February 05, 2013

Changing Java keystore passwords...

Sometimes you need to update a KeyStore password - use the following method to complete the process.

First, locate the keystore that you need to modify:
[root@swift cdgrieb]# ls /usr/share/certs/certs/pact.hf.mcarepartners.org.p12
/usr/share/certs/certs/pact.hf.mcarepartners.org.p12

Next, issue the password update command:
[root@swift cdgrieb]# keytool -storepasswd -keystore /usr/share/certs/certs/pact.hf.mcarepartners.org.p12 -storetype pkcs12
Enter keystore password:
New keystore password:
Re-enter new keystore password:

Note: remember to specify the keystore type (with the -storetype pkcs12 switch) unless you're using the standard format; otherwise, the command will fail.

Posted by cdgrieb at 12:32 PM | Comments (0)

January 24, 2013

Enumerate protocols and ciphers for Tomcat

By default, Tomcat instances configured for SSL will accept pretty much any secured cipher, which, obviously, is not always optimal. Use the following method to ensure AES 128 or AES 256.

First, ensure that a protocol is specified within the connector block, for example:
sslProtocol="TLS"

Next, add your cipher specifications:
ciphers="TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA"

Finally, restart Tomcat. You should have enforced AES 128/256.
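As an added example (not part of the original post), a small Python audit of a constructed server.xml fragment that checks every SSL-enabled Connector for the two settings above: an explicit sslProtocol and a ciphers list made up only of AES-128/256 suites. The connector ports and the weak suites on the second connector are invented for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed server.xml fragment (not from the original post): one connector
# with the post's AES-only list, one with a permissive list, one with no list.
SERVER_XML = """<Server><Service name="Catalina">
    <Connector port="8443" scheme="https" secure="true" SSLEnabled="true"
               sslProtocol="TLS"
               ciphers="TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
                        TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
                        TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
                        TLS_DHE_RSA_WITH_AES_128_CBC_SHA"/>
    <Connector port="8444" scheme="https" secure="true" SSLEnabled="true"
               sslProtocol="TLS"
               ciphers="SSL_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA"/>
    <Connector port="8445" scheme="https" secure="true" SSLEnabled="true"/>
</Service></Server>"""

# Suite names that satisfy the post's goal: AES-128 or AES-256 bulk encryption.
AES_SUITE = re.compile(r"^TLS_\w+_WITH_AES_(128|256)_")

def split_ciphers(value):
    """Split a ciphers attribute (comma separated, arbitrary whitespace) into suite names."""
    return [c.strip() for c in value.split(",") if c.strip()]

def audit_connectors(xml_text):
    """Return {port: list of findings} for every SSL-enabled Connector; an empty list means compliant."""
    findings = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port")
        problems = []
        if conn.get("sslProtocol") is None:
            problems.append("no sslProtocol attribute")
        ciphers = conn.get("ciphers")
        if ciphers is None:
            problems.append("no ciphers attribute: container default list accepted")
        else:
            for suite in split_ciphers(ciphers):
                if not AES_SUITE.match(suite):
                    problems.append("non-AES suite allowed: " + suite)
        findings[port] = problems
    return findings

if __name__ == "__main__":
    for port, problems in audit_connectors(SERVER_XML).items():
        print(port, "OK" if not problems else problems)
```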

Posted by cdgrieb at 01:19 PM | Comments (0)

August 08, 2012

Apache - multiple virtual hosts on *80

When you have multiple virtual hosts on port *80, you need to specify a virtual host name. For example, at the very top of your virtual host configuration file, add an entry that states:
NameVirtualHost *:80

Otherwise, you'll receive the following warning:
"[warn] _default_ VirtualHost overlap on port 80, the first has precedence"

Posted by cdgrieb at 09:59 AM | Comments (0)

June 25, 2012

Apache - disabling HTTP TRACE / TRACK

In order to resolve the TRACE / TRACK security issues related to Apache, simply append the following rewrite rules to the Apache configuration file:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

and restart the server. Done.
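As an added example (not from the original post), a Python check that runs over constructed access_log lines to confirm the rule is actually refusing TRACE/TRACK: it counts those methods by status and lists any that were not answered with 403. The method regex is the same one the RewriteCond uses; on httpd 2.0.55 or later, TraceEnable off refuses TRACE without needing mod_rewrite.

```python
import re
from collections import Counter

# Constructed access_log lines in Apache "combined" format (not from the original
# post): two TRACE/TRACK requests that were denied, one TRACE that still got a 200.
ACCESS_LOG = """\
192.0.2.10 - - [25/Jun/2012:11:40:01 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.11 - - [25/Jun/2012:11:40:07 -0400] "TRACE / HTTP/1.1" 403 213 "-" "curl/7.19.7"
192.0.2.11 - - [25/Jun/2012:11:40:09 -0400] "TRACK / HTTP/1.1" 403 213 "-" "curl/7.19.7"
192.0.2.12 - - [25/Jun/2012:11:55:30 -0400] "TRACE /app/ HTTP/1.1" 200 311 "-" "Java/1.6.0"
192.0.2.13 - - [25/Jun/2012:11:56:02 -0400] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Same pattern the RewriteCond uses: anchored at the start of the method only.
TRACE_METHOD = re.compile(r"^(TRACE|TRACK)")

# The request line is the first quoted field: "METHOD path protocol", then the status.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return (ip, method, status) for a combined-format line, or None if it does not parse."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("method"), int(m.group("status"))

def audit_trace(log_text):
    """Summarise TRACE/TRACK handling: a count per status code, plus every such
    request that was not refused (status other than 403), which indicates the
    rewrite rule is not in effect for that vhost or path."""
    by_status = Counter()
    not_blocked = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, method, status = parsed
        if TRACE_METHOD.match(method):
            by_status[status] += 1
            if status != 403:
                not_blocked.append((ip, method, status))
    return dict(by_status), not_blocked

if __name__ == "__main__":
    counts, leaks = audit_trace(ACCESS_LOG)
    print("TRACE/TRACK by status:", counts)
    for ip, method, status in leaks:
        print("not refused:", ip, method, status)
```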

Posted by cdgrieb at 11:52 AM | Comments (0)

June 22, 2012

Managing WordPress blogs

Currently, ISSC hosts a number of WordPress-based blogs for various organizations, including EVPMA, MICHR, etc. One of the numerous issues we've encountered with hosting these blogs is managing plugins, themes, access, and blog migrations. In order to resolve this issue, we've started looking into various blog management tools, including RHN, in-house development tools (scripts, etc.), and cloud-based utilities. One example of a WordPress tool we've looked into is https://managewp.com - currently, we have a dedicated system administrator researching its functionality, etc. More information soon!

Posted by cdgrieb at 03:46 PM | Comments (0)

June 11, 2012

Nested LDAP groups and coSign, continued...

So, upon further inspection, we've concluded that re-creating UMOD legacy groups in MCommunity has solved the initial nesting problems we'd been experiencing with LDAP-based coSign authentication. For example, the 'umms-anatomy-secured-student' group existed as a UMOD group but failed to authenticate against coSign; we recreated the group and migrated the individual users into MCommunity, resulting in properly functioning coSign logins. Woot!

Posted by cdgrieb at 01:47 PM | Comments (0)

June 07, 2012

WordPress blogs...

This is the current, unverified list of WordPress blogs:

- michart.org
- mottblog.org
- mottmdrounds.org
- msatmichigan.org
- umchop.org
- umevpma.org
- umfertilityjourney.org
- umhsheadlines.org
- umhsicd10.org
- umhsnursenegotiations.org
- umhsnursing.org
- umhsupdate.org
- uminsideview.org
- umwomenshospitalblog.org

Posted by cdgrieb at 03:07 PM | Comments (0)

May 30, 2012

Nested LDAP groups and coSign....

We've noticed a specific issue with MCommunity, coSign, and nested LDAP groups: essentially, they don't work in some situations. For example, the following coSign entry should allow individuals from the 'm1' and 'm2' LDAP groups to authenticate:
-----------------------------------------------------------------
require ldap-group cn=g1,ou=User Groups,ou=Groups,dc=umich,dc=edu
require ldap-group cn=g2,ou=User Groups,ou=Groups,dc=umich,dc=edu
-----------------------------------------------------------------
However, only direct users are allowed access, in addition to one or two folks from the nested groups. We're not positive whether this is a result of UMOD group translations, LDAP naming conventions, or something else... more investigation forthcoming...
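To make the failure mode concrete, here is an added Python model (not from the original post, and not how mod_authnz_ldap is implemented) of the two ways a 'require ldap-group' check can be evaluated against a constructed directory: direct membership only, which matches what the post observes, versus membership with nested groups flattened first. The group and user DNs below are invented; only the ou=User Groups,ou=Groups,dc=umich,dc=edu suffix comes from the post.

```python
# Constructed directory (not from the original post): group DNs map to their
# "member" values, which are either user DNs or the DNs of nested groups.
BASE = "ou=User Groups,ou=Groups,dc=umich,dc=edu"
PEOPLE = "ou=People,dc=umich,dc=edu"
DIRECTORY = {
    f"cn=g1,{BASE}": [f"uid=alice,{PEOPLE}", f"cn=g1-students,{BASE}"],
    f"cn=g1-students,{BASE}": [f"uid=bob,{PEOPLE}", f"cn=g1-ta,{BASE}"],
    f"cn=g1-ta,{BASE}": [f"uid=carol,{PEOPLE}", f"cn=g1,{BASE}"],  # cycle back to g1
    f"cn=g2,{BASE}": [f"uid=dave,{PEOPLE}"],
}

def direct_member(user_dn, group_dn, directory):
    """What a plain 'require ldap-group' compares: is the user listed in the group itself?"""
    return user_dn in directory.get(group_dn, [])

def flatten_members(group_dn, directory, max_depth=5):
    """Expand nested groups into the set of user DNs they ultimately contain.
    Members that are themselves keys of the directory are sub-groups and are
    followed; 'seen' guards against membership cycles, max_depth bounds the walk."""
    users, seen = set(), set()
    def walk(dn, depth):
        if dn in seen or depth > max_depth:
            return
        seen.add(dn)
        for member in directory.get(dn, []):
            if member in directory:
                walk(member, depth + 1)
            else:
                users.add(member)
    walk(group_dn, 0)
    return users

def authorized(user_dn, groups, directory, nested):
    """Emulate several 'require ldap-group' lines (any match admits), either
    with direct matching or with each group's nested members flattened first."""
    for g in groups:
        if nested and user_dn in flatten_members(g, directory):
            return True
        if not nested and direct_member(user_dn, g, directory):
            return True
    return False

if __name__ == "__main__":
    groups = [f"cn=g1,{BASE}", f"cn=g2,{BASE}"]
    for uid in ("alice", "bob", "carol", "dave", "erin"):
        dn = f"uid={uid},{PEOPLE}"
        print(uid, "direct:", authorized(dn, groups, DIRECTORY, False),
              "nested:", authorized(dn, groups, DIRECTORY, True))
```

Only alice and dave pass the direct check; bob and carol, who sit in sub-groups of g1, are admitted only once nesting is expanded. mod_authnz_ldap gained sub-group expansion (AuthLDAPMaxSubGroupDepth) in httpd 2.4, so on 2.2 a flat group is the practical fix.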

Posted by cdgrieb at 09:22 AM | Comments (0) | TrackBack

May 29, 2012

WordPress and RHEL 5

So, we've had a few issues with WordPress and RHEL 5.0; specifically, recent builds of WP require a minimum of PHP 5.2.4. A quick query against the rpm database on a RHEL 5 system reveals the following php packages:
----------------------------------------------------
[cdgrieb@ginkgo ~/Downloads]# rpm -qa | grep 'php'
php-gd-5.1.6-34.el5_8
php-mcrypt-5.1.6-5.el5
php-pdo-5.1.6-34.el5_8
php-common-5.1.6-34.el5_8
php-5.1.6-34.el5_8
php-mbstring-5.1.6-34.el5_8
php-cli-5.1.6-34.el5_8
php-mysql-5.1.6-34.el5_8
----------------------------------------------------

Obviously, PHP 5.1.6 will only get you antiquated support for WP, so we've decided that all existing WP blogs should be migrated to RHEL 6, at least.

Posted by cdgrieb at 11:35 AM | Comments (0)