20 lines
6.5 KiB
JSON
[
{"timestamp": "1:43", "title": "ST Certificate Fundamentals and X.509 Wrapping", "summary": "All certificates in ST are treated uniformly as X.509s internally. SSH keys are wrapped with the local CA to create X.509s for easier management. ST maintains expiration dates on all certificates including those originally without them. Two distinct certificate storage locations: global (server-shared) and per-account (user-specific)."},
{"timestamp": "5:44", "title": "Certificate Storage Tiers: Global, Local, Trusted CAs", "summary": "Global list: certificates any user and server can use. Local certificates: public-private pairs used for protocol daemons and shared authentication to partner sites. Trusted CAs: root and intermediate certificates. ST's internal CA is one of many trusted CAs and signs all generated certificates."},
{"timestamp": "10:46", "title": "Account-Level Certificate Categories", "summary": "Three per-account certificate tabs: Login certificates (public keys for user authentication via SSH/certificate protocols). Partner certificates (public certs for PGP encryption and AS2 mutual trust). Private certificates (for logging into partner servers and PGP decryption)."},
{"timestamp": "12:33", "title": "Client-Private, Server-Public Key Authentication Model", "summary": "For authentication, the connecting client carries the private key; server carries the public key to validate against. PGP encryption uses public key; decryption uses private. SSL X.509s contain both components plus metadata."},
{"timestamp": "15:45", "title": "Certificate Placement Troubleshooting and Access Levels", "summary": "Partner certificates tab holds only public components; if private key needed for transfer sites, place in private certificates tab instead. Local certificates work for both because they contain both public and private. Access levels control sharing: private (account-only), business unit, or public scopes."},
{"timestamp": "20:41", "title": "DigiCert Import Workflow and Certificate Chaining", "summary": "Import signed DigiCert certificate into local certificates first. 'Valid and chained' status means the full chain is trusted. If not chained, missing intermediate or root CA — use browser to extract chain, then import intermediates and roots into trusted CAs. Operations panel server certificate field draws only from local certificates."},
{"timestamp": "22:06", "title": "Certificate Validation Status and Chain Verification", "summary": "Two validation components: 'valid' checks certificate dates and time zones; 'chained' verifies path to trusted root. Keep adding root and intermediate certificates until status shows 'valid and chained'. Certificates not meeting this requirement cause service errors even if partially functional."},
{"timestamp": "29:16", "title": "Passwordless Certificate Import and Browser Conversion", "summary": "Import passwordless cert into browser, mark private key exportable, export it, then apply password before importing to ST. Browser approach works faster than OpenSSL for certificate handling. ST requires all local and private certificates to have password protection."},
{"timestamp": "33:38", "title": "Password Types: Private Key vs CA Password", "summary": "X.509 import password protects the private key. SSH key import asks for CA password (internal CA's password to sign the key into X.509). Different screens ask for different password types — important to distinguish when troubleshooting import failures."},
{"timestamp": "35:22", "title": "External Script Routes for Conditional File Processing", "summary": "Create route with external script as first step; configure proceed on success only. Script checks file contents and exits zero for success or non-zero for failure. Script must be local (not NFS) and installed on all cluster nodes. Log scripts to standard output for debugging."},
{"timestamp": "37:39", "title": "External Script Performance and File Passing Limitations", "summary": "Each external script invocation creates new JVM runtime; hundreds of files cause resource issues. Pluggable Java steps are a more efficient alternative. External scripts do not properly pass files to next step; they leave files in sandbox. Uncheck 'proceed only with result from preceding step' to grab all sandbox files regardless of source."},
{"timestamp": "40:56", "title": "PFX Certificate Format and Browser Workaround", "summary": "ST does not support PFX format. Import PFX into browser, export as P12, then import to ST. Browser automatically extracts and links proper intermediates and roots during import, making manual chain discovery unnecessary."},
{"timestamp": "45:48", "title": "Trigger Files for Batched File Processing", "summary": "Non-scheduled folder monitors wait until trigger file arrives before processing batch. Trigger supports grab-all, pattern-matching, or file-list modes. New option: if trigger contains file list, waits for all listed files to arrive before processing. Batch processing reduces resource overhead vs. per-file handling."},
{"timestamp": "49:34", "title": "Windows to Linux Storage Migration: NFS, GFS, GPFS", "summary": "Linux backend supports NFS (cheaper, less performant), GFS, GPFS (commercial-grade, clustered, faster). NetApp appliance can export NFS mounts. Samba protocol provides Unix equivalent for folder monitor pulls. Capacity guide documents performance comparisons for file system choices."},
{"timestamp": "55:45", "title": "Cloud and Windows Migration Strategy Considerations", "summary": "Delay Windows-to-Linux migration if moving to cloud within two years — double migration wastes effort. Text file line-ending conversion (Windows CRLF vs Unix LF) requires routing changes. Unix file permissions differ from Windows account-based security."},
{"timestamp": "58:51", "title": "June 2023 Patch Folder Monitor Root Permission Regression", "summary": "June 2023 patch changed folder monitor to verify root directory access, breaking existing setups requiring only parent-directory permission. Windows security model differs from Unix; Unix always requires parent permission clearance by design. Annie committed to investigating and reporting findings."},
{"timestamp": "70:29", "title": "Folder Monitor Scheduling, Cache Behavior, and Event Queue", "summary": "Rescheduling busy folder monitors does not stop in-flight execution; cache may take hours to clear. Disabling folder monitor service globally stops thread. November release adds event queue UI showing queued files behind processing. Folder monitor pull lists directory files at least N seconds old regardless of arrival time."}
]