virtuallyGhetto

vcsa

Default Password for vCenter SSO Admin Account on VCSA

by 12 Comments

I thought I share this quick tidbit about the VCSA (vCenter Server Appliance) default password for the vCenter SSO Administrator account as I was just asked about it today and this was something I had research just earlier in the week. In the Windows version of vCenter SSO installation, users are prompted during the install to select a password for this account, you might have seen it show up as [email protected]. For the VCSA, vCenter SSO is already installed and you might be wondering what the default password is?

Well, the answer is ... there is no default password. During the installation process, there is a random password that is generated and once the installation is complete, the password is then immediately removed. This is a good thing from a security perspective, by not having a default password set. This account is not only a vCenter SSO Administrator but it also the only account that has access to the internal RSA IMS system. You should definitely go in and set a password for this account after setting up your VCSA which can only be done through the vSphere Web Client.

Here are the steps:

1. Click on the Administration tab on the left hand side of the vSphere Web Client navigation bar.

2. Next click on "SSO Users ad Groups" and you should see the admin user account.

3. Lastly, you just need to right click and edit the user or select the pencil icon and set a password for the admin user account. Be sure to use a strong password, as there is a password validation before the system accepts the change.

Big thanks goes out to Michael Haines for helping me track down this answer about the default (or not so default) password for the admin account on the VCSA.

Automatically Join Multiple VCSA 5.1 using New vCenter SSO (Single Sign-On)

by 11 Comments

You may have recently heard about the new vCenter SSO (Single Sign-On) feature that is now part of the latest release of vSphere 5.1 which provides centralized authentication and directory services (supports multiple identify sources) across your vCenter Servers. vCenter SSO also provides a true single pane of glass for managing and viewing all your vSphere infrastructure and solutions, unlike it's predecessor Linked Mode feature, which many used to get a centralized view of all their vCenter Servers but without the true single-sign on capabilities.

Note: If you would like to learn more about the new vCenter SSO, I would recommend you take a look at the What's New vCenter Server 5.1 whitepaper by Justin King. 

I really love the new vCenter SSO feature, especially in my home lab where I have several vCenter Server 5.0 and 5.1 hosts running and I can view all of them in a single interface! One thing I tend to do a lot in my lab is automated deployments (you probably might have already guessed) and though the configuration web interface for vCenter Server is pretty easy to use, there is still a lot of clicking involved (as you know, I hate clicking a lot).

Just like with automating VCSA 5.1 deployments, I also looked into automating the joining of a VCSA to an existing vCenter SSO server. The example below will outline configuring a single VCSA to act as the primary vCenter SSO server and then configure two additional VCSA which will then connect to this primary vCenter Server providing them SSO capabilities.You can also run through this manually through the configuration web interface for each VCSA, but as mentioned earlier, it is manual and did I forget to mention ... tedious!

Disclaimer: This is for educational purposes only, this is not officially supported by VMware. Please test this in a development environment before using it on actual systems.

Step 1 - Configure your primary VCSA which will be the main SSO server. You will be leveraging the same script as shown in this article

Step 2 - Next, you will need to configure you secondary and tertiary (or n-others) VCSA using a similar script as in Step 1, but instead of configuring for an embedded SSO server, it will connect to the external SSO server which is specified by the IP Address or hostname of your primary VCSA.

Here is a script with the minimal commands needed for configuring your additional VCSA:
Note: Make sure you update the PRIMARY_VC variable to reflect the IP Address or hostname of your primary VCSA that was configured in Step 1

You will notice the output to be very similar, but it actually queries for the primary VCSA's lookupservice SSL thumbprint to configure the VCSA to use an external SSO server.

Once you have successfully deployed and configure your additional VCSA servers, you should now be able to login to your primary VCSA and view all your vCenter Servers in the inventory.

Is this not a cool feature!? You no longer have to manage dozen of vSphere C# Clients to get a view of your vSphere infrastructure!

How to Register a vCenter Server 5.0 with Admin Tool on VCSA 5.1 Using SSH Port Forwarding

by 2 Comments

The new vSphere Web Client in vSphere 5.1 supports both vCenter Server 5.0 and 5.1, but before you can connect to a 5.0 system, you will need to manually register the vCenter Server with the vSphere Web Client Admin Tool. In the previous release, you could register a vCenter Server using the Admin Tool which was available by connecting to the localhost web application as outlined here or by performing the same operation via the command-line using /usr/lib/vmware-vsphere-client/scripts/admin-cmd.sh on the VCSA.

It looks like with the latest release, the admin script no longer function ("Cannot connect to vSphere Web Client administration tool.") and since the VCSA does not contain a full blown desktop with a browser like it's ugly Windows cousin ... you will not be able to register any of your existing vCenter Server 5.0 systems. Luckily, you do not need a browser running on the VCSA to perform the registration, you can use the browser on your desktop by simply using SSH port forwarding.

