Drifter104's questions

I currently have Shib SP (v3) running to protect a website lets call it site1.example.com. Lets say example.com uses an IDP called example1_auth and it is up and running as expected. I have other websites on the same server, they are completely separate from example.com they have different subdomains, different purposes they just share the resources of the server (Lets call the server server1)

I now need to configure Shib SP to protect one of these other websites lets call this other site site2.example.com and it will use example2_auth as its IDP

My question is how do I protect the additional site, what changes are required to the shibboleth2.xml file and attribute-map.xml

From what I understand I need to do at least the following Add an additional site to the <InProcess> section

<InProcess>
    <ISAPI normalizeRequest="true" safeHeaderNames="true">
        <Site id="5" name="site1.example.com" scheme="https" port="443"/>
        <Site id="15" name="site2.example.com" scheme="https" port="443"/> <!--New-->
    </ISAPI>
</InProcess>

Add an additional host to the <RequestMapper> section, so that would look something like this

<RequestMapper type="Native">
    <RequestMap>
        <Host name="site1.example.com" port="443" scheme="https">
            <Path name="secure" authType="shibboleth" requireSession="true"/>
        </Host>
        <!--New-->
        <Host name="site2.example.com" port="443" scheme="https">
            <Path name="secure" authType="shibboleth" requireSession="true"/>
        </Host>
    </RequestMap>
</RequestMapper>

Assuming those parts are correct. What changes are required here?

<ApplicationDefaults entityID="https://site1.example.com/Shibboleth"
    REMOTE_USER="eppn subject-id pairwise-id persistent-id"
    cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1">
    <Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="cookie" handlerSSL="false" cookieProps="; HttpOnly; path=/; secure" >
        <SSO entityID="site1_auth">
    SAML2 SAML1
    </SSO>
        <Logout>SAML2 Local</Logout>
        <LogoutInitiator type="Admin" Location="/Logout/Admin" acl="127.0.0.1 ::1" />
        <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
    </Sessions>

    <MetadataProvider type="XML" validate="true" path="C:\opt\SSO_Metadata\site1.xml"/>
    <MetadataProvider type="XML" validate="true" path="C:\opt\SSO_Metadata\site2.xml"/>

    <!-- Map to extract attributes from SAML assertions. -->
    <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
    
    <!-- Default filtering policy for recognized attributes, lets other data pass. -->
    <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

    <!-- Simple file-based resolvers for separate signing/encryption keys. -->
    <CredentialResolver type="File" use="signing"
        key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/>
    <CredentialResolver type="File" use="encryption"
        key="sp-encrypt-key.pem" certificate="sp-encrypt-cert.pem"/>
    

I think I need to add an <ApplicationOverride> section within this part but I'm not sure that's right, but the documentation points to a better way but never really full explains fully what that might be, or at least from what I've seen. I find the confluence documentation lacks fully fledge examples to go from.

Apologies for the long post

I have a network with Live, User Acceptance, staging and development servers (In this case windows mainly 2012r2, all Hyper-V guests). Each of these parts of the network has a frontend and backend server. The backend servers contain proportionally large amounts of data. Across the User Acceptance, staging and development servers this data does not change (apart from the occasional refresh from live) and it rarely accessed outside the development cycle.

In this type of environment how do you minimise storage consumption and avoid wasting storage space on static and rarely accessed data. The data consists of 1000's of files such as pdf, json, dwgs and pngs.

Things I've considered.

Deleting servers while not in use - Not a great option as sometimes the time to restore these servers out weighs the time developers are going to use them. Our backup solution is MS Data Protection manager.

Deleting data discs while not in use - Slightly better than above but again time is factor.

Moving data discs between servers - As they are Hyper-V guests I could just attach the data discs as required, however there are times where more than one environment is in use at the same time.

I have the following very simple PowerShell snippet that just won't work.

