The first thing you need to do is look in the server’s computer certificate personal store for your IIS certificate. In my case I’m looking for the StoreFront.contoso.net certificate. Since I knew I’d be exporting the whole certificate (including the private key), I made sure when I was requesting the certificate to allow the private key to be exported. You can request certificates from your MS CA a variety of ways, so I’ll assume you can find the option to allow private key export.

Exporting the Certificate

1. Right click on the certificate select All Tasks then select Export. You should be presented with the option to export the private key. If not, then your certificate’s private key is “stuck” in the computer’s store and you can’t get it out. Issue a new certificate with the private key export option.

2. Assuming you can export the private key you are now given some options for the PKCS#12 certificate file. You shouldn’t need to select any of the options.

3. Select a strong password to protect the file with. Remember it.

4. Chose an appropriate filename for the certificate. I strongly suggest using the FQDN of the certificate, because the NetScaler will store the files with the name you choose. So don’t do something like “cert.pfx” since you will have no clue what site it is for. In my case I chose StoreFront.contoso.net.pfx.

5. Run through the same export wizard again, but this time select No, do not export the private key.

6. Select Base-64 encoding for your certificate.

7. Again, I suggest using the FQDN of the certificate for the filename (e.g. StoreFront.contoso.net.cer). Make sure the file ends in “.cer”.

8. At this point you should have two certificate files, both with the FQDN, and one ending in .PFX and the other in .cer.

Importing Certificates into NetScaler

1. Logon to your Citrix NetScaler and open the root SSL page. Under Tools click Import PKCS#12.

2. In the import window click on Browse next to the PKCS12 filename (NOT the output file name). Browse to your pfx file. Type in the password you entered during the certificate export process. Enter a new password to protect the private key on the Netscaler (PEM passphrase). In the Output File Name use the FQDN of the certificate and add a .key suffix. Change the encoding format to DES3. The NetScaler will automatically extract the private key from the PFX file and put it into the .key file.

3. Click on Manage Certificates / Keys / CSRs. Upload your .cer file. You should now see three certificate files with your certificate’s FQDN.

4. At this point you can delete the .pfx file if you wish, since we no longer need it. I suggest you do remove it, to reduce clutter on your NetScaler.

5. In the left pane under SSL click on Certificates then in the middle pane click on Install.

6. Enter the FQDN of your certificate in the Certificate-Key Pair Name. For the Certificate FIle Name select the .cer file you uploaded. For the Private Key File Name select your .key file. Enter the password you entered back in step 2.

7. If all goes well you will now have a new certificate from IIS installed on your NetScaler with no command line effort or manual modification of certificate files.

The post Import IIS SSL Certificate to Citrix NetScaler appeared first on Derek Seaman's Blog.

For a VDI project I am looking at a software storage appliance to offload a lot of the IOPS from our back end storage system, to increase performance and reduce costs. One feature the our particular solution has is called “fast clone”, which allows the storage appliance to create a VM clone in just a few seconds, instead of several minutes using the vCenter clone method. Internally it adjusts some pointers to the VMDK, and de-dupes, so it doesn’t have to copy every block when you create a new VM. In fact, very few blocks are copied during the cloning process.

However the “fast clone” process literally cloned the master VM and did not have any method to trigger vCenter customization specs. As a result all the Windows hostnames were the same as were the SIDs. I certainly did not want to run sysprep manually on hundreds of VMs. The vendor workaround was far too complex and cumbersome to consider. So I developed the script below which automates the major tasks which the vCenter customization specifications perform and easier (IMHO) than what the vendor suggested.

Script Features

• Copies an existing sysprep unattend XML file to the VM via the VMware tools VIX interface
• Each unattended XML file is automatically customized with the VM’s name as it appears in vCenter, so sysprep will change the Windows hostname appropriately
• Deletes the residual unattended XML files which may contain sensitive passwords or product keys
• Auto-joins the VM to the domain assuming an appropriately configured unattend XML file and DHCP is available
• Accepts a command line argument for easy testing against one VM, but it will also read a CSV file for mass processing

It’s up to you to supply an appropriately configured Windows sysprep unattended XML file for the operating system in question. If you include domain join parameters then it will join the VM to the domain as well, all without prompting for a username or password. To delete the residual XML files, the script will upload a setupcomplete.cmd file to c:\windows\setup\scripts. It will not over-write any existing file, so make sure it doesn’t exist. Windows knows to automatically run that script after the sysprep process.

In order to customize the unattended XML file with the VM’s hostname, the script does a simple replace on a string called “CHANGEHOSTNAME”. When you create your XML file be sure to use this name for the machine name, so the search and replace will work properly. Otherwise all the VMs will have the same hostname!

Using the Script

When you want to run the script against several machines, use the csv option. The csv file must have the vCenter VM name, one VM per line, without any header or empty lines at the end. There’s limited error checking, so I would urge you to take a snapshot of your target VM so you can revert back until you work out the kinks with your unattend file. In the vCenter console you will see some authentication errors when sysprep kicks off and invoke-script can no longer connect to the VM , but those are harmless messages.

In the example below I executed the script on the vCenter server using a PowerCLI console. I had configured the CSV input file with two hostnames. First I entered my password (for my current user account), then the administrator credentials for the guest VM. The script assumes all VMs have the same credentials as you will only be prompted once.

If you watch the vCenter console you will see a bunch of entries. As I mentioned earlier, once sysprep kicks off vCenter is unable to connect to the guest so some authentication errors appear.

After minute or so the VM rebooted and the sysprep process kicked off. A few minutes later my VM was joined to the domain with its new name and ready for use. Depending on the complexity of your unattended sysprep file you do could a lot of customization within the guest, install software, etc. the sky is really the limit. This script just gives you an easy way to run sysprep against dozens or hundreds of existing VMs if you can’t use vCenter customization specifications.

