Mac@Work : The Ultimate Business Machine

The
Ultimate
Business Machine

Technology, business
and innovation.

And, not least, about
the Mac.

Weblog • Archive • Cutedge

by: Bernard Teo

Fri 22 Jul 2005

A Standalone Web Server Configurator?

Category : Technology/WebConfigStandalone.txt

I'm still not sure I can guarantee near faultless SSH Remote Login set-ups because there seems to be a wide variance in the state of people's machines. For example, WebMon will break if somebody has used SSH Helper to set up SSH before. Now, with WebMon as it currently is, if you can't get past the SSH Connection part, then you can't get at all the other goodies, like WebDAV and SSL.

Like Postfix Enabler before it, WebMon works best with a plain un-customised OS X machine. If you take a freshly installed Mac Mini, say, then Postfix Enabler, DNS Enabler and WebMon will all work fine, out of the box.

The SSH part makes WebMon a little bit more brittle than the other two, which currently only work on the local machine. So I'm mulling over doing a standalone Web Server configurator. (But it's on to DNS Enabler, next.)

However, if WebMon's SSH set-ups really turn out to work OK, as I get feedback from the people using it, then this configuration could prove to be potentially very powerful. For example, one could use WebMon running on a PowerBook to configure (and monitor) any number of different servers. And WebMon will keep all their configurations straight.

So I haven't given up on this, yet.

Posted at 6:24PM UTC | permalink

WebMon 1.1.2 with SSL

Category : Technology/WebMon112.txt

WebMon can now set up PHP, WebDAV, and SSL for a plain Mac OS X machine running Apache via the Personal Web Sharing panel in System Preferences.

This is WebMon 1.1.2 with SSL support.

It'll allow you to serve out encrypted web pages on the alternate Port 443, using the self-signed "test" SSL certificates that it'll help you create. And all with just one click.

If you find that SSL works OK using the test certs, you can proceed to get "real" "live" certs from any of the certification authorities (CA's) using the Generate Certificate Request button. This will generate a block of text called the certificate request that you'll need to send to a CA. WebMon provides the interface for setting the various fields that a CA will require, e.g., the domain name, organisational unit, locality and country code.

The workflow works like this : after you've found yourself comfortable using SSL and things work OK when you type https://yourwebsite.com on your browser rather than plain http, you can check that the data you need to submit to a CA is correct. Then hit the Generate Certificate Request button. The block of text, above, that you see actually contains all the data that you entered into the WebMon fields.

Now you can go to a CA like freessl.com and try out their free one-month live certificate. I encourage you to try it because it's fun and it won't cost you a thing (yet, unless you opt to buy the cert in which case it's actually [Ok, admittedly] quite cheap now compared to a couple of years ago).

When the CA asks you for the Certificate Request (CSR in their parlance), paste the block of text generated by WebMon.

Then follow thru with the CA's procedure. (Freessl's system is really smooth and I think there's a lot any web-based business can learn from them.) At the end of the process, which takes less than 5 minutes, you get your cert, which is another block of text that looks like the CSR.

You copy this block of text, click on WebMon's Save Certificate From CA button, paste it into the field provided, and hit the Save Cert button. Then close the dialog box, make sure Use Test Cert is unchecked (because you're going to use a "live" cert now), and hit the Configure SSL button.

This time, Apache will use the "live" cert. If everything works OK, you can check this via your web browser - that you've got a legal functioning live cert (albeit for a month).

This is the process that I've always wanted to build, ever since I've learnt how to do it all manually. Before, if I didn't do this for a month, I'll need an hour just to figure out all the steps again. Now, it's just like Postfix Enabler - once I've systematised all these steps into just a few clicks, I'm able to clear the space in my brain for a lot more useful other things.

Posted at 1:52PM UTC | permalink

Sun 17 Jul 2005

Certificate Signing - Dead End

Category : Technology/chainOfTrust.txt

I'm going to wrap up my exploration of digital certificate signing, at least for a while until I get better ideas, but this is why I think I've hit a dead end.

According to the man page on the OpenSSL verify command, which is used to verify that a cert is OK all the way up its trust chain, one of the checks it does is to make sure that the issuer of a cert is actually allowed to sign certs :

... in addition the keyUsage extension of the candidate issuer (if present) must permit certificate signing ...

So, the freessl cert that I bought, which I was hoping will allow me to sign certs in turn for Hai Hwee, Bee Khim, Brendan, etc..., does not include cert signing among its allowed uses.

It has "Digital Signature, Non-Repudiation, Key Encipherment, Data Encipherment". But nothing like cert signing. (It takes less effort to set it to "all", like freessl's own root cert).

