DISCLAIMER
Please use this method with discretion; I am not responsible for any damage caused by the method below.
Problem Description:
There's an issue when using 6 GB of RAM on the T410/T410i that results in the screen
flickering black for a few seconds when using the Lenovo-supplied driver v8.16.11.8955. It
normally happens on 64-bit Windows 7; as far as I know the 32-bit OS does not have this issue.
The black flash/flicker usually happens when I am resizing or maximizing an application window.
I checked the Windows Event Viewer and found the following error:
Log Name: Application
Source: Desktop Window Manager
Date: 7/24/2010 7:32:21 PM
Event ID: 9020
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer:
Description:
The Desktop Window Manager has encountered a fatal error (0x8007000e)
Error 7/24/2010 7:32:21 PM Desktop Window Manager 9020 None
Solution:
1. Download the latest NVIDIA driver:
http://us.download.nvidia.com/Windows/257.21/257.21_notebook_winvista_win7_64bit_international_whql.exe
2. Double-click it. You need to exit the setup application when it launches for the
first time.
3. Modify the file NVLT.inf.
Open C:\NVIDIA\DisplayDriver\257.21\WinVista_Win7_64\International\Display\NVLT.inf
in Notepad and change the following line (you can use Ctrl+F to find it), located in
the [NVIDIA_SetA_Devices.NTamd64.6.1] section, from:
%NVIDIA_DEV.0A6C.01% = Section054, PCI\VEN_10DE&DEV_0A6C&SUBSYS_21C017AA
to
%NVIDIA_DEV.0A6C.01% = Section054, PCI\VEN_10DE&DEV_0A6C&SUBSYS_214217AA
4. Disable automatic driver installation for the graphics card NVIDIA NVS 3100M.
4.1 Go to Start->Search and type in gpedit.msc.
4.2 Click the file to open the Local Group Policy Editor and show Windows who is in
control!!
4.3 Go to Computer Configuration->Administrative Templates->System->Device
Installation. Click the Device Installation subfolder on the left, and on the right
side you will see the possible restrictions.
4.4 Right-click "Prevent installation of devices that match any of these device IDs"
and edit this setting; set it to ENABLED.
4.5 Click the "Show..." button in the "Options" section below.
4.6 Add the value "NVIDIA NVS 3100M", then click "OK" to save the value.
4.7 Click "OK" in the policy editing window.
5. Uninstall the existing Lenovo NVIDIA driver; it will ask you to reboot, so reboot.
6. After your computer starts up, revert everything you did in step 4 ("Disable
automatic driver installation for the graphics card NVIDIA NVS 3100M") so that automatic driver installation is allowed again.
7. Install the NVIDIA driver.
Go to C:\NVIDIA\DisplayDriver\257.21\WinVista_Win7_64\International\Display and
run "setup.exe" to start the installation. Click "Yes" to accept the unsigned
driver when the unsigned-driver warning appears.
8. Restart your computer.
9. Done. Everything is OK so far, and even the auto-brightness is working too.
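Step 3 hard-codes the subsystem ID SUBSYS_214217AA into the INF, so it is worth confirming that your own NVS 3100M reports the same VEN/DEV/SUBSYS values before editing. The PowerShell below is an added example, not part of the original post: it reads the adapter's PnP instance path from the real WMI class Win32_PnPEntity and then checks whether NVLT.inf (path from step 3) already contains a line for that hardware ID. The function name Get-NvidiaPciIds is my own. The PCI\VEN_...&DEV_... form it prints is also the form the device-ID policy in step 4 matches.

```powershell
# Added example (not from the original post): list the NVIDIA adapter's PnP hardware IDs
# so the VEN/DEV/SUBSYS values can be confirmed before NVLT.inf is edited in step 3.
# Win32_PnPEntity.DeviceID holds the instance path, e.g.
#   PCI\VEN_10DE&DEV_0A6C&SUBSYS_214217AA&REV_A2\4&...
# The SUBSYS_ value must equal the one written into the INF.

function Get-NvidiaPciIds {
    Get-WmiObject -Class Win32_PnPEntity |
        Where-Object { $_.DeviceID -like 'PCI\VEN_10DE*' } |
        ForEach-Object {
            $m = [regex]::Match($_.DeviceID, 'VEN_(?<ven>[0-9A-F]{4})&DEV_(?<dev>[0-9A-F]{4})&SUBSYS_(?<sub>[0-9A-F]{8})')
            if ($m.Success) {
                $ven = $m.Groups['ven'].Value; $dev = $m.Groups['dev'].Value; $sub = $m.Groups['sub'].Value
                New-Object PSObject -Property @{
                    Name       = $_.Name
                    Subsys     = $sub
                    HardwareId = ('PCI\VEN_{0}&DEV_{1}&SUBSYS_{2}' -f $ven, $dev, $sub)   # must appear in the INF
                }
            }
        }
}

# Path from step 3 of the post
$inf = 'C:\NVIDIA\DisplayDriver\257.21\WinVista_Win7_64\International\Display\NVLT.inf'

$ids = Get-NvidiaPciIds
$ids | Format-Table Name, Subsys, HardwareId -AutoSize

if (Test-Path $inf) {
    foreach ($id in $ids) {
        # Select-String takes a regex, so escape the backslashes in the hardware ID
        $hit = Select-String -Path $inf -Pattern ([regex]::Escape($id.HardwareId)) | Select-Object -First 1
        if ($hit) { "NVLT.inf already lists $($id.HardwareId) (line $($hit.LineNumber))" }
        else      { "NVLT.inf has no entry for $($id.HardwareId); edit the Section054 line as in step 3" }
    }
}
```

If the Subsys column shows something other than 214217AA, use your own value in the step 3 edit rather than the one quoted in the post.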
Friday, July 23, 2010
Thursday, April 29, 2010
Configure SSL: install the CA root certificate on the target AD server
Configuring Active Directory LDAP SSL using a Windows 2003 Enterprise CA
Overview
Requirements for an LDAPS certificate
To enable LDAPS, you must install a certificate that meets the following requirements:
•The LDAPS certificate is located in the Local Computer's Personal certificate store (programmatically known as the computer's MY certificate store).
•A private key that matches the certificate is present in the Local Computer's store and is correctly associated with the certificate. The private key must not have strong private key protection enabled.
•The Enhanced Key Usage extension includes the Server Authentication (1.3.6.1.5.5.7.3.1) object identifier (also known as OID).
•The Active Directory fully qualified domain name of the domain controller (for example, DC01.DOMAIN.COM) must appear in one of the following places:
  •The Common Name (CN) in the Subject field.
  •A DNS entry in the Subject Alternative Name extension.
•The certificate was issued by a CA that the domain controller and the LDAPS clients trust. Trust is established by configuring the clients and the server to trust the root CA to which the issuing CA chains.
•You must use the Schannel cryptographic service provider (CSP) to generate the key.
1. Create the .inf file. Following is a sample testdomain.inf file that can be used to create the
certificate request.
;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=demo.testdomain.com" ; replace with the Full computer name of the DC
KeySpec = 1
KeyLength = 1024
; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
;-----------------------------------------------
Save it as a file named request.inf, then put this file in the folder c:\certreq.
2. Create the certificate request.
a). Log in to the server on which we want to configure SSL.
b). Create a directory c:\certreq, and copy request.inf to this directory.
c). Open a command prompt, and type cd c:\certreq
d). Create the certificate request: type the following command and then press Enter:
certreq -new request.inf request.req
A new file called request.req is then created; this is the Base64-encoded request
file.
Note: make sure you issue the command from within directory c:\certreq, otherwise
certreq won't find request.inf.
If we open request.req, we will see something similar to the following:
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIDrDCCAxUCAQAwga8xCzAJBgNVBAYTAk1ZMS8wLQYDVQQIHiYAVwBpAGwAYQB5
AGEAaABfAFAAZQByAHMAZQBrAHUAdAB1AGEAbjEQMA4GA1UEBxMHUmVkbW9uZDEQ
MA4GA1UEChMHQ29udG9zbzEQMA4GA1UECxMHU2VydmVyczEXMBUGA1UEAxMOdGVz
dGRvbWFpbi5jb20xIDAeBgkqhkiG9w0BCQEWEWFkbWluQGNvbnRvc28uY29tMIGf
MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCZVBtAuRmcpLgLIzhHBEYtqXIlt6CY
O4hZl+pByrSm5OgeT8ZF3NMhKeFBh4fKAyoAe39PbaStyabTsfYBbDML6pWooQSF
armmhRsnGw/afO+fO8134ko2Gty8E6yLsatX9br9tOoosBT2jsyV4Aizd/rMUfXK
1b0BR0YqBPKi3wIDAQABoIIBujAaBgorBgEEAYI3DQIDMQwWCjUuMi4zNzkwLjIw
SgYJKwYBBAGCNxUUMT0wOwIBAQwTZGVtby50ZXN0ZG9tYWluLmNvbQwYVEVTVERP
TUFJTlxBZG1pbmlzdHJhdG9yDAdjZXJ0cmVxMFAGCSqGSIb3DQEJDjFDMEEwHQYD
VR0OBBYEFJht4ESvBmzKPgeVA5GazOToBQrDMBMGA1UdJQQMMAoGCCsGAQUFBwMB
MAsGA1UdDwQEAwIFoDCB/QYKKwYBBAGCNw0CAjGB7jCB6wIBAR5aAE0AaQBjAHIA
bwBzAG8AZgB0ACAAUgBTAEEAIABTAEMAaABhAG4AbgBlAGwAIABDAHIAeQBwAHQA
bwBnAHIAYQBwAGgAaQBjACAAUAByAG8AdgBpAGQAZQByA4GJAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwDQYJKoZIhvcNAQEFBQADgYEA
ak5GUMARkeMtWYkJezIuia5WfslHPCBpFmm+YAfg8UUXW2XqCMcMgPNVwMTYWwW/
KHFjQcnl+Qxw0fKKUeSOU03nMctSeO4KjUpknXVbdQxubCNFRtRHo9a6Uk6C6HnZ
dp0M6guDMaP1yYQg+j98ZLf9o/JpBzA1/P+TaNjg4yk=
-----END NEW CERTIFICATE REQUEST-----
Alternatively, you can use the following command to view your request:
certutil -dump request.req
You'll get the following result:
-----------------------------------------------------------------
PKCS10 Certificate Request:
Version: 1
Subject:
CN=demo.testdomain.com
Public Key Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA
Algorithm Parameters:
05 00
Public Key Length: 1024 bits
Public Key: UnusedBits = 0
0000 30 81 89 02 81 81 00 a2 6c c5 27 30 ef 9c bb 3b
0010 d6 9b 76 4c 4b 1b 57 77 5f 2c 67 1f 1d 82 4b ac
0020 5b fa 4b 00 c8 c5 74 24 73 4d ea 74 9b 96 73 a0
0030 45 1f 5d 50 0d 1a ef 7b 26 de f1 06 d3 58 4d f0
0040 09 1c 9a b8 8d d0 04 fc 38 a2 12 60 fe 0c f5 a6
0050 f4 c1 a4 73 3d 6c 5e ff 05 38 9f 19 c5 34 20 14
0060 f8 7d 4a 2a 01 23 00 6d 3a d7 1f d1 62 00 f9 3e
0070 72 d2 d8 ae 06 ad 95 25 2e 10 e6 5e a8 28 ac 4a
0080 c4 c4 c6 f6 87 64 91 02 03 01 00 01
Request Attributes: 4
4 attributes:
Attribute[0]: 1.3.6.1.4.1.311.13.2.3 (OS Version)
Value[0][0]:
5.2.3790.2
Attribute[1]: 1.3.6.1.4.1.311.21.20 (Client Information)
Value[1][0]:
Unknown Attribute type
Client Id: = 1
XECI_XENROLL -- 1
User: TESTDOMAIN\Administrator
Machine: demo.testdomain.com
Process: certreq
Attribute[2]: 1.2.840.113549.1.9.14 (Certificate Extensions)
Value[2][0]:
Unknown Attribute type
Certificate Extensions: 3
2.5.29.14: Flags = 0, Length = 16
Subject Key Identifier
ea 5c 6c 68 e5 9b 23 3b a5 8f ab 06 c9 85 d6 fc d4 6a ff fe
2.5.29.37: Flags = 0, Length = c
Enhanced Key Usage
Server Authentication (1.3.6.1.5.5.7.3.1)
2.5.29.15: Flags = 0, Length = 4
Key Usage
Digital Signature, Key Encipherment (a0)
Attribute[3]: 1.3.6.1.4.1.311.13.2.2 (Enrollment CSP)
Value[3][0]:
Unknown Attribute type
CSP Provider Info
KeySpec = 1
Provider = Microsoft RSA SChannel Cryptographic Provider
Signature: UnusedBits=0
0000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Remaining 78 bytes are zero
Signature Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
Algorithm Parameters:
05 00
Signature: UnusedBits=0
0000 4d 03 97 19 5e 3a 2f f9 2b 55 6b 40 e7 01 02 be
0010 c1 bf 11 88 c0 30 05 c4 59 4a 88 a9 04 bd 67 64
0020 2c 00 55 68 e4 93 39 d3 f7 9f 68 96 d4 8d 3d 4c
0030 c0 18 ae 08 6c 4a a3 c7 b4 33 97 3a a4 b2 a9 08
0040 f3 a9 a8 50 00 ae fc d2 e6 27 6c c8 85 92 e7 4b
0050 f0 3f f0 3a ad c1 12 23 39 85 a8 1c 4a 05 64 bf
0060 80 70 2f a1 8c f8 98 95 45 54 5c d2 9c 92 e9 f4
0070 0b 79 ad 0a a3 69 23 c1 78 95 b9 d3 23 5c 91 3c
Signature matches Public Key
Key Id Hash(sha1): ea 5c 6c 68 e5 9b 23 3b a5 8f ab 06 c9 85 d6 fc d4 6a ff fe
CertUtil: -dump command completed successfully.
---------------------------------------------------------------------------
Check that the subject is: CN=demo.testdomain.com
3. Submit the request to a CA.
We are going to submit the request to a Microsoft Windows 2003 Enterprise CA
that we have installed on another server.
We still need the certreq.exe command to complete this step.
a). Log in to the server that has the CA installed.
b). Create a directory c:\certreq, and copy request.req to this directory.
c). Open a command prompt, and type cd c:\certreq
d). Submit the certificate request using the command below:
certreq -submit -attrib "Certificate Template: DomainControllerAuthentication" request.req
You will be prompted to select a certificate authority; click OK.
If you see the following error:
-------------------------------------------------------------------------------------------
Certificate not issued (Denied) Denied by Policy Module The DNS name is unavaila
ble and cannot be added to the Subject Alternate name. 0x8009480f (-2146875377)
Certificate Request Processor: The DNS name is unavailable and cannot be added t
o the Subject Alternate name. 0x8009480f (-2146875377)
Denied by Policy Module
-------------------------------------------------------------------------------------------
Solution to this issue:
1). Click Start->Run, then key in the command mmc.
2). Click File in the mmc console, then select Add/Remove Snap-in...
3). Click the Add... button in the Add/Remove Snap-in dialog.
4). Select Certificate Templates, then click Add.
5). Close the Available Standalone Snap-ins window from step 4).
6). You will see "Certificate Templates" listed; click OK.
7). Find "Domain Controller Authentication" in "Console Root\Certificate Templates".
8). Double-click "Domain Controller Authentication" to open it.
9). You can change the validity of a certificate in the "Domain Controller Authentication
Properties" window; change it to 10, meaning this certificate will be valid for 10 years.
10). Select the "Subject Name" tab, then select "Supply in the request" and click Apply.
11). Select the "Security" tab, select "Authenticated Users", and in the permissions for
Authenticated Users section make sure "Allow" is checked for Enroll. Click OK to close the "Domain
Controller Authentication Properties" window.
12). Re-submit the certificate request using the following command:
certreq -submit -attrib "Certificate Template: DomainControllerAuthentication" request.req
Note: make sure you are in directory c:\certreq.
It will ask which CA to use; select the first one in the dialog and click OK.
e). If no error was prompted in step d), the certreq utility will ask you to save the signed
certificate; save it to the desktop, named demo.testdomain.com.cer.
-----------------------------------------------------------------------------
Note that for Windows 2000, use the command below:
certreq -submit -attrib "CertificateTemplate: DomainController" request.req
-------------------------------------------------------------------------
4. Accept the certificate.
a). Log in to the AD server on which you want to install the server certificate.
b). Copy the newly issued certificate to directory c:\certreq.
c). Open a command prompt and navigate to c:\certreq.
d). Accept the server certificate using the command below:
certreq -accept demo.testdomain.com.cer
If no error is prompted, that means we have installed the server certificate successfully.
But SSL communication is not yet enabled; that's why we need the next step:
5. Install the CA root certificate on the target AD server.
a). Copy the CA root certificate "PortaldomCA.cer" to the target AD server, into directory c:\certreq.
b). Click Start->Run, then key in the command mmc.
c). Click File in the mmc console, then select Add/Remove Snap-in...
d). Click the Add... button in the Add/Remove Snap-in dialog.
e). Select Certificates from the Available Standalone Snap-ins window, then click Add.
f). Select Computer account in the Certificates snap-in window, then click Finish.
g). Close the Available Standalone Snap-ins window from step d).
h). You'll see "Certificates (Local Computer)" in the Add/Remove Snap-in dialog; click OK.
i). Expand "Certificates (Local Computer)", then maximize the Console Root to have
a better view.
j). Right-click "Trusted Root Certification Authorities" and select "All Tasks" -> "Import..."
k). A Certificate Import Wizard will be prompted; click Next>.
l). Navigate to c:\certreq, select PortaldomCA.cer, then click Open.
m). You'll see the root certificate path has been selected; click Next>.
n). In the certificate store dialog, keep the default selection, then click Next>.
o). Click Finish in the "Completing the Certificate Import Wizard" dialog. Congratulations, you have successfully imported the root certificate.
p). Navigate to Personal -> Certificates; you'll see the certificate "demo.testdomain.com".
r). Double-click to open it.
Notice that at the bottom of the certificate window you can see "You have a private key that corresponds to this certificate"; this proves we successfully installed the certificate in step 4.
s). Click the "Certification Path" tab and check the certificate status; you'll see "This
certificate is OK.", meaning the server certificate has been installed and you are ready to communicate with this AD server via SSL.
Note that there is no need to restart the server.
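The Overview lists the requirements the DC's certificate must meet, and step 5 s) ends with the claim that the server is ready for SSL; both can be verified without the mmc. The PowerShell below is an added example, not part of the original post: Test-LdapsCertificate walks the Local Computer Personal (MY) store and checks each certificate for a private key from the Schannel CSP, the Server Authentication EKU, the DC FQDN in the Subject CN or SAN, and a chain to a trusted root; Test-LdapsPort then opens a real TLS session to port 636 and reports the certificate the DC presents. The function names and the $dcFqdn/$serverAuthOid variables are mine; the script assumes it runs on the DC itself, so $dcFqdn is derived from the machine's own DNS name.

```powershell
# Added example (not from the original post): check the Local Computer Personal (MY)
# store against the LDAPS certificate requirements in the Overview, then open a TLS
# session to port 636 to confirm the DC serves a certificate this client trusts.
# Assumes it runs on the DC; $dcFqdn is taken from the machine's own DNS name.

$dcFqdn        = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$schannelCsp   = 'Microsoft RSA SChannel Cryptographic Provider'

function Test-LdapsCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert, [string]$fqdn)

    # Enhanced Key Usage (2.5.29.37) must include Server Authentication
    $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1
    $hasServerAuth = $false
    if ($ekuExt) {
        $hasServerAuth = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $serverAuthOid
    }

    # DC FQDN must be the Subject CN or a DNS entry in the Subject Alternative Name (2.5.29.17)
    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
    $sanDns = @()
    if ($sanExt) {
        # On Windows, Format() renders the SAN as "DNS Name=host1, DNS Name=host2, ..."
        $sanDns = [regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
    }

    # Private key must be present and must come from the Schannel CSP
    $provider = $null
    if ($cert.HasPrivateKey) {
        try { $provider = $cert.PrivateKey.CspKeyContainerInfo.ProviderName } catch { $provider = '(key not readable)' }
    }

    $r = New-Object PSObject -Property @{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey
        Provider      = $provider
        ServerAuthEku = $hasServerAuth
        NameMatches   = ($cn -eq $fqdn) -or ($sanDns -contains $fqdn)
        ChainTrusted  = $cert.Verify()     # builds the chain against the machine's trusted roots
        NotAfter      = $cert.NotAfter
    }
    $ready = $r.HasPrivateKey -and $r.ServerAuthEku -and $r.NameMatches -and $r.ChainTrusted -and ($provider -eq $schannelCsp)
    $r | Add-Member -MemberType NoteProperty -Name LdapsReady -Value $ready -PassThru
}

function Test-LdapsPort {
    param([string]$fqdn, [int]$port = 636)
    $tcp = New-Object System.Net.Sockets.TcpClient($fqdn, $port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($fqdn)   # throws if the name or the chain does not validate
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        New-Object PSObject -Property @{
            Subject    = $remote.Subject
            Thumbprint = $remote.Thumbprint
            Protocol   = $ssl.SslProtocol
        }
    } finally { $tcp.Close() }
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-LdapsCertificate -cert $_ -fqdn $dcFqdn } | Format-List
Test-LdapsPort -fqdn $dcFqdn
```

Run it from an elevated prompt on the DC. LdapsReady is true for exactly the certificate Schannel can use; if Test-LdapsPort throws while that flag is true, the client you are testing from does not yet trust PortaldomCA.cer, which is the same root the post imports in step 5.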
Certificate not issued (Denied) Denied by Policy Module The DNS name is unavailable and cannot be added to the Subject Alternate name. 0x8009480f
I am configuring Active Directory LDAP SSL using a Windows 2003 Enterprise CA; however,
I received the following error while submitting my certificate signing request to the Microsoft 2003 Enterprise CA:
-----------------------------------------------------------------------
Certificate not issued (Denied) Denied by Policy Module The DNS name is unavaila
ble and cannot be added to the Subject Alternate name. 0x8009480f (-2146875377)
Certificate Request Processor: The DNS name is unavailable and cannot be added t
o the Subject Alternate name. 0x8009480f (-2146875377)
Denied by Policy Module
-----------------------------------------------------------------------
Solution to this issue:
1). Click Start->Run, then key in the command mmc.
2). Click File in the mmc console, then select Add/Remove Snap-in...
3). Click the Add... button in the Add/Remove Snap-in dialog.
4). Select Certificate Templates, then click Add.
5). Close the Available Standalone Snap-ins window from step 4).
6). You will see "Certificate Templates" listed; click OK.
7). Find "Domain Controller Authentication" in "Console Root\Certificate Templates".
8). Double-click "Domain Controller Authentication" to open it.
9). You can change the validity of a certificate in the "Domain Controller Authentication
Properties" window; change it to 10, meaning this certificate will be valid for 10 years.
10). Select the "Subject Name" tab, then select "Supply in the request" and click Apply.
11). Select the "Security" tab, select "Authenticated Users", and in the permissions for
Authenticated Users section make sure "Allow" is checked for Enroll. Click OK to close the "Domain
Controller Authentication Properties" window.
12). Re-submit the certificate request using the following command:
certreq -submit -attrib "Certificate Template: DomainControllerAuthentication" request.req
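The fix above (and the identical one in the LDAPS walkthrough) changes three things on the Domain Controller Authentication template: the validity period, the "Supply in the request" subject-name option, and the Enroll permission for Authenticated Users. Those settings live on the template object in the Configuration partition, so they can be audited from the command line. The PowerShell below is an added example, not part of the original posts: it reads msPKI-Certificate-Name-Flag (bit 0x1 is CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, the "Supply in the request" option), decodes pKIExpirationPeriod into years, and lists the principals holding the Certificate-Enrollment extended right. The function name Get-CertTemplateStatus is mine; the script assumes the default CN=Certificate Templates container. The ReviewEnrollAcl flag is the caveat a defender wants here: a template that lets the requester choose the subject name and that broad groups can enroll in lets any domain account obtain a Server Authentication certificate for a name of its choosing, so tighten Enroll to Domain Controllers once the DC certificate has been issued.

```powershell
# Added example (not from the original posts): report the Domain Controller Authentication
# template's validity, "Supply in the request" flag and Enroll permissions straight from
# the Configuration partition. Assumes the default CN=Certificate Templates container and
# a caller that can read the Configuration partition (any domain user can, by default).

$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # "Supply in the request"
$CT_FLAG_SUBJECT_REQUIRE_DNS_AS_CN = 0x10000000   # "Build from AD information": DNS name as CN
$enrollRightGuid = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right

function Get-CertTemplateStatus {
    param([string]$templateCn = 'DomainControllerAuthentication')

    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = $rootDse.Properties['configurationNamingContext'].Value
    $tpl = [ADSI]"LDAP://CN=$templateCn,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

    $nameFlag = [int]$tpl.Properties['msPKI-Certificate-Name-Flag'].Value

    # pKIExpirationPeriod is an 8-byte negative count of 100 ns intervals
    $expBytes = [byte[]]$tpl.Properties['pKIExpirationPeriod'].Value
    $years    = [math]::Round(-[BitConverter]::ToInt64($expBytes, 0) / 10000000 / 86400 / 365, 1)

    # Principals explicitly allowed the Enroll extended right on the template
    $extendedRight = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $enrollers = @($tpl.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.ObjectType -eq $enrollRightGuid -and
            (([int]$_.ActiveDirectoryRights -band $extendedRight) -ne 0)
        } | ForEach-Object { $_.IdentityReference.Value })

    $supplyInRequest = [bool]($nameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
    $broadEnroll = @($enrollers | Where-Object { $_ -match 'Authenticated Users|Domain Users|Domain Computers|Everyone' }).Count -gt 0

    New-Object PSObject -Property @{
        Template        = $templateCn
        ValidityYears   = $years
        SupplyInRequest = $supplyInRequest
        DnsAsCn         = [bool]($nameFlag -band $CT_FLAG_SUBJECT_REQUIRE_DNS_AS_CN)
        Enrollers       = $enrollers
        # True when any domain account could request a Server Authentication cert for an arbitrary name
        ReviewEnrollAcl = ($supplyInRequest -and $broadEnroll)
    }
}

Get-CertTemplateStatus | Format-List
```

After step 12) succeeds, run it again with -templateCn DomainController if you also enabled the Windows 2000 template, and expect ReviewEnrollAcl to be False once Enroll has been narrowed back to the domain controllers.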
The request contains no certificate template information. 0x80094801
I am configuring Active Directory LDAP SSL using a Windows 2003 Enterprise CA; however,
I received the following error while submitting my certificate signing request to the Microsoft 2003 Enterprise CA:
===================================================================================
The request contains no certificate template information. 0x80094801 (-2146875391)
Denied by Policy Module 0x80094801, the request does not contain a certificate template
extension or the Certificate Template request attribute.
==================================================================================
I checked the Microsoft Help and got the following explanation:
==============================================================================
The message indicates that there is no certificate template information in the request.
However, there is no option in the Certification Authority MMC snap-in to select a certificate template.
Note Stand-alone CAs do not use certificate templates. Therefore, this issue occurs only when you use the Certification Authority MMC snap-in to request a certificate from an enterprise CA.
=================================================================================
Solution:
Perform the following steps:
1). Start->Administrative Tools->Certification Authority
2). Expand the intended certification authority node in the left pane.
3). Select "Certificate Templates" and check whether the following templates are available:
* Domain Controller Authentication -------- For Windows 2003
* Domain Controller ----------------------- For Windows 2000
If they are not there, perform step 4).
4). Highlight "Certificate Templates" in the left pane, right-click it, select
"New", then click "Certificate Template to Issue".
5). An "Enable Certificate Templates" dialog pops up. Press the "Ctrl" key and select the following
certificate templates, then click "OK":
* Domain Controller Authentication
* Domain Controller
6). Restart the certification authority by selecting it in the left pane, then clicking the black
square on the toolbar to stop it, then the black triangle to start it.
7). Congratulations, you have enabled the certificate templates needed to issue the domain
controller certificate.
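Steps 3) to 5) can be checked and, if needed, applied without the console: certutil -CATemplates lists the templates an enterprise CA is configured to issue, and certutil -SetCATemplates +Name enables one (the same action as "Certificate Template to Issue"). The PowerShell below is an added example, not part of the original post: it parses the -CATemplates output and reports which of the two templates named in step 3) are missing, enabling them only when run with -Fix. The function names and the $caConfig value are mine; $caConfig is a placeholder in "host\CA name" form and must be replaced with your own CA.

```powershell
# Added example (not from the original post): confirm from the command line that the
# enterprise CA issues the two templates step 3) looks for, and optionally enable them.
# $caConfig is a placeholder: replace it with your CA in "host\CA name" form.

$caConfig = 'CASERVER\PortaldomCA'

function Get-CAIssuedTemplates {
    param([string]$config)
    $out = & certutil -config $config -CATemplates 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "certutil -CATemplates failed for ${config}: $out" }
    # Each template line starts with the template's common name followed by a colon;
    # the trailing "CertUtil: ... completed successfully." line is dropped.
    [regex]::Matches($out, '(?m)^([A-Za-z0-9_.-]+):') |
        ForEach-Object { $_.Groups[1].Value } |
        Where-Object { $_ -ne 'CertUtil' }
}

function Assert-CATemplates {
    param([string]$config, [string[]]$required, [switch]$Fix)
    $issued = @(Get-CAIssuedTemplates -config $config)
    foreach ($t in $required) {
        if ($issued -contains $t) { "OK    $t is enabled on $config"; continue }
        if ($Fix) {
            # Same effect as Certificate Templates -> New -> Certificate Template to Issue
            & certutil -config $config -SetCATemplates "+$t" | Out-Null
            if ($LASTEXITCODE -eq 0) { "FIXED $t enabled on $config" }
            else                     { "ERROR could not enable $t on $config (certutil exit code $LASTEXITCODE)" }
        } else {
            "MISS  $t is not enabled on $config; rerun with -Fix or use the console steps above"
        }
    }
}

Assert-CATemplates -config $caConfig -required 'DomainControllerAuthentication', 'DomainController'
```

Run it on the CA (or any machine with the admin tools) as a CA administrator; after a -Fix, stop and start the CA service as in step 6) if the console still does not list the template.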
Wednesday, January 20, 2010
Test SyntaxHighlighter
Navigate to Blogger -> Layout -> Edit HTML to edit the template of your Google blog.
Insert the following code above </head> or </body>:
Code:
<link href='http://alexgorbatchev.com/pub/sh/1.5.1/styles/SyntaxHighlighter.css' rel='stylesheet' type='text/css'/>
Inside each <pre name="code"> block, HTML-escape any literal < as &lt; (and & as &amp;); otherwise the browser parses the snippet as markup instead of displaying it, which is why an unescaped <!-- code here --> renders as nothing.
Samples:
1. HTML code
Code:
<pre name="code" class="html">
<!-- code here -->
</pre>
Result:
(the snippet rendered with HTML highlighting)
2. Python code
Code:
<pre name="code" class="python">
# code here
</pre>
Result:
# code here
3. Java code
Code:
<pre name="code" class="java">
import java.io.Serializable;
class Dog implements Serializable {
    private Collar theCollar;
    private int dogSize;
    public Dog(Collar collar, int size) {
        theCollar = collar;
        dogSize = size;
    }
    public Collar getCollar() { return theCollar; }
}
class Collar implements Serializable {
    private int collarSize;
    public Collar(int size) { collarSize = size; }
    public int getCollarSize() { return collarSize; }
}
</pre>
Result:
(the same Java source, rendered with Java syntax highlighting)
For the latest information about SyntaxHighlighter, please refer to: http://alexgorbatchev.com/wiki/SyntaxHighlighter
Tuesday, January 19, 2010
Migrate OIM Database from one server to another using dump file
Let's say we want to move OIM server A's data to server B.
A and B both have their own application configured and running
properly, but for some reason we need to discard server B's data and
replace it with server A's data.
1. The following files need to be copied from server A to server B
(they hold the key material that goes with the data about to be imported):
OIM_HOME/xellerate/config/...
a). .xldatabasekey
b). .xlkeystore
c). configkey.key
2. Make a full dump of server A
Use the following script:
DBLoginID=SYSTEM
DBLoginPassword=admin123
Backup_Home="/oracle/app/oracle/DatabaseBackup/OIM_UAT"
BackupOwner="xladm_uat"
BackupComment="_backupComment"
BackupFileName="/xladm_20100119_0338${BackupComment}.dmp"
# exp prompts for the credentials when they are omitted, which keeps the password out of the process list
exp ${DBLoginID}/${DBLoginPassword}@orcl owner=${BackupOwner} file=${Backup_Home}${BackupFileName}
------------- xladm_uat is the schema used by server A.
3. Import the dump to server B
Use the following script:
DBLoginID=SYSTEM
DBLoginPassword=admin123
Backup_Home="/oracle/app/oracle/DatabaseBackup/OIM_UAT"
RestoreFileName="/backupFileName.dmp"
# fromuser/touser remaps the exported schema onto server B's schema
imp ${DBLoginID}/${DBLoginPassword}@orcl fromuser=xladm_uat touser=xladm file=${Backup_Home}${RestoreFileName}
note: xladm is the schema used by server B
4). Edit the xlconfig.xml file on server B.
a) Open server B's xlconfig.xml and replace every encrypted password
string with the corresponding one from server A's xlconfig.xml (the
encrypted values go with the key files copied in step 1, so B's old strings
no longer match). Leave B's own settings, such as the JDBC url and username, as they are.
The following sections need to be edited:
(1) configuration for DB connection
<DirectDB>
  <driver>oracle.jdbc.driver.OracleDriver</driver>
  <url>jdbc:oracle:thin:@192.168.19.38:1521:orcl</url>
  <username>xladm</username>
  <password encrypted="true">HjHsMmK0gQqrfyHKRCEfEg==</password>
  <maxconnections>5</maxconnections>
  <idletimeout>360</idletimeout>
  <checkouttimeout>1200</checkouttimeout>
  <maxcheckout>1000</maxcheckout>
</DirectDB>
(2) configuration for PKI
<Security>
  <XLPKIProvider>
    <KeyStore>
      <Location>.xlkeystore</Location>
      <Password encrypted="true">VPqfO+o717lgbuSpumj3+g==</Password>
      <Type>JKS</Type>
      <Provider>sun.security.provider.Sun</Provider>
    </KeyStore>
    <Keys>
      <PrivateKey>
        <Alias>xell</Alias>
        <Password encrypted="true">VPqfO+o717lgbuSpumj3+g==</Password>
      </PrivateKey>
    </Keys>
    <SignatureAlgorithm>SHA1withDSA</SignatureAlgorithm>
    <SignatureProvider>sun.security.provider.Sun</SignatureProvider>
    <VerifySigner>true</VerifySigner>
  </XLPKIProvider>
  <XLSymmetricProvider>
    <KeyStore>
      <Location>.xldatabasekey</Location>
      <Password encrypted="true">VPqfO+o717lgbuSpumj3+g==</Password>
      <Type>JCEKS</Type>
      <Provider>com.sun.crypto.provider.SunJCE</Provider>
    </KeyStore>
    <Keys>
      <DBSecretKey>
        <Alias>DataBaseKey</Alias>
        <Password encrypted="true">VPqfO+o717lgbuSpumj3+g==</Password>
        <BlockMode>CBC</BlockMode>
      </DBSecretKey>
      <JMSKey>
        <Alias>DataBaseKey</Alias>
        <Password encrypted="true">VPqfO+o717lgbuSpumj3+g==</Password>
        <BlockMode>CBC</BlockMode>
      </JMSKey>
    </Keys>
  </XLSymmetricProvider>
</Security>
(3) configuration for remote manager
<RMSecurity>
  <KeyStore>
    <Location>.xlkeystore</Location>
    <Password encrypted="true">VPqfO+o717lgbuSpumj3+g==</Password>
    <Type>JKS</Type>
    <Provider>sun.security.provider.Sun</Provider>
  </KeyStore>
  <TrustStore>
    <Location>.xlkeystore</Location>
    <Password encrypted="true">VPqfO+o717lgbuSpumj3+g==</Password>
    <Type>JKS</Type>
    <Provider>sun.security.provider.Sun</Provider>
  </TrustStore>
  <RMIOverSSL>true</RMIOverSSL>
  <SSLPort>44434</SSLPort>
  <SSLContextAlgorithm>TLS</SSLContextAlgorithm>
  <KeyManagerFactory>SunX509</KeyManagerFactory>
  <BindingPort>44444</BindingPort>
  <ServiceName>RManager</ServiceName>
  <LoggerConfigFilePath>D:/Proj/OIM/910x/xlserver/xellerate/config/log.properties</LoggerConfigFilePath>
  <ClientAuth>false</ClientAuth>
</RMSecurity>
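Two of the steps above are easy to get subtly wrong by hand: a key file that did not copy over cleanly in step 1, and a password string pasted into the wrong element in step 4a. The following is an added example, not the post's own script or anything shipped with OIM, that checks the three key files are byte-identical on both sides and copies every encrypted password string from server A's xlconfig.xml into server B's file while leaving B's own url, username and ports untouched. The element names and the encrypted="true" attribute follow the xlconfig.xml fragment shown above; the root tag, hostnames and ciphertext values in the sample are constructed for the demo.

```python
"""Added example (not the post's code): helpers for steps 1 and 4a of the
OIM migration.  verify_key_files() confirms the key files copied in step 1
are identical on both sides; sync_passwords() copies A's encrypted password
strings into B's xlconfig.xml without touching B's other settings.
The root tag and all values in SAMPLE_A/SAMPLE_B are constructed."""
import filecmp
import os
import tempfile
import xml.etree.ElementTree as ET

# Files listed in step 1 of the post (OIM_HOME/xellerate/config/...)
KEY_FILES = (".xldatabasekey", ".xlkeystore", "configkey.key")


def verify_key_files(src_dir, dst_dir):
    """Return the key files that are missing or differ between the two config dirs.

    An empty list means every file in KEY_FILES exists in both directories
    with identical content (full byte comparison, not just size/mtime)."""
    problems = []
    for name in KEY_FILES:
        a, b = os.path.join(src_dir, name), os.path.join(dst_dir, name)
        if not (os.path.isfile(a) and os.path.isfile(b)):
            problems.append(f"{name}: missing")
        elif not filecmp.cmp(a, b, shallow=False):
            problems.append(f"{name}: differs")
    return problems


def _encrypted_passwords(root):
    """List (path, element) for every <password>/<Password encrypted="true">
    below the root, in document order."""
    found = []

    def walk(elem, prefix):
        for child in elem:
            path = f"{prefix}/{child.tag}" if prefix else child.tag
            if child.tag.lower() == "password" and child.get("encrypted") == "true":
                found.append((path, child))
            walk(child, path)

    walk(root, "")
    return found


def sync_passwords(src_xml, dst_xml):
    """Copy A's encrypted password strings into B's xlconfig.xml text.

    Returns (new_dst_xml, replaced_paths).  Refuses to proceed when the two
    files do not contain the same sequence of password elements: that means
    the layouts differ and a blind copy could land a value in the wrong place."""
    src_root, dst_root = ET.fromstring(src_xml), ET.fromstring(dst_xml)
    src, dst = _encrypted_passwords(src_root), _encrypted_passwords(dst_root)
    if [p for p, _ in src] != [p for p, _ in dst]:
        raise ValueError("xlconfig.xml layouts differ; refusing to sync passwords")
    replaced = []
    for (path, s_elem), (_, d_elem) in zip(src, dst):
        if d_elem.text != s_elem.text:
            d_elem.text = s_elem.text
            replaced.append(path)
    return ET.tostring(dst_root, encoding="unicode"), replaced


# Constructed sample fragments in the shape of the post's xlconfig.xml sections.
SAMPLE_A = """<xl-configuration>
  <DirectDB>
    <url>jdbc:oracle:thin:@server-a.example:1521:orcl</url>
    <username>xladm_uat</username>
    <password encrypted="true">A_DB_PASSWORD_CIPHERTEXT==</password>
  </DirectDB>
  <Security>
    <XLPKIProvider>
      <KeyStore>
        <Location>.xlkeystore</Location>
        <Password encrypted="true">A_KEYSTORE_CIPHERTEXT==</Password>
      </KeyStore>
    </XLPKIProvider>
  </Security>
</xl-configuration>"""
SAMPLE_B = (SAMPLE_A.replace("server-a.example", "server-b.example")
            .replace("xladm_uat", "xladm")
            .replace("A_DB_PASSWORD", "B_DB_PASSWORD")
            .replace("A_KEYSTORE", "B_KEYSTORE"))


def build_sample_dirs(tamper=False):
    """Create two throwaway config dirs holding constructed key files; with
    tamper=True, B's .xlkeystore gets different content to simulate a bad copy."""
    base = tempfile.mkdtemp(prefix="oim-demo-")
    src, dst = os.path.join(base, "A"), os.path.join(base, "B")
    os.makedirs(src)
    os.makedirs(dst)
    for name in KEY_FILES:
        data = f"constructed key material for {name}\n".encode()
        with open(os.path.join(src, name), "wb") as fh:
            fh.write(data)
        if tamper and name == ".xlkeystore":
            data = b"different key material\n"
        with open(os.path.join(dst, name), "wb") as fh:
            fh.write(data)
    return src, dst


if __name__ == "__main__":
    new_b, replaced = sync_passwords(SAMPLE_A, SAMPLE_B)
    print("replaced:", replaced)
    print(new_b)
    print("key files:", verify_key_files(*build_sample_dirs(tamper=True)))
```

Run against real files by reading both xlconfig.xml files into strings, passing them to sync_passwords(), and writing the returned text back to B only after keeping a copy of the original; the returned path list is the audit trail of exactly which elements changed.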
5. Configure server B's Design Console
a). Duplicate the whole Design Console folder of server A; call the copy
xlclient2.
b). Copy all the files in the /xlclient/Config/ directory of server B's
original Design Console folder into the newly duplicated one,
xlclient2.
6) Start the OIM server
7) Start the Design Console