Stikkordarkiv: vRSLCM

Backup your vRealize Operations dashboards with vRealize Suite Lifecycle Manager

vRealize Suite Lifecycle manager contains a feature called Content Management, this can among others be used to backup the content of your vRealize Operations Management Appliance. Like dashboards, views, alerts, super metrics, reports and other customizable content.

How to setup

Dette bildet mangler alt-tekst; dets filnavn er contentmanagement4.jpg
Add endpoint in vRealize Suite Lifecycle Manager

First you need to go to content management in your Lifecycle Manager Dashboard and add a “New Endpoint” Choose vRealize Operations from the “Choose endpoint type” menu.

As you can see it is also possible to add other endpoints as well.

You would then need to add the following details (Name, FQDN, admin and root passwords for your vROps Appliance. Click next and configure policy settings.

Add vRealize Operations Manager as new endpoint.
Policy options

In the policy setting you can configure some details about your endpoint. For capturing dashboard we only need “Allow content to be captured from this endpoint”

Capture

When that is done go to the content menu and click add content, choose your newly added vRealize Operations endpoint. Capture is selected as action by default. click proceed.

List of content that can be captured

On the capture details page, click the dropdown “select capture endpoint” and select your newly added vROps endpoint. Select what content you want to capture and click done. You must also add a comment before you can hit and hit next and submit.

Now you can watch the progress under content pipelines and under content you will see a list of all the content captured.

If you click on the content, you’ll get to see more details and the option to deploy the content to your endpoints.

Deploy

Once you have captured your content you can from the content menu deploy it back to the same vROps instance or to another one if you have multiple environments.

Summary

Backup of your customized content is nice if something should happen to it or your vROps environment. This is just one small part of what the content management feature in vRSLCM can be used for.

Issues

During my testing of this feature I got some issues when I tried to capture dashboards owned by other users than the admin user. I’m not sure why this is but I was not able to get it to work.

20.04.2020 I have now tested this with a new clean installation on 8.1 and the issue is the same. It leads me to believe it is a “feature”

Error message was: "Dashboard <dashboardname> not found for user admin"

Documentation

VMware Docs, Content Management

vRealize Suite Lifecycle Manager

VMware har mange produkter, faktisk så mange at det er vanskelig å holde oversikten på alle. Når jeg som konsulent syntes det er mange betyr nok det at de fleste sliter med å holde oversikten. Og ikke minst sørge for at alle VMware produktene man har i datasenteret er oppdatert. Her kommer vRSLCM inn i bildet. Dette er et produkt for de kundene som har vRealize Suite lisenser og brukes blant annet til å kontrollere alle produktene i vRealize porteføljen.

Hva er nytt i vRealize Suite Lifecycle Manager 8.0

Hva er vRealize Suite Lifecycle Manager

vRSLCM er navet i vRealize løsningen din, den benyttes til å håndtere oppdateringer, sertifikater, passord, konfigurasjon, management packs, content packs, AD integrasjon, single sign-on m.m. Om du har flere datasentre med separate vRealize installasjoner er vRSLCM et genialt overbygg for å kunne administrere disse fra ett sted.

Workspace One Access (tidligere kjent som VMware Identity Manager)

Som en del av vRSLCM følger Workspace ONE Access med. Den kan knyttes mot ett eller flere domener, og håndterer single sign-on for alle de andre produktene i vRealize Suite, I tillegg til vRealize Network insight og NSX-T. Men vær obs på at du ikke bruker flere funksjoner i produktet enn du har lov til da det ikke er lagt inn noen begrensninger.

vRealize Suite Lifecycle Manager visualisering av oppsett

Logisk design av en vRSLCM implementasjon hentet fra VMware validated designs

Produkter som er støttet i versjon 8.0

  • Workspace One Access
  • vRealize Operations Manager
  • vRealize Log Insight
  • vRealize Automation
  • vRealize Network Insight
  • vRealize Business for Cloud
  • NSX for Datacenter (NSX-T)

NSX-T Manager er ikke støttet direkte av vRSLCM, men Identity Manager som følger med trengs for å oppnå RBAC i NSX-T.

Locker

I versjon 8.0 introduserte VMware «locker» i vRSLCM, denne kan inneholde lisensnøkler, sertifikater samt brukernavn og passord. Innholdet her benyttes igjen ved deployment av vRealize komponentene.

