Transferring Time-based One-time Passwords to a New Smartphone

Abstract Smartphone authenticator apps such as Google Authenticator and Authy implement software tokens that are “two-step verification services using the Time-based One-time Password Algorithm (TOTP) and HMAC-based One-time Password algorithm (HOTP)”. Smartphone TOTP, a form of two-factor authentication (2FA), displays a 6-digit code derived from a shared secret, updating every thirty seconds. The shared secret is presented only once to the user, typically as a QR (Quick Response) Code that is scanned by the authenticator app. ...

January 21, 2019 · 5 min · Brian Cunnie

Troubleshooting Obscure OpenSSH Failures

Abstract By using tcpdump to troubleshoot an elusive error, we uncovered a man-in-the-middle (MITM) ssh proxy installed by our information security (InfoSec) team to harden/protect a set of machines that were accessible from the internet. The ssh proxy in question was Palo Alto Networks’ (PAN) Layer 7 proxy (i.e. it worked on any port, not solely ssh’s port 22), and it was discovered when we observed a failure to negotiate ciphers during the ssh key exchange. ...

November 28, 2018 · 6 min · Brian Cunnie

Safely Upgrading PAS 2.2 with NSX-T Load Balancers

When customers with vSphere+NSX-T-based foundations apply a stemcell update, update a tile, or upgrade PAS (Pivotal Application Service) from 2.2 to 2.3, their Cloud Foundry may become unreachable because their NSX-T static load balancer server pools have been emptied. This blog post describes a method to ensure availability during upgrades, using a combination of customized Operations Manager resource configs and BOSH VM Extensions. The sample workflow in this post upgrades PAS 2.2 to PAS 2.3 together with an Operations Manager upgrade; it can also be adapted to stemcell or tile upgrades. ...

September 6, 2018 · 8 min · Brian Cunnie

How to Install a TLS Certificate on vCenter Server Appliance (VCSA) 6.7 [Updated for vCenter 7]

The following section is the new Quickstart for installing a TLS certificate on vCenter 7. vCenter 7 Quickstart: On your vCenter, navigate to Menu → Administration → Certificates → Certificate Management. On the __MACHINE_CERT tile, click Actions and select Generate Certificate Signing Request (CSR). Enter the appropriate info; for inspiration, this is what we entered: ...

May 9, 2018 · 10 min · Brian Cunnie

Benchmarking the Disk Speed of IaaSes

0. Overview [Disclaimer: the author works for Pivotal Software, of which Dell is an investor. Dell is also an owner of VMware.] It’s helpful to know the performance characteristics of disks when selecting a disk type. For example, the performance of a database server will be greatly affected by the IOPS of the underlying storage. Similarly, a video-streaming server will be affected by the underlying read throughput. 0.0 Highlights: If you need a fast disk, nothing beats a local vSphere NVMe drive. Nothing. Whether it’s IOPS, read throughput, or write throughput, NVMe is the winner hands down. Google’s SSD (Solid State Drive) storage has 22× the IOPS of its standard storage. For general-purpose use, always go with the SSD; however, if you’re doing streaming (long reads or writes), the standard storage may be the better (and cheaper) choice. AWS’s io1 disk is a waste of money unless you need more than ~4k IOPS (the gp2 disk delivers ~4k IOPS). AWS’s now-deprecated standard storage has a decent ~2k IOPS. The key to getting IOPS out of Azure is to enable Host Disk Caching, which can catapult an anemic 120 IOPS to a competitive 8k IOPS. 0.1 Metrics, IaaSes, and Results: In this blog post we record three metrics: ...

March 16, 2018 · 22 min · Brian Cunnie