External “Trusted” CAs
There is a common misconception that security is improved through installing certificates issued by “trusted” CAs. The truth is that certificates issued by external CAs like Thawte, Verisign and GoDaddy are no more secure than those you create yourself! In fact, by going to an external source in the first place, and trusting them with your Certificate Signing Request (CSR) and private key at all, you are placing the security of your organization in their hands! External CAs are generally security-aware, but they are also massive targets for hackers. The risk, if your data got exposed by an external CA, is that hackers could masquerade as you and potentially gain access to critical systems!
Continue reading “Do you actually need CA Certificates?”
In an ideal world, management would provide unlimited funding to upgrade hardware continuously! We all know that’s not going to happen! Sometimes it is necessary to prolong the lifespan of servers as long as possible, particularly when they are extremely well-provisioned devices, even by today’s standards!
Such is the case with our HP BL460 G7 Blades. They are each equipped with a dual-port 10Gb onboard NIC adapter (Emulex HP NC553i) and a dual-port Mezzanine NIC adapter (Emulex HP NC551m), rendering a total of four 10Gb ports.
Recently, after running HP Service Pack for Proliant (SPP), we lost network connectivity to the Emulex HP NC551m adapter. It wasn’t simply that no network traffic was being passed, but rather that the entire adapter disappeared from the configuration in ESXi 6, and its ports were not visible using the SSH CLI command:
esxcli network nic list
It’s as if the NC551m adapter simply wasn’t there!
Continue reading “ESXi NC551m stops working after firmware update”
I was designing a customer vSAN deployment and I came across the guidelines and formula for calculating the required ESXi Coredump partition size: https://kb.vmware.com/s/article/2147881
Right away, I started working the formula for my customer’s deployment, when it occurred to me: this is WAY more complicated than it needs to be!
VMware actually wants you to take a number (the size of SSD in GB), divide by 100, multiply by 0.181 and then multiply by 0.25. Ridiculous!
- Why not just multiply by 0.0045? It is exactly the same thing!
Continue reading “Setting the coredump partition when using vSAN”
For years, I have dismissed Virtual Machine Hardware version as unimportant. In fact, in this very blog, I may have advocated for leaving VM Hardware Version set at 8, to maintain full compatibility with both the vSphere C# Client and the vSphere Web Client.
Unfortunately, thanks to Spectre and Meltdown, things have changed. Updating your VM Hardware Version also updates the VM BIOS, and that’s an important part of the remediation of Speculative Execution Vulnerabilities, specifically CVE-2017-5715, ‘Spectre Variant 2’.
Continue reading “Virtual Machine Hardware Version does make a difference”
Invalid snapshot configurations happen. Mostly, they occur because of problems with storage arrays during snapshot creation/consolidation, but they can also occur if certain processes (like replication) are interrupted mid-snapshot.
The more heavily you rely on snapshots, the more likely it is you will come across a problem with snapshots. Specifically, if you use a product like Veeam, which leverages a VMware Snapshot to quiesce data, you may see an Invalid Snapshot Configuration from time to time. The more often you protect your data, the more often you create and remove snapshots. This is NOT to say that there is a problem with Veeam; Veeam is awesome, however it is subject to events on the underlying infrastructure and possibly on VPN/MPLS links between sites.
Continue reading “Invalid Snapshot Configuration”
Many people are under the incorrect belief that it is hardware-level firmware updates from companies like HPE and Dell that will protect our Virtual Machines from Speculative Execution Vulnerabilities. This is NOT TRUE.
- As far as your VMs are concerned, the VM BIOS and Hypervisor are the hardware!
Continue reading “Spectre, Meltdown and VMware vSphere”
As we are all aware, recent updates to Shockwave Flash caused the vSphere Web Client to crash on most browser platforms. The interim solution was to install an outdated version of Shockwave Flash, just to access the Web Client. More recently, Adobe Shockwave Flash version 220.127.116.11 was pushed out in updates to Google Chrome (and other browser platforms) that fixes the problem.
- Gone is the choice between “Allow Flash” and “Ask First,”
- Now there is the choice between “Ask First” and “Block sites from running Flash.”
- What’s new is the ability to add allowed sites, including the use of wildcard characters, where Shockwave Flash will run unprompted.
Continue reading “The VMware vSphere Web Client is fixed (sort of – until next time)”
Photon OS installs by default with DHCP enabled. This is perfect for building and distributing Photon OS as a Virtual Appliance, but for most practical applications, you’ll want to set a static IP address.
Changing the IP of Photon OS involves a newer, albeit standardized, procedure of editing files located in /etc/systemd/network that will be unfamiliar to many RHEL and Debian users.
Continue reading “Setting static IP for Photon OS”
For some users, whether you should or shouldn’t use SSH is a matter for debate. Rather than be hypocritical, I simply acknowledge that most admins will access Linux systems using SSH, and prefer to suggest that using strong passwords or passphrases and secure Management Networks is a more realistic approach to Linux administration.
Continue reading “Enabling SSH access for Photon OS”
VMware Photon OS is described as “yum compatible.” Yum has been the package manager for all Fedora-derivative distros like RHEL and CentOS. Photon OS actually uses Tiny DNF (TDNF), which appears to be a fork of the Fedora DNF package management system.
Continue reading “Updating Photon OS with yum”