VMware Archives - VIRTUALIZATION IS LIFE!

Category Archives: VMware

Veeam on the VMware Cloud Marketplace Protecting VMware Cloud on AWS Workloads

Posted on 09/10/2018 by Anthony Spiteri Leave a comment

At VMworld 2018, myself and Michael Cade gave a session on automating and orchestrating Veeam on VMware Cloud on AWS. The premise of the session was to showcase the art of the possible with Veeam and VMware that resulted in a fully deployed and configured Veeam platform. We chose VMware Cloud on AWS for the demo to showcase the power of the Software Defined Datacenter with Veeam, however our solution can be deployed onto any vSphere platform.

Why Veeam with VMware Cloud on AWS:

I’ve have spent a lot of time over the past couple of months looking into VMware Cloud on AWS and working out just where Veeam fits in terms of a backup and recovery solution for it. I’ve also spent time talking to VMware sales people as well as solution providers looking to wrap managed services around VMC and the question of data protection is often raised as a key concern. There is a good article here that talks about the need for backup and how application HA or stretched clustering is not a suitable alternative.

Without prejudice, I truly believe that Veeam is the best solution for the backup and recovery of workloads hosted on VMware Cloud on AWS SDDCs. Not only do we offer a solution that’s 100% software defines it’s self, but we can extend protection of all workloads from on-premises, through to the SDDC and also natively in AWS covering both backup, replication as well as offering the ability to use Cloud Connect to backup out to a Veeam Cloud and Service Provider. I’ll go into this in greater detail in a future post.

Veeam on the VMware Cloud on AWS Marketplace:

At the same time as our session on the Monday there was another session that introduced the VMware Cloud Marketplace that was announced in Technical Preview. As part of that launch, Veeam was announced as an initial software partner. This allows for the automated deployment and configuration of a Veeam Backup & Replication instance directly into a deployed SDDC and also configures an AWS EC2 EBS backed instance to be used as a Veeam Repository.

The VMware Cloud Marketplace will offer the ability to browse and filter validated third-party products and solutions, view technical and operational details, facilitate Bring Your Own License (BYOL) deployments, support commercial transactions, and deliver unified invoices. We plan to open Cloud Marketplace to a limited Beta audience following VMworld and are working on additional features and capabilities for future releases. We envision the Cloud Marketplace will quickly expand, introducing new third-party vendors and products over time and becoming the de-facto source for customers to extend the capabilities of VMware Cloud on AWS and VMware Cloud Provider Partner environments.

Compared to what Michael and I showcased in our session, this is a more targeted vanilla deployment of Veeam Backup & Replication 9.5 with Update 3a into the SDDC. At the end of the process, you will be able to access the Veeam Console, have it connected to the VMC vSphere endpoint and have the EC2 Veeam repository added.

This is done via CloudFormation templates and a little bit of PowerShell embedded into the Windows Image.

Being embedded directly into the VMware Cloud Marketplace is advantageous for customers looking to get started quick with their data protection for workloads running on VMware Cloud o AWs. Look out for more collateral from myself, Veeam and VMware on protecting VMC with Veeam as well as a deeper look at our VMworld session which digs into the automation and orchestration of Veeam on VMware Cloud on AWS using Chef, Terraform, PowerShell and PowerCLI.

References:

Introducing VMware Cloud Marketplace

https://cloud.vmware.com/cloud-marketplace

https://marketplace.vmware.com/vsx/solutions/veeam-availability-suite-for-vmware-cloud-on-aws-9-5?ref=search#summary

VMworld 2018 Recap Part 2 – Community and Veeam Recap

Posted on 09/05/2018 by Anthony Spiteri Leave a comment

VMworld 2018 has come and gone and after a couple of days recovery from the week that was, i’ve had time to reflect on what was a great week and an another great VMworld in Las Vegas. For me, the dynamic of what it is to be at a VMworld has changed. The week is not just about the event, the announcements or the sessions…but more about what myself and my team are able to achieve. While we are participants of VMworld we are also working and need to be adding value on all fronts.

This year I left Las Vegas with a sense of achievement and the belief that the week was extremely successful both personally and from a Veeam Product Strategy point of view. In this post (which is Part 2 of my VMworld 2018 recap) I am going to go over what went down with the VMware community during the event and close off with a quick Veeam roundup.

Community:

I felt like the community spirit was in full effect again at VMworld. Between all the sessions, parties and events my overall feeling was that there was a lot of community activity going on. Twitter it’s self came to life and everyones timelines where filling up with #VMworld media. The grass roots community still fuels a lot of VMware’s success and you can’t underestimate the value of influence and advocacy at this level. Certainly, Veeam and other vendors understand this and cater to supporting community events while looking after members with vendor branded swag.

One important thing I would like to highlight is the power of the local community and how something small can turn into something huge. My good friend from Australia, Tim Carman had an idea last year to create an As Built PowerShell Documentation script. He first presented it at his local VMUG…then a few months later he presented it at the Melbourne VMUG UserCon and last week, he presented it with Matt Allford in front of 500 plus people at VMworld. Not only that, but the session was voted into the daily top ten and is currently the second most downloaded via the online session download page!

