WilliamLam.com

Is vCenter Server & ESXi hosts using VMware Certificate Authority (VMCA) or custom CA certificates?

by // 3 Comments

Customers have two primary methods of managing TLS certificates for their ESXi hosts, they can either use the built-in VMware Certificate Authority (VMCA) which is part of vCenter Server or Custom CA Certificates. I will not go into the gory details, but you can read more about the options here in our documentation.

A question that I had received recently was whether you can determine the type of certificate an ESXi host was provisioned with and whether this could be programmatically retrieved using the vSphere API? The answer is yes. In vSphere 6.0, we introduced a CertificateInfo property which contains a number of fields including status, issuer, expiry and subject details and by inspecting either the issuer or subject property, you can determine the type of certificate on the ESXi host.

Here is a screenshot of the data using the vSphere MOB for an ESXi host that has VMCA-based certificate:


Here is a screenshot of the data using the vSphere MOB for an ESXi host that has custom CA certificate:


As you can see, for VMCA-based certificate the issuer's OU will have value of "VMware Engineering" and subject's emailAddress will have value of "*protected email*".

[Read more...]

New VMware Configuration Maximum Tool

by // 1 Comment

VMware has just released a new web-based tool that will enable customers to easily view and compare product configuration maximums across different VMware product versions. You can access the easy to remember URL by going to: https://configmax.vmware.com

In this first release of this tool, customers will have the ability to look up configuration maximums for vSphere (includes VSAN) which will initially support vSphere 6.0, vSphere 6.5, vSphere 6.5 Update 1 & the recently released vSphere 6.7 as well as comparing across versions. To view the existing vSphere configuration maximum, simply click on the "Get Started" button.


As you can see from the screenshot below, you now have a single place where you can view the vSphere configuration maximums across different versions. Once you have selected the target version, you can either view all maximums or you can selectively choose the sections you are interested in.


The other really neat feature is the ability to compare the configuration maximums across different vSphere versions. This is really useful for customers to be able to quickly tell what improvements and enhancements have been made, especially as customers plan for vSphere upgrades. To begin, simply click on the "Compare Limits" button at the top. Next, select  the target vSphere version and then you can add one or more versions to compare against.


Once you click on the Compare button, a new window will popup providing you the comparison between the target and selected vSphere versions. You can quickly see how the maximums have changed across these vSphere versions. You can even export the results to Excel by click on export option on the upper right hand corner and you be prompted to save a CSV file.


I can tell you, this definitely beats having to manually Google for the correct vSphere configuration maximum document since I can never remember the long URL to the static PDF documents! I am excited to see the improved user experience when consuming our product maximums and I know the team will be working on adding more products and features in the future. Definitely keep an eye on this site and also be sure to update your bookmarks. If you have any feedback or things you would like to see, feel free to leave a comment and I will make sure it reaches the Product and Development teams.

Workarounds for deploying PhotonOS 2.0 on vSphere, Fusion & Workstation

by // 2 Comments

PhotonOS 2.0 was just released last week and it includes a number of exciting new enhancements which you can read more about here. Over the last few days, I had noticed quite a few folks having issues deploying the latest PhotonOS OVA, including myself. I figure I would share the current workarounds after reaching out to the PhotonOS team and seeing the number of questions both internally and externally.

Deploying PhotonOS 2.0 on vSphere

If you are deploying the latest OVA using either the vSphere Web (Flex/H5) Client on vCenter Server or the ESXi Embedded Host Client on ESXi, you will notice that the import fails with the following error message:

The specified object /photon-custom-hw13-2.0-304b817/nvram could not be found.


This apparently is a known issue with the vSphere Web/H5 Client bug with exported vHW13 Virtual Machines. As I understand it, the actual fix did not make it in the latest vSphere 6.5 Update 1 release, but it should be available in a future update. After reporting this issue to the PhotonOS team as I ran into this myself, the team quickly re-spun the vHW11 OVA (since that image also had a different issue) which can now be imported into a vSphere environment using any of the UI-based Clients and/or CLIs. For now, the workaround is to download PhotonOS 2.0 "OVA with virtual hardware v11" if you are using vSphere OR you can install PhotonOS using the ISO.

Deploying PhotonOS 2.0 to Fusion/Workstation

UPDATE (11/08/17) - The PhotonOS team just published an additional OVA specifically for Fusion/Workstation which uses LSI Logic storage adapter as PVSCSI is currently not supported today. You can easily import latest PhotonOS 2.0 without needing to tweak the OVF as mentioned in the steps below, simply download the OVA with virtual hardware v11(Workstation and Fusion) and import normally via UI or CLI.

If you are deploying either of the vHW11 or vHW13 OVA to Fusion/Workstation, you see the following error message:

Invalid target disk adapter type: pvscsi


The reason for this issue is that neither Fusion/Workstation currently support the PVSCSI storage adapter type which the latest PhotonOS OVA uses. In the meantime, a workaround is to edit the OVA to use the LSI Logic adapter instead of the PVSCSI. Below are the steps to convert the OVA to OVF and then apply the single line change.

Step 1 - Use OVFTool (included with both Fusion/Workstation) to convert the OVA to an OVF which will allow us to edit the file. To do so, run the following command:

ovftool --allowExtraConfig photon-custom-hw13-2.0-304b817.ova photon-custom-hw13-2.0-304b817.ovf

Step 2 - Open the photon-custom-hw13-2.0-304b817.ovf using a text editor like Visual Studio Code or VI and update the following line from:

<rasd:ResourceSubType>VirtualSCSI</rasd:ResourceSubType>

to

<rasd:ResourceSubType>lsilogic</rasd:ResourceSubType>

and save the change.

Step 3 - Delete the OVF manifest file named photon-custom-hw13-2.0-304b817.mf since the contents of the file has been updated

Step 4 - You can now import the modified OVF. If you wish to get back the OVA, you can just re-run Step 1 and use the .ova extension to get back a single file

Upgrading from Photon 1.x to 2.0

I also noticed several folks were asking about upgrading from Photon 1.0 to 2.0, you can find the instructions below:

Step 1 - You may need to run the following if you have not done so in awhile:

tdnf distro-sync

Step 2 - Install the PhotonOS upgrade package by running the following command:

tdnf install photon-upgrade

Step 3 - Run the PhotonOS upgrade script and answer 'Y' to start the upgrade:

photon-upgrade.sh