proxy user's privilege. I know extra "su" can
work some time, can it be more automatic and robust fashion ? If
not what are the concerns ?
(2) Can we specify the login session limits so that we can pro actively
assess the hacking cases. So what I mean to have a policy based
restricition so that server can control the session duration.
(3) Can we categorize the configuration related scripts or meta data file
into one central realm for easy of deployment and control instead of
multiple of twinks
(4) Can we have account locking policy in case of times of exceeding retry?
(5) svc based login and per zone based auditing
These may not only for zlogin and rzlogin only, but if it is integrated, it can
be more manageable and auditable in production.
Grid Data Distribution and Management System (Caching) Issues
(1) GemFire E 4.1.1 shipping with Installer
JRE and GFE Distribute System JRE. JRE
has platform sepcific builds such as Solaris
SPARC and x64. Current installer will failed
to deploy over x64 due to JRE.
Suggestion: To have a flag with installer invokation
to specify which JRE to be used by installer so that
installation process also can have a choice to pick
up which JVM for distribute system.
In addition, gemstone need to create another Solaris
x64 boundle for x64 platform.
(2) With Large cache feature, GFE need to consider
utlize 64 bit JVM for both SPARC and x64, specifically
x64.
(3) Share Memory needs compliance with Solaris 10 SRM
JRE and GFE Distribute System JRE. JRE
has platform sepcific builds such as Solaris
SPARC and x64. Current installer will failed
to deploy over x64 due to JRE.
Suggestion: To have a flag with installer invokation
to specify which JRE to be used by installer so that
installation process also can have a choice to pick
up which JVM for distribute system.
In addition, gemstone need to create another Solaris
x64 boundle for x64 platform.
(2) With Large cache feature, GFE need to consider
utlize 64 bit JVM for both SPARC and x64, specifically
x64.
(3) Share Memory needs compliance with Solaris 10 SRM
Thursday, December 15, 2005
Grid Enterprise caching server throws exception
Grid Distribute Cache Server and Manager does not
have smooth output. It is under investigation
(Dec 15, 2005 10:38:16 AM), Setup.product.install,
com.installshield.wizardx.panels.CustomDialog, err,
java.lang.ClassNotFoundException:
com.installshield.gemfire4x.event.dialog.console.PanelDestinationConsoleImpl
STACK_TRACE: 15
java.lang.ClassNotFoundException:
com.installshield.gemfire4x.event.dialog.console.PanelDestinationConsoleImpl
at java.net.URLClassLoader$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClassInternal(Unknown Source)
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Unknown Source)
at
com.installshield.event.ActionSequenceEngine$ActionTask.invokeJavaMethod(Unknown
Source)
at
com.installshield.event.ActionSequenceEngine$ActionTask.executeAction(Unknown
Source)
at
com.installshield.event.ActionSequenceEngine$ActionTask.run(Unknown Source)
at com.installshield.event.ThreadPool.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
--
have smooth output. It is under investigation
(Dec 15, 2005 10:38:16 AM), Setup.product.install,
com.installshield.wizardx.panels.CustomDialog, err,
java.lang.ClassNotFoundException:
com.installshield.gemfire4x.event.dialog.console.PanelDestinationConsoleImpl
STACK_TRACE: 15
java.lang.ClassNotFoundException:
com.installshield.gemfire4x.event.dialog.console.PanelDestinationConsoleImpl
at java.net.URLClassLoader$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClassInternal(Unknown Source)
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Unknown Source)
at
com.installshield.event.ActionSequenceEngine$ActionTask.invokeJavaMethod(Unknown
Source)
at
com.installshield.event.ActionSequenceEngine$ActionTask.executeAction(Unknown
Source)
at
com.installshield.event.ActionSequenceEngine$ActionTask.run(Unknown Source)
at com.installshield.event.ThreadPool.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
--
Identity Service and Subject Virtualization
Apprently, CCoS based virtualization requires a lot of
work to improve the automic provisioing.
