Set up automatic updates for Brew on Mac OS X

Automated updates for the core OS have been available for several years now on Macs, and Apple has added the ability to automatically update apps you have installed from the App Store as well. However, if you have installed open source apps with Brew, chances are that you may forget to update them regularly. This is likely to create vulnerabilities on your system, allowing attackers to get in undetected by most antivirus and anti-malware software.

To close this loop, a very simple tool can be installed, similar to the auto-update function at the OS level. Here is the “cookbook recipe” to follow:

brew update
brew upgrade
brew install terminal-notifier
brew tap domt4/autoupdate
brew autoupdate --start --upgrade --enable-notification

These commands will

  • update the brew repository,
  • upgrade all the existing apps,
  • install the terminal notifier in case you don’t have it yet
  • install the autoupdate script
  • start the autoupdate to run on a regular basis

Don’t be like the picture below (courtesy of xkcd.com).


How to uninstall IBM Lotus Notes client from the Macintosh on OS X

You can uninstall IBM® Lotus® Notes® by dragging Notes.app from /Applications to the trash. This preserves user data.

You can also uninstall Notes using the uninstaller application supplied with the Notes install media. This preserves user data as well.

You can also uninstall Notes by dragging the following items to the Apple® Mac OS X® trash bin:

  • Notes.app
  • ~/Library/Application Support/Lotus Notes Data folder (“~” = user’s home directory)
  • ~/Library/Preferences/Notes Preferences
  • /Library/Receipts/Lotus Notes Installer.pkg
  • /Library/Receipts/Lotus Notes Installer_English.pkg
  • /Library/Receipts/xpdcoreinstaller.pkg

via IBM How to uninstall Notes client from the Macintosh – United States.


Creating an easy to deploy SSL certificate in PEM format

When ordering a secure certificate, most often one has to deal with the following files:

  • certificate key file (aka private key): .key
  • certificate request file: .csr
  • primary certificate file (issued by the CA): .crt
  • certificate chain (aka intermediate certificate, or sf bundle): sf_bundle.crt

As a result, when deploying to a web server, it is necessary to configure 3 files: the key, the cert, and the trust chain. However, a little known fact is that these can be combined in a “pem” file that holds all three. One may even include the trusted root certificate optionally. Here is how:

  • download your certificates (your_domain_name.crt) from your NewPush Customer Portal.
  • paste the entire body of each certificate one by one into one text file in the following order:
    • domain.key
    • domain.crt
    • sf_bundle.crt

    Make sure to include the beginning and end tags on each certificate. The result should look like this:

    -----BEGIN RSA PRIVATE KEY-----
    ...
    -----END RSA PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----

The number of

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

sections will depend on the length of the certificate trust chain.
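
The assembly steps above can be scripted so that the order and the BEGIN/END tags are checked every time. This is an added example, not part of the original page; the function names are hypothetical, and the check is structural only (it does not verify that the key belongs to the certificate).

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.
# Usage: build_pem_bundle domain.key domain.crt sf_bundle.crt domain.pem

# check_pem_bundle FILE: require exactly one private key as the first block,
# then one or more certificates, with every BEGIN closed by an END.
check_pem_bundle() {
    awk '
    /^-----/ && !/^-----(BEGIN|END) [A-Z0-9 ]+-----$/ {
        print "line " NR ": malformed or fused tag"; bad = 1; next }
    /^-----BEGIN / {
        if (inblk) { print "line " NR ": BEGIN inside an open block"; bad = 1 }
        inblk = 1; blocks++
        if ($0 ~ /PRIVATE KEY-----$/) {
            keys++
            if (blocks != 1) { print "line " NR ": private key is not first"; bad = 1 }
        } else if ($0 == "-----BEGIN CERTIFICATE-----") {
            certs++
        } else { print "line " NR ": unexpected block type"; bad = 1 }
        next }
    /^-----END / {
        if (!inblk) { print "line " NR ": END without BEGIN"; bad = 1 }
        inblk = 0 }
    END {
        if (inblk) { print "last block is not closed"; bad = 1 }
        if (keys != 1) { print "expected 1 private key, found " (keys + 0); bad = 1 }
        if (certs < 1) { print "no certificate found"; bad = 1 }
        if (!bad) print "OK: 1 private key, " certs " certificate(s)"
        exit (bad ? 1 : 0) }
    ' "$1"
}

# build_pem_bundle KEY CRT CHAIN OUT: concatenate in the order given above.
build_pem_bundle() {
    for f in "$1" "$2" "$3"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
    done
    # OUT holds the private key: create it under umask 077 and force mode 600.
    # tr drops CRs from files edited on Windows; awk NF drops blank lines and
    # ends every line with a newline, so tags of adjacent files cannot fuse.
    ( umask 077
      for f in "$1" "$2" "$3"; do tr -d '\r' < "$f" | awk 'NF'; done > "$4" ) &&
        chmod 600 "$4" || return 2
    check_pem_bundle "$4"
}
```

A plain `cat` of files that lack a final newline produces a fused `-----END ...----------BEGIN ...-----` line, which is the failure the check reports as a malformed tag.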


Domino 8.5 SSL Key Import Into Keyring File

Domino Server SSL Key Import

By default, the SSL key order process in the Domino Administrator assumes that only single domain certificates are used. Hence, when you have a multi domain UCC or a wildcard certificate, it has to be loaded into the keyring (a.k.a. kyr file) outside of the Domino Administrator.

The basic overview of the process is this:

  • Create a kyr (keyring) file to hold the keys.
  • Create a p12 (PKCS#12) file with the certificate that needs to be added to the keyring.
  • Add the p12 (PKCS#12) file to the keyring.
  • Install the new keyring on the Domino Servers (mail, traveler, sametime, Quickr)

Domino Server PKCS#12 key generation and import

Create PKCS#12 from SSL KEY and CRT files

For this step I recommend working on Linux or AIX with openssl installed. Assuming that you have the certificate key, the CA-issued certificate, and the certificate chain all in the same directory, you can run the following command to generate the p12 file:

openssl pkcs12 -export \
-in certificate-from-CA.crt \
-inkey certificate-key-file.key \
-certfile root-ca-bundle.crt \
-out certificate-in-pkcs12-format.p12

Add PKCS#12 to Domino Server Kyr Keyring File

For this step I recommend working on the Sametime server under Linux or AIX. In theory, this should work, but in practice, I found that version 7 of the gsk tools doesn’t seem to be able to open kyr files. So you may need to skip ahead to the legacy Windows XP method, unless you can find the gsk5bas package on one of your older install media.

rpm -Uvh ${SAMETIME_CD_PATH}/SametimeEntryServer/GSKit/Linux/gsk7bas-7.0-4.28.i386.rpm
vi /opt/ibm/lotus/notes/latest/linux/ibm-jre/jre/lib/security/java.security

Add last provider to list:

security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
security.provider.5=com.ibm.security.sasl.IBMSASL
security.provider.6=com.ibm.spi.IBMCMSProvider

remove conflicting jar file:

mv /opt/ibm/lotus/notes/latest/linux/ibm-jre/jre/lib/ext/gskikm.jar /opt/ibm/lotus/notes/latest/linux/ibm-jre/jre/lib/ext/gskikm.removedjar-

Set the environment:

# set JAVA_HOME
JAVA_HOME=/opt/ibm/lotus/notes/latest/linux/ibm-jre/jre
export JAVA_HOME

Domino Server Required Utilities for SSL Key Import (legacy Windows XP method)

  • Download and install IKEYMAN.
  • Open the kyr file in gsk5.
  • Import the p12 cert.
  • Save the new kyr file.

Domino Server SSL Key Management References

  • http://www.redbooks.ibm.com/redpapers/pdfs/redp0046.pdf
  • http://www.turtleweb.com/turtleblog.nsf/dx/11022009232215GDAVGR.htm?opendocument&comments
  • http://www.deadspace.de/?p=294
  • ftp://ftp.software.ibm.com/software/webserver/appserv/library/v61/ihs/GSK7c_SSL_Ikm_Guide.pdf
  • https://support.quovadisglobal.com/KB/a93/how-do-i-install-my-digital-certificate-into-lotus-notes.aspx
  • http://replay.waybackmachine.org/20081121002554/http://www.justinclarke.com/archives/2005/08/sending_smime_e.html
  • http://www.eulerhermes.com/en/documents/secure-email/ehcica_howto_import_lotus_notes_en.pdf/ehcica_howto_import_lotus_notes_en.pdf
  • http://publib.boulder.ibm.com/infocenter/sametime/v8r0/index.jsp?topic=/com.ibm.help.sametime.802.doc/Entry/st_adm_security_ssl_ikey_lin_t.html



Verifying SSL Certificates

Problem

You have a few SSL cert files on your server, but you are not sure which one is the newest, or the right cert to use.

Solution

Look at the contents of a CSR


openssl req -noout -text -in [domain_name].csr

Where [domain_name].csr is the name of the CSR file.

Look at the contents of a certificate


openssl x509 -noout -text -in [domain_name].crt

Look at the MD5 fingerprint of a certificate


openssl x509 -fingerprint -md5 -noout -in [domain_name].crt

Check the private key, the CSR, and the signed cert

To check that the private key, the CSR, and the signed cert belong to the same set, you need to compare the MD5 outputs:

openssl rsa -noout -modulus -in [domain_name].key |openssl md5
openssl req -noout -modulus -in [domain_name].csr |openssl md5
openssl x509 -noout -modulus -in [domain_name].crt |openssl md5


SMTP Server Testing with Authentication

Problem

You need to manually test an SMTP server that requires authentication.

Solution

The text you need to enter into a DOS or Unix command line is in typewriter typeface. Responses from the server are shown in italic.
telnet smtp-server.smtpdomain.com 25
Trying xxx.xxx.xxx.xxx…
Connected to smtp-server.smtpdomain.com.
Escape character is ‘^]’.
220 smtp-server.smtpdomain.com plus some other optional server greeting text

helo localhost
250 smtp-server.smtpdomain.com
auth login
You now need to enter your email and then your password encoded in BASE64. To encode your password, use the HCI Data Encoder
mail from: [email protected]
250 Sender accepted.
rcpt to: [email protected]
250 OK
data
354 End your message with a period.
Subject: test email

test content
.

250 Accepted message …
quit
221 Good bye.
Connection closed by foreign host.
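
The two AUTH LOGIN answers can also be produced on the local machine, so the password never has to be typed into a web page. This is an added example, not part of the original post; the function names are hypothetical. After "auth login" the server prompts with "334" lines that are themselves Base64 ("VXNlcm5hbWU6" decodes to "Username:"), and Base64 is an encoding, not encryption.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# Usage: auth_login_answers   (then type the user name and the password,
#        one per line; the two lines printed are what to paste into telnet)

# smtp_b64: Base64 of exactly the bytes on stdin. tr removes the line breaks
# that base64 inserts into long output; SMTP expects each answer on one line.
smtp_b64() { base64 | tr -d '\n'; }

# smtp_b64_decode TOKEN: decode a server prompt, i.e. the text after "334 ".
smtp_b64_decode() { printf '%s' "$1" | base64 -d; }

# auth_login_answers: read user name and password as two lines on stdin, so
# neither appears in the process list or shell history, and print the two
# Base64 answers. printf '%s' keeps the newline that ended each input line
# out of the encoded value (echo would add one and change the result).
auth_login_answers() {
    IFS= read -r user || [ -n "$user" ] || return 1
    IFS= read -r pass || [ -n "$pass" ] || return 1
    printf '%s' "$user" | smtp_b64; echo
    printf '%s' "$pass" | smtp_b64; echo
    unset user pass
}
```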


Migrating Data Between DB2 Servers

DB2 Support for Data Migration

When it is time to upgrade from DB2 on Intel to DB2 on Power for example, taking a backup/restore approach isn’t possible as DB2’s backups are platform dependent. The solution is to use a DB2 command called db2move.

Basics of db2move

db2move lets you export data from DB2 at different levels of granularity. It also has a very simple syntax for exporting all of the data and structure of a database.

Example of db2move


su - db2inst1
mkdir /tmp/db2export
cd /tmp/db2export
db2move sample export

Where db2inst1 is the db2 instance owner, /tmp/db2export is where the DB2 data and structures are being exported, and sample is the database name.



NetApp downgrade firmware

Downgrading firmware on a NetApp SAN

If you have just reclaimed a shelf from a NetApp SAN that you would like to use with an older head, you will notice that the drives are not recognized. This is due to the fact that DataOntap upgrades the drives automatically when you plug them into an updated shelf, but it won’t downgrade, or even correctly recognize, drives that come from a higher-level revision.

Downgrading drives while keeping the contents is actually impossible.

Actually downgrading the firmware on NetApp SAN drives

Chances are that you don’t really need to downgrade the firmware on the drives, and you can just skip to the next section.

If you are sure you need to downgrade the drives, here are the basic steps:

  • Get a Linux box with a QLogic HBA and cables that can attach to the shelf that has the drives to downgrade
  • Make sure only the drives that you want to downgrade are in the shelf
  • Make sure the proper disk qualification package is on the filer (if not, download the Disk Qualification Package as a zip file from: http://now.netapp.com/NOW/download/tools/diskqual/ and extract it to the /etc directory of the NetApp)
  • Download all current disk firmware from http://now.netapp.com/NOW/download/tools/diskfw/
  • Get the right firmware for your disk (the new one you just downloaded, or an old one, if you need to downgrade); the old firmware is already on the root volume of the NetApp
  • Use the proper firmware upgrade tool from your manufacturer to flash the firmware from the Linux box

Wiping labels on NetApp SAN drives

If you simply can’t get the old filer head to recognize the drives that had new labels, the only viable solution to get the drives to work is to reconnect the shelf to the old filer head that was running a newer firmware.

Erasing labels on NetApp SAN drives

  • Boot into maintenance mode (CTRL+C at boot and then Option 5)
  • list the drives: label summary
  • erase the labels: label wipe 4.23 where 4.23 is the drive number to wipe
  • exit maintenance mode: halt

Chances are that this will still not allow the older filer to see the drives properly. The next step always works: zero the drives.

Zeroing spares on NetApp filer

  • Boot into maintenance mode (CTRL+C at boot and then Option 5)
  • list the drives: label summary
  • force the drives to become spares: label makespare 4.23 where 4.23 is the drive number
  • exit maintenance mode and boot:
    > halt
    ok boot
  • zero the spare drives: drive zero spares
  • remove the shelf or the drives from the new filer, and you can now put them back into the old filer, as they will be recognized just fine.



NetApp route add default gateway

NetApp SAN default gateway setup

DataOntap is a FreeBSD based operating system built by NetApp. However, most of the command line interface commands differ from the usual FreeBSD commands. When a new NetApp installation is performed, or a NetApp migration is needed, typically the IP address needs to be changed, as well as the default gateway. The first step before changing the network configuration is to check the current configuration, and capture it in case you need to back out of the migration. The following paragraphs show how to check the existing configuration, and how to set the new gateway.

Show NetApp SAN network config

To print the current network config, run:
ifconfig -a

To set a new network IP, run:
ifconfig e0 192.168.1.2 netmask 255.255.255.0

Where e0 is your network interface name, and 192.168.1.2 is the new IP of the NetApp.

Show NetApp SAN route config

To print the current routes, run:
route -ns

Setup NetApp SAN default route

Delete NetApp SAN current default route

route delete default

Add NetApp SAN new default route

route add 0.0.0.0 IP_OF_DEFAULT_GW 1
For example, if the default gateway is 192.168.1.1:
route add 0.0.0.0 192.168.1.1 1


Online fax service with SSL API

Problem

You need to create an online application that is capable of sending a FAX securely (PCI, HIPAA or other compliance).

Solution

After trying trustfax and eFax, neither of which has a secure API, Ralph found that Metro Fax has an SSL API for developers and the cost is reasonable.

The following SDK as well as some supporting documentation below will help you get started: WsfSDK

The MetroFax webservice gateway is available at:

https://wsf.metrofax.com/webservice.asmx

And there is supporting documentation (NDoc) available below:

https://wsf.metrofax.com/doc

The attached SDK contains sample implementations of numerous common methods.