Re: OT: JOB UK : Senior Technical Support Technician
Somewhat along the same lines, I am curious to know how those p.i.t.a. rules that the customs agents are operating under are affecting those who do travel internationally. From the understanding that I have, they now have the authority to either scrutinize the contents of your laptop, MP3 player, cellphone, or other electronic device and to even confiscate it for an indeterminate amount of time - without stating a reason.

How about Certificate of Registration for mobile equipment... Are they actually required?

Robert, Jennifer what planet are you on? Anyone who has EVER traveled extensively internationally will tell you they hate dealing for immigration, ours, theirs or whatever. Getting a work permit from these folks just adds a new level of frustration, IMHO.

FYI, having lived and worked in UK I can tell you that it was a royal pain to get a Work Permit. As a matter of fact, I could NOT be in UK while they processed the paperwork for the work permit. So if the sponsor doesn't have the ability to get the employee a work permit then good luck with that and let us all know. Funny thing was, once I got the work permit I was told that in a matter of time I could also apply for permanent residency/citizenship.

Tally Ho

Quite honestly, while living and working in another country sounds exciting there are always issues. I have lived in and worked in several countries in Southeast Asia and UK. At the end of the day while I enjoyed experiencing new cultures the cost of living and living standards are not always the same. Pony up 17.5% VAT Tax on everything and focus on the US/Pound exchange and she might have a change of heart.

BTW: The original request asked for a RAC, so I guess if you are a RAC or RSP then yes perhaps the employer would get you a work permit?

At the end of the day ALWAYS consult the country of destination's Immigration Dept. for answers: http://www.bia.homeoffice.gov.uk/workingintheuk/

Good Luck either way.
Gidd

From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of Robert Molenda
Sent: Wednesday, May 07, 2008 9:44 AM
To: arslist@ARSLIST.ORG
Subject: Re: JOB UK : Senior Technical Support Technician

I'm assuming that you have a United States Passport :) Depending upon the length of the job, you may or may not require a VISA to work in the UK... You will definitely need a Work Permit... Whoever is hiring you should arrange for the WP / Visa (if needed) - Then you must receive the WP and have your passport stamped, etc. This in itself can be a long process... I know, just got back from a UK assignment - in process of extending the WP so I can go back and continue with other development topics :)

HTH

On Wed, May 7, 2008 at 6:53 AM, Jennifer Meyer [EMAIL PROTECTED] wrote:

Kathy, You don't need anybody's permission to work overseas. You find an employer who has an opening, buy a plane ticket and poof! you're working overseas. Your employer will get you through the visa requirements.

Jennifer Meyer

From: Kathy Morris
Sent: Tue 06-May-08 18:37
To: arslist@ARSLIST.ORG
Subject: Re: JOB UK : Senior Technical Support Technician

Hello, I was wondering what is involved to get to work in the UK. I live in the United States however I would like to work in Europe. Who do I contact to get permission to work overseas.

In a message dated 4/8/2008 7:22:30 A.M. Pacific Daylight Time, [EMAIL PROTECTED] writes:

Good Afternoon List, I hope you are all well. I currently have a role for a Senior Technical Support Technician to join a team in the UK. The role would be split between home, customer site and my client's offices when required. They are looking for RAC or ATS certification with strong IT architecture skills. The role is responsible for maintaining client IT Architecture and performing level 3 support.
There is a full job specification available for interested individuals and I would be happy to discuss this and the remuneration package in more detail off-list. My contact details are below, but I can be contacted directly on +44 1256 885 982 or at [EMAIL PROTECTED] (mailto:[EMAIL PROTECTED]) . Please feel free to submit your CV for consideration. Thank you for your time and I look forward to hearing from you. Kind regards, Rachel Rachel Kerwick Account Manager Resource Management Solutions Ltd. DDI: +44 (0) 1256 885 982 Mobile: +44 (0) 7875 431 604 Tel: +44 (0) 870 803 4080 Fax: +44 (0) 870 803 4090 Email: _ __Platinum Sponsor: www.rmsportal.com http://www.rmsportal.com/ ARSlist: Where the Answers Are html___ -- If it were not for the gutter, my mind would be homeless! __Platinum Sponsor: www.rmsportal.com ARSlist: Where the Answers Are html___
Re: OT: JOB UK : Senior Technical Support Technician
I am sure that they have! It's just that, well, with the way things are nowadays travel for work might make a journey such as this worth the hassle. If I were going to go on vacation, however, I'd almost ask myself if it were really worth it to bring along the gizmos... As always folks, I do appreciate the feedback... William, Customs officials have ALWAYS had that power. But today's process is such that it gets utilized more! On 5/7/08, Gidd [EMAIL PROTECTED] wrote: Robert, Jennifer what planet are you on? Anyone who has EVER traveled extensively internationally will tell you they hate dealing for immigration, ours, theirs or whatever. Getting a work permit from these folks just adds a new level of frustration, IMHO. FYI, having lived and worked in UK I can tell you that it was a royal pain to get a Work Permit. As a matter of fact, I could NOT be in UK while they processed the paperwork for the work permit. So if the sponsor doesn't have the ability to get the employee a work permit then good luck with that and let us all know. Funny thing was, once I got the work permit I was told that in a matter of time I could also apply for permanent residency/citizenship Tally Ho Quite honestly, while living and working in another country sounds exciting there are always issues. I have lived in and worked in several countries in Southeast Asia and UK. At the end of the day while I enjoyed experiencing new cultures the cost of living and living standards are not always the same. Pony up 17.5% VAT Tax on everything and focus on the US/Pound exchange and she might have a change of heart. BTW: The original request asked for a RAC, so I guess if you are a RAC or RSP then yes perhaps the employer would get you a work permit ? At the end of the day ALWAYS consult the country of destination's Immigration Dept. for answers: http://www.bia.homeoffice.gov.uk/workingintheuk/ Good Luck either way. 
Re: Remedy Integration Available ?
I dunno... Getting cuffed along side of the melon just plain smarts - unless, of course, you're Klingon and sharpen the fangs by hand because you think that pain is fun. :-p Now if you had mentioned something about chowing down an animal that went 'moo', optionally has grill marks and is preferably still bleeding a bit... Slapped could be good ;) FYI - MN people -- care to get together for a Sushi lunch some time - just for fun? Email me if interested. -John On Thu, May 1, 2008 at 3:28 PM, William Rentfrow [EMAIL PROTECTED] wrote: ** Asking a random secretary if they want to integrate MIGHT just get ya slapped :) PS - Hi, I hope all is well over there. I'm about 5 miles south of ya. -- *From:* Action Request System discussion list(ARSList) [mailto: [EMAIL PROTECTED] *On Behalf Of *John Sundberg *Sent:* Thursday, May 01, 2008 2:59 PM *To:* arslist@ARSLIST.ORG *Subject:* Re: Remedy Integration Available ? ** Gidd, I don't have an integration for Lawson - but their headquarters are about 400 yards away -- I could go ask the receptionist :) -John On Thu, May 1, 2008 at 10:19 AM, Gidd [EMAIL PROTECTED] wrote: ** Listers: Anyone aware of integration tool(s) to Lawson Accounting application? Any advice, suggestions or integration issues would be appreciated. Regards Gidd *Glidden L. Calden* *BUOYANT SOLUTIONS, INC.* Keeping business afloat ...in a Sea of Solutions Office ( *916.334.0599* FAX 4 *916.265.0112* Web 8 *http://www.buoyantsolutions.net* E-mail + *mailto:[EMAIL PROTECTED] [EMAIL PROTECTED]* This message and any attachments are intended only for the use of the addressee and may contain information that is privileged and confidential. If the reader of the message is not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. 
If you have received this communication in error, please notify us immediately by e-mail and delete the message and any attachments from your system.

-- John David Sundberg 235 East 6th Street, Suite 400B St. Paul, MN 55101 (651) 556-0930-work (651) 247-6766-cell (651) 695-8577-fax [EMAIL PROTECTED]

___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Platinum Sponsor: www.rmsportal.com ARSlist: Where the Answers Are

-- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

-- - Will Du Chene - [EMAIL PROTECTED] http://www.myspace.com/wduchene - ...you're an anti-Microsoft zealot... - Norm Kaiser -
Re: One company not able to recieve emails
There are a lot of things it could be. The logical thing to do is to take the same path that the message would.

Open an ssh session over to the server that is sending the mail and 'su - name' to whatever account it is that the messages are being sent from.

First, try to resolve the hostname via whois/host/dig or whatever tool it is that you can use to determine the IP address of the host. Does it match what it is supposed to? I've seen people try to plug a host name into a mail client, and then inadvertently hit the wrong server because the IP of the box had changed out due (fail over and cached records can be a pain. Yeah.. I know. It shouldn't happen, but...)

If you are sure that you have the correct address and hostname, then try telnetting to the smtp port on the remote mail host. Something like this:

    telnet remote-host-name 25

should get you connected. Now, the remote server, depending on the mail package that is being used and how it is configured may or may not display a banner for you to see. If it does, wonderful. If not, also wonderful because it means that the remote mail administrator did his homework and knows that the banner is one less piece of information to give the bad guys.

Speak the SMTP protocol. It's simple:

Introduce yourself to the server:

    HELO your-host-name

The server, if it likes you, should respond with something like this:

    250 Hello, your-host-name. I am pleased to meet you.

Now, tell the server who the mail that you're sending is from:

    MAIL FROM: [EMAIL PROTECTED]

If you are allowed to send mail or rather the server has been configured to accept mail from your domain, it should respond with something like:

    250 Sender OK.

Next, tell the remote mail host who you are sending the message to:

    RCPT TO: [EMAIL PROTECTED]

If there is nothing wrong with the remote mail box/account, and the account exists, it should say something like:

    250 Recipient OK.

Tell the server that we have a message to send:

    DATA

The server should respond with:

    250 Begin message. Send a . on a line by itself to close message.

Now - enter a test message that should be received by the remote user or account.

    Subject: Mail Test

    This is a test.
    .

At this point, the server should accept the message into the local mail queue on the server for delivery. If there are no issues, you should see something like this.

    250 Message accepted for local delivery.

Now, be a nice net person and close the connection the proper way.

    QUIT

The server will close the connection.

I am going from memory here so the error codes themselves might vary a little bit. Any error messages should be seen with a 500 code. If there are any Spam filters, or gray listing milters installed, they should show a message during your session (unless they have been configured to filter content later which - IMHO - is tacky).

If all of this works, call the remote administrator and ask him to check his mail log. If anything weird is happening, like the remote server is out of space on the mail or log volume, it should show an error in there.

If worse comes to worse, do what I like to do - go to the remote server with a pair of crash paddles and hit it with 250,000,000,000,000 volts.

Offered humbly.

I just had a situation where a customer could receive email from my Outlook account but could not receive information sent directly from our Unix server (where ARS is running) through sendmail. He had to include our server in his safelist. Don't know what type of mail system or mail filtering system he is using.

Dan

Dan Wangler, Team Lead, STARS Group Phone: 214-567-8304; email: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] Client/Server Services, IT Operations Texas Instruments, Inc. 6500 Chase Oaks Blvd., MS 8401 Plano, Texas, 75023

From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of Phil Murnane
Sent: Thursday, April 24, 2008 10:46 AM
To: arslist@ARSLIST.ORG
Subject: Re: One company not able to recieve emails

Chris: In the past, I've seen spam filtering cause organizations to not receive Remedy email alerts. It might be GroupWise itself or it may be some integrated security application (eg, Norton/Symantec).

HTH, --Phil

- Original Message
From: Moore, Christopher Allen [EMAIL PROTECTED]
To: arslist@ARSLIST.ORG
Sent: Thursday, April 24, 2008 6:14:05 AM
Subject: One company not able to recieve emails

Hey everyone- We support 27 different "companies" (state agencies) and the users for one of them are not receiving any email notifications from Remedy. Emails are being sent without errors from our end- as far as we're able to see they were successfully delivered. Other agencies are receiving emails. At this particular agency they don't use Exchange, they use Groupwise. I have never heard of
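
The manual telnet session described in this thread can also be checked mechanically. The following is an added example, not part of the original messages: it reads a saved session transcript and reports the first SMTP stage the remote server refused. It follows RFC 5321 (354 after DATA, 4xx replies temporary, 5xx permanent); the host names, addresses, hint texts and the three transcripts are constructed for illustration.

```python
import re

# A reply line is a 3-digit code, then "-" (more lines follow) or " " (last line).
REPLY = re.compile(r"^(\d{3})(?:([ -])(.*))?$")

# Success code expected at each stage (RFC 5321). CONNECT is the greeting,
# BODY is the reply to the lone "." that ends the message text.
EXPECTED = {"CONNECT": 220, "HELO": 250, "EHLO": 250, "MAIL": 250,
            "RCPT": 250, "DATA": 354, "BODY": 250, "QUIT": 221}

# General guidance on where to look, keyed by the stage that failed.
HINTS = {
    "CONNECT": "sending IP refused at connect time (blocklist or rate limit)",
    "HELO": "server dislikes the name given in HELO (check forward/reverse DNS)",
    "MAIL": "sender address or domain refused (ask for safelisting)",
    "RCPT": "recipient refused: unknown mailbox, relay denied or greylisting",
    "DATA": "server will not accept a message on this connection",
    "BODY": "message refused after content scan (spam or virus filter)",
}


def parse_session(lines):
    """Pair each client command with the final line of the server's reply."""
    steps, stage, in_body = [], "CONNECT", False
    for raw in lines:
        line = raw.rstrip("\r\n")
        if in_body:                      # message text: never parse as replies
            if line == ".":
                in_body, stage = False, "BODY"
            continue
        m = REPLY.match(line)
        if m:
            if m.group(2) == "-":        # continuation of a multi-line reply
                continue
            code = int(m.group(1))
            steps.append((stage, code, m.group(3) or ""))
            in_body = stage == "DATA" and code == 354
        elif line.strip() and steps:     # client command (telnet preamble skipped)
            stage = line.split(None, 1)[0].upper().rstrip(":")
    return steps


def diagnose(lines):
    """Return a dict describing the first refused stage, or None if all passed."""
    for stage, code, text in parse_session(lines):
        if code == EXPECTED.get(stage) or code < 400:
            continue
        return {"stage": stage, "code": code, "text": text,
                "kind": "transient" if code < 500 else "permanent",
                "hint": HINTS.get(stage, "unexpected reply")}
    return None


# Constructed transcripts (not captured from a real server).
_HEAD = """\
Trying 192.0.2.25...
Connected to mail.example.org.
220 mail.example.org ESMTP
HELO ars.example.com
250 mail.example.org
MAIL FROM:<arsystem@ars.example.com>
250 2.1.0 Sender OK
RCPT TO:<user@example.org>
"""
_BODY = "DATA\n354 End data with <CR><LF>.<CR><LF>\nSubject: Mail Test\n\nThis is a test.\n.\n"
_TAIL = "QUIT\n221 2.0.0 Bye\nConnection closed by foreign host.\n"

OK_SESSION = (_HEAD + "250 2.1.5 Recipient OK\n" + _BODY
              + "250 2.0.0 Message accepted for delivery\n" + _TAIL).splitlines()
GREYLISTED = (_HEAD + "451 4.7.1 Greylisted, try again later\n" + _TAIL).splitlines()
CONTENT_REJECT = (_HEAD + "250 2.1.5 Recipient OK\n" + _BODY
                  + "554-5.7.1 Message rejected\n554 5.7.1 by content filter policy\n"
                  + _TAIL).splitlines()

if __name__ == "__main__":
    for name, log in [("ok", OK_SESSION), ("greylisted", GREYLISTED),
                      ("content", CONTENT_REJECT)]:
        print(name, diagnose(log))
```

A transient result at RCPT usually clears on the sender's next retry, while a permanent result after the message body points at the remote filter, which matches the safelisting fix reported in the thread.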
Re: Default Roles, System Privileges etc needed for aradmin user on Oracle
If you're installing on a *nix box, there should be a .sql or .ora file in the installation directory (or the package directory - it's been a while) that should contain the statements that are used to create the arsystem database. I am not sure, but I believe that the grant information might well be in there.

Could anyone who has installed the AR System over Oracle, using the AR System installer to create the database on Oracle give me a list of all the Roles and System Privileges that are granted to the aradmin user by the installation script? Are there any other settings for the aradmin user besides the Roles and System Privileges that I must take care of before I start installing? I have already defaulted the ARSYSTEM table space and the ARTEMP space needed for this user. Thanks for all your responses..

Cheers Joe

-- - Will Du Chene - [EMAIL PROTECTED] http://www.myspace.com/wduchene - ...you're an anti-Microsoft zealot... - Norm Kaiser -
Re: Creating a Remedy Sandbox
Wow... It sure would be nice if they had a developer subscription available, don't ya think?

Read Oracle's Developer license agreement: http://www.oracle.com/technology/software/htdocs/devlic.html?url=/technology/software/products/ias/htdocs/101401.html

BMC is in the business of making money. My inclination is that they won't sanction any activity unless it meets their business model.

Axton

On Fri, Apr 18, 2008 at 5:31 PM, Gary Lambert [EMAIL PROTECTED] wrote:

Hello Listers, I am interested in creating a robust Remedy sandbox environment to train consultants remotely. I would like to avoid buying licenses from BMC Oracle to do this. I've heard some time ago that both Remedy and Oracle software with limited functionality is available for downloading gratis. Does anyone have any experience or info to share regarding sandbox building? I've also heard that a purchased license key may be required before obtaining a test version. Thanks!

Gary Lambert Pacific Telematics, Inc. [EMAIL PROTECTED] (650) 218-8603

-- - Will Du Chene - [EMAIL PROTECTED] http://www.myspace.com/wduchene - ...you're an anti-Microsoft zealot... - Norm Kaiser -
Re: Releasing licenses from the users who are inactive in Remedy System
Jegan: As far as I am aware, a fixed license is exactly what the name implies: it's fixed to that user - period. If you were to remove that license automatically, and then assign it to another user, and then swap it back to the original user when needed, well - IMHO - that road may take you someplace where you really don't want to be.

There is a reason why floating licenses were invented. Yes. They are more expensive and there is a very good reason for that: the licenses are shared between a pool of users and time out after a certain amount of time. Just remember to establish a baseline, if you will, between the number of users and the number of licenses. 4 to 1 seems a safe number (four users per floating license with a reasonable timeout set on the server).

Personally, I'd recommend that you lay out to the powers that be to consider getting some of them, rather than attempting to circumvent a licensing characteristic. Pursuing the latter will almost certainly raise an eyebrow or two in the event that you get audited.

We have more inactive people in Remedy system but with licenses allocated to them (Fixed). In the process of optimizing the allocation of licenses, is there any work around available in Remedy to free up those licenses automatically? Have gone through few documents but couldn't trace it out. Any help would be appreciated.

Thanks in advance Jegan

-- - Will Du Chene - [EMAIL PROTECTED] http://www.myspace.com/wduchene - ...you're an anti-Microsoft zealot... - Norm Kaiser -
Re: Releasing licenses from the users who are inactive in Remedy System
It sounds like your user cache is not in sync with the data that is contained in the form. Try running an arreload for the users to see if the issue clears up. I am taking an educated guess here, so your mileage may vary from the posted norms.

On a related subject. I am running Remedy 6.3 and I currently see a difference of 5 licenses between the Allocated Fixed Licenses and the Purchased Licenses. Does anyone know how I can reclaim them. When I try to assign one of them I receive an error that there are no licenses available.

Thanks in Advance, Dan

-Original Message-
From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of William H. Will Du Chene
Sent: Wednesday, April 16, 2008 1:45 PM
To: arslist@ARSLIST.ORG
Subject: Re: Releasing licenses from the users who are inactive in Remedy System

Jegan: As far as I am aware, a fixed license is exactly what the name implies: it's fixed to that user - period. If you were to remove that license automatically, and then assign it to another user, and then swap it back to the original user when needed, well - IMHO - that road may take you someplace where you really don't want to be.

There is a reason why floating licenses were invented. Yes. They are more expensive and there is a very good reason for that: the licenses are shared between a pool of users and time out after a certain amount of time. Just remember to establish a baseline, if you will, between the number of users and the number of licenses. 4 to 1 seems a safe number (four users per floating license with a reasonable timeout set on the server).

Personally, I'd recommend that you lay out to the powers that be to consider getting some of them, rather than attempting to circumvent a licensing characteristic. Pursuing the latter will almost certainly raise an eyebrow or two in the event that you get audited.

We have more inactive people in Remedy system but with licenses allocated to them (Fixed). In the process of optimizing the allocation of licenses, is there any work around available in Remedy to free up those licenses automatically? Have gone through few documents but couldn't trace it out. Any help would be appreciated.

Thanks in advance Jegan

-- - Will Du Chene - [EMAIL PROTECTED] http://www.myspace.com/wduchene - ...you're an anti-Microsoft zealot... - Norm Kaiser -
Re: Implementing SSL on Tomcat on Windows servers
Try swapping the connector port from 8443 to just 443 and recycle the service to see if it connects.

Any great ideas out there??

Christopher Strauss, Ph.D. Call Tracking Administration Manager University of North Texas Computing IT Center http://itsm.unt.edu/

-- - Will Du Chene - [EMAIL PROTECTED] http://www.myspace.com/wduchene - ...you're an anti-Microsoft zealot... - Norm Kaiser -
Re: Implementing SSL on Tomcat on Windows servers
Just out of curiosity, are there any error messages in your logs that might narrow down what might be happening? :-)

I am not sure if this will help or not, but I just did some digging around in the tomcat docs, and it seems that there is a different syntax for the connector that can be used. The alternative syntax - from the documentation - looks like this:

    <Connector port="443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               SSLEngine="on"
               SSLCertificateFile="${catalina.base}/conf/localhost.crt"
               SSLCertificateKeyFile="${catalina.base}/conf/localhost.key" />

Most of the attributes for the connector are the same. There are some notable additions, however. The port has changed, and there are now SSLEngine, SSLCertificateFile and SSLCertificateKeyFile properties.

GeoTrust finally came up with a kb article just last week that solves the problem where you have a certificate for your IIS server but want to run mid-tier on tomcat/catalina instead of IIS, and need to move the certificate over. This may help some of you, too.

https://knowledge.geotrust.com/support/knowledge-base/index?page=content id=S:SO8019actp=searchsearchid=1204671504729

Now if I could just figure out how to get tomcat 5.5.26 to recognize the code block where you turn on SSL in the config.xml file - it works in 5.5.17 and 5.5.20, but not .26. Today support had me install 5.5.26 to solve some problems with the 7.1.00.002 mid-tier, and the only thing that didn't get better was the ability to implement SSL. This code block works on 5.5.17 and 5.5.20 but not 5.5.26. Huh??

    <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="C:\certfile.pfx" keystorePass="password"
               keystoreType="PKCS12" />

After activating the 8443 port with this (or a faked certificate like Will sent me instructions for), I can access http://localhost:8443/ but not https://localhost:8443/ - the browser times out on the latter. One step forward, two steps back!

Any great ideas out there??

Christopher Strauss, Ph.D. Call Tracking Administration Manager University of North Texas Computing IT Center http://itsm.unt.edu/

-- - Will Du Chene - [EMAIL PROTECTED] http://www.myspace.com/wduchene - ...you're an anti-Microsoft zealot... - Norm Kaiser -
Re: Implementing SSL on Tomcat on Windows servers
Did it work, Chris? The curiosity is killin' me... I'm still loitering around the cubicle...

Just out of curiosity, are there any error messages in your logs that might narrow down what might be happening? :-)

I am not sure if this will help or not, but I just did some digging around in the tomcat docs, and it seems that there is a different syntax for the connector that can be used. The alternative syntax - from the documentation - looks like this:

-- - Will Du Chene - [EMAIL PROTECTED] http://www.myspace.com/wduchene - ...you're an anti-Microsoft zealot... - Norm Kaiser -
Re: Two quick port questions
A port is more or less like a cell phone. Most of us carry one for use, and likewise, each of us prefer to have our own. When we have to share them with others, the situation that it creates is somewhat awkward. The very same thing is true of communications ports.

First question - yes. The AR System server and the plug in server cannot share the same port. There is nothing that says that they cannot be one port up from each other, however.

Second question - No. The AR System server should be able to connect to it locally provided that it knows what port the server is on. Interestingly enough, I am not sure if a remote address can connect to a plugin server like that. I've never tried. Just for the sake of curiosity, it would be neat if someone could try it and post the answer.

HTH.

William, Others will let me know if I am wrong, but I think internal unless you are using some code (api) to talk to the plugin from out side the box.

hbr

On Thu, Feb 28, 2008 at 2:44 PM, William Rentfrow [EMAIL PROTECTED] wrote:

AR Server 7.1 patch 001 on Solaris - SLM 7.1/IM 7.03

Does the plugin server port have to be different than the ar server port if you are not using portmapper? I believe so...but nothing explicitly says so in the docs for 7.1

Also, let's assume the arserver is on port 7800 and the plugin-port is configured to be 7801. Does port 7801 have to be open to the outside world? Or does it just communicate with the arserver?

William Rentfrow, Principal Consultant [EMAIL PROTECTED] C 701-306-6157 O 952-432-0227

-- Howard Richter ITIL Foundation Certified Red Hat Certified Technician CompTIA Linux+ Certified [EMAIL PROTECTED] Resume = http://hotjobs.yahoo.com/resumes/hrichter_1/masterresume20(2)

-- - Will Du Chene - [EMAIL PROTECTED] http://www.myspace.com/wduchene - ...you're an anti-Microsoft zealot... - Norm Kaiser -
Re: Interview questions
Speaking of which, does anyone have a .PST file of the archives, or an MBOX that I could get a copy of? TIA.

Look in the archives.

Axton Grams

--
Will Du Chene
[EMAIL PROTECTED]
http://www.myspace.com/wduchene

...you're an anti-Microsoft zealot... - Norm Kaiser
Re: Interview questions
Bah! If I am interviewing someone (and there have been a few choice occurrences of this in the past which were against my will and my manager had to drag me from my console sessions, kicking, screaming, and clawing cube walls the entire distance to the conference room) I am not looking for what they have done in the past, what books they read, what animals might be on the cover of books, or what degree the person has. When you think about it, these criteria are positively useless.

Using the above, the interviewee might well 1.) have seen the books in passing and be able to identify them, 2.) might copy someone else's design concept (what if it is patented, or confidential?), or 3.) have a degree (or not have one at all) in one field, but have been subverted into working with the platform of choice at some point and been doing so for some time. (I once knew a talented AR System developer who was nuts about the product and was darn good with it, but had a PhD in Theoretical Mathematics. He'd teach an occasional class at a college when time permitted as well. Go figure.)

So - you see, most of the criteria that get used so often are - IMHO - bunkus. An ideal candidate is one that is a passionate person; who is not just fond of a platform or a technology, but rather is obsessed with it. A candidate must be willing to learn; to go to bed at night with the technical manual and wake up in the morning with the zipper-like seam across their forehead because they fell asleep face-first on the manual. I don't want someone that is able to recite back what they learned sitting in a classroom at some training center and thinks that it's cool because they now have a cute little cert sitting in a frame on their cube wall.
If I were to pick, I'd want the person that gets a smile on their face about the technology, the one that one leg starts jumping up and down when they're talking about the platform, and the one that the heart rate starts to pick up when you show them the latest version of the software. The whole point is not what you know - it's what you can do with that which you do know.

I'd hire the person that has notes scribbled all over the manuals, and keeps crib notes stashed in his/her pocket written on napkins and bubble-gum wrappers or a code book (a book where random ideas about system design are sketched out), and I would more than likely file-thirteen the resume of the candidate that has all of the certs, and a zillion years of experience with whatever it is that you're working on.

Why, you may ask? Simple. There is no room in a small cube for an ego that has been developed to such an extent, nor is there an allowance in a budget for the salary that is demanded. Most really good developers are forged in the fires of code, learning, and tribulation - not stamped from a mold, prepackaged and shrink-wrapped for sale.

C'mon, you know that this is a fact... How many of us got up one day when we were kids and said, I wanna grow up to be an AR System developer? I'd wager that the answer is - ahem - none. We all got drafted.

If you're hiring for a position, more than likely you want someone that is going to do the job (maybe the candidate might not be able to at first, and would require some training or getting their hands wet with the technology first), someone who will be obsessed about it, and not someone who is going to cost you a few hundred an hour with perks and travel expenses.
You want someone that you can drop into the desert of a server room one day, and the next day when you check on 'em, you can see that they are dug in, got a suntan, a water reservoir, and have some sort of meat cooking over a BBQ spit, rather than finding that your million dollar candidate is parched from calling for room service and looking for the butler.

Hire ninjas with very little or nothing to lose, not samurai that come from the court with vast tracts of assets.

Just my thoughts... Offered humbly...

Best question I ever got as a developer was a request for me to design a Car

Of course the interviewer was looking to see if I'd ask questions about the type of Car, Usage, etc

If I had just designed it as I wanted, I'd be back in Ohio!

Warren

--
Will Du Chene
[EMAIL PROTECTED]
http://www.myspace.com/wduchene

...you're an anti-Microsoft zealot... - Norm Kaiser
Re: Apache vs IIS
I never said easy to administer. What I did say was simple to configure. Obviously, there is some room for interpretation there.

...how the @()[EMAIL PROTECTED] do you get the damn thing to do SSL..

Fair question. It deserves a fair answer. Here is a tutorial that took me all of about 20 minutes to put together.

<Tomcat + SSL Tutorial>

*Tomcat Install*

1. Download the installer from http://tomcat.apache.org.
2. Run the installer.
3. Agree to the license.
4. Choose your options.
5. Select an installation directory.
6. Select a connector port, username and password. (Add a password, accept default port.)
7. Select path to the correct JRE.
8. Press the install button.
9. Leave the Run Apache Tomcat option selected.
10. Press the finish button.
11. The service will start once the installer is closed.
12. Download the administration interface package.

*SSL Keys*

1. Download and install the Java SDK - not the JRE.
2. Add the JDK /bin path to your path.
   (set PATH=C:\Program Files\Java\jdk1.6.0_04\bin;%PATH%)
3. Issue the command
   keytool -genkey -alias kameno -keypass password -keystore kameno.bin -storepass password
4. Answer the following questions, or accept the defaults:
   What is your first and last name? [Unknown]:
   What is the name of your organizational unit? [Unknown]:
   What is the name of your organization? [Unknown]:
   What is the name of your City or Locality? [Unknown]:
   What is the name of your State or Province? [Unknown]:
   What is the two-letter country code for this unit? [Unknown]:
   Is CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct? [no]: yes
5. Copy the kameno.bin file that was created and place it into the tomcat/webapps directory.
6. Open server.xml (tomcat/conf directory) in an editor.
7. Search for the connector description that sits on port 8443. It should be commented out.
8. Uncomment it by removing the <!-- and the --> which precede and follow it.
9. Add the following lines to the description:
   keystoreFile="/webapps/kameno.bin"
   keystorePass="password"
10. Save the file and close it.
11. Stop Tomcat. Restart it.
12. Verify connectivity by pointing your web browser at https://localhost:8443.

</Tomcat + SSL Tutorial>

That was easy, yes?

...Plus everything you need for BMC ITSM installation wants to install its own instance of Tomcat...
...Then they all fight over the JVM...

Well, there I am not sure that I can help you. BMC has not gotten around to offering a - to borrow your term - @#*@#*# - developer-only version of their products yet, so trying to provide any practical assistance is out of the question. Not being able to play with the technology and learn from it without working for someone that already has it - bites. My gut instinct, however, says that there has to be a way to make it work. Sorry, I know that is not too much help.

--
Will Du Chene
[EMAIL PROTECTED]
http://www.myspace.com/wduchene

...you're an anti-Microsoft zealot... - Norm Kaiser
Re: Apache vs IIS
If I had my choice, I'd run with Apache - each and every single time. There are a number of reasons for that, not the least of which is that the web server itself has been time tested and beaten to death repeatedly on web servers all over the internet. It has seen the best and worst that can be offered by end users. It is the web server that can be thought of in the same category as a work truck. It's good, solid, and gets the job done.

Configuration is also very simple. No. There isn't an 'explorer' to do the job with eye candy and mouse clicks. There is a configuration file, and a text editor. Really that is all that is needed. If you've got something in front of you that says otherwise, watch out. Someone is selling something again. Shake their hand, complain of a meeting, give them a boot in the wazoo and close the door.

Apache is also cross platform, so your architecture has the ability to expand and change platforms if your situation changes at some point in the future. Likewise, there are enough modules and methods of customization for it which give it a significant amount of flexibility.

Yes. You probably saw this one coming, but - if you want to - the source code is available for review and not locked away in someone's internal source server because it 'represents a source of IP,' or because 'they want to ensure a significant return on their investment for the shareholders.' (Jeez... Just typing that makes me feel the need for a shower.)

Likewise, and this is probably my biggest single gripe against IIS, is that the bleep web server is *not* divorced from the operating system that it sits upon. Thus, there is no single installer or package available in which you can install something like IIS 6 or IIS 7 on top of an older operating system such as NT4. If you could, there would be one less reason to upgrade, right?
In the same train of thought, paint my hair blond and call me silly but why, ohh, why should an operating system patch affect a web server so that it causes it to crash because both file system permissions have been changed and the internet guest account gets messed up? We had that happen with a couple of our intranet servers a couple of patch cycles ago. Positively crap-tastic. (Yes. I actually maintain several IIS servers for a living as part of my job - and I hate it.)

An Apache/Tomcat combination is a beautiful thing. Why break them up and try to install something like Atlanta in there anyway? Apache is best suited to serve static content, such as images and regular files, html docs and the like. Tomcat is best for JSP. The connector that bridges them together is conceptually a work of art. All major implementations which I have been a part of always use this combination. IIS and Atlanta are left to, well, smaller installations and I honestly sometimes consider them - ahem - toys. (When something goes wrong, I can be seen headed into the IIS server room with baby wipes, a warm bottle and a diaper, or a 40 mega-joule crash cart depending...) Similarly, running Tomcat without Apache in front of it just seems, well, wrong... but that is a whole other topic and I digress.

In the end, setting my obvious opinion aside for a moment, you may not have the choice in the end. Your environment will most likely dictate which platform to use, simply by the ability that is present to support it. If you have a few good *nix people running around, chances are you could make an Apache/Tomcat combination work just fine. Even if it is on a Windows platform, supporting the application is similar enough that the skillset can be used.
By the same token, if the current terrain in which you find yourself is dominated by funny-lookin', primary colored flags on everything and people with a strange fixation on blue polo shirts and khakis, well, IIS & Atlanta may be your only choice because the point-and-click crowd is 'in the house' (Hey, did I get the reference right that time?).

Hello everyone,

If you have to choose between IIS and Apache which one would you opt for? I mean in term of ease of administration, performance, security .. we are planning to install this in a clustered environment with load balancing software and would like to know if you had issues if any with running Mid-Tier against IIS or Apache?

Many thanks

frexpopo

--
Will Du Chene
[EMAIL PROTECTED]
http://www.myspace.com/wduchene
Re: Apache vs IIS
Not quite... But that last one was so good, I added it to my sig file.

I love it, is it Friday yet?

Axton

On Feb 7, 2008 9:55 AM, Kaiser Norm E CIV USAF 96 CS/SCCE [EMAIL PROTECTED] wrote:

So let me summarize: If you're an anti-Microsoft zealot, use Apache (or whatever the open source/competing product is) each and every time. But if you're not really concerned about all those politics, IIS is a fine choice for Windows operating systems.

--
Will Du Chene
[EMAIL PROTECTED]
http://www.myspace.com/wduchene

...you're an anti-Microsoft zealot... - Norm Kaiser
Re: Apache vs IIS
Hhrrmm... That's a new one. I've personally never tried importing certs into the keystore like that. I did some quick digging around on the net, and discovered a couple of pages. I am not sure if these will help or not, but:

http://www.agentbob.info/agentbob/79-AB.html

Make sure to check the last comment about a code change. Comments are on the bottom of the page.

errorjavax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.

--
Will Du Chene
[EMAIL PROTECTED]
http://www.myspace.com/wduchene

...you're an anti-Microsoft zealot... - Norm Kaiser
Re: Apache vs IIS
I just checked over the page and realized that the commands listed there are for *nix boxes. If you need a hand converting them into a windows version, shoot me an email and I can lend a hand.

Likewise, there is a version of openssl for windows available from http://www.devhood.com/Tools/tool_details.aspx?tool_id=277. If that one is not available, there is another download site at http://www.stunnel.org/download/binaries.html.

--
Will Du Chene
[EMAIL PROTECTED]
http://www.myspace.com/wduchene

...you're an anti-Microsoft zealot... - Norm Kaiser
Re: Company Dropping Remedy
What about this scenario: BMC may have control over whom they want to transfer support to while the contract is in effect for the amount of the term. It's sort of like if you and I sat down at the table and hammered out an agreement that you would purchase my services for a month. I'd expect that you would honor your side of the agreement for the duration. I'd venture a guess that most would agree, yes? After the month is up, who cares?

I am not a lawyer (and I don't even play one on television!), but it would seem to me that there is a very simple solution: wait until your support contract is up, and DO NOT renew it with BMC. Once your term is up, then you should be able to renew it with the VAR of your choice. If your term is up, then the contract language might not apply. It would be prudent to contact your legal department for confirmation first, however, just to be on the safe side.

Just an idle thought - offered humbly.

--
Will Du Chene
[EMAIL PROTECTED]
http://www.myspace.com/wduchene
Re: Ping
Either way, there was no getting around it. It's a de facto standard that a child process inherits the same level of permissions - and the profile - of whatever the parent process is. Without that behavior on the platform, we would really have issues.

Axton made an excellent catch and I am grateful for it. Knowing that there are alternative functions out there which can be used is a very good thing. I didn't read the page closely enough, so I am curious to know if these functions are present on all platforms. Many of the open source applications which I have had to tear apart and rewrite components of - such as HtDig - make use of popen to process the results from the sort utility that it uses. Unfortunately, implementations vary here and there and this is something that I ran into when I ported the search engine over to windows.

Basically all that says is whatever is run under popen runs as the caller. In this case ARS, which should not have those privileges - and if they are running as root they deserve all they get :-) Calling something that uses popen from ARS is no better or worse than invoking any other command with a run process.

--
Will Du Chene
[EMAIL PROTECTED]
http://www.myspace.com/wduchene
Re: Ping
Why not circumvent the entire issue, and use popen and the existing ping binary? It's in stdio.h. That would eliminate the need for a shell script wrapper, allow for the development of a plugin within C, and make use of the existing ping binary which has already been designed to do the job...

Best part - no root-ski required.

--
Will Du Chene
[EMAIL PROTECTED]
http://www.myspace.com/wduchene
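The popen suggestion in this message, combined with the point in the reply above that whatever popen runs does so with the caller's privileges, sketched as an added example that is not code from any poster on the list: it runs the existing ping binary from C with fork and execve, so no shell ever parses the host value and the child gets a fixed environment. Assumptions: ping is at /bin/ping and takes an iputils-style -c flag, the function names host_is_safe and ping_host are hypothetical, and refusing to run as root is a policy choice made for this example.

```c
#include <ctype.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed location and iputils-style flags (-c count); adjust per platform. */
#define PING_PATH "/bin/ping"

/* The pattern being replaced: popen() passes its string to /bin/sh -c, so a
 * host value taken from a form field is parsed by the shell:
 *     snprintf(cmd, sizeof cmd, "ping -c 1 %s", host);  fp = popen(cmd, "r");
 */

/* Allow only hostname / dotted-quad characters. A leading '-' is refused
 * because ping would read it as an option rather than a destination. */
int host_is_safe(const char *host)
{
    size_t i, len;

    if (host == NULL)
        return 0;
    len = strlen(host);
    if (len == 0 || len > 253 || host[0] == '-' || host[0] == '.')
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!isalnum(c) && c != '.' && c != '-')
            return 0;
    }
    return 1;
}

/* Returns 1 if the host replied, 0 if it did not, -1 if the request was
 * refused or ping could not be run. No shell is involved at any point. */
int ping_host(const char *host)
{
    /* Fixed environment: the child sees none of the server's variables. */
    char *const envp[] = { "PATH=/bin:/usr/bin", "LC_ALL=C", NULL };
    int status;
    pid_t pid;

    if (!host_is_safe(host))
        return -1;
    if (geteuid() == 0)          /* example policy: the child would inherit root */
        return -1;

    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "ping", "-c", "1", (char *)host, NULL };
        int devnull = open("/dev/null", O_WRONLY);
        if (devnull >= 0) {
            dup2(devnull, STDOUT_FILENO);
            dup2(devnull, STDERR_FILENO);
        }
        execve(PING_PATH, argv, envp);   /* argv reaches ping verbatim */
        _exit(127);                      /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    if (WEXITSTATUS(status) == 0)
        return 1;
    return WEXITSTATUS(status) == 1 ? 0 : -1;
}

int main(int argc, char **argv)
{
    const char *host = argc > 1 ? argv[1] : "127.0.0.1";
    int rc = ping_host(host);

    printf("%s: %s\n", host,
           rc == 1 ? "up" : rc == 0 ? "no reply" : "refused or error");
    return rc < 0;
}
```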
Re: Ping
Why not...

1.) Develop a form that contains the ip address, or host name of the machine that you want to ping.
2.) Develop a view form with a table field that queries the host form.
3.) Develop a simple Perl script and place it on your server to be run via an escalation every X minutes.

The Perl script would then use the ARSPerl module to open up the host form within the AR System and retrieve a list of the hosts that it needs to contact. It would then cycle through each of the servers therein, and update the corresponding server's host record within the AR System. The Perl script could use either one of the Net modules, or simply be a wrapper for the ping utility.

Maybe you could even do something a bit more classy, such as open a connection to any of the services that might be on the server and verify that they are available (for example, if this server is an IMAP server, your script could access an account, or if the server is a database server, it could create a row in a test table database) and collect the delta for the amount of time that the operation took and place that into the host record.

From your control panel form, use an active link that updates every X time period. The idea being that any servers that are down, or services that would be unavailable would be visible within the control panel. Of course, the accuracy is limited by the delta in time that is present between the last run time of the script and the refresh on the control panel, but it should work fine for the average stuff. Besides, if it's a major network or service outage, the customers will be on the phone anyway...

Just a thought...

--
Will Du Chene
[EMAIL PROTECTED]
http://www.myspace.com/wduchene
Re: Incoming emails on Solaris + Exchange
Please don't take this the wrong way, for it is meant in the best possible sense, but would anyone really want MAPI on a *nix box? I dunno, maybe it is just me, but there has to be something wrong in the Universe when they come out with that implementation. Up will be down. Right will be wrong. Taxes will give you money back... I dunno...

Besides, considering what MAPI is, the number of Windows internals that it is tied to, and the modes in which Exchange operates (internet vs. workgroup) I doubt that they would be able to port it - and if they did it might not work exactly as expected.

I'd much rather have that standard mbox file anyway. The mail data is text based. The contents of the file can be parsed with scripts. A Perl script can be used to load the contents into the mail form with ARSPerl and the mbox contents can be parsed with any one of the parser packages that are available. MIME encoded attachments are fairly easy to work with as there are packages available for them as well. Life is a cool place.

The only thing that is a pain is the parsing of attachments out of it - and that is only if your clients are using a Microsoft Outlook client to send the messages to the machine because Microsoft decided to encapsulate the attachment data with their own - say the word with me - proprietary format called TNEF (transport neutral encapsulation/encoding format). This is why mail sent from an Outlook client when viewed on a *nix box has that cute little .dat file... Oddly enough, Outlook Express, Thunderbird, Pine, Netscape Mail, most web mail based systems, Eudora/Penelope - and the list goes on - mail clients don't use the format, which makes Outlook seem somewhat, well...

I do agree with you, however. It is a pain. Maybe the wizards could bless the application suite with an import utility specifically for mail that could be used for this. That way they would be addressing the need while still keeping all right with the cosmos.
In all fairness I don't see this as solely a BMC Remedy issue even though it's a huge pain in the neck for me in terms of the compatibility. Microsoft engineered MAPI to be used natively on Windows (which they sell of course) and supports POP3 and IMAP4 - but they don't push these other protocols. In fact, to get all the bells and whistles out of Exchange and Outlook you need MAPI. Remedy is engineered to be compatible with all of them IF the platform allows it. Remedy does a pretty good job of being OS compatible IMHO but the cross platform issues are just as much a Microsoft issue as anyone else's. The MAPI connector should be universal in this fairly mature enterprise market. Microsoft knows that true enterprise systems rarely use windows servers - and they also know a LOT of automated incoming and outgoing email products exist for all platforms out there. My customer in this case uses exchange - and because of that choice they have limitations when it comes to interfacing with Remedy servers designed for thousands of users and literally tens of millions of customers.

-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of Grooms, Frederick W
Sent: Wednesday, January 30, 2008 1:48 PM
To: arslist@ARSLIST.ORG
Subject: Re: Incoming emails on Solaris + Exchange

The other question to ask: Is the protocol even available on Unix?

-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of Carey Matthew Black
Sent: Wednesday, January 30, 2008 12:35 PM
To: arslist@ARSLIST.ORG
Subject: Re: Incoming emails on Solaris + Exchange

Ray,

I am not challenging or questioning any of those ideas or perspectives. (Mostly because I think you are right on the mark.) However... Can you indicate any preferred protocols that should be supported by BMC for E-Mail with ARS? Have you already submitted RFE (Request for Enhancements) for support of those protocols?
( Just trying to light a candle, not a religious war over platforms/standards/security. :) )

--
Carey Matthew Black
Remedy Skilled Professional (RSP)
ARS = Action Request System(Remedy)
Love, then teach
Solution = People + Process + Tools
Fast, Accurate, Cheap Pick two.

On Jan 30, 2008 1:22 PM, Ray Gellenbeck [EMAIL PROTECTED] wrote:

Folks, remember that a big sector of Remedy usage is Uncle Sam, both govt and military. I can only speak for our project in that both POP3 and IMAP4 are forbidden by security. This makes life really rough for someone operating on Solaris as MBOX becomes your only protocol left for incoming email (MAPI is Exchange/Winblows).

(begin soapbox) This is a heartache we have with Remedy as we re-evaluate ITSM platform selection in the future. BMC's attitude is increasingly just get a windows box for more and more of their solutions or sub-features with ARS. We're getting tired of hearing oh, we haven't
Re: Run Process in AL to execute a Perl script - Help!
I know that I am coming into the conversation a bit late, but after reading the thread, I thought that I would offer up a few comments for consideration.

Running scripts and applications as the 'root' user on any *nix platform is just plain poor policy. First, the script or application is violating the 'minimal privilege' rule, in which applications are given only what they absolutely need to do what they have to do. Secondly, if applications and scripts are installed and run with elevated permissions in 'system' directories, such as /usr, /opt or /lib, then the person who did the installation really needs to take a moment of pause and rethink what they are doing.

Now there are some very good reasons for this, not the least of which is maintainability and system recovery. Basically, this practice makes maintaining a server a bear because the directories are not - well - 'pure' as they should be. The box - and this can be argued until blue in the face - becomes a sandbox with junk in places where it should not be.

Similarly, there are other issues. For example, what happens if your AR System server is running as root, and a developer or contractor that is leaked-off at the organization decides to run a script that modifies something in /etc or perhaps delete some sort of other application? I've busted people for changing file permissions like that in the past. Likewise, sometimes admins - and I don't know what they are thinking when they do this because it doesn't seem to make sense - place passwords into environmentals that the application uses. Getting a password for an account is as simple as '/bin/set > /tmp/env.txt.'

Finally, all non-standard applications on a *nix box should be run as a non-privileged user, in a non-standard, non-system group. There is no need to allow anything else, especially when considering that 'sudo' is available if you need it. (Swap out ports lower than 1024 and you're fine.)
Using sudo keeps the password (if you're using password authentication) from being transmitted in the clear over the network, and is a means of recording who uses it for documentation and audit purposes.

The bottom line is that any installation of any non-standard application on a *nix box should be into a non-system directory (I usually recommend /apps or /orgname) and have any logs that they generate written to some directory thereunder (/apps/logs, or /orgname/logs) if possible. Likewise, there should be nothing - except symlinks if required - in the /etc directory (where the AR System likes dumping its configs).

Installations which follow those simple rules are very easy to back up and restore, can be installed on a non-local disk (san, nas, or just plain ol' NFS mount) and are vastly easier to recover because no special directories are used, nor are permissions.

Offered up constructively...

--
Will Du Chene
[EMAIL PROTECTED]
http://www.myspace.com/wduchene