Cupfighter.net » Schuberg Philis

SNW europe, powering the cloud

Arjan Eriks — Wed, 02 Nov 2011 10:44:51 +0000

Powering the cloud. Multi marketing of course, but what is happening in the storage world? What does it mean for mission critical environments? These are the questions I am hoping to get answered today and tomorrow. Currently three sessions done. 1. Introduction to Data protection by Chriss Sop, 2. Optimizing storage in a cloudy, virtualized world by The 451 Group and 3. Enterprise Tiered Storage by John Locky.

First two sessions were somewhat low quality from a contect perspective. Too basic from on technology and on new innovations. Even for me as a non engineer. The difference between full backup, incrementals and differentials is not the thing we came here for. Although i must say that merging incrementals on the back end to always have full backups available sounds interesting. Curious to see this working in real life. How transprrent will that be? Lets ask Commvault later today. And if i can find them Quest as well. Would be nice to learn a bit on automated restore testing as well. Guaranteeing back ups remains an issue. Especially on tapes.

When i get answers, you’ll probably read more about it on cf.net or twitter.

What is a cupfighter?

Frank Breedijk — Mon, 30 May 2011 15:55:43 +0000

In order to better explain what a Cupfighter is, our employer Schuberg Philis created this video:

Click here to view the embedded video.

We are always looking for more Cupfighters.

CA will not start… What do you mean, cannot download CRL…

Frank Breedijk — Wed, 20 Jan 2010 22:50:05 +0000

As part of my work I was installing a Microsoft PKi infrastructure with two tiers. A root CA and an issuing CA.

Since the root CA is in another domain then the issuing CA, it took some fiddling and tweaking around with my CDP and AIA extensions, but that is another blogpost all together.

I knew I was in for some fun when when the following happened:

I installed my Issuing CA and generated the certificate request
I issued the request to my Root CA and generated the Issuing CA certificate
I tried to install the Issuing CA certificate and got the following error:

Cannot verify certificate chain. Do you whish to ignore the error and continue? The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2168885613)

My first reaction was to call one of the network guest and notify him that I needed http access to the Issuing CA to the CDP location. But whil on the phone, I decided to try and to my surprise I was actually able to manually pull down the crl.

Intregued, I decided to check a few things:

I could download the CRL from both CDP locations with Internet Exporer
I could open the downloaded CRLs
I could telnet to port 80 of the both webservers
I could telnet to port 80 manually issue the GET /crl/CRLname.crl HTTP/1.0 command and get data back

O.K. what is going on here… Lets open PKI view, which is now included in Windows 2008 and Vista and can be downloaded for Windows 2000 and 2003.

It seemed that PKI view as in agreement, it too could not download the CRL from the CDP location

PKI view shows "Unable To Download" for both CDP locations

This did sent me on a wild goose chase:

Microsoft own documentation, clearly blames it on unavailability of the CDP location, something I, by now, had triple checked four times and refused to believe
This “Network Builders” forum and many others, simply suggest to turn off revocation checking, but that is clearly not a worthy solution either.
Apparently there is also an issue with serving delta CRLs threw IIS because the + sign at the end of the basename of a delta CRL file leads to so called “double escaping”. I could rule this out by looking at the IIS logs.
In the end this technet forum post, about OCSP reponders Brian Komar points out:

But, as stated, I would use certutil to get the “best” answer on how is my configuration.
Certutil -verify -urlfetch “certfile.cer” will check *every* CDP and AIA URL (including OCSP) and tell you how they are all doing *at that specific instance in time” since it goes to the URLs immediately.
Brian

I exported the Issuing CA certificate from the certificate database of the Root CA and ran the command against is and this is what I found

E:\>certutil -verify -urlfetch .cer
Issuer:
CN=Root CA
Subject:
CN=Issuing CA
Cert Serial Number: 115d5f6400020000000b

—————- Certificate AIA —————-
Verified “Certificate (0)” Time: 0
[0.0] http://IIS1.domain1local/crl/Root-CA.crt

Verified “Certificate (0)” Time: 0
[1.0] http://IIS2.domain1.local/crl/Root-CA.crt

—————- Certificate CDP —————-
Wrong Issuer “Base CRL (13)” Time: 0
[0.0] http://IIS1.domain1.local/crl/Root-CA.crl

Wrong Issuer “Base CRL (13)” Time: 0
[1.0] http://IIS2.domain1.local/crl/Root-CA.crl

E:\>

So while PKI view and the other error messages I was getting all pointed to the most common cause, it actually turned out that the CRl did get downloaded, but was not cryptographically relevant to what the system believes is the Root CA certificate.

