Using a Dell DRAC5 with a modern browser and OS

The DRAC5 is a remote access card, letting you control a server such as the PowerEdge 300. With it, you can simulate physical access to the machine, viewing the screen on boot, entering commands and cycling power.

Unfortunately, Dell has neglected this aging product. Trying to use it today will lead to errors in modern browsers and Java implementations. Fortunately, they can be worked around.

Clear space on the DRAC5

Before getting started, we want to ensure there is sufficient free space on the remote access card. If there is not sufficient space, the card will fail in strange ways (such as the web interface not loading).

Log in to the remote access card using SSH. Clear the logs:

racadm clrraclog

Restart the device:

racadm racreset

Update the DRAC5 firmware

Download version 1.65 of the firmware. Get the “hard drive” update package. If you’re on a Mac or Linux, you can decompress the .exe with the unzip command:

unzip f_drac5v165_A00.exe

You’ll get one file: firmimg.d5.

  1. Go to the web interface for your DRAC5.
  2. Enter your username and password. Click OK.
  3. On the left-hand side menu, click Remote Access.
  4. Click Choose File. Select firmimg.d5.
  5. Click Update.
  6. Wait for the update to complete and the DRAC card to reboot.

Install a TLS (SSL) certificate

Before you can install a certificate, you need to create a Certificate Signing Request (CSR). By default the DRAC5 generates 1024-bit RSA keys for its CSRs, which public CAs (Let’s Encrypt included) no longer accept. The key size can be raised to 2048 bits with a CLI command.

Log in to the DRAC5 using SSH. Run the following:

racadm config -g cfgRacSecurity -o cfgRacSecCsrKeySize 2048

You should see:

Object value modified successfully

Now, let’s generate CSR and obtain and install the certificate:

  1. Go to the web interface for your DRAC5.
  2. Enter your username and password. Click OK.
  3. On the left-hand side menu, click Remote Access.
  4. Click the Configuration tab.
  5. Click SSL.
  6. “Generate a New Certificate Signing Request (CSR)” will be selected. Click Next.
  7. Fill out the form and click Generate.
  8. A file named csr.txt will download. Open it up. It will start with -----BEGIN CERTIFICATE REQUEST-----. The first characters of the next line encode the length of the request: MIIC means 512 to 767 bytes, which is what a CSR carrying a 2048-bit RSA key comes to. If it starts with MIIB (256 to 511 bytes), the request still carries a 1024-bit key; run the racadm config command again and regenerate the CSR.
  9. Go to sslforfree.com. This will let you get a certificate using Let’s Encrypt without having to run your own website.
  10. Enter the hostname of your DRAC5 card. Click Create Free SSL Certificate.
  11. Click Manual Verification (DNS).
  12. Click Manually Verify Domain.
  13. Add the TXT record they specify.
  14. Verify the TXT record.
  15. Check the “I Have My Own CSR” box.
  16. Read the warning and click OK.
  17. Paste the contents of csr.txt in to the text field.
  18. Click “Download SSL Certificate.”
  19. Click “Download All SSL Certificate Files.” A file named sslforfree.zip will be downloaded.
  20. Create an account to get reminded by SSLForFree when the certificate expires (in 90 days).
  21. Unzip sslforfree.zip. You’ll see three files:

    private.key
    ca_bundle.crt
    certificate.crt

  22. Repeat steps 1-5 above.
  23. Click Upload Server Certificate. Click Next.
  24. Click Choose File. Select certificate.crt.
  25. Click Apply. You should see:

    The certificate was uploaded successfully. The DRAC will now reset and the browser will close. Wait for a few minutes before logging back into the DRAC

  26. Click OK.
  27. Wait for DRAC card to reboot.
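
Reading the base64 prefix works, but openssl will tell you the key size outright and also show the DER length that the MIIB/MIIC prefix reflects. The script below is an added example, not from the original post; it assumes openssl is installed and that the CSR is the csr.txt file the DRAC downloaded.

```sh
#!/bin/sh
# Added example, not from the original post: check a DRAC5 CSR's key size
# with openssl rather than by reading its base64 prefix. Assumes openssl is
# installed and the CSR is the csr.txt file the DRAC downloaded.

# csr_key_bits FILE: print the RSA modulus size in bits of a PEM CSR.
csr_key_bits() {
  openssl req -in "$1" -noout -text 2>/dev/null |
    sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# csr_der_length FILE: print the byte length of the outer DER SEQUENCE.
# This is what the MIIB/MIIC prefix in the PEM text reflects: a request of
# 0x01xx bytes encodes to "MIIB...", one of 0x02xx bytes to "MIIC...".
csr_der_length() {
  hdr=$(openssl req -in "$1" -outform DER 2>/dev/null | od -An -tx1 -N4)
  set -- $hdr                     # 30 82 <hi> <lo>: SEQUENCE, 2-byte length
  [ "$1" = 30 ] && [ "$2" = 82 ] || return 1
  printf '%d\n' "0x$3$4"
}

# csr_check FILE: exit 0 for a key of at least 2048 bits, 1 when the key is
# too short (rerun the racadm config step and regenerate), 2 if unparsable.
csr_check() {
  bits=$(csr_key_bits "$1")
  [ -n "$bits" ] || { echo "$1: not a readable PEM CSR"; return 2; }
  if [ "$bits" -ge 2048 ]; then
    echo "$1: $bits-bit RSA key ($(csr_der_length "$1") DER bytes), OK"
  else
    echo "$1: $bits-bit RSA key, too short for a public CA; regenerate"
    return 1
  fi
}

# Usage: sh csr_check.sh csr.txt
if [ $# -gt 0 ]; then csr_check "$1"; fi
```

Run it against csr.txt before pasting the request into the CA’s form; a non-zero exit means the racadm config step did not take and the CA would reject the request anyway.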

Downgrade Java security to allow remote access

Modern Java runtimes disable old TLS algorithms and weak certificate signatures. The DRAC5 does not support modern ones, so to use its remote console you have to re-enable these older methods in Java by hand. Note that the change applies to every program that uses that Java runtime, not just the DRAC viewer, so keep it to the duration of the session.

To do this, you need to edit the java.security text file. Its location will vary depending on which version of Java you have installed.

On macOS, you will find it in Internet Plug-Ins:

/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/security/java.security
/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/conf/security/java.security

The path will vary depending on your version of Java. Java 9.0.4+11 uses conf/security/java.security.

Edit this file. Comment out the two properties below by adding a # at the beginning of each line, continuation lines included (four lines in total).

Change:

jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
EC keySize < 224, DES40_CBC, RC4_40

To:

#jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
# EC keySize < 224, DES40_CBC, RC4_40

Change:

jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224

To:

#jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
# RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224

Remember to uncomment those lines when you’re done with the DRAC5 remote console. While they are commented out, every Java program on the machine will accept SSLv3, RC4, MD5-signed certificates and keys shorter than 1024 bits.
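
Rather than editing the file by hand and hoping to remember to undo it, wrap the console session in a script that comments the properties out, runs the viewer, and restores the original file when the viewer exits. This is an added example, not from the original post. Both the value line and its backslash-continued line have to be commented, because java.util.Properties skips a comment line entirely and would otherwise read the continuation line as a stray key. The JAVA_SECURITY path, the SUDO prefix and the javaws -wait invocation are assumptions; adjust them for your Java version.

```sh
#!/bin/sh
# Added example, not from the original post: weaken java.security only for
# the length of a DRAC5 console session and restore it afterwards.
# JAVA_SECURITY (path), SUDO and the "javaws -wait" invocation are
# assumptions; adjust them for your Java version.

JAVA_SECURITY="${JAVA_SECURITY:-/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/security/java.security}"
SUDO="${SUDO-sudo}"   # set SUDO= if the file is writable by your user

# comment_property FILE KEY: print FILE with the "KEY=..." line and its
# backslash-continued lines prefixed by "#". Every line of the value must be
# commented: java.util.Properties skips a comment line entirely, so a
# continuation line left alone would be parsed as a stray key of its own.
comment_property() {
  awk -v key="$2" '
    cont { print "#" $0; if ($0 !~ /\\$/) cont = 0; next }
    index($0, key "=") == 1 { print "#" $0; cont = ($0 ~ /\\$/); next }
    { print }
  ' "$1"
}

# uncomment_property FILE KEY: the inverse, stripping the leading "#" from
# the "#KEY=..." line and its continuation lines only.
uncomment_property() {
  awk -v key="$2" '
    cont { sub(/^#/, ""); print; if ($0 !~ /\\$/) cont = 0; next }
    index($0, "#" key "=") == 1 { sub(/^#/, ""); print; cont = ($0 ~ /\\$/); next }
    { print }
  ' "$1"
}

# drac_console JNLP: back up java.security, comment out both properties,
# run the console viewer, and put the original file back when it exits.
drac_console() {
  bak="$JAVA_SECURITY.drac-backup"
  $SUDO cp "$JAVA_SECURITY" "$bak" || return 1
  # restore on normal exit; Ctrl-C or kill turn into an exit so the trap runs
  trap '$SUDO mv "$bak" "$JAVA_SECURITY"' EXIT
  trap 'exit 130' INT TERM
  for key in jdk.tls.disabledAlgorithms jdk.certpath.disabledAlgorithms; do
    comment_property "$JAVA_SECURITY" "$key" | $SUDO tee "$JAVA_SECURITY.tmp" >/dev/null &&
      $SUDO mv "$JAVA_SECURITY.tmp" "$JAVA_SECURITY" || return 1
  done
  # -wait keeps javaws in the foreground until the viewer closes, so the
  # trap above does not restore the file before the viewer's JVM has read it
  javaws -wait "$1"
}

# Usage: sh drac_console.sh vkvm.jnlp
if [ $# -gt 0 ]; then drac_console "$1"; fi
```

The two awk functions only write to standard output, so you can run comment_property against a copy of java.security and diff it before trusting the wrapper with the real file.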

Add Security Exceptions

  1. Go to System Preferences > Java
  2. In the Java Control Panel, click the Security tab
  3. Click “Edit Site List”
  4. Add both https://hostname and http://ipaddress
  5. Click OK
  6. Click OK

Access remote console

  1. Go to the web interface for your DRAC5.
  2. Enter your username and password. Click OK.
  3. Click the Console tab.
  4. Click Connect. A file named vkvm.jnlp will download.
  5. In Terminal, type javaws vkvm.jnlp.

HOWTO register for a Verizon online account for your business land line

TLDR: Be sure to enter only the first 13 digits of your 16-digit account number. Use hyphens when entering the phone number.

I recently had to register for a verizon.com account for our business landline. This process was more difficult and took far longer than it should have, due to:

  • poor website usability
  • poor staff training

Registration process overview

You go to Verizon’s website. You confirm your email address is valid. You prove ownership of the account by entering the account’s phone number, account number and zip code.

  1. Go to verizon.com/mybusiness, which redirects you to https://business.verizon.com/MyBusinessAccount/?CMP=DMC-SMP_S_ZZ_ZZ_E_BM_N_X00007:
  2. Click Register.
  3. Enter your phone number and zip code, using the format 718-555-1212. Click Continue.

    If you use 718 555 1212, it gets rejected with a misleading error (“The information you entered does not match the information we have on file”), and both the phone number and zip code are erased.

  4. Once that’s done, you’re prompted to enter your account number.

    At the top of your bill, you’ll see your phone number (718-555-1212) and your account number (718 555 1212 678 90 1). You may be tempted to enter the entire 16-digit account number. The text field will let you do so (it lacks a maxlength attribute). If you do that, registration will fail with a generic “information does not match” error.

After trying and failing to register multiple times with different browsers (using standard and incognito windows), I reached out to Verizon for help.

I tried:

  • DMing @VZWSupport on Twitter. Turns out that is Verizon wireless support.
  • DMing @VerizonSupport. They bounced me to chat support.
  • Chat support. Gets my account number. Doesn’t mention the length issue. Asks many irrelevant questions.
  • Phone support. Called. Spoke to a rep who solved the problem in three minutes. Thanked her. Thanked her to her manager. Had a nice conversation with her manager about how broken this process is.

Verizon: if you’re reading this, follow Postel’s law (“Be liberal in what you accept, and conservative in what you send”). Ten lines of code to accept phone numbers regardless of formatting and account numbers regardless of length would save you hundreds of thousands of dollars a year in support costs.

Fixing git-svn on OS X El Capitan

When you install a new version of Mac OS X, git svn breaks. This happened with Mountain Lion and Mavericks, it happened with Yosemite. It happens again with El Capitan.

Unfortunately, the old solutions no longer work due to El Capitan’s System Integrity Protection:

$ sudo ln -s /Applications/Xcode.app/Contents/Developer/Library/Perl/5.18/darwin-thread-multi-2level/SVN /System/Library/Perl/Extras/5.18/SVN
ln: /System/Library/Perl/Extras/5.18/SVN: Operation not permitted

While you can disable SIP, that’s unnecessary in this case.

Here’s how you get git-svn working:

sudo mkdir /Library/Perl/5.18/auto
sudo ln -s /Applications/Xcode.app/Contents/Developer/Library/Perl/5.18/darwin-thread-multi-2level/SVN /Library/Perl/5.18/darwin-thread-multi-2level
sudo ln -s /Applications/Xcode.app/Contents/Developer/Library/Perl/5.18/darwin-thread-multi-2level/auto/SVN /Library/Perl/5.18/auto/

You can’t write to /System, but you can still write to /Library, which is also on Perl’s @INC. Both ln destinations must already be directories: if /Library/Perl/5.18/darwin-thread-multi-2level is missing on your system, the second command creates a symlink with that name instead of placing SVN inside it, so mkdir it first, as for auto. Check the result with perl -MSVN::Core -e 1 (silent exit means the bindings load) before trying git svn again.

Talking to the MTA is like talking to a brick wall

Last week, I was on a cold train. A really cold train.

I sent the MTA a note about it. To make this complaint actionable, I gave them the train line, approximate time and car number.

It is way too cold on trains. Please turn off the AC.

I was on a southbound 2/3 train. I got off at Borough Hall around 7:20. I was in car 1383.

They sent me an automated reply:

Your email has been received. You will receive a response as soon as possible; however, some responses can take up to 15 business days.

Please do not reply to this email, as it will go to an unattended email box.

15 business days? That’s crazy. Fortunately, I didn’t have to wait that long. After 48 long hours, I received this thoughtful and detailed reply:

This is to acknowledge your e-mail to MTA New York City Transit.

The MTA is committed to providing safe, courteous, reliable, and accessible service. Please be assured that all comments, suggestions, compliments and complaints we receive from our customers are forwarded to the appropriate managerial personnel for review and any necessary action.

We encourage you to continue to e-mail us at www.mta.info, via the “Customer Self Service” link, with your comments and concerns. We look forward to serving you better now and in the future. Please note your reference number above.

Thank you for contacting us.

Sharon Adams
Customer Services

I tried to follow up — both to the general purpose mailbox, and to Sharon Adams herself (fortunately, her email and phone number are public):

[Screenshot of the follow-up email, 2015-09-29]

Turns out they don’t do email:

This mailbox is not monitored.

If you wish to respond to a previous e-mail, please create a new email using the customer service link http://mta-nyc.custhelp.com/app/ask and include your incident number in the subject line.

Thank you.

Sharon didn’t write me back, either.

HOWTO make readline and history work with irb and rails console on OS X Yosemite

Here’s how to make readline (including control-R reverse search) and command history work with both irb and the Rails console with rbenv and OS X Yosemite (10.10.4).

You need to install Readline first, as OS X ships with libedit instead. You also need to make sure rbenv knows where you put readline.

1. Install rbenv and the ruby-build plugin.

2. Download GNU Readline. Install it:

tar zxf readline-6.3.tar.gz && rm readline-6.3.tar.gz
cd readline-6.3
./configure && make && sudo make install
cd ..
rm -rf readline-6.3

3. Install Ruby using rbenv:

RUBY_CONFIGURE_OPTS="--with-readline-dir=/usr/local" rbenv install 2.2.2

4. Add these lines to your ~/.irbrc file:

require 'irb/completion'
require 'irb/ext/save-history'
IRB.conf[:SAVE_HISTORY] = 10000
IRB.conf[:HISTORY_FILE] = "#{ENV['HOME']}/.irb-history"

This gets everything working in irb. To make things work in Rails, you need to:

5. Install the rails and rb-readline gems:

gem install rails rb-readline

6. Add rb-readline to your Rails app’s Gemfile:

group :development, :test do
  gem 'rb-readline'
end

and run bundle install.

fixing dlopen “no suitable image found” errors with node, sass and grunt

I ran in to this error today:

$ grunt css
Loading “sass.js” tasks…ERROR
>> Error: dlopen(/path/to/project/node_modules/grunt-sass/node_modules/node-sass/vendor/darwin-x64-node-0.12/binding.node, 1): no suitable image found. Did find:
>> /path/to/project/node_modules/grunt-sass/node_modules/node-sass/vendor/darwin-x64-node-0.12/binding.node: truncated mach-o error: segment __LINKEDIT extends to 1765408 which is past end of file 1765309

Running “sass:theme” (sass) task
OptionParser::InvalidOption: invalid option: --image-path=assets/img
Use --trace for backtrace.
OptionParser::InvalidOption: invalid option: --image-path=assets/img
Use --trace for backtrace.
OptionParser::InvalidOption: invalid option: --image-path=assets/img
Use --trace for backtrace.
Warning: Exited with error code 1 Use --force to continue.

Aborted due to warnings.

For those curious, this is dyld failing to open a shared library. (See man dlopen.)

I checked and the file exists:

$ file /path/to/project/node_modules/grunt-sass/node_modules/node-sass/vendor/darwin-x64-node-0.12/binding.node
/path/to/project/node_modules/grunt-sass/node_modules/node-sass/vendor/darwin-x64-node-0.12/binding.node: Mach-O 64-bit bundle x86_64

Reinstalling fixed things. The “segment __LINKEDIT extends to 1765408 which is past end of file 1765309” part of the error means the prebuilt binding.node on disk is shorter than its own headers say it should be, i.e. a truncated download, so the binary has to be fetched again:

$ rm -rf node_modules/grunt-sass
$ npm install
> [email protected] install /path/to/project/node_modules/grunt-sass/node_modules/node-sass
> node scripts/install.js

> [email protected] postinstall /path/to/project/node_modules/grunt-sass/node_modules/node-sass
> node scripts/build.js

`darwin-x64-node-0.12` exists; testing
Binary is fine; exiting
[email protected] node_modules/grunt-sass
├── [email protected]
├── [email protected] ([email protected], [email protected])
└── [email protected] ([email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected])

Quick Cruz and Paul updates

Good news: Ted Cruz’s https homepage no longer 404s:

$ curl -I https://tedcruz.org/

HTTP/1.1 301 Moved Permanently
Server: cloudflare-nginx
Date: Wed, 15 Apr 2015 02:03:46 GMT
Content-Type: text/html
Connection: keep-alive
Set-Cookie: __cfduid=d738dec08ca404d83f8aa2b5baafa66821429063426; expires=Thu, 14-Apr-16 02:03:46 GMT; path=/; domain=.tedcruz.org; HttpOnly
Location: http://www.tedcruz.org/
Set-Cookie: X-Mapping-fjhppofk=FDCC6397B2B0DC55E6AEB95E4FAB3D36; path=/
CF-RAY: 1d74136e3b2b076d-EWR

I noted Rand Paul is running PHP 5.5.9. That’s true, but there’s more to it. He’s actually running PHP 5.5.9-1ubuntu4.6. Since Ubuntu backports security fixes, he’s only about two months behind, not fourteen. (PHP 5.5.9-1ubuntu4.7 was released in March.)

Presidential candidate website tech, compared

Today, Hillary Clinton announced that she’s running for president. She also launched a new website.

Over the next year, political pundits will spend far too much time dissecting the horse race, scandals (real or imagined), the electoral college and more polls than you can shake a stick at. I’m doing none of that. I’m just looking at websites.

So, you want to run a country. Can you hire someone who can run a website? These days, that means all new sites, whether running the government or delivering news should be built over HTTPS.

Here’s how the (declared) candidates’ sites fare:

Site                     | hillaryclinton.com                                     | tedcruz.org                         | randpaul.com                       | marcorubio.com                      | Expected
HTTPS works              |                                                        | ish [1]                             |                                    |                                     |
HTTPS default            |                                                        |                                     |                                    |                                     |
HSTS                     |                                                        |                                     |                                    |                                     |
Requires SNI [2]         |                                                        |                                     |                                    |                                     |
https site.com           | redirects to www                                       | 404 error                           | works                              | works                               |
https www.site.com       | works                                                  | redirects to http://www.tedcruz.org | works                              | redirects to https://marcorubio.com |
canonical hostname       | www.hillaryclinton.com                                 | www.tedcruz.org                     | none                               | marcorubio.com                      | something
SSL Labs rating          | A [3]                                                  | A                                   | A                                  | A                                   | A+
sha2                     |                                                        |                                     |                                    |                                     |
intermediate sha2        |                                                        |                                     |                                    |                                     |
cert vendor              | Comodo                                                 | RapidSSL                            | RapidSSL                           | Comodo                              |
intermediate cert vendor | Comodo                                                 | GeoTrust Global CA                  | GeoTrust Global CA                 | Comodo                              |
cert type                | Wildcard                                               | Wildcard                            | Wildcard                           | SAN                                 | Wildcard or Standard
CDN                      | Fastly                                                 | CloudFlare                          | CloudFlare                         | CloudFlare                          | something
Server signature         | nginx (hc.com), AmazonS3 (www)                         | CloudFlare nginx                    | CloudFlare nginx                   | CloudFlare nginx                    |
Tech                     | Python (?) [gunicorn 19.1.1 + Varnish], groundwork [4] | WordPress 4.1.1                     | WordPress 4.1.1, PHP 5.5.9, Ubuntu |                                     |
Registrar                | Network Solutions                                      | GoDaddy                             | Fabulous.com Pty Ltd               | GoDaddy                             | hopefully not GoDaddy
Whois Privacy            |                                                        | Domains By Proxy, LLC               | Whois Privacy Services Pty Ltd     | Domains By Proxy, LLC               |
Origin IP                | ??                                                     | 64.39.8.246 [5]                     | ??                                 | ??                                  |
Origin Server            | ??                                                     | Apache/2.2                          | ??                                 | ??                                  |
Mail server              | Gmail                                                  | Gmail                               | Gmail                              | Gmail                               |
IPv6                     |                                                        |                                     |                                    |                                     |
ESP (SPF)                | SilverPOP Systems                                      | Marketo, Sendgrid                   | Mailgun                            | VerveMail                           |
SPF type                 | TXT                                                    | TXT                                 | TXT                                | SPF, TXT                            |
robots.txt               |                                                        |                                     |                                    |                                     |
robots details           | Disallow: /api/                                        | Disallow: /wp-admin/                | nothing disallowed                 | [6]                                 |

(The yes/no marks for the HTTPS works, HTTPS default, HSTS, Requires SNI, sha2, intermediate sha2, IPv6 and robots.txt rows are not reproduced here; only the text cells are.)

I’ll update this as more candidates declare or sites change.

Notes

  1. https://www.tedcruz.org works, but https://tedcruz.org gives a 404 error.
  2. Sites that require Server Name Indication (SNI), such as this one, are incompatible with a handful of legacy browsers.
  3. Fastly’s www.hillaryclinton.com gets a score of 90 on key exchange, while the AWS servers (hillaryclinton.com) get a score of 80. The AWS servers also have an extra cert in the chain (signed with SHA1).
  4. Groundwork appears to be a custom JavaScript web framework. It does not seem to be related to either the I Like Robots Groundwork or Groundwork CSS.
  5. Likely origin, based on server responses.
  6. Redirects to https://www.marcorubio.com/landing/stream/.
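
The apex/www and HSTS rows above come from looking at response headers like the curl -I output in the Cruz update. The script below is an added example, not part of the original post: classify_https turns one response’s headers into the labels the table uses (works, redirects to ..., 404 error), flagging a redirect from https to plain http as a downgrade; hsts_max_age pulls the HSTS lifetime; https_check runs both against a live host with curl. The hostnames are placeholders and the header samples used to exercise it are constructed.

```sh
#!/bin/sh
# Added example, not part of the original post: the apex/www redirect and
# HSTS checks behind the table, scripted. classify_https and hsts_max_age
# read one response's headers (as printed by curl -I) from stdin;
# https_check runs them against a live host. Hostnames are placeholders.

# status_code: numeric code from the first HTTP status line
status_code() {
  awk 'NR == 1 && $1 ~ /^HTTP\// { print $2; exit }'
}

# header NAME: value of the first header called NAME, case-insensitive,
# with the trailing CR that curl leaves on each line removed
header() {
  awk -v name="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
    tolower($1) == (name ":") {
      sub(/^[^:]*:[ \t]*/, ""); sub(/\r$/, ""); print; exit
    }'
}

# classify_https: the labels used in the table, from a response's headers
classify_https() {
  hdrs=$(cat)
  code=$(printf '%s\n' "$hdrs" | status_code)
  case "$code" in
    2??) echo "works" ;;
    301|302|303|307|308)
      loc=$(printf '%s\n' "$hdrs" | header Location)
      case "$loc" in
        http://*) echo "redirects to $loc (downgrade to plain HTTP)" ;;
        *)        echo "redirects to $loc" ;;
      esac ;;
    404) echo "404 error" ;;
    '')  echo "no HTTP response" ;;
    *)   echo "HTTP $code" ;;
  esac
}

# hsts_max_age: the max-age of a Strict-Transport-Security header, if any
hsts_max_age() {
  header Strict-Transport-Security | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p'
}

# https_check DOMAIN: probe https://DOMAIN/ and https://www.DOMAIN/
https_check() {
  for h in "$1" "www.$1"; do
    hdrs=$(curl -sSI --max-time 10 "https://$h/" 2>/dev/null)
    verdict=$(printf '%s\n' "$hdrs" | classify_https)
    age=$(printf '%s\n' "$hdrs" | hsts_max_age)
    printf '%-32s %s%s\n' "https://$h/" "$verdict" "${age:+ (HSTS max-age=$age)}"
  done
}

# Usage: sh https_check.sh example.com
if [ $# -gt 0 ]; then https_check "$1"; fi
```

A host that answers with a redirect to http:// is the case the table marks against tedcruz.org: the TLS connection succeeded only to send the visitor straight back to plaintext, and without HSTS nothing stops that.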

Updates

  • 2:01am EDT: Fixed randpaul.com topline.
  • 8:46am EDT: Fixed spelling of spend and fastly.
  • 11:33am EDT: marcorubio.com (now) seems to have certs signed with SHA-1.
  • 2:27pm EDT: Added robots.txt.
  • 2:35pm EDT: Added “Expected” column.