So I think it's not the technology. We've got everything there in OS X, under the OpenSSL umbrella of commands, to do it - , i.e., sign certs as a valid intermediate Certification Authority, so long as we have a valid cert that will allow us to establish that "chain of trust". Whatever limitations now are man-made.

This is what irks me about the whole SSL, digital certs thing. It does use some relatively esoteric Unix incantations but it's all clearly understandable. The first time I bought a Verisign cert, I was awed by all this PKI "our facility is protected by seven rings of security" thing. But you could do all this on your Mac.

We need digital signatures and message encryption more than we need these guys to insert themselves into the "Chain of Trust".

Posted at 9:01AM UTC | permalink

Airport Base Station Firmware Update Warning

Category : Technology/AEBSFirmwareUpdateWoes.txt

I've tried to connect my "old" Airport Extreme base station (the one that went PPoE dead after the firmware 5.6 update) to the broadband modem and again it fails to connect to PPoE. But it worked fine at Hai Hwee's house after a hard reset.

So now, I'm not sure if it has somehow acquired an incompatibility with the Efficient Speedstream 5250 ADSL modem or is it with Singnet itself. Hai Hwee's house is on PacNet, using an Aztech DSL 305E modem.

Anyway, this is a warning for Singapore-based users. Think twice before you do that 5.6 firmware update.

Posted at 8:29AM UTC | permalink

Thawte

Category : Technology/thawte.txt

Right after making that last post, I realised I forgot to mention Thawte. You can get a free cert for use with mail from Thawte, as did almost everyone who has ever sent me signed messages.

But the Thawte application is a tortuous process. After about ten pages, I get to the page to download my cert and hit a ".exe cannot be downloaded" error. Seems like you've got to use Mozilla download it but the page warns that you've got to use the same browser throughout the whole process. I remember vaguely that I've done this before. It's the .exe that shuts my brain.

There's got be a more Mac-like way.

There should be this democratisation of the process. Buy a cert for each company or organisation and then use it to vouch for the people in it, using tools like the Certificate Assistant.

Maybe Apple should get into this business and offer certs as part of the .Mac experience and tie it into the Certificate Assistant, because frankly, if I have to pay for a cert each year, it makes no difference whether I pay freessl or Apple, so it might as well go to Apple.

It looks like it's going to be a great Sunday. Time to get out.

Posted at 3:26AM UTC | permalink

WebMon, SSL, Mail, and Digital Certificates

Category : Technology/sslUpdates.txt

Just some updates about WebMon and SSL.

I'm almost done with the interface. I'm able to get WebMon to generate a certificate request (a CSR in SSL parlance) and display the block of text containing that CSR, so that the user can paste that into his application at one of the certification authorities.

I enjoyed the fluidity of the process at freessl.com, or rapidssl.com as they're now known, and I'm going to recommend it.

I just need to wrap it up by providing an interface for the user to paste the returned certificate, so that WebMon can copy that to the right location and restart the server.

I've been experimenting Apple's very excellent Certificate Assistant (that comes with Tiger's new Keychain Access application), but I think that serves a more mail client-centric need.

If you use WebMon's SSL-enabler, you should be able to set the web server up for SSL, and get the certs and keys stashed into all the right places in one fell swoop. Or at least that's what I hope I could do.

But, back to the Certificate Assistant. I think it's very well thought out. I've used something similar in Windows 2000 (I haven't thought about Windows in ages) but Apple's implementation is better.

"Better" because, if good design is about stripping things down to the barest minimum that the user needs to touch to get something done, then Certificate Assistant has succeeded in this respect.

I now know how the process works, both via Certificate Assistant, as well as manually via the OpenSSL commands. But I still haven't found the answer to the question : if I have a valid live SSL cert, can I use it to sign other certificates so that other mail clients don't complain when they receive mail from all of us here at cutedgesystems.com? (- because currently I could only use a self-signed cert, and that is not linked to the so-called "chain of trust" - unless I know how to bring the live cert into the equation).

Currently, Certificate Assistant works with self-signed certs. If I make myself a Certification Authority, I can't issue a cert for Hai Hwee, say, and link that all the way back to the root certificate used by freessl.com, even though I, as the sub-level Certification Authority, has a valid certificate from freessl.com.

I've been banging my head over this the last couple of days. Sending mail without signing and encrypting it is, like someone said, sending business information using postcards, for everyone to read who handles its delivery. We really need to get to this next stage of e-mail usage. And the process has got to be simpler and cheaper than it is now.

