Citrix error 61 not trusted certificate

Uncategorized | Monday June 21 2010 6:49 pm | Comments (0)

There is an issue with the Citrix Client on Linux with some certificate providers. If the client doesn’t recognize the certificate, you get this error when you try to launch an app:

“You have chosen not to trust the “CA PROVIDER” the issuer of the server security certificate”

and then the app won’t start. It’s likely because the CA hierarchy is not correct. The way to work around this issue is to place the missing bits (the CROSS certificate and the SSL ICA certificate) in the client’s certificate folder, located here:

/usr/lib/ICAClient/keystore/cacerts

Now it should be all sorted!

HP Web JetAdmin, printer and other…

Uncategorized | Thursday June 10 2010 1:56 pm | Comments (0)

I was looking for a way to change the IP address of an HP Web JetAdmin server, and to see whether it was possible to create ACLs based on Active Directory users, when I came across a website presenting articles on how to “hack” your network printer. It’s more a compilation of useful things to know than hacking properly speaking, but it could be quite useful and sometimes fun. Anyway, it’s worth checking out.

network printer hacking

On the other side, if for any reason you need to change the IP address of your Web JetAdmin server, here is how to do it:

You first need to back up your settings. You can find the backup tool here if WJA is installed in the default path:

c:\Program Files\Hewlett-Packard\HP Web Jetadmin 10\WJABackupRestore

Note that if you have a non-standard install path, you will have to edit the location of ’set OSQL’ inside the script.

Once the backup is finished, open the file ‘HP.Imaging.Wjp.Core.WebServer.config.xml‘ in the Settings\WjaService\config folder and replace the IP address with the new one.

You should find something like this:

<property name="HostIPv4Address">
  <type>HP.Imaging.Wjp.Sdk.Core.Framework.ConfigurationItemString</type>
  <value>your.IP.address</value>
</property>

Run the restore script and allow it to overwrite the existing database.

You should now have a fully working HP Web JetAdmin!

batch resize photo on Linux

linux, tools | Thursday June 3 2010 8:00 pm | Comments (0)

If you are like me and you have a photo gallery to share your photos with your friends, family and other people, you may have come across the problem of resizing your photos. With a camera taking 4MB photos, I don’t want people to wait 1 min between each photo they look at, so I resize them. You could say that I could use Picasa or something like that, but those services and their look-alikes don’t completely suit me.

Anyway, if you want to do that in a couple of seconds on your favourite Linux distro, you need ImageMagick. It’s a very good command line tool that will allow you to script (or just manipulate) your photos. Very useful when you come back from a safari with 2000 photos :)

You can usually find ImageMagick packaged for every distro, but I’ll show you here how to get it on Debian (or any other distro using apt-get …)

sudo apt-get install imagemagick
cd ~/photos/myphotos/
mkdir resized
cp *.jpg resized
cd resized

ImageMagick doesn’t create a new, smaller photo but actually resizes the file itself, which is why you should keep a copy of your photos if you want to keep them in the original size.
The command to use is mogrify. It’s always good to have a look at the man page, but you basically just need to do as follows to resize a photo.

To resize all the photos with a max height or width:

mogrify -resize 1920 *.jpg

Or to give a fixed size:

mogrify -resize 1024x786! *.jpg

You can do much more with ImageMagick so have a look by yourself!!!

French web TV on Open Sources

Uncategorized | Thursday May 20 2010 5:31 pm | Comments (0)

This post is for my fellow French speakers, as it’s about a French web TV, so I’ll continue in French :)

If you like to keep up with the open source world and want something a bit more interactive than a site like Linuxfr, I recommend taking a look at http://www.intelli-n.tv/

This fairly recently launched site is full of information on various topics, generally not too technical and always interesting :)

There is a news broadcast every day and plenty of other things to watch, such as experts’ talks, …

The content is more business-oriented than geeky-techy but, once again, it’s definitely worth taking a look!
intelli-n.tv

Catalyst Switched Port Analyzer (SPAN)

Cisco | Thursday May 6 2010 8:38 am | Comments (0)

I’m pretty sure everyone who works on networking stuff has had to trace packets, monitor a port on a switch and things like that.
If you need to see what’s going through a specific port on a Cisco switch, the solution is port spanning.
It allows you to reproduce the traffic of one port on another one!

I could have written a post describing some basic SPAN configuration but, as is often the case, Cisco has a good page on their site explaining in detail what it is and how to configure it.

So here is the link to a Cisco article about SPAN.
Switched Port Analyzer

And here is the PDF

Enabling SSH on a Cisco device

Cisco | Wednesday May 5 2010 6:12 pm | Comments (0)

As I’m working on a project related to our new network infrastructure, I’ll post some of the stuff I’m doing here, so the next few posts will likely all be related to Cisco, security, VPN and other things like that.

Here I’ll just quickly show how to configure SSH on a Cisco PIX. If you need to configure a switch or a router, you first have to make sure that your IOS supports it, and then the config will be slightly different.

pix(config)#hostname pix
pix(config)#domain-name mydomain.co.uk
pix(config)#passwd securePassword
pix(config)#ca gen rsa key 2048
pix(config)#ssh 10.20.128.128 255.255.255.255 inside
pix(config)#ssh timeout 60
pix(config)#ca save all

The first 3 lines are not specific to an SSH configuration; you probably already have them configured, as they’re usually among the first things you change!

The ca gen command generates the key; you can choose something smaller than 2048, but that is the standard now (and also the maximum on a PIX).

The line after that is a specific access list that says only 10.20.128.128 can establish an SSH connection from the inside interface. Should you want to make your PIX accessible from everywhere (which is a bit silly but good for testing), here is what you need:

pix(config)#ssh 0.0.0.0 0.0.0.0 outside

Just to clarify one little thing, if you arrive from a site-to-site VPN connection, you’ll hit the inside connection… so if your remote network is say 10.21.0.0 255.255.255.0 and you want to SSH your PIX from there, you should have something like that:

pix(config)#ssh 10.21.0.0 255.255.255.0 inside

As this is an SSH connection, you need to provide a login and a password. The default login is “pix”.

So from a Linux client you would do:

ssh pix@ip_addr_pix

If you want to add some more users, you have to proceed this way:

! add user
user name password *x!7&@a4
!
pix(config)#aaa authentication ssh console LOCAL

Of course, you can also authenticate your SSH session against a TACACS or a RADIUS server, but aaa authentication is not covered here.
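A small audit of the `ssh` lines discussed above, added here as an example (it is not part of the original post, nor a Cisco tool): it flags any-source rules such as the `0.0.0.0 0.0.0.0 outside` test line, address/mask mismatches, long idle timeouts and a missing `aaa authentication ssh console` line. The function name, the thresholds and the sample config are assumptions made for this example.

```python
import ipaddress
import re

# Constructed sample input: the SSH-related lines shown in the post, prompt removed.
SAMPLE_CONFIG = """\
passwd securePassword
ssh 10.20.128.128 255.255.255.255 inside
ssh 10.21.0.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
"""

SSH_RULE = re.compile(r"^ssh\s+(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\S+)$")
SSH_TIMEOUT = re.compile(r"^ssh\s+timeout\s+(\d+)$")  # PIX idle timeout, in minutes
SSH_AAA = re.compile(r"^aaa\s+authentication\s+ssh\s+console\s+\S+$")


def audit_ssh(config, max_sources=256, max_idle_minutes=10):
    """Return (line, finding) pairs for risky SSH management settings.

    max_sources and max_idle_minutes are thresholds chosen for this example.
    """
    findings = []
    has_aaa = False
    for raw in config.splitlines():
        # Accept lines pasted with or without the "pix(config)#" prompt.
        line = re.sub(r"^\S+\(config\)#", "", raw.strip()).strip()
        if SSH_AAA.match(line):
            has_aaa = True
        elif (m := SSH_TIMEOUT.match(line)) and int(m.group(1)) > max_idle_minutes:
            findings.append((line, "long idle timeout"))
        elif m := SSH_RULE.match(line):
            addr, mask, iface = m.groups()
            try:
                net = ipaddress.ip_network(f"{addr}/{mask}", strict=True)
            except ValueError:
                findings.append((line, "address does not match mask"))
                continue
            if net.prefixlen == 0:
                findings.append((line, f"any source allowed on {iface}"))
            elif net.num_addresses > max_sources:
                findings.append((line, f"wide source range on {iface}"))
    if not has_aaa:
        findings.append(("aaa authentication ssh console",
                         "missing: shared 'pix' login in use"))
    return findings
```

Running `audit_ssh(SAMPLE_CONFIG)` reports the any-source rule on the outside interface, the 60-minute timeout and the absence of per-user authentication; the two restricted `inside` rules pass.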

Upgrade the software Images of a Cisco ASA firewall

Cisco | Tuesday May 4 2010 3:09 pm | Comments (0)

This is a very quick post to explain how to update your ASA firewall. Nothing big, as it’s very easy, but since I had to put the info together to get it documented for my colleagues, I thought I could post it here too.

1. Copy the file to an FTP server (CI33024)
2. Logon to the firewall
3. Issue the following commands:
en
copy ftp://[ipaddress]/[filename] disk0:[filename]

You’ll have to confirm the parameters, and then you should see something like this:
Accessing tftp://172.16.31.1/asa722-k8.bin...!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/asa722-k8.bin...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
8312832 bytes copied in 163.350 secs (50998 bytes/sec)

4. Check that the file has been copied correctly

show disk0:

You should see something similar:
-#- --length-- -----date/time------ path
6 5124096 Jan 01 2003 00:06:22 asa702-k8.bin
7 5623108 Feb 12 2010 00:23:48 asdm-631.bin
10 5539756 Feb 12 2007 00:14:18 asdm-521.bin
11 8294400 Dec 07 2006 05:47:20 asa721-24-k8.bin
12 6002680 Dec 21 2006 03:58:30 asdm-52034.bin
13 8312832 Feb 12 2010 22:46:30 asa831-k8.bin

23949312 bytes available (38932480 bytes used)

5. Go to the configuration mode (conf t) and type the following command:
boot system disk0:/asa831-k8.bin

This will replace the path of the image the firewall boots from.
If you update the ASDM, the command is slightly different.

asdm image disk0:/asdm-631.bin

6. Save the config:
write memory

7. Reload the config:
reload

Cisco IOS – Maximum allowed interfaces reached???

Cisco | Monday April 19 2010 6:42 pm | Comments (1)

Last week I came across a very strange error. I needed to create a new VLAN on our core switch. No problem creating a layer 2 VLAN, but impossible to create a layer 3 one…

Here is the error that popped up:

********(config)#in vlan 299
%Cannot create a VLAN interface
Maximum allowed interfaces reached
^
% Invalid input detected at '^' marker.

We don’t have thousands and thousands of VLANs, so it was obviously something else. Is there a much smaller limit on layer 3 VLANs than on layer 2? Yes, but the smaller Cisco devices can support 4000 interfaces (including VLANs and other virtual interfaces). And our switch has a limit of 12000…

Googling this error won’t give you much information, and I have to say that the error easily points you in the wrong direction. It is only when you have a look at the logs that you can see something a bit more interesting.

entry number 215 : INTERFACE_API-1-NOMORESWIDB
No more SWIDB can be allocated, maximum allowed 12000

Here is some theory to get a better understanding of what an IDB is:

SWIDB stands for “Software for Interface Descriptor Block”. There are two types of IDBs, SW (software) and HW (hardware). The Cisco website describes an IDB as follows:

An Interface Descriptor Block (IDB) is a special control structure internal to the Cisco IOS software that contains information such as the IP address, interface state, and packet statistics. Cisco IOS software maintains one IDB for each interface present on a platform and one IDB for each subinterface.

A HWIDB represents a physical interface, which includes physical ports and channelized interface definitions. A SWIDB represents a logical sub-interface (Permanent Virtual Circuit (PVC) or virtual LAN (VLAN)), or a Layer 2 encapsulation (Point-to-Point Protocol (PPP), High-Level Data Link Control (HDLC), and so forth).

Each physical interface on the router consumes a minimum of two IDBs:

  • One HWIDB for the physical port
  • One SWIDB for the Layer 2 encapsulation

A channelized port consumes N+1 HWIDBs, where N is the number of channels within the physical port, plus a minimum of N SWIDBs (Level 2 encapsulation per channel). Any sub-interfaces that you define each add another SWIDB.

Each tunnel interface definition, such as Universal Transport Interface (UTI), Generic Routing Encapsulation (GRE), Multiprotocol Label Switching Traffic Engineering (MPLS TE), or Any Transport over MPLS (AToM) consumes an HWIDB plus one SWIDB per tunnel, plus an additional SWIDB for each additional sub-interface, for example, a Frame Relay PVC, that is tunneled. The tunnel IDBs are in addition to the original interface(s) that are tunneled.

You can have a look at the IDBs in use with the command:

sh idb

So my problem is that I actually reached 12000 interfaces? Impossible! Unfortunately, it is!

When I saw the output of that command, I understood straight away what had happened…

A couple of weeks before, we had installed a new blade chassis. But an error in the configuration created some kind of loop and, as a consequence, new interfaces kept registering themselves on the core switch until the IDB limit was reached. It’s something you don’t realize until you need to configure a new interface…

What is the fix then?

Unfortunately, there is no easy fix, or I should say there is only one, very quick, fix: reloading the IOS… just crazy on a prod switch, even more so knowing it’s the core switch… but unfortunately, even a fail-over of the modules does not resolve this issue (according to Cisco)!

This issue just amazes me because you can clear all sorts of things on the Cisco IOS, but not a table of IDBs… I suppose it doesn’t get full every day but still, I don’t understand why there is no other way to clean this table.

Sync your calendars with outlook

tools | Wednesday April 14 2010 9:48 am | Comments (1)

If you’re like me, you forget everything if you don’t have a reminder, and you are really glad that your phone has a calendar feature. Problem: you’d like to get your calendar synced between all your devices! That’s no longer a problem, as it’s quite easy now to sync stuff between, say, a Google account and your Outlook at work, your phone, or your Thunderbird at home. But like me, you may want to sync more than 1 calendar! And it’s here that you get a problem. It’s perfectly fine with Thunderbird or other email clients, but on Outlook it’s not possible to write to an internet calendar -_-’ and you can only sync your main calendar with Google Sync… You either have to choose to update your ‘other calendars’ from somewhere else, or create the appointment on your main Outlook calendar to get it synced. On the wrong one, but at least it’s synced.

You recently started to find tools to update more than one calendar, but none of them were free. But luckily I finally found one! It’s called Calgoo Hub, very well hidden, but you can download it from here: www.calgoo.com.

With this tool you’ll be able to sync many calendars with one or more Outlook calendars! It’s pretty good software, much better than Google Sync! It’s pretty easy to use so I won’t describe how to do it, but you basically just have to click on open a remote calendar, put the address in it (the .ics address you get from the options on Google, for example), pick a calendar from the list of Outlook calendars and there you are, they are syncing!

So now I can finally update my personal calendar from my Outlook client, and that’s pretty good because it was a real pain before that!!

8 Advanced OpenOffice.org Add-ons

tools | Monday April 12 2010 1:40 pm | Comments (0)

I found an interesting article on LinuxPlanet about OpenOffice.org. There are 2 pages, in case you do not notice.

Some of those add-ons seem very good, like the one for presentations and the one to integrate Google Docs into OOo.

Here is the link:

Linuxplanet
