WilliamLam.com

Automating SSL Certificate Expiry Validation for vCenter Server + ESX(i) Hosts

03.25.2012 by William Lam // 4 Comments

As many of you know, it is a best practice to replace VMware's self-signed SSL certificates that are included in the vCenter Server (Windows & VCSA) and ESX(i) hosts to prevent or help reduce MiTM (Man in The Middle) attacks. If you are looking for more details on how to replace the default SSL certificates, you should take a look at the fantastic articles written by Michael Webster who details the process, provides some troubleshooting steps and best practices for SSL certificate replacement.

Replacing the default self-signed SSL certificate is just one part of the process, but you also need to check to ensure the certificates are still valid and have not expired. If you already have a process in place or a system that automatically does this for you, that is great. If you do not, you should definitely validate that your SSL certificates are valid on a regular basis.

I recently stumbled onto a nifty open source tool called ssl-cert-check that can help with validating the expiration of SSL certificates found on vCenter Server(s) and ESX(i) hosts, or any other SSL-enabled host for that matter. This utility is just a shell script (specifically Bourne shell) wrapping the common openssl utility found on most UNIX/Linux systems, and it does not require any login credentials to the remote hosts to validate the SSL certificate.

To use the script, you can visit the website here and download it to a system that has openssl installed (in my home lab, I used vMA).

It took me a while to find the script, but it's located on the right side of the screen where it says "Website". You can also download it from the command-line using wget if you have direct/proxy access to the internet:

wget http://freecode.com/urls/353b752faa208fca12bc0091c742f764 -O ssl-cert-check

Note: Don't forget to set the execute permission on the script (chmod +x ssl-cert-check) else you will get permission denied when trying to run the script.

The script can be executed interactively by specifying the -s option for server and -p for the port. You can also specify the issuer of the certificate by using the -i option. Below is a screenshot of running the ssl-cert-check against a vCenter Server:

You can also run the script in batch mode by specifying the -f option, which accepts a list of servers by FQDN along with the port number. Using this feature of the script, you can easily run it against all your vCenter Server(s) and ESX(i) hosts to ensure that their SSL certificates are still valid.

If you already have a list of hosts you want to check, then you can easily create a new file with the hostname and port. Though if you do not have one handy, I wrote a quick vSphere SDK for Perl script called generateESXiHostsList.pl that helps automate the creation of the output file containing all ESX(i) hosts when connecting to a vCenter Server. To use the script, you just need to have vCLI installed on a system or use vMA.

The script accepts one option, --output, which specifies the name of the output file to be created:

If we "cat" the file out, we can see it looks like the following:

vesxi50-1.primp-industries.com 443
vesxi50-2.primp-industries.com 443
vesxi50-3.primp-industries.com 443
vesxi50-4.primp-industries.com 443

Let's now run the ssl-cert-check against the list of ESX(i) hosts using the -f option and see if we have any hosts with expired certificates:

Uh oh, it looks like we have two hosts with some problems. We can see one host that already has an expired SSL certificate and another one that will be expiring in 10 days. We better take a look at these and get them replaced soon!

There are additional options in the ssl-cert-check script, including the ability to email the results or run as a Nagios check. You can easily schedule a cron job to run this script every week and grep for the keyword "Expiring" to alert you of any hosts that have expiring SSL certificates. As you can see, it is not only important to replace the default self-signed SSL certificates in your environment, but you also need to validate on a routine basis that your certificates are still valid.
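One way to run the same kind of expiry check directly with openssl against a host list in the "hostname port" format shown above. This is an added example, not ssl-cert-check itself and not code from the original post; the 30-day WARN_DAYS default and the script name are assumptions.

```shell
#!/bin/sh
# Added example: certificate expiry check over a "host port" list using openssl only.
# WARN_DAYS is an assumed default threshold, not a value from the post.
WARN_DAYS=${WARN_DAYS:-30}

# Print the server's leaf certificate as PEM. s_client does not abort on an
# untrusted or self-signed chain, so default ESX(i) certificates are still read.
fetch_cert() {
    # stdin from /dev/null ends the session after the handshake and keeps
    # s_client from swallowing the host list that check_list is reading.
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM 2>/dev/null
}

# Classify a PEM certificate on stdin: Unreadable, Expired, Expiring or Valid.
# $1 = warning window in days (defaults to WARN_DAYS).
cert_status() {
    local pem secs
    pem=$(cat)
    secs=$(( ${1:-$WARN_DAYS} * 86400 ))
    if ! printf '%s\n' "$pem" | openssl x509 -noout >/dev/null 2>&1; then
        echo "Unreadable"            # no certificate: host down, wrong port, not TLS
    elif ! printf '%s\n' "$pem" | openssl x509 -noout -checkend 0 >/dev/null 2>&1; then
        echo "Expired"
    elif ! printf '%s\n' "$pem" | openssl x509 -noout -checkend "$secs" >/dev/null 2>&1; then
        echo "Expiring"
    else
        echo "Valid"
    fi
}

# Check every "host port" line of file $1; returns 1 if any host is not Valid
# so a cron wrapper can alert on the exit status instead of grepping output.
check_list() {
    local host port pem status rc=0
    while read -r host port; do
        case "$host" in ''|'#'*) continue ;; esac
        pem=$(fetch_cert "$host" "${port:-443}") || pem=""
        status=$(printf '%s\n' "$pem" | cert_status)
        printf '%-40s %-10s %s\n' "$host:${port:-443}" "$status" \
            "$(printf '%s\n' "$pem" | openssl x509 -noout -enddate 2>/dev/null)"
        [ "$status" = "Valid" ] || rc=1
    done <"$1"
    return "$rc"
}

# Usage: ./check-expiry.sh hosts.txt   (hypothetical script name)
if [ "$#" -ge 1 ]; then check_list "$1"; fi
```

An "Unreadable" result deserves the same attention as "Expired": it means no certificate could be retrieved, so the host's expiry state is unknown rather than good.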


How to Run WSX as a Standalone

03.18.2012 by William Lam // 3 Comments

This weekend I got a chance to deploy the new Workstation Technology Preview 2012 in my lab and specifically play with the new WSX feature, which allows you to access your virtual machines from anywhere with just a browser. Currently WSX is only available for the Linux version of Workstation and is bundled together as part of the installer. I wanted to run WSX in one of my management VMs, and did not want the large disk footprint that came with Workstation. I did some digging and found it was quite easy to extract the WSX bits and run it on another Linux system, and in my case I tried it with vMA.

Disclaimer: This is mainly for educational and testing purposes as this is not officially supported by VMware.

The main prerequisite to install WSX is a Linux system that has Python 2.6 installed. You will still need to perform a full installation of Workstation to extract the WSX components; as recommended, you can use the latest Ubuntu image.

Note: If you want to install Workstation Tech Preview in a VM, you may get an error about the version of VMware Tools not being up to date. You can bypass that by running the following command:

VMWARE_FORCE_INSTALL_IN_VM=yes ./VMware-Workstation-Full-e.x.p-646643.i386.bundle

Step 1 - You will need to create a few directories on the destination system, to which you will copy the WSX files:

mkdir -p /etc/vmware/wsx
mkdir -p /usr/lib/vmware/{setup,scripts,lib,bin}
mkdir -p /var/lib/vmware/wsx/

Step 2 - You will now copy the following directories/files to the destination system using scp, where [USER]@[DESTINATION] is a placeholder for your account and destination host:

scp /usr/lib/vmware/bin/vmware-wsx-server [USER]@[DESTINATION]:/usr/lib/vmware/bin
scp /etc/init.d/vmware-wsx-server [USER]@[DESTINATION]:/etc/init.d
scp /etc/vmware/bootstrap [USER]@[DESTINATION]:/etc/vmware
scp -r /usr/lib/vmware/setup [USER]@[DESTINATION]:/usr/lib/vmware/
scp -r /usr/lib/vmware/scripts [USER]@[DESTINATION]:/usr/lib/vmware/
scp -r /usr/lib/vmware/lib/python2.6 [USER]@[DESTINATION]:/usr/lib/vmware/lib

Step 3 - Next you need to re-create the WSX config file which will be stored in /etc/vmware/wsx/config using the following command:

/usr/lib/vmware/lib/python2.6/site-packages/wsx/vmware-wsx-server --generate_config

If you wish to change the default port of 8888, you may edit the file before starting the WSX service.

Step 4 - Finally, you are now ready to start the WSX service by running the following command:

/etc/init.d/vmware-wsx-server start

Note: I ran into an odd issue with the initial login to WSX from the browser, in which I needed to create a secondary account other than the default "vi-admin". You need to log in with "vi-admin" first, then clear the cookie, so you can log in with another user account before you add new servers. This was mainly from looking at some of the errors in the logs and performing a sqlite dump of the WSX db.

Here are a few screenshots of accessing WSX from a browser, iPad and iPhone:

The interface was pretty easy to use and it's pretty damn cool to be able to access your desktop from any platform that has a browser! Really looking forward to seeing where WSX is headed and hopefully it will be available in the future as a standalone installer and also with a logout button 🙂


Datastore File Management using vCLI vifs

03.09.2012 by William Lam // Leave a Comment

There are many useful scripts bundled with the VMware vCLI. One such script that is not very well known is the vifs utility, which provides datastore file management. When you right click on a datastore and browse using the vSphere Client, you can create a new folder, download/upload, delete and move files.

Using the vCLI's vifs utility, you can perform the same set of operations via the command-line; behind the scenes it uses the vSphere API fileManager to perform these operations. You can also browse a datastore with nothing more than a web browser: just point it to the following address: https://[ESXI_HOSTNAME]/folder and you can access the datastores by clicking through the links.

To browse the datastore using vifs, you will need vCLI installed on either a Windows/Linux system or you may use VMware vMA.

To browse a specific datastore for an ESXi host, you will need to first list the available datastores by using the following command:

vifs --server [SERVER] --username [USERNAME] --listds

Once you have identified the datastore you are interested in, you will then use the --dir flag to list the contents of the directory and its sub-directories by using the following command:

vifs --server [SERVER] --username [USERNAME] --dir '[DATASTORENAME]'

Note: The datastore name must be enclosed in brackets, as in '[datastorename]', which is how a datastore path is identified in the vSphere API. To list sub-directories, you will need a space between the datastore name and the directory name, and do not forget to quote the parameter.

Let's say you would like to download a .vmx configuration file from a directory; you can use the --get flag with the following command:

vifs --server [SERVER] --username [USERNAME] --get '[DATASTORENAME] somedir/somefile.vmx' .

Note: In the example above, we are downloading the file into the current working directory, denoted by the "." (period). If you wish to download it somewhere else or even rename the file, you will need to specify the full path to the destination.

If you wanted to automate the downloading of, say, all .vmx configuration files, it might be pretty tedious to run through the directory discovery, so here is a quick shell script called getVMVMX.sh that is more user-friendly and allows you to easily download all .vmx configuration files for a given datastore.

To use the script, you will need vCLI installed on a Linux system, or you can use VMware vMA; be sure to set the executable permission on the shell script. You will need to specify the credentials for the ESX(i) host and the specific datastore for which you wish to either "list" or "download" all .vmx configuration files.

Using the --listds flag, you will need to identify the datastore you wish to use. Next you will use the following command to "list" all .vmx configuration files:

./getVMVMX.sh [ESXI_SERVER] [USERNAME] "[PASSWORD]" [DATASTORE] list

To download all .vmx configuration files you will use the following command:

./getVMVMX.sh [ESXI_SERVER] [USERNAME] "[PASSWORD]" [DATASTORE] download [FOLDER]

where FOLDER is a directory that will automatically be created for you to store all .vmx configuration files.

Note: You can easily modify the script to add an additional "for loop" at the beginning to automatically download .vmx configurations for all datastores. I will leave that as an exercise for the reader.

So if you ever need to grab a vmware.log file for a specific VM or upload an ISO to datastore, you can do so from the command-line using the vifs utility that is bundled with the vCLI.



Author

William is Distinguished Platform Engineering Architect in the VMware Cloud Foundation (VCF) Division at Broadcom. His primary focus is helping customers and partners build, run and operate a modern Private Cloud using the VMware Cloud Foundation (VCF) platform.


Copyright WilliamLam.com © 2025