Networking & Security on Wojciech Marusiak IT Blog

Protect your Git secrets with Gitguardian

Mon, 17 Mar 2025 00:00:00 +0000

Since I started my journey with Hugo blogging platform migrating away from Wordpress several years ago I’ve been using Git more and more. It has been essential for me to save all critical work I am working on in Git. But as you are working it might happen that a secret or two might be pushed to the Git repository. I am not guilty of that but as my process of learning and mastering the technology I found out that there is a possibility to protect your Git repositories even before pushing anything to the repository. In todays post I will show you how easily it is to use GitGurardian and prevent secrets leaking to public repositories.

Luckily for us they provide free account with some nice stats.

You can take a look at the detailed pricing.

Prerequisites

As a main prerequisite is Git repository. In my case I am using GitHub so I will show you how to configure it with GitHub.

ggshield installation

At first in your local environment you need to install ggshiled. It is a CLI tool which will will do the heavy work for you.

Simply follow your operating system installation guide.

Then you need to create GitGuardian account as you will need to authenticate via CLI.

Run manual repository scan

Now as we have ggshield CLI installed we can initiate our scan.

It is as simple as running the command ggshield secret scan repo /path/to/the/repo.

Here is the result of my manual scan on one of my repositories.

You can simply run this command on all of your repositories but if you have a lot of them it might take some time to do it.

Add pre commit hooks to secure your repository

It is possible to configure a pre commit hook in your Git repository so prior commit a ggshield CLI scann will be initiated.

In order to do it you need to create a file called .pre-commit-config.yaml. In tat file add following code

repos:
  - repo: https://github.com/gitguardian/ggshield
    rev: v1.37.0
    hooks:
      - id: ggshield-push
        language_version: python3
        stages: [pre-push]

You can check if there are some changes in this code as per installation guide.

In order to add pre-commit we need to install it via Pip.

`1`	`pip install pre-commit`

Once installed and the file is created you can simply by running command.

`1`	`pre-commit install --hook-type pre-push`

If installed successfully you will receive following output pre-commit installed at .git/hooks/pre-push.

After installing pre-commit before every push of code to Git repository it will be automatically scanned with ggshield.

If everything is configured correctly your repository should be scanned prior to push.

Optional - Scan all your repositories

If you are ok with that you can grant GitGuardian permissions to scan your whole Git account. In my case I allowed this and several issues have been identified. Luckily for me all those affected repositories are private.

Summary

I hope you liked it and that this will help you to secure your Git repositories.

Enhanced Security for Your VMware Workloads: VPC Service Controls Now GA in Google Cloud VMware Engine

Tue, 03 Sep 2024 00:00:00 +0000

Secure Your Cloud VMware Environment with VPC Service Controls

Google Cloud VMware Engine just got even more secure! VPC Service Controls are now generally available, providing an additional layer of protection for your valuable data and applications.

What are VPC Service Controls?

VPC Service Controls help you mitigate the risk of data exfiltration and unauthorized access to your Google Cloud resources, including your VMware Engine private clouds. They act as a virtual perimeter around your services, preventing sensitive data from leaving your defined boundary.

How Does this Benefit You?

Prevent Data Exfiltration: Control data flow and prevent sensitive information from leaving your environment.
Reduce the Risk of Unauthorized Access: Restrict access to your VMware Engine resources and protect against malicious actors.
Enhanced Security Posture: Strengthen your overall security posture and comply with regulatory requirements.
Simplified Security Management: Centrally manage security policies across your Google Cloud and VMware Engine environments.

Getting Started with VPC Service Controls

To learn more about how to enable and configure VPC Service Controls for your Google Cloud VMware Engine environment, check out the official documentation:

VPC Service Controls for Google Cloud VMware Engine

Summary

With the general availability of VPC Service Controls, Google Cloud VMware Engine provides a more secure and compliant environment for your mission-critical VMware workloads. Take advantage of this powerful security feature to protect your data and applications in the cloud.

Use SSH With Private and Public Keys in VMware ESXi

Tue, 24 Nov 2020 12:46:47 +0100

I am a private Linux user since many Years and I always have used combination of username and password to authenticate when logging via Secure Shell (SSH). It worked pretty well for Years but recently as my Linux footprint grew it started to be very tiresome. I knew that there is this “magical way” to login without password but I was reluctant to try it out. Once I tried it out I loved it and I never ever want to user password to authenticate with SSH. In this post you will learn how you can use combination of public and private keys to login to VMware ESXi.

Why should you consider using key based authentication?

Thats a very good question. Public Key Infrastructure Public Key Infrastructure - Wikipedia is a very secure way of generating and using a pair of keys - public and private one. Public key can be shared with everyone and private one should be stored securely. In every modern operating system you can create such a key pair and login to SSH enabled systems.

How to create a public / private key pair?

Generally speaking it is very easy and can be done in several ways. It differes per Operating System.

macOS

In macOS you can do it in terminal of your choice.

Open Terminal.
Type ssh-keygen.
You will be asked where you want to store your keys.
Optionally you can secure your keys with a passphrase.
Pair of keys will be generated.

Linux

In Linux procedure is pretty much the same as in macOS :D

Windows

In Windows keys creation of course might be different based on software you use. In my case I am using free PuTTY to login via SSH. In order to generate SSH keys you need to start software called PuTTY Key Generator - puttygen.exe.

Start puttygen.exe.
Choose type of key you want to generate. I suggest as minimum RSA with 2048 bits.
Click Generate.
You will need to generate some randomness with your mouse.
Once done you can configure authentication with keys in your PuTTY session.

Where to store you public keys?

In my case I am using two macOS laptops and one Windows 10 based computer (to play some games). I have different SSH keys on each computer. I added all SSH keys to my GitHub account and whenever I need to retrieve them I simply check them using following command.

wget https://github.com/wojciehm.keys

Add your public keys to VMware ESXi

Procedure is quite simple.

Login to VMware ESXi Server using SSH.
Edit following file /etc/ssh/keys-root/authorized_keys and add your keys.
Execute following command to restart SSH service. /etc/init.d/SSH restart.
Try logging in and mark that you don’t need password anymore.

NSX 6.4.0 released with cool new features

Thu, 18 Jan 2018 14:58:02 +0000

A few days ago VMware released its flagship product NSX. In version 6.4.0 many new features and enhancements are introduced.

Security Services:

Identity Firewall: Identity Firewall (IDFW) now supports user sessions on remote desktop and application servers (RDSH) sharing a single IP address, new “fast-path” architecture improves the processing speed of IDFW rules. Active Directory integration now allows selective synchronization for faster AD updates.
Distributed Firewall: Distributed Firewall (DFW) adds layer-7 application-based context for flow control and micro-segmentation planning. Application Rule Manager (ARM) now recommends security groups and policies for a cohesive and manageable micro-segmentation strategy.
Distributed Firewall rules can now be created as stateless rules at a per DFW section level.
Distributed Firewall supports VM IP realization in the hypervisor. This allows users to verify if a particular VM IP is part of a securitygroup/cluster/resourcepool/host which is used in the source, destination, or appliedTo fields of a DFW rule.
IP address discovery mechanisms for VMs: Authoritative enforcement of security policies based on VM names, or other vCenter-based attributes requires that NSX know the IP address of the VM. NSX 6.2 introduced the option to discover the VM’s IP address using DHCP snooping, or ARP snooping. In NSX 6.4.0, the number of ARP discovered IPs have been increased up to 128 and are configurable from 1 to 128. These new discovery mechanisms enable NSX to enforce IP address-based security rules on VMs that do not have VMware Tools installed.
Guest Introspection: For vCenter 6.5 and later, Guest Introspection (GI) VM’s are named Guest Introspection (XX.XX.XX.XX), where XX.XX.XX.XX is the IPv4 address of the host on which the GI machine resides. This occurs during the initial deployment of GI.

NSX User Interface:

Support for vSphere Client (HTML5): Introduces VMware NSX UI Plug-in for vSphere Client (HTML5). For a list of supported functionality, please see VMware NSX for vSphere UI Plug-in Functionality in vSphere Client.
HTML5 Compatibility with vSphere Web Client (Flash): NSX functionality developed in HTML5 (for example, Dashboard) remains compatible with both vSphere Client and vSphere Web Client, offering seamless experience for users who are unable to transition immediately to vSphere Client.
Improved Navigation Menu: Reduced number of clicks to access key functionality, such as Grouping Objects, Tags, Exclusion List and System Configuration.

Operations and Troubleshooting:

Upgrade Coordinator provides a single portal to simplify the planning and execution of an NSX upgrade. Upgrade Coordinator provides a complete system view of all NSX components with current and target versions, upgrade progress meters, one-click or custom upgrade plans and pre- and post-checks.
A new improved HTML5 dashboard is available along with many new components. The dashboard is now your default homepage. You can also customize existing system-defined widgets and can create your own custom widgets through API.
New **System Scale **dashboard collects information about the current system scale and displays the configuration maximums for the supported scale parameters. Warnings and alerts can also be configured when limits are approached or exceeded.
Guest introspection reliability and troubleshooting enhancements. Features such as EAM status notification, upgrade progress, custom names for SVMs, additional memory and more improve the reliability and troubleshooting of GI deployments.
A Central CLI for logical switch, logical router, and edge distributed firewall reduces troubleshooting time with centralized access to distributed network functions.
New Support Bundle tab is available to help you collect the support bundle through UI on a single click. You can now collect the support bundle data for NSX components like NSX Manager, hosts, edges, and controllers. You can either download this aggregate support bundle or can directly upload the bundle to a remote server. You can view the overall status of data collection and status for each component.
New Packet Capture tab is available to capture packets through UI. If there is a host which is not in a healthy state, you can get the packet dump for that host, and administrator can examine the packet information for further debugging.
You can now enable Controller Disconnected Operation (CDO) mode from the Management tab on the secondary site to avoid temporary connectivity issues. CDO mode ensures that the data plane connectivity is unaffected in a multi-site environment when the primary site loses connectivity.
Multi-syslog support for up to 5 syslog servers.
API improvements including JSON support. NSX now offers the choice or JSON or XML for data formats. XML remains the default for backward compatibility.
Some of the NSX Edge system event messages now include Edge ID and/or VM ID parameters. For example, event code 30100, 30014, 30031.
These message parameters will not be available for older system events. In such cases, the event message will display {0} or {1} for the Edge Id and/or VM Id parameters.

NSX Edge Enhancements:

Enhancement of Edge load balancer health check. Three new health check monitors have been added: DNS, LDAP, and SQL.
You can now filter routes for redistribution based on LE/GE in prefix length in the destination IP.
Support for BGP and static routing over GRE tunnels.
NAT64 provides IPv6 to IPv4 translation.
Faster failover of edge routing services.
Routing events now generate system events in NSX Manager.
Improvements to L3 VPN performance and resiliency.

NSX SFTP Backup stops working after upgrade to NSX 6.3.*

Mon, 23 Oct 2017 08:33:03 +0000

I am in a process of upgrading NSX 6.2.4 by a customer in three locations deployed using VVD Deployment Toolkit. The NSX Upgrade itself went really smoothly. However, after the upgrade, we noticed that SFTP backup stopped working with an enigmatic error.

`1`	`Unable to connect to server FQDN at 22. Either server details are invalid or invalid credentials are presented.( Common algorithms not found. )`

After checking credentials and SFTP backup destination server I found that with NSX 6.3.0 SFTP supports following backup ciphers:

1
2
3

Encryption: aes128-cbc, aes128-ctr, aes192-cbc, aes192-ctr, aes256-cbc, aes256-ctr
Message Authentication(mac): hmac-sha2-256
Key Exchanges: diffie-hellman-group-exchange-sha256

https://docs.vmware.com/en/VMware-NSX-for-vSphere/6.3/rn/releasenotes_nsx_vsphere_630.html

To fix the issue sshd config must be adjusted:

Edit the ssh_config.
sshd_config keywords Cipher and MACs need to be updated with the correct Cipher and MAC algorithms.For example:

`1`	`Ciphers aes128-cbc,aes128-ctr,aes192-cbc,aes192-ctr,aes256-cbc,aes256-ctr MACs hmac-sha2-256`

Once config change is done, restart ssh deamon and backup will start to work again.

vExpert NSX 2017

Wed, 16 Aug 2017 09:31:30 +0000

Last night in the evening I received an email from Corey Romero that I was nominated VMware vExpert NSX 2017.

Today I checked on VMware Blog and my name is really there. I am very proud being nominated not only vExpert 2014 - 2017 for vSphere community work but as well VMware NSX.

To view the list of NSX articles please click this link https://www.wojcieh.net/vmware-nsx/

Upgrade of NSX 6.2.4 to NSX 6.3.1

Tue, 06 Jun 2017 13:30:51 +0000

Welcome in the next from the Homelab upgrade series. Today as a part of the update we will cover upgrade of NSX 6.2.4 to NSX 6.3.1. VMware NSX 6.3.0 was the first release which supports vSphere 6.5. I already covered upgrade of ESXi 6.0 to 6.5 using different method along with vCenter Server upgrade.

Prerequisites

First and most critical part of the upgrade is to check on VMware Product Interoperability Matrix https://www.vmware.com/resources/compatibility/sim/interop_matrix.php#upgrade&solution=93 if the upgrade path is supported.

In my Homelab I am using NSX 6.2.4 Build 4292526 and upgrade to NSX 6.3.1 as a direct upgrade path is supported.

Second and perhaps most critical part of the upgrade is to perform the backup of NSX Manager. Once done let’s start with NSX upgrade.

Upgrade of NSX 6.2.4 to NSX 6.3.1

<img  src="/images/uploads/2017/05/upgrade-of-nsx-6.2.4-to-nsx-6.3.1-2.webp" alt="Upgrade of NSX 6.2.4 to NSX 6.3.1 - 2" width="742" height="262" srcset="/images/uploads/2017/05/upgrade-of-nsx-6.2.4-to-nsx-6.3.1-2.webp 742w, /images/uploads/2017/05/upgrade-of-nsx-6.2.4-to-nsx-6.3.1-2-283x100.webp 283w, /images/uploads/2017/05/upgrade-of-nsx-6.2.4-to-nsx-6.3.1-2-50x18.webp 50w, /images/uploads/2017/05/upgrade-of-nsx-6.2.4-to-nsx-6.3.1-2-75x26.webp 75w" sizes="(max-width: 742px) 100vw, 742px"/>][3]

Once again click Upgrade and point to NSX Manager upgrade bundle. Click continue.

<img  src="/images/uploads/2017/05/upgrade-of-nsx-6.2.4-to-nsx-6.3.1-3.webp" alt="Upgrade of NSX 6.2.4 to NSX 6.3.1 - 3" width="576" height="189" srcset="/images/uploads/2017/05/upgrade-of-nsx-6.2.4-to-nsx-6.3.1-3.webp 576w, /images/uploads/2017/05/upgrade-of-nsx-6.2.4-to-nsx-6.3.1-3-300x98.webp 300w, /images/uploads/2017/05/upgrade-of-nsx-6.2.4-to-nsx-6.3.1-3-50x16.webp 50w, /images/uploads/2017/05/upgrade-of-nsx-6.2.4-to-nsx-6.3.1-3-75x25.webp 75w" sizes="(max-width: 576px) 100vw, 576px"/>][4]

Upgrade bundle upload starts. Once the upload is finished upgrade process will start.

