DefinIT Because if IT were easy, everyone would do it…

23Jul/14Off

Configuring vCenter Orchestrator (vCO) with PowerShell over HTTPS with Kerberos Authentication

Posted by Sam McGeown

vCenter Orchestrator (vCO)As a PowerShell fan I find using the vCO PowerShell plugin makes my life a whole lot easier. What isn't easy however, is  the configuration of vCO and a PowerShell jump host. Having done it a few times, this is my method for ensuring a secure working connection using HTTPS and Kerberos.

Configure the Orchestrator Appliance

Since we’re planning on using Kerberos authentication, we’d better ensure that the time is correct AND syncs to the same source as the domain.

image

In order to configure Kerberos on the Orchestrator appliance you need to SSH in to the box and log in using your root credentials.

Create a new krb5.conf file under /usr/java/jre-vmware/lib/security/ using the following command:

vi /usr/java/jre-vmware/lib/security/krb5.conf

Enter the following, substituting your domain details, and the local domain controller for “kdc =”. Case is important here, so use caps where I have:

[libdefaults] 
        default_realm = DEFINIT.LOCAL 
[realms] 
        DEFINIT.LOCAL = { 
                kdc = dc-01.definit.local 
                default_domain = definit.local 
        } 
[domain_realms] 
        .definit.local=DEFINIT.LOCAL 
        definit.local=DEFINIT.LOCAL 
[logging] 
        kdc = FILE:/var/log/krb5/krb5kdc.log 
        admin_server = FILE:/var/log/krb5/kadmind.log 
        default = SYSLOG:NOTICE:DAEMON

Configure the PowerShell host

I’m configuring to use HTTPS with Kerberos authentication, so the first thing I need is a certificate with the Server Authentication (1.3.6.1.5.5.7.3.1) key usage. If you’re running a Microsoft PKI, the default Computer certificate template is perfect for this.

Open MMC and add the Certificates snap in for the Computer account, find your certificate and double-click to open. Select the Details tab and scroll to the bottom – copy the thumbprint value to use in the below command.

image

Enable WinRM with the following command:

winrm quickconfig

Increase the amount of memory allowed to be allocated to each executing PowerShell:

winrm set winrm/config/winrs @{MaxMemoryPerShellMB="2048"}

Create an HTTPS listener using the thumbprint and the following command:

winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="host_name";CertificateThumbprint="certificate_thumbprint"}

 

 

image

Finally, enable Kerberos authentication:

winrm set winrm/config/service/auth @{Kerberos="true"}

The PowerShell host is now listening on port HTTPS 5986 authenticated by Kerberos!

Test the WinRM connection

Using another computer on the same domain, run the following command to execute NSLookup on the PowerShell host:

winrs –r:https://mgmt-01.definit.local:5986 nslookup google.com

image

Adding a PowerShell host

The final step is to add a PowerShell host to Orchestrator. Open (or install first and then open) the Orchestrator client and connect to your vCO appliance. Make sure you’re connecting using your domain account (i.e. you need to pass your domain identity to the vCO appliance to use for authentication to the PowerShell host).

Specify a name for the PowerShell host (the hostname of the server is fine), the FQDN (best to use FQDN with Kerberos) and the port that we created the listener on – 5986 by default.

image

Select WinRM as the host type, HTTPS and do not accept all certificates, finally select Kerberos authentication.

image

Select “Session per user” to configure the remote host to use the workflow user’s identity. You can enter credentials for a shared session, but this could pose security risks if running as an elevated user.

image

Finish the wizard and wait until the workflow completes:

image

Now we have a PowerShell host added to vCO, we can run a PowerShell script against it over HTTPS and authenticated with Kerberos.

Running a Hello World PowerShell script in vCO

Firstly, lets create “Say-HelloWorld.ps1” script and save it in c:\SCRIPTS on the PowerShell host.

return “Hello World”

Next switch back to the Orchestrator client and select “Design” mode. Create a new folder to contain your workflows (mine is called “DefinIT”) and then create a new workflow (“Test-PowerShell-Hello-World”).

Select the “Workflow” tab and then expand “All Workflows” > Library > PowerShell, then drag the “Invoke an external script” onto the workflow editor:

image

Click on the “Setup” button:

image

Select the value radio button for the “host” binding and then click to select the PowerShell host from the inventory. Select value for the “externalScript” binding and enter the path to the hello world script we created earlier. Select script for the arguments, as we don’t have any. Leave the output binding as is.

image

Now we can run the workflow and select the “Logs” tab to see the output – you can see the “Hello World” that we returned is echoed in the logs.

image

Hopefully this has been a helpful kick-starter into using vCO PowerShell over HTTPS with Kerberos Authentication

22Nov/12Off

VCP5 – vSphere 5 Configuration Maximums Quiz in PowerShell

Posted by Sam McGeown

I've been learning my vSphere 5 config maximums before my upcoming VCP5 exam, so in a supreme effort of procrastination I thought I'd write a PowerShell quiz script: here it is!

