Friday, August 10, 2012

Cisco WLC and OpenSSL Madness

I was trying to convert a PFX file to be used for webauth on a Cisco WLC running the latest 7.x code. I've done this several times before in past lives and expected no resistance, but I could not get the WLC to accept the PEM certificate converted by OpenSSL 1.0 from a CentOS 6.3 server.

The WLC kept reporting a "private key decode failed".

However, one stroke of luck I found this post:

The forum member recommended using OpenSSL for windows at a version <1.0. One attempt and it went beautifully, the WLC accepted the certificate!

Does anyone have any ideas? Hopefully this helps someone else.

Thursday, August 2, 2012

IPv6 Application Support in a state of Flux

Lots of people go on and on about IPv6. Some heralding its arrival (see World IPv6 Launch Day) and some gnashing their teeth (every server admin out there who loves doing everything by address). I'm not going to get into that. Its coming, and it will be a great thing once it gets here, but he growing pains are going to hurt.

I'm going to talk through two recent headaches caused by having IPv6 enabled.

First, Windows Server 2008 R2. IPv6 is enabled by default, and when recently building a new domain controller, having IPv6 on (and more importantly, what it does by default) gave me a world of hurt.

By default, the IPv6 stack is preferred over IPv4. This means that for any outbound connection, if the system thinks it can use IPv6, it will (try to) do so. Additionally, by default, the IPv6 stack uses the ::1 IPv6 loopback address as its default nameserver on my Windows 2008 R2 server. (I can't find any documentation as to why or if this is normal)

Microsoft themselves say never to configure a DC running the DNS role to use itself as the first/primary DNS server, it can lead to a race condition of sorts.

So the combination of these two default behaviors gave me a killer headache when adding the AD DS and DNS roles to a 2008 R2 server. The AD DS was unable to replicate the AD databases, including the DNS zones, due to failed DNS lookups against an empty server. I was only able to find this by nslookup defaulting to ::1 as the nameserver to search against when I was troubleshooting.

Secondly, like Windows 2008 and Windows 7, Java 7 also prefers IPv6 over IPv4. However, poor little Java has no indication service to know if the IPv6 stack is functioning properly or not. (Windows 7/2008, outside of Java, does this quite well, Java should pay attention to how MS tracks it). So if you are having issues (like me) running Java Applications or launching Web Starts, this blog points out the ever-so-graceful solution in Windows. You can also try adding these to the startup arguements to the java command line calling your jnlp or jar files, but I don't recommend it for Java Web Start applications, they are usually meant to be launched on-demand from a browser.

PS, if you are running AnyConnect like the blogger was, you must sign out of your current session and reconnect before the change is picked up.