Seminar on Server, Network and Security for WebSAMS

Contents:

WebSAMS Architecture

Network and Server Configuration

Security and Maintenance

Backup of Data

Routine Jobs

Trouble-shoot Case Studies
Sep 2016

WebSAMS Architecture

WebSAMS Requirements

Accessing WebSAMS by URL
Determined by Domain Name Server (DNS)
Accessing the WebSAMS server from different subnets or networks will use different IP addresses
3 types of WebSAMS users, examples:
  WebSAMS users: websams.schabc.edu.hk => 10.128.30.150
  ITED users: websams.schabc.edu.hk => 10.128.15.150 / 192.168.0.3
  Internet users: websams.schabc.edu.hk => 202.123.219.100

WebSAMS Requirements (cont’d)

The WebSAMS Network is a private and separate network, isolated from the ITED Network
Outside the WebSAMS Network, all users must go through the HTTP Server to access WebSAMS
The HTTP Server can be located within the DMZ, or inside the ITED Network, as shown in the following:

Network Designs in WebSAMS
[Figure: network design diagrams]

Internet Gateway

Separates the Internet and ITED
2 interfaces: one for the real IP and another for the internal IP
Supports NAT (Network Address Translation), i.e. access from the Internet to ITED
It could be:
  Hardware firewall (e.g. SonicWALL, Cisco PIX, Netscreen, CheckPoint, and so on)
  Proxy server with NAT function
  Router with NAT function
  Linux server (2 interface cards, using iptables or ipchains + ipmasqadm)
  Windows server (2 interface cards, Routing and Remote Access)

What is NAT?

Network Address Translation (NAT)
Translates IP addresses from one network to another network
Typically one is inside and one is outside
Port mapping function

DMZ

It is called the “Demilitarized Zone”
A separate area between the Internet and the Local Area Network
The Internet gateway should have at least 3 interfaces to support a DMZ, such as Internet, ITED LAN segment & DMZ
Provides services opened to the public
Aggregates servers, such as FTP server, Web server, and so on, in a restricted area
Helps to minimize the impact on the LAN in case the school network is hacked

HTTP Server

The HTTP server is simply a relay server which forwards all the requests to the WebSAMS server
The HTTP server itself does not store any data

WebSAMS Router

WebSAMS Router (between WebSAMS and ITED)
* Block all unnecessary network traffic
* Only allow specific network services and TCP ports
HTTP Server connects to WebSAMS server
  Using TCP 8009 for production, TCP 7009 for training, TCP 8109 for 1 server 2 SAMS
WebSAMS server can access Internet without passing through proxy
  TCP 80 (HTTP), TCP 443 (HTTPS), TCP/UDP 53 (DNS)
  TCP 25 (SMTP), TCP 110 (POP3)

Network and Server Configuration

WebSAMS LAN segment accesses Internet

Access the Internet directly, not through the Proxy server
Involved equipment:
  WebSAMS router
  Internet Gateway
  ISP

Network Settings on WebSAMS server

Under WebSAMS server:
  DHCP server setup
  DNS server setup

DHCP server setup

Start > Administrative Tools > DHCP

Internal DNS setup

Start > Administrative Tools > DNS

Router Config

Modified default route
Example:
ip route 0.0.0.0 0.0.0.0 10.128.15.253

ACL modification
Example:
access-list 101 permit tcp any 10.128.30.0 0.0.0.255 gt 1023 established
access-list 101 permit udp any 10.128.30.0 0.0.0.255 gt 1023
access-list 101 permit icmp any 10.128.30.0 0.0.0.255 echo-reply
access-list 101 permit icmp any host 10.128.30.150 packet-too-big
access-list 101 permit tcp host 172.16.0.150 host 10.128.30.150 eq 8009
access-list 101 permit tcp host 172.16.0.150 host 10.128.30.150 eq 7009
access-list 101 deny ip any any log
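
Added example (not part of the seminar slides): a first-match evaluator that parses access-list 101 as shown above and reports which line decides a given flow. It assumes the list filters traffic heading into the WebSAMS segment; the Packet type and the sample flows are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# access-list 101 exactly as it appears on the slide.
ACL_101 = """\
access-list 101 permit tcp any 10.128.30.0 0.0.0.255 gt 1023 established
access-list 101 permit udp any 10.128.30.0 0.0.0.255 gt 1023
access-list 101 permit icmp any 10.128.30.0 0.0.0.255 echo-reply
access-list 101 permit icmp any host 10.128.30.150 packet-too-big
access-list 101 permit tcp host 172.16.0.150 host 10.128.30.150 eq 8009
access-list 101 permit tcp host 172.16.0.150 host 10.128.30.150 eq 7009
access-list 101 deny ip any any log
"""

@dataclass
class Rule:
    action: str
    proto: str
    src: tuple                       # (base address, wildcard mask) as integers
    dst: tuple
    port_op: Optional[str] = None    # "gt" or "eq", tested against the destination port
    port: Optional[int] = None
    established: bool = False
    icmp_type: Optional[str] = None

@dataclass
class Packet:                        # hypothetical flow description for this example
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN"} or {"ACK"}
    icmp_type: Optional[str] = None

def _take_addr(tok):                 # pops 'any', 'host A' or 'A WILDCARD' off the tokens
    first = tok.pop(0)
    if first == "any":
        return (0, 0xFFFFFFFF)
    if first == "host":
        return (int(ipaddress.IPv4Address(tok.pop(0))), 0)
    return (int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tok.pop(0))))

def parse_acl(text):
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list":
            continue
        action, proto, tok = tok[2], tok[3], tok[4:]
        rule = Rule(action, proto, _take_addr(tok), _take_addr(tok))
        while tok:
            t = tok.pop(0)
            if t in ("gt", "eq"):
                rule.port_op, rule.port = t, int(tok.pop(0))
            elif t == "established":
                rule.established = True
            elif t != "log":         # "log" changes logging only, not matching
                rule.icmp_type = t   # e.g. echo-reply, packet-too-big
        rules.append(rule)
    return rules

def _addr_match(spec, ip):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF    # wildcard bits set to 1 mean "don't care"
    return (int(ipaddress.IPv4Address(ip)) ^ base) & care == 0

def matches(rule, pkt):
    port_ok = (rule.port_op is None
               or (rule.port_op == "eq" and pkt.dport == rule.port)
               or (rule.port_op == "gt" and pkt.dport is not None and pkt.dport > rule.port))
    return (rule.proto in ("ip", pkt.proto)
            and _addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)
            and port_ok
            and (not rule.established or bool(pkt.flags & {"ACK", "RST"}))  # needs ACK or RST
            and (rule.icmp_type is None or pkt.icmp_type == rule.icmp_type))

def evaluate(rules, pkt):            # first matching line wins: (action, 1-based line number)
    for n, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            return rule.action, n
    return "deny", None              # implicit deny that ends every ACL

RULES = parse_acl(ACL_101)
HTTP, SAMS = "172.16.0.150", "10.128.30.150"   # HTTP server and WebSAMS server per the ACL
FLOWS = {                                       # constructed sample traffic
    "http_to_8009": Packet("tcp", HTTP, SAMS, 8009, frozenset({"SYN"})),
    "ited_pc_to_8009": Packet("tcp", "10.128.15.20", SAMS, 8009, frozenset({"SYN"})),
    "tcp_reply": Packet("tcp", "203.0.113.10", SAMS, 50000, frozenset({"ACK"})),
    "tcp_new_high_port": Packet("tcp", "203.0.113.10", SAMS, 8080, frozenset({"SYN"})),
    "udp_high_port": Packet("udp", "203.0.113.53", SAMS, 40000),
    "icmp_ptb": Packet("icmp", "203.0.113.1", SAMS, icmp_type="packet-too-big"),
    "icmp_echo": Packet("icmp", "203.0.113.1", SAMS, icmp_type="echo"),
}

if __name__ == "__main__":
    print({name: evaluate(RULES, pkt) for name, pkt in FLOWS.items()})
```

Line 2 has no counterpart to `established`, so the evaluator shows it matching any UDP datagram sent to a port above 1023 in the segment. The `log` keyword on line 7 is what makes the denied flows visible on the router.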

Security and Maintenance

Best practices

Best practices on protection and export of data from WebSAMS:
  Proper Access Control
  Data Encryption
  Password Handling

Patch update

Update security patches of Windows Server 2012R2
  Install major Windows patches for Windows Servers only after testing by EDB, as announced via WebSAMS Release Notes / CDR message from time to time
Update virus pattern on Anti-virus program
Update IOS (Cisco) or firmware on WebSAMS Router (consult the hardware vendor)

Data Security

Disconnect any shared folder on the WebSAMS Server
The NAS should be connected to the WebSAMS Server with a cross-over Ethernet cable. Do not connect the NAS device to the WebSAMS network switch.
Exposure of any sensitive export data, such as student & guardian personal info, staff personal info, financial reports, etc., to any public machine is not recommended.
Keep an offline and offsite backup
Keep the original basic network settings in WebSAMS unchanged. E.g.:
  Wrongly connecting the WebSAMS Server to the ITED network switch or firewall directly.
  Wrongly connecting the WebSAMS HTTP Server to the WebSAMS network switch.
  Wrongly connecting the NAS device to the WebSAMS network switch.
  Wrongly connecting the Internet cable from the ISP to the WebSAMS Server.

Resources on IT Security of WebSAMS

IT Security in Schools – Recommended Practice (ITSS):
  Path: EDB Webpage > Education System and Policy > Primary and Secondary School Education > Applicable to Primary and Secondary School > IT in Education > On-going Support
Security Guides for WebSAMS:
  Path: http://cdr.websams.edb.gov.hk > 主頁 (Home) > 參考資料 (Reference Materials) > 保安及處理敏感數據指引 (Guidelines on Security and Handling of Sensitive Data)
WebSAMS Version Upgrade release note:
  Path: http://www.websams.edb.gov.hk > Version Upgrade for 3.0 > Major Upgrade
Security reminders in security alerts from EDB from time to time
Regularly visit the Information Security website of HKSAR for updated information on IT security
  http://www.infosec.gov.hk
Cyber Security Information Portal
  http://www.cybersecurity.hk/tc/index.php
Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT)
  https://www.hkcert.org

Internet Security

Only open WebSAMS to Internet access for a specific period when necessary:
1. Restrict the time for accessing WebSAMS from clients outside the SAMS LAN segment at “Security > Configuration > System Configuration”
2. Set up a specific “Internet Access Time Profile” to further control the access time for particular user clients outside the SAMS LAN segment at “Security > Access Control > Internet Access Time Profile”

WebSAMS Server Security

Windows server policies and security best practices:
1. Local Security Policy
  Start -> Control Panel -> Administrative Tools -> Local Security Policy
  In Account Policies -> Account Lockout Policy, set Account lockout threshold to “3” invalid logon attempts
  Set Account lockout duration and also Reset account lockout counter after to “30 minutes”.
  In Local Policies -> Audit Policy, set Audit object access security setting to “Failure” and also set Audit system events security setting to “Success”
  More policy settings are in Appendix 8 of Installation Guidelines for WebSAMS 3.0
2. User account management
  Start -> Control Panel -> Administrative Tools -> Computer Management -> System Tools -> Local Users and Groups -> Users -> Administrator
  On the General tab of ALL user accounts' properties, uncheck the Password never expires checkbox.
3. Enable Screen Saver Timeout
  Start -> Control Panel -> Display > Change screen saver
4. Enable Windows Firewall
  Start -> Control Panel -> Windows Firewall > Advanced settings
  Inbound Rules > New Rule…
  Rule Type > Port
  Protocol and Ports > TCP > Specific local ports: 80, 443, 8009, 7009, 3268, 7010, 7268 (add 8109 & 9268 for 1 Server 2 WebSAMS only)
  Action > Allow the connection
  Profile > Domain, Private & Public
  Name > WebSAMS > Finish

Root certificate on ITED or Internet client PC

Purpose of installing root certificate:
  SSL is used to keep sensitive information sent across the Internet and the ITED network encrypted so that only the intended recipient can understand it.
  With this root certificate, WebSAMS is confirmed as a trusted website. No more warning messages will be shown when accessing WebSAMS again.
  An SSL SHA2 certificate will be deployed in late 2016, since the current certificate will expire on 1/1/2017

Backup of Data

Backup

** Reminder: Importance of Off-Line Backup
WebSAMS Backup Schedule
  Pre-backup -> Backup -> Post-backup
  From about 00:00 am to 06:00 am
Flow of Scheduled Backup:
  Stop WebSAMS engine
  Backup
  Housekeep WebSAMS application log files
  Start WebSAMS engine

Backup Job Workflow
[Figure: backup job workflow diagram]

Pre-backup

D:\WebSAMS3.0\batch\pre_backup.bat
15 mins
Stop JBoss, database, Apache
Make a copy of WebSAMS data to E:\data\<SUID>\database\sched

Backup Rotation Configuration

After the time of scheduled job – Pre_backup.bat

Post-backup

D:\WebSAMS3.0\batch\post_backup.bat
Housekeep Apache log files
  D:\WebSAMS3.0\Apache\logs\
Housekeep Report temp log files
  E:\data\<SUID>\rpt\temp
Housekeep CDS log (more than 30 days)
  E:\data\CDS\<dest_id>\system\log\
Housekeep WebSAMS server log files (older than 30 days)
  D:\WebSAMS3.0\JBoss-as-7.1.1.Final\standalone\log
Start database, JBoss, Apache

Backup on HTTP Server

Back up the WebSAMS HTTP server (SUSE Linux Enterprise 11) settings to a floppy or a USB drive
  Use the command “fdisk -l” to check the USB device name, e.g. sda1, sda2 or sdb1, etc.
  Use the command “grepconfig” / “grepconfig /dev/{USB device name}”. (For a 1 Server 2 WebSAMS environment, use “grepconfig_1s2s”)
  Run the command when the HTTP server is running in good condition
  Those files can be copied to any Windows storage for backup purposes

Step 1: Log in to the HTTP server as root
Step 2: Type the command “grepconfig /dev/sda1”.
Step 3: Press “Y” in the following screen
Step 4: Press “0” if all information is correct
Step 5: Press “Y” to confirm in the following screen

Routine Jobs

Logs checking

Windows Event Viewer log
  Control Panel > Administrative Tools > Event Viewer
Apache log
  D:\WebSAMS3.0\Apache\logs\
  access.log-<dd-MM-yyyy> (HTTP request log)
  errors.log-<dd-MM-yyyy> (error log)
Virus scanning log
Backup software log
Local backup log
  To check whether the pre-backup tasks have been run successfully (E:\data\<SUID>\Log\DB\backup.log)
JBoss Server Log
  D:\WebSAMS3.0\JBoss-as-7.1.1.Final\standalone\log\server.log
  [Figure: server.log sample with the Severity, Time Stamp and Message fields marked]
WebSAMS Upgrade Logs
  E:\temp\wsup1\<yyyyMMdd.HHmm>\*
  E:\temp\wsup2\<yyyyMMdd.HHmm>\* (for the 2nd instance of 1 Server 2 WebSAMS)
  E:\temp\training\<yyyyMMdd.HHmm>\*
  Files and directories are saved under the <yyyyMMdd.HHmm> folder, and the latest folder should be kept for tracking purposes.
WebSAMS HTTP Linux Server
  Apache log (/var/log/apache2/access_log_80, 443, 7010)
  Error log (/var/log/apache2/error_log_80, 443, 7010)
  System log (/var/log/messages)
  Virus scan log (/var/log/TrendMicro/SProtectLinux/Virus.yyyyMMdd.####)
Linux System Log
  /var/log/messages
  /var/log/
All logs in anti-virus:
  https://websams.school.edu.hk:14943
  Virus Logs, Spyware Logs, Scan Logs & System Logs
  /var/log/TrendMicro/SProtectLinux/
Hardware Firewall Log Screen

Housekeeping

Housekeep the WebSAMS server files
Housekeep the HTTP server files
Housekeep the WebSAMS upgrade backup files
Clear the Java Web Start cache

Housekeep WebSAMS files

WebSAMS Server
  Windows Event log
    Control Panel > Administrative Tools > Event Viewer
  WebSAMS Apache logs
    D:\WebSAMS3.0\Apache\logs\access.log
    D:\WebSAMS3.0\Apache\logs\error.log
  WebSAMS JBoss Cache
    D:\WebSAMS3.0\JBoss-as-7.1.1.Final\standalone\tmp\vfs\*
    D:\WebSAMS3.0\JBoss-as-7.1.1.Final\standalone\tmp\work\*
  Backup software log

Housekeep HTTP files

Linux HTTP server
  Apache log (/var/log/apache2/access_log_80, 443, 7010)
  Error log (/var/log/apache2/error_log_80, 443, 7010)
  System log (/var/log/messages)
  Virus scan log (/var/log/TrendMicro/SProtectLinux/Virus.yyyyMMdd.####)

Housekeep WebSAMS upgrade backup files

E:\temp\wsup1\<yyyyMMdd.HHmm>\*
E:\temp\wsup2\<yyyyMMdd.HHmm>\* (for the 2nd instance of 1 Server 2 WebSAMS)
E:\temp\training\<yyyyMMdd.HHmm>\*
Files and directories are saved under the <yyyyMMdd.HHmm> folder, and the latest folder should be kept for tracking purposes.

Clear Java Web Start cache

Go to Windows Control Panel -> Java -> General tab -> [Setting…] -> [Delete Files…]

Ad-hoc tasks

Ad-hoc database backup
Ad-hoc training database backup
Back up in HTTP server
Manually back up WebSAMS server D: and E: to another computer
Change passwords every 3 months
  OS System administrator
  WebSAMS login accounts “sysadmin” and “asysadmin”
  HTTP root account

WebSAMS (Windows Desktop\WebSAMS)

Ad-hoc database backup
  It will stop the database and JBoss automatically
  It will also start them up after it finishes
  It will back up:
    CDS files
    User upload files
    Database files
    User upload report template files
  E:\data\<SUID>\database\adhoc\
  Check the “Backup Log” to see whether it succeeded or not

WebSAMS Training (Windows Desktop\WebSAMS_T)

Ad-hoc Production Database backup path
  E:\data\<suid>\database\adhoc\
Ad-hoc Training Database backup path
  E:\Data\9999\database\backup_snapshot\

Trouble-shoot Case Studies

General trouble-shoot (Helpdesk issues)

10 general issues frequently received by WebSAMS Helpdesk:
1. ITED / Internet cannot access WebSAMS
2. Unable to connect CDS
3. Unable to back up
4. ITED-access becomes Internet-access
5. WebSAMS-access becomes ITED-access
6. How to setup WebSAMS client PC?
7. How to install WebSAMS root certificate on ITED or Internet client PC?
8. Generate report problem
9. Fonts problem
10. Version upgrade problem

1. ITED / Internet cannot access WebSAMS

Double-check whether WebSAMS has been started
Test whether the WebSAMS segment works or not
Check whether the ITED client PC has a problem resolving the IP
Check using “Internet Explorer” on the ITED client PC
Check whether the ITED client PC uses a proxy in IE
Confirm whether the HTTP server has been started up and the ‘Pass Phrase’ has been entered
DNS problem / DHCP problem
Proxy client
Idle 25 seconds > rcapache2 restart
In the HTTP server, do the test by typing:
  telnet <WebSAMS_server_IP> 8009
[Screenshots: Success Sample, Failure Sample]
If it succeeds, it must be an ITED segment problem
If it fails, it could be:
  HTTP server crash
  HTTP server wrong setting
  WebSAMS router wrong setting (or reset)
  School firewall setting, if the HTTP server is in the DMZ
If it can load the SSL prompt, that means HTTP is running smoothly.
Otherwise, it may be an HTTP setting or router setting problem

ITED can access WebSAMS successfully but Internet cannot. The problem is due to:
  Hosting registration of the WebSAMS domain name on the Internet
  Internet Gateway problem (port mapping)
  HTTP server’s Default Gateway setting is wrong
    It should be set to the Internet Gateway which performs port mapping
    Type “route” in the Linux command line to show the default gateway setting

2. Unable to connect CDS

It may be caused by:
  The network connection of the WebSAMS server was broken for a short period
  Wrong URL of the Primary and Secondary CDS Extensions in WebSAMS at “CDS > Transmission > Schedule Transmission”
  Wrong Internet Gateway setting
  Wrong WebSAMS router setting
In the WebSAMS server, try to connect to the Internet without passing through the proxy
  Go to (www.hsbc.com.hk) then click “logon” to test whether an https URL works or not
  Try to ping: cdsx1.websams.edb.gov.hk and cdsx2.websams.edb.gov.hk
  If it fails, it may be a DNS problem

Nearly 95% of network problems with the message “Unable to connect CDS” could not pass the following testing.
  e.g. Internet Gateway did not allow the WebSAMS server to access the Internet
  e.g. WebSAMS router setting had a wrong ACL or wrong default route
A very special case may happen in which CDS can send but cannot receive messages.
  Under our investigation, it may be caused by the ISP and network setting
  Solution: Implement “packet-too-big” in the router setting

3. Unable to back up

Hardware failure or no free space on the hard disk in the NAS
Besides, over 95% of cases are due to the following 3 reasons:
  1. Backup task is configured wrongly
  2. Backup task takes too much time, which causes post_backup to start earlier than estimated
  3. The administrator password in the system is not synchronized with the one in the backup batch jobs
For case 3 above, we need to:
  Change the password in pre_backup, post_backup
  Change the password in Backup software
  All password settings must be the same as the system administrator password

4. ITED-access becomes Internet-access

Internal DNS setting
Proxy client?
Client PC using proxy in IE?
Trouble-shoot
  Ping the URL in Command Prompt and check what IP is resolved
  It should be the HTTP internal IP
In one very extreme case
  The school places HTTP in DMZ
  The school Internet gateway changes the source IP, i.e. SNAT in Linux

5. WebSAMS-access becomes ITED-access

Make sure the WebSAMS version is 3.0.0.28082015 or above
Internal DNS setting
Proxy client?
Client PC / WebSAMS server using proxy in IE?
Trouble-shoot
  Ping the URL in Command Prompt and check what IP is resolved
  It should be the WebSAMS server IP
  2 Ethernet ports in the WebSAMS server:
    In Command Prompt, enter ‘ipconfig /all’. The first IP address should be the private IP of the WebSAMS server. If the first IP address is the one connecting to the NAS, swap the Ethernet cables and the Internet Protocol (TCP/IP) settings between the WebSAMS interface and the NAS interface.
  4 Ethernet ports in the WebSAMS server:
    Make sure the primary Ethernet port connects to the WebSAMS segment and does not connect to the NAS
    Make sure the primary Ethernet port matches the one in the BIOS setup (Motherboard setup)

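
Added example (not from the seminar material): the “ping the URL and check what IP is resolved” step from cases 4 and 5, combined with the “telnet <WebSAMS_server_IP> 8009” test from case 1. The addresses are the example values from the slides; the function names, and the rule that any private address outside the WebSAMS segment is the HTTP server's internal IP, are assumptions of this example.

```python
import ipaddress
import socket

# Example addressing from the slides (websams.schabc.edu.hk); a school
# substitutes its own WebSAMS LAN segment here.
WEBSAMS_SEGMENT = ipaddress.ip_network("10.128.30.0/24")


def classify_resolved(ip):
    """Map the address a client resolved to the access path it implies."""
    addr = ipaddress.ip_address(ip)
    if addr in WEBSAMS_SEGMENT:
        return "WebSAMS"      # direct to the WebSAMS server
    if addr.is_private:
        return "ITED"         # assumed: internal IP of the HTTP (relay) server
    return "Internet"         # public IP mapped by the Internet gateway


def diagnose(client_location, resolved_ip):
    """Compare where the client sits with the path its DNS answer selects."""
    path = classify_resolved(resolved_ip)
    if path == client_location:
        return "ok"
    if (client_location, path) == ("ITED", "Internet"):
        return "case 4: ITED-access becomes Internet-access"
    if (client_location, path) == ("WebSAMS", "ITED"):
        return "case 5: WebSAMS-access becomes ITED-access"
    return f"mismatch: {client_location} client resolved the {path} address"


def tcp_probe(host, port, timeout=3.0):
    """Same check as 'telnet <host> <port>': True if the TCP connect succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:           # refused, unreachable or timed out
        return False


def check(name, client_location, probe_port=None):
    """Resolve name, diagnose the answer, optionally probe a TCP port on it."""
    ip = socket.gethostbyname(name)
    result = {"ip": ip, "diagnosis": diagnose(client_location, ip)}
    if probe_port is not None:
        result["port_open"] = tcp_probe(ip, probe_port)
    return result


if __name__ == "__main__":
    # Offline walk-through using the example addresses from the slides.
    samples = [("WebSAMS", "10.128.30.150"), ("ITED", "10.128.15.150"),
               ("ITED", "202.123.219.100"), ("WebSAMS", "192.168.0.3")]
    for location, ip in samples:
        print(f"{location:8} {ip:16} -> {diagnose(location, ip)}")
```

On the HTTP server, `tcp_probe("<WebSAMS_server_IP>", 8009)` gives the same answer as the telnet test; on a client PC, `check("websams.schabc.edu.hk", "ITED")` performs the resolution check with the school's own URL substituted.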
6. How to setup WebSAMS client PC?

OS requires Windows Vista or above
Adobe Reader 10.0 or above supports Windows Vista/7/8/10
Enable Hong Kong Supplementary Character Set (HKSCS) in Windows Vista/7/8/10, refer to the 9th question
WebSAMS supports IE versions following IE’s Roadmap, beginning 12th Jan., 2016:
  Windows Vista SP2 + IE 9
  Windows 7 SP1 + IE11
  Windows 8.1 Update + IE11
  Windows 10 + IE11 (Microsoft Edge is not compatible with WebSAMS)
How to find IE11 on Windows 10?
  Start menu > Windows Accessories > Internet Explorer
  Search “IE” > Internet Explorer
SAP Crystal Reports 2013 (full installation)
SAP Sybase SQL Anywhere 16 ODBC Driver (32-bit)
How to get the ODBC Driver?
  Available in the installation CD of SAP Sybase SQL Anywhere 16
  Driver Installation: Databases > SQL Anywhere (32-bit) > SQL Anywhere Client
Configure ODBC Setting:
  For 32-bit Windows: Control Panel > Administrative Tools > Data Sources (ODBC)
Configure ODBC Accounts:
  For 64-bit Windows: Type “ODBC” in the search field of the Windows Start menu > ODBC Data Sources Administrator (32-bit)

7. How to install WebSAMS root certificate on ITED or Internet client PC?

Install WebSAMS Root Certificate on Windows Vista/7/8/10
Verification of root certificate in Internet Explorer
  Tools (Alt+T) > Internet Options > Content tab

8. Generate report problem

Checking Crystal Reports Server

SAP BusinessObjects Central Configuration Manager


Sep 2016
Apache Tomcat for BI 4
Server Intelligence Agent
Seminar on Server, Network and Security for WebSAMS
A - 119
8. Generate report problem ( cont’d )

SAP BusinessObjects Central Management Console (CMC)

http://localhost:8080/BOE/CMC/
or
http://127.0.0.1:8080/BOE/CMC/

Add parameters “ -ipport 1566 -reportdirectory E:\Data”

Other cases:

Check the WebSAMS server computer name

Is it equal to the sub-domain name in the URL?

If the sub-domain name is websams-am.schabc.edu.hk, then the WebSAMS server computer name should be “websams-am”

The report is generated from a customized template

Restart JBoss
Try to generate a built-in template first

If it succeeds,

Customized template problem
If it fails,

Download “Points to Note for Upgrading of WebSAMS 3.0 (Sybase and Crystal Reports)” from “http://cdr.websams.edb.gov.hk > Home (主頁) > Reference Materials for the 2014 WebSAMS Upgrade (2014 提升「網上學校行政及管理系統」參考資料)”

Contact help desk for further investigation

Update any user-customized report in WebSAMS 3.0

Open Data Sources (ODBC)


For 32-bit Windows: Control Panel > Administrative Tools
For 64-bit Windows: Type “ODBC” in the search field of the Windows Start menu > ODBC Data Sources Administrator (32-bit)

Input an ODBC login account on the WebSAMS workstation for connecting to WebSAMS database, such as “genuser”, “fmpuser” or “stfuser”

Verify database in Crystal Reports on WebSAMS workstation

Remove the User ID and leave it blank

Click “OK” several times


Unable to open a customized report template with Crystal Reports 2013.
Open it with Crystal Reports 9

Delete any duplicate parameter field(s) in Field Explorer

Verify the SQL syntax of the user-customized report templates

For details, please refer to http://cdr.websams.edb.gov.hk > Home (主頁) > Reference Materials for the 2014 WebSAMS Upgrade (2014年提升「網上學校行政及管理系統」參考資料) > Points to Note for Upgrading of WebSAMS 3.0 (Sybase and Crystal Reports)

9. Fonts problem
The font in WebSAMS Server is corrupted

Cannot display HKSCS fonts in WebSAMS report (.PDF)

If the size of the “MingLiU.TTC” font file is not 26M:
1. Reboot the WebSAMS Server and press F8 key during startup to enter Windows Safe Mode;
2. Right-click the bottom left Windows Start button and select “Command Prompt (Admin)”;
3. Type the command "takeown /f C:\Windows\Fonts\mingliu.ttc" and press ENTER key;
4. Type the command "icacls C:\Windows\Fonts\mingliu.ttc /grant administrators:F" and press ENTER key;
5. Type the command "ren C:\Windows\Fonts\mingliu.ttc mingliu.bak" and press ENTER key;
6. Type the command "exit" and press ENTER key to close the Command Prompt window;
7. Copy the font file:
    from D:\WebSAMS3.0\batch\utilities
    to C:\Windows\Fonts
8. Reboot the WebSAMS Server to Windows Normal Mode and start WebSAMS services.
Don’t install any Government HKSCS on WebSAMS Server.
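A read-only pre-check for the condition above, as an added example that is not part of the seminar material: it reports the size and owner of the installed font and goes beyond the size test by comparing its SHA-256 hash with the reference copy. It assumes the reference copy in the utilities folder is also named `mingliu.ttc`, which the slides do not state.

```powershell
# Added example: read-only check of the MingLiU font on the WebSAMS server.
# It changes nothing; run it before deciding to follow the replacement steps.
$installed = 'C:\Windows\Fonts\mingliu.ttc'
# Assumption: the reference copy has the same file name as the installed font.
$reference = 'D:\WebSAMS3.0\batch\utilities\mingliu.ttc'

function Get-FontInfo {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return $null
    }
    $item = Get-Item -LiteralPath $Path
    [pscustomobject]@{
        Path   = $Path
        SizeMB = [math]::Round($item.Length / 1MB, 1)
        Sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Owner  = (Get-Acl -LiteralPath $Path).Owner
    }
}

$inst = Get-FontInfo -Path $installed
$ref  = Get-FontInfo -Path $reference

if (-not $ref) {
    Write-Warning "Reference copy not found: $reference"
} elseif (-not $inst) {
    Write-Warning "Installed font is missing: $installed"
} else {
    # Show size and owner side by side; the slides expect a size of about 26M.
    $inst, $ref | Format-Table -Property Path, SizeMB, Owner -AutoSize

    if ($inst.Sha256 -eq $ref.Sha256) {
        'Installed font is identical to the reference copy; no replacement needed.'
    } else {
        'Installed font differs from the reference copy; follow the replacement steps.'
    }
}
```

Running it again after step 8 confirms that the copied file is the one now installed.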

Enable HKSCS (Hong Kong Supplementary Character Set) on Workstation

Cannot display HKSCS fonts in WebSAMS report (.XLS / .DOC)

Windows Vista, 7, 8 & 10 have built-in support for HKSCS-2004 with the ISO 10646/Unicode code allocation scheme.

10. Version Upgrade Problem



WebSAMS version <> DB version
Caused by unsuccessful WebSAMS upgrade
Solution



WebSAMS Java version cannot be upgraded
Recover files from E:\temp\wsup1\<the latest folder>\backup\
Contact Helpdesk to get the instruction


If the database is running and you execute < 2. Start Database > again, the following error will be prompted:

WebSAMS Helpdesk Scope

WebSAMS Application enquiry



Modules maintenance
General usage enquiries
WebSAMS Technical enquiry

Focus on WebSAMS Application

Resources

WebSAMS Central Document Repository:
    http://cdr.websams.edb.gov.hk

WebSAMS System Manual:
    E:\Data\Doc\AOM
    E:\Data\Doc\COPM
    E:\Data\Doc\UM

WebSAMS Forum:
    WebSAMS Central Document Repository -> Home (主頁) > Web Links (網頁連結) > Hong Kong Education City WebSAMS Forum (香港教育城校管系統討論區); or
    http://forum.hkedcity.net/forumdisplay.php?fid=71

WebSAMS Helpdesk:
    Hotline: 3125-8510
    Fax: 3125-8999
    E-mail: [email protected]
    Leave your School ID, contact person and contact number

CDR Website
WebSAMS Forum (cont’d)
Q & A Section
The End