<img  src="/images/uploads/2017/05/upgrade-of-nsx-6.2.4-to-nsx-6.3.1-4.webp" alt="Upgrade of NSX 6.2.4 to NSX 6.3.1 - 4" width="561" height="497" srcset="/images/uploads/2017/05/upgrade-of-nsx-6.2.4-to-nsx-6.3.1-4.webp 561w, /images/uploads/2017/05/upgrade-of-nsx-6.2.4-to-nsx-6.3.1-4-113x100.webp 113w, /images/uploads/2017/05/upgrade-of-nsx-6.2.4-to-nsx-6.3.1-4-50x44.webp 50w, /images/uploads/2017/05/upgrade-of-nsx-6.2.4-to-nsx-6.3.1-4-75x66.webp 75w" sizes="(max-width: 561px) 100vw, 561px"/>][5]

Upgrade take a while. After few minutes and a reboot, we successfully upgraded NSX 6.2.4 to NSX 6.3.1.

<img  src="/images/uploads/2017/05/upgrade-of-nsx-6.2.4-to-nsx-6.3.1-5.webp" alt="Upgrade of NSX 6.2.4 to NSX 6.3.1 - 5" width="407" height="157" srcset="/images/uploads/2017/05/upgrade-of-nsx-6.2.4-to-nsx-6.3.1-5.webp 407w, /images/uploads/2017/05/upgrade-of-nsx-6.2.4-to-nsx-6.3.1-5-259x100.webp 259w, /images/uploads/2017/05/upgrade-of-nsx-6.2.4-to-nsx-6.3.1-5-50x19.webp 50w, /images/uploads/2017/05/upgrade-of-nsx-6.2.4-to-nsx-6.3.1-5-75x29.webp 75w" sizes="(max-width: 407px) 100vw, 407px"/>][6]

Summary

This post showed you how to upgrade existing NSX 6.2.4 to NSX 6.3.1.

Ransomware education from Veeam

Mon, 22 May 2017 09:46:01 +0000

Blog sponsor Veeam created interesting articles about a very hot topic - Ransomware.

Ransomware has become the threat du jour for businesses of all types and end users alike, as well as the money extortion tool of choice for cybercriminals. This is hardly surprising given its impressive ability to evolve and sneak by traditional data protection strategies. The frustration of those affected is palpable, with outcomes also including critical data loss, lowered productivity and damaged reputation.

Veeam e-book not only gives an insight into the ransomware threat but also reviews the fundamentals of top-notch ransomware preparedness and recovery, in order to help protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared and ready to recover.

Learn more about:

Ransomware milestones, key capabilities, and impact
Key layers of ransomware protection and preparedness against attacks
Quick and painless recovery from backups
And much more!

Download ebook

Simply visit https://go.veeam.com/ransomware-awareness-education link and download a free ebook.

Additional resources

Designing Veeam Availability Suite to Protect Against Ransomware Threats

Ransomware resiliency & Availability: The endpoint is a great place to start</a

How to disable LED’s in Asus AC3200 on Tomato

Wed, 03 May 2017 09:13:01 +0000

This is post is quite different than you usually find on my blog. It is going to be about How to disable LED’s in Asus AC3200 on Tomato.

Asus AC3200 is a very powerful router. I bought it because I wanted to have better bandwidth control (QoS). I chose AC3200 due to the fact that it has three separate wireless interfaces. Last selection factor is that it supports alternative firmware called Tomato. I used tomato on my very old and still working Linksys WRT54G.

How to install Tomato on Asus AC3200 router?

A procedure is very easy. My router originally came with following firmware FW 3.0.0.4.380_3479-g683f27. When I tried to upload Tomato firmware I received immediately this warning: Firmware upgrade unsuccessful. This may result from incorrect image or error transmission. Please check the version of firmware and try again. This is because Asus blocked firmware upgrade.

To skip this I downgraded Asus firmware to WRT-AC3200_30043789529 using ASUS Firmware Restoration utility. Once downgraded flashing Tomato firmware was possible.

How to disable LEDs on Asus AC3200 router?

To disable the LEDs (both wireless interfaces plus all LAN) simply enter following commands via SSH.

et robowr 0x00 0x18 0x1e0
et robowr 0x00 0x1a 0x1e0
wl -i eth1 leddc 1
wl -i eth2 leddc 1
gpio enable 12
gpio enable 15

To enable LEDs enter following commands via SSH.

et robowr 0x00 0x18 0x1ff
et robowr 0x00 0x1a 0x1ff
wl -i eth1 leddc 0
wl -i eth2 leddc 0
gpio disable 12
gpio disable 15

Once enabled they will stay in defined state.

How to schedule LEDs change on Asus AC3200 router?

In Tomato go to Administration / Scheduler and configure scheduler according to your needs. I disable all LEDs at 10PM and enable them at 8 AM.

Summary

I hope this post will be informative for you. If you wish to learn about Asus AC3200 router specification visit this page https://www.asus.com/Networking/RTAC3200/specifications/.

Runecast Analyzer 1.5 review

Wed, 05 Apr 2017 22:21:38 +0000

I’ve been using Runecast Analyzer in my lab since I introduced it to my readers a while ago Runecast Analyzer review. Not so long ago Runecast Analyzer 1.5 release was introduced to customers.

I would like to focus in this review on new enhancements and features introduced in version 1.5.

Multiple VMware vSphere vCenters support

Runecast Analyzer 1.5 allows to view and manage multiple VMware vSphere vCenters via one dashboard.Many customers have more than one vCenter Server: Production, Q&A or Dev environments or even more. Having one dashboard with all vCenter Server provides easier management and monitoring of the environment. This enhancement allows deploying single Runecast Analyzer appliance with reduced overhead on the environment.

Multiple vCenter Dashboard

Once you install Runecast Analyzer you see an empty dashboard. We will connect several vCenters to show you how easy it is to see more than one vCenter in Runecast Analyzer 1.5.

Login to Runecast GUI.
Go to Settings where we will add several vCenter Servers.
In the main GUI, click Analyze Now and confirm which vCenter Servers you would like to analyze.
It takes a moment to analyze the whole environment.
From the top menu, you can choose vCenter on which you would like to focus.
Once selected you can take a look at details of selected vCenter Server and its environment.

Other enhancements

Other enhancements in version 1.5 include improved security, enhanced log search and filtering and improved Knowledge Base filters.

Summary

As you saw enhancements done by Runecast Analyzer Team are very useful and will improve productivity and ease of use of the product. In my opinion, product get much better with 1.5 release and I could simply suggest to install it in your environment and give it a try. I recommend reading Deployment Guide in case you need more detailed information about setup https://www.runecast.biz/RunecastUserGuide1.5.pdf.

How to change logging level in NSX

Fri, 30 Sep 2016 07:00:27 +0000

Troubleshooting issues aren’t always fun and easy way to do. Especially in complex environments where multiple issues might occur at the same time. Having a way to easily find root cause is crucial. Today I will show you how to change logging level in NSX and its components.

Change logging level in NSX Manager

Unfortunately, it isn’t possible to change logging level in NSX Manager fro GUI. It has to be done using API calls or from the command line. In my earlier post https://www.wojcieh.net/configuring-syslog-server-for-vmware-nsx-components/ , I showed you how certain operations are done using REST API calls.

NSX Manager log levels:


OFF	FATAL	WARN	ERROR	INFO	DEBUG	TRACE	ALL

Change logging level in NSX Manager - API

To check what kind of logging level initiate the following API call

`1`	`GET https://IP ADDR/api/1.0/services/debug/loglevel/com.vmware.vshield`

To enable debug logging level in NSX Manager initiate the following API call

`1`	`POST https://IP ADDR/api/1.0/services/debug/loglevel/com.vmware.vshield?level=DEBUG`

We will check once again if logging was changed to debug.

Change logging level in NSX Manager - command line

Changing logging level in NSX Manager via command line is fairly easy.

`1`	`show com.vmware.vshield logging-level`

Next step is to change it to another level.

Changing log level of NSX control plane

NSX Control Plane logs are written on each ESXi host. To modify ESXi netcpa log level it has to be done from command line.

Enable writing to file by typing:

`1`	`chmod +wt /usr/lib/vmware/netcpa/etc/netcpa.xml`

Edit the file in vi and change following line:

`1`	`<level>info</level>`

to desired log level

`1`	`<level>debug</level>`

Restart netcpa service by typing:

/etc/init.d/netcpad restart

Changing logging level on Distributed Logical Router or Edge Services Gateway

There are several ways to change logging level on Distributed Logical Router or Edge Services Gateway.

Changing logging level on Distributed Logical Router or Edge Services Gateway - API call

In REST Client initiate following call

`1`	`POST https://NSX Manager IP/api/4.0/edges/edgeID/logging?level=debug`

Let’s check what level is configured in GUI.

Changing logging level on Distributed Logical Router or Edge Services Gateway - GUI

To change logging level on Distributed Logical Router or Edge Services Gateway click Action on DLR or ESG.

Select desired logging level.

There is as well possibility to enable logging with a different level per DLR or ESG components.

DLR Components

DLR - HA
DLR - Dynamic Routing

ESG Components

ESG - DHCP
ESG - NAT rules
ESG - Routing
ESG - Load Balancer
ESG - IPsec VPN
ESG - SSL VPN-Plus

Enabling Firewall logging

Enabling firewall rule logging is very easy.

Click on rule you want to log and in action section choose Log.

Summary

I hope you enjoyed this article. If you have any questions simply write a comment.

NSX 6.2 API Reference Guide

How to replace NSX Manager SSL Certificate

Fri, 09 Sep 2016 07:00:42 +0000

I am working on daily basis with many Customers in CEMEA region. Pretty much all of them are large Enterprises where a focus on security is quite high. As the best practice, it is recommended to replace self-signed SSL Certificates with Certificate Authority Certificates.

I already did few post about SSL Certificate replacement:

Like every component NSX Manager has web based admin interface which is accessible via secured protocol. Today, I will show you how to replace NSX Manager SSL Certificate with CA SSL Certificate.

How to replace NSX Manager SSL Certificate?

Replacement of NSX Manager SSL Certificate doesn’t take much time. The most problems you might have is when root and intermediate certificate have to be combined with NSX Manager SSL Certificate.

Login to NSX Manager and click Manage Appliance Settings.
Go to SSL Certificates.
Click Generate CSR and fill all needed fields. Take a look on my CSR.
Download CSR and upload it to CA for approval. vSphere 6.0 SSL Certificate template is configured by following VMware KB: Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.0 (2112009).
Combine SSL Certificates for NSX Manager. In order to be able to import NSX SSL Certificate, it has to be merged with Intermediate and/or Root CA. It can be done in a text editor or command line. The most important thing is to remember the order

`1`	`NSX SSL Certificate → Intermediate CA → Root CA`

After the successful combining of both files, certificate looks ok.
The last step is to import it into NSX Manager. Click Import, choose file and click once again Import.
If every step was followed we just need to reboot NSX Manager appliance.
Reboot takes a moment to complete and after the refresh of NSX Manager web page, we see that NSX Manager SSL Certificate was replaced.

Summary

I hope this post was informative for you and you will wait for a new post on my blog.

Configuring Syslog server for VMware NSX components

Wed, 07 Sep 2016 07:00:28 +0000

Syslog server is a must in all environments. It doesn’t matter if you have 5 or 100 ESXi host or you use NSX or not. Today, we configure Syslog server for VMware NSX components. In my case it will be VMware vRealize Log Insight.

Configuring Syslog server for VMware NSX components

Unfortunately it is not possible to configure Syslog for all components in NSX GUI so in some cases API calls must be used.

API preparation

In my lab I use Google Chrome with application Postman to initiate API calls. Any API client can be used - in my case Postman simply works. I had one issue in Firefox with API calls where self signed certificate had to first added to exceptions and then API calls worked.

To fix issue with self-signed SSL Certificates in Google Chrome follow this excellent link: http://blog.getpostman.com/2014/01/28/using-self-signed-certificates-with-postman/.

NSX Manager

API

Request:

`1`	`PUT https://<nsxmgr-ip</api/1.0/appliance-management/system/syslogserver`

Request Body:

<syslogserver
  <syslogServer192.168.1.15<syslogServer</>
  <port>514</port>
  <protocol>UDP</protocol>
</syslogserver>

To check if Syslog is configured correctly initiate API call.

Request:

`1`	`GET https://<nsxmgr-ip</api/1.0/appliance-management/system/syslogserver`

GUI

In main GUI click Manage Appliance Settings.
Click Edit in section Syslog Server.
Enter Syslog server IP or DNS, port and protocol.

Syslog check

After few minutes logs are visible in Syslog server - in my case in vRealize Log Insight.

NSX Controller

NSX Controller Syslog server can be configured only using API call. To configure Syslog server for controllers you need controller IDs. You can find them in GUI.

API

Request:

`1`	`POST https://<nsxmgr-ip</api/2.0/vdn/controller/{controller-id}/syslog`

Request Body:

<controllerSyslogServer>
  <syslogServer>192.168.1.15</syslogServer>
  <port>514</port>
  <protocol>UDP</protocol>
  <level>INFO</level>
</controllerSyslogServer>

Once pushed you can check if settings are applied.

Request:

`1`	`GET https://<nsxmgr-ip</api/2.0/vdn/controller/{controller-id}/syslog`

Proceed with configuration on remaining controllers.

Syslog check

NSX EDGE

In order to configure NSX Edge Services Gateway it is required to know its ID. It can be found in NSX Edges page.

API

Request:

`1`	`PUT https://<nsx-mgr-ip</api/4.0/edges/edgeId/syslog/config`

Request Body:

<syslog>
   <protocol>udp</protocol>
   <serverAddresses>
      <ipAddress>192.168.1.15</ipAddress>
   </serverAddresses>
</syslog>

GUI

Click on NSX Edges and select EDGE to configure Syslog.
In Configuration section click Change to enable Syslog.
Enter Syslog IP address or FQND, protocol and click OK.

Syslog check

I had to manually initiate an event in my lab.

NSX DLR

Let’s finish configuring Syslog server for VMware NSX components with Distributed Logical Router.

API

NSX Distributed Logical Router

Request:

`1`	`PUT https://<nsx-mgr-ip</api/4.0/edges/edgeId/syslog/config`

Request Body:

<syslog>
   <protocol>udp</protocol>
   <serverAddresses>
      <ipAddress>192.168.1.15</ipAddress>
   </serverAddresses>
</syslog>

GUI

Choose desired DLR to configure and click Change.
Enter Syslog IP or FQDN and protocol.

Syslog check

Summary

Enabling logging on your critical infrastructure might save you time when you need to quickly troubleshoot issues. It is always good recommendation to use Syslog server.

