SlideShare a Scribd company logo

Exploring Solaris Autoregistration

Download as ODP, PDF
Tom Kranz
Tom Kranz

This is a presentation I gave to a LOSUG meeting at Oracle on 2011-11-17, exploring the new autoregistration feature in Solaris, and also delving into hacking about with service tags.

Technology
1 of 24
Exploring Solaris Auto-Registration An irreverant look at evaluating new Solaris management tools Tom Kranz http://www.gaeltd.com
Some background first To manage infrastructure: You need to know what all the bits are You need to know what they do You need to know why they do it You need to know how they do it Then you can start tuning/scaling/hacking New features/tools/applications/traps upset all of this http://www.gaeltd.com
Here there be dragons So, an apparently new tool in the OS comes along 'secure' Internet upload of data? From expensive bits of kit tucked away behind firewalls? I think not, chaps New bit of infrastructure, doing new things in new ways? Time for a poke around! http://www.gaeltd.com
Why, Larry, why? Oracle need to make money from Solaris Oracle need to enforce their licensing Oracle need to know how and where Solaris is being deployed Oracle want to know what other products you're using Larry broke the mast on his yacht :-) http://www.gaeltd.com
Fair's fair, though As a windsurfer, I'm totally with Larry wanting more cash from clients Masts and sails are pricey (more so for yachts than windsurfers) I'd totally gouge my clients for more windsurfing kit and time sailing As a sysadmin, I'm less impressed What next? Clippy the Paperclip? “Hi, I see you're deploying Oracle Solaris!” http://www.gaeltd.com
So why mess with it? To know what's going on in my infrastructure Is it secure? Is it sensible? Will it break something? Also, auto-reg broke my Jumpstart setup Having it enabled by default irritated me So I got hacking about to find out more http://www.gaeltd.com
How does it work? The release notes are pretty good here It collects 'service tags' and uploads them to My Oracle Support More on Service Tags at http://wikis.sun.com/display/ServiceTag/Sun+Service+Tag+FAQ Full list of data in a Service Tag is at: https://inventory.sun.com/inventory/data.jsp http://www.gaeltd.com
“We fear change” Actually, this existed before in Sun Inventory: https://inventory.sun.com/inventory/ And Service Tags plugged into Ops Centre And no-one really used it, because Explorer was all we cared about for support http://www.gaeltd.com
“In the grim future, there is only OEM” OEM will consume all! Sun Ops Center has been absored into Oracle Enterprise Manager OEM doesn't just manage databases anymore OS patch levels Application deployments Like The One Ring, OEM Ops Center brings them all together and binds them http://www.gaeltd.com
Simplify infrastructure management Everything gets linked in together with a coherent management platform CTOs love this stuff Beancounters don't – it costs a lot up front But you get the OEM bits by default when deploying Oracle databases This is the antithesis of system administration to a scruffy hacker like me http://www.gaeltd.com
Argh! Make it stop OK, how to turn it all off? In Jumpstart: Add autoreg=disable to sysidcfg JET 4.8 has new template variables – key one: base_config_sysidcfg_auto_reg=disable Interactive installs: Get to da choppa^Wterminal! Regadm disable Or kill the SMF service svc:/application/autoreg:default http://www.gaeltd.com
What about Solaris 11? Check out the 'Register Oracle Solaris' icon on the desktop It calls /usr/bin/os-register Which is a python script which talks to inventory.sun.com It uses stclient, which is the CLI for service tag management http://www.gaeltd.com
This all poses some issues I'm not really in the habit of deploying Solaris boxes in a corporate data centre with direct Internet access Or via a proxy for that matter And not if they're running RAC or similar critical loads SunInventory has a laptop client Nasty cludge I suspect it would make IDSs very unhappy too http://www.gaeltd.com
Stclient Back in the days of Sun One, doing test installs of (eg.) Directory Server were problematical If you deleted it and tried to re-install it, you couldn't It used some sort of Java registry, and you had to delete the keys to re-install Egads! stclient! http://www.gaeltd.com
Et tu, OpenIndiana? bash-4.0$ uname -a SunOS grond 5.11 oi_147 i86pc i386 i86pc bash-4.0$ which stclient /usr/bin/stclient /usr/bin/stclient -x dumps 4 service tags Yes, Alasdair is Mad Larry's stooge ;-) http://www.gaeltd.com
Wait, it gets worse? Don't think that 'registering' will turn this off The SMF service stays enabled after registration After each boot, it scans for new service tags Then tries to upload them again http://www.gaeltd.com
Let's hack about with it Stclient can remove service tags, so you can install something and delete the 'evidence' This assumes the 'something' is not clever enough to respond to a subnet scan from another Solaris host We can also use stclient to make up totally bogus products that have been installed http://www.gaeltd.com
The America's Cup is mine! bash-3.00# stclient -a -p "Mad Larry's Yacht" -e "2.0 + mast patch" -t 30b26c7d-15eb-4d81- f546-dacc66b3aba3 -P Oracle -m Oracle -A trimaran -z The_Sea -S A_Shipyard Mad Larry's Yacht 2.0 + mast patch added Product instance URN=urn:st:8986657f-b561- c918-fafb-fa3de59e82c6 http://www.gaeltd.com
Now let's break HTTPS You'll be wanting ParosProxy for this Nifty little Java proxy from www.parosproxy.org Extract it and run with java -jar paros.jar Configure regadm to use it: Regadm set -n http_proxy -v localhost Regadm set -n http_proxy_port -v 8080 Then kick off a registration request Regadm auth -u leo.apotheker@hp.com http://www.gaeltd.com
Abbreviated message body POST https://inv- cs.sun.com/SCRK/ClientRegistrationV1_1_0 HTTP/1.1 Content-Disposition: form-data; name="VERSION" 1.1.1 Content-Disposition: form-data; name="SOA_ID" leo.apotheker@hp.com Content-Disposition: form-data; name="SOA_PW" password Content-Disposition: form-data; name="ASSET_ID" 341214851 <and a public key attached here as well> http://www.gaeltd.com
And the response? TYPE=ERROR CODE=4 MESSAGE=Cannot authenticate: leo.apotheker@hp.com -- com.sun.scn.cs.usermgmt.client.NotFoundExce ption: Not Found exception; method=POST; key=session/leo.apotheker@hp.com? source=SCRK; return code=404 http://www.gaeltd.com
Is it really that bad? You need to be root to mess with regadm/stclient The whole setup seems open to MITM attacks Denial of service against a competitor? “Death by Oracle licensing?” Will the service tag scanning set off IDSs? Inventory management means licensing revenue – customers want some support advantage to this stuff too http://www.gaeltd.com
Are these the end times that were foretold? It's clear the future of Solaris involves Stricter licensing Tighter integration into Oracle's software stack And this means more integration into management tools like OEM Ops Center Still bummed nothing seems to be leveraging Explorer though http://www.gaeltd.com
Questions? Or you can applaud, or throw coins, or something http://www.gaeltd.com