(1) As service assigned to realm, containerDefaultTemplateRole role based
CCoS template is created for the CCoS definition
(2) As service assigned to the role, the role based CCoS template is created for the CCoS definition
(3) However, CCoS definition and CCoS template do not create virtualization attribute until
the marker OC is added to the subject in order to have the virtual attribute shown
User Subject based service assignment does not marker OC assignment.
Can we include the marker OC as CoS sepecifier in order to auto generate the marker
for identity subject ?
?????????????? Puzzl Day
work to improve the automic provisioing.
(1) As service assigned to realm, containerDefaultTemplateRole role based
CCoS template is created for the CCoS definition
(2) As service assigned to the role, the role based CCoS template is created for the CCoS definition
(3) However, CCoS definition and CCoS template do not create virtualization attribute until
the marker OC is added to the subject in order to have the virtual attribute shown
User Subject based service assignment does not marker OC assignment.
Can we include the marker OC as CoS sepecifier in order to auto generate the marker
for identity subject ?
?????????????? Puzzl Day
Grid data distribution and caching systems
(1) My PHD transcripts required offical sealed one from NSU institution
(2) My id card version to be sent over to NSU
(3) KTS requires outline refinement
(4) data grid distribution and caching system are in lab vaildation now
(1) Tx awareness
(2) Pure Java
(3) Grid awareness
(4) Data Centeric
(5) Storage Grid ????
(5) App server core component requires more work to do
(6) SMS does more HAL work which I do need to continue to follow up
(7) Identity Management Pat outline is out for many content
(8) ILM require more work on compliance manager implementation
to appliance and storage device
(9) More work to implementation SOA management tool vs IBM SMD kit
(2) My id card version to be sent over to NSU
(3) KTS requires outline refinement
(4) data grid distribution and caching system are in lab vaildation now
(1) Tx awareness
(2) Pure Java
(3) Grid awareness
(4) Data Centeric
(5) Storage Grid ????
(5) App server core component requires more work to do
(6) SMS does more HAL work which I do need to continue to follow up
(7) Identity Management Pat outline is out for many content
(8) ILM require more work on compliance manager implementation
to appliance and storage device
(9) More work to implementation SOA management tool vs IBM SMD kit
Wednesday, December 14, 2005
Java DB and Grid awareness
(1) if indirect CoS on iplanetAMConfiguration definition are utlized ? the why iplanetAMConfiguration service are also defined at global and org leve ?
(2) Java DB & Grid. Wonderful and strong offering to compete with conventional RDBMS.
a. Java is horizontally scaled at user land
b. Java Tx transaction is distributable and work load dispatched
c. Data Provisioning is matured
d. Grid Management Solution is more clarified now
(3) Training is due
(4) KTS on x64 is good time for meeting
(5) open ESB is out, what is the position then ?
(2) Java DB & Grid. Wonderful and strong offering to compete with conventional RDBMS.
a. Java is horizontally scaled at user land
b. Java Tx transaction is distributable and work load dispatched
c. Data Provisioning is matured
d. Grid Management Solution is more clarified now
(3) Training is due
(4) KTS on x64 is good time for meeting
(5) open ESB is out, what is the position then ?
Tuesday, December 13, 2005
Patent Day
(1) A tough patent day for DDAC Multip-channel Presentation
(2) Create Core Dump from both Solaris and Win OS for JVM trouble shooting
(3) Anti-Corruption Training deadline is approaching
(4) Grid Lab deployment for GemFire
(5) Dtrace to resolve aggreation and history data repository
(6) Solaris Enterprise System, I need to clarify the realm and service management
(7) Identity Management, I need to setup federated management
(8) SOA, I need to consolidate the service mangement and mediation
(9) ILM, I need to focus on compliance manger
(10) A lot to be done, tight day again
(2) Create Core Dump from both Solaris and Win OS for JVM trouble shooting
(3) Anti-Corruption Training deadline is approaching
(4) Grid Lab deployment for GemFire
(5) Dtrace to resolve aggreation and history data repository
(6) Solaris Enterprise System, I need to clarify the realm and service management
(7) Identity Management, I need to setup federated management
(8) SOA, I need to consolidate the service mangement and mediation
(9) ILM, I need to focus on compliance manger
(10) A lot to be done, tight day again
Monday, December 12, 2005
A Mobile RSS buzz me a lot
(1) Mobile RSS channel buzz me a lot
Prove It !!!!
