Category archive: VMware

Limitations when using Workspace One Access for “free” with vRSLCM?

Workspace One Access or vIDM “Content Catalog” vRealize shortcuts with SSO login

When you install vRealize Suite Lifecycle Manager it comes with Workspace One Access (VMware Identity Manager), and in this appliance you get a lot of options and no limitations of any kind. So it is up to you to avoid using any features that you are not allowed to use. If you do, you might be in breach of the EULA.

So I went on a Google search for answers to this question, and boy, I can tell you that it is not straightforward. I have also tried to get VMware to give me a statement or point me to the correct documentation where they say what I can and can’t do.

Why is this an issue?

As I said, you are not limited in any way and you could use all of its functionality. But if you do, you would be in breach of the EULA according to a VMware Product Manager. So a problem arises: you could easily be in breach without knowing it.

After some investigation I was pointed to the VMware Product Guide, where the following is stated.

Official documentation

Workspace ONE Access feature. A license to use VMware NSX Data Center (any edition) or NSX Cloud (any edition) includes an entitlement to use the Workspace ONE Access feature, but only for the following functionalities:

  • directory integration functionality of Workspace ONE Access to authenticate users in a user directory such as Microsoft Active Directory or LDAP
  • conditional access policy
  • single-sign-on integration functionality with third party Identity providers to allow third party identity providers’ users to single-sign-on into NSX
  • two-factor authentication solution through integration with third party systems. VMware Verify, VMware’s multi-factor authentication solution, received as part of Workspace ONE Access, may not be used as part of NSX, and
  • single-sign-on functionality to access VMware products that support single-sign-on capabilities.

A license to use VMware vRealize Log Insight includes an entitlement to use the Workspace ONE Access feature, but only for the following functionalities:

  • directory integration functionality of Workspace ONE Access Standard to authenticate users in a user directory such as Microsoft Active Directory or LDAP
  • conditional access policy
  • single-sign-on integration functionality with third party Identity providers to allow third party Identity providers’ users to single-sign-on into vRealize Log Insight
  • two-factor authentication solution through integration with third party systems. VMware Verify, VMware’s multi-factor authentication solution, received as part of the Workspace ONE Access feature, may not be used as part of vRealize Log Insight, and
  • single-sign-on functionality to access VMware products that support single-sign-on capabilities.

So is this now solved?

The quick answer is NO. When you look at the text, I would interpret it to only apply if I have an NSX and/or Log Insight license, not for vRA, vRops, vRNI, vRB and vRSLCM. I would also argue that there is a problem with the wording. If you look at points 4 and 5 and the inclusion of “, and” at the end of point 4, does it imply that point 5 is also not allowed?

And what about when they first say “but only for the following functionalities” and then, inside a point, say “may not be used”? What may not be used?

That I may not use single sign-on with anything other than NSX and vRLI?
“single-sign-on functionality to access VMware products that support single-sign-on capabilities”

I honestly don’t know what to get out of this, other than that it doesn’t apply to this use case and that it is a shoehorn attempt to make a text fit something it is not meant to fit.

Other Clues?

When you look at the VMware download page for Identity Manager 3.3.1 it clearly states what it can be used for, but it doesn’t go into details.
Download VMware Identity Manager 3.3.1 (for vRA, vRops, vRLI, vRB, vRNI, NSX only)

If any of you have any insight on this, please give me an update.

To be continued…

VMware solutions that are no longer supported in 2020?

2019 is over and a new year is on the doorstep. What will happen in 2020 and what news is coming is hard to predict, but some things are at least certain, among them which VMware products reach end of life in 2020 and will no longer be supported under “General Support”.

VMware products reaching end of support in 2020

End of General Support

  • App Volumes 2.14, 2.15
  • AppDefense Plugin 2.1, 2.2, 2.3 for Platinum Edition
  • Cloud Provider Pod 1.0, 1.5
  • Essentials PKS 1.13.4
  • ESXi 6.0
  • Fusion 11
  • Identity Manager 3.3
  • Integrated OpenStack 5.0, 5.1
  • NSX for vSphere 6.3
  • NSX-T DataCenter 2.4
  • Pulse IoT Center 1.0
  • SDDC Manager 2.3, 3.7
  • Site Recovery Manager 6.0, 6.1
  • Smart Assurance 9.5
  • Smart Experience 3.1
  • User Environment Manager 9.3, 9.4, 9.5, 9.6
  • vCenter Application Discovery Manager 7.1
  • vCenter Server 6.0
  • vCenter Update Manager 6.0
  • vCloud Availability for Cloud-to-Cloud DR 1.x
  • vCloud Director for Service Providers 9.1, 9.5
  • vCloud Usage Meter 4.1
  • VMware Enterprise PKS 1.6
  • vRealize Automation 7.4, 7.5
  • vRealize Business for Cloud 7.5
  • vRealize Configuration Manager 5.8.4, 5.8.5
  • vRealize Log Insight 4.7, 4.8
  • vRealize Network Insight 4.0, 4.1, 4.2
  • vRealize Operations for Horizon 6.6
  • vRealize Operations Manager 6.6.1, 6.7
  • vRealize Orchestrator 7.4, 7.5
  • vRealize Suite Lifecycle Manager 1.3, 2.0, 2.1
  • vSAN 6.0, 6.1 and 6.2
  • vSphere Data Protection 6.0, 6.1
  • vSphere Integrated Containers 1.5
  • vSphere Replicator 6.0, 6.1
  • Workspace ONE UEM Console 9.5, 9.6, 9.7, 1810, 1811, 1902, 1903
  • Workspace ONE UEM Console 1904, 1905 (SaaS Only)
  • Workstation 15 Pro and Workstation 15 Player

VMware products that reached end of support in 2019

End of General Support

  • AirWatch Console 9.2, 9.3
  • App Volumes 2.13
  • AppDefense Plugin 2.0 for Platinum Edition
  • Fusion 10
  • Horizon 6 for Linux 6.1.1
  • Horizon DaaS On Prem Platform 7.0
  • Horizon FLEX Policy Server 1.x
  • Horizon View 6.x
  • Identity Manager 3.0, 3.1, 3.2
  • Integrated OpenStack 4.0, 4.1
  • Mirage 5.9
  • NSX-T 2.0, 2.1
  • NSX-T Data Center 2.2
  • Photon Platform 1.x
  • SDDC Manager 3.0
  • ThinApp 4.7.3
  • User Environment Manager 9.2
  • vCenter Chargeback Manager 2.7.x
  • vCenter Converter Standalone 6.2
  • vCloud Availability for vCloud Director 2.0
  • vCloud Director Extender 1.0, 1.1
  • vCloud Director for Service Providers 8.20, 9.0
  • vCloud Usage Meter 3.6.1
  • vRealize Automation 7.3, 7.4, 7.5
  • vRealize Business for Cloud 7.3, 7.4
  • vRealize Code Stream 2.4
  • vRealize Configuration Manager 5.8, 5.8.3
  • vRealize Hyperic 5.8.4 – 5.8.6
  • vRealize Log Insight 4.6
  • vRealize Network Insight 3.7, 3.8, 3.9
  • vRealize Operations for Horizon 6.5
  • vRealize Operations for Published Applications 6.5
  • vRealize Operations Manager 6.6, 6.7
  • vRealize Orchestrator 7.3
  • vRealize Suite Lifecycle Manager 1.0, 1.1, 1.2
  • vSphere Integrated Containers 1.4
  • Workspace ONE UEM Console 9.4
  • Workstation 14 Pro and Workstation 14 Player

What do the different support types mean?

See the list taken from VMware of what the different phases contain. Each feature is followed by the phases (General Support, Technical Guidance, End of Support Life, End of Availability) in which it is available:

  • Maintenance updates and upgrades: General Support
  • New security patches: General Support
  • New bug fixes: General Support
  • New hardware support: General Support
  • Server, Client and Guest OS updates: General Support
  • File a Support Request: General Support (Phone and Web), Technical Guidance (Web only)
  • Existing security patches: General Support, Technical Guidance
  • Existing bug fixes: General Support, Technical Guidance
  • Workarounds for low-severity issues (severity 2, 3, and 4): General Support, Technical Guidance
  • Self-help web-based support: General Support, Technical Guidance
  • Access to Knowledge Base: General Support, Technical Guidance, End of Support Life

If you want to dig deeper, detailed information is available from VMware, where this list was taken from.
The data in this article is based on information taken from the VMware Lifecycle Product Matrix.

How to configure SSO web links in VMware Identity Manager Catalog for vRealize Suite Lifecycle Manager imported products

When you deploy a product from vRSLCM, its single sign-on link is automatically created in the Identity Manager catalog. But if you import an existing vRealize product, it is not. Bummer! That being said, I have not tested importing solutions that already had vIDM configured for authentication without the catalog entry.

Anyway, if you have imported an existing product into vRSLCM and you are missing the SSO link in your catalog, this is how I fixed it (I don’t know if this is the official way).

First you need to enable login with Identity Manager for the product you want to configure SSO for. When that is done and working, do the following for the different products.

vRealize Network Insight

Right-click on the login button and copy the URL. You will get something like the URL listed below. You just need to fix the end of the URL to be like mine, but with your own vRNI link.

https://YOUR.IDENTITYMANAGER.FQDN/SAAS/auth/oauth2/authorize?response_type=code&client_id=YOURID_auth_grant&scope=openid+user+email&redirect_uri=http://YOUR.VRNI.FQDN/#home

vRealize Operations Manager

For vROps I was not able to get the correct URL in the same way; here I used F12 (developer tools) in Google Chrome and recorded my login. I found the correct URL on the first line, “authorize?response_type=…………..”, and it should look something like this.

https://your.identitymanager.fqdn/SAAS/auth/oauth2/authorize?response_type=code&client_id=yourid&redirect_uri=https://your.vrops.fqdn/ui/vidmClient/vidm

Add SSO weblink to Identity Manager Catalog

When you have the URL, go into your Identity Manager Administrator Console and, under Catalog and Web Apps, create a new web link.
In the Configuration menu choose Authentication Type “Web Application Link” and in Target URL insert the URL you copied from the vRealize Network Insight login screen.
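Before pasting a copied authorize URL into the catalog it is worth checking it programmatically. The following is an added example (not code from the original post): it parses a copied vIDM authorize URL, verifies that redirect_uri really points at the intended product, and rebuilds the link with proper encoding. The hostnames are placeholders; the endpoint path and parameter names are taken from the URLs shown above.

```python
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Added example, not from the original post. Hostnames are placeholders; the
# endpoint path /SAAS/auth/oauth2/authorize and the parameters come from the
# URLs shown above.
AUTHORIZE_PATH = "/SAAS/auth/oauth2/authorize"
REQUIRED = {"response_type", "client_id", "redirect_uri"}


def parse_authorize_url(url: str) -> dict:
    """Split a copied vIDM authorize URL into its parts, refusing odd ones."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"authorize URL must be https, got {parts.scheme!r}")
    if parts.path != AUTHORIZE_PATH:
        raise ValueError(f"unexpected path {parts.path!r}")
    # parse_qs also turns '+' in scope=openid+user+email back into spaces.
    query = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    missing = REQUIRED - query.keys()
    if missing:
        raise ValueError(f"missing parameters: {sorted(missing)}")
    if query["response_type"] != "code":
        raise ValueError("catalog web links use the authorization code flow")
    # An unencoded '#' (e.g. '/#home') ends the query: it becomes the fragment
    # of the authorize URL itself and is never part of redirect_uri.
    return {"idm_host": parts.netloc, "fragment": parts.fragment, **query}


def redirect_matches(info: dict, product_host: str) -> bool:
    """True when redirect_uri really points at the product the link is for."""
    return urlsplit(info["redirect_uri"]).netloc.lower() == product_host.lower()


def is_valid_web_link(url: str, product_host: str) -> bool:
    """One-call check to run before pasting the URL into the catalog."""
    try:
        return redirect_matches(parse_authorize_url(url), product_host)
    except ValueError:
        return False


def build_authorize_url(idm_host: str, client_id: str, redirect_uri: str,
                        scope: Optional[str] = None) -> str:
    """Assemble the link with proper encoding instead of hand-editing it."""
    params = {"response_type": "code", "client_id": client_id}
    if scope:
        params["scope"] = scope            # urlencode emits 'openid+user+email'
    params["redirect_uri"] = redirect_uri  # '://' and '#' get percent-encoded
    return urlunsplit(("https", idm_host, AUTHORIZE_PATH, urlencode(params), ""))
```

Building the link with build_authorize_url keeps a trailing “#home” inside redirect_uri, which a hand-pasted URL silently drops.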

How to delete locker password entries in vRealize Suite Lifecycle Manager

Update 10.2020: In version 8.2 you can finally manage and delete passwords from the GUI

In vRealize Suite Lifecycle Manager 8.0 VMware introduced “Locker”; this is where you store certificates, licenses and passwords. If for some reason you add a password that is wrong, or you want to delete an old one, you are in trouble: there is no way to delete entries through the GUI or CLI. But you can do it through the API!

Here is how

First you might need to install software to make the API calls. I used Postman, and you can download it here.

When you have installed Postman, or if you already have it, do the following.

Authenticate

First you need to insert your credentials in the Authorization tab in Postman and send this POST command. Remember to insert your vRSLCM FQDN address.

POST https://vrslcm.your.fqdn/lcm/authzn/api/login

If login is successful you will get “Login Successfully” in return.

In version 8.0.1 of vRSLCM you also need to copy the Authorization Key Value found under Headers and Temporary Headers in Postman.

Example: YWRtaW5AbG9jYWw6Vk13YXJlMTIzIQ
GET the list of all entries

GET https://vrslcm.your.fqdn/lcm/locker/api/passwords/

The GET command will give you a list of all the passwords and their vmid. Copy the vmid of the entry you want to delete and use it instead of “vmid” below when you send the DELETE command.

Update:
It appears that in version 8.0.1 this command is no longer possible.

Only for pre-8.0.1 versions

DELETE the entries

DELETE http://vrslcm.your.fqdn:8080/lcm/locker/api/passwords/vmid

Run the GET command again to see that the password has been removed or refresh the locker page in the GUI of vRSLCM.

For 8.0.1 and possibly later versions

Delete the entries

Log in as the root user to your vRSLCM appliance through SSH and run the following command.
Remember to replace the two IDs with your own: the first ID (in the URL) with the vmid from the GET passwords command, and the last ID (in the Authorization header) with the Authorization Key Value.

curl -X DELETE 'http://localhost:8080/lcm/locker/api/passwords/5581b687-a26c-4495-a8ed-11486c79fd81' -H 'Accept: application/json' -H 'Content-Type: application/json' -H 'Authorization: Basic YWRtaW5AbG9jYWw6Vk13YXJlMTIzIQ' -k
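The steps above (build the Authorization value, find the vmid in the GET listing, issue the DELETE) as an added Python example; this is not code from the original post or from vRSLCM. The API paths are the ones shown above, but the field names “vmid” and “alias” in the GET body are an assumption and the listing below is constructed, not captured from a real appliance. It also shows why the “Authorization Key Value” must be handled like the admin password: HTTP Basic is just base64(user:password).

```python
import base64
import json
import uuid

# Added example, not from the original post. API paths are the ones shown
# above; the field names "vmid" and "alias" in the GET body are an assumption
# and SAMPLE_LISTING is constructed, not captured from a real appliance.
SAMPLE_LISTING = json.dumps([
    {"vmid": "0f6a4c2e-1b3d-4e5f-8a9b-0c1d2e3f4a5b", "alias": "old-root"},
    {"vmid": "7d0e9a1c-2f3b-4a5d-9e8f-6c5b4a3d2e1f", "alias": "vc-admin"},
    {"vmid": "not-a-uuid", "alias": "broken"},
])


def basic_auth_header(username: str, password: str) -> str:
    """The 'Authorization Key Value' Postman shows is plain HTTP Basic auth:
    base64(user:password). It is reversible, so treat it (and any shell
    history or ticket it lands in) exactly like the admin password."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def credentials_from_header(header: str) -> tuple:
    """Inverse of basic_auth_header; Postman may strip the '=' padding."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    token += "=" * (-len(token) % 4)
    user, _, pwd = base64.b64decode(token).decode("utf-8").partition(":")
    return user, pwd


def vmid_for_alias(listing: str, alias: str) -> str:
    """Pick exactly one vmid out of the GET /lcm/locker/api/passwords body."""
    entries = json.loads(listing)
    if isinstance(entries, dict):        # tolerate a {"passwords": [...]} wrapper
        entries = entries.get("passwords", [])
    hits = [e["vmid"] for e in entries if e.get("alias") == alias]
    if len(hits) != 1:
        raise LookupError(f"{len(hits)} entries named {alias!r}, refusing to guess")
    uuid.UUID(hits[0])                   # raises ValueError before it reaches a URL
    return hits[0]


def delete_command(vmid: str, auth_header: str, host: str = "localhost:8080") -> list:
    """argv of the curl call run on the appliance for 8.0.1; passing a list
    avoids shell quoting, so no value can break out of the command line."""
    return ["curl", "-X", "DELETE", f"http://{host}/lcm/locker/api/passwords/{vmid}",
            "-H", "Accept: application/json", "-H", "Content-Type: application/json",
            "-H", f"Authorization: {auth_header}"]
```

On the appliance, run it with subprocess.run(delete_command(vmid, header), check=True) and then repeat the GET to confirm the entry is gone.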

How to re-establish trust between vRealize Suite Lifecycle Manager and VMware Identity Manager after replacing self-signed certificate

I’m currently working on a deployment of vRealize Suite Lifecycle Manager 8.0. It was deployed using the Easy Installer method, and it has given me a few headaches to be honest. Here is the recipe for how to solve one of those issues.

Replace self-signed certificate

In vRSLCM you can easily replace the self-signed certificate on the vIDM appliance if you have previously imported it into the Locker. Just go through the “Replace Certificate” process and run the included precheck.

[Screenshot: vIDM Replace Certificate precheck warning LCMCOMMON30007]

You will probably get the same warning as I did. If you click Finish, it will replace the certificate and everything looks fine until you try “Trigger Inventory Sync” from vRSLCM. It will fail with the following error:

Error message

com.vmware.vrealize.lcm.util.exception.SshAuthenticationFailureException: Cannot execute ssh commands. Please verify the ssh login credentials
at com.vmware.vrealize.lcm.util.SshUtils.execute(SshUtils.java:393)
at com.vmware.vrealize.lcm.util.SshUtils.runCommand(SshUtils.java:307)
at com.vmware.vrealize.lcm.util.SshUtils.runCommand(SshUtils.java:290)
at com.vmware.vrealize.lcm.util.SshUtils.runCommand(SshUtils.java:333)
at com.vmware.vrealize.lcm.drivers.commonplugin.task.VerifySshConnectionTask.CheckForSshConnection(VerifySshConnectionTask.java:165)
at com.vmware.vrealize.lcm.drivers.commonplugin.task.VerifySshConnectionTask.execute(VerifySshConnectionTask.java:125)
at com.vmware.vrealize.lcm.drivers.commonplugin.task.VerifySshConnectionTask.retry(VerifySshConnectionTask.java:282)
at com.vmware.vrealize.lcm.automata.core.TaskThread.run(TaskThread.java:43)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.RuntimeException: Cannot create session for ssh://root@xx.xx.xx.xx
at com.vmware.vrealize.lcm.util.SessionHolder.newSession(SessionHolder.java:57)
at com.vmware.vrealize.lcm.util.SessionHolder.<init>(SessionHolder.java:37)
at com.vmware.vrealize.lcm.util.SshUtils.execute(SshUtils.java:346)
… 10 more
Caused by: com.jcraft.jsch.JSchException: Auth fail
at com.jcraft.jsch.Session.connect(Session.java:519)
at com.vmware.vrealize.lcm.util.SessionHolder.newSession(SessionHolder.java:53)
… 12 more

How to fix the issue

1. SSH to vIDM and log in as sshuser. Run the following command to become the root user.
su root
2. Edit the file /etc/ssh/sshd_config and change the value of PermitRootLogin to yes.
PermitRootLogin yes
3. Run the following command to restart the sshd service.
service sshd restart

Run “Trigger Inventory Sync” again and it will complete successfully.
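Step 2 is easy to get wrong by hand when the directive is commented out or repeated, or when the file has Match blocks, because sshd uses the first global value it sees. The following is an added example (not code from the original post): it applies the PermitRootLogin edit to the text of sshd_config and reads back the value sshd will actually use, so the same function can restore a stricter value once the inventory sync has completed. SAMPLE_CONFIG is a constructed file, not a copy of the appliance’s own.

```python
import re
from typing import Optional

# Added example, not from the original post: apply (or later undo) the
# PermitRootLogin edit from step 2 on the text of /etc/ssh/sshd_config.
# SAMPLE_CONFIG is a constructed file, not a copy of the appliance's own.
VALID = {"yes", "no", "prohibit-password", "forced-commands-only"}
MATCH = re.compile(r"^\s*Match\b", re.IGNORECASE)
DIRECTIVE = re.compile(r"^\s*#?\s*PermitRootLogin\b", re.IGNORECASE)
SAMPLE_CONFIG = (
    "Port 22\n"
    "#PermitRootLogin prohibit-password\n"
    "PasswordAuthentication yes\n"
    "Match User sshuser\n"
    "    PermitRootLogin no\n"
)


def set_permit_root_login(config: str, value: str = "yes") -> str:
    """Return config with exactly one global 'PermitRootLogin <value>' line."""
    if value not in VALID:
        raise ValueError(f"invalid PermitRootLogin value {value!r}")
    out, done, in_match = [], False, False
    for line in config.splitlines():
        if MATCH.match(line):
            if not done:                 # global section ends at the first Match
                out.append(f"PermitRootLogin {value}")
                done = True
            in_match = True              # lines below belong to Match blocks
        elif not in_match and DIRECTIVE.match(line):
            if not done:                 # reuse the first (even commented) line
                line = f"PermitRootLogin {value}"
                done = True
            elif not line.lstrip().startswith("#"):
                line = "# " + line       # sshd takes the first value; neutralise later ones
        out.append(line)
    if not done:
        out.append(f"PermitRootLogin {value}")
    return "\n".join(out) + "\n"


def permit_root_login(config: str) -> Optional[str]:
    """Effective global value as sshd reads it: first uncommented hit before any Match."""
    for line in config.splitlines():
        if MATCH.match(line):
            break
        hit = re.match(r"^\s*PermitRootLogin\s+(\S+)", line, re.IGNORECASE)
        if hit:
            return hit.group(1)
    return None
```

After writing the result back, check it with sshd -t before service sshd restart; once the sync has completed the same function can set the value back to what the appliance shipped with.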

Get started with VMware Skyline

You can also find this post on the Atea blog

As a consultant I work with different customers and different ways of running a VMware environment. Much is similar, but no two are the same. I find that many are good at keeping their environment updated and maintained, others less so. If you do not work with VMware’s solutions on a daily basis, it quickly becomes a challenge to keep track of new versions, best practices and vulnerabilities. To help with this, VMware has launched Skyline. At the end of 2018 an updated version was released, and at the same time it was made available to Norwegian customers.

What is Skyline?

VMware Skyline™ is a proactive support service aligned with VMware Global Support Services. VMware Skyline collects, aggregates and analyses product data, proactively identifies potential problems, and helps VMware Technical Support Engineers improve time to resolution.

What value does Skyline provide?

Even if Skyline does not necessarily give everyone the same value today, I would still recommend setting it up. VMware plans to add support for all of its systems in the future, and the time it takes to set up and maintain is small. If it does not find anything, you have at least verified that “everything” is in order. See the information video from VMware below.

What do you need to set up Skyline?

  • An active VMware license with Production Support.
  • Install the Collector VM, an OVF with the following specifications: 2 vCPU, 8 GB memory and 87.1 GB disk.
  • vCenter Server 6.0 or newer.
  • ESXi 6.0 or newer.
  • Outbound access on port 443 to vcsa.vmware.com and app-updates.vmware.com:

  From: Collector VM
  To: vcsa.vmware.com, app-updates.vmware.com
  Protocol: TCP/IP
  Port: 443

Which VMware products are supported today?

Skyline Advisor is a cloud service and is continuously updated with new features. Today it supports showing proactive findings for the following products.

  • VMware vSphere
  • VMware NSX for vSphere
  • VMware vSAN
  • Horizon
  • vRealize Operations

Installation

Go to https://skyline.vmware.com and log in with your VMware account. NB! You must use the account that is linked to the VMware license. If your company is not already registered in VMware Cloud Services, you will be asked to create an organization.

When the organization has been created you are automatically taken on to the Skyline installation guide. The first thing you must do is click “Associate Support Entitlement”. If it fails, you are either logged in with the wrong account or lack an active production support agreement.

Follow the instructions through steps 1 to 6. You will be guided through the installation of the Collector VM in your environment and connecting it to Skyline Advisor.

Skyline Advisor Dashboard

It takes about 48 hours from when the Collector VM is fully configured until Skyline Advisor has churned through the data and is ready to present the findings for your environment.

Skyline Dashboard

This video shows the dashboard you get access to once Skyline is set up and configured.

vRealize Operations Management Pack for Skyline

If you have vRealize Operations, it may be worth looking at the management pack for Skyline.

Links to VMware’s documentation