*** WiKIDLogbot (~WiKIDLogb@ec2-174-129-6-100.compute-1.amazonaws.com) has joined #wikid | 15:27 | |
card.freenode.net | Topic for #wikid is: support for the WiKID Strong Authentication System. If no one is here, try the nabble forums: http://www.wikidsystems.com/support/support/wikid-forums | 15:27 |
card.freenode.net | Users on #wikid: WiKIDLogbot @nowen asofrank mick_laptop perestrelka | 15:27 |
*** flexyz (5551950e@gateway/web/freenode/ip.85.81.149.14) has joined #wikid | 20:25 | |
flexyz | hey | 20:25 |
nowen | hi | 20:25 |
flexyz | can I change port 443 to something else? I tried to modify server.xml but it didn't work | 20:26 |
nowen | what did you put in server.xml? | 20:26 |
flexyz | just another port instead of 443 like 843 | 20:27 |
nowen | that should work | 20:27 |
flexyz | doesn't :( It seems only to work with 443 | 20:28 |
nowen | here's ours: | 20:29 |
nowen | <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true" | 20:29 |
nowen | maxThreads="150" scheme="https" secure="true" | 20:29 |
nowen | keystorePass="changeit" keystoreFile="/ebs/opt/WiKID/conf/tomcatKeystore" keyAlias="tomcat" | 20:29 |
nowen | clientAuth="false" sslProtocol="TLS" /> | 20:29 |
flexyz | strange | 20:29 |
flexyz | well gotta try again then | 20:29 |
flexyz | should be changed in that file right | 20:30 |
nowen | /opt/WiKID/tomcat/conf/server.xml | 20:30 |
flexyz | yes that's where I changed it, weird but thanks just wanted to know if there was a trick | 20:32 |
nowen | is there an error? | 20:32 |
flexyz | not really but nothing listens to the port, tried other ports | 20:34 |
nowen | nothing in /opt/WiKID/tomcat/logs/catalina.out? | 20:41 |
*** flexyz has quit (Ping timeout: 258 seconds) | 20:51 | |
*** XaaS (ce705fb4@gateway/web/freenode/ip.206.112.95.180) has joined #wikid | 21:13 | |
XaaS | @nowen - do you have a moment? | 21:13 |
nowen | sure | 21:13 |
XaaS | having issues with the example.jsp page... had it working on a previous rebuild of the eval server | 21:13 |
XaaS | but it isn't working now | 21:13 |
nowen | did the example.jsp get over written? | 21:14 |
XaaS | changed the domain from 1270000000001 to the domain we are using | 21:14 |
XaaS | no | 21:14 |
XaaS | I backed up the original | 21:14 |
nowen | and the passphrase is correct? | 21:14 |
XaaS | using the passphrase for the localhost cert - not the Intermediate CA that WiKID issues | 21:14 |
XaaS | and I left the passphrase ChangeIt there | 21:15 |
XaaS | the one that Sun Java requires is still default | 21:15 |
nowen | and you've restarted WiKID? | 21:16 |
XaaS | yeup | 21:16 |
nowen | is there an error in the WiKIDAdmin logs? | 21:16 |
XaaS | actually there seems to be one - the localhost cert is invalid is what I think it says | 21:17 |
*** FlexyZ (5551950e@gateway/web/freenode/ip.85.81.149.14) has joined #wikid | 21:17 | |
XaaS | and I have recreated the cert several times from the gui | 21:17 |
XaaS | Getting you the error from the log right now | 21:17 |
nowen | hmm. Can you double check your passphrase from the command line: http://www.wikidsystems.com/support/wikid-support-center/troubleshooting-faq/how-do-i-know-if-my-certificate-is-valid | 21:18 |
XaaS | I think I have done this before - and it worked (I could see the contents of the keystore with the passphrase provided) | 21:18 |
nowen | are the dates correct on the server? | 21:20 |
XaaS | I can see the contents of both keystores - no errors - tried to change the passphrase to an incorrect one to see the results of a bad passphrase | 21:22 |
XaaS | the passphrases I am using for both intCAKeys.p12 and localhost.p12 are valid | 21:23 |
XaaS | The error com.wikidsystems.server.wAuth - Couldn't validate the client certificate. Verify the validity and dates of the client cert. | 21:24 |
XaaS | date of the WiKID Virtual Machine is syncing to the VMware host and that host is syncing via NTP to tick.usno.navy.mil | 21:25 |
XaaS | VMware Tools is installed on the WiKID Virtual Machine | 21:25 |
XaaS | The file that I am modifying is /opt/WiKID/tomcat/webapps/WiKIDAdmin/example.jsp | 21:27 |
XaaS | This is what I have in the example.jsp: | 21:29 |
XaaS | String defaultservercode = "065122132008"; String status = ""; String chall; wClient wc; if (session.getServletContext().getAttribute("wClient") == null) { wc = new wClient("127.0.0.1", 8388, Config.getValue("BASEPATH") + "private/localhost.p12", "xaassecret", Config.getValue("BASEPATH") + "private/CACertStore", "changeit"); | 21:30 |
nowen | hmm. looks ok to me | 21:32 |
