did I mess up with multiple certificates? - active-directory

I'm quite confused :S
Scenario:
I'm trying to add a certificate to my domain servername.com.
I created an Active Directory server (DC) with ad.servername.com and cms.servername.com for the Alfresco page.
As far as I know, because it's the Alfresco bundle, it already has a Tomcat with Java and an Alfresco certificate configured (expires 2112).
Then I generated my own .cer with Microsoft Certificate Services for "servername.com" and imported it into my Java keystore (alfresco/java/jre/lib/security/cacert); it expires in 2014.
Later I decided to try a free trial third-party CA, startssl.com, and generated one for "servername.com", but they asked me to put an alternative name, so I put cms.servername.com, and I also imported it into my alfresco/java keystore (expires 2013).
Now, whenever I open https://servername:8443/myApp or https://cms.servername:8443, the browser shows it is using the Alfresco certificate. Did I mess up with the certificates, or is Java (or something else) just selecting the certificate with the older expiry date?

Hi, did you put the right certificates and keys etc. in the right directory?
Like alf_data/keystore, and in the Tomcat config the 8443 connector points to the Alfresco keys.
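To find out which certificate the 8443 connector really presents, rather than inferring it from keystore contents, here is an added check in Python; it is not code from the question or from Alfresco. servername.com, cms.servername.com and port 8443 are the question's values; SAMPLE_CERT is a constructed stand-in in the layout getpeercert() returns.

```python
import socket
import ssl
import time

# Names the question expects the Tomcat connector on 8443 to answer for.
EXPECTED_HOSTS = ("servername.com", "cms.servername.com")

def fetch_served_cert(host, port=8443, timeout=5):
    """Return (cert_dict, None) for the leaf cert the server sends, or (None, reason)
    if it does not chain to a trusted CA. Hostname checking is off so a name mismatch
    still yields the cert; trust checking stays on because getpeercert() is {} for an
    unverified peer, so a bundled self-signed cert shows up as the reason string."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.getpeercert(), None
    except ssl.SSLCertVerificationError as exc:
        return None, exc.verify_message

def names_in_cert(cert):
    """DNS subjectAltNames first, then the subject CN (the order clients honour)."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    names += [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names

def host_matches(host, pattern):
    """Exact match, or a single leading '*.' that covers exactly one label."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return host == pattern

def diagnose(cert, expected_hosts=EXPECTED_HOSTS, now=None):
    """Which expected names the cert covers and whole days until notAfter.
    `now` is epoch seconds, injectable so the result is reproducible."""
    now = time.time() if now is None else now
    names = names_in_cert(cert)
    return {
        "names": names,
        "covers": {h: any(host_matches(h, n) for n in names) for h in expected_hosts},
        "days_left": int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400),
    }

# Constructed sample standing in for the StartSSL certificate the question
# describes (CN servername.com, SAN cms.servername.com, expiring in 2013).
SAMPLE_CERT = {
    "subject": ((("commonName", "servername.com"),),),
    "subjectAltName": (("DNS", "cms.servername.com"),),
    "notAfter": "Jun 30 00:00:00 2013 GMT",
}
```

Run it against the live connector with `diagnose(fetch_served_cert("servername.com")[0])`. If the bundled certificate is what comes back, look at the keystoreFile and keyAlias of the 8443 connector in Tomcat's server.xml: a certificate imported into the JRE's cacerts trust store is never served by Tomcat.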

Related

gcloud cli app engine domain mapping error

I am trying to get multiple microservices to run on a single App Engine of a single project. I am following this official documentation from GCP:
https://cloud.google.com/appengine/docs/standard/python3/mapping-custom-domains
When I try to create a wildcard mapping like this:
gcloud app domain-mappings create '*.example.com'
so that GCP backend engines can match the request accordingly:
[VERSION_ID].[SERVICE_ID].example.com
I get the following error:
ERROR: (gcloud.app.domain-mappings.create) INVALID_ARGUMENT: A managed certificate cannot be created on a wildcard domain mapping. Set `ssl_management_type` to `MANUAL` and retry the domain mapping creation. You can manually create an SSL certificate with `AuthorizedCertificates.CREATE` and map it to this domain mapping with `AuthorizedCertificates.UPDATE`.
Could anyone help with this?
It looks like by default the command attempts to configure managed SSL certificates, which aren't compatible with wildcard domain mappings. From Wildcard mappings:
**Note**: Wildcard mappings are not supported for managed SSL certificates.
As the error message suggests you can disable that with an option. From gcloud beta app domain-mappings create:
--certificate-management=CERTIFICATE_MANAGEMENT
Type of certificate management. 'automatic' will provision an SSL
certificate automatically while 'manual' requires the user to provide
a certificate id to provision. CERTIFICATE_MANAGEMENT must be one
of: automatic, manual.
So just try instead:
gcloud app domain-mappings create '*.example.com' --certificate-management=manual
I see a discrepancy: the error message mentions the ssl_management_type option while the doc page shows certificate-management. Try both if needed - it may be just an error or it may be a renamed option (which may or may not still be supported under the hood).
Of course, if you want SSL, you'd have to manage the SSL certificate(s) yourself (maybe using the --certificate-id option, documented on the same page?). In that case also check out the related Google App Engine custom subdomain mapping for a specific version for potential implications of variable domain nesting.

Sitecore Active Directory Module

Currently we have our Active Directory (LDAP) domain controller defined in the ConnectionStrings.config file. Is it possible to configure a second domain controller, as a fail-over option?
For example, recently Domain Controller 1 failed, and I had to manually change the connection string to point to Domain Controller 2, but the website was generating errors in the meantime (several hours of downtime).
We are running Sitecore version 6.5
(Sitecore.NET 6.5.0 (rev. 120706) )
No, it's not possible to configure a fail-over partner.
You could put a loadbalancer in between the two domain controllers.
You could actually do that. There are options with the AD module that allow for connecting to multiple domains and/or using multiple providers. All pipelines in Sitecore are extendable, so there's nothing to stop you from setting this up. You could easily do some custom coding to catch exceptions during login and switch to a different provider. The trick is just doing the custom coding.

AppHarbor - Same SQL Server in more than one application

I am using the variables to configure the same "connection string" between two applications, since both access the same database of users.
Can I set the same SQL Server (Nano 10GB) in more than one application to use transformation for web.config?
This is not currently possible, since there is no way to have the connection string injected into applications other than the one that has the add-on provisioned. Feel free to add this as a feedback suggestion.
It is possible, but requires some legwork. Basically you need to have one app with a known location (URL is fine) that the others can ask for the Connection String. The hard part is doing it securely enough. I'm partway there...
I've rigged up a system where you have a password that both of your apps know in AppSettings, and then have the Secondary Website send a Public Key to the Primary Website with the password, which then encodes the connection string and sends it back.
The password CAN be injected by AppHarbor when it does a deploy, and the connection string is also set up on the deploy. Ideally you'd use SSL, but I don't have that set up and it makes life hard when working locally.
Proof Of Concept: https://bitbucket.org/Rangoric/database-coordination/overview
It does work, just start both of the website projects in there, and go to http://localhost:4002/Database and you will see what is in the connection String of the Primary website.
EDIT: I just realized that since you can piggyback the SSL Cert of appharbor with the free subdomain they give you, you can use that URL for added security if you don't have your own SSL cert.

Redirect Loop Problem for Web Policy Agent?

I followed the installation guide for an Apache Web Policy Agent, but it always results in an endless redirect loop between web and application server. Firefox says "The page isn't redirecting properly" and Chrome thinks that "This webpage has a redirect loop". The setup is an Apache 2 on port 80 with a small demo app and a Web Policy Agent, and a Tomcat 7 server on port 8080 with an OpenAM server (the former OpenSSO from Sun):
App URL http://hostname.example.com:80/ (App and Agent, running on Apache 2.2.16)
OpenAM Server URL http://hostname.example.com:8080/openam (running on Tomcat 7.0.12)
The Live HTTP Header Firefox plugin shows that the policy agent and the OpenAM server (i.e. the Apache and Tomcat servers) redirect to each other, although the server sets the SSO Token Cookie correctly. The name of the SSO Token Cookie has the default value "iPlanetDirectoryPro". Any idea how to solve the problem?
After a whole week I finally figured it out, with the help of Stackoverflow and the OpenAM Mailing list. There were two main problems: missing log files and missing cookie domains. Installing the OpenAM server and the Web Policy Agent is difficult, there are a lot of log files and many different configuration options. If you select the wrong options, it won't work. It is impossible to make it work without knowing what is going on, which can only be determined by a suitable log file.
Missing Log for Web Policy Agent: The log level must be set in the "Java properties" files. There are two "Java Properties" files for the Web Policy Agent, OpenSSOAgentBootstrap.properties and OpenSSOAgentConfiguration.properties. The log and debug level, which is named com.sun.identity.agents.config.debug.level, can and must be defined in both (!) files, and it should be set to the high level, all:4 or all:5. The format is important. Even if you do this, the AgentConfiguration.properties file is only used when the agent is not working in centralized config mode. The profile must be set to "local".
Missing Cookie Domain: Do not forget to enter the right Cookie Domain during the setup of the OpenAM server in the beginning, or add it afterwards if it is missing. On the OpenAM server, go to Configuration > System > Platform and change the Cookie Domain value to your domain (for instance .example.com) if it is missing. Otherwise the browser will lose your cookie during the redirect process. Somehow I had an empty entry for the cookie domain at the OpenAM server; I guess I forgot a dot (example.com instead of .example.com) so that it was invalid (or something like that).
This troubleshooting site was helpful to locate the problem.
#0x4a6f4672, your post was absolutely helpful. Some more to add to your answer. The following changes are what I had to do in the config to make it run, at least getting it running for Alfresco.
com.sun.identity.agents.config.user.mapping.mode=USER_ID (Don't use HTTP_HEADER)
com.sun.identity.agents.config.user.attribute.name=uid
com.sun.identity.agents.config.user.principal=true (Don't use false)
com.sun.identity.agents.config.user.token=SsoUserHeader (Keep it as per what is specified in your application; in my case Alfresco)
Now that you are running the Agent in local mode rather than centralised mode, the setting specified for the profile attribute can only be set via the property file, so add the following.
com.sun.identity.agents.config.profile.attribute.fetch.mode=HTTP_HEADER
com.sun.identity.agents.config.profile.attribute.mapping[uid]=SsoUserHeader (whatever you want the header to arrive in the browser as)
As told by 0x4a6f4672, it is difficult to debug unless you are in local mode, so switch to local mode immediately, start tracing the logs and make the property changes accordingly.
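The two answers above list the agent properties that had to be right before the redirect loop went away; here is an added Python lint (not from the answers, OpenAM or the agent) that checks a pair of OpenSSOAgentBootstrap/OpenSSOAgentConfiguration.properties files for those settings and checks a cookie-domain value for the leading dot the answer describes. The sample property excerpts are constructed from the values the answers give.

```python
# Keys and values the two answers above settle on for local-mode operation.
DEBUG_KEY = "com.sun.identity.agents.config.debug.level"
MAPPING_PREFIX = "com.sun.identity.agents.config.profile.attribute.mapping["
REQUIRED = {
    "com.sun.identity.agents.config.user.mapping.mode": ("USER_ID",),
    "com.sun.identity.agents.config.user.principal": ("true",),
    "com.sun.identity.agents.config.profile.attribute.fetch.mode": ("HTTP_HEADER",),
}

def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!":
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def cookie_domain_ok(value):
    """Cookie domain as the answer describes it: leading dot, at least two labels."""
    value = (value or "").strip()
    return value.startswith(".") and value.count(".") >= 2 and not value.endswith(".")

def lint_agent_config(bootstrap_text, configuration_text):
    """Findings for the two agent files: debug level must be in both, the rest
    lives in the Configuration file (only read when the agent runs in local mode)."""
    boot, conf = parse_properties(bootstrap_text), parse_properties(configuration_text)
    findings = []
    for label, props in (("Bootstrap", boot), ("Configuration", conf)):
        level = props.get(DEBUG_KEY)
        if level not in ("all:4", "all:5"):
            findings.append(f"{label}: {DEBUG_KEY}={level!r}, want all:4 or all:5")
    for key, allowed in REQUIRED.items():
        if conf.get(key) not in allowed:
            findings.append(f"Configuration: {key}={conf.get(key)!r}, want {allowed}")
    if not any(k.startswith(MAPPING_PREFIX) for k in conf):
        findings.append("Configuration: no profile.attribute.mapping[...] entry")
    return findings

# Constructed excerpts matching the settings listed in the answers.
GOOD_BOOTSTRAP = "com.sun.identity.agents.config.debug.level=all:5\n"
GOOD_CONFIGURATION = """\
com.sun.identity.agents.config.debug.level=all:5
com.sun.identity.agents.config.user.mapping.mode=USER_ID
com.sun.identity.agents.config.user.attribute.name=uid
com.sun.identity.agents.config.user.principal=true
com.sun.identity.agents.config.user.token=SsoUserHeader
com.sun.identity.agents.config.profile.attribute.fetch.mode=HTTP_HEADER
com.sun.identity.agents.config.profile.attribute.mapping[uid]=SsoUserHeader
"""
```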

Issue certificate for a PKCS#10 CSR without Cert template. 0x80094801 MS W2K3 enterprise CA

We have an MS Enterprise 2003 CA. I am trying to issue a certificate for a PKCS#10 CSR which is generated without a certificate template. I am getting the following error:
The request contains no certificate template information. 0x80094801 (-2146875391) Denied by Policy Module 0x80094801, The request does not contain a certificate template extension or the Certificate template request attribute
Is there a workaround to enhance the interoperability of our CA so that we can issue certificates for CSRs without a certificate template?
There is a post by MS (see HERE). It does not point to any solution, even though they talk about a resolution. This article discusses some web interface. Can you please shed some light on this web interface?
Thanks
Raj
I found the solution for my query.
certreq allows you to issue certificates for a PKCS#10 request without templates. Templates, including custom templates, can be specified according to the security policies of the Enterprise 2003 CA.
Please see below for the syntax:
certreq -submit -attrib "CertificateTemplate:<Template Name>" <CertificateRequest.req>
More information on this can be found on MS TechNet.
Thanks
Raj