For other NSX API call please view NSX 6.2 for vSphere API Guide.

Runecast Analyzer review

Wed, 24 Aug 2016 07:00:58 +0000

Introduction

Welcome to another review of fantastic software on my blog. Today Runecast Analyzer review will show us what proactive monitoring in addition to best practices and VMware Knowledge base articles can do in your environment.

Runecast Analyzer is a startup company founded by Stanimir Markov in 2014. Since then product grew and already Runecast has quite large portfolio of customers.

Installation

After introduction to Runecast Analyzer I will guide you through installation of appliance in my lab. I used version 1.0.0.30 which requires to install 2vCPU and 6GB of RAM, 2,7GB of disk space as thin and 40GB of disk space as thick.

Login to vSphere Web Client, select Cluster to place Runecast Analyzer.
Click Actions, Deploy OVF Template and navigate to directory where Runecast Analyzer OVA is downloaded. Click Next.
Review details of appliance and click Next.
Accept End User License Agreement and click Next.
Choose folder to install Runecast Analyzer and name for virtual machine. Click Next.
Choose Thin or Thick Provision virtual disk format and destination datastore. Thin provisioned installation size is 2,7GB and thick provisioned installation is 40GB.
Choose correct network and click Next.
We are almost at the end of Runecast Analyzer appliance deployment and we have to provide few values: hostname, default gateway, dns, network IP and netmask.
On last let’s review all settings and to complete appliance installation click Finish.
Use default credentials: rcuser with password Runecast! to login to appliance.
As we see appliance is up and running, but to make it fully operational let’s configure it.

Configuration

Go to Settings and click Edit to configure vCenter Server connection.
Enter vCenter Server FQDN or IP address, change port if needed and provide username and password with administrative rights.
Next step is to enable Automatic Scheduler. You can set scanning and analysis frequency based on your needs. Click Edit and change it from Manual to Automatic. I configured it to run on daily basis.
In production environment Email alerting is most common way to deliver reports. Runecast Analyzer naturally has this functionality as well. Simply click Edit to enter settings from your environment.
In section Log Analysis it is possible to configure retention of collected logs. It is possible to choose from Days and occupied Disk space.
In section User Profile it is possible to change password for local user rcuser and integrate Runecast Analyzer with Active Directory. By default members of Active Directory group Runecast_admins have access rights to use Runecast Analyzer. I configured it (since this is lab) with Domain Admins Active Directory group.
Go to Licenses to change 30 day trial to your purchased license. Click Add License and use download file from Runecast portal.
Choose which ESXi hosts to license and click Assign License button.

Usage

To have full picture of environment ESXi logging configuration has to point to Runecast Analyzer. There are several ways how to do it - fastest way will be use PowerCLI script - one example could be PowerCLI – Configure Syslog for All Hosts.

The other way to do it is by using Runecast Analyzer itself.

Go to Status and click on Host syslog settings section.
Click wrench icon and choose all ESXi hosts. Don’t worry - original syslog settings are preserved and Runecast Analyzer is appended to configuration. ESXi supports multiple syslog servers.
Once Configure button is entered, confirmation window appears. Click Ok to finish syslog configuration.
Recent tasks pane in vSphere Web Client we see that configuration is applied.
To be 100% sure that previous settings were not overwritten and of course that Runecast Analyzer receives logs as well, ESXi Advanced System Settings has to be checked. 6. Last step is to start analysis of environment. Click big orange button Analyze Now, wait few minutes so Runecast Analyzer scans whole environment.

Results

Finally we are in the most interesting part of review. I was extremely curious of what results Runecast finds in my lab. Scan itself took around 10 minutes for 7 ESXi hosts.

Dashboard

After first scan we go directly to Dashboard where we see result of scan. It has few sections nicely organized.

From dashboard we can easily see where and what we have to do. In my case we see the following:

Inventory

In inventory view we can focus on each part of environment: Compute, VMs, Storage and Network. Selecting each category it is possible to drill down to desired component of each section. Once resource is selected we have nice list of findings categorized by severity.

It was quite difficult to catch inventory and its result on one screen and I decided to open two browser windows so you could see it better.

Issue List

In Issue List view we simply see all issue categorized by severity. I find it really useful to remove filters per category and filter by keyword.

Another fantastic feature is Copy, CSV and PDF. Copy allows you to copy (of course, what else would it do 😀 ) and paste all results to clipboard and paste it later on to any editor.

CSV allows you to quickly export to comma separated value file and then work on them in Excel.

PDF provides simple and quick export of report to pdf format.

KBs discovered

First Critical Issue

Runecast Analyzer did fantastic job finding related things to my lab. First issue NETDEV WATCHDOG timeout error and ESXi 6.0 loses network connectivity (2124669)is as well in my environment.

Note that affected objects count is 6 and I have 7 ESXi. Why not 7? KB relates to ESXi 6.0 Update 1 and one of the hosts is ESXi 6.0 Update 1b.

Second Critical Issue

Second issue found in my environment is as well related to ESXi patch level I am using - it is well-known CBT bug.

Of course I have more issues/KBs and I didn’t want to bore you to death with them.

Best Practices

Best practices detected a lot of issues. I reviewed recommendations and from my experience perspective they are quite correct.

Security Hardening

Same as above - I find all security hardening recommendations valid and they should be implemented. Hopefully your environment is better secured than my lab.

Summary

After spending few hours with Runecast Analyzer I am convinced that product is at least worth to test in your environment. As Runecast advertise it, its primary function is to scan your environment proactively and not reactively. So by having it in your environment you really can avoid a lot of issues. Of course if you will face unknown bug in your environment (and there is no KB released yet) that there is nothing you can do and to call VMware Support (and by the way they are superheroes!).

Here are companies who already decided to use Runecast Analyzer

To learn more about Runecast Analyzer follow link: https://www.runecast.biz/

This article was sponsored by Runecast.

How to backup NSX?

Fri, 19 Aug 2016 07:00:28 +0000

One of the components of modern and agile environments is Software Defined Network (SDN). Imagine that your Software Defined Data Center (SDDC) dies and you as Administrator of that environment have to recover it to state before crash.

So you as an Admin have a task to make sure that whole SDDC stack including NSX can be recovered after a failure or issue. Besides relying on High Availability provided by hypervisor and/or storage you must be 100% sure that you can recover NSX to state before crash. Today I will guide you through simple yet effective process of configuring NSX and its backup.

NSX backup strategy

As I mentioned above NSX is most likely be part of your SDDC platform which is fast, agile and there are many changes. In order to keep up to constant changes NSX should be backed up as often as possible. From my experience working with Clients who already use NSX in SDDC and IoT environments, NSX backup is as important as any other components.

NSX backup should be done with conjunction with vCenter Server backups and vCenter Server database backups.

Example backup schedule:

vCenter Server is backed up on daily basis
vCenter Server Database is backed up on daily basis (Full SQL backup) and transaction logs are backed up every hour
NSX Manager configuration is backed up every hour

From example above we clearly see that all critical components of environment are backup up at same time. Why do we do it that way? Answer is very simple - if we face issue with more than one component we will be able to recover full SDDC stack to state before crash. From architectural point of view we use terms Recovery Point Objective (RPO) and Recovery Time Objective (RTO). If you don’t know this terms take a look on my Colleague post who described it in details: RPO, RTO, WRT, MTD…WTH?!

How to backup NSX?

One and only supported way to backup NSX is to export whole configuration to FTP or SFTP server. This export consist all settings you configured in NSX - may it be Controllers, Edges, DLRs or firewall rules. All settings are stored in NSX Manager database and in case something must be restored or redeployed it can be done if you have NSX Manager config backup.

Login to NSX Manager appliance.
Click on Backup & Restore.
Click on Change button in FTP Server Settings.
We must provide following information:
IP/Hostname
Transfer Protocol
User name
Password
Backup Directory
Filename Prefix
Pass Phrase
Once all information is provided click Ok.
Click on Scheduling to schedule NSX Manager backups.
Once all settings are configured after few hours you will see that schedule is working.

Summary

As you see from operational point of view configuration of NSX takes few moments. From architectural point of view it is worth to consider how and when do we take NSX backups. I hope you will start to backup NSX now and in case you have some questions feel free to ask them in comments or sent me message.

Step by Step NSX Upgrade

Wed, 13 Jul 2016 07:00:54 +0000

I haven’t been writing much about NSX so far, but I am working on an Internet of Things (IoT) Project where NSX is one of the core products. In Today post Step by Step NSX Upgrade, I would like to show you how NSX upgrade should be done.

Before we upgrade

It is very important to validate all necessary components before NSX is upgraded. It is not only valid for a minor upgrade which we will be doing - 6.2.2 to 6.2.3, but for every version. Checklist below will help you to prepare your environment to upgrade:

Download NSX upgrade bundle and check MD5.
There is known bug which affects EDGE upgrade when incorrect ciphers are configured. VMware KB NSX Edge is unmanageable after upgrading to NSX 6.2.3 explain steps needed to check it and/or change it before the upgrade.
Familiarize yourself with Update sequence for vSphere 6.0 and its compatible VMware products.
Backup of components:
Take a backup of NSX Manager (if you are not doing it regularly) before the upgrade.
Before upgrading download technical support logs.
Export of vSphere Distributed Switches configuration. Check out my Git repository for the detailed script.
Create a backup of vCenter Server database.
Take a snapshot of vCenter Server and vCenter Server database.
Take a snapshot of NSX Manager (without quiescing VMware Tools, because it is not supported and it might crash your NSX Manager).

3, 2, 1 - Go!

Upgrade of NSX Manager

Download NSX upgrade bundle.
Login to NSX Manager and go to Upgrade section.
Click on Upgrade button, specify a location of upgrade bundle and click Continue.
It will take few minutes to upload it.
Choose if you want to enable SSH and participate in Customer Experience Improvement Program (CEIP). Click Upgrade to proceed.
Upgrade takes a while so be patient. In my lab, it took 15 minutes.
GUI reports that upgrade was done.
Go back to vSphere Web Client and go to Networking&Security. After logging in I immediately noticed new section Dashboard.

NSX Controllers Upgrade

To continue upgrade click on Installation and hit Upgrade Available button.
Confirm that we want to proceed with Controllers upgrade.
It will take few moments to upgrade controllers. In my case, it was ~15 minutes per controller.
Once all controllers upgraded and the reboot is finished, green status is displayed.

VMware ESXi NSX VIBs Upgrade

Navigate to Installation section and click Host Preparation.
Click on Upgrade Available in every cluster you are using NSX and confirm Upgrade by clicking Yes.
In vSphere Client uninstalls and install tasks are visible.
To finish with upgrade ESXi hosts have to be rebooted.

NSX Edge Services Gateway and Distributed Logical Router Upgrade

Next step is to upgrade Edge Services Gateway and Distributed Logical Router. In my environment, I have only ESG deployed so we will proceed with the upgrade of it.
Please remember that there might be service interruption depending on a configuration used in environment.
In vSphere Web Client in current tasks, it is visible, that two temporary new Edge Services Gateways deployment is in progress.
After two minutes Edge Services Gateways upgrade to 6.2.3 is completed.
Same procedure should be used to perform an upgrade of Distributed Logical Routers.

Post-Upgrade Checklist

Check if NSX Manager is working.
Check if NSX Manager backup is working.
Check if NSX VIBs are installed on ESXi host.
Resynchronize the host message bus.
Remove snapshot from NSX Manager.
Remove snapshot from vCenter Server.
Remove snapshot from vCenter Server database.

Documentation:

Renew ESXi SSL certificates in vSphere Web Client

Wed, 25 May 2016 07:00:44 +0000

In my earlier post vCenter Server 6.* – Replacing SSL certificates with Enterprise VMCA I showed you how to use VMware Certificate Authority in Enterprise mode using subordinate Certificate Authority. Once the vCenter Server SSL certificates are replaced the next step is to **Renew ESXi SSL certificates in vSphere Web Client ** in our environment.

Renew ESXi SSL certificates in vSphere Web Client

Before we will start with renew of ESXI SSL certificate I would like to show you how old certificate looks like.

Login to vCenter Server and select ESXi host.
Select desired ESXi and choose **Certificates \ Renew Certificate.
Confirm that we want to renew the certificate for the host.
In the recent tasks you can see that certificate was refreshed.
New certificate can be seen as well in browser or ESXi itself.Below you will find ESXi view.
Here you can see how SSL certificate is seen in Web Browser.

Summary

Once VMCA in Enterprise mode is used ESXi SSL Certificates can be renewed in few steps and this is very useful. I hope you will find this post informative and whenever you have any questions or doubts just leave comment.

vCenter Server 6.* – Replacing SSL certificates with Enterprise VMCA

Mon, 16 May 2016 07:00:45 +0000

In my earlier post vCenter Server 6.* – Replacing SSL certificates with Custom VMCA I described how you can replace SSL certificates with Custom CA certificates. Today in post vCenter Server 6. – Replacing SSL certificates with Enterprise VMCA* I would like to guide you through replacement of VMCA self-signed SSL certificate with Microsoft CA certificates. This will allow you to take advantage of VMCA as a single point of certificate management in your environment while ensuring that

Prerequisites

Certificate Authority.
Template for VMware in Certificate Authority – follow VMware Knowledge Base Article for details: Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.0 (2112009)
XCA – Optional to store all certificates, requests and private keys.

VMCA Topologies

As mentioned in my earlier post I suggest to read about VMCA topologies from which you can choose from. Below you will find two best articles to familiarize yourself:

Replacing SSL certificates with Enterprise VMCA

Before we will start with certificate replacement I suggest to begin with editing file certool.cfg in C:\Program Files\VMware\vCenter Server\vmcad. In this file we will provide all information needed to issue certificate.
Country = US
Name = CA
Organization = VMware
OrgUnit = VMware
State = California
Locality = Palo Alto
IPAddress = 127.0.0.1
Email = email@acme.com
Hostname = server.acme.com
This is how my certool.cfg looks like.
Login to your vCenter Server and start command prompt as administrator.
Change directory to vCenter Server installation directory. In my case I have default path which is: C:\Program Files\VMware\vCenter Server\vmcad.
Start script: certificate-manager.bat
Select option 2 and enter Y to use previously edited certool.cfg.
Enter administrator@vsphere.local as username and provide password to this account.
Immediately we have to configure first of certificate machine_ssl. It is kind of strange because we were asked in previous step if we want to generate all certificates using configuration file. If you edited certool.cfg file before you just need to hit enter several times. Pay attention that at the end you have to provide FQDN of vCenter Server.
Same steps have to be done for other certificates:
machine_ssl - was created in previous step
machine
vpxd
vpxd-extension
vsphere-webclient
At the end we have to export Certificate Signing Request and Key for VMCA Root certificate. Select 1.
Enter directory where all files will be stored. In my cases it is C:\SSL. If you will be asked to reconfigure certool.cfg you can skip it.
Once we have files let’s sign them with Certificate Authority.
I am using Internet Explorer to sign certificate. Go to https://CA-FQDN/certsrv.
Click Request a certificate.
Choose advanced certificate request.
Choose Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
Paste previously generated CSR to field and as certificate template select Sub CA template previously created and click Submit.
Once the certificate is approved export it as Base 64 encoded. To do it simply click Download certificate. Export Root CA certificate, because we will need it later on.

