vcva – Page 30

VCSA (vCenter Server Appliance) 5.1 VCDB & SSODB Password

11.19.2012 by William Lam // 2 Comments

I recently helped answer a question internally about the default credentials to the VCSA 5.1 (vCenter Server Appliance) vCenter Server and SSO (Single-Sign On) Database for troubleshooting purposes. I thought I share the details in case this might help others.

With the release of the vSphere 5.1, the VCSA now runs VMware's vPostgres database for both the VCDB and SSODB. You should also know there is no default credentials for the database as the passwords are automatically generated during the initial application install and the database password will be unique on every VCSA.

However, you can still retrieve the password for both the VCDB as well as SSODB (this took a bit of digging in the appliance).

Disclaimer: You should not have any reason to go into the actual DB of either vCenter Server or SSO other than potential troubleshooting with VMware Support. Please use caution if you do choose to connect to the DB, as you can potentially impact your system.

VCDB Credentials:
You can view the credentials for the VCDB in the following file: /etc/vmware-vpx/vcdb.properties

Here is a screenshot of the file content as well as using psql client located on the VCSA (/opt/vmware/vpostgres/1.0/bin/psql) to connect to the VCDB:

SSODB Credentials:
You can view the credentials for the SSODB in the following file: /usr/lib/vmware-sso/webapps/lookupservice/WEB-INF/classes/config.properties

Here is a screenshot of the file content as well as using psql client located on the VCSA to connect to the SSODB:

vGhetto Lab #NotSupported Slides Posted

10.17.2012 by William Lam // Leave a Comment

As promised, here are slides to my #NotSupported session at VMworld Europe which I continued the theme of home labs with my vGhetto Lab #NotSupported presentation.

The idea behind the vGhetto Lab is to easily setup a vSphere home lab without too much effort and most importantly, leveraging as little resources as possible. This is all accomplished with the following:

Physical host running ESXi 5.x
ESXi 5.x offline depot image
VCSA 5.x (vCenter Server Appliance)

In addition to the above, you will also need to download the vGhetto Lab scripts which are shown in the video.
Here are some additional details on how to quickly get setup with your own vGhetto Lab.

Step 1 - After installing ESXi 5.x on your physical host, you will need to deploy the VCSA. Make sure you add a second network interface to VCSA as shown in the presentation. In my example, I created another vSwitch with no uplinks and portgroup for Auto Deploy network

Step 2 - Once the VCSA is powered on, go ahead and SCP the scripts to virtual machine. The first script that we will need to execute is the setupNetwork.sh and you will need to edit the following variables:

VCENTER_IP_ADDRESS_1=192.168.1.150
VCENTER_NETMASK_1=255.255.255.0
VCENTER_GATEWAY=192.168.1.1
VCENTER_IP_ADDRESS_2=172.30.0.1
VCENTER_NETMASK_2=255.255.255.0
VCENTER_HOSTNAME=vcenter.primp-industries.com
DOMAIN_LIST=primp-industries.com
DNS_LIST=192.168.1.1

Note: To ensure that you do not accidentally run the script without changing out the variables, there is another variable called ACTUALLY_READ_SCRIPT that needs to be changed from "no" to "yes" else the script will not execute.

Step 3 - Next we need to configure the vCenter Server, we will need to execute the configureVCSA51.sh which will configure the embedded SSO Database as well as the database of the vCenter Server. You do not need to edit any variables in this script

Step 4 - Finally, we need to configure our DHCP, TFTP, Auto Deploy services as well extracting the ESXi offline depot image and preparing it for use with Auto Deploy. You will need to edit the following variables before running the setupvGhettoLab.sh script.

DHCP_SUBNET=172.30.0.0
DHCP_NETMASK=255.255.255.0
DHCP_START_RANGE=172.30.0.100
DHCP_END_RANGE=172.30.0.200
DHCP_INTEFACE=eth1
TFTP_SERVER=172.30.0.1
VCSA_SERVER=192.168.1.150
ESXI_OFFLINE_DEPOT=/root/VMware-ESXi-5.1.0-799733-depot.zip
ESXI_REPO_PATH=/etc/vmware-vpx/docRoot
ESXI_REPO_DIR=ESXi-5.1.0

Note: For the Image Profile and Auto Deploy rule creation, if you wish for the script to execute them automatically versus echoing to the screen, remove the "echo" statement as well as the double quotes from the following so the last three lines look like this:

pxe-profile-cmd create $(cat /tmp/VIBS) ${ESXI_REPO_DIR}
rule-cmd create -i pxe:${ESXI_REPO_DIR} ${AUTO_DEPLOY_RULE} vendor=='VMware, Inc.'
rule-set-cmd set ${AUTO_DEPLOY_RULE}

Step 5 - You are now ready to create your nested ESXi virtual machines. You can use RVC as shown in the presentation (there is a slide at the very end which lists the commands) or you can connect to vSphere Web Client and create the ESXi virtual machines the traditional way via the GUI.

After updating the DHCP configurations with the new MAC Addresses from your nested ESXi virtual machines, you should then see Auto Deploy automatically provision your ESXi hosts and join them to the VCSA you deployed earlier.

Additional Links:

vInception #NotSupported Slides Posted

Changing VCSA Failed Login Attempt & Lock Out Period

10.05.2012 by William Lam // 2 Comments

I was going through my twitter-feed this morning and came across an interesting article by @herseyc Locked out of the vCenter Server Virtual Appliance. I recommend you give Hersey's article a read as it contains some very useful information about failed login attempts to the VCSA (vCenter Server Appliance).

There was a question posed at the end of the article on how to increase the number of login attempts before an account would be locked out. The answer is to simply modify one of the PAM modules on the VCSA, specifically /etc/pam.d/common-auth

The system default for login attempts before locking out an account is 3 and you can modify this by changing the following line, where X is the number of attempts:

auth requisite pam_tally.so deny=X

You also have the option of specifying an "unlock" time which will lock the account for the specified period of time after reaching the max failed login attempts. This can useful if you do not want to manually reset a user account due to a user fat fingering a password. For more details about these parameters, you can search on Google or refer to this article.

Note: The login attempts here is specific to the OS system login on the VCSA (5.0 & 5.1) and not vCenter Server. If you successfully login before hitting the maximum attempts, the tally will automatically reset back to 0.

In vSphere 5.1, and with the use of vCenter SSO, you now have an easy way of controlling password and lock out policy using the new vSphere Web Client. Here is a screenshot of where the configurations are located at:

Note: These policies only pertain to identity sources connected to vCenter SSO and not OS system logins.