Monday 04 May, admin
Question About Using Trusted End Node Security Tens On Vm For Mac

By Thomas Burger

Question about using Trusted End Node Security (TENS) on VM for Mac: When I'm using TENS in the VM I can't access the military websites (AKO, enterprise, my pay); it says I don't have the credentials. Any way to circumvent this?

Introduction

Virtualization technology is possibly the single most important issue in IT and has started a top to bottom overhaul of the computing industry. The growing awareness of the advantages provided by virtualization technology is brought about by economic factors of scarce resources, government regulation, and more competition.

Virtualization is being used by a growing number of organizations to reduce power consumption and air conditioning needs and trim the building space and land requirements that have always been associated with server farm growth. Virtualization also provides high availability for critical applications, and streamlines application deployment and migrations. Virtualization can simplify IT operations and allow IT organizations to respond faster to changing business demands.

The socio-political ramifications of global warming, which require good corporate citizens to meet greenhouse gas reduction targets, create an added incentive for virtualization.

The availability of better virtual machine isolation through new Intel® Virtual Technology hardware support in commodity systems together with the broad availability of virtualization software provides a level of efficiency to meet these demands.

This paper discusses what virtualization is, how Intel technologies improve it, and how organizations can benefit from adopting virtualization into future IT plans.

What is Virtualization?

Virtualization is a combination of software and hardware engineering that creates Virtual Machines (VMs) - an abstraction of the computer hardware that allows a single machine to act as if it were many machines.

  • Without VMs: A single OS owns all hardware resources
  • With VMs: Multiple OSes, each running its own virtual machine, share hardware resources
  • Virtualization enables multiple operating systems to run on the same physical platform

Figure 1 - Non Virtual Machine and VM Configurations

Virtual Machine Monitor (VMM)

The VMM is the control system at the core of virtualization. It acts as the control and translation system between the VMs and the hardware.

The VMM challenge is the efficient controlling of physical platform resources; this includes memory translation and I/O mapping. Until recently the VMM used software methods of Binary Translation and Paravirtualization to achieve this. With the complex, time consuming operations involved to create and run them, virtual machines, until now, showed significant performance reductions compared to dedicated physical machines.

Intel Virtual Technology

Intel was first in providing hardware specifications to VMM vendors that significantly reduced the overhead of VMM operations and greatly improved the speed and abilities of the VMM. Intel® Virtual Technology (Intel® VT) is a specification that has been included in Intel hardware shipped since 2005. It provides a flexible set of hardware primitives to aid VMM software and has the broadest hardware and software support.

Intel VT not only speeds the operations of VMs, but it also reduces the complexity and provides a standard platform for the development of even more capable VMMs. Intel VT also contains a research component that works with VMM vendors to provide the future functionality they require. As an example, VMMs are taking advantage of Intel hardware and a virtual machine can now be created that uses four CPUs in a multiprocessor configuration.

Intel VT Goals:


Reduce VMM Complexity
  • Close hardware “virtualization holes” by design
  • Reduce need for device-specific knowledge in VMM

Enhance Reliability, Security and Protection
  • Provide new control over device DMA and interrupts

Improve Functionality
  • Provide support for legacy (unmodified) guest OSes
  • Enable pass-through access to I/O devices (where appropriate)

Increase Performance
  • Eliminate unnecessary transitions to VMM
  • New address-translation mechanisms (for CPU and devices)[1]
  • Reduce memory requirements (translated code, shadow tables)

Intel VT is comprised of the following hardware specifications:
  • VT-x for the IA-32 and Intel®64 Architecture - Available in all Intel-based processors (server, desktop, mobile)
  • VT-i for the Intel® Itanium® Architecture - Available in Intel® Itanium® processor-based servers since 2005
  • VT-d for Directed I/O Architecture - Intel is working with VMM vendors to deliver software support with systems in 2007.
  • Secure Virtualization Core™ Micro-architecture support for Intel® Trusted Execution Technology - A set of hardware extensions that provide creation of multiple separated execution environments (partitions) that help protect the confidentiality and integrity of data stored or created on the PC.

Table 1 - Intel® Virtualization Technology Benefits

| Software-only Virtualization Solution | Virtualization with Intel® VT | End-user Benefits |
| Paravirtualization is required with certain Operating Systems | No paravirtualization required | Lower support and maintenance cost. No paravirtualization support required with update of guest OS |
| Large memory overhead required | CPU virtualization assistance reduces the need for memory overhead | Lower TCO and lower platform, energy, cooling, maintenance and inventory costs |
| De-privileging OS limits number of Operating Systems supported | OSs can often run on their intended layer avoiding the need to de-privilege | Increased functionality: mixed and varied OS |
| Only possible through complex VMMs that add latency and cost | Assists the VMMs with silicon based functionality | Resulting in lower cost, more powerful virtualization solutions |

Advantages of Using Virtualization

Today’s IT intensive enterprise must always be on the lookout for the latest technologies that allow businesses to run with fewer resources while providing the infrastructure to meet today's and future customer needs. Virtualization utilizing Intel Virtualization Technology is the cutting edge of enterprise information technology. Intel is closely working with VMware, XENSource, Jaluna, Parallels, tenAsys, VirtualIron, RedHat, Novell and other VMM developers.

Server Consolidation

It is not unusual to achieve 10:1 virtual to physical machine consolidation. This means that ten server applications, which previously required as many physical computers to provide the unique operating system and technical specification environments they need in order to operate, can be run on a single machine. Server utilization is optimized and legacy software can maintain old OS configurations while new applications are running in VMs with updated platforms.

Although a server supporting many VMs will probably have more memory, CPUs, and other hardware, it will use little or no more power and occupy the same physical space, reducing utility costs and real estate expenditures.

Testing and development

Use of a VM enables rapid deployment by isolating the application in a known and controlled environment. Unknown factors such as mixed libraries caused by numerous installs can be eliminated. Severe crashes that required hours of reinstallation now take moments by simply copying a virtual image.

Dynamic Load Balancing and Disaster Recovery

As server workloads vary, virtualization provides the ability for virtual machines that are over utilizing the resources of a server to be moved to underutilized servers. This dynamic load balancing creates efficient utilization of server resources.

Disaster recovery is a critical component for IT, as system crashes can create huge economic losses. Virtualization technology enables a virtual image on a machine to be instantly re-imaged on another server if a machine failure occurs.

Virtual Desktops

Multinational flexibility provides seamless transitions between different operating systems on a single machine reducing desktop footprint and hardware expenditure.

“…Parallels Desktop for Mac, a virtual machine application. Instead of Boot Camp's dual-boot approach, Parallels Desktop runs Windows XP directly on the Mac OS desktop (in what Parallels calls 'near-native performance')--allowing you to run both OSs simultaneously and switch back and forth seamlessly.” Daniel A. Begun, CNet: Heresy: Windows XP performance on a Mac.

Improved System Reliability and Security

Virtualization of systems helps prevent system crashes due to memory corruption caused by software like device drivers. VT-d for Directed I/O Architecture provides methods to better control system devices by defining the architecture for DMA and interrupt remapping to ensure improved isolation of I/O resources for greater reliability, security, and availability.

Summary

Industry will continue to adopt virtualization for many reasons: collections of inefficient servers can be replaced with fewer machines; software can be tested while isolated in harmless virtual partitions; and data centers can gracefully (and virtually) conform to shifting work models, new technologies and changing corporate priorities.

The future of enterprise IT management will be based on virtual computing. Intel VT makes it possible to maximize computer utilization while minimizing all associated overheads of management, power consumption, maintenance and physical space.

Intel Virtualization Technology provides a comprehensive roadmap to address virtualization challenges and includes support for CPU and I/O virtualization and a strong VMM ecosystem. Intel was the first and is the leading provider of hardware support for virtualization technologies.

More Information

Intel® Virtualization Technology Web Site

Architecture
Intel Technology Journal: Special issue on virtualization technology, Volume 10, Issue 03: http://www.intel.com/technology/itj/

More about Intel® Trusted Execution Technology for safer computing, formerly code named LaGrande Technology: Intel® Trusted Execution Technology: http://www.intel.com/technology/security/

News & Events

Technical book from Intel Press: Applied Virtualization Technology by Sean Campbell and Michael Jeronimo: http://www.intel.com/intelpress/sum_vpio.htm

About The Author

Thomas Wolfgang Burger is the owner of Thomas Wolfgang Burger Consulting. He has been a consultant, instructor, writer, analyst, and applications developer since 1978. He can be reached at twburger@gmail.com.

[1] PCI SIG approved the new Address Translation Services spec as of February 15, 2007. See: I/O Virtualization Address Translation Services 1.0 specification at www.pcisig.com/specifications/iov/ats

Installation Steps

Step 1: Obtain a CAC Reader
Step 2: CAC Reader driver
Step 3: DoD Certificates
Step 4: ActivClient
Step 4a: Update ActivClient
Step 5: IE adjustments
Log into the Air Force Portal with your CAC now to test
----------------
Proceed ONLY if you need the ability to complete forms
Step 6: Lotus Forms

The Air Force download sites below require you to login with your CAC

Windows 10 users click here for information on how to use your CAC on your computer.

DO NOT follow instructions below

Windows 8.1 users click here for information on how to use your CAC on your computer.

DO NOT follow instructions below

Windows users can download ActivID 7.2 from:

They also recommend Trusted End Node Security (TENS) formerly known as Lightweight Portable Security (LPS)

Personnel who utilize VMware Horizon need to update their client

Here is the link:

1. You can use LPS to download ActivClient.
4. Your only other option is to purchase ActivClient. See vendors who sell this software here.

WINDOWS 10 & 8.1 USERS:

If your CAC is a 'GEMALTO TOP DL GX4144,' 'GEMALTO DLGX4-A 144,' 'Oberthur ID One 128 v5.5 Dual', 'Oberthur ID One 128 v5.5a D' or 'G&D FIPS 201 SCE 3.2' you 'may' be able to use your CAC without needing to install ActivClient.

Read more about the older CACs and how to replace them

If you are unsure whether you have a 32 or 64 bit version, here is how to find out:
Windows 8.1 & 10: Right-click the Windows logo (lower left corner of screen) and select System. Under System, System type, you will see 32 or 64-bit.

Here are more options for you (if the above didn't work)

ACTIVCLIENT INSTALLATION PROBLEMS AND SOLUTIONS

Air Force users, download Lotus forms from:

Download 'AFDPO Releases Updated IBM Lotus Viewer_DSign_3.5.1.333.exe' under Software link

OTHER AIR FORCE SPECIFIC PROBLEMS:

Problem 1: Receiving 'Your CA was not recognized. You should contact your CSA/LAN support team for assistance with DoD certs on this computer. You can install the latest DoD certs from..' error message when attempting to access the AF Portal

Information: The Cross Cert remover tool removes certificates which cause the cross-certificate chaining issue from Microsoft Local Computer and User Certificate stores. This will prevent your certificate from appearing to be issued by roots other than DoD Root CA 2 and being denied access to DoD websites. Some computers may have the Federal Bridge Certificate Authority's DoD Root CA 2 certificate installed. This conflicts with the DoD's DoD Root CA 2. You must remove the DoD Root CA 2 signed by the DoD Intermediate Root CA 1 in order to use the AF Portal with your CAC.

Cure 1-1: Follow the guidance in this PDF, slide 15 has download links for the Cross Cert remover tool.

Cure 1-2: If [after following guidance above] you're still having problems, go from this direct link: https://www.my.af.mil
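
A read-only way to see whether the cross-certificate situation described under Problem 1 exists on a Windows machine. This is an added example, not part of the original guide and not the Cross Cert remover tool; the list of stores checked and the subject string 'CN=DoD Root CA 2' are assumptions taken from the description above. It lists matching certificates and deletes nothing.

```powershell
# Added example: audit only, nothing is removed.
# Assumption: the root's subject contains "CN=DoD Root CA 2", as named on this page.
$targetCn = 'CN=DoD Root CA 2'
$pattern  = '(^|,\s*)' + [regex]::Escape($targetCn) + '(,|$)'

# Assumption: Local Computer and Current User stores that hold root,
# intermediate and cross-certificates.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA',
          'Cert:\CurrentUser\Root',  'Cert:\CurrentUser\CA'

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Issuer     = $_.Issuer
                # A genuine root is self-signed: subject and issuer are identical.
                # A cross-certificate has the same subject but a different issuer.
                SelfSigned = ($_.Subject -eq $_.Issuer)
                NotAfter   = $_.NotAfter
                Thumbprint = $_.Thumbprint
            }
        }
}

$findings | Sort-Object SelfSigned, Store | Format-Table -AutoSize -Wrap

$cross = @($findings | Where-Object { -not $_.SelfSigned })
if ($cross.Count -gt 0) {
    Write-Warning "$($cross.Count) certificate(s) named '$targetCn' were issued by another CA (cross-certificates)."
} else {
    Write-Output "No cross-certificates for '$targetCn' found in the checked stores."
}
```

Any row with SelfSigned = False is a copy of the root issued by a different CA, which is the kind of entry the Information paragraph says must be removed.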

Problem 2: Air Force users receiving 'There was a problem with this browser accessing your CAC for authentication. You may have pressed 'cancel' button in your browser's certificate selection prompt. If you are trying to authenticate with your CAC, please clear your SSL sessions. In IE go to the Tools-Internet options. Select the content tab and press the 'Clear SSL State button.' If this does not work or you are unable to complete this close all open browser windows and try again.'

Cure 2-1: Verify your clock settings on your computer. One person's battery had died, and his clock was set for November 2011, when it was actually August 2012.

Problem 3: Air Force users seeing strange error message when using Outlook Web Access 2003 with Internet Explorer 10 or 11

Cure 3-1: See here for solution.

Problem 4: Air Force users with OS X 10.9.x Mavericks and newer having problems accessing https://leave.af.mil or https://www.my.af.mil/leavewebprod/login follow same guidance as DTS users via the DTS page.

Problem 5: Air Force webmail constantly getting the message 'The page cannot be displayed'

Cure 5-1: Follow this guide to find out how to add https://*.mail.us.af.mil to your trusted sites

INFORMATION FOR APPLE MAC USERS ONLY

NOTE: In order to access some of the Air Force CAC-enabled websites, you must CANCEL when it first asks for your PIN. After canceling, then choose your certificate, it will give you a second opportunity to enter your PIN. NOW enter your PIN.

Information for Air Force personnel using Apple computers: AROWS will not continue to the login page if it identifies your browser as non-compatible. This is easily fixed by having Safari report that it 'is' IE. Go to Safari -> Preferences -> Advanced and ensure the 'Show develop menu' check box is ticked. Now when you open NROWS and it gives the browser error, go to the Develop menu in the menu bar and select User Agent -> Internet Explorer (any version 6.0 or greater). The 'Unsupported' page will refresh. Now paste the URL below back into the web browser again; you should be back at the login screen. This should work from the Air Force Portal, or directly at the URL: https://arowsr.afrc.af.mil/arows-r

Try using User-Agent Switcher for Chrome

You can try this as well for AROWS, but, you'll need Google Chrome:

NROWS sets some narrow parameters when it comes to User Agent identification. Thursby software has figured this out. You'll need to build an AppleScript and use Google Chrome as your browser:
The first step is to build the AppleScript.

  1. Open Utilities > AppleScript Editor.
  2. Paste the code from below.
  3. Choose File > Save As…
  4. Select File Format: Application.
  5. Give the item a name and save.
  6. Then run the app.

Code:

-- URL to open once Chrome has been relaunched
set myURL to "https://arowsr.afrc.af.mil/arows-r"

-- Check whether Google Chrome is already running
tell application "System Events"
    set processList to name of every process
end tell
if processList contains "Google Chrome" then
    beep
    set theReturnedItems to (display dialog "Google Chrome is already running." & return & "Would you like to quit and relaunch it?" default button "Cancel")
    set theButtonName to the button returned of theReturnedItems
    -- If user clicks "Cancel", this part of the script is never executed.
end if
-- This gets the path to Google Chrome. Unfortunately, it also launches the app.
set myGoogleChromePath to POSIX path of (path to application "Google Chrome")
tell application "Google Chrome" to quit
delay 1
-- Relaunch Chrome with the user-agent override and open the URL
set myCommand to "open " & quoted form of (myGoogleChromePath)
set myAgent to "--args -user-agent='Mozilla/5.0 (X11; U; Linux x86_64; pl-PL; rv:2.0) Gecko/20110307 Firefox/4.0'"
set myscript to myCommand & " " & myAgent & " " & myURL
do shell script myscript

Safari keeps crashing

An Air Force person emailed this fix to me: He would load his OWA, and the window would only stay open for about 10-20 seconds before OWA tried to open a calendar popup reminder. This popup would crash his Safari window, leading him to a frustrating 'Safari quit unexpectedly' error message. He could access other CAC websites like Air Force Portal, DTS, Leaveweb, and ADLS. He found a workaround while searching through the Thursby forum that had the idea of going to Options, Accessibility, selecting Use the blind and low vision experience. This disabled the annoying calendar popup; now his OWA window no longer crashes Safari. He mentioned the visual experience is more basic now, but at least he can access his email.