# This script will copy a sysprep unattend XML file to the guest VM and execute it,
# using the VM's vCenter name. Input can be a single arguement on the command line,
# or a csv file. The CSV must have one VM name per line and no blank lines or header.
# The setupcomplete.cmd deletes the two copies of the unattend XML file, which may
# contain sensitive passwords or product keys.
#
# Derek Seaman derekseaman.com
#
# Your vcenter server name
$vCenter = "vcenter.domain.com"
# Your master sysprep unattended file. It will not be modified.
$MasterSysprep = "d:\sysprep-master.xml"
# Optional CSV input file. Only called if no VM argument is provided.
# One vCenter VM name per line with no header
$CSV_File = "D:\vms.csv"
# "Hostname" in the master unattended sysprep file that will be replaced for each VM
$ReplaceHost = "CHANGEHOSTNAME"
# Resulting sysprep file with the custom hostname, overwritten for each VM. Do not change.
$CustomSysprep = "D:\sysprep.xml"
# Don't change anything below here
#
#Validates VMware PowerCLI snap-ins are loaded
$xPsCheck = Get-PSSnapin | Select Name | Where {$_.Name -Like "*VMware*"}
If ($xPsCheck -eq $Null) {Add-PsSnapin VMware.VimAutomation.Core}
if ($args[0] -eq $null ) {$list = import-csv $CSV_File -header name} else { $list = $args[0] }
# Function to mask password input
function Read-HostMasked([string]$prompt="Password") {
$password = Read-Host -AsSecureString $prompt;
$BSTR = [System.Runtime.InteropServices.marshal]::SecureStringToBSTR($password);
$password = [System.Runtime.InteropServices.marshal]::PtrToStringAuto($BSTR);
[System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($BSTR);
return $password;
} # function Read-HostMasked([string]$prompt="Password")
# Connects to vCenter
$currentUser = ([System.Security.Principal.WindowsIdentity]::GetCurrent()).Name
$currentUsePassword = Read-HostMasked "Enter the password for the current user"
Connect-VIServer -Server $vCenter -User $currentUser -Password $currentUsePassword | out-null
# Guest OS administrator credential input
$guestuser = read-host "Enter guest administrator username"
$guestpassword = read-HostMasked "Enter guest administrator password"
Foreach ($vm in $list) {
# Cleans up prior local sysprep output file and replaces hostname in sysprep.xml
remove-item $CustomSysprep -ErrorAction SilentlyContinue
$content = Get-Content $MasterSysprep
$content | foreach { $_.Replace($ReplaceHost, $VM.name) } | Set-Content $CustomSysprep
write-host $vm.name Custom sysprep file created
# Creates setupcomplete.cmd file to delete sysprep XML files post-sysprep. File must not already exist.
$Script1 = "echo `"del /F /Q c:\windows\panther\unattend.xml c:\windows\system32\sysprep\sysprep.xml`" | out-file -encoding ASCII c:\windows\setup\scripts\setupcomplete.cmd"
invoke-vmscript -scripttext $script1 -VM $VM.name -guestuser $guestuser -GuestPassword $GuestPassword | out-null
write-host $vm.name setupcomplete.cmd uploaded
# Copies sysprep.xml to guest and executes asynchronously
$script2 = "c:\windows\system32\sysprep\sysprep.exe /generalize /oobe /unattend:c:\windows\system32\sysprep\sysprep.xml /reboot"
copy-vmguestfile -source $CustomSysprep -destination c:\windows\system32\sysprep -VM $VM.name -localtoguest -guestuser $guestuser -guestpassword $guestpassword
invoke-vmscript -scripttext $script2 -VM $VM.name -guestuser $guestuser -GuestPassword $GuestPassword -scripttype bat -runasync | out-null
write-host $vm.name Sysprep executed
}

The post Automate Sysprep on vSphere w/o Custom Specs appeared first on Derek Seaman's Blog.

You no longer have to manage separate computing and storage devices. Multiple OmniCubes can be federated for high-availability and remote data replication. Two key tenants of the platform are simplicity and cost efficiency. It was a high level session, so it didn’t delve into a lot of technical details. But I did grab a few notes from the presentation:

The Promise of Convergence

• Consolidation, greater flexibility, Ease of use
• VMware enables convergence, but it’s not all roses. Increased complexity, siloed management (storage, network, compute)

Efficient Data Management Features of the OmniCube:

• Data efficiency - De-dupe and compression
• Data mobility- Rapid clones, replication
• Management – vCenter plug-in, globally managed
• Deployment – Simple install, VMware integrated, scale out
• Obsolete – LUN provsioning, RAID

SimpliVity OmniCube

• 3x lower acquisition cost, power and operating costs
• Combines compute, networking, storage (SSD and SATA)
• Real-time inline data dedupe/compression
• Global management
• Each cube has a standard configuraiton of memory, disk, CPUs

This looks like an interesting product for certain use cases. Could be great for branch offices where you may not have highly skilled engineers, or smaller shops that want to virtualize but don’t have virtualization and storage gurus. Or maybe departments in large companies that need to do their own thing, and want something easy, affordable, and fully converged.

The post San Diego VMUG: Infrastructure Convergence with SimpliVity appeared first on Derek Seaman's Blog.

Virtualization Tailwinds

• What’s driving the push to virtualize tier-1 applications?
• Implementing a “virtual first” policy
• Consolidate IT infrastructure
• “90% of all enterprise applications will be virtualized within the next two years” – VMware
• Virtualization Journey: Capex savings, Opex Saving, Self-service (IT as a service)

Virtualization Headwinds

• Design challenges: High SLAs, security, Governance, Large Data, Performance
• Five domains within the archtiecture: Data protection, storage management, high availability, security, archiving

Tier-1 App Platform Design Objectives

• Ensuring SLAs for performance, scalability and availablity can be met. Parity with physical or better.
• Support large databases
• Provide non-disruptive, off host backups for all types of storage (VMDK, RDM)
• Enable fast granular recovery of files
• Reduce infrastructure and management costs
• Security and compliance

Required Capabilities

• Pools of fast, resilient, dynamic storage
• Thin provisioning, thin reclamation, snapshots
• SAN or iSCSI connectivity with multi-pathing
• Support VMDK and RDM devices
• Provide visibility, monitoring, reporting, management and chargeback
• Provide visibility, reporting and management of availability across all application tiers
• Security needs to harden, protect, and monitor the systems against unauthorized access and changes
• Automatically archive historical data onto less expensive storage

TOGAF – The Open Group Architecture Framework. It is an excellent framework to properly document your IT architecture in a simple but meaningful manner.

Symantec Reference Architectures for SQL 2008, Exchange 2010, SharePoint 2010 is here:

• Tested and validated by VMware on HP hardware (ProLiant servers and 3PAR storage)
• Tested HA, disaster recovery, data protection, thin provisioning, security, reporting
• Key products: NetBackup, VMware HA, Application HA, Veritas Cluster Server

Find out more at: Symantec.com/Virtualization

The post San Diego VMUG: Overcome Challenges with Tier-1 Apps appeared first on Derek Seaman's Blog.

• Pre-Reqs – One cell per vCenter, NTP across all devices, one vCNS per vCenter, one provider vDC per vSphere Cluster

Planning

• There is no one size fits all solution
• There are some things very challenging to change post-development
• Allocation models: Changing may require powering down VMs to apply limits/reservations
• Storage tiering is important (capacity, tiers, I/O requirements, fast provisioning [don't use it everywhere])
• Networking: Configure external network first, then configure DVS first
• IP addressing withing the VM will require power cycle if changed
• VXLAN: Plan for it and prepare vCNS with it first
• Use distributed switches for everything

vCloud Director Use Cases

• Hosted/Public Cloud – Customer isolation, catalog isolation
• Development – Consistency, on-demand environments
• Testing – Dev, IT, vendor packages, etc.
• QA – Pre-prod clean environments
• Support desk – Test in isolated environment
• Private/Hybrid Clouds

Resources

• Storage gets used quickly
• Services: DHCP, DNS, NTP, etc.
• Who is responsible? Administrators, organization admins, template maintenance, firewalls, remote access, etc.
• Access to VMs? Jump box, remote console, SSH, etc.

