Wednesday, June 3, 2015

RSA to CPASS migration on Windows platform



For IIS7

Prerequisites
  • Put the agent installer here: E:\csapps\PolicyAgentIIS7
  • The site should not be a virtual directory (i.e. sitting inside the Default Web Site folder); if it is, you will first have to make it a website of its own, and it should have a dedicated application pool.
  • To check whether the pool is dedicated, go to "Application Pools" and check the number of applications associated with that app pool.
  • Also check in the bindings of the application that the URL is "organisation1.com"; if not, create a new host name under the organisation1.com domain, get it configured with the help of the IP/Domain team, and after that enter it manually in the bindings too.
  • Close IIS Manager.



Configuring CPASS
  1. Create a plain text file containing the agent profile password and place it in the bin folder of the installer at E:\csapps\PolicyAgentIIS7. For IIS6 the path is E:\csapps\sun\webaggents instead.
  2. From a command prompt in the installer's bin folder, run cscript IIS7CreateConfig.vbs ABCconf.txt:
 Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.

C:\Users\neha>e:

E:\>cd csapps\PolicyAgentIIS7\web_agents\iis7_agent\bin

E:\csapps\PolicyAgentIIS7\web_agents\iis7_agent\bin>cscript IIS7CreateConfig.vbs ABCconf.txt
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.


Copyright c 2009, 2011, Oracle and/or its affiliates. All rights reserved.
---------------------------------------------------------
Microsoft (TM) Internet Information Server (7.0)
---------------------------------------------------------
Enter the Agent Resource File Name [IIS7Resource.en] :

Enter the Agent URL (Example: http://agent.example.com:80) :
http://application1.lvs.organisation1.com:80

Displaying the list of Web Sites and its corresponding Identifiers (id)

SITE "Default Web Site" (id:1,bindings:http/xxx.xxx.xx.xxx:80:,http/xxx.xxx.xx.xxx:80:server.organisation1.net,http/xxx.xxx.xx.xxx:80:www8t.lvs.organisation.com,net.tcp/808:*,net.pipe/*,net.msmq/localhost,msmq.formatname/localhost,state:Starte)

SITE "Microsoft SharePoint Administration" (id:2,bindings:http/xxx.xxx.xx.xxx:6181:,state:Started)

SITE "application1"(id:7,bindings:http/xxx.xxx.xx.xxx:80:application1.lvs.organisation1.com,state:Started)

Web Site Identifier :
7
------------------------------------------------
Oracle OpenSSO Enterprise 8.0
------------------------------------------------
Enter the URL where the OpenSSO server is running. Please include the deployment
URI also as shown in the example (Example: http://opensso.example.com:58080/ope
nsso):
https://eifed-3-qa.organisation1.com:443/opensso

Please enter the Agent Profile name :
ABC

Enter the Agent profile password file :
ABCpwd.txt

-----------------------------------------------------
Agent Configuration file created : ABCconf.txt
------------------------------------------------------

3. Now apply this config file using the second script, IIS7Admin.vbs:

E:\csapps\PolicyAgentIIS7\web_agents\iis7_agent\bin>cscript IIS7Admin.vbs -config ABCconf.txt
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.

Copyright c 2009, 2011, Oracle and/or its affiliates. All rights reserved.

Enter the Agent Resource File Name [IIS7Resource.en] :

Creating the Agent Config Directory
Creating the OpenSSOAgentBootstrap.properties and OpenSSOAgentConfiguration.properties File
Updating the Windows Product Registry
Installing the module into IIS.
Completed Configuring the IIS 7.0 Agent

4. Restart the IIS service.

5. Check that CPASS is installed as follows:
Go to the instance in IIS Manager > Modules
See whether iis.dll is present.
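The prerequisite checks above (own website, dedicated application pool, host-name binding) and the step 5 module check, scripted as an added example that is not part of the original post. It assumes the WebAdministration module (IIS 7+), the site name "application1" and host name application1.lvs.organisation1.com from the session shown above, and the installer path E:\csapps\PolicyAgentIIS7 from the prerequisites.

```powershell
# Added example (not from the original post): pre-flight and post-install checks for the IIS7 agent.
# Assumed values: site name, expected host name and installer path are taken from the post.
Import-Module WebAdministration

$siteName     = 'application1'
$expectedHost = 'application1.lvs.organisation1.com'
$agentRoot    = 'E:\csapps\PolicyAgentIIS7'

# Prerequisite: the application must be a site of its own, not a virtual directory under Default Web Site.
$site = Get-Website -Name $siteName
if (-not $site) {
    throw "Site '$siteName' not found: it is probably still a virtual directory under 'Default Web Site'"
}

# Prerequisite: a dedicated application pool, i.e. no other site or application uses the same pool.
$pool = $site.applicationPool
$otherSites = @(Get-Website        | Where-Object { $_.applicationPool -eq $pool -and $_.name -ne $siteName })
$otherApps  = @(Get-WebApplication | Where-Object { $_.applicationPool -eq $pool -and $_.path -ne '/' })
if ($otherSites.Count + $otherApps.Count -gt 0) {
    $shared = @($otherSites.name) + @($otherApps.path)
    Write-Warning "App pool '$pool' is shared with: $($shared -join ', '); give '$siteName' its own pool"
}

# Prerequisite: an http binding whose host header is the host name of the Agent URL.
# bindingInformation has the form "IP:port:hostname".
$hosts = Get-WebBinding -Name $siteName -Protocol http |
         ForEach-Object { ($_.bindingInformation -split ':')[2] }
if ($hosts -notcontains $expectedHost) {
    Write-Warning "No http binding for $expectedHost (found: $($hosts -join ', ')); add the host name and binding first"
}

# Step 5: after IIS7Admin.vbs -config and an IIS restart, the agent's native module must be
# registered globally and loaded from the installer directory.
$agentModule = Get-WebGlobalModule | Where-Object { $_.image -like "$agentRoot*" }
if ($agentModule) {
    "Agent module registered: {0} -> {1}" -f $agentModule.name, $agentModule.image
} else {
    Write-Warning "No global module loaded from $agentRoot; check the registry key and re-run the -config step"
}
```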



UNCONFIGURING CPASS
1. E:\csapps\PolicyAgentIIS7\web_agents\iis7_agent\bin>cscript IIS7Admin.vbs -unconfig itprodconf.txt
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.

Copyright c 2009, 2011, Oracle and/or its affiliates. All rights reserved.

Enter the Agent Resource File Name [IIS7Resource.en] :


Removing the Agent Bootstrap file
Removing the Agent Config file
Removing the Agent Config Directory
E:\csapps\PolicyAgentIIS7\web_agents\iis7_agent\Identifier_14\config
Removing the entries from Windows Product Registry
Removing the module from IIS.
Completed Unconfiguring the IIS 7.0 Agent


2. Restart the IIS service.

3. If it is still not visible in the modules list, add the "maps" under "configuration" manually and then restart IIS.

Regedit>HKEY_LOCAL_MACHINE>SOFTWARE>ORACLE>OPENSSO>IIS6AGENT>

If this identifier is not present, create it.

NOTE
The site should not be a virtual directory (i.e. sitting inside the Default Web Site folder); if it is, you will first have to make it a website of its own, and it should then have a dedicated application pool.

Tuesday, June 2, 2015

Certificate renewal on Unix box


What are web site certificates?
If an organization wants to have a secure web site that uses encryption, it needs to obtain a site, or host, certificate. There are two elements that indicate that a site uses encryption:

  • a closed padlock, which, depending on your browser, may be located in the status bar at the bottom of your browser window or at the top of the browser window between the address and search fields
  • a URL that begins with "https:" rather than "http:"
By making sure a web site encrypts your information and has a valid certificate, you can help protect yourself against attackers who create malicious sites to gather your information.


RAISING A CERTIFICATE REQUEST

1. Run the command to generate the server private key (server.key):
/home/u2/neha>openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus
.........+++
..................+++
e is 65537 (0x10001)
   This produces a file named 'server.key'.

2. Generate the .csr file:
/home/u2/neha>openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:Global
Common Name (eg, YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

/home/u2/neha>ls -lrt
-r-xr-x--x    1 neha  staff        990930 Aug 21 11:54 openssl
-rw-r-----    1 neha   staff          1675 Aug 21 11:54 server.key
-rw-r-----    1 neha   staff          1074 Aug 21 11:58 server.csr


/home/u2/neha>cat server.csr
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----


3. Get these files onto your desktop by FTP from the server path. The FTP transfer mode should be ASCII while doing the get.

4. Send the server.csr file to the person in the organisation who can get it certified.

5. That person sends back the crt file in this form:

Web Server CERTIFICATE
-----------------

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----


INTERMEDIATE CA: 
---------------------------------------

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

6. Convert the txt files to crt files:

7. Copy the text from BEGIN CERTIFICATE up to END CERTIFICATE, including the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines.

8. Save it in Notepad on the desktop with the file names "server.crt" and "geotrust_intermediate.crt". The txt files are thereby converted to crt files: server.crt and geotrust_intermediate.crt.

9. Now FTP again and put the files server.crt and geotrust_intermediate.crt into the home folder of the UNIX server on which the certs need to be deployed. Rename them with the instance name, e.g. instance1.crt and geotrust_intermediate.crt. FTP to the UNIX server must be in BIN mode, not ASCII mode.

or

request the UNIX team to put the files (server.key, the crt file and the GeoTrust intermediate file) in the specified path.

10. Change the ownership and group of the files.
Note: The ownership and group will be the same as those of the old files, as mentioned in the specified logs.

11. Exit from the instance's ID and then bounce Apache with your own ID.

12. Check the validity of the certificate:

/export/apps/apache/OpenSSL/0.9.8.g/bin/openssl x509 -noout -in ./app.crt -startdate -enddate
notBefore=Apr 28 14:37:30 2015 GMT
notAfter=May  1 11:49:37 2016 GMT
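Before the crt files leave the desktop for the UNIX server, the checks below catch the mistakes this procedure invites (a file Notepad saved as .txt, a UTF-8 BOM or a truncated BEGIN/END block) and repeat the openssl validity check plus a chain check against the intermediate. This is an added example, not part of the original post; it assumes the files are on the desktop under the names used above and that the site host name is application1.lvs.organisation1.com (taken from the first post).

```powershell
# Added example (not from the original post): sanity checks on server.crt and geotrust_intermediate.crt.
# Assumed: file locations on the desktop and the expected host name below.
$leafPath   = "$env:USERPROFILE\Desktop\server.crt"
$caPath     = "$env:USERPROFILE\Desktop\geotrust_intermediate.crt"
$expectedCn = 'application1.lvs.organisation1.com'

foreach ($p in $leafPath, $caPath) {
    if (-not (Test-Path $p)) { throw "$p missing (Notepad may have saved it as .txt: choose 'All Files' when saving)" }
    $bytes = [IO.File]::ReadAllBytes($p)
    # A UTF-8 BOM (EF BB BF) written by Notepad is not part of PEM and breaks many parsers.
    if ($bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF) {
        throw "$p starts with a UTF-8 BOM: re-save it as ANSI or UTF-8 without BOM"
    }
    $text = [IO.File]::ReadAllText($p)
    if ($text -notmatch '-----BEGIN CERTIFICATE-----[\s\S]+-----END CERTIFICATE-----') {
        throw "$p does not contain a complete BEGIN/END CERTIFICATE block"
    }
}

$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $leafPath
$ca   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $caPath

# Same information as 'openssl x509 -startdate -enddate'.
"notBefore={0:u}  notAfter={1:u}" -f $leaf.NotBefore, $leaf.NotAfter
if ($leaf.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "certificate expires within 30 days" }

# The DNS name in the certificate must be the host name the site is served under.
$cn = $leaf.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
if ($cn -ne $expectedCn) { Write-Warning "certificate is for '$cn', expected '$expectedCn'" }

# Confirm the leaf really chains to the intermediate that was sent with it.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.ExtraStore.Add($ca) | Out-Null
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$built = $chain.Build($leaf)
$issuedByCa = ($chain.ChainElements.Count -ge 2) -and
              ($chain.ChainElements[1].Certificate.Thumbprint -eq $ca.Thumbprint)
if (-not $issuedByCa) {
    Write-Warning ("server.crt is not issued by geotrust_intermediate.crt (issuer: {0})" -f $leaf.Issuer)
} elseif (-not $built) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
}
```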

How do you check a site's certificate?
Follow these steps to see the security certificate of the website:
1. Open the site
2. Right-click on the site
3. Choose Properties > Certificate
4. The certificate contains the start and expiry dates

Tuesday, April 28, 2015

Windows Server Migration Activities



1. Stop the application-specific web server/app server services, such as the IIS service, JBoss, Tomcat or any other software that is installed on the server explicitly. Open the service manager as follows:
A. Go to Start
B. Go to Run
C. Type 'services.msc' and press 'OK'.
D. Choose the services to be stopped and click 'Stop'.

2. Set the services to 'Manual' (not 'Automatic'). This ensures that when the server is started again these services will not come up on their own.

3. If there are any scheduled jobs on the server, make sure that all of them are suspended temporarily.
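Steps 1 to 3 from PowerShell, recording the original service state first so it can be restored after the migration. This is an added example, not part of the original post; the service names are assumptions (W3SVC is the IIS service, while JBoss and Tomcat register under whatever name their installer chose), as is the rollback file location.

```powershell
# Added example (not from the original post): stop application services, set them to Manual and
# disable scheduled tasks, keeping a record for rollback. Service names below are assumed.
$services = 'W3SVC', 'Tomcat7', 'JBossAS'
$rollback = "$env:USERPROFILE\Desktop\service-state-before-migration.csv"

# Record Status and StartMode before touching anything (StartMode is not exposed by Get-Service in PS 5.1).
$state = foreach ($name in $services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning "service '$name' is not installed on this server"; continue }
    $wmi = Get-WmiObject Win32_Service -Filter "Name='$name'"
    [pscustomobject]@{ Name = $name; Status = $svc.Status; StartMode = $wmi.StartMode }
}
$state | Export-Csv -Path $rollback -NoTypeInformation
$state | Format-Table -AutoSize

# Steps 1 and 2: stop each service and make sure it will not start again by itself after a reboot.
foreach ($s in $state) {
    Stop-Service -Name $s.Name -Force -ErrorAction Stop
    Set-Service  -Name $s.Name -StartupType Manual
}

# Step 3: suspend scheduled jobs. schtasks.exe is used because it also exists on older servers;
# built-in Microsoft tasks are left alone, every other enabled task is disabled.
$tasks = schtasks /Query /FO CSV /V | ConvertFrom-Csv |
         Where-Object { $_.'Scheduled Task State' -eq 'Enabled' -and $_.TaskName -notlike '\Microsoft\*' }
foreach ($t in $tasks) {
    schtasks /Change /TN $t.TaskName /Disable | Out-Null
    "disabled scheduled task {0}" -f $t.TaskName
}
```

Re-enable the tasks with schtasks /Change /TN name /Enable and restore the StartMode values from the CSV once the migration is verified.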

4. Database server mapping changes:

For SQL
Admin Tools > ODBC Data Source Administrator > System DSN > find the entries that use 'SQL Server' > select one > Configure > update the DB server name > Next > update the password > Next

For Oracle
Make the changes in the tnsnames.ora file. Don't edit it manually; use 'Oracle Net Manager':

Start > All Programs > Oracle OraClient10g_home2 > Configuration and Migration Tools > Net Manager

Add the new host name (new database name) or new SID that is to be used for data connections after the migration.

5. Check that each website in IIS is mapped to the correct IP.
Website > app > Properties > IP Address

6. After the migration some changes will be needed at the RSA end as well (if you are using RSA as authentication for any application on the server):
Control Panel > RSA Authentication Agent > Advanced > Clear Node Secret
Change the IP
Main tab > Test the RSA; 'Success' should appear in the dialog box.