API, Box, C#, Certificates, Web, XML

How To Use the Box API To Adjust User Properties and Make Read-Only in Bulk (w/example)

  • Get up to date on the APIs you need for users @ https://developer.box.com/v2.0/reference
  • Sign up for your developer account at your enterprise @ https://yourenterprise.app.box.com/developers/console (replace with your enterprise application name in the link above)
  • Create your Box app & API key in the developer console
  • Pull down the Box Windows SDK @ – https://github.com/box/box-windows-sdk-v2
  • Update the pem file with your actual pem information from the app you created
    • in case you’re wondering, it should contain the -----BEGIN ENCRYPTED PRIVATE KEY----- and -----END ENCRYPTED PRIVATE KEY----- lines
  • Update the properties appropriately in the app.config
  <appSettings>
    <add key="boxClientId" value="uniquestringhere" />
    <add key="boxClientSecret" value="uniquestringheretoo" />
    <add key="boxEnterpriseId" value="1234567" />
    <add key="boxPrivateKeyPassword" value="uniquestringhereforpassword" />
    <add key="boxPublicKeyId" value="uniquepublickeyid" />
    <add key="ClientSettingsProvider.ServiceUri" value="useifneeded" />
  </appSettings>
  • From there you can update your Main runner in the program.cs appropriately. In the case of my sample below I am getting authorized, retrieving my users and looping through everyone but the main admin account and making them read-only. I’m also writing the information out to a file so I’ll have the logs of who was set / not set.
 
            // Usings needed at the top of program.cs for this snippet:
            // using System; using System.IO; using System.Text; using System.Threading.Tasks;
            // using Box.V2; using Box.V2.Config; using Box.V2.JWTAuth; using Box.V2.Models;
            // Main must be declared "static async Task Main(string[] args)" for the awaits below.

            var privateKey = File.ReadAllText("private_key.pem");

            // CLIENT_ID, CLIENT_SECRET, ENTERPRISE_ID, JWT_PRIVATE_KEY_PASSWORD and JWT_PUBLIC_KEY_ID
            // hold the values from the appSettings above.
            var boxConfig = new BoxConfig(CLIENT_ID, CLIENT_SECRET, ENTERPRISE_ID, privateKey, JWT_PRIVATE_KEY_PASSWORD, JWT_PUBLIC_KEY_ID);
            var boxJWT = new BoxJWTAuth(boxConfig);

            // The admin token is a bearer token for the enterprise admin: fine to print while testing,
            // but remove the WriteLine before this runs in prod so it does not end up in console logs.
            var adminToken = boxJWT.AdminToken();
            Console.WriteLine("Admin Token: " + adminToken);
            Console.WriteLine();

            var adminClient = boxJWT.AdminClient(adminToken);

            // 1000 is the largest page Box returns; enterprises with more users must page with the offset argument.
            var items = await adminClient.UsersManager.GetEnterpriseUsersAsync("", 0, 1000);

            // One log line per user, written out once the loop has finished.
            var logText = new StringBuilder();

            // A plain foreach with await, not List.ForEach with an async lambda: the lambda version is
            // fire-and-forget, so updates may still be in flight (and their errors lost) when the loop ends.
            foreach (var i in items.Entries)
            {
                Console.WriteLine("\t{0}\n\t{1}\n\t{2}\n\t{3}\n", i.Name, i.Id, i.Login, i.Type);

                if (i.Login != "myspecialadminaccount@domain.com")
                {
                    var userRequest = new BoxUserRequest()
                    {
                        Id = i.Id,
                        Status = "cannot_delete_edit_upload" // Box's read-only user status
                    };
                    // Turn on for prod
                    BoxUser user = await adminClient.UsersManager.UpdateUserInformationAsync(userRequest);
                    Console.WriteLine(i.Name + " updated to read-only");
                    logText.AppendLine(i.Name + " - " + i.Id + " - " + i.Login + " - " + i.Type + " - updated to readonly");
                }
                else
                {
                    Console.WriteLine(i.Name + " NOT updated to read-only");
                    logText.AppendLine(i.Name + " - " + i.Id + " - " + i.Login + " - " + i.Type + " - NOT updated to readonly");
                }

                // Brief pause between calls to stay under the API rate limit.
                await Task.Delay(2000);
            }

            File.AppendAllText("C:\\Temp\\log.txt", logText.ToString());
  • Enable your Box application for your enterprise accounts in the Box admin console
  • Run your app (In TEST with test accounts! Then, with approval, prod.)
    • If the app won’t run…check:
      • code syntax errors
      • certificate pem
      • values in the app config
      • authorization status in the admin Console on Box
      • that your app is enabled and still available on the enterprise developer site

Hope this helps! I can send the source out on request if needed (just let me know).

Certificates, IIS, Security, SSL, Troubleshooting, Web

Dealing with SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE)

A lot of you may be getting emails from your sys admins telling you that you need to protect yourself from the POODLE vulnerability. I wanted to post what I did to bring my servers into compliance.

I used a tool called IISCrypto to apply its best practice template to the server from the command line. It can also put the server into the PCI, PCI31 or FIPS140 template if you need that compliance level.

Here’s what I ran to get it fixed:

[screenshot: the IISCrypto command line run]

They also offer a GUI that you can run to see exactly what’s being used. Here’s the box after I applied the command above, confirming the removal of PCT 1.0 & SSL 2.0/3.0:

[screenshot: IISCrypto GUI after the template was applied]

My recommendation would be to deploy the command line version of the tool, have it apply the best practice template and then restart the box.

However, if you prefer not to use a third-party tool, you can follow the Microsoft suggested actions to update the registry entries and build a .reg script to run.
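If you go the registry route, the script below is an added example (not the author's, and not IISCrypto's output) that applies Microsoft's SCHANNEL registry mitigation for PCT 1.0, SSL 2.0 and SSL 3.0 and then reads the keys back so the change can be recorded. It assumes an elevated prompt and a reboot afterwards.

```powershell
# Added example: disable PCT 1.0, SSL 2.0 and SSL 3.0 in SCHANNEL the way Microsoft's
# registry guidance describes, then dump the protocol keys for an audit record.
# Run from an elevated prompt; SCHANNEL only picks the change up after a reboot.
$protocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

foreach ($proto in 'PCT 1.0', 'SSL 2.0', 'SSL 3.0') {
    # Server = what IIS offers inbound; Client = what this box negotiates outbound.
    # Drop 'Client' if the server still has to talk to a legacy SSL 3.0-only backend.
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $protocols "$proto\$side"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=0 switches the protocol off; DisabledByDefault=1 also stops SCHANNEL
        # offering it to applications that do not pick protocols explicitly.
        Set-ItemProperty -Path $key -Name 'Enabled'           -Value 0 -Type DWord
        Set-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -Type DWord
    }
}

# Verification: list every protocol key so the resulting state can be logged with the change.
Get-ChildItem -Path $protocols -Recurse | ForEach-Object {
    $values = Get-ItemProperty -Path $_.PSPath
    [pscustomobject]@{
        Key               = $_.Name -replace '.*\\Protocols\\', ''
        Enabled           = $values.Enabled
        DisabledByDefault = $values.DisabledByDefault
    }
} | Format-Table -AutoSize
```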

Hope this helps.

Certificates, Web, Wordpress

Redirect All HTTP to HTTPS in WordPress with .htaccess

I recently had a request from a client to force all web traffic on a WordPress site (www or no www) over HTTPS. With all of the security issues that stem from HTTP-only traffic, it is a must. Why, you ask? Well, unless you are explicitly doing this already, users' traffic to your site can be browsed and intercepted with no encryption. If you have an SSL certificate but have not done this to your WordPress site then please do so!

Edit your .htaccess file and add this block above the WordPress rewrite rules (and change the website URL to the URL that is associated with the SSL certificate):

# Force HTTPS. Keep this ABOVE the "# BEGIN WordPress" block: WordPress's own
# "RewriteRule . /index.php [L]" stops processing, so rules placed below it never
# run for permalink requests.
RewriteEngine On
RewriteCond %{HTTPS} !^on$
# R=301 (permanent) so browsers and search engines remember the HTTPS location
RewriteRule (.*) https://www.example.com/$1 [R=301,L]

After this you should see all HTTP browsing to your site automatically redirected to HTTPS. Note: in some cases you will have to update all the links and content of your site to use HTTPS links as well. There are useful plugins out there that can assist with a bulk conversion. Otherwise your users will not get the padlock icon on the page (or, in some cases, the page will not render entirely). Happy securing! Hope this helps, questions are always welcome.
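To confirm the redirect and the padlock from the outside, here is an added check (not from the original post) that requests a permalink over plain HTTP on both the bare and www hostnames, verifies each answers with a redirect to the HTTPS site, and then scans the HTTPS page for http:// resources. `example.com` is a placeholder for the domain on your certificate.

```powershell
# Added example: verify the HTTP->HTTPS redirect for both hostnames and look for mixed content.
# $site is a placeholder; substitute the domain on your certificate.
$site   = 'example.com'
$target = "https://www.$site/"

function Get-RedirectTarget([string]$url) {
    # HttpWebRequest with AllowAutoRedirect off hands back the 3xx response instead of following it.
    $req = [System.Net.HttpWebRequest]::Create($url)
    $req.AllowAutoRedirect = $false
    $resp = $req.GetResponse()
    try     { [pscustomobject]@{ Status = [int]$resp.StatusCode; Location = $resp.Headers['Location'] } }
    finally { $resp.Close() }
}

# A permalink path (not just "/") exercises the ordering with WordPress's own rewrite rules.
foreach ($name in @($site, "www.$site")) {
    $r = Get-RedirectTarget "http://$name/some-post/"
    if (($r.Status -in 301, 302, 307, 308) -and ($r.Location -like "$target*")) {
        "OK   http://$name/some-post/ -> $($r.Location) ($($r.Status))"
    } else {
        Write-Warning "http://$name/some-post/ answered $($r.Status) with Location '$($r.Location)': HTTP is not being forced to HTTPS"
    }
}

# Mixed content: an http:// script, image, frame or stylesheet on the HTTPS page defeats the padlock.
$html  = (Invoke-WebRequest -Uri $target -UseBasicParsing).Content
$mixed = [regex]::Matches($html, '(?i)<(?:script|img|iframe|link|source|video|audio)\b[^>]*?\b(?:src|href)\s*=\s*["'']http://[^"'']+') |
         ForEach-Object { $_.Value } | Sort-Object -Unique
if ($mixed) { Write-Warning "Insecure references on ${target}:"; $mixed }
else        { "OK   no http:// resources referenced on $target" }
```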

Certificates, OpenSSL, Windows

Create .pem/.key/.crt Files from a .pfx Certificate Using OpenSSL on Windows

1. First off, go and get OpenSSL.

Once it is installed you should have a browsable file path to OpenSSL (i.e. C:\OpenSSL).

2. Obtain your PFX file and (for simplicity) place your PFX file in your OpenSSL directory.

(In this example we will assume we have a .pfx file called mycertificate.pfx and your OpenSSL directory is C:\OpenSSL)

3. Run this in command prompt (in your OpenSSL directory) to get the .pem file:

 
openssl pkcs12 -in mycertificate.pfx -out mypemfile.pem

You should now have a .pem file generated from your PFX file.

4. Run this in command prompt (in your OpenSSL directory) to extract the encrypted private key from your PFX file:

openssl pkcs12 -in mycertificate.pfx -nocerts -out myencryptedkey.key

You should now have the encrypted private key extracted from your PFX file (openssl pkcs12 reads PKCS#12 input, so it is given the .pfx rather than the .pem from step 3).

5. Run this in command prompt (in your OpenSSL directory) to create a decrypted private key from the encrypted version:

 
openssl rsa -in myencryptedkey.key -out mydecryptedkey.key

You should now have the decrypted private key from your encrypted version. It is no longer protected by a passphrase, so restrict who can read the file and delete it once it has been imported where it is needed.

6. Run this in command prompt (in your OpenSSL directory) to extract a .crt file from your PFX file:

 
openssl pkcs12 -in mycertificate.pfx -clcerts -nokeys -out certificate.crt

You should now have an extracted .crt file from the PFX file.

That’s it! You should now have encrypted/decrypted keys as well as your .pem and .crt versions of your original PFX files. Happy certificating (I need to coin that term). Questions are always welcome.
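The steps above as one PowerShell session, added here as an example (not from the original post): it runs the four OpenSSL commands, locks the passphrase-less key down to the current user, and checks that the extracted certificate and key actually belong together before either is deployed. It assumes openssl.exe is on PATH (or set `$openssl` to your C:\OpenSSL path) and lets OpenSSL prompt for the passwords so none ends up in the shell history.

```powershell
# Added example: extract .pem/.key/.crt from a .pfx, protect the decrypted key, verify the pair.
# Assumes openssl.exe is on PATH; otherwise set $openssl to e.g. 'C:\OpenSSL\bin\openssl.exe'.
$openssl = 'openssl'
$pfx     = 'mycertificate.pfx'

& $openssl pkcs12 -in $pfx -out mypemfile.pem                      # certificates + encrypted key as PEM
& $openssl pkcs12 -in $pfx -nocerts -out myencryptedkey.key        # encrypted private key only
& $openssl rsa    -in myencryptedkey.key -out mydecryptedkey.key   # strip the passphrase
& $openssl pkcs12 -in $pfx -clcerts -nokeys -out certificate.crt   # leaf certificate only

# The decrypted key is as sensitive as the PFX password: drop inherited ACLs and grant only
# the current user, so other local accounts cannot read it while it waits to be imported.
& icacls mydecryptedkey.key /inheritance:r /grant:r ("$env:USERDOMAIN\$env:USERNAME" + ':F') | Out-Null

# Verification (RSA, as the openssl rsa step assumes): the certificate's public modulus must
# equal the private key's modulus, otherwise the two files came from different PFX files.
$certModulus = & $openssl x509 -noout -modulus -in certificate.crt
$keyModulus  = & $openssl rsa  -noout -modulus -in mydecryptedkey.key
if ($certModulus -and ($certModulus -ceq $keyModulus)) {
    & $openssl x509 -noout -subject -enddate -in certificate.crt
    'OK: certificate.crt and mydecryptedkey.key are a matching pair'
} else {
    Write-Error 'Mismatch: mydecryptedkey.key does not belong to certificate.crt'
}
```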

Active Directory, ADFS, Certificates, Troubleshooting, WAP, Web

Getting Event ID 144 On Your Web Application Proxy When Trying To Connect To ADFS?

Perhaps, as you were setting up your brand new shiny 2012 R2 Web Application Proxy (WAP) to connect to your 2012 R2 Active Directory Federation Services (ADFS 3.0) server, you ran into a 404 error in the web browser, followed by this error message in the Event Viewer logs, when trying your IdP-initiated sign-on test from the internet using the WAP DNS URL:

Event ID 144

The Federation Service Proxy blocked an illegitimate request made by a client, as there was no matching endpoint registered at the proxy.

Huh?!?!? Okay, so here is one of the reasons why it is generated: the DNS name you use at the proxy must match the Federation Service name on your internal ADFS server.

For example, if you configured your internal Federation Service name (adfs.internaldomain.com) to be different from the web application proxy name (adfs.yourexternalweb.com), then when the proxy tries to interpret the request it sees the mismatched DNS name as an illegitimate request and blocks it. And while the WAP can publish various web applications under different DNS names, this does not cover the initial configuration of the WAP when it is first pointed at the internal ADFS server.

So what’s the solution?

Get a DNS entry on your internal domain that points to your internal ADFS server using the name you used for the web application proxy. These names MUST match for the WAP to work. If you cannot get a DNS entry on your internal domain to match the name on the external domain, then my recommendation would be to use the hosts file (etc/hosts) on the proxy to point it at your ADFS server.

Once you have the DNS entry or etc/hosts entry in place for your WAP and ADFS server then do the following:

1. Put the adfs.yourexternalweb.com public cert (with private key) on the ADFS server to be used for communications.
2. (Assuming ADFS has already been configured) Remove the ADFS role from the ADFS server, do not save the databases, and reboot.
3. Install the ADFS role with the new matching Federation Service name (adfs.yourexternalweb.com). Make sure to point to the newly installed certificate. Do not utilize old database information; create a new WID database.
4. Remove the WAP role from the WAP server.
5. Reboot.
6. Reinstall the WAP role and configure it. Once post-deployment has completed successfully, do NOT create an app for ADFS, as it automatically publishes ADFS as a proxy under the covers.
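Before reinstalling the WAP role, the added check below (example code, not from the original post) can be run on the proxy to confirm the two things this error depends on: the external name resolves internally, and the ADFS server presents a certificate for that exact name. `adfs.yourexternalweb.com` is the post's example name; substitute your own.

```powershell
# Added example: pre-flight check on the WAP for the name/certificate mismatch behind Event ID 144.
$fsName = 'adfs.yourexternalweb.com'   # the Federation Service name the WAP will be given

# 1. Internal name resolution (DNS entry or hosts file) must point at the internal ADFS server.
$dns = Resolve-DnsName -Name $fsName -Type A -ErrorAction SilentlyContinue
if (-not $dns) { Write-Error "$fsName does not resolve from this WAP"; return }
"$fsName resolves to $(($dns | Where-Object IPAddress).IPAddress -join ', ')"

# 2. TLS handshake to read the certificate ADFS hands out for that name. Validation is bypassed
#    on purpose so a mismatched certificate can be inspected instead of just failing the connection.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$tcp = New-Object System.Net.Sockets.TcpClient($fsName, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
try {
    $ssl.AuthenticateAsClient($fsName)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $ssl.Dispose(); $tcp.Dispose()
}

# Collect the subject CN plus any Subject Alternative Name DNS entries
# (Windows formats the SAN extension as "DNS Name=host, DNS Name=host").
$names = @($cert.GetNameInfo('SimpleName', $false))
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) {
    $names += $san.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=', 2)[-1].Trim() }
}

if ($names -contains $fsName) {
    "OK: ADFS presents a certificate for $fsName (valid until $($cert.NotAfter))"
} else {
    $msg = "Mismatch: certificate names [{0}] do not include {1}. The Federation Service name and " +
           "the WAP name must match or the proxy rejects the request (Event ID 144)."
    Write-Warning ($msg -f ($names -join ', '), $fsName)
}
```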

Hope this helps. Questions are welcome.