Thursday, October 31, 2013

Oracle WebLogic services and non-WebLogic clients

Currently trying to configure WebLogic web service to connect with non-WebLogic client for message-level encryption. It was suggested the following resources might hold the key. So far, my problem doesn't seem to involve any of these, rather a problem with certificates that have been set up properly with certificate chaining.

Oracle Fusion Middleware Documentation: Attaching Policies - 12c (12.1.2)

http://docs.oracle.com/middleware/1212/owsm/OWSMS/attach-owsm-policy.htm#OWSMS5613
  • http://docs.oracle.com/middleware/1212/owsm/OWSMS/attach-owsm-policy.htm#OWSMS5613
  • http://docs.oracle.com/middleware/1212/wls/WSSOV/owsm-security.htm#CHDBAHBI

It appears there are some proprietary resources that may be used to set up webservices using WebLogic. There are both Java code solutions as well as Java annotations to save the time of writing straight Java code.

weblogic.wsee.jws.jaxws.owsm.SecurityPolicyFeature class (single policy)
weblogic.wsee.jws.jaxws.owsm.SecurityPoliciesFeature class (multiple policies)

Java / Oracle SOA blog: Calling an OWSM protected service with Axis 1.4 and WSS4J

http://biemond.blogspot.com.au/2011/09/calling-owsm-protected-service-with.html
  • http://biemond.blogspot.com.au/2011/09/calling-owsm-protected-service-with.html
  • http://docs.oracle.com/cd/E21764_01/web.1111/e16098/interop_axis.htm#CHDCICGG

We're using Apache CXF. If you are using Fusion Middleware, there are some limitations to what Axis and WSS4J standards are supported.

...you can't use every OWSM policy with Axis. Oracle made an interoperability documentation page what is possible with Axis 1.4 and OWSM 11g, please check this first.

http://biemond.blogspot.com.au/2011/09/calling-owsm-protected-service-with.html

Oracle documentation provides some help on how you would create your webservices under various scenarios including SAML authentication/authorization and username token. Again, not useful in our case.

Posted by at No comments:
Labels:

understanding certificate chaining

Help - WebSphere MQ

http://publib.boulder.ibm.com/infocenter/wmqv6/v6r0/index.jsp?topic=%2Fcom.ibm.mq.csqzas.doc%2Fsy10600_.htm

Illustrates a certification path from the certificate owner to the root CA, where the chain of trust begins

Intel(R) AMT SDK Implementation and Reference Guide

http://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments%2Fcertificatechainsforhostbasedconfiguration.htm

Certificate chains may be included with a public key by simply including the rfc blocks in pem format. Their inclusion order is important, though. Consider using cat so that no extra whitespace gets introduced.

-----BEGIN CERTIFICATE-----
Body of the leaf certificate
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
Body of the first intermediate certificate
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
Body of the second intermediate certificate
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
Body of the root certificate
-----END CERTIFICATE-----

OpenSSL - User - check certificate chain in a pem file

http://openssl.6102.n7.nabble.com/check-certificate-chain-in-a-pem-file-td43871.html

It is highly recommended that you convert to and from .pfx files on your own machine using OpenSSL so you can keep the private key there. Use the following OpenSSL commands to convert SSL certificate to different formats on your own machine:

#Convert PEM to P7B
openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CACert.cer

#see html reference for more

check certificate chain in a pem file

https://www.sslshopper.com/ssl-converter.html

Concatenate all the previous certificates and the root certificate to one temporary file (This example is for when you are checking the third certifate from the bottom, having already checked cert1.pem and cert2.pem

Thus for the first round through the commands would be

   Unix:     cat root.pem > root-chain.pem
   Windows:  copy /A root.pem root-chain.pem
   Both:     openssl verify -CAfile root-chain.pem cert1.pem

And the second round would be

   Unix:     cat cert1.pem root.pem > cert1-chain.pem
   Windows:  copy /A cert1.pem+root.pem cert1-chain.pem
   Both:     openssl verify -CAfile cert1-chain.pem cert2.pem

Etc.

