Architecture, Development and Security

Vested Outsourcing - An Implementation

2011-12-07T10:05:00.001-05:00

In March of this year I wrote a post about Vested Outsourcing principles, since that time I have been able to implement these concepts into a major IT Development outsourcing deal. In this engagement, I have been fortunate in that the client is very interested in creating a true partnership with a sourcing company. This partnership is based on creating additional value for their company not simply offshoring work to save money. This is not to say that saving money was not important but it was not the overriding concern.

Lessons Learned

In this post I will outline how we created a vested arrangement; that is how we put the five principles of vested outsourcing into practice; ultimately creating a win-win for both parties. Before I describe how we went about this, I want to articulate some of the advantages and lessons learned during this journey:

Starts Early - Creating a vested deal and building a true partnership starts early in the process. We started the RFI/RFP process with partnerships in mind. This meant being cognizant of the candidate partner's costs of sales up front. We weeded out candidates before the cost of sales became high. We kept the lines of communication open and created a transparent/open process that was fair to all participants.
Why are we Doing This Again ... - Establish clear achievable goals and communicate your them early and often(see staying on message and communication below). As with any large project sometimes the foundational reason for the effort is lost in the day to day, this must stay in the forefront of your mind. We spent a significant amount of time before the project kicked off to be sure the goals an objectives were clear and sold to the senior leadership.
Stay on Message - suppliers are not yet comfortable working in this model, as such, messaging is crucial. In short, they will be suspicious. Stay on message and remember; how you behave is more important than what you say. You can talk partnership but you better act it as well.
Communication - It is absolutely key to create a communication plan and execute against that plan. The constituents include employees, incumbent vendors, and candidate partners. Part of communication is articulating what is important to you as the buyer. One way we did this was in the form of a term sheet. The term sheet is a set of contractual terms that the buyer can not be flexible on -- defining this early has the benefit of keeping cost of sales down for participants (if they were not happy with the terms they could drop out early) and it sped up contract negotiations on the back end.
Differentiators - If you are engaging a tier-1 or even a tier-2 outsourcing vendor then it is safe to say they can handle the technologies involved, this is not their first rodeo -- how then will they differentiate themselves? Most clients assume differentiation comes from the team they put on the ground. While the team is important, the actual staffing structure is more critical to partnership success. If you don't like a particular team member, the partner will be more than happy to swap that person out. Your overriding concern should be the structure of the organization (this will not change) and how that structure fits with your company's org structure. Culture is equally important. Are they order takers? You need a partner who will tell you if you are going off the rails not a yes man. Senior leadership commitment is another differentiator - are you getting the attention of thier senior leaders, do they understand what you mean by a partnership, and are they commited to making this work?
Scope - We did not limit our scope to the immediate problem (development sourcing) but broadened our perspective to include process improvement initiatives that are key to the success of the sourcing effort but cut across the development organization, affecting the entire enterprise. These improvement initiatives encompassed areas such as: knowledge management, SDLC, metrics, technical readiness, organizational culture, etc. Including process improvement initiatives provided two main benefits - smoothed the sourcing transition and secondly provided a funding and process mechanism to initiate projects that typically are not easy to fund in IT organizations; for example: architecture, new technology analysis, strategic non-project based work.

The Five Rules in Practice

We were able to put the five rules of Vested Outsourcing (see March post for an intro to the five rules) into practice.

Outcomes Based -We looked for ways and coached the candidate partners to assist in identifying specific outcomes not transactions. The candidate partner has seen many sourcing deals you need to leverage that experience throughout this process. They brought many ideas to the table. In this case the client was very interested in code quality and the ability to flex capacity to meet business demand. It seems obvious to say, focus the sourcing arrangement to the outcomes but being crisp regarding outcome definition and consistent in the message is intricate, nuanced, and requires some thought.
Focus on the What - To be sure we focused on what needs to be accomplished and not how to perform a task. We created a small team within the sourcing project to analyze each area and document what the goals were, being careful to stay away from implementation. This sub-team then met with the candidate partners to solicit their best ideas regarding implementation. Forming a clear delineation in the project team between the what and the how helped to steer the group in the right direction. You will need to take care when staffing this sub-team, as this was a development initiative and developers tend to immediately dive down into the how of the solution - train and focus the group to stay away from implementation for this exercise.
Metrics - What metrics were needed to be sure we continue to achieve our target goals? Comparatively, this was an easy rule to put into practice as our candidates came to the table with a wealth of experience in this area. The difficulty arose not in getting the correct metrics but getting those measures into a useful format, tool, and within a governance model that provides oversight. We answered these latter issues with a comprehensive knowledge management approach and an integrated governance model that includes all aspects of IT management.
Pricing Model - The contracting process can not take place in isolation in a vested outsourcing deal. In a usual outsourcing arrangement the lawyers come in at the end and hash out details that would have been better discussed at the implementation team level. You and your partner should be prepared to work through contacting the same way you worked through the RFI/RFP process, that is in an open and collaborative method. The pricing has to tie together the "what of the deal" and the metrics; governance will then become the administrative arm of the model
Governance - Governance ties the entire process together. We established an enterprise governance structure with integration points into the sourcing initiative. This model was used to integrate into other areas of IT into the sourcing project. The client partner remained on the governance team in the out years but their focus changed from supporting the client to supporting the deal. That is a challenging transition to make, but one that is necessary if the deal is to be balanced and successful in the long term. Our governance process provided oversight back to what we want to accomplish - if we were careful and thoughtful around what needed to be accomplished then governance of the relationship can have the proper focal point.

Over the next few months as we begin transition and eventually move to steady state I will be updating this blog to report our progress, lessons learned and specific benefits and challenges we faced along the way.

