I have a need to upload a PEM certificate from a SALT minion to the master. I've got the upload working, but I need to figure out how to make the master automatically import the cert into a Java trust store. I know the keytool command to use.
I've found this comment on a SaltStack GitHub issue: https://github.com/saltstack/salt/issues/42330#issuecomment-315796095
But I'm such a SALT noob that there isn't nearly enough information here to help me figure out how to do the inotify and reactor parts. Saltstack (like OpenStack) is documented for people that have already read and assimilated 98% of the documentation -- even the tutorials assume way too much.
Can anyone point me to some resources on these sub-systems that can help me figure out how to automate the trust store import after the upload completes?
Related
I am trying to migrate the credentials from one Jenkins to another but usernames/passwords are hashed in ${JENKINS_HOME}/credentials.xml
I found this answer, but the problem is it doesn't explain where would someone find the encryption key in order to successfully migrate credentials.
Any help is greatly appreciated!
EDIT: More information.. my ${JENKINS_HOME} is on a separate volume which I detach and re-attach onto the new VM, and it still doesn't work with me.
I found this analysis (link is dead as of June 2020, archived here) very helpful. In a nutshell:
Jenkins uses the master.key to encrypt the key hudson.util.Secret.
This key is then used to encrypt the password in credentials.xml.
When I need to bootstrap new Jenkins instances with some default passwords, I use a template directory tree that contains
secrets/hudson.util.Secret and
secrets/master.key
This works fine.
Regarding JENKINS migration, I recently experienced this situation and after few testings, my workaround worked for me.
Here is what I did:
I moved below files and folders from Source Jenkins to target:
$JENKINS_HOME/secret.key
$JENKINS_HOME/secrets
$JENKINS-HOME/users
$JENKINS_HOME/credentials.xml
Please note: These files are not required to move:
$JENKINS_HOME/identity.key.enc
$JENKINS_HOME/secrets/org.jenkinsci.main.modules.instance_identity.InstanceIdentity.KEY
otherwise you will see below error after starting Jenkins:
java.lang.AssertionError: InstanceIdentity is missing its singleton
Jenkins will automatically generate those two files. Once started, you should be good.
This is a noobe question. I am trying to clone a Drupal website on WAMP to test some local development. The current website is maintained on Aegir. With the owners' knowledge but for reasons that I don't know, I have not been able to get information directly from whomever is managing the website.
I have been able to scp the platform [profiles, modules, files etc]. My current puzzle is how to obtain a copy of the database so that I can import it into WAMP.
One of the files that I have copied is called database.sql and is a healthy size (35MB). I have looked around the web and no one outright says this is a readable form of the MySQL database.
My attempts to import it into a database of the same name and username failed with a suggestion the size was too large. (password unknown - have several versions looking at the documentation and cannot tell which one is which).
Working from the MySQL console: mysql -u usernamenewdatabase -p newdatabasename < C:/path/database.sql
Also failed.
Can anyone cut through this muddle for me? Am I even on the right track?
Thanks
Jo
Thanks for jogging me along. WAMP just replies with a suggestion that the file is too big.
I have solved it in the meantime.
Yes - database.sql in Aegir is a straightforward .sql file
To get it into WAMP in particular, the solution is to edit this line of config.inc.php file in the wamp/apps/phpAdmin folder
$cfg['UploadDir'] = 'upload';
by inserting upload beween the ''
And then add a subdirectory to phpAdmin called upload.
Put the big file in the upload directory and import it into a clean database from the phpAdmin screen.
Ridiculously easy when we know how.
Thanks Clive - I appreciate the support.
I'm getting a lot of troubles trying to publish a .war package containing a Web Start application with commons-configuration-1.3.jar in the build path (com.sun.deploy.net.JARSigningException).
I have already tried to clean the javaws cache, reinstall the application, even reinstalling java (1.6.0_24).
This is a stretch of my NetBeans IDE 6.8 (Build 200912041610) output while creating a JNLP application:
Warning:
The signer certificate will expire within six months.
Signing JAR: D:\Java\workspace\OTP\DeskOTP\atual\build\cluster\modules\ext\commons-configuration-1.3.jar to D:\Java\workspace\OTP\DeskOTP\atual\build\jnlp\app\br-com-petrobras-ep-gedig-gedigdesktoplibrary\ext-commons-configuration-1.3.jar as jnlp
However, when trying to run I got a JARSigningException for this jar.
So, I decide to solve this disabling this verification. I believe I can decide and tell jvm not to verify my jars (my responsibility).
Is there anyway to tell jvm or javaws to NEVER verify non signed jars?
As a first reaction, I'd say to try java -noverify -jar your_file.jar.