(2) Solaris Enterprise System Comm for crossing boundaries forwarding and domain fetching
US-Chinese Game Starts !!!!
(3) Lagency Portal Mode to Latest Realm management solutions
(4) Flash thick client does not want to be part of portal channel services ?
Prove It !!!!
(2) Solaris Enterprise System Comm for crossing boundaries forwarding and domain fetching
US-Chinese Game Starts !!!!
(3) Lagency Portal Mode to Latest Realm management solutions
(4) Flash thick client does not want to be part of portal channel services ?
Identity Privilige and Policy
(1) Regarding to identity CCoS attributes:
Why and How AM API impact the IdRepo identity
attributes ? If so why amUser and amDiscoveryService
are not impacted ?
Please clarify.
(2) Regarding to the realm retrictions to attribute accessing
I really have some questions on Priviliges
(a) Why Priviliges are definied at realm level instead of
other AM identity container level such as group and role ?
(b) It seems,realm priviliges are setting a all iPlanetAMPolicyService,
specifically, PolicyCrossReferences for sunAMDelegationService
within the realm.
In addition, it sets the PolicyAdmin,RealmReadOnly,DatastoresReadOnly,
AllUserReadableServices,SelfReadAttributes, SelfWriteAttributes
Policies to target Identity subjects
(c) policy management is about to create referral policy
and at realm and sub realm and level.
ou=OrganizationConfig,ou=1.0,ou=iPlanetAMPolicyService,ou=services,
Then my question is what are the decision point to define priviliges instead
of policy at realm level. I mean I can create customer privilige services
as policy does. Please clarify my confusion.
Why Privilige does not requires Referral at root level since Privilige
is about to create policy in nature too.
Why and What should be defined as Privilige instead of Policy ?
Early Morning Hit
Here is the early morning hit
(1) Anti-corruption training alert
(2) December status to update
(3) 401K roll over login credential
(4) on line traffic school hurts
(5) Solaris Enterprise System Hits down the road
(6) DTrace is more in catching up mode
(7) Identity Solution is to clarify the privilige, policy and subject matter
(8) SOA does a bit
(9) No news from Richard
(10) Deploy GemFire Enterprise on Grid Lab
(1) Anti-corruption training alert
(2) December status to update
(3) 401K roll over login credential
(4) on line traffic school hurts
(5) Solaris Enterprise System Hits down the road
(6) DTrace is more in catching up mode
(7) Identity Solution is to clarify the privilige, policy and subject matter
(8) SOA does a bit
(9) No news from Richard
(10) Deploy GemFire Enterprise on Grid Lab
Saturday, December 10, 2005
CCoS attribute virtualization and AM Services
(1) iPlanetAMUserService,iPlanetAMSessionService,sunIdentityServerDiscoveryService are role based CCoS services for ContainerDefaultTemplateRole.
(2) iPlanetAMAdminConsoleService,iPlanetG11NSettings,iPlanetAMPasswordResetService are OrganizationConfig under realm. Why ?
(3)
(2) iPlanetAMAdminConsoleService,iPlanetG11NSettings,iPlanetAMPasswordResetService are OrganizationConfig under realm. Why ?
(3)
Grid Lab is messed up
I found that my grid lab is messed up
(1) only SMS is ready for my usage
(2) lost of storage bits
(3) OS for other servers are not ready
(1) only SMS is ready for my usage
(2) lost of storage bits
(3) OS for other servers are not ready
Identity User & Role based UserSessionService
(1) Identity User owns containerdefaulttemplaterole
(3) containerdefaulttemplaterole is the RDN for role based CCoS template
(4) Indentity Session Service does definie attributes
However, session attributes only shows from some AM default users
because all default users have the session service assigned.