-npv

Outsourcing - A Better Way

2011-03-06T13:56:00.002-05:00

As a software engineer and security professional one can not help but be exposed to and involved in outsourcing of all types - BPO (Business Process Outsourcing), software development and maintenance, KPO (Knowledge Process Outsourcing), etc. While outsourcing does not necessarily mean off-shoring the two are usually closely linked.

Defining our terms -- Outsourcing is the process of subcontracting services to a third party. Where off-shoring is relocating the business processes from one country to another. The overwhelming reason companies outsource work is to lower costs and increase efficiencies.

The Usual Approach - We run your mess for less

I have been involved in evaluating vendors, negotiating contracts, and implementing outsourcing deals across many business domains for the last ten years. In the vast majority of cases a senior executive (or team) decides to outsource to save many -- typically thinking that they will take advantage of the labor arbitrage because outsourcing and off-shoring are thought of as the same thing. The senior staff's thinking goes something like: "we have problems let someone else (the experts) run/manage this thing".

The marching orders are then filtered down to the line staff that evaluates vendors, negotiate the deals and lives with the day to day consequences. This dance usually takes the form of the company doing the outsourcing writing contracts and statements of work telling the service provider how they want to manage the work and for the most part the processes are the same as those used before outsourcing. In addition to these process constraints the contracts are usually written to manage piece work. That is to say, suppliers are reimbursed by how many operations they perform or manage. For example; vendors that manage data centers get reimbursed by number of servers managed, calls centers by how many calls, and if you outsource development then you pay for each of the developers. The incentive for the outsourcing vendor is to sell more of whatever it is they are managing. Cost savings are not passed along and innovations are not sought; why would they be.

Now how is this process managed? Not by mutual cooperation because it is a zero sum game. It is managed by nit-picking the contract by both sides, antagonism and the larger more powerful company throwing it's muscle around (the proverbial 300 pound gorilla).

Overlay these process inefficiencies with a piece-work mentality, all wrapped around a zero sum game based contract and there is no wonder that the typical outsourcing arrangement evolves from, year one when the supplier tells the company "don't worry you will see savings when the process settles down". In year two, the company moves to disillusionment and hope that this will turn itself around. To finally, in year three of a seven year deal where the company is just counting down the time until it all ends.

Vested Outsourcing - A Better Way

Over the last two years I have been involved in a better approach and methodology to outsourcing. It is called Vested Outsourcing (VO) - www.vestedoutsourcing.com. Unlike other approaches VO has been tested in academia and across a number of business sectors (public and private). VO is based on research conducted by the University of Tennessee and the Air Force in which five key tenets were developed and built upon, to set the stage for companies to fix their outsourcing issues. I have become involved in VO as a research analyst conducting a VO study for the University of Tennessee (UT) and as a implementer of VO concepts for companies across the USA as an associate with a consulting company (www.capto-consulting.com). My work in these two areas has convinced me that VO is truly a better way to outsource.

I won't try to explain all of VO in one blog post (there are many other sources for that) but I will summarize the five rules of vested outsourcing:

Rule 1: Focus on the outcome - As you look to outsource, the focus should be on the goals not on the transactions. The supplier is paid to meet mutually agreed upon outcomes. Outsourcing is then about buying and achieving desired business outcomes not about transaction management.

Rule 2: Focus on What not How - Remember earlier in this post, I was talking about running your mess for less... well usually the company outsourced a function because they wanted to leverage the experts. When it came time to write the contract they are then structured specifically telling the experts how to do their tasks. A vested deal focuses on what the outcome should be not telling the supplier how to implement.

Rule 3: Agree on Clearly Defined Measurable Outcomes - I am convinced that the focus shifts to measuring transactions because it's easier. remember Rule 1 - stay focused on the outcomes and measure results against those.

Rule 4: Optimization of Pricing Model Incentives - this involves the balance of risk and reward while setting up a deal that is mutually beneficial to both parties and adhering to tenets of VO. In the past I have witnessed companies that have set up incentive structures for vendors and then went to great lengths NOT to pay them the incentive. In a vested deal the pricing is optimized and tied to outcomes the customer wants to pay the incentive - it is to the advantage of all parties to reach their outcomes based incentives.

Rule 5: Governance Structure that Provides Insight Not Only Oversight - In a vested deal we look for insights, ways to improve outcomes, methods and processes that help all parties reach their goals.

Due to space constraints this is a simplification of VO but hopefully it will entice you to do more research. I am involved with a number of companies at this time assessing their capabilities for outsourcing, implementing VO, and researching the field. VO as a methodology will be a fundamental enabler or successful outsourcing.

-npv

Head First Java - What a way to learn Java and OO programming

2010-12-16T09:59:00.001-05:00

I occasionally teach Java programming at a local university and I am always on the lookout for books that can easily explain the necessary concepts to students. In addition, (like most people in the technical field) I have purchased literally hundreds of books over the years to explore new topic and to keep up on trends.

Most programming books are very formulaic -- Basic overview; Hello World; each chapter takes a concept and shows some coding samples etc... these books are text heavy and proceed with some esoteric examples that do not transfer well to student/reader experience.

Wow what a difference when I stumbled upon Head First Java; A Brain Friendly Guide by Kathy Sierra and Bert Bates. As I was browsing this book on Amazon I thought what kind of programming book is this -- cute pictures from the 1950's; strange graphics; not much text per page -- this can't be any good; does not appear serious enough. Was I wrong! The creators of the series and the authors have created an incredible way to make learning a new and technical topic easy, fun, and engaging; all without loosing touch with the material. A huge amount of serious technical material is covered. I actually found myself reading the book cover to cover and learning a few new things along the way.

What I Really Liked

Examples that are easy to understand - when explaining inheritance they use common household items and animals for their examples. This makes it easy to understand and explain to students. Many other books use the concept of shapes to explain inheritance -- from my experience this does not translate well to student's experience.
Making it Visual - actually help the reader remember concepts and puts the new material into a familiar "schema" so recall is easier.
Conversational - it's written in a conversational style free of jargon to help comprehension. Then the computer speak is added - now the reader understands the concept and is buzz word compliant.

