techblog 

Last week I attended an ITIL v3 Foundation Training course. Non technical training courses usually leave techies a little bored and uninspired but for me this definitely was not the case. All the stories I have heard from colleagues in the past is that ITIL is a bad thing, has huge overhead and costs huge amounts of money to implement. From what I was taught last week I think this is a reflection on the way ITIL has been implemented and not a criticism of ITIL itself. One of the cornerstones of what we were taught last week is to pick up the pieces from ITIL that are relevant to your business and change/apply them to your needs, this seems like a very good philosophy to me.

Anyone who has done much looking into these kind of frameworks will tell you the cost is high mainly due to the expansion in human resources which can be huge and it is certainly true that looking through the course notes (and if you are really sleepless the ITIL books themselves) that it seems to be a job creation scheme, there are new roles all over the place, however they are just that ‘roles’ many of these tasks can and should be taken on by somebody who has another job and can dedicate a little of their time to this ITIL role to ensure that things are running smoothly from an ITIL perspective. Of course this depends on the size of the organization in question, but in the case of Nominet I would imagine that one person could indeed take on several of these roles, the important thing is that the roles and responsibilities are clearly defined.

ITIL version 3 has expanded from the previous version to now include Service Strategy and Service Design and as these were new topics there was quite a lot of focus on them in the three day course. These subjects however I believe are of more interest to a management and/or software development audience, my interest mainly was on the Service Operation angle of the course as it is in that area that I have spent the last 13 years of my working life. I was very interested in ITIL’s take on Incident, Problem and Change Management, these are all critical areas within the operation of any critical service (IT or Non IT) and doing these efficiently in a repeatable manner as ITIL suggests is very important for any service based organisation, to be fair I was already aware of this but ITIL does enable you to easily spot any weakness in the way you operate and most importantly use the experiences of other people.

SJphone is a popular free VoIP client (or “softphone”), available for Windows, Linux, and MacOSX.

Most softphones have separate settings for the username and password used to authenticate the SIP REGISTER command, and another to set the SIP Address of Record. SJphone, by default, does not. It has the username and password fields, but it generates a default SIP AoR of username@domain.

There didn’t appear to be any way to support our configuration where the Authentication username is different to the left-hand side of the SIP AoR. After much digging a solution was finally found. In the “Profiles” dialog box there is an “Initialization” tab. On this tab there is a “Caller ID” setting and a tick box marked “Inquired”:

Ticking this box tells SJphone to prompt for the left-hand side of the SIP AoR along with the username and password fields. The other two tick boxes control whether the application remembers the supplied value, or prompts for it each time.

If necessary you can tick the “Full Address of Record” box instead, should you need to supply a SIP AoR with a different right-hand side.

I have a SE P990i - not a bad device if over the last 3 years you’ve been able to stomach the infinite software updates/bug fixes/patches and workarounds - mine’s actually now usable.

Running the bundled software ‘PC Suite’ is required for backups (amongst other things) - and backups are essential. But having changed to a x64 system (XP) it turns out that Sony Ericcson do not support x64 systems (except within Vista Ultimate x64 - but not confirmed) - ie. PC Suite won’t install - and that’s SE’s offical line and last word on the matter. They’re not replying to customer service emails on the matter, either. Not even an automated reply - just silence (I think this will be my last ‘phone from SE).

Some get round this by dual booting 64 and 32-bit Windows and running the software when necessary under 32-bit - but I’m not too confident in this area and wanted a more ‘familiar’ solution. There are other solutions (while staying within x64) for SE’s slackness kicking around the web - however all of them involve only partial sucess - ie. you can have the ‘phone recognised by the system as a mass storage device, have the drivers working so the USB cable can charge it, even update the OS via SE’s update service - but you still can’t get the PC Suite to synchronise and perform backups. After numerous attempts and tweaking I have however managed to get them all working correctly. This obviously was the result of sheer hard work and luck was not involved in any way. Cough. I can’t guarantee it will work for other SE models, though my P990 was very happy.