Recommended

FIWARE Lab
FIWARE LabFIWARE Lab
FIWARE LabMiguel González
 
Can Containers be secured in a PaaS?
Can Containers be secured in a PaaS?Can Containers be secured in a PaaS?
Can Containers be secured in a PaaS?Tom Kranz
 
10 Insightful Quotes On Designing A Better Customer Experience
10 Insightful Quotes On Designing A Better Customer Experience10 Insightful Quotes On Designing A Better Customer Experience
10 Insightful Quotes On Designing A Better Customer ExperienceYuan Wang
 
How to Build a Dynamic Social Media Plan
How to Build a Dynamic Social Media PlanHow to Build a Dynamic Social Media Plan
How to Build a Dynamic Social Media PlanPost Planner
 
Learn BEM: CSS Naming Convention
Learn BEM: CSS Naming ConventionLearn BEM: CSS Naming Convention
Learn BEM: CSS Naming ConventionIn a Rocket
 
SEO: Getting Personal
SEO: Getting PersonalSEO: Getting Personal
SEO: Getting PersonalKirsty Hulse
 
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationNull bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationAnant Shrivastava
 
Create an Amazon Redshift Cluster with FlyData!
Create an Amazon Redshift Cluster with FlyData!Create an Amazon Redshift Cluster with FlyData!
Create an Amazon Redshift Cluster with FlyData!FlyData Inc.
 