This book is a bit dated; the 2nd edition was published in 2005; up to Java 5.0. This does not affect the quality of the work or detract from its value as a teaching aid.

I could go on because I love this book; but I will close by saying this book Rocks -- buy it for anyone interested in leaning Java and OO concepts; you won't regret it.

Good reading...

-npv

Windows Live Mesh 2011 - Key Component in My Backup Plan

2010-12-07T09:39:00.000-05:00

I have recently experienced a PC failure. The failure necessitated that I send the machine back to the manufacturer. My business requires that I be back up and running within a few hours which technically I was because I had a spare PC. The issues I experienced were as follows:

backups were a few days old - not bad but had some problems,
bookmarks were missing,
reconfiguring software took time - outlook, accounting packages, IDE environments, etc.
the "feel" between PC was different and took a while to get my productivity level back up.

In short, it took a few days to be back up and running normally. I wanted a better way to seamlessly move from one environment to the other and started to look for a more automated solution. This post explains what I did.

Windows Live Mesh 2011

I needed a program that would keep my documents, source code (that is not in source control), pst files, bookmarks, and music all in sync between two PC's and that is where Windows Live Mesh 2011 comes in. Microsoft advertises Mesh to do three main things (http://explore.live.com/windows-live-mesh-devices-sync-upgrade-ui?wa=wsignin1.0): Keeps files up to date across numerous computers, connect computers remotely, and sync program settings between computers -- sounds like what I needed.

I then configured my backup PC to match my working PC with respect to software and settings -- which I no longer use a "old" computer as a backup; I spent the extra money to have two computers of equal configuration for the kinds of tasks I subject them to.

I then loaded and configured Windows Mesh to sync the two computers. Microsoft's documentation and intuitive nature of Mesh made this easy. I can now move from one system to the other seamlessly. If my main PC should crash now I would be back up and running in the time it takes me to sign on to my backup. It is truly a hot back up. I have added to this the additional precaution of using windows backup of each PC should they have to have some type of full recovery but that seems unlikely.

Another feature of Windows Mesh is that Microsoft provides 5GB of cloud storage free of charge. I use this to sync some data to the cloud.

If your business requires seamless PC recovery you may consider this solution.

-npv

Windows Azure - Data Storage in the Cloud

2010-11-17T16:41:00.000-05:00

Cloud Computing

Industry hype has not been in short supply regarding cloud computing -- there is even a Microsoft commercial touting cloud computing for the every day user -- but until relatively recently I have not had clients asking me about it for industrial strength applications. I have put up a quick and dirty Amazon EC2 instance for some non-mission critical applications but I have not had mission crucial apps move to the cloud, why would this be the case - FUD, security, control, cost ...

I am now getting some serious queries related to the Microsoft Cloud offerings. Windows Azure offers two persistent data storage choices -- Windows Azure Table Storage and SQL Azure. In this post I will discuss features of the two choices, how they differ, and when one is a more appropriate choice.

SQLAzure

In Microsoft's cloud environment SQLAzure is analogous to SQLServer. It's not a 1:1 match, at the present time SQLAzure has a number of limitations compared to full blown SQLServer see http://msdn.microsoft.com/en-us/library/ee336245.aspx for more info. In general SQLAzure can be thought of as cloud based SQLServer. There are many good reference on Microsoft's site or provided by others to get you started.

What I immediately liked about SQLAzure was once you have a dB setup you can access it using the old familiar tools like SQLServer Management Studio (as long as you are using 2008 R2) and accessing the dB via your applications will also be familiar ground for the developers. As a matter of fact Microsoft provides tools for you to create and test connection strings; often times a topic of confusion, if the number of web discussions is any indication.

When getting started one area where SQLAzure differs from SQLServer is that you can not use the SSMS GUI to modify the schema or add data to tables, this work has to be done using SQL statements - templates are provided for assistance. Houston to the rescue (well kind of) -- https://manage-ch1.cloudapp.net/.

Project Houston is a very early Microsoft beta Silverlight application that supports tables, views, data entry, and stored procedures thru a SSMS like GUI. Folks who have been working with Microsoft for a while will know that when they call something beta it's going to be rough (this is early beta, so brace yourself) in contrast with Google a company that is known for betas that last for 5 years+.

Azure Table Storage

Now this construct will take some getting used to for people who are longtime RDBMS users. There has been some movement in the industry to simplify the RDBMS model -- loosen the rules a bit, if you will.

See: http://perspectives.mvdirona.com/CommentView,guid,afe46691-a293-4f9a-8900-5688a597726a.aspx or http://www.computerworld.com/s/article/9135086/No_to_SQL_Anti_database_movement_gains_steam_ or http://nosql-database.org/.

With table storage you don't have to deal with pesky features like indexes, referential integrity, views, or stored procedures. When I first started working with Table Storage I was reminded of IBM's VSAM (Virtual Storage Access Method) Keyed Sequence Data Sets or maybe a more common analogy would be a simple spreadsheet. Like a KSDS in VSAM the key provides efficient querying with limited constraints. Like a spreadsheet the table in Table Storage does not have a schema. The rows are a simple structure that contains data and the data does not have to be of a common type.

When to Use Which Technology

The bottom line question that is usually posed is; when would I use one approach over the other.

Size Matters -- From a data volume (scalability) point of view Table Storage is more scalable than SQLAzure, by far. Table Storage can currently scale to 100TB in size where SQLAzure limit is 50GB.

NoSQL or Not - If you are a traditional RDBMS company and you see benefits with the approach then you will opt for SQLAzure. If you are in the NoSQL camp and want a less restrictive more RESTful approach for data persistence then Table Storage would be more appropriate for your enterprise.

