thebackroomtech » DNS

Creating eDirectory SSL certificates with alternate names to use across round robin DNS load balanced web servers

admin — Tue, 14 Oct 2008 11:23:16 +0000

We have three internal Apache web servers that we use for Groupwise webaccess 7.0.3. Each server will be accessed acrossed our intranet via round robin DNS at https://webaccess/gw/webacc for email. When users currently access this URL they are getting Internet Explorer Security Alerts, stating:

The name on the security cerrtificate is invalid or does not match the name of the site. Do you want to proceed?

In order to fix this issue, I need to install SSL certificates on each individual server and configure Apache to use the new certificates. I also needed to configure my web browser to trust the issuing Certificate Authority.

I chose to use our existing Novell Organizational CA to issue the certificates rather than purchase one from Verisign or other Trusted Root Certification Authority since these sites would only be accessed across the corporate intranet.

We had one additional requirement – each server still needed to be accessed via https at https://servername for Novell Remote Manager and iManager. This meant the three servers had to have valid SSL certificates for multiple host names, i.e. both their actual name and the webaccess name.

The Environment

Three Netware 6.5.5 server running Apache 2.0.54 for Netware. Servers are named web1, web2, and web3
ConsoleOne 1.3.6f
Novell Certificate Server Snapin version 2.21 Build 28
Internet Explorer 6 web browser

Creating the server SSL certificates

1. Launch ConsoleOne

2. Browse to the OU that holds the servers you wish to create certificates for.

3. Right click on the server OU

4. Select New – Object – NDSPKI:Key Material – OK

5. Select the server name you want to create the certificate for, and give the certificate a meaningful name. I named mine intwebaccessweb1

6. Under Creation Method, select Custom – Next

7. Select Organizational Certificate Authority will sign this certificate – Next

8. Accept the defaults of 2048 bit key size, SSL or TLS type, and allow the private key to be exported – Next

9. This is an important part – The subject name must match how you will be accessing your server over https for iManager and NRM. Click the Edit button, then click the double arrow button to the right of the subject name. This will move the .CN= portion of the name to the left side of the box.

Replace everything from .CN= to .OU= (or .O=) with the name you will be accessing your server with.

Since I will be accessing my server at https://web1, I used .CN=web1.O=myOrg.

If you will be accessing your server for iManager, NRM, or other non-shared services at https://www.yourdomain.com you would enter .CN=www.yourdomain.com.O=yourOrg

10. Press OK to accept the subject name.

11. Change the validity period to what ever duration you would like your certificate to be valid for. I selected maximum, which will make it good until the certificate for my Organizational CA expires.

12. Press the Add Name button – here is where we specify our secondary name we want the SSL certificate to be valid for.

13. Highlight the existing Directory name and press Delete.

14. Click Create – DNS Name

15. Specify the host name you will be sharing amongst your web servers. This is sometimes referred to as a DNS Subject Alternate Name

I specified webaccess – OK – OK – Next. Again, if you will be accessing your shared web server at https://www.yourdomain.com, specify www.yourdomain.com as the DNS name.

16. Select to associate this server certificate with Your organization’s certificate – Next – Finish

I then repeated these steps for my other two web servers, replacing in steps 5 and 9 ‘web1′ with ‘web2′ and ‘web3′, which are the real host names of my other web servers. Step 15 remains the same, since this is the common name I want all three web servers to respond to.

Configuring Apache to use the new SSL certificates

1. On the first web server edit the sys:\Apache2\conf\httpd.conf file.

2. Replace the line reading

SecureListen 443 “SSL CertificateDNS”

with

SecureListen 443 “intwebaccessweb1″

where intwebaccessweb1 is the name of the web server you created in the section above. Note that the certificate object will be displayed in ConsoleOne as ‘intwebaccessweb1 – web1′. Do not include the hyphen and server name, i.e. ‘ – web1‘ in the SecureListen statement.

3. Save the httpd.conf file

4. On the web server console, run ap2webdn to unload Apache

5. On the web server console run tc4stop to stop Tomcat

6. On the web server console, run tckeygen to update the keystore data. Switch to the logger screen to verify the process completes before proceeding to the next step.

7. On the web server console, run tomcat4 to load Tomcat. Switch to the logger screen to verify the process completes before proceeding to the next step.

8. On the web server console, run ap2webup to load Apache.

9. Browse to the shared name of your web server, https://webaccess/gw/webacc in my case. Note that you will still receive the Security Alert pop-up until you install the Organizational CA certificate into your Trusted Root Certification Authorities store, which I’ll document tomorrow.

10. On the Security Alert pop-up, you should see the message stating The security certificate has a valid name matching the name of the page you are trying to view.

This means your SSL certificate is valid for the host name shared by the web servers.

11. Browse to https://web1, which is the host name of one of your web servers defined in step 9 of Creating the server SSL certificates.

Again, you’ll still receive the Security Alert until you install the Organizational CA certificate into your Trusted Root Certification Authorities store, but you should see The security certificate has a valid name matching the name of the page you are trying to view. This means your SSL certificate is valid for the host name for this specific web server.