Redundancy and Maintenance

• Load balance cells
• VMware vCenter heartbeat
• Consider VMware FT/HA for vCNS
• Use maintenance mode when doing maintenance on a cell
• Use “Display debug information” to dig deeper into error messages
• Configure syslog to capture all the activities centrally

Using vCD

• Set HA host failures to a percentage instead of N+1
• Use VMware Orchestrator to automate common tasks
• When using fast provisioning, end users should have a limited lifecycle for vApps.

The post San Diego VMUG: vCloud Director Best Practices appeared first on Derek Seaman's Blog.

Tips for efficient VM Backups

• Take a modern approach
• We have a robust platform with vSphere, use it
• Seek an approach built for virtualization – Remove burdens of agents inside VMs, easy on VM administrator, and scalable
• Do not put the backup data where the VMs are running (e.g. SAN). Storage can fail.

Disk-Based Backup Flexibility

• Many people do disk-to-disk backups with VMs
• vSphere gives you a framework with many options (VDDK, VADP, direct SAN access, etc.)
• Hardware dedupe appliances are more efficient than backup software dedupe

Upgrades with preparation

• A virtual lab can help you ensure that a critical upgrade will go smooth as planned
• Restore VMs to a sandbox and test upgrades without affecting production

Know where Bottlenecks Exist

• Backuping up VMs have many moving parts
• It’s important to know what may be slowing down your backups
• Source storage, network, disk target, CPU resources, backup window

Veeam Explorer for Exchange

• Restore Exchange items directly from the Veeam backup
• Search and browse across one or more Exchange databases
• Recover emails, contacts, calendar items, tasks, etc.
• No agent needed, free in all editions of Veeam Backup and Replication

The post San Diego VMUG: VMware Backup Tips from Veeam appeared first on Derek Seaman's Blog.

Proximal Data Company profile:

• Vision: I/O Intelligence in the hypervisor is a universal need
• Near term value is in making use of flash in virtualization

Overview: Proximal Data AutoCache

• I/O caching software for ESXi 4.x to 5.x
• Up to 2-3x VM density improvement
• Business critical apps accelerated
• Transparent to ESXi value like vMotion, DRS, etc.
• Converts a modest amount of flash
• Simple to deploy: Single “VIB” installed on each ESXi host
• vCenter plug-in: Caching effectiveness, cache utilization by guest VM

Case Study

• Month end processing report now takes 6.5 hours instead of 36.5 hours
• Eliminated need to vMotion other guests off during month end processing
• Tripled VM density on database servers
• Decreased SAS analytics report time by 85%

Flash – The Good

• Much faster than disks for random I/O – Sequential I/O performance difference is not as dramatic
• Cheaper than RAM

Flash – The Bad

• More expensive than spinning disks
• Slower than RAM
• Asymmetric read/write characteristics – Reads are much faster, writes cause a lot of wear
• Wears out/limited lifespan

Flash – The Ugly

• Must be erased to be written
• Erase granularity is not the write granularity
• Typical write granularity is 512 bytes, typical erase granularity is 32K, 64K or 128K
• Write/erase characteristics have lead to complexity (Flash translation layers, fragmentation, garbage collection, write amplification)

Flash – Not all are equal

• Steady state performance of controllers – as much as 50% performance loss in steady state vs new (stay with Intel, Micron, LSI, Sandforce, not third-tier)
• MLC is much cheaper and higher density and is the future, but not as robust and wear out faster than SLC

Flash – Ideal Usage

• Random I/O requests – greatest performance gains
• A lot more reads than writes
• Write in large chunks
• Avoid small writes to same logical locations
• If data is critical use SLC
• Read caching is an ideal use of flash

Caching is Everywhere

• Disks have caches, array/RAID controllers, HBAs, OS, application

Caching Basics

• Working set of data is likely a subset of the data
• Caches are used to manage the “working set” in a resouce that is smaller, faster and more costly than the main storage resource
• Cache works best when data flows from a slower device to a faster one
• Read caches primarily help read bound systems
• Write-back cache primarily help bursty environments
• Caches will continue to exist in all layers of the infrastructure

Flash in a Hypervisor

• Most caching algorithms developed for RAM caches – No consideration for device asymmetry
• Hypervisors have very dynamic I/O patterns
• Hypervisors are I/O blenders
• Must consider shared environment (latency, allocations, etc.)

Complications of Write-Back Caching

• Writes from VMs fill the cache
• Cache ultimately flushes to disk
• Cache over runs when disk flushes can’t keep up
• If you are truly write-bound, a cache will not help
• Write-back cache handles write bursts and benchmarks well but is not a panacea

Disk Coherency

• Cache flushes MUST preserve write ordering to preserve disk coherency
• Hardware copy must flush caches
• Hardware snapshots do not reflect current system state without a cache flush

Evaluating Caching

• Results are entirely workload dependent
• Benchmarks are terrible for characterizing devices. You can make IOmeter say anything you want.
• Run your real storage configuration for meaningful results
• Beware of caching claims of 100s or 1000x times improvements

Flash Caching Perspective

• Flash will be pervasive in the enterprise
• Chose the right amount (as little as 200GB can provide a large boost)
• The closer the cache to the processors, the better the performance

The post San Diego VMUG: The Power of Server Side Caching appeared first on Derek Seaman's Blog.

• Software is taking over the world
• The shifting landscape: Delivery methods (cloud), devices (tablets), applications, work style (anywhere any time)
• CIOs are on a quest to make infrastructure to just work
• IT must compete for the company’s IT business (vice outsouring to public cloud providers)
• Specialized software is replacing specialized hardware in the datacenter
• Waves of change in IT: Mainframe, mini-computer, PC, networked/distributed computing, virtual/cloud computing
• Apps Drive Platforms
• Current datacenters are a conglomeration of past IT decisions (mainframe, Unix, RISC, etc.)
• The price for computing power continues to drop at a rapid rate
• Abilitity now to virtualize almost all applications
• Ability to virtualize almost all hardware components (networking and storage)
• Today it can take 5 days to approve and configure a VM, but in the future the software defined datacenter could get that down to three minutes
• Future: Pools of compute, memory, storage, networking.
• Abstract, pool, automate
• SDDC is taking pool of resources and divvying them up appropriately, even though they share common hardware
• Multiple virtual datacenters each with its own workloads and requirements on the same hardware (e.g. Finance, R&D)
• Key: This has to apply to any and all applications (not just a few or most). Must work across the board (tier-1, SAP, Exchange, SQL, etc.)
• Check out the vCloud Suite Editions
• What about end user computing (EUC)? It’s not just about VDI these days.

