Bill Benac

WCI Recurring Jobs Don't Party in 2013

Wed, 02 Jan 2013 11:02:28 -0800

Happy New Year!

Now that the holiday parties are over, we get to deal with the mess that comes so often in technology when calendars turn over. The mess I found myself facing this morning is due to a "feature" of WCI, so you may have it too.

Recurring jobs are set to run on an interval that has an end date. The portal UI defaults to an end date of Jan 1, 2013. Any pre-existing job that was set to run periodically and to use the default end date is no longer scheduled to run. This includes many crawlers, syncs, maintenance jobs, and so forth. Any new job set to run on a recurring basis defaults to Jan 1 2013 which since it's in the past will cause the job to run once but never again.

You can query the portal database to get a list of jobs that [1] ran as recently as December and [2] aren't scheduled to run again. This is the list of likely candidates that would need to be rescheduled. Also, the query gives URL suffixes to let you easily create links to open the job editors. In your case, you may want to put the full URL to your admin portal in there. In my case, I used this query for many systems with different prefixes, so I kept it generic. Here's the query I used:

SELECT j.[OBJECTID],j.[NAME]
      ,u.NAME 'owner name'
      ,j.[CREATED],j.[LASTMODIFIED],j.[LASTMODIFIEDBY],[LASTRUNTIME],[NEXTRUNTIME]
      ,'server.pt?open=256&objID=' + cast(j.objectid as varchar(9)) 'admin editor page suffix'
FROM [PTJOBS] j inner join PTUSERS u on j.OWNERID=u.OBJECTID
where NEXTRUNTIME is null and LASTRUNTIME > '12/1/2012'
order by [owner name]

Enjoy!

Update: This is now BUG:15947880 and KB Article:1516806.1.

Another Social Media Disappointment: Twitter Gamed

Wed, 11 May 2011 22:14:08 -0800

Marketers goes where the eyeballs are. We look at "social" media, so how can we be surprised by the invasion? But I'm still disappointed when I encounter blatant gaming of the channels that supposedly are trusted sources of information from "people" like us.

Let me introduce you to Anne Waterhouse. She lives in New York, and judging by her photo, she's a lovely mix of saucy and innocent (who isn't drawn by that?), and she is of modest means (just like the rest of us!). She tweets as @annewaterhouse about things that interest her nearly 2000 followers. It's good content. Funny posts from Failblog, smart content from Alltop, tech goodness from Mashable, and helpful tips from Lifehacker.

The problem is she isn't real.

I met Anne because yesterday she tweeted about a short video that my cycling buddy made. She picked it up from thought-leader Guy Kawasaki's blog. "How to make better presentations in 2:53 http://bit.ly/m8B3b5" she said.

Cool! Kawasaki likes Marc's video, and someone shared it on Twitter. When I looked at her Twitter page, I was surprised by the pace at which she posted. How could she consume so much web content? Who was she? Her profile revealed little. I scanned the timestamps, and I realized she had posted in each of the preceding 24 hours. Ah, she's superhuman and doesn't need sleep?

The constantly changing Twitter API now allows you to access the latest 200 tweets from a person using URLs like this: https://api.twitter.com/1/statuses/user_timeline.rss?screen_name=annewaterhouse&count=200. I grabbed her tweets and extracted the timestamps using this:

grep -i pubdate tweets.xml | sed s/".*"//g | sed s/"<\/pubDate>"//g > timestamps.xml

I then brought those into Excel and made histograms by day, then combined them to show all three days overlapping. This amazing woman tweeted 200 times in the past 37 hours. Check it out (or download spreadsheet):

Okay, fine, she has some automated tool that retweets the RSS feeds from her favorite sites. Some of her tweets like this one are generated by TwitterFeed.com. That doesn't mean she's not real. Is a real person behind these? Maybe she talks with her friends too? Well, no. In these 200 tweets, I used grep -v to filter out messages that didn't include a link as would come from the RSS feeds, and there was nothing left. I filtered for "@" mentions of other users and found none.

Who set this up? Is this the creation of one of the websites that she links back to? Are they trying to drive their own traffic? The idea is clearly a good one, based on the thousands of people following these garbage tweets. Is there a marketer/exploiter out there who discreetly sells this to websites? "Give me $500 for your own @annewaterhouse. I guarantee she'll share interesting content and garner a following, and this will drive traffic to your site." Does that exploiter use the metrics available from URL shortener sites that generate the links to then charge its customers advertising? "Give me two cents per click into your site." Do they go to the trouble of using so many URL shortener services to make it look less automated?

And to think my friend and I were pleased that she shared a link to his video. Well, I guarantee Guy Kawasaki is real, and he's the one whose opinion matters. Now let's stop thinking about social media and learn how to give better presentations when we're dealing with real people:

How To: Bulk download from Sharepoint

Tue, 10 May 2011 21:43:35 -0800

This post goes in the "Why wasn't I able to Google that?" category. Remember this old comic?

It turns out things that seem like they should be easily Googleable aren't. Maybe this post will be helpful to someone else out there.

I've been helping a small business migrate off Sharepoint and onto a local NAS device (Dlink DNS-323). They have about 4000 documents in 300 folders on Sharepoint hosted by Microsoft Online. How to do a bulk download? The Sharepoint UI (that they hated so much that they asked me if I could migrate them off it) gives no clues. I did searches for these without turning up anything good:

sharepoint "bulk download" "microsoft online"
bulk download sharepoint.microsoftonline.com
sharepoint server 2007 bulk download

Many people offer bulk upload tools, but what about bulk download? Certainly people want to change technologies now and again. I saw one discussion thread that vaguely mentioned WebDAV, but I found nothing about it in the online help, and I found very little for this Google search:

"microsoft online services" webdav sharepoint

Finally I just gave it my best shot. If it does support WebDAV, which the web hasn't confirmed for me, then how would I go about it?

