NEOSYS Technical Support Wiki - User contributions [en]

EXODUS Knowledge

2022-03-16T15:41:33Z

Steve: /* Single Patches */

==TMUX Screens==

To create the EXODUS maintenance/programming environment
exodus#: ./tmux.exodus

===Screens===
<pre>
0: /
Work regarding exodus server. i.e /etc/nagios or general networking or /var/log/mail.log

1: /root/exodus/
Exodus core is installed Contains build and make libraries here ./libexodus

2: /root/exodus/libexodus/exodus
Core exodus (libraries that emulate the AREV system e.g mv.h )

3: /root/exodus/cli/src
Exodus Command Line Interface e.g edir, edic, list, listfiles, delete, createdb

4: root/exodus/service
EXODUS core default host directory but also contains scripts that create/manage requirements of a service (create_service, create_db, create_site, backup_db, restore_db, start, stop, status)
One exception is NEOSYS www files are in ./www, which pulled from NEOSYS www git.

5: /root/exodus/service/src
Exodus core service programs (programs that are not related to NEOSYS agency operations and can be used to support other non-NEOSYS services) eg listen, usersubs, sendmail, openfile, select, sort, list,.

Extra info:
sql directory contains basic dictiorary files converted to sql instructions used when creating a EXODUS psql database
e.g dict_voc.sql is a file that describes what to expect in certain fields of the voc file.
TODO: compall currently throws few warnings. Read them and familiarise. In case new warnings appear, notify Steve.

6: /root/neosys
NEOSYS specific client installation management scripts e.g .doall, import_db and import_files (from AREV), ./run ./test (see below for these two commands)

7: /root/neosys/src
NEOSYS Agency programs (see section How AREV programs are distributed in EXODUS src/*.cpp
../ has .git

8: /root/hosts
client specific files e.g logs, images, (shared ./www -> root/exodus/service/www

9: /root/exodus/test/src
series of programs that test whether subroutines (specifically Exodus core libraries) work as they should eg for the var lib - "assert( var("11111").isnum());"

10: bash /bin/top
Monitor for NEOSYS client processes
Displays customised format: sorted by total time spend and by processor time.
Press "=" : to change to standard top format
Press shift + w : to save format settings, replacing the old customised top format
To go back to the customised format do:
Press "o"
Type "COMMAND=serve_agy"
shift + t : this sorts by total time spent
shift + p : this sorts by processor time
shift + w : to save this setting and enter 'y' to confirm

11: /var/log/syslog
Log of NEOSYS client requests

12: /root/exodus/service/quick
Displays the last time the svr file (in /root/hosts/<client>/data/<dbname>) was updated.
</pre>

==Object Code/Libraries==
LIVE and TEST processes use different sets of object code.
TEST processes use libraries in ~/lib/, whereas LIVE processes use object code in ~/neo/lib

This means development & testing can be done stress free on TEST database, as opposed to testing on production databases.

When compiling using edic, the TEST object code is updated if the compilation is successful. (~/lib)
In order to apply a tested patch to LIVE see [[Update LIVE programs]].

==Dictionaries==
Dictionaries, the files used to describe the fields of a file's record.
Unlike in AREV, there is a copy of all dictionaries in each pgsql database (In AREV, updating a dictionary would affect all the databases).

==Processes==
The TEST process for all database use the same object code stored in /root/lib, whereas all LIVE process use the object code in /root/neo/.

==Postgres==
Connect into postgres shell:
alias psql='sudo -u postgres psql'

Delete a database:
sudo -u postgres dropdb <dbcode>

==Debugging Exodus==

===Debugging Live/Test services===

./test <dbname> - execute test programs on _test database.

./run <dbname> - execute test programs on live database.

===Debugging var values===

Explanation of var flag value in gdb debug mode.

<pre>
(gdb) p varx
$2 = {var_str = "", var_int = 0, var_dbl = 0, var_typ = {flags_ = 2}}
</pre>

Each exodus var object contains 3 variables of type string, int and double.

All 3 may be unassigned or only the string be assigned or just the int and double e.t.

You can tell which variable type of a var object are set based on the var's flag value.

1 = Means the string is assigned
2 = Means the int is assigned
4 = Means the double is assigned

Example: If the flag is 7 (1+2+4), then all types are assigned.

===Process Hung or consuming +100% CPU===
If process is consuming +100% CPU then it is likely stuck in an infinite loop.

./doall <CLIENT> stop

./run <CLIENT>

./test <CLIENT>

Search through recent logs for <CLIENT> looking for requests that didn't return OK at the time nagios alerted of Hung process.

A user may also instigate the error again, so monitor the CLIENT's service CPU usage.

If cause found recreate it in test and once test process hit +100% break in test debugger.

If cause not found, you will have to continue checking logs for the request that caused it or hope a user recreates the issue in live debugged service.

Once you've broken in the debugged with the error, enter "n" and hold the enter key until you just seeing line repeat.

Pay attention to start of loops code. E.g WHILE or FOR. (there is likely an error is there)

==./doall==
====General====

~/neosys/doall [LIVE|TEST] <DBCODE|ALL> < ACTION [OPTIONS,..] | bash -- COMMAND ]

Example:
./doall TEST ALL create_site t-
Result:
Create site for ALL TEST databases, using domain name prefix option "t-".

Screen 6: ./doall script contains all the necessary information(codes) to setup an installation.
It includes scripts to backup, restore, create an Apache site, create/start/stop/status a service, import an AREV database into postgres and more.

====backup_db====

*Does a backup & restore of a LIVE database into the corresponding TEST database.
*Backup <dbcode>.sql file is written to /root/backups/sql; which is rsynced to nl19:/backups/current/exodus/
*Unlike AREV, postgres can perform a "backup" of a database whilst the system is in use.

==Git==

There are two repositories, one for EXODUS and the other for NEOSYS.

===Using git to make changes===

Before following steps you must have a tested updated to a program/file/script. Do not commit untested changes to avoid a messy git history of reverts.

Update your local repo before committing to local repo using the g alias for "git pull --ff-only ; git push && git status'":
<pre>g</pre>
Check which updates/files have not yet been staged and/or committed:
Add your updates to the staged area:
<pre>git add <filename></pre>
or if all the changes made need to be staged:
<pre>git add -a</pre>
Make a commit with a descriptive message on purpose of updates:
<pre>git commit -m <description n purpose of changes></pre>
Again use g alias:
<pre>g</pre>

===Other useful git cmds===

Do not use this commands unless you know what WILL happen.
*git pull - Instead use the safe "git pull --ff-only"
Stick to the alias "g" which does "git pull --ff-only ; git push && git status'"

*git log - display history of commits to master branch
*git diff - display the differences in files between working files and files in local repo.
*git status - display: which updated files are staged/not staged(tracked)
*git stash -
*git branch - switch to a new branch
*git branch <branchname> - will switch to this branch only if it exists
*git checkout - DESTROYS/Updates the state of local working directory with the state of the files in the local repo. (YOU WILL LOSE non staged updates)
*git restore <filename> - DESTROYS/Updates the file with the version in the local repo. (like with git checkout but for a specific file)
*git checkin -
*git revert <commitHash> - reverses a specific commit (use git log to get the chosen commit hash)
*git ..

==Converting AREV programs to EXODUS==
===Decompile AREV to C++===

Do in Master AREV Installation Maintenance mode: (win7)

#ATTACH ADECOMC
#*ADECOM <programname> *single program
#*ADECOM <prog1> <prog2>
#*ADECOMALL *all programs (CHECK FIRST)

Include the option "(V)" in the command to print the C++ to a notepad, which can easily be copy and pasted.

===Getting C++ program to Exodus Installation===

Two methods: (use the first for one off programs)

====Copy & Paste====

Compile program and open source code in notepad

ADECOM <programname> (V)

Find which directory the program belongs. e.g fin/med/job/sys e.t

find /cygdrive/d/exodus/pickos | grep <program name>

If cpp in SYS, the program belongs in ~/exodus/service/src OR if in MED JOB FIN GEN AGY the program belongs in ~/neosys/src

Copy the source code in the text file from the first command.

In Exodus, create a new .cpp (in correct directory) and paste the source code.

Compile & Test

====Rsync====

/d/exodus/arev/syncup.sh

If cpp in SYS then: ~/exodus/service/src ./getpickos

If cpp in MED JOB FIN GEN AGY then: *~/neosys/src

===Compile C++ files to TEST system===

#*./test <DBNAME>
#*~/neosys ./doall TEST <DBNAME> restart #to get one service to start start using the new lib files
#*~/neosys ./doall TEST all restart #to get all the services to start start using the new lib files

===Install C++ files to LIVE System===

#~/exodus/service/ ./copyall #to copy all the ~/lib and bin files to ~/live/lib and bin ... which is used by all exodus/live services

==Writing Standard Exodus Core Function/Method Testing==
Screen 9: ~/exodus/test/src/
There are a series of test programs that check whether methods/functions behave as intended.
They do this using the function, assert.. a 1 or more argument values produce one and only one output)

e.g test_multilang.cpp or test_sort.cpp

Two methods of running test programs:
*Screen 9: make test
*after compiling using edic/compile/c, enter test_prog_name. (Since compile has moved it to ~/bin)

Difference between the two methods is make calls gdb directly;
whereas ~/bin/test_prog_name uses exodus compile program
#~/neosys ./doall LIVE all restart

==Updating a pgsql function in an exodus dictionary==

PENDING

==Development and deployment using 'dat' files==

===Rationale===

Part of system development is the creation of various data that is neither programs nor layout i.e. not cpp, h, html, js, php files etc.

For example:

*Dictionaries are data about data.
*Language files are data about text to use for various languages.
*“Change logs” are data about changes in the system.

Historically, in EXODUS and NEOSYS, the above data has been deployed in exodus database files using SQL text files. However SQL files are not convenient for development.

Therefore, 'dat' text files will be used now so that standard development tools including editors and git can be fully exploited.

==='dat' files===

Each database file is represented by an os directory of the same name.

Each record in the database file is represented by an os text file where filename is the primary key.

For example a record with key '''DEADLINE''' in a dat file '''dict.materials''' would be represented as an os text file '''dat/dict.materials/DEADLINE'''

Each line in the os text file represents one field in the db record. In other words, db record FM characters are represented by new line characters in 'dat' files. Any actual new line characters required in the record, and any backslashes, are escaped and appear as '\n' and '\\' in 'dat' files. Other database field separator characters such as VM, SM, TM and STM are stored without any conversion.

===Location of dat files===

The development versions are stored in exodus and neosys src/dat dirs. They form part of the standard git repositories in parallel with cpp files.

The operational versions are stored in ~/dat and ~/live/dat alongside bin and lib dirs and are automatically installed into databases as database files on service startup. Any database functions embedded in the text files (pgsql) are also automatically installed at the same time.

===Editing and deploying a 'dat' file===

It is currently a three step process to edit and deploy such 'dat' files.

====Edit the 'dat' file====

Note that EXODUS service and NEOSYS service have different src/dat folders.

Editing language items:

edir dat/alanguage/SCHEDULES*ARABIC

Editing a dictionary item:

edir dat/dict.materials/DEADLINE

Editing a pgsql function in a dictionary:

edir dat/dict.materials/DEADLINE 8

====Copy all 'dat' files to ~/dat ====

This step might be removed at a later date.

This will cause all test databases to immediately restart and load any 'dat' file changes into dictionaries and data files and also create any new or modified pgsql functions.

If any ~/neosys/src/dat files were edited:

cd ~/neosys/src

./compall dat

and/or, if exodus/service/dat files were edited

cd ~/exodus/service/src

./compall dat

====Copy all programs and 'dat' files to ~/live/bin|lib|dat====

This should only be run after testing. It will cause all live databases to automatically restart and do the same as the test databases mentioned above.

cd ~/exodus/service

./copyall CONFIRM

==Upgrading Exodus==

#Develop patch in Dev system

===Single Patches===

#Insert patches into various files and compile if necessary
#If patch dat files then run neosys compall to get dat files into ~/dat
*If Patsalides:
*#SITE_DIR=ptcy ./test basic #requires /etc/systemd/system/agy_test@.service to have been patched like agy_live@.service
*#web login to BASIC_TEST to test
*If not patsalides
*#./test DBCODE
*#login to DBCODE and test
#If all ok
#./copyall
#CHECK what WILL be copied!
#Judge if really need to get people off (unlikely for typical patch) and request users to logout for 10 mins
#./copyall CONFIRM and CHECK what was copied is as per exceptions same as previous step
#./copyone could be used instead of copyall but it has no test mode and does not copy dat files

===Upgrading to new version===

Use when there are too many changes to do individually patches.

#Inform clients.
#*Client hosted - Schedule a planned upgrade with client.
#*NEOSYS hosted - Inform all clients/users of planned morning upgrade, 24hours in advanced. (TODO: 'What's New in NEOSYS') AND (emailallusers.cpp)
#If the morning's USB backup failed, do NOT continue upgrade procedure because if upgrade fails, we need a way to roll back system to last working state.
#Check upgrade works on test service using:/root/neosys/upgrade.all.sh test
#Check the latest patch is working.
#Run/root/neosys/upgrade.all.sh live
#Inform users their system has been upgraded and they can login.

===Roll Back Upgrade===

If for any reason the entire upgrade needs to be reverted (excludes clients database), follow steps below:

#Inform users that there is a problem and services need to be stopped.
#Stop all exodus processes.
#Restore the morning's USB backup by: (Note this backup contains: source/obj code, /etc, neosys scripts but not client data)
##Login into container's host and rsync the morning's usb backup to the container's /:
#*<pre>rsync --dry-run -avz -e 'ssh -p <C_SSHPORT>' /backups/usb/<C_CODE> <C_CODE>:/ (Example: rsync --dry-run -avz -e 'ssh -p 19582' /backups/usb/ad1 ad1:/</pre>)
#Quick sane check, the latest git commit is not the latest git commit in the remote repo.
#Inform users they can login.

==Configuring services to autostart during login==
For Ptcy.

#Create a file 'autostart.cfg' in the data folder

touch /root/hosts/<dbname>/data/autostart.cfg

This will autostart a database service as long as at least one database service in that directory is running.

For example, demo service will autostart during login if,
#/root/hosts/demo/data/autostart.cfg exists and
#demo_test service is running

==Speedup postgresql importing databases==

Can be sped up by a factor of 10 BUT may result in corrupt files in case of hard OS crash where the dirty memory is not flushed to storage.

Therefore it is advisable to use this feature only briefly and REMEMBER TO REMOVE IT!

Email to support@neosys.com whenever using it or use personal notes not memory.

nano /etc/postgresql/12/main/postgresql.conf

Uncomment or add a line
fsync = off
Restart postgres … will break any neosys/exodus running processes.
r postgresql
or reload postgres may also work

EXODUS Knowledge

2021-12-22T10:49:15Z

Steve: compall gets new option to skip compilation and only copy dat files

EXODUS Knowledge

2021-12-06T10:06:18Z

Steve: /* Install all 'dat' files in ~/dat */

==TMUX Screens==

To create the EXODUS maintenance/programming environment
exodus#: ./tmux.exodus

<pre>
SCREEN NAME STANDARD PATH PURPOSE
#ex1_root - /root - general usage
#exodus - /root/exodus -
#exodus src - /root/exodus/exodus/libexodus/exodus - LibExodus is the core EXODUS library source files (emulating AREV CRUD)
#exo cli - /root/exodus/cli/src - Core EXODUS program which can be executed from bash (clearfile, edir, edic, compile)
#service - /root/exodus/service - Default working environment for EXODUS only service, including EXODUS core www and data directories. Also used to keep NEOSYS database installation scripts.
#ser src - /root/exodus/service/src -
#neosys - /root/neosys - ./doall
#neo src - /root/neosys/src -
#hosts - /root/hosts -
#test src - /root/exodus/test/src -
#t10 - ~/ -
#t11 - ~/ -
#t12 - ~/ -
</pre>

===Object Code/Libraries===
LIVE and TEST processes use different sets of object code.
TEST processes use libraries in ~/lib/, whereas LIVE processes use object code in ~/neo/lib

This means development & testing can be done stress free on TEST database, as opposed to testing on production databases.

When compiling using edic, the TEST object code is updated if the compilation is successful. (~/lib)
In order to apply a tested patch to LIVE see [[Update LIVE programs]].

===Dictionaries===
Dictionaries, the files used to describe the fields of a file's record.
Unlike in AREV, there is a copy of all dictionaries in each pgsql database (In AREV, updating a dictionary would affect all the databases).

===Processes===
The TEST process for all database use the same object code stored in /root/lib, whereas all LIVE process use the object code in /root/neo/.

===Postgres===
Connect into postgres shell:
sudo -u postgres psql

List databases once in postgres shell:
\l

Delete a database:
sudo -u postgres dropdb <dbcode>

===./doall===

====General====
Screen 6: ./doall script contains all the necessary information(codes) to setup an installation.
It includes scripts to backup, restore, create an Apache site, create/start/stop/status a service, import an AREV database into postgres and more.

====backup_db====

*Does a backup & restore of a LIVE database into the corresponding TEST database.
*Backup <dbcode>.sql file is written to /root/backups/sql; which is rsynced to nl19:/backups/current/exodus/
*Unlike AREV, postgres can perform a "backup" of a database whilst the system is in use.

==Git==

There are two repositories, one for EXODUS and the other for NEOSYS.

===Using git to make changes===

Before following steps you must have a tested updated to a program/file/script. Do not commit untested changes to avoid a messy git history of reverts.

Update your local repo before committing to local repo using the g alias for "git pull --ff-only ; git push && git status'":
<pre>g</pre>
Check which updates/files have not yet been staged and/or committed:
Add your updates to the staged area:
<pre>git add <filename></pre>
or if all the changes made need to be staged:
<pre>git add -a</pre>
Make a commit with a descriptive message on purpose of updates:
<pre>git commit -m <description n purpose of changes></pre>
Again use g alias:
<pre>g</pre>

===Other useful git cmds===

Do not use this commands unless you know what WILL happen.
*git pull - Instead use the safe "git pull --ff-only"
Stick to the alias "g" which does "git pull --ff-only ; git push && git status'"

*git log - display history of commits to master branch
*git diff - display the differences in files between working files and files in local repo.
*git status - display: which updated files are staged/not staged(tracked)
*git stash -
*git branch - switch to a new branch
*git branch <branchname> - will switch to this branch only if it exists
*git checkout - DESTROYS/Updates the state of local working directory with the state of the files in the local repo. (YOU WILL LOSE non staged updates)
*git restore <filename> - DESTROYS/Updates the file with the version in the local repo. (like with git checkout but for a specific file)
*git checkin -
*git revert <commitHash> - reverses a specific commit (use git log to get the chosen commit hash)

==Converting AREV to EXODUS==
===Decompile AREV to C++===
(Do in win10a Maintenance mode)

#Apply tested patch to win10a (master AREV Dev system)
#ATTACH ADECOMC
#*ADECOM <programname> *single program
#*ADECOMALL *all programs (CHECK THIS FIRST)
#*ADECOM <prog1> <prog2> *(CHECK IF THIS WORKS)

===Send c++ files from win10a to nl19===
(Do in win10a Cygwin)

#/d/exodus/arev/syncup.sh

===Get c++ files from nl19 to exodus===
(Do in Exodus system)

#If cpp in SYS then: ~/exodus/service/src ./getpickos
#If cpp in MED JOB FIN GEN AGY then: *~/neosys/src ./getpickos
#Compile single cpp then: c <programname> e.g "c monitor2"
#Compile all cpp then: ./compall (PENDING WHICH/WHERE? many compall)

===Compile C++ files to TEST system===

#*./test <DBNAME>
#*~/neosys ./doall TEST <DBNAME> restart #to get one service to start start using the new lib files
#*~/neosys ./doall TEST all restart #to get all the services to start start using the new lib files

===Install C++ files to LIVE System===
WARNING

#~/exodus/service/ ./copyall #to copy all the ~/lib and bin files to ~/live/lib and bin ... which is used by all exodus/live services

==Writing Standard Exodus Core Function/Method Testing==
Screen 9: ~/exodus/test/src/
There are a series of test programs that check whether methods/functions behave as intended.
They do this using the function, assert.. a 1 or more argument values produce one and only one output)

e.g test_multilang.cpp or test_sort.cpp

Two methods of running test programs:
*Screen 9: make test
*after compiling using edic/compile/c, enter test_prog_name. (Since compile has moved it to ~/bin)

Difference between the two methods is make calls gdb directly;
whereas ~/bin/test_prog_name uses exodus compile program
#~/neosys ./doall LIVE all restart

==Updating a pgsql function in an exodus dictionary==

PENDING

==Troubleshooting postfix emailing issues==

To view current configuration in main.cf
postconf -n

To update the value of a parameter
postconf relayhost=mailout.neosys.com:2500

To restart postfix service
service postfix restart

Send a test email using "mail" and watch the logs to verify
mail <email>
journalctl -f

==Development and deployment using 'dat' files==

===Rationale===

Part of system development is the creation of various data that is neither programs nor layout i.e. not cpp, h, html, js, php files etc.

For example:

*Dictionaries are data about data.
*Language files are data about text to use for various languages.
*“Change logs” are data about changes in the system.

Historically, in EXODUS and NEOSYS, the above data has been deployed in exodus database files using SQL text files. However SQL files are not convenient for development.

Therefore, 'dat' text files will be used now so that standard development tools including editors and git can be fully exploited.

==='dat' files===

Each database file is represented by an os directory of the same name.

Each record in the database file is represented by an os text file where filename is the primary key.

For example a record with key '''DEADLINE''' in a dat file '''dict.materials''' would be represented as an os text file '''dat/dict.materials/DEADLINE'''

Each line in the os text file represents one field in the db record. In other words, db record FM characters are represented by new line characters in 'dat' files. Any actual new line characters required in the record, and any backslashes, are escaped and appear as '\n' and '\\' in 'dat' files. Other database field separator characters such as VM, SM, TM and STM are stored without any conversion.

===Location of dat files===

The development versions are stored in exodus and neosys src/dat dirs. They form part of the standard git repositories in parallel with cpp files.

The operational versions are stored in ~/dat and ~/live/dat alongside bin and lib dirs and are automatically installed into databases as database files on service startup. Any database functions embedded in the text files (pgsql) are also automatically installed at the same time.

===Editing and deploying a 'dat' file===

It is currently a three step process to edit and deploy such 'dat' files.

====Edit the 'dat' file====

Note that EXODUS service and NEOSYS have different src/dat folders.

Editing language items:

edir dat/alanguage/SCHEDULES*ARABIC

Editing a dictionary item:

edir dat/dict.materials/DEADLINE

Editing a pgsql function in a dictionary:

edir dat/dict.materials/DEADLINE 8

====Copy all programs and 'dat' files to ~/bin|lib|dat ====

This step might be removed at a later date.

This will cause all test databases to immediately restart and load any 'dat' file changes into dictionaries and data files and also create any new or modified pgsql functions.

If any ~/neosys/src/dat files were edited:

cd ~/neosys/src && ./compall

and/or, if exodus/service/dat files were edited

cd ~/exodus/service/src && ./compall

====Copy all programs and 'dat' files to ~/live/bin|lib|dat====

This will cause all live databases to automatically restart and do the same as the test databases mentioned above.

cd ~/exodus/service && ./copyall CONFIRM

EXODUS Knowledge

2021-12-06T10:05:41Z

Steve: /* Copy all programs and 'dat' files to live */

==TMUX Screens==

To create the EXODUS maintenance/programming environment
exodus#: ./tmux.exodus

<pre>
SCREEN NAME STANDARD PATH PURPOSE
#ex1_root - /root - general usage
#exodus - /root/exodus -
#exodus src - /root/exodus/exodus/libexodus/exodus - LibExodus is the core EXODUS library source files (emulating AREV CRUD)
#exo cli - /root/exodus/cli/src - Core EXODUS program which can be executed from bash (clearfile, edir, edic, compile)
#service - /root/exodus/service - Default working environment for EXODUS only service, including EXODUS core www and data directories. Also used to keep NEOSYS database installation scripts.
#ser src - /root/exodus/service/src -
#neosys - /root/neosys - ./doall
#neo src - /root/neosys/src -
#hosts - /root/hosts -
#test src - /root/exodus/test/src -
#t10 - ~/ -
#t11 - ~/ -
#t12 - ~/ -
</pre>

===Object Code/Libraries===
LIVE and TEST processes use different sets of object code.
TEST processes use libraries in ~/lib/, whereas LIVE processes use object code in ~/neo/lib

This means development & testing can be done stress free on TEST database, as opposed to testing on production databases.

When compiling using edic, the TEST object code is updated if the compilation is successful. (~/lib)
In order to apply a tested patch to LIVE see [[Update LIVE programs]].

===Dictionaries===
Dictionaries, the files used to describe the fields of a file's record.
Unlike in AREV, there is a copy of all dictionaries in each pgsql database (In AREV, updating a dictionary would affect all the databases).

===Processes===
The TEST process for all database use the same object code stored in /root/lib, whereas all LIVE process use the object code in /root/neo/.

===Postgres===
Connect into postgres shell:
sudo -u postgres psql

List databases once in postgres shell:
\l

Delete a database:
sudo -u postgres dropdb <dbcode>

===./doall===

====General====
Screen 6: ./doall script contains all the necessary information(codes) to setup an installation.
It includes scripts to backup, restore, create an Apache site, create/start/stop/status a service, import an AREV database into postgres and more.

====backup_db====

*Does a backup & restore of a LIVE database into the corresponding TEST database.
*Backup <dbcode>.sql file is written to /root/backups/sql; which is rsynced to nl19:/backups/current/exodus/
*Unlike AREV, postgres can perform a "backup" of a database whilst the system is in use.

==Git==

There are two repositories, one for EXODUS and the other for NEOSYS.

===Using git to make changes===

Before following steps you must have a tested updated to a program/file/script. Do not commit untested changes to avoid a messy git history of reverts.

Update your local repo before committing to local repo using the g alias for "git pull --ff-only ; git push && git status'":
<pre>g</pre>
Check which updates/files have not yet been staged and/or committed:
Add your updates to the staged area:
<pre>git add <filename></pre>
or if all the changes made need to be staged:
<pre>git add -a</pre>
Make a commit with a descriptive message on purpose of updates:
<pre>git commit -m <description n purpose of changes></pre>
Again use g alias:
<pre>g</pre>

===Other useful git cmds===

Do not use this commands unless you know what WILL happen.
*git pull - Instead use the safe "git pull --ff-only"
Stick to the alias "g" which does "git pull --ff-only ; git push && git status'"

*git log - display history of commits to master branch
*git diff - display the differences in files between working files and files in local repo.
*git status - display: which updated files are staged/not staged(tracked)
*git stash -
*git branch - switch to a new branch
*git branch <branchname> - will switch to this branch only if it exists
*git checkout - DESTROYS/Updates the state of local working directory with the state of the files in the local repo. (YOU WILL LOSE non staged updates)
*git restore <filename> - DESTROYS/Updates the file with the version in the local repo. (like with git checkout but for a specific file)
*git checkin -
*git revert <commitHash> - reverses a specific commit (use git log to get the chosen commit hash)

==Converting AREV to EXODUS==
===Decompile AREV to C++===
(Do in win10a Maintenance mode)

#Apply tested patch to win10a (master AREV Dev system)
#ATTACH ADECOMC
#*ADECOM <programname> *single program
#*ADECOMALL *all programs (CHECK THIS FIRST)
#*ADECOM <prog1> <prog2> *(CHECK IF THIS WORKS)

===Send c++ files from win10a to nl19===
(Do in win10a Cygwin)

#/d/exodus/arev/syncup.sh

===Get c++ files from nl19 to exodus===
(Do in Exodus system)

#If cpp in SYS then: ~/exodus/service/src ./getpickos
#If cpp in MED JOB FIN GEN AGY then: *~/neosys/src ./getpickos
#Compile single cpp then: c <programname> e.g "c monitor2"
#Compile all cpp then: ./compall (PENDING WHICH/WHERE? many compall)

===Compile C++ files to TEST system===

#*./test <DBNAME>
#*~/neosys ./doall TEST <DBNAME> restart #to get one service to start start using the new lib files
#*~/neosys ./doall TEST all restart #to get all the services to start start using the new lib files

===Install C++ files to LIVE System===
WARNING

#~/exodus/service/ ./copyall #to copy all the ~/lib and bin files to ~/live/lib and bin ... which is used by all exodus/live services

==Writing Standard Exodus Core Function/Method Testing==
Screen 9: ~/exodus/test/src/
There are a series of test programs that check whether methods/functions behave as intended.
They do this using the function, assert.. a 1 or more argument values produce one and only one output)

e.g test_multilang.cpp or test_sort.cpp

Two methods of running test programs:
*Screen 9: make test
*after compiling using edic/compile/c, enter test_prog_name. (Since compile has moved it to ~/bin)

Difference between the two methods is make calls gdb directly;
whereas ~/bin/test_prog_name uses exodus compile program
#~/neosys ./doall LIVE all restart

==Updating a pgsql function in an exodus dictionary==

PENDING

==Troubleshooting postfix emailing issues==

To view current configuration in main.cf
postconf -n

To update the value of a parameter
postconf relayhost=mailout.neosys.com:2500

To restart postfix service
service postfix restart

Send a test email using "mail" and watch the logs to verify
mail <email>
journalctl -f

==Development and deployment using 'dat' files==

===Rationale===

Part of system development is the creation of various data that is neither programs nor layout i.e. not cpp, h, html, js, php files etc.

For example:

*Dictionaries are data about data.
*Language files are data about text to use for various languages.
*“Change logs” are data about changes in the system.

Historically, in EXODUS and NEOSYS, the above data has been deployed in exodus database files using SQL text files. However SQL files are not convenient for development.

Therefore, 'dat' text files will be used now so that standard development tools including editors and git can be fully exploited.

==='dat' files===

Each database file is represented by an os directory of the same name.

Each record in the database file is represented by an os text file where filename is the primary key.

For example a record with key '''DEADLINE''' in a dat file '''dict.materials''' would be represented as an os text file '''dat/dict.materials/DEADLINE'''

Each line in the os text file represents one field in the db record. In other words, db record FM characters are represented by new line characters in 'dat' files. Any actual new line characters required in the record, and any backslashes, are escaped and appear as '\n' and '\\' in 'dat' files. Other database field separator characters such as VM, SM, TM and STM are stored without any conversion.

===Location of dat files===

The development versions are stored in exodus and neosys src/dat dirs. They form part of the standard git repositories in parallel with cpp files.

The operational versions are stored in ~/dat and ~/live/dat alongside bin and lib dirs and are automatically installed into databases as database files on service startup. Any database functions embedded in the text files (pgsql) are also automatically installed at the same time.

===Editing and deploying a 'dat' file===

It is currently a three step process to edit and deploy such 'dat' files.

====Edit the 'dat' file====

Note that EXODUS service and NEOSYS have different src/dat folders.

Editing language items:

edir dat/alanguage/SCHEDULES*ARABIC

Editing a dictionary item:

edir dat/dict.materials/DEADLINE

Editing a pgsql function in a dictionary:

edir dat/dict.materials/DEADLINE 8

====Install all 'dat' files in ~/dat ====

This step might be removed at a later date.

This will cause all test databases to immediately restart and load any 'dat' file changes into dictionaries and data files and also create any new or modified pgsql functions.

If any ~/neosys/src/dat files were edited:

cd ~/neosys/src && ./compall

and/or, if exodus/service/dat files were edited

cd ~/exodus/service/src && ./compall

====Copy all programs and 'dat' files to ~/live/bin|lib|dat====

This will cause all live databases to automatically restart and do the same as the test databases mentioned above.

cd ~/exodus/service && ./copyall CONFIRM

EXODUS Knowledge

2021-12-06T10:04:39Z

Steve: /* Install all 'dat' files */

==TMUX Screens==

To create the EXODUS maintenance/programming environment
exodus#: ./tmux.exodus

<pre>
SCREEN NAME STANDARD PATH PURPOSE
#ex1_root - /root - general usage
#exodus - /root/exodus -
#exodus src - /root/exodus/exodus/libexodus/exodus - LibExodus is the core EXODUS library source files (emulating AREV CRUD)
#exo cli - /root/exodus/cli/src - Core EXODUS program which can be executed from bash (clearfile, edir, edic, compile)
#service - /root/exodus/service - Default working environment for EXODUS only service, including EXODUS core www and data directories. Also used to keep NEOSYS database installation scripts.
#ser src - /root/exodus/service/src -
#neosys - /root/neosys - ./doall
#neo src - /root/neosys/src -
#hosts - /root/hosts -
#test src - /root/exodus/test/src -
#t10 - ~/ -
#t11 - ~/ -
#t12 - ~/ -
</pre>

===Object Code/Libraries===
LIVE and TEST processes use different sets of object code.
TEST processes use libraries in ~/lib/, whereas LIVE processes use object code in ~/neo/lib

This means development & testing can be done stress free on TEST database, as opposed to testing on production databases.

When compiling using edic, the TEST object code is updated if the compilation is successful. (~/lib)
In order to apply a tested patch to LIVE see [[Update LIVE programs]].

===Dictionaries===
Dictionaries, the files used to describe the fields of a file's record.
Unlike in AREV, there is a copy of all dictionaries in each pgsql database (In AREV, updating a dictionary would affect all the databases).

===Processes===
The TEST process for all database use the same object code stored in /root/lib, whereas all LIVE process use the object code in /root/neo/.

===Postgres===
Connect into postgres shell:
sudo -u postgres psql

List databases once in postgres shell:
\l

Delete a database:
sudo -u postgres dropdb <dbcode>

===./doall===

====General====
Screen 6: ./doall script contains all the necessary information(codes) to setup an installation.
It includes scripts to backup, restore, create an Apache site, create/start/stop/status a service, import an AREV database into postgres and more.

====backup_db====

*Does a backup & restore of a LIVE database into the corresponding TEST database.
*Backup <dbcode>.sql file is written to /root/backups/sql; which is rsynced to nl19:/backups/current/exodus/
*Unlike AREV, postgres can perform a "backup" of a database whilst the system is in use.

==Git==

There are two repositories, one for EXODUS and the other for NEOSYS.

===Using git to make changes===

Before following steps you must have a tested updated to a program/file/script. Do not commit untested changes to avoid a messy git history of reverts.

Update your local repo before committing to local repo using the g alias for "git pull --ff-only ; git push && git status'":
<pre>g</pre>
Check which updates/files have not yet been staged and/or committed:
Add your updates to the staged area:
<pre>git add <filename></pre>
or if all the changes made need to be staged:
<pre>git add -a</pre>
Make a commit with a descriptive message on purpose of updates:
<pre>git commit -m <description n purpose of changes></pre>
Again use g alias:
<pre>g</pre>

===Other useful git cmds===

Do not use this commands unless you know what WILL happen.
*git pull - Instead use the safe "git pull --ff-only"
Stick to the alias "g" which does "git pull --ff-only ; git push && git status'"

*git log - display history of commits to master branch
*git diff - display the differences in files between working files and files in local repo.
*git status - display: which updated files are staged/not staged(tracked)
*git stash -
*git branch - switch to a new branch
*git branch <branchname> - will switch to this branch only if it exists
*git checkout - DESTROYS/Updates the state of local working directory with the state of the files in the local repo. (YOU WILL LOSE non staged updates)
*git restore <filename> - DESTROYS/Updates the file with the version in the local repo. (like with git checkout but for a specific file)
*git checkin -
*git revert <commitHash> - reverses a specific commit (use git log to get the chosen commit hash)

==Converting AREV to EXODUS==
===Decompile AREV to C++===
(Do in win10a Maintenance mode)

#Apply tested patch to win10a (master AREV Dev system)
#ATTACH ADECOMC
#*ADECOM <programname> *single program
#*ADECOMALL *all programs (CHECK THIS FIRST)
#*ADECOM <prog1> <prog2> *(CHECK IF THIS WORKS)

===Send c++ files from win10a to nl19===
(Do in win10a Cygwin)

#/d/exodus/arev/syncup.sh

===Get c++ files from nl19 to exodus===
(Do in Exodus system)

#If cpp in SYS then: ~/exodus/service/src ./getpickos
#If cpp in MED JOB FIN GEN AGY then: *~/neosys/src ./getpickos
#Compile single cpp then: c <programname> e.g "c monitor2"
#Compile all cpp then: ./compall (PENDING WHICH/WHERE? many compall)

===Compile C++ files to TEST system===

#*./test <DBNAME>
#*~/neosys ./doall TEST <DBNAME> restart #to get one service to start start using the new lib files
#*~/neosys ./doall TEST all restart #to get all the services to start start using the new lib files

===Install C++ files to LIVE System===
WARNING

#~/exodus/service/ ./copyall #to copy all the ~/lib and bin files to ~/live/lib and bin ... which is used by all exodus/live services

==Writing Standard Exodus Core Function/Method Testing==
Screen 9: ~/exodus/test/src/
There are a series of test programs that check whether methods/functions behave as intended.
They do this using the function, assert.. a 1 or more argument values produce one and only one output)

e.g test_multilang.cpp or test_sort.cpp

Two methods of running test programs:
*Screen 9: make test
*after compiling using edic/compile/c, enter test_prog_name. (Since compile has moved it to ~/bin)

Difference between the two methods is make calls gdb directly;
whereas ~/bin/test_prog_name uses exodus compile program
#~/neosys ./doall LIVE all restart

==Updating a pgsql function in an exodus dictionary==

PENDING

==Troubleshooting postfix emailing issues==

To view current configuration in main.cf
postconf -n

To update the value of a parameter
postconf relayhost=mailout.neosys.com:2500

To restart postfix service
service postfix restart

Send a test email using "mail" and watch the logs to verify
mail <email>
journalctl -f

==Development and deployment using 'dat' files==

===Rationale===

Part of system development is the creation of various data that is neither programs nor layout i.e. not cpp, h, html, js, php files etc.

For example:

*Dictionaries are data about data.
*Language files are data about text to use for various languages.
*“Change logs” are data about changes in the system.

Historically, in EXODUS and NEOSYS, the above data has been deployed in exodus database files using SQL text files. However SQL files are not convenient for development.

Therefore, 'dat' text files will be used now so that standard development tools including editors and git can be fully exploited.

==='dat' files===

Each database file is represented by an os directory of the same name.

Each record in the database file is represented by an os text file where filename is the primary key.

For example a record with key '''DEADLINE''' in a dat file '''dict.materials''' would be represented as an os text file '''dat/dict.materials/DEADLINE'''

Each line in the os text file represents one field in the db record. In other words, db record FM characters are represented by new line characters in 'dat' files. Any actual new line characters required in the record, and any backslashes, are escaped and appear as '\n' and '\\' in 'dat' files. Other database field separator characters such as VM, SM, TM and STM are stored without any conversion.

===Location of dat files===

The development versions are stored in exodus and neosys src/dat dirs. They form part of the standard git repositories in parallel with cpp files.

The operational versions are stored in ~/dat and ~/live/dat alongside bin and lib dirs and are automatically installed into databases as database files on service startup. Any database functions embedded in the text files (pgsql) are also automatically installed at the same time.

===Editing and deploying a 'dat' file===

It is currently a three step process to edit and deploy such 'dat' files.

====Edit the 'dat' file====

Note that EXODUS service and NEOSYS have different src/dat folders.

Editing language items:

edir dat/alanguage/SCHEDULES*ARABIC

Editing a dictionary item:

edir dat/dict.materials/DEADLINE

Editing a pgsql function in a dictionary:

edir dat/dict.materials/DEADLINE 8

====Install all 'dat' files in ~/dat ====

This step might be removed at a later date.

This will cause all test databases to immediately restart and load any 'dat' file changes into dictionaries and data files and also create any new or modified pgsql functions.

If any ~/neosys/src/dat files were edited:

cd ~/neosys/src && ./compall

and/or, if exodus/service/dat files were edited

cd ~/exodus/service/src && ./compall

====Copy all programs and 'dat' files to live====

This will cause all live databases to automatically restart and do the same as the test databases mentioned above.

cd ~/exodus/service && ./copyall CONFIRM

EXODUS Knowledge

2021-12-06T10:03:15Z

Steve: /* 'dat' files */

==TMUX Screens==

To create the EXODUS maintenance/programming environment
exodus#: ./tmux.exodus

<pre>
SCREEN NAME STANDARD PATH PURPOSE
#ex1_root - /root - general usage
#exodus - /root/exodus -
#exodus src - /root/exodus/exodus/libexodus/exodus - LibExodus is the core EXODUS library source files (emulating AREV CRUD)
#exo cli - /root/exodus/cli/src - Core EXODUS program which can be executed from bash (clearfile, edir, edic, compile)
#service - /root/exodus/service - Default working environment for EXODUS only service, including EXODUS core www and data directories. Also used to keep NEOSYS database installation scripts.
#ser src - /root/exodus/service/src -
#neosys - /root/neosys - ./doall
#neo src - /root/neosys/src -
#hosts - /root/hosts -
#test src - /root/exodus/test/src -
#t10 - ~/ -
#t11 - ~/ -
#t12 - ~/ -
</pre>

===Object Code/Libraries===
LIVE and TEST processes use different sets of object code.
TEST processes use libraries in ~/lib/, whereas LIVE processes use object code in ~/neo/lib

This means development & testing can be done stress free on TEST database, as opposed to testing on production databases.

When compiling using edic, the TEST object code is updated if the compilation is successful. (~/lib)
In order to apply a tested patch to LIVE see [[Update LIVE programs]].

===Dictionaries===
Dictionaries, the files used to describe the fields of a file's record.
Unlike in AREV, there is a copy of all dictionaries in each pgsql database (In AREV, updating a dictionary would affect all the databases).

===Processes===
The TEST process for all database use the same object code stored in /root/lib, whereas all LIVE process use the object code in /root/neo/.

===Postgres===
Connect into postgres shell:
sudo -u postgres psql

List databases once in postgres shell:
\l

Delete a database:
sudo -u postgres dropdb <dbcode>

===./doall===

====General====
Screen 6: ./doall script contains all the necessary information(codes) to setup an installation.
It includes scripts to backup, restore, create an Apache site, create/start/stop/status a service, import an AREV database into postgres and more.

====backup_db====

*Does a backup & restore of a LIVE database into the corresponding TEST database.
*Backup <dbcode>.sql file is written to /root/backups/sql; which is rsynced to nl19:/backups/current/exodus/
*Unlike AREV, postgres can perform a "backup" of a database whilst the system is in use.

==Git==

There are two repositories, one for EXODUS and the other for NEOSYS.

===Using git to make changes===

Before following steps you must have a tested updated to a program/file/script. Do not commit untested changes to avoid a messy git history of reverts.

Update your local repo before committing to local repo using the g alias for "git pull --ff-only ; git push && git status'":
<pre>g</pre>
Check which updates/files have not yet been staged and/or committed:
Add your updates to the staged area:
<pre>git add <filename></pre>
or if all the changes made need to be staged:
<pre>git add -a</pre>
Make a commit with a descriptive message on purpose of updates:
<pre>git commit -m <description n purpose of changes></pre>
Again use g alias:
<pre>g</pre>

===Other useful git cmds===

Do not use this commands unless you know what WILL happen.
*git pull - Instead use the safe "git pull --ff-only"
Stick to the alias "g" which does "git pull --ff-only ; git push && git status'"

*git log - display history of commits to master branch
*git diff - display the differences in files between working files and files in local repo.
*git status - display: which updated files are staged/not staged(tracked)
*git stash -
*git branch - switch to a new branch
*git branch <branchname> - will switch to this branch only if it exists
*git checkout - DESTROYS/Updates the state of local working directory with the state of the files in the local repo. (YOU WILL LOSE non staged updates)
*git restore <filename> - DESTROYS/Updates the file with the version in the local repo. (like with git checkout but for a specific file)
*git checkin -
*git revert <commitHash> - reverses a specific commit (use git log to get the chosen commit hash)

==Converting AREV to EXODUS==
===Decompile AREV to C++===
(Do in win10a Maintenance mode)

#Apply tested patch to win10a (master AREV Dev system)
#ATTACH ADECOMC
#*ADECOM <programname> *single program
#*ADECOMALL *all programs (CHECK THIS FIRST)
#*ADECOM <prog1> <prog2> *(CHECK IF THIS WORKS)

===Send c++ files from win10a to nl19===
(Do in win10a Cygwin)

#/d/exodus/arev/syncup.sh

===Get c++ files from nl19 to exodus===
(Do in Exodus system)

#If cpp in SYS then: ~/exodus/service/src ./getpickos
#If cpp in MED JOB FIN GEN AGY then: *~/neosys/src ./getpickos
#Compile single cpp then: c <programname> e.g "c monitor2"
#Compile all cpp then: ./compall (PENDING WHICH/WHERE? many compall)

===Compile C++ files to TEST system===

#*./test <DBNAME>
#*~/neosys ./doall TEST <DBNAME> restart #to get one service to start start using the new lib files
#*~/neosys ./doall TEST all restart #to get all the services to start start using the new lib files

===Install C++ files to LIVE System===
WARNING

#~/exodus/service/ ./copyall #to copy all the ~/lib and bin files to ~/live/lib and bin ... which is used by all exodus/live services

==Writing Standard Exodus Core Function/Method Testing==
Screen 9: ~/exodus/test/src/
There are a series of test programs that check whether methods/functions behave as intended.
They do this using the function, assert.. a 1 or more argument values produce one and only one output)

e.g test_multilang.cpp or test_sort.cpp

Two methods of running test programs:
*Screen 9: make test
*after compiling using edic/compile/c, enter test_prog_name. (Since compile has moved it to ~/bin)

Difference between the two methods is make calls gdb directly;
whereas ~/bin/test_prog_name uses exodus compile program
#~/neosys ./doall LIVE all restart

==Updating a pgsql function in an exodus dictionary==

PENDING

==Troubleshooting postfix emailing issues==

To view current configuration in main.cf
postconf -n

To update the value of a parameter
postconf relayhost=mailout.neosys.com:2500

To restart postfix service
service postfix restart

Send a test email using "mail" and watch the logs to verify
mail <email>
journalctl -f

==Development and deployment using 'dat' files==

===Rationale===

Part of system development is the creation of various data that is neither programs nor layout i.e. not cpp, h, html, js, php files etc.

For example:

*Dictionaries are data about data.
*Language files are data about text to use for various languages.
*“Change logs” are data about changes in the system.

Historically, in EXODUS and NEOSYS, the above data has been deployed in exodus database files using SQL text files. However SQL files are not convenient for development.

Therefore, 'dat' text files will be used now so that standard development tools including editors and git can be fully exploited.

==='dat' files===

Each database file is represented by an os directory of the same name.

Each record in the database file is represented by an os text file where filename is the primary key.

For example a record with key '''DEADLINE''' in a dat file '''dict.materials''' would be represented as an os text file '''dat/dict.materials/DEADLINE'''

Each line in the os text file represents one field in the db record. In other words, db record FM characters are represented by new line characters in 'dat' files. Any actual new line characters required in the record, and any backslashes, are escaped and appear as '\n' and '\\' in 'dat' files. Other database field separator characters such as VM, SM, TM and STM are stored without any conversion.

===Location of dat files===

The development versions are stored in exodus and neosys src/dat dirs. They form part of the standard git repositories in parallel with cpp files.

The operational versions are stored in ~/dat and ~/live/dat alongside bin and lib dirs and are automatically installed into databases as database files on service startup. Any database functions embedded in the text files (pgsql) are also automatically installed at the same time.

===Editing and deploying a 'dat' file===

It is currently a three step process to edit and deploy such 'dat' files.

====Edit the 'dat' file====

Note that EXODUS service and NEOSYS have different src/dat folders.

Editing language items:

edir dat/alanguage/SCHEDULES*ARABIC

Editing a dictionary item:

edir dat/dict.materials/DEADLINE

Editing a pgsql function in a dictionary:

edir dat/dict.materials/DEADLINE 8

====Install all 'dat' files====

This step might be removed at a later date.

This will cause all test databases to immediately restart and load any 'dat' file changes into dictionaries and data files and also create any new or modified pgsql functions.

If any ~/neosys/src/dat files were edited:

cd ~/neosys/src && ./compall

and/or, if exodus/service/dat files were edited

cd ~/exodus/service/src && ./compall

====Copy all programs and 'dat' files to live====

This will cause all live databases to automatically restart and do the same as the test databases mentioned above.

cd ~/exodus/service && ./copyall CONFIRM

EXODUS Knowledge

2021-12-06T09:50:43Z

Steve: /* 'dat' files */

==TMUX Screens==

To create the EXODUS maintenance/programming environment
exodus#: ./tmux.exodus

<pre>
SCREEN NAME STANDARD PATH PURPOSE
#ex1_root - /root - general usage
#exodus - /root/exodus -
#exodus src - /root/exodus/exodus/libexodus/exodus - LibExodus is the core EXODUS library source files (emulating AREV CRUD)
#exo cli - /root/exodus/cli/src - Core EXODUS program which can be executed from bash (clearfile, edir, edic, compile)
#service - /root/exodus/service - Default working environment for EXODUS only service, including EXODUS core www and data directories. Also used to keep NEOSYS database installation scripts.
#ser src - /root/exodus/service/src -
#neosys - /root/neosys - ./doall
#neo src - /root/neosys/src -
#hosts - /root/hosts -
#test src - /root/exodus/test/src -
#t10 - ~/ -
#t11 - ~/ -
#t12 - ~/ -
</pre>

===Object Code/Libraries===
LIVE and TEST processes use different sets of object code.
TEST processes use libraries in ~/lib/, whereas LIVE processes use object code in ~/neo/lib

This means development & testing can be done stress free on TEST database, as opposed to testing on production databases.

When compiling using edic, the TEST object code is updated if the compilation is successful. (~/lib)
In order to apply a tested patch to LIVE see [[Update LIVE programs]].

===Dictionaries===
Dictionaries, the files used to describe the fields of a file's record.
Unlike in AREV, there is a copy of all dictionaries in each pgsql database (In AREV, updating a dictionary would affect all the databases).

===Processes===
The TEST process for all database use the same object code stored in /root/lib, whereas all LIVE process use the object code in /root/neo/.

===Postgres===
Connect into postgres shell:
sudo -u postgres psql

List databases once in postgres shell:
\l

Delete a database:
sudo -u postgres dropdb <dbcode>

===./doall===

====General====
Screen 6: ./doall script contains all the necessary information(codes) to setup an installation.
It includes scripts to backup, restore, create an Apache site, create/start/stop/status a service, import an AREV database into postgres and more.

====backup_db====

*Does a backup & restore of a LIVE database into the corresponding TEST database.
*Backup <dbcode>.sql file is written to /root/backups/sql; which is rsynced to nl19:/backups/current/exodus/
*Unlike AREV, postgres can perform a "backup" of a database whilst the system is in use.

==Git==

There are two repositories, one for EXODUS and the other for NEOSYS.

===Using git to make changes===

Before following steps you must have a tested updated to a program/file/script. Do not commit untested changes to avoid a messy git history of reverts.

Update your local repo before committing to local repo using the g alias for "git pull --ff-only ; git push && git status'":
<pre>g</pre>
Check which updates/files have not yet been staged and/or committed:
Add your updates to the staged area:
<pre>git add <filename></pre>
or if all the changes made need to be staged:
<pre>git add -a</pre>
Make a commit with a descriptive message on purpose of updates:
<pre>git commit -m <description n purpose of changes></pre>
Again use g alias:
<pre>g</pre>

===Other useful git cmds===

Do not use this commands unless you know what WILL happen.
*git pull - Instead use the safe "git pull --ff-only"
Stick to the alias "g" which does "git pull --ff-only ; git push && git status'"

*git log - display history of commits to master branch
*git diff - display the differences in files between working files and files in local repo.
*git status - display: which updated files are staged/not staged(tracked)
*git stash -
*git branch - switch to a new branch
*git branch <branchname> - will switch to this branch only if it exists
*git checkout - DESTROYS/Updates the state of local working directory with the state of the files in the local repo. (YOU WILL LOSE non staged updates)
*git restore <filename> - DESTROYS/Updates the file with the version in the local repo. (like with git checkout but for a specific file)
*git checkin -
*git revert <commitHash> - reverses a specific commit (use git log to get the chosen commit hash)

==Converting AREV to EXODUS==
===Decompile AREV to C++===
(Do in win10a Maintenance mode)

#Apply tested patch to win10a (master AREV Dev system)
#ATTACH ADECOMC
#*ADECOM <programname> *single program
#*ADECOMALL *all programs (CHECK THIS FIRST)
#*ADECOM <prog1> <prog2> *(CHECK IF THIS WORKS)

===Send c++ files from win10a to nl19===
(Do in win10a Cygwin)

#/d/exodus/arev/syncup.sh

===Get c++ files from nl19 to exodus===
(Do in Exodus system)

#If cpp in SYS then: ~/exodus/service/src ./getpickos
#If cpp in MED JOB FIN GEN AGY then: *~/neosys/src ./getpickos
#Compile single cpp then: c <programname> e.g "c monitor2"
#Compile all cpp then: ./compall (PENDING WHICH/WHERE? many compall)

===Compile C++ files to TEST system===

#*./test <DBNAME>
#*~/neosys ./doall TEST <DBNAME> restart #to get one service to start start using the new lib files
#*~/neosys ./doall TEST all restart #to get all the services to start start using the new lib files

===Install C++ files to LIVE System===
WARNING

#~/exodus/service/ ./copyall #to copy all the ~/lib and bin files to ~/live/lib and bin ... which is used by all exodus/live services

==Writing Standard Exodus Core Function/Method Testing==
Screen 9: ~/exodus/test/src/
There are a series of test programs that check whether methods/functions behave as intended.
They do this using the function, assert.. a 1 or more argument values produce one and only one output)

e.g test_multilang.cpp or test_sort.cpp

Two methods of running test programs:
*Screen 9: make test
*after compiling using edic/compile/c, enter test_prog_name. (Since compile has moved it to ~/bin)

Difference between the two methods is make calls gdb directly;
whereas ~/bin/test_prog_name uses exodus compile program
#~/neosys ./doall LIVE all restart

==Updating a pgsql function in an exodus dictionary==

PENDING

==Troubleshooting postfix emailing issues==

To view current configuration in main.cf
postconf -n

To update the value of a parameter
postconf relayhost=mailout.neosys.com:2500

To restart postfix service
service postfix restart

Send a test email using "mail" and watch the logs to verify
mail <email>
journalctl -f

==Development and deployment using 'dat' files==

===Rationale===

Part of system development is the creation of various data that is neither programs nor layout i.e. not cpp, h, html, js, php files etc.

For example:

*Dictionaries are data about data.
*Language files are data about text to use for various languages.
*“Change logs” are data about changes in the system.

Historically, in EXODUS and NEOSYS, the above data has been deployed in exodus database files using SQL text files. However SQL files are not convenient for development.

Therefore, 'dat' text files will be used now so that standard development tools including editors and git can be fully exploited.

==='dat' files===

Each database file is represented by an os directory of the same name.

Each record in the database file is represented by an os text file where filename is the primary key.

For example a record with key '''DEADLINE''' in a dat file '''dict.materials''' would be represented as an os text file '''dat/dict.materials/DEADLINE'''

Each line in the os text file represents one field in the db record. In other words, db record FM characters are represented by new line characters in 'dat' files. Any actual new line characters required in the record, and any backslashes, are escaped and appear as '\n' and '\\' in 'dat' files. Other database field separator characters such as VM, SM, TM and STM are stored without any conversion.

The text files are automatically installed into databases as database files on service startup. Any database functions embedded in the text files, like pgsql, are also automatically installed at the same time.

===Editing and deploying a 'dat' file===

It is currently a three step process to edit and deploy such 'dat' files.

====Edit the 'dat' file====

Note that EXODUS service and NEOSYS have different src/dat folders.

Editing language items:

edir dat/alanguage/SCHEDULES*ARABIC

Editing a dictionary item:

edir dat/dict.materials/DEADLINE

Editing a pgsql function in a dictionary:

edir dat/dict.materials/DEADLINE 8

====Install all 'dat' files====

This step might be removed at a later date.

This will cause all test databases to immediately restart and load any 'dat' file changes into dictionaries and data files and also create any new or modified pgsql functions.

If any ~/neosys/src/dat files were edited:

cd ~/neosys/src && ./compall

and/or, if exodus/service/dat files were edited

cd ~/exodus/service/src && ./compall

====Copy all programs and 'dat' files to live====

This will cause all live databases to automatically restart and do the same as the test databases mentioned above.

cd ~/exodus/service && ./copyall CONFIRM

EXODUS Knowledge

2021-12-06T07:23:39Z

Steve: /* Install all 'dat' files */

==TMUX Screens==

To create the EXODUS maintenance/programming environment
exodus#: ./tmux.exodus

<pre>
SCREEN NAME STANDARD PATH PURPOSE
#ex1_root - /root - general usage
#exodus - /root/exodus -
#exodus src - /root/exodus/exodus/libexodus/exodus - LibExodus is the core EXODUS library source files (emulating AREV CRUD)
#exo cli - /root/exodus/cli/src - Core EXODUS program which can be executed from bash (clearfile, edir, edic, compile)
#service - /root/exodus/service - Default working environment for EXODUS only service, including EXODUS core www and data directories. Also used to keep NEOSYS database installation scripts.
#ser src - /root/exodus/service/src -
#neosys - /root/neosys - ./doall
#neo src - /root/neosys/src -
#hosts - /root/hosts -
#test src - /root/exodus/test/src -
#t10 - ~/ -
#t11 - ~/ -
#t12 - ~/ -
</pre>

===Object Code/Libraries===
LIVE and TEST processes use different sets of object code.
TEST processes use libraries in ~/lib/, whereas LIVE processes use object code in ~/neo/lib

This means development & testing can be done stress free on TEST database, as opposed to testing on production databases.

When compiling using edic, the TEST object code is updated if the compilation is successful. (~/lib)
In order to apply a tested patch to LIVE see [[Update LIVE programs]].

===Dictionaries===
Dictionaries, the files used to describe the fields of a file's record.
Unlike in AREV, there is a copy of all dictionaries in each pgsql database (In AREV, updating a dictionary would affect all the databases).

===Processes===
The TEST process for all database use the same object code stored in /root/lib, whereas all LIVE process use the object code in /root/neo/.

===Postgres===
Connect into postgres shell:
sudo -u postgres psql

List databases once in postgres shell:
\l

Delete a database:
sudo -u postgres dropdb <dbcode>

===./doall===

====General====
Screen 6: ./doall script contains all the necessary information(codes) to setup an installation.
It includes scripts to backup, restore, create an Apache site, create/start/stop/status a service, import an AREV database into postgres and more.

====backup_db====

*Does a backup & restore of a LIVE database into the corresponding TEST database.
*Backup <dbcode>.sql file is written to /root/backups/sql; which is rsynced to nl19:/backups/current/exodus/
*Unlike AREV, postgres can perform a "backup" of a database whilst the system is in use.

==Git==

There are two repositories, one for EXODUS and the other for NEOSYS.

===Using git to make changes===

Before following steps you must have a tested updated to a program/file/script. Do not commit untested changes to avoid a messy git history of reverts.

Update your local repo before committing to local repo using the g alias for "git pull --ff-only ; git push && git status'":
<pre>g</pre>
Check which updates/files have not yet been staged and/or committed:
Add your updates to the staged area:
<pre>git add <filename></pre>
or if all the changes made need to be staged:
<pre>git add -a</pre>
Make a commit with a descriptive message on purpose of updates:
<pre>git commit -m <description n purpose of changes></pre>
Again use g alias:
<pre>g</pre>

===Other useful git cmds===

Do not use this commands unless you know what WILL happen.
*git pull - Instead use the safe "git pull --ff-only"
Stick to the alias "g" which does "git pull --ff-only ; git push && git status'"

*git log - display history of commits to master branch
*git diff - display the differences in files between working files and files in local repo.
*git status - display: which updated files are staged/not staged(tracked)
*git stash -
*git branch - switch to a new branch
*git branch <branchname> - will switch to this branch only if it exists
*git checkout - DESTROYS/Updates the state of local working directory with the state of the files in the local repo. (YOU WILL LOSE non staged updates)
*git restore <filename> - DESTROYS/Updates the file with the version in the local repo. (like with git checkout but for a specific file)
*git checkin -
*git revert <commitHash> - reverses a specific commit (use git log to get the chosen commit hash)

==Converting AREV to EXODUS==
===Decompile AREV to C++===
(Do in win10a Maintenance mode)

#Apply tested patch to win10a (master AREV Dev system)
#ATTACH ADECOMC
#*ADECOM <programname> *single program
#*ADECOMALL *all programs (CHECK THIS FIRST)
#*ADECOM <prog1> <prog2> *(CHECK IF THIS WORKS)

===Send c++ files from win10a to nl19===
(Do in win10a Cygwin)

#/d/exodus/arev/syncup.sh

===Get c++ files from nl19 to exodus===
(Do in Exodus system)

#If cpp in SYS then: ~/exodus/service/src ./getpickos
#If cpp in MED JOB FIN GEN AGY then: *~/neosys/src ./getpickos
#Compile single cpp then: c <programname> e.g "c monitor2"
#Compile all cpp then: ./compall (PENDING WHICH/WHERE? many compall)

===Compile C++ files to TEST system===

#*./test <DBNAME>
#*~/neosys ./doall TEST <DBNAME> restart #to get one service to start start using the new lib files
#*~/neosys ./doall TEST all restart #to get all the services to start start using the new lib files

===Install C++ files to LIVE System===
WARNING

#~/exodus/service/ ./copyall #to copy all the ~/lib and bin files to ~/live/lib and bin ... which is used by all exodus/live services

==Writing Standard Exodus Core Function/Method Testing==
Screen 9: ~/exodus/test/src/
There are a series of test programs that check whether methods/functions behave as intended.
They do this using the function, assert.. a 1 or more argument values produce one and only one output)

e.g test_multilang.cpp or test_sort.cpp

Two methods of running test programs:
*Screen 9: make test
*after compiling using edic/compile/c, enter test_prog_name. (Since compile has moved it to ~/bin)

Difference between the two methods is make calls gdb directly;
whereas ~/bin/test_prog_name uses exodus compile program
#~/neosys ./doall LIVE all restart

==Updating a pgsql function in an exodus dictionary==

PENDING

==Troubleshooting postfix emailing issues==

To view current configuration in main.cf
postconf -n

To update the value of a parameter
postconf relayhost=mailout.neosys.com:2500

To restart postfix service
service postfix restart

Send a test email using "mail" and watch the logs to verify
mail <email>
journalctl -f

==Development and deployment using 'dat' files==

===Rationale===

Part of system development is the creation of various data that is neither programs nor layout i.e. not cpp, h, html, js, php files etc.

For example:

*Dictionaries are data about data.
*Language files are data about text to use for various languages.
*“Change logs” are data about changes in the system.

Historically, in EXODUS and NEOSYS, the above data has been deployed in exodus database files using SQL text files. However SQL files are not convenient for development.

Therefore, 'dat' text files will be used now so that standard development tools including editors and git can be fully exploited.

==='dat' files===

Each database file is represented by an os directory of the same name.

Each record in the database file is represented by an os text file where filename is the primary key.

Each line in the os text file represents one field in the db record. In other words, db record FM characters are represented by new line characters in 'dat' files. Any actual new line characters required in the record, and any backslashes, are escaped and appear as '\n' and '\\' in 'dat' files. Other database field separator characters such as VM, SM, TM and STM are stored without any conversion.

The text files are automatically installed into databases as database files on service startup. Any database functions embedded in the text files, like pgsql, are also automatically installed at the same time.

===Editing and deploying a 'dat' file===

It is currently a three step process to edit and deploy such 'dat' files.

====Edit the 'dat' file====

Note that EXODUS service and NEOSYS have different src/dat folders.

Editing language items:

edir dat/alanguage/SCHEDULES*ARABIC

Editing a dictionary item:

edir dat/dict.materials/DEADLINE

Editing a pgsql function in a dictionary:

edir dat/dict.materials/DEADLINE 8

====Install all 'dat' files====

This step might be removed at a later date.

This will cause all test databases to immediately restart and load any 'dat' file changes into dictionaries and data files and also create any new or modified pgsql functions.

If any ~/neosys/src/dat files were edited:

cd ~/neosys/src && ./compall

and/or, if exodus/service/dat files were edited

cd ~/exodus/service/src && ./compall

====Copy all programs and 'dat' files to live====

This will cause all live databases to automatically restart and do the same as the test databases mentioned above.

cd ~/exodus/service && ./copyall CONFIRM

EXODUS Knowledge

2021-08-23T13:20:41Z

Steve: /* Git */

Handling Nagios Client Monitoring System

2021-06-06T05:07:08Z

Steve: /* UPDATE.xWG */

==Procedure to handle Nagios==

The procedure that support staff need to follow while handling Nagios is documented under [[Procedures#Handling_Nagios_Client_Monitoring_system| Procedures: Handling Nagios Client Monitoring System]]

Nagios is accessed via this link: http://monitor.neosys.com/nagios3

==Nagios services==

Nagios is configured to display information pertaining to all NEOSYS client's server statuses which include multiple services such as:

#HTTPS: Most of NEOSYS clients are configured to have external web access via secure HTTP protocol (port 4430) from outside office. Nagios is configured to check port 4430 on a regular interval of 10 minutes and display any issues in accessing the same.
#SSH: As part of the support contract, NEOSYS should have external secure access to the client server usually over port 19580. Nagios is configured to check this port on a regular interval of 10 minutes and display any issues in accessing the same.
#Ping: Nagios is also configured to ping the client router as a measure to check if router responds incase the NEOSYS server is down.
#NEOSYS: This service works in a reverse direction, and the NEOSYS installation on the client server sends information such as databases running, current backup status, internal and internet IP addressess etc to Nagios on a regular interval of 10 minutes.

Some key information about Nagios is as follows:

*Nagios is also configured to display information related to internal servers.
*Clients hosted on a NEOSYS cloud server might not have services such as SSH or PING as this is monitored as part of the internal server service.
*Nagios sends out email alerts to support2@neosys.com (which is forwarded to support@neosys.com) from 8 am to 12 midnight on all Dubai working days (Sun-Thu). No alerts are sent out on Fri and Sat, unless they are for NEOSYS internal servers.

Nagios Configuration files:

*Commands to check different services. ~/etc/nagios3/commands.cfg
*Contacts where support2@neosys.com is configured. Emails from nagios will be sent to the email ID configured here. /etc/nagios3/conf.d.backups/contacts.cfg
*For Oman Client. Unclear of purpose. /etc/nagios3/conf.d.backups/dtme.cfg
*Fully commented file of generic hostgroup definitions. /etc/nagios3/conf.d.backups/hostgroups_nagios2.cfg
*Host group definition. /etc/nagios3/conf.d.backups/linux.cfg
*Files where all the neosys hosts and hostgroups are defined. /etc/nagios3/conf.d.backups/neosysclients.cfg
*Config for monitor.neosys.com. /etc/nagios3/conf.d.backups/monitor.cfg

==How to handle a service error==

#Nagios Service Info - get there via various routes eg from Service Problems - then click on the service name (not the host name)
#Service Commands, Acknowledge this service problem (only services with status Warning or Critical have this option)
#Enter a note - explaining to yourself and your co-workers explaining how the problem is being handled and when to follow up

Notifications will be automatically resumed once the service becomes OK again.

The "Disable notifications" is not quite the same and shows as red on tactical summary screen.

====[[Backup_and_Restore#Updating_Nagios_incase_of_failures| Updating Nagios in case of backup failures]]====

====How to stop ALL notifications====

Useful to stop a massive number of alerts due to various causes.

#Nagios Process Info
#Enable/Disable notifications

====Speeding up Nagios web interface====

The usual F5 to refresh before the automatic 90 second refresh works but Ctrl+F5 doesnt.

====Speeding up NEOSYS process checkins====

You can force a neosys service checkin from NEOSYS maintenance mode (any process/database) press F5

MONITOR2

====[http://itwiki.neosys.com/index.php/Setting_up_monitoring_in_Nagios#Adding_a_new_NEOSYS_installation_.28new_client.29 Adding the client to Nagios]====

==Troubleshooting NAGIOS generally==
===Fixing “CRITICAL – Socket timeout after 10 secs” error message on NAGIOS===

====Error Message====

[[image:Vm3nagios.jpg]]

====Problem====

NAGIOS is not updating services like CPU Load, Drive Space C:, Drive Save D:,Explorer, Memory Usage etc.

====Solution====

Open Windows Task Manager and kill any nscp.exe process. Then, restart NSClient++ from the desktop or by going to Start> Programs> NSClient++
These steps can be carried out even when users are active.

===Fixing “NEOSYS has not checked in” error message===

====Error Message Explained====

Nagios reports this error when it is is not able to update the status of NEOSYS for a particular client server.

====Possible Causes & Solutions====

=====The maintenance window is left open=====

Make sure that there is no maintenance window left open in the server.

=====Hung process on server=====

Check if there are any hung processes on the server e.g. Fatal Error in Rev Restart. Follow steps in troubleshooting [[Troubleshooting_NEOSYS_Generally#Troubleshooting_Hung_processes| hung process]].

=====The NEOSYS process IS NOT running on the server=====

If there are no NEOSYS processes running, then start the NEOSYS process and wait for NEOSYS to check into Nagios, or force Nagios to re-check the status of NEOSYS service.

=====The NEOSYS process IS running on the server but still cannot connect to NAGIOS=====

NEOSYS connects to Nagios using http and automatically detects and uses any http proxy configuration configured in Internet Explorer.

If Internet Explorer in the server can reach the internet then NEOSYS should be able to update to NAGIOS via the same proxy.

Check if Internet Explorer can reach Nagios by using the below link. The check is successful if you get the Nagios login request shown in the image below.
https://monitor.hosts.neosys.com:4428

[[image:nagios_access.png]]

======If Internet Explorer CANNOT connect to Nagios======

The client's IT must enable outbound access preferably on all ports or at least 4428 to our NEOSYS server at monitor.hosts.neosys.com.

If outbound access to monitor.hosts.neosys.com on port 4428 has not been enabled, then Nagios will not be able to update the status of the host and will show the error "NEOSYS not checked in".

If port 4428 cannot be used, then Support can manually configure the network to use standard port 443 in the [http://userwiki.neosys.com/index.php/System_Configuration_File#Monitor_Port_No. system configuration file.]

This requires that the client's IP number is added to the list of allowed IP numbers on nl10r router since Nagios https server gets multiple probes a day on port 443 if it is left open to everyone.

======If Internet Explorer CAN connect to Nagios======

View the Internet Explorer proxy configuration as follows:

[[image:ieproxy.png]]

 Check if there is an issue with NEOSYS' http proxy server configuration as follows:

#Open the UPDATE.$WG or UPDATE.xWG file located in the neosys\neosys or hosts/xxxxxxxx/work folder.
#You should find a message similar to the following:
<pre>
Connecting to 192.168.100.145:8080 failed: No such file or directory.
</pre>
Where the above appears to be some non-functional http proxy server ip/port number and is not the expected nagios server ip number.
A windows proxy command shows the same ip and port:

On Windows 2003/XP

proxycfg

On Windows 2008/Win7

NetSH WinHTTP import Proxy ie

Output:

<pre>
Microsoft (R) WinHTTP Default Proxy Configuration Tool
Copyright (c) Microsoft Corporation. All rights reserved.

