Dabbling at DIY: fixing dripping taps and wiring bathroom extractor fans

This content is 9 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

This week, my blog is in danger of transforming from markwilson.it to markwilson.diy. Fear not, normal service will be resumed soon!

As I’ve worked through the seemingly never-ending list of jobs-that-need-to-be-done-one-day this week, I dabbled in some minor plumbing and electrical work… I thought I’d blog some notes because I’m bound to have to come back to this again one day!

Changing the ceramic valve in a dripping tap

The Franke Panto taps that were installed in our kitchen/utility room have been great – after all, their function is pretty straightforward: all I want a tap to do is look good and dispense water on demand!

Unfortunately the kitchen tap had begun to drip on the cold flow. A mini science experiment with my sons told me it was losing quite a lot of water every day so I turned off the cold supply using the isolator valve below the sink. I couldn’t see how to fix the tap though, so we asked advice from a plumber we’ve worked with before. He didn’t know how to get into the tap but told us it would be the ceramic valve that needed replacing (cue sucking of air through teeth and “it’ll cost you” look) and we might as well get a new tap.

What nonsense! After 3 months of confusion about which part to buy based on my Internet “research” and putting off calling Franke’s spares/service partners for fear of being bamboozled, Central Services were really helpful, a new ceramic valve cost me just over £15 and I installed it myself in 5 minutes…

One of the challenges I had was whereas it seems for many taps you can prise away the cap on the end of the tap (the bit with the red or blue marker on it), ours didn’t work like that as the Panto just has a tiny marker on the front of the tap to show which side is hot/cold. Then I realised that there was a cap on the end – it was on a screw thread, which then exposed the grub screw inside, allowing access to the valve, which was then easily removed with a spanner (after removing the collar that covers it).

Of course, after I had asked a plumber, procrastinated, and finally done the job myself I found this video (ignore the sexist comments if you view it on YouTube…):

Blue and yellow wires for live and neutral?

Another job was to change the old, noisy, bathroom fan for something quieter as part of my preparation for an upcoming bathroom refit. When I took the old one out I was surprised to find that the wiring used red/yellow/blue (what appears to be three-phase wiring) instead of twin and earth.

(My house was built in the 1990s – today the red/yellow/blue would be brown/black/grey.)

I could see that blue was neutral and yellow was live (based on how the old fan was wired) but couldn’t understand why until I found this advice on installing a shower extractor fan. Yellow (now black) is switched live (cf. red/brown for live, not used in my installation).


Short takes: Symbols in Office applications and converting numbers to text in Excel

A few snippets I found on scraps of paper whilst sorting out my office this week…

Shortcuts to symbols in Office applications

Many people will be familiar with typing (c) to generate a © symbol in Microsoft Office applications but you can also use (R) or (TM) for trademark symbols ® and ™. One more that’s useful to know is (e) for the European currency symbol € (at least, it’s useful if your keyboard doesn’t recognise the Euro!).

Another useful code to know is the shortcut to create the symbol used to denote “therefore”, which is ∴ (and doesn’t appear in any dialogs I’ve seen to insert a symbol/special character). In Office applications running on a Windows PC, it’s possible to type ALT+8756 (holding ALT and typing the digits on the numeric keypad) to generate the symbol.

I’ve tried these in Word and OneNote but see no reason why it shouldn’t work in other Office applications. Unfortunately the functionality is limited to Office rather than part of the operating system – it doesn’t seem to work in a browser, or in Notepad for example.

Converting numerical data to text in Excel, or SharePoint, or something like that…

A few months ago I was creating a SharePoint list and wanted to display a unique ID for each entry but couldn’t use calculated values in the title column to base it on the actual ID for the list item (at least not when provisioning via the GUI). I can’t remember the exact circumstances but, looking back at my notes it appears I used the following formula in Excel to create a text version of a numerical cell:


I probably then uploaded that to SharePoint as a list and messed around with the columns displayed in a particular view… although it’s all a bit vague now. I no longer have access to the list I was working on, but it might jog my memory if I have to do something similar again…

Some observations on modern recruiting practices

The weekend before I start a new job seems like an ideal time to comment on my experience of searching for the right role over the last several months.  It’s been a long time since I had to seriously look for work – all of my interviews since late-2003 have been internal, or with organisations where I already had a working relationship – and boy has the world changed!

In many cases, writing a covering letter and attaching your CV seems to have gone out in favour of automated recruitment systems. Recruitment consultants can help get you in the door (the good ones can, anyway) but many organisations only work with certain agencies – so you need to build the right contacts. And LinkedIn is all over the place…

But it’s not all bad – the interview experience should be two way – for the candidate to gauge the potential employer as well as the other way around. That’s why I’m going to write here about two roles I applied for. In both cases I was unsuccessful – for different reasons – and both left me with negative feelings (about the organisation, or about the process). Written at another time it might have sounded like sour grapes; today I hope it won’t!

Organisation A

A friend who works for a large financial services company commented that he’d seen some Solution Architect roles advertised on their job site. Sure enough, there was one which looked a good fit on paper – and it sounded extremely interesting. He referred me internally and I navigated the company’s Oracle Taleo-based job site to apply for the post.

A few weeks later, I was invited to a telephone interview to “describe the role in some more detail and get a better understanding of my experience”. With just a 30 minute telephone interview (and having done my homework on the company’s interview process), I was expecting a fairly high-level discussion with subsequent interviews going into more detail.

What I got was a technical grilling, without any context about what the role entailed, and when I tried to ask questions at the end of the interview (to understand more about the role), it was clear that the interviewer was out of time and overdue for their next appointment.

It was probably the worst interview of my career – I hadn’t performed well, partly because the questioning was not what I expected in a first-stage telephone interview; but also bad because the interviewer was pretty poor at managing the time, representing the company in a good light and allowing the candidate to discover more about the role.

My last contact with the resourcing team was over seven months ago, when they promised that they “would let me know as soon as they have feedback”. That feedback has never come, despite internal chasing, and we’re now way past the time when it would have any value (the interviewer won’t remember anything useful at this late stage). What it has done though is leave me with a poor impression of this particular financial services company – and that impression is one I’m likely to share with others in my professional network. No-one wins in this scenario.

I’ve logged in to the recruitment website this evening and my application is still there… showing as “Submission Status: Interview Process” with the last update dated the day before my interview. Meanwhile the position remains open for applications.

Organisation B

The second job application was with a major national infrastructure organisation. I do admit I allowed myself to get very excited (and then very disappointed) about this one but imagine my joy when I found out that the only person I know in that particular company worked in the department that was hiring. We met up and they told me more about the role, I made sure that my application was the strongest it could be – and then it failed at the first stage.

Even though I’d made sure that the team recruiting for the role knew my application was on its way, analysis of the communication I received from the HR department leads me to believe it failed a keyword search from the automated screening systems. That might sound like a candidate who thinks they are perfect and I’ve seen enough CVs pass over my desk to know that first-round screening can be hit and miss; however, using your network to make sure that the application is expected ought to help a little. Unfortunately it wasn’t to be the case for me. I’ve since learned that one commonly-used trick is to paste the entire job spec into the end of your application, in white text, and a tiny font.

A piece of LinkedIn advice

One piece of advice I received from a recruiter, which seems to have been very worthwhile, is to turn on InMail in LinkedIn (it’s under Privacy and Settings, Manage, Communications, Member Communications, Select the types of messages you’re willing to receive).

Since I enabled InMail, the volume of contact I’ve received has hugely increased. There’s a lot of noise but some of it is worthwhile (especially now recruiters are having to target more carefully) and it may just bring you a contact that leads to a great new opportunity.

And finally

The good news for me is that I have a new role – one I’m really looking forward to starting on Monday. I applied directly via the company website and the interview process has been enjoyable, just as when I was growing my team at Fujitsu and I recruited people who I genuinely enjoyed meeting and talking with about how they would fit in and what we could do to help them achieve their goals.

Now I have a six-month probationary period to navigate but logic tells me all should be well.  The difference with the company I’m joining on Monday is that they were as keen to make sure they would fit me as that I would them. Good recruitment works for all parties – it’s the human part of “human resources” that needs the emphasis!

Windows Media Player keeps re-opening? Stuck key on keyboard?

Being at home this week means that I have had a stack of “jobs” to get through (and I haven’t completed most of them… although at least the decorating is done) but it also means I’m “on call” for family IT issues.

This morning, my wife exclaimed that Windows Media Player was “throbbing” in the taskbar on her Windows 7 computer. Sure enough, there it was, pulsing away to suggest an alert but there was no dialog asking for input. I closed Media Player and it came back; I killed the process via Task Manager and it came back; I did what every self-respecting PC support guy would do and asked when she last rebooted the computer and Mrs W replied that she had already tried that (as every self-respecting user will respond to such advice!)…

Fearing a virus I decided to search the net for advice and found a Tom’s Hardware forum post which suggested it might be a stuck media key. Sure enough, examining the external keyboard showed that was the problem! A quick nudge on the key and Windows Media Player started to behave itself again…

Miscellaneous painting and decorating tips

This week, I’m between jobs (technically, I’m on holiday from Fujitsu, but I’ve already worked my last day there). I was going to spend time sorting out the myriad things that never get done in my home office but, unfortunately, some decorating (ahead of a replacement bathroom) has got in the way and this got me thinking about some decorating tips I’ve picked up over the years:

  • Cheap paints can be a false economy. Almost every wall I’ve ever painted with a DIY (B&Q, Homebase, etc.) paint has looked tired after a while, whilst walls painted with branded paints seem to have kept their finish for longer.  I don’t know how much difference it makes but I always buy Dulux Trade paints from my local decorators’ merchant (Brewers) rather than the consumer Dulux paints from a DIY shed.
  • Having said that it’s sometimes worth buying branded paints, there are jobs where it’s just not worth the expense. All of our ceilings are painted with white emulsion (Albany Supercover), and the high-traffic rooms with magnolia walls (like our halls/stairs/landing) also use decorators’ merchant paints. I’ve just accepted that they need painting more often anyway!
  • There’s no such thing as “one coat” paint – it’s pure marketing! Some paints are thicker than others though and you might get away with fewer coats (for example two coats rather than three when trying to cover a bold colour).
  • Kitchen and bathroom paint is not just a way to sell a more expensive product – it really is moisture-resistant (and I really do wish I’d used it in our en-suite…) but there is an alternative. For my current job, in order to have the finish that I want (matt ceiling, soft sheen walls), I used the same paints as normal but added some VC175 mould-killer to the paint before applying it (as recommended by the Manager at my local decorators’ merchant).
  • Brushes and rollers can be wrapped in cling-film overnight; trays of paint can be placed in a bin liner (folded over to keep the air out). This saves a lot of paint wastage between coats, when you need to come back to the job the next day anyway! Of course, brushes, rollers, etc. should always be properly cleaned when the job is finished.
  • Most decorating jobs will need some holes filling, or minor repairs to plasterwork. After years of fighting with (and losing to) consumer-marketed products like Polyfilla (from Polycell), I found a product that’s really easy to work with and does a great job – unfortunately it only comes in large bags! It’s called Gyproc Easi-Fill and it’s made by British Gypsum. (This tip came via a professional plasterer and was recently reiterated by our bathroom fitter.) Even though I’ve only used a tiny amount of our huge bag of Easi-Fill over the years, it doesn’t seem to have “gone off” and is still working well – I’ve also used it as plaster for modelling purposes.
  • Baby wipes are great for cleaning up – like if you didn’t mask a door handle (because you weren’t painting the door) but it got splattered with specks of emulsion from the roller… actually, baby wipes are great for cleaning all sorts of things!

Just bear in mind that I wouldn’t take IT advice from a professional decorator – so those who paint people’s houses for a living might not entirely agree with my decorating advice!

Replacement PSU for an LCD monitor? If only these things were standardised…

Sod’s law says that, a few hours after I handed in all of Fujitsu’s kit in preparation for leaving the company, my own monitor would stop working…

I had spares, but only old 15″ 4×3 flat panels with VGA connections – this was the only monitor I have that will take an HDMI/DVI signal from my Mac Mini, or my Raspberry Pi so VGA was no good to me here.

As it happened, further investigation showed it wasn’t the monitor itself (although it is 9 years old now) but the power “brick”. I’m sure there are websites that specialise in selling universal power supplies for laptops but I haven’t found one yet for LCD monitors (I needed a 60W/12V/5A supply with a 2.5mm centre-positive tip).

Thankfully, my local Maplin store had something that would do the trick – a little expensive at £37.99 but far cheaper than a new monitor…

It does beg the question though – all mobile phones (except Apple iPhones) come with a standard USB charging cable. Why don’t all TVs/monitors/laptops have similarly standardised power supplies?

Working with the Exchange 2013 Server Role Requirements Calculator

For the last couple of years, I’ve had the privilege of leading a team of talented Exchange and Lync subject matter experts (either directly or more recently as a virtual team).  I’ve tried to keep up my technical skills but inevitably I’m not at the level of detail I once was and, as I switch to a more technical role, I’m expecting to have to re-learn a lot.

Thankfully, I won’t be alone – the team I’m joining is also full of talented subject matter experts – but I will need to stand on my own two feet.

That’s why I thought I’d write this post, with a few notes that are based on a recent conversation when my former colleague Mark Bodley checked over the Exchange calculations I’d used to create a guide price for a customer solution… [I’ve since made a couple of extra edits based on advice from Fujitsu’s resident Exchange Master, Nick Parlow]


To get started, some educated guesses can be made to adjust the defaults:

  • Exchange environment configuration:
    • 64-bit GCs, multi-role servers, non-virtualised, HA deployment (in line with our design principles).
    • Set number of servers per DAG and number of DAGs according to size of solution. Start DAG count low to keep hardware down – revise up later if required based on guidance elsewhere in the tool.
  • Site resilience configuration:
    • Single active/active resilient DAG (i.e. no passive servers).
    • Watch the RPO value – it won’t affect the server count but could be a factor in inter-datacentre bandwidth calculations.
  • Mailbox database copy configuration:
    • Increased HA database copies to 4; decreased lagged copies to 0 (lagged copies require more storage as transaction logs are retained for longer).
    • Increased number of HA database copies in secondary datacentre to account for non-lagged copies (in this case I had a 50/50 split between DCs).
  • Lagged database copy configuration: not used.
  • Exchange data configuration: left at defaults.
  • Database configuration: left at defaults.
  • Exchange I/O configuration: left at defaults
  • Transport configuration:
    • Set Safety Net expiration to 2 days (unless using lagged copies).
  • User mailbox configuration:
    • One tier for each logical group of users.
    • Days in work week set to 5 – unless there are significant groups of people working 7 days a week (affects log replication).
    • Mailbox configuration values will depend on organisation but the advice given for a starting point was to set:
      • Total send/receive capacity per mailbox per day to 100 (down from 200) messages.
      • Average messages size to 150KB (affects storage).
      • Mailbox size limits are used for capacity growth planning – split between main and personal archive should not affect the calculations.
      • Deleted item retention window may need to be increased to meet requirements (14 days is low if not using backups).
      • Multiplication factors come into play with mobile devices.
      • Desktop search engine value is more significant in Citrix environments than with Outlook cached mode clients.
  • Backup configuration:
    • Assumed software VSS via SCDPM, daily full backups.
    • Calculator will take highest value of backup/truncation failure tolerance and network failure tolerance (so only one of these really matters!).
  • Storage options:
    • JBOD with multiple databases per disk (in line with our design principles).
    • Main thing to watch here is the number of auto reseed volumes per server – align to failure rate of the disks.
  • Disk configuration: will depend on servers in use. For reference, with our Fujitsu PRIMERGY servers, the available options led us to:
    • 900GB system disks (10K RPM SAS 2.5″).
    • 4000GB database plus log disks (7.2K RPM SATA 3.5″).
    • 4000GB restore volume (7.2K RPM SATA 3.5″).
  • Processor configuration:
    • Core/server is of secondary interest but helps the calculator to advise on Global Catalog cores.
    • SPECint2006 value set to the lowest that will allow a suitable server utilisation number. In practice there will be a balance between servers/processor options and price. It’s useful to have a lookup of SPECint2006 values for a range of servers (e.g. Fujitsu PRIMERGY RX300) or you can search the SPECint site and take the value from the result column.
  • Log replication configuration:
    • Will vary according to environment (and international spread of users) but the rule of thumb used was as follows (the 24 hourly values must add up to 100%, as these do):
      • 1: 0.33%.
      • 2: 0.24%.
      • 3: 0.24%.
      • 4: 0.2%.
      • 5: 0.82% (I’m not sure why we have a night-time peak – automated emails sent overnight? Or this could be spread across others…)
      • 6: 0.31%.
      • 7: 0.34%.
      • 8: 1.46%.
      • 9: 6.46%.
      • 10: 10.08%.
      • 11: 10.55%.
      • 12: 11.06%.
      • 13: 9.48%.
      • 14: 9.61%.
      • 15: 10.52%.
      • 16: 10.41%.
      • 17: 8.31%.
      • 18: 5.07%.
      • 19: 1.94%.
      • 20: 0.95%.
      • 21: 0.84% (I might be tempted to up this slightly for the evening email check in many organisations…).
      • 22: 0.36%.
      • 23: 0.21%.
      • 24: 0.21%.
  • Network configuration: latency will depend on available datacentre connectivity.
  • Environment customisation: only used to generate naming configuration.
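As a sanity check on the hourly profile above (an added example, not part of the calculator or the original post), the Go program below confirms that the 24 values sum to 100% and then uses them to find the busiest hour and estimate the inter-datacentre bandwidth needed to replicate that hour’s transaction logs to the remote database copies. The log-volume model (one log write per message sent or received) and the sample tier of 10,000 mailboxes are assumptions for illustration only; the real calculator applies further factors (mobile devices, search indexing, log file overheads) that are not modelled here.

```go
package main

import (
	"fmt"
	"math"
)

// HourlyProfile is the log replication profile from the notes above: the share
// (in percent) of a day's transaction-log generation falling in each of the
// calculator's 24 hour slots (index 0 is the calculator's hour 1).
var HourlyProfile = [24]float64{
	0.33, 0.24, 0.24, 0.20, 0.82, 0.31, 0.34, 1.46, 6.46, 10.08, 10.55, 11.06,
	9.48, 9.61, 10.52, 10.41, 8.31, 5.07, 1.94, 0.95, 0.84, 0.36, 0.21, 0.21,
}

// ProfileSum totals the profile, rounded to two decimal places. The calculator
// expects the 24 values to add up to exactly 100, so check this before pasting.
func ProfileSum(p [24]float64) float64 {
	sum := 0.0
	for _, v := range p {
		sum += v
	}
	return math.Round(sum*100) / 100
}

// MailboxTier carries the per-tier inputs discussed above.
type MailboxTier struct {
	Mailboxes       int
	MessagesPerDay  int     // total send + receive per mailbox per day
	AvgMessageBytes float64 // average message size in bytes
	RemoteCopies    int     // HA database copies held in the other datacentre
}

// DailyLogBytes is a deliberately simple model (an assumption for this example,
// not the calculator's formula): every message a mailbox sends or receives is
// written to the transaction log once, so log volume scales with message volume.
func DailyLogBytes(t MailboxTier) float64 {
	return float64(t.Mailboxes) * float64(t.MessagesPerDay) * t.AvgMessageBytes
}

// PeakReplicationMbps walks the profile to find the busiest hour and the
// inter-datacentre bandwidth needed to ship that hour's logs to every remote
// copy within the hour. It returns the calculator's hour number (1 to 24).
func PeakReplicationMbps(t MailboxTier, p [24]float64) (peakHour int, mbps float64) {
	daily := DailyLogBytes(t)
	for i, pct := range p {
		hourBytes := daily * pct / 100 * float64(t.RemoteCopies)
		rate := hourBytes * 8 / 3600 / 1e6 // bits per second expressed as Mbps
		if rate > mbps {
			mbps, peakHour = rate, i+1
		}
	}
	return peakHour, mbps
}

func main() {
	// Constructed sample tier: 10,000 users, 100 messages/day, 150KB average, 2 remote copies.
	tier := MailboxTier{Mailboxes: 10000, MessagesPerDay: 100, AvgMessageBytes: 150 * 1024, RemoteCopies: 2}
	fmt.Printf("profile sums to %.2f%%\n", ProfileSum(HourlyProfile))
	h, m := PeakReplicationMbps(tier, HourlyProfile)
	fmt.Printf("peak hour %d needs about %.1f Mbps of replication bandwidth\n", h, m)
}
```

The reason for walking the profile rather than dividing the day’s logs by 24 is the point made above about RPO and inter-datacentre bandwidth: the link has to carry the peak hour (about 11% of the day’s logs with this profile), not an average one.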

Check the results

With the main inputs in place, some fine tuning is probably required:

  • Role requirements:
    • Watch out for errors (e.g. over-utilised servers).  This is where the server count may need to be adjusted, or a higher-specification server used (SPECint2006 values). Ideally, servers should be close to 80% utilised [in a failure scenario] but not over. Getting the right CPU is more critical than memory as RAM can normally be added later! [also bear in mind the impact of other software on utilisation – for example file level antivirus, and any message hygiene software running on the box.]
    • Also check the recommended transport database location (we’ll come back to that in a moment).
  • Volume requirements:
    • Watch out for disk sizes/configurations that can’t be met!  If the solution is storage-bound, then it may be necessary to add additional servers (we use direct attached storage as a design principle) or, if available, then larger commodity disks would help. One clue to a potential issue is if the DB and log volume design/server table has DBx as a database copy name, rather than DB1-DB4, etc.
  • Storage design: confirms (or otherwise) that the solution can be deployed in a JBOD configuration (as per our design principles, although RAID is also an option).
    • This worksheet will also give the number of disks required in each server. Note that this is the count for database and log disks, restore volumes and auto reseed volumes – don’t forget the system disks for operating system/application binaries… and then think about the transport database.
    • In my solution, the recommended transport database location (from the role requirements) was the system disk but we were using 900GB 10K RPM SAS 3.5″ disks. With OS (150GB), Anchor LUN (2GB), Exchange binaries (50GB), and consideration for Exchange Logs (maybe 600GB) those disks are already pretty full, so it’s worth considering an extra RAID 1 volume for the transport database (over-ruling the calculator) and possibly hot spares for the RAID volumes too (depending on your attitude to risk).

A couple of other points to consider: public folders and unified messaging. I didn’t need public folders but don’t overlook them in your plans if they are in use.  As for unified messaging, it’s no longer a server role so is included in the calculations, up to a point – UM is likely to hit the CPU load, so it might be prudent to factor in some additional headroom with the SPECint2006 of the servers (to keep the utilisation well below the 80% mark).


Of course, these are just my notes on some of the things I checked to fit our reference design and they are not exhaustive. As the saying goes, your mileage may vary. For reference, I was using Exchange 2013 Server Role Requirements Calculator v6.6 but you should always use the latest available version and there is a very useful readme file which should be referenced when working with the calculator. You should also factor in this guidance on sizing Exchange 2013 deployments and consider the Exchange 2013 performance recommendations too.


[Edited 16 May 2015 to clarify comments re: server utilisation]

Replacing an all-in-one OfficeJet with a colour laser printer and some free software

One downside of moving jobs is that I’ve had to give back all of the kit I was using that belongs to Fujitsu*. The car went back last month at the end of its lease but yesterday I returned a pile of technology to the office including mobile phone, laptop, monitor, printer.

Hang on. Printer. I’m not the only user of that particular device…

I never liked it anyway – I’ve had a succession of OfficeJet all-in-one devices since I swapped out my trusty old LaserJet for a company-supplied printer and I’ve found inkjet devices to be expensive in consumables (non-OEM cartridges gunking up; OEM cartridges running out even when they say they have ink in them) and the HP OfficeJet 4620 that I’ve used for the last couple of years was particularly unreliable from a software perspective too. So I decided to pick up a small-office laser printer instead and the Samsung SL-C410W was just £130 for a colour laser printer.

Of course some will say, if I think ink cartridges are expensive, wait until I have to buy toner and the other items that the new printer will need but we’re talking in thousands of pages here… for someone who gets through about a box of paper (2500 sheets) every 2 years or so (and half of that has been taken by the kids for drawing)!

Anyway, back to the point. The SL-C410W was available at a great price direct from Samsung (£20 cheaper than John Lewis or PC World – and Staples were way off the mark), with free next-day delivery. Setup was simple, following the supplied instructions to get connected to my Wi-Fi network (although I did install the software on a PC and use the supplied USB cable to make things easy).  There were a couple of points that it might have been useful to know though:

  • Setting a static IP address needed a connection to the printer’s SyncThru web service – either using the supplied software to find the device on the network or using the DHCP logs to work out which IP address it was using and going to http://ipaddress/sws/index.html.
  • Once in SyncThru, login is required to make changes – the default username is admin and the default password is sec00000 (these are published defaults, so change the password before leaving the printer reachable from the rest of the network).

With the password and IP address changed and discovery services configured, our family PC (running Windows 8.1) automatically found and connected to the printer, whilst the Windows 7 PCs only needed me to walk through a wizard (printer and driver location was automatic).

That just left the issue of copying – a feature on the OfficeJet that we do use sometimes. Here, some open source software called iCopy came to the rescue.  It does exactly what it says on the tin – provides a “free photocopier” by linking a scanner and a printer – nothing that can’t be done manually but a single button was helpful for family members who use this feature.

The only slight problem was locating Windows Image Acquisition (WIA) drivers for my elderly CanoScan N650U/N656U with Canon not offering anything for Windows 7 and the Internet seemingly littered with dead links. Luckily, Tom Heath has posted a link to the drivers and these worked a treat.

Only time will tell whether the SL-C410W was a wise buy or not – but at least my family have a means to print homework, my wife has a printer (and copier) again for her work, and I have something that should be reasonably reliable and hassle-free…


* There are lots of upsides too – including that my new “laptop” will be a Surface Pro 3, and that I’ll be using modern software to help me in my work.

Moving on…

Just under ten years ago, I wrote a blog post to say I was leaving Conchango, and (re-)joining Fujitsu (it was ICL when I left).  Since then, I’ve moved through a succession of roles (technical, IT strategy and governance, management and pre-sales), worked with some extremely talented people and I’ve had some good times (as well as some less good) but one of the highlights has to be when I was given a Fujitsu Distinguished Engineer award last year.

Receiving a Fujitsu Distinguished Engineer award from Michael Keegan (Head of UK and Ireland region) and Jon Wrennall (CTO), in October 2014

Now, that time has come to an end, because today’s my last day at Fujitsu before I take up a new role in just over a week’s time.

For those who didn’t see my tweet last month, I’ll be returning to technical consultancy, joining the unified communications team at risual.

risual is a dedicated, UK based, globally recognised IT Services organisation delivering business aligned consultancy, solutions and services based solely on the Microsoft platform.  Along with several thousand others, I first came across risual when their corporate video was launched at Microsoft Future Decoded last year and what a refreshing change it made! Digging a little deeper told me they have a great reputation – and that’s capped off by appearing in The Sunday Times’ top 100 best small companies to work for list.

I have to admit I am a little anxious about the move – but really excited too and looking forward to joining the risual “family” and getting stuck in.  And, if ever there was proof of what a small industry we work in, I already found that I’m linked to quite a few of my new colleagues through Twitter or this blog!

Public key infrastructure explained

Last week, I was attending a presentation skills course where we had to give an impromptu presentation (well, we had an hour to prepare) on a topic of our choice.  One of my colleagues, Richard Butler, gave his talk on public key infrastructure (PKI) and Richard was the first person who has explained PKI to me in a way that made me go “ah! got it!” because he used a great analogy.

So, I’m going to attempt to repeat it here (with Richard’s permission)… and hopefully I’ll get it right!

Richard’s first point was that PKI is thought of as a security tool, some technology, or something that’s needed to make the network secure. Actually, he suggests, there’s more to it than that…

The first example Richard gives is one of a server certificate (used to ensure that a service can be trusted and that confidentiality is maintained), illustrated by way of border control.

An airline passenger approaches a border (e.g. an immigration desk at the airport):

  1. The border is where the passenger expects it to be.
  2. A border guard wears a uniform, with an insignia (badge).
  3. The passenger recognises the insignia and trusts it as genuine.
  4. The passenger interacts with the border guard to negotiate entry to the country.

A server certificate is similar because it’s presented to prove that the server is who it says it is, so that users accessing its services can trust it. The certificate is issued by a certificate authority, just as the border guard’s badge is issued by a government agency.

In Richard’s second example, a certificate is used to provide confidence that you are who you say you are, giving integrity and non-repudiation.

  1. As a citizen of a country, I request a passport from my government.
  2. The government validates my request.
  3. If my request is valid, a passport is issued.
  4. When visiting a foreign country, I present my passport at the border.
  5. The government of the foreign country trusts the government that issued the passport to have carried out the necessary background checks that confirm I am who I say I am.
  6. I’m authorised to enter the country.

In this case:

  • The issuing government’s passport authority can be thought of as a certificate authority (CA) or issuing authority (IA) – it’s trusted by other countries to authorise passports.
  • The passport can be thought of as a validated “client” certificate – it is trusted, because the passport authority is trusted (i.e. there is a chain of trust).
  • The government in the foreign country can also be thought of as a certificate authority – it is trusted and authorises the immigration control.
  • As described in the first example, the border guard’s insignia can be thought of as a “server” certificate – it is trusted as the foreign country is trusted to issue certificates.
  • Humans apply logic to the approach and automatically make the appropriate assumptions and associations.

In a public key infrastructure, there’s a hierarchy of certificate authorities:

  • The offline root CA signs requests for subordinate CA servers and holds the private key for the certificate root.
  • A networked, subordinate CA signs requests for clients, and holds its own private key.
  • A certificate distribution point stores the public keys for the root CA and the subordinate CA (used to validate requests). It also holds information about certificate revocation (to use the passport analogy, this might be where a citizen has been denied the right to travel, for example due to a pending prosecution).

Using this PKI infrastructure, a number of interactions take place:

  1. A device creates a signing request and sends it to a certificate authority.
  2. The CA receives the signing request, validates the request, and issues a certificate signed with its private key.
  3. The original device receives the signed certificate and stores it for future use as a client/server certificate.
  4. When a connection to a service is attempted, the connecting device receives a copy of the certificate and validates the name and the signing CA using the CA’s public key. This validates the certificate chain and the certificate is proved to be valid.
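As an added illustration (not Richard’s or this post’s own code), here is the hierarchy from the list above and the chain validation from step 4, written in Go against its standard library x509 package. The signing request of steps 1 and 2 is elided (the CA is handed the device’s public key directly), and the CA names and host name are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // keeps the demo short; production code would return the errors
	if err != nil {
		panic(err)
	}
	return v
}
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// sign builds a certificate for cn/pub and has the parent CA's private key sign it (nil parent = self-signed).
func sign(serial int64, cn string, isCA bool, parent *x509.Certificate, pub any, key *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: isCA,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, DNSNames: []string{cn}}
	if isCA { // a CA may sign certificates and CRLs and nothing else, and carries no server name
		tmpl.KeyUsage, tmpl.ExtKeyUsage, tmpl.DNSNames = x509.KeyUsageCertSign | x509.KeyUsageCRLSign, nil, nil
	}
	if parent == nil { // the offline root signs itself with the root private key
		parent = tmpl
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key))))
}

// verifyChain is step 4 from the connecting device's side: check the name, walk leaf -> sub -> root, trust only root.
func verifyChain(leaf, sub, root *x509.Certificate, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(sub)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}

// buildDemoPKI stands up the post's hierarchy for a constructed host name (not a real site); returns leaf, sub, root.
func buildDemoPKI(host string) (*x509.Certificate, *x509.Certificate, *x509.Certificate) {
	rootKey, subKey, devKey := newKey(), newKey(), newKey() // root key stays offline; device key never leaves the device
	root := sign(1, "Demo Offline Root CA", true, nil, &rootKey.PublicKey, rootKey)
	sub := sign(2, "Demo Issuing CA", true, root, &subKey.PublicKey, rootKey)
	return sign(3, host, false, sub, &devKey.PublicKey, subKey), sub, root
}
```

Passing a different host name to verifyChain fails the name check even though the chain itself is intact, which is why step 4 validates the name as well as the signing CA; a chain built under a different root fails the trust check instead.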

At the outset of this description, Richard explained that there is more to PKI than just a security tool, or some technology services.  There’s actually a hierarchy of deployment considerations:

  • Private key protection. Private keys are critical to the ability to sign certificates and therefore crucial to the integrity of the chain of trust.
    • A chain is only as strong as its weakest link.
  • Management procedures:
    • Validation of requests (stopping fraudulent certificates from being issued).
    • Management of certificates (issuing, revocation, etc.)
  • Deployment procedures:
    • Deploying and managing the PKI infrastructure itself.
  • Technology choices:
    • Whose PKI infrastructure will be used?

Drawn as a hierarchy (similar to Maslow’s hierarchy of needs), technology choices are at the top and are actually the least significant consideration. Whilst having a secure technical solution is important, having the procedures to manage it is more so.

Richard wrapped up his presentation by summarising that:

  • PKI is 10% technology and 90% process.
  • Deployment is 10% of the solution and management is 90%.
  • PKI needs management from day one.

If you do still want to know more about the technology (including seeing some diagrams that might have helped to illustrate this post if I’d had the time), there’s a Microsoft blog post series on designing and implementing PKI, written by the Active Directory Directory Services team.  Other PKI solutions exist, but as many organisations have an Active Directory, looking at the Microsoft implementation is as good a place as any to start to understand the various technologies that are involved.