Replace vCSA 6.5u1 certificate by an ADCS signed certificate

Tech-Coffee, Tue, 19 Sep 2017 13:41:35 +0000

If you are using vCSA 6.x, you may want to replace the self-signed certificate with a certificate signed by your enterprise CA to avoid security alerts in the browser. Active Directory Certificate Services (AD CS) is an enterprise PKI, and in this topic I’ll show you how to replace the vCSA 6.5u1 certificate with a custom certificate.

Once the certificate is replaced, your browser no longer warns you about an untrusted certificate, and you get stronger security.

Requirements

To follow this topic, you need a working PKI based on AD CS. The root and intermediate certificates must be distributed to your computer. You also need a working vCSA 6.5u1 with SSH and bash enabled.

Generate a certificate request

First of all, connect to the vCSA by using SSH and launch bash by typing Shell. Then run /usr/lib/vmware-vmca/bin/certificate-manager. On the first prompt, choose option 1.

Enter administrator credentials and choose again the number 1.

Then specify the following options:

  • Output directory path: the path where the private key and the request will be generated
  • Country: your country in two letters
  • Name: the FQDN of your vCSA
  • Organization: an organization name
  • OrgUnit: the name of your unit
  • State: country name
  • Locality: your city
  • IPAddress: the vCSA IP address
  • Email: your e-mail address
  • Hostname: the FQDN of your vCSA
  • VMCA Name: the FQDN of the machine where your VMCA is located. Usually the vCSA FQDN

Once the private key and the request are generated, type the following command in order to connect with WinSCP to your vCSA.

Download WinSCP from this location and install it. Configure the connection as follows:

Once connected to your vCSA, download the vmca_issued_csr.csr file.

Sign the request with ADCS

Open the certification authority console and right click on the name of your CA. Select All Tasks | Submit new request…. Then select the CSR file you have downloaded from vCSA.

Then navigate to Pending Requests and right click on the request. Select All Tasks | Issue.

Now navigate to Issued Certificates and double click on the certificate you just issued. Then navigate to Details | Copy to file.

Export the certificate in Base-64 encoded X.509 format.

With WinSCP, copy the signed certificate and the CA certificate to the vCSA.

N.B: If your PKI is multi-tier (Root CA and Sub CAs), you need to concatenate each CA certificate of the certification chain in a .PEM file.

Replace vCSA 6.5u1 certificate

Run again /usr/lib/vmware-vmca/bin/certificate-manager and select option 1. Specify administrator credentials and this time select option 2.

Then specify the signed certificate, the private key and the CA certificate (or a concatenated PEM file with all CA certificates, in case of multi-tier PKI).
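
The three files given to certificate-manager here, including the concatenated CA file from the N.B. above, can be checked against each other before any service is touched. The following is an added example, not part of the original post: it assumes openssl is on the PATH, and the function names, file names and the throwaway demo PKI are constructed for illustration.

```bash
# Pre-flight check for the files given to certificate-manager option 2.
# Added example: file names and the throwaway demo PKI are constructed.

# Concatenate CA certificates into one PEM file: issuing CA first, root CA last.
build_chain() {                 # usage: build_chain out.pem subca.cer rootca.cer
    local out=$1 ca
    shift
    : > "$out"
    for ca in "$@"; do
        # Re-encode so CRLF line endings and text around the PEM block are dropped
        openssl x509 -in "$ca" -outform PEM >> "$out" || return 1
    done
}

# True when the certificate carries the public key of the given private key.
key_matches_cert() {            # usage: key_matches_cert cert.cer private.key
    local c k
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# True when the certificate chains up to a self-signed root inside the CA file.
chain_verifies() {              # usage: chain_verifies cert.cer chain.pem
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Run both checks and report the first one that fails.
preflight() {                   # usage: preflight cert.cer private.key chain.pem
    key_matches_cert "$1" "$2" || { echo "FAIL: private key does not match certificate"; return 1; }
    chain_verifies "$1" "$3" || { echo "FAIL: certificate does not chain to the CA file"; return 1; }
    echo "OK: certificate, key and CA chain are consistent"
}

# Constructed sample input: a two-tier demo PKI (root -> sub CA -> leaf) in directory $1.
make_demo_pki() {
    local d=$1 n
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    for n in root sub leaf; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.cer" 2>/dev/null &&
    openssl x509 -req -in "$d/sub.csr" -CA "$d/root.cer" -CAkey "$d/root.key" \
        -set_serial 2 -days 2 -extfile "$d/ca.ext" -out "$d/sub.cer" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/sub.cer" -CAkey "$d/sub.key" \
        -set_serial 3 -days 2 -out "$d/leaf.cer" 2>/dev/null
}

# Build the demo PKI in a temporary directory and run the checks on it.
demo() {
    local d rc
    d=$(mktemp -d) || return 1
    make_demo_pki "$d" && build_chain "$d/chain.pem" "$d/sub.cer" "$d/root.cer" &&
        preflight "$d/leaf.cer" "$d/leaf.key" "$d/chain.pem"
    rc=$?
    rm -rf "$d"
    return $rc
}
demo
```

On the appliance, call build_chain and preflight with the files copied over with WinSCP instead of running demo.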

If the certificate is good, you should see each service being updated. When all services are updated, the vCSA restarts.

N.B: I have seen in production that the certificate replacement doesn’t work because of a plugin. In this case, you’ll see which service causes the issue. Disable the plugin and try again.

Once vCSA has restarted, connect to the Web Service by using a Browser. You should see your custom certificate as below:

Step-by-step: Migrate Windows vCenter server to vCSA 6.5u1

Tech-Coffee, Fri, 18 Aug 2017 13:06:31 +0000

Last week I wrote a topic about how to upgrade an old VMware vCenter Server Appliance to vCSA 6.5u1. In this topic, I describe step-by-step how to migrate a Windows vCenter Server to vCSA 6.5u1. To write this topic, I have migrated a Windows vCenter Server 6.0 to a vCSA 6.5u1.

To follow this topic, you need a Windows vCenter Server 5.5 or 6.0 to migrate. You also need the latest VMware vCenter Server Appliance (at the time of writing this line, it is vCSA 6.5 update 1), as well as enough storage and compute resources.

Step 1: Run VMware migration assistant

Before beginning the migration, you must run the VMware Migration Assistant on the source vCenter server (that is, the Windows vCenter Server). You can find this tool in the vCSA ISO that you have previously downloaded, in <Drive Letter>:\migration-assistant\VMware-Migration-Assistant.exe. This tool starts a web service on the Windows vCenter Server to communicate with the vCSA install program.

Step 2: Deploy the vCSA

Once you have executed the VMware Migration Assistant on the source, you can mount the vCSA ISO on your favorite Windows computer or server (it must have access to your vSphere infrastructure) and run <DriveLetter>:\vcsa-ui-installer\win32\installer.exe. You can also run the installer from Mac or Linux but I prefer Windows :). In the first window, just click on Migrate.

The next screen introduces the migration process. Just click on Next.

On the next screen, accept the license agreement and click on Next.

Then specify the source Windows server (by using an IP or FQDN). The VMware Migration Assistant must be running, otherwise you’ll get an error. Also specify the administrator’s credentials to connect to the source vCenter.

Next, you have to specify the information about the target. Because I am migrating the only vCenter I have, I set the credentials and FQDN of an ESXi node (be sure to disable DRS during the migration).

Then provide the name of the new vCenter Appliance VM and its root password. Be sure not to use the same VM name as the source vCenter. You can rename the source VM by adding the suffix _old, for example.

In the next window, choose a deployment and storage size. These settings depend on the vSphere infrastructure you have. The table indicates which deployment you should choose depending on the number of hosts and VMs to manage from the vCenter.

Next choose the datastore where you want to store the vCenter VM files. You can also deploy the vCSA VM in thin provisioning mode.

Then specify temporary network information. These settings are used while the source Windows vCenter Server and the target vCSA are powered on at the same time.

To finish this step, review the settings that you have specified and click on Finish to run the deployment.

A progress bar shows you the deployment status. It can take a while to deploy the target vCSA.

Once it is finished, you can click on Continue to start stage 2. If you close this window or if there is a network issue, you can connect later to the appliance at https://<ip or vCSA FQDN>:5480 to run step 2.

Step 3: Configuration and data migration

The first screen of stage 2 introduces what happens in this step. Just click on Next. Then the wizard runs a pre-migration check.

Next the pre-migration check shows warnings and issues. It can indicate which components cannot be migrated (such as plugin or Update Manager baseline).

If the source Windows vCenter Server is joined to Active Directory, the wizard asks you credentials to join the vCSA to the same Active Directory domain.

Next you can select the data to migrate: just the configuration or configuration, events, tasks and performance metrics.

In the next window, you can choose to join the CEIP or not.

To finish, review your settings. If all is good, you can check the box saying that you have backed up the source vCenter Server and click on Finish.

A warning tells you that the source vCenter Server will be powered off once the network configuration is set on the destination vCenter Server. If you are sure, just click on OK.

A progress bar shows you the migration status. It can take a while depending on the data to migrate and the speed of your network and vSphere infrastructure. Once the data is migrated, you should be able to connect to the vCenter again and it should be converted into a vCSA :).

Step-by-Step: Upgrade VMware vCenter Server Appliance 5.5 to 6.5u1

Tech-Coffee, Wed, 09 Aug 2017 09:59:24 +0000

With the release of VMware 6.5(u1), a lot of customers are upgrading or migrating their vCenter to 6.5(u1) from older versions such as vSphere 5.5 or 6.0. In this topic, I’ll show you how to upgrade VMware vCenter Server Appliance (vCSA) 5.5 to vCSA 6.5. To follow this topic, you need to download the vCSA 6.5(u1) from VMware. Then mount the ISO on a machine. From my side, I have mounted the ISO on my laptop running Windows 10 1607.

The VMware vCSA upgrade is done in 2 steps:

  • The vCSA deployment
  • The data migration from source to destination

Before beginning you need the following:

  • A new name for the new VM, or rename the old vCenter VM with an _old prefix, for example
  • A temporary IP address
  • Enough storage for the appliance
  • Enough compute resources to run the appliance

Step 1: Deploy a new appliance

Once you have mounted the ISO, open <ISO Drive Letter>\vcsa-ui-installer\win32\installer.exe. Then choose Upgrade.


The next screen introduces the steps to follow to upgrade your appliance from vCSA 5.5 or 6.0 to vCSA 6.5u1. Just click on Next.


On the next screen, just accept the license agreement and click on Next.


In the next window, specify the vCenter FQDN or IP address and password to connect to. Then specify the name of the ESXi host that hosts the vCenter Appliance. I specify the ESXi instead of the vCenter because I want to upgrade this vCenter server. When the upgrade occurs, the current vCSA will be shut down.


Then choose the deployment type and click on next.


Then specify an ESXi or vCenter name. Because I am migrating the only vCenter I have, I choose to specify the ESXi name and the credentials to connect to it.


Next choose a destination VM folder and click on Next.


Then choose an ESXi in the list.


Next specify a VM name and the root password for the target vCSA.


In the next window, choose the appliance size that fits your needs. The table gives the supported number of hosts and VMs for each size.


Next choose the datastore where you want to store the vCSA VM file. You can also deploy the appliance in thin provisioning.


Next specify the temporary IP address. This IP is used only during the data migration step.


In the next screen, you can review the settings you specified previously. When you have reviewed the settings, just click on Finish to run the vCSA deployment.



Once the appliance deployment is finished, you can click on Continue to proceed to step 2.


Step 2: Migrate configuration for vCSA 5.5 to vCSA 6.5

The next screen introduces step 2, which consists of copying data from the source vCenter Server Appliance to the new appliance.


The next step runs some verifications to check whether the configuration can be migrated. For example, the screenshot below indicates that a plugin cannot be migrated, and asks you to check that DRS is not enabled on the ESXi host that runs the new appliance. If DRS is enabled, the new appliance can be moved to another host, and the wizard will then no longer be able to contact this VM (we specified the ESXi host in step 1).


On the next screen, the wizard asks you which data you want to migrate.


Then you can choose to join the CEIP or not.


Next you can review the settings before running the data copy. To run the migration, just click on Finish.



Once the migration is finished, you can connect to the vCenter by using the web client and enjoy the new web interface (either Flash or HTML). The source appliance should be shut down.



Upgrade VMware vSAN to 6.6

Tech-Coffee, Wed, 19 Apr 2017 11:32:08 +0000

Yesterday VMware released vSAN 6.6. vSAN 6.6 brings a lot of new features and improvements such as encryption, better performance and simplified management. You can get the release notes here. Currently my lab is running on vSAN 6.5 and I have decided to upgrade to vSAN 6.6. In this topic I’ll show you how to upgrade VMware vSAN from 6.5 to 6.6.

Step 1: upgrade your vCenter Server Appliance

In my lab, I have deployed a vCenter Server Appliance. So, to update the VCSA, I connect to the Appliance Management interface (https://<IP or DNS of VCSA>:5480). Then, I navigate to Update. Click on Check Updates from repository.

Once the update is installed, click on summary tab and reboot the VCSA. You should have a new version.

Step 2: Update ESXi nodes

Manage patch baseline in Update Manager

My configuration consists of two ESXi 6.5 nodes and one vSAN witness appliance 6.5. To update these hosts, I use Update Manager. To create or edit a baseline, open Update Manager from the “hamburger” menu.

I have created an update baseline called ESXi 6.5 updates.

This baseline is dynamic, which means that patches are added automatically according to criteria.

The criteria are any patches for the product VMware ESXi 6.5.0.

Update nodes

Once the baseline is created, you can attach it to the nodes. Navigate to Hosts and Clusters, select the cluster (or a node) and open the Update Manager tab. In this tab, you can attach the baseline. Then you can click on Scan for Updates to verify whether the node is compliant with the baseline (in other words, whether the node has the latest patches).

My configuration is specific because it is a lab. I run a configuration which is absolutely not supported because the witness appliance is hosted on the same vSAN cluster. To avoid issues, I manually put the node I want to update into maintenance mode and I move the VMs to the other node. Then I click on Remediate in the Update Manager tab.

Next I select the baseline and I click on next.

Then I select the target node.

Two patches are not installed on the node. These patches are related to vSAN 6.6.

I don’t want to schedule this update for later, so I just click on next.

In host remediation options tab, you can change the VM Power state. I prefer to not change the VM Power state and run a vMotion.

In the next screen, I choose to disable the HA admission control as recommended by the wizard.

Next you can run a Pre-check remediation. Once you have validated the options you can click on finish to install updates on the node.

The node will be rebooted and when the update is finished you can exit the maintenance mode. I do these steps again for the second node and the witness appliance.

Note: in a production infrastructure, you just have to run Update Manager from the cluster and not for each node. I put the node into maintenance mode and move the VMs manually because my configuration is specific and not supported.

Step 3: Upgrade disk configurations

Now that nodes and vCenter are updated, we have to upgrade the disk format version. To upgrade these disks, select your cluster, navigate to configure and general. Then run a Pre-check Upgrade to validate the configuration.

If the Pre-Check is successful, you should have something as below. Then click on Upgrade.

Then the disks are upgrading …

Once all disks are upgraded, disks should be on version 5.0.

That’s all. Now you can enjoy VMware vSAN 6.6.

Step-by-Step: Deploy vCenter Server Appliance (VCSA) 6.5

Tech-Coffee, Mon, 02 Jan 2017 14:46:16 +0000

VMware vCenter is the management software for your vSphere environment. It lets you manage your whole VMware virtual infrastructure from a single pane of glass. Last month, VMware released vSphere 6.5, which includes vCenter. vCenter comes in two versions:

  • A Software to be deployed on a Windows Server (physical or virtual)
  • A virtual appliance that is based on Linux (vCenter Server Appliance: VCSA)

Since vSphere 6, the VCSA can manage more hosts and more VMs and is more robust and scalable. With vSphere 6.5, the VCSA supports the simplified native vCenter High Availability, which is available only for the VCSA (not for Windows).

The below table introduces the Windows versus VCSA scalability (vSphere 6.0 information):

As you can see, there is no longer any advantage to using the Windows vCenter. Moreover, with vSphere 6.5, Update Manager is integrated into vCenter, so you don’t need Windows for that anymore. The VCSA is free, whereas you have to pay a license for the Windows vCenter. The only drawback of the VCSA is that it is a black box.

In this topic, I’ll show you how to deploy a standalone VCSA 6.5 from a client computer.

Requirements

To deploy your VCSA 6.5 you need the following:

  • A running ESXi host reachable from the network
  • The ISO of VCSA 6.5 (you can download it from here)
  • At least 4GB on your host and 20GB on a datastore

Step 1: Deploy the VCSA on an ESXi

Once you have downloaded the VCSA 6.5 ISO, you can run vcsa-ui-installer\win32\installer.exe

When you have run the installer, you can see that you have several options:

  • Install: to run the VCSA installation (I choose this option)
  • Upgrade: if you want to upgrade an existing VCSA to 6.5 version
  • Migrate: to migrate a Windows vCenter Server to vCenter Server Appliance
  • Restore: to recover the VCSA from a previous backup

In the next screen, the wizard explains that there are two steps to deploy the VCSA. In the first step, we will deploy the appliance and in the second one, we will configure it.

Next you have to accept the license agreement and click on next.

Then choose the deployment model. You can embed the Platform Services Controller (PSC) with the vCenter Server, or you can separate the roles as explained in the diagram below. The PSC manages SSO, certificate stores, the licensing service and so on. The second deployment model is recommended when you want to share these services between multiple vCenter Server instances. For this example, I choose the first one and I click on next.

Then specify the ESXi or the vCenter Server where the appliance will be deployed. I specify a running ESXi, the management port and the root credential.

Next I specify the VM Name and the root password for the VCSA.

In the next screen, you can choose the appliance size. The larger the virtual infrastructure, the more vCPU, RAM and storage the VCSA needs.

Then choose a datastore where the VM will be deployed and click on next.

In the next screen, specify the network configuration of the VCSA. If you specify a FQDN in system name, be sure that the entry exists (with the right IP address) in the DNS server. Otherwise you will have an error message.

To run the appliance deployment, click on finish in the below screen.

While the deployment occurs, a progress bar will show you where you are in the deployment process.

If you connect to the ESXi from the web interface, you can see that the VM is well deployed.

When the deployment is completed, you should have the below screen.

Click on Continue to proceed to step 2.

Step 2: Configure the appliance

In step 2, we will configure the appliance. In the first screen, just click on next.

Then, specify some NTP servers to synchronize the time.

In the next screen, provide SSO information to manage your vSphere infrastructure.

Next you can choose whether to join VMware’s Customer Experience Improvement Program (CEIP).

To finish, click on finish to run the configuration.

During the configuration, you should have a progress bar to inform you where you are in the process.

Once the configuration is finished, you should have the below screen.

You can now connect to the vSphere Web Client. The URL is indicated in the above screenshot.

Appliance monitoring

The VCSA provides an interface for monitoring. You can connect to it at https://<SystemName>:5480 and log in with the root credentials.

As you can see in the below screenshot, you can have the overall health status from this interface.

You can also monitor the CPU and memory of the appliance.

And you can also update the appliance from this interface.

Conclusion

Since vSphere 6.0, the VCSA is really highlighted by VMware. Moreover, since vSphere 6.5, the Update Manager (VUM) is integrated in vCenter. From my point of view there is no advantage to using Windows vCenter Server anymore compared to the VCSA. As you have seen in this topic, the VCSA deployment is really turnkey and easy.
