Archive for March, 2013

Cool Tools 25: LAN Speed Test

Saturday, March 30th, 2013

Sometimes the coolest tools are the simplest ones.

Today’s Cool Tool is called LAN Speed Test, and it does just that: it tests the speed of connections within your LAN by writing a 20MB file (configurable) to a file share, reading it back, and timing how long both transfers took.

[Screenshot: lan-speed-test]

The use case for this was pretty simple: our WCI Portal machine (with an alias of PT-PORTAL) was in a DMZ, and the back-end servers (in this case, PT-INTEGRATION and PT-COLLAB) were on a separate subnet. The NT Crawler web service was acting very strangely, failing to serve up files through the portal but serving them up locally just fine.

So, using LAN Speed Test, I was able to confirm (and prove to the network team) that the problem was in the switch/firewall connecting the devices. Notice in the above screen shot how PT-INTEGRATION was able to write and read a 20MB file to PT-COLLAB in about 0.24s and 0.28s respectively? And how writing and reading the same data to PT-PORTAL took 20.6s and 2.2s, respectively?

Yeah, there’s the smoking gun…
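The same measurement can be scripted. This is an added example, not code from LAN Speed Test or from the original post: it writes a file of random bytes to a share, reads it back, times both legs, and checks that the bytes survived the round trip. The share names are placeholders taken from the post.

```powershell
# Added example: reproduces the tool's write/read/time method against a UNC share.
function Test-ShareSpeed {
    param(
        [string]$Share  = '\\PT-COLLAB\speedtest',   # placeholder share
        [int]   $SizeMB = 20                          # the tool's default size
    )
    # Random bytes so neither SMB compression nor a cached copy can flatter the numbers.
    $payload = New-Object byte[] ($SizeMB * 1MB)
    (New-Object System.Random).NextBytes($payload)
    $target  = Join-Path $Share ('lst-{0}.bin' -f [guid]::NewGuid())

    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        [System.IO.File]::WriteAllBytes($target, $payload)
        $writeSec = $sw.Elapsed.TotalSeconds

        $sw.Restart()
        $echo    = [System.IO.File]::ReadAllBytes($target)
        $readSec = $sw.Elapsed.TotalSeconds
    }
    finally {
        Remove-Item -LiteralPath $target -ErrorAction SilentlyContinue
    }

    # A corrupted round trip matters more than a slow one, so compare digests.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $sent   = [BitConverter]::ToString($sha.ComputeHash($payload))
    $back   = [BitConverter]::ToString($sha.ComputeHash($echo))

    [pscustomobject]@{
        Share     = $Share
        SizeMB    = $SizeMB
        WriteSec  = [math]::Round($writeSec, 2)
        ReadSec   = [math]::Round($readSec, 2)
        WriteMBps = [math]::Round($SizeMB / $writeSec, 1)
        ReadMBps  = [math]::Round($SizeMB / $readSec, 1)
        Intact    = ($sent -eq $back)
    }
}

# Compare two hosts the way the post does: one on the same subnet, one behind the firewall.
'\\PT-COLLAB\speedtest', '\\PT-PORTAL\speedtest' |
    ForEach-Object { Test-ShareSpeed -Share $_ } |
    Format-Table -AutoSize
```

Run it from the same machine against each share in turn; a large gap between two hosts that sit on comparable hardware points at the network path, which is the comparison the post used.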

Turn WebEdit OFF in IIS for WebCenter Interaction Collaboration Server

Monday, March 25th, 2013

We’ve had a good run with WebEdit functionality in the old Plumtree / ALUI / WebCenter Collaboration Server. There comes a time, though, when the pain/cost is increasing and the benefit/payback of fixing the issues is decreasing.

Such was the case at a client that was getting this security prompt every time they tried to open an Office document that had been uploaded to Collaboration Server through WCI:

[Screenshot: office-security-prompt]

It turns out that when Office 2010 opens a document from a web page, the first thing it tries to do after downloading the document is execute a WebDAV request (PROPFIND) to that server:
[Screenshot: propfind]

This makes all kinds of sense from Microsoft’s perspective: if a Word document is opened from a web site, first check to see whether it’s a SharePoint site, right? That way Office can enable all those neat WebEdit/WebDAV features automatically.

The problem was that IIS was choking on this request because Windows Integrated Authentication was prompting for the user’s domain credentials, and even if the proper user/pass was supplied to IIS, the portal still had no idea what to do with those WebDAV verbs.

The solution: just kill off WebDAV entirely in this portal instance. You do this by changing the verbs for the portal virtual directory (.pt extension) to only accept the verbs “GET,HEAD,POST”:

[Screenshot: iis-verbs]

This way, even if Office does try to check the WebDAV verbs, IIS is going to deny those requests before even letting them through to the portal, which probably wouldn’t know what to do with them anyway.
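Once the verb list is changed, it is worth confirming from a client that IIS really rejects the WebDAV verbs before they reach the portal. This is an added example, not code from the post or from WCI: it sends each verb to the portal URL (a placeholder) and reports the status, using default Windows credentials so that integrated authentication does not mask the result.

```powershell
# Added example: verify that only GET, HEAD and POST reach the portal.
function Test-PortalVerbs {
    param(
        [string]  $Url   = 'https://portal.example.com/portal/server.pt',  # placeholder .pt endpoint
        [string[]]$Verbs = @('GET', 'HEAD', 'POST', 'OPTIONS', 'PROPFIND')
    )
    $allowed = @('GET', 'HEAD', 'POST')      # the list the post configures on the .pt mapping

    foreach ($verb in $Verbs) {
        $req = [System.Net.WebRequest]::Create($Url)
        $req.Method                = $verb
        $req.UseDefaultCredentials = $true   # let integrated auth succeed so a 401 is not mistaken for a block
        $req.AllowAutoRedirect     = $false
        $req.Timeout               = 10000
        if ($verb -eq 'POST') { $req.ContentLength = 0 }

        try {
            $resp   = $req.GetResponse()
            $status = [int]$resp.StatusCode
            $resp.Close()
        }
        catch [System.Net.WebException] {
            # Error statuses (403, 405, 501 ...) arrive as an exception; pull the code out of it.
            $status = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { -1 }
        }

        # IIS refuses a disallowed verb with 403/405/501 before the request reaches the portal.
        $blocked  = $status -in @(403, 405, 501)
        $expected = -not ($verb -in $allowed)

        [pscustomobject]@{
            Verb    = $verb
            Status  = $status
            Blocked = $blocked
            Result  = $(if ($blocked -eq $expected) { 'as configured' } else { 'CHECK' })
        }
    }
}

Test-PortalVerbs | Format-Table -AutoSize
```

A PROPFIND or OPTIONS row that comes back with a 401 rather than a block means the verb is still getting as far as authentication, which is exactly the prompt the post set out to remove.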

Using Host Files for UNC Paths

Friday, March 15th, 2013

Years ago I strongly advocated the use of host files for “better environment portability and mobility”. Over the years I’ve used this trick to simplify WCI patch installs, database migrations, and server upgrades.

But, one use of host files has always proven a bit troublesome: the UNC path for published content in WebCenter Interaction Publisher:

[Screenshot: publisher-unc-path-alias]

Specifically, if you’re trying to access a share called “publish” on a machine called PROD-FILESERVER, you can type this in Windows Explorer:

\\PROD-FILESERVER\publish\

If you are back-filling your database from production to a development environment, this name is synchronized along with it, and you certainly don’t want your Dev environment connecting to your Prod file server. The solution would be to use the host name aliases we’ve already discussed, so you could use a name like this:

\\WCI-NAS\publish\

… and then have WCI-NAS resolve to the respective file server in each environment.

This tweak, though, doesn’t work unless you use the trick found here: Disable Strict Name Checking.

NetBIOS enforces “strict name checking”, so connecting to a machine by a name that isn’t the actual machine name is prohibited by default. But that’s exactly what we want: our Production, Development, and Staging environments all using \\WCI-NAS\publish\ as the file share. That way, when we sync the database between environments, we don’t have to change the UNC paths all over the place.

In other words, to make this host file aliasing work with UNC paths, you can just add a DWORD called DisableStrictNameChecking with a value of 1 under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters.
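The two halves of this setup live on different machines: the hosts alias goes on each client, while LanmanServer is the Server service, so DisableStrictNameChecking belongs on the file server that hosts the share. This is an added example, not from the original post, that scripts both sides and then checks the alias path; the server, alias and share names are the post’s placeholders.

```powershell
# Added example: alias a share via the hosts file and relax strict name checking on the server.

# --- Client side: point the alias at this environment's real file server. ---
function Add-ShareAlias {
    param([string]$Alias = 'WCI-NAS', [string]$Target = 'PROD-FILESERVER')   # DEV-/STAGE- in other environments
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $ip = ([System.Net.Dns]::GetHostAddresses($Target) |
           Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
           Select-Object -First 1).IPAddressToString
    # Only append if the alias is not already present (whole-word match on the name column).
    if (-not (Select-String -Path $hosts -Pattern "^\s*\S+\s+$Alias\s*$" -Quiet)) {
        Add-Content -Path $hosts -Value "$ip`t$Alias"
    }
}

# --- Server side: let the Server service answer to names other than its own. ---
function Enable-ServerAliasNames {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    New-ItemProperty -Path $key -Name DisableStrictNameChecking `
        -PropertyType DWord -Value 1 -Force | Out-Null
    # Assumption: the Server service reads this value at start-up, so it is restarted here.
    # -Force also restarts dependent services and drops open SMB sessions; schedule accordingly.
    Restart-Service -Name LanmanServer -Force
}

# --- Verification from a client: the alias path should now be browsable. ---
function Test-ShareAlias {
    param([string]$Alias = 'WCI-NAS', [string]$Share = 'publish')
    $unc = "\\$Alias\$Share\"
    [pscustomobject]@{ Path = $unc; Reachable = (Test-Path -LiteralPath $unc) }
}

# Run Add-ShareAlias on each client and Enable-ServerAliasNames on the file server, then:
Test-ShareAlias | Format-Table -AutoSize
```

If clients authenticate to the share with Kerberos rather than NTLM, the alias also needs cifs/ and host/ service principal names on the file server’s computer account (setspn); with NTLM fallback the registry change alone is enough.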

Confirming and Waiting for a Server Reboot

Tuesday, March 12th, 2013

Problem: you RDP into one of your servers, install Windows Updates, and reboot. But you don’t know a) that the server successfully shut down, and b) when the server comes back up.

Solution: ping -t <servername>

Admittedly, this is a pretty trivial issue because you can just keep trying to initiate a Remote Desktop (RDP) connection, but a quick trick I use is “ping -t”, which repeatedly pings a machine and displays the response time.

Here’s a ping of “wciapps01”. The moment the machine finally reboots and comes back up is instantly visible, with no more guesswork:

[Screenshot: ping-t]

Cool Tools 24: SSLLabs.com

Sunday, March 10th, 2013

A couple months back, the security team at a client reported that they used a scanner to generate a security report of their SSL-enabled portal, and the results included this little gem:

The SSL protocol encrypts data by using CBC mode with chained initialization vectors. This allows an attacker who has gotten access to an HTTPS session via man-in-the-middle (MITM) attacks or other means to obtain plain text HTTP headers via a blockwise chosen-boundary attack (BCBA) in conjunction with JavaScript code that uses the HTML5 WebSocket API, the Java URLConnection API, or the Silverlight WebClient API. This vulnerability is more commonly referred to as Browser Exploit Against SSL/TLS or “BEAST”.

I knew we were using SSL at the site, and because of that, we were infinitely more secure than our peers who weren’t using SSL. But, I never really focused on the fact that SSL is a complicated “beast”, and there are different grades of security. Enter Qualys SSL Labs’ Analysis Tool, which taught me more than I’d ever known about SSL certificates. It started by giving us a big fat “F”:

[Screenshot: ssl-labs]

A full analysis of WHY we were getting an “F” is beyond the scope of this post, but if you’re using SSL, I definitely suggest you check out SSL Labs to see how secure you are. The links and recommendations in SSL Labs’ report are phenomenal, and it didn’t take much time at all to resolve all of the discovered issues.

In our case, two major things were counting against us:

Certificate Chain

We didn’t have the complete certificate chain installed. Using SSL Shopper’s SSL Checker, we could see where the chain was broken. Because it was a Verisign certificate, the path led us to Verisign’s Certificate Checker. The below screen shot shows a GoDaddy certificate with the proper chain installed.

[Screenshot: ssl-checker]

Weak Ciphers

Apparently not all SSL is created equal; there are different ciphers that can be used for encryption and transport. And because we were using the default BigIP configuration, we were supporting legacy ciphers that dated back to the IE6 days. By tweaking the cipher configuration to exclude the less-secure ciphers, we were able to get that SSL Labs report back up to an “A” where it belongs…

[Screenshot: big-ip-ssl]
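Both findings above (an incomplete chain and legacy protocol/cipher support) can be spot-checked from a Windows box before and after the BigIP change. This is an added example, not code from the post or from SSL Labs: it negotiates TLS with a server you administer once per protocol version, reports what was accepted and which cipher was chosen, and builds the presented certificate chain. The host name is a placeholder.

```powershell
# Added example: per-protocol handshake probe plus chain build for your own HTTPS endpoint.
function Test-TlsEndpoint {
    param([string]$HostName = 'portal.example.com', [int]$Port = 443)   # placeholder host

    # Legacy versions first; BEAST targets CBC ciphers under SSL 3.0 / TLS 1.0.
    foreach ($name in 'Ssl3', 'Tls', 'Tls11', 'Tls12') {
        $proto = [System.Security.Authentication.SslProtocols]$name
        $tcp   = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
        # Accept whatever certificate arrives during the handshake; the chain is judged separately below.
        $cb    = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl   = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        try {
            $ssl.AuthenticateAsClient($HostName, $null, $proto, $false)
            $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            # Skip revocation lookups so the result reflects chain structure, not CRL/OCSP reachability.
            $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
            $chainOk = $chain.Build($cert)
            [pscustomobject]@{
                Requested  = $name
                Accepted   = $true
                Negotiated = $ssl.SslProtocol
                Cipher     = '{0} {1}-bit' -f $ssl.CipherAlgorithm, $ssl.CipherStrength
                KeyExch    = $ssl.KeyExchangeAlgorithm
                ChainOk    = $chainOk
                Note       = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
            }
        }
        catch {
            # A refused handshake is the desired outcome for legacy versions; it can also mean
            # this client itself no longer supports the version, so read the message.
            [pscustomobject]@{
                Requested = $name; Accepted = $false; Negotiated = $null; Cipher = $null
                KeyExch   = $null; ChainOk  = $null;  Note = $_.Exception.Message
            }
        }
        finally {
            $ssl.Dispose(); $tcp.Close()
        }
    }
}

Test-TlsEndpoint | Format-Table -AutoSize
```

ChainOk can read true even when the server sends an incomplete chain, because Windows may fetch a missing intermediate on its own or already have it cached; treat the SSL Labs or SSL Checker result as authoritative for what other clients will see.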

There’s an App For That 11: GroupViewer

Tuesday, March 5th, 2013

Today’s app selection is a pretty simple one, but one that several clients have found remarkably useful: the ability to manage group membership in a simple, AJAX-type portlet.

There aren’t many frills here; when the portlet loads, the list of groups populates on the left. You can further filter the list by entering a search term in the box. Clicking on a group lists the members on the right side, as well as details about those users – including what other groups they’re a member of. From there, admins can add and remove users from the group directly within the portlet, and even export the entire list to a CSV file.

[Screenshot: groupviewer]

[Screenshot: groupviewer-adduser]

As usual, drop us a line if you’re interested in checking it out!