Runecast 3.1 with German BSI Grundschutz compliance monitoring

Runecast Analyzer scans VMware infrastructures for known issues against the VMware-KB, checks hardware compatibility against HCL and compares current settings with VMware best-practice-guidelines and security baselines like DISA STIG, PCI DSS or HIPAA. The most recent version 3.1 now contains baselines from the German Federal Office for Information Security (BSI). Germany is an important market for Runecast, so including BSI IT-Grundschutz (BSI IT-Baseline) was an important step to win new customers – especially in the public sector. One of the key selling points of Runecast in that market is its ability to work completely offline. No need to send any data into the cloud. You may update the appliance or get new signatures online, but you can also do this offline by mounting an ISO-image. Yes, Germany is special in that respect, but we had some… issues.

To demonstrate all new features, Runecast will have a webinar on October 23rd 2019 at 10.00 am (CEST). Registration is free but priceless. Stanimir Markov (CEO) and Robert Berger will talk about BSI IT-Grundschutz Automation within Runecast Analyzer 3.1.


Setting timezone in Photon-OS

Many of VMware’s appliances are based on Photon OS. Sometimes these appliances aren’t using suitable timezones for your current location, which makes it difficult to match logs and results.

If that appliance has no GUI, you have to adjust it on the shell. Use SSH or the appliance’s console to log in as ‘root’. To get a list of all available timezones issue the command below.

ls -lsa /usr/share/zoneinfo | more

Some timezones are divided into sub-zones. For example “Europe”.

ls -lsa /usr/share/zoneinfo/Europe | more

We’re piping the results to the ‘more‘ command in order to achieve better readability. It’s optional. Once you’ve found your timezone, you can set it. In my example it’s “Europe/Berlin”.

Set Europe/Berlin timezone

Next we’ll create a symbolic link from localtime to “Europe/Berlin”.

ln -sf /usr/share/zoneinfo/Europe/Berlin /etc/localtime

Finally we can check the settings with the ‘date’ command. Date and time are correct, and the timezone is shown as CEST.

NSX-V 6.4 End of Support extended until 2022

NSX for vSphere (NSX-V) is about to be replaced by its successor NSX-T (Transformers). The current version NSX-V 6.4 has been GA since January 2018 and will be the last version. Just recently the End-of-Support (EoS) date was shifted from January 2021 to January 2022 (16-01-2022). That date is only valid for NSX-V 6.4. Version 6.3 will reach its EoS on 02-02-2021. Details on support can be found in the VMware Lifecycle Product Matrix.

What does “End of Support” mean?

To be precise, it’s called “End of General Support”. Between “General Availability” (GA) and EoS lies the “General Support Phase”. During that phase VMware will provide:

  • Updates and Upgrades
  • Security patches
  • Bug fixes
  • Support for new hardware
  • Updates for server, client and guest-OS
  • Customer support by phone or web
  • Web self service
  • Access to knowledgebase

After End-of-Support (EoS) has been reached, the “Technical Guidance” phase begins. Customer support is only available by web interface. There will be no more upgrades or updates, no bug fixes and no security patches. You can find details in VMware Lifecycle Summary.

Plan your migration

Even though EoS was postponed for NSX-V, you should start planning migrations from NSX-V to NSX-T now. NSX-T is equipped with a migration tool, but still it’s a complex task that will require a lot of testing.

T or V ?

If you’re planning a greenfield implementation of NSX today you should really consider NSX-T, because for NSX-V the end of the road isn’t far ahead.

PowerCLI error – Invalid server certificate

On client systems with fresh PowerCLI installations I often get an error when trying to run scripts.

Connect-VIServer Error: Invalid server certificate. Use Set-PowerCLIConfiguration to set the value for the InvalidCertificateAction option to Prompt if you’d like to connect once or to add a permanent exception for this server

The reason is that PowerCLI refuses to connect to a server whose certificate it cannot validate. If you’re running your own scripts, you can switch off that check.

Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -Confirm:$false
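
The command above turns off certificate validation with Ignore. The following added example (not part of the original post) shows how to inspect the current setting and how to limit the relaxation with the -Scope parameter, or to use the Prompt action that the error message itself suggests. The hostname vcsa.example.local is a placeholder.

```powershell
# Added example, not from the original post.
# Assumption: vcsa.example.local is a placeholder for your vCenter or ESXi host.

# 1. Show what is currently configured at each scope (Session, User, AllUsers)
#    before changing anything.
Get-PowerCLIConfiguration |
    Select-Object Scope, InvalidCertificateAction |
    Format-Table -AutoSize

# 2. Lab use: ignore invalid certificates only for the current PowerShell
#    session. The setting is gone once this session is closed.
Set-PowerCLIConfiguration -Scope Session `
    -InvalidCertificateAction Ignore -Confirm:$false

# 3. Alternative for day-to-day use: keep validation on and get asked when a
#    certificate cannot be validated. This is the "Prompt" option named in
#    the error message; it lets you connect once or add a permanent
#    exception for that one server.
Set-PowerCLIConfiguration -Scope User `
    -InvalidCertificateAction Prompt -Confirm:$false

# 4. Connect. With "Prompt" you will be asked to accept or reject the
#    certificate of this specific server.
Connect-VIServer -Server 'vcsa.example.local'

# 5. Verify the result after the change.
Get-PowerCLIConfiguration |
    Select-Object Scope, InvalidCertificateAction |
    Format-Table -AutoSize
```

Steps 2 and 3 are alternatives; run one or the other depending on whether the system is a throwaway lab client or a workstation that also connects to production servers.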