Guide for configuring an ASA for two factor auth

Similar Messages

• Two factor auth for CRES portal

  This is a wishlist of mine which I hope would get into the plans for future enhancements to CRES service. Some form(s) of two factor authentication for access to CRES service would be very useful. I'm thinking of a low overhead approach for both internal (within the org) and external users such as out-of-band SMS OTP or a software token app on the device generating OTP (as opposed to hardware based form factors).
  Thanks,
  John
  Sent from Cisco Technical Support iPad App

  This, and improving the registration experience for mobile users, are both on the CRES roadmap. For two-factor auth, although I can't commit to anything, I'd agree that some sort of out-of-band communication of a one time password, by SMS or an alternate email address for example, would be the preferred approach.

• Need help with two-factor auth for windows logon using CSS

  Hi all,
  I have been trying for a couple of days now to get two-factor auth for windows logon working on my X1C Type 3443.
  I am running Windows 7 (64-bit) with Lenovo System Update 5.06.0007, Lenovo Solution Center 2.6.001.00, ThinkVantage Fingerprint Software 5.9.9.7282, ThinkVantage Client Security Solution 8.30.0031.00. If it's of any importance, my X1C was originally shipped with Windows 8, but I couldn't stand it and reinstalled Windows 7 instead.
  I have uninstalled and reinstalled the above programs in the following order:
  1) Install System Update and reboot
  2) Install Solution Center and reboot
  3) Install CSS and reboot
  4) Install Fingerprint Software and reboot
  Everything seems to be working fine by itself, except that when I try to configure two-factor auth in CSS, the Fingerprint tab (on the left of the GUI) is greyed out and CSS tells me that I have no fingerprints enrolled. The Fingerprint Software, however, is working just fine and shows me as having a fingerprint enrolled there.
  I have spent all morning searching for a solution, but everything I find dates back to 2011, when ThinkPads still came with ThinkVantage Toolbox. I obviously can't download that anymore, so I'm at a loss. Can someone please help? Thanks!
  Candace

  Hi all,
  I have been trying for a couple of days now to get two-factor auth for windows logon working on my X1C Type 3443.
  I am running Windows 7 (64-bit) with Lenovo System Update 5.06.0007, Lenovo Solution Center 2.6.001.00, ThinkVantage Fingerprint Software 5.9.9.7282, ThinkVantage Client Security Solution 8.30.0031.00. If it's of any importance, my X1C was originally shipped with Windows 8, but I couldn't stand it and reinstalled Windows 7 instead.
  I have uninstalled and reinstalled the above programs in the following order:
  1) Install System Update and reboot
  2) Install Solution Center and reboot
  3) Install CSS and reboot
  4) Install Fingerprint Software and reboot
  Everything seems to be working fine by itself, except that when I try to configure two-factor auth in CSS, the Fingerprint tab (on the left of the GUI) is greyed out and CSS tells me that I have no fingerprints enrolled. The Fingerprint Software, however, is working just fine and shows me as having a fingerprint enrolled there.
  I have spent all morning searching for a solution, but everything I find dates back to 2011, when ThinkPads still came with ThinkVantage Toolbox. I obviously can't download that anymore, so I'm at a loss. Can someone please help? Thanks!
  Candace

• Luks encrypted key file as key for luks partition (two-factor auth)

  I'm trying to implement "two-factor" authentication (possession of a keyfile and knowledge of a passphrase required) using dm-crypt in order to open an encrypted root filesystem. In the past I used gpg and later openssl to decrypt a keyfile using a passphrase, which then was used by cryptsetup using --key-file to decrypt the actual data device. I'd like to ditch gpg/openssl and use only cryptsetup.
  So the idea is to create a luksFormatted key file (loop device) which, when opened using a passphrase, will be used as the key (using --key-file) to open a luksFormatted hard drive partition.
  To illustrate:
  # create and luksFormat the key container file
  dd if=/dev/urandom of=key_container bs=1M count=4
  cryptsetup luksFormat key_container
  # open the container and create a random "key" by directly writing pseudo random data to it
  cryptsetup luksOpen key_container key_device
  dd if=/dev/urandom of=/dev/mapper/key_device
  # luksFormat the data device using the random data from the luks key device
  cryptsetup -d /dev/mapper/key luksFormat /dev/sda1
  # later, to open /dev/sda1
  cryptsetup -d /dev/mapper/key_device luksOpen /dev/sda1 encryptedfs
  My questions:
  1. Is this a valid approach or am I making a mistake/do you see a problem somewhere?
  2. How much data from the loop device will cryptsetup use as key to format/open the data device? Everything? Is there a limit?
  3. Is there a difference between doing a
  cat /dev/mapper/key | cryptsetup -d -
  and
  cryptsetup -d /dev/mapper/key?
  3. Assuming that the answer to 1 is "no mistake/problem" and 2 is "everything there is" or even "the first x bytes", is it possible that  the actual contents of the loop device may change in the future because of different loop device implementations or somethings else I didn't think of? I'd like  to avoid bad surprises in the future..
  4. What would you recommend as size for the key container file, knowing that the luks header requires some space too?
  Any feedback appreciated.
  Cheers,
  fabriceb