The following works

Get-MessageTrace -StartDate $dateStart -EndDate $dateEnd -PageSize 5000 `
    -SenderAddress [email protected] `
    | where {$_.RecipientAddress -like "*example.com*"} `
    | Select-Object SenderAddress, RecipientAddress, Subject 

While the following does not work

$dateStart = "03/20/2017"
$dateEnd = "03/27/2017"

Get-MessageTrace -StartDate $dateStart -EndDate $dateEnd -PageSize 5000 `
    -SenderAddress [email protected] `
    | where {$_.RecipientAddress -like "*example.com*"} `
    | Select-Object SenderAddress, RecipientAddress, Subject 

Even if I replace the $dateStart and $dateEnd with various formats such as MM/dd/yyyy hh:mm:ss.

There is no error, just no results returned, however I've used where patterns that I know should return something. I've also ran the above (example that doesn't work) using today's date (which is the default when -startdate and -enddate are not specified) and that also doesn't work. Even though that is what the working example is effectively using.

So I've narrowed it down to the date but I can't see the problem. If I put in a date string that is wrong that at least gives and error, otherwise nothing. Any pointers?

I'm in the process of converting the last few on my XenServer VMs over to Hyper-V.

The majority of them have been Windows machines and I've done a backup and restore using Windows Backup. For some of the windows boxes I've used the XenServer export process to create and XVA file and I've then converted that to the VHDs that I could then use in Hyper-V.

Both ways have worked perfectly but when I attempted to the export and convert process for the a few linux boxes it didn't work as well.

I created the XVA, I used Xenconvert to convert and create the VHDs but when I attached these to a Hyper-V VM I just got a flashing cursor. Having done some research I believe it is because of the way the HDDs are named differently. For example the original machine in /dev/ will show xvda, xvda1..... but in Hyper-V I believe these will be sda, sda1......

This is where I'm a little lost.... I booted one of the machines to the boot menu on a converted machine and looked at the menu and arguements options but I could see no reference to a xvda. So either my assumptions are wrong above or I'm looking in the wrong place or both?

Any help would be appreciated, even if the suggestion is to do this in a totally different way.

EDIT1: (Adding boot menu information)
If I select the first item on the boot menu and press e I'm presented with the following

root (hd0,0)  
kernel /vmlinuz-2.6.32-573.12.1.e16.x86_64 ro root=dev/mapper/VolGroup-lv_root rd_NOLUKS LANG=en_US.UTF-8 rd_NO_MD console=hvc0 KEYTABLE=us rd_LVM_LV=VolGroup/lv_swap SYSFONT=latacyrheb-sun16 rhgb crashkernel=auto quiet rd_LVM_LV=VolGroup/lv_root rd_NO_DM
initrd /initramfs-2.6.32-573.12.1.e16.x86_64.img

EDIT2: (Linux Version and fstab)

The Linux Version is Centos 6.7

copy of /etc/fstab (I took a stab and tried changing the UUID to the UUID of the new disk but that didn't seem to work

I have a 5 node Hyper-V cluster running.

All 5 servers are running Server 2012 R2, each node is attached two devices using iSCSI. The device I'm having problems with had a single volume that was used as a CSV. This was presented to the servers under c:\clusterstorage\volume2

I have gone through the process of moving all VM storage on to a new device, the new CSVs are up and running and nodes are connected. Everything for the new device is working correctly.

I then tried to remove the old device as a shared storage device by doing the following. I used PowerShell to get the paths of all VHDs on the cluster and none are pointing at c:\clusterstorage\volume2 I checked the configuration paths are not pointing at c:\clusterstorage\volume2 I also checked that the snapshot paths are not pointing at c:\clusterstorage\volume2

I started removing the iSCSI target on 4 of the nodes (The 4 the storage resources was not currently 'assigned' to) and this was successful. I then went to Failover Cluster Manager and set the CSV to offline. Instantly 2 of the VMs went into a saved state (luckily not critical servers). I brought the resource back online and started the machines. I inspected the settings page for each VM and there was no reference to c:\clusterstorage\volume2\ on either. I then went looking for the configuration files just to manually ensure something wasn't different between them and the settings page. I first looked in c:\clusterstorage\volume2\ the folder for either VM was not present here. I looked in the new locations c:\clusterstorage\volume5\ and c:\clusterstorage\volume6\ the folder for each VM was here. I checked the configuration files and they were exactly as they should be and didn't contain any reference to c:\clusterstorage\volume2\ I checked the C:\ProgramData\Microsoft\Windows\Hyper-V\Virtual Machines where I found the shortcuts for each VM pointing at the new volume locations.

