Author Archive

Setting Security Certificate: What VMware Did Not Tell You

March 20th, 2014 No comments

In my last article, I discussed on the format requirement for Java APIs and how I found out the root cause and its solution. Even more mysterious is the format requirement of VMware vCenter as I discovered in another VMware related project, in which I needed to register an extension with vCenter and set up its certificate.

Categories: vSphere API Tags: , , ,

Reading X.509 Certificate in Java: How to Handle Format Issue

March 16th, 2014 12 comments

I got into a very interesting problem while writing code to read a X.509 certificate. It’s a standard PEM encoded certificate (shown below) as you would find anywhere else.

-----BEGIN CERTIFICATE-----IBAgIJAKMIIDRTCCAi2gAwlwrFcAdHQtMA0GCSqGSIb3DQEBBQUAMCAxHjAcBgNVBAMTFWxvY2FsaG9zdC5sb2NhbGRvbWFpbjAeFw0xNDAyMjExMzM4NTBaFw0yNDAyMTkxMzM4NTBaMCAxHjAcBgNVBAMTFWxvY2FsaG9zdC5sb2NhbGRvbWFpbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPFUHIMCZdvngHxBhSPf2LezpXTzQ7cOsfv2G0xVBJjkYKfffLxKmm0S3/ZEeGoXz1x/kQUoohYMf4ormOZwO+XL/9aVvj569t8siykGa0u15vAl2JASbHdGtzccD7V/3sz9rW5lLGq+ZsdU4n9r0opwSwlr6dSkWmv2OC8joSxwGWVbZREWi5j0vf/F76WjTSNHIruJpeST476UFBVrh633cwRoJoyDkuvM2lpze1WGBLKqk/kmGcnpBsjdDLGDKHgxlou3BstBjuq6nYaFAV1zHCc9SyM0KmZs8UJ5TX/3vnpxCyCMbcz9mGYU8Z+6eKVLG3xT7iWQsf1JZZMVwPUCAwEAAaOBgTB/MB0GA1UdDgQWBBRQc0tKrMgUvO6ne29Yfvp7U/28iDBQBgNVHSMESTBHgBRQc0tKrMgUvO6ne29Yfvp7U/28iKEkpCIwIDEeMBwGA1UEAxMVbG9jYWxob3N0LmxvY2FsZG9tYWluggkAqXCsVwB0dC0wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAVn+5vniECIvs4IdW+Ix556daxP7mu7Xu1AoUxtMCXkwGovkuQvguabd+WAV2nQKVEdCC9b61mGQAueCHWaONGV2ZkMIHh5uoheiX8QAkbxjYijXlqS7bPbFW9faF8icrXg1rKuRTW/rt7WVL7FER/88zU65b5HCzyXfRrb48E4xBBpSc/QE/zgtHWqxeFG/+FJvJBRlXtxDZRWbLCy0HhZf0SvcPoQ1JqHI0lJC43RQzXrfo9GGVS34wb7Pi+6lYHVnh71zfypXXDrfzKzEJM+zwri6KX+BpSMV9pMqgqeew+Bp95+uKYTY4bnOixW/3X80t+2zMnJqPJ62UhHuKzw==-----END CERTIFICATE-----

The exception is as follows. It’s pretty clear, but also confusing because the certificate string has included both BEGIN and END. It seems to me very complete. Of course, the program does not lie and we have to trust it most of the time unless there is a bug.

Categories: Uncategorized Tags: , , ,

Cisco UCS Director REST APIs: Step By Step Tutorial

March 10th, 2014 7 comments

As I introduced in last article, there are two sets of APIs in UCS Director: north bound APIs, and south bound APIs. The north bound APIs are REST styled, allowing other applications to invoke UCS Director functionalities, or simply retrieve information from UCS Director. We’ll go through the REST APIs in details so that you can quickly get started with it.


