Simple Network Mapping using VMware tools and Netstat

This post was originally published on this site

Network Mapping I had fun working out a simple way to extend application discovery using VMware tools; following a retweet or two (or 17), it seems like a lot of folks enjoyed reading about it too. So, fresh from putting together a simple method to interrogate application data, helped by some very clever engineering from […]

The post Simple Network Mapping using VMware tools and Netstat appeared first on

Urgent & Important – Rotate Your Amazon RDS, Aurora, and DocumentDB Certificates


You may have already received an email or seen a console notification, but I don’t want you to be taken by surprise!

Rotate Now
If you are using Amazon Aurora, Amazon Relational Database Service (RDS), or Amazon DocumentDB and are taking advantage of SSL/TLS certificate validation when you connect to your database instances, you need to download & install a fresh certificate, rotate the certificate authority (CA) for the instances, and then reboot the instances.

If you are not using SSL/TLS connections or certificate validation, you do not need to make any updates, but I recommend that you do so in order to be ready in case you decide to use SSL/TLS connections in the future. In this case, you can use a new CLI option that rotates and stages the new certificates but avoids a restart.

The new certificate (CA-2019) is available as part of a certificate bundle that also includes the old certificate (CA-2015) so that you can make a smooth transition without getting into a chicken and egg situation.

What’s Happening?
The SSL/TLS certificates for RDS, Aurora, and DocumentDB expire and are replaced every five years as part of our standard maintenance and security discipline. Here are some important dates to know:

September 19, 2019 – The CA-2019 certificates were made available.

January 14, 2020 – Instances created on or after this date will have the new (CA-2019) certificates. You can temporarily revert to the old certificates if necessary.

February 5 to March 5, 2020 – RDS will stage (install but not activate) new certificates on existing instances. Restarting the instance will activate the certificate.

March 5, 2020 – The CA-2015 certificates will expire. Applications that use certificate validation but have not been updated will lose connectivity.

How to Rotate
Earlier this month I created an Amazon RDS for MySQL database instance and set it aside in preparation for this blog post. As you can see from the screen shot above, the RDS console lets me know that I need to perform a Certificate update.

I visit Using SSL/TLS to Encrypt a Connection to a DB Instance and download a new certificate. If my database client knows how to handle certificate chains, I can download the root certificate and use it for all regions. If not, I download a certificate that is specific to the region where my database instance resides. I decide to download a bundle that contains the old and new root certificates:

Next, I update my client applications to use the new certificates. This process is specific to each app and each database client library, so I don’t have any details to share.

Once the client application has been updated, I change the certificate authority (CA) to rds-ca-2019. I can Modify the instance in the console, and select the new CA:

I can also do this via the CLI:

$ aws rds modify-db-instance --db-instance-identifier database-1 \
  --ca-certificate-identifier rds-ca-2019

The change will take effect during the next maintenance window. I can also apply it immediately:

$ aws rds modify-db-instance --db-instance-identifier database-1 \
  --ca-certificate-identifier rds-ca-2019 --apply-immediately

After my instance has been rebooted (either immediately or during the maintenance window), I test my application to ensure that it continues to work as expected.

If I am not using SSL and want to avoid a restart, I use --no-certificate-rotation-restart:

$ aws rds modify-db-instance --db-instance-identifier database-1 \
  --ca-certificate-identifier rds-ca-2019 --no-certificate-rotation-restart

The database engine will pick up the new certificate during the next planned or unplanned restart.

I can also use the RDS ModifyDBInstance API function or a CloudFormation template to change the certificate authority.
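To see which instances in an account still need the rotation, here is an added PowerShell example (not from the AWS post) that classifies instances from the describe-db-instances output by current CA and pending CA; the JSON is a constructed sample, and the CACertificateIdentifier and PendingModifiedValues fields are those of the DescribeDBInstances API.

```powershell
# Added example (not from the AWS post). Reads the JSON shape that
# `aws rds describe-db-instances --output json` returns and reports, per instance,
# whether it already runs on the target CA, has the change staged, or still needs action.
# The JSON below is a constructed sample; the instance names are made up.
$sampleDescribeJson = @'
{
  "DBInstances": [
    { "DBInstanceIdentifier": "database-1", "CACertificateIdentifier": "rds-ca-2015",
      "PendingModifiedValues": {} },
    { "DBInstanceIdentifier": "database-2", "CACertificateIdentifier": "rds-ca-2015",
      "PendingModifiedValues": { "CACertificateIdentifier": "rds-ca-2019" } },
    { "DBInstanceIdentifier": "database-3", "CACertificateIdentifier": "rds-ca-2019",
      "PendingModifiedValues": {} }
  ]
}
'@

function Get-RdsCaRotationStatus {
    param(
        [Parameter(Mandatory)] [string] $DescribeJson,   # output of describe-db-instances
        [string] $TargetCa = 'rds-ca-2019'                # CA every instance should end up on
    )
    $data = $DescribeJson | ConvertFrom-Json
    foreach ($db in $data.DBInstances) {
        # A pending CACertificateIdentifier means the modify call was accepted but the
        # change has not been applied yet (assumption: it takes effect at the next reboot,
        # as the post describes for changes made without --apply-immediately).
        $pendingCa = $db.PendingModifiedValues.CACertificateIdentifier
        if ($db.CACertificateIdentifier -eq $TargetCa) { $state = 'Rotated' }
        elseif ($pendingCa -eq $TargetCa)              { $state = 'PendingRestart' }
        else                                           { $state = 'ActionRequired' }
        [pscustomobject]@{
            Instance  = $db.DBInstanceIdentifier
            CurrentCa = $db.CACertificateIdentifier
            PendingCa = $pendingCa
            State     = $state
        }
    }
}

# Offline run against the constructed sample:
Get-RdsCaRotationStatus -DescribeJson $sampleDescribeJson | Format-Table -AutoSize

# Against a real account (requires the AWS CLI and credentials):
# Get-RdsCaRotationStatus -DescribeJson (aws rds describe-db-instances --output json | Out-String)
```

Any instance reported as ActionRequired still needs the modify-db-instance call above; PendingRestart instances only need the reboot.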

Once again, all of this must be completed by March 5, 2020 or your applications may be unable to connect to your database instance using SSL or TLS.

Things to Know
Here are a couple of important things to know:

Amazon Aurora Serverless – AWS Certificate Manager (ACM) is used to manage certificate rotations for this database engine, and no action is necessary.

Regions – Rotation is needed for database instances in all commercial AWS regions except Asia Pacific (Hong Kong), Middle East (Bahrain), and China (Ningxia).

Cluster Scaling – If you add more nodes to an existing cluster, the new nodes will receive the CA-2019 certificate if one or more of the existing nodes already have it. Otherwise, the CA-2015 certificate will be used.

Learning More
Here are some links to additional information:



Discover, Visualize, Optimize: How vRealize Network Insight Helps You Manage Kubernetes Clusters


Contributors: Alka Gupta (Director, Strategic Technical Alliance); Pravin Goyal (Product Line Manager); Eric Railine (Technical Product Line Manager). VMware vRealize Network Insight helps you build an optimized, highly available, and secure network infrastructure across hybrid and multi-cloud environments. It provides network visibility and analytics to accelerate micro-segmentation, minimize risk during application migration, optimize network performance,

The post Discover, Visualize, Optimize: How vRealize Network Insight Helps You Manage Kubernetes Clusters appeared first on Cloud Native Apps Blog.

vSphere Support for Intel FPGA


Since VMware vSphere 6.7 Update 1, VMware expanded its array of supported hardware accelerators by introducing support for the Intel® Arria® 10 GX Field Programmable Gate Array (FPGA) devices. This blog post zooms in on what an FPGA is, what the generic FPGA architecture looks like and how to expose an Intel® Arria® 10 GX

The post vSphere Support for Intel FPGA appeared first on VMware vSphere Blog.

Running PowerShell Core Commands Directly on Ansible Localhost


Previously I’ve written about Running PowerShell Core Commands in a Linux Target from Ansible. In this article, we’ll look at a similar topic, but instead the PowerShell commands will be executed directly on the local Ansible host, not on a Linux based remote target. In my lab I’m running AWX in containers. The cross-platform …

Learn Docker and Kubernetes – Cleveland VMUG – January 2020


Interested in learning about Docker and Kubernetes? Do you like getting your hands dirty and your fingers on the keyboard while you learn about new technology? Plan to attend the Learn Docker and Kubernetes on a Boat event by the Cleveland […]

The post Learn Docker and Kubernetes – Cleveland VMUG – January 2020 appeared first on Cybersylum.

vRealize Network Insight Search Poster for SD-WAN & VeloCloud


Continuing our Search Poster series, we’ve arrived at the SD-WAN & VeloCloud search poster! Using the search engine inside VMware vRealize Network Insight can be a revealing experience. It has every single bit of data you ever wanted to see about anything in your infrastructure and it’s available at your fingertips. Because of the vast

The post vRealize Network Insight Search Poster for SD-WAN & VeloCloud appeared first on VMware Cloud Management.

How to sign PowerShell ps1 scripts


On reading the article title, the first question that comes to mind is why you should sign PowerShell scripts at all. The answer: whenever we download a PowerShell script or receive one from another user, the digital signature lets the user confirm the validity of the certificate used to sign the script, and it lets the user verify that the script has not been tampered with since it was signed. It also lets you curb the use of malicious or foreign scripts that have not been validated by your company; it is a best practice that all scripts should be signed. This article is the next part of Creating an internal PowerShell module repository; using the same commands, modules can also be digitally signed.

Line No. 1: The first command I run configures the PowerShell execution policy for scripts. Without the correct policy, PowerShell will not verify the digital signature and will still execute the script even if it has been modified. Below are the policies you need to know about. By default, RemoteSigned is configured on Windows 10 / Windows Server 2016 and above. I changed it to AllSigned so that every .ps1 script is verified to confirm that its source is authentic.

  • AllSigned: All scripts that you run are required to be digitally signed.
  • RemoteSigned: All remote (UNC) or downloaded scripts need to be signed.

To set the execution policy for a particular scope, see the article Powershell execution policy setting is overridden by a policy defined at a more specific scope; you can also use Group Policy to configure the execution policy across your infrastructure.

  • MachinePolicy: The execution policy set by a Group Policy for all users.
  • UserPolicy: The execution policy set by a Group Policy for the current user.
  • Process: The execution policy that is set for the current Windows PowerShell process.
  • CurrentUser: The execution policy that is set for the current user.
  • LocalMachine: The execution policy that is set for all users.

You can download the complete script here; it is also available

Set-ExecutionPolicy AllSigned -Force    #Configure script execution policy: every script must be signed

$scriptPath = ''               #Share path where all scripts will be hosted (full path of the .ps1 file to sign)
$certStoreLocation = 'Cert:\CurrentUser\My'    #Local certificate store (current user's Personal store)
$certificateName = ''   #Path of the exported .cer file to give to users

#Create a code-signing, self-signed certificate
$selfSignedCertInfo = @{
	Subject = ' Code Signing'
	Type = 'CodeSigning'
	CertStoreLocation = $certStoreLocation
}
$cert = New-SelfSignedCertificate @selfSignedCertInfo

#View the newly created certificate (match on the subject we just used)
Get-ChildItem -Path $certStoreLocation -CodeSigningCert | Where-Object {$_.SubjectName.Name -match $selfSignedCertInfo.Subject}

#Create a simple script (single-quoted here-string so $env:COMPUTERNAME is written literally, not expanded here)
$scriptCode = @'
#Demo Script for Testing
Write-Host "ComputerName: $env:COMPUTERNAME" -BackgroundColor Green

'@
$scriptCode | Out-File -FilePath $scriptPath

#View the files
Get-ChildItem -Path $scriptPath

#Sign the Script
$codeSignInfo = @{
	Certificate = $cert
	FilePath = $scriptPath
}
Set-AuthenticodeSignature @codeSignInfo

#View the files (the signature block increases the file size)
Get-ChildItem -Path $scriptPath

#Test the signature
Get-AuthenticodeSignature -FilePath $scriptPath | Format-List *

#Export certificate to file on sharepath
Export-Certificate -Cert $cert -FilePath $certificateName

#Import it to the user's Trusted Root Certification Authorities store
Import-Certificate -FilePath $certificateName -CertStoreLocation 'Cert:\CurrentUser\Root' -Confirm:$false

#Import certificate to the Trusted Publishers store location
Import-Certificate -FilePath $certificateName -CertStoreLocation 'Cert:\CurrentUser\TrustedPublisher' -Confirm:$false

#Re-sign with the now-trusted certificate
Set-AuthenticodeSignature @codeSignInfo

#Check the script's signature
Get-AuthenticodeSignature -FilePath $scriptPath | Format-List

Line No 03 to 05: Configure the variables for the script file path (share path), the certificate store location ‘Cert:\CurrentUser\My’, and the name of the certificate file to export. All the files are stored on the shared path.


Line No 08 to 13: To sign .ps1 scripts, a special code-signing certificate is required; the certificate type (Enhanced Key Usage) must be Code Signing. This command creates a self-signed certificate in the given certificate store location, CurrentUser >> Personal, which is already defined in the variable on line 4. Since you can freely access your own CurrentUser certificate store, no special privileges are required.

Line No 16: Verify that the self-signed certificate has been created and that its subject matches.



Line No 19 to 24: This is a demo script I am creating; if you already have a script, these steps are not required. I create a quick, small .ps1 script file with a few PowerShell cmdlets, and it is this newly created file that I will digitally sign.

Line No 27: Verify the script file and list it to check the length/size of the file; also open it in Notepad and check the content of the PowerShell script file.


Line no 30 to 34: I use the self-signed certificate created earlier to apply a digital code signature. This adds an Authenticode signature to a PowerShell script or other file. The new digital signature is applied, but the status shows UnknownError.

Line no 37: List the file again with the dir command and check that the length/size of the file has increased; open the file in Notepad and you will see the digital signature block appended at the bottom of the code.

Line no 40: When you check the complete information of the applied Authenticode signature, verify the certificate thumbprint. The output also reveals the error status message: ‘A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider’.


If I try to execute the script, it shows me the same error: ‘A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider’. The next commands resolve this issue.


Line no 43: The Export-Certificate cmdlet exports a certificate from a certificate store to a file. All the variables were defined in the first few lines of the script and are used here as parameters.

Line no 46: The Import-Certificate cmdlet imports one or more certificates into a certificate store. I am importing it into the CurrentUser Trusted Root Certification Authorities store. This pops up the security warning shown below. Make sure the SHA1 thumbprint and subject match the certificate you exported, then press Yes to continue.

You are about to install a certificate from a certification authority (CA) claiming to represent: Code Signing

Windows cannot validate that the certificate is actually from " Code Signing". You confirm its origin by contacting " Code Signing". The following number will assist you in this process.

Thumbprint (sha1): 8043C9C1 73EE1222 0A5C08CA FB056C13 DCC18AEF

If you install this root certificate, Windows will automatically trust any certificate issued by this CA. Installing a certificate with an unconfirmed thumbprint is a security risk. if you click "Yes" you acknowledge this risk. 

Do you want to install this certificate?


Line no 49: Import the same certificate into one more certificate store location, the CurrentUser’s Trusted Publishers store. You can verify both imports in the MMC Certificates GUI.


Verify the script again by executing it; this time it will succeed. You can re-verify the script signature using Get-AuthenticodeSignature; it now shows the digital signature status as Valid.


The next thing I do is open the .ps1 script in Notepad, modify a piece of the code, and try executing the script. This time it shows a different error: “.ps1 file cannot be loaded. The contents of file might have been changed by an unauthorized user or process, because the hash of the file does not match the hash stored in the digital signature. The script cannot run on the specified system. For more information, run Get-Help about_Signing.”

If I check the Authenticode signature, it shows the status HashMismatch. It can be corrected by running lines 30 to 34 again to re-sign the modified file.
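As an added example that is not part of the original article, the following PowerShell function audits every .ps1 on a script share and maps each signature status the article encounters (UnknownError, Valid, HashMismatch, plus NotSigned) to a verdict, also checking that a valid signature comes from an approved signer; the share path and the approved thumbprint list are placeholders you supply.

```powershell
# Added example, not from the original article: audit signatures across a script share.
# $Path and $ApprovedThumbprints are placeholders for your share and your signing cert(s).
function Get-ScriptSignatureReport {
    param(
        [Parameter(Mandatory)] [string]   $Path,                 # folder or UNC share to scan
        [Parameter(Mandatory)] [string[]] $ApprovedThumbprints   # SHA1 thumbprints of approved signers
    )
    Get-ChildItem -Path $Path -Filter *.ps1 -Recurse -File | ForEach-Object {
        $sig   = Get-AuthenticodeSignature -FilePath $_.FullName
        $thumb = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }

        # Map the raw SignatureStatus to an operational verdict. UnknownError is what the
        # article sees before the root is trusted; HashMismatch is what it sees after editing.
        switch ($sig.Status) {
            'Valid' {
                # Chain is trusted, but was it signed with one of *our* certificates?
                $verdict = if ($ApprovedThumbprints -contains $thumb) { 'OK' } else { 'ValidButUnapprovedSigner' }
            }
            'HashMismatch' { $verdict = 'ModifiedAfterSigning' }   # content changed since signing
            'NotSigned'    { $verdict = 'Unsigned' }               # blocked under AllSigned
            'UnknownError' { $verdict = 'UntrustedChain' }         # e.g. root not in Trusted Root store
            default        { $verdict = "Check:$($sig.Status)" }
        }

        [pscustomobject]@{
            Script      = $_.FullName
            Status      = $sig.Status
            Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            Thumbprint  = $thumb
            Timestamped = [bool]$sig.TimeStamperCertificate   # timestamped signatures stay valid after the cert expires
            Verdict     = $verdict
        }
    }
}

# Usage (placeholders): list everything on the share that is not OK.
# Get-ScriptSignatureReport -Path '\\server\share\scripts' -ApprovedThumbprints @('<YOUR-CERT-THUMBPRINT>') |
#     Where-Object Verdict -ne 'OK' | Format-Table -AutoSize
```

Running this on a schedule gives you the HashMismatch and Unsigned cases before a user hits them at execution time.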


Useful Articles
Different ways to bypass Powershell execution policy :.ps1 cannot be loaded because running scripts is disabled
Powershell Trick : Execute or run any file as a script file
Set Powershell execution policy with Group Policy
Powershell execution policy setting is overridden by a policy defined at a more specific scope

vSphere Replication 8.x


vSphere Replication (VR) is VMware’s replication tool to replicate VMs between vCenters. VR supports various Business Continuity and Disaster Recovery scenarios and can also be used as a backup solution, as replications can use the same vCenter for both source and destination. VR is free to anyone running Essentials Plus and is deployed as an […]