Categories
Uncategorized Virtualization Vmware

VMware vCenter vVOLs Host Certificate issues

As of late I have been running into a few issues with VMware vSphere and vVOLs. I could go on for hours about my hatred of SSL certificates and how much of a pain that they have been for me in the past. But that is not what you are here for (at least I hope not).

This post is going to be a little bit different from my normal “How To” posts that I normally do. In this article I will focus more on the things that I have learned, and steps that need to be taken when working with VMware’s vSphere and vVOLs.

Here is a little back story on what a vVOL is and how it integrates with vSphere. To be completely honest with you, I am not an expert on the subject by any means. I would say that everything that I learned from this technology is either self taught or from VMware Support. Speaking of VMware Support, on numerous occasions I have been told by their Level 2 and 3 storage engineers that they know very little about how it actually works. This actually makes sense and let me explain.

A vVOL or Virtual Volume is a block of storage that gets presented from the storage provider (SAN usually) and vCenter just connects to it as a subscriber. From there vCenter replicates the connections to the ESXi hosts which these connections are independent of the vCenter connection. All of the actual provisioning and managent is actually done on the storage array. So unlike a VMDK where you have to mount the LUN and then format it. A vVOL gets connected to vCenter by via the VASA Provider screen and create a vVOL in vCenter which then gets “trickled” down to the ESXi hosts that you want to be able to see it.

Now here is where the tricky parts come in. At least in the case of Pure Storage only 1 vCenter may connect to a particular Storage controller at one time unless you are using a CA issued certificate. Which lets face it, half the time IT teams barely use DNS and you expect them to use SSL certs if it is not client facing. The good news is, Pure thought of this and that is why when you connect to the storage controller from vCenter the storage controller will issue a self signed certificate which will be used for the connection. The bad news is, the SSL cert is only good for a year and vCenter starts to alert that the certificate is expiring after 100 days or something like that.

As long as everything is good connectivity wise, renewing the certificate is as easy as logging into vCenter >clicking on the vCenter object > going to configure and clicking on storage providers > finding your Certificate and clicking refresh. From there vCenter sends a request to the storage controller and the storage controller will generate a new certificate and send it to vCenter and that is it.

Well sort of, see if it was that easy, I would not be writing this post. A few months back I had gone through the above process and it worked just fine. All was well for about 2 weeks, and then I started getting alerts (little yellow triangles in the vCenter console) saying that the storage paths to the vVOLs lost their redundancy. I opened a case with VMware support and they looked at it and said it was not a them issue it was an issue with the storage. Now to cut a long support story short, my case ended up getting routed to the VMware certificates team after my hosts started disconnecting from storage and I had to escallate the case to a P1.

The Certificates engineer saw something in the logs saying there was a certificates mismatch and wondered if that could be part of the issue. By that point things had gone too far and the fix was to delete the storage provider and add it back in manually and that brought it back up. However a few months after that on a completly different vCenter I started to see the same thing. I again opened a case and got the same engineer as before. They showed me a little trick which is to right click on the hosts that are connected to the vVOLs, go to Certificates, and click renew certificates and refresh CA certificates and that fixed the issue!!

So here is my understanding of what happened here. Even though I refreshed the vVOL certificate on the vCenter, something happened which did not allow the certifcate to propagate down to all the vCenters which required manual intervention before the ESXi hosts terminated their connections with the vVOLs.

So now going forward my process is to renew the Certificate from the VASA Providers > Refresh the host Certificates > and Renew the CA certificates on the ESXi hosts.

I hope you found this post helpful and I apologize for it being so wordy. Hopefully this will help someone in the future which is the whole purpose of this blog.

Categories
Uncategorized Virtualization Vmware

vCenter – Unable to login with WinSCP

Hey all it has certainly been a while since I have posted anything, but I am back now and I have quite a few things in the pipeline including a walk through of my new home lab!! For now lets get down to business with being unable to login with WinSCP.

Today I wanted to cover an issue that has been plaguing me quite a bit the last few months. As I am sure you are all aware, VMware vSphere and ESX 6.7 has been out of support since October 2022. Back in August of 2022, my team members at the company I work for worked dilligently to upgrade all of the vCenters and ESXi hosts in out environment.

If you are not aware, upgrading a VCSA appliance from 6.7 to 7.0 involves deploying a new 7.0 appliance and migrating your settings from one to another. Our Friends at VMware have done an amazing job with building a wizard that does most of the work for you. Perhaps as part of my new lab I will try do a guide on the upgrade process as I am sure there are many companies out there who have yet to do the upgrade. In fact I might even go as far as upgrading to 8.0!! Tune in for more.

Back to the matter at hand, When you deploy a new vCenter one of the issues you may run into is not being able to log in with WinSCP. For those of you that do not know, WinSCP is a free application (donations are accepted and appreacated) that allows you to transfer files using the SCP protocol (among others) on a Windows PC and it gives you a nice graphical user interface. You can download a copy of WinSCP here. You can also download it using Chocolatey if that is your thing.