Here are the instructions for installing the Organizational CA certificate into your browser’s Trusted Root Certification Authorities store, which is the final thing we’ll need to do to rid ourselves of the Internet Explorer’s Security Alerts.

CMU announces free Firefox add-on to increase browser security against DNS flaw and digital signature problems

admin — Tue, 26 Aug 2008 08:32:45 +0000

Carnegie-Mellon University is making available a free add-on for Firefox 3.0 that’s intended to increase browser security.

The Firefox add-on was developed at the university’s School of Computer Science and College of Engineering and is available for free download. The Perspectives software not only protects Firefox users against attacks that might occur because of the recently disclosed software flawin the DNS, but it also defends against some digital certificate problems.

The extension provides two primary benefits:

If you connect to a website with an untrusted (e.g.,self-signed certificate)*, Firefox will give you a very nasty security error and force you to manually install an exception. Perspectives can detect whether a self-signed certificate is valid, and automatically overrides the annoying security error page if it is safe to do so.
It is possible that an attacker may trick one of the many Certificate Authorities trusted by Firefox into incorrectly issuing a certificate for a trusted website. Perspectives can also detect this attack and will warn you if things look suspicious.

* The same is true for HTTPS sites with certificates that contain mismatched domain names (e.g., www.gmail.com uses a certificate for mail.google.com) or certificates that are expired.

Because of the API used, the code only works in Firefox 3.x, not Firefox 2.x.

How it works, from the CMU web page:

“Perspectives is a new approach to help clients securely identify Internet servers in order to avoid “man-in-the-middle” attacks. Perspectives is simple and cheap compared to existing approaches because it automatically builds a robust database of network identities using lightweight network probing by “network notaries” located in multiple vantage points across the Internet.”

Original Source: networkworld.com

Novell has released patches for DNS cache poisoning vulnerability

admin — Wed, 30 Jul 2008 12:45:14 +0000

Novell has released patches for novell-bind on OES2 and named.nlm on Netware that address the deficiencies in the DNS protocol and common DNS implementations that facilitate DNS cache poisoning attacks described in CVE-2008-1447.

Patches for bind running on SuSE Enterprise Linux Server (SLES) 9 and 10, plus openSUSE 10.2, 10.3, and 11.0 were released previously.

See TID 7000912 for details. Security patches are available from the Novell download site.

These patches should be applied as soon as possible. Metasploit exploits of this vulnerability are already available.

Multivendor DNS Flaw auditing tool

admin — Thu, 17 Jul 2008 05:47:41 +0000

Earlier I discussed the multivendor DNS flaw and linked to Dan’s web page that contains a tool you can run to see if your DNS servers are vulnerable to cache poisioning.

Jose has developed a basic open source tool called CacheAudit that can be used to determine if the cache on your DNS server has been poisoned. He describes the tool’s operation as:

“The overall concept was to take periodic dumps of the in-memory cache from the recursive server, validate these dumps against the authoritative name servers, and peer recursive name servers, alerting when something could not be validated.”

You can also view his presentation on Recursive DNS cache auditing.

Test for Multivendor DNS Flaw

admin — Fri, 11 Jul 2008 10:15:48 +0000

By now, everyone on the Internet is aware of the fundamental flaw in DNS that all major vendors released security patches for this week. Dan Kaminsky, the security researcher who discovered the cache poisoning bug, has developed a test for this flaw that you can find at his web site.

Many people have downplayed this flaw, saying it’s not as serious as some speculate, since only recursive DNS servers are at risk. Maybe that’s true, but who uses these DNS servers? All DNS clients, from workstations to servers to routers. And if the DNS servers have their caches poisoned, they can redirect these unsuspecting clients to potentially malicious web sites.

Dan, who is an expert in all things DNS, has this advice for network administrators:

“If it recurses, patch it. I don’t care if it’s firewalled. Patch it, or kill it.”

Dan has purposely not released details on the DNS vulnerability so that users will hopefully have time to patch their systems prior to exploits being developed. Dan is scheduled to reveal all the details at Blackhat on August 7th, so stay tuned. For more details, see the CERT vulnerability notes for VU#800113. Dan was also interviewed by Rich at the Network Security Podcast, where he goes into more detail on the issues.

Also note that the ISC has put out a temporary patch for BIND 8, but because of legacy issues, they are suggesting BIND 8 be retired. The ISC has some nice documentation on the BIND 8 to BIND 9 migration process.

Mark’s Windows 2008 DNS Server Command Line Cheat Sheet

admin — Mon, 24 Mar 2008 10:03:01 +0000

If you’re a command line type administrator like myself you’ll want to check out Mark’s Mark’s DNS Server command line cheat sheet. He’s summarized the Windows Server 2008 CLI commands relating to DNS administration.

