WilliamLam.com

How to generate a pre-authenticated HTML5 VM console link in vSphere 5.5 that works on all OSes!

by // 79 Comments

One of the coolest feature that I have been personally looking forward to is the ability to access a virtual machine's remote console on a Mac OS X system which is now available as part of the vSphere 5.5 release. When you launch the VM's remote console using the vSphere Web Client on a Mac OS X system, instead of using the regular VMRC, it launches an HTML5 based console for your VM.

One thing that you might have noticed when performing this same action on a Windows desktop using the vSphere Web Client is that VMRC is used instead of the HTML5 console (notice the generated URLs are different). My understanding is that the VMRC is currently more performant than the HTML5 console and hence it is preferred when possible. I have been using the HTML5 based console for quite sometime now and I have not had any issues with it. I really hope to see us use the HTML5 console as the default console in the future!

Having said all this, there is a way for all users can benefit from this new HTML5 based VM console which is to automatically generate the URL which can then be loaded into any HTML5 supported web browser on either a Mac OS X, Windows or even Linux system. I used a similar method in generating the VM Remote Console for the vSphere Web Client which is VMRC specific.

UPDATE (07/26/17): I have just published a PowerCLI script called GenerateVMConsoleURL.ps1 which runs against a vSphere 6.5 environment and supports generating the HTML5 VM Console, Standalone VMRC and WebMKS URLs. As noted by several folks in the comments below, the pre-auth mechanism no longer works post-6.0, so you will need to have logged already for the console to automatically load OR you will be prompted to login before being re-directed. For those that wish to generate VM Console URLs for older vSphere versions, you can modify the script to handle those other scenarios.

The really cool part about this solution is that you can provide a one time pre-authenticated HTML5 based VM console URL that can then be given to your end users to access their VM. This of course can be automatically generated through a custom portal without needing to provide direct access to the vSphere Web Client.

Here is an example of what the HTML5 VM console URL looks like in vSphere 5.5:

http://reflex.primp-industries.com:7331/console/?vmId=vm-23&vmName=VCSA&host=reflex.primp-industries.com&sessionTicket=cst-VCT-5254c455-4340-2185-e149-01ce44b146e1--tp-4A-88-17-7C-F5-D0-79-E6-9D-A1-E3-83-97-52-97-EA-E5-D3-D8-07&thumbprint=4A:88:17:7C:F5:D0:79:E6:9D:A1:E3:83:97:52:97:EA:E5:D3:D8:07

In vSphere 5.5 Update 2, the HTML5 VM Console now defaults to a secure connection and the two components of the URL that needs to be modified is from HTTP to HTTPS and from port 7331 to port 7343. The script has been updated to support a new command-line option called isvSphere55u2 which by default is set to false but can be set to true to generate an updated URL if you are running vSphere 5.5 Update 2

There are basically seven important components to the URL:

  • Hostname of the vCenter Server - reflex.primp-industries.com
  • The HTML5 console port, default is 7331 but can automatically change depending on available ports on the system (for vSphere 5.5 Update 2 the port has changed to 7343 for a secure connection)
  • The MoRef ID of the virtual machine - vm-23
  • The virtual machine name - VCSA
  • The vCenter Server advanced setting "VirtualCenter.FQDN" - reflex.primp-industries.com
  • The session ticket generated from vCenter Server - cst-VCT-5254c455-4340-2185-e149-01ce44b146e1--tp-4A-88-17-7C-F5-D0-79-E6-9D-A1-E3-83-97-52-97-EA-E5-D3-D8-07
  • The vCenter Server SHA1 SSL Thumbprint - 4A:88:17:7C:F5:D0:79:E6:9D:A1:E3:83:97:52:97:EA:E5:D3:D8:07

Disclaimer: The HTML5 VM console URL format/behavior is not guaranteed and may change in the future. The only officially supported method of accessing the console is by launching it through the vSphere Web Client.

Here is a vSphere SDK for Perl script called generateHTML5VMConsole.pl that given a VM name as input, will automatically generate a one-time pre-authetnicated HTML5 VM console URL that can be loaded into any supported web browser.

Note: To ensure the URL is valid, you will need to make sure your application is setup to run like a daemon or agent. To simulate this in my sample script, I just sleep for 60 seconds before disconnecting the session. I also used the openssl utility to extract the SHA1 thumbprint, so you will need a system that has that installed along with the vSphere SDK for Perl if you wish to use the script. The quickest way is to leverage vMA.

To load the HTML5 VM console, take the URL that is generated and point it to a browser:

Since this is an HTML5 based VM console, I can even load this into my iPad!

Hopefully this article will give you new ideas on how you can leverage and integrate the new HTML5 VM Console within your environment and hopefully this will be the defacto console in the future!

