On Monday March 30, Intel announced the availability of their much anticipated new line of processors, the Intel® Xeon® Processor 5500 series–nicknamed Nehalem.

Red Hat, a long-time partner of the market-leading chip maker , collaborated on the chip’s debut, testing and optimizing the recently released Red Hat® Enterprise Linux® 5.3 on the new processor.

Changes include a new processor architecture, platform architecture, memory subsystem, I/O subsystem, and options (including SSD and 10GbE).

So what’s the big deal? Why all the fuss? Here’s just a few of the improvements wrought by the combination of Intel’s processing power and Red Hat advancements in performance and efficiency.

Improved performance

According to Stream performance data, the new Intel Xeon 5500 series processor delivers a 2.25 times performance improvement, when compared to the performance of the preceding processor series (the Intel Xeon 5400). This allows the new processor to handle datacenter workloads at nearly twice the efficiency.

Intelligent performance

The processor can dynamically adapt throughput to the workload. Intel Hyper-Threading Technology lets system administrators increase workloads and add capabilities without slowing the system down—there’s plenty of reserve for usage peaks. Expanded physical server limits in Enterprise Linux 5.3 (255 CPUs and 1 TB main memory) improve system scalability dramatically.

Virtualization

Red Hat Enterprise Linux and Intel Virtualization Technology (Intel VT) deliver high consolidation ratios. These virtualization enhancements provide greater scalability and performance, and allow for the virtualization of a wide range of workloads, even those that are I/O intensive.

Automated energy efficiency

The combination of technologies supports low-latency changes between power states. This can help lower power consumption during off-peak hours . Integrated power gates and memory controllers deliver energy efficiency from the hardware side, while enhanced power management and CPU clock frequency scaling help conserve power from the Red Hat Enterprise Linux side.

Red Hat and Intel have a long history of working together to take open source technology to its full potential. Whether it’s combined open source contributions or corporate partnerships, the x86 platform and the open source software revolution have changed the face of computing. Integrated virtualization—and continued rapid improvements in processor technology—keeps the changes coming.

More information

• Red Hat and Intel: Industry Leaders Redefine Datacenter Price-Performance (Red Hat Press)
• What you need to know about Intel’s Nehalem CPU (ars technica)
• Internet: Meet your new processor (Intel.com)

Building software in most languages is a pain. Remember ant build.xml, maven2 pom files, and multi-level makefiles?

Python has a simple solution for building modules, applications, and extensions called distutils. Disutils comes as part of the Python distribution so there are no other packages required.

Pull down just about any python source code and you’re more than likely going to find a setup.py script that helps make building and installing a snap. Most engineers don’t add functionality when using distutils, instead opting to use the default commands.

In some cases, developers might provide secondary scripts to do other tasks for building and testing outside of the setup script, but I believe that can lead to unnecessary complication of common tasks.

For those who are not familiar with setup scripts, Figure 1 shows a simple example.

#!/usr/bin/env python
"""
Setup script.
"""

from distutils.core import setup

setup(name = "myapp",
    version = "1.0.0",
    description = "My simple application",
    long_description = "My simple application that doesn't do anything.",
    author = "Me",
    author_email = 'me@example.dom',
    url = "http://example.dom/myapp/",
    download_url = "http://example.dom/myapp/download/",
    platforms = ['any'],

    license = "GPLv3+",

    package_dir = {'myapp': 'src/myapp'},
    packages = ['myapp'],

    classifiers = [
        'License :: OSI Approved :: GNU General Public License (GPL)',
        'Development Status :: 5 - Production/Stable',
        'Topic :: Software Development :: Libraries :: Python Modules',
        'Programming Language :: Python'],
)

This setup script lists the metadata, maps to a package directory, and provides the general commands expected from distutils setup. This is great, but as I’ve said, it may not do everything you need it to.

What if, for example, we want to be able to see all the TODO tags in the codebase on any platform? In other words, grep won’t cut it.

Let’s start by writing a function that searches for TODO tags in files and prints them back to the screen in a nice format like:

src/myapp/__init__.py (11): TODO: remove me

def report_todo():
    """
    Prints out TODO's in the code.
    """
    import os
    import re

    # The format of the string to print: file_path (line_no): %s line_str
    format_str = "%s (%i): %s"
    # regex to remove whitespace in front of TODO's
    remove_front_whitespace = re.compile("^[ ]*(.*)$")

    # Look at all non pyc files from current directory down
    for rootdir in ['src/', 'bin/']:
        # walk down each root directory
        for root, dirs, files in os.walk(rootdir):
            # for each single file in the files
            for afile in files:
                # if the file doesn't end with .pyc
                if not afile.endswith('.pyc'):
                    full_path = os.path.join(root, afile)
                    fobj = open(full_path, 'r')
                    line_no = 0
                    # look at each line for TODO's
                    for line in fobj.readlines():
                        if 'todo' in line.lower():
                            nice_line = remove_front_whitespace.match(
                                line).group(1)
                            # print the info if we have a TODO
                            print(format_str % (
                                full_path, line_no, nice_line))
                        line_no += 1

The report_todo function is self-contained and quite simple, if a bit clunky by itself. Who wants to install and use a ‘report-todo’ command on machines just to look for TODO tags?

We want to turn this into a setup command so that we can ship it with our application ‘myapp’ to be used by developers via setup.py. We will probably add more setup commands in the future, so let’s create a class to subclass our commands from. We do this because most of our commands will probably be simple and won’t need to override the *_option methods (though they can if they need to).

import os

from distutils.core import setup, Command

class SetupBuildCommand(Command):
    """
    Master setup build command to subclass from.
    """

    user_options = []

    def initialize_options(self):
        """
        Setup the current dir.
        """
        self._dir = os.getcwd()

    def finalize_options(self):
        """
        Set final values for all the options that this command supports.
        """
        pass

The SetupBuildCommand defines a few methods that are required for all setup commands. As I stated before, most of our commands will probably not deviate from these defaults, so defining them higher in the object hierarchy means simpler code in the commands themselves. If we do want to add arguments to to any of our commands, we can override initialize_options() and finalize_options() to handle the arguments properly.

Now that we have the SetupBuildCommand to subclass from we can merge our report_todo function into a SetupBuildCommand class. To do this, we create a class that subclasses SetupBuildCommand, and then add a description variable and a run method (which is what is executed when the command runs).

class TODOCommand(SetupBuildCommand):
    """
    Quick command to show code TODO's.
    """

    description = "prints out TODO's in the code"

    def run(self):
        """
        Prints out TODO's in the code.
        """
        import re

        # The format of the string to print: file_path (line_no): %s line_str
        format_str = "%s (%i): %s"
        # regex to remove whitespace in front of TODO's
        remove_front_whitespace = re.compile("^[ ]*(.*)$")

        # Look at all non pyc files in src/ and bin/
        for rootdir in ['src/', 'bin/']:
            # walk down each root directory
            for root, dirs, files in os.walk(rootdir):
                # for each single file in the files
                for afile in files:
                    # if the file doesn't end with .pyc
                    if not afile.endswith('.pyc'):
                        full_path = os.path.join(root, afile)
                        fobj = open(full_path, 'r')
                        line_no = 0
                        # look at each line for TODO's
                        for line in fobj.readlines():
                            if 'todo' in line.lower():
                                nice_line = remove_front_whitespace.match(
                                    line).group(1)
                                # print the info if we have a TODO
                                print(format_str % (
                                    full_path, line_no, nice_line))
                            line_no += 1

The run method in this example is the same as report_todo but in a method format (with self) and renamed to run.

Now it’s time to bring all this together. If we add Figure 1 and Figure 2 to the setup script (Figure 1), then all that is left is to map the setup command with a command name. Do this via the cmdclass argument, and in the form:

cmdclass = {'name': CommandClass}

Figure 5 shows it all together in an abbreviated form.

#!/usr/bin/env python
"""
Setup script.
"""

import os

from distutils.core import setup, Command

class SetupBuildCommand(Command):
    """
    Master setup build command to subclass from.
    """
    # See Figure 3

class TODOCommand(SetupBuildCommand):
    """
    Quick command to show code TODO's.
    """
    # See Figure 4

setup(name = "myapp",
    version = "1.0.0",
    description = "My simple application",
    long_description = "My simple application that doesn't do anything.",
    author = "Me",
    author_email = 'me@example.dom',
    url = "http://example.dom/myapp/",
    download_url = "http://example.dom/myapp/download/",
    platforms = ['any'],

    license = "GPLv3+",

    package_dir = {'myapp': 'src/myapp'},
    packages = ['myapp'],

    classifiers = [
        'License :: OSI Approved :: GNU General Public License (GPL)',
        'Development Status :: 5 - Production/Stable',
        'Topic :: Software Development :: Libraries :: Python Modules',
        'Programming Language :: Python'],

    cmdclass = {'todo': TODOCommand},
)

You’ll notice that `python setup.py –help-commands` now shows ‘Extra commands’ with our TODO command listed.

Give it a go and see what you have left to do in your code!

Red Hat® Enterprise Linux® 4 was released on February 15th, 2005. This report takes a look at the state of security for the first four years from release. We look at key metrics, specific vulnerabilities, and the most common ways users were affected by security issues. We will show some best practices that could have been used to minimise the impact of the issues, and also take a look at how the included security innovations helped.

This report is an update to the three-year risk report published in Red Hat Magazine in February 2007.

1. Introduction

2. Vulnerabilities

2.1. Vulnerability Counts

2.2. Critical Flaws

2.3. Expanding “days of risk”

2.4. Riskiest packages

2.5. Advisory Workload

3. Threats

3.1. Exploits

3.1.1. Kernel exploits

3.1.2. Browser exploits

3.1.3. Other user-complicit exploits

3.1.4. PHP exploits

3.1.4. Servers and services exploits

3.2. Worms

4. Conclusion

5. Further Reading

6. About the Author

1. Introduction

We measure the overall risk of running Enterprise Linux 4 as a function of two factors; the vulnerabilities and the threats. Our first section covers the security vulnerabilities found in packages that are part of Enterprise Linux 4 and the advisories that address them. Our second section covers the threats by examining actual exploitation of those vulnerabilities through exploits and worms.

All the data used to generate this report, tables, and graphs, apply to Red Hat Enterprise Linux 4 AS from release day, 15 February 2005 to 14 February 2009 unless otherwise stated.

2. Vulnerabilities

At first sight it may appear that Red Hat have released a lot of updates for Enterprise Linux 4; in the last twelve months publishing a total of 107 security advisories to address 251 individual vulnerabilities. But in reality this is by far a worst-case metric, as it treats all vulnerabilities as equal, regardless of their severity and assumes a system that has installed every available package – which is not a default or even a likely installation.

With the release of Enterprise Linux 4, we started publishing severity levels with package errata to help users determine which advisories were the ones that mattered the most. Providing a prioritised risk assessment helps customers to understand and better schedule upgrades to their systems, being able to make a more informed decision on the risk that each issue places on their unique environment. Red Hat rates the impact of individual vulnerabilities on a four-point scale designed to be an at-a-glance guide to how worried Red Hat is about each security issue.

2.1. Vulnerability Counts

There are four variants of Red Hat Enterprise Linux 4; two targeted at server solutions with Enterprise Linux AS and ES, and two targeted at client solutions with Enterprise Linux WS and Red Hat Desktop. The package set available in Enterprise Linux WS and Red Hat Desktop is a subset of that available in Enterprise Linux AS.

During Enterprise Linux 4 installation, the user gets a choice of installing either the default selection of packages, or making a custom selection. Table 2 shows the vulnerability counts, normalised by CVE name, for some selected configurations.

A default install of Enterprise Linux 4 AS was only vulnerable to ten critical flaws in the whole four years. This is because most of the critical flaws have been in web browsers and their plug-ins: Firefox and Mozilla/SeaMonkey packages are not installed by default on distributions intended for server systems.

Client systems (Enterprise Linux WS and Red Hat Desktop) do include Firefox, Mozilla, and Helixplayer by default, leading to 126 critical vulnerabilities. A custom installation of AS, selecting every available package, would yield a system affected by the maximum possible number of critical vulnerabilities for the four years, 130.

For the purposes of this study we consider the worst-case scenario, a version of Red Hat Enterprise Linux 4 obtained on the day of release. During the first four years, six Update releases were made (Update 1 in June 2005, Update 2 in October 2005, Update 3 in March 2006, Update 4 in August 2006, Update 5 in May 2007, Update 6 in November 2007, Update 7 in July 2008). The Update releases are similar to a “service pack” and contain a roll-up of all security advisories. So, for example, a user who installed Enterprise Linux 4 in August 2008 would use Update 7 and be affected by only a subset of the issues. We’ve also counted vulnerabilities not advisories; it’s usual for a single security update of a package to fix a number of vulnerabilities at the same time, so the number of advisories and updates needed to be installed is far lower.

Tip

You can cut down the number of security issues you need to deal with by carefully choosing the right Enterprise Linux variant and package set when deploying a new system, and ensuring you install the latest
available Update release.

2.2. Critical Flaws

Vulnerabilities rated critical severity are the ones that can pose the most risk to an organisation. By definition, a critical vulnerability is one that could potentially be exploited remotely and automatically by a worm. However we also stretch the definition to include those flaws that affect web browsers or plug-ins where a user only needs to visit a malicious (or compromised) web site in order to be exploited. Since the vast majority of critical severity issues occurred due to web browsers or plugins, this is why there is such a difference between the number of critical issues that affects a default install of Enterprise Linux 4 AS and WS.

For the purposes of the severity classification we ignore what privileges the attacker would be able to gain: a remote root compromise via something like Samba would be of a much higher risk than a user-complicit Firefox flaw that results in running code as an unprivileged user, but both would be rated as critical on this scale.

To help qualify the risk we’ve split up the critical vulnerabilities into those that require some minimal user interaction to be exploitable (such as if a user visits malicious web page), and those that require no user interaction at all (and therefore could potentially be exploited by a worm).

For Enterprise Linux 4 AS with every package installed, Table 3 summarises all critical issues, and Table 4 breaks out the critical, non-browser flaws.

We’ve included in these tables the “days of risk” metric. This is commonly defined as the number of calendar days it takes for a vendor to produce updates that correct a flaw after the flaw is first known to the public.

Fixes for 87% of critical flaws were available from Red Hat Network the same day or next calendar day after public disclosure of the flaw. This fast response time is a deliberate goal of the Red Hat Security Response Team and forms an essential part of reducing customer risk from critical flaws.

2.3. Expanding “days of risk”

The “days of risk” metric has it’s limitations and so it isn’t particularly useful for comparing different software vendors against each other. The software that makes up the Enterprise Linux 4 distribution is open source, so we’re not the only vendor shipping each particular application. Unlike companies shipping proprietary software, Red Hat is not in sole control over the date each flaw is made public. This is actually a good thing and leads to much shorter response times between flaws being first reported to being made public. It also keeps us honest; Red Hat can’t play games to artificially reduce our #8220;days of risk” statistics by using tactics such as holding off public disclosure of important flaws for a long period, or until some regularly scheduled patch day.

A more useful metric to help assess risk would also take into account the amount of time that each issue was known to the vendor in advance. As part of our security measurement work since Enterprise Linux 4 we’ve been tracking how the Red Hat Security Response Team first found out about each vulnerability we fix. This information is interesting as it can also show us which relationships matter the most to us, and identify trends in vulnerability disclosure.

For each of the 1269 total vulnerabilities, across every package in Enterprise Linux in the 4 years, we determined if the flaw was something we knew about a day or more in advance of it being publicly disclosed, and how we found out ^[1] about the flaw. The results are summarised in Figure 2 and Figure 3.

