Hash algorithms for passwords.
Hello!
I have those question.
When I store password in database I can use any hash algorithms.
But if I would use local database and start my application on another computer values after hashing will be the same or not?
For example :
string password = "admin";
int passwordToDb = password.GetHashCode(); // this value I save in db.
On another computer, when I will verify my password and calculate hash, it wouldn't be the same? I guess that not.
And what about SHA algorithms? Will I have such problem?
Use MD5 encryption :
/// <summary>
/// Hasher la chaîne en MD5
/// </summary>
/// <param name="chaine">La chaîne à hasher.</param>
/// <returns>La chaîne hashée.</returns>
public static String hashWithMD5(String chaine)
//L'objet MD5.
MD5 md5HashAlgo = MD5.Create();
//le résultat.
StringBuilder resultat = new StringBuilder();
//Tableau d'octes pour le hashage.
byte[] byteArrayToHash = Encoding.UTF8.GetBytes(chaine);
//Hasher la chaîne puis placer le résultat dans le tableau.
byte[] hashResult = md5HashAlgo.ComputeHash(byteArrayToHash);
//Parcourir le tableau pour le mettre dans le résultat.
for (int i = 0; i < hashResult.Length; i++)
//Afficher le Hash en hexadecimal.
resultat.Append(hashResult[i].ToString("X2"));
//Retourner le résultat.
return resultat.ToString();
Similar Messages
-
Linux Redhat RHAS 2.1 & 3.x /etc/shadow hash algorithm
We are trying to load the linux user passwords into our OID server.
The hash is not unix crypt.
We have other unix like the HPUX server's work fine as {CRYPT} but the linux shadow does not migrate.
What is the default hash algorithm for RH?
Has anybody done users & passwords from RH -to-> OID?That's what we all remember too. But it doesnt.
HPUX uses {CRYPT} syncs fine with OID userPassword field.
That same password value doesn't match with Linux.
So we tried {MD5} format. no luck.
I've created the user rp9999 rp9999 on several Linux systems. differnet value each time:
i tried this on my linux machine:
useradd rp9999 rp9999
passwd rp9999 (type password wrong twice: rp9999 rp9999)
/etc/shadow
rp9999:$1$YkjrvM53$gIyxjK8fLFuCmPjywPPXz/:13024:0:99999:7:::
Linux mach1 2.4.21-27.0.2.EL #1 Wed Jan 12 23:46:37 EST 2005 i686 i686 i386 GNU/Linux
so i went to a different machine - mach2:
rp9999:$1$d.DdubGw$Gqj.LxU8Fejq5yNFMSphC1:13024:0:99999:7:::
but from seperate DIFFERENT oid servers user=rp9999 & oidpasswd=rp9999:
authpassword;orclcommonpwd={MD5}XxXV8b0izcJsmcQJ23lmoQ==
userpassword: {MD5}XxXV8b0izcJsmcQJ23lmoQ==
What's going on with Linux /etc/shadow? -
I have a secure website behind an Cisco ACE20 using A2(3.2). Everything is working great. Only that now I need to renew my certificate. When creating the CSR and sending it to my CA I get this warning:
"Alert: Your CSR has been signed using the MD5 hashing algorithm. While the MD5 hashing algorithm is not optimal it will not prevent you from using this CSR to enroll for your SSL certificate. VeriSign best practices recommend that you use a different hashing algorithm for the signature. CSR Information"
Anybody know if it is possible to use SHA instead of MD5 or what can I do in this case?I dont think you can chnage the signing method for CSRs on the ACE directly. But i would use something like OpenSSL to generate the CSR for SHA.
http://gnuwin32.sourceforge.net/packages/openssl.htm
openssl req -out c:\CSR.csr -new -newkey rsa:2048 -nodes -keyout c:\privateKey.key -sha1
The above will load a wizard format questionare for your CSR parameters similar to the ACE.
You can then upload your key, and cert when you get it to the ACE afterwards.
==========================
http://www.rConfig.com
A free, open source network device configuration management tool, customizable to your needs!