Next step is to combine Root CA certificate (from your Certificate Authority) with Sub CA certificate. Below you will find format how to do it.

—-BEGIN CERTIFICATE—-
Sub Certificate Authority certificate
—-END CERTIFICATE—-
—-BEGIN CERTIFICATE—-
Root Certificate Authority certificate
—-END CERTIFICATE—-

if everything done correctly you should see that chain is working fine.
Next step is to import combined certificates (I called them chain certificate) to VMware Certificate Authority (VMCA). Return to certificate-manager script and select option 1.
Provide path to chain certificate and private key.
Choose Y to replace Root Certificate and all other certificates.
If all steps were followed carefully all certificates will be replaced. It takes few minutes to complete.
Once logged in to vSphere Web Client you can easily check that certificate was replaced.

Summary

This post is quite long, but I hope it will be useful to all of those who can use VMware Sub CA in your environment. For those who have to use VMCA in custom mode you can simply follow my post how to replace SSL certificates with custom VMCA mode vCenter Server 6.* – Replacing SSL certificates with Custom VMCA.

Konferencja infraXstructure 2016 której nie możesz przegapić!

Fri, 18 Mar 2016 11:28:40 +0000

Jako osoba która od ładnych kilku lat bawi się w IT przeżyłem i widziałem wiele. Najbardziej lubiałem konferencje bo po pierwsze był zazwyczaj to płatny dzień pracy, a po drugie możliwość poznania nowych technologi i nawiązania nowych kontaktów. Dzisiaj chciałbym zaprosić Was drodzy czytelnicy do uczestnictwa w konferencji infraXstructure.

W konferencji zapowiedziało udział wiele gwiazd polskiego IT - pozwolę wymienić sobie kilka nazwisk: Jarek Zieliński (Inleo Sp. z o.o.), Mirek Burnejko (Microsoft), Paweł Serwan (lider Polskiej Grupy Citrix) czy Krzysztof Waszkiewicz (Netology).

Agenda

Nie będę kopiował całej agendy bo jest to bez sensu. Zapraszam do odwiedzenia strony konferencjigdzie możecie zapoznać się ze szczegółami. Wszystkie sesje zapowiadają się fantastycznie a poniżej lista sesji które szczególnie polecam:

Wojna o Wirtualizację, czyli VMware vs. Hyper-V
SDN w praktyce. Znacząca poprawa bezpieczeństwa wewnątrz Data Center dzięki sieci sterowanej programowo.
Cloud Migration Checklist – Czyli jakie błędy popełniła firma, której ludzie nie przyszli na tą prezentację.
Wirtualizacja aplikacji czy desktopów? Którą technologię wdrożyć w swojej firmie?

Miejsce konferencji

Druga edycja konferencji infraXstructure odbędzie się 20 kwietnia w hotelu Mariott w Warszawie

Po konferencji

Na zakończenie konferencji organizatorzy zaplanowali losowanie nagród oraz spotkanie na piwie! Więcej informacji znajdziecie na stronie http://2016.infraxstructure.com/pl/news/5/.

Rejestracja

Aby zarejestrować się na konferencję kliknij w link http://2016.infraxstructure.com/registration/.

vCenter Server 6 – Replacing SSL certificates with Custom VMCA

Wed, 17 Feb 2016 13:32:23 +0000

In earlier post How to replace VMware ESXi 6.* SSL certificateI described how to replace VMware ESXi 6.* SSL certificate. This post will focus on replacing SSL certificates with Custom VMCA in vCenter Server 6.* on Windows.

Prerequsites

Certificate Authority.
Template for VMware in Certificate Authority – follow VMware Knowledge Base Article for details: Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.0 (2112009).
XCA – Optional to store all certificates, requests and private keys.

VMCA topologies

I am not going to copy&paste VMware documentation - it is easier to read it. Below you will find a list of interesting documentation (in my opinion of course) to read:

Today we will use VMware Certificate Authority (VMCA) in custom topology. This means VMCA will be used only to store certificates for all vCenter Server solutions and all certificate replacement has to be done manually.

Replacing SSL certificates with custom VMCA

Replacing vCenter Server machine_ssl certificate

Login to vCenter Server and start command line.
In command line go to directory where you installed vCenter Server 6.. In my case it is default directory: **C:\Program Files\VMware\vCenter Server\vmcad*.
Start tool called certificate-manager and select operation 1.
Provide valid SSO password and hit Enter. Choose Operation 1 - Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate and hit Enter.
Enter directory path where CSR and private key will be saved. For simplicity I created directory C:\SSL.
Certificate Signing Request and private key to machine_ssl was generated successfully.
I am not going to bore you to death by approving all certificates and documenting it. Check my earlier post where I did it - How to replace VMware ESXi 6.* SSL certificate.
Once certificate is signed and saved to local disk we return to certificate-manager tool to replace certificates. Click 1 and hit Enter.
As requested provide path to certificate, certificate signing request and root certificate authority certificate. Hit Enter and select Y to continue operation of replacing machine_ssl certificate.
Certificate manager will replace machine_ssl certificate and restart vCenter Server services. It takes a while to do it so do not worry. If everything was configured correctly operation will succeed.

Replacing vCenter Server solution user certificates (machine, vpxd, vpxd-extension, vsphere-webclient)

We will continue with replacement of other certificates.

Start certificate manager and select option 5 - Replace Solution user certificates with Custom Certificate.
Provide valid SSO password and hit Enter.
Select option 1 to generate CSRs and provide directory location where CSRs will be saved.
Sign all CSRs in your certificate authority - see How to replace VMware ESXi 6.* SSL certificate link.
Once signed we can start to replace all solution user certificates.
Return to certificate manager and choose option 1 to continue certificate replacement. Provide path to all certificates, private keys and root certificate authority certificate.
Hit Enter and select Y to continue. vCenter Server solution user certificates will be stopped and vCenter Server services will be restarted. Once completed we finished our task to replace vCenter Server SSL certificates.
To check if certificate was replaced successfully simply check certificate in vSphere Web Client.

Additional tasks

One of the most important things to change right after replacing certificates is to change vCenter Server certificate mode from default vmca to custom. In order to do that follow VMware documentation: Change the Certificate Mode. If you will not change it you will have problems with High Availability - in short words, vCenter Server will not trust your ESXi hotsts SSL thumbprints and HA will not work.

This is what you will see in HA information field.

From my experience there are several things that you have to be really careful about:

Correct template of certificate in your certificate authoriy
Certificate authority can’t overwrite any field in certificate. If it will be done vCenter Services will not start properly.
You will not see vsphere-webclient certificate SSL certificate browser. This is ok - by design machine_ssl certificate is used as reverse proxy. Read more: Where vSphere 6.0 Uses Certificates.

How to replace VMware ESXi 6.* SSL certificate

Mon, 08 Feb 2016 08:00:18 +0000

Certificates are very common in our daily life. Starting from logging to your banking account, checking email or simply visiting social media, we use secure communication. One of ingredients of it are certificates. I will not describe you in details how do we use them - if you are reading this most likely you know what you are doing.

Today blog post How to replace VMware ESXi 6. SSL certificate* will describe you how to replace SSL certificates on ESXi hosts.

Prerequisites

First of all you need ESXi host, certificate authority and few minutes to replace certificates.To generate SSL certificate for your ESXi host you need OpenSSL version 0.9.8 installed on your local system or tool called XCA. In VMware documentation all certificate signing requests are done using OpenSSL but I will show you how to do it in faster and more efficient way with XCA.

Certificate Authority
Template for VMware in Certificate Authority - follow VMware Knowledge Base Article for details: Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.0 (2112009).
OpenSSL 0.9.8 - follow VMware Knowledge Base Article for details: Configuring OpenSSL for installation and configuration of CA signed certificates in the vSphere environment (2015387).
XCA - Optional to replace OpenSSL
SSH access to ESXi

How to replace VMware ESXi 6.* SSL certificate

Procedure of replacing ESXi certificate is not complex one, but if you want to replace more certificates in your environment some things have to be prepared first to make procedure smooth.

Generate certificate signing request (CSR)

One of the first steps in certificate replacement is to correctly identify settings which certificate has to have. If some certain parameters will not be included or configured, either certificate replacement will fail or you might encounter more serious problems in your environment.

Certificate template

I am using fantastic tool called XCA to store certificate template, certificates, private keys and certificate signing requests. First step to replace ESXi SSL certificate is to create template.

Download XCA from SourceForge XCA download page for your platform.
Once installed start XCA and create new database.
Enter the name for the new database and select desired location.
Enter password to your database.
Database was successfully created. We will create new template for our ESXi hosts. In XCA switch to templates tab and click New template.
We are asked now what preset templates values we should import. Select Nothing.
Fill Subject section with following values.
Switch to Extensions tab. Fill X509v3 Subject Alternative Name with ESXi FQDN and IP address.
Switch to Key Usage tab and select displayed values.
This are all settings we need to successfully generate certificate signing requests.

Certificate signing request

Once our preparation with certificates is done we can initiate certificate signing requests.

To generate certificate signing request select template we just created and click Create request.
Switch to Subject tab and enter Internal name - this is just name displayed internally in XCA. Change as well commonName field to match new server name. Once field 1 and 2 are filled click on field 3 Generate a new key.
We have to generate private key which we will upload to ESXI host and it will be validated with certificate we will get from this certificate signing request. Type Name matching Internal name to easily correlate private key and certificate.
Private key was successfully created.
Click OK and you will see confirmation that we successfully created certificate signing request for our ESXi host.

Generate certificate

Last step to receive certificate is to export it from XCA. Switch to Certificate Signing Request tab and select friendly name you have choose for your ESXi. In my case it is ESXi03.wojcieh.local. Click Export. We simply use PEM format to export CSR.
Once we exported certificate we need to request certificate with our Certificate Authority. In my case it is Certificate Authority installed on Microsoft Windows Server 2012 R2. Navigate to CA https://FQDN/certsrv. Click Request a certificate link.
Choose advanced certificate request.
Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
Open with any editor previously saved CSR and paste it to CA, select previously created vSphere certificate template and click Submit.
Depending of you certificate authority configuration you will receive certificate immediately or certificate will have to be approved. In my case since I am in lab environment, certificate was immediately approved and ready to download. Select Base 64 encoded and click Download certificate.
Export private key from XCA. Switch to Select ESXi host and

Replace certificate on ESXi host

We are nearly at the end of the of the process of replacing SSL Certificate on ESXi 6.*. We will simply follow VMware Knowledge Base Article: Configuring CA signed certificates for ESXi 6.0 hosts.

Log in to vCenter Server.
Enter maintenance mode on ESXi server we will replace certificates on.
In my case, I have vSAN working in this cluster and this is why have an additional question about data availability. I selected No data migration because I don’t have any virtual machines running in that cluster.
Start SSH service on ESXi.
Upload private key and certificate for your ESXi to local datastore or upload it via SCP protocol.
As you see on the screen I have two filenames. Rename certificate to rui.crt and private key file to rui.key.
No we will move old certificates from /etc/vmware/ssl to local datastore.
Now we will move CA signed certificates to /etc/vmware/ssl directory.
Once certificates are replaced we just need to restart management agents. Simply type services.sh restart. As you see below certificate was successfully replaced. ![How to replace VMware ESXi 6. SSL certificate - 29][29]

Summary

As you see the procedure to replace ESXi 6.0 SSL Certificates is not that complex. More time you spend preparing template, receive a certificate or upload it to ESXi.

Securing VMware appliance GRUB

Thu, 10 Dec 2015 12:39:28 +0000

In my earlier post How to reset root password in vRealize Orchestrator I showed you how to reset root password in VMware Appliance - vRealize Orchestrator. Fortunately and unfortunately for us we see more and more products shipped as Appliances. I will show you how to secure your Appliances with few simple steps.

Securing VMware appliance GRUB

Before we will start securing our Linux-based appliance GRUB I suggest to create snapshot of virtual machine. What we will do Today is simply add password protection to GRUB (GRand Unified Bootloader) so nobody will be able to override boot settings.

Login as root to your appliance. In my case I will secure vRealize Operations Manager GRUB.
As root type grub and GRUB and new shell will appear.
We will create hashed password by executing command md5crypt. Once asked type your password and carefully write it down. I used password VMware2015 to generate hashed password.
Type quit to exit GRUB shell.
Navigate to /boot/grub and edit menu.lst file with your favourite editor (vi in my case) which has all boot configuration. In third line, right after timeout type:

`1`	`password --md5 YOUR_HASHED_PASSWORD`

6. Commit changes and reboot appliance. 7. Once the GRUB boot loader will appear note small change: Press enter to boot the selected OS or ‘p’ to enter a password to unlock the next set of features.
8. To test if we entered correctly our hashed password press p and type your password. Press Enter to confirm.

Summary

I hope this post will be informative to you and you will secure your appliances with simple yet effective protection. Let me know if you want to read more about securing virtual appliances.

How to reset root password in vRealize Orchestrator

Wed, 25 Nov 2015 08:00:18 +0000

Working as a Consultant has extremely advantages - you meet different customers, you face challenges you wouldn’t be able to find in your own environment or in you home lab. Yesterday I was asked by my colleague to take a closer look on two vRealize Orchestrator appliances - we were not able to login via ssh as root user any more. I will show you how to reset root password in vRealize Orchestrator in just a few steps.

Luckily for us VMware has a standardized way of appliance delivery. Most of them I used are SuSe Linux-based and they have a lot of in common in terms of configuration. For example you can configure networking in the same way - I was building lab on my laptop and I configured vRealize Operations Manager and vRealize Orchestrator using same script.

How to recover vRealize Orchestrator root password?

Unfortunately there is no VMware KB which we can use to reset vRealize Orchestrator root password but as I mentioned before - we can do it a bit differently. There are some blog post which guide you how to reset admin password, but in order to do it you need root access - what to do if you lost it?

Take snapshot of vRO virtual machine.
Reboot it and once GRUB is visible move arrows or press space bar to stop booting process. Select VMware vRealize Orchestrator Appliance and press e key to edit commands before booting.
Once selected choose kernel and press e once more.
Add init=/bin/bash to kernel parameters. After you added bash to kernel parameters hit Enter.
Press b key and wait for vRealize Orchestrator Appliance to boot.
In order to reset password type passwd root. Enter new password twice and you are done.
To finish root password recovery reboot appliance and check if you can login with newly set password.

Summary

As you see resetting root password isn’t that complicated. One could ask why is this process so easy? It is because GRUB changes are not protected. In next post I will show you how to secure your Appliance GRUB.

It is extremely important to have proper RBAC - Role Base Access Control so unauthorized people will not have access rights to your core infrastructure.

