I would like to run Corda Demo Bench on a windows machine without admin rights.
Is there anyway to do that ?
https://www.corda.net/develop/resources.html
The installer doesnt fail, but it requests for admin user/password, which I dont have since my user is a non privileged user
Based on your special case, I would suggest you to try to use the node-explorer (link: https://github.com/corda/node-explorer/releases) instead of the Demo bench.
The Corda DemoBench is used to demo Corda-finance app only, whereas the recent released node-explorer is capable of running whatever CorDapp of your choice.
It not only is a replacement of DemoBench, but also is a good tool to show case your PoC and not worry about developing a front end UI.
Video walkthrough at: https://www.youtube.com/watch?v=cn2lhS8pjRs&t=841s
Related
I am running a windows 2016 server, we are running IIs 10 on it and i need to be able to assert if there is an AppPool setup before i deploy a website. If it doesn't exist i need setup the AppPool with a specific user and password.
All of this is done using a release agent through Azure Devops.
The agent is running as a NON-ADMIN, and i all accounts involved are running as NON-ADMIN. I have no intention at all to run any admin accounts, for security reasons i want to give least privildges to all accounts involved.
when i try to set up a AppPool using appcmd.exe i get the error msg:
KeySet does not exist.
When running everything as admin it works (and i have absolutely no intention in running any of this as admin).
What i have tried:
i have added the non-admin account to the IIS_IUSRS group.
Made sure that the user has read permissions to the file: 76944fb33636aeddb9590521c2e8815a_GUID in the %ALLUSERSPROFILE%\Microsoft\Crypto\RSA\MachineKeys folder.
i have tried everything here: Error when you change the identity of an application pool by using IIS Manager from a remote computer
anyone that actually knows the cause of this problem?
UPDATE:
Microsoft clearly recommends that agents should be run using service accounts, which i am doing and i have no interest in giving build agents administrative rights to 1000s of servers when they clearly don't need that kind of powers actually. I want to restrict their powers to only be allowed to do what they need to do. I can't believe that giving everything admin is apparently the norm.
After a lot of googling, and i mean A LOT. I managed to solve this. And let me say, that it baffles me that "least privileged accounts" is not common practice in the Microsoft and windows world.
I found this excellent post by InfoSecMike locking down azure devops pipelines.
And we both have the exact same requirements and opinions on this topic.
You CLEARLY don't need admin rights to update IIs configurations (because that would be insane, right!?). The IIs configuration API does not care what rights you have, what you do need is access to certain files. But this is not documented. Microsoft themselves, just for simplicity, tells you that you need to be admin, and buries all the details really deep in documentation when this should be best practice. Also what amazes me is that no one questions it.
What you need is the following:
full access to C:\Windows\System32\inetsrv\Config
full acccess to C:\inetpub
read access to three keys in C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\
6de9cb26d2b98c01ec4e9e8b34824aa2_GUID (iisConfigurationKey)
d6d986f09a1ee04e24c949879fdb506c_GUID (NetFrameworkConfigurationKey)
76944fb33636aeddb9590521c2e8815a_GUID (iisWasKey)
The 2 first bullet points can be obtained if you make sure your service account is a member of the group IIS_IUSRS.
This group will not give you access to the keys. You need to manually give read permissions to these 3 keys to the agent user.
If you don't give access to these keys you will get the obscure error message
Keyset does not exist ( exception from HRESULT : 0x8009000D)
Which is an incorrect error if you ask me as it should be an IllegalAccessException with proper reason telling you that you don't have access to read the key because the keys are there, they do exist (nice code microsoft, maybe you should open source this so we can fix).
I'll leave with this quote from infosecmike.
The goal was to lock down the permissions of the Azure Pipeline Agent {...}. I started Googling, pretty sure I would find a way to achieve this goal. I didn’t. It’s surprising to not find an answer about this. It seems like the principle of least privilege does not apply anymore in a devops world.
This is why i prefer Linux over Windows. This is a simple task there.
I have a network version where I fixed a small bug in the .js file and added a function. I would like to redeploy the network (on the same version).
I stop/teardown Fabric and restart it. Delete the card and .bna file, then re-create the card and .bna file. After that I install and start the network. Last step is to start the REST server.
Even after all these steps, the REST server does not list my new function, indicating it has not been updated?
Do I have to change the version number if I modify the script.js and model.cto files?
As david_k points out in 'comments' above - you should use composer network upgrade to upgrade the business network (no need to 'teardown' your Fabric environment) as well as stop the REST server as you've done. See https://hyperledger.github.io/composer/latest/reference/composer.network.upgrade.html and example of it in use in the tutorials https://hyperledger.github.io/composer/latest/tutorials/queries . Once you've upgraded your business network successfully, and pinged it successfully, you can stop/remove the old dev-* business network containers as indicated. You would then start the REST server again, use the same business network card (eg. an admin card) when prompted / as a parameter to the start command. Then in a new browser session, you can test your REST APIs (or as suits). If you're not seeing the new function (or it errors), you should check your decorators/naming in your logic.js file to see the right transaction function is being called for a named transaction.