Current WinHTTP proxy settings under:
HKEY_LOCAL_MACHINE\
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\
WinHttpSettings :

Proxy Server(s) : 192.168.100.145:8080
Bypass List : 192.168.*.*;localhost;<local>

</pre>

'''Solution 1 - Remove the above setting to create a direct connection'''

#To remove the registry entries that ProxyCfg.exe creates,you must delete the WinHttpSettings value from the following registry key: <pre>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\WinHttpSettings</pre>
#After you do the above, confirm that the proxy details are deleted by running the proxycfg command 
#Next, restart the NEOSYS processes for the changes to be affected 

'''Solution 2 - Configure a functioning proxy ip/port number'''

#Use the proxycfg command to enter a working proxy ip/port number/exclusion list: http://msdn.microsoft.com/en-us/library/aa384069%28VS.85%29.aspx
#After you do the above, confirm that the new proxy details are working by running the proxycfg command again
#Next, restart the NEOSYS processes for the changes to be affected 

Note: Please refer to the following link before you restart NEOSYS processes: [[Administering_NEOSYS_Server#Closing_NEOSYS_Services|Closing NEOSYS Services]]

On the client server, look at the text of UPDATE.$WG or UPDATE.xWG and other UPDATE.* files in the client's NEOSYS installation neosys/neosys or hosts/xxxxxxxx/work folder for clues.

=====There is a problem with the USB media inserted for backup=====
Refer [[Troubleshooting_NEOSYS_Generally#Error_message:_.E2.80.9CAbort.2C_Retry.2C_Fail.E2.80.9D|here]]

=====NEOSYS thinks it sees a new neosys2.exe upgrade file on the location http://www.neosys.com/support/neosys2.exe and attempts to download it=====

Refer [[Troubleshooting_NEOSYS_Generally#NEOSYS_process_window_displays_message_.22Upgrade_Downloading.22 | here]]

===Fixing "Cannot make SSL connection" error===
====Error Message====
[[File:SSL.jpg]]

Users get the message "This page cannot be displayed" when they try to access the HTTPS website.
TODO Add screenshot

====Cause====
When there are multiple HTTPS sites on one server, any subsequent SSL self certifications seems to destroy all other sites with self certification where the export/REMOVE/import step is not done for some reason. See [http://techwiki.neosys.com/index.php/Setting_up_HTTPS#Export.2C_Remove_and_Import_Certificates Export, Remove and Import Step]

This issue is only evident after the server restart.

====Solution====
Re-install certificates. See [http://techwiki.neosys.com/index.php/Setting_up_HTTPS#Re-installing_Certificates Re-installing Certificates]

====Fixing "check_ssl_certificates" error====

=====Cause=====
This error appears when the current ssl certificate to which website binding is done is no longer valid.

=====Solution=====
Use the latest valid ssl certificate and redo website binding. Refer to link [[Setting_up_HTTPS|Setting up HTTPS]]

====Backup -> Impossible alert====
=====Possible Causes and Solutions=====
If there is an error "Backup->Impossible" on Nagios check if the USB is properly inserted and schedule downtime to Nagios for 2 hours.

====[[Backup_and_Restore#Interchange_backup_USB_mail_reminder| "Change Backup" alert]]====

===Troubleshooting Network Outages reflected in Nagios due to reassigning of router name or IP address===
Nagios displays errors if a router name or the ip address it is monitoring have been reassigned.

We can resolve this issue by trying to find the ISP router ip address just before the NEOSYS server.

Steps:-

#Login to Nagios
#Click on Tactical Overview -> Network Outages and click on Blocking Outages to view [[image:tracert-00.jpg]] 
#You will now see the host/ISP which is down. Click on the status map icon to identify the host associated with the ISP, as shown below: [[image:tracert-01.jpg]] 
#From the Network Map displayed, identify the host associated with the ISP. [[image:tracert-02.jpg]] 
#If you already know the ip address of the host then skip to next step else, in Nagios, click on Host Detail, then on the hostname identified earlier and From the Host Details shown, save the host url. [[image:tracert-03.jpg]] [[image:tracert-04.jpg]] 
#Log onto www.network-tools.com:
#*Select Trace
#*Enter the host's ip address if already known or host url
#*Click on Go [[image:tracert-05.jpg]] 
#The trace route should complete successfully revealing the IP address of the ISP just before the NEOSYS server. [[image:tracert-06.jpg]] 
#You can now login to zoneedit and update the ip address of the host.
#Check Nagios.

====Nagios reports a hung process====
=====Possible Causes and Solutions=====
Refer link [[Troubleshooting_NEOSYS_Generally#Error_message:_.22Read_error_in_the_operating_system_file.22|here]]

====Explorer.exe not running====
Nagios will display this error for only Win3 at the moment.

=====Possible Causes and Solutions=====
This error means that the server has (for whatever reasons) rebooted and stuck at the Windows login prompt for someone to enter the username & password. (More info on explorer.exe is available at http://en.wikipedia.org/wiki/Explorer.exe)

Solution to this problem would be to login via Tunnelier and open up Remote Desktop Connection.

==Configuring Sonicwall firewall to allow NEOSYS to update Nagios==
====Configuring Sonicwall firewall to allow NEOSYS to update Nagios====

This is documented at [[Sonicwall_Firewall_Configuration#Configuring_Sonicwall_firewall_to_allow_NEOSYS_to_update_Nagios|Configuring Sonicwall firewall to allow NEOSYS to update Nagios]]

==Counting current active users==

NEOSYS gives an estimate of the number of users currently active by counting how
many users have been seen to be active, even once, within the last hour.

This can give a sense of the processing requirements for an installation.

The numbers can be seen in nagios installations screen from support.htm

Example:

Users: 5/4/2 Max: 7/5/2

Users means:

*5 unique browser session ids seen in the last hour
*4 unique user codes seen in the last hour
*2 Unique IP Nos seen in the last hour (60 mins)

Max means the maximums of the above seen in any one of the last 24 hours.

In practice, the middle figure, count of unique user codes, is very
close to the real number of people active within an hour. However,
since the same user code can be used by different people, even on
different computers (although not at the same time) it could
technically be an underestimate.

The number of currently active users is usually much lower than the number of
registered users. This is because some registered users use the system
infrequently and many dont use the system all the time.

The total number of different user codes seen to be active over the
whole day is not shown. For that, you can see Usage Statistics.

Migrating to modern javascript

2020-03-22T00:20:07Z

Steve:

In 2015 the new "ES6" version of javascript introduced a many fundamental and routine improvements in the language.

The concept of "modules" allows the packaging up a group of associated functions so that they have their own module scope variables that do not interfere with the standard global variables. NEOSYS may be refactored to take advantage of the protection that this brings and it will allow the introduction of industry standard libraries without those libraries conflicting with NEOSYS scripts. NEOSYS currently does not use any libraries since it was created long before any javascript libraries existed.

On the routine programming side this page will contain a list of the possible improvements in programming style that can be used when adding new code to the NEOSYS javascript code base.

== Using map function instead of time honoured "for loop over array" ==
*The purpose of the new "map" function is to convert every element of an array by using a given function. map doesn't actually touch the old array but rather outputs a new array. If you immediately assign the output of the map function into the old array then the end result is a conversion, not a creation.

*The old ugly "for loop" syntax is replaced by the new beautiful "map" syntax. Both are equally incomprehensible in plain language.

*Think of the '''"acno => {"''' is the new style shorthand meaning "'''function anonymous(acno) {"'''

*"=>" is known as an "arrow function" in javascript. In the rest of the programming world they are known as "lamda" function or in plain language "anonymous functions" since they have no function name.
{| class="wikitable"
|+
!Old
!New
|-
|
<syntaxhighlight lang="javascript" style="white-space:nowrap">
for (var acnon = 0; acnon < acnos.length; ++acnon) {
var acno = acnos[acnon].split(sm)
if (acno[1])
acno = acno[1]
else if (acno[0]) {
//acno="."+acno[1]
acno = "." + acno[0]
} else {
acno = ''
}
acnos[acnon] = acno
}
</syntaxhighlight>
|
<syntaxhighlight lang="javascript" class="nowrap">
acnos = acnos.map(acno => {
const acno2 = acno.neosyssplit(sm)
if (acno2[1])
return acno2[1]
else if (acno2[0]) {
//return "."+acno2[1]
return "." + acno2[0]
} else {
return ''
}
})
</syntaxhighlight>

Migrating to modern javascript

2020-03-21T21:04:08Z

Steve:

In 2015 the new "ES6" version of javascript introduced a many fundamental and routine improvements in the language.

The concept of "modules" allows the packaging up a group of associated functions so that they have their own module scope variables that do not interfere with the standard global variables. NEOSYS may be refactored to take advantage of the protection that this brings and it will allow the introduction of industry standard libraries without those libraries conflicting with NEOSYS scripts. NEOSYS currently does not use any libraries since it was created long before any javascript libraries existed.

On the routine programming side this page will contain a list of the possible improvements in programming style that can be used when adding new code to the NEOSYS javascript code base.

== Using map function instead of time honoured "for loop over array" ==
*The purpose of the new "map" function is to convert every element of an array by using a given function. map doesn't actually touch the old array but rather outputs a new array. If you immediately assign the output of the map function into the old array then the end result is a conversion, not a creation.

*The old ugly "for loop" syntax is replaced by the new beautiful "map" syntax. Both are equally incomprehensible in plain language.

*Think of the '''"acno => {"''' is the new style shorthand meaning "'''function anonymous(acno) {"'''

*"=>" is known as an "arrow function" in javascript. In the rest of the programming world they are known as "lamda" function or in plain language "anonymous functions" since they have no function name.
{| class="wikitable"
|+
!Old
!New
|-
|
<syntaxhighlight lang="javascript" style="white-space:nowrap">
for (var acnon=0;acnon<acnos.length;++acnon) {
var acno=acnos[acnon].split(sm)
if (acno[1])
acno=acno[1]
else if (acno[0]) {
//acno="."+acno[1]
acno="."+acno[0]
} else {
acno=''
}
acnos[acnon]=acno
}
</syntaxhighlight>
|
<syntaxhighlight lang="javascript" class="nowrap">
acnos=acnos.map(acno => {
let acno=acno.neosyssplit(sm)
if (acno[1])
return acno[1]
else if (acno[0]) {
//acno="."+acno[1]
return "."+acno[0]
else {
return ''
}
})
</syntaxhighlight>

Migrating to modern javascript

2020-03-21T21:01:42Z

Steve:

In 2015 the new "ES6" version of javascript introduced a many fundamental and routine improvements in the language.

The concept of "modules" allows the packaging up a group of associated functions so that they have their own module scope variables that do not interfere with the standard global variables. NEOSYS may be refactored to take advantage of the protection that this brings and it will allow the introduction of industry standard libraries without those libraries conflicting with NEOSYS scripts. NEOSYS currently does not use any libraries since it was created long before any javascript libraries existed.

On the routine programming side this page will contain a list of the possible improvements in programming style that can be used when adding new code to the NEOSYS javascript code base.

== Using map function instead of time honoured "for loop over array" ==
*The purpose of the new "map" function is to convert every element of an array by using a given function. map doesn't actually touch the old array but rather outputs a new array. If you immediately assign the output of the map function into the old array then the end result is a conversion, not a creation.

*The old ugly "for loop" syntax is replaced by the new beautiful "map" syntax. Both are equally incomprehensible in plain language.

*Think of the '''"acno => {"''' is the new style shorthand meaning "'''function anonymous(acno) {"'''

*"=>" is known as an "arrow function" in javascript. In the rest of the programming world they are known as "lamda" function or in plain language "anonymous functions" since they have no function name.
{| class="wikitable"
|+
!Old
!New
|-
|
<syntaxhighlight lang="javascript" style="white-space:nowrap">
for (var acnon=0;acnon<acnos.length;++acnon) {
var acno=acnos[acnon].split(sm)
if (acno[1])
acno=acno[1]
else if (acno[0]) {
//acno="."+acno[1]
acno="."+acno[0]
} else {
acno=''
}
acnos[acnon]=acno
}
</syntaxhighlight>
|
<syntaxhighlight lang="javascript" class="nowrap">
acnos=acnos.map(acno => {
let acno=acno.neosyssplit(sm)
if (acno[1])
return acno[1]
else if (acno[0]) {
//acno="."+acno[1]
return "."+acno[0]
else {
return ''
}
})
</syntaxhighlight>
}

Migrating to modern javascript

2020-03-21T17:56:52Z

Steve: Created page with "In 2015 the new "ES6" version of javascript introduced a many fundamental and routine improvements in the language. The concept of "modules" allows the packaging up a group o..."

In 2015 the new "ES6" version of javascript introduced a many fundamental and routine improvements in the language.

The concept of "modules" allows the packaging up a group of associated functions so that they have their own module scope variables that do not interfere with the standard global variables. NEOSYS may be refactored to take advantage of the protection that this brings and it will allow the introduction of industry standard libraries without those libraries conflicting with NEOSYS scripts. NEOSYS currently does not use any libraries since it was created long before any javascript libraries existed.

On the routine programming side this page will contain a list of the possible improvements in programming style that can be used when adding new code to the NEOSYS javascript code base.
{| class="wikitable"
|+Using map function instead of time honoured "for loop over array"
!Old
!New
!Comments
|-
|for (var acnon=0;acnon<acnos.length;++acnon) {
var acno=acnos[acnon].split(sm)
if (acno[1])
acno=acno[1]
else if (acno[0]) {
//acno="."+acno[1]
acno="."+acno[0]
} else
acno=<nowiki>''</nowiki>
acnos[acnon]=acno
} 
|acnos=acnos.map(acno => {
acno=acno.neosyssplit(sm)
if (acno[1])
return acno[1]
else if (acno[0]) {
//acno="."+acno[1]
return "."+acno[0]
else
return <nowiki>''</nowiki>
})
|
* The purpose of the new "map" function is to convert every element of any array by using a function. map doesn't actually touch the old array but rather outputs a new array. Of course you are free to immediately replace the old array with the new array ... so the end result is a conversion, not a creation.

* The old ugly "for loop" syntax is replaced by the new beautiful "map" syntax. Both are equally incomprehensible in plain language.

* Think of the '''"acno => {"''' is the new style shorthand meaning "'''function anonymous(acno) {"'''

* "=>" is known as an "arrow function" in javascript. In the rest of the programming world they are known as "lamda" function or in plain language "anonymous functions" since they have no function
|-
|
|
|
|-
|
|
|
|}

Main Page

2020-03-21T17:07:24Z

Steve: /* Technical */

<big>'''This is the Technical Support NEOSYS Wiki.'''</big>

==Technical==
[[Installing NEOSYS]]

[[Upgrading NEOSYS]]

[[Testing NEOSYS]]

[[Configuring NEOSYS Generally]]

[[Configuring NEOSYS Finance System]]

[[Administering NEOSYS Server]]

[[Troubleshooting NEOSYS Generally]]

[[Troubleshooting NEOSYS Agency System]]

[[Troubleshooting NEOSYS Media System]]

[[Troubleshooting NEOSYS Finance System]]

[[Troubleshooting NEOSYS Jobs System]]

[[Moving and Uninstalling NEOSYS]]

[[Handling Nagios Client Monitoring System]]

[[Backup and Restore]]

[[Procedures]]

[[Checklists]]

[[Solution Unknown]]

[[NEOSYS DDNS Service]]

[[Activating/Reactivating Windows]]

[[Programming Knowledge]]

[[MIgrating to modern javascript|MIgrating to Modern Javascript]]

Troubleshooting NEOSYS Generally

2020-01-22T16:08:27Z

Steve: /* Investigating slow response in NEOSYS using NEOSYS logs */

==Solving failure to start a NEOSYS server due to disk failure message==
===Problem===
During a reboot process (which maybe due to a Windows update or even done by a support personnel) the NEOSYS server gets hung on the startup and shows a message "Boot Failure - Abort, Retry".

===Temporary solution===
This typically happens due to the USB being plugged into the server and the boot sequence being wrong - i.e. the server trying to boot from the USB first and fails. The immediate solution would be to unplug the USB and ask the client to reboot the server again and upon successfully rebooting the system, plug the USB back again.

===Permanent solution===
The above problem will occur every time the computer is rebooted, so you need to immediately talk to the IT Administrator of the client and ask them to rectify the boot sequence to make it boot first from the CD ROM, then the HDD and last the USB.
 Allowing "Boot from USB" causes a severe risk of infection by boot sector viruses since the first infected USB device inserted WILL infect the server immediately as anti-virus programs are not active during boot.

==Replicate options used & error using sysmsg Data:==

NEOSYS users will send screenshots with the error message which often blocks options used, slowing down the ability to replicate the problem.

NEOSYS when a user faces a system error, NEOSYS sends a email with the error information, including texted that cann be used to recreate the optioned used at the time.
Thus avoiding the need to ask the user to send another screenshot without the error message.

Find the form data in the raw text of the emailed error message.

[[image:Rawformdatapng.png]]

Sadly normal email view renders it useless by mangling it, treating ^ as formatting character superscript.

The form raw data will be something like this:

1^^^1^3^3^^^^^^^^^^^^^^^3^^^^^^^^^18319^18319^^^^^^^^^4^^0^^^^^^^^^^^^^1}2

First prepare a command by inserting the above form data into the following command in place of %FORMDATA%. Do it anywhere you can cut and paste text.

form_setdefault('%FORMDATA%')

or in old versions of NEOSYS

gro.defaultrevstr=unescape('%FORMDATA%'.neosysconvert('`^]}\~',rm+fm+vm+sm+tm+stm))

Achieving the following command:

form_setdefault('1^^^1^3^3^^^^^^^^^^^^^^^3^^^^^^^^^18319^18319^^^^^^^^^4^^0^^^^^^^^^^^^^1}2')

or in old versions of NEOSYS

gro.defaultrevstr=unescape('1^^^1^3^3^^^^^^^^^^^^^^^3^^^^^^^^^18319^18319^^^^^^^^^4^^0^^^^^^^^^^^^^1}2'.neosysconvert('`^]}\~',rm+fm+vm+sm+tm+stm))

Once you have constructed the command, do the following:

#As NEOSYS user, get onto the exact same screen as the user was in when they got the message. (Using the screenshot they send)
#Press Ctrl+Shift+F12 - to get a NEOSYS javascript prompt
#Paste the command and Press Enter - to execute the command - it must confirm with "setdefaultform( ... ) = ok"
#Press Enter or click OK - to remove the confirmation
#Press Esc or click Cancel - to close the javascript prompt
#Press F8 or click Close - to refresh the form
#The form should now be filled in correctly including any hidden fields.

==[[Administering_NEOSYS_Server#Clearing_File_Locks| Troubleshooting "Document is being updated" message]]==

==Troubleshooting the "Database not available" error message==
===Problem explained===
This error appears when you try to login to NEOSYS after you enter your username and password and click the Login button.

[[image:database_unavailable.jpg]]

Error message :

Cannot login because :
Error : The (database code) database is not available right now.

If the error message appears post login i.e. when users are working on the system then check if processes are free to run user request.

[[image:not_available.jpg]]

===Solution explained===

#Determine if the processes are running. If they are running and you still get the same message that means that either the processes have [[Troubleshooting_NEOSYS_Generally#Troubleshooting_Hung_processes|hung]] and need to be [[Troubleshooting_NEOSYS_Generally#How_to_kill_hung_NEOSYS_processes|killed]].
#If the processes are not visible on the desktop, it is possible that they are running in the background and have hung for some reason. Check the windows task manager to see if any ‘ntvdm’ process is running and [[Troubleshooting_NEOSYS_Generally#If_NEOSYS_processes_are_not_visible_on_the_server_desktop|fix hung processes]].
#If not hung then the available processes may be busy running long reports and a new process needs to be started. Refer to [[Handling_Nagios_Client_Monitoring_System#Counting_current_active_users| counting current active users]] to get a sense of the processing requirements for an installation.
#If there are processes available which are not hung or busy running reports, then ensure that the URL is pointing to the correct IP address and not to a wrong one e.g. a backup server.
#If the process had not hung and no processes running, then the server might have restarted due to a power failure or a windows update and the administrator user had not logged in post the scheduled startup time of 6AM. To determine the cause of this, investigate in the Windows Event Viewer Log file.
#You can now start up the process by clicking on the respective desktop icons.
#Also check if the nightly backup took place successfully or not.
#Look into the logs at the date/time stated for the last transaction processed to investigate why process got hung. See [[Troubleshooting_NEOSYS_Generally#Inspecting_Database_LOGS_Folder| Inspecting logs]] for more information on logs.

==Fixing missing ADAGENCY.VOL==

The file contains database info required on Login Page and the directory paths of the NEOSYS programs and DATA required for maintenance mode.

===Problem===

When accessing NEOSYS Login Page: "Error: Cannot read D:\NEOSYS\NEOSYS\ADAGENCY.VOL".

This error will occur when the ADAGENCY.VOL file has been deleted (has previously happened after failed backup and after upgrading NEOSYS) or the file has become corrupt after a bad disk block was "fixed" by windows CHKDISK.

===Solution===

Manually recreate the file and its text contents (or if installation is on win3 use the nl13 snapshots).

In example below, only make changes to first line: (Maintenance mode login at dataset selection will display info)

Syntax: ZXC <DATASET NAME, DATASET CODE,,LAST BACKUP DATE>*..> (Separate each database's details with '*')

Example:
<pre>
ZXC TEST,TEST,,25 MAR 2019*XDEVTEST,XDEVTEST,,17 SEP 2018
.\ACCOUNTS
.\GENERAL
.\ADAGENCY
..\DATA\ZXC\GENERAL
..\DATA\ZXC\ACCOUNTS
..\DATA\ZXC\ADAGENCY
</pre>

==Troubleshooting "user not authorised to login from a location" error message==
[[image:IPerror.jpg]]

'''Error message:'''
xxx is not authorised to login form the location (IP Number. xx.xx.xx.xx)

'''Solution Explained:'''

Check the URL used and follow the steps below to check if it is correct and email the user accordingly.

#If the Client installation is hosted on NEOSYS server then users can use only https link to access NEOSYS.
#*Check with the client's management if this particular IP is their public IP.
#*Add IP on management confirmation (Refer to [[Procedures#Handling_User_Requests_to_add_an_IP_or_range_of_IPs_to_access_NEOSYS|Handling User Requests to add IP/IPs]] )
#In case of Client hosted server, users should access NEOSYS via LAN using the http link.
#*There can be exceptional cases where user needs to access NEOSYS outside the office Network e.g a client installation with two companies at different locations and NEOSYS installed at one. In this case Support will have to add the IP number of the second company so that users can access NEOSYS. But before you even suggest to add the IP, get the request from their management saying that the IP number is another office location and needs to be added. (Refer to [[Procedures#Handling_User_Requests_to_add_an_IP_or_range_of_IPs_to_access_NEOSYS|Handling User Requests to add IP/IPs]] )

==Handling damaged files==

[[Handling damaged files]]

===Checking for corrupt database files===
Login to NEOSYS Maintenance. This can be done when users are online.

Press F5

CHK.FILES

or

CHK.FILES filename

''' Sizelock while performing chk.files '''

Fixing sizelock errors should not be done while other users are online to the same database.

Sizelock errors are not critical and will be fixed automatically during the nightly backup.

Sizelock errors occur if a program or process that is selecting records from a file is aborted in some abnormal way.

Error message:

These Files/Tables have a Sizelock Value of 2 or greater.
Tag/Select the Files/Tables to be Fixed.
Press F9 to fix selected files

Press F9 to proceed with fixing the selected files or press ESC to continue with chk.files without fixing sizelock as it gets automatically fixed during the nightly backup.

Refer to the [http://techwiki.neosys.com/index.php/Backup_and_Restore#Error_Message:_Size_Lock Sizelock errors in backup emails] for more information.

[[file:sizelock.jpg]]

===Determining Database File Name from Operating System File Name===

To assess the potential damage and possible remedial measures you need to know the database file name. If the message only refers to the operating system file name you need to follow this procedure to determine the database file name.

Once you have the database file name you can use CHK.FILES XXXXXXX to check if corrupt or not and various other procedures to fix the corruption.

Remember that fixing the corrupt data does not solve the overall problem. The *cause* of the corruption must be identified and eliminated otherwise the problem may reoccur and in a more serious form perhaps with unrecoverable loss of data.

<pre>
╒═══════════════════════════════════TCL - 2══════════════════════════════════╕
│ │
│ :list FILES WITH ALL CONTAINING 'REV76481' │
│ │
╘════════════════════════════════════════════════════════════════════════════╛
</pre>

[[File:DBfilenamefromOSfilename.jpg]]

==Finding out when and by whom a record was deleted==

In most cases, NEOSYS does not allow users to delete records and instead keeps a record of everything. In some cases however, things are deleted and the only way to get full details about the deletion is to search the logs. This is cumbersome, but there is a quick way to find out when, and by whom, a record was deleted. Prior to NEOSYS software versions dated Mar 2014, and deletions done before the same date, this procedure will only tell you when the record was deleted - but not who deleted it. Knowing exactly when it was deleted will nevertheless help you to search the logs for full details.

In maintenance mode F5

ED SHADOW DELETED*filename*key

For example:

ED SHADOW DELETED*BATCHES*L*JOU*2*U

Journals are stored in the BATCHES file. The key of an unposted batch is x*y*999*U where x is the company code, y is the journal type code, 999 is UNPOSTED batch number and U is just U to indicate unposted batches. Note that unposted batches are normally deleted at the time they are posted - ie converted to posted batches.
<pre>
╔══════════════════════════┤DELETED*BATCHES*L*JOU*2*U├═════════════════════════╗
║16831.60706 ║
║BRUCEL ║
║╒═══════════════════════════════════TCL - 6══════════════════════════════════╕║
║│ │║
║│ :EVAL PRINT 16831.60706 '[DATETIME]' │║
║│ │║
║╘════════════════════════════════════════════════════════════════════════════╛║
║ ║
║ ║
</pre>

Once you see the number (in this case 16831.60706) you can convert it to a time and date by typing something like

PRINT 16831.60706 '[DATETIME]'

Using this date and time you can search the logs more effectively to find out who did the deletion and in what circumstances.

==How to find the physical disk space occupied by logical files==
Running the following command in NEOSYS maintenance mode will identify disk space used per file, largest files first.
LIST FILES BY-DSND SIZE
or on old versions of NEOSYS
LIST FILES BY-DSND SIZE ACCOUNT SIZE FILE.HANDLE

This will include all files not just those in the actual dataset in DATA\* folders.

The file handle column shows the name of an .LK file however every .LK file has its .OV (overflow file) which is often larger than the .LK file.

[[File:Physical file sizes.png]]

==Fixing slow speed==
===[[Benchmarking NEOSYS]]===
===Investigating slow response in NEOSYS using NEOSYS logs===
Firstly remember that users are highly prone to claiming that the system is "slow" when what is really happening is that the system is hanging and freezing due to some system or network failure ... and there is no actual "speed" issue at whatsoever.

If users complain about slow speed, but the server CPU performance looks normal, then support MUST investigate NEOSYS request logs to confirm that NEOSYS was in fact slow at the time when the client complained about slow response. Then check what requests took time to respond and investigate the delay. Remember that request logs report the elapsed time that the NEOSYS database takes, it does not cover web server or network time, although those are usually negligable.

Search NEOSYS log entries around the time that the user complained about slow response and look for log entries with high response time. Make a note of what requests took long to respond. If multiple users were simultaneously requesting long reports from NEOSYS, then NEOSYS can be expected to respond slowly for other smaller requests that were processed at that time.

Also refer to [http://userwiki.neosys.com/index.php/General_FAQ#Why_is_NEOSYS_taking_a_long_time_to_generate_a_report.3F why is NEOSYS taking a long time to generate a report].

===Investigating CPU 100% using Windows Task Manager===
Email, to support, a screen-shot of task manager APPLICATIONS, PROCESSES and PERFORMANCE screens MAXIMIZED TO SHOW AS MUCH AS POSSIBLE.

(Sort the processes to show ntvdm, waiting.exe and high cpu% processes clearly)

'''Steps:'''

#Right Click on Windows Taskbar and click on Start Task Manager [[image:starttaskmanager.jpg]] 
#Click on Processes and then click on CPU '''Note - The HIGH cpu% processes which should usually be the "process" called "System Idle Process" ''' [[image:cpu100percent1.jpg]] 
#Click on the Performance Tab '''Note - PF Usage should typically be much less than Physical Memory otherwise there is insufficient real memory in the server to handle the load''' [[image:cpu100percent3.jpg]] 
#Click on Application Tab then Right Click on a NEOSYS Process and Click on Bring to Front '''See what the NEOSYS Process is doing [[image:cpu100percent2.jpg]] '''
#Right Click on a NEOSYS Process and Click on Go to Processes '''Note the cpu% ntvdm process [[image:cpu100percent2_2.jpg]] '''
#Normally NEOSYS application screens say "LISTENING" in the bottom line and those applications should have very low cpu% [[image:normalneosysprocess.jpg]] 
#Look at the difference between the screen of running NEOSYS processes (applications actually) which are idle (listening for requests) and active (processing a request from a user)
#Note the number of cpus or cpu threads in the server from the performance screen graphics [[image:performance-taskmgr-cputhread.jpg]] 
#Take screen-shots of any and ALL hung or long running processes (NEOSYS application screens) and email them to support. Even small details on the screens and user names, the user names may give clues to what problem caused the hanging.A Typical Hung NEOSYS process will look like this: [[image:hungneosysprocess.jpg]] 
#Once all hung/long processes are closed then CPU should be low and not near 100%. If it is still 100% then check all high cpu% processes and send a screen-shot of processes sorted to show the high cpu% process names to support.

===Solving server CPU% is 100 and all users are extremely slow/stopped===

Get the screenshots of Task Manager and ALL processes on the server, the objective is to assess the true issue. No need to get the screens not in use obviously but you can send a parallel screen shot for them if you want to be pedantic or even a comment will do.

====Too few CPUs/threads for the number of users====
In Windows task manager normally, you should see one ntvdm.exe and one waiting.exe process per NEOSYS process (application). A standard installation has three NEOSYS processes per main database and plus one per test database. This is configured in Support Menu, Configuration File.

If there are MORE ntvdm processes than you expect from the configuration file, then perhaps NEOSYS is auto starting new NEOSYS processes to try and cater for a high number of concurrent users.

If the number of concurrent NEOSYS processes significantly exceeds the number of cpus/hyperthreads available in the server then processing for everybody can become so slow for everybody and almost no work gets done.

====Solution====
Stop NEOSYS creating new NEOSYS processes automatically. Create a text file with the first and only line as AUTOSTART=NO in the neosys\neosys folder something like this.

notepad d:\neosys\neosys\NET.CFG

AUTOSTART=NO

==How do I troubleshoot email not received?==

[[Troubleshooting email not received]]

==Fixing permissions errors while logging in==

===Problem===

While logging in, you get the following error message:
[[Image:login_error_message.jpg]]

===Solution===

Add the internet guest account to the security list of the data folder with the default permission of list/read/write

Make sure the read&execute permission is removed
[[Image:permissions_on_data.jpg]]

==Fixing the 'HTTP Error 500.0 - Internal Server Error' while logging in on IE on a Windows Vista system==

===Problem===
After configuring IIS on Windows Vista you will get this error message while trying to login into NEOSYS from Internet Explorer:

HTTP Error 500.0 - Internal Server Error
Description: This application is running in an application pool that uses the Integrated .NET
mode. This is the preferred mode for running ASP.NET applications on the current and future
version of IIS.

In this mode, the application using client impersonation configured with <identity
impersonate="true" /> may not behave correctly. Client impersonation is not available in early
ASP.NET request processing stages and may lead modules in those stages to execute with process
identity instead.

===Solution===

You can move the application to an application pool that uses the Classic .NET mode by using the following from a command line window (the window must be running as Administrator)

%systemroot%\system32\inetsrv\APPCMD.EXE set app "Default Web Site/neosys" /applicationPool:"Classic .NET AppPool"

Alternatively, you can use any other application pool on your system that is running in the Classic .NET mode. You can also use the IIS Administration tool to move this application to another application pool.

==Fixing the 'Class Not Registered' error message while logging in==

===Problem===
While logging into NEOSYS, you will get a popup window giving an error message saying 'Class Not Registered - Server Error'. Typically, you will encounter this error with XP Pro IIS 5.1. As usual, there's way to solve it, however the root cause of this is still unknown.

Anyway, you will get the proper message in the event log:

Event Type: Warning
Event Source: W3SVC
Event Category: None
Event ID: 36
Description: The server failed to load application '/LM/W3SVC/1/ROOT/NEOSYS.
The error was 'Class not registered'.

===Solution===
So, what do you do ? This problem is related to Component Services, and when you open Component Services MMC, you will most probably get Error Code 8004E00F COM + was unable to talk to Microsoft Distributed Transaction Coordinator. So, fix the COM+ services first by using the following KB from Microsoft (PRB: Cannot Expand "My Computer" in Component Services MMC Snap-In http://support.microsoft.com/?id=301919):

To resolve this problem, reinstall Component Services as follows: WARNING:

#Open registry editor, locate HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3, and then delete this key.
#From the Start menu, point to Settings, click Control Panel, and then click Add/Remove Programs.
#Click Add/Remove Windows Components.
#Proceed through the wizard, and accept all of the defaults (including IIS)
#Restart the computer.

If the above didn't solve it, and you still receive the 'Class not registered' error message, then you need to recreate the IIS packages in COM+, try

#Delete IIS related package in Component Services MMC
#IIS In-Process Applications
#IIS Out-of-Process Pooled Applications
#IIS Utilities

Next, if you still get the message, try following before re-install IIS if you can't find Distributed Transaction Coordinator in your Services console.

Launch command prompt and run the following command.

#msdtc -install
#net start msdtc

Then try re-install IIS.

This should solve the problem

==Enabling File Security option on Win XP Professional==

===Problem===

In the Properties of any folders, the Security option does not show, hence you cannot modify the Read, Write options.

===Solution===

The solution would be to untick the 'Simple File Sharing' option from Tools > Folder Options > View:
[[Image:simplefilesharingoff.jpg]]

==%00%00%00%00 Errors==

===Error Message===
<pre>
SYSTEM ERROR in line 162. Amount "-2698.00AED" or base "%00%00%00%00" has been wrongly generated
GET NEOSYS SUPPORT. DO NOT ATTEMPT TO CORRECT MANUALLY
</pre>
===Solution===
%00%00%00%00 indicates an internal error that NEOSYS programmer has to fix. It is usually random and can be hard to replicate unlike almost all other NEOSYS errors which usually replicate reliably once you find the cause.

==B703 Errors==

The B703 error is usually always related to something too big for NEOSYS to handle.

These are the only B errors that NEOSYS cant always permanently prevent by fixing the software.

For more information, check [[Troubleshooting_NEOSYS_Media_System#B703_Errors|B703 errors]]

==Internet Explorer Menu, View, Text Size doesnt change font size as expected==

Cause: This is because the font size is now user definable in NEOSYS and View, Text Size does not override predefined font sizes.

Solution: If you are using Internet Explorer 7 you can scale the screen (including the font size using ctrl + and ctrl - keyboard shortcuts or the font size button on the bottom right hand side of the window.

You can adjust the font size on the User Details form when you login although this permanently applies to all forms not just the one that you are on.

==Uploaded jpg files fail to display in internet explorer==

Some large jpg files > 2Mb cannot be viewed in internet explorer despite being viewable in image preview, ms paint and other viewers/editors. It is not an issue caused by uploading or downloading the files.

These file appear to have been created on Photoshop CS Macintosh and may be a special type of uncompressed jpg used for production quality files.

===Partial solution===
Before uploading the files, open them in some editor like MS Paint (right click, edit) and save them. However this results in a loss of quality. Perhaps there is some program that can convert these files to a format understandable by Internet explorer without any loss of quality.

=="This document is currently read only"==

===Cause===
The user attempting to modify this document does not have the authorization key to do so.

===Solution===
Inform the user that he is not authorised to modify the document and give him the list of users within his company who are authorised to do so.

=="You have attempted to write to a read-only file"==

===Message===

Error while writing data.
You have attempted to write to a read-only file.
- or -
access to the file has been denied by the operating system.
(operating system file name: "..\DATA\ADLINEC\ADAGENCY\REV76467.OV00012618")

===Cause===

It is almost certainly due to some third party backup or other maintenance software opening the NEOSYS database files when it shouldn't e.g. badly configured third party backup scheduled to backup NEOSYS while NEOSYS is still running. Note that the exact filename varies each time.

===Solution===

This can be a serious error that causes damaged files in NEOSYS especially if the filename ends in .OV. Use the usual methods of checking for damaged files e.g. do a backup which also looks for damaged files BUT DO NOT OVERWRITE THE LATEST BACKUP SINCE IT MAY BE REQUIRED for restoration. Then fix the damaged files using the usual methods e.g. by rebuilding/using
FIXFILE or restoring databases. For more info check [[Handling damaged files|Handling damaged files]]

===Prevention===

Remove the third party backup or other maintenance software or reschedule it to run at a time that NEOSYS is shutdown. Removal of software may require hunting through the windows process list for unexpected programs running.

==Troubleshooting Hung processes==

===Investigating hung NEOSYS processes===

To find out if a process is hung, check the time on the last line of the process which would be frozen since the time it first hung. This time can be cross-referenced with the current server time and you will notice the difference in time b/w the server and the hung process. You can also find the duration of hung processes in Nagios.

Step 1

Gather all the useful and necessary information about the current state of the system by taking screenshots of the NEOSYS process windows, server time and date, process list in Task Manager etc.

Always remember to take screenshots of the whole screen, since every little detail is useful for investigation.

Send an e-mail to Support with all the investigated details.

Step 2

Request a shutdown of all NEOSYS processes, which would leave only the hung processes open.

Close the hung process/es.

Step 3

Process explorer can be installed from Microsoft Sysinternals and for a deeper inspection of the problem with a view to resolving it, should be used to gain information about what files are open.

If already installed, procexp.exe can be found on the Desktop or from Start Menu-> Programs.

In process explorer, Find -> Handle -> type d:\

Submit the complete list (maybe more than one page) to support for records.

[[Image:invhungprocess.jpg]]

===[[Troubleshooting_NEOSYS_Generally#Investigating_CPU_100.25_using_Windows_Task_Manager|Investigating CPU 100% using Windows Task Manager]]===

===[[Troubleshooting_NEOSYS_Generally#Solving_server_CPU.25_is_100_and_all_users_are_extremely_slow.2Fstopped|Solving server CPU% is 100 and all users are extremely slow/stopped]]===

===Error message: "Fatal Error in Rev Restart"===

[[image:fatal.jpg]]

===Error message: “Abort, Retry, Fail”===
====Problem====
The following messages may come on older versions of NEOSYS if there is a problem with the USB media inserted for backup.

[[image:usberror.jpg]]

This results in “NEOSYS has not checked in” message on Nagios since it hangs during the monitoring update and locks all other processes from monitoring too.

General failure writing drive F
Abort, Retry, Fail?

Not read reading drive F
Abort, Retry, Fail?

Pressing A or F results in the problem happening again in about a minute, perhaps on a different process.

====Solution====
Temporary solution is to do “Safely remove hardware” from the windows notification area. Using “Eject” from My Computer will not work.

Permanent solution is to replace the defective USB memory stick. Sometime reformatting is sufficient.

Upgrading NEOSYS will probably stop the defective media from causing NEOSYS to hang but the USB will still be useless for backup.

===Error message: "Read error in the operating system file"===
====Problem====
Nagios reports a hung process and on the server a process has the following message popup.

Read error in the operating system file "..\DATA\PT0833\ACCOUNTS\REV20049
The file does not exist or the filename is
not valid for the operating system.

[[Image:readerrorintheoperatingsystemfile.png]]

====Cause====
Some non-NEOSYS program is directly accessing the NEOSYS database files while NEOSYS processes are running and using the files as well.

*Client IT staff using a backup program to perform backup without ensuring that NEOSYS processes are shutdown.
*A NEOSYS rsync process taking longer than expected due to new USB.

====Solution====
Kill the NEOSYS process eg with the X button. It is advisable NOT to let it run further while it cannot properly access one of its files.

====Prevention====
Remove the third party program or arrange for it to operate only while NEOSYS processes are shutdown eg from 3am-6am.

===Error message: "Not enough string space - Out of Memory"===

====Message====

‘RTP27’ Line 1. [B29] Not enough string space – Out of Memory.

Not enough memory to execute Debugger; current program aborted.
Press any key to continue

[[Image:out_of_memory.jpg]]

====Cause====
Unknown perhaps related to some large document or report

====Solution====
Ask users for any hanging transactions.
None other than closing and starting another process.

Also refer [[Troubleshooting NEOSYS Generally#Enabling EMS memory on Window 2003|Enabling EMS memory on Window 2003]]

===Error message: B521===

[[Image:B521.jpg]]

Another user is currently updating indexes.
Waiting to make your updates...
If you interrupt this process,
you may have to rebuild all the indexes

B521 message is usually temporary and goes away by itself. If it does not then, as the text of the B521 message makes clear, some OTHER process is holding up the system, preventing the process with B521 message from continuing.

B521 message is a symptom of other problem so it does not itself have some one simple solution. You must find which other process or issue is causing the hold up and solve whatever problem is causing the hold up, which could be anything.

===Error message: " NTVDM encountered a hard error "===

The following error message appears:

[[Image:ntvdm.jpg]]

NTVDM encountered a hard error

====Solution====

This error is caused by missing or corrupt Windows system files (i.e. command.com, autoexec.nt and config.nt). The solution is to run a program called XP FIX which will reinstall these missing files. You can download it form http://www.visualtour.com/downloads/xp_fix.exe

Sometimes even after running the XP FIX program the error still appears. Then you need to copy all the files under C:/windows/repair to C:/windows/system32 and in the autoexec.nt and config.nt put REM before any lines there which don't have it.

====Possible fix for some NTVDM errors====

=====Error message=====

[[Image:Ntvdm1.jpg]]

NTVDM has encountered a System error.
The system cannot find the file specified.
Choose close to terminate the application.

=====Possible solution=====

#Change the TEMP and TMP environment variables to C:\WINDOWS\TEMP. This should be for the user that runs NEOSYS processes - normally administrator.
#Close all NEOSYS processes
#Logout/Login again
#Restart NEOSYS processes

[[image:Ntvdmsoln.png]]

=====Check solution done properly=====

You can check that by typing ECHO %TEMP% and ECHO %TMP% at a console prompt after logging out and in again.

Note that windows will actually set the windows environment variables to something like C:\WINDOWS\TEMP\2 for some unknown reason.

<pre>
d:\hosts>ECHO %temp%
C:\WINDOWS\TEMP\2

d:\hosts>ECHO %tmp%
C:\WINDOWS\TEMP\2
</pre>

===Error message: [[Troubleshooting_NEOSYS_Generally#Troubleshooting_the_.22Database_not_available.22_error_message|"Database not available" post login]]===

===Error message: [[Backup_and_Restore#Error_Message:_.22Cannot_backup.2Frestore_because_PROCESS1_PROCESS2_.28etc.29_is.2Fare_online.22_message|"Cannot backup/restore because PROCESS1 PROCESS2 (etc) is/are online"]]===

===How to kill hung NEOSYS processes===

NOTE WELL: If you kill actively working NEOSYS processes (those which are "listening" and not hung/crashed) there is a reasonable chance that the database will be damaged and might need a restore losing possibly large amounts of work.

====If NEOSYS processes are visible on the server desktop====

Look for processes which don't have "Listening ..." on the last but one line. The times on the left hand side are frozen as at the time of the hang.

You can then click the X to kill the process and confirm that this is OK.

Example of a NEOSYS process that has hung due to a software error resulting in a failure to handle a complex query with a lot of brand codes.

[[Image:hungprocess.jpg]]

====If NEOSYS processes are not visible on the server desktop====

NEOSYS processes are most of the time visible on the desktop (i.e. the black dos windows) in Windows 2003 OS, except in the case that the process has been scheduled to start on computer restart and no one has logged into the server. In this case it would be running in the background. TODO

You can check if there are any hung processes from the NEOSYS Support Menu, List of Database Processes.
[[Image:databaseprocesseslist.jpg]]

In this case you should follow the below instructions - however all of them need to be done within 30 seconds of starting the first instruction to avoid inconvenience to the users. It is recommend that you keep relevant windows open before proceeding with the same:

#Shutdown NEOSYS by TEMPORARILY putting a file called GLOBAL.END in the parent directory of NEOSYS (if there is already a GLOBAL.END.TEMP file then rename it to GLOBAL.END). Leaving the file there would prevent NEOSYS from starting up again. Shutting down NEOSYS from the Support menu will not work because of the hung processes.
#Use Windows Task Manager to kill all the NTVDM processes - assuming that you have closed all the visible NEOSYS processes, then the NTVDM processes in the task manager would be the hung one.
#Delete GLOBAL.END or rename it to GLOBAL.END.TEMP
#Restart the processes back again. If there are many datasets then you need to restart them all well within the 30 seconds period. Restarting a process will not be noticed by users, if started immediately.
#*Create a [[Configuring_STARTALL.cmd_command_to_auto_start_all_processess | STARTALL.cmd]] file for future cases, where you may need to quickly start many processes for clients with multiple datasets.

In case of Patsalides, where we have a thousand datasets which start "on demand" i.e. usually on login; all you need to do is start one dataset which will restart all the other datasets "on demand". If there is no response within 30 seconds then one of the running datasets will start it up so there appears to be a 30 second delay when you login to one of the thousand datasets the first time on any one day.

===Temporary workarounds for hung NEOSYS processes===
Until the error in the software is fixed users can often get their results by simplifying their requirements. For example select individual clients instead of selecting all the brands for a particular client. If the user has repeated his request (in forlorn hope that it would work finally) then the number of working NEOSYS processes will drop causing severe slowdown for other users and complete stop if all the NEOSYS processes hang.

==Fixing " You do not have sufficient privilege to access this file "==

This error message may come up while NEOSYS processes start up at the same time.

Error message on:
16 bit MS-DOS Subsystem
D:\hosts\Client_nam\NEOSYS\AREV.EXE
C:\Windows\SYSTEM32\CONFIG.NT. Error Code 0x20. You do not have sufficient privilige to access this file. See your system administrator. Choose 'Close' to terminate the application.

Close the error message window and look for NEOSYS processes for that client. In case there is no process, start the NEOSYS process.

[[image:Errormsg.jpg]]

==Fixing wrong default program assigned to open a file type==

The NEOSYS process (cmd file) might open up in a notepad, instead of the usual black colour DOS window. This may happen if a JavaScript file is opened using notepad. Support MUST be very CAREFUL when accessing .JS and .JSE files and double check that the default program remains wscript.exe and not changed to notepad/wordpad. The issue can be fixed by the following:

#Check if Windows Script 5.6/5.7 is installed, IF NOT download and install it from the Microsoft Website.
#Go to Control Panel -> Default Programs -> Associate a file type or protocol with a program and then change the default program for .JS and .JSE to "Microsoft Windows Based Script Host"

For file types that must not have any default program to open them (e.g. .vol file type):

#Right click the concerned file (e.g. ADAGENCY.vol) > Open with > Choose another app > More apps
#Select "Always use this app to open XXXX files"
#Click "Look for another app on this PC"
#Locate and select the concerned file (ADAGENCY.vol in this example). An error should appear "This app can't be run on your PC". Click OK.

==Fixing a 'Could not start' error on Scheduled Tasks in Windows Server 2000 SP4==

This error occurs because of a change that is made to the data that is stored in the credentials database when you install Windows 2000 SP4. Hence installing SP4 causes the the data that is stored in the credentials database to get converted to an SP4-compatible format. A registry key is configured to indicate that the data has been converted to the SP4 format.

Hence the Scheduled Tasks do not work sometimes. However the Scheduled Tasks works fine sometimes, but when you uninstall SP4, it does not work.

The best solution is to:

#Incase Scheduled Tasks do not work after installing SP4, then uninstall SP4 and it should be fine.
#Incase Scheduled Tasks works after installing SP4, and later after uninstalling SP4, it does not work, then install SP4 and it should be fine.

==Checking for server or NEOSYS crashes==

#NEOSYS Maintenance Mode
#General Menu, Setup, Processes
#Select the dates and the option Detailed

This report shows a list of dates and times that NEOSYS logged in but did not log out properly.

Ignore the very latest entries since they represent the current NEOSYS processes. For example, if you have four NEOSYS processes running at the time that you get the report (including any in maintenance mode) then you can ignore the last four entries.

The date and time shows for each process that has failed to shutdown correctly when the process logged in. Versions of NEOSYS from January 2008 will also show the date and time that each crashed NEOSYS process was last active (heartbeat) so that the time of failure can be known.

If you see a bunch of NEOSYS processes all started up at around the same time but all failed to shutdown correctly then the cause will be a server failure - usually power failure.

Isolated one-off failures will be related to individual NEOSYS process crashes - most commonly caused by one of the following:

#NEOSYS hanging to due to software failure
#Manually exiting a NEOSYS process on the server either by pressing Ctrl+Alt+Del or clicking the "X" close icon/box and ignoring the warning
#Random server failures eg memory, disk etc

Example:

LOGIN 22/12/2007 06:02 NEOSYS SERVER ADAGENCY Current workstation
LOGIN 23/12/2007 06:00 NEOSYS SERVER ADAGENCY Current workstation
LOGIN 23/12/2007 06:01 NEOSYS SERVER ADAGENCY Current workstation
LOGIN 23/12/2007 06:02 NEOSYS SERVER ADAGENCY Current workstation
LOGIN 23/12/2007 08:52 NEOSYS SERVER ADAGENCY Current workstation
LOGIN 23/12/2007 08:52 NEOSYS SERVER ADAGENCY Current workstation
LOGIN 23/12/2007 08:53 NEOSYS SERVER ADAGENCY Current workstation
LOGIN 8/1/2008 06:00 NEOSYS SERVER ADAGENCY Current workstation
LOGIN 8/1/2008 06:01 NEOSYS SERVER ADAGENCY Current workstation
LOGIN 8/1/2008 06:02 NEOSYS SERVER ADAGENCY Current workstation
LOGIN 8/1/2008 13:51 NEOSYS SERVER NEOSYS Current user session

Interpretation:

The first four entries indicate that all four NEOSYS processes started at 06am were suddenly killed probably by power failure

The next four entries indicate that NEOSYS was restarted at around 08:52 and all these processes were AGAIN killed probably by power failure

The last four entries can be ignored because there were four NEOSYS processes running at the time that the report was generated

==Searching for word/number in the database files using maintenance mode==

You can search for any word/number in the database files of NEOSYS, using the following command line:

F5
FIND FILENAME WORDWITHOUTANYSPACES

For eg:
FIND CURRENCIES 1.1
(here you are searching for the number 1.1 in the currencies file) You CANNOT search for a phrase ie include spaces like this.

Or you can also type:
FIND FILENAME <enter>
and it will ask you what you want do to search. You can enter an exact phrase with spaces.

Incase you do not know the filenames, you can enter the following command to see all the filenames in the system:

F5
LF

==Troubleshooting a Service Unavailable message on Internet Explorer when opening up NEOSYS==

===Error Message===

The following error message appears in Internet Explorer when you try to open up NEOSYS:

Service Unavailable

===Solution===

Open the IIS Manager, right click Web Sites and select properties:
[[Image:serviceunavailable1.jpg]]

Switch to the Service Tab and tick the "Run WWW Service in IIS 5.0 Isolation Mode".
[[Image:serviceunavailable2.jpg]]

You will be asked for Restart of IIS. Click yes to restart IIS. If you are not asked just restart IIS.

==Inspecting IIS log files==

At a windows command prompt:

c:
cd \Windows\system32\LogFiles\W3SVC1

or

%SystemDrive%
cd %SystemRoot%
cd system32\LogFiles\W3SVC1

then (substituting the ip number you are interested in)

find "192.168.1.55" *|sort>temp.log

Open temp.log in Excel and use Tools, Data, Text to Columns to split into columns using options "Delimited" and check split on Space.

Autowidth all columns by clicking on the top left box just outside the data to the left of column A and above column 1 then double click the column separator to the right of column "A"

Note that times and dates are in UTC/GMT so you have to add/subtract your timezone offset to get local times.

==Inspecting Database LOGS Folder==
NEOSYS log files e.g. 15123103.xml are created by the database processes and contain user requests to the NEOSYS database. Each XML file represents commands executed by each NEOSYS process.

If the database is not available according to the website then no entry will appear in that log. (The request will appear in the IIS website log but that log is nothing to do with database processes)

It is often quicker and easier to do a preliminary search for database requests using the Request Log in NEOSYS UI, although more specific details such as Session No, Host IP, Filename and DataOut/In are only available in the XML logs.

Find log files in neosys/LOGS. The file naming format is yymmdd(log created by process No.) E.g 18060402 = 4th of July 2018 process02.

Use simple text editor to view the log files.

Details found in XML log files: 
Message: Date, Time, User, Filename, WorkstationIP, HostIP, HTTP and Session. 
Request: Req1, Req2, Req.. 
Response: ProcessingSecs 
DataOut/DataIn:

===Understanding Log Entries===
Inspecting and searching through Logs file allows NEOSYS staff to answer clients queries like "Who deleted schedule XXXX" etc.

To read and understand the log file with more ease, copy the portion of the log file required to be analysed into another text editor.

While going through the log file you may come across a request "EXECUTE GENERAL GETTASKS NOT", this request is concerned with getting a list of tasks that the user is *not* allowed to do.

To read and understand the log file with more ease, copy the portion of the log file required to be analysed into another text editor.

The text that appears as %FE, %FC, %FD, etc. are basically separators. Replace %FE, %FD, %FC, etc. with a separator like "--".

Once replacing all these characters is done, the log file will be more easily readable and vital information will be clearer.

In the log file, you may find numbers like 17290, 17195, etc. These numbers denote dates selected or entered by the NEOSYS user. These are basically the number of days from 31st December 1967 till the date chosen by the user. For example, to convert 17290 to actual date, 31/12/1967 + 17290 = 3/5/2015. So the actual date is 3rd May 2015.

To convert these numbers to dates using maintenance mode, refer to the article [http://techwiki.neosys.com/index.php/Troubleshooting_NEOSYS_Generally#Finding_out_when_and_by_whom_a_record_was_deleted Finding out when and by whom a record was deleted]

[[image:NEOSYS Logs.jpg]]

==Fixing NEOSYS processes that do not auto start / Recovering from incorrect advanced date or time==
This solution is applicable to live database processes only. Test database processes don’t auto-start any other processes.

===Problem explained===
After starting up the 1st process, the rest of the processes don't start up.

===Solution===

The possible cause for this could be that the system date/time might have been changed - either manually or by the auto synchronization. Do the following checks in the sequence of order:

#Check for any *.$* files (* after dollar sign should show a number, the highest being the latest one). If it shows OK, then proceed ahead.
#Check for any .end files and delete it to rename to .end.temp
#Check the System Event Viewer log for any 520 or 577 error message (refer http://128.175.24.251/forensics/timechange.htm). Also check for any out of sequence / ahead of today date or time.
#In case of no 520 or 577 error message, go to Administrative Tools > Local Security Policy > Local Policies > Audit Policy > Audit Privilege use - make sure that Success and Failure are selected under this (this will ensure that future changes to the date/time are recorded in the System Log).
#In NEOSYS maintenance mode - F5 ED PROCESSES %UPDATE% - and see what it says, incase of any text (only text, not numbers) there, that means that for sure the system date has been changed. To fix this, exit the editor by pressing the ESCAPE key and then type DELETE PROCESSES "%UPDATE%"

==Fixing starting issues with NEOSYS processes or Maintenance Mode==

===Fixing "UNABLE TO OPEN BOOT MEDIA MAP" error===

Opening NEOSYS process or maintenance mode just opens and closes the window instantly.

Running ADAGENCY.BAT from a windows CMD shows an error message

Unable to open boot media map.

Cause:

AREV.EXE is unable to access the REVMEDIA.LK file.

Possibly due to windows permissions problems. For example after using CYGWIN RSYNC without the --no-perms option.

Solution:

If cygwin rsync has screwed up the permissions you can reset the permissions for all files on the D: disk

D: disk properties, security tab, Advanced button

#Owner: change to administrator
#Check "Replace owner on subcontainers and objects"
#Check "Replace all child object permission entries with ... "
#Apply and confirm all questions
#Repeat and change BACK to Owner: SYSTEM

[[Image:Unableopenbootmediamap.png]]

===Fixing issue where NEOSYS processes do not start-up at all or start-up and close immediately===

Fixing issue where NEOSYS processes do not start-up at all or start-up and close immediately.

#Check if a file with the name global.end exists in the root directory of the NEOSYS installation. Eg D:\global.end . If you find such a file, rename it to global.end.temp - for more information on global.end and what it does, refer to [[Administering_NEOSYS_Server#Closing_NEOSYS_Services|Closing NEOSYS Services]]
#If the above didn't fix the problem and NEOSYS still does not start, do a windows search for the entire NEOSYS folder for *.end (i.e. any file ending with .end extension). You may find a (databasecode).end file in D:\neosys\neosys folder which is created by the NEOSYS program during backup at 1 am and later on removed automatically. In this case NEOSYS program might have crashed during the backup and left this file behind. (databasecode).end files prevent other other NEOSYS processes starting up on the database while exclusive processes (like backup) are being done.

Or try: Delete the read-only file REVBOOT file (under d:/neosys/neosys folder). REVBOOT file is recreated when you start maintenance mode.

In case the above didn't fix the problem then escalate to the programmer immediately.

==Recognising and Solving Low Memory Problems==

Quick Note: Installing a server class operating system on a workstation class computer with the intention of NEOSYS serving a heavy load is likely to cause problems with low memory.

Quick Fix: Disable *ALL* non-essential features in the power-on setup menu.

===Effects===

It is speculated but not proven that low memory may cause NEOSYS to fail by hanging, causing damaged files etc.

===Checking===

F5
MEMORY

On server class machines it should say somewhere around 350Kb to 370Kb Free

Some server class machines have around 330Kb and sometimes even less with no reported problems

The actual effect of low memory is supposed to make NEOSYS slower and perhaps cause hanging and damaged files however this has not been proven in an specific case so far.

On workstation class machines it may often say around 280Kb to 300Kb.

===Cause===

Although there is plenty of real memory in virtually all computers now, NEOSYS runs in the legacy 16 bit virtual memory space of a windows mode called NTVDM. This is limited to 1Mb plus 4Mb of EMS memory.

The 1Mb memory space is shared with:

#Various non-essential windows drivers which NEOSYS automatically disables them in autoexec.nt
#Various plug and play hardware device drivers for the various adapters in the computer like video, network adapters and various other items that NEOSYS is unable to disable.

In a server class computer the hardware device drivers are usually minimally present in the 1Mb base memory and do not therefore DOESNT a low memory situation for NEOSYS.

In workstation class computers there are often many hardware device drivers present in the 1Mb base memory and this DOES causes a low memory situation for NEOSYS.

When NEOSYS is installed on workstation class computers with XP there is usually not a heavy load expectation and therefore the low memory does not cause a problem.

If Windows Server OS is installed on a workstation class computer NEOSYS may well be expected to serve a heavy load with limited amounts of memory.

Workstation class computers: hardware drivers present and EMS is installed in low memory (0000-9FFF) causing low memory for NEOSYS and possible inability to

Server class computers: Usually few hardware drivers are present in high part (A000-FFFF) of the 1Mb base memory and EMS is able to occupy the high memory leaving the low part (0000-9FFFF) of the 1Mb memory free for NEOSYS. You can find out how much memory is available to NEOSYS and whether EMS is occuping high or low memory using the following sections.

===Fixing Low Memory===

Start, Run, notepad c:\windows\system32\autoexec.nt

Every time NEOSYS starts it tries to make some changes as follow:

#replaces all lines in C:/WINDOWS/SYSTEM32/AUTOEXEC.NT starting with 'lh ' to start with 'rem NEOSYS LH ' instead.
#changes the line in C:/WINDOWS/SYSTEM32/CONFIG.NT "files=..." to "FILES=200"

The replacement is case sensitive triggered on 'lh' and 'files' so if you manually edit the files and remove the rem or change the number of files and leave the LH and FILES in uppercase then NEOSYS will NOT make further changes. This allows you to do manual amendments to the files without NEOSYS overwriting them.

Check that NEOSYS has successfully disabled all the drivers in the lines starting with LH.

They should be commented out (prefixed) with REM or REM NEOSYS as follows.

After making changes reopen NEOSYS in maintenance mode to use the MEMORY and WHO commands again.

<pre>
REM Install CD ROM extensions
REM NEOSYS LH %SystemRoot%\system32\mscdexnt.exe

REM Install network redirector (load before dosx.exe)
REM NEOSYS LH %SystemRoot%\system32\redir

REM Install DPMI support
REM NEOSYS LH %SYSTEMROOT%\SYSTEM32\DOSX
</pre>

Low Memory Issues in Windows 2003 server can be fixed using instructions mentioned at [http://techwiki.neosys.com/index.php/Troubleshooting_NEOSYS_Generally#Enabling_EMS_memory_on_Window_2003 Fixing Low Memory in Windows 2003 Server]

===Allowing DOS programs that require DOSX to run on the same computer as NEOSYS===

The automatic commenting out DOSX by NEOSYS will prevent some other DOS-like programs from running. If NEOSYS is on dedicated server then there should be no other such programs to fail. However, if you must allow DOS-like programs to work as well as NEOSYS you can do the following configuration:

#leave or restore the original AUTOEXEC.NT and CONFIG.NT files where they are
#copy them to another folder eg neosys folder
#make the necessary REM changes there by hand
#right click the NEOSYS\NEOSYS\AREV.PIF and select properties
#change the location of the AUTOEXEC.NT and CONFIG.NT files in the following location

[[image:pifsettings.jpg]]

===Checking EMS Memory Configuration===

====Inspection====

F5
WHO

press the up arrow to get to the last part/page

=====Example of Typical Server EMS Memory=====
[[image:serveremm.jpg]]

=====Example of Typical Workstation EMS Memory=====
[[image:workstationemm.jpg]]

====Correction====

No easy way

Removal of hardware adapters designed for workstations instead of servers eg graphics cards and network cards.

Many of the devices may be located on the motherboard and not relocatable except possibly by BIOS configuration or special manufacturer information.

Use windows device manager, View: Resources by Connection, Open the Memory item and look for items between 000A0000 up to 000FFFFF that might give you a clue as to what hardware could be removed or reconfigured. Actually only 000C0000 to 000FFFFF is candidate for EMS memory since 000A000-000BFFFF is mandatory video memory in all systems.

[[image:devicemanager.jpg]]

==Fixing issue where NEOSYS processes do not start-up at all or start-up and close immediately==

#Find if a file with the name global.end exists in the root directory of the NEOSYS installation. Eg D:\global.end . If you find such a file, rename it to global.end.temp - for more information on global.end and what it does refer to [[Administering_NEOSYS_Server#Closing_NEOSYS_Services|Closing NEOSYS Services]]
#If the above didn't fix the problem and NEOSYS still does not start, do a windows search for the entire NEOSYS folder for *.end (i.e. any file ending with .end extension). You may find a (databasecode).end file in D:\neosys\neosys folder which is created by the NEOSYS program during backup at 1 am and later on removed automatically. In this case NEOSYS program might have crashed during the backup and left this file behind. (databasecode).end files prevent other other NEOSYS processes starting up on the database while exclusive processes (like backup) are being done.

In case the above didn't fix the problem then escalate to the programmer immediately.

===Solving "Control Record" error in maintenance mode===

If processes dont start after you log into maintenance mode and you get an error message
<pre>
╔════[FS152]═══════════════════════════════════════╗
║ The control record "RECORDS" ║
║ is too long to be saved. ║
║ The current record length is 65539 characters. ║
║ ║
║ < Press any key > ║
╚══════════════════════════════════════════════════╝
</pre>
[[File:Record1.jpg]]

'''1'''. Press space to get rid of the error message and you should then get this menu

[[File:Record2.jpg]]

'''2'''. Press F5 and run this command (case sensitive)

DICT DEFINITIONS

or Press Alt+S and run this command (case sensitive)

EXECUTE DICT DEFINITIONS

[[File:Record3.jpg]]

'''3'''. Press Shift+F3 to get the following message
<pre>
╔══[B202]══════════════════════════════════╗
║ "DEFINITIONS" has ║
║ "QUICKDEX" installed ║
║ ║
║ Do you want to remove "QUICKDEX"? [Y/N] ║
║ ║
║ <Y >║
╚══════════════════════════════════════════╝
</pre>

Do you want to remove "QUICKDEX"? [Y/N]

'''4'''. Press Enter to choose Yes.

[[File:Record4.jpg]]

'''5.'''Restart NEOSYS to see if the problem has been solved

==Solving “page not found” or "HTTP Error 404.3 - Not Found" when downloading some file types after uploading them successfully==

A user gets this error message when trying to download a file that has been uploaded into NEOSYS.

Windows web server will not download file types that it is unaware of. You can enable the download of new file types.

===Adding Mime Types in Windows Sever 2003===

====One by One====

Follow below steps to enable the download of new file types one by one.

This process is tedious and error-prone if you have to add many types.

#Computer Management
#Services and Applications
#IIS properties
#Mime Types
#Add

The added Mime type will not take effect unless IIS is restarted. This should be done only when users are offline because restarting IIS kills login sessions and therefore forces users to login again.

Open command prompt and enter the following command
iisreset

====Many====

Window Server 2003 is unaware of all the Office 2007+ file types. To add all Office 2007+ file types at once do the following:

Stop IIS

iisreset /stop

Open the list of mime types

*Start, Run, notepad C:\WINDOWS\system32\inetsrv\MetaBase.xml

Search the file for “xlsx” and quit the editor if already inserted.

Otherwise, find the following line,

.xml,text/xml

and insert after that line the following lines. They do not need to be indented.

<pre>
.docm,application/vnd.ms-word.document.macroEnabled.12
.docx,application/vnd.openxmlformats-officedocument.wordprocessingml.document
.dotm,application/vnd.ms-word.template.macroEnabled.12
.dotx,application/vnd.openxmlformats-officedocument.wordprocessingml.template
.potm,application/vnd.ms-powerpoint.template.macroEnabled.12
.potx,application/vnd.openxmlformats-officedocument.presentationml.template
.ppam,application/vnd.ms-powerpoint.addin.macroEnabled.12
.ppsm,application/vnd.ms-powerpoint.slideshow.macroEnabled.12
.ppsx,application/vnd.openxmlformats-officedocument.presentationml.slideshow
.pptm,application/vnd.ms-powerpoint.presentation.macroEnabled.12
.pptx,application/vnd.openxmlformats-officedocument.presentationml.presentation
.xlam,application/vnd.ms-excel.addin.macroEnabled.12
.xlsb,application/vnd.ms-excel.sheet.binary.macroEnabled.12
.xlsm,application/vnd.ms-excel.sheet.macroEnabled.12
.xlsx,application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
.xltm,application/vnd.ms-excel.template.macroEnabled.12
.xltx,application/vnd.openxmlformats-officedocument.spreadsheetml.template
</pre>

Save the file with File and Exit

Restart IIS

===Adding Mime Types in Windows Server 2008===

"The page you are requesting cannot be served because of the extension configuration. If the page is a script, add a handler. If the file should be downloaded, add a MIME map."

[[file:mime2008.jpg]]

This message shows when a user attempts to download a file that has been uploaded into NEOSYS and the file extension is not configured in IIS server Mime Maps.

The user may also get the below error message:

"The resource you are looking for has been removed, had its name changed, or is temporarily unavailable."

[[file:mimetype.jpg]]

Solution:

Add mime mappings in IIS. Use the GUI or the servers command line.
The exact solution depends on the file type. Example for .msg files:

C:\windows\System32\inetsrv\appcmd set config /section:staticContent /+"[fileExtension='.msg',mimeType='application/vnd.ms-outlook']"

The bit that varies in the above example is:

*.msg

*application/vnd.ms-outlook

Other mime types can be found on the web eg https://www.thoughtco.com/file-extensions-and-mime-types-3469109

Getting the 2nd part right enables the user to have the downloaded file open automatically in the right application for the file extension, but only if they have the right application installed.

==Handling Neosys Automatic Upgrade Error Messages==

===Error Message===
We will receive an email from the NEOSYS client installation with the following message:

'''"UPGRADEN.EXE" does not have expected exe MZ signature'''

===Solution===
This message is a note that the NEOSYS automatic update procedure failed to download an upgrade file correctly.
This happens sometimes due to network issues but can be ignored because the file will be probably be correctly downloaded on the next automatic update check.

'''Note:''' This message is only informative to help with any problem with the automatic upgrade procedure and may be removed in a later version of neosys (currently Oct 2012)

==Handling Duplicate Login Error E-mails==

===Explanation===
When a user starts a new session on NEOSYS, any existing session is lost. If a user then tries to go back and work on the old session, they will receive a Duplicate Login Error email.

This is because any user can have only one active session to work on. For example, if a user account is logged into NEOSYS from two different browsers or two different workstations at the same time, the user will receive this error e-mail.

===Error E-mail===
[[File:dup-login.png]]

===Solution===
To avoid the Duplicate Login error e-mail, you must always logout from your active NEOSYS session before starting a new session elsewhere.

==Testing https connection==

The following procedure tests that the https server is operational and not blocked by firewall etc. It does not detect certificate errors.

From a windows command prompt use the following telnet command:
<pre>
telnet clientname.hosts.neosys.com 4430
</pre>

#4430 is the usual NEOSYS http port but replace it by whatever port is actually used for NEOSYS https on the system being tested. If there are multiple https installations on a particular server then different ports are probably used
#Replace clientname.hosts.neosys.com with the normal https login domain name of the client for whom we want to check the https service

Normal behavior is that it should open a black screen. Pressing Enter or any key returns the _ character. (Close the window using the [X] since there is no keyboard command to do so)

Hanging means that there is some connectivity issue (firewall/ip/server not running/https not installed etc)

==Troubleshooting "page not found" error while using https==

'''Problem:'''

#The https service stops working and gives "Page not found" error.
#The https connection tests fine using telnet (see article above)

'''Solution:'''

#Reinstall https using the usual procedure (currently using selfssl)
#Email clients, requesting to reinstall the new security certificate by following the instructions for [http://userwiki.neosys.com/index.php/Setting_up_and_Configuring_NEOSYS_Generally#Fixing_HTTPS_certificate_error_when_logging_in_from_an_external_link_using_IE8.2C_IE9_and_IE10 Internet Explorer] or [http://userwiki.neosys.com/index.php/Configuring_Safari_for_MAC_OS#Fixing_HTTPS_certificate_error_when_logging_in_using_an_external_link_using_MAC_Operating_System Safari] browser.

==Installing "QUICKDEX" on some files==
"Quickdex" is a type of index that keeps an alphabetical order on small files. In some maintenance procedures you may be asked to "install Quickdex".

For example to add a quickdex to the UNITS file.

Maintenance mode press F5

DICT UNITS

<pre>
г=================Dictionary=================┐
│ │
│ File name UNITS │
│ Field name ......................... │
│ │
│ Dict type │
│ Single/Multi │
│ Data type │
│ Output format │
│ Validation patterns │
│ │
│ Position Key part │
│ │
│ Column heading │
│ │
│ │
│ Justification Display length │
│ Description │
│ │
│ │
L============================================-
</pre>

Press Shift+F3.

If it says "Do you want to remove ..." then Quickdex has already been installed and you should not continue. Press Esc to cancel, then Esc to quit.

<pre>
г=[B202]==================================┐
│ │
│ "UNITS" has │
│ "QUICKDEX" installed. │
│ │
│ Do you want to remove "QUICKDEX"? [Y/N] │
│ │
│<Y >│
L=========================================-
</pre>

Otherwise it should say "Do you want to install ...". Press Enter to accept.

<pre>
г=[W963]============================┐
│ │
│ Do you want to install a │
│ Quickdex or Rightdex index? [Q/R] │
│ │
│<Q >│
L===================================-
</pre>

It should then say "Do you want to update ...". Press Enter to accept.