"keytool -export/import" - Exporting and Importing Certificates

http://www.herongyang.com/JDK/keytool-export-import-Certificates.html
  • The "-export" command option exports the self-signed certificate of my public key into a file, my_home.crt.
  • The "-printcert" command option prints out summary information of a certificate stored in a file in X.509 format. As you can see from the print out, I am the issuer and the owner of this certificate.
  • The "-import" command option imports the certificate from the certificate file back into the keystore under different alias, my_home_crt.

TechStump.com: How to Rearrange a Certificate Chain using OpenSSL

http://www.techstump.com/2012/10/how-to-rearrange-certificate-chain.html

..you do need to know the correct certificate order. The first two are easy, the key should be first and the Server Certificate should be second. Generally the third certificate will be an intermediate and the last will be a root. If you look at each section, you’ll see a -------Begin Certificate------ and -------End Certificate------ section preceded by a header. In the header you’ll see what certificate is what.

keytool-Key and Certificate Management Tool

http://docs.oracle.com/javase/7/docs/technotes/tools/windows/keytool.html 
-importcert {-alias alias} {-file cert_file} [-keypass keypass] {-noprompt} {-trustcacerts} {-storetype storetype} {-keystore keystore} [-storepass storepass] {-providerName provider_name} {-providerClass provider_class_name {-providerArg provider_arg</pre>
 {-v} {-protected} {-Jjavaoption}

Reads the certificate or certificate chain (where the latter is supplied in a PKCS#7 formatted reply or a sequence of X.509 certificates) from the file cert_file, and stores it in the keystore entry identified by alias. If no file is given, the certificate or certificate chain is read from stdin.

.. keytool can import X.509 v1, v2, and v3 certificates, and PKCS#7 formatted certificate chains consisting of certificates of that type. The data to be imported must be provided either in binary encoding format, or in printable encoding format (also known as Base64 encoding) as defined by the Internet RFC 1421 standard. In the latter case, the encoding must be bounded at the beginning by a string that starts with "-----BEGIN", and bounded at the end by a string that starts with "-----END".

Option defaults for keytool

-storetype the value of the "keystore.type" property in the security properties file,
           which is returned by the static getDefaultType method in
           java.security.KeyStore

Help - IBM SDK and Runtime Environment Java Technology Edition Version 6

http://publib.boulder.ibm.com/infocenter/javasdk/v6r0/index.jsp?topic=%2Fcom.ibm.java.security.component.doc%2Fsecurity-component%2FkeytoolDocs%2Fsupportedkeystoretypes.html

Supported Key Store Types

  • JKS
  • JCEKS . This keystore implementation employs a much stronger protection of private keys (using password-based encryption with Triple DES) than JKS. You can upgrade your keystore of type "JKS" to type "JCEKS" by changing the password of a private-key entry in your keystore.
  • PKCS12. There is a difference between PKCS12 type keystore created on the keytool provided in the IBM JVM and the keytool provided in an Oracle JVM. The keytool in an IBM JVM uses a PKCS12 keystore to store both key entries and certificate entries.The keytool in an Oracle JVM uses a PKCS12 keystore to store key entries. The keytool program in IBM's JVM can read the keystore created by the keytool program provided by an Oracle JVM, but not the other way around.
  • PKCS12S2. This is a second version of PKCS12 type keystore. It can be read by the keytool program in an Oracle JVM.
  • JCERACFKS. This is a RACF® keyring keystore. This type is available only on z/OS® systems with RACF installed.

OpenSSL: Documents, pkcs7(1)

http://www.openssl.org/docs/apps/pkcs7.html

A different way to package a keystore. Like JKS, only different format.

Creating a PKCS7 (P7B) Using OpenSSL

https://langui.sh/2009/03/20/creating-a-pkcs7-p7b-using-openssl/

This example assumes that you have 2 different certificate files, each in PEM (Base64) format. You can add as many -certfile elements as you want to package in the file. Additionally, concatenated certificate chains are supported.

openssl crl2pkcs7 -nocrl -certfile cert1.cer -certfile cert2.cer -out outfile.p7b

OpenSSL: Documents, verify(1)

http://www.openssl.org/docs/apps/verify.html

The verify command verifies certificate chains.

