Blog

Apr 12
NetApp OnCommand System Manager: Implement Microsoft CA Signed SSL Certificate

NetApp::> security cert show
Vserver    Serial Number   Common Name                            Type
---------- --------------- -------------------------------------- ------------
AFF_SAN_DEFAULT_SVM
           xxxxxxxxxxxxxx  nfs_server_aff                         server
    Certificate Authority: nfs_server_aff
          Expiration Date: Thu Mar 08 14:41:55 2018

NetApp xxxxxxxxxxxxxx  aff                                    server
    Certificate Authority: aff
          Expiration Date: Thu Mar 08 14:28:42 2018

2 entries were displayed.

NetApp::> security ssl show
          Serial                                         Server  Client
Vserver   Number Common Name                             Enabled Enabled
--------- ------ --------------------------------------- ------- -------
AFF_SAN_DEFAULT_SVM
          xxxxxxxxxxxxxx
                 nfs_server_aff                          true    false
 Certificate Authority: nfs_server_aff

NetApp
          xxxxxxxxxxxxxx
                 aff                                     true    false
 Certificate Authority: aff

2 entries were displayed.

NetApp::> security certificate generate-csr -common-name NetApp -size 2048 -country US -state VA -locality blah -organization blah -unit IT -email-addr caleb@meadows.it

"-common-name" should match the DNS name that resolves to your NetApp's cluster management LIF. Current browsers ignore the Common Name and match the host name against the certificate's subjectAltName, so make sure the CA template (or the request) adds a matching DNS SAN. When the install step later asks for CA certificates, supply the issuing CA (and any intermediates up to the root) so clients are handed a complete chain rather than just the leaf.

Certificate Signing Request :
-----BEGIN CERTIFICATE REQUEST-----

-----END CERTIFICATE REQUEST-----


Private Key :
-----BEGIN RSA PRIVATE KEY-----

-----END RSA PRIVATE KEY-----

Note: Please keep a copy of your certificate request and private key for future reference.

Microsoft CA Web Enrollment - https://<servername>/certsrv

--Request a Certificate

--advanced certificate request

--Enter your generated CSR

--Web Server

--Base 64 encoded

--Download certificate

NetApp::> security certificate install -vserver NetApp -type server

Please enter Certificate: Press <Enter> when done
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----


Please enter Private Key: Press <Enter> when done
-----BEGIN RSA PRIVATE KEY-----

-----END RSA PRIVATE KEY-----


Please enter certificates of Certification Authorities (CA) which form the certificate chain of the server certificate. This starts with the issuing CA certificate of the server certificate and can range up to the root CA certificate.

Do you want to continue entering root and/or intermediate certificates {y|n}: n

You should keep a copy of the private key and the CA-signed digital certificate for future reference.

NetApp::> security cert show
Vserver    Serial Number   Common Name                            Type
---------- --------------- -------------------------------------- ------------
AFF_SAN_DEFAULT_SVM
           xxxxxxxxxxxxxx  nfs_server_aff                         server
    Certificate Authority: nfs_server_aff
          Expiration Date: Thu Mar 08 14:41:55 2018

NetApp xxxxxxxxxxxxxxxxserialxxxxxxxxxxxxxxxx
                           NetApp                             server
    Certificate Authority: Microsoft CA
          Expiration Date: Wed Apr 10 13:32:09 2019

NetApp xxxxxxxxxxxxxx  aff                                    server
    Certificate Authority: aff
          Expiration Date: Thu Mar 08 14:28:42 2018

3 entries were displayed.

NetApp::> ssl show -vserver NetApp
  (security ssl show)

                                         Vserver: NetApp
                   Server Certificate Issuing CA: aff
                Server Certificate Serial Number: xxxxxxxxxxxxxx
                  Server Certificate Common Name: aff
               SSL Server Authentication Enabled: true
               SSL Client Authentication Enabled: false
Online Certificate Status Protocol Validation Enabled: false
URI of the Default Responder for OCSP Validation:
Force the Use of the Default Responder URI for OCSP Validation: false
                        Timeout for OCSP Queries: 10s
 Maximum Allowable Age for OCSP Responses (secs): unlimited
Maximum Allowable Time Skew for OCSP Response Validation: 5m
                 Use a NONCE within OCSP Queries: true

NetApp::> ssl modify -vserver NetApp -ca "Microsoft CA" -serial xxxxxxxxxxxxxxxxserialxxxxxxxxxxxxxxxx -common-name NetApp
  (security ssl modify)

NetApp::> ssl show -vserver NetApp
  (security ssl show)

                                         Vserver: NetApp
                   Server Certificate Issuing CA: Microsoft CA
                Server Certificate Serial Number: xxxxxxxxxxxxxxxxserialxxxxxxxxxxxxxxxx
                  Server Certificate Common Name: NetApp
               SSL Server Authentication Enabled: true
               SSL Client Authentication Enabled: false
Online Certificate Status Protocol Validation Enabled: false
URI of the Default Responder for OCSP Validation:
Force the Use of the Default Responder URI for OCSP Validation: false
                        Timeout for OCSP Queries: 10s
 Maximum Allowable Age for OCSP Responses (secs): unlimited
Maximum Allowable Time Skew for OCSP Response Validation: 5m
                 Use a NONCE within OCSP Queries: true

NetApp::>



Nov 17
Zerto: Implement Microsoft CA Signed SSL Certificate

Zerto support touches on this topic with the following KB articles but I found that the information provided does not result in a straightforward and successful implementation due to some incorrect command syntax and lack of pertinent details.

http://www.zerto.com/myzerto/knowledge-base/generate-certificate-signing-request-and-key/

https://www.zerto.com/myzerto/knowledge-base/how-to-use-cer-ssl-certificate/


Zerto Virtual Manager Host:

 

Download and install OpenSSL

Run CMD as administrator

C:\Windows\system32>cd c:\OpenSSL-Win32\bin

c:\OpenSSL-Win32\bin>

c:\OpenSSL-Win32\bin>set OPENSSL_CONF=C:\OpenSSL-Win32\bin\openssl.cfg

c:\OpenSSL-Win32\bin>openssl req -out server.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key

Generating a 2048 bit RSA private key

......+++

....................................+++

writing new private key to 'privateKey.key'

-----

You are about to be asked to enter information that will be incorporated into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:blah

State or Province Name (full name) [Some-State]:blah

Locality Name (eg, city) []:blah

Organization Name (eg, company) [Internet Widgits Pty Ltd]:blah

Organizational Unit Name (eg, section) []:blah

Common Name (e.g. server FQDN or YOUR name) []:Zerto Virtual Manager Host IP ADDRESS

Email Address []:blah

Please enter the following 'extra' attributes to be sent with your certificate request

A challenge password []:

An optional company name []:blah

 

The aforementioned process creates a Certificate Signing Request (server.csr) and an unencrypted private key (privateKey.key, because of -nodes) in C:\OpenSSL-Win32\bin on your Zerto Virtual Manager Host. Treat that directory as sensitive and delete the working copies once the PFX has been built. Also note that browsers match the name they connect to against the certificate's subjectAltName, not the Common Name, and an IP address in the CN is not matched at all; if the ZVM must be reached by IP the certificate needs an iPAddress SAN, and a DNS name is the better choice.

Open the server.csr file with Notepad and copy the contents. You will need this for the next step.

 

Microsoft CA Web Enrollment - https://<servername>/certsrv :

               

Select Request a Certificate



 

Select advanced certificate request



 

Paste the contents of the aforementioned server.csr file into the Base-64-encoded certificate request field

Certificate Template: Web Client and Server

Select Submit >



Select Base 64 encoded

Select Download certificate



Copy the downloaded certnew.cer file to C:\OpenSSL-Win32\bin on your Zerto Virtual Manager Host. While you are on the certsrv page, also download the CA certificate chain in Base 64 form (the "Download a CA certificate, certificate chain, or CRL" link) so the issuing CA can be bundled into the PFX rather than leaving clients to find it on their own.

 

Zerto Virtual Manager Host:

 

Run CMD as administrator

C:\Windows\system32>cd c:\OpenSSL-Win32\bin

c:\OpenSSL-Win32\bin>

c:\OpenSSL-Win32\bin>openssl pkcs12 -export -inkey privateKey.key -in certnew.cer -out server.pfx

Enter Export Password:UniquePassword

Verifying - Enter Export Password:UniquePassword

c:\OpenSSL-Win32\bin>
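The script below is an added example, not code from the original post and not from NetApp or Zerto. It serves both certificate procedures on this page: the NetApp CSR and chain prompt above, and the OpenSSL steps just shown for Zerto. A throwaway CA stands in for the Microsoft CA so everything runs offline; the script issues a certificate from a CSR that carries a DNS subjectAltName and then confirms three things the procedures skip: that the private key belongs to the certificate, that the certificate chains to the CA, and that the name clients will use is present as a SAN. Finally it builds the PFX with -certfile so the issuing chain travels inside it, and counts the certificates bundled. The FQDN zvm.lab.local, the scratch directory and the file names are assumptions; it needs the openssl command-line tool (1.1.1 or later).

```shell
#!/bin/sh
# Added example (not from the original post, NetApp or Zerto): offline dry run
# of the CSR -> CA -> install/PFX workflow with the checks the posts skip.
# A throwaway CA stands in for the Microsoft CA; FQDN, paths and file names
# are assumptions. Needs the openssl command-line tool (1.1.1 or later).
set -eu

WORK="${WORK:-$(mktemp -d)}"             # scratch directory (assumption)
PFX_PASS="${PFX_PASS:-UniquePassword}"   # passed via env:, never on argv (argv is visible in ps)
export PFX_PASS

# 1. Throwaway issuing CA. Extensions come from an explicit extfile so the
#    result does not depend on whatever openssl.cnf happens to be installed.
make_test_ca() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Lab Issuing CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$WORK/ca.cnf"
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 30 -sha256 \
    -extfile "$WORK/ca.cnf" -out "$WORK/ca.pem" 2>/dev/null
}

# 2. CSR whose CN is the FQDN and which also carries a matching DNS SAN.
#    The key is written unencrypted (-nodes, as in the post): keep $WORK private.
make_csr() {   # $1 = FQDN
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=US/O=Lab/CN=$1" -addext "subjectAltName=DNS:$1" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
}

# 3. Sign the CSR roughly as a "Web Server" template would (serverAuth EKU plus
#    the SAN). x509 -req does not copy CSR extensions, hence the extfile.
sign_csr() {   # $1 = FQDN
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$1" >"$WORK/ext.cnf"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/ext.cnf" \
    -out "$WORK/server.pem" 2>/dev/null
}

# Check A: the private key really belongs to the certificate (compare public keys).
key_matches_cert() {   # $1 = key file, $2 = cert file
  k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
  c=$(openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Check B: the certificate chains to the CA the clients trust.
verify_chain() {   # $1 = cert file, $2 = CA bundle (PEM)
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Check C: the name clients will type is a DNS SAN (browsers ignore the CN).
cert_has_dns_san() {   # $1 = cert file, $2 = FQDN
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# 4. PFX for the Zerto utility. -certfile bundles the issuing chain that the
#    post's command leaves out. With OpenSSL 3, add -legacy if an older
#    Windows release refuses to import the result.
make_pfx() {   # $1 = key, $2 = cert, $3 = chain (PEM), $4 = output .pfx
  openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
    -passout env:PFX_PASS -out "$4"
}

pfx_cert_count() {   # how many certificates the PFX carries
  openssl pkcs12 -in "$1" -nokeys -passin env:PFX_PASS 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE' || true
}

run_demo() {   # $1 = FQDN; returns 0 only when every check passes
  fqdn="$1"
  make_test_ca && make_csr "$fqdn" && sign_csr "$fqdn"
  key_matches_cert "$WORK/server.key" "$WORK/server.pem" || { echo "FAIL: key does not match certificate"; return 1; }
  verify_chain "$WORK/server.pem" "$WORK/ca.pem"        || { echo "FAIL: certificate does not chain to the CA"; return 1; }
  cert_has_dns_san "$WORK/server.pem" "$fqdn"           || { echo "FAIL: no DNS SAN for $fqdn"; return 1; }
  make_pfx "$WORK/server.key" "$WORK/server.pem" "$WORK/ca.pem" "$WORK/server.pfx"
  n=$(pfx_cert_count "$WORK/server.pfx")
  [ "$n" -ge 2 ] || { echo "FAIL: PFX carries $n certificate(s); the chain is missing"; return 1; }
  echo "OK: $fqdn key/cert match, chain verifies, SAN present, PFX bundles $n certificates"
}

run_demo "${1:-zvm.lab.local}"
```

In real use drop make_test_ca, point the third argument of make_pfx at the Microsoft CA's Base-64 certificate (if certsrv hands you a .p7b, convert it first with openssl pkcs7 -print_certs), and run the three checks against the CA-issued certnew.cer before it goes into either appliance. The same key_matches_cert and verify_chain checks apply to the key and certificate pasted into NetApp's security certificate install prompt.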

 

Run the Zerto Virtual Replication Diagnostics & Configuration Utility: C:\Program Files\Zerto\Zerto Virtual Replication\ZertoDiagnostics.exe

Select Reconfigure Zerto Virtual Manager

Select Next



Select NEXT




Select NEXT



               

Select NEXT



 

Select Replace SSL certificate

Select to browse for file

Navigate to the following path: C:\OpenSSL-Win32\bin

Select the server.pfx file

Select Open



 

Enter the UniquePassword for the certificate file

Select YES



Select NEXT



 Select RUN




Select OK



 

Select EXIT



 

 

 


Jan 14
Mock vSphere Implementation Part 1 - Networking


 

I've created the following diagrams and configuration examples to represent a basic and redundant networking concept in vSphere.

Please note that there is no "one design fits all" for vSphere networking and that a configuration suited for one environment may not be the best fit for another environment.


Starting with the physical network infrastructure:


Four Cisco 3750s (WS-C3750G-24TS) "stacked" via StackWise to create a single logical switch.

A unique power source per switch is ideal. Attaching all four switches to the same PDU/circuit introduces a single point of failure.

Each switch has a Gigabit Ethernet fiber uplink (1000BASE-SX) on its Gi*/0/28 SFP interface that connects to the core switch (or switches).

These uplinks are aggregated into a port channel (Port-channel2) to form a single logical Ethernet uplink (EtherChannel).

With the uplink interfaces configured as trunk ports, all core-switch VLANs are made available to the switch stack, where they can be tagged explicitly on access ports or passed further down the line via additional trunk ports. The VLAN database itself can be distributed across the switches with VLAN Trunking Protocol.



The ESXi host ESXi01.LAB.LOCAL has two physical 4-port network adapters, and its interfaces are deliberately distributed across the four switches.

Note that each network interface card has multiple Gigabit Ethernet copper uplinks to different switches in the stack. This redundant topology, combined with EtherChannel, protects the host from network isolation if a host network interface card and/or a switch in the stack fails.


On to the virtual network infrastructure:


Standard virtual switch vSwitch0, as depicted in the following diagram, is dedicated to the management-traffic VMkernel port.

In this configuration physical network interfaces Gi1/0/1 (vmnic0) and Gi2/0/1 (vmnic4) are configured as trunk ports and assigned to vSwitch0. As a result all VLANs are presented to the vSwitch, and the desired VLAN (VLAN 1) must be tagged on the management-traffic VMkernel port along with the corresponding IP settings. Note that VLAN 1 is also the default native (untagged) VLAN on a Cisco trunk; for that tag to be honoured either configure the switch to tag the native VLAN or move management to a different VLAN, otherwise leave the VMkernel port's VLAN ID at 0 so it rides the native VLAN untagged.

ESXi represents physical network interfaces as vmnic's. If you're unsure what physical interface a vmnic corresponds to you can utilize Cisco Discovery Protocol to identify what's what.


For vSwitch redundancy interfaces Gi1/0/1(vmnic0) and Gi2/0/1(vmnic4) are connected to different switches and aggregated to form Port-channel0 allowing vSwitch0 to tolerate a single switch failure.

When EtherChannel is used to aggregate vSwitch uplinks, VMware requires every vmnic to be Active (no Standby adapters), and the Route based on IP hash load-balancing policy must be used. A standard vSwitch does not speak LACP, so the switch side must be a static EtherChannel (channel-group mode on) rather than an LACP bundle.


Standard virtual switch vSwitch1, as depicted in the following diagram, is dedicated to Multi-NIC vMotion.

In this configuration physical network interfaces Gi1/0/2 (vmnic1) and Gi2/0/2 (vmnic5) are configured as access ports in VLAN 2. As a result you do not need to tag the VLAN on the vMotion VMkernel ports.


For vSwitch redundancy interfaces Gi1/0/2(vmnic1) and Gi2/0/2(vmnic5) are connected to different switches allowing vSwitch1 to tolerate a single switch failure.

It is recommended that you not use link aggregation (EtherChannel and/or port channels) with Multi-NIC vMotion. VMware guru Frank Denneman has a great post on this topic; kudos.

With Multi-NIC vMotion you must create two vMotion VMkernel ports, each with its own IP settings on the VLAN in use.

vMotion VMkernel port (VMotion-01) - Check Override switch failover order. Configure the first adapter (vmnic1) as Active and move the second adapter (vmnic5) to Standby.

vMotion VMkernel port (VMotion-02) - Check Override switch failover order. The adapter configuration is the inverse of VMotion-01: configure vmnic5 as Active and vmnic1 as Standby.


Standard virtual switch vSwitch2, as depicted in the following diagram, is dedicated to virtual machines.

In this configuration physical network interfaces Gi3/0/1 (vmnic2), Gi3/0/2 (vmnic6), Gi4/0/1 (vmnic3) and Gi4/0/2 (vmnic7) are configured as trunk ports and assigned to vSwitch2. As a result all VLANs are presented to the vSwitch, and the desired VLANs must be tagged on the virtual machine port groups.


For vSwitch redundancy interfaces Gi3/0/1 (vmnic2), Gi3/0/2 (vmnic6), Gi4/0/1 (vmnic3) and Gi4/0/2 (vmnic7) are aggregated to form Port-channel1, split across switches 3 and 4, allowing vSwitch2 to tolerate a single switch failure.


As with vSwitch0, when EtherChannel is used to aggregate vSwitch uplinks VMware requires every vmnic to be Active, and the Route based on IP hash load-balancing policy must be used.



This same concept should carry from host to host to form a cluster, and it can be applied to distributed switches if desired. Additional redundancy and throughput can be achieved with more network adapters, and with 10 Gigabit Ethernet combined with Network I/O Control for QoS.

Stay tuned for part 2 as I transition into shared storage for vSphere!

Jun 17
Cisco MDS 9124: Upgrade NX-OS software from version 4.1(3a) to version 5.2(8d)

Cisco MDS 9124

 

Task:

Upgrade NX-OS software from version 4.1(3a) to version 5.2(8d)

 

Per Cisco "Upgrading to Cisco NX-OS Release 5.2(8d) without first upgrading to Release 5.0(x) is not recommended and is not supported, and might result in configuration loss."


Nondisruptive Upgrade Path to Cisco MDS NX-OS Release 5.2(8d)

Current Release                             Nondisruptive Upgrade Path and Ordered Upgrade Steps
NX-OS Release 5.2(x)                        Upgrade directly to NX-OS Release 5.2(8d).
All 5.0(x) releases                         Upgrade directly to NX-OS Release 5.2(8d).
All 4.2(x) releases and 4.1(x) releases     1. Upgrade to NX-OS Release 5.0(x).
                                            2. Upgrade to NX-OS Release 5.2(8d).

 

 

In this case you will first upgrade to version 5.0(1a) and then to version 5.2(8d). Before you begin, save the running configuration to startup and keep an off-box copy of it, and schedule the work in a maintenance window even though the upgrade is expected to be nondisruptive.

To obtain the necessary downloads you will need an active SMARTnet service contract with Cisco.

Note: SMARTnet support contracts are negotiated through a reseller. They will need the chassis serial number to provide you with a quote. This serial number can be read from the sticker on the unit itself or remotely via the CLI using the following command: show sprom backplane 1

 

switch# show sprom backplane 1

DISPLAY backplane sprom contents:

Common block:                 

 Block Signature : 0xabab

 Block Version   : 3

 Block Length    : 160

 Block Checksum  : 0x151b

 EEPROM Size     : 1024

 Block Count     : 6

 FRU Major Type  : 0x6003

 FRU Minor Type  : 0x0

 OEM String      : Cisco Systems, Inc.

 Product Number  : DS-C9124-K9

 Serial Number   : ***********

                               

Download the Kick Start and System files:


Kick Start

5.0(1a)

- m9100-s2ek9-kickstart-mz.5.0.1a.bin

5.2(8d)

- m9100-s2ek9-kickstart-mz.5.2.8d.bin

System

5.0(1a)

- m9100-s2ek9-mz.5.0.1a.bin

5.2(8d)

- m9100-s2ek9-mz.5.2.8d.bin


Now that you have the files you'll need a TFTP server to copy them to the switch; there are a number of free TFTP servers available. Keep in mind that TFTP has no authentication and no encryption: run the server only for the duration of the upgrade, reachable from the switch's management network only, and verify the image checksums on the switch after the copy.


Copy files to the switch via TFTP:


copy tftp://TFTPserverIPorHostname/filename bootflash:/

 

switch# copy tftp://TFTPserverIPorHostname/m9100-s2ek9-kickstart-mz.5.0.1a.bin bootflash:/

Trying to connect to tftp server......

Connection to server Established. Copying Started.....

\

TFTP get operation was successful

switch# copy tftp://TFTPserverIPorHostname/m9100-s2ek9-mz.5.0.1a.bin bootflash:/

Trying to connect to tftp server......

Connection to server Established. Copying Started.....

|

TFTP get operation was successful
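Before the install step, a practitioner would want proof that the images on the switch are the ones Cisco published. The script below is an added example, not part of the original post and not a Cisco tool: it checks each downloaded image against the checksum list from the Cisco download page, reports per file, and fails on a missing or altered image. Because TFTP neither authenticates the server nor protects the transfer, repeat the comparison on the switch with show file bootflash:<image> md5sum after the copy and before install all. The sample images and checksum values are constructed stand-ins for the demonstration; only the file names are the post's.

```shell
#!/bin/sh
# Added example, not from the original post or from Cisco: verify NX-OS images
# against the checksums published on the Cisco download page before they go
# anywhere near `install all`. TFTP authenticates nothing and detects nothing,
# and the switch will boot whatever lands in bootflash:, so check on the
# staging host before the copy and again on the switch afterwards
# (show file bootflash:<image> md5sum). File names are the post's; the
# checksum values and sample files below are constructed stand-ins, NOT
# Cisco's real checksums.
set -eu

DIGEST="${DIGEST:-md5sum}"   # swap in sha512sum where the download page lists SHA-512

# verify_images DIR LIST
#   LIST holds "<hash>  <filename>" lines as copied from the download page.
#   Every listed file must exist in DIR and hash to the expected value;
#   prints one line per image and returns non-zero on any mismatch or
#   missing file.
verify_images() {
  dir="$1" list="$2" status=0
  while read -r expected name; do
    [ -n "$name" ] || continue                  # skip blank lines
    if [ ! -f "$dir/$name" ]; then
      echo "MISSING  $name"; status=1; continue
    fi
    actual=$("$DIGEST" "$dir/$name" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
      echo "OK       $name"
    else
      echo "MISMATCH $name (expected $expected, got $actual)"; status=1
    fi
  done <"$list"
  return $status
}

# --- constructed sample data so the check runs offline -------------------
# The two "images" are tiny placeholder files whose MD5s are well known:
#   md5("hello\n") = b1946ac92492d2347c6235b4d2611184
#   md5("")        = d41d8cd98f00b204e9800998ecf8427e
stage_samples() {   # $1 = directory to create the images and checksum list in
  mkdir -p "$1"
  printf 'hello\n' >"$1/m9100-s2ek9-kickstart-mz.5.0.1a.bin"
  : >"$1/m9100-s2ek9-mz.5.0.1a.bin"
  cat >"$1/CHECKSUMS" <<'EOF'
b1946ac92492d2347c6235b4d2611184  m9100-s2ek9-kickstart-mz.5.0.1a.bin
d41d8cd98f00b204e9800998ecf8427e  m9100-s2ek9-mz.5.0.1a.bin
EOF
}

main() {
  stage="${1:-$(mktemp -d)}"
  stage_samples "$stage"
  echo "== clean download"
  verify_images "$stage" "$stage/CHECKSUMS"
  echo "== same files after one byte is appended in transit"
  printf 'x' >>"$stage/m9100-s2ek9-mz.5.0.1a.bin"
  if verify_images "$stage" "$stage/CHECKSUMS"; then
    echo "BUG: corruption not detected"; return 1
  fi
  echo "corruption detected; do not run install all with these files"
}

main "$@"
```

MD5 is enough to catch a truncated or corrupted transfer, which is the common failure on TFTP; to defend against a deliberately substituted image, compare the SHA-512 values Cisco also publishes (set DIGEST=sha512sum) and keep the checksum list from the vendor page, never from the TFTP host.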


Identify install impact:


show install all impact kickstart bootflash:m9100-s2ek9-kickstart-mz.5.0.1a.bin system bootflash:m9100-s2ek9-mz.5.0.1a.bin

 

switch# show install all impact kickstart bootflash:m9100-s2ek9-kickstart-mz.5.0.1a.bin system bootflash:m9100-s2ek9-mz.5.0.1a.bin

 

Verifying image bootflash:/m9100-s2ek9-kickstart-mz.5.0.1a.bin for boot variable "kickstart".

[####################] 100% -- SUCCESS

 

Verifying image bootflash:/m9100-s2ek9-mz.5.0.1a.bin for boot variable "system".

[####################] 100% -- SUCCESS

 

Verifying image type.

[####################] 100% -- SUCCESS

 

Extracting "system" version from image bootflash:/m9100-s2ek9-mz.5.0.1a.bin.

[####################] 100% -- SUCCESS

 

Extracting "kickstart" version from image bootflash:/m9100-s2ek9-kickstart-mz.5.0.1a.bin.

[####################] 100% -- SUCCESS

 

Extracting "bios" version from image bootflash:/m9100-s2ek9-mz.5.0.1a.bin.

[####################] 100% -- SUCCESS

 

Performing Compact Flash and TCAM sanity test.

[####################] 100% -- SUCCESS

 

Notifying services about system upgrade.

[####################] 100% -- SUCCESS

 

 

 

Compatibility check is done:

Module  bootable          Impact  Install-type  Reason

------  --------  --------------  ------------  ------

1       yes  non-disruptive         reset 

 

 

 

Images will be upgraded according to following table:

Module       Image                  Running-Version(pri:alt)           New-Version  Upg-Required

------  ----------  ----------------------------------------  --------------------  ------------

1      system                                   4.1(3a)               5.0(1a)           yes

1   kickstart                                   4.1(3a)               5.0(1a)           yes

     1        bios     v1.0.19(02/01/10):  v1.0.19(02/01/10)     v1.0.19(02/01/10)            no


Install NX-OS 5.0(1a):

install all kickstart bootflash:m9100-s2ek9-kickstart-mz.5.0.1a.bin system bootflash:m9100-s2ek9-mz.5.0.1a.bin


switch# install all kickstart bootflash:m9100-s2ek9-kickstart-mz.5.0.1a.bin system bootflash:m9100-s2ek9-mz.5.0.1a.bin

 

Verifying image bootflash:/m9100-s2ek9-kickstart-mz.5.0.1a.bin for boot variable "kickstart".

[####################] 100% -- SUCCESS

 

Verifying image bootflash:/m9100-s2ek9-mz.5.0.1a.bin for boot variable "system".

[####################] 100% -- SUCCESS

 

Verifying image type.

[####################] 100% -- SUCCESS

 

Extracting "system" version from image bootflash:/m9100-s2ek9-mz.5.0.1a.bin.

[####################] 100% -- SUCCESS

 

Extracting "kickstart" version from image bootflash:/m9100-s2ek9-kickstart-mz.5.0.1a.bin.

[####################] 100% -- SUCCESS

 

Extracting "bios" version from image bootflash:/m9100-s2ek9-mz.5.0.1a.bin.

[####################] 100% -- SUCCESS

 

Performing Compact Flash and TCAM sanity test.

[####################] 100% -- SUCCESS

 

Notifying services about system upgrade.

[####################] 100% -- SUCCESS

 

 

 

Compatibility check is done:

Module  bootable          Impact  Install-type  Reason

------  --------  --------------  ------------  ------

     1       yes  non-disruptive         reset 

 

 

 

Images will be upgraded according to following table:

Module       Image                  Running-Version(pri:alt)           New-Version  Upg-Required

------  ----------  ----------------------------------------  --------------------  ------------

     1      system                                   4.1(3a)               5.0(1a)           yes

     1   kickstart                                   4.1(3a)               5.0(1a)           yes

     1        bios     v1.0.19(02/01/10):  v1.0.19(02/01/10)     v1.0.19(02/01/10)            no

 

 

Do you want to continue with the installation (y/n)?  [n] y

 

Install is in progress, please wait.

 

Notifying services about the upgrade.

[####################] 100% -- SUCCESS

 

Setting boot variables.

[####################] 100% -- SUCCESS

 

Performing configuration copy.

[####################] 100% -- SUCCESS

 

Module 1: Refreshing compact flash and upgrading bios/loader/bootrom.

Warning: please do not remove or power off the module at this time.

[####################] 100% -- SUCCESS

 

Upgrade can no longer be aborted, any failure will result in a disruptive upgrade.

 

Freeing memory in the file system.

[####################] 100% -- SUCCESS

 

Loading images into memory.

[####################] 100% -- SUCCESS

 

Saving linecard runtime state.

[####################] 100% -- SUCCESS

 

Saving supervisor runtime state.

[####################] 100% -- SUCCESS

 

Saving mts state.

[####################] 100% -- SUCCESS

 

Rebooting the switch to proceed with the upgrade.

Telnet and SSH will now be disabled.


Confirm upgrade to NX-OS 5.0(1a):

show version

switch# show version

Cisco Nexus Operating System (NX-OS) Software

TAC support: http://www.cisco.com/tac

Copyright (c) 2002-2010, Cisco Systems, Inc. All rights reserved.

The copyrights to certain works contained herein are owned by

other third parties and are used and distributed under license.

Some parts of this software are covered under the GNU Public

License. A copy of the license is available at

http://www.gnu.org/licenses/gpl.html.

 

Software

  BIOS:      version 1.0.19

  loader:    version N/A

  kickstart: version 5.0(1a)

  system:    version 5.0(1a)

  BIOS compile time:       02/01/10

  kickstart image file is: bootflash:///m9100-s2ek9-kickstart-mz.5.0.1a.bin

  kickstart compile time:  12/25/2020 12:00:00 [02/21/2010 20:55:31]

  system image file is:    bootflash:///m9100-s2ek9-mz.5.0.1a.bin

  system compile time:     2/2/2010 17:00:00 [02/21/2010 21:40:51]



When you have confirmed a successful upgrade to version 5.0(1a); follow the same procedure to upgrade from version 5.0(1a) to 5.2(8d).





Jul 21
Welcome to my blog!

This is where I'll be sharing my thoughts on topics that matter to me. Who knows... I might even share pictures, videos and links to other interesting stuff.

If I catch your interest, let me hear from you.