
asyd.net

Welcome to Bruno Bonfils's (aka asyd homepage).

October, 21st

Firefox Protocol Handling

To have Firefox open a gnome-terminal for URLs that begin with ssh:// or telnet://, I wrote a little script and changed a couple of settings in about:config:

prefs.js

// the helper launched for telnet:// links, and the flag that tells Firefox
// to hand such URLs to an external application (this pref is a boolean)
user_pref("network.protocol-handler.app.telnet", "/home/asyd/bin/firefox-handler.zsh");
user_pref("network.protocol-handler.external.telnet", true);

firefox-handler.zsh

#!/bin/zsh
# Firefox calls this script with the clicked URL as its only argument,
# e.g. ssh://host.example.com/
url=$1

# everything before the first colon: "ssh" or "telnet"
proto=${url//:*/}
# strip the leading "scheme://" and a trailing slash, leaving the host
data=${${url//*:\/\//}%/}

# open a terminal running "ssh host" or "telnet host"
/usr/bin/gnome-terminal -e "$proto $data"
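A stricter variant of the handler, added here as an example and not the script from the page: since any web page can hand the script an arbitrary ssh:// or telnet:// URL, and gnome-terminal splits the "$proto $data" string on spaces, the host part is checked against hostname characters and each piece is passed to ssh/telnet as its own argument. It assumes gnome-terminal's "--" form (newer releases dropped -e); the URLs in the test are constructed.

```shell
#!/bin/sh
# Added example, not the original firefox-handler.zsh: validate what Firefox
# passes in before a terminal is launched. Assumes gnome-terminal accepts
# "--" followed by the command to run.

# parse_url URL: sets PROTO, RUSER, HOST, PORT; returns 1 unless the URL is
# a plain ssh:// or telnet:// host reference (optional user@ and :port).
parse_url() {
    url=$1
    PROTO= RUSER= HOST= PORT=
    case $url in
        ssh://*|telnet://*) ;;
        *) return 1 ;;
    esac
    PROTO=${url%%:*}
    rest=${url#*://}
    rest=${rest%%/*}                  # drop any path component
    case $rest in
        *@*) RUSER=${rest%%@*}; rest=${rest#*@} ;;
    esac
    HOST=${rest%%:*}
    case $rest in *:*) PORT=${rest#*:} ;; esac
    # hostname or IPv4 literal only: letters, digits, dots, hyphens, and
    # never a leading hyphen (ssh/telnet would read it as an option)
    case $HOST in ''|-*|*[!A-Za-z0-9.-]*) return 1 ;; esac
    case $RUSER in -*|*[!A-Za-z0-9._-]*) return 1 ;; esac
    case $PORT in *[!0-9]*) return 1 ;; esac
    return 0
}

# build_command URL: prints the command line that will run in the terminal,
# or returns 1 when the URL was rejected.
build_command() {
    parse_url "$1" || return 1
    case $PROTO in
        ssh)    printf '%s' "ssh ${PORT:+-p $PORT }${RUSER:+$RUSER@}$HOST" ;;
        telnet) printf '%s' "telnet ${RUSER:+-l $RUSER }$HOST${PORT:+ $PORT}" ;;
    esac
}

# Entry point when Firefox invokes the script with the URL as $1.
# Word splitting of $cmd is safe: every piece passed the checks above.
if [ $# -gt 0 ]; then
    cmd=$(build_command "$1") || { echo "rejected url: $1" >&2; exit 1; }
    exec /usr/bin/gnome-terminal -- $cmd
fi
```

Point the same two prefs at this script instead of the zsh one; rejected URLs are logged to stderr and no terminal is opened.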

October, 18th

Certificates

Now that I have found a very good free PKI software (EJBCA), I try to use it everywhere I need certificates. My first difficult task was with IOS; here are some notes.

EJBCA and IOS

Here is my IOS config related to my CA:

!
crypto ca trustpoint FMSCA
 enrollment url http://pki.intranet.fimasys.fr:8080/ejbca/publicweb/apply/scep
 serial-number
 source interface Ethernet0
 auto-enroll regenerate
!

Description / Notes

  • The enrollment line tells IOS how to contact the PKI software (the method, here a URL over http). Note: you must omit the pkiclient.exe filename at the end; IOS appends it automatically.
  • serial-number tells IOS to include the router's serial number in the request.
  • The name of the trustpoint you use MUST MATCH exactly the short name of your CA in EJBCA.

Once you have that, use the command:

# crypto ca authenticate FMSCA

to fetch the CA certificate. Then set the enrollment password with the command:

# crypto ca enroll FMSCA

Then log in to EJBCA and create a new end entity profile that looks like this:

(screenshot: ios-profile.jpg)

Check your EJBCA logs; you should see something like:

ERROR [PKCS10RequestMessage] No CN in DN: SN=12013150+unstructuredName=saroumane.nanthrax.net
ERROR [Log4jLogDevice] October 19, 2005 9:48:33 AM CEST, CAId : 0, CA, EVENT_ERROR_USERAUTHENTICATION, Administrator : PUBLICWEBUSER, IP Address : 192.168.134.1, User : 12013150, Certificate : No Certificate Involved, Comment : Got request for nonexisting user: 12013150

So you know you must add an end entity using the serial number as the username, the password you defined in IOS, and serialNumber / unstructuredName as subject DN fields.

saroumane#sh crypto ca cert
Certificate
  Status: Available
  Certificate Serial Number: 426FA96340F5D2CA
  Certificate Usage: General Purpose
  Issuer:
    c=FR
    o=Fimasys
    cn=Fimasys Security CA
  Subject:
    Name: saroumane.nanthrax.net
    Serial Number: 12013150
    serialNumber=12013150
    hostname=saroumane.nanthrax.net
  Validity Date:
    start date: 08:58:28 CET Oct 19 2005
    end   date: 09:08:28 CET Oct 19 2007
  Associated Trustpoints: FMSCA

CA Certificate
  Status: Available
  Certificate Serial Number: 7AA2B9942CD0D362
  Certificate Usage: Signature
  Issuer:
    c=FR
    o=Fimasys
    cn=Fimasys Security CA
  Subject:
    c=FR
    o=Fimasys
    cn=Fimasys Security CA
  Validity Date:
    start date: 07:29:35 CET Oct 17 2005
    end   date: 07:39:35 CET Oct 15 2015
  Associated Trustpoints: FMSCA
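One check worth doing at the "crypto ca authenticate" step: SCEP runs over plain http, so the router asks you to accept the fetched CA certificate by fingerprint, and the only thing that makes that acceptance meaningful is comparing it with a fingerprint obtained another way. The helpers below are an added example (not part of these notes, nor code from EJBCA or IOS): they build the GetCACert request IOS sends (which is why the enrollment url must not carry pkiclient.exe), fetch the CA certificate with curl/openssl, and compare fingerprints regardless of how they are spelled. They assume curl and openssl are installed and that the router prints an MD5 fingerprint (pass sha1 if yours shows a SHA1 line).

```shell
#!/bin/sh
# Added example, not part of the original notes or of EJBCA/IOS: verify the
# CA certificate that "crypto ca authenticate" fetches over SCEP.
# Assumes curl and openssl are available.

# scep_cacert_url ENROLLMENT_URL CA_NAME: the GetCACert request IOS sends.
# IOS appends pkiclient.exe itself, so the trustpoint url must not include it.
scep_cacert_url() {
    printf '%s/pkiclient.exe?operation=GetCACert&message=%s\n' "${1%/}" "$2"
}

# norm_fp FINGERPRINT: strip colons and spaces and uppercase, so the
# router's "1234ABCD 5678..." groups and openssl's "12:34:AB:CD:..." agree.
norm_fp() {
    printf '%s' "$1" | tr -d ': ' | tr 'a-z' 'A-Z'
}

# same_fingerprint A B: succeeds when both spellings name the same digest
same_fingerprint() {
    [ "$(norm_fp "$1")" = "$(norm_fp "$2")" ]
}

# fetch_ca_fingerprint ENROLLMENT_URL CA_NAME [DIGEST]: fetch the CA
# certificate the same way the router does and print its fingerprint
# (md5 by default, the digest older IOS shows; sha1 if the router prints one).
# EJBCA may answer with a bare DER certificate or a PKCS#7 bundle; both are
# handled, taking the first certificate of a bundle.
fetch_ca_fingerprint() {
    digest=${3:-md5}
    tmp=$(mktemp) || return 1
    curl -fsS -o "$tmp" "$(scep_cacert_url "$1" "$2")" || { rm -f "$tmp"; return 1; }
    if ! openssl x509 -inform DER -in "$tmp" -noout -fingerprint "-$digest" 2>/dev/null; then
        openssl pkcs7 -inform DER -in "$tmp" -print_certs \
            | openssl x509 -noout -fingerprint "-$digest"
    fi
    rm -f "$tmp"
}

# Usage, with the fingerprint copied from the router console:
#   router_fp='<fingerprint shown by crypto ca authenticate>'
#   fp=$(fetch_ca_fingerprint http://pki.intranet.fimasys.fr:8080/ejbca/publicweb/apply/scep FMSCA)
#   same_fingerprint "${fp#*=}" "$router_fp" && echo "CA certificate matches"
```

Run the fetch from a machine that reaches the CA by a path you trust (or compare against the fingerprint shown in the EJBCA admin GUI); if the two fingerprints differ, answer "no" to the router's prompt and look at what sits between the router and the CA.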

September, 30th

About AIX

Now that I have a “good” SNMP monitoring, I want all my servers to be SNMP aware, with all the interesting MIBs, like HOST-RESOURCES, which lets me check CPU and memory utilization, etc. That's why I tried to configure the AIX snmp agent correctly. After spending a few minutes reading snmpd.conf and mib.defs, I was able to query the host-resources MIB OIDs (take a look in aix). But there is a funny bug in the AIX version I use on my servers; just look:

% snmpwalk -v1 -c public 192.168.1.48 .1.3.6.1.2.1.25.3.3.1.2
HOST-RESOURCES-MIB::hrProcessorLoad.1 = INTEGER: -2147483648
HOST-RESOURCES-MIB::hrProcessorLoad.2 = INTEGER: -2147483648

Very funny, isn't it? Funny, but annoying too. So I looked for why I got such values: it's a bug. Well, I really can't understand how something like snmp can be so buggy. It seems we are only a few system administrators who use SNMP… Anyway, it's a good way to learn more about AIX (I'm a noob with this OS), especially about patch management.
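Until the agent is patched, the values should at least be caught before they reach a monitoring system. The following is an added example (not from the page) that filters snmpwalk output: hrProcessorLoad is defined as a percentage, so anything outside 0..100, such as the -2147483648 above, is reported as invalid and the function returns non-zero so a check script can alert. The sample walk is constructed from the output above.

```shell
#!/bin/sh
# Added example (not from the original page): sanity-check hrProcessorLoad
# values from an snmpwalk before a monitoring system graphs them.

# check_cpu_load: reads snmpwalk output on stdin, prints one line per CPU
# ("cpu<n> ok <value>" or "cpu<n> invalid <value>") and returns 1 if any
# value was outside the 0..100 percentage range the MIB defines.
check_cpu_load() {
    rc=0
    while IFS= read -r line; do
        # only look at rows like
        # HOST-RESOURCES-MIB::hrProcessorLoad.1 = INTEGER: 37
        case $line in
            *hrProcessorLoad.*=*INTEGER:*) ;;
            *) continue ;;
        esac
        idx=${line#*hrProcessorLoad.}; idx=${idx%% *}
        val=${line##*INTEGER: }
        # a non-numeric value makes the first test fail, so it lands in the
        # invalid branch as well
        if [ "$val" -ge 0 ] 2>/dev/null && [ "$val" -le 100 ]; then
            printf 'cpu%s ok %s\n' "$idx" "$val"
        else
            printf 'cpu%s invalid %s\n' "$idx" "$val"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: the AIX box above for CPU 1, and a plausible value
# for CPU 2 for contrast.
SAMPLE_WALK='HOST-RESOURCES-MIB::hrProcessorLoad.1 = INTEGER: -2147483648
HOST-RESOURCES-MIB::hrProcessorLoad.2 = INTEGER: 37'

# Live usage:
#   snmpwalk -v1 -c public 192.168.1.48 .1.3.6.1.2.1.25.3.3.1.2 | check_cpu_load
run_sample() {
    printf '%s\n' "$SAMPLE_WALK" | check_cpu_load
}
```

On the sample the function prints cpu1 as invalid and cpu2 as ok, and exits with status 1 because of cpu1.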

September, 28th

Cisco and multicast

Since I created a few VLANs at work, the servers and the (NOC) workstations are no longer in the same IP subnet (I don't even understand how the previous sys/net admin could leave servers and workstations in the same LAN). So a Java admin asked me why he couldn't set up a WebLogic cluster with one node in our LAN (the NOC one) and one node in the server LAN. I just told him “hold on a few minutes”. Well, ok, a few hours later it still wasn't working… But it's ok now; I use the following config:

!
interface Vlan1
 ip address 192.168.1.4 255.255.255.0
 ip pim dense-mode
 ip igmp join-group 232.168.34.65
 ip igmp join-group 237.0.0.9
 ntp multicast key 1
!
interface Vlan34
 ip address 192.168.34.1 255.255.255.0
 ip helper-address 192.168.1.6
 ip pim dense-mode
 ip igmp join-group 232.168.34.65
 ip igmp join-group 237.0.0.9
 ntp multicast key 1
!
! global switch that enables multicast forwarding between the VLANs
ip multicast-routing
!

But the most important point is the TTL set by the multicast application: it MUST BE GREATER than one (1) if you want the multicast traffic forwarded, since the router decrements it and a packet sent with TTL 1 never crosses the router.

Example :

% sudo udp-sender  --file docs/CompilingBinaryFilesUsingACompiler.pdf --mcast-all-addr 232.168.34.65 --ttl 64
Udp-sender 2004-05-31
Using mcast address 232.168.34.65
UDP sender for docs/CompilingBinaryFilesUsingACompiler.pdf at 192.168.34.65 on eth0
Broadcasting control to 232.168.34.65
New connection from 192.168.1.50  (#0) 00000019
Ready. Press any key to start sending data.
Starting transfer: 00000019
bytes=         67 278 re-xmits=000000 (  0.0%) slice=0202          67 278 -   0
Transfer complete.
Disconnecting #0 (192.168.1.50)
% sudo udp-receiver --ttl 64 --mcast-all-addr 232.168.34.65 --file /tmp/output
Udp-receiver 2004-05-31
UDP receiver for /tmp/output at 192.168.1.50 on eth0
received message, cap=00000019
Connected as #0 to 192.168.34.65
Listening to multicast on 232.168.34.65
Press any key to start receiving data!
Sending go signal 1 Success 0
bytes=         67 278  (  1.05 Mbps)         67 278
Transfer complete.

As you can notice, I use udp-receiver / udp-sender (available here, or maybe with your distribution; Debian includes it) to test the multicast.

I'm just wondering why it doesn't work if the Cisco is not a member of the group; I probably need to check the docs again and again.
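Before touching the router config, it is worth confirming on the wire what TTL the application actually sends. The function below is an added example (not from the page) that reads "tcpdump -n -v" output and reports, for every datagram to a 224.0.0.0/4 address, whether its TTL lets it cross a router at all. It assumes the usual tcpdump -v layout, where the IP header ("IP (tos 0x0, ttl 64, id ..., proto UDP (17), length N)") is printed on one line and "src.port > dst.port: UDP, length N" on the next; the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): spot multicast senders that
# still use the default TTL of 1 from a tcpdump -n -v capture.
# Assumes tcpdump -v prints the IP header line ("... ttl 64, ...") and then
# the "src > dst" line; a one-line layout works too, since both patterns are
# checked on every line.

# check_mcast_ttl: prints "<group> ttl=<n> forwardable" or
# "<group> ttl=<n> stays-on-segment" per multicast packet; returns 1 if
# any multicast packet had ttl <= 1.
check_mcast_ttl() {
    rc=0
    ttl=
    while IFS= read -r line; do
        # remember the TTL from the header line (or from this line)
        case $line in *" ttl "*) t=${line#* ttl }; ttl=${t%%,*} ;; esac
        case $line in *" > "*) ;; *) continue ;; esac
        cur=$ttl; ttl=
        [ -n "$cur" ] || continue
        dst=${line#* > }; dst=${dst%%:*}; dst=${dst%.*}   # drop ".port"
        first=${dst%%.*}
        case $first in *[!0-9]*|'') continue ;; esac
        # only class D destinations (224.0.0.0/4) are multicast
        [ "$first" -ge 224 ] && [ "$first" -le 239 ] || continue
        if [ "$cur" -gt 1 ]; then
            printf '%s ttl=%s forwardable\n' "$dst" "$cur"
        else
            printf '%s ttl=%s stays-on-segment\n' "$dst" "$cur"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample in tcpdump -n -v form: the udp-sender run above (ttl 64),
# a sender left at the default ttl 1, and an unrelated unicast packet.
SAMPLE_DUMP='10:01:02.000001 IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto UDP (17), length 100)
    192.168.34.65.9000 > 232.168.34.65.9000: UDP, length 72
10:01:02.000002 IP (tos 0x0, ttl 1, id 2, offset 0, flags [DF], proto UDP (17), length 100)
    192.168.34.70.5000 > 237.0.0.9.7001: UDP, length 72
10:01:02.000003 IP (tos 0x0, ttl 64, id 3, offset 0, flags [DF], proto UDP (17), length 100)
    192.168.34.65.40001 > 192.168.1.50.40000: UDP, length 72'

# Live usage, on the segment where the sender lives:
#   tcpdump -n -v -i eth0 udp and dst net 224.0.0.0/4 | check_mcast_ttl
run_sample() {
    printf '%s\n' "$SAMPLE_DUMP" | check_mcast_ttl
}
```

On the sample, the udp-sender traffic is reported as forwardable and the ttl 1 sender to 237.0.0.9 as stays-on-segment; the unicast packet is ignored.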

OpenLDAP

Well, by mischance, I need to use OpenLDAP.. So I'm starting to put down all my notes about this (crappy) software. They will be available here.

September, 19th

Small useful applications

  • Brack is a small PHP application which helps to manage racks; it has interesting features (like a Service Tag field for Dell hardware) and can be easily hacked on.
  • Colour Cisco shapes for Dia (I don't understand why this package is not included upstream)

Here is a little patch to Brack's CSS to ensure all racks have the same size (replace td.space with the following one):

td.space {
   font-size: small;
   font-family: sans-serif;
   padding: 0 5px;
   background-color: white;
   border-style: solid none none none;
   border-width: thin;
}

(Many thanks to Cesar for his help)