  I do the same ( https://wiki.gentoo.org/wiki/Custom_Ini … ed_Keyfile ).
  --key-file=- should be equivalent, but it's meant for grabbing a key from gpg output or whatever; since you can specify it directly here, no need to involve anything else like cat etc.
  without --key-file=- it would stop reading at newlines or something. this behaviour is quite dangerous as it may cause people who believe they're using a long random key, to use only a very short (or even empty) key instead. one way to avoid such ambiguousness is to make sure there are no newline bytes in your keyfile, so it would use the whole thing in either interpretation.
  as for the key length, a key is essentially a passphrase. So it does not have to be very long at all; 8 truly random bytes would require up to 256^8 tries to break after all and with LUKS, each try takes ~1 second per physical CPU... but the smallest unit that LUKS allows is 512 bytes (1 sector) so you could just as well use the whole thing. If you use 4096 bytes, you're confusing bytes with bits somewhere... and as for bits, even 128bit AES is still considered secure...
  You could save some bytes in the initrd.gz if you initialize the container file with zeroes instead of random, so it can be compressed. The key will still be random as the random cipher key will turn the zeroes to something else after all...

• Google two-factor auth and iPhone apps? ...

  Who here has enabled Google two-factor authentication? Did it break anything on your phone?
  I tinkered with it yesterday, and then our family's shared Google calendar stopped working. My wife couldn't see new items I added (in either the iPhone calendar or Fantastical). I disabled TFA, and all was good again.
  Reading Google TFA page talked about how to use an additional app on the phone to create some additional passwords, but it wasn't clear to me where I would use them.
  I also use Mailbox for GMail, not sure what will happen to that.
  Anyone here doing Google TFA? Any words of wisdom?
  Thanks very much in advance,
  Chris

  I had to do this for yahoo after my account was hacked.
  It's a little tricky but you can enter the codes into your settings and get the stock app to work.
  How to set it up:
  http://www.imore.com/how-to-gmail-2-step-verification-mail--iphone--ipad-mac

• Two factor auth tied together?

  Hi all,
  I have an irritating problem dealing with the physical security staff in my datacenter. We have a requirement for certain areas to have "two factor authentication", and they've provided badge readers and fingerprint scanners, and consider this requirement solved.
  Unfortunately, the systems don't work together and you can use one person's badge, and someone else's fingerprint.
  My experience (and common sense) says that two factor means YOUR badge needs to only work with YOUR fingerprint, but our physical security team doesn't see it that way.
  They've asked for some sort of evidence that this is how it works... A government directive or other "proof" that they need to tie together.
  I thought that it would be a quick Google search away, but it turns out to be more difficult than I thought! All the definitions seem to leave the "tie in" to the imagination! They all say "password and token" or "badge and bio" but never explicitly say that those devices need to tie to the person who is authenticating.
  This seems like such a simple thing! Does anyone know of a document that clearly defines two factor as both factors required to be tied to the same person?

  I agree that tying them together would be better security but you may lose this one.
  In the bank card scenario, the unique item is the card, but the card and PIN can be used by anyone.
  Your situation is different in that the unique item is the fingerprint (since any card will do, thank you) AND it is physically tied to a single person (lopped off fingers aside).
  It's not as tight as it could be but it does qualify as two factor since you need both to enter.
  Since John's finger is scanned, John entered.
  JMTC
  Tom

• Using BOTH keyfile AND passphrase in dm-crypt. Two factor auth.

  How can the following setup be achieved. BOTH (not either) keyfile and a passphrase should be used in order to decrypt a device. So keyfile will be read from an SD-card/FLASH drive on boot and passphrase will be requested. That way, somebody who wants to access the system has to have something and know something to have access. In other words, this will be a two-factor authentication system.
  Ideally, multiple keyfiles and passphrases should be used. The reason is because if one keyfile A will be lost/stolen, then the slot can be killed and another keyfile B will be used as a back-up. Now if somebody have found the keyfile A and slot A was deleted, they can no longer use keyfile A, because it will be no longer valid. Multiple passphrases are there to ensure that if one is forgotten another can be used as a back-up.
  Is it possible and how should I approach this? The wiki seems to be focusing on one factor authentication systems (where only a keyphrase OR a passphrase is used to decrypt the drive, while in this case BOTH a keyfile and a passphrase should be required).

  I did not try it by myself but it reads like what you want to achieve:
  Using GPG or OpenSSL Encrypted Keyfiles:
  The following forum posts give instructions to use two factor authentication

• When will CC support Two Factor Auth?

  As the title says -- I'd like to not worry so much about the next breach Adobe will face.
  I'd personally prefer Google Authenticator support, but I'd grudgingly accept SMS.