- Always vote on an answer if you found it helpful -
Configuring AD LDS Password Hash Algorithm
Hello,
I have a client which has a requirement that the passwords in Active Directory should be stored using the Secure Hash Standard (SHS) standard. This could be SHA-1 or SHA-2.
Could you please tell me where can I check the current hashing algorithm and configure the new one?
Windows Server 2008 R2 Enterprise
Forest & Domain functional level: Windows Server 2008 R2
Thanks!Hi Levente,
I don’t think it is possible to specify algorithm to encrypt AD passwords. The password is computed by RSA MD-4 and MD-5 algorithm.
More information for you:
Help: How to configure encryption/hashing policies on Active Directory 2008 LDS
http://social.technet.microsoft.com/Forums/windowsserver/en-US/04591e6e-22d3-4251-ab55-b778a479465e/help-how-to-configure-encryptionhashing-policies-on-active-directory-2008-lds?forum=winserverDS
View Password hash in Active Directory
http://social.technet.microsoft.com/Forums/windowsserver/en-US/63e3cf2d-f186-418e-bc85-58bdc1861aae/view-password-hash-in-active-directory?forum=winserverfiles
Active Directory hashing algorithms used?
http://social.technet.microsoft.com/forums/windowsserver/en-US/7fbc0669-2ccb-4c24-9f08-24241e30d72b/active-directory-hashing-algorithms-used
Md5 passwords in Active Directory
http://social.technet.microsoft.com/Forums/windowsserver/en-US/5bed809e-3e04-4917-b940-47d3c758987f/md5-passwords-in-active-directory
Best Regards,
Amy -
Is there a way to change the type of hash for passwords in active direcroty?
I would like to know what type of hash used for active directory passwords and if there is a way to change the type of hash.
Hi,
Windows generates and stores user account passwords by using two different password representations, generally known as "hashes." When you set or change the password for a user account to a password that contains fewer than 15 characters, Windows generates
both a LAN Manager hash (LM hash) and a Windows NT hash (NT hash) of the password.
You can configure the type to only store the stronger NT hash of your password.
How to prevent Windows from storing a LAN manager hash of your password in Active Directory and local SAM databases
http://support.microsoft.com/kb/299656/en-us
Regards,
Mandy
We
are trying to better understand customer views on social support experience, so your participation in this
interview project would be greatly appreciated if you have time.
Thanks for helping make community forums a great place. -
Help: Algorithm for Load File Data Block Hash?
Hi guys
I would like to understand the algorithm of a field in INSTALL for LOAD command. It is "Load File Data Block Hash". I'm concerning about it in JCOP tool + Eclipse
(All I want to to is designing the new INSTALL for LOAD command, and I want to imitate JCOP tool)
Can I use DES algorithm for this field?
Thanks in advance.The load file data block hash is described in GP Card Spec v2.1.1 sections 6.7.6.1, 7.7.7 and C.2 all titled Load File Data Block Hash.
The hash is a SHA-1 hash of the load file data block.
Cheers,
Shane -
OID And Java Hash Algorithm Output Differences?
Hi,
Can anyone tell me why I am not able to recreate the OID ldap password hash algorithm? Or can anyone tell me why I get these subtle differences between my Java created message digest and the one that is read directly from the oracle ldap hint password field? They are both based on the same original word "test".
OID Hint Password from ldap ==> {SHA}zrFqbho8VPUOnVvtyUb4c+RWF+k=
Hash created based on input ==> {SHA}zrFqbho8VPUOP1vtyUb4c+RWF+k=
Here is a little background. I am working on developing a custom forgot password feature for my web site using OID 10g R2 and Java. I am able to retrieve the oracle hint password from OID using Java JNDI as the orcladmin. This ldap password is a SHA message digest, or hash, that is base 64 encoded. Since it is a one way algorithm I can not decrypt. So instead I take the clear text password string provided by the user and create a message digest(SHA) and then encode in base 64 using Java 1.4.2 like so;
MessageDigest md = MessageDigest.getInstance("SHA");
md.update(clearTextPassword.getBytes());
String userSuppliedPassword = new String(md.digest());
BASE64Encoder base64encoder = new BASE64Encoder();
String output = "{SHA}" + base64encoder.encode(userSuppliedPassword.getBytes());
By the way, I have been able to work around this issue by performing the compare using JNDI search but was curious why this was happening. Thanks!Hi
I am having similar issue. I have to save passwords in encrypted form to LDAP. But not working. I am prepending the encrypted password {SHA} so OID should not convert further.