How to use Managed Service Accounts with vCenter Server

Tue, 10 Nov 2015 14:25:28 +0000

Many of the IT environments have so called security driven approach. Every time I hear that something has to be implemented it is because security said so. Don’t get me wrong - by all means I like to be secure and compliant. In my opinion there should be balance between Security and Costs.

I have found very nice chart which shows that.

In Today post I will show you how to configure vCenter Server to work with MSA.

Managed Service Account and Group Managed Service Account - what is that?

Managed Service Account was introduced by Microsoft with release of Windows Server 2008 R2.The best description is from Microsoft Technet Article.

The managed service account is designed to provide crucial applications such as IIS with the isolation of their own domain accounts, while eliminating the need for an administrator to manually administer the service principal name (SPN) and credentials for these accounts. It is a managed domain accounts that provides automatic password management and simplified SPN management. Virtual accounts are “managed local accounts” that can use a computer’s credentials to access network resources.

Group Managed Service Accounts was released with Windows Server 2012.

The group Managed Service Account provides the same functionality within the domain but also extends that functionality over multiple servers.

Unfortunately MSA was not ideal solution to most user problems due to limitations. With release of gMSA many more use cases might be found to use them. See table below with supported applications with MSA and gMSA supported applications.


	Managed Service Accounts	Group Managed Service Accounts
Microsoft Exchange	Supported	Supported
Microsoft IIS	Supported	Supported
Microsoft SQL Server	Not Supported	Supported
Task Scheduler	Not Supported	Supported

Which MSA should I use then some of you might ask. That depends how will you plan your environment. If you want to use same MSA account on several computers than you should use gMSA. If you will use MSA account on one server than you should use MSA.

Managed Service Account and Group Managed Service Account- prerequisites

Managed Service Accounts require the Active Directory schema to be updated to the Server 2008 R2 version.

Group Managed Service Accounts require the Active Directory schema to be updated to the Server 2012 version.

In my test lab I will show you how to run vCenter Server services and Microsoft SQL Server using Managed Service Accounts.

Managed Service Account creation

Open PowerShell and import module Active Directory.

`1`	`Import-Module ActiveDirectory`

To create a standalone managed service account which is linked to a specific computer, we will use the -RestrictToSingleComputer parameter in New-AdServiceAccount command.

`1`	`New-ADServiceAccount -Name vmwareafd -RestrictToSingleComputer`

In the next step we will associate newly created MSA account to computer.

`1`	`Add-ADComputerServiceAccount -Identity vcenter -ServiceAccount vmwareafd`

On the target computer where we will install MSA open PowerShell, install Active Directory module (if it is not installed previously).

1
2

Import-Module ServerManager
Add-WindowsFeature Rsat-AD-PowerShell

Import Active Directory module (see first step) and install MSA account.

`1`	`Install-ADServiceAccount vmafd`

Last step is to change log on account. Remember to clear password and Confirm password fields.
Newly added account to service will be granted Log On As A Service right.

VMware vCenter Server Services

Below you can find all vCenter Server services. In third column you can see MSA account names.


Service Display Name	Service Name	MSA account name
VMware afd Service	VMWareAfdService	vmvafd
VMware Certificate Service	VMWareCertificateService	vmcertservice
VMware Component Manager	VMwareComponentManager	vmcomponentmgr
VMware Content Library Service	vdcs	vmcontentlibr
VMware Directory Service	VMwareDirectoryService	vmdirservice
VMware ESX Agent Manager	EsxAgentManager	vmesxmanager
VMware HTTP Reverse Proxy	rhttpproxy	vmrhttproxy
VMware Identity Management Service	VMwareIdentityMgmtService	vmidentservice
VMware Inventory Service	invsvc	vminvservice
VMware License Service	vmware-license	vmlicservice
VMware Message Bus Config Service	mbcs	vmmbcs
VMware Performance Charts	vmware-perfcharts	vmperfchar
VMware Security Token Service	VMwareSTS	vmsts
VMware Service Control Agent	VMwareServiceControlAgent	vmsvcctrlag
VMware Syslog Collector	vmSyslogCollector	vmsyslogcoll
VMware System and Hardware Health Manager	vmwarevws	vmhwmanager
VMware USB Arbitration Service	VMUSBArbService	vmusbarbit
VMware vAPI Endpoint	vapiEndpoint	vmvapiend
VMware vCenter Configuration Service	vmware-cis-config	vmcisconfig
VMware vCenter workflow manager	vmware-vpx-workflow	vmvpxworkflow
VMware VirtualCenter Server	vpxd	vmvpxd
VMware vService Manager	VServiceManager	vmvservicemng
VMware vSphere Auto Deploy Waiter	vmware-autodeploy-waiter	vmadwaiter
VMware vSphere ESXi Dump Collector	vmware-network-coredump	vmdumpcoll
VMware vSphere ESXi Dump Collector WebService	VMWareNetworkCoredumpWebserver	vmdumpcollweb
VMware vSphere Profile-Driven Storage Service	vimPBSM	vmpdss
VMware vSphere Web Client	vspherewebclientsvc	vmwebclient

The next step is to import all MSA accounts to target computer. I simply added accounts using Computer Management.

Once we have all accounts added to local Administrators groups we will stop all vCenter Services and replace user accounts associated to each service.

I had to add WOJCIEH\vminvservice$, WOJCIEH\vmvpxd$ account as security login to vCenter Server and MSDB databases. This is needed to start vCenter Server service. If you will not do it you will see errors like this.

After all changes and some tweaking we have fully functional vCenter Server running with MSA accounts.

Virtual Accounts

However with vCenter Server 6.0 new concept of virtual accounts was introduced. Following VMware KB explains this concept: Use of virtual accounts for services on a Windows vCenter Server 6.0 (2124709).From VMware KB we see that following services are used as virtual accounts.


Service	Service Account
VMware Component Manager	NT SERVICE\VMwareComponentManager
VMware Content Library Service	NT SERVICE\vdcs
VMware ESX Agent Manager	NT SERVICE\EsxAgentManager
VMware Message Bus Config Service	NT SERVICE\mbcs
VMware Performance Charts	NT SERVICE\vmware-perfcharts
VMware Postgres	NT SERVICE\vPostgres
VMware vAPI Endpoint	NT SERVICE\vapiEndpoint
VMware vCenter workflow manager	NT SERVICE\vmware-vpx-workflow
vmware vService Manager	NT SERVICE\VServiceManager
VMware vSphere Audo Deploy Waiter	NT SERVICE\vmware-autodeploy-waiter
VMware vSphere Web Client	NT SERVICE\vspherewebclientsvc

As VMware guru you have to consider all cons and pros of each solution and decide to go with MSA accounts or not.

Summary

It took me a while to check prepare this post but I am happy that I could prove that MSA accounts are working as well with vCenter Server. What is unknown if VMware Support will help you if you are using MSA accounts. If you wish I can check as well if Group Managed Accounts are working with vCenter Server 6.0.

Installing signed SSL certificates in HP c7000 enclosure

Wed, 23 Sep 2015 07:00:15 +0000

Installing signed SSL certificate in HP c7000 enclosure isnt’ difficult thing to do. From my experience most of the time you will spend is to setup Certificate Authority. If you work in bigger company most likely you already have working Certificate Authority. If you don’t have it you certainly can create it.

Here you can find some guides how to install Certificate Authority:

Linux based Certificate Authority https://jamielinux.com/docs/openssl-certificate-authority/
Windows based Certificate Authority http://www.rickroetenberg.com/install-certificate-authority/

Installing signed SSL certificates in HP c7000 enclosure

In my particular setup I used Certificate Authority which use certificate-signing request (CSR). You can read more in Wikipedia: https://en.wikipedia.org/wiki/Certificate_signing_request.

Generating certificate-signing request in HP c7000 enclosure

Login to enclosure and go to Enclosure Information, expand Active Onboard Administrator and select Certificate Administration. You will see details about your old self signed certificate.
As I mentioned at the beginning we will use CSR request with Certificate Authority. I will not go through CSR signing itself. Switch to Certificate Request tab and select Generate a certificate-signing request (CSR). You need to fill in mandatory fields with asterisk *****.
Country (C)
State or Provice (ST)
City or Locality (L)
Organization Name (O)
Common Name (CN)
Again - if your CA supports additional optional information than by all means use it. Some Certificate Authorities simply strip certificates from that information - it depends how is it configured.
Once you filled all information click Apply and CSR will be generated.
As you can see on picture below CSR is generated.
Once you will upload CSR to your CA and generate certificate from it export it to Base-64 encoded X.509 (.CER) format.
Last thing we have to do is to import certificate into Onboard Administrator. Navigate to Certificate Upload, paste your signed certificate and click Upload.
Once certificate is uploaded you will be signed out and SSL certificate will be replaced.
Onboard Administrator is uploading certificate.
Wait until your sessions is reloaded.
As you see my certificate is replaced and valid.

Summary

As you see procedure is fairly simple (besides Certificate Authority itself). What you need to do next is replace standby Onboard Administrator certificate.

HP OneView SSL certificate replacement

Tue, 07 Jul 2015 08:56:35 +0000

In my previous post we configured HP OneView to manage HP c7000 enclosure. Today I will show you how to replace self signed certificate with one from trusted Certificate Authority.

Login to your appliance and in main menu click **Settings.
In Actions menu click Create certificate signing request.
In Certificate Signing Request section fill necessary field - Country, State or province, City. Common name will be taken from appliance settings. Fill only fields which are relevant and used by your Certificate Authority.
Once you fill all fields click OK and you will see base64 encoded certificate request.
Go through certificate approval process and once it is done you can upload signed certificate to your appliance.
In Actions menu click Import Certificate.
Paste base64 encoded certificate into field and click OK.
Wait for certificate import.
Once it is imported click in main Setting menu Certificate.
You will see in your browser that certificate is valid (trusted) and you can view details of you certificate.

This concludes how to install signed SSL Certificate in HP OneView.

How to generate new self-signed certificate in HP c7000 enclosure

Mon, 09 Mar 2015 14:36:04 +0000

For a period of days I am working on replacing self-signed certificates in my environment and I found one issue with my enclosure. My certificate authority supports only 2048 Bits Certificate Signing Requests and in my case enclosure had 1024 Bits certificate. I found solution how to quickly fix problem and replace self-signed certificate.

Hardware details:

HP c7000 enclosure

Onboard Administrator: 4.30

How to generate 2048 Bits certificate

Procedure itself is really simple. According to HP documentation http://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c03659074 if you reset Onboard Administrator then new key will be generated.

HP info

To switch from 1024-bit to 2048-bit keys you needed to first reset the OA configuration to factory defaults which would cause the generation of new keys.

Certificate generation

Starting from Onboard Administrator version 3.56 you can do it easier.

Simply login to Onboard Administrator using SSH and execute this command

`1`	`generate key all 2048`

You will be asked if you want to regenerate private keys. Answer yes and Onboard Administrator will be restarted.

After restart you will have new fresh 2048 Bits certificate.

Repeat same step for second Onboard Administrator.

HP OneView overview and installation

Wed, 11 Feb 2015 09:00:00 +0000

Introduction

I have worked with HP Hardware (rack and blade servers) for more than five Years. I think that blades and HP enclosure is fantastic product and has wonderful capabilities.

However when your business grows it happens as well with your infrastructure - more and more enclosures are purchased and more blades are deployed. Managing all that stuff starts being difficult. Where is this blade? Do I have same VLAN’s in enclosures? What kind of firmware version I have in enclosure A and in enclosure B?

You probably have same experience as I have so you will really like when I will tell you a bit more about HP OneView. I promise I will not bother you with marketing bullshit but my impression of the tool and some core functions.

The Idea

I believe HP overslept when Cisco announced its blades technology. For me Cisco did perfect thing - in one fabric interconnect you can have up to 320 blades which translates into 40 enclosures you can manage from single UI! This is AWESOME!

HP of courses allowed you to use Enclosure Linked Mode or Virtual Connect Multi Stacking but this is completely different idea introduced in HP OneView. In HP OneView you can connect up to 40 enclosures which gives you maximum of 640 blades you can manage from one single interface!

Features

Pure HTML5 interface
RESTful APIs
Integration with VMware vCenter Server
Server Profiles where you control: firmware, BIOS settings, network connectivity, boot order, iLO settings
Native integration with HP 3PAR storage which allows you to
Templates for components:
- Enclosures - you keep the same configuration across enclosures
- Logical Interconnect group
- Uplink Set
- Network set
One place to monitor up to 40 Enclosures
One place to manage all of your servers
Data center visualization
Asset location
Management and configuration of HP ProLiant servers
SSO to iLO and Onboard Administrator

Licensing and Pricing

HP OneView comes with two licensing models:

HP OneView Standard - used for inventory purposes, health monitoring, alerting and reporting. It supports the following generation of Blades - G6, G7, G8 and G9.
HP OneView Advanced - additional purchase and is licensed per physical server. Can be used free of charge for 60 days.

Support and Compatibility Matrix

One of most important things in corporate environments is support. I recommend to view HP Support Matrix you can view here: HP OneView Support Matrix. In this document you can see as well:

Appliance requirements
Supported hardware
Configuration Maximus

Appliance requirements

HP OneView is delivered as virtual appliance. It requires the following amount of resources:

VMware vSphere 5.*
2 vCPU
10GB of RAM
160GB of disk space

Minimum supported firmware to be able to use OneView:

HP Virtual Connect - 3.15
HP Onboard Administrator -3 .0
HP iLO 3 - 1.2
HP iLO 4 - 1.01

HP OneView installation

Once you downloaded it from HP website you should install OneView, adjust your network settings to existing environment and then you can power on Virtual Machine.

Please refer to one of my earlier post how to deploy OVF Template https://www.wojcieh.net/deploying-ovf-template-using-vsphere-client-and-vsphere-web-client/.

HP OneView startup takes a lot of time so be patient. Once it is up and running we start with accepting HP OneView License.
You can enable Application Support. Basically it allows HP Support to get access to your system through system console to fix issues you reported. Choose appropriate setting and clock OK.
Login to HP OneView using credentials. Username - Administrator, password - admin and click OK.
You will be asked to change default password to new one. Do it and click OK.

HP OneView initial configuration

Once we finished we need to provide several details to complete initial configuration.

Choose FQDN name for HP OneView.
Provide either Manual or DHCP IP address.
Enter Preffered DNS server and alternate DNS server.
Select IPv6 configuration.
In Time and Language section choose right time synchronization setting. You can synchronize time with VM host or use time server.
Select default language and locale settings from the list.
After we finished with initial configuration click OK and wait for HP OneView configuration.
Once your configuration is saved and validated you can login to HP OneView via Browser.

Summary

As I mentioned at the beginning - HP overslept a bit with their management tools. I strongly believe that HP OneView is the tool you will really like to use in your environment. From my side it is pity that it doesn’t support G6 Blades fully - just monitoring purposes. The problem is with mixed environments where you still have some old crappy Unix/Linux production servers nobody want’s to touch and migrate to never hardware.

I like the tool very much and I am using it more and more by daily basis.

Great Job HP!

