SSL3 GET RECORD

I was doing an in-place upgrade of a vCenter 5.5 to vCenter 6 (Windows) when I encountered an unusual error that had no relevant KB article and very little other information behind it. This was most definitely NOT a database incompatibility, as the second error suggested.

It turns out that the solution is buried in the vCenter 6.0 U1b Release Notes, which give the following steps.

On Windows OS:

Open the file C:\ProgramData\VMware\CIS\runtime\VMwareSTS\Conf\Server.xml.

Remove the attribute sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" from the following line in Server.xml: <Connector SSLEnabled="true" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"

Restart VMwareSTS and VMwareIdentityMgmtService services.

Start the SSO service.

Of course, in true VMware style, you will find no services with the names "VMwareSTS," "VMwareIdentityMgmtService," or "SSO" in the Services console (those are the internal service names, not the display names shown there), so after you edit the file, simply restart all VMware and VirtualCenter services.

Here are the steps:

Edit the file: C:\ProgramData\VMware\CIS\runtime\VMwareSTS\Conf\Server.xml

Remove the text: sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"

The Connector line should now begin <Connector SSLEnabled="true" with no sslEnabledProtocols attribute on it.

Now restart all of the VMware and VirtualCenter services.

One caveat before you walk away: that attribute is what pinned the STS connector to TLS 1.0 through 1.2. With it removed, Tomcat falls back to whatever protocols the bundled JRE enables by default, so once the upgrade has completed, check which protocols the STS endpoint actually offers and put a TLS-only list back.
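The procedure above, scripted as an added example (this is not VMware's code and is not from the release notes). It assumes the default Windows path quoted above and an elevated PowerShell session; it backs the file up first, edits it as XML rather than by string replacement so it does nothing if the attribute is already gone, and then restarts whatever services carry "VMware" or "VirtualCenter" in their name or display name.

```powershell
# Added example, not from the VMware release notes. Run as Administrator.
# Assumption: the default vCenter 6.0 for Windows path from the release notes.
$serverXml = 'C:\ProgramData\VMware\CIS\runtime\VMwareSTS\Conf\Server.xml'

# 1. Back the file up so the change can be reverted (or the attribute restored later).
$backup = "$serverXml.$(Get-Date -Format yyyyMMddHHmmss).bak"
Copy-Item -Path $serverXml -Destination $backup
Write-Host "Backup written to $backup"

# 2. Load as XML so the edit is exact regardless of attribute order or whitespace,
#    and only touch SSL connectors that actually carry the attribute.
[xml]$doc = Get-Content -Path $serverXml -Raw
$connectors = $doc.SelectNodes('//Connector[@SSLEnabled="true" and @sslEnabledProtocols]')
if ($connectors.Count -eq 0) {
    Write-Host 'No SSL Connector with sslEnabledProtocols found; nothing to change.'
    return
}
foreach ($c in $connectors) {
    $old = $c.GetAttribute('sslEnabledProtocols')
    Write-Host "Removing sslEnabledProtocols=`"$old`" from connector on port $($c.GetAttribute('port'))"
    $c.RemoveAttribute('sslEnabledProtocols')
}
$doc.Save($serverXml)

# 3. Restart every running VMware / VirtualCenter service. The release notes name
#    services by internal name; the Services console shows display names, so match both.
$services = Get-Service | Where-Object {
    ($_.Name -match 'VMware|VirtualCenter' -or $_.DisplayName -match 'VMware|VirtualCenter') -and
    $_.Status -eq 'Running'
}
foreach ($svc in $services) {
    Write-Host "Restarting $($svc.DisplayName) ($($svc.Name))"
    Restart-Service -Name $svc.Name -Force   # -Force also bounces dependent services
}
```

The backup file is the easy way to restore the TLS-only protocol list once the upgrade has gone through; diff it against the edited copy and put the attribute back on the same Connector.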

Data Center Etiquette

For the last 10 to 15 years, I have been in and out of Data Centers of all types. I've also had the privilege of working in many different capacities, from corporate IT pawn to the guy running the project. During this time I have had the good fortune to work with and learn from some wise old hands, but I've also witnessed colossal screw-ups on the part of uninformed newbies!

I have recently been on an extended 3-city trip, working in and on large corporate Data Centers. I’m talking about million plus square foot facilities around Kings Mountain and Maiden North Carolina, highly-sensitive financial systems in Manhattan, and big-name IT in Silicon Valley. There is a particular etiquette to working in these massive corporate facilities; some of it written, some not. I thought I would collect my notes and present them here. Hopefully, this document will evolve and grow over time and with contribution.

Gaining access to the site/facility

Be expected or make an appointment

Even if the facility is a hosting or co-location facility and you are the client, simply showing up at the door is probably not going to work. You may need to be accompanied to and from your work area, or you may need to be accompanied the entire time you are in the facility. Either way, you need to make an appointment so the facility can schedule adequate resources to address your needs.

Be on-time

This should be self-explanatory. Never be late, but also don’t be early by more than 10 or 15 minutes. This is especially true if you are a contractor (as I often am) and/or working on a construction site; just wait in the car until it is your time.

Bring proper ID

Generally one form of government-issued picture ID will be acceptable. Some sites may issue their own ID/Access card, which you will be expected to provide on future visits.

Be prepared to sit orientation training

Hosting and colocation facilities generally do not require any sort of orientation prior to granting access. Corporate facilities, however, may require you to sit in orientation/security/safety training, before allowing you to access the site. These training “sessions” generally last 2-4 hours, but can take up most of a full day depending on the availability of Human Resources personnel to deliver the training.

If you ask in advance about the protocol required to access the site, you can be prepared to budget the necessary additional time in your work schedule.

Know the hours

Don’t get caught in a facility after-hours, or make people wait around on you. Some of the individuals who will be tasked with your visit may work for entirely different departments, or even different companies. Your decision to get “just one more thing done” might end up costing a great deal of money or making you very unpopular with management by pushing someone else into overtime! Don’t even be 5 minutes late leaving the facility if you have been given a hard-stop time!

Once you are in the facility

Don’t use anything that isn’t specifically earmarked for your use

What I am talking about can be as innocuous as a table or chair, or liability-inducing as a ladder. If you are working in a room and there are 3 ladders crowding the floor space, there’s a reason: one ladder belongs to the electricians, one ladder belongs to the HVAC team and one ladder belongs to the guys pulling copper and fiber through the facility! Chances are, you aren’t any one of these so don’t use their ladders under any circumstances!

Assume everything is being video-recorded

Any SSAE 16 audited facility will have recorded video surveillance throughout the facility. It’s not simply that you need to act professionally, but you need to mind your business and your business only! Don’t go looking around, peeking into server racks/cabinets that you haven’t been tasked with, or wander around. If you are observed looking or walking in places not specifically designated for you, the best case result is you will not be asked back on site; the worst case is you will be shown the door!

Assume all Internet traffic is being captured

If you are working as a customer in a colocation facility, your network is your network. If you have the authority to do so, you can ping, scan and trace to your heart's content.

If you are working as a contractor or employee on a corporate network, you must assume that all traffic is being monitored. First and foremost, don’t take your personal laptop with you if it has anything loaded on it that might cause unwanted/prohibited traffic. Peer-to-Peer (BitTorrent), gaming client, and remote access software are certain to be not only prohibited, but also easily detectable.

Diagnostic scanning and packet capture (even when done for legitimate diagnostic purposes) should only be done with proper authorization and notice!

Special considerations for construction sites

When the Data Center you will be working on or in is still under construction, an entirely different set of rules apply, over and above the generalities expressed above.

Be prepared with PPE (Personal Protective Equipment)

  • Safety glasses
  • Hard Hat
  • Steel-toe shoes with ankle protection
  • Safety jacket or vest

Some contractors may have loaner PPE, but you will be imposing and end up looking like a doofus. Bring your own PPE whenever possible.

Wear your PPE at all times, unless you are specifically allowed to remove part or all of it in certain areas of a facility. A good example from experience: hard hats don't fit well inside server racks. Make sure to get permission to remove your hard hat before removing it and leaning into a rack!

Be ready to take a drug-test

Be ready to take a drug-test on-site or immediately in advance of accessing the site. Contractors will often require their own drug-testing protocol and provider, over and above any pre-employment or random policy your employer may already have in place.

Sign in and out daily

Even if the opportunity to circumvent security presents itself, be sure to sign in and, especially, out! Signing out of a job site releases both you and the General Contractor from liability for things that happen when you aren't there.

Equipment

If you're going to be working IN the Data Center, then your work probably isn't 100% logical (i.e. not purely remote, hands-off work). It's best to be prepared for all eventualities, because your work will probably involve "touching" some form of equipment. A good Data Center kit will let you do your work and also handle eventualities that reach well beyond what you intended to do.

Tools and Equipment

  • Gigabit Ethernet port. My laptop doesn’t have a built-in Ethernet port, so I carry a USB to Dual-Gigabit Ethernet adapter.
  • DB-9 Serial port. Unfortunately these 1980’s-technology ports are still all over the place in the Data Center, and you may need to connect to one at any given time. Most computers of the last 10 years no longer have these obsolete ports, so I carry a USB to DB-9 Serial Adapter. You’ll also want:
    • USB Extension
    • Null-modem cable
    • DB-9 Gender-changer
  • External DVD-RW Drive
  • Quality computer-connectable label maker
  • RJ45 Cable-crimper
  • Cable tester, preferably the kind that not only tests continuity but also qualifies speed (CAT 5, CAT6, etc.)
  • Scissors
  • Clamshell tool kit with screwdrivers, Allen wrenches, side cutters
  • Needle-nose pliers

Supplies

  • Cable ties and/or Velcro
  • Flexible label tape
  • DVD-R Media
  • RJ45 ends
  • Colored vinyl tape (Red, Blue, Green, White)

Binaries

Believe it or not, many Data Centers either do not have Internet access or only highly restricted access. You should bring with you all of the binaries you intend to use to complete your work, plus a standard set of utilities, just in case. I can't emphasize enough how important it is to download these utilities from trusted sources in advance of the job and then scan them with up-to-date enterprise antivirus software. Moreover, check with network administration prior to running any utility that generates broadcast or scanning traffic (such as an IP or port scanner), or you will likely be shown the door in short order!

  • Wireshark
  • IP and Port Scanners. Sometimes known-good IP scanners are flagged by firewalls and antivirus software as potentially unwanted because they could be used by attackers. Don't disable protection to work around this; get a documented exception from whoever owns the endpoint, because these tools are legitimate and necessary in the right hands.
  • Gparted partition manager
  • PuTTY or another trusted terminal/SSH client. You may have to emulate a VT100.
  • Have Telnet installed on your workstation – yes another 1980’s technology that remains prevalent in today’s Data Centers!
  • Windows source files for any Windows OS you will be touching. You may have to install .NET Framework or similar while offline.
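Downloading from a trusted source and scanning with antivirus covers the kit at the moment you build it; the check a practitioner also wants is proof on site, offline, that nothing in the kit has changed or been added since. The following is an added example (not from the original post) that records a SHA-256 manifest of the toolkit directory at home and verifies it on site; the directory and manifest paths are assumptions, and the Authenticode check is a warning only, because plenty of legitimate tools ship unsigned.

```powershell
# Added example, not from the original post. Assumed layout: all toolkit binaries
# under $toolkit, with the manifest stored alongside them.
$toolkit  = 'D:\DCKit\bin'
$manifest = Join-Path $toolkit 'SHA256SUMS.txt'

function Get-RelativeToolPath([System.IO.FileInfo]$file) {
    # Path relative to $toolkit, so the manifest is portable between drives.
    return $file.FullName.Substring($toolkit.Length).TrimStart('\')
}

function New-ToolkitManifest {
    # Run at home, right after downloading from the vendor and scanning with AV.
    $lines = foreach ($f in Get-ChildItem -Path $toolkit -File -Recurse) {
        if ($f.FullName -eq $manifest) { continue }
        $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        "$hash  $(Get-RelativeToolPath $f)"
    }
    Set-Content -Path $manifest -Value $lines -Encoding ASCII
    Write-Host "Wrote $($lines.Count) entries to $manifest"
}

function Test-ToolkitManifest {
    # Run on site, offline. Returns $true only if every listed file is present and
    # unchanged AND nothing unlisted has appeared in the kit directory.
    $ok = $true
    $expected = @{}
    foreach ($line in Get-Content -Path $manifest) {
        if ($line -match '^([0-9A-Fa-f]{64})\s+(.+)$') {
            $expected[$Matches[2]] = $Matches[1].ToUpper()
        }
    }

    foreach ($rel in $expected.Keys) {
        $path = Join-Path $toolkit $rel
        if (-not (Test-Path -Path $path -PathType Leaf)) {
            Write-Warning "MISSING  $rel"; $ok = $false; continue
        }
        $actual = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        if ($actual -ne $expected[$rel]) {
            Write-Warning "MODIFIED $rel"; $ok = $false
        }
    }

    # Anything not in the manifest is of unknown provenance: fail on it.
    foreach ($f in Get-ChildItem -Path $toolkit -File -Recurse) {
        if ($f.FullName -eq $manifest) { continue }
        $rel = Get-RelativeToolPath $f
        if (-not $expected.ContainsKey($rel)) {
            Write-Warning "UNLISTED $rel"; $ok = $false
        }
    }

    # Authenticode check for Windows executables. Warning only: unsigned does not
    # mean malicious, but a signature that is present and *invalid* deserves a look.
    foreach ($f in Get-ChildItem -Path $toolkit -Include *.exe,*.msi,*.dll -File -Recurse) {
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName
        if ($sig.Status -ne 'Valid') {
            Write-Warning "SIGNATURE $($sig.Status): $(Get-RelativeToolPath $f)"
        }
    }
    return $ok
}

# Usage: New-ToolkitManifest before leaving; on site, run Test-ToolkitManifest and
# do not plug the kit into anything until it returns $true.
```

Keep a copy of SHA256SUMS.txt somewhere other than the kit drive (printed, or on your phone) so that a tampered drive cannot simply carry a tampered manifest along with it.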

Staying in touch

Some Data Centers are built with the properties of a Faraday Cage, or simply have no cell-phone signal inside. Yet many of these same facilities have a “Guest” WiFI network inside. It makes perfect sense; they get to control and statefully inspect all traffic in or out!

Since we have all become totally dependent on constant communication, think about how you will stay in-touch while in a Wi-Fi equipped facility with no cell-phone signal.

  • I have CSipSimple (VoIP) installed on my cell phone and can connect to the company PBX anywhere there is a reasonable WiFi connection (although Verizon blocks SIP port 5060 over mobile networks)
  • There are dedicated wired and WiFi VoIP phones available
  • There are VoIP clients available for your laptop computer
  • You can use GoToMeeting or similar technology
  • A good noise-cancelling headset with microphone. Data Centers are noisy places, so test your headset in advance at the noisiest location you can find. Remember, it’s not just that you need to hear the other person, they need to be able to hear and understand you as well.