In the example below, I am connecting to my VCSA 5.1 from my iMac via terminal. You will need a system that can reach your VCSA that has a web browser which will be used to access the Admin Tool.

Step 1 -  SSH to your VCSA using the following command, be sure to replace "172.30.0.194" with the IP Address or hostname of your VCSA:

ssh [email protected] -L 9443:127.0.0.1:9443 -N

If the port forward was established correctly, the prompt will just sit there as denoted by the screenshot below.

Note: If you wish for the prompt to return, you can specify the -f flag after "ssh" but this ensures you remember you have a port forwarded.

Step 2 - Open a web browser on your local desktop and connect to the following address:

https://localhost:9443/admin-app

This should launch the vSphere Web Client Admin Tool and allow you to register your vCenter Server 5.0 hosts.

Even though I was able to get this to work, I personally would still prefer to be able to perform this operation via the command-line. I am still hoping that I might have missed something, but I have been told this might be expected 🙁

Automating VCSA 5.1 (vCenter Server Appliance) Configurations

by 15 Comments

If you have seen my previous article on Automating VCSA (vCenter Server Appliance) 5.0, you will notice the existing script will not work on latest VCSA 5.1, without a minor tweak. The reason for this is due to the new vCenter SSO (Single Sign-On) configuration that is now part of the initial setup.

Note: If you would like to learn more about the new vCenter SSO, I would recommend you take a look at the What's New vCenter Server 5.1 whitepaper.

Luckily, the change is quite simple and in the example below, you will be configuring vCenter Server SSO to run in the embedded mode on the VCSA. I have also enhanced the script to include the joining of an Active Directory domain if you wish to have the VCSA backed by AD.

Disclaimer: This is for educational purposes only, this is not officially supported by VMware. Please test this in a development environment before using it on actual systems.

Here is a script with the minimal commands needed for running an embedded configuration:

Note: By default the script will not join an AD domain, you will need to change the JOIN_AD variable to 1 and ensure you specify all the Active Directory configurations including the FQDN of your vCenter Server as this is required for properly join your VCSA to your AD domain. If you choose to join an AD domain, make sure you have proper forward/reverse DNS configured on the VCSA and you will also need to reboot the VCSA for the changes to take effect.

To run the script remotely (you do not need to copy it to VCSA), use the following command:

# ssh [email protected][vcsa-ip] < configureVCSA.sh

You can now quickly deploy and configure your VCSA in just minutes versus spending 5-10 minutes clicking around and waiting for the web interface. Once you have tried this script, you will never go back to manually configuring the VCSA using the web interface!

Forwarding vCenter Server Logs to a Syslog Server

by 24 Comments

I was recently asked if it was possible to forward vCenter Server logs to a regular syslog server and if so, how difficult would it be to setup? I had researched this topic several years back, but did not find an ideal solution as vCenter Server was only available on the Windows platform and vCenter Server itself did not provide any syslogging capabilities. With the release of vSphere 5.0, VMware introduced the VCSA (vCenter Server Appliance) and realized I never revisited this question for the VCSA.

After a bit of digging, I found that the VCSA comes installed with syslog-ng by default which is used to provide the vSphere Syslog Collector functionality as well as the local syslog client for the VCSA itself. Given this information, it was pretty trivial to source the local /var/log/vmware/vpx/vpxd.log (symlink to latest vCenter Server log as well as other important vCenter logs) and automatically forward that to a remote syslog server.

VCSA Syslog Configuration

You will need to edit the following configuration file on the VCSA - /etc/syslog-ng/syslog-ng.conf and add the following lines at the bottom of the file (remember to replace the syslog host with your own):

Note: If you are interested in more details about "sourcing" a local log, take a look at this article here which I used as a reference.

Once you have saved the configuration file, you just need to restart the syslog client by running the following command:

service syslog restart

If you login to your remote syslog server, you should now see that your VCSA is forwarding it's vpxd logs over. Pretty simple, right? 🙂 You can of course forward over other vCenter Server logs by adding additional source files. The main key is that there is a symlink that automatically points to the latest log file which you map as the source file.

I am sure many of you are probably asking what about vCenter Server for Windows? Well, I did also looked into a similar solution but it's a bit more complex than just adding a few configuration entries.

Windows vCenter Server Syslog Configuration

Disclaimer: This is not supported by VMware, please use at your own risk.

There are a few challenges with the Windows version, by default there are no syslog clients installed and there is no automatic symlink to the latest vCenter Server log. Having said that, you can still get the above solution working using the free syslog-ng, but it takes a few more steps. The solution will be leveraging Cygwin, so we can run the free version of syslog-ng on a Windows system.

