Re: Postgress Performance
It could be a performance issue with Postgres. By default Postgres uses a "paranoid" setting that writes each transaction to disk immediately after the transaction is completed. This is done to protect the integrity of the database, as at anytime the database could go down and data could be lost. However, when dealing with large numbers of transaction this can severely impair performance. So, you can disable it by changing your postmaster line to something like this: postmaster -o -F -D /mypath/to/datadir You can also get a little speed out of detaching from the tty you started it from by using the "-S" switch. And, of course, in terms of performance when deploying you should really tweak the number of backend connections. Hope that helps. thanks, sach %s/windows/linux/g On Sun, 28 Jan 2001, Paul Fink wrote: In general Orion and postgres seem to work well together but I have a problem with the performance of inserts. As the size of the table increases the rate at which I can do inserts, or bean creates, decreases dramatically. I have a very simple Alarm entity bean with a single Long as the primary key. Running under Linux on a PIII. When I start with an empty table I can create new Alarm beans at a rate of about 40/sec. When the table reaches 10K entries the rate is down to 10/sec and continues to drop. I have the entity bean wrapped by a session bean and I do several creates per transaction. The only trick I've found for speeding up postgress is the "-o -F" flag which I've done.
RE: Is combining Orion and PostgreSQL a good choice
Yeah, we had a problem with On Wed, 17 Jan 2001, Randahl Fink Isaksen wrote: Interesting... but are you stating that without fixing bugs in the JDBC driver for PostgreSQL, it just will not work? If so, I would of course like to hear what you fixed exactly... Yours Randahl -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Mike Cannon-Brookes Sent: 17. januar 2001 13:51 To: Orion-Interest Subject: RE: Is combining Orion and PostgreSQL a good choice I'm using PostgreSQL on an application that is about to go live (within the next month). Seems to be working fine in testing so far, we're moving off Sybase 11.0.3.3 on Linux to PostgreSQL (probably 7.1 by the time we go live). I've personally fixed a bug or two in the JDBC driver, but other than that the latest driver seems very solid. I use the default schema (the latest one from Orion has a lot of fixes contributed by myself and others, the original was horrible). Let me know if there are any problems with the latest schema. -mike -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Randahl Fink Isaksen Sent: Wednesday, January 17, 2001 11:01 PM To: Orion-Interest Subject: Is combining Orion and PostgreSQL a good choice I am wondering if using PostgreSQL with Orion would be a good option. So my questions are: 1. Has anyone tried using PostgreSQL with Orion in a real-life application (running for a long period with no errors) - and was it a success? 2. Do you use the default database schema for PostgreSQL that comes with Orion? Yours Randahl
RE: Is combining Orion and PostgreSQL a good choice
We had a problem with either timestamp or date (i can't remember which now) with the default postgres JDBC driver, so we had to hack the driver to make it work right. So if you don't need anything to do with time and you don't need to store large binary data you should be fine. ;) Actually, it works quite well. We deployed a couple of months ago with 33 million records in the database (4 processor, 4GB RAM, Sun Server) and orion on two application boxes (dual processor, 4GB sun servers). It's incredibly fast. Thanks, sach robot6 %s/windows/linux/g On Wed, 17 Jan 2001, Randahl Fink Isaksen wrote: Interesting... but are you stating that without fixing bugs in the JDBC driver for PostgreSQL, it just will not work? If so, I would of course like to hear what you fixed exactly... Yours Randahl -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Mike Cannon-Brookes Sent: 17. januar 2001 13:51 To: Orion-Interest Subject: RE: Is combining Orion and PostgreSQL a good choice I'm using PostgreSQL on an application that is about to go live (within the next month). Seems to be working fine in