Category: Windows

SSL for BI Publisher 10.1.3.4 Standalone

We have a old installation of Oracle Business Intelligence 10.1.3.4 which somehow has not been kept up to date – This happens through all businesses throughout the planet, the rule: If it works don’t touch it, applies to it.

So this server isn’t still running as HTTP, we needed to get it secured ASAP – 9 years late is better than never.

So how do you go about it?

Create a Java Keystore

For this you need to use the Keytool utility which comes with Java JDK / JRE on your server. See notes about this later on as this is a very outdated version of the Keytool utility.

Command to create a Java Keystore:

keytool -genkey -keyalg RSA -alias mykey -keystore mykeystore.jks

Enter a keystore password and remember it, I recommend that you use  Password Safe to generate and remember the password.

Create and Update secure-web-site.xml file

Make a copy of your existing file default-web-site.xml and name it secure-web-site.xml edit the new file and add secure=”true” to the end of the line as well as change your port, 9704 is HTTP as 9706 is the standard BI HTTPS port:

<web-site xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/web-site-10_0.xsd" port="9706" display-name="OC4J 10g (10.1.3) Default Web Site" schema-major-version="10" schema-minor-version="0" secure="true">

Now add the line:

<ssl-config keystore="full_path_to_your_keystore.jks" keystore-password="your_keystore_password" />

Before the closing tag

Register secure-web-site.xml file in server.xml

Towards the bottom of your server.xml file add:

<web-site default="true" path="./secure-web-site.xml" />

Remove the line referencing the ./default-web-site.xml you no longer need HTTP access once you have HTTPS enabled. You’ll need to do something which I didn’t to have both HTTP and HTTPS URL’s accessible on a reboot the server will automatically delete the second

Add a local firewall rule for the new 9706 port

Use ‘Windows Firewall’ and look for an existing Inbound rule for 9704, copy this rule and change the port number to 9706.

Test if HTTPS URL is working

Save the changes and restart ‘Oracle BI EE OC4J‘ server in ‘Services’ to reflect the changes, that or reboot the server.

Browse to : https://:9706/xmlpserver/ using the servers available web browser or your local machine, as there could be corporate firewalls in the way still, these will not know about you new port 9706 so will need to be enabled.

A quick test from a command prompt on your local machine to see is:

Telnet YourServer 9706

Secure your new address with a certificate

Go back to where you created your mykeystore.jks file and delete the mykey from within it:

keytool -delete -alias mykey -keystore mykeystore.jks

Now follow the following steps:

  • Request your certificate from your certification authority
  • Complete your certificate request in IIS or elsewhere
  • Export your your certificate as a .PFX file
  • Extract from the PFX your Key and Pem files
openssl pkcs12 -in yourCertificate.pfx -out yourCertificate.pem
  • Convert yourCertificate.pem to .pkcs12 file
openssl pkcs12 -export -in yourCertificate.pem -out yourCertificate.pkcs12
  • Now and very importantly move the yourCertificate.pkcs12 file away from your Oracle BI server as this will have a very old version of Java Keytool on it, which does not support the -importkeystore command, mine was running JRE 1.4.2.
  • Also move the empty mykeystore.jks file to the same directory as the yourCertificate.pkcs12
  • Check your mykeystore.jks to check it is empty
keytool -v -list -keystore mykeystore.jks
  • On the server with JRE / JDK 1.6 or above, I ran this using JRE 1.8, run the following command to import yourCertificate.pkcs12 to the mykeystore.jks
"C:\Program Files (x86)\Java\jre1.8.0_131\bin\keytool.exe" -v -importkeystore -srckeystore yourCertificate.pkcs12 -srcstoretype PKCS12 -destkeystore mykeystore.jks -deststoretype JKS
  • Now check your mykeystore.jks again and you should now have the imported certificate
  • Move this mykeystore.jks to the Oracle BI server

Restart ‘Oracle BI EE OC4J‘ server in ‘Services’ to reload the application with the new certificate or reboot the server.

