23 Sept 2010

RSA AM 7.1 SP3 Replication - 'Needs Action'

After a SAN outage and a restart of our RSA infrastructure, the replication status of the Replica Instances (Primary to Replica) was showing 'Needs Action'. It appeared that RSA believed that it had not replicated in almost 3 weeks.

In order to reinitialise replication, use the following command from the command line on the Primary Instance:

rsautil manage-replication -a resume

After a few minutes and a refresh of the 'Check Replication Status' screen, the 'Data Transfer Status' should show as 'Complete'.

24 Jun 2010

Unrestricting users of RSAUTIL.CMD

I'm using rsautil manage-backups to perform scripted backups of our RSA AM 7.1 SP3 database in conjunction with the disabled password prompt that I posted yesterday. However, when I initially tried to run it under a service account other than the one I had used to install the product, I received the following error:

Error: Cannot run as user 'serviceaccount'. 'rsautil' can only be run by 'myusername' user

I contacted support and received the following response, which was very simple to implement.

  • Use Windows Explorer to locate rsaenv.cmd in the ACEUTILS directory
  • Open rsaenv.cmd in WordPad (or another editor)
  • Locate the line set CLU_USER={username}, where {username} is the user name of the user who installed the RSA Authentication Manager 7.1 software, and comment it out (this preserves the original user name for reference)
  • Add the line set CLU_USER=%USERNAME% directly after the commented-out line from the previous step
  • Save the change
Now any user who is a member of the local Windows Administrators group can use rsautil.cmd. Bear in mind that this check is nothing more than a variable in an editable batch file, so it was never a security boundary: anyone with local administrative rights on the AM server could have changed it anyway. Keep membership of the local Administrators group on the AM servers tight.

Disable RSA AM 7.1 SP3 Backup Password Prompt

It looks like RSA have realised what a nightmare it is to back up their Authentication Manager product and have therefore eased the burden somewhat by allowing the password prompt to be disabled when running a command line backup using "rsautil manage-backups".

To disable the prompt for the password when running a backup using rsautil manage-backups, run the following as documented in the RSA PDFs:


rsautil manage-backups --action disable-pwd-prompt

Once entered, the RSA Master password is required to apply the change. Note that from then on any account able to run rsautil can export the database without supplying the master password, so treat the backup files, and the account the scheduled job runs under, with the same care as the master password itself.
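The two posts above (unrestricting rsautil.cmd and disabling the backup password prompt) exist to make a scheduled, unattended backup possible. The following PowerShell wrapper is an added example of what that scheduled task might run; it is not code from the original posts. The install path, backup folder and event log source are placeholders, and the export syntax "manage-backups -a export -f <file>" is an assumption that should be checked against the utility's own help output on your build. It refuses to write an export into a folder readable by broad groups, because with the prompt disabled the export is as sensitive as the master password used to be.

```powershell
# Added example: scheduled-task wrapper around rsautil manage-backups, run under a
# dedicated service account once rsaenv.cmd has been edited and the password prompt
# disabled. Paths and the "-a export -f" syntax are assumptions, not from the posts.

$rsaHome    = 'C:\Program Files\RSA Security\RSA Authentication Manager'   # assumed path
$rsautil    = Join-Path $rsaHome 'utils\rsautil.cmd'
$backupRoot = 'D:\RSABackups'                                               # assumed path
$keepDays   = 14
$source     = 'RSA AM Backup'                                               # event log source

if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
    New-EventLog -LogName Application -Source $source
}
if (-not (Test-Path $backupRoot)) { New-Item -ItemType Directory -Path $backupRoot | Out-Null }

# With the prompt disabled, an export is as sensitive as the master password used to
# be. Refuse to write one into a folder that broad groups can read.
$broad = (Get-Acl $backupRoot).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference -match '^(Everyone|BUILTIN\\Users|NT AUTHORITY\\Authenticated Users)$'
}
if ($broad) {
    $who = ($broad | ForEach-Object { $_.IdentityReference }) -join ', '
    throw "Refusing to back up: $backupRoot is readable by $who"
}

$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$outFile = Join-Path $backupRoot "am71-$stamp.bak"
$logFile = Join-Path $backupRoot "am71-$stamp.log"

# rsautil.cmd is a batch file; PowerShell hands it to cmd.exe and sets $LASTEXITCODE.
& $rsautil manage-backups -a export -f $outFile 2>&1 | Tee-Object -FilePath $logFile
$rc = $LASTEXITCODE

$ok = ($rc -eq 0) -and (Test-Path $outFile) -and ((Get-Item $outFile).Length -gt 0)
if (-not $ok) {
    Write-EventLog -LogName Application -Source $source -EntryType Error -EventId 1001 `
        -Message "rsautil manage-backups failed (exit code $rc). Log: $logFile"
    exit 1
}

# Rotate exports older than $keepDays; the log files stay alongside for audit.
Get-ChildItem -Path $backupRoot -Filter 'am71-*.bak' |
    Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-$keepDays) } |
    Remove-Item -Force

$sizeMb = [int]((Get-Item $outFile).Length / 1MB)
Write-EventLog -LogName Application -Source $source -EntryType Information -EventId 1000 `
    -Message "RSA AM backup written to $outFile ($sizeMb MB)"
exit 0
```

Run it from a scheduled task as the backup service account with "Run whether user is logged on or not"; the exit code and the Application log entries are what the task scheduler and your monitoring should key off.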

19 May 2010

Preparing an AD Domain for SCOM 2007 using MOMADADMIN.EXE

I've been preparing one of our domains for use with a Gateway Server recently and consequently I've needed to use MomADAdmin.exe to publish the Service Connection Points into AD, so that the Agents can automatically detect the SCOM settings for Management Groups and Servers.

Below is the syntax for using the command:

MomADAdmin.exe <Management Group> <SCOM Admin Group> <Management Server name> <Domain name>

In my instance, the Management server was actually the name of the Gateway server in the domain as opposed to the RMS or MS.
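Since the whole point of running MomADAdmin.exe is that agents later find the right server from AD, it is worth confirming what was actually published, particularly that a gateway-served domain ends up with an SCP naming the gateway rather than the RMS. The PowerShell below is an added example, not part of the original post; it assumes that MomADAdmin.exe creates CN=OperationsManager,CN=System,<domain DN> with one container per management group holding serviceConnectionPoint objects, and the management group and gateway names are placeholders.

```powershell
# Added example: list the service connection points MomADAdmin.exe published for a
# management group and check that the expected (gateway) server is among them.
# Assumed container layout: CN=<MG>,CN=OperationsManager,CN=System,<domain DN>.
$managementGroup = 'ContosoMG'                     # hypothetical
$expectedServer  = 'scomgw01.dmz.contoso.local'    # hypothetical gateway FQDN

$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDn = $rootDse.Get('defaultNamingContext')
$mgPath   = "LDAP://CN=$managementGroup,CN=OperationsManager,CN=System,$domainDn"

if (-not [ADSI]::Exists($mgPath)) {
    throw "No container for management group '$managementGroup' under CN=OperationsManager,CN=System. Did MomADAdmin.exe run against this domain?"
}

# Multi-valued attributes come back as collections; flatten them to a string safely.
function Get-Prop($result, $name) {
    $v = $result.Properties[$name]
    if ($v -and $v.Count -gt 0) { ($v | ForEach-Object { [string]$_ }) -join '; ' } else { '' }
}

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = [ADSI]$mgPath
$searcher.Filter      = '(objectClass=serviceConnectionPoint)'
$searcher.SearchScope = 'Subtree'
foreach ($a in 'name', 'distinguishedName', 'serviceBindingInformation', 'serviceDNSName') {
    [void]$searcher.PropertiesToLoad.Add($a)
}

$found = @()
foreach ($r in $searcher.FindAll()) {
    $found += New-Object PSObject -Property @{
        Name    = Get-Prop $r 'name'
        DN      = Get-Prop $r 'distinguishedname'
        Binding = Get-Prop $r 'servicebindinginformation'
        DnsName = Get-Prop $r 'servicednsname'
    }
}

if ($found.Count -eq 0) { throw "Container exists but holds no service connection points." }
$found | Format-Table Name, DnsName, Binding -AutoSize

# For a gateway-served domain the SCP must name the gateway, not the RMS/MS, or the
# agents will try to reach a server they cannot route to.
$hit = $found | Where-Object {
    $_.DnsName -eq $expectedServer -or $_.Binding -match [regex]::Escape($expectedServer)
}
if ($hit) { "OK: an SCP for $expectedServer is published in $managementGroup." }
else      { Write-Warning "No SCP names $expectedServer; agents in this domain will not discover the gateway." }
```

Run it as a domain user from any domain-joined machine; it only reads the directory. If the container is missing, the command was run with the wrong domain name or by an account without rights to create objects under CN=System.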

29 Apr 2010

Integrating ISA 2006 with RSA AM 7.1 SP2

I've just finished testing RSA SecurID token authentication with FBA (forms-based authentication) on ISA Server 2006; below are the steps that I followed.

We followed some notes on the MS TMG TechNet blog for the actual ISA rule base configuration, which is pretty straightforward.

Register ISA Servers as Authentication Agents in RSA AM 7.1


Open the RSA AM Security Console and go to 'Access', 'Authentication Agents' and 'Add New'.

Complete the details for the ISA Server as an 'Authentication Agent', including the FQDN and IP address. I also set the 'Agent Type' to 'Web Agent' (unlike in the screenshot).


Generate RSA AM Config File

In the Security Console go to 'Access', 'Authentication Agents' and 'Generate Configuration File'.

Check the settings and then click the 'Generate Config File' button to generate the configuration file.

Click 'Download Now' to start the configuration file download.

Extract sdconf.rec from the downloaded AM_Config.zip.

Copy sdconf.rec to C:\Windows\System32\ and C:\Program Files\Microsoft ISA Server\sdconfig\ on all relevant ISA Servers.

Set Node Secret for each Authentication Agent (ISA Server)

In the RSA Security Console, go to 'Access', 'Authentication Agents' and 'Manage Existing'.

Click the arrow next to the appropriate ISA Server and select 'Manage Node Secret...'.

On the RSA AM server, locate agent_nsload.exe and copy it to each ISA Server in the array.

Set a node secret in the RSA AM interface on each Agent entry and download the .zip file when prompted.

Extract the NODESECRET.REC file from the supplied .zip and place it alongside agent_nsload.exe.

To import the node secret on the ISA Server(s), run the following command:

agent_nsload.exe -f <path to nodesecret.rec> -p <node secret password>

A 'securid' file should then be created in C:\Windows\System32\ (note the lack of file extension). This file should then be copied to "C:\Program Files\Microsoft ISA Server\sdconfig\". The node secret is the shared key between the agent and Authentication Manager, so restrict both copies of the 'securid' file to the accounts that need them, and delete NODESECRET.REC and its .zip once the import has succeeded.

That was enough to get ISA working with RSA 7.1 SP2.
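The per-server part of the procedure above (copy sdconf.rec, run agent_nsload.exe, copy the resulting 'securid' file) has to be repeated on every ISA array member, and the node secret ends up as a file on each of them. The PowerShell below is an added example of doing that in one pass, not code from the original post. It assumes the files have been staged in a placeholder folder, that the node secret password is typed at run time rather than stored in the script, and that the ISA Firewall service runs as NETWORK SERVICE (the ISA 2006 default), which is why that account keeps read access to the 'securid' file; adjust the ACL if your service runs differently.

```powershell
# Added example: stage the RSA agent files on an ISA array member, import the node
# secret and lock down the resulting 'securid' file. Staging folder is a placeholder;
# the NETWORK SERVICE grant assumes the default ISA 2006 Firewall service account.

$stage   = 'C:\RSAStage'                                         # assumed staging folder
$isaConf = 'C:\Program Files\Microsoft ISA Server\sdconfig'
$sys32   = Join-Path $env:SystemRoot 'System32'

foreach ($f in 'sdconf.rec', 'nodesecret.rec', 'agent_nsload.exe') {
    if (-not (Test-Path (Join-Path $stage $f))) { throw "$f is missing from $stage" }
}
if (-not (Test-Path $isaConf)) { New-Item -ItemType Directory -Path $isaConf | Out-Null }

# 1. sdconf.rec (the server list, not a secret) goes to both places ISA looks in.
Copy-Item (Join-Path $stage 'sdconf.rec') -Destination $sys32   -Force
Copy-Item (Join-Path $stage 'sdconf.rec') -Destination $isaConf -Force

# 2. Import the node secret. The password is read as a SecureString and only
#    decrypted for the duration of the agent_nsload call.
$secure = Read-Host -AsSecureString 'Node secret password'
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    Push-Location $stage
    & (Join-Path $stage 'agent_nsload.exe') -f (Join-Path $stage 'nodesecret.rec') -p $plain
    $rc = $LASTEXITCODE
    Pop-Location
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    $plain = $null
}

$securid = Join-Path $sys32 'securid'
if ($rc -ne 0 -or -not (Test-Path $securid)) {
    throw "agent_nsload.exe returned $rc and/or $securid was not created"
}

# 3. ISA reads the node secret from its own sdconfig folder as well.
Copy-Item $securid -Destination $isaConf -Force

# 4. The node secret is the shared key between this agent and AM: restrict it to
#    SYSTEM, the Firewall service account and local Administrators.
foreach ($path in @($securid, (Join-Path $isaConf 'securid'))) {
    & icacls $path /inheritance:r /grant:r 'SYSTEM:(R)' 'NT AUTHORITY\NETWORK SERVICE:(R)' 'BUILTIN\Administrators:(F)' | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "icacls failed on $path (exit $LASTEXITCODE)" }
}

# 5. Don't leave the importable secret lying in the staging folder.
Remove-Item (Join-Path $stage 'nodesecret.rec') -Force
"Node secret imported; 'securid' present in $sys32 and $isaConf."
```

Run it once per array member as a local administrator. If the Firewall service cannot read the 'securid' file after step 4, SecurID authentication fails in a way that looks like a node secret mismatch, so check the ACL before regenerating the secret.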

9 Apr 2010

Change RSA AM 7.1 SP2 Allocated Disk Space for Instance Replication

I've deployed three VMs with approximately 40GB of disk space available to RSA AM 7.1 and its database. The problem is that, by default, RSA AM is configured to use a maximum of 100GB, so there's a chance that it could consume all of the available disk and consequently halt its services.

The fix can be found in the Troubleshooting section of the RSA AM Administrative Guide under "Freeing Disk Space Allocated for Logging on a Replica Instance". RSA recommends allowing AM to utilise 75% of the available disk space, therefore if you have 30GB free after install then you should use 22.5GB. Unfortunately the command line doesn't appear to like the decimal point so I used 22GB.

You'll need to open a command prompt, go to the 'utils' folder in the RSA install folder and run the following command, where 22 is the size in GB that you wish to dedicate to RSA AM's logs:

rsautil manage-database -a change-max-size -f archived_trans_files -s 22

You'll be prompted to confirm your password twice and then you should receive "Done...".
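Rather than working the 75% figure out by hand on each instance, the allowance can be derived from the actual free space on the volume that holds Authentication Manager. The PowerShell below is an added example, not from the original post; the install path is a placeholder. It applies the 75% rule, rounds down to a whole number of GB because the utility rejects decimals, and then runs the same rsautil command as above.

```powershell
# Added example: size the archived transaction files allowance from real free space,
# 75% of it rounded down to a whole GB (rsautil does not accept a decimal point).
$rsaHome = 'C:\Program Files\RSA Security\RSA Authentication Manager'   # assumed path
$drive   = Split-Path -Qualifier $rsaHome                               # e.g. C:
$disk    = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$drive'"
if (-not $disk) { throw "Could not query free space for $drive" }

$freeGb = $disk.FreeSpace / 1GB
$sizeGb = [int][math]::Floor($freeGb * 0.75)
if ($sizeGb -lt 1) { throw ("Only {0:N1} GB free on {1}; too little to allocate" -f $freeGb, $drive) }

"Free on {0}: {1:N1} GB; setting archived_trans_files max to {2} GB (75%, rounded down)" -f $drive, $freeGb, $sizeGb

# rsautil is run from its own utils folder; it prompts for the password twice.
Push-Location (Join-Path $rsaHome 'utils')
& .\rsautil.cmd manage-database -a change-max-size -f archived_trans_files -s $sizeGb
Pop-Location
```

Note that this sizes the allowance from the free space at the moment it runs; if anything else shares the volume, re-run it after that data has been placed rather than before.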


That's all for now.

7 Mar 2010

Installing .deb files in Ubuntu

I'm just tweaking my XBMC install and need to install some additional packages. Below is the command to drag them down and install from the hyper global mega net:

sudo apt-get install packagename

10 Feb 2010

VMware Update Manager 1.0 u3 Fix for "There are errors during the remediation operation"

We have a fairly sizeable VMware ESX environment and use VMware's Update Manager for the patching of our hosts and guest VMs. Occasionally when trying to patch VMs, having attached a baseline and already selected 'Scan for updates', I've received the message "There are errors during the remediation operation" when selecting remediate.

By manually running the 'VMware Update Manager Update Download' scheduled task using Run and then restarting the VMware Update Manager service, I've found that the issue disappears. I'm wondering if there's some inconsistency between the metadata download and the data that Update Manager is holding? If anyone knows, I'd love to know!

RSA Authentication Manager 7.1 on VMware ESX 3.5

I'm right in the middle of an RSA Authentication Manager 7.1 SP2 deployment onto VMware ESX 3.5 as I type and, having stumbled across some "gotchas" already, I've decided to note them as I go.

  • It's perfectly acceptable for RSA AM 7.1 to take approximately 15 minutes to start up, thanks to Java and the 'new' Oracle database backend. About 13 minutes of the delay is at "Applying Computer Settings" (even with 2 vCPUs and 4GB RAM).
  • Give the server 4GB of RAM if possible even though RSA only recommend 2GB; that way all the services will be able to start at boot.
  • When installing a Replica Instance, you'll need the replica package created on your Primary Instance and also a copy of your RSA licence certs handy. Also make sure that there is connectivity from it to your existing Primary Instance and any other Replica Instances that you may have. TCP port 2334 will need to be open if you've got a firewall or two in the way.
  • I'm not really having a great deal of luck with RSA AM 7.1; I'm finding it very finicky in terms of connecting Replica Instances to the Primary. I'm considering another rebuild of the VMs so that I'm happy that they're working as they should. I've also experienced my Primary Instance running out of disk space even though it had 30GB set aside just for Authentication Manager.
  • I've rebuilt my Primary and Replica now and they seem to be a little more stable. I've noticed that by default AM will assume that there is 100GB of disk available for replication. Apparently this can be changed by following the directions in Appendix G of the Administrator's PDF. I cannot find the relevant instructions, although I am wondering if it can be achieved using rsautil manage-database and resizing the database files. Update: I've found that I was referring to the old documentation for the above problem. Please see my most recent post to resolve this issue.

26 Jan 2010

Associate the employeeID attribute with the user class in AD

In preparation for our new HR system, I linked the existing employeeID attribute in our AD schema to the user class. This allows an employee ID to be stored in Active Directory for each user. A quick guide can be found here

14 Jan 2010

VMware ESX 3.5 and Storage VMotion

We're in the process of expanding the capacity of our production SAN and consequently have to do some shuffling of data between disk groups and LUNs. The first step in the migration was to move the VMs on our production cluster to some newly provisioned LUNs. Initially I envisaged powering down each VM, selecting Migrate and choosing to relocate its disks as part of the migration process from within the VI client. I didn't fancy this option much due to the time it would take and the downtime incurred, which meant it would more than likely have to be done at a weekend, of which I have few enough as it is.

I'm just cutting my teeth on VMware's PowerCLI so decided to see if I could at least script the process rather than drowning in GUI hell. I found that I could go one better and invoke Storage VMotion using PowerCLI. The blurb in the VMware PDF states that:

VMware® Storage VMotion™ enables live migration for running virtual machine disk files from one storage location to another with no downtime or service disruption.

Sounds like exactly what I'm after. You have the choice of leveraging Storage VMotion using either an unofficial VI plugin (not ideal for production), VMware's RemoteCLI or PowerCLI. I mapped out the source and destination LUNs and moved a few VMs at a time by running the following PowerCLI command. While this took some time to run for each VM, I didn't want to push my luck and was careful of the additional I/O on the source LUNs.


Get-VM "VM_Name" | Move-VM -Datastore "New_DataStoreName" -RunAsync

A new task should appear in the VI Client indicating that the VM's storage is being relocated. While this is happening the VM is available and able to function as expected.
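The one-liner above moves a single VM; the "few at a time, watching the source LUN I/O" approach described in the post is what a script should enforce. The PowerCLI below is an added example, not the original post's command. It assumes an existing Connect-VIServer session, a migration plan (constructed inline here; in practice Import-Csv a file) mapping each VM to its destination datastore, and PowerCLI 4.x property names such as Datastore.FreeSpaceMB and VM.UsedSpaceGB. It skips VMs already on the target, refuses to fill a destination datastore, runs at most a fixed number of Storage VMotions concurrently, and reports the final state of each task.

```powershell
# Added example (PowerCLI): batched Storage VMotion with a concurrency cap and a
# destination free-space check. Assumes an active Connect-VIServer session and
# PowerCLI 4.x property names (FreeSpaceMB, UsedSpaceGB).

$batchSize = 2     # how many concurrent Storage VMotions to allow

# Constructed sample plan; replace with: $plan = @(Import-Csv 'C:\svmotion-plan.csv')
$planCsv = @"
Name,Datastore
web01,SAN_LUN_10
web02,SAN_LUN_10
db01,SAN_LUN_11
"@
$plan = @($planCsv | ConvertFrom-Csv)

# Datastore names are embedded in disk file names as "[SAN_LUN_03] web01/web01.vmdk".
function Get-VmDatastoreNames($vm) {
    Get-HardDisk -VM $vm | ForEach-Object {
        if ($_.Filename -match '^\[(.+?)\]') { $matches[1] }
    } | Sort-Object -Unique
}

$results = @()
for ($i = 0; $i -lt $plan.Count; $i += $batchSize) {
    $last  = [math]::Min($i + $batchSize, $plan.Count) - 1
    $batch = $plan[$i..$last]
    $tasks = @()

    foreach ($row in $batch) {
        $vm = Get-VM -Name $row.Name -ErrorAction SilentlyContinue
        $ds = Get-Datastore -Name $row.Datastore -ErrorAction SilentlyContinue
        if (-not $vm -or -not $ds) {
            Write-Warning "Skipping $($row.Name): VM or datastore '$($row.Datastore)' not found"
            continue
        }

        # Nothing to do if every disk is already on the target.
        $current = @(Get-VmDatastoreNames $vm)
        if ($current.Count -eq 1 -and $current[0] -eq $ds.Name) {
            "$($vm.Name) is already on $($ds.Name)"
            continue
        }

        # Keep 10% headroom on the destination; a full VMFS volume is worse than a slow move.
        $neededMb = $vm.UsedSpaceGB * 1024 * 1.1
        if ($ds.FreeSpaceMB -lt $neededMb) {
            Write-Warning "Skipping $($vm.Name): $($ds.Name) has $($ds.FreeSpaceMB) MB free, needs ~$([int]$neededMb) MB"
            continue
        }

        $tasks += Move-VM -VM $vm -Datastore $ds -RunAsync -Confirm:$false
    }

    # Wait for this batch to finish before starting the next, to cap load on the source LUNs.
    if ($tasks.Count -gt 0) {
        Wait-Task -Task $tasks | Out-Null
        foreach ($t in $tasks) {
            $t = Get-Task -Id $t.Id            # refresh the task's state after waiting
            $results += New-Object PSObject -Property @{
                Task = $t.Description; State = $t.State; Finished = $t.FinishTime
            }
        }
    }
}

$results | Format-Table Task, State, Finished -AutoSize
```

Any task whose State is not Success should be investigated in the VI client before the next run; the VM itself keeps running throughout, as the post notes, but its disks may be left on the original datastore.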

13 Jan 2010

Managing Non Domain Integrated DMZ Servers in SCOM 2007 R2

First of all, it's wise to ensure that each of the servers, both Management Servers and Agent servers, has the PKI certificate chain installed. With an internal PKI such as MS Certificate Services, this can be downloaded from the Certificate Services web interface, which is normally http:///certsrv. Click the 'Download a CA certificate, certificate chain, or CRL' link, followed by 'Download CA certificate chain'. A prompt to download the certnew.p7b file, which is the certificate chain, will appear. The certificate chain should be imported into each Management Server and each DMZ server as required, using the MMC and the Certificates snap-in.

To facilitate the mutual authentication, a new certificate template is required, but this will require an Enterprise CA (certificate templates are not available on a standalone CA). The MS TechNet article covers the configuration required.

Each SCOM Management Server will require an instance of the newly created OperationsManager certificate. This can again be requested from the MS Certificate Services web interface. Navigate to the URL (normally http:///certsrv) and select 'Request a certificate' and then 'Create and submit a request to this CA'. Select the newly created OperationsManager template from the drop-down. It is important that both the 'Name' and 'Friendly Name' fields match the server's name exactly, either the FQDN or just the NetBIOS name. Ensure that the certificate is installed to the Local Computer certificate store on each Management Server.

The above step is also required for each DMZ server which is to host an Agent. It's worth ensuring that the 'Mark keys as exportable' option is checked, as this allows the certificate to be exported from your local machine and imported on the destination DMZ server. Don't delete the .pfx certificate once imported into the server's local store, as it's required for the MOMCertImport.exe step; once that step has succeeded, remove the .pfx so that the private key is not left lying around in a file.

Additional steps to ensure that name resolution can take place may be required depending upon your configuration. Due to my DMZ configuration, I used HOSTS file entries on the DMZ server for the Management Servers' names and IP addresses, and also on the Management Servers for the DMZ servers' names and IP addresses.

In order to install the Agent, I found that MSXML 6 was required, followed by the manual GUI install of the Agent. I left all options as standard as part of the install. Once finished, I then ran a second install using the command line, which loosely resembled the following. This command defines the Management Group(s) and associated Management Server, as the details cannot be retrieved from Active Directory in this case.

MsiExec.exe /i MOMAgent.msi /norestart /qn MANAGEMENT_GROUP="ManagementGroupName" MANAGEMENT_GROUP_OPERATION=AddConfigGroup MANAGEMENT_SERVER_DNS=ManagementServerName REINSTALL=ALL

In order to import the Operations Manager certificate into SCOM, the MOMCertImport.exe utility is required. While there are many published commands on the Internet, I found the following worked for me:

MOMCertImport.exe "Path to the exported Cert with private key"

Once entered, you should be prompted for the private key password that you previously specified when exporting the certificate to the .pfx format. A message confirming a successful import should appear. You can also check that the certificate was imported correctly by checking the registry on the server: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings\ChannelCertificateSerialNumber should contain the serial number of the certificate that you've imported. It's worth restarting the Agent's service to pick up the newly imported certificate.


A 'Run As Account' is required for SCOM so that it can run tasks on the DMZ based server. This requires creating a local account which has administrative rights on the server. The details of the account then need to be entered in the SCOM Management Console. A new Run As account can be created by going to 'Administration' and then, under 'Run As Configuration', right-clicking 'Accounts' and selecting 'Create new Run As account'. Set the options as follows in the wizard.

Run As account Type - Action Account
Display Name - Action Account
Username -
Password -
Domain -

Click 'Next' then 'Create' to finish the account configuration.

Lastly, the Run As profile needs configuring so that SCOM knows to use the new account when communicating with the DMZ based server. This can be done by going to 'Profiles' under 'Run As Configuration' and finding the 'Default Action Account' entry. Double click 'Default Action Account', find the new server in the list, double click the server, select the newly created Run As account and click 'Save' and 'Close'.

It's probably best to restart the System Center Management service on the DMZ server so that it picks up the changes made in the SCOM console. That should be it, happy DMZ management.
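The agent-side steps above (the msiexec install, MOMCertImport.exe, the ChannelCertificateSerialNumber registry check and the service restart) are the part most worth scripting, since they are repeated for every DMZ host and an unnoticed mismatch just leaves the agent silently unable to authenticate. The PowerShell below is an added example, not code from the original post. The paths, management group and server names are placeholders, and one assumption is worth calling out: the registry value is REG_BINARY and in my experience stores the serial number with its bytes reversed relative to the hex string shown in the certificate MMC, so the check accepts either byte order.

```powershell
# Added example: unattended SCOM agent install on a DMZ server, certificate import
# with MOMCertImport.exe, and verification against the registry and the local store.
# Paths and names are placeholders. The byte-reversed comparison reflects how the
# REG_BINARY serial number has appeared in practice; both orders are accepted.

$msi      = 'C:\Install\MOMAgent.msi'            # assumed path
$pfx      = 'C:\Install\dmzsrv01.pfx'            # assumed path
$certTool = 'C:\Install\MOMCertImport.exe'       # assumed path (from the SCOM SupportTools folder)
$mgName   = 'ContosoMG'                          # hypothetical management group
$mgmtSrv  = 'scomgw01.corp.contoso.local'        # hypothetical management/gateway server

# 1. Install pointing straight at the management server; a non-domain DMZ host
#    cannot pull this from AD.
$msiArgs = "/i `"$msi`" /norestart /qn MANAGEMENT_GROUP=`"$mgName`" " +
           "MANAGEMENT_GROUP_OPERATION=AddConfigGroup MANAGEMENT_SERVER_DNS=$mgmtSrv REINSTALL=ALL"
$p = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
if (@(0, 3010) -notcontains $p.ExitCode) { throw "msiexec returned $($p.ExitCode)" }

# 2. Import the certificate; MOMCertImport prompts for the .pfx password itself.
& $certTool $pfx
if ($LASTEXITCODE -ne 0) { throw "MOMCertImport.exe returned $LASTEXITCODE" }

# 3. Read the serial number from the .pfx and compare with what the agent recorded.
$pfxPwd = Read-Host -AsSecureString 'PFX password (to read the serial number)'
$cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cert.Import($pfx, $pfxPwd, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)

$regPath  = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'
$bytes    = [byte[]](Get-ItemProperty -Path $regPath -Name ChannelCertificateSerialNumber).ChannelCertificateSerialNumber
$forward  = ($bytes | ForEach-Object { $_.ToString('X2') }) -join ''
$rev      = [byte[]]$bytes.Clone(); [array]::Reverse($rev)
$backward = ($rev | ForEach-Object { $_.ToString('X2') }) -join ''

if ($forward -ne $cert.SerialNumber -and $backward -ne $cert.SerialNumber) {
    throw "Registry serial ($forward, reversed $backward) does not match certificate serial $($cert.SerialNumber)"
}

# 4. The certificate must sit in the Local Computer store with its private key, and the
#    name on it should be the name the management server knows this host by.
$installed = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $installed)               { throw "Certificate $($cert.Thumbprint) is not in LocalMachine\My" }
if (-not $installed.HasPrivateKey) { throw "Certificate is present but has no private key" }

$subjectCn = (($cert.Subject -split ',')[0] -replace '^\s*CN=', '').Trim()
$fqdn      = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
if ($subjectCn -ne $fqdn -and $subjectCn -ne $env:COMPUTERNAME) {
    Write-Warning "Certificate CN '$subjectCn' matches neither '$fqdn' nor '$env:COMPUTERNAME'"
}

# 5. Restart the agent so it picks up the certificate, then remove the .pfx so the
#    private key is not left in a file now that the import has succeeded.
Restart-Service HealthService
Remove-Item $pfx -Force
"Agent installed, certificate $($cert.Thumbprint) imported and verified."
```

If step 3 throws, the agent will log certificate errors in the Operations Manager event log after the restart; re-run MOMCertImport.exe with the right .pfx rather than editing the registry value by hand.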