*** vladdy has quit (*.net *.split) | 05:21 | |
*** joevano has quit (*.net *.split) | 05:21 | |
*** vladdy (~vladdy@194.242.5.47) has joined #wikid | 05:22 | |
*** joevano (~joevano@bzflag/developer/JoeVano) has joined #wikid | 05:22 | |
*** R\Peaceman has quit (Ping timeout: 250 seconds) | 13:19 | |
*** nowen (~nowen@adsl-74-176-163-56.asm.bellsouth.net) has joined #wikid | 14:17 | |
*** autodata (cdcd1c11@gateway/web/freenode/ip.205.205.28.17) has joined #wikid | 15:46 | |
autodata | hi nowen, how are you? | 15:47 |
nowen | fine | 15:47 |
nowen | how does it? | 15:47 |
nowen | or goes it? | 15:47 |
autodata | I installed the ISO, I still can't access the WiKID admin page, again, it says it failed to connect to the DB.. :( | 15:48 |
nowen | ok | 15:48 |
autodata | SEVERE: Exception opening database connection | 15:48 |
autodata | org.postgresql.util.PSQLException: FATAL: role "tomcat" does not exist | 15:49 |
autodata | but tomcat is there | 15:49 |
nowen | what version is this? | 15:49 |
autodata | java version "1.6.0" | 15:50 |
nowen | sorry- what version of WiKID? | 15:50 |
autodata | How I can tell? | 15:51 |
nowen | run 'rpm -qa | grep wikid | 15:51 |
nowen | ' | 15:51 |
nowen | and it will tell you which version of enterprise you have installed | 15:52 |
autodata | wikid-server-enterprise-3.4.87.b1216-1 | 15:52 |
nowen | ok cook | 15:52 |
nowen | cool | 15:52 |
autodata | wikid-utilities-3.0.9-1 | 15:52 |
nowen | run 'wikidctl stop' | 15:52 |
nowen | and then 'service postgresql start | 15:52 |
nowen | ' | 15:52 |
autodata | it seems it starts OK | 15:53 |
nowen | did you setup replication? | 15:54 |
autodata | start wikid again? | 15:54 |
autodata | no | 15:54 |
nowen | yes, go ahead and start wikid | 15:54 |
autodata | yeap, it starts OK, let me try the admin page | 15:55 |
autodata | hmm, it is still failed: | 15:55 |
autodata | The requested resource () is not available. | 15:55 |
nowen | is that in catalina.out? | 15:56 |
autodata | check | 15:56 |
nowen | can you paste the whole error in http://pastebin.org | 15:56 |
autodata | ok | 15:56 |
autodata | submitted the errors | 15:58 |
autodata | can you see it? | 15:58 |
nowen | and then post the new url here | 15:58 |
autodata | http://172.16.130.18/WiKIDAdmin/ | 15:58 |
nowen | no, I mean the pastebin url. after you submit, it redirects you to a new url, where I can see it | 15:59 |
autodata | I have changed the server's hostname to sth other than localhost | 15:59 |
nowen | did you set it when you ran wikidctl setup? | 15:59 |
autodata | I didn't run that | 16:00 |
nowen | ahh | 16:00 |
nowen | that's the issue | 16:00 |
autodata | oh.. | 16:00 |
autodata | Shall I stop all: wikid and DB, and run that? | 16:01 |
nowen | run that and re-run start | 16:01 |
nowen | setup will stop everything | 16:01 |
autodata | ok | 16:01 |
autodata | port 80 has no response from that server | 16:04 |
autodata | wait, have to start the wikid | 16:05 |
autodata | same error, going to post that error to you | 16:07 |
nowen | I can't even get to http://172.16.130.18/WiKIDAdmin/ | 16:09 |
autodata | http://pastebin.com/9NczzKq1 | 16:09 |
autodata | above is error report | 16:09 |
autodata | no it is still on the LAN | 16:10 |
nowen | can you run ' /opt/WiKID/conf/templates/wikid-firstboot.sh' | 16:11 |
autodata | this is for? | 16:12 |
nowen | it sets up the server - copies files to right place, etc. It should have run when you rebooted after install | 16:13 |
autodata | Updating PostgreSQL configuration files for use with WiKID ... | 16:13 |
autodata | I'll reboot now | 16:13 |
nowen | you don't have to | 16:13 |
nowen | just try to restart | 16:13 |
nowen | wikid restart, that is | 16:13 |
autodata | ok | 16:13 |
autodata | catalina log still shows: | 16:15 |
autodata | org.postgresql.util.PSQLException: FATAL: role "tomcat" does not exist | 16:15 |
nowen | hmm | 16:15 |
autodata | I'll be back | 16:16 |
nowen | ok | 16:16 |
nowen | autodata: I think the best bet is to start from scratch. Something went wrong in the install and it would be best to have a clean base | 16:25 |
autodata | my question, 1. do you use apache, or only tomcat | 16:41 |
