November 13, 2013 Errors, Security, Windows, WPF No comments
Federal Information Processing Standards (FIPS) enabled and your .NET code
Have you ever run into this error?
“This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.”
FIPS is what US government came up with to standardize some of the aspects of processing information. FIPS 140heavily affects cryptographic area. For example, MD5 or SHA256 is not FIPS compatible. That’s why you would get an above error if you were using MD5, SHA256 algorithm on Windows with FIPS enabled.
If you are developing some governmental application (international in my case) there is high chance that this feature is enabled on target environment.
To enable FIPS locally for testing purposes do the following:
Start Local Group Policy Editor via “gpedit.msc” and go to: Computer Configuration –> Windows Settings –> Security Settings –> Local Policies –> Security Options –> System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing.
Or just HKLMSystemCurrentControlSetControlLsaFIPSAlgorithmPolicyEnabled if you are running Win7.
Be aware that this settings changes lots of things in your system. Especially old stuff. Read: http://support.microsoft.com/kb/811833, and for how MS tries to be compliant with FIPS http://technet.microsoft.com/en-us/library/cc750357.aspx.
Back to your .net code. These would be alternative hashing algorithms: HMACSHA1, MACTripleDES and few more, but I would go for one of SHA algorithms by using CryptoServiceProvider. For example SHA1CryptoServiceProvider. Except of hashing some of the encryption algorithms won’t be compatible as well, so you will need to figure out what works. Unfortunately MSDN doesn’t state it explicitly.
After I enabled FIPS to test the app I wasn’t even able to compile the solution. Visual Studio started to complain about xaml files. I found that I’m not the fist to see that problem. Strange, since I thought that I had required updates. Nevertheless fix is to put this: <enforceFIPSPolicy enabled=”false”/> into your msbuild.exe.config or denev.exe.config
I wonder how much unknown and strange stuff is hidden under the hood of operating system. Recently I’ve started discovering a lot of such things.
Application Fabric Cache – an easy, but solid start
I would like to share some experiences of working with Microsoft AppFabric Cache for Windows Server.
AppFabricCache is distributed cache solution from Microsoft. It has very simple API and would take you 10-20 minutes to start playing with. As I worked with it for about one month I would say that product itself is very good, but probably not enough mature. There are couple of common problems and I would like to share those. But before let’s get started!
If distributed cache concept is something new for you, don’t be scary. It is quite simple. For example, you’ve got some data in your database, and you have web service on top of it which is frequently accessed. Under high load you would decide to run many web instances of your project to scale up. But at some point of time database will become your bottleneck, so as solution you will add caching mechanism on the back-end of those services. You would want same cached objects to be available on each of the web instances for that you might want to copy them to different servers for short latency & high availability. So that’s it, you came up with distributed cache solution. Instead of writing your own you can leverage one of the existing.
Install
You can easily download AppFabricCache from here. Or install it with Web Platform Installer.
Installation process is straight forward. If you installing it to just try, I wouldn’t even go for SQL server provider, but rather use XML provider and choose some local shared folder for it. (Provider is underlying persistent storage as far as I understand it.)
After installation you should get additional PowerShell console called “Caching Administration Windows PowerShell”.
So you can start your cache using: “Start-CacheCluster” command.
Alternatively you can install AppFabric Caching Amin Tool from CodePlex, which would allow you easily do lot of things though the UI. It will show PowerShell output, so you can learn commands from there as well.
Usually you would want to create named cache. I created NamedCacheForBlog, as can be seen above.
Simple Application
Let’s now create simple application. You would need to add couple of references:
Add some configuration to your app/web.config
<section name="dataCacheClient" type="Microsoft.ApplicationServer.Caching.DataCacheClientSection, Microsoft.ApplicationServer.Caching.Core" allowLocation="true" allowDefinition="Everywhere"/> <!-- and then somewhere in configuration... --> <dataCacheClient requestTimeout="5000" channelOpenTimeout="10000" maxConnectionsToServer="20"> <localCache isEnabled="true" sync="TimeoutBased" ttlValue="300" objectCount="10000"/> <hosts> <!--Local app fabric cache--> <host name="localhost" cachePort="22233"/> <!-- In real world it could be something like this: <host name="service1" cachePort="22233"/> <host name="service2" cachePort="22233"/> <host name="service3" cachePort="22233"/> --> </hosts> <transportProperties connectionBufferSize="131072" maxBufferPoolSize="268435456" maxBufferSize="134217728" maxOutputDelay="2" channelInitializationTimeout="60000" receiveTimeout="600000"/> </dataCacheClient>
Note, that above configuration is not the minimal one, but rather more realistic and sensible. If you are about to use AppFabric Cache in production I definitely recommend you to read this MSDN page carefully.
Now you need to get DataCache object and use it. Minimalistic, but wrong, way of doing it would be:
public DataCache GetDataCacheMinimalistic() { var factory = new DataCacheFactory(); return factory.GetCache("NamedCacheForBlog"); }
Above code would read configuration from config and return you DataCache object.
