my personal blog about systemcenter

One of the steps in creating a secure PKI infrastructure is protecting the Root CA from attacks when it's not in use. Normally we see people exporting the VMs holding the Offline Root CA to multiple external drives, storing them in a secure location and taking them out of the safe once a year to refresh the CRL, or whenever an Issuing CA needs to be "killed" or renewed.

But often, in midsize installations, the Offline Root CA stays in the environment, making it subject to offline attacks and to loss of control of the PKI environment.

In a perfect world the root CA would be secured properly, or might even be backed by a physical HSM, but sometimes ease of access and reduced complexity / cost wins.

This is an attempt to meet in the middle: keeping a higher security level than just leaving the VM around, while being easier to manage than a VM exported to removable media.

There have been multiple articles on how to use BitLocker in a hypervisor where we don't have access to the TPM chip that might reside in the server.

This example follows a 2012/2012 R2 VM created as generation 1; the VM was created as gen 1 so that potential problems with Secure Boot, when moving the VM through the hypervisor lifecycle, would not prevent a boot.

http://blogs.msdn.com/b/mszcool/archive/2010/02/03/bitlocker-in-a-windows-7-guest-running-on-a-hyper-v-r2-environment-or-any-environment-without-a-tpm.aspx

The above article is an example of how to enable BitLocker on a Windows 7 guest, and we follow the same procedure.


Through gpedit.msc, enable "Allow BitLocker without a compatible TPM"


Create a new virtual floppy


And attach it to the VM. This floppy file needs to be preserved in a safe, as it will hold the BitLocker startup key (the -sk target in the manage-bde command below)


Enable the BitLocker feature on the VM


Start manage-bde -on C: -rp -sk A: ; this will enable encryption after the next reboot.

The recovery password needs to be printed and secured together with the virtual floppy.

As this is a test environment created for this blog, the password/key isn't pixelated.


After the reboot we can see that BitLocker is enabled


And verified from the GUI


If we remove the virtual floppy


the VM won't boot, so we need the virtual floppy to continue.
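The same procedure scripted with the BitLocker PowerShell module, as an added example that is not from the original post. It assumes the BitLocker feature is installed, the "Allow BitLocker without a compatible TPM" policy is enabled, the virtual floppy is attached as A:, and that it runs elevated inside the gen 1 guest; the function names Enable-OfflineCaVolumeProtection and Test-OfflineCaVolumeProtection are my own.

```powershell
# Added example, not from the original post. Equivalent of "manage-bde -on C: -rp -sk A:"
# using the BitLocker module, followed by a check of the protectors that ended up on the volume.
# Assumptions: BitLocker feature installed, "Allow BitLocker without a compatible TPM" enabled,
# virtual floppy attached as A:, running elevated inside the Gen1 guest.

Import-Module BitLocker

$OsDrive     = 'C:'
$FloppyDrive = 'A:\'

function Enable-OfflineCaVolumeProtection {
    param([string]$MountPoint = $OsDrive, [string]$StartupKeyPath = $FloppyDrive)

    # Refuse to run if the floppy is missing or the volume is already encrypting/encrypted.
    if (-not (Test-Path $StartupKeyPath)) { throw "Startup key target $StartupKeyPath is not attached" }
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyDecrypted') { throw "$MountPoint is already $($vol.VolumeStatus)" }

    # Protector 1: startup key (.BEK) written to the floppy. Without the floppy the VM will not boot,
    # which is the point of the exercise. Aes256 is used because the XTS modes do not exist on 2012 R2.
    # No -SkipHardwareTest: the next reboot verifies the key is readable from A: and then starts encrypting.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod Aes256 `
        -StartupKeyProtector -StartupKeyPath $StartupKeyPath | Out-Null

    # Protector 2: 48-digit recovery password, to be printed and stored in the safe with the floppy.
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        Select-Object KeyProtectorId, RecoveryPassword
}

function Test-OfflineCaVolumeProtection {
    param([string]$MountPoint = $OsDrive)
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    [pscustomobject]@{
        MountPoint       = $MountPoint
        VolumeStatus     = $vol.VolumeStatus       # FullyEncrypted once the post-reboot encryption finishes
        ProtectionStatus = $vol.ProtectionStatus   # On
        HasStartupKey    = $types -contains 'ExternalKey'       # the floppy-based protector
        HasRecoveryPwd   = $types -contains 'RecoveryPassword'
        HasTpm           = $types -contains 'Tpm'               # expected False on a Gen1 VM without a vTPM
    }
}

# Enable, reboot (hardware test reads the key from A:, then encryption starts), then verify:
# Enable-OfflineCaVolumeProtection
# Test-OfflineCaVolumeProtection
```

The check function is the part worth keeping around: after the floppy has gone into the safe, running it on the powered-on root CA confirms that the only protectors are the external key and the recovery password, i.e. that nobody has quietly added a TPM-only or clear-key protector that would let the VM boot without the floppy.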


It's an improvement over having a VM locally that can just be copied or started up.

Scrubbing the disk area where the virtual floppy was created, and raising the encryption level on the BitLocker drive, would improve this further.

This is not a perfect implementation, but over a VM just sitting there offline this wins every time.

As the ever brilliant Stanislav pointed out, there is a new management pack in town. Well, a new name and version number, but still it's new :)


http://cloudadministrator.wordpress.com/2014/06/30/hp-storefront-manager-for-microsoft-4-0-hp-storage-management-integration-with-ms-system-center/


We currently have the 3.1 version of the HP Storage Management Pack installed


And it's happy and shiny, showing us the state of our 3PAR installation


And along comes the next version of the management pack; before reading the documentation we install it in the test environment, only to find out that an upgrade is not supported


Upgrading HP Storage Management Pack for System Center
Before installing v4.0, uninstall any previous versions of HP Storage Management Pack for System
Center.
NOTE: Upgrade to HP Storage Management Pack for System Center v4.0 is not supported.


And after reading the documentation we can see that it's not supported

I get that it's a free management pack, but the kit we are monitoring is far from free, so a little effort on an upgrade patch would have been nice


So time to kill our Override Management Pack


Library and other storage-related MPs


And uninstall the binaries
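The removal steps above (override MP first, then the library and the other storage MPs) done from the Operations Manager shell, as an added example that is not from the original post or from HP. It assumes the OperationsManager module is loaded on a management server; the name pattern and the functions Get-MpRemovalOrder and Remove-HpStorageManagementPacks are my own.

```powershell
# Added example, not from the original post. Lists the installed HP Storage management packs
# together with every other pack that references them, ordered so that dependents (e.g. the
# override MP) are removed before the packs they depend on (e.g. the library).
# Assumes the OperationsManager module on a management server; names below are my own.

Import-Module OperationsManager

function Get-MpRemovalOrder {
    param([string]$NamePattern = '*HP*Storage*')
    $all     = Get-SCOMManagementPack
    $targets = @($all | Where-Object { $_.Name -like $NamePattern -or $_.DisplayName -like $NamePattern })
    if ($targets.Count -eq 0) { return @() }

    # Build "who references whom" from each pack's References collection.
    $dependents = @{}
    foreach ($mp in $all) {
        foreach ($ref in $mp.References.Values) {
            if (-not $dependents.ContainsKey($ref.Name)) { $dependents[$ref.Name] = @() }
            $dependents[$ref.Name] += $mp
        }
    }

    # Depth-first post-order walk: a pack is emitted only after everything that references it.
    $ordered = New-Object System.Collections.Generic.List[object]
    $seen    = @{}
    function Visit($mp) {
        if ($seen.ContainsKey($mp.Name)) { return }
        $seen[$mp.Name] = $true
        foreach ($d in @($dependents[$mp.Name])) { if ($d) { Visit $d } }
        $ordered.Add($mp)
    }
    foreach ($t in $targets) { Visit $t }
    $ordered
}

function Remove-HpStorageManagementPacks {
    param([string]$NamePattern = '*HP*Storage*', [switch]$Force)
    $order = @(Get-MpRemovalOrder -NamePattern $NamePattern)
    $order | Select-Object Name, Version, Sealed | Format-Table -AutoSize | Out-String | Write-Host
    if (-not $Force) { Write-Host 'Dry run: re-run with -Force to remove the packs listed above'; return }
    foreach ($mp in $order) {
        Write-Host "Removing $($mp.Name) $($mp.Version)"
        Remove-SCOMManagementPack -ManagementPack $mp
    }
}

# Remove-HpStorageManagementPacks          # dry run: shows the removal order
# Remove-HpStorageManagementPacks -Force   # overrides and other dependents first, library last
```

Always read the dry-run list before using -Force: any pack that happens to reference an HP Storage MP (another override pack, a custom distributed application) will be on it, and losing overrides you did not know about is the usual surprise in this kind of cleanup.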


And time to launch the installer


Installing locally on dedicated management servers


For this install we won't have the bindings to VMM, so only the 3PAR MP without integration will be installed


After install start the HP Storage Management Pack User Configuration Tool


Add the 3PARs you want to monitor


We have created dedicated browser users on each 3PAR; I don't really understand why they want a superuser for discovery,

not sure if it's related to the VMM integration, but for now we use a browser user until we see something that breaks


Time to override the discovery


Enable the override for the discovery


and 600 seconds and a bit later we have a shiny overview of our 3PAR installation; a future post will cover enhancements


So far we have had a mixed experience with ODX and HP 3PAR: backup was painful with locked LUNs, and moving VMs around was even more painful, with data corruption.

So until now we have disabled ODX on everything 3PAR related; other arrays have issues with backup too, and since it's software, the solution so far has been a mix between HP and Microsoft.

This is "only" an issue when doing backup of a CSV volume; standalone hosts haven't been affected. Again, back to the mix between HP and Microsoft.

From what we have seen so far:


2012 R2 with the April update and http://support.microsoft.com/kb/2966407 will fix it:

Assume that you install update 2919355 on a Windows 8.1-based or Windows Server 2012 R2-based computer. When you try to back up some Hyper-V virtual machines that reside on cluster shared volumes, you receive an error message that indicates the backup request has failed.
Here is a sample of the error messages that you may encounter when this issue occurs:

Error(s): vss_e_unexpected_provider_error
Csv writer is in failed state with unexpected error


On the 3PAR side we have upgraded to 3.1.3, and will apply some more patches tomorrow and continue testing.

SCOPE

Windows Server 2012 or Windows Server 2012 R2 hosts with ODX in use with HP 3PAR StoreServ Storage running HP 3PAR OS version 3.1.2 GA, 3.1.2 MU1, 3.1.2 MU2, 3.1.2 EMU2, or 3.1.2 MU3.

RESOLUTION

Upgrade the HP 3PAR OS on the HP 3PAR StoreServ Storage to 3.1.2 MU2 or later if running a lower HP 3PAR OS version. Next apply the patch as follows:

  • For 3.1.2 MU2 and 3.1.2 EMU2, apply Patch 11 followed by Patch 36.

  • For 3.1.2 MU3, apply Patch 30.


So after the Windows patches and the upgraded 3PAR we can now back up multiple VMs (it was 2 before) and move data around with ODX enabled.

What remains for next week is to move VMs around with storage migration to verify that the data corruption is also history.
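A host-side pre-check for the two things this post hinges on, as an added example that is not from the original post: whether KB2966407 is installed and whether ODX is currently disabled on the host, plus a guarded switch to turn it back on. It assumes a Windows Server 2012 R2 Hyper-V host; the functions Test-OdxHostState and Set-OdxEnabled are my own names, and the 3PAR OS/patch level from the HP advisory still has to be checked on the array.

```powershell
# Added example, not from the original post. Checks the host-side prerequisites before
# re-enabling ODX on 3PAR-backed CSVs: the KB2966407 hotfix and the current ODX setting.
# Assumes a Windows Server 2012 R2 Hyper-V host; function names are my own.

function Test-OdxHostState {
    param([string[]]$RequiredHotfix = @('KB2966407'))

    # FilterSupportedFeaturesMode = 1 is the documented way to turn ODX off on a host;
    # a missing value or 0 means ODX is enabled.
    $fsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
    $mode  = (Get-ItemProperty -Path $fsKey -Name FilterSupportedFeaturesMode `
                -ErrorAction SilentlyContinue).FilterSupportedFeaturesMode

    $missing = @(foreach ($kb in $RequiredHotfix) {
        if (-not (Get-HotFix -Id $kb -ErrorAction SilentlyContinue)) { $kb }
    })

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        OdxEnabled      = ($mode -ne 1)
        MissingHotfixes = $missing
        SafeToEnableOdx = ($missing.Count -eq 0)   # host side only; the array patch level is separate
    }
}

function Set-OdxEnabled {
    param([Parameter(Mandatory)][bool]$Enabled)
    $state = Test-OdxHostState
    if ($Enabled -and -not $state.SafeToEnableOdx) {
        throw "Refusing to enable ODX: missing $($state.MissingHotfixes -join ', ')"
    }
    $value = if ($Enabled) { 0 } else { 1 }
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem' `
        -Name FilterSupportedFeaturesMode -Value $value -Type DWord
    # Reboot the host afterwards so the file system filter drivers pick up the new value.
}

# Test-OdxHostState
# Set-OdxEnabled -Enabled $true
```

Run Test-OdxHostState on every node in the cluster before flipping the setting; a single unpatched node that still sees the CSV is enough to bring the locked-LUN backup failures back.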

So we just got a new shiny FAS 2552 for use with NetApp Shift; we wanted to set up basic monitoring to start with, to ensure that everything is in working order and track status that way. NetApp will alert on critical errors through AutoSupport, but putting everything together in a single pane of glass, e.g. Operations Manager, makes a good case.

Sign in to your NOW account and download OnCommand 4.0.1 or the newest version


This install will cover the basics; as soon as we get the box closer to production a new post will be added with further details


The OnCommand plug-in requires a named user during install to host the web service; the account MUST be local admin on the Operations Manager management server you install on. Be aware that a default Operations Manager installation makes this user a full admin in Operations Manager, so ensure that BUILTIN\Administrators doesn't have full admin rights in Operations Manager
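A pre-flight check for the two points above, as an added example that is not from the original post or from NetApp: it confirms the named service account is a local Administrator on this management server, and reports whether BUILTIN\Administrators is still a member of the Operations Manager Administrators user role (in which case that account, and every other local admin, is a full OpsMgr admin). It assumes it runs in the Operations Manager shell on the management server; the function Test-OnCommandInstallAccount and the account name CONTOSO\svc-oncommand are my own, constructed placeholders.

```powershell
# Added example, not from the original post. Pre-flight check for the OnCommand install account.
# Assumes the OperationsManager module on the target management server; names are my own.

Import-Module OperationsManager

function Test-OnCommandInstallAccount {
    param([Parameter(Mandatory)][string]$Account)   # e.g. 'CONTOSO\svc-oncommand' (constructed example)

    # Local Administrators membership via ADSI (works on 2012 R2, which has no LocalAccounts module).
    $group  = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $admins = @($group.Invoke('Members') | ForEach-Object {
        $path = $_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'   # WinNT://CONTOSO/user -> CONTOSO\user
    })
    $isLocalAdmin = $admins -contains $Account

    # Membership of the Operations Manager Administrators role (default member: BUILTIN\Administrators).
    $adminRole = Get-SCOMUserRole | Where-Object {
        $_.Name -eq 'OperationsManagerAdministrators' -or $_.DisplayName -eq 'Operations Manager Administrators'
    }
    $roleUsers = @($adminRole.Users)
    $builtinAdminsInRole = [bool]($roleUsers | Where-Object { $_ -match '^BUILTIN\\Administrators$' })

    [pscustomobject]@{
        Account                    = $Account
        IsLocalAdmin               = $isLocalAdmin
        BuiltinAdminsIsOpsMgrAdmin = $builtinAdminsInRole
        OpsMgrAdminRoleMembers     = $roleUsers
        ReadyToInstall             = ($isLocalAdmin -and -not $builtinAdminsInRole)
    }
}

# Test-OnCommandInstallAccount -Account 'CONTOSO\svc-oncommand'
```

If BuiltinAdminsIsOpsMgrAdmin comes back True, replace BUILTIN\Administrators in the role with a dedicated OpsMgr admins group before running the installer; the service account then gets only the local rights the plug-in needs and not control of the whole management group.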


Start the installer on an Operations Manager management server


Add Console Integration/Management Packs; for the purpose of this post we won't cover VMM integration or the shell


Add the named user created before the install started


The installer imports the management packs; in our environment this took less than 10 minutes


Success :)


In OnCommand System Manager create a user with API access and read-only rights; this is to keep the number of high-privilege accounts as low as possible


Under Clustered Data ONTAP Management Servers, select Manage Storage Systems


Add the IP/DNS name for the cluster node; during initial setup I got a "Value cannot be null"

This was due to no Storage Virtual Machines having been created yet, as this was a brand new install


As this is just a test install for now, I just created an SVM with CIFS only, to get past the error during install


And back to adding the Storage System to the Operations Manager


Success :)


To avoid waiting for the scheduled discovery I ran a discovery task to speed things up


And a few minutes later we start getting info about our Shift FAS box


And hardware status

If you install the Management Pack after configuring the filer you won't see the null error

Next step is looking at rules/monitors/reporting


Have Fun