In-Out of The Cloud - With either approach data can be accessed via an application from in or out of the cloud. If you need the flexibility to move data from the cloud back into your data center databases then SQLAzure is the better choice. Not only does SQLAzure align from a technical perspective but there are tools to assist you in this migration.

Money Matters - As always cost will be a factor in any decision. Microsoft provides pricing information (http://www.microsoft.com/windowsazure/pricing/) and maybe you can cut a better deal if you are a large enterprise. I have signed up for Microsoft cloud services via the MSDN which allows developers access for testing and planning, an option for you to kick the tires for low cost.

I would be willing to bet that as new software is released SQLAzure looks more and more like SQLServer and the data limitations are removed.

Good luck in the cloud....

-npv

Android Development with Hello, Android 3rd Edition

2010-11-01T11:29:00.000-04:00

In a previous post I talked about my experience with the Android 2 phone and my desire to look into it from a development perspective. To that end, I purchased Ed Burnette's book Hello, Android 3rd Edition. What a great book on getting started with developing for the Android.

Basic Concepts to the Complex

Hello, Android takes you from the very basic steps of getting the Eclipse IDE set up for development to the more complex topics of data persistence (local storage and SQLite), graphics, and publishing to the Android market. Ed does this by taking an example; a Sudoku application and demonstrates the topics while building an application. I find this method of teaching technical material very effective and it worked extraordinarily well for me.

I especially liked the getting started chapters -- laying down a good foundation and I enjoyed learning about SQLLite a very nice little dB engine in a 150KB package.

One area I wish was covered in more detail is security in the Droid 2 development process. This is an area I plan on exploring in the future.

Overall, a great book to get you started in Android 2 development and highly recommended.

-npv

Android Development

2010-09-13T21:35:00.000-04:00

Life with an Android

I bought a Motorola Android phone 4 weeks ago and fell in love with it. What I liked about it was its; fit-and finish, Google application integration, and the intuitive UI. I had to purchase an application that would sync my Outlook contacts, notes and calendar but other than that everything I needed was on the phone when I opened the box. Who knows, maybe I have incentive to get off Outlook soon.

I had to return the phone due to a hardware issue. I was reluctant because after 4 weeks it was set up how I liked it, things were working great. The day my replacement phone arrived I thought I was in for a few hours of work as I made the switch. I was in for a pleasant surprise -- after activating the phone and giving it my gmail account info I was up and running on the new phone in less than10 minutes -- all my settings with the exception of my speed dial numbers were set up automatically. It was fantastic. I was impressed.

Open Platform

I then started looking into application development on the Android and discovered lots of benefits to being on the Android OS. It is a truly open development platform based on Linux and open source. As a developer you are not locked into a vendor. Third party applications are treated as equals to native applications. Third party app developers have access to the same API's, all code is executed in the same run time environment, system services are exposed the same way to all developers, and you are permitted to add your code to the Android market place.

Installing the Tools for Android Development

I thought it would be interesting to explore the Android development environment. So I set up my PC to do some Android programming, if you are going to do this you will need to:

Download and install the latest Sun JDK SE.
Download and install Eclipse - I used Eclipse IDE for Java Developers.
Install the Android SDK.
In Eclipse you will install a plug-in called the Android Development Toolkit (ADT).

Each of the components listed above is free of charge and you will find plenty of instructions on the web to walk you through the install process. However, as I set up my development environment I did run into an error that I had a difficult time figuring out a solution for and I could not find an answer for on the web.

Error in Eclipse Setup -- Android not showing up in Eclipse Preferences

After the ADT plug-in is installed within Eclipse you should then be able to set your preferences for the Android environment by selecting Window -- Preferences and Android should be the second option in the left-hand pane. However, in my environment (Windows 7 Ultimate, 64 bit) the Android option was not available. Strangely, I had to run the Eclipse program as an administrator (even though I was signed on with admin privileges) and install the ADT (after uninstalling it from my first try), the Android preference option was then available. You don't have to continue to run Eclipse as an admin only for the initial set up.

I plan on doing some application development for this platform and periodically I will report my findings and any issues/solutions.

Hope this helps

-npv

PKI Certificate Policy Creation

2010-06-18T10:54:00.000-04:00

Part of planning and implementing x.509 certificates for enterprise usage involves documenting the appropriate policies and procedures. Input for these documents comes from a variety of sources - the organization's technology and legal departments as well as any vendor used.

Categories of Documentation

There are numerous ways to organize this documentation and I will outline a method in this post. Documentation can be organized into three main categories, see diagram below.

Policies from higher levels feed into lower level documents creating a logical chain of information appropriate for various audiences in the company.

Security Policies - the usage of certificates can be documented in existing security policies; should they exist. The SP for certificates should include information such as: the current applications that will require certificates, type of situations and data requiring certificates, security services that exist for their usage, and list responsible people such as business and technical owners of the system.
Certificate Policies - these are specific policies as they pertain to the usage of certificates. This document will contain info related to the Certificate Authority (CA), Registration Authority (RA), and Local Registration Authority (LRA). Technical information would include key lengths, position on weak ciphers (SSL 1.0, 2.0, 3.0), key management, revocation policies, and audit requirements.
Certificate Practice Statement - the CPS translates the policies into practical guidance. This document contains the most detail and will include a long list of items:

CA information - certificate name -O, OU, C. certificate DNS,
Usage Info - how are certs issued, revoked, when do they expire, how are they recovered, who are the admins, usage of cross certificates.
Certificate Expiration - after a cert expires what is the process or renewal.
Revocation Lists - usage of CRL and or OCSP.
Usage of the CA administrative tools (web site).
Usage of the CA enrollment web site.
Certificate installation support process and method. This can be a knowledge base that assists users of your certificate with implementation information. If a help desk is available information on how to contact them would be provided.

