Securing your Apache webserver with a certificate from godaddy.com

Most of you probably run a webserver, for example a webaccess server. By default Apache uses a self-signed SSL certificate that is created during the installation of Apache.
The disadvantage is that when people access your secure website they get an error that the certificate cannot be validated because of an untrusted Certificate Authority (CA). This does not mean the site isn't secure (you know that, I know that), but to normal users it looks as if your company doesn't have a secure site.
Internet Explorer 8 has a new security feature, enabled by default, that makes the user accept the certificate for every new window that is opened. This is really annoying with, for example, a webaccess where you open an email in a new window. With Firefox you don't have this problem once you have accepted the certificate during a session.

So how can we solve this? Simply by getting a valid SSL certificate. So I looked at how to implement a certificate provided by Godaddy.com.
I chose a so-called "Standard (Turbo) SSL for 1 Year", which costs around 27 dollars a year.

In this post I assume you already have a working Apache with a self-signed SSL certificate, which we are going to replace.

Step 1 is to create a certificate request on the webserver. Log in as root and give the command:

openssl genrsa -des3 -out server.key 2048

You are asked for a pass phrase. This is used to encrypt the private key (server.key).

Step 2 is to create a request file that you are going to use to get a valid certificate. Give the command:

openssl req -new -key server.key -out server.csr

You are asked a couple of questions; make sure that where the Common Name is asked you provide the FQDN of your website.

#openssl req -new -key blog.wilmsenit.nl -out blog.wilmsenit.nl.csr
Enter pass phrase for blog.wilmsenit.nl:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:NL
State or Province Name (full name) [Some-State]:NB
Locality Name (eg, city) []:Eindhoven
Organization Name (eg, company) [Internet Widgits Pty Ltd]:WilmsenIT
Organizational Unit Name (eg, section) []:IT Department
Common Name (eg, YOUR name) []:blog.wilmsenit.nl
Email Address []:info@wilmsenit.nl

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:password
An optional company name []:WilmsenIT

Now you have a so-called .csr file, which we are going to use to request our certificate.

Go to the Godaddy website and buy the certificate. When you have bought the certificate you can go to the SSL page and click on the certificate. Now you are asked for the content of the csr file we created. Just cat the file and copy-paste the content into the screen. After this, follow the instructions on the screen.

Now your request is pending. After a while (this can take 2 to 24 hours) an email will be sent to the administrator of the domain for which we requested the SSL certificate. You can check this in any WHOIS database. In this email a validation link is provided. By clicking on that link you accept the request for the certificate.
After validation you can download the certificate file. When doing so, you are asked where you want to use this certificate; in our case Apache.
In the zip file we have downloaded there are two files:

  • server.crt
  • gd_bundle.crt

Copy these files to /etc/apache2/ssl.crt.
We also have to copy the server.key file we created earlier to /etc/apache2/ssl.key.
Now we have to adjust the vhost-ssl.conf file in /etc/apache2/vhost.d to use these files.
Make sure the following lines look like this:

  • SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
  • SSLCertificateChainFile /etc/apache2/ssl.crt/gd_bundle.crt
  • SSLCertificateFile /etc/apache2/ssl.crt/server.crt

Save the file and restart Apache with /etc/init.d/apache2 restart

You are asked for the pass phrase we entered earlier in this section. This is for security reasons: the private key on disk is encrypted with that pass phrase. If you don't want to provide this pass phrase, do the following:

  1. Go to the /etc/apache2/ssl.key directory
  2. Save the original file: cp server.key server.key.org
  3. Give the command: openssl rsa -in server.key.org -out server.key
  4. Restart Apache

Now you don't have to provide the pass phrase any more.
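As an added example (not from the original post), here are the key, CSR and pass-phrase steps above in scripted form, together with the two checks worth running before pasting the CSR into the CA's web form: that the Common Name is the one you meant, and that the request really belongs to the key Apache will load. The pass phrase is passed as an argument instead of typed at the prompt, the DN values and the host name blog.example.test are constructed placeholders, and openssl is assumed to be installed.

```shell
#!/bin/sh
# Added example; not the original post's commands. Assumes openssl is installed.
# File names, DN fields and the pass phrase are constructed placeholders.
set -eu

# Step 1: an encrypted 2048-bit RSA key. The pass phrase comes from an argument
# so the step can be scripted (the post enters it interactively).
make_key() {
    key="$1"; pass="$2"
    openssl genrsa -des3 -passout "pass:$pass" -out "$key" 2048 2>/dev/null
}

# Step 2: the CSR, answering the DN prompts with -subj instead of by hand.
# The CN must be the fully qualified host name users type into the browser.
make_csr() {
    key="$1"; pass="$2"; csr="$3"; cn="$4"
    openssl req -new -key "$key" -passin "pass:$pass" -out "$csr" \
        -subj "/C=NL/ST=NB/L=Eindhoven/O=WilmsenIT/OU=IT Department/CN=$cn"
}

# Check 1: print the CN embedded in the CSR, so a typo is caught before the
# certificate is bought (works with both the old "/CN=" and new "CN = " layout).
csr_cn() {
    openssl req -in "$1" -noout -subject | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# Check 2: the CSR is only useful if it carries the public half of the key
# Apache will load. Compare the SHA-256 of the two public keys.
csr_matches_key() {
    key="$1"; pass="$2"; csr="$3"
    k=$(openssl rsa -in "$key" -passin "pass:$pass" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl req -in "$csr" -pubkey -noout | openssl sha256)
    [ "$k" = "$c" ]
}

# The post's last step: write a copy of the key without the pass phrase so
# Apache can start unattended. That copy is protected by file permissions
# alone, so it is made readable by its owner (root) only.
strip_passphrase() {
    key="$1"; pass="$2"; out="$3"
    openssl rsa -in "$key" -passin "pass:$pass" -out "$out" 2>/dev/null
    chmod 600 "$out"
}

# Run as "sh csr.sh demo" to exercise the steps in a scratch directory.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_key "$d/server.key" "demo-pass"
    make_csr "$d/server.key" "demo-pass" "$d/server.csr" "blog.example.test"
    echo "CSR CN: $(csr_cn "$d/server.csr")"
    csr_matches_key "$d/server.key" "demo-pass" "$d/server.csr" && echo "CSR matches key"
    strip_passphrase "$d/server.key" "demo-pass" "$d/server.key.nopass"
    ls -l "$d"
fi
```

Keep the encrypted file as the post's server.key.org and point SSLCertificateKeyFile at the stripped copy; if the two checks disagree on a server that already has a certificate installed, the same comparison against the issued server.crt (openssl x509 -in server.crt -pubkey -noout) tells you whether the certificate was issued for the key you are actually loading.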

Single Sign On Novell Client for VMware View

If you use the Novell Client on a Windows virtual machine that is going to be used for VMware View, you don't want your users to log in twice:
first for VMware View and after that for the Novell Client. If you only use a Windows client this is handled by VMware View. For the Novell Client we have to make some registry changes.

This is taken from the Novell Client Documentation pages:

1. Click the Start button, then type regedit.exe in the Start Search field.
2. Press Enter to open the Registry Editor.

3. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Login, then add the following:

  • Value Type=REG_SZ, Name=TSClientAutoAdminLogon, Data=1
  • Value Type=REG_SZ, Name=DefaultLoginProfile, Data=name of the profile to use. Typically, the profile policy name is Default.

4. Close the Registry Editor.

In the Novell Client menu:

Advanced Login:
Computer Only Logon Default: Never
Login Windows password synchronisation: Off
Login with Non-Novell Credential Provider: On
Novell Logon: On
Prompt for Novell login during Windows AutoAdminLogon

LDAP Contextless Login:
Enable LDAP Contextless Login: On
Trees: [TREE NAME]
Servers: [SERVER NAME]

Groupwise 8.0 SP1 HP1 available

Just a quick post:

Novell has released HP1 for Groupwise 8.0 SP1.

You can download the files at http://download.novell.com

Here are the changes:

Admin

510213 – DBCopy -i switch is not working properly.
553048 – Properties of distribution lists are not visible using German 8.01 snap-ins
555339 – Admin API Issue – New return values added for get_AddressFormat and get_AllowedAddressFormat.
559998 – ConsoleOne crashes on SLES 11 when the GWIA and WebAccess gateways object properties are selected.
560338 – Users created by IDM Driver do not replicate to primary domain

Calendar Publisher

554220 – Calendar Publishing will not install if the ip address of the server is a 10.x.x.x address
552375 – Published calendar shows appointments both 1 hour and 2 hours ahead
554311 – Published calendar does not show Notes

Linux Client

552364 – Having multiple subscribed Ical Calendars will not load all. Only 1 or 2 will load.
552392 – Subscribed Calendars are not working in Linux & Mac
554231 – GWCheck script is still looking for GW client JRE in the old “client/jre” to “client/java” dir

Mac Client

554672 – GWCheck will not run on Mac 10.6 (Snow Leopard)
562263 – Java for Mac OS X 10.5 Update 6 breaks + click functionality in GW 8.0.1

Windows Client

540061 – Client crashes intermittently in gwxplt1.dll
550436 – WIP folder shows that there are messages in there when the folder is empty
550445 – WIP count erroneously increment or reduce the count until the poll comes through and fixes it.
552198 – Crash in the client engine
552358 – Not all of the users mail is downloading to caching.
552360 – Password change not saving with Notify running with LDAP Authentication.
552367 – Dialog box focus problem when opening Excel or Word documents.
552372 – GetIntegrationState error with GW8 SP1
552373 – In the calendar view, the option for MORE on categories is missing
553038 – Refresh problem when resolving a stub
553044 – Client crashes while searching Calendar items
554206 – Sequence number is incorrect on rule delegation of appointments
554221 – Cannot save documents in any library other than the user’s default library
554224 – Compose control uses ATL interface that has security vulnerability
554229 – 9202 Bad Parameter errors when opening HTML messages or attachments
554346 – Plain text view moves carriage returns around in signatures
554351 – Send to | Mail Recipient deletes the original file from the hard drive
554353 – Crash using ItemSaveInfo token
554356 – Ical VEVENT ending with a SEQUENCE property will not import properly
554602 – Using non-English spell check causes client to crash
554639 – Creating a new group in Online mode from Contacts folder and selecting users from SAB will save an empty group
555103 – Forwarding on an embedded item and then changing the “Send User” to a Proxy user will crash the client
555105 – HTML email print as text when using File | Print if the email has an attachment
555494 – The Hours strip in the Appointment area of Calendar doesn’t include the am/pm by the hour
556342 – Crash cutting and pasting from the header control
556345 – Spell checker doesn’t recognize quote message
556350 – Crash occurs when printing multiple attachments while proxied.
556362 – Close item event is not generated
556365 – “Error occurs when signing message.” while trying to sign and encrypt the mail
556376 – Problem resolving the stubs when the account name contains German characters
556381 – Create registry key to use older version of RTF editor
557356 – Reply problem when client sends out user addresses with U.P.D format when cutting and pasting names
557478 – Client crashes with Entrust certificates
557487 – Modifying information in busy search not working
558099 – LDAP password change generates D019, but still changes the password
558217 – Speller is crashing in Chinese T and S, Japanese, Hebrew
559761 – Buffer overrun in autosave
559762 – Custom fields will not import properly from a 7.0x export
559763 – Random Crashes on a Windows XP SP3
559939 – Opening the properties of a user of a distribution list in the addressbook results in an error
559945 – Unable to add a user in a group within PAB if addressing is set to F.L or L.F.
561017 – A number of Find results windows are displayed when doing a Find with the “In all folders” option
561720 – Crash trying to create a group
566828 – Reply tokens fail
568910 – Choosing to “Add to Frequent Contacts ” address book from new email with user in System Address Book but not in Frequent Contact will crash

Document Viewer Agent (DVA)

552203 – Webconsole will not enable for document viewer agent
552384 – GWDVA taking 100% CPU Utilization

Engine

552388 – Problem with syncing caching mailbox
554217 – Failed LDAP password change can set connection into a bad state
556357 – CPU hog abend in Server.nlm

GroupWise High Availability Agent (GWHA)

552357 – GWHA starts multiple instances of MTA/POA when healthy agents are already running

GroupWise Internet Agent (GWIA)

551173 – IMAP: attachment name changed if contains Polish characters
551179 – Message file will not get processed through gwia
552363 – POP threads hanging
554214 – GWIA abend running process RecvConvert Process
554216 – ICal files show in client as mail message
554225 – IMAP high CPU when downloading mail that includes invalid recipients
556379 – Crash on corrupt message
559297 – Core during IMAP write buffer cleanup
560546 – Users in DL not showing up in TO: field, only one user does

GWCheck

554249 – GWCheck gives error 0xDF0A on analyze/fix specific library

GWTSA

552394 – GWTSAFS.NLM abends the server, when running the Backupexec Agent

Install

555962 – Installation fails when eDir Admin users context contain Country & Location
561581 – Installation fails when admin user does not exist in same container as the domain object

Message Transfer Agent (MTA)

552370 – Abend on certain messages
553432 – MTA not doing a DNS refresh when a link is down
554627 – MTA not doing a DNS refresh when a link is down (additional code needed)
555112 – MTA fails to start http port if it is marked bind exclusive

Post Office Agent (POA)

538703 – POA running on Windows crash
542866 – POA running IMAP on Windows crash
551232 – SOAP thread gets blocked when trying to sync an addressbook entry
551454 – Crash on Windows 2003 Server
552374 – 820A error on POA
552380 – SOAP Abend
552381 – POA performance issues
552382 – GWDCA on Linux crash
552390 – Current Physical Connections exceed the Maximum Physical connections
552393 – CloseScreen called with a screen that is still being used – Cluster timing issue
553033 – SOAP callback restarts protected memory
554748 – A601 error when opening documents – Not a valid error
555086 – POA Physical Connections is exceeding maximum allowed
557873 – POA Crash When Users Proxy Using Evolution Client
558169 – SOAP core in NgwItem::gwtAttachment
558174 – POA crashes if started up before the MTA
559948 – GWPOA abend on GWSOAP process
564470 – High utilization/Server abends on SOAP threads
567556 – POA crash

Protocol

507827 – Evolution: Reports that a getQuickMessage id is incorrectly formatted
550592 – Add logic to get an embedded item as a mime
551182 – A space in a domain name causes EA01 error streaming attachments during GMS sync
552371 – Memory leak in converting to unicode strings
552386 – Passing an empty view in getItemRequest will not return the default view
552387 – A recurrent request via WS using an rrule w/o an until date will fail
552577 – Can’t send large emails from a device
552585 – Performance problem getting items
554207 – IMAP rfc822.size command performance enhancement for emails with an existing mime.822 attachment
554211 – IMAP folder NoSelect flag missing
554213 – Incomplete IMAP SEARCH response on empty folders
554227 – IMAP APPEND command is not indexing the x-fields
554349 – SOAP doesn’t return the folder tree
555108 – XML parsing exception in getting distribution list members
555153 – GetFolderList returns back the Display Settings
556487 – getItemsRequest on a recurrent item will fail if an “until” date is present
556682 – SOAP Thread in POA abended the server
559672 – Subject searches should be substring searches, not word match searches
559734 – Can’t create a folder under the mailbox

SDK

556352 – Lose message body using AddExistingItem
556609 – Name completion ActiveX truncating characters
559209 – Crash when updating contact fields
559797 – Attachment.add fails on GW8

WebAccess

552362 – Core in gwinter
552376 – Replies to some messages using Safari browser sends blank message body
553028 – Abend in GWINTER
554421 – Abend in Gwinter -2
555116 – Cores in gwinter
557079 – Webaccess Agent Core -2
557352 – Work In Progress always prompts with “you have unsaved messages”
559682 – Double clicking to view mail in webaccess opens two windows instead of one

Brainshare Amsterdam

A couple of months ago I blogged that Brainshare was coming to Amsterdam.

Now Novell has launched the Novell Brainshare Amsterdam website, where you can find a lot of (and in the future more) information about this event.
Brainshare runs from 18 to 21 May 2010 and the location is the Passenger Terminal Amsterdam.
The early bird price is EUR 695,- and will soon be available (a little bird told me: at the end of January). Early bird registration ends on 16 April 2010.

Last Monday I was at Novell in Utrecht for Novellcongres.nl and I spoke to a Novell employee about Brainshare.
She told me that Novell expects around 750 people, that Amsterdam was chosen as the location because of Schiphol Airport, and that Novell expects most visitors from the UK, Denmark, Germany and of course Holland!

Rumor also has it that ZENworks Configuration Management 11 beta 1 will be launched at Brainshare Salt Lake and beta 2 at Brainshare Amsterdam! I'm curious to see what the improvements will be.