testing so far, we're moving off Sybase 11.0.3.3 on Linux to PostgreSQL (probably 7.1 by the time we go live). I've personally fixed a bug or two in the JDBC driver, but other than that the latest driver seems very solid. I use the default schema (the latest one from Orion has a lot of fixes contributed by myself and others, the original was horrible). Let me know if there are any problems with the latest schema. -mike -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Randahl Fink Isaksen Sent: Wednesday, January 17, 2001 11:01 PM To: Orion-Interest Subject: Is combining Orion and PostgreSQL a good choice I am wondering if using PostgreSQL with Orion would be a good option. So my questions are: 1. Has anyone tried using PostgreSQL with Orion in a real-life application (running for a long period with no errors) - and was it a success? 2. Do you use the default database schema for PostgreSQL that comes with Orion? Yours Randahl
RE: Is combining Orion and PostgreSQL a good choice
That could very well be. We were using postgres 7.0.1 and it may have been a known bug. Tell you what, Randahl, if you end up having issues with date let me know and i'll send you our driver hack. I fully recommend postgres, it's by far my favorite opensource database. sach robot6 %s/windows/linux/g On Wed, 17 Jan 2001, Tim Drury wrote: I use the latest postgresql jdbc driver that came with 7.0.2 and this postgresql.xml database config file and everything works fine for me. -tim ?xml version="1.0"? !DOCTYPE database-schema PUBLIC "-//Evermind//- Database schema" "http://www.orionserver.com/dtds/database-schemas.dtd" database-scheme name="PostGreSQL" max-table-name-length="25" not-null="not null" null="" primary-key="primary key" type-mapping type="java.lang.String" name="varchar" / type-mapping type="java.lang.Integer" name="int8" / type-mapping type="int" name="int4" / type-mapping type="long" name="int8" / type-mapping type="float" name="float4" / type-mapping type="double" name="float8" / type-mapping type="byte" name="int2" / type-mapping type="char" name="char" / type-mapping type="short" name="int2" / type-mapping type="boolean" name="bool" / type-mapping type="java.util.Date" name="timestamp" / type-mapping type="java.io.Serializable" name="oid" / type-mapping type="java.math.BigDecimal" name="decimal" / disallowed-field name="parent" / disallowed-field name="password" / disallowed-field name="username" / disallowed-field name="date" / disallowed-field name="order" / disallowed-field name="old" / disallowed-field name="user" / /database-scheme -Original Message- From: Randahl Fink Isaksen [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 17, 2001 11:21 AM To: Orion-Interest Subject: RE: Is combining Orion and PostgreSQL a good choice Interesting... but are you stating that without fixing bugs in the JDBC driver for PostgreSQL, it just will not work? If so, I would of course like to hear what you fixed exactly... Yours Randahl -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Mike Cannon-Brookes Sent: 17. januar 2001 13:51 To: Orion-Interest Subject: RE: Is combining Orion and PostgreSQL a good choice I'm using PostgreSQL on an application that is about to go live (within the next month). Seems to be working fine in testing so far, we're moving off Sybase 11.0.3.3 on Linux to PostgreSQL (probably 7.1 by the time we go live). I've personally fixed a bug or two in the JDBC driver, but other than that the latest driver seems very solid. I use the default schema (the latest one from Orion has a lot of fixes contributed by myself and others, the original was horrible). Let me know if there are any problems with the latest schema. -mike -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Randahl Fink Isaksen Sent: Wednesday, January 17, 2001 11:01 PM To: Orion-Interest Subject: Is combining Orion and PostgreSQL a good choice I am wondering if using PostgreSQL with Orion would be a good option. So my questions are: 1. Has anyone tried using PostgreSQL with Orion in a real-life application (running for a long period with no errors) - and was it a success? 2. Do you use the default database schema for PostgreSQL that comes with Orion? Yours Randahl
Re: How to test my SSL works or Not ?
