If you've had the dubious pleasure of generating and installing vCenter certificates, you’ll know that it’s not the greatest of fun. When VMware released the SSL Certificate Automation Tool, it helped hugely, especially when you use Derek Seaman’s excellent SSL toolkit. I know that there are hours and hours of work put into this script by Derek and I want to thank him for that – it’s a massive time saver. This modification is to fit a different set of circumstances – “standing on the shoulders of giants” – and should in no way be seen as me criticising or stealing Derek’s work.
This week, while using the SSL Certificate Automation Tool and Derek’s script, I encountered a couple of things I felt could be improved for a more complex environment.
- The script is not written to handle distributed setups – e.g. different vSphere components on different servers.
- The script will handle root and a single subordinate CA, but not a third level – this requires some manual fudging.
- The script still creates Java Keystore .jks files, .pfx and .p12 files and properties and ID files for the SSO – these are all no longer required for vSphere 5.5 with the SSL Certificate Automation tool.
I’ve modified the script to use an array of PSObjects for $WServices rather than listing the service names. This means I can provide an FQDN for each service as a property: these are used throughout the script to generate certificate requests for each service with the correct FQDN.
The function CreateCSR now uses the FQDN property of the $WServices array – and I have added a DNS lookup to add the IP address to the CSR automatically as an IP and DNS subjectAltName. Each generated CSR is specific to the FQDN provided at the start of the script.
Multiple Subordinate CAs
The environments I am working on have a fairly standard Microsoft Certificate Services PKI setup: at the top there’s a Root CA, under that there’s a Policy CA, and under that there are Issuing CAs.
I have modified the script to use an array variable $CAs, which contains a list of CA FQDNs. The function DownloadRoot cycles through those and attempts to download each CA’s certificate in turn. The certificates and saved as “CA64-x.cer”, where x is the number of the CA in order.
For example, the Root CA is first in the $CAs array, and is downloaded first. The file is saved as CA64-1.cer. The next CA in the list is my Policy CA, which is saved as CA64-2.cer. Finally, the Issuing CA is saved as CA64-3.cer.
The naming and ordering of the CAs and their certs is important because it’s important to get the chain correct in the .pem files used in the SSL Certificate Automation tool.
As with Derek’s original script, if you’re not able to access the CAs from the vCenter Server (or wherever you’re running the script) then you need to manually download the files and create the CA64-x.cer files and place them in the $Cert_Dir folder – they will be detected and used by the script.
Generating only required files
The only files required by the SSL Certificate Automation Tool are a .pem file containing the entire chain and a .key file containing the private key for the issued certificate.
To generate the .pem file, we need to copy the contents of the CA certificates from root to leaf, starting with the leaf certificate, then the issuing CA, any intermediate CA and finally the root CA. The image below shows the order the certificates need to be pasted into the file.
I’ve modified the CreatePEMFiles function to generate “RootChain.pem”, which is a concatenation of the root certificates in the correct order. It then cycles through the Services and copies the contents of the generated certificate file and “RootChain.pem” to create the .pem file required by the SSL Certificate Automation Tool.
I’ve removed the additional steps for the Java KeyStore (.jks) files, which were required for SSO 5.1 but aren’t actually needed for 5.5. Similarly, steps to create the .pfx and .p12 files are removed as they are no longer required.
Functionality I’ve removed
There are certain functions I’ve removed when it made no sense to keep them, for example generating certificates for the Linux appliance. This makes no sense as by definition they’ll be on the same server/FQDN.
The function VCFQDN has been removed since the FQDN of services is provided in the $WServices array.
The function DownloadSub has been removed since the DownloadRoot function has been modified to download all the CA certificates, including the Subordinate CAs.
The function WinVCCheck has been removed, this checked for the SSO install path and set up an alias to the keytool.exe installed there. These were used in functions that are no longer required.
The function CAHashes, which created the <hash>.0 files of the root certificates has been removed – again these are no longer required in 5.5.
The function CreateSSOFiles has also been removed, since the SSL Certificate Automation tool no longer requires these files to be manually generated.
Running the script
The script runs in the same way as Derek’s original – albeit with a few options removed. You need to edit the script before your first run to populate the details of your environment.
If you can’t access all the CA’s in your environment (e.g. offline root, or firewalled) then you will need to download your CA certificates as base64 encoded certs. Start at the top-most level – the root CA – and export it as CA64-1.cer. The next one should be CA64-2.cer and so on.
Other than that, the script runs as Derek’s. When it’s run, you will have a folder with the certificates in .pem format, and the matching private keys in a .key format. Copy the ssl-environment.bat in to replace the one in the folder for the SSL Certificate Automation Tool and run the tool to update your environment.
Download the script
The modified script is available to download here: http://vexpert.me/ToolkitDistributed
On the 3rd of June we had our second South West UK VMUG and I am pleased to say it went superbly well.
As before we held it at the Mshed facilities in Bristol.
