Testing Cassandra write performance

With the tests below I was trying to measure Cassandra write performance. First off, this is probably not a good performance comparison for a number of reasons, the main one being that I was running this on my laptop. If you ran this on server-grade hardware with a tuned Cassandra setup you would probably get higher numbers. That being said, this was done to get a general idea about write performance in Cassandra ‘cos “You can’t do much without measuring”.

My setup was,

  • Cassandra running in a VirtualBox VM with default parameters. Only the data directories were changed
  • VM was running Kubuntu 11.04
  • JDK 1.6.0_27
  • JVM was not warmed up before carrying out the test. I started Cassandra with an empty keyspace for each case
  • I was testing the code hosted here

Here’s what the three column families look like.

REGData column family,

PropertyIndex column family,

TagIndex column family,

Here are the results,

The graphs look very similar. However, Cassandra 1.0.2 has faster write speeds. Here is the raw data. T in the graph represents the number of tags and P the number of properties.

The sudden spike in write speed increase is a bit scary. That can be due to an I/O bottleneck in the machine. At that point my disk started grinding heavily. During the time of the tests, I didn’t do any other disk-intensive tasks. On server-grade hardware with a few fast disks the results might be different. Radically even.


Creating a signed message with .Net WCF

A step-by-step guide to creating a signed message with .Net WCF and consuming a secured service written in Java. The service can be implemented in any language as long as it supports the WS-Security standards. In order to have a service running in minutes and apply security to it, I’ll be using WSO2 ESB.

  1. Certificates. We’ll be using two certificates for signing. We’ll create a private/public key pair on the client side and import the client’s public key into the server. Likewise, we’ll import the server’s public key into the machine running the client.
  2. First let’s create a key pair to be used in the client,
    makecert -r -pe -n "CN=mycert" -sky exchange -sv mycert.pvk mycert.cer
    

    This will create a private and public key pair. Next we need to import this into Windows certificate store. In order to do that we need to convert our key pair to PFX format which includes both the private and the public key,

    pvk2pfx -pvk mycert.pvk -spc mycert.cer -pfx mycert.pfx
    

    Now, run mmc and add a certificate snap-in for the Local Computer. Browse into Trusted People and import mycert.pfx. Just click next when it asks for the private key password.

  3. We have set up the certificates for the client. Next we have to extract the server’s public key and import it into the Windows certificate store. Since I’m going to use WSO2 ESB for the server side, we need to extract the public key from the Java keystore that’s being used by the ESB. Browse to <ESB HOME>\repository\resources\security and run the following command. Java needs to be in your PATH. When prompted, type “wso2carbon” as the keystore password.
    keytool -keystore wso2carbon.jks -export -alias localhost -file localhost.cer
    

    Import localhost.cer into Trusted People just like before.

  4. Now we need to import the client’s public key into the server. Start the ESB by double-clicking wso2server.bat. Browse to https://localhost:9443 and log in with admin/admin. Click Configure -> Key Stores.

    Click Import Cert

    and browse and select mycert.cer we just created and click Import.

  5. We’re done setting up certificates. Let’s create a simple secure service. Luckily ESB ships an echo service which when you send a message, echoes it back. Click Main -> List (under Web Services).

    Here you see a list of web services. In front of the echo service you’ll see a link saying “Unsecured”.

    Click it and select “yes” from the drop down to apply security for the echo service.

    Here you’ll see a list of pre-configured security scenarios. We’ll be using number 2, Non-Repudiation under Basic Scenarios. Select it and click Next.

    Select wso2carbon.jks as a trusted keystore and click Finish. Echo service is secured now.

  6. We have created and set up the certificates and now have a secured service. Open up Visual Studio and create a new console application. You can create any kind of project, but I prefer console apps for testing these types of scenarios.
  7. Add a Service Reference to your project. WSDL file for the service is located at http://localhost:8280/services/echo?wsdl
  8. For the binding that you’ll be using you have to configure security,
    <security defaultAlgorithmSuite="Default" authenticationMode="MutualCertificateDuplex"
        requireDerivedKeys="false" securityHeaderLayout="Lax" includeTimestamp="true"
        keyEntropyMode="CombinedEntropy" messageProtectionOrder="SignBeforeEncrypt"
        messageSecurityVersion="Default" requireSignatureConfirmation="false">
      <localClientSettings cacheCookies="true" detectReplays="true"
          replayCacheSize="900000" maxClockSkew="00:05:00" maxCookieCachingTime="Infinite"
          replayWindow="00:05:00" sessionKeyRenewalInterval="10:00:00"
          sessionKeyRolloverInterval="00:05:00" reconnectTransportOnFailure="true"
          timestampValidityDuration="00:05:00" cookieRenewalThresholdPercentage="60" />
      <localServiceSettings detectReplays="true" issuedCookieLifetime="10:00:00"
          maxStatefulNegotiations="128" replayCacheSize="900000" maxClockSkew="00:05:00"
          negotiationTimeout="00:01:00" replayWindow="00:05:00" inactivityTimeout="00:02:00"
          sessionKeyRenewalInterval="15:00:00" sessionKeyRolloverInterval="00:05:00"
          reconnectTransportOnFailure="true" maxPendingSessions="128"
          maxCachedCookies="1000" timestampValidityDuration="00:05:00" />
      <secureConversationBootstrap />
    </security>
    
  9. Your actual client code should look like this,
    static void Main(string[] args)
    {
        // Proxy generated by Add Service Reference; the endpoint name refers to the client configuration.
        svc.echoPortTypeClient echo = new svc.echoPortTypeClient("echoHttpSoap11Endpoint");

        // Server's public certificate (localhost.cer imported into Trusted People).
        echo.ClientCredentials.ServiceCertificate.SetDefaultCertificate(
           System.Security.Cryptography.X509Certificates.StoreLocation.LocalMachine,
           System.Security.Cryptography.X509Certificates.StoreName.TrustedPeople,
           System.Security.Cryptography.X509Certificates.X509FindType.FindBySubjectName, "localhost");

        // Client key pair (mycert.pfx imported into Trusted People), used to sign the request.
        // FindBySubjectName is a substring match, so keep subject names in this store unambiguous.
        echo.ClientCredentials.ClientCertificate.SetCertificate(
            System.Security.Cryptography.X509Certificates.StoreLocation.LocalMachine,
            System.Security.Cryptography.X509Certificates.StoreName.TrustedPeople,
            System.Security.Cryptography.X509Certificates.X509FindType.FindBySubjectName, "mycert");

        System.Console.WriteLine(echo.echoString("hello"));
        System.Console.ReadLine();
    }
    

    Note that we set the correct service and client certificates. As you can see I’m using an HTTP endpoint. This is useful to test the messages going through a tool like TCPMon. When you have the scenario working you can just switch to the HTTPS endpoint.


Java PaaS : Building multitenant applications

This shows you how to write multitenant applications. If you haven’t already, please read the following two posts before you read this. Those two set the stage for the rest of this post.

  1. Java Paas : Building your first app
  2. Java PaaS : Handling authentication in your web apps

Before proceeding further, let me clarify some terms that we’ll be using. It has become a bit cloudy (no pun intended) since many people mean different things by the same word.

Multitenancy – In the context of Stratos, I’m using the word multitenancy as defined in Wikipedia.

Multitenancy refers to a principle in software architecture where a single instance of the software runs on a server, serving multiple client organizations (tenants).

When you register and get an account in Stratos, that’s a tenant: an organization. Your data will be isolated from other tenants/organizations in the system. When you sign up, you’ll be creating the administrator account for your tenant, which we naturally refer to as the tenant admin. The tenant admin can add users to your domain, turn various Stratos services such as the ESB, App Server and Data Services Server on or off, monitor the data and bandwidth usage of your users, and grant/revoke permissions to users.

Let me take a little step back here. When you talk about Stratos, there are two major deployment scenarios. One is hosted by WSO2 and is available to users as a service: you sign up, you get an account, and your data is hosted on hardware that we manage. This version is called StratosLive. In the other scenario, you set up Stratos on your own hardware in your private data center; you control everything and it’s not accessible to anyone else.

2 scenarios. StratosLive vs Stratos on your private cloud.

Now, coming back to multitenancy, there’s one user we call the super tenant. This acts as an admin account for all the tenants in Stratos. It’s configured at the time of setting up Stratos. In the StratosLive scenario, the super tenant is WSO2. In the other scenario, the super tenant is you. You can do stuff which will affect all the tenants across the system. Why would you need this? It’s necessary when you’re developing SaaS applications. You’re providing a service which all the tenants can use.

In Stratos, to SaaSify your application you need to add a context parameter to your deployment descriptor.

<context-param>
    <param-name>carbon.enable.saas</param-name>
    <param-value>true</param-value>
</context-param>

The authentication mechanism will be the standard form-based authentication that we configured in the Jwitter app we developed earlier. This, however, does not mean that this is the only thing you need to build SaaS applications, nor does it allow you to take any existing web app out there and magically turn it into a multitenant app. For that you need a multitenant data architecture for your application.

When you add the context parameter and deploy the web application as the super tenant, Stratos will authenticate against any user account in the system that has sufficient permissions. When you call request.getUserPrincipal().getName(), the user account will appear in the format foo@example.com. From this point on it’s up to you to move to the bits of your application.
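
One way to take it from there, as an added example that is not from the original post or from Stratos: split the principal name on its last @ to get the tenant domain, and key every data access on that value rather than on anything the client sends. The class, method and store names are hypothetical, and rejecting a principal that has no domain part is an assumption of this sketch.

```java
import java.util.*;

// Added example; class, method and store names are hypothetical.
public class TenantScopeExample {
    static final class TenantUser {
        final String user, tenantDomain;
        TenantUser(String user, String tenantDomain) { this.user = user; this.tenantDomain = tenantDomain; }
    }

    // Split on the LAST '@' so a user name that itself contains '@' stays intact.
    // Assumption: a principal without a domain part is rejected (fail closed).
    static TenantUser parsePrincipal(String principalName) {
        if (principalName == null) throw new SecurityException("unauthenticated request");
        int at = principalName.lastIndexOf('@');
        if (at <= 0 || at == principalName.length() - 1)
            throw new SecurityException("no tenant domain in principal");
        String domain = principalName.substring(at + 1).toLowerCase(Locale.ROOT);
        // Assumption: tenant domains are DNS-style names.
        if (!domain.matches("[a-z0-9]([a-z0-9.-]*[a-z0-9])?"))
            throw new SecurityException("malformed tenant domain");
        return new TenantUser(principalName.substring(0, at), domain);
    }

    // Constructed in-memory store standing in for the database: tenant domain -> messages.
    static final Map<String, List<String>> MESSAGES = new HashMap<>();

    // Reads are keyed by the tenant from the authenticated principal, never by a request parameter.
    static List<String> messagesFor(TenantUser u) {
        return MESSAGES.getOrDefault(u.tenantDomain, Collections.<String>emptyList());
    }

    public static void main(String[] args) {
        MESSAGES.put("example.com", Arrays.asList("hello from example.com"));
        MESSAGES.put("acme.org", Arrays.asList("acme internal note"));
        // Constructed principal names; in a servlet this is request.getUserPrincipal().getName().
        for (String name : new String[] {"foo@example.com", "bob@mail.test@acme.org", "admin", "eve@"}) {
            try {
                TenantUser u = parsePrincipal(name);
                System.out.println(u.user + " @ " + u.tenantDomain + " -> " + messagesFor(u));
            } catch (SecurityException e) {
                System.out.println(name + " rejected: " + e.getMessage());
            }
        }
    }
}
```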