  Could you provide more detials on how do you use _Adobe.JSXInterface?
  This is a simple exmaple to show how to use _Adobe.JSXInterface:
  1. Place a jsx file like f.jsx in assets folder. The function f is defined as below in this file:
  function f(a, b)
      return a + b;
  2. The JavaScript below in HTML widget will show the return value:
  <button onClick="_Adobe.includeJSXFile('f.jsx'); alert(_Adobe.JSXInterface.call('f', 5, 4));">Return result</button>
  "9" will be popped up if click this button. Make sure invoke _Adobe.includeJSXFile('f.jsx'); to call the functions defined in f.jsx via _Adobe.JSXInterface.call().

• MacBook/iMac and two Factor trusted device

  Hi Guys,
  Is it possible to have a MacBook Pro as a trusted device for two factor authentication?
  I am signed into iCloud and 'Find my Mac' on my MBP, however it is not displaying along side my iPad and iPhone as a potential trusted device.
  Googled about can't find anything confirming?
  Thanks,
  Regards,
  John

  Unfortunately, I don't think so.  It has to be an iOS device with Find My iDevice enabled, or a device capable of receiving SMS messages to be a trusted device.  At the present time, Macs using Find My Mac are not included (although I'm not sure why).

• Configuration guide for ASA Ipsec.

  Ho guys.
  I need configuration guide for ASA Ipsec using Cli.
  Thank you.
  Sent from Cisco Technical Support iPad App

  Hi,
  please check the below link
  http://www.cisco.com/en/US/products/ps9422/products_configuration_example09186a0080b4ae61.shtml?referring_site=smartnavRD
  http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml
  Thanks and Regards,
          ROHAN 

• NO internet in the network except for two computers after installing ASA 5505

  Hi Guys,,,
  I dont know if any of you guys had a problem like this... I installed a CISCO ASA5505 with 50 user license  to my network as the gateway firewall. So ASA is acting as the gaeway router which is connected to a fibre circuit and also it gives DHCP to the network. The strange thing is that except for two computers rest does not have internet. I also have an asterisk phone system which works fine..
  I tried everything.... static IP's DHCP, DNS nothing worked. But strange enough two computers works fine and have internet.. but are no special computers. One is Win XP and the other one is Win7. When I troubleshoot the problem in win 7 on one of the computers it says
  "The remote device or resource won't accept the connection"
  I have no idea now... any help would be great...
  Thanks in advance

  Hello Amal.
  I hope the gateway of the comupters are configured as ASA.. Are you able to ping your gateway from the PC where you dont have access to internet and also check whether the translation is happening on ASA when you are trying to access the internet ( show xlate  | i 'local ip'
  It would be great if you could share the ASA config as well
  regards
  Harish.

• Configuration guide for drop shipments

  Hello all,
  Pl. post any link/documents/Configuration guide for configuring the drop shipment process in SAP.
  Thanks,
  Maxx

  Maxx,
  I assume when you say "Drop shipments", you are referring to the process where a customer orders product from your company; you procure the product from a Vendor, the Vendor ships the product directly to the Customer; and you invoice the customer. SAP calls this Third party order processing.  SAP has two Best Practices, Here are the Business Process docs, and configuration guides.
  Third party order processing w/Ship notification
  http://help.sap.com/bp_bl604/BBLibrary/Documentation/107_BPP_EN_US.doc
  http://help.sap.com/bp_bl604/BBLibrary/Documentation/107_BB_ConfigGuide_EN_US.doc
  Third party order processing without Ship notification
  http://help.sap.com/bp_bl604/BBLibrary/Documentation/114_BPP_EN_US.doc
  http://help.sap.com/bp_bl604/BBLibrary/Documentation/114_BB_ConfigGuide_EN_US.doc
  Rgds,
  DB49