Step 1 - Install Cygwin and configure syslog-ng service on your vCenter Server as described in this article. You will need to add an additional package which is "Admin/Cron" that will be used in the subsequent steps. In the example, I ran syslog-ng under default system account, but if you need to run it under a different user, you may find these two articles to be helpful

  • http://linux.subogero.com/894/cron-on-cygwin/
  • http://www.davidjnice.com/articles/cygwin_cron-service.html

Step 2 - Just as before, we will need to edit /etc/syslog-ng/syslog-ng.conf and add the following lines at the bottom of the file (remember to replace the syslog host with your own):

You will notice this time, we are accessing the Windows C drive by using the /cygdrive path

Step 3 - As mentioned earlier, there is no symlink that points to the latest vCenter Server log, which makes it difficult to map to static log file. What we can do is basically identify the latest vpxd-#.log and automatically create a symlink and that is what is being monitored by syslog-ng to forward the log. We will be using a cronjob and a very simple shell script.

You can place the script in the current home directory /home/Administrator (or whatever default user you happen to have installed Cygwin on)

Here is the shell script which I have called latest.sh:

Make sure to set the script to be executable: chmod +x latest.sh

Step 4 - Create a cronjob which will run every minute (you might be able to set a longer delay depending on your environment and it's rotation frequency) by editing the following file /var/cron/tabs/Administrator or using crontab -e
Step 5 - Start or restart syslog-ng by running one of the following commands:

Start - cygrunsrv -S syslog-ng
Restart - cygrunsrv -E syslog-ng;cygrunsrv -S syslog-ng

If everything was successful, you should start seeing your vCenter Server logs from your Windows system forward to your remote syslog server. When the latest vpxd-#.log changes, the cronjob will automatically take care of re-linking to the latest vpxd-#.log to ensure you continue forwarding your vCenter Server logs.

As you can see, it is not trivial to set this up for the Windows vCenter Server as it is for the VCSA, but you now have a way to centrally store all your important vCenter Server logs for archival or analysis purposes without having to manually copy them off to a remote volume.

Few additional notes:

  • I believe the paid version of syslog-ng supports file globbing, so you do not need to setup a cronjob and just watch for all vpxd-*.log, but in this example, I went with a completely free solution
  • You might also be able to leverage Splunk to monitor vCenter Server logs as noted in this Splunkbase entry, but I have not verified and I am not sure if you have to pay for this feature in Splunk
  • Here is an easier way of forwarding vCenter Server logs on Windows using Snare by Raphael Schitz.

Automating vCenter Server Appliance 5.0 (VCSA) Configurations

by 2 Comments

I recently had a need to deploy half a dozen or so vCenter Server Appliance (VCSA) in my home lab and even though it is one of the easiest appliances to setup, going through the web management interface can still be time consuming. I was looking to see if there was a way to automate some of the configurations and while digging in some of the vCenter logs I came across /var/log/vmware/vpx/vpxd_cfg.log which provided the answer I was looking for.

If you watch the log as you configure the VCSA through the web management interface, you will see a series of commands calling /usr/sbin/vpxd_servicecfg. This utility is actually just a shell script wrapper for the configuration of vpxd (vCenter Server Daemon) and it's respective services.

As you can see there is a warning message about the use of the tool, so I will also re-iterate with my own disclaimer:

Disclaimer: This is for educational purposes only, this is not officially supported by VMware. Please test this in a development environment before using it on actual systems.

For my lab, this was exactly what I was looking for to quickly spin up VCSA and configure all the necessary services to start the vCenter Service. In my lab, I was able to get the VCSA booted up via DHCP and execute a simple shell script remotely via SSH to VCSA and then connect to vCenter Server after the process was completed.

Here is script with the minimal commands needed for running an embedded configuration:

To run the script remotely (you do not need to copy it to VCSA), use the following command:

# ssh [email protected][vcsa-ip] < configureVCSA.sh

The script accepts the EULA, configures the database as embedded configuration and then starts up the vCenter service. A return code is provided upon each command execution which has VC_CFG_RESULT=N where N can be 0 which is a successful execution and any other value means there is an error. To figure out what the code means, there is a section in the shell script that lists all the codes and their meaning. In general, you should be getting 0 for all commands

Here are some other useful commands that I tested with:

Configure Active Directory:

/usr/sbin/vpxd_servicecfg ad write [AD_USERNAME] [AD_PASSWORD] [AD_DOMAIN]

Re-initialize vCenter DB *** PLEASE BE VERY CAREFUL WHEN USING THIS COMMAND, AS DB IS WIPED***

ensure vpxd has stopped

vpxd_servicecfg stop

re-init DB

vpxd_servicecfg db initialize

You can also configure an external database for vCenter, NIS directory service and even replace SSL certificates but I will leave that to the reader for some exploration.