nowen | only tomcat | 16:41 |
autodata | 2. after clean install, can I set up the hostname with wikid setup? | 16:41 |
autodata | in other words, set up the network settings through wikid setup? | 16:42 |
autodata | instead of setup from the Linux | 16:42 |
nowen | yes | 16:42 |
autodata | 3. do I have to join this server to our domain controller? | 16:42 |
autodata | this is important one | 16:43 |
nowen | 3. no | 16:43 |
autodata | oh.. ok | 16:43 |
autodata | so follow up the instruction of, sorry can you give me the link again? | 16:43 |
nowen | just stay here and let me walk you through it | 16:44 |
nowen | http://www.wikidsystems.com/support/wikid-support-center/manual/how-to-install-the-wikid-strong-authentication-server/referencemanual-all-pages | 16:45 |
autodata | yes, but this is not for ISO | 16:45 |
nowen | once you reboot after the install, all you need to do is login with root/wikid and then follow these | 16:47 |
autodata | ok, give me a sec, I want to start, have to install the sperehost first | 16:47 |
autodata | thx | 16:48 |
nowen | np | 16:50 |
autodata | ok, start loading DVD for ISO now | 17:00 |
nowen | ok | 17:01 |
autodata | hi nowen, what is Use interface sit0? I don't need it, right? | 17:13 |
nowen | correct, you don't need it. it is some virtual interface | 17:13 |
autodata | oh, ok, thx | 17:14 |
autodata | basic setup is completed, I'll run wikid start now | 17:16 |
nowen | ok | 17:17 |
autodata | it's done, then system prompts that the DB is not configured, asking to run load_db.sh | 17:18 |
nowen | hmm | 17:18 |
nowen | that may not be a problem | 17:19 |
nowen | did wikid start? | 17:19 |
autodata | it asks to run /opt/WiKID/sbin/load_db.sh | 17:19 |
autodata | shall I run it? | 17:19 |
nowen | go ahead and run it | 17:19 |
autodata | yes. wikid starts successfully | 17:20 |
nowen | if you can login as admin, then no need to run load_db | 17:20 |
nowen | what type of environment is this? | 17:20 |
autodata | VM | 17:20 |
nowen | VMware? | 17:20 |
autodata | yes | 17:21 |
autodata | I have run it already | 17:21 |
autodata | Hi nowen, I tried admin page, it ends up with the same error | 17:22 |
nowen | ok, stop WiKID and run the load_db script | 17:22 |
nowen | when you setup the server in vmware, what OS did you specify? | 17:23 |
autodata | CentOS, it's our standard | 17:23 |
nowen | 32 bit? | 17:23 |
autodata | 64 bit | 17:24 |
nowen | our iso is 32 bit | 17:24 |
autodata | but now it is replaced by ISO, right? | 17:24 |
nowen | you want centos/rhel 32 bit | 17:25 |
autodata | with ISO install, it erased all contents from the VMware | 17:25 |
nowen | right, but then when you create the vm, you have to tell vmware what type of iso it is, right? | 17:25 |
autodata | now the bit length is | 17:26 |
autodata | Linux ln-co-vpnauth1.london.autodata.net 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44 EDT 2010 i686 i686 i386 GNU/Linux | 17:26 |
autodata | 32 bit | 17:26 |
autodata | yes, but do you think it matters? 32-bit can run on a 64-bit platform | 17:27 |
nowen | I'm not sure what is going on. | 17:28 |
nowen | try running the load_db.sh script | 17:28 |
autodata | just did it, and run wikid start again, now I check the catalina log | 17:28 |
autodata | Hey nowen, finally I can login to the admin page, there is no error in tomcat log | 17:32 |
nowen | nice! | 17:36 |
autodata | hey nowen, sorry to bug you again, I generated the CSR, and pasted it to install the intermediate cert. but once I click submit, there is no system prompt saying the cert is installed successfully | 17:59 |
autodata | did I do anything wrong? | 17:59 |
nowen | did you get the pop up window? | 18:00 |
autodata | no | 18:00 |
autodata | I might need IE instead of FF | 18:00 |
nowen | no | 18:00 |
nowen | you never, ever need IE! ;) | 18:00 |
autodata | ok | 18:00 |
nowen | there is a link to a pop-up window on the page that has the CSR | 18:01 |
autodata | Go to Install Intermediate Certificate function when you receive your cert. | 18:01 |
autodata | this is the link I get | 18:01 |
nowen | above the box | 18:01 |