My laptop runs XP (still my favorite environment), so I used these steps:

My Network Places
Add Network Place
Next
Choose another network location
Enter URL to Sharepoint site: https://smallcomicrosoftonlinecom-2.sharepoint.microsoftonline.com/Shared%20Documents/
Give same credentials used to log into Sharepoint

The laptop of the person for whom I was doing this migration runs Vista, so the process is a little different there. I connected them using notes from a forum:

Hit start menu and go to "Network"
Hit Alt-button to get the tools-menu.
Go to Tools -> Map Network Drive
Click on the link on the bottom that says "Connect to a website that you can use to store your documents and pictures"
Hit Next
Choose "Choose a custom network location" and hit Next.
Enter your url location...

Well, the instructions from here weren't a perfect fit, but on Vista, basically, enter the URL to Sharepoint, then the credentials, then maybe select the drive this will map to.

After connecting by WebDAV, I was able to access the entire Sharepoint site as a folder in Windows Explorer, and I could then open that folder and copy its entire contents to a local disk drive. I brought it to the laptop first, then I copied it onto the NAS drive.

At this point, the folks I'm helping out were able to disable Sharepoint logins for everyone but the administrator. They'll let their Sharepoint subscription lapse at the end of the month, which they're very happy about.

By the way, the DNS-323 that I wrote about and to which I gave a glowing review? It has extraordinarily frustrating user and group management through the web interface. Users can only belong to a single group. So if you want to have a group for managers who would access the /managers share, then a group for accounting who would access the /accounting share? You can't do it with the standard UI. As soon as you add the manager Adam to the accounting group, he is taken out of the manager group. I wound up having to telnet into the server to edit the undocumented, non-standard config file (/mnt/HD_a4/.systemfile/.smb.ses). I don't recommend this NAS for use outside the home.

Install just PTSpy on desktop for reading logs

Wed, 04 May 2011 09:25:54 -0800

Do you work with people who need to analyze PTspy logs on their desktop but who don't have the Spy reader available to get those logs into an easy-to-read format?

Back in the day, BEA put out an installer called LoggingUtilities_PTspy with the executable file ALILoggingUtilities_v1-1_MP1.exe. If you still can find that installer, you can use it to install the Spy reader. The format of .spy logs hasn't changed, so that old reader works for the latest and greatest (or worst) logs.

But that installer was only for 32-bit machines. If you're working with Windows 7, then you need another approach. My recommendation is that you use the regular (and unfortunately huge) component installer, install something that includes the Spy reader, then delete the components you didn't want. The steps I used to do so follow.

Run the WebCenterInteraction_10.3.3.0.0.exe installer. At the prompts, enter the following:

--

Installation folder: (your choice. i'm choosing c:\apps\plumtree).

Choose components: Check ONLY Automation Service.

If you get a Dependency Warning about Microsoft Visual C++, then "Yes, launch the installer."

Configuration Manager - Port and Password: Accept the default port of 12345 and leave the password blank.

Password inconsistency: Click "Continue" to keep the blank password.

Pre-Installation Summary: Click install.

Launch Configuration Manager: Just click next.

Application Settings Confirmation: Select "No, configure later," then click next.

Install Complete: Select "No, I will restart my system myself," then click done.

--

PTSpy is now available on your machine. You don't need to reboot.

However, your computer also has three services installed that you probably don't want. To remove them, you need to run commands in a command prompt that runs with elevated administrator privileges. To get that command prompt, click the start button and type "cmd" into the search box. You'll see cmd.exe is one of the search results.
Right click on it, then select "run as administrator."

Now in that prompt, paste in the following commands (to paste, right-click the title bar, click edit, click paste). You can paste these all in at the same time:

@rem -- make sure all services are stopped
sc stop "oracle wci logger"
sc stop ConfigurationManager12345
sc stop ptautomationserver

@rem -- now delete them
sc delete "oracle wci logger"
sc delete ConfigurationManager12345
sc delete ptautomationserver

That should do it. You should see output like this:

C:\Windows\system32>sc delete "oracle wci logger"
[SC] DeleteService SUCCESS

C:\Windows\system32>sc delete ConfigurationManager12345
[SC] DeleteService SUCCESS

C:\Windows\system32>sc delete ptautomationserver
[SC] DeleteService SUCCESS

The install put just over 800mb of files on your machine, but most of those are not related to ptspy. You can delete about 600mb of these by deleting unnecessary files and folders.

Open the folder C:\apps\plumtree\common and delete these:

container
icu
inxight
outsidein
pthreads
wrapper

Then open the folder C:\apps\plumtree and delete these:

configmgr
descriptors
jre142
jre160
ptportal
uninstall

Now on to analyzing spy files!

What Oracle engineering should do though is put an option in the WCI installer for just the Spy logging toolkit (it won't be in WCI 10.3.3). Maybe some day...

Enjoy!

Resigning like me? How to wipe your corporate laptop.

Thu, 24 Mar 2011 19:10:36 -0800

Universe: I am resigning from Oracle.

I know the universe of interested parties shrinks every year as the sales of the WCI portal (née Plumtree) decline, Oracle promotes a different product, and old customers move on to new platforms. But! Some of you are still out there reading, and so thanks!

Fortunately for you all, I'm not going far. I'll continue working with the WCI portal for a long-time customer, Boeing, for whom I've consulted off and on, but mostly on, since 2004. So the blog entries will continue to sporadically pop into your RSS feeds.

