Connecting the world…


HP Virtual Connect Manager

While changing the configuration within an HP Virtual Connect Manager, I noticed that I didn’t have any options to delete server profiles, Ethernet Networks or Shared Uplink Sets within the web browser.

I needed to change the configuration dramatically from an active / standby configuration to an active / active configuration. I also needed to change the complete server profile configuration and Ethernet Networks configuration.

I noticed that I can also connect through SSH to the HP VC Flex-10 Enet modules. This presents a CLI with different command options. And of course I had more options within the CLI compared to the web interface.

--------------------------------------------------------------------------------
HP Virtual Connect Management CLI v3.18
Build: 3.18-3 (r46087) Apr  1 2011 17:45:49
(C) Copyright 2006-2011 Hewlett-Packard Development Company, L.P.
All Rights Reserved
--------------------------------------------------------------------------------

GETTING STARTED:

help           : displays a list of available subcommands
exit           : quits the command shell
<subcommand> ? : displays a list of managed elements for a subcommand
<subcommand> <managed element> ? : displays detailed help for a command

->?

Through the CLI I had the option to remove the server profiles, Ethernet Networks and the configured Shared Uplink Set. The help command (?) is very useful to check the command syntax to remove different configuration settings. You have to remove the different items in the correct order. I used the following order:

  1. Server Profile : remove profile <profile_name>
  2. Ethernet Networks : remove network <enet_name>
  3. Shared Uplink Set : remove uplinkset <sus_name>

When you try to delete the items in the wrong order, you will receive an error message on the console, as shown below.

->remove uplinkset SUS1
ERROR: Operation not allowed : The requested shared uplink set is currently in use by one or more networks

After deleting the configuration I configured my desired setup. The configuration can be a bit bumpy, which depends on the firmware used with the Virtual Connect Manager. I found a very good article on configuring HP Virtual Connect Manager in conjunction with ESX, Windows Hyper-V.

HP Virtual Connect Ethernet Cookbook: Single and Multiple Enclosure Domain

TIP: when configuring or changing Ethernet network settings on a Server Profile, first unassign the profile from the bay. Changing settings on an unassigned profile is much faster than on an assigned profile.

eSafe Proxy with NTLM v2.0

Today I am playing with eSafe 8 operating in eSafe Proxy with NTLM authentication mode. Configuring eSafe Proxy with NTLM authentication is very straightforward and not difficult. The authentication settings are configured using the eSafe Appliance Manager web interface, as shown below.

eSafe_proxy

I did some testing with multiple browsers and single sign-on with NTLM authentication is working perfectly. The system administrator was also testing, but he was complaining that he couldn’t authenticate. A pop-up box is received and when you enter the appropriate credentials, they aren’t accepted by eSafe. I found out that the customer is using Windows 7 and I was testing with Windows XP and Windows Server 2003.

Windows Vista, Windows 7 and Windows Server 2008 R2 and higher use NTLM v2.0-only by default. eSafe Proxy uses NTLM v1.0. The default setting within Windows can be changed to operate in a mode which is backwards compatible with eSafe Proxy. Take the following steps to change the NTLM settings:

  1. Open the Group Policy Editor with gpedit.msc;
  2. Go to Computer Configuration – Windows Settings – Security Settings – Local Policies – Security Options;
  3. Go to the setting: Network security: LAN Manager authentication level
  4. Change this setting to: Send LM & NTLM – use NTLMv2 session security if negotiated
  5. Apply the policy with gpupdate /force

ntlmv2

The picture shows the policy setting within Windows. This should solve the problem with single sign-on on Windows Vista, Windows 7 and Windows Server 2008 R2 and higher.
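The policy changed in the steps above is stored in the registry value LmCompatibilityLevel under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, so the effective level can be read back to keep track of which clients now send the older LM/NTLM responses. The following PowerShell is an added example, not part of the original post; the function name Get-LmAuthLevel is hypothetical.

```powershell
# Added example: report the effective "LAN Manager authentication level" of the local machine.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Policy names as listed under Security Options, indexed by LmCompatibilityLevel (0-5).
$Levels = @(
    'Send LM & NTLM responses',
    'Send LM & NTLM - use NTLMv2 session security if negotiated',
    'Send NTLM response only',
    'Send NTLMv2 response only',
    'Send NTLMv2 response only. Refuse LM',
    'Send NTLMv2 response only. Refuse LM & NTLM'
)

function Get-LmAuthLevel {
    $item = Get-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value not set: Windows Vista / Server 2008 and later behave as level 3.
        $level  = 3
        $source = 'default (value not set)'
    } else {
        $level  = [int]$item.LmCompatibilityLevel
        $source = 'registry'
    }
    if ($level -lt 0 -or $level -gt 5) {
        throw "Unexpected LmCompatibilityLevel value: $level"
    }
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        Level       = $level
        Policy      = $Levels[$level]
        Source      = $source
        SendsLM     = ($level -le 1)   # levels 0 and 1 send LM responses
        SendsNTLMv1 = ($level -le 2)   # levels 0 to 2 send NTLM (v1) responses
    }
}

$result = Get-LmAuthLevel
$result | Format-List

if ($result.SendsNTLMv1) {
    # The setting chosen in step 4 corresponds to level 1, so this branch is expected on
    # clients that were changed for the eSafe proxy; record them as exceptions.
    Write-Warning "$($result.Computer) sends LM/NTLMv1 responses (level $($result.Level))."
}
```

Run it in an elevated or normal PowerShell session on the client after gpupdate /force; a level of 3 or higher means the compatibility setting has not been applied to that machine.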

RSA Authentication Manager 7.1 on VMware

I had to install and configure RSA Authentication Manager 7.1. Looking at the Supported Platforms I couldn’t find VMware ESX as a supported platform. VMware ESX was supported for RSA AM 6.1. So I thought to myself, let’s give it a try. What I noticed first was the size of the installer. The installation file for RSA AM 7.1 is about 2.5Gb, which I think is a lot compared to the 300Mb for RSA AM 6.1.

I installed a server with the following specs:

  • 2 x Intel Xeon 2.0 Ghz processor
  • 2Gb of RAM
  • 60 Gb partition, solely for RSA
  • 2Gb Paging file

The installation of RSA Authentication Manager 7.1 took 1.5 hours, so I really started doubting the installation under VMware. After the installation I wasn’t able to open the management console, which is web-based in this new version. To be sure, I restarted the server after the installation. Now it took 45 minutes to pass the Applying computer settings and Applying personal settings stages.

I called RSA and the engineer told me that there are no known issues for running RSA Authentication Manager 7.1 under VMware. The only important thing he told me was the usage of 4Gb RAM and a 4GB Paging file, when running under VMware. I upgraded the memory from 2Gb RAM to 4GB RAM and I configured two 4Gb paging files.

You may have already guessed the following lines of text, but the upgrade didn’t work out. The boot process still took approximately 45 minutes. After booting the server, the performance was really bad. The memory usage was steadily running on 4.2 Gb!!!!

I called RSA a second time and the next engineer took my doubts away. He told me that RSA Authentication Manager 7.1 is NOT OFFICIALLY supported by RSA. The performance problems are probably caused by the new Oracle database and the different Java instances, which are running on the server. Because RSA had to run in a virtual environment, I downloaded RSA AM 6.1. The installation AND configuration of the complete environment took about 2 hours.

So at the time of writing this blog post:

DO NOT INSTALL RSA AUTHENTICATION MANAGER 7.1 UNDER VMWARE!!!!

ADD ON August 15th 2009

RSA 7.1 is now supported under ESX 3.5. Check the updated article on this matter.

Maybe you also want to check this article about configuring On-Demand with RSA 7.1.

ID Control

Ictivity indirectly received an e-mail about strong authentication products from ID Control. Strong authentication is authentication where you need multiple factors (what you have, what you know, what you are) to actually authenticate to a system, network or something else. We, as Connectivity Consultants, were asked to look at the different products and start a discussion about these products. Are they interesting for us or some of our customers??

The main focus is on three different authentication products. In this post you can read MY OPINION about the three different authentication items.

HandyID

HandyID is the leading mobile authentication method which provides a One Time Password (OTP) token-based, two-factor authentication solution on your mobile phone (handy), PDA, Blackberry and/or smart phone. HandyID turns your mobile device into a hardware token enabling a cost-effective, easy, convenient and user-friendly strong authentication solution for online banking, government and ecommerce. In combination with ID Control Server the set up and deployment is easy and fast.

Reading the text above I am thinking what HandyID brings extra in comparison to tokens like the ones from RSA. In my opinion I only see disadvantages. According to ID Control, you can use HandyID on every mobile device. I will not run it on my device, because the Nokia I am using isn’t that stable. I see crashing mobile phones, mobile phones with empty batteries and no charger nearby. I see incompatibilities with some tropical applications. In general, I like the concept of HandyID, but I would prefer a decent token from RSA (RSA SecurID).

KeystrokeID

KeystrokeID is the biometric solution based on behaviour traits that are acquired over a certain time period the user is typing on his or her keyboard (versus a physiological characteristic or physical trait). KeystrokeID monitors and analyses all keyboard behaviour performed by the user during his/her access. Based on this keystroke behaviour performed in comparison to the user’s normal behaviour access is granted when this user is also authorized.

Huh?? So reading this, the keyboard is learning the way you type and grants you access on that process. Sounds cool, but again I see a lot of customers having problems accessing the stuff they would like to access. I can imagine that KeystrokeID would work for a private secretary who finds the keys blindly on the keyboard, but what about people who cannot type that well and what when you are typing at night in bed, without decent light. I guess you won’t type the same as during normal day time. Summarizing, I would advise OUR customers to use KeystrokeID, because I THINK that the product brings more authentication problems than solving authentication problems.

USB Token

ID Control’s USB Token is a portable end-user authentication token that can replace user name and password for workstation, website, VPN, file, email, network, file and/or disk access security. ID Control USB Token plugs into any standard USB port and can even run without any software.

After reading the documentation about USB Token, I definitely imagine advising USB Token to customers and even using one for myself. The USB Token’s ease of use looks really better in comparison to smart-cards or biometrics. Nowadays USB keys are common usage and the price for USB keys won’t be that high. Another advantage of the USB Token is that you only need an enabled USB port on a workstation and that’s it. For smart-cards and biometrics, you normally need extra equipment before you can actually use the smart-cards.

The USB Token can be used for different reasons like Secure VPN Authentication, File and Disk Encryption, Web (Application) Sign-on, Secure Password Manager, Computer and Network Sign-on, Email Encryption & Signing and PKI. I would definitely use the USB Token for File and Disk Encryption and Secure Password Manager. In my line of work and our customers, I can also imagine using the USB Token for Secure VPN Authentication.