Red Hat knew about 51% of the security vulnerabilities that we fixed at least a day in advance of them being publicly disclosed. For those issues, the average notice was 21 calendar days, although the median was much lower, with half the private issues having advance notice of 9 days or less. Figure 4 shows the distribution of notice periods in more detail.

2.4. Riskiest packages

In our work tracking and fixing vulnerabilities it sometimes seems like we produce a security advisory for the same packages every month. We therefore analysed Enterprise Linux 4 to find out which packages were
responsible for the most vulnerabilities, weighting them ^[2] to take into account their severity. The results are shown in Table 5, which lists the top 10, ranked across all four years.

These top 10 packages together totaled 79% of all the weighted vulnerabilities. The kernel, cups, php, krb5, and samba packages are part of the default installation of Enterprise Linux 4 AS.

Tip

You can reduce the number of vulnerabilities that will affect your systems by removing packages that you don’t need or don’t use, particularly those that have the worst security history. For example, if you don’t use thunderbird on a machine you could just remove the package.

2.5. Advisory Workload

In previous reports we’ve graphed the vulnerability workload, a measure of the number of vulnerabilities that security operations staff would need to worry about every day, weighted by severity. But the actual effort in maintaining an Enterprise Linux system is more related to the number of advisories we released, rather than the number of vulnerabilities: A single Firefox advisory may fix ten different issues of critical severity, but takes far less total effort to manage than ten separate advisories each fixing one critical Samba vulnerability.

Our Advisory Workload index gives a measure of the number of important advisories that users would need to worry about every day. The higher the number, the greater the workload, and the greater the general risk represented by the vulnerabilities addressed. This workload index is calculated in a similar way to the NIST workload index.

For a given month, Advisory Workload = weighted number of advisories ^[3] / days in the month. A workload of 1.0 would mean one important advisory a day.

Figure 5 shows the advisory workload index for a installation of Enterprise Linux 4 including every package. The initial peak during the first month looks surprising, but is easily explained, as the packages for Enterprise Linux 4 had a code freeze a few months prior to release. This led to a backlog of security issues that were fixed with updates on the date of release. The small peak in August 2005 aligns with the release of Update 1, and the other peaks align with Update releases or months during which there were several Firefox and SeaMonkey
updates.

Tip

Cut down on the number of alerts you receive. Register your systems with the Red Hat Network to get customised notifications for security updates for the packages your systems have installed. If you want to see all security updates for every Enterprise Linux version and package, subscribe to enterprise-watch-list mailing list as well.

3. Threats

The first part of this report analysed the total vulnerabilities found affecting Enterprise Linux 4. But to get a better evaluation of platform risk we also need to take into account the threat. This part therefore looks at
exploits and worms written to take advantage of the vulnerabilities.

Red Hat is continually developing technologies to help reduce the risk of security threats, and a number of these were consolidated into Red Hat Enterprise Linux 4. The most significant technologies were SELinux and
Exec-Shield. Exec-Shield is a project which includes support for the No eXecute (NX) memory permission, simulating NX via segment limits, Position Independent Executables (PIE), gcc, and glibc hardening. For more details, a table of the major security technology innovations in Enterprise 4 is available.

3.1. Exploits

An exploit is the way that an attacker makes use of a vulnerability. The Red Hat Security Response Team monitor numerous sources to track which vulnerabilities are being exploited. For this report we compiled a list of the publicly available exploits for the vulnerabilities that affected the first four years of Enterprise Linux 4.

We are interested in those exploits that have the potential to cause remote damage to the confidentiality or integrity of a system and we therefore don’t include exploits for vulnerabilities that are limited to a denial of service (affecting availability). We do, however, include exploits which are labeled “proof of concept”. A proof of concept exploit may only cause a crash or not quite work properly without modification, but in theory the vulnerability could be exploited properly leading to greater consequences. These proof of concept exploits often show techniques that a skilled attacker can turn into a full exploit.

We found exploits for 59 vulnerabilities for the first four years. 24 (40%) of these exploits are for buffer overflow vulnerabilities where in most cases the Exec-Shield technology should help prevent remote exploitation due to protections such as ASLR and enforcement of a non-executable stack.

3.1.1. Kernel exploits

The public exploits for the Linux kernel lead to one of two consequences: either a local unprivileged user can cause the machine to crash, or a local user can gain privileges.

We found exploits for nine vulnerabilities that had the potential to allow an unprivileged user to gain privileges on an unpatched Enterprise Linux 4 system. Of the nine, one required the target system to be using bluetooth drivers (CVE-2005-0750), another was exploitable only on systems with more than one CPU (CVE-2005-0001), one affected only x86_64 architectures (CVE-2007-4573), and one required a writable sgid directory (CVE-2008-4210).

The remainder (CVE-2006-3626, CVE-2006-2451, CVE-2005-0736, CVE-2004-1235, and CVE-2005-0531) could work on any default, unpatched system. Some of those exploits need unpublished source code adjustments in order to work against an Enterprise Linux 4 kernel.

3.1.2. Browser exploits

Around of quarter of the public exploits we found were for flaws in web browsers; and all but three targeted the Mozilla suite (Mozilla, Firefox, Thunderbird). These are detailed in Table 6. For each exploit, any resultant code execution would be limited to being run with the same rights as the user that is running the vulnerable browser. It is best practice to never use a web browser or email client as root. Some of these exploits are also blocked if JavaScript is disabled.

3.1.3. Other user-complicit exploits

The next class of exploits are those we term ‘user-complicit’, in that they need some involvement from the victim to be exploited. Some examples of user involvement would be opening a malicious file with a vulnerable application, or viewing an instant message from an unknown user. Table 7 lists the exploits we discovered that require some user involvement.

3.1.4. PHP exploits

During March 2007 the “Month of PHP bugs” uncovered a number of issues, some of which affected the PHP packages as distributed with Enterprise Linux 4. The PHP interpreter does not offer a reliable sand-boxed security layer (as found in, say, a JVM) in which untrusted scripts can be run, so any script run by the PHP interpreter must be trusted with the privileges of the interpreter itself. Therefore, in analysis of these issues, exploits which relied on an “untrusted local attacker” were not classified as security-sensitive since no trust boundary was crossed.

This leaves us with the exploits shown in Table 8. These exploits rely on the victim having PHP scripts installed that use the vulnerable PHP functions in a particular way or with untrusted data. In each case the default SELinux targeted policy for Apache would restrict what a successful exploit is able to do.

3.1.5. Servers and services exploits

Our final class of exploits are those that affect server applications and services, in Table 9. These are the most serious threats.

Tip

The way to reduce your risk from exploits is to make sure your systems have all applicable security updates installed. The Red Hat Network can help keep track of this.

3.2. Worms

Worms take advantage of vulnerabilities in order to compromise systems, then use the compromised system to seek out other systems to infect. By our definition, any vulnerability that could be exploited in this way would be classed as severity critical. In the first section of this report we listed every vulnerability that was rated as critical severity and showed that only a subset of those vulnerabilities could be actually used by worms. This is because we also class as critical some browser vulnerabilities where a victim has to take action (for example visiting a malicious web page) and therefore are not exploitable by a worm.

Worms affecting Linux platforms have been quite scarce in the last few years, and the anti-virus vendors who track malware recorded only two (although some variants of each exist) during the four year period of this study:

• Linux/MARE was discovered in November 2005 and was a worm that spread by exploiting a flaw in PHP-Nuke. PHP-Nuke is not shipped as part of Red Hat Enterprise Linux.
• Linux/Lupper was also discovered in November 2005 and was a worm designed to exploit CVE-2005-1921, a flaw in the PHP PEAR XML-RPC server package exploitable through a number of third party PHP applications. None of the affected third-party applications were shipped as part of Red Hat Enterprise Linux. Additionally, a PHP update in July 2005 fixed the underlying flaw in PHP. Even users that had not patched were also protected from this worm by the default SELinux configuration.

Without critical vulnerabilities to allow attackers to remotely exploit machines, we saw attackers instead try to focus on exploiting weak configurations. During the period of this study we tracked attempts by attackers to exploit machines with stolen passwords and brute-force password tools. The tools simply looked for internet-accessible SSH services they could connect to, then tried to log in with lots of combinations of common usernames and passwords. Restricting access to SSH remotely, moving the SSH daemon to a different port, and making sure all your users have strong passwords or use key authentication are all useful defenses against this particular attack.

4. Conclusion

The aim of this report was to get a measure of the security risk to users of Red Hat Enterprise Linux 4 during the first four years since release. We’ve shown that although on the surface it looks like Red Hat released a large number of security advisories, many of them do not apply to usual or default installations, and only a very small subset are a high risk. We’ve shown:

• A default installation of Enterprise Linux 4 AS was vulnerable to ten critical security issues over the first four years
• A customised installation of Enterprise Linux 4, selecting every package, would have been vulnerable to 114 critical browser security issues, and 16 in non-browser packages in the four years. 87% of those vulnerabilities had fixes to correct them available from the Red Hat Network within one calendar day of them being known to the public
• Red Hat knew about 51% of security issues affecting the first four years of Enterprise Linux 4 in advance. The average time between Red Hat knowing about an issue and it being made public was 21 days (median 9
  days)
• We found public exploits for 59 vulnerabilities that could have affected a customised full installation, although the majority relied on user interaction or non-default settings. Attempts to use many of the exploits would be caught by standard Enterprise Linux 4 security innovations
• The most likely successful exploits allowed a local unprivileged user to gain root privileges on an unpatched Enterprise Linux 4 machine
• Two worms targeting Linux systems were found during the four years, but both affected third party PHP applications not shipped in Red Hat Enterprise Linux 4. In addition, an update to PHP released over three months before one of the worms was released protected systems that had installed the third party applications

It would be foolish to draw conclusions about the future state of security in Red Hat Enterprise Linux 4 solely on the basis of this analysis of the past, however what we’ve tried to do is to enumerate the level of vulnerability and threat and hence overall platform risk. Red Hat treats vulnerabilities in our products and services seriously and the policies of the Red Hat Security Response Team are specifically designed to reduce the risk from security vulnerabilities:

• We place an emphasis on providing the fastest possible, highest quality, turnaround for critical vulnerabilities. We have a Security Response Team distributed globally which can draw on significant Engineering and Quality resources to get the things that matter the most fixed quickly
• We release updates for critical and important security issues as soon as possible rather than batching them into monthly or quarterly updates
• We provide transparency in the handling of vulnerabilities, our methods, and our metrics

All of the raw data used to generate the statistics in this report along with some tools to analyse them are available from the Red Hat Security Response Team. We also provide other tools and data that can help security measurement including CVE mappings for all our advisories and OVAL definitions.

5. Further Reading

• What’s new in security for Red Hat Enterprise Linux 4
• Vulnerability Types for Enterprise Linux 4
• Security Features in Red Hat Enterprise Linux and Fedora Core
• SELinux: A New Approach to Secure Systems
• Red Hat Enterprise Linux 4 Security Guide
• Statistics and data from the Security Response Team

6. About the author

Mark J Cox lives in Scotland and is Director of Red Hat Security Response. Over the last 14 years, Mark has developed software and worked on the security teams of some of the most popular open source projects including Apache, mod_ssl, and OpenSSL. Mark is a founding member of the Apache Software Foundation and the OpenSSL project, and a board member of the Mitre CVE project. In his spare time he finds geocaches with his family and occasionally plays music.

Python has a good reputation for tasks like systems programming, network programming, and scripting, but Python for the web is becoming red hot. Part of this has to do with the very popular web framework Django, that was developed at a newspaper to help quickly create Content Management Sites. . Another reason is that Google App Engine–Google’s Cloud Computing offering for developers–only exposes a Python API.

If you are new to Python Web Development, then I’d recommend Django, as it is ideal for building CMS-type applications, social networking websites, and blogs. On the other hand, If you want a hacker’s framework, you might want to give Pylons a look.

Please note: By hacker, I am referring to the kind of hacker Eric Raymond refers to when he writes, “Becoming a hacker will take intelligence, practice, dedication, and hard work. Therefore, you have to learn to distrust attitude and respect competence of every kind. Hackers won’t let posers waste their time, but they worship competence — especially competence at hacking, but competence at anything is valued.”

Ok, so what problem does a hacker’s framework solve that a framework like Django doesn’t? According to some of the Pylons developers, their framework is geared to solve 80/20 problems. Most people—80% of people–want to build blogs, and CMS-type applications. And for that 80%, Django works just great. Of course, the other 20% is where Pylons comes in to play as a “hacker’s framework.”

Philosophically, Pylons is quite different. Pylons abstracts third-party libraries, such as WebOb, Mako, SQLAlchemy, Routes, and Beaker, to make a “hacker’s brew.” These libraries are loosely coupled–not in a internet marketing sense, but in a computer science sense. This means that it is quite easy to swap out the ORM, or templates, or URL routing, and create some alternate development stack. Note, that another hacker’s framework, Werkzeug, also follows a similar philosophy (See the references for more details).

What does a hacker’s framework buy you? Well, it allows you to change your web development paradigm. You no longer need to think in terms of what you can do with the choices defined by a framework. It allows the experienced developer to transcend this potential trap, and think about the actual problem at hand. For example, it may be more productive to start by using SQLAlchemy (the object-relational mapper) by itself.

Once the data model is working as expected, then it could turn into a command line tool, then potentially a WXPython application instead of a web application. Hacker’s frameworks let the developer decide what is best for them at any given situation. Additionally, by focusing on loosely coupling the “best of breed” components, it allows the user of a “hacker” framework, to use literally, the best component for the job. This extra power can come in handy with more complex problems.

Setup

In this article we dive into building an AJAX blog using Pylons. We cheat by using the bookmark tagging site, Del.icio.us as an admin interface that we don’t have to write. When a user creates content on Delicious, the Google AJAX feed API allows that content to be displayed locally on the web page. This is one of the most efficient type of blog that someone can create, as it reuses existing code, APIs, and services.

Building a Pylons AJAX blog

To get started you can download the whole example and run it, or you can follow the steps below. Note that in version control, each step is a separate Pylons project.

[ Step 1] http://code.google.com/p/pyatl-pylons/source/browse/#svn/trunk/1

1: Download http://www.pylonshq.com/download/0.9.7/go-pylons.py

ngift@noah][H:10471][J:0]# python gopylons.py --no-site-packages pylonsblog
New python executable in pylonsblog/bin/python
Installing setuptools..........................done.
Searching for Pylons
[snip]

Note: You will need to meet all requirements of the package.

2:

cd pylonsblog

3: Active environ

source bin/activate

4: Make project

mkdir -p src
paster create --template=pylons ajaxblog

5: Get Pylons running

cd ajaxblog

paster serve development.ini

6: Make a controller

paster controller blog

cd ajaxblog/controller to verify

go to page:

http://localhost:5000/blog

See Hello World, change it.

"Hello Red Hat Magazine"

[Step 2] http://code.google.com/p/pyatl-pylons/source/browse/#svn/trunk/step2

7: Change front page

Add your own content to public/index.html

8: Add a couple of templates, and hook up to blog controller

Create base.html
Create blog.html

Add this line to blog.html:

Hello from blog.html template: Red Hat Magazine

9: Change controller to render template

Edit controller/blog.py to this:

class BlogController(BaseController):

    def index(self):
        # Return a rendered template
        #   return render('/some/template.mako')
        # or, Return a response
        return render('/blog.html')

[Step 3] http://code.google.com/p/pyatl-pylons/source/browse/#svn/trunk/step3

10: Get Buzzword compliant: Adding AJAX, RSS, Mashup and Google

A. Sign up for AJAX RSS Developer Key:

http://code.google.com/apis/ajaxfeeds/

B. Add javascript Code to base.html
C. Call feed div in blog.html

11: See RSS Feed appear

If you go to localhost:5000/blog you will see my last RSS feeds

[Step 4] http://code.google.com/p/pyatl-pylons/source/browse/#svn/trunk/step4

Bonus Points: Try to add persistent comments using the SQLAlchemy ORM on your own!

