Monthly Archives: January 2014

HOWTO verify the SSL Cipher Suite and Plug-ins supported by your browser and validate your website certificate

15 Wednesday Jan 2014

Posted by in Security

1 Comment

Tags

If you ever wondered what your browser tells the world in terms of your supported SSL/TLS cipher suites, key sizes and plug-in versions, try the first four URLs below in each web browser that you use. If you have a website, the bottom three check your site certificate.

For your Browsers:

Qualys Vulnerable Plug-in Browser Check
https://browsercheck.qualys.com/?scan_type=js

Mozilla Vulnerable Plug-in Check for Firefox, Opera, and Chrome. I believe the Qualys checker above is a little better but it doesn’t hurt to run both Qualys and Mozilla’s just in case one misses something. Also, the Qualys check doesn’t always capture the latest micro point release from Firefox.
http://www.mozilla.org/en-US/plugincheck/

SSL Cipher Suite Details of your Browser
https://cc.dcsec.uni-hannover.de/

SSL/TLS Details of your Browser and POODLE Test
https://www.ssllabs.com/ssltest/viewMyClient.html

For your Website:

Check your Site Certificate or CSR
https://ssltools.websecurity.symantec.com/checker/

Qualys SSl Labs Site checker
https://www.ssllabs.com/ssltest/index.html

SSL Site Configuration Checker
https://sslcheck.globalsign.com/en_US

HOWTO Secure iSCSI Luns Between Oracle Solaris 11 and NetApp Storage Using Bidirectional CHAP

09 Thursday Jan 2014

Posted by in iSCSI, NetApp, Oracle, Security, Solaris

Leave a comment

Tags

, , , ,

This post demonstrates how to secure iSCSI luns between Oracle Solaris 11 and NetApp storage. Solaris calls it Bidirectional CHAP rather than Mutual CHAP. The aggregate, lun and disk sizes are small in this HOWTO to keep it simple. Research the relationship between Solaris EFI, Solaris VTOC and lun size as well as UFS vs ZFS to make sure you choose the proper type for your environment. This was done with Solaris 11 (11/11) x86. All steps except the fdisk step near the end are the same for SPARC systems.

1) Check for the iSCSI packages. They should be installed by default.
> pkginfo | grep iSCSI
system    SUNWiscsir    Sun iSCSI Device Driver (root)
system    SUNWiscsiu    Sun iSCSI Management Utilities (usr)

2) Make sure the iSCSI service is running on your Solaris host.
> svcs | grep iscsi
online  6:41:58 svc:/network/iscsi/initiator:default

If not, start it.
> svcadm enable svc:/network/iscsi/initiator:default

3) Get your local iSCSI Initiator Node Name or iqn name on the Solaris host.
> iscsiadm list initiator-node | grep iqn
Initiator node name: iqn.1986-03.com.sun:01:e00000000000.52bcad1c

4) Make sure the iscsi service is running on the NetApp.
netapp> iscsi status

5) Create the volume that will hold the iscsi luns. This command assumes you have aggregate aggr1 already created. If not use an aggregate that has enough room for your volume.
netapp> vol create MCHAPVOL aggr1 10g

6) Create a lun on the volume.
netapp> lun create -s 5g -t solaris_efi /vol/MCHAPVOL/SOL11_iSCSI_MCHAP_01

7) Create an igroup and add the Solaris iscsi node name or iqn from step 3 above to it.
netapp> igroup create -i -t solaris ISCSI_MCHAP_SOL11
netapp> igroup add ISCSI_MCHAP_SOL11 iqn.1986-03.com.sun:01:e00000000000.52bcad1c
netapp> igroup show

ISCSI_MCHAP_SOL11 (iSCSI) (ostype: solaris):
iqn.1986-03.com.sun:01:e00000000000.52bcad1c (not logged in)

8) Map the lun to the igroup and give it lun ID 01.
netapp> lun map /vol/MCHAPVOL/SOL11_iSCSI_MCHAP_01 ISCSI_MCHAP_SOL11 01

Note: Solaris EFI is for larger than 2 TB luns and Solaris VTOC for smaller disks. This lun is small just to demonstrate the configuration.

