Is Certificate Name Filtering possible with Glassfish? - glassfish

I know it is possible with Apache using SSLRequire ( %{SSL_CLIENT_S_DN_O} eq "Foo Net" and %{SSL_CLIENT_S_DN_OU} in {"Department of Department Creation"} )
Is there any similar capability with Glassfish?
Thanks,
Dave
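
An added example, not from the original post and not a GlassFish feature: the predicate that the SSLRequire line above expresses, evaluated in Python against the subject DN string. It does not make GlassFish filter on the DN by itself; it shows the parsing and policy logic you would put in a servlet Filter, where the Servlet API exposes the client chain as the request attribute javax.servlet.request.X509Certificate and cert.getSubjectX500Principal().getName() returns an RFC 2253-format string of the shape used here. The sample subjects are constructed.

```python
# Added example (not GlassFish code): the check Apache's SSLRequire expression performs,
# written against the subject DN string so it can run in any filter in front of the app.

ALLOWED_O = "Foo Net"                                  # %{SSL_CLIENT_S_DN_O} eq "Foo Net"
ALLOWED_OU = {"Department of Department Creation"}    # %{SSL_CLIENT_S_DN_OU} in {...}


def parse_dn(dn: str) -> dict:
    """Parse an RFC 4514 distinguished name into {ATTRIBUTE: [values]}.

    Handles backslash escapes ('\\,' '\\+' '\\\\' ...) and '+' multi-valued RDNs.
    Hex-encoded (#...) values are not decoded; they are returned as written.
    """
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped character: take the next one literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch in ",+":                         # unescaped separator ends the current value
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))

    components = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        components.setdefault(name.strip().upper(), []).append(value)
    return components


def client_allowed(subject_dn: str) -> bool:
    """True when the subject's O is ALLOWED_O and at least one OU is in ALLOWED_OU."""
    comps = parse_dn(subject_dn)
    return ALLOWED_O in comps.get("O", []) and any(
        ou in ALLOWED_OU for ou in comps.get("OU", [])
    )


if __name__ == "__main__":
    # Constructed sample subjects (not taken from the original post).
    for dn in (
        "CN=dave,OU=Department of Department Creation,O=Foo Net,C=US",
        "CN=eve,OU=Department of Department Creation,O=Foo\\, Net,C=US",   # O is "Foo, Net"
        "CN=mallory,OU=Sales,O=Foo Net,C=US",
    ):
        print(f"{client_allowed(dn)!s:5}  {dn}")
```

The escaped comma case is the one a naive `split(",")` gets wrong: an organisation named "Foo, Net" would be split into two RDNs and could be made to look like "Foo Net" by an attacker who controls the subject string of a certificate your CA will sign.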

Related

How to verify TLSv1.2 SSL database connection in Python 3.x (sqlalchemy)

Currently I'm using mysql_engine = sqlalchemy.create_engine() in my Python code to connect to a MySQL database. I did some reading online and it says that TLSv1.2 is the default connection version, but I want to find a way to verify this. Can I do something like query something from the database and check whether the version it returns is v1.2 or not?
Here's what I tried by following this link:
I queried from MySQL workbench show variables like '%ssl%'; and it returns:
Variable_name Value
have_openssl YES
have_ssl YES
ssl_ca xxx
ssl_capath
ssl_cert xxx
ssl_cipher xxxxxxxx
ssl_crl
ssl_crlpath
ssl_key xxx
This inspired me to try show variables like '%tls_version%'; and it returns:
Variable_name Value
tls_version TLSv1,TLSv1.1,TLSv1.2
I thought it would only return TLSv1.2; does anyone know why it returns three versions? Any help would be appreciated. Thanks.
Update: I read online that we can use Wireshark to verify TLSv1.2; can someone point me in the direction of a comprehensive guide regarding how to achieve this with Wireshark in Python please?
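
An added example, not from the original post. The tls_version variable queried above lists the protocol versions the server is willing to speak, which is why it shows three; what a given connection actually negotiated is in the session status variables Ssl_version and Ssl_cipher (both empty when the connection is plaintext). The code runs that query through a DB-API cursor, enforces a minimum version, and shows how to reach the raw connection from a SQLAlchemy engine; the FakeCursor and its rows are constructed sample data so the check runs offline.

```python
# Added example, not from the original post. Verifies the TLS version a *session* actually
# negotiated. `SHOW VARIABLES LIKE 'tls_version'` only lists what the server permits; the
# per-connection result lives in the session status variables Ssl_version and Ssl_cipher.

ACCEPTABLE = ("TLSv1.2", "TLSv1.3")


def ssl_status(cursor) -> dict:
    """Return {name: value} for the Ssl_* session status variables via a DB-API cursor."""
    cursor.execute("SHOW SESSION STATUS LIKE 'Ssl_%'")
    return {name: value for name, value in cursor.fetchall()}


def verify_tls(status: dict, acceptable=ACCEPTABLE) -> str:
    """Return the negotiated version, or raise if the session is plaintext or too old."""
    version = status.get("Ssl_version", "")
    if not version:
        raise RuntimeError("connection is not encrypted (Ssl_version is empty)")
    if version not in acceptable:
        raise RuntimeError(f"negotiated {version}; expected one of {acceptable} "
                           f"(cipher: {status.get('Ssl_cipher', '?')})")
    return version


def verify_engine(engine) -> str:
    """SQLAlchemy variant: borrow a raw DB-API connection from the engine's pool.

    Assumes a MySQL engine such as sqlalchemy.create_engine("mysql+pymysql://...").
    """
    raw = engine.raw_connection()
    try:
        cur = raw.cursor()
        try:
            return verify_tls(ssl_status(cur))
        finally:
            cur.close()
    finally:
        raw.close()


class FakeCursor:
    """Constructed stand-in for a DB-API cursor so the check can run without a server."""

    def __init__(self, rows):
        self._rows = rows
        self.last_sql = None

    def execute(self, sql, params=None):
        self.last_sql = sql

    def fetchall(self):
        return list(self._rows)


# Constructed rows shaped like MySQL's result for the statement above (sample data).
TLS12_ROWS = [("Ssl_cipher", "ECDHE-RSA-AES128-GCM-SHA256"), ("Ssl_version", "TLSv1.2")]
TLS10_ROWS = [("Ssl_cipher", "AES128-SHA"), ("Ssl_version", "TLSv1")]
PLAIN_ROWS = [("Ssl_cipher", ""), ("Ssl_version", "")]

if __name__ == "__main__":
    for rows in (TLS12_ROWS, TLS10_ROWS, PLAIN_ROWS):
        try:
            print("OK:", verify_tls(ssl_status(FakeCursor(rows))))
        except RuntimeError as exc:
            print("FAIL:", exc)
```

Run verify_engine(mysql_engine) once at application start-up: a server that still advertises TLSv1 and TLSv1.1 will happily negotiate them with an old client library, and this check fails loudly instead of silently accepting a downgraded session.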

Integrating Yubikey Token details within LDAP with FreeIPA on CentOS

I would like to integrate YubiKey token details within FreeIPA's LDAP (389 Directory Server).
I'm trying to follow those instructions to extend the LDAP schema with YubiKey information. The LDAP extensions don't work out of the box and I'm trying to correct them.
I have changed the attributeTypes and objectClasses definitions to
dn: cn=schema
#
attributeTypes: ( 1.3.6.1.4.1.40789.2012.11.1.2.1 NAME 'yubiKeyId' DESC 'Yubico YubiKey ID' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.21 X-ORIGIN 'Example' )
objectClasses: ( 1.3.6.1.4.1.40789.2012.11.1.2.2 NAME 'yubiKeyUser' DESC 'Yubico YubiKey User' SUP top AUXILIARY MAY ( yubiKeyId ) X-ORIGIN 'Example' )
With those modifications, IPA is able to restart, but when I try to import a token ID with the command
ipa user-mod --addattr="objectClass=yubiKeyUser" --addattr="yubiKeyID=ccccc1234567" user1
I'm getting the following error: ipa: ERROR: yubiKeyId: value #0 invalid per syntax : invalid syntax.
I'm using:
CentOS: Linux release 7.5.1804
FreeIPA: VERSION: 4.5.4, API_VERSION: 2.228
Thank you for your help
There is a typo in the instructions you've chosen to follow, and the schema definition is incorrect.
Replace it with this one, and things should work.
attributeTypes: ( 1.3.6.1.4.1.40789.2012.11.1.2.1 NAME 'yubiKeyId' DESC 'Yubico YubiKey ID' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'Example' )
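
An added example, not from the original answer and not FreeIPA or 389-ds code: a small checker for attributeTypes definitions that names the SYNTAX OID and flags an EQUALITY rule whose assertion syntax does not match it. Against the two definitions in this thread it reports the original one (syntax 1.21, Enhanced Guide, paired with caseIgnoreIA5Match) and passes the corrected one (1.26, IA5 String). The OID and matching-rule tables are the RFC 4517 subsets needed here; the sample definitions are copied from the thread.

```python
import re

# Added example, not from FreeIPA or 389-ds. Parses an attributeTypes definition and
# reports the SYNTAX it declares plus any mismatch with the EQUALITY matching rule.

# LDAP syntax OIDs from RFC 4517 (subset).
SYNTAX_NAMES = {
    "1.3.6.1.4.1.1466.115.121.1.7": "Boolean",
    "1.3.6.1.4.1.1466.115.121.1.12": "DN",
    "1.3.6.1.4.1.1466.115.121.1.15": "Directory String",
    "1.3.6.1.4.1.1466.115.121.1.21": "Enhanced Guide",
    "1.3.6.1.4.1.1466.115.121.1.24": "Generalized Time",
    "1.3.6.1.4.1.1466.115.121.1.26": "IA5 String",
    "1.3.6.1.4.1.1466.115.121.1.27": "INTEGER",
}

# Equality rules and the syntax their assertion values use (RFC 4517 section 4.2, subset).
RULE_SYNTAX = {
    "caseIgnoreIA5Match": "1.3.6.1.4.1.1466.115.121.1.26",
    "caseExactIA5Match": "1.3.6.1.4.1.1466.115.121.1.26",
    "integerMatch": "1.3.6.1.4.1.1466.115.121.1.27",
    "booleanMatch": "1.3.6.1.4.1.1466.115.121.1.7",
    "distinguishedNameMatch": "1.3.6.1.4.1.1466.115.121.1.12",
    "generalizedTimeMatch": "1.3.6.1.4.1.1466.115.121.1.24",
}

FIELDS = {
    "oid": re.compile(r"^\s*\(\s*([0-9.]+)"),
    "name": re.compile(r"\bNAME\s+\(?\s*'([^']*)'"),      # first NAME, with or without ( )
    "equality": re.compile(r"\bEQUALITY\s+(\S+)"),
    "syntax": re.compile(r"\bSYNTAX\s+([0-9.]+)"),         # stops before any {len} suffix
}


def parse_attribute_type(definition: str) -> dict:
    """Pull OID, (first) NAME, EQUALITY and SYNTAX out of an attributeTypes value."""
    body = definition
    if definition.lower().startswith("attributetypes:"):
        body = definition.split(":", 1)[1]
    parsed = {}
    for key, rx in FIELDS.items():
        match = rx.search(body)
        parsed[key] = match.group(1) if match else None
    return parsed


def check_attribute_type(definition: str) -> list:
    """Return a list of problems; an empty list means the definition is consistent."""
    at = parse_attribute_type(definition)
    problems = []
    if not at["oid"] or not at["name"]:
        problems.append("definition must start with '( <oid>' and carry a NAME")
    if not at["syntax"]:
        problems.append("no SYNTAX given")
        return problems
    syntax_name = SYNTAX_NAMES.get(at["syntax"], "unknown syntax")
    expected = RULE_SYNTAX.get(at["equality"] or "")
    if expected and expected != at["syntax"]:
        problems.append(
            f"EQUALITY {at['equality']} is defined over {SYNTAX_NAMES[expected]} ({expected}) "
            f"but SYNTAX is {syntax_name} ({at['syntax']})"
        )
    return problems


def is_ia5(value: str) -> bool:
    """Values stored under IA5 String (1.26) must be 7-bit ASCII."""
    return all(ord(ch) < 128 for ch in value)


# The two definitions from the thread: the original and the corrected one.
SAMPLE_WRONG = ("attributeTypes: ( 1.3.6.1.4.1.40789.2012.11.1.2.1 NAME 'yubiKeyId' "
                "DESC 'Yubico YubiKey ID' EQUALITY caseIgnoreIA5Match "
                "SYNTAX 1.3.6.1.4.1.1466.115.121.1.21 X-ORIGIN 'Example' )")
SAMPLE_FIXED = SAMPLE_WRONG.replace("115.121.1.21", "115.121.1.26")

if __name__ == "__main__":
    for label, definition in (("original", SAMPLE_WRONG), ("corrected", SAMPLE_FIXED)):
        print(label, check_attribute_type(definition) or "OK")
    print("ccccc1234567 is IA5:", is_ia5("ccccc1234567"))
```

Run it over a schema LDIF before loading it: a definition can be syntactically acceptable to the server at restart time and still reject every value you try to store, which is exactly the symptom in the question.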

puppet master didn't pass agent hostname/fqdn to enc script

Puppet version: 3.6.2
In order to simplify the management of ssl certificates, our puppet agents use the same certname, certname=agent.puppet.com
When the puppet master gets a request from an agent (hostname: web00.xxx.com), it executes the ENC script with the certname as parameter.
node_terminus = exec
external_nodes = /home/ocean/puppet/conf/bce_puppet_bns
puppet.log:
2015-05-06 09:55:34 +0800 Puppet (debug): Executing '/home/ocean/puppet/conf/bce_puppet_bns agent.puppet.com'
How do I configure the puppet master to pass the agent's real hostname/FQDN to the ENC script, like:
/home/ocean/puppet/conf/bce_puppet_bns web00.xxx.com
Or how can I get the agent's hostname/FQDN in the ENC script?
Don't.
Don't use any info other than $clientcert passed from the agent.
Don't share certificates among different agents.
There are deeply rooted assumptions in Puppet that each agent node has an individual certificate. You will wreak havoc in your infrastructure by trying such stunts.
For example, PuppetDB data is usually grouped by owning agents' certnames. This data will become inconsistent quickly with all agents calling themselves the same, but being quite different of course.
Ensure the puppetmaster config says this:
[master]
node_name = facter
Alter auth.conf so that all the sections have the "agent.puppet.com" cert, like this:
# allow nodes to retrieve their own catalog
path ~ ^/catalog/([^/]+)$
method find
allow $1
allow agent.puppet.com
# allow nodes to retrieve their own node definition
path ~ ^/node/([^/]+)$
method find
allow $1
allow agent.puppet.com
# allow all nodes to access the certificates services
path /certificate_revocation_list/ca
method find
allow *
# allow all nodes to store their own reports
path ~ ^/report/([^/]+)$
method save
allow $1
allow agent.puppet.com
That's just puppetmaster <=> client; Felix is right that if you are using PuppetDB, that would have to be altered too.

How to enable certain cipher-suites in WildFly?

I want to explicitly enable certain cipher-suites on my WildFly application server.
Therefore I tried to edit the configuration in WildFly's standalone.xml.
Let's assume I want to enable the AES128-GCM-SHA256 cipher (cipher suite names from: OpenSSL documentation).
I've edited the standalone.xml file of my WildFly server like this:
<https-listener name="listener" socket-binding="https" security-realm="ssl-realm" enabled-cipher-suites="AES128-GCM-SHA256"/>
The WildFly boots up normally but when I open the page in my browser an error message appears.
Chrome says:
ERR_SSL_PROTOCOL_ERROR
Firefox says:
ssl_error_internal_error_alert
I've tried this with WildFly 8.1 and 8.2.
Anybody out there who can give me advice on how to correctly enable certain cipher suites?
Regards Tom
You have to add an attribute called "enabled-cipher-suites" to the "https-listener" found at "subsystem undertow" -> "server".
An example for this configuration can be found here.
Unfortunately this example is wrong when it comes to the value of this attribute. You must not name such things as "ALL:!MD5:!DHA" but instead some explicit cipher suites.
You have to call them by their SSL or TLS cipher suite names and not their OpenSSL names.
So instead of "AES128-GCM-SHA256" you have to write "TLS_RSA_WITH_AES_128_GCM_SHA256".
To make the confusion complete you have to use "," instead of ":" as delimiter if you want to name more than one suite.
Regards
Ben
I can confirm Ben's answer. The documentation for how to configure this is sparse. I would suggest the following ciphers to support:
TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
In addition, the 'ALL' tag does not work, and the best method is to list the ones that you wish to include and not the ones that you wish to exclude, as that '!' marking does not appear to be supported.
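
An added example, not WildFly's or Undertow's code: a converter that takes an OpenSSL cipher string like the one in the question, lets the local OpenSSL (through Python's ssl module) expand it to cipher-suite code points, and emits the comma-separated IANA names that enabled-cipher-suites expects. The IANA_NAMES table is a subset of the IANA TLS Cipher Suite registry covering the suites discussed in this thread; extend it for anything else OpenSSL selects.

```python
import ssl

# Added example (not WildFly/Undertow code). Converts an OpenSSL-style cipher string into
# the comma-separated IANA names that enabled-cipher-suites expects.

# IANA names keyed by TLS cipher-suite code point (subset of the IANA registry).
IANA_NAMES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0x009F: "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}


def openssl_spec_to_iana(spec: str) -> list:
    """Expand `spec` (e.g. 'AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256') to IANA names."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)                       # raises ssl.SSLError when nothing matches
    names = []
    for cipher in ctx.get_ciphers():            # OpenSSL's preference order
        if cipher["protocol"] == "TLSv1.3":
            continue                            # TLS 1.3 suites are listed regardless of spec
        code = cipher["id"] & 0xFFFF            # drop OpenSSL's 0x0300 prefix
        if code not in IANA_NAMES:
            raise KeyError(f"{cipher['name']} (0x{code:04X}) missing from IANA_NAMES; add it")
        names.append(IANA_NAMES[code])
    return names


def wildfly_attribute(spec: str) -> str:
    """Value for enabled-cipher-suites: IANA names joined with ',' (OpenSSL's ':' is wrong here)."""
    return ",".join(openssl_spec_to_iana(spec))


if __name__ == "__main__":
    # The suite from the question plus the two forward-secret variants suggested above.
    print(wildfly_attribute(
        "ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256"))
```

Because the expansion is done by the OpenSSL on the machine where you run it, a suite that OpenSSL refuses under its security level (for example RSA key exchange at SECLEVEL 3) is simply absent from the output, which is a useful hint that you probably do not want it in WildFly either.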

Problems with SSL and multi level subdomains

I have a wildcard SSL from Godaddy. When I go here:
https://conciergelive.conciergeliveapp.com/users_session/new
Everything is fine. But when I go here:
https://es.conciergelive.conciergeliveapp.com/users_session/new
I get a security alert. I need the extra subdomain to determine locality. Any ideas why this does not work?
According to RFC 2818 Http Over SSL, section 3.1:
Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., *.a.com matches foo.a.com but not bar.foo.a.com
It explains why the name *.conciergeliveapp.com in the certificate matches conciergelive.conciergeliveapp.com but not es.conciergelive.conciergeliveapp.com.
Your SSL cert is really only good for *.conciergeliveapp.com, you will need another SSL cert for *.conciergelive.conciergeliveapp.com
You can reference the RFC-2818 http://www.ietf.org/rfc/rfc2818.txt
And checkout ServerFault for more detail:
https://serverfault.com/questions/104160/wildcard-ssl-certificate-for-second-level-subdomain
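
An added example, not from the original answer: the RFC 2818 section 3.1 rule quoted above, implemented so a hostname can be tested against a certificate's names before deployment. The leftmost_only switch (on by default) adds the RFC 6125 section 6.4.3 restriction that browsers apply, honouring a wildcard only in the leftmost label. The certificate names used in the demo are assumed from the answer's description of the GoDaddy certificate.

```python
# Added example, not from the original answer. RFC 2818 section 3.1 wildcard matching:
# '*' stands for exactly one label (or a fragment of one) and never spans a dot.


def wildcard_matches(pattern: str, hostname: str, leftmost_only: bool = True) -> bool:
    """True when `hostname` matches the certificate name `pattern`."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):      # *.a.com has 3 labels; bar.foo.a.com has 4
        return False
    for index, (p, h) in enumerate(zip(p_labels, h_labels)):
        if "*" not in p:
            if p != h:
                return False
            continue
        if p.count("*") > 1 or (leftmost_only and index != 0):
            return False                    # RFC 6125: wildcard only in the leftmost label
        head, tail = p.split("*")           # fragment form such as 'f*o' (RFC 2818)
        if not h or len(h) < len(head) + len(tail):
            return False
        if not (h.startswith(head) and h.endswith(tail)):
            return False
    return True


def cert_covers(hostname: str, cert_names) -> bool:
    """True when any DNS name on the certificate (CN or SAN) matches `hostname`."""
    return any(wildcard_matches(name, hostname) for name in cert_names)


if __name__ == "__main__":
    cert = ["*.conciergeliveapp.com"]      # assumed: the names on the certificate in the question
    for host in ("conciergelive.conciergeliveapp.com",
                 "es.conciergelive.conciergeliveapp.com",
                 "conciergeliveapp.com"):
        print(f"{cert_covers(host, cert)!s:5}  {host}")
```

The third hostname shows the other edge of the same rule: *.conciergeliveapp.com does not cover the bare conciergeliveapp.com either, which is why wildcard certificates are normally issued with the apex name as an additional SAN.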