Posted at 1:57AM UTC | permalink

Airport 4.2 and Airport Base Station 5.6 Updates

Category : Technology/airport5dot6firmware.txt

I applied the Airport Base Station 5.6 Firmware Update and it stopped being able connect to the broadband modem. So for a couple of sessions over the weekend, we were off the air (or blogosphere) for about half an hour each.

If you're trying to get here and couldn't connect, that was the cause.

Fortunately I have a spare base station somewhere else. While I went to retrieve it, we were running the server directly off the broadband modem, and using the server's Airport card to share its connection with the other machines on our network.

And I was thinking about how things still work while we're getting flustered. At times like these, you can't think, you just want to get back up as quickly as possible. And thankfully, just three clicks later, we've got server's Airport card sharing its broadband connection to everybody else on the network. So our Disaster Recovery Standard Operating Procedure (SOP) works.

I'm now running the system off the spare base station. As for the "spoilt" one, we went over to Hai Hwee's house, did a hardware reset, and found that it worked again on her broadband connection. So I'm going to switch everything back, later today, at about three or four in the afternoon, when my server's at its quietest time of the day.

Posted at 12:59AM UTC | permalink

Wed 13 Jul 2005

WebMon and SSL

Category : Technology/WebMonSSL.txt

I'm now able to get WebMon to set up SSL on the server with one click of the button. It now uses a test cert, which WebMon also generates.

The idea is that you can use the test cert to test that you can serve web pages on port 443 and that they're encrypted (the lock shows on the browser), and that you can still continue to use port 80.

And then you can use WebMon to generate a certificate request and get a real cert from a proper issuing authority, which you can stick in place of the test cert. (This should probably get done by tomorrow.)

But the thing I'm interested in finding out is, if you have a legal properly verified cert, can you turn around and be your own certification authority, and issue certificates to each of your own employees, which they could use to sign, encrypt their mail, and prove that they are who they say they are?

I think it's very do-able technically. I already have all the pieces, but whether it will work or not, I will only know when I try putting it all together.

The bonus, when you get a properly verified cert, is that you can use the same cert for your mail server. I can make a change to Postfix Enabler so that it'll be able to share the cert with the web server. Actually, I'm already doing that with our own server. Things are starting to come together.

Posted at 4:55PM UTC | permalink

Postfix Enabler 1.1.6 and OS X Tiger 10.4.2

Category : Technology/Tiger10_4_2.txt

We did a test when 10.4.2 came out. It looks OK and everything still runs fine. I may be speaking too soon (I hope not) but I think it's okay to upgrade to 10.4.2 if you're running Postfix Enabler for Tiger 1.1.6.

Okay, hope to see Xcode 2.2 next because 2.1 is still pretty buggy.

Posted at 4:27PM UTC | permalink

Tue 12 Jul 2005

Bobos in a Flat World

Category : Commentary/bobos.txt

I first saw the word "Bobo" on a column in the Raffles City in Shanghai, whose thick round grey metal-clad columns look exactly like the ones we have in the Raffles City in Singapore, no doubt to make us Singaporeans feel right at home.

I was waiting for my chicken rice and, as usual when I don't have a book to read, I was reading anything that pass my way - the menu, the exit signs, the words on people's T-shirts - but this time I didn't need to bother. I was sitting next to a column that had past issues of the Straits Times wrapped all round it. And right at my eye level was the story of the Bobos in China.

"The term BoBo, short for Bourgeois Bohemian, has caught on in China since David Brooks's book "BoBos in Paradise: The New Upper Class and How They Got There" was translated into Chinese and published in separate editions in Taiwan and China.

"In cities such as Beijing, Shanghai, Guangzhou and Shenzhen, the word is on everyone's lips - especially young executives and other members of the nouveau riche, known in Chinese as "xiaozi" or "petit bourgeoisie" - a group that was once a target of ideological campaigns.

"Even for a casual observer from Hong Kong, the new social scene is fascinating. For the Chinese BoBos have matched, if not surpassed, their American and European counterparts in the wealth, glamour and intellectual elitism of their self-constructed images."

I didn't write that - it was written by someone called "Leo Ou-fan Lee", evidently for the International Herald Tribune and reproduced in the Straits Times, and I could only find a reference on the Net in, of all places, the on-line version of "The Kathmandu Post" (for the full article, look under the section - "China's BoBos mountain (sic) urban revolution").

Anyway, I made a point to read that book when I got back and I've just finished it and I'm wondering what could have been going on in the Chinese bobos' minds' when they were reading it. It's funny in (increasingly sparse) parts (as you go further into the book). It made some excellent points but I couldn't quite get past the smugness in its tone. I feel more like the reviewer in this critique of the book. The book is sub-titled : "The New Upper Class and How They Got There". And so I'm thinking about trajectory - what could happen next.

