slice2

Monthly Archives: June 2013

Install HP ArcSight Logger v5.3.1

08 Saturday Jun 2013

Posted by Slice2 in HP, Linux, Security

This is a follow-up post from a previous post here: http://slice2.com/2013/06/05/tweaking-the-hp-arcsight-logger-centos-vmware-appliance/

You can continue the installation with the post below. Once you get to the step to run the installer script, I have colored the answers in red text. The final post to be completed soon will show installation of connectors and Logger configuration.

Note: the default factory root password is arcsight.

1) Login as root and install man pages.
-> yum install man -y

2) Create a user for services that can't run as root.
-> useradd -d /home/arcsvcadm -c "ArcSight Service Account" arcsvcadm
-> passwd arcsvcadm

3) Change hostname and set a static IP.
-> vi /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=<your hostname>
GATEWAY=<your gateway IP address>
-> wq!

-> vi /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE="eth0"
IPADDR="<your IP address>"
NETMASK="255.255.255.0"
BROADCAST="<your broadcast address>"
IPV6INIT="no"
ONBOOT="yes"
TYPE="Ethernet"
-> wq!

-> vi /etc/hosts
<your IP address> <your hostname> <your FQDN>
-> wq!
-> reboot

4) Add another disk to the VM. Right-click the VM and select Edit Settings.
a) Click Add on the Hardware tab.
b) Select Hard Drive and click Next.
c) Create a New Virtual Disk and click Next.
d) Edit your disk size (20 gigs is fine to test), choose thick or thin and click Next.
e) Accept defaults on Advanced options and click Next.
f) Click Finish.
g) Wait a minute and reboot the VM.

5) Log in as root and copy the binary to the correct execution location.
-> cd /opt/arcsight/installers
-> ls -l
-rwxr-----. 1 arcsight arcsight 467865676 Apr 16 08:00 ArcSight-logger-5.3.1.6838.0.bin
-rwxr-----. 1 arcsight arcsight        67 Apr 16 08:00 ArcSight-logger-5.3.1.6838.0.bin.md5
-> cp ArcSight-logger-5.3.1.6838.0.bin /opt/arcsight/logger/

6) Run the installer.
-> cd /opt/arcsight/logger/
-> ./ArcSight-logger-5.3.1.6838.0.bin

Preparing to install…
Extracting the JRE from the installer archive…
Unpacking the JRE…
Extracting the installation resources from the installer archive…
Configuring the installer for this system’s environment…

Launching installer…
Graphical installers are not supported by the VM. The console mode will be used instead…
=========================================================================
ArcSight Logger 5.3 SP1                          (created with InstallAnywhere)
——————————————————————————-

Preparing CONSOLE Mode Installation…

=========================================================================
Introduction
————

InstallAnywhere will guide you through the installation of ArcSight Logger 5.3 SP1.

It is strongly recommended that you quit all programs before continuing with this installation.

Respond to each prompt to proceed to the next step in the installation.  If you want to change something on a previous step, type ‘back’.

You may cancel this installation at any time by typing ‘quit’.

PRESS <ENTER> TO CONTINUE: (press enter)

=========================================================================
License Agreement
—————–

Installation and Use of ArcSight Logger 5.3 SP1 Requires Acceptance of the Following License Agreement:

END USER LICENSE AGREEMENT

PLEASE READ CAREFULLY: THE USE OF THE SOFTWARE IS SUBJECT TO THE TERMS AND
CONDITIONS THAT FOLLOW (“AGREEMENT”), UNLESS THE SOFTWARE IS SUBJECT TO A
SEPARATE LICENSE AGREEMENT BETWEEN YOU AND HP OR ITS SUPPLIERS.  BY
DOWNLOADING, INSTALLING, COPYING, ACCESSING, OR USING THE SOFTWARE, OR BY
CHOOSING THE “I ACCEPT” OPTION LOCATED ON OR ADJACENT TO THE SCREEN WHERE THIS
AGREEMENT MAY BE DISPLAYED, YOU AGREE TO THE TERMS OF THIS AGREEMENT, ANY
APPLICABLE WARRANTY STATEMENT AND THE TERMS AND CONDITIONS CONTAINED IN THE
“ANCILLARY SOFTWARE”  (as defined below). IF YOU ARE ACCEPTING THESE TERMS ON
BEHALF OF ANOTHER PERSON OR A COMPANY OR OTHER LEGAL ENTITY, YOU REPRESENT AND
WARRANT THAT YOU HAVE FULL AUTHORITY TO BIND THAT PERSON, COMPANY, OR LEGAL
ENTITY TO THESE TERMS.  IF YOU DO NOT AGREE TO THESE TERMS, DO NOT DOWNLOAD,
INSTALL, COPY, ACCESS, OR USE THE SOFTWARE, AND PROMPTLY RETURN THE SOFTWARE
WITH PROOF OF PURCHASE TO THE PARTY FROM WHOM YOU ACQUIRED IT AND OBTAIN A
REFUND OF THE AMOUNT YOU PAID, IF ANY.  IF YOU DOWNLOADED THE SOFTWARE, CONTACT
THE PARTY FROM WHOM YOU ACQUIRED IT.

This Software may be provided to you by Electronic Delivery. “Electronic
Delivery” means any delivery of Software to you that is made solely by remote

PRESS <ENTER> TO CONTINUE: (press enter about 14 times to get to the end)

DO YOU ACCEPT THE TERMS OF THIS LICENSE AGREEMENT? (Y/N): Y

Custom code execution Started…
Custom code execution Completed…
Custom code execution Started…
Custom code execution Completed…

=========================================================================
Choose Install Folder
———————

Provide a location for ArcSight Logger 5.3 SP1 that has a minimum of 30GB of storage available.

Where would you like to install?

Default Install Folder: /opt

ENTER AN ABSOLUTE PATH, OR PRESS <ENTER> TO ACCEPT THE DEFAULT
: /opt/arcsight/logger

INSTALL FOLDER IS: /opt/arcsight/logger
IS THIS CORRECT? (Y/N): y

=========================================================================
Select License Type
——————-

This installation package includes a trial license that can be used for a limited period to evaluate the product. For deploying in a production environment, you need a license file from HP.

Do you have license file for this installation?

1- No, use the trial license
->2- Yes

ENTER THE NUMBER FOR YOUR CHOICE, OR PRESS <ENTER> TO ACCEPT THE DEFAULT:: 1

=========================================================================
Pre-Install Summary
——————-

Please Review the Following Before Continuing:

Product Name:
ArcSight Logger 5.3 SP1

Install Folder:
/opt/arcsight/logger

PRESS <ENTER> TO CONTINUE: (press enter)

=========================================================================
Installing…
————-

[=================|=================|=================|=================]
[—————————————————————————-

=========================================================================
User Settings
————-

Due to product security requirements, certain Logger processes cannot be run as a root user. Therefore, a non-root user account is required even when you install Logger as a root user.

Enter a non-root user name that exists on this system. Optionally, enter an alternate HTTPS port.

NOTE: Once you press [Enter], you cannot change the entered values.

User Name (DEFAULT: ): arcsvcadm

HTTPS Port (DEFAULT: 443): 443

Custom code execution Started…
Custom code execution Completed…

=========================================================================
User Settings
————-

Choose if you want to run Logger as a system service.

NOTE: Once you press [Enter], you cannot change the entered value.

->1- Configure as a service
2- Configure as standalone

ENTER THE NUMBER FOR YOUR CHOICE, OR PRESS <ENTER> TO ACCEPT THE DEFAULT:: 1

=========================================================================
Locale Setting
————–

Select the Locale setting.
The Locale setting ensures that the user interface displays information such as date, time, numbers, and messages in the format and language appropriate for the selected country.

Once configured, Locale cannot be changed.

->1- English (United States)
2- Japanese (Japan)
3- Simplified Chinese
4- Traditional Chinese

ENTER THE NUMBER FOR YOUR CHOICE, OR PRESS <ENTER> TO ACCEPT THE DEFAULT:: 1

Custom code execution Started…
Custom code execution Completed…

=========================================================================
Begin Initialization
——————–

The installation of Logger software was successful…

Initialization will begin after pressing [Enter].  This may take several minutes.

PRESS <ENTER> TO CONTINUE: (press enter)

=========================================================================
Begin Configuration
——————-

The initialization of Logger software was successful…

Configuration of Logger will start after pressing [Enter].

The Configuration Complete screen is displayed once configuration is complete and Logger has started up.

PRESS <ENTER> TO CONTINUE: (press enter)

=========================================================================

Custom code execution Started…
Custom code execution Completed…

=========================================================================
Configuration Is Complete
————————-

Logger has started. Press [Enter] to close the installer.

Use this URL to access the Logger User Interface.

https://10.10.10.34:443/  (note – your URL will show your IP address)

PRESS <ENTER> TO CONTINUE: (press enter)

7) Launch a browser and login to the URL above as the factory default admin/password.

Solaris 10 1/13 Kerberos KDC HOWTO

07 Friday Jun 2013

Posted by Slice2 in Security, Solaris

This is based on my demo lab. If you follow the steps and just insert your info you should be fine. I’ll post Kerberized NFS and other services soon.

1) Verify packages are installed. If not, install them.
-> pkginfo SUNWkrbr SUNWkrbu SUNWkdcu SUNWkdcr
system SUNWkdcr Kerberos V5 KDC (root)
system SUNWkdcu Kerberos V5 Master KDC (user)
system SUNWkrbr Kerberos version 5 support (Root)
system SUNWkrbu Kerberos version 5 support (Usr)

2) If not installed, insert DVD, mount ISO or use NFS mount:
-> pkgadd -d /path/to/package/SUNWkrbr
-> pkgadd -d /path/to/package/SUNWkrbu
-> pkgadd -d /path/to/package/SUNWkdcu
-> pkgadd -d /path/to/package/SUNWkdcr

3) Make sure all of the SSH packages are installed.
-> pkginfo SUNWsshcu SUNWsshdr SUNWsshdu SUNWsshr SUNWsshu
system SUNWsshcu SSH Common, (Usr)
system SUNWsshdr SSH Server, (Root)
system SUNWsshdu SSH Server, (Usr)
system SUNWsshr SSH Client and utilities, (Root)
system SUNWsshu SSH Client and utilities, (Usr)

4) Define these elements before you start.
a. Realm name = LAB.SLICE2.COM. This is the name of your Kerberos Realm. Think of it like your Active Directory domain.
b. Master KDC = labkdc01.slice2.com. This is your Kerberos Key Distribution Center. Think of it like your Windows Domain Controller.
c. admin principal and password = kws/admin. This is your administrative principal user account. Think of it like your Windows Domain Admin.
d. The KDC Master password = (your choice). This is the KDC master database password. Do not forget this password or you will be hosed.
e. Host OS: Solaris 10. This was done with Solaris 10 x86 Update 11.
f. Hosts: Solaris 10u11 KDC and Solaris 10u11 client.

5) Configure NTP. Time is critical to Kerberos. If NTP is already done, skip this step.
-> touch /var/ntp/ntp.drift
-> cp /etc/inet/ntp.client /etc/inet/ntp.conf
-> vi /etc/inet/ntp.conf
server 10.10.10.2
server 10.10.10.3
driftfile /var/ntp/ntp.drift
multicastclient 224.0.1.1
-> wq!
-> svcadm restart ntp (or svcadm enable ntp if never run before)

a. Verify ntp:
-> ntpq -p
remote refid st t when poll reach delay offset disp
=======================================================
labdc01.lab.sli .LOCL. 1 u 23 64 3 1.17 -25.978 7887.18
labdc02.lab.sli labdc01.lab.sli 2 u 22 64 3 0.99 -36.954 7895.22

6) Login as root on the Solaris host to become the KDC. Edit the Kerberos configuration file krb5.conf to fit your environment. Only change where the text is red below.

-> cp /etc/krb5/krb5.conf /etc/krb5/krb5.conf.orig
-> vi /etc/krb5/krb5.conf
[libdefaults]
default_realm = LAB.SLICE2.COM

[realms]
LAB.SLICE2.COM = {
kdc = labkdc01.lab.slice2.com
# kdc = ___slave_kdc1___
# kdc = ___slave_kdc2___
# kdc = ___slave_kdcN___
admin_server = labkdc01.lab.slice2.com
}

[domain_realm]
lab.slice2.com = LAB.SLICE2.COM

[logging]
default = FILE:/var/krb5/kdc.log
kdc = FILE:/var/krb5/kdc.log
kdc_rotate = {

# How often to rotate kdc.log. Logs will get rotated no more
# often than the period, and less often if the KDC is not used
# frequently.

period = 1d

# how many versions of kdc.log to keep around (kdc.log.0, kdc.log.1, …)

versions = 10
}

[appdefaults]
kinit = {
renewable = true
forwardable= true
}
gkadmin = {
# help_url = http://docs.sun.com:80/ab2/coll.384.1/SEAM/@AB2PageView/1195
}

-> wq!

7) Edit the KDC file kdc.conf. Change the text in red with your environment and add the lines in blue to the end of the [realms] header.

-> cp /etc/krb5/kdc.conf /etc/krb5/kdc.conf.orig
-> vi /etc/krb5/kdc.conf

[kdcdefaults]
kdc_ports = 88,750

[realms]
LAB.SLICE2.COM = {
profile = /etc/krb5/krb5.conf
database_name = /var/krb5/principal
admin_keytab = /etc/krb5/kadm5.keytab
acl_file = /etc/krb5/kadm5.acl
kadmind_port = 749
max_life = 8h 0m 0s
max_renewable_life = 7d 0h 0m 0s
default_principal_flags = +preauth
sunw_dbprop_enable = true
sunw_dbprop_master_ulogsize = 1000
}

-> wq!

8) Create the KDC database.

-> /usr/sbin/kdb5_util create -s

Initializing database ‘/var/krb5/principal’ for realm ‘LAB.SLICE2.COM’,
master key name ‘K/M@LAB.SLICE2.COM’
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:

9) Edit the Kerberos access control list.

-> cp /etc/krb5/kadm5.acl /etc/krb5/kadm5.acl.orig
-> vi /etc/krb5/kadm5.acl and add:

*/admin@LAB.SLICE2.COM *

-> wq!

10) Add principals.

-> /usr/sbin/kadmin.local
Authenticating as principal root/admin@LAB.SLICE2.COM with password.
kadmin.local:

a. Add administration principals to the database.
kadmin.local: addprinc kws/admin

WARNING: no policy specified for kws/admin@LAB.SLICE2.COM; defaulting to no policy
Enter password for principal “kws/admin@LAB.SLICE2.COM”:
Re-enter password for principal “kws/admin@LAB.SLICE2.COM”:
Principal “kws/admin@LAB.SLICE2.COM” created.

b. Create the kiprop principals.
kadmin.local: addprinc -randkey kiprop/labkdc01.lab.slice2.com

WARNING: no policy specified for kiprop/labkdc01.lab.slice2.com@LAB.SLICE2.COM; defaulting to no policy
add_principal: Principal or policy already exists while creating “kiprop/labkdc01.lab.slice2.com@LAB.SLICE2.COM”.

c. Create a keytab file for the kadmind service.
kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kadmin/labkdc01.lab.slice2.com

Entry for principal kadmin/labkdc01.lab.slice2.com with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/labkdc01.lab.slice2.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/labkdc01.lab.slice2.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/labkdc01.lab.slice2.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/labkdc01.lab.slice2.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.

kadmin.local: ktadd -k /etc/krb5/kadm5.keytab changepw/labkdc01.lab.slice2.com

Entry for principal changepw/labkdc01.lab.slice2.com with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal changepw/labkdc01.lab.slice2.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal changepw/labkdc01.lab.slice2.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal changepw/labkdc01.lab.slice2.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal changepw/labkdc01.lab.slice2.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
kadmin.local:

kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kadmin/changepw

Entry for principal kadmin/changepw with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.

d. Add the kiprop principal for the master KDC server to the kadmind keytab file.
kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kiprop/labkdc01.lab.slice2.com

Entry for principal kiprop/labkdc01.lab.slice2.com with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kiprop/labkdc01.lab.slice2.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kiprop/labkdc01.lab.slice2.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kiprop/labkdc01.lab.slice2.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kiprop/labkdc01.lab.slice2.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.

e. Quit kadmin.local.
kadmin.local: quit

11) Start the Kerberos daemons.
-> svcadm enable -r network/security/krb5kdc
-> svcadm enable -r network/security/kadmin

12) Start kadmin and add more principals.
-> /usr/sbin/kadmin -p kws/admin
Authenticating as principal kws/admin with password.
Password for kws/admin@LAB.SLICE2.COM:

a. Create the master KDC host principal.
kadmin: addprinc -randkey host/labkdc01.lab.slice2.com

WARNING: no policy specified for host/labkdc01.lab.slice2.com@LAB.SLICE2.COM; defaulting to no policy
Principal “host/labkdc01.lab.slice2.com@LAB.SLICE2.COM” created.

b. Create the kclient principal.
kadmin: addprinc clntconfig/admin

WARNING: no policy specified for clntconfig/admin@LAB.SLICE2.COM; defaulting to no policy
Enter password for principal “clntconfig/admin@LAB.SLICE2.COM”:
Re-enter password for principal “clntconfig/admin@LAB.SLICE2.COM”:
Principal “clntconfig/admin@LAB.SLICE2.COM” created.

c. Add the master KDC’s host principal to the master KDC’s keytab file.
kadmin: ktadd host/labkdc01.lab.slice2.com

Entry for principal host/labkdc01.lab.slice2.com with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/labkdc01.lab.slice2.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/labkdc01.lab.slice2.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/labkdc01.lab.slice2.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/labkdc01.lab.slice2.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/krb5.keytab.

d. Quit kadmin.
kadmin: quit

13) Synchronize the master KDCs clock.
-> svcadm restart ntp

14) Copy the Master KDC’s krb5.conf file to an NFS share for clients. Create a folder and share it out for clients.
-> mkdir -p /export/install/kerberos_files/
-> vi /etc/dfs/dfstab and add something like this to fit your environment:
share -F nfs -o rw=krbclient01.lab.slice2.com -d "Kerberos Files for Clients" /export/install/kerberos_files
-> wq!
-> shareall
-> cp /etc/krb5/krb5.conf /export/install/kerberos_files/

15) Backup the KDC database

-> /usr/sbin/kdb5_util dump -verbose /export/install/kerberos_files/krb5.db.bkp

K/M@LAB.SLICE2.COM
changepw/labkdc01.lab.slice2.com@LAB.SLICE2.COM
clntconfig/admin@LAB.SLICE2.COM
host/krbclient01.lab.slice2.com@LAB.SLICE2.COM
host/labkdc01.lab.slice2.com@LAB.SLICE2.COM
kadmin/changepw@LAB.SLICE2.COM
kadmin/history@LAB.SLICE2.COM
kadmin/labkdc01.lab.slice2.com@LAB.SLICE2.COM
kiprop/labkdc01.lab.slice2.com@LAB.SLICE2.COM
krbtgt/LAB.SLICE2.COM@LAB.SLICE2.COM
kws/admin@LAB.SLICE2.COM
nfs/krbclient01.lab.slice2.com@LAB.SLICE2.COM

16) Create user principals.
-> kadmin -p kws/admin
kadmin: addprinc johndoe

WARNING: no policy specified for johndoe@LAB.SLICE2.COM; defaulting to no policy
Enter password for principal “johndoe@LAB.SLICE2.COM”:
Re-enter password for principal “johndoe@LAB.SLICE2.COM”:
Principal “johndoe@LAB.SLICE2.COM” created.

Test user:

-> kinit johndoe
-> klist -c

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: johndoe@LAB.SLICE2.COM

Valid starting Expires Service principal
06/07/13 11:50:45 06/07/13 19:50:45 krbtgt/LAB.SLICE2.COM@LAB.SLICE2.COM
renew until 06/14/13 11:50:45
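
How the wildcard entry from step 9 applies to the principals created in steps 10 to 16, as an added example that is not part of the original post. It assumes the first matching ACL line wins and that `*` matches within one name component; the function names and the demo files are this example's own.

```shell
#!/bin/sh
# Added example: show which principals a kadm5.acl grants privileges to.
# Assumptions: the first ACL line whose principal pattern matches wins, and
# "*" matches within a single name component (it does not cross "/" or "@").
# On Solaris 10 run with AWK=nawk; /usr/bin/awk there lacks gsub().

# acl_grants ACL_FILE PRINCIPALS_FILE
# Prints "principal<TAB>privileges" for every principal an ACL line matches.
acl_grants() {
    ${AWK:-awk} '
        # First file: ACL entries, "principal-pattern privileges [target]".
        NR == FNR {
            if ($0 ~ /^[ \t]*(#|$)/) next     # skip comments and blank lines
            pat = $1
            gsub(/[.]/, "[.]", pat)           # dots are literal
            gsub(/[*]/, "[^/@]*", pat)        # per-component wildcard
            n++
            re[n] = "^" pat "$"
            priv[n] = $2
            next
        }
        # Second file: one principal per line; report the first matching entry.
        {
            for (i = 1; i <= n; i++)
                if ($1 ~ re[i]) { printf "%s\t%s\n", $1, priv[i]; break }
        }' "$1" "$2"
}

# Demo input: the ACL line from step 9 and a few of the principals created
# in steps 10 to 16, written to temporary files (constructed for this example).
demo_acl_grants() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' '*/admin@LAB.SLICE2.COM *' > "$tmp/kadm5.acl"
    cat > "$tmp/principals" <<'EOF'
clntconfig/admin@LAB.SLICE2.COM
host/labkdc01.lab.slice2.com@LAB.SLICE2.COM
kadmin/changepw@LAB.SLICE2.COM
kws/admin@LAB.SLICE2.COM
johndoe@LAB.SLICE2.COM
EOF
    acl_grants "$tmp/kadm5.acl" "$tmp/principals"
    rm -rf "$tmp"
}

demo_acl_grants
```

Both kws/admin and clntconfig/admin come back with `*`, so the principal created for kclient in step 12 holds every kadmin privilege under this ACL.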

Configure a Solaris client to use Kerberos.

1) Login as root to the client. Interactively Configure Kerberos by answering the questions in red:
-> /usr/sbin/kclient

Starting client setup

—————————————————
Do you want to use DNS for kerberos lookups ? [y/n]: n
No action performed.
Enter the Kerberos realm: LAB.SLICE2.COM
Specify the KDC hostname for the above realm: labkdc01.lab.slice2.com
labkdc01.lab.slice2.com

Note, this system and the KDC’s time must be within 5 minutes of each other for Kerberos to function. Both systems should run some form of time synchronization system like Network Time Protocol (NTP).

Setting up /etc/krb5/krb5.conf.

Enter the krb5 administrative principal to be used: kws/admin
Obtaining TGT for kws/admin …
Password for kws/admin@LAB.SLICE2.COM:

Do you have multiple DNS domains spanning the Kerberos realm LAB.SLICE2.COM ? [y/n]: n
No action performed.

Do you plan on doing Kerberized nfs ? [y/n]: y

nfs/krbclient01.lab.slice2.com entry ADDED to KDC database.
nfs/krbclient01.lab.slice2.com entry ADDED to keytab.

host/krbclient01.lab.slice2.com entry ADDED to KDC database.
host/krbclient01.lab.slice2.com entry ADDED to keytab.

Do you want to copy over the master krb5.conf file ? [y/n]: y
Enter the pathname of the file to be copied: /net/10.10.10.101/export/install/kerberos_files/krb5.conf

Copied /net/10.10.10.101/export/install/kerberos_files/krb5.conf.

—————————————————
Setup COMPLETE.

2) Check the configuration.
-> klist -e -k -t

Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Timestamp Principal
—- —————– ———————————————————
3 06/07/13 10:28:21 nfs/krbclient01.lab.slice2.com@LAB.SLICE2.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
3 06/07/13 10:28:21 nfs/krbclient01.lab.slice2.com@LAB.SLICE2.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
3 06/07/13 10:28:21 nfs/krbclient01.lab.slice2.com@LAB.SLICE2.COM (Triple DES cbc mode with HMAC/sha1)
3 06/07/13 10:28:21 nfs/krbclient01.lab.slice2.com@LAB.SLICE2.COM (ArcFour with HMAC/md5)
3 06/07/13 10:28:21 nfs/krbclient01.lab.slice2.com@LAB.SLICE2.COM (DES cbc mode with RSA-MD5)
3 06/07/13 10:28:25 host/krbclient01.lab.slice2.com@LAB.SLICE2.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
3 06/07/13 10:28:25 host/krbclient01.lab.slice2.com@LAB.SLICE2.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
3 06/07/13 10:28:25 host/krbclient01.lab.slice2.com@LAB.SLICE2.COM (Triple DES cbc mode with HMAC/sha1)
3 06/07/13 10:28:25 host/krbclient01.lab.slice2.com@LAB.SLICE2.COM (ArcFour with HMAC/md5)
3 06/07/13 10:28:25 host/krbclient01.lab.slice2.com@LAB.SLICE2.COM (DES cbc mode with RSA-MD5)

3) Configure ssh to use Kerberos.

3) Create a Kerberos principal to local Solaris user connection using the gsscred command. In this example, link my Kerberos principal johndoe@LAB.SLICE2.COM to my local Solaris user johndoe.

-> gsscred -m kerberos_v5 -a -c "John Doe" -n johndoe@LAB.SLICE2.COM -u johndoe

a. Check the Kerberos association database:

-> gsscred -l
0401000B06092A864886F712010202000000166A6F686E646F65404C41422E534C494345322E434F4D 100 johndoe, kerberos_v5

4) Ticket info. Sometimes you have to destroy the ticket to properly obtain a new one.
-> kdestroy

Get a fresh ticket:

-> kinit kws/admin
Password for kws/admin@LAB.SLICE2.COM:

Now list your new ticket:

-> klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: kws/admin@LAB.SLICE2.COM

Valid starting Expires Service principal
06/07/13 15:12:31 06/07/13 23:12:31 krbtgt/LAB.SLICE2.COM@LAB.SLICE2.COM
renew until 06/14/13 15:12:31

Now you can login to kadmin as the kws admin user.

-> kadmin -p kws/admin
Authenticating as principal kws/admin@LAB.SLICE2.COM with password.
Password for kws/admin@LAB.SLICE2.COM:
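
The ktadd and `klist -e -k -t` listings above include single DES, Triple DES and ArcFour keys next to the AES ones. The following added example (not part of the original post) filters such a listing down to the legacy entries; the function names are this example's own and the sample input is copied from the client keytab listing in step 2.

```shell
#!/bin/sh
# Added example: list keytab entries that use legacy encryption types.
# Input is the text printed by `klist -e -k` (with or without -t); the labels
# matched are the ones shown in the listings on this page.
# On Solaris 10 run with AWK=nawk; /usr/bin/awk there lacks sub().

# Reads a keytab listing on stdin and prints "principal<TAB>enctype" for each
# single DES, Triple DES or ArcFour entry.
weak_keytab_entries() {
    ${AWK:-awk} '
        # Entry lines start with the KVNO and end with "(enctype label)".
        /^[ \t]*[0-9]+[ \t]/ && /[)][ \t]*$/ {
            princ = ""
            for (i = 2; i <= NF; i++)          # principal is the field with "@"
                if ($i ~ /@/) { princ = $i; break }
            label = $0
            sub(/^[^(]*[(]/, "", label)        # drop everything up to "("
            sub(/[)][ \t]*$/, "", label)       # drop the closing ")"
            if (princ != "" && label ~ /^(DES|Triple DES|ArcFour)/)
                printf "%s\t%s\n", princ, label
        }'
}

# Sample input: the client keytab listing from this page.
sample_keytab_listing() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Timestamp Principal
---- ----------------- ---------------------------------------------------------
3 06/07/13 10:28:21 nfs/krbclient01.lab.slice2.com@LAB.SLICE2.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
3 06/07/13 10:28:21 nfs/krbclient01.lab.slice2.com@LAB.SLICE2.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
3 06/07/13 10:28:21 nfs/krbclient01.lab.slice2.com@LAB.SLICE2.COM (Triple DES cbc mode with HMAC/sha1)
3 06/07/13 10:28:21 nfs/krbclient01.lab.slice2.com@LAB.SLICE2.COM (ArcFour with HMAC/md5)
3 06/07/13 10:28:21 nfs/krbclient01.lab.slice2.com@LAB.SLICE2.COM (DES cbc mode with RSA-MD5)
3 06/07/13 10:28:25 host/krbclient01.lab.slice2.com@LAB.SLICE2.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
3 06/07/13 10:28:25 host/krbclient01.lab.slice2.com@LAB.SLICE2.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
3 06/07/13 10:28:25 host/krbclient01.lab.slice2.com@LAB.SLICE2.COM (Triple DES cbc mode with HMAC/sha1)
3 06/07/13 10:28:25 host/krbclient01.lab.slice2.com@LAB.SLICE2.COM (ArcFour with HMAC/md5)
3 06/07/13 10:28:25 host/krbclient01.lab.slice2.com@LAB.SLICE2.COM (DES cbc mode with RSA-MD5)
EOF
}

# On a live host: klist -e -k -t | weak_keytab_entries
sample_keytab_listing | weak_keytab_entries
```

Six of the ten entries in the sample are reported: the Triple DES, ArcFour and DES keys for both the nfs and host principals.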

Microsoft employee takes a polygraph

06 Thursday Jun 2013

Posted by Slice2 in VMware

NetApp releases Data ONTAP PowerShell Toolkit v2.4

06 Thursday Jun 2013

Posted by Slice2 in NetApp

Update: 23 DEC 2013 – a new version was released. Click here for the new post.

You need a free NetApp Communities account to download the toolkit.

http://support.netapp.com/eservice/public/community.do

This is the URL for the Data ONTAP PowerShell Toolkit page. Click Download on the left in the Spaces panel.

https://communities.netapp.com/community/products_and_solutions/microsoft/powershell

Version 2.4 release notes:
Major features

Virtual disk space reclamation
A new cmdlet, Invoke-NaVirtualDiskSpaceReclaim, can reclaim space from a virtual disk (VHD and VHDX format, NTFS file system).  With Windows Server 2012, it is possible to perform space reclamation on a running virtual machine by taking a Hyper-V snapshot of the running virtual machine, running Invoke-NaVirtualDiskSpaceReclaim, and then removing the Hyper-V snapshot.

VMDK to VHD/VHDX IDE driver injection

Toolkit 2.4 introduces the Win2K3ScsiToIde switch to ConvertTo-NaVhd and ConvertTo-NaVhdx.  When present, the Toolkit will automatically install and configure IDE drivers on a Windows Server 2003 virtual disk.

Data ONTAP 8.2 API support

Data ONTAP 8.2 includes a great number of new and updated APIs.  Toolkit 2.4 includes 133 new cmdlets covering most of these new APIs.  Toolkit 2.4 also updates over 60 cmdlets to include new parameters available in Data ONTAP 8.2.

New cmdlets, not including the Data ONTAP 8.2 API set:

Invoke-NaVirtualDiskSpaceReclaim

The following 7-Mode categories contain new cmdlets:

aggr (1 cmdlet)
feature (1 cmdlet)
volume (2 cmdlets)

The following clustered ONTAP categories contain new cmdlets:

aggr (8 cmdlets)
cifs (31 cmdlets)
cluster (2 cmdlets)
feature (1 cmdlet)
fpolicy (22 cmdlets)
group mapping (5 cmdlets)
license (3 cmdlets)
lun (3 cmdlets)
net (6 cmdlets)
qos (10 cmdlets)
qtree (1 cmdlet)
snapmirror (7 cmdlets)
snapmirror policy (7 cmdlets)
snapshot (4 cmdlets)
system (1 cmdlet)
volume (5 cmdlets)
vserver (1 cmdlet)
vserver peer (7 cmdlets)
vserver peer transition (4 cmdlets)

Enhancements

Many of the host-side cmdlets use the ‘Na’ prefix even when they are able to operate on either a 7-Mode or clustered ONTAP controller.  In order to prevent confusion, all of these cmdlets have been aliased with the ‘Nc’ prefix.
Toolkit 2.4 supports Update-Help.  Use Add-NaHelpInfoUri to enable functionality.

Fixes

Get-NaCommand and Get-NcCommand were case-sensitive.
Get-NaCifsShare would not fill out IsAccessBasedEnum value.
Invoke-NaHostVolumeSpaceReclaim would emit “Target volume is not hosted by Data ONTAP.” error on Windows Server 2003.

Tweaking the HP ArcSight Logger CentOS VMware Appliance

05 Wednesday Jun 2013

Posted by Slice2 in HP, Linux

So, HP ArcSight Logger is a CentOS 6.2 VMware appliance. If you want to kick the tires, patch it and add a GUI desktop, perform the following steps.

– Note that this probably voids your support and is totally unsupported by HP.

1) Download the VM appliance from the URL below. I selected the VMware appliance. Extract the zip file and import the OVA into vCenter.

Click Trials and Demos here:
http://www8.hp.com/us/en/software-solutions/software.html?compURI=1314386

2) The default root password is arcsight. They have configured ssh to allow remote root logins, which is odd for a security-related product.

-> ssh root@<your logger vm IP>

3) Add the CentOS repository to yum.conf.

-> vi /etc/yum.conf and add the section below to the bottom of the file.

[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
#baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-6
enabled=1
#released updates

-> wq!

4) Import the key.

-> rpm --import http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-6

4) Update yum.

-> yum update  (enter no to update all packages)

5) Install the Desktop.

For a Gnome desktop run:
-> yum groupinstall Desktop

For a KDE desktop run:
-> yum groupinstall "kde desktop"

When done installing, fix a bug and add a few rpms.

-> mkdir -p /var/run/dbus/system_bus_socket;chmod 775 /var/run/dbus/system_bus_socket

-> yum install perl

-> yum install gpm

-> yum install xorg-x11-drv-intel

6)  Install VMware tools. Copy the vmware tools for linux iso file over to the vm via scp or Winscp, place in /tmp and mount.

-> mount -o loop VMware-tools-linux-9.0.5-1065307.iso /mnt

-> cd /mnt

-> cp VMwareTools-9.0.5-1065307.tar.gz /tmp/

-> cd /tmp/

-> umount /mnt

-> tar -zxvf VMwareTools-9.0.5-1065307.tar.gz

-> cd vmware-tools-distrib

-> ./vmware-install.pl  (and follow the prompts – defaults are fine for now)

-> reboot

7) Increase the size of /boot so the patches can be applied. Download the systemrescuecd ISO, attach to the VM and boot into it. Note that you may have to boot into the VM bios and change the boot order by moving the CDROM device to the top.
a) once the ISO boots, at the prompt enter: startx.
b) Click the CD icon in the lower left corner (like the Start menu in Windows), System > GParted.
c) Right-click /dev/sda3 and select Resize/move. Reduce the size by 2 Gigs and click Resize/Move. At the top under Partition, click the green Check Mark to apply the changes. This will take about 5 minutes. Right-click /dev/sda3 and select Resize/Move. On the slider bar, click the partition itself and move it to the right as far as it will go. This changes the start of the partition and allows you to resize /boot. Click the green check mark and ignore the warning about moving the partition.
d) Right-click /dev/sda2 and select Resize/Move. Increase the size by the remaining space available clicking the small up arrow in the New Size field and click Resize/Move. At the top under Partition, click the green Check Mark to apply the changes. This will take about 5 minutes.
e) Click the CD Icon and click Log Out > Log Out.
f) Shutdown the VM and disconnect the ISO from within Edit Settings. When done power on the VM.

8) Log in as root and update the rest of the VM.

-> yum upgrade

-> reboot
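
A check for the remote root login noted in step 2, as an added example that is not part of the original post. The function names are this example's own; it assumes sshd keeps the first value it reads for a keyword, looks only at the global section before any Match block, and treats an unset keyword as "yes", the OpenSSH default in the releases CentOS 6 shipped.

```shell
#!/bin/sh
# Added example: report the effective PermitRootLogin setting of an sshd_config.
# Assumptions: the first occurrence of the keyword wins, only the global
# section (before any Match block) is read, and an unset keyword means "yes".
# On Solaris 10 run with AWK=nawk.

# effective_permit_root_login FILE -> prints the value in lower case
effective_permit_root_login() {
    ${AWK:-awk} '
        /^[ \t]*(#|$)/ { next }                 # comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t=]+/)           # "Keyword value" or "Keyword=value"
            key = tolower(f[1])                 # keywords are case-insensitive
        }
        key == "match" { exit }                 # end of the global section
        key == "permitrootlogin" { val = tolower(f[2]); found = 1; exit }
        END { print (found ? val : "yes") }
    ' "$1"
}

# Returns 0 when root cannot log in with a password, 1 otherwise.
root_password_login_blocked() {
    case "$(effective_permit_root_login "$1")" in
        no|without-password|prohibit-password|forced-commands-only) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo on a constructed config; on the appliance pass /etc/ssh/sshd_config.
demo_root_login_check() {
    cfg=$(mktemp) || return 1
    printf '%s\n' '# constructed sample' 'Port 22' 'PermitRootLogin yes' > "$cfg"
    if root_password_login_blocked "$cfg"; then
        echo "root password login blocked"
    else
        echo "root password login allowed (PermitRootLogin $(effective_permit_root_login "$cfg"))"
    fi
    rm -f "$cfg"
}

demo_root_login_check
```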

Configuring MPIO and iSCSI Mutual CHAP on Windows 2003, Windows 2008 and Windows 2012 with NetApp storage.

02 Sunday Jun 2013

Posted by Slice2 in Security, Windows

This is a followup to a previous post where I outlined how to deploy iSCSI LUNs using NetApp SnapDrive for Windows. This post does not use SnapDrive.

This document demonstrates how to enable MPIO, configure Mutual CHAP for iSCSI sessions, create iGroups and LUNs and then format the LUNs with NTFS.

The doc is here: Configuring MPIO and iSCSI Mutual CHAP on Windows v1

It covers Windows 2003, Windows 2008 and Windows 2012. Since Windows 2003 is quite lame, I had to use the NetApp DSM MPIO. Otherwise, it's just plain old native Windows features and NetApp LUNs. All OSes are grouped together by task, so if you only need Windows 2003, just follow those steps through the document. Same for Windows 2008 or 2012.

Yes, Mutual CHAP does not provide robust crypto security, but it's better than nothing. It's also a DoD STIG finding if not enabled. It's fairly easy to configure, so why not use it.

Building a Jumpstart Server with Solaris 10 Update 10 x64 DVD/ISO

01 Saturday Jun 2013

Posted by Slice2 in Solaris

Tags

Solaris

The same process works for SPARC as well. Create an Install Server.

1) Insert the Solaris 10 Update 10 DVD into the Sun server DVD drive or mount the ISO in the Solaris VM.
-> mkdir -p /export/install/sol_10_u10_x86
Note that I always add the release version in the directory name. Since you can have multiple Solaris versions on the same jumpstart server, it keeps you organized.

2) Start the jumpstart server build process by executing the following:
-> cd /cdrom/sol_10_811_x86/Solaris_10/Tools
-> ./setup_install_server /export/install/sol_10_u10_x86
Verifying target directory…
Calculating the required disk space for the Solaris_10 product
Calculating space required for the installation boot image
Copying the CD image to disk…
Copying Install Boot Image hierarchy…
Copying /boot netboot hierarchy…
Install Server setup complete
Note: this will take quite a while to finish on older servers (and slow DVD drives). ISOs are much faster.

3) Create the jumpstart directory.
-> cd /
-> mkdir /jumpstart_sol_10_u10_x86
-> cp -r /cdrom/sol_10_811_x86/Solaris_10/Misc/jumpstart_sample/* /jumpstart_sol_10_u10_x86/

4) Create and share the jumpstart directory.
-> vi /etc/dfs/dfstab and enter the following line:
share -F nfs -o ro,anon=0 -d "Solaris 10 Update 10 Jumpstart" /jumpstart_sol_10_u10_x86
-> wq!
-> share all

Type the share command to verify.
-> share
- /jumpstart_sol_10_u10_x86  ro,anon=0  "Solaris 10 Update 10 Jumpstart"

5) Create a profile for your server. I just use a generic profile because I custom install every server I build (mirrors/RAID5, various packages, etc). You can run highly customized profiles. See the Solaris 10 Installation Guide for more info.
-> cd /jumpstart_sol_10_u10_x86
-> vi homelab_profile (use any name you want – my lab is homelab) and enter the following:
install_type initial_install
system_type standalone
cluster SUNWCall
-> wq!

Note that if you remove “cluster SUNWCall” from the profile, you will be forced through a full interactive install. It’s up to you if you want to cherry pick packages.

6) Update the Rules file. Add the following at the bottom of the rules file:
-> vi rules
# Homelab Profile
any - - homelab_profile -
-> wq!

7) Validate the rules file. You must run this command before every jumpstart session even if you didn’t change it.
-> cd /jumpstart_sol_10_u10_x86
-> ./check
Validating rules…
Validating profile zfsrootsimple…
Validating profile net924_sun4c…
Validating profile upgrade…
Validating profile x86-class…
Validating profile any_machine…
Validating profile homelab_profile…
The custom JumpStart configuration is ok.

8) Edit the /etc/ethers file. The Jumpstart server needs to have a MAC/Hostname pairing in the ethers file. To get the MAC address from a running system, open an Xterm and run the following:
-> ifconfig -a | grep ether
ether 0:c:29:a4:73:98

The output 0:c:29:a4:73:98 should be added to the /etc/ethers file along with the IP address of the host.
a) To get the MAC from a new SPARC system with no OS, attach a monitor (or serial cable) to the server and boot. The ethernet address is shown in the banner. You can also type banner at the OK# prompt. Some Sun server models have tiny stickers on the server with MAC addresses.
b) To get the MAC on a Solaris VM, start the Solaris 10 VM. You are looking for the following variable in the .vmx file:
ethernet0.generatedAddress = "00:0c:29:4b:fa:48"
– When the Solaris VM boots, the MAC is displayed. You have to be fast to write it down. Or, you can try the options below.
– VMware Workstation on Windows: Browse to the .vmx file for the Solaris VM you want to jumpstart and open the .vmx file in Notepad. Look for the ethernet0.generatedAddress variable.
– VMware Workstation on Linux: cd to the directory holding the .vmx file for the Solaris VM you want to jumpstart and cat the .vmx file.
– VMware vSphere/ESXi: log in to vCenter, right-click the Solaris VM, select Edit Settings, on the Hardware tab, select the Network Adapter and the MAC address is shown on the right.

Example /etc/ethers on the Jumpstart server with the MAC from a host named solclient01:
-> vi /etc/ethers
00:0c:29:4b:fa:48   solclient01
-> wq!

c) Make sure you add an entry for the host you are jumpstarting to the hosts file on the master jumpstart server.
-> vi /etc/inet/hosts
# For Jumpstart
10.10.10.111  solclient01  solclient01.lab.slice2.com

9) Set up your server to boot from the network.

Note that this is only good for systems on the same subnet as the jumpstart server. To boot servers off a different subnet, see Create a Boot Server in the Solaris 10 Advanced Installation Guide.
-> cd /cdrom/sol_10_811_x86/Solaris_10/Tools
-> ./add_install_client -c soljump:/jumpstart_sol_10_u10_x86 solclient01 i86pc (or sun4u/sun4v for SPARC)

In the add_install_client command above, the options that are used have the following meanings:
a) -c – Specifies the master Jumpstart server and path to the Jumpstart directory.
b) solclient01 – The hostname of a system to be built.
c) i86pc – Specifies the platform group of the systems that use the jumpstart server as an install server. Note that if you want to use a sysidcfg file, you can use the -p option to provide the path to the file. Most likely you would place it in the shared jumpstart directory. See the sysidcfg man page for variables.

Boot the client and the jumpstart process will start by pulling the Solaris binaries from the jumpstart server.
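Step 8 as a script, added here as an example and not part of the original post: it reads ethernet0.generatedAddress from a .vmx file, normalizes either MAC notation shown above (ifconfig drops leading zeros), and appends the ethers and hosts entries only when they are not already present. The function names and the scratch directory standing in for /etc are assumptions for illustration, and a POSIX shell and awk are assumed.

```shell
# normalize_mac MAC: lowercase and zero-pad each octet; exits non-zero if the
# value is not six colon-separated hex octets.
normalize_mac() {
    printf '%s\n' "$1" | awk -F: '
        NF != 6 { exit 1 }
        {
            out = ""
            for (i = 1; i <= 6; i++) {
                o = tolower($i)
                if (o !~ /^[0-9a-f][0-9a-f]?$/) exit 1
                if (length(o) == 1) o = "0" o
                out = out (i > 1 ? ":" : "") o
            }
            print out
        }'
}

# vmx_mac FILE: MAC of ethernet0 from a .vmx file. The anchored pattern skips
# the neighbouring ethernet0.generatedAddressOffset line.
vmx_mac() {
    mac=$(sed -n 's/^ethernet0\.generatedAddress *= *"\([^"]*\)".*/\1/p' "$1" | head -1)
    [ -n "$mac" ] || return 1
    normalize_mac "$mac"
}

# add_entry FILE KEY LINE: append LINE unless some line in FILE already has
# KEY as its first field. Prints "added" or "exists".
add_entry() {
    if [ -f "$1" ] && awk -v k="$2" '$1 == k { f = 1 } END { exit !f }' "$1"; then
        echo exists
    else
        printf '%s\n' "$3" >> "$1"
        echo added
    fi
}

# register_client MAC HOSTNAME IP ETHERS_FILE HOSTS_FILE
register_client() {
    m=$(normalize_mac "$1") || { echo "bad MAC: $1" >&2; return 1; }
    add_entry "$4" "$m" "$m   $2"
    add_entry "$5" "$3" "$3  $2"
}

# Constructed sample data; a scratch directory stands in for /etc.
tmp=$(mktemp -d)
printf '%s\n' 'ethernet0.generatedAddressOffset = "0"' \
    'ethernet0.generatedAddress = "00:0C:29:4B:FA:48"' > "$tmp/sol.vmx"
register_client "$(vmx_mac "$tmp/sol.vmx")" solclient01 10.10.10.111 "$tmp/ethers" "$tmp/hosts"
cat "$tmp/ethers" "$tmp/hosts"
rm -rf "$tmp"
```

On the jumpstart server, pass /etc/ethers and /etc/inet/hosts as the last two arguments to register_client; running it again for the same client leaves both files unchanged.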