Save the QuizMe.ps1 file into a folder and then place one or more text file in the same folder containing a comma delimited set of questions and answers. Then run QuizMe.ps1!

7Feb/12Off

PowerShell: Recursively taking ownership of files and folders and adding permissions without removing existing permissions

Posted by Sam McGeown

PowerShell LogoThis is every file server admin's nightmare: hundreds of shares, thousands of folders, hundreds of thousands of files - and custom or not inherited rights on many of them. Terabytes of data that need auditing - e.g. to find customer data, or credit card information. How do you go about accessing all the data in all the trees? What about backups failing because someone removed the System account? Of course you can seize control of the folder by taking ownership and pushing down from a top level - but how do you preserve the existing Access Control Lists?

25Jan/12Off

SCOM 2007 R2: Daily Health Check Script

Posted by Sam McGeown

An updated version of this script has been released: http://www.definit.co.uk/2012/05/scom-2007-r2-daily-health-check-script-v2/

MSFT-System-Center-logoI've been working with a Microsft SCOM PFE (Premier Field Engineer) for the last few months and part of the engagement is an environment health check for the SCOM setup. Based on this Microsoft recommend a series of health checks to for the environment that should be carried out every day. This is summarised as the following:

  1. Check the health of all Management Servers and Gateways
  2. Check the RMS is not in maintenance mode
  3. Review Outstanding Alerts
  4. Review Agent's Health Status
  5. Review Backup Status
  6. Review any Management Group Alerts
  7. Review the Pending Management status
  8. Review Database Sizes (Operations, Data warehouse, ACS)
  9. Review Volume of Alerts
  10. Review Alert Latency
  11. Document any changes 
28Oct/11Off

VMware PowerCLI – Set Path Selection Policy on all LUNs for a host

Posted by Sam McGeown

Just a quick script to set the Path Selection Policy on any LUNs on a host that do not have your target policy enabled. The script sets the server to Maintenance mode first, evacuating any VMs if you are in a full DRS automated environment. While this is not strictly necessary, it was required for my production environment just to be safe.

param( [string] $vCenterServer = $(Read-Host -prompt "Enter vCenter Server Name"),
[string] $TargetPolicy = $(Read-Host -Prompt "Enter target policy (RoundRobin, Fixed or MostRecentlyUsed)"),
[string] $TargetHost = $(Read-Host -Prompt "Enter target Host"),
[switch] $WhatIf)

# Add the VI-Snapin if it isn't loaded already
if ((Get-PSSnapin -Name "VMware.VimAutomation.Core" -ErrorAction SilentlyContinue) -eq $null ) {Add-PSSnapin -Name "VMware.VimAutomation.Core"}

Connect-VIServer $vCenterServer | out-null

Write-Host "Connected to: " $vCenterServer -ForegroundColor Green
Write-Host "Target PSP: " $TargetPolicy -ForegroundColor Yellow
Write-Host

switch ($TargetPolicy) {
RoundRobin { $DisplayPolicy = "VMW_PSP_RR"; }
MostRecentlyUsed { $DisplayPolicy = "VMW_PSP_MRU"; }
Fixed { $DisplayPolicy = "VMW_PSP_FIXED"; }
default { Write-Warning "Unknown PSP selected! Please consult the help and try again."; exit }
}

Write-Host "Setting Policy to"$TargetPolicy" on "$TargetHost -ForegroundColor Green

if($WhatIf) {
$vHost = Get-VMHost -Name $TargetHost
$vHost | Set-VMHost -State Maintenance -Evacuate -WhatIf
$vHost | Get-ScsiLun -LunType "disk" -ErrorAction SilentlyContinue | where {$_.IsLocal -eq $false -and $_.MultipathPolicy -ne $TargetPolicy} | Set-ScsiLun -MultipathPolicy $TargetPolicy -WhatIf
$vHost | Set-VMHost -State Connected -WhatIf
} else {
$vHost = Get-VMHost -Name $TargetHost
Write-Host "Setting "$TargetHost" to Maintenance Mode" -ForegroundColor White
$vHost | Set-VMHost -State Maintenance -Evacuate
$vHost | Get-ScsiLun -LunType "disk" -ErrorAction SilentlyContinue | where {$_.IsLocal -eq $false -and $_.MultipathPolicy -ne $TargetPolicy} | Set-ScsiLun -MultipathPolicy $TargetPolicy
Write-Host "Exiting Maintenance mode on"$TargetHost -ForegroundColor White
$vHost | Set-VMHost -State Connected
}
Page 1 of 3123