Create self-signed SSL certificate for Azure

Creating a self-signed certificate is simple – when you know the correct commands.

First create the sertificate and private key

makecert -r -sv example-org.pvk example-org.cer -a sha1 -n "CN=www.example.org" -pe -len 2048 -sky exchange -eku 1.3.6.1.5.5.7.3.1

(specify some password, remember it)

Next combine the cert and private key to PFX:

pvk2pfx -pvk example-org.pvk -spc example-org.cer -pfx example-org.pfx  -f

Now this should be good enough but its not. Apparently Azure is having some issues with the PFX files generate through the command line tool. A quick fix is to import the certificate to windows certificate store and then export from there.

To import, simply open the example-org.pfx from explorer. When importing, you need the password. Remember to check the allow private key export checkbox. You can use any store, but I used the personal one.

Once this is done, start up certmgr.msc and locate the certificate and export it (right click, all tasks, export). Remember to also export the private key. Set some password and remember it.

After this you can go to Azure Management and upload the certificate.

Posted in Azure |

Hotkeys for moving windows around screens

I’m using multiple monitors and sometimes it would be useful to have hotkeys that would position the active window to certain place on certain screen. I took a quick look at ready made software but those did not seem to solve my specific problem.

Luckily I found Autohotkey which allows binding of various actions to certain keys. The actions are written using a scripting language.

A number of scripts for doing this kind of window moving already exist, but instead of finding out which one is suitable for my needs, I decided to roll out my own. My solution is pretty limited as it relies on hardcoded coordinates. A number of other scripts provide functions for determining the windows sizes and calculating the positions.

How the monitors are split

In order to use the script, install Autohotkey and copy the script for example to the autohotkey.ahk file that is generated as sample (you can replace the other content). This has been tested on Windows 8.

; Simple Autohotkey script for moving around windows on 
; three monitors
;
; The screens I'm using (from left to right)
; - 1200x1920 (24", portrait)
;-  2560x1600 (30", landscape, main screen)
; - 1200x1920 (24", portrait)
;
; Left monitor is split to upper and lower half
; Center monitor is split to left and right halfs
; Right monitor is split vertically to three parts
;
; Win+numpad combinations are used to position the active 
; window on above mentioned locations. Coordinates are
; hardcoded. (0,0) is the top-left corner of the main screen.
; The coordinates on other screens depend on how they are 
; positoned on the Windows monitor configuration (you can adjust
; the vertical position of the screen there). Autohotkey 
; Window Spy is a good tool for finding the coordinates if you
; don't want to do the math :)
;
; Juha Palomäki, 2013, http://juhap.iki.fi

; Left screen, top half
#Numpad7::
win:=WinExist("a")    			; 
WinRestore
WinMove,,,-1200,-186,1200,960
return

; Left screen, bottom half
#Numpad1::
win:=WinExist("a")    			; 
WinRestore
WinMove,,,-1200,774,1200,960
return

; Left screen, maximize
#Numpad4::
win:=WinExist("a")    			
WinMaximize
WinMove,,,-1200,-186,1200,1920
return

; Center screen, left half
; Full height is not used in order to leave space for taskbar
#Numpad8::
win:=WinExist("a")    			
WinRestore
WinMove,,,0,0,1280,1558
return

; Center screen, right half
#Numpad2::
win:=WinExist("a")    			
WinRestore
WinMove,,,1280,0,1280,1558
return

; Center screen, maximize
#Numpad5::
win:=WinExist("a")    			 
WinMaximize
WinMove,,,0,0,2560,1558
return

; Right screen, top
#Numpad9::
win:=WinExist("a")    			
WinRestore
WinMove,,,2561,-185,1200,563
return

; Right screen, bottom
#Numpad6::
win:=WinExist("a")    			
WinRestore
WinMove,,,2561,380,1200,685
return

; Right screen, middle
#Numpad3::
win:=WinExist("a")   
WinRestore
WinMove,,,2561,1066,1200,657
return
Posted in Misc |

Windows 8 hotkeys

Few Windows 8 hotkeys I have found useful:

Win
Goto start screen, start typing application name to search for it
Win-X
Open advanced menu from bottom-left corner of screen (you can access this by right clicking mouse on same place)
Win-X + A
Open command prompt as administrator
Win-X + C
Open command prompt (this is better than just launching command, the shortcut always creates new window)
Win-W
Access the search dialog. Search is not just for files and folders. Try typing for example “path” immediately after Win-W and you get choices which you can use to go the user or system environment settings.
Win-Left/right
Dock window to left/right side of screen, move around displays if you have multiple
Win-Up/down
Maximize, restore window
Shift-Click
Open new instance of programs
Middle click
Open new instance of program
Ctrl-Shift-Click
Open new instance of program as administrator

 

Comprehensive list:

Posted in Misc |

SSD encryption – How does it work?