When you try to connect to vCenter using WinSCP you may get this message:

Host is not communicating for more than 15 seconds. If the problem repeats, try turning off ‘Optimize connection buffer size’.

This can be particularly annoying when you need to add or remove a file from vCenter and because like me you probably don’t add or remove files from vCenter all that often so most times you forget that this could be an issue.

To solve the issue you will need to log into vCenter using SSH as root and run this command:

chsh -s /bin/bash root

and press enter.

Once you have done this you can then retry connecting via WinSCP and the issue should be resolved. If you don’t have the root credentals, please check out this article to find out how you can get around that.

Categories
Uncategorized Virtualization Vmware

How to enable BASH shell on vCenter 6.0

According to VMware’s KB articles they claim that this settings change is no longer needed when logging into VCSA Appliances in 6.5 – 7.0. However I am not 100% certain that that is true as, to be honest I always log in as root and have never had to do it. Do have some collegues who claim that they need to do this when they are using their AD Authenticated credentials.

While logged into vCenter as you not root account you will need to type (or copy and paste) this into your SSH session:

shell.set –enable True

In reality, you could also just log into the VAMI and start the BASH service there which I think is what I normally do anyway and thus why I have never had to run this command.

Categories
Virtualization Vmware

vCenter 6.5 – Unable to Authenticate

Happy Monday everyone! I hope you all had a great weekend and Holiday. Guess what happened to me this morning? I came into the office (virtually of course) and discovered that our VDI vCenter environment was inaccessible. Now this is an older environment on its way out the door so I am not too concerned with it. However it would make our lives easier to have vCenter working for the decommissioning process.

When I tried to log into this VCSA Server I would receive the following message in a red banner across the top of the screen:

[400] An error occurred while processing the authentication response from the vCenter Single Sign-On server. Details: ‘Trusted root certificates’ value should not be empty.

When I said this environment is old, it was upgraded from 5.5 and is now comprised of a VCSA appliance and an external PSC. Although the database has been migrated to a vPostgress DB instead of the SQL database that is started on, we have still noticed issues as time has gone one.

We tried to log in both with AD credentials and the local administrator user and both failed. Which was very concerning as we did have an issue with a DNS a few months back which knocked out AD authentication and all of our hosts in a different environment. Resolving that issue required a ticket to be opened with VMware.

I logged into the VAMI on both the PSC and the vCenter server (AD Authentication on both) and I did not see any issues there. Everything looked health and good. Since this environment is going away we decided to see if a good old reboot would fix it since we could not remember when the last reboot on this system occurred.

After rebooting the VCSA appliance everything seemed okay. In fact the vCenter console logged me in automatically. We plan to look into this more, however with this environment being decommissioned in the next few days I don’t think we will find anything of value.

If I do find a root cause for this one I will make sure to post a update on this.

Categories
Virtualization Vmware

vSphere 6.7 U2 & later CPU Scheduler modes:…

vSphere 6.7 U2 & later CPU Scheduler modes:…

This post will be focussing specifically on working of CPU scheduler in Default, SCA v1 and SCA v2 modes in 6.7 U2 and later. VMware vSphere 6.7 U2 added new scheduler options (SCA v2) which provides security for L1TF vulnerability, while retaining as much performance as possible. Note: SCA is […]


VMware Social Media Advocacy

Categories
Virtualization Vmware

What is VMware vSphere 7 Assignable Hardware?

What is VMware vSphere 7 Assignable Hardware?

A dive into ‘What is VMware vSphere 7 Assignable Hardware?’ Let’s take a look at what this is, why it is needed, and a closer look at how assignable hardware is implemented in VMware vSphere 7.


VMware Social Media Advocacy

Categories
PowerCLI Virtualization Vmware

PowerCLI – Datastore Report

I recently was working in an environment where they are still running vSphere 6.0. While doing some storage expansions I discovered that the Flash Client and the C# Client were not reporting the same size on the Datastore. This can be very frustrating as you are not sure which one you can trust. So as a tie breaker I decided to turn to my good friend PowerCLI.

It turns out that the PowerCLI and the C# client were reporting the same thing. So I decided to create a PowerCLI Script to assist me in my work. You can find the script there on my Github:

https://github.com/kenbshinn/PowerCLI-Scripts/blob/master/VM_Datastore_Report.ps1

I hope you found this post helpful and will share it with your friends.

Categories
Virtualization Vmware

How to unlock and reset SSO password in vSphere 6.x (2146224)

So I have a bit of a embarrassing confession to make. I forgot to record the Administrator password for my VCSA Appliance. Total disclosure, I was freaking out and I really thought I was going to have to start from scratch. I did some research I was surprised to find out that you can actually reset the Administrator account on a VCSA appliance as long as you have the root password for the appliance and you have access to the VCSA Console. Below are a list of the links to the KB Articles from VMware.

