Apple OSX Server uses a code signing certificate that is used for Profile Manager.
Unfortunately you can't just use the inbuilt certificate interface panel that is built in to the OSX server GUI.
OS X server App will continually send you a reminder every day from 30 days prior to renewal.
Apple have an article on this at http://support.apple.com/kb/HT5358
However it fails to mention 2 very important points.
1) To renew the certificate Apple ask you to use in the terminal
However Apple have moved this command to :
2) When converting the serial number to Hexadecimal it MUST be in lower case.
If the serial number is left in upper case you will see the following error
"/Applications/Server.app/Contents/ServerRoot/usr/sbin/certadmin Cannot find the certificate: XXXXXXXX"
Instructions to replace the code signing certificate as follows :
1. Open /Applications/Utilities/Keychain Access.app.
2. On the left under Keychains, select the System keychain.
3. Find your code signing certificate. It should be named in the format of "myserver.mydomain.com Code Signing Certificate" where "myserver.mydomain.com" will be the Fully Qualified Domain Name (FQDN) of your server. You should see two entries, where one is the private key and one is the actual certificate. Double click the certificate.
4. Under Details, locate the section named "Subject Name". In the "Subject Name" section, locate the Common Name field which should be identical to the name of the certificate in the list from step 3. Make note of the full name, including capitalization, spaces, and punctuation.
For me this was "server01.systemc.com.au Code Signing Certificate"
5. Looking at the same certificate details, locate the section titled "Issuer Name". Locate the Common Name field directly below that. The Issuer Common Name should be in the following format: "IntermediateCA_MYSERVER.MYDOMAIN.COM_1"
...where "MYSERVER.MYDOMAIN.COM" will be the FQDN of your server. Make note of the full name, including capitalization, spaces, and punctuation.
For me this was "IntermediateCA_SERVER01.SYSTEMC.COM.AU_1"
6. Looking at the same certificate details, in the "Issuer Name" section, you should see a Serial Number field. Make note of the serial number, which is in decimal format.
7. Open /Applications/Calculator.app
8. In Calculator, choose View > Programmer to change to programmer mode.
9. Immediately below and to the right of the Calculator numeric display are buttons labeled "8", "10", and "16". Click the "10" button to make sure the Calculator is in decimal mode.
10. Enter the serial number you found in step 1, for me this was, "2790369765".
11. Click the "16" button to convert to hexadecimal. The resulting number will be in the format of "0xA651A9E5". Disregard the leading "0x" and make note of the rest of the number. (MAKING SURE you convert this number to lower case.
For me this was a651a9e5
12. Open /Applications/Utilities/Terminal.app.
13. Enter the following command using the information gathered above. When entering the hexadecimal serial number, ensure that all letters are entered in lower case.
sudo /usr/sbin/certadmin --recreate-CA-signed-certificate "server01.systemc.com.au Code Signing Certificate" "IntermediateCA_SERVER01.SYSTEMC.COM.AU_1" a651a9e5
Sub your details collected above in the same locations using mine as an example
For those with latest version of OSX server will need to sub this for
sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/certadmin --recreate-CA-signed-certificate "server01.systemc.com.au Code Signing Certificate" "IntermediateCA_SERVER01.SYSTEMC.COM.AU_1" a651a9e5
14. Open /Applications/Server.app.
15. Under Services, click Profile Manager.
16. Switch Profile Manager off.
17. Next to "Sign configuration profiles" click the Edit button.
18. From the Certificate list, select the certificate named "server01.systemc.com.au Code Signing Certificate - server01.systemc.com.au OD Intermediate CA" which should be the only listed certificate.
This name will change depending on your certificate name
19. Click OK.
20. Turn on Profile Manager.
I noticed that on some of my large clients servers, crash plan keeps crashing. Somewhat symbolic in it's name :)
This not only happened in the front end GUI but also the backend.
and normally if the server had very very big backup sets of a few TB or more.
I reviewed the log files and have found that when crash plan runs it tries to compile a list of changes that have been made. If this catalog was very big it would crash.
If you stop crash plan
$ sudo launchctl unload /Library/LaunchDaemons/com.crashplan.engine.plist
If you modify launchd item
$ sudo pico /Library/LaunchDaemons/com.crashplan.engine.plist
and modify the following string
<string>-Xmx512m</string> to <string>-Xmx3072m</string>
then restart the launchd item
$ sudo launchctl load /Library/LaunchDaemons/com.crashplan.engine.plist
The backups will now work. What we have now done is allocate 3GB of memory to the application v’s the 512MB that were allocated to it originally.
I should start this article by saying that if possible do not use PPTP VPN's and you should opt where possible for IPSEC vpn tunnels.
Security is a concern around PPTP vpn's and these can easily be cracked in minutes.
