We all use SSL or TLS every day. But how does it work and what infrastructure is involved? For the rest of the article, I will be referencing both SSL and TLS but will be using the blanket term “TLS” to refer to both.
Following on from the previous post about thin jails, we can now proceed to install the following applications into separate jails:
- nginx as a reverse proxy for the above applications
Recently I built up a new storage server running FreeBSD. Initially I was going to go with FreeNAS like my old storage server, however the FreeNAS project is in a bit of flux at the moment and I thought this would be a good way to learn about the inner workings of FreeBSD. Part of this is segregating the applications running on the server into “jails”. They are a form of OS-level virtualization, where each jail has its own files, processes and user accounts.
Foglight for Virtualization 7.0 Standard uses Tomcat under the covers to serve the web interface. To replace the SSL certificate, follow the instructions below. I started with a password-protected PFX file that had the password
- Copy the PFX file to the server to the
- Run the following to convert the PFX into a Java keystore file, entering foglight for all password prompts:
/usr/local/jre1.6.0_43/bin/keytool -importkeystore -srckeystore /usr/local/tomcat/conf/foglight.pfx -srcstoretype pkcs12 -destkeystore /usr/local/tomcat/conf/foglight.jks -deststoretype JKS
- Open /usr/local/tomcat/conf/server.xml in your favourite editor
- Replace the Connector section with SSL with the following:

<Connector server="VKernel" port="443" maxHttpHeaderSize="8192"
    maxThreads="150" minSpareThreads="25"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" scheme="https" secure="true"
    SSLEnabled="true" keystoreFile="conf/foglight.jks"
    keystorePass="foglight" clientAuth="false" sslProtocol="TLS"
    ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA" />

Restart Tomcat with
service tomcat restart
After a restart, the web interface will now be using the new certificate.
For reference, the username and password for the appliance are vkernel/vkernel and the su password is
Password policies are a good thing, however as users aren’t chained to their desks anymore they might not realize that their AD password is expiring. Here’s a script that you can run as a scheduled task that will notify users that their password is expiring.
It was roughly copied from a Reddit thread (link); however, it had a few bugs relating to fine-grained password policies and was using .NET methods for a few things instead of PowerShell cmdlets.
Hope it comes in useful for someone.
As of v45, Chrome is now blocking HTTPS sites with weak Diffie-Hellman public keys. Whilst this is good for everyone, it does cause certain things to stop working. Our Foglight for Virtualization Standard instance stopped working with Chrome and had to be fixed. Although this applies for Foglight, it can be used for any Tomcat 7 instance.
- SSH into the Foglight virtual machine. Default username is vkernel and password is
- Change to root by typing su -. Default password is
- Run nano /usr/local/tomcat/conf/server.xml to edit the Tomcat config file.
- Under the HTTPS config section (starts with <Connector server="VKernel" port="443" maxHttpHeaderSize="8192" ....), you will find a cipher list like ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ....". Replace this with:
- Press Ctrl + X and then y to save the file.
- Run service tomcat stop then service tomcat start to reload the config file
You should now be able to access the site properly with Chrome v45+.
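An added example, not from the original post: a Python check that reads a Tomcat server.xml and lists the finite-field Diffie-Hellman suites enabled on each TLS connector, which are the suites relevant to the Chrome weak-DH block described above. The sample XML, its cipher list and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the connector shape used on this page, with two DHE suites
# added to the cipher list for illustration (not the appliance's real list).
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" />
  <Connector server="VKernel" port="443" scheme="https" secure="true"
    SSLEnabled="true" keystoreFile="conf/foglight.jks" sslProtocol="TLS"
    ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
             SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA" />
</Service></Server>"""


def key_exchange(suite):
    """Classify a JSSE cipher suite name by its key exchange (hypothetical helper)."""
    body = suite.split("_", 1)[1] if "_" in suite else suite  # drop TLS_/SSL_ prefix
    for prefix, kind in (("ECDHE_", "ECDHE"), ("ECDH_", "ECDH"),
                         ("DHE_", "DHE"), ("DH_anon", "DH_anon"), ("DH_", "DH")):
        if body.startswith(prefix):
            return kind
    return "RSA" if body.startswith("RSA_") else "other"


def audit_connectors(server_xml):
    """Return one finding per TLS-enabled Connector in a server.xml document."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, nothing to check
        raw = conn.get("ciphers")
        if raw is None:
            # No explicit list: default suites apply and need checking separately.
            findings.append({"port": conn.get("port"), "explicit": False, "dhe": []})
            continue
        suites = [s.strip() for s in raw.split(",") if s.strip()]
        dhe = [s for s in suites if key_exchange(s) in ("DHE", "DH", "DH_anon")]
        findings.append({"port": conn.get("port"), "explicit": True, "dhe": dhe})
    return findings


if __name__ == "__main__":
    for f in audit_connectors(SAMPLE_SERVER_XML):
        if not f["explicit"]:
            print(f"port {f['port']}: no ciphers attribute, defaults in use")
        for suite in f["dhe"]:
            print(f"port {f['port']}: finite-field DH suite enabled: {suite}")
```

An empty `dhe` list for a connector with an explicit cipher list means only ECDHE and static RSA key exchange remain on that port.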
HP has released the new ProLiant SPP for October 2015.
I’ve been using MessageOps Exchange Migrator for a while now and while it is an amazing product, it isn’t without its quirks. Here are some I came across whilst migrating a small org (80 users) to Office365:
- Make sure that the account you’re migrating isn’t disabled. If it is disabled, it doesn’t show up in the source mailbox list.
- Ensure the mailbox isn’t hidden from the GAL. If it is, the migration will fail with a MAIL_E_NAMEN error and then
- Ensure you have proper rights on the mailbox you are migrating from.
- Ensure the mailbox you are migrating to has an Exchange license assigned. This can be E1, E2, E3, whatever.
- If you change any permissions or disable/enable accounts, hit back in the tool and let it rescan everything. This saves you restarting the app and having to type all your credentials again.