From paul.suh at ps-enable.com Tue Apr 15 00:14:31 2008
From: paul.suh at ps-enable.com (Paul Suh)
Date: Tue Apr 15 00:14:47 2008
Subject: [Newsletter] Low Stress, Samba and Extended Attributes, Mail Relay Testing, Certificates in Java, Network Solutions and Sub-domains
Message-ID:

Folks,

Short but lots of links this time.

Desktop Support is a Low Stress Job
-----------------------------------

Just for laughs -- I read it on the Internet so it must be true. Look at the last of the 8 careers!

E-mail Relay Testing
--------------------

I've been doing a lot of work on e-mail servers, and I wanted to make sure that you know about a great resource to test whether your mail server is an open relay. This free service performs a dozen different tests and gives you instant results. Note that it is not linked to from anywhere else on the abuse.net website.

Certificates in Java
--------------------

Did you know that Mac OS X has not one, not two, but THREE (or, depending on how you look at it, four) certificate stores?! If you need to install a new root certificate or intermediate certificate, you need to install it in the SystemRootCertificates.keychain (Leopard) or X509Anchors (Tiger) keychain, the Java cacerts certificate store(s), and the /usr/share/curl/curl-ca-bundle.crt certificate store.

I found this out when trying to import a new certificate that was created using GoDaddy. It turns out that GoDaddy's certificates aren't signed by their root certificate. Instead, they're signed by an intermediate certificate, which is in turn signed by the GoDaddy root certificate. As a result, I had to import the intermediate certificate, but I put it into X509Anchors and wondered why a Java app still wasn't accepting the new certificate. It wasn't until I did some searching around that I found the Java cacerts file and keytool. This intermediate certificate is yet another reason I'm not very happy with GoDaddy, beyond their totally tasteless commercials.

For the System keychain, the procedure is:

1) Make sure that the certificate file has a filename extension of .cer or .pem.
2) Double-click on the file and Keychain Access.app will launch.
3) The dialog box will ask you which keychain to add it to -- select the System Roots or X509Anchors keychain (depending on which version of Mac OS X you're using) from the pop-up menu.
4) Enter your administrator username and password in the Authorization Services dialog box that comes up.

The Java certificate store is located at /System/Library/Frameworks/JavaVM.framework/Home/lib/security/cacerts. Note that there are *separate* stores for each version of the JVM, 1.4.2 vs. 1.5.0, so the certificate has to be imported into each one you use. You need to use the command line tool keytool (part of the Java tool set) to import the certificate. The command looks like this (the trailing backslashes continue the command onto the next line; it can equally be typed as one *long* line):

    # keytool prompts for the keystore password (the stock cacerts password
    # is "changeit") and, if it cannot build a chain to an existing root,
    # asks you to confirm that the certificate should be trusted.
    sudo keytool -import -alias "Certificate Authority Long Name" \
        -file /path/to/certificate_file.pem \
        -keystore /System/Library/Frameworks/JavaVM.framework/Home/lib/security/cacerts

For the /usr/share/curl/curl-ca-bundle.crt store, you can use a text editor. Make sure the certificate is in PEM format, and copy and paste the lines from "-----BEGIN CERTIFICATE-----" through "-----END CERTIFICATE-----" (including those two marker lines) at the bottom of the file.

Network Solutions and Sub-domains
---------------------------------

Yet another evil behavior by Network Solutions. Remember a couple of years ago there was a big flap over Network Solutions, Inc. (who run the .com registry) diverting any domain that wasn't found to their own website for registering a domain? E.g., if you typed in "www.applw.com", NSI would divert your browser to a web page that would try to get you to register that domain with NSI. Most people considered that an abuse of their privileged position of running the .com registry, and NSI soon gave it up. It also caused many scripts to break, since DNS lookups are not used solely by web browsers.

Well, it seems like they're up to the same no-good tricks again. If you have your DNS hosted through NSI and don't have a sub-domain or host explicitly registered, NSI is now diverting the sub-domain to one of their web pages. Yet another reason to *not* host your domain or DNS through NSI.

--Paul

Paul Suh
http://www.ps-enable.com/
paul.suh@ps-enable.com
(240) 672-4212
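The curl-ca-bundle.crt step in the "Certificates in Java" section above is a manual paste, which is where mangled line endings and duplicate entries creep in. The following script is an added example (not from this newsletter, and not a curl or Apple tool): it parses the PEM CERTIFICATE blocks already in a bundle, fingerprints each one, appends only the blocks that are missing, and refuses input that is not PEM. The two "certificates" it ships with are constructed stand-in byte strings, not real X.509 data, so the example runs offline; point add_to_bundle at a real bundle and real PEM text to use it for real.

```python
"""Idempotently add PEM certificate(s) to a curl-style CA bundle.

Added example, not part of the original newsletter. Standard library only.
The curl bundle is just a concatenation of PEM blocks, so the logic is:
parse blocks, fingerprint the DER inside each, append what is missing.
"""
import base64
import hashlib
import re
from pathlib import Path

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_blocks(text: str) -> list[bytes]:
    """Return the DER bytes of every CERTIFICATE block found in `text`.

    Line breaks, indentation and CRLF endings inside the body are ignored.
    A body that is not valid base64 (the usual sign of a bad copy-and-paste)
    raises ValueError instead of being silently appended.
    """
    ders = []
    for body in _PEM_BLOCK.findall(text):
        b64 = "".join(body.split())
        try:
            ders.append(base64.b64decode(b64, validate=True))
        except ValueError as exc:
            raise ValueError("malformed PEM certificate body") from exc
    return ders


def fingerprint(der: bytes) -> str:
    """SHA-256 hex digest of the DER encoding, used to detect duplicates."""
    return hashlib.sha256(der).hexdigest()


def to_pem(der: bytes) -> str:
    """Re-encode DER as a canonical PEM block with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN, *lines, END]) + "\n"


def merge_bundle(existing: str, cert_pem: str) -> tuple[str, list[str]]:
    """Return (new bundle text, fingerprints actually appended).

    Certificates already present in `existing` are skipped, so running the
    merge twice is harmless. Input without a CERTIFICATE block (for example
    a DER .cer file pasted as-is) is rejected.
    """
    new_ders = pem_blocks(cert_pem)
    if not new_ders:
        raise ValueError("input contains no PEM CERTIFICATE block")
    present = {fingerprint(d) for d in pem_blocks(existing)}
    added, chunks = [], []
    for der in new_ders:
        fp = fingerprint(der)
        if fp in present:
            continue
        present.add(fp)
        added.append(fp)
        chunks.append(to_pem(der))
    if not chunks:
        return existing, []
    # Start the appended block on a fresh line, as the manual paste should.
    sep = "" if not existing or existing.endswith("\n") else "\n"
    return existing + sep + "".join(chunks), added


def add_to_bundle(bundle_path: Path, cert_pem: str) -> list[str]:
    """File-level wrapper: merge `cert_pem` into the bundle on disk."""
    existing = bundle_path.read_text() if bundle_path.exists() else ""
    merged, added = merge_bundle(existing, cert_pem)
    if added:
        bundle_path.write_text(merged)
    return added


# Constructed stand-ins: the base64 bodies wrap plain byte strings, NOT real
# X.509 DER, so this example runs without any real certificates.
FAKE_ROOT = to_pem(b"constructed-root-ca-stand-in")
FAKE_INTERMEDIATE = to_pem(b"constructed-intermediate-ca-stand-in")

if __name__ == "__main__":
    bundle = FAKE_ROOT                      # a bundle holding just the root
    bundle, added = merge_bundle(bundle, FAKE_INTERMEDIATE)
    print("appended:", added)               # one fingerprint
    bundle, added = merge_bundle(bundle, FAKE_INTERMEDIATE)
    print("appended on second run:", added) # [] : already present
```

Because the intermediate is matched by the fingerprint of its DER content rather than by text, a block pasted with Windows line endings or extra indentation is still recognised as the same certificate.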
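The sub-domain diversion described in the "Network Solutions and Sub-domains" section is, at the DNS level, a wildcard record: any unregistered label under the zone resolves to the provider's web server instead of returning NXDOMAIN, which is exactly what breaks scripts that rely on a lookup failing. The check below is an added example (not from the newsletter) for confirming whether a zone you host behaves that way: it resolves a few random, never-registered labels and reports whether they all come back with the same address. The resolver function is injected so the logic can be exercised offline against a constructed in-memory zone; example.com and the 192.0.2.x / 198.51.100.x addresses are documentation placeholders, and in real use you pass socket.gethostbyname.

```python
"""Detect wildcard ("catch-all") resolution of unregistered sub-domains.

Added example, not part of the original newsletter. A correctly delegated
zone answers NXDOMAIN (the resolver raises) for labels nobody registered;
if every random probe resolves, and to one address, a wildcard is in play.
"""
import secrets
import socket
from typing import Callable, Dict, Optional

Resolver = Callable[[str], str]


def _random_label() -> str:
    # 48 bits of randomness: no chance of colliding with a real host name.
    return "probe-" + secrets.token_hex(6)


def resolve_or_none(name: str, resolver: Resolver) -> Optional[str]:
    """Return the address for `name`, or None when lookup fails (NXDOMAIN)."""
    try:
        return resolver(name)
    except OSError:          # socket.gaierror is a subclass of OSError
        return None


def detect_wildcard(domain: str, resolver: Resolver = socket.gethostbyname,
                    probes: int = 3) -> dict:
    """Probe `probes` random labels under `domain` and summarise the result."""
    names = [f"{_random_label()}.{domain}" for _ in range(probes)]
    answers = {n: resolve_or_none(n, resolver) for n in names}
    resolved = [a for a in answers.values() if a is not None]
    wildcard = len(resolved) == len(names) and len(set(resolved)) == 1
    return {
        "domain": domain,
        "probes": answers,
        "wildcard": wildcard,
        "wildcard_target": resolved[0] if wildcard else None,
    }


def caught_by_wildcard(host: str, report: dict,
                       resolver: Resolver = socket.gethostbyname) -> bool:
    """True if `host` resolves only because of the wildcard, i.e. a script
    that relies on it is really talking to the provider's landing page."""
    if not report["wildcard"]:
        return False
    return resolve_or_none(host, resolver) == report["wildcard_target"]


def make_fake_resolver(apex: str, records: Dict[str, str],
                       wildcard_ip: Optional[str] = None) -> Resolver:
    """Constructed in-memory stand-in for socket.gethostbyname (offline)."""
    def resolver(name: str) -> str:
        if name in records:
            return records[name]
        if wildcard_ip is not None and name.endswith("." + apex):
            return wildcard_ip           # the provider's catch-all answer
        raise socket.gaierror(-2, "Name or service not known")
    return resolver


if __name__ == "__main__":
    # Constructed zone: one real host, plus a provider-style wildcard.
    zone = {"www.example.com": "192.0.2.10"}
    diverted = make_fake_resolver("example.com", zone, wildcard_ip="198.51.100.1")
    report = detect_wildcard("example.com", resolver=diverted)
    print(report["wildcard"], report["wildcard_target"])          # True 198.51.100.1
    print(caught_by_wildcard("mail.example.com", report, diverted))  # True
    clean = make_fake_resolver("example.com", zone)
    print(detect_wildcard("example.com", resolver=clean)["wildcard"])  # False
```

Run it against a real zone by calling detect_wildcard("yourdomain.example") with the default resolver; a "wildcard": True result with the provider's address as wildcard_target is the behaviour the newsletter complains about, and caught_by_wildcard tells you which of your scripted host names are silently hitting that page.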