*** vladdy has quit (Read error: Operation timed out) | 08:00 | |
*** vladdy (~vladdy@194.242.5.47) has joined #wikid | 08:10 | |
*** nowen (~nowen@adsl-74-176-163-56.asm.bellsouth.net) has joined #wikid | 12:42 | |
laszlof | morning nick | 13:07 |
nowen | morning | 13:07 |
laszlof | still not able to get a token client registered on the beta server :( | 13:08 |
nowen | hmm | 13:09 |
laszlof | I see the traffic hitting it with tcpdump on 443 | 13:09 |
laszlof | but it's kicking back an error | 13:09 |
nowen | what's the error? | 13:09 |
laszlof | The domainID X@X is not available on this server | 13:10 |
laszlof | something similar in the logs in the wikid admin | 13:10 |
nowen | hmm | 13:10 |
laszlof | how do you enable debug logging in the admin? | 13:10 |
nowen | not there yet | 13:10 |
laszlof | anything from command line? | 13:10 |
nowen | you can look in /var/WiKID/logs | 13:11 |
laszlof | yeah, just the same error I see in the admin | 13:11 |
laszlof | ==> server.log <== | 13:12 |
laszlof | 2012-05-31 13:11:54,583 WARN [RestToken:initToken] - [{}] New token registration initialized | 13:12 |
laszlof | 2012-05-31 13:11:54,611 WARN [RestToken:initToken] - [{}] Token client requested invalid Domain ID: client@wikid.franksworld.org | 13:12 |
laszlof | you know what | 13:13 |
laszlof | i think I know what it is | 13:13 |
laszlof | standby | 13:13 |
laszlof | hah, yeah | 13:13 |
nowen | ? | 13:13 |
laszlof | "Domain Name" shouldn't be called "Domain Name" | 13:13 |
laszlof | it should be called "Unique Identifier" | 13:14 |
laszlof | I tried "wikid.franksworld.org@wikid.franksworld.org" for the domain ID | 13:14 |
laszlof | and it worked | 13:14 |
nowen | ahh | 13:14 |
laszlof | is there an API function to create a domain? | 13:18 |
laszlof | create/edit/delete | 13:18 |
nowen | to be honest, I'm not sure of the status of the api, but it should all be there. | 13:19 |
laszlof | downloading of client keystores also doesn't work | 13:24 |
nowen | yeah, it's probably too early to play with this. | 13:25 |
laszlof | apparently :) | 13:25 |
nowen | well, the real problem is that we have had to circle back and do some work on 3.x | 13:25 |
nowen | so, I have a bunch of 3.x machines up for testing etc and nothing up for this | 13:26 |
laszlof | can you wipe my CA again for 3.x | 13:44 |
nowen | yes | 13:47 |
nowen | done | 13:47 |
laszlof | thanks | 13:48 |
nowen | brb - haircut time | 13:49 |
laszlof | I'm gettin good at these reinstalls | 13:51 |
nowen | ;_ | 14:17 |
nowen | :) | 14:17 |
laszlof | Hey nick, any chance you could get one of your devs to send me a 100% updated version of http://www.wikidsystems.com/support/wikid-support-center/manual/wikid-network-client-wclient-api-manual/referencemanual-all-pages | 14:33 |
nowen | I can update it, but I think the only thing missing is the delete a device function | 14:35 |
laszlof | I was looking for stuff for creating a domain | 14:37 |
nowen | oh | 14:37 |
nowen | did I say that was possible? | 14:37 |
laszlof | I think you said "it should be in there" | 14:38 |
laszlof | but didn't really confirm/deny it | 14:38 |
nowen | hmm, because I don't think it should be. | 14:38 |
laszlof | I didn't see it in the doc, but it's going to be something I need for this project. | 14:39 |
nowen | we'll have to think about that - I'm not sure a network client, which requires a domain to exist can create a domain | 14:40 |
laszlof | Yeah, didn't think about that. Can't create a new network client without assigning it to a domain | 14:42 |
laszlof | I mean, I suppose I could create a network client for each "client". But I'd rather have a single client to do all tasks | 14:42 |
laszlof | might need some custom coding on the wikid server itself to handle it either way | 14:43 |
laszlof | maybe some kind of "global" network client that has the ability to create domains | 14:43 |
laszlof | I can't think of any other way to handle it other than having a separate domain for each user on the site | 14:44 |
laszlof | in fact, I'm pretty sure it's going to have to work that way, to avoid both username conflicts and userA being able to login to userB's resources using their token | 14:45 |
nowen | yeah | 14:46 |