9) Obtain the NetApp target nodename.
netapp> iscsi nodename
iqn.1992-08.com.netapp:sn.4055372815

10) On the Solaris host, configure the target (NetApp controller) to be statically discovered. Note that there are two dashes “- -” in front of –static and –sendtargets. For some reason it displays as one dash in some browsers.
> iscsiadm modify discovery –static enable
> iscsiadm modify discovery –sendtargets enable
> iscsiadm add discovery-address 10.10.10.141:3260
> iscsiadm add static-config iqn.1992-08.com.netapp:sn.4055372815,10.10.10.141:3260
> iscsiadm list static-config
Static Configuration Target: iqn.1992-08.com.netapp:sn.4055372815,10.10.10.141:3260

11) Check your discovery methods. Make sure Static and Send Targets are enabled.
> iscsiadm list discovery
Discovery:
Static: enabled
Send Targets: enabled
iSNS: disabled

12) Enable Bidirectional CHAP on the Solaris host for the target NetApp controller.
> iscsiadm modify target-param –authentication CHAP iqn.1992-08.com.netapp:sn.4055372815
> iscsiadm modify target-param -B enable iqn.1992-08.com.netapp:sn.4055372815

13) Set the target device secret key that identifies the target NetApp controller. Note Solaris supports a minimum of 12 and a maximum of 16 character CHAP secrets. Also, there are two dashes “- -” in front of –CHAP-secret. You can make up your own secrets.
> iscsiadm modify target-param –CHAP-secret iqn.1992-08.com.netapp:sn.4055372815
Enter secret: NETAPPBICHAP
Re-enter secret: NETAPPBICHAP

14) Set the Solaris host initiator name and CHAP secret. Remember, there are two dashes “- -” in front of –CHAP-secret. You can make up your own secrets.
> iscsiadm modify initiator-node –authentication CHAP
> iscsiadm modify initiator-node –CHAP-name iqn.1986-03.com.sun:01:e00000000000.52bcad1c
> iscsiadm modify initiator-node –CHAP-secret
Enter secret: BIDIRCHAPSOL11
Re-enter secret: BIDIRCHAPSOL11

15) Verify your target parameters. Make sure Bidirectional Authentication is enabled and Authentication type is CHAP.
> iscsiadm list target-param -v iqn.1992-08.com.netapp:sn.4055372815
Target: iqn.1992-08.com.netapp:sn.4055372815
Alias: –
Bi-directional Authentication: enabled
Authentication Type: CHAP
CHAP Name: iqn.1992-08.com.netapp:sn.4055372815
Login Parameters (Default/Configured):
Data Sequence In Order: yes/-
Data PDU In Order: yes/-
Default Time To Retain: 20/-
Default Time To Wait: 2/-
Error Recovery Level: 0/-
First Burst Length: 65536/-
Immediate Data: yes/-
Initial Ready To Transfer (R2T): yes/-
Max Burst Length: 262144/-
Max Outstanding R2T: 1/-
Max Receive Data Segment Length: 8192/-
Max Connections: 65535/-
Header Digest: NONE/-
Data Digest: NONE/-
Tunable Parameters (Default/Configured):
Session Login Response Time: 60/-
Maximum Connection Retry Time: 180/-
Login Retry Time Interval: 60/-
Configured Sessions: 1

16) Set the Bidirectional CHAP secrets on the NetApp controller.
netapp> iscsi security add -i iqn.1986-03.com.sun:01:e00000000000.52bcad1c -s chap -p BIDIRCHAPSOL11 -n iqn.1986-03.com.sun:01:e00000000000.52bcad1c -o NETAPPBICHAP -m iqn.1992-08.com.netapp:sn.4055372815

a) View the iSCSI security configuration.
netapp> iscsi security show
init: iqn.1986-03.com.sun:01:e00000000000.52bcad1c auth: CHAP Local Inbound password: **** Inbound username: iqn.1986-03.com.sun:01:e00000000000.52bcad1c Outbound password: **** Outbound username: iqn.1992-08.com.netapp:sn.4055372815