Needless to say, backup your ‘phone before messing with it - although this concerns the software on your PC, not your ‘phone, so you should be just fine.

First, here’s a summary of the current solutions and drawbacks, with links:

• http://webmotion87.googlepages.com/sonyericssonp990(i)undermicrosoftwindows Summary: Extract the .exe and 64-bit .msi file - modify and re-run. This will give access to the SE Update Service but not the PC Suite.
• http://www.planetamd64.com/lofiversion/index.php?t13052-50.html Summary: Extract the .exe and retrieve the .msi file. Mess about with the installation .msi and then re-run it. This solution nearly got me up and running - but failed - I got the same old “This operating system is not adequate..” error in the final stages.
• http://www.wilson-it.com/sony_ericsson_download.htm. Summary: Some clever people at Wilson-it rewrote the SE drivers; quote “Basically the DSS-25 has a USB to Serial converter chip in it made by FTDI Ltd that was slightly modified for SE. We modified a BETA x64 driver of that chip to work with the SE DSS-25. Why SE couldn’t do this I have no idea.”. This solution will, on it’s own, allow you to recognise the device (the ‘phone, not just the sync-station as claimed) on your system via USB so you can charge it. Allegedly the update service will work as well (needing just a USB connection) but I haven’t tested this bit (you’ll know why, if you own a P990 ;-). This is not a fix for the installation of PC Suite, mind -however some people have reported success.
• Do both. Install the drivers and then re-run the modified .msi. Summary: You can get a bit further but sadly, for me, it was the same old installation error in the end.
• Bluetooth only: Apparrently, “floAt’s Mobile Agent 2.1 beta 3 ( http://fma.sourceforge.net/ ) works great with Win x64 and my Z800i. Synchonizing and file transfers, no problem”. Summary: Not tested this as I’d like to stay with the OEM software, so cannot comment. And it’s Bluetooth only, as stated.

Tweaked version:

1. Download the Wilson-it drivers (http://www.wilson-it.com/sony_ericsson_download.htm) and install them (all of them - when one is finished, it will prompt another). This will enable USB charging.
2. Get the latest PC Suite (67mb) from SE’s site (http://www.sonyericsson.com/cws/support/softwaredownloads/p990i?cc=gb&lc=en) which is “PC Suite for Smartphones 1.5.8″ or use an existing (older) version - I used my older version that came with the original CD.
3. Download an .msi extraction tool such as Orca (I used this from http://www.technipages.com/download-orca-msi-editor.html) or other program (strangely the most ‘popular’ seems to be something called “Less MSIérables” - but their site is offline and still is so I have no idea what it’s like)
4. Use a program such as WinRar (http://www.rarlab.com/download.htm) to extract the PC Suite for Smartphones .exe package. Extract to a new folder where you can get at the resulting files.
5. From the resulting WinRar extracted files, run the “PCSuite.exe” (not the PCSuitex64.exe some solutions say “do” but that didn’t work for me) until you hit a wall (error report or such) - do not cancel or abort the installation just yet. Search your C:\WINDOWS\temp folder for the “still running but about to disappear when you abort the installation” .msi file - this will be called “PC Suite for Sony Ericsson.msi” or possibly “ah7v5gdo6.msi” or similar ‘random’ string. Tip: if you search for this before you begin and leave the window open, the window will update when you run the .exe showing you the right file.
6. Right click on this to edit within Orca (or drag and drop into Orca). Whilst open in Orca, locate the entry “LaunchCondition”, right-click and and “drop table”. So far, this is the standard solution which didn’t work (yet) for me.
7. My tweak - an additional error for me was “The current version of msxml6.0 is not compatible with…”. So, whilst still in Orca, locate (using the find tool) “msxml6″ in all entries (I found two) and choose “drop row”, thus deleting that call/check. I suspect the critical one is in the InstallExecuteSequence table.
8. Save the resulting file (note that’s Save and not Save as) - this will overwrite the .msi in memory. Still without having aborted the initial installation, double click and run this .msi file - this will bring up a new install window. Keep going and it should install the PC Suite. If it complains about drivers, decline Windows’ offer to search the web and locate the extracted Wilson-it drivers in the same directory as last time.
9. If you have no luck at this point with the installation of the PC Suite try the x64 version of the .exe and the subsequent .msi. I know I ran both or all variations before finally running the “PCSuite.exe” and resulting .msi which worked.
10. At this point, although PC Suite runs (hopefully) it wil still not recognise the ‘phone. I tried restarting the PC, as well as unplugging the ‘phone repeatedly. I swear this did not work - until around 48 hours later when I plugged my ‘phone in to charge - when suddenly Windows detected ‘new hardware’ and asked for “drivers”. Pointing Windows to the same extracted Wilson-it drivers as before (surely they’ve already been installed?) allowed PC Suite to recognise and connect to the ‘phone. Maybe it’s just a question of a few restarts and re-re-plugging in of the ‘phone. Not very technical this very last bit, but at least it worked.

