I have a problem.

In our company we use MS Exchange as a mail server and we’re away from the company network we can connect to Exchange via a special VPN software. This software disconnects pretty often. When I reconnect it takes quite a while for Outlook to figure out there a working connection. It does eventually but I have to wait for that to happen since I want to make sure a mail is being sent correctly.

I found out that setting “Work offline” on and off quickly makes Outlook connect a lot faster:

There’s this problem though – it’s tedious to go click on the menu and then on the menu item so many times per day. So a solution:

1. Right click somewhere on the toolbar –> Customize:
   
   
   
   
2. Make a new toolbar:
    
   
   
3. Then the most unnatural step – drag the menu item from the File menu to the new toolbar:
   
   
   
4. Press Ctrl while dragging, this way the button will be copied, not moved.
5. That’s pretty much it. Now pressing the button quickly is very easy:
   

Участвам в избираем курс във ФМИ и днес мина първата ми лекция.

Курсът се казва “Социални мрежи” (официално “Теория на мрежите”) и основната му цел е да запознае студентите с Facebook, Twitter, LinkedIn и други от гледната точка на разработчиците на софтуер.

В него ще бъдат обяснени понятия като социални медии, семантични мрежи и други, но основната му цел е да покаже как се разработват приложения за основните социални мрежи.

Най-популярният програмен език в тази сфера е PHP, а база – MySQL.

Моята задача беше да запозная студентите с SQL като език и MySQL като сървър.

Сайтът на курса е http://socialnetworks.dev.bg/

Лекцията е тук: Databases 101 with MySQL.

This is an addendum to http://mihail.stoynov.com/blog/2009/03/12/CertificatesKeystoresJavaKeytoolUtilityAndOpenssl.aspx 

Key file is a format that keeps the private key in unencrypted format. It does not keep the certificate.

Converting pem –> key

openssl rsa –in mycompany.pem –out mycompany.key

Check out a certificate (pem, key)

openssl x509 –in mycompany.pem -text –noout
openssl x509 –in mycompany.key -text –noout

Output the private key

openssl rsa –in mycompany.key
openssl rsa –in mycompany.pem

(if they’re the sam certificate, they output the same thing).

Output the private key in readable format

openssl rsa –in mycompany.key –text
openssl rsa –in mycompany.key –text –noout (omit the binary part)
openssl rsa –in mycompany.pem –text
openssl rsa –in mycompany.pem –text –noout (omit the binary part)

Update:

Launch small https server to test a certificate

# on one host, set up the server (using default port 4433)
openssl s_server -cert mycert.pem –www

Check the speeds to that server

# on second host (or even the same one), run s_time
openssl s_time -connect myhost:4433 -www / -new -ssl3

The article is written based on Windows Server, CollabNet Subversion 1.6.1, Apache 2.2. Windows XP or Vista would do as well.

Subversion comes with it’s own server – svnserve. By default there is no security. One can install svn+ssh, but on a windows server and windows client that is a bit stupid.

The other option is to setup an Apache server with mod_dav and mod_dav_svn. Fortunately the CollabNet Subversion binary comes with Apache pre-bundled with those modules. The binary even installs viewvc, which is rather nice.

Installation steps.

After installing the bundle, however, there are a lot of things to do. Most of them manually. I’ll try to describe most of them here.

Download Collabnet Subversion Server binary from CollabNet (no other place to download it from). Registration required.

So we decided to use Apache instead of svnserve, so while installing one doesn’t have to make it a service. Only Apache should be installed as a service. Another pro for Apache is that it can host multiple SVN repositories as opposed to only one by svnserve AFAIK.

Now is the time to suggest that one make the Apache server run with limited credentials. By default the service would be running with Local System account which has more privileges than God the users in the Administrators group. The concrete steps would be to create one user with compmgmt.msc. Remove it from the Users group (which removes all the default privileges) and give this user Modify right for the httpd directory (one will most probably find it in C:\Program files\Subversion\httpd) and all the repositories.

