Nexenta NMS Web Interface Not Responding?

When I arrived to work this morning and tried to view the status of my Nexenta storage server, its web interface just would not respond and displayed, "Waiting to establish NMS connection."  I know it's "time-change" Monday, but come on!  To try to find out what the problem was, I opened a SSH session and checked the 2 log files that could possibly tell me what is wrong with the NMS service:

• /var/log/nms.log
• /var/svc/log/application-nms\:default.log

Unfortunately, the first one was completely empty and the second one hadn't been written to since last week.  So I figured the easiest thing to try next was to simply restart the nms service with the following commands:

1. svcadm disable -st nms\:default
2. svcadm enable -rs nms\:default

It took a couple of minutes for the commands to finish, but they eventually gave the command prompt back.  If the disable command does not want to come back, run the following to clear its status:

svcadm clear nms\:default

That should cause the disable command to complete and allow you to run the enable command.
After the nms service was restarted, I then checked the web interface and it came right up.  It would not have been a good start to my week had I needed to reboot the file server.  Thankfully, a simple service disable and enable did the trick.

The Case of the Disappearing SSL Server Certificate

I received a request last week to purchase and install a SSL certificate for one of our new websites.  This should be a piece of cake as I've been through this process so many times, right?  Well, this actually turned out to be an unexpected pain in the ass this morning.  I did the following:

1. Logged into one of my IIS servers
2. Generated a CSR
3. Purchased a SSL certificate from godaddy.com 
4. Generated and downloaded a godaddy-signed certificate for the previously-created CSR.
5. Installed the intermediate certificate onto my IIS server.
6. Completed the certificate request for that CSR on (inadvertently) a different IIS server.
7. Observed the certificate appear in the list of Server Certificates.
8. Went to the bindings setting for said website to setup a https binding to use that signed certificate and the damn thing didn't appear in the list of certificates!
9. Went back to the list of Server Certificates only to find that the newly-completed certificate was gone - POOF - like magic.

I kept my cool and didn't panic.  There has to be an explanation, right?  So I retraced my steps during the whole process.  Thankfully I quickly found the "smoking gun."  What did I do wrong?  

I generated the CSR on IIS server 1 (where the public and private keys for the certificate live when it generated the CSR) and then tried to run Complete Certificate Request on IIS server 2.

For what are (hopefully) obvious reasons, one cannot Create Certificate Request on an IIS server and then try to Complete Certificate Request on a different IIS server.  The whole process must be completed on the same IIS server.  Once that process is complete, then the certificate can be exported on the originating IIS server and imported to another IIS server.

Admin Horror has a New Home!

I am constantly striving to find ways to save myself money.  For the last couple of years, I've been hosting my sites at a shared-hosting company and paying about $10/month.  I figured there must be a way to host my sites at no cost somewhere else.  Seeing as my blogs have been running on WordPress, I thought it would make sense to have them running on WordPress.com hosting.  But they won't let bloggers use a custom domain name for free.  Enter Google Blogger. I discovered that I can import my blogs and run them on Google Blogger with my custom domain names at no cost.  What a no-brainer!  So here you have it.  adminhorror.com is now running on Blogger.

Windows 7 Screensaver Shortcut Key

I'm all about using keyboard shortcuts. Any shortcuts that keep one from having to reach for the mouse is a plus. Recently, for some reason, I have found it necessary to be able to use a keyboard shortcut to activate the screensaver. I found a fantastic article for doing this:

http://www.dummies.com/how-to/content/how-to-create-a-screen-saver-boss-key-in-windows-7.html

I'm not actually using it as a "boss" key. Honestly. Really.

Websites Should Disable SSL 2.0

In my previous post Enable TLS 1.1 and TLS 1.2 in IIS, I discussed how to enable TLS 1.1 and TLS 1.2. Now I want to take that a step further by disabling SSL 2.0 as it is an old (1995) and vulnerable protocol - not to mention that you cannot obtain PCI compliance if your web servers allow it. I found an excellent post that describes how to disable SSL 2.0 in IIS. The procedure is very simple but unfortunately requires a reboot of the server - a small price to pay for increasing the security of your website.

Enable TLS 1.1 and TLS 1.2 on Windows Server 2008 R2 and IIS 7.5

You are probably aware that SSL has been hacked - that is versions of SSL before 3.2 and TLS 1.1 are vulnerable. Thankfully Windows Server 2008 R2 comes with the capability to support TLS 1.1 and TLS 1.2; however, they are not enabled by default. I found some decent information on how to enable TLS 1.1 and TLS 1.2, but no straightforward instructions on how to do so. The bottom line is you have to edit the registry then reboot the server.

Update: This tool should make this job much easier: https://www.nartac.com/Products/IISCrypto/Default.aspx

But feel free to use the following information to do the job...

Here are the straightforward steps to enable TLS 1.1 and TLS 1.2 on a Windows Server 2008 R2 server:

1. Please backup your registry.
2. Start the registry editor (regedit)
3. Browse to the following registry key:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
   
4. Add the following keys:
   TLS 1.1 and TLS 1.2
5. Within each of the TLS 1.1 and TLS 1.2 keys (they look like folders), add these keys: Client and Server
6. Within each of the Client and Server keys, create the following DWORD values:
   
   • DisabledByDefault with a value of 0
   • Enabled with a value of 1
7. Reboot the server.

You should now have registry settings that look like:

I tested the new settings by configuring Internet Explorer 9 to only use TLS 1.2 and connected to a secure page on one of the websites on my server. Here is where you configure IE9 to do this:

Do your customers a favor (and thus yourself) by allowing them to use a more secure version of SSL/TLS on your website. Configure your IIS server to use TLS 1.1 and TLS 1.2. Hopefully all web browsers will support these versions in the very-near future - but at least Internet Explorer 9 already does.

Installing and Running a Virtual Machine (VM) within a VM

Using virtualization technology has helped me reduce I.T. costs within an office and development/production website environments.  I primarily use VMware products such as Workstation, Player and ESXi Server.  I find these applications simple to install and manage and they are quite robust and stable.  Yesterday I found myself needing to install a Linux VM within an Amazon EC2 Windows Server 2008 VM by using VMware Player.  Don't ask why, it just had to be done and not for academic entertainment.  I have never tried to install a VM within a VM before so I was initially quite surprised that Player wouldn't allow me to power on the VM I created to install Linux.  The message it gave me was:

You are running VMware Player via an incompatible hypervisor. You may not power on a virtual machine until this hypervisor is disabled.

I knew there had to be a way to get this to work, so a Google search on that message led me to a VMware Community article that discusses running a VM within a VM.  Thankfully the solution was easy to spot, even though it was at the very bottom of the article.  To get this VMware Player VM running inside an Amazon EC2 instance, all I needed to do was edit the instance.vmx file and add the following line to it:

vmx.allowNested = TRUE

I am now successfully running a CentOS 5.7 Linux VM within an Amazon EC2 Windows Server 2008 VM. Cheers to VMware!