Any help is appreciated
Thanks -
What are the advantages/disadvantages of crypt vs. SHA for password encryption?
Both crypt and SHA are one-way hashing algorithms.
The crypt algorithm is provided for compatibility with Unix passwords. It accepts the first 8 characters of a password and the output is always 13 characters long and includes only the characters A-Z, a-z, 0-9, ., and /. It is generally weak and can be broken.
SHA provides a 160 bit hash, is more secure, and is recommended by iPlanet.
Regards,
Craig -
Pam.conf does not use ldap for password length check when changing passwd
I have already posted this in the directory server forum but since it is to do with pam not using ldap I thought there might be some pam experts who check this forum.
I have dsee 6.0 installed on a solaris 10 server (client).
I have a solaris 9 server (server) set up to use ldap authentication.
bash-2.05# cat /var/ldap/ldap_client_file
# Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= X, Y
NS_LDAP_SEARCH_BASEDN= dc=A,dc= B,dc= C
NS_LDAP_AUTH= tls:simple
NS_LDAP_SEARCH_REF= FALSE
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_SERVER_PREF= X.A.B.C, Y.A.B.C
NS_LDAP_CACHETTL= 43200
NS_LDAP_PROFILE= tls_profile
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=A,dc=B,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= group:ou=People,dc=A,dc=B,dc=C?one
NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,dc=A,dc=B,dc=C?one
NS_LDAP_BIND_TIME= 10
bash-2.05# cat /var/ldap/ldap_client_cred
# Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=A,dc=B,dc=C
NS_LDAP_BINDPASSWD= {NS1}6ff7353e346f87a7
bash-2.05# cat /etc/nsswitch.conf
# /etc/nsswitch.ldap:
# An example file that could be copied over to /etc/nsswitch.conf; it
# uses LDAP in conjunction with files.
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
# the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
passwd: files ldap
group: files ldap
# consult /etc "files" only if ldap is down.
hosts: files dns
ipnodes: files
# Uncomment the following line and comment out the above to resolve
# both IPv4 and IPv6 addresses from the ipnodes databases. Note that
# IPv4 addresses are searched in all of the ipnodes databases before
# searching the hosts databases. Before turning this option on, consult
# the Network Administration Guide for more details on using IPv6.
#ipnodes: ldap [NOTFOUND=return] files
networks: files
protocols: files
rpc: files
ethers: files
netmasks: files
bootparams: files
publickey: files
netgroup: ldap
automount: files ldap
aliases: files ldap
# for efficient getservbyname() avoid ldap
services: files ldap
sendmailvars: files
printers: user files ldap
auth_attr: files ldap
prof_attr: files ldap
project: files ldap
bash-2.05# cat /etc/pam.conf
#ident "@(#)pam.conf 1.20 02/01/23 SMI"
# Copyright 1996-2002 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
# PAM configuration
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
# Authentication management
# login service (explicit because of pam_dial_auth)
login auth requisite pam_authtok_get.so.1 debug
login auth required pam_dhkeys.so.1 debug
login auth required pam_dial_auth.so.1 debug
login auth binding pam_unix_auth.so.1 server_policy debug
login auth required pam_ldap.so.1 use_first_pass debug
# rlogin service (explicit because of pam_rhost_auth)
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth binding pam_unix_auth.so.1 server_policy
rlogin auth required pam_ldap.so.1 use_first_pass
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_auth.so.1
# PPP service (explicit because of pam_dial_auth)
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_dial_auth.so.1
ppp auth binding pam_unix_auth.so.1 server_policy
ppp auth required pam_ldap.so.1 use_first_pass
