vSphere Hardening – Part 1

30/07/2013

Recently, I was involved in a project and tasked with the design and implementation of a small vSphere Cluster, shared storage and a backup solution. One day, I was asked to take care of “hardening the environment”. So my first question was, “What are the requirements?” I explained that “Hardening” is part of a much larger concept known as “Security Design”. In the process of creating a good design, you must be aware of the impact of design decisions, because most decisions are irreversible, or will cost you a lot of extra money.
The end of the story: unknown requirements, time pressure, and a customer who could perform a security audit in the near future.

So time to repeat what I have learned during the “vSphere Security Design Training”, review my design and make sure we will be compliant at any time.

Over the years, VMware released documents that can help you build a secure environment. First of all, there is the “vSphere Security Guide”; the latest 5.1 release is here. This guide presents in-depth information on subjects like:

  • Securing the ESXi hosts, Management interface and the ESXi shell.
  • The Lockdown mode.
  • ESXi and vCenter authentication and User management.
  • Installation of SSL certificates.
  • Securing Virtual Machines.
  • Securing vCenter Server.
  • Best Practices for Virtual Machine and ESXi host security.

Read the rest of this entry »


vCenter Server database, extreme maintenance

06/06/2013

Recently, I was asked to investigate a vCenter Server 5.0 having issues with its database. As a result, the “VMware Virtual Center Server” service stopped and vSphere Clients were losing connectivity.

The vCenter Server was running on a Microsoft SQL Server 2008 R2 Express Edition. Although not very recommended for production environments (see also my previous post), for small environments it will do. This instance worked well for over one year; unfortunately, the Server Statistics settings had recently been set to level 3, resulting in fast-growing database and transaction log files. Resetting the Server Statistics to the original settings (level 1) did not quite solve the situation.

The first idea was to purge old data from the database, as is clearly explained in KB 1025914.

So after downloading the VCDB_Purge_MSSQL.zip script and adjusting the following variables:

Read the rest of this entry »


vCenter Chargeback Manager – Part 3

15/02/2013

This is the third part in a series of posts on the vCenter Chargeback Manager (vCCM, from now on). Part 1 was all about the installation of vCCM. In Part 2, the basic configuration was discussed. In this part, I will explain some of the philosophy behind the product, and start creating reports.

I suppose you have installed and configured vCCM without any problems? Did you add a vCenter Server, and is the vCenter Chargeback Manager Data Collector running? Fine.

By the way, these posts come from my study notes while preparing for my VCP5-IaaS certification and cover at least parts of Objective 1.1 – Install vCloud Components and Section 3 – Configure and Administer vCenter Chargeback.

A word about vCenter Chargeback Manager Users, roles and permissions.
After the installation of vCCM has finished, there is only one user; in my case, I named the account “admin”. This first user has the role of Super User. This role has all the privileges. vCCM provides a mechanism called resource-based authorization. As such, vCCM works with resource types, users and groups, roles and permissions.
For the sake of simplicity, I will continue to work with my “admin” account.

Figure 1 – Users

Read the rest of this entry »


vCenter Chargeback Manager – Part 2

31/01/2013

In the previous post, I discussed the basic installation of vCenter Chargeback Manager (vCCM, from now on). In this post we will continue and show the basic configuration of the product.

I suppose you have installed vCCM without any problems and all services are running. vCCM has quite a number of services, which should start automatically.

To log in to vCCM, you will need a supported browser; in my case, IE 9 and Firefox worked well.

On the vCCM server, you launch the application from the Windows menu. From a remote workstation, provide the application URL, which was displayed after installing vCCM.

When you log in to vCCM for the first time, you will be prompted to enter a license key.

Figure 1 – License

Provide the license key and the credentials created during the installation. When the license key has been accepted, you can log in to the application.

Read the rest of this entry »


vCenter Chargeback Manager – Part 1

23/01/2013

LAST UPDATE: 08-07-2013

The exam blueprint for the VMware Certified Professional Cloud (VCP-Cloud) certification includes several products. Of course, vSphere ESXi and vCenter Server are the basic building blocks and vCloud Director is the most discussed product. But there is another product you need to understand: vCenter Chargeback Manager (vCCM, from now on). You need to know how to install the product; also, a full section of the blueprint is dedicated to configuration and administration. You need to know how to generate Reports. But before you can generate your first report, you will have been through a lot of stages.

So, I expected to find a lot of posts on this subject, but I did not. For that reason, in a series of posts, I will share my experience with the vCCM. In the first part, let’s start with the installation of vCCM.

Note: In my case, I installed vCCM for training purposes. For that reason, I did not completely follow all steps and recommendations in the official documentation. So, in case you need to install vCCM in a real-life production environment, I recommend having a look at the vCenter Chargeback Manager Installation and Upgrade Guide.

You can find the official resources here and start a free trial for 60 days. Some useful official documents are:

Read the rest of this entry »


VCAP5-DCA Objective 5.1 – Implement and Maintain host profiles

22/08/2012

Objectives

  • Use Profile Editor to edit and/or disable policies
  • Create sub-profiles
  • Use Host Profiles to deploy vDS
  • Use Host Profiles to deploy vStorage policies
  • Manage Answer Files

Use Profile Editor to edit and/or disable policies

Official Documentation:
A good read on Host Profiles is the VMware Host Profiles: Technical Overview.

The vSphere Host Profiles Guide covers the following aspects regarding Host profiles:

  • Creating host profiles
  • Exporting and importing a host profile
  • Editing host profile policies
  • Attaching an entity to a host profile
  • Applying a host profile to an entity attached to the host profile
  • Checking the host profile’s compliance to an entity attached to the host profile
  • Checking and updating the host profile’s answer file

Summary:
The essence of Host profiles:

Host profiles eliminates per-host, manual, or UI-based host configuration and maintains configuration consistency and correctness across the datacenter by using host profile policies. These policies capture the blueprint of a known, validated reference host configuration and use this to configure networking, storage, security, and other settings on multiple hosts or clusters. You can then check a host or cluster against a profile’s configuration for any deviations.

Workflow

You perform host profiles tasks in a certain workflow order. You must have an existing vSphere installation with at least one properly configured host.

  1. Set up and configure the host that will be used as the reference host.
    A reference host is the host from which the profile is created.
  2. Create a profile using the designated reference host.
  3. Attach a host or cluster to the profile.
  4. Check the host’s compliance to the reference host’s profile. If all hosts are compliant with the reference host, they are correctly configured.
  5. Apply the host profile of the reference host to other hosts or clusters of hosts.

Policies

A policy describes how a specific configuration setting should be applied. The Profile Editor allows you to edit policies belonging to a specific host profile.

Here is an example of how to use the Profile Editor to edit and/or disable policies:

  • After applying a previously created host profile to an ESXi host, this output is received:

Figure 1

Read the rest of this entry »


VCAP5-DCA Objective 2.1 – Implement and Manage Complex Networking

29/06/2012

Objectives

  • Configure SNMP
  • Determine use cases for and applying VMware DirectPath I/O
  • Migrate a vSS network to a Hybrid or Full vDS solution
  • Configure vSS and vDS settings using command line tools
  • Analyze command line output to identify vSS and vDS configuration details
  • Configure NetFlow
  • Determine appropriate discovery protocol
    • CDP
    • LLDP

UPDATE: 2012-07-03

Read the rest of this entry »