Summary

In this article we explored some of the ideas behind Pylons, a hacker’s framework, and how it differs from a philosophy framework, like Django or Ruby on Rails. Note by philosophy framework, I am referring to how a developer must abide by the opinions of the developer of the framework, such as in the case of Django templates where a developer is handcuffed against running code in the template. For example, their idea of perfection might be different then yours. Some people refer to this as being an “opinionated” framework. Each one has its purpose, and place. If you just want to make a Content Management website MS website for your American Literature class project, then maybe a hacker’s framework isn’t suited for you or the project, as it is overkill. On the other hand, if you want maximum flexibility, power, (and, of course, “street cred”) you might give a hacker’s framework a try.

Finally, we got into making an actual Pylons AJAX blog that used Delicious to suck in feeds. This was accomplished by reusing code via the Google AJAX Feed API. Ok, enough talk, get to hacking….

Extra Credit: If you are interested diving into a more complex Pylons project template on your own take a look at this source code url. Jonathan Ellis, a Python hacker known for his work with SQLAlchemy, has donated a do-it-yourself tutorial on using FormAlchemy to create a simple blog in Pylons. I have included a link to his original article on the topic in the reference section.

References

Pylons Book: http://pylonsbook.com/alpha1/toc
Google AJAX Feed API: http://code.google.com/apis/ajaxfeeds/
SQLAlchemy: http://www.sqlalchemy.org/
Using SQLAlchemy: http://www.ibm.com/developerworks/aix/library/au-sqlalchemy/
How To Become a Hacker: http://www.catb.org/~esr/faqs/hacker-howto.html
Google App Engine: http://code.google.com/appengine/
WebOb: http://pythonpaste.org/webob/
Source Code For Example: http://pyatl-pylons.googlecode.com/svn/trunk/
Werkzeug (An alternate hacker’s framework): http://werkzeug.pocoo.org
Loose Coupling Computer Science Definition: http://en.wikipedia.org/wiki/Loose_coupling#Definition
Pylons FormAlchemy How To: http://spyced.blogspot.com/2008/10/formalchemy-10.html
Extra Credit Project: http://code.google.com/p/pyatl-pylons/source/browse/#svn/trunk/bonus_project_form_validation_jonathan_ellis

About the author

Noah Gift is the co-author of “Python For Unix and Linux” by O’Reilly, and “Google App Engine in Action” by Manning. He is an author, speaker, consultant, and community leader, writing for publications such as IBM Developerworks, Red Hat Magazine, O’Reilly, Manning and MacTech. He has a Master’s degree in CIS from Cal State Los Angeles, B.S. in Nutritional Science from Cal Poly San Luis Obispo, is an Apple and LPI certified sysadmin, and has worked at companies such as, Caltech, Disney Feature Animation, Sony Imageworks, Turner Studios, and–most recently–WetaDigital.

In the second installment of the Spotlight On series, we feature Red Hat engineer Richard Hughes on the fantastic new abstraction layer called PackageKit. PackageKit allows users to manage packages in a secure way using a cross-distro, cross-architecture API. This maintains a common set of GUI features, enabling the user to have a better session experience overall. For more information, visit www.packagekit.org.

co-authored with Grig Gheorghiu

Background

The dd command is one of those ancient UNIX tools that is extremely powerful, yet at the same time, the syntax can make it feel slightly archaic. A lot of seasoned sysadmins and developers still remember the first time they saw the dd command used by a bearded wizard. He might have used it to test the disk I/O, capture a disk image, or restore it.

In some ways, dd can seem like Old Spice–only the guys over 60 use it. But the younger generation should know that dd still has some tricks up its sleeve. In this article, we’re going to put a new twist on this old favorite and show how grandpappy really does know best sometimes. The new twist is to mix dd with Python and the Google Chart API to make a UNIX 2.0 mashup tool. (“UNIX 2.0″ is a play on words for what happens when you change the original behavior of a tool like dd to make it do something a bit different.)

Setup

For this article, we assume you’re running Fedora Core 8. We’re actually just renting some time from Amazon in all of these examples. To do that we allocated a 1 GB Elastic Block Storage volume from Amazon and attached it as the device /dev/sdd to an Amazon Machine Instance (AMI) running Fedora Core 8. Learn more about using Amazon Cloud Computing with Red Hat.

Using dd for disk benchmarking with Google Charts API and Python

We benchmarked the throughput of the disk by running the dd command with various block sizes from 128 KB to 1 MB. (Note: If you want to run the script on your own machine, make sure that the volume you use doesn’t contain any valuable data, because the data will be erased by the dd command. Remember, data loss makes grandpappy mad!)

For the benchmark, we wrote a Python script that uses the commands module to run and capture the output of the dd command. The script also uses the csv module to generate a comma-separated values file so that we can graph the results later. For this example, we chose to graph the results using the Google Chart API.

#!/usr/bin/env python
import commands
import re
import csv

Next we define the main function, which takes a device name and a block size as parameters, and returns the throughput measured with dd and the unit of measure (e.g. MB/s). We use the regular expression module (re) to isolate the throughput value and unit of measure from the output of the dd command.

Editor’s note: In the code below, unit = "" has been added since the article was posted.

def get_disk_throughput(device, blocksize):

    blocksize = str(blocksize) + 'k'

    cmd = "dd if=/dev/zero of=%s bs=%s" % (device, blocksize)

    output = commands.getoutput(cmd)

    throughput = 0

    unit = ""

    for line in output.split('\n'):

        s = re.search(' copied,.*, (\S+) (\S+)$', line)

        if s:

            throughput = s.group(1)

            unit = s.group(2)

            break

    return (throughput, unit)

Here is the portion of the script that is executed when it’s run from the command line. We open a csv file and associate it with a csv writer. We then use the writerow method of the writer to append the header and each data row. We iterate over the list of block sizes and call the get_disk_throughput function for each block size.

We also compose the Google Chart URL by filling in the exact data values, represented by the throughput numbers that we obtain from the get_disk_throughput function. Then we print the URL to stdout. If you check the URL, you’ll see the chart generated with our data.

For details on the Google Chart API and what each parameter to the URL represents, see the Developer’s Guide.

Editor’s note: This is an updated version of the code that originally appeared with this article. It has command-line argument processing, and it composes the Google Chart URL in a better, more self-explanatory fashion. See the end of the article for the original.

f = open('disk_throughput.csv', 'w')
        writer = csv.writer(f)
        writer.writerow( ('Block size (KB)', 'Throughput') )
        blocksizes = [128, 256, 512, 1024]
        gchart_url = "http://chart.apis.google.com/chart?"
        gchart_type = "cht=bvs"
        gchart_title = "&chtt=Disk%20throughput"
        gchart_size = "&chs=400x250"
        gchart_axis_labels = "&chxt=x,y"
        gchart_data = "&chd=t:"
        gchart_labels = "&chl="
        max_t = 0.0
        for blocksize in blocksizes:
            (t, u) = get_disk_throughput(device, blocksize)
            if float(t) > max_t:
                max_t = float(t)
            writer.writerow( (blocksize, t) )
            print 'Block Size: %sk Throughput: %s %s' % (blocksize, t, u)
            gchart_data += t + ","
            gchart_labels += str(blocksize) + "k" + "|"
        gchart_data = gchart_data.rstrip(',')
        gchart_labels = gchart_labels.rstrip('|')
        gchart_axis_range = "&chxr=1,0," + str(max_t+10.0)
        gchart_scaling = "&chds=0," + str(max_t+10.0)
        gchart_url += gchart_type + gchart_title + gchart_size + gchart_data + gchart_labels
        gchart_url += gchart_axis_labels + gchart_axis_range + gchart_scaling
        print "Google Chart URL (just paste in a browser):", gchart_url
    finally:
        f.close()

Here is the output of the script in one of our runs:

Block Size: 128 Throughput: 62.8 MB/s

Block Size: 256 Throughput: 61.8 MB/s

Block Size: 512 Throughput: 57.1 MB/s

Block Size: 1024 Throughput: 56.5 MB/s

Now here is the actual image that gets created:

Full script

#!/usr/bin/env python

import sys
import commands
import re
import csv
from optparse import OptionParser

def get_disk_throughput(device, blocksize):
    blocksize = str(blocksize) + 'k'
    cmd = "dd if=/dev/zero of=%s bs=%s" % (device, blocksize)
    output = commands.getoutput(cmd)
    throughput = 0
    unit = ""
    for line in output.split('\n'):
        s = re.search(' copied,.*, (\S+) (\S+)$', line)
        if s:
            throughput = s.group(1)
            unit = s.group(2)
            break
    return (throughput, unit)

if __name__ == "__main__":

    usage = "usage: %prog options"
    parser = OptionParser(usage=usage)
    parser.add_option("-d", "--device", dest="device",
            help="Disk device to operate on (NOTE: any data on that device will be lost)")
    (options, args) = parser.parse_args()
    device = options.device
    if not device:
        parser.print_help()
        sys.exit(1)

    try:
        f = open('disk_throughput.csv', 'w')
        writer = csv.writer(f)
        writer.writerow( ('Block size (KB)', 'Throughput') )
        blocksizes = [128, 256, 512, 1024]
        gchart_url = "http://chart.apis.google.com/chart?"
        gchart_type = "cht=bvs"
        gchart_title = "&chtt=Disk%20throughput"
        gchart_size = "&chs=400x250"
        gchart_axis_labels = "&chxt=x,y"
        gchart_data = "&chd=t:"
        gchart_labels = "&chl="
        max_t = 0.0
        for blocksize in blocksizes:
            (t, u) = get_disk_throughput(device, blocksize)
            if float(t) > max_t:
                max_t = float(t)
            writer.writerow( (blocksize, t) )
            print 'Block Size: %sk Throughput: %s %s' % (blocksize, t, u)
            gchart_data += t + ","
            gchart_labels += str(blocksize) + "k" + "|"
        gchart_data = gchart_data.rstrip(',')
        gchart_labels = gchart_labels.rstrip('|')
        gchart_axis_range = "&chxr=1,0," + str(max_t+10.0)
        gchart_scaling = "&chds=0," + str(max_t+10.0)
        gchart_url += gchart_type + gchart_title + gchart_size + gchart_data + gchart_labels
        gchart_url += gchart_axis_labels + gchart_axis_range + gchart_scaling
        print "Google Chart URL (just paste in a browser):", gchart_url
    finally:
        f.close()

Summary

In this article we shattered the myth that you must be 60, have a massive grey beard, and have worked at Bell Labs to use the dd command. Even for a newer generation, dd can be used in some inventive ways. We combined Python, the Google Chart API, and Red Hat on Amazon’s cloud computing infrastructure to create a novel way to measure and chart disk I/O and performance. Go celebrate by buying yourself a bottle of Old Spice.

References

Python: http://www.python.org/
dd example scripts: http://tldp.org/LDP/abs/html/extmisc.html
Google Chart API: http://code.google.com/apis/chart/

Original code

if __name__ == "__main__":

    try:

        f = open('disk_throughput.csv', 'w')

        writer = csv.writer(f)

        writer.writerow( ('Block size (KB)', 'Throughput') )

        device = '/dev/sdd'

        blocksizes = [128, 256, 512, 1024]

        google_chart_url = "http://chart.apis.google.com/chart?cht=bvs&chd=t:"

        google_chart_data = ""

        google_chart_labels = ""

        max_t = 0.0

        for blocksize in blocksizes:

            (t, u) = get_disk_throughput(device, blocksize)

            if float(t) > max_t:

                max_t = float(t)

            writer.writerow( (blocksize, t) )

            print 'Block Size: %s Throughput: %s %s' % (blocksize, t, u)

            google_chart_data += t + ","

            google_chart_labels += str(blocksize) + "k" + "|"

        google_chart_data = google_chart_data.rstrip(',')

        google_chart_labels = google_chart_labels.rstrip('|')

        google_chart_url += google_chart_data +"&chl=" + google_chart_labels

        google_chart_url += "&chtt=Disk%20throughput" +"&chs=400x250&chxt=x,y"

        google_chart_url += "&chxr=1,0,%s&chds=0,%s" % (str(max_t+10.0), str(max_t+10.0))

        print google_chart_url

    finally:

        f.close()

Authors

Noah Gift is the co-author of Python For Unix and Linux by O’Reilly, and Google App Engine in Action by Manning. He is an author, speaker, consultant, and community leader, writing for publications such as IBM Developerworks, Red Hat Magazine, O’Reilly, Manning, and MacTech. He has a master’s degree in CIS from Cal State Los Angeles, a B.S. in nutritional science from Cal Poly San Luis Obispo, and is an Apple and LPI certified sys admin. He’s worked at companies that include Caltech, Disney Feature Animation, Sony Imageworks, Turner Studios, and most recently, WetaDigital.

Grig Gheorghiu is the director of technology for RIS Technology, a web hosting company based in Los Angeles. Grig has 15 years industry experience, during which time he has worked as a programmer, research lab manager, system/network/security architect, IT consultant, and lead test engineer.

Grig is an active member of the Python and agile testing communities. He maintains a blog dedicated to agile testing, Python programming, and automated testing tools and techniques. Grig is the founder of the Southern California Python Interest Group, aka “the SoCal Piggies”. He lives in Los Angeles with his wife and two children.

Guvnor is the business rules management system in Drools 5. When you deploy it out of the box, you get an unsecured web application that stores data in Jackrabbit’s embedded Derby database.

This two-part article explains how to tune Guvnor deployed on JBoss Application Server 4.2.3. (If you missed the first half of the series, catch up in our archives.)This means that we will use the container’s configuration files and security infrastructure. This installment covers enabling password validation based on an OpenLDAP server, moving from the default data repository, and enabling SSL for better security.

1. Use OpenLDAP as a user repository
2. Use MySQL as a data repository
3. Enable SSL
4. How to use a secured Guvnor package
5. Summary

Use OpenLDAP as a user repository

There are several reasons why you would want to use an LDAP directory instead of a clear text file — security, provisioning, and reuseability are just a few. First of all, we need a directory. OpenLDAP will do for this example. Download and extract the bits from the OpenLDAP home page. In this example, I’ve used openldap-2.3.39.tgz. Next, go to the directory where you’ve extracted the installation files and perform following steps:

$ mkdir -p /data/openldap-2.3.39
$ ./configure --prefix=/data/openldap-2.3.39
$ make depend
$ make
$ make install

For more detailed instructions, look at the INSTALL file or the OpenLDAP Administrator’s Guide.

The next instructions will configure our directory and create a tree which looks like this:

We need to initialize the LDAP server and provide data like the root suffix, directory manager, and password. We also want to enable SSL like so:

$ mkdir /data/openldap-2.3.39/ssl
$ openssl req -newkey rsa:1024 -x509 -nodes -out /data/openldap-2.3.39/ssl/server.pem -keyout /data/openldap-2.3.39/ssl/server.pem -days 365
Generating a 1024 bit RSA private key
....++++++
................++++++
writing new private key to 'server.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:EU
State or Province Name (full name) [Berkshire]:Mazovia
Locality Name (eg, city) [Newbury]:Warsaw
Organization Name (eg, company) [My Company Ltd]:Kijanowski
Organizational Unit Name (eg, section) []:Guvnor
Common Name (eg, your name or your server's hostname) []:localhost
Email Address []:a@a.a

Since this is a self-signed certificate we will need to add it to the client’s (JBoss AS) truststore.

