Month: March 2019


HPE’s entry-level MSA storage arrays are delivered with a self-signed certificate from HPE. A lot of storage administrators ignore the browser warnings and leave the configuration untouched. However, to pass the security scans that companies perform, installing a CA certificate is a must.

A self-signed certificate is a certificate issued and signed by the same entity whose identity it certifies. In this case, the MSA arrays are shipped with a certificate self-signed by Hewlett Packard Enterprise (HPE).

Before we continue with the installation steps, take note of the following:

  • The installation can be done online without interrupting host I/O, but a restart of the management controllers is required at the final step.
  • To deal with certificates I use the OpenSSL tool for Windows.
  • The FTP protocol is disabled by default on new MSA arrays. You might need to enable it using the web interface, or using the following commands:
    show protocols
    set protocols ftp enabled

If you are familiar with certificates, jump below to Commands Used

Request certificate

First of all, gather the needed information about your storage array, e.g. the Fully Qualified Domain Name (FQDN), your organization name etc., and ask your Certificate Authority owner to provide you with a certificate. A Microsoft Windows CA will provide you with a .PFX file, which contains a variety of cryptographic information, including certificate(s), certificate chains, the root authority and private keys.

Extract the (.pfx) certificate

To implement such a certificate in your MSA array, you will need to extract it into 2 separate files, one containing the certificate itself and the other containing the private key.

  1. We will start by extracting the private key. Use the following command to extract the private key file:
    openssl pkcs12 -in <.pfx file path location> -nocerts -out <key-file-name.key>

    – Enter the Import Password, received from your CA manager.
    – Choose a PEM pass phrase, or a password, to secure your private key file.

  2. The MSA array doesn’t accept protected private key files. Use the following command to remove the pass phrase you created in step 1:
    openssl rsa -in <keyfile.key> -out <keyfile-decrypted.key>

    Now you have a supported private key file.

  3. The next step is to extract the certificate from the .PFX file. Use the following command to extract it:
    openssl pkcs12 -in <.pfx file path location> -clcerts -nokeys -out <certificate-file.crt>

    The newly created file is now called certificate-file.crt.

Append Intermediate and Root certificate

In this step, you’ll need to edit the .crt certificate file you created in the previous step and add the intermediate and/or the root certificate to it. This is required by the array to communicate with the certificate chain implemented in your company.

The certificate file structure should look like this:

-----BEGIN CERTIFICATE-----
Array’s certificate (the content of the file you created during the previous step)
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
The intermediate certificate chain (if your company uses one)
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
The ROOT CA certificate
-----END CERTIFICATE-----

Once you have merged the certificates, use a distinctive name for your new file and save it.
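
An added example, not part of the original article: a shell script that checks the files produced by the steps above before they are uploaded, namely that the key has no pass phrase, that it belongs to the first certificate in the merged file, and that the certificates are ordered array, intermediate, root. It assumes a POSIX shell (for example Git Bash or WSL on Windows) with openssl on the PATH; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: pre-upload checks for the MSA key and merged certificate file.
# Function names are hypothetical; file names are the ones you chose above.

key_is_unencrypted() {   # $1 = private key file
    grep -q 'PRIVATE KEY-----' "$1" && ! grep -q 'ENCRYPTED' "$1"
}

key_matches_cert() {     # $1 = private key file, $2 = merged .crt file
    # openssl x509 reads only the first certificate, which must be the array's.
    k=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

chain_in_order() {       # $1 = merged .crt file
    # Split the file into 1.pem, 2.pem, ...; text outside the PEM blocks
    # (such as the "Bag Attributes" lines pkcs12 writes) is ignored.
    d=$(mktemp -d) || return 1
    awk -v d="$d" '/-BEGIN CERTIFICATE-/ { n++; on = 1 }
                   on { print > (d "/" n ".pem") }
                   /-END CERTIFICATE-/ { on = 0 }' "$1"
    i=1; rc=0
    [ -f "$d/1.pem" ] || rc=1
    # Each certificate's issuer must be the subject of the one after it.
    # This is a name comparison for ordering, not signature validation.
    while [ -f "$d/$((i + 1)).pem" ]; do
        iss=$(openssl x509 -in "$d/$i.pem" -noout -issuer | sed 's/^issuer= *//')
        sub=$(openssl x509 -in "$d/$((i + 1)).pem" -noout -subject | sed 's/^subject= *//')
        [ "$iss" = "$sub" ] || rc=1
        i=$((i + 1))
    done
    rm -rf "$d"
    return "$rc"
}

check_msa_files() {      # $1 = decrypted key, $2 = merged .crt file
    key_is_unencrypted "$1" || { echo "key is missing or still encrypted" >&2; return 1; }
    key_matches_cert "$1" "$2" || { echo "key does not match the first certificate" >&2; return 1; }
    chain_in_order "$2" || { echo "certificates are not ordered array, intermediate, root" >&2; return 1; }
    echo "OK: key and certificate file are consistent"
}

# Usage: sh check.sh <keyfile-decrypted.key> <merged-certificate.crt>
if [ "$#" -eq 2 ]; then check_msa_files "$1" "$2"; fi
```

The decrypted key file has no pass phrase protecting it, so restrict access to it and delete it once the upload is done.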

Installation of the certificate

To install the certificate to your MSA array you’ll need to connect through FTP.

  1. Open an elevated command prompt and navigate to the directory where your certificate (.crt file) and private key file reside.
  2. Type FTP > Open
  3. Enter the array’s IP address or DNS alias
  4. Upload the certificate using the following command
    put <certificate file name.crt> cert-file

  5. Next, upload the private key file using the following command
    put <key file.key> cert-key-file

  6. Finally, restart the management controller of your MSA and your browser should be reporting a valid SSL certificate.

Commands used

OpenSSL

Extract the certificate’s private key:

openssl pkcs12 -in <.pfx file path location> -nocerts -out <key-file-name.key>

Decrypt private key file

openssl rsa -in <keyfile.key> -out <keyfile-decrypted.key>

Extract certificate file

openssl pkcs12 -in <.pfx file path location> -clcerts -nokeys -out <certificate-file.crt>

FTP

Upload the certificate

put <certificate file name.crt> cert-file

Upload the private key file

put <key file.key> cert-key-file

A CLI (Command Language Interpreter or Command Line Interface) is a program which handles the interface using lines of text (command lines). The use of command lines dates back to the mid 1960s, when computer terminals were widely used as standard technology.

Today, the fundamentals of almost every platform or software product are based on the command line, from Windows Server 2012 and any Linux distribution to computer or storage networks (SAN).

Below we will cover some command line commands which are essential for every Storage Administrator. If you think there is more worth adding, feel free to contact us.

Microsoft Windows Powershell

Determine a Virtual Machine’s underlying physical host (Command execution: Guest computer)

(get-item "HKLM:\SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters").GetValue("HostName")

Get a VM’s .VHD(X) location files and .VHD details (Command execution: On the host computer)

Get-VM | Select-Object VMID | Get-VHD | Select-Object Path
Get-VHD <.VHDX file path>

Get a Host Adapter’s WWN (Command execution: On the host computer)

Get-InitiatorPort | Select-Object -Property PortAddress | Format-List -Property PortAddress

Get a Host Adapter’s WWN remotely or for a whole cluster (Command execution: On the host computer)

Get-InitiatorPort -CimSession <Computer name>
Get-ClusterNode | %{Get-InitiatorPort -cimsession $_.Name}

Show MPIO disk paths of a volume / vlun (Command execution: On the host computer)

(gwmi -Namespace root\wmi -Class mpio_disk_info).driveinfo | % {Write-host "Name: $($_.name) Paths: $($_.numberpaths)"}

 

Brocade OS CLI

Find a host Alias name using WWN

nodefind <Host's wwn>

Find a host alias using a wildcard ” ”

nsaliasshow | grep -i "<alias name>"

Display zone information of an alias

zoneshow | grep -i "<alias name>"

Display error information of a single port or all switch ports

porterrshow
porterrshow <port number>

In this article we will cover how to merge or promote a 3PAR StoreServ snapshot into a base virtual volume. This procedure is executed offline, so it might bring downtime to your workloads. Before going into details, we assume you are already familiar with the following technologies:

Definition snapshot: Snapshot is a common industry term denoting the ability to record the state of a storage device at any given moment and preserve that snapshot as a guide for restoring the storage device in the event that it fails. A snapshot primarily creates a point-in-time copy of the data.

Basically, what we’re going to do is restore a snapshot (taken at a certain time) into a virtual volume.

    1. Open 3PAR Management Console or SSMC and find the primary virtual volume.
    2. Expand the list and locate the desired snapshot that needs to be promoted

      – Volume and array names are obfuscated for privacy purposes.
      – Latest snapshot can be verified if you click on it and expand the Virtual Volume Details-tab.

 

  1. Take note of the snapshot that you’re going to promote to base volume
  2. Stop the corresponding RC Group
  3. Unexport Virtual Volume (Remove Virtual Volume from the Virtual Volume Set or unexport your VVOL if you’re not using Vvol Sets)
  4. Use CLI to promote the snapshot to base volume
    promotesv -rcp <snapshot name>

  5. You can check the status of the activity using the following command
    showtask -d <task ID>
  6. Once the operation is completed, export the virtual volume to the host (or add the vvol to the Virtual Volume Set)
  7. Restart the RC Group
  8. You’re done!

Free SSL certificate for your website

05/03/2019 | WebDev

 

Nothing is more annoying than browsing a website that indicates insecure content with a red sign in the address bar.

Imagine running a website that deals with sensitive data, be it personal records coming from a web form or anything else, where the connection is insecure. Your visitors wouldn’t be happy with that.

Today, most professional websites utilize SSL certificates. Even Google pushes towards secure URLs in its indexing mechanism. Some sources even claim that HTTPS links are better crawled by search engines.

In this article we will go through some possibilities for getting rid of the “red sign address bar”. Furthermore, implementing an SSL certificate on your website doesn’t need to be costly, and it can even be free of charge 😉

What is SSL or a SSL Certificate?

SSL stands for Secure Sockets Layer and it is the standard security technology for establishing an encrypted link between a web server and a browser. This secure link ensures that visitors’ (= customers’) data remains private and encrypted during transmission.
An SSL certificate is a digital certificate that proves to the host (the website’s visitors) that the corresponding web service has ownership of the domain. The issuance is done by the Certificate Authority (CA).

There are different Certificate Authority entities worldwide, with Comodo, Symantec, GlobalSign and DigiCert being the well-known ones. A W3Techs survey from May 2018 shows that IdenTrust, a cross-signer of Let’s Encrypt intermediates, has risen to be the most popular SSL certificate authority.

Let’s Encrypt and CloudFlare

Let’s Encrypt and CloudFlare are 2 SSL CA providers that I would like to draw attention to.

Let’s Encrypt is a non-profit certificate authority that provides X.509 certificates at no charge. The certificates issued by Let’s Encrypt remain valid for 90 days, and they can be renewed during that time. The project’s goal is to make encryption the standard for World Wide Web servers.

On the other hand CloudFlare is a company that provides content delivery network services, DDoS attack protection, internet security and Domain Name Server services. I personally recommend using CloudFlare’s services for your website.

CloudFlare

CloudFlare is my favorite free method to encrypt the traffic to my website. It is also easy and simple to configure.

All you need to do is create an account, verify domain ownership and replace your domain name servers with CloudFlare’s own nameservers.

Let’s Encrypt

Enabling and installing an SSL certificate on your website depends on the type of web hosting you own. If your website runs on a dedicated server and you have root permissions, you can easily request and install an SSL certificate from Let’s Encrypt – just read the manual.

In my case, I use Linux (shared) hosting from GoDaddy and my host runs on a Linux Cloud OS with limited root access rights.

Basically, if your hosting provider does not support Let’s Encrypt by default, you’ll have to use alternative ways to create the certificate request and have it approved by Let’s Encrypt.

Hosting providers that support Let’s Encrypt can be found here.

To create the Certificate Signing Request (CSR) we will use a free online tool called ZeroSSL.

  1. Navigate to ZeroSSL.com
  2. Click on Online Tools
  3. Click Start to start the FREE SSL Certificate Wizard
  4. Enter your domain name (include a record with and without www-prefix)
  5. Make sure to check the following boxes:
    – HTTP verification
    – Accept ZeroSSL TOS
    – Accept Let’s Encrypt SA (pdf)
  6. In my case, I only entered storcom.com without the www-prefix but the wizard asked if I wanted to add the prefix
  7. Hit Next to proceed
  8. At this point we have received the CSR (Certificate Signing Request)
  9. Click Download or Save it manually in a text file
  10. Click Next to continue
  11. Once the Key Account is created, download it or save it manually
  12. At this point we should have 2 separate files
    – The CSR file and
    – The Key Account file
  13. Next we will need to verify the domain ownership. Download 2 files below
  14. Navigate to your webhosting’s CPANEL and open the file manager
  15. In the root directory (e.g. public_html) create a folder .well-known and a subfolder acme-challenge. The directory structure should look like this: public_html/.well-known/acme-challenge
  16. If the folder is not visible, go to Settings (top right corner) and check Show Hidden Files (dotfiles)
  17. Under the .well-known/acme-challenge upload the 2 files we downloaded from step 13
  18. Navigate back to the ZeroSSL web and click on the links

    If the links resolve to the text files you uploaded, you should be OK to continue.
  19. Proceed by clicking Next and your certificate should be created and valid for 90 days.
  20. At the bottom of the page, download the Certificate file (CRT) and the Domain (Key) file
  21. Navigate to your hosting’s CPANEL and open TLS/SSL
  22. Click on Manage SSL sites
  23. Select your domain
  24. Copy the text from the Certificate (CRT) file and paste it into the Certificate: (CRT) text box

    Notice that the CRT file includes both the certificate itself and the certificate bundle. Cut the certificate bundle and paste it below into the 3rd box, Certificate Bundle.
  25. Copy and paste the Domain Key into the Private Key (KEY) text box
  26. Make sure the Certificate Authority Bundle (CABUNDLE) has been filled in and click Install Certificate
  27. Congrats! You have installed a free certificate on your website.

  28. Your website should indicate a valid SSL certificate.

Redirect HTTP to HTTPS

Finally, in order to use the installed certificate correctly you will need to tell your web server to always use HTTPS for incoming requests. 

WordPress

  1. Go to your WP admin panel
  2. Navigate to Settings > General
  3. Modify the WordPress Address (URL) and Site Address (URL) to point to https

Non-CMS

Another way to accomplish this is to tell your web server to redirect all http requests to https. This can easily be done by adding a few lines to the .htaccess file.

Redirect on Apache web server

  1. Go to your hosting’s file manager
  2. On the root directory /public_html edit or create a file called .htaccess
  3. Append the following code at the end:
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Redirect on Nginx web server

  1. Go to your hosting’s file manager
  2. Look for nginx config-file
  3. Append the following code:
    server {
        listen 80;
        server_name domain.com www.domain.com;
        return 301 https://domain.com$request_uri;
    }

In case of questions, use the contact form to get in touch with us.