*** alamarca_ (~alamarca@201.246.81.195) has joined #wikid | 01:17 | |
*** alamarca has quit (Ping timeout: 240 seconds) | 01:18 | |
*** finalbeta (~finalbeta@ip-81-11-184-217.dsl.scarlet.be) has joined #wikid | 07:11 | |
*** finalbeta_ has quit (Ping timeout: 260 seconds) | 07:14 | |
*** finalbeta has quit (Read error: Connection reset by peer) | 11:13 | |
*** nowen (~nowen@adsl-66-164-120.asm.bellsouth.net) has joined #wikid | 12:51 | |
*** alamarca_ has quit () | 13:24 | |
*** alamarca (~alamarca@201.246.81.195) has joined #wikid | 13:24 | |
alamarca | hi | 13:28 |
nowen | morning | 13:28 |
alamarca | morning | 13:35 |
alamarca | nowen I am about to send mail | 13:36 |
alamarca | xD | 13:36 |
nowen | ok | 13:36 |
alamarca | look at your mail | 13:44 |
nowen | got it | 13:45 |
alamarca | thnxs | 13:45 |
*** alamarca has quit () | 13:45 | |
*** alamarca (~alamarca@201.246.81.195) has joined #wikid | 13:51 | |
alamarca | nowen I responded to your mail | 14:26 |
nowen | got it :) | 14:29 |
nowen | are they capable of installing and managing it themselves? | 14:30 |
alamarca | I do not know | 14:41 |
*** Ken (a5bd4f32@gateway/web/freenode/ip.165.189.79.50) has joined #wikid | 15:56 | |
Ken | Hey Nick - Have time for two short questions? | 15:56 |
nowen | yes | 15:57 |
Ken | K. CA and Sub CA cert validity periods. How long on the CA and sub CA certs? How long on the client certs? | 15:59 |
nowen | CA is 3 years, the others are 1, IIRC | 15:59 |
nowen | you can check them with keytool | 16:00 |
Ken | So what happens after three years when the CA certs needs updating? | 16:00 |
nowen | keytool -list -v -keystore /opt/WiKID/private/intCAKeys.p12 -storetype pkcs12 -storepass yourpassphrase | 16:00 |
nowen | you can just create new ones | 16:00 |
nowen | we're going to be updating the CA code, btw | 16:01 |
nowen | it will really tie into the subscription process. we might be able to extend the certs instead of re-creating | 16:02 |
nowen | what's your concern? That the certs will die and things will go bad? | 16:02 |
*** Ken_ (a5bd4f32@gateway/web/freenode/ip.165.189.79.50) has joined #wikid | 16:03 | |
Ken_ | Hmm got booted. You trying to tell me something Nick? | 16:03 |
nowen | hehe | 16:03 |
nowen | so, to re-state: let me know your concerns, we're updating the CA code shortly | 16:03 |
nowen | currently, you just recreate the certs | 16:04 |
*** Ken has quit (Ping timeout: 253 seconds) | 16:05 | |
Ken_ | What about the clients and their ties to the original cert chain? | 16:06 |
nowen | the token clients are not tied to the CA at all | 16:06 |
nowen | their keys are stored in the db | 16:06 |
Ken_ | What about the mutual validation | 16:12 |
nowen | mutual validation is separate also. the ssl cert is stored in the db | 16:16 |
*** Ken (a5bd4f32@gateway/web/freenode/ip.165.189.79.50) has joined #wikid | 16:18 | |
Ken | So is there anything using the soft tokens on a PC or mobile device that would need to be updated or touched in any way over the course of 10 years | 16:19 |
nowen | there shouldn't be | 16:21 |
nowen | the tokens use a 'flat public key' architecture | 16:21 |
*** Ken_ has quit (Ping timeout: 252 seconds) | 16:21 | |
Ken | Shoot I had a second question but forgot what it was. :) | 16:22 |
nowen | freenode is not liking you today | 16:22 |
Ken | No it is not | 16:23 |
Ken | Any ideas on when the new Android client will be out? | 16:23 |
nowen | hmm. not a lot of data, but we need to push it forward | 16:24 |
Ken | Where is WiKID based out of and how big is your staff? | 16:24 |
nowen | Atlanta, depends ;) | 16:24 |
nowen | we're a pretty small company obviously. we use a lot of contractors | 16:25 |
nowen | for example, we will go out of house for most non-java development | 16:25 |
Ken | I remembered: Where does PCI specify the need for x-factor or strong auth? | 16:25 |
nowen | the windows mobile phone token eg | 16:25 |
Ken | ? | 16:26 |
nowen | you want the rule #? | 16:26 |
nowen | we will outsource development of the windows mobile phone token | 16:26 |