• How to do Apache configuration for two different domains

  Hi ,
  I was just trying out some clustering workshop on weblogic. I faced a issue..here is the scenario :
  I have two clusters :
  Cluster1 : 3 managed servers (server1,server2,server3)
  Cluster2 : 2managed servers (server4,server5)
  I have two sample applications which i have deployed on these two clusters i.e app1 on cluster1 and app2 on cluster2.
  These two aplications are deployed successsfully as i am able to open these applicatons from browser by calling the individual port of the managed server like : http://localhost:7003/app1.
  Now i have installed a apache server on my laptop and configured the http.conf file.
  Issue : I am not able to call both the application from apache. If there is only one cluster then it is working fine and for two application only one cluster (application) is working that too whose port is defined in the last.
  Here are the contents of my httpd.conf file :
  # This is the main Apache HTTP server configuration file. It contains the
  # configuration directives that give the server its instructions.
  # See <URL:http://httpd.apache.org/docs/2.2> for detailed information.
  # In particular, see
  # <URL:http://httpd.apache.org/docs/2.2/mod/directives.html>
  # for a discussion of each configuration directive.
  # Do NOT simply read the instructions in here without understanding
  # what they do. They're here only as hints or reminders. If you are unsure
  # consult the online docs. You have been warned.
  # Configuration and logfile names: If the filenames you specify for many
  # of the server's control files begin with "/" (or "drive:/" for Win32), the
  # server will use that explicit path. If the filenames do not begin
  # with "/", the value of ServerRoot is prepended -- so "logs/foo.log"
  # with ServerRoot set to "C:/Program Files/Apache Software Foundation/Apache2.2" will be interpreted by the
  # server as "C:/Program Files/Apache Software Foundation/Apache2.2/logs/foo.log".
  # NOTE: Where filenames are specified, you must use forward slashes
  # instead of backslashes (e.g., "c:/apache" instead of "c:\apache").
  # If a drive letter is omitted, the drive on which httpd.exe is located
  # will be used by default. It is recommended that you always supply
  # an explicit drive letter in absolute paths to avoid confusion.
  # ServerRoot: The top of the directory tree under which the server's
  # configuration, error, and log files are kept.
  # Do not add a slash at the end of the directory path. If you point
  # ServerRoot at a non-local disk, be sure to point the LockFile directive
  # at a local disk. If you wish to share the same ServerRoot for multiple
  # httpd daemons, you will need to change at least LockFile and PidFile.
  ServerRoot "C:/Program Files/Apache Software Foundation/Apache2.2"
  # Listen: Allows you to bind Apache to specific IP addresses and/or
  # ports, instead of the default. See also the <VirtualHost>
  # directive.
  # Change this to Listen on specific IP addresses as shown below to
  # prevent Apache from glomming onto all bound IP addresses.
  #Listen 12.34.56.78:80
  Listen 80
  # Dynamic Shared Object (DSO) Support
  # To be able to use the functionality of a module which was built as a DSO you
  # have to place corresponding `LoadModule' lines at this location so the
  # directives contained in it are actually available before they are used.
  # Statically compiled modules (those listed by `httpd -l') do not need
  # to be loaded here.
  # Example:
  # LoadModule foo_module modules/mod_foo.so
  LoadModule actions_module modules/mod_actions.so
  LoadModule alias_module modules/mod_alias.so
  LoadModule asis_module modules/mod_asis.so
  LoadModule auth_basic_module modules/mod_auth_basic.so
  #LoadModule auth_digest_module modules/mod_auth_digest.so
  #LoadModule authn_alias_module modules/mod_authn_alias.so
  #LoadModule authn_anon_module modules/mod_authn_anon.so
  #LoadModule authn_dbd_module modules/mod_authn_dbd.so
  #LoadModule authn_dbm_module modules/mod_authn_dbm.so
  LoadModule authn_default_module modules/mod_authn_default.so
  LoadModule authn_file_module modules/mod_authn_file.so
  #LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
  #LoadModule authz_dbm_module modules/mod_authz_dbm.so
  LoadModule authz_default_module modules/mod_authz_default.so
  LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
  LoadModule authz_host_module modules/mod_authz_host.so
  #LoadModule authz_owner_module modules/mod_authz_owner.so
  LoadModule authz_user_module modules/mod_authz_user.so
  LoadModule autoindex_module modules/mod_autoindex.so
  #LoadModule cache_module modules/mod_cache.so
  #LoadModule cern_meta_module modules/mod_cern_meta.so
  LoadModule cgi_module modules/mod_cgi.so
  #LoadModule charset_lite_module modules/mod_charset_lite.so
  #LoadModule dav_module modules/mod_dav.so
  #LoadModule dav_fs_module modules/mod_dav_fs.so
  #LoadModule dav_lock_module modules/mod_dav_lock.so
  #LoadModule dbd_module modules/mod_dbd.so
  #LoadModule deflate_module modules/mod_deflate.so
  LoadModule dir_module modules/mod_dir.so
  #LoadModule disk_cache_module modules/mod_disk_cache.so
  #LoadModule dumpio_module modules/mod_dumpio.so
  LoadModule env_module modules/mod_env.so
  #LoadModule expires_module modules/mod_expires.so
  #LoadModule ext_filter_module modules/mod_ext_filter.so
  #LoadModule file_cache_module modules/mod_file_cache.so
  #LoadModule filter_module modules/mod_filter.so
  #LoadModule headers_module modules/mod_headers.so
  #LoadModule ident_module modules/mod_ident.so
  #LoadModule imagemap_module modules/mod_imagemap.so
  LoadModule include_module modules/mod_include.so
  #LoadModule info_module modules/mod_info.so
  LoadModule isapi_module modules/mod_isapi.so
  #LoadModule ldap_module modules/mod_ldap.so
  #LoadModule logio_module modules/mod_logio.so
  LoadModule log_config_module modules/mod_log_config.so
  #LoadModule log_forensic_module modules/mod_log_forensic.so
  #LoadModule mem_cache_module modules/mod_mem_cache.so
  LoadModule mime_module modules/mod_mime.so
  #LoadModule mime_magic_module modules/mod_mime_magic.so
  LoadModule negotiation_module modules/mod_negotiation.so
  #LoadModule proxy_module modules/mod_proxy.so
  #LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