The configuration. When installing Apache asks where is the repositories basedir. Using a basedir means that all the repositories are subdirectories of the basedir:

Subversion/httpd/conf/httpd.conf:

<Location /svn>
  DAV svn
  SVNParentPath "D:/SVN Repositories/"    <— put the qoutes. installer does not do it
</Location>

Note: by default the installer does not put quotes around the dir, so if there are space characters, the server will not start. One should put the quotes himself/herself.

Now is the time to say that the Apache server is very verbose. Every error show up in the Event Viewer in the Applications tab. There are always pretty good descriptions of what is wrong. I definitely like this feature of Apache. Unfortutely one has to use Google to figure how to fix it.

Another place to look for errors is httpd/logs/errors.log. Pretty readable. I’m positively surprised.

I don’t like the basedir approach – repositories with me are in different dirs. I do it like this

<Location /svn/mycompany>
   DAV svn
   SVNPath "D:/My Company/Repository"                   <— put the qoutes
</Location>

Authentication. Very shortly – http basic and http digest. Http basic is very insecure (only base64). Http basic looks like this:

<Location /svn/mycompany>
   DAV svn
   SVNPath "D:/My Company/Repository"
   AuthType Basic
   AuthName "MyCompany subversion repository"
   AuthUserFile "C:\Program Files\Subversion/httpd/conf/svn_auth_file"
   Require valid-user
</Location>

Now, how to make the user’s file (svn_auth_file). Use htpasswd (only for http basic):

C:\Program Files\Subversion\httpd\bin>htpasswd -cm ..\conf\svn_auth_file mihail
New password: ******
Re-type new password: ******
Adding password for user mihail

C:\Program Files\Subversion\httpd\bin>htpasswd -m ..\conf\svn_auth_file ivan
New password: *****
Re-type new password: *****
Updating password for user ivan

The first time –c is used to create the file. Any subsequent user is with –m only (which stands for MD5 as far as I remember).

svn_auth_file:

mihail:$apr1$AzWq5tu5$k554PODb79n9TZwBxBDh..
ivan:$apr1$hlr9s6gK$oFLP1WtwvOLczyUSiP10v/

For http digest the configuration first the module has to be uncommented in httpd.conf:

LoadModule auth_digest_module modules/mod_auth_digest.so    <—uncomment this line

the configuration for the location is the following:

<Location /svn/mycompany>
…
AuthType Digest
…

And users are made with htdigest:

C:\Program Files\Subversion\httpd\bin>htdigest.exe –c ../conf/svn_auth_file "MyCompany subversion repository" mihail
Adding user mihail in realm MyCompany subversion repository
New password: ******
Re-type new password: ******

C:\Program Files\Subversion\httpd\bin>htdigest.exe ../conf/svn_auth_file "MyCompany subversion repository" ivan
Adding user ivan in realm MyCompany subversion repository
New password: ******
Re-type new password: ******

The file svn_auth_file looks a bit different now:

mihail:MyCompany subversion repository:3d16aced3eac2fc74ce5663df86d145b
ivan:MyCompany subversion repository:3ff20546c01028d5008651445b62d2e0

Note: keep in mind that the realms in svn_auth_file and the <Location AuthName should match.

Note: do not confuse htpasswd and htdigest. They produce users for http basic and http digest respectively and are not interchangeable.

For now there is a pretty usable svn server that supports multiple repositories and digest auth. But the communication with the server is plain and unencrypted http.

The svnbook is available here (most up-to-date version 1.5): http://svnbook.red-bean.com/en/1.5/svn.serverconfig.httpd.html. The chapter for servers is Chapter 6.

The next part is how to setup a SSL on top of Apache.

I just watched the 2005 movie Good Night, and Good Luck. It basically depicts the communist witch-hunt that happened in the US just after the WWII. It's very moving and a bit sad (especially at the end with the faith of the main character).

The movie made me spend some time on Wikipedia reading about McCarthy, Murrow and Hollenbeck. Very interesting. Makes one think whether we have the same media now.

Directed by George Clooney. 6 Academy awards nominations. Highly recommended.

Do the following multiple times:


The first time you do it the container.root.ca.jks would be created. The subsequent times it will just be filled up with new and new keypairs (public and private keys).

How to do networking with VMWare Workstation or VMWare Fusion?

For clarity, let's assume that the host (the machine running vmware fusion or vmware workstation) has the ip of 192.168.0.10.