$ openssl
OpenSSL> x509 -inform PEM -outform DER -in /data/openldap-2.3.39/ssl/server.pem -out /data/openldap-2.3.39/ssl/server.der
OpenSSL> exit

$ keytool -import -file /data/openldap-2.3.39/ssl/server.der -keystore $JBOSS_SERVER/conf/ldap.truststore

Enter keystore password:  qwerty
Owner: EMAILADDRESS=a@a.a, CN=localhost, OU=Guvnor, O=Kijanowski, L=Warsaw, ST=Mazovia, C=EU
Issuer: EMAILADDRESS=a@a.a, CN=localhost, OU=Guvnor, O=Kijanowski, L=Warsaw, ST=Mazovia, C=EU
Serial number: d8537a079c5eed59
Valid from: Wed Jul 16 18:35:50 CEST 2008 until: Thu Jul 16 18:35:50 CEST 2009
Certificate fingerprints:
         MD5:  25:C5:88:7B:D4:88:02:46:F1:EF:0D:6B:D6:EE:1F:A7
         SHA1: 57:B8:F4:25:77:F0:12:BD:B2:2E:DD:7D:CE:09:D2:D4:96:56:BC:26
Trust this certificate? [no]:  yes
Certificate was added to keystore

To enable the new truststore, edit $JBOSS_SERVER/deploy/properties-service.xml and add following lines:

    javax.net.ssl.trustStore=/data/jboss-4.2.3.GA/server//conf/ldap.truststore
    javax.net.ssl.trustStorePassword=qwerty

Now edit the file /data/openldap-2.3.39/etc/openldap/slapd.conf:

include         /data/openldap-2.3.39/etc/openldap/schema/core.schema
include         /data/openldap-2.3.39/etc/openldap/schema/cosine.schema
include         /data/openldap-2.3.39/etc/openldap/schema/inetorgperson.schema

pidfile         /data/openldap-2.3.39/var/run/slapd.pid
argsfile        /data/openldap-2.3.39/var/run/slapd.args

database        bdb
suffix          "dc=kijanowski,dc=eu"
rootdn          "cn=DirManager,dc=kijanowski,dc=eu"
rootpw          secret
directory       /data/openldap-2.3.39/var/openldap-data
index   objectClass     eq

TLSCipherSuite HIGH:MEDIUM:-SSLv2
TLSCACertificateFile /data/openldap-2.3.39/ssl/server.pem
TLSCertificateFile /data/openldap-2.3.39/ssl/server.pem
TLSCertificateKeyFile /data/openldap-2.3.39/ssl/server.pem
TLSVerifyClient never

The rootpw attribute should be changed from ’secret’ to:

$ /data/openldap-2.3.39/sbin/slappasswd -s admin123

where ‘admin123′ is the new directory manager’s password. For better performance, you can create a config file for the backend database or copy the sample configuration file like so:

$ cp /data/openldap-2.3.39/var/openldap-data/DB_CONFIG.example /data/openldap-2.3.39/var/openldap-data/DB_CONFIG

To start the server with a customized listener, run:

$ /data/openldap-2.3.39/libexec/slapd -h ldaps://localhost:16636

You can make sure your LDAP server is up and running (listening) by running:

$ netstat -an|grep 16636
tcp        0      0 127.0.0.1:16636             0.0.0.0:*                   LISTEN

To create tree like the one shown above, we need to add the following myorg.ldif file:

dn: dc=kijanowski,dc=eu
objectclass: top
objectclass: dcObject
objectclass: organization
dc: kijanowski
o: kijanowski

dn: o=guvnor,dc=kijanowski,dc=eu
objectclass: top
objectclass: organization
o: guvnor

dn: ou=People,o=guvnor,dc=kijanowski,dc=eu
objectclass: top
objectclass: organizationalUnit
ou: People

dn: uid=admin,ou=People,o=guvnor,dc=kijanowski,dc=eu
objectclass: top
objectclass: uidObject
objectclass: person
objectClass: inetOrgPerson
uid: admin
cn: Guvnor Admin
sn: Administrator
userPassword: {SSHA}ZGUjbzh0wN0JoWxIAcZfFXpV5MIu/gZw

dn: uid=user1,ou=People,o=guvnor,dc=kijanowski,dc=eu
objectclass: top
objectclass: uidObject
objectclass: person
objectClass: inetOrgPerson
uid: user1
cn: Regular User
sn: Regular
userPassword: {SSHA}Gcif1SlGPu2vHrtoLGYlKXbKBytJiVVF

dn: ou=Roles,o=guvnor,dc=kijanowski,dc=eu
objectClass: top
objectClass: organizationalUnit
ou: Roles

dn: cn=admin,ou=Roles,o=guvnor,dc=kijanowski,dc=eu
objectClass: top
objectClass: groupOfNames
cn: admin
description: the GuvnorAdmin group
member: uid=admin,ou=People,o=guvnor,dc=kijanowski,dc=eu

dn: cn=regular,ou=Roles,o=guvnor,dc=kijanowski,dc=eu
objectClass: top
objectClass: groupOfNames
cn: regular
description: the Guvnor Regular group
member: uid=user1,ou=People,o=guvnor,dc=kijanowski,dc=eu

The passwords for admin and user1 are ‘9uvn04′ and ‘user1′ (respectively) and were generated with slappasswd. To add this ldif to our directory, we will use an ldap client application called ldapadd. First we need to update its configuration to be able to talk over SSL. Edit the file /data/openldap-2.3.39/etc/openldap/ldap.conf and add following line:

TLS_REQCERT allow

This will prevent us from getting errors like these:

client side:
ldap_initialize( ldaps://localhost:16636 )
ldap_bind: Can't contact LDAP server (-1)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

server side:
TLS trace: SSL3 alert read:fatal:unknown CA
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c:1057
connection_read(11): TLS accept failure error=-1 id=4, closing
connection_closing: readying conn=4 sd=11 for close
connection_close: conn=4 sd=11

Now we can add the ldif file to our directory:

$ /data/openldap-2.3.39/bin/ldapadd -x -D "cn=DirManager,dc=kijanowski,dc=eu" -H ldaps://localhost:16636 -w admin123 -f myorg.ldif

adding new entry "dc=kijanowski,dc=eu"
adding new entry "o=guvnor,dc=kijanowski,dc=eu"
adding new entry "ou=People,o=guvnor,dc=kijanowski,dc=eu"
adding new entry "uid=admin,ou=People,o=guvnor,dc=kijanowski,dc=eu"
adding new entry "uid=user1,ou=People,o=guvnor,dc=kijanowski,dc=eu"
adding new entry "ou=Roles,o=guvnor,dc=kijanowski,dc=eu"
adding new entry "cn=admin,ou=Roles,o=guvnor,dc=kijanowski,dc=eu"
adding new entry "cn=regular,ou=Roles,o=guvnor,dc=kijanowski,dc=eu"

The last step is to configure JAAS in $JBOSS_SERVER/conf/login-config.xml. Replace the previous file based login module with this one:

            ldaps://localhost:16636
            ssl
            cn=DirManager,dc=kijanowski,dc=eu
            admin123

            ou=People,o=guvnor,dc=kijanowski,dc=eu
            (uid={0})

            ou=Roles,o=guvnor,dc=kijanowski,dc=eu
            (member={1})
            cn

            -1
            ONELEVEL_SCOPE

Now restart JBoss AS and try to login as admin with password 9uvn04. The application server will talk with the OpenLDAP server over SSL. If you want to shutdown the OpenLDAP server you need to determine its PID and interrupt it by sending the process a SIGINT signal:

$ kill -INT `cat /data/openldap-2.3.39/var/run/slapd.pid`

Use MySQL as a data repository

Jackrabbit has been chosen as a Java Content Repository (JCR) implementation. By default, it uses the Derby database as a backend. You may want to switch to a database you are more familiar with, and can regularly back up and properly tune. If you have already used the file-based repository and don’t want to loose all your assets, export them. After MySQL is up and running, import them back. To export your current repository, go to the ‘Administration’ menu on the left side, expand ‘Admin,’ choose ‘Import/Export,’ and click on ‘Export’:

Shut down the server and set up MySQL as your new repository. First, download MySQL and extract it. I will use the community server 5.0.51a standard, extracted to /data/mysql-5.0.51. As root, perform the following steps. (For more details, have a look at the INSTALL-BINARY file):

$ /usr/sbin/groupadd mysql5
$ /usr/sbin/useradd -g mysql5 mysql5
$ cd /data/mysql-5.0.51
$ chown -R mysql5 .
$ chgrp -R mysql5 .
$ /data/mysql-5.0.51/scripts/mysql_install_db --user=mysql5

$ chown -R root .
$ chown -R mysql5 data

# now start MySQL
$ /data/mysql-5.0.51/bin/mysqld_safe --user=mysql5 &

# and create a password for root
$ /data/mysql-5.0.51/bin/mysqladmin -u root password mysqladminpwd
To shutdown the MySQL server run:
$ /data/mysql-5.0.51/bin/mysqladmin -u root shutdown -p
Logout as root and log in to MySQL to create a user and database for Guvnor:
$ /data/mysql-5.0.51/bin/mysql -u root -p
mysql> create database guvnor;
Query OK, 1 row affected (0.00 sec)

mysql> grant all privileges on guvnor.* to 'guvnor-user'@'localhost' identified by 'guvnor-pwd';
Query OK, 0 rows affected (0.00 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

Now the DB side is complete.

Edit the $GUVNOR/WEB-INF/components.xml file and provide a path to where you would like to keep the repository configuration files. You can leave the default value–which is the JBoss Application Server’s bin directory–however it is recommended to provide a location that is regularly backed up. Under the ‘repositoryConfiguration’ component add:

/data/GuvnorRepo/

This last step creates a repository.xml file. It is created by default when running Guvnor the first time and is placed into the AS bin directory. This file configures the data repository. We would like to use MySQL, so we will create /data/GuvnorRepo/repository.xml:

As you see we’re using the com.mysql.jdbc.Driver, so we need to provide it. Download the mysql java connector from MySQL, unzip it, and copy the JAR file to $JBOSS_SERVER/lib. (I’m using mysql-connector-java-5.1.6.)

Now you can start the app server. If you have exported your assets, just go to the ‘Administration’ menu, expand ‘Admin,’ choose ‘Import/Export,’ and import your xml file. Please note that you have to unzip your exported xml file before you can upload it.

Enable SSL

The last tweak is enabling SSL. It not only provides security, but also ensures the transmitted data hasn’t been modified. This is strictly a server-side task.

First, we need a certificate. Please note that as the “first and last name” you have to provide the fully qualified domain name of the host. For testing purposes you can use localhost like so:

$ keytool -genkey -alias guvnor -keyalg RSA -keystore $JBOSS_SERVER/conf/guvnor.keystore -validity 365

Enter keystore password:  guvnorkspwd
What is your first and last name?
  [Unknown]:  localhost
What is the name of your organizational unit?
  [Unknown]:  My Department
What is the name of your organization?
  [Unknown]:  My Company
What is the name of your City or Locality?
  [Unknown]:  My City
What is the name of your State or Province?
  [Unknown]:  My State
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=My Name, OU=My Department, O=My Company, L=My City, ST=My State, C=US correct?
  [no]:  yes

Enter key password for
        (RETURN if same as keystore password):

Now we can enable an SSL connector. Edit the file $JBOSS_SERVER/deploy/jboss-web.deployer/server.xml like so:

Restart your JBoss Application Server. Guvnor should be available at https://localhost:8443/drools-guvnor.

How to use a secured Guvnor package

The last part of this article shows how you can access a drools package from Guvnor in a secure way. This is very straight forward if you use certificates signed by trusted authorities. In our test environment, it’s a little bit more complicated since we use self-signed certificates.

First create a package and deploy it. I’ll use the package we made during the quick introduction. This package is available under https://localhost:8443/drools-guvnor/org.drools.guvnor.Guvnor/package/myNewPackage/LATEST. Replace the url attribute with the new value in Guvnor.properties:

url=https://localhost:8443/drools-guvnor/org.drools.guvnor.Guvnor/package/myNewPackage/LATEST

One would expect that running the Drools application should end successfully, however this is not the case:

RuleAgent(default) INFO (Wed Jul 23 20:38:03 CEST 2008): Configuring with newInstance=false, secondsToRefresh=-1
RuleAgent(default) INFO (Wed Jul 23 20:38:03 CEST 2008): Configuring package provider : URLScanner monitoring URLs:  https://localhost:8443/drools-guvnor/org.drools.guvnor.Guvnor/package/myNewPackage/LATEST
RuleAgent(default) WARNING (Wed Jul 23 20:38:04 CEST 2008): Was an error contacting https://localhost:8443/drools-guvnor/org.drools.guvnor.Guvnor/package/myNewPackage/LATEST. Reponse header: {}
RuleAgent(default) EXCEPTION (Wed Jul 23 20:38:04 CEST 2008): Was unable to reach server.. Stack trace should follow.
java.io.IOException: Was unable to reach server.
        at org.drools.agent.URLScanner.hasChanged(URLScanner.java:149)
        at org.drools.agent.URLScanner.getChangeSet(URLScanner.java:113)
        at org.drools.agent.URLScanner.loadPackageChanges(URLScanner.java:90)
        at org.drools.agent.RuleAgent.checkForChanges(RuleAgent.java:341)
        at org.drools.agent.RuleAgent.refreshRuleBase(RuleAgent.java:300)
        at org.drools.agent.RuleAgent.configure(RuleAgent.java:285)
        at org.drools.agent.RuleAgent.init(RuleAgent.java:209)
        at org.drools.agent.RuleAgent.newRuleAgent(RuleAgent.java:177)
        at org.drools.agent.RuleAgent.newRuleAgent(RuleAgent.java:149)
        at org.drools.agent.RuleAgent.newRuleAgent(RuleAgent.java:217)
        at kijanowski.eu.GuvnorTest.main(GuvnorTest.java:12)
Exception in thread "main" java.lang.NullPointerException
        at org.drools.agent.RuleAgent.refreshRuleBase(RuleAgent.java:301)
        at org.drools.agent.RuleAgent.configure(RuleAgent.java:285)
        at org.drools.agent.RuleAgent.init(RuleAgent.java:209)
        at org.drools.agent.RuleAgent.newRuleAgent(RuleAgent.java:177)
        at org.drools.agent.RuleAgent.newRuleAgent(RuleAgent.java:149)
        at org.drools.agent.RuleAgent.newRuleAgent(RuleAgent.java:217)
        at kijanowski.eu.GuvnorTest.main(GuvnorTest.java:12)

If you navigate with your browser to this URL, you will be asked to accept the non-signed certificate. In case of our test application, we need to trust the server by importing its public key to our (temporary) local keystore:

$ mkdir /data/ssl

# export the public key
$ keytool -export -alias guvnor -keystore $JBOSS_SERVER/conf/guvnor.keystore -file /data/ssl/out.cert

# you don't have to provide a password
Enter keystore password:

*****************  WARNING WARNING WARNING  *****************
* The integrity of the information stored in your keystore  *
* has NOT been verified!  In order to verify its integrity, *
* you must provide your keystore password.                  *
*****************  WARNING WARNING WARNING  *****************

Certificate stored in file 

# import this key to a local truststore
$ keytool -import -alias guvnor -file /data/ssl/out.cert -keystore /data/ssl/myKS

Enter keystore password:  qwerty
Owner: CN=localhost, OU=My Department, O=My Company, L=My City, ST=My State, C=US
Issuer: CN=localhost, OU=My Department, O=My Company, L=My City, ST=My State, C=US
Serial number: 48862cb6
Valid from: Tue Jul 22 20:53:42 CEST 2008 until: Wed Jul 22 20:53:42 CEST 2009
Certificate fingerprints:
         MD5:  81:FD:97:97:12:E7:2B:94:DA:62:35:11:2C:2B:4E:2B
         SHA1: 7E:B1:36:F4:C9:F9:45:5A:98:F2:F1:46:F6:58:E6:0D:81:46:EC:B5
Trust this certificate? [no]:  yes
Certificate was added to keystore

Now we have a keystore with a server’s key that we trust. To use this keystore, just start the drools application with the following property:

-Djavax.net.ssl.trustStore=/data/ssl/myKS

In Eclipse, click on GuvnorTest.java. From the menu Run -> Open Run Dialog and then add this property to the VM arguments:

Now your Drools application runs in a secure environment.