In fact there are now websites setup where people with no experience can pay others to crack the PPTP VPN password for you such as https://www.cloudcracker.com
The cyberoam UTM appliance can support Standard IPSEC VPN's that the Apple Mac iPhone and iPad and Desktop use and can even be configured to act as a Cisco VPN.
Establish an IPSec Connection Between Cyberoam and Cisco VPN Client
Configure Apple iPhone for Cyberoam L2TP VPN Connection
However if required you can enable the Cyberoam to allow PPTP vpn connections
Configure Cyberoam to Establish PPTP connection using MS Windows 7 VPN Client
With the default configuration of PPTP VPN on the Cyberoam, only CHAP authentication is set. The setup of PPTP on the Cyberoam UTM requires one hidden step to enable MS-CHAPv2 that is required for windows and Mac's to use a PPTP VPN connection.
Step 1 – Enable PPTP
1. In the GUI interface, go to VPN -> PPTP
Step 2 – Set Encryption and Authentication Methods
2. Now use the following syntax to set the encryption and authentication:
3. you can review the settings with the following command:
Step 3 – Grant Users Logon access via PPTP
There are a few places to grant access to users:
Review Users/Groups with PPTP access:
Diagnostics and Logging:
1. In CLI -
2. In GUI - Go to LOGS & REPORTS -> LOG VIEWER
VMare vSphere Hypervisor (ESXi) is a free fully functional hypervisor that lets you virtualize your servers and run your applications in virtual machines. More info at http://www.vmware.com/products/vsphere-hypervisor/overview.html and documentation at http://pubs.vmware.com/vsphere-50/index.jsp
This blog is about creating a bootable Installer of ESXi that you can use to install on a computer. If you wish to install ESXi directly on USB thumb stick and boot from that then check out one of the following
At the time of this blog version 5.0 of ESXI was available and I created this on a Apple Mac running Operating system 10.7.
For a hardware compatibility guide check out http://www.vmware.com/resources/compatibility/search.php?action=base&deviceCategory=server
At the time of writing this the Apple servers running the Xeon 55xx processors are officially supported. Seems to be strong rumors that the new mac mini's will be officially supported with version 5.1 of esxi. Uu-officially it seems the i5 and i7 and Core 2 Duo apple hardware also seems to be working. There are some issues with old apple hardware with usb keyboard and mouse drivers. For the new mac mini you will need a custom Ethernet driver.
There is a nice write up installing this on a Apple Mac mini using a custom Ethernet driver at http://paraguin.com/2012/01/10/the-mac-mini-vmware-esxi-5-server-part-2-installation/
Steps to create a Standard USB thumb stick ESXi Installer
Step 1 : Insert a USB thumb stick you want to use as your installer disk. You will loose ALL data on this USB thumb stick and it does not have to be very large 500MB will be fine.
Step 2: Download the installer http://www.vmware.com/go/get-free-esxi.
At the time of this blog the file I downloaded was called VMware-VMvisor-Installer-5.0.0.update01-623860.x86_64
Step 3 : Download UNetbootin from http://unetbootin.sourceforge.net. This is a great app that is available for Apple Mac, Windows and Linux and will save you lots of time
Step 4 : Launch the UNetbootin application downloaded in Step 3. Select Diskimage (ISO) and select your .iso file you downloaded in Step 2.
Step 4 : Choose type of USB Drive and select the USB thumb stick you inserted in Step 1
Step 5: Click OK and watch the bar move across your screen for a few minutes
That's it you are done. On some hardware platforms that you want to boot from a USB thumb stick you may need to modify the BIOS to boot from USB, this is refereed to as "UEFI" on some systems.
Note : if you get a message "override menu.c32" when running this then at the error prompt select no and it will drop into the shell "boot=" prompt. From here type "mboot" and it will work
I recently came across a strange issue with a computer running Apple 10.7 backing up to time machine running on a Apple 10.6 server
The machine when trying to backup always gave an error type 10.
Time Machine could not complete the backup
The backup disk image “/Volumes/TimeMachine/xxxxxxxx.sparsebundle” could not be created (error 10)
1) Mount the time machine backup volume on your computer
2) Go to System Preferences on your Mac > Sharing and note down the COMPUTER-NAME
3) Open Applications / Utilities / Terminal program and type in:
ifconfig en0 | grep ether
Note down the MAC-ADDRESS, Example 01:4a:d4:35:6c
4) Open Applications / Utilities / Disk Utility
5) Select the "New Image" option to create you new disk image and save it to your Desktop (sometimes Disk Utility does not like saving to a server so save to your desktop) and set the settings as
* Name : Backup
* Size : 100MB
* Format : Mac OS Extended (Case-sensitive, Journaled)
* Encryption : None
* Partitions : No partition map
* Image Format : sparse bundle disk image
* Where : Desktop
6) Choose "Save As" name as the "COMPUTER-NAME_MAC-ADDRESS.sparesebundle" using infor from point 2 and 3 above. For me it was "Laptop_014ad4356c"
7) Click Create and close Disk Utility
8) Now copy the newly created COMPUTER-NAME_MAC-ADDRESS.sparesebundle file to the time machine backup folder that you mounted in step 1 and re-run time machine backups
9) If the file already exists in this location by the name of COMPUTER-NAME or COMPUTER-NAME_MAC-ADDRESS you will need to delete the old one first. Note:// you are about to delete any old time machine backup
When I run this the first time 10.7 time machine actually renamed the file name from COMPUTER-NAME_MAC-ADDRESS to just COMPUTER-NAME.