  #LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
  #LoadModule proxy_connect_module modules/mod_proxy_connect.so
  #LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
  #LoadModule proxy_http_module modules/mod_proxy_http.so
  #LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
  #LoadModule reqtimeout_module modules/mod_reqtimeout.so
  #LoadModule rewrite_module modules/mod_rewrite.so
  LoadModule setenvif_module modules/mod_setenvif.so
  #LoadModule speling_module modules/mod_speling.so
  #LoadModule ssl_module modules/mod_ssl.so
  #LoadModule status_module modules/mod_status.so
  #LoadModule substitute_module modules/mod_substitute.so
  #LoadModule unique_id_module modules/mod_unique_id.so
  #LoadModule userdir_module modules/mod_userdir.so
  #LoadModule usertrack_module modules/mod_usertrack.so
  #LoadModule version_module modules/mod_version.so
  #LoadModule vhost_alias_module modules/mod_vhost_alias.so
  LoadModule weblogic_module modules/mod_wl.so
  *<IfModule mod_weblogic.c>*
  WebLogicCluster 127.0.0.1:7005,127.0.0.1:7007,127.0.0.1:7003,127.0.0.1:7103,127.0.0.1:7104
  MatchExpression /app1
  *</IfModule>*
  *<Location /weblogic>*
  SetHandler weblogic-handler
  WebLogicCluster 127.0.0.1:7003,127.0.0.1:7005,127.0.0.1:7007,127.0.0.1:7103,127.0.0.1:7104
  DebugConfigInfo ON
  PathTrim /weblogic
  *</Location>*
  *<IfModule mod_weblogic.c>*
  WebLogicCluster 127.0.0.1:7003,127.0.0.1:7005,127.0.0.1:7007
  MatchExpression /app2
  *</IfModule>*
  *<Location /weblogic>*
  SetHandler weblogic-handler
  WebLogicCluster 127.0.0.1:7003,127.0.0.1:7005,127.0.0.1:7007
  DebugConfigInfo ON
  PathTrim /weblogic
  *</Location>*
  <IfModule !mpm_netware_module>
  <IfModule !mpm_winnt_module>
  # If you wish httpd to run as a different user or group, you must run
  # httpd as root initially and it will switch.
  # User/Group: The name (or #number) of the user/group to run httpd as.
  # It is usually good practice to create a dedicated user and group for
  # running httpd, as with most system services.
  User daemon
  Group daemon
  </IfModule>
  </IfModule>
  # 'Main' server configuration
  # The directives in this section set up the values used by the 'main'
  # server, which responds to any requests that aren't handled by a
  # <VirtualHost> definition. These values also provide defaults for
  # any <VirtualHost> containers you may define later in the file.
  # All of these directives may appear inside <VirtualHost> containers,
  # in which case these default settings will be overridden for the
  # virtual host being defined.
  # ServerAdmin: Your address, where problems with the server should be
  # e-mailed. This address appears on some server-generated pages, such
  # as error documents. e.g. [email protected]
  ServerAdmin <adminurl>
  # ServerName gives the name and port that the server uses to identify itself.
  # This can often be determined automatically, but we recommend you specify
  # it explicitly to prevent problems during startup.
  # If your host doesn't have a registered DNS name, enter its IP address here.
  #ServerName <servername>
  # DocumentRoot: The directory out of which you will serve your
  # documents. By default, all requests are taken from this directory, but
  # symbolic links and aliases may be used to point to other locations.
  DocumentRoot "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs"
  # Each directory to which Apache has access can be configured with respect
  # to which services and features are allowed and/or disabled in that
  # directory (and its subdirectories).
  # First, we configure the "default" to be a very restrictive set of
  # features.
  <Directory />
  Options FollowSymLinks
  AllowOverride None
  Order deny,allow
  Deny from all
  </Directory>
  # Note that from this point forward you must specifically allow
  # particular features to be enabled - so if something's not working as
  # you might expect, make sure that you have specifically enabled it
  # below.
  # This should be changed to whatever you set DocumentRoot to.
  <Directory "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs">
  # Possible values for the Options directive are "None", "All",
  # or any combination of:
  # Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
  # Note that "MultiViews" must be named explicitly --- "Options All"
  # doesn't give it to you.
  # The Options directive is both complicated and important. Please see
  # http://httpd.apache.org/docs/2.2/mod/core.html#options
  # for more information.
  Options Indexes FollowSymLinks
  # AllowOverride controls what directives may be placed in .htaccess files.
  # It can be "All", "None", or any combination of the keywords:
  # Options FileInfo AuthConfig Limit
  AllowOverride None
  # Controls who can get stuff from this server.
  Order allow,deny
  Allow from all
  </Directory>
  # DirectoryIndex: sets the file that Apache will serve if a directory
  # is requested.
  <IfModule dir_module>
  DirectoryIndex index.html
  </IfModule>
  # The following lines prevent .htaccess and .htpasswd files from being
  # viewed by Web clients.
  <FilesMatch "^\.ht">
  Order allow,deny
  Deny from all
  Satisfy All
  </FilesMatch>
  # ErrorLog: The location of the error log file.
  # If you do not specify an ErrorLog directive within a <VirtualHost>
  # container, error messages relating to that virtual host will be
  # logged here. If you do define an error logfile for a <VirtualHost>
  # container, that host's errors will be logged there and not here.
  ErrorLog "logs/error.log"
  # LogLevel: Control the number of messages logged to the error_log.
  # Possible values include: debug, info, notice, warn, error, crit,
  # alert, emerg.
  LogLevel warn
  <IfModule log_config_module>
  # The following directives define some format nicknames for use with
  # a CustomLog directive (see below).
  LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
  LogFormat "%h %l %u %t \"%r\" %>s %b" common
  <IfModule logio_module>
  # You need to enable mod_logio.c to use %I and %O
  LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
  </IfModule>
  # The location and format of the access logfile (Common Logfile Format).
  # If you do not define any access logfiles within a <VirtualHost>
  # container, they will be logged here. Contrariwise, if you do
  # define per-<VirtualHost> access logfiles, transactions will be
  # logged therein and not in this file.
  CustomLog "logs/access.log" common