Summary

This article has shown how you can upgrade your BRMS, which should only be deployed out-of-the-box for testing purposes. For a multiuser environment with mission-critical applications, Guvnor should be tuned. Have a look at this blog post, the JSSE Reference Guide or the key tool docs page for more details about the tools we used. For LDAP browsing I recommend this user-friendly and light-weight tool.

Voice over Internet Protocol (VoIP) has emerged as a popular technology for modern voice communications. Many organizations have replaced their analog or proprietary digital telephone systems with VoIP-based solutions. This allows the consolidation of telephone services into an existing IP infrastructure. In addition, using IP to host voice services lets the organization leverage existing expertise–while retaining all of the network’s management advantages. Though not without its disadvantages, VoIP provides a compelling option to those looking for a telephone solution.

This article will present a simple VoIP solution using Asterisk, an open source private branch exchange (PBX) product. It will show you how to install Asterisk, configure it using its LDAP backend, and connect to it using the Ekiga software VoIP client and a Cisco 7900 Series VoIP telephone to make calls.

Prerequisites

Important note about Asterisk:

Asterisk 1.6 Beta 10 has not yet been released. This version will fix a bug in Asterisk’s realtime LDAP code that causes the server to crash. In the meantime, one may compile the upcoming realtime LDAP module and install it for use with Fedora’s packages. In order to do this, follow the following instructions after installing the Fedora Asterisk packages:

1. Execute “yum install openldap-devel”
2. Download the Asterisk 1.6 Beta 9 source from http://www.asterisk.org/ and extract it.
3. Enter the resulting asterisk-1.6.0-beta9 directory.
4. Apply the patch available at http://www.flyn.org/patches/asterisk-1.6.0-beta9-crashfix/asterisk-1.6.0-beta9-crashfix.patch.gz by downloading it and executing “gunzip -c PATH-TO-PATCH.gz | patch -p1″ from within the asterisk-1.6.0-beta9 directory.
5. Execute “./configure –prefix=/usr –sysconf=/etc”
6. Execute “make res”
7. Execute “cp res/res_config_ldap.so /usr/lib/asterisk/modules/”

There are a few prerequisites to discuss before covering the configuration of Asterisk. First, my instructions assume that you have already installed Fedora 9. Second, you must have an existing LDAP server. The LDAP schema I use in this article is compatible with Fedora Directory Server. I recommend using the FreeIPA system to manage FDS. Fedora 9 provides packages for both FDS (fedora-ds-base) and FreeIPA (ipa-server). Finally, the machine hosting Asterisk must allow incoming UDP connections to ports 5060 (Session Initiation Protocol) and 69 (TFTP) to pass through its firewall.

Note:

In general, the LDAP database is optional. All configurations may be stored in flat files on the Asterisk server’s disk. However, I have chosen to store my Asterisk users and extensions in an LDAP database. This is beneficial for organizations that wish to consolidate user information in LDAP. In addition, Asterisk’s realtime LDAP backend is new to 1.6. I hope to help fill the gap in existing documentation with this article.

Install the Asterisk components by executing the command yum install asterisk asterisk-ldap asterisk-alsa asterisk-voicemail asterisk-voicemail-plain. In order to configure a Cisco 7900 Series VoIP telephone, you will also need to execute yum install tftp-server, have an existing DHCP server (the one on an inexpensive wireless router will work fine) and a copy of Cisco’s Session Initiation Protocol (SIP) software for the phone.

Note:

Depending on how you buy a Cisco telephone, you may need to purchase the rights to Cisco’s SIP software. Cisco telephones are typically sold with support for the proprietary SCCP protocol. In order to use the telephone with SIP, one must load a SIP flash image onto the telephone. This image may not have been included in the original telephone purchase. One way to obtain a license for the software is to purchase a Cisco SmartNet support package. Support for a 7900 Series telephone costs less than $10 and should be available from the vendor that sold you the telephone. I will cover installing the SIP software later in the article.

The Fedora project does not yet package Asterisk’s audio files because their copyright holder has not yet assigned a license to them (see Red Hat Bugzilla bug #428832). These audio files are required to implement features like an echo test and voicemail. Fortunately, it is quite simple to install them. Visit the Asterisk website and download the latest Asterisk 1.6 series release. Inside the Asterisk archive is another, sounds/asterisk-core-sounds-en-gsm-1.4.11.tar.gz. Extract this archive file into /usr/share/asterisk/sounds.

Configuring the Asterisk PBX

The Asterisk PBX has many features and is very flexible. In this section, I will focus on configuring four things: the SIP module, the extensions module, the external configuration engine, and the realtime LDAP backend. Once Asterisk is configured, I will demonstrate how to add SIP users and extensions to your LDAP database.

Asterisk provides a module to support the SIP protocol. SIP is used to set up and tear down a VoIP phone call. Though individual SIP users will be stored in an LDAP database, some global parameters will exist in the following configuration file. Save this configuration as /etc/asterisk/sip.conf:

[general]
videosupport=yes
allow=all
bindaddr=0.0.0.0
realm=example.com

videosupport

Enable support for video streaming.

allow

List of CODEC’s to allow.

bindaddr

IP address of the device to bind to. 0.0.0.0 ensures that Asterisk will listen on all available network devices.

realm

The authentication realm.

We will now move on to define extensions. In many cases, an extension is simply a telephone number that will be associated with a SIP user. Individual extensions, like SIP users, will be stored in an
LDAP database. However, as with the SIP configuration, global parameters will be configured in a file,
/etc/asterisk/extensions.conf. The following example supports the LDAP entries I will use in this article:

[users]
switch => Realtime/@

[demo]
switch => Realtime/@

[default]
include => users
include => demo

This example defines three contexts: default, users, and demo. The line switch => Realtime/@ states that the extensions in a context will be defined using one of Asterisk’s realtime back-ends (in our case, LDAP). Each individual extension will be assigned to one of these contexts. As a collection of available extensions, contexts determine what happens when a user dials a phone number.

Asterisk’s external configuration engines are activated in /etc/asterisk/extconfig.conf. The following example configures Asterisk to pull SIP and extension information using its real-time LDAP back-end:

[settings]
sipusers => ldap,"dc=example,dc=com",sip
sippeers => ldap,"dc=example,dc=com",sip
extensions => ldap,"dc=example,dc=com",extensions
 

This example causes Asterisk to activate its real-time LDAP back-end look for SIP users, SIP peers, and extensions in the LDAP database. In addition, the base DN used for queries is specified.

Note:

All of the examples in this article will use dc=example,dc=com as the LDAP database’s base DN. This should be replaced with your organization’s base DN.

The final configuration file we will write configures Asterisk’s real-time LDAP back-end and should be saved as /etc/asterisk/res_ldap.conf.

[_general]
url=ldaps://ldap.example.com:636
protocol=3
basedn="dc=example,dc=com"
user=cn=Directory Manager
pass=LDAP-PASSWORD

[config]
additionalFilter=(objectClass=AstConfig)
filename = AstConfigFilename
category = AstConfigCategory
variable_name = AstConfigVariableName
variable_value = AstConfigVariableValue
cat_metric = AstConfigCategoryMetric
commented = AstConfigCommented

[extensions]
context  =  AstContext
exten  =  AstExtension
priority = AstPriority
app = AstApplication
appdata = AstApplicationData
additionalFilter=(objectClass=AsteriskExtension)

[sip]
name = cn
amaflags = AstAccountAMAFlags
callgroup = AstAccountCallGroup
callerid = AstAccountCallerID
canreinvite = AstAccountCanReinvite
context = AstAccountContext
dtmfmode = AstAccountDTMFMode
fromuser = AstAccountFromUser
fromdomain = AstAccountFromDomain
fullcontact = AstAccountFullContact
host = AstAccountHost
ipaddr = AstAccountIPAddress
insecure = AstAccountInsecure
mailbox = AstAccountMailbox
md5secret = AstAccountRealmedPassword
nat = AstAccountNAT
deny = AstAccountDeny
permit = AstAccountPermit
pickupgroup = AstAccountPickupGroup
port = AstAccountPort
qualify = AstAccountQualify
restrictcid = AstAccountRestrictCID
rtptimeout = AstAccountRTPTimeout
rtpholdtimeout = AstAccountRTPHoldTimeout
type = AstAccountType
disallow = AstAccountDisallowedCodec
allow = AstAccountAllowedCodec
MusicOnHold = AstAccountMusicOnHold
regseconds = AstAccountExpirationTimestamp
regcontext = AstAccountRegistrationContext
regexten = AstAccountRegistrationExten
CanCallForward = AstAccountCanCallForward
defaultuser = AstAccountDefaultUser
regserver = AstAccountRegistrationServer
additionalFilter = (objectClass=AsteriskSIPUser)

The config, extensions, and sip sections of this file map Asterisk configuration options to LDAP attributes and do not need to be customized. The _general section contains the following options:

url

The URL pointing to the organization’s LDAP server. The example above uses LDAP over SSL on port 636.

protocol

The LDAP version to use.

basedn

The base DN used for queries.

user

The name of the LDAP administrator. Directory Manager is the name used by the Fedora Directory Server.

pass

The LDAP directory manager’s password.

Configuring LDAP

With the exception of actual users and extensions, our simple Asterisk installation is fully configured. We will now finish our installation by adding users and extensions to our LDAP database. First, we need to install an Asterisk schema for LDAP at /etc/dirsrv/slapd-DOMAIN/schema/99asterisk.ldif. After the schema has been installed, restart FDS using service dirsrv restart.

dn: cn=schema
#
attributeTypes: (
  NAME 'AstContext'
  DESC 'Asterisk Context'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  )
#
attributeTypes: (
  NAME 'AstExtension'
  DESC 'Asterisk Extension'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  )
#
attributeTypes: (
  NAME 'AstPriority'
  DESC 'Asterisk Priority'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  )
#
attributeTypes: (
  NAME 'AstApplication'
  DESC 'Asterisk Application'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  )
#
attributeTypes: (
  NAME 'AstApplicationData'
  DESC 'Asterisk Application Data'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  )
#
attributeTypes: (
  NAME 'AstAccountAMAFlags'
  DESC 'Asterisk Account AMA Flags'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  )
#
attributeTypes: (
  NAME 'AstAccountCallerID'
  DESC 'Asterisk Account CallerID'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  )
#
attributeTypes: (
  NAME 'AstAccountContext'
  DESC 'Asterisk Account Context'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  )
#
attributeTypes: (
  NAME 'AstAccountMailbox'
  DESC 'Asterisk Account Mailbox'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  )
#
attributeTypes: (
  NAME 'AstMD5secret'
  DESC 'Asterisk Account MD5 Secret'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  )
#
attributeTypes: (
  NAME 'AstAccountDeny'
  DESC 'Asterisk Account Deny'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  )
#
attributeTypes: (
  NAME 'AstAccountPermit'
  DESC 'Asterisk Account Permit'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  )
#
attributeTypes: (
  NAME 'AstAccountQualify'
  DESC 'Asterisk Account Qualify'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  )
#
attributeTypes: (
  NAME 'AstAccountType'
  DESC 'Asterisk Account Type'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  )
#
attributeTypes: (
  NAME 'AstAccountDisallowedCodec'
  DESC 'Asterisk Account Disallowed Codec'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  )
#
attributeTypes: (
  NAME 'AstAccountExpirationTimestamp'
  DESC 'Asterisk Account Allowed Codec'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  )
#
attributeTypes: (
  NAME 'AstAccountRegistrationContext'
  DESC 'Asterisk Account AMA Flags'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  )
#
attributeTypes: (
  NAME 'AstAccountRegistrationExten'
  DESC 'Asterisk Account AMA Flags'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  )
#
attributeTypes: (
  NAME 'AstAccountNoTransfer'
  DESC 'Asterisk Account AMA Flags'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  )
#
attributeTypes: (
  NAME 'AstAccountCallGroup'
  DESC 'Asterisk Account Call Group'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  )
#
attributeTypes: (
  NAME 'AstAccountCanReinvite'
  DESC 'Asterisk Account Can Reinvite'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  )
#
attributeTypes: (
  NAME 'AstAccountDTMFMode'
  DESC 'Asterisk Account DTMF Flags'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  )
#
attributeTypes: (
  NAME 'AstAccountFromUser'
  DESC 'Asterisk Account From User'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  )
#
attributeTypes: (
  NAME 'AstAccountFromDomain'
  DESC 'Asterisk Account From Domain'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  )
#
attributeTypes: (
  NAME 'AstAccountFullContact'
  DESC 'Asterisk Account Full Contact'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  )
#
attributeTypes: (
  NAME 'AstAccountHost'
  DESC 'Asterisk Account Host'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  )
#
attributeTypes: (
  NAME 'AstAccountInsecure'
  DESC 'Asterisk Account Insecure'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  )
#
attributeTypes: (
  NAME 'AstAccountNAT'
  DESC 'Asterisk Account NAT'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  )
#
attributeTypes: (
  NAME 'AstAccountPickupGroup'
  DESC 'Asterisk Account PickupGroup'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  )
#
attributeTypes: (
  NAME 'AstAccountPort'
  DESC 'Asterisk Account Port'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  )
#
attributeTypes: (
  NAME 'AstAccountRestrictCID'
  DESC 'Asterisk Restrict CallerID'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  )
#
attributeTypes: (
  NAME 'AstAccountRTPTimeout'
  DESC 'Asterisk RTP Timeout'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  )
#
attributeTypes: (
  NAME 'AstAccountRTPHoldTimeout'
  DESC 'Asterisk RTP Hold Timeout'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  )
#
attributeTypes: (
  NAME 'AstAccountRealmedPassword'
  DESC 'Asterisk RTP Hold Timeout'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  )
#
attributeTypes: (
  NAME 'AstAccountAllowedCodec'
  DESC 'Asterisk Account Allowed Codec'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  )
#
attributeTypes: (
  NAME 'AstAccountMusicOnHold'
  DESC 'Asterisk Account Allowed Codec'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  )
#
attributeTypes: (
  NAME 'AstAccountCanCallForward'
  DESC 'Asterisk Can CAll Forward'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  )
#
attributeTypes: (
  NAME 'AstAccountSecret'
  DESC 'Asterisk Can CAll Forward'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  )
#
attributeTypes: (
  NAME 'AstAccountName'
  DESC 'Asterisk Account Username'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  )
#
attributeTypes: (
  NAME 'AstConfigFilename'
  DESC 'Asterisk LDAP Configuration Filename'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  )
#
attributeTypes: (
  NAME 'AstConfigCategory'
  DESC 'Asterisk LDAP Configuration Category'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  )
#
attributeTypes: (
  NAME 'AstConfigCategoryMetric'
  DESC 'Asterisk LDAP Configuration Category Metric'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  )
#
attributeTypes: (
  NAME 'AstConfigVariableName'
  DESC 'Asterisk LDAP Configuration Variable Name'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  )
#
attributeTypes: (
  NAME 'AstConfigVariableValue'
  DESC 'Asterisk LDAP Configuration Variable Value'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  )
#
attributeTypes: (
  NAME 'AstConfigCommented'
  DESC 'Asterisk LDAP Configuration Commented'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  )
#
attributeTypes: (
  NAME 'AstAccountIPAddress'
  DESC 'Asterisk Account IP Address'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  )
#
attributeTypes: (
  NAME 'AstAccountDefaultUser'
  DESC 'Asterisk Account Default User'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  )
#
attributeTypes: (
  NAME 'AstAccountRegistrationServer'
  DESC 'Asterisk Account Registration Server'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  )
#
objectClasses: (
  NAME 'AsteriskExtension'
  DESC 'PBX Extension Information for Asterisk'
  SUP top
  AUXILIARY
  MUST cn
  MAY ( AstContext $ AstExtension $ AstPriority $ AstApplication
      $ AstApplicationData )
  )
#
objectClasses: (
  NAME 'AsteriskIAXUser'
  DESC 'IAX2 User information for Asterisk'
  SUP AsteriskExtension
  AUXILIARY
  MUST cn
  MAY ( AstAccountAMAFlags $ AstAccountCallerID $ AstAccountContext
      $ AstAccountFullContact $ AstAccountHost $ AstAccountMailbox $ AstMD5secret
      $ AstAccountDeny $ AstAccountPermit $ AstAccountPort $ AstAccountQualify
      $ AstAccountType $ AstAccountDisallowedCodec $ AstAccountExpirationTimestamp
      $ AstAccountRegistrationContext$ AstAccountRegistrationExten
      $ AstAccountNoTransfer $ AstAccountName )
  )
#
objectClasses: (
  NAME 'AsteriskSIPUser'
  DESC 'SIP User information for Asterisk'
  SUP AsteriskExtension
  AUXILIARY
  MUST cn
  MAY ( AstAccountAMAFlags $ AstAccountCallGroup $ AstAccountCallerID
      $ AstAccountCanReinvite $ AstAccountContext $ AstAccountDefaultUser
      $ AstAccountDTMFMode $ AstAccountFromUser $ AstAccountFromDomain
      $ AstAccountFullContact $ AstAccountHost $ AstAccountInsecure
      $ AstAccountIPAddress $ AstAccountMailbox $ AstAccountRealmedPassword
      $ AstAccountNAT $ AstAccountDeny $ AstAccountPermit $ AstAccountPickupGroup
      $ AstAccountPort $ AstAccountQualify $ AstAccountRestrictCID
      $ AstAccountRTPTimeout $ AstAccountRTPHoldTimeout $ AstAccountType
      $ AstAccountDisallowedCodec $ AstAccountAllowedCodec $ AstAccountMusicOnHold
      $ AstAccountExpirationTimestamp $ AstAccountRegistrationContext
      $ AstAccountRegistrationExten $ AstAccountRegistrationServer
      $ AstAccountCanCallForward $ AstAccountSecret $ AstAccountName )
  )
#
objectClasses: (
  NAME 'AsteriskConfig'
  DESC 'Asterisk configuration Information'
  SUP top
  AUXILIARY
  MUST cn
  MAY ( AstConfigFilename $ AstConfigCategory $ AstConfigCategoryMetric
      $ AstConfigVariableName $ AstConfigVariableValue $ AstConfigCommented )
  )