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authenctication
other auth requisite pam_authtok_get.so.1 debug
other auth required pam_dhkeys.so.1 debug
other auth binding pam_unix_auth.so.1 server_policy debug
other auth required pam_ldap.so.1 use_first_pass debug
# passwd command (explicit because of a different authentication module)
passwd auth binding pam_passwd_auth.so.1 server_policy debug
passwd auth required pam_ldap.so.1 use_first_pass debug
# cron service (explicit because of non-usage of pam_roles.so.1)
cron account required pam_projects.so.1
cron account required pam_unix_account.so.1
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
other account requisite pam_roles.so.1 debug
other account required pam_projects.so.1 debug
other account binding pam_unix_account.so.1 server_policy debug
other account required pam_ldap.so.1 no_pass debug
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
other session required pam_unix_session.so.1
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
other password required pam_dhkeys.so.1 debug
other password requisite pam_authtok_get.so.1 debug
other password requisite pam_authtok_check.so.1 debug
other password required pam_authtok_store.so.1 server_policy debug
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#rlogin auth optional pam_krb5.so.1 try_first_pass
#login auth optional pam_krb5.so.1 try_first_pass
#other auth optional pam_krb5.so.1 try_first_pass
#cron account optional pam_krb5.so.1
#other account optional pam_krb5.so.1
#other session optional pam_krb5.so.1
#other password optional pam_krb5.so.1 try_first_pass
I can ssh into client with user VV which does not exist locally but exists in the directory server. This is from /var/adm/messages on the ldap client):
May 17 15:25:07 client sshd[26956]: [ID 634615 auth.debug] pam_authtok_get:pam_sm_authenticate: flags = 0
May 17 15:25:11 client sshd[26956]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
May 17 15:25:11 client sshd[26956]: [ID 285619 auth.debug] ldap pam_sm_authenticate(sshd VV), flags = 0
May 17 15:25:11 client sshd[26956]: [ID 509786 auth.debug] roles pam_sm_authenticate, service = sshd user = VV ruser = not set rhost = h.A.B.C
May 17 15:25:11 client sshd[26956]: [ID 579461 auth.debug] pam_unix_account: entering pam_sm_acct_mgmt()
May 17 15:25:11 client sshd[26956]: [ID 724664 auth.debug] pam_ldap pam_sm_acct_mgmt: illegal option no_pass
May 17 15:25:11 client sshd[26956]: [ID 100510 auth.debug] ldap pam_sm_acct_mgmt(VV), flags = 0
May 17 15:25:11 client sshd[26953]: [ID 800047 auth.info] Accepted keyboard-interactive/pam for VV from 10.115.1.251 port 2703 ssh2
May 17 15:25:11 client sshd[26953]: [ID 914923 auth.debug] pam_dhkeys: no valid mechs found. Trying AUTH_DES.
May 17 15:25:11 client sshd[26953]: [ID 499478 auth.debug] pam_dhkeys: get_and_set_seckey: could not get secret key for keytype 192-0
May 17 15:25:11 client sshd[26953]: [ID 507889 auth.debug] pam_dhkeys: mech key totals:
May 17 15:25:11 client sshd[26953]: [ID 991756 auth.debug] pam_dhkeys: 0 valid mechanism(s)
May 17 15:25:11 client sshd[26953]: [ID 898160 auth.debug] pam_dhkeys: 0 secret key(s) retrieved
May 17 15:25:11 client sshd[26953]: [ID 403608 auth.debug] pam_dhkeys: 0 passwd decrypt successes
May 17 15:25:11 client sshd[26953]: [ID 327308 auth.debug] pam_dhkeys: 0 secret key(s) set
May 17 15:25:11 client sshd[26958]: [ID 965073 auth.debug] pam_dhkeys: cred reinit/refresh ignored
If I try to then change the password with the `passwd` command it does not use the password policy on the directory server but the default defined in /etc/default/passwd
bash-2.05$ passwd
passwd: Changing password for VV
Enter existing login password:
New Password:
passwd: Password too short - must be at least 8 characters.