I have three company laptops that I need to return. The newest one Oracle issued to me several months ago, and I'm sure it will be redeployed to another employee. The older ones, however, will likely be "decommissioned." Occasionally I read stories about crooks who buy old hard drives to recover their data and then engage in all sorts of nefarious crimes. I don't want my data open to that risk. Since I don't know exactly what Oracle's decommissioning process is, and since any company's processes may not be perfectly followed, I decided to take extra care to destroy the personal, customer, and corporate data that had been on the hard drives.

So here's what I'm doing tonight, and you probably should do something similar when you let go of your old laptops, whether you're disposing of an old personal machine or resigning from the job that had run its course:

Copy any needed data off the old laptop (e.g. this photo from when kiddo was a newborn)
Create a "live cd" or a bootable disk with a *nix operating system on it. I used Ubuntu (get it).
Boot your old laptop from the CD. On my Dell laptop, I used F12 to get a one-time boot menu to select that I wanted to boot from CD rather than from the hard drive.
Identify the partition name for your disk. I did this by going to System -> Administration -> GParted Partition Editor.
Open a console.
Type a command like this one at the prompt, where /dev/sda2 is my laptop partition to wipe:

sudo shred -vfz -n 1 /dev/sda2
Wait while the machine overwrites your entire disk first with random data, then with zeros.

That's it. There's not much left to find on the drive. This is a much better approach than just reformatting the drive, because reformatting merely clears the address tables for the disk but still leaves the data intact and retrievable by Dr. Evil who makes his business doing such things. Of course, you could be more fastidious than I was. Another blog gives a more detailed review of the technical issue and even more thorough ways to knock it out.

After erasing the data, I went the extra mile to installed Ubuntu. This way anyone who turns on the computer will be able to log in and see that nothing is readily available, and they'll also find it to be a generally useful machine.

Enjoy.

PS: Yes, I'm extraordinarily happy to move on from Oracle!

Detailed Diagram of ALUI Publisher 6.5 Components

Mon, 20 Dec 2010 07:22:42 -0800

Publisher is an old product, but it still has legs in some organizations. I recently helped a customer set up Publisher to load balance the portion of the app used by browsing users, the readers, of published content. The discussions about how to set this up were difficult until I diagrammed the components clearly.

If you ever need to work with Publisher, an especially if you want to increase reliability of the reader component, then I hope this diagram will be helpful to you.

Enjoy!

F5 Terminology Cheat Sheet

Wed, 17 Nov 2010 09:01:15 -0800

Technology is a land of overlapping and confusing terminology. I've been involved in plenty of confusing conversations about F5 products as they relate to WCI portal deployments, and I've worked to develop a more precise use of terms. To help a colleague sort out the mishmash, I made this list of objects we commonly discuss. Maybe you'll find it useful to?

In addition to understanding the terms, I think it's helpful to recognize areas of overlap and be careful to avoid confusion. For example, since the VMWare team thinks "virtual servers" run an operating system and the F5 team thinks "virtual servers" represent pathways through their network, I like to say "F5 virtual server" or "VMWare virtual server."

Objects
GTM (routes between LTMs)
- Wide IPs represent services. An URL is associated with the Wide IP so that users can route through here. Wide IPs can have iRules.
- Pools are configured under Wide IPs.
- Members are assigned within the pools. We create a region1 and a region2 member. These members point to the IP addresses and ports of LTM virtual servers. Normally (but not always) they are given names that match the LTM virtual servers.

LTM (routes within a region)
- Virtual servers represent services. They have IP addresses and they listen on a port. They can have iRules. When multiple host names are required for the same service, those host names can all alias to the IP of the virtual server (e.g. http://portlets and http://portlets2).
- Pools are configured under virtual servers. One pool can be used by multiple virtual servers, as we do in an environment with the imageserver pool, since we need both HTTP and SSL access to those resources. The customer usually assigns monitors to these, and the monitor applies to every member in the pool.
- Members are assigned within the pools. They are represented by the IP address of the server hosting the service and the port of that service, though the port doesn't have to be the same one used by the virtual server. Customers doesn't usually assign monitors to these, though it could be done.
- Nodes we don't talk about much. These are the IP addresses of the servers that are later combined with ports to be members.

Examples:
GTM:
- Wide IP: app-portlet.lb.cs.customer.com
- URL: http://portlet.customer.com
- Pool of Wide IP: app-portlet
- Members of Pool: 209.45.18.146 port 80, 209.40.40.147 port 80. Member names are app-portlet-reg2-80 and app-portlet-reg3-80

LTM:
- Virtual Server: Name app-portlet-reg3-80 with IP address 209.40.40.147 and port 80
- http://portlet-primary.customer.com
- Pool of Virtual Server: app-portlet-reg3-80 with monitor
- Members of Pool: 209.45.42.36:80 and 209.45.42.35:80
- Nodes of Members: 209.45.42.36 and 209.45.42.35

Training
Want to understand F5's LTM in depth, everything from the objects above to session awareness, monitor configuration, iRules, and so forth? Then I recommend you take "BIG-IP Local Traffic Manager (LTM) Essentials," the free, self-paced, 14 hour training course at https://university.f5.com/. You can follow training modules, then log into a cloud-based LTM to do configuration exercises. Even if you're not the person managing the device for your customer, you'll be able to ask for the right things by knowing so much. And you might even know about features your F5 team isn't aware of, and you'll then be able to push them to a new level of ROI from this product.

Enjoy.

Dealing with frenemies and port conflicts

Mon, 27 Sep 2010 13:13:43 -0800

Subtitle: How to identify which process is running on a port

Hi Folks:

I just found a surprise about a friend of mine. First I'll introduce: Gizmo5. First some background on how I met Gizmo5.

Do you know about Google Voice's offering? Google gives you a free phone number, then among other things, it lets you forward that number elsewhere. Where to forward it? One thing I wanted to do after moving to a new city (Helloooooo Austin!) was get a landline since my wife didn't get great cell reception at our new place. "A landline it is," I said, but continued to her mild displeasure, "but I want to try getting this set up without using AT&T." I searched for a good voice-over-IP phone service. I wanted something like Vonage, but I didn't want fees.

