
Cisco NAC, CAM & CAS new certificate: agents need to be updated

syedaltaf.shah

Hello there.

We have installed a new temporary certificate on our CAM & CAS, but now the clients (Agents) need to be updated with the same certificate.

Every time I restart a PC it asks for the certificate and I have to accept and install the new certificate on each PC; we have 4k PCs.

Is there any way to push this certificate to all agents from the CAM?


Thanks Tarik,

To summarize, I did the following:

1. Create a CSR on both CAS & CAM (in both CSRs the domain name or IP will be the CAM IP address).

2. Export only the CSR file (selecting the first check box), not the key, for sending to the CA.

3. Send both files to the CA to get certificates.

4. After receiving the certs from the CA, edit the certificate file in a text editor (paste the private key & certificate of the CA) and save the file. In this way there will be 3 things in this file (certificate (generated from CSR by CA), CA certificate & private key). Repeat the same for CAS & CAM.

5. Import the certificate chain files created into CAS & CAM respectively (meaning import the CAS file to CAS & the CAM file to CAM).

Please correct me if there is something I am missing.

Syed,

You should not have to paste the private key in the certificate. All you need to do is import the root certificate in the CAM and CAS trusted CA store.

You should be able to get the certificates installed after you import the root certificate.

Thanks,

Tarik Admani
*Please rate helpful posts*

Thanks Tarik,

Now the CAS is connected to the CAM and both CAS are working in HA. But the only problem is users are not authenticating with AD: when the PC restarts the user goes to the unauthenticated VLAN and the NAC pops up for username and password. When I put in a NAC local user and password it works, but a domain user and password do not work. In the CAM Authentication screen I can see Active Directory SSO Server "Started".

When you generated the certificates, did you use the IP address (if so, did you use the VIP) or the hostname (did you use the hostname only)?

Before, ADSSO was working just fine, but after you updated the certs ADSSO doesn't work?

If you cannot log in with AD credentials then that is a separate issue and you will have to add an LDAP auth provider in the CAM and configure the user login page to set the default auth provider as LDAP.

Check your unauthenticated role to make sure that there aren't any DCs that may have been missed.

Please make sure that the certs are in the right place and that DNS resolves just fine.

Tarik Admani
*Please rate helpful posts*

Tarik,

Thanks again for quick reply,

ADSSO was working fine before the certificates expired. I have generated the certificate request using IP addresses.

And yes, it is the VIP.

The auth servers are configured as "Active Directory SSO".

Nothing has been changed besides certificate imports & exports.
What else could be the issue?

Syed,

The only thing I can think of is if for some reason the wrong cert may have been installed on either the active CAM or the active CAS.

Also make sure you are not in an active/active scenario on either one of the appliances....

From the CLI please run "/perfigo/common/bin/fostate.sh" and make sure they are both in active/standby.

Thanks,

Tarik Admani
*Please rate helpful posts*

On the CAM, running this command gave me:

My node is active, peer node is dead

On the CAS:

my node is active, peer node is standby.

Is there any way to verify the certificates?

Or should I import the certificates again, removing the key?

Syed,

Please ssh into the peer CAM and run the same command. It could be that the other CAM thinks it is the active node and the communication could be bouncing around.

To make this easy, on the primary CAM that has the cert, export the private key and the entire cert chain and import them into the peer CAM; that should put the secondary CAM back to standby.

Also, did you reboot any of the devices after making the certificate change? Please do so in the order that brings up the active nodes that you want up first.

Thanks,

Tarik Admani
*Please rate helpful posts*

On the secondary CAM it says:

my node is dead, peer node is unknown.

I cannot access the web CPanel of the 2nd CAM but I can ssh into it.

How do I import the certificates into this 2nd unit from ssh or the command line?

The easiest thing to do is to issue a "service perfigo config" and force the option to install a self signed cert.

Once the UI comes back up then import the cert back in.

Thanks,

Tarik Admani
*Please rate helpful posts*

By install a self signed cert you mean Generate Temporary SSL Certificate?
I just did it and rebooted, let's see.

Yes, also what version is your clean access on?

Tarik Admani
*Please rate helpful posts*

Dear Tarik,

NAC Manager version 4.8.0
Agent Version 4.8.0.32

Windows Compliance Module Version 3.4.21.1

Also, after reboot, the secondary CAM (after generating the temp cert) came up and it was OK for a while; after some time it went back to the dead state.
Below are the messages from the /var/log/message file.

```
Sep 23 10:55:59 MOI-NAC-MGR02 kernel: ACPI: PCI Interrupt 0000:01:04.2[B] -> GSI 22 (level, low) -> IRQ 90
Sep 23 10:55:59 MOI-NAC-MGR02 kernel: ACPI: PCI Interrupt 0000:0b:00.0[A] -> GSI 16 (level, low) -> IRQ 169
Sep 23 10:55:59 MOI-NAC-MGR02 kernel: eth2: (PCI Express:2.5GB/s:Width x4) 00:24:81:82:b2:c4
Sep 23 10:55:59 MOI-NAC-MGR02 kernel: eth2: Intel(R) PRO/1000 Network Connection
Sep 23 10:55:59 MOI-NAC-MGR02 kernel: eth2: MAC: 0, PHY: 4, PBA No: d51930-006
Sep 23 10:55:59 MOI-NAC-MGR02 kernel: ACPI: PCI Interrupt 0000:0b:00.1[B] -> GSI 17 (level, low) -> IRQ 177
Sep 23 10:55:59 MOI-NAC-MGR02 kernel: eth3: (PCI Express:2.5GB/s:Width x4) 00:24:81:82:b2:c5
Sep 23 10:55:59 MOI-NAC-MGR02 kernel: eth3: Intel(R) PRO/1000 Network Connection
Sep 23 10:55:59 MOI-NAC-MGR02 kernel: eth3: MAC: 0, PHY: 4, PBA No: d51930-006
Sep 23 10:55:59 MOI-NAC-MGR02 kernel: floppy0: no floppy controllers found
Sep 23 10:55:59 MOI-NAC-MGR02 kernel: Floppy drive(s): fd0 is 1.44M
Sep 23 10:55:59 MOI-NAC-MGR02 kernel: floppy0: no floppy controllers found
Sep 23 10:56:00 MOI-NAC-MGR02 kernel: lp: driver loaded but no devices found
Sep 23 10:56:00 MOI-NAC-MGR02 kernel: ACPI: Power Button (FF) [PWRF]
Sep 23 10:56:00 MOI-NAC-MGR02 kernel: md: Autodetecting RAID arrays.
Sep 23 10:56:00 MOI-NAC-MGR02 kernel: md: autorun ...
Sep 23 10:56:00 MOI-NAC-MGR02 kernel: md: ... autorun DONE.
Sep 23 10:56:00 MOI-NAC-MGR02 kernel: device-mapper: uevent: version 1.0.3
Sep 23 10:56:00 MOI-NAC-MGR02 kernel: device-mapper: ioctl: 4.11.5-ioctl (2007-12-12) initialised: dm-devel@redhat.com
Sep 23 10:56:00 MOI-NAC-MGR02 kernel: device-mapper: multipath: version 1.0.5 loaded
Sep 23 10:56:00 MOI-NAC-MGR02 kernel: EXT3 FS on cciss/c0d0p2, internal journal
Sep 23 10:56:00 MOI-NAC-MGR02 kernel: kjournald starting.  Commit interval 5 seconds
Sep 23 10:56:00 MOI-NAC-MGR02 racoon: INFO: respond new phase 1 negotiation: 192.168.0.253[500]<=>192.168.0.254[500]
Sep 23 10:56:00 MOI-NAC-MGR02 kernel: EXT3 FS on cciss/c0d0p1, internal journal
Sep 23 10:56:00 MOI-NAC-MGR02 racoon: INFO: begin Identity Protection mode.
Sep 23 10:56:00 MOI-NAC-MGR02 kernel: EXT3-fs: mounted filesystem with ordered data mode.
Sep 23 10:56:00 MOI-NAC-MGR02 racoon: INFO: received Vendor ID: DPD
Sep 23 10:56:00 MOI-NAC-MGR02 kernel: Adding 4192956k swap on /dev/cciss/c0d0p3.  Priority:-1 extents:1 across:4192956k
Sep 23 10:56:00 MOI-NAC-MGR02 kernel: bnx2: eth0: using MSI
Sep 23 10:56:00 MOI-NAC-MGR02 racoon: WARNING: unable to get certificate CRL(3) at depth:0 SubjectName:/C=AE/ST=AUH/L=ABU-DHABI/O=MOI/OU=NetworkSecurity/CN=172.17.9.60
Sep 23 10:56:00 MOI-NAC-MGR02 kernel: bnx2: eth0 NIC Copper Link is Up, 1000 Mbps full duplex
Sep 23 10:56:01 MOI-NAC-MGR02 racoon: WARNING: unable to get certificate CRL(3) at depth:1 SubjectName:/DC=ae/DC=moi/CN=MOI-CA
Sep 23 10:56:01 MOI-NAC-MGR02 kernel: bnx2: eth1: using MSI
Sep 23 10:56:01 MOI-NAC-MGR02 racoon: INFO: ISAKMP-SA established 192.168.0.253[500]-192.168.0.254[500] spi:68631893b8b5fdcd:a8ea55b28fc426ef
Sep 23 10:56:01 MOI-NAC-MGR02 kernel: bnx2: eth1 NIC Copper Link is Up, 1000 Mbps full duplex, receive & transmit flow control ON
Sep 23 10:56:01 MOI-NAC-MGR02 racoon: ERROR: ignore information because the message is too short
Sep 23 10:56:01 MOI-NAC-MGR02 kernel: pkp_drv: module license 'CAVIUM' taints kernel.
Sep 23 10:56:01 MOI-NAC-MGR02 kernel: ACPI: PCI Interrupt 0000:10:01.0[A] -> GSI 24 (level, low) -> IRQ 138
Sep 23 10:56:01 MOI-NAC-MGR02 kernel: NET: Registered protocol family 15
Sep 23 10:56:01 MOI-NAC-MGR02 kernel: Software Watchdog Timer: 0.07 initialized. soft_noboot=0 soft_margin=600 sec (nowayout= 0)
Sep 23 10:56:02 MOI-NAC-MGR02 racoon: INFO: initiate new phase 2 negotiation: 192.168.0.253[500]<=>192.168.0.254[500]
Sep 23 10:56:10 MOI-NAC-MGR02 racoon: NOTIFY: the packet is retransmitted by 192.168.0.254[500].
Sep 23 10:56:10 MOI-NAC-MGR02 racoon: ERROR: ignore information because the message is too short
Sep 23 10:56:20 MOI-NAC-MGR02 racoon: NOTIFY: the packet is retransmitted by 192.168.0.254[500].
Sep 23 10:56:20 MOI-NAC-MGR02 racoon: ERROR: ignore information because the message is too short
Sep 23 10:56:30 MOI-NAC-MGR02 racoon: NOTIFY: the packet is retransmitted by 192.168.0.254[500].
Sep 23 10:56:30 MOI-NAC-MGR02 racoon: ERROR: ignore information because the message is too short
Sep 23 10:56:32 MOI-NAC-MGR02 racoon: INFO: IPsec-SA expired: ESP/Transport 192.168.0.254[0]->192.168.0.253[0] spi=183342106(0xaed941a)
Sep 23 10:56:32 MOI-NAC-MGR02 racoon: WARNING: the expire message is received but the handler has not been established.
Sep 23 10:56:32 MOI-NAC-MGR02 racoon: ERROR: 192.168.0.254 give up to get IPsec-SA due to time up to wait.
Sep 23 10:56:35 MOI-NAC-MGR02 racoon: INFO: initiate new phase 2 negotiation: 192.168.0.253[500]<=>192.168.0.254[500]
Sep 23 10:56:40 MOI-NAC-MGR02 racoon: NOTIFY: the packet is retransmitted by 192.168.0.254[500].
Sep 23 10:56:40 MOI-NAC-MGR02 racoon: ERROR: ignore information because the message is too short
Sep 23 10:56:41 MOI-NAC-MGR02 sshd[3530]: Accepted password for root from 193.24.100.130 port 58081 ssh2
Sep 23 10:56:54 MOI-NAC-MGR02 racoon: INFO: respond new phase 1 negotiation: 192.168.0.253[500]<=>192.168.0.254[500]
Sep 23 10:56:54 MOI-NAC-MGR02 racoon: INFO: begin Identity Protection mode.
Sep 23 10:56:54 MOI-NAC-MGR02 racoon: INFO: received Vendor ID: DPD
Sep 23 10:56:54 MOI-NAC-MGR02 racoon: WARNING: unable to get certificate CRL(3) at depth:0 SubjectName:/C=AE/ST=AUH/L=ABU-DHABI/O=MOI/OU=NetworkSecurity/CN=172.17.9.60
Sep 23 10:56:54 MOI-NAC-MGR02 racoon: WARNING: unable to get certificate CRL(3) at depth:1 SubjectName:/DC=ae/DC=moi/CN=MOI-CA
Sep 23 10:56:54 MOI-NAC-MGR02 racoon: INFO: ISAKMP-SA established 192.168.0.253[500]-192.168.0.254[500] spi:676deddbd5acefa8:97be06ff732ff6ee
Sep 23 10:56:54 MOI-NAC-MGR02 racoon: ERROR: ignore information because the message is too short
Sep 23 10:56:55 MOI-NAC-MGR02 racoon: ERROR: none message must be encrypted
Sep 23 10:57:04 MOI-NAC-MGR02 racoon: NOTIFY: the packet is retransmitted by 192.168.0.254[500].
Sep 23 10:57:04 MOI-NAC-MGR02 racoon: ERROR: ignore information because the message is too short
Sep 23 10:57:05 MOI-NAC-MGR02 racoon: INFO: IPsec-SA expired: ESP/Transport 192.168.0.254[0]->192.168.0.253[0] spi=263082827(0xfae534b)
Sep 23 10:57:05 MOI-NAC-MGR02 racoon: WARNING: the expire message is received but the handler has not been established.
Sep 23 10:57:05 MOI-NAC-MGR02 racoon: ERROR: 192.168.0.254 give up to get IPsec-SA due to time up to wait.
Sep 23 10:57:07 MOI-NAC-MGR02 racoon: INFO: initiate new phase 2 negotiation: 192.168.0.253[500]<=>192.168.0.254[500]
Sep 23 10:57:14 MOI-NAC-MGR02 racoon: NOTIFY: the packet is retransmitted by 192.168.0.254[500].
Sep 23 10:57:14 MOI-NAC-MGR02 racoon: ERROR: ignore information because the message is too short
Sep 23 10:57:24 MOI-NAC-MGR02 racoon: NOTIFY: the packet is retransmitted by 192.168.0.254[500].
Sep 23 10:57:24 MOI-NAC-MGR02 racoon: ERROR: ignore information because the message is too short
Sep 23 10:57:34 MOI-NAC-MGR02 racoon: NOTIFY: the packet is retransmitted by 192.168.0.254[500].
Sep 23 10:57:34 MOI-NAC-MGR02 racoon: ERROR: ignore information because the message is too short
Sep 23 10:57:37 MOI-NAC-MGR02 racoon: INFO: IPsec-SA expired: ESP/Transport 192.168.0.254[0]->192.168.0.253[0] spi=199021670(0xbdcd466)
Sep 23 10:57:37 MOI-NAC-MGR02 racoon: WARNING: the expire message is received but the handler has not been established.
Sep 23 10:57:37 MOI-NAC-MGR02 racoon: ERROR: 192.168.0.254 give up to get IPsec-SA due to time up to wait.
Sep 23 10:57:39 MOI-NAC-MGR02 racoon: INFO: initiate new phase 2 negotiation: 192.168.0.253[500]<=>192.168.0.254[500]
Sep 23 10:57:49 MOI-NAC-MGR02 racoon: ERROR: none message must be encrypted
Sep 23 10:57:58 MOI-NAC-MGR02 racoon: INFO: respond new phase 1 negotiation: 192.168.0.253[500]<=>192.168.0.254[500]
Sep 23 10:57:58 MOI-NAC-MGR02 racoon: INFO: begin Identity Protection mode.
Sep 23 10:57:58 MOI-NAC-MGR02 racoon: INFO: received Vendor ID: DPD
Sep 23 10:57:58 MOI-NAC-MGR02 racoon: WARNING: unable to get certificate CRL(3) at depth:0 SubjectName:/C=AE/ST=AUH/L=ABU-DHABI/O=MOI/OU=NetworkSecurity/CN=172.17.9.60
Sep 23 10:57:58 MOI-NAC-MGR02 racoon: WARNING: unable to get certificate CRL(3) at depth:1 SubjectName:/DC=ae/DC=moi/CN=MOI-CA
Sep 23 10:57:58 MOI-NAC-MGR02 racoon: INFO: ISAKMP-SA established 192.168.0.253[500]-192.168.0.254[500] spi:306f0f046b9b85da:64a071f86b7e88f3
Sep 23 10:57:58 MOI-NAC-MGR02 racoon: ERROR: ignore information because the message is too short
Sep 23 10:57:59 MOI-NAC-MGR02 racoon: ERROR: none message must be encrypted
Sep 23 10:58:08 MOI-NAC-MGR02 racoon: NOTIFY: the packet is retransmitted by 192.168.0.254[500].
Sep 23 10:58:08 MOI-NAC-MGR02 racoon: ERROR: ignore information because the message is too short
Sep 23 10:58:09 MOI-NAC-MGR02 racoon: INFO: IPsec-SA expired: ESP/Transport 192.168.0.254[0]->192.168.0.253[0] spi=29324785(0x1bf75f1)
Sep 23 10:58:09 MOI-NAC-MGR02 racoon: WARNING: the expire message is received but the handler has not been established.
Sep 23 10:58:09 MOI-NAC-MGR02 racoon: ERROR: 192.168.0.254 give up to get IPsec-SA due to time up to wait.
Sep 23 10:58:11 MOI-NAC-MGR02 racoon: INFO: initiate new phase 2 negotiation: 192.168.0.253[500]<=>192.168.0.254[500]
Sep 23 10:58:18 MOI-NAC-MGR02 racoon: NOTIFY: the packet is retransmitted by 192.168.0.254[500].
Sep 23 10:58:18 MOI-NAC-MGR02 racoon: ERROR: ignore information because the message is too short
Sep 23 10:58:28 MOI-NAC-MGR02 racoon: NOTIFY: the packet is retransmitted by 192.168.0.254[500].
Sep 23 10:58:28 MOI-NAC-MGR02 racoon: ERROR: ignore information because the message is too short
Sep 23 10:58:38 MOI-NAC-MGR02 racoon: NOTIFY: the packet is retransmitted by 192.168.0.254[500].
Sep 23 10:58:38 MOI-NAC-MGR02 racoon: ERROR: ignore information because the message is too short
Sep 23 10:58:41 MOI-NAC-MGR02 racoon: INFO: IPsec-SA expired: ESP/Transport 192.168.0.254[0]->192.168.0.253[0] spi=244142706(0xe8d5272)
Sep 23 10:58:41 MOI-NAC-MGR02 racoon: WARNING: the expire message is received but the handler has not been established.
Sep 23 10:58:41 MOI-NAC-MGR02 racoon: ERROR: 192.168.0.254 give up to get IPsec-SA due to time up to wait.
Sep 23 10:58:43 MOI-NAC-MGR02 racoon: INFO: initiate new phase 2 negotiation: 192.168.0.253[500]<=>192.168.0.254[500]
Sep 23 10:58:53 MOI-NAC-MGR02 racoon: ERROR: none message must be encrypted
Sep 23 10:59:02 MOI-NAC-MGR02 racoon: INFO: respond new phase 1 negotiation: 192.168.0.253[500]<=>192.168.0.254[500]
Sep 23 10:59:02 MOI-NAC-MGR02 racoon: INFO: begin Identity Protection mode.
Sep 23 10:59:02 MOI-NAC-MGR02 racoon: INFO: received Vendor ID: DPD
Sep 23 10:59:02 MOI-NAC-MGR02 racoon: WARNING: unable to get certificate CRL(3) at depth:0 SubjectName:/C=AE/ST=AUH/L=ABU-DHABI/O=MOI/OU=NetworkSecurity/CN=172.17.9.60
Sep 23 10:59:02 MOI-NAC-MGR02 racoon: WARNING: unable to get certificate CRL(3) at depth:1 SubjectName:/DC=ae/DC=moi/CN=MOI-CA
Sep 23 10:59:02 MOI-NAC-MGR02 racoon: INFO: ISAKMP-SA established 192.168.0.253[500]-192.168.0.254[500] spi:28d0412cb753ff15:25c14fa399f98a26
Sep 23 10:59:02 MOI-NAC-MGR02 racoon: ERROR: ignore information because the message is too short
Sep 23 10:59:03 MOI-NAC-MGR02 racoon: ERROR: none message must be encrypted
Sep 23 10:59:11 MOI-NAC-MGR02 logger: ERROR: Unable to get the master secret from remote CAM. Aborting database sync and stopping perfigo service.
Sep 23 10:59:11 MOI-NAC-MGR02 logger: Sending SNMP alert: node is shutting down
Sep 23 10:59:12 MOI-NAC-MGR02 racoon: NOTIFY: the packet is retransmitted by 192.168.0.254[500].
Sep 23 10:59:12 MOI-NAC-MGR02 racoon: ERROR: ignore information because the message is too short
Sep 23 10:59:13 MOI-NAC-MGR02 racoon: INFO: IPsec-SA expired: ESP/Transport 192.168.0.254[0]->192.168.0.253[0] spi=42612911(0x28a38af)
Sep 23 10:59:13 MOI-NAC-MGR02 racoon: WARNING: the expire message is received but the handler has not been established.
Sep 23 10:59:13 MOI-NAC-MGR02 racoon: ERROR: 192.168.0.254 give up to get IPsec-SA due to time up to wait.
Sep 23 10:59:17 MOI-NAC-MGR02 racoon: INFO: caught signal 15
Sep 23 10:59:18 MOI-NAC-MGR02 racoon: INFO: racoon shutdown
Sep 23 10:59:19 MOI-NAC-MGR02 xinetd[2303]: Starting reconfiguration
Sep 23 10:59:19 MOI-NAC-MGR02 xinetd[2303]: Swapping defaults
Sep 23 10:59:19 MOI-NAC-MGR02 xinetd[2303]: service login deactivated
Sep 23 10:59:19 MOI-NAC-MGR02 xinetd[2303]: login: svc_release with 0 count
Sep 23 10:59:19 MOI-NAC-MGR02 xinetd[2303]: service shell deactivated
Sep 23 10:59:19 MOI-NAC-MGR02 xinetd[2303]: shell: svc_release with 0 count
Sep 23 10:59:19 MOI-NAC-MGR02 xinetd[2303]: Reconfigured: new=0 old=0 dropped=2 (services)
Sep 23 10:59:19 MOI-NAC-MGR02 logger: Sending SNMP alert: node became standby
```
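
A triage pass over the syslog excerpt posted above, as an added example that is not part of the original thread or of Cisco's tooling: it classifies the racoon and logger messages and reports whether IKE phase 1 completed, whether phase 2 produced an IPsec SA, which certificate subjects had no CRL, and whether the HA sync aborted. The event names and the `parse`/`summarize` helpers are made up for this example; the sample lines are copied from the post with the terminal line wraps rejoined.

```python
import re
from collections import Counter

# Lines copied from the log posted above, with the terminal wraps rejoined.
SAMPLE_LOG = """\
Sep 23 10:58:43 MOI-NAC-MGR02 racoon: INFO: initiate new phase 2 negotiation: 192.168.0.253[500]<=>192.168.0.254[500]
Sep 23 10:58:53 MOI-NAC-MGR02 racoon: ERROR: none message must be encrypted
Sep 23 10:59:02 MOI-NAC-MGR02 racoon: INFO: respond new phase 1 negotiation: 192.168.0.253[500]<=>192.168.0.254[500]
Sep 23 10:59:02 MOI-NAC-MGR02 racoon: WARNING: unable to get certificate CRL(3) at depth:0 SubjectName:/C=AE/ST=AUH/L=ABU-DHABI/O=MOI/OU=NetworkSecurity/CN=172.17.9.60
Sep 23 10:59:02 MOI-NAC-MGR02 racoon: WARNING: unable to get certificate CRL(3) at depth:1 SubjectName:/DC=ae/DC=moi/CN=MOI-CA
Sep 23 10:59:02 MOI-NAC-MGR02 racoon: INFO: ISAKMP-SA established 192.168.0.253[500]-192.168.0.254[500] spi:28d0412cb753ff15:25c14fa399f98a26
Sep 23 10:59:02 MOI-NAC-MGR02 racoon: ERROR: ignore information because the message is too short
Sep 23 10:59:11 MOI-NAC-MGR02 logger: ERROR: Unable to get the master secret from remote CAM. Aborting database sync and stopping perfigo service.
Sep 23 10:59:13 MOI-NAC-MGR02 racoon: ERROR: 192.168.0.254 give up to get IPsec-SA due to time up to wait.
Sep 23 10:59:19 MOI-NAC-MGR02 xinetd[2303]: Starting reconfiguration
Sep 23 10:59:19 MOI-NAC-MGR02 logger: Sending SNMP alert: node became standby
"""

# syslog layout: "<Mon DD HH:MM:SS> <host> <process>[pid]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"(?P<proc>[^\s:\[]+)(?:\[\d+\])?:\s(?P<msg>.*)$"
)

# Patterns come from the lines in the thread, except "IPsec-SA established",
# which is the message racoon logs when phase 2 succeeds.
RULES = [
    ("phase1_established", re.compile(r"ISAKMP-SA established")),
    ("phase2_started", re.compile(r"new phase 2 negotiation")),
    ("phase2_established", re.compile(r"IPsec-SA established")),
    ("phase2_timeout", re.compile(r"give up to get IPsec-SA")),
    ("crl_unavailable", re.compile(r"unable to get certificate CRL")),
    ("unencrypted_message", re.compile(r"none message must be encrypted")),
    ("ha_sync_aborted", re.compile(r"Unable to get the master secret from remote CAM")),
    ("node_became_standby", re.compile(r"node became standby")),
]
SUBJECT_RE = re.compile(r"at depth:(\d+) SubjectName:(\S+)")


def parse(log_text):
    """Return (timestamp, process, event_kind, message) for each recognised line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        for kind, pattern in RULES:
            if pattern.search(m["msg"]):
                events.append((m["ts"], m["proc"], kind, m["msg"]))
                break
    return events


def summarize(events):
    """Count event kinds and turn the combinations that matter into findings."""
    counts = Counter(kind for _, _, kind, _ in events)
    subjects = []
    for _, _, kind, msg in events:
        m = SUBJECT_RE.search(msg) if kind == "crl_unavailable" else None
        if m and m.groups() not in subjects:
            subjects.append(m.groups())
    findings = []
    if (counts["phase1_established"] and counts["phase2_timeout"]
            and not counts["phase2_established"]):
        findings.append("IKE phase 1 completes but phase 2 times out without an IPsec SA")
    if subjects:
        findings.append("no CRL available for: "
                        + ", ".join(f"depth {d} {s}" for d, s in subjects))
    if counts["ha_sync_aborted"]:
        findings.append("HA database sync aborted: no master secret from the peer CAM")
    return {"counts": dict(counts), "subjects": subjects, "findings": findings}


if __name__ == "__main__":
    for finding in summarize(parse(SAMPLE_LOG))["findings"]:
        print(finding)
```
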

No problem,

What you can do at this point (if you can afford a few minutes of downtime) is export the cert private key from the active CAM.

Stop the services on the active CAM (issue a "service perfigo stop"). Issue a "service perfigo start" on the secondary CAM; once the services are started, import the private key and the cert chain.

Once that is done, stop the services on the secondary CAM ("service perfigo stop"). At this point both CAMs will be down. Bring up the primary that you extracted the cert from ("service perfigo start"), then 5 mins after bring up the secondary ("service perfigo start") and verify that they come up as active/standby.

Then continue to monitor the ADSSO services and see.

Tarik Admani
*Please rate helpful posts*