Posted by at No comments:
Labels: ,

Monday, October 14, 2013

jQuery timepicker

Subversion (source control)

Subversion Tutorial: 10 Most Used SVN Commands with Examples

Needed to know how to retrieve information in svn. It's been a long time. Git is so much better.

svn checkout/co URL PATH

jQuery Timepicker

Was looking for a viable time picker for tracker.

JQuery

.addClass() | jQuery API Documentation

http://api.jquery.com/addClass/

Adds the specified class(es) to each of the set of matched elements.

$( "p" ).addClass( "myClass yourClass" );

How can I make a redirect page in jQuery/JavaScript? - Stack Overflow

http://stackoverflow.com/questions/503093/how-can-i-make-a-redirect-page-in-jquery-javascript

Redirecting users after an AJAX call using JavaScript.

window.location.replace(...)

It is better than using window.location.href =, because replace() does not put the originating page in the session history, meaning the user won't get stuck in a never-ending back-button fiasco

Ryan McGeary, Feb 3 '09

Ruby/Rails

ruby - Radio buttons on Rails - Stack Overflow

http://stackoverflow.com/questions/623051/radio-buttons-on-rails

How to use Rails models in combination with radio buttons.

<div class="form_row">
    <label for="theme">Theme:</label>
    <% [ 'plain', 'desert', 'green', 'corporate', 'funky' ].each do |theme| %>
      <br><%= radio_button_tag 'theme', theme, @theme == theme %>
      <%= theme.humanize %>
    <% end %>
</div>

Run migrations from rails console - Stack Overflow

I love this! Use console to run migrations instead of waiting for the environment to load with each run.

# run migrations
ActiveRecord::Migrator.migrate "db/migrate"
ActiveRecord::Migrator.down "db/migrate", 20131011115823

# show the available migrations
puts ActiveRecord::Migrator.get_all_versions
puts ActiveRecord::Migrator.migrations_path

# show the available migrations; does not show whether those migrations have been applied or not 
puts (ActiveRecord::Migrator.migrations "db/migrate").map{|x| "#{x.version}: #{x.filename}"}
Posted by at No comments:
Labels: ,

Thursday, October 3, 2013

Illegal key size and JCE

android - java.security.InvalidKeyException: Illegal key size - Stack Overflow

Java publishes the "JCE Unlimited Strength Jurisdiction Policy Files" separate from it's normal distribution so that laws around cryptography are not violated. In order to get past this error, you must update local_policy.jar and US_export_policy.jar as indicated in the installation instructions (which come packaged with the download). One place you can download these is from Oracle.

  • local_policy.jar
  • US_export_policy.jar

maven 2 - Can I change the alias of my key? - Stack Overflow

Want to change the alias for a trusted public key or private key entry? Easy, peasy.

keytool -changealias -alias "your-very-very-long-alias" -destalias "new-alias" -keypass keypass -keystore /path/to/keystore -storepass storepass

iOS 7 iMessages and Facetime won't activate! - MacRumors Forums

http://forums.macrumors.com/showthread.php?t=1594713

I was experiencing some problems on my iMac with getting iMessages to be active. I applied updates and restarted the computer and I was back in business.

Apparently other people have had problems, especially with iOS 7.

My Apple ID

https://iforgot.apple.com/password/verify/appleid?app_type=ext&app_id=1581

Hey; it's hard remembering all those passwords all the time, right?

Bash-Prog-Intro-HOWTO-8: Functions

http://tldp.org/HOWTO/Bash-Prog-Intro-HOWTO-8.html

Bash functions.

   #!/bin/bash 
   function quit {
       exit
   }
   function hello {
       echo Hello!
   }
   hello
   quit
   echo foo
Posted by at No comments:
Labels: , ,

Tuesday, October 1, 2013

weblog; missing CA Root

X.509 Certificates

The Most Common Java Keytool Keystore Commands

http://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html

Display the contents of a stand-alone certificate. Doesn't show as much details as the openssl command.

