Open vSwitch Network Monitoring Using sFlow and sFlow-RT

This post describes how to use Open vSwitch together with an sFlow collector to monitor network traffic and build a VM-to-VM traffic matrix. The instructions target traffic monitoring for VMs connected to a software bridge and are described for an OpenStack setup (VMs are connected to br-int on each compute host).

Configuration Steps

1. On each physical host where the software bridge (Open vSwitch) is installed, define the following environment variables in the shell:

COLLECTOR_IP=192.168.99.1
COLLECTOR_PORT=6343
AGENT_IP=eno1
HEADER_BYTES=128
SAMPLING_N=64
POLLING_SECS=10

COLLECTOR_IP is the IP address of the host that collects the monitoring data and on which sFlow-RT is installed. Port 6343 (COLLECTOR_PORT) is the default port for sFlow-RT; if you use an sFlow collector other than sFlow-RT, set the port that collector listens on. Setting AGENT_IP to eno1 makes the sFlow agent send its datagrams from the IP address associated with that network interface. HEADER_BYTES is the number of bytes of each sampled packet header that are exported, SAMPLING_N is the sampling rate (on average one packet in every N), and POLLING_SECS is how often, in seconds, interface counters are exported.

2. Now create the sFlow agent configuration for the bridge using the following command:

$ ovs-vsctl -- --id=@sflow create sflow agent=${AGENT_IP} target="${COLLECTOR_IP}\:${COLLECTOR_PORT}" header=${HEADER_BYTES} sampling=${SAMPLING_N} polling=${POLLING_SECS} -- set bridge br-int sflow=@sflow

Note down the UUID of the sFlow agent returned by this command; you need it to remove the sFlow configuration later. You can also list the sFlow agents using the following command:

$ ovs-vsctl list sflow

To remove the sFlow agent configuration from a bridge, in our case br-int, run the following command:

$ ovs-vsctl remove bridge br-int sflow <UUID>

where UUID is the id of the sFlow agent returned in the earlier configuration.

3. Now download and install sFlow-RT, the engine that collects the streams from the sFlow agents embedded in the software switch and converts them into metrics accessible through REST APIs. To download, install and run sFlow-RT, use the following commands on the collector host (COLLECTOR_IP):

wget http://www.inmon.com/products/sFlow-RT/sflow-rt.tar.gz
tar -xvzf sflow-rt.tar.gz
cd sflow-rt
./start.sh


4. Now use a web browser to connect to http://192.168.99.1:8008 to interact with the REST API. You can define flows in the Flows tab to match packets or transactions that share common attributes and compute rate information. For example, the following definition creates a flow called VMS that captures the source and destination IP addresses of VMs connected to the bridge and calculates bytes per second for each address pair:

[Screenshot of the VMS flow definition in the sFlow-RT Flows tab]

The following Python code defines the same flow using the REST API:

#!/usr/bin/env python
import requests
import json

# Key each flow on the VM source and destination IP addresses, measure it in
# bytes per second, and log it so that its history can be queried later.
flow = {'keys':'ipsource,ipdestination','value':'bytes','log':True}
# PUT the definition to sFlow-RT under the flow name VMS.
requests.put('http://192.168.99.1:8008/flow/VMS/json',data=json.dumps(flow))

To retrieve the active flows for this definition, use the following REST API call:

requests.get('http://192.168.99.1:8008/activeflows/ALL/VMS/json')
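To turn the VMS flow into the VM-to-VM traffic matrix this post set out to build, the following script (an added example, not code from the original post or from sFlow-RT) defines the flow, polls the activeflows endpoint and aggregates the result. The activeflows record shape with key and value fields is an assumption documented in the code, and the embedded records are constructed sample data.

```python
#!/usr/bin/env python3
"""Build a VM-to-VM traffic matrix from sFlow-RT's activeflows endpoint."""

SFLOW_RT = "http://192.168.99.1:8008"   # collector host from the post
FLOW_NAME = "VMS"
# Same definition as the post's requests.put() call.
FLOW_DEFINITION = {"keys": "ipsource,ipdestination", "value": "bytes", "log": True}


def define_flow(session):
    """PUT the VMS flow definition to sFlow-RT (needs network access)."""
    return session.put("%s/flow/%s/json" % (SFLOW_RT, FLOW_NAME),
                       json=FLOW_DEFINITION)


def fetch_active_flows(session):
    """GET the current top keys of the VMS flow from every agent."""
    url = "%s/activeflows/ALL/%s/json" % (SFLOW_RT, FLOW_NAME)
    return session.get(url).json()


def build_traffic_matrix(records):
    """Aggregate activeflows records into {(src_ip, dst_ip): bytes_per_second}.

    Assumed record shape (as returned by the activeflows endpoint):
    {"key": "ipsource,ipdestination", "value": <number>, "agent": ..., ...}.
    A flow between VMs on two different compute hosts is sampled by both
    hosts' br-int agents and so appears once per agent; the values are
    independent estimates of the same rate, so the larger one is kept
    instead of summing, which would double count. Records without a
    two-part key or a numeric value are skipped.
    """
    matrix = {}
    for rec in records:
        parts = str(rec.get("key", "")).split(",")
        if len(parts) != 2 or not all(parts):
            continue
        try:
            value = float(rec.get("value"))
        except (TypeError, ValueError):
            continue
        pair = (parts[0], parts[1])
        matrix[pair] = max(matrix.get(pair, 0.0), value)
    return matrix


def top_pairs(matrix, n=10):
    """Return the n busiest (src, dst, bytes_per_second) triples."""
    return sorted(((s, d, v) for (s, d), v in matrix.items()),
                  key=lambda t: t[2], reverse=True)[:n]


def render_matrix(matrix):
    """Text table with one row per source VM and one column per destination."""
    if not matrix:
        return "(no flows)"
    hosts = sorted({h for pair in matrix for h in pair})
    width = max(len(h) for h in hosts) + 2
    lines = ["".ljust(width) + "".join(h.rjust(width) for h in hosts)]
    for src in hosts:
        cells = ("%.0f" % matrix.get((src, dst), 0.0) for dst in hosts)
        lines.append(src.ljust(width) + "".join(c.rjust(width) for c in cells))
    return "\n".join(lines)


# Constructed sample in the assumed activeflows shape: the agents on two
# compute hosts both report the 10.0.0.11 -> 10.0.0.12 flow, and one
# record is malformed.
SAMPLE_ACTIVEFLOWS = [
    {"agent": "192.168.0.2", "dataSource": "2",
     "key": "10.0.0.11,10.0.0.12", "value": 52000.0},
    {"agent": "192.168.0.3", "dataSource": "2",
     "key": "10.0.0.11,10.0.0.12", "value": 48500.0},
    {"agent": "192.168.0.2", "dataSource": "2",
     "key": "10.0.0.12,10.0.0.11", "value": 3100.0},
    {"agent": "192.168.0.3", "dataSource": "2",
     "key": "10.0.0.13,10.0.0.11", "value": 900.0},
    {"agent": "192.168.0.3", "dataSource": "2", "key": "bad", "value": "n/a"},
]

if __name__ == "__main__":
    try:
        import requests
        records = fetch_active_flows(requests.Session())
    except Exception:           # collector unreachable: fall back to the sample
        records = SAMPLE_ACTIVEFLOWS
    print(render_matrix(build_traffic_matrix(records)))
```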

Please leave your feedback and questions on this article.
If you find any bugs, please leave a comment.


Installing OpenStack on a small cluster using CentOS and RDO

The Cluster

Below is our cluster setup. Please note that we are constrained by the devices we have and the service provider we use. Your configuration might be different, and different network topologies might require changes to the following instructions. Be aware of what you are doing.

[Figure: diagram of the cluster setup]

CentOS 7 Installation

  1. Install CentOS 7 with the following configuration on the head node of your cluster. You need the minimal CentOS ISO, which you can download from https://www.centos.org/download/.
           hostname: controller
           password: YOURPASSWORD
    Choose “manually configure partition”, delete all the existing partitions, and then click “automatically generate partitions”. Make the root partition as large as possible: you can remove the /home partition if you are not going to use it and allocate its space to the root partition (/).
  2. Do the same for all other nodes in the cluster and set the hostnames as follows:
           hostname: compute2, compute3, compute4, compute5, compute6, compute7
           password: YOURPASSWORD
    For partitioning choose “Use All Space” and check “Review and modify partitioning layout”; then you can remove the lv_home (/home) partition and add all the free space to lv_root (/).

Network Configuration

In our scenario the controller node has two interfaces: interface 1 (eno1) is connected to the public network and interface 2 (eno2) is connected to a local switch that connects all the nodes in the cluster.

1. Controller (compute1 and gateway):

  1. Login with root username and password
  2. Stop the first network interface (eno1) from being managed by the NetworkManager daemon
    vi /etc/sysconfig/network-scripts/ifcfg-eno1
    
    NM_CONTROLLED=no

    save and exit.

  3. Set a static private IP address for the controller (192.168.0.1):
    vi /etc/sysconfig/network-scripts/ifcfg-eno2
    
    BOOTPROTO=static
    IPADDR=192.168.0.1
    NETMASK=255.255.255.0
    ONBOOT=yes
    NM_CONTROLLED=no

    save and exit.

  4. Restart the network service:
    systemctl restart network
  5. Check that the Internet connection is working:
    ping www.google.com
  6. Update your repositories and install openssh-server, openssh-clients, nano, wget and net-tools:
    yum -y update
    yum install -y openssh-server openssh-clients nano wget net-tools
  7. Change the state of SELinux to permissive:
    nano /etc/selinux/config
    SELINUX=permissive
  8. Add host name entries for all cluster nodes:
    nano /etc/hosts
    192.168.0.1 controller compute1 gateway
    192.168.0.2 compute2
    192.168.0.3 compute3
    ...
  9. Disable Network Manager and firewall to avoid conflicts with OpenStack
    systemctl stop firewalld
    systemctl disable firewalld
    systemctl stop NetworkManager
    systemctl disable NetworkManager
    systemctl enable network
    systemctl restart network


2. NAT Configuration on the Controller Node:

To provide Internet access to other machines in the cluster, you should enable NAT. If all machines in the cluster are getting public IPs by default you can skip this step.

  1. Enable the NAT forwarding from iptables to give Internet access to compute hosts by executing the following commands:
    yum install -y iptables-services
    
    chkconfig iptables on
    
    iptables -F
    iptables -t nat -F
    iptables -t mangle -F
    iptables -t nat -A POSTROUTING -o eno1 -j MASQUERADE
    iptables -A FORWARD -i eno2 -j ACCEPT
    iptables -A FORWARD -o eno2 -j ACCEPT
    service iptables save
    service iptables restart
  2. Check that iptables has been configured properly:
    iptables -S

    The output should include these:
    -P INPUT ACCEPT
    -P FORWARD ACCEPT
    -P OUTPUT ACCEPT
    -A FORWARD -i eno2 -j ACCEPT
    -A FORWARD -o eno2 -j ACCEPT

  3.   To make sure you do not lose iptables configuration do the following:
    vi /etc/sysconfig/iptables-config
    
    IPTABLES_SAVE_ON_RESTART="yes"
    IPTABLES_SAVE_ON_STOP="yes"
    service iptables restart
  4. Enable IP forwarding:
    nano /etc/sysctl.conf
    
    net.ipv4.ip_forward=1
  5. Reboot the controller machine and make sure the changes are persistent.

3. Compute Nodes

  1. Login with root username and password
  2. Set a static private IP address for each node (192.168.0.2 for compute2, 192.168.0.3 for compute3, and so on):
    vi /etc/sysconfig/network-scripts/ifcfg-eno2
    
    NM_CONTROLLED=no
    BOOTPROTO=static
    IPADDR=192.168.0.2
    NETMASK=255.255.255.0
    GATEWAY=192.168.0.1
    ONBOOT=yes
  3. Define some nameservers for your compute nodes
    vi /etc/resolv.conf
    
    nameserver 128.250.66.5 #this is our first private DNS server
    nameserver 128.250.201.5 #this is our second private DNS server
    nameserver 8.8.8.8
  4. Restart your network service.
    service network restart
  5. Update your repositories and install openssh-server, openssh-clients, nano, wget and net-tools:
    yum -y update
    yum install -y openssh-server openssh-clients nano wget net-tools
  6. Change the state of SELinux to permissive:
    nano /etc/selinux/config
    SELINUX=permissive
  7. Add host name entries for all cluster nodes:
    nano /etc/hosts
    192.168.0.1 controller compute1 gateway
    192.168.0.2 compute2
    192.168.0.3 compute3
    ...
  8. Disable Network Manager and firewall to avoid conflicts with OpenStack Networking Service.
    systemctl stop firewalld
    systemctl disable firewalld
    systemctl stop NetworkManager
    systemctl disable NetworkManager
    systemctl enable network
    systemctl restart network
  9. Reboot all machines to make sure the changes are persistent.

OpenStack Installation

Make sure all nodes (controller, compute2, compute3, …) are already configured and ready. Refer to https://www.rdoproject.org/install/quickstart/ if you are not sure about the previous cluster setup steps.

  1. Make sure your /etc/environment is populated (one variable per line):
    vi /etc/environment
    
    LANG=en_US.utf-8
    LC_ALL=en_US.utf-8
  2. Install the RDO release package:
    yum install -y https://www.rdoproject.org/repos/rdo-release.rpm
    yum update -y
  3. Install openstack-packstack, a set of scripts that installs all pieces of OpenStack, and generate the default settings for packstack:
    yum install -y openstack-packstack
    packstack --gen-answer-file=~/answers.cfg
  4. Export these environment variables:
    export OS_USERNAME=admin
    export OS_PASSWORD=YOURPASSWORD
  5. Edit answers.cfg based on your requirements and make sure the following settings are in place (keep comments on their own lines, not after a value):
    # these are our private NTP servers, use yours
    CONFIG_NTP_SERVERS=ntp1.unimelb.edu.au,ntp2.unimelb.edu.au
    # the IP address of the controller is 192.168.0.1
    CONFIG_CONTROLLER_HOST=192.168.0.1
    CONFIG_NETWORK_HOSTS=192.168.0.1
    CONFIG_AMQP_HOST=192.168.0.1
    # add the IP addresses of all compute nodes
    CONFIG_COMPUTE_HOSTS=192.168.0.1,192.168.0.2,192.168.0.3,192.168.0.4,192.168.0.5,192.168.0.6,192.168.0.7
    CONFIG_NEUTRON_ML2_TYPE_DRIVERS=vxlan,flat,vlan
    CONFIG_NEUTRON_ML2_TENANT_NETWORK_TYPES=vxlan
    CONFIG_NEUTRON_ML2_MECHANISM_DRIVERS=openvswitch
    CONFIG_NEUTRON_L2_AGENT=openvswitch
    CONFIG_NEUTRON_OVS_BRIDGE_MAPPINGS=extnet:br-ex
    # pay attention here: the external bridge is attached to eno2
    CONFIG_NEUTRON_OVS_BRIDGE_IFACES=br-ex:eno2
    CONFIG_CINDER_VOLUMES_SIZE=100G
    CONFIG_KEYSTONE_ADMIN_PW=YOURPASSWORD
    CONFIG_PROVISION_DEMO=n
  6. Run packstack with your configuration:
    packstack --answer-file=~/answers.cfg
  7. Source keystonerc_admin before using the OpenStack command-line clients. The admin user name and password for accessing the dashboard are in this file.
    source keystonerc_admin
  8. If you have a domain name for your public IP address and want to access the dashboard through it, add a ServerAlias:
    vi /etc/httpd/conf.d/15-horizon_vhost.conf
    
    ServerAlias YOURDOMAINAME
    #for example iaas.clouds.com
  9. Source the OpenStack credentials automatically at login:
    echo "source /root/keystonerc_admin" >> ~/.bashrc
  10. Now open the OpenStack dashboard in your browser at http://YOURDOMAIN/dashboard, for example http://iaas.clouds.com/dashboard/.
  11. You can skip this step if you have already set CONFIG_NEUTRON_OVS_BRIDGE_IFACES=br-ex:eno2. If the external bridge was not created properly and you have network issues, you can create it manually as explained below; in that case leave CONFIG_NEUTRON_OVS_BRIDGE_IFACES empty in answers.cfg. First, create the bridge:
    vi /etc/sysconfig/network-scripts/ifcfg-br-ex
    
    NAME=br-ex
    DEVICE=br-ex
    DEVICETYPE=ovs
    TYPE=OVSBridge
    BOOTPROTO=static
    IPADDR=192.168.0.1
    NETMASK=255.255.255.0
    GATEWAY=192.168.0.1
    DNS1=8.8.8.8
    DNS2=128.250.201.5
    ONBOOT=yes
    DEFROUTE=yes
    IPV4_FAILURE_FATAL=no
    IPV6INIT=no

    Note that you are now allocating the IP address of the controller to the bridge.
    Now add the controller node's eno2 interface as a port of this bridge:

    vi /etc/sysconfig/network-scripts/ifcfg-eno2
    
    TYPE=OVSPort
    BOOTPROTO=none
    NAME=eno2
    IPV6INIT=no
    DEVICE=eno2
    ONBOOT=yes
    NM_CONTROLLED=no
    DEVICETYPE=ovs
    OVS_BRIDGE=br-ex

    Restart your network service to check that everything is working:

    service network restart


Virtual Network in OpenStack

For the network setup in OpenStack follow the steps in this clip.
Note that you need to create some images before performing these steps.

x11 forwarding in Windows using git-bash and Xming

This tutorial explains how to get X11 forwarding working on Windows with Git Bash (not PuTTY; PuTTY has another way of doing this).

  1. Install Xming: http://sourceforge.net/projects/xming/
  2. Start Xming from the Programs menu.
  3. Open Git Bash from the Start Menu.
  4. Export the DISPLAY environment variable in the bash shell:
    export DISPLAY=localhost:0
  5. ssh to the target machine with X11 forwarding enabled (-X; -Y additionally requests trusted forwarding, which skips the X11 SECURITY extension restrictions):
    ssh -XY me@myhost
  6. Test X11 forwarding by starting a graphical program, e.g. nautilus, on the target machine.

How to fix “A certificate could not be found that can be used with this Extensible Authentication Protocol. (Error 789)” for Azure Point-to-Site VPN

In my previous post, I discussed how you can configure Azure point-to-site VPNs to create a virtual network on the Azure platform. In some circumstances you may get error 798 with the status “A certificate could not be found that can be used with this Extensible Authentication Protocol”. In the following instructions I go through options to resolve this issue.

After installing and configuring the Point-To-Site VPN client, sometimes the following error occurs when dialing the connection:

[Screenshot of the error dialog: “A certificate could not be found that can be used with this Extensible Authentication Protocol.”]

If you are sure the error is not caused by one of the following problems, follow the instructions below.

  1. You did not add the client digital certificate on the computer from which you are trying to make the VPN connection. Check that you followed all the steps in Part 3.2, Generate and install the client certificates, of our instructions on how to configure Azure point-to-site VPNs.
  2. The corresponding digital certificate exists but has not been imported into the Personal store; it may instead have been imported into the Computer store of the certificate store.

The instruction is designed based on Windows 7. But other Windows versions would be very similar with minor changes.

Manual Configuration of VPN in Windows

  1. Open Control Panel > Network and Sharing Center > Set up a new connection or network.
  2. Choose Connect to a workplace.
  3. Choose Use my Internet Connection (VPN).
  4. Now give your connection a name. For the address, enter the TunnelAddress to which you want to connect. To find the address, check the log file of the unsuccessful VPN connection you created from the VPN client package downloaded from Azure:
    a) Right click on your VPN connection.
    b) Open Properties.
    c) Open View log.
    You should find something like Tunnel DeviceName =  TunnelAddress = azuregateway-59cc4…………………….d113c7e8.cloudapp.net
    This is the address.
  5. Right click on the manual VPN connection you created and open Properties; go to the Security tab.
  6. Then open the authentication method's properties and choose the option “Use a certificate on this computer”.
  7. Finally, to keep Internet access while connected to the VPN, go to the “Networking” tab and open the properties of the IPv4 protocol.
  8. Click “Advanced”.
  9. Uncheck the option “Use default gateway on remote network”.
  10. Now test the connection to Azure; it should give you the option to select the client certificate.
  11. Select your Azure client certificate and click OK.
  12. You should now be connected to Azure!

How to activate the “Enable Strong private key protection” option.

If you are trying to import a certificate into the Personal store of the local user and find that the option “Enable strong private key protection. You will be prompted every time the private key is used by an application if you enable this option” is grayed out, you can follow these steps to resolve the issue:

a. Open mmc.exe from the Run prompt.

b. File > Add/Remove Snap-in, then double-click Group Policy Object.

c. Click Finish and OK.

d. Open Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options. In the right panel, find “System cryptography: Force strong key protection for user keys stored on the computer” and open it.

e. Select “User input is not required when new keys are stored and used”.

f. Click Apply and OK.

Configure Azure Point-to-Site VPN Connections – Azure Resource Manager (ARM)

# Part 1: create the VPN and Gateway

First you need to create your VNet and VPN gateway in Azure. You can do this using PowerShell or the Azure portal. Below are the PowerShell commands.

Login-AzureRmAccount
Select-AzureRmSubscription -SubscriptionName "Your Subscription Name"
$VNetName = "Aneka-VNET-SITE"
$FESubName = "FrontEnd"
$BESubName = "Backend"
$GWSubName = "GatewaySubnet"
$VNetPrefix1 = "192.168.0.0/16"
$VNetPrefix2 = "10.254.0.0/16"
$FESubPrefix = "192.168.1.0/24"
$BESubPrefix = "10.254.1.0/24"
$GWSubPrefix = "192.168.200.0/26"
$VPNClientAddressPool = "172.16.201.0/24"
$RG = "Adel_Aneka_Test"
$Location = "Australia Southeast"
$DNS = "8.8.8.8"
$GWName = "GW"
$GWIPName = "GWIP"
$GWIPconfName = "gwipconf"
$P2SRootCertName = "ARMP2SRootCert.cer"  # name for the root certificate entry on the gateway (our choice; it is used below)
#Create a new resource group.
New-AzureRmResourceGroup -Name $RG -Location $Location
#Create a front-end, gateway and backend subnet
$fesub = New-AzureRmVirtualNetworkSubnetConfig -Name $FESubName -AddressPrefix $FESubPrefix
$besub = New-AzureRmVirtualNetworkSubnetConfig -Name $BESubName -AddressPrefix $BESubPrefix
$gwsub = New-AzureRmVirtualNetworkSubnetConfig -Name $GWSubName -AddressPrefix $GWSubPrefix
#Create a virtual network
New-AzureRmVirtualNetwork -Name $VNetName -ResourceGroupName $RG -Location $Location -AddressPrefix $VNetPrefix1,$VNetPrefix2 -Subnet $fesub, $besub, $gwsub -DnsServer $DNS
#Specify the variables for the virtual network you just created.
$vnet = Get-AzureRmVirtualNetwork -Name $VNetName -ResourceGroupName $RG
$subnet = Get-AzureRmVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet
#Request a dynamically assigned public IP address. This IP address is necessary for the gateway to work properly. You will later connect the gateway to the gateway IP configuration
$pip = New-AzureRmPublicIpAddress -Name $GWIPName -ResourceGroupName $RG -Location $Location -AllocationMethod Dynamic
$ipconf = New-AzureRmVirtualNetworkGatewayIpConfig -Name $GWIPconfName -Subnet $subnet -PublicIpAddress $pip
# Generate and upload certificates: for doing this follow the instruction after this code and copy the public key of the generated certificate here
$MyP2SRootCertPubKeyBase64 = "MIIDETCCAf2g…….j4/FrCI"
$p2srootcert = New-AzureRmVpnClientRootCertificate -Name $P2SRootCertName -PublicCertData $MyP2SRootCertPubKeyBase64
New-AzureRmVirtualNetworkGateway -Name $GWName -ResourceGroupName $RG -Location $Location -IpConfigurations $ipconf -GatewayType Vpn -VpnType RouteBased -EnableBgp $false -GatewaySku Standard -VpnClientAddressPool $VPNClientAddressPool -VpnClientRootCertificates $p2srootcert

# Part 2: generate a root certificate

If you are not using an enterprise certificate solution, you’ll need to generate a self-signed root certificate. The steps in this section were written for Windows 7 (they should be similar for other Windows versions with some minor changes). If you have issues with Windows 8, 8.1 or 10, at the end of this post I explain some tricks to resolve possible problems.

Follow these steps:

  1. Run the Windows command prompt as administrator (right click on Command Prompt, Run as administrator).
  2. Change directory to the location of makecert.exe. In my case:
    cd "C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin"
  3. Run this command:
    makecert -sky exchange -r -n "CN=RootCertificateName" -pe -a sha256 -len 2048 -ss My "RootCertificateName.cer"

RootCertificateName is the name of the root certificate authority (CA); it can be your name. RootCertificateName.cer is the name of the file in which the certificate is stored.

-r creates a self-signed certificate.

-ss is the name of the certificate store that receives the output certificate (My is the Personal store).

-a selects the signature hash algorithm (sha256) and -len the key length in bits (2048); -pe marks the private key as exportable, and -sky exchange creates a key that can be used for key exchange.

Executing this command adds your self-signed certificate to the CurrentUser store location.

# Part 2.1: to get the public key

1. First, check that the certificate from the previous section was added to your personal certificates: run certmgr.msc; your certificate should be listed under Personal.

2. To get the public key, export the certificate as a Base-64 encoded X.509 (.CER) file, then open that file with Notepad and copy everything between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.
Make sure you remove the hidden end-of-line characters so that the key is a single line.

A) Right click on the root certificate you created > All Tasks > Export.

B) Select “No, do not export the private key”.

C) Select “Base-64 encoded X.509 (.CER)”.

D) Select a path and a name for your certificate file.

E) Next and Finish.

F) Open the saved file with Notepad and turn the public key between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- into a single line.

G) This is the public key that you should copy into the $MyP2SRootCertPubKeyBase64 variable in Part 1 when creating the VPN.
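Steps F and G are where most copy-and-paste mistakes happen, so here is a script (an added example, not part of the original post) that produces the single-line value for $MyP2SRootCertPubKeyBase64 from an exported .cer file and checks that it still decodes to a complete certificate; it serves the extra root certificates of Part 4 in the same way. The embedded .cer content is a constructed stand-in, not a real certificate.

```python
#!/usr/bin/env python3
"""Turn an exported Base-64 X.509 (.CER) file into the single-line string
expected for $MyP2SRootCertPubKeyBase64 (Part 1) and $MyP2SCertPubKeyBase64_2
(Part 4), and check that it decodes to a complete DER certificate."""
import base64
import re
import textwrap

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def validate_public_cert_data(b64):
    """Return the decoded length if b64 is a complete DER certificate.

    The outer element must be a SEQUENCE (tag 0x30) whose encoded length
    matches the number of bytes actually present; a copy that lost or
    gained characters (a truncated paste, a stray line break) fails here
    instead of being rejected later by Azure.
    """
    der = base64.b64decode(b64, validate=True)   # raises on bad characters
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE; was the file exported as Base-64 X.509?")
    first = der[1]
    if first < 0x80:                     # short-form length
        body_len, hdr_len = first, 2
    else:                                # long form: low 7 bits = length bytes
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            raise ValueError("malformed DER length")
        body_len = int.from_bytes(der[2:2 + n], "big")
        hdr_len = 2 + n
    if hdr_len + body_len != len(der):
        raise ValueError("DER says %d bytes but %d decoded"
                         % (hdr_len + body_len, len(der)))
    return len(der)


def pem_to_public_cert_data(pem_text):
    """Return the base64 body of the first certificate in pem_text as one
    line, with every line break (CRLF or LF) and blank removed."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no BEGIN/END CERTIFICATE block found")
    b64 = re.sub(r"\s+", "", m.group(1))
    validate_public_cert_data(b64)
    return b64


def powershell_assignment(var_name, b64):
    """Render the line to paste into the Part 1 or Part 4 PowerShell script."""
    return '$%s = "%s"' % (var_name, b64)


# Constructed sample: a stand-in DER body (SEQUENCE header + 64 filler
# bytes, not a real certificate) wrapped at 64 columns with Windows line
# endings, the way certmgr.msc writes a Base-64 encoded .cer file.
SAMPLE_DER = b"\x30\x82\x00\x40" + bytes(range(64))
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode("ascii")
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\r\n"
              + "\r\n".join(textwrap.wrap(SAMPLE_B64, 64))
              + "\r\n-----END CERTIFICATE-----\r\n")

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PEM
    print(powershell_assignment("MyP2SRootCertPubKeyBase64",
                                pem_to_public_cert_data(text)))
```

Run it with the path of the exported .cer file as its only argument; without an argument it processes the built-in sample.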

# Part 3: Connecting Clients to the Virtual Network

If your virtual network was created successfully (you can check in the Azure portal), you can now connect clients to it. To do so you need two things:

1) the VPN client and

2) a client certificate installed.

# Part 3.1 Download the VPN client configuration package.

1. To download the client configuration package, run the following command in PowerShell. Make sure the Azure Resource Manager PowerShell cmdlets are installed (you can use the Microsoft Web Platform Installer from https://www.microsoft.com/web/downloads/platform.aspx):

Get-AzureRmVpnClientPackage -ResourceGroupName $RG -VirtualNetworkGatewayName $GWName -ProcessorArchitecture Amd64

2. The PowerShell cmdlet will return a URL. Copy and paste the link that is returned into a web browser to download the package to your computer.

You can also download it from the portal:

Resource groups > Adel_Aneka_Test > Aneka-VNET-SITE > GW > Point-to-site configuration

3. Install the package. You should see the VPN connection when you click the network icon in the system tray.

# Part 3.2 Generate and install the client certificates.

Follow these steps to generate a certificate for each computer that needs to connect to the virtual network.

Look at https://docs.microsoft.com/en-in/azure/vpn-gateway/vpn-gateway-certificates-point-to-site if you are not sure what you are doing.

1. First run the following command to generate the client certificate:

makecert.exe -n "CN=ClientCertificateName" -pe -sky exchange -m 96 -ss My -in "RootCertificateName" -is My -a sha256

You can generate as many client certificates as you need this way. If you do not have makecert.exe, you can install it with the Microsoft Windows SDK for Windows 7 and .NET Framework 4.

2. Run certmgr.msc and make sure ClientCertificateName is listed under your personal certificates.

3. Right click on the client certificate and choose Export.

4. Select “Yes, export the private key”.

5. Leave the default selection.

6. Provide a password for the private key.

7. Select a path and a name for your certificate file.

8. Next and Finish.

9. Then copy the exported .pfx file to the target machine that wants to connect to the virtual network.

10. Double click on the file on the target machine and follow the steps:

a. Next.

b. Leave the path as it is.

c. Type the password for the private key and make sure “Enable strong private key protection” is not checked. If this option is grayed out, follow the instructions in “How to activate the ‘Enable Strong private key protection’ option” above to make it selectable.

d. Next, then select “Place all certificates in the following store”, click Browse and choose Personal.

e. Next and Finish.

# Part 3.3 Connect to the VPN

1. Click the Connect button on the VPN connection created in Part 3.1, step 3.

2. Click Connect.

3. Click Continue and accept with Yes.

4. If more than one client certificate is installed, select the one you imported and click OK; otherwise it connects automatically.

Congratulations!!! You have finished Rostam’s Seven Labours to set up a Point-to-Site VPN connection for Azure.

If, unfortunately, you get the following error:

A certificate could not be found that can be used with this Extensible Authentication Protocol. (Error 789)

you can try my post on How to fix “A certificate could not be found that can be used with this Extensible Authentication Protocol. (Error 789)” for Azure Point-to-Site VPN. Hopefully, you can get rid of the problem.


# Part 4: To add and remove extra Root Certificates.

You can add up to 20 root certificates to Azure. Follow the steps below to add a root certificate.
1. Create and prepare the new root certificate for upload using the method explained in Part 2, then run the following PowerShell commands:

Login-AzureRmAccount
$P2SRootCertName2 = "ARMP2SRootCert2.cer"
$MyP2SCertPubKeyBase64_2 = "MIIC/zC……...m7ju"

2. Upload the new root certificate. Note that you can only add one root certificate at a time.

Add-AzureRmVpnClientRootCertificate -VpnClientRootCertificateName $P2SRootCertName2 -VirtualNetworkGatewayname $GWName -ResourceGroupName $RG -PublicCertData $MyP2SCertPubKeyBase64_2

3. You can verify that the new certificate was added correctly by using the following cmdlet.

Get-AzureRmVpnClientRootCertificate -ResourceGroupName $RG -VirtualNetworkGatewayName $GWName

4. You can remove a certificate using the following cmdlet.

Remove-AzureRmVpnClientRootCertificate -VpnClientRootCertificateName $P2SRootCertName2 -VirtualNetworkGatewayName $GWName -ResourceGroupName $RG -PublicCertData "MIIC/z……qgTWCIcb7ju"

You can also do the same in the Azure portal by copying everything between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- into the page at the following path:

Resource groups > Adel_Aneka_Test > Aneka-VNET-SITE > GW > Point-to-site configuration
Please leave comments for me if you found any bugs in the instruction.

Passwordless SSH login

Your aim

You need an automatic login from host A / user ‘a’ to host B / user ‘b’. You don’t want to enter any passwords, maybe because you want to call ssh from within a shell script.

How to do it

First log in on A as user ‘a’ and generate a pair of authentication keys. Do not enter a passphrase:

a@A:~> ssh-keygen -t rsa

Generating public/private rsa key pair.

Enter file in which to save the key (/home/a/.ssh/id_rsa):

Created directory ‘/home/a/.ssh’.

Enter passphrase (empty for no passphrase):

Enter same passphrase again:

Your identification has been saved in /home/a/.ssh/id_rsa.

Your public key has been saved in /home/a/.ssh/id_rsa.pub.

The key fingerprint is:

3e:4f:05:79:3a:9f:96:7c:3b:ad:e9:58:37:bc:37:e4 a@A

Now use ssh to create a directory ~/.ssh as user ‘b’ on B. (The directory may already exist, which is fine):

a@A:~> ssh b@B mkdir -p .ssh

b@B’s password:

Finally append a’s new public key to b@B:.ssh/authorized_keys and enter b’s password one last time:

a@A:~> cat .ssh/id_rsa.pub | ssh b@B 'cat >> .ssh/authorized_keys'

b@B’s password:

From now on you can log into B as b from A as a without a password:

a@A:~> ssh b@B hostname

B

The same key installation can be done in one step with ssh-copy-id (shown here with a generic user and host):

ssh-copy-id -i ~/.ssh/id_rsa.pub username@mystery
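The manual `cat >> .ssh/authorized_keys` step above does not check for duplicates, for a missing trailing newline on the existing file, or for the file modes sshd's StrictModes requires. The following helper (an added example, not from the original post) installs a key the same way but idempotently; the public key it uses is a constructed sample and a POSIX file system is assumed.

```python
#!/usr/bin/env python3
"""Install a public key into ~/.ssh/authorized_keys the way the steps above
do by hand, but idempotently and with the file modes sshd expects."""
import os
import stat
import tempfile

# Constructed sample public key (not a real key) in OpenSSH one-line format.
SAMPLE_PUBKEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0nstructedSampleBlobNotARealKey a@A"


def parse_pubkey(line):
    """Return (key_type, base64_blob) from an OpenSSH public key line,
    ignoring the comment and any leading options such as from="...".
    Raises ValueError for anything that is not a public key."""
    fields = line.strip().split()
    for i, field in enumerate(fields):
        if field.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(fields):
            return field, fields[i + 1]
    raise ValueError("not an OpenSSH public key: %r" % line)


def install_authorized_key(home, pubkey_line):
    """Append pubkey_line to home/.ssh/authorized_keys unless the same key
    (type and blob; the comment is ignored) is already present.

    Unlike `cat >> authorized_keys` it also creates ~/.ssh as 0700, keeps
    authorized_keys at 0600 (StrictModes refuses group/world-writable
    files) and makes sure the new entry starts on its own line even when
    the file currently lacks a trailing newline. Returns True if added.
    """
    key = parse_pubkey(pubkey_line)
    ssh_dir = os.path.join(home, ".ssh")
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)                    # makedirs is subject to umask
    path = os.path.join(ssh_dir, "authorized_keys")
    content = ""
    if os.path.exists(path):
        with open(path) as fh:
            content = fh.read()
    for entry in content.splitlines():
        try:
            if parse_pubkey(entry) == key:
                return False                    # already authorised
        except ValueError:
            continue                            # comments, blanks, junk
    with open(path, "a") as fh:
        if content and not content.endswith("\n"):
            fh.write("\n")
        fh.write(pubkey_line.strip() + "\n")
    os.chmod(path, 0o600)
    return True


def check_permissions(home):
    """List anything sshd's StrictModes check would object to."""
    problems = []
    for rel in (".ssh", ".ssh/authorized_keys"):
        p = os.path.join(home, rel)
        if not os.path.exists(p):
            problems.append("%s missing" % rel)
            continue
        mode = stat.S_IMODE(os.stat(p).st_mode)
        if mode & 0o022:
            problems.append("%s is group/world writable (%o)" % (rel, mode))
    return problems


def demo(home=None):
    """Run the helpers in a scratch home directory. Returns
    (added_first_time, added_second_time, key_lines, permission_problems)."""
    home = home or tempfile.mkdtemp(prefix="sshdemo-")
    first = install_authorized_key(home, SAMPLE_PUBKEY)
    second = install_authorized_key(home, SAMPLE_PUBKEY + " copy")
    with open(os.path.join(home, ".ssh", "authorized_keys")) as fh:
        key_lines = len([l for l in fh if l.strip()])
    return first, second, key_lines, check_permissions(home)


if __name__ == "__main__":
    print(demo())
```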