Quite many vendors brag about the AES-256 encryption capabilities of their SSD drives. This sounds good, everybody like to keep their data safe & secure. But how this encryption really works, what does it protected you from? Easy questions, right? Sure this is clearly documented by the vendors.

Well.. It is surprisingly hard to find out how the encryption in modern SSD drives actually works. You get certain details, but the full picture. Google around and you are likely to find more questions than answers.

The main question is: Is the password entered by user used to encrypt the actual AES encryption key that is used to encrypt the data on SSD?

The data stored on flash memory chips is always encrypted. The drive controller maintains the key and encrypts/decrypts data on the fly as it passes through. Intel white paper states that Intel 320 SSD drives are initialized with unique encryption keys at the factory. User can trigger a generation of new encryption key through secure erase or enhanced secure erase procedure. The white paper does not give answer to your main question. Is the encryption key encrypted with the password entered by the user.

Obvious counter question is: why would they implement the AES encryption on the drive if the key is not encrypted with user entered password? Answer to this question is easy to figure out. Think about the situation when you want to discard old drive. With traditional hard drives you go and write zeros (or random data or random data multiple times, depending on your level of paranoia) on disk to remove existing content. With flash based storage this is not so easy. With hard drive you can write data over and over again on the exactly same spot on the disk platter. Not so with flash based storage. The flash memory consists of individual memory cells. Each memory cell supports only finite number of erase-write cycles. This means that at some point you can now longer write data to a specific flash memory cell. When computers use the hard disk, in many cases there are certain “hot spots” on the disk, think about the location of your swap file. Those  spots get constantly updates while other part of the disk are mostly just used to read data. Without some intelligence, the flash memory would quickly worn out from those hot spots. To combat this, the SSD drives use wear leveling algorithms. Instead of writing data always to the spot requested by computer/operating system, the drive actually decides how to evenly distribute the writes over the flash cells. SSD maintains internal mapping where data is actually written to so that during read operations it can recover it from correct place.

Now how does this relate to erasing data? The wear leveling means that operating system can never be certain that something it has written to SSD has been actually removed from there. Even if the operating system is trying to write at the very same spot on the disk to remove existing data, SSD could directing these writes to some other place. In some cases it could be that the flash cells have gone through their limited number of program-erase cycles and can’t be erased no matter what. These things pose a problem for securely removing the data. AES encryption to rescue! Remember the data written to the flash memory in encrypted by a key that is maintained by the drive. Instead of erasing actual data, we can simply erase the key. Once the key is gone the data is useless. Does not matter if somebody is able to recover the encrypted data from the flash chips in their laboratory. Since the encryption key no longer is, there is no way to decrypt the data.

Now back to original question. Let’s approach it with another question. Could the drive use the password entered by the user and not use it to encrypt the main encryption key. The obvious answer is yes. The drive you could implement a simple system where the password is stored in hashed form on the disk, when user enters it the drive would hash it again, compare to the hashed form and only allow access if correct password is given.

But how does the SSD actually work, is the ATA password entered by the user actually used to encrypt the AES encryption key or is the password just being used for traditional access control? After spending some quality time on Google, I finally found the answer from Intel Communities.

On April 8th, 2011 6:29 “Scott” from Intel Corporation has answered to this specific question: “Yes, ATA password is used to encrypt the encryption keys stores on the SSD.”  (This answer is related to Intel 320)

So there you have it. Of course this only applies to the specific Intel drive and it is just a comment on a discussion forum – hardly an official stament. It is also interesting that I could not find any white paper or more official documentation on the subject even though this is very important topic.

Now this is just a beginning. At least with Samsung 840 Pro drives there is already discussion about their encryption requiring TPM support from the system. Once again, very difficult to find any official documentation about the topic but it could be related to the OPAL specification. To read more about OPAL, check this presentation.

Posted in Security |

Get rid of NaN and INF values in Orbeon

With calculations in binds it is easy to run into NaN (Not-a-Number) or INF values showing on the form.