In short nothing I can find points to c:\clusterstorage\volume2\ but if I take that CSV offline the two machines go into a saved state.

Even stranger I tried this again while writing this and yes the two machines went into a Saved State but I was able to start them again even though the CSV remained in a offline state. I now have two VMs where on the resource tab for each the storage shows as offline, but they are 'working'

So can anyone point me at a possible fix for this, perhaps a configuration file I've not found? Or would my best course of action be to delete the VMs while preserving VHDs and create a new VM and attach the original VHDs.

Sorry for the wall of text.

I'm trying to get the OS version of a selection of the computers on my domain. I created a powershell command that does this but it is missing the computer name on the output.

This is the command
Get-ADComputer -Filter {name -Like "test"} | select "name" | foreach {$_.name} {Get-WmiObject -Class Win32_OperatingSystem -ComputerName $_.name} | Select-Object Description, Caption,SevicePackMajorVersion | out-gridview

I've tried adding addtional select-objects but they are all blank. I'm thinking this is because this wmiobject simply doesn't contain the machine name.

So my question is, as I'm piping in the name with $_.name is it possible it can be part of the output as well. I've tried using variations of ($_.name) in the select-object command but to no avail.

I have Nginx running purely as a proxy to a various number of web servers. One of our clients has asked us to use client certificates and has provided us 3 certificates for the 3 different machines that will connect to a webservice running on one of the proxied servers.

Having never done this before I found the relevant nginx settings and created a site config (relevant part below)

      server {
        listen                  443 ssl; 
        server_name             service.domain.com;
        ssl_certificate         /etc/nginx/ssl/wildcard/server.crt; 
        ssl_certificate_key     /etc/nginx/ssl/wildcard/server.key; 
        ssl_client_certificate  /etc/nginx/ssl/client.certificates/client_package.cer;
        ssl_verify_client on;

I concatenated the 3 client certificates plus a certificate created by a developer (this one was self signed) who needed to access the site during development into the single file mentioned above.

The client has now tried to access the site but is unable to do so. As a test of the config I removed the developer cert from the concatenated certificate file and confirmed he was unable to access the site. Once I added his cert back in to the concatenated file he (developer) was able to access the site correctly again.

I turned on debug level access on the error log and when the client tried to connect I got the following error.

2015/08/13 11:57:41 [info] 27601#0: *1963 client sent no required SSL certificate while processing SPDY, client: 1x.xx.xx.xx, server: service.domain.com, request: "GET /test.cfm HTTP/1.1", host: "service.domain.com"

As you can see from the configuration above I don't have SPDY enabled (but I do on other sites), and the client ensures me they are sending the client certificates. As this is the first time I've done this I want to make sure that before I go back and say my logs say you aren't sending a client certificate, I've got everything correct this end.

With regards to the certificates that were sent to me: All 3 are signed by the same public certificate authority. I don't however have the whole chain in concatenated file. What guides I've found on-line mention having the root ca as well, but they all talking about self-signed which none of these are. So I'm not sure that applies.

To clarify as well I'm not trying to pass the client certificate to the proxied server either.

nginx version: nginx/1.8.0
openssl version: OpenSSL 1.0.1k 8 Jan 2015

If there is any more information needed please let me know

I have a new requirement to encrypt the data inside an sql database while it is at rest.

So far I've looked at Bitlocker (see below), and other commercial products (I won't name because I'm not looking for this product is best answers). I've also looked at SQL Transparent Data Encryption.

TDE seems to be the fairly easy option, but given the pricing for sql is very high when looking at using 6 cores. I've been asked to find other options.

The primary question I have is regarding Bitlocker and its use inside a hyper-v guest and on the hyper-v host.

Firstly can Bitlocker be used inside a hyper-v guest, 50% of posts I've found say it isn't supported the others say it is?

Also should I use it at the hyper-v host level? Here is where things get a little fuzzy for me. If I enable on the boot volume then yes the host can't be booted without a start up password (one option) but that doesn't encrypt the data on the shared storage, and I assume I can't encrypt the iSCSI volumes because they are shared between multiple nodes in our hyper-v cluster. Which then makes it pointless because if someone steals the storage device they can read the data.