<pre>
г=[W901]========================================┐
│ │
│ The "UNITS" file has had │
│ the "QUICKDEX" modifying filing system added. │
│ There are 0 records in "UNITS". │
│ │
│ Do you want to update "QUICKDEX"? [Y/N] │
│ │
│<Y >│
L===============================================-
</pre>

Afterwards it should return to the initial screen. Press Esc to quit.

==Solving NEOSYS smtp server failure==
In case the neosys smtp server fails then we can just use the client's smtp server.

The following information is required from the client's smtp server configuration:

#hostname
#username
#password
#port no. (most likely = 25)

These details should be entered in the '''System Configuration File''':

[[image:SYSCFGFILE-SMTP.jpg]]

==Strange characters in maintenance mode==
While in Maintenance mode, pressing keys on keyboard gives strange characters. Even Enter and Esc don’t work.

This problem has been seen using RDP on:

*Window Server 2003 Web Edition
*Windows Server 2003 R2 SP2

[[image:strangecharmaint.jpg]]

Solution:

#Go to Windows -> control panel
#Go to Regional and Language Options
#Click on Languages tab then click on Details [[image:lang1.jpg]] 
#Click on Settings Tab and Change default input language to English (United States) (or perhaps something else depending on rdp keyboard) [[image:lang2.jpg]] 

==NEOSYS processes do not start after Windows Update==

===Problem===
Scheduled Task to start the NEOSYS processes fail on Servers with Windows 2008 after Windows update. Support will have to log into the server to start the processes manually
Message on the Schedule Task displays " The operation being requested was not performed because the user has not logged on to the network. The specified service does not exit ".

[[image:sti.jpg]]

===Solution===

For clients who cannot tolerate manual intervention after server reboots for any reason (e.g.need to start work before NEOSYS support is available or on NEOSYS support weekends), tick "highest privileges" and "run whether the user is logged in or not". This approach means that NEOSYS processes which are started by the windows scheduled task are not visible on the desktop and run hidden in the background and only listed in task manager, so avoid this approach on small clients (only few users). Avoiding this approach will also serve to act as an indicator of server restarts.

==Troubleshooting NEOSYS remote support port forwarding==
This assumes that you have already “port forwarded” tcp port 19580 from your public internet router to the NEOSYS server.

===Tst 0 - Check if SSH is working on the NEOSYS Server===
Type in the following command in command prompt:
telnet 127.0.0.1 19580

IF ALL OK you will see the following:

[[image:tr-pf-03.jpg]]

===Test 1 - Check if SSH is basically working on NEOSYS server over the LAN===
You must know and use the NEOSYS SERVER LAN IP to do this.

telnet ???.???.???.??? 19580

[[image:tr-pf-01.jpg]]

If you have the WRONG SERVER LAN IP or NEOSYS server SSH is NOT working then it will hang for about 15 seconds and then say “Could not open connection to host …”

[[image:tr-pf-02.jpg]]

OR IF ALL OK you will see the following:

[[image:tr-pf-03.jpg]]

Press Enter to Exit

[[image:tr-pf-04.jpg]]

===Test 2 - Check if can connect to the NEOSYS ssh from OUTSIDE the office===
From any internet connected computer OUTSIDE the office test if you can connect to NEOSYS ssh service. You cannot do this test from inside the office.

You need to know the public ip or domain name of the router. If the router IP is dynamic then NEOSYS sets up dynamic name server so instead of a static ip number you will have a domain name something like clientxyz.redirectme.net.

Enter the command .. using YOUR public internet IP number (NOT the LAN ip number) or the dynamic domain name.

[[image:tr-pf-05.jpg]]

If everything is working OK you will get a black screen as follows. You will NOT get the “SSH-2.0-OpenSSH-4.7” banner” because NEOSYS ssh remote support is restricted to connect ONLY from LAN ip nos and NEOSYS office ip nos.

[[image:tr-pf-06.jpg]]

If you press Enter a few times then the cursor will just go down. You have click the [X] to close the window.

[[image:tr-pf-07.jpg]]

===Test 3 - Check that the ssh connection from step 2 was rejected===
On the NEOSYS server, check the Windows Application log to verify that an SSH connection was rejected.

The rejected ip number will be of the system outside the office that you performed the test from.

[[image:tr-pf-08.jpg]]

===Sample Email: Solving port 19580 port forwarding issues===

Some IT people know how to troubleshoot port forwarding issues but others are mostly just power users who can configure a home router. If the IT person is in the second category then it is quicker for NEOSYS support to offer to configure their router from the NEOSYS server using Teamviewer. Ideally NEOSYS should not be doing client IT work but if client IT allows NEOSYS access to their router then NEOSYS support can make a brief attempt to do the configuration. If the issue is still unresolved then request the client to get a professional IT network expert to do the job and inform them that NEOSYS will not be able to provide them any support till connectivity is fixed. Below is a letter advising a more skilled person to check connections using telnet which is a low level test.

You can usually determine the NEOSYS server LAN IP number from Nagios. If so then adjust the email text appropriately.
<pre>
Dear XYZ,

It is highly critical to fix the connectivity with the NEOSYS server because NEOSYS will not be able to provide any support until connectivity is fixed. User support issues will be delayed and remain unresolved if you do not fix this issue URGENTLY.

At the moment there is no connection from the internet via your router to the NEOSYS server and when we do the following, we get no connection.

telnet CLIENTNAME.hosts.neosys.com 19580

Normally it should connect and presents a black screen (saying SSH something after pressing Enter) which we close.

Please check that you can connect to the NEOSYS server internally by using the NEOSYS server IP address in the following command on any computer in your LAN.

telnet 192.168.?.? 19580

If you can connect to the NEOSYS server internally then please check port forwarding.

Additionally check the following:
1. Has your router IP changed? The IP we have is x.x.x.x
2. Has your server’s LAN IP changed and are you forwarding to the correct LAN IP?
3. Is the configuration really correct?
4. Check router logs for clues
5. Check NAT settings in the router

If you still cannot see the problem, do "telnet CLIENTNAME.hosts.neosys.com 19580" command from OUTSIDE your network to replicate the problem we are facing.

For troubleshooting steps refer Troubleshooting NEOSYS remote support
http://techwiki.neosys.com/index.php/Troubleshooting_NEOSYS_Generally#Troubleshooting_NEOSYS_remote_support_port_forwarding

If the problem still persists, please get a professional IT network expert to fix the issue.

Best Regards,

</pre>

===Port mapping restricted by Source IP===

On NEOSYS router, port forwarding has been setup only for specific source IP addresses. This means you will not be able to establish a TCP connection to NEOSYS server unless your server's outbound IP is mapped to the NEOSYS router. In other words unless the outbound i.e source IP/port of your server has been granted access on the NEOSYS router for all incoming connections you will not be able to make connections to NEOSYS server.

Outbound IP is used whenever a server tries to make a connection to another server outside its network. On the other hand a server receives all incoming connections using it's Inbound IP.

Therefore to setup ssh connection from a new Client server to NEOSYS server we need to grant access to its outbound IP on the NEOSYS router. See [[Troubleshooting_NEOSYS_Generally#If_Telnet_does_not_work | link]] to find the outbound server IP/ports of the server.

==Solving “Cant login … INVALID DATA PATH … permission denied”==
===Error Message===

[[image:error-invalid-data-path-1.jpg]]

'''Error Text:'''

Cannot login because:
ERROR: INVALID DATA PATH
“D:\HOSTS\HOSTNAME\DATA\HOSTNAME\~8746345.1$” Permission Denied

===Problem Explained===
When installing NEOSYS on an existing “non-clean” Windows installation, the standard NEOSYS installation procedure can result in failure to login if the standard windows folder permissions have been modified.

===Solution===
The solution is to grant IIS permission to write in the \neosys\DATA folder and subfolders as follows:

#First add the IUSR_XXXXXXX user to the list of users. (XXXXXXXX is the server name and therefore varies per server) as follows:
#*Right Click on DATA Folder and click on Properties
#*Click on Security Tab -> Add -> Advanced
#*Click on Find Now, Select the IUSR_XXXXXXX user and Click on OK [[image:error-invalid-data-path-2.jpg]] [[image:error-invalid-data-path-3.jpg]] 
#Second, for the newly added IUSR (IIS user) change the permissions as follows:
#*'''REMOVE''' the read and execute permission (for security, IIS should be unable to execute things that it might have uploaded)
#*'''ADD''' the write permission [[image:error-invalid-data-path-4.jpg]] 
#Login should now be possible.

==NEOSYS process window displays message "Upgrade Downloading"==

[[image:upgradedownloading.jpg]]

===Problem Explained===
NEOSYS thinks it sees an new neosys2.exe upgrade file on the location http://www.neosys.com/support/neosys2.exe which is accessed by http so attempts to download it.

Http proxies and various internet issues can cause incorrect info to be sent and there is actually no upgrade available. In this case, eventually it realizes that it cant find an appropriate and it stops.

You don’t have to worry about this case.

==Enabling EMS memory on Window 2003==

Normally EMS memory is provided by Windows 2003 but this can vary depending on the server hardware/bios configuration

If you get the following messages on Windows 2003

#Backup File Size is 0
#RTP27. [B28] Not enough String Space – Out of Memory

===Cause===

On servers that had no problem previously, the problem is caused by a windows update in Oct 2012 that disables standard Windows EMS memory.

The patch is issued by Microsoft on 9 Oct 2012 but the installation date in the server depends on when the update was actually installed.

http://support.microsoft.com/kb/2724197

===Solution 1 - maximum performance===

To re-enable standard windows EMS on older slower servers or servers where NEOSYS performance must be maximized.

The following link contains instructions how to remove the offending windows update

It also shows how to prevent it being reinstalled automatically by Windows.

http://www.columbia.edu/~em36/wpdos/emsxp.html

Don't forget to prevent it being reinstalled again automatically

===Solution 2 – ease of installation===

This option can also be used if Window 2003 is unable to provide EMS memory for example when the server hardware/bios configuration prevents it.

Install EMSMAGIC in the same way as for Windows server 2008

EMSMAGIC has higher memory consumption and makes NEOSYS processes slower so it is better to use Solution 1 above if NEOSYS performance is an issue.

==Fixing no output file in XXX YYY Issue==

===Error Message===

[[File:Nooutputfile.jpg]]

===Problem Explained===

The message “No output file in XXX YYY” can appear at several instances in NEOSYS, most often when generating reports or documents.

This problem is usually caused by software error and it indicates that the NEOSYS server responded without any output and without any message.

===Solution===

*Find proof to check if the data required for the report actually exists. This way we can eliminate lack of data as a cause for this error.
*Check to see if a similar issue has been fixed in latest version of NEOSYS.
*Document HOW and WHERE the problem can be duplicated by NEOSYS programmers to identify and correct the software.

==Fixing "Units file is missing" error==

[[Image:unitsfile.png]]

===Solution===

As the message mentions, the 'Units' file is missing. This error can be fixed by copying the file from any other installation, since the Units file is the same in all installations.

The Units file is found in the 'General' folder. Path : neosys/NEOSYS/DATA/DATABASE/GENERAL/

==Troubleshooting Internet Connections==

===Cannot Connect===

While investigating as to why users are not able to access NEOSYS or http://www.neosys.com/ , you can check which ISP the connection issue is on.

<pre>whois ipno</pre>

Inspect very carefully to get clues as to which ISP and which AREA of the ISP the problematic ip numbers are and which do NOT have problems

Doing tracert on windows command prompt on the user's computer may help locate which point on the route between the user and the server is blocking access

tracert xxxx.hosts.neosys.com

where "xxxx" is the client name. In this example, the output will be something like shown below:

<pre>Tracing route to xxxx.hosts.neosys.com [37.48.81.101]
over a maximum of 30 hops:

1 2 ms 1 ms 3 ms ukr.sb.com [192.168.2.1]
2 10 ms 10 ms 11 ms losubs.subs.bng2.th-lon.zen.net.uk [62.3.80.21]
3 12 ms 10 ms 67 ms ae1-182.cr1.th-lon.zen.net.uk [62.3.86.80]
4 10 ms 11 ms 11 ms ae0-0.br2.th-lon.zen.net.uk [62.3.80.42]
5 13 ms 14 ms 14 ms peering.thn.lon.leaseweb.net [195.66.225.56]
6 23 ms 23 ms 24 ms te-0-10-0-19.bb01.ams-01.leaseweb.net [31.31.32.71]
7 22 ms 22 ms 23 ms xe-11-2-3.br01.ams-01.nl.leaseweb.net [31.31.38.89]
8 25 ms 28 ms 26 ms be-10.cr02.ams-01.nl.leaseweb.net [81.17.34.21]
9 24 ms 20 ms 25 ms po-1002.ce02.ams-01.nl.leaseweb.net [37.48.95.195]
10 24 ms 22 ms 22 ms nl10r.neosys.com [37.48.81.101]</pre>

===Troubleshooting TCP/IP Connections===

====Telnet check====
telnet <hostname> 19580

If success then host is on web and port is open.
Otherwise if error: "Connection refused," then either an intermediate firewall is blocking access or the port is closed on host machine.
Action: check with client if office firewall(s) allow connection on that port and if the port is open on the host server.

====If Telnet does not work====
In case telnet does not work, login to the remote host server to investigate the issue. Run the following command simultaneously while doing Telnet from client server to the remote host to check if the TCP packets are reaching the Remote server.
<pre>
tcpdump -v 'src host client-domain-name/ip'
tcpdump -v portno
</pre>

To check if packets are sent from the client server to the remote host, you can run the following command simultaneously while trying to ssh to the remote server.
<pre>netstat -an </pre>

You can also check if the outbound ports are open from which you are trying to establish the TCP connection to the remote server.
<pre>telnet portquiz.net portno </pre>

The outbound IP addresses at times can be different from the public IP of the Client server so be sure that the public IP of the client server is the same as its source IP (which represents an incoming connection from Client to Remote server). One way to find the source IP of the Client server is sending an email from Client server to "support@neosys.com". On receiving the email in Thunderbird, select the email and press Ctrl+u. A new window Opens giving full details of the email received. The third "Received :from" gives the IP of the source.

===Troubleshooting DNS failure===

NEOSYS clients routers are usually configured to use their ISP DNS service and the ISP DNS service is supposed to contact one of NEOSYS's DNS servers to convert server names like hosts.neosys.com into IP numbers. Misconfiguration of clients routers or problems in the ISP DNS server may cause CANNOT CONNECT problems. Often the connect fails quickly and immediately since if a name cannot be converted to an ip number then the connection cannot even be attempted and therefore there is little or no timeout to wait through.

NEOSYS.COM name servers are listed publically and obtained by whois command.

whois neosys.com

Name Server: DNS1.EASYDNS.COM
Name Server: DNS2.EASYDNS.NET
Name Server: DNS3.EASYDNS.ORG
Name Server: NS12.ZONEEDIT.COM
Name Server: NS18.ZONEEDIT.COM

In order to contact NEOSYS DNS servers the ISP's have to use a global DNS to obtain the ip addresses of NEOSYS DNS servers given the host names of NEOSYS DNS servers given in the whois info

Here is an example of DU testing NEOSYS DNS servers. The NEOSYS DNS server ip addresses are listed in the Destination column.

[[File:internet.png]]

If one DNS server is down or unreachable REGARDLESS OF REASON, the ISP is supposed to use the other DNS servers. It is impossible for all NEOSYS DNS servers to be unreachable except in gross disconnection from the internet of the ISP since it is effectively impossible that all NEOSYS DNS servers which are carefully spread around the internet, to be unreachable.

In the above test one of the NEOSYS DNS servers is unreachable but all the others are reachable therefore DU should have no problem providing DNS service to its clients.

ISP are often worse at providing DNS server than the famous GOOGLE DNS servers, so re configuring client router to use GOOGLE DNS servers is a way to prove that the problem lies with the ISP's DNS service

===Additional test for troubleshooting problems with uploading===

====Verifying that upload.dll can run====

This isnt a complete test of everything. It just checks if the upload program can be run by the web server. It doesnt check if uploads work or the image directory is correctly configured with the right permissions and uploads can actually be done.

=====Error Message=====

... to be added when discovered ...

=====Test=====

Test HTTP if accessible by LAN; Test HTTPS is accessible by Internet; Test both if both are available.

On the server type the following into a browser

LAN/HTTP:

http://localhost/neosys/neosys/dll/upload.dll

WAN/HTTPS:

https://localhost:9999/neosys/dll/upload.dll

=====Expected Result=====

<pre>
Upload Error. !
Please call me from a form !!!
The first param must be Filename= name of the uploaded file, TYPE=TEXT
The second param must be Filedata= uploaded file, TYPE=FILE
The third param is optional PathData= path to uploaded file, default c:\temp\, TYPE=HIDDEN
The forth param is optional RedirectPage= name of asp who receive the results, TYPE=HIDDEN
Add others params at the end with INPUT tag.
</pre>

[[image:Uerror.jpg]]

==Patching a NEOSYS program==

Patches done to NEOSYS programs are not affected by live to test database copy, since the programs are on installation level and not database level.

The patch provided will tell you the program name and contain either a whole replacement program text or just some changed lines which you will have to find and edit.

For older versions of NEOSYS, you will need to know the file name which may be provided along with the patch or you can find it using the following code in maintenance mode:

ED VOC programname

ED VOC XYZ tells you what program name is executed and from what file, when you type the command XYZ. Normally the program name is the same as the command.

The file name will normally be BP for agency programs, GBP for general programs or ABP for finance programs.

NEOSYS programs are stored in files just like records of ordinary database files. You can edit either with "ED filename programname" or "TED filename programname". TED is better for editing source code as it opens the the code in a text editor, whereas ED opens the code in the same maintenance window.

To test patches immediately, Support may have to clear cache by pressing CTRL+F5. Refer to [[Configuring_IIS#IIS_web_page_caching|Web Caching]] for more information.

===Installing patch in live database===

In the rare case that the programmer asks Support to install the patch directly on LIVE dataset, start by typing the following command in maintenance mode before commencing:

UTIL

Follow the instructions mentioned in the [[Troubleshooting_NEOSYS_Generally#Installing_patch_in_test_database| next section]], but skip the instruction to TEST the patched program in test dataset.

The instruction to INSTALL the patched program MUST be followed BEFORE testing the patch in live dataset. Otherwise the changes will not get reflected.

===Installing patch in test database===

1. EDIT the program source code.

TED programname

If you have to edit or patch a program that starts with the word DICT. and the remainder of the program name is the same as a real file name e.g DICT.INVOICES, then you cannot omit and must type the actual source file name - in this case, "BP".

Otherwise, if you just type "ED DICT.INVOICES" hoping to edit the DICT.INVOICES program in the BP file, then you will end up editing the dictionary of INVOICES, which is not what you are trying to do. Use the command below to edit such type of programs:

ED BP DICT.INVOICES

If you want to patch line 8, i.e. the source code, of an S type dictionary then you can use TED for easier editing.

TED DICT.filename itemname

Next either cut and paste to modify the whole program or edit the program text according to the patch/instructions provided.

Save and close the program source code.

2. COMPILE it. If you get errors then check your edits are correct and recompile otherwise return the patch to programming.

In newer versions of NEOSYS, versions in and after April 2018, use the below command for compiling.

CO programname

In older versions of NEOSYS, you will have to include the filename.

COMPILE filename programname

3. TEST it. Ensure the patched program now works in TEST database.

4. INSTALL the patched program in the LIVE database.

For newer versions of NEOSYS, versions in and after April 2018, use the below command to copy from test to live.

COPYBP programname

For older versions of NEOSYS, depending on the filename that you patched, one of the following commands will have to be used.

COPYGBP programname
COPYABP programname
COPYBP programname

==Patching NEOSYS dictionaries==

A patch to a dictionary applies immediately when you save it and to all datasets regardless of which dataset you work in.

You need:

#the file name eg INVOICES
#the item name (column name) eg DATETIME_AMENDED
#10 lines of data similar to the example below.
#if the item is an S type dictionary, then either the whole, or only the amended part, of the source code of the dictionary.

ED DICT INVOICES DATETIME_AMENDED

TYPE everything below exactly on the corresponding line numbers except lines 3 and very commonly line 8, as these lines may contain multiple values separated by a superscript 2 (²). Line numbers in the below screen are only for illustrative purpose.

<pre>
╔═══════════════════════════┤DATETIME_AMENDED├═════════════════════════╗
1║S ║
2║ ║
3║DateTime²Amended ║
4║S ║
5║ ║
6║ ║
7║[DATETIME] ║
8║updated=@record<28>²created=@record<31,1>²@ans=''²if created and num(c║..actually this line continues off the screen to the right
9║R ║
10║10 ║
11║ ║
: :
: :
╚══════════════════════════════════════════════════════════════════════╝
</pre>

Press Ctrl+E on lines 3 or 8 in order to enter sub-lines.

The multiple values (on line 3 and 8) separated by a superscript 2 (²) automatically appear when sub-lines are entered.

For line 8, you will need to cut and paste the lines of below program to the Ctrl+E screen:

<pre>
╔═════════════════════════┤Field 8 of DATETIME_AMENDED├════════════════════════╗
║updated=@record<28> ║
║created=@record<31,1> ║
║@ans='' ║
║if created and num(created) and num(updated) then ║
║ createdsecs=field(created,'.',1)*86400+field(created,'.',2) ║
║ updatedsecs=field(updated,'.',1)*86400+field(updated,'.',2) ║
║ if abs(updatedsecs-createdsecs)>120 then ║
║ @ans=updated ║
║ end ║
║ end ║
║ ║
║ ║
╚══════════════════════════════════════════════════════════════════════════════╝
</pre>

After you save and exit the Ctrl+E screen, you will see the sublines separated by superscript 2 appear in one line in the ED screen.

Similarly, for line 3, you need to enter its sub-lines in Ctrl+E screen.

To ensure indenting remains nice (although indenting is not important and can be messed up without causing any problem) then copy the double bars at the front of the lines (if available, otherwise insert some char in position 1 of each line perhaps) and then remove them after you paste ... or just edit until the indenting is correct if you really want to.

Press F9 and/or Esc to save and/or exit from Ctrl+E screen

Press F9 and/or Esc to save and/or exit from ED

==Linux Commands==

This section is aimed teaching support, new to the Linux environment, how to navigate and use the most common useful commands.

Use google or "man <programName>" to get the manual of a program. E.g "man man" gives you the MANual for the Manual program.

"|" use the pipe command to take output of one command and input into another. E.g Cmd: " Echo "ABC" | removeA | removeC ". Output = "B"

Typically commands assume you mean the current directory, if you don't specify which directory you want the command to perform in/on.

Strings with spaces have to be wrapped in double quotation "May 14 01:30:55" before use as input to most commands.

Follow this convention in wiki to understand the syntax (structure) of the Linux commands and options.

Input wrapped in "<...>" is mandatory.

Input wrapped in "[...]" is optional.

===Searching for strings in one or many files using grep===

Using the GUI with Ctrl + F is laborious and less powerful.

Use grep command in Linux or Cygwin to search files especially when you are doing deep inspection of NEOSYS Logs.

Use the following command to search for a string in any file or directory

grep <string> [path to file OR filename] [-r]

Where "string" is the text to be searched and "-r" means recursive - check all files in all sub directories.

grep -i -a string path/file

where "file" is the type of file you are looking for and "path" is the path of the directory you are looking into. Use "" when having spaces in your string.

"-i" means ignore upper/lower case characters in the string and "-a" means treat the file type as text and display the matching text)

e.g when searching in NEOSYS logs the year/month/date is specified in the file name, so if you are looking for a file in year 2016 in the month of Feb, use

grep XXXX path/1602*

In the above command * (asterisk) is a wildcard "means replace * with any thing" and is used when you don't know what that part of the command could be.

E.g "*.jpg" means any file names that end with ".jpg"

Sample below of grep command and its output where it is searching for "Dior" in 2016 march logs.

$ grep -i Dior /cygdrive/d/hosts/test/logs/test/2016/1603*
Binary file path/16030301.XML matches

Using * (asterisk), a string can also be searched globally across all installations on the server.

Below example will search all files whose file names begin with "NEOS00", in all client installation folders inside the "hosts" folder, for log entries containing text "5th June 2016".
$ grep -a "2016 JUN 05" /cygdrive/d/hosts/*/logs/NEOS00*|less

Use the commands below to display the search string and required number of lines that come either after or before the search string, depending on what you enter in your command. It helps to get more information from files especially when you only know few words and the other information around the searched string also gets displayed.

grep -A<NUM> string file

Above command will display the line where the searched string was found, and also display NUM lines after the searched text

grep -B<NUM> string file

Above command will display the line where the searched string was found, and also display NUM lines before the searched text

See the examples and their respective outputs below:

$ grep -A2 -i "Dior" 1603*
Binary file 16032101.XML matches
Binary file 16032901.XML matches

$ grep -A2 -a "Dior" 1603*
16030301.XML:<DataOut>DIOR%FEPOI%FE'''Dior''' Poison%FE%FE%FE%FE%FEDubai, UAE%FE%FE%FE%FEN%FE%FE%FE%FE%FE%FE%FE%FE%FE%FE%FEN%FE%FE%FE17584.43592%FE%FE%FE%FE%FE%FE%FE%FE%FE%FE%FE%FE%FE%FE%FE1%FE%FE%FE%FE%FE%FE%FE%FE%FENEOSYS%FE17584.43592%FE94_200_49_146%FE1%FE%FE%FE%FE%FE%FE%FE%FE%FE%FE%FE%FEpaulson</DataOut></Message>
--
16030301.XML:<DataOut>DIOR%FEPOI%FE'''Dior''' Poison%FE%FE%FE%FE%FEDubai, UAE%FE%FE%FE%FEN%FE%FE%FE%FE%FE%FE%FE%FE%FE%FE%FEN%FE%FE%FE17584.43592%FE%FE%FE%FE%FE%FE%FE%FE%FE%FE%FE%FE%FE%FE%FE1%FE%FE%FE%FE%FE%FE%FE%FE%FENEOSYS%FE17584.43592%FE94_200_49_146%FE1%FE%FE%FE%FE%FE%FE%FE%FE%FE%FE%FE%FEpaulson</DataOut></Message>

Some more examples of grep below:

Use the command below when searching for more than one string 
grep -a string1 *|grep string2

Use the below command to omit the lines containing specific strings in your search:
grep -B2 -a Processing 160329*|grep -v DataIn|grep -v Message|less 
Above command will display lines containing string "Processing" and exclude lines containing string "DataIn" and "Message", |"less" displays the output in a new screen.

Use "zgrep" command to search in zip files:
zgrep string1 /path |zgrep string2 |less

===FIND===

Use this find command to list all files/directories modified after a certain date.

find [path, if omitted means = current directory] [-type f,d] [-newermt 'MM/DD/YYYY HH:MM:SS']

Or use a filename instead of date:

find -newer filename

==Managing the queue of reports being delivered by email==

In maintenance mode.

===Listing===

LIST DOCUMENTS WITH SCHEDULED_ONCE

===Clearing===

SELECT DOCUMENTS WITH SCHEDULED_ONCE
DELETE DOCUMENTS

==Reduce used disk space on NEOSYS or client hosted servers==
Non essential files getting accumulated over time can take up a lot of space on the hard disk resulting in low free space on the server. NEOSYS Client Monitoring system alerts about low free space for win3 server as it monitors the Disk Space of both C & D drive. To fix it Support team will have to create free space on the server.

Making space on the server is time taking and requires patience as you need to go through all the files/folders looking for non-essential files. Do not make any assumptions for not looking into a folder.

Non-essential files are the ones without which we can work properly and will continue to work in future.

Support team should keep in mind the below points while creating space on the server:

#Look into the drive for which nagios is alerting and dig into all the folders.
#Right click Folder > Properties > Size on Disk, to find out the size of a folder.
#On d drive majority of the space is taken by d:\hosts and d:\data.bak folder and on c drive it's taken up by the important windows/cygwin folders.
#The space distribution will give you an idea about which folders to target that can free up a good amount of space on clean up.
#Following are the non essential files/folders which can create a lot of space on removal. Use your intelligence and presence of mind while deleting files/folders because once deleted the information is lost forever.
#*Folder: d\data.bak. Check for stopped clients' backups and delete if present.
#*Folder: d\hosts\clientname\logs (where clientname stands for all the client folders in hosts) Look into logs prior to the current year and the year before and delete them. In the recent versions of NEOSYS, log folders are compressed and take up a lot less space on disk than presented as their size. You can see the difference in their properties.
#*Folder: d\hosts\clientname\downloads. This folder might contain lot of old versions of neosys.exe files. Keep the two latest versions and delete the rest. Do this for all client folders except test installation because Support maintains all the old versions of neosys.exe in it.
#*Folder: d\hosts\old. In this folder, delete all client folders that are older than 1 year.
#*Apart from above folders look for random backup.zip files present in c/d drive. This happens when Support restores data from a zip file and forgets to delete it after the restore.

To quickly get an idea of which directories consume the largest space, SSH onto server and use the "du" command along with various options, combined with command "sort".

"du" Disk Usage is used to estimate file space usage under a particular directory. Look up "sort" and "head".

Use this to find the estimate disk usage of each sub directory of every log directory in /hosts and then sort -n umerically and -r everse sort from high to low:

du /*/LOGS/*/20* --time | sort -n -r

Go to /hosts or D:/NEOSYS folder. Use command to get the estimate disk usage for all sub directories excluding directories where you know for certain files cannot be deleted.
(sort the directories by highest to lowest estimated disk usage in kb and then shows the top 20)

du --exclude={*/NEOSYS,*/neosys.net,*path/to/another/dir/that/cannot/be/deleted} --time | sort -r -n | head -n 20

===Reduce used disk space on backup servers===

If a server is scheduled to daily delete backup files older than 30 days, then there may be random files that are left behind for longer than 30 days, which are:

*any xx/xx/31 files on months than are followed by months with only 30 days, since the backup procedure deletes the previous month's file on the same day and day 31 does not exist in all months and
*any "same day last month" files that were not deleted by the backup procedure because it did not run or did not complete.

Use "crontab -l" to list all scheduled tasks, to find the how old a file must be before it is deleted.

==Troubleshooting Scripting Disabled error message on browser==
Error: NEOSYS requires You have
1. Internet Explorer 6+
or Safari 3.1+
or Firefox 3+
or Chrome 8.0+
2. Scripting enabled Scripting disabled
3. Cookies enabled Unknown

[[image:IEtrb1.jpg]]

Follow steps in given link to fix Script disable error on browsers : https://wmich.edu/helpdesk/internetenablecookies

==[[Configuring_IIS#Solving_.22Service_unavailable.22_error_due_to_disabled_application_pool | Handling 'Service Unavailable' on browser due to IIS issue]]==

==Searching for users with a particular email address==

In maintenance mode

FIND USERS XX@YY.COM

Troubleshooting NEOSYS Generally

2020-01-17T23:29:14Z

Steve: /* How to find the physical disk space occupied by logical files */

==Solving failure to start a NEOSYS server due to disk failure message==
===Problem===
During a reboot process (which maybe due to a Windows update or even done by a support personnel) the NEOSYS server gets hung on the startup and shows a message "Boot Failure - Abort, Retry".

===Temporary solution===
This typically happens due to the USB being plugged into the server and the boot sequence being wrong - i.e. the server trying to boot from the USB first and fails. The immediate solution would be to unplug the USB and ask the client to reboot the server again and upon successfully rebooting the system, plug the USB back again.

===Permanent solution===
The above problem will occur every time the computer is rebooted, so you need to immediately talk to the IT Administrator of the client and ask them to rectify the boot sequence to make it boot first from the CD ROM, then the HDD and last the USB.
 Allowing "Boot from USB" causes a severe risk of infection by boot sector viruses since the first infected USB device inserted WILL infect the server immediately as anti-virus programs are not active during boot.

==Replicate options used & error using sysmsg Data:==

NEOSYS users will send screenshots with the error message which often blocks options used, slowing down the ability to replicate the problem.

NEOSYS when a user faces a system error, NEOSYS sends a email with the error information, including texted that cann be used to recreate the optioned used at the time.
Thus avoiding the need to ask the user to send another screenshot without the error message.

Find the form data in the raw text of the emailed error message.

[[image:Rawformdatapng.png]]

Sadly normal email view renders it useless by mangling it, treating ^ as formatting character superscript.

The form raw data will be something like this:

1^^^1^3^3^^^^^^^^^^^^^^^3^^^^^^^^^18319^18319^^^^^^^^^4^^0^^^^^^^^^^^^^1}2

First prepare a command by inserting the above form data into the following command in place of %FORMDATA%. Do it anywhere you can cut and paste text.

form_setdefault('%FORMDATA%')

or in old versions of NEOSYS

gro.defaultrevstr=unescape('%FORMDATA%'.neosysconvert('`^]}\~',rm+fm+vm+sm+tm+stm))

Achieving the following command:

form_setdefault('1^^^1^3^3^^^^^^^^^^^^^^^3^^^^^^^^^18319^18319^^^^^^^^^4^^0^^^^^^^^^^^^^1}2')

or in old versions of NEOSYS

gro.defaultrevstr=unescape('1^^^1^3^3^^^^^^^^^^^^^^^3^^^^^^^^^18319^18319^^^^^^^^^4^^0^^^^^^^^^^^^^1}2'.neosysconvert('`^]}\~',rm+fm+vm+sm+tm+stm))

Once you have constructed the command, do the following:

#As NEOSYS user, get onto the exact same screen as the user was in when they got the message. (Using the screenshot they send)
#Press Ctrl+Shift+F12 - to get a NEOSYS javascript prompt
#Paste the command and Press Enter - to execute the command - it must confirm with "setdefaultform( ... ) = ok"
#Press Enter or click OK - to remove the confirmation
#Press Esc or click Cancel - to close the javascript prompt
#Press F8 or click Close - to refresh the form
#The form should now be filled in correctly including any hidden fields.

==[[Administering_NEOSYS_Server#Clearing_File_Locks| Troubleshooting "Document is being updated" message]]==

==Troubleshooting the "Database not available" error message==
===Problem explained===
This error appears when you try to login to NEOSYS after you enter your username and password and click the Login button.

[[image:database_unavailable.jpg]]

Error message :

Cannot login because :
Error : The (database code) database is not available right now.

If the error message appears post login i.e. when users are working on the system then check if processes are free to run user request.

[[image:not_available.jpg]]

===Solution explained===

#Determine if the processes are running. If they are running and you still get the same message that means that either the processes have [[Troubleshooting_NEOSYS_Generally#Troubleshooting_Hung_processes|hung]] and need to be [[Troubleshooting_NEOSYS_Generally#How_to_kill_hung_NEOSYS_processes|killed]].
#If the processes are not visible on the desktop, it is possible that they are running in the background and have hung for some reason. Check the windows task manager to see if any ‘ntvdm’ process is running and [[Troubleshooting_NEOSYS_Generally#If_NEOSYS_processes_are_not_visible_on_the_server_desktop|fix hung processes]].
#If not hung then the available processes may be busy running long reports and a new process needs to be started. Refer to [[Handling_Nagios_Client_Monitoring_System#Counting_current_active_users| counting current active users]] to get a sense of the processing requirements for an installation.
#If there are processes available which are not hung or busy running reports, then ensure that the URL is pointing to the correct IP address and not to a wrong one e.g. a backup server.
#If the process had not hung and no processes running, then the server might have restarted due to a power failure or a windows update and the administrator user had not logged in post the scheduled startup time of 6AM. To determine the cause of this, investigate in the Windows Event Viewer Log file.
#You can now start up the process by clicking on the respective desktop icons.
#Also check if the nightly backup took place successfully or not.
#Look into the logs at the date/time stated for the last transaction processed to investigate why process got hung. See [[Troubleshooting_NEOSYS_Generally#Inspecting_Database_LOGS_Folder| Inspecting logs]] for more information on logs.

==Fixing missing ADAGENCY.VOL==

The file contains database info required on Login Page and the directory paths of the NEOSYS programs and DATA required for maintenance mode.

===Problem===

When accessing NEOSYS Login Page: "Error: Cannot read D:\NEOSYS\NEOSYS\ADAGENCY.VOL".

This error will occur when the ADAGENCY.VOL file has been deleted (has previously happened after failed backup and after upgrading NEOSYS) or the file has become corrupt after a bad disk block was "fixed" by windows CHKDISK.

===Solution===

Manually recreate the file and its text contents (or if installation is on win3 use the nl13 snapshots).

In example below, only make changes to first line: (Maintenance mode login at dataset selection will display info)

Syntax: ZXC <DATASET NAME, DATASET CODE,,LAST BACKUP DATE>*..> (Separate each database's details with '*')

Example:
<pre>
ZXC TEST,TEST,,25 MAR 2019*XDEVTEST,XDEVTEST,,17 SEP 2018
.\ACCOUNTS
.\GENERAL
.\ADAGENCY
..\DATA\ZXC\GENERAL
..\DATA\ZXC\ACCOUNTS
..\DATA\ZXC\ADAGENCY
</pre>

==Troubleshooting "user not authorised to login from a location" error message==
[[image:IPerror.jpg]]

'''Error message:'''
xxx is not authorised to login form the location (IP Number. xx.xx.xx.xx)

'''Solution Explained:'''

Check the URL used and follow the steps below to check if it is correct and email the user accordingly.

#If the Client installation is hosted on NEOSYS server then users can use only https link to access NEOSYS.
#*Check with the client's management if this particular IP is their public IP.
#*Add IP on management confirmation (Refer to [[Procedures#Handling_User_Requests_to_add_an_IP_or_range_of_IPs_to_access_NEOSYS|Handling User Requests to add IP/IPs]] )
#In case of Client hosted server, users should access NEOSYS via LAN using the http link.
#*There can be exceptional cases where user needs to access NEOSYS outside the office Network e.g a client installation with two companies at different locations and NEOSYS installed at one. In this case Support will have to add the IP number of the second company so that users can access NEOSYS. But before you even suggest to add the IP, get the request from their management saying that the IP number is another office location and needs to be added. (Refer to [[Procedures#Handling_User_Requests_to_add_an_IP_or_range_of_IPs_to_access_NEOSYS|Handling User Requests to add IP/IPs]] )

==Handling damaged files==

[[Handling damaged files]]

===Checking for corrupt database files===
Login to NEOSYS Maintenance. This can be done when users are online.

Press F5

CHK.FILES

or

CHK.FILES filename

''' Sizelock while performing chk.files '''

Fixing sizelock errors should not be done while other users are online to the same database.

Sizelock errors are not critical and will be fixed automatically during the nightly backup.

Sizelock errors occur if a program or process that is selecting records from a file is aborted in some abnormal way.

Error message:

These Files/Tables have a Sizelock Value of 2 or greater.
Tag/Select the Files/Tables to be Fixed.
Press F9 to fix selected files

Press F9 to proceed with fixing the selected files or press ESC to continue with chk.files without fixing sizelock as it gets automatically fixed during the nightly backup.

Refer to the [http://techwiki.neosys.com/index.php/Backup_and_Restore#Error_Message:_Size_Lock Sizelock errors in backup emails] for more information.

[[file:sizelock.jpg]]

===Determining Database File Name from Operating System File Name===

To assess the potential damage and possible remedial measures you need to know the database file name. If the message only refers to the operating system file name you need to follow this procedure to determine the database file name.

Once you have the database file name you can use CHK.FILES XXXXXXX to check if corrupt or not and various other procedures to fix the corruption.

Remember that fixing the corrupt data does not solve the overall problem. The *cause* of the corruption must be identified and eliminated otherwise the problem may reoccur and in a more serious form perhaps with unrecoverable loss of data.

<pre>
╒═══════════════════════════════════TCL - 2══════════════════════════════════╕
│ │
│ :list FILES WITH ALL CONTAINING 'REV76481' │
│ │
╘════════════════════════════════════════════════════════════════════════════╛
</pre>

[[File:DBfilenamefromOSfilename.jpg]]

==Finding out when and by whom a record was deleted==

In most cases, NEOSYS does not allow users to delete records and instead keeps a record of everything. In some cases however, things are deleted and the only way to get full details about the deletion is to search the logs. This is cumbersome, but there is a quick way to find out when, and by whom, a record was deleted. Prior to NEOSYS software versions dated Mar 2014, and deletions done before the same date, this procedure will only tell you when the record was deleted - but not who deleted it. Knowing exactly when it was deleted will nevertheless help you to search the logs for full details.

In maintenance mode F5

ED SHADOW DELETED*filename*key

For example:

ED SHADOW DELETED*BATCHES*L*JOU*2*U

Journals are stored in the BATCHES file. The key of an unposted batch is x*y*999*U where x is the company code, y is the journal type code, 999 is UNPOSTED batch number and U is just U to indicate unposted batches. Note that unposted batches are normally deleted at the time they are posted - ie converted to posted batches.
<pre>
╔══════════════════════════┤DELETED*BATCHES*L*JOU*2*U├═════════════════════════╗
║16831.60706 ║
║BRUCEL ║
║╒═══════════════════════════════════TCL - 6══════════════════════════════════╕║
║│ │║
║│ :EVAL PRINT 16831.60706 '[DATETIME]' │║
║│ │║
║╘════════════════════════════════════════════════════════════════════════════╛║
║ ║
║ ║
</pre>

Once you see the number (in this case 16831.60706) you can convert it to a time and date by typing something like

PRINT 16831.60706 '[DATETIME]'

Using this date and time you can search the logs more effectively to find out who did the deletion and in what circumstances.

==How to find the physical disk space occupied by logical files==
Running the following command in NEOSYS maintenance mode will identify disk space used per file, largest files first.
LIST FILES BY-DSND SIZE
or on old versions of NEOSYS
LIST FILES BY-DSND SIZE ACCOUNT SIZE FILE.HANDLE

This will include all files not just those in the actual dataset in DATA\* folders.

The file handle column shows the name of an .LK file however every .LK file has its .OV (overflow file) which is often larger than the .LK file.

[[File:Physical file sizes.png]]

==Fixing slow speed==
===[[Benchmarking NEOSYS]]===
===Investigating slow response in NEOSYS using NEOSYS logs===
If users complain about slow speed, but the server CPU performance looks normal, then support MUST investigate NEOSYS logs to find out why NEOSYS was slow at the time when the client complained about slow response.

Search NEOSYS log entries around the time that the user complained about slow response and look for log entries with high response time. Make a note of what requests took long to respond. If multiple users were simultaneously requesting long reports from NEOSYS, then NEOSYS can be expected to respond slowly for other smaller requests that were processed at that time.

Also refer to [http://userwiki.neosys.com/index.php/General_FAQ#Why_is_NEOSYS_taking_a_long_time_to_generate_a_report.3F why is NEOSYS taking a long time to generate a report].

===Investigating CPU 100% using Windows Task Manager===
Email, to support, a screen-shot of task manager APPLICATIONS, PROCESSES and PERFORMANCE screens MAXIMIZED TO SHOW AS MUCH AS POSSIBLE.

(Sort the processes to show ntvdm, waiting.exe and high cpu% processes clearly)

'''Steps:'''

#Right Click on Windows Taskbar and click on Start Task Manager [[image:starttaskmanager.jpg]] 
#Click on Processes and then click on CPU '''Note - The HIGH cpu% processes which should usually be the "process" called "System Idle Process" ''' [[image:cpu100percent1.jpg]] 
#Click on the Performance Tab '''Note - PF Usage should typically be much less than Physical Memory otherwise there is insufficient real memory in the server to handle the load''' [[image:cpu100percent3.jpg]] 
#Click on Application Tab then Right Click on a NEOSYS Process and Click on Bring to Front '''See what the NEOSYS Process is doing [[image:cpu100percent2.jpg]] '''
#Right Click on a NEOSYS Process and Click on Go to Processes '''Note the cpu% ntvdm process [[image:cpu100percent2_2.jpg]] '''
#Normally NEOSYS application screens say "LISTENING" in the bottom line and those applications should have very low cpu% [[image:normalneosysprocess.jpg]] 
#Look at the difference between the screen of running NEOSYS processes (applications actually) which are idle (listening for requests) and active (processing a request from a user)
#Note the number of cpus or cpu threads in the server from the performance screen graphics [[image:performance-taskmgr-cputhread.jpg]] 
#Take screen-shots of any and ALL hung or long running processes (NEOSYS application screens) and email them to support. Even small details on the screens and user names, the user names may give clues to what problem caused the hanging.A Typical Hung NEOSYS process will look like this: [[image:hungneosysprocess.jpg]] 
#Once all hung/long processes are closed then CPU should be low and not near 100%. If it is still 100% then check all high cpu% processes and send a screen-shot of processes sorted to show the high cpu% process names to support.

===Solving server CPU% is 100 and all users are extremely slow/stopped===

Get the screenshots of Task Manager and ALL processes on the server, the objective is to assess the true issue. No need to get the screens not in use obviously but you can send a parallel screen shot for them if you want to be pedantic or even a comment will do.

====Too few CPUs/threads for the number of users====
In Windows task manager normally, you should see one ntvdm.exe and one waiting.exe process per NEOSYS process (application). A standard installation has three NEOSYS processes per main database and plus one per test database. This is configured in Support Menu, Configuration File.

If there are MORE ntvdm processes than you expect from the configuration file, then perhaps NEOSYS is auto starting new NEOSYS processes to try and cater for a high number of concurrent users.

If the number of concurrent NEOSYS processes significantly exceeds the number of cpus/hyperthreads available in the server then processing for everybody can become so slow for everybody and almost no work gets done.

====Solution====
Stop NEOSYS creating new NEOSYS processes automatically. Create a text file with the first and only line as AUTOSTART=NO in the neosys\neosys folder something like this.

notepad d:\neosys\neosys\NET.CFG

AUTOSTART=NO

==How do I troubleshoot email not received?==

[[Troubleshooting email not received]]

==Fixing permissions errors while logging in==

===Problem===

While logging in, you get the following error message:
[[Image:login_error_message.jpg]]

===Solution===

Add the internet guest account to the security list of the data folder with the default permission of list/read/write

Make sure the read&execute permission is removed
[[Image:permissions_on_data.jpg]]

==Fixing the 'HTTP Error 500.0 - Internal Server Error' while logging in on IE on a Windows Vista system==

===Problem===
After configuring IIS on Windows Vista you will get this error message while trying to login into NEOSYS from Internet Explorer:

HTTP Error 500.0 - Internal Server Error
Description: This application is running in an application pool that uses the Integrated .NET
mode. This is the preferred mode for running ASP.NET applications on the current and future
version of IIS.

In this mode, the application using client impersonation configured with <identity
impersonate="true" /> may not behave correctly. Client impersonation is not available in early
ASP.NET request processing stages and may lead modules in those stages to execute with process
identity instead.

===Solution===

You can move the application to an application pool that uses the Classic .NET mode by using the following from a command line window (the window must be running as Administrator)

%systemroot%\system32\inetsrv\APPCMD.EXE set app "Default Web Site/neosys" /applicationPool:"Classic .NET AppPool"

Alternatively, you can use any other application pool on your system that is running in the Classic .NET mode. You can also use the IIS Administration tool to move this application to another application pool.

==Fixing the 'Class Not Registered' error message while logging in==

===Problem===
While logging into NEOSYS, you will get a popup window giving an error message saying 'Class Not Registered - Server Error'. Typically, you will encounter this error with XP Pro IIS 5.1. As usual, there's way to solve it, however the root cause of this is still unknown.

Anyway, you will get the proper message in the event log:

Event Type: Warning
Event Source: W3SVC
Event Category: None
Event ID: 36
Description: The server failed to load application '/LM/W3SVC/1/ROOT/NEOSYS.
The error was 'Class not registered'.

===Solution===
So, what do you do ? This problem is related to Component Services, and when you open Component Services MMC, you will most probably get Error Code 8004E00F COM + was unable to talk to Microsoft Distributed Transaction Coordinator. So, fix the COM+ services first by using the following KB from Microsoft (PRB: Cannot Expand "My Computer" in Component Services MMC Snap-In http://support.microsoft.com/?id=301919):

To resolve this problem, reinstall Component Services as follows: WARNING:

#Open registry editor, locate HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3, and then delete this key.
#From the Start menu, point to Settings, click Control Panel, and then click Add/Remove Programs.
#Click Add/Remove Windows Components.
#Proceed through the wizard, and accept all of the defaults (including IIS)
#Restart the computer.

If the above didn't solve it, and you still receive the 'Class not registered' error message, then you need to recreate the IIS packages in COM+, try

#Delete IIS related package in Component Services MMC
#IIS In-Process Applications
#IIS Out-of-Process Pooled Applications
#IIS Utilities

Next, if you still get the message, try following before re-install IIS if you can't find Distributed Transaction Coordinator in your Services console.

Launch command prompt and run the following command.

#msdtc -install
#net start msdtc

Then try re-install IIS.

This should solve the problem

==Enabling File Security option on Win XP Professional==

===Problem===

In the Properties of any folders, the Security option does not show, hence you cannot modify the Read, Write options.

===Solution===

The solution would be to untick the 'Simple File Sharing' option from Tools > Folder Options > View:
[[Image:simplefilesharingoff.jpg]]

==%00%00%00%00 Errors==

===Error Message===
<pre>
SYSTEM ERROR in line 162. Amount "-2698.00AED" or base "%00%00%00%00" has been wrongly generated
GET NEOSYS SUPPORT. DO NOT ATTEMPT TO CORRECT MANUALLY
</pre>
===Solution===
%00%00%00%00 indicates an internal error that NEOSYS programmer has to fix. It is usually random and can be hard to replicate unlike almost all other NEOSYS errors which usually replicate reliably once you find the cause.

==B703 Errors==

The B703 error is usually always related to something too big for NEOSYS to handle.

These are the only B errors that NEOSYS cant always permanently prevent by fixing the software.

For more information, check [[Troubleshooting_NEOSYS_Media_System#B703_Errors|B703 errors]]

==Internet Explorer Menu, View, Text Size doesnt change font size as expected==

Cause: This is because the font size is now user definable in NEOSYS and View, Text Size does not override predefined font sizes.

Solution: If you are using Internet Explorer 7 you can scale the screen (including the font size using ctrl + and ctrl - keyboard shortcuts or the font size button on the bottom right hand side of the window.

You can adjust the font size on the User Details form when you login although this permanently applies to all forms not just the one that you are on.

==Uploaded jpg files fail to display in internet explorer==

Some large jpg files > 2Mb cannot be viewed in internet explorer despite being viewable in image preview, ms paint and other viewers/editors. It is not an issue caused by uploading or downloading the files.

These file appear to have been created on Photoshop CS Macintosh and may be a special type of uncompressed jpg used for production quality files.

===Partial solution===
Before uploading the files, open them in some editor like MS Paint (right click, edit) and save them. However this results in a loss of quality. Perhaps there is some program that can convert these files to a format understandable by Internet explorer without any loss of quality.

=="This document is currently read only"==

===Cause===
The user attempting to modify this document does not have the authorization key to do so.

===Solution===
Inform the user that he is not authorised to modify the document and give him the list of users within his company who are authorised to do so.

=="You have attempted to write to a read-only file"==

===Message===

Error while writing data.
You have attempted to write to a read-only file.
- or -
access to the file has been denied by the operating system.
(operating system file name: "..\DATA\ADLINEC\ADAGENCY\REV76467.OV00012618")

===Cause===

It is almost certainly due to some third party backup or other maintenance software opening the NEOSYS database files when it shouldn't e.g. badly configured third party backup scheduled to backup NEOSYS while NEOSYS is still running. Note that the exact filename varies each time.

===Solution===

This can be a serious error that causes damaged files in NEOSYS especially if the filename ends in .OV. Use the usual methods of checking for damaged files e.g. do a backup which also looks for damaged files BUT DO NOT OVERWRITE THE LATEST BACKUP SINCE IT MAY BE REQUIRED for restoration. Then fix the damaged files using the usual methods e.g. by rebuilding/using
FIXFILE or restoring databases. For more info check [[Handling damaged files|Handling damaged files]]

===Prevention===

Remove the third party backup or other maintenance software or reschedule it to run at a time that NEOSYS is shutdown. Removal of software may require hunting through the windows process list for unexpected programs running.

==Troubleshooting Hung processes==

===Investigating hung NEOSYS processes===

To find out if a process is hung, check the time on the last line of the process which would be frozen since the time it first hung. This time can be cross-referenced with the current server time and you will notice the difference in time b/w the server and the hung process. You can also find the duration of hung processes in Nagios.

Step 1

Gather all the useful and necessary information about the current state of the system by taking screenshots of the NEOSYS process windows, server time and date, process list in Task Manager etc.

Always remember to take screenshots of the whole screen, since every little detail is useful for investigation.

Send an e-mail to Support with all the investigated details.

Step 2

Request a shutdown of all NEOSYS processes, which would leave only the hung processes open.

Close the hung process/es.

Step 3

Process explorer can be installed from Microsoft Sysinternals and for a deeper inspection of the problem with a view to resolving it, should be used to gain information about what files are open.

If already installed, procexp.exe can be found on the Desktop or from Start Menu-> Programs.

In process explorer, Find -> Handle -> type d:\

Submit the complete list (maybe more than one page) to support for records.

[[Image:invhungprocess.jpg]]

===[[Troubleshooting_NEOSYS_Generally#Investigating_CPU_100.25_using_Windows_Task_Manager|Investigating CPU 100% using Windows Task Manager]]===

===[[Troubleshooting_NEOSYS_Generally#Solving_server_CPU.25_is_100_and_all_users_are_extremely_slow.2Fstopped|Solving server CPU% is 100 and all users are extremely slow/stopped]]===

===Error message: "Fatal Error in Rev Restart"===

[[image:fatal.jpg]]

===Error message: “Abort, Retry, Fail”===
====Problem====
The following messages may come on older versions of NEOSYS if there is a problem with the USB media inserted for backup.

[[image:usberror.jpg]]

This results in “NEOSYS has not checked in” message on Nagios since it hangs during the monitoring update and locks all other processes from monitoring too.

General failure writing drive F
Abort, Retry, Fail?

Not read reading drive F
Abort, Retry, Fail?

Pressing A or F results in the problem happening again in about a minute, perhaps on a different process.

====Solution====
Temporary solution is to do “Safely remove hardware” from the windows notification area. Using “Eject” from My Computer will not work.

Permanent solution is to replace the defective USB memory stick. Sometime reformatting is sufficient.

Upgrading NEOSYS will probably stop the defective media from causing NEOSYS to hang but the USB will still be useless for backup.

===Error message: "Read error in the operating system file"===
====Problem====
Nagios reports a hung process and on the server a process has the following message popup.

Read error in the operating system file "..\DATA\PT0833\ACCOUNTS\REV20049
The file does not exist or the filename is
not valid for the operating system.

[[Image:readerrorintheoperatingsystemfile.png]]

====Cause====
Some non-NEOSYS program is directly accessing the NEOSYS database files while NEOSYS processes are running and using the files as well.

*Client IT staff using a backup program to perform backup without ensuring that NEOSYS processes are shutdown.
*A NEOSYS rsync process taking longer than expected due to new USB.

====Solution====
Kill the NEOSYS process eg with the X button. It is advisable NOT to let it run further while it cannot properly access one of its files.

====Prevention====
Remove the third party program or arrange for it to operate only while NEOSYS processes are shutdown eg from 3am-6am.

===Error message: "Not enough string space - Out of Memory"===

====Message====

‘RTP27’ Line 1. [B29] Not enough string space – Out of Memory.

Not enough memory to execute Debugger; current program aborted.
Press any key to continue

[[Image:out_of_memory.jpg]]

====Cause====
Unknown perhaps related to some large document or report

====Solution====
Ask users for any hanging transactions.
None other than closing and starting another process.

Also refer [[Troubleshooting NEOSYS Generally#Enabling EMS memory on Window 2003|Enabling EMS memory on Window 2003]]

===Error message: B521===

[[Image:B521.jpg]]

Another user is currently updating indexes.
Waiting to make your updates...
If you interrupt this process,
you may have to rebuild all the indexes

B521 message is usually temporary and goes away by itself. If it does not then, as the text of the B521 message makes clear, some OTHER process is holding up the system, preventing the process with B521 message from continuing.

B521 message is a symptom of other problem so it does not itself have some one simple solution. You must find which other process or issue is causing the hold up and solve whatever problem is causing the hold up, which could be anything.

===Error message: " NTVDM encountered a hard error "===

The following error message appears:

[[Image:ntvdm.jpg]]

NTVDM encountered a hard error

====Solution====

This error is caused by missing or corrupt Windows system files (i.e. command.com, autoexec.nt and config.nt). The solution is to run a program called XP FIX which will reinstall these missing files. You can download it form http://www.visualtour.com/downloads/xp_fix.exe

Sometimes even after running the XP FIX program the error still appears. Then you need to copy all the files under C:/windows/repair to C:/windows/system32 and in the autoexec.nt and config.nt put REM before any lines there which don't have it.

====Possible fix for some NTVDM errors====

=====Error message=====

[[Image:Ntvdm1.jpg]]

NTVDM has encountered a System error.
The system cannot find the file specified.
Choose close to terminate the application.

=====Possible solution=====

#Change the TEMP and TMP environment variables to C:\WINDOWS\TEMP. This should be for the user that runs NEOSYS processes - normally administrator.
#Close all NEOSYS processes
#Logout/Login again
#Restart NEOSYS processes

[[image:Ntvdmsoln.png]]

=====Check solution done properly=====

You can check that by typing ECHO %TEMP% and ECHO %TMP% at a console prompt after logging out and in again.

Note that windows will actually set the windows environment variables to something like C:\WINDOWS\TEMP\2 for some unknown reason.

<pre>
d:\hosts>ECHO %temp%
C:\WINDOWS\TEMP\2

d:\hosts>ECHO %tmp%
C:\WINDOWS\TEMP\2
</pre>

===Error message: [[Troubleshooting_NEOSYS_Generally#Troubleshooting_the_.22Database_not_available.22_error_message|"Database not available" post login]]===

===Error message: [[Backup_and_Restore#Error_Message:_.22Cannot_backup.2Frestore_because_PROCESS1_PROCESS2_.28etc.29_is.2Fare_online.22_message|"Cannot backup/restore because PROCESS1 PROCESS2 (etc) is/are online"]]===

===How to kill hung NEOSYS processes===

NOTE WELL: If you kill actively working NEOSYS processes (those which are "listening" and not hung/crashed) there is a reasonable chance that the database will be damaged and might need a restore losing possibly large amounts of work.

====If NEOSYS processes are visible on the server desktop====

Look for processes which don't have "Listening ..." on the last but one line. The times on the left hand side are frozen as at the time of the hang.

You can then click the X to kill the process and confirm that this is OK.

Example of a NEOSYS process that has hung due to a software error resulting in a failure to handle a complex query with a lot of brand codes.

[[Image:hungprocess.jpg]]

====If NEOSYS processes are not visible on the server desktop====

NEOSYS processes are most of the time visible on the desktop (i.e. the black dos windows) in Windows 2003 OS, except in the case that the process has been scheduled to start on computer restart and no one has logged into the server. In this case it would be running in the background. TODO

You can check if there are any hung processes from the NEOSYS Support Menu, List of Database Processes.
[[Image:databaseprocesseslist.jpg]]

In this case you should follow the below instructions - however all of them need to be done within 30 seconds of starting the first instruction to avoid inconvenience to the users. It is recommend that you keep relevant windows open before proceeding with the same:

#Shutdown NEOSYS by TEMPORARILY putting a file called GLOBAL.END in the parent directory of NEOSYS (if there is already a GLOBAL.END.TEMP file then rename it to GLOBAL.END). Leaving the file there would prevent NEOSYS from starting up again. Shutting down NEOSYS from the Support menu will not work because of the hung processes.
#Use Windows Task Manager to kill all the NTVDM processes - assuming that you have closed all the visible NEOSYS processes, then the NTVDM processes in the task manager would be the hung one.
#Delete GLOBAL.END or rename it to GLOBAL.END.TEMP
#Restart the processes back again. If there are many datasets then you need to restart them all well within the 30 seconds period. Restarting a process will not be noticed by users, if started immediately.
#*Create a [[Configuring_STARTALL.cmd_command_to_auto_start_all_processess | STARTALL.cmd]] file for future cases, where you may need to quickly start many processes for clients with multiple datasets.

In case of Patsalides, where we have a thousand datasets which start "on demand" i.e. usually on login; all you need to do is start one dataset which will restart all the other datasets "on demand". If there is no response within 30 seconds then one of the running datasets will start it up so there appears to be a 30 second delay when you login to one of the thousand datasets the first time on any one day.

===Temporary workarounds for hung NEOSYS processes===
Until the error in the software is fixed users can often get their results by simplifying their requirements. For example select individual clients instead of selecting all the brands for a particular client. If the user has repeated his request (in forlorn hope that it would work finally) then the number of working NEOSYS processes will drop causing severe slowdown for other users and complete stop if all the NEOSYS processes hang.

==Fixing " You do not have sufficient privilege to access this file "==

This error message may come up while NEOSYS processes start up at the same time.

Error message on:
16 bit MS-DOS Subsystem
D:\hosts\Client_nam\NEOSYS\AREV.EXE
C:\Windows\SYSTEM32\CONFIG.NT. Error Code 0x20. You do not have sufficient privilige to access this file. See your system administrator. Choose 'Close' to terminate the application.

Close the error message window and look for NEOSYS processes for that client. In case there is no process, start the NEOSYS process.

[[image:Errormsg.jpg]]

==Fixing wrong default program assigned to open a file type==

The NEOSYS process (cmd file) might open up in a notepad, instead of the usual black colour DOS window. This may happen if a JavaScript file is opened using notepad. Support MUST be very CAREFUL when accessing .JS and .JSE files and double check that the default program remains wscript.exe and not changed to notepad/wordpad. The issue can be fixed by the following:

#Check if Windows Script 5.6/5.7 is installed, IF NOT download and install it from the Microsoft Website.
#Go to Control Panel -> Default Programs -> Associate a file type or protocol with a program and then change the default program for .JS and .JSE to "Microsoft Windows Based Script Host"

For file types that must not have any default program to open them (e.g. .vol file type):

#Right click the concerned file (e.g. ADAGENCY.vol) > Open with > Choose another app > More apps
#Select "Always use this app to open XXXX files"
#Click "Look for another app on this PC"
#Locate and select the concerned file (ADAGENCY.vol in this example). An error should appear "This app can't be run on your PC". Click OK.

==Fixing a 'Could not start' error on Scheduled Tasks in Windows Server 2000 SP4==

This error occurs because of a change that is made to the data that is stored in the credentials database when you install Windows 2000 SP4. Hence installing SP4 causes the the data that is stored in the credentials database to get converted to an SP4-compatible format. A registry key is configured to indicate that the data has been converted to the SP4 format.

Hence the Scheduled Tasks do not work sometimes. However the Scheduled Tasks works fine sometimes, but when you uninstall SP4, it does not work.

The best solution is to:

#Incase Scheduled Tasks do not work after installing SP4, then uninstall SP4 and it should be fine.
#Incase Scheduled Tasks works after installing SP4, and later after uninstalling SP4, it does not work, then install SP4 and it should be fine.

==Checking for server or NEOSYS crashes==

#NEOSYS Maintenance Mode
#General Menu, Setup, Processes
#Select the dates and the option Detailed

This report shows a list of dates and times that NEOSYS logged in but did not log out properly.

Ignore the very latest entries since they represent the current NEOSYS processes. For example, if you have four NEOSYS processes running at the time that you get the report (including any in maintenance mode) then you can ignore the last four entries.

The date and time shows for each process that has failed to shutdown correctly when the process logged in. Versions of NEOSYS from January 2008 will also show the date and time that each crashed NEOSYS process was last active (heartbeat) so that the time of failure can be known.

If you see a bunch of NEOSYS processes all started up at around the same time but all failed to shutdown correctly then the cause will be a server failure - usually power failure.

Isolated one-off failures will be related to individual NEOSYS process crashes - most commonly caused by one of the following:

#NEOSYS hanging to due to software failure
#Manually exiting a NEOSYS process on the server either by pressing Ctrl+Alt+Del or clicking the "X" close icon/box and ignoring the warning
#Random server failures eg memory, disk etc

Example:

LOGIN 22/12/2007 06:02 NEOSYS SERVER ADAGENCY Current workstation
LOGIN 23/12/2007 06:00 NEOSYS SERVER ADAGENCY Current workstation
LOGIN 23/12/2007 06:01 NEOSYS SERVER ADAGENCY Current workstation
LOGIN 23/12/2007 06:02 NEOSYS SERVER ADAGENCY Current workstation
LOGIN 23/12/2007 08:52 NEOSYS SERVER ADAGENCY Current workstation
LOGIN 23/12/2007 08:52 NEOSYS SERVER ADAGENCY Current workstation
LOGIN 23/12/2007 08:53 NEOSYS SERVER ADAGENCY Current workstation
LOGIN 8/1/2008 06:00 NEOSYS SERVER ADAGENCY Current workstation
LOGIN 8/1/2008 06:01 NEOSYS SERVER ADAGENCY Current workstation
LOGIN 8/1/2008 06:02 NEOSYS SERVER ADAGENCY Current workstation
LOGIN 8/1/2008 13:51 NEOSYS SERVER NEOSYS Current user session

Interpretation:

The first four entries indicate that all four NEOSYS processes started at 06am were suddenly killed probably by power failure

The next four entries indicate that NEOSYS was restarted at around 08:52 and all these processes were AGAIN killed probably by power failure

The last four entries can be ignored because there were four NEOSYS processes running at the time that the report was generated

==Searching for word/number in the database files using maintenance mode==

You can search for any word/number in the database files of NEOSYS, using the following command line:

F5
FIND FILENAME WORDWITHOUTANYSPACES

For eg:
FIND CURRENCIES 1.1
(here you are searching for the number 1.1 in the currencies file) You CANNOT search for a phrase ie include spaces like this.

Or you can also type:
FIND FILENAME <enter>
and it will ask you what you want do to search. You can enter an exact phrase with spaces.

Incase you do not know the filenames, you can enter the following command to see all the filenames in the system:

F5
LF

==Troubleshooting a Service Unavailable message on Internet Explorer when opening up NEOSYS==

===Error Message===

The following error message appears in Internet Explorer when you try to open up NEOSYS:

Service Unavailable

===Solution===

Open the IIS Manager, right click Web Sites and select properties:
[[Image:serviceunavailable1.jpg]]

Switch to the Service Tab and tick the "Run WWW Service in IIS 5.0 Isolation Mode".
[[Image:serviceunavailable2.jpg]]

You will be asked for Restart of IIS. Click yes to restart IIS. If you are not asked just restart IIS.

==Inspecting IIS log files==

At a windows command prompt:

c:
cd \Windows\system32\LogFiles\W3SVC1

or

%SystemDrive%
cd %SystemRoot%
cd system32\LogFiles\W3SVC1

then (substituting the ip number you are interested in)

find "192.168.1.55" *|sort>temp.log

Open temp.log in Excel and use Tools, Data, Text to Columns to split into columns using options "Delimited" and check split on Space.

Autowidth all columns by clicking on the top left box just outside the data to the left of column A and above column 1 then double click the column separator to the right of column "A"

Note that times and dates are in UTC/GMT so you have to add/subtract your timezone offset to get local times.

==Inspecting Database LOGS Folder==
NEOSYS log files e.g. 15123103.xml are created by the database processes and contain user requests to the NEOSYS database. Each XML file represents commands executed by each NEOSYS process.

If the database is not available according to the website then no entry will appear in that log. (The request will appear in the IIS website log but that log is nothing to do with database processes)

It is often quicker and easier to do a preliminary search for database requests using the Request Log in NEOSYS UI, although more specific details such as Session No, Host IP, Filename and DataOut/In are only available in the XML logs.

Find log files in neosys/LOGS. The file naming format is yymmdd(log created by process No.) E.g 18060402 = 4th of July 2018 process02.

Use simple text editor to view the log files.

Details found in XML log files: 
Message: Date, Time, User, Filename, WorkstationIP, HostIP, HTTP and Session. 
Request: Req1, Req2, Req.. 
Response: ProcessingSecs 
DataOut/DataIn:

===Understanding Log Entries===
Inspecting and searching through Logs file allows NEOSYS staff to answer clients queries like "Who deleted schedule XXXX" etc.

To read and understand the log file with more ease, copy the portion of the log file required to be analysed into another text editor.

While going through the log file you may come across a request "EXECUTE GENERAL GETTASKS NOT", this request is concerned with getting a list of tasks that the user is *not* allowed to do.

To read and understand the log file with more ease, copy the portion of the log file required to be analysed into another text editor.

The text that appears as %FE, %FC, %FD, etc. are basically separators. Replace %FE, %FD, %FC, etc. with a separator like "--".

Once replacing all these characters is done, the log file will be more easily readable and vital information will be clearer.

In the log file, you may find numbers like 17290, 17195, etc. These numbers denote dates selected or entered by the NEOSYS user. These are basically the number of days from 31st December 1967 till the date chosen by the user. For example, to convert 17290 to actual date, 31/12/1967 + 17290 = 3/5/2015. So the actual date is 3rd May 2015.

To convert these numbers to dates using maintenance mode, refer to the article [http://techwiki.neosys.com/index.php/Troubleshooting_NEOSYS_Generally#Finding_out_when_and_by_whom_a_record_was_deleted Finding out when and by whom a record was deleted]

[[image:NEOSYS Logs.jpg]]

==Fixing NEOSYS processes that do not auto start / Recovering from incorrect advanced date or time==
This solution is applicable to live database processes only. Test database processes don’t auto-start any other processes.

===Problem explained===
After starting up the 1st process, the rest of the processes don't start up.

===Solution===

The possible cause for this could be that the system date/time might have been changed - either manually or by the auto synchronization. Do the following checks in the sequence of order:

#Check for any *.$* files (* after dollar sign should show a number, the highest being the latest one). If it shows OK, then proceed ahead.
#Check for any .end files and delete it to rename to .end.temp
#Check the System Event Viewer log for any 520 or 577 error message (refer http://128.175.24.251/forensics/timechange.htm). Also check for any out of sequence / ahead of today date or time.
#In case of no 520 or 577 error message, go to Administrative Tools > Local Security Policy > Local Policies > Audit Policy > Audit Privilege use - make sure that Success and Failure are selected under this (this will ensure that future changes to the date/time are recorded in the System Log).
#In NEOSYS maintenance mode - F5 ED PROCESSES %UPDATE% - and see what it says, incase of any text (only text, not numbers) there, that means that for sure the system date has been changed. To fix this, exit the editor by pressing the ESCAPE key and then type DELETE PROCESSES "%UPDATE%"

==Fixing starting issues with NEOSYS processes or Maintenance Mode==

===Fixing "UNABLE TO OPEN BOOT MEDIA MAP" error===

Opening NEOSYS process or maintenance mode just opens and closes the window instantly.

Running ADAGENCY.BAT from a windows CMD shows an error message

Unable to open boot media map.

Cause:

AREV.EXE is unable to access the REVMEDIA.LK file.

Possibly due to windows permissions problems. For example after using CYGWIN RSYNC without the --no-perms option.

Solution:

If cygwin rsync has screwed up the permissions you can reset the permissions for all files on the D: disk

D: disk properties, security tab, Advanced button

#Owner: change to administrator
#Check "Replace owner on subcontainers and objects"
#Check "Replace all child object permission entries with ... "
#Apply and confirm all questions
#Repeat and change BACK to Owner: SYSTEM

[[Image:Unableopenbootmediamap.png]]

===Fixing issue where NEOSYS processes do not start-up at all or start-up and close immediately===

Fixing issue where NEOSYS processes do not start-up at all or start-up and close immediately.

