Tue, 17 May 2005

Abusing Keytool

Well, we've got this horrible java portal thingee running at work as a pilot for deciding if we actually want to run some sort of single sign-on portal for staff and students... It's nice, in that I don't have to do much, other than make sure the machine runs, and the tomcat service stays up - We've got a little 'portal team' that's doing all the hard work.

So, anyway, TPTB decided they wanted a calendar portlet - sadly nothing out there for uPortal is of any usable quality, so they wanted to use a php calendar served via apache+php in the back end, to an iframe channel in the portal. Yech. But, ok. My only stipulation was that the back end server would detect if it wasn't being run in the iframe, and redirect people to the portal proper, in an attempt to stop people finding the calendar URL and accessing it directly.

Well, to cut a long story short, the production system is served over SSL, whereas the dev system isn't. The dev system worked fine, the production didn't. It boiled down to the fact that the calendar installation for the production system wasn't on SSL, and this was throwing a spanner in the works with how the portal's iframe proxy thingee was requesting the calendar pages. Solution? enable SSL on the calendar URL.

So, the private key for the SSL certificate we're using, is hidden away in a java keystore. The cert is easy to get out for apache to use, but the key isn't. So, a little googling, and I found this. Very Very useful. So, basically, you can do this:

keytool -list -keystore <keystore> -storepass <password>  # (to get the appropriate alias)
java ExportPriv <keystore> <alias> <password> > exported.key

Voilà :)
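A more careful way to run the export above, as an added example that is not from the original post: the redirect is wrapped so that exported.key is created mode 0600, and the result is checked against the certificate before Apache is pointed at it. The function names and the file name server.crt are assumptions, and the key is assumed to come out as unencrypted PEM.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Run a command that writes a private key to stdout, sending it to a file
# that is created 0600. Refuses to reuse an existing file, because a
# redirect keeps the old file's (possibly world-readable) mode.
export_private() {   # $1 = output file, rest = export command
    out=$1; shift
    [ ! -e "$out" ] || return 1
    ( umask 077 && "$@" > "$out" ) || { rm -f "$out"; return 1; }
}

# Succeed only if the file has no group/other permission bits set.
key_perms_ok() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1") || return 1
    case "$mode" in
        [0-7]00) return 0 ;;
        *)       return 1 ;;
    esac
}

# Succeed only if the private key and the certificate carry the same public
# key, i.e. the alias picked from `keytool -list` was the right one.
key_matches_cert() {   # $1 = private key (PEM), $2 = certificate (PEM)
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Usage with the commands from the post (placeholders left as written there;
# server.crt is an assumed name for the certificate already exported):
#   export_private exported.key java ExportPriv <keystore> <alias> <password>
#   key_perms_ok exported.key && key_matches_cert exported.key server.crt
```

Passing the keystore password as an argument leaves it visible in the process list and shell history; `keytool` prompts for it when `-storepass` is omitted.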

[00:08] [/Work] [permanent link]

Thu, 12 May 2005

The X Config

Well, I've had at least one email asking about the X Config for my Triple head setup.. So, I thought I'd chuck it up here, explaining the relevant bits.

Ok, to start with, you need to make sure your ServerFlags section turns on Xinerama:

Section "ServerFlags"
    Option  "Xinerama"  "1"
EndSection

Then, you need to create some Device sections for each head - with a dual head nvidia card, you can use the Screen option to distinguish between the outputs - I'm not sure if this is specific to the nvidia driver. With multiple cards, you must specify the BusID option - you can find out what the correct value is for your card by running 'X -scanbus' and checking the output (which on my system gets sent to /var/log/XFree86.0.log).

Here's what I use (First two are on a Dual head AGP card, the third is the PCI card):

Section "Device"
    Identifier  "nVidia GeForce FX 5200 - 0"
    Driver      "nvidia"
    BusID       "PCI:1:0:0"
    Option      "NvAgp" "1"
    Screen      0
EndSection

Section "Device"
    Identifier  "nVidia GeForce FX 5200 - 1"
    Driver      "nvidia"
    BusID       "PCI:1:0:0"
    Option      "NvAgp" "1"
    Screen      1
EndSection

Section "Device"
    Identifier  "nVidia GeForce2 MX400"
    Driver      "nvidia"
    BusID       "PCI:5:9:0"
    Option      "NvAgp" "1"
EndSection

Next up, you need to create some relevant Screen sections to go with each of the above. Child's play - this is so far, all bog standard X stuff. I have:

Section "Screen"
    Identifier  "Screen <x>"
    Device      "<device>"
    Monitor     "HP L1925"
    DefaultDepth    24
    SubSection "Display"
        Depth       24
        Modes       "1280x1024"
    EndSubSection
EndSection

Finally, you need to add each Screen to your ServerLayout section, to create a virtual definition of how your physical displays are set up. I have the following (note that the logical order of my displays in relation to the devices defined above is '2-0-1' from left to right):

Section "ServerLayout"
    Identifier  "Default Layout"
    Screen      0 "Screen 0"
    Screen      1 "Screen 1" rightOf "Screen 0"
    Screen      2 "Screen 2" leftOf "Screen 0"
    InputDevice ....
EndSection

And that's it. X is clever enough to do the rest for you. I'm currently using XFree86 on Debian unstable, but I'd imagine the setup would be somewhat similar.

And just for reference, this is the Device section I used before going to 3 heads, which shows how to use TwinView:

Section "Device"
    Identifier  "nVidia GeForce FX 5200"
    Driver      "nvidia"
    BusID       "PCI:1:0:0"
    Option      "NvAgp"             "1"
    Option      "TwinView"
    Option      "SecondMonitorHorizSync"    "30-82"
    Option      "SecondMonitorVertRefresh"  "60"
    Option      "TwinViewOrientation"       "RightOf"
    Option      "ConnectedMonitor"      "CRT,CRT"
    Option      "MetaModes"   "1280x1024,1280x1024; 1280x1024,NULL"
EndSection

You can use TwinView when you have more than two displays, if you're only using one nvidia card. (this is how Jon Oxer is still using TwinView)

[02:26] [/Work] [permanent link]

Wed, 11 May 2005

Drool Worthy

So, yesterday, the extra PCI video card I ordered arrived at work for my work desktop.. Ahh! so he's going to do dual-head you say. NO! Triple head actually.. :) And I oh so very much like it.. It's a damn shame I can't have this at home.

The new card happens to be an nVidia GF2 MX400. Having two cards, means that doing what's called "TwinView" on the first is no longer possible. Basically the nvidia driver would present a nice wide display to the X server, where in actual fact the driver internally is telling the card to use both outputs. As opposed to the X server actually knowing that there's more than one head being used.

Now, I have the X server knowing about all three heads, and running the Xinerama extension. Before, the nvidia driver was using its internal Xinerama extension, which meant that to the X server, this one really big display was split in two.

I don't know how the X internals work, but I'd imagine that the configuration now, will have the X server copying between the different video memories when you drag windows between the heads. Whereas before, as one big display, it was only one video memory to X.. Obviously, there's a performance hit here. You notice it for sure, when you drag a really huge firefox window between the heads. Small windows are hardly affected.

Now, 3 Heads, or speedy window drags between heads? I'm willing to take that trade off :)

UPDATE 2005/05/11: Bastard

[23:06] [/Work] [permanent link]

Mon, 12 Jul 2004

Training, the M$ way.

This week I'm being subjected to an M$ Training course - "Implementing and Managing Microsoft(R) Exchange Server 2003 (2400BC)". Mainly as a backup, so I've got some knowledge about how it will be talking to the core campus mail servers, and how to make any changes that are needed. The primary Exchange admin is here too...

Anyway, to cut a long story short, I cannot work out what I find is the most absurd thing about this "course" - I'm not sure if it's the sickeningly sweet way everything about exchange is presented as if it's the answer to everything, or if it's the way that the trainer is showing us all these neat little things that you can do with Windows to make administration easier... Things that you could do in *nix years ago.

Anyway, I'm still coming to terms with this point and click thing...

[02:21] [/Work] [permanent link]

Tue, 02 Mar 2004

Apache+mod_ssl, and a morning off work.

Ok, I also agree with joeyh, I hate thinking of titles too....

Moving on, I learnt for the first time today, how SSL Cert creation works... A workmate usually does that stuff. But I run the webmail service, which I finally decided I should get a move on with, and make encrypted. Anyway, to cut a long story short, I created a key, and then the Cert Signing Request, and mailed it off to the 'IT Security Officer' for him to plug into Thawte's web page.

Sadly, the machine in question, is running RHAS... I'm thankful that I managed to put my foot down with my pride and joy.... the Student mail server. Quad 2.8GHz Xeon, 4G RAM, and ~850GB of RAID5'd disk for the cyrus spool. It runs Debian. As part of our 'policies', we reserve the right to mass mail students. The in-house software - Ok, bash script - that was written long before I arrived, used to take a good 5-7 hours on the old Solaris box that once accommodated the students. After an extensive rewrite by myself, it now runs in just under 10 minutes. Ok, to how many accounts you ask? Just under 16 thousand.

Some will remember that I received a Summons to Jury duty... It was awfully nice for the accused, a nicely tattooed chap, to decide that morning he'd enter a guilty plea. The court person said "Thanks for coming. We only heard about his decision this morning, so there was no time for us to contact you." Oh well, I'm not too fussed.. I got the morning off work, and $25 for the trouble (Jury duty lands you $25 per half day in NZ). Would have been interesting too... apparently he was wielding a weapon (a knife) on a public street, and had threatened to seriously harm someone with it. A Year ago. It appears that in law, things move even slower than at work.

[10:21] [/Work] [permanent link]

Sat, 31 Jan 2004

Weekend Overtime Sucks.

Ok, so it goes like this. Crappy old third party SCSI drive fails in the staff mail server. No problem, we'll just replace it. Ok, no spares available in a decent time frame from any local suppliers. (It's an old 18G with an SCA connector). Right, next plan. Let's just remove the partner disk of the failed one from the mirror set, and reduce the size of the mirror. After all, the single 75G volume served both Staff and Students until a month ago, so staff won't miss ~18G or so.

Tonight rolls around, when I'm supposed to do this work. Ok, so I try putting a spare 36G into the slot where the 18G failed. BAD idea:

d20: Submirror of d21
    State: Needs maintenance 
    Invoke: metareplace d21 c2t3d0s1 <new device>
    Size: 143302506 blocks
    Stripe 0: (interlace: 32 blocks)
        Device              Start Block  Dbase State        Hot Spare
        c2t0d0s1                   0     No    Maintenance  
        c2t1d0s1                   0     No    Maintenance  
        c2t2d0s1                   0     No    Maintenance  
        c2t3d0s1                   0     No    Maintenance

For some reason, it cut power to the entire disk enclosure. Although, there are two enclosures, and half of the mirror set is in each. (4 18's striped in each enclosure, then mirrored.) No problem, after futzing with power in the enclosure, things come back. Good good. Right, New plan. I use the silly Solaris DiskSuite tools to remove the failed submirror from the mirror, and recreate a new stripeset with the 3 good disks. We'll copy to that, then do some fun data shuffling. No problem.

Start rsync. Wait. Wait some more. And some more. Go get food... Right ok, I'm back, and what do I find? but it copying the old student spool, sitting in cyrus/PRE_STUDENTMOVE/ - Mike, you're a dumbass. Let's see if I can get by for the rest of the evening without screwing up too badly again... *sigh*

UPDATE 2004/02/01: Finally...
... I can go home.

d21: Mirror
    Submirror 0: d20
      State: Okay         
    Submirror 1: d19
      State: Resyncing    
    Resync in progress: 11 % done

Still had to wait ages on rsync though....

[10:07] [/Work] [permanent link]