Crystal – Login Denied

Here is an oldie that loves to surface every once in a while.  I was fixing some Windows Process Schedulers today so that Crystal would work properly.  I was able to get DEMO working, but when I went to one of the test environments I got a connection error: login was denied.  I always love how there are some crazy oddities to 3rd Party programs with PeopleSoft.  Firstly, Crystal is still a 32 bit application even though as of 8.53 PeopleTools all the PeopleSoft connections are 64 bit.  If you are wondering, yes, SQR is still 32 bit as well. 🙂

However, the login was being denied because there were multiple entries in the PSACCESSPRFL table, and several of them were invalid, and Crystal likes to “randomly” pick an entry from the table as it does not have a where clause associated with its connection.  So in this case I simply changed all the symbolic ids to use the same accessid and password; however, if you really do need to have multiple accessids, make sure they have the right access.

Cisco Anywhere VPN – default URL

Okay, I have to say, a few things in this world drive me crazy, okay maybe a little more than a few.  Now I know this won’t apply to most people as they probably only have to ever VPN into one place, but for the folks in this world that VPN into multiple places, I often find that my Cisco Anywhere client tool often gets updated.  The problem I often find is that my default URL gets changed and the drop down never works, so I end up memorizing bizarre VPN urls for my various clients.

I just want to be able to have my most common client be first in the list and ideally have my other VPN urls in the drop down.  So in a fit of frustration I did a Google search yesterday and found how to change the default URL.  Look for the file preferences.xml which should be in your c:\users\{youruserid}\appdata\local\cisco\Cisco AnyConnect VPN Client\ folder.  I had some issues finding this file as it might be in the roaming folder instead of local, and it might just be hidden.  In the file you can change the entry for:  DefaultHostName.

In order to get the drop down list to work properly, I found in my c:\programdata\cisco\Cisco AnyConnect Secure Mobility Client\Profile that there was an xml file that had my default profile in it.  In my trusty UltraEdit, I found the section for the ServerList and made a new HostEntry block for each of my VPN Servers.

<ServerList>
  <HostEntry>
    <HostName>{MyVPN-name-vpn1}</HostName>
    <HostAddress>{MyVPN-address-vpn1}</HostAddress>
  </HostEntry>
  <HostEntry>
    <HostName>{MyVPN-name-vpn2}</HostName>
    <HostAddress>{MyVPN-address-vpn2}</HostAddress>
  </HostEntry>
</ServerList>

Now my drop down box works.  Now I am a little bit happier. 🙂

SSL Certificate: Cannot convert identity certificate

Weblogic Web Server SSL Certificate:

A client called today and said they needed to change their wildcard SSL certificate that they were using on one of the external web servers. This seemed like a simple enough request, so:

Step 1:

Get Client to send the new SSL Certificate in pfx format.

Step 2:

Using Portecle “a user friendly GUI application for creating, managing and examining keystores, keys, certificates, certificate requests, certificate revocation lists and more” – Load the PFX SSL Certificate

Step 3:

Convert the new keystore to JKS format.

Step 4:

Reset the password to the SSL Certificate and set the Alias name to the Alias already in use.

Step 5:

Export the PEM encoded certificate to a file and set the file extension to .CRT – This allows the SSL Certificate to be easily opened in Windows.

Step 6:

Export the intermediate and root certificates in base x.509 formats.

Step 7:

Import the intermediate and root trusted certificates (the ones just exported in Step 6) back into the keystore.

Step 8:

Take the SSL Certificate in PEM format and append the SSL Certificate Intermediate PEM format and then the SSL Certificate Root Certificate Authority (CA) in PEM format.  This basically creates a full certificate chain in PEM format.

Step 9:

In Portecle update the CA Reply of the Certificate with the Full Certificate Chain in PEM format.  This step is important so no certificate errors are reported with Firefox Browser.

Results:

The new JKS Keystore has 3 SSL Certificates in the keystore, the Full SSL Certificate private/public key combination, and the SSL Certificate Intermediate and SSL Certificate Root.

Install New SSL Certificate Keystore:

Log into the Weblogic Server and rename the existing SSL Certificate Keystore and upload the new SSL Certificate Keystore using the original SSL Certificate Keystore filename.

Restart the server, and………..

BOOOOOOOM!

ERROR:  <Emergency> <Security> <BEA-090034> <Not listening for SSL, java.io.IOException: Cannot convert identity certificate.>

Well, that’s new!  A quick investigation on Google, and some checking turns up that the new certificate was created using SHA256withRSA, while the old one used SHA1withRSA.

As it turns out, Weblogic prior to 10.3.4 cannot use certificates signed with SHA256withRSA, as it uses the Certicom SSL implementation.  However, since the web server is version 10.3.6, JSSE SSL needs to be enabled.

This setting is under the advanced options of the Weblogic console, found under the SSL tab for the Server in question.  Once enabled and the web server restarted, the SSL Certificate & New Keystore worked!

Knowledge Reference:

Check out Wikipedia’s page on SHA-2 for more information.

Who is on my server

I got a notice today that my service provider needed to reboot my servers as there was a vulnerability that was exposed on the actual host that could cause problems, and the only way to fix it was to reboot the entire host.  So I wanted to ensure that everybody was off the system and cleanly so that there were no problems, because this is rare that my entire server set would be going down at the same time.

On my windows machines I wanted to make sure that nobody was still connected via remote desktop connections.  To do this quickly, from a command prompt I issued the command:

qwinsta

Another option would be to use the SysInternals Suite of Tools which is available from Microsoft, there is one called PSLoggedOn that will give the information you are looking for.

On my RedHat 6.5 servers you can issue the command:

who -a

There is another one called “w”  that will give similar information but for a quick look the who command works great.

Server ‘myDBSERVER’ is not configured for RPC for a Linked Server

As part of my post go-live procedures I was trying to do some comparisons from the pre-upgrade environment to the actual production environment.  Usually this is very straight forward and can be done using the Linked Server.  As it turned out the linked server was already configured however when I tried to do the sql lookup on the PSOPRDEFN table I got an error.

Msg 7411, Level 16, State 1, Line 1

Server ‘myDBSERVER’ is not configured for RPC

To re-enable the RPC commands for the linked server you can do it in the options GUI or from the query window:

exec sp_serveroption @server='myDBSERVER', @optname='rpc', @optvalue='true'

exec sp_serveroption @server='myDBSERVER', @optname='rpc out', @optvalue='true'

Now when I run [myDBSERVER].[PREUPGDB].[dbo].[PSOPRDEFN] I get the results I am looking for!