HP c7000 Blade Enclosure Configuration

Wed, 28 Jan 2015 09:00:33 +0000

Managing you blade infrastructure might be sometimes challenging. I decided to guide you through components of HP c7000 Enclosure and components you can use. After short introduction I went through initial configuration and additional settings which I thing are quite useful.

HP c7000 Enclosure overview

The HP BladeSystem c7000 Enclosure goes beyond just Blade servers. It consolidates server, storage, networking and power management into a single solution that can be managed as a unified environment.

The BladeSystem c7000 enclosure provides all the power, cooling, and I/O infrastructure needed to support modular server, interconnect, and storage components today and throughout the next several years. The enclosure is 10U high and holds up to 16 server and/or storage blades plus optional redundant network and storage interconnect modules.

Intelligent Infrastructure support: Power Discovery Services allows BladeSystem enclosures to communicate information to HP Intelligent PDUs that automatically track enclosure power connections to the specific iPDU outlet to help ensure redundancy and prevent downtime. Location Discovery Services allows the c7000 to automatically record its exact location in HP Intelligent Series Racks, eliminating time-consuming manual asset tracking.

HP BladeSystem Onboard Administrator is the built-in enclosure management processor, subsystem, and firmware base used to support the HP BladeSystem c-Class enclosures and all the managed devices contained within them. Onboard Administrator provides a single point from which to perform management tasks on server blades or switches within the enclosure.

Together with the enclosure’s HP Insight Display, the Onboard Administrator was designed for both local and remote HP BladeSystem c-Class administration.

This module and its firmware provide:

Wizards for simple, fast setup and configuration
Highly available and secure local or remote access to the HP BladeSystem infrastructure
Security roles for server, network, and storage administrators
Automated power and cooling of the enclosure
Agentless device health and status
Power and cooling information and control

Each enclosure ships with an Onboard Administrator module/firmware. HP BladeSystem Platinum Enclosures can be configured with redundant Onboard Administrator modules to provide uninterrupted manageability of the entire enclosure and blades. When two Onboard Administrator modules are present, they work in an active-standby mode, assuring full redundancy of the enclosure’s integrated management.

HP c7000 Enclosure specification

Technical features

System fan features

10 Active Cool 200 Fans

Form factor

8 Full Height Blades/16 Half-Height Blades
Mixed configurations supported

BladeSystems supported

HP ProLiant, Integrity and Storage blades in either mixed or homogenous configurations

Management features

OneView (OV) software License

Power availability

2400W (6) 1 phase Platinum power supply kits

What’s included

(1) HP BLc7000, (6) Power Supplies, (10) Fans, (1) Onboard Administrator with KVM, and, (16) ROHS Full Licenses OneView

Product differentiator

1 Phase 6 Pwr Supplies 10 Fans ROHS 16 OV Lic

Warranty

3/3/3 (parts-labor-onsite)

Dimensions and weight

Dimensions (W x D x H)

75.89 x 60.65 x 101.29 cm (29.88 x 23.88 x 39.88 in)

Weight

136.08 kg (300 lb)

HP c7000 Enclosure interconnects

HP Virtual Connect

HP Virtual Connect is an essential building block for any virtualized or cloud-ready environment. This innovative, wire-once HP connection management simplifies server connectivity, making it possible to add, move, and change servers in minutes vs. hours or days. Virtual Connect is the simplest way to connect servers to any network and reduces network sprawl at the edge by up to 95 percent.

Main two types Virtual Connect modules used by customers are HP Virtual Connect FlexFabric and HP Virtual Connect Flex-10.

HP Virtual Connect FlexFabric

In short word first one act as pass-thru device and is compatible with all other NPIV standards-based switch products. Any changes to the server are transparent to its associated network, cleanly separating the servers from SAN and relieving SAN Administrators from server maintenance.

QuickSpecs

Performance

(8) 2/4/8Gb Auto-negotiating Fibre Channel uplinks connected to external SAN switches
(2) Fibre Channel SFP+ Transceivers included with the Virtual Connect Fibre Channel Module
(16) 1/2/4/8Gb Auto-negotiating Fibre Channel downlink ports provide maximum HBA performance
HBA Aggregation on uplinks ports using ANSI T11 standards-based N_Port ID Virtualization (NPIV) technology
Allows up to 255 virtual machines running on the same physical server to access separate storage resources
Extremely low latency throughput provides switch-like performance.

Management

Storage management is no longer constrained to a single physical HBA on a server blade
Managed with the Virtual Connect Ethernet Module
Does not add to SAN switch domains or require traditional SAN management
Appears as a pass-thru device to the SAN Manager

Virtual server profiles

Provisioned storage resource is associated directly to a specific virtual machine - even if the virtual server is re-allocated within the BladeSystem
Ability to pre-configure server I/O connections
Ability to move, add, or change servers on the fly
Once defined, SAN Administrators don’t have to be involved in server changes

HP Virtual Connect Flex-10/10D

Performance

16 x 10Gb downlinks to server NICs
Each 10Gb downlink supports up to 4 FlexNICs or 3 FlexNICs and 1 iSCSI FlexHBA
Each iSCSI FlexHBA can be configured to transport Accelerated iSCSI protocol.
Each FlexNIC and iSCSI FlexHBA is recognized by the server as a PCI-e physical function device with adjustable speeds from 100Mb to 10Gb in 100Mb increments when connected to a HP NC553i 10Gb 2-port FlexFabric Converged Network Adapter or any Flex-10 NIC and from 1Gb to 10Gb in 100Mb increments when connected to a NC551i Dual Port FlexFabric 10Gb Converged Network Adapter or NC551m Dual Port FlexFabric 10Gb Converged Network Adapter including NC554FLB Dual Port FlexFabric Adapter
4 x 10Gb cross connects for redundancy and stacking
10 x 10Gb SR, LR, or LRM fiber and copper SFP+ uplinks
Supports up to 4 FlexNICs per 10Gb server connections.
Each FlexNIC is recognized by the server as a PCI-e physical function device with customizable speeds from 100Mb to 10Gb.
Line Rate, full-duplex 600 Gbps bridging fabric
1.0 μs latency
MTU up to 9216 Bytes - Jumbo Frames
Supports up to 128K MAC addresses and 1K IGMP groups
VLAN Tagging, Pass-Thru and Link Aggregation supported on all uplinks
In tunneled VLAN mode, up to 4,096 networks are supported per network uplink and server downlink. In mapped VLAN mode, up to 1,000 networks are supported on network uplinks per Share Uplink Set, domain or module and on server downlinks up to 162 networks are supported per 10Gb physical port (VC v3.30 or later).
Stack multiple Virtual Connect Flex-10/10D modules with other VC Flex-10/10D, VC FlexFabric or VC Flex-10 across up to 4 BladeSystem enclosures allowing any server Ethernet port to connect to any Ethernet uplink

Management

Virtual Connect Manager is included with every module
HTTPS and a secure, scriptable CLI interface is ready out of the box. Easy setup and management via the Onboard Administrator interface
SNMP v.1, v.2 and v.3, provide ease of administration and maintenance.
Port Mirroring on any uplink provides network troubleshooting support with Network Analyzers
IGMP Snooping optimizes network traffic and reduces bandwidth for multicast applications such as streaming applications
Role-based security for network and server administration with LDAP, TACACS+ and RADIUS compatibility
Remotely update Virtual Connect firmware on multiple modules using Virtual Connect Support Utility 1.10.1 or greater
CLI auto-filling with TAB key
GUI and CLI session timeout for security
QoS configurable based on DOT1P and DSCP
Configurable filtering of multicast traffic
sFlow monitoring

Virtual Connect Server Profiles

Create up to 4 individual FlexNICs with their own dedicated, customized bandwidth per 10Gb downlink connection.
Set FlexNIC speeds from 100Mb to 10Gb per connection
Allows setup of server connectivity prior to server installation for easy deployment
Ability to move, add, or change server network connections on the fly
Once defined, LAN and SAN administrators don’t have to be involved in server changes

Fibre Channel Switches

Brocade 8Gb SAN Switch

Advanced Fabric Services

Hardware Enforced Zoning (included)
Dynamic Path Selection (included)
WebTools (included)
Enhanced Group Management (EGM)
Power Pack+ fabric services software bundle (optional)
- Fabric Vision
- ISL Trunking
- Fabric Watch
- Extended Fabrics
- Advanced Performance Monitoring
Secure Fabric OS (included in base FOS)
SAN Network Advisor (optional)

Manageability

WebTools (included)
Enhanced Group Management (EGM)
Advanced Performance Monitoring (optional Power Pack+ upgrade)
HP OnBoard Administrator (included with HP BladeSystem)
HP Systems Insight Manager (included with HP BladeSystem)
HP Storage Essentials (optional)
API
SNMP

Interoperability

Brocade Access Gateway enables Brocade embedded SAN switches to interoperate with other SAN fabrics running supported firmware. While in Brocade Access Gateway mode, the device must also be connected to an NPIV-enabled edge switch or director. Supported edge environments are listed in the Brocade Fabric OS® release notes.

HP c7000 Enclosure configuration

HP c7000 Enclosure configuration - Insight Display

First step to configure enclosure is IP address configuration using Insight Display.

Navigate to Enclosure Settings
Navigate to Active OA and click OK.
Navigate to Active IPv4 and click OK.
Choose proper value - static IP configuration or DHCP and click OK.
Interface will direct you to Accept button. Click OK.
Now you can enter your IP address. It takes a while and after setting IP address go to Accept.
Do the same with second Onboard Administrator module and now we can switch to web based configuration.

HP c7000 Enclosure configuration - First Time Setup Wizard

After you successfully login to enclosure you will be welcome by First Time Setup Wizard. We will go through it since it configure majority of settings.

Check Do not automatically show this wizard again if you don’t want to be bothered again by this wizard. Click Next.
On the next screen you can choose to enable FIPS (Federal Information Processing Standards) which is in simple words set of standard cryptographic modules. Select it according to your needs.
Select your enclosure and click Next.
If you have previously saved configuration file you can use it to set up enclosure.
Configure Rack Name, Enclosure Name and Date and Time. I suggest to use NTP server to have always up to date time and date settings.
You can change password for Administrator and enable PIN protection before using the enclosure’s Insight Display. Click Next.
In next section we can create additional Local User Accounts. Let us create one just to show you how do we do it. Click New.
Provide User Name, password and Privilege Level. On the right part of the screen choose where user should have access. At the end click Add User.
On the next screen we will configure EBIPA - Enclosure Bay IP Addressing. EBIPA is internal DHCP scope for Blades iLO and devices in enclosure bays (HP Virtual Connect or HP Access Gateway). Click Next.
We need to fill in First EBIPA Address, Subnet Mask, Gateway, Domain and DNS Servers. Next step is to click button Autofill which will fill in whole range.
We do the same for Interconnect Bays and click Next.
You can configure IPv6 in the same way. I skipped this and I moved ahead to next step.
Next step is to configure Directory Groups.
Click New and add Group Name, set privilege level and gave group necessary permissions. After that click Add Group.
Click Next and we will setup Directory Settings.
Select Enable LDAP Authentication and Use NT Account Name Mapping (DOMAIN\username). Provide following settings:
- Directory Server Address.
- Directory Server SSL Port.
- Search Context.
Click Next and we will go ahead to Network Settings.
Provide settings for both Onboard Administrator modules:
- DNS Host Name
- IP Address
- Subnet Mask
- Gateway
- DNS Server 1
- DNS Server 2
Click Next ( I skipped IPv6 configuration) and we will go ahead with next wizard setting.
Almost at the end you can configure SNMP Settings. In my wizard I skipped it.
Last step is to set Power Management settings.
- Power Mode - select AC Redundant, Power Supply Redundant or Not Redundant.
- AC Redundant - In this configuration N power supplies are used to provide power and N are used to provide redundancy.
- Power Supply Redundant: Up to 6 power supplies can be installed with one power supply always reserved to provide redundancy.
- Not Redundant: No power redundancy rules are enforced and power redundancy warnings will not be given.
Dynamic Power - This mode is off by default since the high-efficiency power supplies save power in the majority of situations. When enabled, Dynamic Power attempts to save power by running the required power supplies at a higher rate of utilization and putting unneeded power supplies in standby mode.
Power Limit - Power Limit AC Input Watts over this set limit.
Click Next and you will finish First Time Setup Wizard.

HP c7000 Enclosure configuration - Additional Settings

HP c7000 Enclosure additional settings - Directory Settings

In order to use Active Directory authentication we need to import domain controller certificate into enclosure.

Go to Users/Authentication expand Local Users and click to Directory Settings.
Click on Certificate Upload, paste your certificate and click Upload.
Last step is to test settings. Navigate to Test Settings tab. In order to do it give username and password and click test settings.
After you click Test Settings you have to wait a while for test result.
If everything is set up correctly you should see success. In my case I don’t have Passed in all cases because I can’t ping domain controller, but authentication works.

HP c7000 Enclosure additional settings - Enclosure IP Mode

Similar to Virtual Connect Module, Onboard Administrator support “virtual IP mode”. In simple words it means that by accessing OA you will be always redirected to active OA in enclosure. In order to enable it go to Enclosure Settings click Enclosure TCP/IP Settings and you will find setting in IPv4 Settings tab. Select Enclosure IP Mode and click Apply.

HP c7000 Enclosure additional settings - Onboard Administrator Active/Standby Transition

Another quite useful feature in Onboard Administrator is possibility to switch between Active and Standby OA. In order to switch you simply need to click Transition Active to Standby in Enclosure Settings, Active to Standby.

HP c7000 Enclosure additional settings - Link Loss Failover

Link Loss Failover allows monitoring of network link status of the Active Module. If we enable this function in case Active OA loose network automatic failover to Standby OA will happen. To enable it navigate to Enclosure Settings and click Link Loss Failover. Select Enable Link Loss Failover, provide Failover Interval in seconds and lick Apply.

Summary

This concludes HP c7000 Enclosure configuration. I hope you will find it useful and you enjoyed it.

HP Virtual Connect Module Configuration – Part2

Wed, 14 Jan 2015 08:00:40 +0000

In the second post I will guide you through configuration of networks and providing network connectivity to Blade Servers.

Virtual Connect configuration - Connections

After quite long introduction and setup it is time to setup some networking.

Virtual Connect Connections - Shared Uplink Sets

We start our Virtual Connect Module networking configuration in Shared Uplink Sets section.

Click Add and in next section we have to provide some additional information

Give Uplink Set meaningful name and select ports where you have connected uplinks.

Select LACP Timer - best idea would be to discuss this setting with networking team. Remember that settings configured in Virtual Connect have to cooperate with existing networking infrastructure.

Virtual Connect Connections - Ethernet Networks

Next step is to add VLAN tagged networks in uplink set.

