Axis web service security work round

This is a bit of an old one, but might be useful to Domino people (or in fact anyone) out there that still are not using security on their web services who really should know better, I’m mainly thinking of large corporations that treat their internal network as some kind of safe playground, I don’t suggest this a permanent fix, it is just a good solution if you simply don’t have the time or resources to put proper security in place.

This example came about when a security review was done on a application which was built a few years ago when web services were first all the rage and were built using something like AXIS 1.X, multiple applications including domino are consuming a set of services based on apache. we want to limit this so that random people/computers cant just read and post what they like, thank fully this is easy for apache

First find your http.conf file and find your web service location, most likely in a directory tag such as:

<Directory “D:/Apache2.2/htdocs”>

You will most likely find an couple of lines like this

Order allow,deny

Allow from all

Change them (add them if they are not there) to

Order Deny,Allow
Deny from all

This will lock down your web service completely which is not that much use, so now, add a line below such as

Allow from 192.168.1.2 192.168.1.1

Here you can list the servers you want to allow access to the web service, you can add all servers in a sub net (if your company uses a static IP address sub net) by only putting in the subnet eg, 192.168.1, as well as FQDN’s, full documentation can be found Here

In a perfect world that should be all you need, but if you applying this to an existing web service, someone is sure to need access from a computer or program (such as soapUI) not on a static server, so you will have to add a backdoor to let them in,

So next add the lines

SetEnvif User-Agent “backdoor” webservicebackdoor
Allow from env=webservicebackdoor

This means that if you set the “User-Agent Header” in programs like firefox and soapUI (its under file –> preferences) to “backdoor” the web services will start talking to you again ( yes I know it a security hole, but I’m trying to just make the best of a bad situation)

With some service clients this wont work as they dont allow the changing of the User-Agent, the most notable to me is Spring using CXF, as it uses an alternative web request header called “BrowserType” which set in the same way

SetEnvif BrowserType “backdoor” webservicebackdoor
Allow from env=webservicebackdoor

Also on your spring config in the conduit settings you include the “BrowserType” as shown

<http-conf:conduit name=”http://mywebservice.ldc.com/.*”>
<http-conf:client ReceiveTimeout=”180000″ BrowserType=”backdoor” />
</http-conf:conduit>

and now that would work just fine again

There you go, a little fringe but hopefull usefull to someone.

Sharing a room at Lotusphere

Going to Lotusphere is not a cheap experience and in this current climate even less so, it makes sense to share a room, last year I shared with that wretch/neat freak/best man at my wedding, Ben Poole, alas the evil devil is not going this year, so I started asking around to find an alternative room mate, naturally I asked my colleges at LDC first and got the answers “good luck with that” and “id rather fly cattle class”, thanks guys..really….. thanks

So I ask further afield and thus enters a slightly grubby white night in the form of Bill Buchan who is happy to share a room to me, I’m honoured to accept, its like being asked to go for a quick horse ride with Genghis Kahn, fab brill, cool… what do you mean he snores, it cant be that loud….. seismic!!….. what has seismic got to do with snoring…… Oh…… great… I’m sharing a room with the greatest lotus party animal ever who also provides his own nocturnal drum and base, base beat

I’m packing plenty of happy hardcore and enough caffeine to give me a seizure, its going to be a good lotusphere

in Matt Whites defence I did ask for a quote

Old Comments

Brett H(27/12/2010 20:01:52 GMT)

The secret is coffee, strong and lots of it. Not for you but for your noisy nocturnal room mate. Give it to him, he’ll still be awake while you drift off to peaceful oblivion. Then when he finally dozes off and starts sawing logs you won’t notice ’cause you’ll already be asleep!

Duffbert(27/12/2010 01:57:41 GMT)

I suppose you could attempt to turn it to your advantage and see if you can get an ear plug company to sponsor part of your trip… 🙂

Mark Myers(29/12/2010 10:16:50 GMT)

@kevin i am starting to feel that the only solution is to get Bill to drink so much each night that he never makes it to the room, right im off to find the whisky tanker, i may have bitten off more than i can handle Emoticon

Mark Myers(27/12/2010 20:33:13 GMT)

@brett i will try your suggestion, but there are few chemicals that effect bill, i have heard that a line of coke 12 feet long made can make him “kind’a chipper”

Bill(27/12/2010 02:06:23 GMT)

In your colleagues defence, when they found out, they did all roll their eyes and ask me about my mental heath.

But apparently, you just nest on the floor, which might at least get you out of the direct line of the snoring.

Mr Mooney threw his room at me. Mr McD also snored, rubbed his feet and sang in his sleep (Einstein a-go-go), and latterly Mr Coates also employed ear defenders to great advantage.

I’ve shared with some of the most violent people in the bubble and survived – which only attests to the thickness of my skin and the shortness of the blades they tried to use Emoticon

Look on the bright side. We’ll have a fully stocked bar. Not, I hasten to add, a Mini-bar…

—* Bill

Nils(27/12/2010 12:35:06 GMT)

Another option is to stay at the Disney’s All Star Sports Resort. I did that a couple of years, the room is just 85$ , and the buses bring you to the SWan in no time at all.

