As a follow-up to my post “Adding a SSL Certificate to a Vykon AX Web Supervisor”: the way WorkPlace N4 web supervisors import a certificate is slightly different. Mainly, the key needs to be in an unencrypted RSA format, which was tripping me up. If you need to do this, first read that prior post; the only real change is in exporting your key, for which you use this command:
openssl pkcs12 -in CertExport.pfx -nocerts -nodes -passin pass:YourPassword | openssl rsa -out key.pem
You will find the key will be exported and now has an “RSA” tag in the headers. Follow the same instructions from the other post to make your pem file (key, cert, intermediate, root) and it should import into an N4 supervisor just fine.
Recently we changed out a bunch of rarely used training PCs, Dell Inspiron 1501s, for newer models. The Dells were definitely past their prime but I’d hate to throw them out since they all looked good and had almost no wear. From previous memory and hard drive upgrades I had a stack of DDR2 memory and some decent mechanical drives, so I decided to upgrade all of them as much as possible and find an OS that would run on them.
The best I could muster was 1.5Gb of RAM each and some 160Gb 7200 RPM drives. After a quick search it looked like Ubuntu 14 was my best bet (16 has a 2Gb memory minimum). I created an Ubuntu 14 USB drive using Universal USB Installer (http://www.pendrivelinux.com/universal-usb-installer-easy-as-1-2-3/), hooked up the ethernet cord, and booted it. At the install screen I selected the option to download updates and also to install third party software. Little did I know that third party software checkbox was going to cause me lots of headaches.
Turns out some firmware for the Broadcom cards is installed by that option, which renders the wired and wireless connections in these laptops dead. After lots and lots of searching I found someone who had posted how to remove it. Unfortunately their steps didn’t work for me, but eventually I found ones that did.
Before I fixed the wireless/wired issue I found that these machines freeze during a shutdown or reboot. Some searching for that issue led me to here http://askubuntu.com/questions/523638/why-does-ubuntu-freeze-during-reboot-14-04-lts and editing the grub config file (CTRL+ALT+T for terminal) with:
sudo gedit /etc/default/grub
And changing these two lines as listed:
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash reboot=acpi"
Once that’s fixed, run the following to remove the current Broadcom stuff, which doesn’t seem to work on this model (or others around the same vintage):
sudo apt-get remove --purge bcmwl-kernel-source
Reboot and the wired connection should be working again. It might not reboot because the above grub changes aren’t yet in effect, so let it sit for a minute on the shutdown screen, then hard power it off and back on. Now get the firmware for the wireless card and then reboot again:
sudo apt-get install firmware-b43-installer
sudo apt-get install linux-firmware-nonfree
Now both the wired and wireless should work. And I have decent working Ubuntu machines that we can give to someone’s kids to mash on instead of throwing them in the garbage.
Recently I was on a quest to disable the Dropbox program from running on company owned (domain joined) machines. There were lots of hacks to make it work but finally I found a solution, although it was worded relatively cryptically, on Experts Exchange by a McKnife (http://tinyurl.com/gr3f9ar). Long story short you can use Software Restriction Policies (https://technet.microsoft.com/en-us/library/bb457006.aspx) to do this but his solution was more elegant as it blocked Dropbox programs based on the certificate used to sign them as opposed to the file path or things that might change often. This not only blocks the Dropbox program if it’s already installed but also prevents a user from installing it in the first place. Here is my expanded version of his instructions.
First download the Dropbox installer. Right click it and select Properties then go to Digital Signatures. Select the first one (SHA1) and click “Details”. Click “View Certificate” then the Details tab then “Copy to File…”. This lets you export out the certificate. Click Next then “Base-64 encoded X.509 (.CER)” and next again. Save the certificate as something like “Dropbox SHA1 Cert.CER”. Once that one is exported repeat the procedure for the SHA256 certificate.
Once you have both certificates, open up Group Policy Management and, if you already have a software restrictions policy, edit it. If not, I suggest you create a new one. Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Software Restriction Policies -> Additional Rules. Right click and create a “New Certificate Rule”. Browse for the SHA cert and make sure the Security Level is set to Disallow. Give it a description such as “Dropbox SHA Certificate”. When you click OK, if you didn’t have any certificate rules before, it will prompt you to turn them on and display the “Enforcement Properties” page. At the bottom select “Enforce certificate rules”, then click “OK”. Repeat for the SHA256 certificate.
Once GPO updates Dropbox will no longer start and executing the exe or installer directly will give you a nice error message:
Side note: Once this policy is in place you will also not be able to uninstall Dropbox since the same certificate is being used on the uninstall. Keep that in mind…you would have to disable enforcing certificates temporarily to get it uninstalled.
A couple years ago I helped set up an SSL certificate for an AX Supervisor, a product that is usually used as a web interface front end to an automation product called a JACE. The software was installed on a Microsoft Server 2008 R2 system and was serving up the information through a B2B VPN, and the other company, even though the traffic was “internal”, requested an SSL. No biggie, I thought, I’ve installed SSLs many times. So I installed the certificate on the server, but the AX software didn’t see it. I went into the software’s platform and into the Certificate Management section to import a certificate. It only accepted pem files, so I converted my Windows certificate over, but it didn’t like that either. So I started reading the only guide I could find on the subject, titled “NiagaraAX SSL Connectivity Guide”. Ironically it has page after page of how an SSL works and how to generate a self-signed certificate, then export it out and import it onto all of the computers accessing the system, but nothing on importing an existing certificate as a pem file. Long story short, the way an AX Supervisor wants the pem is to have it include the key, the certificate, the intermediate certificate, and the root certificate, in that order, all in one file. So for the 9 people in the universe that will actually need to do this sometime in their life and can’t figure it out, here is what I had to do.
First I downloaded the Windows 32 bit binaries of OpenSSL ( from https://slproweb.com/products/Win32OpenSSL.html ) and installed them. I copied my pfx file that I exported out of my server (with key/password) and put it in the same directory as openssl.exe (the bin folder usually). I opened up a command prompt, navigated to the bin directory, and ran the first command to get my private key:
openssl pkcs12 -in CertExport.pfx -nocerts -nodes -out key.pem
Then another command to export out my certificate:
openssl pkcs12 -in CertExport.pfx -nokeys -out cert.pem
I now needed my intermediate and root certificates, which, since I was using GoDaddy, were downloadable from their site ( https://certs.godaddy.com/repository ). I imagine it’s the same for any other certificate authority. I created a new text file and first took the contents of the key.pem file (minus the headers, keeping the begin and end tags), then followed it with the contents of my cert.pem file (again no headers), then, and this is important, followed those with the intermediate then the root. I saved this as MYFullCert.pem and that imported right in without an issue. I was then able to use that for both the Platform SSL certificate and for the Station’s WebService certificate. Rebooted the server and everything looked good.
Note: This applies to AX 3.7. I have found the certificate will not import into 3.8 using the same instructions. What does work, however, is importing it into 3.7 then exporting it out. The exported file appears to have an extra line added, which does work on 3.8.
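The hand-assembly described above (and the N4 variant in the follow-up post) can be scripted. This is an added example, not code from the original posts: it strips everything outside the begin/end tags, joins key, cert, intermediate and root in that order, and rejects a key that is still encrypted or, with the assumed n4=True switch, not in the “RSA PRIVATE KEY” form. The function names and the sample blocks are made up for illustration.

```python
import re

# One PEM block: BEGIN line, optional headers plus base64 body, END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

def pem_blocks(text):
    """Return [(label, block)], dropping text outside the BEGIN/END tags
    (for example the 'Bag Attributes' lines that openssl pkcs12 writes)."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]

def build_bundle(key_pem, cert_pem, intermediate_pem, root_pem, n4=False):
    """Join key, cert, intermediate and root in that order.
    n4=True also requires the 'RSA PRIVATE KEY' form of the key."""
    keys = pem_blocks(key_pem)
    if len(keys) != 1:
        raise ValueError("expected exactly one block in the key file")
    label, key_block = keys[0]
    if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in key_block:
        raise ValueError("key is still passphrase-protected")
    if label not in ("RSA PRIVATE KEY", "PRIVATE KEY"):
        raise ValueError("not a private key: " + label)
    if n4 and label != "RSA PRIVATE KEY":
        raise ValueError("N4 import needs the 'RSA PRIVATE KEY' form")
    parts = [key_block]
    for name, text in (("cert", cert_pem), ("intermediate", intermediate_pem),
                       ("root", root_pem)):
        certs = [b for lbl, b in pem_blocks(text) if lbl == "CERTIFICATE"]
        if not certs:
            raise ValueError(name + ": no CERTIFICATE block found")
        parts.extend(certs)
    return "\n".join(parts) + "\n"

def sample_pem(label, body, preamble=""):
    """Constructed sample block: placeholder base64, not real key material."""
    return "%s-----BEGIN %s-----\n%s\n-----END %s-----\n" % (
        preamble, label, body, label)

SAMPLE_KEY = sample_pem("RSA PRIVATE KEY", "S0VZ",
                        "Bag Attributes\n    friendlyName: constructed\n")
SAMPLE_PKCS8_KEY = sample_pem("PRIVATE KEY", "S0VZ")
SAMPLE_CERT = sample_pem("CERTIFICATE", "TEVBRg==", "subject=/CN=constructed\n")
SAMPLE_INTERMEDIATE = sample_pem("CERTIFICATE", "SU5U")
SAMPLE_ROOT = sample_pem("CERTIFICATE", "Uk9PVA==")

if __name__ == "__main__":
    print(build_bundle(SAMPLE_KEY, SAMPLE_CERT, SAMPLE_INTERMEDIATE,
                       SAMPLE_ROOT, n4=True))
```

On OpenSSL 3.x, openssl rsa writes a “PRIVATE KEY” block unless -traditional is given, which is the case the n4 check catches. The resulting file holds an unencrypted private key, so restrict its file permissions and delete it once the import is done.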
So something I was recently tasked with was finding a “cloud” service for our technicians to easily share files with each other. We also have multiple people using things like DropBox, Google Drive, Microsoft’s OneDrive, etc. with our company’s data and no way to really secure it, which is a problem. So I started looking into business versions of these services and what I found was they were ridiculously expensive.
And that’s kinda where it stopped. It just didn’t make sense for a company that already has its own server infrastructure. To that end I decided to do it in house and started researching alternatives, of which I found two main ones, ownCloud and Pydio. I did some beta tests with both and in the end found that Pydio’s overall interface was the winner: Fast, “pretty”, and pretty intuitive. The problem was that getting it to run on Server 2012 R2 / IIS 8.5 was not easy, and none of the guides online had everything needed to get it to function. So long story short, after a couple days of playing I wrote my own, which is now posted on the Pydio website:
Hopefully if someone else is looking for a DIY cloud storage system it will help them out.
Update: I have been asked by multiple people to upload my web.config files for the root and public directories as the copy and paste from the tutorial aren’t working real good. Here they are: WebConfigRoot WebConfigPublic
Also the guide as a PDF: Installing Pydio on Windows Server 2012 R2