Category: System Administration

August 19, 2025

PingFederate – OGNL Customization of AuthnContext

After a recent merger, we have added federated authentication in our PingFederate environment that allows the incoming company to continue to use their Entra (ADFS) logon process to authenticate through PingFederate. All of the IDs exist in our directory, and contract attributes are populated based on the local account. But the authentication is handled by their existing system. It’s really cool, and works for 99.9% of the applications. One, however, was not happy with the resultant attribute contract. It worked fine for me, logging in directly with PingFederate. Anyone who authenticated through Entra, however, got a very specific error:

AuthenticatingAuthority array contains a value which is not a wellformed absolute uri

And, yes, I concur – there is absolutely an element in the AuthenticatingAuthority array that is not a well-formed absolute URI

Luckily, there appears to be a solution. On the ACS URL tab, select “Show Advanced Customizations”

Use the drop-down to select the message type of “AssertionType” and the expression provided at https://support.pingidentity.com/s/article/OGNL-Examples-Message-Customization#rm-authauthority to remove authenticating authority values when multiple are present (which also works when only one is present)

Now I no longer have authenticating authorities but the AuthnContextClassRef is “urn:oasis:names:tc:SAML:2.0:ac:classes:Telephony” … so, in the assertion creation, we need to add SAML_AUTHN_CTX to the attribute contract

In the attribute contract fulfillment, map this to a static TEXT string – I am using “urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified” which is used as the default in PingFederate

Final Answer! I have an AuthnContext that does not contain any invalid URI strings and a AuthnContextClassRef that is expected.

July 7, 2025

Quickref: tmux

Our newer servers don’t have screen – and you cannot install it – so I’ve had to start using tmux:

# list running sessions
tmux ls

# Start a new session or reattach to an existing session named LJR
tmux new-session -A -s LJR

# In session, detach
ctrl+b d Detach

# attach to an existing session named LJR
tmux attach-session -t LJR

June 23, 2025

Did you know … you can import accounts into Cyberark?

Adding one account to CyberArk takes about a dozen clicks. Adding fourteen was going to take me half the day!

Luckily, I discovered that the “Add account” button is actually a drop-down menu that also offers the ability to Add accounts from file

Create a CSV file with the following columns:

userName	address	safeName	platformID	secret	automaticManagementEnabled	manualManagementReason	groupName	logonDomain
user1	server1	OURSAFE	Generic Unmanaged	abc123	FALSE	Platform does not support automatic password management
user2	server2	OURSAFE	Generic Unmanaged	bcd234	FALSE	Platform does not support automatic password management
user3	server3	OURSAFE	Generic Unmanaged	cde345	FALSE	Platform does not support automatic password management
user4	server4	OURSAFE	Generic Unmanaged	def456	FALSE	Platform does not support automatic password management
user5	server5	OURSAFE	Generic Unmanaged	efg567	FALSE	Platform does not support automatic password management

Then browse to select the CSV file. It will show you how many accounts are included in the file – 6 here

Click “Upload”. The accounts will be created, and you will see a banner at the top of the site

June 18, 2025

Did you know … you can view just your favorite accounts in CyberArk?

Is your CyberArk account view an overwhelming list of accounts? You are constantly using “Search for accounts” to find one of the three accounts you regularly use because they are buried somewhere in this list?

There’s a better way! The star at the left-hand side of each line allows you to mark an account as a “Favorite”. There’s a link under “Views” to just display your favorite accounts. Even better, though, if you click on the ellipsis button to the right of the “Favorites” link, you can select “Set as default”.

Now, when you log into CyberArk, you immediately see your curated list of accounts instead of all of them!

April 22, 2025

Authenticating WebLogic Admin Console with SAML 2.0 and PingID

Log into your console. Navigate to “Security Realms” and click on your admin console’s realm – here “myrealm”

From the first row of tabs, select “Providers”. On the second row of tabs, ensure you are on “Authentication”. Click “New” to create a new identity asserter.

Provide a name – here, it is called SAML_IA – and ensure the type is “SAML2IdentityAsserter”

Click OK to create the item. Then click the “New” button again to create a new SAML Authenticator

Restart the WebLogic server, then navigate to “Environment” => “Servers” and select the AdminServer

On the first row of tabs, select “Configuration”, on the second row of tabs, select “Federation Servies”, and on the third row of tabs select “SAML 2.0 General”

The published site URL will be your WebLogic host base followed by /saml2

Provide a unique entity ID that needs to match up with what we configure in PingID. Here, I used “LJRWebLogic”

Save the changes and then use the “Publish Metadata” button to save a metadata file that I will use with PingID. You will be saving an XML file

Now select the “SAML 2.0 Service Provider” tab on the third row of tabs. Click “Enabled” to enable the service provider. POST binding should be enabled, but we do not need Artifact binding enabled. Click “Save” to save the changes.