In hindsight, I suspect that if you install the drivers last - after the “.msi PC Suite” part - you may have a quicker result than I did.

Useful links:

http://www.planetamd64.com/lofiversion/index.php?t13052-50.html
http://www.esato.com/board/viewtopic.php?topic=170665

Vendors use different terminology to specify the performance of their Hardware Security Modules (HSMs). Regular terms are transactions, exponentiations, encryptions or signatures per second, or microsecond per transaction, exponentiation, etc. Performance statistics that use different units are incomparable. We’re trying to overcome that by using common unit. This post elaborates further on an small application for performance measurement.

Performance depends on algorithm and size of the key. Mostly, 1024-bit RSA private key operations are used, but that is often not specified. Using units like “encryption” or “verification” is biased as well, as both encryption/verification are public key operations (and thus small exponents), which are much faster than “decrypting/signing”. Using “exponentiations” is sometimes used to amplify the statistics. For example, a 1024 bit RSA key implies 512 exponentiations for a single “transaction” (the performance numbers are blown up by a factor of 2^9 …. on paper).

Performance is only comparable when using the same standard measurement unit. Since most vendors use 1024 bit RSA key signatures per second (sig/sec), let’s use that for a performance specification conformance test (or… lets check the marketing on the box).

For this test we’re using a Sun Fire T2000 with 3 SCA6000 cards. The technical specification promises “Up to 13,000 RSA operations per second with 1,024-bit keys”. All three combined should get a nice performance of about 39,000 RSA signatures/second…. in theory.

An often used method to measure performance is the OpenSSL speed test. However, it is not possible to specify keys that are located on the HSM. Also, an engine is needed to let OpenSSL use the pkcs11 interface. The well known OpenSC PKCS11 engine assumes that keys are on the HSM, while the RSA speed test generates its own key causing the speed test to fail. Sun’s PKCS11 engine is fully supported (thanks for Darren J. Moffat for pointing that out, see his comment below), the patches for OpenSSL are not supported by Sun. Lastly, the OpenSSL speed test uses fork/wait/pipe (using the undocumented -multi and -elapsed for proper timing), where we want to use threads (less overhead, no IPC). So it was time to write a small performance test application that uses native PKCS11 calls.

The result of that speed test is a whopping 39353 sig/sec for a 1024 RSA private key. This was verified independently by the unix time utility (for elapsed time) and Solaris kstat utility (for actual hardware transactions).

Or….. signing 7 million records in less than 3 minutes.

hsm-speed implementation notes

Download the hsm-speed package.