Understanding the types of documentation that should be created when implementing certificates will also assist you in the actual implementation process, as it will give you a blue print of the types of decisions that need to be made before implementation and will provide a preview to some of the issues you may encounter.

As always I hope this helped....

-npv

IIS 7 as Web Front End to Systinet UDDI (or any Java Application)

2009-11-20T12:47:00.000-05:00

It seems like an easy problem to solve. You have a java application listening on port 8080 (in this case Systinet) and you want to use Microsoft IIS to front end the incoming requests. I found that a number of people had this issue and there was not clear directions on how to solve the problem. HP support had little sympathy and suggested we stay with Jetty (Jetty ships with Systinet).

Some background on the problem that needed to be solved - I have a UDDI registry (java based set of services) on the application server. Test service registry calls to: http://localhost:8080/uddi/inquiry work perfectly fine. In this case the service calls are accessing the registry directly.

The goal is to have the service calls from user community come into IIS and these calls would look something like: http://localhost/uddi/inquiry. In production of course we can substitute the IP for localhost.

Solving the Problem

A lot has been written on the web about solving this problem but everything I read didn't seem to work or was based on a different version of IIS or used another software add-in, such as APE by Helicon. We didn't want to add another piece of software into the mix.

This is how I solved this problem:

First, download and install ARR from Microsoft -- http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=ed922306-0d35-4764-8c2c-a378b54e90e1.

Application Request Routing (ARR) is a IIS module from MS that forwards HTTP requests to application servers. After ARR installs successfully you will notice a number of new features in your IIS management console. For the problem at hand, the Server Farms functionality is a key component to the solution.

The second step is to create a new server farm - right click on server farms and select Create Server Farm:

In this example my server farm is all on one physical server -- Systinet and IIS are on the same server. As you set up the new server farm you will be asked a series of questions. In the second panel of the Server Farm set up wizard - enter server address (in this example localhost) then press the add button. After the new server is added, select the advanced settings link. Then open the application request routing link and change the port to 8080. Then press finish. See screen shot below.

The third step in the process - you have to set up routing rules for the new server farm. In the IIS management console select the new server farm you just created and double click on the Routing Rules (note you have to be in Feature View to see these options):

When you get into the Routing Rules area be sure to select the option that reads Use URL Rewrite to inspect incoming requests and assuming you are not using SSL deselect the option that reads Enable SSL offloading. You may accept all other defaults on this page.

Save the Routing Rules by selecting Apply in the Action pane on the right.

For the last step in the process select URL Rewrite in the Action pane on the right. The URL Rewrite screen should look something like the screen shot below. Be sure that your Action Type is Route to Server Farm and the pattern match is set up correctly.

From the URL Rewrite screen select Add Rules option and add a Blank rule. The Edit Inbound Rule screen will then be displayed. Set up the inbound rule to look like the screen below:

Apply the changes and you are done!

I verified my work by creating a VB.Net test application that makes UDDI calls to the registry. If I connect to the registry with the following connection string - Dim myConn As New Microsoft.Uddi.UddiConnection("http://localhost:8080/uddi/inquiry") the application is accessing Systinet directly and it works fine but does not use IIS.

However, if I use this connection string (notice the absence of port number in connection) -
Dim myConn As New Microsoft.Uddi.UddiConnection("http://localhost/uddi/inquiry") I am accessing the registry via IIS and the request is successfully routed to Systinet on port 8080 via the Server Farm and URL Rewrite Rules that were established above.

I hope this helps....

-npv

Below is an update to this blog entry -- setting up SSL in an IIS server farm - 02-10-2010

The steps that I took to use SSL to protect my web service -- Systinent UDDI -- are defined below.

First, you will need to create your CSR (certificate Signing Request) in IIS. The steps for requesting and installing the certificate are straight forward and well documented. One item of caution however, make sure the certificate name which will translate to "issue to" in IIS, matches the site you are calling. For example; in my test environment I intend to call: https://nick-dell/uddi/inquiry therefore the name of the cert should be nick-dell.

After you have requested and installed the certificate (this is installed at the root level in IIS), your next step is to be sure that the company that has issued your certificate has their root certificate installed in your trusted root store. This will complete the chain of trust between your certificate and the issuing authority. The company that issues the certificate will have instructions on doing this. In general, the company issuing the certificate will give you a link to their root certificate. You will install the cert on your IIS machine. Be sure you install it into the trusted root store.

At this point your certs are installed and the trust chain is established. The next steps will configure IIS and the server farm to use the certificate you just installed. The first step in this process is to bind your certificate to the web site. In my case, this was not intuitive in that I did not have a web site per se, I was calling a web service on another server -- in this case the certificate has to be bound to IIS's default web site. Right click on the default web site and select edit bindings; see screen print below:

The next screen will allow you to bind your certificate to to the https port - 443. Screen shot below:

At this point in the process the SSL certificate is bound to your IIS site. Again, the cert is bound to the default web site not to the server farm.

We are almost done configuring the web site. The next steps involve changes to the web server farm that we set up in the beginning of this post. In the current version of IIS there is no way to edit the properties of a server in the server farm so you have to delete the server and re-add with the new properties.

If you have been following this post from the beginning; your next step will be to remove the server from the IIS farm. If you are installing from scratch then obviously there will be no server to remove. See delete of server screen shot on left:

When the server is removed a new server must be re-added with the appropriate Application Request Routing rules established. See Screen shot below:

My web service was listening on 8080 and 8443 so the server in the farm is put on the same ports. The calls into IIS will come in on the standard 80 and 443.

The last item you should check is the routing rules that we created earlier in the process. Select your server farm and then select routing rules. Make sure that the check box for SSL off loading remains unchecked. In addition, the if you have established URL rewrite rules as I deomstrated above; the "Scheme" for the rule should remain as http not https.