Just posted some stats on the Top 20 #VMworld Session by Views (so far) @ https://t.co/6pGRD1CdET

Nice job @tpcarman & @mattallford for being #2 I’m a bit skeptical of #1 but who knows, maybe 2018 is the #YearOfVDI pic.twitter.com/TebWaT63Ci

— William Lam (@lamw) September 4, 2018

Hackathon:

Another amazing thing that happened at VMworld was the team that I was lucky enough to be a member of took out the Hackathon. Aussie vMafia 2.0, lead by Mark Ukotic took out the main prize on the back of an idea to put a #PowerShell terminal in the #vSphere (H5) Client and running #PowerCLI commands. Again, what I was most pleased about with Mark, Tim and Matt’s success was exposure from the sessions and Hackathon win. They are great guys and well deserving of it. It goes down as one of my best VMworld highlights of all time!

The #vMafia Aussie crew speaking to the @virtspeaking podcast today about their hackathon win at this years #VMworld @tpcarman I hear was the brains behind it. pic.twitter.com/OBVT6tDcET

— Michael Cade (@MichaelCade1) August 29, 2018

Veeam Highlights and Sessions:

Finally to wrap things up, it was a great VMworld for Veeam. I spoke to a lot of customers and partners and it’s clear that our Availability Platform that’s driven through our strong ecosystem alliances is still very much resonating and seen to be leading the industry. Being hardware agnostic and software only carries massive weight and it was pleasing to have that validated by talking to customer and partners during the course of the event.

In terms of our sessions, we had two different breakouts. One covering some of the brilliant new features in Update 4 of Backup & Replication 9.5 presented by Danny Allan and Rick Vanover.

What’s new in Veeam Availability Suite 9.5 Update 4 (VIN3703BUS)

And myself and Michael Cade presented on automation and orchestration of Veeam on VMware Cloud on AWS. Michael talks about the session here, but in a nutshell we came up with a workflow that orchestrates the deployment of a Veeam Backup & Replication Server with Proxies onto a vSphere environment (VMC used in this case to highlight the power of the SDDC) and then deploys and configures a Veeam Linux Repository in AWS, hooks that into a VeeamPN extended network and then configures the Veeam Server ready to backup VMs.

Veeam and VMware – Intelligent Data Management for the Hybrid World (HYP3704BUS)

Finally…it wouldn’t be VMworld without a Veeam party, and this year didn’t fail to live up to expectation. Held at the Omnia nightclub on Tuesday night it was well received and we managed to fill the club without the need to pull in a headline act. And as I tweeted out…

We do not need a headline!!! WE ARE THE HEADLINE!!! @Veeam #VMworld pic.twitter.com/2naGJoEiU4

— Anthony Spiteri (@anthonyspiteri) August 29, 2018

Wrap Up:

Overall, VMworld ticked a lot of boxes and was well received by everyone that I came across. IT’s been a good run of three VMworld’s in a row in Vegas, however it’s time to move back to where it all started for me in 2012 in San Fransisco. It’s going to be interesting going back to the Mascone Center and a city that hasn’t got the best reputation at the present moment due to social issues and the cost of accomodation is astronomical compared to Vegas. However, location is one thing…it’s what VMware and it’s ecosystem partners bring to the event. This year it worked! Hopefully next year will be just as successful.

VMworld 2018 Recap Part 1 – Major Announcement Breakdown!

Posted on 09/04/2018 by Anthony Spiteri Leave a comment

VMworld 2018 has come and gone and after a couple of days recovery from the week that was, i’ve had time to reflect on what was a great week and an another great VMworld in Las Vegas. In this post I wanted to break down what I saw as the major announcements at the 2018 event and highlight some of the cool stuff VMware is bringing out for their customers, partners and technology partners.

VMware have kept up the momentum from last years VMworld and have continued on their pivot from a hyper-visor company to one that truly spans a multi-platform ecosystem of partners and other technologies. This post again is all about VMware at VMworld…i’ll focus on the Veeam happenings and my community experiences at VMworld in part 2.

VMware Cloud on AWS:

I’m a believer! I am personally excited with what VMware have delivered here. The focus of my session on Automating and Orchestrating Veeam was around VMware Cloud on AWS (VMC) utilising a Single Node SDDC for our live demo. Having presented at VeeamON with Emad Younis on VMC and Veeam I have since had my head deeply in the offering. VMware seem to be addressing the pricing concerns myself and others have and are now allowing smaller host deployments (from three to two later down the track) along with more flexible licensing.

The M5 release will feature NSX-T which offers a lot more hard core networking capabilities which will directly connect to AWS Direct Connect. The announcement of high-capacity storage option built into the vSAN cluster using Amazon EBS is an interesting one and an example of the mushing together of VMware and AWS technologies.

With all that said, I’m still not sure where this offering sits when compared to VCPP hosted IaaS and how it has the potential to impact that side of VMware’s business. That maybe a topic for a dedicated blog post…but not now.

Amazon Relational Database Service (RDS) on VMware:

This came as a surprise, but is in itself an interesting announcement. Having the ability to run RDS on-premises with the ability to migrate/move the workloads to and from AWS opens up a number of possabilities. With support Microsoft SQL Server, Oracle, PostgreSQL, MySQL, and MariaDB databases it’s covering a lot of existing use cases. No doubt this is a mechanism for complete cloud transition, but the choice to run this on-premises or in a hybrid setup is genius.

vCloud Provider Announcements:

Having been on the beta program for the next version of vCloud Director I knew what was coming, but I didn’t think it would be announced at VMworld. Suffice to say the next version of vCD will be another significant one. Version 9.5 continues to build on the momentum of the 9.x releases and continues to enhance the platform as the flagship Cloud Management Platform for Service Providers.

