In recent weeks we have often talked about how to remediate vCenter for the log4j vulnerability. I guess the first thing we all thought was "Great, VMware support released scripts to run to solve the problem..." and then everyone went to use WinSCP or similar tools/commands to copy the file... but many will have found it impossible to copy files using the root user: SSH works, but the SCP command does not! The problem comes from the shell associated with the root user: it is not the classic bash but appliancesh. So we proceed as follows:
Let's connect via SSH to the vCenter Virtual Appliance
We access the bash shell with the command shell
We enable bash as the default shell for the root user
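As an added example (not code from the original post), the following Python helper reads passwd-format text and reports whether root is still on appliancesh, which is the situation where SSH logs in but SCP fails. The passwd lines are a constructed sample, and the command string it suggests is the shell / chsh sequence that performs the steps above:

```python
from typing import Optional

# Added example, not from the original post: check from passwd-format text whether
# root still has VMware's restricted appliancesh as its login shell. SSH logins work
# under appliancesh, but scp/WinSCP transfers fail because appliancesh does not run
# the scp command that the client invokes on the remote side.
APPLIANCE_SHELL = "/bin/appliancesh"
BASH_SHELL = "/bin/bash"

# Constructed sample of the relevant /etc/passwd lines (not copied from a real vCenter).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/appliancesh
vmware:x:1000:1000:VMware user:/home/vmware:/bin/bash
"""


def login_shell(passwd_text: str, user: str = "root") -> Optional[str]:
    """Return the login shell of `user` from passwd-format text, or None if the user is absent."""
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")  # name:password:uid:gid:gecos:home:shell
        if len(fields) == 7 and fields[0] == user:
            return fields[6]
    return None


def scp_transfer_expected_to_work(passwd_text: str, user: str = "root") -> bool:
    """scp/WinSCP as `user` works only when the login shell is a real POSIX shell."""
    return login_shell(passwd_text, user) == BASH_SHELL


def remediation(passwd_text: str, user: str = "root") -> str:
    """Commands for the steps above: 'shell' drops into bash, chsh makes bash the default shell."""
    if login_shell(passwd_text, user) == APPLIANCE_SHELL:
        return f"shell; chsh -s {BASH_SHELL} {user}"
    return "no change needed"


def apply_default_shell(passwd_text: str, user: str, shell: str) -> str:
    """Return passwd text with `user`'s shell replaced, which is the edit chsh -s performs."""
    out = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0] == user:
            fields[6] = shell
            line = ":".join(fields)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("root shell:", login_shell(SAMPLE_PASSWD))
    print("scp expected to work:", scp_transfer_expected_to_work(SAMPLE_PASSWD))
    print("remediation:", remediation(SAMPLE_PASSWD))
    fixed = apply_default_shell(SAMPLE_PASSWD, "root", BASH_SHELL)
    print("after chsh:", login_shell(fixed))
```

Run it against the contents of /etc/passwd copied from the appliance (or pipe the file in) to confirm the change took effect before retrying the WinSCP copy; if the shell still reads /bin/appliancesh, the transfer will keep failing even though the SSH login succeeds.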
Whenever we installed a new vCenter, the activity always included integration with Active Directory, and normally IWA (Integrated Windows Authentication) was used. Since vSphere 7.0 this possibility has been deprecated, so it is good to start integrating vCenter with Active Directory via LDAP. In our case we will use LDAPS, which uses a certificate.
For the first step we need to create the certificate:
Copy the certificate output including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----
Paste it into Notepad and save it with the .crt extension
Now we will configure the Identity Sources on vCenter:
Log in to vCenter as the Single Sign-On administrator
Navigate to Menu > Administration > Single Sign-On > Configuration
In the Identity Provider tab, open Identity Sources
Click ADD
Select Active Directory over LDAP or OpenLDAP, depending on your directory type.
Fill out the remaining fields as follows:
Identity Source Name: a label for the source.
Base DN for users: the Distinguished Name (DN) of the starting point for directory server searches. Example: "DC=pollaio,DC=lan".
Base DN for groups: the Distinguished Name (DN) of the starting point for directory server searches.
Domain name: your domain name. Example: "pollaio.lan".
Domain alias: your NetBIOS name. Example: "pollaio.lan".
Username: a domain user with at least browse privileges. Example: "pollaio\administrator".
Connect to: "ldaps://<DC FQDN>".
Click Browse next to SSL Certificate
Select the .cer file created in the previous step
Now we are ready to log in to vCenter with a domain user (remember to assign the correct permissions to the domain user or group)
If you want to check that the SSL certificate is correctly used for authentication to Active Directory over the LDAP connection, check websso.log:
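As an added example (not code from the original post), this Python helper covers the two places where the LDAPS setup above usually goes wrong: it extracts the PEM block from the pasted certificate output and verifies the copy is intact before it is saved as the .crt file, and it sanity-checks the "Connect to" value so that a plain ldap:// URL or an IP literal (which will not match the name in the DC's certificate) is caught before the identity source is saved. The tool output layout around the PEM block is assumed (openssl s_client style), the base64 body is constructed filler rather than a real certificate, and 636 is the standard LDAPS port:

```python
import base64
import ipaddress
import re
from typing import List, Tuple
from urllib.parse import urlparse

# Added example, not from the original post. The chatter around the PEM block is an
# assumed openssl s_client-style layout; the base64 body is constructed filler.
FAKE_DER = b"constructed placeholder, not a real DER certificate " * 3
FAKE_B64 = base64.b64encode(FAKE_DER).decode()
SAMPLE_OUTPUT = (
    "CONNECTED(00000003)\n"
    "depth=0 CN = dc01.pollaio.lan\n"
    "-----BEGIN CERTIFICATE-----\n"
    + "\n".join(FAKE_B64[i:i + 64] for i in range(0, len(FAKE_B64), 64))
    + "\n-----END CERTIFICATE-----\n"
    "---\n"
    "SSL handshake has read 1523 bytes and written 400 bytes\n"
)

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(.*?)\r?\n-----END CERTIFICATE-----", re.S
)
LDAPS_DEFAULT_PORT = 636


def extract_pem_certificates(text: str) -> List[str]:
    """Return each PEM block found in `text`, re-wrapped at 64 columns, markers included.

    Raises ValueError (binascii.Error) if a block's base64 body is corrupted,
    e.g. by a partial copy from the terminal.
    """
    blocks = []
    for m in PEM_RE.finditer(text):
        body = "".join(m.group(1).split())      # drop line breaks and stray spaces
        base64.b64decode(body, validate=True)   # fails on a truncated or mangled copy
        wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
        blocks.append(f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----\n")
    return blocks


def write_crt(pem: str, path: str) -> None:
    """Save one PEM block as the .crt/.cer file the identity source wizard expects."""
    with open(path, "w", newline="\n") as fh:
        fh.write(pem)


def check_ldaps_url(url: str) -> Tuple[str, int, bool]:
    """Validate the 'Connect to' value: scheme must be ldaps and a host must be present.

    Returns (host, port, host_is_dns_name). An IP literal is flagged because the
    DC certificate's subject/SAN normally carries the FQDN, so an IP in the URL
    would not match it and the TLS handshake would fail.
    """
    parsed = urlparse(url)
    if parsed.scheme != "ldaps":
        raise ValueError(f"expected ldaps:// (LDAP over TLS), got {parsed.scheme!r}")
    host = parsed.hostname
    if not host:
        raise ValueError("missing directory server host")
    try:
        ipaddress.ip_address(host)
        host_is_dns_name = False
    except ValueError:
        host_is_dns_name = True
    return host, parsed.port or LDAPS_DEFAULT_PORT, host_is_dns_name


if __name__ == "__main__":
    certs = extract_pem_certificates(SAMPLE_OUTPUT)
    print(f"found {len(certs)} certificate block(s)")
    write_crt(certs[0], "dc01.pollaio.lan.crt")   # constructed file name
    print(check_ldaps_url("ldaps://dc01.pollaio.lan"))
```

Paste the real certificate output into SAMPLE_OUTPUT's place (or read it from a file) and keep the URL check in your runbook: a rejected ldap:// value or an IP host explains most "certificate not trusted" entries you would otherwise go looking for in websso.log.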
VMware has had a product for a while now called VMware Skyline that provides proactive monitoring, analysis, and support for your VMware environment. It monitors your VMware installation and will notify you when issues arise.
Skyline Advisor will be available to customers and partners with active Production and Premier Support, VMware Success 360 and vRealize Cloud Universal subscriptions at no additional cost.
Create a Cloud Services Organization
Log in with the My VMware account associated with Production or Premier Support on the site:
https://console.cloud.vmware.com/
After clicking Get Started, a new browser page or tab will open and you will be asked to sign in with your VMware account. If you have an existing My VMware account, you can use the same account details (email address/password) to sign in to Cloud Services.
If you are an existing VMware Cloud Services customer, you can choose an existing Cloud Services Organization for Skyline. If you have never used VMware Cloud Services, click Create New Organization.
Enter an Organization Name.
Name your Organization something meaningful that can be easily referenced by both you and VMware. For example, name your Organization after your Company or Business name. You can also append a line of business, division, or team to the end of your Company or Business name.
The following are example Organization Names:
Company, LOB, Company LOB, Company-vSphere, Company-Desktop
Enter an Address for your Organization.
Click Add Address. You can also choose an existing address if one was found for your account. If you choose an existing address, skip to substep f.
During the creation of your Cloud Services Organization, your country, currency, and Tax ID may be displayed. The display of this information is a construct of Cloud Services. Skyline is available at no additional cost, and you will not be required to enter any payment details while adopting Skyline.
Select a Country from the drop-down menu.
Enter your street address on Address Line 1, and Address Line 2 (optional).
Enter your City.
Enter your State/Province.
Enter your Zip/Postal Code.
Review the Cloud Services Terms of Service. Click the checkbox to agree to the Terms of Service.
Click Continue.
Now, under Services, we see Skyline Advisor; click on this service
Link the Entitlement
Now, after clicking LINK, the status correctly shows LINKED
Deploy Skyline Collector and configure the connection to Cloud Services
Copy and paste the token into Skyline Connect and register it.
Add source Data to Skyline Advisor
After completing steps 5 and 6 (I suggest enabling auto-upgrade), we can access the Skyline Collector to configure the connection to the vCenter (or to multiple vCenters)
One of the conveniences of administering VMware solutions is being able to use code to write scripts that perform repetitive tasks or automate processes.
One of the vSphere Web Client features that can help those new to PowerCLI is Code Capture: it basically allows you to list and save the PowerCLI commands for the actions you perform in the vSphere Web Client.
To activate it, just open the vSphere Web Client and select Developer Center from the Menu
Select Code Capture and enable it by turning on the "Enable Code Capture" toggle on the right (which turns green)
At this point a pane will appear in our frame where the commands are listed, with some operations such as Clear and start another, Copy and Download,
where the Download option generates the .ps1 file with the PowerCLI commands of the recorded operations
To start and stop a recording session you can use the buttons:
Or the red button that appears at the top of the Web Client once "Enable Code Capture" is enabled
Imagine you have a vSAN infrastructure and at some point a disk group fails, with errors reported on the disks. With this tool we can analyze the logs exported from the ESXi host on which the disk group resides and identify on which physical disks I/O errors have been highlighted
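The post does not name the tool, so as an added example (not the tool or the logs from the original post) here is a Python parser that does the same job on exported ESXi vmkernel.log lines: it picks out failed SCSI commands, groups them by device identifier, and separates disk-reported media errors from path/transport failures so the physical disk behind a failed disk group stands out. The line layout is assumed from the usual ScsiDeviceIO "... to dev "<id>" failed H:.. D:.. P:.. ... sense data: key asc ascq" messages, the sample lines are constructed, and the naa.* identifiers are made up:

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List

# Added example, not from the original post. Sample lines are constructed and the
# device identifiers are made up; the message layout is an assumption about the
# ScsiDeviceIO "failed H:.. D:.. P:.." entries found in vmkernel.log.
SAMPLE_LOG = """\
2021-12-15T10:00:01.101Z cpu3:2097512)ScsiDeviceIO: 3047: Cmd(0x45a2c6b7c0c0) 0x28, CmdSN 0x1a from world 2098765 to dev "naa.6000000000000000000000000000aaaa" failed H:0x0 D:0x2 P:0x0 Valid sense data: 0x3 0x11 0x0.
2021-12-15T10:00:01.205Z cpu3:2097512)ScsiDeviceIO: 3047: Cmd(0x45a2c6b7c0c0) 0x2a, CmdSN 0x1b from world 2098765 to dev "naa.6000000000000000000000000000aaaa" failed H:0x0 D:0x2 P:0x0 Valid sense data: 0x3 0x11 0x0.
2021-12-15T10:00:02.310Z cpu1:2097510)ScsiDeviceIO: 3047: Cmd(0x45a2c6b7c1d0) 0x28, CmdSN 0x22 from world 2098770 to dev "naa.6000000000000000000000000000bbbb" failed H:0x0 D:0x2 P:0x0 Valid sense data: 0x6 0x29 0x0.
2021-12-15T10:00:03.000Z cpu1:2097510)ScsiDeviceIO: 3047: Cmd(0x45a2c6b7c1d0) 0x28, CmdSN 0x23 from world 2098770 to dev "naa.6000000000000000000000000000aaaa" failed H:0x1 D:0x0 P:0x0 Possible sense data: 0x0 0x0 0x0.
2021-12-15T10:00:04.000Z cpu2:2097511)vmw_ahci[0000001f]: unrelated noise line that the parser ignores
"""

FAILED_CMD_RE = re.compile(
    r'^(?P<ts>\S+) .*?to dev "(?P<dev>[^"]+)" failed '
    r'H:0x(?P<host>[0-9a-fA-F]+) D:0x(?P<devstat>[0-9a-fA-F]+) P:0x(?P<plugin>[0-9a-fA-F]+)'
    r'(?: (?:Valid|Possible) sense data: 0x(?P<key>[0-9a-fA-F]+) 0x(?P<asc>[0-9a-fA-F]+) 0x(?P<ascq>[0-9a-fA-F]+))?'
)

CHECK_CONDITION = 0x2           # SCSI device status: the device returned sense data
MEDIA_SENSE_KEYS = {0x3, 0x4}   # MEDIUM ERROR, HARDWARE ERROR: the disk itself reports the fault


def parse_failures(log_text: str) -> List[dict]:
    """Extract failed-command events (device, status bytes, sense key/asc) from log text."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_CMD_RE.search(line)
        if not m:
            continue
        events.append({
            "ts": m.group("ts"),
            "dev": m.group("dev"),
            "host": int(m.group("host"), 16),
            "devstat": int(m.group("devstat"), 16),
            "key": int(m.group("key"), 16) if m.group("key") else None,
            "asc": int(m.group("asc"), 16) if m.group("asc") else None,
        })
    return events


def classify(event: dict) -> str:
    """media: disk-reported medium/hardware error; transport: host/HBA status set; other: the rest."""
    if event["host"] != 0:
        return "transport"
    if event["devstat"] == CHECK_CONDITION and event["key"] in MEDIA_SENSE_KEYS:
        return "media"
    return "other"


def summarize(log_text: str) -> Dict[str, Dict[str, int]]:
    """Per-device counts of failure classes, e.g. {'naa...': {'media': 2, 'transport': 1}}."""
    per_dev = defaultdict(Counter)
    for ev in parse_failures(log_text):
        per_dev[ev["dev"]][classify(ev)] += 1
    return {dev: dict(c) for dev, c in per_dev.items()}


def suspect_disks(log_text: str, min_media_errors: int = 1) -> List[str]:
    """Devices with at least `min_media_errors` disk-reported media errors, most errors first."""
    hits = [(dev, c.get("media", 0)) for dev, c in summarize(log_text).items()
            if c.get("media", 0) >= min_media_errors]
    return [dev for dev, _ in sorted(hits, key=lambda x: (-x[1], x[0]))]


if __name__ == "__main__":
    for dev, counts in summarize(SAMPLE_LOG).items():
        print(dev, counts)
    print("suspect physical disks:", suspect_disks(SAMPLE_LOG))
```

Feed it the vmkernel.log from the exported support bundle of the host owning the disk group; a device that accumulates media errors is the disk to replace, while a device whose failures are all transport-class points at the HBA, cable or backplane rather than the disk, so the two classes should not be lumped together when deciding what to swap.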
vSphere uses TLS certificates to protect and secure the communication between vCenter and the ESXi hosts, and the user's access to the vCenter web GUI.
There are many possible configurations:
Full Managed Mode -> All certificates are managed by the VMCA
Hybrid Mode -> The certificates for the traffic between vCenter and ESXi are managed by the VMCA; the administrator imports from the private PKI only the SSL certificate used for access to the web GUI
Subordinate CA Mode -> The VMCA is configured as a subordinate CA of the private PKI
Full Custom Mode -> All certificates are generated and managed by the local private PKI
The best solution is Hybrid Mode, as it gives the right balance between security and implementation effort.
One of the aspects that push me to propose upgrading VMware vSphere infrastructures to version 6.7u3 is also the presence of Skyline Health, an indispensable tool for monitoring the state of the infrastructure.
The information we can quickly identify and analyze relates to objects such as the individual ESXi hosts, the vCenter and the state of the vSAN.
What information can we find there? From the security vulnerabilities present in our infrastructure to firmware versions that need updating, obviously accompanied by links to VMware KB pages with specific information on how to handle them.
To obtain this information it is necessary to enable the CEIP (Customer Experience Improvement Program).
VMware has always invested in customer satisfaction, and so the whole management and support flow has gained further efficiency with the arrival of Skyline.