Facing error while logging into Entrust Authority Security Manager

I am facing the below error while logging into Entrust Authority Security Manager server version 7.1.
"Unable to retrieve valid certification revocation list"
This installation was working properly a year ago. Now when I try to log in we get the above error. Can anyone please help with this issue?
Thanks, Santhosha K

This is because the OCSP server that is being run by the Certificate Authority cannot be accessed. It is very likely that their machine is down for maintenance, but it could be down or inaccessible for other reasons.
Like with any utility, call your CA and notify them of the problem.

When you check the Event Viewer, error code 2658 will be reported for such a case. This is basically because the workstation clock has been advanced intentionally or the Security Manager application is not aware of the time change. Please start Entrust/Master Control to acknowledge the time change or correct your clock.
Do the following and the login to Security Manager will be successful:
Start Entrust/Master Control to acknowledge the time change or correct your clock. During the login process, a message is displayed indicating that Entrust/Master Control Time is not the same as the machine time. The user is asked whether or not they want Entrust/Master Control to put these changes into effect.
Click OK.
Start the Entrust/Authority services in Entrust/Master Control.

Related

Hitch behaves differently depending on client

I need some help troubleshooting - not sure where to begin looking for the problem.
I have an instance of Hitch on my company server. When I access the Hitch endpoint via my desktop browser, it proxies me to the service as expected. However, when I access the Hitch endpoint via curl (on the same desktop), it fails. In the Hitch log I see the error:
Handshake failure: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Can anyone suggest a starting point for troubleshooting? (I've done update-ca-certificates on both machines already, but that's as far as my knowledge takes me...)
Any advice is welcome! Thanks!
Mark

fusioninventory, ITSM

To begin with, I have an internship with a trading company that has 15 points of sale. My mission is to manage its IT infrastructure with ITSM 9.1.6.
To discover its network, I use FusionInventory 9.1+1.0.
I have also installed the latest FusionInventory agent for Windows. My problem is that I only get responses from 10 points of sale. I couldn't pin down the problem in order to solve it, because the agent works well (for all 15 points of sale).
PS: it's not a firewall problem; I installed netdiscovery, deploy, ESX and the other FusionInventory features.
I don't have good knowledge of ITSM or of FusionInventory, but I followed tutorials.
Sorry if I'm asking dumb questions, but could anyone help me please?
You should check the logs to start debugging.
Enable logging by setting debug to 1 or 2. Open regedit, head to HKLM/Software/Fusioninventory/, find the debug key and edit it.
If you are running the agent as a service then restart it, otherwise just execute the fusioninventory-agent.bat script to launch a new inventory.
Check the logs. They are usually at %programfiles%\fusioninventory-agent\ although I think they are better at %programfiles%\fusioninventory-agent\var\. You can change where to store the log at the logfile key.
There you'll find what is stopping your inventory from reaching the server.

Setting allowed ciphers in Orion Application Server

Our company currently hosts a web application for a customer which runs on Orion Application Server. Unfortunately, support for OAS stopped about 10 years ago after Oracle acquired the source code and turned it into OC4J, so there is very little documentation available other than its Wikipedia page.
The issue I am having is now that Chrome/Firefox/Opera are actively blocking insecure SSL connections, the site is inaccessible (Chrome gives the error: Server has a weak, ephemeral Diffie-Hellman public key).
I believe to fix this issue, I need to specify a list of acceptable ciphers that the server is allowed to use, but with no documentation available, I have no idea how/where to set this (if it is even possible).
Has anyone else had this issue and been able to resolve it?
It turned out updating to Java 8 resolved this issue for me; after the update, the server started using TLS 1.2 (though I couldn't work out which exact cipher it was using) and the website is now working in Chrome 45.

RPC command to initiate a software install

I was recently working with a product from Symantec called Norton Endpoint Protection. It consists of a server console application and a deployment application, and I would like to incorporate their deployment method into a future version of one of my products.
The deployment application allows you to select computer workstations running Win2K, WinXP, or Win7. The selection of workstations is provided from either AD (Active Directory) or an NT Domain (WINS/DNS NetBIOS lookup). From the list, one can click and choose which workstations to deploy the endpoint software to, which is Symantec's virus & spyware protection suite.
Then, after selecting which workstations should receive the package, the software copies the setup.exe program to each workstation (presumably over the administrative share \\pcname\c$) and then commands the workstation to execute setup.exe, resulting in the workstation installing the software.
I really like how their product works but not sure what they are doing to accomplish all the steps. I've not done any deep investigations into this such as sniffing the network, etc... and wanted to check here to see if anyone is familiar with what I'm talking about and if you know how it's accomplished or have ideas how it could be accomplished.
My thinking is that they are using the admin share to copy the software to the selected workstations and then issuing an RPC call to command the workstation to do the install.
What's interesting is that the workstations do this without any of the logged in users knowing what's going on until the very end where a reboot is necessary. At which point, the user gets a pop-up asking to reboot now or later, etc... My hunch is that the setup.exe program is popping this message.
To the point: I'm looking to find out the mechanism by which one Windows based machine can tell another to do some action or run some program.
My programming language is C/C++
Any thoughts/suggestions appreciated.
I was also looking into this, since I too want to remote deploy software. I chose to packet sniff pstools since it has proven itself quite reliable in such remote admin tasks.
I must admit I was definitely over-thinking this challenge. You have probably done your packet sniff by now and discovered the same things I have. I hope by leaving this post behind we can assist other developers.
This is how pstools accomplishes execution of arbitrary code:
It copies a system service executable to \\server\admin$ (you either have to already have local admin on the remote machine, or supply credentials). Once the file is copied, it uses the Service Control Manager API to make the copied file a system service and start it.
Obviously, this system service can now do whatever it wants, including binding to an RPC named pipe. In our case, the system service would install an MSI. To get confirmation of successful installation you could either remotely poll a registry key or an RPC function. Either way, you should remove the system service when you are done and delete the file (psexec does not do this; I guess they don't want it to be used surreptitiously, and in that case leaving the service behind would at least give an admin a fighting chance of realizing someone had compromised their box). This method does not require any preconfiguration of the remote machine, simply that you have admin creds and that file sharing and RPC are open in the firewall.
I've seen demos in C# using WMI, but I don't like those solutions. File sharing and RPC are most likely to be open in firewalls. If they aren't, file sharing and remote MMC management of the remote server wouldn't work. WMI can be blocked and still leave these functional.
I've worked with a lot of software that does remote installations, and a lot of them are not as reliable as pstools. My guess is that this is because those developers are using other methods that are not as likely to be open at the firewall level.
The simple solution is often the most elusive. As always, my hat is off to the SysInternals folks. They are true hackers in the positive, old school meaning of the word!
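The mechanism the answer above describes (stage a service binary on ADMIN$, register and start it through the remote Service Control Manager, then tear it down) as an added PowerShell example; this is not code from the thread or from Sysinternals. It assumes you already hold local administrator rights on the target, that SMB (TCP 445) and the SCM RPC endpoint are reachable, and that a hypothetical service-style executable named deploy-svc.exe sits next to the script; the service name DeploySvc is likewise an assumed placeholder.

```powershell
# Added example, not from the original thread. Remote execution the way the answer
# describes pstools doing it. Assumptions: local admin on $Target, ADMIN$ and the
# SCM RPC endpoint reachable, and 'deploy-svc.exe' (hypothetical) is a real Windows
# service executable that performs the install and then stops itself.
param(
    [Parameter(Mandatory)][string]$Target,          # e.g. 'ws01.corp.example' (placeholder)
    [string]$ServiceName = 'DeploySvc',             # hypothetical service name
    [string]$Payload     = '.\deploy-svc.exe'       # hypothetical service binary
)

$leaf       = Split-Path $Payload -Leaf
$remoteExe  = "\\$Target\ADMIN$\$leaf"              # ADMIN$ maps to %SystemRoot% on the target
$targetPath = Join-Path $env:SystemRoot $leaf       # same file, as the target's SCM will see it

try {
    # Step 1: stage the binary over SMB via the administrative share.
    Copy-Item -Path $Payload -Destination $remoteExe -Force

    # Step 2: register it as a service on the remote Service Control Manager.
    # sc.exe requires the space after 'binPath='; 'start= demand' keeps it from autostarting.
    & sc.exe "\\$Target" create $ServiceName binPath= "$targetPath" start= demand type= own | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "service create failed on $Target (exit $LASTEXITCODE)" }

    # Step 3: start it. It now runs as LocalSystem, invisible to the logged-in user.
    & sc.exe "\\$Target" start $ServiceName | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "service start failed on $Target (exit $LASTEXITCODE)" }

    # Step 4: wait for completion. The answer suggests polling a registry key or an RPC
    # call; the simplest signal is the service returning to STOPPED when its work is done.
    $deadline = (Get-Date).AddMinutes(10)
    do {
        Start-Sleep -Seconds 5
        $stateLine = (& sc.exe "\\$Target" query $ServiceName) -match 'STATE'
    } until (($stateLine -match 'STOPPED') -or ((Get-Date) -gt $deadline))
    if (-not ($stateLine -match 'STOPPED')) { throw "timed out waiting for $ServiceName on $Target" }
}
finally {
    # Step 5: remove the service and the staged file, as the answer recommends.
    & sc.exe "\\$Target" delete $ServiceName | Out-Null
    Remove-Item -Path $remoteExe -Force -ErrorAction SilentlyContinue
}
```

Run it as `.\Deploy-Remote.ps1 -Target ws01` from an account that is a local administrator on the target. Note that this is exactly the primitive attackers use for lateral movement, so expect endpoint tooling to flag it: the remote service creation is logged on the target as a System event ID 7045 (new service installed) with your binary path, and many monitoring rules alert on any service whose image lives directly under the Windows directory.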
This sort of functionality is also available with products like LANDesk and Altiris. You need a daemonized listener on the client side that will listen for instructions/connections from the server. Once a connection is made, any number of things can happen: you can transfer files, kick off installation scripts, etc., usually transparently to any users on that box.
I've used the Twisted Framework (http://twistedmatrix.com) to do this with a small handful of Linux machines. It's Python and Linux, not Windows, but the premise is the same: a listening client accepts instructions from a server and executes them. Very simple.
This functionality can also be accomplished with VB/PowerShell scripts in a Windows-based domain.

linux gedit: I always get "GConf Error: failed to contact configuration server ..."

How come I always get
"GConf Error: Failed to contact configuration server; some possible causes are that you need to enable TCP/IP networking for ORBit, or you have stale NFS locks due to a system crash. See http://projects.gnome.org/gconf/ for information. (Details - 1: Failed to get connection to session: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.)"
when I start 'gedit' from a shell from my superuser account?
I've been using GUI apps as a logged-in user and as a secondary user for 15+ years on various UNIX machines. There's plenty of good reasons to do so (remote shell, testing of configuration files, running multiple sessions of programs that only allow one instance per user, etc).
There's a bug at launchpad that explains how to eliminate this message by setting the following environment variable.
export DBUS_SESSION_BUS_ADDRESS=""
The technical answer is that gedit is a Gtk+/Gnome program, and expects to find a current gconf session for its configuration. But running it as a separate user who isn't logged in on the desktop, you don't find it. So it spits out a warning, telling you. The failure should be benign though, and the editor will still run.
The real answer is: don't do that. You don't want to be running GUI apps as anything but the logged-in user, in general. And you never want to be running any GUI app as root, ever.
For some (RHEL, CentOS) you may need to install the dbus-x11 package ...
sudo yum install dbus-x11
Additional details here.
Setting and exporting DBUS_SESSION_BUS_ADDRESS to "" fixed the problem for me. I only had to do this once and the problem was permanently solved. However, if you have a problem with your umask setting, as I did, then the GUI applications you are trying to run may not be able to properly create the directories and files they need to function correctly.
I suggest creating (or, have created) a new user account solely for test purposes. Then you can see if you still have the problem when logged in to the new user account.
I ran into this issue myself on several different servers. I tried all of the suggestions listed here: made sure ~/.dbus had proper ownership, service messagebus restart, etc.
It turns out that my ~/.dbus was mode 755 and the problem went away when I changed the mode to 700. I found this when comparing known working servers with servers showing this error.
I understand there are several different answers to this problem, as I have been trying to solve this for 3 days.
The one that worked for me was to
rm -r .gconf
rm -r .gconfd
in my home directory. Hope this helps somebody.