Realex Payments recently announced that it will be ending support for TLS Version 1.0 and 1.1 and began sending emails out letting their customers know of this change.
I have written this guide which should help people use security best practices on an IIS Windows server, which should address the new Realex security requirements.
Please note that in order for the changes to take effect you will need to restart your server.
This guide is only for servers running Windows and IIS.
Your Web Applications (Web Sites) will also need to have an SSL Cert.
Step 1: Download IIS Crypto 2.0
Go to Nartac and download IISCrypto.exe to your server.
Step 2: Run IIS Crypto 2.0
Run the executable you just downloaded. It is a portable program so it doesn't install anything. The program should display a screen similar to the one shown here.
Step 3: Click the Best Practices Button
On the screen click the "Best Practices" button on the bottom left or select the options you want. The window should then look like the screen below. Once you are happy with the selected tick boxes, click the "Apply" button.
Step 4: Restart your Server
After you have clicked "Apply" you will need to reboot your server. IIS Crypto will tell you to do this (it will not reboot the server for you).
Step 5: Check your server at Qualys SSL Labs
Once your server and IIS have come back online you will need to check the rating of your server. Enter the URL of the site or the IP address of the server and have Qualys SSL test your server. You will want to get at least an A rating for your server. If you do not get an A rating you will need to review your server's security settings and re-run the SSL Report.
I hope this helps anyone who may want to update their server's security.
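To confirm on the server itself what the steps above changed, the following added example (not part of the original guide or of IIS Crypto) reads the standard SCHANNEL protocol keys from the registry and flags any protocol older than TLS 1.2 that is not explicitly disabled. The function name is an assumption of this example.

```powershell
# Added example: report the server-side SCHANNEL protocol settings after the reboot.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelServerProtocol {   # hypothetical helper name
    param([string[]]$Name = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'))
    foreach ($p in $Name) {
        $key = Join-Path $base "$p\Server"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $props -or $null -eq $props.Enabled) {
            $state = 'NotConfigured'      # Windows falls back to its built-in default
        } elseif ($props.Enabled -eq 0) {
            $state = 'Disabled'
        } else {
            $state = 'Enabled'            # a non-zero DWORD means enabled
        }
        [pscustomobject]@{ Protocol = $p; State = $state }
    }
}

$report = @(Get-SchannelServerProtocol)
$report | Format-Table -AutoSize

# Everything older than TLS 1.2 should be explicitly disabled.
$legacy = @($report | Where-Object { $_.Protocol -ne 'TLS 1.2' -and $_.State -ne 'Disabled' })
$tls12  = $report | Where-Object { $_.Protocol -eq 'TLS 1.2' }

if ($legacy.Count -gt 0) {
    Write-Warning ('Not explicitly disabled: ' + (($legacy | ForEach-Object { $_.Protocol }) -join ', '))
}
if ($tls12.State -eq 'Disabled') {
    Write-Warning 'TLS 1.2 is disabled on the server side.'
}
```

A protocol reported as NotConfigured follows the operating system default, which on older Windows Server versions still allows TLS 1.0 and 1.1.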
Lately I learned of a new tool which gets and sets an SSL certificate automatically for you and renews itself every 3 months - Let's Encrypt.
I was eager to try out this new service on one of our Umbraco sites; however, there was an issue when I tried to run the program.
Let's Encrypt adds a folder called ".well-known" to the root of the site. It then uses this folder to verify the site and issue an SSL certificate. When you attempt to do this using an Umbraco site you will be given an error which says something along the lines of "Let's Encrypt cannot access this folder".
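In order to get the SSL certificate issued and installed you will need to modify the Web.config of your Umbraco site, changing the first line below to the second so that ~/.well-known/ is added to umbracoReservedPaths.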
<add key="umbracoReservedPaths" value="~/umbraco,~/install/" />
<add key="umbracoReservedPaths" value="~/umbraco,~/install/,~/.well-known/" />
Re-run the Let's Encrypt program and the SSL certificate should then be issued and installed for your Umbraco site.
Note: this will also work for Azure-hosted Umbraco sites using the KUDU Let's Encrypt site extension.
Congratulations are in order as the following Dovetailers passed their Microsoft Certification exams.
Tomás and Murilo passed 70-461: Querying Microsoft SQL Server
Fabrizio and Kit passed 70-483: Programming in C#
John and Mossy passed 70-532: Developing Microsoft Azure Solutions
Progression is one of Dovetail's core values and we promote constant learning and improvement. In the fast-moving technical sector, no one can afford to sit still and we are already planning next year's Progression Goals.
This week, Irish Rail launched the Online Payments facility for Fixed Payment Notices (which are penalties for fare evasion and other infringements).
The Dovetail-developed system allows passengers to pay a Fixed Payment Notice online. It is mobile-friendly and allows customers to pay a Fixed Payment Notice on their mobile, tablet, laptop or desktop computer.
The system is built using ASP.Net, C#, CSS and HTML5 and it is integrated with the Irish Rail Fixed Payment Notice Management system (a version of the Standard Fare Backoffice Management System which Dovetail previously developed for Dublin Bus).
Our work with Irish Rail, LUAS and Dublin Bus is all part of Dovetail's continued involvement with the transport sector.
The following article appeared in the February 2016 edition of Rail Brief, the Irish Rail staff magazine. You can view the PDF here.
John and Martin with the Irish Rail Team in Connolly Station.
A FINE NEW SYSTEM
In 2015 there were 9,606 Fixed Payment Notices issued. There was a 22% increase in the number of Fixed Payment Notices issued in 2014 compared with 2013 and this trend remains in an upward direction putting more pressure on the system in use. As a source of revenue for us, it is critical that there is an intelligent information system to ensure detailed reporting and timely payment of fines.
Main Triggers for the New System
1. Two separate systems existed, one for DART and one for Intercity
The back office was using two disparate systems; Access and Infopath as both the Intercity & Commuter (ICCN) and DART had individual systems. This meant inputters were moving between systems with differing designs. These disparate systems continued when the RPU was centralised, meaning that the Head of Revenue Protection and the Revenue Protection & Prosecutions Manager had to interrogate each system separately and add the results together. Often they had to physically count original fines for statistics purpose as the original system didn’t allow for any meaningful interrogation. Another issue with the existing system was there was no single view across one person. A person could have a fine on the DART database but the ICCN database had no visibility of it.
2. Everything was manually typed
Prior to the new system, everything was manually typed, for example, there were no drop down boxes with list of stations, Revenue Protection officers’ names, train times or routes. This led to the likelihood of poor quality data as typing errors/spelling errors could occur due to the high volumes to be input.
3. Inconsistent design between forms and databases
The fields on the screen and the form didn’t match. As a result, it slowed down the speed of inputting as everything on the screen had to be matched to the form field for input. This contributed to a growing backlog and as a consequence, reminder notices, at times, were late going out to customers. This type of backlog can be very demotivating for an employee – no matter how hard the team worked, there seemed no end to it!
4. Databases were not built for high volume
There were over 38,000 records on the databases which were not built for high volume and as a result crashes often happened. Up to eight people could have been inputting at any one time and the input may not have updated correctly. The resulting consequence was that a letter could go out to someone who has already paid a fine.
Leading the Change
Roger Tobin, Head of Revenue Protection, has been leading the change project with support from Dave Cannon Manager Revenue and Prosecutions and Shauna Fitzsimmons on the systems side. The back office team have also supported the change process. The team worked with David Bettles Information Systems, Keith Faherty Online Manager, Group IT and Customer First in specifying and clarifying what the system requirements were before Dovetail could commence their work.
Communications and Training
The team had been briefed on the full extent of the system change. These briefings were supported by the Customer First, People and Communications Lead, Linda Allen and were made by Dave Cannon and Shauna Fitzsimmons. A training test system was set up by Dovetail to ensure all the team were comfortable with the system before it launched. They all found the system to be very straightforward and could really appreciate its benefits. The Dovetail systems supplier facilitated the training for all involved. They also provided systems support for the team to ensure the team were fully supported in the ‘go live’ and beyond. Brian Quinn, Business Process Lead, documented the new processes arising from the implementation of the new system. This was to ensure there was no ambiguity in the implementation and ensured the process in place was the optimal one.
Phase 2 Online Payment Facility
Work is currently ongoing in setting up an online payment facility with a Go Live expected in February 2016. Currently there are limitations on payment options as a customer can only pay during office hours, Monday to Friday 9am to 5pm. There will be huge benefits to the customer to pay online anytime as the back office team had received complaints from people who wanted to pay but couldn’t get through. This will also mean a reduction of phone calls to the office to allow the employees allocate their time on the key tasks of managing repeat offenders, analysing areas to target and managing files for maximum court prosecutions.
Phase 3 Customer First
Customer First is currently looking at electronic solutions to make the RPU more efficient. Currently Revenue Protection Officers write out Fixed Payment Notices (FPN’s) which would mean real time inputting. There will be real benefits in the adoption of these portable devices.
Benefits of the New Dovetail System
One of the biggest benefits for the team is the removal of the backlog. All their hard work has significantly contributed to this. Other benefits include:
1. One single view of a ‘customer’
The new system can highlight fraudulent persons or highlight repeat offenders. It is able to supply fraud lists or repeat offenders across both systems. This allows for a more intelligent type of reporting and more successful prosecutions.
2. Better targeting of fare evasion
It allows the RPU team to more intelligently target times and services where there are fare evasions above average. The system allows them to interrogate information by multiple fields e.g. by station, by time, by ticket types, by day of the week and by any other fields stored. The new system has all the information in the one place, it reduces the dependence on physical files.
3. One single system in place and customisation of screens
There is now one single system in place for all the back office team capturing all Railway Undertaking fine data. Customisation took place for ease of use for the inputter on all screens. The new screens mirror the FPN form and will follow the fields of the form as it appears on the page.
4. Template letters created for all scenarios
Template files for all types of letter have been supplied to the new system and can be generated automatically.
5. Preloaded lists and drop down boxes
The new system will have all these lists preloaded along with the actual timetable. It will also have an address link with Google Maps eliminating the need for freeform typing.
6. Appeals process standardised
The time spent on appeals has reduced as the appeals process has been standardised and the appeal is done via email with the addition of the attachment on the system.
7. Flexible to change
The new system is more flexible to change. The system allows the addition of new routes, times, officers and can allow the addition or amendment of any fields.
Here at Dovetail we love Team City and Visual Studio.
We recently updated our Team City configuration to allow projects to be built using Visual Studio 2015, C# 6, and to use the latest Nuget package manager.
In doing so, we discovered a very peculiar setting deep within Team City that caused one of our projects to break on build and break once deployed.
The Build Failures
After updating, we ran our build and the compiler threw an error saying that it could not find a specific version of a Nuget package. For example, our packages.config within Visual Studio specified we use Nuget to install Newtonsoft.Json version 7. However Team City reported that the project needed Newtonsoft.Json version 8.
We made the decision to update all affected nuget packages to the latest versions, pushed our project and Team City built it successfully.
The Deploy Failure
Looking back at our Octopus Deploy package we found that the JQuery file we were referencing and pushing to our repository was not there any more. However, we did see the latest version of the JQuery min file. Our file was being removed and replaced with the latest JQuery min version.
The Update Package Setting
We soon found the setting buried deep inside the Team City "build steps" screens:
Within the NuGet Installer build step is a setting which, when turned on, updates all your packages. This sounds great in theory but when you run into build and deploy issues this will cause headaches.
The text underneath states "Uses the NuGet update command to update all packages under solution. Package versions and constraints are taken from packages.config files". Whether this is a bug in Team City or not, this text seems very vague for an "Update Packages" function.
Be careful, because when checking this check-box, Team City will not read the packages.config version numbers and instead it will download the latest version of every package.
Update: Team City have been back to us and they're going to update the explanatory text on this checkbox to make it more clear.
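One way to catch this in the build itself, as an added example that is not TeamCity's or the post's own code: record the versions pinned in every packages.config before the NuGet Installer step and fail the build if they differ afterwards. It assumes the update rewrites packages.config in the agent's checkout; the script name, parameters and snapshot file name are illustrative.

```powershell
# Added example, not TeamCity's or the post's own code.
# Usage (script name is an assumption):
#   before the NuGet Installer step:  .\Check-NuGetPins.ps1 -Mode Snapshot
#   after it:                         .\Check-NuGetPins.ps1 -Mode Verify
param(
    [Parameter(Mandatory = $true)] [ValidateSet('Snapshot', 'Verify')] [string]$Mode,
    [string]$SolutionDir = '.',
    [string]$SnapshotFile = 'nuget-pins.snapshot.txt'
)

function Get-PinnedPackage {
    param([string]$Root)
    # Each packages.config holds <package id="..." version="..." /> entries.
    Get-ChildItem -Path $Root -Recurse -Filter packages.config | ForEach-Object {
        $file = $_.FullName
        $doc = [xml](Get-Content -Raw -Path $file)
        foreach ($pkg in $doc.packages.package) {
            '{0}|{1}|{2}' -f $file, $pkg.id, $pkg.version
        }
    } | Sort-Object
}

$current = @(Get-PinnedPackage -Root $SolutionDir)
if ($current.Count -eq 0) {
    Write-Error "No package entries found under $SolutionDir."
    exit 1
}

if ($Mode -eq 'Snapshot') {
    Set-Content -Path $SnapshotFile -Value $current
    Write-Host "Recorded $($current.Count) pinned packages."
    exit 0
}

# Verify: any line present on one side only means a version was changed.
$before  = @(Get-Content -Path $SnapshotFile)
$removed = @($before  | Where-Object { $current -notcontains $_ })
$added   = @($current | Where-Object { $before  -notcontains $_ })

if ($removed.Count -eq 0 -and $added.Count -eq 0) {
    Write-Host 'Pinned versions in packages.config are unchanged.'
    exit 0
}
$removed | ForEach-Object { Write-Host "was: $_" }
$added   | ForEach-Object { Write-Host "now: $_" }
Write-Error 'A build step changed the versions pinned in packages.config.'
exit 1
```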
Dublin Bus this week launched the Online Payments facility for Standard Fares.
The Dovetail-developed system allows passengers to pay a Standard Fare online. It is mobile-friendly and allows customers to pay a Standard Fare on their mobile, tablet, laptop or desktop computer.
The system is built using C#, CSS and HTML5 and it is integrated with the Standard Fare Backoffice Management System which Dovetail previously developed for Dublin Bus and which is used by three large Irish Transport Operators: LUAS (Dublin Light Rail), Irish Rail and Dublin Bus.
Our work with Dublin Bus, LUAS and Irish Rail is all part of Dovetail's continued involvement with the transport sector.
12/01/2017 UPDATE: It is Against the Azure Terms of Service to use a VM to send out emails. Microsoft recommends you use a third party email sender.
Today I had an interesting challenge. It was to set up a SMTP server on an Azure virtual machine for a client who were moving to the cloud.
As we all know Microsoft likes to lock down or change certain settings on us when using their cloud services so hopefully this guide will help someone when setting up their SMTP on an Azure VM.
Here are the steps I needed to follow in order to get the SMTP server working on the Azure virtual machine.
- Install SMTP via Server Manager > Manage > Add Roles and Features
- Click Next until you reach "Server Roles"
- Tick Web server
- Click Next
- Tick SMTP
- After Installation Open IIS 6.0 Manager
- Right Click on SMTP Virtual Server and click properties
- Pick the VMs local IP address (Should be only one in drop down)
- Click Access Tab
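- In the "Connection" and "Relay" screens select "All Except the list below" (with nothing in the list, any host that can reach the server on port 25 may connect and relay mail through it, so limit access to that port to the machines that need to send)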
- Click Apply and OK
- Go to Services
- Right Click "Simple Mail Transfer Protocol"
- Set the startup type to Automatic
- Click Apply
- Stop and Start the Service
- Click OK
- In your Web configs ensure to change any SMTP Server values from "localhost" to the name of the Azure VM e.g. "DovetailExampleVMName". This is the name you used when you first created the Virtual Machine on the Azure portal.
- Test your SMTP server
Hope this helps some people who are having trouble porting some websites over to an Azure virtual machine that used SMTP on their server.
I love SSL certs; the green banner they give gives a nice sense of security when shopping online. But this week I was installing an SSL certificate and I encountered a very strange error "CertEnroll::CX509Enrollment::p_InstallResponse: ASN1 bad tag value met."
The error occurred when I tried to install the certificate via IIS.
To fix the problem I had to do the following:
- Click Start, click Run, type mmc.exe, and then click OK.
- Click File, click Add/Remove Snap-ins.
- Select Certificates, and click Add, and then click OK.
- Select Computer account, and click Next, and then click Finish.
- Click OK.
- Expand Certificates (Local Computer), and Personal, and then Certificates.
- Right-click the certificate, and then click Properties.
- Edit the Friendly name field
After I finally got the certificate installed I applied it to the IIS binding for the site and we got the green banner on the site when we visited the secure side of the site.
.NET Membership with MVC & Auto Scripting
Kit this week has been building a Membership implementation for a client. He was trying to do it via a code first approach where the database would be built later on.
I thought there was no automatic script building for SQL Server. However, buried deep inside .NET and not well documented, Kit found how to get the database on the SQL Server to be automatically populated specifically for Membership/Identity. All one had to do was send in the connection string and when you registered your first user the tables would be created on your SQL database. This will make creating Membership entities a lot easier in the future. Nice one, Kit.
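using Microsoft.AspNet.Identity.EntityFramework;
public class ApplicationDbContext : IdentityDbContext<ApplicationUser>
{
    // The first argument is the connection string (or its name in Web.config).
    public ApplicationDbContext()
        : base("ConnectionString.SQL Server (SqlClient)", throwIfV1Schema: false) { }
    public static ApplicationDbContext Create() { return new ApplicationDbContext(); }
}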
The Return of Gregory
Greg our intern for 7 months last year has returned to work full time with Dovetail. We are delighted to welcome him back. Hopefully he will have a blog post for you this month. He has been working with Fabrizio on the IKEA project.
It has once again been a busy month for Dovetail. With development work, meetings and trips to Denmark we are looking forward to the Bank Holiday weekend.
Rafal & Mossy have been working on the Lobbying web application. They have been putting some finishing touches to the application.
Murilo has been working on the CSS for the Lobbying application. The CSS will feature high contrast colours which will mean the site will be more accessible. He is also working on transferring some old virtual machines over from Tomas's old machine to his new one. This involves getting the old VHD file to work on Hyper-V.
Murilo has also delivered an update to our Hawkeye application. The new update allows us to monitor various Azure products and to alert us when they go down which means we can quickly determine if an issue lies with an application or with Azure.
Fabrizio has been working on some new features for IKEA Swipe a Surprise.
Kit has been doing some fantastic work on an update for a client and we hope to have more on this very soon.
Tomas has been working on finishing some updates for CIS. He also managed to fit in some other work for other clients.
Trevor and Martin have been going to meetings to get a scope on a new project.
I've been working steadily on updates to the Irish Rail project as well as providing support to existing clients.
And we are happy to announce the return of Greg who has finished his degree with Griffith College and will be starting work here on Tuesday.
We look forward to welcoming him back to the Dovetail team.
I brought my two Goldfish with me today to work and they have set to work with immediate effect. Their job "Be a Fish".
As I'm moving soon to a new place I needed to re-home these cool Shubunkin Goldfish.
They will be in the Dovetail office for about a month or so.
All thanks to Trevor for letting me use the office to house them.