Month: December 2019


Installing SANnav Management Portal 2.0

22/12/2019 | SAN | 1 Comment

In our previous article, we went through the installation steps of RHEL/CentOS and the basic configuration for SANnav. This article focuses on implementing the prerequisites and installing SANnav Management Portal.

Before we start, make sure to read Preparing RHEL / CentOS Server for SANnav and the SANnav Management Portal guide.

Implementing prerequisites

    1. If you are not the owner of the server, make sure you have root privileges on your Linux system.
    2. Uninstall other applications from your server.
    3. If you have previously installed Docker, uninstall it.
    4. Ensure that the entire physical server (boot, log, and data) runs on a single partition. In my case, I have 3 partitions and an LVM but I’m using virtual disks on the underlying layer.

 

  • Ensure that lsof and nslookup are installed on the server (nslookup is part of the bind-utils package). To install them, use the command:
    yum install lsof bind-utils

  • The umask for the root user must be set to 0022. By default root already has this value; if not, use the following command to change it:
    umask 0022

  1. Open /etc/security/limits.conf and add the following line at the end: elasticsearch - nofile 65536
    vi /etc/security/limits.conf
  2. Port 22 is by default in use for SSH. You either keep port 22 for SSH, or you use it for the SANnav repository and move SSH to another port. To change the default SSH configuration, open /etc/ssh/sshd_config, uncomment #Port 22 and change it to 8022.
    Restart the SSHD service using the command:

    systemctl restart sshd
  3. Port 80 must also be available. If you are using a firewall in your environment, make sure to open the ports. I would recommend disabling the firewall during installation and enabling it again after implementing SANnav. See also the firewall requirements in the guide.
  4. It is required to have IP forwarding enabled. You can verify using the following command:
    /sbin/sysctl net.ipv4.ip_forward

    To enable IP Forwarding permanently, open the /etc/sysctl.conf file and add the following lines:
    # Enable IP Forwarding for SANnav
    net.ipv4.ip_forward = 1

  5. Ensure that hostname -i resolves to an IP address. If your server is in your domain, hostname -f must resolve to an FQDN.
  6. Ensure that nslookup is successful when launched against other servers.
    If not, verify that /etc/hosts, /etc/nsswitch.conf and your network interface configuration are valid.
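
The file- and port-based prerequisites above can be checked with a short script. This is an added example, not part of the original article or of SANnav; the function names are its own, and it assumes the standard four-field limits.conf layout (domain, type, item, value) and `ss -ltn` for the live port check.

```shell
#!/bin/sh
# Added example (not from the article or SANnav): checks for the host
# prerequisites listed above. Function names are this example's own; the
# file checks take a path so they also work on a copy of the config.

# limits.conf layout is: <domain> <type> <item> <value>
limits_ok() {
  awk '!/^[ \t]*#/ && $1=="elasticsearch" && $3=="nofile" && $4+0>=65536 {ok=1}
       END {exit !ok}' "$1"
}

# Active Port directives in sshd_config; sshd uses 22 when none is set.
sshd_ports() {
  ports=$(awk 'tolower($1)=="port" {printf "%s%s", sep, $2; sep=" "}' "$1")
  echo "${ports:-22}"
}

# True when the last uncommented net.ipv4.ip_forward setting is 1.
ip_forward_persistent() {
  awk -F= '!/^[ \t]*#/ {k=$1; v=$2; gsub(/[ \t]/,"",k); gsub(/[ \t]/,"",v)
                        if (k=="net.ipv4.ip_forward") last=v}
           END {exit !(last=="1")}' "$1"
}

# Reads `ss -ltn` output on stdin; true when something listens on port $1.
port_in_use() {
  awk -v p=":$1" 'NR>1 && $4 ~ (p "$") {hit=1} END {exit !hit}'
}

check() { label=$1; shift; if "$@"; then echo "OK   $label"; else echo "FAIL $label"; fi; }

prereq_report() {
  check "elasticsearch nofile >= 65536" limits_ok /etc/security/limits.conf
  check "ip_forward persisted" ip_forward_persistent /etc/sysctl.conf
  check "root umask is 0022" test "$(umask)" = "0022"
  echo "INFO sshd ports: $(sshd_ports /etc/ssh/sshd_config)"
  for p in 22 80; do
    if ss -ltn | port_in_use "$p"; then echo "BUSY port $p"; else echo "FREE port $p"; fi
  done
  # The article disables the firewall for the install; confirm it is back on.
  check "firewalld active" systemctl is-active --quiet firewalld
}

# Run against the live system only when asked: sh prereq.sh --live
if [ "${1:-}" = "--live" ]; then prereq_report; fi
```

Running it again after the installation shows whether sshd stayed on the intended port and whether the firewall was re-enabled.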

Installing SANnav Management Portal

I have already downloaded the .tar.gz (compressed package) file of SANnav. Using WinSCP, I transferred it from my Windows computer to the /root/ directory of the RHEL server.

  1. Locate the file you downloaded and extract it using the command:
    tar -xvzf Portal_2.0.0-distribution.tar.gz
  2. Inside bin/diag there is a script that tests the prerequisites. Go to Portal_2.0.0_rc_bld204/bin/diag/ and launch preinstall_system_check.sh

    Verify SANNav Prerequisites
  3. On the screenshot above, the check claims that nslookup failed, but it’s a false positive warning. I didn’t check further, but it’s probably due to the package having another name under RHEL. Launching nslookup commands towards my hosts works like a charm.
  4. To start the installation script, go to /<copied folder>/bin and launch install-single-node-server.sh.

    SANnav installation script
    Installing SANnav using the single-node installation script
  5. On the following screen, accept the License Agreement to continue the installation.
  6. Once the installation of Docker is completed, the setup will proceed with SANnav installation.
  7. At a certain point, you are asked to select the method of communication between SANnav Management Portal and SAN Switches. If you don’t plan to use https and your switches are not configured, select 0 for http. If your switches are already using https connections, select option 1. Optionally you can also select 2 which is https then http.

    SANnav port configuration
  8. The setup will continue for about 20 minutes. Once it has completed, you can launch the client web page on http://<your server ip>

    SANnav Management Portal 2.0
    SANnav Management Portal web interface.

If you are considering installing a CA-signed certificate, make sure to follow the steps from SANnav: Installing CA signed SSL.

To enable https protocol on your Brocade switches, use the steps as described on Enable HTTPS protocol on Brocade switches.

 


RHEL running on Hyper-V

This article will mainly focus on the preparatory steps and the requirements needed for installation of SANnav Management Portal 2.0.0. We will implement the prerequisites on the virtual machine, create the host, install the OS and configure some important services. As of December 2019, Broadcom supports SANnav on RHEL or CentOS only as a bare-metal installation or as a virtual machine running on ESXi; however, it should also run on Hyper-V.

My configuration consists of a Microsoft Hyper-V environment using Failover Clustering on Windows 2012 R2 for HA purposes.
My guest host will use Red Hat Enterprise Linux version 7.6. Before starting, make sure to do the bookkeeping: reserve an IP address, write down the network mask and gateway. Also create the host name record in DNS.

Consider reading the SANnav Management Portal Guide for a better understanding of the requirements.

RHEL Virtual Machine in Hyper-V

Creating Virtual Machine

  1. Open Hyper-V Manager, right click on the physical host, select New, Virtual Machine…
  2. Specify the name and location where your VM will reside
  3. Keep the defaults on generation of the virtual machine, I chose Generation 1 but you can choose Generation 2 according to your needs
  4. Assign at least 48 GB of RAM – this is the minimum RAM you need to select
  5. Configure a network card for your VM
  6. Create a new virtual hard disk and assign minimum 700GB of size
  7. On the Installation Options, keep the defaults – Install an operating system later
  8. Review the summary and click Finish to complete the wizard

You can accomplish the same in a quicker way using PowerShell. This time we’ll just skip PowerShell classes and continue with the core.

At this point our VM container is created, but we still need to do some fine-tuning in order to be ‘compliant’ with SANnav. One of the requirements is that the VM has at least 2 sockets. In VMware, we select the sockets during the creation of the VM. Microsoft doesn’t offer this option by default.

  1. Open Hyper-V Manager or Failover Cluster Manager if you have clustered your VM role, right click and select Settings
  2. Under Processors, select at least 16 processors
  3. Expand Processors and click on NUMA
  4. We will divide the Maximum number of processors by 2 (sockets). If you are planning to use 16 processors, type 8 and the VM will get 2 sockets.
    This is an important step, otherwise the setup of SANnav will not succeed.
  5. At this point we will attach the .ISO file of the RHEL package. Under SCSI Controller, click on DVD Drive and attach the .ISO file.
  6. Under Firmware, make sure to move DVD Drive up as the first boot device.

Installing RHEL

After we have configured the basic settings of our VM container, we will power on the VM and proceed with the installation of RHEL.

  1. Use the arrows to move up to Install Red Hat Enterprise Linux 7.6 and hit Enter to continue
  2. Select your preferred language.
  3. Under Localization, click on Date and Time and enter the locales.
  4. Optional: Enable Network Time and add your own time servers. Hit Done to close.
  5. Under Software, keep the defaults for Installation Source as it will automatically detect the attached .ISO file.
  6. Use Software Selection to select the preferred installation features. I will perform a Minimal Install with the following add-ons:
    Debugging Tools
    Security Tools
    System Administration Tools
  7. Under System, click on Destination and select I will configure partitioning.
  8. Create disk partitioning according to your needs. However, make sure to follow Broadcom’s minimum requirements for SANnav. For a single node installation of 3000 ports the minimum disk size is 600. Hit Done to continue.
    RHEL Partitions
    Partitions used in Red Hat for SANnav implementation

    For /boot /boot/efi and swap file, I’ve created separate partitions.
    For the / root I’m using LVM for sizing flexibility.

  9. Keep the default setting for KDUMP (enabled)
  10. Click on Network & Host name and turn on the Ethernet (eth0) card
  11. At the bottom enter the hostname and click Apply
  12. On the same screen click on Configure and enter the network settings. Disable IPv6 if not used
  13. Keep the defaults for Security Policy
  14. Hit Begin Installation to start the installer
  15. During installation you’ll be prompted to create a root password and create a user
  16. Congrats! At this point you have a semi-compliant RHEL VM for SANnav Management Portal

 


This article will focus on implementing CA-signed certificates and enabling the HTTPS protocol on Brocade switches. I assume you already have a Certificate Authority implemented and that you can sign certificate requests.

Required/used freeware

Putty: Used to connect to the switch.
Alex’s FTP Server: Used to upload and download files from or onto the switch.
OpenSSL: Used to convert and test certificate files.
Dos2Unix: Used to convert Windows-created files to Unix/Linux files.

Deprecated commands:
secCertUtil
secCertUtil CLI will be deprecated. Use secCertMgmt for Certificate related operations.

The command seccertUtil is replaced by secCertMgmt.

It is highly recommended to back up your switch configuration before performing any changes. For tracing purposes, I have configured my Putty terminal to log every session. It will also flush the log file frequently.

Generating Certificate Signing Request (.csr) file

To list available certificates on the switch use the command:

secCertmgmt show -all

To create the .csr file in interactive mode type

seccertmgmt generate -csr https
Generate the Certificate Signing Request
Generate certificate signing request file on Brocade switch

Generate the file and export it locally. Then ask your CA to sign it.

The following command exports the .csr file in an interactive mode:

seccertmgmt export -csr https -protocol ftp
Export Certificate Signing Request
Export Certificate Signing Request (.csr) file using FTP

Preparing certificates for import

I signed the client’s certificate and got it in a .cer file. I also have the Root and Intermediate certificates in my possession.

Brocade switches require the root and intermediate certificates to be merged into one file. The merge order is also important: first the Root certificate, then the Intermediate. Work your way up the chain to the root certificate.

Before merging the certificates we will convert them to .pem files. To convert them from .cer to .pem file format use the following command

openssl x509 -in <certificate path & file name> -out <certificate path & file name>
Convert certificate .cer to .pem file
Converting certificate .cer files to .pem file format

Combining Root and Intermediate certificate

To merge the certificates, use the Windows copy command. The /B parameter prevents Windows from appending the ASCII end-of-file character (Ctrl+Z) to the file.

copy /B <file name path 1> + <file name path 2> <destination file name path>
Merge certificate files
Merging root and intermediate certificate files

Converting Windows files to Unix

Files created in Windows are sometimes read incorrectly in Unix/Linux, because Windows handles e.g. newlines and carriage returns in a different way.

In order to “clean” the certificates, we will use the tool dos2unix to convert them into Unix files.

dos2unix.exe <file name>

The file is rewritten and the output is saved under the same location.

Convert windows to unix files
Use dos2unix to convert Windows files to Unix-readable files

Testing certificates

Additionally, we can test the certificate chain and our client certificate using the following command.

openssl verify -verbose -purpose sslserver -CAfile <root certificate.pem> <switch certificate.pem>
Test certificate
Testing client certificate compatibility with the certificate authority chain
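
The merge, dos2unix and verify steps above can be checked together before anything is imported on the switch. The script below is an added example, not part of the original article or of any Brocade tooling; its function names are its own, and it assumes a POSIX shell with OpenSSL on the PATH (for instance the SANnav Linux host) rather than the Windows prompt used in the screenshots.

```shell
#!/bin/sh
# Added example (not from the article or Brocade): lint the merged CA bundle
# and check the chain before importing. Function names are this example's own.

# Byte-level lint; prints one finding per line, non-zero status if any.
# $1 = bundle file, $2 = expected certificate count (default 2: root + intermediate)
pem_lint() {
  f=$1; want=${2:-2}; rc=0
  begins=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
  ends=$(grep -c -- '-----END CERTIFICATE-----' "$f" || true)
  cr=$(tr -cd '\r' < "$f" | wc -c)      # carriage returns left by Windows tools
  sub=$(tr -cd '\032' < "$f" | wc -c)   # Ctrl-Z end-of-file bytes
  if [ "$begins" -ne "$ends" ]; then echo "unbalanced BEGIN/END markers"; rc=1; fi
  if [ "$begins" -ne "$want" ]; then
    echo "expected $want certificates, found $begins"; rc=1
  fi
  if [ "$cr" -gt 0 ]; then echo "carriage returns present: run dos2unix"; rc=1; fi
  if [ "$sub" -gt 0 ]; then echo "Ctrl-Z (0x1A) byte present: merge with copy /B"; rc=1; fi
  return $rc
}

# Subject and issuer of every certificate in the bundle, to confirm merge order.
chain_order() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# The article's verify command, with the merged bundle as the trust file so
# the intermediate is available when the path to the root is built.
verify_switch_cert() {
  openssl verify -verbose -purpose sslserver -CAfile "$1" "$2"
}

# Usage: sh certcheck.sh --check <bundle.pem> <switch certificate.pem>
if [ "${1:-}" = "--check" ]; then
  pem_lint "$2" && chain_order "$2" && verify_switch_cert "$2" "$3"
fi
```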

Importing certificates

First, we will import the root certificate using the command below.

seccertmgmt import -ca -server https
Importing CA root certificate
Importing CA chain certificate onto the switch

Finally, we can import the switch certificate file.

seccertmgmt import -cert https
Importing client certificate
Importing the client’s certificate onto the switch

We have enabled the switch to communicate over HTTPS protocol and HTTP requests are redirected to HTTPS.

I’ve noticed my Brocade Network Advisor claims that the switch is unreachable after installing the certificate. Finally, I got this resolved by performing a hareboot. The hareboot restarts the web linker daemon which is responsible for web communication.