Gizmo5 is one of many free VOIP services, or SIP providers. Another I use is sipgate. Oh yeah, and there's Skype, but Skype charges a monthly fee for a phone number right? Something like that. Money was involved, so I didn't go there. Plus, I wanted to have more of a DIY solution. So the idea of these VOIP providers is they give a phone number that rings to an Internet-connected client. The easiest client is the laptop-based softphone that every SIP provider has. Here's the one from Gizmo:

But the Internet-connected client becomes much more interesting when the client is a simple, old-fashioned, landline style phone. This is what Vonage does.

So I bought an analog telephone adapter (ATA) from Grandstream for $45, and after a bit of configuration, I was able to plug my old landline phone into the ATA, then plug the ATA into my router, then have the ATA register itself with Gizmo5's servers to say, "when a call comes in to Bill's Gizmo5 account, let me know because I'm his phone." Then I had Google Voice forward my Google Voice number to that Gizmo5 number, and I'm in business. How cool is this? So cool that Google bought Gizmo5 and ended new registrations while they work on their integration plan. Don't worry though. You can set this up with a sipgate account too.

Anyway, I still have that Gizmo5 softclient running on my laptop from time to time. And today I fired up my WCI Automation service, and I messages like these in my PTSpy:

Automation Server cannot be initialized.
com.plumtree.openfoundation.util.XPException: Address already in use: JVM_Bind

InitForScheduler(): Unable to start communicator on port 7777
java.net.BindException: Address already in use: JVM_Bind

Hey, what's that about? I ran this command to see what was running on port 7777:

Netstat -a -n -o | GREP 7777

And the report came back:

TCP 0.0.0.0:7777 0.0.0.0:0 LISTENING 3184

So what is running behind process 3184? I checked my task manager and found it's my friend Gizmo5 now acting as my enemy:

Since I don't know how to change the port of Gizmo5, I hop into my serverconfig.xml and change the automation server's port, restart, and I'm back in business with a fully functioning WCI system. Gizmo5 is no longer an enemy but a friend.

PS: The business model behind free SIP providers is they charge for outgoing telephone calls. Gizmo5 is a penny per minute. Sipgate is two cents per minute. But incoming calls are free, so? Initiate those long calls from Google Voice. Google will ring your SIP provider as an incoming call, then Google rings the party you wish to speak with, and it's free.

Why Place a Proxy in Front of the Portal?

Thu, 24 Jun 2010 08:42:21 -0800

Someone asked this question today:

What does a web proxy server placed in front of the Portal give you, in terms of security (or anything else), when there is already an SSL Accelerator (F5 BigIP) managing the portal? The end user would still access the Portal on port 80.  Either way.  What does the extra server buy you?

In hopes a larger audience might find my answer useful, here you go. First though, I'll try the "picture is worth a thousand words" approach, using a slide from a presentation I did a couple years ago:

Now my take:

Consider this case: You have users on the public internet, and you don't want any of your app servers to be in the DMZ. So you put a proxy in the DMZ, and it can reach back through the firewall to the internal Big IP that can route traffic to the many app servers.

Why not put the Big IP itself in the DMZ and have it route from there? One reason is that it handles traffic for many more ports than you want open on the firewall (e.g. for search, directory, dr). But more importantly, Big IP needs to be able to monitor the members of its pools. So there's lots of chatter between it and the servers.

So there you've got the security angle.

Also, proxies sometimes offer additional features such as authentication. You may only have internal users, want your users to authenticate at your company proxy.

There's also improved performance when you can keep the portal in the same VLAN as the remote servers it uses to build pages. A single portal page load can generate dozens of DB queries and http requests to the remote tier. A proxy lets you keep users in the DMZ while keeping the portal near those resources.

WCI Settings Files: rules for construction

Sat, 27 Feb 2010 13:15:55 -0800

The world is full of rules. I was amused at a local Austin grocery store to find rules against something that seem pretty obvious: food trays are not sleds. Other rules though can be harder to figure out. In case you need to know some of these less obvious rules:

I'm working on an effort to restructure WCI settings files, and a piece of this required understanding the rules for putting together a valid settings file. I hope to later explain the whole project, but until then, here's a subset of what I learned.

The Loose
WCI applications read in everything in the %WCI_HOME%\settings directory on startup. A default system would have these in c:\oracle\wci or some such location. That everything is read means WCI neither cares what your file names are nor what subfolders they may be in. For example, you can move .\settings\configuration.xml to .\settings\do-not-use\disabled.xml, and it will still work just fine. The system treats all information across all files as a single settings definition.

You can also break apart the out-of-the-box XML files into new smaller files, or you can rearrange their content entirely. This explains how it is that systems run WCI 10.3.0.0 equally well for fresh installs versus upgraded installs even though each has differently structured XML files (for example, fresh installs store settings in configuration.xml that upgraded installs keep only in portal\portalconfig.xml and common\serverconfig.xml).

You can add settings in the XML files that are not required and not used by the system. For example, you can have a context or a component defined but never used.

The Strict
Within the config files, however, you'll find tightly linked context, component, and client sections. Some rules are:

A context cannot be defined more than once.
A component name cannot be used more than once.
A component cannot have a subscribed client that is not a defined context.
A client cannot subscribe to two different contexts of the same component type.

An Example
Now is a great time for an example. The following file sits on my system as %WCI_HOME%\settings\example.xml. When the system starts, this file is read into the settings definition, though nothing in it will be used by my applications. The system runs just fine, and it will continue to do so unless I uncomment any of the sections of the config file that are designed to break the four strict rules I previously listed.

