Format RDX Cartridges for Linux

To format an RDX (e.g. Dell RD1000) drive cartridge for Linux for use with Eclipse backups:

Identify the drive’s device name (e.g. /dev/sdc) using the following command:

lsscsi

After you’ve identified the proper device, format the partition (e.g. /dev/sdc1), substituting its name for /dev/sdX1 in the command below:

CAUTION: This will destroy all data on the specified partition, so make sure you’ve identified the correct partition before proceeding.

mkfs -t ext4 -v -L RD1000 /dev/sdX1

Mount the drive:

mount /mnt/rd1000

Create the rsync directory:

mkdir -p /mnt/rd1000/rsync

The drive cartridge is now ready for use.

POODLE SSLv3 Security Alert October 2014

Summary

Epicor has been keeping apprised of a vulnerability in the SSL 3.0 protocol, which has been assigned CVE-2014-3566. All implementations of SSL 3.0 are affected.

POODLE stands for Padding Oracle On Downgraded Legacy Encryption. This vulnerability allows a man-in-the-middle attacker to decrypt ciphertext using a padding oracle side-channel attack. POODLE affects older standards of encryption, specifically Secure Socket Layer (SSL) version 3.0. It does not affect the newer encryption mechanism known as Transport Layer Security (TLS).

Because it’s a vulnerability in the protocol, not a bug in the implementation, there is no “patch,” so SSLv3 should be disabled in all client and server software.

Epicor’s Response

There are functions of the Eclipse server software that initiate HTTPS connections to external servers (e.g. for credit card processing). Those connections previously allowed SSLv3, so we have updated the code to explicitly require TLS connections. The patch (DNV616) can be applied manually, or it will be included by default in the customer’s next point upgrade.

We have also reviewed the Eclipse application server and confirmed that SSLv3 is already disabled in the release, which uses TLS by default.

Recommended Customer Actions

We recommend that customers request the patch or a point upgrade to a release of Eclipse with SSLv3 client functionality disabled.

We also recommend that any customers running external web servers (e.g. web commerce, mobile) disable SSLv3 on IIS using Microsoft’s “fix it” tool.

FAQ

Q. How can I verify that my Solar application server (or any other secure web service) is not vulnerable?
A. Run the command below:

openssl s_client -connect HOSTNAMEORIPADDRESS:PORT -ssl3

For example, the following output, from a check run against the Solar application server on the local server, shows that the service is not vulnerable:

[root@rs6k ~]# openssl s_client -connect localhost:2443 -ssl3
CONNECTED(00000003)
25211:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:284:
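
The check above can be scripted so that the verdict does not depend on reading the output by eye. This is an added example, not part of the original advisory or of Eclipse: the function names classify_ssl3 and check_ssl3 and the three verdict labels are hypothetical, and the sample outputs are constructed, apart from the error line quoted from the output above.

```shell
#!/bin/sh
# Added example: classify the output of `openssl s_client -connect HOST:PORT -ssl3`.
# Reads the captured output on stdin and prints one verdict.
classify_ssl3() {
    out=$(cat)
    # The local openssl refused to speak SSLv3 at all, so nothing was tested.
    if printf '%s\n' "$out" | grep -qiE 'unknown option|no protocols available'; then
        echo INCONCLUSIVE; return 0
    fi
    # No TCP connection (refused, timed out, bad name): nothing was tested.
    if ! printf '%s\n' "$out" | grep -q '^CONNECTED('; then
        echo INCONCLUSIVE; return 0
    fi
    # A failed handshake can still print "Protocol  : SSLv3" with a null cipher,
    # so require a negotiated cipher before calling SSLv3 accepted.
    if printf '%s\n' "$out" | grep -qE 'Protocol *: *SSLv3' &&
       ! printf '%s\n' "$out" | grep -qE 'Cipher *: *0000|Cipher is \(NONE\)'; then
        echo SSLV3_ACCEPTED; return 0
    fi
    echo SSLV3_REJECTED
}

# Live check of one service (not run here); usage: check_ssl3 localhost:2443
check_ssl3() {
    openssl s_client -connect "$1" -ssl3 </dev/null 2>&1 | classify_ssl3
}

# Constructed sample outputs (the error line in the first is the one shown above).
SAMPLE_REJECTED='CONNECTED(00000003)
25211:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:284:
New, (NONE), Cipher is (NONE)
    Protocol  : SSLv3
    Cipher    : 0000'
SAMPLE_ACCEPTED='CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is AES256-SHA
    Protocol  : SSLv3
    Cipher    : AES256-SHA'
SAMPLE_NO_SSL3='s_client: Option unknown option -ssl3'
SAMPLE_REFUSED='connect: Connection refused
connect:errno=111'

for s in "$SAMPLE_REJECTED" "$SAMPLE_ACCEPTED" "$SAMPLE_NO_SSL3" "$SAMPLE_REFUSED"; do
    printf '%s\n' "$s" | classify_ssl3
done
```

An INCONCLUSIVE verdict means the test never reached an SSLv3 handshake, so it says nothing about the server; repeat the check from a host whose openssl still supports the -ssl3 option.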

Upgrading from RHEL 5 to 6

Here are answers to some common questions regarding upgrades from RHEL 5 to 6:

When I update the software using “yum,” will it upgrade me to the newest version?

It will only update you to the latest “minor” version (e.g. 5.9 to 5.10). It will not upgrade you to a new major version (e.g. 5.9 to 6.5).

Why would I want to upgrade to RHEL 6?

If you are on RHEL 5, you may stay on RHEL 5. Red Hat will provide technical support and updates for RHEL 5 until 3/31/17, and UniVerse will support it through 11.2.

If you are on RHEL 5, but you are moving to a new server, we recommend that you use the opportunity to migrate to RHEL 6 on the new server.

Can I perform an “in place” upgrade from RHEL 5 to 6?

No. Here’s Red Hat’s policy on “in place” upgrades:

Red Hat does not support in-place upgrades between any major versions of Red Hat Enterprise Linux. A major version is denoted by a whole number version change. For example, Red Hat Enterprise Linux 5 and Red Hat Enterprise Linux 6.5 are both major versions of Red Hat Enterprise Linux.
In-place upgrades across major releases do not preserve all system settings, services or custom configurations. Consequently, Red Hat strongly recommends fresh installations when upgrading from one major version to another.

The recommended procedure is to perform a clean installation of RHEL 6, followed by clean installations of the Eclipse software packages (e.g. UniVerse, VSI-FAX), and finally restore the OS configuration data (e.g. users, passwords, printers, email relay settings) and database.

For more information, see these Red Hat articles:

I need to upgrade to RHEL 6 for another reason. Can Eclipse help?

If you need to upgrade from RHEL 5 to 6 for some reason (e.g. backup software requires RHEL 6), and you are not moving to a new server, the Eclipse team can help with the upgrade process. Please contact your account manager for more information.

Heartbleed and Eclipse FAQ

Q: Is Eclipse affected by Heartbleed?
A: The short answer is no.

Q: What Eclipse products use SSL?
A: Eclipse uses SSL in its application server, JBoss, and its external web server, IIS.

Q: Is the JBoss application server used by Eclipse affected by Heartbleed?
A: No. JBoss is a Java application, and it uses Java’s own SSL implementation. For more details, see this statement by the lead security architect for JBoss: http://anil-identity.blogspot.com/2014/04/jbosswildflyas-openssl-heartbleed.html

Q: Is the IIS web server used by Eclipse affected by Heartbleed?
A: No. IIS uses Microsoft’s own SSL implementation. For more details, see Microsoft’s official statement: http://blogs.technet.com/b/erezs_iis_blog/archive/2014/04/09/information-about-heartbleed-and-iis.aspx

Q: Have you tested the Eclipse software to make sure that it’s not vulnerable?
A: Yes, we have tested both JBoss (Solar, Job Management) and IIS (Web Order Entry) using the open-source heartbleeder tool, and all of the Eclipse software passed the tests.

Q: How can I test my own servers for the vulnerability?
A: The easiest way to test an external, Internet-accessible web server is through a website like this one. If you need to test an internal server, you can download the heartbleeder tool, which is a simple, command-line utility that runs on multiple platforms.

Q: I know it doesn’t run on my Eclipse server, but is the Element credit card payment processing service vulnerable?
A: As far as we can tell, no, but we have yet to receive an official statement from Element. We have tested all of the web services used by Eclipse for Element payment processing (https://certtransaction.elementexpress.com, https://certreporting.elementexpress.com, https://certservices.elementexpress.com), and none of them are vulnerable.

Q: I run Red Hat Enterprise Linux, and OpenSSL is installed by default. Is my server affected?
A: Maybe. If you are running Red Hat Enterprise Linux 6.5 or above, you may be running an affected version of the openssl software. RHEL versions 6.4 and below, and all versions of RHEL 5, are not affected. If you are running RHEL 6.5 or above, we recommend that you run “yum update openssl” and reboot your server as soon as possible to install the patched version of openssl. For more information, see this article from Red Hat: https://access.redhat.com/site/solutions/781793

Q: What is Heartbleed?
A: There are many resources available on the Internet, but we suggest starting with the “official” homepage (http://heartbleed.com/) or watching this video.

Q: How do you recommend that I keep my servers secure in the future?
A: Please review our list of best practices, which includes the recommendation to update your server’s software and firmware on a regular basis.

Q: You didn’t answer all of my questions!
A: Please feel free to leave a public comment below, or open a support request with our systems team.

Reset APC UPS

Hard Reset of the Smart-Ups microprocessor

(Referred to by APC support as the Brain Dead Procedure)

Problem: An APC SMT or SMX unit does not show all of its menu options. It may also have a bank of power sockets on the rear that is not operational. Other oddities may also be occurring.

Resetting to Factory Defaults does not resolve the issue(s).

Solution: Perform a Hard Reset by following the steps below.

  1. Turn off UPS via control panel on front of unit.
  2. Unplug UPS from the wall.
  3. Disconnect the battery. This is a plug on the rear of the unit labeled “BATTERY CONNECTOR”. (You may hear an audible click from the UPS.)
  4. Reconnect the battery
  5. Turn on UPS
  6. Plug UPS into the wall
  7. Test for original failing condition.