WilliamLam.com

Adventures with HP SAM and Win2008 R2 domains

by // Leave a Comment

For the past two years or so we have been testing out VDI in our residence hall student labs at UCSB which consist of about twenty or so thin clients split between two locations. Now what made all of this feasible was:

1) Advancements in remote display protocols
and
2) our ghetto-link-clones script (http://communities.vmware.com/docs/DOC-9020)

We picked HP's RGS as our remote display protocol because it was the only protocol we found at the time that ensured a "rich desktop user experience". I still prefer it today over the software implementation of PCoIP but that is a topic best left for another day.

Naturally, the only broker that pooled RGS-enabled machines at the time was HP's Session Allocation Manager (today Leostream and others can broker it). Despite bad experiences with some HP software in the past, SAM actually worked out very well for us, both on the server side as well as the client side. I still have yet to see a broker package that allows you to customize the client like HP SAM (this feature is definitely stamped as RAD in my book).

SAM was not perfect though and had the occasional hiccup (e.g. machines being listed as unavailable, annoying but only occurred once in a while and was remedied with a resync operation) until the day came: management decided to upgrade the domain from Win2k3R-something to Win2k8R2. SAM completely stopped working; it was an interesting situation to say the least.

After some testing (with profanity and throwing of objects included), we of course determined that the fault was in SAM (3.0, the latest release at the time in early January did not work). HP's response? No official timeframe to release a fix. This equated to a week of scrambling around looking for competing and "compatible" products (ala Leostream) which just ended up complicating things. The solution? An aggravating night biking back and fourth between the two labs switching the entire VDI environment over to View. Whatever it takes right?

So long story short, if you have an existing HP SAM installation that is running on a pre-Win2k8R2 domain, make sure you update to the latest revision of SAM (3.01) that was just released a couple weeks ago before migrating your domain to Win2k8R2.

For a short description of our VDI environment, please refer to:
http://communities.vmware.com/docs/DOC-9201

Script - hostops-lamw.pl

by // 1 Comment

I recently noticed a question on the ESXi forum about trying to add a host to a vCenter server that had the "SSL host certificate verification" enabled while using the vSphere SDK for Perl Utility hostops.pl on vMA. The user encountered the following error when trying to add the host:

Error:
SOAP Fault:
-----------
Fault string: Authenticity of the host's SSL certificate is not verified.
Fault detail: SSLVerifyFault

The SSL host verification is a feature that came with the release of vSphere that provides a security measure to verify the validity of a host before adding it to your VMware infrastructure. This feature is disabled by default, but when it is enabled, a user will need to accept a dialog box to confirm the SHA1 thumbprint of the host in question.

This particular use case was not handled properly by hostops.pl which caused the error message to be thrown. With a small tweak to VMware's canned script, the new and improved hostops-lamw.pl now supports adding an ESX or ESXi host into vCenter with SSL host verification enabled. You'll still be expected to verify the SHA1 thumbprint, but now you can pass this as an additional parameter which will tell vCenter that you have verified the host and add to vCenter management.

Scott Lowe originally wrote an article on how to verify the SHA1 thumbprint for both an ESX and ESXi host.

On ESX you can run the following:

openssl x509 -sha1 -in /etc/vmware/ssl/rui.crt -noout
-fingerprint

On ESXi, the only real way to verify is by looking at the DCUI's "View Support Information":

However, if you truly trust the ESX or ESXi host that you're going to add to vCenter, there is an alternative way of retrieving the SHA1 thumbprint using the vCLI's vifs and the modified hostops-lamw.pl.

By default, you'll be able to point your web browser to https://[hostname]/host/ssl_cert to see actual SSL certificate on your host, assuming this functionality is not disabled. What you can do is download the ssl_cert to vMA or system with vCLI installed and query for the SHA1 hash and provide that as input to hostops-lamw.pl.

Download: hostops-lamw.pl

Step 1. Download hostops-lamw.pl to either vMA or system running vCLI copy it to the following path:

vMA or Linux host /usr/lib/vmware-cli/apps/host
Windows C:\Program Files\VMware\VMware vSphere CLI\Perl\apps\host

Step 2. Download the ssl_cert to vMA:

[vi-admin@scofield ~]$ vifs --server esxi4-1.primp-industries.com --username root --get "/host/ssl_cert" esxi4-1.primp-industries.com-ssl_cert
Enter password:

Downloaded file to esxi4-1.primp-industries.com-ssl_cert successfully.

Step 3. Get the SHA1 thumbprint from the ssl_cert you downloaded:

[vi-admin@scofield ~]$ openssl x509 -sha1 -in esxi4-1.primp-industries.com-ssl_cert -noout -fingerprint
SHA1 Fingerprint=79:BB:39:09:F6:E5:91:BD:B0:C3:F3:09:B4:38:50:FB:ED:9C:53:A5

Step 4. Use the modified hostops-lamw.pl and the new --sslthumbprint providing the SHA1 thumbprint (remember to double quote it) along with the other required input to add the host to vCenter:

[vi-admin@scofield ~]$ ./hostops-lamw.pl --server reflex.primp-industries.com --username primp --operation addhost --target_host esxi4-1.primp-industries.com --target_username root --target_password 'password' --sslthumbprint "79:BB:39:09:F6:E5:91:BD:B0:C3:F3:09:B4:38:50:FB:ED:9C:53:A5" --cluster virtual-cluster
Host 'esxi4-1.primp-industries.com' added successfully

Script - Updated vSphere Health Check 4.0.8

by // Leave a Comment

Check the latest update to popular vSphere Health Check Script which has now gone to v4.0.8!

One new change that you'll notice is the two additional menu options at the top of the report when you running the report against a vCenter server.

VPX Settings - All configured vCenter settings

VMware/3rd Party Applications - Display any registered VMware/3rd party applications running within a VM

For a list of other changes, please take a look at the vSphere Health Check Script change log.

Give the new script a try and let me know if have any problems or would like to see other features included in a future release.