Oracle Announces Roadmap for Plumtree / AquaLogic / WebCenter

UPDATE 2: I’ve incorporated all the great feedback and comments from ex-Plumtreevians, ex-BEA and ex- and current Oracle folks.

UPDATE: A bunch of Plumtreevians are contributing really good comments on this post over on Facebook.

bea_think_oracleI worked at Plumtree Software, Inc. from June 1998 to December, 9th 2002. In four-and-a-half years, the company grew from 25 employees to over 400 and it had thousands of happy customers before it was purchased by BEA Systems in 2005 for $220M. Here at bdg, we’ve been supporting dozens of Plumtree/AquaLogic Interaction (ALI)/WebCenter Interaction (WCI) customers since we opened our doors in December of 2002.

Back around 2005, BEA’s BID (Business Interaction Division) still had a lot of really smart engineers from Plumtree working on a lot of really interesting things, including Pages (think CMS 2.0), Pathways (kind of an enterprise version of del.icio.us) and Ensemble (the portlet engine/gateway, minus the overhead and UI of the portal itself).

They were also working on an enterprise social network, kind of a Facebook for business if you will.

However, there was a lot of wrangling at BEA, primarily between BID/AquaLogic and BEA’s flagship product, WebLogic (the world-class application server). Most of the strife came in the form of WebLogic Portal vs. AquaLogic/Plumtree Portal nonsense. Senior management at BEA, in their infinite wisdom, had taken a “let’s try not to alienate any customers” policy and in the process they confused all their customers and alienated/frustrated quite a few of them as well. They renamed Plumtree to AquaLogic User Interaction (ALUI), put in place a “separate but equal” policy with WebLogic Portal (WLP) and spewed some nonsense about how WLP was for “transactional portal deployments” vs. ALI for .NET and non-transactional portals, but no one, including BEA management, had any idea WTF that meant. To further confuse the issue, the WLP team, which also had a lot of really smart engineers, built products like “Adrenaline” (which was basically a less-functional and more buggy version of Ensemble) rather than do the unthinkable and integrate Ensemble into WLP so that WLP could finally host non-Java/JSR-168 portlets.

I was really pissed about BEA’s spineless portal strategy, their “separate but equal” policy between WLP and BID/ALUI and their waste of precious engineering resources in an arms race between WLP and ALUI rather than just stepping back, growing a spine, and coming up with a portal strategy.

Because I can’t keep my pie hole shut, I started several loud, messy and public fights with BEA management. Why? Because the real loser here is the customer.

And BEA, because management got mired in politics and chose to waste engineers’ time on in-fighting and competition instead of building enterprise Facebook, which Steve Hamrick and I arguably already wrote in our spare time. All they needed to do was product-ize that and they would have owned that market.

In 2008, Oracle inherited this clusterfuck of a portal strategy when they bought BEA for $7B+, giving me new hope that cooler heads would prevail and fix this mess. The first thing they did was fire all the impotent BEA managers who were afraid to make any decisions. It took Oracle a while, but alas, they have finally arrived at a portal strategy that makes sense. I first learned about this strategy when I crashed the WebCenter Customer Advisory Board last Thursday.

First of all, let me say this: under the leadership of Vince Casarez, current (and future) customers are in good hands.

I realized when he said “everyone still calls it Plumtree” that this was going to be a bullshit-free presentation.

He also said something regarding the “portal stew” at Oracle that puts all of my ranting and raving in perspective: “Oracle did not buy BEA for Plumtree or WLP, just like it didn’t buy SUN for SUN’s portal product.” To rephrase that, Oracle bought BEA for WebLogic (the application server, not the portal) and Sun for their hardware (not for Java, NetBeans and all the rest of Sun’s baggage).

So, let’s face it, portals are a relatively insignificant part of Oracle.

However, they’ve finally did what I called for 2008 and what BEA never had the wits to do: pick a single portal strategy/stack and stick to it. SO, if you’re a current Plumtree/ALUI/WCI or a current WLP customer, you have a future with Oracle.

Here’s the plan, as I understand it.

All roads lead to Web Center (not Web Center Interaction, but Web Center)

At the heart of Web Center will be WebLogic’s app server and portal. Plumtree/ALUI as a code base will be supported, but eventually put into maintenance mode and retired. You get nine or twelve years of support and patches (blah blah blah) but if you want new features, you need to switch to the new Web Center, powered by WLP. CORRECTION: WebCenter will not be “powered by WLP.” At its core will be the Oracle-developed, ADF-based WebCenter Portal running on WebLogic Server.

All the “server products” (Collaboration, Studio, Analytics, Publisher) will be replaced by Web Center Services or Web Center Suite

Publisher will be subsumed by WCM/UCM (Web Content Management / Universal Content Management, formerly Stellent). The other products will be more-or-less covered by similar offerings in Suite or Services.

What about Pages, Ensemble and Pathways?

Pages is dead as WCM/UCM does it better. Pathways is getting rolled into the new Web Center somehow, but I’m not sure how yet. Perhaps I can follow up with another blog post on that. Ensemble has been renamed “Pagelet Producer” — more on that below. CORRECTION: Pathways is now called “Activity Graph” and it will be part of the new WebCenter. Think of an enterprise-class version of the Facebook News Feed crossed with Sales Force chatter and you’ll be on the right track.

What about .NET/SQL Server, IIS and everything else that isn’t Java?

This is a really interesting question and the key question that I think drove a lot of BEA’s failure to make any decision about portal strategy from 2005-2008. Plumtree had a lot of .NET customers and some of the biggest remaining Plumtree/ALUI customers are still running on an all-Microsoft stack. In fact, one of them told me recently that they have half a million named user accounts, two million documents and 72 Windows NT Servers to power their portal deployment.

