Saturday, December 18, 2010

A new world for integration: SAML and Identity

SAML was initially a standard for cross-domain SSO. A user who is logged on to domain * could transparently point his browser to a web application in another domain * without having to authenticate again. His identity (and other attributes) are passed on transparently, behind the scenes. Many mechanisms were defined to exchange the information contained in SAML tokens (signed XML structures) between an Identity Provider and a Relying Party, including SOAP very early on (the SAML SOAP Binding).

But SAML was taken further. WS-Security SAML Token Profile allows the use of SAML tokens in SOAP messages secured with WS-Security. And WS-Trust and its Secure Token Service standardized the mechanism to obtain or exchange SAML (or other) tokens.
The STS is a standard (web) service to obtain such a SAML token: 1) through standard authentication mechanisms or 2) by exchanging one token for another (SAML to SAML, non-SAML to SAML or SAML to non-SAML).

But transferring SAML tokens between domains means exchanging information between heterogeneous organizations. The SAML standard does not define how attributes within the SAML tokens should be named, nor what exactly their content should look like. Every organization is free to specify how information is structured in a SAML token:
  • what information or attributes are contained in the SAML token: name, cost center, department, ...
  • how the attributes are named, e.g. LastName or lname?
  • how the information in the attributes is represented
Imagine a vendor of office supplies (Staples) that wants to offer an SSO experience to the employees of its major customers. If every customer (large enterprises themselves) uses a different SAML token structure, the office supplies vendor will have a great time translating the information from these different SAML tokens to its own attributes. And what if information is missing from the SAML token, e.g. what is the maximum value that the employee may purchase?

Another integration challenge!

Note: Microsoft prefers the use of the term claim
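Added example (not from the post): a relying party translating two partners' differently structured SAML 2.0 attribute statements into one canonical set of claims, and reporting what is missing, such as the purchase limit. The partner names, attribute names and assertion snippets are constructed for the example.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed tokens from two (fictitious) customers: different names, different representation.
ACME_TOKEN = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="LastName"><saml:AttributeValue>Peeters</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Department"><saml:AttributeValue>Purchasing</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="MaxOrderValue"><saml:AttributeValue>EUR 5000</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
GLOBEX_TOKEN = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="lname"><saml:AttributeValue>Janssens</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:globex:dept"><saml:AttributeValue>it</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def saml_attributes(assertion_xml):
    """Extract {Name: [values]} from every AttributeStatement in a SAML 2.0 assertion."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs

# Canonical claims the relying party works with; all of them are mandatory here.
REQUIRED = ("last_name", "department", "purchase_limit")

def to_amount(text):
    """Normalise representations such as 'EUR 5000' or '5000.00' to whole euros."""
    return int(float(text.replace("EUR", "").replace(",", "").strip()))

# One mapping per partner: canonical claim -> (partner's attribute name, converter).
PARTNER_MAPPINGS = {
    "acme": {"last_name": ("LastName", str), "department": ("Department", str),
             "purchase_limit": ("MaxOrderValue", to_amount)},
    "globex": {"last_name": ("lname", str), "department": ("urn:globex:dept", str.upper),
               "purchase_limit": ("spendLimit", to_amount)},
}

def normalize(partner, assertion_xml):
    """Translate a partner-specific token into canonical claims; list missing required ones."""
    raw = saml_attributes(assertion_xml)
    claims, missing = {}, []
    for canonical, (source, convert) in PARTNER_MAPPINGS[partner].items():
        if raw.get(source):
            claims[canonical] = convert(raw[source][0])
        elif canonical in REQUIRED:
            missing.append(canonical)       # the application must decide what to do now
    return claims, missing
```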

Friday, December 3, 2010

Scary: backdoor in FTP server software

While reading, I picked up the news that hackers had put a backdoor in the popular FTP server ProFTPD. A version of the software containing a backdoor was put on the distribution server by some hackers.

How often does one install software from the Internet without any verification? Yes, there are the fingerprints, but who checks them? Even more scary if you were the one installing that software on a customer's server.

And if some hacker ever finds a way into the Windows Update software distribution mechanism, the world will come to a halt (don't smile, you Apple users).

Monday, November 15, 2010

Java on Microsoft Azure

Triggered by my colleague Koen Van Oost and the upcoming Microsoft session at Devoxx, I looked into Java on the Microsoft Azure platform. I watched the talk "Open in the cloud: Windows Azure and Java" from PDC10. I wasn't aware that one could run Tomcat on Azure! Well, that seems to have been the case since 2009 already. But the Eclipse tooling and the JDBC connection to the SQL Azure Database are brand new. During the talk, it was also shown how the Fujitsu Interstage application server can run on Azure. Having WebLogic or WebSphere Application Server running on Azure would be very big news! For now, let's see how usable the ESB and integration capabilities of Azure are from Java.

Friday, November 12, 2010

Devoxx 2010

Next week is Devoxx! Three talks and three speakers that I can really recommend:
In particular as I invited the speakers myself for these talks! Just too bad that I can't be there myself, damned.

But many more interesting things: Activiti in Action by Tom Baeyens, Scalable Java Applications on Azure by Microsoft, Comparing JVM Web Frameworks by Matt Raible, Encryption Bootcamp on the JVM, loads of NoSQL stuff, and so many more great talks.

Looking forward to meeting you next week @ Devoxx on Monday, Tuesday or Wednesday.

Thursday, November 11, 2010

Dell acquires Boomi

Boomi is a very interesting Integration-as-a-Service player. Integration in the cloud is a new trend that looks very promising. But what is not yet clear is why Dell acquired Boomi. A big cloud player such as Google or Amazon, or a big software player such as Microsoft, IBM or SAP, would probably have better chances. Curious to see what direction Dell will take with Boomi.

XML schemas for verticals

With XML as the alphabet, many languages are defined through XML schemas. But typically each vertical defines its own language. The latest example that I was pointed at: XML schemas for the oil industry at

But there are very few initiatives to define a common foundation, to define the words (nouns, verbs) from which each vertical could derive variations or specific XML languages. Many XML languages lead to many translations or transformations. Fine for us, the integration experts, but overall not very efficient. ebXML Core Components gave the structure to define reusable XML building blocks that could be used in different contexts and adapted based on region, industry, business process etc. ebXML CC is used in some of the verticals, but not on a broad scale as is the case with good old EDIFACT.

And as the XML standards in the oil industry prove, the trend of the last 10 years continues: many domain-specific XML languages, specific to each vertical.

Monday, June 21, 2010

Cloud Computing Economies of Scale

Great recorded talk about the hardware and data centre side of cloud computing. This great presentation explains why it (also) makes sense to leverage cloud computing simply to have cost efficient hardware. Got pointed to it while listening to the Cloud Computing Show #31.

Also interesting (via the same podcast): CloudHarmony. The blog in particular contains different benchmark results (memory, IO, network) of a large number of Infrastructure-As-A-Service providers.

Saturday, June 19, 2010

New name: Liaison

I had never heard of Liaison Technologies until I learned they recently acquired ADX. Looked on their website: they had also acquired Contivo 2 years ago. Contivo is somewhat known for their transformation (mapping) tools.

Tuesday, June 15, 2010

B2B market

IBM keeps acquiring other companies:
  • Lombardi, a BPM solution about which some of my colleagues are quite enthusiastic.
  • Sterling is more of an "old" player in the B2B space, with products such as Gentran for B2B communication and Connect:Direct for managed file transfer. But Sterling is also an Integration Service Provider (Gartner), or should we still call it a Value Added Network? IBM sold its VAN to GXS quite a while ago.
  • Cast Iron Systems, which is a new kid on the block, with a solution specifically targeting cloud integration. Also available as an appliance. And Cast Iron was rumoured to be developing a cloud-based integration offering.
Funny to see an "old" player (Sterling) and a brand "new" player (Cast Iron) being acquired in the same timeframe. Of course I'm curious to see what IBM will do with these acquisitions. Will they die in a corner or be the successor of the DataPower success story? And how will they explain and position all these technologies at customers?

Monday, June 14, 2010

Devoxx 2010

As a member of the Devoxx steering committee, I'm adding my 2 cents to the content of the conference. Devoxx will be cloud(y)!

Already confirmed speakers in the cloud area are Michael Coté, John M Willis and George Reese, author of the great book "Cloud Application Architectures", now at enStratus.

Wednesday, May 26, 2010

Applications for the Google AppEngine

Google is creating a market place for applications running on the Google App Engine. See the recordings of the "Google Campfire One".

Note: very good video quality (720p) of the recordings

Friday, May 14, 2010

OODBMS and pre-EJB AppServer

The market keeps on moving: SAP acquires Sybase etc. But one name attracted my attention: GemStone being acquired by VMWare/SpringSource (next to RabbitMQ, Hyperic, ...).

Time flies: I remember GemStone as a vendor of an OODBMS and an application server. On the OODBMS side there were also Versant and ObjectStore (eXcelon --> Progress). The list of application servers - just before EJBs took off - is much longer: Netscape Application Server, Forté, Jaguar CTS (Sybase), Tengah (became WebLogic), IBM Component Broker, ATG Dynamo, Novell SilverStream, Novera, ... I had forgotten about most of them. Another such "hidden" company that I recently encountered is Pramati.

Thursday, May 13, 2010

Flashmob - Ride your bike in Brussels

Where to ride your bike? In central station of Brussels! A great flashmob. Really nice!

Background: Nov 11, 11am was the end of World War I and is a national holiday in Belgium. On that day, 11.11.11 collects money door-to-door in Belgium.

Sunday, April 18, 2010

Java: execute program without blocking

It has been a long while since I did any Java programming... How does one run an external program from within Java in a decent manner? While looking around for some sample code, I found that most solutions use the Process.waitFor() method to wait for the process to terminate. But that will usually block forever: once the process has written enough to stdout or stderr to fill the pipe buffer, and nothing reads that output, the process itself blocks and never terminates.

One option is to use a separate thread to read stdout/stderr. I opted for an even simpler approach: temporary files:

// Redirect the program's stdout/stderr to temporary files, so the process never
// blocks on a full pipe that nobody reads. Note: the redirection operators are
// interpreted by a shell, so the command must be run through one (e.g. "cmd /c ..."
// on Windows or "sh -c ..." on Unix); Runtime.exec() itself does not parse them.
execCommand = execCommand + " > " + stdoutFile.getFileName();
execCommand = execCommand + " 2> " + stderrFile.getFileName();
// command/program > stdout-temp 2> stderr-temp
Process p = Runtime.getRuntime().exec(execCommand, null, currDir);

int exitValue = 0;
boolean isRunning = true;
int waitSeconds = 30;
while (isRunning && (waitSeconds > 0)) {
    try {
        exitValue = p.exitValue(); // throws while the process is still running
        isRunning = false;
    } catch (IllegalThreadStateException e) {
        // process is still running, wait 1 second and poll again
        try {
            Thread.sleep(1000);
        } catch (InterruptedException e1) {
            // ignore
        }
        waitSeconds--;
    }
}
if (isRunning) {
    // still running after 30 seconds: give up and report a timeout
    exitValue = 9999;
}


Saturday, April 17, 2010

Amazon pub/sub in the cloud

Amazon keeps extending its cloud offering. They have just added Amazon Simple Notification Service (SNS). SNS is a publish/subscribe mechanism.

As explained in earlier posts, I expect Integration-As-A-Service to become more important. One of the larger players (Amazon, Google, EMC, Cisco, Microsoft, ...) may one day come up with a wonderful solution for Business-2-Business communication between organizations.

When I first learned about Amazon's Simple Queue Service (SQS) back in 2006, I initially thought that SQS could serve as a transport mechanism for B2B communication. But that didn't work out. As the message size of SQS was very limited, data first had to be stored on S3. Authentication and authorization were also very limited.

So I looked around in the SNS documentation to see what SNS actually is and see if it can serve as a basis for B2B communication. Amazon thinks SNS is usable for B2B or application integration:
Application integration: Amazon SNS can be used in workflow systems to relay events among distributed computer applications, move data between data stores, or update records in business systems. For example, in an order processing application, notification messages may be sent whenever a transaction occurs; a customer places an order, the transaction is forwarded to a payment processor for approval, and an order confirmation message is published to an Amazon SNS topic.

Some facts:
  • Messages can be published over HTTP, HTTPS, e-mail or SQS
  • Proprietary solution/mechanism, not based on any standard (no AS1, AS2, SFTP, WS-Notification, WS-Eventing, ...)
  • Messages are (again) limited to 8KB. Just like SQS: too small.
  • Authentication is based on AWS accounts, so every subscriber also requires an AWS account, a hindering factor.
  • Messages are pushed, not polled. This is good for performance. For polling, use SQS.
  • But when pushing, the subscriber must expose a web service or mail account. How to secure this: no authentication from Amazon to endpoint receiving notifications; no basic auth, no support for client certs, ...
  • Messages are signed by Amazon. This is good, very good. Signing is based on HmacSHA256.
Nice and interesting, but not good enough... In particular the message size remains a blocking factor.

Questions left:
  • What happens if messages cannot be delivered for a longer period of time, e.g. when a subscriber disappears?
  • What exactly does a message published over HTTP look like (signed, JSON)? What parameters are passed in the URL?
  • Can an SSL endpoint with self-signed cert receive notifications?
  • What if SSL cert of endpoint is expired?
  • Are mail messages signed and if yes, how?
  • How and when are messages actually persisted?
  • The publish service isn't idempotent it seems?
PS: all based on reading the docs, must confess that I didn't actually test it
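Added example, not from the post and not Amazon's code: a subscriber endpoint that addresses the push-side concerns listed above on its own side, by checking the signature, bounding the age of a notification and de-duplicating by MessageId so that a redelivery is harmless. It follows the post's description of HmacSHA256 signing; the shared secret, the order of the signed fields and the sample notification are constructed assumptions, not the AWS wire format.

```python
import hashlib, hmac, json
from datetime import datetime, timedelta, timezone

# Order of the fields covered by the signature (an assumption for this example).
SIGNED_FIELDS = ("Message", "MessageId", "Subject", "Timestamp", "TopicArn", "Type")
TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"
MAX_AGE = timedelta(minutes=5)            # replay window: older notifications are refused

# Constructed demo values: a shared secret agreed out-of-band, a topic and a fixed "now".
DEMO_SECRET = b"constructed-shared-secret"
DEMO_TOPIC = "arn:aws:sns:us-east-1:000000000000:orders"
DEMO_NOW = datetime(2010, 4, 17, 10, 0, 0, tzinfo=timezone.utc)

def string_to_sign(msg):
    """Canonical 'Key\\nValue\\n' concatenation of the signed fields that are present."""
    return "".join(k + "\n" + msg[k] + "\n" for k in SIGNED_FIELDS if k in msg)

def sign(msg, secret):
    """Publisher side: HMAC-SHA256 over the canonical string, hex encoded."""
    return hmac.new(secret, string_to_sign(msg).encode(), hashlib.sha256).hexdigest()

def demo_notification(message_id, text, age_seconds):
    """A constructed, correctly signed notification dated age_seconds before DEMO_NOW."""
    msg = {"Type": "Notification", "MessageId": message_id, "TopicArn": DEMO_TOPIC,
           "Subject": "order event", "Message": text,
           "Timestamp": (DEMO_NOW - timedelta(seconds=age_seconds)).strftime(TS_FORMAT)}
    msg["Signature"] = sign(msg, DEMO_SECRET)
    return json.dumps(msg)

class Subscriber:
    """The push endpoint: authenticates, age-checks and de-duplicates each delivery."""
    def __init__(self, secret, expected_topic):
        self.secret, self.topic = secret, expected_topic
        self.seen = set()          # MessageIds already processed -> redelivery is harmless
        self.delivered = []        # messages handed to the application, in order

    def receive(self, body, now):
        msg = json.loads(body)
        for k in ("Type", "MessageId", "TopicArn", "Timestamp", "Signature"):
            if k not in msg:
                return "reject: missing " + k
        if msg["TopicArn"] != self.topic:
            return "reject: unexpected topic"
        # Signature first: every check below relies on the fields it covers.
        if not hmac.compare_digest(sign(msg, self.secret), msg["Signature"]):
            return "reject: bad signature"
        ts = datetime.strptime(msg["Timestamp"], TS_FORMAT).replace(tzinfo=timezone.utc)
        if not (now - MAX_AGE <= ts <= now + timedelta(minutes=1)):
            return "reject: stale or future timestamp"
        if msg["MessageId"] in self.seen:
            return "duplicate: already processed"
        self.seen.add(msg["MessageId"])
        self.delivered.append(msg.get("Message", ""))
        return "accepted"
```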

Wednesday, April 14, 2010

SSL Man-in-the-middle

Again a great "Security Now" podcast about SSL: how governments can sniff SSL traffic by compelling Certificate Authorities to provide them with (intermediate CA) certificates. Based on this paper. Great story, recommended reading or listening!

Some things that I picked up:
  • Different CAs can issue you an SSL certificate for the same URL (or whatever name)
  • Internet Explorer (actually the Windows crypto stack) downloads extra CAs dynamically, so the list you see in IE can grow behind the scenes
  • Firefox manages its list of trusted CAs itself
  • There is no standard policy for when a CA is accepted by browser vendors
  • The list of trusted CAs should be based on your geographical location
  • Trusting a CA is somewhat equivalent to trusting a government
  • Browsers should provide (advanced) users with extra features to help them decide whether a CA certificate should be trusted or not
In my daytime job, SSL/TLS is used a lot for communication between IT systems within the corporate firewall or with business partners across the Internet. Low level configuration of SSL/TLS is often not supported:
  • Configure single CA (or self-signed) cert to be trusted for specific outbound connection (e.g. when business partners have defined their "own CA")
  • Different SSL client certificate per outbound connection
  • Easy configuration of revocation checks (OCSP etc.), and checking whether the revocation checks actually work
  • Different timeout settings per connection
  • Only accept SSL connections on specific interfaces

Sunday, March 14, 2010

Shooter game or warfare?

Are my children playing Counter-Strike?
Or flying a drone over Afghanistan?
Great article about pilots flying unmanned planes by remote control. But really remote: 10,000+ km away.

Thursday, March 11, 2010

Claims explained

SAML, WS-Security and the Secure Token Service of WS-Trust result in a very interesting mix, where federated identity and integration (web services) come together.
Microsoft has published the free book(let) "A Guide to Claims–based Identity and Access Control". Obviously the book is focused on Microsoft technology, ADFS (code name Geneva), FAM and WIF in particular. But I found the first 2 chapters very informative and well written.

E.g. interesting to have confirmation that applications need to keep maintaining fine grained (data level) authorizations themselves.

Also interesting to read about the challenge of home realm discovery: how to know to which Identity Provider an external user should be redirected.

One of the main challenges with federated identity, in my opinion, is the transformation of tokens/claims. Unless there is further standardization (profiles), the integration with each external business partner will require token transformations. There seems to be a general tendency in WS-land not to bother too much with the actual business content of SOAP messages or SAML tokens.

The day when SAML tokens can be used in an interoperable manner to connect to back-end applications such as SAP or Oracle will be a great day. Looking forward to it.

Saturday, March 6, 2010

Securing my laptop

In my car, I spend quite some time listening to podcasts. On the topic of security, the podcasts Security Now and the Dutch podcast "De beveiligingsupdate" are my favourites.

Driven by the suggestions in these podcasts, I have taken a few extra measures to secure my laptop:
  1. Replace the ever leaky Adobe Acrobat PDF Reader with Foxit Reader.
  2. Set the security level in Microsoft Internet Explorer to High for every zone. Even when using another browser, IE's engine is used by MS Office applications.
  3. Installed the NoScript plug-in in Firefox. NoScript lets you selectively allow the execution of JavaScript. Only for a few sites have I allowed JavaScript permanently; for most sites I only allow it temporarily. It offers some extra defense against cross-site scripting (XSS) attacks.
Disabling JavaScript also helps with privacy: it reduces the amount of information exposed for browser fingerprinting. More Firefox add-ons for safer surfing are available here. The next one I'll try is Better Privacy, to automatically remove Flash cookies.

Sunday, February 28, 2010

B2B market keeps moving

As mentioned in the blog post of Gartner analyst Benoit Lheureux, the market of B2B products keeps moving, e.g. the acquisition of Foresight by Tibco.

Interesting blog post as well on the SAP Developer Network: SAP will increase its stake in Crossgate and SAP sales people will (re-)sell the Crossgate B2B service offering.

Note: I always confuse Crossgate and Northgate. NorthgateArinso is a SAP oriented provider of HR IT services and acquired the Belgian company Arinso.

Thursday, January 21, 2010

Elie Crets

Elie Crets
22-mrt-1934 / 19-jan-2010

Saturday, January 2, 2010

Do it yourself CA

Recently got questions on testing with certificates. Use self-signed certificates or CA signed certs? And how to easily obtain CA signed certs? It was quite a while ago that I had been playing with certs myself. So time to refresh my mind, do some searching + experimenting, and write a blog entry about it.

CA signed certificates (SSL server and client) are recommended as only the CA cert needs to be imported as a trusted certificate (e.g. in cacerts). First option is to use a free CA like CAcert.

The second option is to set up your own (test) CA. The most obvious choice is openssl: its command line tool lets you first create a CA key pair plus a self-signed CA certificate, and then sign certificate signing requests (CSRs), thereby producing CA-signed certificates.

Alternative tools for a do-it-yourself CA with GUI are:
I played around a bit with SimpleAuthority, and it looks quite OK. One can import certificate signing requests and export signed certs. A very limited version is free, but to manage an unlimited number of certificates the cost is $50 (personal) to $240 (commercial). The ease of use and consistency of the GUI could be improved, but it does do the job.

  • To generate and manage keystores, the recommended tool is Portecle.
  • An alternative is KeyTool IUI: it has extra features such as signing of files, but it is less user friendly than Portecle.
  • All sorts of links about PKI
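Added example (not from the post, and not code from any of the tools named above): it scripts the two openssl steps described for a do-it-yourself test CA, then shows the per-connection trust configuration the SSL man-in-the-middle post wished for, trusting only one partner CA for one outbound connection, with its own timeout, and proving that a certificate from an unrelated CA is refused. It assumes the openssl CLI is on the PATH; the CA names (PartnerCA, OtherCA) are constructed.

```python
import os, socket, ssl, subprocess, tempfile, threading
def openssl(*args):     # assumes the openssl CLI is on the PATH; its output is discarded
    subprocess.run(("openssl",) + args, check=True, capture_output=True)

def make_ca(workdir, name):
    """CA key pair plus self-signed CA certificate (the first openssl step above)."""
    key, crt = os.path.join(workdir, name + ".key"), os.path.join(workdir, name + ".crt")
    openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
            "-subj", "/CN=" + name, "-keyout", key, "-out", crt)
    return key, crt

def issue_cert(workdir, host, ca_key, ca_crt):
    """Key + CSR for a server, then the CSR signed by the CA (the second step)."""
    key, csr, crt = (os.path.join(workdir, host + e) for e in (".key", ".csr", ".crt"))
    ext = os.path.join(workdir, host + ".ext")
    with open(ext, "w") as f: f.write("subjectAltName=DNS:" + host + "\n")  # for hostname checks
    openssl("req", "-new", "-newkey", "rsa:2048", "-nodes", "-subj", "/CN=" + host,
            "-keyout", key, "-out", csr)
    openssl("x509", "-req", "-days", "1", "-in", csr, "-CA", ca_crt, "-CAkey", ca_key,
            "-CAcreateserial", "-extfile", ext, "-out", crt)
    return key, crt

def server_context(key, crt):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(crt, key)
    return ctx

def outbound_context(partner_ca):
    """Trust store for ONE outbound connection: only this CA, not the system list."""
    return ssl.create_default_context(cafile=partner_ca)   # check_hostname stays on

def tls_connect(client_ctx, server_ctx, timeout=5.0):
    """Handshake against a throw-away local server; verified peer CN or 'untrusted'."""
    lsock = socket.socket(); lsock.bind(("127.0.0.1", 0)); lsock.listen(1)
    lsock.settimeout(timeout)
    def serve():
        try:
            conn, _ = lsock.accept()
            with server_ctx.wrap_socket(conn, server_side=True) as s:
                s.recv(1)
        except (OSError, ssl.SSLError):
            pass                               # client refused the chain, or timed out
    t = threading.Thread(target=serve); t.start()
    try:   # per-connection timeout, as wished for in the SSL post
        with socket.create_connection(lsock.getsockname(), timeout=timeout) as sock:
            with client_ctx.wrap_socket(sock, server_hostname="localhost") as tls:
                tls.sendall(b"x")
                return tls.getpeercert()["subject"][0][0][1]
    except ssl.SSLCertVerificationError:
        return "untrusted"
    finally:
        t.join(); lsock.close()

def demo(workdir=None):
    """Partner CA is trusted for this connection; an unrelated CA is not."""
    workdir = workdir or tempfile.mkdtemp()
    ca_key, ca_crt = make_ca(workdir, "PartnerCA")
    _, other_crt = make_ca(workdir, "OtherCA")
    srv = server_context(*issue_cert(workdir, "localhost", ca_key, ca_crt))
    return (tls_connect(outbound_context(ca_crt), srv),
            tls_connect(outbound_context(other_crt), srv))
```

The generated CA certificate is what a partner would import as trusted (e.g. into cacerts); the second handshake fails precisely because that trust store contains nothing else.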