Kevin Pettitt(28/12/2010 15:42:42 GMT)

A very good pair of unobtrusive (i.e. you don’t feel them when you roll over) earphones and the Android app “Relax and Sleep” would be my recommendations. Plays all kinds of white noise and nature combinations to drown out the “ambient” noises. If those earphones are noise canceling all the better.

Disclaimer: I have only experienced Bill’s snoring from the floor below behind a closed door, so it’s possible these defenses will be insufficient in closer proximity. Emoticon

Bil(27/12/2010 02:23:56 GMT)

@Duff, let he who is without sin cast the first stone.

I recall the rather palatial Casa Mooney, where you kept the entire house awake with your snoring. Mine didn’t even form a harmonic backing to your earth shattering patella fluttering!

—* Bill

Vitor Pereira(27/12/2010 10:02:51 GMT)

Well, having both of you in the same room will definitely make things easier for Disney security Emoticon

Chris Miller(27/12/2010 16:56:15 GMT)

As a recent victim of sharing a room with Bill, I am still recovering from shock and awe. Both in forms of audio and visual Emoticon

Mark Myers(27/12/2010 12:51:50 GMT)

@nils yeah I did that the first year, and missed soo much that was going on that i swore not to do it again, the missing stuff might change if what i have heard about IBM putting their staff in the all-star this year is true, but a lot of my best mates are in the swan/dolphin

Mark Myers(27/12/2010 11:11:50 GMT)

@Bill, I am really looking forward it, nesting is the correct way to occupy ANY room, it allows for easy defence in case of wolf (or even 3 wolf t-shirt) attack

@victor, we are getting the social outcast discount room rate from Disney

@Duff I was rather hoping a whiskey or vodka company would sponsor it Emoticon

Mark Myers(27/12/2010 17:09:05 GMT)

@chris oh now your adding a visual element to it, am I going to need eye bleach?

It’s a small Lotus world (part 3)

In the continuing promo of the very good cause the Children’s Cancer Association, here is the 3rd low resolution part of the “It’s a small Lotus world” drawn by Army of Trolls, the item revealed this time is “ye olde Codestore” one of the original domino bloggers (especially in the UK), and a continuing stalwart of great domino code give away’s for many years (personally if Jake would come to one of the lugs I for one would stand him a few well earned pints)

Remember a posh full sized version of the art is one of the prizes at the UK Night at Lotusphere (on the Monday night), with all funds raised going to Children’s Cancer Association (you can buy tickets off Bruce, Gayle, Matt white, Julian Woodward or myself at lotusphere, or donate direct below)

 

 

Private VPNs

As a contractor and part of LDC I have multiple clients on the go at once, one of the problems with that is sometimes their needs overlap or one has a crisis when your on site with another, mostly you can just explain to the client your on site with, not bill for 30mins and go stand in a stairwell to talk them thought it, however often it is far quicker to just log in to a remote server and fix the problem directly.

Quite reasonably clients firewalls don’t normally allow this kind of behaviour and block most of the ports you need to fix such things (SSH, RDP and NOTES), the first response would be to just use a 3G card (and indeed I have one that works rather well and has let me fix client issues in the strangest locations ) but at large clients I always seem to be stuck in a basement or some other no-signal zone.

This preamble is by way of introduction/justification to a private VPN service I am now using, I had a good look round before picking one, needing it to both support on Linux AND not be one designed for anonymous P2P (I DO NOT want a client thinking I am using P2P on there network), the one I picked is http://www.witopia.net/ who provide a very quick professional service with good support (I waited 15 mins for a support responses) and have a great wiki http://wiki.witopia.net/wiki/Main_Page

If you want it for the same usage as me then you want a certain configuration else your not going to get out of the firewalls

1) You will need the “personalVPN – SSL (openVPN) ” product http://www.witopia.net/index.php/products/
2) You will need to swap to alternative ports (443) http://wiki.witopia.net/wiki/Alternate_Ports
3) If your on Linux (ubuntu 10.04 + ) and have followed the wiki instructions, you will also need to alter the advanced setting on the VPN configuration as below (this is not on the wiki)

solves a lot of problems for me.

The BBC model B computer and lesson in life

When I was but a nipper my parents bought me a BBC computer, which became unpopular in the market place within hours of me receiving it (every one else had Amiga, or Atari or what ever), since then I was a mite paranoid of being on a loosing side, and felt like jumping ship as soon as some twit says that something is ‘dead’ , thankfully I have since met good and sane(ish) people, who have taught me otherwise, I am not a domino developer, a flex developer, a Java developer, a web developer, a domino admin, an exchange admin, a 3rd line server support, a storage specialist, these are just roles, I am just a tech, I do the job my clients want in the way I think will bring them the most long term gain and waste the least money

I have few strong opinions (except when it comes to happy hardcore, energy drinks and dark perversion), but peoples big dramatic gestures are one of them, they make no sense in a career path such as IT where you cycle your skill set every 2 years or less, there is no need to say anything is dead, or beat the old chest or unleash attack kittens, just be good at what you do, enjoy it and keep as up to date at time allows