The final item I will mention is the requirement to support SSL and non-SSL traffic. IIS makes this very easy option to set. Select SSL settings for the the default web site. You will then see a check box that if selected will require the use of SSL. If you want to support both SSL and non-SSL calls to the site then leave this unchecked.

Your IIS proxy should now work with X.509 certificates.

As always I hope this helps ...

-npv

VeriSign Managed PKI and IIS

2009-08-18T19:25:00.000-04:00

I was contracted to set up a managed PKI site for a client. We choose VeriSign Managed PKI. All in all VeriSign works well and is easy to set up. I was conducting some tests and hit a couple snags. I thought others would benefit if I documented them and provided a solution:

VeriSign Managed PKI - Enrolling for a Cert

After you have successfully generated a CSR (Certificate Signing Request); I used IIS to create the CSR and the enrollment process to create a certificate on VeriSign's website is straight forward. The questions that are asked are what you would expect.

The one catch -- like a misdirection in a crossword puzzle - I received an error message that read "Error 950b - Invalid State". Hmmm, I start thinking like a computer science guy -- is this an information processing state, a compatible state, or maybe something related to the state of the server?

Then in dawns on me -- oh, a state like in the United States!! I get it. I used the abbreviation for the state of Connecticut (CT) when I created my CSR and that is what VeriSign did not like; you have to spell it out -- so remember no abbreviations for the state in the CSR.

IIS - Installing the Certificate

After I figured out my "state" error and successfully submitted the certificate request, VeriSign then sent the certificate. Installation of the certificate was also somewhat straight forward except for a hiccup with IIS. In IIS, once you have the certificate from the CA you install it by selecting the "Complete Certificate Request" link.

However, in IIS 7.0 when you point to the file name provided by VeriSign you get an error of "Cannot find the certificate request associated with this certificate file. A certificate request must be completed on the computer where it was created." Like any good MS developer, I took this in stride and tried again and got the error message "ASN1 bad tag value". At which point I was stuck. I happened to press F5 refreshing the screen and the server certificate was then presnted in the list box. This should be fixed in subsequent versions of IIS.

I hope this can help others when dealing with VeriSign mPKI and IIS.

-npv

Can Silverlight be This Cumbersome?

2009-06-24T11:27:00.000-04:00

First off a confession - I am not a front end GUI designer kind of guy. I have traditionally left that to others on my projects but I have done some UI design in my career. Furthermore I am familiar with Flash development so when MS came out with Silverlight (SL) I was intrigued but did not pursue it in detail until recently. I was asked by a client, a Microsoft based enterprise, to do an evaluation of Silverlight for some rich web content development they had in mind. The goal was to determine how easily Silverlight was to work with and how well SL would integrate into their overall application architecture.

Silverlight 2.0 Set-up

No issues here. I am using VS 2008 on Vista and had no issues downloading or installing SL packages. I then created a a Silverlight project with the intent of creating a basic Silverlight page or two... then the fun began.

Silverlight Issues:

I open up the VS toolbox and attempt to drag a button onto the page and designer does not support that; come again?? I must have done something wrong.... check settings, scratch head, try again... no luck. OK, I am a real man but I will read the manual anyway.... everyone is having this problem -- no drag and drop.

To get the button on the screen you have to hand code the XAML. So I hand coded the button and a text box with of course the corresponding properties.

I did get this small app to work and developed a few more complicated examples as a Proof of Concept for my client.

Microsoft is also offering a free hosting solution for Silverlight applications as a way to test your SL apps. You can sign up for this by visiting: http://silverlight.live.com/. This site worked very well and I had my SL applications up and running for demo in no time.

My next attempt to deal with the cumbersome process of hand coding XAML was to try and port my project to MS Expression Blend with the hope that I could eliminate some of the issues faced in VS 2008.... but no. Expression Blend found all kinds of "errors" in the XAML that VS was fine with. I have since found other reports on the web that indicate that the XAML created in VS is not compatible across Microsoft products.

Navigation

Transitioning from page to page in a Silverlight application should be straightforward, after all we have been doing this with MS tools for a long time. Surprisingly, MS did not supply any built in navigational capabilities within Silverlight. Multiple user controls can be added to a SL application but there is no automated way to transition from one to another. SL does provide a HyperlinkButton control, its purpose is to link between HTML pages. If the user clicks on the HyperlinkButton control then the Silverlight application is unloaded and the user is directed to a new URL. If this new application is a SL app then a new instance of SL is started all over again. While this is cumbersome to code it's undoubtedly a performance problem as well.

A nice feature of Silverlight development is you do not require a separate design tool or different programming language for RIA development. Furthermore, the calling of server-side .Net code is much easier with SL than with Flash.

To address the XAML issues I am told to purchase VS Team Edition and things will work better.... oh well, maybe I will wait for the next version of Silverlight and in the mean time I will stay with CSS and Ajax.

TrackMeNot - Obfuscation and Security

2009-05-06T15:58:00.000-04:00

Our Searches Define Us

The Atlantic Monthly magazine recently published an article about Internet search privacy -- Atlantic Monthly May 2009; "Without a Trace" (http://www.theatlantic.com/doc/200905/web-tracking). This article got me thinking that it has become a fairly hot topic -- Internet search companies (Yahoo!, Google, MSN etc...) storing our search data, potentially correlating it with our identity, and using it to sell us stuff or handing it over to the government to determine if we have been thinking about doing something illegal. Back in 2006 the NY Times reported that it was fairly trivial task to tie a particular user to their searches that were saved and published by AOL. In the same article the DOJ (Department of Justice) is accused of coercing search companies into handing over search data.