New innovations include cross-site networking improvements powered by deeper integration with NSX and Initial integration with NSX-T. A full transition to an HTML5 UI for the cloud tenant with improvements to role-based access control. There is also going to be a virtual appliance option. I’m looking forward to this dropping later in the year and continuing to #LongLivevCD!

One thing to touch on as well is the native integrated data protection capabilities using Avamar. This is directly integrated into the vCD HTML5 UI via the extensibility plugin. I’ve had a lot of requests from service providers who use Veeam as their trusted availability platform for vCD if we will release similar functionality. At this stage, we can’t make any promises but it’s something getting face time at the top levels of our R&D and Product Management and Strategy teams.

There was also a new VMware Cloud Foundation version announced. Details here.

vSphere and vSAN:

vSAN continues to evolve and improve and there is also a lot to look forward to in the vSphere 6.7 Update 1. There is a new quickstart wizard that walks you through the setup of a cluster that includes a number of tasks that where previously not hard to install…but not as well thought out in terms of ease of use. Operationally, dealing with vSAN Firmware and driver updates has always been painful, but again this update looks to streamline that process by moving the functionality into the HTML5 vSphere Update Manager.

There has also been enhancements to maintenance mode activities, improved health checking and diagnostics as well as TRIM/UNMAP support that uses less storage through the process of automatic space reclamation. This can automatically reclaim capacity that is no longer used, reduces the capacity needed for workloads without administrator interaction.

In terms of vSphere, all administrative functions have been completed for the vSphere Client so in theory there should be no more switching between the old Flex and HTML5 clients. vSphere Platinum is a new edition of vSphere that combines vSphere Enterprise Plus along with AppDefense which is their SaaS based security product built to alert and remediate against anything that looks out of the norm. It seems like most vendors are releasing SaaS based offerings with Machine Learning behind them in this space as security tools…I do wonder if the market is flooded?

Other Notables:

Project Dimension looked interesting, but as with any VMware project I tend to wait for more concrete announcements closer to release. And it seems as though Edge computing is here to stay as a term. Remote offices are now the Edge!

Project Dimension will extend VMware Cloud to deliver SDDC infrastructure and hardware as-a-service to on-premises locations. Because this is will be a service, it means that VMware can take care of managing the infrastructure, troubleshooting issues, and performing patching and maintenance. This in turn means customers can focus on differentiating their business building innovative applications rather than spending time on day-to-day infrastructure management.

Speaking of the Edge, I did like the sound of the announcement around ESXi on 64bit ARM. VMware demonstrated ESXi on 64bit ARM running on a windmill farm at the Edge. VMware sees an opportunity to work with selected embedded OEMs to scope and explore opportunities for focused, ARM-enabled offering at the edge. This is the current 64bit ARM CPU architecture used on Apple TV 4 so we could have ESXi on AppleTVs in the near future!

References:

https://ir.vmware.com/overview/press-releases/press-release-details/2018/AWS-and-VMware-Announce-Amazon-Relational-Database-Service-on-VMware/default.aspx

https://blogs.vmware.com/virtualblocks/2018/08/27/whats-new-in-vsan-6-7-update-1/

https://blogs.vmware.com/vcloud/2018/08/vmware-vcloud-director-9-5.html

https://ir.vmware.com/overview/press-releases/press-release-details/2018/VMware-Previews-Technology-Innovations-at-VMworld-2018/default.aspx

http://vmblog.com/archive/2018/08/27/aws-and-vmware-announce-amazon-relational-database-service-on-vmware.aspx

Released – NSX-v 6.4.2 – What’s in it for Service Providers (Networking Enhancements)

Posted on 09/03/2018 by Anthony Spiteri Leave a comment

The week before VMworld, VMware released version 6.4.2 (Build 9643711) of NSX-v. There is a lot of enhancements that Service Providers can take advantage of in this release. The focus seems to be on edge and distributed network services which translates to more power for service providers to create features upon while also meaning they can take advantage of the same enhancements to improve performance and efficiencies within their our virtualised network.

In terms of interoperability, for the moment the latest vSphere 6.7 and 6.5 U2 releases are supported, however vCloud Director is not support at all. Interestingly, only 6.4.0 is supported through the main vCloud Director installs presently installed on service provider platforms.

Networking and Edge Services:

Multicast Support: Adds ability to configure L3 IPv4 multicast on Distributed Logical Router and Edge Service Gateway through support of IGMPv2 and PIM Sparse Mode
Default Limit of MAC identifiers: Increases from 2048 to 4096
Hardware VTEP: Added multi PTEP cluster capability to facilitate environments with multiple vCenters

Security Services:

Context-Aware Firewall: Additional Layer 7 Application Context Support (EPIC, MSSQL, BLAST AppIDs)
Firewall Rule Hit Count: Monitor rule usage and easily identify unused rules for clean-up
Firewall Section Locking: Enables multiple security administrators to work concurrently on the firewall
NSX Application Rule Manager: Improved scale to 100 vNICs per session, further simplifying the process of creating security groups and whitelisting firewall rules for existing applications.

Operations and Troubleshooting:

Authentication & Authorization: Introduces 2 new roles (Network Engineer and Security Engineer). Adds ability to enable/disable basic authentication.
NSX Scale Dashboard: Provides visibility into 25 new metrics. Adds ability to edit usage warning thresholds and filter for objects exceeding limits.
NSX Controller Cluster Settings: Specify common settings (DNS, NTP, Syslog) to apply to NSX Controller Cluster
Support for VM Hardware version 11 for NSX components: For new installs of NSX 6.4.2, NSX appliances (Manager, Controller, Edge, Guest Introspection) are installed with VM HW version 11.