So, let’s start with the bad news: Oracle doesn’t want you to run .NET/Windows and they REALLY don’t want you to run on SQL Server.

(That will change when Oracle acquires Microsoft, but that’s not gonna happen, at least not any time soon.) WebLogic app server and WLP/WCI, to the best of my knowledge, will not run on SQL Server. They will, however, run on Windows, but I would not recommend that approach.

It’s inevitable that large enterprises will have both .NET and Java systems along with a smattering of other platforms.

So, if you’re a .NET-heavy shop, you’ll need to bite the bullet and have at least one server running JRockit or Sun’s JVM, one of Oracle’s DB’s (Oracle proper or MySQL), WLS/WLP/WCI and preferably Oracle Enterprise Linux, Solaris or some other other flavor of Un*x. CORRECTION: WLP will run on SQL Server. Not sure about the new WebCenter Portal, but my guess is that it does not.

Now, for the good news: the new WCI, powered by WLP and in conjunction with the Pagelet Producer (formerly Ensemble) and the WSRP Producer (formerly the .NET Application Accelerator) will run any and all of your existing portlets, regardless of language or platform.

This was arguably the best feature in Plumtree and it will live on at Oracle.

.NET/WRSP and even MOSS (Sharepoint) Web Parts will run in WebCenter through the WSRP Producer. The Pagelet Producer will run portlets written in ANY language through what is essentially a next generation, backwards-compatible CSP (Content Server Protocol, the superset of HTTP that allows you to get/set preferences, etc. in Plumtree portlets). So, in theory, if you’re still writing your portlets in ASP 1.0 using CSP 1.0 and GSServices.dll, they will run in the new Web Center via the Pagelet Producer. Time for us to update the PHP and Ruby/Rails IDKs? Indeed it is. Let me know if you need that sooner rather than later.

How do I upgrade to the new WebCenter?

Well, first off, you have to wait for it to come out later this fall. Then, you have to start planning for what’s less of an upgrade and more of a migration. Oracle, between engineering and PSO, has promised to provide migration for all the portal metadata (users, communities, pages, portlets, security, etc.) from Plumtree/ALUI/WCI to the new Web Center, with WLP at its heart. (Wouldn’t it have made sense for some of those WLP engineers to start building that migration script in 2005 instead of trying to compete with ALUI by building Adrenaline? Absolutely.) All your Java portlets, if you’re using JSR-168 or JSR-286, will run natively in WLP through a wrapper in WebCenter Portal. Everything else will either run in the WRSP Producer (if it’s .NET) or in the Pagelet Producer (if it’s anything else). The only thing I don’t fully understand yet is how to migrate from Publisher to UCM, but I’m due to speak with Oracle’s PSO about that soon. Please contact me directly if you need to do a migration from Publisher to WCM/UCM that’s too big to do by hand.

The only other unanswered question in my mind is how the new WebCenter will handle AWS/PWS services — the integrations that bring LDAP/AD users and profile information/metadata into Plumtree/ALUI/WCI. I wrote a lot of that code for Plumtree anyway, so if Oracle’s not working on a solution for the new Web Center, perhaps I can help you with that somehow as well. CORRECTION: User and group objects are fully externalized in Web Center, so there is no need for AWS/PWS synchronization. (Thanks, Vince, for pointing that out.)

So, that’s my understanding of the new portal strategy at Oracle.

Kudos to Oracle’s management for listening to their customers, making some really hard decisions and picking a path that I think is smart and achievable.

I’m here to help if you have questions or need help with your portal strategy or technical implementation/migration.

Q&A;

(Some other notes about discussions that have spawned from this original post.)

Q: What’s the future of the Microsoft Exchange portlets (Mail, Calendar and Contacts) and the CWS for crawling Exchange public folders. Retired and replaced with something Beehive related? Still supported? For how long? Against what versions of Exchange?

A: We’ve got updated portlets for Mail & Calendar in WebCenter now for Exchange 2003 & 2007. We don’t have a Contacts portlet but it could be added quickly if we see a large demand. Crawling public folders can be done with an adapter we have for SES [Oracle Secure Enterprise Search] already. We’re working but aren’t done with a new version of KD on top of the new infrastructure that will come out post PS3. (Contributed by Vince Casarez.)

Q: If migration scripts are provided to move WCI metadata into WebCenter, I understand that a portlet is a portlet, but what about pages and communities, users and groups, content sources and crawlers, etc.? Do they all have analogous objects in WebCenter or is there some reasonable mapping to some other objects?

A: Pages and Communities follow a model where we extract/export the meta data and data, then run it through a set of scripts that create a WebCenter Space for each Collab project/community and a JSPx page for every page. Users and Groups will come out of the LDAP/AD directory they are already using and the scripts associate the right permissions to each of the migrated objects. I don’t recall what we did about crawlers but since we use SES directly, all the hundred or more connectors we ship for SES are now available for direct usage. The scripts go through a multiphase approach to move content, then portlets, then pages, then communities so that dependencies can be fixed up versus trying to do a manual fix up. (Contributed by Vince Casarez.)

Q: Will any existing WCI-related products that are slated for retirement (e.g. Publisher, Collab, Studio, Analytics, etc.) be re-released with support for Windows Vista, Windows 7, IE 8, IE 9 or Chrome?

