VMware Server 2.0 – using your own SSL certificate

The default installation of VMware Server 2.0 uses a self-signed certificate for the web-based management console, VMware Infrastructure Web Access. (Notice how they copied the Microsoft fashion of naming the web based tool, like Outlook Web Access and Project Web Access.)

But you may want to use a different certificate: one that browsers in your organisation already trust, so people stop clicking through warnings for this site (and stop learning to click through warnings in general). I couldn’t find any information on the web, so went hunting in the config files.

The paths to the certificate and key are specified in the file /etc/vmware/hostd/config.xml. By default they point into /etc/vmware/ssl/, so you can either drop your own certificate and key in there under the names config.xml already references, or edit config.xml to point at your files.

You may want to create your own certificate authority (CA). I followed the Ubuntu Server Guide's instructions, but apart from file locations those instructions are plain OpenSSL and should work on any system that has it.

Once I had set up the new certificates, I had to reboot the machine. Restarting VMware didn’t do it, but that was probably because I didn’t restart the right service. Rebooting definitely worked.
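The whole procedure as one script, added here as an example rather than taken from the post or from VMware: it builds a private CA, issues a server certificate for the console host, and checks the result before anything is copied to the server. The host name, the CA name, the scratch directory and the rui.crt / rui.key file names are assumptions for the example; check config.xml for the names your installation actually references.

```shell
#!/bin/sh
# Added example (not from the post or from VMware): make a private CA, issue a
# server certificate for the VI Web Access host, and sanity-check the result.
# Assumptions, not stated on the page: the host name, the CA name, the scratch
# directory, and the rui.crt / rui.key file names (check config.xml for the
# names your installation actually references).
set -eu

make_console_cert() {
    dir=$1      # scratch directory that will hold the CA and the issued cert
    host=$2     # DNS name browsers use to reach the console; goes in the SAN
    mkdir -p "$dir"

    # 1. Private CA: RSA key plus a self-signed root certificate (10 years).
    #    Keep ca.key off the VMware host; only ca.crt needs distributing.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Lab CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1

    # 2. Server key and CSR for the console host.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$host" \
        -keyout "$dir/rui.key" -out "$dir/rui.csr" >/dev/null 2>&1

    # 3. Sign the CSR with the CA. The extension file adds a subjectAltName
    #    (browsers match the host name against the SAN, not the CN) and
    #    restricts the certificate to TLS server use.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
        "$host" > "$dir/rui.ext"
    openssl x509 -req -in "$dir/rui.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 825 -sha256 -extfile "$dir/rui.ext" \
        -out "$dir/rui.crt" >/dev/null 2>&1
    chmod 600 "$dir/ca.key" "$dir/rui.key"

    # 4. Checks before copying anything to the server: the chain verifies
    #    against our CA, and the private key really belongs to the cert.
    openssl verify -CAfile "$dir/ca.crt" "$dir/rui.crt" >/dev/null 2>&1 \
        || { echo "chain-bad"; return 1; }
    cert_mod=$(openssl x509 -noout -modulus -in "$dir/rui.crt")
    key_mod=$(openssl rsa -noout -modulus -in "$dir/rui.key")
    [ "$cert_mod" = "$key_mod" ] || { echo "key-mismatch"; return 1; }
    echo "ok"
}

# Usage: sh make-console-cert.sh /tmp/vmca vmserver.example.lan
if [ $# -eq 2 ]; then make_console_cert "$1" "$2"; fi
```

After copying rui.crt and rui.key into /etc/vmware/ssl/ and restarting (or rebooting, as above), running openssl s_client -connect host:8333 -CAfile ca.crt from another machine (8333 is the usual HTTPS port for VI Web Access; adjust to yours) should end with "Verify return code: 0 (ok)". If that output also contains an "Acceptable client certificate CA names" section, the server is requesting a client certificate during the handshake, which is the kind of thing that makes a browser put up a client certificate prompt.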

With my new certificate, IE7 still prompts me to choose a client certificate to present, but pressing Cancel in that dialog gives a proper secure session without the ugly red security warning by the address bar. With Firefox it works fine.

I haven’t investigated the prompt for a client certificate in IE yet, but if you know and want to save me the trouble of figuring it out for myself, please post a comment!

Cloning VMware machines loses network connection

I have been setting up a whole swag of virtual machines to do my bidding. Ideally I would use ESXi but it doesn’t support my choice of server – my old laptop (Toshiba Tecra M5).

So I am back to using VMware Server. Since I last used it, VMware Server 2.0 has been released. It features a web-based management interface, which is quite good, though it uses a self-signed certificate that causes browsers to complain. I will eventually figure out how to replace it with a real certificate (or rather, one that my personal trusted certification authority has issued) and post the instructions here.

But that’s not what this post is about. My operating system of choice at the moment is Ubuntu Server 8.04 LTS. Yes, 8.10 is out, but I don’t want to download another CD image. I am in New Zealand, the land of data caps, after all. I have created a base install of Ubuntu, and want to clone it and use it as a base for other virtual machines.

Installing the base Ubuntu system is straightforward.

Copying the virtual machine (with it powered off, so the disk files are consistent) is simple:

cp -r [source_directory] [destination_name]

Then it’s a matter of renaming the virtual disk (for consistency’s sake – it’s not mandatory):

vmware-vdiskmanager -n [source_file.vmdk] [destination_file.vmdk]

Following that, I edit the .vmx file and change the references to the .vmdk file and the displayName, which is the virtual machine name shown in the management interface. Otherwise you’ll end up with multiple machines with the same name, and that gets confusing.

Once you add the machine to the inventory, VMware Server will realise that it’s a clone of an existing machine and ask you to confirm. If you say it is a copy, it will regenerate some IDs, including the VM’s UUID and the NIC’s MAC address. And this is where we run into trouble.

With a new MAC address, the system thinks there’s a new device in there. Which is virtually true. Ubuntu’s persistent-net rules keep the existing configuration (from the base image) as eth0 and set up the “new” NIC as eth1. Which is fine, except that eth0 will never work again, because no device with its MAC exists any more, and it’s better (I think) for the first NIC to be eth0.

I found a solution here:

Re: Eth0 disapears in VMware and Ubuntu Server


I think that the best thing is to delete the eth0 line from /etc/udev/rules.d/70-persistent-net.rules and change eth1 to eth0 in eth1's line

I mean, my file was

# This file was automatically generated by the /lib/udev/write_net_rules
# program, probably run by the persistent-net-generator.rules rules file.
#
# You can modify it, as long as you keep each rule on a single line.

# PCI device 0x1022:0x2000 (pcnet32)
SUBSYSTEM=="net", DRIVERS=="?*", ATTRS{address}=="00:0c:29:b0:1a:59", NAME="eth0"

# PCI device 0x1022:0x2000 (pcnet32)
SUBSYSTEM=="net", DRIVERS=="?*", ATTRS{address}=="00:0c:29:38:15:ba", NAME="eth1"

but now it is

# This file was automatically generated by the /lib/udev/write_net_rules
# program, probably run by the persistent-net-generator.rules rules file.
#
# You can modify it, as long as you keep each rule on a single line.

# PCI device 0x1022:0x2000 (pcnet32)
SUBSYSTEM=="net", DRIVERS=="?*", ATTRS{address}=="00:0c:29:38:15:ba", NAME="eth0"

Salute

Frank Abel

Thanks Frank – that fixed it.

Some other things to think of:

You will probably want to change the host name of your new virtual machine. You do that by editing /etc/hostname. But if the new host name isn’t resolvable, you may run into trouble, especially with sudo on a default installation of Ubuntu (and probably other distros as well). So, before you change the hostname, add an entry for the new name in /etc/hosts (Ubuntu maps the machine’s own name to 127.0.1.1 there).

I have run into trouble by changing /etc/hostname and then being unable to edit any other file, including /etc/hosts, because sudo requires that your machine’s hostname be resolved. It’s for this reason that my new rule is to create a password for root as soon as the OS is installed:

sudo passwd root

(A root password is a second credential for an attacker to guess, so make it a strong one, and if the machine runs sshd check that PermitRootLogin isn’t left open. Fixing /etc/hosts before touching /etc/hostname avoids needing it at all.)

Other things I need to do when cloning the machine are editing the network settings in /etc/network/interfaces (I am using static IP addressing) and the DNS servers in /etc/resolv.conf. Then reboot and you have a clean system with its own “identity”.
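The post-clone fix-up, collected into one script. This is an added example, not the post's or VMware's code: it applies Frank's udev change automatically (keeping whichever rule matches the NIC the clone actually has and renaming it eth0), puts the /etc/hosts entry in before the hostname changes, and writes a static /etc/network/interfaces. The host names, addresses and sample files in demo() are constructed for the example (the MACs mirror the ones in the quoted rules file), and the file paths are parameters so you can try it on copies before pointing it at /etc.

```shell
#!/bin/sh
# Added example, not from the post or from VMware: automates the post-clone
# clean-up described above. It keeps only the udev rule whose MAC the
# regenerated NIC actually has and names it eth0, then writes the /etc/hosts
# entry *before* /etc/hostname so sudo keeps resolving the machine's own name.
# File paths are parameters so it can be tried on copies first. The sample
# files, host names and static address in demo() are constructed for the example.
set -eu

# Rewrite a 70-persistent-net.rules file: the rule matching $mac becomes eth0,
# rules for any other (now non-existent) MAC are dropped, everything else kept.
fix_persistent_net() {
    rules=$1 mac=$2
    awk -v mac="$(printf '%s' "$mac" | tr 'A-F' 'a-f')" '
        index($0, "ATTRS{address}") == 0 { print; next }    # comments, blanks, other rules
        {
            if (index(tolower($0), "attrs{address}==\"" mac "\"") == 0) next   # stale MAC
            sub(/NAME="eth[0-9]+"/, "NAME=\"eth0\"")                          # survivor -> eth0
            print
        }' "$rules" > "$rules.tmp" && mv "$rules.tmp" "$rules"
}

# Give the clone its own name. Ubuntu maps the machine's own hostname to
# 127.0.1.1 in /etc/hosts; update (or add) that line first, then the hostname file.
rename_clone() {
    hosts=$1 hostname_file=$2 newname=$3
    if grep -q '^127\.0\.1\.1[[:space:]]' "$hosts"; then
        sed "s/^127\.0\.1\.1[[:space:]].*/127.0.1.1 $newname/" "$hosts" > "$hosts.tmp" \
            && mv "$hosts.tmp" "$hosts"
    else
        printf '127.0.1.1 %s\n' "$newname" >> "$hosts"
    fi
    printf '%s\n' "$newname" > "$hostname_file"
}

# Static addressing for the clone, in /etc/network/interfaces format.
write_static_iface() {
    iface_file=$1 addr=$2 mask=$3 gw=$4
    printf 'auto lo\niface lo inet loopback\n\nauto eth0\niface eth0 inet static\n' > "$iface_file"
    printf '    address %s\n    netmask %s\n    gateway %s\n' "$addr" "$mask" "$gw" >> "$iface_file"
}

# Builds constructed sample files in $1 (the rules file is the one a clone
# ends up with: the base image's MAC plus the regenerated one) and fixes them.
# On a live clone, take the MAC from /sys/class/net/eth1/address and point the
# functions at the real files under /etc.
demo() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/70-persistent-net.rules" <<'EOF'
# This file was automatically generated by the /lib/udev/write_net_rules
# program, probably run by the persistent-net-generator.rules rules file.
#
# You can modify it, as long as you keep each rule on a single line.

# PCI device 0x1022:0x2000 (pcnet32)
SUBSYSTEM=="net", DRIVERS=="?*", ATTRS{address}=="00:0c:29:b0:1a:59", NAME="eth0"

# PCI device 0x1022:0x2000 (pcnet32)
SUBSYSTEM=="net", DRIVERS=="?*", ATTRS{address}=="00:0c:29:38:15:ba", NAME="eth1"
EOF
    printf '127.0.0.1 localhost\n127.0.1.1 ubuntu-base\n' > "$dir/hosts"
    printf 'ubuntu-base\n' > "$dir/hostname"

    fix_persistent_net "$dir/70-persistent-net.rules" "00:0C:29:38:15:BA"
    rename_clone "$dir/hosts" "$dir/hostname" vm-clone01
    write_static_iface "$dir/interfaces" 192.168.1.51 255.255.255.0 192.168.1.1
    cat "$dir/70-persistent-net.rules" "$dir/hosts"
}

# Usage: sh clone-fixup.sh /tmp/clone-test
if [ $# -eq 1 ]; then demo "$1"; fi
```

The MAC comparison is case-insensitive because udev writes the address in lower case while tools such as ifconfig print it in upper case; the rules file is rewritten through a temporary file so a failed awk run leaves the original untouched.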

Phone + Fire Eagle + Google Maps = high tech spy tracking system

Fire Eagle is a service from Yahoo! that gives you access to location information. It’s not very sophisticated. You tell Fire Eagle where you are, and then applications (after the appropriate authorisations have been made) can use your location data.

Of course, you don’t want to be typing your location into a web site every time you move, so there are many applications that work out your location and tell Fire Eagle. The one I have used on my Nokia E71 is the Fire Eagle mobile updater for J2ME. Every minute, it reads my phone’s GPS and sends the location to Fire Eagle.

With my old Palm Treo 750V, I used Mologogo, which tried to guess my location based on cell tower information. Its accuracy isn’t that great (usually to within a kilometre) but it’s good enough to play around with.

More mobile updaters are available here.

So Fire Eagle knows where I am. What use is this?

Well, I built a Google Maps-based tracking system. You authorise Fire Eagle accounts with the application, and then every minute or so the map will update showing the location of those people.

It’s not a very effective spy tool, because you’ll either need to spend a few hundred dollars on a GPS-enabled device and plant it on your target, or gain access to the target’s phone, put a Fire Eagle updater on it and then authorise that account with the application. But it’s still possible. And cool.

I wrote the backend (which is pretty simple) in .NET because that’s what I’m good at, but seeing that this server isn’t Windows, I have rewritten it in PHP and added simple site registration so that anyone can use it and become a spy. (I wrote that paragraph before I had actually done the PHP version; it took about 4 hours in the end.)

So, go to http://arunstephens.com/spy/ to become a spy!

If any government agencies find this useful, please let me know!