Download the file so you can load it in a readable XML parser, load it on your system, or tweak it. You can also try reading it in less readable format below.

Enjoy!

ALUI/WCI SSO Login Sequence and Log Files

Wed, 20 Jan 2010 11:27:53 -0800

You can't trust your web server logs to tell you how many pages your portal users view. When logging in, especially under SSO, the login sequence generates several "GET /portal/server.pt " lines. I dug into this today, and the results may be helpful as you look to infer portal usage from log files.

Yesterday I turned to IIS logs to determine some usage patterns in the portals I work with where users can enter through two different SSO systems. I started my search by looking at how many times SSOLogin.aspx occurred for each SSO system (hosted on different servers). When the results appeared material, today I wondered whether the load for the systems are different. Do the users of one SSO system have a more engaged portal session?

First I counted simply "GET /portal/server.pt" in the log files, and I though one set of users had far more pages per session than did the other. However, I then realized that gateway images were returned by my search pattern, so I added a space: "GET /portal/server.pt " This made the traffic look much more similar.

But I still didn't know how many actual pages the user sees. What happens in the login sequence?

What I found was:

* It is hard to identify actual pages per visit because the IIS log sometimes shows 3 and sometimes 4 requests per login.
* A user's login generates three lines in the IIS log with "GET //server.pt/ " when the user enters the portal through http(s):///
* A user's login generates four lines in the IIS log with "GET //server.pt/ " when the user enters the portal through http(s):////server.pt

The login sequence as found in IIS logs looks similar to this:

1. The unidentified user enters without specifying the /server.pt, then redirects to the SSO login
/

2. The SSO-authenticated user is redirected to the portal from the WSSO login
/portal/server.pt

3. The SSO-authenticated user is directed to the portal's SSOLogin sequence to process the SSO token and become portal-authenticated
/portal/sso/SSOLogin.aspx

4. The portal-authenticated user runs a login sequence to determine the proper home page behavior
/portal/server.pt open=space&name=Login&dljr=

5. The user lands on the proper home page
/portal/server.pt/community/superstuff/204

I hope that's helpful.

Love at First Boot: The D-Link DNS 323 NAS

Wed, 09 Dec 2009 11:09:21 -0800

[Added Dec 29 2011] The best love endures overtime. My infatuation has passed. I cannot recommend this device for use outside the home. The default software only lets a user belong to a single group (e.g. finance) but not two (e.g. finance and managers). You can hack around this by using ffp then editing smb.conf, but you don't want to do that routinely. Also, ffp isn't compatible with the most recent firmware, and only the most recent firmware lets you do offsite backup with the CTERA plugin. Also, it requires SMB access requires old and insecure lanman auth, which presents problems when a hardened system like recent Ubuntu distributions want to connect (though you can rollback security on Ubuntu to connect). If I had it to do over again, I would buy the QNAP TS-239 Pro Turbo to get to know a more serious device with disk encryption, better backup options outside the device, better user/group management, etc. And now, the original post...

Remember that giddy feeling when in high school you first ate lunch on the grass with that special someone, the object of your springtime infatuation? Ahhh. So sweet. I'm reliving that feeling with my newly installed NAS. I tenderly call her "323" for short, but her parents call her "D-Link DNS-323 2-Bay Network Storage Enclosure." I can see beyond her toaster looks...

I don't blog about every early Christmas present, but this NAS is so geek-winningly hackable, and I wound up doing such a number on my home network for it that I can't help but share the story. This may be helpful to other web wanderers, just as I relied on many blog posts, discussion forums, and so forth to get set up.

Benefits

First the benefits of this relationship:

1. Network Attached Storage -- You know at the office how nice it is to always have access to those never-ending shared drives that corporate IT provides. I now have it at home. Instead of keeping only select music stored on my computer and the rest locked away on that external USB drive in my wife's office, it's all available. The old cables and plugs were a barrier to access.

2. Peace of Mind -- With RAID-1 and two SATA drives, my data won't get lost when a hard drive fails. And every hard drive fails sooner or later.

3. Openness -- The 323 runs an embedded Linux, and D-Link built a hook to let folks access the core. Extend it with Subversion, SSH, MySQL, or if you're crazy enough you can even install a new Debian.

4. FTP -- The built-in FTP server and granular security model lets me access, share, or backup content from outside the home.

5. iTunes Server -- The device can discover its music then broadcast it to iTunes clients on the network.

6. Scheduled Downloads -- It can schedule downloads of files and folders from an FTP server, web server, or local network share. I don't want to fully rely on my web hosting providers to backup my data, and this lets me keep a copy too.

The feature list is rich, but not all of it applies to me -- yet. We'll see how my thinking shifts as she and I get to know each other better. Other people though are interested in its BitTorrent feature, UPnP AV server, or others

Now for some details.

The Hard Drives

In keeping with the do-it-yourself offering, the 323 doesn't come with hard drives. It's just an enclosure. So what did I buy? I admit that I was driven by price rather than features, but I still wound up with a pair great drives. Amazon was selling Western Digital's energy efficient WD10EADS drives cheaper than any of the other 1TB options, at least with 7200 rpm. It's cool to be green (no matter what Kermit says), but I'm more excited about the cool temperature than the green energy savings. As drives heat up, the probability of failure increases dramatically. More on failures later. The 323 has a feature to monitor the temperature and at high levels, send an email alert and then shut down. I want this feature, but I also don't want it to ever be triggered. The drives were $69 each when I bought, but perhaps for the holidays they have since risen to $84.

Installing the drives to the 323 was easy. I just tore open the drive packages from Amazon, slid the front plate off the 323, and pushed in the drives. No tools required.

