vToolbelt – July 2022

Hot Topics

  • vSphere 6.5 and 6.7 are heading into End of General Support in just a few months – October 15th, 2022.  If your environment is still running these versions – now is the time to plan your upgrade.  Check out this Upgrade Planning Guide to help you get started.

Upcoming Events


VMware Explore
August 29 – September 1, 2022
In-Person at the Moscone Center
San Francisco, California

Same event – new name!  VMworld has become VMware Explore!

Check out the Content Catalog to start planning your sessions!

Important Date

  • July 19th – Breakout Session scheduling begins

Learn more and Register


Product Support Watch

The following products are nearing the End of General Support.  You can find the full list on the VMware Lifecycle Product Matrix.

vSphere – vCenter and ESXi

  • 6.5 – 10/15/22
  • 6.7 – 10/15/22

vSAN

  • 6.5, 6.6, 6.7 – 10/15/22

NSX 

  • NSX-V (all versions) – General Support ended January 16, 2022 – Customers should migrate to NSX-T

Continue reading “vToolbelt – July 2022”

DRS in Maintenance Mode feature not supported by license

I was helping a customer with a question they ran into after upgrading from vSphere 6.7 to 7.0 U3.  Their VMware vSphere environment upgrade was complete. They had just upgraded their licenses in the VMware Customer Connect portal.  When they applied these license keys to their vSphere hosts, they received a warning that the DRS in Maintenance Mode feature was not supported with their vSphere Enterprise Plus license.

This made me dig into my memory banks a bit and I wanted to document it so I would remember.  Maybe it will help a few others along the way…

vSphere License Keys and Upgrades

vSphere upgrades from 6.5 to 6.7 or 7.0 to 7.0 U3 are considered “point upgrades” and do not require license key upgrades.

Major upgrades (from 6.x to 7.x) do require license key upgrades.

Major Upgrades and VMware Licenses

When you perform a major upgrade in vSphere, the installer triggers a short Evaluation mode that gives customers time to log in to the Customer Connect portal and update license keys.

These Evaluation mode licenses include every feature available.  When a new license key is applied and it does not cover some of those features, a prompt appears informing customers of any features that will not be available once the new license key is applied.

DRS in Maintenance Mode

DRS in Maintenance Mode refers to a feature released in vSphere 6.7 U2 for the ROBO Enterprise edition of vSphere.  This feature:

  • Automatically migrates VMs to other hosts when a host enters maintenance mode
  • Creates VM-Host affinity rules.  These rules are used to automatically move the VMs back to the original host when it exits maintenance mode

vSphere Enterprise Plus licenses include the DRS and Maintenance mode capabilities.  DRS in Maintenance Mode is a separate feature entirely and this prompt can be safely ignored.

 

vToolbelt – May 2022

Hot Topics

  • vSphere 6.5 and 6.7 are heading into End of General Support in just a few months – October 15th, 2022.  If your environment is still running these versions – now is the time to plan your upgrade.  Check out this Upgrade Planning Guide to help you get started.
  • VMware Explore (VMworld renamed) is now open for registration.  Learn more and Register

Upcoming Events


May VMware TAM Customer Webinar – Project Ensemble
Date: Thursday,  May 12, 2022
Time: 11am EST

Project Ensemble, announced at VMworld in 2021, will seek to unify and simplify cloud management services and data into a common data model and add intelligent and actionable business insights focused on application centric views and customized for personas who support those applications. In this webinar you will get an overview of the platform with live demonstrations of the UI and API.
Guest speaker:
John Dias – Senior Staff Technical Marketing Architect

Register

Missed a recent TAM Webinar?  You can view the last 3 webinars in the archive


Indianapolis VMUG UserCon
June 29th, 2022

The Indianapolis VMUG/UserCon is one of the largest VMware events outside of VMworld/VMware Explore. For 2022 – this event is back live and in-person!  For those in the western half of Ohio – or anyone looking to get to a live event  – make sure you check this out!

Learn more and Register


Continue reading “vToolbelt – May 2022”

Support ending for vSphere 6.5 and 6.7 in Six Months

It may be hard to read, but the end of the road is coming for vSphere 6.5 and 6.7 in terms of General Support. These versions were released in 2016 and 2018.  vSphere 6.5 and 6.7 will run into End of General Support on 10/15/2022.  You can search for end of support dates for any VMware product on the VMware Product Lifecycle Matrix.