#Check if a file with the name global.end exists in the root directory of the NEOSYS installation. Eg D:\global.end . If you find such a file, rename it to global.end.temp - for more information on global.end and what it does, refer to [[Administering_NEOSYS_Server#Closing_NEOSYS_Services|Closing NEOSYS Services]]
#If the above didn't fix the problem and NEOSYS still does not start, do a windows search for the entire NEOSYS folder for *.end (i.e. any file ending with .end extension). You may find a (databasecode).end file in D:\neosys\neosys folder which is created by the NEOSYS program during backup at 1 am and later on removed automatically. In this case NEOSYS program might have crashed during the backup and left this file behind. (databasecode).end files prevent other other NEOSYS processes starting up on the database while exclusive processes (like backup) are being done.

Or try: Delete the read-only file REVBOOT file (under d:/neosys/neosys folder). REVBOOT file is recreated when you start maintenance mode.

In case the above didn't fix the problem then escalate to the programmer immediately.

==Recognising and Solving Low Memory Problems==

Quick Note: Installing a server class operating system on a workstation class computer with the intention of NEOSYS serving a heavy load is likely to cause problems with low memory.

Quick Fix: Disable *ALL* non-essential features in the power-on setup menu.

===Effects===

It is speculated but not proven that low memory may cause NEOSYS to fail by hanging, causing damaged files etc.

===Checking===

F5
MEMORY

On server class machines it should say somewhere around 350Kb to 370Kb Free

Some server class machines have around 330Kb and sometimes even less with no reported problems

The actual effect of low memory is supposed to make NEOSYS slower and perhaps cause hanging and damaged files however this has not been proven in an specific case so far.

On workstation class machines it may often say around 280Kb to 300Kb.

===Cause===

Although there is plenty of real memory in virtually all computers now, NEOSYS runs in the legacy 16 bit virtual memory space of a windows mode called NTVDM. This is limited to 1Mb plus 4Mb of EMS memory.

The 1Mb memory space is shared with:

#Various non-essential windows drivers which NEOSYS automatically disables them in autoexec.nt
#Various plug and play hardware device drivers for the various adapters in the computer like video, network adapters and various other items that NEOSYS is unable to disable.

In a server class computer the hardware device drivers are usually minimally present in the 1Mb base memory and do not therefore DOESNT a low memory situation for NEOSYS.

In workstation class computers there are often many hardware device drivers present in the 1Mb base memory and this DOES causes a low memory situation for NEOSYS.

When NEOSYS is installed on workstation class computers with XP there is usually not a heavy load expectation and therefore the low memory does not cause a problem.

If Windows Server OS is installed on a workstation class computer NEOSYS may well be expected to serve a heavy load with limited amounts of memory.

Workstation class computers: hardware drivers present and EMS is installed in low memory (0000-9FFF) causing low memory for NEOSYS and possible inability to

Server class computers: Usually few hardware drivers are present in high part (A000-FFFF) of the 1Mb base memory and EMS is able to occupy the high memory leaving the low part (0000-9FFFF) of the 1Mb memory free for NEOSYS. You can find out how much memory is available to NEOSYS and whether EMS is occuping high or low memory using the following sections.

===Fixing Low Memory===

Start, Run, notepad c:\windows\system32\autoexec.nt

Every time NEOSYS starts it tries to make some changes as follow:

#replaces all lines in C:/WINDOWS/SYSTEM32/AUTOEXEC.NT starting with 'lh ' to start with 'rem NEOSYS LH ' instead.
#changes the line in C:/WINDOWS/SYSTEM32/CONFIG.NT "files=..." to "FILES=200"

The replacement is case sensitive triggered on 'lh' and 'files' so if you manually edit the files and remove the rem or change the number of files and leave the LH and FILES in uppercase then NEOSYS will NOT make further changes. This allows you to do manual amendments to the files without NEOSYS overwriting them.

Check that NEOSYS has successfully disabled all the drivers in the lines starting with LH.

They should be commented out (prefixed) with REM or REM NEOSYS as follows.

After making changes reopen NEOSYS in maintenance mode to use the MEMORY and WHO commands again.

<pre>
REM Install CD ROM extensions
REM NEOSYS LH %SystemRoot%\system32\mscdexnt.exe

REM Install network redirector (load before dosx.exe)
REM NEOSYS LH %SystemRoot%\system32\redir

REM Install DPMI support
REM NEOSYS LH %SYSTEMROOT%\SYSTEM32\DOSX
</pre>

Low Memory Issues in Windows 2003 server can be fixed using instructions mentioned at [http://techwiki.neosys.com/index.php/Troubleshooting_NEOSYS_Generally#Enabling_EMS_memory_on_Window_2003 Fixing Low Memory in Windows 2003 Server]

===Allowing DOS programs that require DOSX to run on the same computer as NEOSYS===

The automatic commenting out DOSX by NEOSYS will prevent some other DOS-like programs from running. If NEOSYS is on dedicated server then there should be no other such programs to fail. However, if you must allow DOS-like programs to work as well as NEOSYS you can do the following configuration:

#leave or restore the original AUTOEXEC.NT and CONFIG.NT files where they are
#copy them to another folder eg neosys folder
#make the necessary REM changes there by hand
#right click the NEOSYS\NEOSYS\AREV.PIF and select properties
#change the location of the AUTOEXEC.NT and CONFIG.NT files in the following location

[[image:pifsettings.jpg]]

===Checking EMS Memory Configuration===

====Inspection====

F5
WHO

press the up arrow to get to the last part/page

=====Example of Typical Server EMS Memory=====
[[image:serveremm.jpg]]

=====Example of Typical Workstation EMS Memory=====
[[image:workstationemm.jpg]]

====Correction====

No easy way

Removal of hardware adapters designed for workstations instead of servers eg graphics cards and network cards.

Many of the devices may be located on the motherboard and not relocatable except possibly by BIOS configuration or special manufacturer information.

Use windows device manager, View: Resources by Connection, Open the Memory item and look for items between 000A0000 up to 000FFFFF that might give you a clue as to what hardware could be removed or reconfigured. Actually only 000C0000 to 000FFFFF is candidate for EMS memory since 000A000-000BFFFF is mandatory video memory in all systems.

[[image:devicemanager.jpg]]

==Fixing issue where NEOSYS processes do not start-up at all or start-up and close immediately==

#Find if a file with the name global.end exists in the root directory of the NEOSYS installation. Eg D:\global.end . If you find such a file, rename it to global.end.temp - for more information on global.end and what it does refer to [[Administering_NEOSYS_Server#Closing_NEOSYS_Services|Closing NEOSYS Services]]
#If the above didn't fix the problem and NEOSYS still does not start, do a windows search for the entire NEOSYS folder for *.end (i.e. any file ending with .end extension). You may find a (databasecode).end file in D:\neosys\neosys folder which is created by the NEOSYS program during backup at 1 am and later on removed automatically. In this case NEOSYS program might have crashed during the backup and left this file behind. (databasecode).end files prevent other other NEOSYS processes starting up on the database while exclusive processes (like backup) are being done.

In case the above didn't fix the problem then escalate to the programmer immediately.

===Solving "Control Record" error in maintenance mode===

If processes dont start after you log into maintenance mode and you get an error message
<pre>
╔════[FS152]═══════════════════════════════════════╗
║ The control record "RECORDS" ║
║ is too long to be saved. ║
║ The current record length is 65539 characters. ║
║ ║
║ < Press any key > ║
╚══════════════════════════════════════════════════╝
</pre>
[[File:Record1.jpg]]

'''1'''. Press space to get rid of the error message and you should then get this menu

[[File:Record2.jpg]]

'''2'''. Press F5 and run this command (case sensitive)

DICT DEFINITIONS

or Press Alt+S and run this command (case sensitive)

EXECUTE DICT DEFINITIONS

[[File:Record3.jpg]]

'''3'''. Press Shift+F3 to get the following message
<pre>
╔══[B202]══════════════════════════════════╗
║ "DEFINITIONS" has ║
║ "QUICKDEX" installed ║
║ ║
║ Do you want to remove "QUICKDEX"? [Y/N] ║
║ ║
║ <Y >║
╚══════════════════════════════════════════╝
</pre>

Do you want to remove "QUICKDEX"? [Y/N]

'''4'''. Press Enter to choose Yes.

[[File:Record4.jpg]]

'''5.'''Restart NEOSYS to see if the problem has been solved

==Solving “page not found” or "HTTP Error 404.3 - Not Found" when downloading some file types after uploading them successfully==

A user gets this error message when trying to download a file that has been uploaded into NEOSYS.

Windows web server will not download file types that it is unaware of. You can enable the download of new file types.

===Adding Mime Types in Windows Sever 2003===

====One by One====

Follow below steps to enable the download of new file types one by one.

This process is tedious and error-prone if you have to add many types.

#Computer Management
#Services and Applications
#IIS properties
#Mime Types
#Add

The added Mime type will not take effect unless IIS is restarted. This should be done only when users are offline because restarting IIS kills login sessions and therefore forces users to login again.

Open command prompt and enter the following command
iisreset

====Many====

Window Server 2003 is unaware of all the Office 2007+ file types. To add all Office 2007+ file types at once do the following:

Stop IIS

iisreset /stop

Open the list of mime types

*Start, Run, notepad C:\WINDOWS\system32\inetsrv\MetaBase.xml

Search the file for “xlsx” and quit the editor if already inserted.

Otherwise, find the following line,

.xml,text/xml

and insert after that line the following lines. They do not need to be indented.

<pre>
.docm,application/vnd.ms-word.document.macroEnabled.12
.docx,application/vnd.openxmlformats-officedocument.wordprocessingml.document
.dotm,application/vnd.ms-word.template.macroEnabled.12
.dotx,application/vnd.openxmlformats-officedocument.wordprocessingml.template
.potm,application/vnd.ms-powerpoint.template.macroEnabled.12
.potx,application/vnd.openxmlformats-officedocument.presentationml.template
.ppam,application/vnd.ms-powerpoint.addin.macroEnabled.12
.ppsm,application/vnd.ms-powerpoint.slideshow.macroEnabled.12
.ppsx,application/vnd.openxmlformats-officedocument.presentationml.slideshow
.pptm,application/vnd.ms-powerpoint.presentation.macroEnabled.12
.pptx,application/vnd.openxmlformats-officedocument.presentationml.presentation
.xlam,application/vnd.ms-excel.addin.macroEnabled.12
.xlsb,application/vnd.ms-excel.sheet.binary.macroEnabled.12
.xlsm,application/vnd.ms-excel.sheet.macroEnabled.12
.xlsx,application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
.xltm,application/vnd.ms-excel.template.macroEnabled.12
.xltx,application/vnd.openxmlformats-officedocument.spreadsheetml.template
</pre>

Save the file with File and Exit

Restart IIS

===Adding Mime Types in Windows Server 2008===

"The page you are requesting cannot be served because of the extension configuration. If the page is a script, add a handler. If the file should be downloaded, add a MIME map."

[[file:mime2008.jpg]]

This message shows when a user attempts to download a file that has been uploaded into NEOSYS and the file extension is not configured in IIS server Mime Maps.

The user may also get the below error message:

"The resource you are looking for has been removed, had its name changed, or is temporarily unavailable."

[[file:mimetype.jpg]]

Solution:

Add mime mappings in IIS. Use the GUI or the servers command line.
The exact solution depends on the file type. Example for .msg files:

C:\windows\System32\inetsrv\appcmd set config /section:staticContent /+"[fileExtension='.msg',mimeType='application/vnd.ms-outlook']"

The bit that varies in the above example is:

*.msg

*application/vnd.ms-outlook

Other mime types can be found on the web eg https://www.thoughtco.com/file-extensions-and-mime-types-3469109

Getting the 2nd part right enables the user to have the downloaded file open automatically in the right application for the file extension, but only if they have the right application installed.

==Handling Neosys Automatic Upgrade Error Messages==

===Error Message===
We will receive an email from the NEOSYS client installation with the following message:

'''"UPGRADEN.EXE" does not have expected exe MZ signature'''

===Solution===
This message is a note that the NEOSYS automatic update procedure failed to download an upgrade file correctly.
This happens sometimes due to network issues but can be ignored because the file will be probably be correctly downloaded on the next automatic update check.

'''Note:''' This message is only informative to help with any problem with the automatic upgrade procedure and may be removed in a later version of neosys (currently Oct 2012)

==Handling Duplicate Login Error E-mails==

===Explanation===
When a user starts a new session on NEOSYS, any existing session is lost. If a user then tries to go back and work on the old session, they will receive a Duplicate Login Error email.

This is because any user can have only one active session to work on. For example, if a user account is logged into NEOSYS from two different browsers or two different workstations at the same time, the user will receive this error e-mail.

===Error E-mail===
[[File:dup-login.png]]

===Solution===
To avoid the Duplicate Login error e-mail, you must always logout from your active NEOSYS session before starting a new session elsewhere.

==Testing https connection==

The following procedure tests that the https server is operational and not blocked by firewall etc. It does not detect certificate errors.

From a windows command prompt use the following telnet command:
<pre>
telnet clientname.hosts.neosys.com 4430
</pre>

#4430 is the usual NEOSYS http port but replace it by whatever port is actually used for NEOSYS https on the system being tested. If there are multiple https installations on a particular server then different ports are probably used
#Replace clientname.hosts.neosys.com with the normal https login domain name of the client for whom we want to check the https service

Normal behavior is that it should open a black screen. Pressing Enter or any key returns the _ character. (Close the window using the [X] since there is no keyboard command to do so)

Hanging means that there is some connectivity issue (firewall/ip/server not running/https not installed etc)

==Troubleshooting "page not found" error while using https==

'''Problem:'''

#The https service stops working and gives "Page not found" error.
#The https connection tests fine using telnet (see article above)

'''Solution:'''

#Reinstall https using the usual procedure (currently using selfssl)
#Email clients, requesting to reinstall the new security certificate by following the instructions for [http://userwiki.neosys.com/index.php/Setting_up_and_Configuring_NEOSYS_Generally#Fixing_HTTPS_certificate_error_when_logging_in_from_an_external_link_using_IE8.2C_IE9_and_IE10 Internet Explorer] or [http://userwiki.neosys.com/index.php/Configuring_Safari_for_MAC_OS#Fixing_HTTPS_certificate_error_when_logging_in_using_an_external_link_using_MAC_Operating_System Safari] browser.

==Installing "QUICKDEX" on some files==
"Quickdex" is a type of index that keeps an alphabetical order on small files. In some maintenance procedures you may be asked to "install Quickdex".

For example to add a quickdex to the UNITS file.

Maintenance mode press F5

DICT UNITS

<pre>
г=================Dictionary=================┐
│ │
│ File name UNITS │
│ Field name ......................... │
│ │
│ Dict type │
│ Single/Multi │
│ Data type │
│ Output format │
│ Validation patterns │
│ │
│ Position Key part │
│ │
│ Column heading │
│ │
│ │
│ Justification Display length │
│ Description │
│ │
│ │
L============================================-
</pre>

Press Shift+F3.

If it says "Do you want to remove ..." then Quickdex has already been installed and you should not continue. Press Esc to cancel, then Esc to quit.

<pre>
г=[B202]==================================┐
│ │
│ "UNITS" has │
│ "QUICKDEX" installed. │
│ │
│ Do you want to remove "QUICKDEX"? [Y/N] │
│ │
│<Y >│
L=========================================-
</pre>

Otherwise it should say "Do you want to install ...". Press Enter to accept.

<pre>
г=[W963]============================┐
│ │
│ Do you want to install a │
│ Quickdex or Rightdex index? [Q/R] │
│ │
│<Q >│
L===================================-
</pre>

It should then say "Do you want to update ...". Press Enter to accept.

<pre>
г=[W901]========================================┐
│ │
│ The "UNITS" file has had │
│ the "QUICKDEX" modifying filing system added. │
│ There are 0 records in "UNITS". │
│ │
│ Do you want to update "QUICKDEX"? [Y/N] │
│ │
│<Y >│
L===============================================-
</pre>

Afterwards it should return to the initial screen. Press Esc to quit.

==Solving NEOSYS smtp server failure==
In case the neosys smtp server fails then we can just use the client's smtp server.

The following information is required from the client's smtp server configuration:

#hostname
#username
#password
#port no. (most likely = 25)

These details should be entered in the '''System Configuration File''':

[[image:SYSCFGFILE-SMTP.jpg]]

==Strange characters in maintenance mode==
While in Maintenance mode, pressing keys on keyboard gives strange characters. Even Enter and Esc don’t work.

This problem has been seen using RDP on:

*Window Server 2003 Web Edition
*Windows Server 2003 R2 SP2

[[image:strangecharmaint.jpg]]

Solution:

#Go to Windows -> control panel
#Go to Regional and Language Options
#Click on Languages tab then click on Details [[image:lang1.jpg]] 
#Click on Settings Tab and Change default input language to English (United States) (or perhaps something else depending on rdp keyboard) [[image:lang2.jpg]] 

==NEOSYS processes do not start after Windows Update==

===Problem===
Scheduled Task to start the NEOSYS processes fail on Servers with Windows 2008 after Windows update. Support will have to log into the server to start the processes manually
Message on the Schedule Task displays " The operation being requested was not performed because the user has not logged on to the network. The specified service does not exit ".

[[image:sti.jpg]]

===Solution===

For clients who cannot tolerate manual intervention after server reboots for any reason (e.g.need to start work before NEOSYS support is available or on NEOSYS support weekends), tick "highest privileges" and "run whether the user is logged in or not". This approach means that NEOSYS processes which are started by the windows scheduled task are not visible on the desktop and run hidden in the background and only listed in task manager, so avoid this approach on small clients (only few users). Avoiding this approach will also serve to act as an indicator of server restarts.

==Troubleshooting NEOSYS remote support port forwarding==
This assumes that you have already “port forwarded” tcp port 19580 from your public internet router to the NEOSYS server.

===Tst 0 - Check if SSH is working on the NEOSYS Server===
Type in the following command in command prompt:
telnet 127.0.0.1 19580

IF ALL OK you will see the following:

[[image:tr-pf-03.jpg]]

===Test 1 - Check if SSH is basically working on NEOSYS server over the LAN===
You must know and use the NEOSYS SERVER LAN IP to do this.

telnet ???.???.???.??? 19580

[[image:tr-pf-01.jpg]]

If you have the WRONG SERVER LAN IP or NEOSYS server SSH is NOT working then it will hang for about 15 seconds and then say “Could not open connection to host …”

[[image:tr-pf-02.jpg]]

OR IF ALL OK you will see the following:

[[image:tr-pf-03.jpg]]

Press Enter to Exit

[[image:tr-pf-04.jpg]]

===Test 2 - Check if can connect to the NEOSYS ssh from OUTSIDE the office===
From any internet connected computer OUTSIDE the office test if you can connect to NEOSYS ssh service. You cannot do this test from inside the office.

You need to know the public ip or domain name of the router. If the router IP is dynamic then NEOSYS sets up dynamic name server so instead of a static ip number you will have a domain name something like clientxyz.redirectme.net.

Enter the command .. using YOUR public internet IP number (NOT the LAN ip number) or the dynamic domain name.

[[image:tr-pf-05.jpg]]

If everything is working OK you will get a black screen as follows. You will NOT get the “SSH-2.0-OpenSSH-4.7” banner” because NEOSYS ssh remote support is restricted to connect ONLY from LAN ip nos and NEOSYS office ip nos.

[[image:tr-pf-06.jpg]]

If you press Enter a few times then the cursor will just go down. You have click the [X] to close the window.

[[image:tr-pf-07.jpg]]

===Test 3 - Check that the ssh connection from step 2 was rejected===
On the NEOSYS server, check the Windows Application log to verify that an SSH connection was rejected.

The rejected ip number will be of the system outside the office that you performed the test from.

[[image:tr-pf-08.jpg]]

===Sample Email: Solving port 19580 port forwarding issues===

Some IT people know how to troubleshoot port forwarding issues but others are mostly just power users who can configure a home router. If the IT person is in the second category then it is quicker for NEOSYS support to offer to configure their router from the NEOSYS server using Teamviewer. Ideally NEOSYS should not be doing client IT work but if client IT allows NEOSYS access to their router then NEOSYS support can make a brief attempt to do the configuration. If the issue is still unresolved then request the client to get a professional IT network expert to do the job and inform them that NEOSYS will not be able to provide them any support till connectivity is fixed. Below is a letter advising a more skilled person to check connections using telnet which is a low level test.

You can usually determine the NEOSYS server LAN IP number from Nagios. If so then adjust the email text appropriately.
<pre>
Dear XYZ,

It is highly critical to fix the connectivity with the NEOSYS server because NEOSYS will not be able to provide any support until connectivity is fixed. User support issues will be delayed and remain unresolved if you do not fix this issue URGENTLY.

At the moment there is no connection from the internet via your router to the NEOSYS server and when we do the following, we get no connection.

telnet CLIENTNAME.hosts.neosys.com 19580

Normally it should connect and presents a black screen (saying SSH something after pressing Enter) which we close.

Please check that you can connect to the NEOSYS server internally by using the NEOSYS server IP address in the following command on any computer in your LAN.

telnet 192.168.?.? 19580

If you can connect to the NEOSYS server internally then please check port forwarding.

Additionally check the following:
1. Has your router IP changed? The IP we have is x.x.x.x
2. Has your server’s LAN IP changed and are you forwarding to the correct LAN IP?
3. Is the configuration really correct?
4. Check router logs for clues
5. Check NAT settings in the router

If you still cannot see the problem, do "telnet CLIENTNAME.hosts.neosys.com 19580" command from OUTSIDE your network to replicate the problem we are facing.

For troubleshooting steps refer Troubleshooting NEOSYS remote support
http://techwiki.neosys.com/index.php/Troubleshooting_NEOSYS_Generally#Troubleshooting_NEOSYS_remote_support_port_forwarding

If the problem still persists, please get a professional IT network expert to fix the issue.

Best Regards,

</pre>

===Port mapping restricted by Source IP===

On NEOSYS router, port forwarding has been setup only for specific source IP addresses. This means you will not be able to establish a TCP connection to NEOSYS server unless your server's outbound IP is mapped to the NEOSYS router. In other words unless the outbound i.e source IP/port of your server has been granted access on the NEOSYS router for all incoming connections you will not be able to make connections to NEOSYS server.

Outbound IP is used whenever a server tries to make a connection to another server outside its network. On the other hand a server receives all incoming connections using it's Inbound IP.

Therefore to setup ssh connection from a new Client server to NEOSYS server we need to grant access to its outbound IP on the NEOSYS router. See [[Troubleshooting_NEOSYS_Generally#If_Telnet_does_not_work | link]] to find the outbound server IP/ports of the server.

==Solving “Cant login … INVALID DATA PATH … permission denied”==
===Error Message===

[[image:error-invalid-data-path-1.jpg]]

'''Error Text:'''

Cannot login because:
ERROR: INVALID DATA PATH
“D:\HOSTS\HOSTNAME\DATA\HOSTNAME\~8746345.1$” Permission Denied

===Problem Explained===
When installing NEOSYS on an existing “non-clean” Windows installation, the standard NEOSYS installation procedure can result in failure to login if the standard windows folder permissions have been modified.

===Solution===
The solution is to grant IIS permission to write in the \neosys\DATA folder and subfolders as follows:

#First add the IUSR_XXXXXXX user to the list of users. (XXXXXXXX is the server name and therefore varies per server) as follows:
#*Right Click on DATA Folder and click on Properties
#*Click on Security Tab -> Add -> Advanced
#*Click on Find Now, Select the IUSR_XXXXXXX user and Click on OK [[image:error-invalid-data-path-2.jpg]] [[image:error-invalid-data-path-3.jpg]] 
#Second, for the newly added IUSR (IIS user) change the permissions as follows:
#*'''REMOVE''' the read and execute permission (for security, IIS should be unable to execute things that it might have uploaded)
#*'''ADD''' the write permission [[image:error-invalid-data-path-4.jpg]] 
#Login should now be possible.

==NEOSYS process window displays message "Upgrade Downloading"==

[[image:upgradedownloading.jpg]]

===Problem Explained===
NEOSYS thinks it sees an new neosys2.exe upgrade file on the location http://www.neosys.com/support/neosys2.exe which is accessed by http so attempts to download it.

Http proxies and various internet issues can cause incorrect info to be sent and there is actually no upgrade available. In this case, eventually it realizes that it cant find an appropriate and it stops.

You don’t have to worry about this case.

==Enabling EMS memory on Window 2003==

Normally EMS memory is provided by Windows 2003 but this can vary depending on the server hardware/bios configuration

If you get the following messages on Windows 2003

#Backup File Size is 0
#RTP27. [B28] Not enough String Space – Out of Memory

===Cause===

On servers that had no problem previously, the problem is caused by a windows update in Oct 2012 that disables standard Windows EMS memory.

The patch is issued by Microsoft on 9 Oct 2012 but the installation date in the server depends on when the update was actually installed.

http://support.microsoft.com/kb/2724197

===Solution 1 - maximum performance===

To re-enable standard windows EMS on older slower servers or servers where NEOSYS performance must be maximized.

The following link contains instructions how to remove the offending windows update

It also shows how to prevent it being reinstalled automatically by Windows.

http://www.columbia.edu/~em36/wpdos/emsxp.html

Don't forget to prevent it being reinstalled again automatically

===Solution 2 – ease of installation===

This option can also be used if Window 2003 is unable to provide EMS memory for example when the server hardware/bios configuration prevents it.

Install EMSMAGIC in the same way as for Windows server 2008

EMSMAGIC has higher memory consumption and makes NEOSYS processes slower so it is better to use Solution 1 above if NEOSYS performance is an issue.

==Fixing no output file in XXX YYY Issue==

===Error Message===

[[File:Nooutputfile.jpg]]

===Problem Explained===

The message “No output file in XXX YYY” can appear at several instances in NEOSYS, most often when generating reports or documents.

This problem is usually caused by software error and it indicates that the NEOSYS server responded without any output and without any message.

===Solution===

*Find proof to check if the data required for the report actually exists. This way we can eliminate lack of data as a cause for this error.
*Check to see if a similar issue has been fixed in latest version of NEOSYS.
*Document HOW and WHERE the problem can be duplicated by NEOSYS programmers to identify and correct the software.

==Fixing "Units file is missing" error==

[[Image:unitsfile.png]]

===Solution===

As the message mentions, the 'Units' file is missing. This error can be fixed by copying the file from any other installation, since the Units file is the same in all installations.

The Units file is found in the 'General' folder. Path : neosys/NEOSYS/DATA/DATABASE/GENERAL/

==Troubleshooting Internet Connections==

===Cannot Connect===

While investigating as to why users are not able to access NEOSYS or http://www.neosys.com/ , you can check which ISP the connection issue is on.

<pre>whois ipno</pre>

Inspect very carefully to get clues as to which ISP and which AREA of the ISP the problematic ip numbers are and which do NOT have problems

Doing tracert on windows command prompt on the user's computer may help locate which point on the route between the user and the server is blocking access

tracert xxxx.hosts.neosys.com

where "xxxx" is the client name. In this example, the output will be something like shown below:

<pre>Tracing route to xxxx.hosts.neosys.com [37.48.81.101]
over a maximum of 30 hops:

1 2 ms 1 ms 3 ms ukr.sb.com [192.168.2.1]
2 10 ms 10 ms 11 ms losubs.subs.bng2.th-lon.zen.net.uk [62.3.80.21]
3 12 ms 10 ms 67 ms ae1-182.cr1.th-lon.zen.net.uk [62.3.86.80]
4 10 ms 11 ms 11 ms ae0-0.br2.th-lon.zen.net.uk [62.3.80.42]
5 13 ms 14 ms 14 ms peering.thn.lon.leaseweb.net [195.66.225.56]
6 23 ms 23 ms 24 ms te-0-10-0-19.bb01.ams-01.leaseweb.net [31.31.32.71]
7 22 ms 22 ms 23 ms xe-11-2-3.br01.ams-01.nl.leaseweb.net [31.31.38.89]
8 25 ms 28 ms 26 ms be-10.cr02.ams-01.nl.leaseweb.net [81.17.34.21]
9 24 ms 20 ms 25 ms po-1002.ce02.ams-01.nl.leaseweb.net [37.48.95.195]
10 24 ms 22 ms 22 ms nl10r.neosys.com [37.48.81.101]</pre>

===Troubleshooting TCP/IP Connections===

====Telnet check====
telnet <hostname> 19580

If success then host is on web and port is open.
Otherwise if error: "Connection refused," then either an intermediate firewall is blocking access or the port is closed on host machine.
Action: check with client if office firewall(s) allow connection on that port and if the port is open on the host server.

====If Telnet does not work====
In case telnet does not work, login to the remote host server to investigate the issue. Run the following command simultaneously while doing Telnet from client server to the remote host to check if the TCP packets are reaching the Remote server.
<pre>
tcpdump -v 'src host client-domain-name/ip'
tcpdump -v portno
</pre>

To check if packets are sent from the client server to the remote host, you can run the following command simultaneously while trying to ssh to the remote server.
<pre>netstat -an </pre>

You can also check if the outbound ports are open from which you are trying to establish the TCP connection to the remote server.
<pre>telnet portquiz.net portno </pre>

The outbound IP addresses at times can be different from the public IP of the Client server so be sure that the public IP of the client server is the same as its source IP (which represents an incoming connection from Client to Remote server). One way to find the source IP of the Client server is sending an email from Client server to "support@neosys.com". On receiving the email in Thunderbird, select the email and press Ctrl+u. A new window Opens giving full details of the email received. The third "Received :from" gives the IP of the source.

===Troubleshooting DNS failure===

NEOSYS clients routers are usually configured to use their ISP DNS service and the ISP DNS service is supposed to contact one of NEOSYS's DNS servers to convert server names like hosts.neosys.com into IP numbers. Misconfiguration of clients routers or problems in the ISP DNS server may cause CANNOT CONNECT problems. Often the connect fails quickly and immediately since if a name cannot be converted to an ip number then the connection cannot even be attempted and therefore there is little or no timeout to wait through.

NEOSYS.COM name servers are listed publically and obtained by whois command.

whois neosys.com

Name Server: DNS1.EASYDNS.COM
Name Server: DNS2.EASYDNS.NET
Name Server: DNS3.EASYDNS.ORG
Name Server: NS12.ZONEEDIT.COM
Name Server: NS18.ZONEEDIT.COM

In order to contact NEOSYS DNS servers the ISP's have to use a global DNS to obtain the ip addresses of NEOSYS DNS servers given the host names of NEOSYS DNS servers given in the whois info

Here is an example of DU testing NEOSYS DNS servers. The NEOSYS DNS server ip addresses are listed in the Destination column.

[[File:internet.png]]

If one DNS server is down or unreachable REGARDLESS OF REASON, the ISP is supposed to use the other DNS servers. It is impossible for all NEOSYS DNS servers to be unreachable except in gross disconnection from the internet of the ISP since it is effectively impossible that all NEOSYS DNS servers which are carefully spread around the internet, to be unreachable.

In the above test one of the NEOSYS DNS servers is unreachable but all the others are reachable therefore DU should have no problem providing DNS service to its clients.

ISP are often worse at providing DNS server than the famous GOOGLE DNS servers, so re configuring client router to use GOOGLE DNS servers is a way to prove that the problem lies with the ISP's DNS service

===Additional test for troubleshooting problems with uploading===

====Verifying that upload.dll can run====

This isnt a complete test of everything. It just checks if the upload program can be run by the web server. It doesnt check if uploads work or the image directory is correctly configured with the right permissions and uploads can actually be done.

=====Error Message=====

... to be added when discovered ...

=====Test=====

Test HTTP if accessible by LAN; Test HTTPS is accessible by Internet; Test both if both are available.

On the server type the following into a browser

LAN/HTTP:

http://localhost/neosys/neosys/dll/upload.dll

WAN/HTTPS:

https://localhost:9999/neosys/dll/upload.dll

=====Expected Result=====

<pre>
Upload Error. !
Please call me from a form !!!
The first param must be Filename= name of the uploaded file, TYPE=TEXT
The second param must be Filedata= uploaded file, TYPE=FILE
The third param is optional PathData= path to uploaded file, default c:\temp\, TYPE=HIDDEN
The forth param is optional RedirectPage= name of asp who receive the results, TYPE=HIDDEN
Add others params at the end with INPUT tag.
</pre>

[[image:Uerror.jpg]]

==Patching a NEOSYS program==

Patches done to NEOSYS programs are not affected by live to test database copy, since the programs are on installation level and not database level.

The patch provided will tell you the program name and contain either a whole replacement program text or just some changed lines which you will have to find and edit.

For older versions of NEOSYS, you will need to know the file name which may be provided along with the patch or you can find it using the following code in maintenance mode:

ED VOC programname

ED VOC XYZ tells you what program name is executed and from what file, when you type the command XYZ. Normally the program name is the same as the command.

The file name will normally be BP for agency programs, GBP for general programs or ABP for finance programs.

NEOSYS programs are stored in files just like records of ordinary database files. You can edit either with "ED filename programname" or "TED filename programname". TED is better for editing source code as it opens the the code in a text editor, whereas ED opens the code in the same maintenance window.

To test patches immediately, Support may have to clear cache by pressing CTRL+F5. Refer to [[Configuring_IIS#IIS_web_page_caching|Web Caching]] for more information.

===Installing patch in live database===

In the rare case that the programmer asks Support to install the patch directly on LIVE dataset, start by typing the following command in maintenance mode before commencing:

UTIL

Follow the instructions mentioned in the [[Troubleshooting_NEOSYS_Generally#Installing_patch_in_test_database| next section]], but skip the instruction to TEST the patched program in test dataset.

The instruction to INSTALL the patched program MUST be followed BEFORE testing the patch in live dataset. Otherwise the changes will not get reflected.

===Installing patch in test database===

1. EDIT the program source code.

TED programname

If you have to edit or patch a program that starts with the word DICT. and the remainder of the program name is the same as a real file name e.g DICT.INVOICES, then you cannot omit and must type the actual source file name - in this case, "BP".

Otherwise, if you just type "ED DICT.INVOICES" hoping to edit the DICT.INVOICES program in the BP file, then you will end up editing the dictionary of INVOICES, which is not what you are trying to do. Use the command below to edit such type of programs:

ED BP DICT.INVOICES

If you want to patch line 8, i.e. the source code, of an S type dictionary then you can use TED for easier editing.

TED DICT.filename itemname

Next either cut and paste to modify the whole program or edit the program text according to the patch/instructions provided.

Save and close the program source code.

2. COMPILE it. If you get errors then check your edits are correct and recompile otherwise return the patch to programming.

In newer versions of NEOSYS, versions in and after April 2018, use the below command for compiling.

CO programname

In older versions of NEOSYS, you will have to include the filename.

COMPILE filename programname

3. TEST it. Ensure the patched program now works in TEST database.

4. INSTALL the patched program in the LIVE database.

For newer versions of NEOSYS, versions in and after April 2018, use the below command to copy from test to live.

COPYBP programname

For older versions of NEOSYS, depending on the filename that you patched, one of the following commands will have to be used.

COPYGBP programname
COPYABP programname
COPYBP programname

==Patching NEOSYS dictionaries==

A patch to a dictionary applies immediately when you save it and to all datasets regardless of which dataset you work in.

You need:

#the file name eg INVOICES
#the item name (column name) eg DATETIME_AMENDED
#10 lines of data similar to the example below.
#if the item is an S type dictionary, then either the whole, or only the amended part, of the source code of the dictionary.

ED DICT INVOICES DATETIME_AMENDED

TYPE everything below exactly on the corresponding line numbers except lines 3 and very commonly line 8, as these lines may contain multiple values separated by a superscript 2 (²). Line numbers in the below screen are only for illustrative purpose.

<pre>
╔═══════════════════════════┤DATETIME_AMENDED├═════════════════════════╗
1║S ║
2║ ║
3║DateTime²Amended ║
4║S ║
5║ ║
6║ ║
7║[DATETIME] ║
8║updated=@record<28>²created=@record<31,1>²@ans=''²if created and num(c║..actually this line continues off the screen to the right
9║R ║
10║10 ║
11║ ║
: :
: :
╚══════════════════════════════════════════════════════════════════════╝
</pre>

Press Ctrl+E on lines 3 or 8 in order to enter sub-lines.

The multiple values (on line 3 and 8) separated by a superscript 2 (²) automatically appear when sub-lines are entered.

For line 8, you will need to cut and paste the lines of below program to the Ctrl+E screen:

<pre>
╔═════════════════════════┤Field 8 of DATETIME_AMENDED├════════════════════════╗
║updated=@record<28> ║
║created=@record<31,1> ║
║@ans='' ║
║if created and num(created) and num(updated) then ║
║ createdsecs=field(created,'.',1)*86400+field(created,'.',2) ║
║ updatedsecs=field(updated,'.',1)*86400+field(updated,'.',2) ║
║ if abs(updatedsecs-createdsecs)>120 then ║
║ @ans=updated ║
║ end ║
║ end ║
║ ║
║ ║
╚══════════════════════════════════════════════════════════════════════════════╝
</pre>

After you save and exit the Ctrl+E screen, you will see the sublines separated by superscript 2 appear in one line in the ED screen.

Similarly, for line 3, you need to enter its sub-lines in Ctrl+E screen.

To ensure indenting remains nice (although indenting is not important and can be messed up without causing any problem) then copy the double bars at the front of the lines (if available, otherwise insert some char in position 1 of each line perhaps) and then remove them after you paste ... or just edit until the indenting is correct if you really want to.

Press F9 and/or Esc to save and/or exit from Ctrl+E screen

Press F9 and/or Esc to save and/or exit from ED

==Linux Commands==

This section is aimed teaching support, new to the Linux environment, how to navigate and use the most common useful commands.

Use google or "man <programName>" to get the manual of a program. E.g "man man" gives you the MANual for the Manual program.

"|" use the pipe command to take output of one command and input into another. E.g Cmd: " Echo "ABC" | removeA | removeC ". Output = "B"

Typically commands assume you mean the current directory, if you don't specify which directory you want the command to perform in/on.

Strings with spaces have to be wrapped in double quotation "May 14 01:30:55" before use as input to most commands.

Follow this convention in wiki to understand the syntax (structure) of the Linux commands and options.

Input wrapped in "<...>" is mandatory.

Input wrapped in "[...]" is optional.

===Searching for strings in one or many files using grep===

Using the GUI with Ctrl + F is laborious and less powerful.

Use grep command in Linux or Cygwin to search files especially when you are doing deep inspection of NEOSYS Logs.

Use the following command to search for a string in any file or directory

grep <string> [path to file OR filename] [-r]

Where "string" is the text to be searched and "-r" means recursive - check all files in all sub directories.

grep -i -a string path/file

where "file" is the type of file you are looking for and "path" is the path of the directory you are looking into. Use "" when having spaces in your string.

"-i" means ignore upper/lower case characters in the string and "-a" means treat the file type as text and display the matching text)

e.g when searching in NEOSYS logs the year/month/date is specified in the file name, so if you are looking for a file in year 2016 in the month of Feb, use

grep XXXX path/1602*

In the above command * (asterisk) is a wildcard "means replace * with any thing" and is used when you don't know what that part of the command could be.

E.g "*.jpg" means any file names that end with ".jpg"

Sample below of grep command and its output where it is searching for "Dior" in 2016 march logs.

$ grep -i Dior /cygdrive/d/hosts/test/logs/test/2016/1603*
Binary file path/16030301.XML matches

Using * (asterisk), a string can also be searched globally across all installations on the server.

Below example will search all files whose file names begin with "NEOS00", in all client installation folders inside the "hosts" folder, for log entries containing text "5th June 2016".
$ grep -a "2016 JUN 05" /cygdrive/d/hosts/*/logs/NEOS00*|less

Use the commands below to display the search string and required number of lines that come either after or before the search string, depending on what you enter in your command. It helps to get more information from files especially when you only know few words and the other information around the searched string also gets displayed.

grep -A<NUM> string file

Above command will display the line where the searched string was found, and also display NUM lines after the searched text

grep -B<NUM> string file

Above command will display the line where the searched string was found, and also display NUM lines before the searched text

See the examples and their respective outputs below:

$ grep -A2 -i "Dior" 1603*
Binary file 16032101.XML matches
Binary file 16032901.XML matches

$ grep -A2 -a "Dior" 1603*
16030301.XML:<DataOut>DIOR%FEPOI%FE'''Dior''' Poison%FE%FE%FE%FE%FEDubai, UAE%FE%FE%FE%FEN%FE%FE%FE%FE%FE%FE%FE%FE%FE%FE%FEN%FE%FE%FE17584.43592%FE%FE%FE%FE%FE%FE%FE%FE%FE%FE%FE%FE%FE%FE%FE1%FE%FE%FE%FE%FE%FE%FE%FE%FENEOSYS%FE17584.43592%FE94_200_49_146%FE1%FE%FE%FE%FE%FE%FE%FE%FE%FE%FE%FE%FEpaulson</DataOut></Message>
--
16030301.XML:<DataOut>DIOR%FEPOI%FE'''Dior''' Poison%FE%FE%FE%FE%FEDubai, UAE%FE%FE%FE%FEN%FE%FE%FE%FE%FE%FE%FE%FE%FE%FE%FEN%FE%FE%FE17584.43592%FE%FE%FE%FE%FE%FE%FE%FE%FE%FE%FE%FE%FE%FE%FE1%FE%FE%FE%FE%FE%FE%FE%FE%FENEOSYS%FE17584.43592%FE94_200_49_146%FE1%FE%FE%FE%FE%FE%FE%FE%FE%FE%FE%FE%FEpaulson</DataOut></Message>

Some more examples of grep below:

Use the command below when searching for more than one string 
grep -a string1 *|grep string2

Use the below command to omit the lines containing specific strings in your search:
grep -B2 -a Processing 160329*|grep -v DataIn|grep -v Message|less 
Above command will display lines containing string "Processing" and exclude lines containing string "DataIn" and "Message", |"less" displays the output in a new screen.

Use "zgrep" command to search in zip files:
zgrep string1 /path |zgrep string2 |less

===FIND===

Use this find command to list all files/directories modified after a certain date.

find [path, if omitted means = current directory] [-type f,d] [-newermt 'MM/DD/YYYY HH:MM:SS']

Or use a filename instead of date:

find -newer filename

==Managing the queue of reports being delivered by email==

In maintenance mode.

===Listing===

LIST DOCUMENTS WITH SCHEDULED_ONCE

===Clearing===

SELECT DOCUMENTS WITH SCHEDULED_ONCE
DELETE DOCUMENTS

==Reduce used disk space on NEOSYS or client hosted servers==
Non essential files getting accumulated over time can take up a lot of space on the hard disk resulting in low free space on the server. NEOSYS Client Monitoring system alerts about low free space for win3 server as it monitors the Disk Space of both C & D drive. To fix it Support team will have to create free space on the server.

Making space on the server is time taking and requires patience as you need to go through all the files/folders looking for non-essential files. Do not make any assumptions for not looking into a folder.

Non-essential files are the ones without which we can work properly and will continue to work in future.

Support team should keep in mind the below points while creating space on the server:

#Look into the drive for which nagios is alerting and dig into all the folders.
#Right click Folder > Properties > Size on Disk, to find out the size of a folder.
#On d drive majority of the space is taken by d:\hosts and d:\data.bak folder and on c drive it's taken up by the important windows/cygwin folders.
#The space distribution will give you an idea about which folders to target that can free up a good amount of space on clean up.
#Following are the non essential files/folders which can create a lot of space on removal. Use your intelligence and presence of mind while deleting files/folders because once deleted the information is lost forever.
#*Folder: d\data.bak. Check for stopped clients' backups and delete if present.
#*Folder: d\hosts\clientname\logs (where clientname stands for all the client folders in hosts) Look into logs prior to the current year and the year before and delete them. In the recent versions of NEOSYS, log folders are compressed and take up a lot less space on disk than presented as their size. You can see the difference in their properties.
#*Folder: d\hosts\clientname\downloads. This folder might contain lot of old versions of neosys.exe files. Keep the two latest versions and delete the rest. Do this for all client folders except test installation because Support maintains all the old versions of neosys.exe in it.
#*Folder: d\hosts\old. In this folder, delete all client folders that are older than 1 year.
#*Apart from above folders look for random backup.zip files present in c/d drive. This happens when Support restores data from a zip file and forgets to delete it after the restore.

To quickly get an idea of which directories consume the largest space, SSH onto server and use the "du" command along with various options, combined with command "sort".

"du" Disk Usage is used to estimate file space usage under a particular directory. Look up "sort" and "head".

Use this to find the estimate disk usage of each sub directory of every log directory in /hosts and then sort -n umerically and -r everse sort from high to low:

du /*/LOGS/*/20* --time | sort -n -r

Go to /hosts or D:/NEOSYS folder. Use command to get the estimate disk usage for all sub directories excluding directories where you know for certain files cannot be deleted.
(sort the directories by highest to lowest estimated disk usage in kb and then shows the top 20)

du --exclude={*/NEOSYS,*/neosys.net,*path/to/another/dir/that/cannot/be/deleted} --time | sort -r -n | head -n 20

===Reduce used disk space on backup servers===

If a server is scheduled to daily delete backup files older than 30 days, then there may be random files that are left behind for longer than 30 days, which are:

*any xx/xx/31 files on months than are followed by months with only 30 days, since the backup procedure deletes the previous month's file on the same day and day 31 does not exist in all months and
*any "same day last month" files that were not deleted by the backup procedure because it did not run or did not complete.

Use "crontab -l" to list all scheduled tasks, to find the how old a file must be before it is deleted.

==Troubleshooting Scripting Disabled error message on browser==
Error: NEOSYS requires You have
1. Internet Explorer 6+
or Safari 3.1+
or Firefox 3+
or Chrome 8.0+
2. Scripting enabled Scripting disabled
3. Cookies enabled Unknown

[[image:IEtrb1.jpg]]

Follow steps in given link to fix Script disable error on browsers : https://wmich.edu/helpdesk/internetenablecookies

==[[Configuring_IIS#Solving_.22Service_unavailable.22_error_due_to_disabled_application_pool | Handling 'Service Unavailable' on browser due to IIS issue]]==

==Searching for users with a particular email address==

In maintenance mode

FIND USERS XX@YY.COM

Configuring IIS

2019-12-02T21:34:15Z

Steve: /* Solving "HTTP Error 503. The service is unavailable." */

After you have installed all the NEOSYS program files you need to configure IIS so that you can operate NEOSYS. Instructions are below.

== Configuring IIS for windows 2003 ==

=== Creating a new website in IIS ===

First step is to stop the default website in IIS. Right click on Default Web Site and select "Stop".

'''Client Server:''' Create a website called neosys linked to D:\neosys\neosys.net:

'''WIN3 Server:''' Create a website called "clientname" linked to D:\hosts\clientfolder\neosys.net

[[image:figure1.jpg]]

[[image:figure3.jpg]]

A new window will pop up "IP Address and Port Setting" after completion of the above step.

'''Client Server:''' Select *(All Unassigned)* from the drop down list of "Enter the IP address to use for the Web site" and keep the default port as 80.

'''WIN3 Server:''' Select the static Ip from the drop down list of "Enter the IP address to use for the Web site" and enter then next port available and click on next.

[[image:Figure_2.jpg‎]]

'''Client Server:''' Within the above neosys web site folder create a virtual directory called data linked to D:\neosys\data:

'''WIN3 Server:''' Within the above clientwebsite folder create a virtual directory called data linked to D:\hosts\clientfolder\data:

'''(I haven’t got the screenshot because I can only get it once I create the above)'''

=== To allow file uploads ===

==== Create IMAGES directory ====

'''Client server:''' create a folder IMAGES under D:\neosys and within the neosys web site folder create a virtual directory called images linked to D:\neosys\images: Modes: READ and WRITE

'''WIN3 Server:''' create a folder IMAGES under D:\hosts\clientfolder and within the client web site folder create a virtual directory called images linked to D:\hosts\clientfolder\images: Modes: READ and WRITE

'''(I haven’t got the screenshot because I can only get it once I create the above)'''

==== Permit upload.dll ====

# Right click on dll ( Default Web Site, neosys, NEOSYS, dll)
# Under Permissions set Execute Permissions: Scripts and Executables

# Internet Information Services (IIS) Manager
# Web Service Extensions
# All Unknown ISAPI Extensions: Allowed

=== Create "Cache-Control" HTTP Header ===

This custom HTTP Header is created so that users will not have to clear browser cache after a NEOSYS upgrade.

#Right click on neosys (Web Sites, neosys)
#Select Properties and click on the HTTP Headers tab
#Add a new custom HTTP Header with "Cache-Control" as header name and "public,max-age=300" as the header value.

[[File:cacheheader.png]]

===[[Backing_up_and_Restoring_IIS_configuration#Set_IIS_automatic_backup_location_to_d:| Set IIS automatic backup location to D:]] ===

== Installing IIS for Windows 2008 ==

First install IIS from Control Panel > Programs & Features > Turn Windows Features ON or OFF > Add Roles:

[[image:iis1.jpg]]

On the window that pops up click on next and you will get this screen, tick Web Server (IIS) - on the prompt click on Add Required Resources and then on Next:

[[image:iis2.jpg]]

On the next window, click on next until you get this window - tick ASP and ISAPI Extensions:

[[image:iis3.jpg]]

Click on Next and Finish

== Configuring IIS for Windows 2008 and Windows 10==
===Create a new Website===
After successfully installing IIS, go to Control Panel > Administrative Tools > Computer Management > Services and Applications > Internet Information Services (IIS) > Machine Name > Sites > Default Website.

'''Client Server:'''
#Stop the Default Website.
#Right click on Sites folder and click on Add Website.
#Create a website called '''neosys''' and linked to {{Client server Installation Location}}neosys.net as shown in the screenshot below.

'''WIN3:'''
#Right click on Sites folder and click on Add Website.
#Create a website called "clientname" linked to {{NEOSYS server Installation Location}}neosys.net as shown in screenshot below.
#Since win3 is not connected to any LAN and exclusively serves https only, therefore setup a https binding only with a port number which is unique, unused and one greater than the previous port used in the series which is 4431 onwards. The highest port number used in this series can be found by checking IIS manager -> NEOSYS ->Sites.

Refer to [[Setting_up_HTTPS#Creating_multiple_HTTPS_web_sites_on_NEOSYS_hosted_server| setting up the https for a site on NEOSYS hosted server]] for details.

[[image:iis4.jpg]]

===Link Data Folder===

'''Client Server:''' Within the neosys website folder create a virtual directory called '''data''' linked to {{Client server Installation Location}}data

'''WIN3:''' Within the "clientname" website folder create a virtual directory called '''data''' linked to {{NEOSYS server Installation Location}}data

[[image:iis5.jpg]]

===Allow file uploads===

'''Client Server:''' create a folder '''images''' under D:\neosys and within the neosys web site folder create a virtual directory called '''images''' linked to {{Client server Installation Location}}images

'''WIN3:''' create a folder '''images''' under D:\hosts\clientfolder and within the "clientname" website folder create a virtual directory called '''images''' linked to {{NEOSYS server Installation Location}}images

[[image:iis7.jpg]]

After you add all virtual directories the tree map of the website should look as follows:

[[image:iis8.jpg]]

===Configure file uploads besides adding the images directory===

#In IIS open Handler mappings in the top server level
#Right click ISAPI-dll and choose Edit Feature Permissions
#Check Execute and save.

This is already setup for win3

[[image: iisisapi.jpg]]

'''For single site servers follow the steps below only if file upload does not work in NEOSYS after doing the above.'''

Go under IIS > Default Website > neosys

Click on Handler Mappings and delete the ISAPI you see there

[[image:iis9a.jpg]]

Thereafter click on Add Script Map and fill in the details as follows –

Request path: *.dll

Executable: {{Client server Installation Location}}neosys.net\NEOSYS\dll\upload.dll

Name: ISAPI

Click on OK and on YES in the confirmation box

[[image:iis9b.jpg]]

[[image:hm.jpg]]

===Editing the hosts file===
Edit the hosts file under c:\windows\system32\drivers\etc\ - delete the # sign next to 127.0.0.1 localhost and include the # sign before ::1 localhost

[[image:iis10.jpg]]

=== IIS web page caching ===

Webpage cache is set to 5 mins in neosys.net/web.config on Windows 2008/10 and in IIS configuration on Windows 2003.

If a NEOSYS user opens a web page 5 mins after the file was updated then their computer will get the latest version.

If support team is patching and wants to test without waiting for 5 mins then they will have to press Ctrl+F5 to refresh or perhaps even clear their cache using the usual methods.

===[[Backing_up_and_Restoring_IIS_configuration#Set_IIS_automatic_backup_location_to_d:| Set IIS automatic backup location to D:]] ===

== Disabling unsecure SSL3 protocol on Windows IIS web server ==

POODLE is an information leakage attack on client browsers while accessing web server that support the older SSL3 protocol. It is easy to prevent it by reconfiguring web servers to not support SSL3.

=== Securing IIS web server on win2003 and 2008 by disabling unsafe SSL3 protocol ===

#For Systems with https installed check if the web server is vulnerable (see [[Configuring_IIS#Testing_for_IIS_vulnerability| Testing for IIS vulnerability]] ). For systems with no https installed,continue to step2 to prevent SSL3 accidentally being enabled if https is installed in the server in future and then test for vulnerability.
# run the following commands on the server
#reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /t REG_DWORD /v Enabled /d 0 /f
#reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" /t REG_DWORD /v Enabled /d 0 /f
#reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128" /t REG_DWORD /v Enabled /d 0 /f
#reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128" /t REG_DWORD /v Enabled /d 0 /f
#reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128" /t REG_DWORD /v Enabled /d 0 /f
#reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128" /t REG_DWORD /v Enabled /d 0 /f
#Reboot the server (at any time later using standard NEOSYS rebooting procedure without disturbing users)
#Perform the diagnostic for vulnerability

=== Testing for IIS vulnerability ===
==== A. Determine host and port and where to test from ====
If you have a public https server that you can access like https://demo.neosys.com:443, in a linux command prompt eg nagios login:

*$HOST for host name like demo.neosys.com
*$PORT with something like 443 or 4430 depending on port forwarding on the public router

or if testing a private https server with no public access, using a cygwin installation on the same server in the cygwin prompt:

*$HOST for host name like 127.0.0.1
*$PORT with something like 443 or 4430 as per IIS manager configuration

If https is enabled on the server/website and you are able to access the website via https using a browser, then you must be able to test for openssl on the same browsed host and port. You must also test this locally to ensure that the right server is being fixed. If the website is not public, then https must not be enabled, which means there is no reason for using cygwin openssl.

==== B. Check you CAN connect to https server using TLS ====

openssl s_client -host $HOST -port $PORT

<pre>
nagios@vm1m:~$ echo|openssl s_client -host demo.neosys.com -port 443
CONNECTED(00000003)
depth=0 CN = demo.neosys.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = demo.neosys.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=demo.neosys.com
i:/CN=demo.neosys.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIB2DCCAUWgAwIBAgIQd0J0l4kJrpJHonAv5U8VLjAJBgUrDgMCHQUAMBoxGDAW
BgNVBAMTD2RlbW8ubmVvc3lzLmNvbTAeFw0wODA3MjcxOTUxMDNaFw0zNTEyMTIx
OTUxMDNaMBoxGDAWBgNVBAMTD2RlbW8ubmVvc3lzLmNvbTCBnzANBgkqhkiG9w0B
AQEFAAOBjQAwgYkCgYEAxzwtoqq49vV7pyBQ6Ej+PvbB1QxkdsxNn5EZSLSOppCb
jNjV8fFa98unPR0pGM0UdjWMUYodj12c2pnIrfrtXv7pYf+iC1corPEY7607Icbs
rSOc5aFwnlUYpktoysV1G1crGYgYgXbXgVOUO9phHXJarpKf6SjVw3uXTLlmPUkC
AwEAAaMnMCUwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDgYDVR0PBAcDBQCwAAAAMAkG
BSsOAwIdBQADgYEAmgyW60pT62JuM8GH+KogHW7viaMsifXitm3BC/GfaORpJCox
aS20fAlzGyAlDe9nZWN4roLSxQv0laJkxyNPDuHvLJt1l0FVdk6/vGB6QH0KqM+S
UaUTLsDZ99UNS/inotobxD9vXuKl58Uoe2lu7r9vJ+1DWDC6AyueSZ6xnno=
-----END CERTIFICATE-----
subject=/CN=demo.neosys.com
issuer=/CN=demo.neosys.com
---
No client certificate CA names sent
---
SSL handshake has read 635 bytes and written 411 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES128-SHA
Session-ID: 8A0A00002D51DE183AC2845C6B3FF4BC7485181B4DCBC1758E3A2D5399BDD71C
Session-ID-ctx:
Master-Key: B10B9370E4DF70E873873AB9851B3CEF19623E6ADA697955E375D931DEE8301D798B4CB14C8D33FCF1BA066C0CC23897
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1413885416
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
DONE
</pre>

==== C. Check that you cannot CANNOT to https server using SSL3 ====

openssl s_client -ssl3 -host $HOST -port $PORT

==== CAN CONNECT = VULNERABLE = NOT OK ====

If you get this then you need to configure the server to prevent SSL3

<pre>
nagios@vm1m:~$ echo xxx|openssl s_client -ssl3 -host demo.neosys.com -port 4430
gethostbyname failure
connect:errno=0
nagios@vm1m:~$ echo xxx|openssl s_client -ssl3 -host demo.neosys.com -port 4430
CONNECTED(00000003)
depth=0 CN = demo.neosys.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = demo.neosys.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=demo.neosys.com
i:/CN=demo.neosys.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIB3jCCAUugAwIBAgIQNj9FMjT1vIxGo2Mv2Ta9vzAJBgUrDgMCHQUAMB0xGzAZ
BgNVBAMTEmFkbGluZWQubmVvc3lzLmNvbTAeFw0wODAzMjUxMTIxMzFaFw0zNTA4
MTAxMTIxMzFaMB0xGzAZBgNVBAMTEmFkbGluZWQubmVvc3lzLmNvbTCBnzANBgkq
hkiG9w0BAQEFAAOBjQAwgYkCgYEArRuijA8jz3qBm2ZZEwITIJLWIMlQmZxcUvOo
HNZL0+3oJuX0AQqtpRZMp/7ob9agngfwJQ36vK+424zcBbmKxA2MweKZRalN2jz+
rdr1oeZ6/Ff3r8+rCPFj/B8CfMOQbSv6YcR0kVc+8ugybB7qT6Nq5ZWOAczG3Ikt
4EnOlqUCAwEAAaMnMCUwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDgYDVR0PBAcDBQCw
AAAAMAkGBSsOAwIdBQADgYEAHIq5Gn2LiMgXFaUYrFEfHeajD4jAwdFw+zrjcBDZ
qM9LnhndHhdPogow9m9cCv1n57ne9rZL1v7w7Y6C53359hTUVZFqtHFfzcWnNyKD
uHD9a8QDk6/dSwBr/SWIE6OdFUYAj/kDXRQNB5H459spRVa3Yws8vpwrWZhoklxq
CQg=
-----END CERTIFICATE-----
subject=/CN=demo.neosys.com
issuer=/CN=demo.neosys.com
---
No client certificate CA names sent
---
SSL handshake has read 649 bytes and written 342 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : RC4-MD5
Session-ID: 441A0000EBC1D634B2CDB12924F9B980D2A4CF8C4DD6D3FB9728D3C74F62A8FE
Session-ID-ctx:
Master-Key: 38F040BE3E7098857B7CB9FF3B44937786F8F8C002B0042370B29F20EFB582833F9E24CFC8E6560AFD06751DC93412D3
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1413885545
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
DONE
</pre>

==== CANNOT CONNECT = NOT VULNERABLE = OK ====

<pre>
nagios@vm1m:~$ echo|openssl s_client -ssl3 -host demo.neosys.com -port 443
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1413885702
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
</pre>

=== Enabling Internet Explorer 6 to access secured https web servers ===

To use Internet explorer 6 (on win2003 and XP-before-SP3) to access secured http web sites you need to enable IE6 to use TLS 1.0. Internet Explorer 6 is present in Windows Server 2003 and Windows XP-pre-SP3.

You can also disable SSL 2.0 and SSL 3.0 for additional safety. This good for later versions of Internet Explorer too.

[[File:IE_options.jpg]]

== Generating IIS certificates for https using openssl ==

This covers the two main type of certificates:

#"proper" certificates (accepted by all browsers without complaint) - issued by bona fide certification authority only on proof of control of a domain name - usually for a small fee
#"self signed" certificates (not accepted by all browsers without error messages without special configuration) - easily
issued by anybody without the slightest restriction

NEOSYS' proper https certificate for *.hosts.neosys.com, valid approx Jan-Dec 2016, issued by Comodo, was purchased from namecheap.com for a small fraction of the price of purchasing from Comodo or one of the other main certification authorities.

There is no technical requirement to renew certificates with the same issuing authority, nor is their any restriction whatsoever from having multiple concurrent overlapping certificates, in any combination, for the the same domain name or subsets of a domain name. For a certificate to be "proper" it merely has to be issued by (not necessarily purchased from) one of the certificate authorities registered in all the main browsers using by NEOSYS clients. Unlike DNS domain name registrars, of which you can only have one at any one time, and which take to change, certificates are simply installed in particular servers without reference to each other, nor to any imaginary central internet registry, as IS the case for the DNS domain name registry.

The sales of certificates is a bit of scam really because anybody can get a certificate from the main commercial certificate authorities merely by proving control over a domain name - for example, by receiving an email to ADMIN@xxxxx.com. Except for EV certificates such as those issued to banks etc, most https certificates are issued without any check on physical identity or reputation, therefore the cost of issuing https certificates rests merely on the fact that the certification authority has managed to inveigle itself into all the main browsers and have their public key installed along with the browser software. Hoowever, the market seems to be collapsing, with even free certificate authorities appearing although with some minor limitations like short duration of validity of certificates.

Excellent summary of using openssl to manage certificates .. no Alternate Names though
https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs

Excellent summary of selfsigned and properly signed certificate
https://httpd.apache.org/docs/2.4/ssl/ssl_faq.html

==== Commentary on https security ====

With the general move to using https instead of http after the Snowdon revelations, people have begun to better understand how https certificates really work. People are more aware now that most https certificates mean little more than that their communication with the server is a) confidential b) not tampered with c) is truly with the server/domain name apparent and not some other. ALL WITH THE EXCEPTION OF *ANYBODY* WHO IS A CERTIFICATE AUTHORITY REGISTERED IN THE MAIN BROWSERS - WHICH IS MANY - INCLUDING NON-FRIENDLY NATIONAL STATE ACTORS!

It is possible however to be virtually certain of confidentiality and accuracy of your communication using standard browsers, EVEN VERSUS CERTIFICATION AUTHORITIES. If, by inspecting the certificate when you are browsing a particular web site, you can satisfy yourself that it is in fact truly the one in use by the web server, the chances of your communication being secure is virtually 100% The only chance is some failure in fundamental encryption protocols. Such failures would either be public knowledge very quickly, or not used versus you, for fear of it becoming public knowledge, unless you really have something incredibly valuable to hide. In this sense, self-certified certificates are the most secure, since you can obtain them by some other secure channel directly from the web server operator and do not change without your action. Note that in order to ensure that a certificate does not change during your session, to say an unknown valid certificate that breaks your security, your browser must support certificate pinning, in which case the browser will either prevent, or inform you if the certificate for the web site changes, either between or within sessions.

To gain a practical understanding of the issues raised if you trust the certification authorities built in to your browser, consider the fact that many companies require an additional certificate authority to be installed in all corporate browsers (and in some famous cases have installed it covertly), and thereafter all https communications are decrypted in the company firewall/proxy using the corporate certificate, checked for content and reencrypted with the true certificate before being passed on - or vice versa, depending on the direction of flow of information. This, for example means that an employee accessing their bank account would be completely exposed to the corporate gaze. Two factor security would prevent corporate interference in say, instructions to make payments, but all information would be exposed and probably logged in possibly long term records. The same would apply to all https web sites accessed by the employee. Courts seem to agree that corporations have every right to do this but the average person is commonly not aware of it. If a person understood how https security works, they could inspect the https certificate to make sure it is the correct (same one issued by their bank apparent at home for example), since it is unlikely that an adversary (or in this case their employer) would control their actual browser software, but security is an arms race and once everybody knows how to defend themselves, adversaries and security operators will simply move to the next level. The next level may be preventing users from using their own browsers. This is already the case in most secure environment, but not all, and BYOD attitudes may prevail in the long run. Whatever the issues are in this case, the same general principle apply in other situations involving security.

=== Generating a self signed certificate in pfx form for IIS ===

Generating certificates and keys https://httpd.apache.org/docs/2.4/ssl/ssl_faq.html

Generating a pfx using openssl https://langui.sh/2009/01/24/generating-a-pkcs12-pfx-via-openssl/

==== Generate standard cert and key pair ====

First generate a matching pair of certificate and key files (x509 and rsa format respectively)

Example for *.mydomain and validity 9999 days from now

signer=self
mydomain=neosys.com
mydomains=*.neosys.com
expirydays=9999
keyno=`date`
certno=$keyno
#
certfilename=$mydomain-$signer-$certno.cer
keyfilename=$mydomain-$keyno.key
#"-nodes" means -no-DES ie no encryption ie generate a key file without encrypting it and therefore without requiring a password on it
openssl req -new -x509 -nodes -days $expirydays -out "$certfilename" -keyout "$keyfilename" \
-subj "/C=AE/ST=DUBAI/O=NEOSYS/CN=*.neosys.com" \
-reqexts SAN -config <(cat /etc/ssl/openssl.cnf \
<(printf "[SAN]\nsubjectAltName=DNS:*.hosts.neosys.com,DNS:*.support.neosys.com")) \

Consider adding subject and subject alternative names

openssl x509 -req -new -sha256 \
-newkey rsa:2048 \
-keyout neosys.com-102.key \
-subj "/C=AE/ST=DUBAI/O=NEOSYS/CN=*.neosys.com" \
-reqexts SAN -config <(cat /etc/ssl/openssl.cnf \
<(printf "[SAN]\nsubjectAltName=DNS:*.hosts.neosys.com,DNS:*.support.neosys.com")) \
-out neosys.com-102.crt \
-nodes \
-days 9999

Example session:

Country Name (2 letter code) [AU]:AE
State or Province Name (full name) [Some-State]:DUBAI
Locality Name (eg, city) []:DUBAI
Organization Name (eg, company) [Internet Widgits Pty Ltd]:NEOSYS
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:*.neosys.com
Email Address []:it@neosys.com

=== Generating a properly signed certificate ===

http://wiki.gandi.net/en/ssl/csr#sha-2_certificate_request

==== Generate key and CSR file ====

A certificate signing request file (.csr) for *.hosts.neosys.com (wildcard certificate)

if you are renewing (and want to reuse an existing secret server key file mydomain.key, although not clear on the benefit ATM)

openssl req -new -nodes -sha256 -key mydomain.key -subj "/C=AE/ST=DUBAI/O=NEOSYS/CN=*.hosts.neosys.com" -out mydomain.csr

or if you want to generate a new secret server key file

openssl req -new -nodes -sha256 -newkey rsa:2048 -keyout mydomain.key -subj "/C=AE/ST=DUBAI/O=NEOSYS/CN=*.hosts.neosys.com" -out mydomain.csr

or if you want to request SAN subdomain wildcards (unlikely to be granted by main cert authorities but perfectly legal and can be self certified)

openssl req -new -nodes -sha256 -newkey rsa:2048 -keyout mydomain.key -subj "/C=AE/ST=DUBAI/O=NEOSYS/CN=*.neosys.com" -out mydomain.csr \
-reqexts SAN -config <(cat /etc/ssl/openssl.cnf \
<(printf "[SAN]\nsubjectAltName=DNS:neosys.com,DNS:*.neosys.com,DNS:*.support.neosys.com,DNS:*.hosts.neosys.com"))

View the csr and verify correct (check that SAN additional domains are listed if you requested them above)

openssl req -in mydomain.csr -noout -text

==== Either send to CA and get crt/cer file back ====

Send the csr file to the certifying authority and put their response in a mydomain.crt file

Make sure you inform them that the type of software you used to generate the csr is "mod Apache/ModSSL"

mydomain.csr -> mydomain.cer

==== Or self sign to test all ok ====

nano ssl.conf

[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = AE
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Dubai
localityName = Locality Name (eg, city)
localityName_default = Dubai
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = IT
commonName = *.neosys.com
commonName_max = 64
#
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
#keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
#
[alt_names]
DNS.1 = neosys.com
DNS.2 = *.neosys.com
DNS.3 = *.hosts.neosys.com
DNS.4 = *.support.neosys.com

openssl x509 -signkey mydomain.key -in mydomain.csr -req -days 9999 -extensions v3_req -extfile ssl.conf -out mydomain.crt

view the cert and check extensions (additional domain names) are present if required

openssl x509 -in mydomain.crt -text -noout

==== Merge private key and signed public cert into password protected pfx file ====

Convert the pair of standard files into a single pfx file that IIS can import

friendlyname="COMODO SIGNED hosts.neosys.com *.hosts.neosys.com"
openssl pkcs12 -export -in mydomain.crt -inkey mydomain.key -name "$friendlyname" -out mydomain.pfx

It will ask for a password .. the usual NEOSYS one is 1f... which will be required when you import the pfx file into IIS before binding to web sites

Example session:

Enter Export Password:
Verifying - Enter Export Password:

Check the pfx file

openssl pkcs12 -in mydomain.pfx

openssl pkcs12 -in mydomain.pfx | openssl x509 -noout -text

==== Copy the pfx file to the IIS server and import/bind in the usual way ====

Copy it to the https server

mysshport="-P 19510"
mysshtarget="administrator@win3.neosys.com:/cygdrive/d/hosts/CERTIFICATES"
scp $mysshport mydomain.pfx $mysshtarget

==== Friendly name in pfx file ====

On the IIS server after importing, if you have multiple certificates for the same domain name you might like to add a "friendly name" to distinguish them in the dropdown when binding certificates to web sites.

You might also want to add the friendly name to the pfx file if you intend to import it again or elsewhere using certificate export to pfx with options Include All and Export All

https://rickardrobin.wordpress.com/2012/12/05/specifying-a-friendly-name-to-a-certificate/

=== Understanding SSL certificates ===

==== What are RSA Private Keys, CSRs and Certificates? ====

YOUR RSA PRIVATE KEY FILE

is a digital file created by you and never ever shared with others. It is USED ONLY BY YOU (never by others) to either:

*to DECRYPT secret, encrypted, messages received by you from others
*to SIGN messages before sending them to others providing them certainty that the message came from you without being tampered with and that you cannot deny signing them.

YOUR RSA PUBLIC KEY FILE

is a digital file created by you and freely shared with others. It is USED BY OTHERS (never by you) to either:

*ENCRYPT messages before sending them to you
*VERIFY that signed messages were in fact signed by you and not tampered with and you cannot deny signing them.

OTHER PERSON'S RSA PUBLIC KEY FILE

is a digital file created by the other person and freely shared with you and others. It is USED BY YOU OR ANYBODY (never by the other person) to either:

*ENCRYPT messages to achieve secrecy before sending them to the other person.
*VERIFY that signed messages received were in fact signed by the other person and that they cannot deny signing them nor claim they have been tampered with.

To obtain someone's public key, you need a trusted channel, ie a signed channel, but not a secret or encrypted channel since the information is public and not confidential.