A: For Publisher, we are planning a set of migrations to quickly move them to UCM. For Collab & Studio, we have new capabilities in WebCenter Spaces to match these functions. For Analytics, we’ve also rebuilt it on top of the WebCenter stack with over 50 portlets for the different metrics and made sure we provide apis/ access to the data directly. These analytics data also feeds the activity graph in providing recommendations for people on the content and UIs that are relevant to them. These are tied into the personalization engine that we brought over from the WLP side. So there is a rich blending of the best features from WLP with WCI key features. As for Neo [the codename for the next release of WCI], we are certifying the additional platforms. On the IE 8 front, we’ve just released patches for WCI 10gR3 customers to be able to use IE8 without upgrading to Neo. (Contributed by Vince Casarez.)

On Open Letter to the Java Community

java_oracleIn the wake of the Sun acquisition by Oracle, the much-lambasted Oracle vs. Google lawsuit over Google’s alleged JavaME patent infringement, and the rumblings I’ve been hearing at Oracle Open World / JavaOne / Oracle Develop 2010, I have a message to the Java community:

Quit your bitching and moaning and start doing something productive!

Now that I’ve offended all the Java fanboys/girls out there, let me explain:

  1. Why I’m qualified to give you all one big collective kick in the ass, and
  2. Why this collective ass-kicking is coming from a place of love, not hate.

My first experience with Java was in 1994/95, when Stanford started switching its Computer Science curricula from C/C++ to Java. After struggling with memory management, segmentation faults, horrific concurrency problems and the other ways I kept shooting myself in the foot, Java was a breath of fresh air. My first corporate experience with Java was working as a summer intern for JavaSoft (a former subsidiary of Sun) in 1997 porting Patrick Chan’s Java 1.0 sample applications (remember Hangman?) from JDK 1.0 to JDK 1.1.

I went on to join Plumtree. Originally, they were a Microsoft darling. I helped lead the charge to switch them from COM/DCOM, ASP 1.0 and SQL Server to Java and Oracle.

In 2002, I started a Plumtree-focused consulting firm, helping 50+ customers install, maintain and grow their Plumtree deployments. In all but a precious few of those accounts, I wrote all of the code in Java/JSP.

Since about 2008, we’ve been using Ruby on Rails for most of our software. When Rails hit the scene, I had a similar “breath of fresh air” moment similar to when I first encountered Java.

But this letter is not about Ruby or about Rails; it’s about Java. A language I’ve used since it’s very first iteration in 1994/95 and up to the present day. A language wherein I’ve written at least half a million lines of code, most of which still run in production today inside Plumtree/AquaLogic User Interaction/WebCenter Interaction, at major customer sites in the corporate world and in the federal government.

So, fast-forward to today, this is what I’m hearing about Java, in a nutshell:

  1. Oracle’s going to kill/close-source/fuck up Java
  2. Life’s not fair!
  3. Blah blah blah

Twitter _ Jock Murphy_ @oracle I love Java, I do .All of this bitching and moaning starts right at the top with Java grandfather and CEW (Chief Executive Whiner) James Gosling, who is showing incredibly poor leadership, lousy judgment and massive immaturity with his totally irrelevant, outdated and hateful anti-Oracle bitch-fest.

Twitter _ Marcello de Sales_ Solaris 11 to be contI’ve heard people whining about everything around them that’s not running on Java: mobile applications, web sites, conference tools, Twitter, Facebook, etc.

Twitter _ Paweł Szymczykowski_ @dendro Awesome thaI even saw someone complain on Twitter that the Black Eyed Peas, who Oracle paid an undoubtedly handsome sum of money to entertain your sorry asses last night, gave a shoutout to Oracle and not “The Java Community.” Seriously? Give it a rest, folks!

There are lots of choices of development stacks and people are free to choose the one that works best for them.

Embrace that freedom; don’t fight it.

And the word Oracle doesn’t mean “database” anymore. It is an umbrella term that could refer to thousands of different products.

Let’s take a look at some of the advantages of Oracle owning Java.

With respect to OpenWorld, the Java Community got:

  1. Your own conference with around 400 sessions
  2. Your own tent
  3. Your own street closure (Mason Street)
  4. Invited to OTN Night, one of the best parties at OpenWorld

More importantly, with Oracle Corporation, the Java community gets:

  1. Cemented into the infrastructure of nearly all of Oracle’s products, meaning that nearly all of their customers — most of the Fortune 1000 — are now Java shops (if they weren’t already)
  2. Stability, stewardship, thousands of really bright engineers and nearly unlimited resources
  3. One of Corporate America’s most powerful legal teams backing you up
  4. A secure and promising future, including a just-announced roadmap for JDK 7 and 8

And, with all that being said, guess what?

Java is still open source.

Do you know what that means?

Let me answer that question with another question: what brilliant phoenix rose from the ashes of the debacle that was the AOL acquisition of Netscape in 1998?

It was Firefox, a free, open source-based browser that literally revolutionized the massively screwed up browser market and gave the dominant browser (IE 5, and later, IE 6) a true run for its money. From wikipedia:

“When AOL (Netscape’s parent) drastically scaled back its involvement with Mozilla Organization, the Mozilla Foundation was launched on July 15, 2003 to ensure Mozilla could survive without Netscape. AOL assisted in the initial creation of the Mozilla Foundation, transferring hardware and intellectual property to the organization and employing a three-person team for the first three months of its existence to help with the transition and donated $2 million to the foundation over two years.”

IBM’s symbiotic relationship with Eclipse is another great example.

So, dear Java community, to ensure your own survival, please, in the name of Duke, stop complaining and start thinking strategically about how you can “pull a Firefox” here. You’re all brilliant engineers, so start putting all the effort you’re wasting in complaining toward something productive.

I love you all and I love all your passion and energy, but I hate your bitching — use that energy to go save the world, Java style!

