ict.ken.be

Delivering solid user friendly software solutions since the dawn of time.

Introduction to IIS Certificates - Notes 

Categories: IIS Notes

by Paul Lemmers

Ok, this must have been the most confusing 44 minutes of my IT life. I clearly have almost no knowledge about certificates. (edit: finally starting to understand, and yes it is very important and also a total mess: selfssl, openssl, bouncycastle, certutil, pvk2pfx, makecert, ...) and I actually wonder if there are people who really know this... let alone really understand the specifications.

Alice & Bob story: a certificate is Alice's name plus her public key, signed with a private key (her own private key if it is self-signed).
Object Identifier (OID)
Certificate: Subject CN = the name to trust, Issuer (eg. Go Daddy), Valid from, Valid to, Public Key

An exclamation mark marks a critical extension; a client should only use the certificate when it really knows how to handle that extension.

Formats

  • DER (binary format, *.cer, sent over the network in the SSL handshake)
  • Base-64 (text format, for xml, email)
  • Export including the hierarchy of certificates (.P7B)
  • PKCS#12: export of the user certificate together with the private key (.PFX)

MMC - Certificates
To make all stores visible, select Certificates in the tree view > View - Options - check Physical certificate stores. All hidden nodes of the trusted root certification authorities will be visible. Certificates that are set at enterprise level (group policy) will come back in your store after deletion.

When using a machine for signing, you should always delete the private key on export.

Distinguished Name

E = foo@bar.com
CN = foo bar
CN = foo
DC = local

Subject Alternative Name

Other Name: Principal Name = foo@bar.com (UPN name)
RFC822 Name = Foo@Bar.com (email name)

Key Usage (8-bit field of flags)
Enhanced Key Usage
An SSL certificate should have Server Authentication as enhanced key usage, and Digital Signature and Key Encipherment as key usage. The common name should be the DNS name.

Where are the keys stored?

CSP - Cryptographic Service Providers (eg. when using a smart card to sign, the private key will 'never' leave the smart card). In the certificate's properties (All Tasks - Manage Private Keys) you can set which computer accounts have access to the certificate's private key.

certutil (eg. when using Windows 2003)
certutil -dump -v abc.cer
certutil -url abc.cer
certutil -store My
  • Windows - ProgramData (hidden, use dir /AS to list it) - Microsoft - Crypto - RSA - MachineKeys
  • Firefox - Tools - Options - Encryption - View Certificates
  • Microsoft Active Directory Certificate Services - psResCA

IIS - Machine Name - Server Certificates
Create Domain Certificate (testing)
Create Certificate Request (from external)
Complete Certificate Request

Self-Signed Certificates
If key usage and enhanced key usage are not filled in, the certificate can be used for anything.
If you install someone else's self-signed certificate in your trusted root store, then they can act remotely against your machine!

Certificate Revocation

Certificate - Details - CRL Distribution Point -> url -> Certificate Revocation List -> Serial number by date and reason. (eg. http://crl.godaddy.com/gds3-4.crl)

The OCSP responder under Authority Information Access (eg. http://ocsp.godaddy.com) returns just valid or not for this one certificate instead of the complete list of revoked certificates.

Certificate Chain building
For a root certificate, Issuer = Subject.
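As an added example (not from the original notes), this PowerShell script checks one certificate in the machine's Personal store against the notes above: key usage and enhanced key usage for SSL, the name in SAN or CN, the validity window, Issuer = Subject for self-signed certificates, and critical extensions. The thumbprint and host name are placeholders you replace with your own.

```powershell
# Added example, not from the original notes: check a certificate in the local
# machine's Personal store against the SSL requirements above. The thumbprint
# and host name are placeholders; replace them with your own values.
$Thumbprint    = 'PLACEHOLDER-THUMBPRINT'
$ExpectedHost  = 'www.example.com'
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Enhanced Key Usage: Server Authentication

function Test-NameMatch([string]$Name, [string]$Hostname) {
    if ($Name -eq $Hostname) { return $true }
    # Wildcard certificate: *.site2.com covers www.site2.com (one label only)
    if ($Name.StartsWith('*.') -and $Hostname.Contains('.')) {
        return $Hostname.Substring($Hostname.IndexOf('.') + 1) -eq $Name.Substring(2)
    }
    return $false
}

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in Cert:\LocalMachine\My" }
$findings = @()

# Key Usage (OID 2.5.29.15) is a bit field; SSL needs DigitalSignature + KeyEncipherment
$ku  = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
# Enhanced Key Usage (OID 2.5.29.37) is a list of OIDs; SSL needs Server Authentication
$eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if (-not $ku -and -not $eku) {
    $findings += 'No Key Usage or Enhanced Key Usage: this certificate can be used for anything'
}
if ($ku) {
    $wanted = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]'DigitalSignature, KeyEncipherment'
    if (($ku.KeyUsages -band $wanted) -ne $wanted) {
        $findings += "Key Usage is '$($ku.KeyUsages)', expected DigitalSignature and KeyEncipherment"
    }
}
if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthOid })) {
    $findings += 'Enhanced Key Usage does not include Server Authentication'
}

# Host name: Subject Alternative Name (OID 2.5.29.17) DNS entries first, then the Subject CN
$names = @()
$san = $cert.Extensions['2.5.29.17']
if ($san) {
    $names += ($san.Format($true) -split "`r?`n") | Where-Object { $_ -like 'DNS Name=*' } |
              ForEach-Object { ($_ -split '=', 2)[1].Trim() }
}
$names += ($cert.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' }) -replace '^CN=', ''
if (-not ($names | Where-Object { Test-NameMatch $_ $ExpectedHost })) {
    $findings += "None of the names ($($names -join ', ')) match $ExpectedHost"
}

# Validity window, self-signed (Issuer = Subject) and critical extensions
if ((Get-Date) -lt $cert.NotBefore -or (Get-Date) -gt $cert.NotAfter) {
    $findings += "Not valid now: valid from $($cert.NotBefore) to $($cert.NotAfter)"
}
if ($cert.Subject -eq $cert.Issuer) {
    $findings += 'Self-signed (Issuer = Subject): only trust it if you put it in the root store yourself'
}
$critical = $cert.Extensions | Where-Object { $_.Critical } | ForEach-Object { $_.Oid.FriendlyName }
if ($critical) { $findings += "Critical extensions the client must understand: $($critical -join ', ')" }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output "Certificate $Thumbprint looks fine for https://$ExpectedHost" }
```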

Legal
When you create a CA you are shifting the burden of proof (certificate policies).
Using certificates has legal consequences.


Azure - The Big Picture - Notes 

Categories: Azure Notes

by David Chappell
http://www.davidchappell.com

Execution Models

Virtual Machines (IaaS)
VHDs from the Gallery or user-supplied (billed by the hour, used or unused)
Azure Management Portal
Rest API for scripting and creating VMs in batch
One OS disk and one or more data disks (all stored as blobs)
You can move the image in and out the platform
eg. App + Sql cluster, Sharepoint farm, on demand vm for testing, disaster recovery
Only failed hardware will be fixed.
Requires the most management.

Web Sites
Shared IIS or Dedicated IIS
Static Websites
Popular Web Applications eg. Drupal, ...
Custom Web Applications eg. ASP.Net, Node.js, ...
Upload through ftp, WebDeploy, Repository (TFS, Git)

Cloud Services (PaaS)
Platform as a service
Web Roles - run iis
Worker Roles
The environment is created for you from code and configuration
Failed applications are detected and a new instance is started
So you cannot store state in your VM file system!
eg. app must be very reliable and very scalable
Low admin cost.
Needed when not possible with other options
eg. Admin access to VMs, to install arbitrary software
Background processing with workerroles
Connect to Azure Virtual Network
Combining technologies is possible.

Data Management

Sql Database Service
Disks are stored as blobs
Multi tenant virtual servers
Automatic data replication (setup 5 min)
Limited to some hundreds of gigabytes, else you need Sql Federation.
An application can work with two or more federation members that can have separate dbs and schema
Sql Data Sync between different datacenters in cloud or on-premise (with some latency)

Table Storage - NoSql
Key Value storage
Across multiple machines
Tables are partitioned with entities
Entities have properties of various types
Entities have row keys unique in their partition
Partitions have keys
eg. simple, fast access to loosely structured data
eg. very large amounts of data (up to 100 terabyte)
Much cheaper than sql but no query options

Blob Storage
Named containers
Large amounts of data such as video
For backup eg. whole VHDs

Business Analytics

Sql reporting
BI Studio & RDL-Files

Hadoop
Open source
Big data analysis
Map reduce over different systems
Large amount of unstructured data
Assumes data is in blobs
hdfs data api
Hive (with excel import), Pig, ...
eg. Log files, sensors like RFID, clickstream data, ...

Networking

Virtual Network
Connect your on-premise network with cloud network of VMs
Setup a segment of VMs as VNET
VPN Gateway Device with IPsec Connection needed
eg. Single sign-on with active directory, Dev/Test environments

Connect
Direct connection from application to group of on-premise servers
Windows Azure Connect software with IPsec connection
No need to setup a full VPN

Traffic Manager
Routes users to the datacenter closest to them
1. User lookup application dns name
2. DNS server redirects the query
3. AWTM applies policies
3a. Performance: to closest
3b. Failover: to specific unless down
3c. Round Robin: spread equally across datacenters
4. Return chosen datacenter
5. Access application in datacenter

Messaging

Queues
In cloud communication
Web role (front-end) instances to/from worker role (back-end) instances
1. Web role receives work
2. Web role sends message
3. Worker reads message
4. Worker does work
5. Worker deletes message (or it will re-appear in the queue)

Service Bus
In cloud, on-premise, anywhere communication
Multi tenant, each user has its own namespace
Queues: one to one queued messaging (one way communication)
message with body and properties (key-value)
Topics: one to many publish and subscribe messaging using filters
Relays: two way bi-directional messaging (eg. servers behind firewalls)
Each application opens an outbound connection to the relay; inbound communication arrives over that outgoing TCP/IP connection, which gives the service a stable address.

Caching

  • Caching: on the VM or distributed on an array of VMs (supports MemCached api)
  • CDN: Video stored in blob and distributed globally

Identity

  • Active Directory
  • Running Windows Server AD in Azure VMs eg. Sharepoint on a web farm
  • Using Azure Active Directory eg. Saas (software as a service) apps 
  • ACS for single sign on with FB, Google, ...

High-Performance Computing

  • HPC Scheduler

Media

  • Media Services
  • Media Ingest - copy video into cloud blobs
  • Encoding - translate formats
  • Content Protection
  • Ad Insertion
  • Streaming
  • Partner Components
  • Using CDN to distribute if you feel like

Commerce

  • Windows Azure Marketplace
  • Sell your azure application in the cloud
  • Selling datasets

SDKs

  • .Net, Java, PHP, Python, Node.js, C++
  • Commandline tools for deployment from and to Linux and Macintosh

IIS for developers - Notes 

Categories: IIS Notes

by Steve Evans

1. IIS Setup

  • Windows 2000/IIS 5 (the sample page allowed Code Red to attack the machine)
  • Windows 2003/IIS 6 (you had to activate it on the server)
  • Windows 2008/IIS 7 (choose which bits you want to install)
  • Windows 2008R2/IIS7.5

Server Manager - Roles - Add IIS

Web Platform Installer
Allows you to install plugins like WordPress, Orchard CMS, MVC, IIS: FTP Publishing Service, IIS Smooth Streaming Client, ...

Remove default website

Keep binding IP address 'all unassigned' because webservers can have multiple ip addresses.

Remember to also bind www

SSL-Certificate
Root - Server Certificates
Create Certificate Request (for testing use a self-signed certificate, issued to the name of the box)
Add an additional binding of type https
One SSL certificate per IP address, because the hostname is encrypted.
The browser will check that
  • the date is in range
  • the certificate was created by an authority it trusts
  • the hostname matches what is in the certificate

Wildcard certificate (for testing make one with makecert.exe in windows SDK)
Root - Server Certificates - Import the pfx file (eg. issued to *.site2.com)
Bindings - Select certificate - Fill in subdomain host name (eg. www.site2.com)

Extended validation certificate is not available in wild card.

2. IIS Configuration

If no default document is defined you will get a 403.14 - Forbidden if the web server is configured not to list the contents of the directory.

web.config (can have other copies in subfolders; defaultDocument lives under system.webServer)
<configuration>
  <system.webServer>
    <defaultDocument>
      <files>
        <clear /> <!-- breaks inheritance from the parent folder -->
        <remove value="Default.htm" />
        <add value="Home.htm" />
      </files>
    </defaultDocument>
  </system.webServer>
</configuration>

Feature Delegation
If you set a feature to read only, the developer will see the setting but will not be able to change it in the web.config.
IIS will throw a 500.19 if you keep the setting in the web.config anyway.
Remember to set it in IIS instead or you will get the 403.14 again.
When going from read only back to read/write it is best to revert to parent to avoid inconsistencies.

Application Pools (worker processes)
In a production environment set the 'Idle Time-out' to 0.
Define your web garden by adjusting the maximum number of worker processes.
Ping enabled checks whether your application pool is healthy and recycles it if not.
By default the application pool gets recycled

  • idle timeout of 20min
  • every 29hours (you can add specific times instead)
  • whenever an unhandled exception occurs
  • whenever a ping gives an unhealthy response
  • whenever configuration changes

You can set the application pool defaults.
It is best to have only one site per application pool, unless very limited resources.
You can put part of a site in a separate application pool (right-click folder, convert to application).

3. Manage IIS

Root - Worker Processes - select a pool and you will see all requests that have been running longer than 0 seconds.

Server Manager - Add Role - Health - Tracing
Failed request tracing rules - Add
eg. trace requests that take longer than 30 seconds
eg. all pages that return a 500
Edit Site Tracing - Location where to store - open xml for report

Microsoft Log Parser: http://www.microsoft.com/en-us/download/details.aspx?id=24659

Log Parser Lizard: http://www.lizard-labs.net/log_parser_lizard.aspx

SELECT TOP 100 * 
FROM D:\Backups\date_libertinus_eu_logfiles_20121101\W3SVC4\*.log

SELECT cs-uri-stem, count(*)
FROM D:\Backups\date_libertinus_eu_logfiles_20121101\W3SVC4\*.log
WHERE sc-status = 404 AND date > '2012-10-01'
GROUP BY cs-uri-stem
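As an added example (not from the original notes), the same kind of question the Log Parser queries above answer, done in plain PowerShell that parses the W3C log format itself: which client addresses produce the most 404 and 5xx responses. The log lines are constructed sample data and the threshold of 3 is an assumed value.

```powershell
# Added example, not from the original notes: parse IIS W3C log lines and list
# the client IPs with the most 404 and 5xx responses. The log below is
# constructed sample data; feed it the contents of real *.log files instead.
function ConvertFrom-W3CLog {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) {
            # The #Fields directive names the columns for the lines that follow
            $fields = $line.Substring(8).Trim() -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line) -or -not $fields) { continue }
        $values = $line -split '\s+'
        if ($values.Count -ne $fields.Count) { continue }   # skip truncated lines
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        [pscustomobject]$row
    }
}

function Get-SuspiciousClients {
    param([object[]]$Entries, [int]$Threshold = 3)   # threshold is an assumed value
    # Many 404s from one address usually means a scanner probing for files;
    # many 5xx from one address is a good candidate for failed request tracing.
    $Entries |
        Where-Object { $_.'sc-status' -eq '404' -or $_.'sc-status' -like '5*' } |
        Group-Object 'c-ip' |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            [pscustomobject]@{
                ClientIp = $_.Name
                Count    = $_.Count
                Statuses = ($_.Group.'sc-status' | Sort-Object -Unique) -join ','
                Paths    = ($_.Group.'cs-uri-stem' | Sort-Object -Unique | Select-Object -First 5) -join ' '
            }
        } | Sort-Object Count -Descending
}

# Constructed sample log (IIS 7.5 W3C format); 500.19 is the config error mentioned above
$SampleLog = @'
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2012-11-01 10:00:01 10.0.0.5 GET /Default.htm - 80 203.0.113.7 Mozilla/5.0 200 0 0 15
2012-11-01 10:00:02 10.0.0.5 GET /admin.php - 80 198.51.100.9 Scanner/1.0 404 0 2 3
2012-11-01 10:00:02 10.0.0.5 GET /phpmyadmin/ - 80 198.51.100.9 Scanner/1.0 404 0 2 2
2012-11-01 10:00:03 10.0.0.5 GET /wp-login.php - 80 198.51.100.9 Scanner/1.0 404 0 2 2
2012-11-01 10:00:04 10.0.0.5 POST /api/orders - 80 203.0.113.7 Mozilla/5.0 500 19 0 120
'@ -split "`r?`n"

$entries = ConvertFrom-W3CLog -Lines $SampleLog
Get-SuspiciousClients -Entries $entries | Format-Table -AutoSize
```

With the sample data only 198.51.100.9 reaches the threshold (three 404s); replace $SampleLog with Get-Content over the W3SVC log folder to run it against real logs.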


Windows PowerShell (WebAdministration module) treats IIS as a drive.

cd iis:\
dir
cd .\AppPools
cd ..
cd sites

New-Item iis:\Sites\site3.com `
  -bindings @{protocol="http";bindingInformation="*:80:site3.com"} `
  -physicalPath C:\inetpub\site3.com

New-ItemProperty iis:\sites\site3.com `
  -name bindings `
  -value @{protocol="http";bindingInformation="*:80:www.site3.com"}

Web Deployment Tool 2.1

msdeploy ^
  -verb:sync ^
  -source:webServer ^
  -dest:webServer,computerName=xyz,username=rst,password=abc

Optional switches:
  -whatif
  -presync:runcommand="%windir%\system32\inetsrv\appcmd stop apppool site2.com"

msdeploy ^
  -verb:sync ^
  -source:iisApp=site2.com ^
  -dest:archiveDir=c:\temp

Visual Studio (run as administrator)
right-click - Publish - Web Deploy

4. IIS Extensions

http://iis.net - download
Media Services
URL Rewrite
You can specify user-friendly-urls and map them to old url.
You can also redirect, return custom response, ...

5. IIS Express

MyDocuments - IISExpress - Logs
MMC - Add certificate snap in - Computer Account - Personal Certificates - Copy certificate to trusted root certificates

6. IIS8 for 2012

Choose on which set of servers you want to install it (so you can install on all your servers at the same time).

Application Initialisation Mode (app warmup)
IIS will perform the first request for you.
Application Pool - Advanced Settings - Start Mode - AlwaysRunning
Site - Advanced Settings - Preload Enabled - True

<applicationInitialization remapManagedRequestsTo="startup.htm" skipManagedModules="true">
    <add initializationPage="/default.aspx"/>
</applicationInitialization>

SNI - Server Name Indication
Allows multiple ssl certificates on one IP
Not supported in Internet Explorer on Windows XP!

SSL Management: Centralized Certificates for web farms with lots of certificates.
CPU ThrottleUnderLoad: specify a CPU percentage that only applies when other pools also need the CPU; otherwise the pool can use as much as possible.
Web Sockets support by adding WebSocket Protocol

Http status codes explained 

Categories: Network WebApi

A funny way to finally remember all of these; the boring text version of the http status codes you can find here.

Http status codes explained with pictures

1xx Informational

  • 100 Continue
  • 101 Switching Protocols

2xx Successful

  • 200 OK : should be used to indicate a non-specific success
  • 201 Created : must be used to indicate successful resource creation
  • 202 Accepted : must be used to indicate a successful start of an asynchronous action and should only be sent by controllers
  • 203 Non-Authoritative Information
  • 204 No Content : should be used when the response body is intentionally empty
  • 205 Reset Content
  • 206 Partial Content

3xx Redirection

  • 300 Multiple Choices
  • 301 Moved Permanently : should be used to relocate resources
  • 302 Found : should only redirect automatically when it was a get or head request
  • 303 See Other : should be used to refer the client to a different uri, so sending a reference to the client without forcing it to download its state
  • 304 Not Modified : should be used to preserve bandwidth and the response body must be empty
  • 305 Use Proxy
  • 306 (Unused)
  • 307 Temporary Redirect : should be used to tell clients to resubmit the request to another uri
  • 308 Permanent Redirect : does not allow to change the method

4xx Client Error

  • 400 Bad Request : may be used to indicate non-specific failure
  • 401 Unauthorized : must be used when there is a problem with the client's credentials
  • 402 Payment Required
  • 403 Forbidden : should be used to forbid access regardless of authorization state, so for any request outside the client's permitted scope
  • 404 Not Found : must be used when a client uri cannot be mapped to a resource
  • 405 Method Not Allowed : must be used when the http method is not supported, for example using a PUT on a read-only resource (must include the allow header in response)
  • 406 Not Acceptable : must be used when requested media type cannot be served (accept request header)
  • 407 Proxy Authentication Required
  • 408 Request Timeout
  • 409 Conflict : should be used to indicate a violation of resource state, for example a client tries to delete a non empty store
  • 410 Gone
  • 411 Length Required
  • 412 Precondition Failed
  • 413 Request Entity Too Large
  • 414 Request-URI Too Long
  • 415 Unsupported Media Type : must be used when the media type of a request's payload cannot be processed (content type header)
  • 416 Requested Range Not Satisfiable
  • 417 Expectation Failed
  • 418 I'm a teapot (RFC 2324)
  • 419 Authentication Timeout
  • 420 Enhance Your Calm (use 429 instead)
  • 421 Bad mapping
  • 422 Unprocessable Entity
  • 423 Locked
  • 424 Failed Dependency
  • 425 Unordered Collection
  • 426 Upgrade Required
  • 427 Soap action required (in case your api is dirty)
  • 428 Precondition Required (RFC 6585)
  • 429 Too Many Requests (RFC 6585)
  • 430 (not used ?? sometimes misused for 431)
  • 431 Request Header Fields Too Large (RFC 6585)

5xx Server Error

  • 500 Internal Server Error
  • 501 Not Implemented
  • 502 Bad Gateway
  • 503 Service Unavailable
  • 504 Gateway Timeout
  • 505 HTTP Version Not Supported
  • 520 Origin Error
  • 521 Web server is down
  • 522 Connection timed out
  • 523 Proxy Declined Request
  • 524 A timeout occurred

7xx Developer Error

  • 70x - Inexcusable
  • 701 - Meh
  • 702 - Emacs
  • 703 - Explosion
  • 704 - Goto Fail
  • 705 - I wrote the code and missed the necessary validation by an oversight (see 795)
  • 71x - Novelty Implementations
  • 710 - PHP
  • 711 - Convenience Store
  • 712 - NoSQL
  • 719 - I am not a teapot
  • 72x - Edge Cases
  • 720 - Unpossible
  • 721 - Known Unknowns
  • 722 - Unknown Unknowns
  • 723 - Tricky
  • 724 - This line should be unreachable
  • 725 - It works on my machine
  • 726 - It's a feature, not a bug
  • 727 - 32 bits is plenty
  • 73x - F*cking
  • 731 - F*cking Rubygems
  • 732 - F*cking Unic💩de
  • 733 - F*cking Deadlocks
  • 734 - F*cking Deferreds
  • 735 - F*cking IE
  • 736 - F*cking Race Conditions
  • 737 - F*cking Threads
  • 738 - F*cking Bundler
  • 739 - F*cking Windows
  • 74x - Meme Driven
  • 740 - Computer says no
  • 741 - Compiling
  • 742 - A kitten dies
  • 743 - I thought I knew regular expressions
  • 744 - Y U NO write integration tests?
  • 745 - I don't always test my code, but when I do I do it in production
  • 746 - Missed Ballmer Peak
  • 747 - Motherf*cking Snakes on the Motherf*cking Plane
  • 748 - Confounded by Ponies
  • 749 - Reserved for Chuck Norris
  • 75x - Syntax Errors
  • 750 - Didn't bother to compile it
  • 753 - Syntax Error
  • 754 - Too many semi-colons
  • 755 - Not enough semi-colons
  • 756 - Insufficiently polite
  • 757 - Excessively polite
  • 759 - Unexpected T_PAAMAYIM_NEKUDOTAYIM
  • 76x - Substance-Affected Developer
  • 761 - Hungover
  • 762 - Stoned
  • 763 - Under-Caffeinated
  • 764 - Over-Caffeinated
  • 765 - Railscamp
  • 766 - Sober
  • 767 - Drunk
  • 768 - Accidentally Took Sleeping Pills Instead Of Migraine Pills During Crunch Week
  • 769 - Questionable Maturity Level
  • 77x - Predictable Problems
  • 771 - Cached for too long
  • 772 - Not cached long enough
  • 773 - Not cached at all
  • 774 - Why was this cached?
  • 776 - Error on the Exception
  • 777 - Coincidence
  • 778 - Off By One Error
  • 779 - Off By Too Many To Count Error
  • 78x - Somebody Else's Problem
  • 780 - Project owner not responding
  • 781 - Operations
  • 782 - QA
  • 783 - It was a customer request, honestly
  • 784 - Management, obviously
  • 785 - TPS Cover Sheet not attached
  • 786 - Try it now
  • 787 - Further Funding Required
  • 79x - Internet crashed
  • 791 - The Internet shut down due to copyright restrictions.
  • 792 - Climate change driven catastrophic weather event
  • 793 - Zombie Apocalypse
  • 794 - Someone let PG near a REPL
  • 795 - #heartbleed (see 705)
  • 797 - This is the last page of the Internet. Go back
  • 799 - End of the world

Still need more?

Rich Data 

Categories: Javascript

Why Rich Data ?

Because UX (user experience) is king, and because we do so much more in real applications than getting data and displaying it.

What is Rich Data ?

  • Client caching is possible because of using a DataContext on the client
  • Change tracking on the entities
  • Queries both local and from servers by using OData filters
  • Extend the models, because some things we do not need to persist to the server.
  • Object graphs, because we all have Customer, Orders, OrderDetails (or we are not making money) and we would love to associate them when we already know about them on the client.

Some notes about rich data from LIDNUG live meeting

Lidnug & John Papa: Building Single Page Apps
Event: Single Page Apps Jump-Start
Hosted by: Linked In .NET User Group
When: Thursday November 15th, 2012 at 1:00pm EST to 2:30 pm EST (19u Belgium)
357 people - 25 questions (over 100 didn't stay for questions, dumb)
 
Code Camper JumpStart Breeze 101
  • Reduced javascript data handling code 1200 lines to about 170 lines with more functionality.
  • Upshotjs is no longer in active development.
  • With BreezeJs, AmplifyJs is no longer needed for local storage.
  • Validation is possible but you can also use knockout validation.
  • Was using a lot of knockout mapping before, but not anymore.
var query = EntityQuery.from('Speakers').orderBy('lastName, firstName');
return manager.executeQuery(query).then(querySucceeded).fail(queryFailed);
function querySucceeded(data) {
    speakers(data.results);
}
  • The http://www.asp.net/vnext/overview/fall-2012-update update build of asp.net includes a single page application template, but does not yet include rich data. (select mvc4 first and then you will see the SPA template, else use devenv.exe /InstallVSTemplates)
  • It is best to load as much data as possible at first load, but only if it is commonly used data.
  • On the roadmap are using Breezejs together with SignalR, so we can broadcast to the clients to refresh.
  • SPA for applications with more than 200 views? Is this possible? Maybe better to split them up into smaller applications.
  • For stock applications and more than 5000 operations per second you need SignalR with sockets!
  • John Papa will release a tutorial on TypeScript early December.
  • Likes knockout templates, only the others if really a lot of elements. Using mustache for speed.
  • http://www.youtube.com/user/lidnug

Live Meeting about single page applications