Using your private key and someones public key together:

*If you want to send a signed secret message to someone and allow them to be sure it came unmodified from you, you first sign the message using YOUR PRIVATE KEY, then encrypt the message using THEIR PUBLIC KEY
*If you want to receive a secret message and verify that it came unmodified from someone in particular, you first you decrypt the message using YOUR PRIVATE KEY, then verify the message using THEIR PUBLIC KEY

Signing and Verification = Encryption and Decryption Mathematical Process with keys reversed

Actually, the process of "signing" is doing the same mathematical process as encryption, but since you use the recipients public key, the resultant "encrypted" messege is not secret because it can be "decrypted" using a public key which are freely available.

Likewise, the process of "verification" on a received message is doing the same mathematical process as decryption, but since you are using the senders public key, and anybody could "decrypt" the message, it was not really encrypted in the sense of being secret.

So we have two processes, one called Encryption/Signing but is exactly the same mathematical process with two names depending on whether we use a public or private key, and another process called Decryption/Verification which uses the opposite key.

What YOU use for what:

*YOUR (PRIVATE) KEY = USED BY YOU for decryption and signing
*THEIR (PUBLIC) KEY = USED BY YOU for encryption and verification

*YOUR (PUBLIC) KEY = NEVER USED BY YOU - since anybody else could do the same thing so no trust or secrecy could be obtained
*THEIR (PRIVATE) KEY = NEVER USED BY YOU - since you dont have it!

What to use:

*ENCRYPT OUTGOING = Use THEIR (public) key
*VERIFY INCOMING = Use THEIR (public) key

*DECRYPT INCOMING = Use YOUR (private) key
*SIGN OUTGOING = Use YOUR (private) key

So the slightly strange thing is that you dont encrypt messages with your private key as might be assumed naturally. You encrypt using the target recipient's public key. This is perfectly logical if you understand the concept asymmetric cryptography.

One thing to note is that, while it is obvious that other people never use your private key, since they dont have it, it is not obvious, but perfectly true, that you never use your public key. NOBODY EVER USES THEIR OWN PUBLIC KEY ... THEY ONLY GIVE IT TO OTHERS TO USE.

CERTIFICATE

It has a public component which you distribute (via your Certificate file) which allows people to encrypt those messages to you. It can also be used by you to sign messages that can be verified as having come from you by anyone who receives the signed message, using your public key.

CSR FILE

A Certificate Signing Request (CSR) is a digital file which contains your public key and your details eg name/domain name etc. You send the CSR to a Certifying Authority (CA), who will create a real Certificate containing your detail eg your domain name and your public key, signed by them using their private RSA private key.

CERTIFICATE

A Certificate contains your RSA public key, your name, the name of the CA, and is digitally signed by the CA. Browsers that know the CA can verify the signature on that Certificate, thereby obtaining your RSA public key. That enables them to send messages which only you can decrypt.

==== What is Asymmetric cryptography? ====

Asymmetric cryptography allows you to freely publish a "public" key that can be used by anyone to send you encrypted messages. Such messages can only be decrypted by you using a special matching "private" key which you always keep secret.

Asymmetric cryptography also allows you to publish "signed" messages that can be verified by anyone as coming directly from you without any modification by others. Such messages are created using your "private" key and can be verified by anyone who has your "public" key. Creation involves the same process as encryption. Verification uses the same process as decryption.

Note that you dont ever actually use your own public key. You use your private key to decrypt messages sent to you, and you use the same key to "sign" messages to prove they came from you and without modification. Likewise other people only ever use your "public" key - either for encrypting messages that they want to send to you, or verifying that signed messages did come from you unmodified.

So we have a pair of keys that if either one is used for encryption/signing, then the other one is required for decryption/verifying. In that sense, it does not matter which we choose to keep private and which public, but ensure that we only ever publish one of them and forever keep the other secret.

So, to start encrypting or signing, you need a matched pair of keys, and you need to publish one to other people and forever keep the other one secret.

.key a file that contains a random collection of characters that can be used to encrypt

.cer a file that contains a random collection of characters that can be given out publicly and used by anybody to encrypt something to be sent to you

A certificate is some information that has been processed by a private and secret key.

pfx contains a private key and public certificate which contains your public key embedded. Usually pfx files are encrypted and you have to enter a password before using them, ie importing them.

==[[Backing up and Restoring IIS configuration]]==

== Solving IIS errors ==

=== Solving error during file upload: "Page cannot be displayed" HTTP Error 405 in windows 2003 ===

This error should not occur in normal NEOSYS installations but the solution is as follows:

# Go to Control Panel, Administrative Tools, Internet Information Services
# Expand the tree to COMPUTERNAME, Web Sites
# Right-click "Default Web Site" (or specific Web Site if multiple NEOSYS http/https installations on the server as per WIN3)
# Properties
# Home Directory
# Configuration
# Mappings, Add
# Browse
# Dynamic Link Libraries *.dll" from the "Files of Type" dropdown
# Find and select D:\NEOSYS\neosys.net\NEOSYS\dll\upload.dll (OR upload.dll in the installation directory)
# Extension Type: dll
# Limit to: All
# Click the "OK" button

=== Solving error during file upload: "HTTP verb used to access this page is not allowed" HTTP Error 405 in windows 2008 ===

Cause: This error occurs when upload.dll is not set up on IIS

Solution: Ensure upload.dll is setup as per configuration: [[Configuring_IIS#Configure_file_uploads_besides_adding_the_images_directory|Setting up upload.dll]]

[[File:uploadiis2.jpg]]

=== Solving "HTTP Error 503. The service is unavailable." ===

Look in event log for errors saying various dlls have failed to load eg

The Module DLL C:\Windows\System32\inetsrv\authsspi.dll failed to load. The data is the error.

These errors indicate that IIS is configured to use various modules that have not been installed, possibly due to restoration of IIS configuration backups which mention them but the restore program restores the configuration but does not install the dll. They may not even be required, but how to exclude them is not solved in this article.

Solution is to install the various required modules by right clicking IIS role and choosing Add Role Service

*inetsrv\filter.dll - ISAPI Filters
*validcfg.dll - .NET Extensibility?
*iis_ssi.dll - Server Side Includes
*authsspi.dll - Windows Authentication

A list of module names mapped to dll files can be found in the IIS configuration file. This may give a clue what module is required to be added in Programs and Features or Roles. Alternatively, the module may no longer be required on a new server and can be deleted from the configuration file (take a backup. this may could cause other strange errors, perhaps much later on) and IIS restarted with the new configuration.

cd C:\Windows\System32\inetsrv\config
notepad applicationHost.config

Example from neosys win3:
<pre>
<globalModules>
<add name="UriCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
<add name="FileCacheModule" image="%windir%\System32\inetsrv\cachfile.dll" />
<add name="TokenCacheModule" image="%windir%\System32\inetsrv\cachtokn.dll" />
<add name="HttpCacheModule" image="%windir%\System32\inetsrv\cachhttp.dll" />
<add name="StaticCompressionModule" image="%windir%\System32\inetsrv\compstat.dll" />
<add name="DefaultDocumentModule" image="%windir%\System32\inetsrv\defdoc.dll" />
<add name="DirectoryListingModule" image="%windir%\System32\inetsrv\dirlist.dll" />
<add name="ProtocolSupportModule" image="%windir%\System32\inetsrv\protsup.dll" />
<add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
<add name="AnonymousAuthenticationModule" image="%windir%\System32\inetsrv\authanon.dll" />
<add name="RequestFilteringModule" image="%windir%\System32\inetsrv\modrqflt.dll" />
<add name="CustomErrorModule" image="%windir%\System32\inetsrv\custerr.dll" />
<add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
<add name="RequestMonitorModule" image="%windir%\System32\inetsrv\iisreqs.dll" />
<add name="IsapiModule" image="%windir%\System32\inetsrv\isapi.dll" />
<add name="IsapiFilterModule" image="%windir%\System32\inetsrv\filter.dll" />
<add name="ConfigurationValidationModule" image="%windir%\System32\inetsrv\validcfg.dll" />
<add name="ManagedEngine" image="%windir%\Microsoft.NET\Framework\v2.0.50727\webengine.dll" preCondition="integratedMode,runtimeVersionv2.0,bitness32" />
<add name="ServerSideIncludeModule" image="%windir%\System32\inetsrv\iis_ssi.dll" />
<add name="WindowsAuthenticationModule" image="%windir%\System32\inetsrv\authsspi.dll" />
<add name="ManagedEngineV4.0_32bit" image="c:\Windows\Microsoft.NET\Framework\v4.0.30319\webengine4.dll" preCondition="integratedMode,runtimeVersionv4.0,bitness32" />
<add name="ManagedEngineV4.0_64bit" image="c:\Windows\Microsoft.NET\Framework64\v4.0.30319\webengine4.dll" preCondition="integratedMode,runtimeVersionv4.0,bitness64" />
</globalModules>
</pre>

=== Solving HTTP Error 404 Error occurring immediately on opening NEOSYS login page on a new server installation: "System Failure. Do you want to retry?" ===

This error message is caused by failing to enable Active Server Pages in the IIS configuration. To resolve this in windows 2008, [[Configuring_IIS#Configure_file_uploads_besides_adding_the_images_directory| ensure that Read, Script, Execute is ticked (enabled) in the feature permissions of these Handler Mappings.]]

This message is from IE8 and a Windows 2003 server. The message may be different for other browser versions.

<pre>
Message from web page.

System Failure. Do you want to retry?

The page cannot be found
The page you are looking for might have been removed, had its name change, or it temporarily unavailable.

Please try the following:
(omitted)
HTTP Error 404 - File or directory not found.
Internet Information Services (IIS)
</pre>

[[image:http404.jpg]]

=== Solving HTTP 404 Webpage cannot be found ===

This error message clearly states that the page cannot be found. Check for the requested page in the client website folder under the virtual directory data. This page will be available under the data folder in D:\neosys\data. A possible cause of this error is by failing to create a virtual directory called data linked to D:\neosys\data:

[[image:http404p.jpg]]

=== Solving "Service unavailable" error due to disabled application pool ===

====Problem:====

Browser shows "Service unavailable" when trying to access NEOSYS

[[image:serviceunavailable.jpg]]

Check if IIS application pool is disabled. IIS application pool gets automatically disabled after a series of worker process failures.

Open system logs and check for W3SVC error with event ID 1002 to confirm that the application pool was disabled automatically due to a series of failures in the process(es) serving that application pool.

[[image:w3svcerror.jpg]]

====Solution:====
Open IIS, expand application pools, right-click the application pool that was automatically disabled, and click Start.
Browse to NEOSYS website to check if the problem is fixed.

====Additional Information:====

To view the settings for the number of process failures after which the application pool gets disabled, go to IIS, expand application pools, right-click the application pool, click "Set Application Pool Defaults" (for Windows Server 2003, right-click the application pool, click properties and then go to the "Health" tab).

"Rapid-Fail Protection" is the feature that disables the application if there are a certain number of worker process failures within a specified time period.

As per the configuration shown in the example screenshot below, application pool "DefaultAppPool" will be automatically disabled if 5 or more worker process failures happen within a time period of 5 minutes.

[[image:apppool.jpg]]

===Solving Error "The specified Executable does not exist on the server"===

While adding Script Map in Handler Mappings in the above step, if you get the below error, this means you have not yet run the Maintenance window/ NEOSYS processes and skipped steps in Installing NEOSYS. File upload.dl_ is installed from NEOSYS.EXE or NEOSYS2.EXE and converted to .dll the first time you run NEOSYS Maintenance/Process. You can also manually rename the file to upload.dll.

[[image:Dll_error.png]]

=== Solving IIS error 500 on uploading for windows 2008===

To test if permissions are the problem, in grant full control to IUSR over the whole client directory e.g d:\neosys or d:\hosts\clientx in security tab of windows explorer and see if you can upload.

Regardless of the result, remove the full control permissions since they are a security risk.

If permissions are the problem then grant specific permissions as follows:

#images folder - read and write permissions (but not execute)
#dll folder - read and execute permission (no write permission)

=== Solving error "Upload folder cannot be created.The system cannot find the drive specified" ===

This error message comes up when the file uploads are configured to a different location in the software than what is set up in IIS.

There is an internal system configuration in line 49 of the DOS SYSTEM.CFG file which mentions the upload folder location (normally blank which means xxxxxx\images\ where xxxxxx is the installation directory e.g d:\neosys)

In installations where the images are uploaded to a place other than the installation directory, the configuration may say something like h:\images\ where h represents the drive where the folder is located e.g on an external USB drive. This may be done in case of client installations where file uploads are configured on USB drives due to a huge number of files getting uploaded.

The IIS and internal system configuration must agree, otherwise users will probably not be able to upload files, or the uploaded files may not be saved in the right place and may be lost, not backed up and/or not viewable.

To fix this issue, you MUST link the '''images''' folder in IIS to xxxxxx\images\ where xxxxxx is the directory of the images folder as shown in the error message.

[[File:Uploaderror.png]]

===[[Troubleshooting_NEOSYS_Generally#Solving_.E2.80.9Cpage_not_found.E2.80.9D_or_.22HTTP_Error_404.3_-_Not_Found.22_when_downloading_some_file_types_after_uploading_them_successfully|Solving “page not found” or "HTTP Error 404.3 - Not Found" when downloading some file types after uploading them successfully]] ===

Configuring IIS

2019-12-02T21:32:21Z

Steve: /* Solving "HTTP Error 503. The service is unavailable." */

After you have installed all the NEOSYS program files you need to configure IIS so that you can operate NEOSYS. Instructions are below.

== Configuring IIS for windows 2003 ==

=== Creating a new website in IIS ===

First step is to stop the default website in IIS. Right click on Default Web Site and select "Stop".

'''Client Server:''' Create a website called neosys linked to D:\neosys\neosys.net:

'''WIN3 Server:''' Create a website called "clientname" linked to D:\hosts\clientfolder\neosys.net

[[image:figure1.jpg]]

[[image:figure3.jpg]]

A new window will pop up "IP Address and Port Setting" after completion of the above step.

'''Client Server:''' Select *(All Unassigned)* from the drop down list of "Enter the IP address to use for the Web site" and keep the default port as 80.

'''WIN3 Server:''' Select the static Ip from the drop down list of "Enter the IP address to use for the Web site" and enter then next port available and click on next.

[[image:Figure_2.jpg‎]]

'''Client Server:''' Within the above neosys web site folder create a virtual directory called data linked to D:\neosys\data:

'''WIN3 Server:''' Within the above clientwebsite folder create a virtual directory called data linked to D:\hosts\clientfolder\data:

'''(I haven’t got the screenshot because I can only get it once I create the above)'''

=== To allow file uploads ===

==== Create IMAGES directory ====

'''Client server:''' create a folder IMAGES under D:\neosys and within the neosys web site folder create a virtual directory called images linked to D:\neosys\images: Modes: READ and WRITE

'''WIN3 Server:''' create a folder IMAGES under D:\hosts\clientfolder and within the client web site folder create a virtual directory called images linked to D:\hosts\clientfolder\images: Modes: READ and WRITE

'''(I haven’t got the screenshot because I can only get it once I create the above)'''

==== Permit upload.dll ====

# Right click on dll ( Default Web Site, neosys, NEOSYS, dll)
# Under Permissions set Execute Permissions: Scripts and Executables

# Internet Information Services (IIS) Manager
# Web Service Extensions
# All Unknown ISAPI Extensions: Allowed

=== Create "Cache-Control" HTTP Header ===

This custom HTTP Header is created so that users will not have to clear browser cache after a NEOSYS upgrade.

#Right click on neosys (Web Sites, neosys)
#Select Properties and click on the HTTP Headers tab
#Add a new custom HTTP Header with "Cache-Control" as header name and "public,max-age=300" as the header value.

[[File:cacheheader.png]]

===[[Backing_up_and_Restoring_IIS_configuration#Set_IIS_automatic_backup_location_to_d:| Set IIS automatic backup location to D:]] ===

== Installing IIS for Windows 2008 ==

First install IIS from Control Panel > Programs & Features > Turn Windows Features ON or OFF > Add Roles:

[[image:iis1.jpg]]

On the window that pops up click on next and you will get this screen, tick Web Server (IIS) - on the prompt click on Add Required Resources and then on Next:

[[image:iis2.jpg]]

On the next window, click on next until you get this window - tick ASP and ISAPI Extensions:

[[image:iis3.jpg]]

Click on Next and Finish

== Configuring IIS for Windows 2008 and Windows 10==
===Create a new Website===
After successfully installing IIS, go to Control Panel > Administrative Tools > Computer Management > Services and Applications > Internet Information Services (IIS) > Machine Name > Sites > Default Website.

'''Client Server:'''
#Stop the Default Website.
#Right click on Sites folder and click on Add Website.
#Create a website called '''neosys''' and linked to {{Client server Installation Location}}neosys.net as shown in the screenshot below.

'''WIN3:'''
#Right click on Sites folder and click on Add Website.
#Create a website called "clientname" linked to {{NEOSYS server Installation Location}}neosys.net as shown in screenshot below.
#Since win3 is not connected to any LAN and exclusively serves https only, therefore setup a https binding only with a port number which is unique, unused and one greater than the previous port used in the series which is 4431 onwards. The highest port number used in this series can be found by checking IIS manager -> NEOSYS ->Sites.

Refer to [[Setting_up_HTTPS#Creating_multiple_HTTPS_web_sites_on_NEOSYS_hosted_server| setting up the https for a site on NEOSYS hosted server]] for details.

[[image:iis4.jpg]]

===Link Data Folder===

'''Client Server:''' Within the neosys website folder create a virtual directory called '''data''' linked to {{Client server Installation Location}}data

'''WIN3:''' Within the "clientname" website folder create a virtual directory called '''data''' linked to {{NEOSYS server Installation Location}}data

[[image:iis5.jpg]]

===Allow file uploads===

'''Client Server:''' create a folder '''images''' under D:\neosys and within the neosys web site folder create a virtual directory called '''images''' linked to {{Client server Installation Location}}images

'''WIN3:''' create a folder '''images''' under D:\hosts\clientfolder and within the "clientname" website folder create a virtual directory called '''images''' linked to {{NEOSYS server Installation Location}}images

[[image:iis7.jpg]]

After you add all virtual directories the tree map of the website should look as follows:

[[image:iis8.jpg]]

===Configure file uploads besides adding the images directory===

#In IIS open Handler mappings in the top server level
#Right click ISAPI-dll and choose Edit Feature Permissions
#Check Execute and save.

This is already setup for win3

[[image: iisisapi.jpg]]

'''For single site servers follow the steps below only if file upload does not work in NEOSYS after doing the above.'''

Go under IIS > Default Website > neosys

Click on Handler Mappings and delete the ISAPI you see there

[[image:iis9a.jpg]]

Thereafter click on Add Script Map and fill in the details as follows –

Request path: *.dll

Executable: {{Client server Installation Location}}neosys.net\NEOSYS\dll\upload.dll

Name: ISAPI

Click on OK and on YES in the confirmation box

[[image:iis9b.jpg]]

[[image:hm.jpg]]

===Editing the hosts file===
Edit the hosts file under c:\windows\system32\drivers\etc\ - delete the # sign next to 127.0.0.1 localhost and include the # sign before ::1 localhost

[[image:iis10.jpg]]

=== IIS web page caching ===

Webpage cache is set to 5 mins in neosys.net/web.config on Windows 2008/10 and in IIS configuration on Windows 2003.

If a NEOSYS user opens a web page 5 mins after the file was updated then their computer will get the latest version.

If support team is patching and wants to test without waiting for 5 mins then they will have to press Ctrl+F5 to refresh or perhaps even clear their cache using the usual methods.

===[[Backing_up_and_Restoring_IIS_configuration#Set_IIS_automatic_backup_location_to_d:| Set IIS automatic backup location to D:]] ===

== Disabling unsecure SSL3 protocol on Windows IIS web server ==

POODLE is an information leakage attack on client browsers while accessing web server that support the older SSL3 protocol. It is easy to prevent it by reconfiguring web servers to not support SSL3.

=== Securing IIS web server on win2003 and 2008 by disabling unsafe SSL3 protocol ===

#For Systems with https installed check if the web server is vulnerable (see [[Configuring_IIS#Testing_for_IIS_vulnerability| Testing for IIS vulnerability]] ). For systems with no https installed,continue to step2 to prevent SSL3 accidentally being enabled if https is installed in the server in future and then test for vulnerability.
# run the following commands on the server
#reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /t REG_DWORD /v Enabled /d 0 /f
#reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" /t REG_DWORD /v Enabled /d 0 /f
#reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128" /t REG_DWORD /v Enabled /d 0 /f
#reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128" /t REG_DWORD /v Enabled /d 0 /f
#reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128" /t REG_DWORD /v Enabled /d 0 /f
#reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128" /t REG_DWORD /v Enabled /d 0 /f
#Reboot the server (at any time later using standard NEOSYS rebooting procedure without disturbing users)
#Perform the diagnostic for vulnerability

=== Testing for IIS vulnerability ===
==== A. Determine host and port and where to test from ====
If you have a public https server that you can access like https://demo.neosys.com:443, in a linux command prompt eg nagios login:

*$HOST for host name like demo.neosys.com
*$PORT with something like 443 or 4430 depending on port forwarding on the public router

or if testing a private https server with no public access, using a cygwin installation on the same server in the cygwin prompt:

*$HOST for host name like 127.0.0.1
*$PORT with something like 443 or 4430 as per IIS manager configuration

If https is enabled on the server/website and you are able to access the website via https using a browser, then you must be able to test for openssl on the same browsed host and port. You must also test this locally to ensure that the right server is being fixed. If the website is not public, then https must not be enabled, which means there is no reason for using cygwin openssl.

==== B. Check you CAN connect to https server using TLS ====

openssl s_client -host $HOST -port $PORT

<pre>
nagios@vm1m:~$ echo|openssl s_client -host demo.neosys.com -port 443
CONNECTED(00000003)
depth=0 CN = demo.neosys.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = demo.neosys.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=demo.neosys.com
i:/CN=demo.neosys.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIB2DCCAUWgAwIBAgIQd0J0l4kJrpJHonAv5U8VLjAJBgUrDgMCHQUAMBoxGDAW
BgNVBAMTD2RlbW8ubmVvc3lzLmNvbTAeFw0wODA3MjcxOTUxMDNaFw0zNTEyMTIx
OTUxMDNaMBoxGDAWBgNVBAMTD2RlbW8ubmVvc3lzLmNvbTCBnzANBgkqhkiG9w0B
AQEFAAOBjQAwgYkCgYEAxzwtoqq49vV7pyBQ6Ej+PvbB1QxkdsxNn5EZSLSOppCb
jNjV8fFa98unPR0pGM0UdjWMUYodj12c2pnIrfrtXv7pYf+iC1corPEY7607Icbs
rSOc5aFwnlUYpktoysV1G1crGYgYgXbXgVOUO9phHXJarpKf6SjVw3uXTLlmPUkC
AwEAAaMnMCUwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDgYDVR0PBAcDBQCwAAAAMAkG
BSsOAwIdBQADgYEAmgyW60pT62JuM8GH+KogHW7viaMsifXitm3BC/GfaORpJCox
aS20fAlzGyAlDe9nZWN4roLSxQv0laJkxyNPDuHvLJt1l0FVdk6/vGB6QH0KqM+S
UaUTLsDZ99UNS/inotobxD9vXuKl58Uoe2lu7r9vJ+1DWDC6AyueSZ6xnno=
-----END CERTIFICATE-----
subject=/CN=demo.neosys.com
issuer=/CN=demo.neosys.com
---
No client certificate CA names sent
---
SSL handshake has read 635 bytes and written 411 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES128-SHA
Session-ID: 8A0A00002D51DE183AC2845C6B3FF4BC7485181B4DCBC1758E3A2D5399BDD71C
Session-ID-ctx:
Master-Key: B10B9370E4DF70E873873AB9851B3CEF19623E6ADA697955E375D931DEE8301D798B4CB14C8D33FCF1BA066C0CC23897
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1413885416
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
DONE
</pre>

==== C. Check that you cannot CANNOT to https server using SSL3 ====

openssl s_client -ssl3 -host $HOST -port $PORT

==== CAN CONNECT = VULNERABLE = NOT OK ====

If you get this then you need to configure the server to prevent SSL3

<pre>
nagios@vm1m:~$ echo xxx|openssl s_client -ssl3 -host demo.neosys.com -port 4430
gethostbyname failure
connect:errno=0
nagios@vm1m:~$ echo xxx|openssl s_client -ssl3 -host demo.neosys.com -port 4430
CONNECTED(00000003)
depth=0 CN = demo.neosys.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = demo.neosys.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=demo.neosys.com
i:/CN=demo.neosys.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIB3jCCAUugAwIBAgIQNj9FMjT1vIxGo2Mv2Ta9vzAJBgUrDgMCHQUAMB0xGzAZ
BgNVBAMTEmFkbGluZWQubmVvc3lzLmNvbTAeFw0wODAzMjUxMTIxMzFaFw0zNTA4
MTAxMTIxMzFaMB0xGzAZBgNVBAMTEmFkbGluZWQubmVvc3lzLmNvbTCBnzANBgkq
hkiG9w0BAQEFAAOBjQAwgYkCgYEArRuijA8jz3qBm2ZZEwITIJLWIMlQmZxcUvOo
HNZL0+3oJuX0AQqtpRZMp/7ob9agngfwJQ36vK+424zcBbmKxA2MweKZRalN2jz+
rdr1oeZ6/Ff3r8+rCPFj/B8CfMOQbSv6YcR0kVc+8ugybB7qT6Nq5ZWOAczG3Ikt
4EnOlqUCAwEAAaMnMCUwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDgYDVR0PBAcDBQCw
AAAAMAkGBSsOAwIdBQADgYEAHIq5Gn2LiMgXFaUYrFEfHeajD4jAwdFw+zrjcBDZ
qM9LnhndHhdPogow9m9cCv1n57ne9rZL1v7w7Y6C53359hTUVZFqtHFfzcWnNyKD
uHD9a8QDk6/dSwBr/SWIE6OdFUYAj/kDXRQNB5H459spRVa3Yws8vpwrWZhoklxq
CQg=
-----END CERTIFICATE-----
subject=/CN=demo.neosys.com
issuer=/CN=demo.neosys.com
---
No client certificate CA names sent
---
SSL handshake has read 649 bytes and written 342 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : RC4-MD5
Session-ID: 441A0000EBC1D634B2CDB12924F9B980D2A4CF8C4DD6D3FB9728D3C74F62A8FE
Session-ID-ctx:
Master-Key: 38F040BE3E7098857B7CB9FF3B44937786F8F8C002B0042370B29F20EFB582833F9E24CFC8E6560AFD06751DC93412D3
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1413885545
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
DONE
</pre>

==== CANNOT CONNECT = NOT VULNERABLE = OK ====

<pre>
nagios@vm1m:~$ echo|openssl s_client -ssl3 -host demo.neosys.com -port 443
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1413885702
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
</pre>

=== Enabling Internet Explorer 6 to access secured https web servers ===

To use Internet explorer 6 (on win2003 and XP-before-SP3) to access secured http web sites you need to enable IE6 to use TLS 1.0. Internet Explorer 6 is present in Windows Server 2003 and Windows XP-pre-SP3.

You can also disable SSL 2.0 and SSL 3.0 for additional safety. This good for later versions of Internet Explorer too.

[[File:IE_options.jpg]]

== Generating IIS certificates for https using openssl ==

This covers the two main type of certificates:

#"proper" certificates (accepted by all browsers without complaint) - issued by bona fide certification authority only on proof of control of a domain name - usually for a small fee
#"self signed" certificates (not accepted by all browsers without error messages without special configuration) - easily
issued by anybody without the slightest restriction

NEOSYS' proper https certificate for *.hosts.neosys.com, valid approx Jan-Dec 2016, issued by Comodo, was purchased from namecheap.com for a small fraction of the price of purchasing from Comodo or one of the other main certification authorities.

There is no technical requirement to renew certificates with the same issuing authority, nor is their any restriction whatsoever from having multiple concurrent overlapping certificates, in any combination, for the the same domain name or subsets of a domain name. For a certificate to be "proper" it merely has to be issued by (not necessarily purchased from) one of the certificate authorities registered in all the main browsers using by NEOSYS clients. Unlike DNS domain name registrars, of which you can only have one at any one time, and which take to change, certificates are simply installed in particular servers without reference to each other, nor to any imaginary central internet registry, as IS the case for the DNS domain name registry.

The sales of certificates is a bit of scam really because anybody can get a certificate from the main commercial certificate authorities merely by proving control over a domain name - for example, by receiving an email to ADMIN@xxxxx.com. Except for EV certificates such as those issued to banks etc, most https certificates are issued without any check on physical identity or reputation, therefore the cost of issuing https certificates rests merely on the fact that the certification authority has managed to inveigle itself into all the main browsers and have their public key installed along with the browser software. Hoowever, the market seems to be collapsing, with even free certificate authorities appearing although with some minor limitations like short duration of validity of certificates.

Excellent summary of using openssl to manage certificates .. no Alternate Names though
https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs

Excellent summary of selfsigned and properly signed certificate
https://httpd.apache.org/docs/2.4/ssl/ssl_faq.html

==== Commentary on https security ====

With the general move to using https instead of http after the Snowdon revelations, people have begun to better understand how https certificates really work. People are more aware now that most https certificates mean little more than that their communication with the server is a) confidential b) not tampered with c) is truly with the server/domain name apparent and not some other. ALL WITH THE EXCEPTION OF *ANYBODY* WHO IS A CERTIFICATE AUTHORITY REGISTERED IN THE MAIN BROWSERS - WHICH IS MANY - INCLUDING NON-FRIENDLY NATIONAL STATE ACTORS!

It is possible however to be virtually certain of confidentiality and accuracy of your communication using standard browsers, EVEN VERSUS CERTIFICATION AUTHORITIES. If, by inspecting the certificate when you are browsing a particular web site, you can satisfy yourself that it is in fact truly the one in use by the web server, the chances of your communication being secure is virtually 100% The only chance is some failure in fundamental encryption protocols. Such failures would either be public knowledge very quickly, or not used versus you, for fear of it becoming public knowledge, unless you really have something incredibly valuable to hide. In this sense, self-certified certificates are the most secure, since you can obtain them by some other secure channel directly from the web server operator and do not change without your action. Note that in order to ensure that a certificate does not change during your session, to say an unknown valid certificate that breaks your security, your browser must support certificate pinning, in which case the browser will either prevent, or inform you if the certificate for the web site changes, either between or within sessions.

To gain a practical understanding of the issues raised if you trust the certification authorities built in to your browser, consider the fact that many companies require an additional certificate authority to be installed in all corporate browsers (and in some famous cases have installed it covertly), and thereafter all https communications are decrypted in the company firewall/proxy using the corporate certificate, checked for content and reencrypted with the true certificate before being passed on - or vice versa, depending on the direction of flow of information. This, for example means that an employee accessing their bank account would be completely exposed to the corporate gaze. Two factor security would prevent corporate interference in say, instructions to make payments, but all information would be exposed and probably logged in possibly long term records. The same would apply to all https web sites accessed by the employee. Courts seem to agree that corporations have every right to do this but the average person is commonly not aware of it. If a person understood how https security works, they could inspect the https certificate to make sure it is the correct (same one issued by their bank apparent at home for example), since it is unlikely that an adversary (or in this case their employer) would control their actual browser software, but security is an arms race and once everybody knows how to defend themselves, adversaries and security operators will simply move to the next level. The next level may be preventing users from using their own browsers. This is already the case in most secure environment, but not all, and BYOD attitudes may prevail in the long run. Whatever the issues are in this case, the same general principle apply in other situations involving security.

=== Generating a self signed certificate in pfx form for IIS ===

Generating certificates and keys https://httpd.apache.org/docs/2.4/ssl/ssl_faq.html

Generating a pfx using openssl https://langui.sh/2009/01/24/generating-a-pkcs12-pfx-via-openssl/

==== Generate standard cert and key pair ====

First generate a matching pair of certificate and key files (x509 and rsa format respectively)

Example for *.mydomain and validity 9999 days from now

signer=self
mydomain=neosys.com
mydomains=*.neosys.com
expirydays=9999
keyno=`date`
certno=$keyno
#
certfilename=$mydomain-$signer-$certno.cer
keyfilename=$mydomain-$keyno.key
#"-nodes" means -no-DES ie no encryption ie generate a key file without encrypting it and therefore without requiring a password on it
openssl req -new -x509 -nodes -days $expirydays -out "$certfilename" -keyout "$keyfilename" \
-subj "/C=AE/ST=DUBAI/O=NEOSYS/CN=*.neosys.com" \
-reqexts SAN -config <(cat /etc/ssl/openssl.cnf \
<(printf "[SAN]\nsubjectAltName=DNS:*.hosts.neosys.com,DNS:*.support.neosys.com")) \

Consider adding subject and subject alternative names

openssl x509 -req -new -sha256 \
-newkey rsa:2048 \
-keyout neosys.com-102.key \
-subj "/C=AE/ST=DUBAI/O=NEOSYS/CN=*.neosys.com" \
-reqexts SAN -config <(cat /etc/ssl/openssl.cnf \
<(printf "[SAN]\nsubjectAltName=DNS:*.hosts.neosys.com,DNS:*.support.neosys.com")) \
-out neosys.com-102.crt \
-nodes \
-days 9999

Example session:

Country Name (2 letter code) [AU]:AE
State or Province Name (full name) [Some-State]:DUBAI
Locality Name (eg, city) []:DUBAI
Organization Name (eg, company) [Internet Widgits Pty Ltd]:NEOSYS
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:*.neosys.com
Email Address []:it@neosys.com

=== Generating a properly signed certificate ===

http://wiki.gandi.net/en/ssl/csr#sha-2_certificate_request

==== Generate key and CSR file ====

A certificate signing request file (.csr) for *.hosts.neosys.com (wildcard certificate)

if you are renewing (and want to reuse an existing secret server key file mydomain.key, although not clear on the benefit ATM)

openssl req -new -nodes -sha256 -key mydomain.key -subj "/C=AE/ST=DUBAI/O=NEOSYS/CN=*.hosts.neosys.com" -out mydomain.csr

or if you want to generate a new secret server key file

openssl req -new -nodes -sha256 -newkey rsa:2048 -keyout mydomain.key -subj "/C=AE/ST=DUBAI/O=NEOSYS/CN=*.hosts.neosys.com" -out mydomain.csr

or if you want to request SAN subdomain wildcards (unlikely to be granted by main cert authorities but perfectly legal and can be self certified)

openssl req -new -nodes -sha256 -newkey rsa:2048 -keyout mydomain.key -subj "/C=AE/ST=DUBAI/O=NEOSYS/CN=*.neosys.com" -out mydomain.csr \
-reqexts SAN -config <(cat /etc/ssl/openssl.cnf \
<(printf "[SAN]\nsubjectAltName=DNS:neosys.com,DNS:*.neosys.com,DNS:*.support.neosys.com,DNS:*.hosts.neosys.com"))

View the csr and verify correct (check that SAN additional domains are listed if you requested them above)

openssl req -in mydomain.csr -noout -text

==== Either send to CA and get crt/cer file back ====

Send the csr file to the certifying authority and put their response in a mydomain.crt file

Make sure you inform them that the type of software you used to generate the csr is "mod Apache/ModSSL"

mydomain.csr -> mydomain.cer

==== Or self sign to test all ok ====

nano ssl.conf

[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = AE
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Dubai
localityName = Locality Name (eg, city)
localityName_default = Dubai
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = IT
commonName = *.neosys.com
commonName_max = 64
#
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
#keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
#
[alt_names]
DNS.1 = neosys.com
DNS.2 = *.neosys.com
DNS.3 = *.hosts.neosys.com
DNS.4 = *.support.neosys.com

openssl x509 -signkey mydomain.key -in mydomain.csr -req -days 9999 -extensions v3_req -extfile ssl.conf -out mydomain.crt

view the cert and check extensions (additional domain names) are present if required

openssl x509 -in mydomain.crt -text -noout

==== Merge private key and signed public cert into password protected pfx file ====

Convert the pair of standard files into a single pfx file that IIS can import

friendlyname="COMODO SIGNED hosts.neosys.com *.hosts.neosys.com"
openssl pkcs12 -export -in mydomain.crt -inkey mydomain.key -name "$friendlyname" -out mydomain.pfx

It will ask for a password .. the usual NEOSYS one is 1f... which will be required when you import the pfx file into IIS before binding to web sites

Example session:

Enter Export Password:
Verifying - Enter Export Password:

Check the pfx file

openssl pkcs12 -in mydomain.pfx

openssl pkcs12 -in mydomain.pfx | openssl x509 -noout -text

==== Copy the pfx file to the IIS server and import/bind in the usual way ====

Copy it to the https server

mysshport="-P 19510"
mysshtarget="administrator@win3.neosys.com:/cygdrive/d/hosts/CERTIFICATES"
scp $mysshport mydomain.pfx $mysshtarget

==== Friendly name in pfx file ====

On the IIS server after importing, if you have multiple certificates for the same domain name you might like to add a "friendly name" to distinguish them in the dropdown when binding certificates to web sites.

You might also want to add the friendly name to the pfx file if you intend to import it again or elsewhere using certificate export to pfx with options Include All and Export All

https://rickardrobin.wordpress.com/2012/12/05/specifying-a-friendly-name-to-a-certificate/

=== Understanding SSL certificates ===

==== What are RSA Private Keys, CSRs and Certificates? ====

YOUR RSA PRIVATE KEY FILE

is a digital file created by you and never ever shared with others. It is USED ONLY BY YOU (never by others) to either:

*to DECRYPT secret, encrypted, messages received by you from others
*to SIGN messages before sending them to others providing them certainty that the message came from you without being tampered with and that you cannot deny signing them.

YOUR RSA PUBLIC KEY FILE

is a digital file created by you and freely shared with others. It is USED BY OTHERS (never by you) to either:

*ENCRYPT messages before sending them to you
*VERIFY that signed messages were in fact signed by you and not tampered with and you cannot deny signing them.

OTHER PERSON'S RSA PUBLIC KEY FILE

is a digital file created by the other person and freely shared with you and others. It is USED BY YOU OR ANYBODY (never by the other person) to either:

*ENCRYPT messages to achieve secrecy before sending them to the other person.
*VERIFY that signed messages received were in fact signed by the other person and that they cannot deny signing them nor claim they have been tampered with.

To obtain someone's public key, you need a trusted channel, ie a signed channel, but not a secret or encrypted channel since the information is public and not confidential.

Using your private key and someones public key together:

*If you want to send a signed secret message to someone and allow them to be sure it came unmodified from you, you first sign the message using YOUR PRIVATE KEY, then encrypt the message using THEIR PUBLIC KEY
*If you want to receive a secret message and verify that it came unmodified from someone in particular, you first you decrypt the message using YOUR PRIVATE KEY, then verify the message using THEIR PUBLIC KEY

Signing and Verification = Encryption and Decryption Mathematical Process with keys reversed

Actually, the process of "signing" is doing the same mathematical process as encryption, but since you use the recipients public key, the resultant "encrypted" messege is not secret because it can be "decrypted" using a public key which are freely available.

Likewise, the process of "verification" on a received message is doing the same mathematical process as decryption, but since you are using the senders public key, and anybody could "decrypt" the message, it was not really encrypted in the sense of being secret.

So we have two processes, one called Encryption/Signing but is exactly the same mathematical process with two names depending on whether we use a public or private key, and another process called Decryption/Verification which uses the opposite key.

What YOU use for what:

*YOUR (PRIVATE) KEY = USED BY YOU for decryption and signing
*THEIR (PUBLIC) KEY = USED BY YOU for encryption and verification

*YOUR (PUBLIC) KEY = NEVER USED BY YOU - since anybody else could do the same thing so no trust or secrecy could be obtained
*THEIR (PRIVATE) KEY = NEVER USED BY YOU - since you dont have it!

What to use:

*ENCRYPT OUTGOING = Use THEIR (public) key
*VERIFY INCOMING = Use THEIR (public) key

*DECRYPT INCOMING = Use YOUR (private) key
*SIGN OUTGOING = Use YOUR (private) key

So the slightly strange thing is that you dont encrypt messages with your private key as might be assumed naturally. You encrypt using the target recipient's public key. This is perfectly logical if you understand the concept asymmetric cryptography.

One thing to note is that, while it is obvious that other people never use your private key, since they dont have it, it is not obvious, but perfectly true, that you never use your public key. NOBODY EVER USES THEIR OWN PUBLIC KEY ... THEY ONLY GIVE IT TO OTHERS TO USE.

CERTIFICATE

It has a public component which you distribute (via your Certificate file) which allows people to encrypt those messages to you. It can also be used by you to sign messages that can be verified as having come from you by anyone who receives the signed message, using your public key.

CSR FILE

A Certificate Signing Request (CSR) is a digital file which contains your public key and your details eg name/domain name etc. You send the CSR to a Certifying Authority (CA), who will create a real Certificate containing your detail eg your domain name and your public key, signed by them using their private RSA private key.

CERTIFICATE

A Certificate contains your RSA public key, your name, the name of the CA, and is digitally signed by the CA. Browsers that know the CA can verify the signature on that Certificate, thereby obtaining your RSA public key. That enables them to send messages which only you can decrypt.

==== What is Asymmetric cryptography? ====

Asymmetric cryptography allows you to freely publish a "public" key that can be used by anyone to send you encrypted messages. Such messages can only be decrypted by you using a special matching "private" key which you always keep secret.

Asymmetric cryptography also allows you to publish "signed" messages that can be verified by anyone as coming directly from you without any modification by others. Such messages are created using your "private" key and can be verified by anyone who has your "public" key. Creation involves the same process as encryption. Verification uses the same process as decryption.

Note that you dont ever actually use your own public key. You use your private key to decrypt messages sent to you, and you use the same key to "sign" messages to prove they came from you and without modification. Likewise other people only ever use your "public" key - either for encrypting messages that they want to send to you, or verifying that signed messages did come from you unmodified.

So we have a pair of keys that if either one is used for encryption/signing, then the other one is required for decryption/verifying. In that sense, it does not matter which we choose to keep private and which public, but ensure that we only ever publish one of them and forever keep the other secret.

So, to start encrypting or signing, you need a matched pair of keys, and you need to publish one to other people and forever keep the other one secret.

.key a file that contains a random collection of characters that can be used to encrypt

.cer a file that contains a random collection of characters that can be given out publicly and used by anybody to encrypt something to be sent to you

A certificate is some information that has been processed by a private and secret key.

pfx contains a private key and public certificate which contains your public key embedded. Usually pfx files are encrypted and you have to enter a password before using them, ie importing them.

==[[Backing up and Restoring IIS configuration]]==

== Solving IIS errors ==

=== Solving error during file upload: "Page cannot be displayed" HTTP Error 405 in windows 2003 ===

This error should not occur in normal NEOSYS installations but the solution is as follows:

# Go to Control Panel, Administrative Tools, Internet Information Services
# Expand the tree to COMPUTERNAME, Web Sites
# Right-click "Default Web Site" (or specific Web Site if multiple NEOSYS http/https installations on the server as per WIN3)
# Properties
# Home Directory
# Configuration
# Mappings, Add
# Browse
# Dynamic Link Libraries *.dll" from the "Files of Type" dropdown
# Find and select D:\NEOSYS\neosys.net\NEOSYS\dll\upload.dll (OR upload.dll in the installation directory)
# Extension Type: dll
# Limit to: All
# Click the "OK" button

=== Solving error during file upload: "HTTP verb used to access this page is not allowed" HTTP Error 405 in windows 2008 ===

Cause: This error occurs when upload.dll is not set up on IIS

Solution: Ensure upload.dll is setup as per configuration: [[Configuring_IIS#Configure_file_uploads_besides_adding_the_images_directory|Setting up upload.dll]]

[[File:uploadiis2.jpg]]

=== Solving "HTTP Error 503. The service is unavailable." ===

Look in event log for errors saying various dlls have failed to load eg

The Module DLL C:\Windows\System32\inetsrv\authsspi.dll failed to load. The data is the error.

These errors indicate that IIS is configured to use various modules that have not been installed, possibly due to restoration of IIS configuration backups which mention them but the restore program restores the configuration but does not install the dll. They may not even be required, but how to exclude them is not solved in this article.

Solution is to install the various required modules by right clicking IIS role and choosing Add Role Service

*inetsrv\filter.dll - ISAPI Filters
*validcfg.dll - .NET Extensibility?
*iis_ssi.dll - Server Side Includes
*authsspi.dll - Windows Authentication

A list of module names mapped to dll files can be found in the IIS configuration file. This may give a clue what module is required to be added in Programs and Features or Roles. Alternatively, the module may no longer be required on a new server and can be deleted from the configuration file (may cause strange errors later on) and IIS restarted with a new configuration.

cd C:\Windows\System32\inetsrv\config
notepad applicationHost.config

Example from neosys win3:
<pre>
<globalModules>
<add name="UriCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
<add name="FileCacheModule" image="%windir%\System32\inetsrv\cachfile.dll" />
<add name="TokenCacheModule" image="%windir%\System32\inetsrv\cachtokn.dll" />
<add name="HttpCacheModule" image="%windir%\System32\inetsrv\cachhttp.dll" />
<add name="StaticCompressionModule" image="%windir%\System32\inetsrv\compstat.dll" />
<add name="DefaultDocumentModule" image="%windir%\System32\inetsrv\defdoc.dll" />
<add name="DirectoryListingModule" image="%windir%\System32\inetsrv\dirlist.dll" />
<add name="ProtocolSupportModule" image="%windir%\System32\inetsrv\protsup.dll" />
<add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
<add name="AnonymousAuthenticationModule" image="%windir%\System32\inetsrv\authanon.dll" />
<add name="RequestFilteringModule" image="%windir%\System32\inetsrv\modrqflt.dll" />
<add name="CustomErrorModule" image="%windir%\System32\inetsrv\custerr.dll" />
<add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
<add name="RequestMonitorModule" image="%windir%\System32\inetsrv\iisreqs.dll" />
<add name="IsapiModule" image="%windir%\System32\inetsrv\isapi.dll" />
<add name="IsapiFilterModule" image="%windir%\System32\inetsrv\filter.dll" />
<add name="ConfigurationValidationModule" image="%windir%\System32\inetsrv\validcfg.dll" />
<add name="ManagedEngine" image="%windir%\Microsoft.NET\Framework\v2.0.50727\webengine.dll" preCondition="integratedMode,runtimeVersionv2.0,bitness32" />
<add name="ServerSideIncludeModule" image="%windir%\System32\inetsrv\iis_ssi.dll" />
<add name="WindowsAuthenticationModule" image="%windir%\System32\inetsrv\authsspi.dll" />
<add name="ManagedEngineV4.0_32bit" image="c:\Windows\Microsoft.NET\Framework\v4.0.30319\webengine4.dll" preCondition="integratedMode,runtimeVersionv4.0,bitness32" />
<add name="ManagedEngineV4.0_64bit" image="c:\Windows\Microsoft.NET\Framework64\v4.0.30319\webengine4.dll" preCondition="integratedMode,runtimeVersionv4.0,bitness64" />
</globalModules>
</pre>

=== Solving HTTP Error 404 Error occurring immediately on opening NEOSYS login page on a new server installation: "System Failure. Do you want to retry?" ===

This error message is caused by failing to enable Active Server Pages in the IIS configuration. To resolve this in windows 2008, [[Configuring_IIS#Configure_file_uploads_besides_adding_the_images_directory| ensure that Read, Script, Execute is ticked (enabled) in the feature permissions of these Handler Mappings.]]

This message is from IE8 and a Windows 2003 server. The message may be different for other browser versions.

<pre>
Message from web page.

System Failure. Do you want to retry?

The page cannot be found
The page you are looking for might have been removed, had its name change, or it temporarily unavailable.

Please try the following:
(omitted)
HTTP Error 404 - File or directory not found.
Internet Information Services (IIS)
</pre>

[[image:http404.jpg]]

=== Solving HTTP 404 Webpage cannot be found ===

This error message clearly states that the page cannot be found. Check for the requested page in the client website folder under the virtual directory data. This page will be available under the data folder in D:\neosys\data. A possible cause of this error is by failing to create a virtual directory called data linked to D:\neosys\data:

[[image:http404p.jpg]]

=== Solving "Service unavailable" error due to disabled application pool ===

====Problem:====

Browser shows "Service unavailable" when trying to access NEOSYS

[[image:serviceunavailable.jpg]]

Check if IIS application pool is disabled. IIS application pool gets automatically disabled after a series of worker process failures.

Open system logs and check for W3SVC error with event ID 1002 to confirm that the application pool was disabled automatically due to a series of failures in the process(es) serving that application pool.

[[image:w3svcerror.jpg]]

====Solution:====
Open IIS, expand application pools, right-click the application pool that was automatically disabled, and click Start.
Browse to NEOSYS website to check if the problem is fixed.

====Additional Information:====

To view the settings for the number of process failures after which the application pool gets disabled, go to IIS, expand application pools, right-click the application pool, click "Set Application Pool Defaults" (for Windows Server 2003, right-click the application pool, click properties and then go to the "Health" tab).

"Rapid-Fail Protection" is the feature that disables the application if there are a certain number of worker process failures within a specified time period.

As per the configuration shown in the example screenshot below, application pool "DefaultAppPool" will be automatically disabled if 5 or more worker process failures happen within a time period of 5 minutes.

[[image:apppool.jpg]]

===Solving Error "The specified Executable does not exist on the server"===

While adding Script Map in Handler Mappings in the above step, if you get the below error, this means you have not yet run the Maintenance window/ NEOSYS processes and skipped steps in Installing NEOSYS. File upload.dl_ is installed from NEOSYS.EXE or NEOSYS2.EXE and converted to .dll the first time you run NEOSYS Maintenance/Process. You can also manually rename the file to upload.dll.

[[image:Dll_error.png]]

=== Solving IIS error 500 on uploading for windows 2008===

To test if permissions are the problem, in grant full control to IUSR over the whole client directory e.g d:\neosys or d:\hosts\clientx in security tab of windows explorer and see if you can upload.

Regardless of the result, remove the full control permissions since they are a security risk.

If permissions are the problem then grant specific permissions as follows:

#images folder - read and write permissions (but not execute)
#dll folder - read and execute permission (no write permission)

=== Solving error "Upload folder cannot be created.The system cannot find the drive specified" ===

This error message comes up when the file uploads are configured to a different location in the software than what is set up in IIS.

There is an internal system configuration in line 49 of the DOS SYSTEM.CFG file which mentions the upload folder location (normally blank which means xxxxxx\images\ where xxxxxx is the installation directory e.g d:\neosys)

In installations where the images are uploaded to a place other than the installation directory, the configuration may say something like h:\images\ where h represents the drive where the folder is located e.g on an external USB drive. This may be done in case of client installations where file uploads are configured on USB drives due to a huge number of files getting uploaded.

The IIS and internal system configuration must agree, otherwise users will probably not be able to upload files, or the uploaded files may not be saved in the right place and may be lost, not backed up and/or not viewable.

To fix this issue, you MUST link the '''images''' folder in IIS to xxxxxx\images\ where xxxxxx is the directory of the images folder as shown in the error message.

[[File:Uploaderror.png]]

===[[Troubleshooting_NEOSYS_Generally#Solving_.E2.80.9Cpage_not_found.E2.80.9D_or_.22HTTP_Error_404.3_-_Not_Found.22_when_downloading_some_file_types_after_uploading_them_successfully|Solving “page not found” or "HTTP Error 404.3 - Not Found" when downloading some file types after uploading them successfully]] ===

Setting up HTTPS

2018-10-06T17:17:05Z

Steve:

== Setting up HTTPS for NEOSYS website ==

CAUTION: When importing certificates on servers that are not owned by NEOSYS you MUST NOT check the "allow certificate export" option otherwise anybody with access to the server can steal the NEOSYS certificate and pass off their own servers as NEOSYS certified.

NEOSYS has a very simple way of enabling https for all the clients. Every client has been set up with domain name " *.hosts.neosys.com " where "*" is the clientname.

Pre prepared certificate for *.hosts.neosys.com web sites is present on the nl10r/win3 server. The certificate is signed by COMODO and supports SHA2 security algorithm. It is portable, ensures authenticity and is widely supported. Also refer to [http://itwiki.neosys.com/index.php/SSL_certificate SSL certificate]

If a client's URL is not as per NEOSYS standards, but has been in use for many years, do not change the URL without a good enough reason.

=== Creating a single HTTPS web site on Windows 2008 ===

To create a single HTTPS web site on Windows 2008, follow three simple steps:

*Copy the "*.hosts.neosys.com.pfx" certificate saved in d:\hosts\certificates on win3 to the server (password to be used is present in a text file in the same folder).
*Import the certificate to IIS without option to export and MUST be deleted after import. See [http://techwiki.neosys.com/index.php/Setting_up_HTTPS#Steps_to_follow_while_importing_certificate_and_why Importing certificate in IIS] for details.
*Click on Sites > Client Web Site > Bindings. In the Bindings section - click on Add and select https, All Unassigned IP addresses, port 4430 and select the certificate from the drop down and click OK.

[[image:sslwin2008-2.jpg]]
[[image:sslwin2008-3.jpg]]

[[image:sslwin2008-4.jpg]]

Test the site from explorer to make sure it works.

=== Creating a single HTTPS web site on Windows 2003 ===

*Copy the "*.hosts.neosys.com.pfx" certificate saved in d:\hosts\certificates on win3 to the server. (password to be used is present in a text file in the same folder)
*Click on Sites > Properties > Directory Security > Server certificate. Follow the steps in the wizard to import/bind the certificate to port 4430. See [https://support.microsoft.com/en-us/kb/816794 Installing imported certificate in Windows 2003 IIS] for detailed steps to import.

=== Creating multiple HTTPS web sites on NEOSYS hosted server ===

All clients hosted on NEOSYS servers use the same IP address but unique HTTPS port numbers starting from 4431 onwards. The unique port number should be one greater than the highest port number available on the server under IIS manager -> NEOSYS ->Sites.

*Click on Sites > Client Web Site > Bindings. In the Bindings section - click on Add and select https, All Unassigned IP addresses, port 4430 and select the "*.hosts.neosys.com.pfx" certificate from the drop down and click OK.

Since the http access is not required for any Client on NEOSYS hosted server, this step of https binding can be performed while creating the client website as shown in the screen shot below.

[[image:IISwin3.png]]

=== Steps to follow while importing certificate and why ===

#It MUST be imported WITHOUT OPTION TO EXPORT and
#It MUST be deleted after import.

It is especially important to keep pfx files off clients own servers because they are commonly directly exposed to potentially infected employees computers and/or personal devices via the corporate LAN so they may be far less secure than NEOSYS own servers which are reasonably well isolated. If a pfx file is obtained by criminal hackers, perhaps using automated tools, and the pfx password guessed, brute forced, or broken in some way, the keys contained could in principle be used against us or our clients. If the pfx file is a wildcard that supports any subdomain, then loss in one place could affect others. The chances of all this happening is probably very low but NEOSYS needs to be prepared to pass IT audits and leaving keys around will be viewed as having a culture of low security standards.

==Setting up HTTPS for installations with more than 1 database==

In cases where there are multiple databases within the same installation, you can use the same website to access all the databases. In case the Client asks for separate domain names for multiple databases, use the same steps as explained in [[Setting_up_HTTPS#Setting_up_HTTPS_for_NEOSYS_website|Setting up HTTPS]] as the case maybe.

==Setting up HTTPS for installations where outside office access is usually restricted==

During a new installation, support staff MUST import the certificate to IIS, bind the certificate to NEOSYS website (following the steps mentioned above in [[Setting_up_HTTPS#Creating_a_single_HTTPS_web_site_on_Windows_2008|Creating a single HTTPS web site]]) and test if NEOSYS can be accessed via https on the server (https://localhost:4430), so that no problems are faced in future if the client ever requests for outside access with their management's approval.

Since the client management has informed that outside access is not required, close the server's port 4430 (i.e. remove 4430 from Windows Firewall exceptions). Do not remove the certificate binding in IIS.

If and when https access is required by the client, this can be enabled by unblocking the server's port 4430 and instructing the client to get their IT to configure the router to port forward port 4430 for https.

== Troubleshooting setup of multiple HTTPS websites ==

=== Error while binding COMODO signed certificate to NEOSYS website===

[[image:Test11.jpg]]

A specified logon session does not exist. It may already have been terminated.

If importing a certificate ONCE at the top level onto a NEOSYS controlled server with multiple web sites then you need to have used the you need to "mark the private key as exportable".

Setting up HTTPS

2018-10-06T17:11:22Z

Steve: /* Error while binding COMODO signed certificate to NEOSYS website */

== Setting up HTTPS for NEOSYS website ==

NEOSYS has a very simple way of enabling https for all the clients. Every client has been set up with domain name " *.hosts.neosys.com " where "*" is the clientname.

Pre prepared certificate for *.hosts.neosys.com web sites is present on the nl10r/win3 server. The certificate is signed by COMODO and supports SHA2 security algorithm. It is portable, ensures authenticity and is widely supported. Also refer to [http://itwiki.neosys.com/index.php/SSL_certificate SSL certificate]

If a client's URL is not as per NEOSYS standards, but has been in use for many years, do not change the URL without a good enough reason.

=== Creating a single HTTPS web site on Windows 2008 ===

To create a single HTTPS web site on Windows 2008, follow three simple steps:

*Copy the "*.hosts.neosys.com.pfx" certificate saved in d:\hosts\certificates on win3 to the server (password to be used is present in a text file in the same folder).
*Import the certificate to IIS without option to export and MUST be deleted after import. See [http://techwiki.neosys.com/index.php/Setting_up_HTTPS#Steps_to_follow_while_importing_certificate_and_why Importing certificate in IIS] for details.
*Click on Sites > Client Web Site > Bindings. In the Bindings section - click on Add and select https, All Unassigned IP addresses, port 4430 and select the certificate from the drop down and click OK.

[[image:sslwin2008-2.jpg]]
[[image:sslwin2008-3.jpg]]

[[image:sslwin2008-4.jpg]]

Test the site from explorer to make sure it works.

=== Creating a single HTTPS web site on Windows 2003 ===

*Copy the "*.hosts.neosys.com.pfx" certificate saved in d:\hosts\certificates on win3 to the server. (password to be used is present in a text file in the same folder)
*Click on Sites > Properties > Directory Security > Server certificate. Follow the steps in the wizard to import/bind the certificate to port 4430. See [https://support.microsoft.com/en-us/kb/816794 Installing imported certificate in Windows 2003 IIS] for detailed steps to import.

=== Creating multiple HTTPS web sites on NEOSYS hosted server ===

All clients hosted on NEOSYS servers use the same IP address but unique HTTPS port numbers starting from 4431 onwards. The unique port number should be one greater than the highest port number available on the server under IIS manager -> NEOSYS ->Sites.

*Click on Sites > Client Web Site > Bindings. In the Bindings section - click on Add and select https, All Unassigned IP addresses, port 4430 and select the "*.hosts.neosys.com.pfx" certificate from the drop down and click OK.

Since the http access is not required for any Client on NEOSYS hosted server, this step of https binding can be performed while creating the client website as shown in the screen shot below.

[[image:IISwin3.png]]

=== Steps to follow while importing certificate and why ===

#It MUST be imported WITHOUT OPTION TO EXPORT and
#It MUST be deleted after import.

It is especially important to keep pfx files off clients own servers because they are commonly directly exposed to potentially infected employees computers and/or personal devices via the corporate LAN so they may be far less secure than NEOSYS own servers which are reasonably well isolated. If a pfx file is obtained by criminal hackers, perhaps using automated tools, and the pfx password guessed, brute forced, or broken in some way, the keys contained could in principle be used against us or our clients. If the pfx file is a wildcard that supports any subdomain, then loss in one place could affect others. The chances of all this happening is probably very low but NEOSYS needs to be prepared to pass IT audits and leaving keys around will be viewed as having a culture of low security standards.

==Setting up HTTPS for installations with more than 1 database==

In cases where there are multiple databases within the same installation, you can use the same website to access all the databases. In case the Client asks for separate domain names for multiple databases, use the same steps as explained in [[Setting_up_HTTPS#Setting_up_HTTPS_for_NEOSYS_website|Setting up HTTPS]] as the case maybe.

==Setting up HTTPS for installations where outside office access is usually restricted==

During a new installation, support staff MUST import the certificate to IIS, bind the certificate to NEOSYS website (following the steps mentioned above in [[Setting_up_HTTPS#Creating_a_single_HTTPS_web_site_on_Windows_2008|Creating a single HTTPS web site]]) and test if NEOSYS can be accessed via https on the server (https://localhost:4430), so that no problems are faced in future if the client ever requests for outside access with their management's approval.

Since the client management has informed that outside access is not required, close the server's port 4430 (i.e. remove 4430 from Windows Firewall exceptions). Do not remove the certificate binding in IIS.

If and when https access is required by the client, this can be enabled by unblocking the server's port 4430 and instructing the client to get their IT to configure the router to port forward port 4430 for https.

== Troubleshooting setup of multiple HTTPS websites ==

=== Error while binding COMODO signed certificate to NEOSYS website===

[[image:Test11.jpg]]

A specified logon session does not exist. It may already have been terminated.

If importing a certificate ONCE at the top level onto a NEOSYS controlled server with multiple web sites then you need to have used the you need to "mark the private key as exportable".

Configuring NEOSYS on Windows 10

2018-04-11T16:02:38Z

Steve: /* Excluding ntvdm.exe from Windows Defender */

== Installing NEOSYS on Windows 10 ==

32 bit Windows 10 Pro and Enterprise (NOT 64 bit) will run and serve NEOSYS fine.

32 bit Windows Home is not fully suitable because it does not have IIS web server. NEOSYS processes will run on Windows 10 Home 32 bit but IIS will have to be configured on another computer with access to the NEOSYS folders via a share. The computer running IIS could be any version of Windows including 64 bit.

=== Installing IIS using appwiz.cpl ===

#Use windows search bar to navigate to 'Windows Features'
#Check 'IIS' & expand 'IIS'
#Expand 'World Wide Web Services'
#Expand 'Application Development Features'
#Check 'ASP'
#Click OK
[[image:Win10checkASP.jpg]]

=== Excluding ntvdm.exe from Windows Defender ===

Must be done otherwise performance according to FILESPEED is 10 to 20 times slower.

#Use windows search bar to navigate to 'Virus & threat protection', 'Virus & threat protection settings'.
#Scroll down to subheading 'Exclusions' and click on 'Add or remove exclusions'.
#Click + button and add process "ntvdm.exe".

Note that excluding folders or file extensions does not fully restore file speed to NEOSYS whereas excluding process ntvdm.exe does.

[[image:Win10exclusion1.png]]

=== Running AREV.EXE in compatibility mode ===

#Right click AREV.EXE in \neosys\ folder
#Properties
#Compatibility tab
#Run with compatibility for Win95

=== Configuring Windows Automatic Update ===

#Use windows search bar to navigate to 'Local Group Policy Editor'.
#Expand 'Computer Configuration'.
#Expand 'Administrative Templates'.
#Expand 'Windows Components'.
#Scroll down & expand 'Windows Update'.
#Double click on 'Configure Automatic Updates'.
#Check 'Enabled'.
#In drop down menu choose the "4 - Auto download and schedule the install" option.
#Then choose day "1 - Every Sunday".
#Time by default is set to 3:00.
#Click apply.

[[image:Win10setAutoUpdate.jpg]]

=== Get NEOSYS process running ===

#Open command prompt.
#Right click on window and select 'Properties'.
#Check "Use Legacy Console".

[[image:Win10legacyoption.jpg]]

Troubleshooting email not received

2018-02-28T13:32:37Z

Steve: /* Check Nagios system if any email stuck in outgoing email queue */

== Troubleshooting email not received ==

=== Was any email actually sent? ===

Possibly the server was switched off at the time the email was supposed to be sent. Check the server uptime or logs. Check NEOSYS server monitor history.

Rerun the report or program with the exact same options and conditions. Monitor the process on the server maintenance screen looking for messages that emails have been sent or not.

=== Check log for any problems sending email ===

#First step is Login to client’s server, open NEOSYS check the logs in support menu.
#It will generate the log report, check the report thoroughly and see if there is any error shown around the time that the emails were supposed to be sent.

==== Error: No logs found ====
No logs found for the date while checking the logs in support menu.

'''Error explained''':
This above error means that no error has been logged on the date you selected.

==== Error: Failed to connect to the server ====

[[Image:001.png]]

If report shows the error shown above then do the following steps to check why the email was not sent out.

This above error means that but the mail could not be sent due to an inability to connect to the outgoing email server.

See [[Troubleshooting_NEOSYS_Generally#Solving_NEOSYS_smtp_server_failure|Solving NEOSYS smtp server failure]]

=== Check NEOSYS email configuration ===

NEOSYS needs to know how to send email. The default configuration is mailout.neosys.com 2500

Check the configuration in NEOSYS Support Menu, System Configuration File.

=== Send a test email ===

WARNING This test requires a version of NEOSYS later than 5th Dec 2012 otherwise no error message is shown in some cases when there is in fact an error.

Check if you can send a test email. Go to maintenance mode and press F5 then type the following.

sendmail support@neosys.com

If mail server accepts the message then you will see the following.

This is no guarantee that the mail server can or will deliver the email to the recipient.

╔═════════════════════════════════════════════════════════════════╗
║ Step 1 OK. Mail for SUPPORT@NEOSYS.COM accepted by mail server. ║
║ ║
║ Step 2. Now check if actually received by recipient ║
║ to verify that the mail server can actually ║
║ deliver email to SUPPORT@NEOSYS.COM ║
║ ║
║ < Press any key > ║
╚═════════════════════════════════════════════════════════════════╝

If there is some problem connecting to the mail server then you might see something like the following:

╔══════════════════════════════════════════════════════════════╗
║ SUPPORT@NEOSYS.COM ║
║ Error in sendmail.js, CDO.Message.Send(). The transport ║
║ failed to connect to the server. ║
║ ║
║ From: companyxyz@neosys.com ║
║ To: support@neosys.com ║
║ Server: mailout.neosys.com ║
║ Port: 2500 ║
║ < Press any key > ║
╚══════════════════════════════════════════════════════════════╝

To solve unreliable connections to NEOSYS email server, see [[Troubleshooting_NEOSYS_Generally#Solving_NEOSYS_smtp_server_failure|Solving NEOSYS smtp server failure]]

=== Invalid Sender Email Address in NEOSYS System Configuration File ===

The following problem might indicate that the "Sender email address" is not acceptable to the mail server - even though the message mentions a problem with "recipient addresses".

For sending email via the default NEOSYS mailout.neosys.com server the "Sender Email Address" MUST end in @neosys.com eg companyxyz@neosys.com.

╔══════════════════════════════════════════════════════════════╗
║ SUPPORT@NEOSYS.COM ║
║ Error in sendmail.js, CDO.Message.Send(). The server ║
║ rejected one or more recipient addresses. The server ║
║ response was: 550 Administrative prohibition ║
║ ║
║ From: neosys@companyxyz.com ║
║ To: support@neosys.com ║
║ Server: mailout.neosys.com ║
║ Port: 2500 ║
║ < Press any key > ║
╚══════════════════════════════════════════════════════════════╝

=== Check the size of the mail being sent to client's email account===

Email could be missing due to the reason that NEOSYS mail exceeds the upper limit of mail size on client mail server. Confirm the upper limit of mail size with client IT and check the size of email being sent by NEOSYS. For large clients a whole years report could exceed 10MB, which is the common upper limit for most mail servers. Ask client's IT to increase the upper limit of mail size to receive emails with large report from NEOSYS. NEOSYS staff can advise users to test a report attached email for a small period to check if emailed reports can actually be received by client's email or not. Also see [http://userwiki.neosys.com/index.php/Media_FAQ#How_to_handle_.22No_Response_from_the_database_server_in_600_seconds.22 whether email is received when Email Body is chosen as the Report Delivery option.]

=== Check Nagios system if any email stuck in outgoing email queue ===

Nagios Monitoring system checks and warns if there are any emails stuck in outgoing email queues on all NEOSYS servers, including imap/smtp, nl8, mailout and mailout2.

If there are any emails in the queues, Nagios Monitoring system will report the problem and you can get information about exactly what is pending and why it is, by clicking and inspecting the service in detail.

=== Check low level network connectivity to the mail server ===

To test if there is basic connectivity - from the client server to the configured email server, type the following in command prompt, on the client server.

You might need to install Windows option for Telnet on Windows 2008. A software firewall installed on the workstation may block connections selectively by program so you might be able to send email by telnet but not by outlook for example.

Assuming that the configuration is the default of mailout.neosys.com port 2500. You must use your configuration.

telnet mailout.neosys.com 2500

it will show you

Connecting to mailout.neosys.com ...

==== Successful connection ====

Blank window with some text at the top. This text can vary slightly but will usually mention SMTP somewhere.

220 mailout.neosys.com ESMTP Postfix (Ubuntu)

Try to send an email using telnet as shown below. Type the bits in bold in the following with no mistyping since backspace doesn't work.

220 mailout.neosys.com ESMTP Postfix (Ubuntu)
'''helo steve'''
250 mailout.neosys.com
'''mail from:<clientname@neosys.com>''' (use client name which is appropriate to the situation to identify sender)
250 2.1.0 Ok
'''rcpt to:<support@neosys.com>''' (use a recipient email ID which is appropriate to the the situation)
250 2.1.5 Ok
'''data'''
354 End data with <CR><LF>.<CR><LF>
'''Testing'''
'''Testing''' (don't forget to end with a dot on a new line)
'''.'''
250 2.0.0 Ok: queued as 872B21F6
'''quit'''
221 2.0.0 Bye
Connection to host lost.

==== Unsuccessful connection ====

If there is some network connection problem or the mail server is not running then after a while it will show something like:

Could not connect to the host, on port 2500: Connect failed

If you determine that there is a basic problem connecting to the mail server then and other locations are not facing the same problem then contact the IT administrator of the network and probe if they have outgoing ports (2500 in this case) blocked or filtered on their firewall.

See [[Troubleshooting_NEOSYS_Generally#Solving_NEOSYS_smtp_server_failure|Solving NEOSYS smtp server failure]]

=== Ensure missing email is not being treated as spam by NEOSYS email server ===

Email could be missing due to the reason that NEOSYS mail server might be treating it like spam.
Escalate issue to NEOSYS IT, who will check if missing email is being treated as spam.

Upgrading NEOSYS

2018-02-01T20:34:28Z

Steve: /* Restart IIS web server */

==Prior to Upgrade==
When any change is made to NEOSYS, it is the responsibility of the Support staff to test and verify that there are no errors. Proceed to upgrade NEOSYS only after Support staff has tested and confirmed that the new features are working fine. Do NOT install untested versions of NEOSYS under any circumstance.

Any patches done on the client will be overwritten when NEOSYS is upgraded. The patch fixes will be lost if not included in the version of NEOSYS being installed. So support staff must do the following prior to upgrading:

#Find out if any patches were done to the client between the last upgrade and current date. There is no certain way to do this, apart from support staff memory and by checking support emails.
#Check whether the patches (if any) are included in the version to be installed.
#Inform the programmer if the patches are not included.
#Upgrade NEOSYS only after confirming that the patches are included and tested on TEST system.

== Upgrading NEOSYS fully ==
NEOSYS can be upgraded in two ways either the evening before the nightly backup or during the day.

Procedure to upgrade NEOSYS during the day.

#Email the management and staff the standard email on upgrade for agreement of time.
#Confirm the date and time and inform the staff about the update.
#During upgrade make sure all users are logged off and follow the installation procedures.
#Once the upgrade is over mail the management and staff the steps they should perform before using NEOSYS.

NEOSYS can also be upgraded with smaller patches by the programmer and this can be done at any time while the users are working.