Chris Bucchere’s Oracle Open World Schedule

oracle_open_world_unconferenceI’m headed to Oracle Open World on Saturday, 9/20. Here’s my proposed schedule. Like I said earlier, I’m probably going to spend most of my time in the unconference anyway, but here’s what looked interesting to me.

[Editor’s note: I’ve removed the gCal from here because it defaults to the current date, so it’s not really usable anymore, now that Oracle Open World 2008 is a thing of the past.]

If you’d prefer, you can also access this schedule in XML or ICAL format.

Four ALI IDKs at your Disposal — Fifth One on the Way?

As most of you already know, there are four IDKs out there in IDK-land. To take a step back, if you’re really new to ALUI (formerly Plumtree) development, you can read about how ALUI handles portlets and how an IDK helps you write portlets. So, back to the four IDKs. They are all freely-downloadable from BEA — I’ve included links here:

*These two IDKs were written by developers at bdg and then released to the open source community on dev2dev’s CodeShare.

edocs warns you in boldface type: always use the IDK. That’s sound advice, given that the IDK API isolates you, as a portlet developer, from changes to the underlying protocol that ALUI uses to communicate between the portal and portlets (CSP). However, what if you’re not writing a portlet in Java, .NET, Ruby or PHP? As an aside, once upon a time, there were Perl and ColdFusion GDKs (predecessor to the EDK/IDK), but these development kits are no longer maintained by anyone, although I know for a fact that the ColdFusion GDK is still in use by an ALUI customer because it came up during a sales call!

So, back to my “what if” question: how can you write a portlet without an IDK? It’s actually not too hard if you’re just getting information from the portal. However, it gets challenging when you start setting preferences and then it starts to get really painful when you start dealing with Unicode issues, encrypted settings and some of the other really hairy stuff. So that’s why edocs implores you to use an IDK, when one is available.

If you do go down the road of writing a portlet in a language where an IDK isn’t available, I highly recommend that you at least abstract out your CSP calls such that they’re isolated from the rest of your portlet code. While you’re at it, you might as well follow the same API that BEA uses; in other words, write your own IDK (or at least the parts of it that you need to get your portlet done). To get you started, here’s how BEA probably implemented one of the IDK methods in Java:

public AggregationMode getAggregationMode() {
  if (!request.isGatewayed()) {
    throw new NotGatewayedException("Request not gatewayed.");
  }
  
  if (request.getHeader("CSP-Aggregation-Mode").equals("Multiple"))
    return AggregationMode.Multiple;
  } else {
    return AggregationMode.Single;
  }
}

So, go forth and write your own IDK. Or, preferably, ask a bdg-er to write one for you!

On a related note, one of our customers recently asked us to build an IDK for Lotus Notes/Domino in LotusScript. We’re trying to figure out if other people might be interested in this IDK so that we can decide if we’re going to open source it or do it as a consulting project (or some hybrid of the two). If you are interested in LN/Domino development for ALUI, let us know by commenting on this blog. I always love hearing feedback from users of the PHP and Ruby IDKs as well.

Comments

Comments are listed in date ascending order (oldest first)

  • Hi Chris. We have a couple of remote portlets on web servers running Perl so I looked around for awhile for the original Perl IDK but couldn’t locate it, so I’ve written a Perl module that supports the methods provided by IPortletRequest. They’re read-only methods but are really all we needed access to. man-page is here…
    http://webdev.co.nz/Perl/IPortletRequest.txt Is this worth placing in codeshare do you reckon? I don’t see a lot of action in the forums concerning Perl use.

    Dean Stringer ([email protected])

    Posted by: deeknow on March 22, 2007 at 2:00 PM

  • Hello Dean! The original Perl GDK was written so long ago that I’m not sure how much good it would do. It was based on CSP 1.0 and it followed the old GSServices API rather than the new com.plumtree.remote.portlet API.

    I’m pretty stoked to find out that someone else has written at least part of an IDK — that’s impressive. Do I think it’s worth posting to CodeShare? I haven’t heard much talk about ALUI and Perl, but I guess it can’t hurt.

    Posted by: bucchere on March 22, 2007 at 5:03 PM

  • Hi, Chris. We would love to have a Lotus Notes/Domino IDK available to us, as we have lots of “legacy” applications in Domino that we want to expose in ALUI, and an IDK would certainly help! Just my nickel’s worth… 🙂

    Posted by: kcepull on March 30, 2007 at 11:21 AM

  • Thanks for your comment. If you don’t mind my asking, would you be willing to pay for such a thing or is it only a nice-to-have that you would download and use if it were opensource, but not pay for it if it were a commercial product?

    Posted by: bucchere on March 31, 2007 at 6:07 PM

ALI G6 on Ubuntu?

Some of you may be familiar with my rants on the bdg blog about how Linux just isn’t ready for the desktop. My opinion on that matter has largely changed with the release of Ubuntu 6.06 LTS (Dapper Drake), which I have been running with minimal hassle on my newish Gateway MP6954 laptop since last summer. It has a tasty coffee-colored UI (mmm), it NEVER crashes, it basically takes care of itself with updates and has equivalent — or better — software for pretty much everything you’d ever want to do with Windows or OSX at a great price: free.

Of course ALUI is only officially supported on two Linux plaforms: RHEL and Suse. But Linux is Linux, right? Well, sort of. I had all sorts of “fun” getting ALUI running on Oracle on Fedora. However, with Ubuntu, getting Oracle and ALUI up was a breeze.

First off, unless you call yourself a DBA, you don’t want to mess around with a full-blown Oracle instance. Instead, just follow these easy steps to install something called Oracle XE. It has certain limitations — the most important of which is that you can’t create more than one database.

