Tuesday, April 26, 2011

Howto configure Apache with SSL (CentOS):

Configuring an Apache server with SSL is an easy task when you know what you're doing ;)
I decided to make one easy-to-understand quick tutorial that will serve as a memory refresher. In my case I used CentOS 5.5 x64.

So...here we go:

1. Make sure Apache is installed:
#rpm -qa|grep httpd

If not, install it:
#yum install httpd

2. Install the mod_ssl module for Apache 2 to enable SSL support:
#yum install mod_ssl

3. Generate the private key and the certificate request, then send the request (contents of server.csr) to your CA (Verisign, for example):
#openssl req -nodes -newkey rsa:2048 -keyout myserver.key \
-out server.csr

The -nodes option leaves the private key unencrypted on disk, so grant read permission on it to root only:
#chmod 0400 myserver.key

4. After receiving the certificate (public key) + bundle from your CA, unzip them and put them in the same directory as your private key. In my case I used "/etc/ssl/crt":
#mv myserver.key /etc/ssl/crt/
#mv my_server_org_il* /etc/ssl/crt

There is a neat way to check that the public key matches the private key: go to the directory with your certificates and execute the following commands.
For public key:
# openssl x509 -noout -modulus -in hostcert.pem | openssl sha1
4e9d47dec86984789b15db10d204faa5e7aa7777
For private key:
# openssl rsa -noout -modulus -in hostkey.pem | openssl sha1
4e9d47dec86984789b15db10d204faa5e7aa7777

As you can see, the output is the same, which means we're good to go.
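
The same check as an added example (not part of the original post): it compares the full public key instead of the RSA modulus, so it goes beyond the case above and also covers CSRs and non-RSA keys, and it reports an unreadable file separately from a mismatch. It assumes OpenSSL 1.0.0 or later (for "openssl pkey"); the function names and sample file names are made up for illustration.

```sh
#!/bin/sh
# Added example: check that a certificate (or CSR) belongs to a private key
# by comparing the public keys themselves, not only the RSA modulus.
# Assumes OpenSSL 1.0.0+ ("openssl pkey"); function names are hypothetical.

# pubkey_pem KIND FILE -> prints the PEM public key held in FILE
pubkey_pem() {
    case "$1" in
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        key)  openssl pkey -in "$2" -pubout ;;
        *)    return 2 ;;
    esac 2>/dev/null
}

# pair_matches KIND FILE KEYFILE
# returns 0 = match, 1 = mismatch, 2 = a file is missing or unparsable
pair_matches() {
    a=$(pubkey_pem "$1" "$2") || return 2
    b=$(pubkey_pem key "$3") || return 2
    [ -n "$a" ] || return 2
    [ "$a" = "$b" ]
}

# Constructed sample data: two throwaway keys, plus a CSR and a self-signed
# certificate made from the first key only.
make_sample() {
    d=$1
    openssl genrsa -out "$d/a.key" 2048 2>/dev/null &&
    openssl genrsa -out "$d/b.key" 2048 2>/dev/null &&
    chmod 0400 "$d/a.key" "$d/b.key" &&
    openssl req -new -key "$d/a.key" -subj "/CN=support.mydomain.com" \
        -out "$d/a.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/a.csr" -signkey "$d/a.key" -days 1 \
        -out "$d/a.crt" 2>/dev/null
}

# Run with the argument "demo" to exercise the check on the constructed files.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d) && make_sample "$tmp" || exit 2
    pair_matches cert "$tmp/a.crt" "$tmp/a.key" && echo "a.crt / a.key: match"
    pair_matches cert "$tmp/a.crt" "$tmp/b.key" || echo "a.crt / b.key: MISMATCH"
    rm -rf "$tmp"
fi
```

Running the CSR form of the check before sending server.csr to the CA catches a request generated from the wrong key before a certificate is issued for it.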


5. Before making any change, back up both configuration files:
#cp /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.bak
#cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.bak

Edit ssl.conf:

#vi /etc/httpd/conf.d/ssl.conf

Now, it's up to you to decide whether to use a VirtualHost block or not (http://httpd.apache.org/docs/trunk/mod/core.html#virtualhost); either way, the configuration should include the following lines:

ServerAdmin root@localhost
DocumentRoot /var/www/html/support
ServerName support.mydomain.com
ErrorLog logs/support_mydomain_com-error_log
CustomLog logs/support_mydomain_com-access_log common
SSLEngine on
SSLCertificateFile /etc/ssl/crt/support_mydomain_com.crt
SSLCertificateKeyFile /etc/ssl/crt/myserver.key
SSLCACertificateFile /etc/ssl/crt/support_mydomain_com.ca-bundle


6. For proper URL redirection, you can use this line to redirect all incoming http traffic to your https server. Add it to httpd.conf:

RedirectPermanent / https://support.mydomain.com/


7. Restart httpd service:
#/etc/init.d/httpd restart

Make sure Listen 443 line is located in ssl.conf
Make sure Listen 80 line is located in httpd.conf

To check that the web server is listening on both ports, run:
#lsof -i :80
#lsof -i :443

Basic configuration is done. Try to access the server from the browser:
http://support.mydomain.com

Thursday, April 14, 2011

Howto Connect NetApp iSCSI to XenServer 5.6 FP1


Since iSCSI is a great choice as an SR for your XenServer, in terms of performance and scalability, I've decided to create a straightforward and easy-to-understand guide on how to connect NetApp iSCSI-based storage to XenServer. Read on...
On the NetApp side:
1) Enable the iSCSI service on the filer.

2) Create the desired LUN.

3) Dedicate a separate NIC for iSCSI traffic; be sure the filer's dedicated iSCSI NIC is assigned a proper IP address.

4) From the XenServer, copy its iSCSI IQN.

5) Add the new initiator.

6) Map the new LUN to the new initiator.

On the XenServer side:
1) Be sure you have a NIC assigned to iSCSI traffic.


2) Right click on the XenServer -> New storage -> Software iSCSI.

Click on Discover IQNs; it should find the NetApp IQN.
Next, click on Discover LUNs; it should find the available LUNs.

Click "Finish" to attach the SR.

Your newly created LUN should be successfully attached to XenServer at this point.


Wednesday, April 6, 2011

Howto rescan NICs on XenServer

1. First list the physical NICs:
#xe pif-list

2. After making a note of the information, run the following command for each of the new NICs that appear as disconnected:
#xe pif-forget uuid=UUID

3. Next, have the system scan for the correct UUIDs. You will need the UUID of your server (find it with "xe host-list"):
#xe pif-scan host-uuid=UUID

4. List the NICs again to see what we have found:
#xe pif-list

5. You should see the correct UUIDs of your NICs.
Then, run the following command for each of the new NICs to add them back:
#xe pif-plug uuid=UUID

At this point your new NICs should appear as connected.

Sunday, April 3, 2011

Howto Backup VM's in XenServer

I found this technique to be the easiest and most efficient: importing the whole virtual machine to an *.xva file. Though it's not the quickest method, it worked flawlessly for me.

1. At XenServer console as root, mount some SR (CIFS or NFS) to a folder:
#mount -t cifs //myfiler01/ntfs_share /backup/

2. Check the mount:
#mount |grep backup

3. To find the VM you want to export, run:
#xe vm-list


4. Run the export VM command:
#xe vm-export vm=centos5 filename=/backup/centos5_backup.xva

That's it: the VM is exported as an *.xva file, which is easy to import in case of failure.

In case you want to import the VM, run:

#xe vm-import filename=/backup/centos5_backup.xva