Recommended

FIWARE Lab
FIWARE LabFIWARE Lab
FIWARE LabMiguel González
 
Can Containers be secured in a PaaS?
Can Containers be secured in a PaaS?Can Containers be secured in a PaaS?
Can Containers be secured in a PaaS?Tom Kranz
 
10 Insightful Quotes On Designing A Better Customer Experience
10 Insightful Quotes On Designing A Better Customer Experience10 Insightful Quotes On Designing A Better Customer Experience
10 Insightful Quotes On Designing A Better Customer ExperienceYuan Wang
 
How to Build a Dynamic Social Media Plan
How to Build a Dynamic Social Media PlanHow to Build a Dynamic Social Media Plan
How to Build a Dynamic Social Media PlanPost Planner
 
Learn BEM: CSS Naming Convention
Learn BEM: CSS Naming ConventionLearn BEM: CSS Naming Convention
Learn BEM: CSS Naming ConventionIn a Rocket
 
SEO: Getting Personal
SEO: Getting PersonalSEO: Getting Personal
SEO: Getting PersonalKirsty Hulse
 
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationNull bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationAnant Shrivastava
 
Create an Amazon Redshift Cluster with FlyData!
Create an Amazon Redshift Cluster with FlyData!Create an Amazon Redshift Cluster with FlyData!
Create an Amazon Redshift Cluster with FlyData!FlyData Inc.
 
Drupal Camp Atlanta 2011 - Drupal Security
Drupal Camp Atlanta 2011 - Drupal SecurityDrupal Camp Atlanta 2011 - Drupal Security
Drupal Camp Atlanta 2011 - Drupal SecurityMediacurrent
 
Aeon mike guide transparent ssl filtering (1)
Aeon mike guide transparent ssl filtering (1)Aeon mike guide transparent ssl filtering (1)
Aeon mike guide transparent ssl filtering (1)Conrad Cruz
 
Aeon mike guide transparent ssl filtering
Aeon mike guide transparent ssl filteringAeon mike guide transparent ssl filtering
Aeon mike guide transparent ssl filteringConrad Cruz
 
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surfaceTeflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surfaceSaumil Shah
 
Sql Injections With Real Life Scenarious
Sql Injections With Real Life ScenariousSql Injections With Real Life Scenarious
Sql Injections With Real Life ScenariousFrancis Alexander
 
Automated Deployment using Open Source
Automated Deployment using Open SourceAutomated Deployment using Open Source
Automated Deployment using Open Sourceduskglow
 
Presentation automating failover with data guard in the cloud
Presentation automating failover with data guard in the cloudPresentation automating failover with data guard in the cloud
Presentation automating failover with data guard in the cloudxKinAnx
 
Hardening cassandra q2_2016
Hardening cassandra q2_2016Hardening cassandra q2_2016
Hardening cassandra q2_2016zznate
 
Securing Cassandra for Compliance
Securing Cassandra for ComplianceSecuring Cassandra for Compliance
Securing Cassandra for ComplianceDataStax
 
Why Sun for Drupal?
Why Sun for Drupal?Why Sun for Drupal?
Why Sun for Drupal?smattoon
 
Security Tips to run Docker in Production
Security Tips to run Docker in ProductionSecurity Tips to run Docker in Production
Security Tips to run Docker in ProductionGianluca Arbezzano
 