You should now have a lovely secured server, if at first it doesn’t show check it on a browser that you haven’t used yet or clear your cache.

Mailto subject / body in Android email client broken?

The following section of mailto: code wasn’t working on the default Android email client and Gmail client.

<div class="panel-body">
Please contact the <a href="mailto:it.helpline@random.com?Subject=No%20Tiles%20within%20Application&amp;Body=Please%20could%20you%20check%20my%20account%20@(Model.LoggedInUser.Id)%0D%0A%0D%0AMany%20Thanks" target="_top">IT Helpline</a></div>

The reason is down to a simple issue ?Subject and &Body both started with capital letters, replace these to be lowercase ?subject and &body and the following code works across all clients on all platforms.

<div class="panel-body">
Please contact the <a href="mailto:it.helpline@random.com?subject=No%20Tiles%20within%20Application&amp;body=Please%20could%20you%20check%20my%20account%20@(Model.LoggedInUser.Id)%0D%0A%0D%0AMany%20Thanks" target="_top">IT Helpline</a></div>

I’ve tested on :

Android : Default mail, Gmail, Nine

iOS : Safari, Gmail

Windows : Outlook, Gmail

Achieve ‘A’ rating on SSLABS server test using IIS 8.5 Windows 2012 R2

Do you want to reach the heights of having an A graded server on SSLABS server tests? 

First thing you need to do on a fresh install of Windows server 2012 R2 and IIS 8.5 is disable SSL3 functionality, this can be achieved by following this guide. Come back here once you have done this. Or if you trust me here’s my exported regedit key, which you can just import to your server.

Below is the Cipher Key string that I put into the Local Group Policy Editor. To do so click the Windows icon and type in gpedit.msc and press enter to launch the Policy Editor.  Open on the left the folder titled ‘Administrative Templates / ‘Network’  / ‘SSL Configuration Settings’ & double click on ‘SSL Cipher Suite Order‘ to open. Now Enable the SSL Cipher Suites and copy and paste the below list in. Click OK and restart your server, now run the SSL server test again to see the result.

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,
TLS_RSA_WITH_AES_256_GCM_SHA384,
TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256

Cipher suite from above all on one line for copying into GPEDIT.MSC

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256

The following 2 Cipher’s currently only work on Windows server 2016 & IIS 10

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

*Note: I’ve included ‘TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256‘ & ‘TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384‘ in a separate code block below the main cipher keys, although these do not currently work on Windows 2012 with IIS 8.5 – I’m hoping that a patch with come through from Microsoft soon which enables them, as these will take the ‘A’ to an ‘A+’ rating, as they do when using Windows Server 2016 IIS 10.

So if you are using IIS 10 on Windows Server 2016 then add these to the top and removed the bottom two as all keys will not fit within the cipher field.

Chrome updates disabled by Administrator?

You might run into this issue in a large corporation, where an overzealous Administrator thinks that they know better than Google and therefore try and stop your machine from staying up to date with the latest Google release.

Please note to edit your Registry you need to be a Local Administrator.

To ‘fix’ this issue, it might need to done using a batch script as your policies might get reset on each login or at a set time.

Run the Registry Editor, Start/Run: regedit

Browse to: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Update

Double-click at the UpdateDefault or DefaultUpdate (depends on what version installed)

Change the 0 to a 1

Exit Registry Editor and return to the Help/About Google Chrome section,  your browser will then start to auto update!

Port opened? Telnet is your friend

Do you want to know if the problem you are having is a network \ firewall issue?

You can simply use Telnet to check if the port you are trying to connect to is open or not.

You can test any port using this simple method, not just connections open to telnet.

First off you need to install Telnet Client on your machine.

To do so, open a command prompt window. Click Start, type cmd in the Start Search box, and then press ENTER.

pkgmgr /iu:"TelnetClient"

Next step close the current command prompt and reopen it again, this is so the path to Telnet which you’ve just installed will work.