  # If you prefer a logfile with access, agent, and referer information
  # (Combined Logfile Format) you can use the following directive.
  #CustomLog "logs/access.log" combined
  </IfModule>
  <IfModule alias_module>
  # Redirect: Allows you to tell clients about documents that used to
  # exist in your server's namespace, but do not anymore. The client
  # will make a new request for the document at its new location.
  # Example:
  # Redirect permanent /foo http://<url>/bar
  # Alias: Maps web paths into filesystem paths and is used to
  # access content that does not live under the DocumentRoot.
  # Example:
  # Alias /webpath /full/filesystem/path
  # If you include a trailing / on /webpath then the server will
  # require it to be present in the URL. You will also likely
  # need to provide a <Directory> section to allow access to
  # the filesystem path.
  # ScriptAlias: This controls which directories contain server scripts.
  # ScriptAliases are essentially the same as Aliases, except that
  # documents in the target directory are treated as applications and
  # run by the server when requested rather than as documents sent to the
  # client. The same rules about trailing "/" apply to ScriptAlias
  # directives as to Alias.
  ScriptAlias /cgi-bin/ "C:/Program Files/Apache Software Foundation/Apache2.2/cgi-bin/"
  </IfModule>
  <IfModule cgid_module>
  # ScriptSock: On threaded servers, designate the path to the UNIX
  # socket used to communicate with the CGI daemon of mod_cgid.
  #Scriptsock logs/cgisock
  </IfModule>
  # "C:/Program Files/Apache Software Foundation/Apache2.2/cgi-bin" should be changed to whatever your ScriptAliased
  # CGI directory exists, if you have that configured.
  <Directory "C:/Program Files/Apache Software Foundation/Apache2.2/cgi-bin">
  AllowOverride None
  Options None
  Order allow,deny
  Allow from all
  </Directory>
  # DefaultType: the default MIME type the server will use for a document
  # if it cannot otherwise determine one, such as from filename extensions.
  # If your server contains mostly text or HTML documents, "text/plain" is
  # a good value. If most of your content is binary, such as applications
  # or images, you may want to use "application/octet-stream" instead to
  # keep browsers from trying to display binary files as though they are
  # text.
  DefaultType text/plain
  <IfModule mime_module>
  # TypesConfig points to the file containing the list of mappings from
  # filename extension to MIME-type.
  TypesConfig conf/mime.types
  # AddType allows you to add to or override the MIME configuration
  # file specified in TypesConfig for specific file types.
  #AddType application/x-gzip .tgz
  # AddEncoding allows you to have certain browsers uncompress
  # information on the fly. Note: Not all browsers support this.
  #AddEncoding x-compress .Z
  #AddEncoding x-gzip .gz .tgz
  # If the AddEncoding directives above are commented-out, then you
  # probably should define those extensions to indicate media types:
  AddType application/x-compress .Z
  AddType application/x-gzip .gz .tgz
  # AddHandler allows you to map certain file extensions to "handlers":
  # actions unrelated to filetype. These can be either built into the server
  # or added with the Action directive (see below)
  # To use CGI scripts outside of ScriptAliased directories:
  # (You will also need to add "ExecCGI" to the "Options" directive.)
  #AddHandler cgi-script .cgi
  # For type maps (negotiated resources):
  #AddHandler type-map var
  # Filters allow you to process content before it is sent to the client.
  # To parse .shtml files for server-side includes (SSI):
  # (You will also need to add "Includes" to the "Options" directive.)
  #AddType text/html .shtml
  #AddOutputFilter INCLUDES .shtml
  </IfModule>
  # The mod_mime_magic module allows the server to use various hints from the
  # contents of the file itself to determine its type. The MIMEMagicFile
  # directive tells the module where the hint definitions are located.
  #MIMEMagicFile conf/magic
  # Customizable error responses come in three flavors:
  # 1) plain text 2) local redirects 3) external redirects
  # Some examples:
  #ErrorDocument 500 "The server made a boo boo."
  #ErrorDocument 404 /missing.html
  #ErrorDocument 404 "/cgi-bin/missing_handler.pl"
  #ErrorDocument 402<url>/subscription_info.html
  # EnableMMAP and EnableSendfile: On systems that support it,
  # memory-mapping or the sendfile syscall is used to deliver
  # files. This usually improves server performance, but must
  # be turned off when serving from networked-mounted
  # filesystems or if support for these functions is otherwise
  # broken on your system.
  #EnableMMAP off
  #EnableSendfile off
  # Supplemental configuration
  # The configuration files in the conf/extra/ directory can be
  # included to add extra features or to modify the default configuration of
  # the server, or you may simply copy their contents here and change as
  # necessary.
  # Server-pool management (MPM specific)
  #Include conf/extra/httpd-mpm.conf
  # Multi-language error messages
  #Include conf/extra/httpd-multilang-errordoc.conf
  # Fancy directory listings
  #Include conf/extra/httpd-autoindex.conf
  # Language settings
  #Include conf/extra/httpd-languages.conf
  # User home directories
  #Include conf/extra/httpd-userdir.conf
  # Real-time info on requests and configuration
  #Include conf/extra/httpd-info.conf
  # Virtual hosts
  #Include conf/extra/httpd-vhosts.conf
  # Local access to the Apache HTTP Server Manual
  #Include conf/extra/httpd-manual.conf
  # Distributed authoring and versioning (WebDAV)
  #Include conf/extra/httpd-dav.conf
  # Various default settings
  #Include conf/extra/httpd-default.conf
  # Secure (SSL/TLS) connections
  #Include conf/extra/httpd-ssl.conf
  # Note: The following must must be present to support
  # starting without SSL on platforms with no /dev/random equivalent
  # but a statically compiled-in mod_ssl.
  <IfModule ssl_module>
  SSLRandomSeed startup builtin
  SSLRandomSeed connect builtin
  </IfModule>
  So here for the above configuration only app2 i am able to call and for app1 its saying "404 page not found".
  Can soomebody help me in cofiguring apache so that i can call both the applications.
  Thanks,
  Ankit

