Creating Certificates With Dual San Attributes

For organizations that have certain security standards, it is customary that the common name on certificates must match the host name of the machine. Furthermore, wildcard certificates are generally unacceptable because of the broad reach that such a certificate implementation could have.

The solution that most organizations will take in light of these considerations is to use a subject alternative name (SAN) attribute on their certificate in order to avoid the ugly certificate mismatch screen that appears in IE7. In IE6 it was an issue because of the homely NT login box that appeared, however this user experience is amplified  in IE7 since the certificate mismatch error will consume an entire page and is therefore not the most attractive experience for users. What a SAN attribute basically accomplishes is the allowance of multiple identities to be bound as the subject on a certificate, whether it is something like a URL, IP, etc. for the certificate request attribute, so that the mismatch never occurs.

So far, this sounds like a pretty good solution for people whose CN must match the hostname of the SharePoint machine. But, if you dig a little deeper into the request architecture for a default Windows Server 2003 instance you will see that natively it is not possible to submit a certificate request where subject alternative names are identified. This of course is a large problem.

The solution is pretty straight forward though, and involves a combination of creating a new certificate request .inf along with a combination of command lines that are run both on the requesting machine and the issuing CA box.

Step 1 – Create a New Certificate Request .inf file

The first step is to create a sharepointcertreq.inf file that will act as an parameter for certificate creation input. This can just be done in your favorite text editor, notepad suffices just fine. Within the .inf file, place the following content:

[NewRequest]
Subject = “CN=sharepointhostname”
KeySpec = 1
KeyLength = 1024
Exportable = FALSE
MachineKeySet = TRUE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = “Microsoft RSA SChannel Cryptographic Provider”
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

Step 2 – Create The New Certificate Request 

Using this .inf file, you can pass it in as a parameter to create a certificate request using the certreq tool. This is done on your SharePoint machine that you desire the certificate for. If you are having trouble finding the certreq tool, you might not have it installed on the server. The certreq tools is a part of the  Windows Server 2003 Administration Tools Pack, which you can download from here:

Windows Server 2003 Administration Tools Pack

which will include certreq.exe. Once you have located the executable, submit the following parameters with it:

certreq -new c:\sharepointcertreq.inf c:\sharepointservercert.req

As a side note, this may take a few moments to execute, mainly depending on the size of the key that is specified in the sharepointcertreq.inf file.

Step 3 – Change Some Registry Attributes

Step 3 occurs on the issuing CA machine, so switch to that machine.

Using the certutil -setreg method is nice because you can directly avoid using regedit and navigating through its innards to the appropriate attributes and flags. Issue the following command to support subject alternative names:

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

Step 4 – Restart Certificate Services

Once you have gotten this far with the changes, it is time to restart certificate services so that the changes take effect. This is best done by creating a small reusable .bat file, since you might be doing certificate configuration a fair amount if you are heavily tailoring the MCS implementation. Like the previous step, this happens on the issuing CA.

Create the following in a CertficateRestart.bat file:

@echo off
REM – File: CertficateRestart.bat
REM – Description: Restart’s Certificate Services
REM – Author: Adam Buenz
echo Restarting Certificate Services…
echo ======================================================
net stop “certificate services”
net start “certificate services”
echo ======================================================
echo Certificate Services Has Been Successfully Restarted

Run the .bat file in order to restart certificate services, which should display “Certificate Services Has Been Successfully Restarted” when it is complete.

Step 5 – Submit the certificate request

With the request file that you created previously, you now have to issue the certificate request. Place the sharepointservercert.req file that you previously created on some sort of accessible medium from the issuing CA machine, best stored on the actual disk somewhere. Following, run the below command in order to submit the certificate request with the relevant SAN attributes:

certreq -q -attrib “SAN:DNS=mysharepointserverSAN” -submit sharepointservercert.req

Once this is complete, your certificate request will go through with the relevant SAN attributes.

Share

Dual San’s and SharePoint Search (Solution)

When working with SharePoint and certificate solutions (SSL, not IPSec) for providing client level pipe security, you may run into some issues that although doesn’t occur with every environment. This particular concern occurs when you have a Dual SAN (Subject Alternative Access) for your SSL certificate because your SharePoint machine host name is different than the Common Name (CN) that is present on the certificate.