Keytool

keytool -printcert -v -file mydomain.crt

OpenSSL

openssl x509 -noout -text -in mydomain.crt

Download Primary PCA Root Certificates | Symantec

http://www.symantec.com/page.jsp?id=roots

Needed to complete CA Root chain for Oracle/PeopleSoft. This seems to do the trick.

wget http://www.verisign.com/repository/roots/root-certificates/PCA-3G3.pem

No trusted certificate found : when opeing a ssl connection from behind the proxy. (Open Source Projects forum at JavaRanch)

http://www.coderanch.com/t/62494/open-source/trusted-certificate-opeing-ssl-connection
  • http://www.coderanch.com/t/62494/open-source/trusted-certificate-opeing-ssl-connection
  • http://stackoverflow.com/questions/10749803/validatorexception-no-trusted-certificate-found-in-java

Two-way ssl handshake

  1. handshake initiated by client; client sends it's identification
  2. server receives, authenticates client and accepts
  3. server sends it's identification
  4. client receives, but fails to authenticate

In our case, it seems the problem is an incomplete CA Root chain.

Posted by at No comments:
Labels: , ,

Saturday, September 28, 2013

weblog; Apache CXF; getting message-level encryption to work

Bash

Bash Arrays | Linux Journal

http://www.linuxjournal.com/content/bash-arrays

Provide a list in open/close parentheses, unadorned.

array=(one two three four [5]=five)

echo "Array size: ${#array[*]}"

echo "Array items:"
for item in ${array[*]}
do
    printf "   %s\n" $item
done

Bash For Loop Examples

http://www.cyberciti.biz/faq/bash-for-loop/

The array here doesn't use parentheses.

for VARIABLE in 1 2 3 4 5 .. N
do
 command1
 command2
 commandN
done

bash - escaping newlines in sed replacement string - Stack Overflow

http://stackoverflow.com/questions/8991275/escaping-newlines-in-sed-replacement-string

Newlines will be recognized in the replace clause (the second half), but not in the match clause. Instead, you will need to use the N and D flags.

echo 'abc' | sed 's/b/\ 
> /'
a
c

Gather dependencies from pom files

http://www.grymoire.com/Unix/Sed.html#uh-51

Navigate to the root directory of Maven project with sub-modules, copy and paste the following code. The code depends on the correct order of a dependency declaration: groupId, articleId, version. Otherwise, all bets are off. This is intended to be quick and dirty; a SAX parser would be more robust.

The following temp files are used for each pom.xml in turn.

  • work.txt: contains ''
  • work2.txt: strips off '', leaving groupId:articleId:version

results.txt: The final file, providing a compilation of dependencies for all pom.xml files.

for file in $(find . -name "pom.xml")
do

cfile=$(printf '%q' $file)

sed '
# look for a <groupId>...</groupId>
/[^<]*<groupId>\([^<]*\)<\/groupId>.*$/ {
# Found one - now read in the next line
 N
# delete the <groupId>...</groupId> and replace with <maven-dependency>
 s/[^<]*<groupId>\([^<]*\)<\/groupId>[\n\r]*[^<]*/<maven-dependency>\1/
}

/<artifactId>\([^<]*\)<\/artifactId>.*$/ {
 N
 s/<artifactId>\([^<]*\)<\/artifactId>[\n\r]*[^<]*/:\1/
}

s/<version>\([^<]*\)<\/version>.*/:\1<\/maven-dependency>/

' $file > work.txt

echo -e "\n${cfile}\n===========================================" > work2.txt

cat work.txt | grep "<maven-dependency>[^<]*<\/maven-dependency>" | sed "s/<maven-dependency>\([^<]*\)<\/maven-dependency>/\1/" >> work2.txt; cat work2.txt

cat work2.txt >> results.txt

done

Along the same lines, there is also a little Ruby script for extracting out the articleId from the groupId:articleId:version:

#[Extract dependency name (Ruby)]