  >
  <IfModule mod_weblogic.c>
  WebLogicCluster 127.0.0.1:7005,127.0.0.1:7007,127.0.0.1:7003,127.0.0.1:7103,127.0.0.1:7104
  MatchExpression /app1
  </IfModule>
  <Location /weblogic>
  SetHandler weblogic-handler
  WebLogicCluster 127.0.0.1:7003,127.0.0.1:7005,127.0.0.1:7007,127.0.0.1:7103,127.0.0.1:7104
  DebugConfigInfo ON
  PathTrim /weblogic
  </Location>
  <IfModule mod_weblogic.c>
  WebLogicCluster 127.0.0.1:7003,127.0.0.1:7005,127.0.0.1:7007
  MatchExpression /app2
  </IfModule>
  <Location /weblogic>
  SetHandler weblogic-handler
  WebLogicCluster 127.0.0.1:7003,127.0.0.1:7005,127.0.0.1:7007
  DebugConfigInfo ON
  PathTrim /weblogic
  </Location>
  >
  This configuration is weird little bit. There is MatchExpression /app1 and MatchExpression /app2 and at the same time two <Location /weblogic> sections. Are you sure you understand what that configuration stands for?
  Try something like this ...
  <Location /app1>
  SetHandler weblogic-handler
  WebLogicCluster 127.0.0.1:7003,127.0.0.1:7005,127.0.0.1:7007,127.0.0.1:7103,127.0.0.1:7104
  DebugConfigInfo ON
  </Location>
  <Location /app2>
  SetHandler weblogic-handler
  WebLogicCluster 127.0.0.1:7003,127.0.0.1:7005,127.0.0.1:7007
  DebugConfigInfo ON
  </Location>
  where /app1 and /app2 are contexts of your weblogic applications.
  http://download.oracle.com/docs/cd/E11035_01/wls100/plugins/apache.html
  http://httpd.apache.org/docs/2.0/mod/core.html#location