That's a pretty strange problem. Usually if there is something wrong with the certificate the client browswer will let you know, otherwise you just get that "you are about to enter a secure site" message. Which browser are you using to test your site? If you are using ie, just letting your mouse sit on top of the little lock icon will let you know what level it is encrypted at. One way to tell if it is working for sure is to get a line sniffer (ala tcpdump). Just monitor the line and see if you can read the traffic as it goes across, since that is exactly what you are trying to provent against. cheers, sach %s/windows/linux/g On 12 Jan 2001, mohan krishna wrote: Hi all, Recently i implemented 128bit certificate (from verisign) to my E-commerce Application but at the time of installing the cert with the following command... keytool -keystore keystore -keyalg "RSA" -import -trustcacerts -file my.host.com.cer i got this message... "keytool error:java.security.cert.CertificateException:unsupported encoding"...even though it gives this error i got the end result. i implemented that to my application... but i am not sure whether my ssl certificate is working or not? how can i check whether my application is under secure? when i run this under https:// the lock is not broken... but the suspect is i got some error at the time of getting the certificate(Error is mentioned above)... So plz anyone help me how i test my application? plz any help is appreciated.. Thankz MohanKrishna Get free email and a permanent address at http://www.netaddress.com/?N=1
Re: Orion/SSL with 128bit-Thawte-Cert
This is legacy problem left over from the stupid restrictions on exporting encryption software from the United States. You will have to go to http://java.sun.com/products/jsse/ and download the latest version (i think it's 1.0.2) that's NOT FOR U.S. EXPORT. This version will support 128bit encryption. Please read the installation instructions as you will have to made some modifications to $JAVA_HOME/jre/lib/security/java.security. You --MIGHT-- need to create a new keystore and regenerate your certificate request and run through the whole process again. Read the instructions on orionserver.com howto carefully. People on this list have gotten Orion to work with Verisign's Netscape 128bit certificate and thwate's 128bit SuperCert (or Super-something err-rather). cheers, sach On 10 Jan 2001, mohan krishna wrote: Hi all... i want to implement 128bit cert to my application but i am not sure that whether orion can support 128 bit with its default jsse... if doesn't which jsse we have to download and what r the steps i have to follow... when i am trying to installing the 128bit certificate it is giving the following error keytool error:java.security.cert.certificateException:unsupported encoding... i am not sure that is the problem with orion or with jsse... what the steps i have to follow to make orion to use 128bit... any help is appreciated... thankz mohan Sach Jobb [EMAIL PROTECTED] wrote: No problem. Well, other have got the Thawte SuperCert working before so i think you are in good shape. I'm not sure if this is the cause of your error message, but the version of the JSSE that comes with orion will only do 40bit encryption so you will have to go to http://java.sun.com/products/jsse/ and download the 1.0.2 NOT FOR U.S. EXPORT version. This version will support 128bit encryption. Simply follow the instructions that come with the download to install. You will _might_ have to regenerate your certificate request. good luck, sach On Tue, 9 Jan 2001, Klaus Thiele wrote: thanks for responding. it's a "Thawte SuperCert" (128 bit(?)) i'm using the JSSE that comes with orion. thanks klaus Sach Jobb wrote: 128bit is a try-your-luck situation. I got it to work with the verisign netscape 128bit and i heard someone on the list say that they got the "supercert" (or something like that) with thawte to work too. Sounds like it can't read the keystore, but i think that's a different error message. Klaus, can you give us more info on the type of cert you have, which version of the JSSE you are using, etc? thanks, sach %s/windows/linux/g On Tue, 9 Jan 2001, Juan Lorandi (Chile) wrote: won't it be a 128 bit certificate which orion can't handlewon't it? JP -Original Message- From: Klaus Thiele [mailto:[EMAIL PROTECTED]] Sent: Martes, 09 de Enero de 2001 13:09 To: Orion-Interest Subject: Urgent: Orion/SSL with Thawte-Cert Hello, after a long time i've got now the real Cert from Thawte. but now I get following error when orion comes up: Error starting HTTP-Server: Unable to intialize SSLServerSocketFactory 'com.evermind.ssl.JSSESSLServerSocketFactory': Unrecoverable key error: Cannot recover key [...] -- Klaus Thiele - Personal Informatik AG mailto:[EMAIL PROTECTED] "There's got to be more to life than compile-and-go." Get free email and a permanent address at http://www.netaddress.com/?N=1
Re: Native user support
Are you sure that's not just JNDI? On Sun, 7 Jan 2001, Mathias Bogaert wrote: Hello, An article on dcb.sun.com (http://dcb.sun.com/practices/profiles/orion_appserver.jsp) says native user support with Orion is available. "Unlike native Web servers such as Apache that utilize user IDs and security, Orion's Java technology-based system will run with the permissions of the user who started the server. Orion developers offer a security workaround by providing "native user" support for various platforms. With the appropriate library, you can start Orion with a given user ID to increase security and prevent malicious attacks. The "native user" support is available at: http://www.orionserver.com/private/native_user_support.tar.gz" Does anyone have experience with native user support with Orion? The http://www.orionserver.com/private/native_user_support.tar.gz is not a valid url (404), so can somebody send me this file? TIA Mathias Bogaert
Re: How do you get Orion to serve up 128 vs. 40 bit encryption?
