
Thursday, December 13, 2012

Certificates: Common Name, Subject Alternative Names and ColdFusion

This article is about an issue that raised its head whilst installing a 2048bit key certificate into our ColdFusion servers.

I have already written an article about getting the certificates installed into the Java Engine lying under ColdFusion.

Now we were having issues with a certificate and a connection to a partner site. The connection used to work until they upgraded their certificate to one with a 2048-bit key length.

We had successfully added the certificate to the Java keystore, as we have done numerous times in the past, but with this certificate we still could not connect even though it was in the keystore.

In the end, what we found was that the certificate was a multi-domain certificate, meaning it is valid for a number of different domains. In certificates this is supported by an extension field called

Subject Alternative Name (SAN)

Now, according to the RFCs, the way the domain should be checked is that the application should check the SAN field and then check the Subject field (specifically the Common Name (CN) entry). The CN entry holds just one domain.

So what we found was that when we connected to the server running on the domain listed in the CN, the connection was fine. If we tried to connect to one of the domains listed in the SAN field (other than the domain in the CN), the connection would fail.

We then traced this problem to an issue with ColdFusion prior to version 9. It appears that CF7 and CF8 do not check the SAN field, only the CN entry. This means you cannot use multi-domain certificates in CF7 or CF8.

To use/trust multi-domain certificates in ColdFusion you have to use CF9+.
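As an added illustration (not code from the original post), the Python below applies the name-matching rule from RFC 2818/6125 to a constructed certificate: SAN dNSName entries decide the match when present, and the CN is only a fallback. Setting check_san=False reproduces the CN-only behaviour described above for CF7/CF8; the field names and host names are invented for the example.

```python
"""Hostname matching against a certificate's SAN and CN fields (added example)."""

# Constructed stand-in for a parsed multi-domain certificate (hypothetical names).
# In practice these values come from the parsed X.509 certificate.
MULTI_DOMAIN_CERT = {
    "subject_cn": "www.example-partner.test",
    "san_dns": [
        "www.example-partner.test",
        "api.example-partner.test",
        "*.secure.example-partner.test",
    ],
}


def _label_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive name comparison. A wildcard may only stand for the
    whole left-most label (RFC 6125 section 6.4.3), never a partial label
    and never more than one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # e.g. ".secure.example-partner.test"
    if "*" in suffix or not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    # Exactly one non-empty label may replace the '*'.
    return bool(leftmost) and "." not in leftmost


def hostname_matches(cert: dict, hostname: str, check_san: bool = True) -> bool:
    """Return True if the certificate covers hostname.

    check_san=True follows RFC 2818 section 3.1: if the certificate carries
    any dNSName SAN entries, only those are consulted and the CN is ignored;
    the CN is used solely for certificates without a dNSName SAN.
    check_san=False models a CN-only verifier, which is why a host that
    appears only in the SAN list is rejected.
    """
    san_names = cert.get("san_dns") or []
    if check_san and san_names:
        return any(_label_match(name, hostname) for name in san_names)
    cn = cert.get("subject_cn")
    return bool(cn) and _label_match(cn, hostname)
```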

The images below are to help visualise the above fields in the certificates.

Image 1 is from an article on DigiCert that explains Subject Alternative Names (I include it here to show where the SAN field can be seen). The second image, from the University of California Davis, shows the CN entry in the Subject field (green outlined rectangle).

IE 7 certificate subject details


Tuesday, December 11, 2012

2048bit key length certificates and Java (specifically ColdFusion)

Recently some of the partners we use have started to deploy certificates with key lengths of 2048 bits. The 2048-bit length has become the accepted minimum key length for secure communication.

We have been using 2048-bit key lengths on our own web sites for a few years now, so we are not unused to them; however, with the partners now using them, we had to trust these certificates. Now here comes the issue. Our systems use ColdFusion and as such run on Java. A US export policy limited the key length US companies could provide outside the US, and as a result all versions of Java up to 1.7 have this limitation by default, so you would not be able to apply the certificate with a key length of 2048 bits.

The way round this is to download the

Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files

These files overwrite the existing policy files and are available for download from Oracle. From what I can see, there are policy files for

Java SE 7, Java SE 6, Java SE 5, Java 1.4.2, Java 1.2.2

Installing these policy files is very easy: download the correct version and extract it. You then need to grab two files

  • local_policy.jar
  • US_export_policy.jar

Now, in the Java environment you want to amend, locate the following folder

e.g. (default for Java SE 6)

c:\Program Files\Java\jre6\lib\security

In here you should find files of the same name; make backup copies of them. Then overwrite the original files with the files extracted from the downloaded JCE policy zip file.

Now you will have to restart the Java instance.

OK, so now you should be able to install the 2048-bit key length certificate into the keystore (cacerts).

Below are a couple of commands showing how to list the existing certificates in a keystore and then how to install a certificate.

The cacerts keystore is usually found somewhere like this (but it will be wherever the Java instance is installed):

c:\Program Files\Java\jre6\lib\security

List the certificates in the keystore and dump them into a text file.

<Java home>\bin>keytool.exe -list -v -storepass changeit -noprompt -keystore <Java home>\lib\security\cacerts > c:\certificate.txt

Install the certificate CertificateFileName.crt into the keystore.

Note: -storepass changeit is the default password for the keystore, which can be changed.

<Java home>\bin>keytool.exe -import -keystore <Java home>\lib\security\cacerts -alias anyNameYouWantToReferenceYourCertificateInKeyStore -storepass changeit -noprompt -trustcacerts -file C:\temp\CertificateFileName.crt


Thursday, November 29, 2012

Sapphire HD7850 – Intermittent Audio Drop Out

Back in June 2012 I built a Home Theatre PC. I was really happy with the setup, except that when I ran the audio through HDMI to the receiver I had intermittent sound dropouts. The dropouts were literally a second long, but they were random and really annoying.

I tried a number of things, but nothing worked. Anyway, I put up with the issue for a while; I had other things going on and assumed that either Sapphire, AMD or Onkyo (receiver) would fix the issue.

So after 6 months I have now found a solution. It was in a thread on the issue I was having:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Video\{XXXX...}\0000
('XXXX' means device number. There are several device number folders, and you should find 'AdapterDesc' in the 0000 folder whose value is 'amd radeon HD 7XXX Series'.)
In that '0000' folder, change the 'PP_SclkDeepSleepDisable' REG_DWORD value from 0 to 1.

I rebooted and, touch wood, the problem has gone.

References are here:

http://www.overclockers.com/forums/showthread.php?s=13d1bbb978d7106ac1b27ca8efa9374d&p=7337754#post7337754

There was another solution that seemed to work, but it needed to be done after each reboot. The above registry entry should work all the time.

http://www.overclock.net/t/1295464/intermittent-hdmi-audio-output-on-7970-12-8-drivers


Samsung Galaxy SII (i9100) – Android – 100% Battery Charge Issue (USB)

Recently I had an issue where my phone battery status started behaving erratically: not showing the correct level, then saying fully charged and then immediately changing after disconnection from the charger.

Eventually, after poring over numerous battery notification forums, I found this blog:

http://andycorps.blogspot.com.au/2011/10/samsung-galaxy-s2-i9100-erratic-battery.html?showComment=1333511234964#c1325155034377407919

It fixed my issue; all I had to do was clean the USB port.

I now have another issue where if I disconnect the usb charger without


Wednesday, June 06, 2012

How to run Robocopy from SQL without a batch file

There is a problem running Robocopy from a command step in SQL Server jobs: Robocopy returns a non-zero code for success. I won't go into why that is here; it is to do with flags and ANDing, if you want to look it up.

So if you call Robocopy directly, the SQL step will always fail (even though the copy was successful).

My way round that is to use START. Note that this solution will always return success, so if Robocopy does actually fail you will never know. For my purpose this was acceptable. You can get around this by placing your Robocopy command in a batch file and calling the batch file from the SQL Server job step.

So to use START:

START "<window title>" /WAIT ROBOCOPY /COPY:DAT /MOV /NP ^"<source>^" ^"<destination>^"

This works for me.


Thursday, April 26, 2012

Create an anonymous share in Windows 2008 server

I wanted to mount an ISO in Hyper-V across a network share, however Hyper-V will not let you do this. It is due to security, which I won't go into here. To get round this you have to either copy the ISO locally or create the remote share to allow anonymous access. Now this is obviously a security issue, so you should judge whether this solution is suitable for you, but for me it makes sense.

I am grabbing the necessary fragment from a fuller article here by Scott Havens.

In an environment without Active Directory (like my home network), or when the machines in question are in domains that don’t talk with each other, we need something else.  One option is to enable anonymous access to the share where the ISOs are stored.  This solution is fine for my home network, and may be feasible for other small networks where security isn’t as much of an issue.  While the instructions below are for Windows Home Server specifically, they are easily adapted to a bog-standard (non-WHS) file server.

  1. First, go to Administrative Tools->Local Security Policy.

    In Security Settings/Local Policies/Security Options, make the following changes:

    - Network Access: Do not allow anonymous enumeration of SAM accounts and shares – Disabled
    - Network Access: Let Everyone permissions apply to anonymous users – Enabled
    - Network Access: Restrict anonymous access to Named Pipes and Shares – Disabled
    - Network Access: Shares that can be accessed anonymously – Add SOFTWARE (or the appropriate share) to the existing list

    In Security Settings/Local Policies/User Rights Assignment:

    - Access this computer from a network – Add ANONYMOUS LOGON and Everyone if they’re not already there

  2. After closing the Local Security Settings window you’ll need to reboot the server or force application of security policy via gpupdate.
  3. Then, open up Computer Management and go to System Tools->Local Users and Groups->Groups.
    Windows Home Server creates several security groups that provide read-only and read/write access to the shares it manages.  Find which group offers Read-Only access to the share and add Everyone to this group.  On my computer, the Software share is managed by RO_8 and RW_8, so I added Everyone to the RO_8 group.
  4. While you’re in Computer Management, go to System Tools->Shared Folders->Shares.  In the properties for the appropriate share, add Everyone to the Share Permissions.


Wednesday, April 25, 2012

Win2k8R2 – Unable to rename a connection – already exists

I image a lot of machines; it saves me having to go through the complete setup with each machine.

On a couple of occasions I have had issues with network connections: it seems Windows retains the old imaged server's NIC info, but it sees the hardware on the new server as new. Therefore it will not add them to a team or give them the right name if you have renamed them.

On trying to rename them to the same name you had on the original machine, you will get an error saying the name already exists. But in Network Connections they will not show up, and even if you start Device Manager and select View\Show hidden devices they will not show.

You need to run the following from an elevated command prompt:

SET DEVMGR_SHOW_NONPRESENT_DEVICES=1

and then open Device Manager and select View\Show hidden devices. The devices that are no longer present on the new machine will be greyed out and can be uninstalled.

You will now be able to rename the connection.