Utfordring: Når du først har lagt inn brukernavn og passord i locker kan det ikke redigeres eller slettes via GUI. Dette må gjøres via API

Sertifikater

Jeg kjenner ingen som like å bytte sertifikater, men med vRSLCM går det som en lek. Siden du allerede har lagt inne sertifikatene i LOCKER kan du enkelt via få klikk bytte sertifikat på et produkt. Dessverre er det ikke 100% feilfritt enda, når jeg skulle bytte sertifikat på den inkluderte instansen av vIDM fikk jeg problemer. Hvordan jeg løste det kan du lese om her

Marketplace

Marketplace er hvor man henter ned management og content packs til de forskjellige løsningene.

Oppdateringer

Med vRSLCM går oppdateringen som en lek, da man i vRSLCM får varsel når oppdateringer for dine produkter og management / content packs er tilgjengelig. Og man kan fra vRSLCM gjennomføre oppgradering av alle produktene som er støttet av løsningen.

Installasjon

Bruk av Easy Installer

Når man installere vRSLCM 8.0 for første gang kan man benytte en easy installer som installere vRSLCM, vIDM og eventuelt vRA for deg. Det er vel og bra, men en av utfordringene her er at vIDM appliancen blir plassert i et “Default_datacenter” med lokasjon i Palo Alto, California, US og et environment kaldt “globalenvirnoment”. Disse kan ikke endres og er “by design” i følge VMware. Det må man inntil videre bare leve med, og isteden opprette et nytt environment objekt hvor man plasserer produktene man ønsker å installere eller importere. Dette skal være endret i 8.0.1 (men jeg har ikke testet dette)

Import vs Installasjon

vRSLCM støtter import og ny installasjon av produktene. Så visst du har noen av disse fra før er det enkelt importere dem inn og styre dem videre fra vRSLCM.

Fordeler med vRSLCM

Det er ikke alltid at slike løsninger gir en enklere hverdag om miljøet ikke er stort nok. Dette gjelder også for vRSLCM. Har du et lite miljø med få av produktene blir det uten tvil en overhead ved å skulle legge inn to nye for å håndtere de andre bedre. Men når det er sagt finnes det mange gode grunner for å benytte vRSLCM. Her er noen av mine punkter.

  • Oppgradering og håndtering av vRealize produktene blir lettere og alt kan gjøres fra ett sentralt sted.
  • Integrasjonen med Identity manager er utrolig praktisk, du slipper å knytte alle direkte mot AD (ikke alle støtter det en gang.)
  • Sertifikat håndtering.
  • Single Sign-on mot alle vRealize produktene og samling av alle linker et sted.
  • Passord håndtering.
  • Du blir varslet når nye oppdateringer er tilgjengelig for dine produkter, management og content packs.

Linker

Dokumentasjon, Produktside

Broken connection between vRSLCM and vRops

vRSLCM “Trigger Inventory Sync” failed

Not long ago the connection between vRealize Lifecycle Manager and vRealize Operations Manager “failed” or to be more specific when I trigger an inventory sync of vRops from vRSLCM. It failed with the error LCMVROPSYSTEM25000

If you have the same issue, here a workaround.

First access your vRops master node https://IPaddressOFvrops/casa/node/config
Login with the same credentials used by vRSLCM (admin user) You should get an error message like this:

{“error_message_key”:”general.failure”,”error_arguments”:[“1″,”Note: Forwarding request to ‘systemctl is-enabled’.\n”],”error_message”:””}

Log into your vRops nodes with root user and run the following command

systemctl list-unit-files

sshd.service status

You should se that sshd.service is listed as disabled. Then run the following command

systemctl enable sshd.service

Do this on all vRops nodes, then go back to vRSLCM and try trigger inventory sync. You should now see that the request goes through.

vRSLCM “Trigger Inventory Sync” success

Limitations when using Workspace One Access for “free” with vRSLCM?

Workspace One Access or vIDM “Content Catalog” vRealize shortcuts with SSO login

When you install vRealize Suite Lifecycle manager It comes with the Workspace One Access (VMware Identity Manager) And in this appliance you get a lot of options and no limitations in any way. So it is up to you to avoid using any features that you are not allowed to use. If you do then you might be in breach of the EULA.

So I went on a google search for answers to this question and boy I can tell you that it is not straight forward. I have also tried to get VMware to give me a statement or point me to the correct documentation where they say what I can and can’t do.

Why is this an issue?

As I said you are not limited in any way and you could use all its functionality. But if you do you would then be in breach og the EULA according to an VMware Product Manager. So a problem arises, you could easily be in a breach without knowingly doing so.

After some investigation I was pointed to the VMware Product Guide where the following is stated.

