Configuring HP ILO Settings and TLS Certificates With Powershell

by Ryan 6. February 2015 17:02

I've been configuring HP ILOs lately. And of course, the cardinal rule in I.T. is that if you're going to do something more than once, then you must start automating it.  And of course, if you want to automate something, then you fire up Powershell.

Luckily, HP is playing ball with the HP Scripting Tools for Windows Powershell. The cmdlets are not half bad, either. Essentially, what I needed to do was configure a bunch of ILOs, including renaming them, setting some IPv6 settings, and putting valid SSL/TLS certificates on them.

First, let's save the ILO's address (or hostname), username, and password for future use:

[String]$Device   = '10.1.2.3'
[String]$Username = 'Admin'
[String]$Password = 'P@ssword'

Next, let's turn off IPv6 SLAAC and DHCPv6 (for ILO 3s, firmware ~1.28 or so, and above):

Set-HPiLOIPv6NetworkSetting -Server $Device `
                            -Username $Username `
                            -Password $Password `
                            -AddressAutoCfg Disable

Set-HPiLOIPv6NetworkSetting -Server $Device `
                            -Username $Username `
                            -Password $Password `
                            -DHCPv6Stateless Disable

Set-HPiLOIPv6NetworkSetting -Server $Device `
                            -Username $Username `
                            -Password $Password `
                            -DHCPv6Stateful Disable

Next I wanted to set the FQDN to what I wanted it to be... it was important that I turned DHCP off first, because the ILO wanted to set the domain name using DHCP and thus locked it from being edited, even though no DHCP server was actually on the network:

Set-HPiLOServerName -Server $Device `
                    -Username $Username `
                    -Password $Password `
                    -ServerName 'server1-ilo.contoso.com'

Now I wanted to put a valid SSL/TLS certificate on the ILO. So, I needed to first generate a Certificate Signing Request (CSR) on the ILO:

Get-HPiLOCertificateSigningRequest -Server $Device `
                                   -Username $Username `
                                   -Password $Password

IP                          : 10.1.2.3
HOSTNAME                    : server1-ilo.contoso.com
STATUS_TYPE                 : OK
STATUS_MESSAGE              : OK
CERTIFICATE_SIGNING_REQUEST : -----BEGIN CERTIFICATE REQUEST-----
                              a1b2c3d4e5A0B1C2D3F4E5
                              3ba43+/evnokaDvzG9nbs3
                              a1b2c3d4e5A0B1C2D3F4E=
                              -----END CERTIFICATE REQUEST-----

Nice... now copy and paste the entire CSR text block, including the -----BEGIN and END----- bits, and submit that to your certificate authority.  Then, the administrator of the certificate authority has to approve the request.

This is the one piece where automation breaks down, in my opinion, and some manual intervention is necessary. This is not a technical limitation, though... it's by design.  The idea is that the entire basis of SSL/TLS public key cryptography is that it's based on trust.  And that trust has to come from other sources such as the Certificate Authority administrator phoning the requestor and verifying that it was actually them making the request, or getting some additional HR info, or whatever.  If, at the end of the day, there was no extraordinary measure taken to really verify the requestor's identity, then you can't really trust these certificates.

Anyway, once the CA has signed your CSR, you just need to import the signed certificate back into the ILO:

Import-HPiLOCertificate -Server $Device `
                        -Username $Username `
                        -Password $Password `
                        -Certificate (Get-Content C:\mycert.cer -Raw) 

Assuming no errors were returned, then you're done and your HP ILO will now reboot, and when it comes back up, will be using a valid SSL certificate.
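
One way to confirm the result once the ILO is back up, as an added example that is not part of the original post: connect to the ILO's HTTPS port, read the certificate it actually serves, and compare it with the file the CA returned. Get-ServedCertificate and Test-IloCertificate are hypothetical helper names; the address, FQDN and C:\mycert.cer are the values used above.

```powershell
# Added example, not the author's code. Helper names are hypothetical.
function Get-ServedCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Accept whatever is presented: the point is to inspect it, and a
        # factory self-signed certificate would otherwise abort the handshake.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $client.GetStream(), $false, $callback
        try {
            $ssl.AuthenticateAsClient($HostName)
            # Copy the certificate so it outlives the stream.
            return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        }
        finally { $ssl.Dispose() }
    }
    finally { $client.Close() }
}

function Test-IloCertificate {
    param(
        [Parameter(Mandatory)][string]$Address,        # IP or hostname to connect to
        [Parameter(Mandatory)][string]$ExpectedName,   # FQDN set with Set-HPiLOServerName
        [Parameter(Mandatory)][string]$IssuedCertPath  # signed certificate from the CA
    )

    $issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $IssuedCertPath
    $served = Get-ServedCertificate -HostName $Address

    [pscustomobject]@{
        Address          = $Address
        ServedSubject    = $served.Subject
        ServedThumbprint = $served.Thumbprint
        # True only if the ILO serves exactly the certificate that was imported.
        MatchesIssued    = ($served.Thumbprint -eq $issued.Thumbprint)
        # DNS name taken from the certificate (SAN, falling back to the subject CN).
        NameMatches      = ($served.GetNameInfo('DnsName', $false) -eq $ExpectedName)
        # Chain validation against this machine's trust stores.
        ChainTrusted     = $served.Verify()
        NotAfter         = $served.NotAfter
    }
}

# Values from the post.
$Device = '10.1.2.3'
Test-IloCertificate -Address $Device `
                    -ExpectedName 'server1-ilo.contoso.com' `
                    -IssuedCertPath 'C:\mycert.cer'
```

If MatchesIssued is False, the ILO is still serving its previous certificate; if ChainTrusted is False, the issuing CA's certificate is not in the trust store of the machine running the check.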

Also, HP ILOs cannot read certificates if they are using PKCS #1 v2.1 format. Add that to the huge pile of devices that cannot read an X509 standard that came out in 2003.

NTHashTickler_CUDA v1.0

by Ryan 24. October 2014 11:10

I've ported my NTHashTickler program to NVIDIA CUDA... poorly.

As before, my motivation for writing this program is not because I really care about finding NT hashes per se, but just teaching myself more about multithreaded programming and in this case, NVIDIA CUDA. If you know anything at all about CUDA, please feel free to criticize my work and tell me what I'm doing wrong. (Source code is on Github.)

So CUDA is basically like standard C, but with a few extensions.  The challenge is that you have "host" code, and you have "device" code commingling, with host code only being able to run on your CPU and access your main memory, while "device" code can only run on your GPU and only access GPU memory.  What this means is that you are totally on your own when you're writing device code to run on your GPU. You can't even use C standard library functions like memcmp or strtol, etc.  And you definitely cannot call something as luxurious as a Windows API function from device code. The sole exception as far as I know is that CUDA does allow you to use printf from within device code for debugging purposes...

Traditionally, you could only transfer data from the host to the device through CUDA API calls such as cudaMalloc, etc., but in CUDA compute capability 3.0 they introduced what I like to call "CUDA Easy-Mode," or essentially, variables that can be seamlessly accessed by both host and device simultaneously, making your code look a lot cleaner and simpler.  These are the __device__ __managed__ variables.  They provide what CUDA calls a "unified" view of memory.  I'm guessing it's probably just the CUDA runtime doing the dirty work for you under the hood that you used to have to do yourself.  You can still cause the same kind of problems reading and writing to the variables from different threads that applies to any multithreaded code, but it's still so much easier to work with than cudaMalloc, cudaFree, etc.

So the idea is that if you have a problem that can be parallelized sufficiently, it can take advantage of your GPU's ability to run thousands of parallel threads, instead of your CPU's mere 4 or 8 simultaneous threads.

In practice though, when I finally got the code working, I get about 750,000 hashes per second of throughput, which is slower than the ~ 5 million hashes/second of throughput by my previous version in C that just ran on the CPU!

So I'm definitely doing something wrong.  I think I should be seeing a billion hashes/sec of throughput or better.  I have a lot more work to do.

Luckily, the CUDA Toolkit comes with some really amazing profiling and tracing tools, and I think that's a good place to start looking for optimization opportunities.

(Source code is on Github.)

notdd v1.0

by Ryan 9. July 2014 14:07

[Update: I renamed the program to be more unique.]

Hi again,

I started writing boot loaders in x86 assembly the other day, and I needed something that was capable of writing to the first sector of a storage device in order to test my creations.  I searched around the web, downloaded some old image burning software like it was 1999 all over again, and promptly got myself a malware/adware infection.  This pissed me right off, so after reinstalling my OS, I immediately set out to write my own.

notdd is what I came up with.


If you've ever wanted the complete, unbridled freedom of $&#%ing up your storage media on your own terms, then have I got the program for you!

And it also works for planting a custom boot sector on a disk.

Today's Thoughts on Windows 8.1 (Will Do Server 2012 R2 Next)

by Ryan 13. September 2013 19:40

Guten abend!

So thankfully, Microsoft reversed their earlier decision to not release Windows 8.1 and Server 2012 R2 RTM on TechNet or MSDN until October 18th. Both products popped up on TechNet a few days ago. So, I downloaded both and have been playing with them in my lab the past few days. (Which is likely the last good thing I will be able to get from TechNet.  Rest in peace, you final bastion of good will from Microsoft to IT professionals.)

Windows 8.1 has gone onto the following test machine:

  • Intel Core i5-2500k
  • 16GB RAM
  • 256GB Samsung SSD
  • NVidia GTX 670 2GB

Needless to say, it screams. My experience has been that you will typically have a better time with Win 8 if you set it up with your Microsoft Live ID from the beginning, and not a domain account. In fact, it's almost impossible to install Windows 8.1 with anything other than your Microsoft Live ID. (Although you're free to join a domain later, after the install. But good luck installing with a local account.) I would say that this will be a barrier for Windows 8 adoption in the enterprise, however, the actual Win 8.1 Enterprise SKU has not been released yet, so the installer for that edition should be tweaked for easier installation in an AD domain in an enterprise environment. (And I admittedly have not even tried custom deployable images as you would with an enterprise environment.)

That looks weird.

But in a home setting, the reason I think it's awesome to go ahead and use your Live ID to install Windows 8.1 is because:

  • Your Skydrive sets itself up. It's already there waiting for you. It's integrated into Explorer already, and the coolest part is it initially takes up no room on your hard drive. It all stays online but browsable from within Explorer, and you only pull a file down from the cloud when you open it. But if you have some need to have it available offline? Just right-click the file, folder, or your entire Skydrive and choose "Make available offline" and it will all be downloaded locally. If you used Skydrive before 8.1, you should love this improvement. If you did not use Skydrive before 8.1 then you may find that this added feature only gets in the way. 
  • All your OS settings from Windows 8 are synchronized and brought into 8.1, even if you performed a clean install of 8.1. As soon as the installation finished, I landed on a Windows desktop and my wallpaper is already what I had on my last PC, because the wallpaper was stored on Skydrive. Furthermore, all my settings like 'folder view settings' were automatically sucked into the new installation as well. Ever since Windows 95, every time I would install the OS on a new machine, the first thing I did was go to the folder view settings and uncheck the "Hide File Extensions" option. I always hated that Windows would hide the file extension of files. Well, now that setting stays with me on every Win 8 machine I move to and I no longer have to worry about it.
  • IE11 seems great so far. Very fast, although, that could also be attributed to my beefy hardware. However, I have experienced one compatibility problem so far with IE11. I know that the user agent string for one thing changed dramatically in IE11. But in a pinch, hit F12 for the developer tools and you can emulate any down-level version of IE that you need. No big deal. I'll resist the urge to rant against web developers here.
  • (Though seriously, web developers, if you're listening, you are ruining the web.)
  • Boot to desktop and the ability to show your desktop wallpaper as your Start Screen background are welcome features. The resurrection of the classic Start Button on the taskbar, however, I don't care about one way or the other. I never really missed the old Start Menu from old versions of Windows. I pretty much don't care about the 'Modern,' 'Metro' interface either way, but I'm not bitter about it, because I know it wasn't made for me. It was made for phones and tablets. I have a desktop PC, and as such, I have no need for the Modern UI. End of story. Use what works for you. The OS now has a new feature now that I'm not really interested in, but who cares, the rest of the underlying OS is still there, and it's still good.
  • The Remote Server Administration Tools for Win 8.1 Preview installs on and works in Win 8.1 RTM, which I am using to set up a full Server 2012 R2 lab environment, which I shall talk about shortly in an upcoming blog post!

Processor Shopping for SQL Server 2012

by Ryan 19. April 2013 12:35

I almost never talk about SQL Server here, which is a shame, because I think SQL Server is amazing.  If you're planning on deploying SQL Server 2012, and you haven't picked out your hardware yet, then I hope this post finds you in time and helps you make your decision about what processor architecture to choose.  (I hope the graphic doesn't give it away...)  Also, keep in mind the date in which this is written - computer hardware changes rapidly.

You know you pretty much have two choices in CPUs: Intel or AMD.  There are several factors to weigh here: performance, hardware cost, and licensing cost.  So let's break those down and compare:

Performance: Keep in mind that we're designing a SQL Server here.  Different SQL Servers are under different types of workloads, but OLTP (online transaction processing) is one very common type. The TPC (Transaction Processing Performance Council) introduced the TPC-E benchmark in 2007, which simulates an OLTP workload on a SQL server.  What we end up with is a pretty solid method for benchmarking SQL servers of varying hardware configurations running identical workloads.  If you visit the website, it's pretty hard not to notice that the top 10 highest-performing servers and the top 10 best price/performance all belong to Intel processors with no exception.  But just for fun, let's see the numbers:

System                   Processor            TPC-E    Sockets  Total Cores  Score/Core
HP Proliant DL380 G7     Intel Xeon X5690     1284.14  2        12           107.01
IBM System x360 M4       Intel Xeon E5-2690   1863.23  2        16           116.45
HP Proliant DL385 G7     AMD Opteron 6282SE   1232.84  2        32           38.53
HP Proliant DL585 G7     AMD Opteron 6176SE   1400.14  4        48           29.17
IBM System x3850 * 5     Intel Xeon E7-4870   2862.61  4        40           71.57
NEC Express 5800/A1080a  Intel Xeon E7-8870   4614.22  8        80           57.68

The trends evident from that table are that AMD prefers more cores per socket, AMD cores tend to perform much worse per core than Intel cores on an OLTP workload, and that crazy numbers of processor cores present with diminishing returns regardless of the manufacturer.  So far things are not looking good for AMD.  AMD can pack more cores on a die, but that just simply does not make up for their gap in single-threaded performance.

Hardware Cost: Let's get right down to some hardware prices. I'm going to price only the processors themselves, not the entire servers, because there are so many customizable options and accessories to choose from when speccing out an entire server and that would take me way longer than what I wanted to spend on this blog post.

Processor            CDW.COM Price
Intel Xeon X5690     $1886.99
Intel Xeon E5-2690   $2332.99
AMD Opteron 6282SE   $1287.99
AMD Opteron 6176SE   $1505.99
Intel Xeon E7-4870   $5698.99
Intel Xeon E7-8870   $7618.99

AMD has a bit of a price advantage here, especially when you start getting to the high-end processors, but it's all for nothing once you take into account the 3rd piece of the puzzle:

Licensing: To be frank, Microsoft SQL Server 2012 Enterprise Edition is very expensive.  SQL used to be licensed on a per-socket basis.  SQL 2012 is now licensed per physical core.  This means "logical" cores such as those created by Intel's Hyperthreading are essentially free in regards to SQL 2012 licensing.  (There is the alternative Server + CAL licensing model as seen with the Business Intelligence Edition, but that's kinda' out of the scope of this article.  Enterprise Edition is where it's at.)  Each physical socket in your SQL server must use a minimum of 4 core licenses, and then you license two cores at a time after that for any additional cores more than 4 you have on your processor.

If you're thinking ahead, you can already tell this is bad news for AMD-based servers aspiring to run SQL 2012.  AMD processors have more cores, which equals higher SQL licensing costs, with lower performance per core to boot.  Microsoft realized this, and so they did AMD a favor by specifically giving most AMD processors a 25% discount on licensing costs.  But even with that discount, the numbers still speak for themselves, and AMD still comes out way behind:

Processor            Cores Per Socket  Cost      Total Sockets  Total License Cost per Server
Intel Xeon X5690     6                 $41,244   2              $82,488
AMD Opteron 6282SE   16                $82,488   2              $164,976
Intel Xeon E5-2690   8                 $54,992   2              $109,984
Intel Xeon E5-4650   8                 $54,992   4              $219,968
Intel Xeon X7560     8                 $54,992   4              $219,968
Intel Xeon E7-4870   10                $68,740   4              $274,960
AMD Opteron 6180SE   12                $61,866   4              $247,464
AMD Opteron 6282SE   16                $82,488   4              $329,952

It just got really hard for me to recommend an AMD processor for use in a SQL Server 2012 server under almost any circumstances.  Let's take our Intel Xeon X5690 and our AMD Opteron 6282SE, which both have pretty similar TPC-E benchmark scores... only the AMD costs $82,488 more to license!  This is with AMD's 25% discount!  These are full retail prices of course, but the concept is the same, regardless of your Enterprise Agreement.

So, my fellow IT pros... please do the math before you pull the trigger on that new server, and make sure your $2000 in hardware savings isn't steamrolled by $80,000 of extra licensing costs.

* Citation - these numbers are from the book Professional SQL Server 2012 Internals and Troubleshooting by Bolton, Langford, Berry, et al.

About Me

Ryan Ries
Texas, USA
Systems Engineer
ryan@myotherpcisacloud.com

I am a systems engineer with a focus on Microsoft tech, but I can run with pretty much any system that uses electricity.  I'm all about getting closer to the cutting edge of technology while using the right tool for the job.

This blog is about exploring IT and documenting the journey.



I do not discuss my employers on this blog and all opinions expressed are mine and do not reflect the opinions of my employers.