SalesDesktop FAQ
SalesDesktop FAQSalesDesktop FAQ
SalesDesktop FAQInvisibleCRM
 
1. Scaling PHP/MySQL...Presentation from Flickr
1. Scaling PHP/MySQL...Presentation from Flickr 1. Scaling PHP/MySQL...Presentation from Flickr
1. Scaling PHP/MySQL...Presentation from Flickrakshat
 
Kioptrix 2014 5
Kioptrix 2014 5Kioptrix 2014 5
Kioptrix 2014 5Jayesh Patel
 
Locking Down CF Servers
Locking Down CF ServersLocking Down CF Servers
Locking Down CF ServersColdFusionConference
 
ApacheCon NA 2010 - Developing Composite Apps for the Cloud with Apache Tuscany
ApacheCon NA 2010 - Developing Composite Apps for the Cloud with Apache TuscanyApacheCon NA 2010 - Developing Composite Apps for the Cloud with Apache Tuscany
ApacheCon NA 2010 - Developing Composite Apps for the Cloud with Apache TuscanyJean-Sebastien Delfino
 
Implementation of ssl injava
Implementation of ssl injavaImplementation of ssl injava
Implementation of ssl injavatanujagrawal
 
Building a Gateway Server
Building a Gateway ServerBuilding a Gateway Server
Building a Gateway ServerDashamir Hoxha
 
Drupal Efficiency - Coding, Deployment, Scaling
Drupal Efficiency - Coding, Deployment, ScalingDrupal Efficiency - Coding, Deployment, Scaling
Drupal Efficiency - Coding, Deployment, Scalingsmattoon
 
Whats new in Oracle Trace File analyzer 18.3.0
Whats new in Oracle Trace File analyzer 18.3.0Whats new in Oracle Trace File analyzer 18.3.0
Whats new in Oracle Trace File analyzer 18.3.0Sandesh Rao
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 

More Related Content

Similar to Exploring Solaris Autoregistration

Drupal Camp Atlanta 2011 - Drupal Security
Drupal Camp Atlanta 2011 - Drupal SecurityDrupal Camp Atlanta 2011 - Drupal Security
Drupal Camp Atlanta 2011 - Drupal SecurityMediacurrent
 
Aeon mike guide transparent ssl filtering (1)
Aeon mike guide transparent ssl filtering (1)Aeon mike guide transparent ssl filtering (1)
Aeon mike guide transparent ssl filtering (1)Conrad Cruz
 
Aeon mike guide transparent ssl filtering
Aeon mike guide transparent ssl filteringAeon mike guide transparent ssl filtering
Aeon mike guide transparent ssl filteringConrad Cruz
 
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surfaceTeflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surfaceSaumil Shah
 
Sql Injections With Real Life Scenarious
Sql Injections With Real Life ScenariousSql Injections With Real Life Scenarious
Sql Injections With Real Life ScenariousFrancis Alexander
 
Automated Deployment using Open Source
Automated Deployment using Open SourceAutomated Deployment using Open Source
Automated Deployment using Open Sourceduskglow
 
Presentation automating failover with data guard in the cloud
Presentation automating failover with data guard in the cloudPresentation automating failover with data guard in the cloud
Presentation automating failover with data guard in the cloudxKinAnx
 
Hardening cassandra q2_2016
Hardening cassandra q2_2016Hardening cassandra q2_2016
Hardening cassandra q2_2016zznate
 
Securing Cassandra for Compliance
Securing Cassandra for ComplianceSecuring Cassandra for Compliance
Securing Cassandra for ComplianceDataStax
 
Why Sun for Drupal?
Why Sun for Drupal?Why Sun for Drupal?
Why Sun for Drupal?smattoon
 
Security Tips to run Docker in Production
Security Tips to run Docker in ProductionSecurity Tips to run Docker in Production
Security Tips to run Docker in ProductionGianluca Arbezzano
 
1. Scaling PHP/MySQL...Presentation from Flickr
1. Scaling PHP/MySQL...Presentation from Flickr 1. Scaling PHP/MySQL...Presentation from Flickr
1. Scaling PHP/MySQL...Presentation from Flickrakshat
 
