Administration

Enabling digest password on Tomcat

By default, the password for the OnTime Group Calendar for Microsoft bootstrap (administrator) account is stored in clear text. You can enable digest passwords so that the password is stored as a digest instead. To enable this feature, follow the steps below on your OnTime Group Calendar for Microsoft server:

If your OnTime version is 2.5.0 or later, start at point 1; otherwise continue to point 7.

  1. Open a Command Prompt.
  2. Navigate to the directory where you installed OnTime Group Calendar for Microsoft, e.g. "C:\Program Files\IntraVision\OnTimeMS-2.5.0"
  3. List the files using the "dir" command and note the name of the Java runtime directory (e.g. "jdk1.8.0_121-otd") and the Tomcat directory (e.g. "apache-tomcat-8.5.8-otd")
  4. Set the JRE_HOME variable by running the following command, using the Java runtime directory name from above:
    SET JRE_HOME=C:\Program Files\IntraVision\OnTimeMS-2.5.0\jdk1.8.0_121-otd\jre
  5. Change into the Apache Tomcat bin directory, using the Tomcat directory name from above:
    cd apache-tomcat-8.5.8-otd\bin
  6. Continue to point 12.
  7. Open a Command Prompt.
  8. Navigate to the directory where you installed OnTime Group Calendar for Microsoft, e.g. "C:\Program Files\IntraVision\OnTimeMS-1.2.0.4"
  9. List the files using the "dir" command and note the name of the Java runtime directory (e.g. "otd-jdk1.8.0_25") and the Tomcat directory (e.g. "otd-apache-tomcat-8.0.14")
  10. Set the JAVA_HOME variable by running the following command, using the Java runtime directory name from above:
    SET JAVA_HOME=C:\Program Files\IntraVision\OnTimeMS-1.2.0.4\otd-jdk1.8.0_25
  11. Change into the Apache Tomcat bin directory, using the Tomcat directory name from above:
    cd otd-apache-tomcat-8.0.14\bin
  12. Execute the digest.bat file, specifying the administrator password of your choosing on the command line like so:

    digest.bat -a sha-256 <password>
    e.g.
    digest.bat -a sha-256 MyFunkyPassword

    The command returns the plaintext password and the digest password separated by a colon, as shown below. Copy the value after the colon.
    MyFunkyPassword:0e722296bb198829bbc031abe5e011fd047a1c15200364ef5ea94cfd58b26901
  13. Navigate to the conf directory:
    cd ..\conf
  14. Edit the tomcat-users.xml file:
    notepad tomcat-users.xml
  15. Replace the value of the password attribute for the admin user with the digest password you copied above. Save and close the file.
  16. Edit the server.xml file:
    notepad server.xml
  17. Locate the Realm tag referencing "UserDatabase" and change it from
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase" />
    to:
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase" digest="sha-256" />
  18. Save and close the file.
  19. Restart the Apache Tomcat service.

 

You should now be able to log in using the chosen password without the password being stored as plaintext.
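A quick way to confirm the result of the steps above, as an added PowerShell example that is not part of the OnTime documentation: it flags any user entry in tomcat-users.xml whose password is not a 64-character hex digest and reports the digest attribute on the UserDatabase realm in server.xml. The function names are hypothetical, and the XML, the second user name and the role name are constructed sample data.

```powershell
# Added example (not OnTime code). Function names are hypothetical; the XML is constructed sample data.
# On a server, load the real files instead, e.g. [xml](Get-Content -Raw .\tomcat-users.xml)

function Test-TomcatUserDigests {
    param([xml]$UsersXml)
    # tomcat-users.xml may declare a default namespace, so match on local-name().
    foreach ($user in $UsersXml.SelectNodes("//*[local-name()='user']")) {
        [pscustomobject]@{
            User     = $user.GetAttribute('username')
            # digest.bat -a sha-256 output as shown above: exactly 64 hex characters.
            # This checks the shape only, not that the digest matches any password.
            IsDigest = $user.GetAttribute('password') -match '^[0-9a-fA-F]{64}$'
        }
    }
}

function Get-RealmDigest {
    param([xml]$ServerXml)
    $realm = $ServerXml.SelectSingleNode("//Realm[@resourceName='UserDatabase']")
    if ($null -eq $realm) { return $null }   # no realm references UserDatabase
    return $realm.GetAttribute('digest')     # empty string when the attribute is missing
}

$sampleUsers = [xml]@'
<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <user username="admin" password="0e722296bb198829bbc031abe5e011fd047a1c15200364ef5ea94cfd58b26901" roles="example-role"/>
  <user username="second-admin" password="StillInClearText" roles="example-role"/>
</tomcat-users>
'@

$sampleServer = [xml]@'
<Server><Service name="Catalina"><Engine name="Catalina" defaultHost="localhost">
  <Realm className="org.apache.catalina.realm.LockOutRealm">
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase" digest="sha-256" />
  </Realm>
</Engine></Service></Server>
'@

# Any row with IsDigest = False is still stored in clear text.
Test-TomcatUserDigests $sampleUsers | Format-Table -AutoSize

$digest = Get-RealmDigest $sampleServer
if ($digest -ne 'sha-256') {
    Write-Warning "UserDatabase realm digest is '$digest', expected 'sha-256'"
} else {
    "UserDatabase realm digest: $digest"
}
```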

 

Unable to connect to Load Balancer/Exchange Server using self-signed certificate

Symptom

A stack trace in ontigms.0.0.log containing something like:
"PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"

Fix

Import the root and intermediate certificates into the Java keystore used by the OnTime for Microsoft solution. The example below is based on OnTime for Microsoft v. 1.1.0.6; the solution is the same for other releases, although the paths will have to be modified slightly depending on the version deployed.

  1. Back up C:\Program Files\IntraVision\OnTimeMS-1.1.0.6\otd-jdk1.8.0_25\jre\lib\security\cacerts
  2. Export the root and any intermediate certificates, using "Copy to File" for each and choosing the PEM/CER (Base64 encoded) format. This may be done using a web browser. Here we are using *.cer.
  3. Copy the *.cer files to C:\Program Files\IntraVision\OnTimeMS-1.1.0.6\otd-jdk1.8.0_25\jre\lib\security\
  4. From that directory, using password "changeit" (unless manually changed), install the root certificate:
    ..\..\..\bin\keytool -import -trustcacerts -alias root -file root.cer -keystore cacerts
    Using password "changeit" (unless manually changed), install the intermediate certificates:
    ..\..\..\bin\keytool -import -trustcacerts -alias intermediateXX -file intermediateXX.cer -keystore cacerts

Restart OnTime for Microsoft.

Domain (SSO) login fails with 400 Bad Request RequestUri/Field Too Long

Symptom

When accessing OnTime for Microsoft with domain (SSO) login enabled, the server reports "HttpStatus Code 400 Bad Request – RequestUrl/Field to Long" during the domain logon redirect.

On the OnTime server, C:\Windows\System32\LogFiles\HTTPERR\httperr1.log shows:
2015-12-10 12:51:43 10.41.32.152 62489 10.41.40.35 80 HTTP/1.1 GET /ontime/auth.html?redirect=http://ch-s-0008355:8080/ontimegcms/ 400 - RequestLength -

Fix

Using regedit, add the following DWORD values (entered as decimal) under the key

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters

Value name        DWORD (decimal value)
MaxFieldLength    65534
MaxRequestBytes   65534
MaxTokenSize      65535

Stop the OnTimeMSAuth NT Service.

Restart the HTTP service from an elevated command prompt:

>net stop http

>net start http

Start the OnTimeMSAuth NT Service.

How to determine the USERDOMAIN for a license key

 

The license for OnTime requires the USERDOMAIN name of the Windows server on which the OnTime server runs. This is true for both trial and production environments.

You can find the USERDOMAIN by running the 'set' command from a Command Prompt. The machine you run the set command on must be part of the same domain as your future OnTime server. Please make sure that you do not select the USERDNSDOMAIN. Please see the example below.