There are few ways to get rid of them

  • You can use if inside the calculation to prevent the calculation from running if the inputs would result in NaN or INF.
  • Use the relevant attribute in your bind expression to hide the field if the value is not numeric. You should be able to use something like not(number(myNode)) as the condition.
  • use the xxforms:format attribute together with translate to simple translate NaN and Infinity values to empty strings.
    <xforms:output .. xxforms:format="translate(translate(., 'NaN', ''), 'Infinity', '')" />
    
Posted in Orbeon |

Orbeon forms processsor for extracting locale from request

A simple processor for Orbeon forms that extracts locale information from request.

package fi.iki.juhap.xpl;

import java.util.Locale;

import org.dom4j.Document;
import org.dom4j.DocumentHelper;
import org.dom4j.Element;
import org.orbeon.oxf.pipeline.api.ExternalContext;
import org.orbeon.oxf.pipeline.api.PipelineContext;
import org.orbeon.oxf.processor.ProcessorInputOutputInfo;
import org.orbeon.oxf.processor.SimpleProcessor;
import org.orbeon.oxf.xml.TransformerUtils;
import org.xml.sax.ContentHandler;
import org.xml.sax.SAXException;

/**
 * Extract locale information from request.
 * 
 * Example output: 
 * 
 * <locale>
 * 		<language>en</language>
 * 		<country>US</country>
 * 		<variant />
 * </locale>
 *
 */
public class RequestLocaleProcessor extends SimpleProcessor {
	public RequestLocaleProcessor() {
		addOutputInfo(new ProcessorInputOutputInfo(OUTPUT_DATA));
	}
	
	public void  generateData(PipelineContext context, ContentHandler contentHandler) throws SAXException {
		ExternalContext externalContext  = (ExternalContext) 
				context.getAttribute(PipelineContext.EXTERNAL_CONTEXT);
		
		Locale locale = externalContext.getRequest().getLocale();

		Document document = DocumentHelper.createDocument();
		Element root = document.addElement("locale");
		root.addElement("language").addText(locale.getLanguage());
		root.addElement("country").addText(locale.getCountry());
		root.addElement("variant").addText(locale.getVariant());
		
		TransformerUtils.writeDom4j(document, contentHandler);		
	}
}

In order to use this you need to add it to processors-local.xml file (WEB-INF/resources/config) like this:

<processors xmlns:jp="http://fi.iki.juhap/processors">
    <processor name="jp:request-locale">
        <class name="fi.iki.juhap.xpl.RequestLocaleProcessor" />
    </processor>
</processors>

Usage very simple. In XPL you need to declare the namespace and then use the custom processor as any other.

<p:config xmlns:p="http://www.orbeon.com/oxf/pipeline"
          xmlns:jp="http://fi.iki.juhap/processors">
..
	<p:processor name="jp:request-locale">
		<p:output name="data" id="request-locale" />
	</p:processor>
..
</p:config>
Posted in Web development |

Orbeon, get-request-attribute and “Content is not allowed in prolog”

“An Error has Occurred Fatal error: Content is not allowed in prolog.”

Not one of my favourite problems as it is sometimes difficult to figure out what is the actual cause. In general the “content is not allowed in prolog” indicates there is some content in the xml file or stream before the <?xml …> declaration.

The error can easily happen if Orbeon thinks something is XML when it’s not. I’ve run into this problem couple of times with xxforms:get-request-attribute function. By default Orbeon seems to think the attribute probably contains XML data, tries to parse it and then runs into the problem if it is not actually XML.

Luckily this is easy to fix. Just pass in the content type in second argument:

xxforms:get-request-attribute('MY_VAR', 'text/plain')
Posted in Orbeon |

Debugging Orbeon XPL programs

Orbeon XPL is way of describing processing flows using XML syntax. Since there is no debugger the debugging mostly happens by putting something in and looking at what comes out.

You can always get the output from pipeline by using the “debug” attribute with processors, but reading the information from log files can be cumbersome if you have many steps. I’ve found it easier to put the output from certain processors to separate files on disk. I then keep the files open in editor that reload changes automatically. This makes it quick and easy to see how the changes I have made to XPL have affected the results.

To do this I have created a simple processor that writes the file to certain location.

write-to-file.xpl:

<p:config xmlns:p="http://www.orbeon.com/oxf/pipeline"
	  xmlns:oxf="http://www.orbeon.com/oxf/processors">
	<p:param type="input" name="data" />
	<p:param type="input" name="setup" />

	<p:processor name="oxf:xml-converter">
	    <p:input name="config">
	        <config>
	            <encoding>utf-8</encoding>
	        </config>
	    </p:input>
	    <p:input name="data" href="#data"/>
	    <p:output name="data" id="converted"/>
	</p:processor>
	<!-- Comment out the following processor to disable debugging -->
	<p:processor name="oxf:file-serializer">
	    <p:input name="config" href="#setup" />
	    <p:input name="data" href="#converted"/>
	</p:processor> 
 </p:config>

That processor is used from my main XPL by connecting it to interesting outputs (below the #xforms).

