Formscape CPU Affinity

On servers with more than 2 CPU cores, Formscape may fail to license and start properly until you restrict the service process to run on 2 or fewer CPUs.

To set the CPU affinity:

  • Open the Windows services window (Start -> Run -> services.msc)
  • Right-click on the “Eclipse Forms” service and select Properties
  • Select the General tab
  • Click on the Stop button to halt the FormScape service
  • In the Start Parameters field, enter: -a "0 1"
  • Click on the Start button and then on the OK button.

How to Configure the Android VPN Client for IPsec Shared Key VPN

To use an Android device to connect to a client-to-site IPsec VPN without having to import a certificate, use shared key authentication. Your device must use Android version 4.0 or above.

Configure the Android VPN Client

  1. On the Android device, tap Settings.
  2. In the Wireless & Networks section, tap More.
  3. Tap VPN.
  4. Add the VPN by tapping the plus sign (+) next to VPN.
  5. On the Edit VPN profile page, configure these settings:
    • Name – Enter a name for the VPN connection (e.g., IPsecWithSharedKeys).
    • Type – Select IPSec Xauth PSK.
    • Server address – Enter the network address for the VPN service (e.g., 62.99.0.51).
    • IPSec identifier – Enter the group policy name that you entered for the IPsec PSK VPN on the Barracuda Firewall (e.g., IPsecVPN).
    • IPSec pre-shared key – Enter the PSK.

Connect to the VPN with the Android Device

After configuring the Android device, you can connect to the IPsec VPN.

  1. On the device, navigate to the VPN screen.
  2. Tap the name of the VPN that you want to connect to (e.g., IPsecWithSharedKeys).
  3. Enter your Username and Password, and then tap Connect.

How do I default or reset a Cisco router?

Please see the regular process to reset the password on an 1841 router below:

  • Connect the console cable to Router 1841
  • Use the power switch in order to turn off the router, and then turn the router back on
  • Press Break on the terminal keyboard within 60 seconds of power up in order to put the router into ROMMON
  • Type confreg 0x2142 at the rommon 1> prompt in order to boot from Flash

This step bypasses the startup configuration, where the passwords are stored.

  • Type reset at the rommon 2> prompt.

The router reboots, but ignores the saved configuration.

  • Type no after each setup question, or press Ctrl-C in order to skip the initial setup procedure.
  • Type enable at the Router> prompt.
  • You are in enable mode and should see the Router# prompt.
  • Type erase start at the Router# prompt.
  • Type configure terminal.
  • Type config-register 0x2102.
  • Type write memory.
  • Type reload.

See more at: https://supportforums.cisco.com/discussion/11607366/how-reset-cisco-router-1841-password

GHOST glibc Security Alert January 2015

Summary

Epicor has been made aware of a critical vulnerability in the glibc library, which has been assigned CVE-2015-0235 and is commonly referred to as ‘GHOST’. All versions of glibc shipped with all variants of Red Hat Enterprise Linux are affected.

GHOST is a ‘buffer overflow’ bug affecting the gethostbyname() and gethostbyname2() function calls in the glibc library. This vulnerability allows a remote attacker who can cause an application to call either of these functions to execute arbitrary code with the permissions of the user running the application.

The gethostbyname() functions are used for DNS resolution, which is a very common operation. To exploit this vulnerability, an attacker must trigger the buffer overflow by supplying an invalid hostname argument to an application that performs a DNS resolution.

Checking Vulnerability

The easiest way to check for the vulnerability is to run the Red Hat Access Lab’s “glibc (GHOST) Detector” script:

curl -s http://kb.eclipseinc.com/repo/GHOST-test.sh | bash

If the server is vulnerable, you will see output similar to:

Installed glibc version(s)
- glibc-2.5-42.i686: vulnerable
- glibc-2.5-42.x86_64: vulnerable

This system is vulnerable to CVE-2015-0235. <https://access.redhat.com/security/cve/CVE-2015-0235>
Please refer to <https://access.redhat.com/articles/1332213> for remediation steps

If the server is not vulnerable, you will see output similar to:

Installed glibc version(s)
- glibc-2.5-123.el5_11.1.x86_64: not vulnerable
- glibc-2.5-123.el5_11.1.i686: not vulnerable
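As an added, complementary check (this is not the Red Hat detector script above and not part of the original alert), the following Python program runs the functional canary test that the Qualys GHOST advisory published in C, here through ctypes: it calls gethostbyname_r() with a digits-only hostname sized so that the pre-fix size computation under-counts by one pointer, and reports whether guard bytes placed directly behind the resolver buffer were overwritten. It assumes a Linux host with a glibc-style gethostbyname_r(); the function and class names are mine.

```python
import ctypes
import ctypes.util
import errno

CANARY = b"in_the_coal_mine"
BUF_LEN = 1024


class Probe(ctypes.Structure):
    # Resolver scratch buffer with guard bytes placed directly behind it.
    # Unpatched glibc (CVE-2015-0235) writes up to sizeof(char *) bytes past
    # the buffer, which lands in the canary; patched glibc reports ERANGE.
    _fields_ = [("buffer", ctypes.c_char * BUF_LEN),
                ("canary", ctypes.c_char * (len(CANARY) + 1))]


def ghost_probe():
    """Return 'vulnerable', 'not vulnerable' or 'inconclusive'."""
    try:
        libc = ctypes.CDLL(ctypes.util.find_library("c"))
        gethostbyname_r = libc.gethostbyname_r
    except (OSError, AttributeError, TypeError):
        return "inconclusive"  # no glibc-style gethostbyname_r on this platform
    gethostbyname_r.restype = ctypes.c_int
    gethostbyname_r.argtypes = [
        ctypes.c_char_p, ctypes.c_void_p, ctypes.c_void_p, ctypes.c_size_t,
        ctypes.POINTER(ctypes.c_void_p), ctypes.POINTER(ctypes.c_int)]
    # A digits-only name takes the inet_aton fast path. Its length is chosen so
    # that the pre-fix size computation (which omits one char * of padding)
    # believes the name just fits into BUF_LEN bytes.
    name_len = BUF_LEN - 16 - 2 * ctypes.sizeof(ctypes.c_void_p) - 1
    name = b"0" * name_len
    probe = Probe()
    probe.canary = CANARY
    hostent = ctypes.create_string_buffer(128)   # larger than struct hostent
    result = ctypes.c_void_p()
    h_errno = ctypes.c_int()
    ret = gethostbyname_r(name, ctypes.addressof(hostent), ctypes.addressof(probe),
                          BUF_LEN, ctypes.byref(result), ctypes.byref(h_errno))
    if probe.canary != CANARY:
        return "vulnerable"        # guard bytes overwritten: the overflow happened
    if ret == errno.ERANGE:
        return "not vulnerable"    # fixed glibc correctly rejects the buffer as too small
    return "inconclusive"


if __name__ == "__main__":
    print("glibc GHOST self-test:", ghost_probe())
```

Run it as the same user the application runs as; a "vulnerable" result means the installed glibc still has the bug regardless of what the package version suggests.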

Resolution

Update RHEL to patch the affected libraries:

yum -y update glibc nscd

Double-check that the patches have been applied by running the detection script again:

curl -s http://kb.eclipseinc.com/repo/GHOST-test.sh | bash

Reboot the server to finish applying the patches:

reboot

Troubleshooting

If you receive an error when attempting to run yum, it could be because your Red Hat subscription has expired. In this case, we’ve set up a package repository for you, which you can use by running the following commands:

curl -s -o /etc/yum.repos.d/eclipse.repo http://kb.eclipseinc.com/repo/eclipse.repo
yum -y update glibc nscd

If you receive an error similar to “Public key for glibc-headers-2.5-123.el5_11.1.x86_64.rpm is not installed”, your Red Hat software is significantly out of date, and you will first need to update some other packages:

curl -s -o /usr/share/rhn/RHNS-CA-CERT http://kb.eclipseinc.com/repo/RHNS-CA-CERT
curl -s -o /etc/yum.repos.d/eclipse.repo http://kb.eclipseinc.com/repo/eclipse.repo
yum --nogpgcheck -y update rhn*
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
yum -y update glibc nscd

Frequently Asked Questions

Q: I installed the patch, and now the script says my server is “not vulnerable”. Do I still need to reboot my server?
A: Yes.

POODLE SSLv3 Security Alert October 2014

Summary

Epicor is aware of a vulnerability in the SSL 3.0 protocol, which has been assigned CVE-2014-3566. All implementations of SSL 3.0 are affected.

POODLE stands for Padding Oracle On Downgraded Legacy Encryption. This vulnerability allows a man-in-the-middle attacker to decrypt ciphertext using a padding oracle side-channel attack. POODLE affects older standards of encryption, specifically Secure Sockets Layer (SSL) version 3.0. It does not affect the newer encryption mechanism known as Transport Layer Security (TLS).

Because it’s a vulnerability in the protocol, not a bug in the implementation, there is no “patch,” so SSLv3 should be disabled in all client and server software.

Epicor’s Response

There are functions of the Eclipse server software that initiate HTTPS connections to external servers (e.g. for credit card processing). Those connections previously allowed SSLv3, so we have updated the code to explicitly require TLS connections. The patch (DNV616) can be applied manually, or it will be included by default in the customer’s next point upgrade.

We have also reviewed the Eclipse application server and confirmed that SSLv3 is already disabled in the release, which uses TLS by default.

Recommended Customer Actions

We recommend that customers request the patch or a point upgrade to a release of Eclipse with SSLv3 client functionality disabled.

We also recommend that any customers running external web servers (e.g. web commerce, mobile) disable SSLv3 on IIS using Microsoft’s “fix it” tool.

FAQ

Q. How can I verify that my Solar application server (or any other secure web service) is not vulnerable?
A. Run the command below:

openssl s_client -connect HOSTNAMEORIPADDRESS:PORT -ssl3

For example, the following output, from a run against the Solar application server on the local machine, shows that the service is not vulnerable:

[root@rs6k ~]# openssl s_client -connect localhost:2443 -ssl3
CONNECTED(00000003)
25211:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:284:
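The same check at the protocol level, as an added example that is not part of the original alert: the script below builds an SSLv3 ClientHello by hand (record and handshake version 3.0) and classifies the server's first record, so a ServerHello at version 3.0 is reported as vulnerable, while an alert or a record at another version (what openssl prints as "wrong version number") is reported as not vulnerable. The host and port are whatever you pass on the command line (e.g. localhost 2443 as in the article); the function names and the cipher suite list are my own choices.

```python
import socket
import struct

SSLV3 = b"\x03\x00"                      # ProtocolVersion 3.0 in record/handshake headers
HANDSHAKE, ALERT = 0x16, 0x15            # record content types
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02  # handshake message types


def build_sslv3_client_hello():
    """Build one record holding an SSLv3 ClientHello offering a few legacy suites."""
    suites = b"".join(struct.pack("!H", s) for s in (0x002F, 0x0035, 0x000A, 0x0005))
    body = (SSLV3
            + b"\x00" * 32                             # client random (constructed, fixed)
            + b"\x00"                                  # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                             # one compression method: null
    handshake = bytes([CLIENT_HELLO]) + struct.pack("!I", len(body))[1:] + body
    return bytes([HANDSHAKE]) + SSLV3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Classify the first record a server returns for the SSLv3 ClientHello."""
    if len(data) < 5:
        return "no response"      # closed without a record: confirm TLS works separately
    content_type, version = data[0], data[1:3]
    if (content_type == HANDSHAKE and version == SSLV3
            and len(data) > 5 and data[5] == SERVER_HELLO):
        return "vulnerable"       # the server agreed to negotiate SSLv3
    if content_type == ALERT:
        return "not vulnerable"   # e.g. protocol_version or handshake_failure alert
    if version != SSLV3:
        return "not vulnerable"   # the "wrong version number" case openssl reports
    return "unexpected"


def probe_sslv3(host, port, timeout=5.0):
    """Send the ClientHello to a live server and classify its reply (needs network)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            return classify_response(sock.recv(4096))
        except (socket.timeout, ConnectionResetError):
            return "no response"


if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])   # e.g. localhost 2443
    print(host, port, "SSLv3:", probe_sslv3(host, port))
```

A "no response" result only shows that the server dropped the SSLv3 handshake; confirm with a normal TLS connection that the service itself is up before recording it as fixed.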