Configure and manage VMware Endpoint Certificate Store

Manish Jha

VMware Endpoint Certificate Store (VECS) serves as a local repository for certificates, private keys, and other certificate information that can be stored in a keystore. You can decide not to use VMCA as your certificate authority and certificate signer, but you must use VECS to store all vCenter certificates, keys, and so on. ESXi certificates are stored locally on each host and not in VECS.

VECS runs as part of the VMware Authentication Framework Daemon (VMAFD). VECS runs on every embedded deployment, Platform Services Controller node, and management node (vCenter) and holds the keystores that contain the certificates and keys.

VECS polls VMware Directory Service (vmdir) periodically for updates to the TRUSTED_ROOTS store. You can also explicitly manage certificates and keys in VECS using vecs-cli commands.

VECS Default Stores

1: Machine SSL Store (MACHINE_SSL_CERT)

This store is used by the reverse proxy service on every vSphere node. This store is also used by the VMware Directory Service (vmdir) on embedded deployments and on each Platform Services Controller node.Read More

Replacing vSphere 6.0 certificates using VMCA as a Subordinate CA

Manish Jha

vSphere 6.0 brought many enhancements with it and one of the most significant among them was VMware Certificate Authority which is VMware’s own CA and it eases the pain of certificate management in vSphere 6.

VMCA is itself a fully functional CA and can be used to issue certificates to all vSphere 6 components (vCenter and ESXi hosts) in your environment. VMCA dont have any graphical interface like Microsoft CA and is totally command line driven.

VMCA is part of Platform services controller and there are various deployment model available for configuring VMCA including:

  • VMCA as Root CA
  • VMCA as Subordinate CA to an External Enterprise CA
  • External CA
  • Hybrid mode

Derek Seamen has explained about these deployment options in greater detail here

By default, the VMCA self-signs its own certificate which is used by vCenter server and Esxi hosts. If  your organization policy don’t allow using self-signed certs then you can replace the certs generated by VMCA and sending them to an enterprise CA for signing.Read More

Backup and Restore Resource Pool Configurations

Manish Jha

When DRS is disabled on a cluster, it removes all the resource pools that are part of the cluster and the resource pool hierarchy and affinity rules are not re-established when DRS is turned back on. 

Now if you really want to disable DRS (for any maintenance activity) and want to save yourself from the pain of re-creating resource pools and configuring share/limits etc, you can take backup of resource pools and and restore it later post completing the maintenance and enabling DRS again.

In my lab I created a resource pool named “RP-Edge” and placed one VM in this resource pool.

rpbkp-0.PNG

When you disable DRS on a cluster, vSphere gives you an opportunity to save the resource pool tree in a file which can be used later to restore the resource pool hierarchy.

Just click on yes on the warning window presented.

rpbkp-1

save the file on your local PC.

rpbkp-2

At this point, the resource pool is gone and the Win-DR-Test VM is out of the resource pool.… Read More

Backup and Restore vDS Configurations

Manish Jha

You can export vSphere distributed switch and distributed port group configurations to a file. The file preserves valid network configurations, enabling distribution of these configurations to other deployments.

This functionality is available only with the vSphere Web Client 5.1 or later. However, you can export settings from any version of a distributed switch if you use the vSphere Web Client or later.

To export vSphere Distributed Switch configurations using the vSphere Web Client:
 
1: Browse to a distributed switch in the vSphere Web Client navigator and Right-click the distributed switch and click Settings > Export Configuration
 

vds-bkp-1.PNG

2: Select the Export the distributed switch configuration or Export the distributed switch configuration and all port groups option.

vds-bkp-2.PNG

3: Click Yes to save the configuration file to your local system. 

vds-bkp-3.PNG

Select a location your computer where you want to save the backup file and also provide a name for the backup file.

vds-bkp-4

You now have a configuration file that contains all settings for the selected distributed switch and distributed port group.Read More

Troubleshooting vSphere Replication plugin missing from vCenter Server

Manish Jha

Last week I upgraded my VR appliance from 6.1.1 to 6.1.2 and registered VR to vCenter and to my surprise VR plugin was missing after I reloaded my vSphere Web Client. I tried logoff and login to Web Client a couple of times, but luck was not with my side. 

vrplugin-1.PNG

While configuring VR, I saw a succesful configuration message, So easily I can rule out issues with VR > VC registration. 

vrplugin-2.PNG

I even restarted Web Client service followed by bouncing vCenter server node but VR has decided to give up on me that day and still the plugin was missing from Web Client. This was a bit strange for me as I have deployed VR in my lab 3-4 times and never encountered this issue.

