Securing an HP LaserJet printer with LetsEncrypt

Installing a TLS (or SSL) certificate on a HP LaserJet printer

The fantastic and free Let’s Encrypt service lets you issue TLS (SSL) certificates to as many devices as you want. It’s perfect for a home or small office environment.

The Let’s Encrypt service needs to validate that you are in control of the device you’ve requested a certificate for. Most of the time, it’s fine to serve up a single file from your server. What if you can’t actually serve arbitrary files from your device?

There is a way around this – you can use a TXT (text) record in DNS to authenticate the device, and that’s what I did.

Photo by Alex Furr from FreeImages

I’ve used certbot to generate my certificate:

certbot -d host.example.com --manual --preferred-challenges dns certonly

Note down the TXT record that appears and add it to your DNS server, and you’re done.

My printer wants the certificate and private key in a PKCS#12 bundle, a bit like a ‘zip’ or ‘tar’ archive. This isn’t obvious, but it can be done with this command:

openssl pkcs12 -export -out certificate.pfx -inkey config/live/host.example.com/privkey.pem -in config/live/host.example.com/cert.pem

You’ll be asked for a passphrase, and the key and certificate will be in certificiate.pfx.  You can load this in to the printer by hand, or automatically with a single command.

Ubuntu 16.04LTS

I will freely admit that I’ve been putting off upgrading my Ubuntu 14.04LTS boxes to 16.04LTS. In a previous post, I wrote about my battle with getting the Ubuntu desktop to be usable in the way I wanted it. Having tried this out on 16.04LTS, I realised that I’d have to change the way I work.
I am two weeks in to running the new upgraded system and I wish I’d gone through the pain earlier. Making the Unity Launcher smaller, getting used to the menu bar in the top row of windows, and the close, minimise and maximise buttons landing in the top left of the screen when maximised – none of those took particularly long to get past.
On previous installs, I’ve wanted shortcuts to the common applications at the top of the screen by the clock, but I’ve locked these in to the Unity Launcher – and there’s more space for them.
The only irritation that’s still there is resizing terminal windows. It takes a while to re-learn that I don’t have to be precise with the cursor positioning to change the window size. And that’s it.
Ubuntu 16.04LTS, you are forgiven – I thought you were going to be a nightmare, but you’re lovely. And when I unplug one of my monitors from the graphics card, you put everything back on the screen still plugged in. That’s awesome!

Citrix Receiver and CA support

On installing an Ubuntu 16.04 desktop from scratch and putting Citrix Receiver on it, I found I couldn’t connect to one of the servers that I need to for work. The strange error suggested that the Citrix client doesn’t trust the VeriSign Class 3 Public Primary Certification Authority – G5.
This seemed confusing at first – I have the CA certificate in /usr/share/ca-certificates/mozilla. A quick look at where Citrix Receiver installed itself quickly found what was going on.
Citrix Receiver only has a handful of CA certificates installed in /opt/Citrix/ICAClient/keystore/cacerts, so if you’re connecting to a server with an SSL certificate other than the dozen or so in here, simply copy the .crt or .pem file and you’re sorted.

On mainframes and freedom

Last week, CIO Magazine reported on the shortfall in mainframe skills.

It reminded me of a situation I faced a couple of years ago. My team was preparing to write software which integrated with an IBM z/OS system, and we knew literally nothing about it. I didn’t need to know all the details, but I wanted to be able to talk to the system programmers coherently and be taken seriously. I didn’t know much about CICS, nor RACF, and I’d not even heard of RACF. I wanted to learn.

I am a self-starter, and I want to get my hands on the technology I’m going to use in my work life. From learning perl, PHP and SQL in the late 1990s so I could capture ISDN call log data over RADIUS, to buying a bunch of older Cisco equipment to bring me up to speed on VoIP, it’s worked stunningly well. I wanted to do the same with z/OS – not to become an overnight expert, but to be able to bridge the gap between Java developers and the people who ran the mainframe we were going to be using. It would make the whole project happen with much less friction.

After no more than an hour or so’s research, I found IBM wanted $900-or-so a year, on top of buying dedicated PC hardware just so I could run z/OS and spend a bit of time becoming familiar with it. But why? I can download any number of GNU/Linux distributions without charge, or evaluate most Microsoft products for several months without any hassle. Why can’t I do that with z/OS? There were several sites offering TSO and CICS access, but that was only from a user’s perspective. I wanted to peer inside and see what made it tick.

Luckily, the project succeeded and I learnt a fair amount about z/OS in the process, but it wasn’t as quick or easy as if I’d been able to spend some of my own time learning. In fact, when I was given access to a non-production CICS region with the software on the other side of our interface, I spent several hours of after-work time getting to know it, and came away being able to help our developers write an even better product than if I’d stayed in my pure consultancy role.

If IBM want to change the perception that mainframes are an enigma understood only by the balding and bearded stalwarts at large companies, they need to get people hooked. Make the latest release of z/OS and a suitable emulator available for download, and let the world see how great your software is.

