Sun's PKCS#11 Bridge to access LunaSA HSM
Hi,
I'm working to access keys/certificates on LunaSA HSM through Sun's Java PKCS#11 Bridge. By
ks = KeyStore.getInstance("pkcs11");
ks.load(null,pin);
I can access credentials on the HSM, but only "part" of them -- Only the certificates that have keys also on the HSM can be identified by their aliases.
For example, if on the HSM are a trusted certificate, whose alias is 'trustedcert', a user certificate and its private key (whose aliases are 'mycert' and 'mykey'), by
ks.aliases();
I got 'mykey' and 'mycert' only, but not 'trustedcert'. I got the same problem when I tried with "keytool".
Is there a solution to this problem, or did I miss something? Thanks for your advice.
Doesn't even begin to look right. See the [Java PKCS#11 Reference Guide|http://java.sun.com/javase/6/docs/technotes/guides/security/p11guide.html#Config]:
- Valid values for operation are generate, import, and *. You have nothing.
- Valid values for keytype are CKO_PUBLIC_KEY, CKO_PRIVATE_KEY, and CKO_SECRET_KEY. You have CKO_CERTIFICATE.
- Valid values for keyalgorithm are one of the CKK_xxx constants from the PKCS#11 specification, or * to match keys of any algorithm. You have nothing.
Similar Messages
-
Kssl configuration with Sun Software PKCS#11 softtoken
I need to understand what changed in Solaris 10 10/08 s10s_u6wos_07b SPARC with regard to the crypto framework.
I want to configure kernel SSL proxy (kssl) to use the certificate stored in the PKCS#11 keystore. First, I generated a certificate labelled "mycert" with the pktool command. Next I ran the ksslcfg command as follows:
ksslcfg create -f pkcs11 -C "mycert" -T "Sun Software PKCS#11 softtoken" -x 51000 -p /tmp/pwd 443
The service log indicated :
"no matching PKCS#11 token found"
I had to dig through the kssladm source code in OpenSolaris to find this piece:
http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/cmd/cmd-inet/usr.sbin/kssl/kssladm/kssladm_create.c?&r=898.
The code iterates through the list of tokens, then compares labels with the one provided by the user. Since I specified what the Sun documentation says, "Sun Software PKCS#11 softtoken", I would expect it to find it, but it does not. Pktool indicates that the label is present:
% pktool tokens
Token Label Manuf ID Serial No PIN State
Sun Software PKCS#11 softtoken Sun Microsystem user set
I then ran the kssladm manually and specified the -v (verbose) option, so it would print the labels it actually found. It turned out that the only token it finds has a label "Sun Metaslot ".
My question is: is this now the recommended label to be used instead of the "Sun Software PKCS#11 softtoken"? If it is, then why does pktool still show it? Is this a bug in this particular Solaris release? Would appreciate any insight.
Thanks
Leonti
You need to use the trustanchors nssModule; read the JavaTM PKCS#11 Reference Guide at --
http://java.sun.com/javase/6/docs/technotes/guides/security/p11guide.html#Config
For example, you can write your config file like this --
name=NSS
nssSecmodDirectory=path_of_your_dbs
nssLibraryDirectory=path_of_dll_or_so
nssModule=trustanchors
-
Pin for Sun Software PKCS#11 softtoken
Hello, I am studying Sun's Solaris Security Essentials book for a university examination and I have a problem with the pktool command in chapter 8. For example, when I try to run the following command:
$pktool list keystore=pkcs11 objtype=both
the command line asks me:
Enter pin for Sun Software PKCS#11 softtoken
and this PIN is required for all the chapter exercises.
But where can I find this PIN?
thanks
Thanks - the only difference is this cert is a self-signed one, but it's nothing fancy, just used standard openssl commands to create it; it imports into ikeyman just fine and makes use of 3DES, which is supported by pktool.
Julian.
-
Working key for Sun one 5 ME Early access???
Hi There,
Can anybody tell me how to make my Sun ONE 5 ME Early Access version of the IDE work for some more time? It started giving a warning saying my key will be expiring in 10 days. Any idea how to make it work for some more days, as I am on my way to finishing something? I read long back in this forum that some gentleman was giving a working key for this version of the IDE. Can you give it to me too? Thanks in advance.
Thank you,
Manas
It was me, please email me at the same address as before: peter.podsklan (at) sun.com. I'd be more than glad to give you the new number.
-
Is Sun's JDBC-ODBC Bridge on Access stable?
I need some opinion here.
Thanks
Setya
Thanks,
I plan to build an enterprise app using EJB with Oracle or MS SQL Server as the back end. Since our table structure does not always satisfy the table structure required for reporting (which sometimes is very complex), we plan to pull the data from the EJB first and then put it in MS Access temporary tables in a stand-alone client app (which satisfies the structure required for reporting), and from there we present the reports to users.
Any suggestion regarding this plan would be greatly appreciated.
Thanks
Setya
-
Jdbc non-odbc-bridge for Access mdb database
I would like to have my Java program be able to use a Microsoft Access-97 or Access-2000 mdb database. I don't want to use an ODBC driver, but instead use a type-2 or 3 or 4 driver (preferably type-4).
Does such a driver exist? This is for a freeware project, and I would prefer a free or very low cost driver.
I'm not sure I fully understand the differences between jdbc types. My impression is that an odbc-bridge driver requires that the end-user setup the odbc connection. I'd like to avoid that if possible.
My intent is to distribute the application with the MyApp.mdb database file, and have MyApp be able to use the database without user setup.
I suppose an alternative would be to programmatically create the odbc-bridge data source configuration. Is that possible from a Java program, and, if so, how? I can do this with Visual C++, but not clear on how to do it in Java.
Searching the forums is always a good idea.
From one of the previous times I answered this.
http://forum.java.sun.com/thread.jsp?forum=48&thread=199027
-
Feed Bridge from Access or Excel spreadsheet??
Hi -
This is a Bridge question so I hope I'm in the best forum for an answer.
I have a huge image database (3000+) in MS Access. My supervisor wants to customize it. By the time he was finished describing his wish list it sounded like he wanted to re-invent Adobe Bridge. So I demonstrated how we can open the folders of images, display, make collections and keyword, etc. So far so good, until he reminds us that there are image attributes (column headings in an Access table) that we would have to enter by hand. Yikes!
Is there a way to automate Bridge so that these attributes are filled in as keywords to their respective images?
I can get Access to output the table as Excel spreadsheet or CSV list. Will that help?
Am I on track or does Bridge lack the functionality to handle being fed by a db or spreadsheet?
TIA for some input.
JL
To run scripts for Bridge, there are a couple of ways.
1. Run the script from ExtendScript Toolkit, this gets installed at the same time as Photoshop and can be found:-
C:\Program Files\Adobe\Adobe Utilities
2. Run the script from Bridge itself; the problem here is that the script must be written so that it has a menu element scripted within it, else the script will just run every time Bridge is opened.
To install a script in Bridge:-
Edit - Preferences - Startup Scripts
At the bottom click the "Reveal Button" this will open the folder where the script should be saved.
Close and restart Bridge.
Accept the new script.
-
Hi,
I have a simple question. Using the SunPKCS11 it is possible access to the public certificate (or other public objects) in the smartcard without the user PIN?
Thanks.
In the PKCS#11 standard (PKCS#11 v2.20, Cryptographic Token Interface Standard), the attribute used to specify whether or not an object present in the token is public is the CKA_PRIVATE attribute.
I am testing different PKCS#11 implementations (SafeSign-GYD (aetpkss1.dll), Siemens-CardOS (CardOS_PKCS#11.dll), etc.), and when I access the different tokens using the PKCS#11 API, I read the public certificates by opening a read-only session.
This is the information I get opening a read session on the smartcard:
Enter user-PIN or press [return] to list just public objects:
listing all public objects on token using session:
State: Read-Only Public Session
Device Error: 0x0
Read/Write Session: false
Serial Session: true
Object with handle: 1
Object Class: Certificate
Token: true
Private: false
Modifiable: true
Label: EDUARDO
Certificate Type: X.509 Public Key
Trusted: false
Subject (DER, hex): 3081a4310b3009060...204d415254494e455a
ID (hex): 14224f159a27f5063c11f114a57152e730dd2d10
Issuer (DER, hex): 30820131310b30090603...845432d4944436174
Serial Number (DER, hex): 2994
Value (BER, hex): 3082081b30820703a003...dadd1fa56622a990
-
How do I get the SUN jdbc-odbc bridge to work?
Hi,
I'm trying to use the SUN 1.2 jdbc-odbc bridge on Oracle 8.
I have installed the ODBC driver from www.intersolv.com (Merant) and have successfully tested it.
I have SUN 1.2 installed and verified that the sun JdbcOdbcDriver is in my CLASSPATH.
My driver path is:
sun.jdbc.odbc.JdbcOdbcDriver
My url is
jdbc:odbc:Oracle8
My odbc.ini is correct, and my ODBCINI is set.
When I try to connect I get "No suitable driver".
The SUN documentation indicates this error means my shared libraries aren't correct, but I have verified my ODBC setup with an odbc demo app.
Any suggestions on how to form my url?
Has anyone used the bridge on Solaris?
The display is just too dim. I tried the brightness and backlight settings and these do not work. This has been like this since I bought it. Never bothered to deal with it before and just made do with reading a very dim menu.
-
I'm trying to automate my Sun Java 1.6.0_11 (jre-6u11-windows-i586-p.exe) installation through the use of an MST transform (though previously was just using public properties passed on the command line). Every time I install I am being prompted to log into my corporate proxy to access a webpage. In the log file, it stops after PostInstallComplete to access the internet, and continues when I cancel or enter my information. This is a problem because I need to distribute this install via SMS and can't have any user interaction.
I have tried setting the following properties to disable this:
OPENJAVAHELP=False
LAUNCHBROWSER=False
NEEDIERESTART=0
FIREFOXRESTART=0
SDKSILENT=1
Additionally, passing all of the above with /qb-! does nothing to suppress this. I can provide logfiles and more details if anyone thinks they may have an idea as to how to stop this. Also curious to hear if anyone else has run into this problem.
Windows XP SP2
No previous versions installed
Running from EXE (tried extracting MSI but requires Data1.cab which does not seem to be anywhere in the extracted files)
In my case I do not want to delete or stop the threads. I want to create one, but the threadgroup in which it should be created is already disposed.
I suppose this is because the way we used the applet was more a hack than a proper implementation. The moment you leave the page with the applet, the applet destroys itself. Before version 1.6.0-10 it did continue working (because of the suspicious sleep we built into the applet). This 'hack' left our applet alive even when the page where it was started was changed.
In your case I suppose it is better to close your threads, like close all windows and leave :-). I suppose your threads are still running when the applet leaves and destroys its main threads. Your still-running threads crash after the main one closes. I thought that the main thread kills all its children, but that is not always the case. I am not so strong in that thread stuff, so be careful with my assumptions. That is also why I ask for a little explanation, to understand what we did wrong.
Thx for the update
-
Any insights to this problem would be greatly appreciated:
I had developed an application that reads from a text file consisting of millions of INSERT statements and writes them into an Access database. The application uses the JdbcOdbc Bridge. I know that I should be using a more trustworthy DB and JDBC Driver, but assume that I'm just stuck with what I have and can't really do anything about the environment. So anyway, the problem I'm experiencing is a memory issue. I'm reading from a text file that is almost .5 Gig (the contents are all INSERT and other Update statements), writing the results to a text file which will equal the size of the read file, then doing the DB transactions. Assume that I properly closed all of my statements, resultsets, connections; would there be anything in the JdbcOdbc driver that could cause a memory leak due to the sheer number of DB inserts? It certainly isn't the writing of the results to a text file, as I wrote a separate test that wrote over a gig of data without a memory problem. And it isn't opening the .5 gig file for reading, as I also tested that separately without any problems.
I've tried executing the statements that I read from the text file as batches, and it didn't solve the problem. I've tried to manually garbage collect every so often, and that didn't solve the problem. So I decided to use JProbe to help out, but the results didn't show any significant memory usage on my part (or application). Then I decided to painstakingly monitor the memory usage via Windows Performance Monitor from the Task Manager. It seems that the java.exe (my application) doesn't change much in its memory usage (Processes Tab), but yet the Physical Memory Availability under the Performance Tab steadily decreases as time passes.
So my hypothesis on the problem rests on the JdbcOdbc Bridge driver and how it might mishandle memory usage. Can anyone help confirm that the JdbcOdbc bridge is not capable of handling such a large amount of database transactions?
Thanks in advance,
Meng
Interesting problem. One of the unique aspects of using Access as a database is that when you are using the JDBC-ODBC bridge, it must start and use the Access (Jet) database engine in order to read/write to and from the database. There is an excellent chance that the Access/Jet work is being done on the same computer that's running your Java program. Since you have ruled out the other components of your architecture, I think you are left with the possibility that Access is eating up the memory.
You mention writing out transactions, but I am curious what you mean by that. When running a batch-style program, you need to make a decision how many updates make up a transaction, where a transaction is defined as all the updates prior to a commit. It wouldn't be abnormal to have 100+ updates per commit. So a question: What is the frequency of your commit? If it's too low, you create inefficiencies; if it is too high, you risk running out of memory, or on failure having a very slow recovery / backout process.
Are you using PreparedStatements to do the inserts? This is faster, and uses less resources.
Try not to reuse JDBC objects when using the JDBC-ODBC bridge, or delete and recreate the objects on every commit. I have had problems with the JDBC-ODBC bridge when reusing objects.
Good luck!
Joel
-
Bridge to bridge and bridge to access-point via wireless is it possible.
Here's my topology I am trying to configure. I have a router whose ethernet is connected to a bridge. This bridge 1 is connected to a bridge 2 via wireless. Now I am trying to connect an access-point via wireless to this bridge 2. Is it possible for bridge 2 to support connectivity to bridge 1 and the access-point, both of them via wireless?
Can someone please help me on this.
waiting for someone to reply.
regards
sebastan
You can set up each radio in the access point for different functionality. Considering the scenario, this can be done by setting up the SSID for the G radio and another SSID for the A radio. Then, set the role in the radio network parameter for the G radio to access point and for the A radio to the root bridge role.
You can prevent unauthorized users from reconfiguring your access point/bridge and viewing configuration information. Typically, you want network administrators to have access to the access point/bridge while you restrict access to users who connect through a terminal or workstation from within the local network.
To prevent unauthorized access to your access point/bridge, you should configure one of these security features:
Username and password pairs, which are locally stored on the access point/bridge. These pairs authenticate each user before that user can access the access point/bridge. You can also assign a specific privilege level (read only or read/write) to each username and password pair.
http://www.cisco.com/en/US/products/ps5861/products_configuration_guide_chapter09186a00804ed6d4.html
-
Bridge to bridge and bridge to access-point is it possible
Here's my topology I am trying to configure. I have a router whose ethernet is connected to a bridge. This bridge 1 is connected to a bridge 2 via wireless. Now I am trying to connect an access-point via wireless to this bridge 2. Is it possible for bridge 2 to support connectivity to bridge 1 and the access-point, both of them via wireless?
Can someone please help me on this.
waiting for someone to reply.
regards
Take a look at my suggested config below. The first accesspoint will broadcast a SSID for clients and use a different SSID for the bridge. This setup has no 802.1x mechanism yet, but you can add that later. For the topology see PtoPLinkExample.gif posted earlier.
----- Accesspoint 1 --------------
dot11 ssid bridge
authentication open
dot11 ssid WiFiNet
authentication open
guest-mode
interface Dot11Radio0
ssid bridge
ssid WiFiNet
----- Accesspoint 2 --------------
dot11 ssid bridge
authentication open
interface Dot11Radio0
parent 1
ssid bridge
station-role workgroup-bridge
----- Accesspoint 3 --------------
dot11 ssid WiFiNet
authentication open
guest-mode
interface Dot11Radio0
ssid WiFiNet
-
[script] create_ap: Create a NATed or Bridged WiFi Access Point
This script uses hostapd + dnsmasq + iptables to create a NATed Access Point, or hostapd + brctl + dhclient to create a bridged Access Point.
The default behavior is a NATed Access Point.
The updated script will be here: https://github.com/oblique/create_ap and http://git.2f30.org/create_ap/
Examples
No passphrase (open network):
./create_ap wlan0 eth0 MyAccessPoint
OR
echo -e "MyAccessPoint" | ./create_ap wlan0 eth0
WPA + WPA2 passphrase:
./create_ap wlan0 eth0 MyAccessPoint MyPassPhrase
OR
echo -e "MyAccessPoint\nMyPassPhrase" | ./create_ap wlan0 eth0
AP without Internet sharing:
./create_ap -n wlan0 MyAccessPoint MyPassPhrase
Bridged Internet sharing:
./create_ap -m bridge wlan0 eth0 MyAccessPoint MyPassPhrase
Internet sharing from the same WiFi interface:
./create_ap wlan0 wlan0 MyAccessPoint MyPassPhrase
Usage
Usage: create_ap [options] <wifi-interface> [<interface-with-internet>] [<access-point-name> [<passphrase>]]
Options:
-h, --help Show this help
-c <channel> Channel number (default: 1)
-w <WPA version> Use 1 for WPA, use 2 for WPA2, use 1+2 for both (default: 1+2)
-n Disable Internet sharing (if you use this, don't pass
the <interface-with-internet> argument)
-m <method> Method for Internet sharing.
Use: 'nat' for NAT (default)
'bridge' for bridging
'none' for no Internet sharing (equivalent to -n)
--hidden Make the Access Point hidden (do not broadcast the SSID)
--ieee80211n Enable IEEE 802.11n (HT)
--ht_capab <HT> HT capabilities (default: [HT40+])
--driver Choose your WiFi adapter driver (default: nl80211)
--no-virt Do not create virtual interface
Non-Bridging Options:
-g <gateway> IPv4 Gateway for the Access Point (default: 192.168.12.1)
-d DNS server will take into account /etc/hosts
Useful informations:
* If you're not using the --no-virt option, then you can create an AP with the same
interface you are getting your Internet connection.
* You can pass your SSID and password through pipe or through arguments (see examples).
Examples:
create_ap wlan0 eth0 MyAccessPoint MyPassPhrase
echo -e 'MyAccessPoint\nMyPassPhrase' | create_ap wlan0 eth0
create_ap wlan0 eth0 MyAccessPoint
echo 'MyAccessPoint' | create_ap wlan0 eth0
create_ap wlan0 wlan0 MyAccessPoint MyPassPhrase
create_ap -n wlan0 MyAccessPoint MyPassPhrase
create_ap -m bridge wlan0 eth0 MyAccessPoint MyPassPhrase
create_ap --driver rtl871xdrv wlan0 eth0 MyAccessPoint MyPassPhrase
Code
#!/bin/bash
# general dependencies:
# bash (to run this script)
# util-linux (for getopt)
# hostapd
# iproute2
# iw
# iwconfig (you only need this if 'iw' can not recognize your adapter)
# haveged (optional)
# dependencies for 'nat' or 'none' Internet sharing method
# dnsmasq
# iptables
# dependencies for 'bridge' Internet sharing method
# bridge-utils
usage() {
echo "Usage: $(basename $0) [options] <wifi-interface> [<interface-with-internet>] [<access-point-name> [<passphrase>]]"
echo
echo "Options:"
echo " -h, --help Show this help"
echo " -c <channel> Channel number (default: 1)"
echo " -w <WPA version> Use 1 for WPA, use 2 for WPA2, use 1+2 for both (default: 1+2)"
echo " -n Disable Internet sharing (if you use this, don't pass"
echo " the <interface-with-internet> argument)"
echo " -m <method> Method for Internet sharing."
echo " Use: 'nat' for NAT (default)"
echo " 'bridge' for bridging"
echo " 'none' for no Internet sharing (equivalent to -n)"
echo " --hidden Make the Access Point hidden (do not broadcast the SSID)"
echo " --ieee80211n Enable IEEE 802.11n (HT)"
echo " --ht_capab <HT> HT capabilities (default: [HT40+])"
echo " --driver Choose your WiFi adapter driver (default: nl80211)"
echo " --no-virt Do not create virtual interface"
echo
echo "Non-Bridging Options:"
echo " -g <gateway> IPv4 Gateway for the Access Point (default: 192.168.12.1)"
echo " -d DNS server will take into account /etc/hosts"
echo
echo "Useful informations:"
echo " * If you're not using the --no-virt option, then you can create an AP with the same"
echo " interface you are getting your Internet connection."
echo " * You can pass your SSID and password through pipe or through arguments (see examples)."
echo
echo "Examples:"
echo " $(basename $0) wlan0 eth0 MyAccessPoint MyPassPhrase"
echo " echo -e 'MyAccessPoint\nMyPassPhrase' | $(basename $0) wlan0 eth0"
echo " $(basename $0) wlan0 eth0 MyAccessPoint"
echo " echo 'MyAccessPoint' | $(basename $0) wlan0 eth0"
echo " $(basename $0) wlan0 wlan0 MyAccessPoint MyPassPhrase"
echo " $(basename $0) -n wlan0 MyAccessPoint MyPassPhrase"
echo " $(basename $0) -m bridge wlan0 eth0 MyAccessPoint MyPassPhrase"
echo " $(basename $0) --driver rtl871xdrv wlan0 eth0 MyAccessPoint MyPassPhrase"
}
# it takes 2 arguments
# returns:
# 0 if v1 (1st argument) and v2 (2nd argument) are the same
# 1 if v1 is less than v2
# 2 if v1 is greater than v2
version_cmp() {
[[ ! $1 =~ ^[0-9]+(\.[0-9]+)*$ ]] && die "Wrong version format!"
[[ ! $2 =~ ^[0-9]+(\.[0-9]+)*$ ]] && die "Wrong version format!"
V1=( $(echo $1 | tr '.' ' ') )
V2=( $(echo $2 | tr '.' ' ') )
VN=${#V1[@]}
[[ $VN -lt ${#V2[@]} ]] && VN=${#V2[@]}
for ((x = 0; x < $VN; x++)); do
[[ ${V1[x]} -lt ${V2[x]} ]] && return 1
[[ ${V1[x]} -gt ${V2[x]} ]] && return 2
done
return 0
}
USE_IWCONFIG=0
is_wifi_interface() {
which iw > /dev/null 2>&1 && iw dev $1 info > /dev/null 2>&1 && return 0
if which iwconfig > /dev/null 2>&1 && iwconfig $1 > /dev/null 2>&1; then
USE_IWCONFIG=1
return 0
fi
return 1
}
get_phy_device() {
for x in /sys/class/ieee80211/*; do
[[ ! -d "$x" ]] && continue
if [[ "${x##*/}" = "$1" ]]; then
echo $1
return 0
elif [[ -e "$x/device/net/$1" ]]; then
echo ${x##*/}
return 0
elif [[ -e "$x/device/net:$1" ]]; then
echo ${x##*/}
return 0
fi
done
echo "Failed to get phy interface" >&2
return 1
}
get_adapter_info() {
PHY=$(get_phy_device "$1")
[[ $? -ne 0 ]] && return 1
iw phy $PHY info
}
can_have_sta_and_ap() {
# iwconfig does not provide this information, assume false
[[ $USE_IWCONFIG -eq 1 ]] && return 1
get_adapter_info "$1" | grep -E '{.* managed.* AP.*}' > /dev/null 2>&1 && return 0
get_adapter_info "$1" | grep -E '{.* AP.* managed.*}' > /dev/null 2>&1 && return 0
return 1
}
can_have_ap() {
# iwconfig does not provide this information, assume true
[[ $USE_IWCONFIG -eq 1 ]] && return 0
get_adapter_info "$1" | grep -E '\* AP$' > /dev/null 2>&1 && return 0
return 1
}
can_transmit_to_channel() {
IFACE=$1
CHANNEL=$2
if [[ $USE_IWCONFIG -eq 0 ]]; then
CHANNEL_INFO=$(get_adapter_info ${IFACE} | grep "MHz \[${CHANNEL}\]")
[[ -z "${CHANNEL_INFO}" ]] && return 1
[[ "${CHANNEL_INFO}" == *no\ IR* ]] && return 1
[[ "${CHANNEL_INFO}" == *disabled* ]] && return 1
return 0
else
CHANNEL=$(printf '%02d' ${CHANNEL})
CHANNEL_INFO=$(iwlist ${IFACE} channel | grep "Channel ${CHANNEL} :")
[[ -z "${CHANNEL_INFO}" ]] && return 1
return 0
fi
}
is_wifi_connected() {
if [[ $USE_IWCONFIG -eq 0 ]]; then
iw dev "$1" link 2>&1 | grep -E '^Connected to' > /dev/null 2>&1 && return 0
else
iwconfig "$1" 2>&1 | grep -E 'Access Point: [0-9a-fA-F]{2}:' > /dev/null 2>&1 && return 0
fi
return 1
}
get_macaddr() {
ip link show "$1" | grep ether | grep -Eo '([0-9a-f]{2}:){5}[0-9a-f]{2}[[:space:]]' | tr -d '[[:space:]]'
}
get_avail_bridge() {
for i in {0..100}; do
curr_bridge=$(brctl show | grep "br$i" | cut -s -f1)
if [[ -z $curr_bridge ]]; then
echo "br$i"
return
fi
done
}
get_new_macaddr() {
OLDMAC=$(get_macaddr "$1")
for i in {20..255}; do
NEWMAC="${OLDMAC%:*}:$(printf %02x $i)"
(ip link | grep "ether ${NEWMAC}" > /dev/null 2>&1) || break
done
echo $NEWMAC
}
ADDED_UNMANAGED=0
NETWORKMANAGER_CONF=/etc/NetworkManager/NetworkManager.conf
NM_OLDER_VERSION=1
networkmanager_exists() {
which nmcli > /dev/null 2>&1 || return 1
NM_VER=$(nmcli -v | grep -m1 -oE '[0-9]+(\.[0-9]+)*\.[0-9]+')
version_cmp $NM_VER 0.9.10
if [[ $? -eq 1 ]]; then
NM_OLDER_VERSION=1
else
NM_OLDER_VERSION=0
fi
return 0
}
networkmanager_is_running() {
networkmanager_exists || return 1
if [[ $NM_OLDER_VERSION -eq 1 ]]; then
NMCLI_OUT=$(nmcli -t -f RUNNING nm)
else
NMCLI_OUT=$(nmcli -t -f RUNNING g)
fi
[[ "$NMCLI_OUT" == "running" ]]
}
networkmanager_iface_is_unmanaged() {
nmcli -t -f DEVICE,STATE d | grep -E "^$1:unmanaged$" > /dev/null 2>&1
}
ADDED_UNMANAGED=
networkmanager_add_unmanaged() {
networkmanager_exists || return 1
[[ -d ${NETWORKMANAGER_CONF%/*} ]] || mkdir -p ${NETWORKMANAGER_CONF%/*}
[[ -f ${NETWORKMANAGER_CONF} ]] || touch ${NETWORKMANAGER_CONF}
if [[ $NM_OLDER_VERSION -eq 1 ]]; then
if [[ -z "$2" ]]; then
MAC=$(get_macaddr "$1")
else
MAC="$2"
fi
[[ -z "$MAC" ]] && return 1
fi
UNMANAGED=$(grep -m1 -Eo '^unmanaged-devices=[[:alnum:]:;,-]*' /etc/NetworkManager/NetworkManager.conf | sed 's/unmanaged-devices=//' | tr ';,' ' ')
WAS_EMPTY=0
[[ -z "$UNMANAGED" ]] && WAS_EMPTY=1
for x in $UNMANAGED; do
[[ $x == "mac:${MAC}" ]] && return 2
[[ $NM_OLDER_VERSION -eq 0 && $x == "interface-name:${1}" ]] && return 2
done
if [[ $NM_OLDER_VERSION -eq 1 ]]; then
UNMANAGED="${UNMANAGED} mac:${MAC}"
else
UNMANAGED="${UNMANAGED} interface-name:${1}"
fi
UNMANAGED=$(echo $UNMANAGED | sed -e 's/^ //')
UNMANAGED="${UNMANAGED// /;}"
UNMANAGED="unmanaged-devices=${UNMANAGED}"
if ! grep -E '^\[keyfile\]' ${NETWORKMANAGER_CONF} > /dev/null 2>&1; then
echo -e "\n\n[keyfile]\n${UNMANAGED}" >> ${NETWORKMANAGER_CONF}
elif [[ $WAS_EMPTY -eq 1 ]]; then
sed -e "s/^\(\[keyfile\].*\)$/\1\n${UNMANAGED}/" -i ${NETWORKMANAGER_CONF}
else
sed -e "s/^unmanaged-devices=.*/${UNMANAGED}/" -i ${NETWORKMANAGER_CONF}
fi
ADDED_UNMANAGED="${ADDED_UNMANAGED} ${1} "
return 0
}
networkmanager_rm_unmanaged() {
networkmanager_exists || return 1
[[ ! -f ${NETWORKMANAGER_CONF} ]] && return 1
if [[ $NM_OLDER_VERSION -eq 1 ]]; then
if [[ -z "$2" ]]; then
MAC=$(get_macaddr "$1")
else
MAC="$2"
fi
[[ -z "$MAC" ]] && return 1
fi
UNMANAGED=$(grep -m1 -Eo '^unmanaged-devices=[[:alnum:]:;,-]*' /etc/NetworkManager/NetworkManager.conf | sed 's/unmanaged-devices=//' | tr ';,' ' ')
[[ -z "$UNMANAGED" ]] && return 1
[[ -n "$MAC" ]] && UNMANAGED=$(echo $UNMANAGED | sed -e "s/mac:${MAC}\( \|$\)//g")
UNMANAGED=$(echo $UNMANAGED | sed -e "s/interface-name:${1}\( \|$\)//g")
UNMANAGED=$(echo $UNMANAGED | sed -e 's/ $//')
if [[ -z "$UNMANAGED" ]]; then
sed -e "/^unmanaged-devices=.*/d" -i ${NETWORKMANAGER_CONF}
else
UNMANAGED="${UNMANAGED// /;}"
UNMANAGED="unmanaged-devices=${UNMANAGED}"
sed -e "s/^unmanaged-devices=.*/${UNMANAGED}/" -i ${NETWORKMANAGER_CONF}
fi
ADDED_UNMANAGED="${ADDED_UNMANAGED/ ${1} /}"
return 0
}
networkmanager_rm_unmanaged_if_needed() {
[[ $ADDED_UNMANAGED =~ .*\ ${1}\ .* ]] && networkmanager_rm_unmanaged ${1}
}
networkmanager_wait_until_unmanaged() {
networkmanager_is_running || return 1
while ! networkmanager_iface_is_unmanaged "$1"; do
sleep 1
done
sleep 2
return 0
}
CHANNEL=1
GATEWAY=192.168.12.1
WPA_VERSION=1+2
ETC_HOSTS=0
HIDDEN=0
SHARE_METHOD=nat
IEEE80211N=0
HT_CAPAB='[HT40+]'
DRIVER=nl80211
NO_VIRT=0
CONFDIR=
WIFI_IFACE=
VWIFI_IFACE=
INTERNET_IFACE=
BRIDGE_IFACE=
OLD_IP_FORWARD=
OLD_BRIDGE_IPTABLES=
OLD_MACADDR=
cleanup() {
trap "" SIGINT
echo
echo "Doing cleanup..."
# exiting
for x in $CONFDIR/*.pid; do
# even if the $CONFDIR is empty, the for loop will assign
# a value in $x. so we need to check if the value is a file
[[ -f $x ]] && kill -9 $(cat $x)
done
rm -rf $CONFDIR
if [[ "$SHARE_METHOD" != "none" ]]; then
if [[ "$SHARE_METHOD" == "nat" ]]; then
iptables -t nat -D POSTROUTING -o ${INTERNET_IFACE} -j MASQUERADE > /dev/null 2>&1
iptables -D FORWARD -i ${WIFI_IFACE} -s ${GATEWAY%.*}.0/24 -j ACCEPT > /dev/null 2>&1
iptables -D FORWARD -i ${INTERNET_IFACE} -d ${GATEWAY%.*}.0/24 -j ACCEPT > /dev/null 2>&1
[[ -n $OLD_IP_FORWARD ]] && echo $OLD_IP_FORWARD > /proc/sys/net/ipv4/ip_forward
elif [[ "$SHARE_METHOD" == "bridge" ]]; then
ip link set down $BRIDGE_IFACE
brctl delbr $BRIDGE_IFACE
[[ -n $OLD_BRIDGE_IPTABLES ]] && echo $OLD_BRIDGE_IPTABLES > /proc/sys/net/bridge/bridge-nf-call-iptables
fi
fi
if [[ "$SHARE_METHOD" != "bridge" ]]; then
iptables -D INPUT -p tcp -m tcp --dport 53 -j ACCEPT > /dev/null 2>&1
iptables -D INPUT -p udp -m udp --dport 53 -j ACCEPT > /dev/null 2>&1
iptables -D INPUT -p udp -m udp --dport 67 -j ACCEPT > /dev/null 2>&1
fi
if [[ $NO_VIRT -eq 0 ]]; then
if [[ -n $VWIFI_IFACE ]]; then
ip link set down dev ${VWIFI_IFACE}
ip addr flush ${VWIFI_IFACE}
networkmanager_rm_unmanaged_if_needed ${VWIFI_IFACE} ${OLD_MACADDR}
iw dev ${VWIFI_IFACE} del
fi
else
ip link set down dev ${WIFI_IFACE}
ip addr flush ${WIFI_IFACE}
networkmanager_rm_unmanaged_if_needed ${WIFI_IFACE}
fi
}
die() {
[[ -n "$1" ]] && echo -e "\nERROR: $1\n" >&2
cleanup
exit 1
}
clean_exit() {
cleanup
exit 0
}
# if the user press ctrl+c then execute die()
trap "die" SIGINT
ARGS=$(getopt -o hc:w:g:dnm: -l "help","hidden","ieee80211n","ht_capab:","driver:","no-virt" -n $(basename $0) -- "$@")
[[ $? -ne 0 ]] && exit 1
eval set -- "$ARGS"
while :; do
case "$1" in
-h|--help)
usage >&2
exit 1
;;
--hidden)
shift
HIDDEN=1
;;
-c)
shift
CHANNEL="$1"
shift
;;
-w)
shift
WPA_VERSION="$1"
shift
;;
-g)
shift
GATEWAY="$1"
shift
;;
-d)
shift
ETC_HOSTS=1
;;
-n)
shift
SHARE_METHOD=none
;;
-m)
shift
SHARE_METHOD="$1"
shift
;;
--ieee80211n)
shift
IEEE80211N=1
;;
--ht_capab)
shift
HT_CAPAB="$1"
shift
;;
--driver)
shift
DRIVER="$1"
shift
;;
--no-virt)
shift
NO_VIRT=1
;;
--)
shift
break
;;
esac
done
if [[ $# -lt 1 ]]; then
    usage >&2
    exit 1
fi

if [[ $(id -u) -ne 0 ]]; then
    echo "You must run it as root." >&2
    exit 1
fi

WIFI_IFACE=$1

if ! is_wifi_interface ${WIFI_IFACE}; then
    echo "ERROR: '${WIFI_IFACE}' is not a WiFi interface" >&2
    exit 1
fi

if ! can_have_ap ${WIFI_IFACE}; then
    echo "ERROR: Your adapter does not support AP (master) mode" >&2
    exit 1
fi

if ! can_have_sta_and_ap ${WIFI_IFACE}; then
    if is_wifi_connected ${WIFI_IFACE}; then
        echo "ERROR: Your adapter can not be connected to an AP and at the same time transmit as an AP" >&2
        exit 1
    elif [[ $NO_VIRT -eq 0 ]]; then
        echo "WARN: Your adapter does not fully support AP virtual interface, enabling --no-virt" >&2
        NO_VIRT=1
    fi
fi

if [[ "$SHARE_METHOD" != "nat" && "$SHARE_METHOD" != "bridge" && "$SHARE_METHOD" != "none" ]]; then
    echo "ERROR: Wrong Internet sharing method" >&2
    echo
    usage >&2
    exit 1
fi

if [[ "$SHARE_METHOD" == "bridge" ]]; then
    OLD_BRIDGE_IPTABLES=$(cat /proc/sys/net/bridge/bridge-nf-call-iptables)
    BRIDGE_IFACE=$(get_avail_bridge)
    if [[ -z $BRIDGE_IFACE ]]; then
        echo "ERROR: No available bridges < br100" >&2
        exit 1
    fi
elif [[ "$SHARE_METHOD" == "nat" ]]; then
    OLD_IP_FORWARD=$(cat /proc/sys/net/ipv4/ip_forward)
fi

if [[ "$SHARE_METHOD" != "none" ]]; then
    MIN_REQUIRED_ARGS=2
else
    MIN_REQUIRED_ARGS=1
fi

if [[ $# -gt $MIN_REQUIRED_ARGS ]]; then
    if [[ "$SHARE_METHOD" != "none" ]]; then
        if [[ $# -ne 3 && $# -ne 4 ]]; then
            usage >&2
            exit 1
        fi
        INTERNET_IFACE=$2
        SSID=$3
        PASSPHRASE=$4
    else
        if [[ $# -ne 2 && $# -ne 3 ]]; then
            usage >&2
            exit 1
        fi
        SSID=$2
        PASSPHRASE=$3
    fi
else
    if [[ "$SHARE_METHOD" != "none" ]]; then
        if [[ $# -ne 2 ]]; then
            usage >&2
            exit 1
        fi
        INTERNET_IFACE=$2
    fi
    if tty -s; then
        read -p "SSID: " SSID
        while :; do
            read -p "Passphrase: " -s PASSPHRASE
            echo
            read -p "Retype passphrase: " -s PASSPHRASE2
            echo
            if [[ "$PASSPHRASE" != "$PASSPHRASE2" ]]; then
                echo "Passphrases do not match."
            else
                break
            fi
        done
    else
        read SSID
        read PASSPHRASE
    fi
fi

if [[ $NO_VIRT -eq 1 && "$WIFI_IFACE" == "$INTERNET_IFACE" ]]; then
    echo -n "ERROR: You can not share your connection from the same" >&2
    echo " interface if you are using --no-virt option." >&2
    exit 1
fi

CONFDIR=$(mktemp -d /tmp/create_ap.${WIFI_IFACE}.conf.XXXXXXXX)
echo "Config dir: $CONFDIR"

if [[ $NO_VIRT -eq 0 ]]; then
    VWIFI_IFACE=${WIFI_IFACE}ap

    # in NetworkManager 0.9.10 and above we can set the interface as unmanaged without
    # the need of MAC address, so we set it before we create the virtual interface.
    if networkmanager_is_running && [[ $NM_OLDER_VERSION -eq 0 ]]; then
        echo -n "Network Manager found, set $1 as unmanaged device... "
        networkmanager_add_unmanaged ${VWIFI_IFACE}
        # do not call networkmanager_wait_until_unmanaged because interface does not
        # exist yet
        echo "DONE"
    fi

    WIFI_IFACE_CHANNEL=$(iw dev ${WIFI_IFACE} info | grep channel | awk '{print $2}')
    if [[ -n $WIFI_IFACE_CHANNEL && $WIFI_IFACE_CHANNEL -ne $CHANNEL ]]; then
        echo "hostapd will fail to use channel $CHANNEL because $WIFI_IFACE is already set to channel $WIFI_IFACE_CHANNEL, fallback to channel $WIFI_IFACE_CHANNEL."
        CHANNEL=$WIFI_IFACE_CHANNEL
    fi

    VIRTDIEMSG="Maybe your WiFi adapter does not fully support virtual interfaces.
Try again with --no-virt."
    echo -n "Creating a virtual WiFi interface... "
    iw dev ${VWIFI_IFACE} del > /dev/null 2>&1
    if iw dev ${WIFI_IFACE} interface add ${VWIFI_IFACE} type __ap; then
        # now we can call networkmanager_wait_until_unmanaged
        networkmanager_is_running && [[ $NM_OLDER_VERSION -eq 0 ]] && networkmanager_wait_until_unmanaged ${VWIFI_IFACE}
        echo "${VWIFI_IFACE} created."
    else
        VWIFI_IFACE=
        die "$VIRTDIEMSG"
    fi
    OLD_MACADDR=$(get_macaddr ${VWIFI_IFACE})
    [[ ${OLD_MACADDR} == $(get_macaddr ${WIFI_IFACE}) ]] && NEW_MACADDR=$(get_new_macaddr ${VWIFI_IFACE})
    WIFI_IFACE=${VWIFI_IFACE}
fi

can_transmit_to_channel ${WIFI_IFACE} ${CHANNEL} || die "Your adapter can not transmit to channel ${CHANNEL}."

if networkmanager_is_running && ! networkmanager_iface_is_unmanaged ${WIFI_IFACE}; then
    echo -n "Network Manager found, set $1 as unmanaged device... "
    networkmanager_add_unmanaged ${WIFI_IFACE}
    networkmanager_wait_until_unmanaged ${WIFI_IFACE}
    echo "DONE"
fi

[[ $HIDDEN -eq 1 ]] && echo "Access Point's SSID is hidden!"

# hostapd config
cat << EOF > $CONFDIR/hostapd.conf
ssid=${SSID}
interface=${WIFI_IFACE}
driver=${DRIVER}
hw_mode=g
channel=${CHANNEL}
ctrl_interface=$CONFDIR/hostapd_ctrl
ctrl_interface_group=0
ignore_broadcast_ssid=$HIDDEN
EOF

if [[ $IEEE80211N -eq 1 ]]; then
    cat << EOF >> $CONFDIR/hostapd.conf
ieee80211n=1
wmm_enabled=1
ht_capab=${HT_CAPAB}
EOF
fi

if [[ -n "$PASSPHRASE" ]]; then
    [[ "$WPA_VERSION" == "1+2" || "$WPA_VERSION" == "2+1" ]] && WPA_VERSION=3
    cat << EOF >> $CONFDIR/hostapd.conf
wpa=${WPA_VERSION}
wpa_passphrase=$PASSPHRASE
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
rsn_pairwise=CCMP
EOF
fi

if [[ "$SHARE_METHOD" == "bridge" ]]; then
    echo "bridge=${BRIDGE_IFACE}" >> $CONFDIR/hostapd.conf
else
    # dnsmasq config (dhcp + dns)
    DNSMASQ_VER=$(dnsmasq -v | grep -m1 -oE '[0-9]+(\.[0-9]+)*\.[0-9]+')
    version_cmp $DNSMASQ_VER 2.63
    if [[ $? -eq 1 ]]; then
        DNSMASQ_BIND=bind-interfaces
    else
        DNSMASQ_BIND=bind-dynamic
    fi
    cat << EOF > $CONFDIR/dnsmasq.conf
interface=${WIFI_IFACE}
${DNSMASQ_BIND}
dhcp-range=${GATEWAY%.*}.1,${GATEWAY%.*}.254,255.255.255.0,24h
dhcp-option=option:router,${GATEWAY}
EOF
    [[ $ETC_HOSTS -eq 0 ]] && echo no-hosts >> $CONFDIR/dnsmasq.conf
fi

# initialize WiFi interface
if [[ $NO_VIRT -eq 0 && -n "$NEW_MACADDR" ]]; then
    ip link set dev ${WIFI_IFACE} address ${NEW_MACADDR} || die "$VIRTDIEMSG"
fi
ip link set down dev ${WIFI_IFACE} || die "$VIRTDIEMSG"
ip addr flush ${WIFI_IFACE} || die "$VIRTDIEMSG"
if [[ "$SHARE_METHOD" != "bridge" ]]; then
    ip link set up dev ${WIFI_IFACE} || die "$VIRTDIEMSG"
    ip addr add ${GATEWAY}/24 broadcast ${GATEWAY%.*}.255 dev ${WIFI_IFACE} || die "$VIRTDIEMSG"
fi

# enable Internet sharing
if [[ "$SHARE_METHOD" != "none" ]]; then
    echo "Sharing Internet using method: $SHARE_METHOD"
    if [[ "$SHARE_METHOD" == "nat" ]]; then
        iptables -t nat -I POSTROUTING -o ${INTERNET_IFACE} -j MASQUERADE || die
        iptables -I FORWARD -i ${WIFI_IFACE} -s ${GATEWAY%.*}.0/24 -j ACCEPT || die
        iptables -I FORWARD -i ${INTERNET_IFACE} -d ${GATEWAY%.*}.0/24 -j ACCEPT || die
        echo 1 > /proc/sys/net/ipv4/ip_forward || die
    elif [[ "$SHARE_METHOD" == "bridge" ]]; then
        # disable iptables rules for bridged interfaces
        echo 0 > /proc/sys/net/bridge/bridge-nf-call-iptables || die
        # create and initialize bridged interface
        brctl addbr ${BRIDGE_IFACE} || die
        brctl addif ${BRIDGE_IFACE} ${INTERNET_IFACE} || die
        ip link set dev ${BRIDGE_IFACE} up || die
    fi
else
    echo "No Internet sharing"
fi

# boost low entropy
if [[ $(cat /proc/sys/kernel/random/entropy_avail) -lt 1000 ]]; then
    which haveged > /dev/null 2>&1 && {
        haveged -w 1024 -p $CONFDIR/haveged.pid
    }
fi

# start dns + dhcp server
if [[ "$SHARE_METHOD" != "bridge" ]]; then
    iptables -I INPUT -p tcp -m tcp --dport 53 -j ACCEPT || die
    iptables -I INPUT -p udp -m udp --dport 53 -j ACCEPT || die
    iptables -I INPUT -p udp -m udp --dport 67 -j ACCEPT || die
    dnsmasq -C $CONFDIR/dnsmasq.conf -x $CONFDIR/dnsmasq.pid || die
fi

# start access point
echo "hostapd command-line interface: hostapd_cli -p $CONFDIR/hostapd_ctrl"

# from now on we exit with 0 on SIGINT
trap "clean_exit" SIGINT

if ! hostapd $CONFDIR/hostapd.conf; then
    echo -e "\nError: Failed to run hostapd, maybe a program is interfering." >&2
    if networkmanager_is_running; then
        echo "If an error like 'nl80211: Could not configure driver mode' was thrown" >&2
        echo "try running the following before starting create_ap:" >&2
        if [[ $NM_OLDER_VERSION -eq 1 ]]; then
            echo " nmcli nm wifi off" >&2
        else
            echo " nmcli r wifi off" >&2
        fi
        echo " rfkill unblock wlan" >&2
    fi
    die
fi

clean_exit
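The WPA block the script appends to hostapd.conf deserves a closer look: with the default -w 1+2 it writes wpa=3 (WPA1 and WPA2 both offered), wpa_pairwise=TKIP CCMP lets WPA1 clients negotiate TKIP, the passphrase itself is stored in clear text under $CONFDIR, and nothing checks the SSID/passphrase lengths before hostapd is started. The following is an added example in Python, not OBLiQUE's script and not create_ap project code. It validates the pair against the 802.11i limits, derives the 256-bit PSK the same way wpa_passphrase(8) and hostapd do (PBKDF2-HMAC-SHA1, salt = SSID, 4096 iterations), emits a WPA2/CCMP-only section that carries wpa_psk= instead of the passphrase, and audits a config written with the script's defaults. The SSIDs, passphrases and the sample config are constructed for the example; the "password"/"IEEE" test vector is the one from IEEE 802.11i Annex H.

```python
import hashlib
from typing import Dict, List

# IEEE 802.11i limits: SSID is 1..32 octets, a PSK passphrase is 8..63
# printable ASCII characters (0x20..0x7e). 4096 iterations is fixed by the
# standard and is what wpa_passphrase(8) uses.
SSID_MAX_BYTES = 32
PASSPHRASE_MIN, PASSPHRASE_MAX = 8, 63
PBKDF2_ITERATIONS = 4096


def validate(ssid: str, passphrase: str) -> List[str]:
    """Reasons hostapd would reject this SSID/passphrase pair; empty list means OK.

    The script above pipes whatever it read straight into hostapd.conf, so a
    7-character passphrase only fails once hostapd parses the file.
    """
    problems = []
    raw_ssid = ssid.encode("utf-8")
    if not 1 <= len(raw_ssid) <= SSID_MAX_BYTES:
        problems.append(f"SSID must be 1..{SSID_MAX_BYTES} bytes, got {len(raw_ssid)}")
    if not PASSPHRASE_MIN <= len(passphrase) <= PASSPHRASE_MAX:
        problems.append(f"passphrase must be {PASSPHRASE_MIN}..{PASSPHRASE_MAX} chars, got {len(passphrase)}")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        problems.append("passphrase must be printable ASCII (0x20..0x7e)")
    return problems


def derive_psk(ssid: str, passphrase: str) -> str:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iters, 32 bytes), hex-encoded.

    This is the derivation hostapd applies to a wpa_passphrase= line, so the
    result can be written as wpa_psk= and the passphrase never touches disk.
    """
    problems = validate(ssid, passphrase)
    if problems:
        raise ValueError("; ".join(problems))
    psk = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                              ssid.encode("utf-8"), PBKDF2_ITERATIONS, dklen=32)
    return psk.hex()


def hostapd_wpa_section(ssid: str, passphrase: str) -> str:
    """WPA2-only replacement for the block the script appends when a passphrase is set."""
    return "\n".join([
        "wpa=2",                                    # RSN only: no WPA1, so TKIP is never offered
        f"wpa_psk={derive_psk(ssid, passphrase)}",  # pre-derived key instead of wpa_passphrase=
        "wpa_key_mgmt=WPA-PSK",
        "rsn_pairwise=CCMP",
    ]) + "\n"


def _parse(conf: str) -> Dict[str, str]:
    """Minimal key=value reader for hostapd.conf; comments and blank lines are skipped."""
    kv = {}
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        kv[key.strip()] = value.strip()
    return kv


def audit_wpa_section(conf: str) -> List[str]:
    """Flag weak choices in a generated hostapd.conf; empty list means nothing to report."""
    kv = _parse(conf)
    findings = []
    wpa = kv.get("wpa", "0")
    if wpa == "0":
        return ["open network: wpa= is missing or 0"]
    if wpa != "2":
        findings.append(f"wpa={wpa}: WPA1 is still offered; use wpa=2")
        if "TKIP" in kv.get("wpa_pairwise", "").split():
            findings.append("wpa_pairwise allows TKIP for WPA1 clients")
    if "TKIP" in kv.get("rsn_pairwise", "").split():
        findings.append("rsn_pairwise allows TKIP for WPA2 clients")
    if "wpa_passphrase" in kv:
        findings.append("clear-text passphrase stored in the config; write wpa_psk= instead")
    return findings


# Constructed sample: what the script writes with its defaults (-w 1+2 becomes wpa=3).
SAMPLE_CONF = """\
ssid=MyAP
interface=wlan0ap
driver=nl80211
hw_mode=g
channel=1
wpa=3
wpa_passphrase=hunter22
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
rsn_pairwise=CCMP
"""

if __name__ == "__main__":
    for finding in audit_wpa_section(SAMPLE_CONF):
        print("finding:", finding)
    print(hostapd_wpa_section("MyAP", "correct horse battery staple"))
```

Writing wpa_psk= does not make the network harder to crack (the PSK is the key, and anyone who captures a 4-way handshake attacks the passphrase through the same PBKDF2), it just keeps a passphrase people tend to reuse out of a file under /tmp. The real defence is passphrase length, and dropping WPA1/TKIP removes the weakest negotiable cipher.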
Last edited by OBLiQUE (2014-09-02 20:26:22)
adam777 wrote:
Thanks, just what I was looking for.
Unfortunately, it seems that currently my Intel 5300 card (using the iwlwifi driver) does not support AP mode.
From what I understand, hostapd can be used in bridge mode as well, which should have no compatibility problems.
Can someone point me in the right direction?
* EDIT *
After more attempts, I think I got it wrong and AP mode is indeed required.
Sorry for the late reply, I didn't notice your message. Did you get any errors? I have an Intel 6205 and it works.
Also, if you use NetworkManager, then you have to tell NetworkManager to stop using your interface.
You can do it by editing the /etc/NetworkManager/NetworkManager.conf file and putting in the following (without the <>):
[keyfile]
unmanaged-devices=mac:<interface's mac address here>
and restarting your NetworkManager. Of course, after you finish, you have to remove it in order to get your wifi back to working with NetworkManager.
-
Cisco 1532E autonomous mode (Bridging + Client access)
Hello all.
I need to connect two locations that are separated by 300 meters and I also need to provide wireless client access.
My idea is to use two Cisco 1532 (in standalone mode) with 5 GHz directional antennas for bridging and omnidirectional 2.4 GHz antennas for wireless clients at both locations.
My problem is that the deployment guide does not make reference to this implementation (autonomous+bridging+wireless clients); the deployment guide can be found in the following link http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/7-6/b_1532_dg/b_1532_dg_chapter_01.html#topic_5C2E00D8A63A462AAC6F0A0DC629FBDF
Can anyone confirm if this is a supported scenario?
Thanks,
João Carvalho.
Each radio is configured separately from the other, so you would configure the 5 GHz as bridge and the 2.4 GHz as station role root, which is client access. You can reference any autonomous configuration guide for bridge (root and non-root) and client access.
Here is one older doc you can reference:
https://supportforums.cisco.com/document/61936/autonomous-ap-and-bridge-basic-configuration-template
Scott