The assignment of session services is to create session attributes
for AM User Object
(3) containerdefaulttemplaterole is the RDN for role based CCoS template
(4) Indentity Session Service does definie attributes
However, session attributes only shows from some AM default users
because all default users have the session service assigned.
The assignment of session services is to create session attributes
for AM User Object
Friday, December 09, 2005
Agent service confusion
I am running into the use case which needs clarification on
iPlanetAMAgentService vs sunIdentityAgentService
The service schema are the same hit
iPlanetAMAgentService vs sunIdentityAgentService
The service schema are the same hit
(1) I understand BasicAgent's CreationTemplates handles agent creation
via standard AM UMS object
(2) iPlanetAMAgentService and sunIdentityAgentService seems to have the
same schema service attributes
however,the attribute
"description", "sunIdentityServerDeviceKeyValue"
"RequiredValueValidator"
does not show from amConsole
(3) In addition what is the usage of the two services
iPlanetAMAgentService vs sunIdentityAgentService
Persistent Search contributes to Performance overhead
For > xx million accesses, xxx k user increased capacity planning. persistent search has been
oberserved as major performance bottleneck. To avoid of the straight object entry and role
computing persistent search, I need to introduce retro change or other better ideas.
oberserved as major performance bottleneck. To avoid of the straight object entry and role
computing persistent search, I need to introduce retro change or other better ideas.
I do not have problem with HAL
For an efficient system and risk management,
HAL can be an very init level abstraction. From
firmware, device, kernel components to power
management service. It will be a very indicated
solutions to the questions proposed by industry
HAL can be an very init level abstraction. From
firmware, device, kernel components to power
management service. It will be a very indicated
solutions to the questions proposed by industry
Solaris Enterprise System DS & DMZ
Double or Tripple Layer Firewall policy is popular in several industry segments
(1) Configuration Seperation
(2) Central Administration
(4) R/W seperation
(5) No inbound from DMZ to Intranet
(6) One way outbound only
|---------DMZ-----------| Intranet
(1) Configuration Seperation
(2) Central Administration
(4) R/W seperation
(5) No inbound from DMZ to Intranet
(6) One way outbound only
|---------DMZ-----------| Intranet
A tough Gird day
(1) Working on Grid Infrastructure solution at 9:00 AM.
(2) Property Meeting is scheduled at 1:00 PM from PMK16 - 2532
(3) Identity Repo Matching Rule is under cn=schema
(2) Property Meeting is scheduled at 1:00 PM from PMK16 - 2532
(3) Identity Repo Matching Rule is under cn=schema
Thursday, December 08, 2005
UTF-16 Encoding and LDAP Authentication
/* get UTF-16 string */
public String getUTFString(String rawString)
throws UnsupportedEncodingException {
byte[] bytes = getEncodeString(String rawString);
return new String(bytes,0,bytes.length(),"UTF-16");
}
/* UTF-16 bytes */
public byte[] getEncodeBytes(String rawString)
throws UnsupportedEncodingException {
Charset cset = Charset.forName("UTF-16");
ByteBuffer buf = cset.encode(rawString);
return buf.array();
}
/* Does LDAP Binding for authentication */
public Context getContext(String ldapurl,
String utf_uid, String utf_pass) throws NamingException {
Hashtable env = new Hashtable();
env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, ldapurl);
env.put(Context.SECURITY_PRINCIPAL, utf_uid);
env.put(Context.SECURITY_CREDENTIALS, utf_pass);
return new InitialDirContext(env);
}
Please note that Solaris Enterprise System
DS does the Cipher oneway hash, Client does
not do anything else by UTF-8 encoding.
public String getUTFString(String rawString)
throws UnsupportedEncodingException {
byte[] bytes = getEncodeString(String rawString);
return new String(bytes,0,bytes.length(),"UTF-16");
}
/* UTF-16 bytes */
public byte[] getEncodeBytes(String rawString)
throws UnsupportedEncodingException {
Charset cset = Charset.forName("UTF-16");
ByteBuffer buf = cset.encode(rawString);
return buf.array();
}
/* Does LDAP Binding for authentication */
public Context getContext(String ldapurl,
String utf_uid, String utf_pass) throws NamingException {
Hashtable env = new Hashtable();
env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, ldapurl);
env.put(Context.SECURITY_PRINCIPAL, utf_uid);
env.put(Context.SECURITY_CREDENTIALS, utf_pass);
return new InitialDirContext(env);
}
Please note that Solaris Enterprise System
DS does the Cipher oneway hash, Client does
not do anything else by UTF-8 encoding.
