SSL/TLS: A Primer

We all use SSL or TLS every day. But how does it work and what infrastructure is involved? For the rest of the article I will be discussing both SSL and TLS, but will use the blanket term “TLS” to refer to both.


Recently I built up a new storage server running FreeBSD. Initially I was going to go with FreeNAS like my old storage server, however the FreeNAS project is in a bit of flux at the moment and I thought this would be a good way to learn about the inner workings of FreeBSD. Part of this is segregating the applications running on the server into “jails”. They are a form of OS-level virtualization, where each jail has its own files, processes and user accounts.


Foglight for Virtualization 7.0 Standard uses Tomcat under the covers to serve the web interface. To replace the SSL certificate, follow the steps below. I started with a password-protected PFX file whose password was foglight.

  1. Copy the PFX file to the /usr/local/tomcat/conf directory on the server
  2. Run the following to convert the PFX into a Java keystore file, entering foglight at every password prompt: /usr/local/jre1.6.0_43/bin/keytool -importkeystore -srckeystore /usr/local/tomcat/conf/foglight.pfx -srcstoretype pkcs12 -destkeystore /usr/local/tomcat/conf/foglight.jks -deststoretype JKS
  3. Open /usr/local/tomcat/conf/server.xml in your favourite editor
  4. Replace the SSL Connector section with the following:

    <Connector server="VKernel" port="443" maxHttpHeaderSize="8192"
    maxThreads="150" minSpareThreads="25"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" scheme="https" secure="true"
    SSLEnabled="true" keystoreFile="conf/foglight.jks"
    keystorePass="foglight" clientAuth="false" sslProtocol="TLS"
    ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
    TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,
    TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA" />
  5. Restart Tomcat with service tomcat restart

After a restart, the web interface will now be using the new certificate.

For reference, the username and password for the appliance are vkernel/vkernel and the su password is password.


Password policies are a good thing. However, as users aren’t chained to their desks anymore, they might not realize that their AD password is expiring. Here’s a script that you can run as a scheduled task to notify users that their password is expiring.

It was roughly copied from a Reddit thread (link), however it had a few bugs relating to fine-grained password policies and was using .NET methods for a few things instead of PowerShell cmdlets.

Hope it comes in useful for someone.


It turns out there’s a lot to getting PowerShell to connect to FTP servers. Here are two functions I’ve written that can list FTP contents and download files. Enjoy.


Set-Permissions

Here’s a basic script I created recently to set permissions on a file/folder. It can be integrated with other scripts quite nicely.

Enjoy!


As of v45, Chrome blocks HTTPS sites with weak Diffie-Hellman public keys. Whilst this is good for everyone, it does cause certain things to stop working. Our Foglight for Virtualization Standard instance stopped working with Chrome and had to be fixed. Although this is written for Foglight, it applies to any Tomcat 7 instance.

  1. SSH into the Foglight virtual machine. The default username is vkernel and the password is also vkernel.
  2. Change to root by typing su -. The default password is password.
  3. Type nano /usr/local/tomcat/conf/server.xml to edit the Tomcat config file.
  4. Under the HTTPS config section (it starts with <Connector server="VKernel" port="443" maxHttpHeaderSize="8192" ....), you will find a cipher list like ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ....". Replace it with: ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
  5. Press Ctrl + X and then y to save the file.
  6. Type service tomcat stop and then service tomcat start to reload the config file.

You should now be able to access the site properly with Chrome v45+.
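Both Foglight procedures above come down to hand-editing one HTTPS Connector in server.xml, so a small check that confirms the edit took is worth having before restarting Tomcat. The script below is an added example, not part of the original post or the Foglight appliance. It parses a server.xml, finds every SSLEnabled Connector, confirms the keystore points at the converted JKS file (Tomcat assumes JKS unless keystoreType says otherwise), and flags any finite-field Diffie-Hellman suites (TLS_DH_* / TLS_DHE_*), which are the ones Chrome 45+ refuses when the server's DH parameters are too small. The BEFORE_XML sample is constructed for the demo and is not the appliance's original Connector; AFTER_XML is the Connector exactly as the post specifies it.

```python
"""Audit the HTTPS <Connector> in a Tomcat 7 server.xml.

Added example; not code from the original post or from Foglight.
Uses only the Python standard library so it runs offline.
"""
import re
import xml.etree.ElementTree as ET

# Constructed "before" sample for demonstration only. It still references the
# PFX file and carries a DHE suite; it is NOT the appliance's real original.
BEFORE_XML = """<Server><Service name="Catalina">
<Connector server="VKernel" port="443" scheme="https" secure="true"
    SSLEnabled="true" keystoreFile="conf/foglight.pfx" keystorePass="foglight"
    sslProtocol="TLS"
    ciphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA" />
</Service></Server>"""

# The Connector as the post above tells you to write it.
AFTER_XML = """<Server><Service name="Catalina">
<Connector server="VKernel" port="443" maxHttpHeaderSize="8192"
    maxThreads="150" minSpareThreads="25"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" scheme="https" secure="true"
    SSLEnabled="true" keystoreFile="conf/foglight.jks"
    keystorePass="foglight" clientAuth="false" sslProtocol="TLS"
    ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
    TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,
    TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA" />
</Service></Server>"""

# Finite-field DH key exchange: TLS_DH_*, TLS_DHE_* (and the old SSL_ names).
FFDH_SUITE = re.compile(r"^(TLS|SSL)_DHE?_")


def https_connectors(xml_text):
    """Return every <Connector> element with SSLEnabled="true"."""
    root = ET.fromstring(xml_text)
    return [c for c in root.iter("Connector")
            if c.get("SSLEnabled", "").lower() == "true"]


def cipher_list(connector):
    """Split the ciphers attribute on commas, tolerating the line breaks and
    indentation the post's snippet carries inside the attribute value."""
    raw = connector.get("ciphers", "")
    return [s.strip() for s in raw.split(",") if s.strip()]


def audit(xml_text):
    """Return a list of (level, message) findings for the HTTPS Connectors.
    'error' means the edit is incomplete; 'info' is a caveat worth knowing."""
    findings = []
    connectors = https_connectors(xml_text)
    if not connectors:
        return [("error", "no Connector with SSLEnabled=\"true\" found")]
    for conn in connectors:
        keystore = conn.get("keystoreFile", "")
        ks_type = conn.get("keystoreType", "JKS").upper()  # Tomcat's default is JKS
        if ks_type == "JKS" and not keystore.lower().endswith(".jks"):
            findings.append(("error", "keystoreFile %r will be read as JKS; convert the "
                             "PFX with keytool -importkeystore first" % keystore))
        if not conn.get("keystorePass"):
            findings.append(("error", "keystorePass is missing"))
        suites = cipher_list(conn)
        if not suites:
            findings.append(("error", "no ciphers attribute; the JVM default list applies"))
        ffdh = [s for s in suites if FFDH_SUITE.match(s)]
        if ffdh:
            findings.append(("error", "finite-field DH suites present (rejected by "
                             "Chrome 45+ with weak DH params): " + ", ".join(ffdh)))
        static_rsa = [s for s in suites if s.startswith("TLS_RSA_WITH_")]
        if static_rsa:
            findings.append(("info", "static-RSA suites give no forward secrecy: "
                             + ", ".join(static_rsa)))
    return findings


def errors(xml_text):
    """Just the blocking findings, for a quick pass/fail."""
    return [msg for level, msg in audit(xml_text) if level == "error"]


if __name__ == "__main__":
    for label, doc in (("before", BEFORE_XML), ("after", AFTER_XML)):
        print("==", label, "==")
        for level, msg in audit(doc):
            print(" [%s] %s" % (level, msg))
```

Run it against a real file with `audit(open("/usr/local/tomcat/conf/server.xml").read())`; an empty `errors()` result means the keystore and cipher edits are in place and Tomcat can be restarted. The `info` finding on the post's own list is deliberate: the TLS_RSA_* suites it keeps work fine with Chrome but lack forward secrecy, so they are the ones to consider dropping later.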


I’ve been using MessageOps Exchange Migrator for a while now and while it is an amazing product, it isn’t without its quirks. Here are some I came across whilst migrating a small org (80 users) to Office 365.

  1. Make sure that the account you’re migrating isn’t disabled. If it is disabled, it doesn’t show up in the source mailbox list.
  2. Ensure the mailbox isn’t hidden from the GAL. If it is, the migration will fail with a MAIL_E_NAMEN error and then WSAECONNRESET.
  3. Ensure you have proper rights on the mailbox you are migrating from.
  4. Ensure the mailbox you are migrating to has an Exchange license assigned. This can be E1, E2, E3, whatever.
  5. If you change any permissions or disable/enable accounts, hit back in the tool and let it rescan everything. This saves you restarting the app and having to type all your credentials again.


Jacob Ludriks
Nerd
System Administrator
Australia