Use PowerShell v3 to Keep a CookieJar and POST to a Web Form That Prohibits XSS

In my previous post, I outlined how to use PowerShell v2 to keep a CookieJar and POST to a web form that prohibits XSS. The code was 35 lines long. Upon seeing my post, Lee Holmes suggested using PowerShell v3's Invoke-WebRequest instead to get my code down to 1/5th of its original size.

I'm astounded at how easy Invoke-WebRequest made this task. It took care of detecting which type of authentication was required (Basic, in my example) as well as the cookie jar/session. So now I'm down from 35 lines of code to this:
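The Invoke-WebRequest version of the flow described above, as an added example rather than the post's own code: the first request answers the Basic auth challenge and fills a session with the server's cookies, and the second request POSTs the form with its hidden fields intact. The URL and the "comment" field name are placeholders.

```powershell
# Added example (not the post's own code): log in with Basic authentication, keep the
# server's cookies in a session, and re-submit a form together with its hidden fields
# using PowerShell v3's Invoke-WebRequest. The URL and the "comment" field are placeholders.
$uri  = 'https://intranet.example.local/app/form'
$cred = Get-Credential -Message 'Credentials for the web site'

# First request: the Basic auth challenge is answered from $cred, and every Set-Cookie
# the server returns lands in $session (the cookie jar).
$page = Invoke-WebRequest -Uri $uri -Credential $cred -SessionVariable session

# Take the first form exactly as the server rendered it. Leaving its fields intact keeps
# the hidden token the server checks on POST; only the field we want to change is touched.
$form = $page.Forms[0]
$form.Fields['comment'] = 'Submitted from PowerShell'

# Form actions are often relative, so resolve the action against the page we fetched
$action = New-Object -TypeName System.Uri -ArgumentList ([System.Uri]$uri), $form.Action

# Second request: same session (cookies) and credentials, all fields posted as the body
$result = Invoke-WebRequest -Uri $action -Method $form.Method -Body $form.Fields `
                            -Credential $cred -WebSession $session

'HTTP {0}; cookies held in the session: {1}' -f $result.StatusCode, $session.Cookies.Count
```

The Forms property relies on the Windows PowerShell HTML parser, so this runs as-is on PowerShell v3 through v5 on Windows; prefer trusting your CA's certificate over disabling certificate validation for an HTTPS site.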

Bravo, PowerShell team :D

Posted in PowerShell

Use PowerShell to Keep a CookieJar and POST to a Web Form That Prohibits XSS

I recently had a project that required me to log into a site and submit a form. Initially, I had a Start-Process that launched iexplore, but then I decided it would be best to..

My initial attempts to automate this process failed with the server response "403 Forbidden." As it turns out, the web server, which is some modified version of Jetty (I believe), was hardened to prevent XSS attacks. I knew that I had to use cookies, but doing so in PowerShell turned out to be a bit more challenging than it was in VBScript.

I like this script because it covers a lot of ground, from bypassing the SSL warning to getting credentials to submitting a form. It took about a day to figure out, but ultimately I was able to:

  1. Authenticate using BASIC authentication
  2. Bypass SSL warnings
  3. Keep cookies
  4. Submit the information from a hidden field in the form

There are additional steps in between each of those, which include

  • Prompting for the website credentials
  • Associating those credentials to the website
  • Placing cookies in the cookie jar
  • Parsing the form for the information I needed
  • Passing back the information

Essentially, I create a web request using System.Net.HttpWebRequest (using WebClient proved too messy), create a response stream, "upload" the data as bytes and get the second response. You can modify this to submit other portions of a form, or just parse from page to page. Hope you find it useful!

Thanks to Captain Abstraction for breaking this whole thing down and making it way easier to understand than most of the web pages I visited.

Posted in PowerShell

Summary Post: Update VMware vSphere SSL Certs

After speaking with a colleague today, I expect this list will grow as I work more with the vSphere suite. But until then, here is a consolidated list of posts and scripts that I've written to ease the replacement of SSL certificates on Windows-based vSphere-related products using PowerShell and a Windows Domain Certificate Authority.

All SSL Certificate Replacement Posts and Scripts in this Series

vSphere 4.1-5.0 SSL Generation and Replacement Post Script
vSphere 5.1 SSL Generation and Replacement Post Script
ESX Certificate Generation and Upload Post Script
NetApp Virtual Storage Console SSL Generation and Replacement Post Script
Site Recovery Manager SSL Generation and Replacement Post Script
VMware View Composer SSL Generation and Replacement Post Script
VMware Horizon View SSL Generation and Replacement Post Script
Posted in PowerShell, Security, VMware

Update VMware Horizon View SSL Certs with your own Windows Domain CA Certificates using PowerShell

Well, this script was different. Unlike the other posts in this series, I was required to use only Microsoft command-line tools instead of OpenSSL. Not that I'm opposed to using certreq and certutil — I actually started this whole cert automation project to see if it was possible to use only these tools and PowerShell, but ultimately it appeared that, for whatever crypto reason, OpenSSL was required for the replacement of vSphere SSL certs.

So it was especially surprising to me that no matter how I imported/exported the OpenSSL-generated keys, nothing worked until I used certreq and certutil. If anyone knows the reason, I'd love to hear it.

ReplaceSSL-View.ps1 backs up the old certificate found in your machine certificate store, adds a new one with the proper FriendlyName "vdm" and restarts all View services.

Download ReplaceSSL-View.ps1
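The certreq-only approach the post describes, as an added example (this is not ReplaceSSL-View.ps1): back up the current "vdm" certificate with its private key, request a replacement from the Windows domain CA via a certreq INF, install it under FriendlyName "vdm" and restart the View services. The CA name, template, subject values, backup password and service display names are assumptions.

```powershell
# Added example (not the ReplaceSSL-View.ps1 script): request a certificate from a Windows
# domain CA using only certreq, back up the current "vdm" certificate from the machine store,
# install the new one with FriendlyName "vdm" and restart the View services.
# The CA name, template, subject values, backup password and service display names are assumed.
$rootCA       = 'dc.base.local'
$rootCAName   = 'BASE-DC-CA'
$certTemplate = 'WebServer'                 # CA template name as written in a certreq INF
$backupPass   = 'ChangeMe-backup'           # protects the exported PFX backup
$fqdn         = [System.Net.Dns]::GetHostByName($env:COMPUTERNAME).HostName
$workdir      = 'C:\Certs\View'
$store        = 'Cert:\LocalMachine\My'
New-Item -ItemType Directory -Path $workdir -Force | Out-Null

# 1. Back up (with private key) any certificate currently named "vdm", then rename it so the
#    friendly name is free for the replacement. The old cert stays installed for rollback.
Get-ChildItem $store | Where-Object { $_.FriendlyName -eq 'vdm' } | ForEach-Object {
    $bak = Join-Path $workdir ("vdm-backup-{0}.pfx" -f $_.Thumbprint)
    certutil -p $backupPass -exportPFX My $_.Thumbprint $bak | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of $($_.Thumbprint) failed; not replacing it." }
    $_.FriendlyName = 'vdm-old'
}

# 2. certreq INF: machine key, exportable, SChannel provider, SAN with FQDN and short name
$inf = @"
[NewRequest]
Subject = "CN=$fqdn, OU=View, O=NetNerds, L=Kaplan, S=LA, C=US"
KeyLength = 2048
KeySpec = 1
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$fqdn&"
_continue_ = "dns=$env:COMPUTERNAME"
[RequestAttributes]
CertificateTemplate = $certTemplate
"@
$infPath = Join-Path $workdir 'vdm.inf'
$reqPath = Join-Path $workdir 'vdm.req'
$cerPath = Join-Path $workdir 'vdm.cer'
$inf | Set-Content -Path $infPath -Encoding ASCII

# 3. Generate the key and request, submit it to the CA, and bind the issued cert to the key
certreq -new $infPath $reqPath | Out-Null
certreq -submit -config "$rootCA\$rootCAName" $reqPath $cerPath | Out-Null
certreq -accept $cerPath | Out-Null

# 4. Name the installed cert "vdm" (how View locates it) and verify the private key is present
$issued    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
$installed = Get-Item "$store\$($issued.Thumbprint)"
$installed.FriendlyName = 'vdm'
if (-not $installed.HasPrivateKey) { throw 'Issued certificate has no private key in the machine store.' }

# 5. Restart the View services so they pick up the new certificate
Get-Service | Where-Object { $_.DisplayName -like 'VMware View*' -or $_.DisplayName -like 'VMware Horizon View*' } |
    Restart-Service -Force
```

Run it elevated on the View server; the CA must allow the requesting computer to enroll for the template, otherwise the submit step returns a denied request.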

Posted in PowerShell, Security, VMware

Update VMware Site Recovery Manager SSL Certs with your own Windows Domain CA Certificates using PowerShell

Next in the series of scripts for replacing vSphere-related SSL certificates is the VMware Site Recovery Manager script.

This script generates the SSL certificates based on the WebServer certificate template and runs a batch file to perform the actual replacement.

Once you run the script, the batch file requires two inputs from you: the password for the vCenter Server admin account you specified in the variables, and the PFX certificate password, "vmwaresrm".

To reduce the likelihood of errors, the script also places the certificate password on your clipboard, so you can just right-click, paste and hit Enter.

Download ReplaceSSL-SiteRecoveryManager.ps1

Posted in PowerShell, Security, VMware

Update VMware View Composer SSL Certs with your own Windows Domain CA Certificates using PowerShell

Next in the series of scripts for replacing vSphere-related SSL certificates is the VMware View Composer script. This one is rather simple, and uses certutil and certreq to generate the certificates instead of OpenSSL.

It also generates a batch script which calls SviConfig.exe. You just have to fill in a few variables, run the script and choose the new cert (I couldn't automate that part).

Download ReplaceSSL-Composer.ps1

Thanks to Tomas Fojta for the easy-to-understand tutorial.

Posted in PowerShell, Security, VMware

Update NetApp Virtual Storage Console SSL Certs with your own Windows Domain CA Certificates using PowerShell

Ahhh, it seems like replacing SSL certificates in vSphere is a never-ending process. My vSphere farm was not prompting me about untrusted SSL certs until I installed the NetApp Virtual Storage Console. Using the template from my previous posts, however, I was able to quickly update VSC's certs using a combination of the Practical Admin's post and NetApp's KB (login required).

The Practical Admin post kept VSC's keystore password encrypted, but with vSphere keystore passwords being so easily available on the Internet and NetApp's KB suggesting that the password be placed on the filesystem in plain text, I did it the easy way and kept the password (netapp) in clear text in the config file. I've tested this script on both VSC 4.1 and 4.2 and it worked quite well.

You can copy and paste the code below, or download the script directly here.

Note: this script uses the Windows CA default WebServer Certificate Template. It also makes backups of your original certificates.

Done!

Posted in PowerShell, Security, VMware

Update vSphere 4.1U3 and 5.0 SSL Certs with your own Windows Domain CA Certificates using PowerShell

While it took quite a while to figure out how to replace vSphere 5.1 and 5.1U1's SSL certs, converting that script to work with 4.1U3 and 5.0 was far quicker. It probably helps that SSO doesn't exist (or I couldn't find it — I haven't used vCenter on a regular basis since about 2006, but I've learned quite a bit from these SSL replacement scripts in my lab environment).

I was surprised to find that vSphere 4.1 and 5.0 are far more architecturally similar than 5.0 and 5.1. The 5.0 script required just one extra line of code to adjust for a different registry entry, and then it worked very well on 4.1U3.

So without further ado, you can download ReplaceSSL-vSphere41U3-50.ps1, modify the variables as necessary and run it on each of your farm servers. This script requires you to modify just 9 variables as seen in the snippet below:

# Place the certs on a network location if your farm is larger than one server
$basedir = "\\fileserver\share\Certs"

# Enter your Windows Certificate Authority information below.
# Make sure it responds to certutil and web requests.
$rootCA = "dc.base.local"
$rootCAName = "BASE-DC-CA"
$email = "[email protected]"
$org = "NetNerds"
$city = "Kaplan"
$state = "LA"
$country = "US"

# Make sure you follow Derek Seaman's instructions
# to create a new certificate template @ http://goo.gl/m98FE
$certTemplate = "CertificateTemplate:VMware-SSL"

# Enter the path of your openssl.exe (0.x and 1.x are supported).
# If you don't have OpenSSL already, the script will download it for you.
$openssldir = "C:\OpenSSL-Win32"

If you are interested in the approximate steps taken, you can browse the vSphere 5.1 SSL replacement post. Just be aware that the SSO section does not apply.

Posted in PowerShell, Security, VMware

Update ESX SSL Certs with your own Windows Domain CA Certificates using PowerCLI

Replacing ESX SSL certs is the easiest of all the vSphere components, in my opinion. Unlike vSphere 5.1, you can use Microsoft's Web Server SSL template, and there's no need to use the Java keytool or re-register the service with SSO.

Below is a script I use in conjunction with my vSphere/PowerShell Replace SSL script.

This is the first time I’ve actually used PowerCLI so I’m unsure if this script follows Best Practices, but hey, it worked for me in my lab environment ;)

“What it does..”

  • Creates the certificate directory if it does not exist
  • Logs into specified vSphere Server
  • Automatically downloads Root64.cer from the CA’s web service
  • Downloads and extracts OpenSSL if the files do not exist in the specified path
  • Generates all SSL certificates for each of the services on the server.

If $updateesx is set to true..

  • Downloads Putty SCP
  • Checks to see if SSH is running on the ESX host. If not, it temporarily enables it
  • Prompts for and validates credentials
  • Backs up all SSL Certs on the server
  • Uploads the new certs
  • Returns SSH to previous state

Once the new certs have been uploaded, you will have to restart the ESX host, or put it into maintenance mode and restart the management services.
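The SSH-toggle, backup and upload steps above, as an added PowerCLI example (this is not ReplaceSSL-ESX.ps1): SSH is enabled only if it was off, the existing rui.crt/rui.key are pulled down before anything is overwritten, and the previous SSH state is restored even when a copy fails. PowerCLI being loaded, the pscp.exe path, a cached host key, and all server names and paths are assumptions.

```powershell
# Added example (not ReplaceSSL-ESX.ps1): back up and replace an ESXi host's rui.crt/rui.key
# with PowerCLI and PuTTY's pscp, enabling SSH only for the copy and restoring its prior state.
# Assumed: PowerCLI is loaded, pscp.exe is at $pscp, the host's SSH key is already cached, and
# the new certificate files exist in $certdir. Server names and paths are placeholders.
$vcenter = 'vcenter.base.local'
$esxhost = 'esx1.base.local'
$certdir = '\\fileserver\share\Certs\esx1.base.local'
$pscp    = 'C:\Tools\pscp.exe'
$remote  = '/etc/vmware/ssl'

Connect-VIServer -Server $vcenter | Out-Null
$vmhost = Get-VMHost -Name $esxhost
$ssh    = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq 'TSM-SSH' }
$wasRunning = $ssh.Running

$cred = Get-Credential -Message "ESXi credentials for $esxhost"
$user = $cred.UserName
$pw   = $cred.GetNetworkCredential().Password

function Copy-WithPscp ($source, $destination) {
    & $pscp -pw $pw -scp $source $destination
    if ($LASTEXITCODE -ne 0) { throw "pscp failed: $source -> $destination" }
}

try {
    if (-not $wasRunning) { Start-VMHostService -HostService $ssh -Confirm:$false | Out-Null }

    # Back up the current cert and key from the host before anything is overwritten
    foreach ($f in 'rui.crt', 'rui.key') {
        Copy-WithPscp "$user@$($esxhost):$remote/$f" (Join-Path $certdir "$f.bak")
    }
    # Upload the replacements; overwriting in place keeps the host's existing file modes
    foreach ($f in 'rui.crt', 'rui.key') {
        Copy-WithPscp (Join-Path $certdir $f) "$user@$($esxhost):$remote/$f"
    }
}
finally {
    # Always put SSH back the way it was, even if a copy failed
    if (-not $wasRunning) { Stop-VMHostService -HostService $ssh -Confirm:$false | Out-Null }
    Disconnect-VIServer -Server $vcenter -Confirm:$false
}
# The new cert is only served after the management agents restart (maintenance mode plus a
# restart, or a host reboot), and the host must be re-added to vCenter as its thumbprint changed.
```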

Download ReplaceSSL-ESX.ps1

Note that you will have to re-add ESX to vCenter because the host’s SSL thumbprint has changed. Regarding updating ESX’s SSL, Derek Seaman suggests:

If your ESXi host is already managed by vCenter, the HA agent can get very confused by the new SSL certificate thumbprint. I would strongly suggest you first put your host in maintenance mode, remove it from the vCenter inventory, update the SSL certificate, reboot the ESXi host, then re-add it to the vCenter inventory.

Posted in PowerShell, Security, VMware

Update vSphere 5.1 SSL Certs with your own Windows Domain CA Certificates using PowerShell

One month ago when I finally got my vSphere lab set up, I had no idea that getting rid of those annoying untrusted SSL errors would be such a colossal undertaking. I have my own domain CA and thought it would be easy to automate the process of replacing the self-signed vSphere SSL certs with my own trusted certs.

At first, I attempted to use strictly Windows commands (certutil, certreq, etc.) and PowerShell, but eventually gave in and incorporated OpenSSL into my script. Generating the certs was just the beginning, though.

Replacing the certificates in an automated fashion and getting each service to behave after the change was an extremely time-consuming task. VMware's documentation and KB articles leave a lot of room for improvement, but fortunately, Derek Seaman's blog was able to provide a lot of information that was either easy to miss, or missing entirely.

Numerous articles suggested using VMware's Certificate Automation Tool, but the tool wasn't automated enough for my liking, even with supplemental scripts provided by other bloggers. I looked into the guts of the Certificate Automation Tool and, after a good bit of trial and error, replicated many of its techniques using PowerShell. Using these techniques, and following the suggestions found on forums and blogs, I was able to create a script that can replace the SSL certs of all of my vSphere lab servers in under 20 minutes, a majority of which is spent watching PowerShell stop and start services.

This script requires you to enter less than 15 variables as seen in the snippet below:

# SSO Server FQDN
$ssoserver = "vcenter.base.local"

# Place the certs on a network location if your farm is larger than one server
$basedir = "\\fileserver\share\Certs"

# Enter your SSO master password below. You will be prompted for your vCenter Server
# credentials at runtime.
$masteradmin = "admin@System-Domain"
$masterpass = "Fakepass.123"

# Enter your Windows Certificate Authority information below.
# Make sure it responds to certutil and web requests.
$rootCA = "dc.base.local"
$rootCAName = "BASE-DC-CA"
$email = "[email protected]"
$org = "NetNerds"
$city = "Kaplan"
$state = "LA"
$country = "US"

# Make sure you follow Derek Seaman's instructions
# to create a new certificate template @ http://goo.gl/m98FE
$certTemplate = "CertificateTemplate:VMware-SSL"

# Enter the path of your openssl.exe (0.x and 1.x are supported).
# If you don't have OpenSSL already, the script will download it for you.

$openssldir = "C:\OpenSSL-Win32"
$openssl = $openssldir+"\bin\openssl.exe"

You can see that the SSO admin username and password are in plain text. Unlike vCenter credentials, there was no easy way to validate the SSO username/password, and the pros of placing the username and password there in plain text outweighed the cons. vCenter credentials were easier to validate and more of a priority for me to protect, since they're usually Windows credentials.

Also, note that the default “Web Server” SSL certificate template is no longer sufficient. Please visit Derek Seaman’s blog for instructions on how to create a certificate template which will work for all of the vSphere services.

“What it does..”

Start up

  • If the server running the script is not the SSO server, it ensures the remote SSO Server’s SSL certs have been updated first
  • Checks the registry to see which vSphere services exist on the server running the script and sets service variables
  • Creates the certificate directory if it does not exist
  • Backs up all SSL Certs on the server
  • Validates vCenter authentication if vCenter or VUM exist on the server
  • Automatically downloads Root64.cer from the CA’s web service
  • Downloads and extracts OpenSSL if the files do not exist in the specified path
  • Generates all SSL certificates for each of the services on the server. Uses server name + service name as the OU so that each cert can be distinguished.

If SSO service exists

  • Stops SSO Service
  • Generates new SSO keystore using the newly created SSO SSL certificate
  • Copies Root64.cer to %programdata%\VMware\SSL\ca_certificates.cer
  • Creates new hash file in %programdata%\VMware\SSL
  • Updates SSO using rsautil.cmd
  • Starts SSO Service
  • Automatically builds service.properties and service_id files and stores them in %programdata%\VMware\ServiceIDs
  • Reregisters all services using new root certificate
  • Restarts SSO and, if they exist, the Log Browser, Web Client and Inventory services.

If Inventory service exists

  • Unregisters Inventory service with SSO
  • Stops Inventory service
  • Copies new certs to the Inventory service SSL directory
  • Starts Inventory Service
  • Registers Inventory service with SSO

If vCenter service exists

  • Copies new certs to the vCenter service SSL directory
  • Using credentials previously entered, logs into vCenter service’s mob website to automatically invoke reloadSslCertificate
  • Restarts all vCenter related services
  • Reregisters vCenter with Inventory Service

If WebClient services exist

  • Stops WebClient and LogBrowser services
  • Removes all files from SerenityDB directory
  • Copies new certs to the Web Client and Log Browser service SSL directories
  • Stops vCenter and Inventory Services if they exist on the local server
  • Restarts SSO service on local or remote server
  • Starts vCenter and Inventory Services if they exist on the local server
  • Starts WebClient and LogBrowser services

If Update Manager exists

  • Stops Update Manager services
  • Copies new certs to the Update Manager service SSL directory
  • Generates new Update Manager keystore using the newly minted Update Manager Certificates
  • Updates registry entry with keystore password (testpassword)
  • Runs vciInstallUtils to update VUM using credentials previously entered
  • Starts Update Manager services

If Orchestrator exists

  • Copies new certs to the Orchestrator service SSL directory
  • Stops services if necessary
  • Generates new Orchestrator keystore using newly created Orchestrator certificates
  • Adds SSO Certificate to keystore
  • Restarts Orchestrator services then returns them to their previous state of Running or Stopped
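The certificate-generation step that all of the service sections above share, as an added example (this is not ReplaceSSL-vSphere51.ps1): one OpenSSL key and CSR per service with "server-service" as the OU, submission to the Windows domain CA with the VMware-SSL template, and a PKCS12 bundle converted into the Java keystore that services such as Update Manager consume. The variable values mirror the post's snippet and are placeholders; the keytool path and the service name list are assumptions.

```powershell
# Added example (not ReplaceSSL-vSphere51.ps1): generate one key/CSR per vSphere service with
# OpenSSL, using "<server>-<service>" as the OU so each cert is distinguishable, submit it to the
# Windows domain CA with the VMware-SSL template, and build the Java keystore some services expect.
# Values mirror the post's variables and are placeholders; keytool path and service list are assumed.
$basedir      = '\\fileserver\share\Certs'
$rootCA       = 'dc.base.local'
$rootCAName   = 'BASE-DC-CA'
$certTemplate = 'CertificateTemplate:VMware-SSL'
$openssl      = 'C:\OpenSSL-Win32\bin\openssl.exe'
$keytool      = 'C:\Program Files\VMware\Infrastructure\jre\bin\keytool.exe'   # assumed path
$server       = [System.Net.Dns]::GetHostByName($env:COMPUTERNAME).HostName
$services     = 'SSO', 'InventoryService', 'vCenter', 'UpdateManager', 'WebClient', 'LogBrowser', 'Orchestrator'
$keystorePass = 'testpassword'   # the Update Manager keystore password the post mentions

function New-ServiceCert ($service) {
    $dir = Join-Path $basedir "$server\$service"
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    $key = Join-Path $dir 'rui.key'; $csr = Join-Path $dir 'rui.csr'
    $crt = Join-Path $dir 'rui.crt'; $pfx = Join-Path $dir 'rui.pfx'

    # OpenSSL request config: SAN with FQDN and short name, OU = server-service
    $cfg = @"
[ req ]
default_bits = 2048
distinguished_name = req_dn
req_extensions = v3_req
prompt = no
[ v3_req ]
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:$server, DNS:$($server.Split('.')[0])
[ req_dn ]
C = US
ST = LA
L = Kaplan
O = NetNerds
OU = $server-$service
CN = $server
"@
    $cfgPath = Join-Path $dir 'openssl.cfg'
    $cfg | Set-Content -Path $cfgPath -Encoding ASCII

    # Key + CSR (no passphrase, since services load the key unattended)
    & $openssl req -new -nodes -out $csr -keyout $key -config $cfgPath
    # Write the key in traditional RSA PEM form, which the vSphere services read
    & $openssl rsa -in $key -out $key
    # Submit to the domain CA with the VMware-SSL template; certreq writes the issued cert as PEM
    & certreq -submit -config "$rootCA\$rootCAName" -attrib $certTemplate $csr $crt
    if ($LASTEXITCODE -ne 0) { throw "CA did not issue a certificate for $service" }
    # PKCS12 bundle for the services that consume PFX or Java keystores
    & $openssl pkcs12 -export -in $crt -inkey $key -name rui -passout "pass:$keystorePass" -out $pfx
    return $pfx
}

function New-ServiceKeystore ($pfx, $jks) {
    # Convert the PFX into a JKS keystore, keeping the "rui" alias
    & $keytool -importkeystore -srckeystore $pfx -srcstoretype PKCS12 -srcstorepass $keystorePass `
               -destkeystore $jks -deststoretype JKS -deststorepass $keystorePass -noprompt
}

foreach ($s in $services) {
    $pfx = New-ServiceCert $s
    New-ServiceKeystore $pfx (Join-Path (Split-Path $pfx) 'rui.jks')
}
```

Every service ends up with rui.key, rui.crt, rui.pfx and rui.jks under its own folder on the share, which is the layout the later copy and keystore steps in the list above rely on.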

If you have vCenter servers in linked mode and are running the Web Client, you may run into the error message "Cannot connect to Inventory Service on [server]" when logging into the Web Client. I have not found a predictable way to fix this. Usually, it can be solved by first restarting the server running Web Client, then restarting the vCenter/Inventory server.

This script also has other limitations, many of them similar to the Certificate Automation Tool.

Limitations

Limitations specific to this script

  • Only uses Windows Domain Certificate Authorities
  • Does not account for intermediary CAs
  • Has not been tested in large environments with HA and DRS
  • Has not been tested with environments running: VMware Site Recovery Manager, vSphere Data Recovery, vCloud Director, or third-party solutions
  • Does not have a rollback feature, yet. For rollback, I relied on Snapshots and database backups.
  • Does not have advanced logging
  • I don’t recommend running this in a production environment until it’s been vetted by far more people

Limitations that exist in VMware’s tool that likely exist within this script

  • vCenter Single Sign-On Password cannot contain spaces
  • vCenter Orchestrator may fail to connect when using multiple vCenter Servers.
    • You can add additional vCenter Server SSL certificates using the VMO Configuration web page (https://vmoserver:8283/, default login vmware/vmware) -> vCenter Server -> SSL Certificates.
    • Add all vCenter Certificates found in your Certs directory.
    • Note that if vCenter and VMO are running on the same server, the vCenter cert will be automatically added.
  • Client Not authenticated error when connecting to VMware Inventory service in Linked Mode Configurations. Wait 10 minutes and this should resolve itself.

Why I prefer using this script over VMware’s

  • Requires minimal information and interaction
    • Automatically downloads OpenSSL if necessary
    • Automatically generates the certificates based off of a few variables
    • Automatically detects services and runs the SSL updates in the necessary order without user intervention
    • If vCenter or VUM exists on the server, you will be prompted for your vCenter credentials. This is the extent of interaction that the script will require:

  • Replaces all of the same certificates: SSO, Inventory Service, vCenter, Update Manager, Web Client/Log Browser, and Orchestrator
  • Also works on vSphere farms with multiple servers (you must update the SSO server first)
  • It’s all contained in just one (nearly 600 line) script
  • Works on 5.1 and 5.1U1

In the end, your Cert collection will look something like this:

* Note that the ESX certificate output was created using this script.

And each of your services will be encrypted with trusted certificates:

And, of course, Web Client, after a couple reboots.

Getting started

  1. Ensure your Windows Domain CA certificate is trusted by members of your domain
  2. Take a snapshot of each vSphere server on which you will run this script
  3. Back up each of your databases
  4. Find a secure location on the network to store your certs (i.e. \\fileserver\share\Certs)
  5. Visit Derek Seaman’s blog and create a new certificate template
  6. Shut down the following services if they exist: VMware Site Recovery Manager, vSphere Data Recovery, vCloud Director, third-party solutions that connect to vCenter.
  7. Download the ReplaceSSL-vSphere51.ps1 script
  8. Change the variables
  9. Run the script first on the server running the SSO
  10. Run the script on all other servers
  11. If the Web Client connects to multiple vCenter servers, reboot the server running Web Client, as well as the server(s) running Inventory Service and vCenter.
  12. Consider running the complementary ESX script

Once the scripts are complete, you can visit each of your sites to confirm the SSL Certificates have been replaced. Please note that Log Browser and the Web Client take up to 5 minutes to fully restart.

Finally, bask in the glory of your trusted SSL certificates:

Posted in PowerShell, Security, VMware