Navigate back to “Security Realms” and select your realm. On the first row of tabs, select “Providers”; on the second row of tabs, select “Authentication”. Click the hyperlink for “SAML_IA”

Click the “Management” tab

You will be provided a metadata file from PingID. Place that somewhere on your server (I used /tmp). Click “New” and then select “New Web Single Sign-On Identity Provider Partner”

Navigate to the metadata file and select it. Provide a name for the identity provider – here, I used PingID. Cilck “OK” to import the PingID details.

Click on the new entry to configure it

Click “Enabled” to enable the Identity Provider. The redirect URIs should be /console/*

Finally, on the WebLogic Server Admin Console, navigate to the domain name -> [Configuration] -> [General] and expand the [Advanced] link

Update cookie name in WLS admin console to be JSESSIONID.

Save the changes and restart the WebLogic server. Navigating to the console, here https://docker.rushworth.us:7001/console, will direct the user to PingID for authentication and then redirect the user’s browser back to the WebLogic server. Looking in the upper right corner of the screen, they will see they are logged in with their directory ID.

Note: You can still access the local authentication dialog by navigating directly to console/login/LoginForm.jsp – e.g. http://docker.rushworth.us:7001/console/login/LoginForm.jsp — but the “normal” URL will redirect users to PingID

Note Also: There needs to be some step here to map PingID users to a role in WebLogic

Failing to do so, you will complete the PingID authentication but be denied access to the WebLogic Admin Console:

April 21, 2025

Enabling SSL on the WebLogic Server Administration Console

Prior to enabling SAML authentication, please ensure your WebLogic Admin Console is using SSL. You will need a JKS keystore with your public/private key pair.

If you have a base64 encoded public/private key pair, create a JKS file as follows:

openssl pkcs12 -export -out docker.p12 -inkey docker.rushworth.us.key -in docker.rushworth.us.cer -name docker_rushworth_us -password pass:IChangedIt

keytool -importkeystore -srckeystore docker.p12 -srcstoretype PKCS12 -destkeystore docker.jks -deststoretype JKS -deststorepass IChangedIt -srcstorepass IChangedIt

List the keystore contents to confirm your certificate is present using:

keytool -list -keystore docker.jks -storepass IChangedIt

The certificate’s alias will be needed to configure SSL on the console. In this example, my certificate’s alias is docker_rushworth_us

Once there is a JKS file with your keypair located on the server, configure WebLogic to use it. On the WebLogic Admin Console, navigate to [domain]->Environment->Servers and select the system you want to configure. Here, AdminServer(admin)

On the “Configuration” tab, select the “General” sub-tab. Check the box for “SSL Listen Port Enabled” and supply a port number.

On the Keystores sub-tab, click “Change” to change the keystore being used.

Select “Custom Identity and Java Standard Trust”. Enter the path to your JKS file. The keystore type is jks. Enter and confirm the password you used to create the keystore. Enter the password for the cacerts file (java default is changeit)

On the SSL sub-tab, input the alias of the certificate. Also enter and confirm the key passphrase.

April 2, 2025

Linux Disk Utilization (du) Without Mount Points or /proc

I frequently use du -sh to determine what is using all the space on my Linux box … but mounting a data volume makes that simple command really suck (also, the mount point isn’t the problem for my local storage!). And all the /proc errors are just annoying — so pass in exclusions!

du -sh --exclude='/mnt/*' --exclude='/proc/*' /*

January 29, 2025

KRDP Fails to Start

Scott has been trying to set up KRDP recently, and continued to get a lot of strange errors attempting to start the server. Through the GUI, it would fall over. From the command line, it output a lot of text. But they all seemed to indicate something couldn’t load. The log file had shared libraries (although ldd said all dependencies were met). The command line said things were found but could not run.

Had him run netstat to see if something else was bound to the port … and it was, but instead of printing the pid and binary name, it said off … which was a new one to me. Fortunately, lsof didshow us what was listening on the port. Stopped xrdp and, voila, krdp starts and runs.

[lisa@fedora01 ~/]# netstat -nap | grep 3389
tcp 0 0 0.0.0.0:3389 0.0.0.0:* LISTEN off...