Resetting SSO Administrator Password
https://kb.vmware.com/s/article/2034608
Resetting SSO Administrator – VCSA 6.x

Below is the PUTTY session as an example.

[email protected]:~$ ssh [email protected]
ssh: Could not resolve hostname devvcsa01.xxx.xxxxx: Name or service not known
[email protected]:~$ ssh [email protected]
The authenticity of host ‘172.26.44.18 (172.26.44.18)’ can’t be established.
ECDSA key fingerprint is SHA256:7E4K1HVpg2ExWz+vEkkRdJ0M5jUYftb3HZw6OSDKFEICSOEPWWKYERe4.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘172.26.44.18’ (ECDSA) to the list of known hosts.

VMware vCenter Server Appliance 6.5.0.21000

Type: vCenter Server with an embedded Platform Services Controller

Password:
Connected to service

    * List APIs: “help api list”
    * List Plugins: “help pi list”
    * Launch BASH: “shell”

Command> shell.set –enabled true
Command> shell
Shell access is granted to root
[email protected] [ ~ ]# /usr/lib/vmware-vmdir/bin/vdcadmintool

==================
Please select:
0. exit
1. Test LDAP connectivity
2. Force start replication cycle
3. Reset account password
4. Set log level and mask
5. Set vmdir state
6. Get vmdir state
7. Get vmdir log level and mask
==================

3
  Please enter account UPN : [email protected]
New password is –
/a+p|8M?vRl`%”p4*+oZ

==================
Please select:
0. exit
1. Test LDAP connectivity
2. Force start replication cycle
3. Reset account password
4. Set log level and mask
5. Set vmdir state
6. Get vmdir state
7. Get vmdir log level and mask
==================

Once you go through all these steps you are now able to log into VCSA with that temporary password that you are given and you are also able to reset it as well.

I hope you find this post helpful, and if you do please share it out to your friends.

Categories
PowerCLI Virtualization Vmware

Getting past Certificate issue in Power CLI

So I recently started working more with PowerCLI. After my time at VMWorld 2019 (which I will cover in another post) I realized how powerful that PowerCLI actually is (pun not intended). In starting to work with PowerCLI I came across the following message whil: trying to connect to my vCenter

Connect-vIServer : xx-x-xxxx xx:xx:xx Connect-VIServer Error: Invalid server certificate. Use Set-PowerCLIConfiguration to set the value for the InvalidCertificateAction option to Prompt if you’d like to connect once or to add a permanent exception for this server.

I did some googling and I found this article,so shout out to Ivo Beerens for his article.

https://www.ivobeerens.nl/2018/07/18/quick-tip-powercli-invalid-server-certificate-error/

In his article he goes on to share this command

Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -Confirm:$false

After putting that into PowerShell and pressing enter you will no longer get the Invalid Certificate message.

I hope you found this post helpful, I will be posting about some of the scripts that I have been posting on my Github. Please share with your friends if you found this helpful. 
Categories
Virtualization Vmware

All vCenters not showing up after adding a new one to an SSO Domain

As I have mentioned before, the company I work for had a disaster event that took place almost a year ago and because of that we have had  some of our infrastructure duct taped together.

Today I am proud to say that I had the opportunity to rip off another piece of that duct tape and actually move our Virtual Infrastructure forward.

You see, Pre-Disaster we had a single vCenter appliance which managed 3 sites. (Yes I know… yuck)

But, because of the disaster we had to move all of our services from the 1 site to the other 2. In the middle of the DR event I had to create 2 VCSA appliances to be able to manage the 2 sites, and due to a lack of sufficient network connectivity at the time, they were just islands. I even set them up a separate SSO Domains.

Fast forward to today, and I have now consolidated these 2 SSO Domains down to 1 and I must say it is pretty slick.

I did however run into a bit of an anomaly, which is the purpose of my post today. You see on the VCSA appliance that was added to the existing SSO domain, I discovered that I could see the first VCSA Appliance in the vSphere Web Client as well as it’s inventory which was awesome!

However on the vSphere Web Client of the Original VCSA Appliance, I can only see the 1 VCSA Appliance.

I consulted Dr. Google but found nothing at first, until I came across this post on the IBM Cloud for VMware Solutions site.

It turns out that you need to restart the vSphere Web Client in order for the new vCenter server to appear.

Just encase the link dies I will post the resolution here:

This is a known VMware 6.5 issue.

To resolve the problem, you must restart the vSphere Web Client:

Using the root account, connect over ssh to the vCenter VM (virtual machine) of the previously ordered instance.
Type shell to enter the bash shell.
Enter service-control –stop vsphere-client to stop the client.
Enter service-control –start vsphere-client to restart the client.
After the vSphere Web Client of the previously ordered instance is restarted, confirm that the vCenter Server system for the newly added secondary instance is visible in the vSphere Web Client.

NOTE: Rebooting the VCSA Appliance will also resolve your issue.

I hope you found this helpful, and if so please let me know and share with your friends.