nowen | did you back up the original to the same directory? | 21:34 |
*** FlexyZ has quit (Ping timeout: 258 seconds) | 21:35 | |
XaaS | yes | 21:36 |
nowen | ok - try running diff on the two files. maybe there is an extra character somewhere | 21:36 |
XaaS | can you tell anything from that error? - the error com.wikidsystems.server.wAuth - Couldn't validate the client certificate. Verify the validity and dates of the client cert. | 21:37 |
XaaS | hmm | 21:37 |
XaaS | [root@wikid WiKIDAdmin]# diff example.jsp example.jsp.org 45c45 < String defaultservercode = "065124132008"; --- > String defaultservercode = "127000000001"; 50c50 < wc = new wClient("127.0.0.1", 8388, Config.getValue("BASEPATH") + "private/localhost.p12", "xaassecret", --- > wc = new wClient("127.0.0.1", 8388, Config.getValue("BASEPATH") + "private/localhost.p12", "passphrase", | 21:38 |
nowen | well, that looks ok. | 21:39 |
XaaS | only looks like the changes I did are showing up | 21:39 |
XaaS | no "extra" characters are being picked up by diff | 21:39 |
nowen | so, when you say you created new certs did you create just a new localhost cert or both? | 21:40 |
XaaS | also getting a com.wikidsystems.client.wClient - ERROR: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown | 21:41 |
nowen | the logs are just saying that the cert isn't valid. typically, this is b/c of a typo in the file or a date issue | 21:42 |
XaaS | created intermediate csr - imported existing valid Intermediate CA cert - created localhost cert with IntCA passphrase and local passphrase | 21:42 |
nowen | it can also happen if the dates are wrong and the cert is no longer valid. | 21:43 |
nowen | hmm. | 21:43 |
XaaS | clock is correct | 21:43 |
nowen | is this a new server? | 21:43 |
XaaS | yes | 21:43 |
nowen | new ip or domain? | 21:43 |
XaaS | ip addresses, fqdn, and wikid domains are all the same | 21:44 |
nowen | ok - try this. run 'wikidctl stop' and then 'killall -9 java' and then 'wikidctl start' | 21:45 |
XaaS | I've seen that before on the forums! :) | 21:45 |
nowen | just to make sure that everything is being cleared. | 21:46 |
nowen | another idea: | 21:46 |
nowen | after you run wikidctl stop | 21:46 |
nowen | go into /opt/WiKID/tomcat/work | 21:46 |
nowen | and run 'rm -Rf *' < make sure you are in the right directory | 21:46 |
XaaS | [root@wikid WiKIDAdmin]# killall -9 java | 21:47 |
XaaS | java: no process killed | 21:47 |
nowen | that will force tomcat to rebuild the work directory | 21:47 |
XaaS | Are we to destroy the Catalina subdirectory in work then? | 21:48 |
nowen | yes | 21:48 |
XaaS | ok - just did it and did a wikidctl start | 21:50 |
nowen | and...? <fingers crossed> | 21:52 |
XaaS | Still "The wClient connection to the server was NOT successfully established " | 21:56 |
nowen | ok - I recommend you go ahead and create new intermediate and localhost cert | 21:57 |
XaaS | How do I recreate the local cert ? | 21:57 |
nowen | just through the WiKIDAdmin - see the Configuration page | 21:58 |
nowen | maybe that's all you need to do | 21:58 |
XaaS | OK - let me try that again | 21:59 |
nowen | If you create a new intermediate ca, you need to create a new localhost | 21:59 |
XaaS | nope | 22:00 |
*** FlexyZ (5551950e@gateway/web/freenode/ip.85.81.149.14) has joined #wikid | 22:00 | |
XaaS | I am going to blow away example.jsp and recopy from the original | 22:00 |
nowen | what did you do? | 22:00 |
nowen | I don't think it is example.jsp - I think it might be your certs | 22:01 |
XaaS | hmm | 22:04 |
XaaS | I blew away the example.jsp file and restored a copy from the original copy and then edited it, no joy. | 22:04 |
XaaS | so I guess you will need to reset wikid.secureaddres.com | 22:05 |
nowen | no problem | 22:05 |
XaaS | sorry wikid.secureaddress.com | 22:05 |
XaaS | and that is not for leaving the last s off for savings | 22:06 |
nowen | hehe | 22:06 |
nowen | done | 22:06 |
XaaS | <cool that you know the 1-800-MATTRES commercials> | 22:07 |
XaaS | the guys can't wait until this is all done | 22:10 |
nowen | same here! ;) | 22:10 |
XaaS | they have shown the token off to a few customers and interested partners - a lot of interest | 22:10 |
XaaS | Had to make the adjustments to the architecture to include multiple NPS servers which took a longer time to implement | 22:11 |
XaaS | @nowen - you da man! | 22:13 |
XaaS | it's working now! :) Yeay! :) | 22:13 |
nowen | Great! | 22:14 |
XaaS | can you point me to the way to create sub-admin accounts to provide the ability to compartmentalize the ability to manage wikid domains? | 22:14 |