Improving the Home Network

In order for my wife and me to share the NAS, our laptops need IP addresses from the same network. Previously, we didn't have this. The Internet drop and primary wireless router (an old WRT54g) are in my office. Since her office is on the other side of the house, and since the house has built-in ethernet wiring from the location of the Internet drop, we put a secondary wireless router (an older BEFW11S4) near her office that pulls data from the ethernet port.That router though was configured the easy way, with DHCP enabled and placing her on a different network. I was on 10.1.10.x, and she was on 10.1.11.x. So here's what I did:

1. Made sure the primary router ran normally, with our ISP's Internet provided through the router's WAN port
2. Made sure the secondary router ran normally, with the primary router's Internet provided through the secondary router's WAN port
3. Changed the secondary router to use a static IP, which in retrospect may not have been necessary
4. Configured the secondary router's Setup->Advanced Routing page to both send and receive RIP 1, which may not have been necessary but one blog suggested
5. Moved the secondary router's ethernet cable from the WAN port to port 1 which does uplink.

That was it. Now when my wife connects to the secondary router by her office, it acts as a switch to get to the primary router, and the primary router gives her an IP address in 10.1.10.x so we can both communicate with the NAS.

Improving the 323

Out of the box the 323 is nice, but it really starts to get cool once you start treating it as a customizable Linux box instead of just a hard drive. The device has a thriving community supporting it, and it's a great example of how a company's decision to open their product up can improve its usefulness and cultivate buzz (e.g. this blog post). The best site for the product may be http://wiki.dns323.info/. I proceeded cautiously installing my first "fun_plug" file to execute my commands at startup based on instructions at that site. Once my feet were wet, I installed a package of Unix tools called "ffp" (Fonz fun_plug) following the instructions at nas-tweaks.net.

In no time at all, I had logged in through telnet, disabled that insecure service, set up SSH, and begun looking around. I then followed the instructions at another blog to install the usb-storage.ko module allowing me to mount Fat32 USB devices through the 323's USB port. I got my wife's old iPod Mini loaded up with little effort.

Breaking Up, not Backing Up, with Standard USB Hard Drives

After setting up a few directories on the hard drives with proper security, I powered up the old 250 gb USB drive that started all this. The prior time my wife started it was ten days ago, and that time like this time it behaved the same way: a few minutes of near-silent, slow clicking, then an awakening and normal operation. We suspect it's on the verge of death. Before going to sleep, I dragged the old drive's folders to the 323, and let it run through its 10 hour transfer from sinking skiff to reliable coast guard cutter.

What's the problem with standard USB drives, and why should you not rely on them? Every drive fails, and you don't want to backup to a device with a fuse burning toward self destruction. Before moving to the RAID solution and while looking for a replacement for the old USB drive, I realized that every drive Amazon sells, given enough reviews, will have some frightening proportion of customers saying this like "It died after two weeks and I lost all my data! I'm never buying from this company again! Avoid this drive!" Every drive does this. Really?

I did a little research, and I found a great paper put together by some Google engineers. The guys who support the Google infrastructure have to buy a lot of drives and must know something about failure rates, right? Failure Trends in a Large Disk Drive Population may be more scientific than you're interested in, but at least consider this picture:

Enough said.

Anyway, that's my personal tech journal for the week.

Enjoy!

[Added Mar 30, 2011]

How to Configure Email Alerts
(or How to Crash the Administrative Website of the DNS-323)

Beware of email alert testing. I found a strange bug in the DNS-323 Firmware version 1.09 today. If I use correct email settings, I can send test messages, and alerts work. If I use normal incorrect settings, then I get failures. But if I use special incorrect settings, I crash the administrative web server, essentially freezing it, perhaps due to a blocked process.

I tried several configurations. In each case, I included these settings:

username: myaccount@gmail.com
password: magicpassword
sender email: myaccount@gmail.com
receiver email: myaccount@gmail.com
smtp authentication: check

Proper settings finished with this:

smtp server: smtp.gmail.com, port: 587

Settings that resulted in failure finished with this:

smtp server: smtp.googlemail.com, port: 587

Settings that resulted in a crash finished with either of these:

smtp server: smtp.googlemail.com, port: 465
smtp server: smtp.gmail.com, port: 465

I'm surprised to find that these result in a crash, since the settings were taken from Google's documentation of how to set up outgoing email.

The crashed web server won't come up until it is restarted. Most people will need to reboot the DNS 323 for this. Those of us with ffp installed and ssh access can go in and restart it as follows:

# killall webs
# /web/webs &

By the way, I've seen many people complain in online forums that no logging is available to inform them of what causes their test to fail. If you can log in through ssh and watch the console, then you'll see the errors in the output. For example, with smtp.google.com.com on 587, I saw this:

msmtp: the server does not support authentication
msmtp: could not send mail (account default from /etc/.msmtprc)
Error sending message, child exited 69 (Service unavailable.).

And when I tried testing with smtp.gmail.com on 587 but without checking the box for smtp authentication, I saw this:

msmtp: envelope from address myaccount@gmail.com not accepted by the server
msmtp: server message: 530 5.7.0 Must issue a STARTTLS command first. c18sm589580ana.27
msmtp: could not send mail (account default from /etc/.msmtprc)
Error sending message, child exited 65 (Data format error.).
Mail Server test fail

However, the only way I know to get these in my output is to first restart the web server from the console. I suppose this makes the process of my ssh session the parent to the web server process.

On the crash, no message is sent to output. Instead, the system freezes.

Interesting!

MySQL Slave Revolt: Avoid 'Duplicate entry for key 1'

Sun, 15 Nov 2009 02:44:50 -0800

Here's a post that will be of little interest to my normal readers but that may be helpful to Googlers. If this helps you, please drop a comment letting me know. I need encouragement to go so far off topic from my normal posts.