laszlof | I'm building the API class right now that will interface with wikid. I can use that both on my main website, and also for the client side API I plan on using | 14:48 |
*** Troy (4b47ae94@gateway/web/freenode/ip.75.71.174.148) has joined #wikid | 14:55 | |
nowen | hey Troy | 14:55 |
nowen | sorry for the issues | 14:55 |
nowen | Can you tell me what the application that is accessing the DB is doing? | 14:56 |
Troy | no problem | 14:56 |
Troy | i'm trying to find that information out | 14:56 |
nowen | and is this on a VM? | 14:57 |
Troy | that is from that connection showing the messages log? | 14:57 |
nowen | yeah, and the fact that it was only registrations | 14:58 |
nowen | smells like a db error | 14:58 |
Troy | yes.. it's on a VM | 15:00 |
Troy | hold a sec.. trying to find out more information from the db admins | 15:00 |
Troy | i know we have some backend processing to keep users provisioned correctly in WiKID | 15:01 |
nowen | I got an email from Carlos Andonaegui asking about accessing the db, if that helps | 15:03 |
Troy | ok.. i'll investigate a bit because I don't think that server should be making connections to the db | 15:06 |
nowen | and I wonder if there is some connection to the registration process | 15:07 |
Troy | FYI.. the DNS failover check is now changed to port 80 instead of 8388 | 15:09 |
Troy | the cert validation error will vanish | 15:09 |
nowen | cool, that should cut the log size :) | 15:10 |
Troy | yes.. that was annoying | 15:10 |
*** Mark_ (470e15da@gateway/web/freenode/ip.71.14.21.218) has joined #wikid | 15:17 | |
Mark_ | hi Troy and Nick | 15:17 |
nowen | hi | 15:18 |
Troy | Hi Mark | 15:19 |
nowen | so it does look like if you hit the 'submit PIN' button more than once you get that error | 15:19 |
nowen | but it didn't lock up my server | 15:20 |
Mark_ | I know I missed some of this conversation; any suggestions on our end | 15:53 |
Mark_ | to determine why it locked us up? | 15:53 |
nowen | Mark_: it seems like a database issue. | 15:54 |
nowen | that's why I wanted to find out what the app that is accessing the database is trying to do | 15:54 |
nowen | carlos indicated it had something to do with AD and so I wondered if it also had something to do with registration | 15:55 |
*** Mark_ has quit (Ping timeout: 245 seconds) | 15:58 | |
*** Mark_ (470e15da@gateway/web/freenode/ip.71.14.21.218) has joined #wikid | 17:03 | |
Mark_ | okay i am back | 17:03 |
nowen | any word on that app? | 17:03 |
Mark_ | okay the only app we have accessing the DB | 17:05 |
Mark_ | does not come from the server that crashed it before | 17:05 |
Mark_ | we are not sure why that server is accessing our wikid server | 17:05 |
Mark_ | but | 17:05 |
Mark_ | the app allows our HD personnel to enable or disable a user from AD without accessing wikid | 17:07 |
Mark_ | doing some testing; if I drop I will be back | 17:11 |
nowen | ok | 17:12 |
*** Mark_ has quit (Ping timeout: 245 seconds) | 17:18 | |
Troy | Mark is telling me that when he hits the submit pin button multiple times it creates multiple domain names for the same domain | 17:30 |
Troy | he is also telling me that the only DB manipulation that Carlos did was for Russ's tool | 17:33 |
nowen | yeah, the extra IP hitting the db is a possibility - also a big security question mark | 17:33 |
nowen | we can do some work on the token to make sure the user doesn't submit the pin twice | 17:34 |
Troy | ok | 17:39 |
nowen | that shouldn't cause a lock up though | 17:40 |
Troy | yea.. Mark hasn't been able to get it to lock it up yet | 17:49 |
nowen | yes, it is a tricky little bugger | 17:52 |
*** Mark_ (470e15da@gateway/web/freenode/ip.71.14.21.218) has joined #wikid | 18:04 | |
Mark_ | okay | 18:04 |
nowen | find something? | 18:04 |
Mark_ | no | 18:05 |
Mark_ | unable to reproduce on test | 18:05 |
Mark_ | got plenty of the 08 errors | 18:05 |
Mark_ | but never got it to freeze up | 18:05 |
nowen | 08 errors? | 18:05 |
nowen | duplicate devices? | 18:05 |
Mark_ | Pin has already been established for this device | 18:06 |
nowen | gotcha | 18:06 |
Mark_ | talked to our programmer | 18:06 |
Mark_ | he stated the only ties to the database were for the tool that allows our HD to enable or disable accounts | 18:06 |
