Categories
System Administration

SNMPv3 Configuration for Dell PowerConnect 3500 Series

So apparently SNMP should be secured. Disable write access if you don’t need it, and use SNMPv3 instead of the other versions.

I set up some ProCurve switches recently, and evilrouters.net had a great writeup on configuring SNMPv3. So configured me some ProCurve and went on my way.

Then came my Dell PowerConnect 3548P. I bought it before I decided to go with ProCurve for all the switches, but since it ain’t broke, let’s secure it.

Ideally, I’d configure it similar to the ProCurve switches, so that I can monitor it the same with Cacti and Spiceworks. I was able to map the ProCurve commands to PowerConnect speak for most of it, but I ran into a spot where the Dell documentation is painfully unclear:

auth-sha-key sha-des-keys — Indicates the HMAC-SHA-96 authentication level. The user should enter a concatenated hexadecimal string of the SHA key (MSB) and the privacy key (LSB). If authentication is only required, 20 bytes should be entered; if authentication and privacy are required, 36 bytes should be entered. Each byte in the hexadecimal character string is two hexadecimal digits. Each byte can be separated by a period or colon. (20 or 36 bytes)

Dell PowerConnect 3500 Series CLI Reference Guide, p354

In ProCurve land, I enter in plaintext passwords for both authentication and privacy, and it hashes that out for me, but here in the Dell universe, I haven’t the slightest idea how to make a key.

After a few hours of head scratching, here’s what I did.

You’ll need:

  • CLI access to your switch
  • A Linux machine. I’m using Ubuntu Server.

Log into your switch and type:


enable
show snmp engine id

It’ll spit out an engineID. Make note of that ID.

On your Linux machine, you’ll need to install the snmpkey utility. I did it with the following:


sudo apt-get install libnet-snmp-perl libcrypt-des-perl libdigest-hmac-perl

Then, run the following command to generate the mysterious keys:


snmpkey sha <auth_password> <engine_id> des <priv_password>

It should return an authKey and a privKey.

Back on your switch, move up to the config mode (type enable and config), then create an SNMPv3 group:


snmp-server group operatorauth v3 priv 

Then create the user and assign it to that group:

snmp-server user snmpuser operatorauth auth-sha-key <authKey><privKey>

Make sure there’s no space between the authKey and the privKey. This will create a user named snmpuser. And you’re done!

If you’ve got snmpwalk installed on your Linux server, test the connection with:


snmpwalk -v 3 -a SHA -A <auth_password> -u snmpuser -l authPriv -x DES -X <priv_password> <ip_of_switch>

With any luck, you should see a stream of OIDs.

If anyone has a smarter way to generate the keys, please let me know in the comments!
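What the key-generation step produces, as an added example that is not part of the original post: a Python sketch of the RFC 3414 password-to-key localization with SHA-1, building the 36-byte string the Dell guide describes (20-byte authKey followed by a 16-byte DES privKey). It assumes snmpkey follows RFC 3414 and that the privacy key is the first 16 bytes of the SHA-localized key; the function names are hypothetical.

```python
import hashlib

def parse_engine_id(text: str) -> bytes:
    """Accept '0x8000...', '80:00:...' or '80.00....' and return raw bytes."""
    cleaned = text.strip().replace(":", "").replace(".", "").replace(" ", "")
    if cleaned.lower().startswith("0x"):
        cleaned = cleaned[2:]
    return bytes.fromhex(cleaned)

def localized_key(password: str, engine_id: bytes) -> bytes:
    """RFC 3414 A.2.2 password-to-key with SHA-1, localized to one engine."""
    pw = password.encode("utf-8")
    if len(pw) < 8:
        raise ValueError("USM passwords must be at least 8 characters")
    # Ku: SHA-1 over the password repeated to exactly 1,048,576 bytes.
    reps, rem = divmod(1048576, len(pw))
    ku = hashlib.sha1(pw * reps + pw[:rem]).digest()
    # Kul: hash Ku around the engine ID, so the key is specific to this switch.
    return hashlib.sha1(ku + engine_id + ku).digest()

def dell_auth_sha_key(auth_password: str, priv_password: str,
                      engine_id_text: str) -> str:
    """Return <authKey><privKey> as 72 hex digits (36 bytes), no separator."""
    engine_id = parse_engine_id(engine_id_text)
    auth_key = localized_key(auth_password, engine_id)        # 20 bytes
    priv_key = localized_key(priv_password, engine_id)[:16]   # DES: first 16
    return (auth_key + priv_key).hex()

if __name__ == "__main__":
    from getpass import getpass
    eid = input("engine ID from 'show snmp engine id': ")
    print(dell_auth_sha_key(getpass("auth password: "),
                            getpass("priv password: "), eid))
```

Prompting with getpass keeps both passwords out of shell history and the process list, which passing them as command-line arguments does not.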

Categories
Software System Administration

Static Devices on Remote Side of a SonicWALL Site-to-Site VPN? Remember to Renegotiate!

tl;dr If you are having trouble with devices that have static IPs on the remote side of your SonicWALL Site-to-Site VPN, go to VPN and click Renegotiate under the Currently Active VPN Tunnels.

We’ve got another warehouse with a site-to-site VPN setup using SonicWALL devices. It works decently enough for what we need.

While most of the workstations at the remote site get an IP from the DHCP server at the central site, some of the devices at the other warehouse have static IPs (printers, wireless APs, etc).

Defining these static IPs in the SonicWALL is pretty easy. On the remote gateway side, go to VPN –> DHCP over VPN –> Configure –> Devices Tab and enter the IP and MAC address of your static devices under Static Devices on LAN.

However, occasionally when adding another static IP, or when updating the firmware, or when it just feels like it, the routers will have trouble passing traffic from the central side to the remote side for just the static IPs. I’m using Nagios to report on the status of most of these devices, so it starts complaining fairly quickly that it can’t access them. Usually the remote side can still see those static devices, but for printers that connect back over the VPN to a printer server, this becomes a problem.

I used to think that just deleting all the static devices listed and re-adding them would work, but I had major problems with this today.

The workaround that seems to work for me now is simply going to the VPN settings page and clicking Renegotiate under the Currently Active VPN Tunnels section.

I don’t see anything like this written up on any of the SonicWALL support pages, so if anyone else runs into this weird situation, it’s worth a shot.

Categories
Epicor

Epicor Support Resources

Looking for some help with your Vista/Vantage, Epicor 9 or other related ERP system? There’s lots of information to be had, but it seems to be tucked away in little pockets around the web. Here’s the places I know about, in no particular order:

Application Help

Epicor’s application help can be easily overlooked because it’s sitting right in front of you, but it’s fairly robust. In Vista 8.03, there are cases where some of the documentation refers to deprecated features (possibly from v6), but for the most part the info here is solid. It’s an easy place to start.

EpicWeb

Home of all things Epicor, EpicWeb contains a wealth of information and downloads for the entire line of Epicor products. Download updates, search through active calls, or peruse their knowledgebase of answers. The search function is a little crummy, and it’s not uncommon to get lots of duplicate results. But it’s better than nothing.

One thing to note is that since EpicWeb is a SharePoint site, you can take advantage of the ‘Alert Me’ feature and get email notifications when a file or something else is posted to the site. I use it to let me know when new Epicor 9 files are posted. Pretty handy.

Another important item on EpicWeb is the Epicor Support Management Contact List. It contains escalation contacts, email addresses, and phone numbers, in case you need some additional attention to your issue.

Vista/Vantage and Epicor 9 User Guides

Epicor makes available a number of printed user guides covering the base application, customization and tools. Ask your Customer Account Manager (CAM) and you can order a copy (they’re not free). However, recently they’ve made available electronic copies of the Epicor 9 user guides, freely downloadable from EpicWeb. They’re tucked away under Release 9.05.603, listed as User Guide eBooks. The larger books are broken into chunks. I’d still recommend having at least one printed copy, but the eBooks are great for quick reference or for printing out sections of the user guides to distribute to users.

Similarly, EpicWeb also has a number of technical reference guides for installation, service packs, SDKs, application tuning, etc.

Phone Support or Online Chat

Ah, the good old telephone. I’m sure you’ve all got the numbers handy. There appear to be different numbers depending on what product you’re using, but at least between Vista/Vantage and Epicor 9 there is a little overlap.

I’m a fan of using online chat when I can, since I don’t have to be actively on hold and can be doing other things until I’m at the front of the line, but it feels a little like the same team that fields phone calls also monitors the online chat, so it’s not unusual for an online chat request to time out.

Customer Matrix Viewer (SCR Search)

Software Change Requests (SCR) are an integral part of the Epicor product lifecycle. Bug fixes, enhancements, and other features are assigned an SCR and slated for service packs and patches. Recently, they’ve introduced the ability to search through SCRs through what they call the Customer Matrix Viewer. Neil McLachlan, Vice President of Product Management provides this description of the service:

The purpose of this site is to provide you with Web-based access to a listing of SCRs addressed in previous service packs and patches, as well as SCRs planned for future releases. This will help you plan your upgrades and go-live strategy for Epicor 9 with more insight into your specific requirements, risks, and issue resolutions.

It’s a fairly rudimentary search, but if you’ve been assigned an SCR for a particular issue you’ve been having, it’s a good place to get some info on the status of the fix.

If you need some specific instruction on its use, take a look at the Customer Matrix Viewer How-To Guide.

Epicor’s Vista/Vantage/E9 Users Yahoo! Group

The Epicor Yahoo! Group is my current go-to place for information outside of official Epicor channels. It’s an active community of users asking and answering a wide range of questions. However, I’m not the biggest fan of the mailing list format, and there’s only one big group for everyone to post messages, so it’s easy for your own post to get lost in the mix.

I find it easiest to get the Daily Digest email rather than receive individual emails each time someone posts to the group.

IT Toolbox Epicor Community

I learned about the existence of the IT Toolbox Epicor Community directly from an Epicor employee, who told me that there are at least a few actual Epicor employees that lurk within this community. It’s very similar to the Yahoo! Group, but there is much less monthly activity on the message board on IT Toolbox.

Epicor Users Group 

By the users, for the users. The Epicor Users Group (EUG) maintains a close relationship with Epicor to provide feedback from their members to help make their software better for all of us. It’s a paid membership, but they’re a major sponsor of Perspectives (Epicor’s user conference), and your membership gets you a hefty discount on the entrance fee to the conference. Cost to join is per company, rather than per individual, which is also helpful.

The EUG also has a LISTSERV mailing list available for their members. Their webmaster mentioned to me that they may be moving towards a forum format rather than the mailing list, if that’s more your style. Individual lists are available for a number of different Epicor products, and there are sub-groups for very specific topics. I’m not very familiar at this point with how active the lists are, but it seems fairly lively.

Additionally, this User Group has a unique feature with their Enhancement Request Portal. It allows members to submit enhancement requests that are then reviewed by Epicor when the EUG meets with them, usually on a monthly basis. Other users can amend their thoughts and comments on issues and Epicor also has an avenue to respond directly through the Portal.

Epicor Customer Forums

For the sake of completeness, I’m listing the Epicor Customer Forums, but frankly, it barely gets used. I posted questions there a few times when I first started using Epicor, and got very few responses. I also saw no way to be notified via email when someone responded to my post, which made it cumbersome to use. Not the greatest, but points in my book for being a forum over a mailing list.

Us Doing Stuff

As far as I can tell, Jose Gomez is doing some pretty great stuff, and his Epicor-related blog showcases some of that stuff. Prior to starting this blog, he’s posted some videos to YouTube through the Yahoo! Group and continues to provide useful advice and information. His team now offers maintenance packages at competitive rates, and I’ve spoken to some people that are very satisfied with his services.

Epicor Software – Spiceworks Community

Another very small community can be found within Spiceworks. I use their network monitoring software, so I stumbled across the Epicor group here. There appear to be fewer posts than the barely-used Epicor Customer Forums, so I wouldn’t count on it too heavily, but it’s there.

Progress Communities – PSDN.com

For Progress/ABL/4GL specific questions, you might check out Progress Communities (PSDN.com). It’s pretty low level stuff and it’s not Epicor-specific, but for the more technically-minded code junkies, this is the place to be.

I should also mention the Progress 4GL Handbook and the Progress 4GL Reference PDFs which are readily available for download. Keep these on hand if you’re looking for more information on ABL/4GL code.

Final Thoughts

Let me know in the comments if there are other useful resources you’ve found in your quest for Epicor knowledge. Consultants and integrators, let’s see some practical blogs covering various topics and answering common questions. Epicor, let’s keep working towards comprehensive and worthwhile documentation for all aspects of your software. Happy ERPing, everyone!