The vSphere+, vSAN+ and VCF+ Cloud Services all leverage the vCenter Cloud Gateway (VCGW) to provide secure connectivity between your on-premises VMware infrastructure and the VMware Cloud (VMC) Console. The process to set up the VCGW is made up of the following two steps:
- Connect your VCGW to the VMC Console
- Register your vCenter Server or SDDC Manager (VCF+) to your VCGW
We had an interesting question from one of our vSphere+ customers who wanted to better understand who within their organization had performed the VCGW and vCenter Server registrations for the vSphere+ Cloud Service.
Unlike some of the other VMware Cloud services such as VMware Cloud on AWS (VMC-A), vSphere+ currently does not integrate with the VMware Cloud Activity Log service, which could easily provide this type of information. With that said, the information about these two distinct vSphere+ operations is still available to our customers; it is just in a different part of the VMware Cloud Console.
First, make sure you are an Organization Admin and then navigate to your Organization settings by clicking on your user name in the upper right-hand corner and selecting the View Organization option. From here, click on OAuth Apps and you will find a unique OAuth application entry for each VCGW or vCenter Server/SDDC Manager registration, including the who, what and when for a given registration.
Note: Do not edit or modify any of the OAuth Apps that were created by VMware as part of the VCGW and vCenter Server registration, as doing so will negatively affect your environment.
vCenter Cloud Gateway Registration
For a VCGW registration, you will find the App Name listed as "Onprem Gateway", which is pretty generic, but you will see when the operation was performed and by which user within your organization. To identify the specific VCGW within your environment, you will need to click into the item, which will then show you details about the OAuth application. Make a note of the AppID, which is a unique ID generated for a given VCGW registration.
To map this specific VCGW registration to a specific VCGW deployed in your on-premises environment, you will need to SSH to your VCGW(s) and look at /var/vmware/aca/identity-agent/csp.properties to see whether the AppID matches the cspClientId property.
Here is a quick snippet you can run on your VCGW which will output both the OrganizationID as well as the cspClientId property:
cat /var/vmware/aca/identity-agent/csp.properties | jq '.orgId,.cspClientId'
If you only have a single VCGW deployed, then this will most likely match. If you have more than one VCGW deployed, then you will need to log in to each VCGW and compare the value. I think it would be a nice enhancement if we did not use a generic label like "Onprem Gateway" but rather the FQDN of the VCGW, to help our customers easily associate the VCGW registration; this will be something I share with the vSphere+ Product Management team.
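To make the comparison across several gateways less error-prone, the following added example (not part of the original post) joins the AppIDs collected from the OAuth Apps view against the cspClientId values read from each VCGW's csp.properties, and also reports registrations that no deployed gateway claims, plus gateways whose orgId does not belong to the expected Organization. It assumes csp.properties is JSON with orgId and cspClientId keys (as the jq command above implies); the OAuth app field names and all sample values are constructed.

```python
import json

# Constructed sample of what the VMC Console "OAuth Apps" view lists.
# Field names are assumptions; the console shows name, AppID, user and time.
OAUTH_APPS = [
    {"name": "Onprem Gateway", "app_id": "aaaa-1111",
     "created_by": "alice@example.com", "created_at": "2022-09-01T10:00:00Z"},
    {"name": "Onprem Gateway", "app_id": "bbbb-2222",
     "created_by": "bob@example.com", "created_at": "2022-09-05T14:30:00Z"},
    {"name": "Onprem Gateway", "app_id": "cccc-3333",
     "created_by": "carol@example.com", "created_at": "2022-08-15T09:15:00Z"},
    {"name": "vcsa-01.example.com", "app_id": "dddd-4444",
     "created_by": "alice@example.com", "created_at": "2022-09-01T10:20:00Z"},
]

# Constructed contents of /var/vmware/aca/identity-agent/csp.properties as
# collected from each deployed VCGW (for example via ssh + cat), keyed by FQDN.
CSP_PROPERTIES = {
    "vcgw-01.example.com": '{"orgId": "org-123", "cspClientId": "aaaa-1111"}',
    "vcgw-02.example.com": '{"orgId": "org-123", "cspClientId": "bbbb-2222"}',
    "vcgw-lab.example.com": '{"orgId": "org-999", "cspClientId": "zzzz-0000"}',
}


def match_gateways(oauth_apps, csp_properties, expected_org_id):
    """Join VCGW OAuth registrations to deployed gateways.

    Returns (matched, unclaimed_apps, unmatched_gateways):
      matched            - {vcgw_fqdn: oauth app entry (who/when registered it)}
      unclaimed_apps     - "Onprem Gateway" entries no deployed VCGW claims
                           (worth reviewing: a decommissioned or unknown gateway)
      unmatched_gateways - [(vcgw_fqdn, reason)] for gateways that could not
                           be tied to a registration in this Organization
    """
    gateway_apps = {a["app_id"]: a for a in oauth_apps
                    if a["name"] == "Onprem Gateway"}
    matched, unmatched_gateways = {}, []
    for fqdn, raw in csp_properties.items():
        props = json.loads(raw)
        if props.get("orgId") != expected_org_id:
            unmatched_gateways.append((fqdn, "orgId mismatch"))
            continue
        app = gateway_apps.pop(props.get("cspClientId"), None)
        if app is None:
            unmatched_gateways.append((fqdn, "no OAuth app with this cspClientId"))
        else:
            matched[fqdn] = app
    return matched, list(gateway_apps.values()), unmatched_gateways
```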
vCenter Server Registration
Luckily, the vCenter Server registration is much more straightforward, as the FQDN of the vCenter Server is in the OAuth application name, so you can clearly match it to the vCenter Server deployed in your on-premises environment, along with the individual who performed the registration and the date/time it was performed.
vCenter Cloud Gateway to vCenter Server Associations
If you want to see the specific vCenter Server(s) registered to a specific VCGW, you currently will need to log in to each of your VCGWs (https://vcgw-fqdn:5484/registervc/list?locale=en) to view the list of registered vCenter Server(s).
In the future, this will be simplified directly within the VMC Console through an upcoming enhancement I recently learned about, which you can get a sneak peek of below. A new Cloud Gateways tab will be available in the VMC Console which not only lists all VCGWs that have been registered within the Organization, but also provides a list of all the vCenter Server(s) associated with a VCGW when you click on it for more details.
GBMaryland says
I’d be very curious to see how DoD STIGs are audited for the vSphere+ / vSphere environments.
You want to be a hero amongst men? THAT would be a heck of an article. Especially for local private clouds using vSphere!
William Lam says
I don’t believe vSphere+ has been certified for DoD STIG