nowen | I suspect it was something with signing request. you can move certs in general | 22:15 |
XaaS | what's the best way to move certs - keep the cert issued by the CA in a notepad or backup the file?? | 22:15 |
nowen | you can just copy the contents of /opt/WiKID/private to the new server. | 22:16 |
XaaS | oh ok! that's easy | 22:16 |
nowen | but it is no issue for us to delete the existing cert | 22:16 |
XaaS | I installed webmin on the VM. I will get SAMBA or FTP or something going to make it easy to work on it for the ops guys | 22:17 |
XaaS | so, can you point me to the way to create sub-admin accounts to provide the ability to compartmentalize the ability to manage wikid domains? | 22:18 |
nowen | hmm. I worry about that because a vulnerability in webmin would put the WiKID server at risk | 22:18 |
nowen | well, currently that is all via the API | 22:18 |
XaaS | can you point me to the article on how to create the accounts? | 22:18 |
nowen | there are only Admin accounts on the WiKID server. So what you would have to do is create an app that used your existing account system that supported the WiKID API | 22:19 |
nowen | so, the admin would log in to your app then be able to re-enable a user, etc | 22:20 |
nowen | how are your admins authenticated now? | 22:21 |
XaaS | so, I can't create a example-like.jsp page that can create a sub-admin account? | 22:21 |
XaaS | admins are using l/p | 22:22 |
XaaS | no 2fa yet | 22:22 |
XaaS | all systems are tied to IP address filters | 22:22 |
XaaS | we do have Active Directory for most everything however | 22:22 |
nowen | The example.jsp is protected by the WIKIDAdmin security realm. You would need to create new realms if you wanted to do that on tomcat | 22:23 |
XaaS | so we are talking using Linux security with Tomcat to create user accounts that can be used to manage WiKID via a modified example.jsp file with limited capabilities? | 22:25 |
nowen | you could do it that way. or you could check out the C# api package and do it on windows | 22:26 |
XaaS | where is that? | 22:27 |
nowen | http://www.wikidsystems.com/downloads/network-clients | 22:28 |
XaaS | I have been looking here for it - http://www.wikidsystems.com/support/wikid-support-center/manual | 22:28 |
XaaS | Have you seen anyone do the ASP AD integration? Do you know if it is available without having to code? | 22:30 |
nowen | that code was contributed by someone who was using it. You may or may not have to code to get it running. There should be an example file just like the example.jsp page in that package. if you handle the auth to that page you should be able to edit it to do what you want. | 22:32 |
XaaS | OK - I will fire up IIS to see what damage I can do | 22:33 |
nowen | hehe | 22:33 |
nowen | have at it | 22:33 |
XaaS | So long and thanks for all the fish! :) | 22:33 |
nowen | later | 22:34 |
nowen | come back and let me know how it goes | 22:34 |
XaaS | I will - you can be sure | 22:34 |
XaaS | I think it would be good if WiKID had more tools for Windows Admins to be able to manage the environment more than just the web GUI and the API | 22:35 |
nowen | yeah, I hear you | 22:35 |
nowen | I think we need to address the *asS market and see what it needs | 22:35 |
XaaS | Correct - that multi-tenancy will go a long way to address that market | 22:37 |
XaaS | especially being able to support multiple devices supporting multiple wikid domains | 22:37 |
*** XaaS has quit (Quit: Page closed) | 22:41 | |
FlexyZ | nowen - remember I had problems starting admin on another port | 22:41 |
nowen | yes | 22:46 |
FlexyZ | must be local iptables | 22:47 |
FlexyZ | blocking | 22:47 |
nowen | ? | 22:47 |
nowen | you mean selinux? | 22:47 |
nowen | ? | 22:47 |
FlexyZ | is there a local firewall? | 22:47 |
FlexyZ | when i change port to "843" for admin instead of "443" - is not working, no errors in log | 22:48 |
FlexyZ | must be local firewall not permitting? | 22:48 |
nowen | try 8443 | 22:48 |
FlexyZ | same | 22:48 |
nowen | run 'sestatus' | 22:48 |
nowen | and see if selinux is enabled | 22:49 |
FlexyZ | it is | 22:49 |
nowen | ok that's probably it | 22:49 |
nowen | you can run setenforce to disable it temporarily | 22:50 |
FlexyZ | how do I accept port 8443 | 22:50 |
nowen | take a look at http://wiki.centos.org/HowTos/SELinux | 22:51 |
FlexyZ | alright thx | 22:52 |
nowen | I gotta run | 22:58 |
*** nowen has quit (Quit: Leaving.) | 22:59 | |
*** FlexyZ has quit (Quit: Page closed) | 23:32 |
Generated by irclog2html.py 2.11.0 by Marius Gedminas - find it at mg.pov.lt!