Archive for October, 2010

Cool Tools 12: CACE’s WireShark

Saturday, October 30th, 2010

Sometimes tcpTrace just won’t do the trick when you need to monitor network traffic, such as when you need to see what’s going on in the network layer between servers where you can’t control the port used between endpoints.  I recently used today’s Cool Tool when diagnosing an email issue between IIS and a remote SMTP server trying to send mail: I needed to see why emails coming from the WebCenter Interaction Portal weren’t being accepted by the government server being used to route the traffic:

The problem ended up having to do with Reverse DNS lookups, which I’ll write about soon. 

For the purposes of this post, though, the Cool Tool is CACE’s WireShark, the Big Brother (read: later version after a name change) to Ethereal (see this post for a clarification to that comment: “ethereal is still ethereal, but ethereal development has ceased. All the core developers are currently working on wireshark. So do not expect new releases of ethereal any time soon, Wireshark is what’s being developed.”).

WireShark allows you to sniff all traffic going into and out of a network interface, which is hugely valuable (if not a bit more complicated as you get acquained with network protocols and WireShark’s powerful filtering capabilities).  As a portal administrator, you likely won’t need it daily, but when you do, it’s hands-down the best network sniffing tool for the good guys – and potentially dangerous for the bad guys if you haven’t, say, locked down your search server.

Update WebCenter Content Crawler and Job Owners

Tuesday, October 26th, 2010

As the portal evolved from Plumtree to ALUI (AquaLogic User Interaction) to WCI (WebCenter Interaction), there’s been a legacy feature that was born with good intentions, but like many things in human physical anatomy, it has survived evolution with little to no value.

This feature is object “owners” for Content Crawlers and Automation Jobs.  I’m sure there was a grand intent at some point for “owners” to mean something, but I haven’t found it yet.

The “owner” is the portal user that is scheduled to run a job.  But if that user is later deleted, the portal doesn’t clean up after itself – and all jobs that the user created are “orphaned” and won’t run, showing an error in PTSpy like:

Sep 12, 2010 10:07:02 PM- *** Job Operation #1 of 1 with ClassID 38 and ObjectID 202 cannot be run, probably because the operation has been deleted.

The fix – which I will condone until I can figure out why jobs need “owners” in the first place – is to just make the owner of all jobs and crawlers the Administrator user. The Administrator user can’t be deleted, and since I haven’t found any problems with running a crawler as this user, you can just do a portal-wide update making this change with the following SQL:


Helpful SQL to determine if you’re being bitten by this “vestigal organ” after the break.


Cool Tools 11: Microsoft BizSpark

Friday, October 22nd, 2010

This “Cool Tool” is yet another one of those that won’t directly help you with the Plumtree / ALUI / WebCenter portal, but is more of a collection of tools that will help out my fellow consulting colleagues, entrepreneurs, and hobbyists by offering access to a huge library of “Cool Tools”: every single Microsoft product ever created through Microsoft’s MSDN:

The “Cool Tool” is the Microsoft’s BizSpark program.  Started in 2008, BizSpark is Microsoft’s idea to incubate the startup community developing software around its own products.  It’s a great concept, although as a startup and mostly Microsoft shop myself, I honestly haven’t leveraged it as a way to “get my company name out there”, which is how the program is positioned.  Instead, as a consultant, I use it as a way to get almost-free ($100 or so) access to Microsoft’s MSDN program – which can cost in the thousands – for fully licensed versions of Microsoft’s products for some production applications I use (like Office 2010), and mostly test applications (like Excel 2003 to test the Plumtree Excel Portlets).

I realize most of my readers don’t meet the criteria for this program, but there are a couple of my consulting peers – and clients with “side businesses” – who could greatly benefit from this incredibly valuable program.  Just go to if you meet the following criteria and sign up!

  • Developing Software
  • Privately held
  • Less than three years old
  • Making less than $1M annually

As a final note, the BizSpark Team is wildly helpful and personal; when I was having problems logging into the site and submitted a request via email, I wasn’t hopeful for a response from the “giant conglomerate” of Microsoft.  Instead, I was pleasantly surprised to end up on a phone call with a real person on a LiveMeeting call showing her exactly what my problem was, and she fixed it within 10 minutes!