We may now create two SIP users, one for our Ekiga installation and the other for our Cisco telephone. If you write the following LDIF into a file, you may load it into the LDAP database using ldapadd -x -D "cn=Directory Manager" -W -f PATH-TO-LDIF.

dn: ou=sippeers,dc=example,dc=com
ou: sippeers
objectClass: top
objectClass: organizationalUnit

dn: cn=user1,ou=sippeers,dc=example,dc=com
objectClass: top
objectClass: AsteriskSIPUser
cn: user1
AstAccountCallerID: 2001
AstAccountHost: dynamic
AstAccountRealmedPassword: {MD5}a94775781e5bb7d3e4ec047c56f0acc5
AstAccountContext: default
AstAccountType: friend

dn: cn=user2,ou=sippeers,dc=example,dc=com
objectClass: top
objectClass: AsteriskSIPUser
cn: user2
AstAccountCallerID: 2002
AstAccountHost: dynamic
AstAccountRealmedPassword: {MD5}3c7806fa6e6c3416d57f2de223cdea5d
AstAccountContext: default
AstAccountType: friend

The example above defines a minimal SIP user. The attributes used are:

cn

The SIP user’s account name.

AstAccountCallerID

The user’s caller ID information.

AstAccountHost

The user’s host. The dynamic keyword allows a user’s telephone to dynamically register its IP address by logging into Asterisk.

AstAccountRealmedPassword

The account’s password. The hash of a user’s password may be generated by executing echo -n "SIPUSER:example.com:PASSWORD" | md5sum

AstAccountContext

The context this user will exist in. This determines which extension context applies to this user. Extension contexts were defined in extensions.conf.

AstAccountType

Defines the type of client. Asterisk sends calls to peers (i.e., a SIP provider). The user type may place calls only. Friends are both peers and users.

Once a user is defined, one may test Asterisk. Start the Asterisk service by executing service asterisk start as root. Execute an Asterisk shell using the command asterisk -rv. At Asterisk’s prompt, execute sip show peer user1 load. Asterisk should print all of the information for user1.

Once you have defined a user, you may start writing your dial plan. First, we will associate a phone number with each user. Use ldapadd to add the following to your LDAP database:

dn: ou=extensions,dc=example,dc=com
ou: extensions
objectClass: top
objectClass: organizationalUnit

dn: cn=2001-1,ou=extensions,dc=example,dc=com
cn: 2001-1
objectClass: top
objectClass: AsteriskExtension
AstContext: users
AstExtension: 2001
AstPriority: 1
AstApplication: Dial
AstApplicationData: SIP/user1,20

dn: cn=2002-1,ou=extensions,dc=example,dc=com
cn: 2002-1
objectClass: top
objectClass: AsteriskExtension
AstContext: users
AstExtension: 2002
AstPriority: 1
AstApplication: Dial
AstApplicationData: SIP/user2,20

AstContext

The context in which this extension exists.

AstExtension

The extension ID (e.g., what you dial to reach this extension).

AstPriority

Each extension can execute several commands when it receives a call. The priority determines the order in which commands are executed.

AstApplication

The command to execute when the extension receives a call. The command Dial connects to another Asterisk user.

AstApplicationData

Arguments, separated with commas (without spaces), and passed to a command. The Dial has two arguments. The first is the user that the call will be connected to. The second is the number of seconds to wait before quitting.

In order to facilitate testing our installation, we will define the following additional extension. This extension executes three commands to implement an echo test that may be reached by dialing ‘600.’

dn: cn=600-1,ou=extensions,dc=example,dc=com
cn: 600-1
objectClass: top
objectClass: AsteriskExtension
AstContext: demo
AstExtension: 600
AstPriority: 1
AstApplication: Playback
AstApplicationData: demo-echotest

dn: cn=600-2,ou=extensions,dc=example,dc=com
cn: 600-2
objectClass: top
objectClass: AsteriskExtension
AstContext: demo
AstExtension: 600
AstPriority: 2
AstApplication: Echo

dn: cn=600-3,ou=extensions,dc=example,dc=com
cn: 600-3
objectClass: top
objectClass: AsteriskExtension
AstContext: demo
AstExtension: 600
AstPriority: 3
AstApplication: Playback
AstApplicationData: demo-echodone

After schema edits, FDS must be restarted using service dirsrv restart.

The basic Asterisk configuration is now complete. Restart the Asterisk service using service asterisk restart.

Configuring the Ekiga VoIP client

Ekiga is a software VoIP application that supports SIP. Its configuration is straightforward. The first time Ekiga is executed by a user, it provides a wizard that allows one to configure the user’s full name,
ekiga.net account (this is not required for the purpose of this article), connection type, audio devices, and video devices. Once the software is configured, setup a SIP account by clicking on Edit→Accounts and selecting add. Figure 1 displays an account configured for our SIP user identified as user1.

After an account is set up, it must be activated. Figure 2 shows that the account I just configured is displayed in Ekiga’s list. Click the checkbox to activate the account.

Figure 3 shows Ekiga’s main interface window. Here, you can see how many accounts have been registered. In order to test your configuration, make a SIP connection to extension 600 and perform an echo test.

Configuring a Cisco VoIP telephone

As mentioned before, using a Cisco phone to connect to Asterisk using SIP requires Cisco’s SIP software. When a Cisco 7900 Series telephone boots, it will try to configure itself using TFTP. We will place some firmware and configuration files on our server so that the phone will boot properly for our installation.

In order to enable TFTP on the Asterisk server, edit /etc/xinetd.d/tftp and set disable to no. The TFTP daemon is configured on Fedora to serve files out of /var/lib/tftpboot. After you have modified its configuration, restart xinetd with the command service xinetd restart. Cisco’s SIP software package provides the files P0S3-08-2-00.sb2, P0S3-08-2-00.sbn and P0S3-08-2-00.loads. Copy these files to /var/lib/tftpboot.

Note:

The filenames used by your Cisco firmware may be slightly different. Cisco’s naming convention is P0S3-xxx-y-zz, where x is the major version, y is the minor version, and z is the subversion. P0S3 indicates SIP firmware, P003 indicates SCCP firmware, and P0M3 indicates MGCP firmware.

When booting SIP firmware, the telephone will look for three configuration files: OS79XX.TXT, SIPDefault.cnf, and SIPMAC-ADDRESS.cnf. These files should also
be placed in /var/lib/tftpboot.

OS79XX.TXT contains one line: the firmware version to load. Mine contains P0S3-08-2-00.

SIPDefault.cnf contains configurations common to all SIP telephones. The following example lists the image version and the address of our Asterisk server, and instructs the telephones to register with Asterisk:

image_version: P0S3-08-2-00 ;
proxy1_address: 192.168.0.10 ;
proxy_register: "1" ;

Per-telephone configurations are stored in a file named after the telephone’s MAC address. The telephone’s MAC address may be found in its configuration menu. This configuration will correspond with the SIP information found in LDAP and should be saved as SIPMAC-ADDRESS.cnf:

line1_name : user2
line1_authname : user2
line1_password : PLAINTEXT-PASSWORD

The first step in preparing the telephone is to clear any existing configuration. This may be done by pressing **# settings 3 to access an unlocked Network
Configuration menu. Here, find the Erase Configuration menu item and select it. Restart the phone and return to the Network Configuration menu. Ensure DHCP Enabled is set. Reboot the phone.

The phone will pull its network configuration from DHCP and should now respond to pings. Return to the Network Configuration menu and deactivate DHCP. Select the TFTP Server 1 option and set it to your Asterisk / TFTP server. Do not disable DHCP or manually set a TFTP server if your DHCP server provides your TFTP server’s IP address. Reboot the telephone and it should load the SIP software and configuration. As the phone boots, you may see it request files using TFTP by watching the Asterisk server’s /var/log/messages log.

Once the telephone boots, test its configuration by dialing 600. This will execute an echo test. After the echo test, you may make a Cisco telephone to Ekiga call by dialing 2001.

Configuring voicemail

In this section, we will cover configuring Asterisk to provide a voicemail system. The configuration process is similar to that of SIP users and extensions, so this should also serve to reinforce the techniques covered in those sections. We will configure the voicemail module, the external
configuration engine, and the real-time LDAP back-end. After the configuration files are setup, we will add information to the LDAP database.

/etc/asterisk/voicemail.conf is similar to sip.conf and
extensions.conf. This file configures the voicemail module. As with SIP users and extensions, we will configure global parameters in a file, leaving extension-specific parameters to be configured in LDAP:

[general]
searchcontexts=yes

Add the following line to /etc/asterisk/extconfig.conf in order to activate the real-time LDAP back-end for voicemail:

voicemail => ldap,"dc=example,dc=com",voicemail
 

Map Asterisk voicemail configuration options to LDAP attributes by adding the following to /etc/asterisk/res_ldap.conf:

[voicemail]
context = AstVMContext
mailbox = AstVMMailbox
password = AstVMPassword
fullname = AstVMFullname
email = AstVMEmail
pager = AstVMPager
tz = AstVMTz
attach = AstVMAttach
saycid = AstVMSaycid
dialout = AstVMDialout
callback = AstVMCallback
review = AstVMReview
operator = AstVMOperator
envelope = AstVMEnvelope
sayduration = AstVMSayduration
saydurationm = AstVMSaydurationm
sendvoicemail = AstVMSendvoicemail
delete = AstVMDelete
nextaftercmd = AstVMNextastercmd
forcename = AstVMForcename
forcegreetings = AstVMForcegreetings
hidefromdir = AstVMHidefromdir
stamp = AstVMStamp
additionalFilter = (objectClass=AsteriskVoicemail)

Now we will move to updating our LDAP database. First, we must add to the LDAP schema that we installed earlier. The following will add support for the attributes required to provide basic voicemail:

attributeTypes: (
  NAME 'AstVMMailbox'
  DESC 'Asterisk Voicemail Mailbox'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  )
#
attributeTypes: (
  NAME 'AstVMPassword'
  DESC 'Asterisk Voicemail Password'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  )
#
attributeTypes: (
  NAME 'AstVMFullname'
  DESC 'Asterisk Voicemail Fullname'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  )
#
attributeTypes: (
  NAME 'AstVMEmail'
  DESC 'Asterisk Voicemail Email'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  )
#
objectClasses: (
  NAME 'AsteriskVoicemail'
  DESC 'Voicemail information for Asterisk'
  SUP top
  MUST cn
  MAY ( AstContext $ AstVMMailbox $ AstVMPassword $ AstVMFullname
      $ AstVMEmail )
  )

Add the following LDIF to the LDAP database using ldapadd in order to add voicemail support for the extensions 2001 and 2002:

dn: ou=voicemail,dc=example,dc=com
ou: voicemail
objectClass: top
objectClass: organizationalUnit

dn: cn=2001,ou=voicemail,dc=example,dc=com
cn: 2001
objectClass: top
objectClass: AsteriskVoicemail
AstContext: users
AstVMMailbox: 2001
AstVMPassword: 1234
AstVMFullname: User 1
AstVMEmail: user1@example.org

dn: cn=2002,ou=voicemail,dc=example,dc=com
cn: 2002
objectClass: top
objectClass: AsteriskVoicemail
AstContext: users
AstVMMailbox: 2002
AstVMPassword: 1234
AstVMFullname: User 2
AstVMEmail: user2@example.org

dn: cn=2000-1,ou=extensions,dc=example,dc=com
cn: 2000-1
objectClass: top
objectClass: AsteriskExtension
AstContext: users
AstExtension: 2000
AstPriority: 1
AstApplication: Voicemailmain

dn: cn=2001-2,ou=extensions,dc=example,dc=com
cn: 2001-2
objectClass: top
objectClass: AsteriskExtension
AstContext: users
AstExtension: 2001
AstPriority: 2
AstApplication: Voicemail
AstApplicationData: 2001,u

dn: cn=2002-2,ou=extensions,dc=example,dc=com
cn: 2002-2
objectClass: top
objectClass: AsteriskExtension
AstContext: users
AstExtension: 2002
AstPriority: 2
AstApplication: Voicemail
AstApplicationData: 2002,u

The second entry defines a mailbox for extension 2001. It uses the following options:

AstContext

The context in which this mailbox exists.

AstVMMailbox

The extension that this mailbox corresponds to.

AstVMPassword

The password used to access the mailbox.

AstVMFullname

The full name of the mailbox owner.

AstVMEmail

The mailbox owner’s email address.

Entity four defines an extension, 2000, that will provide access to the voicemail system when dialed.

Entity five adds a command to extension 2001 that executes the Voicemail and provides access to the voicemail system. This command will execute if the Dial command defined earlier is not answered within 20 seconds.

