Sunday, December 26, 2010

Who Watches the Watchmen?: Google Apps Governance to Protect Private Docs from Administrators

My Company is currently in the process of moving a good deal of our documents over to the Google Docs interface from the various places within our on-line HR system, which we'll be moving away from in the beginning of 2011.

While these documents are mostly public company documents -- forms, templates, etc. -- there is a growing requirement for the ability to store more sensitive company information. We're not talking sensitive financial data or anything, but department-level and project-level documents that should be accessed only by people in those respective groups.

I'm 90% of the way to a solution using group permission assignments, permission inheritance, etc., but one question remains: how do I protect those private docs from me?

While I can personally vouch for myself, there is no way for my company to guarantee that another administrator (or I, for that matter) -- as administrators of the entire structure -- won't abuse our "trickle-down" admin privileges on the documents, especially if we need to administer or support them. Group-based access is great, except the admins are the ones assigning the groups.

This is a pretty big sticking point. Has anyone had experience like this with Google Docs, and if so, do you know a way that (as the Counting Crows put it) I can "keep myself away from me"?

Feel free to leave perspectives / solutions in the comments. I'll update this post if/when I find a solution, and will certainly give credit where it's due. :)

Sunday, December 19, 2010

SunTrust is Awesome.

I wanted to let the world know about some great experiences I've had with SunTrust bank lately. I only have an auto loan through them, but after these interactions, I'm considering moving all my business there. From what I can tell, you should, too.

Currently, I only have an auto loan account with SunTrust (which was set up when I bought my Ford Focus earlier this year.) I was in Washington, DC at the time of the purchase but have moved to Maryland and am in the process of transferring all the auto information (a real treat, let me tell you.) Part of this process involves needing the lienholder (bank) to send the title to the MVA so they can transfer it.

I envisioned hours on hold, tons of transfers, and lots of red tape. I called SunTrust (for the first time), and was surprised to be quickly connected to a person after entering a few options. I was at the MVA and didn't have my account number. No problem; they looked it up with my name and SSN. The rep I talked to transferred me quickly to someone who could help. The call wasn't dropped, and within a few minutes I had the correct fax number and was informed as to exactly how the process would work. Very easy.

Fast-forward a little bit. I re-visited the MVA a few weeks later, and they informed me that they still didn't have the title. I figured there might have been a kink in the process, and the MVA was...well, let's say less than helpful. Not to worry, I called up SunTrust. Again, within one transfer I was connected to someone who knew what the process was (and the initial rep made sure to wait until I was connected). The rep was able to inform me exactly when the title was sent, explain why it probably hadn't gotten there yet, and give me all the information I needed.

But then they went one step further. I informed the rep that I was on sort of a deadline with the MVA (after a certain time, their fee goes from $100 to 6% of the vehicle's value -- obviously a huge increase). The SunTrust rep put me on a brief hold, and came back with a solution: SunTrust would send a custom, signed letter to my address indicating when they had kicked off the process on the earlier date. With this proof, I will now be within the time limit when dealing with the MVA. SunTrust didn't have to do this, and I didn't expect it.

Fast-forward to today. I use Mint.com to manage most of my personal finances (they're great). Since I only have a loan with SunTrust, I don't have access to an on-line account and thus can't get my loan information to Mint. Their web site said you needed a credit or checking account, but I thought with all the success I've had, "why not?" So I called up SunTrust. First rep I talked to said "well, that is normally the case, but hold on, let me check with our on-line representative". Put me on hold for two minutes. When he came back, he told me that they were custom-creating the account for me, and walked me through the setup process. I'll be getting an e-mail tonight or tomorrow with the link to setup my account.

So just to recap, unlike any other financial institution I've used (Wachovia and Bank of America come to mind), my experience with SunTrust has always consisted of the following:
  • Quick access to an actual human being.
  • Representatives who understand my question the first time.
  • Maximum of two transfers to someone who can solve my problem.
  • Hold times are short and courteous
  • Problem has always been solved, including custom solutions that go above-and-beyond my expectations.
If all banks handled transactions this way, banking would have a much better name.

Though it's a hassle, I'm considering moving all my accounts to SunTrust, because businesses who treat customers this way deserve more business.

Other thoughts stemming from this:
  • I hope SunTrust turns out to be the main partner for BankSimple (another site I'm excited about). It seems like they have similar mindsets.
  • Another thing that would be awesome? A company that functions as a "Google Voice" concept for your accounts. Which is to say, you set up an account, and pick the providers, but can swap them out. A company that automates the transfers to other organizations. You deal with them directly, but look at your information for them. This would be a great feature set for Mint, or an organization that works with them.

Update 12/21/2010: After receiving some thanks from the @SunTrust Twitter account, I mentioned I hadn't received the account creation e-mail yet. They re-sent it (ETA 15 minutes). More continued success and great service!

      Thursday, November 11, 2010

      Uncle Tommy

      [Updated with some corrections from Mom.]

      My Great-Uncle Tommy passed away today.

      It's hard to ever pay tribute to someone completely, but I feel like I should at least attempt to do so here, however the scattered thoughts present themselves. The details might be slightly incorrect, but that happens sometimes when there's some myth attached to the man.

      Firstly, to mark the symbolic occasion -- Uncle Tommy was a WWII veteran who launched aircraft off the U.S.S. Enterprise. I believe he was at the battle of Midway. He never really talked about it, likely with good reason. It's pretty symbolically fitting that today would be his day to go.

      There were no noise-canceling headsets for those on the flight deck in those days, so his service accounted for the loss of much of his hearing for his life after the war. Most conversations I had with Uncle Tommy consisted 40% of the word "What?" I remember learning as a little kid that if you wanted Uncle Tommy to hear you, you had to speak loudly. Poor guy probably had to deal with kids incomprehensibly screaming stuff at him all the time.

      He was a big man, in the way that statues are big to a kid. He was a veteran, but someone who was kind. Often quiet, but with a big laugh. He just always seemed sort of larger-than-life to me.

      Some stories -- unfortunately the details are lacking, because I didn't experience them first-hand, but nevertheless, here they are anyway:

      My mom always loved to tell me about the time, for his daughter (my Aunt) Barb's wedding, he went down to the Navy Yard and somehow "acquired" an entire van-full of liquor. I mean we're talking Econo-van sized, full of liquor. And just brought it back and parked it in the yard.

      Also, after my mom's first marriage, when it didn't work out, he told her "why didn't you just tell us at the wedding? We'd have had a party anyway!" -- he was always very supportive like that.

      He loved whiskey -- Jim Beam was his favorite. He was actually a life-time member of the Jim Beam club, I believe. I don't know what this means, but I know it means you probably had to drink a hell of a lot of whiskey to get there. There will be some in his honor this weekend, my brother and I decided.

      Another favorite: My brother was a pretty fearless kid (guess he's still pretty fearless, actually) -- and Uncle Tommy loved to challenge him. My Uncle Tommy and Aunt Peg owned one of the original Levittown houses (yes, that's right folks -- he helped START suburbia), and had an in-ground pool as well. My brother was really really young, and Uncle Tommy dared him to jump in the pool. Without a second thought, my brother -- unable to swim and seemingly without having considered any risks -- said "Okay!" and jumped in. Uncle Tommy promptly had to rescue him, and then deal with my (I imagine very angry) mother.

      Later in life, I remember another incident. A family member of mine has some mental health issues, and had gone off the deep-end with him in a parking lot, talking and acting crazily. Uncle Tommy -- probably a little under twice the age of this family member -- took his bear-paw hands and jacked him up against a van to tell him to knock it off. It worked. You're talking about a guy who I think had already beaten cancer at least once at that point, putting an end to a situation like that. Those huge hands were an enforcer; though he was always loving, you just knew never to trifle with him.

      When I last saw him, he was much smaller in his chair than I'd remembered him -- cancer had claimed a lot of his weight, his motion, and his awareness. He was without his stomach, part of his colon, and part of his lung, which was also collapsed at that point. But he was still, somehow, "big" -- even after beating cancer several times, beaten only by cancer's unlimited re-matches. I realized that it's impossible for him to lose that monumental impression. He is one of the unfortunately ever-dwindling numbers of that "great generation" -- he helped build and shape the world as we know it, and embodied much of what it means to be a man in my eyes.

      Uncle Tommy lived life on his terms. A few days before he became less responsive, he said to one of my relatives, "I'm done." And just like that, he began to go. He lived on his terms, and he passed on his terms, too. Death took orders from him; not vice versa.

      He rarely complained -- I actually don't think I ever once heard him complain about his own situation. The biggest complaint I heard from him the entire time I saw him during that last visit was that he couldn't get rid of his cough. "It sucks," he said. "If I can just get rid of this cough, I'll be fine."

      Well, you're rid of that now, Uncle Tommy, and anything else that ailed you. Rest in peace, and thanks for the time you spent on this Earth.

      Monday, October 25, 2010

      Tip: apt-get can't find any package in Ubuntu Maverick 10.10? Rename Your Repositories.

      It appears that the shipped version of Ubuntu Maverick 10.10 (at least the server version) comes with repository server URLs that are incorrect -- or at least non-functioning. I discovered this the hard way after much trial, error, and self-doubt. I hope the masses benefit from my suffering. :)


      The symptoms:

      • Can connect to the network
      • Can run "sudo apt-get update"
      • Can run "sudo apt-get upgrade"
      • Cannot run "sudo apt-get install [package name]" for ANY package.

      The Solution:

      • Open the sources list for editing: sudo nano /etc/apt/sources.list
      • Change every "http://us.archive.ubuntu.com" to "http://archive.ubuntu.com".
      • Uncomment the lines that start with "deb" or "deb-src" that you actually want enabled (only if you know what you're doing; the deb-src lines are only needed if you build packages from source). NOTE: Make sure that the text starts the line (i.e. don't leave a space -- bad practice).
      • CTRL + X, then Y to confirm, then Enter to save under the current file name.
      • Run sudo apt-get update
      • Run sudo apt-get upgrade
      • Badda-bing, it works!
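If you would rather script the mirror change than edit it by hand, here is the same rewrite done with sed. This is an example added by the editor, not part of the original tip: the hostnames default to the ones named above, while the function names and the .bak backup suffix are this example's own choices.

```shell
#!/bin/sh
# Added example (editor's, not from the original post): rewrite the Ubuntu
# mirror hostname in a sources.list file in place, keeping a backup so the
# change can be reverted. Run as root (sudo) for the real /etc/apt/sources.list.

fix_ubuntu_mirror() {
    file="${1:-/etc/apt/sources.list}"
    old_host="${2:-us.archive.ubuntu.com}"
    new_host="${3:-archive.ubuntu.com}"

    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }

    # One backup copy; 'mv file.bak file' undoes the change.
    cp -p "$file" "$file.bak" || return 1

    # Only the mirror hostname changes. Lines for other hosts
    # (security.ubuntu.com) and commented-out entries that do not mention
    # the old host are left untouched. '#' is the sed delimiter because the
    # pattern itself contains slashes.
    sed -i "s#http://${old_host}/#http://${new_host}/#g" "$file"
}

count_mirror_refs() {
    # Number of lines in file $1 that point at host $2 (prints 0 when none).
    grep -c "http://$2/" "$1" || true
}

# Typical use, then refresh the package indexes from the new mirror:
#   fix_ubuntu_mirror && apt-get update && apt-get upgrade
```

count_mirror_refs is there so you can confirm the edit before running apt-get update: the count for the old host should drop to zero and the security.ubuntu.com line should be untouched.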

      Not sure if this is an ongoing or temporary issue, but hopefully this will be fixed by the team in time one way or another. One thing worth knowing: swapping the mirror hostname doesn't weaken anything on the security side. apt verifies the signed Release file it downloads against the keys in its trusted keyring no matter which host served it, so a broken or stale mirror can fail to give you packages, but it can't feed you altered ones.

      NOTE: This is a bit of short-hand post, meant mostly as a reference for those who know their way around a little. If you have any questions, please ask in the comments, and I'll be happy to help!

      For the full discussion, please see the thread on ServerFault.com

      Thanks for reading. Any clarifications or other tips regarding this? Sound off in the comments -- all are welcome! :)

      Tuesday, October 12, 2010

      Truth in Advertising

      Looking over a post I recently made about restricting IP access with Tomcat server, I noticed the following banner ad (highlighting is mine):


      Google gets it.

      (P.S. I have one already, but thanks, Google)

      Monday, October 04, 2010

      Politics: Extremism Cannot be Fought With Censorship

      I received this e-mail from a campaign that I'm somehow subscribed to:

      Dear Sean,


      It's happened to all of us. You're in a public place and FOX News is on TV. You sit and simmer, or pack up and move on. You can't bear the idea that the lies, distortions and race-baiting that FOX News uses to divide our country are being promoted as mainstream news.
      FOX is poisonous — and it spreads and is legitimized partly through public TVs. It's why CREDO is joining with Color of Change to launch Turn Off FOX — a massive campaign to get FOX turned off in stores, restaurants, and other public places.

      Will you join us in calling on businesses in your community and across the country to stop airing FOX, and declare your own household a "FOX-free zone"? With thousands of our signatures to back them up, Turn Off FOX members will visit local businesses that play FOX, explain how divisive and dangerous it is, and ask them to turn it off.

      Please take a moment to add your voice — you'll get a FREE "Turn Off FOX" sticker, and we'll tell you how to get more involved.
      Some people watch Fox at home because it reflects their view of the world; but there are others who see it on TV in public places and assume that it's legitimate news. FOX News is often on in bars, restaurants, airport lounges, stores — appearing to be real news, while spreading lies, hate, division and promoting the political agenda that was confirmed with FOX parent company News Corporation's $1 million contribution to elect Republican governors.

      The goal of Turn Off FOX is to reduce the number of public TVs showing FOX News, while spreading the word about FOX's poison (and how it works) to those who don't know.

      Signing up for the campaign is just the first step. We make it easy for you to tell us about businesses playing FOX. If you're willing to talk with them, we'll provide you with straightforward materials that explain why they shouldn't be a party to what FOX is doing. And if there are businesses you know that want to tell the world they would never play FOX, you can help them declare themselves a "FOX-free zone."


      As businesses Turn off FOX and stand up as FOX Free, and as we encourage our friends and family to do the same, we'll help make clear, to people across the country, what FOX is about. And we'll reduce their ability to do harm.

      Thoughts on this:

      • Both sides need to be heard in a debate.
      • The best way to battle Fox isn't to censor them, it's to highlight the flaws in what they say.

      The e-mail I sent back:

      As a moderate, this campaign concerns me. I don't like Fox, and I certainly don't agree with 99% of its content, and agree with the statements made about its divisiveness.

      However, the way to further an agenda isn't to tune Fox out of the public consciousness -- that simply won't happen. The way to change the tide of opinion, if anything, is to use Fox to open up public discourse on the things that it does wrong. Point to examples, provide facts. Don't limit Fox's airtime -- that seems like a half-hearted, slightly disingenuous way to counter the news.

      Get Fox out there on the TVs or start a "Fox watchdog" group to fact-check and exploit the way that Fox reports news. THEN you'll have my support. Heck, I'd even help you plan / run it.

      But a word of caution to you: limiting either side of a conversation is never a way to make sure that your side is heard. Those are the tactics employed by, well, places like Fox.

      The way to win in the fight against Fox is not to attempt to silence the network -- it's a multi-million dollar corporation and the bottom line is, you're not going to get it turned off. The way to fight Fox is by making sure that when Fox says something divisive or incendiary or false, someone is there to counter it with well-reasoned argument (which is to say, not partisan hackery of the opposite end of the spectrum, either).

      Social change comes not from tactics, but from activism, the key here being that you can’t go around the mountainous obstacle that is Fox – you have to go through it.

       

      Thoughts? Leave ‘em in the comments.

      Thursday, September 30, 2010

      How To: Allow only Specific IP Addresses in Tomcat 6.0

      This one's not exactly under-documented, but I wanted to post here as a reference and in the hopes that someone else might have to not dig around.

      The Problem

      Our client needed to take a webapp down for maintenance (re-organization across the institution) and needed to block access to Tomcat for all users except the specific administrators performing the re-organization).

      The Solution

      Use Tomcat to block all connections with the exception of administrator IP Addresses (which were static to us and known).

      The Steps

      • Open the context.xml file, located in [Tomcat]\conf\context.xml, where [Tomcat] is the base location of your Tomcat server. (This file is the default context for every webapp on the server, so a valve placed here applies to all of them. To restrict only one application, put the same line in that application's META-INF/context.xml instead.)
      • If you've never edited this file before, you should see a line like the following:

          <WatchedResource>WEB-INF/web.xml</WatchedResource>

      • Add the following line directly after the </WatchedResource> tag:

      <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="IP1|IP2|IP3"/>

      • ...where IP1, IP2, IP3, etc. are the IP addresses you would like to allow.
      • Restart the Tomcat server.

      Notes on How it Works

      This valve uses Java regular expressions, so if you decided to get fancy with it, you certainly could (provided you know a little about Java regular expressions). Two things to keep in mind: in Tomcat 6 the allow and deny attributes are comma-separated lists of patterns, each of which must match the whole remote address (java.util.regex.Pattern.matches(), not a substring search), and a bare "." is a regex wildcard, not a literal dot. For our purposes the pipe ("|") character in between the IP addresses works as an "or" operator, which is fine, but escape the dots (127\.0\.0\.1 rather than 127.0.0.1, as the Tomcat docs do) so the pattern means exactly the address you wrote.

      Note that once an allow attribute is present, every address it does not match is rejected with an HTTP 403.

      If you'd like to allow all connections except certain IP addresses, use the "deny" attribute instead; all connections will be allowed except those matching the deny patterns, which also use Java regular expressions. Both attributes can be set on one valve, and deny is evaluated first, so an address that matches both is rejected.

      You don't need to stack valves to get "deny everything except these": a single RemoteAddrValve with only an allow attribute already does that. Tomcat does let you chain several valves in a pipeline, but a second RemoteAddrValve can only narrow things further, since every valve in the chain has to pass the request.

      One important caveat: the valve checks the TCP peer address (request.getRemoteAddr()). If Tomcat sits behind a reverse proxy or load balancer, every client arrives with the proxy's address, so the rule will either block everyone or admit everyone. In that case do the filtering at the proxy, or (Tomcat 6.0.24 and later) put a RemoteIpValve ahead of this valve so the client address from X-Forwarded-For is used, trusting only your own proxy as its source.
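To try an allow/deny setting out before it goes into context.xml, here is a small model of the valve's decision, written by the editor for this page (it is not Tomcat's code and not from the original post). It encodes the Tomcat 6 RequestFilterValve rules: comma-separated Java regexes, whole-address matching, deny before allow, and a configured allow list rejecting everything it does not match. Python's re module stands in for java.util.regex; for the IPv4 patterns used here the two agree. The sample addresses are made up for the example.

```python
"""Added example by the editor: a model of Tomcat 6's RemoteAddrValve
decision, for testing allow/deny patterns offline. Not Tomcat's code."""
import re


def _patterns(attr: str) -> list:
    """Split a comma-separated Tomcat attribute into compiled regexes."""
    return [re.compile(p.strip()) for p in attr.split(",") if p.strip()]


def valve_allows(remote_addr: str, allow: str = "", deny: str = "") -> bool:
    """Return True if the valve would let the request reach the webapp."""
    # 1. Any deny match wins, even if an allow pattern also matches.
    if any(p.fullmatch(remote_addr) for p in _patterns(deny)):
        return False
    # 2. Any allow match passes.
    allows = _patterns(allow)
    if any(p.fullmatch(remote_addr) for p in allows):
        return True
    # 3. No allow list configured means "everyone not denied"; a configured
    #    allow list that did not match means HTTP 403.
    return not allows


def unescaped_dots(attr: str) -> list:
    """Return the patterns in attr where '.' is a regex wildcard, not a dot.

    '10.0.0.5' is accepted by Tomcat but means 10<any>0<any>0<any>5; write
    10\\.0\\.0\\.5 to match only that address. A dot followed by a quantifier
    (the usual '.*') is treated as intentional and not reported.
    """
    bare_dot = re.compile(r"(?<!\\)\.(?![*+?])")
    return [p for p in (x.strip() for x in attr.split(",")) if p and bare_dot.search(p)]


if __name__ == "__main__":
    # Constructed sample: two admin workstations may reach the app during the
    # maintenance window. These addresses are made up for the example.
    ADMIN_ALLOW = r"192\.168\.10\.5,192\.168\.10\.6"
    for addr in ("192.168.10.5", "192.168.10.50", "10.0.0.1"):
        verdict = "pass" if valve_allows(addr, allow=ADMIN_ALLOW) else "403"
        print(f"{addr:15} -> {verdict}")
    print("patterns to fix:", unescaped_dots("192.168.10.5," + ADMIN_ALLOW))
```

The pipe form from the post ("IP1|IP2") is just one pattern with alternation and behaves the same way. Tomcat 7 and later changed allow and deny to a single regular expression rather than a comma-separated list, so there the pipe form is the one to use.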

      Hope this helps!

      Monday, September 13, 2010

      A Tale of Two Platforms: From iPhone to Android and Back Again

      [Ed. Note: This is the first blog post I've done on an actual topic. Please be kind to me, blogosphere -- I'm just learning! Leave me some comments to help me find my way. For starters, I expect to edit this one down soon and add  links to other relevant articles on the interwebs.]

      After trashing Apple and making a long-anticipated switch to Android, two weeks later I was back on an iPhone 4. Why was my Android honeymoon so short-lived and what sent me back into the silicon arms of an abusive tech giant?

      Why I Wanted to Switch

      I've long been a vocal opponent of the way Apple does business -- from their draconian app store, to their willingness to leave operating technology in the dust for the sake of forced upgrades, to their "technologier-than-thou" attitude in the public spotlight. I owned an iPhone 3G, but with the birth of Android and all the bad Apple press (which I agreed with), I couldn't wait to move away from the iOS platform.
      Why go to Android? The list was extensive, but a few of my top reasons were: 
      • The ability to load apps that I wanted and to more easily program for the platform.
      • The openness of the Android Market
      • Replaceable batteries (and the capability of extra batteries)
      • Expandable storage
      • A notifications area (no more awful push notifications!)
      • Multi-tasking capabilities (the iPhone 3G was incapable of it by Apple's standards, except then I jailbroke it and it worked perfectly)
      • In general, a more "open" ecosystem.
      After the iOS upgrades turned my 3G -- which otherwise had served me reasonably well -- into iMolasses, I was fed up. "I've had enough!" I proclaimed to friends -- "I'm switching to Android!" ...and then some time went by and I finally put some upgrade where my mouth was. I switched to the Samsung Captivate on AT&T (AT&T's variant of the Samsung Galaxy S).
      But, I didn't get what I expected.

      AT&T (and carriers in general) are Killing Android

      My first experience with an Android phone went something like this:
      I was incredibly happy to walk out of the AT&T store with my Captivate. I turned on the phone, was impressed with the screen quality and speed and other things that a latest-generation smartphone user would be impressed with. After going through the initial setup process, I selected my first app to use -- "Where", a location-based directory app that was pre-loaded on the phone. This program had been available for the iPhone and was pretty straightforward to use/test.
      Upon diving in and opening the app, I received a "Terms & Conditions" message box, which I instinctively agreed to -- and as I did, noticed some disturbing fine print. On Android/AT&T, this app had been turned into a subscription app -- to use this pre-loaded app, I unwittingly agreed to allow AT&T to charge me $2.99 per month after the first 30 days. Naturally, I was not pleased.
      But the application still worked, right? Well...not really. To be fair, this was more likely due to the GPS problems with the Galaxy S in general, but the application could not find my location or display data properly. Okay, I said -- I can get over that. Carriers need to make money, too, and though I don't agree with this method, I did click yes to the terms, after all. I would just avoid the "crapware" that AT&T loaded (a lot of it, for the record).
      So, next up, I decided to load a great utility, PdaNet, because I'd paid for it before only to find out that I had to jailbreak my iPhone 3G to use it (a point of contention with me). But Android Market wasn't the locked down app store, and I was excited to finally be able to access it. Except...when I searched for it, it wasn't there. I know the popularity of this application -- surely it would be listed in the market? It turns out, it is listed, but AT&T censored the Android Market results. AppBrain found the application, but upon attempting to install or update, the package could not be found. I searched on-line and found that this was something AT&T had done. But certainly I could side-load apps, right? Nope. AT&T had taken that ability away, too.
      I hate to use the pun -- I truly do -- but this was not the 'droid I was looking for. I've heard similar things about other carriers -- crapware, custom UIs, lockdowns, and other carrier-introduced features are effectively destroying the intended Android experience.

       

      "Closed" vs. the Myth of "open"

      Apple's App Store is famously closed -- apps are reviewed, verified, inspected and occasionally denied admittance based on (previously) unpublished and seemingly arbitrary guidelines. However, this is the way Apple has always been. I knew that going in, and nothing has changed since (though Apple did relax its restrictions on 3rd-party development apps and publish its app review guidelines).
      One thing I will say -- while Apple was "closed" about its ecosystem, these restrictions never went so far as to actually be a hassle for me. They were restrictions I disagreed with deeply, and that made it a pain point for me, but none of my actual productivity or experience was hampered (need something that's not allowed? There's a jailbreak for that.)
      However, as offended as I am by a closed ecosystem, it's nothing compared to how angry I was at an ecosystem that pretended to be open. Switching to Android, I found the same roadblocks I encountered with the iPhone -- only in this case, I hadn't expected to encounter them, and wasn't supposed to. 
      Android is a fantastic open-source product -- until the carriers get their dirty, grubby paws on it. Then it is locked down, the source code is hidden, features are removed, the UI is stripped of its functionality, and it's published as Android when in reality, it's another OS entirely.
      Android -- and the promise of Android to deliver us from the clutches of ecosystems like Apple's -- comes with a set of expectations, and the carriers have all but abandoned those principles in its implementation. In my opinion, this proves to be much more damning and hurtful to the mobile arena.
       

      The Android Time Sink

      I'm by no means a novice phone or device user, and one of my favorite things is to tinker with a new gadget. I was actually excited to get under the hood of Android, deep into the settings, and customize it to work exactly how I wanted. But, almost 2 weeks in, my phone still didn't do nearly what I wanted it to.
      Synchronize only a subset of my contacts? No, I had to pull down all 1600 of them. Alerts? Still scattered all over my phone and going off even with Silent mode turned on. Daily workflow? I found myself messing with all sorts of settings just to get through an average day.
      Working with Android makes me realize that a proper analogy for comparison would be cars. Android is great for "mechanics" -- those who like getting under the hood and messing with something to see how it works for its own sake will love it. But most people just want a car to get them places in a pleasing way. After two weeks of experienced tinkering, reading, and adjustment, my phone still did not fit smoothly into my standard day-to-day life. The phone had become the center of my productivity, when it should have been my productivity that became the center of my phone. I don't want to be playing with my phone all the time; I want to be accomplishing things with my phone.

      Where Apple Shines: Appreciating a Thorough Experience


      Say whatever you want about Apple politically (and the things I say don't tend to be nice), but one place where iOS is undeniably king is making things work without you noticing how they're working, or even that they're working in the first place.
      Within one hour, I had my e-mail/calendar (both work & personal), contacts, apps, notes, feeds, articles, music, and videos set up, connected and synced exactly the way I wanted them to be, and haven't had to change a setting since. That's powerful stuff.
      The truth is, I hadn't noticed Apple's UI consistency until it wasn't there. Like all good design, it felt natural and intuitive, and going back to it after the scatterbrained and varied nature of Android is like a breath of fresh air. Even the frustrating things about iOS (push notifications, etc.) are at least consistently frustrating.

      How Android can Save Itself

      All is not lost, and I think Google has the ability to save the Android platform before it's too late.
      What does Android need to do?

      1. Google needs to wrestle control away from the carriers. Carriers have taken Android's good name and reduced it to a second-class mobile OS. Google has the finances and industry power to get tough with its licensing, and now that Android is accepted as the main alternative to iOS in the smartphone world, Google needs to treat it like such and lead the charge against carriers wrecking its product.
      2. UI consistency standards need to be agreed upon and passionately enforced; branding should be relegated to the hardware. A part of removing carrier control should be to disallow any UI modifications that users don't explicitly authorize. Users deserve to start on the same level as all other Android products, and carrier UIs should succeed on the basis of their merits, not carrier lockdown. Let carriers compete to be offering the best phones that run Android, and not trying to differentiate themselves through crapware and UI branding that does nothing but give Android a bad name.
      3. Open needs to commit to being open to realize its full potential. Android has more potential than any OS because its ecosystem wants to be open. If it embraces this mantra in an unwavering way, and backs it up, it will rightly dominate the smartphone OS market.
      For now, I'll wait to see if Android grows up into the power mobile OS that I know it can be.

      Saturday, September 11, 2010

      I was featured on the Charity:Water blog!

      I was featured on the Charity: Water blog!

      Check it out here. I'm the one next to the cupcake.
      Then, please consider donating to a good cause.
      You can also follow Charity : Water on twitter.

      Wednesday, September 01, 2010

      My birthday gift to the world -- A Charity: Water campaign

      Hi everyone,

      This year, for my 24th birthday, I wanted to do something different. Inspired by Chris Sacca and the Charity: Water project, I want to try to donate $500 by September 30th, which I hope will be easily accomplished.

      Please donate here: Charity: Water -- Sean's 24th Birthday.

      I'll appreciate it, but the 25 people (5 families) with clean drinking water will appreciate it the most.

      I've donated $5 to my own campaign to prove that I'm willing to put my money where my birthday-cake-eating mouth is.

      I'm lucky as hell to be where I am, and hope those who know me will help support me in helping others.

      Thanks!

      Tuesday, August 31, 2010

      How To: Enforce TLS Encryption on Tomcat Server 6.0

      Note: I should begin this post by saying that I’m no expert on SSL or TLS encryption or the “handshakes” and negotiations that browsers and servers go through when giving the user a connection to secure material. Feel free to jump in on the comments if I get the terminology or methodology wrong.
      As far as I understand it: SSLv2 is long broken and should never be enabled, SSLv3 is the legacy fallback (and was itself shown to be exploitable years later, with POODLE in 2014), and TLSv1 (its successor) is about the most you can count on from a standard web browser today. TLS 1.1 and 1.2 are already specified (RFC 4346, RFC 5246), but most browsers don't enable them by default.
      Recently, I was tasked with setting up a Tomcat server to enforce TLS for a government client. We had already defined a server.xml file that specified "TLSv1" as the sslProtocol and (we thought) AES encryption. However, apparently Tomcat 6.0 doesn't strictly enforce TLS that way: sslProtocol only names the algorithm handed to SSLContext.getInstance(), and the server socket still enables every protocol version the JVM offers, SSLv3 and the SSLv2Hello pseudo-protocol included. That is to say, if TLSv1 is not enabled on the browser, but SSL is, the server will "fall back" to SSLv3 in the hopes of displaying the content -- I suppose it takes the "well, SSL is better than nothing" approach.
      However, this wasn't going to fly for my client -- an institution with strict security rules for its web applications -- which, really, is a good thing. If TLSv1 wasn't enabled properly, the site shouldn't display, even if SSL is enabled.
      I looked around for how to do this, and to my surprise, it was incredibly difficult to find. After a great deal of Google searches and frustration, I finally found this post on the old, archived Tomcat developers listserv/group [Note: I am currently working on finding the source link again. Will update when I do.] It turns out that there's another attribute you can add to your server connector in server.xml -- the "protocols" attribute. It is exactly the pluralization it looks like: a comma-separated list of the protocol versions the connector enables on the socket (later Tomcat releases call the same setting "sslEnabledProtocols"), so "TLSv1" alone means SSLv3 is never offered. Two related corrections to our original config: the cipher-suite list is set with "ciphers" (plural, using JSSE suite names), and an attribute Tomcat doesn't recognise, such as "cipher", is silently ignored rather than rejected, which is exactly how a "secure" connector ends up running on JSSE defaults without anyone noticing.
      So, in short, a Tomcat 6.0 connector in server.xml that enforces TLS looks something like the connector below (I've changed the password to a dummy, of course; and since that keystore password sits in server.xml in the clear, make sure the file is readable only by the account Tomcat runs as):
      <!-- "protocols" is what restricts the handshake; sslProtocol alone does not.
           "ciphers" takes JSSE suite names; AES-256 suites additionally need the
           JCE unlimited-strength policy files on Java 6. -->
      <Connector
      port="8443"
      protocol="HTTP/1.1"
      protocols="TLSv1"
      SSLEnabled="true"
      enableLookups="false"
      acceptCount="100"
      maxThreads="200"
      scheme="https"
      keystoreFile="d:\keystore\.keystore"
      keystorePass="changeme"
      secure="true"
      clientAuth="false"
      sslProtocol="TLSv1"
      ciphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"
      allowUnsafeLegacyRenegotiation="false"
      />
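A way to check a server.xml for exactly these settings, as an example added by the editor (it is not the post's own code and not anything shipped with Tomcat): it walks the Connector elements and reports SSL connectors that rely on sslProtocol alone, enable legacy versions, misspell the cipher attribute, or permit unsafe renegotiation. The server.xml embedded in it is constructed for the example, with port 8443 as the "looks secure but falls back" connector and port 8444 as the corrected one; the attribute semantics are Tomcat 6's.

```python
"""Added example by the editor, not code from the post or from Tomcat.

Audit the SSL connectors in a Tomcat 6 server.xml for the settings the post
is about. Tomcat 6 JSSE connector semantics encoded here: 'sslProtocol' only
names the SSLContext algorithm and does not exclude SSLv3 by itself,
'protocols' (later Tomcat releases: 'sslEnabledProtocols') is the list of
versions actually enabled on the socket, 'ciphers' is the suite list, and
unknown attributes such as 'cipher' are silently ignored.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "SSLv2Hello"}

# Constructed sample server.xml: 8443 falls back to SSLv3, 8444 is corrected.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" sslProtocol="TLSv1"
               cipher="AES" keystoreFile="conf/.keystore" keystorePass="changeme"/>
    <Connector port="8444" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" sslProtocol="TLSv1"
               protocols="TLSv1"
               ciphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"
               allowUnsafeLegacyRenegotiation="false"
               keystoreFile="conf/.keystore" keystorePass="changeme"/>
  </Service>
</Server>
"""


def audit_connector(attrs: Dict[str, str]) -> List[str]:
    """Findings for one <Connector>'s attributes; an empty list means clean."""
    findings: List[str] = []
    if attrs.get("SSLEnabled", "false").lower() != "true":
        return findings  # plain HTTP connector: nothing TLS-specific to check

    # Which protocol versions will the socket really offer?
    enabled = attrs.get("sslEnabledProtocols") or attrs.get("protocols")
    if not enabled:
        findings.append(
            "no 'protocols'/'sslEnabledProtocols': sslProtocol=%r alone leaves "
            "SSLv3 and SSLv2Hello enabled on the socket" % attrs.get("sslProtocol", "TLS"))
    else:
        legacy = sorted(LEGACY_PROTOCOLS & {p.strip() for p in enabled.split(",")})
        if legacy:
            findings.append("legacy protocol(s) enabled: %s" % ", ".join(legacy))

    # Cipher suites: the attribute is 'ciphers'; 'cipher' is ignored by Tomcat.
    if "cipher" in attrs and "ciphers" not in attrs:
        findings.append("'cipher' is not a Tomcat attribute and is ignored; "
                        "use 'ciphers' with JSSE suite names")
    elif "ciphers" not in attrs:
        findings.append("no 'ciphers': the JSSE default suite list is in use")

    if attrs.get("allowUnsafeLegacyRenegotiation", "false").lower() == "true":
        findings.append("allowUnsafeLegacyRenegotiation=true exposes clients to "
                        "the CVE-2009-3555 renegotiation attack")
    return findings


def audit_server_xml(xml_text: str) -> Dict[str, List[str]]:
    """Map each <Connector port=...> to its findings."""
    root = ET.fromstring(xml_text)
    return {c.get("port", "?"): audit_connector(c.attrib) for c in root.iter("Connector")}


if __name__ == "__main__":
    for port, findings in audit_server_xml(SAMPLE_SERVER_XML).items():
        print(port, "OK" if not findings else "")
        for finding in findings:
            print("   -", finding)
```

Running it on your own file is a matter of passing open("conf/server.xml").read() to audit_server_xml. The check is static: it tells you what the configuration asks for, so once the connector is up it is still worth confirming from outside that an SSLv3-only client is refused.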

      I wanted to provide this bit of knowledge as a public service. Would love to hear about your own experiences enforcing TLS or security in Tomcat and other web servers in the comments! Please let me know if you’ve found this useful.

      Site Rebirth

      Hello, everyone! Since redirecting the SeanKilleen.com domain name to WordPress, I’ve been trying to invest more time into revamping the look and content of the site.
      Initially developed as a place to archive old English papers (which I had left up for humor's sake but have since taken down), I'd like to turn this space into a place to discuss technology, theatre, and whatever else suits my fancy.
      As always, I look forward to any feedback and hopefully your readership in the future!