Category Archives: Professional

This is for posts that are categorized as Professional.

Creating Virtual Floppies with El Capitan

If, like me, you deploy a lot of Cisco Collaboration software in a virtualized environment, you may not know yet that the changes to Disk Utility in El Capitan pretty much destroy the ability we had in previous versions of OS X to create a ‘virtual’ floppy disk for the Answer File. Below is a quick summary of what you need to do to create those cool little floppy images and keep on building.

        1. Launch Terminal and create the new virtual floppy:
          hdiutil create -sectors 2880 -fs "MS-DOS FAT12" -layout NONE -volname "floppy" floppy
        2. Mount the new virtual floppy via Terminal:
          hdid -nomount floppy.dmg
        3. Open Disk Utility & Format the Image
          [Screenshots: Disk Utility, 1 to 3 of 3]
        4. Place your platformConfig.xml file on the Virtual Floppy
        5. Eject the Virtual Floppy
        6. Rename via Terminal: mv floppy.dmg floppy.flp

I hope this helps someone out. I wasted two hours of a TAC Engineer’s time last night while figuring out my issue was self-inflicted.

OpenSSL & IANA TLS Cipher Suites

I have been working with OpenVPN, OpenSSL and OpenSSH for the past couple of weeks on my Raspberry Pi running Debian “Wheezy” which has been fun and frustrating at the same time.

Due to the version of OpenVPN included with “Wheezy” and OpenVPN that I was running on my client, I was having a heck of a time getting the TLS Cipher to match up between Server and Client in configuration.

I found a software patch written by someone on the OpenVPN Dev team, and within it there was a nice table showing the OpenSSL Cipher Suite Name and corresponding IANA Cipher Suite Name. Since I wasted hours trying to figure this out, I hope it will help someone else out and save them time.

TLS OpenSSL Cipher Suite Name    TLS IANA (IETF) Cipher Suite Name
ADH-SEED-SHA TLS-DH-anon-WITH-SEED-CBC-SHA
AES128-GCM-SHA256 TLS-RSA-WITH-AES-128-GCM-SHA256
AES128-SHA256 TLS-RSA-WITH-AES-128-CBC-SHA256
AES128-SHA TLS-RSA-WITH-AES-128-CBC-SHA
AES256-GCM-SHA384 TLS-RSA-WITH-AES-256-GCM-SHA384
AES256-SHA256 TLS-RSA-WITH-AES-256-CBC-SHA256
AES256-SHA TLS-RSA-WITH-AES-256-CBC-SHA
CAMELLIA128-SHA256 TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256
CAMELLIA128-SHA TLS-RSA-WITH-CAMELLIA-128-CBC-SHA
CAMELLIA256-SHA256 TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256
CAMELLIA256-SHA TLS-RSA-WITH-CAMELLIA-256-CBC-SHA
DES-CBC3-SHA TLS-RSA-WITH-3DES-EDE-CBC-SHA
DES-CBC-SHA TLS-RSA-WITH-DES-CBC-SHA
DH-DSS-SEED-SHA TLS-DH-DSS-WITH-SEED-CBC-SHA
DHE-DSS-AES128-GCM-SHA256 TLS-DHE-DSS-WITH-AES-128-GCM-SHA256
DHE-DSS-AES128-SHA256 TLS-DHE-DSS-WITH-AES-128-CBC-SHA256
DHE-DSS-AES128-SHA TLS-DHE-DSS-WITH-AES-128-CBC-SHA
DHE-DSS-AES256-GCM-SHA384 TLS-DHE-DSS-WITH-AES-256-GCM-SHA384
DHE-DSS-AES256-SHA256 TLS-DHE-DSS-WITH-AES-256-CBC-SHA256
DHE-DSS-AES256-SHA TLS-DHE-DSS-WITH-AES-256-CBC-SHA
DHE-DSS-CAMELLIA128-SHA256 TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256
DHE-DSS-CAMELLIA128-SHA TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA
DHE-DSS-CAMELLIA256-SHA256 TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256
DHE-DSS-CAMELLIA256-SHA TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA
DHE-DSS-DES-CBC3-SHA TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA
DHE-DSS-DES-CBC-SHA TLS-DHE-DSS-WITH-DES-CBC-SHA
DHE-DSS-SEED-SHA TLS-DHE-DSS-WITH-SEED-CBC-SHA
DHE-RSA-AES128-GCM-SHA256 TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
DHE-RSA-AES128-SHA256 TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
DHE-RSA-AES128-SHA TLS-DHE-RSA-WITH-AES-128-CBC-SHA
DHE-RSA-AES256-GCM-SHA384 TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
DHE-RSA-AES256-SHA256 TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
DHE-RSA-AES256-SHA TLS-DHE-RSA-WITH-AES-256-CBC-SHA
DHE-RSA-CAMELLIA128-SHA256 TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256
DHE-RSA-CAMELLIA128-SHA TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
DHE-RSA-CAMELLIA256-SHA256 TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256
DHE-RSA-CAMELLIA256-SHA TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA
DHE-RSA-DES-CBC3-SHA TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA
DHE-RSA-DES-CBC-SHA TLS-DHE-RSA-WITH-DES-CBC-SHA
DHE-RSA-SEED-SHA TLS-DHE-RSA-WITH-SEED-CBC-SHA
DH-RSA-SEED-SHA TLS-DH-RSA-WITH-SEED-CBC-SHA
ECDH-ECDSA-AES128-GCM-SHA256 TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256
ECDH-ECDSA-AES128-SHA256 TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA256
ECDH-ECDSA-AES128-SHA TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA
ECDH-ECDSA-AES256-GCM-SHA384 TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384
ECDH-ECDSA-AES256-SHA256 TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA256
ECDH-ECDSA-AES256-SHA384 TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384
ECDH-ECDSA-AES256-SHA TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA
ECDH-ECDSA-CAMELLIA128-SHA256 TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA256
ECDH-ECDSA-CAMELLIA128-SHA TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA
ECDH-ECDSA-CAMELLIA256-SHA256 TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA256
ECDH-ECDSA-CAMELLIA256-SHA TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA
ECDH-ECDSA-DES-CBC3-SHA TLS-ECDH-ECDSA-WITH-3DES-EDE-CBC-SHA
ECDH-ECDSA-DES-CBC-SHA TLS-ECDH-ECDSA-WITH-DES-CBC-SHA
ECDH-ECDSA-RC4-SHA TLS-ECDH-ECDSA-WITH-RC4-128-SHA
ECDHE-ECDSA-AES128-GCM-SHA256 TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
ECDHE-ECDSA-AES128-SHA256 TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256
ECDHE-ECDSA-AES128-SHA384 TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA384
ECDHE-ECDSA-AES128-SHA TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA
ECDHE-ECDSA-AES256-GCM-SHA384 TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA256 TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA256
ECDHE-ECDSA-AES256-SHA384 TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384
ECDHE-ECDSA-AES256-SHA TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA
ECDHE-ECDSA-CAMELLIA128-SHA256 TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA256
ECDHE-ECDSA-CAMELLIA128-SHA TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA
ECDHE-ECDSA-CAMELLIA256-SHA256 TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA256
ECDHE-ECDSA-CAMELLIA256-SHA TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA
ECDHE-ECDSA-DES-CBC3-SHA TLS-ECDHE-ECDSA-WITH-3DES-EDE-CBC-SHA
ECDHE-ECDSA-DES-CBC-SHA TLS-ECDHE-ECDSA-WITH-DES-CBC-SHA
ECDHE-ECDSA-RC4-SHA TLS-ECDHE-ECDSA-WITH-RC4-128-SHA
ECDHE-RSA-AES128-GCM-SHA256 TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
ECDHE-RSA-AES128-SHA256 TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256
ECDHE-RSA-AES128-SHA384 TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA384
ECDHE-RSA-AES128-SHA TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA
ECDHE-RSA-AES256-GCM-SHA384 TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
ECDHE-RSA-AES256-SHA256 TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA256
ECDHE-RSA-AES256-SHA384 TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384
ECDHE-RSA-AES256-SHA TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA
ECDHE-RSA-CAMELLIA128-SHA256 TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA256
ECDHE-RSA-CAMELLIA128-SHA TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA
ECDHE-RSA-CAMELLIA256-SHA256 TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA256
ECDHE-RSA-CAMELLIA256-SHA TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA
ECDHE-RSA-DES-CBC3-SHA TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA
ECDHE-RSA-DES-CBC-SHA TLS-ECDHE-RSA-WITH-DES-CBC-SHA
ECDHE-RSA-RC4-SHA TLS-ECDHE-RSA-WITH-RC4-128-SHA
ECDH-RSA-AES128-GCM-SHA256 TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256
ECDH-RSA-AES128-SHA256 TLS-ECDH-RSA-WITH-AES-128-CBC-SHA256
ECDH-RSA-AES128-SHA384 TLS-ECDH-RSA-WITH-AES-128-CBC-SHA384
ECDH-RSA-AES128-SHA TLS-ECDH-RSA-WITH-AES-128-CBC-SHA
ECDH-RSA-AES256-GCM-SHA384 TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384
ECDH-RSA-AES256-SHA256 TLS-ECDH-RSA-WITH-AES-256-CBC-SHA256
ECDH-RSA-AES256-SHA384 TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384
ECDH-RSA-AES256-SHA TLS-ECDH-RSA-WITH-AES-256-CBC-SHA
ECDH-RSA-CAMELLIA128-SHA256 TLS-ECDH-RSA-WITH-CAMELLIA-128-CBC-SHA256
ECDH-RSA-CAMELLIA128-SHA TLS-ECDH-RSA-WITH-CAMELLIA-128-CBC-SHA
ECDH-RSA-CAMELLIA256-SHA256 TLS-ECDH-RSA-WITH-CAMELLIA-256-CBC-SHA256
ECDH-RSA-CAMELLIA256-SHA TLS-ECDH-RSA-WITH-CAMELLIA-256-CBC-SHA
ECDH-RSA-DES-CBC3-SHA TLS-ECDH-RSA-WITH-3DES-EDE-CBC-SHA
ECDH-RSA-DES-CBC-SHA TLS-ECDH-RSA-WITH-DES-CBC-SHA
ECDH-RSA-RC4-SHA TLS-ECDH-RSA-WITH-RC4-128-SHA
EDH-DSS-DES-CBC3-SHA TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA
EDH-DSS-DES-CBC-SHA TLS-DHE-DSS-WITH-DES-CBC-SHA
EDH-RSA-DES-CBC3-SHA TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA
EDH-RSA-DES-CBC-SHA TLS-DHE-RSA-WITH-DES-CBC-SHA
EXP-DES-CBC-SHA TLS-RSA-EXPORT-WITH-DES40-CBC-SHA
EXP-EDH-DSS-DES-CBC-SHA TLS-DH-DSS-EXPORT-WITH-DES40-CBC-SHA
EXP-EDH-RSA-DES-CBC-SHA TLS-DH-RSA-EXPORT-WITH-DES40-CBC-SHA
EXP-RC2-CBC-MD5 TLS-RSA-EXPORT-WITH-RC2-CBC-40-MD5
EXP-RC4-MD5 TLS-RSA-EXPORT-WITH-RC4-40-MD5
NULL-MD5 TLS-RSA-WITH-NULL-MD5
NULL-SHA256 TLS-RSA-WITH-NULL-SHA256
NULL-SHA TLS-RSA-WITH-NULL-SHA
PSK-3DES-EDE-CBC-SHA TLS-PSK-WITH-3DES-EDE-CBC-SHA
PSK-AES128-CBC-SHA TLS-PSK-WITH-AES-128-CBC-SHA
PSK-AES256-CBC-SHA TLS-PSK-WITH-AES-256-CBC-SHA
PSK-RC4-SHA TLS-PSK-WITH-RC4-128-SHA
RC4-MD5 TLS-RSA-WITH-RC4-128-MD5
RC4-SHA TLS-RSA-WITH-RC4-128-SHA
SEED-SHA TLS-RSA-WITH-SEED-CBC-SHA
SRP-DSS-3DES-EDE-CBC-SHA TLS-SRP-SHA-DSS-WITH-3DES-EDE-CBC-SHA
SRP-DSS-AES-128-CBC-SHA TLS-SRP-SHA-DSS-WITH-AES-128-CBC-SHA
SRP-DSS-AES-256-CBC-SHA TLS-SRP-SHA-DSS-WITH-AES-256-CBC-SHA
SRP-RSA-3DES-EDE-CBC-SHA TLS-SRP-SHA-RSA-WITH-3DES-EDE-CBC-SHA
SRP-RSA-AES-128-CBC-SHA TLS-SRP-SHA-RSA-WITH-AES-128-CBC-SHA
SRP-RSA-AES-256-CBC-SHA TLS-SRP-SHA-RSA-WITH-AES-256-CBC-SHA

Source: [PATCH 5/5] Switch to IANA names for TLS ciphers.
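To check the server/client mismatch described above before restarting a tunnel, the following added example (not from the original post or the OpenVPN patch) normalizes the `tls-cipher` lists of two OpenVPN configs to the IANA-style names in the table, reports the suites both sides share, and flags weak ones. The config snippets are constructed, the mapping is a subset of the table, and the function names are hypothetical.

```python
import re

# Subset of the OpenSSL -> IANA-style mapping, copied from the table above
# (hyphenated spelling, as the table gives it).
OPENSSL_TO_IANA = {
    "DHE-RSA-AES256-GCM-SHA384": "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384",
    "DHE-RSA-AES256-SHA256": "TLS-DHE-RSA-WITH-AES-256-CBC-SHA256",
    "DHE-RSA-AES256-SHA": "TLS-DHE-RSA-WITH-AES-256-CBC-SHA",
    "DHE-RSA-AES128-SHA": "TLS-DHE-RSA-WITH-AES-128-CBC-SHA",
    "EDH-RSA-DES-CBC3-SHA": "TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA",
    "RC4-SHA": "TLS-RSA-WITH-RC4-128-SHA",
}
# Name fragments that mark suites with no or weak encryption/authentication.
WEAK = re.compile(r"NULL|EXPORT|anon|RC4|DES|MD5")

# Constructed sample configs: server uses OpenSSL names, client uses IANA-style.
SERVER_CONF = ("# constructed sample\n"
               "tls-cipher DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA:"
               "EDH-RSA-DES-CBC3-SHA\n")
CLIENT_CONF = ("tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:"
               "TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA:TLS-RSA-WITH-RC4-128-SHA\n")

def tls_ciphers(config_text):
    """Return the tls-cipher list of an OpenVPN config as IANA-style names."""
    names = []
    for line in config_text.splitlines():
        parts = line.split("#", 1)[0].split()   # drop comments, tokenize
        if len(parts) == 2 and parts[0] == "tls-cipher":
            for name in parts[1].split(":"):
                if name.startswith("TLS-"):      # already IANA-style
                    names.append(name)
                elif name in OPENSSL_TO_IANA:    # translate OpenSSL name
                    names.append(OPENSSL_TO_IANA[name])
                else:                            # fail loudly, never guess
                    raise ValueError(f"no mapping for {name!r}")
    return names

def compare(server_conf, client_conf):
    """Return (suites listed by both sides in server order, weak ones among them)."""
    server, client = tls_ciphers(server_conf), tls_ciphers(client_conf)
    common = [c for c in server if c in client]
    weak = [c for c in common if WEAK.search(c)]
    return common, weak

if __name__ == "__main__":
    common, weak = compare(SERVER_CONF, CLIENT_CONF)
    print("shared:", common)
    print("weak  :", weak)
```

An empty shared list means the two configs cannot agree on a suite; a non-empty weak list means a suite worth removing from both sides is still negotiable.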

Restore a UCM Publisher from a Subscriber

This week I was hit by the perfect storm. I came across an environment that had two issues occur that created a nightmare, which I lost sleep over. Had these events occurred separately I would have had no problems and navigated them quite easily. Well, if our jobs were easy we would be bored and easily replaced by computer subroutines. And for those of us who are consultants we wouldn’t get those nice perks that come with our job. So, this week I dropped everything, cried a little, asked my boss if I could quit and faced the nightmare like a good consultant. Enough bloviating, let’s get to it.

First, this environment runs on the now EOS/EOL MCS 7845-I3, which in itself is a great teacher of patience with its (what feels like) 20 minute uEFI boot times. The Publisher started displaying that amber light we’ve all seen before on one of the hard drives. No big deal, right? I logged in and discovered that the Publisher’s filesystem went into read only mode. Great. After a ‘show hardware’ it was discovered three of the four hard drives were gone. 1 failed and 2 in imminent failure mode. TAC case opened to get the drives replaced, done. Next step: grab the last successful DRS backup to prepare for a Publisher restore. Life’s OK.

Here is where I started to get upset and our second event occurs: DRS had been failing for months. Only the Publisher showed as complete. At this point I’m like great, I have to attempt a restore from an incomplete backup which I’ve never seen work but this is me so it’ll work this time right? So the drives come in and I go through the forever process of installing UCM on the Publisher, which was easy. During this time I remembered why I love UCS and Collaboration in a virtualized environment, pondered life and attempted to formulate the plan on rebuilding a production cluster from scratch, if this restore didn’t work.  Four or so hours later I got to attempt the restore and wait, what? DRS will only restore CDR from those incomplete backups. Great, I called it a night and went to bed, seriously.

After a sleepless night I reached out to Cisco TAC and one of the best Collaboration SEs I’ve ever worked with, who is also a CCIE. After a few minutes the SE shares this document on how to restore a Publisher from a Subscriber with no previous DRS backups. First, I felt like he should have delivered that to me in a LMGTFY link and then second, I was thankful for all of those previous cases opened by people who were screwed by lazy consultants or bad network engineers who never cared to make sure backups were set up. After three hours I was able to successfully restore the Publisher without impacting call processing. I chose this moment to set up those pesky RSA IMM boards and update the server firmware as well, so I did cause brief outages but this document worked great.

Some notes:

  • I knew the cluster Security Password, if you don’t I believe you’re out of luck
  • The Publisher was glass housed

Here is the document: CUCM Publisher Node Restoration from Subscriber Database without Prior Backup or Root Access

If you ever find yourself in this situation, follow it to the letter.