How to secure the internet side of your Citrix Netscaler

This is a two-minute guide to securing the internet-facing side of your NetScaler. We will set up two parameters: "Deny SSL Renegotiation" and the acceptable ciphers.

A. Deny SSL Renegotiation

Go to the Traffic Management – SSL page on your NetScaler and click the "Change Advanced SSL Settings" link.

Change advanced SSL Settings

The advanced SSL settings appear. Notice that the default value of the "Deny SSL Renegotiation" property is "NO". Change it to "FRONTEND_CLIENT", which rejects renegotiation requests that clients send on the front-end (internet-facing) connections.

Deny SSL Renegotiation

You may want to use the stricter value "ALL", which also refuses renegotiation on the back-end connections to your servers, depending on your web farm structure. Client-initiated renegotiation is a common penetration-test finding: a single client can ask the NetScaler to redo the expensive asymmetric part of the TLS handshake over and over on one connection, so denying it removes that SSL renegotiation denial-of-service vector.

B. Configure the Cipher Group

Go to the SSL tab of your virtual server and select Ciphers. The bound cipher group is called "DEFAULT" and includes 128-bit ciphers. Remove it and, in the available Cipher Groups pane, select "HIGH". This group includes the high-strength ciphers, among them 168-bit 3DES. The available ciphers pane lists the ciphers that the selected group contains. Note that 3DES is no longer considered strong (the Sweet32 birthday attack, 2016), so on a current build check the group's actual membership rather than trusting its name.

All modern browsers support these ciphers, so go ahead and use them.

Cipher Groups

Do the same for all your virtual servers.
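To check the result from the internet side, here is a small POSIX shell script (an added example, not part of the original post) that uses openssl s_client to enumerate which cipher suites a virtual server still accepts, grades each one, and probes whether the server lets a client renegotiate. It assumes the openssl binary is on the path and that host:port of the virtual server is passed as the first argument; the grading patterns are my own classification, not a NetScaler cipher group, and the renegotiation probe's exact output depends on the openssl version, so read its lines rather than trusting an exit code. For the record, the NetScaler CLI equivalents of the two GUI settings above are set ssl parameter -denySSLReneg FRONTEND_CLIENT and, after unbinding DEFAULT, bind ssl vserver <vserver> -cipherName HIGH.

```shell
#!/bin/sh
# Added example: external verification of a NetScaler's TLS front end.
# Usage: ./nscheck.sh host:443          (the host:port argument is assumed)
# Protocol flag handed to s_client. TLS 1.3 suites are selected with
# -ciphersuites and are out of scope here, so pin a pre-1.3 version.
PROTO="${PROTO:--tls1_2}"

# Classify a cipher suite name as printed by "openssl ciphers".
# "weak"   : must never be offered on an internet-facing vserver
#            (NULL, export, RC4, MD5, anonymous DH, 56-bit DES, ...).
# "legacy" : 3DES, which the HIGH group still contains; disable it unless
#            an old client really needs it (Sweet32).
# "ok"     : everything else (AES, ChaCha20, ...).
cipher_grade() {
    case "$1" in
        *NULL*|*EXP*|*RC4*|*MD5*|*ADH*|*AECDH*|*DES-CBC-SHA*|*RC2*|*IDEA*|*SEED*)
            echo weak ;;
        *DES-CBC3*|*3DES*)
            echo legacy ;;
        *)
            echo ok ;;
    esac
}

# Try every suite the local openssl knows and print the ones the server
# accepts. "Cipher is <name>" only appears in s_client's summary when the
# handshake completed with exactly that suite.
probe_ciphers() {
    target=$1
    openssl ciphers 'ALL:COMPLEMENTOFALL' | tr ':' '\n' | while read -r c; do
        if openssl s_client -connect "$target" -servername "${target%%:*}" \
                -cipher "$c" $PROTO </dev/null 2>&1 \
           | grep -qE "Cipher is ${c}([^A-Za-z0-9-]|$)"; then
            printf '%-40s %s\n' "$c" "$(cipher_grade "$c")"
        fi
    done
}

# Ask for a client-initiated renegotiation: s_client renegotiates when it
# reads the line "R" on stdin. A NetScaler with denySSLReneg set answers
# with a no_renegotiation alert or drops the connection; with the default
# "NO" the second handshake simply goes through.
probe_reneg() {
    { printf 'R\n'; sleep 3; } | openssl s_client -connect "$1" $PROTO 2>&1 \
        | grep -iE 'RENEGOTIATING|renegotiat|alert|error'
}

# Only run the network probes when a host:port was actually given.
case "${1:-}" in
    *:*)
        echo "== accepted cipher suites on $1 =="
        probe_ciphers "$1"
        echo "== renegotiation probe =="
        probe_reneg "$1"
        ;;
esac
```

Anything graded "weak" means the cipher group still contains something DEFAULT should never have shipped; a "legacy" line is 3DES from the HIGH group and is your call. Run it before and after the change so you have evidence for the pentest report.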


Configuring a 2nd local partition on Citrix Xenserver 6.2

Recently I came across a server with two storage arrays, one HDD and one SSD. Citrix XenServer was installed on the first array and the second one was not configured. I had to SSH into XenServer and run a few commands to make XenServer see the second array properly.

First run fdisk -l to list the disks and their partitions.

fdisk command

As you can see, /dev/sda is the first storage array and /dev/sdb has no valid partition table. Run pvcreate /dev/sdb to initialise sdb as an LVM physical volume. pvcreate destroys whatever is on the device, so double-check against the fdisk output that /dev/sdb really is the empty array before running it.

pvcreate command

Finally create the local storage repository by running

xe sr-create type=lvm content-type=user device-config:device=/dev/sdb name-label="Local SSD"

sr-create command

The new storage disk now appears in XenCenter under the "Local SSD" label.
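The same three steps, wrapped in a script with the safety checks I would want before pointing pvcreate at a disk (an added example, not from the original post). It runs as root in the XenServer control domain; the device path and the SR label are assumptions, and the script refuses to touch a device that is mounted, already an LVM physical volume, partitioned, or carrying a filesystem signature. Because xe prints its error text on stdout, the UUID that sr-create returns is validated before it is used.

```shell
#!/bin/sh
# Added example: initialise an unused second array as a local LVM SR.
#   usage: ./mk_local_sr.sh /dev/sdb "Local SSD"   (both arguments assumed)
set -u

# xe returns either a UUID or an error message on stdout; tell them apart.
is_uuid() {
    printf '%s\n' "$1" | grep -qE '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
}

# Return 0 only when the device looks unused: not mounted, not a PV, no
# partitions, and no filesystem/partition signature found by blkid.
device_is_unused() {
    dev=$1
    base=${dev##*/}
    if grep -q "^$dev" /proc/mounts; then
        echo "$dev is mounted" >&2; return 1
    fi
    if pvs --noheadings -o pv_name 2>/dev/null | grep -q "$dev"; then
        echo "$dev is already an LVM physical volume" >&2; return 1
    fi
    if [ -e "/sys/block/$base/${base}1" ]; then
        echo "$dev already has partitions" >&2; return 1
    fi
    if blkid "$dev" >/dev/null 2>&1; then
        echo "$dev carries a filesystem or partition signature" >&2; return 1
    fi
    return 0
}

# pvcreate the device, create the SR and print the new SR's UUID.
create_local_sr() {
    dev=$1; label=$2
    device_is_unused "$dev" || return 1
    pvcreate "$dev" || return 1
    sr=$(xe sr-create type=lvm content-type=user \
            "device-config:device=$dev" "name-label=$label")
    if ! is_uuid "$sr"; then
        echo "sr-create failed: $sr" >&2; return 1
    fi
    # show what XenCenter is about to display
    xe sr-list uuid="$sr" params=name-label,physical-size,host >&2
    echo "$sr"
}

case "${1:-}" in
    /dev/*) create_local_sr "$1" "${2:-Local SSD}" ;;
esac
```

If device_is_unused rejects the disk you expected to be empty, that is the moment to look again at fdisk -l rather than to override the check.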

Free Backup for Citrix Xenserver Live Virtual Machines

A few days ago I was looking for a free backup solution for live Citrix XenServer 6.2 VMs and came across a rather old script on this page:

http://www.jansipke.nl/creating-backups-of-running-vms-in-xenserver/

The script uses XenServer's xe commands to do the following:

  • Enumerate the VMs and find their UUIDs
  • Create a snapshot of each live VM
  • Export the snapshot to an .xva file
  • Finally, remove each snapshot

I edited the script to match my needs. For example, my setup includes a pool of two XenServer 6.2 hosts connected to a NAS (running Synology's DSM) that publishes iSCSI and NFS shares. I wanted the XenServers to mount the NFS share and save the backups there, so I added a few more lines:

cmd = "mount -t nfs 192.168.178.225:/volume1/nfs/backups /mnt/nfs"
commands.getoutput(cmd)

and

cmd = "umount /mnt/nfs"
commands.getoutput(cmd)

The script can easily be scheduled (for example from cron) to run whenever you like. The final script looks like this:

#!/usr/bin/python
# Runs in the XenServer 6.2 control domain, whose Python is 2.4; the stock
# "commands" module is used for that reason instead of subprocess.
import commands, os, re, sys, time

NFS_SHARE = "192.168.178.225:/volume1/nfs/backups"
MOUNT_POINT = "/mnt/nfs"
UUID_RE = re.compile(r"^[0-9a-f-]{36}$")

def get_backup_vms():
    """Return (uuid, name) for every real VM: no dom0, no snapshots."""
    result = []
    cmd = "xe vm-list is-control-domain=false is-a-snapshot=false"
    output = commands.getoutput(cmd)
    # xe separates records with two blank lines; each record starts with a
    # "uuid ( RO)" line followed by a "name-label ( RW)" line.
    for vm in output.split("\n\n\n"):
        lines = vm.splitlines()
        if len(lines) < 2:
            continue
        uuid = lines[0].split(":", 1)[1].strip()
        name = lines[1].split(":", 1)[1].strip()
        result.append((uuid, name))
    return result

def backup_vm(uuid, filename, timestamp):
    cmd = "xe vm-snapshot uuid=" + uuid + " new-name-label=" + timestamp
    snapshot_uuid = commands.getoutput(cmd).strip()
    # xe prints its error text on stdout; never feed that into vm-export
    # or vm-uninstall.
    if not UUID_RE.match(snapshot_uuid):
        print "snapshot of", uuid, "failed:", snapshot_uuid
        return False
    # A snapshot is a template; clear the flag so it can be exported and
    # later removed like a normal VM.
    cmd = "xe template-param-set is-a-template=false ha-always-run=false uuid=" + snapshot_uuid
    commands.getoutput(cmd)
    cmd = "xe vm-export vm=" + snapshot_uuid + " filename=" + filename
    commands.getoutput(cmd)
    cmd = "xe vm-uninstall uuid=" + snapshot_uuid + " force=true"
    commands.getoutput(cmd)
    return True

if __name__ == "__main__":
    if not os.path.isdir(MOUNT_POINT):
        os.makedirs(MOUNT_POINT)
    status, out = commands.getstatusoutput("mount -t nfs " + NFS_SHARE + " " + MOUNT_POINT)
    if status != 0:
        print "mount failed:", out
        sys.exit(1)
    try:
        for (uuid, name) in get_backup_vms():
            timestamp = time.strftime("%Y%m%d-%H%M", time.gmtime())
            print timestamp, uuid, name
            # quoted because VM names may contain spaces
            filename = "\"" + MOUNT_POINT + "/" + timestamp + " " + name + ".xva\""
            backup_vm(uuid, filename, timestamp)
    finally:
        commands.getoutput("umount " + MOUNT_POINT)

First, let's look at my NFS setup.

My NFS setup

Notice that my two XenServers have read/write access to the shared folder and that the NAS publishes it as /volume1/nfs. The NFS storage should be configured on XenCenter's pool by right-clicking your pool and selecting New SR…, choosing NFS ISO library and typing the share name as <ip>:/<path>, in my case 192.168.178.225:/volume1/nfs.

NFS Storage Setup

Then SSH to the pool master, create a new file, e.g. backup.sh (with vi), paste in the script edited to match your storage, give it execute permission and run it. The output looks like this:

Script Output

The first field is the UUID of the VM and the second field is its name. During the backup you can follow the script's steps in XenCenter's GUI. First the creation of the VM's snapshot.

Snapshot Creation

Then the snapshot’s export.

VM's export

Finished export

It took 12 minutes for a 4 GB snapshot, not bad for a 100 Mbit LAN. Then the snapshot is erased.

No snapshot

Finally, let's look at the backed-up files on the NFS storage.

Backed up VM files

This is a free, simple, transparent and easy solution for backing up your XenServer VMs. It works with the latest 6.2 open source version. It is not advanced enough to do deduplication, WAN acceleration or other fancy stuff, but it works, it's free and it is good enough for small setups or home labs. One caveat: a snapshot taken while the guest is running is crash-consistent, not application-consistent, so test now and then that an exported .xva actually imports and boots.

Post Notes:

  • Due to WordPress preformatting problems, you can also find the script at http://pastebin.com/5E6wJS7u
  • The mount path must exist, so run mkdir /mnt/nfs to create the NFS directory before the first run
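Two things the backup script above does not do are check that its exports are usable and throw old ones away. The following POSIX shell script is an added example (not from the original post or the script's author) that does both for the "<timestamp> <name>.xva" files the script writes: it lists each archive to catch truncated exports (a full NFS share or a killed script leaves a file behind) and keeps only the newest N exports per VM. The backup directory and the retention count are assumptions passed on the command line.

```shell
#!/bin/sh
# Added example: verify .xva exports and apply a per-VM retention policy.
#   usage: ./xva_maint.sh /mnt/nfs 3     # keep the 3 newest exports per VM
set -u

# An .xva export is an uncompressed tar archive that contains ova.xml plus
# the disk chunks; a truncated or empty file fails this listing.
verify_xva() {
    f=$1
    [ -s "$f" ] || { echo "EMPTY   $f"; return 1; }
    if tar -tf "$f" 2>/dev/null | grep -qx 'ova.xml'; then
        echo "OK      $f"; return 0
    fi
    echo "CORRUPT $f"; return 1
}

# Read filenames on stdin (one per line), sort them oldest first (the
# YYYYMMDD-HHMM prefix sorts chronologically) and print all but the newest
# $1. awk is used because "head -n -N" is GNU-only.
prune_candidates() {
    sort | awk -v keep="$1" '{ a[NR] = $0 } END { for (i = 1; i <= NR - keep; i++) print a[i] }'
}

# List the exports of one VM in $1, by the naming convention of the script.
list_exports() {
    dir=$1; name=$2
    for f in "$dir"/*" $name.xva"; do
        if [ -e "$f" ]; then printf '%s\n' "$f"; fi
    done
}

# Delete everything but the newest $3 exports of VM $2 in directory $1.
prune_vm_backups() {
    dir=$1; name=$2; keep=$3
    list_exports "$dir" "$name" | prune_candidates "$keep" | while IFS= read -r old; do
        echo "removing $old"
        rm -f -- "$old"
    done
}

# Verify every archive, then prune each VM that has at least one export.
maintain() {
    dir=$1; keep=$2
    for f in "$dir"/*.xva; do
        [ -e "$f" ] || continue
        verify_xva "$f" >&2 || continue
        # the VM name is everything after the first space, minus ".xva"
        name=${f##*/}; name=${name#* }; name=${name%.xva}
        printf '%s\n' "$name"
    done | sort -u | while IFS= read -r name; do
        prune_vm_backups "$dir" "$name" "$keep"
    done
}

case "${1:-}" in
    /*) maintain "$1" "${2:-3}" ;;
esac
```

Run it from the same cron entry right after the backup script, and send the CORRUPT/EMPTY lines somewhere you will see them; a backup that nobody can restore is just disk usage.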

Applying Hotfixes on Citrix Xenserver 6.2 hypervisor without XenCenter

Citrix XenServer is a fine open source hypervisor (from the 6.2 release onward) that is trying to grab as much market share as possible in the virtualisation/cloud world. It carries many years of development effort by Citrix, many well-established deployments and a broad support community.

XenMotion, High Availability and all the other great features of XenServer are available in both the licensed and the unlicensed version of the hypervisor. The licensed version adds automated patches and updates through the XenCenter console and 24x7 Citrix technical support. On the unlicensed version the administrator has to apply the XenServer patches by hand through an SSH console; XenCenter still tells you when new patches are available.

So in XenCenter, when you go to Tools – Install Updates, you get greyed-out options like this:

XenCenter Updates Installation

So first download the new patches from Citrix's web server; XenCenter will help you find them. Then unzip the downloaded files and copy the update files to the XenServer over SFTP.

Ftp the updates to XenServer

I use FileZilla to SFTP the updates to XenServer in binary transfer mode, uploading them to the /var/tmp directory. Then SSH to XenServer (I use PuTTY, but use whatever you are comfortable with), log in as root and run the following command:

xe patch-upload file-name=/var/tmp/<update file>

This command prints the UUID of the uploaded patch. Copy it to the clipboard, and notice the yellow icons that now appear in XenCenter, indicating that a hotfix or update exists but has not been applied.

XenCenter warning icon

Run

xe patch-pool-apply uuid=<uuid>

pasting the UUID string. You can verify the applied patches by running

xe patch-list

Verifying patches

If the update was successful, the hosts field contains the UUIDs of all the hosts in the pool. Finally, run

xe-toolstack-restart

to reload the toolstack. xe-toolstack-restart only restarts the toolstack on the host where you run it, so run it on every host in the pool; you will lose the connection for a moment when you run it on the pool master. Also check the hotfix's after-apply guidance: many hotfixes require a host reboot or a guest restart rather than a toolstack restart, and are not fully applied until that has been done.

Applying Patches

Now, your XenServer is patched!

XenCenter Install Updates window
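The upload, apply and verify steps above, as one POSIX shell script to run on the pool master (an added example, not from the original post). It validates the UUID that patch-upload returns before using it, compares the patch's hosts field against the pool's host list instead of eyeballing it, and prints the hotfix's own after-apply guidance so you know whether a toolstack restart is enough. The update file path is an assumption; the script also assumes the hosts field is printed as a comma- or semicolon-separated list and normalises both.

```shell
#!/bin/sh
# Added example: apply one hotfix to the pool and verify it landed everywhere.
#   usage: ./apply_hotfix.sh /var/tmp/<update file>     (path is assumed)
set -u

# xe prints its error text on stdout; make sure we got a UUID back.
is_uuid() {
    printf '%s\n' "$1" | grep -qE '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
}

# $1: the patch record's "hosts" field as a comma-separated list
# $2: expected host UUIDs, one per line
# Returns 0 only if every expected host appears in the hosts field.
all_hosts_patched() {
    hosts_field=$1; expected=$2
    missing=0
    for h in $expected; do
        case ",$hosts_field," in
            *",$h,"*) ;;
            *) echo "host $h does not have the patch" >&2; missing=1 ;;
        esac
    done
    return $missing
}

apply_hotfix() {
    file=$1
    patch=$(xe patch-upload file-name="$file")
    if ! is_uuid "$patch"; then
        echo "patch-upload failed: $patch" >&2; return 1
    fi
    xe patch-pool-apply uuid="$patch" || return 1
    # "hosts" on the patch record lists the hosts it has been applied to;
    # normalise separators and drop spaces before comparing.
    applied=$(xe patch-list uuid="$patch" params=hosts --minimal | tr ';' ',' | tr -d ' ')
    expected=$(xe host-list --minimal | tr ',' '\n')
    all_hosts_patched "$applied" "$expected" || return 1
    # Each hotfix states what must be restarted afterwards: restartXAPI is
    # covered by xe-toolstack-restart, restartHost means reboot the hosts,
    # restartHVM/restartPV mean restart the guests of that kind.
    echo "applied $patch on all hosts"
    echo "after-apply-guidance: $(xe patch-list uuid="$patch" params=after-apply-guidance --minimal)"
}

case "${1:-}" in
    /*) apply_hotfix "$1" ;;
esac
```

Keep the after-apply-guidance line with your change record; a hotfix that wanted restartHost and only got a toolstack restart shows as applied in XenCenter but is not yet protecting anything.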

Installing Xentools on Ubuntu 13.04 desktop on Citrix XenServer 6.2 hypervisor

When I installed Ubuntu 13.04 desktop on a Citrix XenServer 6.2 hypervisor I could not use XenMotion to live-migrate the VM from one hypervisor to another, because the XenTools could not be installed via the GUI. The problem was solved by running the following commands in a terminal session on the Ubuntu desktop (this works with the server edition as well).

First attach xentools.iso to the VM's DVD drive in the XenCenter GUI, then mount it by executing:

sudo mount /dev/cdrom /mnt

on a terminal console. Then run:

cd <mounted path>/Linux (in our case cd /mnt/Linux)

and

ls -la (to see the included packages), and finally

sudo dpkg -i ./<the package>.deb (there are two packages, one for i386 and one for amd64; pick the one that matches the guest's architecture)

and reboot the VM.

In my example I ran sudo dpkg -i ./xe-guest-utilities_6.2.0-1120_i386.deb on my i5 box.

Depackaging xentools

Now you are ready to suspend the VM or enable XenMotion and migrate the Ubuntu virtual machine to another host.

Ubuntu vm live migration
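The mount, pick-the-package and dpkg steps as one script to run inside the guest (an added example, not from the original post). Its one real addition is that it selects the .deb from the guest's own dpkg --print-architecture instead of guessing between i386 and amd64. It assumes the tools ISO is attached as /dev/cdrom, the mount point is given as the first argument, and the 6.2 package's init script is named xe-linux-distribution.

```shell
#!/bin/sh
# Added example: install XenServer 6.2 guest tools on a Debian/Ubuntu guest.
#   usage: sudo ./xentools_install.sh /mnt        (mount point is assumed)
set -u

# $1: architecture as reported by "dpkg --print-architecture"
# stdin: one filename per line (the listing of the ISO's Linux/ directory)
# Prints the xe-guest-utilities .deb for that architecture, if there is one.
pick_deb() {
    arch=$1
    grep -E "^xe-guest-utilities_.*_${arch}\.deb$" | head -n 1
}

install_xentools() {
    mnt=$1
    if ! [ -d "$mnt/Linux" ]; then
        mount /dev/cdrom "$mnt" || { echo "could not mount the tools ISO on $mnt" >&2; return 1; }
    fi
    arch=$(dpkg --print-architecture)
    deb=$(ls "$mnt/Linux" | pick_deb "$arch")
    if [ -z "$deb" ]; then
        echo "no xe-guest-utilities package for $arch in $mnt/Linux" >&2
        return 1
    fi
    dpkg -i "$mnt/Linux/$deb" || return 1
    # XenCenter only reports the tools once the guest agent is running;
    # the 6.2 package ships a SysV init script for it.
    service xe-linux-distribution start 2>/dev/null || true
    echo "installed $deb for $arch; reboot the VM before migrating it"
}

case "${1:-}" in
    /*) install_xentools "$1" ;;
esac
```

After the reboot, XenCenter's General tab for the VM should show the tools version instead of "not installed"; only then is XenMotion offered for that guest.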