The post San Diego VMUG: Software-Defined Datacenter Brief appeared first on Derek Seaman's Blog.

Now back to your regularly scheduled blog….

The post Whoops..Blogspot redirection now working again… appeared first on Derek Seaman's Blog.

If you use HP ProLiant servers, then using the HP customized ISO is strongly recommended, or even required (Gen8), for a properly functioning host. Baked in a tested drivers and HP management tools that enable full ProLiant functionality with VMware ESXi. The HP ESXi 5.1 update 1 custom ISO is your one stop shop for an optimized ProLiant server.

Remember, as always, to keep your HP ProLiant server firmware up to date with supported versions. That is very important for ESXi hosts, as the firmware and drivers are tested together in bundles. For maximum stability, performance, and best practices you need to ensure your servers are under a supported recipe. You can download the latest HP Service Pack for ProLiant here.

HP Provider Features

• Report installed licenses for HP Dynamic Smart Array Controller.
• Report New memory properties.
• Support for IP Address encoding in SNMP traps.
• Support SMX MemoryModuleOnBoard association.
• HP Dynamic Smart Array Controller split cache support.
• Report New RAID levels for storage volume fault tolerance.
• HP Smart Cache support.
• Update reporting of Smart Array Cache Status to align with firmware and iLO.

HP AMS features

• Report running SW processes to HP Insight Remote Support.
• Report vSphere 5.1 U1 SNMP agent management IP and enable VMware vSphere 5.1
• U1 SNMP agent to report iLO4 management IP.
• IML logging for NIC, and SAS traps.
• Limit AMS log file size and support log redirection as defined by the ESXi host parameter:
• ScratchConfig.ConfiguredScratchLocation

SR-IOV Support

• Updated Intel 10Gb network driver to enable SR-IOV for the HP 560FLB, 560M, 560 SFP+, and 560FLR-SFP+. (Note: ESXi Enterprise Plus is required for SR-IOV)

Other Enhancements

• FCoE on Emulex CNAs
  To support FCoE on Emulex CNAs on vSphere 5.1 U1, HP recommends using the versions of the vSphere 5.1 U1 Emulex drivers as defined in the HP ProLiant server and option firmware and driver support recipe document available here.
• iSCSI on Emulex
  iSCSI on Emulex is now supported on vSphere 5.1 U1 using the versions of the Emulex drivers defined in the October HP ProLiant server and option firmware and driver support recipe document available here.

References:

HP VMware vSphere 5.1 U1 Customized Image, April 2013, Release Notes
HP VMware vSphere 5.1 U1, April 2013, Driver VIBs
April 2013 VMware Firmware and Software Recipe
HP Custom Image for ESXi 5.1 Update 1 Install CD
HP ProLiant Server VMware Support Matrix

The post HP ESXi 5.1 Update 1 Custom ISO Released appeared first on Derek Seaman's Blog.

VMware vSphere 5.1 Update 1 has a laundry list of improvements, support for new Microsoft products, and a lot of bug fixes. If you are still on vSphere 5.0 or tried 5.1 in the past and ran into problems, you definitely need to check out vSphere 5.1 Update 1. If you want a complete vSphere 5.1 installation guide, check out my 15-part blog series here. I will be updating it in the near future for Update 1. If you are running vSphere 5.1, there are a number of security vulnerabilities addressed in the update so start planning your upgrade.

Known Issues with vSphere 5.1 Update 1

Today VMware posted a new KB warning about a vSphere 5.1 Update 1 bug, which may affect customers. The problem prevents you from logging into the vSphere Web Client using an AD account, if you AD account is a member of approximately 19 or more domain groups and the SSO service is configured with multiple domains. The KB states until a hotfix is released, DO NOT upgrade to vSphere 5.1 Update 1. In many enterprise environments a vSphere administrator may be in dozens of groups, depending on how access is controlled within the domain. Fewer customers will probably have SSO configured for multiple domains, so the impact of this issue is probably limited to larger enterprises. Additional issues include:

• If you are using the vSphere Storage Appliance, you MUST upgrade to vSA 5.1.3 after you upgrade the rest of your infrastructure to vSphere 5.1 Update 1. vSA 5.1.1 is NOT compatible with vSphere 5.1 Update 1.
• You can NOT use the simple installer to upgrade from prior 5.1 versions to 5.1 Update 1. You must utilize the individual installers.
• Windows Server 2012 failover clusters are NOT supported on ESXi 5.1 Update 1. The cluster validation wizard gets stuck in an endless loop and you are unable for form the cluster.

What got updated in vCloud Suite 5.1 Update 1?

• ESXi 5.1 Update 1 Build 1065491
• vCenter Server 5.1 Update 1 Build 1065152
• vSphere Data Protection 5.1.10.32
• vSphere Replication 5.1.1
• vSphere Storage Appliance 5.1.3
• vCenter Orchestrator Appliance 5.1.1
• vCloud Director 5.1.2
• vCenter Site Recovery Manager 5.1.1
• vSphere 5.1 Update 1 Virtual Disk Development Kit
• vSphere CLI 5.1 Update 1
• VMware Converter Standalone 5.1 (Download here)
• VMware vCenter Server Heartbeat 6.5 Update 1
• VMware vSphere Management Assistant (5.1.0.1 - April 4, 2013)
• HP Custom Image for ESXi 5.1.0 Update 1 Install CD

You can find all of these downloads in the usual place, My VMware. You can download the updated documentation archive ZIP bundle here. The full documentation page is here.

vCenter Server 5.1 Update Release Notes

vCenter 5.1 Update 1 is more than just bug and security fixes, it incorporates a number of newly supported operating systems and database back-ends. You can find the full release notes here. Below is just a tiny faction of the new features and bugfixes.

What’s New?

• vCenter Server can be installed on Windows Server 2012
• vCenter can use Microsoft SQL Server 2012 and SQL Server 2008 R2 SP2
• Guest operating customization support for Windows 8, Windows Server 2012, Ubuntu 12.04 and RHEL 5.9
• Removed vRAM usage limit of 192GB on vSphere Essentials and Essentials Plus

Resolved Issues

A lot of bug fixes are included, but a few highlights include:

• Better error reporting when accidentally updating the Admin or STS service with incorrect protocol parameters. It will now tell you what you botched up.
• Number of security patches including Java, tcServer, vCSA remote code vulnerability
• Upgrade issues from 5.1.0a to 5.1.0b

VMware ESXi 5.1 Update 1 Release Notes

• Mirrors the new guest OS support in vCenter 5.1 Update 1. Full 200+ page OS compatibility matrix is here.
• Contains several security patches (glibc, libxslt, libxml2)
• Resolved: Long running vMotion operations might result in unicast flooding
• Windows Server 2012 failover clustering is not supported

You can find the ESXi 5.1 Update 1 full release notes here.

vCloud Director 5.1.2 Release Notes

Like vCenter 5.1 Update 1, vCloud Director has some new features and many resolved issues. Full release notes is here. The full vCloud Director 5.1.2 documentation set is here.