Simply creating a loop in which data is signed might not get the desired performance. A single loop performed at about 1600 sig/sec, while the specification promised 13000 sig/sec per card. A single loop (one process thread) did not get enough exposure to fill the bus fast enough. Creating multiple processing threads seems the obvious answer, especially since the T2000 uses an UltraSPARC T1 processor with 32 simultaneous processing threads. The speed-test is made multi threaded (using pthreads for portability, not the Solaris native threads), and gets about 13200 sig/sec on a single card. Note that there is also the option to fork processes, which effectively causes multithreading per forked process. Since forking has more overhead than threading, and threading has more overhead than looping, a straightforward way to maximize performance is to increase the loop iteration until it adds no more speed. Then increase the threads until it adds no more, then increase the forks.

Solaris Cryptographic Framework notes

The Solaris cryptographic framework allows different slot configurations. The “Metaslot” serves as a single virtual slot with all the combined capabilities of all the tokens and slots that have been installed. The “Keystore” slot groups only the crypto hardware together. The order in which multiple calls to C_FindObject returns objects from the metastore is reverse of that of the keystore. Hence, a search for a key without specifying the object class, will on the metaslot return the private key first, and on the keystore slot return the public key first. Effectively, when using the keystore slot, a C_SignInit that returns error “CKR_KEY_TYPE_INCONSISTENT” might be the result of not having specified CKO_PRIVATE_KEY in the search template for C_FindObjectsInit().

Another problem encountered with the Metaslot configuration is that it has a bug in meta_release_slot_session, used by C_CloseAllSessions, causing a nasty segmentation fault when trying to close a certain amount of idle sessions. This is circumvented by closing individual sessions one by one, though that is a tiny bit detrimental on the overall performance.

It is essential that the cards have the same firmware. Exporting the keystore information to another card requires the same firmware on both cards.

The PIN is a combination of the username and password, separated by a colon. When the password requirement for the SCA6000 is set to high, the password must be at least 8 characters long. However, the solaris getpass() call (from stdlib.h) only returns the first 8 characters, thus it leaves no room for the username to be specified. The GNU getpass() (libc) does not have this limitation. To circumvent this issue, use getpassphrase() on solaris. Note that this function is not portable.

Notes on PKCS11

Threads that share a single session might interfere each other between a C_SignInit and a C_Sign call. This will have unpredictable behavior. A thread safe way of sharing sessions is using mutex locks. This will significantly reduce the benefit of using threads. One way to avoid interference without having to use mutex locks is to create one session per thread. Since sessions can safely interleave and interfere, this is a very effective way to guarantee thread safety without locking.

This is a follow up to my previous article, DomainKeys signing for nominet.org.uk e-mails… not just yet, which I wrote a month ago. Since then all I did was reading RFC4871 forsaking all my other duties, losing sleep and appetite.
After this I came up with the following findings:

• DomainKeys (rfc4870) is an obsolete standard for signing messages but still widely used (compared to DKIM)
• DKIM (rfc4871) is a current standard for signing messages
• DomainKeys defines signing policies but is vague about policies for subdomains
• DKIM doesn’t define policies. Policies, or rather Author Signing Practices(Sender Signing Practices), are separated from DKIM into a different standard which is still a draft and quite frequently revised: draft-ietf-dkim-ssp-03.txt
• If policies (practices) are not explicitly defined, Verifiers in both DomainKeys and DKIM assume that a Signing domain MAY sign messages and Verifiers should treat unsigned messages as if the domain supports neither DomainKeys nor DKIM.

After considering all this I came up with the following plan for rolling out of e-mails signing:

• Upgrade our mail servers to a version which supports both DomainKeys and DKIM signing
• Create DKIM and DomainKeys signing profiles on our mail servers
• Publish DKIM and DomainKeys selectors with public keys in nominet.org.uk zone
• Publish neither DomainKeys policies nor DKIM Author Signing Practices in nominet.org.uk zone effectively telling to Verifiers that Nominet messages MAY be signed
• Work out a correct Author Signing Practices (or whatever it’ll be called by that time) when it becomes a standard.

Having the plan I just followed it and as of today all outgoing @nominet.org.uk messages are signed both with DKIM and DomainKeys (subdomains originated messages, e.g. @lists.nominet.org.uk are not at the moment). One note though: for now we decided to publish the selectors with a “test mode” flag set but I think it’ll be removed very soon.