Solaris Enterprise System DS Unicode Handling
How Solaris Enterprise System DS handle Unicode Character
DS follows LDAP standard schema,
attributeTypes=( 2.5.4.35 NAME 'userPassword'
DESC 'Standard LDAP attribute type
' EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128}
X-ORIGIN 'RFC 2256' )
According to RFC 2256, "Passwords are stored
using an Octet String syntax and are not encrypted.
Transfer of cleartext passwords are strongly
discouraged where the underlying transport service
cannot guarantee confidentiality and may
result in disclosure of the password to
unauthorized parties. "
This is how Solaris Enterprise System DS
works on userPassword:
Identifies the entry's password and encryption
method in the following format:
{encryption method}encrypted password
Syntax:
Binary, multi-valued.*
uid=test,ou=people,dc=sun,dc=com
objectClass=person
objectClass=organizationalPerson
objectClass=inetuser
objectClass=inetOrgPerson
*userPassword={SSHA}yG/3f2DJzg8jdc8gqAnqoPXqwIjoPzAKsToNcA==*
(3) Second, let's study LDAP schema cipher used
by Solaris Enterprise System DS
cn=Password Storage Schemes,cn=plugins, cn=config
objectClass=top
objectClass=nsContainer
cn=Password Storage Schemes
cn=CLEAR,cn=Password Storage Schemes,cn=plugins,cn=config
objectClass=top
objectClass=nsSlapdPlugin
objectClass=ds-signedPlugin
cn=CLEAR
nsslapd-pluginPath=/var/opt/mps/serverroot/lib/pwdstorage-plugin.so
nsslapd-pluginInitfunc=clear_pwd_storage_scheme_init
nsslapd-pluginType=pwdstoragescheme
nsslapd-pluginEnabled=on
nsslapd-pluginId=clear-password-storage-scheme
nsslapd-pluginVersion=5.2_Patch_4
nsslapd-pluginVendor=Sun Microsystems, Inc.
nsslapd-pluginDescription=No encryption (CLEAR)
ds-pluginSignatureState=valid signature
cn=CRYPT,cn=Password Storage Schemes,cn=plugins,cn=config
objectClass=top
objectClass=nsSlapdPlugin
objectClass=ds-signedPlugin
cn=CRYPT
nsslapd-pluginPath=/var/opt/mps/serverroot/lib/pwdstorage-plugin.so
nsslapd-pluginInitfunc=crypt_pwd_storage_scheme_init
nsslapd-pluginType=pwdstoragescheme
nsslapd-pluginEnabled=on
nsslapd-pluginId=crypt-password-storage-scheme
nsslapd-pluginVersion=5.2_Patch_4
nsslapd-pluginVendor=Sun Microsystems, Inc.
nsslapd-pluginDescription=Unix crypt algorithm (CRYPT)
ds-pluginSignatureState=valid signature
cn=DES,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginPath=/var/opt/mps/serverroot/lib/des-plugin.so
nsslapd-pluginInitfunc=des_init
nsslapd-pluginType=reverpwdstoragescheme
nsslapd-pluginEnabled=on
nsslapd-pluginarg0=nsmultiplexorcredentials
nsslapd-pluginarg1=nsds5ReplicaCredentials
nsslapd-pluginarg2=dsKeyDBPwd
nsslapd-pluginId=des-storage-scheme
nsslapd-pluginVersion=5.2_Patch_4
nsslapd-pluginVendor=Sun Microsystems, Inc.