17) On the Solaris host, reconfigure the /dev namespace to recognize the iSCSI disk (lun) you just connected.
> devfsadm -i iscsi or devfsadm -Cv -i iscsi

18) Login to server and format the disk. Note – the fdisk command below can be skipped on SPARC systems. Your input is in bold red in the next sequence.
> format
Searching for disks…done

AVAILABLE DISK SELECTIONS:
0. c4t0d0 <VMware-Virtual disk-1.0 cyl 1824 alt 2 hd 255 sec 63>
/pci@0,0/pci15ad,1976@10/sd@0,0
1. c5t2d0 <NETAPP-LUN-7350 cyl 2558 alt 2 hd 128 sec 32>
/iscsi/disk@0000iqn.1992-08.com.netapp%3Asn.8416793903E8,1
Specify disk (enter its number): 1
selecting c5t2d0
[disk formatted]
No Solaris fdisk partition found.

FORMAT MENU:
disk       – select a disk
type       – select (define) a disk type
partition  – select (define) a partition table
current    – describe the current disk
format     – format and analyze the disk
fdisk      – run the fdisk program
repair     – repair a defective sector
label      – write label to the disk
analyze    – surface analysis
defect     – defect list management
backup     – search for backup labels
verify     – read and display labels
save       – save new disk/partition definitions
inquiry    – show disk ID
volname    – set 8-character volume name
!<cmd>     – execute <cmd>, then return
quit
format> fdisk   (skip this command if you are on a SPARC system)
No fdisk table exists. The default partition for the disk is:

a 100% “SOLARIS System” partition

Type “y” to accept the default partition,  otherwise type “n” to edit the
partition table.
y

format> p

PARTITION MENU:
0      – change `0′ partition
1      – change `1′ partition
2      – change `2′ partition
3      – change `3′ partition
4      – change `4′ partition
5      – change `5′ partition
6      – change `6′ partition
7      – change `7′ partition
select – select a predefined table
modify – modify a predefined partition table
name   – name the current table
print  – display the current table
label  – write partition map and label to the disk
!<cmd> – execute <cmd>, then return
quit
partition> p
Current partition table (default):
Total disk cylinders available: 2557 + 2 (reserved cylinders)

Part      Tag    Flag     Cylinders        Size            Blocks
0 unassigned    wm       0               0         (0/0/0)           0
1 unassigned    wm       0               0         (0/0/0)           0
2     backup    wu       0 – 2556        4.99GB    (2557/0/0) 10473472
3 unassigned    wm       0               0         (0/0/0)           0
4 unassigned    wm       0               0         (0/0/0)           0
5 unassigned    wm       0               0         (0/0/0)           0
6 unassigned    wm       0               0         (0/0/0)           0
7 unassigned    wm       0               0         (0/0/0)           0
8       boot    wu       0 –    0        2.00MB    (1/0/0)        4096
9 unassigned    wm       0               0         (0/0/0)           0

partition> 0
Part      Tag    Flag     Cylinders        Size            Blocks
0 unassigned    wm       0               0         (0/0/0)           0

Enter partition id tag[unassigned]: <press enter>
Enter partition permission flags[wm]: <press enter>
Enter new starting cyl[0]: <press enter>
Enter partition size[0b, 0c, 0e, 0.00mb, 0.00gb]: 4.99gb

partition> l     (This is a lower case “L” not a numeral one or 1. This step labels the disk.)
Ready to label disk, continue? y

partition> q

format> q

19) Create the file system. You can choose either UFS or ZFS. Both options are shown below.

