VMware vSphere Web Client Tips – Multi vCenter Shared SSO

A great feature of the vSphere Web Client comes when you have two separate vCenter servers that share a common Single Sign-On (SSO) server. In this scenario, logging into the vSphere Web Client for either vCenter (or into a single web server running the Web Client bits) lets you see any/all vCenter servers connected to the shared SSO server.

As you can see in the screenshot below, I have VC1 and VC2, along with all of the resources you would expect to have access to (including the awesome related objects tab) but I only have to log into one client!

Multiple vCenter Servers in the vSphere Web Client with a shared SSO server

Update EMC ViPR SRM licenses after they have expired

If you are running EMC ViPR SRM and your license key expires, you will no longer be able to log into the UI where you could have installed a new license key. Instead you will need to update the license(s) via the command line. The directions I had found had a mistake and were unclear, so I thought I’d publish the steps that worked for me here.

First and foremost, obtain your new license key by submitting an SR (Service Request) via support.emc.com and follow the steps below.

  1. Launch WinSCP or your file copy tool of choice
  2. Connect to your ViPR SRM front end server and log in as a user who can elevate privileges (Default root/Changeme1!)
  3. Navigate to /opt/APG/
  4. Upload the license key zip file (which may have multiple license files)
    1. If not already, name the file licenses.zip – It gave me an error when it was not named that
  5. SSH to your ViPR SRM FE server
  6. Log in as a user who can elevate privileges
  7. Run:

/opt/APG/bin/manage-licenses.sh install /opt/APG/licenses.zip

/opt/APG/bin/manage-modules.sh service restart tomcat

You should now be able to log in.

ViPR SRM Dashboard

Now that I was able to log in, I still had to upload my licenses through the UI and synchronize my licenses. Click on Administration in the upper right corner, then click on Licenses Management. Click the Upload button and re-upload the license zip file.  Now click the Synchronize button and OK.  You should now be able to use all licenses again.

EMC ViPR SRM Administration >> Licenses Management

VMware vSphere Web Client Tips – Work in Progress sidebar

In the Windows vSphere Client, when a wizard comes up, you need to finish or cancel that current task – not so in the Web Client! When you start a wizard in the vSphere Web Client you can click outside of the wizard window back into the vSphere Web Client and your wizard window will disappear. Let’s take a look at an example. Below is a screenshot of my lab; highlighted in red is the Work in Progress sidebar:

vSphere Web Client Work in Progress sidebar

Now I can start a task, in this case the New Virtual Machine wizard

vSphere Web Client New Virtual Machine wizard

Now, in the Windows C# classic vSphere client I would need to either finish or cancel this task if I wanted to do something else. In the web client, however, I can simply click off the wizard back into the main UI. As you can see here, my New Virtual Machine wizard has been minimized into the Work in Progress sidebar.

vSphere Web Client New Virtual Machine wizard minimized to Work in Progress

Instead of having to restart the wizard, I can minimize it to the Work in Progress sidebar, then click on the link in the Work in Progress window to bring it back, right where I left off.

Weekend Lifehack Edition – Separate laundry before washing

I know, totally random right? I’ll throw this into the section Igor Bril inspired – A page for aspiring VMware admins who can’t balance a checkbook, hate grocery shopping, don’t know whether to buy a condo or know how to use Twitter.

So here is the basic lifehack: my wife and I have always just thrown our laundry in a hamper/basket/pile on the floor depending on where said hamper is. It’s all intermingled, goes in the washing machine intermingled and comes out intermingled. Then when we are putting it away it has to be sorted out, which takes like forever and is possibly the worst part of doing the laundry. So, what’s a person to do?

Keep your laundry sorted in the hamper/basket/floor pile. Now, when my wife or I do the laundry all of her clothes go in at once and come out at once. When we take it out of the dryer it’s coming out already somewhat sorted, making the put away task go much quicker. When you take it out of the dryer, group the clothes together like you would putting them away. For example, all the socks or t-shirts that go in a drawer or on a shelf together so you can take them out all at once and put them away. Boom – I can put all our laundry away in just a couple of minutes.

VMware vSphere Web Client Tips – Getting Started Pages Go Away

So you’ve made the plunge into the vSphere Web Client after learning about how awesome the Related Objects tab can be but now you keep getting these pesky Getting Started Pages.

vSphere Web Client Getting Started Page

I mean sometimes they are useful but after a while they are just in the way.  Don’t worry, there is an easy way to get rid of them.

Once you are logged into the vSphere Web Client click on the Help menu on the upper right corner (near search) and select Hide All Getting Started Pages.

Help >> Hide All Getting Started Pages

Now they are gone, forever!  Well not forever, if you want them back just click on Help >> Show All Getting Started Pages

No Getting Started Pages

VMware vSphere Web Client Tips – Love Related Objects Tab

So, here we are, almost 2015 and folks are STILL complaining about the web client. Yes, in 5.1 it sucked. Yes, the fact that it is written in Flash is not ideal. Yes, VMware added the ability to manage hardware version 10 VMs back to the C# client. And yes, there were rumors at VMworld that the C# client will in fact live into the next version of vSphere. But, folks, it’s time. I was where you are not too long ago, loving the warm coziness of the C# client for my day to day work, but then three things happened. The 5.5 web client actually rocks, I switched to a Mac and I wrote a book and didn’t want to be that person using screenshots of the C# client in a book where the focus was vSphere 5.5.

I hope to turn this into a regular series, with small tips on how to get the most out of the web client for those still clinging to the C# client. So here we go: the Related Objects tab. The Related Objects tab might just be one of the most useful areas of the web client; regardless of what you are looking at you can see a list of… you guessed it, related objects. For example, if I am looking at a Data Center I can see all of the hosts, clusters, VMs, datastores, switches etc… right from the Related Objects tab.

vSphere Web Client Related Objects Tab

The wonderful thing about the Related Objects tab – it’s everywhere and changes context based on what you are looking at. For example, if I click on my Cluster >> Related Objects I won’t see information about other clusters, just items related to that specific cluster. If I click on a VM/vApp I will see information about that VM. I can continue to drill down in the Related Objects tab. It’s not only information; I can also make setting changes right there, no need to bounce back and forth to different screens. If I need to make a change to the vSwitch/Portgroup my VM is connected to, right click and edit – boom, all done!

New VCP-DCV VCP550D Delta Exam…what’s different?

News of the new VCP5-DCV delta exam (VCP550D) was bittersweet for me. Not minutes before the announcement I decided I couldn’t push back my VCAP-DCA any longer or risk needing to re-take the VCP exam to remain certified for 2 more years…now I have another excuse not to dive in. However, after carefully reviewing the blueprint published at https://mylearn.vmware.com/mgrReg/plan.cfm?plan=51919&ui=www_cert I found that the blueprints are almost identical – I actually had to look several times to make sure I wasn’t looking at the wrong blueprint!

So, what’s new?

  • Objective 3.3 – Configure and Administer Software Defined Storage:  This objective is focused entirely on VSAN

Yup…that’s it – one new section in the blueprint.  This feels a bit more like a new version of the 5.5 VCP, time will tell once I take the “delta” exam.  Of course this exam is intended for differences between 5.0 and 5.5 yet is still 65 questions.  Curious if anyone has already taken the plunge?

Configure rsyslog in vCAC / vRA appliance to send to a syslog server

One option not available in the vCloud Automation Center (vCAC) appliance VAMI is the ability to send logs to a syslog server, such as Splunk or LogInsight (does anyone know if this has been exposed in vRA 6.1?). Thankfully, since the appliance is built on Linux, it’s just a matter of configuring rsyslog. If you are using LogInsight you can use the LogInsight Content Pack. While I have LogInsight, I want to do this manually to send logs as if I were using a generic syslog server. As you can see here, none of my vCAC logs are here (my appliance is named vcacapp).

vcacapp-loginsight-search

Here is how to configure the vCAC appliance to send logs:

  • SSH to your vCAC / vRA appliance
  • Type vi /etc/rsyslog.conf
  • At the end of the file enter
*.*    @loginsight.fqdn.tld:port
  • For example @loginsight.test.lab:514 (a single @ forwards over UDP, @@ forwards over TCP)
  • Save the file and restart syslog by typing
service syslog restart
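
The same change as a repeatable script, shown here as an added example that is not part of the original post: it lists the forwarding targets already in the file, adds the rule only once, keeps a backup, and then checks the config before restarting. The function names and the fwdtest tag are hypothetical; the host and port are the post's example values.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Print forwarding targets ("@host:port" = UDP, "@@host:port" = TCP) found in
# an rsyslog config file, ignoring commented-out lines.
list_forward_targets() {
    sed -n 's/^[[:space:]]*[^#[:space:]][^[:space:]]*[[:space:]]\{1,\}\(@\{1,2\}[^[:space:]]\{1,\}\).*$/\1/p' "$1"
}

# Append "*.* @host:port" (or @@ for tcp) unless that target already exists.
add_forward_rule() {
    conf=$1; host=$2; port=$3; proto=${4:-udp}
    case $proto in
        udp) prefix='@' ;;
        tcp) prefix='@@' ;;
        *)   echo "protocol must be udp or tcp" >&2; return 2 ;;
    esac
    case $port in
        ''|*[!0-9]*) echo "port must be numeric" >&2; return 2 ;;
    esac
    target="${prefix}${host}:${port}"
    if list_forward_targets "$conf" | grep -Fxq -- "$target"; then
        return 0                      # idempotent: nothing to do
    fi
    cp -p "$conf" "$conf.bak" || return 1
    # Make sure the new rule starts on its own line.
    if [ -n "$(tail -c 1 "$conf")" ]; then echo >> "$conf"; fi
    printf '*.*    %s\n' "$target" >> "$conf"
}

# Run on the appliance: syntax-check, restart, then log a marker to search for.
apply_and_verify() {
    rsyslogd -N1 -f "$1" || return 1        # config check only
    service syslog restart || return 1      # restart command from the post
    logger -t fwdtest "forwarding test $(date +%s)"
}

# Example: add_forward_rule /etc/rsyslog.conf loginsight.test.lab 514 \
#              && apply_and_verify /etc/rsyslog.conf
```

Running list_forward_targets against /etc/rsyslog.conf on its own is also a quick way to review where an appliance is currently shipping its logs.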

Now if you go back to LogInsight or whatever syslog server you are using you can see logs being collected. Logging, like monitoring, involves a bit of science instead of just dumping logs into your syslog server. If you have LogInsight, check out their content packs as that would be the preferred option in my opinion.

vcacapp-loginsight-search-setup

Linux Bash bug exists in at least some VMware appliances #bash #shellshock

**Update 9/29:  VMware has released KB 2090740 (http://kb.vmware.com/kb/2090740) with more information about ShellShock and affected appliances however as of this update I do not yet see updated virtual appliances available for download.**

**Update 10/1: VMware has started to release patches for selected appliances. As of 1:30P EST LogInsight and the vCenter Server Appliance have been updated. You can find patches at https://www.vmware.com/patchmgr/findPatch.portal**

**Update 2 10/1:  The VCSA patch is not yet available via VAMI (Thanks Christian for checking, and Mike for looking into it) but you can download a new appliance, so new deployments will be patched**

As I actually expected, the bash bug seems to affect VMware virtual appliances such as the vCO appliance and vCAC appliance.  I’d imagine things like the vCenter server appliance and others are also vulnerable but I don’t have others in my lab right now to test.  Hopefully VMware is quick to release patches that can be applied via VAMI.

vco-bash-bug

vCenter Orchestrator Appliance

vcac-appliance-bash-bug

vCAC Appliance

vCAC / vRA Tenant Identity Store – User and Group search DN base

I am in a course this week and a question came up about how to configure the Group and User search base DN and its effect on access within vCAC / vRA. Ultimately permission will be granted as a combination of both fields. First and foremost, when configuring vCloud Automation Center or vRealize Automation tenants, this will control which users or groups you can assign the tenant administrator or infrastructure administrator roles. Let’s look at some examples: if my domain is test.lab and I set my User and Group search base DN to dc=test,dc=lab, I will be able to assign either of those roles to any user or group in the entire Active Directory, regardless of what organizational unit or container they may be in. Easy enough, but that starts to open things up pretty wide.

vcac-is-tld

In the real world I am likely to have an OU for groups or, in a large enough AD, groups spread across multiple OUs, so you’ll need to consider your AD structure to set the base DN appropriately. For example, if you have ou=groups,dc=test,dc=lab as your Group search base DN but you have some groups created in ou=sales,dc=test,dc=lab, you will not be able to assign permissions to the groups in the Sales OU.
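
To see the effect of the Group search base DN before changing a tenant, the scoping can be modelled offline. The following is an added example, not vCAC / vRA code: it assumes the identity store searches the whole subtree under the base DN, and the group names are constructed around the post's test.lab domain.

```shell
#!/bin/sh
# Added example, not vCAC code. Models a subtree-scope LDAP search base.
# Assumption: DNs contain no escaped commas (\,).

# Constructed sample groups around the post's test.lab domain.
SAMPLE_GROUPS='CN=vCAC-Admins,OU=Groups,DC=test,DC=lab
CN=Sales-Managers,OU=Sales,DC=test,DC=lab
CN=Domain Admins,CN=Users,DC=test,DC=lab'

# Lowercase a DN and drop whitespace around "," and "=" so DNs compare equal.
norm_dn() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' |
        sed 's/[[:space:]]*\([,=]\)[[:space:]]*/\1/g'
}

# Succeed when DN ($2) is the search base ($1) or sits anywhere below it.
dn_in_scope() {
    _base=$(norm_dn "$1"); _dn=$(norm_dn "$2")
    case $_dn in
        "$_base"|*,"$_base") return 0 ;;   # whole-RDN boundary, not a bare suffix
        *) return 1 ;;
    esac
}

# List the sample groups a given Group search base DN would return.
visible_groups() {
    printf '%s\n' "$SAMPLE_GROUPS" | while IFS= read -r g; do
        if dn_in_scope "$1" "$g"; then printf '%s\n' "$g"; fi
    done
}

# visible_groups 'ou=groups,dc=test,dc=lab'  -> only the vCAC-Admins group
# visible_groups 'dc=test,dc=lab'            -> all three, Domain Admins included
```

With the domain root as the base, every group in the directory becomes a candidate for the administrator roles, which is the "pretty wide" case described above; the narrower base hides the Sales OU group exactly as the post says.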

You may have noticed from the screenshot that only the Group search base DN is required. Personally I prefer to assign permissions to groups, so that is great – what happens if I leave the User search base DN empty and set a more restrictive Group search base DN such as ou=groups,dc=test,dc=lab like so?
