Rundeck Windows SSL - rundeck

Has anyone configured SSL for a Windows node in Rundeck? I've configured the framework properties:
framework.server.name = myservername.domain.com
framework.server.hostname = myservername.domain.com
framework.server.port = 4443
framework.server.url = https://myservername.domain.com:4443
and the rundeck-config properties:
server.address=myservername.domain.com
server.port=4443
grails.serverURL=https://myservername.domain.com:4443
What I am missing, I assume, is that I need to import a cert into the keystore? The next steps are a bit vague since they are *nix-specific.

You need to create the keystore/truststore using the Java keytool command (check how to do that here, in the "generating keystore" step), add your cert to the keystore, copy your keystore as the truststore, then edit the ssl.properties file to point it at the Windows path of the keystore/truststore.
With your config posted above, you can start Rundeck specifying the ssl.properties file location with the -Drundeck.ssl.config=c:\rundeck\server\config\ssl.properties and -Dserver.https.port=4443 arguments in your .bat startup script (check the start_rundeck.bat model here).
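Before starting Rundeck with -Drundeck.ssl.config it is worth validating the ssl.properties file itself, because the usual Windows failures are a path written with single backslashes (an escape character in .properties files), a path that points at a file which is not a keystore at all, or passwords left at the sample values. The following is an added example, not Rundeck's own code: the property names (keystore, keystore.password, key.password, truststore, truststore.password) follow Rundeck's sample ssl.properties and are assumed here, as are the default-password list and the constructed fixture in demo().

```python
"""Preflight for a Rundeck ssl.properties file: parse the key=value pairs,
confirm the keystore and truststore files exist, sniff each store's format
from its leading bytes and flag empty or default passwords.  Added example,
not Rundeck's code; property names follow Rundeck's sample ssl.properties."""
import os
import tempfile

JKS_MAGIC = b"\xfe\xed\xfe\xed"      # Sun/Oracle JKS
JCEKS_MAGIC = b"\xce\xce\xce\xce"    # JCEKS
DEFAULT_PASSWORDS = {"adminadmin", "changeit", "password"}   # assumed list


def parse_properties(text):
    """Minimal java.util.Properties reader.  In a .properties file a Windows
    path must be written c:\\\\rundeck\\\\ssl\\\\keystore (doubled backslashes)
    or with forward slashes, because a single backslash is an escape."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip().replace("\\\\", "\\")
    return props


def sniff_store_type(path):
    """Identify the store format from its first bytes: JKS/JCEKS have fixed
    magic numbers, a PKCS#12 file is a DER SEQUENCE (first byte 0x30)."""
    with open(path, "rb") as f:
        head = f.read(4)
    if head == JKS_MAGIC:
        return "JKS"
    if head == JCEKS_MAGIC:
        return "JCEKS"
    if head[:1] == b"\x30":
        return "PKCS12"
    return "unknown"


def check_ssl_properties(text):
    """Return (props, findings); an empty findings list means the file passed."""
    props = parse_properties(text)
    findings = []
    for role in ("keystore", "truststore"):
        path = props.get(role)
        if not path:
            findings.append(f"{role}: property missing")
        elif not os.path.isfile(path):
            findings.append(f"{role}: file not found at {path}")
        elif sniff_store_type(path) == "unknown":
            findings.append(f"{role}: {path} is not a JKS, JCEKS or PKCS#12 file")
        pw = props.get(f"{role}.password", "")
        if not pw:
            findings.append(f"{role}.password: empty")
        elif pw in DEFAULT_PASSWORDS:
            findings.append(f"{role}.password: default value '{pw}', change it")
    if "key.password" not in props:
        findings.append("key.password: property missing")
    return props, findings


def demo():
    """Constructed fixture: a file that merely starts with the JKS magic (not a
    real store) as the keystore, a missing truststore and a default password."""
    d = tempfile.mkdtemp()
    ks = os.path.join(d, "keystore")
    with open(ks, "wb") as f:
        f.write(JKS_MAGIC + b"\x00\x00\x00\x02\x00\x00\x00\x00")   # version 2, 0 entries
    text = "\n".join([
        "# constructed ssl.properties",
        f"keystore={ks}",
        "keystore.password=adminadmin",
        "key.password=adminadmin",
        f"truststore={os.path.join(d, 'truststore')}",
        "truststore.password=Tr0ub4dor&3",
    ])
    return check_ssl_properties(text)


if __name__ == "__main__":
    for finding in demo()[1]:
        print(finding)
```

Run it against the real file with check_ssl_properties(open(path).read()); the same checks apply to a Linux install, only the path handling differs.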

Related

Allow self-signed certificate in ownCloud on a Synology

I have ownCloud version 9.1.8 running on a Synology. Now I have installed ONLYOFFICE on a local server with a self-signed certificate. It is important to know that the ONLYOFFICE server is running locally in a network, so I cannot access the server e.g. with Let's Encrypt, because I only have a local server name and not a public server name. Let's Encrypt therefore cannot verify the server. However, if I want (and if you have a solution doing that), I can access the internet using the server.
Now I have the problem that ownCloud gives me the following error message
"Error while downloading the document file to be converted."
when I want to save the URL in the ONLYOFFICE configuration in ownCloud. I guess the problem is that I am using a self-signed certificate. Do you know what I can do? Google does not really help me.
"Error while downloading the document file to be converted."
means that DocumentServer cannot validate your storage's self-signed certificate (OC in your case)
There are 2 possible workarounds:
1) Change "rejectUnauthorized" to false in the /etc/onlyoffice/documentserver/default.json config file
2) Change the default Node.js CAstore:
Edit the files:
/etc/supervisor/conf.d/onlyoffice-documentserver-converter.conf
/etc/supervisor/conf.d/onlyoffice-documentserver-docservice.conf
Add a flag --use-openssl-ca to the parameters in this line
Then you need to add your certificate to the default CA store and restart ONLYOFFICE services:
supervisorctl restart all

Enable SSO on Red Hat environment

I need to enable SSO on my redhat environment. I need to know which rpms needs installation.
I believe it's a case of configuring AD to support single sign-on against the WebSEAL instance. I am installing WebSEAL 6.1 (Tivoli Access Manager WebSEAL 6.1).
I have no knowledge regarding this. Can anyone brief me and help me with how to proceed and what steps should be taken? What should the prerequisites be?
There is a good writeup on IBM's InfoCenter about how to do this:
TAM 6.0:
http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.itame.doc_6.0/rev/am60_webseal_admin211.htm?path=5_8_1_6_0_6_0_2_1_10_1_2#spnego-cfg-unix
TAM 6.1.1:
http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.itame.doc_6.1.1/am611_webseal_admin709.htm?path=5_8_1_3_1_11_1_2#spnego-cfg-unix
SAM 7.0:
http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.isam.doc_70/ameb_webseal_guide/concept/con_config_win_desktop_sso_unix.html
You have to:
Install IBM Kerberos client for WebSEAL
Create an entry in AD for the Linux server to auth against
Map the Kerberos principal to that AD user (the hardest part)
Enable SPNEGO on WebSEAL
Here are some of my notes that may help. However, I would strongly recommend walking down through the instructions on the InfoCenter site, as they are almost right on.
For step 1, in the linux_i386 directory, install the IBM Kerberos client using:
rpm -i IBMkrb5-client-1.4.0.2-1.i386.rpm
For step 2, the ktpass command you run on your AD controller should look something like:
ktpass -princ HTTP/WEBSEAL_SERVER_NAME_NOTFQDN@ad-domain.org -pass new_password -mapuser WEBSEAL_SERVER_NAME_NOTFQDN -out c:\WEBSEAL_SERVER_NAME_NOTFQDN_HTTP.keytab -mapOp set
Transfer that keytab file to your Linux server.
Also make sure the keytab file on the Linux server is chown ivmgr.ivmgr; chmod 600. Otherwise the WebSEAL process won't be able to read it.
For step 3, you will need to edit /etc/krb5/krb5.conf and configure the KDC, AD realm, and local DNS name. You can use the mkkrb5clnt utility to help with this:
config.krb5 -r AD-DOMAIN.ORG -c ad-domain.org -s ad-domain.org -d AD-DOMAIN
Edit krb5.conf and change:
[libdefaults]
default_tkt_enctypes = des-cbc-md5 des-cbc-crc
default_tgs_enctypes = des-cbc-md5 des-cbc-crc
From my notes, you can test the Kerberos configuration using (this is all documented in the InfoCenter article):
/usr/krb5/bin/kinit webseal@AD-DOMAIN.ORG
Enter the password for the WebSEAL user, then use klist to check things.
For step 4, just edit the WebSEAL config file and change:
[spnego]
spnego-auth = https
[authentication-mechanisms]
kerberosv5 = /opt/PolicyDirector/lib/libstliauthn.so
If your clients are configured correctly, as long as their AD account name matches their TAM account name then it will work. You can also have WebSEAL prepend the @DOMAIN.ORG when mapping to a TAM user, which is handy if you are going to have multiple domains set up for SSO. However, you have to have TAM accounts with user@domain.org within your directory to map to.
You can specify what auth level SPNEGO comes in by modifying the [authentication-levels] section in the WebSEAL config file. That level would be level = kerberosv5
Good luck and have patience. Getting the Kerberos client setup on the Linux box was the most difficult part. It's a bit tricky when it wants capital DNS domain name, lower case DNS domain name, or just the plain vanilla AD domain name.
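As an added example (not IBM's code and not part of the answer above), the Python below automates the checks implied by the four steps: the keytab's owner and mode, the upper-case realm versus lower-case DNS domain mapping in krb5.conf that the answer warns is the tricky part, and the two WebSEAL stanza settings. krb5.conf's "REALM = { ... }" blocks defeat Python's configparser, so the script carries a small stanza parser of its own. The sample krb5.conf and WebSEAL stanzas and the two-byte keytab placeholder are constructed for the demo; the ivmgr owner, the spnego-auth value and the kerberosv5 mechanism come from the answer.

```python
"""Preflight for the WebSEAL SPNEGO steps: keytab owner/mode, krb5.conf realm
and domain mapping, WebSEAL [spnego] and [authentication-mechanisms] stanzas.
Added example, not IBM's code; sample configs are constructed."""
import os
import pwd
import stat
import tempfile


def parse_stanza_file(text):
    """Parse '[stanza]' / 'key = value' text into {stanza: {key: value}}.
    A nested 'NAME = {' block (krb5.conf [realms]) is flattened to 'NAME.key'."""
    sections, current, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current, block = line[1:-1].strip(), None
            sections.setdefault(current, {})
        elif line == "}":
            block = None
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                block = key
            else:
                sections[current][f"{block}.{key}" if block else key] = value
    return sections


def check_keytab(path, owner="ivmgr"):
    """The answer requires 'chown ivmgr.ivmgr; chmod 600' on the keytab."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if mode & 0o077:
        findings.append(f"{path}: mode {mode:04o} is readable by group/other, want 0600")
    try:
        name = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        name = str(st.st_uid)
    if name != owner:
        findings.append(f"{path}: owned by {name}, want {owner}")
    return findings


def check_krb5(text, realm):
    """Realm upper case, set as default_realm, has a kdc, and the lower-case
    DNS domain maps back to it in [domain_realm]."""
    conf = parse_stanza_file(text)
    findings = []
    if realm != realm.upper():
        findings.append(f"realm {realm} should be upper case")
    if conf.get("libdefaults", {}).get("default_realm") != realm:
        findings.append(f"[libdefaults] default_realm is not {realm}")
    if not conf.get("realms", {}).get(f"{realm}.kdc"):
        findings.append(f"[realms] {realm} has no kdc")
    if conf.get("domain_realm", {}).get(f".{realm.lower()}") != realm:
        findings.append(f"[domain_realm] .{realm.lower()} should map to {realm}")
    return findings


def check_webseal(text):
    """WebSEAL stanza values the answer sets for step 4."""
    conf = parse_stanza_file(text)
    findings = []
    if conf.get("spnego", {}).get("spnego-auth") not in ("https", "both"):
        findings.append("[spnego] spnego-auth should be https (or both)")
    if "kerberosv5" not in conf.get("authentication-mechanisms", {}):
        findings.append("[authentication-mechanisms] kerberosv5 is not set")
    return findings


# Constructed samples (KDC host name is an assumption).
KRB5_CONF = """\
[libdefaults]
 default_realm = AD-DOMAIN.ORG
[realms]
 AD-DOMAIN.ORG = {
  kdc = dc1.ad-domain.org:88
  admin_server = dc1.ad-domain.org
 }
[domain_realm]
 .ad-domain.org = AD-DOMAIN.ORG
"""
WEBSEAL_CONF = """\
[spnego]
spnego-auth = https
[authentication-mechanisms]
kerberosv5 = /opt/PolicyDirector/lib/libstliauthn.so
"""


def demo():
    """Run the checks on the samples and on two constructed keytab files."""
    d = tempfile.mkdtemp()
    tight, loose = os.path.join(d, "webseal.keytab"), os.path.join(d, "webseal.keytab.bak")
    for path, mode in ((tight, 0o600), (loose, 0o644)):
        with open(path, "wb") as f:
            f.write(b"\x05\x02")           # keytab format version header only
        os.chmod(path, mode)
    me = pwd.getpwuid(os.getuid()).pw_name   # stand-in for ivmgr in the demo
    return {
        "krb5": check_krb5(KRB5_CONF, "AD-DOMAIN.ORG"),
        "krb5_lowercase": check_krb5(KRB5_CONF, "ad-domain.org"),
        "webseal": check_webseal(WEBSEAL_CONF),
        "keytab": check_keytab(tight, owner=me),
        "keytab_loose": check_keytab(loose, owner=me),
    }


if __name__ == "__main__":
    print(demo())
```

On the real box run check_keytab on the transferred keytab with the default owner, and feed /etc/krb5/krb5.conf and the WebSEAL config file to the other two functions before trying kinit.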

WSO2 AM 1.5.0: Change keystore

I have changed the carbon.xml file and axis2.xml to point to my own key-store. But when I start the wso2-am, the log says:
WARN - ValidationResultPrinter The default keystore (wso2carbon.jks)
is currently being used. To maximize security when deploying to a
production environment, configure a new keystore with a unique
password in the production server profile.
Example from axis2.xml
<KeyStore>
<Location>/data/wso2/certs/ibridge.jks</Location>
<Type>JKS</Type>
<Password>****</Password>
<KeyPassword>****</KeyPassword>
</KeyStore>
There are 2 main reasons for you to change the default keystore password, which is "wso2carbon":
When moving to production environments, the keystore should be altered from the default of 'wso2carbon'.
When changing the default keystore.
You can learn how to do this by following this blog post.
Did you point to your jks file in the secret-conf.properties file (AM_HOME\repository\conf\security)?
Did you specify wso2carbon as the alias when creating the KeyStore? When the server starts up it'll search for KeyStores having wso2carbon alias, and if it finds any, it'll assume the default keystore is being used. If this is the case try giving a different alias.
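To check the two things the answers above point at (is the wso2carbon alias present, is the store password still the default) without a JDK on the box, you can read the JKS container directly. The following is an added example, not WSO2's code: it parses the JKS format (0xFEEDFEED magic, version, entry list with aliases, and the trailing SHA-1 over password-as-UTF-16BE || "Mighty Aphrodite" || body that keytool uses as the store-password integrity check). build_sample_jks constructs a minimal store with a placeholder DER blob instead of a real certificate so the audit has input to run on; the aliases and passwords in the demo are assumptions.

```python
"""Read a JKS file without Java: list aliases and verify the store password via
the JKS integrity MAC.  Added example, not WSO2's code."""
import hashlib
import struct
import time

JKS_MAGIC = 0xFEEDFEED
MAC_SALT = b"Mighty Aphrodite"     # fixed string in the JKS integrity digest


def _utf(data, pos):
    """Java writeUTF: 2-byte big-endian length followed by the bytes."""
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n


def read_jks(data):
    """Return (version, [(alias, entry_type, cert_count)], body_end).  Private
    keys stay encrypted, so no password is needed to list entries."""
    magic, version, count = struct.unpack_from(">III", data, 0)
    if magic != JKS_MAGIC:
        raise ValueError("not a JKS file (bad magic)")
    if version not in (1, 2):
        raise ValueError(f"unsupported JKS version {version}")
    pos, entries = 12, []
    for _ in range(count):
        (tag,) = struct.unpack_from(">I", data, pos)
        pos += 4
        alias, pos = _utf(data, pos)
        pos += 8                                   # creation time, ms since epoch
        if tag == 1:                               # PrivateKeyEntry
            (klen,) = struct.unpack_from(">I", data, pos)
            pos += 4 + klen                        # encrypted PKCS#8 blob
            (chain,) = struct.unpack_from(">I", data, pos)
            pos += 4
            for _ in range(chain):
                if version == 2:
                    _, pos = _utf(data, pos)       # cert type, e.g. "X.509"
                (clen,) = struct.unpack_from(">I", data, pos)
                pos += 4 + clen
            entries.append((alias, "PrivateKeyEntry", chain))
        elif tag == 2:                             # TrustedCertEntry
            if version == 2:
                _, pos = _utf(data, pos)
            (clen,) = struct.unpack_from(">I", data, pos)
            pos += 4 + clen
            entries.append((alias, "TrustedCertEntry", 1))
        else:
            raise ValueError(f"unknown entry tag {tag}")
    return version, entries, pos


def password_is(data, password, body_end):
    """True if SHA-1(password UTF-16BE || salt || body) equals the trailing 20 bytes,
    i.e. the given store password is correct."""
    mac = hashlib.sha1(password.encode("utf-16-be") + MAC_SALT + data[:body_end]).digest()
    return mac == data[body_end:body_end + 20]


def audit_keystore(data, default_alias="wso2carbon", default_password="wso2carbon"):
    """Flag the default alias (what the server's startup check looks for) and
    the default store password."""
    _, entries, end = read_jks(data)
    findings = []
    if any(alias == default_alias for alias, _, _ in entries):
        findings.append(f"alias '{default_alias}' present: treated as the default keystore")
    if password_is(data, default_password, end):
        findings.append(f"store password is the default '{default_password}'")
    return entries, findings


def build_sample_jks(alias, password, cert_der=b"\x30\x03\x02\x01\x00"):
    """Constructed JKS v2 with one TrustedCertEntry; cert_der is a placeholder
    DER SEQUENCE, not a real certificate.  Demo input only."""
    def utf(s):
        b = s.encode("utf-8")
        return struct.pack(">H", len(b)) + b
    body = struct.pack(">III", JKS_MAGIC, 2, 1)
    body += struct.pack(">I", 2) + utf(alias) + struct.pack(">Q", int(time.time() * 1000))
    body += utf("X.509") + struct.pack(">I", len(cert_der)) + cert_der
    return body + hashlib.sha1(password.encode("utf-16-be") + MAC_SALT + body).digest()


if __name__ == "__main__":
    print(audit_keystore(build_sample_jks("wso2carbon", "wso2carbon")))
```

For a real file: audit_keystore(open("/data/wso2/certs/ibridge.jks", "rb").read()). An empty findings list means the alias and store password differ from the defaults; the KeyPassword in axis2.xml protects the private key entry separately and is not checked here.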

About Getting Started with the Facebook SDK for Unity

I am trying the new Facebook SDK for Unity and I would like to deploy the example included in this SDK, but I am not running any web server. I installed Python in the default path (C:\Python33) and then I created the web.py file and saved it into the build of my Unity game (where the web.unity3d file is). More info here.
See the "I don't have a web server available" part.
Since my English is not so good, I could not understand the following part:
Then install openssl (http://www.openssl.org/related/binaries.html)
if it isn't already on your computer. In the same directory as above,
generate a key file:
openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
Provide a non-blank answer to each prompt (correctness won't matter, but empty values may).
Start the server:
python web.py
For this, could anybody explain to me how I would have to do it?
Facebook is providing instructions on how to deploy a simple web server locally if you don't already have one, specifically the SimpleHTTPServer one (http://docs.python.org/2/library/simplehttpserver.html). The prerequisite is to have an SSL/TLS-capable web server. So:
First Step: Allow for SSL capability by using openssl to generate a key file for use in the server. (Keep it in the same directory)
openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
After executing this command, a series of prompts will be shown, but for the purposes of the tutorial it isn't important what the values are as long as they are non-blank.
Second Step: Create a file called web.py with the following contents
import BaseHTTPServer, SimpleHTTPServer   # Python 2 modules (http.server in Python 3)
import ssl

# Serve the current directory (where web.unity3d lives) on https://localhost:4443/
httpd = BaseHTTPServer.HTTPServer(('localhost', 4443), SimpleHTTPServer.SimpleHTTPRequestHandler)
# Wrap the listening socket with TLS using the key + self-signed cert in server.pem
httpd.socket = ssl.wrap_socket(httpd.socket, certfile='server.pem', server_side=True)
httpd.serve_forever()
This line
httpd = BaseHTTPServer.HTTPServer(('localhost', 4443), SimpleHTTPServer.SimpleHTTPRequestHandler)
is how the server will be presented in a browser, https://localhost:4443/, where the game object will be at https://localhost:4443/web.unity3d.
This line
httpd.socket = ssl.wrap_socket(httpd.socket, certfile='server.pem', server_side=True)
sets up SSL with the server key file generated earlier with openssl.
Finally, httpd.serve_forever() handles the requests and serves the site at https://localhost:4443/.
Third Step: Call the program just created by executing the following command
python web.py
Fourth Step: Navigate to https://localhost:4443/web.unity3d
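A Python 3 version of the web.py above, as an added example that is not Facebook's code or part of the original answer: it generates server.pem with the same openssl command (with -subj and a subjectAltName appended, so no prompts appear and browsers, which require a SAN, accept it), serves the build directory over HTTPS through an SSLContext instead of the ssl.wrap_socket call that Python 3.12 removed, and then fetches the file three ways. The third way, passing server.pem as the CA file, is the same idea as the second workaround in the ONLYOFFICE answer earlier on this page: trust the one self-signed certificate explicitly rather than switching verification off (the insecure fetch is the rejectUnauthorized=false equivalent, shown for contrast). The placeholder web.unity3d content and the ephemeral port are assumptions for the demo.

```python
"""HTTPS static server in Python 3 plus a client that shows three ways to
handle a self-signed server.pem.  Added example; the openssl command is the
page's own with -subj/-addext appended to avoid prompts."""
import functools
import http.server
import os
import shutil
import ssl
import subprocess
import tempfile
import threading
import urllib.error
import urllib.request


def generate_self_signed(pem_path, host="localhost"):
    """Write key and self-signed cert into one PEM file (openssl appends the cert
    when -keyout and -out name the same file).  Older openssl builds lack
    -addext, so retry with the CN only if the SAN variant fails."""
    base = ["openssl", "req", "-new", "-x509", "-keyout", pem_path, "-out", pem_path,
            "-days", "365", "-nodes", "-subj", f"/CN={host}"]
    for extra in (["-addext", f"subjectAltName=DNS:{host}"], []):
        if os.path.exists(pem_path):
            os.remove(pem_path)
        proc = subprocess.run(base + extra, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        if proc.returncode == 0:
            return pem_path
    raise RuntimeError("openssl req failed")


def make_https_server(directory, pem_path, host="localhost", port=0):
    """Bind an HTTPServer (port 0 = ephemeral) and wrap its listening socket so
    every accepted connection does a TLS handshake first."""
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=directory)
    httpd = http.server.HTTPServer((host, port), handler)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(pem_path)            # key and cert both live in server.pem
    httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
    return httpd


def fetch(url, cafile=None, insecure=False):
    """cafile=None: system trust store (rejects a self-signed cert);
    cafile=server.pem: trust exactly this certificate;
    insecure=True: no verification at all (rejectUnauthorized=false equivalent)."""
    if insecure:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    else:
        ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(url, context=ctx, timeout=5) as resp:
        return resp.status, resp.read()


def run_demo():
    """Serve a constructed placeholder web.unity3d and fetch it three ways."""
    if shutil.which("openssl") is None:
        return {"status": "no-openssl"}
    with tempfile.TemporaryDirectory() as site:
        pem = generate_self_signed(os.path.join(site, "server.pem"))
        with open(os.path.join(site, "web.unity3d"), "wb") as f:
            f.write(b"constructed placeholder for the Unity build\n")
        httpd = make_https_server(site, pem)
        url = f"https://localhost:{httpd.server_address[1]}/web.unity3d"
        threading.Thread(target=httpd.serve_forever, daemon=True).start()
        try:
            try:
                fetch(url)                       # default trust store
                rejected = False
            except urllib.error.URLError as err:
                rejected = isinstance(err.reason, ssl.SSLCertVerificationError)
            pinned_status, body = fetch(url, cafile=pem)      # trust this cert only
            insecure_status, _ = fetch(url, insecure=True)    # verification off
        finally:
            httpd.shutdown()
            httpd.server_close()
    return {"status": "ok", "default_trust_rejected": rejected, "pinned_status": pinned_status,
            "insecure_status": insecure_status, "body": body}


if __name__ == "__main__":
    print(run_demo())
```

To use it as a drop-in for the tutorial, call make_https_server(".", "server.pem", port=4443).serve_forever() from the build directory; the browser will still warn about the self-signed certificate until you import server.pem into its trust store, which is the browser-side equivalent of the cafile= fetch.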
Alejandro - you don't actually need to set up a localhost server, in fact, I don't recommend it unless you really want to iterate on some Facebook callbacks and you're having trouble getting them working.
Instead I would:
do in-editor testing just to see how things might work. The editor dialogs use fake data, but are indicative of the in-game experience.
push to a hosting site for live testing. e.g. use parse hosting and do 'parse deploy' to push a static file live. I can help with this if you'd like.
Thanks for checking out the SDK!
You are installing the wrong Python version. Use 2.7, not 3.3. 3.3 doesn't have that library.

Trouble installing certificate from .pfx file

I am trying to install a certificate on my local machine (Win Server 2003) with the X509Certificate2 class in a C# test console application. When I install the certificate with the following code, everything is fine:
using System.Security.Cryptography.X509Certificates;

var serviceRuntimeMachineCertificateStore = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
serviceRuntimeMachineCertificateStore.Open(OpenFlags.ReadWrite);
var cert = new X509Certificate2(certificatePath);   // no storage flags: the private key is not persisted
serviceRuntimeMachineCertificateStore.Add(cert);
serviceRuntimeMachineCertificateStore.Close();
The problem is that the private key of the certificate is not persisted when it is installed without the X509KeyStorageFlags.PersistKeySet flag. So I tried to instantiate the certificate like this (the private key has no password, so I pass in an empty string):
using System.Security.Cryptography.X509Certificates;

var serviceRuntimeMachineCertificateStore = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
serviceRuntimeMachineCertificateStore.Open(OpenFlags.ReadWrite);
// Empty password for the .pfx; PersistKeySet keeps the private key in the store
var cert = new X509Certificate2(certificatePath, "", X509KeyStorageFlags.PersistKeySet);
serviceRuntimeMachineCertificateStore.Add(cert);
serviceRuntimeMachineCertificateStore.Close();
But trying to instantiate the certificate throws a System.Security.Cryptography.CryptographicException "Failed to load certificate: The specified network password is not correct.", even though the private key has no password.
If I import the certificate in the Microsoft Management Console without specifying a password it works great.
Does anybody know how to do this programmatically?
If you try to create an instance of X509Certificate2 with an empty password on Windows XP or Windows 2003, the "Failed to load certificate: The specified network password is not correct." exception will be thrown.
If you can, try to create a certificate with a password which is not empty. Then everything should be fine.
Hopefully this will help somebody (and expand on uGeeen's answer):
User "S C" points out the following requirement for certificate passwords on Windows XP and Windows Server 2003.
0 < password.Length < 32
I have seen conflicting reports on whether 32 is allowed. I can confirm that I was using a 32 character password (an MD5 hash), and truncating it to 30 characters fixed the issue.
Are you doing it from a worker process or some other impersonated process? It may be just that the identity your process uses is initialized WITHOUT loading the identity user's profile, which seems to result in no access to the user's certificate store.
I've had a similar problem when loading an X509 cert with private keys from within the ASP.NET/IIS process, and turning on profile loading for worker processes did the trick.
In case anybody has a similar problem: I managed to install the certificate and persist the private key in another fashion. I found the WinHttpCertCfg command line tool that you can get from here: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winhttp/http/winhttpcertcfg_exe__a_certificate_configuration_tool.asp
I then call this command line tool programmatically to install the certificate. This site gave me a hint on how to use it: weblogs.asp.net/hernandl/archive/2005/02/09/…
Cheers, Chris