English Pages 36 Year 2007
THE LEADING MAGAZINE FOR ENTERPRISE AND IT MANAGEMENT
JUNE/JULY 2007 VOLUME 5 ISSUE 4
OFFICES
SYS-CON MEDIA, 577 Chestnut Ridge Rd. • Woodcliff Lake, NJ 07677
Telephone: 201 802-3000 • Fax: 201 782-9600
Enterprise Open Source Magazine (ISSN# PENDING) is published monthly (12 times a year) by SYS-CON Publications, Inc. Postmaster send address changes to: ENTERPRISE OPEN SOURCE MAGAZINE, SYS-CON MEDIA • 577 Chestnut Ridge Rd. • Woodcliff Lake, NJ 07677
Copyright © 2007 by SYS-CON Publications, Inc. All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy or any information, storage and retrieval system, without written permission. For promotional reprints, contact reprint coordinator. SYS-CON Publications, Inc., reserves the right to revise, republish and authorize its readers to use the articles submitted for publication. All brand and product names used on these pages are trade names, service marks, or trademarks of their respective companies.
Do You Grok Open Source?
By Mark Hinkle
Science fiction writer Robert Heinlein, in the 1961 science fiction novel Stranger in a Strange Land, coined the term “grok.” In the story the word was part of the Martian language:
‘Grok’ means to understand so thoroughly that the observer becomes a part of the observed – to merge, blend, intermarry, lose identity in group experience. It means almost everything that we mean by religion, philosophy, and science – and it means as little to us (because we are from Earth) as color means to a blind man.
Today, many people use the term grok synonymously with understand. To grok is much more. The true meaning is lost on many people, people who may have heard of the term without reading any Heinlein. Fortunately, most of the participants in the open source community truly grok open source.
Open source owes its success to a large group of people who have a shared set of values about which they feel strongly. Mainstream society probably lacks any real understanding of the things that matter to them in the world of open source. It’s ironic that the term came from a fictitious Martian language. Most people not in the know look at devoted open source developers as if they hailed from the red planet.
Their first question is indubitably: “Why would highly skilled people give away the fruit of their difficult labor?” Followed by, “If it’s free, can it be any good?”
I suspect many of the people who ask that question have, at some point, participated in a service organization of some sort. I wonder if anyone asked them why they donated time to the local Rotary Club or spent their time helping to build houses for the local Habitat for Humanity.
Maybe the comparison doesn’t hold up, as some people might not equate the nobility of sheltering those without homes or providing educational opportunities with the same degree of altruism as giving away software.
What if that software helped provide affordable computers to children in developing nations? Or made it possible for small businesses to become profitable where they otherwise couldn’t be competitive? What if that software was used to analyze trends that educate us about global warming or conduct analysis to help cure terminal illnesses? Does that put open source developers on equal footing with accountants and bankers building single-family homes on the weekend?
Not every open source project is noble. Often it’s just the best way for a software engineer or group of engineers to solve a problem, leveraging the work of others and drawing improvements from colleagues.
Why do I care whether people get the nuances of the open source community? A recent IDG report, “Open Source Business Models 2007-2011 Forecast,” attributed the size of the open source market in 2006 to be $1.8 billion dollars with revenue reaching $5.8 billion in 2011. That’s a lot of suits mingling with the free software guys and there’s bound to be a collision between factions.
About the Author
Mark R. Hinkle, editor-in-chief of Enterprise Open Source Magazine, is the vice president, Community and Business Development at Zenoss Inc. He serves as a founder of the Open Management consortium and is the author of “Windows to Linux Business Desktop Migration” (Charles River Media).
These new participants are entering a community built on certain customs and a code of conduct. They have built this community using a common set of values that have spawned the Linux kernel and the Apache Web server. These are important technologies that could only have accomplished their success in this global transparent ecosystem.
Michael Tiemann, the founder of perhaps the first open source software company, Cygnus Solutions, and now president of the Open Source Initiative (OSI), made a statement showing his commitment to the “stewardship” of the open source brand and chiding some of these commercial open source newcomers. In a stern blog post he called out certain companies for what he interprets as a misuse of the Open Source Definition and the open source “brand”:
Open Source has grown up. Now it is time for us to stand up. I believe that when we do, the vendors who ignore our norms will suddenly recognize that they really do need to make a choice: to label their software correctly and honestly, or to license it with an OSI-approved license that matches their open source label.
While the Open Source Initiative has little formal power, its approval of your open source software license carries considerable weight within the open source ranks.
I know the struggles of developing commercial in open source companies all too well. I have had the opportunity to help bring commercial, proprietary software to market with limited success. I also had the opportunity to partially open source software under a pseudo open source license (which lacked OSI approval). Currently I am the VP of Community and the open source conscience for Zenoss, Inc. (www.zenoss.com), a developer of a purely open source (GPL-licensed) systems management tool. My experience has shown that the greatest success has to go to the purist of the potential solutions.
Let me offer these parting words of advice based on my own experience and observations. Within the open source ecosystem there exists a certain open source karma. History tells us that companies that have good open source practices and community participation flourish. Paragons include Red Hat, MySQL, and even Sun (whose fortunes are turning on the heels of open source Java and OpenSolaris initiatives). A word to the wise: as you join the open source community, snake oil salesmen and hucksters need not apply, it’s a transparent society and while you don’t need to necessarily grok open source, you need to respect and understand the values of open source to be successful.
Additional Resources
• “Will the Real Open Source CRM Please Stand Up?” Michael Tiemann, Open Source Initiative Blog: http://www.opensource.org/node/163
• “Open Source Software Business Models 2007-2011 Forecast: A Preliminary View”: http://www.idc.com/getdoc.jsp?containerId=prUS20711507
This article is licensed under the Creative Commons Attribution 3.0 License.
marketplace
The Customer Is Listening
It’s critical to listen to the customer first and remember – they are listening to us
by Dominic Sartorio
There’s been a lot of public discussion recently about what it means to be open. While the OSI has published the Open Source Definition, which lists 10 attributes of what it means to be “open source,” commercial entities have emerged that are described as “hybrid” models. Many companies offer a version of a product that’s sold under an OSI-approved license and another version under a commercial license. Others sell and support products that meet some but not all of the 10 attributes. These companies purport to be “open” without meeting this strict definition, leading to a spirited debate about what it means to be open in an evolving market.
Meanwhile, commercial open source is clearly coming of age, as was evident by the breadth of successful open companies at this year’s OSBC in San Francisco. I exhibited there and can attest to the positive energy and optimism, more than I’ve seen in a trade show in years. The quality of companies and people both exhibiting and attending was outstanding, with many excellent panel sessions and show floor conversations about how and why open source businesses are succeeding. Open businesses are truly taking the world by storm, making further and further inroads into markets formerly dominated by proprietary alternatives. Consequently, with the stakes increasing, the debate over what it means to be “open” has been raging. Many thought leaders and industry pundits have weighed in, expressing their support of one viewpoint and outrage at the other.
While our debates about definitions rage on, the customer is listening. Not because they care as much about what open source business model a particular vendor uses but because our debates give them reason to be confused by the FUD that’s out there.
About the Author
Dominic Sartorio is president of the Open Solutions Alliance.
Listening to Them (the Customer)
When it comes right down to it, being in the software and services business is about delivering customer value. In the universe of open source software, there’s certainly been discussion about preventing customer lock-in, for example, but as open source matures and is increasingly considered by CIOs, there’s a broad array of practical real-world issues that have to be addressed to both deliver value to the customer and provide the opportunity for vendors to grow their business regardless of where they fall on the “hybrid” spectrum of open source definitions.
As president of the Open Solutions Alliance, I admit it’s been difficult to focus solely on customer value the last couple months because of the definitions debate. Multiple members of the OSA have suggested that the OSA “take a stand,” and many people have asked for the OSA’s position on openness.
The OSA’s position on such issues will always be based on what is best for customers looking to adopt open solutions. The Alliance was founded with this principle in mind, and its efforts and activities will always have this pragmatic goal. The OSA is focused on specific initiatives that give us the opportunity to hear directly from customers who have adopted open solutions or are considering deployments, and deliver value to their endeavors, specifically around interoperability.
Customer requirements can vary greatly, depending on the industry, IT best practices, type of solution in question, and the skills and know-how required to implement them. Companies that serve different market segments must evolve their business models to meet the requirements of that segment. Some may be more services-intensive, requiring frequent code customization, for example. Others may be strictly regulated in a manner that dictates how licensing and IP is managed. Because open source, especially in the applications space, is still relatively new, we think there’s room for experimenting to see what business models are best for customers. For this reason, OSA hasn’t limited its membership based on which business models we think are best. We’d rather let customers decide that. Ultimately, successful customer experiences will tell us which business models work best.
What We Hear (from Customers)
So, what do customers want? Several of OSA’s members have held CIO councils or met with the CIOs of their customers, and we’ll continue to do that in the future. While many of them can be classified as “early adopters” of open source, since all of them use open source products in their organizations, they’re also well connected to mainstream audiences that may not have adopted as many Open Source Software (OSS) and solutions as they have. The feedback has been remarkably consistent.
First, business customers often look for evidence of other customers having been successful with a product before buying it. Proprietary vendors do a good job of marketing their success stories, but many open source companies have not, except for the largest ones like Red Hat. Their concern is that the relatively low volume of “proof points” shows that OSS or open solutions are immature, when in fact the opposite is true. These offerings can be very feature-rich and high-quality, but many open source companies don’t talk about it. They talk more about the virtues of being open, which may well be true, but don’t directly tie to the value that the end customers are trying to extract from these products. Value propositions such as low cost of ownership, supportability, interoperability, and ease of use aren’t discussed as frequently.
Interoperability, in particular, is a frequent pain point. No customer purchases just one solution. They frequently buy multiple, and from different vendors, each of which makes independent decisions regarding which standards to adopt and how to implement them. Frequently the customer is left with the cost of making all the moving parts fit together.
Moreover, the challenge of interoperability is broad and multi-faceted. Issues ranging from user management, to UI integration, to consistent management and monitoring approaches, to data integration are equally important. Most customers also have mixed environments, including both open and legacy proprietary assets, and these must work together. Finally, some non-technical issues arise, such as consistent approaches to managing projects involving multiple vendors, and common support SLAs – it doesn’t help if one vendor has a 24x7 help desk when the other doesn’t. While not technical issues, they represent interoperability issues between different vendors’ business practices and can be equally important to customers.
Finally, we frequently ask our customers what they believe it means to be “open” and the answers are fairly consistent. They believe that access to source code is important because this allows for better customizability and extensibility, and helps prevent lock-in. They also want their licenses to be “clean,” meaning vendors should exhibit “truth in advertising” in their licensing practices, and not adopt licenses that get in the way of customers extracting value from the code they adopt. But the most resounding answer we hear is the ability to work with the vendor as a partner in a spirit of give-and-take to resolve a business problem. Some have told us war stories about one-way interactions where proprietary vendors push products on them and never listen to their evolving needs. Most “open” companies, in their experience, instead welcome working together to solve a problem, as well as feedback and guidance on how to improve their offerings. In short, all view “openness” as a means of helping the customer run their business better and not as an end in itself. Consequently, some are bemused at the debate over what it means to be truly “open” and would prefer more focus on how to deliver better customer value, no matter what “hybrid” model they adopt. All feel there isn’t enough debate over the best approaches to driving adoption and solving customer problems.
The Real Relevance of “Openness”
So, while open businesses are taking the world by storm, there’s more that can be done to achieve greater customer value. What’s been missing so far is collaboration among companies to remove the remaining pain points, notably interoperability. This is a hard problem that no one vendor can unilaterally solve by itself, but is exactly the kind of problem that can be solved through the kind of collective action that made open source products successful in the first place. It’s this spirit of collective action that we should continue to embrace as we move to the next step of the “open” evolution.
This collaborative spirit lives not just in how source code is managed. What’s become apparent through many of my conversations with OSA members and other open vendors is that these aren’t just companies that decided to make their source code available (or, for integrators, to work primarily with open source products), but are taking the spirit of openness and collaboration to heart throughout their business practices. Marketing managers frequently talk about the “four Ps” of their offerings, designed to expose products to prospective customers on their terms, not the vendor’s. Business development managers talk about their more open and collaborative styles of partnering. Product managers talk about their roadmaps and processes for managing their product requirements over time, designed to incorporate frequent and regular input from customers and other external sources (think of PM as a facilitator, not a dictator, of product requirements). In all cases, there’s been a remarkable tone of openness and transparency, a sense of “what you see is what you get,” and the confidence that being open and honest in one’s dealings (and accepting nothing less than the same in return) would result in happier partners and customers. This is a refreshing change of pace from the often secretive one-way communication of proprietary vendors, and greatly facilitates doing business.
This spirit of openness is the core of what the OSA is all about. It was founded to address systemic issues like interoperability that are best solved collectively, and it’s critical that our members operate in an open and collaborative fashion. By choosing to operate this way, we can address some of the toughest challenges in our industry in ways that a proprietary vendor would hardly ever dream of.
Interoperability is a diverse problem, but we also have a diverse membership. Each member claims to have an “itch to scratch” (to borrow a euphemism commonly used to describe why developers contribute to open source projects). The “itch” differs from company to company, but a common theme is that each issue can be solved better through collective effort instead of unilateral initiatives. For management companies, a common “itch” is how to encourage application vendors to expose consistent APIs for administration, management, and monitoring. For business applications, there are several “itches” including data integration, single sign-on, and so forth. For integrators, there’s concern over inconsistent support SLAs and inconsistent use of various standards that enable extending and customizing applications. And so forth. But each member looks to the OSA to foster and facilitate working with other like-minded companies to work through their specific issues.
Consequently, although we don’t split hairs regarding what “open” models are the best, there’s one notion on which we can’t compromise. There’s a difference between “old guard” proprietary organizations and more open collaborative organizations, not just in terms of how they manage their source code, but how they do business. A company’s DNA is either one or the other; they don’t mix. This is hard to quantify, but you know it when you see it when interacting with the management. There are typical markers though. Freely available source and “truth in advertising” licensing practices is a good sign, and one prioritized in our Open Solution Definition (http://tinyurl.com/3y5pp7). So is having public forums for customer feedback. Still there are multiple ways a company can deliver value and still be “open” in how it does business. The critical piece for us to remember is to listen to the customer first and remember – they are listening to us.
LDAP
Using LDAP with OpenLDAP
Creating a directory service using the OpenLDAP directory server
by Deepak Vohra and Ajay Vohra
About the Authors
Deepak Vohra is a Sun Certified Java 1.4 Programmer and a Web developer. Ajay Vohra is a senior solutions architect with DataSynapse Inc.
A directory service is an application(s) that stores, retrieves, and modifies information about network resources such as network users. The actual data is stored in a database; a database service is an abstract layer on top of the database. The Lightweight Directory Access Protocol (LDAP) is a lightweight protocol for accessing directory services. LDAP is based on entries; an entry is a set of attributes identified by a globally unique Distinguished Name (DN). Each of a directory entry’s attributes has a type and one or more values. The attributes in a directory entry’s distinguished name (DN) are arranged in a hierarchy from right to left with the rightmost attribute as the top entry and with the leftmost attribute(s) that are unique to its level called a Relative Distinguished Name (RDN). A DN is a sequence of RDNs. Some examples of attribute types are discussed in Table 1.
Table 1: Attribute Types
Attribute Type    Description
o                 Organization
ou                Organizational unit
uid               Userid
mail              E-mail address
dc                Domain component
cn                Common name
dn                Distinguished name
An entry in a directory is identified by a distinguished name (DN). An example of a directory entry’s distinguished name is:
cn=dvohra,ou=People,dc=example,dc=com
In the example DN, the base entry/root is “dc=example,dc=com.” The relative distinguished name is “cn=dvohra.” LDAP defines operations for adding, searching, modifying, and deleting directory entries. An LDAP server is required to provide a LDAP directory service. OpenLDAP is an open source software package that includes a LDAP directory server (slapd). OpenLDAP is built on top of the Berkeley DB, an embedded database. In this article we’ll create a directory service using the OpenLDAP directory server.
Installing OpenLDAP
Download OpenLDAP for Windows. Double-click on the OpenLDAP application openldap-2.2.29-db-4.3.29-openssl-0.9.8aBDB_ONLY-win32_Setup.exe. The OpenLDAP setup wizard gets started as shown in Figure 1. Click on the Next button.
Accept the license agreement and click on the Next button. Select the default destination, C:\Program Files\OpenLDAP and click on the Next button. Select components BDB tools and OpenLDAP-slapd as NT service and click on Next as shown in Figure 2.
Specify a Start Menu folder and click on Next. Select additional tasks such as “automatically start OpenLDAP NT service after reboot” and “Create a desktop item” and click on Next. Click on the Install button to install OpenLDAP as shown in Figure 3.
Figure 1: OpenLDAP setup wizard
Configuring OpenLDAP
The configuration for a slapd server is specified in the slapd.conf configuration file. Configuration information comes in three types: global, back-end and database. The configuration information is specified with directives; the global directives precede the back-end directives that precede the database directives.
The global directives apply to all back-ends and database types. Some of the commonly used global directives are discussed in Table 2.
Table 2: Global Directives
Directive      Description
loglevel       Specifies the level at which debug information and other statistics are logged. A value of -1 enables all debugging and 0 disables debugging.
idletimeout    Specifies the number of seconds after which an idle connection is closed.
sizelimit      Specifies the maximum number of entries to return from a search operation. Default value is 500.
timelimit      Specifies the maximum number of seconds spent on a request. The default value is 3600.
Back-end directives specify a back-end and apply to all database instances in a back-end. The commonly used back-end directive is as follows:
backend
The back-end directive specifies a back-end declaration. Some of the back-end types are bdb (Berkeley DB transactional back-end) and sql (SQL programmable back-end).
Database directives specify information about a database instance. Some of the commonly used database directives are discussed in Table 3.
Table 3: Database Directives
Directive            Description
database             Specifies a database instance declaration. Some of the types are bdb and sql.
readonly {on|off}    Specifies a read-only database.
rootdn               Rootdn specifies a super-user DN that may bypass directory access and administrative restrictions.
rootpw               Specifies the password for rootdn DN.
directory            Specifies the directory in which the Berkeley DB database files are located.
suffix               Also known as ‘root’ or ‘base,’ specifies the topmost entry in a DIT (Directory Information Tree).
Figure 2: Selecting OpenLDAP components
Next, we’ll modify the directives in the slapd.conf file in the C:\Program Files\OpenLDAP directory of the OpenLDAP server we installed earlier. The database directive is already set to bdb for the Berkeley DB database. Set the suffix, rootdn, and rootpw as shown in following listing:
database   bdb
suffix     "dc=example,dc=com"
rootdn     "cn=Manager,dc=example,dc=com"
rootpw     openldap
directory  ./data
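The slapd.conf listing above stores rootpw in cleartext, so anyone who can read the file obtains the super-user password. The following Python sketch is an added example, not code from the original article: it scans slapd.conf text for cleartext rootpw values and proposes a salted {SSHA} replacement, the format OpenLDAP's slappasswd utility generates. The function names and the sample fragment are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os
import shlex

# Scheme prefixes that mark a rootpw value as already hashed.
HASH_PREFIXES = ("{SSHA}", "{SHA}", "{SMD5}", "{MD5}", "{CRYPT}")

# Constructed sample: the article's database section plus one global directive.
SAMPLE_CONF = '''\
# constructed sample slapd.conf fragment
loglevel  0
database  bdb
suffix    "dc=example,dc=com"
rootdn    "cn=Manager,dc=example,dc=com"
rootpw    openldap
directory ./data
'''


def ssha_hash(password, salt=None):
    """Return {SSHA} + base64(SHA1(password + salt) + salt), using a random 8-byte salt."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Recompute the salted digest of a stored {SSHA} value and compare in constant time."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # a SHA-1 digest is 20 bytes, the rest is salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def tokenize(line):
    """Split a directive on whitespace, honouring double quotes only, as slapd.conf does."""
    lexer = shlex.shlex(line, posix=True)
    lexer.whitespace_split = True
    lexer.commenters = ""
    lexer.quotes = '"'
    return list(lexer)


def directives(text):
    """Yield (line_number, keyword, args); an indented line continues the previous directive."""
    current = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and current is not None:
            current[2].extend(tokenize(line))
            continue
        if current is not None:
            yield tuple(current)
        tokens = tokenize(line)
        current = [lineno, tokens[0].lower(), tokens[1:]]
    if current is not None:
        yield tuple(current)


def audit_rootpw(text):
    """Return one finding per cleartext rootpw, each with a hashed replacement line."""
    findings, suffix = [], None
    for lineno, keyword, args in directives(text):
        if keyword == "database":
            suffix = None                      # a new database section starts here
        elif keyword == "suffix" and args:
            suffix = args[0]
        elif keyword == "rootpw" and args:
            if not args[0].upper().startswith(HASH_PREFIXES):
                findings.append({
                    "line": lineno,
                    "suffix": suffix,
                    "issue": "rootpw stored in cleartext",
                    "replacement": "rootpw     " + ssha_hash(args[0]),
                })
    return findings


def apply_findings(text, findings):
    """Return the config text with every flagged rootpw line replaced by its hashed form."""
    lines = text.splitlines()
    for finding in findings:
        lines[finding["line"] - 1] = finding["replacement"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = audit_rootpw(SAMPLE_CONF)
    for item in found:
        print("line %(line)d (suffix %(suffix)s): %(issue)s" % item)
    print(apply_findings(SAMPLE_CONF, found))
```

Salted SHA-1 is the scheme slapd accepts in this position; it keeps the password out of the file in readable form but does not replace restricting read access to slapd.conf.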
Creating a Directory
Next, we’ll create a directory in the OpenLDAP LDAP server. For example, create a directory of JDeveloper developers. LDAP entries are represented in the LDAP Data Interchange Format (LDIF) in an .ldif format. The format of an entry in an LDIF file is as follows:
#comment
dn:
:
:
Figure 3: Installing OpenLDAP
Create a jdevDir.ldif file for a directory of JDeveloper developers. A root/base DN was specified in the slapd.conf file with the suffix directive:
suffix "dc=example,dc=com"
In the .ldif file add an entry for the base DN. Each directory entry is identified with a dn attribute. The objectClass attributes specify the type of data, and required and optional attributes in an entry. Object classes form a class hierarchy and some of the commonly used object classes are top, organization, and organizationalPerson. The object classes that may be specified in a directory entry and the attributes that may be specified or have to be specified for an object class are listed in the C:\Program Files\OpenLDAP\schema\core.schema file:
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
dc: example
o: Oracle
Next, add an entry for an organizational unit called jdeveloper under dc=example,dc=com. Directory entries in an LDIF file are separated with a blank line.
dn: ou=jdeveloper, dc=example, dc=com
objectClass: organizationalUnit
ou: jdeveloper
Next, create directory entries for JDeveloper developers under the organizational unit jdeveloper. Attributes sn and cn are required attributes for the object class person. An example directory entry is shown in following listing:
#Steve's Directory Entry
dn: cn=Steve Muench,ou=jdeveloper,dc=example,dc=com
objectclass: top
objectclass: person
objectclass: organizationalPerson
cn: Steve Muench
sn: Muench
title: JDeveloper Developer
The LDIF file jdevDir.ldif is listed in Listing 1. Copy the ldif file to the C:\Program Files\OpenLDAP directory. Next, start the OpenLDAP slapd server with the following command from the OpenLDAP installation directory:
C:\Program Files\OpenLDAP> .\slapd -d 1
OpenLDAP provides the ldapadd tool to add a directory entry. Run the ldapadd command on the jdevDir.ldif file as shown below. The -D argument specifies the bind DN for authenticating the connection to the directory. The -w argument specifies the password for authenticating to the bind DN. The -f argument specifies the LDIF file that contains the directory entries.
C:\Program Files\OpenLDAP>ldapadd -D "cn=Manager,dc=example,dc=com" -v -w openldap -f jdevDir.ldif
Directory entries get added to the LDAP server.
Searching a Directory
The ldapsearch tool is used to search an LDAP directory and display the results in LDIF text format. As directory entries are identified by DNs, directory entries are searched by DNs. As an example, search the directory for DN “cn=Steve Muench,ou=jdeveloper,dc=example,dc=com.” The ldap command to authenticate to the base DN and search the directory entry for DN “cn=Steve Muench,ou=jdeveloper,dc=example,dc=com” is as follows:
>ldapsearch -D "cn=Manager,dc=example,dc=com" -w openldap -b "cn=Steve Muench,ou=jdeveloper,dc=example,dc=com"
The -b argument specifies the base DN to search. The output of the ldapsearch operation is listed below.
# extended LDIF
#
# LDAPv3
# base with scope sub
# filter: (objectclass=*)
# requesting: ALL
#

# Steve Muench, jdeveloper, example.com
dn: cn=Steve Muench,ou=jdeveloper,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
cn: Steve Muench
sn: Muench
title: JDeveloper Developer

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
Modifying a Directory
OpenLDAP provides the ldapmodify tool to modify a directory. With the ldapmodify tool a new entry can be added, an entry can be modified, and an entry can be deleted. The modifications to be made can be specified on a command line or in an LDIF file. An LDIF file is recommended for specifying modifications since a large number of modifications can be specified in an LDIF file. As an example add a new entry specified in addEntry.ldif in Listing 2.
Listing 2 addEntry.ldif
dn: cn=Deepak Vohra,ou=jdeveloper,dc=example,dc=com
objectclass: top
objectclass: person
objectclass: organizationalPerson
cn: Deepak Vohra
sn: Vohra
title: JDeveloper Developer
The -a option of the ldapmodify command is used to add a new entry. Run the ldapmodify command as shown below. The LDIF file is specified with the -f option.
ldapmodify -D "cn=Manager,dc=example,dc=com" -w openldap -a -f addEntry.ldif
A new directory entry gets added. A directory entry can also be modified. For example, modify the title in the previously added entry. The directory modifications are specified in an LDIF file as shown in Listing 3.
Listing 3. modifyEntry.ldif
dn: cn=Deepak Vohra,ou=jdeveloper,dc=example,dc=com
changetype: modify
replace: title
title: Oracle DBA
Run the ldapmodify command as shown below.
ldapmodify -D "cn=Manager,dc=example,dc=com" -w openldap -a -f modifyEntry.ldif
The directory entry gets modified.
Next, delete a directory entry. As an example, delete the entry that was added with ldapmodify. Specify the DN of the entry to delete in an LDIF file as shown in Listing 4. The delete operation is specified with changetype: delete.
Listing 4 deleteEntry.ldif
dn: cn=Deepak Vohra,ou=jdeveloper,dc=example,dc=com
changetype: delete
Run the ldapmodify command as shown below:
ldapmodify -D "cn=Manager,dc=example,dc=com" -w openldap -f deleteEntry.ldif
The directory entry gets deleted.
Deleting a Directory
The ldapdelete tool is used to delete directory entries. The DNs for the entries to delete can be specified on the command line or in an LDIF file. As an example delete the directory entry for DN “ou=jdeveloper,dc=example,dc=com.” To delete recursively specify the -r option. The ldapdelete command to delete a directory entry by authenticating to the directory is shown below:
>ldapdelete -D “cn=Manager,dc=example,dc=com” -r -v -w openldap “ou=jdeveloper,dc=example,dc=com”
�����������������������
Non-leafentriesdon’tgetdeletedwiththeldapdeletetool.
�����������������������
Conclusion TheOpenLDAPLDAPserverprovidesadirectoryservicetostoreandmodifyinformation aboutnetworkresourcesinadirectorythat’sstoredintheBerkeleyDB.
Listing1jdevDir.ldif dn: dc=example,dc=com objectClass: top objectClass: dcObject objectClass: organization dc :example o: Oracle
dn: ou=jdeveloper, dc=example, dc=com objectclass: organizationalUnit ou: jdeveloper
#Steve’s Directory Entry dn: cn=Steve Muench,ou=jdeveloper,dc=example,d c=com
EnterpriseOpenSource.SYS-CON.com
objectclass: top objectclass: person objectclass: organizationalPerson cn: Steve Muench sn: Muench title: JDeveloper Developer
#Kimbrley’s Directory Entry dn: cn=Kimbrley Floss,ou=jdeveloper,dc=example ,dc=com objectclass: top objectclass: person objectclass: organizationalPerson cn: Kimbrley Floss sn: Floss title: JDeveloper Developer
framework

Bringing Advanced Transaction Capabilities to Spring Applications
Inversion of control and dependency injection
by Frances Zhao and Paul Parkinson

About the Authors
Frances Zhao is a principal product manager in the Oracle Fusion Middleware team. Her focus is on the core J2EE container.

Paul Parkinson has been working with and developing transaction processing technology for 15 years. His work at Oracle includes the development of the Java Transaction API and Java Transaction Service implementations in the OC4J application server as well as performance and high-availability features, Web Service Transactions, and the transactional aspects of JCA.

The Spring Framework provides a consistent abstraction for transaction management that delivers the following benefits:

• A consistent programming model across different transaction APIs such as JTA, JDBC, Toplink, Hibernate, JPA, and JDO
• Declarative transaction management
• A simple API for programmatic transaction management rather than a number of complex transaction APIs such as JTA
• Integration with Spring’s various data access abstractions.

This article discusses Spring’s transaction management facilities and the common use cases in Spring where an external transaction manager is required. A real-world application is used to illustrate the transactional aspects and features. The focus is on leveraging JTA transaction management in the Spring Framework for enterprise applications. The article shows how Spring’s transaction services can seamlessly expose and interact with a Java EE application server’s transaction manager such as the Oracle Application Server and the OC4JJtaTransactionManager.

A traditional bank account transfer application is used in this article to demonstrate basic Spring principles: the classic distributed two-phase commit transaction use case requiring ACID properties; and Oracle’s extended support for Spring with JTA using Spring’s OC4JJtaTransactionManager. The transfer in the sample application is from a bank account to a brokerage account for the purchase of individual stocks. It includes asset reporting to further illustrate particular transactional aspects and features.

Let’s start with an overview of the related technologies, Spring basics, transactioning basics, and transactioning features in Spring. Then we’ll look at the implementation strategy and use the sample application to show in more detail how they all work together.
Spring Basics and Features

As a Java EE developer, you may be thinking, “Not another framework.” The Spring Framework simplifies development with its modular architecture and handles configuration in a consistent manner. It achieves this simplification by using inversion of control and dependency injection so enterprise functionality can be built into POJOs, making it powerful as well. Spring is a state-of-the-art technology in terms of making Java EE and other existing technologies easier to use. It also provides an abstract level for using JTA or other transaction strategies as well as other J2EE components such as data sources.

Additionally, the Spring Framework can be integrated with different application servers such as Oracle Application Server, BEA WebLogic, and IBM WebSphere.

Spring provides many features. Let’s look at the following major areas in detail.

Inversion of Control Container and Dependency Injection

First, let’s take a look at how to simplify development by using inversion of control and dependency injection.

A main abstraction of inversion of control is the bean factory, which is a generic factory that retrieves objects by name and manages the relationships between objects.

As Rod Johnson explained in his article on the Spring Framework, the concept behind inversion of control is often expressed in the infamous Hollywood principle, “Don’t call me, I’ll call you.” Inversion of control moves the responsibility for making things happen into the framework and away from the application code.

Dependency injection is a form of inversion of control that removes explicit dependence on container APIs. Ordinary Java methods are used to inject dependencies such as collaborating objects or configuration values into application object instances.

Dependency injection is not a new concept, although it’s only recently made prime time in the Java EE community. The definition of dependency injection between the J2EE community and the Spring Framework is the same, but obtained via different mechanisms.

XML Bean Definitions (Application Context)

You can configure your Spring applications in XML bean definition files. In some ways these are similar to the Java EE platform in which you use XML configuration files and XML deployment descriptors to define the relationship of the resources and how they are to be deployed. The root of the XML bean definition is a <beans> element that can contain one or more <bean> definitions.

The following example shows the configuration of the application objects, which is similar to the object relationships we are familiar with in J2EE applications. We will define a J2EE DataSource, bankDataSource; a DAO, bankDAO; and a business object that uses the DAO, assetManagementService. The following examples are from the sample bank account transfer application that shows the relationships between bankDataSource, bankDAO, and assetManagementService.

First, let’s look at the bankDataSource definition in XML format. As shown in the following example, we could use Spring’s JNDI location FactoryBean to get the data source from the Oracle Application Server. (There would be no impact on Java code or any other bean definitions.)
jdbc/bankDataSource
Now, we define the DAO bean that has a bean reference to the bankDataSource. Relationships between beans are specified using the “ref” attribute or element:

The business object, assetManagementService, has a reference to the DAO as in the following example:

ContextLoaderListener and DispatcherServlet

ContextLoaderListener is the bootstrap listener to start up Spring’s root WebApplicationContext when integrating with a J2EE Web container. As the example shows, the J2EE standard web-app descriptor, web.xml, can include a Spring ContextLoaderListener listener that causes the WEB-INF/applicationContext.xml specified by the contextConfigLocation to be loaded by the Spring Framework.

The Spring DispatcherServlet servlet deployed with the servlet-name jta-spring causes the jta-spring-servlet.xml to be loaded by the Spring Framework:

JTA Spring Integration WebApp
contextConfigLocation WEB-INF/applicationContext.xml
org.springframework.web.context.ContextLoaderListener
jta-spring org.springframework.web.servlet.DispatcherServlet 2
jta-spring JTADispatcherServlet

Transactioning Basics

When purchasing stocks from a broker, money is transferred from a bank account to the brokerage. A series of related operations ensures that the stocks are added to the purchaser’s portfolio and the brokerage, in turn, gets the purchase money. If a single operation in the series fails during the exchange, the entire exchange fails. You don’t get the stocks and the broker doesn’t get your money. Transaction processing makes the exchange balanced and predictable even in the face of failures in any of the systems or resources involved.

ACID Properties

Transaction processing systems provide the guarantee of ACID properties. ACID properties include atomicity, consistency, isolation, and durability.

• Atomicity: All changes within the scope of a transaction (the unit of work) are either committed or rolled back. For example, a consumer obtains stocks and a broker receives the payment, or the consumer doesn’t get the stocks and the broker doesn’t get the payment.
• Consistency: The state (data) of the system moves from one valid state to another from the beginning of the transaction to its completion. This applies to both the infrastructure and the applications. For example, in a stock purchase, the integrity constraints that are defined on the database of either the consumer or the brokerage are maintained.
• Isolation: The effects of one transaction aren’t visible to another until the transaction completes. For example, the effects of a stock purchase aren’t visible to an asset report until the purchase is complete.
• Durability: Changes made within the scope of the transaction must be made permanent. For example, the records of the transfer of money to a brokerage account are written to stable storage.

It’s entirely possible to make these guarantees without any supporting infrastructure, but this would require a considerable amount of error-prone and repetitive work by the application developer and generally a less flexible design. Transaction processing systems, and the application servers they run within, provide this service implicitly.

Many transactioning systems and applications allow relaxing one or more of the ACID properties. Often, this is done to provide better performance once a risk assessment has been done and/or an acceptable tolerance established. Isolation is the most commonly relaxed property.
Isolation Levels

An isolation level defines how concurrent transactions that access a shared resource are isolated from one another for read purposes.

Dirty reads, non-repeatable reads, and phantom reads are the three main conditions in which an application reads data in a transaction that has been altered outside of the transaction.

Dirty reads occur when data that has been updated in a transaction (and not yet committed) is read by another transaction. If an asset report is being run while a stock is being purchased and before the purchase (transaction) has committed, the asset report may get a dirty read. For example, if the read came after the debit but before the credit, the result could be a report that doesn’t balance.

Non-repeatable reads occur when a transaction reads data, a second transaction subsequently updates that data, and the first transaction reads the data again after the second transaction’s update. If an asset report is being run while a bank account balance is being updated and the value of the bank account is queried twice during the report for some reason, the bank account values reported may be inaccurate and inconsistent.

Phantom reads occur when a transaction reads a range of data (rows), a second transaction subsequently deletes or inserts data (a row) in this range, and the first transaction reads the range of data again after the second transaction’s delete or insert. If an asset report is being run while a new stock is being purchased (inserted) and the stock purchased detail is queried twice during the report for some reason, the report may be inaccurate. As such, the stock portfolio may be reported inconsistently.

The read issues described may or may not be a concern for an application. Whether it’s a problem or not depends entirely on the business context. For example, if the report is being used for public reporting or in an asset management decision system, the inconsistencies will be unacceptable. However, if used for ad hoc real-time reporting or in some situation where inconsistencies are unlikely, the possible inconsistency may be tolerable. There are also resource and performance costs involved that must be considered in the design of the system. Isolation levels can be used to prevent or allow these situations.

The most common use of isolation levels is when accessing a database. Different vendors have proprietary isolation levels, locking mechanisms, and other behaviors that are well beyond the scope of this article, so we’ll briefly explain only the standard isolation levels defined in the JDBC API. Note that this list is provided in order of the weakest to strongest isolation with an inverse correlation as far as performance is concerned.

• TRANSACTION_NONE: transactions are not supported.
• TRANSACTION_READ_UNCOMMITTED: dirty reads, non-repeatable reads, and phantom reads can occur.
• TRANSACTION_READ_COMMITTED: dirty reads are prevented; non-repeatable reads and phantom reads can occur.
• TRANSACTION_REPEATABLE_READ: dirty reads and non-repeatable reads are prevented; phantom reads can occur.
• TRANSACTION_SERIALIZABLE: dirty reads, non-repeatable reads, and phantom reads are prevented.
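The asset-report scenarios described above, as an added Java simulation (not code from the article). The Store and Reader classes and the balances are constructed for illustration; the sketch covers dirty and non-repeatable reads, not phantom reads.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration: a toy in-memory store, not a real database or JDBC driver.
public class IsolationDemo {

    enum Level { READ_UNCOMMITTED, READ_COMMITTED, REPEATABLE_READ }

    // Committed rows plus the uncommitted writes of one in-flight writer transaction.
    static class Store {
        final Map<String, Integer> committed = new HashMap<>();
        final Map<String, Integer> pending = new HashMap<>();

        void write(String key, int value) { pending.put(key, value); }
        void commit() { committed.putAll(pending); pending.clear(); }
    }

    // The reading transaction (the asset report) at a chosen isolation level.
    static class Reader {
        private final Store store;
        private final Level level;
        private final Map<String, Integer> pinned = new HashMap<>();

        Reader(Store store, Level level) { this.store = store; this.level = level; }

        int read(String key) {
            Integer committedValue = store.committed.get(key);
            switch (level) {
                case READ_UNCOMMITTED:
                    // Sees another transaction's uncommitted write: a dirty read.
                    return store.pending.getOrDefault(key, committedValue);
                case READ_COMMITTED:
                    // Only committed data, but a second read may see a newer commit.
                    return committedValue;
                default:
                    // REPEATABLE_READ: the first value read stays fixed for this reader.
                    // (Real databases get this effect with locks or snapshots.)
                    return pinned.computeIfAbsent(key, k -> committedValue);
            }
        }
    }

    static Store newStore() {
        Store s = new Store();
        s.committed.put("bank", 100);        // constructed sample balances
        s.committed.put("brokerage", 0);
        return s;
    }

    // The report runs after the debit but before the credit and the commit.
    static int reportTotalMidPurchase(Level level) {
        Store s = newStore();
        Reader report = new Reader(s, level);
        s.write("bank", 90);                 // debit, not yet committed
        int total = report.read("bank") + report.read("brokerage");
        s.write("brokerage", 10);            // credit
        s.commit();
        return total;
    }

    // The report reads the bank balance, a purchase commits, the report reads again.
    static int[] readBankTwice(Level level) {
        Store s = newStore();
        Reader report = new Reader(s, level);
        int first = report.read("bank");
        s.write("bank", 90);
        s.write("brokerage", 10);
        s.commit();
        int second = report.read("bank");
        return new int[] { first, second };
    }

    public static void main(String[] args) {
        for (Level level : Level.values()) {
            int[] twice = readBankTwice(level);
            System.out.println(level + ": mid-purchase total=" + reportTotalMidPurchase(level)
                    + ", bank read twice=" + twice[0] + " then " + twice[1]);
        }
    }
}
```

Only the READ_UNCOMMITTED report sees the debit without the credit, and only the REPEATABLE_READ report gets the same bank balance on both reads.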
Local Transactions and JTA Global Transactions

The complexity of a transaction increases with the number of resources the application enlists in the transaction.

A local transaction involves only one resource and the transaction activity is scoped and coordinated locally to the resource itself.

A global transaction may enlist more than one resource manager including multiple databases, message systems, and legacy mainframe systems. To achieve atomic outcomes in the global transaction, coordination between a transaction manager and these resources is required. This coordination is achieved via the distributed transaction protocol defined in the DTP and XA specifications published by the Open Group. The following diagram is a DTP model that illustrates the relationship and interaction between the application, resource managers, and the transaction manager.

[Figure: DTP model. (1) The Application Program (AP) uses resources from a set of Resource Managers (RMs). (2) The AP defines transaction boundaries through the TX interface to the Transaction Manager (TM). (3) The TM and RMs exchange transaction information over XA.]

Applications communicate with the transaction manager to begin and end transactions and enlist resources. When the application requests that a transaction be committed, the transaction manager (such as Oracle Application Server, BEA WebLogic, or IBM WebSphere) coordinates the two-phase commit protocol. The transaction manager mediates between applications and resource managers to delineate the boundaries of units of work. It also performs a termination protocol that communicates the outcome of the transaction to all participants.

A component can begin a JTA transaction programmatically using the UserTransaction interface or it can be started by the EJB container as specified in the transaction-attributes of the EJB’s deployment descriptor.
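The prepare and commit exchange that the transaction manager coordinates, sketched as an added Java example (not code from the article or from any JTA implementation). The ResourceManager interface, the Account class and the balances are hypothetical simplifications; real resource managers are driven through the XA interface.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added illustration: simplified two-phase commit, not the XA or JTA API.
public class TwoPhaseCommitDemo {

    // Hypothetical stand-in for a resource manager enlisted in a global transaction.
    interface ResourceManager {
        boolean prepare();   // phase 1: vote yes (true) or no (false)
        void commit();       // phase 2 when every vote was yes
        void rollback();     // phase 2 when any vote was no
    }

    static class Account implements ResourceManager {
        final String name;
        final List<String> log = new ArrayList<>();
        int balance;                 // committed state
        boolean available = true;    // set to false to simulate a failing resource
        private int pendingDelta;    // work done inside the open transaction

        Account(String name, int balance) { this.name = name; this.balance = balance; }

        void apply(int amount) { pendingDelta += amount; }

        public boolean prepare() {
            // Vote no if the resource is down or the change would overdraw the account.
            boolean ok = available && balance + pendingDelta >= 0;
            log.add(ok ? "prepared" : "vote-rollback");
            return ok;
        }

        public void commit() { balance += pendingDelta; pendingDelta = 0; log.add("committed"); }

        public void rollback() { pendingDelta = 0; log.add("rolled-back"); }
    }

    // The transaction manager's termination protocol over all enlisted resources.
    static boolean complete(List<? extends ResourceManager> enlisted) {
        for (ResourceManager rm : enlisted) {
            if (!rm.prepare()) {
                // One no vote decides the outcome for every participant.
                for (ResourceManager each : enlisted) each.rollback();
                return false;
            }
        }
        for (ResourceManager rm : enlisted) rm.commit();
        return true;
    }

    // Debit the bank and credit the brokerage as one unit of work.
    static boolean transfer(Account bank, Account brokerage, int amount) {
        bank.apply(-amount);
        brokerage.apply(amount);
        return complete(Arrays.asList(bank, brokerage));
    }

    public static void main(String[] args) {
        Account bank = new Account("bank", 100);          // constructed sample data
        Account brokerage = new Account("brokerage", 0);
        System.out.println("transfer 1 committed: " + transfer(bank, brokerage, 10));
        brokerage.available = false;                      // brokerage fails before voting
        System.out.println("transfer 2 committed: " + transfer(bank, brokerage, 10));
        System.out.println("bank=" + bank.balance + " " + bank.log);
        System.out.println("brokerage=" + brokerage.balance + " " + brokerage.log);
    }
}
```

In the second transfer the bank has already voted yes when the brokerage votes no, and the bank's debit is still discarded. A production transaction manager also records its decision on stable storage so it can finish the protocol after a crash between the phases; this sketch omits that.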
Why Spring with JTA Transaction Manager

The transactioning requirements for most applications are met by either a Spring transaction management strategy or a JTA transaction manager in the middle tier. On occasion, applications must support remote calls in which a transaction context is propagated over multiple processes. In this case, using the facilities inherent in the EJB distributed-component model with container-managed JTA transactioning support is appropriate. If you’re looking for a J2EE framework that provides declarative transaction management and a flexible persistence engine, Spring is a great choice. It lets you choose the features you want without the added complexities of EJB.

Like J2EE, Spring provides support for programmatic transaction demarcation. However, a more dynamic application design comes from the use of demarcation specified either by annotation or AOP. These two techniques are illustrated in the example provided; complete details can be found in the Spring documentation.

Another unique and clever Spring feature is the ability to switch from using a local transaction manager (such as a database data source) to a JTA transaction manager. This can be done simply by manipulating a few lines of configuration and using a different PlatformTransactionManager implementation. Migration of this nature (that is, the need to add another resource within the scope of a transaction previously designed for only resource-local transactional work) is common in the extended lifecycle of an application. However, it’s dangerously error-prone in conventional J2EE applications. Note that the data source being used in this scenario must be one that has a contract with the JTA implementation being used to provide enlistment in the global transaction. This is generally the case if the (XA) data source is obtained from the application server using JNDI. This is shown in the example provided by using Spring’s JndiObjectFactoryBean that frees the application code from JNDI dependency.

Most enterprise applications such as high-end financial applications and highly available telecom systems require comprehensive transactional support. By using Spring in tandem with an enterprise JTA implementation, the powerful, and generally proprietary, quality-of-service features present in enterprise JTA implementations and application server environments can be exploited while the application itself retains all of the benefits of Spring previously described. These features include high availability, clustering and grid support, fail-over, peer recovery, non-stop transactioning, integration, interoperability (such as OTS and WS-TX), and monitoring and administration.

Two examples in which Spring has provided support and integration beyond standard JTA are transaction names and per-transaction isolation levels. Due to the complex nature of transactions, in particular global transactions where a number of systems are involved in a single activity, it becomes critical to have meaningful information for administration, monitoring, and debugging. Named transactions provide a way of identifying and grouping transactions by a type. Spring provides the name of the class and method that initiated the transaction as this transaction name identifier. This is very useful, particularly when imported into a transactioning system that can then correlate this information with other data. Suddenly, the enterprise system has a debuggable, holistically monitored transactional business process rather than a cryptic log of Xid byte arrays.

As discussed in the section on isolation levels, it becomes apparent that a number of factors including performance, strict versus relaxed ACID requirements, data representation and usage, and even vendor implementation behaviors dictate that different isolation levels must be used for different cases. This leads to the need for fine-grained control of isolation levels, particularly when connection-related resources are at a premium. Again, this is a case in which littering application code with common API calls, such as setting and resetting transaction isolation levels, is not ideal. Instead, Spring presents a dynamic solution by exposing the per-transaction isolation-level features present in some extended JTA implementations. Spring provides this in exactly the same fashion as transaction demarcation in which demarcation is specified as a “propagation” attribute and the isolation level is specified as an “isolation” attribute. These settings are described in detail in the example application as well as in Spring documentation.

Let’s take a step-by-step look at our sample trading application showing how Spring can be used when an external transaction manager is required.

Let’s use the Oracle Application Server transaction manager as an example that demonstrates the integration of JTA with Spring’s OC4JJtaTransactionManager. The application demonstrates the classic distributed two-phase commit transaction use case requiring ACID properties: the bank account transfer. Funds are debited from one account and credited to another. Either both the debit and credit must occur or neither must occur. In this example, the transfer is from a bank account to a brokerage account to purchase individual stocks. The example includes a very simple MVC-style application consisting of a test controller, financial service, asset management service, and two data access objects representing a bank and a brokerage. Container-managed transactions are used. The example adds additional aspects to this scenario to demonstrate the extended features of the OC4JJtaTransactionManager that include named transactions and per-transaction isolation-level designation.

The following HowToJTASpringController implements the Spring Controller and InitializingBean interfaces. Note that the setFinancial method provides the FinancialService implementation (as specified in applicationContext.xml).
    public class HowToJTASpringController implements InitializingBean, Controller {
        private FinancialService m_financial;

        // Runs the transactional service call and selects the JSP view for the outcome.
        public ModelAndView handleRequest(HttpServletRequest request, HttpServletResponse response)
                throws Exception {
            try {
                FinancialReport financialReport = m_financial.processFinancials();
                request.setAttribute("financialReport", financialReport);
                return new ModelAndView("/jsp/success.jsp");
            } catch (Exception e) {
                request.setAttribute("error", e.getMessage());
                return new ModelAndView("/jsp/error.jsp");
            }
        }

        // The excerpt is cut off here; the two methods below follow the pattern of the service classes.
        public final void afterPropertiesSet() throws Exception {
            if (m_financial == null)
                throw new BeanCreationException("No FinancialService was set. Verify context xml.");
        }

        public void setFinancial(FinancialService financial) {
            m_financial = financial;
        }
    }

The FinancialServiceImpl class implements the Spring InitializingBean interface as well as the FinancialService interface. The setAssetManagement method is called by the Spring Framework, which also provides the AssetManagementService implementation (as specified in applicationContext.xml) using dependency injection. The Transactional class-level annotation (transaction annotation support is specified in applicationContext.xml) designates that business methods of this class, namely processFinancials, have a propagation value of REQUIRED. That is, the methods execute in a transaction if one exists or a transaction is started if none exists. The annotation also specifies that the transaction is to be readOnly and that the isolation level of any connections used in the transaction is set to SERIALIZABLE.

    @Transactional(readOnly = true, propagation = Propagation.REQUIRED, isolation = Isolation.SERIALIZABLE)
    public class FinancialServiceImpl implements InitializingBean, FinancialService {
        AssetManagementService m_assetManagementService;

        // Reports assets before and after a stock purchase within the class-level transaction.
        public FinancialReport processFinancials() {
            AssetReport assetReportBeforeStockPurchase = m_assetManagementService.reportAllAssets();
            StockPurchaseReport stockPurchaseReport = m_assetManagementService.purchaseNewStockAndReport();
            AssetReport assetReportAfterStockPurchase = m_assetManagementService.reportAllAssets();
            return new FinancialReport(assetReportBeforeStockPurchase, stockPurchaseReport,
                    assetReportAfterStockPurchase);
        }

        // Called by Spring after dependency injection; fails fast if the wiring is missing.
        public final void afterPropertiesSet() throws Exception {
            if (m_assetManagementService == null)
                throw new BeanCreationException("No AssetManagementService was set. Verify context xml.");
        }

        public void setAssetManagement(AssetManagementService assetManagementService) {
            m_assetManagementService = assetManagementService;
        }
    }
The AssetManagementServiceImpl class implements the Spring InitializingBean interface as well as the AssetManagementService interface. The setBank and setBrokerage methods are called by the Spring Framework providing the Bank and Brokerage DAO implementations (as specified in applicationContext.xml) using dependency injection. The Transactional method-level annotation (transaction annotation support is specified in applicationContext.xml) designates that the purchaseNewStockAndReport method has a propagation value of REQUIRED. That is, it executes in a transaction if one exists, or a transaction is started if none exists. The annotation also specifies the isolation level of any connections used in the transaction be set to READ_COMMITTED.
Another method-level Transactional annotation designates that the reportAllAssets method has a propagation value of SUPPORTS. That method executes in a transaction if one exists but doesn’t throw an exception or start a transaction if none exists. The annotation also specifies that the noRollbackFor be set to ConcurrencyFailureException.class, which indicates that if a transaction exists and this Spring DAO RuntimeException is thrown, the transaction shouldn’t roll back as a result.

    public class AssetManagementServiceImpl implements InitializingBean, AssetManagementService {
        private Bank m_bank;
        private Brokerage m_brokerage;

        @Transactional(propagation = Propagation.SUPPORTS, noRollbackFor = ConcurrencyFailureException.class)
        public AssetReport reportAllAssets() {
            return new AssetReport(m_bank.selectBalance(), m_brokerage.selectAllStocks());
        }

        @Transactional(propagation = Propagation.REQUIRES_NEW, isolation = Isolation.READ_COMMITTED)
        public StockPurchaseReport purchaseNewStockAndReport() {
            int stockAmount = 10;
            String stockSymbol = "ABC";
            // Debit the bank and credit the brokerage inside one transaction.
            m_bank.updateBalance(m_bank.selectBalanceForUpdate() - stockAmount);
            m_brokerage.insertStock(stockSymbol, stockAmount);
            return new StockPurchaseReport(stockSymbol, stockAmount);
        }

        public final void afterPropertiesSet() throws Exception {
            if (m_bank == null)
                throw new BeanCreationException("No Bank was set. Verify context xml.");
            if (m_brokerage == null)
                throw new BeanCreationException("No Brokerage was set. Verify context xml.");
        }

        public void setBank(Bank bank) {
            m_bank = bank;
        }

        public void setBrokerage(Brokerage brokerage) {
            m_brokerage = brokerage;
        }
    }

The BankImpl class extends the Spring JdbcDaoSupport class and uses the Spring JdbcTemplate to act on the bankDataSource data source.

    public class BankImpl extends JdbcDaoSupport implements Bank {
        public int selectBalance() {
            return getJdbcTemplate().queryForInt("select balance from bank where account = '101'");
        }

        public int selectBalanceForUpdate() {
            return getJdbcTemplate().queryForInt("select balance from bank where account = '101' for update");
        }

        public void updateBalance(int amount) {
            // Bind the value as a parameter instead of concatenating it into the SQL text.
            getJdbcTemplate().update("update bank set balance = ? where account = '101'",
                    new Object[] { Integer.valueOf(amount) });
        }
    }

The BrokerageImpl class extends the Spring JdbcDaoSupport class and uses the Spring JdbcTemplate to act on the brokerageDataSource data source.

    public class BrokerageImpl extends JdbcDaoSupport implements Brokerage {
        public List selectAllStocks() {
            return getJdbcTemplate().queryForList("select * from brokerage");
        }

        public void insertStock(String symbol, int amount) {
            // Parameter binding keeps the symbol from being interpreted as SQL.
            getJdbcTemplate().update("insert into brokerage values (?, ?)",
                    new Object[] { symbol, Integer.valueOf(amount) });
        }
    }

Let’s look at the configuration files. The J2EE standard web-app descriptor web.xml includes a Spring ContextLoaderListener. The ContextLoaderListener causes the WEB-INF/applicationContext.xml specified by the contextConfigLocation context-param to be loaded by the Spring Framework.

The Spring DispatcherServlet servlet deployed with the servlet-name jta-spring causes the jta-spring-servlet.xml to be loaded by the Spring Framework.
JTA Spring Integration WebApp
contextConfigLocation WEB-INF/applicationContext.xml
org.springframework.web.context.ContextLoaderListener
jta-spring org.springframework.web.servlet.DispatcherServlet 2
jta-spring JTADispatcherServlet
index.html
The descriptor jta-spring-servlet.xml contains a bean definition for the HowToJTASpringController, namely the financialService bean named financial (the property name corresponds to the setter in HowToJTASpringController).

The descriptor applicationContext.xml contains bean definitions for the FinancialServiceImpl, AssetManagementServiceImpl, BankImpl, and BrokerageImpl classes. The <tx:annotation-driven> element specifies support for annotation-driven demarcation of transactions.

Finally, the descriptor specifies OC4JJtaTransactionManager as the transactionManager to be used.
jdbc/bankDataSource
jdbc/brokerageDataSource
In this example we’ve discussed how to develop a simple Spring-enabled JTA application using the OC4JJtaTransactionManager to automatically provide named transactions and per-transaction isolation levels.

Summary

Spring aims to make J2EE development easier by using inversion of control as one of its central features. This enables you to develop enterprise applications using simple Java objects that collaborate with each other through interfaces. These beans are wired together at runtime by the Spring Container.

Staying true to assisting enterprise development and filling out its support for the middle tier, Spring offers integration with various J2EE services. It also provides integration with several transaction strategies and supports a variety of transaction scenarios, including integration with enterprise JTA transactioning systems.
integrati�n
WillOpenSourceScaletheWalledGardens oftheCellularNetworkProviders? ��ey’re�i�e�rug�ea�ers���eygety�u����e�t�en�a�ey�upay by Paul Nowak
�
recentlywrappedupan18-monthstintonthebusinesssubcomitteeoftheWirelessWashtenawInitiaitive,aprojecttobringwirelessbroadbandtothecitizensofWashtenawCounty, Michigan.It’spartofagrowingmovementbylocalgovernmenttohelpcitizensparticipatein
today’shigh-speeddatanetworks.
About the Author Paul Nowak first used Linux in 1995 while migrating from Sun to Linux at the University of Michigan. He used Linux in subsequent IT projects including web, telecom, telemetry and embedded projects and is currently CIO of a small professional association based in Washington D.C. [email protected]
June/July 2007
One of the many concepts that came up during the many committee meetings was that of the walled garden. Walled gardens are a common way for a network provider to make some goodies available over its network and then get customers to pay up if they want more open access. Cell phone providers are classic walled gardens...to the point they take services like YouTube and make it unfree, unopen, censored, limited, and community-less. This GigaOM article has more details: http://gigaom.com/2006/11/28/walled-gardenyoutube/. For Verizon’s business model to work with YouTube content, it has to treat it like a drug, get you hooked then make you pay for the part of the service outside the walled garden. Classic.

Lately, I’ve been researching the feasibility of running Linux on any of the several excellent smartphone platforms out there. There’s the long running Treos 650/680/700 that have a lot of units in service and surprisingly consistent internal technology with which to focus an open OS development team on. Developer interest in the platform seems to be growing (link to shadowmite and hack’ndev).

Samsung is also out with what looks like a superb platform and it’s hitting the U.S. market now, the SPH-600. The U.S. version is the BlackJack from Cingular and it’s safe to assume other carriers will be picking it up soon. The phone comes with quad band radio and offers Wi-Fi – although the initial U.S. intro drops Wi-Fi – perhaps Cingular doesn’t want you making voice calls over Wi-Fi.

For the cell phone companies, the ultimate walled garden is voice. You pay for access to the voice network and for your money you get to make calls to certain kinds of phone numbers for a certain number of minutes. What if suddenly you could place a high- or higher-quality call from the same device over Wi-Fi? What if the call was free or a fraction of the cost of your cellular call? What if you could make and take calls anywhere in the world with Wi-Fi? Sounds like a good deal for most of us because I, like many, am in Wi-Fi coverage most of the day as part of work.

Going to a completely open platform like Linux on a Blackjack just to get VoIP-over-Wi-Fi seems like a long way to go but there are a range of other features that come to the fore if you have open phone platforms in an environment that also has PCs running an open OS, open PBXs (Asterisk), and a combination of open and closed wireless networks.

To me, some of the big hitters here are the ability to integrate my voice service across networks. I want my phone to choose the best-quality or lowest-cost network available. That means a phone that may have sophisticated network quality detection (latency, packet drops, bandwidth) and makes a smart choice among available networks. Just that requirement probably means a Wi-Fi-enabled BlackJack not running Windows Mobile. Why? Because such a platform requires low-level integration with the phone network choice. It means that the phone dialer software is no longer connected directly to the phone cellular radio. Between the dialer and the radio is a software layer that’s testing and selecting the voice network automatically (and with manual override). Voice on this phone is not a simple matter from the network selection aspect.

The other big hitter here is the network side of things. How is your incoming call going to be routed? Just to make it real, let’s assume you use a Skype-in or Vonage number as your main number. Neither Skype nor Vonage are open but the point of this example is just to establish that your incoming calls initiate on an IP network of some sort. When the call is incoming it has to be routed to your device via one of several methods – traditional cellular, Skype-over-Wi-Fi, Skype over cellular Internet, or open VoIP-over-Wi-Fi. How is the routing of that call to your phone going to happen? The network doesn’t know which network is currently best for you unless your phone can somehow tell it.

And there you have it. Your phone has to be the device that tells some other device on the network what routes to the phone work and how well they work. This means the phone is going to connect through one of its available networks to an Internet server and send some data to that server to tell that server its options for routing the call.

Where is this server going to sit and what’s going to run in terms of software? It’s probably going to be an industry standard server sitting at a high-quality ISP running a custom version of Asterisk. That’s the best way to support the lowest-cost, highest-quality option you have, which is open VoIP-over-Wi-Fi, and the best way to support the remote status and configuration that your phone is going to need to signal the server. All the other options such as Skype and traditional cellular voice will be options within this infrastructure.

All of this is a leap in level of service and an order of magnitude drop in cost. Are the cellular providers going to like it? No. Can they stop it? Yes. They can lock their phones from being taken over by the open source community. Will they succeed? I don’t know but the question is “what doesn’t run Linux these days?”

Besides the advantages of voice alone, just think what an open PC like a laptop running Ubuntu working in unison with a smartphone running Linux can do. You could sync up your contacts over Bluetooth, Wi-Fi, or wired Ethernet via a cron job that runs in the background. How nice is that? You can download your call history and dispute any bill discrepancies. Want to set up a DUN connection and access the Internet through your phone’s cellular network via Bluetooth when on the road and out of Wi-Fi coverage? Simple, it’s an icon on your desktop and it configures your phone automatically. No need to manually twist knobs on the phone’s preferences then do some knob twisting on the PC to select a network then wait for it all to come together. It can just work.

Trust me on this...the amount of integration that can happen between phone and PC and between phone and Internet hasn’t begun to be scratched. And it won’t until we open up the phones and take a swing at the wall surrounding the cellular networks’ garden.
eclipse

A Low-Cost Cross-Development Environment Using the Eclipse Framework
S�a�ing the barriers
by Brian Handley

The Eclipse development environment has become the de facto industry standard environment in which to host embedded development tools. Many of the traditional embedded tools vendors who used to sell their own proprietary development tools and environments have embraced Eclipse and ported their products to run within it to take advantage of the sophisticated, feature-rich framework it provides.
About the Author Brian Handley is a senior engineer at Macraigor Systems LLC. He has over 20 years of experience working with embedded systems. Brian holds BS in computer science and engineering from MIT. [email protected]
These tools and environments are powerful, but they can still be expensive. For projects on a tight budget, it’s now possible to use the freely available, open source Eclipse IDE along with open source GNU tools (binutils, gcc, and gdb) to construct a complete cross-development environment at little or no cost.

However, piecing together all the components necessary to build a system such as this isn’t easy. Eclipse wasn’t built to handle cross-development, or even the C or C++ languages typically used in most embedded projects. So a significant amount of effort is needed to get Eclipse to do this adequately. Eclipse also doesn’t have any concept of a remote debug connection of its own. If a debug interface such as JTAG, or even an Ethernet or serial connection to a target-resident debug monitor, is used, Eclipse must be reconfigured to handle the situation. And the GNU tools required are typically available only in source format, and must be built for the particular host and target processor being used by a project. Getting these tools to build for a particular host/target combination can be difficult, consuming engineering time better spent on application development.

This article describes how to construct a free or low-cost cross-development environment for Intel XScale processors based on Eclipse IDE and GNU toolsets.

Debugging Using Free Tools

To build a functional, free, cross-development environment, you have to get several components and integrate them. The Eclipse development environment is the framework in which the other necessary tools are integrated. Eclipse itself includes an editor, project manager, and debugger interface. Since the environment is intended for embedded cross-development, the C and C++ languages must be supported. This means using the CDT plug-in for Eclipse (http://www.eclipse.org/cdt/). The assembler, compiler, linker, and other code-generation utilities will be provided by open source GNU code.

If the goal were to develop native applications in C/C++ using Eclipse then these tools would suffice. However, for embedded cross-development, a few more pieces are needed. Eclipse with a CDT plug-in has no concept of a remote debug connection to connect to an embedded processor. Zylin AS Consulting (www.zylin.com) offers an open source embedded CDT and another plug-in that together let the Eclipse debugger connect to a remote target via any debug connection (see the Zylin plug-ins section below). This debug connection is typically a JTAG, Ethernet, or serial connection. And if a JTAG connection to the target is needed, a method must be provided for the GNU Project Debugger (GDB) to communicate with the target using this interface.

The completed development system using a JTAG target connection is shown in Figure 1.
Figure 1: Completed development system using a JTAG target connection

Building on Eclipse

According to the official Eclipse Web site (www.eclipse.org), the Eclipse Foundation manages open source development of projects that “are focused on providing a vendor-neutral open development platform and application frameworks for building software.” The Eclipse Foundation has created the Eclipse Platform that provides a feature-rich integrated development environment with a well-defined interface that allows additional features to plug in and work seamlessly with existing code.

Eclipse has rapidly gained favor among embedded tools companies because it provides a sophisticated IDE into which they can plug their tools and no longer have to worry about building and maintaining their own proprietary environments. The Eclipse Public License lets the creator of derivative works based on Eclipse retain their distribution rights so companies can focus on their core embedded competencies and still profit from their efforts.

This is excellent news for those trying to put together a free development environment. It makes a commercial-quality IDE available that has the backing and support of a large number of both embedded and enterprise software tools companies. However, as mentioned above, Eclipse by itself provides only a framework and some generic tools, such as an editor, code/project manager, and debugger interface. To construct a cross-development system, several more packages must be obtained and integrated into Eclipse.

C/C++ Development Tooling

Eclipse was originally developed in and for the Java programming language, and the basic framework is still specific to Java. Most embedded cross-development projects still have device drivers, operating system (OS) code, and applications written in C, C++, or assembly language. To make Eclipse compatible with, and useable for, C/C++, a sub-project called C/C++ Development Tooling was created to build a plug-in that would add these features to the basic Eclipse framework. This plug-in is available as a free download from Eclipse at www.eclipse.org/cdt/downloads.php.

With the Eclipse framework and CDT in place, the environment is capable of supporting and enabling code development in C/C++. However, this environment will only work for native application development. For embedded cross-development, there are still some issues that must be addressed, primarily the handling of remote debug connections to a target processor. The Zylin plug-ins section discusses this problem further. An assembler, compiler, linker, and loader are also still required to generate downloadable code for the XScale target processor. The next section discusses using GNU tools that provide these utilities.

Free Software Foundation GNU Tools

The Free Software Foundation makes free source code available for a wide range of programs and utilities, including a set of tools that together can provide everything necessary to build, link, load, and debug an embedded application. The combination of GNU binutils (http://www.gnu.org/software/binutils/), the GNU Compiler Collection (GCC) (http://gcc.gnu.org/), and GDB (http://sources.redhat.com/gdb/) provides a fairly complete toolset for building and debugging embedded applications. These tools can be used on their own for this purpose. The binutils package provides an assembler, linker, archiver, and several other utilities for code development, the GCC provides the C/C++ compiler, and the GDB allows the code to be downloaded to and debugged on the target processor.

The downside of using these tools as they are is that there’s no graphical user interface (GUI) and no real integration of the tools. Used by themselves they basically provide a command-line interface. However, Eclipse with the CDT is capable of sufficiently integrating these tools into an environment with a GUI so most of the command-line use of the tools can be avoided.

The other problem with using the GNU tools for code development is that they generally come only in source form. Although the tools support a huge array of various target processors and just about any host OS and hardware one could imagine, the user usually has to configure and build them. This build process can be a time-consuming, frustrating experience, especially for someone who hasn’t done it before.

Fortunately, several embedded tools vendors make available free pre-built versions of the GNU tools for ARM/XScale that can simply be downloaded and installed.

Zylin Embedded CDT Plug-Ins

An environment consisting of Eclipse, the CDT plug-in, and the appropriate GNU tools is close to being a functional embedded cross-development system. As mentioned above, however, Eclipse and the CDT don’t support remote target connections to an embedded processor. They assume that debugging is occurring on the host machine. To download the embedded code from the host to the target and then connect to a debug agent of some type running on the target hardware, some changes must be made in the way the CDT handles debugging.

To address this problem, Zylin AS Consulting, a Norwegian company, has created and made Embedded CDT and another small plug-in available that together “understand” and properly handle embedded debugging using GDB from within Eclipse. These free plug-ins are available at http://www.zylin.com/embeddedcdt.html.

It’s also worth noting that an Eclipse Project called the Device Software Development Platform (DSDP) is now available. This project is specifically aimed at enabling Eclipse to be used for embedded cross-development so that, at some point in the future, the Zylin Embedded CDT modifications may become unnecessary. Further information about the DSDP project can be found at http://www.eclipse.org/dsdp/.

Traditional Target Connections

The only piece that remains missing in the integrated cross-development system is some kind of debug communication method to connect the host computer to the target processor. Traditionally, this connection is usually made via a serial, Ethernet, or JTAG interface. If a project is using hardware for which a board support package already exists, it may be feasible to simply run a GDB debug agent on the target and connect GDB to it using a serial or Ethernet connection.

However, for new custom XScale boards, the interface of choice is usually JTAG. This debug interface is built into XScale processors and provides a dedicated debug connection directly to the processor core that has several advantages over using a serial or Ethernet connection:
• It’s built into the processor and only requires that the processor is powered and getting a clock signal to work.
• It can be used to write and debug boot code and drivers that must be implemented and tested before getting a debug agent running on the processor.
• It doesn’t use any valuable target resources. A serial or Ethernet debug connection usually requires dedicated hardware for the interface besides using processor cycles and memory for a driver.

To connect a JTAG interface device to the target using the Eclipse/GNU environment described above, a debug agent of some sort is required. GDB has a well-defined back-end interface called GDB Remote that has become a common standard for connecting the debugger to an embedded processor via JTAG. This is usually handled by a proprietary standalone utility that runs on the host and provides a TCP/IP port that will accept a GDB connection on the front-end and connect to the JTAG hardware device on the back-end. Most JTAG interface device vendors provide a utility for this kind of connection with their hardware.

Figure 2 shows the Eclipse Debug Perspective during a debugging session using the system described in this article. The target is an XScale 81348 I/O processor evaluation board and the debug connection is made via a USB-connected JTAG device.

Figure 2: The Eclipse Debug Perspective during a debugging session using the system described in this article

Full-Featured Integrated Cross-Development Environment

This article has shown that, using readily available, free, open source software tools, it’s possible to construct a full-featured integrated environment for XScale embedded cross-development. The process of gathering components, integrating them and – in the case of the GNU tools – building applications from source is likely well within the capabilities of most embedded software engineers. However, this process can still be time-consuming and difficult, eating into engineering time that might be better spent writing code for the target hardware.

Several JTAG debugger vendors, as a way of promoting and enabling their JTAG interface devices, have greatly simplified the task of constructing the integrated development environment described in this article. These companies make available free downloads that include Eclipse, the Zylin Embedded CDT plug-ins, pre-built GNU toolkits for ARM/XScale processors, and, typically, pre-built Eclipse projects configured for standard XScale evaluation boards. The pre-configured Eclipse projects and the pre-built GNU tools, with install programs for Windows operating systems and RPM scripts for Linux operating systems, allow a user to get a complete environment up and running quickly on actual hardware.

In conclusion, constructing a free or low-cost cross-development environment based on the open-source Eclipse IDE and GNU toolsets is possible, though time-consuming and challenging. Vendors of JTAG interface hardware have simplified the process by providing downloads that help facilitate construction and lower the barriers to achieving the sophisticated XScale cross-development environment developers are seeking today.
COPYRIGHT ©2007 SYS-CON MEDIA
ALL RIGHTS RESERVED

Overview

Protect and Control Your Small Business Network
Five open source applications to get you started
by Dirk Morris

For a small business, flexibility and cost are key factors to bear in mind when considering a network threat management solution.
About the Author Dirk Morris is the founder and CTO of Untangle, which incorporates more than 30 open source projects into a single open source network gateway platform to stop spam, spyware, viruses, and more. [email protected]
The network security space has been dominated by big proprietary vendors like Barracuda, SonicWall, and WatchGuard. However, many people simply don’t have the time or budget to research all the possible vendors and order, install, and configure a network appliance, so they postpone addressing network security.

Given the cost and inflexibility associated with proprietary vendors, open source solutions may seem like a good option. However, many businesses have traditionally steered clear of open source alternatives, because early projects lacked the commercial support and documentation that they were familiar with. In addition, most people who haven’t had experience with open source don’t even know where to begin when evaluating if a particular application is appropriate for the business.

As a result of the perceived downsides of both proprietary and open source solutions, many small businesses simply choose to live with insecure networks and don’t deploy a proper suite of security applications. However, leaving the network uncontrolled and vulnerable to attacks is obviously not the optimal solution, nor is investing a lot of money in a proprietary solution that may not provide the desired flexibility, as the needs of the network evolve as the company grows and changes.

The reality is that open source can provide an excellent solution for small businesses. However, because of the slew of open source options out there, it is important to have both some basic starting information and a system by which to evaluate which projects are appropriate. (It also doesn’t hurt to have some patience and a sense of adventure when diving into the sea of available open source projects.) In the spirit of helping to create a jumping-off point for those considering open source, here are five free open source security applications that every small business should evaluate:

1) SpamAssassin

Everyone hates the unsolicited e-mail called spam. The open source SpamAssassin (http://spamassassin.apache.org/) is an extremely effective spam filter that is typically installed on the mail server or relay. For those who already have a mail server in place (even Microsoft Exchange), there are a variety of ways to plug in SpamAssassin. It boasts a large community of users who consistently write new SpamAssassin plug-ins, and a SpamAssassin user inherits all of the benefits and support of this very active community.

However, there are downsides to using it. The installation can be tricky, and the platform lacks some of the features that businesses might want, such as a mail quarantine, and blocklist and passlist capabilities because SpamAssassin’s job is only to detect whether or not an e-mail is spam. However, there are ways to set up SpamAssassin to mimic quarantine-like actions, such as moving spam to other mailboxes to achieve some of the same results. The spam detection engine is one of the best, including technology like Bayesian filtering, RBLs, and plug-ins for the Razor database and even optical character recognition (OCR). Because the community is so large and active, there are consistently free updates readily available.

In short, SpamAssassin is a great, low-cost alternative to a proprietary spam filter like Barracuda’s appliance, which performs the same functions and adds documentation, support, and a few features that they feel SpamAssassin is missing, including a hefty price tag. If you have time for the installation and don’t mind taking some time to poke around the community to answer questions, give SpamAssassin a try.

2) ClamAV

ClamAV (http://www.clamav.net/) is an effective, well-performing virus-scanning engine that can be used in a few different ways. You can treat ClamAV like SpamAssassin and integrate it with a mail server to scan pieces of mail for viruses. You can also install ClamWin (http://www.clamwin.com/) on every desktop in the company for an extra layer of security. This is similar to using commercial products like Norton Anti-Virus, but ClamWin does not have some of the fancy features. On the plus side, ClamAV, like SpamAssassin, has both the advantage of price (it’s free) and of a large community of users submitting signatures, which are often available sooner than they are for any other virus-detection product.
3) L7 Filter

L7 Filter (http://l7-filter.sourceforge.net/) is a module for iptables, the Linux firewall, so it requires a Linux firewall on the network. L7 Filter makes it possible to detect and block an array of protocols that are traditionally difficult to detect and block because they jump around to different ports. Companies that want to block their employees from using AOL Instant Messenger, for example, need to block whatever port AOL IM uses, which theoretically is port 5190 but often shifts to other ports (including the Web port, port 80, which every firewall has open) to ensure a connection. L7 Filter is great for detecting and blocking tougher protocols like Instant Messaging from Yahoo, AOL, and Microsoft, and P2P protocols such as BitTorrent.

Like ClamAV and SpamAssassin, L7 Filter has a user community that develops, maintains, and updates important signatures. Proprietary vendors often have signature lists that try to cover a broad array of topics and are outdated and poorly maintained. Open source projects like L7 Filter, because of its larger community and its focus on a single aspect of security, tend to have newer and larger signature lists that lead to more effective product use.
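The port-hopping problem described in the L7 Filter section, as an added example that is not part of the original article or the L7 Filter project's code: it compares a port-only rule (block TCP 5190) with payload signatures applied to the first bytes of each connection. The signatures, inspection limits, port 51413 and all sample flows are constructed for this illustration and are not the project's own patterns.

```python
import re
from dataclasses import dataclass

# Port-only policy from the article's example: AIM "theoretically" uses TCP 5190.
BLOCKED_PORTS = {5190}
# Layer-7 policy: block by protocol, whatever port the connection uses.
BLOCKED_PROTOCOLS = {"aim", "bittorrent"}

# Inspection limits chosen for this example: only the start of a connection
# is examined, so the classification cost per connection stays bounded.
MAX_SEGMENTS = 10
MAX_BYTES = 2048

# Signatures written for this example (not the L7 Filter project's patterns).
# re.match() anchors each one at the first byte of the connection, which keeps
# a protocol name that merely appears later in the stream from matching.
SIGNATURES = [
    # AIM/OSCAR sign-on frame: 0x2a, channel 1, 2-byte sequence number,
    # 2-byte length, then the 4-byte protocol version 0x00000001.
    ("aim", re.compile(rb"\x2a\x01.{4}\x00\x00\x00\x01", re.DOTALL)),
    # BitTorrent peer handshake: length byte 19 followed by the protocol name.
    ("bittorrent", re.compile(rb"\x13BitTorrent protocol")),
    # HTTP/1.x request line.
    ("http", re.compile(rb"(?:GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n")),
]


@dataclass
class Flow:
    label: str
    dst_port: int
    segments: list  # payloads in the order they were seen on the connection


def port_verdict(flow):
    """Decision of a firewall that only knows destination ports."""
    return "DROP" if flow.dst_port in BLOCKED_PORTS else "ACCEPT"


def classify(flow):
    """Name the protocol from the reassembled start of the connection."""
    buf = b"".join(flow.segments[:MAX_SEGMENTS])[:MAX_BYTES]
    for name, pattern in SIGNATURES:
        if pattern.match(buf):
            return name
    return "unknown"


def l7_verdict(flow):
    """Decision of a firewall that classifies by payload signature."""
    return "DROP" if classify(flow) in BLOCKED_PROTOCOLS else "ACCEPT"


# Constructed sample payloads (not captured traffic).
AIM_SIGNON = b"\x2a\x01\x00\x01\x00\x04\x00\x00\x00\x01"
BT_HANDSHAKE = (b"\x13BitTorrent protocol" + bytes(8)
                + b"\xaa" * 20 + b"-XX0000-000000000000")
HTTP_GET = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
HTTP_REPLY = b"HTTP/1.1 200 OK\r\n\r\nFAQ: what is the \x13BitTorrent protocol?"

SAMPLE_FLOWS = [
    Flow("AIM on its nominal port", 5190, [AIM_SIGNON]),
    Flow("AIM shifted to the Web port", 80, [AIM_SIGNON]),
    Flow("ordinary Web request", 80, [HTTP_GET]),
    Flow("BitTorrent handshake split across two segments", 51413,
         [BT_HANDSHAKE[:7], BT_HANDSHAKE[7:]]),
    Flow("Web page that mentions BitTorrent", 80, [HTTP_GET, HTTP_REPLY]),
]


def compare(flows):
    """Return (label, port-only verdict, detected protocol, layer-7 verdict)."""
    return [(f.label, port_verdict(f), classify(f), l7_verdict(f)) for f in flows]


if __name__ == "__main__":
    for label, by_port, proto, by_l7 in compare(SAMPLE_FLOWS):
        print(f"{label:48} port-only={by_port:6} proto={proto:10} layer7={by_l7}")
```

Reassembling the first segments before matching is what lets the split BitTorrent handshake be recognised, and anchoring every signature at the first byte is what keeps the Web page that only mentions BitTorrent classified as HTTP.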
4) Snort

Snort (http://www.snort.org/) has evolved into an industry standard for intrusion detection and intrusion prevention. The best thing about Snort, aside from its reputation as an effective intrusion detection system, is that the community is so large and active that you can essentially find a proven signature for virtually anything, be it detecting a certain attack or even whether or not someone is, among other nefarious activities, using a protocol that should be blocked or accessing a Web site that is deemed inappropriate for the network. These signatures are available free with a 30-day delay from SourceFire and are professionally maintained. Snort’s beauty lies in its flexibility – there are so many proven signatures out there that there are almost limitless options for what it can be used for beyond just intrusion detection.

5) OpenVPN

OpenVPN (http://openvpn.net/) is a great VPN tool for remote access, if you have a lot of users trying to access the network remotely. OpenVPN is similar to other VPN protocols like IPSec and PPTP, but it’s much simpler (and is free). There are clients available for Windows, Mac, and Linux, and it avoids issues that commonly plague users of PPTP and IPSec, including problems with NAT. IPSec and PPTP can be tricky to set up in a lot of cases, and they require you to invest time and energy dealing with complex issues like key management. OpenVPN is much less complex, and if you are willing to do research into how to get it up and running, it will be a cost-effective, much more stable VPN than either IPSec or PPTP.

Obviously, open source provides a cost-effective, flexible alternative to proprietary solutions for the network security gateway. These five projects each can be used to perform a vital network security function. However, there is no guarantee that any given open source project is right for your business. It is important to evaluate each project on the basis of several criteria to see if it is appropriate for you to implement and use.

Questions you should ask yourself before implementing any open source project are:
• What is the installation process like?
• How good/clear is the documentation? Is it easy to find?
• How large and active is the user community?
• Is there someone at your company who is willing to go to the project community for support rather than having a telephone number or a help line to call?
• Is there someone in your company who is willing to take some time to find and review online documentation and to figure out the use of the project?

The key for any business of any size thinking of implementing open source is to beware of downsides, know the upsides, and make sure this project is right for you. If there is someone at your company willing to put in a little elbow grease to read the documentation (RTFM), to seek out support, and to go the extra mile to engage with the community, then low-cost, flexible open source solutions can be the best way to secure your network.
news
Centric CRM Receives Funding from Intel Capital
(Norfolk, VA) – Centric CRM, a developer of open source Customer Relationship Management (CRM) technology, has announced the company will receive investment funding from Intel Capital, the venture capital arm of Intel Corporation. Centric CRM will use the funds to pursue growth opportunities forecast for the CRM technology industry.
The rapid growth in the CRM technology market is being fueled by an increased business focus on strengthening customer relationships, as well as an increased acceptance by businesses of open source and Software as a Service (SaaS) business models. Open source software developers make the software’s source code available to users under a license or other arrangement that allows users to modify the software to fit their needs. The SaaS model involves a Web-delivered software application that the vendor hosts and operates for use by its customers, who do not pay for owning the software itself but for using it. Centric CRM delivers its software using both methods, allowing its customers to choose the approach that works best for them.
www.centriccrm.com

Black Duck Software Deepens Work with IBM Rational Through Expanded Software Integration
(Orlando, FL) – Black Duck Software, a global provider of software governance solutions, has announced another significant integration between its protexIP/development platform and IBM Rational software. Black Duck has linked protexIP, a software compliance management system, with IBM Rational Portfolio Manager, the end-to-end software product and portfolio management solution. Black Duck’s work with IBM Rational has yielded several points of integration between the companies’ product lines. Each helps executives and legal counsel work with developers to ensure software is developed in a way that meets corporate and legal objectives. Black Duck’s protexIP platform checks software code for compliance with hundreds of open source licenses.
In addition to gaining Ready for IBM Rational software validation, protexIP with IBM Rational Portfolio Manager, Black Duck has integrated its flagship product with IBM Rational ClearCase, IBM Rational Application Developer for WebSphere, and Rational Software Architect. Black Duck and IBM Rational solutions give joint customers a range of options for helping executives, lawyers, and developers collaborate throughout the software lifecycle, with the goal of making use of open source technologies while complying with software licenses and company policies.
www.blackducksoftware.com

McObject’s eXtremeDB 3.1 Tested as Compatible with MontaVista Linux Carrier Grade Edition 4.0
(Issaquah, WA) – McObject announced that eXtremeDB 3.1, the latest release of McObject’s in-memory embedded database for real-time, high availability applications, has been tested as compatible with MontaVista Linux Carrier Grade Edition (CGE) 4.0.
eXtremeDB version 3.1 targets telecom and datacom embedded software with index functions for more efficient communications-related sorting and retrieval, and with an improved high availability sub-system. That makes it an ideal fit with MontaVista Software’s full-featured, deployment-proven Linux CGE 4.0, which adds hard real-time capabilities, new and unique clustering services, and other features for building carrier grade telecom and datacom systems. MontaVista is a provider of Linux for intelligent devices and telecommunications infrastructure.
http://www.mcobject.com/extremedbfamily.shtml

Verio Linux Managed Hosting and Application Solutions Free Businesses From IT Management
(Centennial, CO) Verio Inc., announced the availability of its Managed Private Server (MPS) on the Linux platform, part of Verio’s 360° Managed Servers suite of services. Verio’s Linux MPS, built on Red Hat Enterprise Linux ES version 4, takes advantage of the stability of the Linux platform by bundling it with dedicated, enterprise-level hardware, a highly secure managed hosting platform, and managed services for added power and performance. Coupled with Verio’s time-tested reliability, security and flexibility, the solution delivers cost-efficient Linux hosting to mid-market and small businesses, as well as solution provider partners, including independent software vendors, Web developers and IT professionals. All Verio MPS solutions include managed backup to protect business data; a raid array for greater redundancy, reliability and speed; managed security patches; and fully managed hardware and software updates.
www.verio.com
Talend Launches Open Source Data Integration on Demand
(Palo Alto, CA) – Talend, a provider of open source data integration software, has announced the availability of Talend On Demand, the company’s flagship open source data integration solution, Talend Open Studio, delivered as a service. Leveraging the widely recognized benefits of the software-as-a-service (SaaS) model, such as reduced infrastructure requirements, product maintenance and administration, Talend On Demand enables enterprise information management teams to cost-effectively and efficiently solve their complex data integration challenges.
Talend’s SaaS-based solution provides an alternative to traditional stand-alone software data integration applications, delivering a service that can be obtained anywhere over the Internet. It is a cost-effective way for resource-strapped organizations to obtain the same benefits of commercially licensed, internally operated software without the associated administration. As a SaaS offering that is also built with open source components, Talend On Demand requires no new software to support or infrastructure to maintain, and can be deployed in minutes anywhere in the world.
Talend On Demand is the first open source data integration solution on the market delivered as a service. It provides a centralized and shared repository, facilitating project-team collaboration and object and code reuse, and promoting development best practices, without requiring sensitive enterprise data to be moved outside the corporate firewall. Project data is hosted separately, facilitating optimal performance while ensuring privacy.
www.talend.com

Novell Announces Real-Time Linux Enhancements and Partnerships
(New York) – Novell has announced new enhancements to SUSE Linux Enterprise Real Time and unveiled new partnerships that expand the ecosystem around Novell’s low-latency Linux solution. SUSE Linux Enterprise Real Time, an enterprise-class, open source real-time operating system, is a customizable, fully supported solution for running mission-critical applications that require deterministic processing and speed. As a result, customers can run their time-sensitive mission-critical applications reliably and predictably, even under severe system loads, with SUSE Linux Enterprise Real Time.
Built on top of SUSE Linux Enterprise’s desktop to data center platform, SUSE Linux Enterprise Real Time contains the kernel enhancements, packages, tools and utilities that create a robust, high-performance, deterministic and low latency operating system. Novell builds SUSE Linux Enterprise Real Time in conjunction with Concurrent Computer Corporation, a provider of real-time Linux software technology. With real-time technology, customers can segment portions of their processors, network bandwidth and other hardware for high-priority mission-critical workloads.
http://www.novell.com/beta/auth/request_form.jsp

Capgemini and Novell Enter Broad Mixed-Source Partnership
(Paris/Waltham, MA) – Capgemini and Novell have announced a broad partnership that will deliver new solutions to enterprise customers using a combination of open source and proprietary software. Under terms of the agreement, Capgemini will enhance its open source consulting practice with Novell capabilities, specifically centered on the deployment of IT solutions using SUSE Linux Enterprise from Novell along with mixed-source applications and management tools. As a result, customers can deploy a Linux platform across their entire desktop-to-data center infrastructures with the confidence that comes from working with a global consulting leader.
With this partnership, Capgemini’s customers gain fully supported mixed-source solutions built on open source and proprietary software that Capgemini will help build, deploy and maintain. The Capgemini Open Source practice will help customers define enterprise open source governance and select the right open source packages and solutions to deploy on top of a flexible, fully supported Novell platform that delivers optimized performance. World-class enterprise solutions for servers and desktops will be delivered, along with data center virtualization and management capabilities. In addition, Novell open source solutions will be supported via Capgemini’s open source Support Service Center (OSS Partner) offering. Novell plans to provide Level 3 support to Capgemini.
www.novell.com
www.capgemini.com
news
Motorola Has Released Precise Process Accounting for the Linux Kernel Under GPL version 2

Motorola has released the source code of Precise Process Accounting (PPA) for the Linux Kernel to the Open Source community on April 23, 2007, under the GNU General Public License (GPL) version 2. The current release supports the Linux kernel version 2.6.18.6.
Future PPA features
The PPA team is planning to implement the following features by the end of 2007:
• Support for thread overload protection, i.e., signal runaway threads
• Settable thresholds (per-thread) counters to measure various thread latency occurrence counts – schedule, interrupt, system calls. Allows further root cause of sporadic field incidents and related latency bottlenecks in the system.
• CPU enforcement based on user, group IDs or group of process IDs.
• Port PPA to other architectures
For additional information, access to source code, articles and whitepapers, mailing list and contact information, please visit http://sourceforge.net/projects/ppacc/.

Please consider this an open invitation to participate in the PPA project, provide feedback and comments, offer contributions, and help guide PPA development.
Overview and Benefits of Precise Process Accounting
Current CPU accounting introduces many gaps in carrier-grade environments, making it unfit for high-availability environments (five-nines and six-nines availability). PPA is an additional timing and activity framework in the Linux kernel that coexists with the existing Linux kernel CPU accounting. It fills the gap between current CPU accounting and Performance Monitoring Unit (PMU) based profilers and trace tools, and it’s light enough for field deployment in five-nines environments. PPA is lightweight and is usable in the field for root cause of execution and scheduling-related incidents. Furthermore, PPA is fully scalable; all measurements may be runtime disabled (i.e., user, interrupt, system). Along with the PPA kernel, patch-related tools are provided such as ppatop, which makes use of PPA measurements and provides sorting of processes or threads based on PPA measurements (i.e., overall, user, system CPU usage, scheduling latency, etc.).
PPA is especially designed for carrier-grade Linux servers running in mission-critical environments and it offers precise:
• Measurement of per-thread and process execution intervals
• Measurement of system-wide execution intervals
• Accounting of scheduling events
• Accounting of scheduling latencies
• Enforcement of execution limits
PPA features and capabilities are derived from Motorola’s experience in environments that require high availability, high reliability, high scalability, and support for large traffic capacity. Furthermore, PPA helps solve day-to-day operational problems in carrier-grade and mission-critical environments, manage capacity, improve reliability, harden the system during development, and expose risks or probable incidents that otherwise would remain unknown until field deployment.
PPA hardens network elements in several ways:
• System characterization: Ability to characterize system performance, latency, and execution behavior during development to prevent surprises in later phases (for example, during or after field deployment).
• Capacity management: Ability to manage reliably available compute bandwidth. Based on available CPU bandwidth, the network element/server can selectively process inbound requests, throttle back low-priority activities, or distribute and migrate load.
• Field incident root cause: Ability to root cause high-CPU load or excessive latencies that often get attributed to unrelated causes. In mission-critical environments, there is a need to immediately find, analyze, and solve incidents that require immediate analysis and the root cause of incidents. PPA provides data and clues to solve complex incidents.

PPA Technical Specifications:
• Ported to x86, x86_64, PPC32, Intel Itanium processors
• Developed to characterize today’s various flavors of SMP architectures
• Large percentage of measurements lives in kernel generic code
• Precise time-stamped measurements utilizing native high-resolution timestamp counter, eliminates statistical/sampling errors
• Precise system-wide and per-cpu – idle, interrupt, deferred interrupts and system-mode measurements
• Precise thread – user, system, and interrupt measurements
• Precise process wide – user, system, and interrupt measurements
• Precise enforcement of CPU exhaustion limits and profile (facilitates reliable gprof measurements), virtual timers
• Precise measurement of various thread execution latencies: associate user-reported incidents to execution latencies in the system.
• Offers tools such as ppatop that abstract the PPA /proc interface
• PPA conformance test verifies all PPA measurements and margin of error introduced by native accounting