For most environments, you will be accessing your site with a different requesting name than the host name, mostly through the use of Host Headers (HH mode):

Example SharePoint Server Host Configuration:

Server (Machine or Host) Name: servername.sharepointsecurity.com
Querying Name (host-header name): sharepoint.sharepointsecurity.com

(The querying name is the name that matches the Common Name (CN) on the server SSL certificate)

The reason that dual SAN attributes become increasingly important in this type of configuration is because SharePoint users will run into a certificate error saying that there is a mismatch that occurs between the website being requested and the common name that is present on the website certificate if there is no Dual SAN attribute to compensate for the differentiation. Although this resulted in a homely grey box when requesting the website in Internet Explorer 6, in Internet Explorer 7 a whole separate page prompt is brought up making the user aware that there is a mismatch. This is pretty bad for usability and overall user experience. General users that aren’t savvy with internet technology will generally choose the giant red symbol rather than the other which tells them that continuing to this website is not recommended, since, hey, everyone goes by Microsoft recommendations.

When implementing the dual SAN in order to bypass this prompt, you will notice that the search results will continually offer a no-item count in the search results, regardless of how the default content access account is structured. Regardless of the privilege of the default content access account, whether you are using a client certificate, this problem will still persist. This is known problem with dual SAN’s within a SharePoint environment in regards to returned search results.

The easiest, quickest solution to the problem is to extend the SSL secured web application into another, unsecure (HTTP) web application that is accessible by the SharePoint gatherer. Extending a new web application essentially places the relevant SharePoint files, associates the application pool, establishes the appropriate references, content mapping, etc. so that the content that is being served through the extended application is essentially the same between the two web applications.
When extending the web application you can either use an IP loopback adapter or IPSec in order to restrict the communication between the gatherer and the site. This would in essence cause the only entity that is able to access the HTTP site to be the SharePoint gatherer maintain security standards.

In order to extend the SSL Web Application to an HTTP accessible site for content gatherering, there are a few steps to follow through WCAM (Web Central Administration). Because you are extending a new web application, it is important to realize that you are going to be making a new IIS site since this essentially translates to a new web application.

  1. Open SharePoint Central Administration
  2. Navigate to the Application Management
  3. Create or Extend Web Application
  4. Select Extend an Existing Web Application
  5. Fill in the relevant information in order to extend the secured information to an SSL site.

*note: some images and things might appear funky when you actually request the site. This doesn’t really matter since the only time it will be requestable with an IP loopback adapter or IPSec is when the SharePoint gatherer IP is hitting it.

Once the web application has been extended onto an accessible HTTP site, you can set the content sources for the search to crawl the non-secure site (HTTP) instead of the secure site (HTTPS). To change the content source configuration:

  1. On the relevant Shared Services Administration page (choose the SSP that search is filed under), in the Search section, click Search settings.
  2. On the Configure Search Settings page, in the Crawl Settings section, click Content sources and crawl schedules.
  3. There should be a content source already there that is provisioned by default with SharePoint called “Local Office SharePoint Server sites”.
  4. When you are in the “Edit Content Source ” screen, in the “Start Addresses” section, place: http://unsecurenewsharepointsite, sps3s://regularoldSSLsite/
  5. Then set the relevant crawl schedules as your organization deems fit.

After you crawl the content source, you will notice that you are again indexing items, which solves half of the dillema. As well, a majority of the URLS are being re-written in the default Core Search Results WebParts, but not all of them!

In order to rewirte the remaining URL’s, you must adjust the XSL being used by the core search results WebPart. Include the following with the managed property that you are using, in this example I am using the sitename property.

Once you have the re-writing in place, you can use the re-written managed properties for something like getting the site that a particular item is on:

Share

SharePoint Knowledge Management Accelerator for Healthcare

The Knowledge Management Accelerator for Healthcare is an attempt to implement a framework that uses KP cubed architecture in order to break down business data into identifiable organizational assets.

KM is knowledge Management that works with healthcare systems, and it consists of human elements and processing. At one time, particular accomplishment issues restricted the healthcare changeable, including restricting cost and care to patients. As advances took place however, the administrative of healthcare as well as clinical aspects evolved with differentiating changes, while redefining doctrines of competing nature, changing the outlook of the treatment in healthcare and administration. Today, healthcare atmosphere treat patients by predicting illnesses before they arrive and preventing them to progress. Thus, the system works to manage the patient’s health by instigating healthier tactics and enforcing the action throughout the lifespan. The approach required substantial investments and intelligence assets. The key focus in the Knowledge Management-KM system is lagging the intellect of the hospital’s KM from deterioration.

Many hospitals lack knowledge of the usage of their achieved information bottom. The information is often left behind since employees’ abrasion causes deterioration, and the high rates of turnover, and cost-effective measures, including wrongfully submitted documentation, have brought down the insight and need for KM.

Certain tools in KM, such as metrics center on the hospitals gain, storage, and retrieving of intelligent benefits. The focus is tangibly constructed with other tools to make the system work, including enhancing strategic for learning, planning and making decisions.

