WilliamLam.com


Search Results for: ovftool

Default hashing algorithm changed in OVFTool 4.2 preventing OVF/OVA import using vSphere C# Client

11.18.2016 by William Lam // 11 Comments

After upgrading my home lab recently to vSphere 6.5, I also updated some of the related utilities such as the various SDKs and CLIs. One of the CLIs that I had updated was the latest version of OVFTool which is now at 4.2. I use OVFTool extensively to automate various Virtual Machine deployments (import/export). While testing out a new OVA that I had been working on, I needed to verify that it also worked with previous releases of vSphere like vSphere 6.0 Update 2. I happened to have the vSphere C# Client open and connected to a vCenter Server, and when I tried to import the newly created OVA, it failed with the following error message:

The following manifest file entry(line1) is invalid: SHA256

I was pretty surprised by this since I went through this exact same workflow a couple of days ago without any problems. The only change that had happened was OVFTool, and the error seems to indicate an issue with the hashing algorithm. I ran OVFTool again using just the --help option to check what the default SHA hashing algorithm was; it was SHA256. I then compared that to an older version of OVFTool and it looks like the default had changed from SHA1 to SHA256.

From a security standpoint, this is a positive change as SHA1 is no longer considered a secure hashing algorithm and a stronger version should be used. It also turns out that the vSphere C# Client can only support SHA1, which is why I received the error after upgrading to the new version of OVFTool. Luckily, this is NOT a problem when using the vSphere Web Client or the vSphere HTML5 Client and only affects the vSphere C# Client. If you do need to use the vSphere C# Client for importing OVF/OVAs exported from the latest version of OVFTool, the workaround is quite simple: override the default hashing algorithm when exporting by adding the additional CLI option:

--shaAlgorithm=sha1
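
An added example (not from the original post or from OVFTool): a Python check that reads an OVA's manifest, reports which hash algorithm it uses, and verifies each listed digest, so you can tell before import whether a SHA1-only client will accept the package. The `ALGO(filename)= digest` line format follows the OVF manifest convention; the sample OVA and its file names are constructed.

```python
import hashlib, io, re, tarfile

# OVF manifest (.mf) line format: ALGO(filename)= hexdigest
MF_LINE = re.compile(r"^(SHA1|SHA256)\((.+)\)\s*=\s*([0-9a-fA-F]+)$")

def parse_manifest(text):
    """Return [(algo, filename, digest)]; raise on any line that does not parse."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = MF_LINE.match(line.strip())
        if not m:
            raise ValueError(f"manifest line {n} is invalid: {line!r}")
        entries.append((m.group(1), m.group(2), m.group(3).lower()))
    return entries

def check_ova(ova_bytes):
    """Verify every manifest digest in an OVA (a tar archive).
    Returns (algorithms used, files whose digest is missing or wrong)."""
    with tarfile.open(fileobj=io.BytesIO(ova_bytes)) as tar:
        members = {m.name: tar.extractfile(m).read()
                   for m in tar.getmembers() if m.isfile()}
    mf_name = next(n for n in members if n.endswith(".mf"))
    entries = parse_manifest(members[mf_name].decode("utf-8"))
    bad = [name for algo, name, digest in entries
           if name not in members
           or hashlib.new(algo.lower(), members[name]).hexdigest() != digest]
    return sorted({algo for algo, _, _ in entries}), bad

def build_sample_ova(algo, tamper=False):
    """Constructed sample: a tiny OVA-shaped tar, not a real appliance."""
    files = {"demo.ovf": b"<Envelope/>", "demo-disk1.vmdk": b"\x00" * 512}
    mf = "".join(f"{algo.upper()}({n})= {hashlib.new(algo, d).hexdigest()}\n"
                 for n, d in files.items())
    if tamper:  # disk changed after the manifest was written
        files["demo-disk1.vmdk"] = b"\x01" * 512
    files["demo.mf"] = mf.encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

if __name__ == "__main__":
    for algo in ("sha1", "sha256"):
        algos, bad = check_ova(build_sample_ova(algo))
        print(algos, "mismatches:", bad, "SHA1-only client OK:", algos == ["SHA1"])
```

The manifest only detects changes made after it was written; it does not authenticate who produced the package.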

Categories // OVFTool, vSphere Web Client Tags // ova, ovf, ovftool, sha1, sha256

Quick Tip - Using ovftool to connect to vCloud Director behind a 2-Factor Authentication portal

06.08.2015 by William Lam // 2 Comments

A couple of months back I ran into an issue while trying to upload a couple of files to VMware's internal OneCloud environment which uses vCloud Director. The issue that I encountered was that our OneCloud environment no longer supported basic username/password authentication, which I was hoping to automate using ovftool. Instead, it is now front-ended with VMware Application Manager which requires 2-Factor Authentication (2FA) and once authenticated, a SAML token is then passed to vCloud Director which then automatically logs you in.

The problem with this is that ovftool cannot be used to directly log in to vCloud Director as it does not have support for 2FA, which makes automating operations against our OneCloud environment pretty difficult. After spending a few days looking for an alternative and not having any luck, my last hope was to reach out to the ovftool developers to see if they had seen this before.

After a few email exchanges, I found that although ovftool does not support 2FA, you can still get this to work using session ticket authentication, which it does support through either the --I:sourceSessionTicket or --I:targetSessionTicket option. To get more details on these options, you can run the following ovftool command:

ovftool --help integration

In order to use this session ticket mechanism to authenticate into a 2FA environment, you must first log in manually using a web browser. Once you have successfully logged in, you will need to use either the browser's developer tools or something like Firebug to record the authenticated vCloud Director cookie, which will then be passed to ovftool.

In this example, I am using Chrome and you can find the Developer Tools by going to Options->More Tools->Developer Tools. Next, refresh the webpage so you are able to see the web requests between your browser and vCloud Director. Now navigate to Network->Cookies option and select any one of the requests to the left of the screen such as "amf".

What you will be looking for is the value of the cookie named "vcloud_session_id", which is the authenticated session that we will provide to ovftool. Once you have that value, you can then specify the connection to ovftool using the following:

ovftool --I:targetSessionTicket=[VCLOUD_SESSION_ID_VALUE] vcloud://...

I had known that ovftool supported session based tickets, however I did not realize it could be used to authenticate behind a 2FA solution like VMware Application Manager. For folks interested in using ovftool and session based tickets directly with vSphere, check out this awesome post by my good friend Jake Robinson who demonstrates this using PowerCLI, ovftool and the AcquireCloneTicket() vSphere API method.

Categories // Automation, OVFTool Tags // ovftool, SAML, vcd, vcloud director, vSphere API

Quick Tip - How to upload files to vCloud Air On-Demand using ovftool?

05.04.2015 by William Lam // 4 Comments

I have recently spent some time playing around with the new vCloud Air On-Demand offering and with the free $300 credit promotion which I am currently using, it is an easy and painless way of evaluating vCloud Air. A common operation that many of you will most likely be performing when you first get set up is uploading content to be used within vCloud Air. You can do this by either using the UI in vCloud Director OR you can use one of my favorite command-line tools called ovftool.

To assist with using ovftool, I have created a simple shell script called upload-to-vca.sh which wraps ovftool and you simply just need to fill out a couple of required variables and the script will automatically handle the rest.

Note: Though the script is specifically for a *nix/Mac OS X environment, the ovftool syntax is exactly the same for a Windows based environment. You just need to change the variable type and can then easily get this working on a Windows system using a simple batch or PowerShell script.

There are four pieces of information that you will need to pull from your vCloud Air On-Demand environment which will map to the following variables:

  1. VCA_URL - This is the vCloud Director URL found when logging into your vCloud Air On-Demand instance
  2. VCA_ORG_NAME - This is the name of your Organization for your vCloud Air On-Demand, it will be in a UUID type format
  3. VCA_ORG_VDC_NAME - This is the name of your Virtual Datacenter that you would need to create when initially logging in
  4. VCA_CATALOG_NAME - This is the vCloud Director Catalog name, by default it is called "default-catalog" unless you go into vCloud Director to create a custom one

To find the VCA_URL you just need to look at the base of the URL when logged into your vCloud Air On-Demand instance; in my example it is us-california-1-3.vchs.vmware.com. To find the VCA_ORG_VDC_NAME, look under the "Virtual Data Centers" section as seen in the screenshot below. In my example, it is called vGhetto-VDC.

using-ovftool-to-upload-to-vcloud-air-on-demand-0
To find the next two variables, you will need to open up the vCloud Director UI. To do so, just right click on the name of your VDC and select "Manage Catalogs in vCloud Director". Once logged in, you can find the VCA_ORG_NAME by looking at the URL after the /org/ entry (which you can copy/paste), but it is also displayed at the upper left corner when you first log in. In my example, it is the b51b26... Finally, to find the VCA_CATALOG_NAME you just need to click on the Catalogs tab; by default vCloud Air will use default-catalog as the name of your private Catalog. If you decide to create a new one, then you will need to use that name instead.

Once we have all four of the variables filled out based on our vCloud Air On-Demand instance, we also need to specify within the script whether we want to upload an ISO/floppy image or an OVA/OVF. There are two examples in the script; just un-comment the one you wish to run. Once you have completed editing the script, you can go ahead and run it, and it will prompt you for your vCloud Air credentials, which are the ones you used to initially sign into vchs.vmware.com.

Here is an example of uploading an OVF to my vCloud Air On-Demand VDC:

using-ovftool-to-upload-to-vcloud-air-on-demand-2
In my environment, I have uploaded both a Nested ESXi OVF template which should be stored under the vApp Templates tab as well as an ESXi 6.0 ISO which will be stored under the Media & Other section as shown in the screenshots below.

using-ovftool-to-upload-to-vcloud-air-on-demand-3

using-ovftool-to-upload-to-vcloud-air-on-demand-4
At this point, I can now consume both my OVF and ISO either directly in the vCloud Director UI or I can jump back to my vCloud Air UI and consume it that way as shown in the screenshot below.

using-ovftool-to-upload-to-vcloud-air-on-demand-5
If you have a lot of content to upload or just prefer using the CLI (like I do), then this is a great way to easily upload content so that it is accessible in vCloud Air.

Categories // Automation, OVFTool, vCloud Air Tags // ovftool, vCHS, vcloud air


Author

William is Distinguished Platform Engineering Architect in the VMware Cloud Foundation (VCF) Division at Broadcom. His primary focus is helping customers and partners build, run and operate a modern Private Cloud using the VMware Cloud Foundation (VCF) platform.
