
Enabling stronger cipher/protocol security with Enterprise Manager

If your exacqVision Enterprise Manager is already using HTTPS as described in our Knowledge Base article ‘How to Enable HTTPS for ESM’, you can use this document to make sure you are using strong ciphers and the most current SSL protocol.

Locate and make the indicated changes to the file httpd-ssl.conf


Windows

C:\Program Files\exacqVision\EnterpriseManager\apache_solr\apache2\conf\extra\httpd-ssl.conf


Linux

/usr/local/exacq/esm/apache_solr/apache2/conf/extra/httpd-ssl.conf


Find SSLCipherSuite and SSLProxyCipherSuite and make sure they match the following.


Find the SSL Protocol Support section and make sure it is set as follows. Note: it may be possible to use TLSv1.3, but it has not been tested yet.

Verifying

To verify that the HTTPS endpoint of your Enterprise Manager site is running as expected:

Run the following command from a Linux machine with openssl installed.


Note the output under SSL-Session.
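An offline check of the edited httpd-ssl.conf can complement the openssl test above. The following Python script is an added example, not Exacq's code: it reads the three directives named in this article and reports legacy protocols or weak cipher tokens. The lists of what counts as weak, the way bare SSLProtocol tokens are evaluated, and the sample configuration are assumptions made for illustration.

```python
import re

# "all" is expanded to every version; anything older than TLSv1.2 is reported.
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
WEAK_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
# Heuristic (assumed) list of OpenSSL cipher-string components that should not be enabled.
WEAK_PARTS = {"RC4", "DES", "3DES", "CBC3", "MD5", "NULL", "ENULL", "ANULL",
              "EXP", "EXPORT", "LOW", "ADH", "AECDH"}
DIRECTIVES = ("SSLProtocol", "SSLCipherSuite", "SSLProxyCipherSuite")

# Constructed sample, not the file shipped with Enterprise Manager.
SAMPLE_CONF = """\
# SSL Protocol Support (constructed sample)
SSLCipherSuite HIGH:MEDIUM:RC4-SHA:!aNULL:!MD5
SSLProtocol all -SSLv3
"""

def parse_directives(conf_text):
    """Collect the arguments of every uncommented occurrence of each directive."""
    found = {name: [] for name in DIRECTIVES}
    by_lower = {name.lower(): name for name in DIRECTIVES}
    for line in conf_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() in by_lower:
            found[by_lower[parts[0].lower()]].append(parts[1].strip())
    return found

def enabled_protocols(args):
    """Evaluate SSLProtocol left to right: +X adds, -X removes, bare X replaces (assumed)."""
    enabled = set()
    for token in args.split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("", token)
        group = {p for p in ALL_PROTOCOLS if name.lower() in ("all", p.lower())}
        enabled = {"+": enabled | group, "-": enabled - group}.get(sign, group)
    return enabled

def weak_cipher_tokens(args):
    """Return cipher-string tokens that enable a weak component ("!", "-", "+" add nothing)."""
    spec = args.split()[-1].strip("\"'")  # skip an optional leading protocol argument
    return [t for t in spec.split(":")
            if t and t[0] not in "!-+" and set(re.split(r"[-+]", t.upper())) & WEAK_PARTS]

def audit(conf_text):
    """Return human-readable findings; an empty list means nothing was flagged."""
    found = parse_directives(conf_text)
    findings = [f"{name}: not set" for name in DIRECTIVES if not found[name]]
    for args in found["SSLProtocol"]:
        if weak := sorted(enabled_protocols(args) & WEAK_PROTOCOLS):
            findings.append("SSLProtocol enables " + ", ".join(weak))
    for name in DIRECTIVES[1:]:
        for args in found[name]:
            if weak := weak_cipher_tokens(args):
                findings.append(f"{name} enables " + ", ".join(weak))
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF)) or "no findings")
```

To check a real installation, pass the contents of the httpd-ssl.conf file at the path given above to `audit()`.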


Downgrading Enterprise Manager to 19.06 and below

Issue

Downgrading exacqVision Enterprise Manager from 19.09 to any lower version will fail due to the migration from Python2 to Python3. Manual steps are required in order to downgrade to 19.06.

Note: Instructions below provide a downgrade path to 19.06.  If you need to downgrade beyond that, follow these instructions, then you can downgrade to previous versions just by running the appropriate installer.

Steps to Downgrade

  1. Download the appropriate installer for your environment:
  2. Download the  “new_south_manifest.py” file.
  3. Copy the “new_south_manifest.py” file to the appropriate directory for your environment:
    • Windows:  C:\exacqVisionESM\EnterpriseSystemManager
    • Linux:  /usr/local/exacq/esm
  4. Run the downloaded installer.
  5. If using Windows:
    • Delete the following file: C:\exacqVisionESM\EnterpriseSystemManager\zmq\libzmq.cp37-win32.pyd
    • Restart the Importer service.


Solr vulnerability – CVE-2017-12629

Enterprise Manager

Enterprise Manager (formerly ESM) includes a version of Apache Solr that is vulnerable to an attack allowing remote code execution. Further information can be found here: https://nvd.nist.gov/vuln/detail/CVE-2017-12629

Mitigation: It is recommended that you follow the steps below appropriate for your Operating System.

For Windows

Note: File paths vary depending on installation, 64-bit or 32-bit.


  1. Launch services, then stop ‘solrJetty’
  2. Click the ‘Start’ button and type ‘Notepad.exe’.  Right-click notepad and select ‘Run as administrator’.
  3. Click ‘File’, then ‘Open’, and navigate to the following file based on your install location:
    • For 64-bit: "C:\exacqVisionESM\apache_solr\apache-solr\server\solr\collection1\conf\solrconfig.xml"
    • For 32-bit: "C:\exacqVisionESM\apache_solr\apache-solr\solr\collection1\conf\solrconfig.xml"
  4. Add the following highlighted section just above the “Function Parsers” line:
  5. If 64-bit, click ‘File’, then ‘Open’, and navigate to the following file: "C:\exacqVisionESM\apache_solr\apache-solr\bin\solr.cmd"
    • Find the line: set START_OPTS=%START_OPTS% !GC_TUNE! %GC_LOG_OPTS%
    • Below this line, add the following: set "START_OPTS=%START_OPTS% -Ddisable.configEdit=true"
  6. Save the file.
  7. Click ‘File’, then ‘Open’, and navigate to the following file based on your install location:
    • For 64-bit: Launch ‘regedit’ from start menu.
      • Go to HKEY_LOCAL_MACHINE->SYSTEM->ControlSet001->Services->solrJetty
      • Double click ImagePath
      • In value data put double quotes around C:\PROGRA~1\EXACQV~1\ENTERP~1\apache_solr/apache-solr\scripts\prunsrv.exe
    • For 32-bit: “C:\exacqVisionESM\apache_solr\apache-solr\scripts\serviceinstall.bat”
      • Find the entry:  ++JvmOptions=-XX:MaxPermSize=128M
      • Add a space after this entry and add: ++JvmOptions=-Ddisable.configEdit=true
      • Find the quoted text: --Install="C:\exacqVisionEsm\apache_solr/apache-solr\scripts\prunsrv.exe\"
      • Replace it with: --Install='"C:\exacqVisionEsm\apache_solr/apache-solr\scripts\prunsrv.exe\"'
    • Note: Ensure there is a space after this entry.
  8. Save the file and close Notepad.
  9. Click the Windows ‘Start’ button and type ‘cmd’.  Right-click on ‘Command Prompt’ and select ‘Run as administrator’.
  10. Run the following two commands sequentially:
    • C:\exacqVisionEsm\apache_solr\apache-solr\scripts\serviceinstall.bat
    • C:\exacqVisionEsm\apache_solr\apache-solr\scripts\serviceinstall.bat INSTALL
  11. Launch services, then start ‘solrJetty’


For Linux

Note: File paths vary depending on installation, 64-bit or 32-bit.

  1. Open a Terminal.
  2. Stop ESMWebservice with the following command:
    • sudo /usr/local/exacq/esm/scripts/ESMWebservice stop
    • Enter your password and press “Enter”
  3. Open ‘gedit’ (or your preferred text editor) with ‘sudo’ privileges with the following command: sudo gedit
  4. Click ‘File’, then ‘Open’, and navigate to the following file based on your install location:
    • For 64-bit: "/usr/local/exacq/esm/apache_solr/apache-solr/server/solr/collection1/conf/solrconfig.xml"
    • For 32-bit: "/usr/local/exacq/esm/apache_solr/apache-solr/solr/collection1/conf/solrconfig.xml"
  5. Add the following highlighted section just above the “Function Parsers” line:
  6. Save the file.
  7. Click ‘File’, then ‘Open’, and navigate to the following file based on your install location:
    • For 64-bit: "/usr/local/exacq/esm/apache_solr/apache-solr/bin/solr"
      • Before the line that reads: SOLR_START_OPTS
      • Add the line: DISABLE_CONFIG_EDIT="true"
      • Find the line with "${SOLR_HOST_ARG[@]}" "-Duser.timezone=$SOLR_TIMEZONE" \
      • Change the line to:
        "${SOLR_HOST_ARG[@]}" "-Duser.timezone=$SOLR_TIMEZONE" "-Ddisable.configEdit=$DISABLE_CONFIG_EDIT" \
    • For 32-bit: "/usr/local/exacq/esm/apache_solr/apache-solr/scripts/ctl.sh"
      • After the line: SOLR_PID=""
      • Add a new line: DISABLE_CONFIG_EDIT="true"
      • Change the line: SOLR=
      • To: SOLR="$JAVABIN -Dsolr.solr.home=$SOLR_HOME -Djetty.logs=$INSTALL_PATH/logs/ -Djetty.home=$INSTALL_PATH/ -jar $INSTALL_PATH/start.jar $INSTALL_PATH/etc/jetty.xml -Ddisable.configEdit=$DISABLE_CONFIG_EDIT"
  8. Save the file and close gedit.
  9. Back in the terminal, run the following command
    • sudo /usr/local/exacq/esm/apache_solr/ctlscript.sh restart
  10. Restart ESMWebservice with the following command:
    • sudo /usr/local/exacq/esm/scripts/ESMWebservice start


Troubleshooting Cloud Drive

Note: Only H.264 streams are currently allowed for Cloud Drive.  All other streams will be hidden on the Archiving Schedule page.

Note: Audio is not currently supported for Cloud Drive.


As of 9.8, Cloud Drive technically runs as a side integration that is installed by default.  This results in log files that are separate from the Server’s regular logs.  Cloud Drive activity can be confirmed only by accessing the logs in the following location on the Server:

  • Windows: C:\Program Files\exacqVision\Server\cloud-drive\logs\YYYYMMDD.txt
  • Linux: /usr/local/exacq/server/cloud-drive/logs/YYYYMMDD.txt


To confirm that Cloud Drive is functioning appropriately, look for: INFO successfuly uploaded clip for uuid /tmp/4719360_1550870199563.mp4:


If a 30 second clip fails to upload to Cloud Drive within the allowed time-frame, the following log will appear and the video is discarded: ERROR    failed to upload clip for uuid /tmp/4719360_1550847735563.mp4 (7): curl_easy_perform() failed: Timeout was reached


Cloud Drive will attempt to create .mp4 files in the System’s Temp directory:

  • Windows: C:\Windows\Temp\
  • Linux: /tmp/

The file pattern looks like: 4719360_1550847735563.mp4

The first set of numbers (4719360) is the Camera ID, which can be verified by right-clicking on any video stream in the exacqVision Client and selecting Properties.

The second set after the underscore will be the Unix Epoch time when the file was created.


A maximum of 3 files will be created and held in Temp per capable device. If this queue is already full, Cloud Drive will discard any future video until at least one of the current uploads completes and clears one of the files from the queue. The following log entry will appear:

request failed for /tmp/4719360_1550847985563.mp4: too many clips in cloud upload queue (max X)
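The log messages and file-name pattern described above can be turned into a per-camera summary of discarded clips, which shows where recorded video never reached Cloud Drive. This Python script is an added example, not part of the original article or of exacqVision; the sample lines are constructed from the messages quoted here, and reading the 13-digit timestamp as milliseconds since the Unix epoch is an assumption.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# <camera id>_<epoch>.mp4; the 13-digit epoch is read as milliseconds (assumption).
CLIP_RE = re.compile(r"(?P<camera>\d+)_(?P<epoch_ms>\d{13})\.mp4")
# Message fragments quoted in the article, mapped to an outcome label.
OUTCOMES = (
    ("uploaded", "uploaded clip for uuid"),
    ("upload_failed", "failed to upload clip for uuid"),
    ("queue_full", "too many clips in cloud upload queue"),
)
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed sample built from the article's messages; real lines may carry extra fields.
SAMPLE_LOG = """\
INFO successfuly uploaded clip for uuid /tmp/4719360_1550870199563.mp4:
ERROR    failed to upload clip for uuid /tmp/4719360_1550847735563.mp4 (7): curl_easy_perform() failed: Timeout was reached
request failed for /tmp/4719360_1550847985563.mp4: too many clips in cloud upload queue (max X)
INFO unrelated line without a clip name
"""


def classify(line):
    """Return (outcome, camera_id, clip_created_utc), or None for unrelated lines."""
    clip = CLIP_RE.search(line)
    outcome = next((label for label, text in OUTCOMES if text in line), None)
    if clip is None or outcome is None:
        return None
    created = EPOCH + timedelta(milliseconds=int(clip["epoch_ms"]))
    return outcome, int(clip["camera"]), created


def summarize(lines):
    """Count outcomes per camera and list the clips that were discarded, oldest first."""
    counts = defaultdict(Counter)
    discarded = []
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        outcome, camera, created = hit
        counts[camera][outcome] += 1
        if outcome != "uploaded":
            discarded.append((camera, created.isoformat(), outcome))
    return counts, sorted(discarded, key=lambda item: item[1])


if __name__ == "__main__":
    counts, discarded = summarize(SAMPLE_LOG.splitlines())
    for camera, outcome_counts in counts.items():
        print(camera, dict(outcome_counts))
    for camera, created, outcome in discarded:
        print(f"gap: camera {camera}, clip created {created} ({outcome})")
```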


Disabling Short Filename Support May Speed Up Drive Scans

Each hour, the server scans all enabled recording volumes in order to index all existing video recordings, and to determine the oldest video to be deleted in order to make space for new recordings.

This task can be time consuming, sometimes to the point that the scan may not actually complete within an hour. In the case of Windows 7, Windows Server 2008, or older, this may partly be due to 8.3 (short) filename support remaining in effect on all enabled recording volumes.


Setting up the Kiosk User for ExacqVision Systems

Windows systems built by ExacqVision no longer ship with a default ‘admin’ and restricted ‘user’ account beginning with Windows 10.

Some early Ubuntu 16.04 images still contain the ‘admin’ account, but do not have the restricted ‘user’ account (this was changed in a later image, which has neither ‘admin’ nor ‘user’).

This change is due to security compliance requirements. 

The first time a system boots, the user will be asked to create a custom user account with admin privileges. 

To enable similar functionality of the old restricted ‘user’ account, you will need to enable ‘Kiosk Mode’ by following the instructions below, based on your operating system.


Windows 10

1. Access the Desktop for your custom user created when the machine first booted.

2. Double-click the Setup Kiosk Mode script.

3. Follow the prompts to set a custom account name, enter the desired password twice, then use Y or N to determine whether the OS will automatically boot to the new restricted Kiosk user.

To undo the changes, use the Undo Kiosk Mode script and follow the prompts.


Ubuntu 16.04 & higher

1. Access the Desktop for your custom user created when the machine first booted.

2. Use the Exacq Kiosk User either on the Desktop, or from the menu Applications > Exacq.

3. Type in your desired restricted user account name.

NOTE: Ubuntu has the following restrictions for user names.

  • Must start with a lowercase letter
  • May only contain lowercase letters, underscore (_), and dash (-)
  • May optionally end with a dollar sign ($)

4. Enter your desired password, then check the Auto Login User option if the OS should automatically boot to the new restricted Kiosk user.

5. To undo the changes, run the same Exacq Kiosk User link on the Desktop and type in the name of the user you want to remove or modify.


Troubleshooting

In the event you get an error similar to the following, check the user name to ensure it meets Ubuntu’s restrictions.

  • Must start with a lowercase letter
  • May only contain lowercase letters, underscore (_), and dash (-)
  • May optionally end with a dollar sign ($)


Removing an Unwanted USB I/O Device from a Server’s Configuration

If a USB I/O module was previously used and later disconnected from the server, the software will retain the configuration and the module will remain listed in the left-side navigation panel.

If you wish to permanently remove this device from appearing in the software, you will need to log in to the server’s operating system as an Administrator and perform the following steps.

Windows

  1. Log in to the operating system’s admin account.
  2. Click Start, type services.msc, and press Enter.
  3. Right-click on the ExacqVision Server service and select Stop. Keep the Services window open.
  4. Browse to C:\Program Files\exacqVision\Server and rename the usbdiopi.xml file to usbdiopi.bak.
  5. Back in Services, select ExacqVision Server and click Start.

Linux

  1. Log in to the operating system’s admin account.
  2. Open a Terminal window by pressing CTRL+ALT+T, and type the following to stop the ExacqVision Server service:
    sudo service edvrserver stop
    • When prompted for the password, enter the operating system’s admin password and press Enter. You will not see the password as you type it.
  3. Type the following single-line command in Terminal to rename usbdiopi.xml to usbdiopi.bak:
    sudo mv /usr/local/exacq/server/usbdiopi.xml /usr/local/exacq/server/usbdiopi.bak
  4. Type the following in Terminal to start the exacqVision Server service:
    sudo service edvrserver start


Unable to Start Web Service on Windows 10

Problem

Users installing the exacqVision web service on Windows 10 machines find that the exacqVision web service is not enabled and encounter errors when attempting to manually start the service.


Cause

This is due to a port conflict. The default port used by evApache is port 80, which is also the default port for most web services. Windows 10 contains a service, enabled by default, that binds to port 80 before evApache attempts to start. Because two services cannot bind to the same port number, evApache and the exacqVision web service fail to start.

Resolution

There are two possible ways to work around this.

  1. Open Services.msc in Windows and locate the ‘World Wide Web Publishing Service’. Stop this service and change the start up type to ‘Disabled’. You may also consider disabling the IIS service if it is installed on your machine. After these changes have been made you may either reboot your machine or manually start the exacqVision web service.
  2. Manually change the port number to something other than the default of 80. This requires editing a configuration file in Apache. You may find instructions on this in the following knowledge base article: 42205


Installing Windows Security Essentials on Win7 based evServers

  1. Stop the exacqVision Server service (Control Panel -> Administrative Tools -> Services -> exacqVision Server : Stop)
  2. Download Windows Security Essentials Package (mseinstall.exe, x64) from Microsoft website, and execute the installer on the target machine.
  3. Select all default options, except for the ones listed below.
    1. Do not join the program (Optional)
    2. Unselect both options below:
    3. Do not immediately scan
    4. The system will update automatically (if connected to the internet) and come to the following page:
    5. If Internet was not accessible, connect to the internet, and update definitions. Make sure the system shows the latest definitions are installed.
    6. On the settings page, schedule a daily scan to a time of your convenience.
    7. Click on ‘Exclude Files and Locations’, and hit Browse.
    8. Select all the Data Drives (on which Video is stored) and choose the exacq install location (C:\Program Files\exacqVision), and hit OK.
    9. All Data drives and the exacq install directory should be shown, separated with a semi-colon.
    10. Hit ‘Add’, and all the data drives and the exacq install directory should be on the excluded list.
    11. Come back to Home page and run a full scan.

Changing the EM Web Service port

Enterprise Manager (EM), formerly known as Enterprise System Manager (ESM), uses Apache to provide the underlying web server.

During initial install a graphical dialogue will allow you to change your port numbers.

If you’ve already installed the application you may wish to perform this change manually.

The first step to manual editing is to find the location of the config file where the port numbers are held. This depends on both the platform (operating system) and version of the Web Service you have installed. The default installation location for the configuration file httpd.conf is as follows:

Windows:

  • HTTP:
    • C:\Program Files\exacqVision\EnterpriseManager\apache\conf\httpd.conf
  • HTTPS:
    • C:\Program Files\exacqVision\EnterpriseManager\apache\extra\httpd-ssl.conf

Linux:

  • HTTP:
    • /usr/local/exacq/em/apache/conf/httpd.conf
  • HTTPS:
    • /usr/local/exacq/em/apache/conf/extra/httpd-ssl.conf

Determine where this file is for your install before continuing.

Once you have found the file, open it using your editor of choice (be sure to do so with administrative privileges) and perform either of the following depending on its name:

For httpd.conf (HTTP port) and httpd-ssl.conf (HTTPS port):

  1. Find the Listen directive in the file
    • For example, if the current port is 80, the line should read Listen 80
  2. Modify the port number as desired
  3. Save the file and restart the following services:
    • ExacqVision Enterprise Manager Apache
    • ExacqVision Enterprise Manager Web Service