a) If you will use UFS:
> newfs -Tv /dev/rdsk/c5t2d0s0
newfs: construct a new file system /dev/rdsk/c5t2d0s0: (y/n)? y
mkfs -F ufs /dev/rdsk/c5t2d0s0 10465280 32 128 8192 8192 -1 1 250 1048576 t 0 -1 8 128 y
/dev/rdsk/c5t2d0s0:     10465280 sectors in 2555 cylinders of 128 tracks, 32 sectors
5110.0MB in 18 cyl groups (149 c/g, 298.00MB/g, 320 i/g)
super-block backups (for fsck -F ufs -o b=#) at: 32, 610368, 1220704, 1831040, 2441376,
3051712, 3662048, 4272384, 4882720, 5493056,
6103392, 6713728, 7324064, 7934400, 8544736, 9155072, 9765408, 10375744

> fsck /dev/rdsk/c5t2d0s0
> mkdir /old_ufs_filesystem
> mount /dev/dsk/c5t2d0s0 /old_ufs_filesystem
> vi /etc/vfstab and add the line below to the bottom of the file. This will mount it when the system boots.
/dev/dsk/c5t2d0s0 /dev/rdsk/c5t2d0s0 /old_ufs_filesystem  ufs  2 yes –
> wq! (to exit the vi session)

b) Check the new mount.
> df -h | grep old_ufs_filesystem
/dev/dsk/c5t2d0s0      5.0G  5.0M 4.9G 1% /old_ufs_filesystem

20) If you will use ZFS:
a) Create a pool.
> zpool create -f netappluns c5t2d0s0

b) Create the filesystem.
> zfs create netappluns/fs

c) List the new filesystem.
> zfs list -r netappluns
NAME           USED  AVAIL  REFER  MOUNTPOINT
netappluns     124K  4.89G    32K  /netappluns
netappluns/fs   31K  4.89G    31K  /netappluns/fs

d) Use the legacy display method.
> df -h | grep netappluns
netappluns       4.9G    32K   4.9G   1%    /netappluns
netappluns/fs    4.9G    31K   4.9G   1%    /netappluns/fs

21) You are done. Hope this helps.

Using vSphere Update Manager to deploy HP Drivers and Patches for ESXi 5

05 Sunday Jan 2014

Posted by in ESXi, HP, VMware

8 Comments

Tags

, ,

This post demonstrates how to add your server vendor’s (in this case HP) VMware VIBs to VMware vSphere Update Manager. This allows you to apply drivers, patches and updates specific to your server platform directly to ESXi. You use the same workflow as you would a VMware patch: scan for updates and remediate host. Its that simple.

Many server vendors release OEM Customized Installers for ESXi5. Its a good idea to use them because they include the necessary drivers and integration for ESXi. Ever wonder why you don’t have good detection of hardware on the Host’s Hardware Status tab (View: Sensors)?  Use the OEM version of ESXi and you will. For this post I use ESXi5.1 on HP DL360G5 servers.

For reference, using the URL below, you go to the VMware ESXi download site, select your ESXi version, click the Custom ISO tab and then click >OEM Installer CDs to expand the category. Select your vendor and that’s the ISO you should use when you install or upgrade ESXi.

HPvibdepot-000

For ESXi 5.1 the URL is:
https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/5_1#custom_iso

Now, on to the reason for this post. The HP VIBs are posted to the sites below.

HP VIBs Home page:
http://vibsdepot.hp.com/

Root of the HP VIBs.
http://vibsdepot.hp.com/hpq/

VIBs index used in this post for ESXi 5.1:
http://vibsdepot.hp.com/hpq/sep2013/index.xml

1) Login to vCenter. Select Home > under Solutions and Applications select Update Manager.

HPvibdepot-00

2) On the Configuration tab, select Download Settings. Under Download Sources, click Add Download Sources on the right.

HPvibdepot-01

3) Enter your Source URL and a description. In this case its http://vibsdepot.hp.com/hpq/sep2013/index.xml. Click Validate URL and when successful click OK.

