Copyright © 2012 - IT Solutions 2000 Ltd and Michael Webster. All rights reserved.

Updating CA SSL Certificates in vSphere 5

February 24, 2012 Leave a comment

Many of you will have read my articles regarding changing SSL certificates in vSphere 5 components for custom CA SSL certificates. My motivation for writing them was that I felt there was little good information around that would actually help people with this process. It has also traditionally been very difficult and frustrating, not to mention error prone. The good news is that my work has not gone unnoticed with VMware and there is now work underway to improve the public KBs and documentation that is available to assist customers. Here are some of the VMware KBs that have been or will be updated. I’m also including links to all of my recent posts regarding SSL certificates, which I will keep updated as I add to them, so you have one index page to visit.

Read more…

IT Solutions 2000 Ltd Achieves VMware VBCA Competency

February 21, 2012 Leave a comment

It is great to be able to announce that today my company, IT Solutions 2000 Ltd, was one of the first in the world to achieve the VMware Virtualizing Business Critical Applications (VBCA) competency, which has only recently become available. This recognition is evidence of the quality of the work that we have been doing for quite some time with many customers around the world who have successfully virtualized some of their most critical business applications on VMware vSphere. To gain the competency there were strict training and customer reference requirements to meet. I am very fortunate that my company has a number of fantastic customers who are willing to be a reference for the work we do.

Read more…

Jumbo Frames on vSphere 5

February 20, 2012 9 comments

I read a great blog post a while ago from Jason Boche titled Jumbo Frames Comparison Testing with IP Storage and vMotion. The results of the tests showed at best marginal gains to be had from using Jumbo Frames with 1Gb/s NICs on ESXi 4.1. Based on reading this, and a lot of discussion that came out of PEX 2012 regarding Jumbo Frames, I decided to conduct my own tests to see if the results were any different when using modern 10G switches and NICs. Some of the results were not what I expected.

Read more…

Changing vCenter Heartbeat to CA SSL Certificates

February 19, 2012 Leave a comment

In a previous post, The Trouble with CA SSL Certificates and vCenter 5, I reported that there isn’t a supported way to change out the self-signed SSL certificates that vCenter Heartbeat uses to communicate between nodes. This is quite important in secure enterprise and government environments, and in public/private clouds that are trying to meet regulatory standards. I have some good news to report.

Read more…

Virtual Infrastructure Navigator breaks when vCenter SSL Cert Changed

February 16, 2012 1 comment

Like a lot of people, I was quick to download and implement VMware vCenter Operations Manager 5 Enterprise when it became available. One of the great tools that is included in the suite is Virtual Infrastructure Navigator (VIN), which will discover and map all the dependencies and also DR protection status of VMs in a linked mode group. However, there is a bit of a gotcha if you want to use VIN and you also want to change the SSL Certs in vCenter and/or vSphere Web Client.

Read more…

vCenter Server Virtual Appliance – Changing SSL Certs Made Easy

February 13, 2012 5 comments

I’ve been updating my vCenter and ESXi certificates recently and I ran into one particular system so far that had absolutely no documentation or KB articles to help with changing default SSL certificates for CA signed ones. The system was my vCenter Server Virtual Appliance. You might remember that I wrote about this as a means of using it as the vSphere Web Client without needing an additional Microsoft Windows License and then I used it with a load balancer to Increase vSphere Web Client Availability and Scalability. But a lack of documentation wasn’t going to stop me. Being a SLES based virtual appliance though meant things were quite different when changing the certs. If you want to save yourself a lot of time changing the SSL Certificates for the vCenter Server Virtual Appliance then read on.

Read more…

vSphere Web Client SSL Cert not updated after vCenter SSL Cert Changed

February 10, 2012 5 comments

I’ve had a few people ask me over the last couple of days why their vSphere Web Client SSL certificates are not being updated when they change the vCenter SSL Certificate as per my article The Trouble with CA SSL Certificates and vCenter 5. The normal reason for this is that the vSphere Web Client, when installed on the vCenter Server, stores its SSL certificates in a completely different location to that of vCenter Server. I’ve also found out since publishing my other articles that this is true for the Inventory Service also. Why both of these services when installed on the vCenter Server don’t leverage the same SSL certificate location I’m not sure. My previous article has now been updated to include the replacement of the SSL cert for the Inventory Service, and also mentions the vSphere Web Client when installed on the same system as vCenter.

Read more…

The Trouble with CA SSL Certificates and vCenter 5

February 7, 2012 14 comments

This article is a follow-up to the one I posted previously regarding The Trouble with CA SSL Certificates and ESXi 5. This article will focus on successfully changing the default VMware SSL certificates on vCenter 5 and vCenter Update Manager hosts with CA signed certificates using a Microsoft CA (it will also work with public and OpenSSL CAs, but I have not tested it yet). One of the things that makes it hard for people to get this right is that, like with ESXi 5, there is no one document or source of truth that explains in sufficient detail what the requirements and supported configurations are or how to implement CA signed SSL certificates in vCenter Server. I’m hoping that the information in this article will help and encourage more people to change out the default certs (to improve security), and make the process far more reliable and easier to achieve with vCenter 5. Although not covered here, vCenter Heartbeat is becoming more critical as a component in VMware Infrastructures to provide high availability to vCenter. There is currently no supported way to change the SSL certificates that vCenter Heartbeat uses. There is an unsupported method that I will test and if successful will post once I’ve configured vCenter Heartbeat in my environment.

Read more…

Is Lockdown Mode Really Locked Down?

February 5, 2012 Leave a comment

I read a good blog article recently about a caveat with SSH keys and Lockdown Mode in ESXi 5 by William Lam at virtuallyGhetto. Now that SSH keys are fully supported in ESXi 5, which allows an authorized user to continue to log in to the host even when Lockdown Mode is enabled, is Lockdown Mode really locked down enough?

Read more…

Categories: VMware

The Trouble with CA SSL Certificates and ESXi 5

February 4, 2012 5 comments

Those of you who follow me on Twitter will know that I’ve been having some fun this week with changing out the default VMware generated SSL certificates on a greenfields deployment of vSphere 5 that will be supporting a large public cloud. Changing certificates is nothing new, and in environments that are concerned with security it is common practice. However, it has been my experience that changing certificates with ESX(i) and vCenter has always been a bit of a challenge (I have done it on vSphere 4.x before this). It can be very time consuming and error prone, especially if you haven’t done it before. One of the things that makes it hard for people to get this right is that there is no one document or source of truth that explains in sufficient detail what the requirements and supported configurations are or how to implement CA signed SSL certificates in ESX(i) and vCenter Server. This has tripped up many organizations both large and small. I’m hoping that the information in this article will help and encourage more people to change out the default certs (to improve security), and make the process far more reliable and easier to achieve with vSphere 5. This article will focus on successfully changing the default VMware SSL certificates on ESXi 5 hosts with CA signed certificates using a Microsoft CA (it will also work with public and OpenSSL CAs, but I have not tested it yet).

Read more…
