I’m probably overstating the experience, but I had a rather close-call on Wednesday which has given me a bit of time to reflect on what I’ve been doing to date.

In a nutshell, I wasn’t overly happy with what I was doing and where I was heading. Overall, the course is great – but a few small decisions needed to be corrected, and I think what’s great about getting some perspective like this is that it helps to enrich the rest of the decisions you’ve made.

Needless to say, expect some announcements in the coming few weeks around a few strategic changes in direction.

Requesting a Client Certificate in Tomcat

In the post Requesting and presenting a Client Certificate in Apache2 I covered creating a CA certificate and signing client certificates to authenticate client endpoints. Tomcat can challenge for a certificate too, and here is how. The connector below is the minimal version; its SSL* attributes are explained further down.

<!-- Attribute names are the APR/native connector's (Tomcat 6/7 style); the
     /path/to/... files are placeholders for your own server cert, key and chain -->
<Connector port="443" protocol="HTTP/1.1"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           acceptCount="100"
           scheme="https" secure="true" SSLEnabled="true"
           SSLCertificateFile="/path/to/server.crt"
           SSLCertificateKeyFile="/path/to/server.key"
           SSLCertificateChainFile="/path/to/chain.crt"
           SSLCACertificateFile="/etc/ssl/ca/ca.crt"
           SSLVerifyClient="require" SSLVerifyDepth="2" />

Once that connector is in place, your servlet can read the negotiated cipher suite and the client's certificate chain from the request attributes:

// Inside a servlet (req is the HttpServletRequest); needs
// import java.security.cert.X509Certificate;
String cipherSuite = (String) req.getAttribute("javax.servlet.request.cipher_suite");

if (cipherSuite != null) {
    // With SSLVerifyClient="require" the handshake fails unless the chain verifies
    // against SSLCACertificateFile, so when this attribute is present certChain[0]
    // is an already-authenticated client certificate; the entries after it are its issuers.
    X509Certificate[] certChain = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
    if (certChain != null) {
        for (int i = 0; i < certChain.length; i++) {
            System.out.println("Client Certificate [" + i + "] = " + certChain[i].toString());
        }
    }
}

You can also specify in the connector the params:

  1. SSLCertificateFile (points to your server certificate)
  2. SSLEnabled (set to true)
  3. SSLCertificateKeyFile (points to your server's private key)
  4. SSLCACertificateFile (points to the CA certificate we created in the post Requesting and presenting a Client Certificate in Apache2; only client certificates signed by this CA will be accepted)
  5. SSLCertificateChainFile (the intermediate chain for your server certificate, if it was not issued directly by a root)

Now, make sure the following is set:

  1. secure="true" (together with scheme="https", so the application sees the request as HTTPS)
  2. SSLVerifyClient="require" – forces the client to present a certificate that chains to SSLCACertificateFile; "optional" lets the handshake continue without one, which only makes sense if your own code then checks for the certificate
  3. SSLVerifyDepth="2" – maximum number of issuer links allowed between the client certificate and the CA
  4. sslProtocol="TLS" – this is the JSSE connector's attribute; the APR/native connector's equivalent is SSLProtocol (e.g. SSLProtocol="TLSv1.2")

The SSL* names above belong to the APR/native connector. On the pure-Java (JSSE) connector the equivalents are keystoreFile/keystorePass for the server certificate, truststoreFile/truststorePass for the CA, and clientAuth="true" in place of SSLVerifyClient.

Hope this helps.

Presenting a Client Certificate in PHP

curl needs the certificate and the private key as two separate PEM files, so pull the certificate (only the certificate, no key) back out of the .p12 bundle:

openssl pkcs12 -in client.p12 -clcerts -nokeys -out client.crt

and use the original client.key from when you generated the CSR. (If all you have is the .p12, openssl pkcs12 -in client.p12 -nocerts -nodes -out client.key extracts the key unencrypted, so chmod 600 it.)

Create a test.php file with the content:


<?php
$RequestURL   = "https://dalek-caan.clom.intra/cert/";
$CertFile     = 'client.crt';   // PEM certificate only
$KeyFile      = 'client.key';   // matching PEM private key
$CertPassword = '1234';         // passphrase of the key, if it is encrypted

$ch = curl_init();
$options = array(
    CURLOPT_URL            => $RequestURL,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_SSLCERT        => $CertFile,
    CURLOPT_SSLKEY         => $KeyFile,
    CURLOPT_SSLKEYPASSWD   => $CertPassword,
    // Keep server verification on; if the server's certificate is self-signed,
    // point CURLOPT_CAINFO at it rather than setting CURLOPT_SSL_VERIFYPEER to false.
    CURLOPT_SSL_VERIFYPEER => true,
    //CURLOPT_CAINFO       => '/path/to/server.crt',
    //CURLOPT_HEADER       => true,
    CURLOPT_USERAGENT      => 'Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)',
    //CURLOPT_VERBOSE      => true,
);
curl_setopt_array($ch, $options);
$output = curl_exec($ch);
if ($output === false) {
    echo 'curl error: ' . curl_error($ch);
}
curl_close($ch);


That should load the page just fine.

On the PHP side, Apache exports the client certificate's details into the $_SERVER array, provided the virtual host (or Location) has SSLOptions +StdEnvVars; without that, mod_ssl does not populate the SSL_CLIENT_* variables. You get, for example:

[SSL_CLIENT_V_START] => Apr 5 11:10:12 2014 GMT
[SSL_CLIENT_V_END] => Apr 5 11:10:12 2015 GMT
[SSL_CLIENT_S_DN] => /C=AU/ST=NSW/L=Sydney/O=ORG CO/OU=Domains/CN=Private Cert/
[SSL_CLIENT_I_DN] => /C=AU/ST=NSW/L=Sydney/O= ORG CO/OU=Domains/CN=dalek-caan.clom.intra/
[SSL_CLIENT_A_KEY] => rsaEncryption
[SSL_CLIENT_A_SIG] => sha1WithRSAEncryption

Either the certificate serial (SSL_CLIENT_M_SERIAL, which is only unique per issuer, so pair it with SSL_CLIENT_I_DN) or the subject DN can be used as the identity to authorise against, much like an LDAP DN. Only trust these values where SSLVerifyClient require is in effect and SSL_CLIENT_VERIFY is SUCCESS; that is what guarantees Apache has already checked the chain against the CA. (The sha1WithRSAEncryption above is what OpenSSL defaulted to at the time; current versions sign with SHA-256.)

You also have access to:

[SSL_CLIENT_S_DN_L] => Sydney
[SSL_CLIENT_S_DN_OU] => Domains
[SSL_CLIENT_S_DN_CN] => Private Cert
[SSL_CLIENT_S_DN_Email] =>
[SSL_CLIENT_I_DN_L] => Sydney
[SSL_CLIENT_I_DN_OU] => Domains
[SSL_CLIENT_I_DN_CN] => dalek-caan.clom.intra
[SSL_CLIENT_I_DN_Email] =>

Requesting and presenting a Client Certificate in Apache2

Another way of securing your applications is certificate authentication. The client presents a certificate with its request, and the server accepts it only if it was signed by a certificate authority the server trusts (one whose CA certificate it holds), is still within its validity period, and names the subject the server expects. The server therefore learns not just that the client holds some certificate, but who issued it and to whom.

A note: You should take the below as playful instruction and not just go implement it on your website without thinking. I take no responsibility for any of the content on this blog in general – it is a guide.

This example will establish:

    1. An Apache2 instance with a self signed cert (named dalek-caan.clom.intra)
    2. Enable Apache2 to use the CA to validate client certificates
    3. A client side key and CSR
    4. A CA to sign the CSR

First, we need to create a CA certificate that will sign the CSR of every client we want to let into the endpoint. The CA is the most important part of the server-side security: it is our 'authority' for deciding who is and is not approved, and whoever holds ca.key can mint a certificate the server will accept. I usually use a working directory for certificates, such as ~/sslworking, on a machine that is not the web server; the CA key should never need to live on the server.

Create a new Key

openssl genrsa -out ca.key 2048

Create a new signing request

openssl req -new -key ca.key -out ca.csr

Self-sign the certificate (this produces a bare self-signed certificate, which OpenSSL and Apache accept as a trust anchor; to mark it explicitly as a CA, add basicConstraints=CA:TRUE through an -extfile)

openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

Now install ca.crt (and only ca.crt: ca.key stays in the working directory) on the web server, usually like so:

sudo mkdir /etc/ssl/ca/
sudo cp ca.crt /etc/ssl/ca/
sudo chown -R root:root /etc/ssl/ca

Now, you have an ‘authority’ of which you can compare signed certificates. To let Apache know about the authority, you need to edit your virtual host.

In the <VirtualHost> block for the endpoint you want to use certificate authentication on, add the following line so Apache knows which CA to trust:

SSLCACertificateFile /etc/ssl/ca/ca.crt

You will also need to tell Apache which requests to authenticate, either a specific path or the whole site, using a <Location> block:

<Location /cert>
    SSLVerifyClient require
    SSLVerifyDepth 10
</Location>

SSLVerifyClient require means a request under /cert without a valid, CA-signed client certificate is refused; SSLVerifyDepth is how many issuer links the chain may have between the client certificate and ca.crt (1 is enough when the CA signs the clients directly).


Now restart Apache:

/etc/init.d/apache2 restart

If you try to access the endpoint now, without a client certificate, the request is refused with an SSL error:


Now we need to create a client certificate to access.  On your desktop (or client Server):

openssl genrsa -out client.key 2048
openssl req -new -key client.key -out client.csr

Now copy the client CSR to the machine that holds the CA key, and sign it:

openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial -in client.csr -out client.crt

You can set the days to however long you need.

Get the signed certificate back to your desktop. Now bundle it with its key into a password-protected PKCS#12 file for the client to import:

openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12

Enter a password when prompted.

On your client, install the new certificate to test it out (Mac is easiest – just double click the p12):



You’ll need to enter the password:



Now you should see it in your keychain (Mac).



Now if you try and access the endpoint again, you will see:


You’ll have to allow access to the password too:



That’s it, you’re ready to go!
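The CA, client-certificate and PKCS#12 steps of this post, plus the certificate/key extraction the PHP post above needs, as one script. This is an added example, not the post's own script. It also does what the commands above leave to faith: it verifies that client.crt chains to ca.crt and is valid for client authentication, shows that a certificate from an unrelated CA is rejected, and checks that the key recovered from the .p12 matches its certificate. The directory layout, the inline openssl.cnf, the "rogue" CA, the p12 password and the CLIENT_CERT_DEMO flag are assumptions.

```shell
#!/bin/sh
# Added example, not the post's script: build the CA and client cert,
# bundle them, then verify the things the post's commands do not check.
# Directory names, subjects, the rogue CA and the demo flag are assumptions.
set -eu

# Minimal OpenSSL config: req insists on one, and the extension sections
# mark the CA as a CA and the client certificate as a client-auth leaf.
write_cnf() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# build_pki DIR CA_CN P12_PASSWORD: ca.key/ca.crt, client.key/client.crt, client.p12
build_pki() {
    dir=$1; ca_cn=$2; p12pass=$3
    mkdir -p "$dir"
    write_cnf "$dir/openssl.cnf"
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$dir/ca.key" -days 365 \
        -config "$dir/openssl.cnf" -extensions v3_ca \
        -subj "/C=AU/ST=NSW/L=Sydney/O=ORG CO/OU=Domains/CN=$ca_cn" \
        -out "$dir/ca.crt"
    openssl genrsa -out "$dir/client.key" 2048 2>/dev/null
    openssl req -new -key "$dir/client.key" -config "$dir/openssl.cnf" \
        -subj "/C=AU/ST=NSW/L=Sydney/O=ORG CO/OU=Domains/CN=Private Cert" \
        -out "$dir/client.csr"
    openssl x509 -req -days 365 -in "$dir/client.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/openssl.cnf" -extensions v3_client \
        -out "$dir/client.crt" 2>/dev/null
    # password-protected bundle for the browser / keychain import
    openssl pkcs12 -export -clcerts -in "$dir/client.crt" -inkey "$dir/client.key" \
        -passout "pass:$p12pass" -out "$dir/client.p12"
}

# split_p12 P12 PASSWORD OUTDIR: the two separate PEM files curl wants
split_p12() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$3/from_p12.crt"
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$3/from_p12.key"
    chmod 600 "$3/from_p12.key"   # the key comes out unencrypted
}

# verify_client CA_CERT CERT: 0 only if CERT chains to CA_CERT and may be used for client auth
verify_client() {
    openssl verify -CAfile "$1" -purpose sslclient "$2" >/dev/null 2>&1
}

# subject_dn CERT: the subject in the slash form Apache exports as SSL_CLIENT_S_DN
subject_dn() {
    openssl x509 -in "$1" -noout -subject -nameopt compat | sed 's/^subject= *//'
}

# key_matches_cert KEY CERT: 0 if the public half of KEY is the one in CERT
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Run directly with CLIENT_CERT_DEMO=1 to populate ~/sslworking as in the post
if [ "${CLIENT_CERT_DEMO:-0}" = 1 ]; then
    work=${SSLWORKING:-$HOME/sslworking}
    build_pki "$work" dalek-caan.clom.intra changeit
    verify_client "$work/ca.crt" "$work/client.crt" && echo "client.crt chains to ca.crt"
    echo "SSL_CLIENT_S_DN would be: $(subject_dn "$work/client.crt")"
fi
```

The openssl verify step is the same check Apache performs at handshake time, so running it in the working directory tells you before deploying whether the CA file and the client certificate actually belong together; -purpose sslclient additionally insists on the extendedKeyUsage that the original bare x509 -req commands never set.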

Reverse SSH Tunnels – Remote Access made Simple

Let's say you drop a box in an environment with a hostile firewall manager, and you need to log in to it regularly to perform some maintenance, or only in emergencies when everything is going down fast.

While you could convince the destination for your hardware to open all these fancy firewall ports, a simple way might be reverse SSH tunnels that originate from the box, out to your data centre.

Reverse SSH connections are pretty simple: you initiate an SSH connection from the target box out to your own host, with a reverse port forward, such as:

(From the box behind the firewall, which cannot be reached directly)

steve@search-a: ssh -R 4000:localhost:22 chocolatebunny@dalek-caan.clom.intra

-R 4000:localhost:22 asks the sshd on dalek-caan to listen on its own port 4000 (bound to loopback by default) and hand each connection back through the tunnel to port 22 on search-a.

* Note, you can even do this with an SSH Key so that you don’t have to manually do it, but rather do it via some kind of automation.

Now, on dalek-caan, you can connect through the tunnel back to the target machine. In our case we reach search-a by punching in:

steve@dalek-caan: ssh root@localhost -p 4000

Anyone with a shell on dalek-caan can reach that port, so the tunnel is only as safe as dalek-caan's user list; log in to search-a as an unprivileged account with key authentication rather than as root where you can.

The great thing about reverse SSH tunnels is that you can also run the destination sshd on a standard web or SSL port, i.e. set up an sshd on port 443 on dalek-caan, which most environments will allow out without too much trouble.

Hope this helps.
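The automation hinted at above (tunnel from a key, no human at the keyboard) as an added example; this is not the post's script. It keeps the tunnel from search-a up by re-running ssh whenever it drops, and restricts the key's authorized_keys entry on dalek-caan so that whoever gets hold of search-a ends up with nothing on dalek-caan except that one port forward. The tunnel account name, key path and retry interval are assumptions; the hosts and ports are the post's.

```shell
#!/bin/sh
# Added example, not the post's: keep the reverse tunnel from search-a up
# unattended, and restrict the key it uses so that whoever owns search-a gets
# nothing on dalek-caan except that one port forward. The account name,
# key path and retry interval are assumptions; hosts and ports are the post's.
set -eu

REMOTE_USER=${REMOTE_USER:-tunnel}
REMOTE_HOST=${REMOTE_HOST:-dalek-caan.clom.intra}
REMOTE_PORT=${REMOTE_PORT:-4000}       # opened on dalek-caan's loopback
LOCAL_SSH_PORT=${LOCAL_SSH_PORT:-22}   # sshd on search-a
KEY=${KEY:-$HOME/.ssh/tunnel_ed25519}

# authorized_keys options for the tunnel account on dalek-caan: no shell,
# pty, agent or X11 forwarding, and the only -R bind allowed is our port.
# "restrict" needs OpenSSH 7.2+, "permitlisten" 7.8+; the order matters,
# since "restrict" turns everything off and "port-forwarding" re-enables it.
tunnel_key_options() {
    printf 'restrict,port-forwarding,permitlisten="%s"' "$1"
}

# Arguments for the ssh client: -N (no remote command), exit rather than
# run on silently if the forward cannot be bound, keepalives so a dropped
# NAT entry is noticed within about a minute, and never prompt for anything.
tunnel_args() {
    printf '%s' "-N -o ExitOnForwardFailure=yes -o ServerAliveInterval=20 -o ServerAliveCountMax=3 -o BatchMode=yes -i $KEY -R $REMOTE_PORT:localhost:$LOCAL_SSH_PORT $REMOTE_USER@$REMOTE_HOST"
}

# Run forever, re-establishing the tunnel whenever ssh exits
tunnel_loop() {
    while :; do
        # word-splitting of the argument string is intended here
        ssh $(tunnel_args) || true
        sleep "${RETRY_SECONDS:-30}"
    done
}

case "${1:-}" in
    run)     tunnel_loop ;;
    keyopts) tunnel_key_options "$REMOTE_PORT"; echo ;;
esac
```

Run it as `tunnel.sh keyopts` once to get the options to prepend to the key line in ~tunnel/.ssh/authorized_keys on dalek-caan, then start `tunnel.sh run` from cron @reboot or a service manager on search-a. Because the key can only bind the agreed port, a compromised search-a cannot use it to open a shell or a SOCKS proxy on dalek-caan.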

Stale GPG Keys on Older Versions of Debian

Ok, something that happens from time to time is that your apt public keys go stale and you get this warning:

W: GPG error: squeeze-updates Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY XXXXXXXXXXXXXXXX

It doesn't even matter what the key is.

There is a quick two step solution to this:

gpg --keyserver <your keyserver> --recv-key XXXXXXXXXXXXXXXX

Replace XXXXXXXXXXXXXXXX with whatever key ID was failing, e.g. 934FAX62FF9251X3, and <your keyserver> with the keyserver you use. Before going further, check the key's fingerprint (gpg --fingerprint XXXXXXXXXXXXXXXX) against the one Debian publishes: the key ID in the warning is not proof of anything by itself, and whatever you hand to apt-key is trusted for every repository on the box.

Then we run a combined command: first export the key to standard output, then feed that output to apt-key:

gpg -a --export XXXXXXXXXXXXXXXX | apt-key add -

(The | tells your shell to "pipe" the output of the first program, gpg, into the next program, apt-key. The - on the end tells apt-key to read its input from that pipe instead of from a file. Simple!)

This should result in a simple output of:

OK
And you’re done.

Installing VMware Tools on Debian

Here's something I have to do regularly when installing a new VM on the farm. Follow these steps and you should be up and running pretty quickly; the same procedure has worked on every Debian release I've installed this way.

1. Right click on your VM and go to Guest > Install VMWare Tools and accept the popup.

2. Then do the following as one copy and paste step:
mkdir /vmwaretools
cd /vmwaretools
mount /dev/cdrom /mnt
tar xzf /mnt/VMwareTools*
umount /mnt
apt-get update

3. Then do this one:

apt-get install gcc make linux-headers-$(uname -r)

4. If all goes well, do these two:

cd vmware-tools-distrib
./vmware-install.pl

5. The above, needs lots of interaction, but once you’re done:

cd ..
rm -rf vmware-tools-distrib
shutdown -r now

Now you should be done!

Music and the Brain

It’s something that’s kinda fascinating. Music has the power to move you, make you tap your feet, bop, sing, hum, dance and more. Everyone has a different taste in music, some have an eclectic taste and others stick to what they know. Some function better with music, others without. Some people are moved by what they hear, some gain deep insights, reflect, gain respect or generally shift their attitudes depending on what they hear.

Is music food for the soul, or is it a reflection of the soul. Whichever way you think about it, music has a profound impact on a human. Take Pop music, which is easy to consume and the most prolific. As the fast food of the music industry it’s mass produced, cheap and relatively lacking in any form of nourishment. The true ‘music connoisseur’ might catch the occasional moving element to a pop song, much like the good tasting vegetarian gnocchi that you thought had meat in it, while others will see many pop songs as the most amazeballs thing they have ever heard in their whole lives ever.

The hipster music scene (not singling you folks out, I promise I've thought of words I haven't written yet) is interesting. Friends of mine actively seek out what I feel is the most bizarre and painful music to listen to, yet I'm convinced if I listen to Vampire Weekend too long I'll probably like it. Punk, in its attempt to be anti-establishment, became the establishment, and we were promised rock would corrupt our teens, but Don McLean flipped it all on its head and asked if it'd save our mortal soul.

Physically speaking music offers us nothing. Stuck on a deserted island with nothing but your iPod, it would only be a few days before you hated yourself for loading the entire Depeche Mode catalogue, if the battery even lasted that long. It would probably be a tragic race to the death, between you and your iPod battery. The cultist in you eventually believing Jobs built some kind of Cylon resurrection ship into every one ever built.

So what is it that makes you well up, get angry, move faster, cheer up, get sad, reflect or get nostalgic when you listen to music? Neurologically speaking in your brain there are some intensely pleasurable responses to music which correlate with activity in regions implicated in reward and emotion. Ok, so basically the tones, sounds and vibrations being passed between Grooveshark and your brain equates to a uniquely pleasurable experience, triggering all kinds of ‘nice’ feelings. Let’s not forget though, they are merely vibrations, tones, samples and other pieces of noise all put together into a pleasurable package of vibrating air. Weird.

There’s plenty of evidence around music and memory, we know that music is attributed to memory triggers, explaining why when you listen to music regularly some folks associate mental pictures, scenes or ‘clips’ in their head to various pieces or subsets of music. Then there’s also the use of music in the treatment of dementia and in those with psychological issues.

Bass, perhaps one of my favourite parts of music, is a low frequency vibration that travels quite far over the rest of the frequencies generated in music. It’s why you can hear the local ‘doof doof’ cars well before you can see them and what gives them their distinctive sound. Bass, is the part of music you feel in your stomach ‘deep’ down because it penetrates further, something perhaps all the unborn children of the world feel first. When we listen to music on speakers, or live, bass is the vibration that goes the farthest, the slowest, high pitched tones travel fast but are short lived, so each and every individual person in the crowd experiences a song differently. Cool huh? Deaf people feel plenty of music. Using visual influences around them to piece together a totally different and unique experience. It gives us all confidence that Dubstep sounds like two robots having angry sex, to everyone.

The power of music is even recognised by some serious researchers, Oxford put out a handbook on music for psychology and it’s not limited to the hearing enabled. It’s been found that music does alter mood states, improve relaxation, affects language acquisition, literacy, numeracy, measures of intelligence, concentration and emotional sensitivity – amongst other things. Music stimulates the right side of the brain as a creative element, but also the left side, your brain seemingly enjoys and derives a great deal of pleasure out of listening to it. And then there are braingasms, or the autonomous sensory meridian response as it’s more formally known, which are small ‘events’ described as an orgasm of the brain which is triggered by things like, sounds.

So think about it, the next time you’re listening to music and ask yourself, is this pleasurable, why, what part of it is most pleasurable and what does my brain want to do, because after all, you may have one hand in your pocket, but the other one could very well be playing the piano.

Auspost Attempted Delivery

You may have seen it all before. You order something online and have the delivery sent to your home address. Then immediately regret it, because you know exactly what comes next. Days of frustration, anticipation and anxiety.

I’m talking about the dreaded “Australia Post attempted delivery of your parcel…” message / card.


The first thing you do, is try to rationalise which day the parcel is going to arrive. You plan it out with some wizardry. Like trying to calculate the rate of decline of an orbiting satellite along with the weather and other atmospheric conditions that will ultimately affect the final resting location of your rock, you calculate your parcel will arrive on Thursday.


Should you take the morning off? Will it arrive in the afternoon? They’ve given you a tracking number, so you log in every 5 minutes to check to see if they’ve updated it. You quickly interpret the changes in information as your parcel moves from conveyor to conveyor, until ultimately it hits the back of a truck. “Onboard for delivery.”. YES you think to yourself, this is it! All of my training, planning and preparedness have paid off. Now to execute the perfect hand off, be there at the right time to ensure that the delivery man attends.

You strand your loved one at home, safe in the knowledge that they’ll be there to intercept your parcel so the ordeal can end there and then. You tell them it’s for the greater good, you kiss them goodbye and wish them well.


“Australia Post attempted delivery” – no you didn’t you filthy liars.

Your stranded loved one pleads with you over the phone. “I was there! I didn’t have my headphones on! I had the music down so low I could hear the old man muttering to himself three doors down”. It’s time to choose sides, your loved one and their pleas for mercy, or Australia Post, the faceless organisation who has burned you before.

You choose to believe that no one is at fault. “Hey” you think to yourself, “No one is out to get me, my loved one must have been using the blender, or the kettle was boiling, or they dropped a pan, then slammed the cupboard at the exact moment that the postman was knocking with an UNQUESTIONABLE DETERMINATION on the door, until his hands were red and sore from beating on the door to gain attention from within, only to exhaust all options and walk away defeated, all the while the noise of the kettle, pots and pans or some other freakishly timed events within preventing your loved one from hearing the calls of your valiant Australia Post delivery man.”

You make your second mistake, you look at where the delivery has been ‘delivered’ for your ‘convenience’ to collect within 72 hours. It’s Ethiopia.

It may as well be. You can’t drive to the postal location because there’s no parking, or it’s a school zone, next to a shopping strip that doesn’t have its own parking. It’s right near a speed camera, on a one way street, down a dark alley on a hill that’s guarded by the riders of the night.

“Ok,” you think to yourself, “You can do this!”. Step one, return home. You know you can’t collect your spoils without that little paper card they left in your mailbox, or your door, or on the floor because it blew out of the door. You attempt to reconstruct the few parts missing that the snails ate. “Is that a 5?… blast” you think to yourself, “the postal people know how to read swiss letters”.

You take the morning off, because the post office is only open from 9:59am to 10:01am on every second day, that’s not a thursday or Tuesday, when the sun rises between 5:58 and 6:04am on the days after the sun sets with a red haze and lowband cloud cover.

You plan your attack. You’ll be smart, you’ll park a little away because you know you won’t get a spot out the front. You know it’s safer to walk the gauntlet of the local strip mall that it is to attempt to arrive directly at your destination.

Frustration Again, bit of anxiety

“Sorry love, you need to collect this after 3pm”. You call in sick to work. It’s your only hope, you don’t even make an excuse, you just tell them simply “I’m collecting a parcel” and they get it. They sign off with the faintest “good luck”.

You hang around the house, pacing. Your spoils are only a mere hours away. You wait, you pace, you take your mind off it with some daytime tv. 4:06pm. “SHIT”, you think “SHIT, I fell asleep!”. You grab your keys, race out the door “no time to lock the house!” and in your car you go. They close in 54… no 53 minutes and you know they’ll shut the doors early.

As you near the strip mall that announces the post office’s presence you see it, the little red and white P, the flag of the emPire, you dart down the road, do an illegal u-turn, you trawl the front of the store. End to end cars, no space for you, you see another panicked face of the driver heading towards you, you know their pain, but you’ll stop at nothing – NOTHING, even if it means their demise, to beat them to a suitable space.

You race around the corner, “Small car only” PERFECT, you think, “I’ll get my 4WD in there!”. You park at an angle, with the rear of your car half hanging out, you stick on your hazard lights and hope that everyone ‘gets’ it. You leg it to the front of the store and just make it in as a cranky person gives you a huff, then a dry smile “I was just going to lock that”, “I bet you were” you snark to yourself.

You stand in the line, which feels like it takes forever. The 35 people in front of you all seem to want to know why the increase in stamps has been so sharp of late. By the time you reach the front few places in the queue you can recite their response subconsciously, “it goes up every year, but it hasn’t really changed that much in the past few years”. You’re at the front. Someone is muttering as they are walking past you! “YES” you think “Empty counter”. *This counter is closed* “Noooooo” you scream as you fall to your knees.

“NEXT” – excellent, you race, flustered to counter 4 and you shove the little red and white checkered card on their padded little counter puff, and wonder if it makes it easier for them to stamp things, or to buffer the anger of the folks who work there… “Oh, a parcel is it, ID?” you fumble with your wallet. You KNEW this was coming, you didn’t prepare! IDIOT! You clumsily throw your cards all over the floor, sacrificed while you fiddle with the licence which just won’t come out. Success! You go to hand it over and accidentally throw it at her boob. “Sorry” you mutter. “It’s alright love” she says, as she gives you a stern look. “You could have just popped down the side of the queue for a parcel”. How? YOU KNEW THAT! but you didn’t want to bear the judgement of the souls in the queue ahead of you, as somehow you’d be burnt at the stake for attempting to queue-jump for such a trivial visit. Aren’t they all trivial? SOLIDARITY you think, as you mumble “Oh, ok, next time! Thanks.” Lies, you spout, lies to appease the lady with your spoils.

“Hang a tic, it will just be a second” she recites as she turns to head out the back. An hour passes? An hour? Maybe, I can’t remember. In all the time you’ve been fidgeting in the queue and now standing here knowing you’re moments from your goal, NOW your brain can process everything. Operating at 300% its normal speed, your brain cycles through all the things wrong: “Pretty sure that flash was a speed camera, I bet I got a parking fine, I wonder if I turned the stove off, did I really leave the front door open? Oh god, I hope this parcel has all my items and no backorder!” She’s back. “Here you go, thankyou, NEXT” she says without a pause.

You collect all your cards from the floor, why, why did you wait this long? You hold your parcel under your arm and as you pass the remaining few souls in the queue you avert your eyes in shame. This has not been you at your best, don’t make eye contact, just get out!

You return to your car and find a small yellow envelope in the window. You don’t care, it’s been worth it. The $160 visit to the post office is pretty standard. You jump in the driver’s seat, place the parcel on the seat next to you and collapse on the steering wheel for just a moment before honking behind you as someone actually in a small car appears in your side mirror, motioning at you with a cranky face to move your car.

You comply, and as you’re relaxing, smiling and thinking to yourself “I’ve made it! It’s done!” you pull the car out onto the road, start on your journey home and catch a glance of the parcel on the passenger seat. “Dr Rick Montoro”. Wait a minute, you’re not a Dr. You’re not Rick.


A Kinship

For those not accustomed to disability this post may be confronting, so I’m posting this warning right at the top, so you can be sure to read it and decide if you want to continue reading.

This post contains details discussing death and life with a terminal illness.

Quite late Thursday we heard news from a friend with a terminal illness that she was in hospital and her doctors were fairly convinced that she wasn’t going to live much longer. We, of course, were on the first flight we could get on to head to her to say goodbye.

Our friend has something called Eisenmenger’s Syndrome, which means that she’s constantly struggling to breathe, to move blood through her body and fighting against heart failure almost constantly. This is something we are both very familiar with. Eisenmenger’s Syndrome cannot be fixed with surgery alone, it requires a full heart and double lung transplant in order to correct the problems.

When you are dealing day to day with an incurable disease you learn to rate problems accordingly, you change the way you operate across the board. It’s not something you have to do consciously your brain just does it itself. Small things become huge, huge things become small.

Because of the significantly reduced amount of oxygen pumping around an Eiso’s (person with Eisenmenger’s Syndrome and significantly shorter to type) body they can’t do some simple things. Like walk up stairs, or ramps, or far, or sometimes at all. There’s a very good analogy using spoons which you can read here: Spoon Theory

Everything “normal” seems a bit “foreign”, problems and issues get compared to the bigger picture and sometimes this means that I appear cold, or heartless about people going through challenges. You also start to think of accomplishment, achievement and goals differently – your interests and objectives start to deviate considerably from the norm.

Suddenly you’re not moving to a suburb because it’s a beautiful place to live, with great schools; you’re assessing the hospitals and medical clinics. When you go out you look for fun, excitement – a lack of stairs, an elevator and good parking and distances.

This gives people a weird impression of you – you’re difficult to go hang out with, because there’s a list of checks and balances that you have to do, it’s not hard for us, but I can imagine when you don’t have to deal with it, the list seems extreme! So you start to really identify with your “kind”, people who are sick and caring for those who are sick.

Your people become really important – they get you without having to explain it, they get what’s happening and they understand. While I happen to be fit and abled, I get to identify with families and partners and you can just ‘click’ and share stories. For all those involved there’s history, before you’ve even met – you’re all the same, your history is inherited with only the stories that change.

Having been a part of this clique and the military clique I can tell you they are both the same in many ways. The stories, deployments, government oversight, special services, family services, insurance, finance and travel are all your stories and your wars and merits, your surgeries and your episodes are your medals to discuss at length.

This kinship is deeply rooted while you are always aware of the inevitable, the sudden and unexpected sickness and hospitalisation, the strokes, threat of embolism, sudden spike or drop in chemical levels, the knowledge that before you can get transplanted you have to be given a timeframe to die, you work through it all and contemplate a future.

So when you hear one of your kinsmen is at their end, you act. We flew immediately to her and her family and I can’t tell you how surreal that is. You are acutely aware of everything, the insignificance of the parking ticket the woman is getting, the seeming waste of energy the people fighting have – perspective, it gets right up in your face.

Travel time is where all of this happens, but when we got to the hospital and were met with an open embrace by our friend all of this was suddenly gone. The world, was in that room, our universe contained within the walls of the hospital, nothing else mattered and time seemed to stop completely.

We spent the next two days talking about life, adventure, hospital visits, doctors, clinics and perception (a post for another day), the transplant system (another post) and of course death. It was wonderful. Our friend was so content with her future and what was happening to her that we could just talk openly and freely about everything – it was one of the most refreshing conversations I’ve had with a group of people in a long time.

Time went very quickly and by the end of our visit we were all feeling tired but so very happy to have been blessed with spending time with her, and hopefully her with us – we talked about her funeral and the places she loved and of course traded war stories and opinions on the ‘system’.

Returning home we were reminded of the fragility of life itself, the importance of the time we have and of the people we surround ourselves with – and importantly having been able to be there for our friend.

Hang in there.
