Month: October 2015

Lesson Learnt While Working With SSL Certificates

Manish Jha

From last 2 days I was working on using signed certificates for my vSphere lab and was determined to replace my self-signed certificate with signed certificate generated by my CA server.

I have written a blog post on how to setup CA server and how to generate signed certificates and how to replace them. If you have missed earlier post of this series you can read them from below links:

1: Installing and Configuring CA Server

2: Creating Certificate Templates

3: Creating SSL Web Certificates Template for VMware

4: Replacing vSphere SSL Certificates

I must say this journey of learning use of signed SSL certificates were not easy for me and I did made a few mistakes before setting everything up right. But I guess it was for my own good that I made these mistakes because then I had to do a lot of troubleshooting to set things correctly and learned quite few things while doing so.… Read More

Setup SSL Certificate For vSphere Lab-Part-5-Creating and Replacing vRealize SSL Certificates

Manish Jha

In last post of this series we learnt how to replace SSL certificates for different vSphere Components like SSO, Inventory Service, vCenter Server and Web-Client. In this post I am going one step further and will demonstrate how to replace vRealize SSL Certificates.

If you have missed earlier posts of this series I would recommend reading them first from below links:

1: Installing and Configuring CA Server

2: Creating Certificate Templates

3: Creating SSL Web Certificates Template for VMware

Prerequisites

The following prerequisites must be met before jumping into action:

1: Microsoft Enterprise CA server deployed along with IIS installed.
2: Web-Certificate Template created for vSphere components.
3: Download and install Win32 OpenSSL from Here

I have downloaded and installed Win32 Open SSL software on the same server where my vCenter Server is installed and I have added the path up to bin directory in my environment variables so that I can run openssl command from anywhere.… Read More

Setup SSL Certificate For vSphere Lab-Part-4-Creating and Replacing vSphere SSL Certificates

Manish Jha

You have observed that whenever you connect to vCenter Server using vSphere Client or connect via web-client you receive a warning that the certificate presented is not trusted and bla bla bla.

For lab environments or small environments Self-Signed certificates works just fine, but knowing how to use Signed Certificates is invaluable.

In this post we are going to cover how to create SSL Certificate request and how to replace them. If you have missed earlier posts of this series I would recommend reading them first from below links:

1: Installing and Configuring CA Server

2: Creating Certificate Templates

3: Creating SSL Web Certificates Template for VMware

Prerequisites

There are certain prerequisites that must be met before performing the SSL certs creation and replacement. These are listed as below:

1: Microsoft Enterprise CA server deployed along with IIS installed.
2: Web-Certificate Template created for vSphere components.
3: Download and install the vCenter Certificate Automation Tool from VMware.… Read More

Setup SSL Certificate For vSphere Lab-Part-3-Creating SSL Web Certificates Template for VMware

Manish Jha

In this post we are going to cover the SSL Web Certificate creation for VMware. If you have missed earlier posts of this series I would recommend reading them first from below links:

1: Installing and Configuring CA Server

2: Creating Certificate Templates

Lets begin with creating SSL Web certificates for VMware.

1: Launch the Certificate Authority MMC and navigate to Certificate Templates folder. Right click the folder and select Manage.

ssl-38

2: From the displayed list of templates, select Web Server template and right click on it and select Duplicate Template.

ssl-39

3: Select the Server 2008 Enterprise option. You can also choose Server 2003 option if you are looking for backward compatibility. Hit OK.

ssl-40

4: Provide a new name for this template. Modify the validity period and renewal period if you want longer period of time for this option and don’t want to go with default time period. Hit Apply OK.… Read More

Setup SSL Certificates For vSphere Lab-Part-2-Creating Certificate templates

Manish Jha

In our last post Setup SSL Certificate Authority For vSphere Lab we saw how to add CA Server Role to a windows server 2008 machine. In this post we will see how to generate certificates.

1: Launch Certificate Authority console from Administrative Tools.

ssl-20

2: Right Click on Certificate Template and click Manage.

ssl-21

3: Select the Windows Authentication Template and right click on it and select Duplicate Template.

ssl-22

4: Select Windows server 2008 Enterprise and hit OK.

ssl-23

5: Give the new certificate template a name. Also we need to change some of the properties of the new template.

I have changed the validity period to 5 years and selected Publish certificate in AD and Do not automatically reenroll option.

ssl-24

6: Go to Security tab and  change the “Domain Computers” permissions to read and autoenroll the certificate.

ssl-25

7: Go to Extensions Tab and change the Application Policies to include both Client and Server Authentication.… Read More

Setup SSL Certificates For vSphere Lab-Part-1-Configuring CA Server

Manish Jha

This week I was looking for setting up CA Server for generating SSL certificates which can be used in my vSphere Home Lab. Using Self-Signed certificates usually work in a lab environment, but its good to know how to work with signed certificates as in production environment organizations don’t use self-signed certificates and rely on SSL certificates bought from 3rd party like Thawte or Verisign.

Having your own CA is useful for testing SSL and other services that require certificates without the need to purchase certificates from a third party.  However, these certificates will not be automatically trusted by computers external to your AD domain, so there are some limitations.

In this post I am going to share the steps needed to configure a Windows 2008 R2 Server as Certificate Authority.

Prerequisites

  • Active Directory Domain already setup and configured
  • Server 2008 installed and joined to domain

Lets begin with configuring Server 2008 as CA server.… Read More

Configuring Port Binding Using CLI

Manish Jha

In my last post Configuring Multipathing for Software iSCSI Using Port Binding we saw how to configure port binding and achieve multipathing for software iSCSI using GUI. In this post we will learn how to achieve the same using CLI.

