Sunday, 26 May 2013

Running ASDM 5.0 for Cisco PIX 515E under Linux/Ubuntu

Cisco ASDM (Adaptive Security Device Manager) is the graphical user interface found in the Cisco PIX firewall family. ASDM 5.0 is a Java application.

Oracle Java (or "Sun Java" in IT prehistory) is not part of the Ubuntu distribution, and an out-of-the-box installation of Firefox lacks the Java plug-in as well.

Additionally, ASDM 5.0 has compatibility issues with newer JRE editions: security exceptions are thrown to the Java Console and the application refuses to open.

If you have to work with older devices you may run into issues running their management software. It's not always possible or cost-effective to update the firmware (IOS and ASDM) to resolve the issues that way.

Here's a complete recipe to install the older Java, install ASDM and run it on an Ubuntu system. I guess the recipe is not so distribution-specific, so you may try it on other Linux distributions too. Some steps are also common to the Windows environment; I'll cover the Windows installation in the next post.

Environment details

  • Cisco PIX 515E firewall
    • PIX Version 7.0(4)
    • ASDM Version 5.0(4)
  • Ubuntu 13.04 (AMD64)

Let's do it

Prepare working directory

Make a workspace. Let's say, create a folder named "pix" under your home directory.

mkdir ~/pix

...so you can access it by:

cd ~/pix

(I know it's obvious, sorry.)

Get ASDM

Here is how to get ASDM the "Windows" way. Not sure if there is a "Linux" way (if you know it, leave a comment).

You may get the ASDM installer by logging into the PIX web page. Assuming your PIX is at 192.168.1.254, open the URL https://192.168.1.254. Then log in with the admin password.

You should see a screen like this (in fact this is a Windows screenshot).

Click on "Download ASDM Launcher..." to get the MSI file. MSI is of course an MS Windows installation package, but inside there is a Java application.

If you have a problem downloading the MSI file (because this is in fact a Windows example, or your browser lacks the Java plug-in), you may download the MSI file using a Windows machine and then transfer it onto the Linux machine, OR use wget. Assuming your PIX is accessible at 192.168.1.254 and your admin account is "admin":

cd ~/pix
wget --no-check-certificate --user=admin --ask-password https://192.168.1.254/admin/asdm50-install.msi

Get Java Runtime

You should proceed to the Oracle site (not "java.com"). As described at the very beginning, ASDM has compatibility issues and cannot work with Java Runtime 1.7. Java 1.6 is not perfect either.

I found these Java JRE editions to work properly with ASDM 5.0(4):
With JRE 6.0 Update 10, ASDM starts but refuses to load the configuration from the PIX. With higher updates the main window does not appear after the login dialog.

I recommend downloading the ".bin" Linux edition. This is a self-extracting binary file which installs into the current working directory and does not make any modification to the system. Why this one? First, Oracle does not publish ".deb" packages (only ".rpm"). Second, I guess you don't want to integrate old Java with the system.

Please download jre-1_5_0_22-linux-amd64.bin (assuming you've got a 64-bit system).

Get 7zip

We'll need to extract the MSI package. It's possible with 7zip. If you don't have 7zip installed, do so with the following command:

sudo apt-get install p7zip-full

Checkpoint

At this point you should have a working directory called ~/pix with these files inside:
  • asdm50-install.msi
  • jre-1_5_0_22-linux-amd64.bin

Extract ASDM MSI package

cd ~/pix
7z x -oasdm asdm50-install.msi '*.jar'

This will extract the JAR files from the MSI package into the asdm output subfolder.

Extract / install JRE

First the .bin file needs the execute flag. Then you may run it. Accept the license and Java will extract into a subfolder of the working directory.

cd ~/pix
chmod a+x jre-1_5_0_22-linux-amd64.bin
./jre-1_5_0_22-linux-amd64.bin

Tip: Press "q" to skip to the end of license. Type "yes" to accept.

Time to run ASDM

How NOT to do it

The java -jar switch won't work. You'll get a "Failed to load Main-Class manifest attribute" error.

Fastest way

You need to export CLASSPATH and then run java, pointing it at the main class of ASDM.

cd ~/pix/asdm
export CLASSPATH=`pwd`/asdm-launcher.jar:`pwd`/jploader.jar

You may check your CLASSPATH by:

set | grep CLASSPATH=

Run java, pointing it at the main class of ASDM:

cd ~/pix/jre1.5.0_22/bin
./java com.cisco.pdm.launcher.Launcher &

Congratulations! You've got Cisco PIX ASDM working on Ubuntu.

Script way

Create a run-asdm.sh file...

#!/bin/sh
# Class path: the two JARs extracted from the MSI (same names as in the "Fastest way" section)
CLASSPATH="$HOME/pix/asdm/asdm-launcher.jar:$HOME/pix/asdm/jploader.jar"
export CLASSPATH
# Start the ASDM launcher with the extracted JRE 1.5.0_22 and detach it from the terminal
"$HOME/pix/jre1.5.0_22/bin/java" -classpath "$CLASSPATH" com.cisco.pdm.launcher.Launcher &

Set the execute flag on the script...

cd ~/pix
chmod a+x run-asdm.sh

Run it...

cd ~/pix
./run-asdm.sh

Open Champagne! ;)
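As an added example (my own script, not part of the original post), here is a variant of the script way that checks the workspace before launching: it refuses to start if either JAR is missing from ~/pix/asdm, and it parses the java -version banner (which goes to stderr) to confirm the JRE really is the 1.5.0_22 build described above. The names PIX_DIR, asdm_classpath, jre_version, jre_matches and launch_asdm are mine.

```shell
#!/bin/sh
# Added example (not from the original post): a launcher that validates the
# ~/pix workspace before starting ASDM. Directory and JAR names follow the
# steps above; 1.5.0_22 is the JRE build the post reports as working.
PIX_DIR="${PIX_DIR:-$HOME/pix}"   # workspace created with mkdir ~/pix
ASDM_DIR="$PIX_DIR/asdm"          # JARs extracted from asdm50-install.msi
JRE_DIR="$PIX_DIR/jre1.5.0_22"    # JRE unpacked by the self-extracting .bin
WANTED_JRE="1.5.0_22"

# asdm_classpath DIR: print the CLASSPATH built from the two launcher JARs
# in DIR, or fail naming the first JAR that is missing (java itself would
# only report a ClassNotFoundException for a mistyped JAR name).
asdm_classpath() {
    dir="$1"
    classpath=""
    for jar in asdm-launcher.jar jploader.jar; do
        if [ ! -f "$dir/$jar" ]; then
            echo "missing $dir/$jar" >&2
            return 1
        fi
        classpath="${classpath:+$classpath:}$dir/$jar"
    done
    printf '%s\n' "$classpath"
}

# jre_version BANNER: extract the quoted version from the first line of
# 'java -version' output, e.g. 'java version "1.5.0_22"' -> 1.5.0_22
jre_version() {
    printf '%s\n' "$1" | sed -n 's/^[^ ]* version "\([^"]*\)".*/\1/p'
}

# jre_matches JAVA_BIN WANTED: 'java -version' prints to stderr, so merge
# it into stdout, then succeed only if the version is exactly WANTED.
jre_matches() {
    banner=$("$1" -version 2>&1 | head -n 1)
    [ "$(jre_version "$banner")" = "$2" ]
}

launch_asdm() {
    CLASSPATH=$(asdm_classpath "$ASDM_DIR") || return 1
    if ! jre_matches "$JRE_DIR/bin/java" "$WANTED_JRE"; then
        echo "expected JRE $WANTED_JRE under $JRE_DIR" >&2
        return 1
    fi
    export CLASSPATH
    "$JRE_DIR/bin/java" com.cisco.pdm.launcher.Launcher &
}

# Launch only when invoked as: ./run-asdm-checked.sh run
if [ "${1:-}" = "run" ]; then launch_asdm; fi
```

Save it as ~/pix/run-asdm-checked.sh, set the execute flag as above, and start ASDM with ./run-asdm-checked.sh run.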

Monday, 6 May 2013

BACKUP SERVICE MASTER KEY with date in file name

A service master key is created when a SQL Server instance is run for the first time, and it's regenerated every time you change the service account or its password. You should protect it with a backup.

Syntax for BACKUP SERVICE MASTER KEY is described here:
http://msdn.microsoft.com/en-us/library/ms190337.aspx

An important notice: it does not allow overwriting the previous file. So you have to delete it before executing the statement, or use unique file names for each day's backup.

This is my simple script to have BACKUP SERVICE MASTER KEY done with the date in the file name (so it's unique per day). It's compatible with SQL Server 2008 and above (older releases do not allow setting a value while declaring a variable).

Feel free to use it!


-- Build the file name with today's date so every day's backup gets a unique name
DECLARE @tsql NVARCHAR(512)
DECLARE @holder NVARCHAR(16) = '{DATE}'
DECLARE @path_to_file NVARCHAR(256) = 'D:\sqlbackup\keys\service_master_key_{DATE}.bak'
DECLARE @password NVARCHAR(16) = 'mysecretpassword'
-- Style 112 formats GETDATE() as yyyymmdd, e.g. 20130506
DECLARE @current_day_string NCHAR(8) = CONVERT(NCHAR(8),GETDATE(),112)

SET @path_to_file = REPLACE(@path_to_file, @holder, @current_day_string)
-- BACKUP SERVICE MASTER KEY takes only literals, not variables, hence the dynamic SQL
SET @tsql = 'BACKUP SERVICE MASTER KEY TO FILE = '''+@path_to_file+''' ENCRYPTION BY PASSWORD = '''+@password+''''

EXECUTE sp_executesql @tsql

"Could not obtain information about Windows NT group/user 'DOMAIN\user', error code 0x5" in SQL Agent

Problem:

You log into a SQL Server instance using Windows Auth. You're sysadmin. You've created a job in SQL Agent (you're the job owner), but you get an error every time you try to run it. You've noticed that changing the owner to a SQL login with SQL Server authentication is a workaround.

Details:

The job owner is a SQL login with Windows authentication, created for a Windows domain user. This login is sysadmin (or has enough privileges to run the job).

You get the error:

Unable to determine if the owner of job SYSTEM has server access (reason: Could not obtain information about Windows NT group/user 'DOMAIN\user', error code 0x5. [SQLSTATE 42000] (Error 15404)).

Solution:

It seems something prevents SQL Server from querying the Active Directory domain controller for the DOMAIN\user details.

Determine the Windows user who runs the SQL Server instance, if you don't know it (you should!).

  1. Run SQL Server Configuration Manager.
  2. Display the SQL Server Services section.
  3. Highlight "SQL Server (Your Instance)" and read the user name from the "Log On As" column.
  4. Open the Active Directory Users And Computers app, find this user, open Properties.

I guess that "Password never expires" was not checked. Just check it and apply. Re-run your job.