To test the voicemail system, use Ekiga to dial 2002. If you don’t answer the call on the other end, then you should be directed to Asterisk’s voicemail system. To listen to new voicemail, dial 2000.

Conclusion

This article demonstrated how to install Asterisk on a Fedora system and configure SIP users, extensions, and voicemail. We installed all user data into an LDAP database in order to keep it consolidated.

Asterisk has far too many features to cover in one article. The VoIP Wiki has a section dedicated to Asterisk and is a great place to learn more. The VoIP Wiki covers topics such as hooking Asterisk up to the standard public-switched telephone network using direct inward dialing and automatically emailing voicemail messages to users. You can even find information on how to route calls to a user based on his Jabber presence. Clearly, Asterisk is capable of a wide range of applications. And, perhaps best of all, it’s entirely open source!

For years I have envied how easy my Windows- and Mac-based peers had it when traveling with their laptops. They connect to hotspots with ease, get online while I was still logging into root and running some tools. It just wasn’t fair. I wanted an integrated easy-to-use tool that did not require bringing up a shell or logging into root.

I now have that tool in NetworkManager. In this article I will explain what NetworkManager is, what capabilities exist in the tool (in both Fedora and Red Hat Enterprise Linux), and what you can do to extend it to give you more control over your system than before.

What is NetworkManager?

NetworkManager is a software utility that allows a desktop user to manage wired, wireless, modem, WWAN/3G, and VPN network connectivity from a single source. It does not require root access or manual editing of configuration files.

NetworkManager started as a Gnome project and initially appeared in Fedora. It is now supported on multiple desktop environments (Gnome, KDE, Xfce, etc.) and in multiple distributions (Fedora, SuSE, Ubuntu, Gentoo, Debian, etc.). NetworkManager uses dbus and hal to provide network status updates to other desktop applications, allowing them to alter their operation based on this information. For instance, if NetworkManager shows the network is offline, then apps like Evolution and Pidgin will put themselves into offline mode andwait for the network to come online.

How is the NetworkManager software deployed on the system?

NetworkManager is deployed in two parts. The first part is the NetworkManager daemon, which is found in the package NetworkManager. This daemon should be set to start while the system is booting. This can be accomplished by entering the following command as root:

    # /sbin/chkconfig NetworkManager on

You can also start NetworkManager manually by entering the following command as root:

    # /sbin/service NetworkManager start

The second part is the user client, which normally takes the form of an applet. This applet (nm-applet) can be found in the NetworkManager-gnome package, and should be part of the basic Gnome desktop installation. You will not need to add this applet to your desktop. Gnome will add the nm-applet control to the Notification Area applet when the NetworkManager daemon is active.

How does NetworkManager work?

For the user, most everything will be done via the NetworkManager applet. Exactly what needs to be done depends on the type of networking the user needs to activate.

Wired network

If the system the user is logged into is on a wired network (Ethernet), the user does not need to do anything. NetworkManager will look for the link on the network port. When the link is active, it will bring up the interface and then ask for network information via DHCP.

Wireless Network

If the user is trying to connect via wireless, NetworkManager is especially helpful. As long as the wireless device is active, NetworkManager will scan for available networks and will attempt to connect to the last network you connected to that it can see. If the network it is trying to connect to is a secure network (using WEP, WPA, WPA2, or LEAP) it will request the appropriate security information. Once the information is entered, NetworkManager will try to store this information into the GNOME keyring manager.

To connect to a different network than the one that NetworkManager chooses, simply click on the applet and choose a different wireless network.

WWAN network (3G/EVDO/HSDPA/RTTx1/EDGE)

With the release of NetworkManager 0.70, users can now choose WWAN networking. Most of these cards require activation in Windows, but NetworkManager can handle the auto-configuration some cards need for use under Linux. Other cards may still require some minimal account information to activate and use.

If the card is plugged in when NetworkManager starts, it will be autodetected and an attempt to auto-configure the card will be made when you request a connection to the network. If auto-configuration is successful, the user can then just select the card in the applet menu and connect.

VPN connectivity

Once a successful network connection has been made, the user can also use NetworkManager to activate a VPN connection. Currently, there are modules providing support for OpenVPN and Cisco (via vpnc) VPN connectivity.

The VPN connection will be configured, activated, and deactivated via the applet. Username, password, group passwords, and other information can be stored in the GNOME keyring manager, or the user can choose to be prompted to enter some—or all—of the information at each login.

What else can NetworkManager do?

Beside managing your network connectivity, NetworkManager has another key feature. NetworkManager can run scripts when there is a network state change on any interface, using the network interface and the up/down state as variables. In prior releases, this functionality was provided by a separate daemon called NetworkManagerDispatcher. As of NetworkManager 0.70 in Fedora 9, this functionality is now integrated into NetworkManager itself.

In Bash scripts written for NetworkManager, the variable $1 equals the interface whose state has changed and triggered the script. Variable $2 equals the state of the interface (up or down). No other variables are needed.

Let’s take a look at one of the scripts that is included with Fedora 9:

# cat /etc/NetworkManager/dispatcher.d/05-netfs

#!/bin/sh

export LC_ALL=C

if [ "$2" = "down" ]; then
        /sbin/ip route ls | grep -q ^default || {
                [ -f /var/lock/subsys/netfs ] && /etc/rc.d/init.d/netfs stop
        }
fi

if [ "$2" = "up" ]; then
        /sbin/ip -o route show dev "$1" | grep -q '^default' &fi

When an interface comes up and adds itself as the default route, the script starts the netfs service. This script also stops the netfs service when an interface goes down and no default route remains. Effectively, this will mount your NFS and CIFS shares when you have access to the network, and will unmount those same shares when the network goes down. Using this script as an example, you can easily write your own scripts to run various commands as the network state changes.

How can I best use NetworkManager in the field?

Now that you have a good idea of how NetworkManager works and what it can do, let’s talk about how to best use NetworkManager in the field. Now that you have NetworkManager managing your network connectivity, make sure your network interfaces are not trying to start on boot. Nothing is more annoying than having your laptop tell you that your wired network is not available when you are sitting on a plane. If you are using NetworkManager 0.70 (currently in Fedora 9), you should also disable the network service itself, as it may conflict with NetworkManager.

You can go further, writing NetworkManager scripts to activate various services only when they are needed. Many of the init scripts in Linux make the assumption that your system is a server or a workstation with continuous access to the network. Things like ntp, cups, sshd, even rhnsd do not need to be running while you have no network connectivity. These services can be disabled, set to run only when NetworkManager starts them via a custom script on a network state change.

Using the previously posted script as a guide, a script to manage sshd might look like this:

# cat /etc/NetworkManager/dispatcher.d/10-sshd

#!/bin/sh
#
# Start and stop sshd based on network availability using NetworkManager
#

export LC_ALL=C

if [ "$2" = "down" ]; then
        /sbin/ip route ls | grep -q ^default || {
                [ -f /var/lock/subsys/sshd ] && /etc/rc.d/init.d/sshd stop
        }
fi

if [ "$2" = "up" ]; then
        /sbin/ip -o route show dev "$1" | grep -q '^default' &fi

You could substitute “rhnsd” or “cups” for “sshd”, and the script should work equally well for those tasks..

If you are a administrator tasked with managing Red Hat or Fedora systems of remote employees, the scripting functionality can be even more handy. You can write a script that looks for the activation of the VPN interface then sends an email letting you know the system is online. You could have the system check in with a Satellite server located within your firewall, installing updates you previously scheduled for it. The possible uses here are many.

The student is now the master

No longer do I envy my Windows-based peers and their easy mobile connectivity. NetworkManager is constantly impressing me, adding functionality and allowing me to be more efficient on the road. This Swiss Army knife of Linux networking gives me the control I need over my connectivity whether at home, coffee house, or airport. Now that you know what NetworkManager is, how it works, and how best to use it, try it out of your own system. I trust you will find NetworkManager works as well for you as it did for me.

More information

1. NetworkManager main project page
2. NetworkManager in Fedora
3. dbus and hal
4. KNetworkManager

Jaroslaw is a JBoss QA Engineer based in Poland, and recently published an introduction to Drools that he kindly shared with us. This second piece covers Drools (or JBoss Rules), the open source business rules engine… in this case combining it with Hibernate.

This article is presented here in its entirety (with a trackback). The original can be found on Jaroslaw’s site. This article is also available in German and Polish.

Justification:

Drools evaluates facts which are present in the working memory. But could it also reason over data stored in a relational database? This feature would extend Drools’ range of applicability and since this is an often asked question in the mailing list, it’s worth to know the answer which sounds: “of course Drools can!”

Abstract:

Hibernate, one of the most favorite ORM tools, allows to handle data stored in a relational database. This article will describe how one can access a Hibernate session from inside the rule engine. I will use PostgreSQL as a data source. Besides that I will create two classes, Game and Player, having a many-to-many relationship.

1. Creating a new Drools project
2. Class files
3. Hibernate
4. Drools
5. How does it work?
6. Results
7. Summary

Creating a new Drools project

You still don’t have installed the Drools 4.0.7 Eclipse Workbench? Just have a look at this article: “Rules fall from your eyes”.

Menu File -> New -> Project -> Drools – > Rule Project -> Next. Provide the project’s name, drools-hibernate-demo, and click on Next, to uncheck the example files

Class files

Create a package “eu.kijanowski.drools.hibernate” in the src/main/java directory. We will use two class files, Player.java and Game.java. They have a many-to-many relationship, since one player can own many games and one game can be owned by many players

Class Game.java

package eu.kijanowski.drools.hibernate;

import java.io.Serializable;
import java.util.HashSet;
import java.util.Set;

public class Game implements Serializable {
	private static final long serialVersionUID = 1L;
	private Long id = null;
	private String name;
	private double price;
	private int levels;
	private Set players = new HashSet();

	public Game() {
	}

	public Game(String name, double price, int levels) {
		this.name = name;
		this.price = price;
		this.levels = levels;
	}

	public Long getId() {
		return id;
	}

	@SuppressWarnings("unused")
	private void setId(Long id) {
		this.id = id;
	}

	public String getName() {
		return name;
	}

	public void setName(String name) {
		this.name = name;
	}

	public double getPrice() {
		return price;
	}

	public void setPrice(double price) {
		this.price = price;
	}

	public int getLevels() {
		return levels;
	}

	public void setLevels(int levels) {
		this.levels = levels;
	}

	public Set getPlayers() {
		return players;
	}

	public void setPlayers(Set players) {
		this.players = players;
	}

	public String toString() {
		return name + " with " + levels + " levels for " + price;
	}
}

Class Player.java

package eu.kijanowski.drools.hibernate;

import java.io.Serializable;
import java.util.HashSet;
import java.util.Set;

public class Player implements Serializable {
	private static final long serialVersionUID = 1L;
	private Long id;
	private String name;
	private int age;
	private Set games = new HashSet();

	public Player() {
	}

	public Player(String name, int age, HashSet games) {
		this.name = name;
		this.age = age;
		this.games = games;
	}

	public Long getId() {
		return id;
	}

	@SuppressWarnings("unused")
	private void setId(Long id) {
		this.id = id;
	}

	public String getName() {
		return name;
	}

	public void setName(String name) {
		this.name = name;
	}

	public int getAge() {
		return age;
	}

	public void setAge(int age) {
		this.age = age;
	}

	public Set getGames() {
		return games;
	}

	public void setGames(Set games) {
		this.games = games;
	}

	public String toString() {
		return name;
	}
}

Hibernate

Without going into details, download the binaries, Hibernate Core 3.2.6 and extract the archive.

In our project create a directory called lib and copy over following files:

• hibernate-3.2.6.GA/lib/antlr-2.7.6.jar
• hibernate-3.2.6.GA/lib/asm.jar
• hibernate-3.2.6.GA/lib/cglib-2.1.3.jar
• hibernate-3.2.6.GA/lib/commons-collections-2.1.1.jar
• hibernate-3.2.6.GA/lib/commons-logging-1.0.4.jar
• hibernate-3.2.6.GA/lib/dom4j-1.6.1.jar
• hibernate-3.2.6.GA/hibernate3.jar
• hibernate-3.2.6.GA/lib/jta.jar

Now we have to add these libraries to the “build path”: from the menu choose Project -> Properties -> Java Build Path -> Libraries and then Add External JARs and navigate to the project’s lib directory. Mark all files and click OK.

It’s time to configure Hibernate. In the src/main/java directory create a file called hibernate.cfg.xml:

         org.postgresql.Driver
         jdbc:postgresql://localhost/droolsdb
         droolsuser

         1
         org.hibernate.dialect.PostgreSQLDialect
         org.hibernate.transaction.JDBCTransactionFactory

         thread
         org.hibernate.cache.NoCacheProvider
         true
         create

As you see, we’re going to use the org.postgresql.Driver class, hence we need to add another library to our project. From the PostgreSQL home page we can download the required driver. I’m using 8.2-508 JDBC 3. Don’t forget to add it to the Java Build Path, like we did with the hibernate library.

It’s time to download and start PostgreSQL and create a user and schema.

/usr/local/pgsql/bin/postgres -D /usr/local/pgsql/data>logfile 2>&1 &
/usr/local/pgsql/bin/createuser -h 127.0.0.1 -p 5432 -U postgres -s -d -R droolsuser
/usr/local/pgsql/bin/createdb -h 127.0.0.1 -p 5432 -U postgres -O droolsuser droolsdb

The last step is mapping – this is connecting the world of Java objects with the world of relations (tabels). Create model.hbm.xml in the eu.kijanowski.drools.hibernate package:

				player_id_seq

				game_id_seq

Drools

We’re almost there. We olny have to create the rule file and a testing class which will start our example. But how are we going to use Hibernate in our application? Well, in our testing class we will create a Hibernate session and provide it to the rule engine’s working memory as a constant global value. This allows us to access the database from inside the rule file. Next we will create a query and access the result’s objects using the keyword “from”. Let’s do this:

Class DroolsHibernateTest.java

package eu.kijanowski.drools.hibernate;

import java.io.InputStreamReader;
import java.io.Reader;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import org.drools.RuleBase;
import org.drools.RuleBaseFactory;
import org.drools.WorkingMemory;
import org.drools.compiler.PackageBuilder;
import org.drools.rule.Package;
import org.hibernate.Session;
import org.hibernate.SessionFactory;
import org.hibernate.Transaction;
import org.hibernate.cfg.Configuration;

public class DroolsHibernateTest {

	private final static SessionFactory factory;
	static {
		Configuration cfg = new Configuration().configure();
		factory = cfg.buildSessionFactory();
	}

	public static final void main(String[] args) {
		try {

			Game g1 = new Game("BF2", 39.99, 5);
			Game g2 = new Game("AoE3", 129.99, 45);
			Game g3 = new Game("BF3", 139.99, 15);

			HashSet games1 = new HashSet();
			games1.add(g1);
			games1.add(g2);
			games1.add(g3);
			HashSet games2 = new HashSet();
			games2.add(g1);
			games2.add(g3);

			Player p1 = new Player("jarek", 26, games1);
			Player p2 = new Player("ewelina", 25, games2);

			System.out.println(p1.getGames());
			System.out.println(p2.getGames());

			/* open a Hibernate session and persist data */
			Session session = factory.openSession();
			Transaction tx = session.beginTransaction();
			session.save(p1);
			session.save(p2);
			tx.commit();
			session.close();

			/* Let's verify the persisted data */
			session = factory.openSession();
			tx = session.beginTransaction();

			List players = session.createCriteria(Player.class).list();
			System.out.println(players.size() + " player(s) found:");
			for (Iterator iter = players.iterator(); iter.hasNext();) {
				Player player = (Player) iter.next();
				System.out.println(player.getName() + " has following games: "
						+ player.getGames());
			}
			tx.commit();
			session.close();

			// load up the rulebase
			RuleBase ruleBase = readRule();
			WorkingMemory workingMemory = ruleBase.newStatefulSession();

			/* pass a hibernate session to the working memory as a global */
			session = factory.openSession();
			workingMemory.setGlobal("hibernateSession", session);

			workingMemory.fireAllRules();
			session.close();

		} catch (Throwable t) {
			t.printStackTrace();
		}
	}

	private static RuleBase readRule() throws Exception {
		// read in the source
		Reader source = new InputStreamReader(DroolsHibernateTest.class
				.getResourceAsStream("/Demo.drl"));

		PackageBuilder builder = new PackageBuilder();

		// this will parse and compile in one step
		builder.addPackageFromDrl(source);

		// get the compiled package (which is serializable)
		Package pkg = builder.getPackage();

		// add the package to a rulebase (deploy the rule package).
		RuleBase ruleBase = RuleBaseFactory.newRuleBase();
		ruleBase.addPackage(pkg);
		return ruleBase;
	}

}

The rule file can be created using the drools plug-in. Just click on the src/main/rules directory and from the menu File -> New -> Other… click Drools -> Rule Resource:

Demo.drl

package eu.kijanowski.drools.hibernate

global org.hibernate.Session hibernateSession;

rule "hibernate_from"
	when
		game:Game() from hibernateSession.createQuery("select games from Player p where p.age >= :age").setProperties( {"age" : 18 }).list()
	then
		System.out.println("The game "+game.getName() +"is owned by "+game.getPlayers());
end

How does it work?

