Password Policy for vSphere 6.0 Hosts

A complex password is a firstmost requirement for any system that simply uses username/password (no RSA, 2Factor authentication kinda thing) for authentication. For a windows or unix/linux based systems, system administrators used to push complex password requirements via AD/LDAP.

A complex password ensures that system is least vulnerable to any unauthorized attempt to login to your system and vSphere is no different than any other system in this regard. 

With release of vSphere 6, VMware enahnced their password policy and enforced to use more complex passwords with Esxi hosts and SSO. Esxi host enforces password requirements for direct access from the DCUI, Esxi Shell, SSH and vSphere web Client.  

ESXi uses the pam_passwdqc.so plug-in to set the password policy/rules. ESXi doesn’t place any complexity restrictions on the root account’s password. However, non-root accounts will be subject to the default rules defined in pam_passwdqc.so.

In previous release of vSphere, Esxi host password complexity changes were made by editing the /etc/pam.d/passwdRead the rest

Customize SSH and Esxi Shell Settings for Increased Security

The ESXi Shell provides access to maintenance commands and other configuration options. Esxi shell and SSH comes in handy when there are certain tasks that can’t be done through the Web Client or other remote management tools. 

Enabling local and remote shell access on Esxi hosts

Login to vSphere Web Client and select an Esxi host and navigate to Manage > Settings > Security Profile Services and click Edit

serv-1.PNG

We can enable/dsable below services and also can change their start up method:

  • Direct Console UI
  • ESXi Shell
  • SSH

serv-2.PNG

Enabling SSH or local shell through the DCUI.

Go to the console of the host. Press F2 and enter esxi host credentials.

Select Troubleshooting Options and hit Enter on each service you want to enable/disable.

serv-3.PNG

Configuring the Timeout For the ESXi Shell

By default the timeout setting for the ESXi shell is set to disabled. The shell timeout setting allows you to specify how long an inactive session is left open.Read the rest

Enable and Configure ESXi Host Lockdown Mode

To enhance the security measures in a virtualized environment, it is often advisable to limit direct access to Esxi hosts and this is when lockdown mode concept comes into picture. Lockdown mode is used on Esxi hosts in order to improve security of the hosts which are centrally managed by vCenter server.

When the lockdown mode is enabled, the host is managed using the vSphere Client connected to the managing vCenter Server, VMware PowerCLI, or VMware vSphere Command-Line Interface (vCLI). The only difference is that access is authenticated through the vCenter Server instead of using a local account on the ESXi host.

When the lockdown mode is enabled, access to the host through SSH is unavailable except to configured exception users.

Lockdown mode in vSphere 6.0

With vSphere 6.0, VMware introduced a couple of new concepts into lockdown mode as listed below

  • Normal Lockdown Mode
  • Strict Lockdown Mode
  • Exception Users

Lets understand about these concepts one by one.Read the rest

Configure SSL Timeouts on Esxi Host

To authenticate against vCenter SSO, solution users uses certificates to establish a secure connection. A solution user presents the certificate to vCenter SSO in 3 cases:

  • When solution user authenticates against sso for very first time.
  • After a reboot, and
  • After a timeout has elapsed.

The timeout value can be set from the Web Client. The default value for this is 2592000 seconds (30 days). To change the default value, login to vSphere Web Client and navigate to  Administration > Single Sign-On > Configuration > Policies > Token Policy.

esxcert-11.PNG

On few blogs I read the following steps for configuring ssl timeouts. 

We can configure SSL timeouts for ESXi by editing a configuration file on the ESXi host.

Timeout periods can be set for 2 types of idle connections:

1: The Read Timeout setting applies to connections that have completed the SSL handshake process with port 443 of ESXi.

2: The Handshake Timeout setting applies to connections that have not completed the SSL handshake process on port 443 of ESXi.Read the rest

Enable/Disable certificate checking on Esxi Host

The data that travels between clients and ESXi hosts is encrypted to ensure that the transactions are private and authenticated. The SSL is used to create a secure connection between the clients, ESXi hosts, and/or the vCenter Server.  SSL uses TCP/IP and allows SSL-enabled ESXi hosts and/or vCenter Server to authenticate with SSL-enabled clients. 

When an ESXi host or vCenter Server is installed, the installation includes SSL certificates. These preinstalled, auto generated certificates are not from an official certificate authority (CA), but they can be used to establish an initial connection.

The vCenter Server uses an SSL certificate when adding ESXi hosts and to connect to managed ESXi hosts whose passwords are stored in the vCenter Server database. After an authenticated encrypted connection is established, a smaller session key is encrypted and exchanged using public and private key pairs.