ApacheCon NA 2010 - Developing Composite Apps for the Cloud with Apache Tuscany
ApacheCon NA 2010 - Developing Composite Apps for the Cloud with Apache TuscanyApacheCon NA 2010 - Developing Composite Apps for the Cloud with Apache Tuscany
ApacheCon NA 2010 - Developing Composite Apps for the Cloud with Apache TuscanyJean-Sebastien Delfino
 
Implementation of ssl injava
Implementation of ssl injavaImplementation of ssl injava
Implementation of ssl injavatanujagrawal
 
Building a Gateway Server
Building a Gateway ServerBuilding a Gateway Server
Building a Gateway ServerDashamir Hoxha
 
Drupal Efficiency - Coding, Deployment, Scaling
Drupal Efficiency - Coding, Deployment, ScalingDrupal Efficiency - Coding, Deployment, Scaling
Drupal Efficiency - Coding, Deployment, Scalingsmattoon
 
Whats new in Oracle Trace File analyzer 18.3.0
Whats new in Oracle Trace File analyzer 18.3.0Whats new in Oracle Trace File analyzer 18.3.0
Whats new in Oracle Trace File analyzer 18.3.0Sandesh Rao
 

Similar to Exploring Solaris Autoregistration (20)

Drupal Camp Atlanta 2011 - Drupal Security
Drupal Camp Atlanta 2011 - Drupal SecurityDrupal Camp Atlanta 2011 - Drupal Security
Drupal Camp Atlanta 2011 - Drupal Security
 
Aeon mike guide transparent ssl filtering (1)
Aeon mike guide transparent ssl filtering (1)Aeon mike guide transparent ssl filtering (1)
Aeon mike guide transparent ssl filtering (1)
 
Aeon mike guide transparent ssl filtering
Aeon mike guide transparent ssl filteringAeon mike guide transparent ssl filtering
Aeon mike guide transparent ssl filtering
 
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surfaceTeflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surface
 
Sql Injections With Real Life Scenarious
Sql Injections With Real Life ScenariousSql Injections With Real Life Scenarious
Sql Injections With Real Life Scenarious
 
Automated Deployment using Open Source
Automated Deployment using Open SourceAutomated Deployment using Open Source
Automated Deployment using Open Source
 
Presentation automating failover with data guard in the cloud
Presentation automating failover with data guard in the cloudPresentation automating failover with data guard in the cloud
Presentation automating failover with data guard in the cloud
 
Hardening cassandra q2_2016
Hardening cassandra q2_2016Hardening cassandra q2_2016
Hardening cassandra q2_2016
 
Securing Cassandra for Compliance
Securing Cassandra for ComplianceSecuring Cassandra for Compliance
Securing Cassandra for Compliance
 
Why Sun for Drupal?
Why Sun for Drupal?Why Sun for Drupal?
Why Sun for Drupal?
 
Security Tips to run Docker in Production
Security Tips to run Docker in ProductionSecurity Tips to run Docker in Production
Security Tips to run Docker in Production
 
SalesDesktop FAQ
SalesDesktop FAQSalesDesktop FAQ
SalesDesktop FAQ
 
1. Scaling PHP/MySQL...Presentation from Flickr
1. Scaling PHP/MySQL...Presentation from Flickr 1. Scaling PHP/MySQL...Presentation from Flickr
1. Scaling PHP/MySQL...Presentation from Flickr
 
Kioptrix 2014 5
Kioptrix 2014 5Kioptrix 2014 5
Kioptrix 2014 5
 
Locking Down CF Servers
Locking Down CF ServersLocking Down CF Servers
Locking Down CF Servers
 
ApacheCon NA 2010 - Developing Composite Apps for the Cloud with Apache Tuscany
ApacheCon NA 2010 - Developing Composite Apps for the Cloud with Apache TuscanyApacheCon NA 2010 - Developing Composite Apps for the Cloud with Apache Tuscany
ApacheCon NA 2010 - Developing Composite Apps for the Cloud with Apache Tuscany
 
