@ Wednesday, 10. Sep, 2014 – 17:47:43
@ Wednesday, 01. Jan, 2014 – 18:45:31
As many of us do, we get a solution working, whether it is from VMware or from another software or application vendor. When all is good and working, we then look to get rid of the certificate warnings and errors caused by using self-signed certificates.
This is a procedure for replacing the self-signed certificates of VMware vCloud Director 5.5 with CA-signed SSL certificates.
The source for this procedure is VMware's documentation. There are a few things I wanted to add, as the information is missing from VMware's documentation.
I hope others are able to find this post and save themselves some time. The more experienced people who are replacing the certificates will probably be able to work their way around the small issues I encountered. This will help those who are more unsure.
Four things I wanted to add.
- Firstly, VMware's process works. For those of you worried about something bad happening or Director breaking because of the swap of certificates, rest assured it will not (at least, it certainly did not for me).
- VMware's documentation, I suspect, is recycled from the 5.1 or earlier SSL documentation. The reason I suspect this is that the key pair generated in the store is RSA and defaults to 1024 bits. The CA I used did not accept this and wanted 2048 bits; public CAs no longer sign 1024-bit RSA keys. The keytool option that sets the key size, -keysize 2048, is not shown in VMware's documentation.
- Some CAs provide .crt files rather than .cer files. VMware's documentation shows the import of .cer files, but a .crt file works just as well for the root, intermediate and your SSL site certificate. The extension does not matter to keytool; it reads the file contents, whether DER or Base64 (PEM) encoded.
- Confirmed: wildcard certificates work without issue.
Let's begin the change process.
You most likely already have a certificates.ks file somewhere on the vCloud Director server's file system. It was created when you created the self-signed certificates. If you did not create self-signed certificates, that is okay too. A .ks (keystore) file will be created when you follow this procedure.
I opted to create the keystore file in the /opt/vmware folder of the vCloud Director file system, logged in as root.
If there is already a .ks file there, rename it or move it out. It can get confusing if there is more than one file.
Renaming it will not stop any services. The keystore file is used by the Director configure script and is not touched after that unless the configure script is run again. Keep the old keystore until the new certificates are confirmed working; it holds the private keys the running services were configured with.
My vCloud Director server operating system is CentOS 6.4 x64. I have installed the GNOME desktop and the gedit package as well. I have two vCloud Director servers, both with the same version of CentOS (yes, I did the certificate swap from self-signed to CA-signed on both servers).
Recall from the installation of vCloud Director that you have two network interfaces: one for the HTTP service (alias name http) and the other for the console proxy service (alias name consoleproxy). Each gets its own key pair and certificate in the keystore.
- Log in as root.
- Start your Linux desktop if you installed one (in my case startx gets it going), then open a terminal window to proceed.
- Change directory to /opt/vmware (# cd /opt/vmware).
- Confirm (# pwd).
- Check for other keystores (# ls -al). This procedure creates a certificates.ks file. If one already exists, rename it.
1. Create an untrusted certificate in the new keystore for the HTTP service.
This command creates an untrusted (self-signed) 2048-bit RSA key pair and certificate in a keystore file named certificates.ks. Note the -keysize 2048 option: the vCloud Director documentation does not include it, and without it keytool defaults to a 1024-bit key. Replace passwd with a strong keystore password; you will need it again when you rerun the configure script. A password given with -storepass is visible in your shell history and in the process list while keytool runs, so clear it from the history afterwards.
keytool -keystore certificates.ks -storetype JCEKS -storepass passwd -genkey -keyalg RSA -keysize 2048 -alias http
2. Answer the organizational keytool questions.
The keytool will ask for first and last name; type the fully qualified domain name associated with the IP address you want to use for the HTTP service, for example vcloud.yourdomain.com (this should be resolvable from the Internet, but could be internal as well). This name becomes the CN of the certificate, so it must match the name users type into their browsers.
3. For the remaining organization questions asked by the keytool, provide appropriate answers for your organization and location, as shown in this example.
What is your first and last name? [Unknown]: vcloud.yourdomain.com
What is the name of your organizational unit? [Unknown]: Cloud Engineering Dpt.
What is the name of your organization? [Unknown]: your company name
What is the name of your City or Locality? [Unknown]: your city
What is the name of your State or Province? [Unknown]: your state or province
What is the two-letter country code for this unit? [Unknown]: AU, or US, or GB, etc.
Is CN=vcloud.yourdomain.com, OU=Cloud Engineering Dpt., O="your company name", L="your city", ST=your state, C=AU correct? [no]: yes
Enter key password for <http> (RETURN if same as keystore password):
Press RETURN here so that the key password is the same as the keystore password; the configure script asks for only one keystore password.
4. Create a certificate signing request for the HTTP service.
This command creates a certificate signing request in the file http.csr. The CSR data is what you will provide to the CA when requesting the certificate. The private key stays in the keystore; only the CSR leaves the server.
keytool -keystore certificates.ks -storetype JCEKS -storepass passwd -certreq -alias http -file http.csr
5. Create an untrusted certificate for the console proxy service.
This command adds a second key pair and untrusted certificate to the keystore file created in Step 1. Again, note the -keysize 2048 option.
keytool -keystore certificates.ks -storetype JCEKS -storepass passwd -genkey -keyalg RSA -keysize 2048 -alias consoleproxy
6. When keytool asks for your first and last name, type the fully qualified domain name associated with the IP address you want to use for the console proxy service.
7. For the remaining questions, provide answers appropriate for your organization and location, as shown in the example in Step 3.
8. Create a certificate signing request for the console proxy service.
This command creates a certificate signing request in the file consoleproxy.csr.
keytool -keystore certificates.ks -storetype JCEKS -storepass passwd -certreq -alias consoleproxy -file consoleproxy.csr
9. Send the certificate signing requests to your Certification Authority.
If your certification authority requires you to specify a Web server type, use Jakarta Tomcat. In my case, the certificate authority did not have Jakarta Tomcat as an option; they had only Tomcat, which is the same thing.
10. The CA will provide you with the signed certificates. For simplicity, save the files in the same folder, /opt/vmware, then import them into the keystore file using the commands below. In addition to the SSL certificates issued for your CSRs, you will need to import your CA's root and intermediate certificates into the store. Recall that the keystore file is new and started empty: the only things in it are what we put into it, so we need to add the CA's certificates to complete the chain to our certificates. Import them in this order: root, intermediate, then your certificates. The root and intermediate go in under new aliases; your two certificates must be imported under exactly the aliases used in Steps 1 and 5 (http and consoleproxy), which is how keytool knows to treat each file as the reply for that key pair and replace the self-signed certificate with the signed chain. If you import a signed certificate under a different alias, it becomes a separate trusted entry and the service keeps using the self-signed one.
a Import the Certification Authority's root certificate into the keystore file.
The following command imports the CA's root certificate from the root.cer file into the certificates.ks keystore file. If you were provided a .crt file, use that file; you do not have to convert it or rename it to another extension. If the name of the root certificate is not root.cer or root.crt, change the command below to the name provided, or rename your file to match the command for simple copy and paste. keytool shows the certificate's fingerprint and asks whether to trust it; compare the fingerprint with the one published by your CA before answering yes.
keytool -storetype JCEKS -storepass passwd -keystore certificates.ks -import -alias root -file root.cer
b (Optional) If you received intermediate certificates, import them into the keystore file.
This command imports the intermediate certificate from the intermediate.cer or intermediate.crt file into the certificates.ks keystore file. If the CA gave you more than one intermediate, import each under its own alias (intermediate1, intermediate2, and so on).
keytool -storetype JCEKS -storepass passwd -keystore certificates.ks -import -alias intermediate -file intermediate.cer
c Import the certificate for the HTTP service.
Now it is time to import the SSL certificate for the vCloud Director HTTP service.
This command imports the certificate from the http.cer file into the certificates.ks keystore file. If you were provided a .crt file, that is fine to use. If keytool reports that it failed to establish a chain from the reply, the root or intermediate is missing or wrong; fix that first.
keytool -storetype JCEKS -storepass passwd -keystore certificates.ks -import -alias http -file http.cer
d Import the certificate for the console proxy service.
This command imports the certificate from the consoleproxy.cer file into the certificates.ks keystore file. Again, a .crt file is fine.
keytool -storetype JCEKS -storepass passwd -keystore certificates.ks -import -alias consoleproxy -file consoleproxy.cer
11. To verify that all the certificates are imported, list the contents of the keystore file.
keytool -storetype JCEKS -storepass passwd -keystore certificates.ks -list
You will see the root, the intermediate and your two certificates: root and intermediate are listed as trustedCertEntry, http and consoleproxy as PrivateKeyEntry. If you are using a wildcard certificate, you will not see the FQDN names; you will see *.yourdomain.com. Add -v to the command to see each entry's owner, issuer and certificate chain length; a chain length of 1 on http or consoleproxy means the signed certificate did not replace the self-signed one.
Rerun the "configure" script for Director (/opt/vmware/vcloud-director/bin/configure) with the vmware-vcd service stopped; it asks for the path to the keystore and its password. Start the service again afterwards and check from a browser, or with openssl s_client, that both the HTTP and the console proxy addresses present the CA-signed chain.
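The whole procedure above, as an added example that is not part of the original post or of VMware's documentation. It wraps the keytool commands in functions and adds a check of the "keytool -list -v" output that catches the two mistakes the steps warn about (a signed certificate imported under a new alias, or the CA chain not imported first). The keystore path, the STOREPASS variable, the certificate file names and the sample listing are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not from the post or from VMware): the keytool steps above as
# functions, plus a check of "keytool -list -v" output. KS, STOREPASS and the
# CA file names are illustrative assumptions.

KS="${KS:-/opt/vmware/certificates.ks}"
STORETYPE=JCEKS
# Change this. A password passed as -storepass is visible in shell history and
# in the process list while keytool runs.
STOREPASS="${STOREPASS:-passwd}"

kt() { keytool -keystore "$KS" -storetype "$STORETYPE" -storepass "$STOREPASS" "$@"; }

# Steps 1 and 5: 2048-bit RSA key pair for one service alias. -dname supplies
# the answers to the interactive questions; -keysize (not -size) sets the size.
gen_keypair() {   # gen_keypair http vcloud.yourdomain.com "OU=Cloud Eng, O=Example, L=City, ST=State, C=AU"
  kt -genkey -keyalg RSA -keysize 2048 -alias "$1" -dname "CN=$2, $3"
}

# Steps 4 and 8: CSR for the CA, written to <alias>.csr.
make_csr() { kt -certreq -alias "$1" -file "$1.csr"; }

# Step 10: import in this order. root and intermediate go in under new aliases
# (trustedCertEntry); the signed certificates go in under the SAME alias as the
# key pair so keytool treats them as replies and replaces the self-signed cert.
import_chain() {   # import_chain root.crt intermediate.crt http.crt consoleproxy.crt
  kt -import -noprompt -alias root -file "$1"
  kt -import -noprompt -alias intermediate -file "$2"
  kt -import -alias http -file "$3"
  kt -import -alias consoleproxy -file "$4"
}

# Step 11: read "keytool -list -v" output on stdin and verify that root and
# intermediate are trustedCertEntry and that http and consoleproxy are
# PrivateKeyEntry with a chain longer than 1. Chain length 1 on a key entry
# means it still carries its self-signed certificate.
check_listing() {
  awk '
    /^Alias name: /               { alias = $3 }
    /^Entry type: /               { type[alias] = $3 }
    /^Certificate chain length: / { len[alias] = $4 }
    END {
      rc = 0
      split("root intermediate", ca, " ")
      for (i in ca)
        if (type[ca[i]] != "trustedCertEntry") { print "missing CA entry: " ca[i]; rc = 1 }
      split("http consoleproxy", svc, " ")
      for (i in svc) {
        if (type[svc[i]] != "PrivateKeyEntry") { print "no key entry: " svc[i]; rc = 1 }
        else if (len[svc[i]] + 0 < 2) { print "still self-signed: " svc[i]; rc = 1 }
      }
      exit rc
    }'
}

# After configure has been rerun and vmware-vcd restarted: what the service
# actually presents. A missing intermediate shows up here as "unable to get
# local issuer certificate" rather than in the keystore listing.
show_live() {   # show_live vcloud.yourdomain.com:443
  openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>/dev/null |
    openssl x509 -noout -subject -issuer -dates
}

# Constructed sample of "keytool -list -v" output (not captured from a real
# server) so the check can be exercised without a keystore.
SAMPLE_GOOD='Alias name: root
Entry type: trustedCertEntry

Alias name: intermediate
Entry type: trustedCertEntry

Alias name: http
Entry type: PrivateKeyEntry
Certificate chain length: 3

Alias name: consoleproxy
Entry type: PrivateKeyEntry
Certificate chain length: 3'

# Usage: sh vcd-certs.sh check   (checks the real keystore)
#        sh vcd-certs.sh demo    (runs the check on the sample above)
case "${1:-}" in
  check) kt -list -v | check_listing ;;
  demo)  printf '%s\n' "$SAMPLE_GOOD" | check_listing && echo "keystore OK" ;;
esac
```

Run the check before rerunning the configure script: it fails with a message naming the alias if the chain was not completed, which is cheaper to find at this point than after the service has been reconfigured and restarted.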
@ Thursday, 03. May, 2012 – 15:58:10
Error: NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have Replicating Directory Changes In Filtered Set access rights for the naming context
If you do not have RODCs (read-only domain controllers) in your domain, this error is safe to ignore. If you will have RODC Active Directory domain controllers in your domain, run adprep /rodcprep from the Windows 2008 R2 installation media. If running adprep on a 32-bit Windows 2003 or 2000 domain controller, use adprep32 /rodcprep from the same media. rodcprep must be run by a member of Enterprise Admins, as it changes permissions on every naming context in the forest.
@ Monday, 09. Apr, 2012 – 18:49:08
Right-clicking the Computer icon on the desktop or in Explorer and choosing Manage does nothing: Computer Management never starts.
The problem can be fixed with a registry change to the action that runs when you right-click Computer and select Manage.
Go to this key in the registry:
Change the program that is already there. By default it is %SystemRoot%\system32\CompMgmtLauncher.exe.
Change it to
mmc %SystemRoot%\system32\compmgmt.msc as shown in the image.
Right-click the Computer icon and choose Manage; Computer Management will now open.
Computer Manager Doesn't Open on Right Click
The solution above works every time for this problem unless the issue is more serious. The screen capture was taken from a computer, a server in this case, that was having the described issue: the Computer Management console was not opening. Before editing, check that the existing value really points at CompMgmtLauncher.exe and not at some other program; a shell command that has been redirected elsewhere is worth investigating rather than just overwriting.
Support Services - Microsoft RDP, Terminal Services RDS
Remote Desktop Connection (Remote Desktop Protocol)
Without Citrix, and prior to RDS on Windows Server 2008 R2, Remote Desktop Protocol was a client connection application and, for remote support of servers, it was and still is one of the most widely used applications for remote control of servers. Built into Microsoft's server and professional-level desktop operating systems, it was the common default method for getting remote access to and control of servers for remote administration and server and desktop support. On desktops this remote access and control feature was normally not turned on by default when the desktop operating system was installed; however, with a few clicks it could be, and was, enabled, even remotely by using remote registry access.
The color depth allowed for an RDP session with the earlier clients was often limited by default to a maximum of 24-bit color. This was not a technical limitation but a default setting in the registry of the target computer, set to a maximum of 24-bit depth to reduce bandwidth requirements. With a quick registry change on the remote computer, the color limit can be raised to true color (32-bit). In later releases of the operating system, such as Windows Vista, Windows 7, Windows 8, Server 2008 Standard, R2 and later, increasing the color depth does not require registry changes.
Supporting computers and servers over long distances is difficult and challenging at times, but with software that enables remote support over the Internet, small companies can become global companies without requiring a remote office in each distant location.
@ Saturday, 07. Apr, 2012 – 20:11:23
Enable RDP (Remote Desktop Connection) in Windows 7 Remotely using the Registry Editor - Regedit
Connect to the Remote Windows 7 Computer Using Regedit
First connect to the remote Windows 7 desktop over the network using regedit. Run regedit by clicking the Start button, entering regedit in the search field and hitting Enter. Do this on the local computer that will be used to connect to the remote Windows 7 computer, then use File, Connect Network Registry. This only works if the Remote Registry service is running on the remote computer and your account is a local administrator there.
Enable Remote Desktop in Windows 7 Remotely
Modify the registry value for Terminal Server RDP remote connections. Once you have accessed the remote Windows 7 computer's registry, navigate to the value fDenyTSConnections. It is found under HKLM -> SYSTEM -> CurrentControlSet -> Control -> Terminal Server.
Enable RDP on a Windows 7 Computer Remotely
Open and modify the fDenyTSConnections setting from 1 to 0 (1 denies remote connections, 0 allows them). Do this by double-clicking fDenyTSConnections in the right window pane of the registry editor. The value is a DWORD. Setting it through the registry does not enable the Windows Firewall "Remote Desktop" rule the way the System Properties dialog does, so if the connection still fails, allow TCP 3389 in the remote computer's firewall as well. This is also the same change an attacker with administrator credentials makes to open a machine up for remote access, so a change to this value on a computer that should not accept RDP is worth alerting on.
Microsoft RDP for PC Tech Support
Microsoft RDP is used by many for providing tech support of desktops and servers. Although RDP is built into most Microsoft Windows operating systems except the Home editions, it does not provide screen sharing. Also, it is turned off by default, or limits the users that can connect by default. An RDP (RDC) connection permits remote control of the remote desktop or server for tech support, or lets users work on their desktop remotely. It permits access to local files and to documents on network shares. It also permits local and remote printer access and access to all applications on the remote computer. It allows users to access their desktops from remote locations.
@ Sunday, 15. Jan, 2012 – 01:23:15
This was an Exchange 2003 to Exchange 2010 migration. It is a swing migration, as both servers coexist and have active mailboxes on both of them. There will be a migration of mailboxes, and then the Exchange 2003 server will be decommissioned and removed from the organization. In the end there will be a single Exchange 2010 email server.
No Email between Exchange 2003 And Exchange 2010 Servers
The problem with this install was that there was no email flow between the servers. No email worked between the servers, local mailbox to local mailbox. The solution was to configure a routing group connector that routes mail between the two servers. For whatever reason, this routing group connector was not added during the installation of Exchange 2010.
The image in this post is from a real Exchange 2010 server on which New-RoutingGroupConnector was run in the Exchange Management Shell. It has to be done from the Exchange 2010 server. The two routing groups, First Administrative Group and the default one created for the Exchange 2010 transport, can be seen on the Exchange 2003 server, but you cannot add this connector to route email between the two servers from the 2003 server.
This is the command that was run; only the server names have been changed:
[PS] C:\>New-RoutingGroupConnector -Name "Interop RGC" -SourceTransportServers "exchange 2010 server name" -TargetTransportServers "exchange 2003 server name" -Cost 10 -Bidirectional $true -PublicFolderReferralsEnabled $true
The above command worked perfectly. Get-RoutingGroupConnector lists the connector afterwards, so you can confirm both servers and the Bidirectional setting before testing mail flow in each direction.
You may have to start the Exchange shell as administrator.
@ Sunday, 08. Jan, 2012 – 16:21:21
Provide support of computers and servers through the web with remote control software that works through firewalls and over all sorts of networks. Networks including wireless, broadband such as 3G and 4G, and older technologies such as T1 circuits and other leased lines can be used to provide useful remote tech support. VPNs also permit access for remote support and remote control.
@ Wednesday, 04. Jan, 2012 – 04:25:29
Telnet Client Missing in Windows Server 2008 and Windows 7
client, Windows 7, telnet, 2008 Server, 2008 R2, Windows 8, 2012 Server
How to Add Telnet Client
Sadly, after many years of telnet being included in the default installation of Windows, it was dropped from the default installation in Vista and Windows 7, and in Windows Server 2008 and Windows Server 2008 R2.
The telnet client is not part of the default operating system install any more; it has to be installed as a "feature" in Windows Vista and later. Not a big deal, except when you are in a hurry trying to resolve a problem and need telnet to aid in the troubleshooting, only to find it is not available by default and you get the error message shown in the image included in this post, stating that telnet is not recognized.
- Adding Telnet Client to Windows 7
- Adding Telnet Client to Windows 2008 Server
- Adding Telnet Client to Windows 8
It is easy enough to add to both Windows 7 and Windows Server 2008. On Windows 7 go to Programs and Features and turn Windows features on or off; on Windows Server start Server Manager, go to Features in the left window pane, then click Add Features in the right window pane. Select Telnet Client (not Telnet Server; the server accepts unencrypted logins and should not be installed just to get the client). No reboot is required on Windows Server 2008, Windows 7 or Vista.
Add Telnet Client using Command Line On Windows 7, 8 and Windows Server
Open a command prompt as administrator and run the following command:
c:\> pkgmgr /iu:"TelnetClient"
There will not be a progress indicator. When the command prompt comes back, the installation is complete. Type telnet and hit Enter and you will see the Telnet client is now available, with no "not recognized" error. pkgmgr is deprecated in newer releases; dism /online /Enable-Feature /FeatureName:TelnetClient does the same job on Windows 7, Windows 8 and Windows Server 2008 R2 and later. Remember that telnet sends everything, including any passwords, in clear text; use it to test whether a port answers, not to log in to anything.
@ Tuesday, 27. Dec, 2011 – 23:20:54
Create icons for Windows, Macintosh, iPhone and Android with Axialis IconWorkshop.
IconWorkshop permits the creation of icons for Windows up to 256x256 for Vista and Windows 7, and for Apple Mac OS systems up to 512x512 for OS X Leopard. The software features instant conversion of icons and supports the Mac binary format for easy transfers. You also have the option to create PNG icon images for Android and iPhone projects. You can make your very own icons for all types of platforms today with IconWorkshop.
There is a plug-in for Visual Studio 2005, 2008 and 2010 that helps you work efficiently, a handy feature that developers will especially appreciate.
I worked with an older version of Axialis software years ago and it worked just great. I have not used this latest version, but for my next project I am pretty certain Axialis will be my pick. Their feature list and reliability can only have improved over the years.
@ Saturday, 17. Dec, 2011 – 18:35:32
One of the changes that Microsoft made in Windows Server 2008 and Windows Server 2008 R2, to something that had been the same for many years on previous versions of the operating system, is how an admin sets which program opens specific file types for all users.
It is no longer accomplished the way it used to be done on Windows Server 2000 or 2003 Terminal Server, where an administrator just had to log on and set, for the admin account, which program is used to open or view an image file such as a JPEG (.jpg). With Windows 2008 Terminal Server (RDS, Remote Desktop Services), every user has their own preference or choice. A better way of describing the difference is that with Windows 2003, Windows 2000 Server and previous versions with Terminal Server installed, the setting was at machine (computer) level. Now, with Windows Server 2008, the setting is per user.
I found a relatively easy way to accomplish the task. This solution may or may not be suitable for your environment. It works, but some location- or customer-specific differences may make the solution not a fit for you.
It is done by using the logon script that was already in use to merge a few settings into the registry for the user when they log on to the Windows 2008 terminal server, or to the Windows 2008 terminal server with Citrix XenApp 6.
Copy the following text into a Notepad file and save it with the name of your choice, but be sure to give it the extension .reg. The registry settings were exported from a Windows 2008 R2 server with XenApp 6 installed on it. If you are not using XenApp, it does not matter, as the registry setting is no different. I gave my file the descriptive name open-jpeg-with-userchoice-of-ie.reg:
Windows Registry Editor Version 5.00
Save the file and place it where it can be accessed by the logon script when it executes. The script I was using was a simple batch file in the NETLOGON folder. Add this line to the batch file (logon script), using the full path to the .reg file if the script does not run with NETLOGON as its current directory:
regedit.exe /s open-jpeg-with-userchoice-of-ie.reg
Now, the next time your users log on to the XenApp server or plain terminal server (Remote Desktop Services server), JPEG files will open with Internet Explorer and not with another image viewing program. Because the settings are merged at every logon, any choice a user makes themselves is overwritten at their next logon, which is the intended effect here. Keep the .reg file writable only by administrators: a logon script that silently merges a file into every user's registry is only as trustworthy as that file.
Remote support software is desktop or server remote control for access to servers or desktops through the web, for on-demand remote control and support. Remote support software enables corporate IT tech support departments and help-desk staff to support their company's users, either locally or through the Internet, although on local networks there are more options for providing support. Users can initiate sessions on a per-incident basis. Web-based desktop support sessions can be conducted over the Internet or on a local LAN or private WAN such as MPLS or a VPN.
Connections to remote systems such as desktops, servers and laptops are by default kept connected without timing out. Optionally, remote connections can be configured to reconnect even when there are network connectivity issues; the remote desktop will keep reconnecting to the viewer without requiring any input from the remote user.