Also as promised, the improvements to the HTML5 NSX user interface continues. TraceFlow, User Domains, Audit Logs, Events & Tasks have been added to the HTML5 vSphere Client. The other pleasing thing to see is that comparatively speaking the number of resolved issues is much lower than previous releases. This points to the 6.4.x code being a lot more stable and bug free than previous iterations…which is pleasing to see.

There are some changes to consider as well in the 6.4.2 release. Starting with version 6.4.2, when you install NSX on hosts that have physical NICs with ixgbe drivers, Receive Side Scaling (RSS) is not enabled on the ixgbe drivers by default. You must enable RSS manually on the hosts before installing NSX. There is also a change to the API call to set Syslog against the controller. That said, it’s still worth looking through the Known Issues section in the release notes.

Those with the correct entitlements can download NSX-v 6.4.2 here.

References:

https://docs.vmware.com/en/VMware-NSX-for-vSphere/6.4/rn/releasenotes_nsx_vsphere_642.html

NSX
VMware

Released – Runecast Analyser 2.0

Posted on 08/23/2018 by Anthony Spiteri Leave a comment

Earlier this week, Runecast released into General Availability version 2.0 of their vSphere analyser platform. I’ve been a keen follower of the progress of Runecast since their inception a couple of years ago. There was a space in the market to be filled and they have been able to improve in the initial release by releasing new functionality often. It wasn’t that long ago that they added vSAN support…and more recently NSX support.

This release brings the following new functionalities:

Ability to store and display all detected and resolved issues over time for every connected vCenter.
The completely new monitoring dashboard with The Most Affected hosts and trending.
Automation of PCI-DSS VMware rules and new PCI-DSS profile UI
Support for vSphere 6.7 HTML5 plugin
Usability, performance and security improvements for increased ease of use.
Latest VMware Knowledge Base updates.

First thing to notice in the new release is the new Dashboard that has been improved and for mine is now more logically laid out. But for me the biggest feature added in this release is the enhancement to Historical Trending and a new analysis function. As someone who spent a time managing and operating vSphere platforms over the years, the ability to see trends is crucial in troubleshooting.

Historical Analysis is new in version 2.0 and aims to help isolate the root cause of a reported incident as fast as possible and detect new problems caused by product update or configuration changes. 2.0 will store at least 3 months worth of vCenter, vSAN and NSX-V scan results, including issue description. This provides trending information on the dashboard.

The introduction of PCI-DSS checks is something that will assist in compliancy situations. As someone who has had the pain of going through compliancy, any tool that makes the process easier is welcomed.

Im looking forward to meeting up with the guys at VMworld 2018 in Las Vegas next week and I would recommend and vSphere admin to take a look at Runecast!
You can download Runecase 2.0 from here and take it for a spin: https://runecast.biz/profile

Veeam @VMworld 2018 Edition…

Posted on 08/20/2018 by Anthony Spiteri

VMworld 2018 is less than a week away, and I can’t wait to fly into Las Vegas for my sixth VMworld and second with Veeam. It’s been an interesting year or so since the last VMworld and the industry has shifted a little when it comes to the backup and recovery market. Data management is the new buzz and lots of vendors (us included) have jumped onto the messaging around data growing at more than exponential rates…sprawling to more platforms than ever before and finally…being more critical than ever. The criticality and power of data is real and VMware still have a lot to say about where an how that data is processed and stored!

VMworld is still a destination event and Veeam recognises VMware’s continued influence in the IT industry by going all in at VMworld 2018. The ecosystem that VMware has built over the past ten to fifteen years is emense and though challenged a few years ago, came back with a bang in 2017. I’m looking forward to seeing VMware’s continues evolution at this years event! Like VMware,

Veeam is evolving as well, and we are building out own own strong ecosystem based on a software first, hardware agnostic platform that results in the greatest flexibility in the backup and recovery market. We continue to support VMware as our number 1 technology partner and this year we look to build on that with support for VMware Cloud on AWS and enhanced VMware features sets built into our core Backup & Replication product as we look to release Update 4 of 9.5 later in the year.

Veeam Sessions @VMworld:

Officially we have two breakout sessions this year, with Danny Allan and Rick Vanover presenting a What’s New in Update 4 for Veeam Backup & Replication and Michael Cade and myself presenting a session on Automation and Orchestration of VMware and Veeam on VMware Cloud on AWS. There are also a couple of vBrownBag Tech Talks where Veeam features including talks from Michael Cade and Michael White while Dave Russell will be presenting a Partner Spotlight session.

https://my.vmworld.com/widget/vmware/vmworld18us/uscatalog?search=Veeam

Veeam @VMworld Solutions Exchange:

This year, as per usual we will have significant presence on the floor, with a Main Booth Area doing demo’s prize, giveaways, having an Experts Bar and acting as sponsor of the opening night hall crawl. We also have an in booth Theatre where I will be presenting on our new vCloud Director integration with Veeam Cloud Connect.