[lisa@fedora01 ~/]# lsof -i TCP:3389
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
xrdp 1855 root 13u IPv4 39470 0t0 TCP *:ms-wbt-server (LISTEN)

In retrospect, it does tell you what the problem is. ‘Unable to listen for connections on QHostAddress(“”) 0’ means “unable to bind to ip:port

Jan 29 06:49:14 fedora01 systemd[10239]: Started plasma-krdp_server.service - KRDP Server.
Jan 29 06:49:16 fedora01 krdpserver[11054]: libEGL warning: egl: failed to create dri2 screen
Jan 29 06:49:16 fedora01 krdpserver[11054]: libEGL warning: egl: failed to create dri2 screen
Jan 29 06:49:17 fedora01 krdpserver[11054]: org.kde.krdp: Unable to listen for connections on QHostAddress("") 0
Jan 29 06:49:17 fedora01 krdpserver[11054]: qt.dbus.integration: QDBusConnection: error: could not send message to service "org.freedesktop.portal.Desktop" path "/org/freedesktop/portal/desktop" interface "org.freedesktop.portal.Re moteDesktop" member "NotifyKeyboardKeycode": Marshalling failed: Invalid object path passed in arguments
Jan 29 06:49:17 fedora01 krdpserver[11054]: qt.dbus.integration: QDBusConnection: error: could not send message to service "org.freedesktop.portal.Desktop" path "/org/freedesktop/portal/desktop" interface "org.freedesktop.portal.Re moteDesktop" member "NotifyKeyboardKeycode": Marshalling failed: Invalid object path passed in arguments
Jan 29 06:49:17 fedora01 krdpserver[11054]: qt.dbus.integration: QDBusConnection: error: could not send message to service "org.freedesktop.portal.Desktop" path "/org/freedesktop/portal/desktop" interface "org.freedesktop.portal.Re moteDesktop" member "NotifyKeyboardKeycode": Marshalling failed: Invalid object path passed in arguments
Jan 29 06:49:17 fedora01 krdpserver[11054]: qt.dbus.integration: QDBusConnection: error: could not send message to service "org.freedesktop.portal.Desktop" path "/org/freedesktop/portal/desktop" interface "org.freedesktop.portal.Re moteDesktop" member "NotifyKeyboardKeycode": Marshalling failed: Invalid object path passed in arguments
Jan 29 06:49:17 fedora01 krdpserver[11054]: qt.dbus.integration: QDBusConnection: error: could not send message to service "org.freedesktop.portal.Desktop" path "/org/freedesktop/portal/desktop" interface "org.freedesktop.portal.Re moteDesktop" member "NotifyKeyboardKeycode": Marshalling failed: Invalid object path passed in arguments
Jan 29 06:49:17 fedora01 krdpserver[11054]: qt.dbus.integration: QDBusConnection: error: could not send message to service "org.freedesktop.portal.Desktop" path "/org/freedesktop/portal/desktop" interface "org.freedesktop.portal.Re moteDesktop" member "NotifyKeyboardKeycode": Marshalling failed: Invalid object path passed in arguments
Jan 29 06:49:17 fedora01 krdpserver[11054]: qt.dbus.integration: QDBusConnection: error: could not send message to service "org.freedesktop.portal.Desktop" path "/org/freedesktop/portal/desktop" interface "org.freedesktop.portal.Re moteDesktop" member "NotifyKeyboardKeycode": Marshalling failed: Invalid object path passed in arguments
Jan 29 06:49:17 fedora01 krdpserver[11054]: qt.dbus.integration: QDBusConnection: error: could not send message to service "org.freedesktop.portal.Desktop" path "/org/freedesktop/portal/desktop" interface "org.freedesktop.portal.Re moteDesktop" member "NotifyKeyboardKeycode": Marshalling failed: Invalid object path passed in arguments
Jan 29 06:49:17 fedora01 krdpserver[11054]: qt.dbus.integration: QDBusConnection: error: could not send message to service "org.freedesktop.portal.Desktop" path "" interface "org.freedesktop.portal.Session" member "Close": Object p ath cannot be empty
Jan 29 06:49:17 fedora01 systemd[10239]: plasma-krdp_server.service: Main process exited, code=exited, status=255/EXCEPTION
Jan 29 06:49:17 fedora01 systemd[10239]: plasma-krdp_server.service: Failed with result 'exit-code'.

adsaf

January 15, 2025

Finding Active Directory Global Catalog Servers

… or domain controllers, or kerberos, or …

Back when I managed the Active Directory environment, I’d have developers ask where they should direct traffic. Now, since it was all LDAP, I did the right thing and got a load balanced virtual IP built out so they had “ad.example.com” on port 636 & all of my DCs had SAN’s on their SSL certs so ad.example.com was valid. But! It’s not always that easy — especially if you are looking for something like the global catalog servers. Or no such VIP exists. Luckily, the fact people are logging into the domain tells you that you can ask the internal DNS servers to give you all of this good info. Because domain controllers register service records in DNS.