autodata | https://ca.wikidsystems.com/wikid/newcertreq.jsp | 18:01 |
nowen | yes | 18:02 |
autodata | so yes, the Wikid inter cert is generated, I will receive the email, I guess? | 18:03 |
nowen | it should be presented in that same page | 18:03 |
nowen | but I can forward it to you too | 18:04 |
autodata | ok, saw that | 18:04 |
nowen | on its way | 18:04 |
autodata | thx, so that means I get the only inter cert? | 18:05 |
autodata | then what shall I do? | 18:05 |
nowen | you paste into the install page | 18:05 |
nowen | Install Intermediate Certificate | 18:05 |
autodata | ok | 18:06 |
nowen | then create the localhost cert | 18:07 |
autodata | ok, it's installed, now go for localhost | 18:08 |
autodata | nowen, what is this? | 18:09 |
autodata | Client PKCS12 Passphrase | 18:09 |
autodata | is it something I need to make it? | 18:09 |
nowen | it is the passphrase that protects the localhost cert | 18:10 |
nowen | it is required | 18:10 |
autodata | so it is different than the one for inter cert? | 18:10 |
nowen | it is different, but you can use the same one if you like. | 18:10 |
autodata | ok, then what is this: Server Keystore Passphrase? | 18:11 |
nowen | that is the passphrase used to secure the intermediate CA | 18:11 |
nowen | you use that when you start the server | 18:11 |
autodata | so this is the separate one | 18:11 |
nowen | correct | 18:12 |
nowen | i'm scheduled to go give blood. | 18:14 |
nowen | I should be back in an hour | 18:14 |
*** nowen has quit (Quit: Leaving.) | 18:15 | |
autodata | sure, thx | 18:16 |
*** nowen (~nowen@adsl-74-176-163-56.asm.bellsouth.net) has joined #wikid | 19:07 | |
nowen | autodata: how goes it? | 19:07 |
autodata | Hi nowen: I'm confused at this point after installing the cert. | 19:37 |
nowen | ok - so you installed the cert and created the localhost | 19:37 |
nowen | did you enable radius as a protocol? | 19:38 |
autodata | So what shall I do for the next, I'd like to integrate our LDAP to the WIKID | 19:38 |
nowen | why ldap? | 19:38 |
nowen | or: what are you trying to add two-factor authentication to? | 19:39 |
autodata | well, this is where I'm confused, how does this work? I know I will set up the authentication server, but I should also integrate the LDAP so that we can serve the users | 19:47 |
nowen | are you protecting a VPN? | 19:47 |
autodata | yes for sure | 19:47 |
nowen | so, you want to validate that the users are in AD and do two-factor auth. The answer is to use radius. | 19:48 |
autodata | yes, I have Cisco ACS as the RADIUS server, is that OK? | 19:49 |
nowen | sure | 19:49 |
nowen | the cisco ACS can probably do lots of cool stuff | 19:50 |
autodata | So WIKID only serve as the authentication server? | 19:50 |
nowen | correct | 19:50 |
autodata | How do I start then, I am in the cloud ... | 19:51 |
nowen | so, the way most people do this is to have the cisco talk radius to AD via the MS radius plugin, NPS | 19:51 |
nowen | NPS then proxies the auth request to WiKID | 19:51 |
autodata | I don't understand why we have to use NPS? ACS should do all the tasks? | 19:52 |
nowen | it might | 19:52 |
nowen | I don't know | 19:52 |
nowen | can ACS check AD and then send a radius request to WiKID? | 19:52 |
autodata | check... | 19:53 |
autodata | not 100% sure yet, but what is the authentication process, I want to make it clear so that I can check | 19:56 |
autodata | so the client first try to login through VPN, then it gets through to the ACS for authentication? | 19:57 |
nowen | yes, in my suggestion: VPN >> ACS >> AD/NPS >> WiKID | 19:58 |
nowen | or if you can chain it, then VPN >> ACS >> AD >> ACS >> WiKID | 19:58 |
autodata | so from NPS to WiKID, that is the second factor of authentication? | 19:58 |
nowen | no, that is different. That is possession of private key embedded in the token and knowledge of the PIN | 19:59 |
nowen | that process check occurs before login. The user logs in with their username and a WiKID OTP | 20:00 |
autodata | so first of all, user login VPN with username and OTP, and this get processed in WiKID | 20:01 |
