PowerCLI

Disabling vCenter Lifecycle Manager automatic download using vSphere API

10.02.2023 by William Lam // Leave a Comment

By default, vCenter Server will automatically check and download the latest ESXi updates that can then be used by either the deprecated vSphere Update Manager (VUM) or its replacement which is vSphere Lifecycle Manager (vLCM), both of which can be managed under the Lifecycle Manager section in the vSphere UI.

Interestingly, I have had a number of inquiries about disabling the automatic download setting using automation, as I assume users have setup Update Manager Depot Service (UMDS) instance for consolidated and/or offline access.

Disabling the automatic download in the vSphere UI is very straight forward by going to Lifecycle Manager->Settings->Administration->Patch Downloads and clicking on the Edit button to enable or disable the setting.

Because the Lifecycle Manager section combines functionality for both VUM and vLCM, it can sometimes be confusing on which vSphere API to use and this is important becauase VUM does not have any public API and only subset of its functionality can be automated using specific VUM PowerCLI cmdlets. This is another benefit to using vLCM, not only is it the replacement for VUM going forward, but all of its functionality is available using both the vSphere UI or vSphere REST API.

With that said, the automatic download setting is actually a VUM-based configuration and as mentioned earlier, there are no public APIs for managing these settings. However, I recently found a clever workaround that would allow users to automate disabling this setting.

[Read more...]

Exploring the new vSphere Privilege Recorder in vSphere 8.0 Update 1

09.13.2023 by William Lam // Leave a Comment

Determining the minimum vSphere privileges that is required to perform a given vSphere operation (UI/API) has been a huge customer challenge to say the least. Strategies have included guessing along with trial and error by creating a custom vSphere Role and slowly removing privileges until you have identified the minimum required privileges. If you are familiar with the vSphere API and know exactly which API methods and properties are consumed, then you can use the vSphere API Reference since every method and property includes the specific privilege required in the documentation, but this method is pretty tedious and time consuming.

If only we had a way to record all the vSphere privilege that was used for a specific set of operation(s) in vCenter Server ... 🤔

Apparently I missed the initial news, but this was actually one of the new features that was introduced in vSphere 8.0 Update 1 called the vSphere Privilege Recorder! 😆

[Read more...]

Retrieving vCenter Server certificate (Machine, VMCA Root, STS & Trusted Root) details using the vSphere API

09.11.2023 by William Lam // 4 Comments

In the vSphere UI, users can easily view and manage all of their vCenter Server certificates by navigating to Administration->Certificate->Certificate Management as shown in the screenshot below.

There are four types of vCenter Server certificates: Machine SSL, VMware Certificate Authority, STS Signing Certificate and the Trusted Root. On the main summary view, we can see the validity of the certificate, which is useful to quickly determine if you need to plan on replacing a specific certificate. We can also get more information about a specific certificate by clicking on the "View Details".

A question recently came up internally asking whether there is a vSphere API to retrieve all of this information programmatically, especially the validity of the certificate?

[Read more...]