Nginx: How to Fix Timeout Issues and More

March 2nd, 2014 5 comments

If you’ve followed my blog, you’ve read several articles on Nginx. This is the last article of the series, and also an interesting one. While troubleshooting a system I helped to build, I found a very challenging problem that I think is worthwhile to share. The system consists of a client and a server, between which is a Nginx server as reversed proxy. This is a typical setting for flexibility and control. Somehow, the client got disconnected pretty consistently but the back end work went through successfully. It’s really a false alarm but not good for a product.

Categories: Applications & Tools Tags: , ,

Cisco UCS Director: An Overview of APIs

February 26th, 2014 3 comments

I just went through a two day training course on Cisco UCS Director APIs that covers both the REST APIs and Open Automation SDK. For people who don’t know UCS Director yet, it’s the orchestration engine Cisco acquired from a start-up company Cloupia more than one year ago. If you know VMware vCenter Orchestrator, UCS Director is something very similar but with more features on various hardware components for converged infrastructure. To fit into its unified data center strategy, Cisco re-branded it as UCS Director.

Nginx: How to Find out Real Source of HTTP Request

February 19th, 2014 2 comments

In a recent project using Nginx as reversed proxy server, I got into an interesting problem: how can the server behind the Nginx tell whether a HTTP request comes from remote host or local host? If I just look at the IP header of the request, they are all local because the reversed-proxied packets from remote seems to be sent from local as well. So I cannot really tell the source of a HTTP request.

Categories: Software Development Tags: , ,

Refreshing vSphere Web Client Plugin

February 11th, 2014 1 comment

While debugging a vSphere Web Client plugin project, I found it’s not easy to refresh the services with the Virgo server which acts as the back end for the plugin GUI but as client for the vCenter server. Packaged as OSGi bundle, it’s supposed to be easy to reload the service. Mixed together with various components in the plugins, however, it’s sometimes not quite straight forward for the re-deployment for updated code. Here is a brute force approach I found while playing with it.

Authenticating Users in Nginx Using Both User Password and Client Certificates

February 5th, 2014 No comments

In some use cases, you want to protect different parts of a Web application with different approaches. For example, the admin related resources normally require stronger mechanism than the user related ones. The following I will show how to use Nginx with client side certificate for the resources under /admin namespace for admins, and user/name for normal users.

Generating Certificates and Keys

Simplest Way to Encode Base64 in Java

February 3rd, 2014 4 comments

Base64 is a straight forward encoding for binary data into readable characters (RFC 4648 and RFC 2045). Although you can do it by yourself, more often than not you would like use an existing library, for example, Apache common. If you just need the Base64 encoding but have to import the whole library, it’s not a good idea. There is actually a better way without introducing extra dependency, which is to hack Java standard library 1.6.

MultiSSH: Productivity Multiplier for Managing Multiple Servers like ESXi

January 28th, 2014 1 comment

As I develop software, I rarely need to manage several servers using SSH at same time. If I do, I just manually connect to each server and type same commands over and over. Of course, it takes much time for the repeated work. More importantly, it’s very hard to repeat the steps consistently across multiple servers especially when there are more than 4 servers.

Categories: Applications & Tools Tags:

User Authentication with Thrift Service: Comparing Different Approaches

January 27th, 2014 No comments

We’ve covered Apache Thrift in last few articles from simple HelloWorld sample, Python Thrift client, to the securing Thrift traffic. Here I am going to discuss more on user authentication, which is a must for protecting the services and user authorization. This is in general a weakness of Thrift, but could be solved with different approaches. Having said that, if you have chosen Thrift, you probably build internal system where user access control is not important.

Categories: Uncategorized Tags:

Securing Thrift Traffic: Uncommon But Important Use Case

January 22nd, 2014 No comments

Thrift is mostly used for distributed systems which run mostly in house. There is no strong demand for securing the traffic on the wire. There are however use cases in which the Thrift services are exposed as a public service. In these use cases, the Thrift traffic should be secured with SSL/TLS. It comes with a price which more work on client and server on encryption and decryption. This is not a big deal for light load server, but for heavy load server it could be a problem. It can be mitigated with hardware acceleration on load balance servers between which and the client can be SSL, but not after that to the Thrift server.