Root cause

Inspection of the CRLs generated and the Root certificates installed showed what had caused the problem. In order to test the CDP extensions I had reissued the Root CA certificate, causing the Root CA to have three active certificates. Each with a different key.

This CA has three CA certificates

When validating the Issuing CA certificate, validation would end at the last certificate issued, however the CA still signs its CRLs with the key pair of the first certificate.

I guess for me there is nothing left but to reinstall the entire chain.

TECHED Berlin 2009

Ane van Straten — Thu, 12 Nov 2009 06:13:24 +0000

Schuberg Philis has sent me and 4 colleagues to Berlin to attend the TECH-ED over there.

Together with another 7000 techies, this is a week of planning, running, eating, experiencing all kinds of (new) technologies presented by Microsoft guys.

Feeling some blisters already, because I’m not used to running so much on a day, especially with a Lenovo T500 on my shoulder. The Berlin Messe is a huge place. But the overall sense of the MCE’s is that we are enjoying the sessions. Not all session are that good, but for instance Mark Minasi is good fun to watch and hear. The food and beverages (very important) are good and plenty.
Technically we are not always that challenged, in many occasions the depth is lacking, but then again, it is a mass-event and not everybody is a (potential) MCE.

On Monday MS presented a Keynote, and all of us were very disappointed. Nothing new, lots of marketing blabla. Cloud computing (Azure) was the keyword here. (Literally, we counted over 100 times them using the word “cloud”.)
Reading back this sounds a bit negative, but in fact, we are having a good time. Discussing a lot about the statements made in the session, exchanging the different sessions we’ve attended, thus learning a lot. Even writing the blogs is a good learning curve. We are all cupfighters, and don’t want to blog rumors and rubbish, so for each post we do a thorough background check.
Berlin sightseeing is mainly done via U and S-bahn, ample time to discover the city (this is in case our bosses are reading this post .

We’re looking forward to the Country drink on Thursday, organized by our employer together with Microsoft (http://www.schubergphilis.com/countrydrink).

If you’re Dutch IT-pro, come and join us there. You will find the Schuberg Philis style of organizing a party is an experience not to be missed!

Next couple of days more sessions, and we’ll keep you posted if we hear some nice things.

TechEd Europe 2009 – East West Thuis Best

Cupfighter — Thu, 05 Nov 2009 18:07:24 +0000

Some cupfighters are going to TechEd Europe 2009. In fact the company we work for, Schuberg Philis, organizes the dutch country drink together with Microsoft.

We will blog during this event, and try to post major announcements, being made during TechEd, on this site as fast as we can. So keep an eye on this site or twitter!

http://www.schubergphilis.com/countrydrink

Now switch to dutch:

Country Drink? Natuurlijk!

TechEd 2009 Berlijn is niet compleet zonder Country Drink. Daarom organiseert Microsoft partner Schuberg Philis speciaal voor de Nederlandse Microsoft IT Pros en Developers een oerhollandse avond.

Donderdag 12 november ben je vanaf 18.00 uur van harte welkom in Club Restaurant Dante: midden in Berlijn en heel goed bereikbaar vanaf de TechEd.

Een Hollandse avond is niet compleet zonder een goede hap en biertjes die je bij onze meegereisde hostesses gewoon in het Nederlands kunt bestellen. Ook meezingers mogen niet ontbreken. Daarom komt Peter Beense, de enige echte Amsterdamse volkszanger, speciaal voor deze Country Drink naar Berlijn om een spetterend optreden te geven.

Het eerste deel van de avond is exclusief voor ons. DJ ENO-C en VJ Ed-Art zorgen voor een relaxte sfeer, zodat je lekker kunt napraten over de afgelopen dagen. Vanaf 23.00 uur, na het optreden van Peter Beense, pakken ENO-C en Ed-Art de draad weer op en stroomt het Berlijnse nachtleven binnen.