nsslapd-pluginDescription=DES storage scheme plugin
ds-pluginSignatureState=valid signature
cn=NS-MTA-MD5,cn=Password Storage Schemes,cn=plugins,cn=config
objectClass=top
objectClass=nsSlapdPlugin
objectClass=ds-signedPlugin
cn=NS-MTA-MD5
nsslapd-pluginPath=/var/opt/mps/serverroot/lib/pwdstorage-plugin.so
nsslapd-pluginInitfunc=ns_mta_md5_pwd_storage_scheme_init
nsslapd-pluginType=pwdstoragescheme
nsslapd-pluginEnabled=on
nsslapd-pluginId=NS-MTA-MD5-password-storage-scheme
nsslapd-pluginVersion=5.2_Patch_4
nsslapd-pluginVendor=Sun Microsystems, Inc.
nsslapd-pluginDescription=Netscape MD5 (NS-MTA-MD5)
ds-pluginSignatureState=valid signature
cn=SHA,cn=Password Storage Schemes,cn=plugins,cn=config
objectClass=top
objectClass=nsSlapdPlugin
objectClass=ds-signedPlugin
cn=SHA
nsslapd-pluginPath=/var/opt/mps/serverroot/lib/pwdstorage-plugin.so
nsslapd-pluginInitfunc=sha_pwd_storage_scheme_init
nsslapd-pluginType=pwdstoragescheme
nsslapd-pluginEnabled=on
nsslapd-pluginId=sha-password-storage-scheme
nsslapd-pluginVersion=5.2_Patch_4
nsslapd-pluginVendor=Sun Microsystems, Inc.
nsslapd-pluginDescription=Secure Hashing Algorithm (SHA)
ds-pluginSignatureState=valid signature
cn=SSHA,cn=Password Storage Schemes,cn=plugins,cn=config
objectClass=top
objectClass=nsSlapdPlugin
objectClass=ds-signedPlugin
cn=SSHA
nsslapd-pluginPath=/var/opt/mps/serverroot/lib/pwdstorage-plugin.so
nsslapd-pluginInitfunc=ssha_pwd_storage_scheme_init
nsslapd-pluginType=pwdstoragescheme
nsslapd-pluginEnabled=on
nsslapd-pluginId=ssha-password-storage-scheme
nsslapd-pluginVersion=5.2_Patch_4
nsslapd-pluginVendor=Sun Microsystems, Inc.
nsslapd-pluginDescription=Salted Secure Hashing Algorithm (SSHA)
ds-pluginSignatureState=valid signature
(3) DS does support UTF-8 encoded ASCII for
further oneway hash. Cipher are defined
as the above storage schema such as SSHA
(4) It requires LDAP client does UTF-8 encoding That's why
AM loves Encoding with XML instances
DS follows LDAP standard schema,
attributeTypes=( 2.5.4.35 NAME 'userPassword'
DESC 'Standard LDAP attribute type
' EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128}
X-ORIGIN 'RFC 2256' )
According to RFC 2256, "Passwords are stored
using an Octet String syntax and are not encrypted.
Transfer of cleartext passwords are strongly
discouraged where the underlying transport service
cannot guarantee confidentiality and may
result in disclosure of the password to
unauthorized parties. "
This is how Solaris Enterprise System DS
works on userPassword:
Identifies the entry's password and encryption
method in the following format:
{encryption method}encrypted password
Syntax:
Binary, multi-valued.*
uid=test,ou=people,dc=sun,dc=com
objectClass=person
objectClass=organizationalPerson
objectClass=inetuser
objectClass=inetOrgPerson
*userPassword={SSHA}yG/3f2DJzg8jdc8gqAnqoPXqwIjoPzAKsToNcA==*
(3) Second, let's study LDAP schema cipher used
by Solaris Enterprise System DS
cn=Password Storage Schemes,cn=plugins, cn=config
objectClass=top
objectClass=nsContainer
cn=Password Storage Schemes
cn=CLEAR,cn=Password Storage Schemes,cn=plugins,cn=config
objectClass=top
objectClass=nsSlapdPlugin
objectClass=ds-signedPlugin
cn=CLEAR
nsslapd-pluginPath=/var/opt/mps/serverroot/lib/pwdstorage-plugin.so
nsslapd-pluginInitfunc=clear_pwd_storage_scheme_init
nsslapd-pluginType=pwdstoragescheme
nsslapd-pluginEnabled=on
nsslapd-pluginId=clear-password-storage-scheme
nsslapd-pluginVersion=5.2_Patch_4
nsslapd-pluginVendor=Sun Microsystems, Inc.