I have posted an article Managing vSphere Network From Command Line sometime back and we will be using some commands to configure the network first. So lets begin.

1: Verify number of uplinks available on Esxi host

# esxcli network nic list

icli-1

2: List all Standard vSwitch along with associated uplink

# esxcli network vswitch standard list

icli-2

So we have 3 uplinks on Esxi host here: vmnic0,vmnic1 and vmnic2. Out of this vmnic0 is connected to vSwitch0 and providing the management network. We will create a new vswitch and use vmnic1 and vmnic2 as uplink to that vswitch.

3: Create a standard vSwitch by name iscsi-vSwitch

#  esxcli network vswitch standard add -v iscsi-vSwitch -P 256

4: Add vmnic1 and vmnic2 as uplink to “iscsi-vSwitch”

# esxcli network vswitch standard uplink add -u=vmnic1 -v=iscsi-vSwitch

# esxcli network vswitch standard uplink add -u=vmnic2 -v=iscsi-vSwitch

icli-3

5: Make the uplinks as active

#  esxcli network vswitch standard policy failover set -a vmnic1,vmnic2 -v iscsi-vSwitch

6: Add 2 portgroups (iscsi-PG1 and iscsi-PG2) to iscsi-vSwitch

# esxcli network vswitch standard portgroup add -p=iscsi-PG1 -v=iscsi-vSwitch

# esxcli network vswitch standard portgroup add -p=iscsi-PG2 -v=iscsi-vSwitch

icli-4

7: Associate the uplinks with the correct portgroups

# esxcli network vswitch standard portgroup policy failover set -a vmnic1 -p iscsi-PG1

# esxcli network vswitch standard portgroup policy failover set -a vmnic2 -p iscsi-PG2

icli-5

8: Create the VMkernel interfaces and associate them with the portgroups iscsi-PG1 and iscsi-PG2

# esxcli network ip interface add -p iscsi-PG1 -i vmk1

# esxcli network ip interface add -p iscsi-PG2 -i vmk2

# esxcli network ip interface ipv4 set -i vmk1 -I 192.168.0.161 -N 255.255.255.0 -t static

# esxcli network ip interface ipv4 set -i vmk2 -I 192.168.0.162 -N 255.255.255.0 -t static

icli-6

9: Enable and Configure the iSCSI Software Adapter

# esxcli iscsi software set -e true

icli-7

10: Configure IP addresses of the iSCSI targets

# esxcli iscsi adapter discovery sendtarget add -a 192.168.0.90:3260 -A vmhba33

icli-8

Configure Port Binding

11: Bind the VMkernel network adapter to the iSCSI adapter

# esxcli iscsi networkportal add –nic vmk1 –adapter vmhba33

# esxcli iscsi networkportal add –nic vmk2 –adapter vmhba33
icli-11

Note: Binding details can be verified by using the following command:

# esxcli iscsi networkportal list –adapter vmhba33

iSCSI Re-login

If you have an already established iSCSI session before port binding configuration, you can remove the existing iSCSI sessions and log in again for the port binding configuration to take effect.… Read More

Configuring Multipathing for Software iSCSI Using Port Binding

Manish Jha

In this post we will learn how to achieve multipathing when using software iSCSI adapters to connect to Storage Array.

What is Multipathing?

Multipathing is having more than one path to storage devices from your server. At a given time more than one paths are used to connect to the LUN’s on storage device. It provides the ability to load-balance between paths when all paths are present and to handle failures of a path at any point between the server and the storage. Multipathing is a de-facto standard for most Fibre Channel SAN environments.

Multipathing for software iSCSI

For environments which uses software iSCSI to connect to Storage Array, multipathing is possible at the VMkernel network adapter level, but it is not the default configuration. The default iSCSI configuration creates only one path from the software iSCSI adapter (vmhba) to each iSCSI target.

To enable failover at the path level and to load-balance I/O traffic between paths, we have to configure port binding to create multiple paths between the software iSCSI adapters on Esxi servers and the storage array.… Read More

Diving Deep into VMware Fault Tolerance

Manish Jha

Today I was reading a whitepaper on VMware FT and came across some cool facts. In this post I am going to share some excerpts from that whitepaper.

Server virtualization has become very popular and grown very fast in last few years and enterprise started to use virtualization more and more to gain the benefits provided by virtualization such as:

1: Higher server consolidation ratios.

2: Better resource utilization (Using DRS).

3: Lower power consumption (Leveraging DPM).

4: Increased workload mobility via technologies such as vMotion and svMotion.

Features such as Distributed Resource Scheduler (DRS) and Distributed Power Management (DPM) are giving organizations a flexibility to go for a even higher consolidation ration than ever before. DRS is now a very trusted feature and almost all organizations are happy to use it in fully automated mode which was not the case earlier when DRS was introduced by VMware.

DRS and DPM complement the hardware evolution trends by applying dynamic resource allocation to lower the capital and operating costs in a datacenter.… Read More

ESXi Configuration Backup- Free tool for your lab

Manish Jha

This week I decided to test some software’s which can take configuration backup of my Esxi hosts and possibly vCenter Server also. I found one very good tool named Esxi Configuration Backup . I will demonstrate how to use this tool here. This tool can be pretty handy for lab environments and also for small environments where you don’t have large number of Esxi hosts.

ESXi Configuration Backup is a tool which can take backup of multiple ESXi  host configurations. It can also backup the vCenter Server database if database and vCenter are installed on same machine. There is a default retention policy set up for 2 weeks.

We can also create a windows scheduled tasks  for automating the backup or can go with the manual method.

Following are the features of Esxi Configuration Backup tool

  • Automatically backup multiple Esxi 4, 5 and 6 configurations.
  • Backup of any local Microsoft SQL Databases.
Read More