On googling the issue, I came across VMware KB-2149560 which clearly mentions that this is a known issue with VR 6.1.2. The KB has all the steps listed in order to fix the issue. … Read More

vSphere Replication & Multi Point in Time Snapshots

Manish Jha

When configuring replication of a virtual machine, you might have noticed the option “Point in time instances” aka PIT. This setting allow for some snapshots to be maintained at the DR site for the replicated VM at certain intervals.  

During replication, vSphere Replication replicates all aspects of the virtual machine to the target site, including any potential viruses and corrupted applications. The benefit being that if a guest is corrupted, we have multiple points in time to failover from in case the corruption already replicated across sites

vSphere Replication retains a number of snapshot instances of the virtual machine on the target site based on the retention policy that you specify. vSphere Replication supports maximum of 24 snapshot instances. After you recover a virtual machine, you can revert it to a specific snapshot.

mpit-1

Multiple Point In Time (MPIT) recovery was first introduced in vSphere replication 5.5 and it enables an administrator to recover a virtual machine to the latest replicated copy at the target site and then revert, or “roll back,” that virtual machine to a previous point in time.Read More

Replicating VM between sites using vSphere Replication

Manish Jha

Once your primary and DR site is ready, you can start replicating VM’s between the sites and test the failover/failback etc to ensure your disaster recovery plans are functioning well and you will be protected when actual disaster happens in your on-premise datacenter.

In this post we will learn how to replicate VM from one vCenter to another which is in DR site. Lets get started.

Navigate to VM and template view in vCenter server in your source site and select the VM which you want to replicate to the DR site. Right click on the VM and chose All vSphere Replication Actions > Configure replication

config-9

vSphere Replication can be used to replicate VM’s to the local DR site as well as to a cloud provider side such as vCloud Air . In our example we are going for a local DR site replication so I chose Replicate to a vCenter Server. Read More

vSphere Replication 6.0 Compression Method

Manish Jha

With vSphere Replication 6.0, VMware added a new feature named “Network Compression” and you have noticed this while configuring replication for a virtual machine. 

data compression-0.PNG

What is Network Compression?

It is a method for compressing the replication data that is transferred through the network which helps in saving network bandwidth and might help reduce the amount of buffer memory used on the vSphere Replication server. However, compressing and decompressing data requires more CPU resources on both the source site and the server that manages the target datastore.

Do you really need network compression in your infrastructure?

vSphere Replication uses CBT technique to replicate changed blocks to a DR site (which commonly exists in cloud these days) and the DR site is usually connected to primary site via a WAN link. These WAN links typically have limited bandwidth or high latency. Network compression can save your precious WAN bandwidth.

VR data compression support

vSphere Replication 6.0 supports end-to-end compression when the source and target ESXi hosts are also version 6.0.Read More

Isolating vSphere Replication Traffic

Manish Jha

Prior to vSphere 6, the replication traffic was sent and received using the management interfaces of ESXi and VRA appliances. With vSphere 6 it is possible to send the replication traffic over a separate dedicated interface.

By default, the vSphere Replication appliance has one VM network adapter that is used for various traffic types.

  • Management traffic between vSphere Replication Management Server and vSphere Replication Server.

  • Replication traffic from the source ESXi hosts to the vSphere Replication Server.

  • Traffic between vCenter Server and vSphere Replication Management Server.

  • NFC (Network File Copy) traffic which is used to copy VM replication data from the vSphere Replication Server appliance at the target site to the destination datastores.

VR Traffic Flow

We will use below image for understanding the flow of replication traffic

VR-Traffic-Flow-2.png

Typically these are the sequence of events that take places when a VM is configured for replication and initial sync has completed:

  • As data is written to VM disks, the writes pass through the vSCSI filter on the host where the VM is running
  • The vSCSI filter monitors all I/O to the VMs disks and tracks those changes.
Read More

vSphere Data Protection-Part 5: Configuring Backup Replication

Manish Jha

In last post of this series we learnt how to configure a backup verification job and test wether or not a taken backup is restoreable. In this post we will learn how to configure data backup replication so that in case of disaster, if source site is completely down,even then data can be restored from secondary location.

If you accidently landed on this post and have missed earlier post of this series, you can read them from below links:

1: Introduction to vSphere Data Protection

2: Installing & Configuring vSphere Data Protection

3: Backup And Restore VM’s using VDP

4: Configure a Backup Verification job

Lets get started with some theoretical concepts about replication before jumping into lab and actually configuring and testing it. 

About VDP Replication

Replication enables you to avoid data loss if the source VDP appliance fails because copies of the backups are available on the destination target. Read More