Click Add and provide following information:

Network Name - human friendly network name. For example - Production
VLAN ID: correct VLAN number
Optional: Color and Label
Native - Identifying an associated network as the native VLAN causes all untagged incoming Ethernet packets to be placed onto this network. Only one associated network can be designated as the native VLAN. All outgoing Ethernet packets are VLAN tagged.
Smart Link - Enabling Smart Link configures the network so that if all external links lose their link to external switches, Virtual Connect drops the Ethernet link on all local server blade Ethernet ports connected to that network. This feature can be useful when using certain server network teaming (bonding) configurations.
Private Network - The Private Networks option provides extra networking security. When checked, the network is configured so that all server ports connected to it cannot communicate with each other within the Virtual Connect domain. All packets from servers are sent through the VC domain and out the uplink ports only. Servers on the network can only communicate with each other through an external Layer 3 router that redirects the traffic back to the VC domain.

Virtual Connect Connections - Server Profiles

The last thing to provide networking connectivity to servers we need to create server profile which will have desired networks. In order to do it navigate to Server Profiles and click icon to create new profile.

Next window will open where you can configure networking for blade. Below you see empty profile without any settings.

Server Profile with one network per NIC

Here is sample profile where one network adapter is assigned to one Ethernet network. Simply click **Select a network **and pick it from previously created networks.

I entered following settings:

Profile Name: Your friendly name for profile

Hide Unused FlexNICs: selected

Ethernet Adapter Connections: Select as many networks as required. In my example I have eight network adapters.

Port Speed Type: You can select it according to your needs.

If the speed type is “Auto”, the maximum port speed is determined by the maximum configured speed for the network. If the speed type is “Preferred”, the speed of the network is the same as the preferred speed of the network to which the connection is associated. If no preferred speed is configured for a network, it defaults to “Auto”.

Last thing you have to select is Assign Profile to Server Bay.

Server Profile with multiple networks per NIC

In order to have multiple networks in NIC select **Multiple Networks **and select desired networks from the list.

The last thing to do is select speed for NIC.

And here you can see how complete profile looks like.

Please bare in mind that even though you configured speed for your network connections you will not see it in profile until you power on your server.

Additional resources

In the last section of this post I would like to share with you some interesting links to documentation and guides.

Technical white paper Overview of HP Virtual Connect technologies
HP Virtual Connect Flex-10 10Gb Ethernet Module for BladeSystem
c-Class - overview
HP Virtual Connect for c-Class BladeSystem Setup and Installation Guide
HP Virtual Connect for c-Class BladeSystem User Guide
Virtual Connect for Dummies

HP Virtual Connect Module Configuration – Part1

Wed, 07 Jan 2015 08:00:22 +0000

Welcome to first post about HP Virtual Connect Module configuration. In first post we will focus on initial Virtual Connect Module configuration and some additional settings which are important from my point of view.

What is HP Virtual Connect?

HP developed Virtual Connect technology to simplify networking configuration for the server administrator using an HP BladeSystem c-Class environment. The baseline Virtual Connect technology virtualizes the connections between the server and the LAN and SAN network infrastructure. Virtual Connect adds a hardware abstraction layer that removes the direct coupling between the LAN and SAN. Server administrators can physically wire the uplinks from the enclosure to its network connections once, and then manage the network addresses and uplink paths through Virtual Connect software.

Virtual Connect interconnect modules provide the following capabilities:

Reduces the number of cables required for an enclosure, compared to using pass-thru modules.
Reduces the number of edge switches that LAN and SAN administrators must manage.
Allows pre-provisioning of the network, so server administrators can add, replace, or upgrade servers without requiring immediate involvement from the LAN or SAN administrators.
Enables a flatter, less hierarchical network, which reduces equipment and administration costs, reduces latency, and improves performance.
Delivers direct server-to-server connectivity within the BladeSystem enclosure. This is an ideal way to optimize for east/west traffic flow, which is becoming more prevalent at the server edge with the growth of server virtualization, cloud computing, and distributed applications.
Provides direct-attach SAN and dual-hop Fibre Channel over Ethernet (FCoE) capabilities to extend cost benefits further into the storage network.

Configuration prerequisites

I assume that you have:

existing HP enclosure configured with Onboard Administrator
EBIPA is configured so you can access Virtual Connect module
you have local Administrator password for Virtual Connect module

Virtual Connect configuration - initial Wizard

Once you login to Virtual Connect you will see Virtual Connect Manager Domain Setup Wizard. I will guide you through wizard and I will show you additional steps to configure it completely.

On initial screen click Next.
In the next step we have possibility to import previously exported enclosure - or simply its configuration. We skip this step and click next.
Next step is to import enclosure. In the initial configuration Local Enclosure is already pre-selected, we need to provide username and password.
Click Next and wait for enclosure import.
Virtual Connect import is done and now you are ready to create Virtual Connect domain.
In my case I inserted previously used Virtual Connect in other enclosure and I have possibility to use locally discovered domain configuration. However we will create completely new domain.
On confirmation page click Yes.
Wait for import and after a while import will be successful.
It might take up to five minutes to import enclosure and click Next.
Provide name of Virtual Connect Domain and click Next.
If needed create additional Local User Accounts. We will skip this because we will configure Virtual Connect with Active Directory.
Last step in Wizard is the possibility to go through Network Setup Wizard. We will skip this section for now because it will be covered later on.

Virtual Connect configuration - Domain Settings

After clicking Finish you will be redirected to Virtual Connect Manager webpage. In this section we will focus on additional settings.

Virtual Connect Domain Settings - IP Address

In the IP Address section I use Virtual Connect Domain IPV4 Address. In short words this is virtual IP address used to manage both Virtual Connect Modules. If you will use this setting there is no longer need to use per VCM module IP but to use one IP.

Go to Domain Settings and click IP Address. Select Use Virtual Connect Domain IPv4 Address or IPv6. Provide IPv4 or IPv6 address, Subnet Mask and Gateway (for IPv4) and Gateway for IPv6. Click Apply.

You will be logged out and redirected to virtual IP Address you configured.

Virtual Connect Domain Settings - Backup/Restore

Another quite important section is **Backup/Restore. **In here you can backup you entire Domain configuration with encryption key or restore previously configured domain. ,

In my opinion there are two interesting check boxes in restore section:

Ignore enclosure serial number in restored configuration file

Selecting this check box will allow you to restore configuration of entire domain from another Virtual Connect module.
Ignore firmware version in restored configuration file

Selecting this check box will allow you to ignore firmware version during import. Imagine you received new Virtual Connect module with never firmware and you want to have same configuration as the other enclosures.

Virtual Connect configuration - Users/Authentication

Another section I recommend to focus on is Users/Authentication Item. Whenever I can I use Active Directory integrated authentication. Virtual Connect Module is capable of having local and use Active Directory users/groups.

Virtual Connect Users/Authentication - Local User Accounts

If in your environment you can’t use Active Directory authentication local user accounts have to be used.

From the settings above I suggest to use policy **Require Strong Passwords **with minimum 8 characters in passwords. From the usability point of view you might extend session timeout to bigger value than 15 minutes. Besides that you can assign specific user to specific role - for example user A can update firmware and user B can configure domain.

Virtual Connect Users/Authentication - LDAP Settings

In order to use Active Directory authentication you need to provide some information.

LDAP Server Address: provide IP or FQDN to your domain controller or for example Active Directory Load Balancer.

LDAP Server SSL Port: by default LDAPS is using port 636, if changed enter it.

Search Context. You need to provide distinguished name in format: CN=Group Name,OU=OU Name,DC=your domain name,DC=dot something

Use Windows NT Account Name Mapping: If you select this check box you can login to VCM using this format: domain\user. In case you don’t select it you will have to login using this format user@domain.something

Virtual Connect Users/Authentication - LDAP Groups

In this section we need to add new group.

Click add and provide Group Name.

Virtual Connect Users/Authentication - LDAP Certificate

The last thing we need to do is to upload X.509 certificate. You can do it from URL or paste it. Once you have it in click Upload and wait.

After configuration of following setting you will be able to use Active Directory authentication with Virtual Connect Module.

Virtual Connect Users/Authentication - SSL Cerificate Administration

If in your infrastructure you have exisiting PKI infrastructure it is possible to replace self signed SSL Virtual Connect certificate. In order to do it you need to upload it into Certificate Upload tab.

Virtual Connect Users/Authentication - SSH Administration

If you prefer to configure Virtual Connect Module through SSH you can secure it a bit more and use SSH Keys. In section SSH Administration you can paste or download SSH Keys from URL.

In this post we configured our Virtual Connect Module by creating domain and configuring base settings. In next post we will configure network connections and we will provide network connectivity to blades.

Migrate from Vyatta to VyOS

Wed, 25 Jun 2014 20:59:38 +0000

In my earlier posts I explained how to configure Vyatta as a router in VMware Workstation. Unfortunately Vyatta Community Edition is no longer available since Winter 2013. Luckily for us community fork **VyOS **started being developed so great router software still can be used for free.

VyOS

VyOS is a community fork of Vyatta, a Linux-based network operating system that provides software-based network routing, firewall, and VPN functionality.

Runs on both physical and virtual platforms.
Supports paravirtual drivers and integration packages for virtual platforms.
Completely free and open source.

You can download it for free using this link http://vyos.net/wiki/Main_Page.

How to migrate from Vyatta to VyOS?

Installaton of VyOS is as simple as Vyatta and there shouldn’t be any problem if you follow my earlier guides.

In order to migrate from Vyatta to VyOS we need to save current config from Vyatta and import it into VyOS. Please execute following command: show configuration commands and after that you will get nice and easy to implement commands in VyOS.

set firewall all-ping 'enable'
set firewall broadcast-ping 'disable'
set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
set firewall ip-src-route 'disable'
set firewall log-martians 'enable'
set firewall receive-redirects 'disable'
set firewall send-redirects 'enable'
set firewall source-validation 'disable'
set firewall syn-cookies 'enable'
set interfaces ethernet eth0 address '192.168.255.250/24'
set interfaces ethernet eth0 description 'WAN'
set interfaces ethernet eth0 duplex 'auto'
set interfaces ethernet eth0 smp_affinity 'auto'
set interfaces ethernet eth0 speed 'auto'
set interfaces ethernet eth1 address '10.0.0.1/24'
set interfaces ethernet eth1 description 'LAN'
set interfaces ethernet eth1 duplex 'auto'
set interfaces ethernet eth1 smp_affinity 'auto'
set interfaces ethernet eth1 speed 'auto'
set interfaces loopback 'lo'
set nat source rule 10 description 'LAN to WAN'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '10.0.0.0/24'
set nat source rule 10 translation address 'masquerade'
set service dns forwarding cache-size '150'
set service dns forwarding listen-on 'eth1'
set service dns forwarding name-server '192.168.255.254'
set service ssh port '22'
set system config-management commit-revisions '20'
set system console device ttyS0 speed '9600'
set system gateway-address '192.168.255.254'
set system host-name 'router'
set system login user vyatta authentication encrypted-password 'PASSWORD'
set system login user vyatta level 'admin'
set system name-server '192.168.255.254'
set system ntp server '0.vyatta.pool.ntp.org'
set system ntp server '1.vyatta.pool.ntp.org'
set system ntp server '2.vyatta.pool.ntp.org'
set system package auto-sync '1'
set system package repository community components 'main'
set system package repository community distribution 'stable'
set system package repository community password ''
set system package repository community url 'http://packages.vyatta.com/vyatta'
set system package repository community username ''
set system syslog global facility all level 'notice'
set system syslog global facility protocols level 'debug'
set system time-zone 'GMT'

In my case installation and migration took somewhere about 5 minutes.

VMware vSphere 5.5 Update 1 Hardening Guide

Sat, 07 Jun 2014 12:49:48 +0000

Mike Foley announced on VMware blog that vSphere 5.5 Update 1 Hardening Guide is released.

There are 4 new additions to the guide:

enable-VGA-Only-Mode: Used for server VM’s that don’t need a graphical console. e.g. Linux web servers, Windows Core, etc.
disable-non-essential-3D-features: Remove 3D graphic capabilities from VM’s that don’t need them.
use-unique-roles: A new companion control to use-service-accounts. If you have multiple service accounts then each one should have a unique role with just enough privs to accomplish their task. This is in line with least-priv operations
change-sso-admin-password: A great catch. When installing Windows vCenter, you’re prompted to change the password of administrator@vsphere.local. When installing the VCSA in a default manner you are not. This control reminds you to go back and do that.

The rest are formatting, spelling, clarification, etc.. One interesting change is the “enable-nfc-ssl” control. That has been renamed to “verify-nfc-ssl” now that SSL is enabled by default in 5.5 for NFC traffic. All of the changes are called out in the Change Log.

You can download it from here http://www.vmware.com/files/xls/HardeningGuide-vSphere5-5-Update-1-GA.xlsx

VMware vSphere 5.5 Hardening Guide

Wed, 12 Feb 2014 13:00:30 +0000

In October 2013 VMware released vSphere 5.5 Hardening Guide. I think this is quite an important document to keep your virtual environment safe and secure.

It consists great recommendations for several areas of vSphere stack - VM, ESXi, vNetwork, vCenter Server, VUM, SSO, WebClient, vCSA. It is delivered in handy Excel spreadsheet with the description of vulnerability and (which is, in my opinion, the “killer feature”) PowerCLI reference how to apply security recommendation.

There are two files - changelog and hardening guide.

vSphere 5.5 Hardening Guide changelog

vSphere 5.5 Hardening Guide

VMware ESXi 5.5 Active Directory authentication – step by step

Tue, 24 Dec 2013 18:00:36 +0000

Have you ever wondered if it is possible to skip creation of local user on each ESXi host and use only one account to rule them all?

If yes then I have good news for you - you can use Active Directory together with VMware ESXi. I will show you how you can do it in few steps.

Prerequisites:

In order to successfully authenticate Active Directory in ESXi hosts you must have:

Correct DNS servers configured on ESXi hosts
Your Active Directory account should have rights to add Computer objects in Active Directory

ESXi configuration

Login to ESXi using root account.
Navigate to **Configuration \ Authentication Services
Click Properties and change Local Authentication to Active Directory.
Enter domain name, click Join Domain and give User name and password for valid user account which can join computers to Active Directory.
You are done! Your ESXi server is added to Active Directory domain.
Now you need to assign user or group to specific role in ESXi. In order to do this navigate to Home \ Inventory \ Permissions and click Add Permission.

Select appropriate role (Administrator, Read-Only, No access) and provide user or group name.

How to remove Google Authenticator account?

Tue, 20 Aug 2013 19:49:45 +0000

Do you know Google Authenticator? I hope you do, because it is really key to increase security for your Google account.

You can read more about it on Wikipedia or on Google website. Anyway it is really good way to secure your other services as well. For instance LastPass is using Google Authenticator to two-step authentication, which will allow you to increase security of your WordPress. You can even install WordPress Plugin called Google Authenticator. I was using it for one week but I removed it after all - it was exaggeration IMHO.

Anyway - I was fighting with Internet because I didn’t know how to remove certain “account” from application.

In short words you just need to hold on account you want to remove and click on bin.

Vyatta – Router running on VMware Workstation – Part 3, Firewall Hardening

Wed, 31 Jul 2013 20:51:29 +0000

In part 2 of configuring Vyatta I implemented simple firewall rules which blocked all network traffic. Next step is to implement firewall rules which will allow us to connect to ESXi hosts as well to vCenter server.