Ken | Yes. I do some work for a company that deals in CC transactions | 16:26 |
nowen | 8.3 Implement 2-factor authentication for remote access to the network by employees, administrators, and third parties. Use technologies such as RADIUS or TACACS with tokens, or VPN with individual certificates. | 16:27 |
nowen | that might be dated | 16:27 |
Ken | That should be close enough for me to investigate | 16:27 |
nowen | http://publib.boulder.ibm.com/infocenter/wchelp/v7r0m0/index.jsp?topic=/com.ibm.commerce.pci.doc/concepts/csepcireq8.htm | 16:28 |
Ken | So is there support for windows phones? | 16:28 |
nowen | 6.5 currently, | 16:28 |
nowen | we'll be doing a 7 soon. | 16:28 |
nowen | here's the pdf https://www.pcisecuritystandards.org/pdfs/pci_pa_dss.pdf | 16:29 |
Ken | 10.2 If the payment application may be accessed remotely, remote access to the payment application must be authenticated using a two-factor authentication mechanism. | 16:33 |
Ken | Thanks for your time Nick. I am off to lunch. Going to start our pilot this week. | 16:34 |
nowen | awesome! | 16:36 |
nowen | ah - yes, 10.2 | 16:36 |
*** Ken has quit (Disconnected by services) | 16:45 | |
alamarca | nowen | 17:58 |
alamarca | good weekend | 17:58 |
alamarca | gL | 17:58 |
*** alamarca has quit () | 17:58 | |
*** Matt_ (4211be12@gateway/web/freenode/ip.66.17.190.18) has joined #wikid | 18:46 | |
Matt_ | Hello | 18:46 |
*** Matt_ is now known as Guest84750 | 18:47 | |
nowen | hi | 18:47 |
Guest84750 | We are trying to determine what ports need to be open for the wikid server for a client to connect | 18:47 |
nowen | 80 | 18:47 |
nowen | the WiKID admin runs on 443 | 18:47 |
Guest84750 | Even for grabbing a token? | 18:47 |
nowen | the tokens use asymmetric encryption, so no need for ssl. we went with 80 b/c it is usually open | 18:48 |
Guest84750 | alright thanks | 18:49 |
nowen | np | 18:49 |
nowen | you can NAT the wikid box, too | 18:49 |
nowen | just use the external ip for the domain identifier | 18:49 |
Guest84750 | ok | 18:50 |
*** Guest84750 has quit (Ping timeout: 252 seconds) | 20:09 | |
*** MattN (4211be12@gateway/web/freenode/ip.66.17.190.18) has joined #wikid | 20:58 | |
MattN | hello again. what does a "0" mean in response to trying to create a new domain from a new client? the user is able to connect via port 80 using a straight telnet. any ideas? | 21:00 |
nowen | MattN: hmm. is there an anti-spyware solution keeping the token from writing to the drive? | 21:00 |
nowen | what OS? | 21:00 |
MattN | windows 7 | 21:01 |
nowen | and are they using the installer? | 21:01 |
MattN | yes the installer bundle and also tried the no install executable | 21:01 |
nowen | does it happen after the PIN prompt? | 21:02 |
MattN | before | 21:04 |
MattN | right after we try adding the domain. | 21:04 |
nowen | check the anti-virus, anti-spyware | 21:04 |
MattN | actually about an hour ago we were able to add the pin but we cancelled it | 21:04 |
nowen | huh | 21:05 |
nowen | deleted the domain? | 21:05 |
MattN | well it never got added | 21:05 |
MattN | when we try to add the domain it says connecting and throws 0 | 21:05 |
nowen | is there a wikidtoken.wkd file on the pc? | 21:06 |
nowen | are you on this pc or is this remote or are you on the phone? | 21:07 |
MattN | well i have remote session going on with him | 21:07 |
nowen | cool | 21:08 |
MattN | i can see his computer | 21:08 |
nowen | can you control it? | 21:08 |
MattN | i can have him do whatever i want pretty much | 21:08 |
MattN | what do you want me to check on his computer | 21:09 |
nowen | I'm wondering if he has some anti-spyware that is blocking the connection or preventing the token from saving the file | 21:09 |
MattN | so basically the connection to the gateway server is happening | 21:10 |
MattN | ? | 21:10 |
nowen | you see the traffic on your gateway? | 21:10 |
MattN | yeah | 21:10 |
MattN | i did tcpdump on his ip | 21:10 |
MattN | and i see the traffic | 21:10 |
nowen | is it just this user? | 21:10 |
MattN | no everybody in that network | 21:11 |
