WilliamLam.com

vCenter Server 6.0 Tidbits Part 10: Automating SSO Admin configurations

by // 4 Comments

A common request that I have heard from customers is to have the ability to automate vCenter Single Sign-On configurations from a programmatic standpoint. Unfortunately, this is currently not possible today as a public API does not exist for SSO. Having spent some time exploring the underlying vmdir database which is just an LDAP-based system (here & here) and learning about a way to update a particular key per KB2070433 within the vmdir database which I have shown here and I have found here, I wanted to see if it was possible to query for these specific SSO Admin configurations and also be able to update these properties.

Disclaimer: Please take extreme caution when connecting to the vmdird database. You should take extreme care in making changes while in the database else you can negatively impact your environment.

There are three main sections to the SSO Admin configurations that can be seen from the vSphere Web Client:

  • Password Policies
  • Lockout Policy
  • Token Policy

For each section, I have provided the specific ldapsearch query (please refer to this article as per-requisite) which can either be run directly on the VCSA if you are using that or a system that includes the ldapsearch command. You will need to replace the text highlighted in blue with your own environment details.

Password Policies & Lockout Policy

To view the following set of configurations, here is the ldapsearch query to use:

/opt/likewise/bin/ldapsearch -h 192.168.1.70 -w 'VMware1!' -x -D "cn=Administrator,cn=Users,dc=vghetto,dc=local" -b "cn=password and lockout policy,dc=vghetto,dc=local"

automate-sso-configuration-3
Here is a screenshot of the Password Policies as seen in the vSphere Web Client and their corresponding LDAP property names:

automate-sso-configuration-0

UI Setting LDAP Attribute Name
Maximum lifetime vmwPasswordLifetimeDays
Restrict reuse vmwPasswordProhibitedPreviousCount
Maximum lenght vmwPasswordMaxLength
At least special character vmwPasswordMinSpecialCharCount
At least alphabetic character vmwPasswordMinAlphabeticCount
At least uppercase character vmwPasswordMinUpperCaseCount
At least lowercase character vmwPasswordMinLowerCaseCount
At least numeric character vmwPasswordMinNumericCount
Identical adjacent Characters vmwPasswordMaxIdenticalAdjacentChars

Here is a screenshot of the Lock Policy as seen in the vSphere Web Client and their corresponding LDAP property names:

automate-sso-configuration-1

UI Setting LDAP Attribute Name
Maximum number of failed login attempts vmwPasswordChangeMaxFailedAttempts
Time interval between failures vmwPasswordChangeFailedAttemptIntervalSec
Unlock time vmwPasswordChangeAutoUnlockIntervalSec

Token Policy

To view the following configuration, here is the ldapsearch query to use:

/opt/likewise/bin/ldapsearch -h 192.168.1.70 -w 'VMware1!' -x -D "cn=Administrator,cn=Users,dc=vghetto,dc=local" -b "cn=Tenants,cn=IdentityManager,cn=Services,dc=vghetto,dc=local" -s sub "objectclass=vmwSTSTenant"

automate-sso-configuration-4
Here is a screenshot of the Token Policy as seen in the vSphere Web Client and their corresponding LDAP property names:

Token Policy

automate-sso-configuration-2

UI Setting LDAP Attribute Name
Clock tolerance vmwSTSClockTolerance
Maximum token renewal count vmwSTSRenewCount
Maximum token delegation count vmwSTSDelegationCount
Maximum bearer token lifetime vmwSTSMaxBearerTokenLifetime
Maximum holder-of-key token lifetime vmwSTSMaxHolderOfKeyTokenLifetime

Now that we know how to query for a particular SSO Configuration, here is how you can modify one of these properties. In the example below, we will be changing the life time of a password which dictates the frequency in which you need to change an SSO user's password. Using the "Password Policies" table above, we can see the that property name is called vmwPasswordLifetimeDays

To modify an LDAP entry, we will need to first create a file that contains the change, in the example here we are going to name it change.ldif and it should contain the following where the "replace" keyword shows which property is getting modified and the next line after shows the value that it will be changed to.

dn: cn=password and lockout policy,dc=vghetto,dc=local
changetype: modify
replace: vmwPasswordLifetimeDays
vmwPasswordLifetimeDays: 30

To apply the change, we will now run the following ldapmodify command and specifying our change.ldif configuration file:

/opt/likewise/bin/ldapmodify -f change.ldif -h 192.168.1.70 -D "cn=Administrator,cn=Users,dc=vghetto,dc=local" -w 'VMware1!'

automate-sso-configuration-5
If the change was successful, you can confirm by either querying the property again using the ldapquery command or just refreshing the SSO Configurations using the vSphere Web Client.

