Tag Archives: security

Using Microsoft certreq.exe to generate a certificate signing request (CSR)

This posting is ~4 years old. You should keep this in mind. IT is a short-living business. This information might be outdated.

Generating a certificate signing request (CSR) is the first step towards a signed certificate. The request is signed with the applicant's private key and contains the public key, a name (the subject) and optional attributes.

To generate a CSR, you can use tools like OpenSSL on a Linux box, or sometimes the application itself can generate a CSR. But a Windows box doesn't ship with OpenSSL, and it's inconvenient to install something just for a single CSR. Instead you can use certreq.exe to create the CSR. This tool is mostly unknown, but it has been included since Server 2000. The syntax differs slightly between versions, so I focus on the version shipped with Server 2008/ Windows Vista and newer.

To generate a CSR, you have to create a configuration file. This file specifies the key length, the common name, whether the private key is exportable, and so on. The configuration file shown here also includes additional names (subject alternative names, SAN).

This request includes three subject alternative names, which are listed below the [Extensions] section. The syntax of this file is very important!

To create a CSR, open a CMD and change to the directory where the CSR is stored:

The csr-server1.req file can then be submitted to a CA. The result is a signed certificate based on the submitted CSR. Very handy, especially in VMware Horizon View deployments in which you do not have access to a Windows-based Enterprise CA.
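As an added example (not the configuration file from the original post), here is a request definition in the format certreq.exe expects, with three SANs in the [Extensions] section, followed by the commands that create and inspect the request. The host names, organisation and file names are constructed placeholders.

```powershell
# Added example: certreq.exe request definition (constructed; the names below
# are placeholders, not from the original post).
$inf = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=server1.example.local, O=Example Lab, C=DE"
; 2048-bit RSA key, SHA-256 signed PKCS#10 request
KeyLength = 2048
HashAlgorithm = SHA256
RequestType = PKCS10
; keep the private key in the machine store and non-exportable
Exportable = FALSE
MachineKeySet = TRUE
; KeySpec 1 = AT_KEYEXCHANGE, KeyUsage 0xA0 = digitalSignature + keyEncipherment
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12

[EnhancedKeyUsageExtension]
; 1.3.6.1.5.5.7.3.1 = serverAuth
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
; 2.5.29.17 is subjectAltName. Each name goes on its own _continue_ line and
; every line except the last ends with an ampersand.
2.5.29.17 = "{text}"
_continue_ = "dns=server1.example.local&"
_continue_ = "dns=server1&"
_continue_ = "dns=view.example.local"
'@
# certreq reads the file as plain text; ASCII avoids a BOM at the top.
Set-Content -Path .\csr-server1.inf -Value $inf -Encoding ASCII

# Generate the key pair in the machine store and write the PKCS#10 request.
certreq.exe -new .\csr-server1.inf .\csr-server1.req

# Check subject, key size and the SAN list before handing the request to a CA.
certutil.exe -dump .\csr-server1.req
```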

Stunnel refuses to work after update

This posting is ~5 years old. You should keep this in mind. IT is a short-living business. This information might be outdated.

Yesterday I updated a CentOS 6.6 VM with a simple yum update. A couple of packages were updated and, to be honest, I didn't check which ones. Today I noticed that an application that uses a secure tunnel to connect to another application doesn't work anymore. While browsing through the log files, I found this message from Stunnel.

I raised the debug level and restarted Stunnel. Right after the restart, I found this in the logs.

So Stunnel was running in FIPS mode. But what is FIPS and why is Stunnel using it? I recommend reading the Wikipedia article about the Federal Information Processing Standards (FIPS). To be precise, Stunnel follows FIPS 140-2. My stunnel.conf is really simple and nothing in it is, or might be, related to FIPS. A short search with man -K fips led me to the stunnel man page.

This explains a lot. FIPS is enabled by default in this version, so it was enabled with the updated Stunnel package. With FIPS enabled, only TLS can be used. More interesting: FIPS is disabled by default beginning with version 5.0. But I'm running version 4.29. So I had two options to get rid of this error:

  • Disable FIPS
  • Enable TLS

To disable FIPS, add the following line to the stunnel.conf on the server side:

Alternatively you can keep FIPS enabled if you enforce the use of TLS. In my case, I added the following line on the server and client side:
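As an added example (not the author's stunnel.conf), a minimal stunnel 4.x server configuration showing both ways out of the FIPS error described above; paths, ports and the service name are placeholders.

```ini
; Added example, not the author's config. Minimal stunnel 4.x server side
; with both fixes from the post; paths, ports and service name are placeholders.
cert   = /etc/stunnel/server.pem
key    = /etc/stunnel/server.key
; debug level 7 is what surfaces the FIPS message in the log
debug  = 7
output = /var/log/stunnel.log

; Option 1: switch FIPS 140-2 mode off. Stunnel 4.x builds with FIPS support
; enable it by default; 5.0 and later do not.
fips = no

; Option 2: leave FIPS enabled and negotiate TLS only. SSLv2/SSLv3 are not
; FIPS-approved, so with FIPS on any setting that still allows them fails.
; The same line belongs in the client-side stunnel.conf as well.
;sslVersion = TLSv1

; service section: accept TLS on 8443, forward plain traffic to the local app
[app]
accept  = 0.0.0.0:8443
connect = 127.0.0.1:8080
```

Use one option or the other; with both lines active, FIPS stays off and the sslVersion line is merely a restriction on top.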

After a restart of Stunnel on the server-side, the connection began to work again.

Replace HP iLO security certificates

This posting is ~6 years old. You should keep this in mind. IT is a short-living business. This information might be outdated.

When you access the HP iLO web interface, you are redirected to an HTTPS site. This connection is usually secured by a self-signed SSL certificate. To replace it with a certificate issued by your own CA, you have to complete several steps, and I will guide you through them. I focused on HP iLO 2, but the steps are similar for iLO 3 or iLO 4.

The requirements

We need:

  • an iLO interface that is connected to the network and has an IP address assigned
  • access to this iLO interface
  • a CA and access to it
  • a web browser

Create the Certificate Signing Request (CSR)

Before we can issue the certificate, we need to create a certificate signing request. The CA uses this request to create the digital certificate. The CSR contains information identifying the applicant, e.g. the distinguished name (DN), which for a web server is its FQDN. To create a CSR we have to log in to the iLO web interface.

Create the CSR, issue and install the certificate

I use a Microsoft Windows Server 2012 R2 CA in my lab. This CA is integrated into my Active Directory and I use it to issue certificates for my lab infrastructure. Because it's my lab, I don't use a two-tier CA with an offline root CA. ;) But if you are interested in how to set this up, I recommend these two excellent articles written by Derek Seaman and posted on his blog: Windows Server 2012 R2 Two-Tier PKI CA Pt. 1 & Windows Server 2012 R2 Two-Tier PKI CA Pt. 2.

To create a CSR we have to log in to iLO and open the “Administration” tab. Then select “Security” from the left menu.

[Image: ilo2_ssl_cert_1 (Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0)]

Usually the lower fields are greyed out, so you have to enable “Customized CSR”. Then you can fill the now enabled lower fields with values. Don't forget to hit apply.

A little further down the page, you can create a certificate request.

[Image: ilo2_ssl_cert_2 (Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0)]

Click the “Create Certificate Request” button. The certificate request is generated and you are forwarded to the next page. Now you have to copy the request into a text file, or you can paste it directly into your CA. I use a W2K12 R2 CA which is running on another host, so I copied the text into a file and saved it as ilo-esx1.csr.

[Image: ilo2_ssl_cert_3 (Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0)]

Now it's time to issue the certificate. I copied the CSR into a temp directory on my CA. Open an elevated CMD, switch to the directory with the CSR and run the following command:

A window will pop up where you have to choose the CA. Because I only have one CA, there isn't much to choose… Select your CA and click “OK”. Copy the pem file to your client (or wherever you have the browser with the iLO open), click “Next Step” and then paste the content of the pem file into the text field.
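As an added example (not the command from the original post), the same submission done non-interactively by naming the CA and the template on the command line, plus a check of the issued certificate before it goes into iLO; the CA host, CA name and template are constructed placeholders.

```powershell
# Added example, not from the original post. CA config string and template
# are placeholders; the config string has the form "<host>\<CA name>".
$caConfig = 'ca01.example.local\Example Lab Issuing CA'

# -config skips the CA picker dialog, -attrib selects the certificate template.
# On an enterprise CA the request is issued immediately; on a standalone CA it
# stays pending until an administrator issues it in the CA console.
certreq.exe -submit -config $caConfig `
    -attrib "CertificateTemplate:WebServer" `
    .\ilo-esx1.csr .\ilo-esx1.pem

# Confirm subject (the iLO FQDN), validity dates and issuer ...
certutil.exe -dump .\ilo-esx1.pem

# ... and that the chain up to the root validates on this machine, which is
# the same check the browser performs after "Install Certificate".
certutil.exe -verify .\ilo-esx1.pem

# iLO expects the Base64 block; certreq writes Base64 unless -binary is used.
Get-Content .\ilo-esx1.pem -TotalCount 1   # should be -----BEGIN CERTIFICATE-----
```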

[Image: ilo2_ssl_cert_4 (Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0)]

Click “Install Certificate”.

[Image: ilo2_ssl_cert_5 (Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0)]

If you click “Restart”, a counter appears. After 60 seconds you are redirected to the login page. Please note that you have to access the login page via the FQDN; otherwise you will get a certificate error.

Summary

Essentially there is nothing special about it. It's much easier than doing this for a VMware environment… It's a simple three-step plan: 1. create the CSR, 2. issue a certificate by using the CSR and 3. install the certificate. Don't forget to import the CA certificate into your browser, otherwise you will keep getting this nasty security warning…

HP Data Protector: Backup of DMZ servers

This posting is ~6 years old. You should keep this in mind. IT is a short-living business. This information might be outdated.

Sometimes it's necessary to back up systems that are behind a firewall. A good example are servers in a DMZ. When using HP Data Protector, there are some things to know and consider before you can back up systems behind a firewall. Let's start with some basics.

The components

Cell Manager: The Cell Manager (CM) is the backup server itself. It controls the whole environment and stores the licenses, clients, media, devices, backup specifications etc.

Backup specification: A backup specification describes WHAT has to be backed up and WHERE it should be written.

Backup Session Manager: The Backup Session Manager (BSM) starts the MA and DA, controls the session and stores metadata in the DB.

Disk Agent: The Disk Agent (DA) is the backup client itself. It reads data from or writes data to the server and exchanges that data with the Media Agent (MA).

Media Agent: The Media Agent (MA) reads or writes data from or to a backup device. The data is sent to or received from a DA. The MA can be installed on every server that has a backup device (tape or disk) attached.

HP Data Protector Session Flow

The different components of HP Data Protector interact with each other. The BSM is started on the HP Data Protector Cell Manager and reads the backup specification. Then the BSM starts the DA and MA. Control data is exchanged between DA, MA and BSM. The actual backup data travels from the DA to the MA, and in case of a restore from the MA to the DA.

[Image: dp_session_flow (Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0)]

Typically the MA runs on the same host as the BSM (which is started on the Cell Manager). But you can also use different servers for the CM/ BSM and the MA. Think about a virtualized HP Data Protector Cell Manager and a physical host that has a tape library connected. If your BSM and MA are behind a firewall (from the DA's perspective), you have to get the control data and the data flow through the firewall. For this, ports must be opened on the firewall.

[Image: dp_session_flow_with_fw (Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0)]

The requirements

One of the most important things in an HP Data Protector environment is DNS! Most errors I see are DNS related. This leads to the requirement that there has to be working name resolution between Cell Manager, MA and DA. Before you proceed, please check the name resolution. Please note that ping isn't a qualified tool to test name resolution! Use nslookup or dig for this. The next step is to define the port ranges that are used for the communication between BSM, MA and DA. Because HP Data Protector is a top notch backup product, you have to change the omnirc file with your favorite editor. Yes, even if you have a Windows-based Cell Manager. The omnirc file is located in:

Operating System    Path
Windows < 2008      C:\Program Files\Omniback\omnirc
Windows > 2008      C:\ProgramData\Omniback\omnirc
Linux/ UNIX         /opt/omni/.omnirc

You have to add the OB2PORTRANGESPEC parameter, which limits the range of ports used for communication between the different components. Then you have to open these port ranges in your firewall. The ports are picked randomly from the range. The complete parameter looks like this:

xSM is used to define the ports used by the Backup Session Manager (BSM), Restore Session Manager (RSM) and Database Session Manager (DBSM). For each session manager one port is used. You can define specific ranges for each session manager by replacing the x with B, R or DB. For example:

If the option “Reconnect broken connections” is enabled, each DA needs a connection to an xSM: DA to BSM when taking a backup, DA to RSM when doing a restore and DA to DBSM for the IDB backup. So the xSM parameter limits the number of concurrent sessions of your Cell Manager. Choose this wisely… Because the data flows directly from the DA to the MA, each DA needs a connection to an MA. With the above specified port range, you could have 11 concurrent connections from a DA to an MA. If the server you want to back up runs an application like Oracle, Exchange or MS SQL, then you need additional connections to the Cell Manager, to be precise, to the Cell Request Server (CRS). The port range for these connections is defined with the CRS part of the OB2PORTRANGESPEC parameter. If the MA runs on a different host than the Cell Manager, you have to add the xMA part of OB2PORTRANGESPEC to the omnirc file on the server with the MA. After you changed the omnirc file you have to restart the HP Data Protector services.

The used port ranges in a clear table:

Source         Target   Location   TCP Source Port Range   TCP Destination Port Range
Cell Manager   DA       DMZ        1024 – 65536            5555
DA             MA       LAN        1024 – 65536            19000-19010
DA             xSM      LAN        1024 – 65536            20000-20250
DA             CRS      LAN        1024 – 65536            18000-18005
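As an added example (not the omnirc lines from the original post), the OB2PORTRANGESPEC settings that produce exactly the ranges in the table above, split by host; the "component:from-to;component:from-to" form of the value is assumed from the Data Protector omnirc format.

```ini
# Added example, not from the original post. The "<component>:<from>-<to>;..."
# syntax of OB2PORTRANGESPEC is assumed; the ranges are the ones from the table.

# --- omnirc on the Cell Manager (hosts BSM/RSM/DBSM and the CRS) ---
# One port per session manager, so 251 ports = at most 251 concurrent
# backup/restore/IDB sessions that can reconnect through the firewall.
# 18000-18005 is for application agents (Oracle, Exchange, MS SQL) talking to CRS.
OB2PORTRANGESPEC=xSM:20000-20250;CRS:18000-18005

# Same effect with a dedicated range per session manager instead of xSM:
# OB2PORTRANGESPEC=BSM:20000-20100;RSM:20101-20200;DBSM:20201-20250;CRS:18000-18005

# --- omnirc on a separate Media Agent host ---
# 11 ports, so at most 11 concurrent DA-to-MA data streams through the firewall.
OB2PORTRANGESPEC=xMA:19000-19010

# The DMZ firewall then needs, from the DA hosts towards the LAN:
#   TCP 20000-20250 and 18000-18005 to the Cell Manager
#   TCP 19000-19010 to the Media Agent host
# and from the Cell Manager towards the DMZ: TCP 5555 to each DA.
```

Restart the Data Protector services on every host whose omnirc you changed; the ranges only take effect for sessions started afterwards.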

I hope this article has helped you understand how HP Data Protector works.

Juniper Firefly Perimeter

This posting is ~6 years old. You should keep this in mind. IT is a short-living business. This information might be outdated.

I'm a big fan of Juniper Networks! I work mainly with the SSG (ScreenOS) and SRX (Junos) series. The Juniper SRX is a network security solution that can be positioned in the data center or at the branch. You will surely agree that virtualization and cloud computing changed a lot from the network perspective. This demands security solutions that are not bound to hardware. Juniper Firefly Perimeter addresses these demands.

What is Juniper Firefly Perimeter?

Juniper Firefly Perimeter is an SRX Services Gateway delivered as a virtual appliance. You can compare it with the HP VSR1000 Virtual Service Router or the Cisco Cloud Service Router 1000V. Firefly Perimeter is available for VMware vSphere 5.x and Linux KVM. Microsoft Hyper-V is currently not supported. When you take a look into the datasheet you will notice that Firefly Perimeter can do all the cool things you expect from this kind of virtual appliance: simple routing, routing protocols (RIP, OSPF, BGP, IS-IS…), MPLS, VPN, stateful/ stateless firewall, network attack detection, a lot of management features and many more.

A really cool thing is the Juniper Software Advantage for Security. With this licensing you can choose from multiple options and deploy the software on any platform, regardless of whether it's hardware or a virtual appliance. The licensing is perpetual, so you buy once and use it indefinitely.

When using hardware-based appliances it's easy to track them: go into the datacenter or the branch office and take a look into the rack. But a lesson I learned over the last years is: when you use virtualization, you need lifecycle management. Otherwise you will often hear the question “What does server XYZ do??”. Junos Space Virtual Director addresses these demands. It's a management application for Juniper Firefly Perimeter that helps you automate the deployment and management of Firefly Perimeter appliances. To do so, you can use the REST API and attach Junos Space Virtual Director to other platforms and tools (e.g. VMware Orchestrator).

Shut up and take my money!

If you want to test Juniper Firefly Perimeter in your lab, you can simply download it. Juniper provides a 60-day evaluation. All you need is a Juniper Networks account and this link: *click*

[Image: juniper_firefly_download (Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0)]

I assume that you use VMware vSphere. In this case you have to download the OVA file and deploy it with the vSphere C# or Web Client. The virtual appliance is configured with 2 vCPUs, 2 GB RAM and two E1000 vNICs. If you want to build complex setups, you can add additional vNICs (up to 10). Simply deploy the OVA file.

After powering on, the appliance tries to get an IP address on interface ge-0/0/0.0 via DHCP. Web management is also enabled on this interface. If the VM gets an IP address, you can open a browser and enter that address. If everything went right, the Setup Wizard appears.

[Image: juniper_firefly_setup_wizard (Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0)]

The wizard helps you with the initial configuration of the appliance. It's very handy if you don't have much experience with Junos. If you're familiar with the configuration of Junos, you can configure the appliance using the CLI. Just log in as root without a password. Juniper Networks has really good documentation, so take a look into the Junos 12.1 documentation.

HP VSR1000: How to configure a IPsec tunnel

This posting is ~6 years old. You should keep this in mind. IT is a short-living business. This information might be outdated.

One possible use case for the HP VSR1000 is to build IPsec tunnels for secure data transfer. In this post I will show you how to configure an IPsec tunnel between two HP VSR1000s. If you need a short introduction, feel free to take a look at this article.

The experimental setup

We have two server VMs (in this case Windows Server 2008 R2 with SP1) and two HP VSR1000 Virtual Service Routers. To simplify things I added a vSwitch without uplinks to my ESXi at home. This vSwitch has three port groups. Each VSR1000 is connected to one site and to the WAN port group, while the server VMs are only connected to one site. The WAN port group simulates the WAN link, but in reality the WAN can be anything. This is a screenshot of the ESXi vSwitch and port group configuration, as well as the logical setup.

[Image: vsr1000_ipsec_lab (Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0)]

[Image: vrs1000_ipsec_lab_logical (Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0)]

Site A uses the subnet 192.168.100.0/24. Site B uses the subnet 192.168.200.0/24. The subnet 10.0.0.0/30 is used on the WAN side. The IP addressing looks like this:

Site A
  VSR1   192.168.100.1/24
  SRV1   192.168.100.2/24
Site B
  VSR2   192.168.200.1/24
  SRV2   192.168.200.2/24
WAN
  VSR1   10.0.0.1/30
  VSR2   10.0.0.2/30

The VSR1000 uses HP Comware 7.1, so it’s possible that the IPsec configuration differs from Comware 5.

The configuration

I've described the initial configuration of a VSR in this article, so here I focus on the configuration of the IPsec tunnel itself. First of all we need to configure the interfaces. On VSR1 (the first router):

And on VSR2 (the second router):

Sure, we could set up a small single-area OSPF, but for now static routing is sufficient. These two routes allow us to reach the other side. There is currently no default route (gateway of last resort). On VSR1:

And on VSR2:

I will show you how to configure an ACL-based IPsec tunnel. This happens in three steps:

  • Create an ACL
  • Create an IPsec policy
  • Apply the policy to an interface

The first step is to configure the ACLs. These ACLs determine what kind of traffic should be protected. The ACL number 3000 indicates that this is an advanced ACL (ACL numbers 3000 – 3999). The ACL consists of multiple rules, in this case two rules and a comment. The rules define that all traffic from 192.168.100.0/24 to 192.168.200.0/24 (and vice versa on the other router) is permitted, i.e. sent through the tunnel. All other traffic is denied, i.e. not protected by IPsec. On VSR1:

And on VSR2:

The next steps are to configure the transform set, the keychain, an IKE profile and an IPsec policy. The transform set is part of the IPsec policy and defines the security parameters for the IPsec SA negotiation. This includes the security protocol (AH, ESP), the encapsulation mode and the encryption and authentication algorithms. Because this is a site-to-site VPN, the encapsulation mode “tunnel” is used. On VSR1:

And on VSR2:

Now the keychain is configured. The keychain includes the pre-shared key. On VSR1:

And on VSR2:

The pre-shared key is displayed encrypted in the configuration, even though it's entered here in plain text. The next step is to configure the IKE profile. In this example it's simply called “1”; you can give it another name if you like. The IKE profile links the identity of the remote VSR and the keychain. On VSR1:

And on VSR2:

Now the second step (creating an IPsec policy) comes to an end. The IPsec policy links the transform set, the IKE profile and the ACL together. The 10 is the sequence number. You can choose another sequence number if you like, and you can also choose another name. I named my policy “policy1”. On VSR1:

And on VSR2:

The last step is to apply the IPsec policy to an interface. On VSR1:

And on VSR2:

The result

Once traffic matching the ACL arrives, the IPsec tunnel is established. You can verify this with this command:
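As an added example (not the configuration from the original post), the complete ACL-based IPsec configuration for VSR1 in the setup described above, with the verification commands at the end; VSR2 mirrors it with the local and remote addresses (and the ACL's source/destination) swapped. Interface names, the algorithms, the key and the exact Comware 7.1 spelling of some keywords are assumptions.

```text
# Added example, not from the original post. VSR1 side of the tunnel;
# interface names, algorithms, the key and some keyword spellings are assumed.
#
interface GigabitEthernet1/0
 description Site-A-LAN
 ip address 192.168.100.1 255.255.255.0
#
interface GigabitEthernet2/0
 description WAN
 ip address 10.0.0.1 255.255.255.252
#
# Static route to site B via the WAN peer (no default route in this lab)
ip route-static 192.168.200.0 24 10.0.0.2
#
# Advanced ACL 3000: "permit" = protect with IPsec, "deny" = send unprotected
acl number 3000
 description traffic-to-protect-towards-site-B
 rule 10 permit ip source 192.168.100.0 0.0.0.255 destination 192.168.200.0 0.0.0.255
 rule 20 deny ip
#
# Transform set: ESP in tunnel mode with AES-256 and SHA-1 (algorithms assumed)
ipsec transform-set tran1
 protocol esp
 encapsulation-mode tunnel
 esp encryption-algorithm aes-cbc-256
 esp authentication-algorithm sha1
#
# Keychain: pre-shared key for the peer 10.0.0.2; stored encrypted in the config
ike keychain keychain1
 pre-shared-key address 10.0.0.2 255.255.255.255 key simple REPLACE-WITH-REAL-PSK
#
# IKE profile "1": ties the remote identity to the keychain
ike profile 1
 keychain keychain1
 local-identity address 10.0.0.1
 match remote identity address 10.0.0.2 255.255.255.255
#
# IPsec policy "policy1", sequence 10: links transform set, ACL and IKE profile
ipsec policy policy1 10 isakmp
 transform-set tran1
 security acl 3000
 remote-address 10.0.0.2
 ike-profile 1
#
# Apply the policy on the WAN-facing interface
interface GigabitEthernet2/0
 ipsec apply policy policy1
#
# Verification after the first matching packet (e.g. ping SRV2 from SRV1):
#  display ike sa            -> phase 1 SA with peer 10.0.0.2 in state RD
#  display ipsec sa          -> inbound/outbound ESP SAs for policy1 seq 10
#  display ipsec statistics  -> encrypted/decrypted packet counters increase
```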

That's it! :) If you are looking for more, take a look into the HP VSR1000 configuration guides. This is an 18 MB (!) PDF which covers all aspects of the VSR1000 and includes a lot of configuration examples.

Regenerating expired vCenter SSL certificates

This posting is ~6 years old. You should keep this in mind. IT is a short-living business. This information might be outdated.

During a vSphere 5.0 > 5.5 upgrade I got this message:

The customer hadn't installed CA-signed certificates, so the expired certificates are the out-of-the-box self-signed certificates. The certificates are valid for two years (VirtualCenter 2.5) or 10 years (since vCenter 4.x), depending on the version. The only way to continue the installation is to renew the certificates. After renewing the certificates, you can simply continue the setup, because the vCenter service is stopped at this point of the setup and loads the new certificates during startup. It's the setup which checks the validity of the certificates. KB1009092 describes in great detail what to do, so I will not repeat what is already written there. You should note that you can't use the ESXi busybox to renew the certificates: the necessary OpenSSL binary isn't included. The KB article recommends OpenSSL for Windows. I simply used my Linux root server, but you can also use a small Linux VM. After renewing the certificates for vCenter, Inventory server and Web Client, I simply continued the setup and it ran through without problems. The deployment of CA-signed certificates is planned.

I recommend using CA-signed certificates. You need a CA (this can be your own CA) and the vCenter Certificate Automation Tool, which makes the deployment of your own certificates much easier! There are a couple of excellent posts on this topic. Derek Seaman wrote an awesome four-part series about the usage of the vCenter Certificate Automation Tool. This posting by Craig Kilborn is also a good reference. Craig refers to other sources, like Michael Webster.

Dealing with certificates can be difficult for inexperienced administrators. They have to clearly understand how certificates work, what the job of a CA is and how it all works together. Don't be a beginner and quickly deploy a CA just because you need CA-signed certificates NOW. Just use the self-signed certificates for a couple of weeks and work out a CA design that satisfies the customer's requirements. Maybe the customer can use the CA for other purposes. Be a trusted advisor, not Mr. Quick 'n Dirty. ;)