Server-to-server SSL with Plumtree

Two different customers of ours have recently experienced problems with server-to-server SSL and Plumtree, so I thought I would shed some light on the issue in the hope that it might help someone else who’s having the same problem.

The reality is that server-to-server SSL is no different with Plumtree than it is in any other environment, but it’s just poorly understood in general. Also, Plumtree makes server-to-server requests in places where you might not think to look. For example, you might think that only end users hit the Image Server, but in fact both the Portal Server and the Collaboration Server make server-to-server connections to the Image Server to pull down javascript files. (It’s possible that Content Server, Studio Server and the new Analytics Server make similar requests; I just haven’t run into problems with these products — yet.)

So, here’s the gist: in order for a server to communicate with another server over SSL, the requesting server needs to have the host server’s certificate installed in its keystore. Doing this is pretty straightforward and well documented. First, you need to export the certificate from the host server and copy it over to the requesting server. You can read about how to do this in IIS or how to do this in a JVM-based application server such as Weblogic or Tomcat.

After exporting the cert, you’ll end up with a .cer file that you’ll need to install on the requesting server. Say that server is a Tomcat instance on which you’ve installed Plumtree’s Collaboration Server. In this case, this set of instructions should help you get that part working.

One gotcha is that the name of the server in the certificate must match the name being placed in requests made to that server. For example, if the requesting server is making a call to https://images.mycompany.com, you need to have images.mycompany.com as the name of the server in its certificate.
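The import step and the name check described above, written as shell functions. This is an added example, not part of the original post or of Plumtree's documentation; the file name, alias and truststore path in the usage comment are assumptions, and `changeit` is only the JDK's default truststore password.

```shell
#!/usr/bin/env bash
# Added example; file names, alias and truststore path are assumptions.

# Import the exported .cer into the truststore the requesting JVM reads.
# usage: import_cert images.cer images-server /path/to/cacerts
import_cert() {
  keytool -importcert -noprompt -file "$1" -alias "$2" \
    -keystore "$3" -storepass "${STOREPASS:-changeit}"
}

# Print the names in a PEM certificate file: subject CN and DNS SAN entries.
# (Add "-inform DER" to both calls if the export is binary DER.)
cert_names() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
  openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | cut -d: -f2
}

# Extract the host from a URL such as https://images.mycompany.com/path
url_host() {
  local host
  host=${1#*://}
  printf '%s\n' "${host%%[/:]*}"
}

# Return 0 if hostname $1 matches certificate name $2 (case-insensitive).
# A leading "*." in the certificate name stands for exactly one label.
name_matches() {
  local host pattern rest
  host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  pattern=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case "$pattern" in
    \*.*) rest=${host#*.}
          [ "$rest" != "$host" ] && [ "$rest" = "${pattern#\*.}" ] ;;
    *)    [ "$host" = "$pattern" ] ;;
  esac
}

# Return 0 if the host in URL $1 matches any name in certificate file $2.
url_matches_cert() {
  local host name
  host=$(url_host "$1")
  for name in $(cert_names "$2"); do
    name_matches "$host" "$name" && return 0
  done
  return 1
}
```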

How to search for other Plumtree deployments

If you’d like to see what people are doing with Plumtree on the open internet, you can search Google using the allinurl: portal/server.pt syntax.

Bear in mind that Plumtree portal administrators can change both “portal” and “server.pt” to anything, but most do not choose (or do not know how) to change this. Really, it’s easy — just change the VirtualDirectoryPath and the HTTPEntryPoint in j_config.xml or n_config.xml.

bdg takes Wind River live on Plumtree 5.0.4J

All of us at bdg are very pleased to announce that our very own Andrew Morris has led Wind River to a successful launch of 5.0.4J on their corporate extranet with an extremely slick and highly customized UI. In fact, the UI is so good that if it weren’t for the portal/server.pt in the URL, you seriously wouldn’t know that it’s a Plumtree Portal!

To pull this off, Andrew leveraged bdg’s extensive knowledge of Plumtree UI customization (especially pluggable navigation) in Java along with a boatload of Plumtree Content Server magic. Up until now, I thought SunTrust was the most creative Plumtree 5x deployment in terms of UI tweaking, but this one trumps it. By a lot. If you don’t believe me, take a look for yourself.

The future of JSR-168

There is some interesting speculation about the future of JSR-168 going on at the Portlets Yahoo! Group. IMO (which is a redundant thing to say because this whole blog is My Opinion), I don’t think the spec is going away by any means. But at the same time, it seems that the entire industry has come to recognize it as the “lowest common denominator” of portlet functionality. In terms of features, it fails to specify portlet-to-portlet communication APIs among several other things. But worst of all, it’s designed with the presumption that the portlets will always run inside the portal container. Humph.

CSS — who knew?

I went to the final set of sessions at NVSS today which included a gem of a presentation by Eitan Suez, a Java programmer who also happens to be a CSS master. I had no idea you could accomplish so much with CSS. For example, a lot of what I thought I had to do with Javascript and innerHTML() can be done with the CSS visibility attribute. Visit Eitan’s CSS Repertoire to find out more. Another site brought up during the talk was the CSS Zen Garden — a must see!

Did you write the famous hangman Java applet?

I also get asked this question from time to time. Unfortunately, I can’t take credit for that great little game (and one of Sun’s original sample applets for Java 1.0) because Patrick Chan wrote it.

However, the reason my name is in the source is because I ported it from Java 1.0 to Java 1.1 while interning at Sun in 1997.

Is Plumtree an “open” platform?

“We call this re-imagining Radical Openness. Radical Openness is our strategy to offer both J2EE and .NET versions of our entire application management framework, new points of integration for synchronizing the Enterprise Web environment with systems of record as well as desktop tools, and the ability to embed Enterprise Web services in any Web application,” Kunze continued. “Ultimately, we believe the way applications are being developed is fundamentally changing, and that with the Enterprise Web, applications can be developed in greater volumes, at lower cost, and on a wider variety of platforms than ever before.” –John Kunze, CEO, Plumtree, Inc. (excerpted from a 2003 press release).

bdg’s response to this is that in some ways it is and in some ways it isn’t.

Plumtree is Open:

  • It runs on Windows (.NET or Java) or Solaris (Java)
  • It can embed portlets from anything that speaks HTTP(S)
  • It uses SOAP over HTTP for Crawlers, Authentication, Profiling and Search
  • It uses other nice, open-ish technologies like XML, SQL, HTML, CSS, Javascript
  • It runs on SQL Server or Oracle

Plumtree isn’t Open:

  • It runs only on Windows and Solaris, not AIX, HP-UX, Linux, or any other *nix
  • Its entire codebase, though highly pluggable and configurable, is proprietary
  • It uses proprietary headers (CSP, which stands for Content Server Protocol, no relation to Plumtree’s Content Server, don’t ask 🙂) to communicate information to and from portlets*
  • It only runs on SQL Server and Oracle, not MySQL or any other RDBMS

*Plumtree does support both WSRP and JSR-168 through plug-ins, though they limit functionality to some degree (more on this later).

I should preface all of this by saying that I still believe Plumtree is far and away the “best” portal solution for most mid- to large-size corporate intranets and even extranets for a whole host of reasons. I mean really, why would I bet my company on it if I didn’t?

However, it’s easy to confuse “open” with “pluggable” when they are in fact very different. When I hear things like, “my web service is written in Ruby on Rails, but .NET, Java and PHP clients use it all the time,” then I think “open.” (And no, if you’re wondering, I’ve never actually heard that, not even from Dave Thomas.) When I hear, “sure, you can replace the page navigation in my presentation layer, but only if you do it with Tapestry” then I think “pluggable.”

Plumtree’s UI is pluggable; their WS/PRC server, EDK, CWS, AWS/PWS and SWS architectures are open; and their Portlets are, well, a little of both: they’re very open in that you can write them in anything that speaks HTTP(S), but only if you do it with their proprietary headers, but then, well, you can use JSR-168 or WSRP to get around that, but then, well, you can’t get all the functionality like Adaptive Portlets . . . .

When it comes to Plumtree’s Portlets (or Gadgets as they used to be called), it almost sounds like I’m arguing with myself.

In summary, if you’re looking for a proprietary product that’s built on some open standards that you can extend using open standards (sometimes) but that only runs on certain platforms, well, then Plumtree is for you.

While I’m not in the business of making excuses for Plumtree, I must say that every time a company with a proprietary enterprise software product needs to support a new OS or browser or database or “thingy” they need to run that combination through a testing matrix that grows exponentially each time you add a new “thingy” to it. That is a royal pain in the proverbial backside.

The complexity of the testing matrix alone is a great argument for open sourcing everything. (And yes, I understand that open and open source are not the same thing.) While I do see merit in commercial, proprietary software, I assure you that if Plumtree’s code base were open source it would already be running wild on Linux. Why? Because I would have compiled it myself. 🙂

How to pronounce (and not pronounce) Bucchere

 

No, it’s not boo-SHARE, it’s not buck-HEAR, and it’s certainly not buck-HAIRY.

Actually it’s easy: boo-CARE-eee. Once you’ve said it once or heard it twice, you’ll get it.

In fact, a lot of people call me Bucchere because Chris is just so, well, boring.