首先生成私钥和证书请求:
openssl req -new -newkey rsa:2048 -nodes -keyout key.pem -out req.pem
将req.pem发给CA,CA将返回证书文件cert.cer。
将私钥和证书合并成PKCS12并转换成pem文件:
openssl pkcs12 -export -in cert.pem -inkey key.pem -out cert.p12 -clcerts
openssl pkcs12 -in cert.p12 -out cert.pem
把这个cert.pem文件放到一个TFTP上,登陆WLC,选择MANAGEMENT – HTTP,勾选Download SSL Certificate,填入TFTP相关信息、证书文件路径和密码,点击Apply。点击Save And Reboot保存设置并重启WLC以便使新的证书生效。
运行C:\PROGRA~1\WCS\bin>keyadmin -newdn -csr genkey c:\wcs.csr填写相关信息生成证书请求文件,将CSR文件发给CA,从CA获取证书文件放在c:\wcs.cer下,运行C:\Program Files\WCS\bin>keyadmin importsignedcert c:\certnew.cer导入证书。或者在其它地方生成私钥和CSR并取得证书后,使用keyadmin importkey [keyFileName] [certFileName]一起导入私钥和证书。重启WCS新证书即可生效。
首先生成私钥和证书请求:
openssl genrsa -des3 -out ssl.key 2048
openssl req -new -key ssl.key -out ssl.csr
将ssl.csr发给CA,CA将返回证书文件ssl.cer。
将私钥和证书合并成PKCS12文件,chain.cer是证书链文件,所有的证书链必须都放在这个文件里:
openssl pkcs12 -export -inkey ssl.key -in ssl.cer -certfile chain.cer -out ssl.p12
进入ASDM – Configuration – Device Management – Certificate Management – Identity Cerificates,点Add,给这套证书取一个名字填入Trustpoint Name,选择Import the identity certificate from a file:,导入刚刚生成的ssl.p12并输入密码。
或者也可以选择Add a new identity certificate:,用ASA生成私钥和证书请求,这样就不需要用上面的openssl了。Key Pair为私钥,ASA默认为1024,建议点击New新生成一个2048位的私钥,填写相关信息用新的私钥生成一个证书请求文件,将这个csr文件发给CA,CA返回证书文件Install进去就好了。
完成以上步骤就已经导入了新的证书,下面还需要将该证书指定给某一个端口。在Device Management – Advanced – SSL Settings – Certificates,将刚刚导入证书的Trustpoint Name指定给需要的Interface即可。好了现在在登录SSL VPN就发现是新的证书了。
SSH到MARS后执行sslcert可重新产生ssl证书,CN必须输入MARS的域名或者IP,其它的都无所谓,这样再访问MARS的时候将证书安装到“受信任的根证书颁发机构”中,则以后访问MARS的时候就不会出现安全警告了。这样的证书是自签名的,如果想用其它CA来签名证书的话,估计只能用其它系统挂载MARS硬盘去修改/opt/janus/jboss/bin/ssl/的文件了。
当前Cisco MARS版本为6.0.6.3368,通过Web界面上传csmars-6.0.7.3404.zip升级失败,升级日志中错误一会是“Upgrade package acquisition error.”,一会是“Failed to pass the version dependency test.”,根本不知道到底什么错误。
SSH登陆到MARS后,使用命令行pnupgrade ftp://192.168.1.2/csmars-6.0.7.3404.zip升级,报错则很清晰了:
[Error][check_dependency/547]: minimal allowed version(6.0.6.3368.35) > current version(6.0.6.3368.34).