We had a great day with many sessions from sponsors,vendors and community speakers alike!
Big thanks go to our speakers that day who were..
- Justin Rohan - @ - Nimble Storage - Sponsor
- James Smith - @ - PernixData - Sponsor
- Julian Regel - @ - Community session on vCD
- Adam Bohle - @adambohle - VMware - vCAC session
- Jonathan Medd - @ - Community session on PowerCLI/Automation
- Richard Munro - @ - VMware - vCHS Session
One of the South West UK VMUG leaders Barry Coombs took a fantastic time lapse video of the day which can be viewed on his blog site.
Here are a few shots from the day
I was recently sent a copy of Christian Mohn's new book "Learning Veeam Backup and Replication for VMware vSphere" to review, and as ever this is my honest opinion of this book. I am not receiving anything other than the copy of the book for this review. I don't work for a vendor, so I have no axe to grind!
The book starts of with explanations of basic backup strategies and explains principals like Grandfather-Father-Son media rotation and RPO/RTOs. From there it dives into the architecture of Veeam BR and its components. The remainder of chapter 1 covers a walk through of the installation of the product.
Chapter 2 covers the configuration of backups, and gives some background into the different types of backups within Veeam, their drawbacks, and how Veeam have addressed them. For example solving the problem of having to combine incremental backups with the last full, which Veeam solve with synthetic full backups. The chapter also covers backup proxies, and configuring backup jobs, copying to tape or remote repository, and the WAN accelerator.
The next chapter walks through performing restores with Veeam, including full VMs, VM files (like a vmx) and VMDKs, and guest OS files.
Chapter 4 covers the replication part of Veeam Backup and Replication, and after explaining the differences between backup and replication it covers the infrastructure required before stepping through the set-up of a replication job. It also covers the process for fail over and fail-back, and here is one example of where I'd like to see some comparison - e.g. with VMware's SRM, which has a similar feature set.
The fifth and final chapter covers some of the more unique features of Veeam's offering, and I thought it provided a good explanation of those features - here is where I think walk through of setup/config would be most valuable, but it reads more as a feature list than a learning guide.
I found the writing style easy to read and I thought it flowed quite well throughout the book - this is always impressive when the author's first language isn't English.
I did find that I had to keep reminding myself that the book is specifically written about a single product rather than a more agnostic approach - I felt it read more like a vendor produced document. Personally, I would have liked some comparison with other well-known backup products to ground it a little and perhaps some more real-world explanations to distinguish it from vendor install documentation.
Perhaps that's a little unfair as the book is specifically about that one product, and there is added value in the explanations provided. The introduction specifically states that it's aimed at "vSphere administrators looking for an introduction to Veeam Backup & Replication v7 for VMware" and it definitely does provide that.
Recently I had the good fortune to be invited along to a blogger briefing with Satyam Vaghani CTO and Co-founder of PernixData.
Those of you not in the know Satyam already has quite the track record, more notably for authoring 50+ patents, Principle engineer and Storage CTO for VMware (10 years). So it is safe to say he knows a thing or two about storage and related technology!
At the time of meeting Satyam, PernixData was 2 years and 2 months old and already has had a large impact on the storage industry.
FVP was of course at the forefront of discussion and how it stands unique in the storage market place by providing clustered read and write acceleration of any shared storage.
Satyam was very clear, he believes customers should be less focused on renewing/replacing your shared storage in an effort to maintain or improve existing performance but rather focus on simply increasing the overall shared storage capacity and scale out your caching system (clustered flash) to deliver that consistent predictable high performance applications and end users demand and expect. He also highlighted how right now the storage industry has never been more fluid, after 20 years of predictable changes and advances the emergence of SSD and flash has turned the industry upside down. Flash based technologies have already been proven to exceed the performance limitations of well known products like SQL Server where the code is now having to be reviewed to take advantage of the new speeds available.
Yesterday saw another fantastic London VMUG with lots of quality sessions and opportunities to network with peers and friends. The committee seem to do a fantastic job every time and this one was no exception, so thanks to Alaric Davies, Jane Rimmer, Stuart Thompson and Simon Gallagher!
One of the best things for me about the VMUG is the chance to chat with some of the smartest and most influential people in the VMware world – a trip to the coffee table provided a great opportunity to “chew the vfat” with two of the VMUG's biggest characters, Mike Laverick and Ricky El-Qasem – all before any sessions had started.
The first session of the day, after the obligatory coffee and biscuits, was presented by Itzik Reich of EMC’s ExtremIO talking about the all-flash offering. For a non-native English speaker I was thoroughly impressed with how he engaged with the audience and spoke. My main take-away was that you can’t treat flash in the same way as magnetic disk – it’s not just a faster version of the traditional spinning platter but requires a whole new approach as to how it’s used and managed. That may sound obvious but I think a lot of solutions treat flash as such, imposing magnetic disk concepts like RAID which don’t make the best use. Flash != magnetic disk, don’t treat it the same!