My appetite is back until I need to read another RFC.

I wanted to connect a (fairly old) laptop running Windows XP to my home wireless router the other day. With WEP discredited, I have the security on the router set to WPA2. Since the laptop doesn’t have inbuilt WPA2 support, I bought a new WPA2 wireless LAN adapter. After installing the the accompanying software and plugging in the adapter to one of the USB sockets, I tried to set up the connection - and failed. When I scanned for wireless networks, the network was visible, but nothing I did could persuade the laptop join it.

An email to the manufacturer’s support desk brought the answer. Windows XP doesn’t have WPA2 support included by default. To enable it, you must install the KB893357 update. Once I did that, I connected with no further problems.

For any number of reasons, you may find yourself wanting to create only part of a Spring context without satisfying all of its @Required dependencies (and their dependencies, and their dependencies’ dependencies…) with real objects:

• Reducing the number of Spring beans your integration tests need can drastically speed up your unit tests, since Spring container startup can take a while and consume a lot of heap space.
• In my case I wanted to write an integration test that only needed a thin vertical slice of beans to get Hibernate working, without the (rather large number of) other beans in the rest of the context definition.

In conventional unit testing, this is easy: you use mocks or stubs at the boundaries of your test objects. Why not extend this to Spring beans?

By rejigging some import statements, I was able to use Spring’s instance-factory bean declarations and dynamic mocking to do just that. The process has two parts: creating the factory class, and declaring the stub beans…

Creating the factory

package uk.nominet.testing;
 
import net.sf.cglib.proxy.Enhancer;
import net.sf.cglib.proxy.MethodInterceptor;
import net.sf.cglib.proxy.MethodProxy;
 
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
 
/**
 * Stub spring bean factory class. Call createStubBean("classname") to stub out a bean.
 */
public class StubBeanFactory
{
    /**
     * Factory method to create stub beans.
     * @param className to create a stub bean for.
     * @return stub bean.
     * @throws ClassNotFoundException if className doesn't match a real class.
     */
    @SuppressWarnings("Unchecked")
    public <T> T createStubBean(String className) throws ClassNotFoundException
    {
        // get the class to proxy
        Class<T> proxyClass = (Class<T>)Class.forName(className);
 
        // the specifics of proxy creation depend upon whether we need to proxy a class
        // or an interface - which is it?
 
        if (proxyClass.isInterface())
        {
            // proxying interfaces is easy with the standard java proxying classes
            return (T)Proxy.newProxyInstance(proxyClass.getClassLoader(),
                                             new Class[]{proxyClass},
                                             new StubMethodHandler());
        }
        else
        {
            // proxying classes requires some cglib magic...
            Enhancer enhancer = new Enhancer();
            enhancer.setSuperclass(proxyClass);
            enhancer.setCallback(new StubMethodHandler());
            return (T)enhancer.create();
        }
    }
 
    /**
     * Helper class to handle method invocations on stub beans.
     */
    private static class StubMethodHandler implements InvocationHandler, MethodInterceptor
    {
        /**
         * @see InvocationHandler#invoke(Object, Method, Object[])
         */
        public Object invoke(Object proxy, Method method, Object[] args) throws Throwable
        {
            // you could put some logging here...
        }
 
        /**
         * @see MethodInterceptor#intercept(Object, Method, Object[], MethodProxy)
         */
        public Object intercept(Object o, 
        			Method method, 
				Object[] objects, 
				MethodProxy methodProxy) throws Throwable
        {
            // you could put some logging here...
        }
    }
}

Creating stub beans

Stubbing out a spring bean is simply a case of creating and using the factory:

<beans>
    ...
    <!-- this is our stub bean factory -->
    <bean id="stubBeanFactory" class="uk.nominet.testing.StubBeanFactory"/>
 
    <!-- stubbing out either interfaces or classes is exactly the 
         same - just call the factory -->
    <bean id="tokenDao"
          factory-bean="stubBeanFactory"
          factory-method="createStubBean">
        <constructor-arg value="uk.nominet.authentication.TokenDao"/>    
    </bean>
    ...
</beans>

What’s the point?

