Thursday, September 27, 2012

VMware vCenter Orchestrator Trusted Certificate Installation

If you've ever tried to install vCenter Orchestrator 5.0, you'll find that the Certificate Signing Request (CSR) generated via the "Server Certificate" option may not work.  I wanted to take the CSR and have a server certificate signed by a trusted authority.  The default certificate is SHA512 with RSA, but its key size was rejected by my Certificate Authority (CA).

After digging into the docs, keytool and Orchestrator's SSL configuration, I came up with four keytool commands to delete the existing key from the keystore, regenerate it, export a CSR for my CA and import the resulting PKCS#7 formatted certificate chain.

Ensure the Orchestrator service is stopped before you begin.  In the examples below I've denoted placeholders using <PLACEHOLDER_NAME>.  You will need to replace them with your own settings.  Let's dig into each command.

First we delete the existing key named "dunes" from the keystore.
keytool -delete -alias dunes -keystore "c:\program files\vmware\orchestrator\jre\lib\security\jssecacerts" -storepass dunesdunes

Second we generate a new 2048-bit RSA key pair whose self-signed certificate uses SHA512withRSA as the signature algorithm.  The certificate expires after ten years (3650 days).  You will need to specify the Fully Qualified Domain Name (FQDN), Department, Company, City, State or Province and Country Code.

keytool -keystore "c:\program files\vmware\orchestrator\jre\lib\security\jssecacerts" -storepass dunesdunes -genkey -alias dunes  -validity 3650 -keyalg RSA -sigalg SHA512withRSA -keysize 2048 -dname "CN=<YOUR_FQDN>, OU=<DEPARTMENT>, O=<COMPANY_NAME>, L=<CITY>, ST=<STATE/PROVINCE>, C=<COUNTRY_CODE>"

Next we'll export the CSR to a file.  In this example the CSR is saved to C:\vco.csr.
keytool -certreq -alias dunes -keystore "c:\program files\vmware\orchestrator\jre\lib\security\jssecacerts" -keypass dunesdunes -file C:\vco.csr

Take the CSR and have it signed by a CA.  Download the PKCS#7 formatted certificate chain or .p7b file from your CA and save it to the vCenter Orchestrator server.

Lastly we import the signed certificate.  Specify the path to the .p7b file.
keytool -importcert -alias dunes -keystore "c:\program files\vmware\orchestrator\jre\lib\security\jssecacerts" -keypass dunesdunes -file <PATH_TO_P7B_FILE>

Start the Orchestrator service and log in via the Orchestrator client.  You should receive zero certificate warnings.
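Because the CA rejected the key size of the default Orchestrator certificate, it is worth inspecting the CSR locally before submitting it, and inspecting the CA's reply before importing it.  The script below is an added example, not part of the original post or of vCenter Orchestrator; it uses OpenSSL and runs on any machine that has it (copy C:\vco.csr over if the Orchestrator host does not).  MIN_BITS of 2048 is an assumed policy value; set it to whatever your CA requires.  The --chain option lists every certificate in the .p7b reply so you can confirm the whole chain (server, intermediates, root) is present before running the import command.

```shell
#!/bin/sh
# Added example (not from the original post): check a CSR with OpenSSL before
# sending it to the CA, and list the certificates in the CA's PKCS#7 reply.
# MIN_BITS is an assumed policy value; adjust it to your CA's requirements.
MIN_BITS=${MIN_BITS:-2048}

# csr_key_bits FILE -> prints the RSA modulus size in bits (e.g. 2048)
csr_key_bits() {
    openssl req -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# csr_sig_alg FILE -> prints the CSR's signature algorithm (e.g. sha256WithRSAEncryption)
csr_sig_alg() {
    openssl req -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# check_csr FILE -> returns 0 when the key is at least MIN_BITS and the CSR is
# not signed with SHA-1 or MD5, 1 otherwise; prints a short summary either way
check_csr() {
    csr=$1
    bits=$(csr_key_bits "$csr")
    alg=$(csr_sig_alg "$csr")
    subject=$(openssl req -in "$csr" -noout -subject)
    echo "$subject"
    echo "key size: ${bits:-unknown} bits, signature: ${alg:-unknown}"
    [ -n "$bits" ] || { echo "FAIL: could not read the key size"; return 1; }
    if [ "$bits" -lt "$MIN_BITS" ]; then
        echo "FAIL: key size below $MIN_BITS bits"
        return 1
    fi
    case $alg in
        *sha1*|*md5*) echo "FAIL: weak signature algorithm $alg"; return 1 ;;
    esac
    echo "OK"
    return 0
}

# p7b_chain FILE -> prints subject and issuer of every certificate in the CA's
# PKCS#7 reply (.p7b), accepting either PEM or DER encoding
p7b_chain() {
    if grep -q 'BEGIN PKCS7' "$1" 2>/dev/null; then form=PEM; else form=DER; fi
    openssl pkcs7 -inform "$form" -in "$1" -print_certs -noout
}

# Usage:  ./check_csr.sh vco.csr        (validate the CSR)
#         ./check_csr.sh --chain reply.p7b   (show the chain the CA returned)
if [ "${1:-}" = "--chain" ]; then
    p7b_chain "$2"
elif [ -n "${1:-}" ]; then
    check_csr "$1"
fi
```

If the summary shows fewer bits than your CA's minimum, regenerate the key pair with the second keytool command above before requesting again; if the chain listing shows only the server certificate, ask the CA for the full PKCS#7 chain, otherwise the import step may fail to validate the reply.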


Friday, August 17, 2012

DIY Temp/Humidity via Arduino

The motivating factor here is my garden.  I grow veggies.  Not too many but more than my family of four can possibly consume in the short time it takes for them to go from feeding us to feeding the flies.

There are ways to properly store vegetables for the long term without resorting to canning and pickling.  These were called root cellars and they naturally maintained a constant temperature and humidity.

Flash forward to the modern age.  Root cellars are gone and we have houses with concrete floors.  Agriculture science can tell us the precise temperature range at which specific varieties of fruits and veggies can be stored for 2 - 3 months, sometimes longer.

There is no shortage of articles from the agricultural extensions with directions on how to properly store squash.  One such article, http://www.ces.ncsu.edu/depts/hort/hil/hil-24-c.html, says that after the curing period butternut squash should be maintained at a temperature of approx. 50 degrees Fahrenheit.

I could build or buy a box specifically for this purpose.  But I'm storing a variety of material: squash, cucumbers, tomatoes, peppers, onions.  Each requires its own storage conditions.  This is easily achievable by storing things on the top or bottom shelf of a small room.  Also, you should not store fruits near squashes as they emit ethylene gas.

My problem:
How the heck am I supposed to know what room in my house is best suited for storing veggies?  I need environmental data.  Moreover, as environmental conditions change within my house how do I know when to opt for environmental controls?

Pre-packaged solutions are expensive:
http://www.amazon.com/Temperature-lert-TM-WIFI220-WiFi-Edition/dp/B002YKU2Q6/ref=sr_1_4?ie=UTF8&qid=1345250935&sr=8-4&keywords=Wifi+Temperature+Sensor  $300!? YUCK!  Not only is it expensive but it doesn't solve my data problem.  I need long term data to monitor, graph and watch the ever changing conditions in my house.

My idea (roughly):
Get an Arduino
Solder on a temperature sensor: http://learn.adafruit.com/tmp36-temperature-sensor
Get a wifi Arduino shield: http://store.arduino.cc/ww/index.php?main_page=product_info&cPath=11_5&products_id=237
Use this example code to send the data to Google: http://www.open-electronics.org/how-send-data-from-arduino-to-google-docs-spreadsheet/

Just an idea right now but it looks possible.

Monday, July 2, 2012

Make a disposable putty knife

I worked on a project that required high performance wood filler.  The wood filler is specifically designed for outdoor use; as such, it hardens like rock and requires clean up with acetone.

For this project, I made my own putty knife with a disposable plastic blade.  I used plastic from a square, 4" plant container.  The kind you usually buy with perennials in the spring.  The plastic on this particular container is easily pliable but offers enough spring to adequately handle puttying.

Attach the knife to the handle.  Your mileage may vary here and you will have to get inventive.  I considered using a couple of drywall screws, cutting them flush and using duct tape to cover the cut ends.  I was lucky enough to find matching machine screws and nuts in my junk bin.  Use what you find in your junk drawer.  If you're going to the store to buy fasteners then you're Doing It Wrong.

The finished blade is about 3" long.  I also put a hole in the handle's end and ran a twisty tie through it so I could hang the tool.

I used it and it worked well.  I was able to mix the putty and apply it OK.  When I was done I undid the nuts, slipped off the knife and threw it away.

Things I wish I had done:
  • Made the knife longer.
  • Used a thicker plastic.

For the knife, I cut the plastic into a 5" long by 1 1/2" wide rectangle and trimmed off any uneven bits from the top of the container.  The finished length was 4".  I rounded one side of the rectangle.

Cut an old paint stick into a 5" handle.  The paint stick is the free kind you get from any big box hardware store.  They'll give them to you for free if you ask.  I had a used one lying around that I was going to throw out anyway.

Attach the blade to the handle.  Clamp the handle and knife together and overlap the blade and knife by 1".

Drill two small holes about 1/2" apart, leaving 1/4" on each side.  This is important as you do not want to split the handle.  It is a cheap paint stick and will split easily.

Insert two 3/8" long, 1/8" diameter machine screws into the handle.  Slip the plastic blade over the screws.  Fasten with nuts.  Hand tighten and give it a 1/4 or 1/2 turn with a pair of pliers or small wrench.

Friday, May 11, 2012

Secure Backups with Proteus Bluecat

I've been working with the Bluecat platform, Proteus and Adonis, for the past 7 to 8 months.  Being security minded, I always look to encrypted protocols when I first configure a device.  Frankly, I'm disappointed that vendors still configure their appliances with clear-text protocols like http and ftp by default.  This is true of Bluecat products.

By default Bluecat uses http.  Enabling https is cumbersome and replacing the default self signed certificate is even more difficult for the average user.  Not what I expected in an appliance that is meant to make network administration easier.

Proteus' backup facility is no exception.  There is no facility to transport backups via a secure channel to a remote server.  So I decided to hack one.

I wrote a script that will create the necessary files and configure cron to synchronize the backup repository to a remote server running sftp.

The script, located here, makes use of rsync to sync the backup repository to a remote server.  I chose rsync because I didn't want to deal with removing old backups on the remote server side.  If I had used scp I would have had to think about removing backups from the remote side and that would have added unnecessary complexity.

Luckily for us rsync can use ssh so I made use of that facility as you can see on line 49 of the script:

rsync -r -v --delete-after -e "ssh -i ${BIN_PATH}/${SSH_PRIVATEKEY} -o StrictHostKeyChecking=no" ${DATA_PATH} ${USER}@${SCP_HOST}:${SCP_HOSTPATH}
I use an SSH key for password-less entry and we trust the destination host explicitly, so rsync should expect no prompts.
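One caveat about line 49: with -o StrictHostKeyChecking=no, ssh adds whatever host key the destination presents to known_hosts and lets the connection proceed, so an unattended cron job would happily deliver the backup repository to any machine answering at that address.  The script below is an added example, not the proteus-secure-backup script itself: it performs the same rsync-over-ssh transfer, but with the destination's host key pinned in a dedicated known_hosts file that you record once, out of band (for instance by copying the server's /etc/ssh/ssh_host_*_key.pub contents), and with BatchMode=yes so a missing or changed key fails the job instead of hanging on a prompt.  The variable roles follow the post (private key, data path, user, host, remote path); the known_hosts path, the sample known_hosts entry and the example host names are constructed for this example.

```shell
#!/bin/sh
# Added example, not the proteus-secure-backup script: rsync over ssh with the
# destination host key pinned in a dedicated known_hosts file instead of
# -o StrictHostKeyChecking=no.  Host names and the key entry are constructed.

# ssh_opts PRIVATE_KEY KNOWN_HOSTS -> the ssh command rsync will use as its transport
ssh_opts() {
    echo "ssh -i $1 -o UserKnownHostsFile=$2 -o StrictHostKeyChecking=yes -o BatchMode=yes"
}

# host_pinned KNOWN_HOSTS HOST -> 0 if the file holds a key entry for HOST, 1 otherwise.
# Plain (unhashed) entries only: the first field may list several names joined by commas.
host_pinned() {
    [ -r "$1" ] || return 1
    awk -v h="$2" '
        substr($0, 1, 1) != "#" && NF >= 3 {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++) if (names[i] == h) found = 1
        }
        END { exit found ? 0 : 1 }' "$1"
}

# sync_backups PRIVATE_KEY KNOWN_HOSTS DATA_PATH USER HOST HOSTPATH
# Refuses to run unless HOST's key is pinned; with DRY_RUN set it only prints the
# rsync command it would execute (used for testing without a remote).
sync_backups() {
    key=$1 known_hosts=$2 data=$3 user=$4 host=$5 hostpath=$6
    if ! host_pinned "$known_hosts" "$host"; then
        echo "refusing to sync: no host key for $host in $known_hosts" >&2
        echo "record it once, out of band, from the server's /etc/ssh/ssh_host_*_key.pub" >&2
        return 1
    fi
    if [ -n "${DRY_RUN:-}" ]; then
        echo "rsync -r -v --delete-after -e \"$(ssh_opts "$key" "$known_hosts")\" $data $user@$host:$hostpath"
        return 0
    fi
    rsync -r -v --delete-after -e "$(ssh_opts "$key" "$known_hosts")" "$data" "$user@$host:$hostpath"
}

# Example invocation (constructed values):
#   sync_backups /opt/backup/id_ed25519 /opt/backup/known_hosts /data/backup/ bcat backup.example.test /srv/backups/proteus
```

Because the known_hosts file is private to the backup job, a later key change on the server (a rebuild, for example) stops the transfer until someone updates the pinned entry deliberately, which is the behaviour you want from an unattended job that ships the whole DNS/IPAM database off-box.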

The project is hosted at Google code and you can find it at: http://code.google.com/p/proteus-secure-backup/

Hopefully Bluecat will eliminate the need for this sort of ugly hack.  Vendors need to enable encryption by default and make clear text protocols the option.

Wednesday, March 7, 2012

Building a VMware View Thin Client using Ubuntu 10.04 LTS

I wrote a how-to on building a VMware View PCoIP thin client on Ubuntu 10.04 LTS, http://sc.marseglia.org/jplms, and learned a bit about the process and the View PCoIP client.

With simplicity in mind I started with Ubuntu 10.04 LTS Server with no package selection.  I ran through some tutorials on getting autologin working and starting a GUI application from the command line.  I was able to launch the VMware View application but I could not get it to work full screen.

Starting the application in this slimmest of environments just didn't work.  I tried a few ways to work around this, including determining the geometry of the desktop via xrandr and passing it to the vmware-view.bin executable as a command line argument.

It didn't help that the VMware View PCoIP client comes with zero documentation.  I finally found a PDF that detailed the command line options.  I saved the PDF to my Google Docs for safe keeping.  I also noticed that vmware-view is a wrapper script: all command line arguments passed to vmware-view are dropped.  Use vmware-view.bin to pass arguments.

The VMware View PCoIP client didn't go full screen.  I think it must need a window manager in order to go full screen.  I don't know why.

Note: the VMware View Open Client operates in full screen mode just fine without a window manager.  I was able to call it from .xinitrc via /usr/bin/vmware-view --serverURL=<URL> --fullscreen

In the end I gave up on my "slim" environment and opted for Ubuntu 10.04 LTS Desktop.  From Ubuntu Desktop I had all the components I needed to get the View client running in full screen mode.  I modified GDM to autologin a non-privileged user account and removed all the menus and start up items from Gnome.  I created one start up item: my vmware-view client.

I could try to winnow the packages to just the base few needed.  I'm guessing GDM and Compiz are all that's needed.  But Ubuntu has so many dependencies I figured I would end up installing nearly the entire "Ubuntu Desktop" anyway.

References
  1. Marseglia, Michael. "Build a VMware View Thin Client." n.p. Web. 7 Mar 2012. <https://docs.google.com/document/pub?id=1PrSN5pGQbZ-ZryML5DcZTu2A6Cg_h6QCrhxCiIq-p1w>
  2. "Using VMware View Client for Linux." VMware, Inc. Dec 2011. PDF. 7 Mar 2012. <https://docs.google.com/open?id=1yjUAxfFoabf7xZQ28URRhAkm2ElYdGG1FJoLgmD93chCymOsgjkHL_IRPsOY>
  3. natrinicle. "Setting Up Ubuntu as a Kiosk Web Appliance." instructables. n.d. Web. 7 Mar 2012. <http://www.instructables.com/id/Setting-Up-Ubuntu-as-a-Kiosk-Web-Appliance/?ALLSTEPS>
  4. "Configuration." The Gnome Project. n.d. Web. 7 Mar 2012. <http://library.gnome.org/admin/gdm/stable/configuration.html.en#daemonconfig>
  5. "Sessions Preferences." The Gnome Project. n.d. Web. 7 Mar 2012. <http://library.gnome.org/users/user-guide/2.32/prefs-sessions.html.en>
  6. "Setting Session Defaults." The Gnome Project. n.d. Web. 7 Mar 2012. <http://library.gnome.org/admin/system-admin-guide/stable/sessions-3.html.en>
  7. k.dejong. "CustomXSession." n.p. 08 Apr 2011. Web. 7 Mar 2012. <https://help.ubuntu.com/community/CustomXSession>
  8. d2globalinc. "HOWTO: Disable or Enable Gnome Session Startup Applications from Command Line." n.p. 11 Feb 2009. Web. 7 Mar 2012. <http://ubuntuforums.org/showthread.php?t=1067101>