最后的那个小版本号Cisco的网站上根本不标注的。从Cisco下载最新的 csmars-6.0.6.3368.zip再用pnupgrade ftp://192.168.1.2/csmars-6.0.6.3368.zip升级成功,看到输出信息真是无语啊!csmars-6.0.6.3368.zip更新了Cisco也不说明。
Upgrade………………[MARS]
From……………..[6.0.6.3368.34]
To……………….[6.0.6.3368.35]
……
Current Version……….[6.0.6.3368.34]
Package Version……….[6.0.6.3368.35]
IBM DS3000 系列磁盘阵列,在使用单控制器且刷的单控NVSRAM的情况下仍然会出现写入缓存失效的问题。查看Logical Drives配置如下:
Read cache: Enabled
Write cache: Enabled (currently suspended)
Write cache without batteries: Disabled
Write cache with mirroring: Enabled (currently suspended)
Flush write cache after (in seconds): 10.00
Dynamic cache read prefetch: Enabled
在双控制器的情况下,为了在一个控制器失效时不丢失数据,两个控制器的写缓存需互为镜像,防止丢失写缓存内容。但是在单控制器的情况下,显然是不需要写缓存镜像的,但是控制器却由于无法完成写缓存镜像因此暂停了写缓存,这会导致性能的巨大损失。使用命令“set allLogicalDrives mirrorEnabled=false;”可禁止写缓存镜像,运行后查看Logical Drives配置如下:
Read cache: Enabled
Write cache: Enabled
Write cache without batteries: Disabled
Write cache with mirroring: Disabled
Flush write cache after (in seconds): 10.00
Dynamic cache read prefetch: Enabled
mod_ifsession:Directory不能放在If…里面
1.3.2时
<IfUser yaoge>
MaxHostsPerUser 1
MaxClientsPerUser 3
<Directory /ftp>
<Limit DIRS READ WRITE>
AllowAll
</Limit>
</Directory>
</IfUser>
1.3.3需改为
<IfUser yaoge>
MaxHostsPerUser 1
MaxClientsPerUser 3
</IfUser>
<Directory /ftp>
<Limit DIRS READ WRITE>
AllowUser OR yaoge
</Limit>
</Directory>
mod_tls:需添加 TLSOptions NoSessionReuseRequired
ProFTPD 1.3.2e的配置文件,1.3.3版本则需要进行一些修改,
ServerName “yaoge123 FTP Server”
ServerType standalone
DefaultServer on
ScoreboardFile /var/run/proftpd/proftpd.scoreboard
Port 21
UseIPv6 on
Umask 022
MaxInstances 100
MaxConnectionsPerHost 10
CommandBufferSize 512
UseReverseDNS off
IdentLookups off
ServerIdent on “Welcome to yaoge123 FTP Server”
User nobody
Group nogroup
DefaultRoot ~
AllowOverwrite off
requirevalidshell off
AllowForeignAddress on
AllowRetrieveRestart on
DirFakeUser on yaoge123
DirFakeGroup on yaoge123
DirFakeMode 0000
TimeoutLogin 30
TimeoutIdle 300
SystemLog /var/log/proftpd.log
TransferLog /var/log/xferlog
WtmpLog on
AdminControlsEngine on
AdminControlsACLs all allow user root
BanEngine on
BanControlsACLs all allow user root
BanOnEvent ClientConnectRate 10/00:01:00 01:00:00 “Stop connecting frequently”
BanTable /var/run/proftpd/ban.tab
BanLog /var/log/proftpd-ban.log
BanMessage “%a OR %u has been banned”
#AuthOrder mod_auth_file.c mod_sql.c mod_auth_unix.c
#AuthUserFile /usr/local/etc/proftpd/ftpd.passwd
#AuthGroupFile /usr/local/etc/proftpd/ftpd.group
AuthOrder mod_sql.c
SQLAuthenticate users
SQLAuthTypes crypt plaintext
SQLConnectInfo proftpd@localhost username password
SQLUserInfo users user password userid usergroupid homedir NULL
SQLLogFile /var/log/proftpd-sql.log
SQLLog PASS counter
SQLNamedQuery counter UPDATE “lastloginip=’%a’, lastlogin=now(), logincount=logincount+1 WHERE user=’%u'” users
SQLLog EXIT time_logout
SQLNamedQuery time_logout UPDATE “lastlogout=now() WHERE user=’%u'” users
SQLLog RETR,ERR_RETR download
SQLNamedQuery download UPDATE “downloadbytes=downloadbytes+%b, downloadfiles=downloadfiles+1 WHERE user=’%u'” users
SQLLog STOR,ERR_STOR,APPE,ERR_APPE,STOU,ERR_STOU upload
SQLNamedQuery upload UPDATE “uploadbytes=uploadbytes+%b, uploadfiles=uploadfiles+1 WHERE user=’%u'” users
SQLNamedQuery logincount SELECT “logincount from users where user=’%u'”
SQLNamedQuery lastlogin SELECT “lastlogin from users where user=’%u'”
SQLNamedQuery lastloginip SELECT “lastloginip from users where user=’%u'”
