StartSSL (StartCOM) certificates and Tomcat
StartSSL offers a great service – free SSL certificates that are trusted by most browsers.
When generating a certificate from a Certificate Signing Request they require the key to be RSA 2048 bits and the request to be signed with SHA1. Below are the commands I used setting up Tomcat on Windows. It took me a while to get it just right, so I thought I would share.
First, create the keystore containing the self-signed certificate using the Java keytool command. The keypass and storepass must be the same (Tomcat limitation). The important things for StartSSL compatibility are the key size, key algorithm and signing algorithm.
keytool -genkey -keysize 2048 -keyalg RSA -sigalg SHA1withRSA -alias myserver -keystore serverkeystore -keypass changeit -storepass changeit -dname "CN=myserver.mydomain.com,OU=ITS,O=OurCompany,L=Memphis,ST=Tennessee,C=US"
Next, create the CSR:
keytool -certreq -alias myserver -file myserver.csr -keystore serverkeystore
Copy and paste the contents of the CSR into the StartSSL Certificate Wizard when prompted. Once the certificate is issued, import it into the keystore along with the certificate chain, which should be downloaded from the StartSSL site. Import the root and intermediate CA certificates first, then the issued server certificate:
keytool -import -alias startsslca -file startssl.ca.cer -keystore serverkeystore -trustcacerts
keytool -import -alias startsslca2 -file startssl.sub.class2.server.ca.cer -keystore serverkeystore -trustcacerts
keytool -import -alias myserver -file myserver.mydomain.com.cer -keystore serverkeystore
Now, modify the Tomcat server.xml file to enable SSL and restart Tomcat. A sample SSL connector section using port 8443 is below.
<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
<Connector port="8443" maxHttpHeaderSize="8192"
  maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
  enableLookups="false" disableUploadTimeout="true"
  acceptCount="100" scheme="https" secure="true"
  clientAuth="false" sslProtocol="TLS" keystorePass="changeit" keystoreFile="D:\Program Files\Apache\Tomcat55\serverkeystore"/>
iPhone battery life woes
I have an iPhone 3GS that is coming up on 2 years old. I keep it up to date and it currently has iOS 4.2.1 installed.
About two weeks ago it started getting very warm and the battery charge would only last about 5 hours. Initially I thought it was a program running in the background that was going crazy. So I rebooted by holding down the Home and Sleep buttons until the screen went blank and then restarted. Same thing continued to happen. Next I made sure I had a current backup in iTunes and then did a Reset / Erase All Content and Settings on the phone. Then, I did a restore from the backup. Same thing. The phone would get very warm and the battery charge would only last 5 hours.
So, I decided to try the battery. I didn’t want to pay Apple $79.00 + $6.95 S&H to change the battery when there was no guarantee this would fix it. So, I researched and purchased a battery and tools from http://www.directfix.com. I chose them because they have taken the time to produce PDF instruction sheets and videos stepping you through the process.
The parts arrived very quickly (2 days) and I successfully replaced the battery and powered the phone back on. Same thing – warm and 5 hours battery life.
The only thing left to try was to erase the phone and then reinstall all of the applications and settings manually, not using a backup. So, on the phone I did a Reset / Erase All Content and Settings. Then, I hooked up to iTunes and selected Setup as a new iPhone and went through the process of configuring the sync options and reloading all of my apps, music, email etc. and setting up the application settings.
Thankfully, this fixed the issues. My iPhone is now working as expected; it no longer gets warm and the battery has great life.
Could my phone have become infected with a virus? Or did something trip a bug in iOS? I just hope it wasn’t a virus but I am changing all of my passwords just in case.
Verisign Certificate issues with Firefox
We recently had to renew a Verisign certificate for one of our domains.
We installed the renewed certificate and restarted Apache (we are running Apache on RHEL 5). Initially everything looked OK, but we then found that Firefox was complaining that it could not validate the certificate, although IE, Safari and Chrome did not complain. We also started seeing errors in our WebLogic logs for select applications running under that domain name:
java.io.IOException: weblogic.security.AuthenticationException: Incorrect block length 256 (modulus length 128) possibly incorrect SSLServerCertificateChainFileName set for this server certificate.
We called Verisign Support and they pointed us to the following bulletin.
Apparently, certificates issued by them after October 2010 require new intermediate CAs. The article gives a link to download the required CA bundle (a Primary Intermediate CA and a Secondary Intermediate CA). Instead of supplying a file, the page contains the text that has to be copied and pasted to create the certificate file. On Windows 7 using IE9 Beta and on XP using IE 8 we had issues copying and pasting the text; it would paste and look correct in Notepad but Apache would reject the file. In the end I tried using Google Chrome and Notepad on Windows 7 and it finally worked.
In case you run into the same problem, here is a link to Verisign2010.doc for you to use as your SSLCertificateChainFile in Apache. Save it as verisign.2010.cer – do not open it in MS Word (I had to use the .doc extension to be able to upload it to WordPress).
http://magictrevor.files.wordpress.com/2010/12/verisign2010.doc
Fix mouse pausing issues
My work laptop was recently upgraded to a Dell Latitude E6500 running Windows 7.
I wanted a mouse that didn’t have a cable or require a dongle. So, I installed a Dell Wireless 370 Bluetooth Mini-card (purchased for $9.95 from eParts and More), installed the Dell drivers and paired the Microsoft Bluetooth Notebook Mouse 5000 that I got on eBay for $29.95.
Everything went smoothly except that randomly the mouse would pause / freeze for a few seconds and then start working again. This got annoying very quickly. I did some searching and found quite a lot of posters with the same problem but no solution. I tried various solutions with no success but then found some information that led to a solution that worked for me. I thought I would post here in the hope of helping others solve this frustrating issue.
Go to Control Panel and select Power Options. Select the High Performance plan and then select Change plan settings. Select Change advanced power settings. Scroll down to USB settings and click the + to expand it. Click + to expand USB selective suspend setting. Set both Plugged in and On battery to Disabled. Click Apply / OK and then close the power plan window.
The mouse will no longer pause / freeze.
Securing SiteScope 10.10
We are running SiteScope 10.10 on Windows Server 2003 authenticating against Active Directory using LDAP. We needed to secure SiteScope by using https for the interface and secure LDAP (ldaps) for authentication. The manuals for Version 10.10 are not complete in their instructions on how to do this. This is how we did it.
Note: These instructions work if you have the Enable configuration files box checked in the Preferences Main Panel. If not checked you will have to use PersistencyViewer.bat in the SiteScope bin directory to make the changes to master.config.
SiteScope runs on Tomcat and has a built-in HTTP server used to display reports. Both have to be reconfigured to use https.
The instructions assume the Domain Controllers are already set up to accept secure LDAP connections on port 636.
- We use our own Certificate Authority (CA) and so needed SiteScope to trust it. This was done by importing our CA's root certificate into the correct Java certificate store. c:\ss_10.10 is the directory where we have SiteScope installed. These are the commands we used:
cd c:\ss_10.10\sitescope\java\lib\security
..\..\bin\keytool -import -alias ourca -file our-ca.crt -keystore cacerts
The default password for the cacerts store is changeit.
- Next we changed the LDAP service provider value in c:\ss_10.10\SiteScope\groups\user.config from
ldap://dc.ourdomain.local:389
to
[LDAP-SSL]ldap://dc.ourdomain.local:636
- Next a keystore was set up for SiteScope to use. Per HP, the keypass and storepass should be the same.
..\java\bin\keytool -genkey -alias sitescopeserver -keyalg "RSA" -keystore serverKeystore -keypass changeit -dname "CN=sitescope.ourdomain.local,OU=ITS,O=OurCompany,L=Memphis,ST=Tennessee,C=US" -storepass changeit
- Next, a certificate request was generated and sent to the CA:
..\java\bin\keytool -certreq -alias sitescopeserver -file sitescope_local.csr -keystore serverKeystore -keyalg "RSA"
- The issued certificate was then imported into the keystore:
..\java\bin\keytool -import -trustcacerts -alias sitescopeserver -file c:\Certs\drsitescope_local.crt -keystore serverKeystore
- Next, Tomcat had to be configured to create an https connector and disable the http connector.
Edit c:\ss_10.10\SiteScope\Tomcat\conf\server.xml. Comment out the http connector definition and add the https connector definition:
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector port="8443"
  maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
  enableLookups="false" acceptCount="100"
  debug="0" connectionTimeout="20000"
  scheme="https" secure="true"
  clientAuth="false" sslProtocol="TLS"
  keystoreFile="C:\SS_10.10\SiteScope\groups\serverKeystore" keystorePass="changeit"
  disableUploadTimeout="true"
  compression="on"
  compressionMinSize="2048"
  noCompressionUserAgents="gozilla, traviata"
  compressableMimeType="text/html,text/xml"
/>
- Next, edit c:\ss_10.10\SiteScope\groups\master.config and define the new https port and cert password with the following lines:
_httpsActivePort=8889
_httpSecurePort=8889
_httpSecureKeyPassword=changeit
_httpSecureKeystorePassword=changeit
- Once all of the above steps were completed we restarted the SiteScope Windows service and then in IE went to the new URL https://sitescope.ourdomain.local:8443/SiteScope/ and logged in.
Integrate Subversion with Active Directory via Secure LDAP
We are running Subversion version control V1.6.3 on Red Hat Enterprise Linux (RHEL) V5.5. It is integrated with our Active Directory (Windows 2003 Domain Controllers) via Secure LDAP (ldaps) for user authentication. This is how it is set up.
- We use our own Certificate Authority (CA) to issue certificates for the Domain Controllers. So, to trust the certificates that AD presents when we connect to it we need to trust the root CA. We copied the CA's root certificate to the /opt/CollabNet_Subversion/openssl/certs directory. Then, we trust it by adding the following line to the httpd.conf file (the path must be absolute, or Apache resolves it relative to ServerRoot):
LDAPTrustedGlobalCert CA_BASE64 /opt/CollabNet_Subversion/openssl/certs/root-ca.crt
- We enable LDAP SSL by adding the following line to the httpd.conf file:
LDAPTrustedMode SSL
- Next we configured a combination of file and secure LDAP authentication by adding the following lines to the Apache VirtualHost configuration. A regular domain user account (ldapuser in our case) is needed for the LDAP lookups as AD does not allow anonymous LDAP connections.
AuthType Basic
AuthBasicProvider file ldap
AuthName "Ourdomain Subversion repository"
AuthUserFile /etc/httpd/conf/svn.pass
AuthzLDAPAuthoritative off
AuthLDAPBindDN "cn=ldapuser,ou=Corp,dc=ourdomain,dc=local"
AuthLDAPBindPassword youguessit
AuthLDAPURL ldaps://dc3.ourdomain.local:636/DC=ourdomain,DC=local?sAMAccountName?sub?(objectClass=user)
Require valid-user
AuthzSVNAccessFile /etc/httpd/conf.d/svn.access
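As an added example (not code from the post, Apache or CollabNet), a small Python checker for the directives above: it parses the AuthLDAPURL shape mod_authnz_ldap uses (scheme://host[:port]/basedn?attribute?scope?filter) and flags settings that would weaken the LDAPS setup. The config text inside is constructed from the directives shown, with a relative certificate path and a plain ldap:// variant as the weak cases.

```python
"""Check the mod_authnz_ldap directives from the Subversion setup above for
settings that would undo the secure-LDAP configuration. Constructed example,
not Apache's, CollabNet's or the post's own code."""
from urllib.parse import unquote

def parse_auth_ldap_url(url):
    """Split AuthLDAPURL: scheme://host[:port]/basedn?attribute?scope?filter."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme not in ("ldap", "ldaps"):
        raise ValueError("AuthLDAPURL must start with ldap:// or ldaps://")
    hostport, _, rest = rest.partition("/")
    host, _, port = hostport.partition(":")
    fields = (rest.split("?") + [""] * 4)[:4]
    basedn, attribute, scope, filt = (unquote(f) for f in fields)
    return {"scheme": scheme, "host": host,
            "port": int(port) if port else (636 if scheme == "ldaps" else 389),
            "basedn": basedn, "attribute": attribute or "uid",
            "scope": scope or "sub", "filter": filt or "(objectClass=*)"}

def parse_directives(text):
    """Apache config lines -> {directive: value}; quotes stripped, comments skipped."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, value = line.partition(" ")
            out[name] = value.strip().strip('"')
    return out

def audit_ldap_auth(text):
    """Return findings for one auth block; an empty list means nothing to flag."""
    d = parse_directives(text)
    url = parse_auth_ldap_url(d["AuthLDAPURL"])
    findings = []
    encrypted = (url["scheme"] == "ldaps"
                 or d.get("LDAPTrustedMode", "").upper() in ("SSL", "TLS"))
    if not encrypted:
        findings.append("cleartext LDAP: bind and user passwords cross the network unencrypted")
    if url["scheme"] == "ldaps" and url["port"] != 636:
        findings.append("ldaps on port %d; the DCs listen on 636" % url["port"])
    cert = d.get("LDAPTrustedGlobalCert", "").split()
    if encrypted and not cert:
        findings.append("no LDAPTrustedGlobalCert: DC certificate cannot be checked against the private CA")
    elif cert and not cert[-1].startswith("/"):
        findings.append("LDAPTrustedGlobalCert path is relative to ServerRoot: " + cert[-1])
    if "objectclass=user" not in url["filter"].lower():
        findings.append("search filter does not restrict matches to user objects")
    return findings

# Constructed from the directives in the post. The relative certificate path
# is a common slip: Apache resolves it against ServerRoot and fails to open it.
SVN_AUTH = """
LDAPTrustedGlobalCert CA_BASE64 opt/CollabNet_Subversion/openssl/certs/root-ca.crt
LDAPTrustedMode SSL
AuthType Basic
AuthBasicProvider file ldap
AuthName "Ourdomain Subversion repository"
AuthUserFile /etc/httpd/conf/svn.pass
AuthzLDAPAuthoritative off
AuthLDAPBindDN "cn=ldapuser,ou=Corp,dc=ourdomain,dc=local"
AuthLDAPBindPassword youguessit
AuthLDAPURL ldaps://dc3.ourdomain.local:636/DC=ourdomain,DC=local?sAMAccountName?sub?(objectClass=user)
Require valid-user
"""
SVN_AUTH_FIXED = SVN_AUTH.replace(" opt/", " /opt/")
# Weak variant: plain ldap:// and no LDAPTrustedMode, so nothing is encrypted.
SVN_AUTH_CLEARTEXT = SVN_AUTH_FIXED.replace("LDAPTrustedMode SSL\n", "").replace(
    "ldaps://dc3.ourdomain.local:636", "ldap://dc3.ourdomain.local")
```

Call audit_ldap_auth() on each of the three constants: the posted block reports only the relative path, the fixed block reports nothing, and the cleartext variant reports the unencrypted bind.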
Integrate Joomla! with Active Directory via Secure LDAP
We are running Joomla! Content Management System (CMS) Version 1.5.9 on Red Hat Enterprise Linux (RHEL) V5.5. It is integrated with our Active Directory (Windows 2003 Domain Controllers) via Secure LDAP (ldaps) for user authentication. This is how it is set up.
- We use our own Certificate Authority (CA) to issue certificates for the Domain Controllers. So, to trust the certificates that AD presents when we connect to it we need to trust the root CA. We copied the CA's root certificate to /etc/pki/tls/certs on the Linux server hosting Joomla! and then ran the commands:
cd /etc/pki/tls/certs
ln -s root-ca.crt `openssl x509 -hash -noout -in root-ca.crt`.0
- Next we had to tell Joomla! to connect to Active Directory using the Secure LDAP (ldaps) protocol. This is not documented anywhere, but by looking at the Joomla! code we found that the way to do this is in the Host parameter field of the LDAP Authentication plugin. Instead of just entering a host name, put in the full connection string, e.g.
ldaps://dc3.ourdomain.local
Note that the name of the domain controller must be as it is specified on the Domain Controller's certificate. In the Port field, enter 636. It is best to point Joomla! to a DC that is also a Global Catalog server, particularly if you have a multi-domain forest; you may have problems with referrals otherwise.
- These are the rest of the parameters for the LDAP Authentication plugin. All of our user accounts are in an Organizational Unit (OU) called Corp.
Note that Active Directory does not allow anonymous LDAP connections, so you must have a user set up to be able to connect to AD via LDAP. A regular Domain User account is all that is needed in this case.
LDAP V3 – Yes
Negotiate TLS – No
Allow Referrals – No
Authorization Method – Bind and Search
Base DN – OU=Corp,DC=ourdomain,DC=local
Search String – sAMAccountName=[search]
User's DN – Blank
Connect Username – CN=ldap_user,OU=Corp,DC=ourdomain,DC=local
Connect Password – ********
Map: Full Name – displayName
Map: E-mail – mail
Map: User ID – sAMAccountName
- In the plugin Details section, enable the plugin, set Access level to Public and Order to 1.
Important: Make sure the Authentication – Joomla plugin is enabled and set to Order 2. Also, in User Manager make sure you have the local admin account defined and enabled so you can still log in and make changes if LDAP fails!
After making the changes, restart Apache.
The way this works is that when a user first logs in using their domain credentials, Joomla! creates a matching local entry in the user table. You can then use User Manager to assign the user to a group if they need more privileges and to make other changes as required. You will see that the password fields are greyed out, as the password is set in AD.
AT&T customer? Check your bill carefully.
So, I get the AT&T home phone bill and there is a new charge on there called “Worldwide Occasional Calling Monthly Fee”. It is $1 a month but with the associated “Federal Universal Service Fund Fee”, “Carrier Cost Recovery Fee” and TN taxes it has increased my monthly bill by almost $4. I don't use my AT&T line for worldwide calling (I use Google Voice or Skype) and did not order this service. I went on the AT&T website but it would not let me remove this service. So, I called AT&T. The customer service rep said he had no idea why this was added to my bill, removed it and credited me the amount.
Now I don’t know how many customers AT&T has but charging each one an additional $4 a month would be a nice chunk of change I am sure. Just saying……
Authenticating Linux logins against Active Directory
I had the need to authenticate logins to some CentOS 5.3 Linux boxes against a Windows 2000/2003 Active Directory domain. This blog entry details the setup I used.
All of the users in AD are in an OU called Corp. We decided to make a new AD security group, LinuxUsers; to log in to a Linux box the AD user has to be a member of this group.
We wanted the communications between the Linux boxes and the Windows Domain Controllers (DCs) to be secure, so we wanted to use Secure LDAP (LDAPS) on port 636. This requires a certificate to be installed on each Domain Controller. This could be done by installing the Microsoft Certificate Authority on one of the DCs, but this causes all machines in the domain to request a certificate and to start performing all domain communications over SSL. As this can cause issues and headaches I opted to just install a third-party certificate on each DC. Doing this just enables LDAPS on the DCs after they are rebooted and does not affect other domain traffic. I followed the instructions documented by Microsoft in their KB article 321051. We already have a certificate authority (CA) we use for issuing our own certificates (the XCA program). This happily accepted the cert requests generated on the DCs and generated certs that the DCs liked.
The DCs also had to be configured to trust our CA. This involved installing our CA’s root certificate in the ‘Trusted Root Certification Authorities\Certificates’ folder in the Local Computer certificate store on each DC using the Certificates MMC plugin. If this is not done errors will occur when Windows boots.
Each of the Linux boxes also had to be set up to trust our CA. This is so they will trust the certificate presented to them by the DCs when they open the LDAPS connection. This involved importing our CA's root certificate into Linux with these commands, where root-ca.crt is our CA's root certificate filename:
cp root-ca.crt /etc/pki/tls/certs
cd /etc/pki/tls/certs
ln -s root-ca.crt `openssl x509 -hash -noout -in root-ca.crt`.0
The next step was to set up the LDAP client configuration on the CentOS 5.3 Linux boxes. Below is the /etc/ldap.conf file used to do this. Note that the server name in the URI must match what was used for the DCs' certificates. Also note that AD does not allow anonymous lookups, so a regular user account has to exist in AD that the Linux machines can use to bind. In our case I used linuxldapuser.
base ou=Corp,dc=test,dc=local
binddn cn=linuxldapuser,ou=Corp,dc=test,dc=local
bindpw GuessThis!
scope sub
timelimit 120
bind_timelimit 120
idle_timelimit 3600
pam_password ad
pam_login_attribute sAMAccountName
pam_filter &(objectclass=User)(!(sAMAccountName=root))
pam_member_attribute member
pam_groupdn cn=LinuxUsers,ou=Corp,dc=test,dc=local
uri ldaps://dc1.test.local ldaps://dc2.test.local ldaps://dc3.test.local
ssl on
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,vcsa,dbus
The pam_filter line is structured to prevent a potential security issue where a user called root could be created in Active Directory to gain root access on the Linux boxes.
The nss_initgroups_ignoreusers line prevents the Linux machine from hanging on boot if it cannot contact one of the DCs; this is a documented bug.
The next step was to configure PAM on the CentOS boxes to use LDAP for authentication. Below are the auth directives from the PAM configuration file /etc/pam.d/system-auth that I used.
auth required pam_env.so
auth sufficient pam_ldap.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
This tells PAM to try authenticating the user with the LDAP module first. If this fails it will try the Unix authentication module, using the password that was typed in. This allows us to still authenticate accounts that are set up locally on the CentOS boxes and do not have a matching AD account, such as root and other service accounts. It also means these accounts can authenticate even if access to the DCs is down (network issues, maintenance etc.).
Finally, make sure that the CentOS boxes can resolve the hostnames of the Domain Controllers either via DNS or with entries in the local /etc/hosts file.
The above configuration is very basic; it does not try to do password synchronization between environments or any kind of UID/GID mapping. It merely does authentication.
Users must have an account in both AD and Linux, and the login name must be the same, as this is what LDAP uses to do the matchup and authentication. To ensure that these users only use their AD password to log in, their Linux password is locked using the usermod -L username command. To prevent them from trying to change their password in the Linux environment we use the command passwd -n 10000 username. This means they have to change their password in AD, and AD controls password policies for all accounts except those that we specifically allow to log in via the Unix PAM module.
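An added example, not part of the post or of pam_ldap: a small Python filter evaluator that shows what the pam_filter above admits and rejects, plus a builder that extends the same root exclusion to every local account in the nss_initgroups_ignoreusers list. The directory entries are constructed; the evaluator supports only the &, | and ! operators and attr=value terms that this filter needs.

```python
"""Build and evaluate the pam_filter from the /etc/ldap.conf above. The filter
on this page, &(objectclass=User)(!(sAMAccountName=root)), stops an AD account
named root from being resolved for the local root user; build_pam_filter()
generalises that to every local account that must never come from AD. The
evaluator and the directory entries are constructed for this example; nothing
here is pam_ldap's own code."""

def ldap_escape(value):
    """RFC 4515 escaping for a value placed inside a filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def ldap_unescape(value):
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\":
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return "".join(out)

def build_pam_filter(protected_accounts):
    """pam_ldap adds the outer parentheses itself, so they are omitted here,
    exactly as in the ldap.conf on this page."""
    excludes = "".join("(!(sAMAccountName=%s))" % ldap_escape(a)
                       for a in sorted(protected_accounts))
    return "&(objectclass=User)" + excludes

def matches(filter_value, entry):
    """Evaluate &, |, ! and attr=value (case-insensitive, as AD compares) against
    an entry whose values are strings or lists of strings."""
    lowered = {k.lower(): v if isinstance(v, list) else [v] for k, v in entry.items()}

    def parse(s, i):  # s[i] is "("; returns (result, index after the matching ")")
        i += 1
        if s[i] in "&|":
            op, i, parts = s[i], i + 1, []
            while s[i] == "(":
                r, i = parse(s, i)
                parts.append(r)
            return (all(parts) if op == "&" else any(parts)), i + 1
        if s[i] == "!":
            r, i = parse(s, i + 1)
            return (not r), i + 1
        j = s.index(")", i)  # escaped parens are hex sequences, never a literal ")"
        attr, _, value = s[i:j].partition("=")
        value = ldap_unescape(value).lower()
        return any(v.lower() == value for v in lowered.get(attr.lower(), [])), j + 1

    return parse("(" + filter_value + ")", 0)[0]

def resolvable(filter_value, entries):
    """sAMAccountNames that pam_ldap would accept from AD under this filter."""
    return [e["sAMAccountName"] for e in entries if matches(filter_value, e)]

PAGE_FILTER = "&(objectclass=User)(!(sAMAccountName=root))"
AD_ENTRIES = [  # constructed directory entries, not real accounts
    {"objectClass": ["top", "person", "user"], "sAMAccountName": "jsmith"},
    {"objectClass": ["top", "person", "user"], "sAMAccountName": "Root"},   # impostor
    {"objectClass": ["top", "person", "user"], "sAMAccountName": "named"},  # local service name
    {"objectClass": ["top", "group"], "sAMAccountName": "LinuxUsers"},
]
# Protect every account the post keeps local: root plus the ignore list.
LOCAL_ACCOUNTS = {"root", "ldap", "named", "avahi", "haldaemon", "vcsa", "dbus"}
HARDENED_FILTER = build_pam_filter(LOCAL_ACCOUNTS)
```

resolvable(PAGE_FILTER, AD_ENTRIES) still admits an AD account named after a local service user, while HARDENED_FILTER admits only the real domain user.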
Useful links
The Linux-PAM System Administrators’ Guide
The PAM LDAP module
Red Hat Bug # 234541
Listen to iPhone on Dell laptop speakers
I recently purchased a nice little dock for my iPhone from Mertline. As well as being able to charge my iPhone when I need to, it also has an audio out jack. This I planned on connecting to the Mic input on my work Dell laptop so I could listen to music when I didn't want to wear headphones.
The dock arrived from Singapore ($3.99 with free shipping!) and I hooked up the cables (purchased separately from Hong Kong), docked my iPhone and selected some music to play. No sound from my Dell laptop. I checked the cable (3.5mm to 3.5mm stereo jacks) and found no problem. I plugged headphones into the dock instead of the cable and I got music. I plugged the cable back in – still no music from the laptop speakers. I tested that I could hear the regular Windows sounds no problem.
So, I decided to turn to google.com for help. What I found was interesting. Turns out Dell ships most of their laptop models configured so that you cannot hear anything that is connected to the line-in or mic-in inputs; you can only record the input. I assume this is so that you do not get audio feedback and other issues with a mic being so close to the speakers.
Changing this depends on the operating system running and the sound card/chip installed.
On my work Dell D630C with SigmaTel sound running Windows XP SP3 I had to change three registry settings, reboot and then configure settings in Control Panel to make this setup work.
If you have a different model laptop or operating system a search on Google and some poking around in the registry (be careful!) will be needed.
- Run regedit
- Change the value of all occurrences of EnableInputMonitor from 0 to 1
- Change the value of all occurrences of EnableIntSpkrMute from 1 to 0
- Change the value of all occurrences of RecMonitorMute from 1 to 0
- Reboot the machine
- In Control Panel, click on Sounds and Audio Devices
- Click on Audio
- Click on Volume in the Sound recording section
- Click on Options/Properties and check the Microphone box and click OK
- Check the box for Microphone, set the Microphone volume level mid-way and then close the Recording Control window
- Click OK in the Sounds and Audio Devices Properties window.
My iPhone now plays through the speakers of my Dell laptop. Yay…