There’s a WCI App For That 5: SearchFixer

Monday, October 18th, 2010

We’ve discussed a tiny bit about Knowledge Directory cards and how the WCI Search Update plays into the crawler ecosystem, and seen that it’s possible to directly query the WebCenter Search Service, so how ’bout a quick real-world application example, expanding both of those concepts?

Here’s the scenario:  I had a client that was showing discrepancies between “Browse” and “Edit” modes in the ALUI Knowledge Directory, and in Snapshot Queries.  I suppose I owe you all a more detailed explanation of these topics – which I’ll put up in a couple of days – but for the purposes of this article, suffice it to say that the “Search Index” and “Database” were mis-matched, and the WCI search index didn’t match the database.  Worse, the regular method of repairing this discrepancy (using the Search Update job after scheduling a Search Repair) wasn’t working.

So, to fix this issue, I developed another quick and dirty application that enumerated all folders in the Knowledge Directory, doing a search for cards within the folder, then querying the database.  The application would then compare the results, and if they were different, would allow the admin to “fix” the problem by deleting all cards from the Search Index for that folder.  When the Search Repair job next ran, it would re-create these entities without all the extraneous records in there.

Like this post, I’m not particularly proud of the code as a well-architected solution, but it works and I’d be happy to help you out if you want to get in touch.  Some of the relevant code is after the break. (more…)

Sorting News Articles in ALUI Publisher

Thursday, October 14th, 2010

Out of the box, WebCenter Interaction Publisher has a News portlet template that allows Content Managers to create News Articles, and display them in a summary portlet with a link to see the entire list of articles.  The articles themselves are:

  1. stored as Content Items under the -article_path-/ Articles folder,
  2. created based on the templates in /Portlet Templates/ _NEWS/ en/, and
  3. rendered by the “Main Page” (the portlet itself showing the top n articles) and “Index” (the list of all news articles when the user clicks “more”) Presentation Templates.

The problem is, the articles are listed based on when they were published, not when they were created or modified.  Which doesn’t make sense all the time – what if someone goes in and publishes the entire folder?  You’d end up with all news items showing up on the same day.  The fix here is to update the two Presentation Templates mentioned above to sort and display on when the “article” Content Items were modified, not published.

What you may not know is that when a user creates a portlet from a Publisher template (such as the one in /Portlet Templates/ _NEWS/ en/), Publisher creates a COPY of ALL OBJECTS into the new Publisher folder the Content Manager specifies when creating it.  The implication here is that you not only need to apply these fixes to the Content Item TEMPLATES in Publisher, but also each individual News Portlet independently.  (Or, you could use something like PublisherManager, but that’s another story entirely).

However you do it, the changes that need to be made can be found after the break. (more…)

SSL Portlets can’t be accessed in WebCenter Interaction

Sunday, October 10th, 2010

If you had asked me last month if you should install Windows Updates, I’d have said, “without hesitation, it’s a Best Practice to install Windows Updates as soon as possible; I’ve never seen one break portal functionality – whether it was in the Plumtree days, ALUI days, or lately with WebCenter”. 

This month, the answer is: “without hesitation, it’s a Best Practice to install Windows Updates as soon as possible, but make sure to keep track of those updates and keep an eye out for problems when you’re done”.  Generally, I still think they’re safe and don’t warrant a full regression test once you’re done, but for the first time, I’ve come across a Windows Update that breaks a piece of the WCI portal – specifically, portlet requests to SSL-protected Remote Servers.

Fortunately, Oracle’s support center came through on this one, and clearly documents the problem in KB article 1131443.1: “SSL Portlet Communication Fails After Installing Microsoft Recommended Security Update KB968389 [ID 1131443.1]“.  In summary, there are a certain combination of hotfixes that cause SSL connections from the portal to the remote tier, as documented in the KB article and reproduced after the break.

The thing is, the KB article talks about one “real” Microsoft hotfix [KB968389] interacting with two other “unsupported” hotfixes [KB973667 and KB942636].  It talks about removing the two unsupported fixes, but on the system I was experiencing the problems on, those two weren’t actually installed.  But I did see the one hotfix in there, and once I uninstalled that one (and rebooted), the problem went away.

My best guess at this point is that those two hotfixes from Microsoft (unsupported ones that “are intended to be installed only for customers experiencing this problem”) eventually got rolled into an official, supported hotfix with a different number since the Oracle article was published in June 2010.  And Oracle will eventually update the above KB article listing that “official” hotfix number as well.