Implementation of ssl injava
Implementation of ssl injavaImplementation of ssl injava
Implementation of ssl injava
 
Building a Gateway Server
Building a Gateway ServerBuilding a Gateway Server
Building a Gateway Server
 
Drupal Efficiency - Coding, Deployment, Scaling
Drupal Efficiency - Coding, Deployment, ScalingDrupal Efficiency - Coding, Deployment, Scaling
Drupal Efficiency - Coding, Deployment, Scaling
 
Whats new in Oracle Trace File analyzer 18.3.0
Whats new in Oracle Trace File analyzer 18.3.0Whats new in Oracle Trace File analyzer 18.3.0
Whats new in Oracle Trace File analyzer 18.3.0
 

Recently uploaded

A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...panagenda
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 

Recently uploaded (20)

A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 

Exploring Solaris Autoregistration

  • 1. Exploring Solaris Auto-Registration An irreverant look at evaluating new Solaris management tools Tom Kranz http://www.gaeltd.com
  • 2. Some background first To manage infrastructure: You need to know what all the bits are You need to know what they do You need to know why they do it You need to know how they do it Then you can start tuning/scaling/hacking New features/tools/applications/traps upset all of this http://www.gaeltd.com
  • 3. Here there be dragons So, an apparently new tool in the OS comes along 'secure' Internet upload of data? From expensive bits of kit tucked away behind firewalls? I think not, chaps New bit of infrastructure, doing new things in new ways? Time for a poke around! http://www.gaeltd.com
  • 4. Why, Larry, why? Oracle need to make money from Solaris Oracle need to enforce their licensing Oracle need to know how and where Solaris is being deployed Oracle want to know what other products you're using Larry broke the mast on his yacht :-) http://www.gaeltd.com
  • 5. Fair's fair, though As a windsurfer, I'm totally with Larry wanting more cash from clients Masts and sails are pricey (more so for yachts than windsurfers) I'd totally gouge my clients for more windsurfing kit and time sailing As a sysadmin, I'm less impressed What next? Clippy the Paperclip? “Hi, I see you're deploying Oracle Solaris!” http://www.gaeltd.com
  • 6. So why mess with it? To know what's going on in my infrastructure Is it secure? Is it sensible? Will it break something? Also, auto-reg broke my Jumpstart setup Having it enabled by default irritated me So I got hacking about to find out more http://www.gaeltd.com
  • 7. How does it work? The release notes are pretty good here It collects 'service tags' and uploads them to My Oracle Support More on Service Tags at http://wikis.sun.com/display/ServiceTag/Sun+Service+Tag+FAQ Full list of data in a Service Tag is at: https://inventory.sun.com/inventory/data.jsp http://www.gaeltd.com
  • 8. “We fear change” Actually, this existed before in Sun Inventory: https://inventory.sun.com/inventory/ And Service Tags plugged into Ops Centre And no-one really used it, because Explorer was all we cared about for support http://www.gaeltd.com
  • 9. “In the grim future, there is only OEM” OEM will consume all! Sun Ops Center has been absored into Oracle Enterprise Manager OEM doesn't just manage databases anymore OS patch levels Application deployments Like The One Ring, OEM Ops Center brings them all together and binds them http://www.gaeltd.com
  • 10. Simplify infrastructure management Everything gets linked in together with a coherent management platform CTOs love this stuff Beancounters don't – it costs a lot up front But you get the OEM bits by default when deploying Oracle databases This is the antithesis of system administration to a scruffy hacker like me http://www.gaeltd.com
  • 11. Argh! Make it stop OK, how to turn it all off? In Jumpstart: Add autoreg=disable to sysidcfg JET 4.8 has new template variables – key one: base_config_sysidcfg_auto_reg=disable Interactive installs: Get to da choppa^Wterminal! Regadm disable Or kill the SMF service svc:/application/autoreg:default http://www.gaeltd.com