Here is an example of what the URL looks like for vSphere 5.1 & 5.5:

https://reflex.primp-industries.com:9443/vsphere-clien/vmrc/vmrc.jsp?vm=urn:vmomi:VirtualMachine:vm-1506:EE26E7F6-591B-4256-BD7A-402E5AC9E0A8

There are basicallythree important components to the URL:

  • Hostname of the vCenter Server - reflex.primp-industries.com
  • The vCenter instanceUUID which used to uniquely identify a vCenter Server - EE26E7F6-591B-4256-BD7A-402E5AC9E0A8
  • The MoRef ID of the virtual machine - vm-1506

Check out the new and improved VMware Developer Center!

by // 2 Comments

One common piece of feedback that we have heard from customers and partners over the years is how difficult it can be to get started with using VMware's API and SDKs. The biggest challenge is not actually using the API and SDKs, but actually finding out what is available for a particular product or the solution you are trying to develop. The other challenge of course is where to download the API/SDK, language support and their corresponding documentation.

In the past, this information would be scoured throughout VMware's website and Google searches will usually lead folks to the VMware Developer Center. The site has been in need of a major revamp for awhile now and I am glad to see that VMware has taken this feedback very seriously as I have provided similar feedback when I was a customer as well as employee.

I am happy see that we have re-launched the VMware Developer Center which now contains a wealth of useful information that has never been available before! I was one of the lucky few who received early access to the new VMware Developer Center to help provide feedback on how we can better improve our user experience with the site. This will continue to be a work in progress based on on-going feedback from customers and partners.

Here are a few things worth checking out ...

Development & Certification

The first thing I think everyone will just LOVE is that VMware is now listing EVERY single API/SDK that is available which includes public API/SDKs as well as what is known as "Gated API/SDK" that usually are available to partners only. The reason this is a big deal is if you are a new partner, how do you know what is available to you and how can you add value on top of the VMware eco-system? You now can get a list of all VMware API/SDKs under the Developement & Certification section and it provides you with a high level of what each API/SDKs provides. For gated API/SDK, you will see a tiny lock symbol next to it. When you login to MyVMware and you are supposed to have access to these API/SDKs, the icons will be unlocked and you will be able to get more details including downloads and documentation. You can also filter the views by specific API/SDKs as well as scripting/programming language.

vCloud Suite Library

Earlier I mentioned that it was quite difficult for someone to figure out exactly what API/SDKs are available for a particular product, especially within the vCloud Suite. One really neat feature is under the "Library" section which provides you with a high level diagram of the VMware vCloud Suite and it is an interactive diagram which you can hover over and it provides information about each product. If you click on one of the products, it will provide more information on the API/SDKs that can be used to integrate or access that particular product. This is a great way to learn about VMware products from a scripting/programmatic perspective and we also have one for the Horizon Suite.

VMware Standards

One other cool page to visit is the "Standards" page which currently just contains the UX design standards for the vSphere Web Client. If you want to learn more about the design principles used to create the vSphere Web Client or looking to build your own vSphere Web Client plugin, you may be interested in this section. I suspect over time we will be publishing more design standards that can be shared with the general community and hopefully useful for our partners and integrators.

Be sure to explore the rest of the site, though this is only the initial release of the VMware Developer Center, if you have any feedback feel free to leave a comment either on my blog or in the VMTN community forums. I know the team responsible for the VMware Developer Center has so much more planned including more sample code for each of our API/SDK as well as more content and interactions from each of the engineering teams. So stay tuned and check back often!

How to clear the ARP cache in ESXi prior to vSphere 5.5

by // 3 Comments

Yesterday, I wrote an article about a new ESXCLI command that will be available as part of the soon to be released vSphere 5.5 release which allows a user to clear the ARP cache on an ESXi 5.5 host. It was my understanding that with past releases of ESXi, that it is not possible to clear the ARP cache. While working on that article, I came across an internal thread and learned that it was possible to clear ARP entries prior to ESXi 5.5, however the method is not as ideal as using the new ESXCLI command.

Disclaimer: This is not officially supported by VMware, please use at your own risk

In ESXi 5.1, you can list the current ARP entries for an ESXi host by running the following ESXCLI command:

esxcli network ip neighbor list

To clear a particular ARP entry, you will need to use the unsupported vsish interface. To delete a specific ARP entry, you will need to run the following command:

vsish -e set /net/tcpip/v4/neighbor del [IP-ADDRESS]

Here is a screenshot of listing the current ARP entries using ESXCLI and then deleting one of entries using vsish:

As mentioned in my previous article, I am glad we have made this into an official command in ESXCLI 5.5, but if you are in a crunch you can still clear an ARP entry if you are not running ESXi 5.5 using vsish.