Migrating from vCenter Server Embedded PSC to External PSC in vCenter Server 6

For the past few weeks I have been working on enhancing my VMware home lab setup to be more scalable and enterprise grade, which gave me an opportunity to migrate the embedded PSC to an external one so that I can extend my vCenter Single Sign-On domain with more vCenter Server instances to support multi-site NSX and SRM use cases. You can reconfigure and repoint the existing vCenter Server instance to an external Platform Services Controller.

A few things to note before starting the migration:

  • The process is relatively straightforward, but remember there is no coming back once you migrate the embedded PSC to external.
  • Make sure to take a snapshot of vCenter Server; in case anything goes wrong during the migration you can revert vCenter to the last working state.
  • Non-ephemeral virtual port groups are not supported for the PSC deployment, so as a workaround we need to create a new ephemeral port group in the same VLAN (if using VLANs) as the vCenter Server network for the deployment of the new PSC. You can migrate the PSC network to a non-ephemeral port group after the migration completes successfully.


This is what I am running in my lab currently, a vCenter Server appliance with embedded PSC:


I want to achieve the below topology with External PSC:


Let's start by installing the external Platform Services Controller instance as a replication partner of the existing embedded Platform Services Controller instance in the same vCenter Single Sign-On site.

Mount the VCSA ISO and start the installation.


Enter the credentials of the ESXi host where you are planning to deploy the PSC appliance.


Accept the self-signed certificate.


Here select "Install Platform Services Controller".

Select Join an SSO domain in an existing vCenter PSC:


Join the existing site and select the SSO site name:


As I explained before, if you have not created an ephemeral virtual port group you will not be able to select a network to deploy the new PSC.


Go back to vCenter and create a distributed port group with ephemeral port binding, which will be used for the PSC deployment.


Enter the standard networking parameters and complete the deployment wizard.


Click Finish and wait for the deployment to complete. This process takes approximately 8-10 minutes.


You will get the below screen once the PSC is deployed successfully.


Now log in to the vCenter Server instance with the embedded Platform Services Controller. Verify that all Platform Services Controller services are running by executing the command below:

service-control --status --all


The final step is to run the command below to repoint vCenter Server from the embedded PSC to the newly deployed external PSC:

cmsso-util reconfigure --repoint-psc psc_fqdn_or_static_ip --username username --domain-name domain_name --passwd password [--dc-port port_number]

Use the --dc-port option if the external Platform Services Controller runs on a custom HTTPS port. The default value of the HTTPS port is 443.


If you have followed all the instructions above, you will get the success message: "vCenter Server has been successfully reconfigured and repointed to the external PSC 172.18.36.17".


That was it; the PSC has been successfully migrated from embedded to external! I hope it was helpful.

ESXi Certificates in vSphere 6

Starting from vSphere 6.0, VMCA (VMware Certificate Authority) provisions each new ESXi host with certificates when it is added to the vCenter Server system.

In contrast to vCenter Server certificates, ESXi certificates are not stored in VECS (VMware Endpoint Certificate Store). Instead they are stored locally on each host in /etc/vmware/ssl.


An upgrade to ESXi 6.0 replaces existing thumbprint certificates with VMCA-signed certificates; custom certificates are retained. However, if you select Renew Certificates in the vSphere Web Client, VMCA pushes a fresh VMCA-signed certificate to the host and overwrites any existing certificate, even a custom one.

To prevent overwriting a custom certificate, you can change the certificate mode from the vSphere Web Client. There are three kinds of certificate mode in vSphere 6.0:

  • Thumbprint mode: to accommodate legacy hosts
  • VMCA mode: uses VMCA as the root CA
  • Custom mode: to use only third-party certificates


To set the certificate mode in the vSphere Web Client, go to vCenter Server – Manage – Settings – Advanced Settings and click Edit.

In the filter box, enter "certm" to display only the certificate management keys.


Change the value of "vpxd.certmgmtmode" to custom if you intend to manage your own certificates, or to thumbprint if you want to use thumbprint mode, and click OK.

Restart the vCenter Server service. The mode always applies to all hosts managed by that vCenter Server system.

Refreshing Security Token Service (STS) Root Certificate in vSphere Web Client


This is one of the shortest blogs I have written so far; however, I have seen a lot of confusion around certificates in vSphere 6, so I thought of writing a quick one on this.

The vCenter Single Sign-On server includes a Security Token Service (STS). The Security Token Service is a Web service that issues, validates, and renews security tokens.

You can manually refresh the existing Security Token Service certificate from the vSphere Web Client when the certificate expires or changes.

You can replace the existing STS signing certificate from the vSphere Web Client if your company policy requires it, or if you want to update an expired certificate.

Procedure

1 Log in to the vSphere Web Client as administrator@vsphere.local or as another user with vCenter Single Sign-On administrator privileges.

Users with vCenter Single Sign-On administrator privileges are in the Administrators group in the vsphere.local domain.

2 Browse to Administration > Single Sign-On > Configuration.

3 Select the Certificates tab, then the STS Signing sub-tab, and click the Add STS Signing Certificate icon.

4 Click Browse to browse to the key store JKS file that contains the new certificate and click Open.

If the key store file is valid, the STS certificate table is populated with the certificate information.

5 Click OK.

The new certificate information appears on the STS Signing tab.

Now you should restart the vSphere Web Client service. You can find all services in the System Configuration area of Administration.

Working with vSphere Management assistant

Before I talk about the various commands we can use with vMA, first let me explain a bit about vMA. "vSphere Management Assistant enables administrators to run scripts or agents that interact with ESXi hosts and VMware vCenter Server systems without authenticating each time. vSphere Management Assistant is easy to download, install, and configure through the vSphere Web Client."

vSphere Management Assistant is a virtual appliance that consists of the following components:

– SUSE Linux Enterprise Server

– VMware Tools

– vSphere SDK for Perl

– vSphere CLI

– Java JRE version 1.6

– vi-fastpass, an authentication component for the appliance

vSphere Management Assistant requires an ESXi host that supports 64-bit virtual machines. The CPU on the ESXi host must be an AMD Opteron rev E or later, or an Intel processor with EM64T support with VT enabled. By default vSphere Management Assistant uses 1 vCPU, 600 MB RAM and 3 GB of virtual disk. vSphere Management Assistant is used with vSphere 5.x or 6.

Let's get started now.

  • Start the SSH and ESXi Shell services on the ESXi host you want to manage from vSphere Management Assistant.
  • Log in to the vSphere Management Assistant appliance. Use PuTTY to establish an SSH session to the appliance, using vi-admin as the user name and the password that you set during the initial power-on of the appliance.
  • Now we need to add the vCenter Server system and the ESXi host as vSphere Management Assistant target servers to simplify commands.
  • Add the vCenter Server system as a server target:

    vifp addserver vc01.vclass.local --authpolicy fpauth --username administrator@vsphere.local

  • Any user with sufficient vCenter Server privileges can be specified, including VMware vCenter Single Sign-On users. The vSphere administrator user name is used here because it is the default vCenter Server Appliance administrator account.
  • When prompted for a password, enter the password you have set.
  • When prompted to store the user name and password in the credential store, enter yes.
  • Add the ESXi host as a server target:

    vifp addserver esxi01.vclass.local --authpolicy fpauth --username root

  • When prompted for a password, enter the password you have set.
  • List the configured target servers:

    vifp listservers

  • The vCenter Server system and the ESXi host appear in the list: vc01.vclass.local and esxi01.vclass.local must be listed.
  • Now I will add the ESXi host thumbprint to the certificate store on the vCenter Server system so that a trust relationship exists between the host and the server. This trust relationship is necessary to run ESXCLI commands.
  • Let me show what happens when I run the command without adding the ESXi host thumbprint to the certificate store on the vCenter Server system.
  • Add the ESXi host thumbprint to the vCenter Server certificate store:

    /usr/lib/vmware-vcli/apps/general/credstore_admin.pl add -s esxi01.vclass.local -t thumbprint

  • The thumbprint is displayed in the output of the last command. You can copy the thumbprint into the command by selecting it and right-clicking.
  • Now you can use ESXCLI commands to query the ESXi host properties. I will show you some important commands that you can use in the day-to-day administration of a vSphere environment.
  • Set the ESXi host as the current target server:

    vifptarget -s esxi01.vclass.local

  • As a result of running the command, the name of the target server appears as part of the command prompt.

1. Display the CPU characteristics of the ESXi host:

    esxcli hardware cpu list

    Use the command output to determine the CPU characteristics:
  • Number of CPUs installed on the host
  • Brand of the first CPU
  • Family and model of the first CPU
  • Core speed of the second CPU

2. Display the ESXi host memory:

    esxcli hardware memory get

    Use the command output to determine the memory characteristics:
  • Amount of physical memory
  • NUMA node count

3. Display the platform on which the ESXi software is installed:

    esxcli hardware platform get

    Use the command output to determine the platform characteristics:
  • Product name
  • IPMI supported status

4. List the software version of ESXi that is installed on the host:

    esxcli system version get

5. Display the time and date on the host:

    esxcli hardware clock get

6. Determine the system host name:

    esxcli system hostname get

7. Determine the system's boot device:

    esxcli system boot device get

8. The last command I want to highlight is vicfg-ntp in the vSphere Management Assistant, which you can use to query and configure Network Time Protocol (NTP) settings.

    (i) List the NTP servers that are configured on esxi01.vclass.local:

    vicfg-ntp --list

    NTP servers are not yet configured.

    (ii) Stop the NTP service:

    vicfg-ntp --stop

    (iii) Add an NTP server:

    vicfg-ntp --add 172.20.10.5

    (iv) List the configured NTP server:

    vicfg-ntp --list

    (v) Start the NTP service:

    vicfg-ntp --start
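As an added example (not from the post and not VMware's own tooling), the following Python parses the default text output of the esxcli hardware commands listed above, as run from vMA, and answers the checklist items (CPU count, brand, family/model, core speed, memory, NUMA nodes). The sample outputs are constructed; the field names are assumed from the esxcli text formatter.

```python
# Added example, not from the post: parse the text output of `esxcli hardware
# cpu list` and `esxcli hardware memory get` as run from vMA and answer the
# checklist above (CPU count, brand, family/model, core speed, memory, NUMA).
# The sample outputs are constructed; values are made up and the field names
# are assumed from the esxcli text formatter ("   Key: Value", 3-space indent).
import re

CPU_LIST = """\
   Id: 0
   Family: 6
   Model: 63
   Brand: GenuineIntel
   Core Speed: 2394374000

   Id: 1
   Family: 6
   Model: 63
   Brand: GenuineIntel
   Core Speed: 2394374000
"""

MEMORY_GET = """\
   Physical Memory: 17179869184 Bytes
   Reliable Memory: 0 Bytes
   NUMA Node Count: 2
"""

# One "   Key: Value" line; unindented title lines such as "Platform
# Information" (seen in `get` output) do not match and are skipped.
FIELD = re.compile(r"^\s+([^:]+):\s*(.*)$")


def parse_esxcli(text):
    """Split esxcli text output into records (dicts). `list` output separates
    records with blank lines; `get` output yields a single record."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        m = FIELD.match(line)
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
    if current:
        records.append(current)
    return records


def cpu_summary(text):
    """CPU count, brand and family/model of the first CPU, core speed (GHz) of the second."""
    cpus = parse_esxcli(text)
    second_hz = int(cpus[1]["Core Speed"]) if len(cpus) > 1 else 0
    return {"count": len(cpus), "brand": cpus[0]["Brand"],
            "family_model": (int(cpus[0]["Family"]), int(cpus[0]["Model"])),
            "second_cpu_ghz": round(second_hz / 1e9, 2)}


def memory_summary(text):
    """Physical memory in GiB and NUMA node count."""
    rec = parse_esxcli(text)[0]
    return {"gib": int(rec["Physical Memory"].split()[0]) // 2**30,
            "numa_nodes": int(rec["NUMA Node Count"])}
```

On the appliance you would feed it the real output, e.g. `cpu_summary(subprocess.check_output(["esxcli", "hardware", "cpu", "list"], text=True))`, after `vifptarget -s` has set the target host.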


Configuring vCenter Server 6 Appliance to use Active Directory Services

In this blog I will show how to configure Active Directory in the vCenter Server Appliance in vSphere 6. I will also show how to grant the ESX Admins group in Active Directory the right to log in to VMware vCenter Server as administrators.

First we need to add the Active Directory domain to the VCSA as follows:

– Log in to the Web Client using the administrator account.
– Point to the Home icon and select Home.
– In the left pane, click Administration and click System Configuration.
– In the left pane, click Nodes and select vc01.vclass.local (the vCenter Server).
– On the System Configuration page, click the Manage tab.
– In the middle pane, click Active Directory and click Join.
– In the Domain text box, enter vclass.local (enter your domain here).
– Leave the Organizational unit text box empty.
– In the User name and Password text boxes, enter the Active Directory user name and password.
– Click OK.
– At the top of the middle pane, click Actions and select Reboot.
– In the Reboot window, enter a reason for the reboot and click OK.
– vCenter Server Appliance takes several minutes to reboot. You can refresh the vSphere Web Client page, or close the browser window and reopen it, to see when the appliance is back up.
– After the reboot you should see the domain as below:


Now I will add Active Directory as an identity source in the Web Client and grant the ESX Admins group in Active Directory the right to log in to VMware vCenter Server as administrators.

– Point to the Home icon and select Home.
– In the left pane, click Administration.
– Under Single Sign-On, select Configuration.
– Click the Identity Sources tab.
– Click the Add Identity Source (green plus sign) icon.
– In the Add identity source dialog box, select Active Directory as a LDAP Server for the Identity source type.
– In the Name text box, enter vclass.local.
– In the Base DN for users text box, enter CN=Users, DC=vclass, DC=local.
– In the Domain name text box, enter vclass.local.
– In the Domain alias text box, enter vclass.
– In the Base DN for groups text box, enter CN=Users, DC=vclass, DC=local.
– In the Primary server URL text box, enter ldap://vclass.local:389.
– In the Username text box, enter the user name in domain\Administrator format.
– In the Password text box, enter the password.
– Click Test Connection.
– A dialog box appears indicating that the connection has been established.
– Click OK.
– Click OK to close the Add identity source dialog box.
– In the left pane under Single Sign-On, select Users and Groups.
– Click the Groups tab.
– Under Group Name, click Administrators.
– In the bottom Group Members pane, click the Add member (blue person with green plus sign) icon.
– Select the domain you just added.
– Select the Domain Admins group and click Add.
– Click OK.
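As an added example (not from the post), this Python checks that the values typed into the Add identity source dialog are consistent with each other before you click Test Connection: the base DNs must spell the domain in their DC components, the alias must be the domain's first label, the server URL must use ldap on 389 or ldaps on 636, and the user name must be in DOMAIN\user form. Those rules and the dictionary keys are this example's own assumptions; it also flags the post's ldap:// URL, since plain LDAP on 389 carries the bind unencrypted.

```python
# Added example, not from the post: sanity-check the values entered in the
# Add identity source dialog before clicking Test Connection. The keys mirror
# the dialog fields; the rules (base DNs must spell the domain in their DC
# components, the alias is the domain's first label, the URL uses ldap:389 or
# ldaps:636, user name is DOMAIN\user) are this example's own assumptions.
from urllib.parse import urlsplit


def split_dn(dn):
    """'CN=Users, DC=vclass, DC=local' -> [('CN', 'Users'), ('DC', 'vclass'), ('DC', 'local')]"""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if not attr or not value:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        parts.append((attr.upper(), value.strip()))
    return parts


def domain_from_dn(dn):
    """Join the DC components of a DN into a DNS domain name."""
    return ".".join(value for attr, value in split_dn(dn) if attr == "DC")


def check_identity_source(src):
    """Return a list of findings; an empty list means the values are consistent."""
    findings = []
    domain = src["domain_name"].lower()
    for field in ("users_base_dn", "groups_base_dn"):
        if domain_from_dn(src[field]).lower() != domain:
            findings.append(f"{field} DC components do not spell {domain}")
    if src["domain_alias"].lower() != domain.split(".")[0]:
        findings.append("domain_alias is not the first label of the domain")
    url = urlsplit(src["primary_server_url"])
    if url.scheme not in ("ldap", "ldaps"):
        findings.append(f"unsupported scheme {url.scheme!r}")
    else:
        if url.scheme == "ldap":
            findings.append("ldap:// is unencrypted; prefer ldaps:// on port 636")
        port = url.port or (636 if url.scheme == "ldaps" else 389)
        if (url.scheme, port) not in (("ldap", 389), ("ldaps", 636)):
            findings.append(f"unexpected port {port} for {url.scheme}")
    if "\\" not in src["username"]:
        findings.append("username should be in DOMAIN\\user format")
    return findings


# The values used in the post (the password is not part of the check).
POST_VALUES = {
    "name": "vclass.local",
    "users_base_dn": "CN=Users, DC=vclass, DC=local",
    "domain_name": "vclass.local",
    "domain_alias": "vclass",
    "groups_base_dn": "CN=Users, DC=vclass, DC=local",
    "primary_server_url": "ldap://vclass.local:389",
    "username": "vclass\\Administrator",
}
```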

I hope this blog was helpful. Keep learning and keep sharing 🙂


License vCenter Server & ESXi Host in vSphere 6

This blog post is about assigning new licenses in a vSphere 6 environment.

The first thing is to add the vCenter and ESXi licenses in the vSphere Web Client. For this:

– Log in to the vSphere Web Client using the administrator account.
– In the left pane, click Administration and click Licenses.
– In the middle pane, click the Licenses tab, then click the plus sign to create new licenses.
– In the text box on the Enter license keys page, enter the license keys, one per line, and click Next.
– On the Edit license names page, enter the new license names for vCenter Server and Enterprise Plus in the License Name text boxes and click Next.
– On the Ready to complete page, click Finish.

Now that we have added the licenses to vCenter, it's time to assign the vCenter Server and ESXi host licenses.

Assign the vCenter Server license key to the vCenter Server instance.
– In the middle pane, click the Assets tab, click the vCenter Server systems tab and click the Assign License link.
– In the Assign License dialog box, select the vCenter Server license key.
– Click OK.

Assign the vSphere Enterprise Plus Edition 6 license key to the ESXi host.
– In the center pane, click the Hosts tab and click the Assign License link.
– In the Assign License dialog box, select the vSphere Enterprise Plus Edition 6 license key.
– Click OK.

I hope the post was helpful. Keep learning and sharing 🙂

vCenter Server Enhancements in vSphere 6


With the release of vSphere 6, there are a few significant changes in the vCenter Server architecture and the way it is deployed. As far as I can see, the deployment has been simplified compared to previous versions.

There are two ways to deploy vCenter Server:

  • Embedded
  • External

Embedded:

As you can see below, in the embedded configuration vCenter Server and the Platform Services Controller are installed on the same physical or virtual machine.

The embedded vCenter Server configuration comes with its own advantages and disadvantages. Let me cover the advantages first.

  • The biggest advantage is that the connection between vCenter Server and the Platform Services Controller is not over the network, so vCenter Server is not prone to outages caused by connectivity and name resolution issues between vCenter Server and the Platform Services Controller.
  • If you are doing a Windows-based vCenter Server installation, you will need fewer Windows licenses.
  • There is no need for a load balancer to distribute the load across Platform Services Controllers.
  • You have to manage fewer virtual machines or physical servers.

Disadvantages:

  • There is a Platform Services Controller for each product, which might be more than required. This consumes more resources.
  • The model is not scalable and is suited to small-scale environments.

External:

In the external configuration, vCenter Server and the Platform Services Controller are installed on different physical or virtual machines.

Installing vCenter Server with an external Platform Services Controller has the following advantages:

  • Fewer resources are consumed by the combined services in the Platform Services Controllers, which enables a reduced footprint and reduced maintenance.
  • Your environment can consist of more vCenter Server instances.

Installing vCenter Server with an external Platform Services Controller has the following disadvantages:

  • The connection between vCenter Server and Platform Services Controller is over the network and is prone to connectivity and name resolution issues.
  • If you install vCenter Server on Windows virtual machines or physical servers, you need more Microsoft Windows licenses.
  • You must manage more virtual machines or physical servers.

With the new release, the PSC (Platform Services Controller) is responsible for the following vCenter services:

  • VMware vCenter Single Sign-On
  • VMware Certificate Authority (CA)
  • License service
  • Lookup service
  • VMware Directory Services

vCenter Server takes care of the remainder of the services, which are:

  • vCenter Server
  • vSphere Web Client
  • Inventory Service
  • VMware vSphere Auto Deploy
  • VMware vSphere ESXi Dump Collector
  • vSphere Syslog Collector on Windows and vSphere Syslog Service for the VMware vCenter Server Appliance

We can also install multiple instances of the PSC for high availability. In this scenario the Platform Services Controller replicates information such as licenses, roles and permissions, and tags with the other Platform Services Controllers; this allows a single pane of glass for the environment with Enhanced Linked Mode.

Enhanced Linked Mode:

Linked Mode using Microsoft ADS/ADAM has been replaced with Enhanced Linked Mode. Platform Services Controllers now replicate all the information required for Linked Mode.

  • Enhanced Linked Mode is now enabled by default in an environment
  • The vCenter Server Appliance is now supported with Enhanced Linked Mode
  • Mixing Windows and appliance platforms is supported

VMware Certificate Authority (CA)

  • VMware CA addresses the complexity of certificate management, as it now acts as the root certificate authority for vSphere from which all certificates are issued
  • Allows for enhanced security, as all certificates for components are signed and valid
  • Root certificate can be replaced with one from a corporate CA to integrate vSphere into an existing infrastructure

VMware Endpoint Certificate Store

  • Certificate store on each Platform Services Controller or vCenter host that stores all certificates for components on the server

An individual certificate is no longer required for each component

  • In previous releases each component (vCenter Service, Inventory Service, and so on) required a unique certificate
  • In vSphere 6.0 all communication is directed through the Reverse Proxy Endpoint; therefore only a single certificate per server is required

vCenter Server for Windows and the vCenter Server Appliance support the same scalability numbers and features.