Please try again
May 17 15:26:17 client passwd[27014]: [ID 285619 user.debug] ldap pam_sm_authenticate(passwd VV), flags = 0
May 17 15:26:17 client passwd[27014]: [ID 509786 user.debug] roles pam_sm_authenticate, service = passwd user = VV ruser = not set rhost = not set
May 17 15:26:17 client passwd[27014]: [ID 579461 user.debug] pam_unix_account: entering pam_sm_acct_mgmt()
May 17 15:26:17 client passwd[27014]: [ID 724664 user.debug] pam_ldap pam_sm_acct_mgmt: illegal option no_pass
May 17 15:26:17 client passwd[27014]: [ID 100510 user.debug] ldap pam_sm_acct_mgmt(VV), flags = 80000000
May 17 15:26:17 client passwd[27014]: [ID 985558 user.debug] pam_dhkeys: entered pam_sm_chauthtok()
May 17 15:26:17 client passwd[27014]: [ID 988707 user.debug] read_authtok: Copied AUTHTOK to OLDAUTHTOK
May 17 15:26:20 client passwd[27014]: [ID 558286 user.debug] pam_authtok_check: pam_sm_chauthok called
May 17 15:26:20 client passwd[27014]: [ID 271931 user.debug] pam_authtok_check: minimum length from /etc/default/passwd: 8
May 17 15:26:20 client passwd[27014]: [ID 985558 user.debug] pam_dhkeys: entered pam_sm_chauthtok()
May 17 15:26:20 client passwd[27014]: [ID 417489 user.debug] pam_dhkeys: OLDRPCPASS already set
I am using the default policy on the directory server which states a minimum password length of 6 characters.
server:root:LDAP_Master:/var/opt/SUNWdsee/dscc6/dcc/ads/ldif#dsconf get-server-prop -h server -p 389|grep ^pwd-
pwd-accept-hashed-pwd-enabled : N/A
pwd-check-enabled : off
pwd-compat-mode : DS6-mode
pwd-expire-no-warning-enabled : on
pwd-expire-warning-delay : 1d
pwd-failure-count-interval : 10m
pwd-grace-login-limit : disabled
pwd-keep-last-auth-time-enabled : off
pwd-lockout-duration : disabled
pwd-lockout-enabled : off
pwd-lockout-repl-priority-enabled : on
pwd-max-age : disabled
pwd-max-failure-count : 3
pwd-max-history-count : disabled
pwd-min-age : disabled
pwd-min-length : 6
pwd-mod-gen-length : 6
pwd-must-change-enabled : off
pwd-root-dn-bypass-enabled : off
pwd-safe-modify-enabled : off
pwd-storage-scheme : CRYPT
pwd-strong-check-dictionary-path : /opt/SUNWdsee/ds6/plugins/words-english-big.txt
pwd-strong-check-enabled : off
pwd-strong-check-require-charset : lower
pwd-strong-check-require-charset : upper
pwd-strong-check-require-charset : digit
pwd-strong-check-require-charset : special
pwd-supported-storage-scheme : CRYPT
pwd-supported-storage-scheme : SHA
pwd-supported-storage-scheme : SSHA
pwd-supported-storage-scheme : NS-MTA-MD5
pwd-supported-storage-scheme : CLEAR
pwd-user-change-enabled : off
Whereas /etc/default/passwd on the ldap client says passwords must be 8 characters. This is seen with the pam_authtok_check: minimum length from /etc/default/passwd: 8
. It is clearly not using the policy from the directory server but checking locally. So I can login ok using the ldap server for authentication but when I try to change the password it does not use the policy from the server which says I only need a minimum lenght of 6 characters.
I have read that pam_ldap is only supported for directory server 5.2. Because I am running ds6 and with password compatability in ds6 mode maybe this is my problem. Does anyone know of any updated pam_ldap modules for solaris 9?
Edited by: ericduggan on Sep 8, 2008 5:30 AMyou can try passwd -r ldap for changing the ldap passwds...
