...

But again, SURFnet comes to the rescue, because several of their NTP servers are IPv6-enabled. I picked chime3.surfnet.nl, which, according to the web interface, appears to be a Meinberg NTP server. Windows digs it all right:

 

RDP

To manage the server, Remote Desktop Protocol (RDP) is used, which supports IPv6 without any configuration.

Windows Update

Unfortunately the Microsoft Update servers are also available only on IPv4 (sad).

...

Details of the proxy and the Windows configuration process are described on a separate page.

 

 

Exact Software

I phoned up Exact Software Netherlands to see if Exact Globe would support IPv6, but the help desk could not provide me with a definitive answer. So then, time for some testing. 

...

That software supports IPv6 just fine, but I was a bit wary of potential client-side issues. All users in accounting run Windows 7, so the operating system itself shouldn't be a problem.

While testing I quickly found out that the Exact application was using ODBC, which did support IPv6 right away, so the application works on IPv6 (smile).

 

Delta software

This is another piece of proprietary software, this time made by Dutch company BCS HRM en Salarisadministratie B.V.

Recently we bought a server license, and after some research I found out that it is made up of a network share with files, and a database component.

The network share can do IPv6 as mentioned earlier. The database component turns out to be an instance of Sybase SQL Anywhere version 11.

Again the vendor had no clue what IPv6 was, so I did some research myself, and it actually looked good right away.

Apparently Sybase has supported IPv6 for years already. The earliest doc I could find was for version 10 (from 2006).

Versions 11 and 12 support it explicitly. These links were handy, because the software needed some custom connection options.

After opening up TCP port 2638 to the appropriate IPv6 addresses, the software worked (smile)

 

 

Crypto

I wasn't really sure if the SQL Server traffic was plain text or not, and after running Wireshark it turned out that it wasn't...

Because we are part of the TERENA Certificate Service, we have access to 'free' SSL certificates from SURFnet.

Generating key

...

material

I did this on a host with OpenSSL. Also possible on the Windows host but I will write about that later.

Code Block
openssl req -new -keyout server.key -out server.csr -subj /CN=hayek.terena.org/

...

Code Block
cp server.pem all.pem
cat chain.pem >> all.pem
openssl pkcs12 -export -inkey server.key -in all.pem -out server.pfx

Adding the key and

...

materials

Copy this file to the Windows server, and run mmc, then add the Certificates snap-in.

When it asks which account to manage certificates for, select an account that the SQL Server has access to.

...

After fixing that, the certificate showed up in the SQL Server Network Configuration. Then I forced encryption, checked again with Wireshark and indeed no more plain text queries (smile)

 

 

RDP Crypto

Since we now have a nice server certificate in the Windows Certificate Store, I figured I might as well use it to secure more services that run on this machine. The most obvious service is of course the channel by which the machine is managed: Remote Desktop Protocol (RDP). Based on the docs for Remote Desktop Services (RDS), this service does support SSL (TLS 1.0). The installed certificate can be configured with the Remote Desktop Session Host Configuration. While at it, I also selected to only use SSL (TLS 1.0), and High Encryption level:

...

Using Wireshark it is again easy to spot that the session is encrypted.

 

Then I noticed one thing. Up until now I would always get this warning upon connecting to a Windows server:

 

Image Added

 

After installing a real certificate, this warning isn't shown any more, and a nice little lock is shown on the RDP status bar, which shows the certificate information if clicked:

 

Image Added
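The "only use SSL (TLS 1.0)" setting can also be checked without Wireshark. The following is an added example, not part of the original page: a Nagios-style plugin that sends the RDP negotiation request over IPv6 twice, once offering TLS and once offering only the legacy RDP security layer, and expects the server to select the first and refuse the second. The function names are mine, the byte layout and failure code follow MS-RDPBCGR, and it assumes Network Level Authentication is not enforced on the listener.

```python
#!/usr/bin/env python3
"""Nagios-style check: does the RDP listener insist on TLS? (added example)"""
import socket
import struct
import sys

PROTOCOL_RDP, PROTOCOL_SSL = 0, 1   # requestedProtocols values (MS-RDPBCGR)
SSL_REQUIRED_BY_SERVER = 1          # RDP_NEG_FAILURE failureCode

def build_request(protocols):
    """TPKT header + X.224 Connection Request + RDP_NEG_REQ (19 bytes)."""
    neg = struct.pack("<BBHI", 0x01, 0, 8, protocols)
    x224 = bytes([6 + len(neg), 0xE0, 0, 0, 0, 0, 0]) + neg
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224

def parse_response(data):
    """Return ('selected', proto), ('failure', code) or ('legacy', None)."""
    if len(data) < 11 or data[0] != 3 or data[5] & 0xF0 != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    if len(data) < 19:              # confirm without a negotiation block
        return ("legacy", None)
    kind, _flags, _length, value = struct.unpack("<BBHI", data[11:19])
    if kind == 0x02:                # RDP_NEG_RSP
        return ("selected", value)
    if kind == 0x03:                # RDP_NEG_FAILURE
        return ("failure", value)
    raise ValueError("unknown negotiation type 0x%02x" % kind)

def evaluate(legacy_reply, tls_reply):
    """Map the two replies to a Nagios (exit_code, message) pair."""
    if parse_response(tls_reply) != ("selected", PROTOCOL_SSL):
        return 2, "CRITICAL: server did not select TLS when offered"
    if parse_response(legacy_reply) != ("failure", SSL_REQUIRED_BY_SERVER):
        return 2, "CRITICAL: legacy RDP security layer still accepted"
    return 0, "OK: TLS selected, legacy RDP security refused"

def probe(host, protocols, port=3389):
    # AF_INET6 only, so the check exercises the IPv6 path like check_ping -6
    with socket.socket(socket.AF_INET6, socket.SOCK_STREAM) as s:
        s.settimeout(5)
        s.connect((host, port))
        s.sendall(build_request(protocols))
        return s.recv(64)

if __name__ == "__main__":
    host = sys.argv[1]
    code, msg = evaluate(probe(host, PROTOCOL_RDP), probe(host, PROTOCOL_SSL))
    print(msg)
    sys.exit(code)
```

This only covers the negotiation step; which certificate is presented after the TLS handshake still has to be checked separately.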

 

 

 

Service monitoring

All of this stuff is very nice, but it's no good without monitoring.

We run a Nagios 3.x instance in a remote data center, and ideally I'd want to monitor all services that this host runs.

Host alive

Modified version of the default host alive check, with IPv6 flag. From /etc/nagios3/commands.cfg:

 

Code Block
# Changed to include IPv6 flag - DV 2010-12-04
define command{
        command_name    check-host-alive6
        command_line    /usr/lib/nagios/plugins/check_ping -H '$HOSTADDRESS$' -6 -w 5000,100% -c 5000,100% -p 1
}

 

Disk usage

This can be done with the standard check_disk_smb_host_user, because that relies on the smbclient binary, which is part of the samba-3.4.7 package, which supports IPv6.