Quick Tip - Using HTTP(s) proxy for connecting to 3rd party Content Library in vSphere 6.0

by // 11 Comments

A couple of weeks back I was asked by a customer who was interested in subscribing to my 3rd Party Content Library which hosted several of my Nested ESXi and VSAN OVF Templates. The problem was that in his environment, like many others, he did not have direct access internet access from within vCenter Server for the Content Library subscription to be created. The customer was wondering if the Content Library feature supported a proxy server which is a very common method for Enterprise customers to provide access to external sites requiring internet access. The Content Library Service does provide a way to configure a proxy server and below are the instructions for configuring both the VCSA and vCenter Server for Windows.

UPDATE (09/27/17): As of vSphere 6.5 Update 1, the Proxy Configurations for the Content Library has been pulled directly into the service itself and you no longer have to manually edit the Java wrapper.conf files. You can now access the proxy configurations by using the vSphere Web Client going to Administration->System Configuration->Services->Content Library Service->Transfer Service as shown in the screenshot below. For 6.0 and 6.5, you will need to continue to follow the instructions below on editing the wrapper.conf file.

vCenter Server Appliance (VCSA)

The configuration file that you will need to edit is /usr/lib/vmware-vdcs/wrapper/conf/wrapper.conf and below are the three lines to add:

wrapper.java.additional.20=-Dhttps.proxySet=true
wrapper.java.additional.21=-Dhttps.proxyHost=proxy.server.com
wrapper.java.additional.22=-Dhttps.proxyPort=8080

Once you have saved your changes, you will need to restart the Content Library service for the changes to go into effect by running the following command:

/etc/init.d/vmware-vdcs restart

The proxy server will now be used and assuming the proper ACL's have been added on the proxy server itself to allow traffic from your vCenter Server to the appropriate destination site, you should now be able to use the Content Library to subscribe to my 3rd Party Content Library.

vCenter Server for Windows

The configuration file that you will need to edit is C:\Program Files\VMware\vCenter Server\vdcs\wrapper\conf\wrapper.conf and below are the three lines to add:

wrapper.java.additional.20=-Dhttps.proxySet=true
wrapper.java.additional.21=-Dhttps.proxyHost=proxy.server.com
wrapper.java.additional.22=-Dhttps.proxyPort=8080

Once you have saved your changes, you will need to restart the Content Library service for the changes to go into effect by going to the Windows services panel.

content-library-service

vCenter Server 6.0 Tidbits Part 8: Useful ldapsearch queries for vmdird

by // Leave a Comment

Last week I demonstrated how you can connect to the VMware Directory Service (vmdird) in vSphere 6.0 using JXPlorer, a graphical LDAP browser to extract useful information such as all the deployed vCenter Servers and Platform Services Controllers in your environment. I have also shown in past articles on how you can also retrieve this information programmatically which I have described here and here. Since vmdird is an LDAP-based system, we can also easily retrieve this information using simple LDAP commands that you may already be familiar with.

Disclaimer: Please take extreme caution when connecting to the vmdird database, this is primary for educational purposes. You should take extreme care in making changes while in the database else you can negatively impact your environment.

For performing search queries within an LDAP system, we can use the ldapsearch command which is available among other commands within the VCSA as well as other *NIX based system including Mac OS X. You can use this command to connect to both Windows and the VCSA running either an Embedded deployment or just the Platform Services Controller services.

Below are three useful ldapserach queries for identifying all deployed vCenter Servers and Platform Services Controllers including the SSO Site Name. The parameters highlighted below in blue will need to be modified based on your environment. The -h parameter specifies the Hostname/IP Address of your PSC, the -w parameter is the SSO Administrator password and the dc property is the name of SSO Domain.

Finding all deployed vCenter Servers:

/opt/likewise/bin/ldapsearch -h psc-01.primp-industries.com -w 'VMware1!' -x -D "cn=Administrator,cn=Users,dc=vghetto,dc=local" -b "ou=Computers,dc=vghetto,dc=local" -s one "objectclass=computer" cn

useful-ldapqueries-to-platform-services-controller-0
Finding all deployed Platform Service Controllers:

/opt/likewise/bin/ldapsearch -h psc-01.primp-industries.com -w 'VMware1!' -x -D "cn=Administrator,cn=Users,dc=vghetto,dc=local" -b "ou=domain controllers,dc=vghetto,dc=local" -s one "objectclass=computer" cn

useful-ldapqueries-to-platform-services-controller-1
Finding SSO Site Name:

/opt/likewise/bin/ldapsearch -h psc-01.primp-industries.com -w 'VMware1!' -x -D "cn=Administrator,cn=Users,dc=vghetto,dc=local" -b "cn=Sites,cn=Configuration,dc=vghetto,dc=local" "objectclass=container"

useful-ldapqueries-to-platform-services-controller-2