Communicating Directly with WebCenter Interaction Search Server

Wednesday, October 6th, 2010

Years ago I wrote about checking the Plumtree (ALUI?) Search Server Status The Hard Way.  And I just let it go.  A couple days ago, I told you about a great webinar on Oracle’s support site, and it took that great presentation for me to put two and two together: communicating directly with the search server is possible for more than just “checking its status the hard way”:  once you know how to connect to the port and issue commands via Telnet, you can do ALL KINDS of stuff.  Anything, in fact, that the portal can do – and more.

It turns out that WebCenter Interaction – the portal, IDK, custom code, you name it – is just building complex text queries under the covers based on the actions a user performs (such as typing a search term in the search box).  And you can see these queries when you run PTSpy (Turn on INFO for the SEARCH component):

Taking this search string and adding the (secret?) key, you can compose an identical query:

KEY redacted (((NAMESPACE english BESTBET “matt chiste”) TAG bestbet OR ((ptsearch:”matt chiste”) TAG phraseQ OR ((ptsearch:matt or ptsearch:Matt or ptsearch:Matt_) order near 25 ptsearch:chiste) TAG nearQ OR ((SPELLCORRECT (ptsearch:matt) or ptsearch:Matt or ptsearch:Matt_) and SPELLCORRECT (ptsearch:chiste)) TAG andQ)) AND (((ancestors:”dd1″)[0]) OR (((subtype:”PTUSER”)[0]) OR ((subtype:”PTCOMMUNITY”)[0]) OR ((subtype:”PTPAGE”)[0])) OR (((subtype:”PTGADGET”)[0]) AND ((gadgetsearchtype:”bannersearch”)[0])) OR ((@type:”PTCOLLAB”)[0]) OR ((@type:”PTCONTENT”)[0]))) AND (((((@type:”PTPORTAL”)[0]) OR ((@type:”PTCONTENTTEMPLATE”)[0]) OR ((@type:”PTCONTENT”)[0])) AND (((ptacl:”u200″) OR (ptacl:”212″) OR (ptacl:”211″) OR (ptacl:”207″) OR (ptacl:”202″) OR (ptacl:”201″) OR (ptacl:”51″) OR (ptacl:”1″))[0]) AND (((ptfacl:”u200″) OR (ptfacl:”212″) OR (ptfacl:”211″) OR (ptfacl:”207″) OR (ptfacl:”202″) OR (ptfacl:”201″) OR (ptfacl:”51″) OR (ptfacl:”1″))[0])) OR (((@type:”PTCOLLAB”)[0]) AND ((istemplate:”0″)[0]) AND ((collab_acl:”- \~ 1″)[0]))) METRIC logtf [1]

Then, you telnet to the search server port and paste in the text.  Search will respond with an XML formatted reply (in this case, no results):

Of course, once you have this revelation, you can see how the search text can be tuned based on the folder you’re looking for, the ACLs you want to check, or any other number of parameters.

The other startling revelation is that security is applied at the portal tier, and not the search server tier. That is, if I’m a bad guy and I know that key, and I know the query format, I can construct a query that goes against the search server to circumvent any security that has been applied to cards. Notice there are no credentials or login token passed in the query for the search service to check. Now, before you get all up in arms about this being a major security vulnerability, I offer some counter-points:

  1. Anyone with any knowledge of network sniffers or tunnel tools could easily find this key, as the traffic is not encrypted – “Security through obscurity” is not valid security.  However, I don’t consider this a fundamental design flaw or major security hole, and it is no doubt not the security that the Plumtree engineers had in mind when they implemented this. Instead, the search server should reside in a DMZ, and the port shouldn’t be open within the general network anyway. The port is NEVER to be opened to the Internet (try it on my site – “telnet 15250” doesn’t work).
  2. Even if someone did have this secret key, and they had network access to the search server port, and they knew the search format, and they knew how to craft the request to omit ACLs, the most they could get was search results they didn’t have privileges for – not the documents themselves.

How can this be applied in a real-world scenario?  Stay tuned!

Oracle Support Master Notes and Webinars

Saturday, October 2nd, 2010

I’ve been critical of Oracle Support in the past, but recently had a great experience with some of the old Plumtree support buddies that are still around – specifically, Merrick Huang in Oracle Support was able to provide a tremendous amount of assistance on a very thorny search issue I was having at a client site and will be writing about here in upcoming posts.  Before we get into the nitty gritty of that problem, I want to share with you a great resource I didn’t know existed until now: Oracle Support Master Notes and Webinars (login required).

