How to Install Glassfish

Glassfish is a Java Library for creating Java Message Queues. Regular readers may be surprised to know I am also a Java coder since I usually talk about Python and C++, but just as I occasionally speak Italian, I am multilingual. In this case, though, this is all about Java.

Unfortunately, despite what it’s billed to be, Glassfish 5 isn’t as turn-key an application as it appears to be and therefore I wanted to fill in the gaps for would-be message queuers—whatever the word is—who may be struggling.

First, let’s download Glassfish: https://javaee.github.io/glassfish/download

When you check out the readme file, you’ll see the following text:

2. Starting GlassFish
=====================
The 'asadmin' command-line utility is used to control and manage GlassFish (start, stop, configure, deploy applications, etc).

To start GlassFish, just go in the directory where GlassFish is located and type:
        On Unix: glassfish5/glassfish/bin asadmin start-domain
        On Windows: glassfish5\glassfish\bin asadmin start-domain

After a few seconds, GlassFish will be up and ready to accept requests. The default 'domain1' domain is configured to listen on port 8080. In your browser, go to http://localhost:8080 to see the default landing page.

To manage GlassFish, just go to web administration console: http://localhost:4848

The GlassFish README.txt file.

That’s all well and good, but, if you’ve never used Glassfish before, when you follow those steps, you’ll see the following cryptic error:

Exception in thread "main" java.lang.NullPointerException: Cannot invoke "org.glassfish.hk2.api.DynamicConfigurationService.createDynamicConfiguration()" because "dcs" is null
      at com.sun.enterprise.module.common_impl.AbstractModulesRegistryImpl.initializeServiceLocator(AbstractModulesRegistryImpl.java:152)
      at com.sun.enterprise.module.common_impl.AbstractModulesRegistryImpl.newServiceLocator(AbstractModulesRegistryImpl.java:144)
      at com.sun.enterprise.module.common_impl.AbstractModulesRegistryImpl.createServiceLocator(AbstractModulesRegistryImpl.java:218)
      at com.sun.enterprise.module.common_impl.AbstractModulesRegistryImpl.createServiceLocator(AbstractModulesRegistryImpl.java:224)
      at com.sun.enterprise.module.single.StaticModulesRegistry.createServiceLocator(StaticModulesRegistry.java:88)
      at com.sun.enterprise.admin.cli.CLIContainer.getServiceLocator(CLIContainer.java:217)
      at com.sun.enterprise.admin.cli.CLIContainer.getLocalCommand(CLIContainer.java:255)
      at com.sun.enterprise.admin.cli.CLICommand.getCommand(CLICommand.java:231)
      at com.sun.enterprise.admin.cli.AdminMain.executeCommand(AdminMain.java:371)
      at com.sun.enterprise.admin.cli.AdminMain.doMain(AdminMain.java:306)
      at org.glassfish.admin.cli.AsadminMain.main(AsadminMain.java:57)

$ glassfish5/glassfish/bin/asadmin start-domain

Clearly, Glassfish is not a turn-key installation.

From here, it was up to me. Google was no help. "dcs" is null as a search term was too generic and including the full, topmost error only gave a page with sample Java code, not how to actually start the server.

To the best of my ability, I believe the error is related to the DynamicConfigurationService object—that’s what dcs stands for.

Looking through the QuickStart document I thought maybe it’s because I didn’t install to my home directory, ~, but moving it there produced the same results.

The next thing to try is to downgrade to Java 8. I’m not fond of Java 8 as it was one of the last Java versions to be 32-bit—which is incompatible with MacOS Catalina—but fortunately, Oracle provides a 64-bit, Catalina-compatible version.

Once Java 8 was installed, I just needed to tell my terminal to use that version instead of the default one. First, I needed to get the location for Java 8 in the list of installed Java VMs:

$ /usr/libexec/java_home -V
Matching Java Virtual Machines (3):
    15, x86_64:         "OpenJDK 15" /Users/username/Library/Java/JavaVirtualMachines/openjdk-15/Contents/Home
    13.0.4, x86_64:     "Zulu 13.33.25" /Users/username/Library/Java/JavaVirtualMachines/azul-13.0.4/Contents/Home
    1.8.0_261, x86_64:  "Java SE 8" /Library/Java/JavaVirtualMachines/jdk1.8.0_261.jdk/Contents/Home

/Users/username/Library/Java/JavaVirtualMachines/openjdk-15/Contents/Home
$

What Java VMs are available?

Finally, I had to set the local Terminal to use the Java 8 VM:

$ export JAVA_HOME=`/usr/libexec/java_home -v 1.8.0_261`
$

Set the Java VM to Java 8.

Success!

$ glassfish5/glassfish/bin/asadmin start-domain
Waiting for domain1 to start ......
Successfully started the domain : domain1
domain  Location: /Users/username/glassfish5/glassfish/domains/domain1
Log File: /Users/username/glassfish5/glassfish/domains/domain1/logs/server.log
Admin Port: 4848
Command start-domain executed successfully.
$

Starting Glassfish!

I hope that helps and I am so happy with my new job!

Microsoft Teams is not quite the Team Player we thought

The folks at CyberArk uncovered a new vulnerability in Microsoft Teams. In Beware of the GIF: Account Takeover Vulnerability in Microsoft Teams, they investigate a serious security hole in Teams that could threaten your organization and provide access to confidential information. Fortunately, Microsoft has, in theory, patched this vulnerability thanks to locking down any vulnerable Microsoft Teams servers.

This is a startling development considering how I’ve had to defend Zoom with respect to its long-ago patched UNC Path vulnerability. Now, we find out that by intercepting the traffic during the sending of images like a GIF, an attacker can subvert a computer’s security, intercept a victim’s access tokens, and impersonate the victim to begin a social engineering attack.

The basic process is the attacker can use Fiddler to intercept a benign image being transmitted. Since the image is transmitted via its URI, the attacker can modify the packet that transmits the benign URI and change the source domain to come from a compromised Microsoft Teams server.

Next, the attacker needs to intercept traffic to the compromised Microsoft Teams servers. Once the victim loads the image in his Teams viewer, the victim’s computer transmits his authentication tokens to the compromised server and thus the attacker has the user’s credentials.

The main solution is to lock down any vulnerable servers in the Microsoft Teams subnet. However, it is interesting that Teams uses a REST API with JWT. This is a very common authentication method and one used by OAuth Authentication. I have developed a number of software components that use JWT from OAuth and use those tokens to make connections to various web services I typically use, like Meetup and Google Drive.

Microsoft Teams uses two JWTs. First, the user gets an authentication token, and with that, the user can get the session token called skypetoken_asm. Both tokens are required by the Microsoft REST API to communicate with the server. The interesting thing, though, is that the second token is called Skype Token. A few years ago Microsoft bought Skype. At the time, people speculated why and of course with Microsoft Teams, I thought it might be to leverage Microsoft with its own video conferencing platform. The question was, was Microsoft Teams based on Skype? It looks like at least in part, the answer is yes.

Below, you can watch a video of how this attack might actually work.

Beware of the GIF: Account Takeover Vulnerability in Microsoft Teams | CyberArk

So, be careful what video conferencing system you use. Clearly, Zoom isn’t perfect, but neither is Microsoft, and neither is Google likely to be. There is no reason to pick on any of them. All three are working hard to patch vulnerabilities as soon as they’re found. Just try to keep your software up to date. And that’s my latest deep dive into Video Conferencing security. If you like what you’ve read, I’m available and eager for hire.

You can have any star you want, as long as it is gold

One huge flaw with Google’s iPhone app for Gmail is that it doesn’t support multiple star types. You are only allowed a gold star, while with the computer-based web interface, you can have many different colour stars, warning, and other alerts.

This is a huge oversight in the GMail app, compounded by the fact that applications like Safari, which allow the user to simulate desktop browsing, crash when you activate the standard web interface and try to select a star colour other than gold.

It used to be you could just open up a desktop browser session to manually set the star level but now even that doesn’t work and still the app can’t handle it.

Stars are a very useful aspect to GMail. With stars you can denote more than just that an email is important, but why it is important. For instance, I like to use the blue stars for coupons. I don’t want to mix coupons in with stars to indicate a SpamGourmet email address is about to expire.

This, in my opinion, is a major flaw in the Apple iOS GMail app and I hope someday they add an option to modify star type because I had to spend two hours today unable to get my coveted blue star and ended up having to get out of bed and go to the computer just for this very simple action.

As a software, I know they could do better. As a software engineer, I may just end up doing better. Thanks to the Python interface to Google, I likely will do better.

So unless they want to hire me, bugger you, Google!

I Am Irate

Google ate me email

From about 2020-03-23T14:30:00Z (10:30 am, Monday) to about 2020-03-23T23:30:00Z (7:30 pm, Monday), Google was redirecting all my email and either bouncing it or deleting it.

I Am Irate
Too angry for words!

Let me repeat, Google deleted or bounced my email for Nine Hours, as a part of the setup for a paid Google Apps account. The setup for these accounts is a bit weird. They require you to create a new Google entity with your own company URL. Fortunately, I have multiple domains I own and maintain, including this one, TimeHorse.com.

I probably should have used my writing group domain, RestonWriters.org. After all, the whole reason I wanted to get a paid Google account is because Meetup was moving to Online-Only meetings, following the outbreak of SARS-CoV-2, and I needed a tool that allowed for video conferencing.

Skype was a non-starter. For one thing, it’s great for person-to-person communications, but for group chats, it has this annoying habit of muting everyone except the current speaker and you have to wait until that speaker stops to get a word in edgewise. My understanding is WhatsApp has the same problem.

Meetup actually suggested using Google Hangouts or Zoom. I happen to like Zoom. I use it for my regular NPVIC Grassroots strategy meetings and for Toastmasters and it’s always worked great. Zoom does support up to a hundred participants, both free and Pro. The only problem is, each of those Zoom sessions is either limited to the free forty-minute block or is using an up-to-24-hour Zoom Pro Account. Since most of my Meetups are at least an hour, breaking meetings up into forty-minute chunks would be tedious. And, at $14.99 a month, the professional account is well out of my price range.

Just before the first week of Virtual meetings began, my writing colleagues and I, including Elizabeth Hayes, who runs The Hourlings, tested both free Zoom and Google Hangout. Despite being limited to ten people, we decided on Google Hangout and I mapped it to our official Virtual Meeting URL.

Ten people worked fine for Reston Writers and for the Saturday Morning Review. The Saturday Morning Review actually worked out quite well because Meetup, despite suggesting we move to a virtual platform, still won’t let you delete the venue from your event and mark it as virtual, which, when editing events can cause some confusion. But when the Library cancelled all our events, I just deleted them all from the Meetup Calendar, and recreated them with no Venue and just announced them as occurring in Cyberspace.

Stay with me folks, I’m getting to the email…

As Sunday approached, I knew ten participants wouldn’t be enough. Google Hangout would be fine for Bewie Bevy of Brainy Books and Saturday Morning Review, and likely The Science Book Club, as they all usually have fewer than ten participants for each meeting. The Hourlings, on the other hand, often had twelve, and sometimes as many as sixteen!

I knew Zoom was $14.99 a month, but I read that Google App accounts could up the number of participants to twenty-five. Unfortunately my 2TB Google Drive account didn’t qualify. I had to get a Google Apps account.

And that’s where my troubles began.

At first, I could only sign up for the $12 per month account, even though I’d read it could be had for $6. Since the setup has a fortnight trial period, I didn’t worry about the financial discrepancy. I set up the account with my business email address for TimeHorse, LLC. I associated it with that email, it connected to my Gandi Registrar, and my account was ready to go. I created a Google Hangout and assigned it to the Virtual Meeting URL, hoping it would allow twenty-five. The plan was to use it with the Hourlings to verify that fact.

It failed! We still could only get ten people into the meetup despite it being a paid account.

Unfortunately, since Monday I’ve been on Weather and Safety Leave from work because my Telework agreement was revoked, but that’s a story for another day as this post is long as it is! However, it did allow me to speak to Google and they suggested I try Google Meet. Meet was included with all Google App paid accounts, and it would allow for up to a hundred people and could be as long as I needed. Also, I could downgrade to the $6 per month account and I would still be able to use it. I thus downgraded.

We tried it with Reston Writers Review and it worked wonderfully. We had up to twelve connections simultaneously! But I’m getting ahead of myself.

At around 10:30 am, that Monday, after chatting with Google, I was examining my Google Apps account more closely. It was telling me I had one last step I needed to complete: integrate me email with Gmail.

Stop
Stop, do not pass Go. You’re done!

That’s when my troubles began. You see, what this innocuous, turn-key step says it does is set up GMail for your company. What it actually does is obliterate all the MX Records (email routing information) of your DNS (Internet routing information) Zone File (routing configuration file) on Gandi and replace them with MX Records that point to Google. The setup wizard doesn’t actually tell you this and I’m totally oblivious.

At current writing, I have 188 forwarded email addresses set up on Gandi with their MX Servers. One of those is my business email, the one Google took over and is my Google Apps login. That’s the email Google set up as the official email address used in GMail. Once the GMail setup goes through, I send an email from the GMail interface to my personal email address on the timehorse.com domain.

It never arrives. All day long, I watch my email and, strangely, nothing arrives after 10:30 in the morning. I refresh and refresh, and it’s still nothing. Where have all my emails gone?

It’s not until I’m setting up for Reston Writers that I decide to contact Google about this. I’m crazy-busy setting up the Google Meet, opening up the pieces we’d be reviewing on my computer, and, simultaneously, chatting with Google, trying to figure out why I’m not receiving any email.

Eventually, Google Tech Support starts talking about MX Records and a chill runs down my spine. As you probably gathered by now, I am well versed in DNS records and Zone File manipulation. I even have a Python script which updates my DNS A Record when the IP Address for this server changes.

With trepidation, I logged into my Gandi account and saw the damage. Google had modified my Zone file and added a bunch of strange new MX Records pointing to Google. They had nuked all my Gandi Email forwards since they’d redirected all email traffic to Google. As Google only had one account registered on the domain, timehorse.com, namely my business email address, every other email address I possessed was either being deleted or bounced by Google!

Fortunately, Gandi’s Email Forwarding page provides a warning when the Zone file doesn’t point to their email server, listing the correct MX Record settings to use Gandi as the mail hosting server. I quickly commented out the Google MX Records and pasted in the Gandi MX Records around 7:30 pm, in the middle of my Reston Writers meeting.
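A check that would flag this kind of MX replacement, as an added example that is not from the original post: it parses zone-file text, ignores commented-out records, and compares the active MX set with a recorded baseline. The hostnames, zone contents and function names are constructed placeholders, not the real Gandi or Google records.

```python
import re

# Constructed zone text with placeholder hostnames (not real provider records).
# State after the setup wizard ran: only the new provider's MX records remain.
ZONE_AFTER_WIZARD = """\
@    10800 IN A     192.0.2.10
@    10800 IN MX 1  mx-a.newprovider.example.
@    10800 IN MX 5  mx-b.newprovider.example.
www  10800 IN CNAME @
"""

# State after the manual fix: new records commented out, baseline pasted back.
ZONE_RESTORED = """\
@    10800 IN A     192.0.2.10
; @  10800 IN MX 1  mx-a.newprovider.example.
; @  10800 IN MX 5  mx-b.newprovider.example.
@    10800 IN MX 10 spool.registrar-mail.example.
@    10800 IN MX 50 FB.registrar-mail.example.
"""

# Baseline recorded while mail forwarding was known to work (assumed values).
EXPECTED_MX = {(10, "spool.registrar-mail.example."),
               (50, "fb.registrar-mail.example.")}

# owner [ttl] [IN] MX priority exchange
MX_LINE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?MX\s+(\d+)\s+(\S+)", re.I)


def parse_mx(zone_text, owner="@"):
    """Return {(priority, exchange)} for owner, skipping ';' comments."""
    records = set()
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drops commented-out records too
        match = MX_LINE.match(line)
        if match and match.group(1) == owner:
            records.add((int(match.group(2)), match.group(3).lower()))
    return records


def check_mx(zone_text, expected=EXPECTED_MX, owner="@"):
    """Compare the zone's MX set with the baseline and classify the result."""
    actual = parse_mx(zone_text, owner)
    missing, unexpected = expected - actual, actual - expected
    expected_hosts = {host for _, host in expected}
    if not missing and not unexpected:
        status = "ok"
    elif not any(host in expected_hosts for _, host in actual):
        status = "rerouted"  # no baseline mail host left: forwards stop working
    else:
        status = "drift"     # partial change: review before mail is affected
    return {"status": status, "missing": sorted(missing),
            "unexpected": sorted(unexpected)}


if __name__ == "__main__":
    for name, zone in (("after wizard", ZONE_AFTER_WIZARD), ("restored", ZONE_RESTORED)):
        print(name, check_mx(zone))
```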

Needless to say, I was miffed that I could not give my full attention to my writers during our weekly writing get-together. But it’s good I finally did figure out the disastrous actions committed by Google after only nine hours, and not a day or more.

I may never know what was contained in those nine hours of lost emails. I suppose there is one blessing, though. I get too much email already and still have dozens of unread messages I’m desperately trying to catch up on. One Covidapolis, novel-length email after another from every business under the sun. STFU companies, you’re all doing the same thing and I don’t like reading the same message again, and again, and again! You have a plan, that’s all I need to know!

Maybe Google was doing me a favor?

In the end, I was able to solve the problem because I got skills and I’m available for hire!