On every virtual machine there are three options:
Bridged (VM becomes visible to other machines beside the host. It has an IP like 192.168.0.11).
Nat (VM is visible only to the host, there is internet).
Host only (VM is visible only to the host, but no internet).


Do ipconfig or ifconfig.
vmnet8 is for NAT.
vmnet1 is for host-only.
These are whole networks for virtual machines. If nat is chosen, then the VM would be supplied an IP from the vmnet8 pool.


DHCP.
If 'bridged' is chosen, then the administrator of 192.168.0.1 must assign an address to the VM.
if 'nat' or 'host-only' is chosen, then:
(I'll describe how to do this on a mac):

goto:

$cd /Library/Application Support/VMware Fusion

stop vmware networking:

$sudo ./boot.sh --stop



Let's suppose vmnet8 is 172.16.57.1 and vmnet1 is 172.16.163.1.


I would like to change the network from 172.16.57.1 to 172.16.16.1 and I would like to specify a virtual machine with a specific IP.

We're still in /Library/Application Support/VMware Fusion

Then:
$ grep 172.16.57 *
locations:answer VNET_8_HOSTONLY_HOSTADDR 172.16.57.1

Then all files in the list must be changed.
Then we go into /Library/Application Support/VMware Fusion/vmnet8/

Then the same: 

$ grep 172.16.57 *
dhcpd.conf:subnet 172.16.57.0 netmask 255.255.255.0 {
dhcpd.conf:    range 172.16.57.128 172.16.57.254;
dhcpd.conf:    option broadcast-address 172.16.57.255;
dhcpd.conf:    option domain-name-servers 172.16.57.2;
dhcpd.conf:    option netbios-name-servers 172.16.57.2;
dhcpd.conf:    option routers 172.16.57.2;
nat.conf:ip = 172.16.57.2
nat.conf:# or ip = 172.16.57.2/24



All of them must be changed.

If a specific VM must have a specific IP we go to:
/Library/Application Support/VMware Fusion/vmnet8/dhcpd.conf and we add the following:
(get the mac from the VM (ipconfig, ifconfig eth0))

host myhost {
    hardware ethernet 00:0C:29:B2:C9:69;
    fixed-address 172.16.16.16;
}


Then to renew the ip (ipconfig /release, ipconfig /renew for windows):
sudo ifconfig vmnet down
sudo ifconfig vmnet up


The last thing is to start the vmware networking:
sudo ./boot.sh --start



Then to renew the ip inside the VM (ipconfig /release, ipconfig /renew for windows):
sudo ifconfig vmnet down
sudo ifconfig vmnet up

(Updated: four six typos fixed)

I)
From time to time I need a self-signed certificate. I use the java keytool utility to make one:

For a JKS (Java Key Store format):

For a PKCS#12 keystore:

When the public certificate is needed separately, one can be exported in a file (mihail.stoynov.cer) like this:
(from a JKS)

(from a PKCS#12)



II)
Sometimes self-signed certificates are not enough and a CA root certificate must be made in order to sign a group of certificates.

First a Certificate signing request (CSR) must be made:
(from a JKS)

(from a PKCS#12)

(the output is directed to a file: mihail.stoynov.cer)

The file looks something like that:


Did we forget something? Yes, there's no Root CA certificate. Let's make one:
(JKS)

(PKCS#12)



Problem No 1
Keytool cannot sign CSRs. Period.

Now what do we do?

I went to OpenSSL.

In order to sign with OpenSSL I needed the root certificate in the PEM format.
P12 (PKCS#12) -> PEM:

Sign the CSR with OpenSSL:
(I don't know what -CAcreateserial is but it works)

So now I have mihail.stoynov.signed.cer.

The last step is to import it to mihail.stoynov.p12 (or .jks) in order to override the self-signed certificate with the one signed by the MyCompany Root CA.

A Prerequisite step to that is to import mycompany.root.ca.cer into mihail.stoynov.p12 (or .jks) because every certificate in the chain must be contained in the certificate chain of mihail.stoynov.



Problem No 2
Importing mycompany.root.ca.cer into mihail.stoynov.p12 fails but importing it into mihail.stoynov.jks works?!