nowen | no, they log in with their username and OTP and the username is authorized by AD, then the username/OTP pair is authenticated by WiKID | 20:02 |
autodata | how to get the OTP ? | 20:03 |
nowen | via one of our token clients | 20:03 |
autodata | oh.. | 20:03 |
autodata | So Wikid server has to be accessible through the Internet? | 20:05 |
nowen | yes, port 80 | 20:05 |
autodata | Do you have the detailed doc explaining how to set up the RADIUS proxy, so it can send the request to WiKID? | 20:06 |
nowen | for NPS, yes | 20:07 |
nowen | it is not detailed, though. for details, you would need to talk to Cisco or MS | 20:07 |
autodata | and the whole 2 factor process flow chart | 20:07 |
nowen | I don't have a flowchart | 20:08 |
nowen | other than: VPN >> ACS >> AD/NPS >> WiKID | 20:08 |
autodata | sure, I'd like to know the work process for this 2 factor authentication, because it is not that clear to me now | 20:08 |
autodata | for example, what exactly does NPS do to WiKID? | 20:09 |
autodata | send username and OTP pair to WiKID? | 20:10 |
nowen | NPS is a radius server like ACS. It will validate that the user is active in AD and if so proxy the request to WiKID | 20:10 |
nowen | yes | 20:10 |
nowen | http://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-add-two-factor-authentication-to-nps | 20:10 |
autodata | So in your standard architecture, it looks like this chain: | 20:15 |
autodata | VPN --> NPS --> WiKid | 20:15 |
nowen | that is the way a lot of our customers do it | 20:16 |
nowen | but not all have an ACS | 20:16 |
autodata | This doc helps a bit, it says: | 20:16 |
autodata | your VPN or application is a RADIUS client to NPS and NPS is a RADIUS server to the VPN/application. In turn, WiKID is a RADIUS server to NPS and NPS is a Network Client to WiKID. | 20:16 |
autodata | so that makes sense | 20:17 |
autodata | I probably will use ACS to replace the NPS | 20:17 |
nowen | sure | 20:25 |
autodata | Hi nowen, with this architecture, it seems I have to enable the RADIUS in the WiKID server? | 20:31 |
nowen | correct | 20:31 |
autodata | ok, thx | 20:31 |
nowen | I recommend you enable radius, but not ldap. ldap uses a lot of memory | 20:31 |
autodata | oh | 20:31 |
autodata | any service should be always enabled on localhost, not the IP. right? | 20:39 |
nowen | you mean, like radius on the WiKID server? | 20:41 |
autodata | yes | 20:45 |
nowen | yes, those services run on the localhost | 20:45 |
autodata | ok | 20:45 |
autodata | nowen, about the link you sent to me:How to add two-factor authentication to NPS | 20:47 |
nowen | yes? | 20:47 |
autodata | there are 3 IPs that appear: | 20:47 |
autodata | one is the VPN server: 192.168.1.10 | 20:47 |
autodata | second one is WIKID server 192.168.1.200 | 20:48 |
autodata | I don't get the third one, what is that IP for? 192.168.1.100? | 20:48 |
autodata | it says it is NASIPv4Address, why do we need this one, I thought the WiKID address should be sufficient | 20:50 |
nowen | I think that is a typo. should be .10 | 20:51 |
autodata | haha... that makes sense then... | 20:52 |
autodata | Hey nowen, my last one for today, what proper token clients should I use? | 21:03 |
nowen | you can use any of them. if your server is on the lan, though, your smartphone tokens will need to be too | 21:03 |
autodata | any reason I have to use smartphone token? This is just for VPN client | 21:05 |
nowen | up to you. some people like the fact that it is not on the same device as the vpn client | 21:05 |
autodata | oh, OK, I guess that can be tested later on | 21:06 |
nowen | the PC token is quite nice for testing | 21:06 |
autodata | is this the one you mentioned? | 21:08 |
autodata | wikidtoken-3.1.21-bundle-installer.exe - Windows WiKID software token installer (28 meg) | 21:08 |
nowen | yes | 21:08 |
autodata | cool, I'll start from this one. | 21:08 |
autodata | thanks for the help today nowen. I will continue on my ACS test first | 21:09 |
nowen | good luck! | 21:09 |
autodata | thanks again | 21:09 |
nowen | no problem! | 21:09 |
*** autodata has quit (Ping timeout: 245 seconds) | 21:20 | |
nowen | time for me to check out. later | 22:17 |
*** nowen has quit (Quit: Leaving.) | 22:17 |