A good book to read in parallel (and maybe in opposition) to Bobos is Thomas Friedman's "The World is Flat". Both books talk about the role technology plays as the defining element in 21st Century lives. But, while one book talks about the feast, the other has you picturing the hungry hordes that are about to eat the Bobos' lunch.

I don't know. I'm still digesting it - both of them. But it's one past midnight and all this talk about food and chicken rice is working up an appetite.

Posted at 5:40PM UTC | permalink

WebMon 1.1.1 with PHP and WebDav Support

Category : Technology/webmon111.txt

I've released WebMon 1.1.1. WebMon can now turn on PHP and WebDav on the web server with just one click. The WebDav folder name and path, login user name, and password can all be customised. The WebDav folder can be used to store (and publish) iCal calendars.

The folder name, login, and password correlates with the three fields on iCal's Publish Calendar dialog box. It's really powerful being able to integrate the use of shared calendars. Together with ability to store address book data on a shared LDAP server, we've got the beginnings of a pretty promising Customer Relationship Management System on the Mac with largely off-the-shelf parts. One day, I'll get there.

After this, it will be SSL - turning on SSL using test certs that you can generate from within WebMon. And then, the ability to make a certificate request to an issuing authority. And finally, the ability to stick a "real" cert into the web server. And all without needing to know any Unix.

After all that, I'll be going back to DNS Enabler. I'm this close to making DNS Enabler work for the public network (rather than just the local network).

I'm trying to build this suite of applications that can help people put a business together quickly using the Mac. I can visualise how it'll all work. And we could tie in PayPal so that you could just sell your stuff (and collect money) on the web (assuming you have stuff to sell that people want to buy). Hai Hwee's going to have Luca, the accounting system, ported over to Objective-C soon, using an embedded SQLite database that will make it so much easier to deploy and install. So the key is to figure out how it'll all come together and make it sing.

Posted at 4:05PM UTC | permalink

Fri 08 Jul 2005

The Nordstrom of the Software Business?

Category : Commentary/nordstrom.txt

I don't know but when I first started my own company I had dreams of providing the best service, the most thoughtfully designed software, the best quality bug-free systems, and the most enthusiastic passionate support. But over a decade, these dreams have gone through quite a bit of wear and tear.

Providing consistently good service over any length of time, in spite of the vagaries of human nature - that's really hard to do. And I've developed quite a jaundiced eye when I cast my mind over the prospects.

So it's always been a wonder to me : how did companies like Nordstrom do it? How do you keep your optimism in the face of all these disenchantments?

I've read my share of Nordstrom books, always looking for an answer. Here's a little bit of a clue, as I was reading yet another Nordstrom book from Robert Spector - if you can grow your business to a certain size, you can then pay people to do it, i.e., provide excellent service on your behalf.

Nordstrom's return policy is virtually an unconditional, money-back guarantee. If customers aren't completely satisfied with their purchase, for whatever reason, the store takes it back, no questions asked.

Doesn't that unconditional policy invite abuse? Sure it does, but central to the Nordstrom policy is a desire not to punish the many for the dishonesty of a few.

Which is not to say that returns are not often frustrating for Nordstrom salespeople. You have that customer who "borrows" a dress for a couple of years and then returns it. But top salespeople realize that returns are part of the game; they take back the returns with a smile, knowing that many of those customers will come back.

Some enterprising Nordstrom people will even send a thank-you note to a customer who has returned a purchase. Wouldn't a gesture like that get your attention as a customer?

That kind of resourceful thinking was exactly what Everett, Elmer, and Lloyd Nordstrom had in mind when they established this generous warranty back when Nordstrom was a two-store operation. The brothers dreaded having to deal with obviously outrageous or unreasonable returns, so, they reckoned, if they could pass off the responsibilities for the adjustments and complaints, the business would be more personally enjoyable.

So, it's good to know that they were also human after all. That's one way to do it - split the responsibilities so that you can do what's right for the business and "delight the customer", and yet maintain enough detachment to get over any sense of dread or outrage, over any perceived injustice or unfairness (which is really not a good thing to harbour when you're in business).

So, this is what I have learnt : among the customers, there are the many and there are the few. The many are mostly good. Among these, the best are the ones who show their appreciation. They're the ones to slog our heart out for. They're why we're in business. And business is meant to be enjoyable.

And then there are the bad. But the good vastly outnumber the bad.

So just focus on the good. And try to be happy. Otherwise there is no other reason to be taking this route. Perhaps, one day, we'll get to reach our Nirvana?

Posted at 6:06PM UTC | permalink