What does this mean?

vSphere is a term that generally refers to the combination of vCenter Server and the ESXi Hypervisor.  After 10/15/22, these products will transition from General Support to Technical Guidance.  In this state, support for VMware products centers around web-only support that focuses on providing links to known workarounds for less critical issues.  Phone and Zoom-based support are not available.  For more information, refer to the VMware Product Lifecycle Policies.

If you haven’t already started planning the upgrade of your environment – now is the time to do so.  Continue reading for a few helpful tips!

Continue reading “Support ending for vSphere 6.5 and 6.7 in Six Months”

vToolbelt – April 2020

Spring weather greetings from Ohio!   Anyone who lives in a climate that shifts significantly in seasons will relate – we have had 70 degree days and snow in the same week!

A lot of our schools are on spring break so the news this month is light.

Product Support Watch

The following products are nearing the End of General Support.  You can find the full list on the VMware Lifecycle Product Matrix.

  • Dynamic Environment Manager 10/2006 – 8/11/22
  • App Volumes 4 – 7/9/22
  • App Volumes 2.18 – 9/16/22
  • Identity Manager 3.3.3 – 5/11/22
  • Identity Manager 3.3.4 – 8/4/22
  • Workspace ONE UEM Console 2010 (SaaS Only) – 4/14/22
  • Workspace ONE UEM Console 2011 – 7/15/22
  • Workspace ONE Access 20.10 – 5/2/22
  • Workspace ONE UEM Console 2101 (SaaS Only) – 7/22/22
  • vRealize Automation 7.6 – 9/1/22
  • vRealize Orchestrator 7.6 – 9/1/22
  • vRealize Operations 8.1.1 – 7/9/22

 


Notes from the Field

If you are looking to get started with NSX – Check out the NSX-T Easy Adoption Guide.

Continue reading “vToolbelt – April 2020”

vToolbelt – March 2022

Welcome to March everyone!  For those of us in the mid-western US, this is the moment we start looking forward to nice weather!  It’s also a time when all VMware products have LOG4J patches available.  VMworld’s call for papers will be coming soon and there is generally a need and a feeling for a fresh start!

Hot topics

Product Support Watch

The following products are nearing the End of General Support.  You can find the full list on the VMware Lifecycle Product Matrix.

Horizon View / Workspace ONE

  • Dynamic Environment Manager 9.9 – 3/17/22
  • Dynamic Environment Manager 9.11 – 3/17/22
  • Dynamic Environment Manager 10/2006 – 8/11/22
  • App Volumes 4 – 7/9/22
  • Horizon 7.10 ESB – 3/17/22
  • Identity Manager 3.3.3 – 5/11/22
  • Identity Manager 3.3.4 – 8/4/22
  • Workspace ONE UEM Console 2008 – 3/15/22
  • Workspace ONE UEM Console 2010 (SaaS Only) – 4/14/22
  • Workspace ONE UEM Console 2011 – 7/15/22
  • Workspace ONE Access 20.10 – 5/2/22
  • vRealize Automation 7.6 – 9/1/22
  • vRealize Operations 8.1.1 – 7/9/22

 


Notes from the Field

The VMware Communities forum has been redesigned to provide a better experience – check it out today at communities.vmware.com.

New version of RVTools is available – If you have never used this free tool, you should check it out.  It can be used to gather a quick inventory of your environment with some very good detail.  It also provides a quick health check tab that calls out information about long-running snapshots and VMs that were removed from inventory but not from disk.  The 20 minutes it would take for you to use this tool (from download to run to review) could save you quite a bit of time and help tidy up your environment.

Continue reading “vToolbelt – March 2022”

Using OpenSSL to create certificate signing request with Subject Alternative Names

Now that I had replaced the self-signed certificates in my vSphere environment, I started to wonder what other parts of my homelab could use the same treatment. While I worked on this, I learned how to use OpenSSL to generate a certificate signing request with Subject Alternative Names – and solved a problem.  Read on for the details!

Like most homelabs, I had a number of applications and devices:

  • vSphere
  • VMware Skyline
  • vRealize Suite
  • Synology NAS
  • Ubiquiti Manager
  • Webmin

The vSphere environment was already done.  I was able to figure out the vRealize Suite fairly easily.  Next up was one of the NAS devices I had, and this is where I ran into trouble.  I was able to use the tools built into the Synology to generate a CSR and request a certificate from the Microsoft CA I had set up. The new certificate seemed to install fine, but the site was still showing as not trusted in my browser.  I kept seeing the error NET::ERR_CERT_COMMON_NAME_INVALID – even though the certificate was showing up as valid.

