blogs.sun.com

Welcome to Blogs.sun.com! This space is accessible to any Sun employee to write about anything.
Web address: http://blogs.sun.com

Fishworks history of SSDs

Tue, 2010-08-17 21:25

This year's Flash Memory Summit got me thinking about our use of SSDs over the years at Fishworks. The picture on the left is a visual history of SSD evals in rough chronological order, from the oldest at the bottom to the newest at the top (including some that have yet to see the light of day).

Early Days

When we started Fishworks, we were inspired by the possibilities presented by ZFS and Thumper. Those components would be key building blocks in the enterprise storage solution that became the 7000 series. An immediate deficiency we needed to address was how to deliver competitive performance using 7,200 RPM disks. Folks like NetApp and EMC use PCI-attached NV-DRAM as a write accelerator. We evaluated something similar, but found the solution lacking because it had limited scalability (the biggest NV-DRAM cards at the time were 4GB), consumed our limited PCIe slots, and required a high-speed connection between nodes in a cluster (e.g. IB, further eating into our PCIe slot budget).

The idea we had was to use flash. None of us had any experience with flash beyond cell phones and USB sticks, but we had the vague notion that flash was fast and getting cheaper. By luck, flash SSDs were just about to be where we needed them. In late 2006 I started evaluating SSDs on behalf of the group, looking for what we would eventually call Logzilla. At that time, SSDs were getting affordable, but were designed primarily for environments such as military use where ruggedness was critical. The performance of those early SSDs was typically awful.

Logzilla

STEC — still Simpletech in those days — realized that their early samples didn't really suit our needs, but they had a new device (partly due to the acquisition of Gnutech) that would be a good match. That first sample was fibre-channel and took some finagling to get working (memorably it required metric screws of an odd depth), but the Zeus IOPS, an 18GB 3.5" SATA SSD using SLC NAND, eventually became our Logzilla (we've recently updated it with a SAS version for our updated SAS-2 JBODs). Logzilla addressed write performance economically and scalably, in a way that also simplified clustering; the next challenge was read performance.

Readzilla

Intent on using commodity 7,200 RPM drives, we realized that our random read latency would be about twice that of 15K RPM drives (duh). Fortunately, most users don't access all of their data randomly (regardless of how certain benchmarks are designed). We already had much more DRAM cache than other storage products in our market segment, but we thought that we could extend that cache further by using SSDs. In fact, the invention of the L2ARC followed a slightly different thought process: seeing the empty drive bays in the front of our system (just two were used as our boot disks) and the piles of SSDs lying around, I stuck the SSDs in the empty bays and figured out how we'd use them.

It was again STEC who stepped up to provide our Readzilla, a 100GB 2.5" SATA SSD using SLC flash.

Next Generation

Logzilla and Readzilla are important features of the Hybrid Storage Pool. For the next generation expect the 7000 series to move away from SLC NAND flash. It was great for the first generation, but other technologies provide better $/IOPS for Logzilla and better $/GB for Readzilla (while maintaining low latency). For Logzilla we think that NV-DRAM is a better solution (I reviewed one such solution here), and for Readzilla MLC flash has sufficient performance at much lower cost and ZFS will be able to ensure the longevity.

Ethernet Auto-negotiation

Tue, 2010-08-17 21:04
Technology moves at a frighteningly fast pace, but sometimes old habits become ingrained. Take Ethernet auto-negotiation, for example. Policies and procedures that require administrators to use hard-coded "forced" or "fixed" Ethernet speed and duplex rates still exist at too many of the companies, ISPs and data centers we work with every day.

Just minutes ago, I overheard a colleague on the phone (we're in a 'cube farm', so that is unavoidable) with a customer having a connectivity issue that is a common scenario:

Interface showing errors in netstat. /var/adm/messages shows the interface linking up at 1000FDX during boot, then messages show that same interface linking up at 100FDX. Diagnosis: mismatch caused by a startup script changing/hard-setting the speed/duplex on the interface post-boot, while the switchport is set to auto-negotiate. Corrective action: remove the startup script, allow the interface to auto-neg with its link partner (the switch).

Forcing Ethernet speed/duplex is so 1994! See the "Ethernet Auto-negotiation Best Practices" blueprint and note that "Auto-neg" provides benefits that go beyond the bootup and initial startup of the interfaces, as noted on page 2 of the blueprint. Autonegotiation on the link is exchanged when:

  • Link is initially connected
  • Device at either end of the link is powered up
  • Device is reset or initialized
  • Renegotiation request is made

Gigabit Ethernet requires auto-negotiation to operate properly. From the Best Practices blueprint: "although autonegotiation (Clauses 22 and 28) is optional for most variants of Ethernet and manual configuration (forced mode) is allowed, this is not the case for Gigabit copper (1000BASE-T)." Note those last 2 bullets, and here's another "war story":

Customer wants a root cause for a "network fault". Seems that there was a major Cisco switch upgrade over a weekend on his network and all the Sun systems were unable to communicate on the network at the end of the upgrade period. Customer is certain this is a "major flaw" in the driver and "needs it fixed right away", since "none of the other system OS' connected to the same switch saw the problem". Diagnosis: the Cisco switch sent a reset/renegotiation request to all connected systems at the end of the upgrade, but since the customer had configured all his Sun ethernet interfaces to be forced to 100FDX, they were not configured to respond/react to the request. Corrective action: configure the systems to use auto-neg. The other non-Sun systems that were unaffected were already using auto-neg.
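As an added check, not from the original post, here is a small sh script for the two scenarios above: it scans /var/adm/messages-style lines for interfaces whose negotiated speed/duplex changed after their first link-up, and lists the startup-script lines that switch autonegotiation off. The log and rc-script samples are constructed, and the exact "link up" wording of real drivers varies.

```shell
#!/bin/sh
# Added example (not from the original post). Two small checks for the
# scenario described above: find interfaces whose "link up" speed/duplex
# changed after boot in /var/adm/messages, then find the startup script
# that forces the link. The sample log and rc-script text at the bottom is
# constructed; real "link up" wording varies by NIC driver, so the parser
# relies only on "<interface> link up", a "<n> Mbps" token and full/half.

# link_renegotiations [FILE]: print "<if> <old> -> <new>" for every "link up"
# whose negotiated speed/duplex differs from that interface's previous one,
# using the 1000FDX/100FDX notation ndd and dladm use. Reads stdin if no FILE.
link_renegotiations() {
    awk '
        /link up/ {
            ifc = ""
            for (i = 2; i <= NF; i++)
                if ($i == "link" && $(i + 1) ~ /^up/) { ifc = $(i - 1); break }
            sub(/:$/, "", ifc)
            if (ifc !~ /^[a-z0-9]+[0-9]$/) next      # not "<driver><instance>"
            spd = "?"
            if (match($0, /[0-9]+ ?Mbps/)) {
                spd = substr($0, RSTART, RLENGTH)
                sub(/ ?Mbps/, "", spd)
            }
            dpx = (tolower($0) ~ /full/) ? "FDX" : "HDX"
            cur = spd dpx
            if ((ifc in last) && cur != last[ifc])
                printf "%s %s -> %s\n", ifc, last[ifc], cur
            last[ifc] = cur
        }' "$@"
}

# forced_link_settings [FILE]: print "<line>: <text>" for non-comment lines of
# an rc script that disable autonegotiation by setting adv_autoneg_cap to 0
# (the ndd/dladm parameter name; the other *_cap parameters are driver specific).
forced_link_settings() {
    awk '!/^[ \t]*#/ && /adv_autoneg_cap[ \t=]+0([^0-9]|$)/ { print NR ": " $0 }' "$@"
}

# Constructed sample of /var/adm/messages: e1000g0 links at 1000FDX during
# boot, then comes back at 100FDX once the startup script has run.
SAMPLE_MESSAGES='Aug 17 08:01:12 host1 e1000g: [ID 123456 kern.notice] NOTICE: e1000g0 link up, 1000 Mbps, full duplex
Aug 17 08:01:15 host1 e1000g: [ID 123456 kern.notice] NOTICE: e1000g1 link up, 1000 Mbps, full duplex
Aug 17 08:01:40 host1 e1000g: [ID 123456 kern.notice] NOTICE: e1000g0 link down
Aug 17 08:01:43 host1 e1000g: [ID 123456 kern.notice] NOTICE: e1000g0 link up, 100 Mbps, full duplex'

# Constructed sample of the offending startup script (hypothetical name).
SAMPLE_RC='#!/sbin/sh
# S99forcelink: hard-codes the interface instead of letting it auto-negotiate
ndd -set /dev/bge0 adv_autoneg_cap 0
ndd -set /dev/bge0 adv_100fdx_cap 1'

printf '%s\n' "$SAMPLE_MESSAGES" | link_renegotiations   # e1000g0 1000FDX -> 100FDX
printf '%s\n' "$SAMPLE_RC" | forced_link_settings        # 3: ndd -set /dev/bge0 adv_autoneg_cap 0
```

On a live system run `link_renegotiations /var/adm/messages` and `forced_link_settings /etc/rc2.d/S*` instead of the samples.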

Here are some other references on this topic:

"Configuring and Troubleshooting Ethernet 10/100/1000Mb Half/Full Duplex Auto-Negotiation" from Cisco:

"One of the most common causes of performance issues on 10/100 Mb Ethernet links occurs when one port on the link operates at half-duplex while the other port operates at full-duplex. This occurs when one or both ports on a link are reset and the auto-negotiation process does not result in both link partners having the same configuration. It also can occur when users reconfigure one side of a link and forget to reconfigure the other side. Both sides of a link should have auto-negotiation on, or both sides should have it off. Cisco recommends to leave auto-negotiation on for those devices compliant with 802.3u. "

"Gigabit Ethernet Auto-negotiation" from Dell.

Foundry Networks (maker of Brocade switches) statement on Auto-neg: "...Many Ethernet products older than mid-year 1997 do not support auto-negotiation. These issues have created a situation where the new standard compliant products appear to be creating a problem, when in fact it is the older non-compliant hardware that cannot take advantage of this new valuable feature."

"Using Ethernet Auto-negotiation protocol to avoid slow network connectivity or application time outs": while the link to this whitepaper requires a subscription, the abstract reads: "In this white paper N-TRON discusses the details of Auto-negotiation protocol and how to properly configure Auto-negotiation settings for maximum performance of industrial Ethernet networks."

Fast Ethernet is well matured and Gigabit Ethernet is becoming commonplace. 10 Gigabit Ethernet is increasing in usage. It's high time to dump forced Ethernet connections and policies in the dustbin of computer networking history along with 2400 baud modems, Thicknet, IRQ jumpers on interface cards and dumb hubs.

Oracle Solaris 11 is the Future

Tue, 2010-08-17 20:24

Lots of speculation about Solaris and OpenSolaris is happening right now, with an allegedly leaked email being the latest generator of buzz, rumors and troll-ism.

But is that any useful? No.

So let's cut through the shiitake, do some due diligence and focus on some real facts instead.

In this article, we'll check out some real and authoritative sources of Solaris direction, mainly John Fowler's recent webcast about Solaris 11. Then we'll see what our future opportunities as members of the Solaris community are, and close with some pointers to other opinions on Solaris 11.

But before we start, the usual disclaimer: I am an employee of Oracle, I can't comment on any rumors, leaked emails or other speculation. The following is only my personal opinion and not necessarily the opinion of my employer.

Oracle and Open Source

Oracle is a big supporter of open source. Just check Oracle's Open Source Page for a number of open source projects that Oracle supports, including OpenSolaris.

The OpenSolaris Source Code is the Foundation of the Next Release of Solaris

As everybody who is familiar with Solaris and OpenSolaris knows, the source code we see in src.opensolaris.org is the ongoing development of the next release of Solaris. The OpenSolaris binary distribution is created from that source code and hence, it has always been a preview of the next release of Solaris.

The Next Release of Solaris Will be Called Solaris 11

The most interesting announcement so far (and this is official, true and public, as in "not rumor nor leaked") is John Fowler's recent Oracle Systems Strategy Update Webcast. Please do yourself a favor and watch it, or at least download the slides. It's free, you just need to register.

I'll even give you a shortcut:

  • On Slide 10, or 10:40 into the video, John Fowler announced that the next release of Solaris is going to be Solaris 11, in 2011 (sic) and that Oracle is speeding up Solaris development. Solaris 11 will be as big a release as Solaris 10 was when it was introduced in 2005.
  • 12:20 into the video, John lists the key improvements that Solaris 11 will deliver: A more powerful networking stack, better scalability, improved virtualization, a new packaging and deployment architecture, enhancements to the file system, and many more. Sounds familiar? Sure, go read all about them on the OpenSolaris projects pages!
  • Slide 12 (12:50) is a full roadmap for Solaris 10 and Solaris 11, highlighting key development milestones and showing regular release intervals (which come surprisingly close to traditional Oracle Open World dates). No more waiting for releases. Nice, predictable update schedule instead.

As John Fowler said, Oracle Solaris 11 will be made available as an early access soon, and I bet it will look remarkably familiar to those who have seen previous OpenSolaris builds before.

Oh, and be sure to watch the other bits of the webcast as well, for an update on the SPARC roadmap with some exciting data points about future SPARC processors.

What You Can Do Now

The way I see it, this is all good news, and it reinforces Oracle's commitment to Solaris and SPARC in a big way. And for the Solaris community, this presents a lot of ways to get involved:

  • If you have been previously waiting for the next release of the OpenSolaris binary distribution, you should be looking forward to the Solaris 11 early access program. After all, the OpenSolaris binary distribution always was an early access version of what is to become the next major release of Solaris. And now it is coming. Stay tuned and check out the preview of Solaris 11 as soon as it comes out.
  • If you're involved in an OpenSolaris user group, not much has changed: Solaris continues to deliver great technologies and features that are just waiting to be discussed, tried out, put to practice and shared among other Solaris enthusiasts.
  • If you're a developer, now would be a good time to join the Oracle Technology Network to stay up to date on new developments around Oracle Solaris 11. BTW, this is a good idea regardless of whether you actually develop code yourself or just use Oracle Solaris.
  • And if you're an open source enthusiast who wants to contribute source to a Solaris project, you still have all the options: I hear that the Solaris people are hiring, there are numerous projects related to Solaris on OpenSolaris.org, lots of user groups in all places of the world to join and there's even a full spoon/fork (depending on how you look at it) of the core OpenSolaris OS and Networking bits to play with.

Conclusion

In conclusion: Watch out for real facts from authoritative sources and don't waste your time with speculations, gossip or other unreliable information. While Oracle's communication volume may have been a little more terse than Sun's, there's a lot of value in following Oracle's official announcements closely. Just remember to stick to the facts.

Solaris 11 is the future, and it will be the best release of Solaris ever. In fact, you can preview its technologies now by looking at OpenSolaris.org and by joining the Solaris 11 early access program once it opens.

The community around Solaris is starting to become more independent, and as a result it will only become stronger. This is a good thing, because it helps the cause of bringing great OS technology to a server near you, enhancing its potential and contributing new code, tools and applications to the Solaris 11 OS.

Remember: The owner may have changed, but the architects, developers, service people, SEs and the community behind Solaris are still the same. Yes, people leave and join companies, they start and abandon projects, but these are all signs of a living, breathing Solaris community.

More Takes, Opinions and Comments

However, I'm not the only blogger trying to do a reality check here, and it may be valuable for you to check out other opinions as well. Here are a few articles from similar or different, but interesting viewpoints:

Your Take

So the point is: Stick to the facts. Be constructive. RTFM. The idealism behind Solaris is technology oriented: It's all about the best innovations in operating system design ever, and how to make the best of them for businesses, users and developers.

What's your take? What are you looking forward to in Solaris 11? Leave a comment and share your take on Solaris 11 now!


New numbers of Solaris Cluster 3.2 core patches

Tue, 2010-08-17 16:44

There was a rejuvenation of the Solaris Cluster 3.2 core patch. The new patches are:
144220 Solaris Cluster 3.2: CORE patch for Solaris 9
144221 Solaris Cluster 3.2: CORE patch for Solaris 10
144222 Solaris Cluster 3.2: CORE patch for Solaris 10_x86
At this time these patches do NOT have the requirement to be installed in non-cluster single-user mode. They can be installed in order while the cluster is running, but they require a reboot.

Beware: the new patches require the previous version -42 of the SC 3.2 core patch.
126105-42 Sun Cluster 3.2: CORE patch for Solaris 9
126106-42 Sun Cluster 3.2: CORE patch for Solaris 10
126107-42 Sun Cluster 3.2: CORE patch for Solaris 10_x86
And the -42 patches still have the requirement to be installed in non-cluster single-user mode. Furthermore, carefully study the special install instructions and some entries of this blog.

The advantage is that once -42 is already applied, patching Solaris Cluster 3.2 becomes easier.

Certainly, it's possible to apply the new SC core patch at the same time as the -42 core patch in non-cluster single-user mode.

Oracle VM Server for SPARC

Tue, 2010-08-17 16:37
We are now six months past the acquisition of Sun by Oracle. Certainly a lot has changed, but with respect to SPARC virtualization, there's much more that hasn't changed. One big change for us is that Logical Domains has been re-branded as "Oracle VM Server for SPARC". Another adjustment is that we are more restricted in discussing future features & roadmap info than we were at Sun.

More importantly, here's what hasn't changed: the development team is essentially intact (we've lost a few and gained a few) and we remain fully engaged (in fact there was zero schedule impact caused by the acquisition). Our strategy and tactical roadmap have changed very little. If anything, Oracle is more committed to SPARC and our virtualization technology than Sun was. We continue to work on new features & releases exactly as we had been doing as part of Sun. Of course, there have been some tweaks to our priorities & feature set, and we are working to better integrate our technology with other products within Oracle, but the overall strategic direction has not changed. The bottom line is that everything's full steam ahead for LDoms / Oracle VM Server for SPARC.

Finally, go check out the story: Oracle VM Server for SPARC - Powering Enterprise-class Virtualization, currently featured at oracle.com, or go here.

Free Webinar Aug. 18: Quick-Start Compliance with Identity Analytics

Tue, 2010-08-17 16:25

Identity compliance projects don't have to be hard! The key to any successful project in IT is delivering value to the business quickly! It is critical to then leverage those early wins into larger wins for the organization. When I used to coach I likened this to walking up a staircase. McKinsey used the analogy to describe the approach successful companies took to manage successful growth. (take a look here)

Oracle Identity Analytics provides a set of tools that can help organizations take the first step up that staircase to compliance quickly. The approach allows organizations to show value quickly and then build upon those early wins to build better security into the organization. This webcast tomorrow will give insight into how organizations can build in proper segregation of duties, 360-degree reviews and proper attestation of roles. One customer of the product used to print out a conference room of paper and had his compliance auditors and business managers review the roles and access rights to meet compliance. Imagine if you had the tools to ensure you could make this process easier. Register today and find out how.

Register Today Here:

Customer Stories: Tackling Compliance Challenges with Oracle Identity Analytics

Date: Wednesday, August 18, 2010
Time: 10:00 am PT / 1:00 pm ET

Featured Speakers:

Naynesh Patel,
Partner,
Simeio Solutions

Neil Gandhi,
Principal Product Manager,
Oracle Identity Analytics,
Oracle Corporation


Don't Miss the Oracle Virtualization Online Forum

Tue, 2010-08-17 13:03

Don't Miss the Oracle Virtualization Online Forum
August 19th at 18:00 CET (Amsterdam)

Join us for the live Virtualization Online Forum, as Oracle’s Edward Screven, Chief Corporate Architect, and John Fowler, Executive Vice President, Systems, kick-off a full agenda of analyst, customer and product webcasts presenting how Oracle’s most complete and integrated virtualization delivers more value than VMware.

Throughout the event you’ll have a unique opportunity to participate in live chat with Oracle’s virtualization, database, middleware, and management experts to get answers to your toughest virtualization questions.

Learn how Oracle’s Virtualization can:

  • Virtualize and manage your full hardware and software stack, from applications to disk
  • Deliver significant operational and cost benefits beyond simple consolidation
  • Provide integrated support backed by Oracle's world-class support organization

By registering for this event you will be able to attend any of the live webcasts available during this forum.

Using Kerberos as Authentication Database in Oracle iPlanet Web Server on Solaris 10

Tue, 2010-08-17 12:48

This article describes how to use a Kerberos authentication database in Oracle iPlanet Web Server.

In this article, the KDC and the Web Server are set up on the same host (serverhost.your.domain.com), the Kerberos realm is YOUR.DOMAIN.COM, the DNS domain is your.domain.com and the client is on host clienthost.your.domain.com. Both the KDC/Web Server machine and the client machine run Solaris 10.

Make sure you configure DNS properly on KDC, server and client machines. 

"/etc/hosts" should have the KDC hostname and it must be the same on all machines. You can verify with:

# getent hosts serverhost.your.domain.com
<ip-address> serverhost.your.domain.com

Note that the first entry is of the form hostname.domain, not just hostname.
Clock Synchronization

All hosts that participate in the Kerberos authentication system must have their internal clocks synchronized within a specified maximum amount of time. Known as clock skew, this feature provides another Kerberos security check. If the clock skew is exceeded between any of the participating hosts, requests are rejected. The default value for the maximum clock skew is 300 seconds (five minutes).

One way to synchronize all the clocks is to use the Network Time Protocol (NTP) software. See Synchronizing Clocks Between KDCs and Kerberos Clients for more information.

Or you can also use rdate from the client host as shown below:

[clienthost]# rdate serverhost.your.domain.com

1. Configure Kerberos master KDC on Solaris 10

Install Solaris 10 with these options:
  • Enable Kerberos : Yes
  • Kerberos default realm : YOUR.DOMAIN.COM
  • Kerberos Admin Server and KDC : serverhost.your.domain.com
* Even if you did not, the configuration files can be edited manually.

1.1 Modify Kerberos configuration files

Modify the Kerberos configuration files as shown below.

/etc/krb5/krb5.conf

[libdefaults]
        default_realm = YOUR.DOMAIN.COM

[realms]
        YOUR.DOMAIN.COM = {
                kdc = serverhost.your.domain.com
                admin_server = serverhost.your.domain.com
        }

[domain_realm]
        .your.domain.com = YOUR.DOMAIN.COM

[logging]
        default = FILE:/var/krb5/kdc.log
        kdc = FILE:/var/krb5/kdc.log
        kdc_rotate = {
                period = 1d
                versions = 10
        }

[appdefaults]
        kinit = {
                renewable = true
                forwardable = true
        }
        gkadmin = {
                help_url = ...
        }

/etc/krb5/kdc.conf

[kdcdefaults]
        kdc_ports = 88,750

[realms]
        YOUR.DOMAIN.COM = {
                profile = /etc/krb5/krb5.conf
                database_name = /var/krb5/principal
                admin_keytab = /etc/krb5/kadm5.keytab
                acl_file = /etc/krb5/kadm5.acl
                kadmind_port = 749
                max_life = 8h 0m 0s
                max_renewable_life = 7d 0h 0m 0s
                default_principal_flags = +preauth
        }


/etc/krb5/kadm5.acl

*/admin@YOUR.DOMAIN.COM *


1.2 Start dns/client service on Master KDC

For Kerberos to work, the dns/client service must be started before you start any other Kerberos daemons. Edit /etc/resolv.conf to have nameserver entries and then enable the dns/client service using the svcadm command as shown below.


# svcadm -v enable -s dns/client
svc:/network/dns/client:default enabled.


1.3 Create principal database on master KDC

Create the principal database using kdb5_util.


# kdb5_util create -s

Initializing database '/var/krb5/principal' for realm 'YOUR.DOMAIN.COM',
master key name 'K/M@YOUR.DOMAIN.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:  <--- Enter password here
Re-enter KDC database master key to verify: <--- Enter the same password again

List the principals which were created by default with the listprincs command as shown below:

# kadmin.local

kadmin.local: listprincs

K/M@YOUR.DOMAIN.COM
changepw/serverhost.your.domain.com@YOUR.DOMAIN.COM
kadmin/changepw@YOUR.DOMAIN.COM
kadmin/history@YOUR.DOMAIN.COM
kadmin/serverhost.your.domain.com@YOUR.DOMAIN.COM
kiprop/serverhost.your.domain.com@YOUR.DOMAIN.COM
krbtgt/YOUR.DOMAIN.COM@YOUR.DOMAIN.COM
Make sure you have the three entries that step 1.5 adds to the keytab.

1.4 Add at least one Administrative Principal to the Kerberos database

The administrative principals created here should be the ones that were added to the ACL file.

# kadmin.local

kadmin.local: addprinc admin/admin@YOUR.DOMAIN.COM

WARNING: no policy specified for admin/admin@YOUR.DOMAIN.COM; defaulting to no policy
Enter password for principal "admin/admin@YOUR.DOMAIN.COM": <- Enter password here
Re-enter password for principal "admin/admin@YOUR.DOMAIN.COM": <- Enter the same password again
Principal "admin/admin@YOUR.DOMAIN.COM" created.
1.5 Create a keytab file for the kadmind service

Create the kadmin keytab with entries for these principals:

# kadmin.local
kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kadmin/serverhost.your.domain.com changepw/serverhost.your.domain.com kadmin/changepw

This command sequence creates a special keytab file with principal entries for kadmin/<FQDN> and changepw/<FQDN>. These principals are needed for the kadmind service and for passwords to be changed. Note that when the principal instance is a host name, the FQDN must be specified in lowercase letters, regardless of the case of the domain name in the /etc/resolv.conf file. The kadmin/changepw principal is used to change passwords from clients that are not running a Solaris release.

Use klist to inspect keytab file


# klist -k /etc/krb5/kadm5.keytab
Keytab name: FILE:/etc/krb5/kadm5.keytab
KVNO Principal
---------------------------------------------------------
   3 kadmin/serverhost.your.domain.com@YOUR.DOMAIN.COM
   3 kadmin/serverhost.your.domain.com@YOUR.DOMAIN.COM
   3 kadmin/serverhost.your.domain.com@YOUR.DOMAIN.COM
   3 kadmin/serverhost.your.domain.com@YOUR.DOMAIN.COM
   3 kadmin/changepw@YOUR.DOMAIN.COM
   3 kadmin/changepw@YOUR.DOMAIN.COM
   3 kadmin/changepw@YOUR.DOMAIN.COM
   3 kadmin/changepw@YOUR.DOMAIN.COM
   3 changepw/serverhost.your.domain.com@YOUR.DOMAIN.COM
   3 changepw/serverhost.your.domain.com@YOUR.DOMAIN.COM
   3 changepw/serverhost.your.domain.com@YOUR.DOMAIN.COM
   3 changepw/serverhost.your.domain.com@YOUR.DOMAIN.COM
1.6 Create /etc/krb5/krb5.keytab

Some programs like telnet by default look for /etc/krb5/krb5.keytab, so we create a softlink as shown below:

# ln -s /etc/krb5/kadm5.keytab /etc/krb5/krb5.keytab
1.7 Start Kerberos Daemons on Master KDC
Use svcadm command to start Kerberos daemons krb5kdc and kadmin as shown below


# svcadm -v enable -s krb5kdc
svc:/network/security/krb5kdc:default enabled.

# svcadm -v enable -s kadmin
svc:/network/security/kadmin:default enabled.

Also, make sure that the ktkt_warn service is online.

# svcs | grep security
online       Apr_17   svc:/network/security/ktkt_warn:default
online        0:37:21 svc:/network/security/krb5kdc:default
online        0:37:26 svc:/network/security/kadmin:default

Use the svcadm command to start the time services as well:

# svcadm -v enable -s time:stream time:dgram
svc:/network/time:stream enabled.
svc:/network/time:dgram enabled.

1.8 Create host and HTTP principal on KDC, and extract its keys into keytab
Create host and HTTP principal on KDC and extract them to keytab file as shown below

# kadmin -p admin/admin
kadmin: addprinc -randkey host/serverhost.your.domain.com
WARNING: no policy specified for host/serverhost.your.domain.com@YOUR.DOMAIN.COM; defaulting to no policy
Principal "host/serverhost.your.domain.com@YOUR.DOMAIN.COM" created.
kadmin: addprinc -randkey HTTP/serverhost.your.domain.com
WARNING: no policy specified for HTTP/serverhost.your.domain.com@YOUR.DOMAIN.COM; defaulting to no policy
Principal "HTTP/serverhost.your.domain.com@YOUR.DOMAIN.COM" created.
kadmin: ktadd -k /etc/krb5/kadm5.keytab host/serverhost.your.domain.com

kadmin: ktadd -k /etc/krb5/kadm5.keytab HTTP/serverhost.your.domain.com

*Note that when the principal instance is a host name, the FQDN must be specified in lowercase letters.
1.9 Create a user "testuser" and add it to KDC

For testing, add a user "testuser", set its password and add this principal to the KDC.

# useradd -u 400 testuser
# passwd testuser
...
# kadmin -p admin/admin
kadmin: addprinc testuser
WARNING: no policy specified for testuser@YOUR.DOMAIN.COM; defaulting to no policy
Enter password for principal "testuser@YOUR.DOMAIN.COM": <- Enter password here
Re-enter password for principal "testuser@YOUR.DOMAIN.COM": <- Enter the same password again
Principal "testuser@YOUR.DOMAIN.COM" created.
1.10 Configure slave KDCs as given in "Solaris 10 - System Administration Guide: Security Services" (optional)
But for simplicity this can be skipped.
2. Oracle iPlanet Web Server Configuration
2.1 Install Oracle iPlanet Web Server on the machine where KDC is installed.
In this case, for simplicity, Oracle iPlanet web server is installed on the same machine as master KDC.
2.2 Copy keytab file and make sure that the user running the Web Server instance has file system permissions
If the Web Server instance is running as "webservd" (or any user other than root), it doesn't have permission to read /etc/krb5/kadm5.keytab. So copy the file as shown below and change its owner.

# cd https-<instance>/config
# cp /etc/krb5/kadm5.keytab kadm5.keytab
# chown webservd:webservd kadm5.keytab
2.3 Create Kerberos Authentication Database in Web Server

To create an authentication database through Administration CLI, execute the following wadm commands.

wadm> create-kerberos-authdb --config=test --service-name=HTTP my-kerberos

wadm> set-config-prop --config=test krb5-keytab-file=kadm5.keytab

* Refer to the latest Web Server documentation for details.

After this, server.xml should have these new entries :

<auth-db>
<enabled>true</enabled>
<name>my-kerberos</name>
<url>kerberos</url>
<property>
<name>servicename</name>
<value>HTTP</value>
</property>
</auth-db>

<krb5-keytab-file>kadm5.keytab</krb5-keytab-file>


2.4 Add the following ACL to the ACL file
Using the Administration GUI/CLI, add an ACL for the /krb URI so that only authenticated users are allowed access. The ACL file should then contain an ACL like this:

acl "uri=/krb/";
authenticate (user, group) {
    method = "gssapi";
    database = "my-kerberos";
};
deny (all) user="anyone";
allow (all) user="all";
You can set the last allow ACE to user="testuser@YOUR.DOMAIN.COM" instead of user="all" to limit access to that one principal; with user="all", any principal whose ticket the web server can validate is let in.
2.5 Add test.html to the krb directory under the document root
3. Configure Kerberos Client
      On client host (in this case it is clienthost.your.domain.com)
3.1 Copy the /etc/krb5/krb5.conf file from the KDC.
3.2 Obtain a Kerberos ticket-granting ticket for the "testuser" principal: add the user testuser and request a ticket for that user

[clienthost]# useradd -u 400 testuser
[clienthost]# passwd testuser
...
[clienthost]# kinit testuser
Check that the ticket exists with the klist command, as shown below:

[clienthost]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: testuser@YOUR.DOMAIN.COM

Valid starting                Expires                Service principal
07/01/10 01:06:48  07/01/10 09:06:48  krbtgt/YOUR.DOMAIN.COM@YOUR.DOMAIN.COM
        renew until 07/08/10 01:06:48
07/01/10 01:09:03  07/01/10 09:06:48  host/serverhost.your.domain.com@YOUR.DOMAIN.COM
        renew until 07/08/10 01:06:48
3.3 Testing if Kerberos was setup properly (optional)
3.3.1 Check for these entries in pam.conf. They are needed only to test that telnet is kerberized. Entries in pam.conf:
ktelnet auth required pam_unix_cred.so.1
ktelnet auth binding pam_krb5.so.1
ktelnet auth required pam_unix_auth.so.1
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1

other session required pam_unix_session.so.1

other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
3.3.2 Make sure that telnetd is running on server.
3.3.3 Testing with telnet
[clienthost]# telnet -a -F -l testuser serverhost.your.domain.com
Trying <ip-address-of-server>...
Connected to serverhost.your.domain.com.
Escape character is '^]'.
[ Kerberos V5 accepts you as ``testuser@YOUR.DOMAIN.COM'' ]
[ Kerberos V5 accepted forwarded credentials ]
...

The login above should complete without a password prompt, which shows that Kerberos is set up properly. The "accepted forwarded credentials" line is the effect of -F: the client forwarded a copy of testuser's TGT to serverhost, so use that option only with hosts you trust to hold your credentials.

3.4 Settings in the Firefox/Mozilla browser
Open the Mozilla/Firefox browser. In the URL bar type about:config and set network.negotiate-auth.trusted-uris and network.negotiate-auth.delegation-uris to http://serverhost.your.domain.com,https://serverhost.your.domain.com. trusted-uris lists the sites the browser will send Negotiate tokens to; delegation-uris additionally lets those sites receive a forwarded copy of the user's TGT, which the test page here does not need, so set it only if the web server must act on the user's behalf against other Kerberized services.
3.5 Access Web Server content using the Mozilla/Firefox browser

On Mozilla/Firefox, access http://serverhost.your.domain.com/krb/test.html. This should bring up the test.html page

On the command prompt type # kdestroy. This should destroy the existing ticket issued to testuser

On Mozilla/Firefox now access http://serverhost.your.domain.com/krb/test.html. This should bring up Unauthorized page.

Enable SSL/TLS on the Web Server and repeat the same steps over https://.... Kerberos protects the authentication exchange itself, but over plain http the page content and any session cookies travel in the clear, so use https for anything beyond this test.


This is what happens between the browser and the Web Server when /test.html is accessed (ignoring the browser -> KDC and Web Server -> KDC interactions).

Browser to Web Server:

GET /test.html HTTP/1.1
Host: ...
...

Web Server to Browser:

HTTP/1.1 401 Unauthorized
Server: Sun-Java-System-Web-Server/7.0
Www-authenticate: Negotiate
...

<HTML><HEAD>
<TITLE>Unauthorized</TITLE>
</HEAD>
...

Browser to Web Server:

GET /test.html HTTP/1.1
Host: ...
Authorization: Negotiate <gssapi-data>
...

Web Server to Browser:

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Www-authenticate: Negotiate <gssapi-data>
Content-type: text/html
...

This is test.html
  • The browser sends a plain GET request.
  • The Web Server returns a 401 Unauthorized response with a "Www-authenticate: Negotiate" header, telling the browser that it may authenticate with a GSS-API token.
  • The browser obtains a service ticket for HTTP/serverhost.your.domain.com from the KDC (using the TGT that kinit cached) and resends the request with an "Authorization: Negotiate <gssapi-data>" header carrying that token.
  • The Web Server validates the token with the key from its keytab and returns a 200 OK response with the requested content; the "Www-authenticate: Negotiate <gssapi-data>" header on this response carries the server's half of the exchange, which lets the browser confirm that the server really holds the HTTP service key (mutual authentication).
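The <gssapi-data> in the exchange above is a base64-encoded GSS-API token. From a browser it is normally a SPNEGO NegTokenInit that lists the mechanisms the client is willing to use (Kerberos first, if things are configured correctly) together with an optimistic Kerberos AP-REQ. When a client gets the Unauthorized page instead of test.html, or when you want to know whether a client is quietly offering NTLM ahead of Kerberos, it helps to decode what was actually sent. The script below does that for a request header value. It is an added example, not code from the original page or from the Web Server; the tokens it builds at the bottom are constructed, with placeholder bytes where a real AP-REQ would be, and names such as inspect_negotiate and neg_token_init are the example's own.

```python
"""Decode the token a browser sends in "Authorization: Negotiate <...>" and
report which GSS-API mechanism it offers.  Added example, not code from the
original page; the sample tokens at the bottom are constructed placeholders."""
import base64

# Mechanism OIDs as DER content bytes: SPNEGO (RFC 4178), Kerberos 5 (RFC 4121),
# Microsoft's legacy Kerberos OID, and NTLMSSP.
SPNEGO_OID = bytes.fromhex("2b0601050502")           # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")       # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")    # 1.2.840.48018.1.2.2
NTLMSSP_OID = bytes.fromhex("2b060104018237020a")    # 1.3.6.1.4.1.311.2.2.10
OID_NAMES = {SPNEGO_OID: "SPNEGO", KRB5_OID: "Kerberos 5",
             MS_KRB5_OID: "MS Kerberos 5", NTLMSSP_OID: "NTLMSSP"}
KERBEROS = {"Kerberos 5", "MS Kerberos 5"}

def tlv(tag, body):
    """Encode one DER TLV (single-byte tag, short or long length form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def read_tlv(buf, pos=0):
    """Parse the TLV at buf[pos:]; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(buf):
    """Yield (tag, content) for each TLV inside a constructed element."""
    pos = 0
    while pos < len(buf):
        tag, content, pos = read_tlv(buf, pos)
        yield tag, content

def inspect_negotiate(header_value):
    """Classify a 'Negotiate <base64>' request header value.  The Web Server's
    GSS library does the real verification; this only decodes the framing."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header")
    token = base64.b64decode(b64)
    r = {"kind": "", "mechanism": "", "mech_types": [], "verdict": ""}
    if token.startswith(b"NTLMSSP\x00"):            # bare NTLM, no GSS framing at all
        r.update(kind="raw NTLM", mechanism="NTLMSSP", verdict="reject: raw NTLM, no Kerberos")
        return r
    tag, body, _ = read_tlv(token)
    if tag != 0x60:                                  # RFC 2743 3.1 InitialContextToken
        raise ValueError("not a GSS-API initial context token (tag 0x%02x)" % tag)
    oid_tag, oid, pos = read_tlv(body)               # thisMech OID comes first
    if oid_tag != 0x06:
        raise ValueError("missing thisMech OID")
    r["mechanism"] = OID_NAMES.get(oid, "unknown OID " + oid.hex())
    if oid != SPNEGO_OID:                            # Kerberos without SPNEGO, or something odd
        r["kind"] = "raw GSS token"
        r["verdict"] = ("ok: Kerberos without SPNEGO" if oid in (KRB5_OID, MS_KRB5_OID)
                        else "reject: unexpected mechanism")
        return r
    choice_tag, neg_init, _ = read_tlv(body, pos)    # [0] NegTokenInit ::= SEQUENCE { [0] mechTypes, ... }
    if choice_tag != 0xA0:
        raise ValueError("SPNEGO token is not a NegTokenInit")
    r["kind"] = "SPNEGO NegTokenInit"
    for t, content in children(read_tlv(neg_init)[1]):
        if t == 0xA0:                                # mechTypes, in the client's preference order
            r["mech_types"] = [OID_NAMES.get(m, m.hex()) for _, m in children(read_tlv(content)[1])]
    offered = r["mech_types"]
    if offered and offered[0] in KERBEROS:
        r["verdict"] = "ok: SPNEGO preferring Kerberos"
    elif KERBEROS & set(offered):
        r["verdict"] = "warn: Kerberos offered but not preferred, NTLM fallback likely"
    else:
        r["verdict"] = "reject: no Kerberos mechanism offered"
    return r

# Constructed sample tokens; the inner bytes stand in for a real Kerberos AP-REQ.
def neg_token_init(mech_list, mech_token):
    """Client's first SPNEGO token inside the RFC 2743 [APPLICATION 0] framing."""
    mech_types = tlv(0x30, b"".join(tlv(0x06, m) for m in mech_list))
    seq = tlv(0x30, tlv(0xA0, mech_types) + tlv(0xA2, tlv(0x04, mech_token)))
    return tlv(0x60, tlv(0x06, SPNEGO_OID) + tlv(0xA0, seq))

def header(token):
    return "Negotiate " + base64.b64encode(token).decode()

KRB_FIRST = header(neg_token_init([KRB5_OID, MS_KRB5_OID, NTLMSSP_OID], b"\x6e\x04FAKE"))
NTLM_FIRST = header(neg_token_init([NTLMSSP_OID, KRB5_OID], b"NTLMSSP\x00\x01"))
RAW_KRB5 = header(tlv(0x60, tlv(0x06, KRB5_OID) + b"\x6e\x04FAKE"))
RAW_NTLM = header(b"NTLMSSP\x00\x01\x00\x00\x00")

if __name__ == "__main__":
    for h in (KRB_FIRST, NTLM_FIRST, RAW_KRB5, RAW_NTLM):
        r = inspect_negotiate(h)
        print("%-20s %-14s %s" % (r["kind"], r["mechanism"], r["verdict"]))
```

Paste the value of an Authorization header captured on the wire or logged by a proxy into inspect_negotiate; the "warn" verdict is the one to look for when a browser is falling back to NTLM instead of using the ticket that kinit obtained. The server's own token in the 200 OK is a SPNEGO negTokenResp sent without the outer [APPLICATION 0] framing and is not decoded here.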
The access log of the Web Server instance shows two entries for this exchange, the anonymous 401 and the authenticated 200, in this log format:

format=%Ses->client.ip% - %Req->vars.auth-user% [%SYSDATE%] "%Req->reqpb.clf-request%" %Req->srvhdrs.clf-status% %Req->srvhdrs.content-length%

<client-ip-address> - -                                                [<date-and-time>]  "GET /test.html HTTP/1.1" 401 223
<client-ip-address> - testuser@YOUR.DOMAIN.COM [<date-and-time>]  "GET /test.html HTTP/1.1" 200 18


How to Prepare for Attending a NetBeans Platform Training

Tue, 2010-08-17 10:39
The latest NetBeans Weekly Newsletter reveals that there are many NetBeans Platform trainings coming up. If you're about to attend one, you might be wondering how best to prepare for the event. What should be on your laptop? Are there any special plugins you need to install? Any special reading you need to do?

Here are my recommendations for preparing for a NetBeans Platform training:

  • Get the Smallest Relevant & Newest NetBeans IDE Distribution. You'll be learning how to create Swing applications. So why do you have the "All" distribution installed? Get the smallest relevant version of the latest release of NetBeans IDE. To do this, go to the Downloads page, find the latest version (leftmost tab on the page, i.e., 6.9.1, at the time of writing), and download the "Java SE" distribution.

    Already have a different distribution installed? Not to worry. Get the above distribution and use that throughout the course. The smallest distribution has the modules you need and nothing extra. That will speed up start up time during the course, as well as performance. Plus there won't be all sorts of features that you won't need to use but that will confuse you when you see them.

  • Get a Fresh User Directory. The user directory is where all the customizations you make in NetBeans IDE are found. For example, when you move a window to a different place in the IDE, that new place is stored in the user directory so that at the next start up of the application the customized position of the window is used instead of its default position. Possibly you've been using the same user directory for many months or years and things might have got messed up, from release to release. Start the NetBeans Platform training with a clean slate. Remove the user directory and then, when the IDE starts up again, a new user directory is created for you. Don't know what or where the user directory is? Read this FAQ.

  • Get the NetBeans API Javadoc Plugin. Go to Tools | Plugins and then go to the "Available Plugins" tab. In the "Search" box, type "NetBeans API". The filter then shows you "NetBeans API Documentation". Install it. Now you'll be able to browse the javadoc of the NetBeans API classes (such as "TopComponent") in the NetBeans Java editor. You will also be able to look at the source code of the NetBeans API classes, from within the NetBeans Java editor (press Ctrl-Click on a class name and then you will be able to hyperlink into the source code).

That's it. You're ready for the course. The above are the only things you need to do to get ready.

In addition to the above, though, if you'd like some additional extra tasks, just to get slightly more prepared than the bare essentials, consider the following, purely as optional things:

  • Get familiar with NetBeans IDE. During the course, NetBeans IDE is used as the development environment for learning about the NetBeans Platform, simply because it provides templates and other tools that other IDEs lack. If you're not familiar with NetBeans IDE, not to worry. You'll pick up everything you need during the course. But, just to prepare, you can have a look at the Keyboard Shortcuts Card under the Help menu, where you'll find many tips and tricks. Also, have a look through some of the NetBeans IDE documents on the Documentation, Training, and Support page, just to get a feel for the things that NetBeans IDE provides.

  • Get Familiar with the NetBeans Platform. Go to the NetBeans Platform Homepage (which has just been redone) and look at the various resources available, in particular, take a few of the beginner tutorials on the NetBeans Platform Learning Trail. Highly recommended is the Essential NetBeans Platform Refcard, which will give you a good feel for everything that the NetBeans Platform provides. The NetBeans Platform Screenshots page can serve as inspiration for the cool applications you'll be able to create after completing the course.

Tip. In general, it's a good idea to run through one tutorial in the IDE, just to see that everything is working as you would expect and so that you can tell the trainer right at the start about any problems you've encountered in your installation of NetBeans IDE. Better to have problems known up front than to discover them later and have those problems slow down the course.

Have fun at your NetBeans Platform training session!

Oracle VDI 3.2 In Action!

Tue, 2010-08-17 06:53

An attempt to use Jing here.  Even went "Pro".  Still a five minute limit and I got cut short, but you'll get the gist.  Check out the functionality!  Big hat tip to the folks in Hamburg, Leeds, and Dublin.  :)  (I just realized I have 2GB traffic limit per month with pro...I'll see what I can do)

(And no, I cannot tell you why Javier was not ruled offsides there. )





Oh, and Jaap...this is for you.

advice from a master teacher

Tue, 2010-08-17 06:41
My father Greig Rose was a college science teacher for about 35 years, mostly at West Valley College. He also served on faculty at West Point. As a youngster I learned the genetic code watching him teach the cadets. Later on, interesting classes were routinely available to me. Growing up in an educator's house was a privilege and a blessing. It is one of the main reasons I have been directly involved in my own children's education, to the point of home schooling and volunteer teaching.

Tonight my father and I were talking about education, with the end of the summer and fall classes coming on. He is glad to be retired, but he is still a teacher at heart. I asked him, “What is your best advice to teachers?” Here is the answer he gave, as well as I can reconstruct it.

“Listen” is the first word. Listen to your students with your eyes and ears. Understand how they are approaching the class, and whether they are understanding the lesson. If you are sending a message, but they are not receiving, no communication is happening. Ask questions.

Aim for self-education, and model it. Show them how to learn for themselves. In a typical class, you will teach them a few cardinal facts of subject matter, and show them ways to fill in everything else later. Encourage questions. Be willing to say “I don't know; let's find out”.

Allow a little chaos into the classroom, to make room for conversation and discovery. Tightly scripted lesson plans do not work. On the other hand, know where you are going. Have clear class objectives and lesson plans, and steer the interactive conversations back to the class objectives.

To make students accountable for the required reading, give take-home quizzes to be turned in at the beginning of each week. Make each quiz from a handful of simple write-in questions drawn from the text. Give the quizzes significant weight, as a group. Allow students to use any resources to answer the question, but do it in a way that makes reading the text the easiest way to get it done. Allow students to work together on the quizzes. Study groups are good, as long as they are not too large. If this is done well, nearly all students will put in the work and gain nearly all the points. Then, in your lectures, you can then assume the basic reading work has been accomplished.

For science classes, know that you will be teaching a field that changes each year. The internet is a good source for new information, better than the paper journals of yesteryear. For classic humanities, what is new each year is the teacher's deepening understanding of the subject matter.

When tackling a difficult text, as in a humanities class, use a three-phase process: First observe, then interpret, then apply. (To me, this reflects the phases of the classical Trivium: grammar, logic, rhetoric; or, facts, ideas, actions.) This three-phase process works both for individual study and for discussion.

Of course, every subject is new to each new student. Listen to them and help them discover.

Pluggable Accordion

Mon, 2010-08-16 19:59
In exchange for blogging about them, I've been given a free look at the new Java Swing Components. Here's the Accordion component in action within a NetBeans Platform application:

All the components provided by Java Swing Components rely on a formatting rule engine to determine how text is rendered, which is what allows you to mix and match fonts, colors, and other font styles in a single wrapped label, which is one of the other components provided by Java Swing Components. The Accordion's cell renderers make use of the same formatting engine to determine rendering, which allows you to mix and match fonts and formatting rules in the accordion tabs as well:

    // Create a new TabRenderer based on the steel UI:
    SteelVerticalTabRenderer steelTabRenderer = new SteelVerticalTabRenderer(accordion);
    // Hide the index to make the most use of limited space:
    steelTabRenderer.setShowIndex(false);
    // Apply normal text rules to determine how normal text is rendered:
    steelTabRenderer.setNormalTextFormattingRules(
        new TextFormattingRuleBuilder().createRule()
            .setFontSize(12)
            .setFontFamily(getFont().getFamily())
            .setForeground(Color.BLACK)
            .build()
    );
    // Apply mouse over text rules to determine how text is displayed when the mouse is over the tab:
    steelTabRenderer.setMouseOverTextFormattingRules(
        new TextFormattingRuleBuilder().createRule()
            .setFontSize(12)
            .setFontFamily(getFont().getFamily())
            .setWeight(Weight.BOLD)
            .build()
    );
    // Apply selected text rules to determine how text is displayed when the tab is selected:
    steelTabRenderer.setSelectedTextFormattingRules(
        new TextFormattingRuleBuilder().createRule()
            .setFontSize(12)
            .setFontFamily(getFont().getFamily())
            .setForeground(new Color(70, 25, 121))
            .setWeight(Weight.BOLD)
            .build()
    );
    accordion.setVerticalAccordionTabRenderer(steelTabRenderer);

The above results in the following rendering:

It reminds me a bit of the Eclipse PShelf Widget and the JOutlookBar, which I blogged about here.

In a modular application, each of the tabs could be contributed by a different module, as illustrated in the Pluggable JXTaskPane article. Modularity really enriches a component such as the above, since simple tabs could be provided for free (via free plugins), while more complex tabs could be part of a pricing strategy, which could then be installed (explicitly or silently) once the purchase has been processed.

Each of the components provided by Java Swing Components is accompanied by sample code and by a very clear PDF file that documents the main features of the component in question. In the case of the Accordion component, you can create new tabs, listen to tab changes, change the look and feel, and customize the accordion (background painter, accordion tab renderer, and you can even create a custom accordion UI).

It is a project worth supporting!

New draft of Defender Methods

Mon, 2010-08-16 19:10
I've posted a new draft of the interface evolution document here

essbase on solaris – are you mad?

Mon, 2010-08-16 15:50
Several years ago Sun began a project to update and consolidate the business intelligence tools used at Sun and we decided on Hyperion as we had a variety of Hyperion tools already: Brio, Essbase. This was a few years before the Oracle acquisition of Hyperion and we wanted to run on Solaris.

This meant we were one of the first customers to run the Hyperion suite on Solaris and I frequently had conversations with other Hyperion experts similar to the title of this post and was also told that essbase was designed on windows and would therefore run best on windows.

Oracle updates its systems strategy

Mon, 2010-08-16 11:41


I am still on holiday, but on the 10th John Fowler, executive vice president of systems, gave a talk that was broadcast over the web and is now available at this address, and I want to leave a brief review of it. The slides I include are part of the presentation available at this other address.

First, so as not to take the content out of context, recall that Oracle states at the start of the presentation that the aim of the session is to present the evolution of the products in general terms, and that this information can under no circumstances constitute a contractual commitment or be the basis for any purchasing decision by customers, since Oracle reserves the exclusive right to set the scope and timing of any functionality presented here.

So what we have is a presentation of the strategy and goals for the next five years, which, despite all the restrictions noted at the start, matters to current healthcare users and future customers in order to understand the planned roadmap.

In addition to the reinforced commitment to Solaris as the enterprise operating system par excellence, both on Oracle's SPARC and x86 and on other platforms, as the recent announcement of availability on Dell and HP equipment confirms, I include the summary of the strategy for servers, storage, virtualization and complete hardware-software solutions, of which Exadata V2 is the first major example.

I hope the selected slides are legible and, in any case, remember that the original source is at this address. Meanwhile, since it is summer, I close with a photo of one of the places where I go walking these days.



Spending quality time with the Java EE 6 Tutorial(s)

Mon, 2010-08-16 11:00

If you're finding summer to be a good time to learn something new, you could look at the Java EE 6 tutorial. This book makes for a complete and detailed reference for anyone wanting to learn and use Java EE 6.

What is now available is the first part of the tutorial with the second part out soon before JavaOne (September 2010). A recent episode of the Oracle Author Podcasts explains what to expect and how the tutorial is structured.

Both tutorials (part 1 and 2) contain sample code which you'd probably want to try out for yourself, so you could simply download and install Java EE 6 SDK or GlassFish Open Source Edition 3.0.1 and get both the tutorial and examples straight from the Update Center.

This tutorial will also be published by Addison-Wesley as part of the Java Series. The title of the first part is The Java EE 6 Tutorial: Basic Concepts (600 pages) while the second part will be called Advanced Topics (408 pages).

Talk at the DOAG 2010 conference

Mon, 2010-08-16 07:41
I just had a look at the conference news for DOAG 2010: my talk "Performance Analyse - oder: Was macht eigentlich mein Solaris?" (performance analysis, or: what is my Solaris actually doing?) takes place on 18 November 2010 from 10:00 to 10:45 in room 19 at the CongressCenter Nürnberg.

World’s First Pavlova Western

Mon, 2010-08-16 02:25

Many months ago, I was lucky to be involved in the shooting of a western film – more appropriately, the world’s first Pavlova Western. Most people will be familiar with the concept of a Spaghetti Western, but now Mike Wallis (my brother in law) and his fiancée Inge Rademeyer from Mi Films have extended that concept to New Zealand.

They are currently in post-production mode bringing all the pieces together, including an incredible music score from John Psathas (recently awarded Officer of the New Zealand Order of Merit for his Athens Olympics work). Jamie Selkirk (who received an Academy Award for his work on the Lord of the Rings trilogy) has also come on board to give them financial support to put the film through the final stages at Weta’s Park Road Post Production studios.

And to top it all off, last week they appeared on TV One’s Close Up. Check out the following video -

[http://www.youtube.com/v/Bhx9NiG9uhs]

You can check their progress on the Facebook Pavlova Western group and the Pavlova Western blog.