Posted: April 20th, 2012 | Author: jordan | Filed under: Blog, Snow Leopard | Tags: external hard drives, ion, logged out, not logged in, snow leopard
This tip was graciously donated by my good friend Luis Giraldo from Fully Managed.
Create:
/Library/Preferences/SystemConfiguration/autodiskmount.plist
Put the following contents in the plist file:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AutomountDisksWithoutUserLogin</key>
<true/>
</dict>
</plist>
Posted: May 16th, 2011 | Author: jordan | Filed under: Blog, DNS, Mac OS X Server, Networking, Snow Leopard | Tags: Apple, dns, Mac OS X, mac os x server, network, networking, snow leopard, snow leopard server
As you probably all know, using Apple’s DNS server can be challenging at times. If you make changes on the primary you usually have to wait some time before those changes propagate to the secondaries. However, with the following commands you can force this propagation without having to nuke files or folders in /var/named.
1. On the secondary server, run this command (use whatever zone you want to transfer in place of lan.example.com):
rndc -p 54 retransfer lan.example.com IN com.apple.ServerAdmin.DNS.public
2. Reload the configuration:
rndc -p 54 reload
3. Flush the client cache:
dscacheutil -flushcache
The reason I think this is better is that it gets rid of the potential “oops” of deleting critical files in /var/named.
Posted: March 14th, 2011 | Author: jordan | Filed under: Mac OS X Server | Tags: leopard, mac os x server, Open Directory, snow leopard
While this post title specifically says Mac Mini Server, this procedure will work with any Macintosh that has more than one hard drive.

Replicate boot drive to spare drive.
- Open Disk Utility
One drive should be labelled “Server HD” and the other “Macintosh HD2”. Remember which one is on top and which one is on bottom.
- Select the Hard Drive associated with Macintosh HD2, and then click Restore
- Drag Server HD in to the source and Macintosh HD2 into the destination
- Make it go
Build the spare drive into a RAID of one disk
- Open Disk Utility
- Select the Hard Drive associated with the old “Macintosh HD2”, and then click RAID.
If you are unsure as to which is which, you can select the drive and note the mount point at the bottom of the window. Choose the one that DOES NOT have the mount point of “/”.
- Set the following options
RAID Set Name: Server HD RAID
Format: Mac OS Extended (Case-Sensitive, Journaled)
RAID Type: Mirrored RAID Set
- Drag the spare Server HD from the list on the left into the box on the right.
- Select Options and enable “Automatically rebuild RAID mirror sets”. Click OK, then Enable.
- Rename the newly built drive to Server RAID
- Go to System Preferences->Startup Disk and select the newly built RAID.
- Reboot
Integrate Other Drive into RAID
- Once the system is booted verify the RAID drive is the boot volume
To do this, open Disk Utility again and select the Server RAID volume, and make sure the mount point states “/”.
- While in Disk Utility select the RAID device, which is located above “Server RAID” and click on the RAID tab
- Drag “Server HD” into the white box on the right to add it to the RAID
- Click Rebuild; it will take some time. Once done, perform one more reboot and you’re finished!
Posted: January 11th, 2011 | Author: jordan | Filed under: Snow Leopard, SSL | Tags: leopard, Open Directory, snow leopard, ssl
As more services are introduced into your network, and thus more users depend on it, the need for security goes up. Maintaining your own certificate authority is a simple and free way to ensure the highest level of security while not breaking the bank.
1. Create the Certificate Authority
First we’re going to hop into a terminal on any Mac OS X Server box, navigate to `/etc/certificates` and create some directories:
cd /etc/certificates/
sudo mkdir -p myCA/cert myCA/key
cd myCA
We need to create the CA signing certificate and key. After executing the first command you will be asked a series of questions; answer them as needed.
homer:myCA jordan$ sudo openssl req -new -x509 -keyout key/myca.key -out cert/myca.crt -days 3650
Generating a 1024 bit RSA private key
.....++++++
............................................................++++++
writing new private key to 'key/myca.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:BC
Locality Name (eg, city) []:Vancouver
Organization Name (eg, company) [Internet Widgits Pty Ltd]:YAweb2.0CA LTD
Organizational Unit Name (eg, section) []:DevOps
Common Name (eg, YOUR name) []:yaweb20ca.ca
Email Address []:systems@yaweb20ca.ca
Two files are created:
cert/myca.crt – This is your CA’s certificate and can be publicly available and of course world readable. You will need to load this certificate into all the clients in your network.
key/myca.key – This is your CA’s private key. Although it is protected with a passphrase you should restrict access to it, so that only root can read it:
chmod 0400 /etc/certificates/myCA/key/myca.key
2. Create the Server Key
Next, go up one level to `/etc/certificates`. We can now start creating SSL certificates for our various servers and services. Create a directory named hostname.domainname, corresponding to the hostname of the computer or service you are creating the certificate for, and enter the directory.
Next up on the list is to create a key that corresponds to our server. We will do that with this command:
openssl genrsa -des3 -out hostname.domainname.key 4096
Again, those pass phrases are something you make up right then. You are not authenticating anything, but rather setting up a pass phrase for authenticating later. Don’t forget to store the password somewhere safe; I suggest creating a new keychain on your Mac OS X Server box.
Now, we have to create a signing request, or CSR, from the server key we just made. This signing request will usually make a trip to a genuine Certificate Authority to have the key signed and a real, verified, bonafide signed certificate returned back to us. So, to generate our signed certificate, we’ll need to first have a signing request so we can make the signed cert. See how that works?
3. Create a Certificate Signing Request
To create the CSR, we do this:
openssl req -new -key hostname.domainname.key -out hostname.domainname.csr
Now remember, kids. This is the part where we do put in our actual real information, because the server does in fact belong to us. Put in the real domain where it says “Common Name (eg, YOUR name) []:”. Fill out everything correctly. For a wildcard cert, enter *.top.level.domain as the Common Name.
4. Sign the Certificate
Now, we are going to take all these files and make them do some voodoo. We are going to sign the signing request using the Certificate Authority certificate and key that we made at the beginning. What we will get is our perfectly forged signed certificate. OK, not perfectly, because we are not a real CA. But we’ll get a pretty darn good signed cert that will work for us rather nicely and be valid for 10 years! What value!
The command we’re going to run looks like this:
openssl x509 -req -days 3650 -in hostname.domainname.csr -CA ../myCA/cert/myca.crt -CAkey ../myCA/key/myca.key -set_serial XX -out hostname.domainname.crt
It will ask you for the password for the myca.key file, which we created at the top of this article. The -set_serial switch takes a two digit value (XX above) that becomes the certificate serial number. Every certificate you sign from this CA must have a unique serial number.
5. Create a Passwordless Certificate
Now, we have a little problem. Our hostname.key file will cause apache2 to prompt us for a password every time it starts. We need to fix it so that doesn’t happen. We’ll do that with these three commands:
openssl rsa -in hostname.domainname.key -out hostname.domainname.key.insecure
* Enter the password that you entered when creating this key
mv hostname.domainname.key hostname.domainname.key.secure
mv hostname.domainname.key.insecure hostname.domainname.key
Then set permissions for the files:
chmod 0600 hostname.domainname.key.secure hostname.domainname.key hostname.domainname.csr hostname.domainname.crt
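Steps 1 to 5 rehearsed end to end, as an added example that is not part of the original post: it runs non-interactively in a scratch directory instead of /etc/certificates, issues a CA-signed certificate plus a passwordless key for a host, and then makes the two checks you want before handing the files to Apache: that the certificate actually chains to your CA, and that the deployed key really has no passphrase left on it. The host names, passphrase and serial numbers are constructed placeholders, and the keys are 2048-bit rather than the defaults shown above.

```shell
#!/bin/sh
# Added example: rehearses the post's steps 1-5 non-interactively in a scratch
# directory instead of /etc/certificates. Names and passphrase are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_PASS="${CA_PASS:-changeit}"   # constructed placeholder passphrase

# Step 1: CA layout and self-signed CA certificate, valid 10 years as in the post
make_ca() {
  mkdir -p "$WORK/myCA/cert" "$WORK/myCA/key"
  openssl req -new -x509 -newkey rsa:2048 -days 3650 \
    -keyout "$WORK/myCA/key/myca.key" -out "$WORK/myCA/cert/myca.crt" \
    -passout "pass:$CA_PASS" \
    -subj "/C=CA/ST=BC/L=Vancouver/O=Example CA/CN=ca.example.test" 2>/dev/null
  chmod 0400 "$WORK/myCA/key/myca.key"   # only the owner (root in the post) may read it
}

# Steps 2-5 for one host. $1 = hostname.domainname, $2 = unique serial (the post's XX)
issue_cert() {
  fqdn="$1"; serial="$2"; d="$WORK/$fqdn"
  mkdir -p "$d"
  openssl genrsa -des3 -passout "pass:$CA_PASS" -out "$d/$fqdn.key" 2048 2>/dev/null
  openssl req -new -key "$d/$fqdn.key" -passin "pass:$CA_PASS" \
    -subj "/C=CA/ST=BC/L=Vancouver/O=Example/CN=$fqdn" -out "$d/$fqdn.csr"
  openssl x509 -req -days 3650 -in "$d/$fqdn.csr" \
    -CA "$WORK/myCA/cert/myca.crt" -CAkey "$WORK/myCA/key/myca.key" \
    -passin "pass:$CA_PASS" -set_serial "$serial" -out "$d/$fqdn.crt" 2>/dev/null
  # Step 5: strip the passphrase so Apache starts unattended; keep the original as .key.secure
  openssl rsa -in "$d/$fqdn.key" -passin "pass:$CA_PASS" \
    -out "$d/$fqdn.key.insecure" 2>/dev/null
  mv "$d/$fqdn.key" "$d/$fqdn.key.secure"
  mv "$d/$fqdn.key.insecure" "$d/$fqdn.key"
  chmod 0600 "$d"/*
}

# Check 1: does the issued certificate chain to our CA? (this is what clients will verify)
verify_cert() {
  openssl verify -CAfile "$WORK/myCA/cert/myca.crt" "$WORK/$1/$1.crt" >/dev/null 2>&1
}

# Check 2: is the deployed key really passwordless? (no ENCRYPTED marker in the PEM)
key_is_unencrypted() {
  ! grep -q ENCRYPTED "$WORK/$1/$1.key"
}

# Serial as OpenSSL reports it, e.g. "serial=0A" for -set_serial 10
serial_of() {
  openssl x509 -in "$WORK/$1/$1.crt" -noout -serial
}
```

Run `make_ca` once, then `issue_cert www.example.test 10` per host with a serial you have not used before; `serial_of` lets you list what has already been issued so you never repeat one.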
6. Outcome
The final list of files and their purpose is as follows:
drwxr-xr-x 2 root root 4096 2008-06-02 13:54 .
drwx------ 10 root root 4096 2008-06-02 13:35 ..
-rw-r--r-- 1 root root 2049 2009-04-02 13:32 hostname.tld.crt [our server certificate]
-rw-r--r-- 1 root root 1748 2009-04-02 13:23 hostname.tld.csr [our server signing request]
-rw-r--r-- 1 root root 3243 2009-04-02 13:54 hostname.tld.key [our password-less server key]
-rw-r--r-- 1 root root 3311 2009-04-02 13:13 hostname.tld.key.secure [our passworded server key]
7. Don’t Forget
Don’t forget to load the myca.crt file into your various Mac clients. This will allow the computer to verify the identity of the SSL certificates to the end user, mitigating the risk of a MITM (man in the middle) attack. To do so, simply copy the file to all your workstations and double click the cert. Keychain manager should load and ask what security setting you would like; select Always Trust.