The purpose of “Master Notes” is to “provide the most important links that users will need to install and support the product”, and there are some pretty decent pages in there if you know where to look.  For example, the IDK Master Note is a collection of a bunch of documentation, KB articles, known issues, and bug fixes all in one place.

But what I really wanted to highlight here is the Webinars provided by Oracle Support – with one in particular being the best Oracle Webinar I’ve seen: the Search Webinar, by Eno Gjerasi.  Eno shows that there’s still life left from the Plumtree support group, and demonstrates a level of knowledge of the Search Server that rivals most engineers or consultants.  There was one tip in particular that I’ll focus on in upcoming posts (about how to communicate directly with Search), but I encourage you to check out all three Webinars (Search, Portal / SSO, and Analytics) and the other Master Notes – you may just find a gem in there and wonder how you made it all these years without knowing “that one thing” you never knew you needed.

Keep up the good work, Oracle support!

R.I.P. BlogLines

Friday, October 1st, 2010

I admit, I am a bit old-school.  I have a Twitter account, but I don’t get the fascination of people reporting on their latest bowel movements or how they try to sum up the new iPhone in 140 characters or less.  I still prefer Outlook over Gmail’s wonky tagging approach (where are my folders!?), and while I once described a new technology thusly: “I have seen the future, and it is Google Wave” (it’s now dead), I still like my old-school, tried-and-true methods of consuming content.

For over a half-decade, I’ve used as my home page and primary RSS reader, and as of November 1, it is no more.  Quoting from (the owners of BlogLines):

A little perspective: when we originally acquired Bloglines in 2005, RSS was in its infancy. The concept of “push” versus “search” around information consumption had become very real, and we were bullish about the opportunity Bloglines presented for our users. 
Flash forward to 2010. The Internet has undergone a major evolution. The real-time information RSS was so astute at delivering (primarily, blog feeds) is now gained through conversations, and consuming this information has become a social experience. As Steve Gillmor pointed out in TechCrunch last year , being locked in an RSS reader makes less and less sense to people as Twitter and Facebook dominate real-time information flow. Today RSS is the enabling technology – the infrastructure, the delivery system. RSS is a means to an end, not a consumer experience in and of itself. As a result, RSS aggregator usage has slowed significantly, and Bloglines isn’t the only service to feel the impact.. The writing is on the wall.

Good points, indeed, and certainly not ones I haven’t made myself in the past.  But as a consultant from the Plumtree world, then the AquaLogic User Interface (ALUI) world, and now the WebCenter Interaction (WCI) world, I’m faced with a lot of questions like “should I migrate to WebCenter Spaces?”.  My answer has universally been something along the lines of:

WebCenter Spaces is still a reasonably new technology, there are still quite a few rough edges, and it’s not for everyone (like .NET shops).  And since as of this writing there’s no official migration path yet from WebCenter Interaction, I suggest either playing ‘wait and see’, or starting over with an evaluation of ALL products (Sharepoint, Confluence, Alfresco, you name it!) from scratch, based on your business needs NOW, not what they were 5 years ago when you bought Plumtree.  It’s going to hurt going from WCI to WebCenter Spaces, so why not accept that pain and consider alternatives that have emerged since then?  (Oracle: Don’t get me wrong – you may still have the best solution for legacy Plumtree customers, I’m just suggesting you need to still work for them!)

Which brings me back to my original point about BlogLines:  sure, it was old-school, and RSS Reader technology has progressed rapidly in the past 5 years, but what about those of us that actually prefer the “original” way of consuming RSS content (one feed at a time)?  I’ve tried Google Reader, but frankly I prefer this (individual feeds with full :

… over this:

So my questions to you, friends, are:

  1. How do you embrace new technology?  Out with the old, in with the new at any cost (see: What would email look like if it were invented today?)?  Or do you prefer incremental changes that expand on an existing platform to maintain the old way of doing things (see: Google Wave is Dead)?
  2. Do you have any suggestions for a great RSS reader that can consolidate content as well as Bloglines?  While I knocked Google Reader above, it really does a great job of handling feeds and making them searchable, but it almost feels like “too much” (given many of my feeds in the screen shots above generate hundreds of articles/day, and aggregate feed reader is the least of my requirements; I prefer reading my daily Dilbert cartoon separately from today’s CNN’s news articles).