Veeam Community Support @VMworld:

Veeam still gets the community and has been a strong supporter historically of VMworld community based events. This year again, we have come to the party are have gone all-in in terms of being front and center in supporting community events. Special mention goes to Rick Vanover who leads the charge in making sure Veeam is doing what it can to help make these events possible:

Opening Acts
VMunderground
vBrownBag
Spousetivities
vRockstar Party
Vanguard Takeover

Party with Veeam @VMworld:

Finally, it wouldn’t be VMworld without attending Veeam’s seriously legendary party. This year we are looking to top last years event at Hakkasan nightclub by taking over one of the hottest club in Vegas… Omnia Nightclub! If it’s anything like the VeeamON 2015 Party that I attended it’s going to go off!! I know how hard it is to plan evening activities at VMworld and there is no doubt that there are a lot of decent competing parties on the Tuesday night…however whatever you do, you need to make sure that you at least stop by Caesars Casino and party in green. RSVP here.

https://www.eventbrite.com/e/veeams-legendary-vmworld-party-2018-tickets-45869296300

Final Word:

Again, this year’s VMworld is going to be huge and Veeam will be right there front and center of the awesomeness. Please stop by our sessions, visit our stand and attend our community sponsored events and feel free to chase me down for a chat…I’m always keen to meet other members of this great community. Oh, and don’t forget to get to the party!

Automating the Creation of AWS VPC and Subnets for VMware Cloud on AWS

Posted on 08/14/2018 by Anthony Spiteri

Yesterday I wrote about how to deploy a Single Host SDDC through the VMware Cloud on AWS web console. I mentioned some pre-requisites that where required in order for the deployment to be successful. Part of those is to setup an AWS VPC up with networking in place so that the VMC components can be deployed. While it’s not too hard a task to perform through the AWS console, in the spirit of the work I’m doing around automation I have gotten this done via a Terraform plan.

The max lifetime for a Single Instance deployment is 30 days from creation, but the reality is most people will/should be using this to test the waters and may only want to spin the SDDC up for a couple of hours a day, run some tests and then destroy it. That obviously has it’s disadvantages as well. The main one being that you have to start from scratch every time. Given the nature of the VMworld session around the automation and orchestration of Veeam and VMC, starting from scratch is not an issue however it was desirable to look for efficiencies during the re-deployment.

For those looking to save time and automate parts of the deployment beyond the AWS VPC, there are a number of PowerShell code example and modules available that along with the Terraform plan, reduce the time to get a new SDDC firing.

I’m using a combination of the above scripts to deploy a new SDDC once the AWS VPC has been created. The first one actually deploys the SDDC through PowerShell while the second one is a module that allows some interactivity via commandlets to do things such as export and import Firewall rules.

Using Terraform to Create AWS VPC for VMware Cloud on AWS:

The Terraform plan linked here on GitHub does a couple of things:

Creates a new VPC
Creates a VPC Network
Creates three VPC subnets across different Availability Zones
Associates the three VPN subnets to the main route table
Creates desired security group rules

https://github.com/anthonyspiteri/vmc_vpc_subnet_create

[Note] Even for the Single Instance Node SDDC it will take about 120 minutes to deploy…so that needs to be factored in in terms of the window to work on the instance.

Creating a Single Host SDDC for VMware Cloud on AWS

Posted on 08/13/2018 by Anthony Spiteri

While preparing for my VMworld session with Michael Cade on automating and orchestrating the deployment of Veeam into VMware Cloud on AWS, we have been testing against the Single Host SDDC that’s been made available for on demand POCs for those looking to test the waters on VMware Cloud on AWS. The great thing about using the Single Host SDDC is it’s obviously cheaper to run than the four node production version, but also that you can spin it up and destroy the instance as many times as you like.

Single Host SDDC is our low-cost gateway into the VMware Cloud on AWS hybrid cloud solution. Typically purchased as a 4-host service, it is the perfect way to test your first workload and leverage the additional capability and flexibility of VMware Cloud on AWS for 30 days. You can seamlessly scale-up to Production SDDC, a 4-host service, at any time during the 30-days and get even more from the world’s leading private cloud provider running on the most popular public cloud platform.

To get started with the Single Host SDDC, you need to head to this page and sign up…you will get an Activation email and from there be able to go through the account setup. This big thing to note at the moment is that a US Based Credit Card is required.

There are a few pre-requisites before getting an SDDC spun up…mainly around VPC networking within AWS. There is a brilliant blog post here, that describes the networking that needs to be considered before kicking off a fresh deployment. The offical help files are a little less clear on what needs to be put into place from an AWS VPC perspective, but in a nutshell you need:

An AWS Account
A fresh VPC with a VPC Networking configured
At least three VPC Subnets configured
A Management Subnet for the VMware Objects to sit on

Once this has been configured in the AWS Region the SDDC will be deployed into the process can be started. First step is to select a region (this is dictated by the choices made at account creation) and then select a deployment type followed by a name for the SDDC.

The next step is to link an existing AWS account. This is not required at the time of setup however it is required to get the most out of the solution. This will go off and launch an AWS CloudFormation template to connect the SDDC to the AWS account. It creates IAM role to allow communication between the SDDC and AWS.

[Note] I ran into an issue initially where the default location for the CloudFormation template to be run out of was not set to the region where the SDDC was to be deployed into. Make sure that when you click on the Launch button you take not the the AWS region and change where appropriate by change the URL to the correct region.

After a minute or so, the VMware Cloud on AWS Create an SDDC page will automatically refresh as shown below

The next step is to select the VPC and the VPC subnets for the raw SDDC components to be deployed into. I ran into a few gotcha’s on this initially and what you need to have configured is the subnets configured to size as listed in the user guides and the post I linked to that covers networking, but you also need to make sure you have at least three subnets configured across different AWS Availability zones within the region. This was not clear, but I was told by support that it was required.

