Creating an easy to deploy SSL certificate in PEM format

When ordering a secure certificate, most often one has to deal with the following files:

  • certificate key file (aka private key): .key
  • certificate request file: .csr
  • primary certificate file (issued by the CA): .crt
  • certificate chain (aka intermediate certificate, or sf bundle): sf_bundle.crt

As a result, when deploying to a web server, it is normally necessary to configure three files: the key, the cert, and the trust chain. However, a little-known fact is that these can be combined into a single .pem file that holds all three. Optionally, the trusted root certificate may be included as well. Here is how:

  • download your certificates (your_domain_name.crt) from your NewPush Customer Portal.
  • paste the entire body of each certificate one by one into one text file in the following order:
    • domain.key
    • domain.crt
    • sf_bundle.crt

    Make sure to include the beginning and end tags on each certificate. The result should look like this:

    -----BEGIN RSA PRIVATE KEY-----
    ...
    -----END RSA PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----

The number of

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

sections will depend on the length of the certificate trust chain.
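The following is an added example, not part of the original article: a small Python checker for a combined PEM file of the kind described above. It confirms that every BEGIN tag has a matching END tag with the same label, that each body decodes as base64, that the private key comes first and is followed by at least one certificate, and it reports how many CERTIFICATE sections the chain contains. The sample bundles at the bottom are constructed with placeholder bodies, not real key material.

```python
"""Structural check of a combined key + certificate chain PEM file.

Added example, not from the original article. It validates the layout
described above (private key first, then the domain certificate, then
the chain) and counts the CERTIFICATE sections. The sample bundles at
the bottom are constructed with placeholder bodies, not real keys.
"""
import base64
import re

BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
END_RE = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")
KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def parse_blocks(text: str):
    """Return ([(label, der_bytes), ...], [problem, ...]) for a PEM file."""
    blocks, problems = [], []
    label, body = None, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        begin, end = BEGIN_RE.match(line), END_RE.match(line)
        if begin:
            if label is not None:
                problems.append(f"line {lineno}: BEGIN {begin.group(1)} before END {label}")
            label, body = begin.group(1), []
        elif end:
            if label is None:
                problems.append(f"line {lineno}: END {end.group(1)} without a BEGIN")
            elif end.group(1) != label:
                problems.append(f"line {lineno}: END {end.group(1)} closes BEGIN {label}")
            else:
                try:  # binascii.Error is a subclass of ValueError
                    blocks.append((label, base64.b64decode("".join(body), validate=True)))
                except ValueError:
                    problems.append(f"line {lineno}: body of {label} is not valid base64")
            label, body = None, []
        elif label is not None:
            body.append(line)
        else:
            problems.append(f"line {lineno}: text outside any block: {line[:40]!r}")
    if label is not None:
        problems.append(f"BEGIN {label} has no END tag")
    return blocks, problems


def check_bundle(text: str) -> dict:
    """Validate the key-then-certificates layout and count the chain sections."""
    blocks, problems = parse_blocks(text)
    labels = [label for label, _ in blocks]
    certs = labels.count("CERTIFICATE")
    if not labels:
        problems.append("no PEM blocks found")
    else:
        if labels[0] not in KEY_LABELS:
            problems.append(f"first block is {labels[0]}, expected the private key")
        if any(label in KEY_LABELS for label in labels[1:]):
            problems.append("a private key appears after the first block")
        if certs == 0:
            problems.append("no CERTIFICATE block follows the key")
    return {"labels": labels, "certificates": certs, "ok": not problems, "problems": problems}


def _block(label: str, payload: bytes) -> str:
    """Wrap constructed placeholder bytes as a PEM block (sample data only)."""
    return f"-----BEGIN {label}-----\n{base64.b64encode(payload).decode()}\n-----END {label}-----\n"


# Constructed sample: key, domain certificate, two intermediates (a chain of 3 certs).
GOOD_BUNDLE = (_block("RSA PRIVATE KEY", b"placeholder key") + _block("CERTIFICATE", b"domain cert")
               + _block("CERTIFICATE", b"intermediate 1") + _block("CERTIFICATE", b"intermediate 2"))

# Constructed broken sample: certificate first, a mislabelled END tag, and a missing END tag.
BAD_BUNDLE = (_block("CERTIFICATE", b"domain cert")
              + "-----BEGIN RSA PRIVATE KEY-----\ncGxhY2Vob2xkZXI=\n-----END CERTIFICATE-----\n"
              + "-----BEGIN CERTIFICATE-----\naW50ZXJtZWRpYXRl\n")

if __name__ == "__main__":
    for name, bundle in (("good", GOOD_BUNDLE), ("bad", BAD_BUNDLE)):
        print(name, check_bundle(bundle))
```

Run it on a real bundle with `check_bundle(open("domain.pem").read())`; a result whose `ok` is false lists the line numbers of the offending tags, which is usually a pasted-over BEGIN or END line.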


What is the difference between site to site and mobile VPN?

For most businesses, there are two types of VPN that apply:

  • site to site VPN: this is used to link sites, such as your office and the data center,
  • mobile VPN: this is used to link mobile or home users to a corporate site, or a data center.

The mobile VPN to your office is typically free; you just need to pay a one-time setup fee and sometimes an extra license fee, depending on the vendor. If your firewall is based on pfSense, there are no extra license fees.

The site to site VPN is typically priced on a per channel basis, to cover our bandwidth and virtual port costs on the terminating firewall in the data center. This is optional, and you can decide to sign up for that service once there is a clear business case for it.


Install Packages on OpenBSD 4.x and OpenBSD 5.x

To install binary packages on OpenBSD, the package manager needs to have the correct download URL. This URL changes based on OpenBSD version and architecture. Here is how to set it so that it follows the running release and architecture automatically:

export PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/$(uname -r)/packages/$(machine -a)/

Once that is done, the pkg_add command will work. In fact all pkg_* commands will work.


Domino 8.5 SSL Key Import Into Keyring File

Domino Server SSL Key Import

By default, the SSL key order process in the Domino Administrator assumes that only single-domain certificates are used. Hence, when you have a multi-domain UCC or a wildcard certificate, it has to be loaded into the keyring (a.k.a. kyr file) outside of the Domino Administrator.

The basic overview of the process is this:

  • Create a kyr (keyring) file to hold the keys.
  • Create a p12 (PKCS#12) file with the certificate that needs to be added to the keyring.
  • Add the p12 (PKCS#12) file to the keyring.
  • Install the new keyring on the Domino Servers (mail, traveler, sametime, Quickr)

Domino Server PKCS#12 key generation and import

Create PKCS#12 from SSL KEY and CRT files

For this step I recommend working on Linux or AIX with openssl installed. Assuming that you have the certificate key, the CA-issued certificate, and the certificate chain all in the same directory, you can run the following command to generate the p12 file:

openssl pkcs12 -export \
-in certificate-from-CA.crt \
-inkey certificate-key-file.key \
-certfile root-ca-bundle.crt \
-out certificate-in-pkcs12-format.p12

Add PKCS#12 to Domino Server Kyr Keyring File

For this step I recommend working on the Sametime server under Linux or AIX. In theory this should work, but in practice I found that version 7 of the gsk tools does not seem to be able to open kyr files. So you may need to skip ahead to the legacy Windows XP method, unless you can find the gsk5bas package on one of your older install media.

rpm -Uvh ${SAMETIME_CD_PATH}/SametimeEntryServer/GSKit/Linux/gsk7bas-7.0-4.28.i386.rpm
vi /opt/ibm/lotus/notes/latest/linux/ibm-jre/jre/lib/security/java.security

Add last provider to list:

security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
security.provider.5=com.ibm.security.sasl.IBMSASL
security.provider.6=com.ibm.spi.IBMCMSProvider

remove conflicting jar file:

mv /opt/ibm/lotus/notes/latest/linux/ibm-jre/jre/lib/ext/gskikm.jar /opt/ibm/lotus/notes/latest/linux/ibm-jre/jre/lib/ext/gskikm.removedjar-

set environment:

set JAVA_HOME:
JAVA_HOME=/opt/ibm/lotus/notes/latest/linux/ibm-jre/jre; export JAVA_HOME

Domino Server Required Utilities for SSL Key Import (legacy Windows XP method)

  • Download and install IKEYMAN.
  • Open the kyr file in gsk5.
  • Import the p12 cert.
  • Save the new kyr file.

Domino Server SSL Key Management References

  • http://www.redbooks.ibm.com/redpapers/pdfs/redp0046.pdf
  • http://www.turtleweb.com/turtleblog.nsf/dx/11022009232215GDAVGR.htm?opendocument&comments
  • http://www.deadspace.de/?p=294
  • ftp://ftp.software.ibm.com/software/webserver/appserv/library/v61/ihs/GSK7c_SSL_Ikm_Guide.pdf
  • https://support.quovadisglobal.com/KB/a93/how-do-i-install-my-digital-certificate-into-lotus-notes.aspx
  • http://replay.waybackmachine.org/20081121002554/http://www.justinclarke.com/archives/2005/08/sending_smime_e.html
  • http://www.eulerhermes.com/en/documents/secure-email/ehcica_howto_import_lotus_notes_en.pdf/ehcica_howto_import_lotus_notes_en.pdf
  • http://publib.boulder.ibm.com/infocenter/sametime/v8r0/index.jsp?topic=/com.ibm.help.sametime.802.doc/Entry/st_adm_security_ssl_ikey_lin_t.html

For more information about Domino Server solutions, visit our collaboration section.


Verifying SSL Certificates

Problem

You have a few SSL cert files on your server, but you are not sure which one is the newest, or the right cert to use.

Solution

Look at the contents of a CSR


openssl req -noout -text -in [domain_name].csr

Where [domain_name].csr is the name of the CSR file.

Look at the contents of a certificate


openssl x509 -noout -text -in [domain_name].crt

Look at the MD5 fingerprint of a certificate


openssl x509 -fingerprint -noout -in [domain_name].crt

Check the private key, the CSR, and the signed cert

To check that the private key, the CSR, and the signed cert belong to the same set, you need to compare the MD5 outputs:

openssl rsa -noout -modulus -in [domain_name].key |openssl md5
openssl req -noout -modulus -in [domain_name].csr |openssl md5
openssl x509 -noout -modulus -in [domain_name].crt |openssl md5
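The following is an added example, not part of the original article, that reproduces the modulus comparison above in pure Python so it can be run where openssl is not installed. It decodes the PEM body, walks the DER structure and takes the largest INTEGER it finds: for an RSA key, CSR or certificate that is the modulus n (d, p, q, the public exponent and the serial number are all smaller). It then hashes the modulus exactly the way openssl prints it, "Modulus=<uppercase hex>" followed by a newline, so the digests are directly comparable with the three commands above. Like those commands, it only applies to RSA; the key and certificate at the bottom are constructed toy DER structures with a 128-bit modulus, not real credentials.

```python
"""Compare the RSA modulus of a key, CSR and certificate without openssl.

Added example, not from the original article. The modulus is the largest
INTEGER in any RSA key, CSR or certificate; it is hashed as openssl's
"-modulus | openssl md5" pipeline would hash it. RSA only, like the
openssl commands. The inputs at the bottom are constructed toy DER
structures, not real credentials.
"""
import base64
import hashlib
import re

PEM_RE = re.compile(rb"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", re.S)


def pem_to_der(pem: bytes) -> bytes:
    """DER bytes of the first PEM block in the input."""
    match = PEM_RE.search(pem)
    if not match:
        raise ValueError("no PEM block found")
    return base64.b64decode(b"".join(match.group(1).split()))


def der_tlv(data: bytes, pos: int):
    """Decode one tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                        # long form: low bits give the byte count
        count = length & 0x7F
        length = int.from_bytes(data[pos:pos + count], "big")
        pos += count
    end = pos + length
    if end > len(data) or (tag & 0x1F) == 0x1F:
        raise ValueError("truncated or unsupported DER")
    return tag, data[pos:end], end


def der_integers(data: bytes):
    """Yield every INTEGER in a DER blob, descending into nested structures."""
    pos = 0
    while pos < len(data):
        tag, value, pos = der_tlv(data, pos)
        if tag == 0x02:
            yield int.from_bytes(value, "big")
        elif tag & 0x20:                     # SEQUENCE, SET, [n] context tags
            yield from der_integers(value)
        elif tag in (0x03, 0x04):            # BIT STRING (SPKI) / OCTET STRING (PKCS#8)
            inner = value[1:] if tag == 0x03 else value   # skip the unused-bits byte
            if inner[:1] == b"\x30":         # only descend when it looks like a SEQUENCE
                try:
                    yield from list(der_integers(inner))
                except (ValueError, IndexError):
                    pass                     # opaque bytes (e.g. a signature), not DER


def rsa_modulus(pem: bytes) -> int:
    """Largest INTEGER in the object: the modulus n for RSA keys, CSRs and certs."""
    integers = list(der_integers(pem_to_der(pem)))
    if not integers:
        raise ValueError("no INTEGER found; not an RSA object?")
    return max(integers)


def modulus_md5(pem: bytes) -> str:
    """MD5 of the line 'openssl ... -modulus' prints (uppercase hex, whole bytes, newline)."""
    n = rsa_modulus(pem)
    hex_n = n.to_bytes((n.bit_length() + 7) // 8, "big").hex().upper()
    return hashlib.md5(f"Modulus={hex_n}\n".encode()).hexdigest()


def same_key_set(*pems: bytes) -> bool:
    """True when every file carries the same modulus, i.e. all digests agree."""
    return len({modulus_md5(p) for p in pems}) == 1


# --- constructed toy inputs (tiny DER encoder, sample data only) --------------
def der(tag: int, payload: bytes) -> bytes:
    if len(payload) < 0x80:
        return bytes([tag, len(payload)]) + payload
    size = len(payload).to_bytes((len(payload).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + payload


def der_int(n: int) -> bytes:
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))  # sign bit stays clear


def to_pem(label: str, der_bytes: bytes) -> bytes:
    return f"-----BEGIN {label}-----\n{base64.b64encode(der_bytes).decode()}\n-----END {label}-----\n".encode()


TOY_N = 0xB7E151628AED2A6ABF7158809CF4F3C7      # constructed, not a real modulus
TOY_E = 65537
RSA_OID = der(0x06, bytes.fromhex("2A864886F70D010101"))   # rsaEncryption


def toy_key_pem(n: int) -> bytes:
    """PKCS#1 RSAPrivateKey shape: version, n, e, d, p, q, dp, dq, qinv (toy values)."""
    fields = [0, n, TOY_E, n // 3, 0xDEAD, 0xBEEF, 0x11, 0x22, 0x33]
    return to_pem("RSA PRIVATE KEY", der(0x30, b"".join(der_int(f) for f in fields)))


def toy_cert_pem(n: int) -> bytes:
    """Certificate-like shape: SEQ{ SEQ{ serial, SPKI }, BIT STRING signature }."""
    spki = der(0x30, der(0x30, RSA_OID + der(0x05, b""))
               + der(0x03, b"\x00" + der(0x30, der_int(n) + der_int(TOY_E))))
    tbs = der(0x30, der_int(0x1234) + spki)
    return to_pem("CERTIFICATE", der(0x30, tbs + der(0x03, b"\x00" + b"\x5A" * 200)))


KEY_PEM, CRT_PEM, OTHER_KEY_PEM = toy_key_pem(TOY_N), toy_cert_pem(TOY_N), toy_key_pem(TOY_N + 2)

if __name__ == "__main__":
    print("key matches cert:", same_key_set(KEY_PEM, CRT_PEM))          # True
    print("other key matches cert:", same_key_set(OTHER_KEY_PEM, CRT_PEM))  # False
```

On real files, `same_key_set(open("domain.key", "rb").read(), open("domain.csr", "rb").read(), open("domain.crt", "rb").read())` answers the question the three openssl commands answer, and `modulus_md5()` on any one of them prints the same digest as the corresponding openssl pipeline.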


SMTP Server Testing with Authentication

Problem

You need to test manually an SMTP server that requires authentication.

Solution

The text you need to enter into a DOS or Unix command line is in typewriter typeface. Responses from the server are shown in italic.
telnet smtp-server.smtpdomain.com 25
Trying xxx.xxx.xxx.xxx…
Connected to smtp-server.smtpdomain.com.
Escape character is ‘^]’.
220 smtp-server.smtpdomain.com plus some other optional server greeting text

helo localhost
250 smtp-server.smtpdomain.com
auth login
You now need to enter your email and then your password, each encoded in BASE64. To encode your password, use the HCI Data Encoder.
mail from: bnagy@newpush.com
250 Sender accepted.
rcpt to: bnagy@newpush.com
250 OK
data
354 End your message with a period.
Subject: test email

test content
.

250 Accepted message …
quit
221 Good bye.
Connection closed by foreign host.
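The following is an added example, not part of the original article: the same dialogue as the transcript above, scripted in Python so both sides of the exchange can be seen. The client sends the commands in the order shown (HELO, AUTH LOGIN, MAIL FROM, RCPT TO, DATA, QUIT) and base64-encodes the user name and password locally, which is all an online encoder does. The server side is a constructed toy responder that listens on 127.0.0.1, accepts a single session and checks the credentials; it exists only to show the replies and does not relay mail. The credentials and addresses used are assumptions.

```python
"""Manual SMTP AUTH LOGIN dialogue, scripted against a toy server.

Added example, not part of the original article. The client sends the
commands of the transcript above and base64-encodes the credentials
locally; the server is a constructed toy responder on 127.0.0.1 that
serves one session and does not relay mail. Credentials are assumptions.
"""
import base64
import socket
import threading

TOY_USER = "user@example.com"            # constructed credentials for the toy server
TOY_PASSWORD = "correct horse battery"


def b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


def toy_smtp_server(listener: socket.socket, user: str, password: str) -> None:
    """Answer one client the way an AUTH LOGIN server does (toy, not RFC-complete)."""
    conn, _ = listener.accept()

    def reply(text: str) -> None:
        conn.sendall((text + "\r\n").encode())

    authed, state, got_user = False, None, ""
    reply("220 toy.example.com ESMTP ready")
    for raw in conn.makefile("rb"):
        line = raw.decode().rstrip("\r\n")
        if state == "user":                         # client sent base64(username)
            got_user, state = base64.b64decode(line).decode(), "pass"
            reply("334 " + b64("Password:"))
        elif state == "pass":                       # client sent base64(password)
            authed = got_user == user and base64.b64decode(line).decode() == password
            state = None
            reply("235 Authentication successful" if authed else "535 Authentication failed")
        elif state == "data":
            if line == ".":                         # a lone dot ends the message
                state = None
                reply("250 Accepted message")
        elif line.upper().startswith("HELO"):
            reply("250 toy.example.com")
        elif line.upper() == "AUTH LOGIN":
            state = "user"
            reply("334 " + b64("Username:"))
        elif line.upper().startswith(("MAIL FROM:", "RCPT TO:", "DATA")):
            if not authed:                          # envelope and body need a login first
                reply("530 Authentication required")
            elif line.upper() == "DATA":
                state = "data"
                reply("354 End your message with a period.")
            else:
                reply("250 OK")
        elif line.upper() == "QUIT":
            reply("221 Good bye.")
            break
        else:
            reply("500 Unrecognized command")
    conn.close()


def send_test_mail(host, port, user, password, sender, recipient, body) -> list:
    """Run the manual dialogue from the article; return the server's replies in order."""
    replies = []
    with socket.create_connection((host, port), timeout=5) as sock:
        reader = sock.makefile("rb")

        def read() -> str:
            line = reader.readline().decode().rstrip("\r\n")
            replies.append(line)
            return line

        def cmd(text: str) -> str:
            sock.sendall((text + "\r\n").encode())
            return read()

        read()                                      # 220 greeting
        cmd("helo localhost")
        if cmd("auth login").startswith("334"):     # challenge is base64("Username:")
            cmd(b64(user))                          # answered with base64("Password:")
            cmd(b64(password))                      # 235 on success, 535 on failure
        cmd(f"mail from: {sender}")
        cmd(f"rcpt to: {recipient}")
        if cmd("data").startswith("354"):
            sock.sendall(f"Subject: test email\r\n\r\n{body}\r\n.\r\n".encode())
            read()                                  # 250 Accepted message
        cmd("quit")
    return replies


def run_demo(password: str = TOY_PASSWORD) -> list:
    """Start the toy server on a free local port and run one client session against it."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    server = threading.Thread(target=toy_smtp_server, daemon=True,
                              args=(listener, TOY_USER, TOY_PASSWORD))
    server.start()
    port = listener.getsockname()[1]
    replies = send_test_mail("127.0.0.1", port, TOY_USER, password, TOY_USER, TOY_USER, "test content")
    server.join(5)
    listener.close()
    return replies


if __name__ == "__main__":
    print("\n".join(run_demo()))
```

`run_demo("wrong password")` shows the failure path: the server answers 535 to the second base64 line and then refuses MAIL FROM, RCPT TO and DATA with 530, which is the behaviour to expect from a real server when a pasted base64 string has a typo or trailing whitespace.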


Planning for Storage, Server, and Network Infrastructure

Questions to ask when planning storage and server infrastructure

Storage Requirements

  • What is our current storage environment? (What technology do we use? NetApp, EMC, HP, Hitachi, Compellent?)
  • What is our current amount of usable storage?
  • What is our current data in GB / TB? How much of that data is deemed critical as opposed to 2nd tier, or even archivable?
  • What growth increase are we seeing from year to year? (25%? 30%? 40%? More?)
  • Is this our largest variable IT cost within our overall budget?

Server Infrastructure

  • How many servers do we have within our overall Infrastructure environment?
  • What percentage is comprised of Power, Linux or “Wintel”?
  • Do we have a vendor standard? (HP, Dell, IBM?)
  • What is our overall server utilization (7%? 10%? 20%? 50%? More?)
  • Do we utilize virtualization in our server infrastructure environment?
  • If so, what percentage of our environment is virtualized?
  • What version / type of virtualization do we use?
  • Are we looking to do a server consolidation project to help us save on additional software maintenance and energy costs?

Network Infrastructure

  • Do we have (primarily) our own data center or do we store all of our equipment at a co-location / managed services location? (and if so, whom?)
  • What is our current network environment (Cisco? Avaya?)
  • Do we standardize on a vendor?
  • How old / new is our network environment?
  • What kind of connectivity do we have? (T1? T3? DS?)

Security Solutions

  • Do we have a set standard for our security environment?
  • Do we do quarterly security assessments? (PCI and/or FFIEC Assessments?) (Who do we use?)
  • Are there areas we need to improve?

Software Maintenance

Do we have a go-to partner we standardize on for software and hardware maintenance contracts?

Projects

  • What are our next three primary projects?
  • What is our IT budget?
  • What is our Calendar year? Jan – Dec? July – June? Etc.

For more information about planning for storage, servers, and network infrastructure, look at our data warehouse pages.


NetApp route add default gateway

NetApp SAN default gateway setup

DataOntap is a FreeBSD based operating system built by NetApp. However, most of the command line interface commands differ from the usual FreeBSD commands. When a new NetApp installation is performed, or a NetApp migration is needed, typically the IP address needs to be changed, as well as the default gateway. The first step before changing the network configuration is to check the current configuration and capture it, in case you need to back out of the migration. The following paragraphs show how to check the existing configuration, and how to set the new gateway.

Show NetApp SAN network config

To print the current network config, run:
ifconfig -a

To set a new network IP, run:
ifconfig e0 192.168.1.2 netmask 255.255.255.0

Where e0 is your network interface name, and 192.168.1.2 is the new IP of the NetApp.

Show NetApp SAN route config

To print the current routes, run:
route -ns

Setup NetApp SAN default route

Delete NetApp SAN current default route

route delete default

Add NetApp SAN new default route

route add 0.0.0.0 IP_OF_DEFAULT_GW 1
For example, if the default gateway is 192.168.1.1:
route add 0.0.0.0 192.168.1.1 1
For more information about our SAN support, look at NetApp SAN.


Online fax service with SSL API

Problem

You need to create an online application that is capable of sending a FAX securely (PCI, HIPAA or other compliance).

Solution

After trying trustfax and eFax, neither of which has a secure API, Ralph found that Metro Fax has an SSL API for developers and the cost is reasonable.

The following SDK as well as some supporting documentation below will help you get started: WsfSDK

The MetroFax webservice gateway is available at:

https://wsf.metrofax.com/webservice.asmx

And there is supporting documentation (NDoc) available below:

https://wsf.metrofax.com/doc

The attached SDK contains sample implementations of numerous common methods.


Troubleshooting sendmail base configuration

There is a simple command that can be used to make sure that the basic configuration of sendmail is correct:
echo \$Z | sendmail -d0.1
The output of that command should look like:

Version 8.13.1
Compiled with: DNSMAP HESIOD HES_GETMAILHOST LDAPMAP LOG MAP_REGEX
MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6
NETUNIX NEWDB NIS PIPELINING SASLv2 SCANF SOCKETMAP STARTTLS
TCPWRAPPERS USERDB USE_LDAP_INIT

============ SYSTEM IDENTITY (after readcf) ============
(short domain name) $w = host-name
(canonical domain name) $j = host-name.domain.com
(subdomain name) $m = domain.com
(node name) $k = host-name
========================================================