These are the registrations for all servers regardless of associated site.

_ldap: The LDAP service record is used for locating domain controllers that provide directory services over LDAP.
_ldap._tcp.example.com

_kerberos: This record is used for locating domain controllers that provide Kerberos authentication services.
_kerberos._tcp.example.com

_kpasswd: The kpasswd service record is used for finding domain controllers that can handle Kerberos principal password changes.
_kpasswd._tcp.example.com

_gc: The Global Catalog service record is used for locating domain controllers that have the Global Catalog role.
_gc._tcp._tcp.example.com

_ldap._tcp.pdc: If you need to identify which domain controller holds the PDC emulator operations master role.
_ldap._tcp.pdc._msdcs.example.com

You can also find global catalog, Kerberos, and LDAP service records registered in individual sites. For all servers specific to a site, you need to use _tcp.SiteName._sites.example.com instead.

Example — return all GC’s specific to the site named “SiteXYZ”:
dig _gc._tcp.SiteXYZ._sites.example.com SRV

If you are using Windows, first enter “set type=SRV” to return service records and then query for the specific service record you want to view:

C:\Users\lisa>nslookup
Default Server: dns123.example.com
Address: 10.237.123.123

> set type=SRV
> _gc._tcp.SiteXYZ._sites.example.com
Server:  dns123.example.com
Address:  10.23.123.123

_gc._tcp.SiteXYZ._sites.example.com SRV service location:
          priority       = 0
          weight         = 100
          port           = 3268
          svr hostname   = addc032.example.com

January 8, 2025

Sumo Logic: Creating Roles via API

This script creates very basic roles with no extra capabilities and restricts the role to viewing only the indicated source category’s data.

################################################################################
# This script reads an Excel file containing role data, then uses the Sumo Logic
# API to create roles based on the data. It checks each row for a role name and
# uses the source category to set data filters. The script requires a config.py
# file with access credentials.
################################################################################
import pandas as pd
import requests
import json
from config import access_id, access_key  # Import credentials from config.py

# Path to Excel file
excel_file_path = 'NewRoles.xlsx'

# Base URL for Sumo Logic API
base_url = 'https://api.sumologic.com/api/v1'

################################################################################
# Function to create a new role using the Sumo Logic API.
# 
# Args:
#     role_name (str): The name of the role to create.
#     role_description (str): The description of the role.
#     source_category (str): The source category to restrict the role to.
# 
# Returns:
#     None. Prints the status of the API call.
################################################################################
def create_role(role_name, role_description, source_category):
    
    url = f'{base_url}/roles'

    # Role payload
    data_filter = f'_sourceCategory={source_category}'
    payload = {
        'name': role_name,
        'description': role_description,
        'logAnalyticsDataFilter': data_filter,
        'auditDataFilter': data_filter,
        'securityDataFilter': data_filter
    }

    # Headers for the request
    headers = {
        'Content-Type': 'application/json',
        'Accept': 'application/json'
    }

    # Debugging line
    print(f"Attempting to create role: '{role_name}' with description: '{role_description}' and filter: '{data_filter}'")

    # Make the POST request to create a new role
    response = requests.post(url, auth=(access_id, access_key), headers=headers, data=json.dumps(payload))

    # Check the response
    if response.status_code == 201:
        print(f'Role {role_name} created successfully.')
    else:
        print(f'Failed to create role {role_name}. Status Code: {response.status_code}')
        print('Response:', response.json())

################################################################################
# Reads an Excel file and processes each row to extract role information and
# create roles using the Sumo Logic API.
# 
# Args:
#     file_path (str): The path to the Excel file containing role data.
# 
# Returns:
#     None. Processes the file and attempts to create roles based on the data.
################################################################################
def process_excel(file_path):
    # Load the spreadsheet
    df = pd.read_excel(file_path, engine='openpyxl')

    # Print column names to help debug and find correct ones
    print("Columns found in Excel:", df.columns)

    # Iterate over each row in the DataFrame
    for index, row in df.iterrows():
        role_name = row['Role Name']  # Correct column name for role name
        source_category = row['Source Category']  # Correct column name for source category to which role is restricted

        # Only create a role if the role name is not null
        if pd.notnull(role_name):
            role_description = f'Provides access to source category {source_category}'
            create_role(role_name, role_description, source_category)


# Process the Excel file
process_excel(excel_file_path)