If the AWS side of things is not configured correctly you will see this error.

What you should see…all things being equal is this.

Finally you need to set the Management Subnet which is used for the vCenter, Hosts, NSX Manager and other VMware components being deployed into the SDDC. There is a default, but it’s important to consider that this should not overlap with any existing networks that you may look to extend the SDDC into.

From here, the SDDC can be deployed by clicking on the Deploy SDDC button.

[Note] Even for the Single Instance Node SDDC it will take about 120 minutes to deploy and you can not cancel the process once it’s started.

Once completed we can click into the details of the SDDC, which allows you to see all the relevant information relating to it and also allows you to configure the networking.

Finally, to access the vCenter you need to configure a Firewall rule to allow web access through the management gateway.

Once completed you can login to the vCenter that’s hosted on the VMware Cloud on AWS instance and start to create VMs and have a play around with the environment.

There is a way to automate a lot of what i’ve stepped through above…for that, i’ll go through the tools in another blog post later this week.

References:

Selecting IP Subnets for your SDDC

Workaround – VCSA 6.7 Upgrade Fails with CURL Error: Couldn’t resolve host name

Posted on 07/10/2018 by Anthony Spiteri

It’s never an issue with DNS! Even when DNS looks right…it’s still DNS! I came across an issue today trying to upgrade a 6.5 VCSA to 6.7. The new VCSA appliance deployment was failing with an OVFTool error suggesting that DNS was incorrectly configured.

OVFTool[30736] [Originator@6876 sub=Default] Curl_perform error code 6 (Couldn't resolve host name)
OVFTool[14004] [Originator@6876 sub=Default] Closing image source and targets
OVFTool[14004] [Originator@6876 sub=Default] CURL error buffer: Could not resolve: tpm00-104.aperaturelabs.biz (Domain name not found)

OVFTool[30736] [Originator@6876 sub=Default] Curl_perform error code 6 (Couldn't resolve host name)

OVFTool[14004] [Originator@6876 sub=Default] Closing image source and targets

OVFTool[14004] [Originator@6876 sub=Default] CURL error buffer: Could not resolve: tpm00-104.aperaturelabs.biz (Domain name not found)

Initially I used the FQDN for source and target vCenter’s and let the installer choose the underlying host to deploy the new VCSA appliance to. Even though everything checked out fine in terms of DNS resolution across all systems I kept on getting the failure. I triple checked name resolution on the machine running the update, both vCenter’s and the target hosts. I even tried using IP addresses for the source and target vCenter but the error remained as it still tried to connect to the vCenter controlled host via it’s FQDN resulting in the error.

After doing a quick Google search and finding nothing, I changed the target to be an ESXi host directly and used it’s IP address over it’s FQDN. This time the OVFTool was able to do it’s thing and deploy the new VCSA appliance.

The one caveat when deploying directly to a host over a vCenter is that you need to have the target PortGroup configured as an ephemeral…but that’s a general rule of bootstrapping a VCSA in any case and it’s the only one that will show up from the drop down list.

While very strange given all DNS checked out as per my testing, the workaround did it’s thing and allowed me to continue with the upgrade. This didn’t find the root cause…however when you need to motor on with anupgrade, a workaround is just as good!

Adding Let’s Encrypt SSL Certificate to vCloud Director Keystore

Posted on 06/28/2018 by Anthony Spiteri

For the longest time the configuring of vCloud Director’s SSL certificate keystore has been the thing that makes vCD admins shudder. There are lots of posts on the process…some good…some not so good. I even have a post from way back in 2012 about fronting vCD with a Citrix NetScaler and if I am honest, I cheated in having HTTPS at the load balancer deal with the SSL certificate while leaving vCD configured with the self signed cert. With the changes to the way the HTML5 Tenant Portal deals with certs and DNS I’m not sure that method would even work today.

I wanted to try and update the self signed certs in both my lab environments to assist in resolving the No Datacenters are available issue that cropped up in vCD 9.1. Instead of generating and using self signed certs I decided to try use Let’s Encrypt signed certs. Most of the process below is curtesy of blog posts from Luca Dell’Oca and it’s worth looking at this blog post from Tom Fojta who has a PowerShell script to automate Let’s Encrypt SSL certs for us on NSX Edge load balancers.

In my case, I wanted to install the cert directly into the vCD Cell Keystore. The manual end to end the process is listed below. I intend to try and automate this process so as to overcome the one constraint with using Let’s Encrypt…that is the 90 day lifespan of the certs. I think that is acceptable and it ensures validity of the SSL cert and a fair caveat given the main use case for this is in lab environments.

Generating the Signed SSL Cert from Let’s Encrypt:

To complete this process you need the ACMESharp PowerShell module. There are a couple of steps to follow which include registering the domain you want to create the SSL cert against, triggering a verification challenge that can be done by creating a domain TXT record as shown in the output of the challenge command. Once submitted, you need to look out for a Valid Status response.