Using DataCache is extremely easy:
object blogPostGoesToCache; string blogPostId; dataCache.Add(blogPostId, blogPostGoesToCache); var blogPostFromCache = dataCache.Get(blogPostId); object updatedBlogPost; dataCache.Put(blogPostId, updatedBlogPost);
DataCache Wrapper/Utility
In real world you would probably write some wrapper over DataCache or create some Utility class. There are couple of reasons for this. First of all DataCacheFactory instance creation is very expensive, so it is better to keep one. Another obvious reason is much more flexibility over what you can do in case of failures and in general. And this is very important. Turns out that AppFabricCache is not extremely stable and can be easily impacted. One of the workarounds is to write some “re-try” mechanism, so if your wrapping method fails you retry (immediately or after X ms).
Here is how I would write initialization code:
private DataCacheFactory _dataCacheFactory; private DataCache _dataCache; private DataCache DataCache { get { if (_dataCache == null) { InitDataCache(); } return _dataCache; } set { _dataCache = value; } } private bool InitDataCache() { try { // We try to avoid creating many DataCacheFactory-ies if (_dataCacheFactory == null) { // Disable tracing to avoid informational/verbose messages DataCacheClientLogManager.ChangeLogLevel(TraceLevel.Off); // Use configuration from the application configuration file _dataCacheFactory = new DataCacheFactory(); } DataCache = _dataCacheFactory.GetCache("NamedCacheForBlog"); return true; } catch (DataCacheException) { _dataCache = null; throw; } }
DataCache property is not exposed, instead it is used in wrapping methods:
public void Put(string key, object value, TimeSpan ttl) { try { DataCache.Put(key, value, ttl); } catch (DataCacheException ex) { ReTryDataCacheOperation(() => DataCache.Put(key, value, ttl), ex); } }
ReTryDataCacheOperation performs retry logic I mentioned before:
private object ReTryDataCacheOperation(Func<object> dataCacheOperation, DataCacheException prevException) { try { // We add retry, as it may happen, // that AppFabric cache is temporary unavailable: // See: http://msdn.microsoft.com/en-us/library/ff637716.aspx // Maybe adding more checks like: prevException.ErrorCode == DataCacheErrorCode.RetryLater // This ensures that once we access prop DataCache, new client will be generated _dataCache = null; Thread.Sleep(100); var result = dataCacheOperation.Invoke(); //We can add some logging here, notifying that retry succeeded return result; } catch (DataCacheException) { _dataCache = null; throw; } }
You can go further and improve retry logic to allow for many retries and different intervals between retries and then put all that stuff into configuration.
RetryLater
So, why the hell all this retry logic is needed?
Well, when you open MSDN page for AppFabric Common Exceptions be sure RetryLater is the most common one. To know what exactly happened you need to verify ErrorCode.
So far I’ve see this sub-errors of the RetryLater:
There was a contention on the store. – This one is quite frequent one. Could happen when someone is playing some concurrent mess with cache. Problem is that any client can affect the whole cluster.
The connection was terminated, possibly due to server or network problems or serialized Object size is greater than MaxBufferSize on server. Result of the request is unknown. – This usually has nothing to do with object size. Even if configuration is correct and you save small objects you can still get this error. Retry mechanism is good for this one.
One or more specified cache servers are unavailable, which could be caused by busy network or servers. – Have no idea how frequent this one could be, but it can happen.
No specific SubStatus. – Amazing one!
Conclusion
AppFabricCache is very nice distributed cache solution from Microsoft. It has a lot of features. Of course not described here, as you can read it elsewhere, say here. But to be able to go live with it you should be ready for AppFabricCache not being extremely stable & reliable, so you better put some retry mechanisms in place.
To be honest if I was one to make decision if to use this dcache, I would go for another one. But who knows, maybe other are not much better… I’ve never tried other distributed caches.
Links
Thank you, and hope this is of some help.
WCF and versioning – my adventures (or “The resource MultipleIdDefinition was not found”)
May 14, 2011 Errors, WCF No comments
Hey, I believe that everyone of us have ever dealt with versioning. Versioning inside of WCF doesn’t exist if so to say, but it is very easy to keep all your stuff running until you actually have to validate schema of the messages.
In recent time me with my team had to make our Phone client of version 1.0 and 1.1 work with either version of server 1.0 or 1.1. In other words we had 4 cases. Two of them are obviously non-problematic and two are not that clear. Accordingly to MSDN there is no direct support for versioning in WCF, except of that each data elements are optional by default. This means that if you haven’t specified opposite all of your DataMembers are going to be null if they are missed in incoming XML.
So having this in mind I expected that all of our versioning scenarios will go smoothly, but this did not happen. We were getting ugly exception looking like this: “The resource MultipleIdDefinition was not found”. Honestly it was very surprisingly since google search did not give me any good answer for this.
So here are steps that I took to figure out where the problem is:
-
Made the way up to the deserialization code.
-
Debugged to the point where I can see actual payload.
-
For same data request I copied payloads as is from two server versions.
-
Did text comparison and found what I was looking for.
Added properties could not brake serialization, so I found other differences, which were additional z:Id=”i7” right after one of the data contracts. Some of you might know that this is cause of IsReference=true of the DataContract. So I did research if this really has been changed between version 1.0 and 1.1 and found out that it was.