For any non Dubai client if their weekend falls on Support team's weekday e.g Sunday is a holiday in Beirut/Cyprus, NEOSYS support should schedule upgrades on those days so that Client doesn't face any downtime.

Avoid major upgrades on Sundays because weekend issues have often accumulated and need to be solved and at times the programmer is not available in case issues arise.

=== Sample Emails to be sent PRIOR to Upgrading NEOSYS ===
Any decision or instructions related to upgrading NEOSYS must be in support@neosys.com i.e. please ensure that all emails are sent to clients while mentioning support@neosys.com in cc.

For situations where the upgrade email was sent out with wrong information, support MUST resend the upgrade email with the correct information to inform all users about the change.

==== Informing the client of the intention to upgrade ====

Email all users using Email Users option in Help Menu.

'''SAMPLE EMAIL - VERSION 1: Quick Upgrade'''

Quick Upgrade only applies to Clients with less than 10 users, Clients having large installations will always have a planned upgrade.
<pre>
Dear Team,

NEOSYS needs to be upgraded to its latest version because (give reason).

We will upgrade between (selected time period, according to the Client's time zone) on (the selected date, it can be the same day also).

* Please inform all users that they should be logged off during the upgrade.

We will notify you immediately once the upgrade is complete.
</pre>

'''SAMPLE EMAIL - VERSION 2: Planned Upgrade'''

Email MUST be sent no less than 7 WORKING HOURS prior to upgrade, and for large NEOSYS clients with many users as far in advance as possible and no less than 15 WORKING HOURS, so that the client has enough time to bring up any concerns related to the upgrade or its timing. In the case of large clients, a reminder should be sent the day prior to the upgrade, preferably before noon. In case, not possible to meet these deadlines, then the upgrade MUST be postponed and handled properly at a late date.

<pre>
Dear Team,

NEOSYS needs to be upgraded to its latest version because (give reason).

We will upgrade between 9 am – 10 am (change as per the Client's time zone if Client not located in Dubai) on (the selected date).

The upgrade will be done first thing in the morning after the nightly backup to complete the upgrade in a short time .

* Please inform all users that they should be logged off during the upgrade.
* Please contact NEOSYS support immediately if you have any concerns about the upgrade.

We will notify you immediately once the upgrade is complete.
</pre>

=== Downloading ===

Latest version of NEOSYS is available at http://www.neosys.com/support/neosys2.exe

In NEOSYS servers housed at client location, download neosys2.exe using IE in NEOSYS\downloads folder and rename it to neosys2-(DATE).exe (eg neosys2-10th November 2009.exe) - this is to keep track of the various downloads we do for the client and also allows to install a previous version if needed.

In situations where NEOSYS hosts clients in its own servers, download neosys2.exe into your computer first. Then copy-paste it into the server using SFTP in Tunnelier.

'''*** IMPORTANT: DO NOT RUN/EXECUTE THE NEOSYS EXE FILE NOW ***'''

=== Downloading previous versions of NEOSYS ===
The 9 previous versions of neosys are stored at:

http://www.neosys.com/support/neosys21.exe

http://www.neosys.com/support/neosys22.exe

http://www.neosys.com/support/neosys23.exe

http://www.neosys.com/support/neosys24.exe

http://www.neosys.com/support/neosys25.exe

http://www.neosys.com/support/neosys26.exe

http://www.neosys.com/support/neosys27.exe

http://www.neosys.com/support/neosys28.exe

http://www.neosys.com/support/neosys29.exe

=== Backing up prior to upgrading ===
THIS WHOLE BACKUP PROCEDURE IS MANDATORY

Make sure that all NEOSYS users are logged off and the processes are closed before you do any folder copying.

The upgrade procedure includes taking a copy of the programs. If the upgrade fails due to some reason the NEOSYS folder can be reverted back to how it was before the upgrade attempt. Also in case the Client has critical issues using the new version then we will be able to revert them to the old version if the versions are not too different. If this is done by coping the programs back to the original location then no authorisation number will be required. The directories that contain the programs are:
*D:\NEOSYS\NEOSYS
*D:\NEOSYS\NEOSYS.NET

After completing the upgrade, do NOT delete the backup copy of above NEOSYS directories otherwise you will not be able to revert it back in case of issues due to upgrade.

==== Small Installations ====
#Take a normal proper backup using the NEOSYS Support Menu - for all live databases if there is more than one.
#If a USB change was made by the client's IT person prior to doing this manual backup, ensure that after the upgrade is done, the backup file for that manual backup is moved to another location (preferably in a new folder on the D drive)so that the clients backup cycle is not affected by the existence of a days backup in the USB before the cycle actually begins the following morning.
#Take a copy of the whole of the D:\NEOSYS folder (or where-ever NEOSYS is installed) into another folder. This way, if the upgrade fails due to some reason, the NEOSYS folder can be reverted back to how it was before the upgrade attempt. You can omit the D:\NEOSYS\IMAGES and D:\NEOSYS\LOGS folders from the copy to save time. Preferably place the copy on another disk or partition so that it is not included in any whole disk backup that might be running in parallel to NEOSYS backup.

==== Large Installations ====

This includes multiple installations on the same server eg NEOSYS hosts.

Copying the whole of the D:\NEOSYS folder can take so much time as to be virtually impossible. In this case do the upgrade EARLY IN THE MORNING since all the data will have been backed up the previous night. The NEOSYS nightly backup only backs up data, so you MUST manually take copies of the program folders mentioned above.

=== Installing ===
PRECAUTION:
DO NOT install versions of NEOSYS older than the one currently installed, even by mistake. LOOK CAREFULLY at the version note when you open the upgrade file.

Run / Execute the .EXE file that you downloaded into the NEOSYS\downloads folder and Install to D:\NEOSYS\ .

Closing NEOSYS processes should happen automatically during upgrade but you can also do it manually as follows:

[[Administering_NEOSYS_Server#Closing_NEOSYS_Services|Closing NEOSYS Services ]]

The installation procedure first creates a GLOBAL.END file in the NEOSYS programs folder causing all serving processes to terminate. Maintenance processes must be terminated manually.

Next, the installation procedure attempts to update the WAITING.EXE file and, if the processes haven’t terminated quickly enough, this will fail asking for retry or abort. Retry immediately or once all the processes have terminated.

The last step of the installation procedure is to delete the GLOBAL.END file to allow processes to start normally.

=== Restart IIS web server ===

This is not necessary for versions of NEOSYS starting Feb 2018 and probably of no effect on prior versions either.

Skip this if you are performing a quick upgrade without getting users offline as restarting IIS kills login sessions therefore forces people to login again.

Quickest way to restart IIS when upgrading is to use the very simple command in the command line as follows:
iisreset

You can also restart the IIS web server either from the IIS service control panel or from the command line as follows:
net stop w3svc
net start w3svc

The objective behind restarting IIS is to avoid the users facing problems using NEOSYS until they clear cache.

=== Post installation steps ===
New versions of the software sometimes perform quick or long database conversions.

Start NEOSYS in maintenance mode immediately after upgrading, as this will put you more in control if anything goes wrong.

If the upgrade does not require users to clear their cache (because there is no change in the user interface) then BEFORE starting any NEOSYS process, enter maintenance mode and when asked "if you want to email users about the upgrade", select No.

You MUST start a NEOSYS process after upgrade else users will get an error message "database is not available" while logging in.

Set Handler Mappings for win3 clients refer [http://techwiki.neosys.com/index.php/Configuring_IIS#Configure_file_uploads_besides_adding_the_images_directory link ]

=== NEOSYS version ===

You can check the current version of NEOSYS under Menu>Help>About. After an upgrade, changes in the server process software causes an increment in the version date. Unfortunately changes in the NEOSYS user interface only does not always cause an increment in the version date

=== Email sent to the Clients after an upgrade ===

On starting a NEOSYS process or maintenance mode after an upgrade, NEOSYS will automatically email all the users something like the following:

<pre>
The NEOSYS system software has been upgraded

Before you login to NEOSYS, please follow the instructions at
http://userwiki.neosys.com/index.php/cache to avoid error using NEOSYS.

Please email SUPPORT@NEOSYS.COM for any assistance.

This is an automated email. You cannot reply to it.
</pre>

Currently this email is only sent to the users in the *first* database started. If there are other live databases in the same NEOSYS installation that users should be emailed then you can trigger the email in maintenance mode for the desired database as follows:

EMAILUSERS UPGRADE

=== Sample email to be sent to clients who face issues due to failure in clearing browser cache ===
<pre>
Dear XYZ,

You are facing this error because you have failed to clear your browser cache as instructed in the upgrade notification email.
In order to resolve this issue please follow instructions in the following wiki link:

http://userwiki.neosys.com/index.php/Cache

Please seek the help of your IT or NEOSYS-expert colleague to help you with the above step if needed.
</pre>

=== Troubleshooting ===
If you choose to abort the installation for any reason then the GLOBAL.END file will have to be deleted manually since its presence prevents any processes from starting up.

==== Handling "Error opening file for writing" while executing the NEOSYS setup file ====

During an upgrade if you see a message saying "Error opening file for writing", this means there is a file which is in use by a process and NEOSYS didnt shutdown yet. You should look for a process which is still running and wait for it to end after that you can click on Retry and proceed with the upgrade. In case the process does not close automatically then investigate for an invisibly hung process and close it.

If the error message still does not go then you can abort the installation, investigate further for any process or file in use and close all processes hung/invisible so that NO process is running. Once this is done, re run the set up file and upgrade the installation.

[[File:Setup.jpg]]

== Upgrading NEOSYS with patch files ==
Patch files can be used to update a very recent installation of neosys without doing a full install and without getting people out of NEOSYS.

WARNING: DO *NOT* INSTALL OLDER PATCH FILES ON NEWER VERSIONS OF NEOSYS

Only install patch files dated after the NEOSYS software version date. If in doubt, do a full install.

#Copy the file which is probably something like ADAGENCY.1 or ACCOUNTS.1 to the neosys\neosys folder
#Open Maintenance Mode and Press F5
#Type the command to install the patch as follows:
#:If the filename of the patch file is ADAGENCY.1 then type
#: <pre>INSTALL ADAGENCY</pre>
#:If the filename of the patch file is ACCOUNTS.1 then type
#: <pre>INSTALL ACCOUNTS</pre>
#Follow instructions on screen

== Quick Upgrade ==
In certain cases, we may have to perform an upgrade during client's working hours without causing much delay to client for certain minor bug fixes. In such a situation there are no upgrade emails sent prior to upgrading the client and consequently we are not asking the users to log off from the system.

Procedure:
#Backup the NEOSYS folder.
#*Go to the folder where NEOSYS is installed and do select all, copy & paste i.e. ctrl+a , ctrl+c & ctrl+v
#Download the latest version of NEOSYS from http://www.neosys.com/support/neosys2.exe in NEOSYS\downloads folder and rename it to neosys2-(DATE).exe
#Run the exe file
#Restart NEOSYS processes on the server immediately after the installation has completed!

Restricting usage of NEOSYS to licence period

2018-01-31T09:44:24Z

Steve: /* Entering NEOSYS licensing information */

=== Restricting usage of NEOSYS to licence period ===
*A NEOSYS software licence key is granted depending on the last paid up invoice licence period plus optional grace days.
*The NEOSYS software prevents, after the grace period, creation of new documents not dated within the licence period.
*The NEOSYS software does not at any time place any limitation whatsoever on the use of documents already created in the system or the creation of new documents dated within the licence period.
*The intention of NEOSYS licence expiry is to allow the user to continue using the NEOSYS system normally for documents that apply to valid licence periods while at the same time, after a grace period after the expiry of the licence, to prevent them from entering new documents that are related to periods outside the valid licence periods.
*Once a licence has been entered in a database, then usage of that database is thereafter subject to licensing restrictions. (Currently there are no usage restrictions prior to entering any licence, however this may change in later versions of the NEOSYS software and no database may be used without valid licensing in place)

'''Example:'''

The last paid up invoice for software support and licence covered a licence period of one month from '''1 Oct 2009''' to '''31 Oct 2009'''.

A licence key has been installed in the database for the same period and with a grace period of 7 days.

Up to '''7th Nov 2009''' users can create documents without restriction.

From the '''8th Nov 2009''' onwards:
*Users can view and amend any document already created
*Users can create documents dated up to '''31 Oct 2009'''
*Users *cannot* create any new document dated '''1st Nov 2009''' or later

When a user tries to save a new document that 
*does not fall within a valid licence period and
*the current date is more than the number of grace days after the licence expiry date
the user will get the following message:

[[image:licence_period.jpg]]

=== Entering NEOSYS licensing information ===

If adding multiple licences to a database that currently has no licence restrictions, be careful to add any current licences first and historical licences last, so that any active users working on current periods do not get locked out , however briefly.

Use the following code in maintenance mode to view the licences already entered in the database.

CHKLIC

The list of licences is generated as shown below

[[image:licence_list.png]]

The Following steps are done in NEOSYS maintenance mode (F5).

==== Step 1 – Generate “licencetext” ====

Depending on what licence you want to grant, enter the following command. It will show a line of “licencetext” including the computerid and databaseid.

ADDLIC ''modulenames fromdate uptodate daygrace''

All parameters are required and must appear in the order shown.

Generally support should just renew the licence similar to the previous licence unless otherwise instructed. All the required parameters (i.e. modulenames, licence period and days grace) are available in the list of licences report (CHKLIC) mentioned in the previous section.

If the prior licence allows more than 7 days grace, then the days grace for the new licence MUST be determined by NEOSYS accounts team (or whoever asked for the licence to be added).

If there are no prior licences, then the module names, licence period and days grace MUST all be decided by NEOSYS accounts team (or whoever asked for the licence to be added).

''modulenames'' can be any combination of the following, separated by commas with NO spaces, or a single * to allow all modules.

*MEDIA
*JOBS
*FINANCE
*TIMESHEETS

''daygrace'' is how many days after the licence expiry before NEOSYS starts restricting creation of new documents to dates within the licence period.

Example:

ADDLIC MEDIA,FINANCE 1/4/2016 30/6/2016 7

The output for the above code appears as shown below:

<pre>
╒═══════════════════════════════════TCL - 2══════════════════════════════════╕
│ │
│ :ADDLIC MEDIA,FINANCE 1/4/2016 30/6/2016 7 │
│ │
╘═══════╔═════════════════════════════════════════════════════════════╗══════╛
▒▒▒▒▒▒▒▒║ PLEASE GIVE THE FOLLOWING TEXT TO YOUR NEOSYS SUPPORT STAFF ║▒▒▒▒▒▒▒
▒▒▒▒▒▒▒▒║ ║▒▒▒▒▒▒▒
▒▒▒▒▒▒▒▒║ "MEDIA,FINANCE 1/4/2016 30/6/2016 7 084505 225FAB0E" ║▒▒▒▒▒▒▒
▒▒▒▒▒▒▒▒║ ║▒▒▒▒▒▒▒
▒▒▒▒▒▒▒▒║ What is the verification code? ║▒▒▒▒▒▒▒
▒▒▒▒▒▒▒▒║< >║▒▒▒▒▒▒▒
▒▒▒▒▒▒▒▒╚═════════════════════════════════════════════════════════════╝▒▒▒▒▒▒▒
</pre>

==== Step 2 – Request “licencecode” from NEOSYS ====

Give the complete “licencetext” (shown in the above output) to NEOSYS Admin, who will provide the corresponding “licencecode” which is a 1-6 digit number.

==== Step 3 – Enter the licencetext and licencecode ====

Either enter the same command as in step 1 and enter the licencecode when prompted, or enter the following command. The format of the command is almost identical to step 1 but adds computerid databaseid licencecode.

ADDLIC ''modulenames fromdate uptodate daysgrace computerid databaseid licencecode''

Example:

ADDLIC MEDIA,FINANCE 1/4/2016 30/6/2016 7 542684 1D63A3AC 13193

==== Step 4 – Verify that the licence has been added successfully ====

Run CHKLIC in maintenance mode to generate the list of existing licences and verify that the new licence information has been added to this list.

=== Removing NEOSYS Licences ===
If it is no longer required to restrict usage of NEOSYS to a licence period for a database, then delete the licence from that database. All licences installed in a database get removed/deleted once the below commands are followed.

====Step 1 - Generate the licence deletion text====
In maintenance mode, enter the following command
DELLIC

Select Yes.

<pre>
╒═══════════════════════════════════TCL - 2══════════════════════════════════╕
│ │
│ :DELLIC │
│ │
╘════════════════════════════════════════════════════════════════════════════╛
▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒╔════════════════════════════════╗▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒
▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒║ Delete all NEOSYS Licences? ║▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒
▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒║───┬────────────────────────────║▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒
▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒║ 1>Yes ║▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒
▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒║ 2│No ║▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒
▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒╚════════════════════════════════╝▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒
</pre>

Output:

<pre>
╒═══════════════════════════════════TCL - 2══════════════════════════════════╕
│ │
│ :DELLIC │
│ │
╘═══════╔═════════════════════════════════════════════════════════════╗══════╛
▒▒▒▒▒▒▒▒║ PLEASE GIVE THE FOLLOWING TEXT TO YOUR NEOSYS SUPPORT STAFF ║▒▒▒▒▒▒▒
▒▒▒▒▒▒▒▒║ ║▒▒▒▒▒▒▒
▒▒▒▒▒▒▒▒║ "DELETE 741701 2996420B" ║▒▒▒▒▒▒▒
▒▒▒▒▒▒▒▒║ ║▒▒▒▒▒▒▒
▒▒▒▒▒▒▒▒║ What is the verification code? ║▒▒▒▒▒▒▒
▒▒▒▒▒▒▒▒║< >║▒▒▒▒▒▒▒
▒▒▒▒▒▒▒▒╚═════════════════════════════════════════════════════════════╝▒▒▒▒▒▒▒
</pre>

====Step 2 - Request for verification code from NEOSYS====
Give the complete “text” (shown in the above output) to NEOSYS Admin, who will provide the corresponding verification code, which is a 1-6 digit number.

====Step 3 - Enter the verification code====
Either enter the same command as in step 1 and enter the verification code when prompted, or enter the following command in maintenance mode

DELLIC ''verificationcode''

Example

DELLIC 915036

====Step 4 - Verify that all licences have been removed successfully====
Run CHKLIC in maintenance mode to generate the list of existing licences. The NEOSYS licences report should show "0 records".

Installing NEOSYS Service

2018-01-15T05:41:06Z

Steve:

= INSTALLING NEOSYS SERVICE =

Reference to X:\ in the notes below denotes the actual drive letter and needs to be replaced (eg D:\)

== Main installation: ==

Make sure NOT TO COPY an existing NEOSYS installation to another location and ONLY do a
completely new install with a fresh database, because copying a folder will copy a variety of
hidden configurations.

=== Installing NEOSYS on partitions ===
Good server management practice is to have separate partitions for operating system (C:) and data partitions (D:)

In the case of operating system reinstallation (which causes the loss of the C: partition) if NEOSYS programs and data were installed on D: can be preserved. If there is only one partition then NEOSYS programs and data will have to be backed up and restored.

==== Multiple Partitions ====
NEOSYS MUST be installed on a different partition rather than the C drive for reasons already explained above (eg. D drive)

==== Single Partition ====
If there is only one partition then you have to inform the client to take the effort to reinstall the operating system or using third party repartitioning tools to create separate partitions.

=== Downloading and running installation files ===
# http://www.neosys.com/support/neosys.exe ... and unzip/install to X:\neosys (or to X:\hosts\client for multi-installation on one server where "client" is the client folder name which MUST be same as the main database code planned to be used, to reduce the number of codes that are in use. This folder name MUST also be in lower case to maintain consistency and be able to see deviations easily.)
# http://www.neosys.com/support/neosys2.exe ... and install same as previous step.

=== Creating shortcuts ===
In x:\neosys (or x:\hosts\client), make a shortcut called ‘Maintenance’ and link it to

x:\neosys\neosys\adagency.bat (for Adagency install)

or

x:\neosys\neosys\accounts.bat (for Accounts install)

=== Activating NEOSYS using authorization number ===

Start NEOSYS Maintenance, select Initial Backup and it will give a “Computer Number” and ask for an “Authorisation No”

Send the computer number to NEOSYS admin, email: admin@neosys.com to get the authorisation no. Do not leave the authorisation no. promt page open for a long time. This will cause the CPU usage to go to 100%.

If you cannot get the authorisation number immediately then you can close NEOSYS and when you reopen NEOSYS it will still give the same computer number and accept the same authorisation number.

=== Installing initial Database ===
For standard NEOSYS Installations, copy the BACKUP.ZIP file from WIN3 server (D:\DATA.BAK\STARTUP1\"Day of week") and place it on the D drive of the server where we wish to install NEOSYS. You may choose any other drive also but make sure that this file exists in the root folder e.g. D:\BACKUP.ZIP
 

Follow the steps below:
#Click on the Maintenance icon.
#Select BASIC DATA SET and type in the NEOSYS username and password. (If the system does not prompt for a username and password,then go to Quit > Quit to next user and type the same in. If you do not enter with a username and password then NEOSYS will not allow you to restore the database). The first time when you enter maintenance you will get a command box (like when you do F5). If you do not get a command box, hit the F5 key and get it on the screen and hit ESC after you get it.
#Now restore the BACKUP.ZIP (STARTUP DATABASE), to do so go to General > Backup & Data Management, select (the 4th option) Restore from disk or diskette. select D drive (or whichever drive you put the backup.zip file in) and follow the prompts ahead.
#On every successful restore or creation of dataset, system will give you a message to switch to new database always '''say NO''' to this,because the switch to database option brings you back to the BASIC DATA SET. Hence press the ESC button, type EXIT on the F5 prompt.
#Now startup maintenance again and you will find a new database "STARTUP DATABASE" select it and login with NEOSYS username and password. Once you enter you may find a prompt "TASK ADDED" follow the prompt and continue.
#After you have logged in, go to General > Backup & Data Management > Delete a dataset and select the "BASIC DATASET" to delete, to confirm the delete system will ask you to enter the dataset code. Enter the code and delete the basis dataset.
#Now create a new dataset for the client, go to general > Backup & Data management> Create a new dataset, select (6th option) and follow the instruction on how to setup database code from the following link [[Installing_NEOSYS_Service#Assigning_database_codes|Assigning database codes]]
#Once the client dataset is created,login to the clientdataset and follow the steps in above point6 and delete the STARTUP DATABASE. (while logging in to the client dataset, it asks " This database has been copied or the database name or code has been changed. Is this going to be a unique new master database?" select first option YES - Going to be a new independent database.
#To check the list of dataset on the computer, go to go to General > Backup & Data Management > See a list of dataset in the computer(8th option).

Note:
#Sometimes it may tell you that you cannot use FILEMAN as you are logged in as MASTER. Hence you need to hit the ESC key, go to General > Backup & Data Management > Restore from disk or diskette, select C drive or whichever drive you put the backup.zip file in and follow the prompts ahead.
#While doing the step no.2 if you get a message as below just hit enter or space and continue.

[[File:Message while installing.jpg]]

==== Assigning database codes ====
It is necessary to make sure that the following guidelines are met while creating database codes:

#The code MUST be within 8 letters
#The client MUST be instantly recognisable or as recognisable as possible from the main database code
#The test database code MUST END with the word "TEST" and it is not necessary that it must be recognisable. The system needs to know if a database is "test" or not. Otherwise test documents like invoices appear like real live documents potentially causing serious confusion. Many other internal problems will also occur.
#The test database code MUST sort alphabetically after the main database code at login. Prefixing the code with the letter X may achieve this.
#In cases where the company name consists of more than one word, make sure you choose the right combination which implies the company name clearly.

Examples of wrong and right database codes:

ALTO VISTA ADVERTISING

ALTOVIST and XALTTEST - right
AVISTA and AVTEST - wrong - AVISTA is not as recognisable as ALTOVIST above

GLOBAL EDGE ADVERTISING

GLOBEDGE and XGLOTEST - right
GLOBEDAD or GLOBALED and XGEATEST - wrong - GLOBEAD and GLOBALED are not as recognisable as GLOBEDGE above

CONTEXTURE ASSOCIATES

CONTEXT and XCONTEST - right
CONTEXT and CONTEST - wrong - CONTEST will be alphabetically first in the login screen database drop down

=== Creating a .CMD file to start NEOSYS Service: ===
(Note: change x to the correct drive you have installed NEOSYS on)

In x:\neosys create a file start MAIN-DATABASE-CODE.cmd (eg start ALTOVIST.cmd)

x:
cd \neosys\neosys
Start neosys.js /system ADAGENCY /database databasecode

(where databasecode is the code of the database)
(also you need to replace ADAGENCY with ACCOUNTS if this is an accounts only installation)

In x:\neosys create a file start TEST-DATABASE-CODE.cmd (eg start AVTEST.cmd)

x:
cd \neosys\neosys
Start neosys.js /system ADAGENCY /database testdatabasecode

(where testdatabasecode is the code of the testdatabase)
(also you need to replace ADAGENCY with ACCOUNTS if this is an accounts only installation)

TEST THAT THE FILES YOU HAVE CREATED CAN RUN SUCCESSFULLY

ENSURE THAT YOU DO NOT CLOSE THE PROCESS WINDOWS BY USING THE X BUTTON. HIT ESC 3 TIMES ON EACH WINDOW.

=== Differences for Pure Accounts Module Only Installations ===
Accounts module only has a slightly different startup command. In the above, replace '''/system adagency''' with '''/system accounts''' to startup a service and use '''accounts.bat''' instead of '''adagency.bat''' to start up maintenance. Other than that, accounts module setup is identical. Pure accounts clients are very few and tend not to upgrade often so care needs to be taken when upgrading. Upgrade is done using the usual neosys2.exe file.

=== Setting up daily scheduled tasks ===
NEOSYS is normally configured to backup and shutdown at 1 am. All the processes shutdown except one which performs the backup and then closes.

==== If NEOSYS is installed on NEOSYS Server (win3) ====
Edit d:/hosts/STARTXXX.cmd (XXX could be MEA, USA etc. depending on the time zone of the client) to configure the client's live and test processes to start up automatically. As of 2016 TEST process is set to start first followed by LIVE processes for all clients in STARTXXX.cmd

The number of live and test processes configured to startup in STARTMEA.cmd MUST be exactly the same as the number of processes configured in the client's system configuration file. Otherwise, if a client's required number of processes are not started up by STARTMEA.cmd, then that client's remaining required processes will automatically start up after a few minutes and may interfere with startups of other clients' processes, thus ruining the desired sequential startup of client processes.

Use web access and go to Support Menu, System Configuration File and set the following for a) tiny clients : 1 process for main database and 1 for test database or b) large clients : 2 processes for main database and 1 for test database c) very large clients who have issues regularly with no process available : 3 processes for main database and 1 for test database.

Set up an automatic copy of the main database to test database as shown at the end of the next section. The copy is done immediately after the backup. Test running “Copy now” SHOULD be avoided while users are online.

==== If NEOSYS is installed on client server ====
A Windows Scheduled Task MUST be created to startup NEOSYS every day typically at 6 am. It can startup one live database process and that process will startup all other required database processes. Test databases will not startup other database processes automatically unless configured to do so from the System Configuration File.

On Windows 2008 Standard, untick highest privileges and untick run whether user is logged in or not. This means that NEOSYS processes will be visible on the desktop when you login BUT the windows scheduled tasks to startup NEOSYS will FAIL to run if the server is rebooted for any reason including power failure or when the monthly Windows Update procedure reboots.

Alternatively, for clients which cannot tolerate manual intervention after server reboots for any reason (e.g.need to start work before NEOSYS support is available or on NEOSYS support weekends), tick "highest privileges" and "run whether the user is logged in or not". This approach means that NEOSYS processes which are started by the windows scheduled task are not visible on the desktop and run hidden in the background and only listed in task manager, so avoid this approach on small clients (only a few users). Windows Update is a common cause for server reboots so configure Updates to install at 3 AM on any day between Sunday to Wednesday since on these days Support will be available to manually restart NEOSYS processes after a server restart.

Create a task to start one Main database process at 6:00 am daily.

[[File:start1.jpg]] 
[[File:start2.jpg]] 
[[File:start3.jpg]] 

(For multiple sites on the same computer put the second site starting five minutes later at 6:05 am, the third site starting five minutes earlier at 5:55 am, the fourth site starting five minutes later at 6:10 am and so on.)

Once created, test them to see that they are working correctly by running them directly using right click- Run. There is no problem testing the “daily 6 am startup task” at any time since it will just add an additional process.

[[File:task1.jpg]] 

Use web access and go to Support Menu, System Configuration File to request 3 processes for main database and 1 for test database. Also, set up an automatic copy of the main database to test database as below. The copy is done immediately after the backup. Test running “Copy now” SHOULD be avoided while users are online.

[[File:autocopy.jpg]] 

=== Configuring NEOSYS to start automatically on server start-up / reboot ===
We no longer configure NEOSYS processes to start on reboot as we would like to know of the failures at the client side and hence whenever the server reboots we expect the client to inform us and we will start the process - or NEOSYS will start automatically next day at 6 am

Unfortunately using this method the NEOSYS processes are not visible when you login as a user.

[[Image:win_sch_task.jpg]]

Schedule a task to run the main database file whenever the computer starts. In Windows 2008 you need to tick the options - Run whether user logged in or not and Run with highest privilege.

Additional in Windows 2008: Tick Highest Priviledges and Run whether user logged in or not

== Installing and upgrading NEOSYS pure accounting systems ==

Basic installation using NEOSYS.EXE and upgrades using NEOSYS2.EXE are identical to the normal adagency installation process.

Differences are as follows:

# Maintenance shortcut to ACCOUNTS.BAT
# Process startup file contains "/system ACCOUNTS" instead of "/system ADAGENCY"
# Internet address is http://server/neosys/accounts.htm although it auto converts to http://server/neosys/default.htm??ACCOUNTS. Although not to be relied upon, the login page stores a cookie so even plain http://server/neosys or http://server/neosys/default.htm works thereafter until the cookie is lost. To get back to adagency login you use http://server/neosys/default.htm??ADAGENCY
# BACKUP.ZIP files created by ADAGENCY systems and ACCOUNTS systems are slightly incompatible with the result that restoring one in the other type of system will not work. NEOSYS programmers can convert from one type to the other but it is almost never required since any ad agency that only requires accounts only module is given the adagency version of NEOSYS and accounting only clients becoming ad agencies never happened.

Installing EMS Magic

2017-12-23T12:05:48Z

Steve:

== About EMS memory ==

NEOSYS requires EMS memory to function well.

Lack of EMS memory causes inability to process large databases and documents, and errors like:

#Backup File Size is 0
#RTP27. [B28] Not enough String Space – Out of Memory
#B703 Error
#B706 - String Space Format Error

Window 10 provides EMS memory automatically so installation of EMS Magic is NOT required.

Windows 2008 does not provide EMS memory itself so installation of EMS Magic IS required

Windows 2003 usually provides EMS memory itself BUT this can vary depending on the server hardware/bios configuration therefore installation of EMS Magic MAY or MAY NOT be required.

Please read the notes at [[Troubleshooting_NEOSYS_Generally#Recognising_and_Solving_Low_Memory_Problems|Recognising and Solving Low Memory Problems]] to understand more about EMS related problems.

== Installing EMS Magic ==

# Download http://www.neosys.com/support/EMSMAGIC.EXE and place it in C:\Windows folder
# Restart NEOSYS in maintenance mode and check that the EMS memory shows in the maintenance mode by typing WHO in the command line (instructions at [[Troubleshooting_NEOSYS_Generally#Checking_EMS_Memory_Configuration|Checking EMS Memory Configuration]])
# Double check that EMS Magic is functioning by noticing the following screen briefly as soon as you open up a maintenance or process window:

[[image:emsscreenmaint.jpg]]

== Installing EMS Magic on older versions of NEOSYS ==

In versions of NEOSYS prior to Dec 2018 it is also required to edit the AUTOEXEC.NT file as follows:

Edit c:\windows\system32\autoexec.nt file in Notepad to include the following at the bottom:

[[image:autoexecnt.jpg]]

Technical / Hardware requirements

2017-11-01T19:03:48Z

Steve: /* Software requirements */

=== Hardware requirements ===
* Entry level physical or virtual server *dedicated to NEOSYS only*
* 2 or more CPU cores
* 1 GB RAM
* 10 GB HDD - SSD Recommended

=== Software requirements ===
* Windows 10 Pro. Must be 32bit. Cannot be 64bit.
* Windows 10 Enterprise. Must be 32bit. Cannot be 64bit.
* Windows 2008 Standard Edition. Must be 32bit. Cannot be 64bit/R2.
* Administrator Access Rights
* Configured with two partitions on the hard disk (C & D)
* Configured as a workgroup and not as part of a domain
* No roles assigned for the server (eg DNS or DHCP or FILE SERVER)
* All service packs and updates applied
* No Anti-Virus or any other program loaded
* Configured with an internal static IP (ie dynamic IP delivered by DHCP is not allowed)

=== NEOSYS Software Browser and OS Requirements ===

Internet Explorer 8+, Firefox, Chrome on Windows/OSX/Mobile

Browsers must have pop-up blockers turned off and must not have any 3rd party toolbars installed.

=== Backup requirements ===
If entry level physical server or if virtual server that supports USB passthrough (e.g. VMWare vSphere version 4.1 and above):
* 3 x 4 GB USB drives for backup
* Someone to change the USB drives on a scheduled basis (weekly)

If virtual server that does not support USB passthrough:
* Client must *at their own responsibility* agree to arrange copy of the backup files to an external backup location every day.
Also refer to [[Backup_and_Restore#Backup_in_virtual_server| Backup to virtual server]]

=== Router requirements ===
* Username and password for the router OR someone who can configure port forwarding/virtual server configuration for:
**SSH on port 19580
**HTTPS on 4430 OR port no. provided by NEOSYS Support (Required only if NEOSYS needs to be accessed from outside office and prior management approval for this is obtained)
* Outgoing access to the internet on port 2500 or access to send email via an internal email server.

=== Remote support requirement ===

[[Letter_to_obtain_agreement_of_client_IT_staff_to_provide_remote_access| Letter to obtain agreement of client IT staff to provide remote access]]

Technical / Hardware requirements

2017-11-01T19:02:50Z

Steve: /* Hardware requirements */

=== Hardware requirements ===
* Entry level physical or virtual server *dedicated to NEOSYS only*
* 2 or more CPU cores
* 1 GB RAM
* 10 GB HDD - SSD Recommended

=== Software requirements ===
* Windows 2008 Standard Edition. Must be 32bit. Cannot be 64bit/R2.
* Administrator Access Rights
* Configured with two partitions on the hard disk (C & D)
* Configured as a workgroup and not as part of a domain
* No roles assigned for the server (eg DNS or DHCP or FILE SERVER)
* All service packs and updates applied
* No Anti-Virus or any other program loaded
* Configured with an internal static IP (ie dynamic IP delivered by DHCP is not allowed)

=== NEOSYS Software Browser and OS Requirements ===

Internet Explorer 8+, Firefox, Chrome on Windows/OSX/Mobile

Browsers must have pop-up blockers turned off and must not have any 3rd party toolbars installed.

=== Backup requirements ===
If entry level physical server or if virtual server that supports USB passthrough (e.g. VMWare vSphere version 4.1 and above):
* 3 x 4 GB USB drives for backup
* Someone to change the USB drives on a scheduled basis (weekly)

If virtual server that does not support USB passthrough:
* Client must *at their own responsibility* agree to arrange copy of the backup files to an external backup location every day.
Also refer to [[Backup_and_Restore#Backup_in_virtual_server| Backup to virtual server]]

=== Router requirements ===
* Username and password for the router OR someone who can configure port forwarding/virtual server configuration for:
**SSH on port 19580
**HTTPS on 4430 OR port no. provided by NEOSYS Support (Required only if NEOSYS needs to be accessed from outside office and prior management approval for this is obtained)
* Outgoing access to the internet on port 2500 or access to send email via an internal email server.

=== Remote support requirement ===

[[Letter_to_obtain_agreement_of_client_IT_staff_to_provide_remote_access| Letter to obtain agreement of client IT staff to provide remote access]]

NEOSYS DDNS Service

2016-06-03T12:56:44Z

Steve: /* Troubleshooting NEOSYS DDNS Service */

== Using NEOSYS DDNS service ==

The NEOSYS monitoring server at monitor.neosys.com will update NEOSYS
DNS server currently zonedit.com if it is requested to do so by NEOSYS
installations. NEOSYS installations do that automatically when updating
Nagios and can also have a Windows service configured to do it at all times.

Normally this would only be used at NEOSYS installations that have a
dynamic ip number ie do not have a static ip number.

This is not required generally at client installations with static ip
numbers or NEOSYS win3/win4 installations but it MAY be used in that
situation too to provide for automatic change of static DNS for example
to cater for:

*migration from old server to new server
*moving to backup servers
*moving back to live servers
*moving between client's own server and NEOSYS hosts on win3/win4.

Care will be needed to ensure that the DDNS service is not running
simultaneously on the both old and new servers.

=== Using Windows service neosysddns ===

This will work even when NEOSYS processes are not running. This is
useful when NEOSYS processes are stopped overnight and when the server
is rebooted, for example for Windows Updates, and NEOSYS processes are
not configured to run automatically after rebooting

==== Starting Windows service on the client server ====

In NEOSYS maintenance mode

STARTDDNS

==== Stopping the Windows service on the client server ====

In NEOSYS maintenance mode

STOPDDNS

or you can stop and/or disable the windows service manually

This will NOT stop Nagios based DDNS which has to be done separately. See section below.

=== Nagios based DDNS ===

NAGIOS can update NEOSYS ddns entries (currently on zoneedit) automatically as by product of the processing of NAGIOS server updates from NEOSYS processes running on the client server. This is done independently and in parallel to the NEOSYSDDNS service which runs on NEOSYS servers.

=== Automatic Nagios based DDNS ===

This will occur if a special file exists on the NAGIOS server. This file is automatically created when STARTDDNS has been run on the NEOSYS server, or can be created manually.

Therefore, if you are running NEOSYSDDNS service on the NEOSYS server, DDNS will be ALSO be done in parallel by Nagios. This is useful as a backup for example in the case where the NEOSYSDDNS service has to be stopped on the NEOSYS server eg while Cygwin updates are being processed.

To see what hosts are subject to automatic Nagios based DDNS.

ll /var/lib/neosysddns

=== Manually starting Nagios based DDNS ===

If you need to switch on DDNS service for some reason but cannot get to the NEOSYS server to do so, then you can request Nagios to perform DDNS by creating a special file in the NAGIOS server as follows:

touch /var/lib/neosysddns/xxxxxxxx.client
chmod a+rw /var/lib/neosysddns/xxxxxxxx.client

=== Stopping Nagios based DDNS ===

If you need to stop DDNS being done by NAGIOS after either automatically or manually starting it as above, you must remove a special file in the NAGIOS server as follows. Note that running STOPDDNS in the NEOSYS server does NOT remove the special file on NAGIOS server, so just running STOPDDNS in the NEOSYS server will NOT stop the parallel NAGIOS server updating DDNS. Therefore if you wish complete cessation of DDNS service for a hostname you will have to do this step AS WELL.

rm /var/lib/neosysddns/xxxxxxxx.client

=== Configuring neosysddns on monitor.neosys.com ===

The configuration of NEOSYS DDNS service on nagios i.e monitor.neosys.com can be controlled as follows:

Remember that this is the neosysddns service on monitor.neosys.com and NOT the windows service on the server with dynamic ip no.

neosysddns logging level may be configured NOT to show every DDNS update check if the IP no hasn't changed to save log file space since the neosysddns windows servers triggers every minute.

nano /etc/nagios3/conf.d/ddnsconf.py
sudo service neosysddns restart

Other NEOSYS DDNS service commands are:

sudo service neosysddns stop
sudo service neosysddns start
sudo service neosysddns status

All service commands with the exception of status show nothing if successful or error message if not.

== Troubleshooting NEOSYS DDNS Service ==

On nagios/monitor server to see recent ddns updates for a hostname "XXXX" whatever is entered as System ID in System configuration file.

journalctl|grep -i ddns|grep XXXX

or to watch new ddns updates as they come in

journalctl -f | grep -i ddns

or to watch new ddns updates as they come in for xxxxxxxx

journalctl -f | grep -i ddns | grep xxxxxxxx

Lines containing ddns.py are the result of NEOSYS Windows service.

Lines containing apache2 are the result of nagios updates. e.g as shown below:

Jan 28 00:03:04 monitor apache2: DDNS IP_NO ums <SUCCESS CODE="200" TEXT="XXXX.hosts.neosys.com updated to 82.178.63.35" ZONE="XXXX.hosts.neosys.com">
Jan 28 01:54:26 monitor ddns.py: DDNS IP_NO 4481 "ddns XXXX" No. 11327 was 82.178.63.35 <SUCCESS CODE="200" TEXT="XXXX.hosts.neosys.com updated to 85.154.7.138" ZONE="XXXX.hosts.neosys.com">

Working/Status Files

ll /var/lib/neosysddns/
ll /var/lib/neosysddns/ignored

Configuration File

nano /etc/nagios3/conf.d/ddnsconf.py

Configuration options - see comments in file

Hosts that have been seen by Nagios but were ignored because the xxxxxxxx.client file was not present in /var/lib/neosysddns

ll /var/lib/neosysddns/ignored

NEOSYS DDNS Service

2016-06-02T07:24:13Z

Steve: /* Troubleshooting NEOSYS DDNS Service */

== Using NEOSYS DDNS service ==

The NEOSYS monitoring server at monitor.neosys.com will update NEOSYS
DNS server currently zonedit.com if it is requested to do so by NEOSYS
installations. NEOSYS installations do that automatically when updating
Nagios and can also have a Windows service configured to do it at all times.

Normally this would only be used at NEOSYS installations that have a
dynamic ip number ie do not have a static ip number.

This is not required generally at client installations with static ip
numbers or NEOSYS win3/win4 installations but it MAY be used in that
situation too to provide for automatic change of static DNS for example
to cater for:

*migration from old server to new server
*moving to backup servers
*moving back to live servers
*moving between client's own server and NEOSYS hosts on win3/win4.

Care will be needed to ensure that the DDNS service is not running
simultaneously on the both old and new servers.

=== Using Windows service neosysddns ===

This will work even when NEOSYS processes are not running. This is
useful when NEOSYS processes are stopped overnight and when the server
is rebooted, for example for Windows Updates, and NEOSYS processes are
not configured to run automatically after rebooting

==== Starting Windows service on the client server ====

In NEOSYS maintenance mode

STARTDDNS

==== Stopping the Windows service on the client server ====

In NEOSYS maintenance mode

STOPDDNS

or you can stop and/or disable the windows service manually

This will NOT stop Nagios based DDNS which has to be done separately. See section below.

=== Nagios based DDNS ===

NAGIOS can update NEOSYS ddns entries (currently on zoneedit) automatically as by product of the processing of NAGIOS server updates from NEOSYS processes running on the client server. This is done independently and in parallel to the NEOSYSDDNS service which runs on NEOSYS servers.

=== Automatic Nagios based DDNS ===

This will occur if a special file exists on the NAGIOS server. This file is automatically created when STARTDDNS has been run on the NEOSYS server, or can be created manually.

Therefore, if you are running NEOSYSDDNS service on the NEOSYS server, DDNS will be ALSO be done in parallel by Nagios. This is useful as a backup for example in the case where the NEOSYSDDNS service has to be stopped on the NEOSYS server eg while Cygwin updates are being processed.

To see what hosts are subject to automatic Nagios based DDNS.

ll /var/lib/neosysddns

=== Manually starting Nagios based DDNS ===

If you need to switch on DDNS service for some reason but cannot get to the NEOSYS server to do so, then you can request Nagios to perform DDNS by creating a special file in the NAGIOS server as follows:

touch /var/lib/neosysddns/xxxxxxxx.client
chmod a+rw /var/lib/neosysddns/xxxxxxxx.client

=== Stopping Nagios based DDNS ===

If you need to stop DDNS being done by NAGIOS after either automatically or manually starting it as above, you must remove a special file in the NAGIOS server as follows. Note that running STOPDDNS in the NEOSYS server does NOT remove the special file on NAGIOS server, so just running STOPDDNS in the NEOSYS server will NOT stop the parallel NAGIOS server updating DDNS. Therefore if you wish complete cessation of DDNS service for a hostname you will have to do this step AS WELL.

rm /var/lib/neosysddns/xxxxxxxx.client

=== Configuring neosysddns on monitor.neosys.com ===

The configuration of NEOSYS DDNS service on nagios i.e monitor.neosys.com can be controlled as follows:

Remember that this is the neosysddns service on monitor.neosys.com and NOT the windows service on the server with dynamic ip no.

neosysddns logging level may be configured NOT to show every DDNS update check if the IP no hasn't changed to save log file space since the neosysddns windows servers triggers every minute.

nano /etc/nagios3/conf.d/ddns.conf
sudo service neosysddns restart

Other NEOSYS DDNS service commands are:

sudo service neosysddns stop
sudo service neosysddns start
sudo service neosysddns status

All service commands with the exception of status show nothing if successful or error message if not.

== Troubleshooting NEOSYS DDNS Service ==

On nagios/monitor server to see recent ddns updates for a hostname "XXXX" whatever is entered as System ID in System configuration file.

journalctl|grep -i ddns|grep XXXX

or to watch new ddns updates as they come in

journalctl -f | grep -i ddns

or to watch new ddns updates as they come in for xxxxxxxx

journalctl -f | grep -i ddns | grep xxxxxxxx

Lines containing ddns.py are the result of NEOSYS Windows service.

Lines containing apache2 are the result of nagios updates. e.g as shown below:

Jan 28 00:03:04 monitor apache2: DDNS IP_NO ums <SUCCESS CODE="200" TEXT="XXXX.hosts.neosys.com updated to 82.178.63.35" ZONE="XXXX.hosts.neosys.com">
Jan 28 01:54:26 monitor ddns.py: DDNS IP_NO 4481 "ddns XXXX" No. 11327 was 82.178.63.35 <SUCCESS CODE="200" TEXT="XXXX.hosts.neosys.com updated to 85.154.7.138" ZONE="XXXX.hosts.neosys.com">

Working/Status Files

ll /var/lib/neosysddns/
ll /var/lib/neosysddns/ignored

Configuration File

nano /etc/nagios3/conf.d/ddnsconf.py

Configuration options

loginvalid=False #requests with the wrong format. maybe random packets from the internet.
loglanrejected=False #requests for lan ipno 192.168 172.16-32 10 127
logskipped=False #hostnames that
lognotchanged=False #ipno same as before
logzoneeditresponses=True #recommended True so you can see what zoneedit replies to requests to update ipno Success/Failure/Ignored
lognthpacket=1000 #always log every nth request if not 0, regardless of other options. useful to check service is active when little is logged.

Hosts that have been seen by Nagios but were ignored because the xxxxxxxx.client file was not present in /var/lib/neosysddns

ll /var/lib/neosysddns/ignored

NEOSYS DDNS Service

2016-05-31T21:44:59Z

Steve: /* Troubleshooting NEOSYS DDNS Service */

== Using NEOSYS DDNS service ==

The NEOSYS monitoring server at monitor.neosys.com will update NEOSYS
DNS server currently zonedit.com if it is requested to do so by NEOSYS
installations. NEOSYS installations do that automatically when updating
Nagios and can also have a Windows service configured to do it at all times.

Normally this would only be used at NEOSYS installations that have a
dynamic ip number ie do not have a static ip number.

This is not required generally at client installations with static ip
numbers or NEOSYS win3/win4 installations but it MAY be used in that
situation too to provide for automatic change of static DNS for example
to cater for:

*migration from old server to new server
*moving to backup servers
*moving back to live servers
*moving between client's own server and NEOSYS hosts on win3/win4.

Care will be needed to ensure that the DDNS service is not running
simultaneously on the both old and new servers.

=== Using Windows service neosysddns ===

This will work even when NEOSYS processes are not running. This is
useful when NEOSYS processes are stopped overnight and when the server
is rebooted, for example for Windows Updates, and NEOSYS processes are
not configured to run automatically after rebooting

==== Starting Windows service on the client server ====

In NEOSYS maintenance mode

STARTDDNS

==== Stopping the Windows service on the client server ====

In NEOSYS maintenance mode

STOPDDNS

or you can stop and/or disable the windows service manually

This will NOT stop Nagios based DDNS which has to be done separately. See section below.

=== Nagios based DDNS ===

NAGIOS can update NEOSYS ddns entries (currently on zoneedit) automatically as by product of the processing of NAGIOS server updates from NEOSYS processes running on the client server. This is done independently and in parallel to the NEOSYSDDNS service which runs on NEOSYS servers.

=== Automatic Nagios based DDNS ===

This will occur if a special file exists on the NAGIOS server. This file is automatically created when STARTDDNS has been run on the NEOSYS server, or can be created manually.

Therefore, if you are running NEOSYSDDNS service on the NEOSYS server, DDNS will be ALSO be done in parallel by Nagios. This is useful as a backup for example in the case where the NEOSYSDDNS service has to be stopped on the NEOSYS server eg while Cygwin updates are being processed.

To see what hosts are subject to automatic Nagios based DDNS.

ll /var/lib/neosysddns

=== Manually starting Nagios based DDNS ===

If you need to switch on DDNS service for some reason but cannot get to the NEOSYS server to do so, then you can request Nagios to perform DDNS by creating a special file in the NAGIOS server as follows:

touch /var/lib/neosysddns/xxxxxxxx.client
chmod a+rw /var/lib/neosysddns/xxxxxxxx.client

=== Stopping Nagios based DDNS ===

If you need to stop DDNS being done by NAGIOS after either automatically or manually starting it as above, you must remove a special file in the NAGIOS server as follows. Note that running STOPDDNS in the NEOSYS server does NOT remove the special file on NAGIOS server, so just running STOPDDNS in the NEOSYS server will NOT stop the parallel NAGIOS server updating DDNS. Therefore if you wish complete cessation of DDNS service for a hostname you will have to do this step AS WELL.

rm /var/lib/neosysddns/xxxxxxxx.client

=== Configuring neosysddns on monitor.neosys.com ===

The configuration of NEOSYS DDNS service on nagios i.e monitor.neosys.com can be controlled as follows:

Remember that this is the neosysddns service on monitor.neosys.com and NOT the windows service on the server with dynamic ip no.

neosysddns logging level may be configured NOT to show every DDNS update check if the IP no hasn't changed to save log file space since the neosysddns windows servers triggers every minute.

nano /etc/nagios3/conf.d/ddns.conf
sudo service neosysddns restart

Other NEOSYS DDNS service commands are:

sudo service neosysddns stop
sudo service neosysddns start
sudo service neosysddns status

All service commands with the exception of status show nothing if successful or error message if not.

== Troubleshooting NEOSYS DDNS Service ==

On nagios/monitor server to see recent ddns updates for a hostname "XXXX" whatever is entered as System ID in System configuration file.

journalctl|grep DDNS|grep XXXX

or older updates

grep DDNS /var/log/syslog-*|grep XXXX

or to watch new ddns updates as they come in

journalctl -f | grep DDNS

or to watch new ddns updates as they come in for xxxxxxxx

journalctl -f | grep DDNS | grep xxxxxxxx

Lines containing ddns.py are the result of NEOSYS Windows service.

Lines containing apache2 are the result of nagios updates. e.g as shown below:

Jan 28 00:03:04 monitor apache2: DDNS IP_NO ums <SUCCESS CODE="200" TEXT="XXXX.hosts.neosys.com updated to 82.178.63.35" ZONE="XXXX.hosts.neosys.com">
Jan 28 01:54:26 monitor ddns.py: DDNS IP_NO 4481 "ddns XXXX" No. 11327 was 82.178.63.35 <SUCCESS CODE="200" TEXT="XXXX.hosts.neosys.com updated to 85.154.7.138" ZONE="XXXX.hosts.neosys.com">

Working/Status Files

ll /var/lib/neosysddns/

Hosts that have been seen by Nagios but were ignored because the xxxxxxxx.client file was not present in /var/lib/neosysddns

ll /var/lib/neosysddns/ignored

Backing up and Restoring IIS configuration

2016-05-21T20:01:32Z

Steve: /* Backing up certificate bindings */

== Backing up and Restoring IIS configuration ==

An automated backup process already exists in Windows IIS in every
installation but only to C: drive. This article discusses how to get it
backed up properly off-server by NEOSYS backup processes for servers
with lots of installations. Small installations hardly need backup of
IIS since it takes little time to reconfigure a single website.

The main point of this article is to give an understanding of the backup
process and perhaps most importantly how it can be used to restore on
servers with large numbers of web sites like win3/win4.

All IIS configuration performed in IIS manager seems to be backed
up/restored by the following procedures ... EXCEPT imported certificates
and the binding/mapping of port numbers to certificates which is
discussed later on in [[Backing up and Restoring IIS
configuration#Backing up certificate bindings]].

This article does not include backup or restore of actual web site
directories, files and permissions.

A simple backup of IIS configuration can be done any time and quickly at
before doing some change you are uncertain of in IIS.

c:\windows\system32\inetsrv\appcmd add backup SOMEBACKUPNAME

A simple restore will put everything back as it was. It appears that
sites unaffected by the restore are not restarted so this can be done
while users are online to unaffected websites. In the worst case, users
will have to login again but as this is a popup in the middle of
existing NEOSYS screens, they should not lose any work they are doing or
documents they are entering.

c:\windows\system32\inetsrv\appcmd restore backup SOMEBACKUPNAME

Essentially the whole of IIS configuration for all sites is stored in a
single text file which can be edited, backed up and restored manually by
simple file copy, or by using the APPCMD.EXE programs which has the
advantage of automatically reloading IIS at the appropriate time.

applicationHost.config

Windows provides a command "appcmd.exe" to manage IIS configuration from
the command line. All APPCMD commmands either need to be run in the
following directory or to be prefixed with "%windir%\system32\inetsrv\"
as follows:

c:
cd %windir%\system32\inetsrv
appcmd list backup

or all in one line

%windir%\system32\inetsrv\appcmd list backup

=== Set IIS automatic backup location to d: ===

By default, Windows automatically backups the last 10 IIS configurations
to c:\inetpub\history, looking for changes every 2 minutes.

Below steps are already done on win3/win4

We need to:

1. Change the location of the automatic backups since NEOSYS backup procedures dont backup C: drive. ESSENTIAL
2. Increase the number of backups. OPTIONAL

Configure the new backup location on d: and increase the number of historical backups kept from 10 to 100

mkdir d:\inetpub\history
c:
cd %windir%\system32\inetsrv
appcmd.exe set config -section:system.applicationHost/configHistory /path:"d:\inetpub\history" /commit:apphost
appcmd.exe set config -section:system.applicationHost/configHistory /maxHistories:"100" /commit:apphost

Check that automatic backups are in fact now going to D: by making some
trivial change in IIS and waiting 2 minutes to see the backup appear in D:

=== Using other IIS configuration commands ===

Other APPCMD configuration commands are as follows. Here showing setting
the default configuration.

appcmd set config -section:system.applicationHost/configHistory /enabled:"True" /commit:apphost
appcmd set config -section:system.applicationHost/configHistory /period:"00:02:00" /commit:apphost

=== Manually triggering backup of IIS ===

appcmd add backup SOMEBACKUPNAME

Manual backups are just copies of the IIS configuration file, the same
as the automatic backups ... but they are stored in a different place

C:\Windows\System32\inetsrv\backups\SOMEBACKUPNAME

=== Restoring IIS backups ===

Copy the last backup directory (eg CFGHISTORY_0000000913) from d:\inetpub\history to c:\inetpub\history eg using cut and paste

Get to the directory where the APPCMD program is stored

c:
cd %windir%\system32\inetsrv

List available backups and check your backup is available

appcmd list backup

Perform the restore

appcmd restore backup CFGHISTORY_0000000913

Note that restoring will also set the backup directory to whereever it was in the backup (ie d:\inetpub\history)

Each backup is stored in a separate directory and you can rename them by simply changing the directory name.

The list of available backups is a merged set from the default automatic
location, the configured automatic location (changed from the default C:
to D:), and default manual backup location

c:\inetpub\history (AUTOMATICALLY TRIGGERED ORIGINALY)
D:\inetpub\history\ (AUTOMATICALLY TRIGGERED AFTER RECONFIGURATION)
c:\windows\system32\inetsrv\backups (MANUALLY TRIGGERED)

There is no need to restart IIS after restoring using APPCMD RESTORE but
you may need to press F5 to refresh in IIS manager to see results of
restore if restore changes anything.

=== Manually editing IIS configuration ===

You can edit the configuration files in any backup and then restore that
backup.

This is useful in order either to make custom changes that cannot be
done in the UI, eg removing an https binding without affecting other
sites that use the same certificate, or to make mass changes that can be
done quicker by editing a text file than navigating a complex GUI, such
as removing all http site bindings.

applicationHost.config

=== other IIS APPCMD config commands ===

c:
cd %windir%\system32\inetsrv
appcmd list site
appcmd list site demo
appcmd list config

=== Backing up certificate bindings ===

There is not a lot too this really but it is better that it is automated.

To make a backup file called bindcerts.sh

Find the hash of the current standard *.hosts.neosys.com certificate.
This will change only once a year or however often the https certificate
is renewed, probably once a year. Check the expiry date on the
certificate. Run the following command and pick the hash next to a port
you know is currently bound to the certificate. probably most or all
ports will be bound to the same certificate hash.

netsh http show sslcert|grep -B1 Hash

Make the backup file called bindcerts.sh. put CERTHASH=.. what you found
in the previous step. NO SPACES OR QUOTES

CERTHASH=06249326271595871fd935a37bd1334bb761e519

netsh http show sslcert| \
grep -B1 "$CERTHASH"| \
grep port| \
awk -v CERTHASH="$CERTHASH" '{print "netsh http add sslcert ipport=" $3 " certhash= " CERTHASH " appid={4dc3e181-e14b-4a21-b022-59fc669b0914}"}' \
| tee bindcerts.sh

The bindcerts.sh created by the above and that we will use to restore certificate binding will contain something like the following:

netsh http add sslcert ipport=0.0.0.0:443 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4432 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4433 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4436 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4437 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4439 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4440 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4441 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4449 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4451 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4453 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4454 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4460 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4461 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4462 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4463 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4465 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4466 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4469 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4470 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4471 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4472 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4473 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4474 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4475 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}

If you need to rebind the certificates then you need to delete them first something like the following:

netsh http delete sslcert ipport=0.0.0.0:443
netsh http delete sslcert ipport=0.0.0.0:4432
netsh http delete sslcert ipport=0.0.0.0:4433
netsh http delete sslcert ipport=0.0.0.0:4436
netsh http delete sslcert ipport=0.0.0.0:4437
netsh http delete sslcert ipport=0.0.0.0:4439
netsh http delete sslcert ipport=0.0.0.0:4440
netsh http delete sslcert ipport=0.0.0.0:4441
netsh http delete sslcert ipport=0.0.0.0:4449
netsh http delete sslcert ipport=0.0.0.0:4451
netsh http delete sslcert ipport=0.0.0.0:4453
netsh http delete sslcert ipport=0.0.0.0:4454
netsh http delete sslcert ipport=0.0.0.0:4460
netsh http delete sslcert ipport=0.0.0.0:4461
netsh http delete sslcert ipport=0.0.0.0:4462
netsh http delete sslcert ipport=0.0.0.0:4463
netsh http delete sslcert ipport=0.0.0.0:4465
netsh http delete sslcert ipport=0.0.0.0:4466
netsh http delete sslcert ipport=0.0.0.0:4469
netsh http delete sslcert ipport=0.0.0.0:4470
netsh http delete sslcert ipport=0.0.0.0:4471
netsh http delete sslcert ipport=0.0.0.0:4472
netsh http delete sslcert ipport=0.0.0.0:4473
netsh http delete sslcert ipport=0.0.0.0:4474
netsh http delete sslcert ipport=0.0.0.0:4475

=== Restoring certificate bindings ===

Import the certificate(s) first.

#IIS
#Server item
#Server Certificates
#Import
#Certificate File D:\hosts\CERTIFICATES\hosts.neosys.com.pfx
#Password 1fd...
#Allow to be exported. NO

Bind the certificate to the https ports

If you dont have the binding backup file (bindcerts.sh) then you can just redo the bindings one by one on each website without much effort anyway. This process is more to enable automated restores on warm backup servers.

This will only ADD bindings, it will not delete, nor overwrite any existing bindings so you might have to delete bindings first to allow changes.

Get the bindcerts.sh file from the restore stage

Make the file executable and execute it

chmod +x bindcerts.sh
./bindcerts.sh

or just cut and paste the contents of the file into a windows command console

==== "SSL Certificate add failed, Error: 1312" ====

A specified logon session does not exist.
It may already have been terminated.

You didnt import the certificate first OR the HASH in export wasnt correct (doesnt match the imported certificate)

If you get a message "parameter incorrect" then check that your hash is
correct and everything else is exactly correct. Check characters one by
one from the BACK of the sentence SLOWLY to ensure you are not suffering
from inattention to detail!

The parameter is incorrect.

==== "SSL Certificate add failed, Error: 183" ====

SSL Certificate add failed, Error: 183
Cannot create a file when that file already exists.

perhaps you have already bound the port to the right certificate .. or a wrong/old certificate

... delete the binding and try again. Here is an example of deleting
binding on port 43999

netsh http delete sslcert ipport=0.0.0.0:43999

Backing up and Restoring IIS configuration

2016-05-21T15:36:57Z

Steve: /* Restoring certificate bindings */

== Backing up and Restoring IIS configuration ==

An automated backup process already exists in Windows IIS in every
installation but only to C: drive. This article discusses how to get it
backed up properly off-server by NEOSYS backup processes for servers
with lots of installations. Small installations hardly need backup of
IIS since it takes little time to reconfigure a single website.

The main point of this article is to give an understanding of the backup
process and perhaps most importantly how it can be used to restore on
servers with large numbers of web sites like win3/win4.

All IIS configuration performed in IIS manager seems to be backed
up/restored by the following procedures ... EXCEPT imported certificates
and the binding/mapping of port numbers to certificates which is
discussed later on in [[Backing up and Restoring IIS
configuration#Backing up certificate bindings]].

This article does not include backup or restore of actual web site
directories, files and permissions.

A simple backup of IIS configuration can be done any time and quickly at
before doing some change you are uncertain of in IIS.

c:\windows\system32\inetsrv\appcmd add backup SOMEBACKUPNAME

A simple restore will put everything back as it was. It appears that
sites unaffected by the restore are not restarted so this can be done
while users are online to unaffected websites. In the worst case, users
will have to login again but as this is a popup in the middle of
existing NEOSYS screens, they should not lose any work they are doing or
documents they are entering.

c:\windows\system32\inetsrv\appcmd restore backup SOMEBACKUPNAME

Essentially the whole of IIS configuration for all sites is stored in a
single text file which can be edited, backed up and restored manually by
simple file copy, or by using the APPCMD.EXE programs which has the
advantage of automatically reloading IIS at the appropriate time.

applicationHost.config

Windows provides a command "appcmd.exe" to manage IIS configuration from
the command line. All APPCMD commmands either need to be run in the
following directory or to be prefixed with "%windir%\system32\inetsrv\"
as follows:

c:
cd %windir%\system32\inetsrv
appcmd list backup

or all in one line

%windir%\system32\inetsrv\appcmd list backup

=== Set IIS automatic backup location to d: ===

By default, Windows automatically backups the last 10 IIS configurations
to c:\inetpub\history, looking for changes every 2 minutes.

Below steps are already done on win3/win4

We need to:

1. Change the location of the automatic backups since NEOSYS backup procedures dont backup C: drive. ESSENTIAL
2. Increase the number of backups. OPTIONAL

Configure the new backup location on d: and increase the number of historical backups kept from 10 to 100

mkdir d:\inetpub\history
c:
cd %windir%\system32\inetsrv
appcmd.exe set config -section:system.applicationHost/configHistory /path:"d:\inetpub\history" /commit:apphost
appcmd.exe set config -section:system.applicationHost/configHistory /maxHistories:"100" /commit:apphost

Check that automatic backups are in fact now going to D: by making some
trivial change in IIS and waiting 2 minutes to see the backup appear in D:

=== Using other IIS configuration commands ===

Other APPCMD configuration commands are as follows. Here showing setting
the default configuration.

appcmd set config -section:system.applicationHost/configHistory /enabled:"True" /commit:apphost
appcmd set config -section:system.applicationHost/configHistory /period:"00:02:00" /commit:apphost

=== Manually triggering backup of IIS ===

appcmd add backup SOMEBACKUPNAME

Manual backups are just copies of the IIS configuration file, the same
as the automatic backups ... but they are stored in a different place

C:\Windows\System32\inetsrv\backups\SOMEBACKUPNAME

=== Restoring IIS backups ===

Copy the last backup directory (eg CFGHISTORY_0000000913) from d:\inetpub\history to c:\inetpub\history eg using cut and paste

Get to the directory where the APPCMD program is stored

c:
cd %windir%\system32\inetsrv

List available backups and check your backup is available

appcmd list backup

Perform the restore

appcmd restore backup CFGHISTORY_0000000913

Note that restoring will also set the backup directory to whereever it was in the backup (ie d:\inetpub\history)

Each backup is stored in a separate directory and you can rename them by simply changing the directory name.

The list of available backups is a merged set from the default automatic
location, the configured automatic location (changed from the default C:
to D:), and default manual backup location

c:\inetpub\history (AUTOMATICALLY TRIGGERED ORIGINALY)
D:\inetpub\history\ (AUTOMATICALLY TRIGGERED AFTER RECONFIGURATION)
c:\windows\system32\inetsrv\backups (MANUALLY TRIGGERED)

There is no need to restart IIS after restoring using APPCMD RESTORE but
you may need to press F5 to refresh in IIS manager to see results of
restore if restore changes anything.

=== Manually editing IIS configuration ===

You can edit the configuration files in any backup and then restore that
backup.

This is useful in order either to make custom changes that cannot be
done in the UI, eg removing an https binding without affecting other
sites that use the same certificate, or to make mass changes that can be
done quicker by editing a text file than navigating a complex GUI, such
as removing all http site bindings.

applicationHost.config

=== other IIS APPCMD config commands ===

c:
cd %windir%\system32\inetsrv
appcmd list site
appcmd list site demo
appcmd list config

=== Backing up certificate bindings ===

There is not a lot too this really but it is better that it is automated.

To make a backup file called bindcerts.sh

Find the hash of the current standard *.hosts.neosys.com certificate.
This will change only once a year or however often the https certificate
is renewed, probably once a year. Check the expiry date on the
certificate. Run the following command and pick the hash next to a port
you know is currently bound to the certificate. probably most or all
ports will be bound to the same certificate hash.

netsh http show sslcert|grep -B1 Hash

Make the backup file called bindcerts.sh. put CERTHASH=.. what you found
in the previous step. NO SPACES OR QUOTES

CERTHASH=06249326271595871fd935a37bd1334bb761e519

netsh http show sslcert| \
grep -B1 "$CERTHASH"| \
grep port| \
awk -v CERTHASH="$CERTHASH" '{print "netsh http add sslcert ipport=" $3 " certhash= " CERTHASH " appid={4dc3e181-e14b-4a21-b022-59fc669b0914}"}' \
| tee bindcerts.sh

The bindcerts.sh created by the above and that we will use to restore certificate binding will contain something like the following:

netsh http add sslcert ipport=0.0.0.0:443 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4432 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4433 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4436 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4437 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4439 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4440 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4441 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4449 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4451 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4453 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4454 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4460 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4461 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4462 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4463 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4465 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4466 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4469 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4470 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4471 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4472 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4473 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4474 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4475 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}

=== Restoring certificate bindings ===

Import the certificate(s) first.

#IIS
#Server item
#Server Certificates
#Import
#Certificate File D:\hosts\CERTIFICATES\hosts.neosys.com.pfx
#Password 1fd...
#Allow to be exported. NO

Bind the certificate to the https ports

If you dont have the binding backup file (bindcerts.sh) then you can just redo the bindings one by one on each website without much effort anyway. This process is more to enable automated restores on warm backup servers.

This will only ADD bindings, it will not delete, nor overwrite any existing bindings so you might have to delete bindings first to allow changes.

Get the bindcerts.sh file from the restore stage

Make the file executable and execute it

chmod +x bindcerts.sh
./bindcerts.sh

or just cut and paste the contents of the file into a windows command console

==== "SSL Certificate add failed, Error: 1312" ====

A specified logon session does not exist.
It may already have been terminated.

You didnt import the certificate first OR the HASH in export wasnt correct (doesnt match the imported certificate)

If you get a message "parameter incorrect" then check that your hash is
correct and everything else is exactly correct. Check characters one by
one from the BACK of the sentence SLOWLY to ensure you are not suffering
from inattention to detail!

The parameter is incorrect.

==== "SSL Certificate add failed, Error: 183" ====

SSL Certificate add failed, Error: 183
Cannot create a file when that file already exists.

perhaps you have already bound the port to the right certificate .. or a wrong/old certificate

... delete the binding and try again. Here is an example of deleting
binding on port 43999

netsh http delete sslcert ipport=0.0.0.0:43999

Backing up and Restoring IIS configuration

2016-05-21T15:23:23Z

Steve: /* Restoring IIS backups */

== Backing up and Restoring IIS configuration ==

An automated backup process already exists in Windows IIS in every
installation but only to C: drive. This article discusses how to get it
backed up properly off-server by NEOSYS backup processes for servers
with lots of installations. Small installations hardly need backup of
IIS since it takes little time to reconfigure a single website.

The main point of this article is to give an understanding of the backup
process and perhaps most importantly how it can be used to restore on
servers with large numbers of web sites like win3/win4.

All IIS configuration performed in IIS manager seems to be backed
up/restored by the following procedures ... EXCEPT imported certificates
and the binding/mapping of port numbers to certificates which is
discussed later on in [[Backing up and Restoring IIS
configuration#Backing up certificate bindings]].

This article does not include backup or restore of actual web site
directories, files and permissions.

A simple backup of IIS configuration can be done any time and quickly at
before doing some change you are uncertain of in IIS.

c:\windows\system32\inetsrv\appcmd add backup SOMEBACKUPNAME

A simple restore will put everything back as it was. It appears that
sites unaffected by the restore are not restarted so this can be done
while users are online to unaffected websites. In the worst case, users
will have to login again but as this is a popup in the middle of
existing NEOSYS screens, they should not lose any work they are doing or
documents they are entering.

c:\windows\system32\inetsrv\appcmd restore backup SOMEBACKUPNAME

Essentially the whole of IIS configuration for all sites is stored in a
single text file which can be edited, backed up and restored manually by
simple file copy, or by using the APPCMD.EXE programs which has the
advantage of automatically reloading IIS at the appropriate time.

applicationHost.config

Windows provides a command "appcmd.exe" to manage IIS configuration from
the command line. All APPCMD commmands either need to be run in the
following directory or to be prefixed with "%windir%\system32\inetsrv\"
as follows:

c:
cd %windir%\system32\inetsrv
appcmd list backup

or all in one line

%windir%\system32\inetsrv\appcmd list backup

=== Set IIS automatic backup location to d: ===

By default, Windows automatically backups the last 10 IIS configurations
to c:\inetpub\history, looking for changes every 2 minutes.

