The accumulating cost of digital certificates

The last few months I’ve had to go through several of the annoying certificate-renewal processes that recur every year. It’s always a painful process, not only because you always start the process too late, it’s a lot of effort and paperwork (which never goes smoothly), but you also realize that you’re paying quite a lot of money, for what exactly?
We are a small SaaS (Software as a Service) company, and we have the following digital certificates:

  • Two wildcard SSL certificates. Every SaaS company that offers a separate sub-domain for each customer needs these. We pay €775 for each wildcard certificate, with a 2-year validity (from Thawte).
  • A code-signing certificate. We offer a few rich-client applications from our web-applications, using ClickOnce technology. These applications need a digital signature. Cost of the certificate is €385 for a 2-year code-signing (Authenticode) certificate from Thawte.
  • A BAPI certificate. This is needed for (e-mail) communications for the Dutch tax authorities. Costs €240, with a validity of 3 years.
  • A PKI certificate from the Dutch government, for SOAP-webservice communications with the Dutch authorities (Government, Chambers of Commerce, Banks). Cost: €600 for a certificate with a validity of 3 years.

In my case, the renewal of Thawte’s code-signing certificate was especially painful, as it didn’t work on Windows 8, and I was send into several dead-ends by Thawte’s support, such as “try it in Firefox” (Authenticode certificate renewal only works in IE), or “start IE9 in Windows 8” (how exactly?).

All in all, it may not seem a lot of money in total, but if you include the effort it takes every time, I find it quite a burden. It would be nice if in the future you would only need a single digital certificate for the company as a whole.

SQL Server connection timeout in .NET client also used as transaction timeout? Mmm…

Sometimes you spend several days (or nights) trying to solve a problem, only to find out your problem is caused by some inexplicable design decision you couldn’t possibly anticipate. In this case, I was investigating errors we’ve head on peak hours from our SQL Server database server, where we got “Timeout expired” errors on commit or rollback of database transactions, for the last two months.
Now, our database server probably doesn’t have enough capacity to deal with its load on peak hours, but still, we hadn’t had any errrors like this before, even at the busiest of times. Completion of transactions in SQL Server (and especially commits) have always been very fast on SQL Server, in my experience over the last 20 years.

When searching the internet, it turns out quite a few people have this same problem, but nobody knows exactly why. In the end, there’s exactly one place to find the surprising answer, provided by Matt Neerincx of the SQL Server team in a forum post:

The value used in the .NET SQLClient class for the client-side transaction timeout is the value set for the connection timeout of the database connection.

In his post, Matt explains that in this case they had no other values available in the class interface, so they decided to re-use the existing value for the connection timeout. Now, for me these two values are completely unrelated. Sometimes you want to set the connection timeout pretty low, so that un unavailable server, or incorrectly provided server name, is detected without a very long wait. I had done just that, by reducing our default connection timeout from 30 to 20 seconds, never suspecting this would have these drastic side-effects on the completion of transactions!

Ah well, problem solved, on to the next: This morning we had one of the infamous “Deadlock detected” errors in our ASP.NET web application. That’s another can of wurms, trying to make sense of the myriad of threadpool-related settings in ASP.NET.

I have to take a test before I’m allowed to give Microsoft money?

Today I was trying to renew the Microsoft Action Pack (MAP) subscription for my company. Now, the MAP really is a good deal: For €380 per year, any small company (less than 100 employees) that creates or integrates IT-solutions based on Microsoft technology gets access to almost all Microsoft software, with a small number of licenses for each product, that can be used for regular business use, including 3 full MSDN subscriptions. I had to do this renewal during my vacation, because Microsoft uses some pretty strong language for what happens if you let the subscription slip for only one day (you have to destroy all media, remove all licensed software, and even if you subscribe again later, you can never get the rights back to use older software versions).