My first — and really my only — mistake during this setup process came next (and it’s related to this one-database issue). I tried to drop the XE default database (ORACLE_SID=XE) and run the crdb1_oracle_unix.sql script to create the PLUM10 database. This was a bad idea. I poked around on Google a bit and then thought, well, I don’t really need my own database. (Had I had this epiphany before starting down that path, I could have saved two hours and had ALUI up and running on Ubuntu in fewer than 30 minutes.) So, instead of running crdb1_oracle_unix.sql, just edit create_tables_oracle.sql and remove any reference to PLUMINDEX, then run the following commands on the XE database:

$sqlplus sys as sysdba
SQL>create user plumtree identified by password
SQL>grant connect, resource, create view to plumtree

This creates the plumtree user on the XE database, which gives ALUI its own schema, which, for our purposes, is just as good as having your own DB. Now you can basically just run the out-of-the-box scripts (keeping in mind the changes I made to create_tables_oracle.sql):

$sqlplus plumtree/password@XE
SQL>@create_tables_oracle.sql
SQL>@load_seed_info_oracle.sql
SQL>@stored_procs_oracle.sql
SQL>@postinst_oracle.sql

At this point, ALUI was ready to rock. I only ran into one small snag. One of the native search libraries complained about a missing LD_LIBRARY_PATH dependency on libstdc++. This was not a showstopper. I did the following:

$ln -s /usr/lib/libstdc++.so.6.0.7 /usr/lib/libstdc++-libc6.1-1.so.2

From there I configured the bundled tomcat to host the portal and the imageserver and viola, ALUI 6.0SP1, in all its glory, was up and running on Ubuntu. (BTW, I would have used ALUI 6.1.0.1, but when I wrote this article, the RHEL and Suse versions weren’t available yet.)

Comments

Comments are listed in date ascending order (oldest first)

  • I’ve also successfully installed ALUI 6.1.1 (6.1MP1) on Ubuntu 7.04 (Server). Required one workaround for the LAX installer shared libraries problem (can’t find libc.so.6 etc):
    $cp AquaLogicInteraction_v6-1_MP1 AquaLogicInteraction_v6-1_MP1.bak
    $cat AquaLogicInteraction_v6-1_MP1.bak | sed "s/export LD_ASSUME_KERNEL/#xport LD_ASSUME_KERNEL/" > AquaLogicInteraction_v6-1_MP1

    Posted by: rdouglas on May 7, 2007 at 10:45 AM

  • hey Chris, appreciate the post! just wanted to give the hint that to change the plumindex on the create_tables script, you can do this in vi: :1,$s/PLUMINDEX/USERS/g

    Posted by: jbell on June 2, 2007 at 8:57 PM

  • Chris, nice post…I referenced this post while trying to get the new ALUI 6.1 quickstart installer to correctly intall the portal on windows xp. I’ve tried the installer on several xp machines but it is still failing…i think the error has to do with the way the installer is setting up the paths/environmental variables – when i run the diagnostics tool i get an invalid entry point…my paths look correct and i’ve tried re-installing multiple times on multiple machines…any ideas? Thanks.

    Posted by: phil- on September 10, 2007 at 8:41 AM

  • Well, after some troubleshooting I figured it out…here is the solution…I hope this is helpful to someone in the future…I needed to rename the icuuc30.dll in C:WINXPsystem32 to icuuc30_from_system32.dll and paste the icuuc30.dll from C:beaaluicommoninxight3.7.6binnative into the C:WINXPsystem32 directory before the installation would work.

    I did try just moving the INXIGHT_PATH variable so that it is loaded on the PATH before the C:WINXPsystem32 but the error still occured. BTW – icuuc30.dll is a component for Unicode version 3.0

    Posted by: phil- on September 12, 2007 at 11:47 AM

  • Thank you so much for this post, I had the same problem on XP. I’m just curious, how were you able to debug this problem? What pointed you to icuuc30.dll?

    Posted by: fhkoetje on December 4, 2007 at 9:31 AM

WLP + Adrenaline = ALI?

I recall sitting in a meeting in 1998 where we were discussing how to aggregate portlet content into a portal page. We talked a lot about iframes but couldn’t consider them as a serious integration option because of security, scalability/performance, caching and portal-to-portlet communication. Instead, we spent the next year building and testing the HTTPGadgetProvider, which later came to be called the “(Massively) Parallel Portal Engine.” (The term “Massively” was later dropped and I believe the name “Parallel Portal Engine” or PPE for short finally stuck.) I won’t go into details about how the PPE works, but if you’re interested, you can check out this great page in edocs that sums it up nicely.

So anyway, iframes are certainly reasonble way to build a portal in a day. But, in terms of building a robust enterprise portal that can actually withstand the demands of more than say, ten users, and that will pass even the most rudimentary security evaluation, iframes are complete nonsense.

So, today, during my lunch break, I attended Peter Laird’s Webinar, which he advertised in his nascent blog. It was all about enterprise mashups, a topic by which I’m very much intrigued. (Recall that PTMingle, my winning entry in the 2005 Plumtree Odyssey “Booth of Pain” coding competition was a mashup between Hypergraph, Google Maps, del.icio.us and Plumtree User Profiling.)

Imagine my surprise when Peter described how you can mash up Google “Gadgets” and other resources available via URLs using Adrenaline, a “new” technology from the WLP team based on, of all things, iframes. It was like entering a worm hole and being transported back to 1998. (I was single again, I had no kids, I was thinner and I had more hair on my head . . . and less on my back.) But the weird thing about this parallel universe is that BEA engineers were telling me that iframes were a great way to mashup enterprise web content and that intranets all over the world could benefit from this revolutionary concept. Intranets? You mean the things that everybody replaced with portals in the last millennium? Iframes? I must have been dreaming . . . .