Mark_ | nothing on the registration | 18:07 |
nowen | were there any of those just before the freeze? | 18:07 |
Mark_ | no they are not using the tool yet | 18:08 |
nowen | ok | 18:08 |
nowen | what about the extra IP hitting the DB? | 18:08 |
Mark_ | no idea why it is hitting it but I do not think it showed up during this last issue | 18:08 |
nowen | yeah, that's true. | 18:09 |
nowen | you should track it down just for security | 18:09 |
nowen | and/or block it at the fw | 18:09 |
Mark_ | we are | 18:09 |
Mark_ | verifying if access is needed | 18:09 |
nowen | ok | 18:10 |
nowen | I am running more stress tests on replicated servers running 3.4.87 b1216 | 18:10 |
Mark_ | so no smoking guns in the logs we sent you | 18:10 |
nowen | no, but still looking | 18:11 |
nowen | Mark_: can you or Troy run 'rpm -qa | grep postgres' for me | 18:47 |
Troy | yes. hold a sec | 18:57 |
nowen | ok | 18:59 |
Troy | -bash-3.2$ sudo rpm -qa | grep postgres postgresql-jdbc-8.1.407-1jpp.4 postgresql-libs-8.1.23-1.el5_6.1 postgresql-server-8.1.23-1.el5_6.1 postgresql-pl-8.1.23-1.el5_6.1 postgresql84-libs-8.4.7-1.el5_6.1 postgresql-python-8.1.23-1.el5_6.1 postgresql-8.1.23-1.el5_6.1 | 18:59 |
*** Troy_ (4b47ae94@gateway/web/freenode/ip.75.71.174.148) has joined #wikid | 19:44 | |
*** Troy has quit (Ping timeout: 245 seconds) | 19:46 | |
Mark_ | any updates? | 19:48 |
nowen | still banging away. I have upgraded to the same postgres version as you | 19:49 |
Mark_ | okay | 19:56 |
nowen | Mark_: Troy_ are there any yum updates to do? | 20:13 |
nowen | especially for postgres? | 20:17 |
Troy_ | I have not checked for updates yet.. I can have Steve check as I don't think I have the rights to run yum | 20:37 |
nowen | it's ok | 20:38 |
nowen | i have a bit more testing to do | 20:38 |
Troy_ | while you test, we can look at updating the lab servers | 20:41 |
nowen | ok | 20:42 |
*** axisys (~axisys@unaffiliated/axisys) has joined #wikid | 20:43 | |
axisys | is there any hardware token that comes with wikid 20 seat license? | 20:44 |
axisys | we are currently using rsa for two factor auth | 20:44 |
nowen | axisys: sorry no hardware tokens at al | 20:45 |
nowen | l | 20:45 |
nowen | axisys: sorry to hear that ;) | 20:46 |
axisys | nowen: :-) | 20:46 |
axisys | nowen: the software token works with linux as well or is it OS agnostic ? | 20:47 |
nowen | linux, mac, windows | 20:47 |
axisys | cool! | 20:47 |
nowen | iphone, android, win mobitle | 20:47 |
nowen | mobile | 20:47 |
axisys | hmm.. sounds like java app ? | 20:48 |
axisys | cool | 20:48 |
nowen | blackberry if you still have any of those | 20:48 |
axisys | lol | 20:48 |
nowen | yes, java gets all that | 20:48 |
axisys | i have blackberry jelly only :-( | 20:48 |
nowen | again, I am sorry for you ;) | 20:48 |
axisys | anyways.. so I guess I will need to evaluate a little.. | 20:49 |
nowen | sure, download and install it | 20:49 |
axisys | i see there is a virtual box iso .. nice | 20:49 |
joevano | axisys: we just implemented to replace hardware tokens... works great | 20:49 |
axisys | we use rsa securid server and use its radius auth .. wikid has something similar? | 20:51 |
nowen | yep, radius | 20:51 |
axisys | ok | 20:51 |
axisys | rsa uses a proprietary radius built by juniper | 20:52 |
nowen | your testing should be easy - just use radius to push some people to wikid instead | 20:52 |
axisys | nowen: is it opensource? | 20:52 |
nowen | we have two versions | 20:52 |
nowen | http://www.wikidsystems.com/community-version/front-page/support/wikid-support-center/faq/whats-the-difference-between-the-community-release-and-enterprise-release/?searchterm=what%20is%20the%20difference | 20:53 |
nowen | if you are using radius, Enterprise | 20:53 |
axisys | we have thousands of accounts and rsa backend is oracle.. i am guessing your app can handle it too and only depend on the hardware and memory to back it ? | 20:55 |
nowen | how many tokens do you have? | 20:55 |
nowen | thousands? | 20:56 |
axisys | I have to estimate.. | 20:56 |
axisys | I would say may be 10000+ ?! | 20:56 |
nowen | that should be fine | 20:56 |
nowen | you can split them across servers if you like | 20:57 |
axisys | cool! how about failover and sync between servers.. | 20:57 |
