Wednesday, November 7, 2012

Small Business Server 2008 and free SSL certificates for remote access

Introduction

Whilst looking for a free SSL certificate to do some testing against the self-signed certs that SBS 2008 generates, I bumped into https://www.startssl.com/, who will give you, at no cost, a basic domain-verified cert that lasts for 1 year. This means your users no longer have to click OK to accept the self-signed cert.
The reason I was looking is that the SBS remote access portal showed the following error when users were attempting to RDP to their desktops.
"This computer can't verify the identity of the RD Gateway 'your.domain.name'. It's not safe to connect to servers that can't be identified. Contact your network administrator for assistance."
RDP error
Changing the cert to a verified one from StartSSL resolves this error! You will still get another prompt because the RD Gateway is still using the self-signed cert. You cannot avoid this by applying the public verified cert, since the RD Gateway will use the NetBIOS hostname, which will not match either the public root-verified cert or the self-signed cert. A public cert will also save your users from the annoyance of this:

SSL certificate error page

Certificate Details




Step by step guide


Generate CSR: IIS 7 Microsoft Windows Server 2008

Follow these instructions to generate a certificate request (CSR).
  1. Open the Internet Information Services (IIS) Manager. From the Start button select Programs > Administrative Tools > Internet Information Services Manager.
  2. In the IIS Manager, select the server node on the top left under Connections.
  3. In the Features pane (the middle pane), double-click the Server Certificates option located under the IIS or Security heading (depending on your current group-by view).
  4. From the Actions pane on the top right, select Create Certificate Request. The Distinguished Name Properties dialog box opens.
  5. You will be asked for several pieces of info which will be used by GeoTrust to create your new SSL certificate. These fields include the Common Name (aka domain, FQDN), organization, country, key bit length, etc. Use the CSR Legend in the right-hand column of this page to guide you when asked for this information. The following characters should not be used when typing in your CSR input: < > ~ ! @ # $ % ^ / \ ( ) ? , &
  6. THIS IS THE MOST IMPORTANT STEP! Enter your site's Common Name. The Common Name is the fully qualified domain name for your web site or mail server. Whatever your end user will see in their browser's address bar is what you should put in here. Do not include http:// nor https://. Refer to the CSR Legend in the right-hand column of this page for examples. If this is wrong, your certificate will not work properly.
  7. Enter your Organization (e.g., My Great Company Ltd) and Organizational Unit (e.g., Sales). Click Next.
  8. Enter the rest of the fields using the CSR Legend in the right-hand column of this page for guidance and examples.
  9. Click Next to continue.
  10. The next screen of the wizard asks you to choose cryptography options. The default Microsoft RSA SChannel Cryptography Provider is fine, with a key bit-length of 2048.
  11. Click Next to continue.
  12. Finally, specify a file name for the certificate request. It doesn't matter what you call it or where you save it as long as you know where to find it. You'll need it in the next step. We recommend calling it certreq.txt.
  13. Click Finish to complete the certificate request (CSR) Wizard.
  14. Now, from a simple text editor such as Notepad (do not use Word), open the CSR file you just created at c:\certreq.txt (your path/filename may be different). You will need to copy and paste the contents of this file, including the top and bottom lines, into the relevant box during the certificate processing.
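A wrong Common Name or a short key only shows up after the certificate has been issued, so it is worth checking certreq.txt before pasting it into the CA's form. This is an added example, not part of the original guide: it assumes the file has been copied to a machine with the openssl command-line tool, and the function names and remote.example.com are illustrative.

```sh
#!/bin/sh
# Added example (not from the original post): check a CSR before submitting it.
# csr_cn, csr_bits, check_csr and remote.example.com are illustrative names.

# Print the Common Name found in the CSR subject.
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1
}

# Print the public key length in bits.
csr_bits() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public[ -]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# check_csr FILE EXPECTED_FQDN [MIN_BITS]
# Returns 0 only when the CN equals the expected name (case-insensitive,
# bare host name without scheme or path) and the key has at least
# MIN_BITS bits (default 2048, the length chosen in the wizard).
check_csr() {
    _cn=$(csr_cn "$1" | tr 'A-Z' 'a-z')
    _want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    _bits=$(csr_bits "$1")
    _min=${3:-2048}
    [ -n "$_cn" ] && [ -n "$_bits" ] || { echo "cannot parse CSR: $1" >&2; return 2; }
    case $_cn in
        */*) echo "CN must be a bare host name, got: $_cn" >&2; return 1 ;;
    esac
    [ "$_cn" = "$_want" ] || { echo "CN is $_cn, expected $_want" >&2; return 1; }
    [ "$_bits" -ge "$_min" ] || { echo "key is $_bits bits, need $_min" >&2; return 1; }
    echo "OK: CN=$_cn, $_bits-bit key"
}

# Constructed sample: a throwaway key and CSR so the check can be tried offline.
# make_sample_csr OUTFILE FQDN
make_sample_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2/O=Example Ltd" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}
```

Run it as `check_csr certreq.txt remote.example.com`, using the exact name users type into the browser.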

     

    Signing up and processing startssl CSR 

    Signup
    1. Firstly browse to http://startssl.com, click on sign up and fill in the mandatory details.
    2. You will be sent a verification code to the email address you registered with. Copy and paste this over and click continue.
    3. They will verify your address etc. and send another code; copy and paste this over after opening their link, then click continue.
    4. You'll be asked to generate a private key; leave it as medium grade and click continue.
    5. You'll be prompted to install the certificate to your browser; click yes (I was using Internet Explorer). This cert is to log you onto your control panel. You may need to click the install button on their website again.
    6. Now I suggest you export the private key to a secure, backed-up place: open Internet Options > Content tab > click Certificates. Highlight the cert just installed and click Export. Click Next, select 'yes, export private key' and click Next, tick 'include all certificates in the certificate path if possible' and 'export all extended properties', then click Next. Type in a password and click Next, browse to where you want to save the file, name it and click Next, then click Finish.
    7. Back on the website, click continue.
    Validate Domain
    1. You may need to refresh the page to show the control panel wizard tabs. First we need to run through a validation wizard to add a new domain.
    2. From the type field select domain name validation and click continue.
    3. Fill out the domain name and click continue.
    4. They will want to verify by email, so choose an address that will get through and that you can access. I used postmaster@mydomain. Click continue.
    5. Check your email, copy and paste the verification code back over to the website, click continue and then finish.
    Sign Request
    1. Now you can sign a CSR for that domain. Click on the certificates wizard.
    2. Change the certificate target to 'web server ssl/tls certificate' and click continue. Click skip, since we will copy and paste the contents of the CSR over, and click continue.
    3. Click continue again, select the correct domain and click continue.
    4. Enter www for the subdomain and click continue and then continue again.
    5. You should normally see a page displaying the signed certificate contents, from which you can copy and paste to your server, but on this occasion my request had to be manually checked!

    Import Certificate Windows 2008

    There are some general steps below to import a certificate:
    1. Import the SSL certificate into IIS. Run IIS Manager and select the ServerName (left side, Connections).
    2. Under the IIS Features view (middle section), open Server Certificates and import the SSL certificate here (right side, Actions).
    3. Select the web site (left side, Connections), open Bindings (right side, Actions) and associate/bind the wildcard cert with the appropriate https, host and port (443).
    4. In Remote Desktop Session Host Configuration, if you want to change the certificate, open Properties on 'RDP-Tcp'; at the bottom of the 'General' tab click Select and choose the certificate needed. If you want to change back to the self-signed cert, click Default.

    Friday, September 7, 2012

    Sheeva Plug Basic Loading Fedora Arm 17

    This is a rough post I'll tidy up later!!

    Basically, you will be writing an image to USB or SD card on your laptop/PC.
    Then on the plug you set up the U-Boot variables.
    Then you boot the media in the plug.
    Then, consoled onto the plug, you set up your software.
    ----------------------------------------------------------

    Uboot settings are below for either sdcard or usb

    #boot from usb
    printenv
    set bootargs 'console=ttyS0,115200 root=/dev/sda2 rootdelay=5'
    set loadInitrd 'fatload usb 0:1 0x7400000 uInitrd-kirkwood'
    set loadImage 'fatload usb 0:1 0x6400000 uImage-kirkwood'
    set bootcmd 'usb start; ${loadImage}; ${loadInitrd} ; bootm 0x6400000 0x7400000; reset'
    saveenv

    #boot from sdcard
    setenv bootargs_console 'console=ttyS0,115200 root=/dev/mmcblk0p2 rootdelay=5'
    setenv bootcmd_mmc 'mmcinit; fatload mmc 0:1 0x6400000 uImage-kirkwood; fatload mmc 0:1 0x7400000 uInitrd-kirkwood'
    setenv bootcmd 'setenv bootargs $(bootargs_console); run bootcmd_mmc; bootm 0x6400000 0x7400000'
    saveenv

    --------------------------------------------------------
    Do this stuff from your laptop

    #howto write an image to a raw device! Note the Fedora image will resize upon boot.
    #replace the image name and /dev/sdb with your own image file and target device
    xzcat f17arm-latest-arm-rpi-xfce-mmcblk0.img.xz | sudo dd bs=1M of=/dev/sdb
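The dd command above overwrites whatever device it is pointed at, so a guard in front of it is worth having. The following is an added example, not part of the original post: safe_target and write_image are illustrative names, and the SYSFS and MOUNTS variables exist only so the checks can be tried against a constructed directory tree.

```sh
#!/bin/sh
# Added example (not from the original post): refuse to dd onto the wrong disk.
# SYSFS and MOUNTS default to the real system; they are overridable only so
# the checks can be exercised against a constructed directory tree.
SYSFS=${SYSFS:-/sys/block}
MOUNTS=${MOUNTS:-/proc/mounts}

# safe_target /dev/sdX
# Returns 0 if the device is a whole disk, is flagged removable by the
# kernel and has no mounted partitions; otherwise prints the reason to
# stderr and returns 1.
safe_target() {
    _name=${1#/dev/}
    [ -d "$SYSFS/$_name" ] ||
        { echo "$1: not a whole-disk device" >&2; return 1; }
    [ "$(cat "$SYSFS/$_name/removable" 2>/dev/null)" = "1" ] ||
        { echo "$1: not flagged removable" >&2; return 1; }
    if grep -q "^$1" "$MOUNTS"; then
        echo "$1: has mounted partitions, unmount them first" >&2
        return 1
    fi
    return 0
}

# write_image IMAGE.xz /dev/sdX
# Decompresses and writes the image only after the checks pass;
# conv=fsync makes dd flush to the device before it reports completion.
write_image() {
    safe_target "$2" || return 1
    xzcat "$1" | sudo dd bs=1M of="$2" conv=fsync
}

# Usage: write_image f17arm-latest-arm-rpi-xfce-mmcblk0.img.xz /dev/sdb
```

Built-in SD card readers often report removable as 0; in that case confirm the device by hand with lsblk rather than bypassing the check.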

    #howto open a terminal quickly to catch the boot interrupt
    sudo chown uucp /dev/ttyUSB0; sudo cu -s 115200 -l /dev/ttyUSB0

    ------------------------------------------------------------
    Now put your stick in your plug and boot up!

    The initial root password for Fedora is fedoraarm; do change the password.

    setup network
    For static IP configuration you need to edit the following files using a text editor such as vi. Edit /etc/sysconfig/network as follows, enter:
    # cat /etc/sysconfig/network
    Sample static ip configuration:


    NETWORKING=yes
    HOSTNAME=fedoraArm
    GATEWAY=10.4.50.5


    Edit /etc/sysconfig/network-scripts/ifcfg-eth0, enter:
    # cat /etc/sysconfig/network-scripts/ifcfg-eth0
    Sample static ip configuration:


    # Intel Corporation 82573E Gigabit Ethernet Controller (Copper)
    DEVICE=eth0
    BOOTPROTO=static
    DNS1=208.67.220.220
    DHCPCLASS=
    HWADDR=00:50:43:01:c1:e6
    IPADDR=10.4.50.30
    NETMASK=255.255.255.0
    ONBOOT=yes


    Note that you can't edit /etc/resolv.conf to set up DNS servers by hand; it is set by script.


    Finally, you need to restart the networking service, enter:
    # /etc/init.d/network restart
    To verify new static ip configuration for eth0, enter:
    # ifconfig eth0
    # route -n
    # ping 192.168.1.254
    # ping google.com


    #To enable routing on the laptop so the Sheeva plug can go through my laptop over wireless, set the laptop's eth0 to static 10.4.50.5
    sudo sysctl -w net.ipv4.ip_forward=1
    sudo iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

    #change password for root
    passwd

    #setup dev tools to build cgminer
    yum groupinstall 'Development Tools'
    yum install libusb libudev openssl-* ncurses-* libcurl-devel

    mkdir /root/src
    cd /root/src

    #compile cgminer
    wget http://ck.kolivas.org/apps/cgminer/cgminer-2.7.5.tar.bz2
    tar -xvjf cgminer-2.7.5.tar.bz2
    cd cgminer-2.7.5
    CFLAGS="-O2 -Wall -march=native" ./configure --enable-bitforce
    make
    make install


    #compile bfgminer
    cd /root/src
    wget http://luke.dashjr.org/programs/bitcoin/files/bfgminer/2.7.5/bfgminer-2.7.5.tbz2
    tar -xvjf bfgminer-2.7.5.tbz2
    cd bfgminer-2.7.5
    ./configure
    make
    make install

    Friday, June 1, 2012

    Tesla Coils, Magnifying Transmitter

    Whilst I was looking into amateur radio I stumbled upon Tesla coils being used to transmit longitudinal waves via a scalar field. It's a very different use from the popular ones, such as playing music and giving amazing light shows.

    PLEASE NOTE ELECTRICITY CAN BE DANGEROUS DO SO AT YOUR OWN RISK I AM NOT RESPONSIBLE FOR ANYTHING YOU DO!


    And with modern solid-state circuits we can now use this effect at safer power levels, which is very different from when Nikola Tesla used spark gaps and very high voltage to produce this effect!
    The great thing about scalar fields is you can communicate globally without creating radiation either via transverse waves employed in current radio technology or electromagnetic waves produced by wifi and microwave ovens. The trick is to find the resonant frequency of the coils you've wound. Now the expensive part is buying a function generator that can cover a wide frequency band.

    The other option is to replicate the work of others, which has the benefit of narrowing down the frequency band you need to scan to find the resonant frequency. A lot more information on the open source project can be found here. I have to say that the manual seemed a little vague in some sections.

    I've started my own build based on the information in the open source manual; however, I have used the materials I had to hand or that were easily accessible.

    The ball shape is actually from a dome lamp made of glass. I covered it in foil and used aluminum tape to keep the flapping bits down. You could use the zinc primer paint used in welding, which is 90% zinc when dry!

    The coil is made from approx 4mm copper tube; I will have to check the gauge later. The secondary (inner coil) has 18 windings and the primary has 5. The base board was made from scraps of wood I had left over. I fitted an M12 zinc threaded rod into a 10mm hole with bolts either side. I had to grind the top into a hex shape to screw it fully through the board.


    Here is a rubber bung stuck on top to rest the glass domes on. I think they came out of a new washing machine (the restrainers for transit).

    I totally changed tack and remade a set of coils more closely following the open source manual. Here are some photos/screenshots from that setup. And as you will see, I have a higher voltage on the receiver at two certain frequency ranges. Anything outside of that gives a lower reading than the transmitter!