When I finally came back to my senses, a few things occurred to me.

First of all, it’s 2007. Portals are a thing of the past. For some of us, that will be a hard pill to swallow. But let’s face it, innovators have moved on to blogging, wikis, tagging/folksonomies and lots of other nice web 2.0 sites that all have rounded corners. The bleeding edge folks have decided that many is smarter than any. The rest of the world will catch up soon.

Secondly, if you are still building a portal or composite application of any flavor, iframes are not a viable solution. They fall short in the following ways:

Portal-to-Portlet Communication

Say you want to send information (like the name of the current user) down to a portlet running in an iframe. Hmmm, the request for an iframe comes from the browser, not from the portal. So, if anything needs to be passed into the iframe, I guess you have to put in in the URL in the request for the iframe. That’s great, but that URL is now visible in the page’s source. So a simple, “Hello [your name]” portlet where the portlet gets the name from the portal is doable. But what about passing a password? That information would need to go first to the browser and then back to the remote tier, which, from a security standpoint, is a complete showstopper.

Security

Let’s talk a little more about security. Since you’re using an iframe, the requests aren’t proxied by the portal. Instead, a page of HTML gets sent from the portal to the browser and then the browser turns around and makes requests to all the iframes on that page. Since the portal isn’t serving as a proxy, it can’t control what you do and don’t have rights to see, so security is completely thrown out of the window. (Or should I say, thrown out of the iframe?) Moreover, in an enterprise deployment, the portal usually sits in the DMZ and proxies requests out to bits and pieces of internal systems in order to surface them for extranet users. If you’re using iframes, every bit of content needs to be visible from an end user’s browser. So what’s to stop an end-user from scraping the URL out of a portal page and hitting a portlet directly? Nothing! (If I understand what I’m reading correctly, the WLP team is calling this a feature. I would call it a severe security risk.)

Scalability/Performance

Yes, this approach will work for Google Gadgets. But Google has more money than pretty much everyone. They can afford to spend frivolously on anything, including hardware. However, the rest of the world actually cares about the kind of load you put on a system when you create a “mashup.” A page consisting of five iframes is like five users hitting the sites with five separate requests, separate sessions and separate little “browsers.” If any of the iframes forces a full-page refresh or if the user does the unthinkable and say, moves to another page, every request is reissued and the mashup content is regenerated. This simply does not scale beyond a few users, unless you have as much money and as much hardware as Google does.

Caching

A properly designed portal or content aggregation engine will only issue requests to portlets when necessary. In other words, each remote portlet will only get a request if it needs to be loaded because the portal doesn’t have a cached entry. Unfortunately, you can’t do this with iframes because the portal doesn’t even know they exist. (Remember, all requests for iframe content go directly from the browser to the remote content, bypassing the portal entirely.)

What baffles me is why a company would acquire another company with a revolutionary technology (the PPE) and then start from ground zero and build a technology that does the same thing but without a portal-to-portlet communication model (preferences), security, scalability or caching. If consumers weren’t already confused, now they most certainly are.

As technologists, I hope you can see through the hype about Adrenaline and consider a product that actually allows you to mash up web content in a scalable and secure way and has been doing so since 1999. It’s called AquaLogic Interaction and it’s sold by a company we all know and love called BEA.

Comments

Comments are listed in date ascending order (oldest first)

  • I just discovered that the BID/AquaLogic (formerly Plumtree, Fuego, Flashline, etc.) folks are having another webinar, entitled “Harnessing Enterprise Mash-ups with Security and Control.” This webinar (I hope) will show:
    1. how ALI has been handling mashups since before mashups was even a buzzword and
    2. how Project Runner enables next generation mashups that allow you to invoke back-end applications and provision security, branding, SSO, etc. without actually funneling everything through the portal.

    If you were at today’s webinar and you’re now wondering how to do mashups with more robustness and security, then I hope you’ll attend this webinar. By all means, it’s just the responsible thing to do in order to offer customers different integration options when creating their mashups.

    Posted by: bucchere on January 10, 2007 at 7:31 PM

  • I’d like to add a couple points of clarity from BID product management. First of all, we’re happy to have passionate developers, but I fear this post may give the wrong impression about some of BEA’s technology and plans.

    WLP Adrenaline, ALUI, and project Runner are all complementary technologies that have a very exciting future when applied to problems such as Enterprise Mashups. You’ll be hearing more about them from BEA over the coming months through various venues, including Webinars targeted at WLP-specific use cases (such as Peter’s excellent talk) and ALUI use cases (including tomorrow’s Runner Webinar). There will also be the usual blogging and other activities.

    Just as WLP and ALUI product teams are aligned, these different technologies are aligned. Adrenaline offers WLP customers a way to extend their reach in fundamentally new ways, and Peter will expound on some technical subtleties to address some of Chris’ concerns. Runner, too, is very exciting, enabling a completely different set of use cases. As the details unfold we’ll demonstrate how well aligned these technologies are — just wait until you see them working together!

    – David Meyer

    Posted by: dmeyer on January 10, 2007 at 10:41 PM

  • Just for those that don’t know about Adrenaline, here’s an article introducing Adrenaline.

    Posted by: jonmountjoy on January 11, 2007 at 12:19 PM

  • Chris,

    As David writes, BEA is moving ahead with multiple approaches to address the enterprise mashup space. My webinar covered the approach WLP is taking, and in no way implied that ALUI is not also a viable player in this space. We offer our customers a choice of products, and different products make sense to different customers.