TrackMeNot

Concern over the privacy of searches has lead to tools that will hide search results. TrackMeNot (TMN) is a software Add-on for Firefox that generates a series of fake queries to obfuscate the users real search intentions. TMN was created by Daniel Howe and Helen Nissenbaum both affiliated with New York University. From the TMN site, it is defined as:

"TrackMeNot is a lightweight browser extension that helps protect web searchers from surveillance and data-profiling by search engines. It does so not by means of concealment or encryption (i.e. covering one's tracks), but instead, paradoxically, by the opposite strategy: noise and obfuscation. With TrackMeNot, actual web searches, lost in a cloud of false leads, are essentially hidden in plain view. User-installed TrackMeNot works with the Firefox Browser and popular search engines (AOL, Yahoo!, Google, and MSN) and requires no 3rd-party servers or services." http://mrl.nyu.ed/~dhowe/trackmenot/

Will TMN Work?

Creating noise in the communication channel would make the data mining problem more difficult but would it really stop someone from determining if you were doing something they needed to pay attention to; I don't think so.

Let's say you were interested in researching some illegal activity, such as car theft. In doing your research you used Google to search for something like -- "hot wiring cars", "easiest auto to steal". Now suppose TMN adds hundreds of innocuous false searches like "bird watching", "movie reviews" etc. This noise might bog down an analyst researching these queries using paper and pencil but would it stop a computer program analyzing millions of searches? No it wouldn't. Additionally, it wouldn't matter how many false queries were in the mix if I only cared about hits on "interesting" subjects like automobile theft.

Obfuscation is not Computer Security

Users who are serious about privacy will use an anonymization software product -- products such as: Tor, JonDo, or Anonymizer.

ASP.Net - Model View Conrtoller (MVC) Framework

2009-04-04T15:14:00.000-04:00

Microsoft Download

Microsoft is providing a very useful download for creating MVC applications using ASP.Net 3.5 run time. The install is very straight forward and I did not experience any issues. I am using VS 2008 Professional Edition on Vista.

Get the download from Microsoft:

http://www.microsoft.com/downloads/details.aspx?FamilyID=53289097-73ce-43bf-b6a6-35e00103cb4b&displaylang=en

Model View Controller Pattern

The MVC framework has been used for a long time now. It was first defined in the late 70's but came into its own in the 1990's and is widely used today. It's a great way to separate business logic from the user interface. Do a quick web search should you need to convince yourself of the utlity of this pattern.

Using the Framework

ASP.Net MVC 1.0 -- with this framework Visual Studio will generate the inital code for the models, views, and controllers. Much of the code framework is in place for you and your job is to expand on that code.

I used the framework to quickly create a intranet application that a client needed to query a dB, retrieve rows, and allow the client to update that data. In very short order I had a well designed application -- becasue we all know a customer asks for a very quick thing and it then can take on a life of its own and pretty soon you have a large application that is around for many years -- that could be built upon later if need be.

Getting Started:

I would highly recommend checking out this site:

http://www.asp.net/learn/MVC/tutorial-21-vb.aspx.

It is an ASP.Net tutorial that takes you step by step through using the MVC framework. I had no problems setting up and using the framework. One thing I did change with this tutorial is I used SQL Server Enterprise Edition not Express because that was easier for me. The steps for using EE are pretty much the same as if you were to use Express.

Give it a try....

-npv

Microsoft Data Access -- It's Getting Confusing

2009-01-09T15:43:00.000-05:00

Well in actuality Microsoft data access has always been confusing due to too many choices. A decision theory paradox is that too many options causes decision paralysis and that has been the case with Microsoft data access methods for a very long time -- many will recall RDO, ADO, ODBC, and now we have LINQ, ADO.Net Core, ADO.Net Data Services Framework, ADO.Net Entity Framework .... Add to this that Microsoft and some other who may be just stirring the pot have published that LINQ may not be a strategic dirction for the Redmond Gods... What is an architect or development lead to do... ??

I have always found it difficult to read the tea leaves regarding technology direction. It would see that the best an architect can do is follow the advice provided by Microsoft in their Application Architecture Guide. This is part of the Pocket Guide Series collection. The use case based advice they provide is:

ADO.NET Core

Consider using ADO.NET Core if you:

• Need to use low level API for full control over data access your application.
• Want to leverage the existing investment made into ADO.NET providers.
• Are using traditional data access logic against the database.
• Do not need the additional functionality offered by the other data access technologies.
• Are building an application that needs to support disconnected data access experience.

ADO.NET Data Services Framework

Consider using ADO.NET Data Services Framework if you:

• Are developing a Silverlight application and want to access data through a data centric
service interface.
• Are developing a rich client application and want to access data through a data centric
service interface.
• Are developing N-tier application and want to access data through data centric service
interface.

ADO.NET Entity Framework

Consider using ADO.NET Entity Framework (EF) if you:

• Need to share a conceptual model across applications and services.
• Need to map a single class to multiple tables via Inheritance.
• Need to query relational stores other than the Microsoft SQL Server family of products.
• Have an object model that you must map to a relational model using a flexible schema.
• Need the flexibility of separating the mapping schema from the object model.

ADO.NET Sync Services

Consider using ADO.NET Sync Services if you:

• Need to build an application that supports occasionally connected scenarios.
• Need collaboration between databases.

LINQ to Data Services

Consider using LINQ to Data Services if you:

• Are using data returned from ADO.NET Data Services in a client.
• Want to execute queries against client-side data using LINQ syntax.
• Want to execute queries against REST data using LINQ syntax.

LINQ to DataSets
Consider using LINQ to DataSets if you:

• Want to execute queries against a Dataset, including queries that join tables.
• Want to use a common query language instead of writing iterative code.

LINQ to Entities
Consider using LINQ to Entities if you:

• Are using the ADO.NET Entity Framework
• Need to execute queries over strongly-typed entities.
• Want to execute queries against relational data using LINQ syntax.

LINQ to Objects
Consider using LINQ to Objects if you:

• Need to execute queries against a collection.
• Want to execute queries against file directories.
• Want to execute queries against in-memory objects using LINQ syntax.

