WilliamLam.com


How to audit vCenter Cloud Gateway & vCenter Server Registrations for vSphere+

04.24.2023 by William Lam // 2 Comments

The vSphere+, vSAN+ and VCF+ Cloud Services all leverage the vCenter Cloud Gateway (VCGW) to provide secure connectivity between your on-premises VMware infrastructure and the VMware Cloud (VMC) Console. Setting up the VCGW consists of the following two steps:

  1. Connect your VCGW to the VMC Console
  2. Register your vCenter Server or SDDC Manager (VCF+) to your VCGW

We had an interesting question from one of our vSphere+ customers, who wanted to better understand who within their organization was performing the VCGW and vCenter Server registrations for the vSphere+ Cloud Service.

Unlike some of the other VMware Cloud services such as VMware Cloud on AWS (VMC-A), vSphere+ currently does not integrate with the VMware Cloud Activity Log service, which can easily provide you with this type of information. With that said, the information about these two distinct vSphere+ operations is still available to our customers; it is just in a different part of the VMware Cloud Console.

First, make sure you are an Organization Admin, then navigate to your Organization settings by clicking on your user name in the upper right-hand corner and selecting the View Organization option. From here, click on OAuth Apps and you will find a unique OAuth application entry for each VCGW or vCenter Server/SDDC Manager registration, including the who, what and when of a given registration.


Note: Do not edit or modify any of the OAuth Apps that have been created by VMware as part of the VCGW and vCenter Server registration, as doing so will negatively affect your environment.

vCenter Cloud Gateway Registration

For a VCGW registration, you will find the App Name listed as "Onprem Gateway", which is pretty generic, but you will see when the operation was performed and by which user within your organization. To identify the specific VCGW within your environment, click into the item, which will then show you details about the OAuth application. Make a note of the AppID, a unique ID that is generated from a given VCGW registration.


To map this VCGW registration to a specific VCGW deployed in your on-premises environment, you will need to SSH to your VCGW(s) and look at /var/vmware/aca/identity-agent/csp.properties to see whether the cspClientId property matches the AppID.

Here is a quick snippet you can run on your VCGW which will output both the OrganizationID as well as the cspClientId property:

cat /var/vmware/aca/identity-agent/csp.properties|jq .orgId,.cspClientId


If you only have a single VCGW deployed, then this will most likely match. If you have more than one VCGW deployed, then you will need to log in to each VCGW and compare the value. I think it would be a nice enhancement if we did not use a generic label like "Onprem Gateway" but rather the FQDN of the VCGW, to help our customers easily associate the VCGW registration. This will be something I share with the vSphere+ Product Management team.
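When several gateways are deployed, the comparison can be done in one pass on an audit workstation. The following is an added example, not code from the original post or from VMware: it assumes the csp.properties text of each VCGW has been collected over SSH, that the file is JSON with the orgId and cspClientId keys used by the jq snippet above, and that the OAuth app details were noted by hand from the console. The record layout, hostnames, IDs and users are constructed placeholders.

```python
import json

GATEWAY_APP_NAME = "Onprem Gateway"  # App Name the console shows for VCGW registrations

def correlate(oauth_apps, gateway_props, org_id):
    """Return ({vcgw_host: oauth_app}, [findings]) by matching AppID to cspClientId."""
    by_client_id, findings = {}, []
    for host, text in gateway_props.items():
        try:
            props = json.loads(text)
            client_id = props.get("cspClientId")
        except (ValueError, AttributeError):  # not JSON, or not a JSON object
            findings.append(f"{host}: csp.properties could not be parsed")
            continue
        if not client_id:
            findings.append(f"{host}: no cspClientId present")
            continue
        if props.get("orgId") != org_id:
            findings.append(f"{host}: orgId differs from the audited organization")
        by_client_id[client_id] = host
    mapping = {}
    for app in oauth_apps:
        if app["name"] != GATEWAY_APP_NAME:
            continue  # vCenter Server apps already carry the FQDN in their name
        host = by_client_id.pop(app["app_id"], None)
        if host is None:
            findings.append(f"{app['app_id']}: no collected VCGW has this cspClientId "
                            f"(registered by {app['created_by']} on {app['created']})")
        else:
            mapping[host] = app
    for client_id, host in by_client_id.items():
        findings.append(f"{host}: cspClientId {client_id} has no OAuth app in this organization")
    return mapping, findings

# Constructed sample data: IDs, hostnames and users are placeholders, not real values.
ORG_ID = "org-0000-example"
OAUTH_APPS = [
    {"name": GATEWAY_APP_NAME, "app_id": "app-aaaa", "created_by": "alice@example.com", "created": "2023-04-01"},
    {"name": GATEWAY_APP_NAME, "app_id": "app-bbbb", "created_by": "bob@example.com", "created": "2023-04-10"},
    {"name": "vcsa01.example.com", "app_id": "app-cccc", "created_by": "alice@example.com", "created": "2023-04-02"},
]
GATEWAY_PROPS = {  # hostname -> text of /var/vmware/aca/identity-agent/csp.properties
    "vcgw01.example.com": '{"orgId": "org-0000-example", "cspClientId": "app-aaaa"}',
    "vcgw02.example.com": '{"orgId": "org-9999-other", "cspClientId": "app-zzzz"}',
}

if __name__ == "__main__":
    mapping, findings = correlate(OAUTH_APPS, GATEWAY_PROPS, ORG_ID)
    for host, app in mapping.items():
        print(f"{host} <- {app['app_id']} by {app['created_by']} on {app['created']}")
    for finding in findings:
        print("CHECK:", finding)
```

An "Onprem Gateway" app with no matching gateway, or a gateway whose cspClientId has no app in the organization, is the case worth following up in an audit.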

vCenter Server Registration

Luckily, the vCenter Server registration is much more straightforward: the FQDN of the vCenter Server is in the OAuth application name, so you can clearly match it to the vCenter Server you have deployed in your on-premises environment, along with the individual who performed the registration and the date/time when it was performed.

vCenter Cloud Gateway to vCenter Server Associations

If you want to see the specific vCenter Server(s) registered to a specific VCGW, you currently need to log in to each of your VCGWs (https://vcgw-fqdn:5484/registervc/list?locale=en) to view the list of registered vCenter Server(s).

In the future, this will be simplified directly within the VMC Console with an upcoming enhancement that I recently came to learn about, and which you can get a sneak peek of below. A new Cloud Gateways tab will be available in the VMC Console, which not only lists all VCGWs that have been registered within the Organization, but will also provide a list of all the vCenter Server(s) associated with a VCGW when you click on that VCGW for more details.


Comments

  1. *protectedGBMaryland says

    04/24/2023 at 8:59 am

    I’d be very curious to see how DoD STIGs are audited for the vSphere+ / vSphere environments.

    You want to be a hero amongst men, THAT would be a heck of an article. Especially, for local private clouds using vSphere!

    • William Lam says

      04/24/2023 at 1:39 pm

      I don’t believe vSphere+ has been certified for DoD STIG

Author

William is Distinguished Platform Engineering Architect in the VMware Cloud Foundation (VCF) Division at Broadcom. His primary focus is helping customers and partners build, run and operate a modern Private Cloud using the VMware Cloud Foundation (VCF) platform.