Enterprise IT Onboarding

I’ve worked at many organisations, from educational establishments up to multinational banks and corporations. My gripe with all of them is they never make the Enterprise IT on-boarding process slick.

The Enterprise IT adoption cycle visualised
Graphic ©2012 Simon Wardley and CC BY-SA 3.0

Some of the smaller companies I’ve worked for are different. I had to wait a week to get a building pass once because the only badge printer was faulty, and at another company, they’d actually run out of access cards and simply stuck a white sticker over somebody else’s card and told me to use that. Security let me through and in to the building with a quick flash of a piece of plastic with the company’s logo on it and nothing more.

That’s small companies – but in large companies, people join all the time and it really should be a business-as-usual (BAU) process.

Last week, I went to a new a customer site last week to collect a building access card and get set up on their email system.  I was in and out of the building within 30 minutes.  I had an ID card and building access sorted immediately by the security team, which let me go up to the floor I’d be working on and get email access.

My manager gave me a piece of paper with my username and temporary password, and on logging on to the nearest thin client, I had access to everything I needed. Remote access was a breeze – the first email in my Inbox contained instructions on how to get access to my virtual desktop remotely using Citrix and Google Authenticator.

Why can’t everyone’s on-boarding process be like this slick?

Novell RPL Boot under VirtualBox

One of my recent retrocomputing projects was to set up a Novell NetWare 4.11 server and boot clients from it. Remote boot, or Remote Initial Program Load, was a common method for booting network clients over the LAN before IP became commonplace.
RPL requires a boot ROM on the network card which finds a nearby server, connects to it and downloads a disk image which it then executes. By today’s standards, it’s trivial – but by late 1990s standards, it was anything but.

I spent a few hours trying to get VirtualBox to do RPL boot. Etherboot doesn’t appear to support RPL, so I tracked down a ROM image on Intel’s website. There isn’t much demand for RPL and Intel deprecated it in 2005. Luckily, they’ve kept an old version of their drivers available which contains a boot ROM image supporting RPL.

The executable, PRORPL.EXE, will uncompress using 7z and produce two interesting looking files with the extension FLB. One of these is 63,488 bytes, and the other is 139,264 bytes.

Installing these in a VirtualBox machine is straightforward but unfortunately undocumented:

vboxmanage setextradata "vmName" VBoxInternal/Devices/pcbios/0/Config/LanBootRom romLocation

After booting the virtual machine from cold, VirtualBox didn’t complain, but also didn’t use the ROM. Looking in the Log Viewer showed the vague message rc=VERR_TOO_MUCH_DATA.

The vital piece of information I forgot is that boot ROMs must be smaller than 64 kilobytes. The Intel image is very close to that size. Back to the drawing board!

With some further searching, I found a Generic BootRom Utility on AMD’s website which contains a 16kb file. This file, RBOOT.ROM, is a working RPL boot ROM for AMD PCnet network cards. Coincidentally, the VirtualBox machine I’m using has an AMD PCnet-FAST III card. Result!

Re-running the vboxmanage command above with the path to the newly discovered boot ROM works a treat. I can boot a virtual machine straight off a virtual Novell NetWare server. By today’s standards, the process is quite cumbersome but I’ll leave a description of that for another time.

The curious case of the IP Alias

Trying to log on to Skype earlier in the week on my MacBook Pro didn’t work. For some reason it simply wouldn’t connect – it just timed out. Everything else worked absolutely fine, no issues.
Figuring it was an IPv6 issue, I unbound IPv6 from en0 and tried again. Nothing. It wasn’t my Cisco ASA firewall playing games either, although logging on to it showed a vast number of packets dropped from 192.168.1.x on its inside interface (reverse path check, I don’t use 192.168.1.x internally). How could this be?
It turns out that I had a 192.168.1.x bound to en0 from when I was testing out some locally connected kit. Skype saw this as the first IP address it could use and bound to it – whereas everything else worked fine letting the OS choose. Unbinding this address made Skype leap in to action.

Cleanweb, February 2015

Last night, I gave a talk on Open Rail Data at Cleanweb.

I wanted to stay longer – there were plenty of discussions to be had, but after a busy Open Data Day on Saturday, bed won over the pub.

Missed the presentation? I’ve uploaded the slides and they’re available PDF format.

If you want to continue the discussion, join the openraildata-talk mailing list and come chat to like-minded people!

The end is near…

It doesn’t seem like five years, but it is. Five years since I wanted the API to National Rail Enquiries’ Live Departure Board web service to be available for everyone so they can innovate and do great things.
We’ve come a heck of a long way in those five years – as from this week, you can sign up for the Open Live Departure Boards Web Services. A round of applause, please!
So, is that the end? Unfortunately not – there’s even more data to unlock, even more value to be created and stories to be told – but I think it’s been demonstrated that open and permissive trumps closed and expensive.
I get the feeling it’s going to be a smoother ride from here on.