Sunday 2 August 2015

Getting started with NexSan E60VT - Installing & Initial configuration

Physically installing the E60

Hello, this is just a quick note to say that I will not go into the physical installation of this beast - other than to suggest that you pick somewhere LOW DOWN as you are not going to want to lift this past shoulder height!
It's also worth pointing out that the E60 version that I have sticks out of the back of our rack by quite a bit, this is to be expected as the length of the unit is 1026mm (including the front panel).  Inside the box was the E60, rack mount kit, instructions CD, Power cables and a serial cable.

Configuring the NexSan E60

The instruction CD comes with manuals for a variety of products so make sure to pick the correct one.

The guide for setting up the system is the Nexsan RAID Storage User Guide which is in itself a catch all for Nexsan SATABoy, SATABEAST and E Series models.

When I first started trying to connect to the SAN, I could not find the NexSan on the network - I had neglected to press the minuscule sw0 switch next to the MGMT COM port, shown below.


Configuring the IP address
We need to install NexsanTools_x.x.x.exe to "find" the new SAN on the network. It can be found on the supplied CD in the Tools folder (or you can download NexsanTools_x.x.x.exe from nexsansupport.imation.com/article/AA-00322/0/Nexsan-Storage-Tools.html).  I installed all of the Nexsan tools features on a server that I was going to connect the SAN to (multipathing features require that NexSan Tools be installed on the server in any case).  A restart might be required after installation.
Search for IP Configuration Tool in the Windows Start menu or Start screen and you should find the NexSan IP configuration tool. You can then configure the IP address of the device.

Logon to web interface
Browse to the IP that you configured for the SAN
I was taken straight to the "checklist" tab which prompted me to register the device with NexSan, which I did.  I decided to then follow the rest of the steps in the quick start in order:
  1. Set the admin password (strongly advised) and the user password
  2. Set the "friendly" RAID system name (this appears in email communications and the web interface to help identify the device)
  3. I was prompted to add a second network cable for the second management port and assign an IP so I did that
  4. Set the E-Mail SMTP server settings - it was not immediately obvious where to set up recipients - to configure these click configure in the far right column of the recipients table, not sure why but I missed that the first 2 times I looked at that screen
  5. Setup time settings via the NTP server on our network
  6. Setup SNMP settings
  7. Setup my volumes using the Quickstart method as part of the "checklist". I had 20x 2TB disks to use for our backup solution so opted for RAID6 + 2 pool hot spares
  8. Setup the "Default Access" to Deny as opposed to R/W!
Performing all of those actions gave me nice green ticks next to all checklist items.
Nice!
It is possible to get back to the checklist screen by clicking on the Home tab on the left hand side and clicking on the Review Checklist Button
Configure fibre connection to a Server 2012 R2 host
Make sure that the Multipath I/O feature is installed (I believe that this is installed automatically when NexSan tools are installed).
I assume that you have physically installed the fibre card and cables (ideally with redundant connections, so that your host access tab on the NexSan looks like this):
On the SAN:
Click Configure Host Access on the left hand pane
Click on the hosts tab - you should see the fibre connections to your server
I then clicked on the Groups tab and created a new group (with my servername as the group name) and added both of the hosts into the group
You can add a more friendly name for each host connection (Recommended)
 Next you can click on the access tab
On the far right next to each of the host names click the Access button
Set the required access to each of the volumes you have created (in my case R/W)

On the server
It should now be as simple as going into the Disk Management MMC snap-in and clicking on Rescan Disks in the Action menu.

You should see the Unknown offline disks. Bring them online, initialise them (right click and click Initialise) and partition them as required!

Done.

Tuesday 7 April 2015

Lotus Traveler - Handy Commands

Resetting Sync Data to resolve issues

Sometimes users complain that folders are not syncing correctly, e.g. inbox read marks are not transferring and moving documents to a folder does not occur, or in the worst cases folders do not appear on the iPhone at all.

In several cases I have found that running the below will suffice (note that you can use * for deviceid to reset sync data for ALL devices belonging to a user).

tell traveler reset <deviceid> <username>

Deleting Devices/Users

The guide below shows how to delete a specific device from a user. To delete all devices or to remove a user completely from Traveler, follow the guide a little lower down this post.

Command
tell traveler delete <deviceid> <username>

Usage
Open the traveler web interface and find the device that you want to remove from the user and open its properties, you can find the info that you need for the command here.  You can copy and paste this into a notepad file before pasting into the domino console.
Example command
tell traveler delete ApplD1231231232131  Allan Crumpton/My-Domain 

Delete a Traveler User Completely
1)  Run:    tell traveler security delete * <username> 
2)  Run:    tell traveler delete * <username> 
3)  Open ntsclcache.nsf and delete all entries for that user. 

Tuesday 3 March 2015

Using Kemp Load balancer for SSL offloading for perfect forward secrecy and TLS1.x (A rating on SSL labs)

You may have already seen in my previous post how to perform SSL offloading to a Kemp Load Balancer, but another useful feature is setting up the ciphers available to each Virtual Service to get a good "A" rating on the SSL Labs vulnerability scan of your site.

Setting ciphers on Windows for IIS requires a bit of PowerShell scripting and there is a guide available here

However, updating the SSL ciphers that we are using on a Virtual Service (VS) in the load balancer is much easier.  Once you have assigned an SSL cert, do the following to update the ciphers:

  • Click Virtual Services
  • Click View/Modify Services
  • Select the VS to update
  • You will note that SSL acceleration is Enabled and there is a Ciphers list which by default just contains the default ciphers.
  • On the left column are the available ciphers - ticking the various options in the "Selection filters" check boxes on the right filters this list
  • Options required to filter the list:
  • Tick "Perfect Forward Secrecy", "No RC4" and "TLS 1.x Ciphers Only"
  • Highlight all of the available ciphers in the now filtered list
  • Click on the > button to move the selected ciphers over to the "Assigned Ciphers" list and be sure to click the "Set Ciphers" button to confirm the new ciphers

Test the SSL configuration at https://www.ssllabs.com/ssltest/ but make sure to tick the box to not show the results of your test on the results board!  You should get an A rating on your SSL configuration.
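The same three properties can also be spot-checked from `openssl s_client` output for a single handshake. The script below is an added example, not part of the original post or of Kemp's tooling; it assumes OpenSSL-style cipher names, treats "TLS 1.x Ciphers Only" as "the negotiated protocol is TLS 1.x", and uses constructed sample output and a placeholder host name.

```shell
#!/bin/sh
# Added example: grade `openssl s_client` output against the three filters
# ticked above. Assumes OpenSSL cipher names; all samples are constructed.

grade_handshake() {
    # Pull "Protocol" and "Cipher" from the SSL-Session block on stdin.
    gh_out=$(tr -d '\r')
    gh_proto=$(printf '%s\n' "$gh_out" | awk -F': *' '/^ *Protocol *:/ {print $2; exit}')
    gh_cipher=$(printf '%s\n' "$gh_out" | awk -F': *' '/^ *Cipher *:/ {print $2; exit}')
    if [ -z "$gh_proto" ] || [ -z "$gh_cipher" ] || [ "$gh_cipher" = "0000" ]; then
        echo "FAIL no-handshake"
        return 1
    fi
    gh_why=""
    # "TLS 1.x Ciphers Only": the session must be TLSv1, 1.1, 1.2 or 1.3.
    case "$gh_proto" in TLSv1|TLSv1.*) ;; *) gh_why="$gh_why protocol" ;; esac
    # "No RC4": the negotiated suite must not use the RC4 stream cipher.
    case "$gh_cipher" in *RC4*) gh_why="$gh_why rc4" ;; esac
    # "Perfect Forward Secrecy": ephemeral (EC)DH key exchange. TLS 1.3
    # suites (TLS_*) are always ephemeral; EDH-* is the older name for DHE-*.
    case "$gh_cipher" in ECDHE-*|DHE-*|EDH-*|TLS_*) ;; *) gh_why="$gh_why no-pfs" ;; esac
    if [ -n "$gh_why" ]; then
        echo "FAIL$gh_why ($gh_proto $gh_cipher)"
        return 1
    fi
    echo "PASS ($gh_proto $gh_cipher)"
}

# Constructed excerpts of s_client output.
SAMPLE_GOOD='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384'
SAMPLE_RC4='SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA'
SAMPLE_SSL3='SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES128-SHA'

# Live use (lb.example.com is a placeholder for your Virtual Service):
#   openssl s_client -connect lb.example.com:443 </dev/null 2>/dev/null | grade_handshake
```

A single handshake only shows what this client and the Virtual Service agreed on; the SSL Labs scan remains the check that enumerates every cipher the service accepts.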

How to enable SSL offloading on a Kemp Load Balancer

I love the 2 Kemp Load balancers that we have at work.  As well as the obvious job of directing traffic to multiple application front-ends it can also perform SSL offloading.

This means that we can have a single portal through which to manage our SSL certificates rather than having to update on individual IIS computers.

To start you need an SSL certificate and any intermediate certificate that is required.

Logon to the Kemp load balancer
Select Certificates > SSL Certificates
Click "Import Certificate"
Click "Browse" to select your certificates
Fill in the Pass Phrase and add a Certificate Identifier (this can be anything as it's a friendly name that you can use to identify it in the web UI)

You can now add Virtual Services to the assigned list for the certificate. Make sure that your Virtual Service listens on port 443. You might want to disable SSL on the real servers and have the load balancer and the real servers communicate over port 80 without SSL (that traffic then crosses the internal network unencrypted), unless you are concerned about the security of your internal network communications.

Monday 2 February 2015

Citrix XenServer XAPI Not running

Issue

A XenServer node is not available in the pool - all VM's running on the server have stopped/migrated to other nodes.

When logging into the server via the DRAC card the following message is displayed:

"The Xen API xapi is not running. This console will have reduced functionality."


Resolution - lifted from http://support.citrix.com/article/CTX128316

  • The most common cause is that the XenServer disk has run out of space, usually because a log file has grown especially large.
  • Open the console via Putty/any SSH terminal (The server will not be available in XenCenter)
  • Type df in the console - this will show you the current disk use - you will see a "Use%" listed as the 5th column, if this shows at or very near 100% then disk space is probably the issue
My usage is at 54%

    • The most common cause of disk space being used is the logs in /var/log so do the following:
    • cd /var/log
    • Run the following command to see the size of all the files in the current directory; narrow down your search by specifying one file, if needed:
    • du -ksh *.*
    • If you see an excessively large file, run the following command to delete the file:
    • rm <filename>.log
  • Restart the XenServer; this recreates the log file and restarts XAPI automatically.
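
The df and /var/log checks above can be scripted so that they only report and never delete. This is an added example, not taken from the original post or the Citrix article; the 95% threshold, the 100 MB size limit and the sample df output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report full filesystems and oversized logs. Nothing is deleted.

# full_filesystems LIMIT: read `df -P` output on stdin and print
# "<mount point> <Use%>" for every filesystem at or above LIMIT percent.
# -P keeps each filesystem on one line, so Use% is always the 5th column.
full_filesystems() {
    awk -v limit="$1" 'NR > 1 {
        use = $5; sub(/%$/, "", use)
        if (use + 0 >= limit + 0) print $6, $5
    }'
}

# big_logs DIR MIN_KB: list files directly in DIR larger than MIN_KB,
# biggest first, as "<size in KB> <path>".
big_logs() {
    find "$1" -maxdepth 1 -type f -size +"$2"k -exec du -k {} + | sort -rn
}

# Constructed sample of `df -P` output from a host with a full root disk.
SAMPLE_DF='Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/sda1 4128448 4106240 0 100% /
none 393216 128 393088 1% /dev/shm'

# Typical use on the host itself (threshold and size are assumptions):
#   df -P | full_filesystems 95
#   big_logs /var/log 102400
```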