En jawel, deze avond krijg je het Microsoft TechEd 2009 t-shirt, hoogstpersoonlijk overhandigd door Tony Krijnen en Daniel van Soest.

We verheugen ons op je komst!

http://www.schubergphilis.com/countrydrink voor meer informatie!

stress/load testing a Java-enabled web site with jMeter

Anton Opgenoort — Sun, 18 Oct 2009 11:52:49 +0000

jMeter is a great tool to perform several load and stress tests on websites, ftp servers, database servers and more. I use it to see how much end-users can log in to their banking environment and check their current account details, to validate how much inserts/sec can be handled by a database, the maximum amount of ldap lookups, etc.

During testing, the most interesting things usually happen during the load test. It’s funny to see how a site behaves (or dies) when the system is running out of resources. My ultimate goal is not to find the moment where the site breaks, but to tune the site to a level where it actually never breaks, but only becoming slow, without collapsing via some snowball effect on system resources. I’d rather have a slow web site where 8 web servers are running at 95% cpu, than a collapsed farm because end-users hit the F5 button after receiving a system error.

In one of my last assignments to benchmark a site, the site turned out to use java classes, with browser-based functions to create an encrypted password which in turn was sent to the web site for authentication.

There I was, with a need for executing a custom java class, and a clear FAQ on the jMeter site telling me explicitely “Does JMeter process dynamic pages (e.g. Javascript and applets): No. JMeter does not process Javascript or applets embedded in HTML pages.”.

But jMeter does support a way to execute JavaScript functions, via the “BSF assertion”. And here’s the trick: JavaScript provides a bridging function towards java libraries, via the Packages method. If you have a custom class in a JAR file provided by the website, the regular path to that class would be com.Company.Custom.Classname, and the function can be called “FunctionName”. Using this function from within JavaScript is can be done by calling the function with it’s full path, and by adding “Packages.” in front of it.

Example java class function use within jMeter, e.g. by using a class file to encrypt a username/password combination by using a custom java function:

download the website’s JAR file, and put it in the jMeter java classpath
Create your regular jMeter test
Add a “user definded variable” test component, and add a field called “PASSWORD” with variable “secret”, and an empty field “HASHEDPASSWORD”.
Add the “BSF sampler” to the HTTP request sampler containing the username/password login page
Put “javascript” in the “script language” field of the BSF assertion

This is how the JavaScript code within the BSF assertion could look like:

//Get the jMeter variable and put it in a Javascript variable

var password = vars.get(‘PASSWORD’);

//the actual magic: the calling of a Java class function from within JavaScript
//This is not an actual password encryption, only an example by help of a jMeter class available
//You can find this class in ~jmeter/lib/soap.jar
var hashedpassword = Packages.org.apache.soap.Utils.cleanString(password);

//Put the result back into a jMeter variable for further processing
vars.put(‘HASHEDPASSWORD’,hashedpassword);

//and since we’re not testing anything in this “BSF assertion”, we will always call it a success:
AssertionResult.setFailure(false);

And that’s it!

Full example, tested with Jmeter 2.3.2 (copy this into a test.jmx text file):

      false
      false








          false
          1

        1
        0
        1230116483000
        1230116483000
        false
        stoptest







              PASSWORD
              <secret>
              =


              HASHEDPASSWORD
              ThisShouldBeGoneWIthTheSecondHTTPRequest
              =








          www.cupfighter.net

          http

          /
          GET
          false
          true
          true
          false



          false






            //Get the jMeter variable and put it in a Javascript variable
        var password = vars.get('PASSWORD');
�
//the actual magic: the calling of a Java class function from within JavaScript
        //This is not an actual password encryption, only an example by help of a jMeter class available
        //You can find this class in ~jmeter/lib/soap.jar
        var hashedpassword = Packages.org.apache.soap.Utils.cleanString(password);