JKS:
(this one works)

PKCS#12
this one fails with:

Actually P12 format does not permit trusted certificates. It is inteded to contain key/pairs only. So importing mycompany.root.ca.cer into mihail.stoynov.p12 failed.


I tried several things:

1) Importing mihail.stoynov.signed.cer directly into mihail.stoynov.p12:
and the response was:

2) Importing mycompany.root.ca.cer into cacerts:
This again didn't fix the problem.



Solution to Problem No 2:
Transform P12 to JKS, import the root certificate and the signed certificate into JKS keystore, transform the modified JKS back to P12.

1) Transform P12 to JKS 2) import the root certificate into the JKS keystore
3) import signed certificate into JKS keystore 4) transform the modified JKS back to P12 it said something like:
I clicked yes, and it worked.


Now let's see what's the difference between mihail.stoynov.jks and mihail.stoynov.p12:
JKS:

P12 (PKCS#12)



Do you see the difference?
It's in italic - JKS format keeps an extra trusted certificate of MyCompany Root CA.

Anyway both mihail.stoynov.jks and mihail.stoynov.p12 work perfectly.


P.S.
Does someone know better solutions to Problem No 1 and Problem No 2?
Does someone know how to sign certificates but without the cumbersome CSR step?

In the world of windows there is no standard tool to see what's going on the network level.

I have been working quite a while with web services and encryption and signing, so it's vital to me to see what's going on when a web service is being called.

TCP proxies
The way I was doing it until recently was to use TCP proxies. TCP proxies open a TCP port and forward to some other host:port. In the process of doing so it dumps every connection on the screen or in a file.
For example if I want to listen what's going on a local (for the machine I'm working on) port 8080 the following had to be done: the software working on 8080 (a web service) is moved for example to 18080, then the proxy is opened at 8080 which forwards everything to localhost:18080.

There is one minor drawback to the whole story -  the clients have to be supplied with a port that is not the port where the service resides. So if the proxy is missing - the service is invisible.

I've used mostly tcpmon and wsmonitor. wsmonitor sucks a lot. tcpmon works, but cannot handle moderately heavy traffic and has a lot of quirks that are very annoying. Anyway until recently it was my primary way of doing things.


Reading direcly from the TCP/IP Stack
There has always been software that can plug something in the TCP/IP stack of the windows machine and thus sniff the traffic. The bad side is that the machine has to be tampered with some third-party software. And some machines cannot (should not) be tampered like that.


A third way
There seems to be a software that can sniff the traffic without plugging nasty stuff in the TCP/IP stack. On such example is SmartSniff. It has what they call a "Raw Sockets" way of sniffing and so far it's working great.

There's an Apache Tomcat I'm managing that's in the wild (internet).

Saturday evening it was under attack.

I use Tomcat's manager console to drop applications from time to time and I had it's password pretty simple. Within this console a new java web application may be installed.
What's even worse is that that Tomcat instance was running with pretty high privileges.

It was a test machine, only a few guys knew the address.

So using this console a trojan was inserted. The admin password was changed. This trojan might have succeeded if it weren't for the antivirus that got the trojan on time (yes, it was a windows machine).
The trojan is called TROJ_DELF.BDG and it was deployed in webapps/fexshell/init.exe

Now the tomcat is running with pretty low privileges, the port is not so obvious, and the manager password is changed.

Did you know that classes in the 'default package' (classes that don't have a package) cannot be imported from classes that do have a package?

I did not know that.

Try it:

This is what javac says:



How stupid is this?
Is this why omitting package is deprecated?

I had an issue compiling some java classes. Javac failed, Eclipse's compiler worked. The issue is described here.
I was blaming Eclipse, I was blaming java6's endorsing. I was thinking it was due to JAXB.

It comes out they all were innocent.

Here's my code:

The result with javac is:


After some research I think I simplified the problem:
(If I continue to simplify it would still fail to compile but at some point it would start to compile which yesterday drove me crazy.
This is the most simplistic case that consistently fails to compile)
All of these changes fix the compilation error (from javac):


or



This all makes me think that the static import fails the next one only if the next one is an annotation (I've tried with a java.util.Collection - it compiled).
I have tried this with jdk6u3 and jdk6u10.
I don't have jdk 1.5. Can someone test it on jdk 1.5?



