Friday, February 13, 2009

TVersity/WebSphere Security

Working on my basement & trying to get the XBOX 360 as a usable media viewing platform for my wife. My goal is to have it be the central point of her living room, as I'm moving my main HTPC downstairs with me. :D I have my 500-movie collection ripped to a couple TB drives and encoded in various different formats. Since I don't want to re-rip them all to supported 360 formats (UGH!), I've been looking into TVersity. I'm trying to get it up and running on my dedicated server. Here are a couple of tech notes that pertain to getting this to work:

-As they state, disable SSDP and UPNP services inherent to Win2k8. The software has its own UPNP code.
-If you have a multi-homed box, make sure you use whatever interface your machine likes to dish out in ARP communications. This one is kinda odd.... I haven't figured out all the details yet, but my server makes ARP requests and dishes out the IP of its secondary interface to communicate. I had to bind the TVersity server service to that IP specifically to get clients to connect reliably. Had to use Wireshark to figure this one out.
-Your server needs a soundcard to build the graph to transcode videos. I believe this to be an OS limitation, as it uses the native Windows codec priority to build graphs, and you can't build a transcoding graph without an audio out pin. This is disappointing, as the only sound card I have lying around is a Creative card and I REALLY don't want to install a Creative Labs sound card on a server due to YEARS OLD DRIVER ISSUES CREATIVE IS HORRIBLE GAH WHY DO I STILL BUY THEIR PRODUCTS SOMETHING IS WRONG WITH MY BRAIN.... sorry that just spilled out.

Enough of that. From a more professional perspective, I've been trying to get real keystores working throughout an implementation of WebSphere 6.0.2.x ND Application Server(s). After much trial and error, let me make the following recommendations as to how to pursue this:

1. Do Not: make a new repertoire. This is unfortunate, but IBM's implementation of repertoire management is lacking at best, horrible and unworkable at worst. Even if you go through the trouble to change all web container reference points to the new keys, you will still have to scour other config files manually (mainly server.xml files) to replace references. This is obviously prone to error. I recommend instead replacing the default keystores and truststores (under websphere\appserver\profiles\\etc\dummy*.jks) with your real keys.
2. Do: change the password on the default keystore after you update it. This won't cause issues with two exceptions... you will have to update the passwords in \websphere\appserver\profiles\\properties\sas.client.props and soap.client.props with the new passwords. Make sure to encrypt the files after you do so using IBM's encryption script.
3. Do: delete ALL "dummy" keys and expired certs from all stores. No reason to keep them, it's just a security risk.
4. Do: update the plugin keystore if you use a web server front-end. You just need to make sure that the keystore/truststore (this one should be shared) has your issuing CA chain. Note that this keystore is in CMS format and you'll need to use the GSK7 version of ikeyman to update it. If it doesn't launch properly make sure you have JAVA_HOME set to \websphere\appserver\java\ .
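A quick way to check item 3 after swapping in real keys (added example, not IBM's tooling and not part of the original notes): it scans the text printed by `keytool -list -v` for entries that look like leftover dummy keys or that have expired. The sample listing and its aliases are constructed, matching on the word "dummy" is an assumption, and time zones are ignored, so a result within a day of the expiry instant can be off.

```python
import re
from datetime import datetime

# Constructed sample in the layout of `keytool -list -v`; not from a real keystore.
SAMPLE = """\
Alias name: dummy-sample
Entry type: PrivateKeyEntry
Owner: CN=dummy-sample, O=Example
Issuer: CN=dummy-sample, O=Example
Valid from: Mon Jan 01 00:00:00 UTC 2001 until: Sat Jan 01 00:00:00 UTC 2011

Alias name: old-ca
Entry type: trustedCertEntry
Owner: CN=Old Example CA
Issuer: CN=Old Example CA
Valid from: Sat Jan 01 00:00:00 UTC 2000 until: Sat Jan 01 00:00:00 UTC 2005

Alias name: appserver
Entry type: PrivateKeyEntry
Owner: CN=app.example.internal
Issuer: CN=Example Issuing CA
Valid from: Thu Jan 01 00:00:00 UTC 2009 until: Sat Jan 01 00:00:00 UTC 2011
"""

# Captures "Jan 01 00:00:00" and the year, skipping weekday and zone name.
UNTIL = re.compile(r"until: \w{3} (\w{3} \d{1,2} [\d:]{8}) \S+ (\d{4})")

def audit(listing, now):
    """Return {alias: [reasons]} for entries that should be deleted."""
    findings = {}
    # Every keystore entry starts at an "Alias name:" line.
    for block in re.split(r"(?m)^(?=Alias name: )", listing):
        alias = re.match(r"Alias name: (.+)", block)
        if not alias:
            continue  # header text before the first entry
        name, reasons = alias.group(1).strip(), []
        owner = re.search(r"(?m)^Owner: (.+)$", block)
        # Assumption: leftover default keys carry "dummy" in alias or owner.
        if "dummy" in (name + " " + (owner.group(1) if owner else "")).lower():
            reasons.append("dummy")
        # A chain prints several validity lines; one expired cert is enough.
        for stamp, year in UNTIL.findall(block):
            if datetime.strptime(f"{stamp} {year}", "%b %d %H:%M:%S %Y") < now:
                reasons.append("expired")
                break
        if reasons:
            findings[name] = reasons
    return findings
```

Feed it the saved output of `keytool -list -v` for each keystore and truststore; an empty result means nothing matched.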

Anyhow, I'm going to try to update this more regularly (and my failure to do so will be for all to see...) to have a repository for "gotcha" info I haven't been able to find anywhere else on the internet. This will serve two purposes: 1. We go through so much I can't seem to remember this stuff later, so I'll have documentation of it... 2. Hopefully others will stumble across this info and find it useful since I haven't found it anywhere else.

On the music front, Coheed and Cambria is amazing. I can't stop listening to their 2k5 album release.