What I currently have is the following
EC2x2 Instance in Tokyo (1 Proxy 1 Application)
EC2x2 Instance in Singapore (1 Proxy 1 Application)

With another another provider we have geo dns, so Tokyo users go to Tokyo instance and Singapore to Singapore.

I'm looking at moving to Route53 (I already have other DNS zones with Amazon) because I'd like to take advantage of the failover with Health Check. Having looked at the examples of how to configure it, I'm still unsure how to configure what I want, which is as follows.

I've configured 2 health checks one for each location, and these are working.
I've configured 2 DNS entries both called proxy.domain.com each with a routing policy of GeoLocation and selected Japan and Singapore and add the relevant EC2 IP to each.
I'm now trying to configure the cname site.domain.com so that if either location is unavailable users will fail over to the other instance.

However what seems to happen is what I also expect to happen. Even when the DNS fails over because the secondary target is the same DNS name as the primary target, the location of the user always wins and the other instance IP is never returned. Example

Japan ip: 1.1.1.1 Singapore ip: 2.2.2.2

From Singapore Ping site.domain.com > 2.2.2.2
Turn off Singapore (Health check confirms unhealthy)
Waiting for TTLs to expire, flushdns.
From Singapore Ping site.domain.com > 2.2.2.2 (At this point I want this to return 1.1.1.1)

I'm writing a small script that needs at one point to connect to a machine that is not a domain member. The machine the script is run from will always be a domain member.

I've found that using the following works

cd WSMan:\localhost\Client    
Set-Item .\TrustedHosts -Value "*" -Force

but I'm looking for an alternative because to use the above commands powershell has to be "run as administrator" and it is only effective during that PS session.

I'm using nginx as a reverse proxy and I'm trying to turn off sslv3 support.
I have found various answers both on here and other various sites. They all suggest all I need to do is add something like the following to the default http block in my nginx.conf

ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers                 "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS:!RC4";
ssl_prefer_server_ciphers   on;

I've done that and have even tried this full config from https://cipherli.st/

ssl_ciphers "AES128+EECDH:AES128+EDH";
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
resolver_timeout 5s;  

I still only get a 'C' rating on SSL Labs (regardless of any change I make), with the following reasons

This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C.
This server accepts the RC4 cipher, which is weak. Grade capped to B.

I have also restarted the server so I know the configuration changes have been applied.

nginx -v
nginx version: nginx/1.9.0

/etc/issue
Ubuntu 14.04.2 LTS \n \l

openssl version -a
OpenSSL 1.0.1f 6 Jan 2014 built on: Thu Mar 19 15:12:02 UTC 2015 platform: debian-amd64 options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx) compiler: cc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM OPENSSLDIR: "/usr/lib/ssl"

Any suggestions?

I have a strange issue with a trailing /

I'm using nginx and it is functioning correctly with one small exception.
I have the following site config

    server {
listen         80;
return         301 https://$server_name$request_uri/;
server_name    sub1.sub2.domain.com;
}
    server {
 listen              443 ssl; # The ssl directive tells NGINX to decrypt
                              # the traffic
 server_name         sub1.sub2.domain.com;
 ssl_certificate     /etc/nginx/ssl/sub1.sub2.domain.com/server.crt; # This is the certificate file
 ssl_certificate_key /etc/nginx/ssl/sub1.sub2.domain.com/server.key; # This is the private key file
 location / {
            proxy_pass http://1.1.1.1:8880;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;    
    }
}

I have an offsite authentication service running and securing a subfolder called secure, so if a request for either /secure or /secure/ is requested they are sent to the off-site authentication service. Once they are authenticated they are redirected back to the whatever url they initial requested. If after authentication they happen to request /secure/ everything works perfectly. If they type /secure (no trailing /) nginx does a 301 redirect after authentication and replaces the https with http, so they get to http://sub1.sub2.domain.com/secure and then go through another redirect back to https

From what I've read here http://nginx.org/en/docs/http/ngx_http_core_module.html#location this is the correct behaviour, but the solution to define /secure/ and /secure as seperate location files doesn't seem to work, and it also doesn't mention anything in that example about the https to http change. Any help would be greatly appreciated.