We recently acquired software that allows our Application Support team to move code between environments (Dev-Stage-Prod) on IIS servers. We used Site Server 3.0 earlier, but since dear MSFT isn't supporting it any more, we had to buy this software outside. It's pretty neat software; I thought it was pricey, but we did not have much of a choice.
Oh well, what do I know about cost.
The software can work as both Site Server 3.0 and Application Center 2000 for promoting and load balancing. AppCenter 2000 can be replaced by Microsoft Web Deploy for the most part, but we still need code to be replicated between shared servers for load balancing. So we bought the minimal license that allows Site Server functionality (code promote) and scheduled code copy (scheduled a copy every 15 minutes) for load balancing. This minimal license, however, did not allow replication of IIS settings. So I installed Web Deploy and wrote scripts to pull the IIS settings per website on the target server. Web Deploy is easy and very good.
This turned out extremely well and we haven't had any issues till now. Fingers crossed.
This saved us approx. USD 200+ per server in licensing costs.
Monday, April 25, 2011
Siteminder NTLM on Windows 2008 add script map .ntc
Installation of the Siteminder Web Agent was pretty straightforward, but I could not find any documentation from CA on how to set up an NTLM Authentication Scheme website on IIS 7.
For example, we use http://ntlmprod.testdomain.com/siteminderagent/ntlm/creds.ntc as the URL in the NTLM authentication scheme.
Setting up the /siteminderagent/ntlm/ virtual directory was straightforward, but nowhere is it mentioned how to add the .ntc script maps. The documentation gives details for IIS 5 and IIS 6 only.
Here are the steps:
- Create a website ntlmprod.testdomain.com with ntlmprod as the application pool.
- Make sure the ntlmprod app pool is Classic (however, I did not find any errors till now if we use Integrated; but the docs say to use Classic for all Siteminder-protected sites).
- We generally use just a single ASP page called header.asp in the folders hosting the NTLM websites, so d:\inetpub\ntlmprod\header.asp.
- Add a virtual directory for siteminderagent.
- Add a virtual directory for ntlm.
Finally it should look like http://ntlmprod.testdomain.com/siteminderagent/ntlm/
- For the root website and siteminderagent, use just Anonymous Authentication.
- For the NTLM virtual directory, use only Windows Authentication.
For ntlmprod.testdomain.com:
ISAPI Filters
- Add SiteminderAgent with executable D:\Program Files (x86)\netegrity\webagent\bin\ISAPI6WebAgent.dll and make sure it is moved to the top of the list in the "View Ordered List" view.
Handler Mappings
- Add "Wildcard Script Map" SiteminderAgent with executable D:\Program Files (x86)\netegrity\webagent\bin\ISAPI6WebAgent.dll and make sure it is moved to the top of the list in the "View Ordered List" view.
- Add "Script Map" NTC-Siteminder
Request Path = *.ntc
Executable = D:\Program Files (x86)\netegrity\webagent\bin\ISAPI6WebAgent.dll
- Add "Script Map" FCC-Siteminder
Request Path = *.fcc
Executable = D:\Program Files (x86)\netegrity\webagent\bin\ISAPI6WebAgent.dll
ISAPI and CGI Restrictions
- Make sure the DLL "D:\Program Files (x86)\netegrity\webagent\bin\ISAPI6WebAgent.dll" is set to Allowed.
Tuesday, April 12, 2011
Updating ROOT Certificates in Websphere
Locations:
/opt/was51/AppServer/java/jre/bin
/opt/was51/AppServer/java/jre/lib/security/cacerts
Just in case, make a copy of the file cacerts first.
Copy the new certs to this folder:
/opt/was51/AppServer/java/newCerts
Command to view the current root certificates:
/opt/was51/AppServer/java/jre/bin/keytool -list -v -keystore /opt/was51/AppServer/java/jre/lib/security/cacerts -storepass changeit
Command to update cacerts with the new certificate:
/opt/was51/AppServer/java/jre/bin/keytool -import -file /opt/was51/AppServer/java/newCerts/Domain-ROOT.cer -keystore /opt/was51/AppServer/java/jre/lib/security/cacerts -alias DomainRoot -trustcacerts
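The same update as a script, added here as an example and not from the post: it backs up cacerts first, refuses to reuse an alias that is already in the store, and checks the entry after the import. The paths and the default store password changeit are taken from the post; the environment variable overrides and the function names are my own.

```sh
#!/bin/sh
# Added example (not from the post). Defaults are the WebSphere 5.1 paths
# above; override JAVA_BIN, CACERTS or STOREPASS for another install.
# 'changeit' is the JDK default store password; if yours differs, pass it
# through STOREPASS rather than typing it on a command line that ps shows.
JAVA_BIN=${JAVA_BIN:-/opt/was51/AppServer/java/jre/bin}
CACERTS=${CACERTS:-/opt/was51/AppServer/java/jre/lib/security/cacerts}
STOREPASS=${STOREPASS:-changeit}

backup_keystore() {  # copies $1 to a timestamped .bak file and prints its path
  bak="$1.bak.$(date +%Y%m%d%H%M%S)"
  cp -p "$1" "$bak" && echo "$bak"
}

alias_present() {  # exit 0 if alias $2 already exists in keystore $1
  "$JAVA_BIN/keytool" -list -keystore "$1" -storepass "$STOREPASS" \
      -alias "$2" >/dev/null 2>&1
}

import_root() {  # import_root /path/Domain-ROOT.cer DomainRoot
  cert=$1 alias=$2
  [ -r "$cert" ] || { echo "cannot read $cert" >&2; return 1; }
  if alias_present "$CACERTS" "$alias"; then
    echo "alias '$alias' already exists; use a new alias or delete it first" >&2
    return 2
  fi
  bak=$(backup_keystore "$CACERTS") || return 1
  echo "backup written to $bak"
  # keytool -import prints the certificate (subject, issuer, fingerprints)
  # and asks "Trust this certificate?": compare the fingerprints with the
  # values the CA published before answering yes.
  "$JAVA_BIN/keytool" -import -trustcacerts -file "$cert" \
      -keystore "$CACERTS" -storepass "$STOREPASS" -alias "$alias" || return 1
  # Confirm the entry actually landed in the store.
  alias_present "$CACERTS" "$alias"
}

# Run directly with a cert and alias; sourcing the file only defines the functions.
if [ $# -ge 2 ]; then
  import_root "$1" "$2"
fi
```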
Monday, April 11, 2011
Unix scripting - basic notes
Conditional execution operators
||
You use the double pipe operator in the form
command1 || command2
In the above syntax, the second command executes only if the first command fails.
&&
You use the double ampersand operator in the form
command1 && command2
In the above syntax, the second command executes only if the first command executes successfully.
Command grouping operators
{ }
You can enclose multiple statements in braces ({}) to create a code block. The shell returns one exit status value for the entire group, rather than for each command in the block.
( )
You can enclose multiple statements in round brackets to create a code block. This code block functions in the same way as a code block enclosed in braces, but runs in a subshell.
I/O redirection operators
>
You use this operator to redirect command output to a file. If the specified file doesn't exist, the shell creates the file. If the file does exist, the shell overwrites it with the command output unless the noclobber environment variable is set.
>|
You use this operator to redirect command output to a file. If the specified file doesn't exist, the shell creates the file. If the file does exist, the shell overwrites it with the command output even if the noclobber environment variable is set.
>>
You use this operator to redirect command output to a file. If the file doesn't exist, the shell creates the file. If it does exist, the shell appends the new data to the end of it.
<
You use this operator to redirect command input from a file.
File descriptor redirection operators
<&n
You use this operator to redirect standard input from file descriptor n.
>&n
You use this operator to redirect standard output to file descriptor n.
n< filename
You use this operator with a filename to redirect descriptor n from the specified file.
n> filename
You use this operator with a filename to redirect descriptor n to the specified file. Unlike ordinary redirection, this will not overwrite an existing file.
n>| filename
You use this operator with a filename to redirect descriptor n to the specified file, overriding the noclobber environment variable if it is set.
n>> filename
You use this operator with a filename to redirect a descriptor to the specified file. This will redirect to a file but, unlike ordinary redirection, this will append to an existing file.
Filename substitution
*
You use the * wildcard to match a string of any length.
?
You use the ? wildcard to match a single character.
[abc] , [a-c] , [a-c1-3]
You use square brackets to match only characters that appear inside the specified set. For increased convenience, you can specify multiple ranges.
!pattern
You use the ! operator with a pattern to perform a reverse match. The shell returns only filenames that don't match the pattern.
Command substitution
$(command)
You use this form of command substitution to resolve a command and pass its output to another command as an argument.
$(< filename)
You use this form of command substitution to pass the entire contents of a file to a command as an argument.
Tilde substitution
~
You use the ~ operator to instruct the shell to return the value of the $HOME variable.
~username
You use the ~ operator with a username to instruct the shell to return the full path of a specific user's home directory.
~+
You use the ~+ operator to instruct the shell to return the full path of the current working directory.
~-
You use the ~- operator to instruct the shell to return the full path of the previous working directory you used.
Miscellaneous syntax
;
If you enter several commands on the same line, you need to separate the commands with semicolons. The shell will execute each command successively once you press Enter.
\
You use a backslash to allow you to press Enter and continue typing commands on a new line. The shell will only begin executing your commands when you press Enter on a line that doesn't end in a backslash. Using a backslash in this way is known as backslash escaping.
&
You add a single ampersand at the end of a command to run that command as a background process. This is useful for tasks that are likely to take a long time to complete.
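The conditional, grouping and redirection operators above, exercised in small functions so each result can be checked; this is an added example, not part of the notes. It stays within POSIX sh (also fine in bash), so the ksh/bash-only forms $(< file), !pattern and ~+/~- are left out; the function names and sample values are constructed.

```sh
#!/bin/sh
# Added example (not from the notes): the operators above in runnable form.

# && and ||: chain on exit status instead of writing an if/else.
file_state() {  # prints "present" or "missing" for path $1
  [ -e "$1" ] && echo present || echo missing
}

# { } groups commands in the current shell; ( ) groups them in a subshell,
# so an assignment made inside ( ) is gone when the subshell exits.
group_vs_subshell() {  # prints "brace brace"
  v=outer
  { v=brace; }
  a=$v
  ( v=paren )
  b=$v
  echo "$a $b"
}

# > honours noclobber (set -C), >| overrides it, >> appends.
clobber_demo() {  # prints "refused three 2"
  f=$(mktemp) || return 1
  echo one > "$f"
  set -C                        # same as set -o noclobber
  if ( echo two > "$f" ) 2>/dev/null; then r=overwrote; else r=refused; fi
  echo three >| "$f"            # forced overwrite despite noclobber
  echo four >> "$f"             # append
  set +C
  echo "$r $(head -n 1 "$f") $(wc -l < "$f" | tr -d ' ')"
  rm -f "$f"
}

# 2>&1 sends stderr wherever stdout currently goes, so $( ) captures both;
# n> opens a numbered descriptor of your own and >&n writes stdout to it.
fd_demo() {  # prints "2 to fd 3"
  both=$( { echo normal; echo oops >&2; } 2>&1 )
  f=$(mktemp) || return 1
  echo "to fd 3" 3> "$f" >&3    # fd 3 -> file, then stdout -> fd 3
  echo "$(echo "$both" | wc -l | tr -d ' ') $(cat "$f")"
  rm -f "$f"
}
```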
linux - disable GUI
In Red Hat Linux, to disable the GUI during startup,
modify the initdefault line in /etc/inittab to
'id:3:initdefault:'
To start the GUI from the shell, use the command below:
init 5
To shut down, use
init 0
or halt, poweroff, shutdown.
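The inittab edit above as a small script, added here as an example (not from the post): it keeps a backup, changes only the initdefault line, and refuses runlevels 0 and 6, which as a default would halt or reboot the box straight out of boot. The function names are my own; the file layout is the SysV-style /etc/inittab the post edits.

```sh
#!/bin/sh
# Added example (not from the post). Usage: set_initdefault /etc/inittab 3

set_initdefault() {  # rewrite the default runlevel in inittab $1 to $2
  file=$1 level=$2
  # 1-5 are the only sane defaults; 0 (halt) or 6 (reboot) as initdefault
  # would shut the machine down or reboot it as soon as init starts.
  case $level in
    [1-5]) ;;
    *) echo "refusing runlevel '$level' as initdefault" >&2; return 2 ;;
  esac
  grep -q '^id:[0-9]:initdefault:' "$file" || {
    echo "no initdefault line in $file" >&2; return 3; }
  cp -p "$file" "$file.bak" || return 1       # keep a copy to roll back to
  # Rewrite only the initdefault line; every other entry is copied as-is.
  sed "s/^id:[0-9]:initdefault:/id:$level:initdefault:/" "$file.bak" > "$file"
}

get_initdefault() {  # print the current default runlevel from inittab $1
  sed -n 's/^id:\([0-9]\):initdefault:.*/\1/p' "$1"
}
```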
Friday, April 8, 2011
Old Laptop virtualization to New with VMWare VCenter
Three weeks ago I got a new work laptop with Vista. I downgraded it to XP after struggling with it for 2 days. My office VPN software wouldn't install.
However, after the XP install and setting everything up, I still had 2 days before I had to give my old laptop back. This is not enough time to configure all the software and test that it connects well.
So I installed VMware Player on my new system and copied the whole old system to a virtual machine using VMware vCenter Converter Standalone. So essentially I am running my old machine on my new laptop.
I created a shared folder through which I am sharing files/folders between the two machines and setting up the software one by one as time permits.
The conversion process took around 2 hours for my old system, which had around 35GB of data, and the copy and setup on the new system took another 2 hours.
I am running the VMware-old network as NAT so that it shares the host OS IP. This way I am not connecting again to the VPN inside the guest system. If the host is connected to the VPN, the guest inherits the same network.
VMware Player is free, and VMware vCenter Converter is also free. We just need to register with VMware using our email address. Installation and the move were pretty straightforward and I did not face any issues.
Friday, April 1, 2011
open IKEYMAN - in X window from AIX Server using Cygwin
I was trying to start up ikeyman from our AIX IBM-IHS server to update SSL certs and was getting the errors below:
$ ikeyman
Xlib: connection to ":0.0" refused by server
Xlib: No protocol specified
The java class could not be loaded. java.lang.InternalError: Can't connect to X11 window server using ':0.0' as the value of the DISPLAY variable.
$
Turns out I needed to disable security in X Windows using the command "xhost +" to allow connections from the AIX server. I also had to add a rule in my laptop's McAfee Intrusion Detection System to allow the connections.
Notes below:
- Install Cygwin with the X Window and SSH components on your laptop (this takes a while to install).
- Start up Cygwin.
- From the Cygwin window, start X Windows using startxwin. This will open up another X window.
$ startxwin
- Now everything needs to be done in the X window.
- The first step is to disable security:
$ xhost +
access control disabled, clients can connect from any host
- Once security on the local system is disabled, SSH to the AIX server using the below:
$
localuser@localmachine ~
$ ssh -l
$
$ su - httpadm
httpadm's Password:
$ export DISPLAY=:0.0
$ export JAVA_HOME=/usr/java14
$ ikeyman
A couple of internet links helped me, but the one below helped me with the xhost command.
http://www.staff.uni-mainz.de/pommeren/DSVorlesung/Material/Xsecurity
********************************************************
Entrust SSL Cert on Windows 2003 - IIS 6
Installing an Entrust CA SSL cert on an IIS 6 server.
1- Download the root certificate as root.cer to the server
- Double-click it
- Install Certificate
- Next
- Automatically select the certificate store based on the type of certificate
- Next
- Finish
2- Download the chain (intermediate) root certificate Chainroot.cer to the server
- Double-click it
- Install Certificate
- Next
- Place all certificates in the following store
- Next
- Tick the "Show physical stores" box, then expand the Intermediate Certification Authorities folder. Select Local Computer and click OK.
- Next
- Finish
You will get the error below if you mess up step 2:
"The security certificate presented by this website was not issued by a trusted certificate authority"
3- Download the server cert as ServerCert.cer to the server
- In IIS 6, go to the website properties
- Directory Security
- Secure Communications - Server Certificate
- Next
- Process the pending request and install the certificate
- Next
.....
- SSL port 443
- Review and finish