Mar 10 2012
 

Wow, what a horrible weekend it has been dealing with all these certificate expirations (both clients’ and my own). There are tons of articles on the internet, however most don’t cover what you do if you have your own certificate authority and DON’T want to use a self-signed certificate. Also, all the tutorials on the net use the Shell; I’d rather use the GUI…

When it comes time to renew your certificate, you’ll be seeing these in your Event Viewer:

Source: MSExchangeTransport
Category: TransportService
Event ID: 12018
User (If Applicable): N/A
Computer: server.domain.com
Event Description: The STARTTLS certificate will expire soon: subject: server.domain.com, thumbprint: ZOMGZOMGZOMGZOMGZOMGZOMGZOMGZOMG, hours remaining: 664. Run the New-ExchangeCertificate cmdlet to create a new certificate.

 

Source: MSExchangeTransport
Category: TransportService
Event ID: 12017
User (If Applicable): N/A
Computer: server.domain.com
Event Description: An internal transport certificate will expire soon. ZOMGZOMGZOMGZOMGZOMGZOMGZOMGZOMG, hours remaining: 664
Event Log Name: Application
Event Log Type: error
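
The two warnings above report the same kind of information in different layouts. As an added example (not part of the original post), this shell function reduces exported event descriptions to one line per certificate thumbprint with the hours and whole days left. The one-event-per-line input format, the function names and the sample thumbprints are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Input: event description text,
# one event per line (how the events are exported is an assumption).

# Constructed sample descriptions in the two layouts shown above;
# the thumbprints are placeholders.
sample_events() {
    cat <<'EOF'
The STARTTLS certificate will expire soon: subject: server.domain.com, thumbprint: AAAA1111AAAA1111, hours remaining: 664. Run the New-ExchangeCertificate cmdlet to create a new certificate.
An internal transport certificate will expire soon. AAAA1111AAAA1111, hours remaining: 640
An internal transport certificate will expire soon. BBBB2222BBBB2222, hours remaining: 100
The STARTTLS certificate will expire soon: subject: mail.domain.com, thumbprint: CCCC3333CCCC3333, hours remaining: 900. Run the New-ExchangeCertificate cmdlet to create a new certificate.
EOF
}

# expiring_certs MAX_HOURS   (reads descriptions on stdin)
# Prints "<thumbprint> <hours> <days>" for each certificate whose lowest
# reported "hours remaining" is at or below MAX_HOURS, soonest first.
expiring_certs() {
    # First expression handles Event ID 12018, second handles 12017.
    sed -n -E \
        -e 's/.*thumbprint: ([0-9A-Za-z]+), hours remaining: ([0-9]+).*/\1 \2/p' \
        -e 's/.*expire soon\. ([0-9A-Za-z]+), hours remaining: ([0-9]+).*/\1 \2/p' |
    awk -v max="$1" '
        # Keep the smallest value seen per thumbprint (the most recent warning).
        !($1 in h) || $2 < h[$1] { h[$1] = $2 + 0 }
        END {
            for (t in h)
                if (h[t] <= max) printf "%s %d %d\n", t, h[t], h[t] / 24
        }
    ' | sort -k2,2n
}

# Run against the constructed sample when called with "demo".
if [ "${1:-}" = demo ]; then
    sample_events | expiring_certs 720
fi
```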

Anyways, first off, DO NOT use this tutorial if you’re running “Microsoft Small Business Server”; there is a better, easier, and more automated way to perform this on SBS (I won’t be covering that in this blog post, I will however make another one to explain the procedure). Depending on your environment, this may or may not be the best way or the right way to do this. In my environment, I have 1 server that acts as a Domain Controller and a Certificate Authority, and a second server that is running Microsoft Exchange 2010.

You follow the instructions in this blog post at your own risk.

 

1) Start the renewal process

We need to generate a renewal request. Load up the Exchange Console, and select “Server Configuration” on the left. It should load up your Exchange Certificates on the lower half of your screen. Look for the certificate that is about to expire. To get the details of a certificate, simply double click it and it will load the info. If you’re unsure which certificate it is, take the thumbprint provided in the Event Viewer and compare it to the Thumbprint on the “Details” tab of the certificate. Once you find it, highlight it and select “Renew Exchange Certificate…” on the Action pane to the right.

[Screenshot: Renew Exchange Certificate]

2) Create renewal request Wizard

This will open the certificate renewal request wizard (as shown below):

[Screenshot: Certificate Renewal Request Wizard]

Simply choose a file name and location to save the request. It’s easiest just to save it on your desktop. After, hit “Renew”. This will generate the certificate renewal request.

 

3) Copy certificate request to clipboard

Locate the file you created above inside of Windows Explorer. Right click on this file and select “Open”, or “Open With”. When prompted, uncheck the “Always use the selected program to open this kind of file” option, and select “Notepad” as the program to open the file with. Example below:

[Screenshot: Open with Notepad]

This will open the certificate request. Now highlight all the text and copy it to your clipboard. Example below:

[Screenshot: Certificate request in Notepad]

4) Submit certificate request to certificate authority using web interface

Now we submit the request! Log on to your certificate authority web interface. On the first screen, we will select “Request a certificate”, as shown below:

[Screenshot: Request]

Then select “advanced certificate request”, as shown below:

[Screenshot: Advanced certificate request]

And now, choose “Submit a certificate request by using a base-64 encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.”, again example below:

 

 

 

 

 

Finally, we are going to populate the request. Inside of the “Saved Request:” text box, paste your request from your clipboard (which we copied to your clipboard above), then for “Certificate Template:” choose “Web Server”. Example is below:

 

 

 

 

 

Now select Submit! On the next page that loads, simply select “Download certificate” and save it to a location you’ll remember.

 

5) Install certificate on Exchange

We now have a certificate that’s ready to be installed. Go back to the Exchange console where we left off. Inside of the certificate list, you should see an item that has a status that says something about a pending request. Highlight this request, and on the Action Pane, select “Complete request”. I could be wrong on what this says as I can’t remember and did not take screenshots.

A wizard should open up, in this wizard simply point it to the new certificate (the file we just saved at the end of step 4, shown above). Follow the instructions.

 

6) Assign Services to Certificate

Now that the certificate is installed, we need to assign which services will use it. The new certificate should also now be in the list of certificates inside of Exchange. Highlight the new certificate, right click, and select “Assign Services to Certificate”. Example below:

[Screenshot: Assign Services to Certificate]

Once the wizard opens up, follow through and when actually prompted for the services check everything except for “Unified Messaging”. Finish the wizard.

 

7) Delete old certificate

Now we are almost done. Go back to the certificate list inside of Exchange and look for the old certificate that is going to expire. Highlight it, right click, and select “Remove”.

 

You’re Done!

 

Mar 02 2012
 

Well, today I was cleaning up and found an old Linksys SPA-3102 device that I purchased 3-4 years ago. I originally purchased this device to connect my Trixbox (Asterisk) PBX to my land line at my house.

The SPA-3102 is a device manufactured by Linksys/Cisco that provides one FXS terminal, and one FXO terminal. This device can connect your PSTN phone line to your VoIP PBX, and it can also allow you to connect a standard phone to your VoIP PBX as an extension, all at the same time.

While I wasn’t too happy with the performance of the solution, nonetheless I figured it out and got it running. I decided to write up a little blog post as a How-To for getting the SPA-3102 working with Trixbox. This solution is mostly just a bunch of config, so excuse the lack of How-To and the bulk of config dumps:

Update (2017): This also works on new versions of FreePBX Asterisk Linux Distro. I can confirm T.38 faxing works on the FXO line, but have not been able to get it working on the FXS PSTN line (fails to re-negotiate).

 

1) Configure the Asterisk extension (this configures the line you hook up to a phone on the SPA-3102):

Create an extension inside of Trixbox or FreePBX. Leave everything default except:

Display Name: Fax Machine (change this to whatever you want)

Extension: 199

secret: password (choose your password)

canreinvite: yes

host: dynamic

type: friend

nat: yes

qualify: yes

2) Configure the Asterisk Trunk for the SPA-3102

Go to the Trunk Menu inside of Trixbox or FreePBX PBX configuration. Add a new SIP Trunk. Leave settings default except:

Outbound Caller ID: 1234567890 (Change the number to your PSTN line, if the number doesn’t match, it could break things)

Trunk Name: spa3102

PEER Details:

username=spa3102
type=friend
secret=P4SSw0rdz (replace with your password)
qualify=yes
port=5062
nat=no
host=dynamic
dtmfmode=rfc2833
context=from-trunk
canreinvite=yes

3) Configure Outbound and Inbound Routes

The configuration for the Outbound route is normal and doesn’t require any special configuration other than the normal outbound route you’d normally create for a trunk. However, the Inbound route does require special attention. When creating the Inbound route, make sure that the DID Number value exactly matches the 10 digit number you configure for the PSTN. This is how it will recognize this and categorize the incoming call under that specific inbound route.

4) Now for the SPA-3102 Configuration

There’s no way I’m writing all the config out for the SPA-3102, so instead I took screenshots for each tab that requires configuration.

 

 

And Voila!

You now have your SPA-3102 configured to act both as an extension and as a gateway to the PSTN. If anyone has a better configuration, please write a comment. I’d love to update this article, and I’d like to get this working better than it currently is, if possible. One additional note: when the SPA3102 is factory reset, its default settings are optimized for the North America region.

Feb 10 2012
 

This morning I came across an article on the MSDN blog. I thought I’d share it with all my readers:

http://blogs.msdn.com/b/b8/archive/2012/02/09/building-windows-for-the-arm-processor-architecture.aspx

This article goes in to detail about “Building Windows for the ARM processor architecture” and provides some interesting information. I’m really excited to see this both on development devices, and polished retail devices.

There are also a few screenshots of a test debug build of Windows on ARM running on some of MS’s development devices, as well as some pictures of Windows on ARM development systems. Pretty cool stuff!

Jan 26 2012
 

In this “how to” we will go over installing Ubuntu 10.04 LTS on a Soekris Net4801 SBC (Single board computer).

To accomplish this, we will be network booting the Net4801 since it does not have any installation type storage (no cd-rom, and USB ports are not bootable), also since the Net4801 does not have a video card, or keyboard, we will be performing the installation over a serial console.

You can use this guide to perform the same function on other SBCs or other devices (even a standard server). The two methods in the guide, network booting and providing a serial console, do not depend on each other and can be done on their own (for example, you don’t need to network boot to install using a serial console, or vice versa).

In this how to, we are using the Soekris Net4801 since it’s a small, interesting little computer which is designed as a somewhat open platform for router, wireless, and numerous other types of development and production type uses. The Net4801 specifications are available here: http://soekris.com/products/net4801.html.

The instructions I provide are using software and systems I have available to myself. Your environment may be different so remember that Google is your friend. The concepts will be the same.

Requirements

To get started, we need:

  • 1 X Soekris Net4801
  • 1 X Computer with a serial port
  • 1 X Serial DB-9 Null Modem Cable
  • 1 X Linux or Windows computer running TFTP server and web server

When network booting the Ubuntu installer, you can either install directly off the internet (which requires simply network booting, and following the installation instructions) or you can provide the installer the installation files which may speed things up if you are on a slow connection. For the purpose of enlightening whoever is reading this, we are going to provide the installer the files.

How to Install Ubuntu over PXE netboot

1) Install a TFTP Server

The first thing we have to do is create the environment necessary to network boot the Net4801. In my case I have a CentOS 6 server. I installed the tftp server by issuing “yum install tftp-server*”. After this is complete we open up /etc/xinetd.d/tftp and change the disable value to no. Go ahead and restart xinetd by typing “/etc/init.d/xinetd restart”.

We now have a TFTP server providing everything inside of /var/lib/tftpboot.

2) Configure the DHCP Server to provide PXE boot info to PXE clients

In my case, I have a Windows Server 2008 R2 box providing DHCP to my network. I simply log on to the server, and open the DHCP Server GUI. I browse to my network scope, and right click on “Scope Options” and hit “Configure Options”. We need to specify two options: First is “066 Boot Server Host Name” which we set to the IP address of the TFTP Server, and second “067 Bootfile Name” which we set to “pxelinux.0”. That’s it! When the PXE client boots it will receive this information.

3) Configure netboot files

If you have the Ubuntu alternative CD, you can copy over everything inside of the install/netboot directory to /var/lib/tftpboot.

If you don’t have the Ubuntu CD, change your working directory to /var/lib/tftpboot, and type “wget ftp://ubuntu.arcticnetwork.ca/pub/ubuntu/ubuntu/dists/lucid/main/installer-i386/current/images/netboot/netboot.tar.gz”. After this, type “tar zxvf netboot.tar.gz”. This will extract the netboot components to the directory.
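
The download above arrives over plain FTP, so it is worth checking the tarball before it is unpacked into the directory every PXE client boots from. The following is an added example, not part of the original post: it assumes you have a SHA256SUMS file for the same images directory obtained from a source you trust, with an entry ending in netboot/netboot.tar.gz; that file name, the entry format and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: verify netboot.tar.gz against a
# checksum list, then unpack it into the TFTP root.

# verify_netboot SUMS_FILE TARBALL
# SUMS_FILE uses sha256sum format, e.g. "<digest>  ./netboot/netboot.tar.gz".
# Returns 0 on match, 1 on mismatch, 2 if the list has no entry for the file.
verify_netboot() {
    want=$(awk '$2 ~ /netboot\/netboot\.tar\.gz$/ { print $1; exit }' "$1")
    if [ -z "$want" ]; then
        echo "no netboot.tar.gz entry in $1" >&2
        return 2
    fi
    have=$(sha256sum "$2" | awk '{ print $1 }')
    if [ "$want" != "$have" ]; then
        echo "checksum mismatch for $2" >&2
        return 1
    fi
    return 0
}

# safe_members TARBALL
# Refuses archives that list absolute paths or ".." components, which could
# write outside the TFTP root during extraction.
safe_members() {
    if tar -tzf "$1" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "unsafe path in $1" >&2
        return 1
    fi
    return 0
}

# install_netboot SUMS_FILE TARBALL TFTP_ROOT
# Extracts only after both checks pass.
install_netboot() {
    verify_netboot "$1" "$2" && safe_members "$2" && tar -xzf "$2" -C "$3"
}

# Example: sh verify-netboot.sh SHA256SUMS netboot.tar.gz /var/lib/tftpboot
if [ "$#" -eq 3 ]; then
    install_netboot "$@"
fi
```

A checksum list fetched from the same FTP mirror only detects a corrupted download; it says nothing about who produced the file.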

When this is completed, this will provide the network installer for Ubuntu. Since we are using a serial terminal to install Ubuntu on the Net4801, we now have to configure the bootloader, and installer to use the serial console.

Inside of the /var/lib/tftpboot directory, open pxelinux.cfg/default using your favorite editor. Add these two lines to the top of the file:

console 0
serial 0 19200 0

Save and close. We have just instructed the bootloader to use the first serial port on the system to provide console. Next we need to configure the kernel to input/output to the serial port as well.

Open ubuntu-installer/i386/boot-screens/text.cfg in your editor. We are going to remove and add a few things to the “append” line under the “install label”. We are going to remove the word quiet, and replace it with console=ttyS0,19200. After completed it should look like this:

default install
label install
menu label ^Install
menu default
kernel ubuntu-installer/i386/linux
append vga=normal initrd=ubuntu-installer/i386/initrd.gz -- console=ttyS0,19200 earlyprintk=serial,ttyS0,19200

Now that this is complete, the kernel will now input/output to the serial console.
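
The two edits from this step can be scripted so they are safe to re-run after refreshing the netboot files. This is an added example, not part of the original post; the paths follow the article, while the BAUD variable and the function names are assumptions, and it applies only the console= change described in the text.

```shell
#!/bin/sh
# Added example, not from the original post: apply the serial-console edits
# from step 3 to an extracted netboot tree, without duplicating them on re-run.

BAUD=${BAUD:-19200}

# rewrite_in_place FILE: replace FILE's contents with stdin. Writing through
# the existing name keeps symlinks (pxelinux.cfg may be one) and permissions.
rewrite_in_place() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# add_serial_header FILE: put "console 0" and "serial 0 <baud> 0" at the top
# of pxelinux.cfg/default unless a serial directive is already there.
add_serial_header() {
    if grep -Eq '^[[:space:]]*serial[[:space:]]+0[[:space:]]' "$1"; then
        return 0
    fi
    { printf 'console 0\nserial 0 %s 0\n' "$BAUD"; cat "$1"; } |
        rewrite_in_place "$1"
}

# set_kernel_console FILE: on each "append" line of text.cfg, swap the word
# "quiet" for console=ttyS0,<baud>, or add the argument if "quiet" is absent.
# Lines that already name ttyS0 are left untouched.
set_kernel_console() {
    awk -v arg="console=ttyS0,$BAUD" '
        /^[ \t]*append[ \t]/ && $0 !~ /console=ttyS0/ {
            if (!sub(/[ \t]quiet[ \t]/, " " arg " ") &&
                !sub(/[ \t]quiet$/, " " arg))
                $0 = $0 " " arg
        }
        { print }
    ' "$1" | rewrite_in_place "$1"
}

# patch_netboot TFTP_ROOT: run both edits against the article's file layout.
patch_netboot() {
    add_serial_header "$1/pxelinux.cfg/default" &&
        set_kernel_console "$1/ubuntu-installer/i386/boot-screens/text.cfg"
}

# Example: sh patch-netboot.sh /var/lib/tftpboot
if [ "$#" -eq 1 ]; then
    patch_netboot "$1"
fi
```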

4) Install sources (you can skip this, but please read)

If you are installing from the internet, you can simply skip this step. If you have the Ubuntu alternative CD, or CD Image, and want to install from those sources, this is what we need to do. In my case, I had the ubuntu .iso file.

On my CentOS server, I have Apache httpd installed. I have the .iso file in /root/. I type “mkdir /var/www/html/mount” to create a directory called mount inside of the web root. I then make sure I’m in /root/ when typing “mount cd-image-name.iso /var/www/html/mount -o loop” which mounts the CD Image to the mount directory.

We have now successfully mounted the CD image to the web server.

5) Network Boot the Soekris Net4801 via PXE

We now have the environment configured, so it’s finally time to network boot the Net4801. Keep in mind, with a serial connection, the main problems you’ll run into are a) configuring software (i.e. Linux, Grub, Bootloaders) to use it, and b) speed settings. We’ve addressed the first issue already with configuration files, however we need to set up speed values both in the BIOS for the Net4801 and in the client (in my case PuTTY). While you can use a whole range, I like to use 19200. It’s friendly, and I never have any issues 🙂

Hook up the Net4801 to your computer’s serial port using your Null Modem Serial cable. Open up PuTTY, and instead of using SSH, use Serial, set the speed to 19200 (I believe this is the default for a fresh out of the box Net4801), and start the connection. Power on the Net4801 and you should see the startup text.

So right now, the connection is working, but I thought I’d go over a few things. Hit Ctrl + P while the BIOS is posting, and type show.

These are variables you can configure on the Net4801. A few to remember are:

a) ConSpeed – Serial port speed, has to match on both sides
b) Flash – Either Primary or Secondary, this specifies whether it is Master or Slave on the IDE Channel, just like traditional older IDE based computers.
c) BootDrive – This is standard booting order, 80 = IDE Master, 81 = IDE Slave, F0 = PXE Network boot.

Anyways, that’s that. So now we want to network boot. While in the ComBios command console, type in “Boot F0”. This will initiate the network boot. Things might look a bit weird at first, however eventually it will prompt you for something, simply type “install” and hit enter. After the kernel boots, the Ubuntu text installation should start. Now it’s easy and normal.

FINAL NOTES

The Soekris Net4801’s processor is a i586 class processor. Ubuntu dropped support for i586 as of 10.10 and later. This is why I chose 10.04 LTS.

There are issues with the installer on the Net4801. Issue being, after specifying network configuration, once it starts to download the initial installer components, the installer will freeze. Usually the screen goes blank for up to 45 minutes when it is working, however when this issue occurs, it will permanently freeze. 10 months ago I narrowed down what was causing this, however have forgotten. I think it has something to do with just having an IDE drive connected to the Soekris, I think it started working when switching to Compact Flash for internal storage.

POST-INSTALL CONFIGURATION

After installing, I noticed a bunch of weird things like ureadahead and plymouth crashing on startup (due to lack of resources). Also, some things were not showing up on the serial console which I wanted to (this is because everyone wants GUIs these days).

Few recommendations on cleaning up your install:

1) Disable AppArmor – It’s a waste of resources

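Type “sudo update-rc.d -f apparmor remove”. This removes the AppArmor init script from the boot sequence, so the profiles it would load are no longer enforced.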

2) Configure GRUB – Get the proper stuff going to the console

Open /etc/default/grub in your favorite editor, remove everything and paste this:

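GRUB_DEFAULT=0
GRUB_HIDDEN_TIMEOUT_QUIET=true
GRUB_TIMEOUT=3
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
# Keep plymouth and the splash screen off so boot messages stay readable
GRUB_CMDLINE_LINUX_DEFAULT="noplymouth text nosplash"
# Kernel console and early boot messages go to the first serial port
GRUB_CMDLINE_LINUX="console=ttyS0,19200 earlyprintk=serial,ttyS0,19200"
# This file is sourced as shell, so a single GRUB_TERMINAL assignment is kept
GRUB_TERMINAL=serial
GRUB_SERIAL_COMMAND="serial --unit=0 --speed=19200 --stop=1"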

That disables plymouth, configures a text console, and shows GRUB on boot. After this is done, run “update-grub” and “update-initramfs -u”.

3) Set time – I don’t know why but my system lost its time, maybe my battery is going, for some reason this wasn’t automatic.

Type “ntpdate time.windows.com”

4) Compiler and Building stuff – If you’re going to compile anything, run this, or skip this

Type “apt-get install fakeroot build-essential libncurses5 libncurses5-dev libelf-dev asciidoc binutils-dev”

Have any questions, feel free to leave a comment.

Jan 26 2012
 

Well, did it. I finally got Ubuntu 10.04 LTS installed and running on my Net4801 (via PXE netboot install and serial console), and got Lio-Target running on it:

root@net4801:~# cat /proc/cpuinfo
processor       : 0
vendor_id       : Geode by NSC
cpu family      : 5
model           : 9
model name      : Unknown
stepping        : 1
cpu MHz         : 266.670
fdiv_bug        : no
hlt_bug         : no
f00f_bug        : no
coma_bug        : no
fpu             : yes
fpu_exception   : yes
cpuid level     : 2
wp              : yes
flags           : fpu tsc msr cx8 cmov mmx cxmmx up
bogomips        : 533.34
clflush size    : 32
cache_alignment : 32
address sizes   : 32 bits physical, 32 bits virtual
power management:

root@net4801:~# /etc/init.d/target status
[—————————] TCM/ConfigFS Status [—————————-]
\——> iblock_0
HBA Index: 1 plugin: iblock version: v3.5.3
\——-> lun0
Status: ACTIVATED  Execute/Left/Max Queue Depth: 0/32/32  SectorSize: 512  MaxSectors: 240
iBlock device: sdc
Major: 8 Minor: 32  CLAIMED: IBLOCK
udev_path: /dev/sdc

[—————————] LIO-Target Status [—————————-]
\——> iqn.2010.com.digitallyaccurate.net4801:lun0
\——-> tpgt_1  TargetAlias: LIO Target
TPG Status: ENABLED
TPG Network Portals:
\——-> xxx.xxx.xxx.xxx:3260
TPG Logical Units:
\——-> lun_0/iscsi00 -> target/core/iblock_0/lun0

Target Engine Core ConfigFS Infrastructure v3.5.3 on Linux/i586 on 2.6.32-38-386
Linux-iSCSI.org Target v3.5.3 on Linux/i586 on 2.6.32-38-386
root@net4801:~#

(IP removed from TPG)

Ubuntu is running off the Compact Flash card. There is a hard drive inside the Net4801 which was used as a block device for the iSCSI target, note the net4801 IDE channel only runs UDMA/33. After testing this, I popped in a USB 2.0 PCI card, and attached a 500GB USB drive. Please see a pic below:

Tests:

Writing around 1.6MB/sec (CPU utilization ~40%)

Reading around 2.5MB/sec (CPU utilization ~80%)

Please Note:

The test numbers are not exactly correct due to the caching Windows performs.