HPvibdepot-02

a) Note: as of the date of this post, Sept 2013 is the latest VIB update for ESXi 5.1. Using the root URL above (http://vibsdepot.hp.com/hpq/) you simply select the latest date in the directory for the version of ESXi you are running. That way you only download what you need.

4) Back on the Download Settings page, click Apply. This creates the Download source.

HPvibdepot-03

5) Click the Download Now button to start the download. Click OK on the Download Task pop-up window.

HPvibdepot-04

6) Select the Events tab. This is where you can see how many patches were downloaded.

HPvibdepot-05

7) On the patch repository page, sort by vendor and you can see the patches that were downloaded. Note that the patches are automatically added to the Critical and Non-Critical Host Patches baselines. Make sure they are attached to your Datacenter or Hosts.

HPvibdepot-06

8) Right-click your Cluster and select Scan for Updates. Select Patches and Extensions as well as Upgrades and click Scan to scan your hosts.

9) Since this process will update drivers and possibly the ESXi kernel (security and bug fixes), its a good idea to patch one host to verify stability. Place a Host into maintenance mode (right-click Host > Enter Maintenance Mode). When done right-click the host and select Remediate. Select Critical and Non Critical Baselines (on the right) and then complete the Wizard based on your shop’s patching practices.

10) After the host reboots and comes online in vCenter, make sure it’s functional. Verify vMotion, VMkernel Ports, Datastores, etc., check the Host’s Hardware Status tab and see if you notice that additional hardware sensors are now available. If everything is good, continue to remediate your Hosts.

As a side note, if you are in a secure location that does not allow internet access, you could download the patches and index file, stage them with HFS and and download them into Update Manager. For reference, see my HFS post for NetApp’s ONTAP upgrade here.

Install and Configure the NetApp FAS/V-Series VASA Provider v1.0.1 for vSphere

01 Wednesday Jan 2014

Posted by in NetApp, VMware

1 Comment

Tags

, ,

The FAS/V-Series VASA Provider is a software component that supports the VMware VASA (vStorage APIs for Storage Awareness) framework, first introduced in vSphere 5. It acts as an information pipeline between NetApp storage systems and the vCenter Server, enabling you to monitor relevant storage system status.
FAS/V-Series VASA Provider collects data from your storage systems and delivers information about storage topology, LUN and volume attributes, and events and alarms to the vCenter Server.

1) Download the VASA Provider at the following URL:
http://support.netapp.com/NOW/download/software/vasa_win/1.0.1/

2) After it is downloaded, move the VASA provider to your server. Double-click netappvp-1-0-1-win64.exe > click Next > Next > Install. Make sure Launch VASA Configuration is selected and click Finish.

a) On the VASA Configuration window, in the upper left, enter your vCenter user and password and click Save.

b) On the right under Storage Systems, click Add. Add your storage systems that provide NFS or VMFS datastores to vCenter.

c) Under VMware vCenter, enter your vCenter FQDN, user and password and click Register Provider. Click OK on the VASA Provider Has Been Registered pop-up window and click OK to close the VASA Configuration window. Make sure the NetApp VASA Provider service is running by checking the status light shown as green. If it isn’t, manually start the service in Start > Run > services.msc.

vasa-00

3) Log out of vCenter and then log back in.

4) In vCenter, click View > Administration > Storage Providers. Under Vendor Providers, select NVP and the details will display below.

vasa-01
5) Click your Cluster > select the Storage Views tab. On the upper left of the Storage View tab next to View, click Maps. Your NetApp luns will be identified as such.

vasa-02
6) To see all of the storage profiles, click View > Management > VM Storage Profiles. At the top in the middle select Manage Storage Capabilities. The items with type “System” are now available. You are using Storage Profiles right?

vasa-03
7) Click View > Inventory > Datastores and Clusters. Select an NFS or VMFS Datastore provided by the NetApp array. On the Summary tab under Storage Capabilities, you should see System Storage Capability for that datastore. If you click the little blue call-out icon, the Storage Capabilities Details pop-up window appears.

vasa-04