Update: GRRRRRRRRRRRRRR, Somebody found it before me:
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6391197
It was reported on 27th of June, 2006

Here's what they say:

I have some code.
I have two classes. They both have inner enums.
The two inner enums have an annotation.

But one of them does not compile. The other one compiles just fine.

In eclipse there's no error, but when I build the code from ant I get a compilation error - the annotation class is not found:


I spent some time looking for it - I thought that the classpath is wrong, I endorsed an updated version of the API (java 6). The issue persisted.

Then I decided to use javac directly:



Strangely enough I got the same error?! Then I did the same for the class that did compile successfully using ant - it worked.
So there was a difference between the two classes and I had to find it.

And I found it, can you find it?


Yes, you're correct. The second enum is not static.
This only happens with inner static enums. The anomaly does not occur if it's an inner static class. I don't know why.

So I'm thinking that in the ProblematicClass the annotation is not visible because the import of XmlType is not visible.
I was correct - this one works:


I just supplied the FQN of @XmlType.

So eclipse is working, javac is not. Now is the time to say that Eclipse is not using javac. I thought it was using jikes (made by IBM), but that's not correct. Eclipse is using its own incremental compiler part of JDT Core. JDT stands for Eclipse Java Development Tools.

http://www.eclipse.org/jdt/core/:


So either javac or Eclipse's compiler is wrong. I would bet that javac is following the spec more strictly.

This is the second time I'm catching Eclipse's compiler of misconduct. The first time was something related to a very complex case with generics - one of the compilers said it was a warning, the other - error. More here.


Update: I was wrong. I was trying to report the problem. I was making a pretty simple case. I used a different annotation: @javax.annotation.Resource. It worked both on Eclipse and on javac.
So the problem is somehow linked with JAXB.

 JAXB is an API bundled with Java 6 (an 'endorsed standard' a 'standalone technology'). The version bundled was JAXB 2.0. If one wants to use a newer version, say JAXB 2.1, an 'Endorsed Standards Override Mechanism' had to be used.

Info on JAXB here.
Info on endorsed mechanism here.

I'm currently with JDK 6 update 10. Somewhere I saw that 'endorsed standard override mechanism' was no longer necessary.

It looks like the problem is more on javac side than on Eclipse's compiler.

I will investigate further.


Update2: It comes out that 'Endorsed Standards Override Mechanism' was existing prior to java 6. Only the standalone technologies were added in Java 6.

Update3: It comes out that 'Endorsed Standards Override Mechanism' is still used.

Update4: It comes out that this bug is very hard to reproduce. My simple examples at some point just started compiling :(

Update5: I just created some code that consistently reproduces the bug. I'll write it in a new entry to be cleaner.

Update6: I fixed coloring and finished the new article on the bug.

WinMerge has great shortcuts for next/previous change, copy left/right.
It has textual comparison feature which works pretty well.

Recently I had to move 200GB from one hard-drive to another.
It was imperative to make sure everything was copied successfully.

Using a binary comparison tool would take a really long time. So I only check the total file size of all files copied and the number of files.
I tried copying these 200GB files several times and never succeeded. I was too lazy or busy to investigate until today when I got really pissed off.

It comes out that the difference comes from thumbs.db files.

Thumbs.db is a thumbnail cache used by Windows XP and Windows 2k3 Server.

How to stop the creation of these files:

1. Click Start
2. Double-click Control Panel
3. Double-click Folder Options
4. Click on the View tab
5. Check off the circle next to Do not cache thumbnails
6. Click the Ok button

Ctrl + Num = switch through tabs. Useful.

No comment!

No comment!

I accentally went to http://www.gaijin.at/.
The weird part is that when one presses "English" (since it's in German) it goes to:
http://translate.google.com/translate?hl=de&langpair=de|en&u=http://www.gaijin.at/index.php
I didn't know that Google can translate whole web sites.

The translation seems to be pretty good.
The site look&feel is exactly the same.

Very good thing.

They are not very polite.

Still crashes on some update sites - it did hang on a modal window while downloading SoapUI.