SQLNamedQuery downloadbytes SELECT “ROUND(downloadbytes/1048576) from users where user=’%u'”
SQLNamedQuery downloadfiles SELECT “downloadfiles from users where user=’%u'”
SQLNamedQuery uploadbytes SELECT “ROUND(uploadbytes/1048576) from users where user=’%u'”
SQLNamedQuery uploadfiles SELECT “uploadfiles from users where user=’%u'”
SQLShowInfo PASS “230” “You’ve logged on %{logincount} times”
SQLShowInfo PASS “230” “*** Last login at %{lastlogin}”
SQLShowInfo PASS “230” “*** Last login from %{lastloginip}”
SQLShowInfo PASS “230” “*** Downloaded %{downloadbytes} MB in %{downloadfiles} files”
SQLShowInfo PASS “230” “*** Uploaded %{uploadbytes} MB in %{uploadfiles} files”
<Limit SITE_CHMOD>
DenyAll
</Limit>
<Directory />
<Limit ALL>
DenyAll
</Limit>
<Limit PROT>
AllowAll
</Limit>
</Directory>
TLSEngine on
TLSLog /var/log/proftpd-tls.log
TLSProtocol SSLv23
TLSRSACertificateFile /usr/local/etc/proftpd/ftpd.cert.pem
TLSRSACertificateKeyFile /usr/local/etc/proftpd/ftpd.key.pem
TLSCACertificateFile /usr/local/etc/proftpd/ftpdca.cert.pem
TLSVerifyClient off
TLSRenegotiate required off
<Anonymous /ftp/anonymous>
User anonymous
Group anonymous
UserAlias guest anonymous
MaxClients 10
MaxClientsPerHost 1
TransferRate RETR 512
<Limit LOGIN>
Allow from 172.16.,172.20,172.21
DenyAll
</Limit>
<Limit ALL>
DenyAll
</Limit>
<Limit FEAT DIRS READ>
AllowAll
</Limit>
</Anonymous>
<IfUser OR friend1,friend2>
<Directory /ftp/friend>
<Limit FEAT DIRS READ>
AllowAll
</Limit>
</Directory>
</IfUser>
<IfUser regex @yaoge123$>
DisplayLogin .welcome.msg
MaxHostsPerUser 1
MaxClientsPerUser 3
<Directory /ftp/yaoge123>
HideFiles ^\.
<Limit FEAT DIRS READ>
AllowAll
</Limit>
</Directory>
</IfUser>
sql中的表
CREATE TABLE `users` (
`user` varchar(50) NOT NULL default ”,
`password` varchar(50) NOT NULL default ”,
`username` varchar(50) NOT NULL default ”,
`userid` int(10) unsigned NOT NULL default ‘10000’,
`usergroupid` int(10) unsigned NOT NULL default ‘10000’,
`lastloginip` varchar(22) NOT NULL default ”,
`logincount` int(16) unsigned NOT NULL default ‘0’,
`lastlogin` datetime NOT NULL default ‘0000-00-00 00:00:00’,
`lastlogout` datetime NOT NULL default ‘0000-00-00 00:00:00’,
`downloadbytes` bigint unsigned NOT NULL default ‘0’,
`downloadfiles` int unsigned NOT NULL default ‘0’,
`uploadbytes` bigint unsigned NOT NULL default ‘0’,
`uploadfiles` int unsigned NOT NULL default ‘0’,
`homedir` varchar(50) NOT NULL default ”,
`mark` varchar(10) NOT NULL default ”,
PRIMARY KEY (`userid`)
) ;
下载脚本 http://www.castaglia.org/openssl/contrib/cert-tool ,修改cert-tool中openssl的路径,用这个脚本调用OpenSSL自签名颁发一个证书
cert-tool --create-ca=serverca --signing-ca=self
cert-tool --create-cert=server --signing-ca=serverca.cert.pem --signing-key=serverca.key.pem
修改proftpd.conf,增加TLS配置
TLSEngine on #开启TLS
TLSLog /var/log/proftpd-tls.log #TLS日志
TLSProtocol SSLv23 #允许使用SSLv3和TLSv1
TLSRSACertificateFile /usr/local/etc/server.cert.pem #cert-tool生成的证书
TLSRSACertificateKeyFile /usr/local/etc/server.key.pem #cert-tool生成的key
TLSCACertificateFile /usr/local/etc/serverca.cert.pem #cert-tool生成的CA证书
TLSVerifyClient off #不验证客户端证书。如要启用客户端证书验证,则需要用TLSCACertificateFile这个CA来颁发客户端证书
TLSRenegotiate required off #不强制要求重协商
另外加密传输需要使用FTP命令PROT,如果Deny ALL过,需要Allow
编辑 /etc/login.conf 增加一个language
enutf8|enutf8 Users Accounts:\
:charset=UTF-8:\
:lang=en_US.UTF-8:\
:tc=default:
vipw 编辑ssh登录的用户,在gid后面增加这个language
yaoge123:$1$***:1001:1001:enutf8:0:0:User &:/home/yaoge123:/bin/sh