Following on from my previous blog post where I mentioned that we’ve discovered a bug in the Hyperic 5.8.4 client (on both Windows and Linux), I think it’s only fair that I share our findings. It’s a bug that we discovered whilst deploying a very large vRealize Suite (two maximum sized global clusters of vROPS, vRLI, Hyperic and vRA/vRO).
Whilst carrying out some testing in my lab surrounding the impact of replacing SSL certificates in Hyperic, I noticed that if for whatever reason authentication between the Hyperic agent and Hyperic server fails, the Hyperic agent increases CPU utilisation of the client machine it’s running on to between 85% and 100%. At first I thought that it’s an anomaly, but I was then able to reproduce the symptoms a further 3 times in proving to VMware GSS that the issue really does exist. A long story short
vSphere 6 makes managing SSL certificates a lot easier than previous releases. It ships with its own Certificate Authority, (VMCA) that issues certificates for all components on your behalf, rather than having to replace each service certificate manually, or relying on self-signed certificates. This new VMCA comes with the Platform Services Controller (PSC) that can be installed as a separate appliance, or embedded within the vCenter Server installation or Appliance.
By default, the VMCA will self-sign its own certificate to be used as a CA certificate that will sign all requests for certificates. This self-signed CA certificate can be replaced by a certificate that is signed by a 3rd party root CA or your own root CA. Any certificate signed by the VMCA, which is an intermediate CA to your root CA, can then be validated by clients with the root CA and VMCA certificates installed.
I’ve been thinking about retiring my old home lab server hardware for some time now. I’ve had two little HP ProLiant ML110 G5 servers for 5+ years. They’ve been good little machines and didn’t cost too much to run, but I can now tell that time has taken its toll on them. They each have a dual core Intel Xeon processor and maxed out at 8GB of RAM. With the management components of products such as vSphere, vCAC, vCD, etc. nowadays requiring at least 8GB per appliance, these machines have basically been made obsolete by the requirements of most enterprise applications today.
I remember struggling to get my head around Apache Webserver file permissions. It's a common issue, and I've seen forum posts this weekend with users struggling to get it right. That s what's prompted this post.
To allow the Apache web server process (httpd) to access and serve files from virtual host directories, httpd requires at least read access. However, with content management systems, httpd might also require write access to virtual host directories.
I recently had to renew my self-signed SSL certificate used to publish my Outlook Web Access with Microsoft ISA Server 2004. As it’s been a while since I’ve done OWA publishing, I found myself scrambling for information on the internet until I eventually managed to compile this document. As I would like to use this again in the future, I though I'd post it here for reference.
I always used to use the Microsoft Windows Certification Authority to sign my own SSL certificates, but as I don’t really like the way the Windows Certification Authority does things, and I do like the way OpenSSL does things, so I opted to use OpenSSL on good old trustworthy openSUSE Linux to:
Create a new Certification Authority that I can use for all my private sites
Create a new x509 SSL Certificate to replace the current soon-to-expire SSL certificate in use by my OWA setup.