#E.g., 
dependencies = %w[
edu.ucmerced.ucpath.idm:ucm-ucpath-idm:0.0.2-SNAPSHOT
it.svario.xpathapi:xpathapi-jaxp:RELEASE
org.eclipse.m2e:lifecycle-mapping:1.0.0
org.apache.maven.plugins:maven-install-plugin:2.4
com.google.code.maven-replacer-plugin:replacer:1.5.2
org.codehaus.mojo:properties-maven-plugin:1.0-alpha-2
org.apache.maven.plugins:maven-install-plugin:2.4
com.google.code.maven-replacer-plugin:replacer:1.5.2
]

puts dependencies.map{|x| first = x.index(/:/); x.slice(first+1, x.index(/:/, first+1) - first-1)}

How to reference a variable within sed? - The UNIX and Linux Forums

http://www.unix.com/shell-programming-scripting/39175-how-reference-variable-within-sed.html 
tmp="abcdefg"
sed "s/${tmp}/good"

Replace the single quotes with double quotes. Single quotes prevent variable expansion.

http://www.unix.com/shell-programming-scripting/39175-how-reference-variable-within-sed.html

escape string in bash script so it can be used in command line

http://www.linuxquestions.org/questions/linux-software-2/escape-string-in-bash-script-so-it-can-be-used-in-command-line-360664/

Use double quotes.

You don't need to escape a string if you quote it - say you want to pass all the arguments to ls, instead of

ls $*

write

ls "$*"

Java; web services

Web Service Definition Language (WSDL)

http://www.w3.org/TR/wsdl#_soap:address

What purpose does soap:address serve? It appears to be the actual endpoint.

<definitions .... >
    <port .... >
        <binding .... >
           <soap:address location="uri"/> 
        </binding>
    </port>
</definitions>
? Apache CXF -- WS-SecurityPolicy http://cxf.apache.org/docs/ws-securitypolicy.html

Configuration for message-level encryption can be easily accomplished. The following server and client configurations should be loaded either in the Server/Client Java class or in the pom.xml configuration

Java Class

  SpringBusFactory bf = new SpringBusFactory();
  URL busFile = new ClassPathResource("wssec-server.xml").getURL();
  Bus bus = bf.createBus(busFile.toString());
  BusFactory.setDefaultBus(bus);

pom.xml

<plugin>
    <groupId>org.codehaus.mojo</groupId>
    <artifactId>exec-maven-plugin</artifactId>
    <executions>
        <execution>
            <phase>test</phase>
            <goals>
                <goal>java</goal>
            </goals>
            <configuration>
                <mainClass>edu.ucmerced.ucpath.idm.Runner</mainClass>
                <arguments>
                    <argument>../ws-ora-idm-wsdl/src/main/resources/wsdl/IDMServices/IDMServices.wsdl</argument>
                </arguments>
                <systemProperties>
                  <systemProperty>
                    <key>cxf.config.file</key>
                    <value>cxf-client.xml</value>     
                  </systemProperty>
                </systemProperties>
            </configuration>
        </execution>
    </executions>
</plugin>

Server

    <jaxws:endpoint id="server"
      implementor="demo.wssec.server.GreeterImpl"
      endpointName="s:SoapPort"
      serviceName="s:SOAPService"
      address="http://localhost:9001/SoapContext/SoapPort"
      wsdlLocation="wsdl/hello_world.wsdl"
      xmlns:s="http://apache.org/hello_world_soap_http">
        
      <jaxws:properties>
         <entry key="ws-security.signature.properties" value="serviceKeystore.properties"/>
         <entry key="ws-security.signature.username" value="myservicekey"/>

         <entry key="ws-security.callback-handler" 
                value="demo.wssec.server.ServerCallbackHandler"/>

         <entry key="ws-security.encryption.properties" value="serviceKeystore.properties"/>
         <entry key="ws-security.encryption.username" value="myclientkey"/>
      </jaxws:properties> 
    </jaxws:endpoint>

Client

    <jaxws:client name="{http://apache.org/hello_world_soap_http}SoapPort" createdFromAPI="true">
       <jaxws:properties>
           <entry key="ws-security.signature.properties" value="clientKeystore.properties"/>
           <entry key="ws-security.signature.username" value="myclientkey"/>
           <entry key="ws-security.callback-handler" 
                  value="demo.wssec.client.ClientCallbackHandler"/>
           <entry key="ws-security.encryption.properties" value="clientKeystore.properties"/> 
           <entry key="ws-security.encryption.username" value="myservicekey"/>
       </jaxws:properties>
   </jaxws:client>

Propery files should include location of certificates and keystore password. The private key password cannot be provided here, but should use the callback to provide the correct private key.

