
  • vCloud Director Replace Self Signed SSL Certificate with CA signed

    VMWare vCloud Director 5.1 and 5.5


    Replace Self-signed SSL certificate with CA Signed cert.

    As many of us do, we get a solution working, whether it's from VMware or another software or application vendor. When all is good and working, we then look to get rid of the certificate warnings and errors generated by using self-signed certificates.

    This is a procedure for replacing the self-signed certificates of VMware vCloud Director 5.5 with CA-signed SSL certificates.
    The procedure is derived from VMware's documentation. There are a few things I wanted to add, as the information is missing from VMware's documentation.

    I hope others find this post and save themselves some time. More experienced people replacing the certificate will probably work their way around the small issues I encountered; this will help those who are less sure.

    Four things I wanted to add.

      - Firstly, VMware's process works. For those of you worried about something bad happening or Director breaking because of the swap of certs, rest assured it will not (at least, it certainly did not for me).
      - VMware's documentation, I suspect, is recycled from the 5.1 or earlier SSL-generation documentation. The reason I suspect this is that the key generated in the store is RSA and defaults to 1024 bits. The CA I used did not like this and wanted 2048. The keytool option for a 2048-bit key (-keysize 2048) is not shown in VMware's documentation.
      - Some CAs provide us not .cer files but .crt files. VMware's documentation shows the import of .cer files; however, .crt files work just as well for the root, intermediate and your SSL site certificate.
      - Confirmed, wildcard certs work without issue.

    Let's begin the change process

    You most likely have a certificates.ks file already located somewhere on the vCloud Director server's file system. It was created when you created the self-signed certificates. If you did not create self-signed certificates, that is okay too. A .ks (keystore) file will be created when you follow this procedure.

    I opted to create the keystore file in the /opt/vmware folder of the vCloud Director file system, logged in as root.
    If there is already a .ks file there, rename it or move it out. It can get confusing if there is more than one file.

    Renaming it will not stop any services. The keystore file is read by the Director configuration script and is not touched after that unless the configuration script is run again.

    My VMware vCloud Director server operating system is CentOS 6.4 x64. I have installed the GNOME desktop and have the gedit package installed as well. I have two VMware vCloud Director servers, both with the same version of CentOS (yes, I did the certificate swap from self-signed to CA-signed on both servers).

    Recall from the installation of vCloud Director that you have two network interfaces: one for the HTTP service (alias name http) and the other for the console proxy service (alias name consoleproxy).

    - Log in as root.
    - Start your Linux desktop if you installed one (in my case startx gets it going), then open a terminal window to proceed.

    - Change directory to /opt/vmware (#cd /opt/vmware)
    - Confirm (#pwd)

    - Check for other keystores (#ls -al). This procedure creates a certificates.ks file. If one already exists, rename it.

    1. Create an untrusted certificate in the new keystore for the HTTP service.

    This command creates an untrusted 2048-bit certificate in a keystore file named certificates.ks. Note that we are using a 2048-bit RSA key; the keytool option for this is -keysize, which the vCloud Director documentation does not include.

    keytool -keystore certificates.ks -storetype JCEKS -storepass passwd -genkey -keyalg RSA -keysize 2048 -alias http

    2. Answer the organizational keytool questions.

    The keytool will ask for first and last name; type the fully qualified domain name associated with the IP address you want to use for the HTTP service, for example vcloud.yourdomain.com (this should be resolvable from the Internet but could be internal as well).

    3. For the remaining organization questions asked by the keytool, provide appropriate answers for your organization and location, as shown in this example.

    What is your first and last name? [Unknown]:vcloud.yourdomain.com
    What is the name of your organizational unit? [Unknown]:Cloud Engineering Dpt.
    What is the name of your organization? [Unknown]: your company name
    What is the name of your City or Locality? [Unknown]: your city
    What is the name of your State or Province? [Unknown]: your state or province
    What is the two-letter country code for this unit? [Unknown]: AU, or US, or UK, etc.
    Is CN=vcloud.yourdomain.com, OU=Cloud Engineering Dpt., O="your company name", L="your city", ST=your state, C=AU

    correct?[no]:yes
    Enter key password for <http> (RETURN if same as keystore password):

    4. Create a certificate signing request for the HTTP service.

    This command creates a certificate signing request in the file http.csr. The CSR data is what you will provide to the CA authority when requesting the certificate from them.

         keytool -keystore certificates.ks -storetype JCEKS -storepass passwd -certreq -alias http -file http.csr

    5. Create an untrusted certificate for the console proxy service.

    This command adds an untrusted certificate to the keystore file created in Step 1. Again, note the -keysize 2048 option.

         keytool -keystore certificates.ks -storetype JCEKS -storepass passwd -genkey -keyalg RSA -keysize 2048 -alias consoleproxy

    6. When keytool asks for your first and last name, type the fully-qualified domain name associated with the IP address you want to use for the console proxy service.

    7. For the remaining questions, provide answers appropriate for your organization and location, as shown in the example in Step 3.

    8. Create a certificate signing request for the console proxy service.

    This command creates a certificate signing request in the file consoleproxy.csr.

         keytool -keystore certificates.ks -storetype JCEKS -storepass passwd -certreq -alias consoleproxy -file consoleproxy.csr

    9. Send the certificate signing requests to your Certification Authority.

    If your certification authority requires you to specify a Web server type, use Jakarta Tomcat. In my case, the certificate authority did not have Jakarta Tomcat as an option. They had only Tomcat.

    10. The CA will provide you with the signed certificates. For simplicity of this procedure, save the files in the same folder, /opt/vmware, then import them into the keystore file using the following commands. In addition to your SSL certificate generated from your CSR data, you will need to import your CA's root and intermediate certificates into the store. Recall that the keystore file is new and started empty; the only things in it are what we put into it, so we need to add the CA's certs to complete the chain to our cert.

    a Import the Certification Authority's root certificate into the keystore file.

    The following command imports the CA's root certificate from the root.cer file to the certificates.ks keystore file.

    Using a .crt Certificate File for vCloud Director

    If you were provided a .crt file, use that file. You don't have to convert it or rename it to another extension. If the name of the root certificate is not root.cer or root.crt, change the command below to use the name provided, or rename your file to root.cer or root.crt to match the command for simple copy and paste.

         keytool -storetype JCEKS -storepass passwd -keystore certificates.ks -import -alias root -file root.cer

    b (Optional) If you received intermediate certificates, import them into the keystore file.

    This command imports intermediate certificates from the intermediate.cer or intermediate.crt file to the certificates.ks keystore file.

         keytool -storetype JCEKS -storepass passwd -keystore certificates.ks -import -alias intermediate -file intermediate.cer

    c Import the certificate for the HTTP service.

    Now it's time to import your SSL certificate for vmware vcloud director http service to use.

    This command imports the certificate from the http.cer file to the certificates.ks keystore file. If you were provided a .crt file, that is fine to use.

         keytool -storetype JCEKS -storepass passwd -keystore certificates.ks -import -alias http -file http.cer

    d Import the certificate for the console proxy service.

    This command imports the certificate from the consoleproxy.cer file to the certificates.ks keystore file. Again, a .crt file is fine.

         keytool -storetype JCEKS -storepass passwd -keystore certificates.ks -import -alias consoleproxy -file consoleproxy.cer

    11. To verify that all the certificates are imported, list the contents of the keystore file.

         keytool -storetype JCEKS -storepass passwd -keystore certificates.ks -list

    You will see the root, intermediate and your two certificates. If you are using a wildcard certificate, you will not see the FQDN names; you will see *.yourdomain.com.

    Rerun the "configure" script for director.
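    The whole keytool workflow above, collected into one non-interactive script as an added example (this is not code from the post or from VMware). It assumes keytool is on PATH, that the CA's files are saved as root.cer, intermediate.cer, http.cer and consoleproxy.cer in the working directory, and that the store password is the post's placeholder "passwd". The script name vcd-certs.sh is also an assumption. Besides running the commands, it checks the step 11 listing for the four expected entries with the right entry types, which is the quickest way to catch a service certificate that was imported as a bare trusted cert instead of as the reply to its key pair.

```shell
#!/bin/sh
# Added example, not from the original post: the keytool steps as a script.
# Assumptions: keytool on PATH; CA files root.cer, intermediate.cer, http.cer,
# consoleproxy.cer in the working directory; placeholder password "passwd".
KEYSTORE="${KEYSTORE:-certificates.ks}"
STOREPASS="${STOREPASS:-passwd}"   # placeholder from the post; change it

# Build the X.500 name keytool would otherwise prompt for (steps 2/3 and 6/7).
# Passing it with -dname avoids the interactive questions and typos in the CN.
dname_for() {  # $1=FQDN for CN, $2=OU, $3=O, $4=L, $5=ST, $6=two-letter country
    printf 'CN=%s, OU=%s, O=%s, L=%s, ST=%s, C=%s' "$1" "$2" "$3" "$4" "$5" "$6"
}

# Steps 1 and 5: generate a 2048-bit RSA key pair under the alias.
# The keytool option is -keysize (the post's text writes it as -size).
gen_key() {  # $1=alias, $2=distinguished name
    keytool -keystore "$KEYSTORE" -storetype JCEKS -storepass "$STOREPASS" \
        -genkey -keyalg RSA -keysize 2048 -alias "$1" -dname "$2" -keypass "$STOREPASS"
}

# Steps 4 and 8: write the CSR for the alias to <alias>.csr.
gen_csr() {  # $1=alias
    keytool -keystore "$KEYSTORE" -storetype JCEKS -storepass "$STOREPASS" \
        -certreq -alias "$1" -file "$1.csr"
}

# Step 10: import one certificate (.cer or .crt both work). When the alias
# already holds a key pair, keytool treats the file as the CA reply and only
# accepts it if it chains to a trusted certificate already in the store, which
# is why root and intermediate must go in first.
import_cert() {  # $1=alias, $2=certificate file
    keytool -keystore "$KEYSTORE" -storetype JCEKS -storepass "$STOREPASS" \
        -import -noprompt -alias "$1" -file "$2"
}

# Step 11: check a `keytool -list` listing for the four entries with the right
# entry types. JDK 6 prints keyEntry where newer JDKs print PrivateKeyEntry.
check_listing() {  # $1=text of the listing; returns 0 if complete, 1 if not
    for spec in root:trustedCertEntry intermediate:trustedCertEntry \
                http:PrivateKeyEntry consoleproxy:PrivateKeyEntry; do
        ent="${spec%%:*}"
        kind="${spec##*:}"
        if [ "$kind" = "PrivateKeyEntry" ]; then
            kind="(PrivateKeyEntry|keyEntry)"
        fi
        printf '%s\n' "$1" | grep -Eq "^$ent,.*, $kind" || return 1
    done
    return 0
}

# Constructed sample listing (what step 11 should show) so check_listing can
# be exercised without a keystore present.
SAMPLE_LISTING='Keystore type: JCEKS
Keystore provider: SunJCE

Your keystore contains 4 entries

root, 1 Jan 2014, trustedCertEntry,
Certificate fingerprint (SHA1): 00:11:22
intermediate, 1 Jan 2014, trustedCertEntry,
Certificate fingerprint (SHA1): 33:44:55
http, 1 Jan 2014, PrivateKeyEntry,
Certificate fingerprint (SHA1): 66:77:88
consoleproxy, 1 Jan 2014, keyEntry,
Certificate fingerprint (SHA1): 99:AA:BB'

# Phase 1 (before contacting the CA): keys and CSRs for both services.
request_phase() {  # $1=http FQDN, $2=console proxy FQDN, then OU O L ST C
    http_fqdn="$1"; proxy_fqdn="$2"; shift 2
    gen_key http "$(dname_for "$http_fqdn" "$@")"
    gen_csr http
    gen_key consoleproxy "$(dname_for "$proxy_fqdn" "$@")"
    gen_csr consoleproxy
    echo "Send http.csr and consoleproxy.csr to the CA, then run: $0 import"
}

# Phase 2 (after the CA replies): import chain and service certs, then verify.
import_phase() {
    import_cert root root.cer
    import_cert intermediate intermediate.cer
    import_cert http http.cer
    import_cert consoleproxy consoleproxy.cer
    listing=$(keytool -keystore "$KEYSTORE" -storetype JCEKS -storepass "$STOREPASS" -list)
    if check_listing "$listing"; then
        echo "keystore complete; rerun the vCloud Director configure script"
    else
        echo "keystore is missing entries:" >&2
        printf '%s\n' "$listing" >&2
        return 1
    fi
}

case "${1:-}" in
    request) shift; request_phase "$@" ;;
    import)  import_phase ;;
esac
```

    Usage: `sh vcd-certs.sh request vcloud.yourdomain.com vcloudproxy.yourdomain.com 'Cloud Engineering Dpt.' 'your company name' 'your city' 'your state' AU`, send the two CSRs to the CA, save its files next to certificates.ks, then `sh vcd-certs.sh import`. A wildcard certificate behaves as the post says: the CN in the listing is *.yourdomain.com, and the entry-type check still passes.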

  • Error ENTERPRISE DOMAIN CONTROLLERS Replicating Directory Changes Access


    Error: NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have Replicating Directory Changes In Filtered Set access rights for the naming context

    If you do not have RODCs (read-only domain controllers) in your domain, this error is safe to ignore. If you will have RODC Active Directory domain controllers in your domain, run adprep /rodcprep from the Windows 2008 R2 installation media. If running adprep on a Windows 2003 or 2000 domain controller, use adprep32 /rodcprep from the Windows 2008 R2 installation media.

  • Right Click Computer Icon Choose Manage Nothing Happens


    Right-clicking on the Computer icon on the desktop or in Explorer to start Computer Management, and nothing happens.

    The problem can be fixed with a registry change to the action that occurs when right-clicking Computer and selecting Manage.

    Go to this key in the registry:
    [HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\Manage\command]

    Change the program that is already there. By default it is %SystemRoot%\system32\CompMgmtLauncher.exe.

    Change it to
    mmc %SystemRoot%\system32\compmgmt.msc as shown in the image.

    Right-click on the Computer icon and choose Manage; Computer Management will now open.

    Computer Manager Doesn't Open on Right Click

    The solution above works every time for this problem unless the issue is more serious. The screen capture was taken from a computer, a server actually in this case, that was having the described issue - Computer Management Console was not opening.


    Support Services - Microsoft RDP, Terminal Services RDS

    Remote Desktop Connection (Remote Desktop Protocol)

    Without Citrix, and prior to RDS on Windows Server 2008 R2, Remote Desktop Protocol was a client connection application, and for remote access in support of servers it was, and still is, one of the most widely used applications for remote control of servers. Built into Microsoft server and professional-level desktop operating systems, it was a common default method for getting remote access and control of servers for remote administration and for server and desktop support. On desktops this remote access and control feature was not normally turned on by default with the installation of the desktop operating system; however, with a few clicks it could be, and was, enabled, even remotely by using remote registry access.
    The color depth allowed for an RDP session with the earlier clients was often limited by default to a maximum of 24-bit color. This was not a technical limitation but a default setting in the registry of the target computer. It was set to a maximum of 24-bit color depth to reduce bandwidth requirements. With a quick registry change on the remote computer, however, the color limit can be increased to true color (32-bit). In later releases of the operating system, like Windows 7, Windows 8, Vista, Server 2008 Standard, R2 and later, increasing the color depth does not require registry changes.

    Help and Assist computer users worldwide

    A Useful Way to Provide Tech Support

    Supporting computers and servers over long distances is difficult and challenging at times but with the use of software that enables remote access support over the internet, small companies can become global companies without requiring a remote office in each remote distant location.

  • Enable Remote Desktop Connection in Windows 7 using Regedit Remotely

    Enable RDP (Remote Desktop Connection) in Windows 7 Remotely using The Registry Editor - Regedit

    Connect to the Remote Windows 7 Computer Using Regedit

    First connect to the remote Windows 7 desktop over the network using Windows regedit. Run regedit by clicking on the Start button, entering regedit in the search field and pressing Enter. Do this on the local computer that will be used to connect to the remote Windows 7 computer.

    Enable Remote Desktop in Windows 7 Remotely

    Modify the registry key for Terminal Server RDP remote connections. Once you have accessed the remote Windows 7 computer's registry, navigate to the value fDenyTSConnections. It is found under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server.

    Enable RDP on a Windows 7 Computer Remotely

    Open and modify the fDenyTSConnections setting: set it to 0 (a value of 1 denies Remote Desktop connections, which is why RDP is off). Do this by double-clicking fDenyTSConnections in the right window pane of the registry editor. The value is a DWORD value.


    Windows 2008 RDP for Server Support

  • Exchange 2003 Exchange 2010 Migration Coexistence NO Email Flow


    This was an Exchange 2003 to Exchange 2010 migration. It is a swing migration, as both servers will coexist and have active mailboxes on both of them. There will be a migration of mailboxes and then the Exchange 2003 server will be decommissioned and removed from the organization. In the end there will be a single Exchange 2010 email server.

    No Email between Exchange 2003 And Exchange 2010 Servers

    The problem with this install was that there was no email flow between the servers. No email worked between the servers, local mailbox to mailbox. The solution was to configure a routing group connector that would route mail between the two servers. This routing group connector, for whatever reason, was not added during the installation of Exchange 2010.

    The image in this post is from a real Exchange 2010 server where New-RoutingGroupConnector was run in the Exchange Management Shell. It has to be done from the Exchange 2010 server. The two routing groups, the First Administrative Group and the default one created for the Exchange 2010 transport, can be seen on the Exchange 2003 server, but you cannot add this connector to route email between the two servers from the 2003 server.

    This is the command that was run; only the server names have been changed:

    [PS] C:\>New-RoutingGroupConnector -Name "Interop RGC" -SourceTransportServers "exchange 2010 server name" -TargetTransportServers "exchange 2003 server name" -Cost 10 -Bidirectional $true -PublicFolderReferralsEnabled $true

    The above command worked perfectly.

    You may have to start the Exchange shell as administrator.






  • PCTech Go Computer, Server, Software, Data Network Posts

    Provide support of computers and servers through the web with remote control software that works through firewalls and over all sorts of networks. Networks including wireless, broadband like 3G and 4G, and also older technologies like T1 circuits and other leased lines can be used to provide useful remote tech support. VPS also permit access for remote support and remote access control.

  • Telnet Client Missing in Windows Server 2008 Windows 7


    Sadly, after many years of telnet being included in the default installation of Windows, it was dropped in Vista and Windows 7, and in Windows Server 2008 and Windows Server 2008 R2.
    The telnet client is not part of the default operating system any more; it has to be installed as a "feature" in Windows Vista and later. Not a big deal, except when you are in a hurry trying to resolve a problem and need telnet to aid in the resolution, only to find it's not available by default and you get the error message shown in the image included in this post, stating that telnet is not recognized.

    • Adding telnet client to windows 7, windows 2008 server

    It is easy enough to add to both Windows 7 and Windows Server 2008. On Windows 7 go to Programs and Features; for Windows Server start Server Manager, go to Features in the left window pane, then click Add Features in the right window pane. Select Telnet Client (not Telnet Server). No reboot is required for either Windows Server 2008 or Windows 7 (or even Vista).




  • Axialis Icon WorkShop 6.6

    Create icons for Windows, Macintosh, iPhone and Android with Axialis IconWorkshop.
    IconWorkshop permits the creation of icons for Windows up to 256x256 for Vista and Windows 7, and for Apple Mac OS systems up to 512x512 for OS X Leopard. The software features instant conversion of icons and supports Mac's binary format for easy transfers. You also have the option to create PNG icon images for Android and iPhone projects. You can make your very own icons for all types of platforms today with IconWorkshop.

    There is a plug-in for Visual Studio 2005, 2008 and 2010 that lets a developer work efficiently with Visual Studio; developers will especially appreciate this handy feature.

    I worked with older versions of Axialis software years ago and it worked just great. I've not used this latest version, but for my next project I'm pretty certain Axialis will be my pick. Their feature list and reliability can only have improved over the years.

  • Set Default Program for Viewing images on XenApp and RDS 2008

    Set Default Program for Viewing images on XenApp and Windows RDS 2008 Server

    One of the things Microsoft changed in Windows Server 2008 and Windows Server 2008 R2, after it had been the same for many years on previous versions of the operating system, is how an admin sets which program opens specific file types for all users.

    The answer is that it's no longer accomplished the way it used to be done on Windows Server 2000 or 2003 Terminal Server, where an administrator just had to log on and set, for the admin account, which program is used to open or view an image file like a JPEG (.jpg). With Windows 2008 Terminal Server (RDS) every user has their own preference or choice. A better way of describing the difference is that with Windows 2003, Windows 2000 Server and previous versions with Terminal Server installed, the setting was at machine (computer) level; now with Windows Server 2008 the setting is per user.

    Configure 2008 RDS Terminal Server to Open JPG files with IE per user

    I found a relatively easy way to accomplish the task. This solution may or may not be suitable for your environment. It works, but some location- or customer-specific differences may make the solution not a fit for you.

    It is done by using the logon script that was already in use to merge a few settings into the registry for the user when they log on to the Windows 2008 terminal server, or Windows 2008 terminal server with Citrix XenApp 6.

    Copy the following text into a Notepad file and save it with the name of your choice, but be sure to give it the extension .reg. The reg settings were exported from a Windows 2008 R2 server with XenApp 6 installed. If you're not using XenApp, it doesn't matter, as the reg setting is no different. I gave my file the descriptive name open-jpeg-with-userchoice-of-ie.reg:

    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\OpenWithList]
    "a"="mspaint.exe"
    "MRUList"="cba"
    "b"="WORDPAD.EXE"
    "c"="iexplore.exe"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\OpenWithProgids]
    "jpegfile"=hex(0):

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\UserChoice]
    "Progid"="Applications\\iexplore.exe"

    Save the file, of course, and place it where it can be accessed by the logon script when it executes. The script I was using was a simple batch file in the NETLOGON folder. Add this line to the batch file (logon script):

    regedit.exe /s open-jpeg-with-userchoice-of-ie.reg

    Now, the next time your users log on to the XenApp server or plain terminal server (Remote Desktop Services server), JPEG files will open with Internet Explorer and not with another image viewing program.

    Online Remote Support Software

    Remote support software is desktop or server remote control, for access to servers or desktops through the web for on-demand remote control and support. Remote support software enables corporate information technology support departments and help-desk staff to support their company's users either locally or through the Internet, although on local networks there are more options for providing support. Users can initiate sessions on a per-incident basis. Web-based desktop support software sessions can be conducted over the Internet or on a local LAN or private WAN networks such as MPLS and VPNs.
    Connections to remote systems such as desktops, servers, laptops, etc., by default remain connected without timing out. Optionally, remote connections can be configured to reconnect even if there are network connectivity issues. The remote desktop will continue reconnecting to the viewer without requiring any input from a remote user.

  • XenApp Plug-in 12 Mouse and Keyboard Delay on Docking Station

    XenApp Plugin 12 Mouse and Keyboard Delay on Docking Station

    Recently had an issue where, when a laptop was reconnected to a docking station with a published app open, the keyboard and mouse would not work for approximately 20 to 30 seconds.
    The laptop was not frozen, and there was no problem with the published application. There was just a delay before the mouse and keyboard responded when the laptop was reconnected to the docking station. Performing the reverse triggered no problem: when the laptop was disconnected from the docking station, the track-pad and keyboard were functional and responded without any delay.

    Slow Mouse and Keyboard after re-connecting to docking station

    The solution to the problem of the keyboard and mouse not being responsive when reconnecting to the docking station had to do, of course, with plug and play. I opened the Computer Management devices application on XP and watched the plug and play devices get re-established.

    In version 12 of the full Citrix plug-in there is an .adm file that can be used in the local policy of the computer. The usual method of importing the .adm template file applies: open gpedit.msc, go to Administrative Templates and import. The template file is icaclient.adm. Have it downloaded and saved to an accessible location before starting gpedit.msc. Import the administrative template file into the local policy of the computer. Under Citrix, while in local group policy, disable the USB plug and play feature on the local system. That solved the issue.


    Online PC Remote Support Software

    Online web-based remote support software is desktop computer or server remote access for on-demand remote control for support. Online PC remote support software enables information technology support companies, such as those that provide managed services, to have remote access to client computers for providing "on the fly" technical support initiated on a per-call basis. Web-based remote desktop support software sessions can be conducted over the Internet or on local area networks or corporate private WAN networks including, but not limited to, MPLS, VPNs and dedicated MLC or SLC fiber links. Just as Citrix's ICA protocol does, these sessions can work well over other low-bandwidth connections.

    There are many options in regards to services for providing tech support through the web and for managing many computers, servers and user desktops. There are even support options for the many thin clients used in cloud computing solutions, although zero thin clients, which essentially have no operating system, are usually managed with a specialized client management solution, as are those that have a small built-in OS like Wyse thin clients with Windows Embedded. Tech support can be provided at the thin-client hardware level using remote control initiated natively through the management software. With admin mode, other software for remote access can be added for providing computer support internally and through the web.