When you go to run an Adobe Application such as CS5 on your new 10.7 client it will not run and will ask you to install JAVA Runtime.
Adobe have a article about this http://kb2.adobe.com/cps/909/cpsid_90908.html
The catch is the on some company networks that use a software update server this update may not be available yet
Solution : Download this directly from Apple. As of 9th January 2012 it was available from here.
I would suggest checking if a more recent JAVA runtime (JRE) is available if using this link in the future
So about now you have had no choice as that mac mini server you got will not run anything but 10.7 server and kicking and screaming you enter the world of 10.7 lion server.
Straight off the bat, if you don't have to run 10.7 server, don't ! There are major issue's and of this post "10.7.2 was out" so many things were not fit for production, not to mention the fact 10.7 server no longer does print services, ftp, pptp vpn, mysql, tomcat, axis, or QTSS, Work around's for some of these perhaps in another post, but almost all require a high level of command line experience.
But I will concentrate on one of the shortfalls you will face. Apache which is the built in web service built into 10.7 lion server. The catch here is it is ALWAYS on. Even if you turn off web sharing in the server tools going to https://127.0.0.1 or http://127.0.0.1 will still give you a simple webpage.
The issue here is that no matter what you do ports 80 and 443 are still in use. This becomes a very big issue when installing 3rd party programs on the server that need these ports. Examples include Filemaker Server with web-hosting or Kerio Connect that uses these ports for active-sync and webmail. These programs will not operate correctly as they will complain that the port is already in use.
Kerio have release a Knowledge base article at http://kb.kerio.com/article/cannot-start-http-services-on-os-x-lion-server-636.html that tells you how to get around the problem
Simply put as of 10.7.2 server the only options you really have is to turn off the apache server on lion server via the terminal so that other programs will work that need these ports.
In the terminal program type
sudo launchctl unload -w /System/Library/LaunchDaemons/org.apache.httpd.plist
From that point on the pre-installed version on apache will no longer load at boot.
There are some big downside to this. Wiki's will no longer work, profile manager will not work, and you can't run any other websites on the server using Apples built in web service
If you ever need to reverse what you have done, in the terminal type
sudo launchctl load -w /System/Library/LaunchDaemons/org.apache.httpd.plist
There are other ways you can approach this, be no "real" solution
* Change the ports on the filemaker server or kerio mail server to a non standard port. But that means manually defining the ports when checking email or loading a website. Example Https to 8843
* Change the ports as above coupled with inbound port mapping on the firewall. Example, map port 443 on firewall to 8443 on the lion server. This has some drawbacks if your firewall can't do mapped IP's. That is if your firewall is using NAT to forward an port from the external IP of your firewall to the internal IP of your server and you can't type inside your network the external IP of the firewall and reach the internal IP being mapped to this will cause you issues. The end result may be external people can reach the mail server at https://203.5.xxx.xxx but internal people on the local network can't so have to use https:/192.168.1.1:8443. This is not ideal at all as you don't want to reconfigure your mail program each time you leave the office
* Look at setting up a proxy server that forwards requests. This is actually a nice solution when you need apple's services to run as well, but it is not 100% working solution. Example includes Entourage that has issues sending email using port 443 behind a proxy. Someone has already created a nice how to guide here https://grahamgilbert.com/2011/11/kerio-connect-vs-web-servies-in-lion-server/
* Manually modify the apache configs in lion and discontinue the use of any gui. See http://support.apple.com/kb/HT4813
Quick synopsis :
Currently you really only have 2 choices if you want to run 3rd party services such as Kerio Connect and won't it to 100% work
1) Turn off Apple's web service and no longer use Apple's services
2) Start brushing up on your hard core command lines and no longer use Apple's GUI interface and do everything from hand
If anyone else thinks it's strange that a server product that is far cheaper to purchase now and was meant to be pitched at the entry level mum and dad market share is now actually harder to setup and requires a far greater understanding of the way servers work, you are not alone :)
If your iphone running OS5 is not allowing you to do internet tethering "AKA" Personal Hotspot
you will need to go to
then select Reset all Settings
Your iPhone will then reboot and the Personal Hotspot will now re-appear in General / Network
Note : you will loose all network settings and you will need to re-add any saved VPN or wifi settings
------ Update ------
Looks like the latest build of IOS for the iphone now fixed this problem
------ Finish update ------
There is an issue for iphone's running version 5 software on them, that drains the battery power of the iphone
Currently the software is leaving the location tracking services running in the background constantly and draining your battery
To stop this
* Click on "Settings"
* Click on "Services"
* Scroll to the bottom and select "System Services"
* Un-tick "Settings Time Zone" and turn if off (see pic)
Hopefully Apple should fix this in version 5.1
With this disabled if you travel into a different time zone you will have to manually change the date and time / time zone on your phone
How do I setup DHCP redundancy / load balancing so in the event of a Failure of one server the other one can do the job ?