Several years ago I bought the history book on which the movie Amistad had been based. The Amistad was a ship carrying slaves to the Americans, and its captives revolted. The movie, which I didn't see, was apparently exciting enough, but the book was tedious. I wanted to never revisit it or anything like it again. But alas, I've encountered what could be called a slave revolt.

MySQL has a strange behavior on slaves with the CHANGE MASTER command that cost me a few hours of sleep. Sometimes when values are set with the command, those values merge into the master.info file. However in other cases after using the command, the values in master.info are lost. A sequence of commands that seemed reasonable to me left me without the proper master bin-log and offset log position, and this caused my slave to get errors like 'Duplicate entry for key 1.'

Here's how I discovered this behavior:

First, I created a dump using the syntax that places within the dump an update statement to set the master's position:

mysqldump --all-databases --master-data=1 --add-locks -u myuser -p > full.db.`date +"%F"`.dmp

Afterward, I can check my dump and find that indeed, it provides the master's bin-log and position:

CHANGE MASTER TO MASTER_LOG_FILE='bin-log.000494', MASTER_LOG_POS=169;

I then bring the dump to my slave server. If I first import the dump and rely on its values to set the master's position, I'll get errors when replication begins. The errors are caused because the replication picks up at the oldest bin-log instead of the right one. The errors, found after running "show slave status\G;" are like this:

Last_Error: Error 'Duplicate entry '3363837' for key 1' on query. Default database: 'myapp'. Query: 'INSERT INTO mytable (
                                    blah,
                                    blah2,
                                    blah3
                                ) VALUES(
                                    '1',
                                    '2009-11-01T00:06:16-05:00',
                                    'stuff'
                                )'

What I really should have done to avoid the errors would have been to run a CHANGE MASTER command that stated everything rather than skipping the details that the dump included.

After looking into this further, I find that as expected, the dump creates a master.info file with the master's proper bin-log and offset, and that master.info doesn't yet have the server connection details. Then after providing just the connection details through CHANGE MASTER, contrary to my expectation it then wipes out the bin-log and offset values rather than properly merging. I can fix this by then providing just the bin-log and offset values, which are properly merged into master.info.

Commands illustrating this are below:

[root@myhost ~]# # import the master's data
[root@myhost ~]# mysql -u root -p{secret} < /tmp/full.db.2009-11-14.dmp
[root@myhost ~]# # see what the dump put into master.info
[root@myhost ~]# cat /var/lib/mysql/master.info # notice this first iteration of the file has no connection info
14
bin-log.000494
169

test

3306
60
0

[root@myhost ~]# # set the partial details as documented
[root@myhost ~]# mysql -u root -p{secret} --execute="CHANGE MASTER TO MASTER_HOST='10.1.1.14', MASTER_PORT=3306, MASTER_USER='repl', MASTER_PASSWORD='supersecret';"
cat /var/lib/mysql/master.info
[root@myhost ~]# # check if that put anything in master.info
[root@myhost ~]# cat /var/lib/mysql/master.info # notice this second iteration dropped the bin-log and log position
14

4
10.1.1.14
repl
supersecret
3306
60
0

[root@myhost ~]# # set the remaining details as though nothing had been in dump
[root@myhost ~]# mysql -u root -p{secret} --execute="CHANGE MASTER TO MASTER_LOG_FILE='bin-log.000494', MASTER_LOG_POS=169;"
[root@myhost ~]# # check if that put anything in master.info
[root@myhost ~]# cat /var/lib/mysql/master.info # notice this third iteration merged in the bin-log and log position
14
bin-log.000494
169
10.1.1.14
repl
supersecret
3306
60
0

[root@myhost ~]# # set everything and see the results:
[root@myhost ~]# mysql -u root -p{secret} --execute="CHANGE MASTER TO MASTER_HOST='10.1.1.14', MASTER_PORT=3306, MASTER_USER='repl', MASTER_PASSWORD='supersecret', MASTER_LOG_FILE='bin-log.000494', MASTER_LOG_POS=169;"
cat /var/lib/mysql/master.info
[root@myhost ~]# cat /var/lib/mysql/master.info # notice this fourth iteration that sets everything looks like the third iteration
14
bin-log.000494
169
10.1.1.14
repl
supersecret
3306
60
0

So in short, don't rely on the dump to set master.info values for you. Just put them all into your mysql prompt similar to this:

mysql> CHANGE MASTER TO MASTER_HOST='10.1.1.14',
    -> MASTER_PORT=3306,
    -> MASTER_USER='repl',
    -> MASTER_PASSWORD='supersecret',
    -> MASTER_LOG_FILE='bin-log.000494',
    -> MASTER_LOG_POS=169;

Enjoy!

Cache Portlet Content on 10gR3 (Workaround to bug 8689121)

Fri, 30 Oct 2009 07:42:54 -0800

Here's another workaround.

Download this post, the batch file it refers to, and the wget utility from
CachedPortletContent-Workaround.zip.

Overview
=========
This describes a way to get results similar to the ALUI portal's Cached Portlet Content feature of the ALUI portal. This is useful for users of Oracle's WebCenter Interaction 10gR3, a release that has a bug (No. 8689121) that causes this feature to otherwise be unavailable. As the bug database describes it, "WHEN "RUNNING PORTLETS AS JOBS", THE JOB WILL FAIL."

Cached Portlet Content Feature
=========
You can read about the Cached Portlet Content feature at http://download.oracle.com/docs/cd/E12529_01/ali65/AdministratorGuide_ALI_6-5/tsk_portlets_cachingcontent.html. As that page describes, "You might occasionally want to run a job to cache portlet content (for example, if the portlet takes a couple minutes to render). When the job runs, it creates a snapshot of the portlet content (in the form of a static HTML file) that can be displayed on a web site. The file is stored in the shared files directory (for example, C:\bea\ALUI\ptportal\6.5) in \StagedContent\Portlets\\Main.html. You can then create another portlet that simply displays the static HTML."