Official documentation

Workspace ONE Access feature. A license to use VMware NSX Data Center (any edition) or NSX Cloud (any edition) includes an entitlement to use the Workspace ONE Access feature, but only for the following functionalities:

  • directory integration functionality of Workspace ONE Access to authenticate users in a user directory such as Microsoft Active Directory or LDAP
  • conditional access policy
  • single-sign-on integration functionality with third party Identity providers to allow third party identityproviders’ users to single-sign-on into NSX
  • two-factor authentication solution through integration with third party systems. VMware Verify,VMware’s multi-factor authentication solution, received as part of Workspace ONE Access, may not beused as part of NSX, and
  • single-sign-on functionality to access VMware products that support single-sign-on capabilities.

A license to use VMware vRealize Log Insight includes an entitlement to use the Workspace ONE Access feature, but only for the following functionalities:

  • directory integration functionality of Workspace ONE Access Standard to authenticate users in a user directory such as Microsoft Active Directory or LDAP
  • conditional access policy
  • single-sign-on integration functionality with third party Identity providers to allow third party Identityproviders’ users to single-sign-on into vRealize Log Insight
  • two-factor authentication solution through integration with third party systems. VMware Verify,VMware’s multi-factor authentication solution, received as part of the Workspace ONE Access feature,may not be used as part of vRealize Log Insight, and
  • single-sign-on functionality to access VMware products that support single-sign-on capabilities.

So is this now solved?

The quick answer is NO, when you look at the text I would interpret it to only apply if I have NSX and or Log insight license. Not for vRA, vRops, vRNI, vRB and vRSLCM. I would also argue that there is a problem with the wording. If you look at point 4 and 5 and the inclusion of , and at the end, does it imply that point 5 is also not allowed?

And what about when they first saybut only for the following functionalities and then inside a point they say may not be used What may not be used?

That I may not use single sign on with anything else than NSX and vRLI?
single-sign-on functionality to access VMware products that support single-sign-on capabilities

I honestly don’t know that to get out of this other than it doesn’t apply to this use case and that it is a shoehorn attempt to make a text fit something it is not meant to fit.

Other Clues?

When you look at the VMware download page for Identity Manger 3.3.1 it clearly stated what it can be used for. But it doesn’t go into details.
Download VMware Identity Manager 3.3.1 (for vRA, vRops, vRLI, vRB, vRNI, NSX only)

If any of you have any insight on this please give me an update.

To be continued…..

How to configure SSO web links in VMware Identity Manager Catalog for vRealize Suite Lifecycle Manager imported products

When you deploy a product from vRSLCM its single sign-on link is automatically created in the Identity manager catalog. But if you import an existing vRealize product it will not. Bummer! Or that being said I have not tested importing solutions that already had vIDM configured for authentication without the catalog entry.

Anyways if you have imported an existing product into vRSLCM and you are missing the SSO link in your catalog. This is how I fixed it (don’t know if this is the official way)

First you need to enable login with identity manager for the product you want to configure SSO for. When that is done and working do the following for the different products.

vRealize Network Insight

Right click on the login button and copy the URL. You will get something like the url listed under. You just need to fix the URL in the end to be like mine but with your vRNI link.

https://YOUR.IDENTITYMANAGER.FQDN/SAAS/auth/oauth2/authorize?response_type=code&client_id=YOURID_auth_grant&scope=openid+user+email&redirect_uri=http://YOUR.VRNI.FQDN/#home

vRealize Operations Manager

For the vROPS I was not able to use get the correct URL in the same way, here I used F12 in Google Chrome and recorded my login. I found the correct URL on the first line “authorize?response_type=…………..” and It should look something like this.

https:/your.identitymanager.fqdn/SAAS/auth/oauth2/authorize?response_type=code&client_id=yourid&redirect_uri=https://your.vrops.fqdn/ui/vidmClient/vidm

Add SSO weblink to Identity Manager Catalog

When you got the URL go into your Identity managers Administrator Console and under Catalog and Web Apps create a new web link.
In the Configuration menu choose Authentication TypeWeb Application Link” and in Target URL insert the URL you copied from vRealize Network Insight login screen.

How to delete locker password entries in vRealize Suite Lifecycle Manager

In vRealize Lifecycle Manager 8.0 VMware introduced “Locker” this is where you store certificates, licenses and passwords. If you for some reason add a password that is wrong or you want to delete an old one you are in trouble. There is no way to delete entries through GUI or CLI. But you can do it through the API!

Here is how

First you might need to install a software to do the API calls. I used Postman and you can download it here.