I am trying to use h2o steam (running on localhost) to deploy a model. After importing the model from h2o flow, clicking the "deploy model" option in the "models" section of the project, filling out the resulting dialog box, and clicking the "deploy" button, the following messages are displayed:
At first I thought that it was because maybe I needed to start up the service builder on my own, so I started it up following the docs here, but still got the same error. Any suggestions would be appreciated. Thanks :)
Just make sure jetty HTTP server is running locally by executing the following in your shell:
java -jar var/master/assets/jetty-runner.jar var/master/assets/ROOT.war
Looking here, it seems like I would need to "override" some kind of default browser restriction for accessing localhost:8080 (which is what I assume steam is trying to do to launch the service builder (I don't know much about networking related stuff)). I got around this by launching steam with the command:
$ ./steam serve master --prediction-service-host=localhost --prediction-service-port-range=12345:22345
where the ports are some arbitrary range between (1025, 65535) which I got by word-searching the a page of the steam source code (line 182 as of the date of this posting).
Doing this lets me deploy the models through the steam dialog without any error messages. Again, I don't know much about networking related stuff, so if anyone has a better way to solve this problem (ie. allow access of localhost:8080) please post or comment. Thanks.
I have installed OEM 13c and deployed a couple of agents and want to test out the Log File Monitoring utility. I have enabled it and added a log file to monitor.
When I go and test it out, it does not show any alerts when they are put into the Log File. On the agent server, I have tailed the file and see the messages coming into the log file.
Does anyone have experience adding log files to OEM? I could have configured it wrong. Or is there any troubleshooting steps that I can follow to see if the server is even contacting the agent for reading the log file. Status of the agent is good with no incidents.
Without access to the system, it would be difficult to tell you the exact cause of this issue. However, I can list a few potential causes of this issue that I have experienced personally:
Permissions. The Oracle Enterprise Manager Agent is very convoluted when it comes to system permissions within a remote server. The agent can be owned and run as any number of users but during metric evaluation, may also need sudo or pam-authentication permissions to access certain entities on the server. Depending on the authentication profiles on that server, this could be the cause of your issue. There are ways to grant the agent access through the PAM stack if that is necessary.
Syntax. The wildcard syntax in the OEM GUI can be a little confusing as well. I would play with the wildcard elements a bit on the "String" component to ensure that it isn't as simple as adding wildcards to the beginning and end of the string. Without diving into the binaries of the agent plugins, it is difficult to assess exactly how the agent is evaluating this particular metric
One suggestion I would have is to go through the agent commands. There are specific commands you can run to manually force an agent to evaluate a particular metric for a particular target. This can allow you to manually trigger the metric collection locally on the server and evaluate what exactly is being performed at the agent level.
On the system I was running (12c) the command was as follows:
emctl control agent runCollection <hostname>:host host_storage
I have a line of code that I can run locally as part of a service that works perfectly fine.
sReportPath = objCrystalUtils.ExportReportToPDF("Report Name", iReportInfoID)
This code is run as a part of a service, and when I unit test it by feeding it data, it ultimately builds the report and prints it.
When I run the exact same piece of code inside an .ashx from an ajax call. The reports are generated (I can see the pdf files being created on disk) but the printing is not happening.
oRpt.PrintToPrinter(objReport.DefaultAutoPrint, True, 0, 0)
In both scenarios the same code is used to print the report. (objReport.DefaultAutoPrint = 0 in both cases)
My only thought is that the location of the code that is calling this method is in a different spot relative to the location of the bills themselves.
The printer that I'm trying to print to is a network printer intalled on my machine, and I'm running Windows 7 IIS 6.1
Any thoughts?
Edit:
Here is a thought... if I'm running one as a unit test locally and im running the other through a web app that is running via IIS, is there a difference in user id and user access to the default printer?
Edit:
So I added my local ASP, IUSR and SYSTEM users to the printer security and allowed them to print... no dice. So I checked the EVERYONE user and it is set to access and NO users are denied... so I think that kinda kills that line of reasoning.
Edit:
I changed the name of this post since I no longer think that the issue is ajax related since If I try to do the same process in code bebehind from a post back instead of running it from an ajax call i still get the same problem.
Patrick, for me it is a known issue of crystal reports, printing a certain report from a running application via IIS.
I got the same issue before, and upon our search for that issue, we got the following;
Report to be generated, exported, and then to be downloaded to client machine,
so user can print it locally (say, report will be exported as PDf file,
user can use print option of PDF reader).
It's not Crystal Reports or other third party app's problem. It's usually the IIS_IUSER's permission problem because it has no access to any network printers. A possible solution is in Process.Start doesn't work in IIS