  • 12. What about Solaris 11? Check out the 'Register Oracle Solaris' icon on the desktop It calls /usr/bin/os-register Which is a python script which talks to inventory.sun.com It uses stclient, which is the CLI for service tag management http://www.gaeltd.com
  • 13. This all poses some issues I'm not really in the habit of deploying Solaris boxes in a corporate data centre with direct Internet access Or via a proxy for that matter And not if they're running RAC or similar critical loads SunInventory has a laptop client Nasty cludge I suspect it would make IDSs very unhappy too http://www.gaeltd.com
  • 14. Stclient Back in the days of Sun One, doing test installs of (eg.) Directory Server were problematical If you deleted it and tried to re-install it, you couldn't It used some sort of Java registry, and you had to delete the keys to re-install Egads! stclient! http://www.gaeltd.com
  • 15. Et tu, OpenIndiana? bash-4.0$ uname -a SunOS grond 5.11 oi_147 i86pc i386 i86pc bash-4.0$ which stclient /usr/bin/stclient /usr/bin/stclient -x dumps 4 service tags Yes, Alasdair is Mad Larry's stooge ;-) http://www.gaeltd.com
  • 16. Wait, it gets worse? Don't think that 'registering' will turn this off The SMF service stays enabled after registration After each boot, it scans for new service tags Then tries to upload them again http://www.gaeltd.com
  • 17. Let's hack about with it Stclient can remove service tags, so you can install something and delete the 'evidence' This assumes the 'something' is not clever enough to respond to a subnet scan from another Solaris host We can also use stclient to make up totally bogus products that have been installed http://www.gaeltd.com
  • 18. The America's Cup is mine! bash-3.00# stclient -a -p "Mad Larry's Yacht" -e "2.0 + mast patch" -t 30b26c7d-15eb-4d81- f546-dacc66b3aba3 -P Oracle -m Oracle -A trimaran -z The_Sea -S A_Shipyard Mad Larry's Yacht 2.0 + mast patch added Product instance URN=urn:st:8986657f-b561- c918-fafb-fa3de59e82c6 http://www.gaeltd.com
  • 19. Now let's break HTTPS You'll be wanting ParosProxy for this Nifty little Java proxy from www.parosproxy.org Extract it and run with java -jar paros.jar Configure regadm to use it: Regadm set -n http_proxy -v localhost Regadm set -n http_proxy_port -v 8080 Then kick off a registration request Regadm auth -u leo.apotheker@hp.com http://www.gaeltd.com
  • 20. Abbreviated message body POST https://inv- cs.sun.com/SCRK/ClientRegistrationV1_1_0 HTTP/1.1 Content-Disposition: form-data; name="VERSION" 1.1.1 Content-Disposition: form-data; name="SOA_ID" leo.apotheker@hp.com Content-Disposition: form-data; name="SOA_PW" password Content-Disposition: form-data; name="ASSET_ID" 341214851 <and a public key attached here as well> http://www.gaeltd.com
  • 21. And the response? TYPE=ERROR CODE=4 MESSAGE=Cannot authenticate: leo.apotheker@hp.com -- com.sun.scn.cs.usermgmt.client.NotFoundExce ption: Not Found exception; method=POST; key=session/leo.apotheker@hp.com? source=SCRK; return code=404 http://www.gaeltd.com
  • 22. Is it really that bad? You need to be root to mess with regadm/stclient The whole setup seems open to MITM attacks Denial of service against a competitor? “Death by Oracle licensing?” Will the service tag scanning set off IDSs? Inventory management means licensing revenue – customers want some support advantage to this stuff too http://www.gaeltd.com
  • 23. Are these the end times that were foretold? It's clear the future of Solaris involves Stricter licensing Tighter integration into Oracle's software stack And this means more integration into management tools like OEM Ops Center Still bummed nothing seems to be leveraging Explorer though http://www.gaeltd.com
  • 24. Questions? Or you can applaud, or throw coins, or something http://www.gaeltd.com