What’s new?

• Ability to delegate creating, reverting, and removing snapshots
• You can install vCloud Director on Red Hat Enterprise Linux 6.3
• You can install vClould Director using Microsoft SQL Server 2012 databases
• Supports customization of Windows Server 2012 guest operating systems

Resolved Issues

• Security vulnerabilities addressed by updating Java to 1.6.0_37
• Multiple bug fixes, see full release notes

vCenter Converter Standalone 5.1 Release Notes

The new version of Converter has added a number of great new features and broader operating system support. You can find the full release notes here.

• Supports VM hardware version 9
• Guest operating system support for Windows 8 and Windows Server 2012
• Guest operating system support for Red Hat Enterprise Linux 6
• Support for machine sources that use GPT partition tables
• Support for systems that use UEFI
• Support for EXT4 file system

vCenter Server Heartbeat 6.5 Update 1 Release Notes

No major changes here, but incremental support for the latest VMware products. Full release notes are here.

• Support for vCenter 5.1 Update 1
• Support for View Composer 5.2

vSphere Data Protection 5.1.20 Release Notes

More than just bug fixes, VMware added many new features to this build. Full release notes are here. A subset of the new features:

• Integration with vCenter alarms and alerts notification system
• Ability to clone backup jobs
• New filters to restore tab
• Expands capacity up to 8TB per appliance
• Supports the ability to expand existing datastores
• Supports guest-level backups of Microsoft SQL Servers
• Supports guest-level backups of Microsoft Exchange Servers

vSphere Storage Appliance 5.1.2 Release Notes

Like vSphere Data Protection, the vSphere Storage Appliance has many new features. The full release notes are here.

• Support multiple VSA clusters managed by a single vCenter Instance (about time)
• Ability to run vCenter Server on a subnet different from the VSA cluster
• Support for running the VSA on one of the ESXi hosts in the VSA cluster
• Ability to install the VSA on an existing ESXi host that has running VMs
• Ability to increase the storage capacity of a VSA cluster
• Up to 24TB of storage per node
• Multiple RAID types (RAID 5, RAID 6, RAID 10)

Summary

vSphere 5.1 Update 1 will be a welcomed upgrade to customers already running vSphere 5.1. After a rocky start of vSphere 5.1 GA, VMware has clearly been working on stability, bug fixes, and supporting the latest Microsoft operating systems and SQL databases. The vCloud Suite is ever expanding, so when you go to download all the components you will see over two dozen downloads you can choose from. If you’ve been hesitant to move up to vSphere 5.1, give 5.1 Update 1 a whirl in your lab and see if it’s stable enough for you.

The post VMware vSphere 5.1 Update 1..is it for you? appeared first on Derek Seaman's Blog.

Having never heard of Virsto before, I really had no background in what they did except a vague idea they did something with virtualization and storage. VMware had acquired them literally just weeks before the VMUG presentation, so it was great to hear the CEO’s presentation.

VMware Virsto is, in short, a virtual appliance that acts as an I/O intermediary between the VMs and your physical storage. You can think of it as software defined storage (SDS). The secret sauce is what Virsto does to the I/O to increase performance, decrease latency, mitigate snapshot performance issues, and reduce storage space.

The VMware Virsto VSA is presented RDMs from your physical storage array (NFS stores from your physical array are NOT supported), which it formats with a proprietary file system. The VSA then presents the virtualized storage via a NFS share, which the ESXi host mounts as a datastore. Your VMs then go into the NFS datastore, not a VMFS LUN. I borrowed the diagram below from a Virsto PDF  you can find here. In this case a picture is worth a thousand words, so check out the diagram.

Virsto currently supports Hyper-V and vSphere. They also have a vCenter plug-in which has hooks for View and XenDesktop, to accelerate VM provisioning. Whether VMware will kill off the Hyper-V and XenDesktop support is anyone’s guess. I would suspect those features will be retired at some point.

Mark Davis ran through the slides pretty darn fast, and there was a lot of technical content. But I did take some notes:

Software Defined Storage (SDN)

• Virsto for vSphere and Hyper-V
• In deployment since 2009, 75 customers (mostly on Hyper-V)
• Recently released Virsto for VMware (primary market was Hyper-V)
• Storage is the weak link in the virtualization stack

VMware Virsto Software Defined Storage

• Negatives for storage
  • Inefficient disk capacity because of VMDK and LUN mismatch (wasted space)
  • Data services tied to LUNs and not VMs (many VMs on a LUN that may have different requirements)
  • Multitude of device specific management tools
  • Can’t use server based SSD and HDD without losing VM mobility
  • Hypervisor is a storage I/O blender that makes I/O requests highly random
    • Primary cause of storage I/O problems
• Virsto for VMware
  • Pure software, VM-centric. HCL is any server that is on the VMware list. Works with any block storage (SAS, SATA, FC, iSCSI, etc.) from any vendor.
  • Demonstrated customer value: 9.7x to 56x peak performance increase
  • Max storage reduction: 60% – 94%
  • Workloads include VDI, SQL server, Oracle (no special modules for VDI/server workloads…does it all)
  • Does not require solid state drives, but works with them
  • Can make 10s of thousands of new VMs without breaking a sweat (efficient cloning)
  • Ideal use cases: VDI, database virtualization, test & dev
  • Virsto will remain a separate product for the time being and cost $ (will not be rolled into a vSphere SKU)
  • Licensed per TB of used storage space (after de-dupe)
• Virsto Eliminiates  Performance Degregration
  • One traditional VMware snapshot cuts I/O performance in half
  • Virsto provided 416% to 199% improvement in latency and IOPS when it does the snapshot (just a pointer in time)
• Customer Example
  • 16 hosts, 300TB storage, SQL Server Databases, 1.5 billion transactions a day
  • Storage hardware cost went from $4500 to $1200 (per storage unit was not mentioned)
• Virsto Internal Architecture
  • (Today) Installs one VM per host plus a separate management server per datacenter
  • Will not talk to NFS, but can use any block storage via RDMs
  • A log LUN (vLog) (10s of GBs) per host accepts all the IOs (makes is all sequential) and later destaged to physical disk. Writes are acklowledgfed instantly

Summary

There are lot of VSAs on the market which try and address the storage performance issues that virtualization causes. Atlantis Computing ILIO is aimed at VDI (now expanding to servers), plus several others. Virsto takes an interesting approach, and is designed for all workload types. Mark mentioned that now they have access to the VMware source code they’ve had had some ‘ah ha’ moments, wondering why some of the ESXi APIs were behaving the way they were. So I can only imagine that over the next several releases that their performance and integration will increase.

