Creating certificate requests and certificates for vCenter Server 5.x components

December 11th, 2013

Configuring CA signed SSL certificates for vCenter components in vSphere 5.x

Note: Here I used the VMware certificate tool for custom certificate generation. OpenSSL can also be used. The associated downloads are:

a) VMware Certificate Automation Tool

b) OpenSSL

1) Run updater.bat from the automation tool bundle. From the SSL Certificate Automation tool, select Option 2 to Generate Certificate Requests.


2) Select the option for the service you are generating the certificate request for.

 

3) Enter the information requested for the certificate request. By default the SSL Certificate Automation tool automatically populates much of the information required.

 

4) Save the CSR and the KEY on to the computer.

 

Repeat steps 2, 3 and 4 until you have the CSR and KEY files for all the vCenter Server components.

 

At the end of step 4, you should have the rui.csr and rui.key files located in each of the respective directories as specified for the different services.

 

5) After the certificate request is created, it must be given to the certificate authority for generation of the actual certificate.

 

For obtaining the certificate using the CSR file, please refer to “Obtaining the certificate” section in the following knowledge base article :

 

http://kb.vmware.com/kb/2044696

 

At the end of this step, we should have rui.crt for all the vCenter components, along with the root certificate (Root64.cer) and the intermediate certificates (Root64-1.cer), if any.

 

6) Install the root certificate into the Trusted Root Certificate Authorities > Local Computer certificate store on each Windows system which has a service installed or which will be used to connect a client to the services.  If you are using intermediate certificates you should install them into the Intermediate Certificate Authorities > Local Computer certificate store.

 

7) Create the chain.pem file using the following steps:

a) Copy Root64.cer and Root64-1.cer to all the folders of the vCenter Server components.

b) Open a command prompt and navigate to the directory where the certificate file of each vCenter component is saved.

For example: for Single Sign-On, if the certificates are located on the C drive, open a command prompt and navigate to c:\certs\SSO

c) Run the following command to concatenate the certificate, intermediate certificate and root CA certificate into chain.pem.

copy rui.crt+Root64-1.cer+Root64.cer chain.pem

 

This will create the chain.pem file, which holds three PEM blocks, each enclosed in -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, in the following order: the certificate, the intermediate certificate, and the root certificate.

 

Now we have all the necessary files to deploy the SSL certs. Run the plan from the automation Tool. Provide required inputs as indicated by the plan and we should be able to deploy the certs without any problem.

 

For your future reference, you can also refer to the following knowledge base articles :

 

http://kb.vmware.com/kb/2034833 – Implementing CA signed SSL certificates with vSphere 5.x

http://kb.vmware.com/kb/2061934 – Creating certificate requests and certificates for vCenter Server 5.5 components

http://kb.vmware.com/kb/2057340 – Deploying and using the SSL Certificate Automation Tool 5.5

http://kb.vmware.com/kb/2044696 – Generating certificates for use with the VMware SSL Certificate Automation Tool

Thanks and Regards

Techvault.in

 

Delegate Administrator Privileges in Active Directory

April 30th, 2012

How to Delegate Administrator Privileges in Active Directory server

 

Microsoft Active Directory services can delegate Active Directory roles, such as user creation, user modification and deletion, to normal users or groups. This feature is very useful for the owner of the server, as it reduces the burden of ADS administration. Delegated privileges are mainly given to normal users. Below are some examples of common delegated privileges used in most IT organizations.

  • ADS object creation
  • Object attribute modification
  • User account unlock, password reset, etc.

 

Here I demonstrate delegating the account unlock and password reset privileges to normal users (the server platform is Windows 2008 R2 Enterprise). I created one group named EUS and two users (test1, test2) to receive these privileges. Make sure both users (test1, test2) are members of the EUS group.

Step 1:- Open the low-level Active Directory Services Interface editor, ADSIEDIT.MSC.

Step 2:- Connect to your domain through the adsiedit.msc tool. Here I connected to the Techvault.in domain.

Step 3:- Go to the container (OU) that holds the organization's users. In my case all the users are in the “Users” OU, so I selected the Users container.

Step 4:- Add the required group in the permission tab. Here I added the “EUS” group.

Step 5:- Go to the “Edit” tab and open the properties for that group. Then select the “Apply to” tab and set the value to “Descendant User Objects”.

Step 6:- After applying the above settings, tick the check boxes listed below.

Read Lockout Time
Write LockOut Time

These settings delegate the unlock privilege to normal users.

Read pwdLastSet
Write pwdLastSet

These settings delegate the “password reset” privilege to normal users who are members of the EUS group.

After completing all the above settings, refresh the ADS DB and log in as test1/test2 through the RSAT tool or directly on the ADS server, then check the delegated privileges.

 

Thanks.


How to Recreate Corrupted VMDK file

April 26th, 2011

Rebuild the vmdk file from the -flat file

Today one of my friends asked me a question about the VMware virtual hard disk (vmdk): “Is there any way to recreate a VMDK file?”

Yes! Recreating VMDK files is a very simple process.

Before going into the recreation, you need to understand the file extensions of an ESX virtual machine and the purpose of each file.

VMware ESX server file extension details

1) vmdk - virtual disk

2) vmx - Configuration file

3) NVRAM – Bios for VM

4) .log – Individual log file for a VM

5) REDO – file used to capture changes to an original vmdk

6) vmss – suspend file for an individual VM, state of VM when suspended

7) vswp – swap file used when ESX is in a memory over commitment situation

8) vmtd - Virtual Center template, the actual data file(s)

9) vmtx - Virtual Center template header

10) *-flat.vmdk file – This is the actual raw disk file that is created for each virtual hard drive. Almost all of a .vmdk file’s content is the virtual machine’s data, with a small portion allotted to virtual machine overhead. This file will be roughly the same size as your virtual hard drive.

11) *-delta.vmdk file – This is the differential file created when you take a snapshot of a VM (also known as REDO log).

VMware Workstation Files (http://www.vmware.com/support/ws55/doc/ws_learning_files_in_a_vm.html)

I believe you now have an overall idea of the virtual machine files. Next, I explain the VMDK recreation steps.

Before starting the process, you need to know the disk specification of the existing (corrupted) virtual machine.

Step:-1 Identify the size of the existing virtual machine's VMDK hard disk. If the virtual machine has multiple hard disks, you need to know the size of each one.

Go to the virtual machine's Edit Settings and check the hard disks' “provisioning size”.

Step:-2 Next, we need to create hard disks of the same size. I just created a temporary virtual machine on my ESX server. There is no need to install an operating system; just create a basic configuration with exactly the same hard disk size as the corrupted VM.

Step:-3 After creating the dummy virtual machine on your ESX server, copy its VMDK files to the corrupted machine's datastore using PuTTY, WinSCP or whatever you have (only the VMDK files need to be copied).

Step:-4 After copying, delete the old vmdk file (the corrupted vmdk file; note its name first) and rename the new vmdk file to the old vmdk file name.

Then edit the new vmdk file. The vmdk configuration has a section named “Extent description”, which states where the actual VM data is located, so it must name the actual VM data file. Update it with the corrupted machine's FLAT.VMDK file name. If you have multiple hard disks, update each one in order.

Step:-5 After completing the above steps, start the virtual machine and work on it.
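
An added example, not part of the original post: a Python helper for the descriptor edit in Step 4 that rewrites the extent line to name the surviving flat file and refuses to do so when the extent's sector count does not match the flat file's size. The descriptor text and the names temp-flat.vmdk and web01-flat.vmdk are constructed samples.

```python
import re

# Extent line layout: access  size-in-sectors  extent-type  "file name"  [offset]
EXTENT_RE = re.compile(r'^(RW|RDONLY|NOACCESS)\s+(\d+)\s+(\S+)\s+"([^"]+)"(.*)$')
SECTOR = 512  # extent sizes in the descriptor are counted in 512-byte sectors

def repoint_extent(descriptor, flat_name, flat_size_bytes):
    """Return the descriptor text with its extent line pointing at flat_name.

    Raises ValueError when the descriptor does not hold exactly one extent, or
    when the extent size differs from the flat file size, which means the
    temporary disk was not created with the same size as the original.
    """
    if flat_size_bytes % SECTOR:
        raise ValueError("flat file size is not a multiple of 512 bytes")
    out, extents = [], 0
    for line in descriptor.splitlines():
        m = EXTENT_RE.match(line.strip())
        if m:
            access, sectors, kind, _old_name, rest = m.groups()
            extent_bytes = int(sectors) * SECTOR
            if extent_bytes != flat_size_bytes:
                raise ValueError(
                    f"extent is {extent_bytes} bytes, flat file is {flat_size_bytes}")
            line = f'{access} {sectors} {kind} "{flat_name}"{rest}'
            extents += 1
        out.append(line)
    if extents != 1:
        raise ValueError(f"expected one extent line, found {extents}")
    return "\n".join(out) + "\n"

# Constructed sample: descriptor copied from a 1 GiB temporary disk.
SAMPLE_DESCRIPTOR = '''# Disk DescriptorFile
version=1
CID=fffffffe
parentCID=ffffffff
createType="vmfs"

# Extent description
RW 2097152 VMFS "temp-flat.vmdk"

# The Disk Data Base
ddb.adapterType = "lsilogic"
ddb.virtualHWVersion = "7"
'''

if __name__ == "__main__":
    # In practice flat_size_bytes comes from os.path.getsize() on the flat file.
    print(repoint_extent(SAMPLE_DESCRIPTOR, "web01-flat.vmdk", 1073741824))
```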

Let me know if you need any assistance

Thanks

Jinto Antony

ESX Host XXX “currently has no management network redundancy”

November 27th, 2010

Remove “has no management network redundancy” notification on VMware HA cluster Environment

This notification appears when the ESX service console does not have network redundancy configured properly.

To avoid this notification, network redundancy must be configured properly. VMware recommends that you add a second service console on a different vSwitch and subnet. Alternatively, you can add a second vmnic to the service console vSwitch.

The steps below will help you remove this notification.

Step:-1 Open the vCenter HA cluster configuration settings.

Step:-2 In the VMware HA tab, open the advanced options.

Step:-3 The advanced HA options have two columns, “Option” and “Value”. Add the following entry.

In the Option column add the entry “das.ignoreRedundantNetWarning”, and in the Value column add the value “true”.

Step:-4 After adding the entry, turn off “VMware HA”.

Then check the status of the HA disable task.

Finally, turn the VMware HA feature on again for your cluster. The notification no longer appears on your VMware HA cluster.

All the best

VMware Disk provisioning thin and thick conversion

October 22nd, 2010

VMware ESX/ESXi hosts mainly support two types of disk provisioning, “thin” and “thick”. Below is a brief note on disk provisioning, followed by an explanation of how to convert thin to thick and thick to thin.

  • Thick (or preallocated)

When a thick-provisioned disk is created, the whole defined space is allocated on the physical disk. For example, if we allocate 50GB of disk space to a new virtual machine, that 50GB is fully consumed on the physical drives.

  • Thin (or dynamically)

With thin disk provisioning, space on the physical disk is consumed only dynamically. For example, if you create a 100GB disk but only use 20GB of that disk, the actual disk consumption on your physical drives will be 20GB.

How to check your disk type

Go to the virtual machine properties in your DC (Edit Settings) and navigate to the disk on the Hardware tab. See the difference:-

Thin Disk provisioning


Thick disk provisioning

CONVERSION THIN TO THICK AND THICK TO THIN DISK

Step:-1 Open the VMware vSphere Client and open your DC. Navigate to the machine whose disk type you want to change, then right-click the virtual machine and select the “merge” option.

Step:-2 In the merge configuration, select the “change datastore” option and click Next.

Step:-3 Select the datastore where you would like to keep your virtual machine.

Step:-4 Select the disk provisioning type you want to convert to, thin to thick or thick to thin.

Step:-5 Finish the configuration and check the status of the conversion task (under “recent tasks”).

Step:-6 After the process completes, check the disk type in the virtual machine properties.

Thanks

Jinto Antony

Enabling Anonymous LDAP operations on windows 2003

October 20th, 2010

Anonymous LDAP operations in Windows 2003 AD

By default, Microsoft does not permit anonymous LDAP operations. To enable anonymous access, the ADS configuration must be edited.

The following steps enable anonymous operations on an Active Directory LDAP 2003 server.

Step:-1

Edit Active Directory using the low-level Active Directory Services Interface editor, ADSI Edit.

Step:-2

Run “adsiedit.msc”.

Step:-3 In the ADSI Edit window, navigate to Configuration, CN=Configuration, CN=Services, CN=Windows NT, right-click CN=Directory Service and click Properties.

Navigate to “Configuration”.

Open the properties of “Directory Service”.

Navigate to the “dsHeuristics” value.

Step:-4

Find dsHeuristics and click Edit.

Step:-5

Set the value of dsHeuristics to 0000002. If a previous value already exists, set the seventh character of the previous value to 2.

That is all; anonymous LDAP operations are now enabled on your 2003 server.
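
An added example, not part of the original post: Python helpers that apply the seventh-character rule above to an existing dsHeuristics value without disturbing its other positions, and that flag which values leave anonymous operations enabled when reviewing several directories. The forest names and values in the sample are constructed.

```python
ANON_INDEX = 6  # seventh character of dsHeuristics, as a 0-based index

def anonymous_ldap_enabled(ds_heuristics):
    """True when the seventh character is "2"; None or "" means the value is not set."""
    value = ds_heuristics or ""
    return len(value) > ANON_INDEX and value[ANON_INDEX] == "2"

def with_seventh_char(ds_heuristics, char):
    """Return the value with only its seventh character replaced.

    A missing or shorter value is padded with "0" up to seven characters, so
    settings already stored in other positions are preserved.
    """
    if len(char) != 1:
        raise ValueError("char must be a single character")
    value = (ds_heuristics or "").ljust(ANON_INDEX + 1, "0")
    return value[:ANON_INDEX] + char + value[ANON_INDEX + 1:]

def audit(values_by_forest):
    """Given {forest name: dsHeuristics or None}, list forests allowing anonymous ops."""
    return sorted(name for name, value in values_by_forest.items()
                  if anonymous_ldap_enabled(value))

# Constructed sample values as they might be read from CN=Directory Service.
SAMPLE = {
    "corp.example.test": None,          # attribute not set
    "lab.example.test": "0000002",      # the value from the steps above
    "dmz.example.test": "001",          # shorter previous value, position 7 absent
    "old.example.test": "0010002001",   # longer previous value with position 7 set
}

if __name__ == "__main__":
    print(audit(SAMPLE))
    print(with_seventh_char("001", "2"))
```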

How to quickly Expand VMware Virtual Machine Hard Drive

October 15th, 2010

Expanding a drive within a VMWare image

Windows operating systems mainly support two types of hard disk configuration, basic and dynamic. A basic disk contains basic volumes, such as primary partitions, extended partitions, and logical drives. A dynamic disk uses dynamic storage, which means the disk space can be extended dynamically. A dynamic disk contains dynamic volumes, such as simple volumes, spanned volumes, striped volumes, mirrored volumes, and RAID-5. There are many ways to expand a VMware image disk; here I explain how to expand a virtual machine hard disk using the dynamic disk method.

Step:-1 If your machine has a basic disk, it needs to be converted to dynamic.

Go to Computer Management (run “compmgmt.msc”) and, under the Disk Management options, convert the existing basic disk into a dynamic disk.

If you have multiple disks, select the right one.

A confirmation window appears for the disk conversion, and a restart of the virtual machine is required.

Step:-2 After completing the conversion, power off the virtual machine and expand the disk space by as much as you want.

Go to the virtual machine, edit its settings and change the size of the hard disk. Here I am changing my virtual hard disk from 50GB to 60GB.

Note:- If your virtual machine has a snapshot, you cannot change the hard disk size through the virtual machine properties in the VI Client.

Step:-3 After completing the above step, log in to the virtual machine, go to Disk Management, navigate to the disk, then right-click the disk and extend it.

Note: if you are using the XP or 2003 operating system, you need a third-party tool to extend the hard disk size on the virtual machine.

Thanks

Jinto Antony

VMware Hot-Add CPU/Memory

October 12th, 2010

VMware vSphere’s hot-add RAM and hot-plug CPU functions allow you to add additional virtual hardware to running virtual machines. The benefit of being able to do this is the ability to provide more resources to your machines without bringing servers down to add the additional resources. Simply put, this is additional capacity without downtime.

The following Microsoft operating systems support the hot-add feature:-

Checklist for hot-add configuration

  •   Check the ESX licensing (http://www.vmware.com/products/vsphere/upgrade-center/licensing.html)
  •   Check the total number of processors on the ESX server
  •   Check that the virtual operating system supports hot add

Hot add/hot plug is not compatible with Fault Tolerance.

The following steps will help you configure the hot-add feature on a virtual operating system:-

CPU Hot Plug

Enabling the hot-add feature on the ESX server

If the “Hot add” option has not been configured on your virtual machine, the virtual machine must be powered off to configure it. By default it is already enabled.

Before you start, check whether the hot plug option is configured. If you need to configure it, the detailed steps are given below:-

Step:-1

Open the vSphere Client, select the qualified operating system and edit its settings. In the settings window select the “option tab”, where you can see “memory/CPU hot plug”.

Step:-2 Add the additional CPU to the qualified virtual machine.

Go to the virtual machine properties and add the additional CPU.

Step:-3 Log in to the virtual machine and open “Windows Task Manager”; the Performance tab shows the additional CPU.

Step:-4 Finally, check that the newly added CPUs are working properly. Open Task Manager, go to the “Processes” tab, right-click any process and set its CPU priority (Affinity).

Step:-5

Select the CPU on which the corresponding process is allowed to execute.

Step:-6

Then observe the change in CPU usage.

Memory Hot Plug

Upgrading memory on a virtual machine is a simple process. The detailed steps are given below:-

Step:-1 Check whether the hot plug feature is enabled (see the step above).

Step:-2 Change the

  • Right click on virtual machine
  • Click Edit Settings
  • In the memory configuration menu, change the “memory size” to the amount you want to upgrade to

Step:-3 Log in to the virtual machine and check the total size of memory.

Jinto Antony

How To Reset A Forgotten Root Password on ESX server

August 7th, 2010

How to Reset your VMware ESX Server root password

Recently I faced a serious issue on our ESX server involving a forgotten root password. I am still wondering how it happened: the right password was not accepted for logging in to the ESX server. At last I found a solution on the VMware communities. The following steps will help anyone facing the same issue.

Resetting the ESX root password is very simple. The steps are below:-

Step 1:- You need the console of the physical ESX box. Restart your ESX server and select the VMware ESX Server entry.

Step 2:-

VMware provides a single user mode for fixing basic problems such as resetting a password or changing boot option settings. Type “a” to enter single user mode; this mode does not require authentication.

To enter single user mode, press “a” in the boot menu window.

Step 3:- After pressing “a”, you will see a command line ending with “quiet”. Remove the word “quiet” and enter the word “single”.

Step 4:- After typing the word “single”, press Enter. You will then get the single user command prompt, where you can reset the password. The commands are below.

Step5:-

Type the command "passwd"
Enter new password "......."
Retype the new password "......"
reboot

That is all: your ESX password has been reset. Now log in to your ESX server with the password.

How to access Esx/esxi server from putty, Ssh, winscp..

July 9th, 2010

SSH, Putty, Winscp, Access configuration on Esx/Esxi server.

VMware ESX/ESXi servers do not run the SSH (Secure Shell) service by default. If we need the service, we have to configure it manually. The following steps show how to enable SSH access on an ESX/ESXi server.

*This issue has been resolved in the new version, ESXi 4.1, so the steps below are required only for previous versions of ESXi.

Esx server configuration

Step1:-

Log in to the ESX server and open the console window by pressing Alt+F1 (Alt+F11 returns to the main window). In the console window, log in as the root user.

Step2:-

Edit the SSH configuration file with “vi /etc/ssh/sshd_config” and go to line number 39.

Comment out the line:

vi /etc/ssh/sshd_config
#PermitRootLogin no

After editing, save and exit the configuration file (press Esc and type :wq!).

Step3:-

After that, restart the SSH service using the command “/etc/init.d/sshd restart”.

Then restart your ESX server. Now you can access the ESX server via PuTTY, WinSCP, etc.

ESXi server configuration

If you are using an ESXi server, the SSH service is configured a little differently from ESX. That configuration is described here as well.

Step1:- Log on to your ESXi server physically, at the ESXi box. In the System Customization window you can set the root password (press F2 and configure the password).

Step2:- From the System Customization window, enter the technical support login by pressing Alt+F1.

Note:- In tech support mode you cannot see any prompt, so take care that the changes are made correctly; nothing done in this mode can be reverted, so configure the changes very carefully.

Step3:- At the cursor, type “unsupported” and press Enter.

"unsupported"

Step4:- Type the root password and press Enter again.

At the prompt you can enable SSH access in the “inetd.conf” file.

Step5:- Edit the inetd.conf file:

vi /etc/inetd.conf

Scroll down using the down arrow key until you see two lines starting with ssh, and remove the # from each line.

Step6:- Press the Esc key and type “:wq!” (save and exit).

You are now back at the prompt. Restart the services using:

services.sh restart

Step7:- Restart your ESXi server. After that you can log in to ESXi from SSH, PuTTY, WinSCP, etc.

Cheers!

Jinto  Antony