nowen | is this a remote office? | 21:11 |
MattN | : 16:03:21.610460 IP 192.168.237.101.arkivio > gtwlsb01.tcprod.local.http: S 557591423:557591423(0) win 65535 <mss 1260,nop,nop,sackOK> 16:03:21.610511 IP gtwlsb01.tcprod.local.http > 192.168.237.101.arkivio: S 3830385880:3830385880(0) ack 557591424 win 5840 <mss 1460,nop,nop,sackOK> 16:03:21.736432 IP 192.168.237.101.arkivio > gtwlsb01.tcprod.local.http: . ack 1 win 65535 16:03:27.735477 IP gtwlsb01.tcprod.local.http > 192.168.237.101.a | 21:12 |
MattN | tcpdump on the gateway | 21:12 |
MattN | gtwlsb is the gateway server | 21:13 |
nowen | do you see the server responding? | 21:13 |
MattN | i see the traffic coming to it on the http port | 21:13 |
MattN | if you look at the tcpdump that i sent you | 21:14 |
nowen | anything in the WiKIDAdmin logs? | 21:16 |
nowen | you might have to set the loggers to debug and have him run it again | 21:16 |
nowen | also, can the token client add this domain: 88888888888 | 21:17 |
nowen | that should be 12 8s | 21:17 |
MattN | ok | 21:17 |
MattN | the 888xxx is stuck on connecting | 21:19 |
MattN | which log filter i have to set to debug | 21:20 |
MattN | on gateway | 21:20 |
nowen | MattN: if you also can't add our domain, then it is probably something on the PC | 21:20 |
nowen | or something in the network locally? | 21:21 |
MattN | what logger file i have to set to debug | 21:21 |
MattN | i see 5 options | 21:21 |
MattN | some are set to warn and info | 21:21 |
nowen | com.wikidsystems, | 21:21 |
nowen | wclient and wauth | 21:22 |
MattN | ok | 21:23 |
MattN | trying linux client connection | 21:24 |
nowen | MattN: is this in production? testing? | 21:25 |
MattN | works in linux | 21:26 |
nowen | hmm, linux on the same network? | 21:26 |
MattN | yup | 21:27 |
nowen | the windows boxes must have anti-malware | 21:27 |
MattN | you were right | 21:27 |
MattN | looks like some IT policy on the antivirus that he cant turn off | 21:28 |
nowen | well, benefit of experience | 21:28 |
nowen | is this one of your offices? or a different company? | 21:28 |
MattN | our other branch | 21:28 |
MattN | thanks for your help though | 21:33 |
MattN | after disabling anti virus its working in windows too | 21:34 |
nowen | you think you can get it changed? | 21:34 |
nowen | what anti-virus is it | 21:34 |
nowen | ? | 21:34 |
MattN | nod32 | 21:34 |
nowen | just went through this with someone else | 21:35 |
MattN | they have to create some exception | 21:36 |
nowen | 1. Open NOD32. If it's not in advanced mode click "Toggle advanced mode" and answer yes to the prompt. 2. Click on "Enter entire advanced setup tree". 3. Navigate to Protocol Filtering and change the option to "Applications marked as Internet browsers and email clients" | 21:37 |
nowen | that maybe on the client side | 21:37 |
MattN | having him try that right now | 21:40 |
nowen | any luck? | 21:53 |
MattN | sorry | 21:56 |
MattN | he is trying now | 21:56 |
nowen | np | 21:57 |
MattN | he is not seeing "Applications marked as Internet browsers and email clients" | 22:00 |
MattN | although he did it for wikidtoken application in the list | 22:01 |
MattN | which application in particular | 22:02 |
nowen | c:/program files/wikidtoken/wikidtoken.jar i would think | 22:03 |
MattN | so he selected everything from protocol filtering in nod32 | 22:04 |
MattN | and still the same thing | 22:04 |
nowen | installing it now | 22:04 |
nowen | well, waiting for the download email now ;) | 22:07 |
MattN | its ok | 22:08 |
nowen | http://kb.eset.com/esetkb/index?page=content&actp=LIST_RECENT&id=SOLN560 | 22:12 |
nowen | that might help | 22:12 |
MattN | will try that | 22:12 |
MattN | right now i got him working on linux | 22:12 |
MattN | so he is good now | 22:13 |
MattN | thanks for your help though | 22:13 |
*** MattN has parted #wikid (None) | 22:13 | |
nowen | oh, ok | 22:13 |
nowen | cool | 22:13 |
nowen | i've got to head home | 22:23 |
*** nowen has parted #wikid (None) | 22:24 |
Generated by irclog2html.py 2.11.0 by Marius Gedminas - find it at mg.pov.lt!