Function	DNSCMD option	Example	Comments
Do any dnscmd command on a remote system	dnscmd servername command	dnscmd main.bigfirm.com /zoneprint bigfirm.com
Create a primary zone	dnscmd /zoneadd zonename /primary	dnscmd /zoneadd bigfirm.com /primary
Create a secondary zone	dnscmd /zoneadd zonename /secondary master IP address	dnscmd /zoneadd bigfirm.com /secondary 192.168.1.1
Host a zone on a server based on an existing (perhaps restored) zone file	dnscmd /zoneadd zonename /primary /file filename /load	dnscmd /zoneadd bigfirm.com /primary /file bigfirm.com.dns /load
Delete a zone from a server	dnscmd /zonedelete zonename [/f]	dnscmd /zonedelete bigfirm.com /f	(without the /f, dnscmd asks you if you really want to delete the zone)
Show all of the zones on a DNS server	dnscmd /enumzones	dnscmd /enumzones
Dump (almost) all of the records in a zone	dnscmd /zoneprint zonename	dnscmd /zoneprint bigfirm.com	Doesn’t show glue records.
Add an A record to a zone	dnscmd /recordadd zonename hostname A ipaddress	dnscmd /recordadd bigfirm.com mypc A 192.168.1.33
Add an NS record to a zone	dnscmd /recordadd zonename @ NS servername	dnscmd /recordadd bigfirm.com @ A dns3.bigfirm.com
Delegate a new child domain, naming its first DNS server	dnscmd /recordadd zonename childname NS dnsservername	dnscmd /recordadd bigfirm.com test NS main.bigfirm.com	This would create the “test.bigfirm.com” DNS child domain unter the bigfirm.com DNS domain
Add an MX record to a zone	dnscmd /recordadd zonename @ MX priority servername	dnscmd /recordadd bigfirm.com @ MX 10 mail.bigfirm.com
Add a PTR record to a reverse lookup zone	dnscmd /recordadd zonename lowIP PTR FQDN	dnscmd /recordadd 1.168.192.in-addr.arpa 3 A pc1.bigfirm.com	This is the PTR record for a system with IP address 192.168.1.3
Modify a zone’s SOA record	dnscmd /recordadd zonename @ SOA primaryDNSservername responsibleemailipaddress serialnumber refreshinterval retryinterval expireinterval defaultTTL	dnscmd /recordadd bigfirm.com @ SOA winserver.bigfirm.com mark.bigfirm.com 41 1800 60 2592000 7200	Ignores the serial number if it’s not greater than the current serial number
Delete a resource record	dnscmd /recorddelete zonename recordinfo [/f]	dnscmd /recorddelete bigfirm.com @ NS main.bigfirm.com /f	Again, “/f” means “don’t annoy me with a confirmation request, just do it.”
Create a resource record and incorporate a nonstandard TTL	dnscmd /recordadd zonename leftmostpartofrecord TTL restofrecord	dnscmd /recordadd bigfirm.com pc34 3200 A 192.168.1.4
Reload a zone from its zone file in \windows\system32\dns	dnscmd /zonereload zonename	dnscmd /zonereload bigfirm.com	Really only useful on primary DNS servers
Force DNS server to flush DNS data to zone file	dnscmd /zonewriteback zonename	dnscmd /zonewriteback bigfirm.com
Tell a primary whom to allow zone transfers to	dnscmd /zoneresetsecondaries zonename /nonsecure\|securens	dnscmd /zoneresetsecondaries bigfirm.com /nonsecure	That example says to allow anyone who asks to get a zone transfer
Enable/disable DNS NOTIFY	dnscmd /zoneresetsecondaries zonename /notify\|/nonotify	dnscmd /zoneresetsecondaries bigfirm.com /nonotify	Example disables DNS notification, which is contrary to the default settings.
Tell a secondary DNS server to request any updates from the primary	dnscmd /zonerefresh zonename	dnscmd /zonerefresh bigfirm.com
Enable or disable dynamic DNS on a zone	dnscmd /config zonename /allowupdate 1\|0	1 enables, 0 disables, 0 is default
Stop the DNS service	Either net stop dns or sc stop dns		(No dnscmd command for this)
Start the DNS service	Either net start dns or sc start dns		(No dnscmd command for this)
Install the DNS service on a 2008 full install system	servermanagercmd -install dns
Install the DNS service on a 2008 Server Core system	ocsetup DNS-Server-Core-Role		Case matters — ocsetup dns-server-core-role would fail
Uninstall the DNS service on a 2008 Server full install system	servermanagercmd -remove dns
Uninstall the DNS service on a 2008 Server Core system	ocsetup /uninstall DNS-Server-Core-Role

You’ll need to become intimately familiar with administering DNS via the command line if you’re running the Server Core version of Windows 2008.

thebackroomtech » DNS

Creating eDirectory SSL certificates with alternate names to use across round robin DNS load balanced web servers

Related Posts

CMU announces free Firefox add-on to increase browser security against DNS flaw and digital signature problems

Related Posts

Novell has released patches for DNS cache poisoning vulnerability

Related Posts

Multivendor DNS Flaw auditing tool

Related Posts

Test for Multivendor DNS Flaw

Related Posts

Mark’s Windows 2008 DNS Server Command Line Cheat Sheet

Related Posts