Now type the connection & port to test

telnet <server> <port>

Example

telnet google.co.uk 80

If it goes to a blank screen or a screen with funny characters then this means that port is open.

If you get :

Connecting To google.co.uk..Could not open connection to the host, on port 80:Connect failed

Then you’ll need to get onto your network team to open some firewall rules for the required port access or iptables if on unix servers.

Cisco VPN Windows 10

There’s lot of information out there on how to get Cisco VPN to connect to your work computer using Windows 10, but only one site I’ve found actually gives information that works:

5 Steps to make Cisco VPN work in Windows 10

I’ve summed this up below as it contains too much information, this is what worked for me, I was getting:

Error 433 Secure VPN Connection terminated locally by the Client. Reason 433: Reason not specified by peer.

snap shot of error

The likely reason is due to the DNE LightWeight Filter network client not being properly installed by the Cisco Systems VPN installer.

To solve this, please try to do the following

A) First, uninstall any Cisco VPN Client software you may have installed earlier
B) Reboot your computer.
C) Run winfix.exe, to ensure the DNE is properly cleaned up, as no doubt this isn’t your first attempt.
D) Reboot your computer again.
E) Download Sonic VPN software from here: 32-bit or 64-bit
F) Install the Sonic VPN software from above.
G) Reboot your computer.
H) Reinstall the Cisco VPN Client software again. (If you face a version not suitable for Windows 10 issue, run the msi file instead of the exe file)
I) Install the Cisco VPN Client Software: 32-bit Windows VPN Client (version 5.0.07) or 64-bit Windows VPN Client (version 5.0.07)
J)Reboot.
K)Make changes to the registry:
Open Registry editor regedit in Run prompt

Browse to the Registry Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CVirtA

Select the Display Name to modify, and remove the leading characters from the value data value as shown below,

For x86 machine, shorten the string “@oem8.inf,%CVirtA_Desc%;Cisco Systems VPN Adapterto just Cisco Systems VPN Adapter

Or for x64 machine, shorten the string”@oem8.inf,%CVirtA_Desc%;Cisco Systems VPN Adapter for 64-bit Windows” to just “Cisco Systems VPN Adapter for 64-bit Windows
L) Reboot your computer.
M) Your Cisco VPN Client should now work in Windows 10

Are you getting a 412 error?

cisco412

I was getting this when I was trying to connect from within my organisation, this isn’t allowed as your organisation is blocking the required UDP ports 4500/500

Solution, try connecting from somewhere external to your organisation.

If this doesn’t work for you then you’ll have to delve into the full site to work it out for your set-up.

Windows 10 Update Uninstalls “Cisco Systems VPN Adapter”

I noticed that a recent Windows 10 update kindly uninstalled my Cisco VPN Adapter! Why? I’m not sure. Apparently ‘removed due to incompatibility issues’ But if you want it back, you’ll need to uninstall ‘Cisco Systems VPN Client 5.0.07.0440 in Add or Remove programs then re-run the msi installer, this will FAIL, now jump to the unzipped directory ‘C:\Users\\AppData\Local\Temp‘ to find ‘vpnclient_setup.msi‘, run this, you might need to run it twice as it complains about failing to add itself to the Services. Then you need to re-edit the ‘Display Name‘ using the Registry key in Regedit, as above.

 

 

jQuery Highlight Table Row ID

Covering a couple of issues which I encountered.

  • How to Highlight a row in a Table on click using jQuery
  • How to Only use the above code on that Table

Code:
$(document).ready(function() {
$("table#SearchResultsTable").on('click', 'tr', function () {
var state = $(this).hasClass('highlighted');
$('.highlighted').removeClass('highlighted');
if (!state) {
$(this).addClass('highlighted');
}
});
});

Code to use just your desired Table:
$("table#SearchResultsTable")

Hope the above helps you on your travels.