• How to configure time synchronization for two NTP servers

  We have IOSXR 4.2.1 on routers CRS3 and ASR9K with all recomended SMUs; we need to configure the time synchronization for two NTP servers with the configuration below, but the routers became unstable; synchronize with one NTP servers for some time, then switch to other NTP server, and keep doing this. Anyone know why this behavior?
  ntp
  authentication-key 1 md5 encrypted 01070F074F0A05
  authenticate
  trusted-key 1
  server 10.192.32.32 prefer
  server 10.192.32.33
  source Loopback50
  update-calendar
  RP/0/RP0/CPU0:DFCRSDTC1#sh log | i ntp
  Wed Jul 10 09:37:04.621 BRSPO
  RP/0/RP0/CPU0:Jul  4 21:29:18 : ntpd[256]: %IP-IP_NTP-5-SYNC_LOSS : Synchronization lost : 10.192.32.32 : Peer unreachable or clock selection failed
  RP/0/RP0/CPU0:Jul  4 21:29:18 : ntpd[256]: %IP-IP_NTP-5-HP_CONN_LOST : High priority NTP peer connection lost - Stratum 2->15.
  RP/0/RP0/CPU0:Jul  4 21:29:18 : ntpd[256]: %IP-IP_NTP-5-ALL_CONN_LOST : All NTP peer connections failed.
  RP/0/RP0/CPU0:Jul  4 21:29:27 : ntpd[256]: %IP-IP_NTP-5-HP_CONN_RECOVERED : High priority NTP peer connection recovered - Stratum 15->2.
  RP/0/RP0/CPU0:Jul  4 21:30:21 : ntpd[256]: %IP-IP_NTP-5-SYNC_LOSS : Synchronization lost : 10.192.32.32 : Peer unreachable or clock selection failed
  RP/0/RP0/CPU0:Jul  4 21:30:21 : ntpd[256]: %IP-IP_NTP-5-HP_CONN_LOST : High priority NTP peer connection lost - Stratum 2->15.
  RP/0/RP0/CPU0:Jul  4 21:30:21 : ntpd[256]: %IP-IP_NTP-5-ALL_CONN_LOST : All NTP peer connections failed.
  RP/0/RP0/CPU0:Jul  4 21:31:36 : ntpd[256]: %IP-IP_NTP-5-HP_CONN_RECOVERED : High priority NTP peer connection recovered - Stratum 15->2.
  RP/0/RP0/CPU0:Jul  4 21:35:56 : ntpd[256]: %IP-IP_NTP-5-SYNC_LOSS : Synchronization lost : 10.192.32.33 : Peer unreachable or clock selection failed
  RP/0/RP0/CPU0:Jul  4 21:35:56 : ntpd[256]: %IP-IP_NTP-5-HP_CONN_LOST : High priority NTP peer connection lost - Stratum 2->15.
  RP/0/RP0/CPU0:Jul  4 21:35:56 : ntpd[256]: %IP-IP_NTP-5-ALL_CONN_LOST : All NTP peer connections failed.
  RP/0/RP0/CPU0:Jul  4 21:40:11 : ntpd[256]: %IP-IP_NTP-5-HP_CONN_RECOVERED : High priority NTP peer connection recovered - Stratum 15->2.
  RP/0/RP0/CPU0:Jul  4 21:50:52 : ntpd[256]: %IP-IP_NTP-5-SYNC_LOSS : Synchronization lost : 10.192.32.33 : System clock selection failed
  RP/0/RP0/CPU0:Jul  4 21:50:52 : ntpd[256]: %IP-IP_NTP-5-HP_CONN_LOST : High priority NTP peer connection lost - Stratum 2->6.
  RP/0/RP0/CPU0:Jul  4 21:59:26 : ntpd[256]: %IP-IP_NTP-5-HP_CONN_RECOVERED : High priority NTP peer connection recovered - Stratum 6->2.
  RP/0/RP0/CPU0:Jul  4 22:25:07 : ntpd[256]: %IP-IP_NTP-5-SYNC_LOSS : Synchronization lost : 10.192.32.33 : System clock selection failed
  RP/0/RP0/CPU0:Jul  4 22:25:07 : ntpd[256]: %IP-IP_NTP-5-HP_CONN_LOST : High priority NTP peer connection lost - Stratum 2->6.
  RP/0/RP0/CPU0:Jul  4 22:56:16 : ntpd[256]: %IP-IP_NTP-5-SYNC_LOSS : Synchronization lost : 10.192.32.33 : Peer unreachable or clock selection failed
  RP/0/RP0/CPU0:Jul  4 22:56:16 : ntpd[256]: %IP-IP_NTP-5-ALL_CONN_LOST : All NTP peer connections failed.

  Hi Claudio, that ddts is pretty generic to be honest but yes it is filed to address sync issues in the XR NTP algo.
  The thing is that XR ntp clock selection is a bit different then iOS and follows the specs very closely which results in this erroneous loss behavior.
  For instance, you could also see this issue with a sync loss if the update time is only 500msec off what it was before and that will result in a ntp sync loss rather then adjusting to it.
  Also I wanted to mention that the ntp prefer is a bit of a misnomer in XR (since it follows the specs differently then IOS) and this knob was taken over from IOS really.
  You might get some joy if you set it to one server only and see if that helps?
  regards
  xander

• Dynamic Configuration for two file adapters communication channels

  Hello Experts!!!!!!
       In one of the interface in my landscape, I am using two file adapters for creating two files with different names and at two different destination on F.T.P.
  However the receiver service for both the communication channel are same.
  In message mapping I am using multi mapping to create two files out a single message.
  Now i have a requirement of changing file path and file name using dynamic configuration for both the comm channel.
  When i doing dynamic coniguration for both the comm. channel. My interface is creating two files but with same name and on same destination which is set for second communication channel through dynamic configuration.
  Here, I guess the second dynamic configuration is over writing the first dynamic configuration and hence creating two files with same name and at same destination.    
  Please suggest, if separate dynamic configuration for separate communication channel of same receiver service can be done?
  Thanks & Regards,
  Amol

  Thanks for your prompt responses!!!!!
      Is there any way, By which in dynamic configuration I can find out the communication channel name and then change its parameter.
  I mean if iam using say comm. channel A and B.
  Then in dynamic configuration for A, I will first take communication channel A by calling it and then change its path/file name.
  and then do samething for comm. channel B in its dynamic conf.
  Regards,
  Amol