The “interesting” part is, that just before you’re trying to use your credit card to pay, you get the message that you first have to complete an online seminar, with an accompanying assessment (test) for which you have to score 70%, before being allowed to proceed. So you have to go to 30 or so slides of an online seminar (which seems to be pretty outdated, with no mention of Windows 8 at all), trying to remember the differences between the various versions of Windows Sever 2008. This takes maybe 30 minutes, including the test. And after that, as it turns out, you have to take another online seminar and test, this time with specific questions about the Development & Design MAP (with questions like wat LINQ stands for). Not only is it a little bit absurd that to be allowed to pay money to Microsoft you have to complete some tests first, but also that it is assumed that the person who does the ordering and payment is able to follow these seminars and do the tests.

So, after an hour I passed all the tests (mostly answering “All of the above” to questions about what a specific piece of Micosoft software can do), and finally I was allowed to enter my credit-card details. Well, at least now I know that Windows Server 2008 Foundation can do nothing useful, and that the Microsoft licensing options are too complex for anyone to understand. Still love Visual Studio 2012 though (after removing the all-caps menus), so all’s good!

Iain Banks, world’s greatest living science-fiction writer, is terminally ill

Most of his readers probably already know this, but I only read about it yesterday: Iain Banks, in my opinion, the greatest science-fiction writer of the last 25 years, has announced that he’s terminally ill, with possibly only a few months to live. Sad news. Best wishes too all.
Having discovered his books 4 years ago, Banks’ books made me read science-fiction again after many, many years of disinterest (I read all the classic science-fiction works by Heinlein, Herbert, Vance, etc. in my teens). Nobody in human history has described in so much detail a utopian society, with all its challenges and possibilities as Banks has done with his “Culture”. His books are in turn very clever, witty and uplifting, and bleak and even hopeless at other times.

Some Banks trademarks, which have become science-fiction standards:

  • The AI characters (in the form of spaceships or drones) are the funniest and smartest in the book.
  • The spaceship names are poetry in themselves. Some of my favorite spaceship names in Banks’ books:
    • “Attitude Adjuster”
    • “All through with this Niceness and Negotiations Stuff”
    • “Me, I’m Counting”

    Too many to mention, this is a full list.

My favorite Banks novels:

  • Against a Dark Background. Great adventure (a classic quest, the search for a superweapon, the “Lazy Gun”), superb heroine and supporting characters. Great, if bleak ending.
  • Use of Weapons. Banks’ masterpiece. Very complex (but extremely rewarding) story. Has Banks’s funniest AI (the drone Skaffen-Amtiskaw), and his most enduring heroine (Diziet Sma). A must-read.

Introduction

My name is Sebastian Toet, I live in the Netherlands, and I’m the Chief Software Architect at Yuki, a SaaS (Software as a Service) company that offers online accounting and general business administration services. I was trained as a theoretical physicist (at the University of Technology in Eindhoven, and the Department of Theoretical Physics of the University of Amsterdam). I’m active in software development since 1993, first at Exact Software in Delft (The Netherlands), and since 2005 at the company I co-founded, that was first called FamilyWare, and is now called Yuki.

Since 1995 I have worked on web-based ERP/accounting systems, and some of my main interests lie in the following areas:

  • Relational database systems and structures for complex data, complex reporting needs, and high number of concurrent users.
  • Optimum strategies in Software Release Management for SaaS providers.
  • Workflow systems that deliver the actual service in SaaS.

The last point is pretty important to me, as many SaaS providers don’t actually provide a real service, but just provide online access to software. At Yuki my main attention goes to building great workflow systems, that deliver the actual (accounting) service that really allow users to leave the work to others.

In this blog I want to talk about, and discuss, some of the experiences and insights I have had in the last 15 years in creating web-based ERP and accounting systems, and especially about those subjects that are generally not discussed very much, or at all, live macro-scale database infrastructure  and design, internal workflow system for SaaS providers, patch management for SaaS providers , etc.

SQL Server Blog

Thoughts about SaaS software architecture

Brent Ozar Unlimited®

Thoughts about SaaS software architecture

The Visual Studio Blog

Thoughts about SaaS software architecture

Microsoft Azure Blog

Thoughts about SaaS software architecture

AWS News Blog

Thoughts about SaaS software architecture

%d bloggers like this: