DefinIT Because if IT were easy, everyone would do it…

30Aug/14Off

Fixing a couple of search/inventory service related errors with vCenter appliance 5.5 update 1c

Posted by Simon Eady

VMware.jpg

So recently I came across an error in the vSphere windows "fat client" when trying to use the search field.

login_to_query

 

 

 

 

 

So a quick look at the VMware knowledge base brought up the following article

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2063020

So I went ahead and followed the KB artricle and then tried to search again.. the following error was generated.

unable_to_connect_to

 

 

 

 

 

Also while logging into the vSphere web client the following error appears.

client_not_authen

 

 

 

 

I had access to the SSO components etc.. but vCenter and related objects were null, now I have seen this issue before when the in use domain account has not been added to the vCenter as an admin so I re-logged with the [email protected] account (which had no errors when logging in) and browsed through to the vCenter server permissions tab and I could see all of the appropriate accounts listed with the correct permissions.

23Jul/14Off

Installing SRM VNXe SRA – Failed to load SRA, ‘queryInfo’ didn’t return a response

Posted by Sam McGeown

Quick post to cover a fix for installing the VNXe SRA when you encounter the below error:

Failed to load SRA from 'C:/Program Files/VMware/VMware vCenter Site Recovery Manager/storage/sra/EMC VNXe SRA'. SRA command 'queryInfo' didn't return a response.

The components installed (in this order) are:

  1. vSphere 5.5
  2. SRM 5.5
  3. UNISphere CLI 1.5.4.1.0027-1
  4. VNXe SRA 5.0.0

The root cause is that the system locale is EN-GB rather than EN-US, however even changing the locale does not resolve the issue. The Java installation will still try and load an en_GB module and fail. The solution is as follows:

Edit “<SRM Install>\storage\sra\EMC VNXe SRA\command.pl” in notepad and replace:

system("jre/bin/java -jar EmcVNXeSra.jar");

with

system("jre/bin/java -Duser.country=US -Duser.language=en -jar EmcVNXeSra.jar");

Rescan the SRAs within SRM to load the VNXe adapter details.

23Jul/14Off

Configuring vCenter Orchestrator (vCO) with PowerShell over HTTPS with Kerberos Authentication

Posted by Sam McGeown

vCenter Orchestrator (vCO)As a PowerShell fan I find using the vCO PowerShell plugin makes my life a whole lot easier. What isn't easy however, is  the configuration of vCO and a PowerShell jump host. Having done it a few times, this is my method for ensuring a secure working connection using HTTPS and Kerberos.

Configure the Orchestrator Appliance

Since we’re planning on using Kerberos authentication, we’d better ensure that the time is correct AND syncs to the same source as the domain.

image

In order to configure Kerberos on the Orchestrator appliance you need to SSH in to the box and log in using your root credentials.

Create a new krb5.conf file under /usr/java/jre-vmware/lib/security/ using the following command:

vi /usr/java/jre-vmware/lib/security/krb5.conf

Enter the following, substituting your domain details, and the local domain controller for “kdc =”. Case is important here, so use caps where I have:

[libdefaults] 
        default_realm = DEFINIT.LOCAL 
[realms] 
        DEFINIT.LOCAL = { 
                kdc = dc-01.definit.local 
                default_domain = definit.local 
        } 
[domain_realms] 
        .definit.local=DEFINIT.LOCAL 
        definit.local=DEFINIT.LOCAL 
[logging] 
        kdc = FILE:/var/log/krb5/krb5kdc.log 
        admin_server = FILE:/var/log/krb5/kadmind.log 
        default = SYSLOG:NOTICE:DAEMON

Configure the PowerShell host

I’m configuring to use HTTPS with Kerberos authentication, so the first thing I need is a certificate with the Server Authentication (1.3.6.1.5.5.7.3.1) key usage. If you’re running a Microsoft PKI, the default Computer certificate template is perfect for this.

Open MMC and add the Certificates snap in for the Computer account, find your certificate and double-click to open. Select the Details tab and scroll to the bottom – copy the thumbprint value to use in the below command.

image

Enable WinRM with the following command:

winrm quickconfig

Increase the amount of memory allowed to be allocated to each executing PowerShell:

winrm set winrm/config/winrs @{MaxMemoryPerShellMB="2048"}

Create an HTTPS listener using the thumbprint and the following command:

winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="host_name";CertificateThumbprint="certificate_thumbprint"}

 

 

image

Finally, enable Kerberos authentication:

winrm set winrm/config/service/auth @{Kerberos="true"}

The PowerShell host is now listening on port HTTPS 5986 authenticated by Kerberos!

Test the WinRM connection

Using another computer on the same domain, run the following command to execute NSLookup on the PowerShell host:

winrs –r:https://mgmt-01.definit.local:5986 nslookup google.com

image

Adding a PowerShell host

The final step is to add a PowerShell host to Orchestrator. Open (or install first and then open) the Orchestrator client and connect to your vCO appliance. Make sure you’re connecting using your domain account (i.e. you need to pass your domain identity to the vCO appliance to use for authentication to the PowerShell host).

Specify a name for the PowerShell host (the hostname of the server is fine), the FQDN (best to use FQDN with Kerberos) and the port that we created the listener on – 5986 by default.

image

Select WinRM as the host type, HTTPS and do not accept all certificates, finally select Kerberos authentication.

image

Select “Session per user” to configure the remote host to use the workflow user’s identity. You can enter credentials for a shared session, but this could pose security risks if running as an elevated user.

image

Finish the wizard and wait until the workflow completes:

image

Now we have a PowerShell host added to vCO, we can run a PowerShell script against it over HTTPS and authenticated with Kerberos.

Running a Hello World PowerShell script in vCO

Firstly, lets create “Say-HelloWorld.ps1” script and save it in c:\SCRIPTS on the PowerShell host.

return “Hello World”

Next switch back to the Orchestrator client and select “Design” mode. Create a new folder to contain your workflows (mine is called “DefinIT”) and then create a new workflow (“Test-PowerShell-Hello-World”).

Select the “Workflow” tab and then expand “All Workflows” > Library > PowerShell, then drag the “Invoke an external script” onto the workflow editor:

image

Click on the “Setup” button:

image

Select the value radio button for the “host” binding and then click to select the PowerShell host from the inventory. Select value for the “externalScript” binding and enter the path to the hello world script we created earlier. Select script for the arguments, as we don’t have any. Leave the output binding as is.

image

Now we can run the workflow and select the “Logs” tab to see the output – you can see the “Hello World” that we returned is echoed in the logs.

image

Hopefully this has been a helpful kick-starter into using vCO PowerShell over HTTPS with Kerberos Authentication

10Jul/14Off

HTTP Error 500 installing vCAC IaaS Model Manager Data

Posted by Sam McGeown

This was a fun little error, whilst installing the distributed IaaS roles I couldn’t seem to get the IaaS components to install – when I got the Website and Model Manager Data install it would fail with the following message:

##InitializeRepo Registering solution user in the VA, initializing Repository MetaModel and Authorization 
"C:\Program Files (x86)\VMware\vCAC\Server\Model Manager Data\Cafe\Vcac-Config.exe" RegisterSolutionUser -url https://vcloud.definit.local --Tenant "vsphere.local" -cu "[email protected]" -cp ******  --FileName "C:\Program Files (x86)\VMware\vCAC\Server\Model Manager Data\Cafe\Vcac-Config.data" -v 
    VMware.Cafe.HtmlResponseException: Internal Server Error (500) 
    at VMware.Cafe.JsonRestClient.<HandleErrorResponse>d__8d`1.MoveNext() 
  --- End of stack trace from previous location where exception was thrown --- 
     at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) 
     at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) 
     at VMware.Cafe.JsonRestClient.<CreateResource>d__2d`1.MoveNext() 
  --- End of stack trace from previous location where exception was thrown --- 
     at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) 
     at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) 
     at VMware.Cafe.ComponentRegistryClient.<CreateSolutionUserAsync>d__5.MoveNext() 
  Http response: 
  StatusCode: 500, ReasonPhrase: 'Internal Server Error', Version: 1.1, Content: System.Net.Http.StreamContent, Headers: 
  { 
    Vary: Accept-Encoding 
    Vary: User-Agent 
    Connection: close 
    Date: Thu, 10 Jul 2014 23:20:43 GMT 
    Content-Length: 3784 
    Content-Type: text/html; charset=utf-8 
  } 
  Warning: Non-zero return code. Command failed. 
C:\Program Files (x86)\VMware\vCAC\Server\Model Manager Data\DeployRepository.xml(556,5): error MSB3073: The command ""C:\Program Files (x86)\VMware\vCAC\Server\Model Manager Data\Cafe\Vcac-Config.exe" RegisterSolutionUser -url https://vcloud.definit.local --Tenant "vsphere.local" -cu "[email protected]" -cp ******  --FileName "C:\Program Files (x86)\VMware\vCAC\Server\Model Manager Data\Cafe\Vcac-Config.data" -v" exited with code 1. 
Done Building Project "C:\Program Files (x86)\VMware\vCAC\Server\Model Manager Data\DeployRepository.xml" (InitializeRepo target(s)) -- FAILED. 
Build FAILED.

image

I’ve pasted it in here because I couldn’t find anything through google that referred to my error messages – hopefully if you’re reading this you’ve found it because you’re looking for it!

I tried all sorts of things before noticing the HTTP header – specifically the Date – which showed an incorrect time. I jumped on the VCAC appliances via SSH and checked the time using “date”. One of my appliances was indeed out of skew - somehow the NTP service had been stopped after I configured it previously.

I edited the ntp.conf (vi /etc/ntp.conf) and checked I had entries in there – e.g. “server 0.uk.pool.ntp.org” and then started the NTP daemon using “rcntp start”, then sync’d using “rcntp ntptimeset”

The moral of the story - check time sync on ALL vCAC components - it's important!

Filed under: vCloud, VMware 2 Comments
1Jul/14Off

Slow or failed logon to VCSA 5.5 with vCOps in the environment

Posted by Sam McGeown

vsphere logoRecently I encountered this problem in a customer site whereby the logon to VCSA 5.5 would either time out, or take 3-5 minutes to actually log on.

Running a netstat on the VCSA during the attempt to logon showed there was a SYN packet sent to the vCOps appliance on port 443 that never established a connection. Another check was attempting to connect using curl https://<vCOpsIP> –k  - this would time out.

Ensuring connectivity to the vCOps appliance over port 443 fixed the logon timeout issue – presumably a the connection attempt holds up the logon process (single threaded?!) which causes a timeout in the logon process.

Page 3 of 4712345...102030...Last »