For the time being the product will be standalone, and require additional expenditure. Mark said this was needed to ensure product development, and that the features won’t be rolled into a vSphere SKU anytime soon. He hinted pieces of it might make it to the base platform, but by in large if you want Virsto you will be paying for it. It is licensed on a per-TB (post de-dupe) basis.

The post VMware Virsto Acquisition: VMUG Presentation appeared first on Derek Seaman's Blog.

Please update your bookmarks for my site to reflect the new URL: www.derekseaman.com

Please update your RSS post feeds to: feeds.derekseaman.com/derekseaman

I have redirects configured, so the transitions should be seamless. But even so I would urge RSS followers to change the URL so they aren’t dependent on redirection that may be retired in the future.

The biggest gotcha I found during the post migration from blogger was that all backslashes were stripped from the import. So code, directory paths, etc. are missing backslashes. I’m putting them back in popular posts as I have time.

Please feel free to leave feedback and report any problems with posts or links that you find. I’m excited about the new coat of paint on my content. I look forward to being able to take advantage of some cool WordPress plug-in features down the road.

The post ATTENTION: Blog is now at www.derekseaman.com appeared first on Derek Seaman's Blog.

So now that my blogging is gaining a wider audience some big changes are in store in the very near future that will allow me to produce better content and enable better branding:

• I’ve already redirected the not-so-professional BlogSpot subdomain Derek858 to my own domain, http://www.derekseaman.com/.
• I’m working on a completely new hosted WordPress site that will be easier to read and allow me to more easily post scripts and customize the look at feel to my liking. I had no idea there were so many plug-ins and how easy it is to configure.

My WordPress site is still under construction, but will go live at http://www.derekseaman.com/ in the very near future. I’m pretty excited about the transition and the new features it will bring me and the community. Should everything go well, redirection for all old links and RSS feeds will happen automatically for most people.

I’ve also migrated my RSS feed to FeedBlitz as well, and you can find that at feeds.derekseaman.com/derekseaman. If you are an RSS subscriber I suggest you update the URL for future proofing.

If you’ve bookmarked my site in your favorite browser I’d also suggest you change the site to http://www.derekseaman.com/. All permalinks will stay the same and will re-direct to my WordPress site, so most people won’t even realize the move except for the totally different look and feel of the new site.

I can’t wait to put the final touches on my site and flip the big switch in the sky (um I mean DNS server).  Stay tuned…..a new begging is near!

The post Attention! My blog is moving! appeared first on Derek Seaman's Blog.

1. Pressing 5 takes us back to the main menu. Now we press 6 to enter the web client and log browser update process. Pre the pre-planning guide we need option 1. I enter the SSO administrator username and password.

Several minutes later the process was a success.

Step 11 of the pre-planning guide is complete. Check!

2. Now we need to press 2, to trust the inventory service.

Several minutes later the process was a success.

Step 12 of the pre-planning guide is complete. Check!

3. Now we need to press 3, to trust the vCenter server.

Step 13 of the pre-planning guide is complete. Check!

4. Now we need to press 4, to update the web client SSL certificate. Again, the presented paths and files were correct. Enter the SSO administrator username and password.

Step 14 of the pre-planning guide is complete. Check!

5. Next up is pressing 5, to enable the log browser service to trust SSO.

Step 15 of the pre-planning guide is complete. Check!

6. Now press 6, to update the log browser SSL certificate. Again, the certificate and paths looked good. Enter the SSO username and password.

Step 16 of the pre-planning guide is complete. Check!

At this point, since I’m using the vCenter FQDN for the VUM configuration, I am not able to use the v1.0 of this tool to update the VUM certificates. You can check out Part 12 of my vSphere 5.1 Install series for the manual method to update the VUM SSL certificate.

7. To validate some of the certificates I launch the vSphere web client. Using my web browser I view the SSL certificate and validate that my new certificate is being used. I also open the log browser and pull down the logs from an ESXi host to verify that works as well.

Minus the VUM “known issue”, the tool worked flawlessly for me and certainly helped ease the SSL burden. I’m hoping future versions of the tool have the following enhancements:

• Automated execution of the pre-planning steps, so I don’t have to keep referring back the 18 step list and checking off each one (assuming an all-in-one server).
• Ability to create CSRs, submit to a Microsoft online CA, and download the certificates.
• Ability to create CSRs for an offline/commercial CA, and use the resulting certs
• Automatically build and verify the CA chain files, to reduce human error and confusion
• Provide a full GUI with detailed logging, to make the processes even easier
• Perform full certificate validation to ensure unique DNs
• Fix the VUM FQDN “known issue”
• Back-port the tool to work with vSphere 5.0
• Perform SQL database password validation
• Cache in memory all required passwords (flushed upon error or exiting)
• Configure all ODBC/JDBC SQL connection strings to use SSL (if SQL supports SSL)

I think the tool is a decent first stab at helping with the SSL configuration nightmare that 5.1 unleashed on the community. The process could be more fully automated, so I hope future versions can improve on this useful utility.

The post Using the VMware vCenter Certificate Automation Tool: Part 4 (Web Client and Log Browser) appeared first on Derek Seaman's Blog.

1. Per the pre-planning guide step 4 I exit back to the main menu by pressing 5, then press 4. vCenter needs to trust the SSO certificate, so I press 1. The default path and file are correct, so I press enter. Success!

Step 4 of the pre-planning guide is complete. Check!

2. From the same menu I press 2, to update the vCenter SSL certificate. Again, the default paths and files were correct so I accepted them. Now I’m prompted for the vCenter administrator name and password. Next I’m asked to enter the original vCenter server database password, with all kinds of scary warnings if I input the wrong password since no validation is done. I’m also asked to enter the SSO administrator username and password.

After several minutes of chugging away I see a successful message.

Step 5 of the pre-planning guide is complete. Check!

3. Per the pre-planning guide I now must select option 3, to trust the inventory service SSL certificate.

Step 6 of the pre-planning guide is complete. Check!

4. Pressing 5 I get back to the main menu. And I need to go back into the inventory service, so I press 3.  Finally, we now configure the inventory service to trust vCenter by pressing 2.

Step 7 of the pre-planning guide is complete. Check!

5. Pressing 5 I get back to the main menu. I now press 5, to update vCO. Per the pre-planning guide I need to configure vCO to trust SSO, so I press 1. The default SSO filename is correct so I press enter.

Step 8 of the pre-planning guide is complete. Check!

6. Now vCO needs to be told to trust vCenter server, so I press 2 and validate the path is right.

Step 9 of the pre-planning guide is complete. Check!

7. Next up is updating the vCO SSL certificate, so I press 3 and validate the path.

Step 10 of the pre-planning guide is complete. Check!

Check out Part 4 where we update the Web Client and Log Browser SSL certificates.

The post Using the VMware vCenter Certificate Automation Tool: Part 3 (vCenter and Orchestrator) appeared first on Derek Seaman's Blog.