Let’s have a look at the global keyword in the rule file. This allows us to provide the rule engine with constants and variables from outside. Potential usecases are:

• return results back to the application
• access services, like Hibernate, JMS, file writers, email senders, etc.

What’s worth to know is that you should never change a global, when you use it in the condition part (LHS) of a rule. Moreover globals are not designed to share any data between rules, this can be done via facts living in the working memory.

The condition element from allows to access data from other sources than the working memory. These can be Collectins, Maps and results coming from called methods. In our scenario we’ve created a query and received a list of games.

Results

After running our example (Run as -> Java Application) the console will show:

Jun 14, 2008 8:58:11 AM org.hibernate.cfg.Environment 

INFO: Hibernate 3.2.6
Jun 14, 2008 8:58:11 AM org.hibernate.cfg.Environment
INFO: hibernate.properties not found
Jun 14, 2008 8:58:11 AM org.hibernate.cfg.Environment buildBytecodeProvider
INFO: Bytecode provider name : cglib
Jun 14, 2008 8:58:11 AM org.hibernate.cfg.Environment 

INFO: using JDK 1.4 java.sql.Timestamp handling
Jun 14, 2008 8:58:11 AM org.hibernate.cfg.Configuration configure
INFO: configuring from resource: /hibernate.cfg.xml
Jun 14, 2008 8:58:11 AM org.hibernate.cfg.Configuration getConfigurationInputStream
INFO: Configuration resource: /hibernate.cfg.xml
Jun 14, 2008 8:58:12 AM org.hibernate.cfg.Configuration addResource
INFO: Reading mappings from resource : eu/kijanowski/drools/hibernate/model.hbm.xml
Jun 14, 2008 8:58:12 AM org.hibernate.cfg.HbmBinder bindRootPersistentClassCommonValues
INFO: Mapping class: eu.kijanowski.drools.hibernate.Player -> PLAYERS
Jun 14, 2008 8:58:12 AM org.hibernate.cfg.HbmBinder bindCollection
INFO: Mapping collection: eu.kijanowski.drools.hibernate.Player.games -> PLAYERS_GAMES
Jun 14, 2008 8:58:12 AM org.hibernate.cfg.HbmBinder bindRootPersistentClassCommonValues
INFO: Mapping class: eu.kijanowski.drools.hibernate.Game -> GAMES
Jun 14, 2008 8:58:12 AM org.hibernate.cfg.HbmBinder bindCollection
INFO: Mapping collection: eu.kijanowski.drools.hibernate.Game.players -> PLAYERS_GAMES
Jun 14, 2008 8:58:12 AM org.hibernate.cfg.Configuration doConfigure
INFO: Configured SessionFactory: null
Jun 14, 2008 8:58:12 AM org.hibernate.connection.DriverManagerConnectionProvider configure
INFO: Using Hibernate built-in connection pool (not for production use!)
Jun 14, 2008 8:58:12 AM org.hibernate.connection.DriverManagerConnectionProvider configure
INFO: Hibernate connection pool size: 1
Jun 14, 2008 8:58:12 AM org.hibernate.connection.DriverManagerConnectionProvider configure
INFO: autocommit mode: false
Jun 14, 2008 8:58:12 AM org.hibernate.connection.DriverManagerConnectionProvider configure
INFO: using driver: org.postgresql.Driver at URL: jdbc:postgresql://localhost/droolsdb
Jun 14, 2008 8:58:12 AM org.hibernate.connection.DriverManagerConnectionProvider configure
INFO: connection properties: {user=droolsuser, password=****}
Jun 14, 2008 8:58:12 AM org.hibernate.cfg.SettingsFactory buildSettings
INFO: RDBMS: PostgreSQL, version: 8.2.5
Jun 14, 2008 8:58:12 AM org.hibernate.cfg.SettingsFactory buildSettings
INFO: JDBC driver: PostgreSQL Native Driver, version: PostgreSQL 8.2 JDBC3 with SSL (build 508)
Jun 14, 2008 8:58:12 AM org.hibernate.dialect.Dialect 

INFO: Using dialect: org.hibernate.dialect.PostgreSQLDialect
Jun 14, 2008 8:58:12 AM org.hibernate.transaction.TransactionFactoryFactory buildTransactionFactory
INFO: Transaction strategy: org.hibernate.transaction.JDBCTransactionFactory
Jun 14, 2008 8:58:12 AM org.hibernate.transaction.TransactionManagerLookupFactory getTransactionManagerLookup
INFO: No TransactionManagerLookup configured (in JTA environment, use of read-write or transactional second-level cache is not recommended)
Jun 14, 2008 8:58:12 AM org.hibernate.cfg.SettingsFactory buildSettings
INFO: Automatic flush during beforeCompletion(): disabled
Jun 14, 2008 8:58:12 AM org.hibernate.cfg.SettingsFactory buildSettings
INFO: Automatic session close at end of transaction: disabled
Jun 14, 2008 8:58:12 AM org.hibernate.cfg.SettingsFactory buildSettings
INFO: JDBC batch size: 15
Jun 14, 2008 8:58:12 AM org.hibernate.cfg.SettingsFactory buildSettings
INFO: JDBC batch updates for versioned data: disabled
Jun 14, 2008 8:58:12 AM org.hibernate.cfg.SettingsFactory buildSettings
INFO: Scrollable result sets: enabled
Jun 14, 2008 8:58:12 AM org.hibernate.cfg.SettingsFactory buildSettings
INFO: JDBC3 getGeneratedKeys(): disabled
Jun 14, 2008 8:58:12 AM org.hibernate.cfg.SettingsFactory buildSettings
INFO: Connection release mode: auto
Jun 14, 2008 8:58:12 AM org.hibernate.cfg.SettingsFactory buildSettings
INFO: Default batch fetch size: 1
Jun 14, 2008 8:58:12 AM org.hibernate.cfg.SettingsFactory buildSettings
INFO: Generate SQL with comments: disabled
Jun 14, 2008 8:58:12 AM org.hibernate.cfg.SettingsFactory buildSettings
INFO: Order SQL updates by primary key: disabled
Jun 14, 2008 8:58:12 AM org.hibernate.cfg.SettingsFactory buildSettings
INFO: Order SQL inserts for batching: disabled
Jun 14, 2008 8:58:12 AM org.hibernate.cfg.SettingsFactory createQueryTranslatorFactory
INFO: Query translator: org.hibernate.hql.ast.ASTQueryTranslatorFactory
Jun 14, 2008 8:58:12 AM org.hibernate.hql.ast.ASTQueryTranslatorFactory
INFO: Using ASTQueryTranslatorFactory
Jun 14, 2008 8:58:12 AM org.hibernate.cfg.SettingsFactory buildSettings
INFO: Query language substitutions: {}
Jun 14, 2008 8:58:12 AM org.hibernate.cfg.SettingsFactory buildSettings
INFO: JPA-QL strict compliance: disabled
Jun 14, 2008 8:58:12 AM org.hibernate.cfg.SettingsFactory buildSettings
INFO: Second-level cache: enabled
Jun 14, 2008 8:58:12 AM org.hibernate.cfg.SettingsFactory buildSettings
INFO: Query cache: disabled
Jun 14, 2008 8:58:12 AM org.hibernate.cfg.SettingsFactory createCacheProvider
INFO: Cache provider: org.hibernate.cache.NoCacheProvider
Jun 14, 2008 8:58:12 AM org.hibernate.cfg.SettingsFactory buildSettings
INFO: Optimize cache for minimal puts: disabled
Jun 14, 2008 8:58:12 AM org.hibernate.cfg.SettingsFactory buildSettings
INFO: Structured second-level cache entries: disabled
Jun 14, 2008 8:58:12 AM org.hibernate.cfg.SettingsFactory buildSettings
INFO: Echoing all SQL to stdout
Jun 14, 2008 8:58:12 AM org.hibernate.cfg.SettingsFactory buildSettings
INFO: Statistics: disabled
Jun 14, 2008 8:58:12 AM org.hibernate.cfg.SettingsFactory buildSettings
INFO: Deleted entity synthetic identifier rollback: disabled
Jun 14, 2008 8:58:12 AM org.hibernate.cfg.SettingsFactory buildSettings
INFO: Default entity-mode: pojo
Jun 14, 2008 8:58:12 AM org.hibernate.cfg.SettingsFactory buildSettings
INFO: Named query checking : enabled
Jun 14, 2008 8:58:12 AM org.hibernate.impl.SessionFactoryImpl
INFO: building session factory
Jun 14, 2008 8:58:12 AM org.hibernate.impl.SessionFactoryObjectFactory addInstance
INFO: Not binding factory to JNDI, no JNDI name configured
Jun 14, 2008 8:58:12 AM org.hibernate.tool.hbm2ddl.SchemaExport execute
INFO: Running hbm2ddl schema export
Jun 14, 2008 8:58:12 AM org.hibernate.tool.hbm2ddl.SchemaExport execute
INFO: exporting generated schema to database
Jun 14, 2008 8:58:13 AM org.hibernate.tool.hbm2ddl.SchemaExport execute
INFO: schema export complete
[BF3 with 15 levels for 139.99, BF2 with 5 levels for 39.99, AoE3 with 45 levels for 129.99]
[BF3 with 15 levels for 139.99, BF2 with 5 levels for 39.99]
Hibernate: select nextval ('player_id_seq')
Hibernate: select nextval ('game_id_seq')
Hibernate: select nextval ('game_id_seq')
Hibernate: select nextval ('game_id_seq')
Hibernate: select nextval ('player_id_seq')
Hibernate: insert into PLAYERS (NAME, AGE, PLAYER_ID) values (?, ?, ?)
Hibernate: insert into GAMES (NAME, PRICE, LEVELS, GAME_ID) values (?, ?, ?, ?)
Hibernate: insert into GAMES (NAME, PRICE, LEVELS, GAME_ID) values (?, ?, ?, ?)
Hibernate: insert into GAMES (NAME, PRICE, LEVELS, GAME_ID) values (?, ?, ?, ?)
Hibernate: insert into PLAYERS (NAME, AGE, PLAYER_ID) values (?, ?, ?)
Hibernate: insert into PLAYERS_GAMES (PLAYER_ID, GAME_ID) values (?, ?)
Hibernate: insert into PLAYERS_GAMES (PLAYER_ID, GAME_ID) values (?, ?)
Hibernate: insert into PLAYERS_GAMES (PLAYER_ID, GAME_ID) values (?, ?)
Hibernate: insert into PLAYERS_GAMES (PLAYER_ID, GAME_ID) values (?, ?)
Hibernate: insert into PLAYERS_GAMES (PLAYER_ID, GAME_ID) values (?, ?)
Hibernate: select this_.PLAYER_ID as PLAYER1_0_0_, this_.NAME as NAME0_0_, this_.AGE as AGE0_0_ from PLAYERS this_
2 player(s) found:
Hibernate: select games0_.PLAYER_ID as PLAYER1_1_, games0_.GAME_ID as GAME2_1_, game1_.GAME_ID as GAME1_2_0_, game1_.NAME as NAME2_0_, game1_.PRICE as PRICE2_0_, game1_.LEVELS as LEVELS2_0_ from PLAYERS_GAMES games0_ left outer join GAMES game1_ on games0_.GAME_ID=game1_.GAME_ID where games0_.PLAYER_ID=?
jarek has following games: [AoE3 with 45 levels for 129.99, BF3 with 15 levels for 139.99, BF2 with 5 levels for 39.99]
Hibernate: select games0_.PLAYER_ID as PLAYER1_1_, games0_.GAME_ID as GAME2_1_, game1_.GAME_ID as GAME1_2_0_, game1_.NAME as NAME2_0_, game1_.PRICE as PRICE2_0_, game1_.LEVELS as LEVELS2_0_ from PLAYERS_GAMES games0_ left outer join GAMES game1_ on games0_.GAME_ID=game1_.GAME_ID where games0_.PLAYER_ID=?
ewelina has following games: [BF3 with 15 levels for 139.99, BF2 with 5 levels for 39.99]
Hibernate: select game2_.GAME_ID as GAME1_2_, game2_.NAME as NAME2_, game2_.PRICE as PRICE2_, game2_.LEVELS as LEVELS2_ from PLAYERS player0_ inner join PLAYERS_GAMES games1_ on player0_.PLAYER_ID=games1_.PLAYER_ID inner join GAMES game2_ on games1_.GAME_ID=game2_.GAME_ID where player0_.AGE>=?
Hibernate: select players0_.GAME_ID as GAME2_1_, players0_.PLAYER_ID as PLAYER1_1_, player1_.PLAYER_ID as PLAYER1_0_0_, player1_.NAME as NAME0_0_, player1_.AGE as AGE0_0_ from PLAYERS_GAMES players0_ left outer join PLAYERS player1_ on players0_.PLAYER_ID=player1_.PLAYER_ID where players0_.GAME_ID=?
The game BF2is owned by [jarek, ewelina]
Hibernate: select players0_.GAME_ID as GAME2_1_, players0_.PLAYER_ID as PLAYER1_1_, player1_.PLAYER_ID as PLAYER1_0_0_, player1_.NAME as NAME0_0_, player1_.AGE as AGE0_0_ from PLAYERS_GAMES players0_ left outer join PLAYERS player1_ on players0_.PLAYER_ID=player1_.PLAYER_ID where players0_.GAME_ID=?
The game BF3is owned by [jarek, ewelina]
Hibernate: select players0_.GAME_ID as GAME2_1_, players0_.PLAYER_ID as PLAYER1_1_, player1_.PLAYER_ID as PLAYER1_0_0_, player1_.NAME as NAME0_0_, player1_.AGE as AGE0_0_ from PLAYERS_GAMES players0_ left outer join PLAYERS player1_ on players0_.PLAYER_ID=player1_.PLAYER_ID where players0_.GAME_ID=?
The game AoE3is owned by [jarek]
The game BF2is owned by [jarek, ewelina]
The game BF3is owned by [jarek, ewelina]

Summary

This article shows how you can easily integrate Hibernate with the Drools rule engine. This allows you to reason over data, which does not only live in the working memory, but also in an external database.

Related articles

• Video: Mark Proctor and JBoss Drools
• Video: Mark Proctor, part 2: Origins and uses of JBoss Drools