//Put the result back into a jMeter variable for further processing
vars.put('HASHEDPASSWORD',hashedpassword);
�
//and since we're not testing anything in this "BSF assertion", we will always call it a success:
AssertionResult.setFailure(false);

            javascript







                false
                ${HASHEDPASSWORD}
                =
                true
                Password


                false
                Cupfighter
                =
                true
                Username



          www.cupfighter.net

          http

          /
          POST
          false
          true
          true
          false



          false

          using variable processed by Java's cleanString function in BSF assertion




        false

          saveConfig

            true
            true
            true
            true
            true
            true
            true
            true
            true
            false
            true
            true
            false
            false
            true
            false
            false
            false
            false
            false
            0
            true



        Check the request tab, on the POST data to see if the <secret> was changed to <secret&gt

My Security Justice interview

Frank Breedijk — Wed, 07 Oct 2009 08:22:05 +0000

One month ago we blogged about my interview for Security Justice. Yesterday I got a tweet from Security Justice that the recording of my interview is now available.

To my surprise the interview turned out a lot better then I remembered it.

Security Justice will feature Cupfighter.net author Frank Breedijk

Cupfighter — Mon, 07 Sep 2009 07:42:02 +0000

This afternoon/evening, Security Justice will hold their 1st Annual International Podcast BBQ to celebrate US labor day.

The BBQ will feature our Schuberg Philis colleague Frank Breedijk as blogger for cupfighter.net and author of AutoNessus

At 15:00 EST (20:00 GMT) they will kick off by firing up the grill and opening the (probably not first) beers. After this there will be a series of interviews:

16:00 EST (21:00 GMT) – Our own Frank Breedijk (@autonessus)
17:00 EST (22:00 GMT) – Chris John Riley (@ChrisJohnRiley) and Robin Wood (@digininja)
18:00 EST (23:00 GMT) – James Arlen (@myrcurial)
19:00 EST (00:00 GMT) – Nick Owen (@wikidsystems)
20:00 EST (01:00 GMT) – Clean-up and the usual banter…

The podcast will be streamed live via hak5radio.com and IRC: irc.freenode.net #securityjustice will be used for audience participation.

Schuberg Philis hosts CAcert Assurer Training Event Amsterdam

Frank Breedijk — Mon, 15 Jun 2009 16:11:14 +0000

From: http://blog.cacert.org/2009/05/388.html

Much has happened during the past year. A list of up till now mostly “orally transmitted” rules have been cast in policies. New procedures (e.g. the Assurer Challenge) and obligations (e.g. in the CAcert Community Agreement) have been decided. The Assurer Training Events try to bring all this informations to “the people”:
- To what, does the CCA protect every CAcert-Community-Member and as such also you?
- Can you recount the 5 statements of the “Purpose of Assurance”?
- Can you at least recount 10 security marks of the Dutch passport/Identity card?
Answers to these and following questions are given at the Assurer Training Events (ATE’s).
Participation in the events is free, Contributions are however appreciated.Amsterdam:
—————
The ATE-Amsterdam takes place on:
- Monday, June 15th from 20:00 till 22:00
- at SCHUBERG PHILIS
Star Parc
Boeing Avenue 271
1119 PD Schiphol-Rijk
—————
The ATE-Eemnes takes place on:
- Saturday, June 20th from 10:30 till 12:30, followed by normal assurances till 15:30
- in de Hilt
Hasselaarlaan 1c
3755 AV Eemnes
The Event-Team is already excited about your participation.
Registration ATE-Amsterdam
Registration ATE-Eemnes
contact: events@cacert.org

Christ; is it that late already !? :-)

Dennis Silva — Thu, 11 Jun 2009 00:17:33 +0000

We’re working our butts off on a technical proposal for an RFP from a large financial institution. We already have them in our data center, and they are asking us to do more… sure why not!?

Our proposal has to be delivered to them before the weekend. But we still have several hours of quality time ahead of us.

I’d love to share all the details, but erhm, since this is all hush-hush stuff I can’t.

But to give a general idea: DTAP hosting platform for enterprise application, internal use only, user population (>5,000 employees) located around the globe, highly confidential and secure, twin versus dual data center setup located in Amsterdam area, partially virtualized in network and server layers, internet as well as Corporate connectivity, authenticated against corporate user repositories, Windows based, maximum data loss of 1hr (RPO), 10TByte data, IDS/IPS, the lot.

And then suddenly find myself working > 2am. Geeh. Time to take a nap and kick ass again tomorrow.

Grtz,