1. In case things go Tango Uniform, I strongly urge you do a full backup of all vCenter databases (SSO, vCenter, and VUM), plus snapshot/backup your vCenter VM(s). If you hose up the certificate replacement process you may be left with a smoking vCenter hole. Backup before proceeding!

2. On your vCenter server run the ssl-updater.bat script. They have a built-in planner which tells you which steps to perform and in what order, depending on what services you want to update. To access the planner type 1.

3. Since we want to update all our services, I pressed 8.

The result of pressing 8, was the following text:

1. Go to the machine with Single Sign-On installed and – Update the Single Sign-On SSL certificate.
2. Go to the machine with Inventory Service installed and – Update Inventory Service trust to Single Sign-On.
3. Go to the machine with Inventory Service installed and – Update the Inventory  Service SSL certificate.
4. Go to the machine with vCenter Server installed and – Update vCenter Server trust to Single Sign-On.
5. Go to the machine with vCenter Server installed and – Update the vCenter Server SSL certificate.
6. Go to the machine with vCenter Server installed and – Update vCenter Server trust to Inventory Service.
7. Go to the machine with Inventory Service installed and – Update the Inventory  Service trust to vCenter Server.
8. Go to the machine with vCenter Orchestrator installed and – Update vCenter Or chestrator trust to Single Sign-On.
9. Go to the machine with vCenter Orchestrator installed and – Update vCenter Or chestrator trust to vCenter Server.
10. Go to the machine with vCenter Orchestrator installed and – Update the vCenter Orchestrator SSL certificate.
11. Go to the machine with vSphere Web Client installed and – Update vSphere Web  Client trust to Single Sign-On.
12. Go to the machine with vSphere Web Client installed and – Update vSphere Web  Client trust to Inventory Service.
13. Go to the machine with vSphere Web Client installed and – Update vSphere Web  Client trust to vCenter Server.
14. Go to the machine with vSphere Web Client installed and – Update the vSphere  Web Client SSL certificate.
15. Go to the machine with Log Browser installed and – Update the Log Browser trust to Single Sign-On.
16. Go to the machine with Log Browser installed and – Update the Log Browser SSL certificate.
17. Go to the machine with vSphere Update Manager installed and – Update the vSphere Update Manager SSL certificate.
18. Go to the machine with vSphere Update Manager installed and – Update vSphere Update Manager trust to vCenter Server.

As you can see, we have to perform 18 steps to fully update all SSL certificates. Due to the “Known Issues” with VUM and using a FQDN, I shall not be performing steps 17-18 since that is not a supported configuration.

4. Getting back to the main menu by pressing 9, I now want to start updating the SSL certificates in the prescribed order per the pre-planner. So I press 2 to start with SSO.

To perform the certificate update I press 1. At this point you can opt to sacrifice a chicken over your vCenter VM to appease the SSL gods and make this go smoother.

After pressing 1 it then asks me where my SSO SSL chain file is stored. And it also wants to know where the SSO private key is, as well. Since we previously configured the environment script, the paths and files it listed were correct. I then typed in my SSO master password (you do remember it, right?). My install did not involve load balancers, so I told the installer no.

At this point the black magic starts, and my heart was thumping hoping that my chicken sacrifice worked. And a minute later….all seems to be well. Chicken worked!

Step 1 of the pre-planning guide is complete. Check!

5. Now that the SSO certificate appears to be successfully updated, it’s time to march on to the inventory service. So I press 3 to return to the main menu. On the main menu I press 3 to update the inventory service. I’m now presented with a plethora of options.

Per the pre-planning guide I need to select option 1. After 30 seconds of disk activity, I get a successful message.

Step 2 of the pre-planning guide is complete. Check! 16 left to go.

6. Slightly illogically the next step is to select option 3, per the pre-planning guide. Again, the certificate paths and files are pre-populated and are correct. Now it wants to know the SSO administrator user. If you aren’t sure what this is, open the Web Client and login. If you can access and modify the Sign-On and Discovery settings, you probably have the right username. In my case this is “sysadmin”, but it will surely be different for you.

A little whirring of my disk drive, and I get a successful message.

Step 3 of the pre-planning guide is complete. Check! 15 left to go.

Next up in Part 3 is continuing the march towards completing all 18 steps by updating the vCenter and Orchestrator certificates.

The post Using the VMware vCenter Certificate Automation Tool: Part 2 (SSO and Inventory) appeared first on Derek Seaman's Blog.

My 15-part vSphere 5.1 series goes into all of the gory details of the manual replacement process, and closely follows the associated VMware KB articles but in a more understandable format that people seem to appreciate. But, now the process can be made easier and less painful.

So what’s new on the vSphere 5.1 SSL front? Late last week VMware released their first stab at easing the SSL certificate replacement torture in vSphere 5.1 with a basic command line tool which helps automate the process. I covered the announcement here. Since I’m pretty familiar with the pain and suffering vSphere 5.1 certificates has caused me, I wanted to see if this tool would make life easier.

Since the process is a bit long and only semi-automated, I’ve broken down the process into a series of posts:

Part 2 (SSO and Inventory)
Part 3 (vCenter and Orchestrator)
Part 4 (Web client and Log Browser)

–

UPDATE 5/18/2013: I’ve included some certificate and chain.pem validation steps. The certificate tool is very picky about the formatting and contents of the chain.pem files. If you get the certs in the wrong order or have too many certs, the tool produces cryptic error messages. I strongly urge you validate your certificates and chain.pem files or you may be opening a support case with VMware.

—

Before you begin this process, you MUST read through all of the limitations (“Known Issues”) of the v1.0 tool. The list is pretty extensive, and there was one biggie that jumped out at me. If during the vCenter VUM installer you elect to use the server FQDN instead of the IP address (which I would argue is a best practice), then you can’t use this tool to replace the VUM certificate. Really? Ouch. The tool also doesn’t help you generate any of the certificates, or a new requirement of certificate chain files for each of the seven services. So you still have a lot of pre-work to get to the point of even trying to use the tool. This is not a fully automated end-to-end tool that is wizard driven, which we desperately need.

Going into this with my eyes wide open, and somewhat tempered expectations of what it will do for me, I decided to give it a whirl. VMware’s KB article on the tool guides you through the process, but as usual, I think the process can use a bit more elaboration and screenshots.

In my case I have a Windows Server 2012 CA, and all of the vCenter services are installed on a single Windows Server 2008 R2 VM. My vCenter databases are on an external SQL 2008 R2 VM.

Prerequisites

Since this tool doesn’t help you create the certificate request files, generate the certificates, or the new PEM chain files we must do that prior to using the tool. I’ve updated my vCenter 5.1 U1 Installation: Part 2 (Create vCenter SSL Certificates) to address the new requirements and the addition of the Orchestrator certificate. So open up that post and follow through the entire certificate generation process, except for creating the JKS keystore. The script at the end of that post has been updated to create the newly required chained PEM files for each service. So if you’ve used that script before, grab the updated version and run it.

