Keep External Drives Mounted in OS X when logged out

Posted: April 20th, 2012 | Filed under: Blog, Snow Leopard

This tip was graciously donated by my good friend Luis Giraldo from Fully Managed.
Put the following contents in the plist file:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "">
<plist version="1.0">


How to Force Propagation on Apple Secondary DNS Server

Posted: May 16th, 2011 | Filed under: Blog, DNS, Mac OS X Server, Networking, Snow Leopard

As you all probably know, using Apple’s DNS server can be challenging at times. If you make changes on the primary you usually have to wait some time before those changes propagate to the secondaries. However, with the following commands you can force this propagation without having to nuke files or folders in /var/named.

1. On the secondary server, run this command (put the name of the zone you want to transfer in place of <zone-name>; the class IN follows the zone name):
rndc -p 54 retransfer <zone-name> IN

2. Reload the configuration
rndc -p 54 reload

3. Flush the client cache
dscacheutil -flushcache

The reason I think this is better is that it gets rid of the potential “oops” of deleting critical files in /var/named.
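As an added example (not part of the original post), here is the three-step procedure as a small POSIX shell script that also checks the result: after the retransfer it compares the zone’s SOA serial on the primary and on the secondary with dig, so you know the transfer actually landed rather than assuming it did. The rndc port 54 is taken from the post; the zone and server names are placeholders you pass as arguments, and the helper names (soa_serial, serials_match, force_transfer, verify_zone) are this script’s own.

```shell
#!/bin/sh
# Added example: force a zone transfer to an Apple (BIND) secondary and verify
# that its SOA serial now matches the primary's. Not from the original post.
# Usage (as root on the secondary): sh sync_zone.sh <zone> <primary-ip> <secondary-ip>

# Extract the serial field from one `dig +short <zone> SOA` answer line.
# The line has the form: "mname rname serial refresh retry expire minimum"
soa_serial() {
  set -- $1          # word-split the line into positional parameters
  echo "$3"          # third field is the serial
}

# Return 0 when two serial strings are identical.
serials_match() {
  [ "$1" = "$2" ]
}

# The three commands from the post, run against the local secondary.
force_transfer() {
  zone="$1"
  rndc -p 54 retransfer "$zone" IN
  rndc -p 54 reload
  dscacheutil -flushcache
}

# Query both servers and compare the SOA serials; fail loudly if they differ.
verify_zone() {
  zone="$1"; primary="$2"; secondary="$3"
  p=$(soa_serial "$(dig +short @"$primary" "$zone" SOA)")
  s=$(soa_serial "$(dig +short @"$secondary" "$zone" SOA)")
  if serials_match "$p" "$s"; then
    echo "zone $zone in sync (serial $p)"
  else
    echo "zone $zone NOT in sync: primary=$p secondary=$s" >&2
    return 1
  fi
}

# Only act when all three arguments are supplied (placeholders, see usage above).
if [ "$#" -ge 3 ]; then
  force_transfer "$1"
  verify_zone "$1" "$2" "$3"
fi
```

If the serials still differ after the retransfer, the secondary is usually not yet listed in the primary’s allow-transfer list, or the primary’s serial was never bumped when the zone was edited; either way the mismatch tells you the change has not propagated, which is exactly what the manual procedure leaves you guessing about.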

How To RAID Mac Mini Server without Reinstalling

Posted: March 14th, 2011 | Filed under: Mac OS X Server

Replicate the boot drive to the spare drive.

While this post title specifically says Mac Mini Server, this procedure will work with any Macintosh that has more than one hard drive.

  1. Open Disk Utility
      One drive should be labelled “Server HD” and the other “Macintosh HD2”. Remember which one is on top and which one is on bottom.
  2. Select the Hard Drive associated with Macintosh HD2, and then click Restore
  3. Drag Server HD into the source and Macintosh HD2 into the destination
  4. Click Restore to start the copy

Build the spare drive into a RAID of one disk

  1. Open Disk Utility
  2. Select the Hard Drive associated with the old “Macintosh HD2”, and then click RAID.
      If you are unsure which is which, you can select the drive and note the mount point at the bottom of the window. Choose the one that DOES NOT have the mount point of “/”.
  3. Set the following options
      RAID Set Name: Server HD RAID
      Format: Mac OS Extended (Case-Sensitive, Journaled)
      RAID Type: Mirrored RAID Set
  4. Drag the spare Server HD from the list on the left into the box on the right.
  5. Select Options and enable “Automatically rebuild RAID mirror sets”. Click OK, then Enable.
  6. Rename the newly built drive to Server RAID
  7. Go to System Preferences->Startup Disk and select the newly built RAID.
  8. Reboot

Integrate Other Drive into RAID

  1. Once the system is booted, verify the RAID drive is the boot volume
      To do this, open Disk Utility again and select the Server RAID volume, and make sure the mount point states “/”
  2. While in Disk Utility, select the RAID device, which is located above “Server RAID”, and click on the RAID tab
  3. Drag “Server HD” into the white box on the right to add it to the RAID
  4. Click Rebuild; it will take some time. Once done, perform one more reboot and you’re finished!

Snow Leopard SSL Certificate Authority

Posted: January 11th, 2011 | Filed under: Snow Leopard, SSL

As more services are introduced into your network, and the more users you have, the need for security goes up. Maintaining your own certificate authority is a simple and free way to ensure a high level of security without breaking the bank.

1. Create the Certificate Authority

First we’re going to hop into a terminal on any Mac OS X Server box, navigate to `/etc/certificates`, and create some directories.

cd /etc/certificates/
sudo mkdir -p myCA/cert myCA/key
cd myCA

We need to create the CA signing certificate and key. After executing the first command you will be asked a series of questions. Enter them as needed.

homer:myCA jordan$ sudo openssl req -new -x509 -keyout key/myca.key -out cert/myca.crt -days 3650
Generating a 1024 bit RSA private key
writing new private key to 'key/myca.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:BC
Locality Name (eg, city) []:Vancouver
Organization Name (eg, company) [Internet Widgits Pty Ltd]:YAweb2.0CA LTD
Organizational Unit Name (eg, section) []:DevOps
Common Name (eg, YOUR name) []
Email Address []

Two files are created:

  • cert/myca.crt – This is your CA’s certificate and can be publicly available and of course world readable. You will need to load this certificate into all the clients in your network.
  • key/myca.key – This is your CA’s private key. Although it is protected with a passphrase you should restrict access to it, so that only root can read it:

chmod 0400 /etc/certificates/myCA/key/myca.key

2. Create the Server Key

Next, go up one level to `/etc/certificates`. We can now start creating SSL certificates for our various servers and services. Create a directory named hostname.domainname corresponding to the hostname for the computer or service you are creating the certificate for, and enter the directory.

Next up on the list is to create a key that corresponds to our server. We will do that with this command:

openssl genrsa -des3 -out hostname.domainname.key 4096

Again, those pass phrases are something you make up right then. You are not authenticating anything, but rather setting up a pass phrase for authenticating later. Don’t forget to store the password somewhere safe; I suggest creating a new keychain on your Mac OS X server box.

Now, we have to create a signing request, or CSR, from the server key we just made. This signing request would usually make a trip to a genuine Certificate Authority to have the key signed and a real, verified, bonafide signed certificate returned back to us. So, to generate our signed certificate, we’ll need to first have a signing request so we can make the signed cert. See how that works?

3. Create a Certificate Signing Request

To create the CSR, we do this:

openssl req -new -key hostname.domainname.key -out hostname.domainname.csr

Now remember, kids. This is the part where we do put in our actual real information, because the server does in fact belong to us. Put in the real domain where it says “Common Name (eg, YOUR name) []:”. Fill out everything correctly. For a wildcard cert, enter *.top.level.domain as the Common Name.

4. Sign the Certificate

Now, we are going to take all these files and make them do some voodoo. We are going to sign the signing request using the Certificate Authority certificate and key that we made at the beginning. What we will get is our perfectly forged signed certificate. OK, not perfectly, because we are not a real CA. But we’ll get a pretty darn good signed cert that will work for us rather nicely and be valid for 10 years! What value!

The command we’re going to run looks like this (the CA certificate and key are the ones created in step 1 under myCA/cert and myCA/key):

openssl x509 -req -days 3650 -in hostname.domainname.csr -CA ../myCA/cert/myca.crt -CAkey ../myCA/key/myca.key -set_serial XX -out hostname.domainname.crt

It will ask you for the password for the myca.key file, which is referenced at the top of this article. The -set_serial switch takes a two digit value to denote the certificate serial number. Every certificate you sign from this CA must have a unique serial number.

5. Create a Passwordless Certificate

Now, we have a little problem. Our hostname.domainname.key file will cause apache2 to prompt us for a password every time it starts. We need to fix it so that doesn’t happen. We’ll do that with these three commands:

openssl rsa -in hostname.domainname.key -out hostname.domainname.key.insecure
    * Enter the password that you entered when creating this key
mv hostname.domainname.key <backup-name-for-passworded-key>
mv hostname.domainname.key.insecure hostname.domainname.key

Then set permissions for the files

chmod 0600 hostname.domainname.key hostname.domainname.csr hostname.domainname.crt

6. Outcome

The final list of files and their purpose is as follows:

drwxr-xr-x 2 root root 4096 2008-06-02 13:54 .
drwx------ 10 root root 4096 2008-06-02 13:35 ..
-rw-r--r-- 1 root root 2049 2009-04-02 13:32 hostname.tld.crt [our server certificate]
-rw-r--r-- 1 root root 1748 2009-04-02 13:23 hostname.tld.csr [our server signing request]
-rw-r--r-- 1 root root 3243 2009-04-02 13:54 hostname.tld.key [our password-less server key]
-rw-r--r-- 1 root root 3311 2009-04-02 13:13 [our passworded server key]

7. Don’t Forget

Don’t forget to load the myca.crt file into your various Mac clients. This will allow the computer to verify the identity of the SSL certificates to the end user, mitigating the risk of a MITM (man in the middle) attack. To do so, simply copy the file to all your workstations and double click the cert. Keychain manager should load and ask what security setting you would like; select Always Trust.
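As an added example (not the post’s own code), here are steps 2 through 5 above as one script that issues a certificate for a given hostname. It improves on the manual procedure in two places a practitioner cares about: the serial number comes from a counter file so no two certificates signed by this CA can share a serial (the -set_serial XX step is where people slip up), and the result is checked with openssl verify against the CA certificate before you deploy it. It assumes the CA was created exactly as in step 1 (/etc/certificates/myCA with cert/myca.crt and key/myca.key); CA_DIR, SERIAL_FILE, next_serial, valid_fqdn and issue_cert are this script’s own names, and the .key.secure name for the passworded copy of the key is the script’s choice.

```shell
#!/bin/sh
# Added example, not from the original post: issue one server certificate from
# the myCA authority built in step 1, with unique serials and a verify step.
# Usage (as root): sh issue_cert.sh www.example.com
set -u

# Locations assumed from step 1 of the post; SERIAL_FILE is this script's own.
CA_DIR="${CA_DIR:-/etc/certificates/myCA}"
SERIAL_FILE="${SERIAL_FILE:-$CA_DIR/serial}"

# Read the last serial from the counter file (0 if the file does not exist),
# increment it, write it back, and print the new value. The file is passed in
# so the function can be exercised on a scratch file.
next_serial() {
  f="$1"
  last=0
  [ -f "$f" ] && last=$(cat "$f")
  next=$((last + 1))
  printf '%s\n' "$next" > "$f"
  printf '%s' "$next"
}

# Accept plain or wildcard host names (e.g. www.example.com, *.example.com)
# before using them as directory and file names.
valid_fqdn() {
  printf '%s' "$1" | grep -Eq '^(\*\.)?([A-Za-z0-9-]+\.)+[A-Za-z0-9-]+$'
}

# Steps 2-5 of the post for one host.
issue_cert() {
  host="$1"
  valid_fqdn "$host" || { echo "bad hostname: $host" >&2; return 1; }
  mkdir -p "/etc/certificates/$host"
  cd "/etc/certificates/$host" || return 1

  # Step 2: passphrase-protected server key (prompts for the passphrase).
  openssl genrsa -des3 -out "$host.key" 4096

  # Step 3: signing request; enter the real details, CN = the hostname.
  openssl req -new -key "$host.key" -out "$host.csr"

  # Step 4: sign with the CA, using the next unique serial from the counter.
  serial=$(next_serial "$SERIAL_FILE")
  openssl x509 -req -days 3650 -in "$host.csr" \
    -CA "$CA_DIR/cert/myca.crt" -CAkey "$CA_DIR/key/myca.key" \
    -set_serial "$serial" -out "$host.crt"

  # Step 5: passwordless copy for apache2; the protected original is kept.
  openssl rsa -in "$host.key" -out "$host.key.insecure"
  mv "$host.key" "$host.key.secure"
  mv "$host.key.insecure" "$host.key"
  chmod 0600 "$host.key" "$host.key.secure" "$host.csr" "$host.crt"

  # Confirm the certificate chains to our CA before it goes anywhere.
  openssl verify -CAfile "$CA_DIR/cert/myca.crt" "$host.crt"
}

# Only act when a hostname is supplied.
if [ "$#" -eq 1 ]; then
  issue_cert "$1"
fi
```

The counter file lives next to the CA key, so it inherits the same root-only access; if you ever have to re-issue a certificate for the same host, the new one simply gets the next serial rather than colliding with the old one, which is what clients that cache certificates by issuer and serial expect.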