Below steps are already done on win3/win4

We need to:

1. Change the location of the automatic backups since NEOSYS backup procedures dont backup C: drive. ESSENTIAL
2. Increase the number of backups. OPTIONAL

Configure the new backup location on d: and increase the number of historical backups kept from 10 to 100

mkdir d:\inetpub\history
c:
cd %windir%\system32\inetsrv
appcmd.exe set config -section:system.applicationHost/configHistory /path:"d:\inetpub\history" /commit:apphost
appcmd.exe set config -section:system.applicationHost/configHistory /maxHistories:"100" /commit:apphost

Check that automatic backups are in fact now going to D: by making some
trivial change in IIS and waiting 2 minutes to see the backup appear in D:

=== Using other IIS configuration commands ===

Other APPCMD configuration commands are as follows. Here showing setting
the default configuration.

appcmd set config -section:system.applicationHost/configHistory /enabled:"True" /commit:apphost
appcmd set config -section:system.applicationHost/configHistory /period:"00:02:00" /commit:apphost

=== Manually triggering backup of IIS ===

appcmd add backup SOMEBACKUPNAME

Manual backups are just copies of the IIS configuration file, the same
as the automatic backups ... but they are stored in a different place

C:\Windows\System32\inetsrv\backups\SOMEBACKUPNAME

=== Restoring IIS backups ===

Copy the last backup directory (eg CFGHISTORY_0000000913) from d:\inetpub\history to c:\inetpub\history eg using cut and paste

Get to the directory where the APPCMD program is stored

c:
cd %windir%\system32\inetsrv

List available backups and check your backup is available

appcmd list backup

Perform the restore

appcmd restore backup CFGHISTORY_0000000913

Note that restoring will also set the backup directory to whereever it was in the backup (ie d:\inetpub\history)

Each backup is stored in a separate directory and you can rename them by simply changing the directory name.

The list of available backups is a merged set from the default automatic
location, the configured automatic location (changed from the default C:
to D:), and default manual backup location

c:\inetpub\history (AUTOMATICALLY TRIGGERED ORIGINALY)
D:\inetpub\history\ (AUTOMATICALLY TRIGGERED AFTER RECONFIGURATION)
c:\windows\system32\inetsrv\backups (MANUALLY TRIGGERED)

There is no need to restart IIS after restoring using APPCMD RESTORE but
you may need to press F5 to refresh in IIS manager to see results of
restore if restore changes anything.

=== Manually editing IIS configuration ===

You can edit the configuration files in any backup and then restore that
backup.

This is useful in order either to make custom changes that cannot be
done in the UI, eg removing an https binding without affecting other
sites that use the same certificate, or to make mass changes that can be
done quicker by editing a text file than navigating a complex GUI, such
as removing all http site bindings.

applicationHost.config

=== other IIS APPCMD config commands ===

c:
cd %windir%\system32\inetsrv
appcmd list site
appcmd list site demo
appcmd list config

=== Backing up certificate bindings ===

There is not a lot too this really but it is better that it is automated.

To make a backup file called bindcerts.sh

Find the hash of the current standard *.hosts.neosys.com certificate.
This will change only once a year or however often the https certificate
is renewed, probably once a year. Check the expiry date on the
certificate. Run the following command and pick the hash next to a port
you know is currently bound to the certificate. probably most or all
ports will be bound to the same certificate hash.

netsh http show sslcert|grep -B1 Hash

Make the backup file called bindcerts.sh. put CERTHASH=.. what you found
in the previous step. NO SPACES OR QUOTES

CERTHASH=06249326271595871fd935a37bd1334bb761e519

netsh http show sslcert| \
grep -B1 "$CERTHASH"| \
grep port| \
awk -v CERTHASH="$CERTHASH" '{print "netsh http add sslcert ipport=" $3 " certhash= " CERTHASH " appid={4dc3e181-e14b-4a21-b022-59fc669b0914}"}' \
| tee bindcerts.sh

The bindcerts.sh created by the above and that we will use to restore certificate binding will contain something like the following:

netsh http add sslcert ipport=0.0.0.0:443 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4432 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4433 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4436 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4437 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4439 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4440 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4441 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4449 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4451 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4453 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4454 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4460 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4461 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4462 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4463 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4465 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4466 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4469 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4470 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4471 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4472 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4473 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4474 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4475 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}

=== Restoring certificate bindings ===

If you dont have the backup file then you can just import the
certificate and redo the bindings without much effort anyway. This
process is more to enable automated restores on warm backup servers.

This will only ADD bindings, it will not delete, nor overwrite any
existing bindings so you might have to delete bindings first to allow
changes.

Get the bindcerts.sh file from the restore stage

Make the file executable and execute it

chmod +x bindcerts.sh
./bindcerts.sh

If you get a message "parameter incorrect" then check that your hash is
correct and everything else is exactly correct. Check characters one by
one from the BACK of the sentence SLOWLY to ensure you are not suffering
from inattention to detail!

The parameter is incorrect.

If you get a message "already exists" then perhaps you have already
bound the port to the right certificate .. or a wrong/old certificate

SSL Certificate add failed, Error: 183
Cannot create a file when that file already exists.

... delete the binding and try again. Here is an example of deleting
binding on port 43999

netsh http delete sslcert ipport=0.0.0.0:43999

Backing up and Restoring IIS configuration

2016-05-21T14:39:09Z

Steve: /* Backing up certificate bindings */

== Backing up and Restoring IIS configuration ==

An automated backup process already exists in Windows IIS in every
installation but only to C: drive. This article discusses how to get it
backed up properly off-server by NEOSYS backup processes for servers
with lots of installations. Small installations hardly need backup of
IIS since it takes little time to reconfigure a single website.

The main point of this article is to give an understanding of the backup
process and perhaps most importantly how it can be used to restore on
servers with large numbers of web sites like win3/win4.

All IIS configuration performed in IIS manager seems to be backed
up/restored by the following procedures ... EXCEPT imported certificates
and the binding/mapping of port numbers to certificates which is
discussed later on in [[Backing up and Restoring IIS
configuration#Backing up certificate bindings]].

This article does not include backup or restore of actual web site
directories, files and permissions.

A simple backup of IIS configuration can be done any time and quickly at
before doing some change you are uncertain of in IIS.

c:\windows\system32\inetsrv\appcmd add backup SOMEBACKUPNAME

A simple restore will put everything back as it was. It appears that
sites unaffected by the restore are not restarted so this can be done
while users are online to unaffected websites. In the worst case, users
will have to login again but as this is a popup in the middle of
existing NEOSYS screens, they should not lose any work they are doing or
documents they are entering.

c:\windows\system32\inetsrv\appcmd restore backup SOMEBACKUPNAME

Essentially the whole of IIS configuration for all sites is stored in a
single text file which can be edited, backed up and restored manually by
simple file copy, or by using the APPCMD.EXE programs which has the
advantage of automatically reloading IIS at the appropriate time.

applicationHost.config

Windows provides a command "appcmd.exe" to manage IIS configuration from
the command line. All APPCMD commmands either need to be run in the
following directory or to be prefixed with "%windir%\system32\inetsrv\"
as follows:

c:
cd %windir%\system32\inetsrv
appcmd list backup

or all in one line

%windir%\system32\inetsrv\appcmd list backup

=== Set IIS automatic backup location to d: ===

By default, Windows automatically backups the last 10 IIS configurations
to c:\inetpub\history, looking for changes every 2 minutes.

Below steps are already done on win3/win4

We need to:

1. Change the location of the automatic backups since NEOSYS backup procedures dont backup C: drive. ESSENTIAL
2. Increase the number of backups. OPTIONAL

Configure the new backup location on d: and increase the number of historical backups kept from 10 to 100

mkdir d:\inetpub\history
c:
cd %windir%\system32\inetsrv
appcmd.exe set config -section:system.applicationHost/configHistory /path:"d:\inetpub\history" /commit:apphost
appcmd.exe set config -section:system.applicationHost/configHistory /maxHistories:"100" /commit:apphost

Check that automatic backups are in fact now going to D: by making some
trivial change in IIS and waiting 2 minutes to see the backup appear in D:

=== Using other IIS configuration commands ===

Other APPCMD configuration commands are as follows. Here showing setting
the default configuration.

appcmd set config -section:system.applicationHost/configHistory /enabled:"True" /commit:apphost
appcmd set config -section:system.applicationHost/configHistory /period:"00:02:00" /commit:apphost

=== Manually triggering backup of IIS ===

appcmd add backup SOMEBACKUPNAME

Manual backups are just copies of the IIS configuration file, the same
as the automatic backups ... but they are stored in a different place

C:\Windows\System32\inetsrv\backups\SOMEBACKUPNAME

=== Restoring IIS backups ===

IIS backups can be listed, restored and deleted.

c:
cd %windir%\system32\inetsrv
appcmd list backup
appcmd restore backup SOMEBACKUPNAME
appcmd delete backup SOMEBACKUPNAME

Each backup is stored in a separate directory and you can rename them by
simply changing the directory name.

The list of available backups is a merged set from the default automatic
location, the configured automatic location (changed from the default C:
to D:), and default manual backup location

c:\inetpub\history (AUTOMATICALLY TRIGGERED ORIGINALY)
D:\inetpub\history\ (AUTOMATICALLY TRIGGERED AFTER RECONFIGURATION)
c:\windows\system32\inetsrv\backups (MANUALLY TRIGGERED)

There is no need to restart IIS after restoring using APPCMD RESTORE but
you may need to press F5 to refresh in IIS manager to see results of
restore if restore changes anything.

=== Manually editing IIS configuration ===

You can edit the configuration files in any backup and then restore that
backup.

This is useful in order either to make custom changes that cannot be
done in the UI, eg removing an https binding without affecting other
sites that use the same certificate, or to make mass changes that can be
done quicker by editing a text file than navigating a complex GUI, such
as removing all http site bindings.

applicationHost.config

=== other IIS APPCMD config commands ===

c:
cd %windir%\system32\inetsrv
appcmd list site
appcmd list site demo
appcmd list config

=== Backing up certificate bindings ===

There is not a lot too this really but it is better that it is automated.

To make a backup file called bindcerts.sh

Find the hash of the current standard *.hosts.neosys.com certificate.
This will change only once a year or however often the https certificate
is renewed, probably once a year. Check the expiry date on the
certificate. Run the following command and pick the hash next to a port
you know is currently bound to the certificate. probably most or all
ports will be bound to the same certificate hash.

netsh http show sslcert|grep -B1 Hash

Make the backup file called bindcerts.sh. put CERTHASH=.. what you found
in the previous step. NO SPACES OR QUOTES

CERTHASH=06249326271595871fd935a37bd1334bb761e519

netsh http show sslcert| \
grep -B1 "$CERTHASH"| \
grep port| \
awk -v CERTHASH="$CERTHASH" '{print "netsh http add sslcert ipport=" $3 " certhash= " CERTHASH " appid={4dc3e181-e14b-4a21-b022-59fc669b0914}"}' \
| tee bindcerts.sh

The bindcerts.sh created by the above and that we will use to restore certificate binding will contain something like the following:

netsh http add sslcert ipport=0.0.0.0:443 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4432 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4433 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4436 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4437 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4439 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4440 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4441 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4449 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4451 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4453 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4454 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4460 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4461 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4462 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4463 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4465 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4466 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4469 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4470 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4471 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4472 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4473 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4474 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4475 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}

=== Restoring certificate bindings ===

If you dont have the backup file then you can just import the
certificate and redo the bindings without much effort anyway. This
process is more to enable automated restores on warm backup servers.

This will only ADD bindings, it will not delete, nor overwrite any
existing bindings so you might have to delete bindings first to allow
changes.

Get the bindcerts.sh file from the restore stage

Make the file executable and execute it

chmod +x bindcerts.sh
./bindcerts.sh

If you get a message "parameter incorrect" then check that your hash is
correct and everything else is exactly correct. Check characters one by
one from the BACK of the sentence SLOWLY to ensure you are not suffering
from inattention to detail!

The parameter is incorrect.

If you get a message "already exists" then perhaps you have already
bound the port to the right certificate .. or a wrong/old certificate

SSL Certificate add failed, Error: 183
Cannot create a file when that file already exists.

... delete the binding and try again. Here is an example of deleting
binding on port 43999

netsh http delete sslcert ipport=0.0.0.0:43999

Configuring IIS

2016-05-21T14:32:32Z

Steve: /* What is Asymmetric cryptography? */

After you have installed all the NEOSYS program files you need to configure IIS so that you can operate NEOSYS. Instructions are below.

== Configuring IIS for windows 2003 ==

=== Creating a new website in IIS ===

First step is to stop the default website in IIS. Right click on Default Web Site and select "Stop".

'''Client Server:''' Create a website called neosys linked to D:\neosys\neosys.net:

'''WIN3 Server:''' Create a website called "clientname" linked to D:\hosts\clientfolder\neosys.net

[[image:figure1.jpg]]

[[image:figure3.jpg]]

A new window will pop up "IP Address and Port Setting" after completion of the above step.

'''Client Server:''' Select *(All Unassigned)* from the drop down list of "Enter the IP address to use for the Web site" and keep the default port as 80.

'''WIN3 Server:''' Select the static Ip from the drop down list of "Enter the IP address to use for the Web site" and enter then next port available and click on next.

[[image:Figure_2.jpg‎]]

'''Client Server:''' Within the above neosys web site folder create a virtual directory called data linked to D:\neosys\data:

'''WIN3 Server:''' Within the above clientwebsite folder create a virtual directory called data linked to D:\hosts\clientfolder\data:

'''(I haven’t got the screenshot because I can only get it once I create the above)'''

=== To allow file uploads ===

==== Create IMAGES directory ====

'''Client server:''' create a folder IMAGES under D:\neosys and within the neosys web site folder create a virtual directory called images linked to D:\neosys\images: Modes: READ and WRITE

'''WIN3 Server:''' create a folder IMAGES under D:\hosts\clientfolder and within the client web site folder create a virtual directory called images linked to D:\hosts\clientfolder\images: Modes: READ and WRITE

'''(I haven’t got the screenshot because I can only get it once I create the above)'''

==== Permit upload.dll ====

# Right click on dll ( Default Web Site, neosys, NEOSYS, dll)
# Under Permissions set Execute Permissions: Scripts and Executables

# Internet Information Services (IIS) Manager
# Web Service Extensions
# All Unknown ISAPI Extensions: Allowed

===[[Backing_up_and_Restoring_IIS_configuration#Set_IIS_automatic_backup_location_to_d:| Set IIS automatic backup location to D:]] ===

== Configuring IIS for Windows 2008 ==

=== Installing IIS ===

First install IIS from Control Panel > Programs & Features > Turn Windows Features ON or OFF > Add Roles:

[[image:iis1.jpg]]

On the window that pops up click on next and you will get this screen, tick Web Server (IIS) - on the prompt click on Add Required Resources and then on Next:

[[image:iis2.jpg]]

On the next window, click on next until you get this window - tick ASP and ISAPI Extensions:

[[image:iis3.jpg]]

Click on Next and Finish

=== Configuring IIS ===
====Create a new Website====
After successfully installing IIS, go to Control Panel > Administrative Tools > Computer Management > Services and Applications > Internet Information Services (IIS) > Machine Name > Sites > Default Website.

'''Client Server:''' Stop the Default Website and then right click on Sites folder and click on Add Website called '''neosys''' linked to {{Client server Installation Location}}neosys.net as shown in the screenshot below

'''WIN3:''' Right click on Sites folder and click on Add Website. Create a website called "clientname" linked to {{NEOSYS server Installation Location}}neosys.net;
Since win3 is not connected to any LAN and exclusively serves https only, therefore setup a https binding only with a port number which is unique, unused and one greater than the previous port used in the series which is 4431 onwards. The highest port number used in this series can be found by checking IIS manager -> NEOSYS ->Sites.

Refer to [[Setting_up_HTTPS#Creating_multiple_HTTPS_web_sites_on_NEOSYS_hosted_server| setting up the https for a site on NEOSYS hosted server]] for details.

[[image:iis4.jpg]]

====Link Data Folder====

'''Client Server:''' Within the neosys website folder create a virtual directory called '''data''' linked to {{Client server Installation Location}}data

'''WIN3:''' Within the "clientname" website folder create a virtual directory called '''data''' linked to {{NEOSYS server Installation Location}}data

[[image:iis5.jpg]]

====Allow file uploads====

'''Client Server:''' create a folder '''images''' under D:\neosys and within the neosys web site folder create a virtual directory called '''images''' linked to {{Client server Installation Location}}images

'''WIN3:''' create a folder '''images''' under D:\hosts\clientfolder and within the "clientname" website folder create a virtual directory called '''images''' linked to {{NEOSYS server Installation Location}}images

[[image:iis7.jpg]]

After you add all virtual directories the tree map of the Default Website should look as follows:

[[image:iis8.jpg]]

====Configure file uploads besides adding the images directory====

For single site servers

Go under IIS > Default Website > neosys

Click on Handler Mappings and delete the ISAPI you see there

[[image:iis9a.jpg]]

Thereafter click on Add Script Map and fill in the details as follows –

Request path: *.dll

Executable: {{Client server Installation Location}}neosys.net\NEOSYS\dll\upload.dll

Name: ISAPI

Click on OK and on YES in the confirmation box

[[image:iis9b.jpg]]
[[image:hm.jpg]]

For multiple site servers

Go under IIS>NEOSYS>Click on Handler Mappings > Edit Feature Permissions > Select Read, Script and Execute

For WIN3 the above setting is already setup

===Editing the hosts file===
Edit the hosts file under c:\windows\system32\drivers\etc\ - delete the # sign next to 127.0.0.1 localhost and include the # sign before ::1 localhost

[[image:iis10.jpg]]

===[[Backing_up_and_Restoring_IIS_configuration#Set_IIS_automatic_backup_location_to_d:| Set IIS automatic backup location to D:]] ===

== Solving IIS errors ==

=== Solving error during file upload: "Page cannot be displayed" HTTP Error 405 in windows 2003 ===

This error should not occur in normal NEOSYS installations but the solution is as follows:

# Go to Control Panel, Administrative Tools, Internet Information Services
# Expand the tree to COMPUTERNAME, Web Sites
# Right-click "Default Web Site" (or specific Web Site if multiple NEOSYS http/https installations on the server as per WIN3)
# Properties
# Home Directory
# Configuration
# Mappings, Add
# Browse
# Dynamic Link Libraries *.dll" from the "Files of Type" dropdown
# Find and select D:\NEOSYS\neosys.net\NEOSYS\dll\upload.dll (OR upload.dll in the installation directory)
# Extension Type: dll
# Limit to: All
# Click the "OK" button

=== "HTTP Error 503. The service is unavailable." ===

Look in event log for errors saying various dlls have failed to load eg

The Module DLL C:\Windows\System32\inetsrv\authsspi.dll failed to load. The data is the error.

These errors indicate that IIS is configured to use various modules that have not been installed, possibly due to restoration of IIS configuration backups which mention them but the restore program restores the configuration but does not install the dll. They may not even be required, but how to exclude them is not solved in this article.

Solution is to install the various required modules by right clicking IIS role and choosing Add Role Service

*inetsrv\filter.dll - ISAPI Filters
*validcfg.dll - .NET Extensibility?
*iis_ssi.dll - Server Side Includes
*authsspi.dll - Windows Authentication

=== Solving HTTP Error 404 Error occurring immediately on opening NEOSYS login page on a new server installation: "System Failure. Do you want to retry?" ===

This error message is caused by failing to enable Active Server Pages in the IIS configuration. To resolve this in windows 2008, [[Configuring_IIS#Configure_file_uploads_besides_adding_the_images_directory| ensure that Read, Script, Execute is ticked (enabled) in the feature permissions of these Handler Mappings.]]

This message is from IE8 and a Windows 2003 server. The message may be different for other browser versions.

<pre>
Message from web page.

System Failure. Do you want to retry?

The page cannot be found
The page you are looking for might have been removed, had its name change, or it temporarily unavailable.

Please try the following:
(omitted)
HTTP Error 404 - File or directory not found.
Internet Information Services (IIS)
</pre>

[[image:http404.jpg]]

=== Solving HTTP 404 Webpage cannot be found ===

This error message clearly states that the page cannot be found. Check for the requested page in the client website folder under the virtual directory data. This page will be available under the data folder in D:\neosys\data. A possible cause of this error is by failing to create a virtual directory called data linked to D:\neosys\data:

[[image:http404p.jpg]]
===Solving Error "The specified Executable does not exist on the server"===

While adding Script Map in Handler Mappings in the above step, if you get the below error, this means you have not yet run the Maintenance window/ NEOSYS processes and skipped steps in Installing NEOSYS. File upload.dl_ is installed from NEOSYS.EXE or NEOSYS2.EXE and converted to .dll the first time you run NEOSYS Maintenance/Process. You can also manually rename the file to upload.dll.

[[image:Dll_error.png]]

=== Solving IIS error 500 on uploading for windows 2008===

To test if permissions are the problem, in grant full control to IUSR over the whole client directory e.g d:\neosys or d:\hosts\clientx in security tab of windows explorer and see if you can upload.

Regardless of the result, remove the full control permissions since they are a security risk.

If permissions are the problem then grant specific permissions as follows:

#images folder - read and write permissions (but not execute)
#dll folder - read and execute permission (no write permission)

=== Solving error "Upload folder cannot be created.The system cannot find the drive specified" ===

This error message comes up when the file uploads are configured to a different location in the software than what is set up in IIS.

There is an internal system configuration in line 49 of the DOS SYSTEM.CFG file which mentions the upload folder location (normally blank which means xxxxxx\images\ where xxxxxx is the installation directory e.g d:\neosys)

In installations where the images are uploaded to a place other than the installation directory, the configuration may say something like h:\images\ where h represents the drive where the folder is located e.g on an external USB drive. This may be done in case of client installations where file uploads are configured on USB drives due to a huge number of files getting uploaded.

The IIS and internal system configuration must agree, otherwise users will probably not be able to upload files, or the uploaded files may not be saved in the right place and may be lost, not backed up and/or not viewable.

To fix this issue, you MUST link the '''images''' folder in IIS to xxxxxx\images\ where xxxxxx is the directory of the images folder as shown in the error message.

[[File:Uploaderror.png]]

== Disabling unsecure SSL3 protocol on Windows IIS web server ==

POODLE is an information leakage attack on client browsers while accessing web server that support the older SSL3 protocol. It is easy to prevent it by reconfiguring web servers to not support SSL3.

=== Securing IIS web server on win2003 and 2008 by disabling unsafe SSL3 protocol ===

#For Systems with https installed check if the web server is vulnerable (see [[Configuring_IIS#Testing_for_IIS_vulnerability| Testing for IIS vulnerability]] ). For systems with no https installed,continue to step2 to prevent SSL3 accidentally being enabled if https is installed in the server in future and then test for vulnerability.
# run the following commands on the server
#reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /t REG_DWORD /v Enabled /d 0 /f
#reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" /t REG_DWORD /v Enabled /d 0 /f
#reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128" /t REG_DWORD /v Enabled /d 0 /f
#reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128" /t REG_DWORD /v Enabled /d 0 /f
#reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128" /t REG_DWORD /v Enabled /d 0 /f
#reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128" /t REG_DWORD /v Enabled /d 0 /f
#Reboot the server (at any time later using standard NEOSYS rebooting procedure without disturbing users)
#Perform the diagnostic for vulnerability

=== Testing for IIS vulnerability ===
==== A. Determine host and port and where to test from ====
If you have a public https server that you can access like https://demo.neosys.com:443, in a linux command prompt eg nagios login:

*$HOST for host name like demo.neosys.com
*$PORT with something like 443 or 4430 depending on port forwarding on the public router

or if testing a private https server with no public access, using a cygwin installation on the same server in the cygwin prompt:

*$HOST for host name like 127.0.0.1
*$PORT with something like 443 or 4430 as per IIS manager configuration

If https is enabled on the server/website and you are able to access the website via https using a browser, then you must be able to test for openssl on the same browsed host and port. You must also test this locally to ensure that the right server is being fixed. If the website is not public, then https must not be enabled, which means there is no reason for using cygwin openssl.

==== B. Check you CAN connect to https server using TLS ====

openssl s_client -host $HOST -port $PORT

<pre>
nagios@vm1m:~$ echo|openssl s_client -host demo.neosys.com -port 443
CONNECTED(00000003)
depth=0 CN = demo.neosys.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = demo.neosys.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=demo.neosys.com
i:/CN=demo.neosys.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIB2DCCAUWgAwIBAgIQd0J0l4kJrpJHonAv5U8VLjAJBgUrDgMCHQUAMBoxGDAW
BgNVBAMTD2RlbW8ubmVvc3lzLmNvbTAeFw0wODA3MjcxOTUxMDNaFw0zNTEyMTIx
OTUxMDNaMBoxGDAWBgNVBAMTD2RlbW8ubmVvc3lzLmNvbTCBnzANBgkqhkiG9w0B
AQEFAAOBjQAwgYkCgYEAxzwtoqq49vV7pyBQ6Ej+PvbB1QxkdsxNn5EZSLSOppCb
jNjV8fFa98unPR0pGM0UdjWMUYodj12c2pnIrfrtXv7pYf+iC1corPEY7607Icbs
rSOc5aFwnlUYpktoysV1G1crGYgYgXbXgVOUO9phHXJarpKf6SjVw3uXTLlmPUkC
AwEAAaMnMCUwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDgYDVR0PBAcDBQCwAAAAMAkG
BSsOAwIdBQADgYEAmgyW60pT62JuM8GH+KogHW7viaMsifXitm3BC/GfaORpJCox
aS20fAlzGyAlDe9nZWN4roLSxQv0laJkxyNPDuHvLJt1l0FVdk6/vGB6QH0KqM+S
UaUTLsDZ99UNS/inotobxD9vXuKl58Uoe2lu7r9vJ+1DWDC6AyueSZ6xnno=
-----END CERTIFICATE-----
subject=/CN=demo.neosys.com
issuer=/CN=demo.neosys.com
---
No client certificate CA names sent
---
SSL handshake has read 635 bytes and written 411 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES128-SHA
Session-ID: 8A0A00002D51DE183AC2845C6B3FF4BC7485181B4DCBC1758E3A2D5399BDD71C
Session-ID-ctx:
Master-Key: B10B9370E4DF70E873873AB9851B3CEF19623E6ADA697955E375D931DEE8301D798B4CB14C8D33FCF1BA066C0CC23897
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1413885416
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
DONE
</pre>

==== C. Check that you cannot CANNOT to https server using SSL3 ====

openssl s_client -ssl3 -host $HOST -port $PORT

==== CAN CONNECT = VULNERABLE = NOT OK ====

If you get this then you need to configure the server to prevent SSL3

<pre>
nagios@vm1m:~$ echo xxx|openssl s_client -ssl3 -host demo.neosys.com -port 4430
gethostbyname failure
connect:errno=0
nagios@vm1m:~$ echo xxx|openssl s_client -ssl3 -host demo.neosys.com -port 4430
CONNECTED(00000003)
depth=0 CN = demo.neosys.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = demo.neosys.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=demo.neosys.com
i:/CN=demo.neosys.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIB3jCCAUugAwIBAgIQNj9FMjT1vIxGo2Mv2Ta9vzAJBgUrDgMCHQUAMB0xGzAZ
BgNVBAMTEmFkbGluZWQubmVvc3lzLmNvbTAeFw0wODAzMjUxMTIxMzFaFw0zNTA4
MTAxMTIxMzFaMB0xGzAZBgNVBAMTEmFkbGluZWQubmVvc3lzLmNvbTCBnzANBgkq
hkiG9w0BAQEFAAOBjQAwgYkCgYEArRuijA8jz3qBm2ZZEwITIJLWIMlQmZxcUvOo
HNZL0+3oJuX0AQqtpRZMp/7ob9agngfwJQ36vK+424zcBbmKxA2MweKZRalN2jz+
rdr1oeZ6/Ff3r8+rCPFj/B8CfMOQbSv6YcR0kVc+8ugybB7qT6Nq5ZWOAczG3Ikt
4EnOlqUCAwEAAaMnMCUwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDgYDVR0PBAcDBQCw
AAAAMAkGBSsOAwIdBQADgYEAHIq5Gn2LiMgXFaUYrFEfHeajD4jAwdFw+zrjcBDZ
qM9LnhndHhdPogow9m9cCv1n57ne9rZL1v7w7Y6C53359hTUVZFqtHFfzcWnNyKD
uHD9a8QDk6/dSwBr/SWIE6OdFUYAj/kDXRQNB5H459spRVa3Yws8vpwrWZhoklxq
CQg=
-----END CERTIFICATE-----
subject=/CN=demo.neosys.com
issuer=/CN=demo.neosys.com
---
No client certificate CA names sent
---
SSL handshake has read 649 bytes and written 342 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : RC4-MD5
Session-ID: 441A0000EBC1D634B2CDB12924F9B980D2A4CF8C4DD6D3FB9728D3C74F62A8FE
Session-ID-ctx:
Master-Key: 38F040BE3E7098857B7CB9FF3B44937786F8F8C002B0042370B29F20EFB582833F9E24CFC8E6560AFD06751DC93412D3
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1413885545
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
DONE
</pre>

==== CANNOT CONNECT = NOT VULNERABLE = OK ====

<pre>
nagios@vm1m:~$ echo|openssl s_client -ssl3 -host demo.neosys.com -port 443
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1413885702
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
</pre>

=== Enabling Internet Explorer 6 to access secured https web servers ===

To use Internet explorer 6 (on win2003 and XP-before-SP3) to access secured http web sites you need to enable IE6 to use TLS 1.0. Internet Explorer 6 is present in Windows Server 2003 and Windows XP-pre-SP3.

You can also disable SSL 2.0 and SSL 3.0 for additional safety. This good for later versions of Internet Explorer too.

[[File:IE_options.jpg]]

== Generating IIS certificates for https using openssl ==

This covers the two main type of certificates:

#"proper" certificates (accepted by all browsers without complaint) - issued by bona fide certification authority only on proof of control of a domain name - usually for a small fee
#"self signed" certificates (not accepted by all browsers without error messages without special configuration) - easily
issued by anybody without the slightest restriction

NEOSYS' proper https certificate for *.hosts.neosys.com, valid approx Jan-Dec 2016, issued by Comodo, was purchased from namecheap.com for a small fraction of the price of purchasing from Comodo or one of the other main certification authorities.

There is no technical requirement to renew certificates with the same issuing authority, nor is their any restriction whatsoever from having multiple concurrent overlapping certificates, in any combination, for the the same domain name or subsets of a domain name. For a certificate to be "proper" it merely has to be issued by (not necessarily purchased from) one of the certificate authorities registered in all the main browsers using by NEOSYS clients. Unlike DNS domain name registrars, of which you can only have one at any one time, and which take to change, certificates are simply installed in particular servers without reference to each other, nor to any imaginary central internet registry, as IS the case for the DNS domain name registry.

The sales of certificates is a bit of scam really because anybody can get a certificate from the main commercial certificate authorities merely by proving control over a domain name - for example, by receiving an email to ADMIN@xxxxx.com. Except for EV certificates such as those issued to banks etc, most https certificates are issued without any check on physical identity or reputation, therefore the cost of issuing https certificates rests merely on the fact that the certification authority has managed to inveigle itself into all the main browsers and have their public key installed along with the browser software. Hoowever, the market seems to be collapsing, with even free certificate authorities appearing although with some minor limitations like short duration of validity of certificates.

Excellent summary of using openssl to manage certificates .. no Alternate Names though
https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs

Excellent summary of selfsigned and properly signed certificate
https://httpd.apache.org/docs/2.4/ssl/ssl_faq.html

==== Commentary on https security ====

With the general move to using https instead of http after the Snowdon revelations, people have begun to better understand how https certificates really work. People are more aware now that most https certificates mean little more than that their communication with the server is a) confidential b) not tampered with c) is truly with the server/domain name apparent and not some other. ALL WITH THE EXCEPTION OF *ANYBODY* WHO IS A CERTIFICATE AUTHORITY REGISTERED IN THE MAIN BROWSERS - WHICH IS MANY - INCLUDING NON-FRIENDLY NATIONAL STATE ACTORS!

It is possible however to be virtually certain of confidentiality and accuracy of your communication using standard browsers, EVEN VERSUS CERTIFICATION AUTHORITIES. If, by inspecting the certificate when you are browsing a particular web site, you can satisfy yourself that it is in fact truly the one in use by the web server, the chances of your communication being secure is virtually 100% The only chance is some failure in fundamental encryption protocols. Such failures would either be public knowledge very quickly, or not used versus you, for fear of it becoming public knowledge, unless you really have something incredibly valuable to hide. In this sense, self-certified certificates are the most secure, since you can obtain them by some other secure channel directly from the web server operator and do not change without your action. Note that in order to ensure that a certificate does not change during your session, to say an unknown valid certificate that breaks your security, your browser must support certificate pinning, in which case the browser will either prevent, or inform you if the certificate for the web site changes, either between or within sessions.

To gain a practical understanding of the issues raised if you trust the certification authorities built in to your browser, consider the fact that many companies require an additional certificate authority to be installed in all corporate browsers (and in some famous cases have installed it covertly), and thereafter all https communications are decrypted in the company firewall/proxy using the corporate certificate, checked for content and reencrypted with the true certificate before being passed on - or vice versa, depending on the direction of flow of information. This, for example means that an employee accessing their bank account would be completely exposed to the corporate gaze. Two factor security would prevent corporate interference in say, instructions to make payments, but all information would be exposed and probably logged in possibly long term records. The same would apply to all https web sites accessed by the employee. Courts seem to agree that corporations have every right to do this but the average person is commonly not aware of it. If a person understood how https security works, they could inspect the https certificate to make sure it is the correct (same one issued by their bank apparent at home for example), since it is unlikely that an adversary (or in this case their employer) would control their actual browser software, but security is an arms race and once everybody knows how to defend themselves, adversaries and security operators will simply move to the next level. The next level may be preventing users from using their own browsers. This is already the case in most secure environment, but not all, and BYOD attitudes may prevail in the long run. Whatever the issues are in this case, the same general principle apply in other situations involving security.

=== Generating a self signed certificate in pfx form for IIS ===

Generating certificates and keys https://httpd.apache.org/docs/2.4/ssl/ssl_faq.html

Generating a pfx using openssl https://langui.sh/2009/01/24/generating-a-pkcs12-pfx-via-openssl/

==== Generate standard cert and key pair ====

First generate a matching pair of certificate and key files (x509 and rsa format respectively)

Example for *.mydomain and validity 9999 days from now

signer=self
mydomain=neosys.com
mydomains=*.neosys.com
expirydays=9999
keyno=`date`
certno=$keyno
#
certfilename=$mydomain-$signer-$certno.cer
keyfilename=$mydomain-$keyno.key
#"-nodes" means -no-DES ie no encryption ie generate a key file without encrypting it and therefore without requiring a password on it
openssl req -new -x509 -nodes -days $expirydays -out "$certfilename" -keyout "$keyfilename" \
-subj "/C=AE/ST=DUBAI/O=NEOSYS/CN=*.neosys.com" \
-reqexts SAN -config <(cat /etc/ssl/openssl.cnf \
<(printf "[SAN]\nsubjectAltName=DNS:*.hosts.neosys.com,DNS:*.support.neosys.com")) \

Consider adding subject and subject alternative names

openssl x509 -req -new -sha256 \
-newkey rsa:2048 \
-keyout neosys.com-102.key \
-subj "/C=AE/ST=DUBAI/O=NEOSYS/CN=*.neosys.com" \
-reqexts SAN -config <(cat /etc/ssl/openssl.cnf \
<(printf "[SAN]\nsubjectAltName=DNS:*.hosts.neosys.com,DNS:*.support.neosys.com")) \
-out neosys.com-102.crt \
-nodes \
-days 9999

Example session:

Country Name (2 letter code) [AU]:AE
State or Province Name (full name) [Some-State]:DUBAI
Locality Name (eg, city) []:DUBAI
Organization Name (eg, company) [Internet Widgits Pty Ltd]:NEOSYS
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:*.neosys.com
Email Address []:it@neosys.com

=== Generating a properly signed certificate ===

http://wiki.gandi.net/en/ssl/csr#sha-2_certificate_request

==== Generate key and CSR file ====

A certificate signing request file (.csr) for *.hosts.neosys.com (wildcard certificate)

if you are renewing (and want to reuse an existing secret server key file mydomain.key, although not clear on the benefit ATM)

openssl req -new -nodes -sha256 -key mydomain.key -subj "/C=AE/ST=DUBAI/O=NEOSYS/CN=*.hosts.neosys.com" -out mydomain.csr

or if you want to generate a new secret server key file

openssl req -new -nodes -sha256 -newkey rsa:2048 -keyout mydomain.key -subj "/C=AE/ST=DUBAI/O=NEOSYS/CN=*.hosts.neosys.com" -out mydomain.csr

or if you want to request SAN subdomain wildcards (unlikely to be granted by main cert authorities but perfectly legal and can be self certified)

openssl req -new -nodes -sha256 -newkey rsa:2048 -keyout mydomain.key -subj "/C=AE/ST=DUBAI/O=NEOSYS/CN=*.neosys.com" -out mydomain.csr \
-reqexts SAN -config <(cat /etc/ssl/openssl.cnf \
<(printf "[SAN]\nsubjectAltName=DNS:neosys.com,DNS:*.neosys.com,DNS:*.support.neosys.com,DNS:*.hosts.neosys.com"))

View the csr and verify correct (check that SAN additional domains are listed if you requested them above)

openssl req -in mydomain.csr -noout -text

==== Either send to CA and get crt/cer file back ====

Send the csr file to the certifying authority and put their response in a mydomain.crt file

Make sure you inform them that the type of software you used to generate the csr is "mod Apache/ModSSL"

mydomain.csr -> mydomain.cer

==== Or self sign to test all ok ====

nano ssl.conf

[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = AE
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Dubai
localityName = Locality Name (eg, city)
localityName_default = Dubai
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = IT
commonName = *.neosys.com
commonName_max = 64
#
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
#keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
#
[alt_names]
DNS.1 = neosys.com
DNS.2 = *.neosys.com
DNS.3 = *.hosts.neosys.com
DNS.4 = *.support.neosys.com

openssl x509 -signkey mydomain.key -in mydomain.csr -req -days 9999 -extensions v3_req -extfile ssl.conf -out mydomain.crt

view the cert and check extensions (additional domain names) are present if required

openssl x509 -in mydomain.crt -text -noout

==== Merge private key and signed public cert into password protected pfx file ====

Convert the pair of standard files into a single pfx file that IIS can import

friendlyname="COMODO SIGNED hosts.neosys.com *.hosts.neosys.com"
openssl pkcs12 -export -in mydomain.crt -inkey mydomain.key -name "$friendlyname" -out mydomain.pfx

It will ask for a password .. the usual NEOSYS one is 1f... which will be required when you import the pfx file into IIS before binding to web sites

Example session:

Enter Export Password:
Verifying - Enter Export Password:

Check the pfx file

openssl pkcs12 -in mydomain.pfx

openssl pkcs12 -in mydomain.pfx | openssl x509 -noout -text

==== Copy the pfx file to the IIS server and import/bind in the usual way ====

Copy it to the https server

mysshport="-P 19510"
mysshtarget="administrator@win3.neosys.com:/cygdrive/d/hosts/CERTIFICATES"
scp $mysshport mydomain.pfx $mysshtarget

==== Friendly name in pfx file ====

On the IIS server after importing, if you have multiple certificates for the same domain name you might like to add a "friendly name" to distinguish them in the dropdown when binding certificates to web sites.

You might also want to add the friendly name to the pfx file if you intend to import it again or elsewhere using certificate export to pfx with options Include All and Export All

https://rickardrobin.wordpress.com/2012/12/05/specifying-a-friendly-name-to-a-certificate/

=== Understanding SSL certificates ===

==== What are RSA Private Keys, CSRs and Certificates? ====

YOUR RSA PRIVATE KEY FILE

is a digital file created by you and never ever shared with others. It is USED ONLY BY YOU (never by others) to either:

*to DECRYPT secret, encrypted, messages received by you from others
*to SIGN messages before sending them to others providing them certainty that the message came from you without being tampered with and that you cannot deny signing them.

YOUR RSA PUBLIC KEY FILE

is a digital file created by you and freely shared with others. It is USED BY OTHERS (never by you) to either:

*ENCRYPT messages before sending them to you
*VERIFY that signed messages were in fact signed by you and not tampered with and you cannot deny signing them.

OTHER PERSON'S RSA PUBLIC KEY FILE

is a digital file created by the other person and freely shared with you and others. It is USED BY YOU OR ANYBODY (never by the other person) to either:

*ENCRYPT messages to achieve secrecy before sending them to the other person.
*VERIFY that signed messages received were in fact signed by the other person and that they cannot deny signing them nor claim they have been tampered with.

To obtain someone's public key, you need a trusted channel, ie a signed channel, but not a secret or encrypted channel since the information is public and not confidential.

Using your private key and someones public key together:

*If you want to send a signed secret message to someone and allow them to be sure it came unmodified from you, you first sign the message using YOUR PRIVATE KEY, then encrypt the message using THEIR PUBLIC KEY
*If you want to receive a secret message and verify that it came unmodified from someone in particular, you first you decrypt the message using YOUR PRIVATE KEY, then verify the message using THEIR PUBLIC KEY

Signing and Verification = Encryption and Decryption Mathematical Process with keys reversed

Actually, the process of "signing" is doing the same mathematical process as encryption, but since you use the recipients public key, the resultant "encrypted" messege is not secret because it can be "decrypted" using a public key which are freely available.

Likewise, the process of "verification" on a received message is doing the same mathematical process as decryption, but since you are using the senders public key, and anybody could "decrypt" the message, it was not really encrypted in the sense of being secret.

So we have two processes, one called Encryption/Signing but is exactly the same mathematical process with two names depending on whether we use a public or private key, and another process called Decryption/Verification which uses the opposite key.

What YOU use for what:

*YOUR (PRIVATE) KEY = USED BY YOU for decryption and signing
*THEIR (PUBLIC) KEY = USED BY YOU for encryption and verification

*YOUR (PUBLIC) KEY = NEVER USED BY YOU - since anybody else could do the same thing so no trust or secrecy could be obtained
*THEIR (PRIVATE) KEY = NEVER USED BY YOU - since you dont have it!

What to use:

*ENCRYPT OUTGOING = Use THEIR (public) key
*VERIFY INCOMING = Use THEIR (public) key

*DECRYPT INCOMING = Use YOUR (private) key
*SIGN OUTGOING = Use YOUR (private) key

So the slightly strange thing is that you dont encrypt messages with your private key as might be assumed naturally. You encrypt using the target recipient's public key. This is perfectly logical if you understand the concept asymmetric cryptography.

One thing to note is that, while it is obvious that other people never use your private key, since they dont have it, it is not obvious, but perfectly true, that you never use your public key. NOBODY EVER USES THEIR OWN PUBLIC KEY ... THEY ONLY GIVE IT TO OTHERS TO USE.

CERTIFICATE

It has a public component which you distribute (via your Certificate file) which allows people to encrypt those messages to you. It can also be used by you to sign messages that can be verified as having come from you by anyone who receives the signed message, using your public key.

CSR FILE

A Certificate Signing Request (CSR) is a digital file which contains your public key and your details eg name/domain name etc. You send the CSR to a Certifying Authority (CA), who will create a real Certificate containing your detail eg your domain name and your public key, signed by them using their private RSA private key.

CERTIFICATE

A Certificate contains your RSA public key, your name, the name of the CA, and is digitally signed by the CA. Browsers that know the CA can verify the signature on that Certificate, thereby obtaining your RSA public key. That enables them to send messages which only you can decrypt.

==== What is Asymmetric cryptography? ====

Asymmetric cryptography allows you to freely publish a "public" key that can be used by anyone to send you encrypted messages. Such messages can only be decrypted by you using a special matching "private" key which you always keep secret.

Asymmetric cryptography also allows you to publish "signed" messages that can be verified by anyone as coming directly from you without any modification by others. Such messages are created using your "private" key and can be verified by anyone who has your "public" key. Creation involves the same process as encryption. Verification uses the same process as decryption.

Note that you dont ever actually use your own public key. You use your private key to decrypt messages sent to you, and you use the same key to "sign" messages to prove they came from you and without modification. Likewise other people only ever use your "public" key - either for encrypting messages that they want to send to you, or verifying that signed messages did come from you unmodified.

So we have a pair of keys that if either one is used for encryption/signing, then the other one is required for decryption/verifying. In that sense, it does not matter which we choose to keep private and which public, but ensure that we only ever publish one of them and forever keep the other secret.

So, to start encrypting or signing, you need a matched pair of keys, and you need to publish one to other people and forever keep the other one secret.

.key a file that contains a random collection of characters that can be used to encrypt

.cer a file that contains a random collection of characters that can be given out publicly and used by anybody to encrypt something to be sent to you

A certificate is some information that has been processed by a private and secret key.

pfx contains a private key and public certificate which contains your public key embedded. Usually pfx files are encrypted and you have to enter a password before using them, ie importing them.

==[[Backing up and Restoring IIS configuration]]==

Setting up and using remote support

2016-05-21T10:49:15Z

Steve: /* Configuring SSHD to use a non-standard port number */

== Getting agreement of client IT staff to provide remote support ==

[[Letter to obtain agreement of client IT staff to provide remote support]]

== Initial Connection to the server before setting up permanent remote connection ==

In case of a remote installation you need to get an initial connection to the server before you can setup Cygwin for a permanent remote connection. For this purpose you can either use your customised reverse connect UltraVNC SC file or the one-time run Teamviewer utility.

Support MUST not provide NEOSYS support via Microsoft Remote Desktop Client (RDP/RDC) on port 3389 at anytime because it is a BAD idea to simply open port 3389 since an open port 3389 attracts scanners/hackers like flies.

Also, IT suppliers not aware of the situation often setup the initial administrator password to something obvious like "password" or the arent-I-clever "P@ssw0rd" or even blank. In this case there is a good chance internet worms will discover the "open door" and install themselves before you get the chance to put a strong password.

If the client has already gone ahead and provided Microsoft RDP with an obvious/weak system password, then Support MANDATORY MUST get Windows reinstalled from scratch. Antivirus may not be able to tell that the server has been infected and rootkitted and therefore a scan does not prove it has not been infected.

== Installing and configuring SSH ==
=== Installing Cygwin with OPENSSH ===

These instruction are only for installing in a server NOT part of a domain. For installing in a server that is part of a domain, see http://cygwin.com/faq-nochunks.html#faq.using.sshd-in-domain

Watch out for non-intuitive steps like clicking "skip" to install something.

# Read [[Avoiding Corrupt Cygwin Installations]]
# ENSURE that you are logged in as the local (NOT DOMAIN) administrator
# Download/Run/Install http://www.cygwin.com/setup.exe (you might have to go to the home page http://www.cygwin.com and click the link to setup.exe)
# Download source: '''Install from Internet'''
# Root Directory: '''c:\cygwin'''
# Local Package Directory: '''c:\cygwin.lib'''
# Choose "yes" to "Folder does not exist. Create new?"
# Internet Connection: '''Direct Connection'''
# Download Site: '''http://mirrors.kernel.org''' (near the bottom) (If this does not show in the list, key in the URL in the field '''User URL''' and click on Add)
# Select Packages: Maximise window then click '''View''' once to get '''Full'''. You can then enter the name of the desired packages in the Search box to speed up location of the desired packages.
# Next to the package '''OPENSSH''', click the word '''Skip''' (once!) to get version 4.4p1-1 or later
# Next to the package '''NANO''', click the word '''Skip''' (once!) to get the latest version available
# Check the NEOSYS INSTALLATION CHECKLIST for any other packages to install like the above.
# Click Next and complete the installation

=== Win32 Error ===

The Win32 Error occur when the bad file is cached in internet explorer cache. You can try clearing the internet explorer cache and redownloading or you can try to download from cygwin.com instead of www.cygwin.com so it doesnt look in the cache or www.cygwin.com if your original download was from cygwin.com. All else failing, you can simply upload the setup.exe file from your own pc to the server.

All this relates to win32 error when running a downloaded file. Any downloaded file and not just cygwin.com/setup.exe

===Error during setup===

In case of the following error, check for proxy settings in internet explorer. It is possible that the client uses a proxy setting. In that case, in Step 7 instead of choosing Direct Connection, choose Use Internet Explorer Proxy Setting.

Unable to get setup.ini from <http://mirrors.kernel.org/>

[[File:Cygwin install error.png]]

=== Configuring and starting SSHD ===
Open the Cygwin icon to get a linux/bash command line and type:

Run the following commands: (not needed in recent versions of Cygwin so dont do this)

chmod +r /etc/passwd
chmod +r /etc/group
chmod 777 /var

Refer [[Setting_up_and_using_remote_support#Reinstalling_SSHD_if_service_fails_to_startup| here]] if you get an error while doing the above steps.

Prevent cygwin from using Unix like permissions on files it creates

nano /etc/fstab

add the line or just add ",noacl" to the existing similar line. (What is the effect of omitting this?)

none /cygdrive cygdrive binary,posix=0,user,noacl 0 0

Thereafter start with the ssh configuration:

ssh-host-config

Then on the following options type:
Only asked if running again:
Overwrite existing /etc/ssh_config file? yes
Overwrite existing /etc/sshs_config file? yes
.
StrictModes - no
Privilege – yes
New local sshd account - yes
Install SSHD as a service - yes
Enter value of daemon - Just press Enter
Different name - no
Create new privileged user - yes
Enter a password now - Invent a NEW totally random password with caps and both upper and lower case.
Re-enter the password - Enter it again. Dont record it anywhere. Forget it.

At the command prompt type

net start sshd

=== Configuring SSHD to use a non-standard port number ===

This is necessary if the router cannot forward port 19580 --> 22 and we don’t want to open port 22 directly.

Capitalization is SIGNIFICANT AND CANNOT BE IGNORED in cygwin/linux commands

open cygwin command prompt

cd /etc
nano sshd_config

change the Port to look like this:

#Port 22
Port 19580

Also add the last line to the following section. Refer [[Setting_up_and_using_remote_support#Solving_.22Authentication_that_can_continue:_publickey.2Cpassword.22_Error_when_connecting_to_remote_servers_via_remote_access_clients| Error when connecting to remote servers]] to see why this line is added.

<pre>
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
</pre>

Press Ctrl+x to save. On the confirmation type Y and on the next prompt hit enter.

net stop sshd
net start sshd

To check that the server is running and listening on port 19580

ssh -p 19580 administrator@localhost

If you are asked for to confirm the server id is correct or enter password then the check is successful. No need to continue.

=== Changing ssh login from “Administrator” to “administrator” ===
Current NEOSYS policy to cater for recent versions of Cygwin is to rename the windows Administrator user to administrator to keep a consistent ssh login across all installations.

If you forget to do this before installing or upgrading Cygwin then you must to the following:

#Rename “Administrator” to “administrator” in Windows
#*If you cannot rename Administrator to administrator, follow the procedure mentioned at [[Changing username from Administrator to administrator]]
#In a Cygwin console do:

mkpasswd > /etc/passwd

It should come back with nothing

=== Error while changing Cygwin port 22 to 19580 ===

Error Message:

"Could not open file for writing: permission denied"

Occurrence:
Sometimes when you edit the sshd_config file through NANO.

Solution:
In SSH shell, follow these commands:

cp sshd_config ashwin_temp #copies sshd_config to a new file ashwin_temp
rm sshd_config #deletes sshd_config
cp ashwin_temp sshd_config #copies ashwin_temp to sshd_config

In case it does not copy sshd_config to ashwin_temp, than check whether an ashwin_temp filename exists and delete it using the rm command.

=== Opening up ssh connections to additional source ip nos ===

Starting a NEOSYS process will automatically restrict cygwin ssh to accept connections from known NEOSYS company static ip numbers.

In the cygwin command line, insert a line in the list of allowable hosts

DO NOT ALLOW ALL OR GENERAL SSH ACCESS TO NEOSYS CLIENTS SERVERS WITHOUT GETTING PERMISSION *AND* INSTALLING EMAIL ALERTS FOR LOGINS AS DESCRIBED BELOW

nano /etc/hosts.allow

sshd: ALL

or a ip numbers or CIDR format

sshd 12.34.56.78
sshd 12.34.0.0/16

=== Setting up email alerts for cygwin ssh logins ===

Use http://www.cygwin.com/setup.exe to install "email" and "whois" packages

Insert the following script using cygwin command prompt.

NOTE! it@neosys.com to whatever you want.

cd /etc
nano sshrc

<pre>
#!/bin/bash
#
#you configure this

ALERTEMAILADDRESS=it@neosys.com

#
#get the ip number without the ipv6 prefix
FROMIPNO=`echo $SSH_CLIENT|cut -f 1 -d " "|sed 's/::ffff://'`
#
#quit with no message if from a known host

if grep -x $FROMIPNO /etc/trustedipnos
then exit
fi

#
#get the host name by reverse lookup

FROMHOST=`nslookup $FROMIPNO|grep "name ="`

#
#get whois info about the login ip number

#and pipe it into the mail program
#"&" on the end creates a new process in order not to delay login

whois $FROMIPNO|\
email -q -f nl1@neosys.com -s "login $USER $FROMIPNO $FROMHOST" -r \
mailout.neosys.com -p 2500 $ALERTEMAILADDRESS&
</pre>

Make sure that you configure the file permissions

chmod a+x sshrc

Inserted trusted ip nos.

cd /etc
nano trustedipnos

<pre>
#sorry, ip ranges and cidr etc not accepted yet

#vm1.neosys.com for remote checking
85.17.154.105

#nl1.neosys.com
83.149.104.167

#nl2.neosys.com
85.17.154.66

#uk.neosys.com
78.143.212.191

#nl3.neosys.com
94.75.233.2
</pre>

Make sure that you configure the file permissions

chmod a+x sshrc

=== Testing SSH connection to the NEOSYS server over port 19580 ===

If you cannot connect to the server using SSH, see [[Troubleshooting_NEOSYS_Generally#Troubleshooting_NEOSYS_remote_support_port_forwarding|Troubleshooting NEOSYS remote support port forwarding]]

=== Troubleshooting SSH: If SSH connects and then disconnects immediately without exchanging keys ===

The first time that NEOSYS runs, it automatically adds source ip number restrictions to the sshd remote support configuration in /etc/hosts.allow and /etc/hosts.deny. This is an important security procedure to allow connection to clients systems from NEOSYS ip numbers only. This process allows only local and known NEOSYS ip numbers to connect using SSH. Upgrading NEOSYS will add and/or remove allowable ip numbers as NEOSYS configuration changes.

It is possible that in some client network configurations incoming ssh connections will appear to be from the clients internal routers with an ip unknown to NEOSYS due to NAT configurations. Therefore ssh connections will be blocked unless specifically allow the local ip number or it is added into an upgraded version of NEOSYS.

NOTE: Therefore you must check that remote support via ssh works AFTER you have run NEOSYS once (maintenance mode).

#Look in the Windows, Computer Management, System Tools, Event Viewer, Application
#Search for entries from source "sshd", double click and look in the Event Properties, Description for ip numbers
#Information type sshd entries will give the ip number of successful sshd connections.
#Warning type sshd entries will give the ip number of failed sshd connections.
#Find the ip number of failed connections.

==== Possible Problem 1 - Port mapping in router is using NAT ====

If the ip number of failed connections is some local ip number (of the router for example) then possibly the inbound port forwarding has been done with NAT and the source ip number has been lost. Therefore the NEOSYS ip restrictions are blocking ssh connections because they appear to be coming from an unknown ip number (ie that of the router)

==== Solution 1A ====

Change the router configuration to not use NAT and leave the genuine original source IP number

==== Solution 1B ====
The router is sadly using NAT instead of plain old port forwarding.

DO NOT USE THIS PROCEDURE TO BREAK NEOSYS SECURITY. DO NOT GRANT ACCESS TO ANY IP OTHER THAN CLIENTS ROUTER IPS

The solution is to add NAT router IP to the list of authorised IP numbers on the NEOSYS server. This solution provides access to NEOSYS server from outside office unrestricted by IP number, hence Client Management approval must be obtained before this solution is applied.

Sample Email to Management-
<pre>
Dear XXXX,

Support must have remote access to the NEOSYS server via SSH but currently we don’t have access.

This is because your router is using NAT. The NAT router translates the source IP to its own hence the source IP is lost. NEOSYS server
has a list of allowed source IPs and since the router’s IP is not in the list, connection fails.

The solution to establish successful connectivity is to allow access to NEOSYS server from your NAT router by adding the router’s IP in
list of allowed IPs on the server.

We need your agreement to carry out this solution because authorizing this access means access to NEOSYS from outside office will not be
restricted by IP any more.

Please confirm that this solution is OK.

Best Regards
</pre>
On receipt of Management approval, add the routers IP number to the list of authorised IP numbers in the cygwin hosts.allow file as follows:

nano /etc/hosts.allow

and add the line as follows but put the IP number of your router

sshd: allow 192.168.0.99

Warning

#If the router IP changes then NEOSYS remote support will fail until this line is changed
#Do not grant access to 192.168.* etc. since this allows local LAN viruses to attack

=== Troubleshooting sshd ===

You can run the sshd service interactively to see all messages instead of having to search logs/events etc.

Unfortunately this will not work the same as the normal windows sshd service unless you assume the identity of the sshd_server user. To assume the identity of the sshd_server user you will have to reset its password to something new (since we dont take a record of it during sshd-host-setup) AND ALSO place the new password in the logon properties of the sshd windows service.

su sshd_server
/usr/sbin/sshd -D -p 19580

=== Reinstalling SSHD if service fails to startup ===

====Error message====
chmod: cannot access '/etc/passwd': No such file or directory
chmod: cannot access ‘/etc/group’: No such file or directory

====Solution====
Sometimes reinstallation isnt necessary and sshd can be made to restart by doing

mkpasswd > /etc/passwd
mkgroup > /etc/group

If all else fails:

#Look in '''/var/log/sshd.log''' for errors
#Delete the following users: '''sshd''' and '''sshd_server'''
#Remove the sshd service at the cygwin prompt type '''cygrunsrv –R sshd'''
#Do the above Configuration and starting SSHD step again

Note that you don't have to reinstall cygwin entirely, just sshd with the above steps.

== Upgrading SSHD / Cygwin ==
NEOSYS relies on cygwin to provide secure network access and support various linux/unix services under Windows, mainly rsync for interoffice consolidation.

Just like MS Windows update, cygwin should be updated at regular intervals to close security holes discovered in the software by its authors. This is particularly important for cygwin's remote access service sshd since it is exposed to the internet although on a non-standard port.

Join the cygwin and sshd security news email lists to learn about when cygwin upgrades sshd and/or when there are issues generally with sshd

To find out what versions of cygwin/sshd are installed at NEOSYS clients, in Nagios check "Status Information" of the neosys-ssh service

SSH OK - OpenSSH_5.9 (protocol 2.0)

=== Upgrading Cygwin remotely ===

NEOSYS normal remote server support connection uses cygwin/ssh. Cygwin can be upgraded while in use with a script as explained in the section below.

==== Upgrading Cygwin with a script ====

The following script can be used to automatically upgrade cygwin to the latest version quite easily even when people are using NEOSYS. However it carries a small risk described below.

WARNING This script temporarily disconnects and disables all ssh remote support connections, including any ssh connection you are using to initiate the process, for the duration of the upgrade.

Since something may go wrong and the script might FAIL to re enable ssh remote connections, you can take one of the precautionary measures listed below.

* either perform a temporary Teamviewer installation. The quick teamviewer zero installation remote support method will not work under rdp/tunnelier/remmina
* or ensure that client IT support is available ONSITE to provide temporary teamviewer access in the event of any problem
* or be prepared to lose the ability to provide remote support to the installation until the previous item is available

'''TeamViewer 9 issue'''

When attempting to connect to client server via TeamViewer 9 (setup via Tunnelier with unattended access) it shows the error below

[[File:TVerror.jpg]]

SOLUTION: Install TeamViewer 7 which does not give this error. Contact NEOSYS IT for TeamViewer7 commercial license. You must have the client server's administrator password to login using TeamViewer. After the upgrade, REMOVE SETTINGS for unattended access and UNINSTALL Teamviewer. Teamviewer must NOT BE LEFT with permanent login by number and password! Teamviewer options, security, REMOVE "Predefined password (For unattended access)"

===== Running the script =====

[[Setting_up_and_using_remote_support#Finding_the_script|Just locate the upgradecygwin.cmd script]] and run it some usual way by clicking and pressing Enter.

You MUST inspect the version of the pre-installed script against the http version and upgrade to the latest. As the script is updated with fixes for problems faced in the past.

If you initiate the script while connected on ssh using tunnelier/remmina etc. half way through the script you will be disconnected.

The script will take a few minutes to download and install any cygwin upgrades.

Once the script is finished, it will re enable creation of new incoming ssh connections and attempt to send an email to support@neosys.com via the standard mailout.neosys.com:2500 email server.

You should then be able to reconnect using ssh and tunnelier/remmina. If you do not get any email then perhaps the script is unable to send email to the standard mailout.neosys.com:2500 email server due to a firewall. In this case after 10 minutes or so you should be able to reconnect using ssh anyway.

*upgradecygwin.log - contents of the email that would have been sent
*upgradecygwin.err - any errors that prevent sending email

If you cannot connect on ssh using tunnelier/remmina after say 20 minutes then the script must have failed. To resolve that problem, either use your existing Teamviewer connection or get client IT support to physically access the server to install Teamviewer for you.

Running the script multiple times will not cause any issue. If there is little or nothing to upgrade then the time to complete will be short since there is less to download and install.

===== Verifying successful run =====

#You must carefully inspect the email or log for "error" or "fail" and intelligently and thoughtfully find any other unexpected results and deal with them. It is impossible to give guidelines for everything so this requires brainwork.
#[[Setting_up_and_using_remote_support#How_to_check_Cygwin_version_.3F|You must check the versions of "cygwin" and "openssh"]] at a minimum and ensure they agree with the latest expected version numbers.
#You must check for the word "reboot" especially in the following scenarios:

Installing file cygfile:///usr/bin/cygwin1.dll
io_stream_cygfile: fopen(/usr/bin/cygwin1.dll) failed 13 Permission denied
Failed to open cygfile:///usr/bin/cygwin1.dll for writing.
Scheduled reboot replacement of file C:\cygwin\bin/cygwin1.dll with C:\cygwin\bin/cygwin1.dll.new

mbox note: In-use files have been replaced. You need to reboot as soon as possible to activate the new versions. Cygwin may operate
incorrectly until you reboot.

note: In-use files have been replaced. You need to reboot as soon as possible to activate the new versions. Cygwin may operate incorrectly
until you reboot.
Ending cygwin install

===== Dealing with reboot required =====

The script attempts to shutdown sshd and some services that may be present in some installations like rsync and exim.

The script attempts to avoid causing "reboot required" by stopping the upgrade if any cygwin processes are found to be running. "Reboot required" indicates that some cygwin program was running while the upgrade process was running and this usually IRRETRIEVABLY BREAKS the cygwin functionality because cygwin's upgrade isnt smart enough to deal with this.

It is quite likely that a reboot will NOT solve various problems.

Rerunning the script will not show the errors again but the problem of bad upgrade.

SOLUTION: You should completely clean out all traces of cygwin in the computer and then reinstall cygwin completely from scratch. How to clean thoroughly is documented in wiki.

===== Finding the script =====

The script is installed in the neosys\neosys directory or for older versions of NEOSYS it can be created or upgraded as follows:

First find the text of the script at http://www.neosys.com/support/upgradecygwin.cmd

Then, assuming that NEOSYS is installed in the root directory of D:

Single installation
notepad d:\neosys\neosys\upgradecygwin.cmdzz

Multiple installation
notepad d:\hosts\CLIENTCODE\neosys\upgradecygwin.cmd

==== How to check Cygwin version ? ====

If you are looking for the version number for the whole Cygwin release, there is none.

Each package in the Cygwin release has its own version. You can find out the Cygwin.dll version by using the following command:

cygcheck -V

To find the version of the Cygwin Package installed, you can use

cygcheck -c PACKAGE_NAME

eg - To check the version of the openssh package you will have to type the following command in cygwin:

cygcheck -c openssh

The output should be as follows:
<pre>
Package Version Status
openssh 6.0p1-2 OK
</pre>

== How to uninstall/reinstall cygwin ==

With setup.exe (the installer file of cygwin) you can uninstall individual packages but not Cygwin.

Before you do this, make sure you have stopped the cygwin service (NET STOP SSHD), removed the sshd server (cygrunsrv -R sshd), deleted the sshd & sshd_server users (net user sshd /DELETE)

To uninstall Cygwin you have to run the following in DOS prompt:

rmdir /s /q C:\cygwin

You cannot delete the cygwin folder from Windows explorer due to a Access Denied error and this is the best way to uninstall cygwin.

== Adding packages to Cygwin after installation ==

Adding packages causes Cygwin to also upgrade but upgrade requires a special process because it cant be upgraded remotely while Cygwin sshd server is working.

#Upgrade Cygwin
#Add the package using Cygwin normal setup program

Step 1 is NOT optional if you want to do step 2.

In the above procedure upgrade Cygwin using the script and follow the precautionary measures listed in [[Setting up and using remote support#Upgrading Cygwin with a script | Upgrade using script]], in case script fails to renable ssh remote connection. Next run setup.exe file present in D:\neosys\neosys to install the required the package.

=== Adding individual packages to cygwin without doing a full upgrade ===

You can add individual packages to cygwin without doing a full upgrade in many cases. The installed or upgraded version of cygwin should be recent since the current version of the package you want to install might not work with an old version installed cygwin.dll.

To figure out if the cygwin version is recent and will be compatible with the new package, compare the current installed version with the latest version of cygwin.

Cygwin DLL has been named cygwin1.dll and the number 1 is present in the beginning of the release name. Additionally there are DLL major and minor numbers that correspond to the name of the release and a release number respectively. The major version number gets incremented only when a change is made that makes existing software incompatible. The minor version changes every time a new backward compatible Cygwin release is made available. Therefore we need to check the major version of cygwin on the server.

In other words cygwin-1.7.1-2 means cygwin1.dll, major version 7, minor version 1 and release 2.

e.g if the current version of Cygwin DLL is 2.3.0 and latest version is 2.4.1-1 that means there is a change in the major version from 3 to 4 so we cannot go ahead with installing a new package.

Commands below to add or remove packages. Press the View button repeatedly in the installation wizard to get to "Pending" to see what will be installed.
#adding
setup-x86 -P PACKAGE_NAME

#removing
setup-x86 -x PACKAGE_NAME

== Getting Ownership and Permissions Correct ==

Installation of cygwin under domain administrator account needs to be fixed as follows:

#c:\cygwin Properties, Security, Advanced
#Change owner to: Administrators
#Tick: Replace owner on subcontainers

After changing ownership of all cygwin folders to Administrators all ssh login will be blocked and you will get a windows application event log message. "root" actually means sshd's user which is sshd_server by default or can be found in the cygwin ssh windows services properties under log on

fatal: /var/empty must be owned by root and not group or world-writable.

Fix this in cygwin console as follows:

chown sshd_server /var/empty

== Configuring Firewall/Router ==

You will have to port forward 19580 on the router to port 19580 on the neosys server. Some routers call port forwarding “port mapping” or “virtual servers”

It is BAD idea to simply open port 22 since an open port 22 attracts scanners/hackers like flies.

Configure port forwarding of port 4430 ONLY if access from outside office is required by the client. Support MUST obtain Client management permission before port forwarding 4430.

== Configuring Specific Client Routers ==

[[Adline Dubai - CISCO PIX Firewall]]

[[Sonicwall Firewall Configuration]]

== How to install ssh on port 19580 over vnc on port 19580 ==

Install vnc on port 19580

connect on vnc

setup cygwin sshd on port 22

test you can login on port 22

ssh neosys@127.0.0.1

change sshd port to 19580 (but it wont start)

schedule a windows system reboot in 10 mins at windows command prompt

shutdown -t 600

change vnc port to 5900 (if will disconnect you)

wait for 10 mins and try to ssh login on port 19580

== Changing user on Cygwin==

On SSH command line:

ssh neosys@127.0.0.1 (where 'neosys' is the username)

== Installing and configuring UltraVNC ==

VNC/Putty is not typically used for NEOSYS remote support anymore and has been replaced by tunnelier/rdp

[[Installing and configuring UltraVNC]]

== Remote Desktop Connection ==

Servers are normally not exposed to the internet so IT staff and suppliers are often not careful to use strong passwords and use things like "password" or blank.

Given the above, it is NEOSYS policy NOT to use remote desktop via direct access from the internet at all and especially not long term. This is to prevent worms from instantly discovering possible entry points - typically before NEOSYS can even begin to enforce strong administrator password.

If it is otherwise IMPOSSIBLE (difficult or inconvenient does NOT count as impossible!) to avoid using remote desktop protocol to the public internet then a simple and effective way of significantly increasing security is to change the remote desktop port from 3389 to something else e.g. 33890 as per NEOSYS convention.

=== Changing RDC port from standard to nonstandard ===

# Start Registry Editor.
# Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp\PortNumber
# On the Edit menu, click Modify, and then click Decimal.
# Type the new port number, and then click OK.
# Quit Registry Editor.

== Solving "Authentication that can continue: publickey,password" Error when connecting to remote servers via remote access clients ==

Some remote access clients cannot connect to ssh servers without special configuration.

For example remina/ssh cannot connect to windows/cygwin/sshd in their default configuration.

=== Error Message ===
[[Image:Sshremmina.jpg]]

SSH password authentication failed: Access denied. Authentication that can continue: publickey,password,keyboard-interactive

=== Solution 1 ===

If possible configure the client to not perform challenge response during login.

There appears to be no way to do this for remina currently

=== Solution 2 ===

On the target server:

Edit the ssh service configuration

nano /etc/sshd_config

Add the last line to the following section

<pre>
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
</pre>

Restart the ssh service

net stop sshd
net start sshd

Check that you can login using password from one workstation and it will be solved for all workstations for that server

=== Solution 3 ===

On a client workstation:

#Use the autologin.sh script to configure automatic login. Refer [[Backup_and_Restore#Creating.2FUpgrading_autologin.sh_if_it_doesn.E2.80.99t_exist_or_is_out_of_date| Autologin.sh]]
#For "Authentication/Login Method" choose option "Public Key"

Check that you can login using password. This will have to be done on every workstation for every server so is rather tedious but it does not require reconfiguration of the server.

=== Solution 4 ===

On the target server, check whether authorized_keys file contains your public key. You can do that by checking the user name displayed at the end of each key.

To view the authorized_keys file, open cygwin terminal and type

cat .ssh/authorized_keys

If authorized_keys file does not contain your public key, then copy it from authorized_keys.backup file using the below command:

cat .ssh/authorized_keys.backup

Next edit the authorized_keys file using the below command:

nano .ssh/authorized_keys

Then paste the copied key in a new line. Ensure that the key appears in a single line and then close the authorized_keys file.

Check that you can connect to the target server using automatic SSH authentication (SSH Agent or Public key)

Setting up and using remote support

2016-05-21T10:36:34Z

Steve: /* Configuring and starting SSHD */

== Getting agreement of client IT staff to provide remote support ==

[[Letter to obtain agreement of client IT staff to provide remote support]]

== Initial Connection to the server before setting up permanent remote connection ==

In case of a remote installation you need to get an initial connection to the server before you can setup Cygwin for a permanent remote connection. For this purpose you can either use your customised reverse connect UltraVNC SC file or the one-time run Teamviewer utility.

Support MUST not provide NEOSYS support via Microsoft Remote Desktop Client (RDP/RDC) on port 3389 at anytime because it is a BAD idea to simply open port 3389 since an open port 3389 attracts scanners/hackers like flies.

Also, IT suppliers not aware of the situation often setup the initial administrator password to something obvious like "password" or the arent-I-clever "P@ssw0rd" or even blank. In this case there is a good chance internet worms will discover the "open door" and install themselves before you get the chance to put a strong password.

