Changing the world one system at a time

Single Sign On and Kerberos

March 16, 2013

I am currently working on a Single Sign On project involving a Unisys ClearPath MCP mainframe. The main interface that ClearPath has for this is Kerberos. The basic idea is to have the application set the WWW-Authenticate HTTP header (as described in RFC 4559). The first step to make this work is to integrate Kerberos into an Active Directory environment. I still have more work to do to make this work, but I will continue to update information here for others. Coincidentally, UNITE placed their call for presentations for the September 2013 conference in Chicago. I submitted using Kerberos in an SSO environment for my topic.

When is it not about the network?

April 29, 2009

I was trolling around LinkedIn tonight and I saw many ads for various positions. For some reason, my mind drifted to see if DICE had any listings for jobs requiring iRule programming skills (iRules is a scripting language/event engine inside of the F5 Networks’ BigIP device). For those that don’t know, the BigIP could be considered an SSL accelerator and LoadBalancer. If you only used it for that, you would be seriously missing something. Back to DICE… When I searched for iRule, I discovered three Network Engineer positions. That is it! In my experience, many network engineers are not true coders (two different disciplines). As a developer for many years, I think we tend to see how we can make the world better through our software. I also believe that many network engineers and sys admins want to keep the world the same–after all stability means uptime. While this is partially true, truly innovative solutions come from looking at the tools available and determining how to better the environment with the tools. Using proper service management procedures such as ITIL can minimize the risk, but innovation is why services exist.

How to keep your Free WiFi session private.

September 27, 2008

So, you are really digging the free WiFi in Panera or Hooters or your hotel, but did you know that most of the traffic you send is viewable by some guy in the corner with a sniffer? I’m not talking about any websites you use where the address (URL) starts with https. Those are fine (you do make sure you use GMail or Yahoo Mail with https, right?). I am talking about things like AIM and MSN as well as anyone that is still using unsecured Outlook Express or some other POP mail client. All this data is easily viewable by someone else in the vicinity. So, how do you secure this? Well, there is an answer and it sort of depends on your ISP setup. There are products you can use for a fee like GoTrusted Secure Tunnel (I have not used it so that’s not a recommendation). If you have an ISP like XMission, you may be able to use a shell account. I use XMission for a basic website, some email and the shell server. There are some steps to doing this but basically, you do the following:

  • Get a shell account (XMission charges $10/month or $100 per year).
  • Download an ssh client (I like Tunnelier from BitVise – Free for personal use)
  • Get the address of your ISPs proxy server ( for example)
  • Get the port information for the proxy (usually 8080)
  • Set up Tunnelier with a tunnel on the C2S Forwarding Tab
  • The local host is port 8080 and the destination is your proxy ( port 8080
  • Connect with your user and password on the login tab
  • Go to your browser and tell it to use a proxy and point it to localhost as the proxy server and port 8080

Now, this configuration may change depending upon several factors. The thing to remember is that you are creating a server on your local system (localhost) to listen for any data on port 8080. Tunnelier will take any data it gets on local port 8080 and send it through the SSH connection to port 8080 on the proxy. The proxy in turn will send the data to the Internet.
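The same client-to-server forward expressed with OpenSSH, plus a check that the local listener is bound to loopback only so nobody else on the WiFi can use your tunnel. This is an added example, not part of the original post; the user name, host names and sample `ss -ltn` lines are constructed placeholders.

```shell
#!/bin/sh
# Added example: OpenSSH form of the Tunnelier C2S forward, with a listener check.
# Host names, user name and the sample `ss -ltn` lines are constructed placeholders.

# Print the ssh command for a local (client-to-server) forward.
#   $1 shell-account user   $2 ISP shell server   $3 ISP proxy host   $4 port (default 8080)
tunnel_cmd() {
    t_user=$1; t_shell=$2; t_proxy=$3; t_port=${4:-8080}
    if [ -z "$t_user" ] || [ -z "$t_shell" ] || [ -z "$t_proxy" ]; then
        echo "usage: tunnel_cmd USER SHELL_HOST PROXY_HOST [PORT]" >&2
        return 2
    fi
    case $t_port in
        ''|*[!0-9]*) echo "port must be numeric" >&2; return 2 ;;
    esac
    if [ "$t_port" -lt 1 ] || [ "$t_port" -gt 65535 ]; then
        echo "port out of range" >&2
        return 2
    fi
    # -N                      forwarding only, no remote shell
    # -L 127.0.0.1:...        listen on loopback, not on the WiFi interface
    # ExitOnForwardFailure    abort if the listener cannot be created, rather
    #                         than leaving the browser pointed at nothing
    printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:%s:%s %s@%s\n' \
        "$t_port" "$t_proxy" "$t_port" "$t_user" "$t_shell"
}

# Read `ss -ltn` style output on stdin and report how port $1 is bound:
#   loopback  only 127.0.0.1 / [::1] listeners
#   exposed   at least one listener on another address (0.0.0.0, [::], *, LAN IP)
#   absent    nothing is listening on that port
listener_scope() {
    awk -v p="$1" '
        $1 == "LISTEN" {
            # Column 4 is Local Address:Port; the port is the last ":" field.
            n = split($4, a, ":")
            if (a[n] != p) next
            addr = substr($4, 1, length($4) - length(a[n]) - 1)
            if (addr == "127.0.0.1" || addr == "[::1]") lo = 1
            else ex = 1
        }
        END {
            if (ex) print "exposed"
            else if (lo) print "loopback"
            else print "absent"
        }'
}

# Constructed sample output: a correctly bound tunnel ...
SAMPLE_LOOPBACK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:8080     0.0.0.0:*
LISTEN 0      128    [::1]:8080         [::]:*'

# ... and one listening on every interface.
SAMPLE_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:8080       0.0.0.0:*
LISTEN 0      128    127.0.0.1:631      0.0.0.0:*'

tunnel_cmd alice shell.example.net proxy.example.net
printf '%s\n' "$SAMPLE_LOOPBACK" | listener_scope 8080
printf '%s\n' "$SAMPLE_EXPOSED" | listener_scope 8080
```

On a Linux client, `ss -ltn | listener_scope 8080` runs the same check against the live listener. The tunnel protects only the hop between your machine and the shell server; from the ISP's proxy onward the traffic travels as it normally would.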

You can also configure AIM, or another instant messenger to connect to the Proxy. Note that this should always work from a free WiFi site, but it may even work from within a company network. This would mean you could browse the web anonymously. I am not suggesting you do this to avoid working, but if you have a need to test a web site from outside, this is a good solution too.

If you have a different configuration and are having trouble, please let me know and I will see if I can help you out (subject to me doing actual work too 🙂 ).

Good luck

Upcoming Speaking Engagements

September 6, 2008

I am presenting 3 sessions at the Unisys North American Users Group (UNITE) conference in October in Orlando this year. The sessions include:

  • Techniques to Secure Web Applications Including the OWASP Top 10
  • Comparing Different Web Interfaces to MCP Applications
  • Real World Experiences Implementing sftp to a ClearPath MCP System
  • The Changing MCP Discussion (A panel discussion)

I am also speaking at the Gilbane Boston content management conference regarding my experiences implementing the Thunderstone Search Appliance.

Intranets: The Real Story

September 6, 2008

This article was written 14 years ago, but some of the questions seem topical.

Intranets: Wave of the Future?
Open any magazine today and you are sure to find something about an intranet and why your company should have one. Most “Internet” companies are actually more interested in the business intranet market rather than its well-known cousin — the Internet. Industry forecasts predict the intranet market to reach $20 billion by the end of the decade. Of course, the facts must be separated from the hype. Exactly how will an intranet benefit your company? More importantly, what will your end users gain by having access to the company intranet?

Intranets Defined
First, some definitions are required. Exactly, what is an intranet? By exact definition, an intranet consists of two computers connected via a network interface. Typically, this is the Transmission Control Protocol/Internet Protocol, or simply TCP/IP, but that is not required. By practical standards, an intranet consists of at least one World Wide Web (WWW) server accessed via the corporate LAN using TCP/IP. Of course, WWW server may be misleading since two computers communicating across an office is not exactly “World Wide,” but this is all that is required for an intranet. While this may be a practical definition, in reality, if your company is using TCP/IP as a network, you have an intranet right now. Of course, you may not be using the applications that one typically associates with the Internet, but the concept is the same.

Business Evolution
Now that we understand what an intranet is, we can ask how and why they are developed. Most intranets evolve in two fashions — the company establishes a working group to formally coordinate new servers and their content, or employees in the company install and configure their own web servers for everyone to see. Both methods have merit, but the former allows the company to place a common “face” on internal company data. Generally, a policy of co-existence works best where official company information is left to the company intranet administrator and all web pages of a personal nature are clearly marked as such. While the company can enforce a policy of “one voice” for web servers, the basis of the web is the free sharing of ideas. To create a policy to stifle employee creativity will only serve to cause resentment and, most importantly, revolt against the idea of an intranet. Just as a company is only as good as the people it hires, an intranet is only as good as the available data.

What Does That Have to Do With Mainframes?
When people think of the intranet, their last thought would be of that old dinosaur affectionately called the mainframe. The fact is that the current family of mainframes sold by Unisys are as open as any UNIX system and much more reliable. To offer mainframe data to the intranet, a method is required to send the data from the mainframe to the end user’s web browser. Ultimately, this requires a web server. While there are various ways to approach this, the most desirable is to place the web server directly on the mainframe. This approach sends the actual TCP/IP request from the web browser directly into the mainframe and the response directly back to the browser. Several web servers are available for the A-Series from Unisys and third-parties. Additionally, Unisys includes a web server on both the 2200 and A-Series versions of the Clearpath systems. Once the mainframe has the ability to directly interface to the intranet, the next step is to determine the types of applications to make use of this connection.

Terminal Emulation
One intranet application that can access the mainframe is terminal emulation. Frequently, companies find themselves with multiple desktop environments such as Windows, Macintosh, and UNIX among others. Too often the company settles on an emulator for one environment simply because it is available for most, if not all, of the other environments. In many cases, the company has one vendor for the Macintosh emulators and another vendor for the Windows and UNIX systems. The possibilities for confusion are clear. What if the company could use a single emulator on all desktop platforms? The terminal emulator would run on all systems and be downloaded from the mainframe. Believe it or not, this is possible. All that is required is a common desktop operating system on all systems and a web server. Now, before you discount me as a mad hatter, an operating system does exist that will run on the systems mentioned. This operating system is called Java.

Java: The Virtual Machine
If ever there was a computer term that could be more overused than the “Internet,” it’s Java. Simply put, Java is a virtual machine (an operating system within an operating system) that allows applications written in the Java language to run on the Java system. The fact that the Java Virtual Machine (JVM) is running on a Macintosh or a Windows PC, or even a Sun system is immaterial. The Java system on the particular workstation is responsible for implementing a standard operating environment that will allow Java applications, or “applets,” to run on them. So, in order to continue the idea of a “Universal” terminal, you need a terminal emulation application written in Java. Also required is the virtual machine. Fortunately for this scenario, you may already have a Java virtual machine on your desktop. The good folks at Netscape, Microsoft, Apple, and Sun have implemented the virtual machine in their web browsers. So, if you have Netscape Navigator 3.0 for Windows for example, you already have the required software to run any Java applet. Several companies offer a Java-based terminal which emulates a Unisys T27. As in the web server case, these are implemented either as a PC-Gateway or on the mainframe itself. The same concerns about extra protocol and coordination of messages exist in this PC-Gateway approach. Therefore, mainframe-based Java emulation is preferred. So, with these emulators in hand, you can offer A-Series terminal access from any web browser in the company.

The Role of HTML
Other methods to access the mainframe from a web browser are to have a process “convert” terminal screens to the language of the web — HTML — or to create the applications with HTML in mind. It is possible to create a process to accept data from a typical on-line application and convert it into HTML to send to a web browser. Basically, there are two general approaches: PC-gateway based, or mainframe-based. The PC approach sends data from mainframe applications, converts it to HTML on the PC, and uses the PC web server to send data to the web browser. The mainframe approach interfaces directly to the mainframe applications, converts the data to HTML and uses a mainframe-based web server to send data.

Rather than converting terminal screens to HTML, which does not always work quite as anticipated on screens with a lot of fields, you can create applications with HTML in mind. One of the features of some mainframe-based web servers is the ability to interface with another program running on the same system. If so desired, the mainframe applications could be modified to accept data from the web server in addition to terminals. If the data is sent in from the web server, the proper fields need to be moved to where the program expected the data from the terminal. In this case, the application processes the message according to the same business rules, but instead of sending the message back to the terminal, it responds to the web server. Again, instead of sending form delimiters, the resultant output is formatted in HTML. The web server will send this data to the web browser without conversion. While this method requires more up-front coding, the actual execution time is less since there is no data conversion required.

Hopefully, you now have an understanding of an intranet and how it can be used in your company. Additionally, after reading this article, there should be no doubt that once again, the mainframe is still a viable business resource for your entire company. Next month, I will examine some applications to put the mainframe on the actual Internet and allow customers to order products and perform their own customer service inquiries.

Connecting the Mainframe to the Internet

September 6, 2008

The Internet
As with intranets, the Internet has produced an abundance of information in trade journals. Internet usage grows more with each passing day. While most businesses are interested in utilizing this medium, several questions must be asked. If the company mainframe is placed on the Internet, will it be secure? Is the benefit of an Internet presence worth the initial and ongoing expenditures to maintain the presence? In order for a company to justify an Internet site, these questions must be answered. As explained last month, it is possible to place your Unisys mainframe on your company intranet. However, before connecting it to the actual Internet, several security concerns must be addressed. Once these concerns are addressed, the mainframe can be placed on the Internet to allow direct access to your applications via the World Wide Web.

How Secure Is It?
The news media is full of cases of “hackers” breaking into large corporations and U.S. government organizations. With each of these high profile cases, comes additional worries regarding the security of any computer placed on the Internet. What one must remember about these cases is that generally the transgression involves some form of UNIX system. It is a well-documented fact that the UNIX operating system has many security “holes” that a knowledgeable person can exploit. As UNIX has evolved, many of these items have been removed, especially in proprietary UNIX systems like those offered by Sun, HP and Unisys. But with a long history in the educational and research communities, UNIX still contains esoteric options to infrequently used programs that allow compromising of security. This is not to say that a security breach is impossible on a mainframe. Simply put, security on a mainframe will be compromised far less than on a UNIX system because someone e-mailed themselves a copy of the password file. One example of robust password security is with the Unisys A-Series. Once a password is stored, it can never be retrieved in its original form. An algorithm exists that changes the password into an encrypted form. This form does not allow reversing the password into a legible form. Whenever a user logs into the system, the password they supply is converted, then compared to the converted password present in the password file. Therefore, it becomes easy to understand that a user will not be using a program to ask for a list of passwords on an A-Series. Of course, if a technical support person with high security clearance uses their spouse’s name as a password, all bets are off. As with any computing platform, a well-documented and well-executed security policy is the best and safest policy.

Data Security
Another security issue is the actual data sent over the Internet. Certainly, you would not want customers to feel uncomfortable sending credit card numbers over the Internet. Fortunately, technology exists to allow encryption of the data from the user to your system to ensure data security. This encryption method involves a unique “key” of at least 40, but normally 128 bits. It ensures that only the intended person can decrypt the messages. To put this in perspective, most Internet security experts calculate the amount of time to “crack” a 128-bit key in terms of Supercomputer-Months. Of course, while people involved with the Internet may be comfortable sending credit card information over the Internet, getting your customers to be comfortable with the idea is another story. Just as with any new technology, customer education is key. Many call center operations find a high initial resistance to Interactive Voice Response systems. Once the concept is marketed correctly, the customer population becomes accustomed to the idea and even embraces it. With time and accurate information, you and your customers can overcome any security concerns to the point where useful Internet applications can be created for your mainframe.

Order Processing
One such mainframe application is order processing. Order processing, or order entry, is one of the more common uses of a business-based mainframe. In the typical scenario, an order processor situated at a fixed terminal enters information into an application. The application, after receiving the screen, processes the incoming data according to a set of business rules contained in the mainframe application. The result is then written to a database, and the output is sent back to the terminal to confirm or deny the order. This type of transaction occurs literally millions of times per day at Unisys customer sites. An analysis of this system illustrates several advantages of a large, centralized system. The primary advantage is that the business rules are contained in a single, central location. Second, all the information regarding the order is kept in a single database available to all users from all locations. Of course, central reliance upon a single computing platform may pose a problem, but on a highly reliable and resilient mainframe this risk is far outweighed by the benefits.

A Different Approach
A different approach to the standard type of order processing is to enable the existing applications to accept input from the Internet. As with enabling applications to work on an intranet, a method is required to connect the existing applications to a web server. Again, a web server is the software that runs on the mainframe to send data to a web browser like Netscape’s Navigator or Microsoft’s Internet Explorer. One method to connect the applications with the web server is to use a tool that translates the standard forms data to the language of the World Wide Web, HTML. HTML, or Hyper Text Markup Language, is a page definition language that instructs web browsers about how to display the supplied data. With HTML, your existing order entry screens can be displayed to users of the World Wide Web to allow placing orders from the Internet. While this may be an interesting ability from a technology standpoint, the real question is how can it be used for actual business. Well, in the order entry case, the business application can fall into several categories. If your company has a field sales force, salespeople can enter their own orders right from the customer site. This occurs without having to create special applications in specialized languages on the mainframe or the PC. Another option is to allow your customers to connect to your system over the Internet and place their orders on their own time. Since the users are not using your toll-free telephone lines, the cost savings will add up rapidly especially for larger call centers. Keep in mind that even though your applications are now available to users of the Web, your existing terminal users can still enter data through your large terminal investment. Of course, once the applications are enabled to accept data from the Web, the same applications can accept data from your web browser-equipped internal users.

Service After the Sale
Most sales-oriented companies pride themselves on their customer service, and one area where customer service can be improved is to allow customer access to data over the Internet. Normally if a customer has questions about the status of an order, a toll-free call is placed to a customer service representative (CSR). The CSR greets the customer and inquires about the request. The CSR then looks up the customer order based upon an order number or the customer’s name. Assuming that an item was shipped to the customer, the CSR then takes the tracking number of the package and locates the package with the shipper. Some companies call the shipper while the caller is still on hold. The costs involved in this system are obvious. The web-enabled customer service applications on the mainframe can perform the same functions either directly for the customer or via the CSR. If the customer has Internet access, they can connect to your system, enter their identification information, then check on the status of an order without any assistance. Since many of the shipping companies like United Parcel Service, Federal Express, and Roadway Package Systems offer Internet tracking of packages, customers can track their own packages simply by clicking a button on their web browser. Of course, this all occurs without a single customer service person involved or any toll-free phone charges to the company. Even if the customer calls into Customer Service, the web browser will allow the CSR access to all the data in one place in a clean, efficient fashion. No longer are phone calls or dedicated data connections required to track a UPS package. The CSR can click on the same button the customer would have to track a package. Greater accuracy, reduced costs and quicker service are the benefits of this system. 
Coupled with your intranet operations, a mainframe Internet presence results in a faster, streamlined organization that will enhance your company’s image in the eyes of your customers, your competition, and your stockholders.

I hope these articles have improved your understanding of Internet technology. We have covered methods and applications for placing your system on the Internet. Additionally, we have discussed specific applications that your company can use to gain a competitive advantage over your competition. As with any new technology, customers, and frequently internal users, will have to be coddled into accepting this new approach to your business. While the Internet has been the subject of excessive “hype,” make no mistake – the Internet, and more specifically the sensible business uses of it, will make or break the companies of the 21st century. Good luck and I look forward to using your “World Class Web Site.”

Clearpath Revealed

September 6, 2008

This is an article I wrote several years ago that may be of interest to the ClearPath community.

When the first Clearpath NX server was shipped, the computing world as we know it changed. Such a bold statement surely requires an explanation. While most of us working with Unisys technology know better, the rest of the world considers Unisys simply a mainframe vendor. Even with their marketing conversion into a services company, the core computing line of Unisys is what makes those services possible. The A-Series, 2200, and UNIX systems all contribute to a terrific line of systems capable of integration into any business. While these systems are no secret to those of us in the industry, the rest of the airline-magazine reading public is infatuated with conversions to UNIX and other “client-server” platforms. With the advent of Clearpath, mainframe integration with “industry-standard” operating systems has never been higher.

A Match Made in Redmond
Since the inception of Windows NT, Microsoft has positioned it as an answer to the business application, print, and file server market. Obviously, the market share achieved by Novell’s NetWare product was an attractive target for Microsoft. With the invasion of Windows NT into the corporate IS departments previously dominated by NetWare, Microsoft seems to be winning this battle. Of course, this still leaves the question of what to do with the mainframe. Most IS departments have at least one advocate for replacing the mainframe with PC file servers or UNIX systems. I recall an individual that wanted to replace a four processor Unisys A-19 system with 60 Novell file servers and PC application software. While this approach may seem attractive to non-mainframe people, in reality, it’s been proven to be both more costly and less efficient to rid the company of the mainframes. Of course, it is not without some benefit to utilize an application or file server as part of a larger data processing system. These products can be symbiotically joined to capitalize on each other’s strengths and minimize each other’s weaknesses. Historically, however, this approach has been littered with broken vendor promises and difficult, if not impossible, hardware and software combinations. This is where Clearpath comes into the equation. With the advent of the Unisys Clearpath, an IS organization can make data and applications on both the A Series and Windows NT available to the entire organization and the entire world! But, before we embark on this grand day out, perhaps some first hand observations about the components of Clearpath are in order.

The Sum of the Parts…
As most Unisys professionals already know, the NX version of Clearpath is simply an A-Series (“the mainframe”) and a Windows NT computer in the same box. Included within the same cabinet as the A-Series and the Windows NT PC is an Ethernet switch to allow central connection of network devices in both systems to a common point. Also included in the box is a UNIX system. The UNIX system is only for maintenance administration of the mainframe side. Since the units are in the same box, I have noticed that some are under the impression that the systems are dependent upon one another for certain things. In reality, any connections between the mainframe side and the NT side could also be from across the world. There is no software on either side that requires the computers be in the same cabinet. That being said, then why are the units in the same box? Simply put, being in the same cabinet adds the ability to interconnect the Windows NT system to the mainframe via a higher speed connection than 10 megabit Ethernet.

Software Makes Hardware Work
The truly magical part of Clearpath is the A-Series software. Specifically, the way in which it presents itself as an NT server. This software, called NX Services, makes the A-Series appear to the Windows network as a Windows NT print and file server. Any printer to which the A-Series can print can also be accessed by any computer on the Windows NT network. This means that if you have a high-speed printer connected to the A-Series, a PC connected to the A-Series can print to the printer just as if it was physically connected to the PC. This model works for file access as well. Files on the A-Series can be accessed by Windows and UNIX systems on the network. In Windows terminology, this act of central network access to server resources is known as sharing. No longer do you need to run a file transfer process to move files between the mainframe and the PC. Of course, since mainframe disk is considerably more expensive than PC disk (although it is the same disk), it would be silly to store all PC files on the mainframe. The most efficient use of this technology is for file sharing applications between the mainframe and the PC. Whenever file sharing is an option, security is always a concern. As with any A-Series file access, the security is controlled by the usercode/password combination supplied to the software. Shared A-Series devices such as CD-ROMs and printers can be protected in the same manner. Another available resource of NX Services is the application interfaces. Now that the files and printers are shared with the help of Clearpath, the next step is to “open up” the applications. While interfacing to applications is not as transparent as file or printer sharing, it is only minimally more difficult. Basically, one writes an application using standard TCP/IP programming methods which the Clearpath software then interfaces to a COMS station on the mainframe.
This allows external interfaces to legacy applications without modification to the existing A-Series programs. While this method of integration has been available on the A-Series for several years from third-party vendors, only with the Clearpath system does Unisys provide a direct interface into COMS from external TCP/IP systems.

Besides file, print, and application integration, Clearpath also excels in the area of system administration. In order to set up file and printer sharing, as well as any application interfaces, a graphical, windows-based program runs on the NT server to administer these items. This program, the Admin Center, normally runs on the NT server collocated to the mainframe side. There is, however, no requirement that this be the case. With the correct Windows NT network security established, a workstation anywhere in the world can administer the NX/Services on the mainframe. Additional Windows administration tools supplied are the Task Center and the User Center. The Task Center allows system console monitoring including all operator display terminal (ODT) commands normally used by operations personnel. The User Center allows administration of mainframe user information from a Windows system anywhere on the network. Of course, proper security is again required and enforced. Also, these packages are not simply text-based screen images running on a Windows workstation. These applications take full advantage of Windows features including list-boxes, radio buttons and check boxes.

The Whole Package
The items discussed so far are already worth the price of admission to the Clearpath show. Some notable items included with the base Clearpath NX systems are LPR/LPD printing, TransIT/ODBC and a Web server. LPR/LPD printing allows UNIX systems to print to the A-Series printers and vice-versa. TransIT/ODBC allows PC access of a DMS II database on the mainframe. A 4-user license of TransIT/ODBC is included mainly for development and small-scale production purposes. The web server allows serving of both static and dynamic web pages directly from the mainframe. From the PC side, several items have been added as well. We have already discussed the User Center and Task Center, but also available is a terminal emulator. This emulator, called NX/View, was originally supplied free with the system, but due to previous licensing agreements is now offered for sale at a very reasonable cost. NX/View interfaces directly to the TCP/IP software on the mainframe so InfoConnect is not required. While many of the “new” interfaces available on Clearpath have been available from various third-party vendors, they were not available from a single source and except for the comparatively minimal emulator licensing fee for NX/View, they are included with the base price of the system.

With the promulgation of Clearpath, Unisys and the A-Series have turned a new corner. No longer will true platform integration simply be a marketing term or a “hodgepodge” of distinct components made to work together. No longer can the idea of a closed proprietary system that will not work with other hardware or software be propagated. With Clearpath, the mainframe will continue to be a critical focus in the corporate IS picture for many years to come.

Alignment of the Planets Reliability

September 6, 2008

I have often said that certain products carry with them what I call “Alignment of the Planets” reliability. This means that you would blame everything in the computer room–including the alignment of the planets–before you blame the particular system. Having started my professional computing career on the Burroughs A Series systems, I learned that Burroughs (now Unisys) designed software that just worked. Of course, no software is perfect, but it was designed with an expectation of working well, not the too common expectation of today where we assume the system will fail. This has become a standard expectation of computer people and unfortunately, this attitude has permeated software development. Another product I feel has this level of reliability is the BigIP line of Web Application Front-ends from F5 Networks. I have been doing quite a bit of development in iRules on the BigIP platform and it is just a great box. As I said before, nothing is perfect, but the odds of a problem actually being caused by the BigIP are remote in my experience. More on iRules later.

New case study published on Thunderstone

September 6, 2008

Thunderstone is a search appliance used by the General Services Administration (GSA). The company asked me to participate in a case study whitepaper. This was a good review of the appliance and why we choose to use it. You can find it here.

Welcome to the New Company

September 6, 2008

Welcome. My name is Tom Schaefer and I am the owner of Better Software Solutions. This company is a boutique software consulting firm specializing in developing software and processes that are beyond the normal applications. Specifically, the method we employ is to use highly-qualified consultants that understand business and technology and how they intersect. I believe if you hire naturally curious people they can directly impact the client’s bottom-line. Our consultants are not afraid to speak “Truth to Power” and have no problem telling you the facts as they see them. Our current clients include Unisys, the US General Services Administration and the Smithsonian Institution.

As with most blogs, I hope to use this one to write on topics relating to the state of the software industry and technology adoption. We may have some interesting diversions along the way, but hopefully, I can share some knowledge and learn a few things.