The maintenance network is used by OpenVOS for monitoring several devices including the RAID and SAN disk arrays. This network also allows you access for making configuration changes, debugging problems and general monitoring. However, when accessing these devices from the OpenVOS module you can only use the command line interface (CLI); the friendlier, graphical user interface (GUI), used via a web browser is not available.
The lack of a GUI interface has led some of you to connect the maintenance network to another externally available network. This requires that all the devices on the network and the Stratus interface be renumbered. It also means that the devices on the maintenance network will be accessible to anyone with access to the network and the monitoring functions done over the network will be subject to the problems of a much larger network environment. This is something that Stratus strongly urges you not to do.
This post will discuss three ways of allowing you to use the web browser GUI interface to manage these devices while still keeping the maintenance network restricted to just the Stratus module’s environment. The first assumes that you want to gain access from a browser located on the same subnet as one of the Stratus module’s IP interfaces. The next two approaches use SSH tunneling.
For these examples the Stratus module has an interface numbered 22.214.171.124/24 and the maintenance network address is 10.10.1.0/24. The device I want to access has an IP address of 10.10.1.20.
Approach #1 – routing changes on your workstation
The first approach is the simplest, set up a route on your workstation with a destination of either a single address or the entire 10.10.1.0/24 subnet and a gateway of the Stratus module’s 126.96.36.199/24 interface (see figure 1). In the example I set up a route to the entire 10.10.1.0/24 subnet so I can reach any host on that subnet via the Stratus module. This approach will only work if the Stratus module is configured to allow forwarding and the workstation running the browser is also on the 188.8.131.52/24 subnet. You then access the devices via their IP address (see figure 2). Note that enabling forwarding is seen by some as a security risk. Also modules running OpenVOS releases 17.1.0 thru 17.1.0bl are subject to bugs stcp-3050 and stcp-3072 and should not have forwarding enabled.
With this approach, if you wish to access a device on the maintenance network of a different Stratus module you must delete the existing route and add a new one with the new Stratus’s IP address as the gateway.
Approach #2 – setting up an SSH tunnel from your workstation
The second approach sets up an SSH tunnel between your workstation and the Stratus module. This requires that SSH is running on the Stratus module and that your workstation has an SSH client that supports tunneling. Any SSH client that supports tunneling can be used but of course the configuration will vary with the client. I will describe two free clients that run in the MS Windows environment, PuTTY and OpenSSH run under Cygwin.
PuTTY can be found at http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html. The version available at the time I wrote this was beta 0.62 and was released on 2011-12-10. Don’t let the “beta” or the “0.” worry you. The original release was Beta 0.45 back in January of 1999. Lots of people use this code without any problems.
Once you have installed PuTTY click on the putty.exe icon to get the configuration dialog. The first step is to enter the IP address or host name of your module, in my case 184.108.40.206. The port number should be 22 and the connection type should be SSH.
Now select the “Tunnels” entry under SSH and fill in the “Source port” and “Destination” boxes. The destination is the IP Address of the target device on the maintenance network that you want to connect to. This is followed by a colon and the port number which will be 80. The source port can be any port on your workstation that you are not using. I have a standard formula which I use, NNHHP. 2 digits from the network address of my target, 2 digits from the host number, and 1 digit from the port number. So 10.10.1.20 port 80 becomes 10208; but as I said, any number not in use will work.
After pressing the “Add” button the information moves to the “Forwarded ports” box. Now press open.
You will get what looks like a command or terminal window. It should prompt you with a “login as” for a user name and then for a password. After you enter these, assuming you are authenticated, it will appear to hang. If you do this a lot I suggest you configure public/private keys so you can skip the prompts. Your next step is to open a browser and for the destination you will type 127.0.0.1:NNHHP, which is the “Source Port” value you entered in the PuTTY configuration. At this point you should see the login screen for the device on the maintenance network that you want to connect to.
If you don’t wish to use PuTTY you can use download Cygwin. This is an environment that allows you to run native Linux apps on a Windows platform. It can be found at http://www.cygwin.com, the version at the time of this writing is 1.7.17-1. OpenSSH is in the “Net” package, which does not install by default, so be sure to select it for download and installation.
Once installed you can use either the Cygwin command window which opens a bash shell or the native Windows command shell. Change directory to the c:cygwinbin and execute the SSH command “ssh -2TNx -L 10208:10.10.1.20:80 firstname.lastname@example.org”. The “nd” is my user name alias, you will of course need to use your own. At this point things look a lot like PuTTY, you will be prompted for a password and then the window hangs. You open a browser and point it at 127.0.0.1:10208 and you should be there.
If you are using a Linux distribution instead of Windows you probably already have OpenSSH installed, you can bring up a terminal window and enter the exact same SSH command “ssh -2TNx -L 10208:10.10.1.20:80 email@example.com”, answer the same prompts and open your browser in exactly the same way.
One nice thing about this approach is that you can do it from anywhere; your workstation does not need to be on the same subnet as one of the Stratus’s interfaces. In addition all your communication is encrypted.
Approach #3 – setting up an SSH tunnel on the Stratus module
My third approach also uses SSH but this time only on the module. Using your favorite terminal emulation you login onto the Stratus module and then use almost exactly the same SSH command. The only difference is the “g” argument that allows connections from outside the module, “ssh -2TNxg -L 10208:10.10.1.20:80 firstname.lastname@example.org″. Once you are logged in you point your browser at the module instead of 127.0.0.1, but the port number is still 10208 (or whatever was the first number of the -L argument).
Like the second approach this approach can be used from any workstation that can reach the module. Unlike the second approach where SSH was run on the workstation, this approach does NOT encrypt your connection between workstation and module. On the other hand it does not require that anything special be installed on the workstation. Finally it is possible to run the SSH command from a started process, you can start one process for each device when the module is booted so they are always available. NOTE that ANYONE that reach the module can connect to these ports and be forwarded to the target device, they are not authenticated by the module so this could be a security issue.
And just to repeat myself, Stratus strongly recommends that you maintain the isolation of the maintenance network. If you wish to use the administrative GUI interface instead of the CLI use one of these approaches.