By stubbing out the unneeded beans:

• the number of beans in the testing context was reduced from nearly 400 to less than 40;
• the running time for the integration test was reduced from 40 seconds to 10 seconds.

The second point here is key - faster tests leads to tests that get run at all…

I was set a task to deploy DomainKeys signing for @nominet.org.uk e-mails so that any messages, which appear to be coming from @nominet.org.uk but not signed with our key, would be treated as suspicious. At first glance it appeared to be quite simple:
1. Generate a private/public key pair.
2. Configure our mail servers to sign outgoing e-mails with the private key.
3. Publish the public key in the nominet.org.uk zone.
And that’s done! Not quite.

We have some auxiliary mail servers serving nominet.org.uk subdomains, e.g. lists.nominet.org.uk (which is not delegated), where we cannot deploy DomainKeys signing just yet. After reading rfc4870 I realized that a granular DomainKeys signing policy published in DNS would be just what we wanted. So my thought was to publish a policy like this:

1. any e-mails coming from @nominet.org.uk MUST be signed.
2. any e-mails coming from @subdomain.nominet.org.uk MAY be signed.

So real records in nominet.org.uk zone with lists.nominet.org.uk example would look like this:

_domainkey IN TXT “o=-”
_domainkey.lists IN TXT “o=~”

Here I bumped into a problem. Nowhere in rfc4870 it was specified that MTAs MUST look up a subdomain _domainkey policy so I was not sure that all MTA implementations wouldn’t just lookup _domainkey.nominet.org.uk policy for @lists.nominet.org.uk e-mails and would lookup _domainkey.lists.nominet.org.uk as well. As result I could not be sure that all MTAs would read our DomainKey policy correctly.
And at that point I was told that rfc4870 had been obsoleted by rfc4871 and something important about signing policies had changed.

So, as of now, nominet.org.uk e-mails are not being signed yet and I am back reading RFCs, i.e. rfc4871. I hope I read the right RFC this time.

Having recently setup my new Linux box with Ubuntu 7.10 I have just installed Iris Explorer successfully (eventually).

In order to ensure Iris Explorer runs properly there’s a few additional libraries that need installing…..

The first step is to request a license key from the NAG’s support section. In order to do this you need to run the supplied key_rqst program. Although, the install of Ubuntu I am using is 64-bit and the key_rqst program is 32-bit - this needs the installation of libc-i386.

In order to actually execute Iris Explorer you also need to install the following libraries:

• libmotif3
• libstdc
• libg2c0
• libg2cDev

Finally, Iris will run with the above installed but some modules (typically display modules) will not run without the gcc libraries installed either.

I’ve blogged before about our experience of using DataCash as a payment service provider especially with regard to the difficulties of getting 3-D Secure working correctly.

Since then, we’ve hit another difficulty. We want to implement continuous authority (CA), which in essence is like setting up a direct debit on a credit card. This is because some of our customers would like us to simply charge their credit card with the outstanding amount each month. We started implementing this and got quite a long way down the path before hitting a major obstacle.

To set up the authority you need to make an initial payment, but simply flag this as being special. This initial payment is exactly like an ordinary credit card payment, but you get back a reference you can use next time around instead of providing the customers card details. We have committed to using 3-D Secure for any cards that support it, so that automatically took place for the initial payment, which is made online. Unfortunately DataCash can’t support both CA and 3-D Secure. So all of this development work had to be shelved.

Luckily for DataCash (and unluckily for us), no-one else who does CA with 3-D Secure also supports the other services we use from DataCash (in particularly paperless direct debit). So we are still a customer.  But it does seem amazing that this support is not there, especially as 3-D Secure is slowly but surely being mandated by the big card providers.