Thursday, November 3, 2011

Slow Performance on Windows 7 while browsing IIS Apps - AutoTuning


We recently migrated all our IIS applications from old Windows 2000 servers to Windows 2008. It was not a smooth ride, but we did manage to get 99% of them onto the new servers. There were of course some apps with exe's that were not supported or could not move to x64. In parallel, most of our users were being upgraded from Windows XP to Windows 7 PCs/laptops.

We found that users connecting from Win7 to IIS face performance problems in the corporate network. The performance was so bad that it took 20+ seconds to display a single page. We also found that the sites worked perfectly when users connected to IIS via a reverse proxy or when they connected using a Windows XP machine.

So the problem was with Windows 7, and by trial and error we found that AutoTuning (TCP receive window auto-tuning) was the issue. I think Microsoft enabled AutoTuning by default in Windows 7, and somehow that setting is not compatible with our network gear.

To disable AutoTuning on a Windows 7 machine:
1) Open a command prompt as Administrator
Search for cmd in 'Start' and press CTRL+SHIFT+ENTER instead of just Enter.
2) Paste the command below; it should return Ok.
netsh interface tcp set global autotuning=disabled
To check the current level use "netsh interface tcp show global", and to put the default back later use autotuning=normal.

Restored Windows 2003 Server - IIS would not start

The IIS Admin Service service terminated with service-specific error 2148073483 (0x8009000B).

During a DR drill, when we recovered a Windows 2003 server, IIS would not start. The IIS Admin Service and WWW Service stopped and gave the error above. Reinstalling IIS did not correct this; it corrupted things further.

Then we did a restore of SystemState and it resolved the issue.

Wednesday, August 10, 2011

Siteminder - Fatal Error: Unable to fetch object


C:\>smobjimport -dsiteminder -wpa$$word -i"C:\Program Files\netegrity\siteminder\db\smdif\smpolicy.smdif" -v

Fatal Error: Unable to fetch object.

C:\>
*****
Open the Policy Server Management Console, go to the Data tab, and in Database for keystore select LDAP instead of the default ODBC; select "use policy store database" if you are using the same DB for both.

Saturday, July 2, 2011

New Directory Server in ODSEE

- Open ODSEE console
- Create new Directory Server
- Fill in the form as required. Below screen shot gives details of my directory server
- Click Next, Accept Certificate.
*- Here I had an issue where the certificate was not accepted, and you cannot move forward without accepting it.
" An error occurred trying to acept the certificate. The error is com.sun.directory.dcc.ads.ADSContextException."
To resolve this, I had to re-initialize everything using the commands below. This effectively wiped everything, but I did not have any other choice.

C:\Sun\dsee7\bin>dsccsetup dismantle
C:\Sun\dsee7\bin>dsccsetup initialize

Friday, July 1, 2011

create a windows service for automatically starting glassfish 3.1 server

C:\glassfish3\glassfish\bin>
C:\glassfish3\glassfish\bin>asadmin create-service
The Windows Service was created successfully.  It is ready to be started.  Here are the details:
ID of the service: domain1
Display Name of the service:domain1 GlassFish Server
Server Directory: C:\glassfish3\glassfish\domains\domain1
Configuration file for Windows Services Wrapper: C:\glassfish3\glassfish\domains\domain1\bin\domain1Service.xml
The service can be controlled using the Windows Services Manager or you can use the
Windows Services Wrapper instead:
Start Command:  C:\glassfish3\glassfish\domains\domain1\bin\domain1Service.exe  start
Stop Command:   C:\glassfish3\glassfish\domains\domain1\bin\domain1Service.exe  stop
Restart Command:  C:\glassfish3\glassfish\domains\domain1\bin\domain1Service.exe  restart
Uninstall Command:  C:\glassfish3\glassfish\domains\domain1\bin\domain1Service.exe  uninstall
Install Command:  C:\glassfish3\glassfish\domains\domain1\bin\domain1Service.exe  install
Status Command: C:\glassfish3\glassfish\domains\domain1\bin\domain1Service.exe status
You can also verify that the service is installed (or not) with sc query state= all
windows.services.uninstall.good=Found the Windows Service and successfully uninstalled it.
For your convenience this message has also been saved to this file: C:\glassfish3\glassfish\domains\domain1\PlatformServices.log
Command create-service executed successfully.

C:\glassfish3\glassfish\bin>

Thursday, June 30, 2011

INSTALLATION OF Oracle Directory Server Enterprise Edition (11.1.1.5.0)

Check the prerequisites post below before this.
http://tummypain.blogspot.com/2011/06/pre-requesites-for-oracle-directory.html

(1) Download Oracle Directory Server Enterprise Edition (11.1.1.5.0) from the link below.
It is also called DSEE 7 or 11g.

http://www.oracle.com/technetwork/middleware/downloads/oid-11g-161194.html

(2) I installed a W2k8 x86 Standard Server on a VM.

(3) I installed GlassFish 3.1 and JDK 6. Check the prerequisites.

(4) unzip ofm_odsee_win_11.1.1.5.0.zip

(5) idsktune is a server precheck/tuning application. It only checks and recommends; it does not modify anything. I had a couple of errors about an unsupported OS, but that may be because I am using an MSDN build.

(6) Install the VC++ redistributable that is included if not already installed on the server. Update with required windows patches and restart if necessary.

(7) unzip dsee7 and move all the folders to c:\Sun\

(8) Modify the registry values below if you are not using a LocalAdmin user. EnableLUA is the machine-wide UAC switch, so put it back once the install is done.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

(9) Follow the steps below in Command prompt with Admin privileges
**********************
C:\Windows\system32>cd C:\Sun\dsee7\bin

C:\Sun\dsee7\bin>dsccsetup war-file-create
DSCC registry must be created first using the following command:
        dsccsetup ads-create
(REMEMBER THE PASSWORD BELOW)
C:\Sun\dsee7\bin>dsccsetup ads-create
Choose password for Directory Service Manager: xxxxx
Confirm password for Directory Service Manager: xxxxx
Creating DSCC registry...
DSCC Registry has been created successfully

C:\Sun\dsee7\bin>dsccsetup war-file-create
Created C:\Sun\dsee7\var\dscc7.war

C:\Sun\dsee7\bin>dsccsetup cacao-reg
Configuring Cacao...
Cacao will listen on port 21162
Cacao has been successfully configured.
Registering DSCC Agent in Cacao...
Checking Cacao status...
Starting Cacao...
DSCC agent has been successfully registered in Cacao.

C:\Sun\dsee7\bin>

**********************

(10) Append the lines below to the GlassFish server.policy file

C:\glassfish3\glassfish\domains\domain1\config\server.policy
//**********************
// Permissions for Directory Service Control Center
grant codeBase "file:${com.sun.aas.instanceRoot}/applications/j2ee-modules/dscc7/-"
{
        permission java.security.AllPermission;
};
//**********************


(11) Browse to glassfish console
http://localhost:4848/common/index.jsf

Go to Applications -> Deploy -> "Local Packaged File or Directory That Is Accessible from GlassFish Server" -> Browse -> C:\Sun\dsee7\var\dscc7.war -> click OK.

(12) Select dscc7 -> Enable -> Launch to start Directory Service Control Center

http://localhost:8080/dscc7/dcc7Module/DCC

(14) If you are unable to log in, try the steps below

**********************
C:\>
C:\>C:/Sun/dsee7/bin/dsccsetup.exe status
***
DSCC Agent is registered in Cacao
Cacao is down. Start it using:
        C:/Sun/dsee7/ext/cacao_2/bin/cacaoadm.bat start
Cacao uses a custom port number (21162)
***
DSCC Registry has been created
Path of DSCC registry is C:/Sun/dsee7/var/dcc/ads
Port of DSCC registry is 3998
DSCC registry is not running. You may start it using:
         C:/Sun/dsee7/bin/dsadm.exe start C:/Sun/dsee7/var/dcc/ads
***

C:\>C:/Sun/dsee7/bin/dsadm.exe start C:/Sun/dsee7/var/dcc/ads
Directory Server instance 'C:/Sun/dsee7/var/dcc/ads' started: pid=3448

C:\>

**********************

Prerequisites for Oracle Directory Server Enterprise Edition 11g (11.1.1.5.0) or DSEE version 7

Prerequisites for ODSEE 11g

I am trying to install Siteminder r12SP3 on a VM. Before that I need to get Oracle Directory Server Enterprise Edition 11g.

Below are the prerequisites for ODSEE

a- A Windows 2008 Server x86 Standard edition. Production needs 4GB of RAM, but for my test I used 1.5GB. I am performing all installs using an ID with Local Admin permissions on the server. Make sure the server is fully updated with the latest patches.

b- JDK 6. Install JDK 6 from the link below
http://www.oracle.com/technetwork/java/javase/downloads/index.html

c- Download and install an application server such as GlassFish or Tomcat. I installed GlassFish; it is a pretty straightforward installation.
http://glassfish.java.net/downloads/3.1-final.html

d- Once GlassFish is installed, start the application server if it has not started automatically. It should be present under Start -> Programs -> GlassFish -> Start Server.
Or it can be started from a cmd prompt using
"C:\glassfish3\glassfish\bin\asadmin.bat start-domain domain1"

e- Access the GlassFish console using the link below and make sure everything is working.
http://localhost:4848/common/index.jsf
**********************

Friday, June 24, 2011

Script to Search list of Servers with Local Administrator Privileges

I had a need for checking all servers in a list to which my AD Group has access. The list was around 3000 Windows servers and there is no way I could do it manually. So I did a Google search and found a nice script written by Brian Desmond at this link which shows all the users who are added as Local Administrators.

briandesmond.com/blog/script-to-collect-local-administrators-membership-from-list-of-machines/

Thanks Brian.
--

I made a small modification so that it just prints out the names of the servers to which my AD group has access, and also prints out the server names which I am unable to ping. The script is pretty raw and takes a lot of time to check each server, but this is the only one I have for now.

-> Save the script below as localadminFile.vbs
-> Create localadminfiles.bat with the line below
wscript localadminFile.vbs
-> Place localadminfiles.bat in the scheduler and let it run. Check back until it has completed.
-> You will also find 'wscript' in Task Manager if you want to kill off the running script.

Modify it according to your need.

**************************
Option Explicit
' Paths are from the original post; adjust to your environment.
Const LogFile = "G:\temp\LogFile.log"
Const resultFile = "G:\temp\LocalAdmin.csv"
Const inputFile = "G:\temp\serverList.txt"
' Name of the AD group to look for in each server's local Administrators group.
Const TargetGroup = "AdminGroup AD"

Dim fso
Set fso = CreateObject("Scripting.FileSystemObject")
Dim shl
Set shl = WScript.CreateObject("WScript.Shell")
Dim fil
Set fil = fso.OpenTextFile(inputFile)
Dim results
Set results = fso.CreateTextFile(resultFile, True)

WriteToLog "Beginning Pass of " & inputFile & " at " & Now()

Dim grp
Dim line
Dim exec
Dim pingResults
Dim member

While Not fil.AtEndOfStream
    line = Trim(fil.ReadLine)
    If line <> "" Then
        ' Two pings, one second timeout each; "reply from" means the host answered.
        Set exec = shl.Exec("ping -n 2 -w 1000 " & line)
        pingResults = LCase(exec.StdOut.ReadAll)
        If InStr(pingResults, "reply from") Then
            ' Bind to the server's local Administrators group through the WinNT provider.
            ' Errors (access denied, RPC unavailable) are logged instead of stopping the run.
            On Error Resume Next
            Set grp = GetObject("WinNT://" & line & "/Administrators")
            If Err.Number <> 0 Then
                WriteToLog line & " --> could not read local Administrators: " & Err.Description
                Err.Clear
            Else
                For Each member In grp.Members
                    If member.Name = TargetGroup Then
                        WriteToLog line & " --> Server is supported by Team"
                        results.WriteLine line & ",Administrators," & member.Name
                    End If
                Next
            End If
            On Error GoTo 0
        Else
            WriteToLog line & " did not respond to ping"
        End If
    End If
Wend

WriteToLog "Script END - COMPLETED.."
fil.Close
results.Close

Sub WriteToLog(LogData)
    On Error Resume Next
    Dim logf
    ' 8 = ForAppending
    Set logf = fso.OpenTextFile(LogFile, 8, True)
    logf.WriteLine LogData
    logf.Close
    Set logf = Nothing
End Sub
**************************

Monday, April 25, 2011

Windows 2008 - IIS 7 Replication Loadbalancing & Code Promote

We recently acquired software that allows our ApplicationSupport team to move code between environments (Dev-Stage-Prod) on IIS servers. We used SiteServer3.0 earlier, but since dear MSFT isn't supporting it any more, we had to buy this software outside. It's pretty neat software; I thought it was pricey, but we did not have much of a choice.

Oh well..what do I know about cost.

The software can work as both SiteServer3.0 and ApplicationCenter2000 for promoting and load balancing. AppCenter2000 can be replaced by Microsoft Web Deploy for the most part, but we still need code to be replicated between shared servers for load balancing. So we bought the minimal license that allows SiteServer functionality (code promote) and scheduled code copy (a copy every 15 minutes) for load balancing. This minimal license however did not allow replication of IIS settings, so I installed Web Deploy and wrote scripts to pull IIS settings per website onto the target server. Web Deploy is easy and very good.

This turned out extremely well and we haven't had any issues so far. Fingers crossed.

This saved us approx USD 200+ per server in licensing costs.

Siteminder NTLM on Windows 2008 add script map .ntc

Installation of the Siteminder Web Agent was pretty straightforward, but I could not find any documentation from CA on how to set up an NTLM authentication scheme website on IIS 7.

For example we use http://ntlmprod.testdomain.com/siteminderagent/ntlm/creds.ntc as the url in the ntlm authentication scheme.

Setting up the /siteminderagent/ntlm/ virtual directory was straightforward, but nowhere is it mentioned how to add the .ntc script maps. The documentation gives details for IIS 5 and IIS 6.
Here are the steps
- Create a website ntlmprod.testdomain.com with ntlmprod as the application pool.
- Make sure the ntlmprod app pool is Classic (I have not found any errors so far using Integrated, but the docs say to use Classic for everything Siteminder protects).
- We generally use just a single ASP page called header.asp in the folders hosting the NTLM websites, so d:\inetpub\ntlmprod\header.asp.
- Add a virtual directory for siteminderagent
- Add a virtual directory for ntlm
Finally it should look like http://ntlmprod.testdomain.com/siteminderagent/ntlm/
- For the root website and siteminderagent, use just Anonymous authentication
- For the NTLM virtual directory, use only Windows Authentication

for ntlmprod.testdomain.com

ISAPI Filters
- add SiteminderAgent with executable D:\Program Files (x86)\netegrity\webagent\bin\ISAPI6WebAgent.dll and make sure it is moved to the top of the list in "View Ordered List" view.

Handler Mappings

- add "WildCard Script Map" SiteminderAgent with executable D:\Program Files (x86)\netegrity\webagent\bin\ISAPI6WebAgent.dll and make sure it is moved to the top of the list in "View Ordered List" view.
- add "Script Map" NTC-Siteminder
Request Path = *.ntc
Executable = D:\Program Files (x86)\netegrity\webagent\bin\ISAPI6WebAgent.dll
- add "Script Map" FCC-Siteminder
Request Path = *.fcc
Executable = D:\Program Files (x86)\netegrity\webagent\bin\ISAPI6WebAgent.dll

ISAPI and CGI restrictions
- make sure the dll is set to allowed "D:\Program Files (x86)\netegrity\webagent\bin\ISAPI6WebAgent.dll"

Tuesday, April 12, 2011

Updating ROOT Certificates in Websphere

locations :
/opt/was51/AppServer/java/jre/bin
/opt/was51/AppServer/java/jre/lib/security/cacerts
Make a copy of the cacerts file first, just in case.

copy the new certs to this folder
/opt/was51/AppServer/java/newCerts


Command to view the current Root certificates
/opt/was51/AppServer/java/jre/bin/keytool -list -v -keystore /opt/was51/AppServer/java/jre/lib/security/cacerts -storepass changeit


Command to update cacerts with new certificate
/opt/was51/AppServer/java/jre/bin/keytool -import -file /opt/was51/AppServer/java/newCerts/Domain-ROOT.cer -keystore /opt/was51/AppServer/java/jre/lib/security/cacerts -alias DomainRoot -trustcacerts
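The two keytool commands above, wrapped in a small script added here as an example (it is not from the original post). It backs up cacerts before touching it, refuses to import if the alias is already present, prints the certificate's fingerprints so they can be compared with what the CA publishes, and confirms the entry afterwards. Since cacerts is the trust store for every TLS connection the JVM makes, a wrong import is trusted everywhere, which is why the check steps are there. The paths and the default store password "changeit" are taken from the post; the alias and certificate file are whatever the caller passes, and the sample listing at the bottom is constructed for testing the parser offline.

```shell
#!/bin/sh
# Added example: guarded version of the cacerts update described in the post.
JRE_BIN="${JRE_BIN:-/opt/was51/AppServer/java/jre/bin}"
CACERTS="${CACERTS:-/opt/was51/AppServer/java/jre/lib/security/cacerts}"
STOREPASS="${STOREPASS:-changeit}"   # JRE default from the post; assumed changed in production

# Print the alias names found in 'keytool -list -v' output given on stdin.
list_aliases() {
    sed -n 's/^Alias name: //p'
}

# alias_exists LISTING ALIAS: succeed if ALIAS is in LISTING.
# keytool treats aliases case-insensitively, so compare in lower case.
alias_exists() {
    wanted=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    printf '%s\n' "$1" | list_aliases | tr 'A-Z' 'a-z' | grep -qx "$wanted"
}

# Timestamped copy of cacerts so the change can be rolled back.
backup_cacerts() {
    cp -p "$CACERTS" "$CACERTS.$(date +%Y%m%d%H%M%S).bak"
}

# import_root_cert CERT_FILE ALIAS: the post's -import command with checks around it.
import_root_cert() {
    cert=$1; alias=$2
    listing=$("$JRE_BIN/keytool" -list -v -keystore "$CACERTS" -storepass "$STOREPASS") || return 1
    if alias_exists "$listing" "$alias"; then
        echo "alias '$alias' is already in $CACERTS; nothing imported" >&2
        return 1
    fi
    # Show the certificate (including its fingerprints) before it becomes trusted;
    # compare the fingerprint with the value the CA publishes out of band.
    "$JRE_BIN/keytool" -printcert -file "$cert" || return 1
    backup_cacerts || return 1
    "$JRE_BIN/keytool" -import -trustcacerts -noprompt -file "$cert" -alias "$alias" \
        -keystore "$CACERTS" -storepass "$STOREPASS" || return 1
    # Confirm the entry is now present.
    "$JRE_BIN/keytool" -list -keystore "$CACERTS" -storepass "$STOREPASS" -alias "$alias"
}

# Constructed sample of 'keytool -list -v' output, used to exercise the parser offline.
SAMPLE_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: verisignclass3ca
Creation date: Jun 29, 1998
Entry type: trustedCertEntry

Alias name: domainroot
Creation date: Apr 12, 2011
Entry type: trustedCertEntry
'

if [ "$#" -eq 2 ]; then
    import_root_cert "$1" "$2"
else
    echo "usage: $0 /path/to/Domain-ROOT.cer DomainRoot" >&2
fi
```

Run it as "sh import-root.sh /opt/was51/AppServer/java/newCerts/Domain-ROOT.cer DomainRoot"; set JRE_BIN, CACERTS or STOREPASS in the environment if your WebSphere lives elsewhere.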

Monday, April 11, 2011

Unix scripting - basic notes

Conditional execution operators

||
You use the double pipe operator in the form
command1 || command2
In the above syntax, the second command executes only if the first command fails.

&&
You use the double ampersand operator in the form
command1 && command2
In the above syntax, the second command executes only if the first command executes successfully.


Command grouping operators

{ }
You can enclose multiple statements in braces ({}) to create a code block. The shell returns one exit status value for the entire group, rather than for each command in the block.

( )
You can enclose multiple statements in round brackets to create a code block. This code block functions in the same way as a code block enclosed in braces, but runs in a subshell.

I/O redirection operators
>
You use this operator to redirect command output to a file. If the specified file doesn't exist, the shell creates the file. If the file does exist, the shell overwrites it with the command output unless the noclobber shell option is set.

>|
You use this operator to redirect command output to a file. If the specified file doesn't exist, the shell creates the file. If the file does exist, the shell overwrites it with the command output even if the noclobber shell option is set.

>>
You use this operator to redirect command output to a file. If the file doesn't exist, the shell creates the file. If it does exist, the shell appends the new data to the end of it.

<
You use this operator to redirect command input from a file.

File descriptor redirection operators

<&n
You use this operator to redirect standard input from file descriptor n.

>&n
You use this operator to redirect standard output to file descriptor n.

n< filename
You use this operator with a filename to redirect descriptor n from the specified file.

n> filename
You use this operator with a filename to redirect descriptor n to the specified file. As with ordinary redirection, this overwrites an existing file unless the noclobber option is set.

n>| filename
You use this operator with a filename to redirect descriptor n to the specified file, overriding the noclobber shell option if it is set.

n>> filename
You use this operator with a filename to redirect descriptor n to the specified file. Unlike ordinary redirection, this appends to an existing file.

Filename substitution

*
You use the * wildcard to match a string of any length.

?
You use the ? wildcard to match a single character.

[abc] , [a-c] , [a-c1-3]
You use square brackets to match only characters that appear inside the specified set. For increased convenience, you can specify multiple ranges.

!pattern
You use the ! operator with a pattern to perform a reverse match. The shell returns only filenames that don't match the pattern.

Command substitution

$(command)

You use this form of command substitution to resolve a command and pass its output to another command as an argument.

$(< filename)
You use this form of command substitution to pass the entire contents of a file to a command as an argument.

Tilde substitution
~
You use the ~ operator to instruct the shell to return the value of the $HOME variable.

~username
You use the ~ operator with a username to instruct the shell to return the full path of a specific user's home directory.

~+
You use the ~+ operator to instruct the shell to return the full path of the current working directory.

~-
You use the ~- operator to instruct the shell to return the full path of the previous working directory you used.


Miscellaneous syntax

;
If you enter several commands on the same line, you need to separate the commands with semicolons. The shell will execute each command successively once you press Enter.

\
You use a backslash to allow you to press Enter and continue typing commands on a new line. The shell will only begin executing your commands when you press Enter on a line that doesn't end in a backslash. Using a backslash in this way is known as backslash escaping.

&
You add a single ampersand at the end of a command to run that command as a background process. This is useful for tasks that are likely to take a long time to complete.
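The operators in these notes, exercised in a script added here as an example (it is not part of the original notes). Each function returns a small value that can be compared with the description above: which branch of || and && ran, whether ( ) isolates a variable, what > , >> and >| do when noclobber is set, how numbered descriptors are read and written, how many files each wildcard matches, and what $(command) yields. It assumes a POSIX sh and writes only under a throwaway directory in $TMPDIR; the file names and contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: the notes' operators, one function per group.
WORK="${TMPDIR:-/tmp}/shell-notes.$$"
prep() { mkdir -p "$WORK"; }

# || runs its right-hand side only when the left side fails; && only when it succeeds.
# The result string records which branches ran.
demo_conditional() {
    ran=""
    false || ran="${ran}A"   # A runs: left side failed
    true  && ran="${ran}B"   # B runs: left side succeeded
    true  || ran="${ran}C"   # skipped
    false && ran="${ran}D"   # skipped
    echo "$ran"              # AB
}

# { } groups commands in the current shell; ( ) runs the group in a subshell,
# so an assignment inside ( ) never reaches the caller.
demo_grouping() {
    x=1
    { x=2; }
    ( x=3 )
    echo "$x"                # 2
}

# A group has a single exit status, that of its last command.
demo_group_status() {
    if { true; false; }; then echo 0; else echo 1; fi   # 1
}

# >, >> and >| against the noclobber option (set -C, same as set -o noclobber).
demo_redirection() {
    prep; f="$WORK/out.txt"; rm -f "$f"
    echo first  >  "$f"      # create (or overwrite)
    echo second >> "$f"      # append
    set -C                   # noclobber on: plain > now refuses an existing file
    if echo third 2>/dev/null > "$f"; then echo clobbered; fi   # prints nothing
    echo third >| "$f"       # >| ignores noclobber and overwrites
    set +C
    cat < "$f"               # third
}

# 2> routes stderr; n<, <&n, n> and n>> work with numbered descriptors.
demo_fd_redirection() {
    prep; errf="$WORK/err.txt"; logf="$WORK/fd.log"; rm -f "$logf"
    sh -c 'echo to-stdout; echo to-stderr 1>&2' >/dev/null 2> "$errf"
    exec 3< "$errf"          # descriptor 3 reads from the captured stderr
    read -r line <&3         # this command's stdin comes from descriptor 3
    exec 3<&-                # close it again
    { echo one >&4; echo two >&4; } 4> "$logf"   # descriptor 4 writes to the log
    echo three 4>> "$logf" >&4                   # n>> appends instead of truncating
    echo "$line $(( $(wc -l < "$logf") ))"        # to-stderr 3
}

# Filename substitution: *, ?, [set] and the POSIX reverse match [!set].
# The body is ( ) so the cd does not change the caller's directory.
demo_globbing() (
    prep; d="$WORK/glob"; mkdir -p "$d"; cd "$d" || exit 1
    for n in a1 a2 b1 cc; do : > "$n.txt"; done
    set -- *.txt;      all=$#       # a1 a2 b1 cc
    set -- a?.txt;     one=$#       # a1 a2
    set -- [a-b]1.txt; rng=$#       # a1 b1
    set -- [!a]*.txt;  neg=$#       # b1 cc
    echo "$all $one $rng $neg"      # 4 2 2 2
)

# $(command) substitutes a command's output; a file's whole contents via $(cat file)
# (bash and ksh also accept the $(< file) form from the notes).
demo_substitution() {
    prep; f="$WORK/in.txt"; printf 'alpha\nbeta\n' > "$f"
    n=$(wc -l < "$f")
    body=$(cat "$f")
    echo "$((n)):$(echo "$body" | tr '\n' ',')"   # 2:alpha,beta,
}

# ~ expands to the value of $HOME.
demo_tilde() { home=~; echo "$home"; }

for fn in demo_conditional demo_grouping demo_group_status demo_redirection \
          demo_fd_redirection demo_globbing demo_substitution demo_tilde; do
    printf '%-20s %s\n' "$fn:" "$($fn)"
done
rm -rf "$WORK"
```

Run it with "sh shell-notes.sh"; each line of output pairs a function with the value its comment predicts.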

linux - disable GUI

In Red Hat Linux, to disable the GUI during startup,
modify the file /etc/inittab so the default runlevel line reads
'id:3:initdefault:'

to start GUI from shell use the below command
init 5

To shutdown use
init 0
or halt, poweroff, shutdown.

Friday, April 8, 2011

Old Laptop virtualization to New with VMWare VCenter

Three weeks ago I got a new work laptop with Vista. I downgraded it to XP after struggling with it for 2 days; my office VPN software wouldn't install.

However after xp install and setting up everything I still had 2 days to give my old laptop back. This is not enough time to configure all software and test it connects well.

So I installed VMware Player on my new system and copied the whole old system to a virtual machine using VMware vCenter Converter Standalone. So essentially I am running my old machine on my new laptop.

I created a sharedfolder through which I am sharing files/folders between the two machines and setting up the software one by one as time permits.

The conversion process took around 2 Hours for my old system that had around 35GB of data. and copy and setup on the new system took another 2 hours.

I am running the VMWARE-old network as NAT so that it shares the host OS IP. This way I am not connecting again to VPN inside the guest system. If host is connected to VPN, guest inherits the same network.


VMware Player is free, and VMware vCenter Converter is also free; we just need to register with VMware using our email address. Installation and the move were pretty straightforward and I did not face any issues.

Friday, April 1, 2011

open IKEYMAN - in X window from AIX Server using Cygwin

I was trying to start ikeyman on our AIX IBM-IHS server to update SSL certs and was getting the errors below

$ ikeyman
Xlib: connection to ":0.0" refused by server
Xlib: No protocol specified

The java class could not be loaded. java.lang.InternalError: Can't connect to X11 window server using ':0.0' as the value of the DISPLAY variable.
$

Turns out I needed to disable security in X Windows using the command "xhost +" to allow connections from the AIX server. I also had to add a rule in my laptop's McAfee Intrusion Detection System to allow the connections.

Notes Below
- Install Cygwin with x window and ssh components on your laptop (takes a while to install this)
- start up cygwin
- From the Cygwin window start Xwindow using startxwin. This will open up another X window.
$ startxwin

- Now every thing needs to be done in the X Window.
- First step is to disable access control. xhost + lets any host connect to your X server; xhost +<hostname> limits that to one host, and xhost - turns access control back on when you are done.
$ xhost +
access control disabled, clients can connect from any host

- Once security on the local system is disabled, SSH to the AIX server using the below
$
localuser@localmachine ~
$ ssh -l
$
$ su - httpadm
httpadm's Password:
$ export DISPLAY=:0.0
$ export JAVA_HOME=/usr/java14
$ ikeyman


Couple of internet links helped me, but the below helped me with the xhost command.
http://www.staff.uni-mainz.de/pommeren/DSVorlesung/Material/Xsecurity
********************************************************

Entrust SSL Cert on Windows 2003 - IIS 6

Installing an Entrust CA SSL cert on an IIS 6 server.
1- Download Root Certificate as root.cer to the server
- double click it
- Install Certificate
- Next
- Automatically select the certificate store based on the type of certificate
- Next
- Finish
2- Download Chain Root Certificate Chainroot.cer to the server
- double click it
- Install Certificate
- Next
- Place all certificates in the following store
- Next
- Click the Show physical stores box, and then expand the Intermediate Certification Authorities folder. Select Local Computer and click OK.
- Next
- Finish

You will get the error below if you get step 2 wrong
"The security certificate presented by this website was not issued by a trusted certificate authority"

3- Download Server Cert as ServerCert.cer to the server
- In IIS6 go to the website properties
- Directory Security
- Secure Communications - Server Certificate
- Next
- Process the pending request and install the certificate
- Next.
.....
- SSL Port 443
- review and finish