<p:processor name="oxf:pipeline">
	<p:input name="config" href="write-to-file.xpl"/>
	<p:input name="data" href="#xforms" />
	<p:input name="setup">
		<config>
			<directory>c:/temp</directory>
			<file>xforms.xml</file>
		</config>
	</p:input>
</p:processor>
Posted in Orbeon |

Orbeon XPL copy values from request

Quite often I end up in situations where I need to use a value from HTTP request (either parameter or header) inside a configuration element for another Orbeon XPL processor.

One fairly simple way to do this is to use oxf:xslt processor as shown below:

<p:config xmlns:p="http://www.orbeon.com/oxf/pipeline">
	<!-- Read in request headers -->
	<p:processor name="oxf:request">
		<p:input name="config">
			<config>
				<include>/request/headers/username</include>				
			</config>
		</p:input>
		<p:output name="data" id="request" />
	</p:processor>

	<p:processor name="oxf:xslt">
		<p:input name="data" href="#request" />
		<p:input name="config">
			<config xsl:version="2.0">
				<orgUnit>A</orgUnit>
    			<username>
    				<xsl:value-of select="//header[name='username']/value"/>
    			</username>
			</config>
		</p:input>		
		<p:output name="data" id="config" />
	</p:processor>
</p:config>

The example code will take the “username” request header and combine it with the XML fragment:

<config>
	<orgUnit>A</orgUnit>
</config>

to create

<config>
	<orgUnit>A</orgUnit>
 	<username>...</username>
</config>

Another option could be to use the aggregate and xpointer functions.

Posted in Orbeon |

Customizing Liferay service builder templates

Liferay service builder code generation is based on Freemarker templates. The default templates come packaged inside the portal jar files. You can take a look at them for example in Github (note that those are from master branch – if you want to make modifications you should probably locate template files that correspond to the version of your Liferay setup). Another option to see the templates is to locate the portal-impl.jar and extract template files from there. The templates are in com/liferay/portal/tools/servicebuilder/dependencies package/folder.

In order to make service builder use your modified template you need to make the template available and then change the ant build scripts to make use of it.

1. Create sb_templates directory underneath liferay-plugins-sdk -root folder and place your modified template there. I suggest using the original template file name to keep things simple.

2. Modify the ant build script to override the default templates with your own. The related build file is build-common-plugin.xml (located in liferay-plugins-sdk folder). Look for the “build-service” target. There you need to make two changes

2.1 Locate the path with id=”service.classpath”. The service builder will use this path to locate the templates. Add following highlighted line as the first item

<path id="service.classpath">
    <pathelement location="${project.dir}/sb_templates" />
    <path refid="lib.classpath" />
	<path refid="portal.classpath" />
	<fileset dir="${app.server.lib.portal.dir}" 
          includes="commons-digester.jar,commons-lang.jar,easyconf.jar" />
	<fileset dir="docroot/WEB-INF/lib" includes="*.jar" />			
	<pathelement location="docroot/WEB-INF/classes" />
</path>

2.2 Modify the java task, adding arguments like the following line for each template you want to override

<java
	classname="com.liferay.portal.tools.servicebuilder.ServiceBuilder"
	classpathref="service.classpath"
	outputproperty="service.test.output">
	<arg value="-Dexternal-properties=com/liferay/portal/tools/dependencies/portal-tools.properties" />
	<arg value="-Dorg.apache.commons.logging.Log=org.apache.commons.logging.impl.Log4JLogger" />
	<arg value="-Dservice.tpl.service_clp_serializer=vt_service_clp_serializer.ftl" />					
	<arg value="service.input.file=${service.input.file}" />
	<arg value="service.hbm.file=${basedir}/docroot/WEB-INF/src/META-INF/portlet-hbm.xml" />

3. Execute service builder. Remember to check the output to see if there are some errors in your templates. If your modified template is not found, service builder may just skip generating the file. This can be confusing if you generating on top of existing files. If you suspect the files is not being regenerated compare the last modified timestamp to other generated files.

Posted in Liferay |