-
Using SHA1 for passwords in Solaris 10
Does any know how to use SHA1 encryption for passwords on Solaris 10? I know I'd need to modify crypt.conf, but I don't know where to get the .so to go along with that.
I'm moving some users from Mac OS X, and their passwords are SHA1 hashes.
Thanks!
Mike VanHorn
[email protected]yes, no and maybe :-)
There is a command in /usr/platform/SUNW,Sun-Fire-V210/sbin which allows you to control the LOM, the name of this command is "scadm", the LOM packages on the supplemental CD are for different (older) types of LOM and doesn't to anything useful at all on a SunFire V210.
However, even though the scadm command let you administer the LOM, it won't display the temprature, but you can use the prtdiag -v command to display information about fans, tempratures and friends.
Happy Easter.
//Magnus -
How to enable SHA-2 hashing algorithm support on windows 7
Hello All,
Please suggest how to invalidate SHA-1 and MD5 algorithm on windows 7 and how to enable SHA-2.
As suggested by Microsoft, regarding the availability of SHA-2 hashing algorithm, security update KB2949927 is installed on windows 7.
Thank YouHi,
Please check if you have installed the below mentioned update:
http://support.microsoft.com/kb/2973337/en-us
After installing this update, SHA512 is enabled for TLSv1.2.
IE shall also be using TLS internally. Hope that should resolve your problem.
Please refer to the below link for a similar discussion and its solution posted there:
https://social.technet.microsoft.com/Forums/office/en-US/857c6804-8ce1-4f09-b657-00554055da16/tls-12-and-sha512?forum=winserversecurity
(Please mark as answer if it resolves your issue. Please upvote if it is helpful.)
Regards,
Rajesh -
Is it possible to change the hash algorithm when I renew the Root CA
My Root CA is installed on a Windows Server 2008. The Hash algorithm of Root CA in my environment is MD5. I would like to renew the Root CA and change the Hash algorithm to SHA1. Is it possible to change it?
Regards,
Terry | My Blog: http://terrytlslau.tls1.ccHi,
The hashing
algorithm chosen during the setup of a Certificate Authority determines how the certificates that the CA issues are digitally signed. It is a one
algorithm per CA scenario, so if your environment requires multiple algorithms for compatibility, then you will need multiple PKI hierarchies (one for each
algorithm.) Prior to Windows 2008, you had to rebuild the CA and decommision the entire PKI hierarchy to
change the signing algorithm used. In Windows 2008 and 2008 R2, we allow you to
change the algorithm and from that point forward it will digitally sign all new certificates with the updated
algorithm.
The
Certificate
Services Enhancements in Longhorn Server Whitepaper describing these steps can be found under the section
Configuring the Cryptographic Algorithms used by the CA.
Step 1: Verify the configuration of the CRL and AIA paths. Sometimes users will manually
change these paths to not include the crl name suffix variable that distinguish multiple certificates on a CA. This is important because the process of changing the
algorithm requires the renewal of the private key and results in administration of multiple CA certificates. When we publish multiple crt and crls, they will be identified as CAName and CAName(1.) You can verify these paths
include the variables by checking the registry keys below:
[HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\{CAname}
CRLPublicationURLs = "1:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n2:http://FCCA01.fourthcoffee.com/certenroll/%%3%%8%%9.crl\n10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public
Key Services,CN=Services,%%6%%10"
CACertPublicationURLs = "1:%WINDIR%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:http://FCCA01.fourthcoffee.com/certenroll/%%1_%%3%%4.crt\n2:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11"
Step 2: Modify the CSP parameters to specify the new
algorithm. The CSP may use the original CryptoAPI or Cryptography API:Next Generation - you can verify this by looking in the registry key
HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\{CAname}\CSP.
If you have the regvalues
CNGPublicKeyAlgorithm and CNGHashAlgorithm then your CSP is using Next Generation.