Great new shortcut - middle button closes tabs as in browsers (only IE does not do that) - VERY, VERY COOL.

Michael Moore's new movie is out.
They don't allow non-US IPs so use a torrent and download it.

And ... VOTE !!!

Update: The movie is inspiring. 20 mln. youngsters voted - an unique record. I don't know if Moore the reason.

In a project where requirements change on a daily basis, refactoring is one's biggest friend.
I'm currently in such a project - not my kind of thing but reality sometimes sucks.
Anyhow, I've tried to look at it from the bright side.

I'm currently perfecting my refactoring skills in eclipse.

Here's what I can share.

Everybody knows about
Ctrl + Shift + R - find resource (file )
Ctrl + Shift + T - find type (class)

Alt+Shift+C - Change method signature
Alt+Shift+S - Context menu for source generation.

Alt+Shift+X, J - Launch current focused code as Java Console App
Alt+Shift+D, J - Debug current focused code as Java Console App
Ctrl + L - go to line - when watching stack traces. NEW
Ctrl + O - find method in class.   NEW
Ctrl + T - Hierarchy of a class (subclasses + base classes).   NEW

But do you know these:
Alt+Shift+X, Q - Launch current focused script as an Ant Build Script (focused on a target in the 'Outline' window launches only that target, very handy)
Ctrl + >, Ctrl + < - Navigates through warnings and errors in a source file. Extremely handy.
Ctrl + 1 - launches the solution box or whatever that's called.
Ctrl + 3 - finds any window.
Middle button closes tabs as in browsers (only IE does not do that) - VERY, VERY COOL. Ganymede (Eclipse 3.4) only.
Ctrl + E - list of all the open windows (by Joke). NEW
Ctrl + J - incremental search (like Ctrl + F, F3 in browsers (real browsers, IE can't do that)), then arrow up/down to go to next previous, Enter to stop (by rado). NEW

Ctrl + Shift + / - collapse all. NEW2
Ctrl + Shift + * - expand all. These are very nice in long classes. NEW2

Debugging
Ctrl + Shift + I - inspect selected source code while debuging.
The 'Display' window is my biggest friend - inside it you can write code and evaluate it with Ctrl + Shift + D (print result in the box) and Ctrl + Shift + I ( inspect the code in a context window.

That's for now, I'll update this regularly. If someone uses something regularly that is not here, please tell.

He's like a parody version of Eminem.
The chosen topics.
The lack of delicacy discussing the topics.
The topics nobody wants to speak about.

I very well understand that this is a parody but it's an Eminem-styled parody. I connect because I recognize myself as the looser character in his Everyday Normal Guy 2.
Please, my one good reader, don't write nasty comments, please.

Some info on the guy:
http://en.wikipedia.org/wiki/Jon_Lajoie

Some songs:
Everyday normal guy (favourite)
Everyday normal guy 2 (favourite, part 2)

Stay At Home Dad

We have the following:
(The code is taken from here http://java.sun.com/j2se/1.5.0/docs/api/java/lang/Throwable.html#printStackTrace())

What does ... 1 more or ... 3 more means?

This is what it means:

Michael Moore is a kind-of-a journalist, a filmmaker and a writer in the US. I have read and watched almost anything he did, going back even to "Roger and Me" (please search them up, I can't constantly write target="_blank"). He caught my attention with "Bowling for Columbine", a movie for some kids that armed themselves and killed some co-students and teachers in school. Especially the interview with Marylin Manson and the part where he mocks the locals claims that it was the bowling that put these kids to the idea.

Since then he got an Oscar, written a lot of stuff. He is not always absolutely objective, lets himself carried away sometimes but the personal touch makes him so likable.

He's in my blogroll now.

I'm starting a new section "Did you know" where I'd share stuff I find interesting.

So, do you know what "Gort, Klaatu barada nikto" is?

It is considered the most famous science-fiction phrase ever. It has been quoted in almost all important science-fiction movies and not only.

It's from the 1951 movie called The Day the Earth Stood Still. It was said as a safe word to stop a robot from destroying the earth.
Gort was the name of the robot.

More on the subject: http://en.wikipedia.org/wiki/Klaatu_barada_nikto