PS C:\ProgramData\ACMESharp\sysVault> New-ACMEIdentifier -Dns vcloud.aperaturelabs.biz -Alias aplabs2

IdentifierPart : ACMESharp.Messages.IdentifierPart
IdentifierType : dns
Identifier     : vcloud.aperaturelabs.biz
Uri            : https://acme-v01.api.letsencrypt.org/acme/authz/********xH92Xzm8ggC5ctaIrmEgQKyAjXeb6tFgVT8
Status         : pending
Expires        : 7/4/2018 1:38:28 PM
Challenges     : {, }
Combinations   : {1, 0}

PS C:\ProgramData\ACMESharp\sysVault> Complete-ACMEChallenge aplabs2 -ChallengeType dns-01 -Handler manual

IdentifierPart : ACMESharp.Messages.IdentifierPart
IdentifierType : dns
Identifier     : vcloud.aperaturelabs.biz
Uri            : https://acme-v01.api.letsencrypt.org/acme/authz/********H92Xzm8ggC5ctaIrmEgQKyAjXeb6tFgVT8
Status         : pending
Expires        : 7/4/2018 1:38:28 PM
Challenges     : {, manual}
Combinations   : {1, 0}

PS C:\ProgramData\ACMESharp\sysVault> (Get-ACMEIdentifier aplabs2).Challenges

ChallengePart          : ACMESharp.Messages.ChallengePart
Challenge              :
Type                   : http-01
Uri                    : https://acme-v01.api.letsencrypt.org/acme/challenge/********xH92Xzm8ggC5ctaIrmEgQKyAjXeb6tFgVT8/5331328098
Token                  :********g5cYoQcUaUhHiAA2qIMAvq_CTpMV-X5AE
Status                 : pending
OldChallengeAnswer     : [, ]
ChallengeAnswerMessage :
HandlerName            :
HandlerHandleDate      :
HandlerHandleMessage   :
HandlerCleanUpDate     :
HandlerCleanUpMessage  :
SubmitDate             :
SubmitResponse         :
ChallengePart          : ACMESharp.Messages.ChallengePart
Challenge              : ACMESharp.ACME.DnsChallenge
Type                   : dns-01
Uri                    : https://acme-v01.api.letsencrypt.org/acme/challenge/********xH92Xzm8ggC5ctaIrmEgQKyAjXeb6tFgVT8/5331328099
Token                  :********ko5kw1tjZ6NIlOrkY0KNDCx6zp0FUD4WM
Status                 : pending
OldChallengeAnswer     : [, ]
ChallengeAnswerMessage :
HandlerName            : manual
HandlerHandleDate      : 6/27/2018 9:38:42 AM
HandlerHandleMessage   : == Manual Challenge Handler - DNS ==
                           * Handle Time:      [6/27/2018 9:38:42 AM]
                           * Challenge Token:  [********_Zko5kw1tjZ6NIlOrkY0KNDCx6zp0FUD4WM]

                         To complete this Challenge please create a new Resource
                         Record (RR) with the following characteristics:
                           * RR Type:  [TXT]
                           * RR Name:  [_acme-challenge.vcloud.aperaturelabs.biz]
                           * RR Value: [********uK6sTtuXdYOZ87IZr1KF0Z_3NTtgfg8AH8]
                         ------------------------------------
HandlerCleanUpDate     :
HandlerCleanUpMessage  :
SubmitDate             :
SubmitResponse         :

PS C:\ProgramData\ACMESharp\sysVault> Submit-ACMEChallenge aplabs2 -ChallengeType dns-01

IdentifierPart : ACMESharp.Messages.IdentifierPart
IdentifierType : dns
Identifier     : vcloud.aperaturelabs.biz
Uri            : https://acme-v01.api.letsencrypt.org/acme/authz/********xH92Xzm8ggC5ctaIrmEgQKyAjXeb6tFgVT8
Status         : pending
Expires        : 7/4/2018 1:38:28 PM
Challenges     : {, manual}
Combinations   : {1, 0}

PS C:\ProgramData\ACMESharp\sysVault> (Update-ACMEIdentifier aplabs2 -ChallengeType dns-01).Challenges | Where-Object {$_.Type -eq "dns-01"}

ChallengePart          : ACMESharp.Messages.ChallengePart
Challenge              : ACMESharp.ACME.DnsChallenge
Type                   : dns-01
Uri                    : https://acme-v01.api.letsencrypt.org/acme/challenge/********xH92Xzm8ggC5ctaIrmEgQKyAjXeb6tFgVT8/5331328099
Token                  :********_Zko5kw1tjZ6NIlOrkY0KNDCx6zp0FUD4WM
Status                 : valid
OldChallengeAnswer     : [, ]
ChallengeAnswerMessage :
HandlerName            : manual
HandlerHandleDate      : 6/27/2018 9:38:42 AM
HandlerHandleMessage   : == Manual Challenge Handler - DNS ==
                           * Handle Time:      [6/27/2018 9:38:42 AM]
                           * Challenge Token:  [********_Zko5kw1tjZ6NIlOrkY0KNDCx6zp0FUD4WM]

                         To complete this Challenge please create a new Resource
                         Record (RR) with the following characteristics:
                           * RR Type:  [TXT]
                           * RR Name:  [_acme-challenge.vcloud.aperaturelabs.biz]
                           * RR Value: [********uK6sTtuXdYOZ87IZr1KF0Z_3NTtgfg8AH8]
                         ------------------------------------
HandlerCleanUpDate     :
HandlerCleanUpMessage  :
SubmitDate             : 6/27/2018 9:53:22 AM
SubmitResponse         : {StatusCode, Headers, Links, RawContent...}

100

101

PS C:\ProgramData\ACMESharp\sysVault> New-ACMEIdentifier -Dns vcloud.aperaturelabs.biz -Alias aplabs2