I love domino (the fact I’m paying to go to Lotusphere out of my own pocket I feel is proof enough), and it has paid the bills in a lot of ways for a lot of my working life, but I’m not going to pass up a job just because it does not have domino in it, and you know what, that attitude has helped me bring more life to domino that you could imagine, as each none domino project gives me extra skills I can glue back on the strange Swiss army nice we call Lotus Notes. 🙂

Prepping for Lotusphere 2011 ten things – Part 1

This is my third lotusphere and the first one where im paying for every last bit myself, no freebe ticket for both babeing this year, im also there as part of LDC, so I am going to squeese every drops worth of value from the trip, but just like the rest of the comunity stuff we do, you have to put in the effort yourself to get value out, to this end i compiled a list of tasks to do before, before during and after lotusphere, anyone going to join me?

10 things to learn/do before you go there.

1) Ensure you have a LotusLive account and have had a good look around.

2) Ensure you have the latest version of Notes installed, and have played with its new features.

3) Subscribe to the podcasts, and keep up-to-date. (DONE)

4) Make a list of questions you want answered, get your pet peeves in a row, so you can voice them to Lotus in person.

5) Sign up to a cloud service and TRULY understand what “cloud” is rather than just the hype. (DONE)

6a) If you’re an admin, have the latest version of Domino installed on the most up-to-date OS it supports.

6d) If you’re a developer, ensure that you have the latest version of Eclipse installed and set up correctly. (DONE)

7) Learn about the competitors: get accounts with at least two direct Notes competitors (salesforce.com, Google apps, a free Sharepoint account) and explore their features.

8) Learn about the symbiotic Notes products, play with at least two of these (Sametime, Quickr, Connections, etc.). Can these be of value to you, do you need to find out more from a guru when you have them to hand?

9) Tell your clients and ask your boss whether there’s anything THEY want to know. Get them involved: what do your clients / boss want in the next 12 months?

10) Get your business card printed.

Old Comments

Mitch Cohen(10/12/2010 02:03:09 GMT)

Some good ideas….. See you in Orlando

Mark Myers(10/12/2010 09:21:56 GMT)

cool, yup see you there!

rsync backup

This was something I should have got round to doing ages ago but I finally set up my laptop to backup to my NAS using rsync, and I figured a proper step by step guide might help others, there are lots of rsync guides out there but few that don’t assume loads, so here’s a simple one

GOAL: I want to backup nearly everything in my home directory onto a windows (or samba) share, I want it to be one click, not to do certain places and files and on subsequent runs only back up new stuff, I also don’t want it to inherit any fancy permissions as if I have a disaster I might need to access it without out any rights on a new machine.

I am assuming you are using ubuntu or a common version of Linux, most of this will work on the mac I suspect (I know rsync does)

SO, first thing I need is a mount or drive mapping to backup too,

1) Run “gksudo nautilus” to get a all powerful file manager and create your folder that is going to be your mount point, I created “/media/backup”

2) Next ensure you have samba file sharing utilities installed (smbfs), you can do this on a terminal prompt with “sudo apt-get install smbfs”

3) See if you can now mount your share with “sudo mount -t smbfs //192.168.0.XXX/myshare/backup/ -o username=stickfight,password=password”
This assumes that I am backing up to the “myshare” share on the IP address 192.168.0.XXX and into the “backup” folder that already exists, also that you have to log-on to your share to be able to write to it, if you don’t, just miss out the “-o username=stickfight,password=password” bit

4) Next you want to figure out which files and folders you DONT want to backup, in my case, I don’t want any big media files or to backup the cache folder, so I create a text file called “backupexclude.txt” save it into my home directory and type the following into it (making sure that items are on separate lines)

*.mkv
*.avi
*.ogm
*.mp4
.cache

The paths are relative so instead if /home/stickfight/.cache , as I’m backing all of /home/stickfight/ I just put “.cache”

5) install rsync “apt-get install rsync ”

6) Now in the terminal window you want to enter “sudo rsync -r -u –exclude-from ‘/home/stickfight/backupexclude.txt’ –progress /home/stickfight /media/backup/home”

let me break it up first

“-r” = copies all the sub directories and file, normally you would use “-a” but that copies the file permissions as well which in this case I don’t want.
“-u” = Update, means it only copies only new or recently changed files.
“–exclude-from ‘/home/stickfight/backupexclude.txt’ ” = loads the exclude file we just made.
“–progress” = makes the terminal output far more readable and tells you how far it gets now.
“/home/stickfight /media/backup/home” = source and target directories.

7) run this and make sure it does what you expect, rsync has tons of options, so alter it as you see fit, once you have it working, copy both lines into a text file and save it as backup.sh (or whatever)

8) you can now run it form a icon with “sudo sh /home/stickfight/backup.sh”

there we go , job done

P.S. you might notice a lot of “sudo” going on, perhaps this is not correct from a security point of view, but I’m stripping out the security anyway and I just want it to work, without complaining