nsslapd-pluginDescription=No encryption (CLEAR)
ds-pluginSignatureState=valid signature
cn=CRYPT,cn=Password Storage Schemes,cn=plugins,cn=config
objectClass=top
objectClass=nsSlapdPlugin
objectClass=ds-signedPlugin
cn=CRYPT
nsslapd-pluginPath=/var/opt/mps/serverroot/lib/pwdstorage-plugin.so
nsslapd-pluginInitfunc=crypt_pwd_storage_scheme_init
nsslapd-pluginType=pwdstoragescheme
nsslapd-pluginEnabled=on
nsslapd-pluginId=crypt-password-storage-scheme
nsslapd-pluginVersion=5.2_Patch_4
nsslapd-pluginVendor=Sun Microsystems, Inc.
nsslapd-pluginDescription=Unix crypt algorithm (CRYPT)
ds-pluginSignatureState=valid signature
cn=DES,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginPath=/var/opt/mps/serverroot/lib/des-plugin.so
nsslapd-pluginInitfunc=des_init
nsslapd-pluginType=reverpwdstoragescheme
nsslapd-pluginEnabled=on
nsslapd-pluginarg0=nsmultiplexorcredentials
nsslapd-pluginarg1=nsds5ReplicaCredentials
nsslapd-pluginarg2=dsKeyDBPwd
nsslapd-pluginId=des-storage-scheme
nsslapd-pluginVersion=5.2_Patch_4
nsslapd-pluginVendor=Sun Microsystems, Inc.
nsslapd-pluginDescription=DES storage scheme plugin
ds-pluginSignatureState=valid signature
cn=NS-MTA-MD5,cn=Password Storage Schemes,cn=plugins,cn=config
objectClass=top
objectClass=nsSlapdPlugin
objectClass=ds-signedPlugin
cn=NS-MTA-MD5
nsslapd-pluginPath=/var/opt/mps/serverroot/lib/pwdstorage-plugin.so
nsslapd-pluginInitfunc=ns_mta_md5_pwd_storage_scheme_init
nsslapd-pluginType=pwdstoragescheme
nsslapd-pluginEnabled=on
nsslapd-pluginId=NS-MTA-MD5-password-storage-scheme
nsslapd-pluginVersion=5.2_Patch_4
nsslapd-pluginVendor=Sun Microsystems, Inc.
nsslapd-pluginDescription=Netscape MD5 (NS-MTA-MD5)
ds-pluginSignatureState=valid signature
cn=SHA,cn=Password Storage Schemes,cn=plugins,cn=config
objectClass=top
objectClass=nsSlapdPlugin
objectClass=ds-signedPlugin
cn=SHA
nsslapd-pluginPath=/var/opt/mps/serverroot/lib/pwdstorage-plugin.so
nsslapd-pluginInitfunc=sha_pwd_storage_scheme_init
nsslapd-pluginType=pwdstoragescheme
nsslapd-pluginEnabled=on
nsslapd-pluginId=sha-password-storage-scheme
nsslapd-pluginVersion=5.2_Patch_4
nsslapd-pluginVendor=Sun Microsystems, Inc.
nsslapd-pluginDescription=Secure Hashing Algorithm (SHA)
ds-pluginSignatureState=valid signature
cn=SSHA,cn=Password Storage Schemes,cn=plugins,cn=config
objectClass=top
objectClass=nsSlapdPlugin
objectClass=ds-signedPlugin
cn=SSHA
nsslapd-pluginPath=/var/opt/mps/serverroot/lib/pwdstorage-plugin.so
nsslapd-pluginInitfunc=ssha_pwd_storage_scheme_init
nsslapd-pluginType=pwdstoragescheme
nsslapd-pluginEnabled=on
nsslapd-pluginId=ssha-password-storage-scheme
nsslapd-pluginVersion=5.2_Patch_4
nsslapd-pluginVendor=Sun Microsystems, Inc.