If the client has already gone ahead and provided Microsoft RDP with an obvious/weak system password, then Support MANDATORY MUST get Windows reinstalled from scratch. Antivirus may not be able to tell that the server has been infected and rootkitted and therefore a scan does not prove it has not been infected.

== Installing and configuring SSH ==
=== Installing Cygwin with OPENSSH ===

These instruction are only for installing in a server NOT part of a domain. For installing in a server that is part of a domain, see http://cygwin.com/faq-nochunks.html#faq.using.sshd-in-domain

Watch out for non-intuitive steps like clicking "skip" to install something.

# Read [[Avoiding Corrupt Cygwin Installations]]
# ENSURE that you are logged in as the local (NOT DOMAIN) administrator
# Download/Run/Install http://www.cygwin.com/setup.exe (you might have to go to the home page http://www.cygwin.com and click the link to setup.exe)
# Download source: '''Install from Internet'''
# Root Directory: '''c:\cygwin'''
# Local Package Directory: '''c:\cygwin.lib'''
# Choose "yes" to "Folder does not exist. Create new?"
# Internet Connection: '''Direct Connection'''
# Download Site: '''http://mirrors.kernel.org''' (near the bottom) (If this does not show in the list, key in the URL in the field '''User URL''' and click on Add)
# Select Packages: Maximise window then click '''View''' once to get '''Full'''. You can then enter the name of the desired packages in the Search box to speed up location of the desired packages.
# Next to the package '''OPENSSH''', click the word '''Skip''' (once!) to get version 4.4p1-1 or later
# Next to the package '''NANO''', click the word '''Skip''' (once!) to get the latest version available
# Check the NEOSYS INSTALLATION CHECKLIST for any other packages to install like the above.
# Click Next and complete the installation

=== Win32 Error ===

The Win32 Error occur when the bad file is cached in internet explorer cache. You can try clearing the internet explorer cache and redownloading or you can try to download from cygwin.com instead of www.cygwin.com so it doesnt look in the cache or www.cygwin.com if your original download was from cygwin.com. All else failing, you can simply upload the setup.exe file from your own pc to the server.

All this relates to win32 error when running a downloaded file. Any downloaded file and not just cygwin.com/setup.exe

===Error during setup===

In case of the following error, check for proxy settings in internet explorer. It is possible that the client uses a proxy setting. In that case, in Step 7 instead of choosing Direct Connection, choose Use Internet Explorer Proxy Setting.

Unable to get setup.ini from <http://mirrors.kernel.org/>

[[File:Cygwin install error.png]]

=== Configuring and starting SSHD ===
Open the Cygwin icon to get a linux/bash command line and type:

Run the following commands: (not needed in recent versions of Cygwin so dont do this)

chmod +r /etc/passwd
chmod +r /etc/group
chmod 777 /var

Refer [[Setting_up_and_using_remote_support#Reinstalling_SSHD_if_service_fails_to_startup| here]] if you get an error while doing the above steps.

Prevent cygwin from using Unix like permissions on files it creates

nano /etc/fstab

add the line or just add ",noacl" to the existing similar line. (What is the effect of omitting this?)

none /cygdrive cygdrive binary,posix=0,user,noacl 0 0

Thereafter start with the ssh configuration:

ssh-host-config

Then on the following options type:
Only asked if running again:
Overwrite existing /etc/ssh_config file? yes
Overwrite existing /etc/sshs_config file? yes
.
StrictModes - no
Privilege – yes
New local sshd account - yes
Install SSHD as a service - yes
Enter value of daemon - Just press Enter
Different name - no
Create new privileged user - yes
Enter a password now - Invent a NEW totally random password with caps and both upper and lower case.
Re-enter the password - Enter it again. Dont record it anywhere. Forget it.

At the command prompt type

net start sshd

=== Configuring SSHD to use a non-standard port number ===
This is necessary if the router cannot forward port 19580 --> 22 and we don’t want to open port 22 directly.

Capitalization is signification in cygwin/linux commands

open cygwin command prompt
cd /etc
chown administrator sshd_config
nano sshd_config (assuming that you have installed the NANO editor)
notepad sshd_config (incase you havent installed the NANO editor)
Move your cursor to '''Port 22''' and change 22 to 19580. 
Also add the last line to the following section. Refer [[Setting_up_and_using_remote_support#Solving_.22Authentication_that_can_continue:_publickey.2Cpassword.22_Error_when_connecting_to_remote_servers_via_remote_access_clients| Error when connecting to remote servers]] to see why this line is added.

<pre>
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
</pre>

Press Ctrl+x to save. On the confirmation type Y and on the next prompt hit enter.
chown system sshd_config
net stop sshd
net start sshd

To check that the connection to port 19580 is successful you can run the following test:
ssh -p 19580 administrator@localhost

You will be prompted to confirm the connection (say yes)

Now enter the system password to complete the procedure.

=== Changing ssh login from “Administrator” to “administrator” ===
Current NEOSYS policy to cater for recent versions of Cygwin is to rename the windows Administrator user to administrator to keep a consistent ssh login across all installations.

If you forget to do this before installing or upgrading Cygwin then you must to the following:

#Rename “Administrator” to “administrator” in Windows
#*If you cannot rename Administrator to administrator, follow the procedure mentioned at [[Changing username from Administrator to administrator]]
#In a Cygwin console do:

mkpasswd > /etc/passwd

It should come back with nothing

=== Error while changing Cygwin port 22 to 19580 ===

Error Message:

"Could not open file for writing: permission denied"

Occurrence:
Sometimes when you edit the sshd_config file through NANO.

Solution:
In SSH shell, follow these commands:

cp sshd_config ashwin_temp #copies sshd_config to a new file ashwin_temp
rm sshd_config #deletes sshd_config
cp ashwin_temp sshd_config #copies ashwin_temp to sshd_config

In case it does not copy sshd_config to ashwin_temp, than check whether an ashwin_temp filename exists and delete it using the rm command.

=== Opening up ssh connections to additional source ip nos ===

Starting a NEOSYS process will automatically restrict cygwin ssh to accept connections from known NEOSYS company static ip numbers.

In the cygwin command line, insert a line in the list of allowable hosts

DO NOT ALLOW ALL OR GENERAL SSH ACCESS TO NEOSYS CLIENTS SERVERS WITHOUT GETTING PERMISSION *AND* INSTALLING EMAIL ALERTS FOR LOGINS AS DESCRIBED BELOW

nano /etc/hosts.allow

sshd: ALL

or a ip numbers or CIDR format

sshd 12.34.56.78
sshd 12.34.0.0/16

=== Setting up email alerts for cygwin ssh logins ===

Use http://www.cygwin.com/setup.exe to install "email" and "whois" packages

Insert the following script using cygwin command prompt.

NOTE! it@neosys.com to whatever you want.

cd /etc
nano sshrc

<pre>
#!/bin/bash
#
#you configure this

ALERTEMAILADDRESS=it@neosys.com

#
#get the ip number without the ipv6 prefix
FROMIPNO=`echo $SSH_CLIENT|cut -f 1 -d " "|sed 's/::ffff://'`
#
#quit with no message if from a known host

if grep -x $FROMIPNO /etc/trustedipnos
then exit
fi

#
#get the host name by reverse lookup

FROMHOST=`nslookup $FROMIPNO|grep "name ="`

#
#get whois info about the login ip number

#and pipe it into the mail program
#"&" on the end creates a new process in order not to delay login

whois $FROMIPNO|\
email -q -f nl1@neosys.com -s "login $USER $FROMIPNO $FROMHOST" -r \
mailout.neosys.com -p 2500 $ALERTEMAILADDRESS&
</pre>

Make sure that you configure the file permissions

chmod a+x sshrc

Inserted trusted ip nos.

cd /etc
nano trustedipnos

<pre>
#sorry, ip ranges and cidr etc not accepted yet

#vm1.neosys.com for remote checking
85.17.154.105

#nl1.neosys.com
83.149.104.167

#nl2.neosys.com
85.17.154.66

#uk.neosys.com
78.143.212.191

#nl3.neosys.com
94.75.233.2
</pre>

Make sure that you configure the file permissions

chmod a+x sshrc

=== Testing SSH connection to the NEOSYS server over port 19580 ===

If you cannot connect to the server using SSH, see [[Troubleshooting_NEOSYS_Generally#Troubleshooting_NEOSYS_remote_support_port_forwarding|Troubleshooting NEOSYS remote support port forwarding]]

=== Troubleshooting SSH: If SSH connects and then disconnects immediately without exchanging keys ===

The first time that NEOSYS runs, it automatically adds source ip number restrictions to the sshd remote support configuration in /etc/hosts.allow and /etc/hosts.deny. This is an important security procedure to allow connection to clients systems from NEOSYS ip numbers only. This process allows only local and known NEOSYS ip numbers to connect using SSH. Upgrading NEOSYS will add and/or remove allowable ip numbers as NEOSYS configuration changes.

It is possible that in some client network configurations incoming ssh connections will appear to be from the clients internal routers with an ip unknown to NEOSYS due to NAT configurations. Therefore ssh connections will be blocked unless specifically allow the local ip number or it is added into an upgraded version of NEOSYS.

NOTE: Therefore you must check that remote support via ssh works AFTER you have run NEOSYS once (maintenance mode).

#Look in the Windows, Computer Management, System Tools, Event Viewer, Application
#Search for entries from source "sshd", double click and look in the Event Properties, Description for ip numbers
#Information type sshd entries will give the ip number of successful sshd connections.
#Warning type sshd entries will give the ip number of failed sshd connections.
#Find the ip number of failed connections.

==== Possible Problem 1 - Port mapping in router is using NAT ====

If the ip number of failed connections is some local ip number (of the router for example) then possibly the inbound port forwarding has been done with NAT and the source ip number has been lost. Therefore the NEOSYS ip restrictions are blocking ssh connections because they appear to be coming from an unknown ip number (ie that of the router)

==== Solution 1A ====

Change the router configuration to not use NAT and leave the genuine original source IP number

==== Solution 1B ====
The router is sadly using NAT instead of plain old port forwarding.

DO NOT USE THIS PROCEDURE TO BREAK NEOSYS SECURITY. DO NOT GRANT ACCESS TO ANY IP OTHER THAN CLIENTS ROUTER IPS

The solution is to add NAT router IP to the list of authorised IP numbers on the NEOSYS server. This solution provides access to NEOSYS server from outside office unrestricted by IP number, hence Client Management approval must be obtained before this solution is applied.

Sample Email to Management-
<pre>
Dear XXXX,

Support must have remote access to the NEOSYS server via SSH but currently we don’t have access.

This is because your router is using NAT. The NAT router translates the source IP to its own hence the source IP is lost. NEOSYS server
has a list of allowed source IPs and since the router’s IP is not in the list, connection fails.

The solution to establish successful connectivity is to allow access to NEOSYS server from your NAT router by adding the router’s IP in
list of allowed IPs on the server.

We need your agreement to carry out this solution because authorizing this access means access to NEOSYS from outside office will not be
restricted by IP any more.

Please confirm that this solution is OK.

Best Regards
</pre>
On receipt of Management approval, add the routers IP number to the list of authorised IP numbers in the cygwin hosts.allow file as follows:

nano /etc/hosts.allow

and add the line as follows but put the IP number of your router

sshd: allow 192.168.0.99

Warning

#If the router IP changes then NEOSYS remote support will fail until this line is changed
#Do not grant access to 192.168.* etc. since this allows local LAN viruses to attack

=== Troubleshooting sshd ===

You can run the sshd service interactively to see all messages instead of having to search logs/events etc.

Unfortunately this will not work the same as the normal windows sshd service unless you assume the identity of the sshd_server user. To assume the identity of the sshd_server user you will have to reset its password to something new (since we dont take a record of it during sshd-host-setup) AND ALSO place the new password in the logon properties of the sshd windows service.

su sshd_server
/usr/sbin/sshd -D -p 19580

=== Reinstalling SSHD if service fails to startup ===

====Error message====
chmod: cannot access '/etc/passwd': No such file or directory
chmod: cannot access ‘/etc/group’: No such file or directory

====Solution====
Sometimes reinstallation isnt necessary and sshd can be made to restart by doing

mkpasswd > /etc/passwd
mkgroup > /etc/group

If all else fails:

#Look in '''/var/log/sshd.log''' for errors
#Delete the following users: '''sshd''' and '''sshd_server'''
#Remove the sshd service at the cygwin prompt type '''cygrunsrv –R sshd'''
#Do the above Configuration and starting SSHD step again

Note that you don't have to reinstall cygwin entirely, just sshd with the above steps.

== Upgrading SSHD / Cygwin ==
NEOSYS relies on cygwin to provide secure network access and support various linux/unix services under Windows, mainly rsync for interoffice consolidation.

Just like MS Windows update, cygwin should be updated at regular intervals to close security holes discovered in the software by its authors. This is particularly important for cygwin's remote access service sshd since it is exposed to the internet although on a non-standard port.

Join the cygwin and sshd security news email lists to learn about when cygwin upgrades sshd and/or when there are issues generally with sshd

To find out what versions of cygwin/sshd are installed at NEOSYS clients, in Nagios check "Status Information" of the neosys-ssh service

SSH OK - OpenSSH_5.9 (protocol 2.0)

=== Upgrading Cygwin remotely ===

NEOSYS normal remote server support connection uses cygwin/ssh. Cygwin can be upgraded while in use with a script as explained in the section below.

==== Upgrading Cygwin with a script ====

The following script can be used to automatically upgrade cygwin to the latest version quite easily even when people are using NEOSYS. However it carries a small risk described below.

WARNING This script temporarily disconnects and disables all ssh remote support connections, including any ssh connection you are using to initiate the process, for the duration of the upgrade.

Since something may go wrong and the script might FAIL to re enable ssh remote connections, you can take one of the precautionary measures listed below.

* either perform a temporary Teamviewer installation. The quick teamviewer zero installation remote support method will not work under rdp/tunnelier/remmina
* or ensure that client IT support is available ONSITE to provide temporary teamviewer access in the event of any problem
* or be prepared to lose the ability to provide remote support to the installation until the previous item is available

'''TeamViewer 9 issue'''

When attempting to connect to client server via TeamViewer 9 (setup via Tunnelier with unattended access) it shows the error below

[[File:TVerror.jpg]]

SOLUTION: Install TeamViewer 7 which does not give this error. Contact NEOSYS IT for TeamViewer7 commercial license. You must have the client server's administrator password to login using TeamViewer. After the upgrade, REMOVE SETTINGS for unattended access and UNINSTALL Teamviewer. Teamviewer must NOT BE LEFT with permanent login by number and password! Teamviewer options, security, REMOVE "Predefined password (For unattended access)"

===== Running the script =====

[[Setting_up_and_using_remote_support#Finding_the_script|Just locate the upgradecygwin.cmd script]] and run it some usual way by clicking and pressing Enter.

You MUST inspect the version of the pre-installed script against the http version and upgrade to the latest. As the script is updated with fixes for problems faced in the past.

If you initiate the script while connected on ssh using tunnelier/remmina etc. half way through the script you will be disconnected.

The script will take a few minutes to download and install any cygwin upgrades.

Once the script is finished, it will re enable creation of new incoming ssh connections and attempt to send an email to support@neosys.com via the standard mailout.neosys.com:2500 email server.

You should then be able to reconnect using ssh and tunnelier/remmina. If you do not get any email then perhaps the script is unable to send email to the standard mailout.neosys.com:2500 email server due to a firewall. In this case after 10 minutes or so you should be able to reconnect using ssh anyway.

*upgradecygwin.log - contents of the email that would have been sent
*upgradecygwin.err - any errors that prevent sending email

If you cannot connect on ssh using tunnelier/remmina after say 20 minutes then the script must have failed. To resolve that problem, either use your existing Teamviewer connection or get client IT support to physically access the server to install Teamviewer for you.

Running the script multiple times will not cause any issue. If there is little or nothing to upgrade then the time to complete will be short since there is less to download and install.

===== Verifying successful run =====

#You must carefully inspect the email or log for "error" or "fail" and intelligently and thoughtfully find any other unexpected results and deal with them. It is impossible to give guidelines for everything so this requires brainwork.
#[[Setting_up_and_using_remote_support#How_to_check_Cygwin_version_.3F|You must check the versions of "cygwin" and "openssh"]] at a minimum and ensure they agree with the latest expected version numbers.
#You must check for the word "reboot" especially in the following scenarios:

Installing file cygfile:///usr/bin/cygwin1.dll
io_stream_cygfile: fopen(/usr/bin/cygwin1.dll) failed 13 Permission denied
Failed to open cygfile:///usr/bin/cygwin1.dll for writing.
Scheduled reboot replacement of file C:\cygwin\bin/cygwin1.dll with C:\cygwin\bin/cygwin1.dll.new

mbox note: In-use files have been replaced. You need to reboot as soon as possible to activate the new versions. Cygwin may operate
incorrectly until you reboot.

note: In-use files have been replaced. You need to reboot as soon as possible to activate the new versions. Cygwin may operate incorrectly
until you reboot.
Ending cygwin install

===== Dealing with reboot required =====

The script attempts to shutdown sshd and some services that may be present in some installations like rsync and exim.

The script attempts to avoid causing "reboot required" by stopping the upgrade if any cygwin processes are found to be running. "Reboot required" indicates that some cygwin program was running while the upgrade process was running and this usually IRRETRIEVABLY BREAKS the cygwin functionality because cygwin's upgrade isnt smart enough to deal with this.

It is quite likely that a reboot will NOT solve various problems.

Rerunning the script will not show the errors again but the problem of bad upgrade.

SOLUTION: You should completely clean out all traces of cygwin in the computer and then reinstall cygwin completely from scratch. How to clean thoroughly is documented in wiki.

===== Finding the script =====

The script is installed in the neosys\neosys directory or for older versions of NEOSYS it can be created or upgraded as follows:

First find the text of the script at http://www.neosys.com/support/upgradecygwin.cmd

Then, assuming that NEOSYS is installed in the root directory of D:

Single installation
notepad d:\neosys\neosys\upgradecygwin.cmdzz

Multiple installation
notepad d:\hosts\CLIENTCODE\neosys\upgradecygwin.cmd

==== How to check Cygwin version ? ====

If you are looking for the version number for the whole Cygwin release, there is none.

Each package in the Cygwin release has its own version. You can find out the Cygwin.dll version by using the following command:

cygcheck -V

To find the version of the Cygwin Package installed, you can use

cygcheck -c PACKAGE_NAME

eg - To check the version of the openssh package you will have to type the following command in cygwin:

cygcheck -c openssh

The output should be as follows:
<pre>
Package Version Status
openssh 6.0p1-2 OK
</pre>

== How to uninstall/reinstall cygwin ==

With setup.exe (the installer file of cygwin) you can uninstall individual packages but not Cygwin.

Before you do this, make sure you have stopped the cygwin service (NET STOP SSHD), removed the sshd server (cygrunsrv -R sshd), deleted the sshd & sshd_server users (net user sshd /DELETE)

To uninstall Cygwin you have to run the following in DOS prompt:

rmdir /s /q C:\cygwin

You cannot delete the cygwin folder from Windows explorer due to a Access Denied error and this is the best way to uninstall cygwin.

== Adding packages to Cygwin after installation ==

Adding packages causes Cygwin to also upgrade but upgrade requires a special process because it cant be upgraded remotely while Cygwin sshd server is working.

#Upgrade Cygwin
#Add the package using Cygwin normal setup program

Step 1 is NOT optional if you want to do step 2.

In the above procedure upgrade Cygwin using the script and follow the precautionary measures listed in [[Setting up and using remote support#Upgrading Cygwin with a script | Upgrade using script]], in case script fails to renable ssh remote connection. Next run setup.exe file present in D:\neosys\neosys to install the required the package.

=== Adding individual packages to cygwin without doing a full upgrade ===

You can add individual packages to cygwin without doing a full upgrade in many cases. The installed or upgraded version of cygwin should be recent since the current version of the package you want to install might not work with an old version installed cygwin.dll.

To figure out if the cygwin version is recent and will be compatible with the new package, compare the current installed version with the latest version of cygwin.

Cygwin DLL has been named cygwin1.dll and the number 1 is present in the beginning of the release name. Additionally there are DLL major and minor numbers that correspond to the name of the release and a release number respectively. The major version number gets incremented only when a change is made that makes existing software incompatible. The minor version changes every time a new backward compatible Cygwin release is made available. Therefore we need to check the major version of cygwin on the server.

In other words cygwin-1.7.1-2 means cygwin1.dll, major version 7, minor version 1 and release 2.

e.g if the current version of Cygwin DLL is 2.3.0 and latest version is 2.4.1-1 that means there is a change in the major version from 3 to 4 so we cannot go ahead with installing a new package.

Commands below to add or remove packages. Press the View button repeatedly in the installation wizard to get to "Pending" to see what will be installed.
#adding
setup-x86 -P PACKAGE_NAME

#removing
setup-x86 -x PACKAGE_NAME

== Getting Ownership and Permissions Correct ==

Installation of cygwin under domain administrator account needs to be fixed as follows:

#c:\cygwin Properties, Security, Advanced
#Change owner to: Administrators
#Tick: Replace owner on subcontainers

After changing ownership of all cygwin folders to Administrators all ssh login will be blocked and you will get a windows application event log message. "root" actually means sshd's user which is sshd_server by default or can be found in the cygwin ssh windows services properties under log on

fatal: /var/empty must be owned by root and not group or world-writable.

Fix this in cygwin console as follows:

chown sshd_server /var/empty

== Configuring Firewall/Router ==

You will have to port forward 19580 on the router to port 19580 on the neosys server. Some routers call port forwarding “port mapping” or “virtual servers”

It is BAD idea to simply open port 22 since an open port 22 attracts scanners/hackers like flies.

Configure port forwarding of port 4430 ONLY if access from outside office is required by the client. Support MUST obtain Client management permission before port forwarding 4430.

== Configuring Specific Client Routers ==

[[Adline Dubai - CISCO PIX Firewall]]

[[Sonicwall Firewall Configuration]]

== How to install ssh on port 19580 over vnc on port 19580 ==

Install vnc on port 19580

connect on vnc

setup cygwin sshd on port 22

test you can login on port 22

ssh neosys@127.0.0.1

change sshd port to 19580 (but it wont start)

schedule a windows system reboot in 10 mins at windows command prompt

shutdown -t 600

change vnc port to 5900 (if will disconnect you)

wait for 10 mins and try to ssh login on port 19580

== Changing user on Cygwin==

On SSH command line:

ssh neosys@127.0.0.1 (where 'neosys' is the username)

== Installing and configuring UltraVNC ==

VNC/Putty is not typically used for NEOSYS remote support anymore and has been replaced by tunnelier/rdp

[[Installing and configuring UltraVNC]]

== Remote Desktop Connection ==

Servers are normally not exposed to the internet so IT staff and suppliers are often not careful to use strong passwords and use things like "password" or blank.

Given the above, it is NEOSYS policy NOT to use remote desktop via direct access from the internet at all and especially not long term. This is to prevent worms from instantly discovering possible entry points - typically before NEOSYS can even begin to enforce strong administrator password.

If it is otherwise IMPOSSIBLE (difficult or inconvenient does NOT count as impossible!) to avoid using remote desktop protocol to the public internet then a simple and effective way of significantly increasing security is to change the remote desktop port from 3389 to something else e.g. 33890 as per NEOSYS convention.

=== Changing RDC port from standard to nonstandard ===

# Start Registry Editor.
# Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp\PortNumber
# On the Edit menu, click Modify, and then click Decimal.
# Type the new port number, and then click OK.
# Quit Registry Editor.

== Solving "Authentication that can continue: publickey,password" Error when connecting to remote servers via remote access clients ==

Some remote access clients cannot connect to ssh servers without special configuration.

For example remina/ssh cannot connect to windows/cygwin/sshd in their default configuration.

=== Error Message ===
[[Image:Sshremmina.jpg]]

SSH password authentication failed: Access denied. Authentication that can continue: publickey,password,keyboard-interactive

=== Solution 1 ===

If possible configure the client to not perform challenge response during login.

There appears to be no way to do this for remina currently

=== Solution 2 ===

On the target server:

Edit the ssh service configuration

nano /etc/sshd_config

Add the last line to the following section

<pre>
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
</pre>

Restart the ssh service

net stop sshd
net start sshd

Check that you can login using password from one workstation and it will be solved for all workstations for that server

=== Solution 3 ===

On a client workstation:

#Use the autologin.sh script to configure automatic login. Refer [[Backup_and_Restore#Creating.2FUpgrading_autologin.sh_if_it_doesn.E2.80.99t_exist_or_is_out_of_date| Autologin.sh]]
#For "Authentication/Login Method" choose option "Public Key"

Check that you can login using password. This will have to be done on every workstation for every server so is rather tedious but it does not require reconfiguration of the server.

=== Solution 4 ===

On the target server, check whether authorized_keys file contains your public key. You can do that by checking the user name displayed at the end of each key.

To view the authorized_keys file, open cygwin terminal and type

cat .ssh/authorized_keys

If authorized_keys file does not contain your public key, then copy it from authorized_keys.backup file using the below command:

cat .ssh/authorized_keys.backup

Next edit the authorized_keys file using the below command:

nano .ssh/authorized_keys

Then paste the copied key in a new line. Ensure that the key appears in a single line and then close the authorized_keys file.

Check that you can connect to the target server using automatic SSH authentication (SSH Agent or Public key)

Configuring IIS

2016-04-22T19:41:50Z

Steve: /* Solving error during file upload: "Page cannot be displayed" HTTP Error 405 in windows 2003 */

After you have installed all the NEOSYS program files you need to configure IIS so that you can operate NEOSYS. Instructions are below.

== Configuring IIS for windows 2003 ==

=== Creating a new website in IIS ===

First step is to stop the default website in IIS. Right click on Default Web Site and select "Stop".

'''Client Server:''' Create a website called neosys linked to D:\neosys\neosys.net:

'''WIN3 Server:''' Create a website called "clientname" linked to D:\hosts\clientfolder\neosys.net

[[image:figure1.jpg]]

[[image:figure3.jpg]]

A new window will pop up "IP Address and Port Setting" after completion of the above step.

'''Client Server:''' Select *(All Unassigned)* from the drop down list of "Enter the IP address to use for the Web site" and keep the default port as 80.

'''WIN3 Server:''' Select the static Ip from the drop down list of "Enter the IP address to use for the Web site" and enter then next port available and click on next.

[[image:Figure_2.jpg‎]]

'''Client Server:''' Within the above neosys web site folder create a virtual directory called data linked to D:\neosys\data:

'''WIN3 Server:''' Within the above clientwebsite folder create a virtual directory called data linked to D:\hosts\clientfolder\data:

'''(I haven’t got the screenshot because I can only get it once I create the above)'''

=== To allow file uploads ===

==== Create IMAGES directory ====

'''Client server:''' create a folder IMAGES under D:\neosys and within the neosys web site folder create a virtual directory called images linked to D:\neosys\images: Modes: READ and WRITE

'''WIN3 Server:''' create a folder IMAGES under D:\hosts\clientfolder and within the client web site folder create a virtual directory called images linked to D:\hosts\clientfolder\images: Modes: READ and WRITE

'''(I haven’t got the screenshot because I can only get it once I create the above)'''

==== Permit upload.dll ====

# Right click on dll ( Default Web Site, neosys, NEOSYS, dll)
# Under Permissions set Execute Permissions: Scripts and Executables

# Internet Information Services (IIS) Manager
# Web Service Extensions
# All Unknown ISAPI Extensions: Allowed

===[[Backing_up_and_Restoring_IIS_configuration#Set_IIS_automatic_backup_location_to_d:| Set IIS automatic backup location to D:]] ===

== Configuring IIS for Windows 2008 ==

=== Installing IIS ===

First install IIS from Control Panel > Programs & Features > Turn Windows Features ON or OFF > Add Roles:

[[image:iis1.jpg]]

On the window that pops up click on next and you will get this screen, tick Web Server (IIS) - on the prompt click on Add Required Resources and then on Next:

[[image:iis2.jpg]]

On the next window, click on next until you get this window - tick ASP and ISAPI Extensions:

[[image:iis3.jpg]]

Click on Next and Finish

=== Configuring IIS ===
====Create a new Website====
After successfully installing IIS, go to Control Panel > Administrative Tools > Computer Management > Services and Applications > Internet Information Services (IIS) > Machine Name > Sites > Default Website.

'''Client Server:''' Stop the Default Website and then right click on Sites folder and click on Add Website called '''neosys''' linked to {{Client server Installation Location}}neosys.net as shown in the screenshot below

'''WIN3:''' Right click on Sites folder and click on Add Website. Create a website called "clientname" linked to {{NEOSYS server Installation Location}}neosys.net;
Since win3 is not connected to any LAN and exclusively serves https only, therefore setup a https binding only with a port number which is unique, unused and one greater than the previous port used in the series which is 4431 onwards. The highest port number used in this series can be found by checking IIS manager -> NEOSYS ->Sites.

Refer to [[Setting_up_HTTPS#Creating_multiple_HTTPS_web_sites_on_NEOSYS_hosted_server| setting up the https for a site on NEOSYS hosted server]] for details.

[[image:iis4.jpg]]

====Link Data Folder====

'''Client Server:''' Within the neosys website folder create a virtual directory called '''data''' linked to {{Client server Installation Location}}data

'''WIN3:''' Within the "clientname" website folder create a virtual directory called '''data''' linked to {{NEOSYS server Installation Location}}data

[[image:iis5.jpg]]

====Allow file uploads====

'''Client Server:''' create a folder '''images''' under D:\neosys and within the neosys web site folder create a virtual directory called '''images''' linked to {{Client server Installation Location}}images

'''WIN3:''' create a folder '''images''' under D:\hosts\clientfolder and within the "clientname" website folder create a virtual directory called '''images''' linked to {{NEOSYS server Installation Location}}images

[[image:iis7.jpg]]

After you add all virtual directories the tree map of the Default Website should look as follows:

[[image:iis8.jpg]]

====Configure file uploads besides adding the images directory====

For single site servers

Go under IIS > Default Website > neosys

Click on Handler Mappings and delete the ISAPI you see there

[[image:iis9a.jpg]]

Thereafter click on Add Script Map and fill in the details as follows –

Request path: *.dll

Executable: {{Client server Installation Location}}neosys.net\NEOSYS\dll\upload.dll

Name: ISAPI

Click on OK and on YES in the confirmation box

[[image:iis9b.jpg]]
[[image:hm.jpg]]

For multiple site servers

Go under IIS>NEOSYS>Click on Handler Mappings > Edit Feature Permissions > Select Read, Script and Execute

For WIN3 the above setting is already setup

===Editing the hosts file===
Edit the hosts file under c:\windows\system32\drivers\etc\ - delete the # sign next to 127.0.0.1 localhost and include the # sign before ::1 localhost

[[image:iis10.jpg]]

===[[Backing_up_and_Restoring_IIS_configuration#Set_IIS_automatic_backup_location_to_d:| Set IIS automatic backup location to D:]] ===

== Solving IIS errors ==

=== Solving error during file upload: "Page cannot be displayed" HTTP Error 405 in windows 2003 ===

This error should not occur in normal NEOSYS installations but the solution is as follows:

# Go to Control Panel, Administrative Tools, Internet Information Services
# Expand the tree to COMPUTERNAME, Web Sites
# Right-click "Default Web Site" (or specific Web Site if multiple NEOSYS http/https installations on the server as per WIN3)
# Properties
# Home Directory
# Configuration
# Mappings, Add
# Browse
# Dynamic Link Libraries *.dll" from the "Files of Type" dropdown
# Find and select D:\NEOSYS\neosys.net\NEOSYS\dll\upload.dll (OR upload.dll in the installation directory)
# Extension Type: dll
# Limit to: All
# Click the "OK" button

=== "HTTP Error 503. The service is unavailable." ===

Look in event log for errors saying various dlls have failed to load eg

The Module DLL C:\Windows\System32\inetsrv\authsspi.dll failed to load. The data is the error.

These errors indicate that IIS is configured to use various modules that have not been installed, possibly due to restoration of IIS configuration backups which mention them but the restore program restores the configuration but does not install the dll. They may not even be required, but how to exclude them is not solved in this article.

Solution is to install the various required modules by right clicking IIS role and choosing Add Role Service

*inetsrv\filter.dll - ISAPI Filters
*validcfg.dll - .NET Extensibility?
*iis_ssi.dll - Server Side Includes
*authsspi.dll - Windows Authentication

=== Solving HTTP Error 404 Error occurring immediately on opening NEOSYS login page on a new server installation: "System Failure. Do you want to retry?" ===

This error message is caused by failing to enable Active Server Pages in the IIS configuration. To resolve this in windows 2008, [[Configuring_IIS#Configure_file_uploads_besides_adding_the_images_directory| ensure that Read, Script, Execute is ticked (enabled) in the feature permissions of these Handler Mappings.]]

This message is from IE8 and a Windows 2003 server. The message may be different for other browser versions.

<pre>
Message from web page.

System Failure. Do you want to retry?

The page cannot be found
The page you are looking for might have been removed, had its name change, or it temporarily unavailable.

Please try the following:
(omitted)
HTTP Error 404 - File or directory not found.
Internet Information Services (IIS)
</pre>

[[image:http404.jpg]]

=== Solving HTTP 404 Webpage cannot be found ===

This error message clearly states that the page cannot be found. Check for the requested page in the client website folder under the virtual directory data. This page will be available under the data folder in D:\neosys\data. A possible cause of this error is by failing to create a virtual directory called data linked to D:\neosys\data:

[[image:http404p.jpg]]
===Solving Error "The specified Executable does not exist on the server"===

While adding Script Map in Handler Mappings in the above step, if you get the below error, this means you have not yet run the Maintenance window/ NEOSYS processes and skipped steps in Installing NEOSYS. File upload.dl_ is installed from NEOSYS.EXE or NEOSYS2.EXE and converted to .dll the first time you run NEOSYS Maintenance/Process. You can also manually rename the file to upload.dll.

[[image:Dll_error.png]]

=== Solving IIS error 500 on uploading for windows 2008===

To test if permissions are the problem, in grant full control to IUSR over the whole client directory e.g d:\neosys or d:\hosts\clientx in security tab of windows explorer and see if you can upload.

Regardless of the result, remove the full control permissions since they are a security risk.

If permissions are the problem then grant specific permissions as follows:

#images folder - read and write permissions (but not execute)
#dll folder - read and execute permission (no write permission)

=== Solving error "Upload folder cannot be created.The system cannot find the drive specified" ===

This error message comes up when the file uploads are configured to a different location in the software than what is set up in IIS.

There is an internal system configuration in line 49 of the DOS SYSTEM.CFG file which mentions the upload folder location (normally blank which means xxxxxx\images\ where xxxxxx is the installation directory e.g d:\neosys)

In installations where the images are uploaded to a place other than the installation directory, the configuration may say something like h:\images\ where h represents the drive where the folder is located e.g on an external USB drive. This may be done in case of client installations where file uploads are configured on USB drives due to a huge number of files getting uploaded.

The IIS and internal system configuration must agree, otherwise users will probably not be able to upload files, or the uploaded files may not be saved in the right place and may be lost, not backed up and/or not viewable.

To fix this issue, you MUST link the '''images''' folder in IIS to xxxxxx\images\ where xxxxxx is the directory of the images folder as shown in the error message.

[[File:Uploaderror.png]]

== Disabling unsecure SSL3 protocol on Windows IIS web server ==

POODLE is an information leakage attack on client browsers while accessing web server that support the older SSL3 protocol. It is easy to prevent it by reconfiguring web servers to not support SSL3.

=== Securing IIS web server on win2003 and 2008 by disabling unsafe SSL3 protocol ===

#For Systems with https installed check if the web server is vulnerable (see [[Configuring_IIS#Testing_for_IIS_vulnerability| Testing for IIS vulnerability]] ). For systems with no https installed,continue to step2 to prevent SSL3 accidentally being enabled if https is installed in the server in future and then test for vulnerability.
# run the following commands on the server
#reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /t REG_DWORD /v Enabled /d 0 /f
#reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" /t REG_DWORD /v Enabled /d 0 /f
#reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128" /t REG_DWORD /v Enabled /d 0 /f
#reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128" /t REG_DWORD /v Enabled /d 0 /f
#reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128" /t REG_DWORD /v Enabled /d 0 /f
#reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128" /t REG_DWORD /v Enabled /d 0 /f
#Reboot the server (at any time later using standard NEOSYS rebooting procedure without disturbing users)
#Perform the diagnostic for vulnerability

=== Testing for IIS vulnerability ===
==== A. Determine host and port and where to test from ====
If you have a public https server that you can access like https://demo.neosys.com:443, in a linux command prompt eg nagios login:

*$HOST for host name like demo.neosys.com
*$PORT with something like 443 or 4430 depending on port forwarding on the public router

or if testing a private https server with no public access, using a cygwin installation on the same server in the cygwin prompt:

*$HOST for host name like 127.0.0.1
*$PORT with something like 443 or 4430 as per IIS manager configuration

If https is enabled on the server/website and you are able to access the website via https using a browser, then you must be able to test for openssl on the same browsed host and port. You must also test this locally to ensure that the right server is being fixed. If the website is not public, then https must not be enabled, which means there is no reason for using cygwin openssl.

==== B. Check you CAN connect to https server using TLS ====

openssl s_client -host $HOST -port $PORT

<pre>
nagios@vm1m:~$ echo|openssl s_client -host demo.neosys.com -port 443
CONNECTED(00000003)
depth=0 CN = demo.neosys.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = demo.neosys.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=demo.neosys.com
i:/CN=demo.neosys.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIB2DCCAUWgAwIBAgIQd0J0l4kJrpJHonAv5U8VLjAJBgUrDgMCHQUAMBoxGDAW
BgNVBAMTD2RlbW8ubmVvc3lzLmNvbTAeFw0wODA3MjcxOTUxMDNaFw0zNTEyMTIx
OTUxMDNaMBoxGDAWBgNVBAMTD2RlbW8ubmVvc3lzLmNvbTCBnzANBgkqhkiG9w0B
AQEFAAOBjQAwgYkCgYEAxzwtoqq49vV7pyBQ6Ej+PvbB1QxkdsxNn5EZSLSOppCb
jNjV8fFa98unPR0pGM0UdjWMUYodj12c2pnIrfrtXv7pYf+iC1corPEY7607Icbs
rSOc5aFwnlUYpktoysV1G1crGYgYgXbXgVOUO9phHXJarpKf6SjVw3uXTLlmPUkC
AwEAAaMnMCUwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDgYDVR0PBAcDBQCwAAAAMAkG
BSsOAwIdBQADgYEAmgyW60pT62JuM8GH+KogHW7viaMsifXitm3BC/GfaORpJCox
aS20fAlzGyAlDe9nZWN4roLSxQv0laJkxyNPDuHvLJt1l0FVdk6/vGB6QH0KqM+S
UaUTLsDZ99UNS/inotobxD9vXuKl58Uoe2lu7r9vJ+1DWDC6AyueSZ6xnno=
-----END CERTIFICATE-----
subject=/CN=demo.neosys.com
issuer=/CN=demo.neosys.com
---
No client certificate CA names sent
---
SSL handshake has read 635 bytes and written 411 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES128-SHA
Session-ID: 8A0A00002D51DE183AC2845C6B3FF4BC7485181B4DCBC1758E3A2D5399BDD71C
Session-ID-ctx:
Master-Key: B10B9370E4DF70E873873AB9851B3CEF19623E6ADA697955E375D931DEE8301D798B4CB14C8D33FCF1BA066C0CC23897
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1413885416
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
DONE
</pre>

==== C. Check that you cannot CANNOT to https server using SSL3 ====

openssl s_client -ssl3 -host $HOST -port $PORT

==== CAN CONNECT = VULNERABLE = NOT OK ====

If you get this then you need to configure the server to prevent SSL3

<pre>
nagios@vm1m:~$ echo xxx|openssl s_client -ssl3 -host demo.neosys.com -port 4430
gethostbyname failure
connect:errno=0
nagios@vm1m:~$ echo xxx|openssl s_client -ssl3 -host demo.neosys.com -port 4430
CONNECTED(00000003)
depth=0 CN = demo.neosys.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = demo.neosys.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=demo.neosys.com
i:/CN=demo.neosys.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIB3jCCAUugAwIBAgIQNj9FMjT1vIxGo2Mv2Ta9vzAJBgUrDgMCHQUAMB0xGzAZ
BgNVBAMTEmFkbGluZWQubmVvc3lzLmNvbTAeFw0wODAzMjUxMTIxMzFaFw0zNTA4
MTAxMTIxMzFaMB0xGzAZBgNVBAMTEmFkbGluZWQubmVvc3lzLmNvbTCBnzANBgkq
hkiG9w0BAQEFAAOBjQAwgYkCgYEArRuijA8jz3qBm2ZZEwITIJLWIMlQmZxcUvOo
HNZL0+3oJuX0AQqtpRZMp/7ob9agngfwJQ36vK+424zcBbmKxA2MweKZRalN2jz+
rdr1oeZ6/Ff3r8+rCPFj/B8CfMOQbSv6YcR0kVc+8ugybB7qT6Nq5ZWOAczG3Ikt
4EnOlqUCAwEAAaMnMCUwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDgYDVR0PBAcDBQCw
AAAAMAkGBSsOAwIdBQADgYEAHIq5Gn2LiMgXFaUYrFEfHeajD4jAwdFw+zrjcBDZ
qM9LnhndHhdPogow9m9cCv1n57ne9rZL1v7w7Y6C53359hTUVZFqtHFfzcWnNyKD
uHD9a8QDk6/dSwBr/SWIE6OdFUYAj/kDXRQNB5H459spRVa3Yws8vpwrWZhoklxq
CQg=
-----END CERTIFICATE-----
subject=/CN=demo.neosys.com
issuer=/CN=demo.neosys.com
---
No client certificate CA names sent
---
SSL handshake has read 649 bytes and written 342 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : RC4-MD5
Session-ID: 441A0000EBC1D634B2CDB12924F9B980D2A4CF8C4DD6D3FB9728D3C74F62A8FE
Session-ID-ctx:
Master-Key: 38F040BE3E7098857B7CB9FF3B44937786F8F8C002B0042370B29F20EFB582833F9E24CFC8E6560AFD06751DC93412D3
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1413885545
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
DONE
</pre>

==== CANNOT CONNECT = NOT VULNERABLE = OK ====

<pre>
nagios@vm1m:~$ echo|openssl s_client -ssl3 -host demo.neosys.com -port 443
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1413885702
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
</pre>

=== Enabling Internet Explorer 6 to access secured https web servers ===

To use Internet explorer 6 (on win2003 and XP-before-SP3) to access secured http web sites you need to enable IE6 to use TLS 1.0. Internet Explorer 6 is present in Windows Server 2003 and Windows XP-pre-SP3.

You can also disable SSL 2.0 and SSL 3.0 for additional safety. This good for later versions of Internet Explorer too.

[[File:IE_options.jpg]]

== Generating IIS certificates for https using openssl ==

This covers the two main type of certificates:

#"proper" certificates (accepted by all browsers without complaint) - issued by bona fide certification authority only on proof of control of a domain name - usually for a small fee
#"self signed" certificates (not accepted by all browsers without error messages without special configuration) - easily
issued by anybody without the slightest restriction

NEOSYS' proper https certificate for *.hosts.neosys.com, valid approx Jan-Dec 2016, issued by Comodo, was purchased from namecheap.com for a small fraction of the price of purchasing from Comodo or one of the other main certification authorities.

There is no technical requirement to renew certificates with the same issuing authority, nor is their any restriction whatsoever from having multiple concurrent overlapping certificates, in any combination, for the the same domain name or subsets of a domain name. For a certificate to be "proper" it merely has to be issued by (not necessarily purchased from) one of the certificate authorities registered in all the main browsers using by NEOSYS clients. Unlike DNS domain name registrars, of which you can only have one at any one time, and which take to change, certificates are simply installed in particular servers without reference to each other, nor to any imaginary central internet registry, as IS the case for the DNS domain name registry.

The sales of certificates is a bit of scam really because anybody can get a certificate from the main commercial certificate authorities merely by proving control over a domain name - for example, by receiving an email to ADMIN@xxxxx.com. Except for EV certificates such as those issued to banks etc, most https certificates are issued without any check on physical identity or reputation, therefore the cost of issuing https certificates rests merely on the fact that the certification authority has managed to inveigle itself into all the main browsers and have their public key installed along with the browser software. Hoowever, the market seems to be collapsing, with even free certificate authorities appearing although with some minor limitations like short duration of validity of certificates.

Excellent summary of using openssl to manage certificates .. no Alternate Names though
https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs

Excellent summary of selfsigned and properly signed certificate
https://httpd.apache.org/docs/2.4/ssl/ssl_faq.html

==== Commentary on https security ====

With the general move to using https instead of http after the Snowdon revelations, people have begun to better understand how https certificates really work. People are more aware now that most https certificates mean little more than that their communication with the server is a) confidential b) not tampered with c) is truly with the server/domain name apparent and not some other. ALL WITH THE EXCEPTION OF *ANYBODY* WHO IS A CERTIFICATE AUTHORITY REGISTERED IN THE MAIN BROWSERS - WHICH IS MANY - INCLUDING NON-FRIENDLY NATIONAL STATE ACTORS!

It is possible however to be virtually certain of confidentiality and accuracy of your communication using standard browsers, EVEN VERSUS CERTIFICATION AUTHORITIES. If, by inspecting the certificate when you are browsing a particular web site, you can satisfy yourself that it is in fact truly the one in use by the web server, the chances of your communication being secure is virtually 100% The only chance is some failure in fundamental encryption protocols. Such failures would either be public knowledge very quickly, or not used versus you, for fear of it becoming public knowledge, unless you really have something incredibly valuable to hide. In this sense, self-certified certificates are the most secure, since you can obtain them by some other secure channel directly from the web server operator and do not change without your action. Note that in order to ensure that a certificate does not change during your session, to say an unknown valid certificate that breaks your security, your browser must support certificate pinning, in which case the browser will either prevent, or inform you if the certificate for the web site changes, either between or within sessions.

To gain a practical understanding of the issues raised if you trust the certification authorities built in to your browser, consider the fact that many companies require an additional certificate authority to be installed in all corporate browsers (and in some famous cases have installed it covertly), and thereafter all https communications are decrypted in the company firewall/proxy using the corporate certificate, checked for content and reencrypted with the true certificate before being passed on - or vice versa, depending on the direction of flow of information. This, for example means that an employee accessing their bank account would be completely exposed to the corporate gaze. Two factor security would prevent corporate interference in say, instructions to make payments, but all information would be exposed and probably logged in possibly long term records. The same would apply to all https web sites accessed by the employee. Courts seem to agree that corporations have every right to do this but the average person is commonly not aware of it. If a person understood how https security works, they could inspect the https certificate to make sure it is the correct (same one issued by their bank apparent at home for example), since it is unlikely that an adversary (or in this case their employer) would control their actual browser software, but security is an arms race and once everybody knows how to defend themselves, adversaries and security operators will simply move to the next level. The next level may be preventing users from using their own browsers. This is already the case in most secure environment, but not all, and BYOD attitudes may prevail in the long run. Whatever the issues are in this case, the same general principle apply in other situations involving security.

=== Generating a self signed certificate in pfx form for IIS ===

Generating certificates and keys https://httpd.apache.org/docs/2.4/ssl/ssl_faq.html

Generating a pfx using openssl https://langui.sh/2009/01/24/generating-a-pkcs12-pfx-via-openssl/

==== Generate standard cert and key pair ====

First generate a matching pair of certificate and key files (x509 and rsa format respectively)

Example for *.mydomain and validity 9999 days from now

signer=self
mydomain=neosys.com
mydomains=*.neosys.com
expirydays=9999
keyno=`date`
certno=$keyno
#
certfilename=$mydomain-$signer-$certno.cer
keyfilename=$mydomain-$keyno.key
#"-nodes" means -no-DES ie no encryption ie generate a key file without encrypting it and therefore without requiring a password on it
openssl req -new -x509 -nodes -days $expirydays -out "$certfilename" -keyout "$keyfilename" \
-subj "/C=AE/ST=DUBAI/O=NEOSYS/CN=*.neosys.com" \
-reqexts SAN -config <(cat /etc/ssl/openssl.cnf \
<(printf "[SAN]\nsubjectAltName=DNS:*.hosts.neosys.com,DNS:*.support.neosys.com")) \

Consider adding subject and subject alternative names

openssl x509 -req -new -sha256 \
-newkey rsa:2048 \
-keyout neosys.com-102.key \
-subj "/C=AE/ST=DUBAI/O=NEOSYS/CN=*.neosys.com" \
-reqexts SAN -config <(cat /etc/ssl/openssl.cnf \
<(printf "[SAN]\nsubjectAltName=DNS:*.hosts.neosys.com,DNS:*.support.neosys.com")) \
-out neosys.com-102.crt \
-nodes \
-days 9999

Example session:

Country Name (2 letter code) [AU]:AE
State or Province Name (full name) [Some-State]:DUBAI
Locality Name (eg, city) []:DUBAI
Organization Name (eg, company) [Internet Widgits Pty Ltd]:NEOSYS
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:*.neosys.com
Email Address []:it@neosys.com

=== Generating a properly signed certificate ===

http://wiki.gandi.net/en/ssl/csr#sha-2_certificate_request

==== Generate key and CSR file ====

A certificate signing request file (.csr) for *.hosts.neosys.com (wildcard certificate)

if you are renewing (and want to reuse an existing secret server key file mydomain.key, although not clear on the benefit ATM)

openssl req -new -nodes -sha256 -key mydomain.key -subj "/C=AE/ST=DUBAI/O=NEOSYS/CN=*.hosts.neosys.com" -out mydomain.csr

or if you want to generate a new secret server key file

openssl req -new -nodes -sha256 -newkey rsa:2048 -keyout mydomain.key -subj "/C=AE/ST=DUBAI/O=NEOSYS/CN=*.hosts.neosys.com" -out mydomain.csr

or if you want to request SAN subdomain wildcards (unlikely to be granted by main cert authorities but perfectly legal and can be self certified)

openssl req -new -nodes -sha256 -newkey rsa:2048 -keyout mydomain.key -subj "/C=AE/ST=DUBAI/O=NEOSYS/CN=*.neosys.com" -out mydomain.csr \
-reqexts SAN -config <(cat /etc/ssl/openssl.cnf \
<(printf "[SAN]\nsubjectAltName=DNS:neosys.com,DNS:*.neosys.com,DNS:*.support.neosys.com,DNS:*.hosts.neosys.com"))

View the csr and verify correct (check that SAN additional domains are listed if you requested them above)

openssl req -in mydomain.csr -noout -text

==== Either send to CA and get crt/cer file back ====

Send the csr file to the certifying authority and put their response in a mydomain.crt file

Make sure you inform them that the type of software you used to generate the csr is "mod Apache/ModSSL"

mydomain.csr -> mydomain.cer

==== Or self sign to test all ok ====

nano ssl.conf

[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = AE
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Dubai
localityName = Locality Name (eg, city)
localityName_default = Dubai
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = IT
commonName = *.neosys.com
commonName_max = 64
#
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
#keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
#
[alt_names]
DNS.1 = neosys.com
DNS.2 = *.neosys.com
DNS.3 = *.hosts.neosys.com
DNS.4 = *.support.neosys.com

openssl x509 -signkey mydomain.key -in mydomain.csr -req -days 9999 -extensions v3_req -extfile ssl.conf -out mydomain.crt

view the cert and check extensions (additional domain names) are present if required

openssl x509 -in mydomain.crt -text -noout

==== Merge private key and signed public cert into password protected pfx file ====

Convert the pair of standard files into a single pfx file that IIS can import

friendlyname="COMODO SIGNED hosts.neosys.com *.hosts.neosys.com"
openssl pkcs12 -export -in mydomain.crt -inkey mydomain.key -name "$friendlyname" -out mydomain.pfx

It will ask for a password .. the usual NEOSYS one is 1f... which will be required when you import the pfx file into IIS before binding to web sites

Example session:

Enter Export Password:
Verifying - Enter Export Password:

Check the pfx file

openssl pkcs12 -in mydomain.pfx

openssl pkcs12 -in mydomain.pfx | openssl x509 -noout -text

==== Copy the pfx file to the IIS server and import/bind in the usual way ====

Copy it to the https server

mysshport="-P 19510"
mysshtarget="administrator@win3.neosys.com:/cygdrive/d/hosts/CERTIFICATES"
scp $mysshport mydomain.pfx $mysshtarget

==== Friendly name in pfx file ====

On the IIS server after importing, if you have multiple certificates for the same domain name you might like to add a "friendly name" to distinguish them in the dropdown when binding certificates to web sites.

You might also want to add the friendly name to the pfx file if you intend to import it again or elsewhere using certificate export to pfx with options Include All and Export All

https://rickardrobin.wordpress.com/2012/12/05/specifying-a-friendly-name-to-a-certificate/

=== Understanding SSL certificates ===

==== What are RSA Private Keys, CSRs and Certificates? ====

YOUR RSA PRIVATE KEY FILE

is a digital file created by you and never ever shared with others. It is USED ONLY BY YOU (never by others) to either:

*to DECRYPT secret, encrypted, messages received by you from others
*to SIGN messages before sending them to others providing them certainty that the message came from you without being tampered with and that you cannot deny signing them.

YOUR RSA PUBLIC KEY FILE

is a digital file created by you and freely shared with others. It is USED BY OTHERS (never by you) to either:

*ENCRYPT messages before sending them to you
*VERIFY that signed messages were in fact signed by you and not tampered with and you cannot deny signing them.

OTHER PERSON'S RSA PUBLIC KEY FILE

is a digital file created by the other person and freely shared with you and others. It is USED BY YOU OR ANYBODY (never by the other person) to either:

*ENCRYPT messages to achieve secrecy before sending them to the other person.
*VERIFY that signed messages received were in fact signed by the other person and that they cannot deny signing them nor claim they have been tampered with.

To obtain someone's public key, you need a trusted channel, ie a signed channel, but not a secret or encrypted channel since the information is public and not confidential.

Using your private key and someones public key together:

*If you want to send a signed secret message to someone and allow them to be sure it came unmodified from you, you first sign the message using YOUR PRIVATE KEY, then encrypt the message using THEIR PUBLIC KEY
*If you want to receive a secret message and verify that it came unmodified from someone in particular, you first you decrypt the message using YOUR PRIVATE KEY, then verify the message using THEIR PUBLIC KEY

Signing and Verification = Encryption and Decryption Mathematical Process with keys reversed

Actually, the process of "signing" is doing the same mathematical process as encryption, but since you use the recipients public key, the resultant "encrypted" messege is not secret because it can be "decrypted" using a public key which are freely available.

Likewise, the process of "verification" on a received message is doing the same mathematical process as decryption, but since you are using the senders public key, and anybody could "decrypt" the message, it was not really encrypted in the sense of being secret.

So we have two processes, one called Encryption/Signing but is exactly the same mathematical process with two names depending on whether we use a public or private key, and another process called Decryption/Verification which uses the opposite key.

What YOU use for what:

*YOUR (PRIVATE) KEY = USED BY YOU for decryption and signing
*THEIR (PUBLIC) KEY = USED BY YOU for encryption and verification

*YOUR (PUBLIC) KEY = NEVER USED BY YOU - since anybody else could do the same thing so no trust or secrecy could be obtained
*THEIR (PRIVATE) KEY = NEVER USED BY YOU - since you dont have it!

What to use:

*ENCRYPT OUTGOING = Use THEIR (public) key
*VERIFY INCOMING = Use THEIR (public) key

*DECRYPT INCOMING = Use YOUR (private) key
*SIGN OUTGOING = Use YOUR (private) key

So the slightly strange thing is that you dont encrypt messages with your private key as might be assumed naturally. You encrypt using the target recipient's public key. This is perfectly logical if you understand the concept asymmetric cryptography.

One thing to note is that, while it is obvious that other people never use your private key, since they dont have it, it is not obvious, but perfectly true, that you never use your public key. NOBODY EVER USES THEIR OWN PUBLIC KEY ... THEY ONLY GIVE IT TO OTHERS TO USE.

CERTIFICATE

It has a public component which you distribute (via your Certificate file) which allows people to encrypt those messages to you. It can also be used by you to sign messages that can be verified as having come from you by anyone who receives the signed message, using your public key.

CSR FILE

A Certificate Signing Request (CSR) is a digital file which contains your public key and your details eg name/domain name etc. You send the CSR to a Certifying Authority (CA), who will create a real Certificate containing your detail eg your domain name and your public key, signed by them using their private RSA private key.

CERTIFICATE

A Certificate contains your RSA public key, your name, the name of the CA, and is digitally signed by the CA. Browsers that know the CA can verify the signature on that Certificate, thereby obtaining your RSA public key. That enables them to send messages which only you can decrypt.

==== What is Asymmetric cryptography? ====

Asymmetric cryptography allows you to freely publish an encryption key that can be used by anyone to send you encrypted messages. Such messages can only be decrypted by you using a decryption key which you always keep secret.

It also allows you to publish messages that can be verified by anyone as coming from you without any modification by others.

So we have a pair of keys that if either one is used for encryption, then the other one is required for decryption. In that sense, we should not refer to the private key as the encryption key and the public key a

To start encrypting or signing, you need a matched pair of keys and you need to forever keep one of them secret.

.key a file that contains a random collection of characters that can be used to encrypt

.cer a file that contains a random collection of characters that can be given out publically and used by anybody to encrypt something to be sent to you

A certificate is some information that has been processed by a private and secret key.

pfx contains a private key and public certificate which contains your public key embedded. Usually pfx files are encrypted and you have to enter a password before using them, ie importing them.

==[[Backing up and Restoring IIS configuration]]==

Backing up and Restoring IIS configuration

2016-04-22T15:13:41Z

Steve: /* other IIS APPCMD config commands */

Backing up and Restoring IIS configuration

2016-04-22T15:13:24Z

Steve: /* Restoring IIS backups */

Backing up and Restoring IIS configuration

2016-04-22T15:12:49Z

Steve: /* Backing up and Restoring IIS configuration */

Backing up and Restoring IIS configuration

2016-04-22T15:11:49Z

Steve: /* Set IIS automatic backup location to d: */

NEOSYS DDNS Service

2016-02-05T09:59:04Z

Steve: /* Troubleshooting NEOSYS DDNS Service */

== Using NEOSYS DDNS service ==

The NEOSYS monitoring server at monitor.neosys.com will update NEOSYS
DNS server currently zonedit.com if it is requested to do so by NEOSYS
installations. NEOSYS installations do that automatically when updating
Nagios and can also have a Windows service configured to do it at all times.

Normally this would only be used at NEOSYS installations that have a
dynamic ip number ie do not have a static ip number.

This is not required generally at client installations with static ip
numbers or NEOSYS win3/win4 installations but it MAY be used in that
situation too to provide for automatic change of static DNS for example
to cater for:

*migration from old server to new server
*moving to backup servers
*moving back to live servers
*moving between client's own server and NEOSYS hosts on win3/win4.

Care will be needed to ensure that the DDNS service is not running
simultaneously on the both old and new servers.

=== Using Windows service neosysddns ===

This will work even when NEOSYS processes are not running. This is
useful when NEOSYS processes are stopped overnight and when the server
is rebooted, for example for Windows Updates, and NEOSYS processes are
not configured to run automatically after rebooting

==== Starting Windows service on the client server ====

In NEOSYS maintenance mode

STARTDDNS

==== Stopping the Windows service on the client server ====

In NEOSYS maintenance mode

STOPDDNS

or you can stop and/or disable the windows service manually

This will NOT stop Nagios based DDNS which has to be done separately. See section below.

=== Nagios based DDNS ===

NAGIOS can update NEOSYS ddns entries (currently on zoneedit) automatically as by product of the processing of NAGIOS server updates from NEOSYS processes running on the client server. This is done independently and in parallel to the NEOSYSDDNS service which runs on NEOSYS servers.

=== Automatic Nagios based DDNS ===

This will occur if a special file exists on the NAGIOS server. This file is automatically created when STARTDDNS has been run on the NEOSYS server, or can be created manually.

Therefore, if you are running NEOSYSDDNS service on the NEOSYS server, DDNS will be ALSO be done in parallel by Nagios. This is useful as a backup for example in the case where the NEOSYSDDNS service has to be stopped on the NEOSYS server eg while Cygwin updates are being processed.

To see what hosts are subject to automatic Nagios based DDNS.

ll /var/lib/neosysddns

=== Manually starting Nagios based DDNS ===

If you need to switch on DDNS service for some reason but cannot get to the NEOSYS server to do so, then you can request Nagios to perform DDNS by creating a special file in the NAGIOS server as follows:

touch /var/lib/neosysddns/xxxxxxxx.client
chmod a+rw /var/lib/neosysddns/xxxxxxxx.client

=== Stopping Nagios based DDNS ===

If you need to stop DDNS being done by NAGIOS after either automatically or manually starting it as above, you must remove a special file in the NAGIOS server as follows. Note that running STOPDDNS in the NEOSYS server does NOT remove the special file on NAGIOS server, so just running STOPDDNS in the NEOSYS server will NOT stop the parallel NAGIOS server updating DDNS. Therefore if you wish complete cessation of DDNS service for a hostname you will have to do this step AS WELL.

rm /var/lib/neosysddns/xxxxxxxx.client

== Troubleshooting NEOSYS DDNS Service ==

On nagios/monitor server to see recent ddns updates for a hostname "XXXX" whatever is entered as System ID in System configuration file.

grep DDNS /var/log/syslog|grep XXXX

or older updates

grep DDNS /var/log/syslog-*|grep XXXX

or to watch new ddns updates as they come in

tail -f /var/log/syslog | grep DDNS

or to watch new ddns updates as they come in for xxxxxxxx

tail -f /var/log/syslog | grep DDNS | grep xxxxxxxx

Lines containing ddns.py are the result of NEOSYS Windows service.

Lines containing apache2 are the result of nagios updates. e.g as shown below:

Jan 28 00:03:04 monitor apache2: DDNS IP_NO ums <SUCCESS CODE="200" TEXT="XXXX.hosts.neosys.com updated to 82.178.63.35" ZONE="XXXX.hosts.neosys.com">
Jan 28 01:54:26 monitor ddns.py: DDNS IP_NO 4481 "ddns XXXX" No. 11327 was 82.178.63.35 <SUCCESS CODE="200" TEXT="XXXX.hosts.neosys.com updated to 85.154.7.138" ZONE="XXXX.hosts.neosys.com">

Working/Status Files

ll /var/lib/neosysddns/

Hosts that have been seen by Nagios but were ignored because the xxxxxxxx.client file was not present in /var/lib/neosysddns

ll /var/lib/neosysddns/ignored

NEOSYS DDNS Service

2016-02-05T09:55:09Z

Steve: /* Stopping the Windows service on the client server */

== Using NEOSYS DDNS service ==

The NEOSYS monitoring server at monitor.neosys.com will update NEOSYS
DNS server currently zonedit.com if it is requested to do so by NEOSYS
installations. NEOSYS installations do that automatically when updating
Nagios and can also have a Windows service configured to do it at all times.

Normally this would only be used at NEOSYS installations that have a
dynamic ip number ie do not have a static ip number.

This is not required generally at client installations with static ip
numbers or NEOSYS win3/win4 installations but it MAY be used in that
situation too to provide for automatic change of static DNS for example
to cater for:

*migration from old server to new server
*moving to backup servers
*moving back to live servers
*moving between client's own server and NEOSYS hosts on win3/win4.

Care will be needed to ensure that the DDNS service is not running
simultaneously on the both old and new servers.

=== Using Windows service neosysddns ===

This will work even when NEOSYS processes are not running. This is
useful when NEOSYS processes are stopped overnight and when the server
is rebooted, for example for Windows Updates, and NEOSYS processes are
not configured to run automatically after rebooting

==== Starting Windows service on the client server ====

In NEOSYS maintenance mode

STARTDDNS

==== Stopping the Windows service on the client server ====

In NEOSYS maintenance mode

STOPDDNS

or you can stop and/or disable the windows service manually

This will NOT stop Nagios based DDNS which has to be done separately. See section below.

=== Nagios based DDNS ===

NAGIOS can update NEOSYS ddns entries (currently on zoneedit) automatically as by product of the processing of NAGIOS server updates from NEOSYS processes running on the client server. This is done independently and in parallel to the NEOSYSDDNS service which runs on NEOSYS servers.

=== Automatic Nagios based DDNS ===

This will occur if a special file exists on the NAGIOS server. This file is automatically created when STARTDDNS has been run on the NEOSYS server, or can be created manually.

Therefore, if you are running NEOSYSDDNS service on the NEOSYS server, DDNS will be ALSO be done in parallel by Nagios. This is useful as a backup for example in the case where the NEOSYSDDNS service has to be stopped on the NEOSYS server eg while Cygwin updates are being processed.

To see what hosts are subject to automatic Nagios based DDNS.

ll /var/lib/neosysddns

=== Manually starting Nagios based DDNS ===

If you need to switch on DDNS service for some reason but cannot get to the NEOSYS server to do so, then you can request Nagios to perform DDNS by creating a special file in the NAGIOS server as follows:

touch /var/lib/neosysddns/xxxxxxxx.client
chmod a+rw /var/lib/neosysddns/xxxxxxxx.client

=== Stopping Nagios based DDNS ===

If you need to stop DDNS being done by NAGIOS after either automatically or manually starting it as above, you must remove a special file in the NAGIOS server as follows. Note that running STOPDDNS in the NEOSYS server does NOT remove the special file on NAGIOS server, so just running STOPDDNS in the NEOSYS server will NOT stop the parallel NAGIOS server updating DDNS. Therefore if you wish complete cessation of DDNS service for a hostname you will have to do this step AS WELL.

rm /var/lib/neosysddns/xxxxxxxx.client

== Troubleshooting NEOSYS DDNS Service ==

On nagios/monitor server to see recent ddns updates for a hostname "XXXX" whatever is entered as System ID in System configuration file.

grep DDNS /var/log/syslog|grep XXXX

or older updates

grep DDNS /var/log/syslog-*|grep XXXX

or to watch new ddns updates as they come in

tail -f /var/log/syslog | grep DDNS

or to watch new ddns updates as they come in for xxxxxxxx

tail -f /var/log/syslog | grep DDNS | grep xxxxxxxx

Lines containing ddns.py are the result of NEOSYS Windows service. Lines containing apache2 are the result of nagios updates. e.g as shown below:

Jan 28 00:03:04 monitor apache2: DDNS IP_NO ums <SUCCESS CODE="200" TEXT="XXXX.hosts.neosys.com updated to 82.178.63.35" ZONE="XXXX.hosts.neosys.com">
Jan 28 01:54:26 monitor ddns.py: DDNS IP_NO 4481 "ddns XXXX" No. 11327 was 82.178.63.35 <SUCCESS CODE="200" TEXT="XXXX.hosts.neosys.com updated to 85.154.7.138" ZONE="XXXX.hosts.neosys.com">

Working/Status Files

ll /var/lib/neosysddns/

NEOSYS DDNS Service

2016-02-05T09:53:25Z

Steve: /* Nagios based DDNS */

== Using NEOSYS DDNS service ==

The NEOSYS monitoring server at monitor.neosys.com will update NEOSYS
DNS server currently zonedit.com if it is requested to do so by NEOSYS
installations. NEOSYS installations do that automatically when updating
Nagios and can also have a Windows service configured to do it at all times.

Normally this would only be used at NEOSYS installations that have a
dynamic ip number ie do not have a static ip number.

This is not required generally at client installations with static ip
numbers or NEOSYS win3/win4 installations but it MAY be used in that
situation too to provide for automatic change of static DNS for example
to cater for:

*migration from old server to new server
*moving to backup servers
*moving back to live servers
*moving between client's own server and NEOSYS hosts on win3/win4.

Care will be needed to ensure that the DDNS service is not running
simultaneously on the both old and new servers.

=== Using Windows service neosysddns ===

This will work even when NEOSYS processes are not running. This is
useful when NEOSYS processes are stopped overnight and when the server
is rebooted, for example for Windows Updates, and NEOSYS processes are
not configured to run automatically after rebooting

==== Starting Windows service on the client server ====

In NEOSYS maintenance mode

STARTDDNS

==== Stopping the Windows service on the client server ====

In NEOSYS maintenance mode

STOPDDNS

or you can stop and/or disable the windows service manually

=== Nagios based DDNS ===

NAGIOS can update NEOSYS ddns entries (currently on zoneedit) automatically as by product of the processing of NAGIOS server updates from NEOSYS processes running on the client server. This is done independently and in parallel to the NEOSYSDDNS service which runs on NEOSYS servers.

=== Automatic Nagios based DDNS ===

This will occur if a special file exists on the NAGIOS server. This file is automatically created when STARTDDNS has been run on the NEOSYS server, or can be created manually.

Therefore, if you are running NEOSYSDDNS service on the NEOSYS server, DDNS will be ALSO be done in parallel by Nagios. This is useful as a backup for example in the case where the NEOSYSDDNS service has to be stopped on the NEOSYS server eg while Cygwin updates are being processed.

To see what hosts are subject to automatic Nagios based DDNS.

ll /var/lib/neosysddns

=== Manually starting Nagios based DDNS ===

If you need to switch on DDNS service for some reason but cannot get to the NEOSYS server to do so, then you can request Nagios to perform DDNS by creating a special file in the NAGIOS server as follows:

touch /var/lib/neosysddns/xxxxxxxx.client
chmod a+rw /var/lib/neosysddns/xxxxxxxx.client

=== Stopping Nagios based DDNS ===

If you need to stop DDNS being done by NAGIOS after either automatically or manually starting it as above, you must remove a special file in the NAGIOS server as follows. Note that running STOPDDNS in the NEOSYS server does NOT remove the special file on NAGIOS server, so just running STOPDDNS in the NEOSYS server will NOT stop the parallel NAGIOS server updating DDNS. Therefore if you wish complete cessation of DDNS service for a hostname you will have to do this step AS WELL.

rm /var/lib/neosysddns/xxxxxxxx.client

== Troubleshooting NEOSYS DDNS Service ==

On nagios/monitor server to see recent ddns updates for a hostname "XXXX" whatever is entered as System ID in System configuration file.

grep DDNS /var/log/syslog|grep XXXX

or older updates

grep DDNS /var/log/syslog-*|grep XXXX

or to watch new ddns updates as they come in

tail -f /var/log/syslog | grep DDNS

or to watch new ddns updates as they come in for xxxxxxxx

tail -f /var/log/syslog | grep DDNS | grep xxxxxxxx

Lines containing ddns.py are the result of NEOSYS Windows service. Lines containing apache2 are the result of nagios updates. e.g as shown below:

Jan 28 00:03:04 monitor apache2: DDNS IP_NO ums <SUCCESS CODE="200" TEXT="XXXX.hosts.neosys.com updated to 82.178.63.35" ZONE="XXXX.hosts.neosys.com">
Jan 28 01:54:26 monitor ddns.py: DDNS IP_NO 4481 "ddns XXXX" No. 11327 was 82.178.63.35 <SUCCESS CODE="200" TEXT="XXXX.hosts.neosys.com updated to 85.154.7.138" ZONE="XXXX.hosts.neosys.com">

Working/Status Files

ll /var/lib/neosysddns/

NEOSYS DDNS Service

2016-01-31T21:46:16Z

Steve: /* Troubleshooting NEOSYS DDNS Service */

NEOSYS DDNS Service

2016-01-31T21:43:56Z

Steve: /* Using NEOSYS DDNS service */

NEOSYS DDNS Service

2016-01-31T10:30:02Z

Steve: /* Troubleshooting NEOSYS DDNS Service */