The concept lengthens the skills of logic, and productively designing plans in growth and development.

The Knowledge Management-KM views the knowledge assets and management tool for gain. The improvement of healthcare and patient care directs toward the proportional hospital assets of intellect. The skillfully KM tool promotes expertise, while promoting employees to stay focused while capturing the reflections of its strategy, practicing devices, policy scheme, and capturing the information at each level of the patient care and healthcare activity level.

The insubstantial benefit of KM to employees’ care for fundamental novelty in that it goes forward in planning, interchanging in management, culture of hospital, while giving a balance approach.

KM is vital for developing sharing of knowledge attitudes and competence in patient care.

Sharing is essential in managing the KM assets since it reduces or increases cost, ‘cycle time,’ and improves the hospitals investments, satisfaction, indexing, and leaves room for healthier paramedical intellect and medical treatment.

At one time, KM was only available to a hand full of practitioners. Over the past few years however, researchers exploded and brought forth new light and applications. A measure of concern in the strategy of KM is pending for few practitioners, which poses a threat, since it may affect the reproduction of intelligence, entirety of excellence management, and the business of re-engineering. Discipline becomes an interest, since it must sustain at a particular level to remove any flaws from the concept simultaneously while delivering a measure of value to the business.

Ironically, however, as the disciplinary begins to work, interest of the concept is lost, and additional failures become apparent, thus, the true benefit is lost.

This leads to a breaking point, since ambitiously and interest of KM starting points in healthcare evolves at various levels, and may work technically, but it will not continue working in an economical sense. With this in mind, we can see that the healthcare systems continue to be enormous gear for repayments in healthcare expenses. , social workers, and healthcare networks including medical experts will remain aware of the power and tools available to them over the Internet.

The outlook is not completely unenthusiastic, even if it changes gradually from the first pattern.

Though substantial development has been reached, it will take extensive work to deliver KM promising value. In the end, in order to understand the true value of KM, healthcare experts must find motivation while including organization, sharing, and creating. The majority forecasting models have been urbanized in healthcare in the previous era.

The models given ear to how exploitation of arrangement designs includes pay, deductibles, et cetera, and would manipulate deployment of behaviors and to regulate for case-mix and risks for the reason of forecasting global expenses and placing sets on capitation repayment rates.

Until currently, little interest was applied in predictable tools to individuals for the reason of reduction of cost and improving care of individuals. The lack of interest was primarily due to absence of the tools, which could be precisely predicted in future individuality of patient use, precisely for patients that had no current use.

In terms of general understanding, the current use of particular types of health services is best predicted of future usage. The methods of prediction of future usage of particular services, while there is no current usage existing of similar service tend to produce results that are meaningless to program managers in healthcare. Currently, the rapid increase in generation and data collection, researchers are capable of exploring patterns hidden with large databases.

Substantial quantities of healthcare data, is available within databases that could be utilized for discovering knowledge. The diversity and complexity of healthcare data demands concentration for usage of statistical techniques.

Decision trees present challenges of unique quality in data analysis, which are extremely opposite of linear regression techniques. The decision trees make available unique models especially suited for this particular analysis strategy. These analyses demonstrate the CART data mining methods and how they can be employed to extract knowledge from incorporated healthcare datasets, which concern future mental health usage in population, including those that have no current mental health usages.

The tools could be utilized in identifying patients likely to require mental health usage in the future, based on non-mental healthcare utilization prior to entry into the mental health systems. The managerial aspects would obviously vary from health plans from this technique, but various approaches could be propositioned. Identification of this technique could be utilized to notify mangers and others. The purpose is for the need of intervention sooner, and identifying patients and sending information packages on availability of behavior health services, sending the packages early, while encouraging patients to call for appointments. The patients are encouraged to call when feeling depressed or anxious over recent changes in healthcare events, and behavior health providers utilizing a list of identified patients could make outreach calls to the patients in need. Such intervention strategies can reduce costs while improving quality of life for those suffering serious mental and physical health conditions. Speaking irrespectively, the explicit techniques implemented in data mining techniques are noteworthy and the idea has brought forth a widespread outcome of application of ALL techniques, since it has brought forth innovative knowledge.

The newly creation of knowledge growing extant knowledge base of orgs, not only adds value to intangible assets, it also increases overall organizational value of new managerial techniques, such as balance scorecards, which it has demonstrated.

Today’s knowledge-base economy sustains strategic returns as it gains more from organization knowledge assets, than from traditional types of assets within organizations. In today’s economy, the processing, tools, and techniques serve to develop knowledge assets in organizations, thus increasing value of strategic necessity and competitiveness.