So, long story short, if you having some issues with serialization inside of WCF when dealing with versioning think less about new or even deleted elements of you contract, but think more what can cause mismatch in messages. And dong forget to see source control logs.
Wow – Always check the Inner Exception
August 4, 2010 Errors, QuickTip 3 comments
Today, I worked with services logic that sends me light objects mapped from NHibernate entities with AutoMapper, and I got an exception stating that something is wrong with mappings. I wrote UT that reproduces my issue and surrounded code with try{}catch(){} to see exception closer, and it said me the same I saw. I took a look on Inner exception message and at first glance it was absolutely identical to parent message.
Then I spent about 10-20 minutes verifying all my entities, trying to find some stupid mistake and I would spend more if I would not take a look on Inner exception of the Inner exception and it was a bit different, saying that another entity mapping is wrong, so I took a look into Inner exception of it and so on…
So do you have an idea where did I stop? See:
So I went through 11 Inner Exceptions to get to the null Inner Exception :) Highlighted message provided me information I needed to resolve my issue.
Moral: Always take a look into Inner Exception!
Installation VS2010 RC on Windows XP – Issue: “To help protect your computer, Windows has closed this program. Name: Suite Integration Toolkit Executable”
February 23, 2010 Errors, IDE, VS2010 4 comments
I have found that not only my project has a lot of stupid bugs with more unexpected fixes, but also some well known products like Visual Studio.
Today I tried to install VS2010 RC on the XP system. Before that I had Beta 1 installed, but now it requires Service Pack 3.
So I installed Service Pack 3, deinstalled Beta 1 and was expecting to install VS2010 RC without any pain.
But what happen was interesting:
Installation process runs… and then just dies without explanations.
Playing with it I’ve got this
Error message:
To help protect your computer, Windows has closed this program. Name: Suite Integration Toolkit Executable
I searched over the internet how to fix this. And I found it:
Go to input languages settings and do the next for each input language you have:
I could not imagine that someone is able to guess such strange fix itself. :)
Of course there are explanations here and here.
Session.Merge(object obj) to RESCUE
January 29, 2010 Errors, NHibernate No comments
Error:
“a different object with the same identifier value was already associated with the session: 14, of entity: Developer.RoadMap.To.Success.Entities.Customer”
I had something like this in the SaveCustomer method:
if ( customer.CustomerID > 0 )
{
Session.Update( customer);
}
else
{
Session.SaveOrUpdate( customer);
}
transaction.Commit();
{
Session.Update( customer);
}
else
{
Session.SaveOrUpdate( customer);
}
transaction.Commit();
And this don’t work correctly. Simple change to
if ( customer.CustomerID > 0 )
{
customer = Session.Merge( customer );
}
else
{
Session.SaveOrUpdate( customer);
}
transaction.Commit();
{
customer = Session.Merge( customer );
}
else
{
Session.SaveOrUpdate( customer);
}
transaction.Commit();
resolved my issue.
Event Name: CLR20r3
January 27, 2010 Deployment, Errors 2 comments
I got error which says “MyApplicationName has stopped working” once deployed simple tool application to the deployment machine which is MS 2008 Server.
But application works just fine on my Dev Machine.
I took a look on event viewer and it says:
Fault bucket 952814299, type 5
Event Name: CLR20r3
Response: None
Cab Id: 0
Event Name: CLR20r3
Response: None
Cab Id: 0
Problem signature:
P1: myapplicationname.exe
P2: 1.0.0.0
P3: 4b607991
P4: MyApplicationName
P5: 1.0.0.0
P6: 4b607991
P7: 83
P8: f
P9: System.IO.FileNotFoundException
P10:
It looks like something I was referencing is something in the framework that wasn’t installed on the server.
But what?
I remembered that when worked with UI I inadvertently took some thing from ToolBox. I immediately removed that thing, but REFERENCE were left in projects references.
It was Microsoft.VisualBasic and Microsoft.VisualBasic.PowerPacks.Vs.
Moral:
Once you get errors on deployment machine check carefully if you haven’t referenced something that is not needed. And remember about Event Viewer.
IDENTITY_INSERT is already ON for table [Table_Name]
January 19, 2010 Errors, SQL 20 comments
I was editing some script in SQL Server Management Studio.
And then suddenly this error appeared:
IDENTITY_INSERT is already ON for table [Table_Name]
So, how did I come to this error?
My script looked like one below:
SET IDENTITY_INSERT [TABLE_NAME] ON
–insert statements
—failure on one of inserts because of not existing column
SET IDENTITY_INSERT [TABLE_NAME] ON
The script failed on one of the inserts, because of a missing column.
I added a column to fix the problem but then I started getting this error: IDENTITY_INSERT is already ON for table [Table_Name].
I tried to run inserts independently but error persisted.
Why does it happen?
IDENTITY_INSERT works in scope of one session. If you read corresponding MSDN page it says: “At any time, only one table in a session can have the IDENTITY_INSERT property set to ON.”
How to solve?
You just need another session. I simply reconnected to the same database and it run without any issues.
Of course I changed the script to set IDENTITY_INSERT to OFF in the end.
