Tuesday, October 10, 2006

Installing Joomla on NetWare 6.5

Install apache2, php, mysql.

Download the zlib module for php. I used the 1.1.4 version with NetWare 6.5 SP5:
http://www.gknw.net/development/apache/libs/netware/
Extract the downloaded zlib package and place the modules from the zip into the sys:\php5\ext directory.

Enable php support in apache by uncommenting the include statement for mod_php in sys:\apache2\conf\httpd.conf
If the include statement doesn't exist, then you can create it by adding the following line to the bottom of the file:
Include sys:\apache2\conf\mod_php.conf

If the include statement was commented out, be sure to stop and restart apache after removing the comment marker.

Test that apache has php support enabled by moving sys:\php5\scripts\info.php to sys:\apache2\htdocs, then browse to http://server/info.php

You should have a nice looking page reporting the PHP version and compiled settings. Note! If you search the page for ZLIB, you should not find any hits. We will be fixing that.

Modify open_basedir = ".;sys:/apache2/htdocs" in sys:\php5\php.ini to reference the base directory where Joomla will be installed. Otherwise the include statements within Joomla will not work. There are additional settings that may need to be tweaked in php.ini, like safe mode and such. Contact me if you need help with these.

Add the extension statement to php.ini to load zlib support. The line would look like this:
extension=php_zlib.nlm
(Note! This module exists in sys:\php5\ext.)

Restart apache2

Download and unzip the stable distribution from joomla.org.
I unzipped the install into sys:\tmp and then made a copy to sys:\apache2\htdocs\joomla.
Be sure that whatever directory you put Joomla into, your php.ini file matches this directory path: the include_path and open_basedir are set to meet these needs.

I will leave the rest of the joomla configuration steps up to the joomla docs unless someone emails me and asks for more info.

Additional NetWare modules can be found here for apache, php, and such.
http://www.gknw.at/development/apache/

NetWare 6.5 Web Services

Today, I had the privilege of working on a NetWare 6.5 box that needed MySQL, PHP, and several other virtual web hosts. I thought I would share some of my thoughts and the techniques I used, as it seems a lot of people struggle with these services.

Two main structures of apache are as follows:
sys:\adminsrv
sys:\apache2

Load scripts for these two main apache instances are located in sys:\system:
admsrvup and ap2webup. admsrvup loads the admin server instance, and ap2webup loads the default apache2 service instance.

The Administration Instance of Apache2 on NetWare
The main configuration file is located in
sys:\adminsrv\conf\adminsrv.conf
This file controls ports 2200 and 2211.
Not too much is done with this configuration. It generally runs out of the box, and reinstalling the apache admin instance usually fixes it. Try to refrain from deleting the directory when reinstalling, as there are some critical links contained in the classes which are hard to restore.

The Apache 2 instance
This is the main apache2 service, which can be used to run NetStorage, iFolder, and other custom web pages as desired.
The main config file is located in sys:\apache2\conf\httpd.conf.
Several load statements, listen statements and include statements are all located in this file.

Example real world situation
The customer wanted a regular web page listening on intranet.domain.com (IP x.x.x.10) and an iFolder web page listening on ifolder.domain.com (IP x.x.x.11).

To accomplish this I created two start config files: sys:\system\ap2webup.ncf and sys:\system\startifolder.ncf.
ap2webup.ncf calls sys:\apache2\conf\httpd.conf and startifolder.ncf calls sys:\apache2\ifolder\server\ifolder_httpd.conf.

The apache instance (ap2webup.ncf) loads into a protected address space because otherwise we would have a conflict with the copy of apache running for iFolder. The iFolder instance, on the other hand, has to run in the OS address space, as xsrv and ncpl need to be able to talk to it and those two modules have to run in the OS address space.

I made modifications to the apache2 (ap2webup) instance, removing the load statements for NetStorage, xsrv, and xtier, as these were not required for normal web server operation. Removing these statements also allowed the apache2 instance to run in protected memory.
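An added example, not taken from the post (which does not show its httpd.conf edits), of the listen statements that let the two instances above share port 80 without a bind conflict: each instance is bound to its own address, so neither claims every interface. The addresses and hostnames are the post's placeholders; the DocumentRoot and file layout are assumed.

```apache
# sys:\apache2\conf\httpd.conf  -- instance started by ap2webup.ncf
# Bind only the intranet address. A bare "Listen 80" would claim every
# address on the box and the iFolder instance could not bind its own port 80.
Listen x.x.x.10:80
ServerName intranet.domain.com
DocumentRoot "sys:/apache2/htdocs"

# sys:\apache2\ifolder\server\ifolder_httpd.conf -- instance started by startifolder.ncf
# Same rule for the iFolder address; the rest of the iFolder directives stay as shipped.
Listen x.x.x.11:80
ServerName ifolder.domain.com
```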

I might post more details on this later.

Friday, October 06, 2006

Secure MiddleTier Communication

Communication between the ZENworks ZDM Management Agent and the MiddleTier (xTier Web Proxy Services) is handled by HTTP or HTTPS. Some businesses will want this traffic secured (HTTPS), as usernames and passwords pass over this protocol and plain HTTP carries them in the clear.

The web service, whether apache or IIS, must be configured to use a minted certificate. This certificate can be provided by a trusted ROOT Certificate authority or your local Directory service (Active Directory or eDirectory). I will list the steps for IIS and using eDirectory as the trusted ROOT Certificate source.

Minting a Certificate on IIS
I am going to give a quick overview as full details are provided in the Novell Documentation.
  1. Generate a certificate request from the IIS administration page.
  2. In ConsoleOne or iManager, generate a certificate response.
  3. On the IIS administration page, provide the certificate response.
  4. Export the eDirectory ROOT CA (Security container, self-signed .DER file).
  5. Import the ROOT CA into the local workstation.
  6. Import the certificate from the MiddleTier server into the workstation. (It is critical that the certificate be placed in the local Computer store. Do not let the certificate wizard place the certificate for you.)
It's possible that the following registry change will be required if the ROOT CA is not from an already trusted provider like Thawte.

Middle Tier Authentication Troubleshooting

I learned some new tricks troubleshooting the Novell ZENworks MiddleTier authentication infrastructure.
I had forgotten about some logs in c:\windows\system32\LogFiles which can be very useful.
The logs can at least show that connections are being made and what is being accessed via IIS. The logs are IIS generated and are not ZEN specific. XTIER does report some logs to this directory. You can control XTIER logging with the following registry keys.

(MT) ZENworks Middle Tier Server logging on Windows servers is enabled in the registry

Location: HKEY_LOCAL_MACHINE\SOFTWARE\Novell\XTier\Configuration\XTLOG
Name: Log-Error
Name: Log-Warning
Name: Log-Informational
Name: Log-Success
Type: DWORD Value
Data: 0 (Debug log file will NOT be written to)
Data: 1 (A new debug log file will be created each time with a unique name)

Output: %SystemRoot%\System32\LogFiles\Xtier

http://support.novell.com/cgi-bin/search/searchtid.cgi?10093312.htm

I also found that packet traces are a big asset.

If you can authenticate to https://serverip/oneNet/nsadmin, then the ZENworks ZDM agent should be able to authenticate also.

Comments more than welcome as I left a lot out.

Thursday, October 05, 2006

Creating Applications for Distribution

Registry Keys To Remove

I am asked all the time, "Which keys should I remove?" when creating applications for mass distribution. This question is usually raised when creating applications with the ZENworks Snapshot utility.

It amazed me how easy it was to find information regarding the registry keys that are captured. Come on, how hard can it be to use Google? Sure, there are WAY TOO MANY "OOOOOO"s in the name. But still, bookmark it.

During a really boring day of creating application objects for a customer, I decided to find the answers. So with every snapshot I created, I researched the registry keys that were captured. Soon I had this really nice list. I then realized that I had another need for an application. Sigh, now I have to decide which language I will write the application in.

Sure, I could write it with Perl, Ruby, etc. But right now I am working a lot with C# and want to get a good grasp of the language.

HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache

From reading through these entries, my understanding of this issue is that the values that you see under the MUICache key are not placed there by the executable, but by the shell (i.e., Explorer.exe). Therefore, when a technical description of malware states that the executable "creates an entry under the MUICache key", this isn't technically correct. In fact, what's happening is that the shell is creating the entry when the malware is run.

HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed is the seed for the cryptographic random number generator.

Learn about MS Cryptography

HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags

This is where MS Windows stores "window" positions.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams

Windows saves size and location information for up to 28 different windows. Each window's size and location parameters are stored in a subkey of the Streams key. The subkeys are assigned sequentially on a per-user basis. For example, when a new user logs on, the first window's parameters are stored in the subkey named 0. The second window's parameters are stored in a subkey named 1. After 28 subkeys have been created and a new window is opened, the parameters for the twenty-ninth window overwrite the parameters for one of the first 28 windows. When a window for which the parameters were overwritten is opened, the window opens with the default parameters for that window.

Windows stores the association for the Streams subkeys with a particular window in the following location:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist

MRU (Most Recently Used) and MFU (Most Frequently Used) information for the current user.
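An added example, not the post's own code and not the C# tool the author mentions: a Python filter that takes the key list a snapshot produced and separates the keys listed above, which describe the capturing workstation's shell state and RNG seed rather than the application, from the keys worth shipping. The HKCU/HKLM abbreviations, the .reg-style bracket handling and the ExampleVendor sample keys are constructed for the example.

```python
# Added example: drop the capturing workstation's per-user shell state and
# the CryptoAPI RNG seed (the keys listed above) from a snapshot key list.

# Hive abbreviations as written in .reg exports and tool output (assumed input).
HIVE_ALIASES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE"}

# Keys named in the post; a captured key equal to or beneath one is noise.
NOISE_PREFIXES = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed",
)

def normalize(key):
    """Expand the hive abbreviation and fold case so prefixes compare reliably."""
    key = key.strip().strip("[]")           # tolerate .reg-style "[HKCU\...]"
    hive, sep, rest = key.partition("\\")
    return (HIVE_ALIASES.get(hive.upper(), hive) + sep + rest).lower()

def is_noise(key):
    """True if the key is one of the listed keys or lies under one of them."""
    norm = normalize(key)
    return any(norm == p.lower() or norm.startswith(p.lower() + "\\")
               for p in NOISE_PREFIXES)

def split_snapshot(keys):
    """Return (keys_to_keep, keys_to_drop), preserving the snapshot order."""
    keep, drop = [], []
    for k in keys:
        (drop if is_noise(k) else keep).append(k)
    return keep, drop

# Constructed sample of what a snapshot before/after diff might capture.
SAMPLE_KEYS = [
    r"HKLM\SOFTWARE\ExampleVendor\ExampleApp\1.0",
    r"HKCU\Software\ExampleVendor\ExampleApp",
    r"HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache",
    r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\12\Shell]",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\3",
    r"HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed",
]

if __name__ == "__main__":
    keep, drop = split_snapshot(SAMPLE_KEYS)
    print("keep:", keep, "\ndrop:", drop)
```

Only the first two sample keys survive; the shell-state keys and the RNG seed are dropped whether written in full, abbreviated, or in .reg bracket form.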

Methodically Troubleshooting

Today I spent a great deal of time trying to track down what appeared to be a problem with Novell Identity Management. User passwords were not syncing between Active Directory and eDirectory, which I needed so that machines running only the Microsoft agent could use ZENworks Desktop Management. It was a real pain; as happens many times, there were multiple causes for the failure.

I was reminded how critical it is to methodically troubleshoot issues. You want to verify each part is working before you go to the next connector or piece of the puzzle.

In this case, passwords that were being set on the AD side were not unique enough for eDirectory, but we never saw an error for this. I easily could have manually set the same password in eDirectory, tested it, and seen the problem instantly.

A self-signed certificate had become invalid on the second day of troubleshooting. It seems that one of the engineers revoked the certificate without reimporting the new certificate. This was a tricky one to find, as I wasn't looking for this type of error since the system had been connecting just fine.

Wednesday, October 04, 2006

Reporting ZENworks Last Inventory Date

Today I needed a script listing all workstations imported by ZENworks in eDirectory, reporting the last inventory scan date. With a few lines of code, this was accomplished.

Converting the inventory scan date was the hardest part, as this was something I hadn't done before. Here's the code I used to convert the date.

I first had to divide the value of the inventory scan date by 1000, then I could run getdate (a built-in function) and then send the results to be echoed to a table.

// Convert a ZENworks inventory scan date (milliseconds since the Unix epoch)
// into a getdate() array. getdate() expects whole seconds, so divide by 1000
// and truncate before calling it.
function calc_time($z) {
    $seconds = (int) ($z / 1000);
    return getdate($seconds);
}

You can download the whole script here

OES Linux: an Enterprise Server in your network

Last week I had the pleasure of configuring 4 OES Linux SLES servers in a production environment. Normally this would be an average task for me with nothing exciting, except that additional goals existed.

The environment consisted of ESX 2.5x, a SAN and other existing NetWare ESX boxes. The goal was to consolidate the existing 13 NetWare file servers to a 4 node cluster and use SLES, which seems to handle memory better than NetWare when running on ESX. I was also to configure templates with the OES SLES configuration so that it would be easy for the customer to deploy additional servers as required with minimal cleanup.

I was able to configure SLES with very few tweaks in such a way that the admin could have a SLES server fully functional in 15 minutes. It was very beautiful.

Tuesday, October 03, 2006

You must understand what you support

It is an unrealistic idea that you as the admin can support products that you do not understand. Sure, that is a FAR LEFT comment, but it's true.

Sure we all have somewhere to start, but a good admin will at least scan the readme, install docs, and knowledge base before calling the product stupid. Generally products are as great as you know them.

I see this again and again: admins become very frustrated with ZENworks because they have not taken the time to understand what they are doing. You must at least have a 10,000 ft view of the product and how it functions. Otherwise it is hopeless.

Novell Asset Management

Novell purchased Tally Systems a while back, and I would like to say it's probably one of the best purchases they have made.
Tally, now Novell Asset Management, is one of the most powerful inventory systems available. The amount of information it records and how the information is made available is truly amazing.

I started posting content for ZAM on the Novell Wiki pages. You can view this content here.

Power of coding

I think programming has a bigger effect on one's life than many realize.

Step back a minute and use an example. Would you rather build than repair something? Wouldn't you rather have a new car than fix the old car?

Being an IT engineer or technician always fixing fires has an effect on your outlook on life. Compare that to programming: creating new things, designing, using your imagination.

I have always dabbled in programming: C, PHP, and now C#. I jumped head-first in with Mono and love it. Concepts, examples, and understanding have been my life lately and I love it.