Saturday, August 31, 2013

Puppet: getting started with hiera (hiera example)

Official doc here

I don't like hiera, but it's better than hardcoding configuration in .pp files.
First attempt:
vi hieratest.pp
$pippo = hiera('pippo')
notify { "${pippo}" : }

I run "puppet apply hieratest.pp" and I get:
Hiera config file /etc/puppetlabs/puppet/hiera.yaml not readable at /root/puppettests/hieratest.pp:1
then I do vi /etc/puppetlabs/puppet/hiera.yaml and I enter (Hiera 1 format: the hierarchy, the backend list and the backend-specific datadir):
---
:hierarchy:
    - hosts/%{::fqdn}
    - environments/%{environment}
    - common
    - users
:backends:
    - yaml
:yaml:
    :datadir: '/etc/puppetlabs/puppet/hieradata/'

and rerun "puppet apply hieratest.pp" and I get:
Could not find data item pippo in any Hiera data file and no default supplied at /root/puppettests/hieratest.pp:1
Better than before :o)
so I do
mkdir /etc/puppetlabs/puppet/hieradata/
vi /etc/puppetlabs/puppet/hieradata/common.yaml
(remark: common is a member of the hierarchy in hiera.yaml) and I enter
pippo : 'hello world!'

Again "puppet apply hieratest.pp":
notice: hello world!
Hurrah! My first hiera-based module!

Friday, August 30, 2013

Gridlink Datasource registering with ONS daemons

When you have a GridLink DS you will see this debug message in the logs (only if your log level is DEBUG, of course :o) )

<BEA-001556> <Data Source ACME_ConfigDS for service registering with ONS daemons using configuration string nodes=acme535:6200,acme536:6200,acme531:6200,acme532:6200,acme533:6200,acme534:6200

In our case this took 30 seconds for each DS, and made the restart of the cluster painfully slow.

Check that each individual node in the list is actually reachable from the WebLogic server on the ONS port (no firewall in between!), and that the ONS daemon on it is actually up and running. An unreachable or dead node makes the registration wait for a timeout, and that is what adds up to the 30 seconds per data source.
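To make that check mechanical, here is an added example (not part of the original post): it pulls the node list out of a BEA-001556 line like the one above and TCP-probes every host:port, so a blocked or dead ONS daemon shows up before it costs you a timeout per data source at restart. The log line is the one quoted above; that the acme5xx hosts resolve on your network is an assumption, and the probe function is injectable so the logic can be exercised without one.

```python
"""Added example: parse the ONS node list from a GridLink debug line and
probe each node over TCP.  Not code from the original post."""
import re
import socket

# Constructed sample, copied from the BEA-001556 message quoted above.
SAMPLE_LOG_LINE = (
    "<BEA-001556> <Data Source ACME_ConfigDS for service registering with ONS "
    "daemons using configuration string nodes=acme535:6200,acme536:6200,"
    "acme531:6200,acme532:6200,acme533:6200,acme534:6200"
)

_NODES_RE = re.compile(r"nodes=([^\s>]+)")


def parse_ons_nodes(log_line):
    """Return the (host, port) pairs from the 'nodes=' configuration string."""
    match = _NODES_RE.search(log_line)
    if not match:
        return []
    nodes = []
    for item in match.group(1).split(","):
        host, sep, port = item.partition(":")
        if not sep or not port.isdigit():
            raise ValueError("malformed ONS node entry: %r" % item)
        nodes.append((host, int(port)))
    return nodes


def tcp_probe(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes within timeout.
    A refused or timed-out connect is the symptom to look for: the ONS
    listener is down, or a firewall sits between WebLogic and the node."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except (socket.timeout, OSError):
        return False


def check_ons_nodes(log_line, probe=tcp_probe):
    """Map every node in the log line to True/False reachability.
    `probe` is injectable so the parsing logic can be tested offline."""
    return {"%s:%d" % (h, p): probe(h, p) for h, p in parse_ons_nodes(log_line)}


if __name__ == "__main__":
    for node, ok in sorted(check_ons_nodes(SAMPLE_LOG_LINE).items()):
        print("%-16s %s" % (node, "reachable" if ok else "UNREACHABLE"))
```

Run it on the WebLogic host itself, not from your workstation: the firewall rule that matters is the one between the managed server and the ONS port.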

Vertical Tabs in Internet Explorer

I am forced to use Internet Exploder lately, and it literally drives me mad with the non-customizability of its tabs: they are stuck on the top, stealing valuable vertical space.

As very well highlighted in this post:

the most ergonomic browser IMHO remains Firefox.

The good news is that you can install Firefox Portable Edition without admin rights.... FAREWELL IE!!!

Iterations in Puppet: create_resources

So, the BAD news is that in Puppet (the Puppet 3 parser at least; iteration functions such as each and map only arrived with the future parser and Puppet 4) you cannot do a for loop and create resources specified in a collection.
Why not? Because. Don't ask. The Founding Fathers of Puppet decided so, and thou shalt not dare question why.
The good news is that you can STILL iterate, by sticking all your (homogeneous) resources in a hash and calling create_resources on it (Puppet supports this very advanced concept of Hash, disregarding 30 years of object-oriented programming technology... call it time travel). Each key of the hash becomes a resource title, and its value is the hash of parameters for that resource:
#Where the .crt .key and .cer files are
$certsFolder = '/home/soa/jkstest/source/'

#where to create the JKS files
$targetJKSFolder = '/home/soa/jkstest/target/'

$trustPassword = '111111'

/* This is how a traditional java_ks invocation looks like
java_ks { "ca_nestle:trustDEV.jks" :
    ensure       => latest,
    certificate  => "${certsFolder}ACMECA.cer",
    target       => "${targetJKSFolder}/trustDEV.jks",
    password     => "${trustPassword}",
    trustcacerts => true,
}
*/

# one entry per certificate to add; the key is the resource title (the alias)
$jksHash = {
  trustDEV1 => {
    ensure       => latest,
    certificate  => "${certsFolder}ACMECA.cer",
    target       => "${targetJKSFolder}/trustDEV.jks",
    password     => "${trustPassword}",
    trustcacerts => true,
  },
  trustDEV2 => {
    ensure       => latest,
    certificate  => "${certsFolder}ItalianSignCA.cer",
    target       => "${targetJKSFolder}/trustDEV.jks",
    password     => "${trustPassword}",
    trustcacerts => true,
  },
}

create_resources(java_ks, $jksHash)

This is how, in one go, I can add 2 certificates to a JKS store. One caveat: the trust-store password is hard-coded in the manifest above, so it ends up in version control next to the code; it belongs in hiera (ideally encrypted with hiera-eyaml), like the rest of the configuration.

What can I say. It could be worse. It could be Maven.

Thursday, August 29, 2013


Wednesday, August 28, 2013

Import an existing Private Key (.key file) into a JKS store

Sounds easy but it's not. I have an existing .key (private key) and .crt file (certificate for the public key) and I want to import them into a JKS.

The only way seems to be going through an intermediate PKCS#12 store, which is then imported into the JKS. So much fuss for a simple operation which should be natively supported.

In fact, the Puppet java_ks module does exactly this:

openssl pkcs12 -export -passout stdin -in /home/soa/jkstest/source/ -inkey /home/soa/jkstest/source/ -name

followed by a keytool -importkeystore of the resulting PKCS#12 file, when you ask it to import a .crt and a .key into a keystore (note the -passout stdin: the export password is fed on standard input, not put on the command line where every local user could read it with ps):

    java_ks { "${nesoa2env}" :
        ensure       => latest,
        certificate  => "${certsFolder}",
        private_key  => "${certsFolder}",
        target       => "${targetJKS}",
        password     => "${identityPassword}",
        trustcacerts => false,
    }
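The same two-step import, driven from Python, as an added example (not the java_ks module's own code): .key + .crt are bundled into a PKCS#12 file by openssl, which is then copied into the JKS by keytool -importkeystore. Both passwords are kept out of argv: openssl reads its export password from stdin (-passout stdin, as the module does) and keytool reads its passwords from environment variables (the -srcstorepass:env / -deststorepass:env forms). File names, the alias, the environment variable names and an unencrypted private key are assumptions for the example.

```python
"""Added example: .key/.crt -> PKCS#12 -> JKS without passwords on the
command line.  Not the Puppet module's code."""
import os
import subprocess


def pkcs12_export_cmd(cert_path, key_path, alias, p12_path):
    """openssl command: bundle key + cert into a PKCS#12 file, password on stdin."""
    return [
        "openssl", "pkcs12", "-export",
        "-passout", "stdin",            # never "-passout pass:<secret>"
        "-in", cert_path,
        "-inkey", key_path,             # assumed unencrypted; else add -passin
        "-name", alias,
        "-out", p12_path,
    ]


def keytool_import_cmd(p12_path, jks_path, alias, src_env="P12_PASS", dst_env="JKS_PASS"):
    """keytool command: copy the PKCS#12 entry into the JKS, passwords via env vars."""
    return [
        "keytool", "-importkeystore", "-noprompt",
        "-srckeystore", p12_path, "-srcstoretype", "PKCS12",
        "-srcstorepass:env", src_env,
        "-destkeystore", jks_path, "-deststoretype", "JKS",
        "-deststorepass:env", dst_env,
        "-srcalias", alias, "-destalias", alias,
    ]


def argv_leaks_secret(argv, secret):
    """Guard run before executing anything: the secret must not appear in argv."""
    return any(secret in arg for arg in argv)


def import_key_pair(cert_path, key_path, alias, jks_path, p12_password, jks_password):
    """Run both steps; raises on failure.  The intermediate .p12 holds the
    private key, so it is removed even when keytool fails."""
    p12_path = jks_path + ".tmp.p12"
    cmd1 = pkcs12_export_cmd(cert_path, key_path, alias, p12_path)
    cmd2 = keytool_import_cmd(p12_path, jks_path, alias)
    for cmd in (cmd1, cmd2):
        for secret in (p12_password, jks_password):
            if argv_leaks_secret(cmd, secret):
                raise RuntimeError("refusing to put a password on the command line")
    try:
        subprocess.run(cmd1, input=p12_password + "\n", text=True, check=True)
        env = dict(os.environ, P12_PASS=p12_password, JKS_PASS=jks_password)
        subprocess.run(cmd2, env=env, check=True)
    finally:
        if os.path.exists(p12_path):
            os.remove(p12_path)


if __name__ == "__main__":
    # Example invocation; paths and passwords are placeholders.
    import_key_pair("/home/soa/jkstest/source/server.crt",
                    "/home/soa/jkstest/source/server.key",
                    "server", "/home/soa/jkstest/target/identity.jks",
                    "p12-export-pass", "jks-store-pass")
```

Afterwards, `keytool -list -v -keystore identity.jks` should show the alias as a PrivateKeyEntry; a TrustedCertEntry means only the certificate made it across.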

Sunday, August 25, 2013

JKS management made easy with Portecle

One of the irritating things about security is all those different options in the keytool command line. Portecle makes life a lot easier by managing ONE JKS.

Unfortunately I still need to find an application which can ease the pain of maintaining all the security-related artifacts in a complex organization - based on a DATABASE of certificates, JKS stores, private keys etc.

Book: The Healthy Programmer

The book provides a host of evidence about the negative effect (=early death and painful life) of the lifestyle associated with most office jobs: long hours sitting, not enough aerobic exercise, strain on specific parts of the body (neck, wrists, spine)....

The solution is quite simple: take more breaks, walk, have a healthy nutrition (NO SUGAR, NO SODAS). Nothing new honestly.

keytool error AVA format

I run this command:

keytool -genkeypair -alias alias -keyalg RSA -keysize 1024 -dname dn -keystore keystore

and this fails with "keytool error AVA format"

Just remove -dname:
keytool -genkeypair -alias alias -keyalg RSA -keysize 1024 -keystore keystore

and answer all questions interactively, and you will be fine. Otherwise, provide a proper dname, like "CN=Mark Smith, OU=JavaSoft, O=Sun, L=Cupertino, S=California, C=US": every element must be a type=value pair, separated by commas, and that is what the "AVA format" error is complaining about. For details, see the EXCELLENT keytool documentation (when everything else fails, read the manual). Especially, avoid funny characters in the dname, including . or $ or #, unless you escape them properly. Also, 1024-bit RSA as in the command above is too short for anything you intend to keep: use -keysize 2048 at least.
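Rather than avoiding "funny characters", you can escape them: an added example (not from the original post) that builds a -dname value keytool's AVA parser accepts, escaping each attribute value per RFC 4514, which is the quoting Java's X.500 name parser understands. The names below are fictitious, the list of accepted attribute types is restricted to the common ones, and that your keytool version accepts RFC 4514 escapes is an assumption.

```python
"""Added example: build an RFC 4514-escaped distinguished name for
keytool -dname.  Not code from the original post."""

# Characters that must be backslash-escaped anywhere inside an attribute value.
_SPECIAL = set('",+;<>\\')


def escape_rdn_value(value):
    """Escape one attribute value (the text after '=') per RFC 4514."""
    if not value:
        return ""
    out = []
    for ch in value:
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    escaped = "".join(out)
    # A leading '#' or space, and a trailing space, are significant too.
    if value[0] in "# ":
        escaped = "\\" + escaped
    if len(value) > 1 and value.endswith(" "):
        escaped = escaped[:-1] + "\\ "
    return escaped


def build_dname(attributes):
    """attributes: list of (type, value) pairs in the order keytool should
    print them, e.g. [("CN", ...), ("OU", ...), ("O", ...), ("C", ...)].
    Returns the string for:  keytool -genkeypair -dname "<result>" ...
    Only the common attribute types are accepted here (an assumption of
    this example; keytool itself also takes OIDs)."""
    allowed = {"CN", "OU", "O", "L", "ST", "S", "C", "EMAILADDRESS", "DC", "STREET", "UID"}
    parts = []
    for attr_type, value in attributes:
        t = attr_type.upper()
        if t not in allowed:
            raise ValueError("unsupported attribute type: %r" % attr_type)
        parts.append("%s=%s" % (t, escape_rdn_value(value)))
    return ", ".join(parts)


if __name__ == "__main__":
    # Fictitious subject with a comma and a plus sign that would otherwise
    # break the AVA parsing.
    print(build_dname([("CN", "Smith, John"), ("OU", "R+D"),
                       ("O", "Acme, Inc."), ("L", "Cupertino"),
                       ("ST", "California"), ("C", "US")]))
```

Remember to wrap the result in double quotes on the shell command line; the backslashes are for keytool, not for the shell, so in bash use single quotes around the whole value.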

Saturday, August 24, 2013

Stderr: VBoxManage.exe: error: Could not rename the directory

I am not a big fan of Vagrant: its behavior is way too erratic and opaque for me. When it works we are happy; when it fails - and it fails way too often - we are left googling sparse and stern documentation.

This new error "Stderr: VBoxManage.exe: error: Could not rename the directory" could be fixed only after LOTS of googling and trial and error, by giving the VirtualBox machine a fixed name in the Vagrantfile:

Vagrant.configure("2") do |config2|
  # ... (other config)
  config2.vm.provider :virtualbox do |vb|
    vb.name = "jkstest"
  end
end

This should be added just after the config.vm.box_url clause, and BEFORE any customize.

How frustrating.

Despite this settings, my VB is created in C:\Users\myuser\VirtualBox VMs\workspaceJKS_1377339021, rather than in the jkstest folder.

The original error message was:
There was an error while executing `VBoxManage`, a CLI used by Vagrant
for controlling VirtualBox. The command and stderr is shown below.

Command: ["modifyvm", "3a81f6e5-ba5a-438b-85a8-501a63a3a053", "--name", "trunk_1377853840"]

Stderr: VBoxManage.exe: error: Could not rename the directory 'C:\Users\pippo\VirtualBox VMs\acme-basebox' to
'C:\Users\pippo\VirtualBox VMs\trunk_1377853840' to save the settings file (VERR_ACCESS_DENIED)
VBoxManage.exe: error: Details: code E_FAIL (0x80004005), component SessionMachine, interface IMachine, callee IUnknown
VBoxManage.exe: error: Context: "SaveSettings()" at line 2527 of file VBoxManageModifyVM.cpp

In fact, there was another VBox running which had been created with the name "acme-basebox" (this is the setting vb.name = "acme-basebox"). Shutting down this machine allowed me to start the other without the above-mentioned hack.

Friday, August 23, 2013

Display JKS content in Python (WLST)

from java.security import KeyStore
from java.security import MessageDigest
from java.io import FileInputStream
from java.lang import StringBuffer

def hexify(bytes):
    # render a Java byte[] as colon-separated hex, the way keytool prints fingerprints
    hexDigits = ['0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'A', 'B', 'C', 'D', 'E', 'F']
    buf = StringBuffer()
    for i in range(len(bytes)):
        buf.append(hexDigits[(bytes[i] & 0xf0) >> 4])
        buf.append(hexDigits[bytes[i] & 0x0f])
        if i < len(bytes) - 1:
            buf.append(':')
    return buf.toString()

# filestore is the path of the JKS file, password its store password (set by the caller)
ks = KeyStore.getInstance("JKS")
ks.load(FileInputStream(filestore), password)
# MD5 is enough to recognise an entry; use "SHA-256" if the fingerprint is to be trusted
md = MessageDigest.getInstance("MD5")

for item in ks.aliases():
    print "alias", item, "isCertificate", ks.isCertificateEntry(item)
    if ks.isCertificateEntry(item):
        cert = ks.getCertificate(item)
        der = cert.getEncoded()
        print hexify(md.digest(der))

Inspired by

Javadoc: MessageDigest , KeyStore, Certificate, Key

Display JKS content in Windows (keytool)

There is an excellent plugin for Eclipse:

I was bored of always running the command line

keytool -keystore BLA -list

Thursday, August 22, 2013

OSB transaction required

The advantage of setting "transaction required" for your Proxies is that the incoming request will start a transaction and set the default quality of service to <con:qualityOfService>exactly-once</con:qualityOfService> instead of <con:qualityOfService>best-effort</con:qualityOfService>. You can examine $inbound, where you will find this setting.

Subsequent Publish or Route will use this same Quality Of Service, instead of the default which is "best-effort".

Monday, August 19, 2013

FileListDAO::Unable to pickup

We use HAFileAdapter to read files from a shared folder. Occasionally we find in the logs

FileListDAO::Unable to pickup [BLA], this error will ignored

Two Managed Servers have detected the file at the same time with their FilePoller, so both of them rush to get the exclusive lock on the file by updating the table FILEADAPTER_IN to set PROCESSED = 1; only one of them gets it, the other gets no lock and logs a warning saying "I was unable to get the lock". This is not an issue; actually it should not even be a warning at all, since it's meant to work that way.

This is done in FileListDAO: public boolean claimLock(FileInfo fileInfo)
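The race described above, reproduced on an in-memory SQLite table, as an added example (not the HAFileAdapter's own code): both pollers register the file, both try to claim it, and exactly one UPDATE wins because the WHERE clause requires PROCESSED to still be 0. Only the table name FILEADAPTER_IN and the PROCESSED flag come from the post; the FILE_NAME and CLAIMED_BY columns, the server names and the sample file are constructed for the example.

```python
"""Added example: compare-and-set claim of a file row, the pattern behind
FileListDAO.claimLock.  Not Oracle's code; schema partly assumed."""
import sqlite3


def create_schema(conn):
    conn.execute(
        "CREATE TABLE FILEADAPTER_IN ("
        " FILE_NAME TEXT PRIMARY KEY,"      # assumed column name
        " PROCESSED INTEGER NOT NULL DEFAULT 0,"
        " CLAIMED_BY TEXT)"                 # assumed, for illustration only
    )


def register_file(conn, file_name):
    """Both pollers notice the same new file; INSERT OR IGNORE keeps one row."""
    conn.execute(
        "INSERT OR IGNORE INTO FILEADAPTER_IN (FILE_NAME, PROCESSED) VALUES (?, 0)",
        (file_name,),
    )
    conn.commit()


def claim_lock(conn, file_name, server_name):
    """Flip PROCESSED 0 -> 1 in ONE statement whose WHERE requires it to be 0.
    Exactly one caller sees rowcount == 1; the others get 0 and must skip the
    file.  A SELECT followed by a separate UPDATE would be a check-then-act
    race and could let two servers process the same file."""
    cur = conn.execute(
        "UPDATE FILEADAPTER_IN SET PROCESSED = 1, CLAIMED_BY = ?"
        " WHERE FILE_NAME = ? AND PROCESSED = 0",
        (server_name, file_name),
    )
    conn.commit()
    return cur.rowcount == 1


def simulate_two_pollers(file_name="BLA"):
    """Two managed servers race for the same file.
    Returns (ms1_got_lock, ms2_got_lock, owner_recorded_in_table)."""
    conn = sqlite3.connect(":memory:")
    create_schema(conn)
    register_file(conn, file_name)
    register_file(conn, file_name)          # second poller saw it too
    got_ms1 = claim_lock(conn, file_name, "osb_ms1")
    got_ms2 = claim_lock(conn, file_name, "osb_ms2")
    owner = conn.execute(
        "SELECT CLAIMED_BY FROM FILEADAPTER_IN WHERE FILE_NAME = ?", (file_name,)
    ).fetchone()[0]
    return got_ms1, got_ms2, owner


if __name__ == "__main__":
    ms1, ms2, owner = simulate_two_pollers()
    print("osb_ms1 claimed:", ms1, "| osb_ms2 claimed:", ms2, "| owner:", owner)
    # The loser's "Unable to pickup" is just this False, not a real error.
```

On Oracle the same single-statement UPDATE gives the same guarantee under real concurrency: the second session blocks on the row lock, re-evaluates the WHERE clause once the first commits, and updates zero rows.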

OSB : weblogic datasource suspended

This is the overall story: several JMS Proxy Services (MDBs) use a certain DS (datasource). Each of these Proxies has 16 MDBs created by OSB.
To avoid overloading the DB with too many concurrent requests we sized the Connection Pool (CP) of this DS to 25. Evidently, if there is a burst of activity (JMS) on 2 different Proxy Services, up to 32 MDBs compete for 25 connections, the DS will be overloaded and eventually we get a

weblogic.jdbc.extensions.PoolDisabledSQLException: weblogic.common.resourcepool.ResourceDisabledException: Pool BLA is Suspended, cannot allocate resources to applications...

On the database side, these queries show how close you are to the session and process limits:

select count(*) from v$process;
select count(*) from v$session;
select * from v$parameter where name in ('sessions','processes','transactions');

The only effective workaround I see is associating the same WorkManager, with a Max Threads Constraint of 25, with ALL the JMS Proxy Services that use this DS.


Just a collection of useful links on less-understood topics

what is a SB protocol in OSB?

(this was copied from the Oracle Forum:) The SB transport is primarily used for invocations between different OSB instances where transaction propagation is required. E.g. in an organization, two departments use OSB for hosting their services: Finance services are hosted on the OSB_Fin domain and Marketing services on the OSB_Mar domain. If there is a requirement for transactional communication between the proxies of these two services, then it would be ideal to use the SB transport. It can also be used for routing to local proxies (SB business service without a JNDI provider), in which case the SB transport is optimized for RMI.


how do I use client certificates to secure a HTTP Proxy?

see this excellent tutorial, and a must-read on TLS


should I enable "Transaction Required" in a Proxy?

see explanation here:

Most likely yes, unless you want to set explicitly "Quality Of Service=exactly once" for every Service Callout or Route operation

for an excellent coverage of Transactions in OSB, read


in a JMS Business Service, what is the "Response Queue" for?

a BS can handle synchronous calls to external services using 2 JMS queues (one to send the request, the other to receive the response) as channels. Correlation of the 2 messages is commonly done through JMSCorrelationID.


in a JMS Proxy Service, what is the "Same Transaction For Response" option for?

look at this excellent video

and the "Is Response Required " ?

Friday, August 16, 2013

JSP in a WAR showing maven version

I have googled the planet for a simple solution to displaying the build version of the war project in a JSP.

If you use the war plugin, then you might try resource filtering.

Personally I HATE maven so, after a few failed attempts, I have simply done this and it works magically:

in my JSP I simply read the pom.properties file that Maven writes under META-INF:

<%@ page import="java.util.Properties" %>
<% Properties mavenproperties = new Properties();
   mavenproperties.load(getServletContext().getResourceAsStream("/META-INF/maven/com.acme.common/wlobelix/pom.properties")); %>
obelixversion=<%= mavenproperties.getProperty("version") %>

wlobelix being my artifactId and com.acme.common my groupId, the file META-INF/maven/com.acme.common/wlobelix/pom.properties contains:

#Generated by Maven
#Fri Aug 16 15:38:28 CEST 2013

followed by the version, groupId and artifactId properties. Keep in mind that such a page discloses your exact build version to whoever can reach it, so keep it behind authentication or on an internal URL only.

Monday, August 12, 2013

Quick guide to OPatch

Create a folder /opt/oracle/patches
Copy there your patch zip file (
cd /opt/oracle/patches/16266172
export MW_HOME=/opt/oracle/fmw11_1_1_5/
export ORACLE_HOME=/opt/oracle/fmw11_1_1_5/osb
shut down all wl servers
/opt/oracle/fmw11_1_1_5/oracle_common/OPatch/opatch apply -invPtrLoc /opt/oracle/fmw11_1_1_5/osb/oraInst.loc
restart the domain

I got an error "OPatch failed with error code 73", because opatch could not find the /etc/config/actions.xml file (it lives inside the unzipped patch directory, so check that the zip was fully extracted and that you cd'ed into the right directory).

Multiple definitions of server-group BI-ADF-ADMIN-SVR are not allowed

I have occasionally got this error in the past, while creating an OSB domain. No clue what caused it. Normally I delete everything and restart. Once I find the root cause I will update this post.

I think something in a template is defined twice.

Friday, August 9, 2013

wlst NameError: cd (using WLST as a Jython module)

I am defining a function in a python module
def createMailSession(theMailSessionName, adminName, clusterName):

and I invoke it like this:
from acmelibrary import createMailSession

createMailSession(theMailSessionName, adminName, clusterName)

Much to my dismay, the cd('/') statement works perfectly when invoked in the main script, but not in the library:
NameError: cd


The reason is that the WLST commands are not Python builtins: in all WLST scripts there is a variable WLS (the WLST script context object) whose methods they map to, and in a module you have to pass it as a parameter to createMailSession and call the command on it:

def createMailSession(wls, theMailSessionName, adminName, clusterName):
    wls.cd('/')
A more radical approach is to create a module wl.py that bootstraps the WLST interpreter and loads the WLST commands into the module (this is what the WLST writeIniFile() command generates):
from weblogic.management.scripting.utils import WLSTUtil
import sys
origPrompt = sys.ps1
theInterpreter = WLSTUtil.ensureInterpreter();
theInterpreter = None
sys.ps1 = origPrompt
modules = WLSTUtil.getWLSTModules()
for mods in modules:
    execfile(mods.getAbsolutePath())
wlstPrompt = "false"

and in your library module you start with

import wl

at this point your code can do

def createMailSession(theMailSessionName, adminName, clusterName):
    wl.cd('/')

See also

The OSB framework, intercepting an logging all requests

The base issue is that whenever we have a stuck thread, we don't have a means to tell which Proxy Service it was processing. This is a sample StackTrace:

"[STUCK] ExecuteThread: '27' for queue: 'weblogic.kernel.Default (self-tuning)'" RUNNABLE native Method)
 sun.reflect.GeneratedMethodAccessor645.invoke(Unknown Source)
 $Proxy140.sendMessageAsync(Unknown Source)
 sun.reflect.GeneratedMethodAccessor645.invoke(Unknown Source)
 $Proxy125.sendMessageAsync(Unknown Source)
 sun.reflect.GeneratedMethodAccessor645.invoke(Unknown Source)
 $Proxy125.sendMessageAsync(Unknown Source)

We vaguely understand that (bottom to top):

this was a HTTP Proxy, since at transport level it's initiated by a ServletRequest

after a LOT of layers of transport- and security-related processing, we reach the core RouterManager.processMessage() method. We understand that the RouterManager is the core of the Proxy Message Flow processing.

the RouterManager creates a RouterContext, which contains a reference both to the MessageContext
public MessageContext getMessageContext();
and to the ProxyService:
public ProxyService getProxyService();
these 2 classes identify both the message (messageId) and the proxy being invoked.

a static call to MessageProcessor.processRequest(RouterContext context) will then deal with getting the right Pipeline and pushing the message through the Message Flow (Router, PipelineContextImpl, PipelineStage....).

The problem is that there is no means to grab a reference to a collection of the running messages with associated proxy. We can't even override the implementation of these classes, because OSB doesn't use Dependency Injection, and implementations are instantiated with a new().

The only way to log the messages being processed is either to use some instrumentation to intercept the static MessageProcessor.processRequest(RouterContext context) call (like BTrace), or to explicitly call a Java Callout / Custom XPath at the beginning of each Proxy, logging to a file the Thread Name, the Proxy Service and the messageId.

Caveat: if you use a Route node, the thread used to process the response is different from the one used for the request. You should then also intercept MessageProcessor.processResponse().

I have also been thinking of storing all that info (messageID, proxy) in a ThreadLocal variable, and use log4j MDC to log that info in the WebLogic logs. But again this requires a Java Callout.

One could also change the thread name by appending the Proxy Name

See also

Tuesday, August 6, 2013

PL/SQL: using INSTR and SUBSTR is a lot faster than REGEXP_SUBSTR

Given this labels string:
"InterfaceID=Common_NCRS;TechnicalMessageID=Common_NCRS^ACMEPreOrder.quote_order^5505352925343722746--4337ac89.1404f3a3d07.-8bc;EventType=InvokedACME;PathOfService=Commons_NCRS/ProxyServices/Common_NCRS_PS;EventOccuredOn=2013-08-05T18:17:59.470+02:00;BusinessID=DE11PC089^d3a59751-38e4-eed5-7bf7-4f45592a9d18;ServerName=osbpr1ms2" and this labelname "EventOccuredOn", the following function extracts the value "2013-08-05T18:17:59.470+02:00":

create or replace
FUNCTION ACME_findLabelValue
  (labels IN VARCHAR2, labelname IN VARCHAR2 ) return VARCHAR2
IS
BEGIN
  return REPLACE(REGEXP_SUBSTR(labels, labelname || '=[^;]+'), labelname || '=', '');
END;
/

Performance was abysmal. I have replaced it with this much faster function, which uses plain INSTR and SUBSTR. One caveat that applies to both versions: the label name is matched as a bare substring, so looking up "MessageID" would also hit "TechnicalMessageID="; if your label names can be suffixes of one another, search for ';' || labelname || '=' in ';' || labels instead.

create or replace
FUNCTION ACME_findLabelValue
  (labels IN VARCHAR2, labelname IN VARCHAR2 ) return VARCHAR2
IS
  v_delimpos1 PLS_INTEGER;
  v_delimpos2 PLS_INTEGER;
  labels2 VARCHAR2(4000);
BEGIN
  v_delimpos1 := INSTR(labels, labelname || '=' );
  if v_delimpos1 > 0 then
    -- everything after "labelname="
    labels2 := SUBSTR(labels, v_delimpos1 + 1 + LENGTH(labelname));
    v_delimpos2 := INSTR(labels2, ';' );
    if v_delimpos2 > 0 then
      return SUBSTR(labels2, 1, v_delimpos2 - 1);
    else
      return labels2;  -- last label in the string, no trailing ';'
    end if;
  else
    return '';
  end if;
END;
/

Monday, August 5, 2013

Associative Arrays in PL/SQL

When splitting/parsing strings in PL/SQL, using REGEXP can be too computationally expensive.
Parsing a delimited string can be done more effectively with SUBSTR, INSTR and associative arrays (a PL/SQL table indexed by VARCHAR2, which gives you a label -> value map).
Most of my inspiration is coming from this post.


DECLARE
  TYPE MSG_LABELS_TYPE IS TABLE OF VARCHAR2(400) INDEX BY VARCHAR2(50);
  INPUT_STRING VARCHAR2(4000);
  v_delimpos1 PLS_INTEGER;
  v_delimpos2 PLS_INTEGER;
  p_delim1 VARCHAR2(1);
  p_delim2 VARCHAR2(1);
  v_label varchar(50);
  v_value varchar(400);
  v_result MSG_LABELS_TYPE;
BEGIN
  INPUT_STRING := 'InterfaceID=ACMEPIPPOConnector;TechnicalMessageID=ACMEPIPPOConnector^INVOICE^f6de3e52000001404d914d04ffff847a^7-382734;EventType=ACMEMessage For PIPPO Posted;PathOfService=ACME_CommonServices/ProxyServices/ACMECommonServices_NESOA_to_PIPPO_PS;EventOccuredOn=2013-08-05T10:22:11.765+02:00;BusinessID=7-382734;ServerName=osbpr1ms3';
  p_delim1  := ';';
  p_delim2  := '=';
  -- make sure the last pair is terminated too, otherwise it is never parsed
  IF SUBSTR(INPUT_STRING, -1) <> p_delim1 THEN
    INPUT_STRING := INPUT_STRING || p_delim1;
  END IF;
  v_delimpos1 := INSTR(INPUT_STRING, p_delim1);
  while v_delimpos1 > 0 and LENGTH(INPUT_STRING) > 1
  loop
    -- label is up to the first '=', value is up to the next ';'
    v_delimpos2 := INSTR(INPUT_STRING, p_delim2);
    v_label := SUBSTR(INPUT_STRING, 1, v_delimpos2 - 1);
    v_value := SUBSTR(INPUT_STRING, v_delimpos2 + 1, v_delimpos1 - v_delimpos2 - 1);
    v_result(v_label) := v_value;
    -- consume the pair just parsed
    INPUT_STRING := SUBSTR(INPUT_STRING, v_delimpos1 + 1);
    v_delimpos1 := INSTR(INPUT_STRING, p_delim1);
  end loop;
  dbms_output.put_line('InterfaceID ' || v_result('InterfaceID'));
  dbms_output.put_line('TechnicalMessageID ' || v_result('TechnicalMessageID'));
  dbms_output.put_line('EventType ' || v_result('EventType'));
  dbms_output.put_line('PathOfService ' || v_result('PathOfService'));
  dbms_output.put_line('EventOccuredOn ' || v_result('EventOccuredOn'));
  dbms_output.put_line('BusinessID ' || v_result('BusinessID'));
  dbms_output.put_line('ServerName ' || v_result('ServerName'));
END;
/

More info on Collections here.
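The same label-string parsing as the two PL/SQL posts above (the single-label lookup of ACME_findLabelValue and the full parse into an associative array), written in Python as an added example (not the production PL/SQL) so the edge cases can be checked quickly: a label that is the last one with no trailing ';', a value that itself contains '=', an empty value, and the prefix trap where looking up "MessageID" must not match "TechnicalMessageID". The sample string is the one quoted in the REGEXP post; nothing else is taken from the original.

```python
"""Added example: label-string parsing with the edge cases the PL/SQL
versions have to get right.  Not code from the original posts."""

# Constructed from the example quoted in the post above.
SAMPLE_LABELS = (
    "InterfaceID=Common_NCRS;"
    "TechnicalMessageID=Common_NCRS^ACMEPreOrder.quote_order^5505352925343722746--4337ac89.1404f3a3d07.-8bc;"
    "EventType=InvokedACME;"
    "PathOfService=Commons_NCRS/ProxyServices/Common_NCRS_PS;"
    "EventOccuredOn=2013-08-05T18:17:59.470+02:00;"
    "BusinessID=DE11PC089^d3a59751-38e4-eed5-7bf7-4f45592a9d18;"
    "ServerName=osbpr1ms2"
)


def parse_labels(labels, pair_delim=";", kv_delim="="):
    """Equivalent of the associative-array loop: split on ';', then split
    each pair on the FIRST '=' only, so a value containing '=' survives.
    The last pair is handled whether or not the string ends with ';'."""
    result = {}
    for pair in labels.split(pair_delim):
        if not pair:                        # trailing ';' or an empty ';;'
            continue
        label, sep, value = pair.partition(kv_delim)
        if not sep:
            raise ValueError("label without %r: %r" % (kv_delim, pair))
        result[label] = value
    return result


def find_label_value(labels, labelname, pair_delim=";", kv_delim="="):
    """Equivalent of ACME_findLabelValue, but anchored: the label must start
    at the beginning of the string or right after ';', so INSTR-style
    matching of 'ID=' cannot hit 'InterfaceID='.  Returns '' when absent."""
    needle = pair_delim + labelname + kv_delim
    haystack = pair_delim + labels          # lets the first label anchor too
    pos = haystack.find(needle)
    if pos < 0:
        return ""
    start = pos + len(needle)
    end = haystack.find(pair_delim, start)
    return haystack[start:] if end < 0 else haystack[start:end]


if __name__ == "__main__":
    for label, value in parse_labels(SAMPLE_LABELS).items():
        print("%-20s %s" % (label, value))
    print("lookup:", find_label_value(SAMPLE_LABELS, "EventOccuredOn"))
```

If you need the same guarantees in PL/SQL, the INSTR search becomes INSTR(';' || labels, ';' || labelname || '=') and the loop needs the trailing-delimiter check shown in the anonymous block above.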

Sunday, August 4, 2013

Escaping strings in Java or Groovy

Working with Strings in Java is a pain, because Java does its best to prevent you from using characters like " or \ in a string.

Escaping is a pain but there is no way around it - apart from ditching Java in favor of Groovy which is a lot more flexible.

Either you use apache commons library escapeJava(), or Groovy escapeUtils , or just write a little function:

def escapeString(theString) {
    // backslashes are doubled, double quotes become single quotes, and newlines
    // are turned into a Java string concatenation so the result can be pasted into source
    return theString.replace('\\', '\\\\').replaceAll('"', "'").replaceAll('\n', '" +\n"')
    //this is the list of all replace you need to implement: {"'", "\\'"}, {"\"", "\\\""}, {"\\", "\\\\"},{"/", "\\/"}
}

and good luck.

Saturday, August 3, 2013

The picture of Dorian Palm

Today I have received by mail another Palm Treo 650, to be ready to replace my current Treo, which is falling apart.... the only "smart" phone I like. I hate iPhones and the like. I like a cartesian interface, bare-bone features and, most of all, a mechanical keyboard.
I bought the first (a Treo 600) some 10 years ago, when I was a wealthy, healthy man with a lot of dreams for the future.
Ever since, I have suffered several MAJOR blows: I have been betrayed by the woman I loved and whose child I had supported through a costly education... I have almost lost the use of my legs to orthopedic problems, and gained permanent arthritis... a herniated disk is torturing me... I have been robbed by a guy who won my confidence and then fled to Peru with my money (he was later sentenced to 6 months in jail, but he will never have to pay)... most of all, I have totally lost confidence in humanity, and I am deeply disillusioned about humans, and willing never to trust one of them again.

So, comparing the 2 phones, it's as if I were seeing myself in a mirror: on the left the man I used to be, on the right the one full of scars and missing pieces, still miraculously working.... I will never throw it away, even if it should fail altogether.

Friday, August 2, 2013

copy and paste not working (or only intermittently) in Firefox 22

It literally drove me crazy for several weeks, until I installed Firefox 23 beta. I am a happy man again now.