
Blog


    10 questions about information architecture

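    Recently I needed to learn a bit about IA. At first, going by the literal meaning, I felt that IA should match what TIBCO is doing now, namely solving the problem of how to organize information across different systems within an enterprise or even between enterprises. But after consulting some material, I found that current applications of IA seem to be concentrated more on libraries or Web design. This left me a little unhappy.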

     

    The following content is reposted from: http://articles.techrepublic.com.com/5100-22_11-5074224.html

    10 questions about information architecture

    by Guest Contributor | Sep 29, 2003 7:22:00 PM

    Takeaway: Very few people understand exactly what information architects do and why we need them in Web design. CNET Builder.com answers your top 10 questions about IA and information architects: who they are, how they get there, what they do, and why in the Web world.

    By Shel Kimen

    Information architecture. IA. Industry buzzwords? Fancy degrees? Web firms can't hire information architects fast enough, but, while the field has been around and growing for years in software, engineering, and library science, very few people understand exactly what information architects do and why we need them in Web design. And we do need them.

    With today's complex, superfly, dynamically driven database Web sites and networks, information architects have become critical to--if not the cornerstone of--most large Web design projects. Blending the technical and the visual with a keen sense for organizational structures and usability, IA is a multidimensional field that puts place in space. Knowing the demand, CNET Builder.com answers your top 10 questions about IA and information architects: who they are, how they get there, what they do, and why in the Web world.

    1. What is information architecture?
    At its most basic, information architecture is the construction of a structure or the organization of information. In a library, for example, information architecture is a combination of the catalog system and the physical design of the building that holds the books. On the Web, information architecture is a combination of organizing a site's content into categories and creating an interface to support those categories. It stems from traditional architecture, which is made up of architectural programming and architectural planning.

    Traditional architectural programming
    The traditional discipline of architecture, which is the design of buildings and physical space, involves problem-making and problem-solving. It requires a thoughtful analysis (programming) to manifest a thoughtful synthesis (design).

    Architectural programming is an objective approach to understanding the nature of the task so that a specific problem can be identified as something for space planners and designers to solve. The programmer establishes goals, collects and analyzes facts, uncovers and tests concepts, determines needs, and states the problem. The programmer's responsibilities include: client interviews, research and understanding of emerging technologies, reviews of case studies, budget planning, scheduling long-term deadlines, anticipating the future, and formulating functional requirements. The research results in a program document that specifically outlines the limits of the project and any unique problems.

    Traditional architectural planning
    Between the analysis and synthesis stages exists what William Pena, author of Problem Seeking: An Architectural Programming Primer, calls the synthesis gap. In large projects, a space planner manages this gap by taking the program document and defining the space to be designed, aligning the rooms, and assigning priorities to the interior structural elements. The space planner works with both the programmer and the designer to develop a structure that accommodates the function as well as the form. (Although sometimes, depending on the firm, the space planner is also the programmer or designer.)

    In Web design, a person who helps develop programs and also plans is an information architect. The information architect maps the entire structure of the site and organizes the positioning of pages within sections, developing a functional and intuitive plan to get the user from point A to point B on the path of least resistance.

    2. How do information architects fit into a Web team?
    Some Web design firms have highly compartmentalized departments that separate problem finders from problem planners and problem synthesizers, but flexibility is the key to success. Information architects should meet with clients to help define a project's scope, as well as plot the path to meet the objective and work with the designers and technologists to develop engaging and intuitive visual interfaces. It is important for them to be present during all three phases and to get a client's objectives firsthand. Poor secondhand interpretations can be a project's death. It isn't that managers are inept at translating clients' desires, but architects have special architectural questions that a business manager or producer might not be able to intuit.

    It's also important for information architects to work closely with visual designers, helping to maintain the balance between form and function. Design affects architecture as much as architecture affects design. Working in a vacuum of compartmentalized skills isn't good for anyone, and it's definitely not good for the end result. Information architects also bridge architecture with development and work with technologists, database engineers, and HTML coders.

    Most of the larger Web firms, such as Organic, Razorfish, Studio Archetype, and Agency, have established IA departments operating under various names. Some firms base their definitions on software design, while others take a more traditional, physical structure architecture approach. It's impossible to say what works best, because it's relative to the overall environment and work process. In general, it's good to take elements of software design, library science, traditional architecture, and industrial design and sift through for the elements that most apply to Web design and its nuances.

    3. What do architects create for clients?
    If there were a template or system for what information architects need to prepare, no one would need them. While there are certain key deliverables that most projects require, the work is most often determined on a case-by-case basis dependent on scope and function. Presentation is as much about showing information as it is about showing information in a way that is understandable to each client's specific Web knowledge and thought process. Some people prefer paper, while others need to see things clicking and moving in order to make sense of it.

    Some of the basic deliverables include:

    Site Maps: Maps reflect navigation and main content buckets. They are usually constructed to look like flowcharts and show how users navigate from one section to another.

    Content Maps: Detailed maps that show what exists on each page and how content on some pages interacts with content on other pages.

    Page Schematics: Black and white line drawings or block diagrams to hand off to a visual designer. These may, or may not, reflect layout and are used mostly to inform the designer and the client exactly what information, links, content, promotional space, and navigation will be on every page of the site. Schematics also help illustrate priority.

    Text-Based Outlines: Sometimes information architects want to show architecture as indented text outlines and lists.

    Interactive, Semi-Functional Prototyping: In some cases, information architects are responsible for outlining or storyboarding functional prototypes, and in others they actually build prototypes with HTML, Flash, Director, or PowerPoint.

    Anyone who has seen the effects of unplanned projects--Web or otherwise--knows why it is important to have a plan before starting to build. Some clients don't understand the expense--and professional information architects are expensive. Also, due to the complex nature of information architects' work--representing sites with thousands of pages on 11-by-17 pieces of paper and presentation boards, director prototypes, and HTML schematics, for example--clients are sometimes confused and unable to see the value. It's important for any company that builds information architecture into its structure to support that structure by educating clients on its value. It's the responsibility of everyone on the team to help the client understand why every member is there.

    4. How do architects evaluate or design a site?
    First, even before evaluating an existing site for architectural improvements, it's extremely important to find out who's using it, who's building it, and what its goals are. Maybe the hardest part of information architecture is to help identify a focus--a necessary component of intuitive form and function. But after focusing, evaluation is all about anticipated user paths, logical process flows, and determining how to balance efficiency with ease of use. Good, consistent information architecture will help users build relationships and trust with the technology and product. So, a good place to start is to look for the ways sites are, and are not, consistent.

    When designing a new site, it's always best to start with all the pieces, though this is seldom the case. You'll probably be hard-pressed to find a client who didn't change their mind half a dozen times over three phases of project architecture. And architects can change their minds because it is often difficult to predict all the pieces beforehand. It is the responsibility of the design firm and architect to ask the right questions, and it's the client's responsibility to understand what they are trying to build.

    Architecture can and should be an extremely collaborative and iterative process, which evolves somewhat organically within as much structure as can be defined up-front. Anything an IA can do to ask as many questions and get as many answers up-front will ultimately help the process. Architects also need to focus on who will be using the site, strategic and business goals, key usability principles, technical constraints, and future needs.

    5. What kinds of IA problems are difficult to solve?
    The latest Web site trends all point to scaleable, personalized, and customizable portals with dynamic content, which usually involves a mix of onsite content creation and third-party vendors. Integrating the complexity of these requirements into a single user-friendly interface is difficult at best.

    • Scaleable is a polite way to say no one knows exactly what content will be included, so the site needs to be flexible to expand to house unknown amounts and types of information.
    • Personalization requires an intelligent back-end to filter demographic information and track user preferences in order to provide content that is relevant to an individual user.
    • Customization, on the other hand, is what users do to set their own preferences for a site experience. Building interfaces that are modular enough for a user to customize is extremely difficult, and setting a structure so that a user can select what he or she wants is even more difficult.
    • Dynamic Content is another tricky one because it mandates that content will be produced on the fly, based on any number of parameters, including copy length. Since the proliferation of the portal, sites have begun to aggregate content (collect it from other sites), which presents further design and architecture issues: Whose server holds the content? Who is responsible for third-party design and interface? And how are the partner sites affected when third-party providers change their service offerings?

    In addition to these difficulties, there are standard issues, such as understanding--and defining--the target audience, determining how much and what type of information should be on a page, knowing when it's important to lean more toward visual cues (MSNBC) or more toward text (Yahoo), and choosing a content-based or contextual navigation system.

    6. What software do architects use and need?
    Unfortunately, the perfect tool hasn't been invented yet. There seems to be an abundance of tools for software architecture that are suitable, but they aren't necessarily great for presentation. And there are a few Web-specific tools that don't come close to fully demonstrating the complexity of a dynamic, contextualized navigation system.

    However, the word on the street is that Adobe has heard the information architects' cries and is working fast and furious to produce a tool that gives them the best of precision layout and quick drag and drop objects. Until then, other options include Dreamweaver, Photoshop, and Visio, but ultimately it depends on what type of document you are trying to make. A versatile suite of tools is the best way to go for now.

    7. Are there evolving standards for IA?
    Like any discipline, industry standards set the pace, for good or bad, for most mainstream development. Some of the more common standards for information architecture revolve around navigation, transaction processes, and link use.

    Structural Navigation
    Most Web surfers have experienced what designers call the inverse L, which is essentially a navigation system that runs top-level categories--or buckets--horizontally across the top of the screen with secondary and tertiary links listed down the left side. Another standard is a horizontal tabbed metaphor, which has two--sometimes three--layers of links that are stacked. Clicking one of the horizontal links reveals a second row of horizontal links that relate to the clicked item. While it's important to break from these standards, it's also important to note that this is what people have gotten used to, and deviations are sometimes extremely confusing--even if they offer better solutions.

    Financial Transactions
    Transactions that involve the exchange or transference of funds tend to involve at least three steps: submit, verify, and confirmation of order received. The middle step, verify, is usually a page that shows the user what s/he has just submitted. It is a good idea to not allow users to make changes on the verify page but to send them to an edit screen instead. After the edit screen, they will see a new verify screen. Allowing users to make changes on a verify screen increases the margin for error. Removing or mistyping even a single number in a financial transaction is easy to do and potentially disastrous.

    Redundant Links
    It has been proven that people like to click, and when users are confused, they start scanning pages for whatever clickable links they can find. This is why sites such as Amazon.com have so much redundancy. In some cases, there are as many as three different links on one page to a single book or article somewhere else on the site. Some of these links are graphic, some are text, some are mixed into content areas, and others are highlighted on the side. No matter how perfect a site architecture may seem, because we all interpret information in different ways, it is important to be as inclusive as possible and provide as many points of entry into content that will fit on a screen without cluttering it.

    8. How does usability relate to IA?
    Usability testing ranges from observing how users react to color palettes to timing how long it takes someone to find a log out button. Sometimes testing is one-on-one, with a moderator asking an individual tester to go through the process of using a Web site--asking questions along the way about what they like and don't like, what is easy and difficult, and how it could be improved. Other times it consists of 10 to 20 person focus groups that also work with a moderator to determine preferences of target audiences and look at big picture issues, such as color treatment and content needs.

    Some firms employ entirely separate departments for usability, while others look to information architects for this skill. It's a logical connection because IAs are responsible for making it easy to find information and create most products with a focus on user-centered design (thinking of the user first). But even if they aren't usability experts, IAs usually think about usability testing as they are planning the site structure. They keep notes about what might be confusing and design prototypes specifically for user testing in order to isolate issues in navigation, process, and understandability.

    Basic Rules for Usability Test Scripts
    While there are entire books on usability test script writing, the best rule is to keep it simple and straightforward. We try to keep questions as objective as possible. For example, instead of asking, "Was it easy to use this site?" we would ask, "How would you rate using this site?" with check boxes for Very Easy, Easy, Not Easy or Difficult, Difficult, and Very Difficult. Five is a good number for choices, leaving room for a neutral response. It's good to ask questions with one word answers as well as request that testers write out some comments in their own words, as they often suggest ideas and feelings that site creators and project managers never imagined related to their product. A good book to help understand usability testing is Handbook of Usability Testing by Jeffrey Rubin, and some good web sites include:

    IBM Ease of Use Web site--User Centered Design
    An outstanding look at the process and concept of user-centered design. While it won't go very deep, it will give a good overview of the process of design as it applies to human-web interaction.

    Alert Box
    Current Issues in Web Usability, a biweekly column by Dr. Jakob Nielsen, principal, Nielsen Norman Group, covers everything from bandwidth issues to micropayments.

    9. How do I become an information architect?
    The best way to find a job in information architecture is to look at the Web sites of companies that produce work you admire. If the company doesn't have an IA department, it may be developing one, so you could get in early if you contact them.

    If the company already knows that information architects are important to the design process, chances are they are probably on the hunt for qualified people because there are more positions available than people applying. Most large Web design and software design companies hire architects, as do consulting firms, banks, insurance companies, and public relation agencies. Basically, anyone who runs a large Web site, designs large Web sites, or hires people to design large Web sites has the need for an information architect.

    The Skills You Need
    Attention to detail and a strong sense of organization are the most obvious skill requirements for a position in IA. It isn't so important how one organizes information so much as that the organization is consistent. Information architects require strong logic and analytic skills, as well as the ability to ask appropriate questions and communicate effectively to a broad range of people: designers, executives, artists, marketers, producers, and technical staff. Information architects also need to be able to conceptualize the abstract and manufacture the concrete to explain it.

    The Schools
    Carnegie Mellon University has some excellent programs: Communication Planning and Design (CPD) and Information Design (ID) offer master of design degrees, and there's also a master of arts degree with emphasis on writing. Both programs lead to information architecture depending on the way a student structures coursework.

    Similarly, Rensselaer Polytechnic Institute offers a master in communications, a master in interactive arts, and a graduate certificate in human computer interaction with emphases in writing, design, or technology. New York University offers an Interactive Telecommunications Program and has sent dozens of people into information and interface design careers in the last few years. The program has traditional information technology offerings (Introduction to Computational Media and Elements of Visual Language) as well as flexible build-your-own theoretical studies (New Media and Interpersonal Behavior and Information Contours).

    That said, any school that offers strong computer science, design, and writing programs will be able to build a liberal arts program in information architecture. The University of California at Berkeley, the Massachusetts Institute of Technology, University of Illinois, and Stanford University are all great places to start.

    If you want to read more about information architecture, you can try these books:

    10. What is the future of IA in Web design?
    In the immediate future, information architecture will have more room for creativity because more Web sites may stray from a standardized navigation system and a consistent toolbar on every page.

    Looking further into the future and watching the portal trend, information architecture might not only be about architecting individual Web sites, it also will be about architecting massive networks, and even cities. In any case: think big. Information architecture is soon going to be about architecting customizable and personalized views of the entire Internet, along with entirely new business and social models to go with it.

    The world will need a lot more information architects over the next few years.

    Shel Kimen is an information designer for Razorfish, Inc., New York, a strategic digital communications company. She has been online for a very long time and holds a B.A. in human environment and design with emphasis on architectural theory and planning.

    Adding mouse gesture to Google Chrome How-to

    I found these complete and detailed instructions on how to add a mouse gesture feature to your Google Chrome.

    --------------------------------

    It is a simple mouse gesture extension for Google Chrome. This extension is designed to add mouse gesture support to Google Chrome; it is considered beta and a work in progress.

    The information about Gestures extension

    Name: Gestures extension

    Download: ChromeGestures.crx

    File size: 74 KB

    Developer: kryptyx, sevencoloredbox, GuiSim

    Requirement: Google Chrome developer version 3.0.189.0 or above.

    Version 1.0.6w

    Last Build: July 18, 2009

    Screenshot of Gestures extension


    Guidelines: Install Gestures extension for Google Chrome

    1. Download and install the Google Chrome developer version. If you have already installed it, skip this step.
    2. Add --enable-extensions parameter:
      • Right click the Chrome icon in your desktop, then click Properties.
      • Click Shortcut tab.
      • Add --enable-extensions parameter in the Target field:


        Screenshot: Instructions to enable extensions for Chrome

    3. Launch Google Chrome.
    4. Install Gestures extension for Chrome.
    5. Restart Google Chrome.

    Get source code of Gestures extension

    The code license of the Gestures extension is the GNU General Public License v3. You can use the following command to anonymously check out the latest project source code:

    # Non-members may check out a read-only working copy anonymously over HTTP.
    svn checkout http://chromegestures.googlecode.com/svn/trunk/ chromegestures-read-only

    Other resources about Google Chrome Extensions

    1. Google Chrome extensions and plug-ins
    2. Google Chrome Extension: Delicious extension - Add current web page to Delicious bookmark.
    3. Google Chrome Extension: PageRank Status - Check the Google PageRank, based on a Google Chrome extension.
    4. Google Chrome Plugin: PageRank Status Checker - Check the Google PageRank & Alexa Rank, based on a JavaScript bookmarklet.
    5. Google Chrome Extension: Digg This
    6. Google Chrome Plugins: Download YouTube Videos in Google Chrome
    7. Google Chrome extension tutorial for developers
    8. Chromium Developer Documentation: Extensions

    The Java NIO.2 File System in JDK 7

    http://java.sun.com/developer/technicalArticles/javase/nio/

    By Janice J. Heiss and Sharon Zakhour, May 2009

    JSR 203, a major feature of JDK 7 under the leadership of Sun software engineer Alan Bateman as an OpenJDK project, contains three primary elements that offer new input/output (I/O) APIs for the Java platform:

    • An extensive File I/O API system addresses feature requests that developers have sought since the inception of the JDK.
    • A socket channel API addresses multicasting, socket binding associated with channels, and related issues.
    • An asynchronous I/O API enables mapping to I/O facilities, completion ports, and various I/O event port mechanisms to enhance scalability.

    This article provides a basic overview of the first element, the File I/O API. The abbreviation NIO generally refers to new I/O APIs that allow for I/O operations in Java technology. The java.nio, java.nio.channels, and java.nio.charset packages have been in existence since the inclusion of JSR 51 in Java version 1.4.* JSR 203 adds NIO.2 in JDK 7.

    In NIO.2, the file system API is contained in a new package, java.nio.file, with two subpackages. The java.nio.file.attribute subpackage supports bulk access to file attributes, and the service provider interface (SPI) subpackage java.nio.file.spi, an interface for pluggable file system implementations, is designed for advanced developers who wish to create their own provider implementations.
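
    The bulk attribute access described above, as an added example that is not code from the article: it reads a file's attributes in one call without following symbolic links, then flags links and world-writable files. It uses the java.nio.file API as it shipped in JDK 7, which may differ from the 2009 preview the article describes; the class name AttributeAudit and the sample file names are assumptions.

```java
import java.io.IOException;
import java.nio.file.DirectoryStream;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.attribute.BasicFileAttributes;
import java.nio.file.attribute.PosixFileAttributes;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

// Hypothetical class name; an added illustration, not code from the article.
public class AttributeAudit {

    // The POSIX attribute view is optional; ask the default file system for it.
    static final boolean POSIX =
        FileSystems.getDefault().supportedFileAttributeViews().contains("posix");

    /** Returns the findings for one path, built from bulk attribute reads. */
    static List<String> audit(Path p) throws IOException {
        List<String> findings = new ArrayList<>();

        // One call returns type, size and timestamps together. NOFOLLOW_LINKS
        // makes the result describe the link itself rather than its target.
        BasicFileAttributes basic =
            Files.readAttributes(p, BasicFileAttributes.class, LinkOption.NOFOLLOW_LINKS);
        if (basic.isSymbolicLink()) {
            findings.add("symbolic link to " + Files.readSymbolicLink(p));
            return findings;
        }

        if (POSIX) {
            // Owner, group and permission bits also arrive in a single read.
            PosixFileAttributes posix =
                Files.readAttributes(p, PosixFileAttributes.class, LinkOption.NOFOLLOW_LINKS);
            Set<PosixFilePermission> perms = posix.permissions();
            if (perms.contains(PosixFilePermission.OTHERS_WRITE)) {
                findings.add("world-writable " + PosixFilePermissions.toString(perms)
                    + ", owner " + posix.owner().getName());
            }
        }
        return findings;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input: a temp directory with a strict file,
        // a world-writable file, and (on POSIX systems) a symbolic link.
        Path dir = Files.createTempDirectory("nio2-audit");
        Path strict = Files.createFile(dir.resolve("strict.conf"));
        Path loose = Files.createFile(dir.resolve("loose.conf"));
        if (POSIX) {
            Files.setPosixFilePermissions(strict, PosixFilePermissions.fromString("rw-------"));
            Files.setPosixFilePermissions(loose, PosixFilePermissions.fromString("rw-rw-rw-"));
            Files.createSymbolicLink(dir.resolve("link.conf"), strict);
        }

        // DirectoryStream is closeable, so try-with-resources releases the handle.
        try (DirectoryStream<Path> entries = Files.newDirectoryStream(dir)) {
            for (Path entry : entries) {
                List<String> findings = audit(entry);
                System.out.println(entry.getFileName() + ": "
                    + (findings.isEmpty() ? "ok" : findings));
            }
        }
    }
}
```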

    Contents

     

    ……

    Apache Reverse Proxy – mod_proxy

    Apache provides a module, mod_proxy, that lets Apache act as a proxy. Here are some links regarding its configuration.

    http://httpd.apache.org/docs/1.3/mod/mod_proxy.html

    http://httpd.apache.org/docs/2.2/mod/mod_proxy.html

    http://www.apachetutor.org/admin/reverseproxies

    TIBCO Interview Questions

    While looking for information regarding BusinessEvents, I found this web page with a list of TIBCO interview FAQs. As a developer at TIBCO, I found this a little funny. I guess some of them are so easy and will not affect the development process if you do not know the answer. I went through the whole list; the questions mainly focus on BW and workflow development. Most of them are easy to answer for a developer who has experience with BW.

    ------------------

    1. What are the modes of TIBCO BW installations?

    • GUI mode
    • Console mode
    • Silent mode

    2. If you have installed a particular version of TIBCO software, e.g. TIBCO BW X.Y.Z, what do the X, Y and Z numbers stand for?

    Integration can be at different application layers:

    • X: Patch
    • Y: Major
    • Z: Minor

    3. What is the role of TRA?

    TRA stands for TIBCO Runtime Agent.
    The TRA has two main functions:

    • Supplies an agent that is running in the background on each machine.
      1. The agent is responsible for starting and stopping processes that run on a machine according to the deployment information.
      2. The agent monitors the machine. That information is then visible via TIBCO Administrator.
    • Supplies the run-time environment, that is, all shared libraries including third-party libraries.

    4. What are the resources that get included in the EAR file created by TIBCO Designer?

    An EAR file can contain local project resources, LibraryBuilder resources, and files as specified in AliasLibrary resources. In addition, the TIBCO Designer classpath may include references to other files that are included in the EAR file.

    TIBCO EAR file

    5. What are the revision control system options available in TIBCO Designer?

    • File sharing
    • VSS
    • Perforce
    • XML Canon
    • ClearCase
    • iPlanet
    • CVS
    • PVCS

    6. What are the different modes of service invocation?

    Services can be invoked in several ways.

    • A one-way operation is executed once and does not wait for a response.
    • A request-response operation is executed once and waits for one response. In a request-response service, communication flows in both directions. The complete interaction consists of two point-to-point messages—a request and a response. The interaction is only considered complete after the response has arrived.
    • Publication (notification) means an operation sends information on an as-needed basis, potentially multiple times.
    • Subscription means incoming information is processed on an as-needed basis, potentially multiple times.

    7. What is vcrepo.dat?

    TIBCO Designer creates a file named vcrepo.dat in the project root directory when you first save the project. This file is used to store properties such as display name, TIBCO Rendezvous encoding, and description. This file can be used for identification in place of the project root directory and can be used as the repository locator string (repoUrl).

    8. What are the TIBCO BW activities that can participate in transactions?

    Not all TIBCO BusinessWorks activities can participate in a transaction. Only the following types of activities have transactional capabilities:

    • JDBC activities
    • JMS activities
    • ActiveEnterprise Adapter activities that use JMS transports
    • EJB activities
    • TIBCO iProcess BusinessWorks Connector activities

    9. What are the different types of transactions TIBCO provides?

    TIBCO BusinessWorks offers a variety of types of transactions that can be used in different situations. You can use the type of transaction that suits the needs of your integration project. When you create a transaction group, you must specify the type of transaction. TIBCO BusinessWorks supports the following types of transactions:

    • JDBC
    • Java Transaction API (JTA) UserTransaction
    • XA Transaction

    10. What activities are supported in a JTA transaction?

    The Java Transaction API (JTA) UserTransaction type allows:

    • JDBC
    • JMS
    • ActiveEnterprise Adapter (using JMS transports)
    • EJB activities

    to participate in transactions.

    11. What activities are supported in an XA transaction?

    The XA Transaction type allows:

    • JDBC activities
    • ActiveEnterprise Adapter activities that use the JMS transport
    • JMS activities

    to participate in transactions.
    Note: For JMS activities and ActiveEnterprise Adapter activities, request/reply operations cannot participate in an XA transaction. Also, EJB activities cannot participate in an XA Transaction group.

    12. What are the possible error outputs of the Read File activity?

    Integration can be at different application layers:

    • FileNotFoundException: Thrown when the file does not exist.
    • UnsupportedEncodingException: Thrown when the text file’s encoding is not valid and the content of the file is read into process data.
    • FileIOException: Thrown when an I/O exception occurred when trying to read the file.

    13. What is the purpose of the Inspector activity?

    The Inspector activity is used to write the output of any or all activities and process variables to a file and/or stdout. This is particularly useful when debugging process definitions and you wish to see the entire schema instead of mapping specific elements to the Write File activity.

    14. What are the maximum/minimum numbers of threads available for incoming HTTP?

    The maximum/minimum number of threads available for incoming HTTP: 75/10

    15. How can unauthorized users be prevented from triggering a process?

    Unauthorized users can be prevented from triggering a process by giving 'write' access for the process engine to only selected users. Only users with 'write' access can perform activities such as deploying applications and starting or stopping process engines.

    16.What are the mandatory configuration parameters for FTP Connection & FTP with firewall ?

    The mandatory configuration parameters for FTP Connection

    • FTP host
    • Port
    • Username & Password

    If Firewall is enabled, the proxy host and port are required in addition.

    17.How to design a process such that, depending on the number of records updated in a database, 3 different sub-processes may be called ?

    Define 3 transitions from the JDBC update activity, each with a condition on the number of updates, and call the appropriate child processes.

    18.How to use legacy .dat file format with latest designer ?

    Convert the .dat file to a multi-file project using the Administration tab shown while starting up Designer (the other one being the Project tab), and then open the multi-file project in the normal way.

    19.What are the encodings supported by designer ?

    Encodings supported by designer are

    • ISO8859-1(Latin-1)
    • UTF-8

    20.What are the 4 main panels of the Designer window ?

    The 4 main panels of the Designer window are

    • Project panel
    • Palette panel
    • Design panel
    • Configuration panel

    21.How do you determine if there are broken references in the project?

    Project -> Validate for deployment

    22.Where are the Designer preferences stored ?

    Designer preferences are stored in a file called 'Designer <ver>.prefs' in the user home directory.

    23.Explain the process configuration parameters - Max Jobs, Flow Limit & Activation Limit ?

    • Max Jobs :

      Max Jobs specifies the number of process instances that are kept in memory. Once this limit is reached, newly created process instances (subject to flow limit) are paged out to disk. 0 specifies no limit and is the default.

    • Flow Limit :

      Flow Limit specifies the maximum number of running process instances that are spawned before the process starter is suspended, i.e. it enters a FLOW_CONTROLLED state and does not accept new events. This can be used to control the number of process instances running simultaneously, and is suitable when the protocol generating the event can store the event until it is received, as with email servers, JMS, RV etc. 0 specifies no limit and is the default.

    • Activation Limit :

      The Activation Limit flag specifies that once a process instance is loaded it must be kept in memory till it completes execution. By default it is enabled.

    24.What are the options for configuring storage for process engine's checkpoint repository ?

    The options for configuring storage for process engine's checkpoint repository are:

    • Local File
    • Database. Fault tolerant engines can recover from a checkpoint only when database is used.

    25.Process engines in a fault tolerant group can be configured as peers or master secondary. How do these differ ?

    They differ as follows:

    • Peer means all of them have the same weight. In this case when one engine fails another one takes over and continues processing till it fails.
    • In master secondary configuration weights are unequal, the secondary starts processing when master fails. But when master recovers, secondary stops and master continues processing.

    26.What are the uses of grouping activities ?

    Uses of grouping activities are:

    • Create a set of activities having a common error transition.
    • Repeat group of activities based on a condition.
      1. Iterate over a list.
      2. Repeat until condition true.
      3. Repeat on Error until condition true.
    • Group activities into a transaction.
    • To create a critical section area that synchronizes process instances.
    • A 'Pick First Group' allows you to wait for the occurrence of multiple events and proceed along a path following the first event to occur.

    27.What is the purpose of a Lock shared configuration resource?

    A Lock is specified for a 'Critical Section' group when the scope is 'Multiple'. It can be used to ensure synchronization across process instances belonging to multiple process definitions, or for process instances across engines (check the multi engine flag for the lock in this case; the BW engine needs to be configured with database persistence at deployment). If synchronization is for process instances belonging to the same process definition inside one engine, just specify the scope as 'Single'.

    28.How to control the sequence of execution of process instances created by a process starter ?

    Use the sequencing key field in the Misc tab of any process starter. Process instances with the same value for this field are executed in the sequence in which they are started.

    29.Can there be two error transitions out of an activity ?

    No. There can be only one Error and one Success if no matching condition transition out of each activity.

    30.When is a 'No Action' group used ?

    A 'No Action' group is used to give a set of activities a common error transition.

    31.What activity can be used to set the value of a 'User defined process variable' ?

    The 'Assign' activity can be used to set the value of a 'User defined process variable'.

    32.Which are the two process variables available to all activities with inputs ?

    • $_globalVariables
    • $_processContext

    33.Which mechanism can be used to pass data between a process instance and a called sub process other than mapping from/to the callee's input/output ?

    This can be accomplished using job shared variables, unless the 'Spawn' flag is enabled in the call process activity, in which case the called sub process is a new job and hence gets a fresh copy of the job shared variable, initialized as per its configuration. A shared variable can overcome this limitation as its scope is not limited to one job.

    34.What are the three scenarios where BW engine has to be configured with database persistence instead of Local File ?

    The three scenarios are:

    • Shared Variables across BW engines.
    • Locking across groups in multiple BW engines.
    • Wait Notify across BW engines.

    35.If you want a group to be executed if there is some unhandled error but subject to some max number of iterations which group do you use ?

    We can use Repeat on Error until true

    36.When is a 'Generate Error' activity useful?

    When you handle an error inside a called subprocess or group and want to rethrow the error to the caller (this happens by default if you don't handle the error in the called process).

    37.Which activity is used for detecting duplicate message processing?

    CheckPoint activity - Specify the unique ID in the duplicate key field and the engine maintains a list of these keys. When a process reaches a checkpoint activity with a duplicate key value that already exists, it throws a DuplicateException. An error transition can then handle this case.

    38.Give an example where graceful migration of service from one machine to another is not possible.

    HTTP Receiver. In this case the receiver on new machine starts listening on the same port, but you need to redirect requests from the old machine to the new one.

    39.What are the types of adapter services ?

    Types of adapter services are :

    • Subscriber Service
    • Publisher Service
    • Request-Response Service
    • Request-Response Invocation Service

    40.If the business process needs to invoke another web service which resource do you use ?

    SOAP request reply activity. If the business process needs to be exposed as SOAP service use SOAP Event Source in conjunction with SOAP Send Reply or SOAP Send Fault.

    41.What is the functionality of the Retrieve Resources resource?

    It can be used to serve the wsdl file of a SOAP Event Source to a (http) client.
    Construct a process like: HTTP Receiver -> Retrieve Resources -> Send HTTP Response
    Now the WSDL file for a SOAP service can be retrieved using the http request
    http://<host>:<port>/<path>/<resourceName>?wsdl
    where 'path' is the folder path to the SOAP Event Source process and 'resourceName' is the name of the process
    Example : http://purch:8877/Purchasing/GetPurchaseOrder?wsdl

    42.What is the scope of user defined process variables ?

    The scope of a user defined process variable is only the process in which it is defined (not even a sub process that is invoked from this process).

    43.What is difference between shared variable and job shared variable ?

    • Both of them can be manipulated via the palette resources 'Get shared variable' and 'Set shared variable'.

    • A job shared variable is private to one instance of job or in other words each job has a fresh copy. In the case of shared variable the same copy is shared across all job instances. It can even be persisted and can survive BW engine restarts and even shared across multiple BW engines(when deployed using DB persistence).

    44.How do wait-notify resources work ?

    Basically wait and notify should share a common notification configuration, which is just a schema definition for the data that will be passed from notifier to waiter. Specific instances of waiter and notifier are correlated via a key.

    For example: when one process is in wait state for key 'Order-1', it waits till another process issues a notification with the same key value.

    45.What is the default Axis in XPath ?

    Child axis- What this means is that when you select "BOOK" from the current context, it selects a child node with that name, not a sibling with that name. Other axes are parent , self , sibling etc.

    46.What are the output formats for XSLT?

    • XML
    • HTML
    • Text

    47.What does ' Success if no matching condition' transition mean ?

    Let's say that between two nodes N1 and N2 there are 3 success transitions with a condition and no success transition without a condition. If none of the conditions match, then a 'Success if no matching condition' transition can be used. Also, if there is a success transition without a condition as well as success transitions with conditions, and a condition matches, then both the success transition (no condition) and the transition(s) with matching conditions are followed. So you can use 'Success if no matching condition' to prevent duplicate paths of execution.

    48.What is the Purpose of $_error variable ?

    $_error variable is available in the node following the error transition. It captures the error message, error code etc.

    49.What are the cases where a business process can't proceed correctly subsequent to restart from a checkpoint ?

    • Sending an HTTP response, confirming an email/JMS message etc. This is because the confirmation or the HTTP response has to be done in the same session. When the engine crashes these sessions are closed at their socket level. In such cases send the response/confirm before the checkpoint.

    50.Which group do you use to wait for multiple events and proceed with the first to occur ?

    A 'Pick First Group'.

    Applied SSL - Conclusion

    - a so called Client Authentication is just to verify that the leaf cert is issued by an expected CA, which is done by providing the CA’s cert.

    - the verification of the client name, or the CN of the client is not part of this, it should be done manually. At least, this is what TIBCO does for now.

    - OpenSSL is a powerful tool for debugging SSL related issues. It could not only generate and sign private or public keys, certs, it also has tools to test connect an SSL enabled site to pull authenticating information out from the site. I googled OpenSSL official site, then followed the document there to set it up.

    - Java Keytool is another handy tool.

    - the default SSL vendor used by TIBCO is not Java but Entrust. A property setting should be added into the tra file if you want to change the default vendor.

    - the client cert, or the so called leaf cert provided by Salesforce.com, I think it is useless until I implemented the client name validation.
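    The manual client-name check mentioned in the notes above, as an added example (not TIBCO's code and not part of the original post): after the SSL layer has verified the chain, the leaf certificate's subject DN is parsed and its CN compared against an allowlist. The class name, the allowlist entry and the sample DNs are hypothetical, constructed for illustration.

```java
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

public class ClientNameCheck {
    // Hypothetical allowlist of client names this service accepts.
    static final Set<String> ALLOWED_CNS =
            new HashSet<>(Arrays.asList("client.partner.example"));

    /** Extracts the single CN from an RFC 2253 subject DN; null means "reject". */
    static String commonName(String subjectDn) {
        String cn = null;
        try {
            for (Rdn rdn : new LdapName(subjectDn).getRdns()) {
                if (rdn.size() != 1) return null;                     // multi-valued RDN: fail closed
                if (!"CN".equalsIgnoreCase(rdn.getType())) continue;
                if (cn != null) return null;                          // more than one CN: ambiguous
                if (!(rdn.getValue() instanceof String)) return null; // hex-encoded value
                cn = (String) rdn.getValue();
            }
        } catch (InvalidNameException e) {
            return null;                                              // unparsable DN
        }
        return cn;
    }

    /** True only if the DN parses and its one CN is on the allowlist. */
    static boolean isAllowedSubject(String subjectDn) {
        String cn = commonName(subjectDn);
        return cn != null && ALLOWED_CNS.contains(cn.toLowerCase(Locale.ROOT));
    }

    /** Entry point for a leaf certificate whose chain the SSL layer has already verified. */
    static boolean isAllowedClient(X509Certificate leaf) {
        return isAllowedSubject(
                leaf.getSubjectX500Principal().getName(X500Principal.RFC2253));
    }

    /** Substring comparison, shown only to contrast with the parsed check. */
    static boolean naiveMatch(String subjectDn) {
        return subjectDn.contains("CN=client.partner.example");
    }

    public static void main(String[] args) {
        String[] subjects = {   // constructed sample DNs
            "CN=client.partner.example,OU=Integration,O=Partner Inc,C=US",
            "CN=client.partner.example.other.test,O=Someone Else,C=US",
            "CN=unrelated,OU=CN=client.partner.example,O=Someone Else,C=US",
        };
        for (String dn : subjects) {
            System.out.printf("%-65s parsed=%-5b substring=%b%n",
                    dn, isAllowedSubject(dn), naiveMatch(dn));
        }
    }
}
```

    Only the first DN passes the parsed check, while the substring comparison accepts all three, which is why the name has to be compared as a parsed attribute value.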

    BE - Get hands on the giant

    Here is the main site about TIBCO BusinessEvents: http://www.tibco.com/software/complex-event-processing/businessevents/default.jsp

    I need to get my hands on it to see how this giant works. I found it a little surprising that TIBCO claims that the product or the solution has an over 40 percent market share.

    http://www.tibco.com/software/complex-event-processing/businessevents/businessevents.jsp

    Applied SSL – Reference

    After reading these, I found that implementing an app related to SSL, or just encryption, in Java could be easy. Say you want to read some information from a cert: you simply create a file stream to read the file first, then

    http://xwhoyeah.javaeye.com/blog/86377

    http://www.it918.com/htm/jc/jcwygs/Javascript/20040414C152728.shtml (Good!)

    http://topic.csdn.net/t/20041026/18/3493313.html

    http://books.google.com/books?id=eqFZUksRDcMC&printsec=frontcover&dq=java.security (Attention: Limited Preview)

     

    http://java.sun.com/javase/technologies/security/

    http://java.sun.com/j2se/1.5.0/docs/guide/security/index.html

    http://java.sun.com/j2se/1.5.0/docs/guide/security/cert3.html

    http://java.sun.com/j2se/1.5.0/docs/api/java/security/cert/Certificate.html

     

    A Chinese Instruction with code samples:

     

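    A certificate (also called a public-key certificate) is a digital credential obtained by digitally signing some content (such as a public key) with a signature algorithm; it can serve as the intermediary in a trust relationship. By issuing a certificate, the issuing authority tells certificate users or entities the public key and some other auxiliary information. Certificates are widely used in secure e-commerce transactions. The issuing authority is also called a CA (Certificate Authority).

    Applying certificates

    In public-key cryptography applications, the role of a certificate is to guarantee that a public key was published by a trusted authority. Certificates have important applications in protocols such as SSL and the SET electronic transaction protocol. Figure 1 shows the simplest way of applying certificates:

    Figure 1: How certificates are applied

    The steps for applying certificates are:
    (1) A sends its public key PKA to the CA (Certificate Authority);
    (2) The CA uses its own private key and A's public key to generate A's certificate, which contains the CA's digital signature. The signed object includes the content the certificate needs to state, such as A's public key, a timestamp and a serial number. To simplify, assume here that the certificate has only three items: A's public key PKA, the timestamp TIME1 and the serial number IDA. The simple certificate the CA sends to A can then be expressed as: CertA=Eca[TIME1,IDA,PKA];
    (3) B likewise sends its public key PKB to the CA;
    (4) B obtains the certificate CertB issued by the CA;
    (5) A tells B the certificate CertA;
    (6) B tells A the certificate CertB.
    After A and B have each obtained the other's certificate, they use the public key obtained from the CA (in the CA's self-signed certificate) to verify whether the other's certificate is valid. If it is valid, each has obtained the other's public key. With the other party's public key, one can encrypt data and also verify the other party's digital signature.
    For ease of explanation, this article does not use certificates obtained from a CA; instead, the two communicating parties each generate a self-signed certificate. In other words, A and B in Figure 1 do not go through a CA, on the premise that A and B each hold the other's certificate.
    The contents of a certificate and their meaning are shown in Table 1 (using the common X.509 certificate format as the example).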

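    Table 1: Certificate contents and their meaning

    • Version: which version of X.509 this certificate is; currently there are v1, v2 and v3
    • Serial Number: the serial number of the certificate, set by the issuing authority
    • Signature Algorithm Identifier: which signature algorithm the certificate uses
    • Issuer Name: the name of the certificate issuer, i.e. the authority that signed this certificate
    • Validity Period: the time range in which the certificate is valid
    • Subject Name: the name of the owner or entity whose public key was signed by the issuing authority. It uses the X.500 protocol and is a unique identifier on the Internet. For example, CN=Java,OU=Infosec,O=Infosec Lab,C=CN is a subject name.

    The detailed definition of certificates and the various protocols related to their use are not described here; for details see RFC2450, RFC2510, RFC2511, RFC2527, RFC2528, RFC2559, RFC2560, RFC2585, RFC2587 and related documents.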

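    Generating a self-signed certificate

    An individual or organization can apply to a trusted certificate authority for a certificate; for example, a personal certificate can be obtained from http://ca.pku.edu.cn. Here we use keytool, the security tool of the J2SDK, to generate a self-signed certificate by hand. A self-signed certificate is one whose "Subject Name" and "Issuer Name" are the same.

    Let us generate a self-signed certificate. After installing the J2SDK (J2SDK1.4 is used here), there is an executable called keytool in the bin directory of the J2SDK installation. The steps for generating a self-signed certificate with keytool are as follows:
    Step 1: use the -genkey command option to generate a public/private key pair. At the console, enter: keytool -genkey -alias testkeypair -keyalg RSA -keysize 1024 -sigalg MD5withRSA. Here -alias gives the alias of the new keystore entry created for this key pair (the keystore stores and manages key pairs and certificate chains; its default location is a hidden file named .keystore in the user's home directory, although a different path can be specified for the .keystore file); -keyalg is the algorithm used to generate the key pair, here RSA; -keysize defines the key length; -sigalg is the signature algorithm, here MD5withRSA, i.e. signing with RSA and digesting with the MD5 hash algorithm. Next, the system prompts for some input: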

    输入keystore密码:  abc123
    您的名字与姓氏是什么?
      [Unknown]:  Li
    您的组织单位名称是什么?
      [Unknown]:  InfosecLab
    您的组织名称是什么?
      [Unknown]:  InfosecLab Group
    您所在的城市或区域名称是什么?
      [Unknown]:  Beijing
    您所在的州或省份名称是什么?
      [Unknown]:  Beijing
    该单位的两字母国家代码是什么
      [Unknown]:  CN
    CN=Li, OU=InfosecLab, O=InfosecLab Group, L=Beijing, ST=Beijing, C=CN 正确吗?
    [否]:  y
    输入<testkeypair>的主密码 (如果和 keystore 密码相同,按回车):

    Step 2: generate the self-signed certificate by entering the following command:

    keytool -selfcert -alias testkeypair -dname "CN=Li, OU=InfosecLab, O=InfosecLab Group, L=Beijing, ST=Beijing, C=CN"
    输入keystore密码:  abc123

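    Step 3: export the self-signed certificate. The certificate produced by the two steps above is already stored in the keystore entry with the alias "testkeypair". To use it as a file, the certificate must be exported. Enter: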

    keytool -export -rfc -alias testkeypair -file mycert.crt  
    输入keystore密码:  abc123
    保存在文件中的认证 <mycert.crt>

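    This gives a self-signed certificate, mycert.crt. Note that the -rfc option outputs the certificate in the Base64-encoded format defined by RFC1421.

    Reading a certificate

    Java provides a rich API for security applications. The JSSE (Java(TM) Secure Socket Extension) of J2SDK1.4 includes the javax.security.cert package and provides methods for working with certificates. For reading a certificate, however, java.security.cert.CertificateFactory and java.security.cert.X509Certificate are all that is needed. Below is part of the code that reads the certificate contents: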

    import javax.swing.*;
    import java.awt.*;
    import java.awt.event.*;
    import javax.swing.table.*;
    import java.security.cert.CertificateFactory;
    import java.security.cert.X509Certificate;
    import java.io.*;

    public class CARead extends JPanel {
        private String CA_Name;                                  // path of the certificate file
        private String CA_ItemData[][] = new String[9][2];       // rows of field label / value
        private String[] columnNames = {"证书字段标记", "内容"};  // "Certificate field", "Content"

        public CARead(String CertName) {
            CA_Name = CertName;
            /* Three panels are used to display the certificate contents */
            JTabbedPane tabbedPane = new JTabbedPane();
            JPanel panelNormal = new JPanel();
            tabbedPane.addTab("普通信息", panelNormal);           // "General"
            JPanel panelAll = new JPanel();
            panelAll.setLayout(new BorderLayout());
            tabbedPane.addTab("所有信息", panelAll);              // "All information"
            JPanel panelBase64 = new JPanel();
            panelBase64.setLayout(new BorderLayout());
            tabbedPane.addTab("Base64编码信息", panelBase64);     // "Base64-encoded form"
            /* Read the general certificate fields */
            Read_Normal(panelNormal);
            /* Read the string representation of the certificate file */
            Read_Bin(panelAll);
            /* Read the certificate file in its raw Base64-encoded form */
            Read_Raw(panelBase64);
            tabbedPane.setSelectedIndex(0);
            setLayout(new GridLayout(1, 1));
            add(tabbedPane);
        }
        /* Read_Normal(), Read_Bin(), Read_Raw() and main() are defined below
           and omitted here...   */
    }

    The function that reads the certificate information is defined as follows:

    private int Read_Normal(JPanel panel){
        String Field;
        // try-with-resources closes the file even if parsing fails
        try (FileInputStream file_inputstream = new FileInputStream(CA_Name)) {
            CertificateFactory certificate_factory = CertificateFactory.getInstance("X.509");
            X509Certificate x509certificate =
                (X509Certificate) certificate_factory.generateCertificate(file_inputstream);
            Field = x509certificate.getType();
            CA_ItemData[0][0] = "类型";   // "Type"
            CA_ItemData[0][1] = Field;
            Field = Integer.toString(x509certificate.getVersion());
            CA_ItemData[1][0] = "版本";   // "Version"
            CA_ItemData[1][1] = Field;
            Field = x509certificate.getSubjectDN().getName();
            CA_ItemData[2][0] = "标题";   // "Subject" (literally "title")
            CA_ItemData[2][1] = Field;
            /* The remaining fields are read the same way and are omitted here:
            Field=x509certificate.getNotBefore().toString();       start of the validity period
            Field=x509certificate.getNotAfter().toString();        end of the validity period
            Field=x509certificate.getSerialNumber().toString(16);  serial number
            Field=x509certificate.getIssuerDN().getName();         issuer name
            Field=x509certificate.getSigAlgName();                 signature algorithm
            Field=x509certificate.getPublicKey().getAlgorithm();   public key algorithm */
            final JTable table = new JTable(CA_ItemData, columnNames);
            TableColumn tc = table.getColumnModel().getColumn(1);
            tc.setPreferredWidth(600);
            panel.add(table);
        } catch (Exception exception) {
            exception.printStackTrace();
            return -1;
        }
        return 0;
    }

    To read the certificate in string form, add the Read_Bin function below. CertificateFactory.generateCertificate() decodes readable information from the standard certificate encoding (defined by RFC1421). The code of Read_Bin is as follows:

    private int Read_Bin(JPanel panel){
        try (FileInputStream file_inputstream = new FileInputStream(CA_Name);
             DataInputStream data_inputstream = new DataInputStream(file_inputstream)) {
            CertificateFactory certificatefactory = CertificateFactory.getInstance("X.509");
            // Read the whole file into memory so that several certificates can be parsed in turn
            byte[] bytes = new byte[data_inputstream.available()];
            data_inputstream.readFully(bytes);
            ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
            JEditorPane Cert_EditorPane = new JEditorPane();
            while (bais.available() > 0) {
                X509Certificate Cert =
                    (X509Certificate) certificatefactory.generateCertificate(bais);
                Cert_EditorPane.setText(Cert_EditorPane.getText() + Cert.toString());
            }
            Cert_EditorPane.setEnabled(false);   // display only
            JScrollPane edit_scroll = new JScrollPane(Cert_EditorPane);
            panel.add(edit_scroll);
        } catch (Exception exception) {
            exception.printStackTrace();
            return -1;
        }
        return 0;
    }

    To get the certificate in its raw encoded form, the following code can be used:

    private int Read_Raw(JPanel panel){
        try {
            JEditorPane Cert_EditorPane = new JEditorPane();
            StringBuilder CertText = new StringBuilder();
            char[] buf = new char[2000];
            int len;
            // Read the whole file, starting at the first character
            try (FileReader in = new FileReader(new File(CA_Name))) {
                while ((len = in.read(buf, 0, buf.length)) != -1) {
                    CertText.append(buf, 0, len);
                }
            }
            Cert_EditorPane.setText(CertText.toString());
            Cert_EditorPane.setEnabled(false);   // display only
            JScrollPane edit_scroll = new JScrollPane(Cert_EditorPane);
            panel.add(edit_scroll);
        } catch (Exception exception) {
            exception.printStackTrace();
            return -1;
        }
        return 0;
    }

    Finally, use this small program to look at the contents of the certificate mycert.crt generated earlier, by writing the file name into main():

    public static void main(String[] args) {
     JFrame frame = new JFrame("证书阅读器");
     frame.addWindowListener(new WindowAdapter() {
      public void windowClosing(WindowEvent e) {System.exit(0);}
     });
     frame.getContentPane().add(new CARead("mycert.crt"),BorderLayout.CENTER);
     frame.setSize(700, 425);
     frame.setVisible(true);
    }

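    The contents of the certificate mycert.crt are displayed as shown in Figure 2; the "all information" and Base64 views are not listed here.

    Figure 2: Display of the contents of the certificate mycert.crt

    Now that some of the certificate's contents have been read, how is a certificate used? Suppose A and B want to share a top-secret file F, and B trusts and holds A's certificate, which means B has A's public key. A first encrypts file F with an encryption algorithm known to both A and B (a symmetric-key algorithm such as DES), then signs and hash-digests the encrypted F (for example with MD5, to guarantee the integrity of the file), and then sends F to B. After receiving the file, B first verifies the signature with the public key in A's certificate and then decrypts with the shared encryption algorithm to obtain the original file. The digital signature used here guarantees that the file B receives is A's, and A cannot deny ownership of file F, because only A holds the private key whose signatures A's public key can verify. At the same time, encrypting with DES gives the file confidentiality.
    The encryption and decryption functions using DES are similar, and the encryption algorithm is not discussed further here; for details see the JSE part of the J2SDK. The structure of the encrypt-and-sign and decrypt-and-verify files is shown in Figure 3.

    Figure 3: Structure of the encrypt-and-sign and decrypt-and-verify files

    desKeyData in the encryption function holds the DES encryption key. To specify it in the program, it can be set to: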

    static byte[] desKeyData = { (byte)0x01, (byte)0x02, (byte)0x03, (byte)0x04, 
    (byte)0x05, (byte)0x06, (byte)0x07, (byte)0x08 };

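    The encryption function is written as:

    // Needs: import javax.crypto.Cipher; import javax.crypto.SecretKey;
    //        import javax.crypto.SecretKeyFactory; import javax.crypto.spec.DESKeySpec;
    //        import java.io.FileOutputStream; import java.io.IOException;
    public static void crypt(byte[] input, String outFileName){
        try {
            DESKeySpec desKeySpec = new DESKeySpec(desKeyData);
            SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("DES");
            SecretKey secretKey = keyFactory.generateSecret(desKeySpec);
            Cipher cdes = Cipher.getInstance("DES");
            cdes.init(Cipher.ENCRYPT_MODE, secretKey);
            byte[] ct = cdes.doFinal(input);   // ct holds the encrypted bytes
            // try-with-resources closes the output file even if the write fails
            try (FileOutputStream out = new FileOutputStream(outFileName)) {
                out.write(ct);
            } catch (IOException e) {
                e.printStackTrace();
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
    }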

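    Here ct is the encrypted content and outFileName is the name of the file in which the encrypted content is saved. Replacing cdes.init(Cipher.ENCRYPT_MODE, secretKey) with cdes.init(Cipher.DECRYPT_MODE, secretKey) turns the function into file decryption.
    Once the file is encrypted it must be signed, to ensure that the file A sends to B cannot be forged. Below is a function that signs with the private key stored in .keystore; the digest algorithm used for the signature is MD5. sigText is the input array holding the content to be signed, outFileName is the name of the output file in which the signature is saved, KeyPassword is the password used to read the keystore, and KeyStorePath is the path of the .keystore file. The function code is as follows:

    // Needs: import java.security.KeyStore; import java.security.PrivateKey;
    //        import java.security.Signature; import java.io.*;
    // KeystoreAlias is assumed to be a String field of the enclosing class holding
    // the alias of the key entry (the article does not show its declaration).
    public static void sig(byte[] sigText, String outFileName,
                           String KeyPassword, String KeyStorePath){
        try (FileInputStream ksfis = new FileInputStream(KeyStorePath);
             BufferedInputStream ksbufin = new BufferedInputStream(ksfis)) {
            KeyStore ks = KeyStore.getInstance("JKS");
            char[] kpass = KeyPassword.toCharArray();
            ks.load(ksbufin, kpass);
            PrivateKey priv = (PrivateKey) ks.getKey(KeystoreAlias, kpass);
            Signature rsa = Signature.getInstance("MD5withRSA");
            rsa.initSign(priv);
            rsa.update(sigText);
            byte[] sig = rsa.sign();
            System.out.println("sig is done");
            try (FileOutputStream out = new FileOutputStream(outFileName)) {
                out.write(sig);
            } catch (IOException e) {
                e.printStackTrace();
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
    }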

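    Verifying the signature requires the signature file, the signed file and the certificate. updateData holds the content of the signed file, sigedText holds the signature that was obtained, and CertName is the certificate name. The verification code is as follows:

    // Needs: import java.security.PublicKey; import java.security.Signature;
    //        import java.security.cert.CertificateFactory;
    //        import java.security.cert.X509Certificate; import java.io.FileInputStream;
    // CertName is assumed to be a String field of the enclosing class holding
    // the certificate file name (the article does not show its declaration).
    public static void veriSig(byte[] updateData, byte[] sigedText){
        try (FileInputStream fin = new FileInputStream(CertName)) {
            CertificateFactory certificatefactory = CertificateFactory.getInstance("X.509");
            X509Certificate certificate =
                (X509Certificate) certificatefactory.generateCertificate(fin);
            PublicKey pub = certificate.getPublicKey();
            Signature rsa = Signature.getInstance("MD5withRSA");
            rsa.initVerify(pub);
            rsa.update(updateData);
            boolean verifies = rsa.verify(sigedText);
            System.out.println("verified " + verifies);
            if (verifies) {
                System.out.println("Verify is done!");
            } else {
                System.out.println("verify is not successful");
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    You can use keytool to generate two self-signed certificates, or apply to a CA for two certificates, and write the encryption and verification programs in Java. The example above is only a very simple application of certificates; real protocols (such as SSL) use certificates in far more complex ways.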
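    The same encrypt, sign, verify, decrypt flow with current algorithm choices, as an added example that is not code from the article: it substitutes SHA256withRSA for MD5withRSA, a 2048-bit RSA key for the 1024-bit one, and AES-GCM with a random key and nonce for DES with a fixed key. Keys are generated in memory instead of being read from a keystore and certificate, and the class name and sample content are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class EncryptThenSign {
    private static final int IV_LEN = 12;     // 96-bit nonce, the usual size for GCM
    private static final int TAG_BITS = 128;  // length of the GCM authentication tag

    /** Encrypts under the shared key; the result is nonce || ciphertext+tag. */
    static byte[] encrypt(SecretKey key, byte[] plain) throws Exception {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);     // fresh nonce for every message
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plain);
        byte[] out = new byte[IV_LEN + ct.length];
        System.arraycopy(iv, 0, out, 0, IV_LEN);
        System.arraycopy(ct, 0, out, IV_LEN, ct.length);
        return out;
    }

    /** Reverses encrypt(); throws AEADBadTagException if the message was modified. */
    static byte[] decrypt(SecretKey key, byte[] msg) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, msg, 0, IV_LEN));
        return c.doFinal(msg, IV_LEN, msg.length - IV_LEN);
    }

    static byte[] sign(PrivateKey priv, byte[] data) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(priv);
        s.update(data);
        return s.sign();
    }

    static boolean verify(PublicKey pub, byte[] data, byte[] sig) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(pub);
        s.update(data);
        return s.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        // A's key pair; in the article the private key is in the keystore and
        // B takes the public key from A's certificate.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair a = kpg.generateKeyPair();
        // Symmetric key known to both A and B.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey shared = kg.generateKey();

        // A: encrypt F, then sign the encrypted bytes.
        byte[] f = "contents of file F (constructed sample)".getBytes(StandardCharsets.UTF_8);
        byte[] encrypted = encrypt(shared, f);
        byte[] signature = sign(a.getPrivate(), encrypted);

        // B: verify first, decrypt only when the signature holds.
        if (!verify(a.getPublic(), encrypted, signature)) {
            throw new SecurityException("signature check failed");
        }
        byte[] recovered = decrypt(shared, encrypted);
        System.out.println("round trip ok: " + Arrays.equals(f, recovered));

        // One flipped bit in transit is caught by both layers.
        byte[] tampered = encrypted.clone();
        tampered[tampered.length - 1] ^= 0x01;
        System.out.println("tampered copy verifies: "
                + verify(a.getPublic(), tampered, signature));
        try {
            decrypt(shared, tampered);
            System.out.println("tampered copy decrypted");
        } catch (AEADBadTagException e) {
            System.out.println("tampered copy rejected by GCM tag check");
        }
    }
}
```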

    Applied SSL – Some internal attributes for getting SSL info from HTTP message

    I need to read this when I am free.

    The article at least mentions some internal attributes which would be helpful in some situations; they are something you should read from the documentation, not something you could get from bare code.

     

    • javax.servlet.request.cipher_suite : A String representing the cipher suite used by HTTPS, if any
    • javax.servlet.request.key_size : An Integer representing the bit size of the algorithm, if any

     

    Call javax.servlet.http.HttpServletRequest.getAttribute("javax.servlet.request.cipher_suite") at runtime and it will return a String. This means you could get SSL info from an HTTP request message.

     

    Some other attributes defined in tomcat.util.net.SSLSupport:

    [image not preserved]

    Applied SSL - The Most Common Java Keytool Keystore Commands

    from : http://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html

    Java Keytool is a key and certificate management utility. It allows users to manage their own public/private key pairs and certificates. It also allows users to cache certificates. Java Keytool stores the keys and certificates in what is called a keystore. By default the Java keystore is implemented as a file. It protects private keys with a password. A Keytool keystore contains the private key and any certificates necessary to complete a chain of trust and establish the trustworthiness of the primary certificate.

    Each certificate in a Java keystore is associated with a unique alias. When creating a Java keystore you will first create the .jks file that will initially only contain the private key. You will then generate a CSR and have a certificate generated from it. Then you will import the certificate to the keystore including any root certificates. Java Keytool also has several other functions that allow you to view the details of a certificate, list the certificates contained in a keystore, or export a certificate.

    Note: For easier management of your Java Keystores (using a GUI) check out Portecle.

    Below, we have listed the most common Java Keytool keystore commands and their usage:

    Java Keytool Commands for Creating and Importing

    These commands allow you to generate a new Java Keytool keystore file, create a CSR, and import certificates. Any root or intermediate certificates will need to be imported before importing the primary certificate for your domain.

    • Generate a Java keystore and key pair

      keytool -genkey -alias mydomain -keyalg RSA -keystore keystore.jks

    • Generate a certificate signing request (CSR) for an existing Java keystore

      keytool -certreq -alias "mydomain" -keystore keystore.jks -file mydomain.csr

    • Import a root or intermediate CA certificate to an existing Java keystore

      keytool -import -trustcacerts -alias root -file Thawte.crt -keystore keystore.jks

    • Import a signed primary certificate to an existing Java keystore

      keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore keystore.jks

    • Generate a keystore and self-signed certificate

      keytool -genkey -keyalg RSA -alias "selfsigned" -keystore keystore.jks -storepass "password" -validity 360

    Java Keytool Commands for Checking

    If you need to check the information within a certificate, or Java keystore, use these commands.

    • Check a stand-alone certificate

      keytool -printcert -v -file mydomain.crt

    • Check which certificates are in a Java keystore

      keytool -list -v -keystore keystore.jks

    • Check a particular keystore entry using an alias

      keytool -list -v -keystore keystore.jks -alias mydomain

    Other Java Keytool Commands

    • Delete a certificate from a Java Keytool keystore

      keytool -delete -alias "mydomain" -keystore keystore.jks

    • Change a Java keystore password

      keytool -storepasswd -new new_storepass -keystore keystore.jks

    • Export a certificate from a keystore

      keytool -export -alias mydomain -file mydomain.crt -keystore keystore.jks

    • List Trusted CA Certs

      keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts

    • Import New CA into Trusted Certs

      keytool -import -trustcacerts -file /path/to/ca/ca.pem -alias CA_ALIAS -keystore $JAVA_HOME/jre/lib/security/cacerts

    If you need to move a certificate from Java Keytool to Apache or another type of system, check out these instructions for converting a Java Keytool keystore using OpenSSL. For more information, check out the Java Keytool documentation or check out our Tomcat SSL Installation Instructions which use Java Keytool.

    Applied SSL - key and csr generation instructions

    https://www.thawte.com/ssl-digital-certificates/technical-support/keygen/index.html

     

    for Tomcat:

    Key and CSR Generation Instructions

    An Important Note Before You Start:
    By far the most common problem users have when going through this process is related to private keys. If you lose or cannot access a private key, you cannot use the certificate we issue to you and will need to request a free reissue. To ensure this never happens, we advise that a backup of the private key file is made and that a note is made of the password that is used to protect the export of the private key.

    The utility "keytool" that you use to generate the private key (keyEntry) and CSR comes with the Sun JDK toolkit. If you do not have JDK installed please download it from the following link: http://java.sun.com/J2SE/downloads.html

    We recommend that the latest version be used, which is 1.5.0.

    The following sequence of commands will generate a keystore and keyEntry. Tomcat currently supports JKS and PKCS#12 format keystores. The JKS format is Java's standard "Java KeyStore" format, and is the format generated by the keytool command-line utility which is packaged in the JDK kit. The PKCS#12 format is a general format which can be converted using the Openssl toolkit. The following instructions make use of keytool only.

    Note: In the interest of better security and the enablement of greater trust, we have decided that 1024-bit keys will now be the minimum suggested strength to be used in the issuance of thawte digital certificates.

    1. Generate a keystore and keyEntry

    Please type the following command at the prompt:

    keytool -genkey -alias [keyEntry_name] -keyalg RSA -keystore [keystore_name]

    Note: If you do not specify a keystore (-keystore omitted from the command) name, the keystore will be saved to your local profile directory as a .keystore file (i.e C:\Documents and Settings\your name\.keystore)

    When you execute this command you will be prompted for a keystore password. The default password used by Tomcat is "changeit" although you can specify a password of your choice.

    The term "First and last name" is X.509 speak for the name that distinguishes the certificate best, and ties it to your Organization. Enter the exact host and domain name that you wish to secure. Example: If you wish to secure www.mydomain.com, then you will need to enter the exact host (www) and domain name (mydomain.com) in this field. If you enter mydomain.com then the certificate issued to you will only work error free on https://mydomain.com. It will cause a certificate mismatch error when you or your users access the domain via https://www.mydomain.com.

    Enter your country, state or province and locality or city. You should enter the company name as it appears on your official company registration documents. The organization unit is optional; we verify and authenticate the company name and not the organization unit. To skip the organization unit (OU) field please press enter on your keyboard.

    Finally, you will be prompted for the keyEntry password, which is the password which protects the private key. Please specify the same password for the keystore and the keyEntry or else you will receive the following error message when you restart the Tomcat engine: java.security.UnrecoverableKeyException: Cannot recover key

    2. Generate the CSR

    Please type the following command at the prompt:

    keytool -certreq -alias [keyEntry name] -file request.csr -keystore [keystore name]

    The CSR will be saved to your JDK/bin directory. You have now created a public/private key pair. The private key (KeyEntry) is stored inside the keystore in the JDK/bin directory and is used for decryption. The public portion is sent to thawte in the form of a Certificate Signing Request (request.csr), and will be used by your users to encrypt the data they send to your site. The Certificate Signing Request (CSR) looks something like this:

    3. Backup your private key

    Please back up your keystore file and make a note of the password. A good choice is to create a copy of this file on a diskette or other removable media.

    Please backup your private key using the instructions at the following link: http://www.thawte.com/ssl-digital-certificates/technical-support/backup.html

    4. Start the thawte certificate request process

    To submit the CSR for processing you should start the certificate enrollment process at the following link:

    https://www.thawte.com/buy

    Note: If you have a SPKI or Reseller account please submit the CSR through the enrollment process in your account.

    If you encounter any problems or errors when going through these steps, please read our Tomcat FAQs.
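
    Steps 1 and 2 above can be scripted instead of typed at the prompts. The following is an added example, not part of the thawte instructions: it validates the inputs and builds the two keytool command lines without running them. The function names, the KEYSTORE_PASS environment variable, the sample organization and the 2048-bit floor are assumptions of the example (the text's own stated minimum is 1024 bits).

```python
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
MIN_RSA_BITS = 2048  # assumption: today's floor; the text's own stated minimum is 1024


def is_fqdn(host):
    labels = host.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def dname(cn, org, city, state, country):
    """Build the X.500 name that keytool would otherwise prompt for."""
    if not is_fqdn(cn):
        raise ValueError("CN must be the exact host and domain name, got %r" % cn)
    if not re.fullmatch(r"[A-Za-z]{2}", country):
        raise ValueError("country must be a two-letter code")
    parts = [("CN", cn.lower()), ("O", org), ("L", city),
             ("ST", state), ("C", country.upper())]
    # A comma inside a value must be escaped or keytool splits the field.
    return ", ".join("%s=%s" % (k, v.replace(",", "\\,")) for k, v in parts)


def keytool_commands(alias, keystore, subject, bits=MIN_RSA_BITS,
                     pass_env="KEYSTORE_PASS"):
    """Return the argv lists for step 1 (-genkey) and step 2 (-certreq)."""
    if bits < MIN_RSA_BITS:
        raise ValueError("%d-bit RSA is below the %d-bit floor" % (bits, MIN_RSA_BITS))
    # The same environment variable feeds -storepass and -keypass, so the two
    # passwords cannot diverge (the UnrecoverableKeyException case), and the
    # secret stays out of the process list and shell history.
    secret = ["-storepass:env", pass_env, "-keypass:env", pass_env]
    genkey = ["keytool", "-genkey", "-alias", alias, "-keyalg", "RSA",
              "-keysize", str(bits), "-dname", subject,
              "-keystore", keystore] + secret
    certreq = ["keytool", "-certreq", "-alias", alias, "-file", "request.csr",
               "-keystore", keystore] + secret
    return genkey, certreq


def covers(cn, requested_host):
    """Exact-match rule from the text: mydomain.com does not cover www.mydomain.com."""
    return cn.lower().rstrip(".") == requested_host.lower().rstrip(".")


if __name__ == "__main__":
    subject = dname("www.mydomain.com", "Example Widgets, Ltd", "Cape Town", "Western Cape", "ZA")
    for argv in keytool_commands("tomcat", "keystore.jks", subject):
        print(" ".join(argv))
```

    Each returned list can be passed to subprocess.run() once KEYSTORE_PASS is set in the environment.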

    Applied SSL

    We export the root and intermediate cert from the client cert.

    What is an 'Intermediate' certificate?

    An intermediate certificate is the certificate, or certificates, that go between your site (server) certificate and a root certificate.
    The intermediate certificate, or certificates, completes the chain to a root certificate trusted by the browser.
    Using an intermediate certificate means that you must complete an additional step in the installation process to enable your site certificate to be chained to the trusted root, and not show errors in the browser when someone visits your web site.

     

    Root certificate

    In cryptography and computer security, a root certificate is either an unsigned public key certificate or a self-signed certificate that identifies the Root Certificate Authority (CA). A root certificate is part of a public key infrastructure scheme. The most common commercial variety is based on the ITU-T X.509 standard, which normally includes a digital signature from a certificate authority (CA).

    Digital certificates are verified using a chain of trust. The trust anchor for the digital certificate is the Root Certificate Authority (CA).

    A certificate authority can issue multiple certificates in the form of a tree structure. A root certificate is the top-most certificate of the tree, the private key of which is used to "sign" other certificates. All certificates below the root certificate inherit the trustworthiness of the root certificate - a signature by a root certificate is somewhat analogous to "notarizing" an identity in the physical world.

    Many software applications assume these root certificates are trustworthy on the user's behalf. For example, a Web browser uses them to verify identities within SSL/TLS secure connections. However, this implies that the user trusts their browser's publisher, the certificate authorities it trusts, and anyone the certificate authority may have issued a certificate-issuing-certificate, to faithfully verify the identity and intentions of all parties that own the certificates. This (transitive) trust in a root certificate is the usual case and is integral to the X.509 certificate chain model.

    The root certificate is usually made trustworthy by some mechanism other than a certificate, such as by secure physical distribution. For example, some of the most well-known root certificates are distributed in the Internet browsers by their manufacturers.
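
    The chain of trust described above, as an added example that is not part of the quoted texts: it walks issuer names from a site certificate up to an installed root and reports the case where the intermediate certificate was not installed on the server. The certificates are constructed sample data and only names are compared; a real client also verifies each signature, validity period and CA constraint.

```python
# Constructed sample data: only subject and issuer names are modelled.
LEAF = {"subject": "CN=www.mydomain.com", "issuer": "CN=Example Issuing CA"}
INTERMEDIATE = {"subject": "CN=Example Issuing CA", "issuer": "CN=Example Root CA"}
ROOT = {"subject": "CN=Example Root CA", "issuer": "CN=Example Root CA"}  # self-signed


def build_chain(leaf, presented, trust_store, max_depth=8):
    """Follow issuer names from the leaf towards a trust anchor.

    presented   -- certificates the server sends (site certificate, intermediates)
    trust_store -- root certificates already installed in the client
    Returns (chain, status), status being one of 'trusted', 'incomplete',
    'untrusted-root' or 'too-long'.
    """
    by_subject = {cert["subject"]: cert for cert in presented}
    anchors = {cert["subject"]: cert for cert in trust_store}
    chain, current = [leaf], leaf
    for _ in range(max_depth):
        issuer = current["issuer"]
        if issuer in anchors:
            if current["subject"] != issuer:   # do not list the root twice
                chain.append(anchors[issuer])
            return chain, "trusted"
        if issuer == current["subject"]:
            return chain, "untrusted-root"     # self-signed but not installed
        parent = by_subject.get(issuer)
        if parent is None:
            return chain, "incomplete"         # the missing-intermediate case
        chain.append(parent)
        current = parent
    return chain, "too-long"                   # issuer loop or oversized chain


def subjects(chain):
    return [cert["subject"] for cert in chain]


if __name__ == "__main__":
    for sent in ([LEAF, INTERMEDIATE], [LEAF]):
        chain, status = build_chain(LEAF, sent, [ROOT])
        print(status, " -> ".join(subjects(chain)))
```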

     

    Intermediate certificate authorities

    • Two types of Certificate Authorities

    • Intermediate Certificate Authority verification process

    • Intermediate Certificate Authority certificate installation

    • Intermediate Certificate Authorities

     

    An instruction on how to create server and client certificates

    How big is java.util.Calendar? The size is 432 bytes!

    I am working on a project which has high requirements for performance and memory consumption. So I need to take care with the data structures that I create in my program. When doing some research on java.util.Calendar, this lovely class, I ran into this essay. I think I should take care with the use of this heavy buddy.

    The essay Java Tip 130: Do you know your data size? is also a good one.

    ---------------------------

    The size of a java.util.Calendar is 432 bytes

    Calendars are cool. They're one of the few objects (in any language) which I consider to have solved the datetime problem. So many datetime objects require extra work from the programmer for (seemingly) simple queries such as determining whether x occurred before or after a month ago. You typically can't simply add a year/month/date/hour/etc. and you always have to be careful of whether an index value is 0, 1, or -1900 based. Calendar lets you focus on the date operations you are performing rather than devising tricks to get around other people's laziness. You can add just about any date/time quantity, there are static fields for month values, and you can compare two Calendars via the before and after methods.

    But, recently, my love of Calendars took a big hit. This was shortly after I stumbled upon Java Tip 130: Do you know your data size? I was tempted to discount this article due to its age---5.5 years---so much has changed since then in the Java world. But, after running the SizeOf code and discovering that memory consumption for the various basic objects Vladimir Roubtsov tested hadn't changed, I re-read his article carefully and took every word to heart. That an empty String consumes 40 bytes took me by surprise. But, it wasn't until I tested Calendar that I was truly shocked. In the current system I'm working on, I am storing hundreds-of-thousands of objects with Calendars as fields. No wonder they consumed so much memory! Now I understand whence that outlandish consumption came.

    Going forward, I won't stop using Calendars, but I'll be much more careful about my usage of them. No more throwing a Calendar into an object that I'll allocate thousands of times...

    Other useful articles on memory usage:

    Posted by Pussinboots at 5:42 PM

    1 comments:
    Andy Malakov said...

    Aside from size in memory, each Calendar instance is very expensive to initialize (see constructors).

    September 2, 2008 2:38 PM

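    A SQL statement

    I'm so rusty. I haven't used a database in a long time and have forgotten almost everything.

    select t1.ktime, t1.closeprice, t2.ktime, t2.closeprice, (t2.closeprice * 100 / t1.closeprice - 100)
    from tableName t1, tableName t2
    where t1.stockcode='000005' and t1.ktype='1MIN'
    and t2.stockcode='000005' and t2.ktype='1MIN' and t2.ktime = t1.ktime + (1/24/60)

    The statement above uses an Oracle database to perform a calculation of the form CLOSE*100/REF(CLOSE,1)-100 on the data in a table. The close values in the table correspond to time, with one row per minute. Building on this statement, the correctness of the data calculated by the program can be verified in the database as needed.

    It eventually evolved into this: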

    select case indication.linevalue1
           when round((t2.closeprice * 100 / t1.closeprice - 100),2) then 'GOOD'
           else 'BAD' end,
           t2.ktime, indication.linevalue1,
           round((t2.closeprice * 100 / t1.closeprice - 100),2),
           t1.ktime, t1.closeprice, t2.closeprice,
           (t2.closeprice * 100 / t1.closeprice - 100)
    from tableName t1, tableName t2, tableName2 indication
    where t1.stockcode='000005' and t1.ktype='1MIN' and
          t2.stockcode='000005' and t2.ktype='1MIN' and t2.ktime = t1.ktime + (1/24/60) and
          indication.indicationtime = t2.ktime and
          indication.stockcode = '000005' and
          indication.indicationtype = 'ALF' and indication.ktype = '1MIN'
    order by t2.ktime

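    The first column gives a status indication based on the result of the comparison. The feature works, but the approach feels a bit clumsy; if there is a better way, please leave a comment and let me know. Many thanks. Anything more complex would probably need a stored procedure.

    Thanks to Abin for the help.

    Related references:

    Oracle Document Library: http://www.oracle.com/pls/db10g/portal.portal_demo3?selected=5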

    [Video] History of the Internet

     
    History of the Internet from PICOL on Vimeo.

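    ies4linux: Chinese display and input problems

    Reposted from: http://www.cppblog.com/heidaizx/articles/33455.html
    Originally posted at: http://forum.ubuntu.org.cn/viewtopic.php?t=52397&highlight=


    After a whole day of tinkering I finally got it working, and the dialog button and Chinese input problems are solved as well.

    The installation is simple; see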

    http://www.tatanka.com.br/ies4linux/page/Installation:Ubuntu

    After installing, download the YaHei font file and copy it to the directory
    ~/.ies4linux/ie6/drive_c/windows/fonts

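    Now run the IE6 icon on the desktop. In use there are two problems:
    1. Chinese cannot be entered with scim
    2. The text on dialog buttons is garbled

    Solution
    1.
    In the scim settings, uncheck Front End -> Global Setup -> Embed preedit string into client window
    In the scim settings, uncheck Panel -> GTK -> Embedded lookup table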


    http://forum.ubuntu.org.cn/viewtopic.php?t=51420&postdays=0&postorder=asc&start=0

    2.
    Copy a simsun.ttc from Windows and put it in
    ~/.ies4linux/ie6/drive_c/windows/fonts

    Code:

    gedit ~/.ies4linux/ie6/system.reg


    Find these two lines

    Code:

    "MS Sans Serif"="sserife.fon"
    "MS Serif"="serife.fon"


    Replace them with

    Code:

    "MS Sans Serif"="SIMSUN.TTC"
    "MS Serif"="SIMSUN.TTC"


    Also modify
    the following section in it
    Code:

    [Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes] 1144897563
    "MS Shell Dlg"="SimSun"
    "MS Shell Dlg 2"="SimSun"


    Save and exit, and it's done.


    http://forum.ubuntu.org.cn/viewtopic.php?p=283867#283867
    http://forum.ubuntu.org.cn/viewtopic.php?p=283865#283865

    install SopCast on Ubuntu 8.10 and: 'main.cpp:47: error: ‘srand’ was not declared in this scope'

    I followed this instruction to do the installation of SopCast on Ubuntu 8.10.

    When doing the 'make and install' part, I caught this error:
    main.cpp: In function 'int main(int, char**)':
    main.cpp:47: error: 'srand' was not declared in this scope
    make: *** [.obj/main.o] Error 1
    At first, I thought there might be something wrong with gcc, or maybe the standard lib on my Ubuntu was missing. But actually those things had been installed.
    After reading some references, I found the way to solve the problem. That is: open the header.h file in ../qsopcast-0.3.5/src and append '#include <cstdlib>' to the include block of the code.

    Save and go back to build again. It should work now.

    References:
    http://bugs.gentoo.org/181134
    http://sopcast.pxn.ca/viewtopic.php?f=17&t=203
    http://code.google.com/p/qsopcast/downloads/list

    The detailed instruction:

    Installing SOPCAST in Linux Ubuntu 7.10

    Note this will vary on different versions, but this guide is intended for Ubuntu 7.10 Gutsy.

    Adding Repositories


    Run these commands in the terminal:

    gksu gedit /etc/apt/sources.list

    Add this line: "deb http://packages.medibuntu.org/ gutsy free non-free"

    By the way, to add the key for the repository shown above, use:

    wget -q http://packages.medibuntu.org/medibuntu-key.gpg -O- | sudo apt-key add -

    Also, you don't actually need this repository as I've noticed VLC is in the universe one. There's still some good codecs and other software in there though.

    sudo apt-get update

    sudo apt-get install qt3-apps-dev vlc build-essential

    Downloading the latest Sop Cast binary

    http://download.sopcast.cn/download/sp-auth.tgz

    Unzip it and cd into that directory using terminal. Then run:

    sudo cp sp-sc-auth /usr/bin/sp-sc

    Downloading and building the latest GUI


    Download the most recent source package from this page:
    http://code.google.com/p/qsopcast/downloads/list

    Again, unzip it and cd into that (src) directory using terminal. Then run

    sudo qmake
    sudo make
    sudo make install

    This should compile the source and install the binary into the correct location.

    Creating a menu shortcut

    Go to System / Preferences / Main Menu... then 'Internet' and 'Add New Item'. Give it the name "QSopCast" and command "qsopcast". You should now be able to launch from the main menu.

    Setting up the GUI

    Once the GUI is open, go to config then config again. Make sure that the player settings are all set to "vlc" and that the channel URL is set to "http://www.sopcast.com/gchlxml"

    You should now be able to watch sop casts by selecting a channel, launching it and then hitting player when the stream is at 100%.

    I've got an updated guide that will allow you to set firefox to launch SOP URLs too. It uses a specially modified version of QSopCast.

    Please see this page:

    http://www.linux.ryukent.co.uk/show.php?id=36


     


    Java properties for changing the default locale settings

    There are classes in Java which are locale sensitive. In some situations, programmers may not realize this. Their code may work well on their own machine, but when it is delivered to a customer, the locale environment may be different from the one where it was tested, and problems may occur.

    Here are some useful URLs:

    http://www.j2ee.me/docs/books/tutorial/essential/environment/sysprop.html

    http://java.sun.com/j2se/1.4.2/docs/api/java/text/SimpleDateFormat.html

    http://www.mindspring.com/~mgrand/java-system-properties.htm

    http://www.exampledepot.com/egs/java.lang/GetAllSysProps.html

    http://java.chinaitlab.com/base/38294.html


    Bacula - powerful backup toolkit

     
    I think maybe I could use this tool to back up my own code. Or maybe back up files from my laptop to my desktop PC, because there is not sufficient hard drive space on my notebook.
     
    Thanks to Gavin

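    Chinese settings in Eclipse

    A colleague's code contains a bunch of Chinese comments, but in Eclipse running on my English operating system they always show up as garbled text, even after switching to UTF-8.

    Solution:

    Go to the drop-down menu under properties -> Resource -> TextFileEncoding of the target project. GB2312 may not be among the options, but it can be typed in manually. Then confirm and exit.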