Healthcare is recognized for utilizing leading-edge medical technologies, while embracing innovative scientific discoveries, enabling healthier cures for disease and better solutions for enabling early detection of most life-threatening diseases.

The healthcare industry has been extremely slow to adopt key business processes, in both the US and globally. The process of knowledge management has crept along, and the techniques, including data mining, all have moved along slowly.

With this in mind, making more of an investment is indispensable in business processing and techniques. Furthermore, the notion and investment is a strategic vital comeback for the US healthcare industry, if the industry is to achieve premier standings with respective high-value, high quality, and high-accessibility of healthcare delivery systems.

A final report composed by the Committee on the Quality of Healthcare in America, noted that improvements of patient care integrally links to providing high-quality healthcare. Furthermore, to achieve high quality of healthcare, the committee recognized six key aims in the healthcare industry, including the changes necessary to make healthcare more sufficiently:

1. Safe environment: preventing injuries to patients from the care that is intended to assist them,

2. Effective: providing services based on scientific knowledge to all who could benefit and refrain from providing services to those who will not benefit (i.e., avoiding under-use and overuse),

3. Patient-centered: providing care that is respectful of and responsive to individual patient preferences, needs, and values and ensuring that patient values guide all clinical decisions

4. timely: reducing waiting and sometimes harmful delays for both those receiving care and those who give care

5. Efficient: avoiding waste

6. Equitable: providing care that does not vary in quality based on personal characteristics.

The poor quality healthcare is related to the highly fragmented delivery system in the healthcare system, since it lacks rudimentary clinical information capable of issue productive results, since it its poorly designed care process characterizes unnecessary duplications of services, which leads to long waiting time and delays.

The applications and development of sophisticated information systems is indispensable to tackle these quality matters and to improve competence. Up till now, healthcare delivery has been comparatively untouched by the transformation of information technology, new business administration processes, such as knowledge management or innovative techniques, such as data mining, which are transformed in many areas of business today.

Healthcare groups are encountering a quite a rebellion, since the industry is fueled by economic pressures and reexamination of the principles of distribution of care. These corporations are also committing to the attacks from technology. As laggards, the healthcare delivery institution often faces the adoption of the prevailing innovations in information technology. The impact of the World Wide Net and innovations in telecommunications, computing, and the enduring arrival of micro-devices are commencing to be touched in healthcare delivery.

The force of these effects are found in the confluence of the technology itself, with innovations in marketing, management, and the altering perspective of the healthcare consumers. Currently there is a rising trend of increased consciousness, empowerment, and changes in the attitudes of healthcare consumers concerning the delivery of healthcare services.

The intersection of this brunt of changes is producing a tremendous enlargement in knowledge flowing through the healthcare system. Starting at the bedside to medical school, onward to the examining room, and to the medical encounters, including family and patient roles, the delivery of healthcare services, has new facets to our knowledge regarding healthcare and its delivery.

Medical knowledge has placed medical professions in confrontation, since KM is on the rise. Genetic researching, innovative drugs, and expansion of field research in areas of biotech and biomedical engineering creates strong needs in management. Today, medical professions, particularly students are equipped with PDA’s, and other miniature- information tech devices that permit them to access vast arrays of knowledge.

Healthcare delivery, as well as its followers and professionals, we now can produce added knowledge in a day than in hundreds—possibly thousands—of years in humane history. Just imagine producing more automobiles in one day, in what could take a hundred years to design. Our highways and byways would clog immediately, and it would create a task so horrible to sort out the traffic jam, that it would lead to frustration beyond human capacity. A comparable state of affairs occurs in the growth of knowledge in the healthcare delivery arena.

Since the healthcare delivery industry is jammed with the continuing production of knowledge, there is a desperate need for knowledge management, especially management capable of inserting order into the developing confusion in the making. In view of the fact that healthcare is notoriously sluggish in adopting such innovations, we are now beginning to understand the original forays of these orgs into the epoch of knowledge management systems. The healthcare system is taking careful baby-steps and currently very little systematic exertion that documents such a passage into an innovative era of managing knowledge.

In the final examination, healthcare delivery is the manipulation of knowledge and the management of organizations— including healthcare organizations — is the administration of knowledge. We are now apprehending that unless groups are competent of efficiently managing the knowledge they need to act and to survive, they are destined to catastrophe. This manuscript offers a considerate array of topics, ranging from the principles of knowledge management, e-health organizations, knowledge management infrastructure, and how to start and progress-knowledge management systems. It’s an original effort to create responsiveness of the importance of knowledge management in healthcare delivery. It’s also the reverberation of a call to other scholars inviting them to join in discovering the fundamental and rapidly growing areas of knowledge management in healthcare delivery organizations.

Share