Is this a test certificate or a real one? There are no 128bit test certificates that i know of. We ended up using the Netscape 128bit certificate from verisign and that worked fine. A couple of messages back someone got the "supercert" from thwarte to work as well. cheers, sach On Fri, 8 Dec 2000, Keith Kwiatek wrote: Hello, I am using JSSE with Keytool. I followed the Orion ssl guide (http://www.orionsupport.com/articles/ssl-howto.html) but when I use netscape browsers it says that it is only 40 bit encryption.. . IE doesn't say anything... How do I get 128 encryption (or higher) ??? Keith
Re: Can orion ssl bind to non-default port (443)?
in ~/config/secure-web-site.xml web-site host="[ALL]" port="8443" secure="true" display-name="mysite" cheers, sach On Thu, 7 Dec 2000, Keith Kwiatek wrote: Hello, I have an apache web server running openssl, and when I try to launch orion with ssl , it says that is can not bind to the port because it is in use. Can I specify another port other than 443? Thanks, Keith
RE: 128-bit SSL
I think the max you can do with JavaSoft is 40bit. I would try using the Netscape 128bit one. Make sure you generate the original key pair using the US "Do-Not-Export-Or-We-Will-Kill-You" version of the JSSE. We used RSA too. sach On Fri, 3 Nov 2000, Raymond Pancura wrote: We are using the US release of the JSSE version 1.0.2. The cert was provided by verisign for a keysize of 1024 bits. The keyalg we used to generate the key was "RSA". The provider we choose when we made the cert request was JavaSoft (it was the closes on the list). I have just had verisign reissue the cert using a 512-bit key. If this works I will let everyone know. If anyone else has any ideas I would REALLY like to hear from you. Thanks -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Lorin Kobashigawa-Bates Sent: November 3, 2000 2:23 PM To: Orion-Interest Subject: Re: 128-bit SSL Which JSSE are you using? If it's the one packaged with Orion, you have ot go and get the US one from Javasoft. Which 128bit key are you using? We were successful using the Netscape 128bit key, but it was kind of tricky, we ended up having to re-run the key several times because of hostname mixups. -Lkb On Fri, 3 Nov 2000, Raymond Pancura wrote: Has anyone been successful in configuring Orion to use 128-bit SSL (1024-bit public key in cert)? I don't have a problem with the test certs, but they only allow 40-bit (512-bit key in cert). Whenever I try to start Orion, I get the following message: Licensed to e-plicity.com Orion/1.3.8 initialized Error listening to SSLServerSocket: No available certificate corresponds to the SSL cipher suites which are enabled. The production certificate from Verisign has been imported into our keystore. Does anybody know if this is an Orion problem or a JSSE issue? I am at a loss.
Re: Obtaining an SSL Certificate
I have it working with netscape 128bit from Verisign, --BUT-- make sure that you have the US version of the JSSE that supports 128bit encryption (you have to go and download this). sach On Thu, 26 Oct 2000, Paul Knepper wrote: Hi, I've successfully installed a 40-bit Versign Cert. There was no 128-bit "Javasoft" Cert available from Verisign. Does anyone know of a 128-bit Cert that works with Orion. Thanks, Paul [EMAIL PROTECTED] Re: Obtaining an SSL Certificate From: Dale Bronk Subject: Re: Obtaining an SSL Certificate Date: Tue, 29 Aug 2000 05:03:39 -0700 Did you get a 40-bit or 128-bit cert? Orion informed me we can use 128-bit if we get the domestic JSSE from Sun. Dale
Re: Orion under Solaris
Yes, there was a huge discussion on this recently, please check the list archives. thanks, sach On Tue, 17 Oct 2000, Kemp Randy-W18971 wrote: Can the Orion server processes be run as someone other then root (under Solaris) and how?
