Piszki Lab | EN

My case study in the clouds…

2019/11/19
by Piotr Pisz

vSphere 6.7U3 – Unable to push CA certificates and CRLs to host

The current version of vCenter, 6.7U3, brought with it an interesting change: as we can read here, all CA certificates in the trusted store must have the “X509v3 Basic Constraints: CA: TRUE” flag set. A certificate without this flag basically blocks all certificate operations, and the error “Certificate is not valid CA certificate” appears. Today, using the problem of refreshing CA certificates at the host level as an example, I will show you how to deal with it. Generally, as I wrote in this post, the vCenter CA certificate store should be kept in order; a mess brings only problems.


2019/09/27
by Piotr Pisz

Secure file server based on Samba, CTDB, CephFS and OpenLDAP

The purpose of today’s exercise is to run a secure, fully HA Samba cluster that serves files directly from CephFS and authorizes users at the OpenLDAP level. The closest equivalent to this configuration is the Failover Cluster + DFS service available in Microsoft Windows Server 2012+. Ceph and OpenLDAP configuration can be found in the linked articles; here we will focus mainly on CTDB and Samba. Clustered Trivial Database, which is what the abbreviation stands for, ensures the consistency of user sessions between multiple nodes and also supervises Samba itself. In this configuration the VFS module samba-vfs-ceph (Samba Gateway for CephFS) will be used; it allows Samba to work correctly (natively) with CephFS by passing all file operations (opening, locking, closing, etc.) straight through to CephFS. To ensure consistency with the recent configurations, users will be taken from OpenLDAP (the entire Samba configuration will also be stored there). Thanks to this approach we obtain a coherent, redundant configuration that seamlessly connects many components. Because the latest versions are not available in CentOS 7 or Ubuntu 18, all configuration will be carried out on Fedora Server 29 (but I think it can be put on CentOS 8 without any problems).


2019/09/13
by Piotr Pisz

Cryptographic security in vSphere aka what is KMS, vTPM, VBS and others.

Quite recently I wrote about support for TPM 2.0 in vSphere 6.7: why use this technology and how to configure it. Today I would like to take the topic further and deal with the security of virtual machines (VMs). VMware is intensively developing VM security by introducing support for virtual machine encryption, for virtual TPM (vTPM) and for Microsoft Virtualization Based Security (VBS). This is a very interesting piece of knowledge that I will try to present in as much detail as possible.


2019/09/04
by Piotr Pisz

Microsoft WSFC and vSAN 6.7U3

Recently I decided to perform an AD migration from 2012R2 to 2019 in my lab and, following on from that, migrate all services (DFS, SQL and others) to 2019. I decided to use the new feature that appeared in vSphere 6.7U3, i.e. support for RDM (SCSI-3 PR), and run the new Microsoft Windows Server Failover Cluster on it. As Piszki Lab is already two physical servers, such a cluster makes more sense; of course, it is only for the lab. There is also official VMware documentation describing the whole process, and in addition you can use the detailed instructions for deploying WSFC.


2019/05/29
by Piotr Pisz

Kerberos with OpenLDAP backend configuration in CentOS 7

Today we will deal with LDAP kerberization. It sounds a bit strange, but it comes down to installing and configuring a cluster consisting of multiple nodes (N+) operating in active mode. This cluster will serve LDAP and Kerberos for Linux systems. The Kerberos database will be stored in OpenLDAP; thanks to this, Kerberos will also work as multi-master. In addition to the cluster itself, we will also configure the client system to authenticate the user at the LDAP level so that the user can use the Kerberos ticket to move freely between systems. This exercise aims to prepare an authorization system for use in the subsequent installation of Hadoop.


2018/07/18
by Piotr Pisz

Upgrade Trend Micro Deep Security in vSphere 6.7 and NSX 6.4 (to a new version).

The title of this post is quite enigmatic, but it touches on a very serious problem: how to upgrade an environment as complex as vSphere with NSX and Trend Micro Deep Security without a gap in protection? Trend Micro's statement says that to perform the upgrade you must remove the protection, unregister the service, uninstall DSVA, perform the upgrade, re-register in NSX, install DSVA and enable protection. This means a long break in the operation of the environment. Can we resolve this problem in a production system? Fortunately, you can bend this and that and upgrade so that you do not destroy anything along the way. Upgrading Trend Micro Deep Security Management Server to version 11 is quite a simple task and in my opinion there is no point in describing it in detail (just run the exe).
