Learning VSAN: Part 3 - Storage Policies and VSAN

In the last two posts of this series we discussed the VSAN architecture and walked through the steps needed to configure VSAN. If you missed the earlier posts of this series, you can read them here:

1: Overview and Architecture of VSAN

2: Installation and Configuration

In this post we will discuss Storage Policies and their role in a vSAN environment.

Storage policy based management is an important part of software defined storage and the software defined datacenter. VMware vSAN is one of the most robust and complete implementations of storage policy based management.

When you use Virtual SAN, you can define virtual machine storage requirements, such as performance and availability, in the form of a policy. The policy requirements are then pushed down to the Virtual SAN layer when a virtual machine is being created. The virtual disk is distributed across the Virtual SAN datastore to meet the requirements.

When you enable Virtual SAN on a cluster, a single Virtual SAN datastore is created which represents all the storage in vSAN cluster. In addition, enabling Virtual SAN configures and registers Virtual SAN storage providers.

You can locate the vSphere storage providers by navigating to vCenter Server > Manage > Storage Providers.

This is where you see a VASA enabled (capable) disk array. With vSAN, this registration is supposed to happen automatically for each of the ESXi hosts that are part of the vSAN cluster.

VM storage profiles allow the capabilities of the underlying storage to be presented to administrators for easier assignment to virtual machines.

Note: if you are running an older version of vSAN, there was a known bug where vCenter Server and the vSAN cluster got out of sync, so the VASA providers were not created automatically. Because of that you cannot create storage policies. To remediate this you have to create the entries for the storage providers manually.

The process to create storage provider entries is fairly simple. Navigate to vCenter Server > Manage > Storage Providers.

Click on green + button and add the entries as below:

Name: Name for the storage provider

URL : http://esxi-fqdn:8080/version.xml

Username: root

Password: Password of root user on esxi host


In my case the Storage Providers were already listed, as I am using the latest version of vSAN in my lab.


Note: Only one of the providers will be active; the others will be standby.


If you select a storage provider and look at the Storage System details section, it will tell you that it is providing support for the policy based management profile.


Once you have created the storage providers, you can go ahead with creating storage policies.

Before proceeding with the creation of new storage policies, let's understand the capabilities offered by vSAN first:

vSAN Storage Capabilities

vSAN storage capabilities can be divided into 5 major categories:

Number of failures to tolerate – This option allows admins to configure the number of failures to tolerate. A failure can be a network, disk or host failure within the vSAN cluster. This value is important when designing for the resiliency of your cluster.

Number of disk stripes per object – When designing for the performance of a specific VM or group of VMs, you can determine whether you need to allow for additional capacity by striping the data across additional disk spindles. By default the value is a single spindle. If a read or write cannot be served from cache it goes to the spindle, so using more than one spindle can increase performance as needed.

Flash read cache reservation – There is the option to explicitly reserve an amount of flash capacity on the SSD for read cache on a per object basis. This is configured as a percentage of the virtual machine disk.

Object space reservation – You can also reserve a percentage of the VM disk space on the hard drives during provisioning. This would be similar to thick provisioning on a standard datastore.

Force provisioning – If a policy is created with any of the previous options and vSAN cannot provide the service, this option will forcefully provision the VM anyway. If the resources become available at a later time, vSAN will attempt to bring the VM back into compliance.

Let’s jump into creating storage policy now.

1: To create storage policies, navigate to the vCenter Server home screen and click on VM Storage Policies.


On the VM Storage Policies page, click on the create icon to create a new policy.

On the Create New VM Storage Policy wizard page, provide a name and description for the policy and hit Next.


Next is to create a Rule Set.

In this example we are going to create a policy for high availability of a VM.

Click on <Add Rule> and select Number of failures to tolerate.

Number of Failures to Tolerate indicates resiliency against host, network, or disk failures in the cluster. Increasing this number will cause VSAN to create copies of the object on additional hosts, up to 4 copies in total, which would allow for three concurrent failures without data loss.


Click on Next to continue.

Select the compatible datastore from the list and hit Next.


On the Ready to complete page, review your settings and hit Finish to close the wizard.


Select the newly created policy and click on the Summary tab; you will see it shows 0 Non-Compliant VMs, 0 Compliant VMs and 0 Unknown VMs. This is because we have not applied this policy to any VM yet.


Now that our policy has been created, let's apply it to one of the VMs.

To apply the storage policy to a VM, right click on the VM and select VM Policies > Edit VM Storage Policies.

Change the VM storage policy from Datastore Default to the one you created (Tier-1 in our example) and hit OK.


If you go to VM Storage Policies again and click on the Summary page, it will tell you whether the VM to which you applied the storage profile is compliant or not. If you are seeing a non-compliant VM, it means vSAN doesn't support the capabilities you defined in the storage profile.


I hope you enjoyed reading this post. Feel free to share this on social media if it is worth sharing. Be sociable :)


Learning VSAN: Part 2 - Installation and Configuration

In our last post, Overview and Architecture of VSAN, we learnt what vSAN is, why one should use vSAN in their environment and what the architecture of vSAN is.

In this post we will look at how to install and configure VSAN in a lab/production environment.

Note: I am using vSAN 6.X in my lab.

Installation Requirements:

VMware KB-2106708 lists all the requirements for installing VSAN 6.X in greater detail. Here are the minimum requirements to build a VSAN lab:

1: Minimum of 3 ESXi 6.0 hosts that will contribute to storage

2: At least one SSD and one hard disk per host

3: VMkernel port configured for VSAN traffic

4: 1 GB network for a small lab/test environment (for production VMware recommends 10 GB)

vSAN uses the locally attached storage of the ESXi hosts to create a clustered datastore. vSAN is a software feature built into the hypervisor (ESXi).

VSAN can be used in two modes: hybrid or all-flash.

In hybrid mode we need at least one HDD and one SSD in each of the ESXi hosts participating in the vSAN cluster. The SSDs typically don't contribute to the storage capacity; they do only read caching and write buffering. The aggregation of HDDs from each server in the vSAN cluster forms the vSAN datastore. The SSDs of the ESXi hosts are used as read cache and write buffer in front of the HDDs, and the HDDs provide the persistent storage.

[Figure: hardware requirements for vSAN]

Lab Preparation

1: Make sure you have created a port group for VSAN and configured an appropriate uplink for this port group


2: The hosts should be associated with this port group


3: vSAN traffic is allowed on the VMkernel port group designated for vSAN


4: Make sure you have at least 3 ESXi hosts in the cluster


5: Each ESXi host has at least one SSD and one normal HDD


6: Your infrastructure is licensed for vSAN

Note: if you are running nested ESXi hosts in your lab, then check this article by Vladan Seget on how to fake a disk as an SSD disk.

Now it’s time to enable vSAN on our cluster.

Note: Disable HA on the cluster before enabling vSAN.

To enable vSAN on the cluster, login to the vSphere Web Client and select Cluster > Manage > Virtual SAN > General.

A: Click on the Configure button to enable VSAN on the cluster.


B: Select Manual for Disk Claiming and hit Next.


C: On the Network validation page, hit Next if everything looks green.


D: Select Host in the Group by option and select the individual disks from each host for the capacity tier and the cache tier. Hit Next after making your selection.


E: On the Ready to complete page, hit Finish to complete the installation wizard.


With this, the installation of vSAN is complete. We will explore vSAN more in the upcoming posts of this series.


Learning VSAN: Part 1 - Overview and Architecture of VSAN

This week a new program, “VSAN vExpert”, was launched for vExperts and I was excited to be a part of the VSAN vExpert community. I had been thinking about learning VSAN for a while but due to time constraints I was not able to do so. The launch of this vExpert program gave me an opportunity to finally try my hands on the much talked about VSAN.

Let's begin with an introduction to VSAN; then we will look into its architecture and see why it is becoming so popular among administrators these days.

What is VMware VSAN?

VMware Virtual SAN (VSAN) is a hypervisor-converged storage solution for your vSphere environment. It was built to be extremely easy to use and administer, high performance and expandable.

VMware Virtual SAN is a new software-defined storage tier for VMware vSphere, bringing the benefits of the software defined data center to storage. By clustering server hard disk and solid state drives (HDDs and SSDs), Virtual SAN creates a flash-optimized, highly resilient shared datastore designed for virtual environments.

Why should one choose VSAN?

One of the main benefits of using VSAN is simplified storage management while delivering more performance. Using VSAN, administrators get visibility into the storage layer through the virtual layer. It enables both compute and storage to be delivered to the VMs through a common virtualized platform.

VSAN can be set up as either hybrid or all-flash. In the hybrid setup the SSDs act as a cache. In the all-flash setup the SSDs act as both cache and data persistence, enabling better overall performance.

VSAN Architecture

VSAN is embedded in the vSphere kernel and optimizes the I/O path to minimize the impact on the CPU. Because it sits directly in the I/O data path, the product is able to deliver the highest levels of performance, scalability, and resilience without taxing the CPU with additional overhead. Administrators only need to create policies and assign them to VMs; VSAN automatically takes care of the rest and any changes will be applied by VSAN as well.

Virtual SAN has its own policy based approach to storage management. This management architecture enables administrators to specify storage attributes— such as capacity, performance, and availability—in the form of simple policies on a per-VM basis. These policies, governed by service-level agreements (SLAs), dynamically self-tune and load-balance the system so that each virtual machine has the right level of resources. The system can adapt to ongoing changes in workload conditions to ensure that each virtual machine has the storage resources it needs.

[Figure: VSAN architecture. Graphic thanks to VMware.com]

Virtual SAN distributed architecture leverages enterprise grade SSDs for high-performance read/write caching and HDDs for cost-effective data persistence. Using server-side storage, Virtual SAN delivers unmatched price/performance compared to other Virtual Storage Appliances (VSA) or midrange hybrid arrays in the market today. The Virtual SAN datastore granularly scales up by adding more disks or scales out by adding more hosts, allowing users to configure the system to meet their needs flexibly.

To know more about the architecture of VSAN, I would recommend reading this blog.

That's it for this post. There is a lot to talk about VSAN and we will cover it in the upcoming posts of this series.


vCloud Air Pricing Calculator

If you are looking at vCloud Air but don't know about the vCloud Air offerings and their associated prices, don't worry. VMware has a solution to this problem.

The vCloud Air Pricing Calculators below are available to help you estimate your costs of using various vCloud Air services. Configure the type of service and features you’re looking for and get pricing information quickly.

vCloud Air offers many solutions including Virtual Private Cloud, Dedicated Cloud and Disaster Recovery. To know more about the service offerings, login to the vCloud Air portal and select Service Offerings to see the list of all services offered.


Once you have selected a suitable service for your organization, you can calculate how much that service is going to cost you. To do a self calculation, login to the Public Configurator website.

Select the appropriate program type. Recently VMware switched the pricing method to SPP credits. Hit Continue after selecting the program type.


Next is to select your Country and Customer Type. Continue after making the selection.


Select VMware vCloud Air and hit Continue.


Select your region and service type.


Select the storage type, the number of months for which you want to use the service and the billing type. After making the selection, hit Next to continue.


If you want to add any add-on to your selected service type, you can do so on the next page.


After making the selection, you see a consolidated view of the selected services/add-ons and the total price for your selection.

You can also export the result to Excel.


Note: You can also use this link to use the pricing calculator for various service offerings from vCloud Air.


Using Custom Certificates in vSphere Replication

In this post we will be working on using custom (CA signed) certificates on the vSphere Replication appliance.

Unlike vCenter Server, there is no automated way of replacing the default certificates on the VR appliance; it needs a bit of manual effort. VMware has outlined the steps to do so in the official KB-2080395.

Before performing these steps, make sure you have already replaced the default certificates on your vCenter Server.

The vSphere Replication appliance ships with openssl, and you can use it to generate the certificate signing request for the vSphere Replication appliance.

Perform the following steps to replace the default certs with CA signed certs:

1: Create the openssl config file

SSH to your VR appliance and create a configuration file for the Replication appliance. The contents of this file would look like as shown below. You need to change the subjectAltName and req_distinguished_name values to match your environment.

vrs01:~ # vi vrs01.cfg

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS: vrs01, IP: 192.168.109.40, DNS: vrs01.alex.local

[ req_distinguished_name ]
countryName = IN
stateOrProvinceName = Karnataka
localityName = Bangalore
0.organizationName = Alex.Co
organizationalUnitName = Cloud
commonName = 192.168.109.40

2: Generate the certificate signing request:

vrs01:~/certs # openssl req -new -nodes -out vrs.csr -keyout vrs-orig.key -config vrs01.cfg

Generating a 2048 bit RSA private key
...............................+++
...........................................................+++
writing new private key to 'vrs-orig.key'
-----

3: Convert the key to the RSA format:

vrs01:~/certs # openssl rsa -in vrs-orig.key -out vrs01.key
writing RSA key

You will now see the following files created in your current directory:

vrs01:~/certs # ll
-rw-r--r-- 1 root root 1675 Jun 24 14:14 vrs-orig.key
-rw-r--r-- 1 root root 1171 Jun 24 14:14 vrs.csr
-rw-r--r-- 1 root root 581 Jun 24 14:09 vrs01.cfg
-rw-r--r-- 1 root root 1675 Jun 24 14:15 vrs01.key

4: Generate a signed certificate

Copy the vrs.csr file to your certificate authority and receive the signed certificate back.

  • Launch the certificate authority web interface (http://<servername>/CertSrv/)
  • Click Request a certificate > Advanced certificate request.
  • Open the certificate request in a plain text editor and copy the contents of this file, including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines, into the Saved Request box.
  • Click Web Server when selecting the Certificate Template and click Submit to submit the request.
  • Click Base 64 encoded on the Certificate issued screen and click Download Certificate.
  • Save the certificate as vrs-ca.cer

Transfer vrs-ca.cer to your VR appliance using WinSCP, selecting Text mode or ASCII mode to avoid the issue of special characters.

5: Convert the .cer file to .crt format

vrs01:~/certs # openssl x509 -in vrs-ca.cer -out vrs_01.crt

6: Convert the signed certificate to PKCS#12 format

vrs01:~/certs # openssl pkcs12 -export -in vrs_01.crt -inkey vrs01.key -name "vrs01" -passout pass:XXXXXX -out vrs01.p12

7: Add your certificate to the HMS trust store

By default vSphere Replication verifies remote server certificates using the thumbprint only. If you select the Accept only SSL certificates signed by a trusted Certificate Authority option in the VAMI, this causes vSphere Replication to verify the validity of the certificate as well as the thumbprint.

This means that the certificate authority that issued the certificates for vSphere Replication and vCenter Server must be trusted by vSphere Replication. By default, vSphere replication trusts all certificate authorities that the Java Virtual Machine trusts.

To do so, perform the following steps:

7a: Download the CA server root certificate. From the CA server home page click on “Download a CA certificate, certificate chain or CRL”. Click on Download CA certificate and save the downloaded file as Root64.cer.

7b: Copy the Root64.cer file to the VR appliance using WinSCP in Text or ASCII mode transfer settings.

7c: Run the command below to import the certificate into the HMS truststore:

/usr/java/default/bin/keytool -import -trustcacerts -alias root -file /root/certs/Root64.cer -keystore /opt/vmware/hms/security/hms-truststore.jks -storepass Jf4HXhRTLERSgT10

Note: If you get the error “keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect” while running the above command, then run the command below to find the truststore password:

/opt/vmware/hms/bin/hms-configtool -cmd list | grep truststore

On successful completion of the command you will see something like below:

Owner: CN=CASRV-CA, DC=alex, DC=local
Issuer: CN=CASRV-CA, DC=alex, DC=local
Serial number: 52e164a699c8b0a54887123a7f602a14
Valid from: Fri Jun 10 19:15:52 IST 2016 until: Thu Jun 10 19:25:51 IST 2021
Certificate fingerprints:
MD5: D2:4E:87:97:13:DD:E4:C2:2E:B1:93:22:71:A1:8A:B9
SHA1: F7:5B:70:29:C6:8C:8F:F7:25:99:49:03:95:07:44:EF:D6:4D:17:13
SHA256: 2D:CA:2E:65:BF:69:13:36:7E:83:77:01:94:06:C3:5D:84:52:2B:B7:3E:D0:6B:58:29:E0:D2:F0:F8:AA:B7:B7
Signature algorithm name: SHA256withRSA
Version: 3

Extensions:

#1: ObjectId: 1.3.6.1.4.1.311.20.2 Criticality=false
0000: 1E 04 00 43 00 41 ...C.A

#2: ObjectId: 1.3.6.1.4.1.311.21.1 Criticality=false
0000: 02 01 00 ...

#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]

#4: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]

#5: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 3B 2E D1 3C 87 92 D1 85 78 05 70 49 EE 57 45 30 ;..<....x.pI.WE0
0010: 4D E4 CC 3F M..?
]
]

Trust this certificate? [no]: Yes
Certificate was added to keystore

7d: Run the command below to verify that the certificate is now present in the HMS truststore:

vrs01:~/certs # /usr/java/default/bin/keytool -list -v -keystore /opt/vmware/hms/security/hms-truststore.jks -storepass Jf4HXhRTLERSgT10

You will see the following output:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: root
Creation date: Jun 25, 2016
Entry type: trustedCertEntry

Owner: CN=CASRV-CA, DC=alex, DC=local
Issuer: CN=CASRV-CA, DC=alex, DC=local
Serial number: 52e164a699c8b0a54887123a7f602a14
Valid from: Fri Jun 10 19:15:52 IST 2016 until: Thu Jun 10 19:25:51 IST 2021
Certificate fingerprints:
MD5: D2:4E:87:97:13:DD:E4:C2:2E:B1:93:22:71:A1:8A:B9
SHA1: F7:5B:70:29:C6:8C:8F:F7:25:99:49:03:95:07:44:EF:D6:4D:17:13
SHA256: 2D:CA:2E:65:BF:69:13:36:7E:83:77:01:94:06:C3:5D:84:52:2B:B7:3E:D0:6B:58:29:E0:D2:F0:F8:AA:B7:B7
Signature algorithm name: SHA256withRSA
Version: 3

Extensions:

#1: ObjectId: 1.3.6.1.4.1.311.20.2 Criticality=false
0000: 1E 04 00 43 00 41 ...C.A

#2: ObjectId: 1.3.6.1.4.1.311.21.1 Criticality=false
0000: 02 01 00 ...

#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]

#4: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]

#5: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 3B 2E D1 3C 87 92 D1 85 78 05 70 49 EE 57 45 30 ;..<....x.pI.WE0
0010: 4D E4 CC 3F M..?
]
]

*******************************************
*******************************************

8: Replace the certificates on the vSphere Replication appliance

Connect to the VR appliance VAMI console and log in as root: https://<VR appliance IP>:5480

Navigate to the Configuration tab.

Select Browse next to Upload PKCS#12 (*.pfx) file and locate the certificate file you created.


Click Upload and Install, and enter the certificate password when prompted, to install the new certificate.

As soon as the new certificate is installed, VAMI will display a message that it is going to log you out of the console and you have to login again to pick up the new certificate. You will see the green lock icon telling you that it's a trusted certificate.


That's it. The new certificate is now applied.


Replacing vSphere 6 Solution user certificates with CA signed certificates

In our last post, Replacing Esxi 6 SSL Certificates, we learned how to replace the ESXi host default certificates with CA signed certificates. In this post we will learn how to replace the vSphere 6 solution user certificates with custom certificates signed by a CA.

If you have missed the earlier posts of this series, you can read them from the links below:

1: Setup CA Server for vSphere Lab

2: Set Up Automatic Certificate Enrollment

3: Request Internal Certificate from CA Server

4: Everything You Should Know About Certificate Management in vSphere 6

5: Replacing vSphere 6 SSL Certificates

6: Replacing Esxi 6 SSL Certificates

Solution Users use SSL Certificates for internal communication and endpoint registration in vSphere 6. For vCenter with embedded PSC, there are four Solution User Certificates:

  • machine
  • vpxd
  • vpxd-extension
  • vsphere-webclient

We will be replacing the certificates for all the solution users in this post.

Follow the steps below to replace the solution user certificates:

1: Create the Certificate Signing Requests

Launch the certificate manager utility.

Press 5 to select “Replace solution user certificates with custom certificates”.

Provide the password of the SSO account.

Select option 1, “Generate Certificate signing Request(s) and key(s) for solution user certificates”.


Provide the path to the directory where you want to store the .csr files.


You will see the following files created in the provided directory.


2: Get the signed certs from your CA server

Copy the machine.csr, vpxd.csr, vpxd-extension.csr and vsphere-webclient.csr files to your CA server and repeat the following steps for each csr file:

  • Launch the certificate authority web interface (http://<servername>/CertSrv/)
  • Click Request a certificate > Advanced certificate request.
  • Open the certificate request in a plain text editor and copy the contents of this file, including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines, into the Saved Request box.
  • Select vSphere6 when selecting the Certificate Template and hit Submit to submit the request. For the certificate templates please follow VMware KB-2112009.
  • Click Base 64 encoded on the Certificate issued screen and click Download Certificate.

Save the files as machine.cer, vpxd.cer, vpxd-extension.cer and vsphere-webclient.cer respectively.

At last, download the CA server root certificate. From the CA server home page click on “Download a CA certificate, certificate chain or CRL”.

Click on Download CA certificate and save the downloaded file as Root64.cer.

Copy all 5 files back to your vCenter Server.

3: Replace the certificates

Launch the certificate manager again and select option 5 and then option 2 (Import custom certificate(s) and key(s) for Solution User Certificates).


Provide the path to the generated .cer files and the respective key files to complete the certificate replacement process.


That's it. We have now successfully replaced the default certs for the solution users with CA signed certificates.


Replacing Esxi 6 SSL Certificates

In our last post, Replacing vSphere 6 SSL Certificates, we learned how to replace the machine certificates and the VMCA root certificates. In this post we will learn how to replace the ESXi default SSL certificates with certificates signed by a CA server.

If you have missed the earlier posts of this series, you can read them from the links below:

1: Setup CA Server for vSphere Lab

2: Set Up Automatic Certificate Enrollment

3: Request Internal Certificate from CA Server

4: Everything You Should Know About Certificate Management in vSphere 6

5: Replacing vSphere 6 SSL Certificates

ESXi hosts use default certificates that are created during installation. These certificates are not verifiable and are not signed by a trusted certificate authority. If using the default certificates does not fall within your organization's security policy, then you need certificates signed by your CA server.

Note: ESXi hosts that are upgraded from vSphere 5.x to vSphere 6.0 will continue using their Certificate Authority signed certificates if they were replaced in the previous version. However, ESXi 5.x hosts that were running self-signed certificates and were then upgraded to vSphere 6.0 will have their certificates regenerated and signed by VMCA.

We will be using openssl to create the certificate signing request and then send it to our CA server for signing. Instructions for configuring openssl are described here.

The steps for replacing the SSL certificates on ESXi hosts are as follows:

1: Configure the openssl.cfg file

The openssl.cfg file is located in the C:\OpenSSL\bin directory. Make a backup of this file and edit the following fields in it:


[ req_distinguished_name ]
countryName = IN
countryName_default = IN
stateOrProvinceName = Karnataka
stateOrProvinceName_default = Karnataka
localityName = Bangalore
0.organizationName = Alex.Co
0.organizationName_default = Alex.Co
organizationalUnitName = Cloud
commonName = vcentersrv01.alex.local
emailAddress = vcadmin@alex.com

2: Generate the csr and key file by executing the command below

Note: Create a directory before generating the cert files and navigate to it, so that the command below generates the certs in that directory.

openssl req -new -nodes -out rui.csr -keyout rui-orig.key -config C:\OpenSSL\bin\openssl.cfg


3: Convert the generated key to RSA format

openssl rsa -in rui-orig.key -out rui.key


Verify that the rui.csr and rui.key files are generated. Copy the rui.csr file to your CA server.

4: Generate a signed certificate.

  • Launch the certificate authority web interface (http://<servername>/CertSrv/)
  • Click Request a certificate > Advanced certificate request.
  • Open the certificate request in a plain text editor and copy the contents of this file, including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines, into the Saved Request box.
  • Click Web Server when selecting the Certificate Template and click Submit to submit the request.
  • Click Base 64 encoded on the Certificate issued screen and click Download Certificate.


Save the certificate file as Esxi01.cer.

5: Convert the Esxi01.cer file format

ESXi hosts require an X.509 based certificate, so change the format of the certificate file using the command below:

# openssl x509 -in Esxi01.cer -out Esxi_01.crt

6: Replace the ESXi host's old certificates with the new ones

Enable SSH on your ESXi host and place the host into Maintenance Mode. Navigate to the /etc/vmware/ssl directory and move the rui.crt and rui.key files to another location, e.g. /tmp/oldcerts.

Transfer the Esxi_01.crt file generated in step 5 and the rui.key file generated in step 3 to your ESXi host using WinSCP in Text mode or ASCII mode to avoid the issue of special characters.

Now restart the management agents or reboot the host for the new certificates to take effect.

Remove the host from Maintenance mode.

Now if you connect to the ESXi host directly from the vSphere Client, it will prompt you to accept the new certificate. If you open the properties of this new certificate, you will see that it has been issued by your CA server.


In my case the ESXi host got disconnected from vCenter Server after replacing the certs. Restarting the management agents did not fix the issue for me. All I did was reboot the host and it connected automatically without any issues.
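The openssl flow used in the vSphere Replication post above and in this ESXi post (config, CSR, RSA key, signed cert, .crt, PKCS#12) is worth checking before anything is uploaded to an appliance or host. The following is an added example, not code from either post: it builds the request from a config in the same shape as vrs01.cfg, signs it with a throwaway lab CA that stands in for the Windows CA web enrollment, and then verifies that the key matches the certificate, that the SAN carries the expected names, that the certificate chains to the Root64.cer that goes into the HMS truststore, and that the PKCS#12 bundle really contains the private key. It assumes openssl is in PATH; the hostnames, IP, CA name and password are constructed.

```shell
#!/bin/sh
# Added example, not code from the original posts: it reruns the openssl flow
# used in the vSphere Replication and ESXi posts (config -> CSR -> RSA key ->
# signed cert -> .crt -> PKCS#12) and adds the checks worth running before
# anything is uploaded. Assumptions: openssl is in PATH; a throwaway lab CA
# created here stands in for the Windows CA web enrollment; every name, IP
# and password below is constructed.
set -e
WORK="$(mktemp -d)"; cd "$WORK"

# Request config in the same shape as the post's vrs01.cfg (values constructed).
write_req_cfg() {
cat > vrs01.cfg <<'EOF'
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vrs01, IP:192.168.109.40, DNS:vrs01.alex.local
[ req_distinguished_name ]
countryName = IN
stateOrProvinceName = Karnataka
localityName = Bangalore
0.organizationName = Alex.Co
organizationalUnitName = Cloud
commonName = 192.168.109.40
EOF
}

# Minimal lab CA config: a root that openssl verify accepts as a trust anchor.
write_ca_cfg() {
cat > ca.cfg <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
commonName = CASRV-CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Post steps 2-5: CSR and key, RSA conversion, signing (the lab CA copies the
# requested v3_req extensions, as the Web Server template does) and .cer -> .crt.
issue_cert() {
  openssl req -new -nodes -out vrs.csr -keyout vrs-orig.key -config vrs01.cfg 2>/dev/null
  openssl rsa -in vrs-orig.key -out vrs01.key 2>/dev/null
  openssl req -x509 -new -nodes -newkey rsa:2048 -config ca.cfg -extensions v3_ca \
    -days 1 -keyout ca.key -out Root64.cer 2>/dev/null
  openssl x509 -req -in vrs.csr -CA Root64.cer -CAkey ca.key -CAcreateserial -days 1 \
    -extfile vrs01.cfg -extensions v3_req -out vrs-ca.cer 2>/dev/null
  openssl x509 -in vrs-ca.cer -out vrs_01.crt
}

# Pre-upload checks; each exits 0 on success so it can gate a deployment script.
key_matches_cert() {   # public key inside the cert must equal the key's public half
  [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}
cert_has_san() {       # the name clients use to reach the appliance must be in the SAN
  openssl x509 -noout -text -in "$1" | grep -q -- "$2"
}
chain_verifies() {     # the cert must chain to the root that goes into the HMS truststore
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Post step 6, with the export password taken from an argument.
build_pkcs12() {
  openssl pkcs12 -export -in vrs_01.crt -inkey vrs01.key -name "vrs01" \
    -passout pass:"$1" -out vrs01.p12
}
pkcs12_has_key() {     # the bundle handed to the VAMI must carry the private key
  openssl pkcs12 -in vrs01.p12 -passin pass:"$1" -nodes -nocerts 2>/dev/null | grep -q "PRIVATE KEY"
}

run_checks() {
  write_req_cfg; write_ca_cfg; issue_cert
  key_matches_cert vrs_01.crt vrs01.key && echo "key matches cert: ok"
  cert_has_san vrs_01.crt "DNS:vrs01.alex.local" && echo "SAN has FQDN: ok"
  cert_has_san vrs_01.crt "IP Address:192.168.109.40" && echo "SAN has IP: ok"
  chain_verifies Root64.cer vrs_01.crt && echo "chains to Root64.cer: ok"
  build_pkcs12 "lab-p12-pass" && pkcs12_has_key "lab-p12-pass" && echo "PKCS#12 has key: ok"
}
run_checks
```

Against a certificate returned by a real CA, point the same checks at the downloaded .cer, the converted .crt and the actual Root64.cer; a failing key match or SAN check is the usual reason a VAMI upload or an ESXi reconnect fails afterwards.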