Re: SSL question
the first line is correct. it's telling you that this certificate does not match the private key (which you made with -genkey first, right?) in your keystore. in the second one you didn't specify where your keystore is. this this and see if you have both the private key and the certificate in your keystore. keytool -keystore keystore -v -list cheers, sach On Thu, 12 Oct 2000, Kit wrote: Hi all I have a problem using the command below. keytool -keystore keystore -keyalg "RSA" -import -trustcacerts -file my.host.com.cer I get this error: keytool error: Failed to establish chain from reply But, this command worked fine keytool -import -trustcacerts -file my.host.com.cer Is there any problem using the second command, since it's missing some arguments as indicated in the ssl-how-to documentation. Thanks -kit
Yet Another SSL Question.
On the topic of keystores, is it possible to have a 128bit key and a 56bit key installed on the same store, and have it configured as such, to allow the client to connect at 128bit, if possible, and then fall back to 56bit if not? cheers, sach
Re: No response from Customer Support for Licensed Version
No, actually that last phone call was very useful. We also called verisign and were able to get some good direction from them. I'm still having problems getting Orion to use the keystore... Orion/1.2.9 initialized Error listening to SSLServerSocket: No available certificate corresponds to the SSL cipher suites which are enabled. ... but i sure have learned alot about SSL! I have the feeling you all will be seeing another document on orionsupport.com when i finally get this thing working. ;) Thanks Karl, i will send another message to support now (you guys are probably still in bed). But i will still be up untill around 09:00 your time. thanks, sach On Fri, 22 Sep 2000, Karl Avedal wrote: Hello Sach, Are there any additional outstanding issues rather than the ones we have acknowledged and talked to you about? If so, send a new mail to support@, I thought all your issues had been answered to on the phone and via mail. On suspected bugs, it can take a few days before we have any information to give, since we initially try to reproduce and analyze the behaviour. Sometimes that can be a tedious process and take time and we can't always find or fix the bugs within days, and sometimes it can even take a few weeks, but I think that's still very fast compared to most companies in the business. We always try to fix it as soon as possible, and try to communicate any progress or need for extra info to the reporter, either via mail or via Bugzilla. Sometimes we are bad at telling the reporter about the progress on a bug. That's when nothing new has been found yet, but I know it's essential for you to immedietaly get an estimate on when we will know if it's a bug and when the fix can be issued, and we'll try to improve on that point. If nothing else we'll try to be faster to tell you that we can't estimate the time for an available fix. Regards, Karl Avedal
Re: Run Orion on port80 without being root?
Idealy that is what i'm looking for: basically having it start up as root and then switching the process over to another user (like apache does). In our dev env this isn't a problem because they use non-priv ports, but there's just something about seeing a billboard with an add like: "come visit us at our new web site www.bigcompany.com:8092" that just doesn't have quite the right ring to it. ;) What's the theory behind using the JNI code? I'm not familiar with it. cheers, sach %s/windows/linux/g On Mon, 11 Sep 2000, John Barrett wrote: In *nix systems, there isnt a solution except to startup as root and then change to another user/group, like Apache does. I dont think that Java has the ability to manipulate its UID/GID without JNI code. - Original Message ----- From: Sach Jobb [EMAIL PROTECTED] To: Orion-Interest [EMAIL PROTECTED] Sent: Monday, September 11, 2000 1:11 PM Subject: Run Orion on port80 without being root? Has anyone found a way of running Orion on port80 without being root? I'm getting ready to launch a finance based site and i'm quite concerned about security. I've seen messages like this posted before but i have yet to see any kind of resolution. Any ideas? cheers, sach %s/windows/linux/g
Re: Run Orion on port80 without being root?
