We were scratching our heads and twirling our moustaches at LDC Via Towers, wondering what we could do as a bit of fun for ConnectED next week.
And then the penny dropped: what could be more “ConnectED” than … a competition crossword?! At what seems (no official word, but we all know it is, don’t we?) to be our last January visit to the Swan & Dolphin, and possibly (perhaps IBM will tell us next week) the last conference recognisable as the “Lotusphere” we know and love, we decided to create a little bit of fun to fill in the dull moments (as if!) and test your knowledge of Lotus, Lotusphere and IBM. And, yes, we’re freely using the ‘L’ word, without embarrassment, because this is an unashamedly nostalgic effort, looking back affectionately on our collective journey down the years with the softwareformerlyknownasLotusNotes and its stablemates from Lotus and IBM.
You may have noticed that this is a ‘competition’ crossword. Yes, there will be a prize: a Sonos Play:1. If you’re not a Sonos user already, you will love it. And if you are a Sonos user already, you will love it.
In the next post we’ll outline the rules for the competition, and reveal the crossword itself.
Meanwhile here, as a little teaser, is the crossword grid.
We’ve talked previously about integrating LDC Via with XPages but the whole point of our REST API is that anything that can talk over a network can use our services. So we’ve been busy.
So far, when you access the LDC Via website, you get some pre-rolled templates that allow you to view your old Domino data in an easier to read way. We provide templates that work with your migrated Mail Files, Discussions, Document Libraries and Teamrooms. But how about creating your own custom applications?
Today we have released our first public template. It’s a standalone implementation of the classic Teamroom that has been created using AngularJS.
First things first: you can go and play with the template here. The username is [email protected] and the password is Password00.
What this means is that you can create and deploy quite complex business applications with nothing more than a simple HTTP server; LDC Via takes care of everything else for you, including data storage and authentication.
We’ve made the source code for the template available for use from Github under the MIT license, so you will be able to make use of the code to get going with your own custom applications.
Mark, Julian and Ben will all be at IBM ConnectED from Friday evening this week. If you’d like to say hello, talk about LDC Via, enter our competition (come back in a couple of days to find out about that) or simply share a beer / some ludicrous sugary confection (in the case of the Wookiee), we’d be delighted to see you.
As you probably know, the conference itself is taking place in the Swan this year. Mark will be around a lot, although staying off-site, whilst the other two reprobates are also residing in the Swan, so will no doubt be irritatingly easy to find.
In addition to general lingering and chatting, you will be able to find Mark at his splendidly useful “Beyond The Every Day” session, “1 App, 2 Developers, 3 Servers: Getting the Same Application to Run on Different Servers” which is happening at 3.45pm in Mockingbird 1 - 2 on Tuesday—here’s a session link for those with ConnectED site access: https://portal.ibmeventconnect.com/wps/myportal/connected/site/Sessions/SessionFinder/detail/00071
Additionally, Mark has somehow become an IBM Champion (no, we don’t know how either), and as such you will be able to find him at the Leadership Alliance events looking out of place and desperate to talk tech with anyone.
If you need to know what we look like (oof), take a look-see here. Smooth.
(For those wondering why Matt is not with us this week… he claims to have a very good reason, but we’re unconvinced ;-))
One of the key use cases for LDC Via that we see is for archiving data for successful IBM Domino applications. We all know that Domino has limitations: when a database gets too big, it can really affect performance… but there’s so much good stuff in Domino–like security and integration with email–that it would be a shame to have to migrate your whole application to a completely different platform.
What if there was a “middle ground”? How about moving older or inactive data to a different storage area, but one that still maintains document-level security? You may be surprised to learn how straightforward it is to integrate XPages with other platforms via a REST API.
By way of illustration, we’ve created a sample Domino application that connects to the LDC Via service, obtains a list of LDC Via-supplied databases that the current user can see, and lets the user browse those databases (an individual MongoDB database contains one or more “collections”, and each collection contains documents). Hopefully you can see by looking at the code that makes up the sample app just how easy this is. The main component that drives it all is a managed bean that pulls data from our REST services:
Using this code combined with a single XPage, we can retrieve the aforementioned database list, together with lists of collections within those databases, and for each collection the documents it contains (all based on what the user is permitted to see):
The screenshot shows the list of migrated NSF files (“databases”) that our test user has access to. We’ve selected the database called unpsampler.nsf, and then a collection therein called “Document”. This collection contains 88 documents accessible to the user, and using the API we can then view the first 30 documents, paging through the rest in much the same way you would with a Domino view.
This is a very simple demo, and it wouldn’t take much effort to customise the code to fit your specific requirements. From the end user’s point of view there need be no difference at all in their experience, except that your XPages application is hopefully more responsive as you reduce the amount of live data you’re working with!
There is a phrase regarding security on websites that terrifies developers: “It’s not a question of whether you get hacked, but when.” It’s popular with the media of course―doom-laden articles will always sell, and strictly speaking this terrifying sentence is correct―but only for a given value of ‘correct’.
For example, I don’t think anyone could stop the NSA getting access to private data if the NSA had a thousand years and warehouses of dedicated brute-force script kiddies at their disposal (no doubt backed by law). What we can do however, is make cracking data so bloody hard that the whole process becomes untenable. For LDC Via, we consider the “base data type” for all migrations to be financial transactions from large corporates―in other words, we do not play fast and loose with this stuff.
As we built LDC Via we had to consider the usual suspects in terms of attack vectors, and the defensive layers we need to provide. This is compounded by the fact that IBM Domino has always provided such good, simple security. We provide various options when using LDC Via, from simple data conversion to fully-converted applications with reasonably complex security requirements―and so there are appropriate decisions to be made.
Thankfully, different members of LDC take care of different areas of the application, and this enables us to impose a global security policy with each member taking care of a number of the constituent layers.
We break down the defensive layers into two categories:
- “The Usual Suspects”
- “Just For Us”
### “The Usual Suspects”
These are the layers that all web apps have to deal with. Quite a lot of them are irrelevant for on-premises solutions, but take on huge importance in our cloud offering.
Ports and firewalls. An easy one―only those ports absolutely necessary are opened. By default this means SSL (port 443), with the option of port 80 if non-secure transactions are required. That is it: no database ports, no remote access ports etc. We separate dedicated client servers from each other with firewalls as well, so there is no inter-communication between your dedicated boxes and those used by our other clients.
Operating system. We use a hardened Linux build for our production servers, with proper patching and all the things that keep administrators happy.
Hardware. Where provided by our hosting providers we offer hardware encryption. Now that most decent physical storage is based on solid-state technology, we have found that hardware encryption is not the performance horror it once was. If this is a requirement for your implementation, please tell us.
NSA. A new player in the security arena is the National Security Agency in the US. Their curious assertion that they have the right to take any data they deem fit for their purposes from anywhere on the planet means that even if your data is not stored in the continental USA, if the hosting provider has an office registered there then the NSA can pressure that organisation to provide access to your data (with the hosting provider and LDC Via legally obliged not to tell you about it).
Well, we are registered in the UK, and we have access to multiple hosting providers, both local and international, to meet the different data security needs of clients.
Databases. All databases offer a variety of security options, and the methods we implement will vary according to the back-end server involved. In our current offering (based on MongoDB) we use both standard MongoDB users and roles for security (rather than those wide-open “service accounts” that so often lead to wholesale database leaks in the case of a security breach).
However, that’s not enough: MongoDB only really offers granular security down to a “collection” level, so that leads us on to the next level of security…
### “Just For Us”
Readers and authors. One of the core tenets of IBM Domino security, and something that is a devil to reproduce in other systems. Readers and authors fields control document- and field-level access to data. Very few systems and databases provide document-level security, so to effect it we have constructed a “data wrapper” that goes round any attempt to access the database from the application (a Java driver wrapper is also provided). The meta-data stored in the database is checked against the requesting user and the various levels of access are granted on that basis. This includes group access as well as individual rights.
Configurable security. At any time, administrators can modify which fields in a collection are used to define security and, of course, will always be able to see all documents (you won’t lose anything!).
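The readers/authors check and the configurable security fields described above, sketched as an added example (this is not LDC Via's own code). The field names, the group directory, the fail-closed default and the rule that an empty readers list means unrestricted reads are assumptions modelled on Domino semantics.

```javascript
"use strict";
// Hypothetical per-collection config: which fields hold the access lists.
// Administrators can edit this at any time ("configurable security").
const securityConfig = {
  Document: { readers: ["DocReaders"], authors: ["DocAuthors"] },
};
// Constructed sample directory: group name -> members.
const groups = { Finance: ["alice@example.com", "bob@example.com"] };

// Every name a user can match: own id plus each group they belong to.
function namesFor(user) {
  const id = user.id.toLowerCase();
  const names = new Set([id]);
  for (const [group, members] of Object.entries(groups)) {
    if (members.some((m) => m.toLowerCase() === id)) names.add(group.toLowerCase());
  }
  return names;
}

// Entries of the configured fields; tolerates missing or scalar values.
function entries(doc, fields) {
  return fields.flatMap((f) => [].concat(doc[f] ?? [])).map((n) => String(n).toLowerCase());
}

function access(user, collection, doc) {
  if (user.isAdmin) return { read: true, edit: true }; // assumption: admins may also edit
  const cfg = securityConfig[collection];
  if (!cfg) return { read: false, edit: false }; // unconfigured collection: fail closed
  const mine = namesFor(user);
  const isAuthor = entries(doc, cfg.authors).some((n) => mine.has(n));
  const readers = entries(doc, cfg.readers);
  // Assumed Domino-style rule: no readers entries means no read restriction.
  const read = readers.length === 0 || isAuthor || readers.some((n) => mine.has(n));
  return { read, edit: read && isAuthor };
}

// The wrapper: callers only ever receive documents they may read.
function findVisible(user, collection, allDocs) {
  return allDocs.filter((d) => access(user, collection, d).read);
}

// Constructed sample documents.
const sampleDocs = [
  { _id: 1, Subject: "Canteen menu" },
  { _id: 2, Subject: "Q3 ledger", DocReaders: ["Finance"], DocAuthors: "alice@example.com" },
  { _id: 3, Subject: "Audit notes", DocReaders: ["carol@example.com"] },
];
const alice = { id: "alice@example.com" };
console.log(findVisible(alice, "Document", sampleDocs).map((d) => d._id));
```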
So there you go, some of the background to security in LDC Via. As Mark says, it’s like arguing about politics: never-ending, often quite heated, but one day we will build a better world (if the rest of the buggers stop talking rubbish).