If you did not use my script which creates the chain.pem files, don’t worry. I’ve included steps later in this article on how to manually create them. Now that you’ve run through that long post to create all the certificate files, you should have a directory structure that looks like the screenshot below. I have these folders residing under D:\certs.

Inside each of the seven folders you should have the same set of files, as shown below with the appropriate configuration file. Again, if your chain.pem file is not present, I’ve included steps below on how to create and validate them.

You will also need the following accounts and passwords handy to complete the process:

• SSO administrator and password
• vCenter administrator and password
• Original vCenter database password

Configuring the Tool

1. Download the SSL Certificate Automation Tool from My VMware.

2. Copy it to your vCenter server and unzip it to a safe place, such as D:.

3. Open the ssl-environment.bat  file and fill in all of the missing paths. In my case I set the following:

set sso_cert_chain=D:\certs\sso\chain.pem
set sso_private_key=D:\certs\sso\rui.key
set sso_node_type=single
set sso_admin_is_behind_lb=
set sso_lb_certificate= set sso_lb_hostname=
set is_cert_chain=D:\certs\inventory\chain.pem
set is_private_key_new=D:\certs\inventory\rui.key
set vc_cert_chain=D:\certs\vCenter\chain.pem
set vc_private_key=D:\certs\vCenter\rui.key
set ngc_cert_chain=D:\certs\WebClient\chain.pem
set ngc_private_key=D:\certs\WebClient\rui.key
set logbrowser_cert_chain=D:\certs\LogBrowser\chain.pem
set logbrowser_private_key=D:\certs\LogBrowser\rui.key
set vco_cert_chain=D:\certs\Orchestrator\chain.pem
set vco_private_key=D:\certs\Orchestrator\rui.key
set vum_cert_chain=D:\certs\UpdateManager\chain.pem
set vum_private_key=D:\certs\UpdateManager\rui.key
set sso_admin_user=admin@system-domain
set vc_username=contoso\svc-vctr02-001
set last_error=
set ROLLBACK_BACKUP_FOLDER=%~dp0backup
set LOGS_FOLDER=%~dp0logs

4. Open an elevated command prompt and run the ssl-environment.bat script.

Creating PEM Files

If you used my script to automate the minting of your certificates then you already have the required chain.pem files. If you decided to go the more manual route, then you probably don’t have the required chain.pem files. They are easy to create, but also easy to screw up as the tool is very picky. Inside each service directory you need to have a chain.pem file. That file is comprised of the service’s certificate, intermediate CA (if you have one) and root CA certificates.

The VMware vCenter Certificate automation tool is very picky about whether your certificates are minted from a root CA or a subordinate CA. To find out which situation applies to you, open one of the certificates you’ve minted. If you only see one CA and the name of your vCenter server then then you don’t have a subordinate CA. If you see two or more CAs, then the one at the top is the root and the second one is the subordinate.

From inside each service directory you can use the following command to create the chain.pem file (assuming a subordinate CA):

copy /B rui.crt + D:\certs\root64-2.cer + D:\certs\root64-1.cer chain.pem

Repeat this process for every service directory. If you only have a root CA then the command would look like:

copy /B rui.crt + D:\certs\root64.cer chain.pem

Validate Chain.pem Files

You really should validate that the chain.pem files are properly configured. Having the certificates in the wrong order, or including an intermediate CA when your certificates are issued from a root CA will all cause the tool to #fail. Below is a truncated example of my root CA certificate file. I like to look at the last few characters of the cert, since they are very likely unique. Yours will of course be different.

Root64-1.cer (Root)

Root64-2.cer (Intermediate)

Opening one of the chain.pem files, if you are using an intermediate CA, shows that the service certificate is at the top, intermediate is in the middle, and the root is at the bottom. This is the correct order, and there must not be any blank lines before or after any certificate.

The certificate headers should also look exactly the same as below, with no extra information present. Even if your environment has an intermediate CA, if your certificates are issued from the root, do NOT include the intermediate CA. In that case you’d only have the service certificate at the top and the root at the bottom. Only include the CAs shown in your minted certificate, no more, no less.

If you jack up the order of the certs in the file you will get:

ERROR: One or more required parameters are not set or have invalid values: Certificate chain is incomplete: the root authority certificate is not present and cannot be detected automatically. The presence of the root certificate is required so the other service can establish trust to this service. Try adding the authority certificate manually.

Or if you include an intermediate CA but your certs are issued from the root:

ERROR: One or more required parameters are not set or have invalid values: The certificate chain file does not contain a valid certification path. PKIX path validation failed with: Could not validate certificate signature. (at certificate #1)

So please double check that your files are properly formatted, as the tool’s error messages are not that enlightening and don’t deal well with extra CA certificates.

Now that we have generated all of the required certificate files and set the environmental variables, we can walk through the planner and then actually replace the certificates. Replacing the SSO and Inventory SSL certificates are covered in Part 2.

The post Using the VMware vCenter Certificate Automation Tool: Part 1 (Pre-reqs and Config) appeared first on Derek Seaman's Blog.

The new tool is called vCenter Certificate Automation 1.0, and will replace the certificates for:

• vCenter Server
• vCenter Single Sign On
• vCenter inventory service
• vSphere web client
• vCenter log browser
• VMware Update Manager
• vCenter Orchestrator

VMware has a KB article which goes into great detail about how to use the tool and the known issues. It’s critical you read the Know Issues section, as there’s a long list of issues to be aware of. One of the biggies to me is the unsupported case of registering VUM to vCenter using the FQDN. This is standard practice in all of my configurations, so for now v1.0 of this tool won’t be a complete solution. There are also some roll-back issues as well, so just to be safe I would make sure you have a complete backup your server and related databases, in case things go sideways.

It’s great to see VMware try and ease the pain they’ve created in the methodology they’ve employed to use SSL certificates. I hope in future versions that under the covers they do some major re-work of the SSL architecture to not require such complex and tedious steps or specialized tools to implement what I consider basic modern security. The Horizon View team got certificates “right” starting with 5.0.

You can find a four part series on using the tool in the real world here. I encourage everyone to check out that series, so you can get a feeling for how the process works.

The post VMware vCenter Certificate Automation Tool 1.0 Released appeared first on Derek Seaman's Blog.

There are some great first timers on the list, such as Cormac Hogan which has stellar storage related blog articles. And of course Mike Webster (Long White Clouds), focusing on security and SSL certificates. I’m honored to be a first timer on the list, and broke into the top 25 at #24! I also made the Favorite Independent Blogger at #11, just after Julian’s Great blog (WoodITWork).

You can check out the whole list at vSphere-Land here. But here’s a snippet of the Top 25 Virtualization Bloggers for 2013. Thanks for everyone that voted, I’m honored!

Top 25 Virtualization Bloggers

The post Voted into the Top 25 Virtualization Bloggers for 2013 appeared first on Derek Seaman's Blog.