There are a multiple ways to achieve this goal including setting up a
* DHCP Cluster, see http://technet.microsoft.com/en-us/library/ee405263(WS.10).aspx
* DHCP split scope, see http://technet.microsoft.com/en-us/library/cc770535.aspx
* Use "failover peer" support in DHCP failover using RFC 3074 http://tools.ietf.org/html/rfc3074
Yes I refered to microsoft above, get the info where it lies I say.
The easiest and cheapest solution that I would recommend is to setup a DHCP split scope. It does not require complex configurations or DHCP Cluster designs and you can do everything from the GUI with Apple OSX Server
Microsoft recommend a 80/20 rule for this, meaning one server distributes 80% of the DHCP pool and the other server distributes 20% of the DHCP pool.
My recommendation is a 100/100 rule ! Seriously why would you design your network so that in the event of a failure of the primary DHCP server only 20% of your machine can get on the network. Internal IP ranges are free. It does not cost you any more to setup a 10.0.0.1/24 IP range as it does to setup a 10.0.0.1/23 or even a 10.0.0.1/8 network
What that means is rather than your network having 254 IP's that it can use, configure it to be able to use 510 IP's all the way up to 16,777,214 IP's :)
This is really simple to do. Just configure 2 different servers to provide 2 completely different but complimentary IP ranges on the same network.
That's it !
When a computer on the network requests an IP address, whichever is the first DHCP server to respond back provides the IP for that machine. If one Server is slow to respond or under load or has used all it's available IP pool or has failed, the other server's response will be used instead.
The catch here is to make sure that no matter what server responds back the computer requesting the info will be able to see the whole network. So each server MUST provide identical information in every way from DNS servers to Routers to DHCP Options, even reserved IP addresses. The only difference will be the DHCP pool address are different and will NOT use the same IP ranges in them.
An example of a small network
Lets pretend you have 100 computers / devices you want to provide an IP for at any one time on a network and have a small IP block free for server / printers etc.. that you want to be manually configure. We could use a 10.0.0.1/24 scope here
Router : 10.0.0.1
Subnet : 255.255.255.0
DHCP Server 1 : 10.0.0.2
DHCP Server 2 : 10.0.0.3
Servers / printers etc.. : 10.0.4 to 10.0.52
DHCP Pool for computers : 10.0.0.53 to 10.0.0.254
In the above network example just have DHCP Server 1 setup with a DHCP pool of 10.0.0.53 to 10.0.0.153 and DHCP Server 2 with a DHCP pool of 10.0.0.154 to 10.0.0.254. Keep the router and the DNS entries and name server etc.. the same
That's it.. Nice and simple
Now in a larger network you may want double that with the increase of wifi devices etc.. In most organisation's you would budget 4 IP's for every staff. Work phone, mobile phone, computer wifi and computer ethernet port all may ask for an IP at the same time.
There is no difference here as above except to extend the available IP range and make it a /23 and make it 200 IP ranges per server
Router : 10.0.0.1
Subnet : 255.255.254.0
DHCP Server 1 : 10.0.0.2
DHCP Server 2 : 10.0.0.3
Servers / printers : 10.0.4 to 10.0.53
Servers / printers : 10.1.1 to 10.1.53
DHCP Pool, 10.0.0.54 to 10.0.0.54 and 10.0.1.54 to 10.0.1.254
In the above network example just have DHCP Server 1 setup with a DHCP pool of 10.0.0.54 to 10.0.0.254 and DHCP Server 2 with a DHCP pool of 10.0.1.54 to 10.0.1.254.
Want to increase it more than 200 IP's ? No problems you can go all the way to a /8 if you want and give yourself 16,777,214 IP's to play with :)
Remember that if you are running a VPN server and it is providing an IP address in the same IP subnet, you will want to make sure that that IP range is not being distributed via either DHCP server
Generally you would setup your IP phones on your network to be under a different VLAN for QOS = Different IP range again. So you may want to deploy the same setup here as well
For more info on DHCP read