nsslapd-pluginDescription=Salted Secure Hashing Algorithm (SSHA)
ds-pluginSignatureState=valid signature
(3) DS does support UTF-8 encoded ASCII for
further oneway hash. Cipher are defined
as the above storage schema such as SSHA
(4) It requires LDAP client does UTF-8 encoding That's why
AM loves Encoding with XML instances
Multiple Realms under one Root Suffix
(1) ID Sync Property Doc is out
(2) Handshake on IDC Virtualization Conference
IDV, JESSwitch on Zone
(3) Multiple Realms under on Root Suffix. Console confuses
end user, DIT does not contain the entry as o=,ou=services,
but all sub realm created from cli and console do exist as
o=,ou=services,
(4) Putting thoughts on if we need SSO Token with
different realms under the same root suffix
(5) JVM dump shows some clues on exception thrown
from applet. It needs a bit more research to identify if
it causes by awt/plugin bug
(6) SRM is on per processor-set not memory either
Need to figure out what to be done soon.
(7) GemFire Enterprise does shwo attraction interms of Grid transaction service
It is pure Java instead of traditional JINI approach . I have the bits ready for Gird
(8) Ice Grid Solution shown up from www.theserverside.com which need further
investigation
(9) It is such as pain to route patent . I should use ID appended with file name
(10) I am thinking if the straight way to get solaris server hostid instead of from SNMP
(11) I am thinking the way to monitor the CoS contruction if it is possible ? Current
cn=monitor,cn=Class of Service,cn=plugins,cn=config
(2) Handshake on IDC Virtualization Conference
IDV, JESSwitch on Zone
(3) Multiple Realms under on Root Suffix. Console confuses
end user, DIT does not contain the entry as o=
but all sub realm created from cli and console do exist as
o=
(4) Putting thoughts on if we need SSO Token with
different realms under the same root suffix
(5) JVM dump shows some clues on exception thrown
from applet. It needs a bit more research to identify if
it causes by awt/plugin bug
(6) SRM is on per processor-set not memory either
Need to figure out what to be done soon.
(7) GemFire Enterprise does shwo attraction interms of Grid transaction service
It is pure Java instead of traditional JINI approach . I have the bits ready for Gird
(8) Ice Grid Solution shown up from www.theserverside.com which need further
investigation
(9) It is such as pain to route patent . I should use ID appended with file name
(10) I am thinking if the straight way to get solaris server hostid instead of from SNMP
(11) I am thinking the way to monitor the CoS contruction if it is possible ? Current
cn=monitor,cn=Class of Service,cn=plugins,cn=config
Does not address the monitoring of the CoS contruction. How then ?
(12) how to look up all services and attributes pertaining to a specific realm ?
Wednesday, December 07, 2005
Realm Service Creation Template ?
(1) Realm is a container of identity services and configuration, plugin. However, creation template is missing and delegationservicepermission is to be clarified
(2) KTS CMT Deployment and Performance Guide outline
(3) CEC2006 enrollment.
(4) Regarding to identity Resource creation template is under consideration, specifically icsCalendarResource is too implementation specific ?
(5) IDV is under design and implementation
(6) Optimal Directory substring search via VLV is limited ---- It is for telcom
(7) Dtrace task to be completed
(8) Solaris Enterprise System Task is in action today
(9) My PHD evaluation forms are sent out via registered mail
(10) My blog is linked to MAX
(2) KTS CMT Deployment and Performance Guide outline
(3) CEC2006 enrollment.
(4) Regarding to identity Resource creation template is under consideration, specifically icsCalendarResource is too implementation specific ?
(5) IDV is under design and implementation
(6) Optimal Directory substring search via VLV is limited ---- It is for telcom
(7) Dtrace task to be completed
(8) Solaris Enterprise System Task is in action today
(9) My PHD evaluation forms are sent out via registered mail
(10) My blog is linked to MAX
Subscribe to:
Posts (Atom)