When you have installed or if you already have postman, you need to do the following

Authenticate

First you need to insert your credentials in the Authorization tab inside postman and send this POST command. Remember to insert your vRSLCM FQDN address.

POST 
https://vrslcm.your.fqdn/lcm/authzn/api/login

If login is successful you will get “Login Successfully” in return.

In versjon 8.0.1 of vrslcm and you also need to copy the Authorization Key Value found under Headers and Temporary Headers in postman.

Example: YWRtaW5AbG9jYWw6Vk13YXJlMTIzIQ
GET the list of all entries
GET 
https://vrslcm.your.fqdn/lcm/locker/api/passwords/

The GET command will give you a list of all the passwords and they’re vmid. Copy the vmid that you want to delete and use it instead of “vmid” below when you send DELETE command.

Update:
It appears that in version 8.0.1 this command is no longer possible.

Only for Pre 8.0.1 versions

DELETE the entries
DELETE http://vrslcm.your.fqdn:8080/lcm/locker/api/passwords/vmid

Run the GET command again to see that the password has been removed or refresh the locker page in the GUI of vRSLCM.

For 8.0.1 and possible later versions

Delete the entries

Login with root user to your vRSLCM appliance through SSH. and run the following command.
Remember to replace the IDs in bold with your own. First ID with the vmid from the GET passwords command. And the last ID with the Authorization KEY Value.

curl -X DELETE 'http://localhost:8080/lcm/locker/api/passwords/5581b687-a26c-4495-a8ed-11486c79fd81' -H 'Accept: application/json' -H 'Content-Type: application/json' -H 'Authorization: Basic YWRtaW5AbG9jYWw6Vk13YXJlMTIzIQ ' -k

How to re-establish trust between vRealize Suite Lifecycle Manager and VMware Identity Manager after replacing self-signed certificate

Im currently working on a deployment of vRealize Suite Lifecycle Manager 8.0 It was deployed using Easy Installer method. And it has given me a few headaches to be honest. Here is the recipe on how to solve one of those issues.

Replace self-signed certificate

In vRSLCM you can easily replace the self-signed certificate on the vIDM appliance if you have previously imported it into the locker. Just go through the “Replace Certificate” prosess and do the included precheck.

Replace Certificate precheck
vIDM Replace Certificate precheck
LCMCOMMON30007

You will probably get the same warning as I did. If you click finish it will replace the certificate and everything looks fine until you try “Trigger Inventory Sync” from vRSLCM. It will fail with the following error:

Error message

com.vmware.vrealize.lcm.util.exception.SshAuthenticationFailureException: Cannot execute ssh commands. Please verify the ssh login credentials 
at com.vmware.vrealize.lcm.util.SshUtils.execute(SshUtils.java:393)
at com.vmware.vrealize.lcm.util.SshUtils.runCommand(SshUtils.java:307)
at com.vmware.vrealize.lcm.util.SshUtils.runCommand(SshUtils.java:290)
at com.vmware.vrealize.lcm.util.SshUtils.runCommand(SshUtils.java:333)
at com.vmware.vrealize.lcm.drivers.commonplugin.task.VerifySshConnectionTask.CheckForSshConnection(VerifySshConnectionTask.java:165)               
at com.vmware.vrealize.lcm.drivers.commonplugin.task.VerifySshConnectionTask.execute(VerifySshConnectionTask.java:125)               
at com.vmware.vrealize.lcm.drivers.commonplugin.task.VerifySshConnectionTask.retry(VerifySshConnectionTask.java:282)               
at com.vmware.vrealize.lcm.automata.core.TaskThread.run(TaskThread.java:43)           
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)    
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.RuntimeException: Cannot create session for ssh://root@xx.xx.xx.xx
at com.vmware.vrealize.lcm.util.SessionHolder.newSession(SessionHolder.java:57)       
at com.vmware.vrealize.lcm.util.SessionHolder.<init>(SessionHolder.java:37)        
at com.vmware.vrealize.lcm.util.SshUtils.execute(SshUtils.java:346)      
… 10 more
Caused by: com.jcraft.jsch.JSchException: Auth fail at com.jcraft.jsch.Session.connect(Session.java:519)    
at com.vmware.vrealize.lcm.util.SessionHolder.newSession(SessionHolder.java:53)       
… 12 more

How to fix the issue

1. SSH to vIDM and log in as sshuser. Run the following command to become the root user.
su root
2. Edit the file /etc/ssh/sshd_config and change the value of PermitRootLogin to yes
PermitRootLogin yes
3. Run the following command to restart the sshd service.
service sshd restart

“Trigger Inventory Sync” and it will complete successfully