nowen | currently it is master/slave. we are working on a version that would be master-master with real-time replication | 20:57 |
axisys | ok.. we point to two different appliances .. and they are always in sync .. so that would be something we will be interested in | 20:58 |
nowen | what is your time frame? | 20:59 |
axisys | for a start I can live without it. I will probably be the one setting them up and initially we may start with a small list of accounts | 20:59 |
axisys | so I have no info on time frame | 21:00 |
axisys | but.. my manager will ask one thing.. | 21:00 |
axisys | why would I pick wikid over RSA .. besides the cost (I am only assuming cost is a win factor with wikid) | 21:01 |
nowen | it is. I would say that it is a more elegant solution. we use asymmetric keys generated on the devices, so there are no seeds here for the Chinese | 21:01 |
nowen | each user can have more than one token without sharing more secrets | 21:02 |
nowen | and each server can handle multiple WiKID domains | 21:02 |
nowen | I think you will find the server a breeze compared to RSA | 21:02 |
nowen | we can validate an ssl cert for the end user http://www.wikidsystems.com/learn-more/technology/mutual_authentication | 21:03 |
nowen | and users can reg themselves: http://www.wikidsystems.com/support/wikid-support-center/installation-how-tos/how-to-let-users-add-themselves-using-ad-credentials | 21:04 |
nowen | and we have an api that is pretty simple to use | 21:04 |
axisys | i am already excited.. hehe.. downloading your iso | 21:05 |
axisys | so when the account gets locked can the user go to an internal site to unlock it, or do they need to install a client to talk to some api ? | 21:06 |
nowen | ok - do you want long docs with pictures or short without? | 21:06 |
axisys | nowen: I usually read complete docs.. (loser ;-) ) | 21:07 |
axisys | nowen: so long doc with picture would be perfect | 21:07 |
nowen | http://www.wikidsystems.com/support/wikid-support-center/manual/how-to-install-the-wikid-strong-authentication-server | 21:07 |
nowen | I won | 21:07 |
*** Mark_ has quit (Ping timeout: 245 seconds) | 21:07 | |
nowen | 't send you an email | 21:08 |
nowen | irc is better any way ;) | 21:08 |
axisys | email is fine too | 21:08 |
nowen | mine is nowen@wikidsystems.com if I am not here | 21:08 |
axisys | noted | 21:08 |
nowen | I got yours from the web form ;) | 21:09 |
axisys | cool! | 21:09 |
axisys | gotta run.. but i will give it a whirl soon | 21:09 |
nowen | ok - enjoy | 21:09 |
Troy_ | @nowen There is an update to PostgreSQL that will bring us to 8-1.23-4 from 8-1.23.1 | 21:17 |
nowen | yeah, hold on a sec | 21:17 |
Troy_ | Should we try installing this update in our lab env? | 21:17 |
nowen | I just replicated a freeze under your current version | 21:17 |
nowen | I'm upgrading to .4 to see if it fixes it | 21:17 |
nowen | you can certainly test the upgrade in the lab | 21:18 |
Troy_ | ok.. we'll give the upgrade a whirl | 21:19 |
*** Mark_ (470e15da@gateway/web/freenode/ip.71.14.21.218) has joined #wikid | 21:25 | |
Mark_ | hello | 21:26 |
nowen | hi | 21:26 |
Mark_ | can you tell us how you replicated it? | 21:27 |
nowen | using our stress tester | 21:27 |
nowen | but otherwise, no. it didn't happen before | 21:27 |
Mark_ | ok | 21:28 |
Mark_ | do you know what caused the issue | 21:29 |
nowen | still can't pinpoint that. | 21:29 |
Mark_ | ok | 22:14 |
Mark_ | calling it a day will see you tomorrow | 22:42 |
*** wtfnom (~wtfnom@66.150.156.1) has joined #wikid | 22:43 | |
wtfnom | hey nick | 22:43 |
wtfnom | you there? | 22:43 |
laszlof | om nom nom nom | 22:43 |
wtfnom | :-P | 22:44 |
*** Mark_ has quit (Ping timeout: 245 seconds) | 22:47 | |
*** Troy_ has parted #wikid (None) | 23:05 | |
nowen | wtfnom: sorta | 23:17 |
nowen | hosting an owasp meeting here | 23:17 |
*** nowen is now known as nowen_away | 23:23 | |
wtfnom | If i want to host the wikid server on a public IP address, from what I'm reading online, the only port I need to open up to the internet is port 80? | 23:28 |
nowen_away | wtfnom: correct | 23:40 |
nowen_away | and you can proxy it too if you want | 23:40 |
Generated by irclog2html.py 2.11.0 by Marius Gedminas - find it at mg.pov.lt!