How to configure vCenter 6.5 as a Subordinate CA

After getting super annoyed with clicking “Advanced” and then “Proceed to vCenter (unsafe)” every single time I needed to go to the vSphere Web Client, it was time for me to solve this once and for all.

[Image: Subordinate CA]

Let’s get started!

Pre-requisites

  • Configured Microsoft CA (link)
  • vSphere and vCenter Certificate Templates (link)

Generate Certificate Signing Request (CSR)

SSH to your vCenter Server when you use vCenter with the embedded Platform Services Controller (PSC), or SSH to the PSC when you use an external PSC.

Enable the BASH shell and set it to the default shell (link).

Run /usr/lib/vmware-vmca/bin/certificate-manager and select option 2.


Host Profiles: Number of network stack instances don’t match

Today was a nice and peaceful day onsite, until I had the “pleasure” of configuring vSphere Host Profiles and getting all the hosts compliant. After battling with some PSP (path selection policy) “Compliance Failures”, an annoying “Number of network stack instances don’t match” failure appeared.

[Image: Host Profiles]

This is not the first time I have run into this failure and I knew how to solve it, but there is not much information online about how to fix it, so I thought I would dedicate a small post to it.

The Host Profiles fix

First open an SSH connection to the reference host and run the following command:

Then open an SSH connection to the host that refuses to become compliant with the Host Profile and run the same command again. Compare the two results: if the diagnosis is correct, an extra netstack is shown on the non-compliant host. Write down the netstack name and run the following command:

After this, go back to the vSphere Host Profiles and click “Check Profile Compliance”; the host should be “Compliant” when the check completes!

Enjoy! 🙂


VMware vCenter Certificate Automation Tool 5.5 Error

Yesterday I was updating the SSL certificates of a vCenter 5.5 deployment with the VMware vCenter Certificate Automation Tool 5.5 and ran into an annoying error:

[Image: vCenter Certificate]

Oh great, “errorlevel is 1”, no further information, nothing… So after double-checking everything from DNS to the certificate requests it was time for some Google voodoo.

Because this wasn’t my first rodeo with SSL certificates for VMware products and I knew that the requests were OK, I could focus on the PKI. During my search I came across a blog post by Sean Massey (link) stating:

Note: If you use the walkthrough to set up your PKI environment, you will need to alter the configuration file to remove the AlternateSignatureAlgorithm=1 line. This feature does not appear to be supported on vCenter and can cause errors when importing certificates.

So I compared the settings of the current PKI with one where it did work, and voilà: AlternateSignatureAlgorithm was set to 1 on the non-working side.

Luckily this is quite easy to change by editing the registry on the issuing CA. Look for the following value:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\IssuingCA\CSP\AlternateSignatureAlgorithm

and set it to 0. If you remove this value completely, the CA uses the default setting, which is 1, so be sure to set it to 0! If the value is not there, just create it and set it to 0.

Restart your issuing CA (better safe than sorry), resubmit your certificate requests, follow the procedure for updating the vCenter SSL certificates again, and behold:

[Image: vCenter Certificates]

No more errors and the SSL certificate update completed successfully!

Some background information about the AlternateSignatureAlgorithm value (link).
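A quick way to audit this on the issuing CA, as an added example that is not from the original post: the PowerShell below reads the CSP\AlternateSignatureAlgorithm value for every CA under the CertSvc configuration key (the CA name, shown as IssuingCA above, differs per environment), reports whether it is 0, missing or 1, and with -Fix writes an explicit 0. It assumes it runs in an elevated session on the CA server itself.

```powershell
# Added example (not from the original post): audit AlternateSignatureAlgorithm on
# every CA configured on this server and optionally set it to 0.
# Assumption: run elevated on the issuing CA; the CA subkey name varies per deployment.
param([switch]$Fix)

$configRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

foreach ($ca in Get-ChildItem -Path $configRoot) {
    $cspKey = Join-Path $ca.PSPath 'CSP'
    if (-not (Test-Path $cspKey)) { continue }   # not a CA subkey

    $value = (Get-ItemProperty -Path $cspKey).AlternateSignatureAlgorithm

    if ($null -eq $value) {
        # Absent value: the CA behaves as if it were 1 (PKCS#1 v2.1 signatures)
        $state = 'missing (defaults to 1)'
    } elseif ($value -eq 0) {
        $state = '0 (OK for vCenter)'
    } else {
        $state = "$value (vCenter certificate import will fail)"
    }
    Write-Host ("{0}: AlternateSignatureAlgorithm = {1}" -f $ca.PSChildName, $state)

    if ($Fix -and $value -ne 0) {
        # Create-or-overwrite so an explicit 0 replaces the implicit default of 1
        New-ItemProperty -Path $cspKey -Name AlternateSignatureAlgorithm `
            -PropertyType DWord -Value 0 -Force | Out-Null
        Write-Host "  -> set to 0; restart the CA service (Restart-Service CertSvc) to apply"
    }
}
```

Run it once without -Fix to see the current state, then with -Fix; certificates issued before the change keep their PKCS#1 v2.1 signature and need to be reissued.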


VMware vCenter 6 plugin errors after upgrade

Last week I upgraded a customer’s vSphere 5.5 environment to vSphere 6. Everything went smoothly: VSAN was upgraded to v2 and even Veeam picked up the new vCenter 6 appliance without a hitch. But when I opened the vSphere Client (yeah, I still use it sometimes… sorry for that) there were two plugin errors.

[Image: vCenter-Plugin]

VMware vCenter Storage Monitoring Service

The plug-in failed to load on server(s) xxxxx due to the following error: Could not load file or assembly ‘VI, Version=5.5.0.0, Culture=neutral, PublicKeyToken=xxxxx’ or one of its dependencies. The system cannot find the file specified.

This is expected behaviour in VMware vCenter 6 because the “Storage Views” tab is no longer available in the vSphere 6.0 Client.

The cure is easy: just uninstall the old vSphere 5.x client(s) and the “error” is gone!

Auto Deploy

The following error occurred while downloading the script plugin from https://xxxxx:6502/vmw/rbd/extensions.xml: The request failed because of a connection failure. (Unable to connect to the remote server)

There are 2 ways to solve this issue:

Put the vCenter Appliance embedded database in a consistent state

One of my customers asked me to back up and replicate their VMware vCenter 5.5 Appliance, which uses the embedded database, with Veeam Backup & Replication. To achieve this the vCenter embedded database, a vPostgres database, must be in a consistent state before it can be backed up and replicated properly.

[Image: vCenter-Backup]

There is a KB article from VMware about backing up and restoring the vCenter Server Appliance vPostgres database. The downside of this approach is that every time the backup runs the vPostgres database is dumped to disk, and the database is not consistent when it is replicated. So when the replicated vCenter on the DR side is started, bad things will happen…

To put the vCenter Appliance embedded database in a consistent state we need to tell the vPostgres database, before the Backup / Replication job starts, to prepare for an online backup. This can be done by creating two scripts: one that puts the vPostgres database into online backup mode and one that afterwards exits this state. These two scripts are triggered by VMware Tools when the Backup and Replication job runs with the “Guest Quiescence” option enabled.

For the VMware vCenter 6.0 Appliance this is not necessary because these scripts are already in place by default!

Let’s get started!

First enable SSH on the vCenter (if you’ve not done that already).

Log in to the VAMI of the vCenter Appliance, go to the Admin tab and change “Administrator SSH login enabled” to Yes.

Now start your favourite SSH client and log in to the vCenter Appliance over SSH.
Then create the first script for “freezing” the vPostgres database.

Add the following content:

Make the script executable.

Then create the second script for “releasing” the vPostgres database.