
PaaS, Bluemix and controlling runtime costs with cron

Back at IBM ConnectED 2015 I created a small demo for IBM using the yet-to-be-released extensibility API of IBM Verse to show off third-party extension of IBM Verse. Ever since, IBM has been using the demo, which is great. The app I wrote runs on Bluemix and I turn it on and off whenever they need it. Now, with Bluemix being a Platform As A Service (PaaS) offering, I pay for the resources I use, and since IBM has yet to step up and provide partners with a free plan or a larger allowance, the monthly allowance of free gigabyte hours is cherished. Simply having the app run day in and day out burns up this free allowance. What is a geek to do? Script it of course...

Since Bluemix is controllable using the cf command line tool, I wrote a small script (see below) that lets me start and stop the app on Bluemix. Invoking it is as simple as running "versedemo_ctrl.sh start" or "versedemo_ctrl.sh stop", which I can do remotely.

#!/bin/sh
# Usage: versedemo_ctrl.sh start|stop
# Log in to the Bluemix US South API endpoint, then pass the action (start or stop) to cf.
cf login -a https://api.ng.bluemix.net -u {username} -p {password}
cf "$1" "IBM ConnectED 2015 Verse Demo Contribution"
Even better, I've added it to an existing on-prem server's crontab so that the app starts and stops on business days during the period of time I need it. The cronjob even attaches the log of the start/stop and forwards it to our scheduled job management console, so I'm only notified if stuff goes wrong. Love it. Below is a sample crontab entry.
0 12 * 9-11 1-5 ~/versedemo_ctrl.sh start 2>&1 > ~/versedemo.log && mail -s "Verse Demo App Started" -a ~/versedemo.log ***XXX***@intravision.dk
The above job simply starts the app Mon-Fri at 12pm (Sept-Nov) and then emails the job log to our Job Controller service as an attachment (minute 0, hour 12, any day of the month, months 9-11, weekdays 1-5).


Getting ready for iOS 9 and App Transport Security (ATS)

Much has already been written on the web about the upcoming iOS 9 release and how Apple is tightening security with App Transport Security (ATS), which basically only allows HTTPS traffic using modern, secure ciphers. Other voices in the community are staying on top of this and blogging much more about it and how it pertains to IBM Traveler, particularly if you are terminating your IBM Traveler connections on Domino. As it stands now (IBM Domino 9.0.1 FP4) IBM Domino cannot deliver the ciphers required for ATS. While the latest beta of iOS 9 can still connect insecurely, I suggest you start looking for the right solution: terminating your IBM Traveler traffic with TLS v. 1.2 using elliptic-curve Diffie-Hellman key exchange.

For one of our OnTime Group Calendar demo servers we have IBM HTTP Server (IHS) in front, which made the process pretty easy as IHS already supports the required ciphers. As always, configuring security is a balance between securing your server and keeping compatibility with older operating systems and browsers. For me this meant allowing TLS v. 1.0, 1.1 and 1.2 and keeping some less secure ciphers for older operating systems and browsers, while also enabling strong crypto to support ATS.

Below is our configuration from domino.conf, which is used to configure IHS for IBM Domino. Note that two of the ciphers ATS accepts, the SHA-1 based ones, are not supported by IHS.

Listen 0.0.0.0:443
<VirtualHost *:443>
ServerName demo.ontimesuite.com
SSLEnable
SSLProtocolDisable SSLv2 SSLv3
SSLCipherSpec ALL NONE
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
SSLCipherSpec ALL TLS_RSA_WITH_AES_128_GCM_SHA256
SSLCipherSpec ALL TLS_RSA_WITH_AES_256_GCM_SHA384
SSLCipherSpec ALL TLS_RSA_WITH_AES_128_CBC_SHA256
SSLCipherSpec ALL TLS_RSA_WITH_AES_256_CBC_SHA256
SSLCipherSpec ALL TLS_RSA_WITH_AES_128_CBC_SHA
SSLCipherSpec ALL TLS_RSA_WITH_AES_256_CBC_SHA
SSLCipherSpec ALL SSL_RSA_WITH_3DES_EDE_CBC_SHA

# Enable strict CBC padding (TLS Poodle)
SSLAttributeSet 471 1

</VirtualHost>
KeyFile C:/Lotus/Domino/ihs/key.kdb
SSLDisable

Making the above configuration changes will give you an A- score on ssllabs.com, which is a pretty nice score while keeping backwards compatibility. If that backwards compatibility isn't needed, turn off TLS v. 1.0 and 1.1 and remove the lines starting with "SSLCipherSpec ALL" (apart from "SSLCipherSpec ALL NONE", which clears the defaults) - that will give you a score of A.

Listen 0.0.0.0:443
<VirtualHost *:443>
ServerName demo.ontimesuite.com
SSLEnable
SSLProtocolDisable SSLv2 SSLv3 TLSv10 TLSv11
SSLCipherSpec ALL NONE
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

# Enable strict CBC padding (TLS Poodle)
SSLAttributeSet 471 1

</VirtualHost>
KeyFile C:/Lotus/Domino/ihs/key.kdb
SSLDisable
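As an added example (not the page's own code, and not an IBM HTTP Server tool), a small Python lint that parses the SSLProtocolDisable and SSLCipherSpec directives of a domino.conf like the two blocks above and reports whether an iOS 9 ATS client could connect. The protocol-scoping rules it encodes (a cipher given with scope ALL applies to every protocol still enabled; GCM and SHA-2 suites only exist on TLS 1.2) and the ATS cipher list are assumptions based on the IHS directive semantics and Apple's published ATS requirements for iOS 9.

```python
# Added example (not from the page): lint an IHS SSLCipherSpec block for iOS 9 ATS.
PROTOCOLS = ["SSLv2", "SSLv3", "TLSv10", "TLSv11", "TLSv12"]
# Suites ATS accepts on iOS 9: ECDHE key exchange with AES, negotiated over TLS 1.2.
ATS_CIPHERS = {f"TLS_ECDHE_{kx}_WITH_AES_{rest}"
               for kx in ("RSA", "ECDSA")
               for rest in ("256_GCM_SHA384", "128_GCM_SHA256", "256_CBC_SHA384",
                            "128_CBC_SHA256", "256_CBC_SHA", "128_CBC_SHA")}
# Constructed sample input, a shortened form of the first domino.conf above.
SAMPLE = """\
SSLProtocolDisable SSLv2 SSLv3
SSLCipherSpec ALL NONE
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
SSLCipherSpec ALL TLS_RSA_WITH_AES_128_CBC_SHA
"""
def tls12_only(cipher):
    # AEAD (GCM) and SHA-2 HMAC suites were introduced in TLS 1.2.
    return any(tag in cipher for tag in ("_GCM_", "SHA256", "SHA384"))

def parse_ihs_ssl(text):
    """Return {protocol: set(ciphers)}; assumes every protocol is enabled
    until an SSLProtocolDisable directive names it."""
    enabled = {p: set() for p in PROTOCOLS}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()     # drop comments and blanks
        if not parts:
            continue
        if parts[0] == "SSLProtocolDisable":
            for proto in parts[1:]:
                enabled.pop(proto, None)
        elif parts[0] == "SSLCipherSpec" and len(parts) == 3:
            scope, cipher = parts[1:]
            for proto in [p for p in enabled if scope in ("ALL", p)]:
                if cipher == "NONE":
                    enabled[proto].clear()           # wipe the IHS defaults
                elif proto == "TLSv12" or not tls12_only(cipher):
                    enabled[proto].add(cipher)
    return enabled

def ats_findings(enabled):
    """Return findings as strings; an empty list means ATS clients can connect."""
    findings = []
    if "TLSv12" not in enabled:
        findings.append("TLSv12 is disabled but ATS requires TLS 1.2")
    elif not enabled["TLSv12"] & ATS_CIPHERS:
        findings.append("no ECDHE AES suite on TLSv12; ATS clients will be refused")
    for proto in ("SSLv2", "SSLv3"):
        if enabled.get(proto):
            findings.append(f"{proto} still enabled with ciphers (POODLE); disable it")
    return findings
```

Run `ats_findings(parse_ihs_ssl(open("domino.conf").read()))` against your own file; an empty list means the TLSv12 cipher set contains at least one ECDHE suite and no SSLv2/SSLv3 ciphers remain.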