LINQ to XML
Consider using LINQ to XML if you:

• Are using XML data in your application.
• Want to execute queries against XML data using LINQ syntax.

LINQ to SQL Considerations

LINQ to Entities is the recommended solution for LINQ to relational database scenarios. LINQ to SQL will continue to be supported but will not be a primary focus for innovation or
improvement. If you are already relying upon LINQ to SQL you can continue using it. For new
Rich Internet Application Architecture solutions, consider using LINQ to Entities instead. At the time of this writing, this is the product group position:

“We will continue make some investments in LINQ to SQL based on customer feedback.
This post was about making our intentions for future innovation clear and to call out the fact that as of .NET 4.0, LINQ to Entities will be the recommended data access solution for LINQ to
relational scenarios.”

Keep reading and keep watching...

'

The Missing LINQ

2008-12-10T15:21:00.000-05:00

I recently returned from a Microsoft training session for the data access technology called -- LINQ (Language Integrated Query). In short, I am impressed.

Ever since graduate school I have been thinking about and working through the issue commonly known as impedance mismatch. In software engineering impedance mismatch is the difficulties that arise between a programming language and the relational database system used to persist data. In an OO language there is disconnect between the language and the dB constructs. This mismatch occurs at various levels -- data structure, data types, data models, and the way in which the engineer programs in an OO language vs. SQL. This mismatch is exacerbated when you add additional data stores -- how we access a RDBMS is different than how we access LDAP, which is different from how we access XML, and they are all different from the language that we are programming in, VB.net for example.

The Missing LINQ

LINQ is not a new programming language. LINQ is integrated into the .net languages -- VB.net, C#. The beauty of LINQ is that once you learn its syntax and concepts the methods by which you access data are the same (or at least very similar) across data sources. This has two key benefits -- one, the language that you access the data source with is the same as the language you are programming in and two, disparate data sources are accessed using very similar syntax.

The diagram below provides an overview of the LINQ architecture. Click on image for clearer view.

Support in multiple .net languages integrate with LINQ.

LINQ engine provides interface between the programming language and the LINQ providers.

LINQ providers support multiple data sources so the developer can use the same concepts and syntax to access data stored in different formats.

Closer language integration means easier coding and testing.

Will LINQ Fly

As a technology LINQ is fabulous and will only get better. Will LINQ take hold with developers and IT departments? If you were developing a system from scratch you would be much more likely to use the technology, however the "L" word (Legacy Code) is bound to be an issue. As companies add LINQ to their technology toolbox their will be a point that adding another technology for data access will be just too painful. I would hope that architects and designers begin to steer their companies towards this compelling technology. I have a few customers that have dabbled with LINQ but as of yet I have not seen a big push to the technology... Time will tell.

Some books I have found helpful when learning LINQ are:

Programming Microsoft LINQ by Paolo Pialorsi and Marco Russo

http://www.amazon.com/Programming-Microsoft%C2%AE-PRO-Developer-Paolo-Pialorsi/dp/0735624003/ref=pd_bbs_sr_3?ie=UTF8&s=books&qid=1228942086&sr=8-3

ProLINQ: Language Integrated Query in C# by Joseph Rattz Jr.

http://www.amazon.com/Pro-LINQ-Language-Integrated-Windows-Net/dp/1590597893/ref=pd_bbs_sr_1_s9_rk?ie=UTF8&s=books&s9r=8a02b541179b7cc00117aa39be1302e0&itemPosition=1&qid=1228942086&sr=8-1

As more of my clients begin to use LINQ I will share my experiences.

Roles Management or Identity Management – What comes first?

2008-11-26T16:14:00.000-05:00

“What do we implement first, a roles management system or an Identity Management system?” I get asked this question frequently by clients contemplating a project to put order to their roles management and provisioning process. Unfortunately, like a lot of things in life the answer depends -- and it depends on a number of factors, some of which are:

Your current situation – do you have some sort of system(s) in place already, what tools are you currently using and how well will with integrate with an IdM or roles solutions.

Where are the current pain points – I have had clients starting out wanting an IdM solution only to change gears as analysis reveals that the current pain point is around roles.

Green field – no systems online to perform these tasks – well this is a nice place to be and you have some choices (see below for standalone IdM vs. combined IdM and Roles Management).

Budge Size: Poor Man’s IdM – I have had clients use a roles management system and make some integration enhancements to create a low end provisioning solution.

A critical point to consider when choosing a direction is the trade off between a best of breed solution or a one vendor solution. Purchasing an IdM and Roles Management solution separately and integrating has some downside risks, such as integration costs and gottchs tend to rise.

Most companies look to a one vendor solution if they are in a green field situation. Some obvious one vendor solutions are SUN – use SUN Identity Manager and you get their newly acquired Vaau system for roles management. There is a similar solution option with Oracle and their
acquisition of BridgeStream.

Once you choose a vendor(s) direction the next critical question will be identity mapping process and which package (IdM or Roles Management) will become the reconciliation hub for identities and entitlements across the enterprise. My experience has been that this integration can be done in either tool but if you are planning to implement both IdM and Roles Management with separate packages I would architect the IdM act as the enterprise identity vault and be the source of record for the collected data.

These are a few of the items to consider in your IdM and Roles Management acquisition process.

Vista - Add Windows Authentication Provider for IIS 7.0

2008-11-21T13:21:00.000-05:00

I had installed IIS 7.0 in Windows Vista (Ultimate) machine and sat down to work on some ASP.Net application for a client. As I tried to use a site location choice of HTTP and I get an error message telling me to configure Windows Authentication ... but how??

Well after some looking around here is how to add Windows Authentication to IIS after it has been installed (Note: during install the default is not to install windows authN).

In Vista: Open Control Panel --> select Programs and Features --> Select Turn Windows Features On-Off --> Locate IIS --> Select Security Node --> and you will find Windows Authentication.

I hope this saves you some time

-npv