Change the
algorithm from MD5 to SHA1 and was using Cryptography API: Next Generation. The original registry value was:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\{CAname}\CSP]
"ProviderType"=dword:00000000
"Provider"="Microsoft Software Key Storage Provider"
"HashAlgorithm"=dword:00008003
"CNGPublicKeyAlgorithm"="RSA"
"CNGHashAlgorithm"="MD5"
"MachineKeyset"=dword:00000001
we changed it to
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\{CAname}\CSP]
"ProviderType"=dword:00000000
"Provider"="Microsoft Software Key Storage Provider"
"HashAlgorithm"=dword:00008004
"CNGPublicKeyAlgorithm"="RSA"
"CNGHashAlgorithm"="SHA1"
"MachineKeyset"=dword:00000001
Step 3: Restart the CA service. You can do this in the CA MMC. Right Click on the
CA and choose "Stop Service" and "Start Service".
Step 4: Renew the CA certificate with new Private Key. Right click on the CA and
choose "Renew CA certificate". Choose to renew the public and private key pair. On completion, this will result in the CA having two certificates. You will see that the old one has the MD5 for the Signature
Hash Algorithm and that the new certificate uses SHA1.
Hope this helps!
Best Regards
Elytis Cheng
TechNet Subscriber Support
If you are
TechNet Subscription
user and have any feedback on our support quality, please send your feedback
here.
Elytis Cheng
TechNet Community Support -
Calculating hash values for really big files
I am using the following code to calculate the hash values of files
public static String hash(File f, String algorithm)
throws IOException, NoSuchAlgorithmException {
if (!f.isFile()) {
throw new IOException("Not a file");
RandomAccessFile raf = new RandomAccessFile(f, "r");
byte b[] = new byte[(int) raf.length()];
raf.readFully(b);
raf.close();
MessageDigest messageDigest = MessageDigest.getInstance(algorithm);
messageDigest.update(b);
return toHexString(messageDigest.digest());
}Now the problem is, for really big files, 100 MB or over, I get an OutOfMemoryError.
I have used the -Xms and -Xms options to increase the JVM heap size, and untimately made it to work. However, I think this is lame and there is also a limit to the -Xmx option.
Is there any other way I can calculate the hash values of these really big files?
Thanks a lot in advance.why do u open the file the way u do ?
why to u upload ALL the file AT ONCE into the memory ?
i would do it like this:
FileInputStream fis = new FileInputStream (f);
int fileSize = f.available();
byte buffer[] = new byte[1000];
MessageDigest messageDigest = MessageDigest.getInstance(algorithm);
for(int read = 0;read < fileSize;read +=1000;)
if(fis.available() > 1000)
fis.read(buffer, read, 1000);
else if(fis.available() > 0)
fis.read(buffer, read, fis.available());
else
break;
messageDigest.update(b);
fis.close();
return toHexString(messageDigest.digest()); -
Load-balancing Algorithm for NX-OS Port Channels
Hi, all
I do not understand description of port-channel load-balance ethernet command.
switch(config)# port-channel load-balance ethernet ?
destination-ip Destination IP address
destination-mac Destination MAC address
destination-port Destination TCP/UDP port
source-dest-ip Source & Destination IP address (includes l2)
source-dest-ip-only Source & Destination IP addresses only
source-dest-mac Source & Destination MAC address
source-dest-port Source & Destination TCP/UDP port (includes l2 and l3)
source-dest-port-only Source & Destination TCP/UDP port only
source-ip Source IP address
source-mac Source MAC address
source-port Source TCP/UDP port
Please tell me what the following descriptions mean.
Source & Destination IP address (includes l2)
Source & Destination TCP/UDP port (includes l2 and l3)
What are the meaning of "includes l2" and "includes l2 and l3" ?
Thank you for your cooperation in advance.Hi Satoru,
On the Nexus 5000/6000 platforms, all FEXs will inherit the global hashing algorithm from the parent device.
On the Nexus 7000 platform, hashing algorithms can be assigned on a per FEX basis (all load balancing changes must be made from the Admin VDC):
N7K-A(config)# port-channel load-balance src-dst ip-l4port fex 134
Any FEX without a hashing algorithm configured with inherit the global hash. Making changes to the modular/global hash will not alter FEX specific hashing algorithms.