Firewall hardening

In my case I opened following ports:

22 - SSH
53 - DNS
80 - HTTP
902 - vCenter Server / VMware Infrastructure Client - UDP for ESX/ESXi Heartbeat
903 - Remote Console
443 - Web Access
3389 - RDP

I didn’t open any extra port so far but opening firewall port is relatively easy. In order to do it type on Vyatta:

set firewall name WAN-TO-LAN rule 39
set firewall name WAN-TO-LAN rule 39 action accept
set firewall name WAN-TO-LAN rule 39 description “RDP to Domain Controller”
set firewall name WAN-TO-LAN rule 39 destination address 10.0.0.11
set firewall name WAN-TO-LAN rule 39 destination port 3389
set firewall name WAN-TO-LAN rule 39 source address 192.168.255.101
set firewall name WAN-TO-LAN rule 39 protocol tcp
set firewall name WAN-TO-LAN rule 39 log enable
set firewall name WAN-TO-LAN rule 39 state established enable
set firewall name WAN-TO-LAN rule 39 state new enable
set firewall name WAN-TO-LAN rule 39 state related enable

If you are following motto - work smart not hard then I suggest that you use firewall generator from a website. It will literally save you a lot of time to put all Firewall rules in place. You need to download excel file and put all ports you need to open in a specific rule. As on my example, you will see rules:

You can also download generated firewall rules prepared by myself using this link Vyatta_firewall.xls.

In case you don’t remember ports to open to allow communication to ESXi host and vCenter server you can find it in VMware KB http://kb.vmware.com/kb/1005189.

In next post, I will create trunk and LACP so much fun is coming 🙂

Vyatta – Router running on VMware Workstation – Part 2 DNS, Firewall and NAT

Wed, 17 Jul 2013 20:58:40 +0000

In previous post https://www.wojcieh.net/vyatta-router-running-on-vmware-workstation-part-1/ we configured basic network connectivity between two networks. Today we will enable NAT, Firewall and DNS.

NAT

Configuring NAT on Vyatta is quite simple. To do it type following commands:

set nat source rule 10 outbound-interface eth0
set nat source rule 10 source address 10.0.0.0/24
set nat source rule 10 translation address masquerade
set nat source rule 10 description “LAN to WAN”

Firewall

In my case I decided to use simple firewall rules based on zones. At the beginning it might be difficult to understand but if you will spend a while it should be crystal clear.

First part is to create firewall rules - I used WAN-TO-LAN and LAN-TO-WAN rules.

WAN-TO-LAN

set firewall name WAN-TO-LAN
- set firewall name WAN-TO-LAN default-action drop
- set firewall name WAN-TO-LAN rule 10 action accept
- set firewall name WAN-TO-LAN rule 10 protocol all
- set firewall name WAN-TO-LAN rule 10 state established enable
- set firewall name WAN-TO-LAN rule 10 state related enable

Here you see how rule WAN-TO-LAN should look like in configuration.

name WAN-TO-LAN {
  default-action drop
    rule 10 {
            action accept  
            protocol all
            }
}

LAN-TO-WAN

set firewall name LAN-TO-WAN
set firewall name LAN-TO-WAN default-action drop
set firewall name LAN-TO-WAN rule 10 action accept

Here you see how rule LAN-TO-WAN should look like in configuration.

name LAN-TO-WAN
{
  default-action drop
    rule 10 {
            action accept
          }
}

Zone policies

Now we will create zones - in my case WAN and LAN and we will assign them to apriopriate ethernet interfaces.

set zone-policy zone WAN
set zone-policy zone WAN description “WAN”
set zone-policy zone WAN default-action drop
set zone-policy zone WAN interface eth0
set zone-policy zone LAN
set zone-policy zone LAN description “LAN”
set zone-policy zone LAN default-action drop
set zone-policy zone LAN interface eth1

Assign firewall to zones

This one is tricky - read carefully syntax of commands.

WAN firewall - set zone-policy zone WAN from LAN firewall name LAN-TO-WAN

LAN firewall - set zone-policy zone LAN from WAN firewall name WAN-TO-LAN

Here you see how zone WAN should look like.

default-action drop
description WAN
  from LAN {
firewall {
  name LAN-TO-WAN
  }
}

interface eth0

Here you see how zone LAN should look like.

default-action drop
description LAN
from WAN {
firewall {
name WAN-TO-LAN
}
} 
interface eth1

DNS configuration

DNS configuration is quite simple. In order to make it work enter following commands:

set service dns forwarding name-server **IP **(In my case it is 192.168.255.254)
set service dns forwarding listen-on eth1

In order to really test it from Domain Controller I set forwarded to Vyatta LAN IP - 10.0.0.1 and I deleted all root hints.

EOT

Wow - this was really long post. I hope you will find it really usefull and all will work in you environment as well.

Vyatta – Router running on VMware Workstation – Part 1 basic networking

Fri, 12 Jul 2013 22:09:35 +0000

Have you ever thought of using your own router in your virtual lab? I did and previously I was using GNS with Cisco IOS images but with new lab I would like to use Vyatta as router and firewall. Configuration of GNS with VMware Workstation was not as easy as is Vyatta.

What is Vyatta?

Vyatta - as Wikipedia says is Debian based software-based virtual router, firewall, vpn. I find it very powerful (although I will not use more than 5% of its capabilities) and people familiar with Cisco and Juniper will feel like home. One feature which might be useful (Web GUI) was removed in version 6.3 - shame on them 😛

Ok let’s do it!

Basic Networking

After downloading ISO create Virtual Machine deploy VM (I used 1 vCPU, 512MB RAM and 3GB of Storage) with Debian as Operating System. I used two network adapters - one will be connected to LAN (OUTER Network, we can call it public) network 192.168.255.0 / 24 (to access Vyatta via SSH) and second one to VMNet1 which is network for Virtual Machines (INNER Network). Vyatta will do routing and firewall between networks.
After boot screen hit enter and login to vyatta using following credentials:
Username: vyatta
Password: vyatta
Next step is really simple - installation of Vyatta on local disk. In order to do that simply execute command: install system and confirm it.
I went with default settings for partitions but you can align them as you wish.
Set vyatta user password.
Reboot Vyatta by executing command: reboot.
Login again to vyatta and we will start with setting hostname. Enter configuration mode by typing configure and type set system host-name your_hostname.
Now we will setup network interfaces:
set interfaces ethernet eth0 address 192.168.255.250 / 24
set interfaces ethernet eth1 address 10.0.0.1 / 24
Commit changes by executing command commit and save changes save.
Now when we have both interfaces up and running we will enable SSH. In order to do it execute following commands: set service ssh. Commit and save.
Before you will be able to connect to INNER Network you need to add route on your PC or even on your physical router. In my case I added following route using command(I am running Windows) route add 10.0.0.0 mask 255.255.255.0 192.168.255.250 -p.
Now you should be able to reach VM’s in INNER Network - in my case subnet 10.0.0.0 / 24.
This is my current network diagram

Summary

In next posts we will configure firewall rules and iSCSI storage for ESXi hosts.

Zarzadzanie hasłami w środowisku korporacyjnym

Tue, 29 May 2012 09:49:16 +0000

W dobie wszechobecnych problemów z bezpieczeństwem sami wiecie, że długie i złożone hasła są bardzo ważne.

W dzisiejszym wpisie chciałbym przedstawić Wam komercyjne rozwiązanie jakim jest produkt firmy Thycotic Secret Server.

Jak to działa?

Secret Server zainstalować można zainstalować na następujących systemach operacyjnych:

Windows Server 2003
Windows Server 2003 R2
Windows XP
Windows Server 2008 32 i 64 bitowe
Windows Server 2008 R2
Windows Vista Business / Ultimate
Windows 7 Professional / Ultimate

Do działania wykorzystywana jest baza sql oraz IIS instalowany w systemie operacyjnym. Wszystkie dane są szyfrowane algorytmem AES 256 i haszowane SHA512 - produkt spełnia również normy FIPS 140-2.

Demo

Krótkie demo produktu zobaczyć można pod tym adresem http://www.thycotic.com/secretserver_movie.html.

Czy jest to produkt dla mnie?

Produkt ten nie jest dla “zwykłego śmiertelnika” - zdecydowanie jest przeznaczony dla większych firm i korporacji. W dużych firmach gdzie administratorzy zarządzają dużą ilością serwerów dosyć często pojawia się problem haseł.

kto zna hasło do danego systemu?
kiedy ostatnio hasło było zmieniane?
złożoność hasła
znajomość haseł przez osoby niepowołane

Są to oczywiście jedynie wybrane przeze mnie zagrożenia jednak według mnie jedne z ważniejszych.

Dlaczego wybrałbym Secret Server?

Przede wszystkim polecam zapoznanie się z licencjonowaniem i zalecam wybranie edycji od wersji Professional. Wersja ta posiada integrację z Active Directory co w środowisku korporacyjnym jest niezwykle ważne (integracja z Active Directory pozwala pozbyć się lokalnych użytkowników). Bardzo ciekawie prezentuje się zarządzanie dostępem do haseł - możemy tworzyć foldery, dodawać role użytkowników do konkretnych folderów.

Kolejną z ciekawych funkcji jest możliwość uruchamiania konsoli SSH (np. PuTTY) czy RDP bezpośrednio do danego systemu z oprogramowania. Bardzo podoba mi się możliwość wymuszenia automatycznej zmiany haseł do systemów (urządzenie / system powinien mieć dostęp przez telnet lub ssh) oraz możliwość tworzenia skryptów.

Wspierane systemy do automatycznej zmiany haseł to:

Windows Local admin
Active Directory
UNIX/Linux/Mac (incl. root)
MS SQL Server
Oracle
Sybase
MySQL
VMware ESX
DSEE
Cisco
Juniper
Enterasys
WatchGuard
Check Point
Dell DRAC
HP iLO
OpenLDAP
SSH / Telnet

Przykładowa zmiana hasła na urządzeniu Cisco http://support.thycotic.com/KB/a251/heartbeat-and-remote-password-changing-for-cisco-accounts.aspx?KBSearchID=22719.

Produkt posiada również wiele innych funkcji, których nie będę wymieniał - link do wszystkich funkcji http://www.thycotic.com/products_secretserver_featurelist.html

Zachęcam Was do testów programu (bądź innych programów tego typu) gdyż może on rozwiązać wiele problemów przy niewielkim nakładzie kosztów.

Import certyfikatów SSL w Linuxie i Windowsie

Sun, 22 Apr 2012 22:10:40 +0000

Dzisiejszy wpis będzie o imporcie niezaufanych (wygenerowanych samodzielnie) certyfikatów SSL do Windowsa 7 i Ubuntu. Są to obecnie dwa najbardziej popularne systemy.

Certyfikaty SSL służą do szyfrowania danych przesyłanych pomiędzy użytkownikiem a serwerem w sieci Internet. Nie będę wnikał i opisywał co to jest certyfikat SSL a po więcej informacji zapraszam tutaj http://ssl.certum.pl/. Codziennie odwiedzamy wiele stron zabezpieczone certyfikatami SSL i jak sami wiecie część z nich posiada certyfikaty wygenerowane samodzielnie. Jak można rozpoznać takie certyfikaty?

Bardzo prosto 🙂

Chrome
Firefox
Internet Explorer

Jak sami widzicie nie jest trudno rozpoznać certyfikaty nie podpisane przez zaufane centrum autoryzujące.

Podobnie wygląda to w Ubuntu.

Jest to według mnie dobra praktyka producentów przeglądarek aby ostrzegać ZU (zwykłego użytkownika) o potencjalnym zagrożeniu. Co jednak jeżeli na 100% wiemy, że strona jest bezpieczna a ostrzeżenia o certyfikatach tylko nas denerwują?

Pokażę filmik jak zrobić to w Windows 7.

W Ubuntu / Linuxie zrobimy to inaczej. Nie będzie filmiku lecz odpowiednie komendy. Wszystkie polecenie wykonujemy oczywiście z poziomu su.

openssl s_client -connect STRONA_ZABEZPIECZONA_SSL:443 |tee STRONA_ZABEZPIECZONA
openssl x509 -inform PEM -in STRONA_ZABEZPIECZONA -text -out STRONA_ZABEZPIECZONA.pem
cp STRONA_ZABEZPIECZONA.**pem **/usr/share/ca-certificates/STRONA_ZABEZPIECZONA.crt
vi /etc/ca-certificates.conf gdzie dodajemy STRONA_ZABEZPIECZONA.crt
c_rehash
update-ca-certificates

Po wykonaniu wszystkich komend (gdzie oczywiście w miejscie STRONA_ZABEZPIECZONA_SSL należy podać adres IP albo nazwę dns strony) certyfikat powinien być dodany do systemu. Do wykonania komend w systemie potrzebna jest biblioteka openssl.

Jako działający przykład pokażę stronę z torrentami korzystającą z własnego certyfikatu SSL.

Truecrypt i maly skrypt

Thu, 12 Jul 2007 18:04:02 +0000

Dzisiejszy wpis traktuje o świetnym programie jakim jest Truecrypt , mały opis programu z Wikipedia.pl

![Truecrypt logo][1]

TrueCrypt jest darmowym oprogramowaniem Open Source dla systemów Microsoft Windows 2000/XP/2003 oraz Linux, umożliwiającym szyfrowanie całych partycji dyskowych “w locie”.

Polecam przede wszystkim świetny FAQ oraz opis na stronie jakilinux.org. Nie będę opisywał samego programu bo jest to bezcelowe i powielę jedynie opisane już dobrze funkcje programu.

Jednak celem dzisiejszego wpisu są utworzone przeze mnie 2 skrypty do montowania i od montowania dysków.

Skrypt montujący:

_@echo off
  
cls
  
truecrypt /a /v DeviceHarddisk0Partition2 /l D /p &TWOJETAJNEHASLO; /q
  
cls_
_@echo off
  
cls
  
truecrypt /a /v DeviceHarddisk0Partition2 /l D /p &TWOJETAJNEHASLO; /q
  
cls_

Gdzie /v i ścieżka to ścieżka do partycji( co ważne to, iż w waszym systemie partycja zaszyfrowana może mieć inna ścieżkę i trzeba to uwzględnić przy samym skrypcie), D po /l oznacza jaka literę chcemy przypisać dla partycji /p i “tekst w cudzysłowach” to Twoje hasło do partycji a /q oznacza wyjście z programu.

Od montowanie partycji

_@echo off
  
cls
  
truecrypt /d D /q
  
cls_

Gdzie /d oznacza demontowanie a /q wyjście z programu.

Oczywiście aby skrypt działał jak należy powinniśmy umieścić go w katalogu instalacji programu. jeśli zamierzamy sam skrypt mieć w innym miejscu należy przed truecrypt wpisać cala ścieżkę do programu. Nie należy zapomnieć również o zapisaniu plików do rozszerzenia *.bat czyli np mount.bat i umount.bat. [1]: /images/uploads/2007/07/truecrypt.webp