However, this will only work for local jarfiles. It will not work from a web source, which is what is sounds like you're trying to do. Is that right?
You can always download the jar from the web, manually remove the signature sections on the manifest and it should work. If the jar happens to be dynamically downloaded from the web as #Riking mentioned in the other reply, then you might be able to get around by proxying the URL to a different server.
Now, if you have access to the deployment build status and is having trouble with expired signatures on artifacts, one alternative might be to re-sign the jar using your company's (Petrobras?) signing certificates. That will allow you to work around expired issues, provided that the build knows it's supposed to pull your version of the artifact instead of the original commons-configuration.
I am currently working on a project where i need to store few files and folders in encrypted manner. This project will be platform independent and hence will be written in Java.
Instead of encrypting individual file and folder, we have been thinking of using some virtual file-system where a single container file will hold complete file-system.
Most of the open source virtual encrypted file-system tools we studied work on following principle.
mount the virtual file system (using secure password)
use this filesystem
finally dismount it
But the main problem here we face is that anyone who has access of the PC (e.g. network admin) will be able to see decrypted files when virtual drive is mounted. We want to restrict access to encrypted file system at process level. No one else in same OS session should be able to see the contents, hence no drive mounting, etc.
So we are looking for some open source tool which will provided some some APIs using which we will be able to access files in encrypted container without mounting it.
can anyone point us to any such library?
This thing I'd normally say was pretty cool.
http://www.pismotechnic.com/pfm/
But I've recently accidently copied a sub-repository in a mercurial repository to another folder and when that happened a lot of files got magically messed up. If you don't mind possible issues like that (eg. keeping backups) this could be a solution for you.
I've stumbled upon this question while hunting for an alternative because corrupted files are definitely not on my requirement list.
(y/N)
Edit: Read-only access is fine.
I haven't tried this yet, but I think I've found a workaround.
Adobe AIR cannot write to Windows Registry, but you can, however, launch a native process in AIR 2. Here's a blog post that shows how to do that: http://www.adobe.com/devnet/air/flex/quickstart/articles/interacting_with_native_process.html
Now, on Windows, you are able to modify the Windows registry with .reg files. .reg files are just plain text files that's read by regedit.exe. So in theory, you can write a .reg file to the file system, then launch regedit.exe with the .reg file passed in and...TADA! You just modified Windows registry from your AIR app!
To read value, you can use regedit's export function to write to a reg file and read from the reg file. Details to regedit's options: http://www.robvanderwoude.com/regedit.php
Here are some additional resources:
.reg file syntax: http://support.microsoft.com/kb/310516
write to file with AIR: http://www.adobe.com/devnet/air/flex/articles/exploring_file_capabilities.html
If your willing to force the user to also install another application, you could write a small C# or C++ windows service that simply opens a Socket that provides some kind of protocol for accessing the registry. Then in AIR you can use the Socket class to send messages to/from the C# service that would return results to the AIR app.
When the app loads you can try to connect to the Socket, and if the connection is rejected you could prompt the user to download/install the service.
As for direct access to the registry I am pretty sure Adobe wouldn't allow that from AIR.
If you can I'd be horrified.
Why would you be horrified?
Air is a desktop platform, and having access to the OS's APIs (such as registry access) makes plenty of sense.
That being said, it isn't supported now (and as Adobe seem to be very Mac-centric, I doubt it will ever be added).
I have settled on grabbing the users name from the name of the user directory
Using File.userDirectory.name will work in most cases, but it seems like a very fragile implementation, it relies on the OS maintaining the convention of having the username as their directory. I can think of a few possible things that might break it (playing with TweakUI etc).
Here is a sample of modifying Windows Registry in Adobe Air using NativeProcess and Python. So you can Add, Delete or Read keys by only a single line of code !!
Download: Adobe Air Registry Modifier on Github
Are you trying to determine if the user is an administrator or not?
If so you could grad the username by with "File.userDirectory.name".
And I think to figure out if the user is an administrator you could probably try to access a file that requires administrator privileges (maybe try writing a file to Windows/System32). If the file access fails you could probably assume that the user is under a Limited account.
A bit late, but I got a wish from a client to read some values from the registry when the project was almost finished. If there were more of these types of wishes, I would have never choosen AIR. But I found a nice extension from FluorineFx, and by extending it, I can now read string and dword values from the registry. Windows only: http://aperture.fluorinefx.com/
You could theoretically modify the actual registry files, but I would highly discourage that idea.
Be very careful if you decide to create a socket server that listens for registry commands. You are potentially creating a security hole and users' personal firewalls may get in the way in terms of usability.