This shared session key is then used to encrypt and decrypt the data between client and server.Read the rest

Backup and Restore Resource Pool Configurations

When DRS is disabled on a cluster, it removes all the resource pools that are part of the cluster and the resource pool hierarchy and affinity rules are not re-established when DRS is turned back on. 

Now if you really want to disable DRS (for any maintenance activity) and want to save yourself from the pain of re-creating resource pools and configuring share/limits etc, you can take backup of resource pools and and restore it later post completing the maintenance and enabling DRS again.

In my lab I created a resource pool named “RP-Edge” and placed one VM in this resource pool.

rpbkp-0.PNG

When you disable DRS on a cluster, vSphere gives you an opportunity to save the resource pool tree in a file which can be used later to restore the resource pool hierarchy.

Just click on yes on the warning window presented.

rpbkp-1

save the file on your local PC.

rpbkp-2

At this point, the resource pool is gone and the Win-DR-Test VM is out of the resource pool.… Read the rest

Backup and Restore vDS Configurations

You can export vSphere distributed switch and distributed port group configurations to a file. The file preserves valid network configurations, enabling distribution of these configurations to other deployments.

This functionality is available only with the vSphere Web Client 5.1 or later. However, you can export settings from any version of a distributed switch if you use the vSphere Web Client or later.

To export vSphere Distributed Switch configurations using the vSphere Web Client:
 
1: Browse to a distributed switch in the vSphere Web Client navigator and Right-click the distributed switch and click Settings > Export Configuration
 

vds-bkp-1.PNG

2: Select the Export the distributed switch configuration or Export the distributed switch configuration and all port groups option.

vds-bkp-2.PNG

3: Click Yes to save the configuration file to your local system. 

vds-bkp-3.PNG

Select a location your computer where you want to save the backup file and also provide a name for the backup file.

vds-bkp-4

You now have a configuration file that contains all settings for the selected distributed switch and distributed port group.Read the rest

Troubleshooting vSphere Replication plugin missing from vCenter Server

Last week I upgraded my VR appliance from 6.1.1 to 6.1.2 and registered VR to vCenter and to my surprise VR plugin was missing after I reloaded my vSphere Web Client. I tried logoff and login to Web Client a couple of times, but luck was not with my side. 

vrplugin-1.PNG

While configuring VR, I saw a succesful configuration message, So easily I can rule out issues with VR > VC registration. 

vrplugin-2.PNG

I even restarted Web Client service followed by bouncing vCenter server node but VR has decided to give up on me that day and still the plugin was missing from Web Client. This was a bit strange for me as I have deployed VR in my lab 3-4 times and never encountered this issue.

On googling the issue, I came across VMware KB-2149560 which clearly mentions that this is a known issue with VR 6.1.2. The KB has all the steps listed in order to fix the issue. … Read the rest

vSphere Data Protection-Part 5: Configuring Backup Replication

In last post of this series we learnt how to configure a backup verification job and test wether or not a taken backup is restoreable. In this post we will learn how to configure data backup replication so that in case of disaster, if source site is completely down,even then data can be restored from secondary location.

If you accidently landed on this post and have missed earlier post of this series, you can read them from below links:

1: Introduction to vSphere Data Protection

2: Installing & Configuring vSphere Data Protection

3: Backup And Restore VM’s using VDP

4: Configure a Backup Verification job

Lets get started with some theoretical concepts about replication before jumping into lab and actually configuring and testing it. 

About VDP Replication

Replication enables you to avoid data loss if the source VDP appliance fails because copies of the backups are available on the destination target. Read the rest

vSphere Data Protection-Part 4: Configure a Backup Verification job

In last post of this series, we had a look on how to take backup and restore of VM’s using VDP and how to clone/edit existing backup jobs.

In this post we will discuss about how to configure a backup verification job to ensure integrity of backups taken by VDP. 

If you accidently landed on this post and have missed earlier post of this series, you can read them from below links:

1: Introduction to vSphere Data Protection

2: Installing & Configuring vSphere Data Protection

3: Backup And Restore VM’s using VDP

Automatic Backup Verification (ABV)
Automatic Backup Verification (ABV) is a scheduled or on-demand mechanism for verification of backups that ensures the integrity of restore points. ABV has the following characteristics:

  • Backups are restored to a temporary virtual machine with the following naming convention: VDP_VERIFICATION_<vm-name> -<unique number>
  • Backups are restored with no network conflicts, because the NIC is always disabled during the ABV operation.
Read the rest