
Thursday, December 13, 2012

Certificates: Common Name, Subject Alternative Names and ColdFusion

This article is about an issue that raised its head whilst installing a 2048-bit key certificate into our ColdFusion servers.

I have already written an article about getting the certificates installed into the Java Engine lying under ColdFusion.

Now we were having issues with a certificate and a connection to a partner site. The connection used to work until they upgraded their certificate to one with a 2048-bit key length.

We had successfully added the certificate to the Java keystore, which we have done numerous times in the past, but with this certificate, even though it was in the keystore, we still could not connect.

In the end what we found was that the certificate was a multi-domain certificate; this means that the certificate is valid for a number of different domains. In certificates this is supported by the use of an extension field called

Subject Alternative Name (SAN)

Now according to the RFCs, the way the domain should be checked is that the application should check the SAN field first and then the Subject field (specifically its Common Name (CN) entry). The CN entry holds just one domain.

So what we found was that when we connected to the server running on the domain listed in the CN, the connection would be OK. If we tried to connect to one of the domains listed in the SAN field (other than the domain in the CN), the connection would fail.

We then traced this problem to an issue with ColdFusion prior to version 9. It appears that CF7 and CF8 do not check the SAN field, only the CN entry. This means you cannot use multi-domain certificates with CF7 or CF8.

To use/trust multi-domain certificates in ColdFusion you have to use CF9+.
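As an added example (not code from this post or from ColdFusion), here is a small Python model of the two checking behaviours described above: a CN-only matcher, and a SAN-first matcher that follows the RFC 6125 rule of ignoring the CN whenever dNSName SANs are present. The Cert class and the partner.example certificate are constructed stand-ins.

```python
from dataclasses import dataclass, field


@dataclass
class Cert:
    """Just the two identity fields of an X.509 certificate this post is about (constructed stand-in)."""
    cn: str                                       # Subject Common Name: a single host name
    san_dns: list = field(default_factory=list)   # dNSName entries of the Subject Alternative Name extension


def _name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive host-name match; '*' is honoured only as the whole left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    p, h = pattern.split("."), host.split(".")
    # The wildcard must be a full label, must not cover a public suffix ('*.com'),
    # and matches exactly one label (so 'a.b.files...' does not match '*.files...').
    if p[0] != "*" or len(p) < 3 or len(p) != len(h):
        return False
    return p[1:] == h[1:]


def matches_cn_only(cert: Cert, host: str) -> bool:
    """Legacy behaviour the post describes for CF7/CF8: only the Subject CN is consulted."""
    return _name_matches(cert.cn, host)


def matches_san_first(cert: Cert, host: str) -> bool:
    """SAN-aware check (RFC 6125 rule): when dNSName SANs are present they alone decide;
    the CN is consulted only for certificates that carry no SAN at all."""
    if cert.san_dns:
        return any(_name_matches(name, host) for name in cert.san_dns)
    return _name_matches(cert.cn, host)


# Constructed multi-domain partner certificate, like the one described in the post.
PARTNER_CERT = Cert(
    cn="api.partner.example",
    san_dns=["api.partner.example", "secure.partner.example", "*.files.partner.example"],
)


def compare(cert: Cert, host: str) -> dict:
    """Side by side: would a CN-only client and a SAN-aware client accept this host name?"""
    return {"cn_only": matches_cn_only(cert, host), "san_first": matches_san_first(cert, host)}


if __name__ == "__main__":
    for host in ("api.partner.example", "secure.partner.example", "cdn.files.partner.example"):
        print(f"{host:28} {compare(PARTNER_CERT, host)}")
```

The second and third hosts reproduce the failure in the post: a CN-only client rejects them even though the certificate is valid for them.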

The images below are to help visualise the above fields in the certificates.

Image 1 is from an article on DigiCert that explains Subject Alternative Names (I include it here to show where you can see the SAN field). The second image, from the University of California Davis, shows the CN entry in the Subject field (green outlined rectangle).

[Image: IE 7 certificate subject details]



Tuesday, December 11, 2012

2048bit key length certificates and Java (specifically ColdFusion)

Recently some of the partners we use have started to deploy certificates with key lengths of 2048bits. The 2048 bit length has become the standard accepted minimum key length for secure communication.

We have been using 2048-bit key lengths on our own web sites for a few years now, so we are not unused to them; however, with the partners now using them it meant we had to trust these certificates. Now here comes the issue. Our systems use ColdFusion and as such run on Java. A US export policy limited the key length US companies could provide outside the US, and as a result all versions of Java up to 1.7 ship with this limitation by default, so you would not be able to apply the certificate with a 2048-bit key length.

The way round this is to download the

Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files

These files overwrite the existing policy files and are available for download from Oracle; from what I can see there are policy files for

Java SE 7,  Java SE 6, Java SE 5, Java 1.4.2, Java  1.2.2

Installing these policy files is very easy: download the correct version and extract it. You then need to grab two files

  • local_policy.jar
  • US_export_policy.jar

Now locate the following folder in the Java environment you want to amend, e.g. (default for Java SE 6)

c:\Program Files\Java\jre6\lib\security

In here you should find files of the same name; make backup copies of these files, then overwrite the originals with the files extracted from the downloaded JCE policy zip file.

Now you will have to restart the Java instance.

OK, so now you should be able to install the 2048-bit key length certificate into the keystore (cacerts).

Below are a couple of commands showing how to list the existing certificates in a keystore and then how to install a certificate.

The cacerts keystore is usually found somewhere like this (it will be wherever the Java instance is installed):

c:\Program Files\Java\jre6\lib\security

List the certificates in the keystore and dump them into a text file:

<Java home>\bin>keytool.exe -list -v -storepass changeit -noprompt -keystore <Java home>\lib\security\cacerts > c:\certificate.txt

Install the certificate CertificateFileName.crt into the keystore.

Note: -storepass changeit is the default password for the keystore, which can be changed.

<Java home>\bin>keytool.exe -import -keystore <Java home>\lib\security\cacerts -alias anyNameYouWantToReferenceYourCertificateInKeyStore -storepass changeit -noprompt -trustcacerts -file C:\temp\CertificateFileName.crt



Thursday, November 29, 2012

Sapphire HD7850–Intermittent Audio Drop Out

Back in June 2012 I built a Home Theatre PC. I was really happy with the setup, except that when I ran the audio through HDMI to the receiver I had intermittent sound dropouts. The dropouts were literally a second long, but they were random and really annoying.

I tried a number of things, but nothing worked. Anyway, I put up with the issue for a while; I had other things going on and assumed that either Sapphire, AMD or Onkyo (the receiver) would fix the issue.

So after 6 months I have now found a solution. It was in a thread on the issue I was having:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Video\{XXXX...}\0000
('XXXX' means device number. There are several device number folders, and you should find 'AdapterDesc' in the 0000 folder whose key value is 'amd radeon HD 7XXX Series'.)
In that '0000' folder, change the 'PP_SclkDeepSleepDisable' REG_DWORD value from 0 to 1.

I rebooted, and touch wood the problem has gone.

References are here:

http://www.overclockers.com/forums/showthread.php?s=13d1bbb978d7106ac1b27ca8efa9374d&p=7337754#post7337754

There was another solution that seemed to work, but needed to be done after each reboot. The above registry entry should work all the time.

http://www.overclock.net/t/1295464/intermittent-hdmi-audio-output-on-7970-12-8-drivers



Samsung Galaxy SII (i9100)–Android–100% Battery Charge Issue (USB)

Recently I had an issue where my phone's battery status started behaving erratically: not showing the correct level, then saying fully charged and then immediately changing after disconnection from the charger.

Eventually, after poring over numerous battery notification forums, I found this blog:

http://andycorps.blogspot.com.au/2011/10/samsung-galaxy-s2-i9100-erratic-battery.html?showComment=1333511234964#c1325155034377407919

It fixed my issue: just cleaning the USB port.

I now have another issue where if I disconnect the usb charger without



Wednesday, June 06, 2012

How to run Robocopy from SQL without a batch file

There is a problem running Robocopy from a command step in SQL Server jobs: Robocopy returns a non-zero code for success. I won't go into why that is here; it is to do with flags and ANDing, if you want to look it up.

So if you call Robocopy directly, the SQL step will always fail (even though the copy was successful).

My way round that is to use START. Now this solution will always return success, so if Robocopy does actually fail you will never know. For my purpose this was acceptable. You can get around this by placing your Robocopy command in a batch file and calling the batch file from the SQL Server job step.

So, to use START:

START "<window title>" /WAIT ROBOCOPY /COPY:DAT /MOV /NP ^"<source>^" ^"<destination>^"

This works for me.
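An added example, not from this post: a Python wrapper that can replace the START trick in a CmdExec job step. It maps Robocopy's documented bit-flag exit codes (1, 2 and 4 are informational; 8 and 16 signal real errors) onto 0/1, so the job step fails only when the copy actually failed. The script name robocopy_step.py is an assumption.

```python
import subprocess
import sys

# Robocopy's exit status is a bit mask built from these documented flag values.
ROBOCOPY_FLAGS = {
    1: "one or more files were copied",
    2: "extra files or directories exist in the destination",
    4: "mismatched files or directories were detected",
    8: "some files or directories could not be copied (copy errors / retry limit)",
    16: "fatal error: nothing copied (bad syntax, access denied, ...)",
}
FAILURE_MASK = 8 | 16  # only these two bits mean the copy actually went wrong


def robocopy_failed(rc: int) -> bool:
    """True when the 'copy error' or 'fatal' bit is set; 0..7 are all successful outcomes."""
    return (rc & FAILURE_MASK) != 0


def describe(rc: int) -> list:
    """Human-readable list of the flags set in a Robocopy exit code."""
    if rc == 0:
        return ["nothing to do: source and destination already in sync"]
    return [text for bit, text in ROBOCOPY_FLAGS.items() if rc & bit]


def step_exit_code(rc: int) -> int:
    """Exit code to hand back to SQL Server Agent: 0 = success, 1 = failure."""
    return 1 if robocopy_failed(rc) else 0


def run_robocopy(args: list) -> int:
    """Run Robocopy with the given arguments and return its raw exit code."""
    return subprocess.run(["robocopy", *args]).returncode


if __name__ == "__main__":
    # e.g.  python robocopy_step.py /COPY:DAT /MOV /NP "<source>" "<destination>"
    code = run_robocopy(sys.argv[1:])
    for line in describe(code):
        print(f"robocopy rc={code}: {line}")
    sys.exit(step_exit_code(code))
```

Because the job step now sees a real failure code, a failed copy shows up in the job history instead of being masked by START.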



Thursday, April 26, 2012

Create an anonymous share in Windows 2008 server

I wanted to mount an ISO in Hyper-V across a network share; however, Hyper-V will not let you do this. It is due to security, which I won't go into here. To get round this you have to either copy the ISO locally or create the remote share to allow anonymous access. Now this is obviously a security issue, so you should judge whether this solution is suitable for you, but for me it makes sense.

I am grabbing the necessary fragment from a fuller article (linked here) by Scott Havens.

In an environment without Active Directory (like my home network), or when the machines in question are in domains that don’t talk with each other, we need something else.  One option is to enable anonymous access to the share where the ISOs are stored.  This solution is fine for my home network, and may be feasible for other small networks where security isn’t as much of an issue.  While the instructions below are for Windows Home Server specifically, they are easily adapted to a bog-standard (non-WHS) file server.

  1. First, go to Administrative Tools->Local Security Policy.

    In Security Settings/Local Policies/Security Options, make the following changes:

    - Network Access: Do not allow anonymous enumeration of SAM accounts and shares – Disabled
    - Network Access: Let Everyone permissions apply to anonymous users – Enabled
    - Network Access: Restrict anonymous access to Named Pipes and Shares – Disabled
    - Network Access: Shares that can be accessed anonymously – Add SOFTWARE (or the appropriate share) to the existing list

    In Security Settings/Local Policies/User Rights Assignment:

    - Access this computer from a network – Add ANONYMOUS LOGON and Everyone if they’re not already there

  2. After closing the Local Security Settings window you’ll need to reboot the server or force application of security policy via gpupdate.
  3. Then, open up Computer Management and go to System Tools->Local Users and Groups->Groups.
    Windows Home Server creates several security groups that provide read-only and read/write access to the shares it manages.  Find which group offers Read-Only access to the share and add Everyone to this group.  On my computer, the Software share is managed by RO_8 and RW_8, so I added Everyone to the RO_8 group.
  4. While you’re in Computer Management, go to System Tools->Shared Folders->Shares.  In the properties for the appropriate share, add Everyone to the Share Permissions.
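As an added defender's check (not part of Scott Havens' article or this post), this Python script reads a `secedit /export /cfg policy.inf` dump and reports whether each of the settings above is in the anonymous-access state; the same check confirms the settings were reverted once the ISO work is done. The registry names it maps the policy entries to (RestrictAnonymous, EveryoneIncludesAnonymous, RestrictNullSessAccess, NullSessionShares, SeNetworkLogonRight) are this example's assumption, and the INF excerpt is constructed input.

```python
import configparser

# Registry values behind the Local Security Policy entries the post changes.
# The name mapping is this example's assumption; confirm it against secpol.msc on your server.
LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"
SRV = r"MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters"
EVERYONE_SID, ANONYMOUS_LOGON_SID = "*S-1-1-0", "*S-1-5-7"

# Constructed excerpt in the shape of a `secedit /export /cfg policy.inf` dump (not a real server's).
SAMPLE_INF = r"""
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-7,*S-1-5-32-544,*S-1-5-32-545
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess=4,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares=7,SOFTWARE,COMCFG
[Version]
signature="$CHICAGO$"
Revision=1
"""


def _parse_inf(inf_text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # keep registry paths as written instead of lower-casing them
    cp.read_string(inf_text)
    return cp


def _reg_data(cp: configparser.ConfigParser, key: str):
    """Return the data part of a 'type,data' registry entry, or None if the entry is absent."""
    raw = cp["Registry Values"].get(key)
    if raw is None:
        return None
    _reg_type, _, data = raw.partition(",")
    return data.strip()


def anonymous_share_status(inf_text: str, share: str) -> dict:
    """For each setting the post changes, True means it is in the anonymous-access state."""
    cp = _parse_inf(inf_text)
    null_shares = {s.strip().upper() for s in (_reg_data(cp, SRV + r"\NullSessionShares") or "").split(",")}
    net_logon = {s.strip() for s in cp["Privilege Rights"].get("SeNetworkLogonRight", "").split(",")}
    return {
        "anonymous enumeration of SAM accounts and shares: Disabled": _reg_data(cp, LSA + r"\RestrictAnonymous") == "0",
        "Everyone permissions apply to anonymous users: Enabled": _reg_data(cp, LSA + r"\EveryoneIncludesAnonymous") == "1",
        "restrict anonymous access to Named Pipes and Shares: Disabled": _reg_data(cp, SRV + r"\RestrictNullSessAccess") == "0",
        f"{share} listed in shares that can be accessed anonymously": share.upper() in null_shares,
        "ANONYMOUS LOGON and Everyone hold 'Access this computer from the network'": {ANONYMOUS_LOGON_SID, EVERYONE_SID} <= net_logon,
    }


def share_is_anonymous(inf_text: str, share: str) -> bool:
    """True only when every setting is in place, i.e. the share really is reachable anonymously."""
    return all(anonymous_share_status(inf_text, share).values())


if __name__ == "__main__":
    for setting, ok in anonymous_share_status(SAMPLE_INF, "SOFTWARE").items():
        print(f"[{'x' if ok else ' '}] {setting}")
    print("share anonymous:", share_is_anonymous(SAMPLE_INF, "SOFTWARE"))
```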


Wednesday, April 25, 2012

Win2k8R2 - Unable to rename a connection–already exists

I image a lot of machines; it saves me having to go through the complete setup on each machine.

On a couple of occasions I have had issues with network connections: it seems Windows retains the old imaged server's NIC info, but sees the hardware on the new server as new. Therefore it will not add them to a team or give them the right name if you had renamed them.

On trying to rename them to the same name you had on the original machine, you will get an error saying the name already exists. But they will not show up in Network Connections, and even if you start Device Manager and select View\Show hidden devices they will not show.

You need to run the following from an elevated command prompt:

SET DEVMGR_SHOW_NONPRESENT_DEVICES=1

and then open Device Manager from that same prompt and select View\Show hidden devices. The devices that are no longer present on the new machine will be greyed out and can be uninstalled.

You will now be able to rename the connection.



Wednesday, March 28, 2012

Cisco Pix 6.3–allow ping replies

How to set up a PIX 6.3 to allow the ICMP replies to ICMP traffic initiated from the inside back in,
i.e. allow a computer on the inside interface to ping external (outside) computers.

By default outbound ICMP traffic is allowed but the responses are denied.

First we need to create an access-list to allow the required types of ICMP traffic.

example:

access-list 155 permit icmp any host 192.168.72. echo-reply


access-list <acl id> permit <protocol> any host <host ip> echo-reply

any – shorthand for any IP (0.0.0.0) with any subnet (wildcard mask 255.255.255.255).

host – shorthand for a wildcard mask of 0.0.0.0, i.e. exactly the one address given.

With the ACL set up, we need to bind it to the outside interface for inbound traffic.
<note: only assign one access-group to an interface; if you already have one, don't add another.>
access-group 155 in interface outside


Tuesday, March 27, 2012

Enabling ICMP on Cisco ASA firewall - ASDM

As always this is really for my reference in the future.

I wanted to allow ICMP traffic (pings, traceroutes) from inside to outside. I had set up ACLs etc. as for other protocols, which were working; however, ICMP traffic refused to work.

In the end I traced it down to a setting in ASDM:

ASDM\Configuration\Service Policy Rules\inspection_default\<edit>

\Rule actions

Check ICMP.


OK and then apply.

Ping and traceroute should now work, assuming you have created an ACL to allow the appropriate traffic. Note that this does not, I think, make the firewall itself respond to ICMP; that setting is somewhere else.

In addition, I believe the following is the CLI equivalent of the above (I have not tested or used it); it is here for info only.

policy-map global_policy
class inspection_default
inspect icmp
exit
exit


Thursday, February 23, 2012

PING–Partimage is not Ghost–How to manually force an ip

When booting from the PING iso, you are prompted to either go to a shell or to continue onto the PING gui.

If you are having trouble with it assigning an IP during the GUI, you can go to the shell first, manually assign an IP and then restart the GUI.

Go to the shell (x).

Log in as root with no password.

Then type

  • ifconfig eth0 up
  • ifconfig eth0 <ip> netmask <netmask>
  • route add default gw <gateway ip>

Once this is done, run the following; it will restart the GUI and you should be able to progress.

  • /etc/rc.d/rc.ping

Note: also in the shell you can add a route if needed:

  • route add -net <ip> netmask <netmask> gw <ip> dev eth0

added 20120426 – Note:

On machines with multiple network cards I found it hard to identify which NIC was which on the Dell servers. Luckily one card was a 4-port Intel card and the other was the onboard Broadcom NICs. I brought the interfaces up one at a time using ifconfig ethX up, then used ifconfig ethX to show details about the interface. Then I took the first 3 parts (the OUI) of the hardware/MAC address of the NIC and looked it up online. The Broadcom NICs came up as Dell and the Intel NICs as Intel. As the purpose of the NICs was split, Broadcom to the network I needed to use and Intel to another network, this allowed me to identify the NIC I needed to add an IP to.



Tuesday, February 14, 2012

SQL Server - List Database Recovery Models

Nice simple queries to list all databases with their recovery models.

SQL Server 2000
SELECT name,DATABASEPROPERTYEX (name, 'Recovery')
FROM sysdatabases
WHERE category IN ('0', '1','16')

If you want to limit the results, add
AND DATABASEPROPERTYEX (name, 'Recovery') = 'SIMPLE'


SQL Server 2005+
SELECT name AS [Database Name], recovery_model_desc AS [Recovery Model]
FROM sys.databases

If you want to limit the results, add
WHERE recovery_model_desc = 'SIMPLE'

Thursday, January 26, 2012

Reg Expression: Match between characters (non greedy)

Needed to match characters on one line from the start string >; to the end string <

>;(.*?)<

Note:

.* – this will match all characters (except end of line). This is called greedy, as it will keep on matching until the end of the line and then backtrack, since it still needs to match the <. It will therefore match from the first >; to the last <.

.*? – this makes it non-greedy, so it will match from >; to the first instance of <

i.e.

Example

string to be searched:- >;banana<blinky>;apple<cider>;orange<beer>

Greedy
reg expressions:-
>;(.*)<
result:- >;banana<blinky>;apple<cider>;orange<

Non Greedy
reg expressions:-
>;(.*?)<
result:- >;banana<



Monday, January 23, 2012

ColdFusion 9.01 Native IIS 7 support (applicationhost.config and web.config)

We have recently been upgrading our CF servers and wanted to utilise the new native support for IIS 7, removing the IIS 6 compatibility mode that we had to use prior to 9.01.

Now if you have done the install you will know that the easiest way to set this up is to run through the install and then run the IIS configurator (wsconfig). This Java tool uses ASP.NET to set up IIS.

You have an option to add CF to individual sites or to All. Now "All" is a bit misleading, as in fact it just goes through the sites individually (but does cover all sites). This is different from the CF8 we were using, where if you selected All it would add the necessary settings at the server level, meaning any new websites created would inherit the CF settings. With the CF9.01 wsconfig tool setting things up per site, every time you add a new website in IIS you will have to run the wsconfig tool again.

Now by running the wsconfig tool it does a couple of things:

1. It adds an IIS config file called web.config to the root folder of each website, and places the additional CF IIS config in that file. (So you will find a web.config file for each website you run the wsconfig tool against.)

2. It kindly adds the VDs cfdocs and cfide to all sites. What this means is that you may find the CF administrator site is available through every single website on your server. For us this was a security risk and a pain, as every time the wsconfig tool was run you had to remember to go and clear out these newly created VDs.
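An added example (not from this post or from Adobe's wsconfig): a Python audit that parses applicationHost.config and lists every site carrying a /CFIDE or /cfdocs virtual directory, plus the ISAPI DLLs IIS is allowed to execute, so the stray admin VDs can be found after each wsconfig run rather than remembered. The embedded config excerpt is constructed; on a real server pass the path of applicationhost.config as the argument.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed excerpt in the shape of applicationHost.config (not a real server's file):
# three sites, two of which picked up the CFIDE/cfdocs virtual directories from wsconfig.
SAMPLE_APPHOST = r"""<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.applicationHost>
    <sites>
      <site name="Default Web Site" id="1">
        <application path="/">
          <virtualDirectory path="/" physicalPath="C:\inetpub\wwwroot" />
          <virtualDirectory path="/CFIDE" physicalPath="C:\ColdFusion9\wwwroot\CFIDE" />
          <virtualDirectory path="/cfdocs" physicalPath="C:\ColdFusion9\wwwroot\cfdocs" />
        </application>
      </site>
      <site name="shop.example" id="2">
        <application path="/">
          <virtualDirectory path="/" physicalPath="D:\sites\shop" />
        </application>
      </site>
      <site name="partner.example" id="3">
        <application path="/">
          <virtualDirectory path="/" physicalPath="D:\sites\partner" />
          <virtualDirectory path="/cfide" physicalPath="C:\ColdFusion9\wwwroot\CFIDE" />
        </application>
      </site>
    </sites>
  </system.applicationHost>
  <system.webServer>
    <security>
      <isapiCgiRestriction>
        <add path="C:\ColdFusion9\runtime\lib\wsconfig\1\jrun_iis6_wildcard.dll" allowed="true" description="Macromedia Server Extensions" />
        <add path="C:\ColdFusion9\runtime\lib\wsconfig\jrun_iis6.dll" allowed="true" description="Macromedia Server Extensions" />
        <add path="C:\old\legacy.dll" allowed="false" description="retired extension" />
      </isapiCgiRestriction>
    </security>
  </system.webServer>
</configuration>
"""

# Virtual directories wsconfig adds to every site; the CF administrator lives under /CFIDE.
CF_ADMIN_VDIRS = {"/cfide", "/cfdocs"}


def sites_exposing_cf_admin(xml_text: str) -> dict:
    """Map site name -> sorted list of CF admin/doc virtual directory paths found under it."""
    root = ET.fromstring(xml_text)
    exposed = {}
    for site in root.iter("site"):
        hits = sorted(vd.get("path") for vd in site.iter("virtualDirectory")
                      if vd.get("path", "").lower() in CF_ADMIN_VDIRS)
        if hits:
            exposed[site.get("name")] = hits
    return exposed


def allowed_isapi_dlls(xml_text: str) -> list:
    """ISAPI/CGI binaries IIS is permitted to execute (allowed="true" in isapiCgiRestriction)."""
    root = ET.fromstring(xml_text)
    return sorted(add.get("path") for node in root.iter("isapiCgiRestriction")
                  for add in node.findall("add") if add.get("allowed", "").lower() == "true")


def report(xml_text: str) -> list:
    """Plain-text findings, one per line."""
    lines = [f"site '{site}' exposes {', '.join(vdirs)}"
             for site, vdirs in sites_exposing_cf_admin(xml_text).items()]
    lines.append("ISAPI allowed: " + "; ".join(allowed_isapi_dlls(xml_text)))
    return lines


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_APPHOST
    print("\n".join(report(text)))
```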

In addition, for us the web.config file caused issues with code deployment, as it was not included.

So I started to look for a way to try and get the old functionality back that allowed CF to be set up at the server level and then all sites created would inherit these settings.

I won't bore you with all the ins and outs, but in essence IIS runs a master config file called applicationhost.config, which you should find here:

C:\Windows\System32\inetsrv\config\applicationhost.config

Now individual site config can be included in this applicationhost.config file or in web.config files in the root of each website. Adobe chose to put their config in the web.config, and I can see why: there is less risk of totally screwing up the entire IIS config.

Now the settings can be applied at site or server level. Below I show the web.config file that a CF install creates for per-site config.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <defaultDocument>
      <files>
        <remove value="index.cfm" />
        <add value="index.cfm" />
      </files>
    </defaultDocument>
    <handlers>
      <add name="JWildCardHandler" path="*" verb="*" modules="IsapiModule" scriptProcessor="E:\ColdFusion9\runtime\lib\wsconfig\1\jrun_iis6_wildcard.dll" resourceType="Unspecified" requireAccess="None" />
      <add name="hbmxmlHandler" path="*.hbmxml" verb="*" modules="IsapiModule" scriptProcessor="E:\ColdFusion9\runtime\lib\wsconfig\jrun_iis6.dll" resourceType="Either" responseBufferLimit="0" />
      <add name="cfswfHandler" path="*.cfswf" verb="*" modules="IsapiModule" scriptProcessor="E:\ColdFusion9\runtime\lib\wsconfig\jrun_iis6.dll" resourceType="Either" responseBufferLimit="0" />
      <add name="cfrHandler" path="*.cfr" verb="*" modules="IsapiModule" scriptProcessor="E:\ColdFusion9\runtime\lib\wsconfig\jrun_iis6.dll" resourceType="Either" responseBufferLimit="0" />
      <add name="cfcHandler" path="*.cfc" verb="*" modules="IsapiModule" scriptProcessor="E:\ColdFusion9\runtime\lib\wsconfig\jrun_iis6.dll" resourceType="Either" responseBufferLimit="0" />
      <add name="cfmlHandler" path="*.cfml" verb="*" modules="IsapiModule" scriptProcessor="E:\ColdFusion9\runtime\lib\wsconfig\jrun_iis6.dll" resourceType="Either" responseBufferLimit="0" />
      <add name="cfmHandler" path="*.cfm" verb="*" modules="IsapiModule" scriptProcessor="E:\ColdFusion9\runtime\lib\wsconfig\jrun_iis6.dll" resourceType="Either" responseBufferLimit="0" />
      <add name="jwsHandler" path="*.jws" verb="*" modules="IsapiModule" scriptProcessor="E:\ColdFusion9\runtime\lib\wsconfig\jrun_iis6.dll" resourceType="Either" responseBufferLimit="0" />
      <add name="jspHandler" path="*.jsp" verb="*" modules="IsapiModule" scriptProcessor="E:\ColdFusion9\runtime\lib\wsconfig\jrun_iis6.dll" resourceType="Either" responseBufferLimit="0" />
    </handlers>
    <staticContent>
      <mimeMap fileExtension=".air" mimeType="application/vnd.adobe.air-application-installer-package zip" />
    </staticContent>
  </system.webServer>
</configuration>


So what I wanted to do was move this config to applicationhost.config.


Note: I had run the wsconfig tool once in the initial setup, so you will need to do this once to ensure that everything is initially set up properly for IIS and CF to interface. Running wsconfig creates a subfolder in C:\ColdFusion9\runtime\lib\wsconfig with more content. The subfolder is \1\ and contains a few files; these need to be there for the wildcard handler.



OK, with the DLLs in place, the first thing is to allow IIS to run the CF DLLs. This is done in the isapiCgiRestriction section of the applicationHost.config file:



<isapiCgiRestriction>
    <add path="%windir%\Microsoft.NET\Framework64\v2.0.50727\aspnet_isapi.dll" allowed="true" groupId="ASP.NET v2.0.50727" description="ASP.NET v2.0.50727" />
    <add path="%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll" allowed="true" groupId="ASP.NET v2.0.50727" description="ASP.NET v2.0.50727" />
    <add path="C:\ColdFusion9\runtime\lib\wsconfig\1\jrun_iis6_wildcard.dll" allowed="true" description="Macromedia Server Extensions" />
    <add path="C:\ColdFusion9\runtime\lib\wsconfig\jrun_iis6.dll" allowed="true" description="Macromedia Server Extensions" />
</isapiCgiRestriction>



Now the applicationhost.config file is huge, so I am summarising below, showing where each of the entries goes within that XML file; I have highlighted the added data.




  • "xxxxxxxx" indicates there is content in the file that I am not showing
  • "………" indicates there is further content in the file that I am not showing



<system.webServer>
xxxxxxxxxxx
<staticContent lockAttributes="isDocFooterFileName">
  <mimeMap fileExtension=".323" mimeType="text/h323" />
  <mimeMap fileExtension=".aaf" mimeType="application/octet-stream" />
  <mimeMap fileExtension=".aca" mimeType="application/octet-stream" />
  <mimeMap fileExtension=".accdb" mimeType="application/msaccess" />
  <mimeMap fileExtension=".accde" mimeType="application/msaccess" />
  <mimeMap fileExtension=".accdt" mimeType="application/msaccess" />
  <mimeMap fileExtension=".acx" mimeType="application/internet-property-stream" />
  <mimeMap fileExtension=".afm" mimeType="application/octet-stream" />
  <mimeMap fileExtension=".ai" mimeType="application/postscript" />
  <mimeMap fileExtension=".aif" mimeType="audio/x-aiff" />
  <mimeMap fileExtension=".aifc" mimeType="audio/aiff" />
  <mimeMap fileExtension=".aiff" mimeType="audio/aiff" />
  <mimeMap fileExtension=".air" mimeType="application/vnd.adobe.air-application-installer-package zip" />


<location path="" overrideMode="Allow">
  <system.webServer>
    <modules>
      xxxxxxxxxxx
    </modules>
  <handlers accessPolicy="Read, Script">
    <clear />
    <add name="JWildCardHandler" path="*" verb="*" modules="IsapiModule" scriptProcessor="E:\ColdFusion9\runtime\lib\wsconfig\1\jrun_iis6_wildcard.dll" resourceType="Unspecified" requireAccess="None" />
    <add name="hbmxmlHandler" path="*.hbmxml" verb="*" modules="IsapiModule" scriptProcessor="E:\ColdFusion9\runtime\lib\wsconfig\jrun_iis6.dll" resourceType="Either" responseBufferLimit="0" />
    <add name="cfswfHandler" path="*.cfswf" verb="*" modules="IsapiModule" scriptProcessor="E:\ColdFusion9\runtime\lib\wsconfig\jrun_iis6.dll" resourceType="Either" responseBufferLimit="0" />
    <add name="cfrHandler" path="*.cfr" verb="*" modules="IsapiModule" scriptProcessor="E:\ColdFusion9\runtime\lib\wsconfig\jrun_iis6.dll" resourceType="Either" responseBufferLimit="0" />
    <add name="cfcHandler" path="*.cfc" verb="*" modules="IsapiModule" scriptProcessor="E:\ColdFusion9\runtime\lib\wsconfig\jrun_iis6.dll" resourceType="Either" responseBufferLimit="0" />
    <add name="cfmlHandler" path="*.cfml" verb="*" modules="IsapiModule" scriptProcessor="E:\ColdFusion9\runtime\lib\wsconfig\jrun_iis6.dll" resourceType="Either" responseBufferLimit="0" />
    <add name="cfmHandler" path="*.cfm" verb="*" modules="IsapiModule" scriptProcessor="E:\ColdFusion9\runtime\lib\wsconfig\jrun_iis6.dll" resourceType="Either" responseBufferLimit="0" />
    <add name="jwsHandler" path="*.jws" verb="*" modules="IsapiModule" scriptProcessor="E:\ColdFusion9\runtime\lib\wsconfig\jrun_iis6.dll" resourceType="Either" responseBufferLimit="0" />
    <add name="jspHandler" path="*.jsp" verb="*" modules="IsapiModule" scriptProcessor="E:\ColdFusion9\runtime\lib\wsconfig\jrun_iis6.dll" resourceType="Either" responseBufferLimit="0" />
    <add name="ISAPI-dll" path="*.dll" verb="*" modules="IsapiModule" resourceType="File" requireAccess="Execute" allowPathInfo="true" />
    <add name="TraceHand........


I hope that is clear.



There is one other setting that we put in to allow ColdFusion errors to be displayed; without it IIS intercepts the error status and displays a "friendly message" instead of a helpful CF error page. The addition here is just the attribute existingResponse="PassThrough" on the httpErrors node (I am afraid my highlighter only allows entire lines to be highlighted).



<httpErrors lockAttributes="allowAbsolutePathsWhenDelegated,defaultPath" existingResponse="PassThrough">


So with these changes in place in the applicationhost.config file, you can remove the web.config files from the website root folders.



As always please back up these files before you start messing with them.



You will need to restart IIS for the changes to be picked up.



I have not yet tried skipping the wsconfig run on a new install and adding these changes straight to the applicationhost.config file. That is next on my list; when I do, I will update here.



Default Documents



To add a default document to all sites, i.e. to add index.cfm, add the Index.cfm line (the first <add> below, which I had in bold) to applicationhost.config:



<defaultDocument enabled="true">
    <files>
        <add value="Index.cfm" />
        <add value="Default.htm" />
        <add value="Default.asp" />
        <add value="index.htm" />
        <add value="index.html" />
        <add value="iisstart.htm" />
        <add value="default.aspx" />
    </files>
</defaultDocument>