Properties

org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=sspass
org.apache.ws.security.crypto.merlin.keystore.alias=myservicekey
org.apache.ws.security.crypto.merlin.keystore.file=keys/servicestore.jks

Java callback-handler

public void handle(Callback[] callbacks) throws IOException,
        UnsupportedCallbackException {
    for (int i = 0; i < callbacks.length; i++) {
        if (callbacks[i] instanceof WSPasswordCallback) {
            WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
            if ("myservicekey".equals(pc.getIdentifier())) {
                pc.setPassword("skpass");
                break;
            }
        }
    }
}

See https://github.com/dcvezzani/mustached-batman for a complete example.

Maven Repository: org.apache.ws.security » wss4j

» 1.5.6 http://mvnrepository.com/artifact/org.apache.ws.security/wss4j/1.5.6

Pom.xml dependency entry.

<dependency>
 <groupId>org.apache.ws.security</groupId>
 <artifactId>wss4j</artifactId>
 <version>1.5.6</version>
</dependency>

WS-SecurityPolicy 1.2

http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html

Documentation of the nodes in the WS-SecuirtyPolicy namespace.

XML Namespace Document for WS-Security-Policy 1.3

http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802

Documentation of the nodes in the WS-SecuirtyPolicy namespace.

Re: Eclipse, CXF and WS-SecurityPolicy

http://mail-archives.apache.org/mod_mbox/cxf-users/201307.mbox/%3CF172D30F-6747-44B2-A4CE-7EFBD7710DEA@indivica.com%3E

An error like what follows indicates that possibly the wrong namespace is being specified or the namespace is missing altogether.

> Jul 27, 2013 12:41:56 AM org.apache.cxf.ws.policy.AssertionBuilderRegistryImpl handleNoRegisteredBuilder
> WARNING: No assertion builder for type {http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}RequiredParts registered.

Maven Repository: org.apache.cxf » cxf-rt-ws-security

» 2.4.1 http://mvnrepository.com/artifact/org.apache.cxf/cxf-rt-ws-security/2.4.1

Entry description

<dependency>
 <groupId>org.apache.cxf</groupId>
 <artifactId>cxf-rt-ws-security</artifactId>
 <version>2.4.1</version>
</dependency>

Java web services: WS-Security with CXF

http://www.ibm.com/developerworks/library/j-jws13/

Walk-through for creating a web service, using WS-Security with the Apache CXF web services stack

X.509 Certificates

X.509 - Wikipedia, the free encyclopedia

http://en.wikipedia.org/wiki/X.509

Was researching what exactly the significance is of signed certificates.

As far as I can tell, most of the time it's only purpose is to validate a trusted public key.

The Most Common Java Keytool Keystore Commands

http://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html

A great resource common keytool commands.

Posted by at No comments:
Labels: , , , ,

Tuesday, September 24, 2013

weblog; a miraculous build

Maven

Developing Web services using Apache CXF and Maven

http://www.ctrl-alt-dev.nl/Articles/CXF-Maven/CXF-Maven.html

Step-by-step instructions on how to develop a web service using CXF and Maven. Starts off by creating a web service without CXF, adds tests and then replaces non-test code with code generated by CXF. Should be a worth while walkthrough.

Oracle

WadeLiu Blog On Oracle: query and kill oracle connection session

My tests failed initially due to the fact I had not added new trusted certificate entries into the existing client certificate. This happened repeatedly and must have used up all the connections in the database pool. They were eventually released, but I tried to see if I could hurry that cleanup along.

I had permissions to execute the first two lines, but not the last one.

SQL> SELECT s.sid, s.serial#, s.osuser, s.program FROM v$session s; 

SQL> select sid from v$session where audsid= userenv('SESSIONID'); 

SQL> ALTER SYSTEM KILL SESSION 'sid,serial#' IMMEDIATE;
Posted by at No comments:
Labels: ,
Subscribe to: Comments (Atom)