Automation, Cloud, Powershell, Virtualization

Using PowerCLI To Answer Virtual Machine Message Questions

No Comments

pic1

 

 

 

 

 

 

 

The Virtual Machine Message I’m faced with deals with the relocation of the VM.  Via the vSphere Client, my possible choices to answer the question are “Cancel”, “I moved it”, or “I copied it”.  I don’t have the patience or desire to mouse through this hundreds of times.

pic2

 

 

 

 

 

I want to provide the same answer, “I moved it”, for every VM in inventory which has this question.  The script to accomplish this is fairly simple, even by my standards.  Once the PowerCLI connection is established to the vCenter Server or ESX(i) host, it’s a one-liner.  Following is the PowerShell script which gets the job done for my situation:

Connect-VIServer vc501.boche.lab
Get-VM | Get-VMQuestion | Set-VMQuestion -Option “I moved it” -Confirm:$false

Note that there are different types of Virtual Machine Message questions which will yield a different set of possible answers.  Be sure to query a VM having a question via PowerCLI for the possible answers to that question.  Get-VM | Get-VMQuestion -full should do it.  Once the possible answers are revealed, use Set-VMQuestion -Option to provide an answer.

Also note the script above will cycle through all VMs in inventory, and for those having a question, it will provide the same response for each VM.  Thus the assumption is made that all VMs with pending questions have the same question being asked.  To respond to explicit question types or to filter the VMs being looped through, the script would need to be refined.

For more information on the Get-VMQuestion or Set-VMQuestion PowerCLI cmdlets, use Get-Help Get-VMQuestion -full or Set-Help Get-VMQuestion -full respectively.

Thank you to Jason Boche for this article

Continue Reading

Cloud, Security & SSL, Virtualization

vCloud Director and SSL Certificates

No Comments

VCD Cell SSL Certificates

The communication between the end-user and vCloud Director cell (either GUI or API) is encrypted and by default self-signed certificates are used. The certificate replacement procedure is explained in the documentation in a few simple steps. The problem I have encountered during big vCloud deployments is that enterprise security teams have specific procedures how to create and distribute certificates which is different from those described in the documentation.

The default procedure is following:

  • create untrusted certificates (private and public key) with JAVA keytool command (this must be done for vCloud Director GUI and console proxy)
  • create certificate signing requests
  • send the certificate signing requests to your Certification Authority
  • import the Certificate Authority root certificate
  • import signed certificates

In my case the certificates were created for me by the security team and I have received the private key in a .key file. On top of that the Certification Authority which signed the certificates was intermediate and was signed by two others. The chain was following: public Root CA -> intermediate CA1 -> intermediate CA2 -> VCD certificate.

vCloud Director JAVA keytool command does not allow private key import. Also the whole trusted chain for the certificate must be built so all the intermediate certificates are presented to the client browsers and the vCloud Director certificate can be validated. This has been achieved with the following procedure:

  1. Concatenate all CA certificates to create the whole chain:
    cat CA2.cer CA1.cer RootCA.cer > chain.crt
  2. With openssl create PKCS12 keystore with the private key, certificate chain and proper alias (first for the GUI):
    openssl.exe pkcs12 -export -in http.crt -inkey http.key -CAfile chain.crt -name http -passout pass:<password> -out http.pfx -chain
  3. Repeat for the console proxy:
    openssl.exe pkcs12 -export -in consoleproxy.crt -inkey consoleproxy.key -CAfile chain.crt -name consoleproxy -passout pass:<password> -out consoleproxy.pfx –chain
  4. Now we can import the two PKCS12 keystores into JAVA JCKS keystore with keytool:/opt/vmware/vcloud-director/jre/bin/keytool -importkeystore -deststorepass <password> -destkeystore certificates.ks -deststoretype JCEKS -srckeystore http.pfx -srcstoretype PKCS12 -srcstorepass <password>

    /opt/vmware/vcloud-director/jre/bin/keytool -importkeystore -deststorepass <password> -destkeystore certificates.ks -deststoretype JCEKS -srckeystore consoleproxy.pfx -srcstoretype PKCS12 -srcstorepass <password>
  5. We can check if the import was successful:
    /opt/vmware/vcloud-director/jre/bin/keytool -storetype JCEKS -storepass <password> -keystore certificates.ks –list
  6. Now we can import the new certificates to the vCloud Director cell. To do that we need first to stop it:service vmware-vcd stopNote this will interrupt all running VCD jobs. In order to do graceful shutdown followhttp://kb.vmware.com/kb/1033575
  7. Rerun configuration tool and point to the certificates.ks keystore created in steps 2 and 3. This will import the certificates./opt/vmware/vcloud-director/bin/configure
  8. Repeat for the other VCD cells

Special Thanks to Tom Fojta for this blog post.

Continue Reading