This _is_ a great idea and i considered something like it before, the only problem is that we are deploying on Solaris. sach On Tue, 12 Sep 2000, Brian Beaulieu wrote: My solution seems to be working so far. I have Orion running as an arbitrary user bound to port 8000 I'm redirecting with ipchains all requests to port 80 to port 8000 with: ipchains -A input -p tcp -s 0/0 -d 0/0 80 -j REDIRECT 8000 The logs show the originating host since I'm not masquerading - this is obviously very important. I haven't run into a problem yet.. I'll try to break it and report here if I do. Regards, Brian Sach Jobb wrote: Thanks guys, This sums up everything pretty well: http://www.orionsupport.com/users.html The root of the problem (pun intended) is here: "Java, however, has no concept of a user, because Java is cross-platform and some platforms don't have any real user (such as Win98, which uses the term "user" very loosely.)" cheers, sach %s/windows/linux/g On Tue, 12 Sep 2000, Brian Beaulieu wrote: I tried this (had to recompile the library though). It says it's running it as user 'nobody' however all processes are stilled owned by nobody. When I attempt to create a directory '/blah' (shouldn't be able to), it works. I have to find a way to do this. I'm going to try running orion on a port 1024 and do port forwarding but that might cause some issues with advanced functionality. I'll look at the JINI library to see if I can find the problem and do some more debugging. Are there any other solutions out there? Regards, Brian Markus Holmberg wrote: On Mon, Sep 11, 2000 at 11:11:57AM -0700, Sach Jobb wrote: Has anyone found a way of running Orion on port80 without being root? I'm getting ready to launch a finance based site and i'm quite concerned about security. I've seen messages like this posted before but i have yet to see any kind of resolution. Any ideas? Changing Orion's uid using JNI: http://www.orionsupport.com/users.html Markus -- Markus Holmberg | Give me Unix or give me a typewriter. [EMAIL PROTECTED] | http://www.freebsd.org/
Run Orion on port80 without being root?
Has anyone found a way of running Orion on port80 without being root? I'm getting ready to launch a finance based site and i'm quite concerned about security. I've seen messages like this posted before but i have yet to see any kind of resolution. Any ideas? cheers, sach %s/windows/linux/g
Re: graphical console remotely
Sure, there are a number of xservers for win32, like x-win32 (http://www.starnet.com/productinfo/). The other alternative is to go with something like vnc (http://www.uk.research.att.com/vnc/), or if you have an xserver and and windows box side by side try x2vnc (http://fredrik.hubbe.net/x2vnc.html). I also strongly recommend that you replace your telnet client with ssh, there are now a number of free or open source ssh clients for win32 that work quite nicely and are secure. sach %s/windows/linux/g On Sun, 30 Jul 2000, Brady Moritz wrote: I have a linux box running orion, but i dont have x on it. I do my work on the linux machine via telnet from a windows box. is there a way tor un the graphical console locally and connect to the actual server remotely? Thanks Brady Moritz
tunnel servlet: method not found error
Hi, Has anyone set up and got working the tunnel servlet? I want my main web site handled by Orion, but would like to pass all .cgi scripts to an Apache/ModPerl server. I found and read the 'integration with existent www-servers' thread, and followed what it says, about adding the tunnel servlet and servlet-mappings. The servlet mapping works, because when i try to follow a .cgi link, it passes it to the tunnel servlet, which then complains: 500 Internal Server Error java.lang.NoSuchMethodError: java.net.URL: method getPath()Ljava/lang/String; not found at com.evermind.server.http.TunnelServlet.init(JAX) at javax.servlet.GenericServlet.init(GenericServlet.java) at com.evermind.server.http.HttpApplication.to(JAX) at com.evermind.server.http.HttpApplication.ta(JAX) at com.evermind.server.http.HttpApplication.sy(JAX) at com.evermind.server.http.HttpApplication.rt(JAX) at com.evermind.server.http.dr.p1(JAX) at com.evermind.server.http.dr.p0(JAX) at com.evermind.util.f.run(JAX) My global-web-application.xml has the following entries: servlet servlet-nametunnel/servlet-name servlet-classcom.evermind.server.http.TunnelServlet/servlet-class init-param param-nametargetRoot/param-name param-valuehttp://localhost:80/param-value /init-param /servlet servlet-mapping servlet-nametunnel/servlet-name url-pattern/*.cgi/url-pattern /servlet-mapping Any suggestions, or working configurations? thanks, sach robot6 %s/windows/linux/g