Categories: Software Development Tags: ,

Thrift Client in Python: Hello World Sample

January 20th, 2014 No comments

As mentioned in my last post, Thrift is a cross-language and cross platform RPC framework. We’ve seen how a Java based Thrift server and client work there. Let’s take a look how to write a quick python script that connects to the Java Thrift server. It’s all possibe to write a Python based Thrift server, but probably not what most people want to do due to performance and scalability.

Apache Thrift Hello World Sample

January 15th, 2014 No comments

Thrift is one of the RPC frameworks that are widely used nowadays. It’s originally developed at Facebook and then open sourced under Apache Foundataion. It’s supported by major programming or scripting languages like Java, C++, Python, Ruby, etc. The typical use case is for building distributed systems, mostly in house.

Categories: Applications & Tools Tags: ,

Tomcat Behind Proxy: How to Block Direct Access

January 14th, 2014 1 comment

As discussed in my last post, after installing and configuring Nginx as the reversed proxy server for Tomcat, it’s necessary to block remote access to the original port served by Tomcat. To achieve this, iptables should be a good solution. Simpler solution is to change one line in the Tomcat server configuration file so that Tomcat accepts only requests from local host.

With Tomcat 7 on Ubuntu, the configuration file is /var/lib/tomcat7/conf/server.xml. Just add address=”″ into the related Connector section as follows:

Linux Firewall with iptables Command

January 12th, 2014 1 comment

After proxying a service with Nginx, it’s always a good idea to block the service from direct remote access. For example, you have a tomcat server running on port 8080, and you’ve configured Nginx to proxy requests from port 80 to port 8080. The port 8080 should then be blocked from any host except localhost.

To do this on Linux, one of the ways is to just install iptables. On Ubuntu, issue the following commands to install and add rules:

Announcing vijavaNG: Much Lighter and Faster with Commercial License and Support

January 8th, 2014 19 comments

Since I left VCE four months ago, I have been working intensively on a commercial version of the open source vijava API supporting all versions of vSphere APIs (5.5 is the latest). If you have used the open source API, you know the vijava is much faster than other alternatives. Since its debut, it has been used in many commercial products from companies like Cisco, EMC, HP, etc.

Nginx with PAM Authentication

January 7th, 2014 6 comments

As I introduced in last article, Nginx is a lightweight Web and reversed proxy server that is gaining momentum. If you have URLs to be accessed only by authenticated users, you can have many options. In this article, I just introduce a very easy way for the Nginx to leverage the PAM (Pluggable Authentication Module) for user authentication. We will use OS user for authentication (there are many more methods supported by PAM). If you have a valid user with the Linux on which Nginx runs, your request will pass through; otherwise, it would be blocked.

Categories: Applications & Tools Tags: , , ,

Configuring Nginx as Reversed Proxy Server for HTTPS

January 6th, 2014 No comments

Nginx (pronounced as ‘engine x’) is a light-weight HTTP/reverse proxy/mail proxy server written by Igor Sysoe. It is flexible, lightweight compared, and high-performant with Apache. The official nginx site is here. The beginner guide is a very good starting point. The following is based on my hands-on experience with Nginx. If you have similar requirement, you can copy over the scripts and configuration for your environment.

Installing and running Nginx

Categories: Applications & Tools Tags: , ,

Three Ways to Get Certificate and Thumbprint from ESXi

January 2nd, 2014 1 comment

Happy New Year 2014!

When adding a new ESXi host to vCenter server via vSphere API, you can supply the certificate thumbprint of the ESXi server expected to have. Before calling the vSphere API, you can get the thumbprint directly or indirectly from the ESXi server to be added. Here are three different ways to do that. The first two approaches retrieve SSL certificate with which you can generate thumbprint.

Categories: Uncategorized Tags: ,