Channel: VMware Communities : Blog List - All Communities

VMware NSX 6.1 for vSphere – Logical Distributed Routers


In this walk-through we will deploy a logical router and configure routing between the two logical networks that we created in an earlier post. Logical routers consist of two components: a virtual appliance that is deployed into your vSphere environment (in the MoaC lab all routers are deployed to our management cluster) and the vSphere kernel module. Remember the host preparation we performed as part of the NSX installation? That was installing the NSX kernel modules.

The NSX Logical Routers perform East-West (VM-VM) routing as well as North-South routing. The East-West routing performed by the Logical Routers affords you some extra efficiencies by allowing VM-VM communication across different subnets to happen in the vSphere kernel when those VMs reside on the same host. You also gain efficiencies when communicating between VMs on different hosts: traffic traverses host to host instead of needing to go out to a physical router on the network and then to the other VM. In the post you will witness this as we place a virtual machine on each of the logical switches we created and the Logical Router performs routing between the two networks right in the host's kernel. Although this specific post focuses on East-West routing within the Logical Router, we will cover the North-South routing configuration in another post.

 



Congratulations: Hands-On Labs and CloudCred - 2014 EMEA VMworld Labs Contest and Giveaways Winners


The results are in for the  "Hands-On Labs and CloudCred - 2014 EMEA VMworld Labs Contest and Giveaways".

 

In an amazing turnout, CloudCred saw over 1000 new players over the course of the show!  CloudCred Lab Champions had the opportunity to win a GoPro Camera, a 1 TB Hard Drive, a GoLite Battery Pack, and the Grand Prize - a Dell Inspiron 15 Laptop.

 

A hearty Congratulations to our Winners!

 

1st 800 "deeabson" Dee Abson, @deeabson

2nd 750 "Scohol" Scott Holliday @sjholliday

3rd 625 Harold Buter @hbuter

4th 500 "smkillen" Sean Killen

5th 300 "Guyver" Frank van Egmond

6th 200 "Bert" Bert D’hont

7th 200 "diego" Diego Brianza

8th 200 "JanLD" Jan L. Dam

9th 200 Jens Hennig

 

This contest might be over, but there are always new tasks and challenges waiting for you at CloudCred. And if you didn't make it to 2014 VMworld, all the Hands-On Labs will be available at CloudCred. Play today at http://CloudCredibility.com

vCloud Automation Center – vCAC 5.2/6.0 – Custom Hostnaming Extension v3.1


One of the most frequent asks when using vCAC is, “How do I deploy machines using my company’s hostnaming standards automatically using vCAC?”  Since the out-of-the box hostnaming only provides a way to do prefix-suffix, the answer to this question usually is that it will require customization.

This solution is intended to provide a way to implement this functionality by using a small, highly versatile custom extension which can handle 95% of use cases without writing custom code.

The rest of this article contains instructions on installing and configuring the vCAC Custom Hostnaming Extension.  This extension allows administrators to model very specific custom hostnaming schemes for their vCAC virtual machines, multi-machine services, and vCloud Director vApps using vCAC custom properties, with dynamic creation of stock machine prefixes and index tracking for each unique hostname combination.

This extension is proof-of-concept or demo grade.  While it runs well and consistently, it has not been put through a formal quality assurance process, so please use with caution.  Please see the disclaimer and other information in the readme.txt file in the package.

 


vCloud Automation Center – Active Directory Computer Account Management Extension


A common extension requested for vCloud Automation Center is the ability to pre-create computer account objects in Active Directory in a specific Organizational Unit, and also to decommission the accounts in different ways along with the virtual machine. Without a custom workflow, you can have the computer join the domain during the customization phase, but this will only create the computer account in the default Computers container. Also, while there is an out-of-the box AD machine cleanup plugin which can be enabled, it will likely never support the multi-tenancy introduced in vCAC 6.0. vCO does not support it today either, but it is more likely to gain support in the near future.

This solution implements these functions using vCenter Orchestrator and its plugins for vCAC and Active Directory.

The rest of this article contains instructions on installing and configuring the vCAC AD Computer Account Management Extension. This extension allows administrators to model very specific OU structures for their AD machine accounts using vCAC custom properties, and supports dynamic OU Distinguished Name building based on combinations of properties derived from different areas of vCAC (compute resources, reservations, groups, blueprints, etc.).

This extension is proof-of-concept or demo grade. While it runs well and consistently, it has not been put through a formal quality assurance process, so please use with caution. Please see the disclaimer and other information in the readme.txt file in the package.

 


VMware NSX 6.1 for vSphere – Deploying an Edge Gateway


So far we have deployed two Logical Switches and one Distributed Logical Router, and deployed a VM onto each logical switch. Our VMs can communicate with each other across the Distributed Logical Router, but they can't communicate with anything else. What we now need to do is deploy an Edge Gateway that we will configure to communicate upstream to the physical network and downstream to the logical network. While we could technically just connect the Distributed Logical Router upstream to your physical network, it's not really a best practice approach and it's not a supported approach when integrating with vCAC.

 



VMware vRealize Cloud Client 3.0 is GA


What is the Cloud Client, you ask? The CloudClient is a verb-based command-line utility aimed at simplifying interactions with multiple product APIs. The CloudClient also provides common security, exception handling, JSON, and CSV support. It currently supports vRealize Automation (vRA, formerly vCAC), Site Recovery Manager (SRM), and vRealize Orchestrator (vRO, formerly vCO).

Getting Started with vRealize Cloud Client 3.0

  1. First you need to get the Cloud Client which you can download here.


VMware NSX 6.1 for vSphere – Connecting logical and Edge Routers


vSphere login auditing with Log Insight, Part 1 (from the Security Dashboard to Interactive Analytics)


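vRealize Log Insight 2.0 includes, by default, dashboards specialized for analyzing logs from vSphere environments.

This time I will use the Security dashboard among them to look at my own vCenter login history, as a trial.

Note: Log Insight 2.0 is used here as well.

For more on Log Insight, see also:

Deploying vCenter Log Insight.

What I will try this time

  • See how much I have been accessing the vSphere environment.
  • For logins that operate the vSphere environment, only the vmad\administrator user is used.
  • There is only one source PC for logins (IP address 192.168.0.2).
  • Look only at the vCenter login history. ESXi and others can also be examined, but are ignored this time.
  • Look at one month of login information (September 1 to 30, 2014).

Looking at the number of logins to vCenter

First, log in to the Log Insight web UI.

loginsight-sec-01.png

Open Dashboard → General → "VMware - vSphere".

loginsight-sec-02.png

The set of dashboards customized for vSphere environments is displayed.

Display "General - Security".

Set the log display period to "Custom time range".

loginsight-sec-03.png

Set the period to September 1 to 30, 2014 and click "Update".

loginsight-sec-04.png

The log analysis results for the selected period are displayed.

vCenter login history by access source

Look at "vCenter Server successful logins by user and source".

I focus only on the login history of the vmad\administrator user.

During the period, there appear to have been about 55 logins as vmad\administrator from my PC (192.168.0.2).

loginsight-sec-05.png

There are a large number of vmad\administrator logins from another server, but these were vCenter logins from the Log Insight server.

Note: I feel it would have been better to use a separate user for Log Insight's vCenter connection.

There are also quite a few logins from inside the vCenter server via 127.0.0.1 (the loopback address), but I will not worry about them this time.

loginsight-sec-05li.png

Looking at the login history by day

From here, I want to see, day by day, when the logins from my PC occurred.

I will look at the screen where interactive analysis (Interactive Analytics) can be done.

In the displayed chart, click the part you want to analyze, then click "Interactive Analytics".

loginsight-sec-06.png

The screen switches to Interactive Analytics, and after a short wait a chart is displayed.

loginsight-sec-07.png

Once the chart is displayed, adjust it a little.

  • Set it to "Count", the number of times the log occurred.
  • Since I want a time-series display, select "Time series" and click "Apply".

loginsight-sec-08.png

Adjust a little more.

  • Set the chart's horizontal axis to one-day units, "1 day".
  • Set the chart type to a bar chart, "Column".

loginsight-sec-09.png

It looks like this.

The middle of the screen shows the log extraction conditions (Filter), and the bottom of the screen shows the actual logs.

It appears I logged in, in some form, on 13 of the 29 days.

29 days... I should have set the end of the period to 2014-09-30 23:59 or 2014-10-01 00:00 rather than 2014-09-30 00:00.

loginsight-sec-10.png

Even so, there seem to be more days without a login than I expected.

However, I will deliberately leave it as it is. To be continued...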

Road to VCDX is open :-)


Friends, this is a late post sharing my VCAP-DCD experience, since I passed the exam in the month of July. I was engaged in personal work that kept me away from my laptop :-).

About the exam: Tough, yes. I am basically an administrator and not a designer, so it took some time for me to sit the design exam; since clearing my VCAP-DCA last October I have been preparing myself to look at things like a designer. I think the time I took was good and I recommend not rushing; for me the slow transition worked out.

By this time everyone will know the structure and pattern of the VDCD510 exam, so there is nothing new I could say. But one important bug I noticed in the exam Visio tool: when I revisited my design to see the corrections I had made, BOOM BOOM, my corrections were not there; it was still showing the old status. I had this on 2 design scenarios I worked on. I am not sure if this has been fixed, so be careful and revisit twice to see if the corrections you have made persist.

Obviously there is no point at which one can say the preparation is enough for the exam; below are the materials I chose and stuck to, and they did not go in vain.

  • VMware vSphere Design 2nd Edition Mar 2013 by Forbes Guthrie and Scott Lowe
  • VMware design workshop student manual
  • Train-signal videos on Designing VMware Infrastructure
  • Brown-bag video series
  • Talking about compute, network and storage designs with the design experts; luckily I got a chance to sit in on a small environment design.

 

I've started my preparations for VCDX. I learned that it needs tremendous amount of effort & knowledge, but I hope to achieve it.

Finally I wish you all the very best for the exam & good luck.

 

 

Regards,

Arvinth.

Virtualization


Virtualization:

It is a technology that transforms hardware into software.

VMware vSphere:

It is an infrastructure virtualization suite that provides virtualization, management, resource optimization, application availability, and operational automation capabilities.

Virtual Machine:

From the ESXi perspective, it is a set of files such as .vmdk, .nvram, .swap, .log, .vmsn, .vmsd, .vmx …

From the user perspective it is just like a physical machine.

Movement of a physical machine is difficult.

Cost benefit

More manpower required

We can migrate a VM from one location to another

VMware components:

ESX, ESXi, vCenter, VMware, Virtual SMP, VMware storage, VMFS, VMware Web Access client.

 

Subnetting :

Dividing a physical network into logical networks by entering one string in the subnet mask

(broadcast IP, network IP, network ID, host ID, 32 bit)

 

FSMO (Flexible Single Master Operation):

There are 5 roles available in Active Directory:

  1. Schema Master
  2. Domain Naming Master
  3. PDC Emulator
  4. RID Master
  5. Infrastructure Master

The first 2 are forest-wide roles and the other three are domain-wide roles.

In the forest there should be one domain controller that has all five roles, which is called the root domain; the roles can be moved to other additional domains in the tree.

A sub domain has 3 roles each.

Root domain roles can move to any one of the domains.

The 3 sub domain roles can be moved only within the same domain.

 

There are 4 partitions available in Active Directory:

  1. Schema directory partition
  2. Configuration directory partition
  3. Domain directory partition
  4. Application directory partition

LDAP port no: 386

Global catalog port no: 3268. It contains a full writable replica of the domain directory partition of the host domain and a partial read replica of the domain directory partitions in the forest.

The schema partition is nothing but classes and objects.

 

Port Group

Segregates types of communication

VLAN:

Logically configured on the switch port to segment IP traffic. For this to happen, the port must be trunked with the correct VLAN ID.

Active Directory Service:

It is a centralized database.

Workgroup:

We can only change a few machines' user names and passwords. Objects are stored in a local DB.

KDC – Key Distribution Center (for the password attribute)

Kerberos protocol – for passwords

Domain:

Collection of computers sharing the same database.

  1. NTDS.dit — Active Directory DB.

Domain controller:

The server running Active Directory services is called a domain controller.

ACL – Access Control List

ACE – Access Control Entity (read, write, change)


Groups in Active Directory:

  1. Global group

The group can access any resource in any domain, but its members can only be from the local domain.

  2. Domain local group

The domain local group can have members from any domain in the forest but can access resources only in the local domain.

  3. Universal group

Can have members from any domain in the forest and can access any resource in the forest.

Active Directory Backup:

1> User data backup

2> System state backup

Backup type:

  1. Full backup (Normal backup)
  2. Copy backup
  3. Incremental backup (removes attribute)
  4. Differential backup (cumulative backup)
  5. Daily backup

vSphere login auditing with Log Insight, Part 2 (interacting through Interactive Analytics)


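vRealize Log Insight is a log analysis tool, so naturally the collected logs can be analyzed interactively.

This time I will continue to look at my own login history.

Note: "Interactively" here means being able to search while changing the period and conditions in the UI.

Note: Log Insight 2.0 is used here as well.

The previous post is here:

vSphere login auditing with Log Insight, Part 1 (from the Security Dashboard to Interactive Analytics)

Interaction 1: Changing the log extraction period (aggregation period)

Naturally, the log extraction / aggregation period can also be changed on the Interactive Analytics screen. However, I feel it is in a slightly hard-to-find place.

As an example, I will change the period setting from ending at 2014-09-30 00:00 to ending at 2014-10-01 00:00.

On the Interactive Analytics screen, the search period can be changed around the red box shown below. After entering the period, press Enter or click the search button to apply it.

loginsight-login-ia-01.png

You can see that the period has been changed to end at 2014-10-01 00:00.

I noticed that there were actually two login records I had overlooked.

Log Insight seems to collect most of what is needed as long as the logs are from a vSphere environment, so I thought it would be handy for dealing with oversights like this.

loginsight-login-ia-02.png

Interaction 2: Changing the log filters in various ways

So far I have been looking at my own vCenter login history, but the number of logins seemed lower than I expected. There may be other logs I have overlooked.

So, on the Interactive Analytics screen, I will check whether the way I have been looking at the login history is valid.

First, I search the logs limited to a period in which I definitely remember logging in to vCenter. When I extracted logs for the single day 2014-10-18, for some reason no login logs were found. The result was "No result".

loginsight-login-ia-03.png

However, when I log in to the Web Client and look at the vCenter event information, the event log is indeed there.

Looking closely, though, the login is not from my PC (192.168.0.2) but from localhost (127.0.0.1).

It seems that, because vCenter is accessed from the Web Client and vCenter SSO installed on the same server as vCenter, the login source had become 127.0.0.1.

loginsight-login-ia-04.png

Back on the Log Insight screen, I change the log extraction conditions.

Until now I had narrowed the logs to those whose login source was my PC (192.168.0.2), but for now I switch to extracting logs other than my PC (does not contain) to see whether anything turns up.

loginsight-login-ia-05.png

Doing so, I was able to find login records from 127.0.0.1 at the time the Web Client had a log entry.

Double-clicking the relevant part of the chart lets you drill down.

loginsight-login-ia-06.png

Drilling down, I found logs that looked right.

Even though the timestamps in the log file (text) are in UTC, the timestamp field appears to be converted to Japan time automatically.

Incidentally, in my environment the Web Client manages two vCenters, so there are two logins close together in time.

loginsight-login-ia-07.png

Now I adjust the aggregation of the login history.

First, I delete the Filter that was added by clicking the chart during the drill-down, using the "×" button.

loginsight-login-ia-08.png

I make the login source also include (contains) "127.0.0.1". Since two addresses are included in the condition, they are separated with ",".

I also set the log aggregation period to the one month from 2014-09-01 00:00 to 2014-10-01 00:00.

This produced the result below.

This time I discovered a mysterious burst of about 250 logins per day around 10/1 to 10/6...

loginsight-login-ia-09.png

Looking at the security dashboard again, the vmad\administrator user does indeed seem to have many logins from 127.0.0.1.

loginsight-login-ia-10.png

So I drill down on the vmad\administrator logins from 127.0.0.1 in this dashboard.

loginsight-login-ia-11.png

A Filter was added to the dashboard, and only the login information I was after is displayed.

loginsight-login-ia-12.png

A little further down is "vCenter Server logins by type", which tallies the methods used to log in.

The number of logins from "vim-java 1.0", which appear to come from the Web Client, is moderate.

This string also appeared in the Web Client login event shown earlier, so this is presumably the login from the Web Client to vCenter.

loginsight-login-ia-13.png

The other one, "java/1.7.0_40", was probably generated when I ran a large number of automated logins during a recent vSphere BDE (Serengeti) evaluation.

It makes things hard to read, so I will exclude it this time.

loginsight-login-ia-14.png

Excluding "java/1.7.0_40", which had been noise, gives this.

The result is roughly what I expected.

It appears I logged in to vCenter in some form on 26 days of the month.

loginsight-login-ia-15.png

To classify the logins in a little more detail, include "vmw_vc_auth_type", the field also specified for the Java exclusion, in Group by; this gives an idea of which method was used to log in.

loginsight-login-ia-16.png

In this way, the logins are grouped by login source and login method (Web Client, vSphere Client, PowerCLI, ...) and displayed in different colors.

However, even PowerCLI is displayed as mozila~ and the like, so at first you need to work out which is which from vCenter task information and so on.

loginsight-login-ia-17.png

Impressions so far

  • Unless the users that humans log in with to do work are kept separate from the users used by systems (connections from Log Insight, VCOPS, and so on), login auditing also becomes hard.
  • When auditing logins, it is better to try various kinds of login and confirm that they can actually be audited.
  • localhost (127.0.0.1) is the server that output the log itself, so it is hard to tell which server it is.
    To confirm where a log was generated, information other than the address in the log is often likely to be needed.
  • If you collect the logs for now, you can search "for this too after all" later.

To be continued...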
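The checks this post arrives at (an end bound that covers the last day, 127.0.0.1 as a login source, excluding the automated `java/1.7.0_40` client, grouping by source and client type), as an added Python example that is not from the original post. The event lines are a constructed, simplified format rather than real vCenter logs, and `example-client/1.0` and `192.168.0.50` are made-up values.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

JST = timezone(timedelta(hours=9))  # the post reads its charts in Japan time
USER = r"vmad\administrator"
PC, LOOPBACK = "192.168.0.2", "127.0.0.1"
NOISE = "java/1.7.0_40"  # automated logins the post excludes as noise

# Constructed events, NOT real vCenter log lines. Simplified layout:
# UTC timestamp|user|login source|client string (the post's vmw_vc_auth_type).
# "example-client/1.0" and 192.168.0.50 are made-up values.
SAMPLE_EVENTS = r"""
2014-09-01T01:00:00Z|vmad\administrator|192.168.0.2|example-client/1.0
2014-09-10T02:00:00Z|vmad\administrator|127.0.0.1|vim-java 1.0
2014-09-10T02:00:05Z|vmad\administrator|127.0.0.1|vim-java 1.0
2014-09-12T03:00:00Z|vmad\administrator|127.0.0.1|java/1.7.0_40
2014-09-12T03:00:01Z|vmad\administrator|127.0.0.1|java/1.7.0_40
2014-09-15T05:00:00Z|vmad\administrator|192.168.0.50|example-client/1.0
2014-09-30T04:00:00Z|vmad\administrator|192.168.0.2|example-client/1.0
2014-09-30T16:30:00Z|vmad\administrator|192.168.0.2|example-client/1.0
"""

MONTH_START = datetime(2014, 9, 1, tzinfo=JST)
END_AS_FIRST_ENTERED = datetime(2014, 9, 30, tzinfo=JST)  # drops all of Sep 30
MONTH_END = datetime(2014, 10, 1, tzinfo=JST)             # exclusive upper bound


def parse_events(text):
    """Parse the constructed lines into dicts with timezone-aware UTC times."""
    events = []
    for line in text.strip().splitlines():
        ts, user, source, auth_type = line.split("|")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"time": when, "user": user,
                       "source": source, "auth_type": auth_type})
    return events


def select_logins(events, user, sources, start, end, exclude_auth_types=()):
    """Keep one user's logins from the given sources in the half-open range
    [start, end), so an end of 'next month 00:00' covers the whole last day."""
    return [e for e in events
            if e["user"] == user
            and e["source"] in sources
            and start <= e["time"] < end
            and e["auth_type"] not in exclude_auth_types]


def logins_per_day(selected, tz=JST):
    """Count logins per calendar day in the analyst's timezone, not in UTC."""
    counts = Counter(e["time"].astimezone(tz).date() for e in selected)
    return dict(sorted(counts.items()))


def logins_by_source_and_type(selected):
    """Equivalent of grouping by login source and vmw_vc_auth_type."""
    return dict(Counter((e["source"], e["auth_type"]) for e in selected))


def run_audit(text=SAMPLE_EVENTS):
    """Repeat the post's successive refinements over the sample events."""
    events = parse_events(text)
    short = select_logins(events, USER, {PC}, MONTH_START, END_AS_FIRST_ENTERED)
    pc_only = select_logins(events, USER, {PC}, MONTH_START, MONTH_END)
    both = select_logins(events, USER, {PC, LOOPBACK}, MONTH_START, MONTH_END)
    clean = select_logins(events, USER, {PC, LOOPBACK}, MONTH_START, MONTH_END,
                          exclude_auth_types={NOISE})
    return {
        "pc_only_short_range": logins_per_day(short),
        "pc_only": logins_per_day(pc_only),
        "with_loopback": logins_per_day(both),
        "without_noise": logins_per_day(clean),
        "by_source_and_type": logins_by_source_and_type(clean),
    }


if __name__ == "__main__":
    for name, result in run_audit().items():
        print(name, result)
```

The last sample event is stamped 2014-09-30 in UTC but falls on October 1 in Japan time, so it is correctly left out of the September count.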

Ready for Workstation


Re-Activate this...just installed 14.10, thinking about buying VMware Workstation.  Wondering what happens if my hard drive fails. Can I re-install or what?

Nice cool feature pktcap-uw utility with esxi 5.5


I would like to share an incident where this tool was a great help :-)

Previously we could capture packets only on the kernel interfaces using tcpdump-uw and could not capture frames at the uplink or vSwitch level. Now it is possible to capture packets at the VM virtual switch port level, and at the level of the physical uplinks connected to any type of virtual switch, using the pktcap-uw utility.

How is it useful in a real-world scenario?

We had a very big problem: a critical app VM was suspected of having connectivity issues. Client connections to the application VM were dropping and initially we were not sure where it was happening; as usual, a severity was raised with us for analysis. We used the pktcap utility to capture at the virtual switch port level and on the uplinks connected to the virtual switch, and reading the captures in Wireshark clearly proved that the client packets had not even reached the physical uplink level, and obviously nothing was observed at the virtual switch port level for the app VM.

It was a great help that the tool gave us a way to show the issue was not within the virtual environment. Later it was passed on to the network team, and the firewall was the culprit. I am not digging much into the issue that we had; I just want to emphasise that this tool came in handy to isolate whether the issue was or was not at the VMware end.

 

below is the vmware KB providing end to end steps on how to execute it.

 

http://kb.vmware.com/kb/2051814

 

One point: the way VMware lists to get the VM port ID, using esxtop, is lengthy. An easier way is to use esxcli, which lists the port ID as well as the MAC of the virtual NIC connected to it, so you can make sure you are running the capture for the right virtual NIC.

 

esxcli network vm list -> To get VM’s World ID

esxcli network vm port list -w 10930 --> to get the virtual port id and associated MAC of the virtual NIC

 

single line to capture packets at virtual switch port along with 2 uplinks connected to it as below.

"pktcap-uw --switchport 12345678 -o /vmfs/volumes/Testesx-Localstorage/VMname.pcap & pktcap-uw --uplink vmnic8 -o /vmfs/volumes/Testesx-Localstorage/Testesx_vmnic0.pcap & pktcap-uw --uplink vmnic9 -o /vmfs/volumes/Testesx-Localstorage/Testesx_vmnic1.pcap"

 

From the above, only the switchport, the report storage location and the uplinks need to be changed. Running this in a single go, we should have 3 reports, VMname.pcap, Testesx_vmnic0.pcap and Testesx_vmnic1.pcap, in the local storage of the ESX host that is pointed to in the command.

Important point: the utility may not stop on pressing Ctrl+C or Ctrl+Z, so to stop it run the process kill command given in the article.

 

Regards,

Arvinth.

vSphere: How to implement CA signed certificates

Hello everyone,

 

Following the video tutorial I made on implementing CA signed certificates on vSphere, I am writing this tutorial to give a quick view of what you need to do, so you do not have to watch the video again and again. Let’s begin!

 

Prerequisite:

  • Download VMware Certificate Toolkit: https://sourceforge.net/projects/vmwarecertificatetoolkit/
  • Download SSL Automation Tool, available on the vSphere Installation ISO
  • Any kind of certificate authority to create the CA Certificate, this can be Active Directory Certificate Authority, OpenTrust….
  • A working vSphere platform, my tool has been tested on vSphere 5.1 and 5.5

 

Part 1: Creating the certificate requests and RSA keys

     1. To begin, you just need to open VCT (I am currently using the version 0.1.5), and click on the PKCS10 button:

1.png

 

To implement CA signed certificate on a vSphere platform, you need to update the following services:

  • Single Sign On
  • Inventory Services
  • vCenter Server
  • Web Client
  • Log Browser
  • Update Manager
  • Orchestrator

For each of those services you are going to create a certificate request in CSR format and an RSA key. Those files will be created with VCT, without the need for OpenSSL.

     2. Specify a destination folder by clicking on the “Options” tab, click on Browse and select a repository:

2.png

 

     3. Let’s create the SSO certificate request. Back on the Request Customization tab, you now have to enter the information needed for the certificate:

3.png

 

Select the size of the RSA key; it can be 2048 or 4096, depending on the security policies of your company.

The SubjectAltName entries are the different names of the server that will be protected by the certificate; you can specify the short name, FQDN and IP address of your SSO server.

Then specify the country code, the name of the country, the city and the name of your company.

Select the service you want to update; in this case it is SSO.

Specify the CommonName, which is the principal name that will identify the certificate. The common name has to be one of the names you specified in the SubjectAlternativeName field.

 

     4. Click on Generate Certificate Request:

4.png

 

You can see that VCT creates a folder called VCTcerts and two files: rui.csr and rui.key

5.png

 

Those two files should look like this:

6.png 7.png

     5. Repeat this process for the other services

 

If all the services are on the same server, you just need to change the OrganizationalUnitName and click on “Generate Certificate Request”. If not, you need to change the information in SubjectAltName, OrganizationalUnitName and CommonName.

At the end you should have something like this in the VCTcerts folder:

 

8.png

 

Each folder should contain a unique rui.key file and a rui.csr with the correct CommonName, SubjectAltName and OrganizationalUnitName.

 

Part 2: Create CA Signed Certificate

This step is normally accomplished by the security team of your company but it is interesting to see how it’s made.

     6. Connect to your certificate authority, in my case this is Microsoft Active Directory Certificate Services:

 

9.png

 

     7. Click on “Request a certificate”
     8. Click on “Advanced certificate request”
     9. Select the VMware Template

 

10.png

If you don’t have the template you can follow the KB2062108: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2062108

 

     10. Go to the SSO folder in the VCTcerts folder and copy the content of the rui.csr:

 

11.png

 

     11. Paste the content of the request

 

12.png

 

     12. Click on the “Submit” button
     13. Select “Base 64 encoded”

 

13.png

 

     14. Click on “Download certificate”
     15. Put the downloaded certificate in the SSO folder on VCTcerts and rename it to rui.crt

 

14.png

The content of the SSO folder should look like this, then you can open the certificate to verify that this is a valid certificate.

 

15.png

     16. Repeat steps 7 to 15 for the other services. At the end, the VCTcerts folder must have service folders that each contain 3 files: rui.key, rui.csr and rui.crt

 

Part 3: Creating the chain files

To update a service with a new certificate, you need a chain file that will contain the certificate signed by the certificate authority, the intermediate certificate of the authority if you have one, and the root certificate of the authority.

 

     17. Download the intermediate and the root certificate of the authority by using Microsoft Active Directory Certificate Services, click on “Download a CA certificate, certificate chain, or CRL”

16.png

 

     18. In my case, I don’t have intermediate certificate authority. Select a Base 64 certificate and click on “Download CA certificate”. Place this certificate in the VCTcerts folder and rename it if you want:

17.png

 

     19. Open VCT and click on the “Chain .pem” button, specify the path to the root certificate of the authority and the VCT folder path:

18.png

 

     20. Click on the load button, if everything is ok you should see that VCT loaded all the certificate as shown on the picture below:

19.png

 

     21. Click on the “Generate Chain” button, you will see on the log panel that VCT created a .pem file for each service:

20.png

 

At this point, the contents for one of the services you want to update should look like this:

 

 

Part 5: Creating the SSL Environment file

 

     22. In VCT, click on the “SSL-environment” button, specify the path to the VCTcerts folder and click on load:

     23. Scroll down, specify the SSO Admin User, the vCenter Admin User and the destination folder, which is going to be the VCTcerts folder:

     24. Click on “Generate SSL Environment file”. A .bat file has been created in the VCTcerts folder. This file is used by the SSL Automation Tool and contains all the paths to the certificates and keys, so you don’t have to waste time typing them.

The VCTcerts folder now should look like this:

 

 

Part 6: Implementing the certificates

 

     25. Connect to your vCenter server using Terminal Services and transfer the VCTcerts folder. I created the VCTcerts folder on the C drive of my laptop with VCT; on the server, place the VCTcerts folder in the same location, the C drive.
     26. Also transfer the SSL Automation Tool to the vCenter Server, next to the VCTcerts folder:

     27. From the VCTcerts folder, copy the ssl-environment file to the “SSL automation tool” folder and replace the original file with the new one.
     28. Open a “cmd” prompt with administrator rights and go to the “SSL automation tool” folder.
     29. Execute “ssl-environment.bat” to load the environment variables
     30. Execute “ssl-updater.bat”
     31. At this point you just need to follow, step by step, the procedure to update all the services of your infrastructure:

Update Procedure Step By Step

  1. Go to the machine with Single Sign-On installed and - Update the Single Sign-On SSL certificate.
  2. Go to the machine with Inventory Service installed and - Update Inventory Service trust to Single Sign-On.
  3. Go to the machine with Inventory Service installed and - Update the Inventory Service SSL certificate.
  4. Go to the machine with vCenter Server installed and - Update vCenter Server trust to Single Sign-On.
  5. Go to the machine with vCenter Server installed and - Update the vCenter Server SSL certificate.
  6. Go to the machine with vCenter Server installed and - Update vCenter Server trust to Inventory Service.
  7. Go to the machine with Inventory Service installed and - Update the Inventory Service trust to vCenter Server.
  8. Go to the machine with vCenter Orchestrator installed and - Update vCenter Orchestrator trust to Single Sign-On.
  9. Go to the machine with vCenter Orchestrator installed and - Update vCenter Orchestrator trust to vCenter Server.
  10. Go to the machine with vCenter Orchestrator installed and - Update the vCenter Orchestrator SSL certificate.
  11. Go to the machine with vSphere Web Client installed and - Update vSphere Web Client trust to Single Sign-On.
  12. Go to the machine with vSphere Web Client installed and - Update vSphere Web Client trust to Inventory Service.
  13. Go to the machine with vSphere Web Client installed and - Update vSphere Web Client trust to vCenter Server.
  14. Go to the machine with vSphere Web Client installed and - Update the vSphere Web Client SSL certificate.
  15. Go to the machine with Log Browser installed and - Update the Log Browser trust to Single Sign-On.
  16. Go to the machine with Log Browser installed and - Update the Log Browser SSL certificate.
  17. Go to the machine with vSphere Update Manager installed and - Update the vSphere Update Manager SSL certificate.
  18. Go to the machine with vSphere Update Manager installed and - Update vSphere Update Manager trust to vCenter Server.

 

     32. I am going to show you the Single Sign-On update: type 3 “Update Single Sign-On”
     33. Type 1 “Update the Single Sign-On SSL Certificate”
     34. You can see that all the paths to the certificates are already loaded, so just press “Enter” for the chain and the private key, type the SSO password and type “no” for the load balancer.
     35. Then you just have to follow the Update Procedure. It can take a while to update the services because you have to restart the services multiple times. When you reach step 18 of the Update Procedure, the whole infrastructure is updated with CA signed certificates.

If you have any errors, this might be a certificate problem; please check the CRT file and the chain file one by one.

I hope this will help you to update your infrastructure. You can still watch the video if you feel something is going wrong during this process. Feel free to leave me comments and to share this tutorial or VMware Certificate Toolkit.

vSphere login auditing with Log Insight, Part 3 (Add to Dashboard)


これまで、vRealize Log Insight を使用して

ためしに自分のログイン履歴を見てみました。

今回は、Interactive Analytics での分析結果を、ダッシュボードに追加してみます。

※今回も、Log Insight 2.0 を使用しています。

 

前回までのポストは・・・

Log Insight で vSphere ログイン監査。第1回(Security Dashboard から Interactive Analytics)

Log Insight で vSphere ログイン監査。第2回(Interactive Analytics での対話)

 

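Creating a new dashboard from Interactive Analytics and adding a chart

To add an Interactive Analytics chart to a dashboard, click "Add to Dashboard" at the top left of the screen.

This time I select "New Dashboard" to create the dashboard itself as well.

loginsight-board-01.png

Enter a name for the new dashboard and click "Save".

Japanese appears to be fine for the dashboard name.

loginsight-board-02.png

The dashboard I just created is selected.

Next, enter a name for the chart to add. Japanese could be used for the chart name too.

In Notes, I wrote a rough description of the chart.

The "Add" button adds the chart.

loginsight-board-03.png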

 

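Looking at the dashboard I added.

Let's look at the dashboard the chart was added to.

Opening "Dashboard" → around "VMware - vSphere" on the screen → "My Dashboards" shows the dashboards you created yourself.

loginsight-board-04.png

After opening My Dashboards, click the dashboard you created (here, "Login Audit Dashboard").

The "My Login History" chart I added was displayed.

loginsight-board-05.png

This chart can be widened, and charts can be reordered by dragging the title bar.

As a test, I click around the red box (Click to expand widget) to widen the chart.

loginsight-board-06.png

It got wider.

loginsight-board-07.png

The "Notes" entered when adding the chart are shown when you click the "i" icon.

loginsight-board-08.png

For an added chart, you can change the display period, or use "Add Filter" to add extraction conditions for the logs being aggregated.

In the example below, I tried changing the display period.

loginsight-board-09.png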

 

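Adding charts to the dashboard.

Next, I add more widgets (charts, log extraction results and so on, placed on a dashboard).

Widgets can also be added from the button around the red box.

* Incidentally, this is the analysis result screen created in the previous post.

loginsight-board-10.png

You can add it as a Chart widget...

loginsight-board-11.png

or, as shown at the bottom of the Interactive Analytics screen, add the log extraction results in table form (Field Table).

loginsight-board-12.png

After adding the two widgets above and adjusting the widget widths, it looks like this.

I ended up with something like a simple login audit dashboard.

You can also open the "Interactive Analytics" screen based on the displayed analysis results and analyze further.

Clicking the magnifying glass icon on the chart...

loginsight-board-13.png

opened the "Interactive Analytics" screen.

loginsight-board-14.png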

 

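In this post I only looked at the login history for vCenter, but with some ingenuity it looks possible to, for example, bring the login histories of ESXi, BDE (Serengeti) and so on together in a single dashboard for login auditing.

For more on Log Insight, see also the following.

Deploying vCenter Log Insight.

Registering an additional VC in vCenter Log Insight.

Trying to integrate vCenter Log Insight with VCOPS.

That was a look at login history with Log Insight.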

VMware NSX 6.1 for vSphere – Configuring OSPF route distribution


In my previous NSX articles we covered installing and configuring NSX. We discussed deploying and configuring Transport Zones, Logical Switches, Logical Routers, and Edge Gateways, and connecting the Logical and Edge Gateways. With all of these completed, we now have an environment that, with the appropriate routes, can transport traffic from our physical network to the logical networks that we deployed. The missing piece is the routes. We could go and configure a bunch of static routes throughout all the NSX routers and our physical routers, but that wouldn’t be fun. It also wouldn’t be automated. In this post I am going to walk through configuring the NSX routers to use OSPF for route distribution.

 

[Read More]

Migrate vSphere 4 to vSphere 5 Online without Downtime


Hi all


A few days ago, I finished a project at one of my customers, a medium-size one. The project was about migrating the Virtual Infrastructure at his Manufacturing Plant site from vSphere 4.0 (BN 721907) to vSphere 5.x.

Fortunately, I came up with a plan to migrate all of his infrastructure online, although he was planning for downtime, and it went successfully. So, why not share it with you all?


Infrastructure:

The infrastructure consists of 3 HP hosts with an aggregate memory of 32GB of RAM and an aggregate CPU of 6 sockets with 4 cores each. In addition, a 2 TB FC SAN was used as back-end storage. There is a single cluster with HA/DRS enabled, hosting Tier 2 applications as well as a single critical Document Server.


Requirements:

  • Migrate all of the Virtual Infrastructure from vSphere 4.0 (BN 721907) to vSphere 5.x.
  • Migration to be done on weekends (he thought that the migration would be offline).
  • Remove the old vCenter Server and build a fresh vCenter 5.x Server Windows VM.
  • The Document Server must be online ASAP, even at the cost of all other VMs being offline.


My Initial Plan and Decisions:

Although the environment seemed really small, the customer was really worried. The Document Server was really critical for him, and he had had a bad experience with a similar migration process done at HQ.

I decided to plan for doing it online during working hours for a couple of reasons:

  • The environment was really small, so there was no need to shut down all services unnecessarily.
  • The customer has an Enterprise License, which gave me many features to use, so why not use them?
  • I was worried about shutting down the Document Server and powering it up again (it was a legacy document server).
  • No advanced network configuration was used, i.e. simple Standard vSwitches without any special configuration.
  • No worries about upgrading the VMFS datastores in use from VMFS 3 to VMFS 5 online. Any drawback of an upgraded VMFS datastore, regarding the preserved block size, will not affect future business.

I began to plan the migration and to work through a conceptual migration on paper. One thing that made things a little easier was that he'll burn down his old vCenter, which was a physical machine, so there was no need for a P2V phase. Another was that he used a simple network configuration, as mentioned before. I decided that the plan would be something like:

  • Upgrade one host and build the new vCenter on it in order to build a new DRS cluster.
  • Leverage vMotion and DRS capabilities to migrate all VMs from the old host to the new one, and then upgrade all the old hosts one by one.
  • Upgrade the datastores in use to VMFS 5 online.
  • VM HW Level and VMware Tools to be upgraded during regular Maintenance Windows.
  • After the total migration is finished, decommission the old vCenter Server.

I chose to upgrade to vSphere 5.1 U2, as I'm really familiar with it and the customer doesn't need any features of vSphere 5.5.


Plan Phases:

Phase 1: Preparation Phase:

In this phase, all the software needed was downloaded and moved to the remote Plant. All VMs were backed up as a safeguard against any unknown sudden failures or circumstances.


Phase 2: vSphere 5.1 Host Deployment:

For simplicity, let's name the hosts: Host 1,2 and 3.

1-) On the old vSphere 4 Cluster, I reviewed and recorded any network or storage configuration needed before beginning, and there was nothing special.

2-) I started by choosing Host 1 and putting it into Maintenance Mode, so that all its VMs were migrated by DRS to the other hosts.

3-) After evacuating the host, I removed Host 1 from the vCenter 4 Cluster and rebooted it into the vSphere 5.1 U2 installation.

4-) After installing vSphere 5.1 U2 on it, I re-configured Host 1 for networking and storage. Now, Host 1 has similar portgroups as old Host 2 and 3, is attached to the same datastores, and has vMotion enabled.

5-) I created a new VM with hardware level 9 for the new vCenter Server. On this VM, I installed Windows 2k8 r2, updated it and installed the antivirus agent following the Customer's Policy.

6-) On that VM, I installed vCenter Server 5.1 U2 with the embedded DB, as there's no need for further expansion beyond its limit.

7-) After successful installation, I created a new cluster with HA/DRS enabled.

8-) I re-added all hosts (1, 2, 3) online to the new Cluster (it threw a false warning about removing hosts from the old vCenter, but nothing to worry about).

9-) I re-balanced the cluster using DRS to make sure that every VM was still working perfectly and that VM migrations were smooth between these different hosts. Fortunately, everything was just fine!


Phase 3: Upgrading the Remaining Hosts:

1-) I put Host 2 into Maintenance Mode, so that all its VMs were migrated by DRS to the other hosts.

2-) After evacuating the host, I removed Host 2 from the vCenter 5.1 Cluster and rebooted it into the vSphere 5.1 U2 installation.

3-) After installing vSphere 5.1 U2 on it, I re-configured Host 2 for networking and storage. Now, Host 1 has similar portgroups as old Host 2 and 3, is attached to the same datastores, and has vMotion enabled.

4-) I re-added Host 2 to vCenter 5.1 and the new cluster.

5-) I re-balanced the cluster using DRS to make sure that every VM was still working perfectly and that VM migrations were smooth.

6-) I repeated steps 1-5 with Host 3.

7-) I made sure that all of the Virtual Infrastructure was properly licensed with the new license.


Phase 4: Storage Upgrade:

I upgraded the two datastores online from VMFS 3 to VMFS 5 with just one click. I made sure that everything was still working fine.

Now the only thing remaining was to upgrade the VMware Tools and VM HW Level of the VMs. The customer stated that he'd do it regularly during his Maintenance Windows.

It took me only 2 days to finish that project and the customer was above the clouds.



Subsidiary Notes:

1-) In case of using Distributed Switches version 4: I tested that in my home lab and found that the best way is to create temporary Standard vSwitches, add the VMs to them to make vMotion really easy, and then migrate all VM networking to a new Distributed Switch 5.1. The reason is that I discovered that a vMotion operation can be done only if the VMkernel ports of the source and destination hosts are on the same LAN segment. VMkernel portgroups don't affect vMotion, i.e. if they're named differently, it doesn't prevent vMotion. Unfortunately, vMotion requires VM portgroups to be identical on the source and destination hosts, hence a Distributed Switch can't be used in that migration plan, as you can't add a host to two Distributed Switches and then create two portgroups with the same name on these Distributed Switches on the same host. For more information read the following article by Chris Wahl:

http://wahlnetwork.com/2013/07/23/workload-migrations-across-clusters-with-non-shared-vmotion-port-groups/

This may introduce some limited downtime.

2-) In case you need to know the difference between upgraded VMFS 5 datastores and newly-created ones, refer to the following article by Jason Boche:

http://www.boche.net/blog/index.php/2011/07/21/vmfs-5-vmfs-3-whats-the-deal/

If you want to re-create your VMFS datastores on VMFS 5, you should have at least two shared datastores and an Enterprise License. Use Storage vMotion to move VMs from one datastore to the other, re-format the empty datastore, then re-create it using vCenter 5.1 or ESXi 5.1 hosts. Repeat that for the other datastores until you finish. Also, keep in mind the SCSI reservation issue, in case no VAAI is available: the number of VMs on a single datastore should not be high enough to cause SCSI reservation conflicts (usually 10-15 VMs per datastore).



Waiting for your feedback.

Share the Knowledge.



PowerCLI - Change the IP and network labels (vlans) of multiple vms


Sometimes it might be necessary to do a mass change of the IPs of all the vms, especially if the underlying infrastructure is being moved to a different datacenter. Along with the IPs, the vlans might change. This script assumes that the new network labels have already been created on a distributed switch and that all the vms need to be updated to the new label and IP. I found it easier to first update the IP and then the label instead of the other way round.

 

  • First, a CSV file (list.csv) containing the list of servers to be updated. It has the name of the vm, the new IP, the gateway address and the new network label already created in the vCenter server. Assuming that it's a /24 network address space, the subnet mask of 255.255.255.0 is hard-coded in the script. Different IPs can be part of the same script. The DNS server IPs are also hard-coded in.

 

name,ip,gw,label
server01,10.10.100.10,10.10.100.1,VMNet_100
server02,10.10.100.11,10.10.100.1,VMNet_100
server03,10.10.100.12,10.10.100.1,VMNet_100
server04,10.10.100.13,10.10.100.1,VMNet_100
server05,10.10.100.14,10.10.100.1,VMNet_100
server06,10.10.200.10,10.10.200.1,VMNet_200
server07,10.10.200.11,10.10.200.1,VMNet_200
server08,10.10.200.12,10.10.200.1,VMNet_200
server09,10.10.200.13,10.10.200.1,VMNet_200
server10,10.10.200.14,10.10.200.1,VMNet_200

 

  • And here is the actual Windows PowerShell script. To run it from vSphere PowerCLI, remove "Add-PSSnapin VMware.VimAutomation.Core" at the beginning of the code. After powering on the vms, it sends out an email with the list of vms.

 

  • It first checks if VMware Tools are running on the vm. All vms will need VMware Tools installed and running else the script will skip that vm and the name of the vm will be added to "issues.txt" file. Successful names will be added to "report.txt" file.

 

  • This assumes the vm has only one nic. Also, do not include the vCenter server in the list; that IP should be changed manually.
#Add-in necessary modules
Add-PSSnapin VMware.VimAutomation.Core
#Note: -InvalidCertificateAction ignore turns off validation of the vCenter server certificate
Set-PowerCLIConfiguration -InvalidCertificateAction ignore -ProxyPolicy NoProxy -Confirm:$False
#Connect to vcenter server
$vcenter = "<FQDN or IP of vcenter server>"
connect-viserver $vcenter
#Import list of vms
Import-csv C:\list.csv |
foreach {
    $computer = $_.name
    $ip = $_.ip
    $gw = $_.gw
    $label = $_.label
    #Check if VMware Tools are running in the vm without which most of the following commands will not work
    $toolstatus = (Get-VM $computer | Get-View).Guest.ToolsStatus
    if ($toolstatus -eq 'toolsOk'){
        Write-Host (Get-Date).DateTime
        Write-Host -ForegroundColor Green "$computer is up."
        #Read current network settings, needs Domain Admin credentials
        #(the guest cmdlets also accept -GuestCredential, e.g. from Get-Credential, which keeps the password out of the script)
        $vmguestnic = Get-VM -Name $computer | Get-VMGuestNetworkInterface -GuestUser '<Domain Admin>' -GuestPassword '<Domain Admin Password>' -ToolsWaitSecs 30
        #Add current network settings to local text file
        Write-Host -ForegroundColor Green "Current network settings are being added to report.txt file."
        "`r`n`r`n"+ (Get-Date).DateTime + "`r`n Current settings:  " +$computer+", "+ $vmguestnic.Ip +", "+$vmguestnic.DefaultGateway | Out-File C:\report.txt -Append
        #Set new IP settings, needs Domain Admin credentials. Double check Subnet Mask and DNS IPs.
        Set-VMGuestNetworkInterface -GuestUser '<Domain Admin>' -GuestPassword '<Domain Admin Password>' -VmGuestNetworkInterface $vmguestnic -IPPolicy Static -Ip $ip -Gateway $gw -Netmask 255.255.255.0 -Dns 10.10.10.2,10.10.10.3
        Write-Host -ForegroundColor Green "Changing IP address."
        #Change port group label which needs to be created before-hand in the Vcenter server.
        Write-Host -ForegroundColor Green "Changing network label."
        Get-VM -Name $computer | Get-NetworkAdapter | Set-NetworkAdapter -NetworkName $label -connected:$true -StartConnected:$true -confirm:$false
        #Ping the server till it's successful (Win32_PingStatus StatusCode 0 means the ping succeeded)
        while (((Get-WmiObject win32_pingstatus -Filter "address='$ip'").statuscode) -ne 0) {
            Write-Host -ForegroundColor Green "Could not ping server $computer, sleeping for 5 seconds."
            sleep 5
        }
        #Add current network settings to report text file
        Write-Host (Get-Date).DateTime
        Write-Host -ForegroundColor Green "$computer ping was successful, writing new settings to report.txt file."
        "`r`n New Settings" | Out-File C:\report.txt -Append
        $nic = Get-VM -Name $computer | Get-VMGuestNetworkInterface -GuestUser '<Domain Admin>' -GuestPassword '<Domain Admin Password>' | Select Ip,SubnetMask,DefaultGateway,Dns,Mac
        $nic | Out-File C:\report.txt -Append
        (Get-Date).DateTime | Out-File C:\report.txt -Append
        "`r`n-------------------------------------------------------------------------------------------------------------"| Out-File C:\report.txt -Append
    } else {
        #VMware Tools status is not 'toolsOk', so the vm is skipped
        Write-Host (Get-Date).DateTime
        Write-Host -ForegroundColor Green "$computer - VMware Tools not running, check if the server is running. "
        #Add server to issue text file
        "`r`n" + (Get-Date).DateTime + "`r`n" + $computer | Out-File C:\issues.txt -Append
    }
}
#Disconnect from vcenter server
Disconnect-viserver $vcenter -Confirm:$False
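
Because the script above applies every row of list.csv without checking it, and hard-codes a 255.255.255.0 mask, a pre-flight check of the CSV is worth running first. The following is an added example, not part of the original post: the helper names Test-IPv4 and Get-Slash24 are hypothetical, and the sample rows are constructed to contain a wrong gateway, a duplicate IP, an invalid address and a missing label.

```powershell
# Added example: pre-flight check of list.csv (not part of the original script).
# The rows below are constructed sample data; for a real run use:
#   $rows = Import-Csv C:\list.csv
$rows = @'
name,ip,gw,label
server01,10.10.100.10,10.10.100.1,VMNet_100
server02,10.10.100.11,10.10.200.1,VMNet_100
server03,10.10.100.10,10.10.100.1,VMNet_100
server04,10.10.300.13,10.10.100.1,
'@ | ConvertFrom-Csv

function Test-IPv4 {
    param([string]$Address)
    # Strict dotted quad: four decimal octets, each 0-255
    if ($Address -notmatch '^(\d{1,3}\.){3}\d{1,3}$') { return $false }
    foreach ($octet in $Address.Split('.')) {
        if ([int]$octet -gt 255) { return $false }
    }
    return $true
}

function Get-Slash24 {
    param([string]$Address)
    # The change script hard-codes 255.255.255.0, so the first three octets are the network
    ($Address.Split('.')[0..2]) -join '.'
}

$seenIp = @{}
$seenName = @{}
$problems = foreach ($row in $rows) {
    $issues = @()
    $ipOk = Test-IPv4 $row.ip
    $gwOk = Test-IPv4 $row.gw
    if (-not $ipOk) { $issues += "invalid ip '$($row.ip)'" }
    if (-not $gwOk) { $issues += "invalid gw '$($row.gw)'" }
    if ($ipOk -and $gwOk -and ((Get-Slash24 $row.ip) -ne (Get-Slash24 $row.gw))) {
        $issues += "gw $($row.gw) is not in the same /24 as ip $($row.ip)"
    }
    # Duplicate IPs or names in the list would leave two vms fighting over one address
    if ($seenIp.ContainsKey($row.ip)) { $issues += "ip also assigned to $($seenIp[$row.ip])" } else { $seenIp[$row.ip] = $row.name }
    if ($seenName.ContainsKey($row.name)) { $issues += 'vm name listed more than once' } else { $seenName[$row.name] = $true }
    if ([string]::IsNullOrWhiteSpace($row.label)) { $issues += 'empty network label' }
    foreach ($issue in $issues) {
        [pscustomobject]@{ Name = $row.name; Issue = $issue }
    }
}

if ($problems) {
    $problems | Format-Table Name, Issue -AutoSize
    Write-Warning "list.csv has $(@($problems).Count) problem(s); fix them before the bulk change."
} else {
    Write-Host 'list.csv passed all checks.'
}
```

With the constructed rows, server02, server03 and server04 are reported and server01 passes.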

[VMware] View Auditing Portal tool


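A new tool related to Horizon View has been released on VMware Labs.

The tool is called View Auditing Portal, and it can be installed and used as an extension web portal for View Administrator.

As the name suggests, it lets you check auditing information; specifically, the following information can be checked:

  • OS and version of the View Client
  • Parent virtual machine and snapshot information for Linked Clone pools
  • Session information for virtual desktops and RemoteApp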

 

 

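The tool can be used with Horizon View 6.0 or later, and as for how to install it... there is hardly anything to it.

Just download the file from here and move the file named viewauditing.war into the following folder. (lol)

C:\Program Files\VMware\VMware View\Server\broker\webapps

ViewAuditPortal01.jpg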

 

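After moving the file, accessing the following URL displays the login screen.

https://<View Connection Server name>/viewauditing/

ViewAuditPortal02.jpg

You can check the linked-clone virtual machine and snapshot information.

ViewAuditPortal03.jpg

This is the page where you can check the View Client OS and version information.

ViewAuditPortal03B.jpg

This is the page that shows session information for connected virtual desktops and RemoteApp.

ViewAuditPortal04.jpg

For more details, please see here.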
