System Administration

System Administration information

Restarting Noodle service

  • Microsoft Windows
    • sc stop noodle
    • sc start noodle
  • Linux-like, sysvinit/Upstart
    • service noodle restart
  • Linux-like, systemd
    • systemctl restart noodle
  • Linux-like, launchd
    • launchctl unload /System/Library/LaunchDaemons/noodle.plist
    • launchctl load /System/Library/LaunchDaemons/noodle.plist
  • Linux-like, SMF
    • svcadm restart noodle

Changing the Noodle port

  1. Make sure the port you want to use is not already in use:
    • Linux-like systems
      • netstat -ln | grep ":80 "
    • Microsoft Windows
      • netstat -na | findstr ":80"
  2. Edit the text file cfg/multiserver.conf in the Noodle Home directory, changing the line "Connection.CM_0.Port = 80" to an available port.
  3. Remember to update the OS and network firewalls for the new port.
  4. Restart the Noodle service (see above).
  5. Update the Noodle setting “System Tools > Settings > URL for Noodle” so it carries the new port.
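The following POSIX shell functions are an added helper for Linux-like systems, not part of Noodle's own tooling: they automate steps 1 and 2 above by testing whether something already listens on a port and by rewriting the Connection.CM_0.Port line in cfg/multiserver.conf with a backup copy. The function names, the port-range check and the use of ss when netstat is absent are my assumptions; the conf line format is the one quoted in step 2.

```shell
#!/bin/sh
# Added helper (not part of Noodle): check a TCP port and rewrite the
# Connection.CM_0.Port line in cfg/multiserver.conf.

# port_listening PORT
#   returns 0 if a local socket already listens on PORT, 1 if nothing does,
#   2 if neither ss nor netstat is available to tell.
port_listening() {
    port="$1"
    if command -v ss >/dev/null 2>&1; then
        listing=$(ss -ln 2>/dev/null)
    elif command -v netstat >/dev/null 2>&1; then
        listing=$(netstat -ln 2>/dev/null)
    else
        return 2
    fi
    # match ":80 " (Linux) or ".80 " (BSD netstat) but not ":8080"
    printf '%s\n' "$listing" | grep -Eq "[:.]${port}([[:space:]]|$)"
}

# set_noodle_port CONF PORT
#   replaces the value of Connection.CM_0.Port in CONF, keeping CONF.bak.
#   Returns 1 if PORT is not a number in 1-65535 or the key is missing,
#   so a typo never leaves the service without a port line.
set_noodle_port() {
    conf="$1"; port="$2"
    case "$port" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    grep -q '^Connection\.CM_0\.Port[[:space:]]*=' "$conf" || return 1
    sed -i.bak "s/^Connection\.CM_0\.Port[[:space:]]*=.*/Connection.CM_0.Port = ${port}/" "$conf"
}

# get_noodle_port CONF: print the currently configured port
get_noodle_port() {
    sed -n 's/^Connection\.CM_0\.Port[[:space:]]*=[[:space:]]*//p' "$1"
}

# Usage, run from the Noodle Home directory (8080 is an assumed free port):
#   if port_listening 8080; then echo "8080 is busy"; else set_noodle_port cfg/multiserver.conf 8080; fi
```

After the rewrite, restart the service and check the new port with the netstat command from step 1; the .bak file lets you roll back if the service fails to bind.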

Microsoft Windows runs http.sys on port 80 by default. Disable http.sys by running these 2 commands:

  1. sc config http start= disabled
  2. net stop http /y

Or, if you want to run both, bind them to different IP addresses:

  1. http.sys IP (netsh http add iplisten ipaddress=192.168.0.101)
  2. Noodle IP (Connection.CM_0.BindAddress = 192.168.0.100)

LAN security options for the server

  • Whole-disk encryption (prevents bypassing security by reading the disk from another computer)
  • Dedicated server (reduces the exploitable surface area)
  • Linux OS (protects from Windows malware)
  • Firewall blocking all but ssh and the Noodle http[s] ports (reduces the exploitable surface area)
  • ssh keys (prevents password guessing on ssh)

Network

  1. On a network not (even indirectly) connected to the internet (most secure).
  2. On a network only indirectly connected to the internet, with no Microsoft Windows devices on the network.
    • Encrypted VPN, or better yet an ssh tunnel (used with keys, this prevents MITM attacks from a spoofed Wi-Fi network, an untrusted ISP or a government).
    • Anonymity networks like Tor can be used (optionally with SSL or ssh); in practice this prevents anyone, including governments, from knowing which server a user is talking to.
  3. On a network only indirectly connected to the internet.
  4. On a public network with a firewall or NAT port forwarding blocking all but one port.
  5. On a public network (least secure).


List of most to least secure ways of connecting to the Noodle service

  1. On a network not (even indirectly) connected to the internet.
  2. On a network only indirectly connected to the internet.
  3. On a public network with a firewall or NAT port forwarding blocking all but one port
  4. On a public network

Public network security options:

  • SSL (prevents password collection on public Wi-Fi)
  • White list (prevents password guessing from known hostile networks)
  • "Session Security Level" set to 4 (prevents session hijacking)
  • "Minimum password length" set to 8 (makes password guessing harder)
  • Encrypted VPN, or better yet an ssh tunnel (used with keys, this prevents MITM attacks from a spoofed Wi-Fi network, an untrusted ISP or a government)
  • Anonymity networks like Tor can be used (optionally with SSL or ssh); in practice this prevents anyone, including governments, from knowing which server a user is talking to

Upgrading and downgrading

  • We encourage reporting issues and upgrading to a fixed version instead of downgrading.
  • If a new version brings an unwanted feature, it can often be made optional by adding a setting to disable it.
  • To test customizations against a new version, we recommend cloning the VM or DB to a test instance and trying the upgrade there before applying it to the production version.
  • If only the last version number has changed, downgrading can be done by replacing the lib directory with the old version.
  • If the second number in the version changes, a custom jar may be required to revert the database structure.

Windows example of converting a Tomcat SSL certificate to Apache:

REM 123 and 123456 are placeholder passwords: -storepass and -srcstorepass must be the real noodle.jks password, used in every command
REM export the server certificate and the CA certificate in PEM form
keytool -storepass 123 -keystore noodle.jks -export -alias domain.tld -rfc -file server.crt
keytool -storepass 123 -keystore noodle.jks -export -alias root -rfc -file server-ca.crt
REM copy the key pair into a PKCS12 store, then extract the private key with openssl (it prompts for the 123456 import password)
keytool -importkeystore -srckeystore noodle.jks -srcalias domain.tld -srcstorepass 123 -deststorepass 123456 -destkeystore apache.p12 -deststoretype PKCS12
openssl pkcs12 -in apache.p12 -nocerts -nodes > server.key
REM server.key is unencrypted (-nodes): keep it readable only by the account running Apache, and remove the intermediate store
del apache.p12

Official keytool manual

Official openssl manual

Noodle can be set up for SSO, but not using IWA.

Note that this is independent of the Noodle AD features.

  1. Add a web shortcut to the user's Startup folder.
  2. Options:
    • Enable the "Noodle>System Tools>Settings>User Settings>Remember my login information" feature:
      • http[s]://YOUR.DOMAIN.TLD[:PORT]/[IntraNet.po|Noodle.po]
      • This option will ask for a password if the user ever clicks logout.
    • Or include the user name and password in the URL:
      • http[s]://YOUR.DOMAIN.TLD[:PORT]/HandleLogin.po?user_name=YOURUSER&user_password=YOURPASS[&user_domain=YOURDOMAIN]
      • A link can be downloaded from the profile page.
      • The caveat here is having to update the link on password change.
  3. OneLogin or other third-party adapters.

This page is for those who host on their own Windows server and are trying to diagnose the cause of a 404.

Identify the problem:

  1. If your browser on the server displays the page (http://127.0.0.1) properly, it's a networking problem.
    • Check port forwarding, routing, firewalls and DNS on the server, the client, and every device in between.
  2. If your browser on the server displays the wrong page, or anything other than a timeout, it's a service conflict (multiserver.log contains "Address already in use").
    • Use a different port, or stop and disable the other services using port 80:
      • Windows built-in (http.sys)
        • sc config http start= disabled
        • net stop http /y
      • Linux, list what is using the port
        • netstat -lnp | grep ":80"
  3. If /logs/err.log says it can't find a class:
    • Use 7z to check that no jar files are corrupted.
  4. If there is no multiserver.log, it's a .bat or java problem.
    • Run intranet.bat one line at a time to isolate the problem.
    • Reinstall java and update intranet.bat to the new java.exe.
  5. If there is no java.exe in the task manager, it's a config problem.
    • Look in the log file for errors.
    • Run a copy of intranet.bat without the loop or exit to find errors that are not in the log.

If the Noodle log contains something like this:

2012.01.24 13:48:51: .intranet,ALERT: ConnectionAllocator: failed to allocate a new connection
2012.01.24 13:48:51: .intranet,ALERT+ The connection pool is empty!
2012.01.24 13:48:51: .intranet,ALERT+ due tocom.inet.tds.ab: Msg 4064, Level 11, State 1, Line 1, Sqlstate 01000
2012.01.24 13:48:51: .intranet,ALERT+ [WIN-5A73M1LPPMU]Cannot open user default database. Login failed.Error code: 4064
2012.01.24 13:48:51: .intranet,ALERT+ SQLState: 01000

Unlisted codes:

01 Ambiguous
02 Invalid user id
05 Invalid user id
06 Attempt to use a Windows login name with SQL authentication
07 Login disabled and password mismatch
08 Password mismatch or password policy clash
09 Invalid password
11 Valid login but server access failure
12 Valid login but server access failure
13 SQL Server service paused
16 User does not have permission to log into the target database
18 Change password required
27 Could not determine the initial database for the session
4064 Cannot open user default database. Login failed. (wait a few more seconds for the database to start, and use net start in intranet.bat)
18456 Can be caused by a firewall
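The following shell script is an added example, not part of Noodle: it scans a multiserver.log for the symptoms listed in the 404 checklist above (missing log, "Address already in use", a class that cannot be loaded) and for the ConnectionAllocator ALERT lines, reporting each distinct MSSQL error code with the hint given in the list above (4064 and 18456; anything else is reported as unlisted). The function names, the finding tags, the class-loading patterns and the constructed sample log are my assumptions.

```shell
#!/bin/sh
# Added triage helper, not part of Noodle. Scans a multiserver.log for the
# symptoms described on this page and prints one finding per line.

# db_error_hint CODE: hint for an MSSQL error code taken from the list above;
# anything not on that list is reported as unlisted.
db_error_hint() {
    case "$1" in
        4064)  echo "cannot open user default database; wait for SQL Server to finish starting (net start in intranet.bat)" ;;
        18456) echo "login failed; can be caused by a firewall" ;;
        *)     echo "unlisted code; look it up in sysmessages" ;;
    esac
}

# triage_noodle_log FILE
#   Prints findings in the form "TAG detail":
#     NO_LOG          the file is missing (step 4: .bat or java problem)
#     PORT_CONFLICT   log contains "Address already in use" (step 2)
#     CLASS_MISSING   a class could not be loaded (step 3)
#     DB_LOGIN CODE   the connection pool reported the given MSSQL error code
#   Returns 1 only when the log file does not exist.
triage_noodle_log() {
    log="$1"
    if [ ! -f "$log" ]; then
        echo "NO_LOG $log is missing: run intranet.bat line by line and check the java.exe path"
        return 1
    fi
    if grep -q 'Address already in use' "$log"; then
        echo "PORT_CONFLICT another service owns the Noodle port; change the port or stop the other service"
    fi
    # assumed patterns for "can't find a class"; the exact wording in err.log may differ
    if grep -qiE 'ClassNotFoundException|NoClassDefFoundError|can.t find a class' "$log"; then
        echo "CLASS_MISSING verify the jar files are not corrupted (7z t on each jar)"
    fi
    if grep -q 'ConnectionAllocator: failed to allocate a new connection' "$log"; then
        # the ALERT+ continuation lines carry "Error code: NNNN"; report each distinct code once
        grep -o 'Error code: [0-9][0-9]*' "$log" | awk '{print $3}' | sort -u |
        while read -r code; do
            echo "DB_LOGIN $code $(db_error_hint "$code")"
        done
    fi
    return 0
}

# demo: run the triage over a constructed log that reproduces the ALERT lines above
demo_triage() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
2012.01.24 13:48:51: .intranet,ALERT: ConnectionAllocator: failed to allocate a new connection
2012.01.24 13:48:51: .intranet,ALERT+ The connection pool is empty!
2012.01.24 13:48:51: .intranet,ALERT+ [WIN-5A73M1LPPMU]Cannot open user default database. Login failed.Error code: 4064
EOF
    triage_noodle_log "$tmp"
    rm -f "$tmp"
}

demo_triage
```

Run it as `sh triage.sh` for the demo, or call `triage_noodle_log /path/to/multiserver.log` from an interactive shell; a DB_LOGIN 4064 finding right after a reboot usually just means SQL Server was still starting, which is why the page suggests a net start in intranet.bat.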

SQL to list all Error codes for your MSSQL version:

SELECT error,description FROM sysmessages where msglangid='1033' order by error;