Workaround
==========
The alternate way to get cached portlet content is to create an external operation that will call the URL of the desired content and then will save it to the automation server's file system. This uses wget.exe, a program that is standard on UNIX environments and that is distributed with this workaround for Windows. The port I use is from http://sourceforge.net/projects/unxutils/.

Installation
==========
1. Put wget.exe into the %WCI_HOME%\ptportal\10.3.0\scripts directory of your automation server (e.g. D:\bea\alui\ptportal\10.3.0\scripts). This application allows you to access web pages from the command line and then to save them to the file system.
2. Put the wget-extop.bat file into the %WCI_HOME%\ptportal\10.3.0\scripts directory of your automation server.
3. Test that it works by opening a command prompt on your automation server to %WCI_HOME%\ptportal\10.3.0\scripts, then running a command like this one:

"wget-extop.bat" http://www.target.com target-homepage

When that command finishes, you should see a success message similar to the following:

20:46:28 (104.98 KB/s) - `..\StagedContent\portlets\target-homepage\Main.html' saved [80621]

4. Make sure logging works properly. You should find a file in %WCI_HOME%\ptportal\10.3.0\scripts named wget-extop.log. Open that file and see that it recorded your recent action.

5. Make sure the action downloaded the webpage. You should find it in a location like %WCI_HOME%\ptportal\10.3.0\StagedContent\portlets\target-homepage\Main.html.

6. Open the portal and create an external operation object. On the main settings page, enter an Operating System Command like this:

"wget-extop.bat" http://www.target.com target-homepage

The command has three parts. First it names the batch file you'll use. Second, it gives the URL to download. Third it gives the identifer for this download that will be the directory in which the downloaded content will be stored. Be careful to use only characters in the identifer name that work as directory names. An identifer like "http://www.target.com" will not work because you cannot have slashes in a directory name. Your command may be this:

"wget-extop.bat" http://www.my-company.com/about.html about-our-company

7. In the portal, create a job that will run your external operation. Schedule it to run at the appropriate interval.

wget-extop.bat
==========
The contents of wget-extop.bat should be as follows:

@REM BEGIN WGET-EXTOP.BAT

set arg1=%1
set arg2=%2

md ..\StagedContent\portlets\%arg2%

echo %date% - %time% --- wget %arg1% -O ..\StagedContent\portlets\%arg2%\Main.html >> wget-extop.log
wget %arg1% -O ..\StagedContent\portlets\%arg2%\Main.html

@REM END WGET-EXTOP.BAT

Limitations
==========
This workaround does not offer all the features that the Cached Portlet Content feature normally has. The main reason for limitations is that this request uses wget rather than the portal engine to request content. The request therefore has no access to portlet preferences and so forth. While this workaround is sufficient in some cases, it does not claim to work in all.

Enjoy.

Bill Benac
October 2009

Is that a [BLANK] or a Bug? Resetting Login Tokens.

Thu, 17 Sep 2009 11:55:46 -0800

In software development, we can sometimes have maddening debates about whether something is a feature or a bug. This reminds me of an old Phish song: Windora Bug.

"Is that a wind? Or a bug? It's a Windora bug." In other words, it's both. While troubleshooting your system, you might want to listen to the mp3.

In WCI 10gR3, we find the collision of two reasonable features. I think together they make a bug. Or at least, a badly designed feature. So let's start with the old feature:

Sometimes agents outside the portal need to authenticate in. Users count as agents, and so do remote portlets. To allow the agent to log in without providing a password each time, the portal can send a login token that the agent can use for future portal connections. Two old examples of this are [1] when a person uses the "Remember my Password" feature of the portal login screen (usually valid for many days) and [2] when a remote portlet web service sends a login token to the remote service (usually valid for five minutes). The login token held on the remote tier by the agent can be decrypted by the server using its key. This works fine in both the old use cases I provided because the remote tier is handed this value by the portal server.

For whatever reason, you may decide every once in a while that there is a security issue related to saved passwords. The portal had a great feature in the old days to let you update the login token's root key and thereby invalidate these old login tokens forcing users to reauthenticate. The tool for the reset is in the administrative portal under the Portal Settings utility, and it looks something like this:

When you click that "Update" button, it connects to the portal database and generates a new login token root key, stored in PTSERVERCONFIG with settingid 65.

The trouble comes in with the new feature. In 10gR3, the portal introduces new applications that encrypt passwords based on the login token root key, but this is done at configuration time in the remote application's Configuration Manager. The problem is that those applications are built apparently assuming that the login token root key will never change. The configuration manager requires that you provide the login token root key to it directly. Applications that do this include but are not limited to the Common Notification Service and Analytics. For example:

The upshot of all this is that if you choose to click that button in the Portal Settings utility, then you get a new login token root key that no longer matches the one relied on by your remote applications.

If this part of the portal were reconceived, then perhaps the database would have one login token root seed used for agents with a transient token such as those given to users and through remote web service calls that are used to let the agent come back. Those keys basically say, "you've been here before, and you can come back." Then the database might have a second root seed for applications that need permanent access to the portal. In that case, the update feature would be fine, and it would only apply to the key for transient agents.

Oh well. We have to live with it. So to avoid administrators accidentally breaking remote applications, I suggest you update the portal UI to explain the full effect of this particular feature (if you don't want to go through the headache of an involved UI modification to entirely remove it). I did this and now have the following:

I got there by modifying this file on the admin servers:

d:\bea\alui\ptportal\10.3.0\i18n\en\ptmsgs_portaladminmsgs.xml

Within it I changed strings 2134, 2135, 2136, and 2964. My file has no other modifications in it from the vanilla 10.3.0 version. You can download it here.

Enjoy.