    As for the specific issues you raised:

    ** Technical Reply

    Good technical points, but I think you overemphasized the role of iframes within WLP. Let me cover the two places we showed the use of iframes:

    Use Case 1: injecting a portlet into a legacy webapp

    Demo: An iframe was used in the demo to inject a portlet into a legacy static html page with almost no modification to that page (one line change).

    WLP does support an alternative approach – an Ajax streamed portlet. I simply did not have time to demo it. Also, this is not a portal use case for including external non-portal content into a Portal; instead it is the inverse, which is to publish existing portal content into legacy web applications . It was intended to show a very inexpensive way to energize a dated application until it is rationalized into a portal. The focus here is on minimizing cost of supporting legacy, while building portlets in transit to a portal solution.

    Use Case 2: WLP as a Mashup composition framework

    Demo: Iframes were used to pull in non-WSRP capable components (e.g. Google Gadgets) onto a WLP page

    First, as background info, the WLP architecture supports the rendering of various types of portlets:

    • Local portlets (deployed within the webapp, JSF, JPF, etc)
    • WSRP portlets – an advanced remoting approach which handles security, inter-portlet communication, etc…
    • Iframe portlets – an available remoting approach
    • WLP partners with Kapow for remote clipped portlets (similar to the ALUI approach)

    In regards to this use case, you brought up specific concerns:

    Security

    Concerns about shared authentication were noted in my talk. If components come from outside the enterprise, there is no easy solution to that problem, regardless of what product you are using. However, I spoke of a couple approaches in the webinar, including SAML.

    If those components come from inside the enterprise, the security hacks you were referring to are generally not necessary. Our customers that expect SSO have a web SSO solution (typically, cookie powered, not password in the URL powered) in place within the enterprise.

    Caching/Performance

    The most serious concerns of yours appear to be performance related. Specifically, the concern is that a full page refresh of a page that contains N number of iframes will cause an N+1 number of requests. To expand on your concern, I will add that this is not only seen in pages with iframes, but also pages that use Ajax to pull in data. I would say that there are several reasons why this does not invalidate WLP’s approaches:

    1. Mashup pages with lots of iframe portlets approach

    Google Personalized Home Page makes use of iframes to implement their mashup framework. Many of the Gadgets on the page are rendered with an iframe. But you are mistaken in saying that this scales because Google is throwing tons of hardware at the problem. The iframe Gadgets rendered in GPHP are rendered not by Google, but by 3rd party gadget hosting servers around the world. Google does NOT have to process those iframe Gadget requests, it is a distributed approach. Likewise, you could create a WLP page where most of the portlets are iframe portlets that hit a distributed set of servers, if that makes sense. Or…

    2. Mashup pages with a mixture of portlets

    The 2nd demo in my webinar wasn’t showing a page with all iframe portlets. Rather, what the demo was showing was a WLP page with a couple of iframe portlets mixed in with local portlets. As shown above, WLP supports a number of portlet types, and a good approach is to build pages that are a mixture of that set.

    3. Ajax helps minimize page refreshes

    Your concern about iframe performance stems from the case in which the entire page refreshes. With the usage of Ajax becoming common, plus with WLP 9.2 built in support for auto-generating Ajax portlets, this impact can be minimized. Page refreshes are becoming more rare. With WLP 10.0, which releases in a few months, the Ajax support has been expanded to support Ajax based portal page changes, further reducing the liklihood of a page refresh.

    4. The “Bleeding Edge” guys are also using browser based mashup approaches

    You referred to the “Bleeding Edge” technologists in your blog as the people that are doing things correctly. What are they doing? Some of the time, those guys are doing browser based Mashups. They often use a combination of iframes and Ajax from the browser to implement their mashups. So the same approach that you dislike is already in common use across the web.

    ** Market Reply

    You state “Portals are a thing of the past”. An interesting opinion, but just that. IT cannot afford web sprawl, and so a framework for rationalization will always be in demand whether you call it a Portal or something new.

    New technologies continue to provide alternatives to existing methodologies and portals are no different. However, one thing that has distinguished portal frameworks is their ability to embrace new technologies. Struts, WSRP, JSF are all examples of this as are the Web 2.0 constructs like mashups and rich interfaces based on Ajax. This is all good news as the enterprise has a wealth of options to choose from.

    Posted by: plaird on January 11, 2007 at 2:56 PM

  • I must say, as a customer and developer, it’s great plumtree (I mean BEA, or is it Oracle) management allows you guys to express your own opinions. It so happens I’ve spent quite a bit of time trying to get JBoss Seam (and Ice Faces) to work with Aqualogic 6.1. I’ve been looking at the IFrame route, because the gateway stuff just isn’t working (it doesn’t properly rewrite the URLs for the Ajax stuff). I’ve come to hate the gateway. I bet it was a great idea before Ajax, but now it seems like almost every web 2.0 application is incompatible (needs major modification to get it to work). Or maybe I just don’t understand how to get it to work. Is there any good documentation on it? I’m hoping for some major improvements when 6.5 comes out though.

    Posted by: cmann50 on April 4, 2008 at 2:28 PM

How to Integrate PKI Certs or CAC Cards with ALI

In his 1947 speech to the House of Commons, Winston Churchill quipped, “It has been said that democracy is the worst form of government except all those other forms that have been tried.”

I’m not nearly as pithy as Sir Winston (nor as portly — at least not yet), but yet I feel the same way about passwords being used to protect web sites or other enterprise systems. In many ways, they’re the worst form of security out there except for everything else that’s been tried. Part of this has something to do with what I’ve coined Bucchere’s Axiom of Strong Passwords, which is a derivative of Murphy’s Law (which states that whatever can go wrong will). It goes something like this: the stronger a password is, the easier it is to hack. Why? Because if you force users into using a strong password, they’re more likely to write it down. And writing a password down defeats its purpose entirely.