Continue reading “Using OpenSSL to create certificate signing request with Subject Alternative Names”

Setup vCenter as Subordinate CA and Replace Host Certificates

Updated – 3/23/22:   Added some notes regarding Certificate Chain Ordering after working with a customer using a certificate exported directly from the Microsoft Certificate Management Console.

I was trying to replace the self-signed certificates in my vSphere environment – for both the vCenter Server Appliance and the ESXi hosts.  The VCSA includes a Certificate Authority (VMCA) to help automate this process for larger VMware environments.

I had trouble getting it to work until I found Adrian Costea’s writings on the topic.  His blog helped clarify the process of configuring the VCSA as a subordinate CA.  Through a bit of trial and error, I was able to learn how to get vCenter to replace the certificates on ESX hosts using the newly configured CA in vCenter.

Notes: 

The steps listed here were performed against the VCSA using  vCenter Server 6.7 U3 with an Embedded PSC.  It was also tested against vCenter 7.0 U3.

There are security considerations for this approach.  This method will turn the Certificate Authority in vCenter (VMCA) into a Subordinate CA based on your Enterprise CA.   This is useful; but does come with risk.

Benefits

  • vCenter will have certificates based on your Enterprise Certificate Authority.  No more Untrusted Certificate warnings.  No more typing “this is unsafe”  #IYKYK
  • All hosts in your vCenter(s) will have the trusted certificates – managed automatically

Risks

  • Your vCenter will contain a special type of certificate which is authorized to issue certificates that are trusted by your Enterprise.  This could enable a bad actor or rogue employee to potentially issue certificates with that trust – possibly for nefarious purposes.

For most production environments this risk outweighs the benefit.  

Hybrid vSphere SSL Certificate Replacement is an option that provides trust that access to vCenter is secure without the Subordinate CA Risk.  This is the method recommended by VMware for use in Production environments.  Access to vCenter would be covered by the trusted certificate deployed using the Hybrid method.  vCenter is where admins should be spending 99% of their time.   Your ESX hosts would have a self-signed certificate issued by vCenter.   If you like, you can import that root certificate into your administrative computers which can help identify any certs that have been altered.  Check out KB 2108294 for steps.

For my purposes (homelab) – the risk and potential impact are small.   You should review both options and choose what is most appropriate in light of the security policies in your organization.

Before you begin

It’s always a good idea to take a snapshot of vCenter before making significant changes like this.  Make sure you are taking a snapshot of vCenter the right way.  While you are at it – take a few moments and configure your vCenter Server Backup.

Continue reading “Setup vCenter as Subordinate CA and Replace Host Certificates”

VMware Horizon LOG4J Remediation – did you apply the right patch?

I have heard some confusion from customers about the proper way to remediate Horizon environments for LOG4J.  I wanted to review the highlights for you.

If you operate a VMware Horizon environment please take a moment and review the following notes:

  • Verify your installed Horizon releases are from December 19th – The Apache Software Foundation released updated guidance after VMware initially published a release for Horizon on December 16th.  The new guidance required updates which were made available on December 19th.
  • Verify you have updated all affected Horizon components – The components affected will vary based on the version you are running (as not all versions used the LOG4J component).  Affected components can include:
    • Connection Server / Security Server
    • HTML Access
    • Universal Access Gateway
    • Horizon Agents for Windows and Linux
    • Cloud Connector
    • vRealize Operations for Horizon Desktop Agent

All of this information is covered in detail by KB 87073.

For links to guidance on all VMware products affected by LOG4J – please refer to the VMware Security Advisory – VMSA-2021-0028.

vToolbelt – February 2022

Hot topics

Product Support Watch

The following products are nearing the End of General Support.  You can find the full list on the VMware Lifecycle Product Matrix.

Horizon View / Workspace ONE

  • Dynamic Environment Manager 9.9 – 3/17/22
  • Dynamic Environment Manager 9.11 – 3/17/22
  • App Volumes 4 – 7/9/22
  • Horizon 7.10 ESB – 3/17/22
  • Identity Manager 3.3.3 – 5/11/22
  • Workspace ONE UEM Console 2008 – 3/15/22
  • Workspace ONE UEM Console 2010 (SaaS Only) – 4/14/22

Continue reading “vToolbelt – February 2022”