To verify the configuration applied you can use this command:
N5K_A# show port-channel load-balance
On the Nexus 7000, the per FEX algorithm can be checked by appending the ‘fex <#>’ to the end of the command in the Admin VDC or the FEX’s respective VDC:
N7K-A(config)# show port-channel load-balance fex 134
Regards,
Richard -
While starting managed servers asks for password of localhost
We have a clustered environment and we are using Virtual IPs for the Managed servers. The managed servers in the forst node is not starting.
The problem I have narrowed down is that there are startup.properties file for the managed servers.
It has argument like -Dtangosol.coherence.localhost\=xgsoapd5v1.ea.com (for SOA1)
While SOA1 it is asking for password for the above host and the managed server is not starting.
Now SOA2 has the similar argument -Dtangosol.coherence.localhost\=xgsoapd5v2.ea.com (for SOA2), but it is not asking for any password and so the SOA2 managed server is sta! rting.
Similarly the while starting BAM1 it is asking for a password , but for BAM2 it is not asking for password and it is starting.
I could not yet figure out why it is behaving differently in the first node.
This is a copy of production with a chnage in the network. That means only the IP addresses are changed. xgsoapd5v1.ea.com and xgsoapd5v2.ea.com are the hostnames
It works perfectly in production environment.Hi
Under your domain root folder say in the main machine where you have the AdminServer, you should have a folder structure something like this:
../user_projects/domains/yourBPMDomain1/servers. Under the servers folder you can see list of each server. On the main machine you will see one AdminServer folder. Under this there should be a sub-folder named security with one file named boot.properties. This boot.properties file will have encrypted username and password for the weblogic domain.
If this security/boot.properties exist under the each server folder, then when you start the managed server, it will NOT prompt for the username/password. If it DO NOT exist, it will ask for the credentials.
Solution is go to each Machine where you the ManagedServers (SOA Server or BAM Server does not matter). Go to each server and under that create a folder named security and create a file named boot.properties and in this file enter plain text username and password something like this and save the file. Now restart all those servers.
username=domainadminusername
password=doaminadminpassword
When you start the servers, server should start taking the above information. AND server will automatically ENCRYPT the above plain text data into hash codes.
In a nut shell, go to each Server folder across all the remote machines and under that particular managed server create a folder security with one file boot.properties.
Exmaple locations:
On Machine1 - user_projects/domains/bpmDomain1/servers/soa_server1/security/boot.properties
On Machine2 - user_projects/domains/bpmDomain1/servers/bam_server1/security/boot.properties
You DO NEED the admin username and password in plain text for one time to put in boot.properties. Later on it will get encrypted, so there is no threat for any security loop holes.
Thanks
Ravi Jegga
Maybe you are looking for
-
Web Template with two dataproviders ! Provided in url !
Hello, I would like to create a standard web template more or less according to the 0ANALYSIS_PATTERN (Web Analyzer) with some standard features like Buttons, Charts and Table-View, etc. In the 0ANALYSIS_PATTERN (when you execute your query from the
-
IRecovery: who is it for? how to use it?
Is this something that jailbreaks your phone? I've tried downloading the downloads that it says to for a windows computer but when i go to open them to "unzip" them it asks for which program to use. What do i do?
-
6.0.1 upgrade disabled iTunesU library
The 6.0.1 upgrade disabled the my iPod Touch iTunesU library. The library "bookshelf" opens fine, and individual course lectures appear, but when I tap on a lecture, the whole library closes and the screen goes back to home screen, the one that show
-
Exchange 2010 Online Archiving - Folder Structure Incorrect
Greetings, We have recently been enabling Exchange Archiving for various users with great success. I have one particular user that we have enabled it on, and it appears the Online Archive folder structure is not being generated when items are proces
-
Setting The Printer For Reverse Or Mirror Image
Hello, IM trying to create some T-Shirt Transfers, but I Would Like To Know How To Set The Printer For Reverse Or Mirror Image? Thanks!