The bottom line: passwords suck. But they’ve become the de-facto standard because they’re easier and cheaper than everything else we’ve tried, including PKI certs, biometrics (e.g. fingerprints, retina-scans), CAC cards, RSA secure IDs, etc. (Even for a cert-based authentication scheme, you still need a key to generate your cert, which is essentially just a glorified password.)

Just because passwords are the de-facto standard for authentication does not mean that we should quit trying to use other, ostensibly better forms of security, especially if 1) you’re protecting particularly sensitive data, 2) you’re open to the internet and 3) you have the resources (e.g. $$$) to invest in more robust forms of security. And I’m not talking about just buying an SSL cert from Verisign and continuing to have your users write down their passwords on post-it notes attached to their monitors. (Note to self: remove the post it note on your monitor with your password on it when you get back to the office.) I’m talking about using some sort of “soft” cert (e.g. PKI) or “hard” cert (e.g. CAC) to protect your system and your data.

Now if your system is ALI (formerly known as Plumtree Foundation or Plumtree Portal), you’re in luck, because the eggheads at what was once known as Plumtree have made this particularly easy to do. In fact, the hardest part is just getting the user’s identity out of the cert (see below the code snippet for some suggestions). Once you’ve done that, just drop a class into a jar that implements the ISSOProvider interface. (For those of you running on Windows, please don’t ask me to “port” this to C# — just take the Java code, drop it into Visual Studio.NET and then fix the syntax errors.)

But wait, SSO stands for “Single Sign On,” right? And what you’re really doing here is passing credentials from a cert to Plumtree and that has little or nothing to do with SSO. That’s a true statement. The subtlety here is that ISSOProvider, while it contains the letters SSO in its name, can be used for pretty much any form of authentication, whether you are using an SSO product or not.

CertIntegration.java

package com.bdgportal.alui.auth;

import com.plumtree.openfoundation.util.*;
import com.plumtree.openfoundation.web.*;
import com.plumtree.portaluiinfrastructure.sso.*;

public class CertIntegration implements ISSOIntegration {
 
   private XPHashtable settings;
 
   public CertIntegration() {
     ;
   }
 
   public boolean Initialize(XPHashtable settings) {
     this.settings = settings;       
     //String exampleSetting = ((XPArrayList)settings.GetElement("SettingName")).GetElement(0);
   }

   public String GetSSOProductName() {
     return "My Favorite Cert Integration";
   }

   /**
    * Gets the username from the cert and returns it to Plumtree. This will fail if the username
    * does not have a matching account in Plumtree. This can be a Plumtree database user or a user
    * imported from an authentication source, in which case you need to include the auth source
    * prefix in the username, e.g. "MyAuthSource/cbucchere"
    *
    * @param request The wrapped HttpServletRequest from the web container.
    * @return The object passed back to Plumtree for authentication with the portal.
    */
   public SSOLoginInfo GetLoginInfo(IXPRequest request) {
     String userName = ((XPRequest)request).GetUnderlyingObject().getUserPrincipal().getName();
     return new SSOLoginInfo(userName);
   }

   public String[] GetSecureCookies() {
     return null;
   }

   public String[] GetSecureHeaders() {
     return null;
   }

   public boolean OnLogout(IXPResponse response, String returnURI) {
     return false;
   }   
}

The hardest part about all this, as I said above, is getting the user name out of the PLI cert/CAC card/retina scan/etc. In the example above, I made MANY assumptions. First, I assumed that your portal is running on Weblogic, which understands and correctly implements Principal, which is a Java Servlet’s way of knowing who’s using it. Weblogic lets you plug custom implementations of the Principal class into its security infrastructure. All you need to do is extend java.security.Principal and then walk through a bunch of magical configuration steps to enable it.

Speaking of magical configuration, I neglected to mention that there are two small configuration steps that you need to perform in order to get your shiny new ISSOIntegration working in ALI. In portalconfig.xml, you need to set the value of SSOVendor setting to 100 (or greater) and then set the CustomSSOClass to the fully qualified name of the class you wrote that implements ISSOIntegration. For our Java example above, that would be com.bdgportal.alui.auth.CertIntegration and for .NET, it would the the name of your C# class.

Speaking of .NET . . . as many of you know, it is an entirely different animal with its own way of provisioning security to web applications (e.g. System.Web.Security).

Regardless of your platform, you need to get the user name out of whatever authentication method you’re using. Once you’ve accomplished that, just drop the code above into your project and replace the getUserPricipal().getName() with whatever mechanism you can find for getting your users’ names.

Assuming you trust your authentication mechanism to return the appropriate user name, you’ll have users getting logged into the portal via pretty much however you would like — CAC, PKI, biometrics, etc.

If only implementing a democracy were this easy . . . .

Comments

Comments are listed in date ascending order (oldest first)

  • This is wonderful article. How ever I’ve researched for a long time but still can not figure out what to do with Bea Weblogic to use Costom Identify Assertion. I wish this artical to have link to the document of how to “do the magical configuration steps”.

    Posted by: minh.tran on January 9, 2007 at 9:04 AM

  • This article was intended to be application server independent, but if you’re using BEA WebLogic, there’s a great article on how to set up custom identity providers which should work with this ALUI SSO solution.

    Posted by: bucchere on January 10, 2007 at 6:44 PM

  • NOTE: 1. the user’s password in the portal must be empty string. 2. jar should be put in portal.war and lib/java.

    Posted by: luotuoci on April 28, 2007 at 8:31 PM