IdentifierPart : ACMESharp.Messages.IdentifierPart

IdentifierType : dns

Identifier : vcloud.aperaturelabs.biz

Uri : https://acme-v01.api.letsencrypt.org/acme/authz/********xH92Xzm8ggC5ctaIrmEgQKyAjXeb6tFgVT8

Status : pending

Expires : 7/4/2018 1:38:28 PM

Challenges : {, }

Combinations : {1, 0}

PS C:\ProgramData\ACMESharp\sysVault> Complete-ACMEChallenge aplabs2 -ChallengeType dns-01 -Handler manual

IdentifierPart : ACMESharp.Messages.IdentifierPart

IdentifierType : dns

Identifier : vcloud.aperaturelabs.biz

Uri : https://acme-v01.api.letsencrypt.org/acme/authz/********H92Xzm8ggC5ctaIrmEgQKyAjXeb6tFgVT8

Status : pending

Expires : 7/4/2018 1:38:28 PM

Challenges : {, manual}

Combinations : {1, 0}

PS C:\ProgramData\ACMESharp\sysVault> (Get-ACMEIdentifier aplabs2).Challenges

ChallengePart : ACMESharp.Messages.ChallengePart

Challenge :

Type : http-01

Uri : https://acme-v01.api.letsencrypt.org/acme/challenge/********xH92Xzm8ggC5ctaIrmEgQKyAjXeb6tFgVT8/5331328098

Token :********g5cYoQcUaUhHiAA2qIMAvq_CTpMV-X5AE

Status : pending

OldChallengeAnswer : [, ]

ChallengeAnswerMessage :

HandlerName :

HandlerHandleDate :

HandlerHandleMessage :

HandlerCleanUpDate :

HandlerCleanUpMessage :

SubmitDate :

SubmitResponse :

ChallengePart : ACMESharp.Messages.ChallengePart

Challenge : ACMESharp.ACME.DnsChallenge

Type : dns-01

Uri : https://acme-v01.api.letsencrypt.org/acme/challenge/********xH92Xzm8ggC5ctaIrmEgQKyAjXeb6tFgVT8/5331328099

Token :********ko5kw1tjZ6NIlOrkY0KNDCx6zp0FUD4WM

Status : pending

OldChallengeAnswer : [, ]

ChallengeAnswerMessage :

HandlerName : manual

HandlerHandleDate : 6/27/2018 9:38:42 AM

HandlerHandleMessage : == Manual Challenge Handler - DNS ==

* Handle Time: [6/27/2018 9:38:42 AM]

* Challenge Token: [********_Zko5kw1tjZ6NIlOrkY0KNDCx6zp0FUD4WM]

To complete this Challenge please create a new Resource

Record (RR) with the following characteristics:

* RR Type: [TXT]

* RR Name: [_acme-challenge.vcloud.aperaturelabs.biz]

* RR Value: [********uK6sTtuXdYOZ87IZr1KF0Z_3NTtgfg8AH8]

------------------------------------

HandlerCleanUpDate :

HandlerCleanUpMessage :

SubmitDate :

SubmitResponse :

PS C:\ProgramData\ACMESharp\sysVault> Submit-ACMEChallenge aplabs2 -ChallengeType dns-01

IdentifierPart : ACMESharp.Messages.IdentifierPart

IdentifierType : dns

Identifier : vcloud.aperaturelabs.biz

Uri : https://acme-v01.api.letsencrypt.org/acme/authz/********xH92Xzm8ggC5ctaIrmEgQKyAjXeb6tFgVT8

Status : pending

Expires : 7/4/2018 1:38:28 PM

Challenges : {, manual}

Combinations : {1, 0}

PS C:\ProgramData\ACMESharp\sysVault> (Update-ACMEIdentifier aplabs2 -ChallengeType dns-01).Challenges | Where-Object {$_.Type -eq "dns-01"}

ChallengePart : ACMESharp.Messages.ChallengePart

Challenge : ACMESharp.ACME.DnsChallenge

Type : dns-01

Uri : https://acme-v01.api.letsencrypt.org/acme/challenge/********xH92Xzm8ggC5ctaIrmEgQKyAjXeb6tFgVT8/5331328099

Token :********_Zko5kw1tjZ6NIlOrkY0KNDCx6zp0FUD4WM

Status : valid

OldChallengeAnswer : [, ]

ChallengeAnswerMessage :

HandlerName : manual

HandlerHandleDate : 6/27/2018 9:38:42 AM

HandlerHandleMessage : == Manual Challenge Handler - DNS ==

* Handle Time: [6/27/2018 9:38:42 AM]

* Challenge Token: [********_Zko5kw1tjZ6NIlOrkY0KNDCx6zp0FUD4WM]

To complete this Challenge please create a new Resource

Record (RR) with the following characteristics:

* RR Type: [TXT]

* RR Name: [_acme-challenge.vcloud.aperaturelabs.biz]

* RR Value: [********uK6sTtuXdYOZ87IZr1KF0Z_3NTtgfg8AH8]

------------------------------------

HandlerCleanUpDate :

HandlerCleanUpMessage :

SubmitDate : 6/27/2018 9:53:22 AM

SubmitResponse : {StatusCode, Headers, Links, RawContent...}

Once complete, there is a script that can be run as show on Luca’s Blog. I’ve added to the script to automatically import the newly created SSL cert into the Local Computer certificate store.

PS C:\ProgramData\ACMESharp\sysVault> C:\Users\anthonyspiteri\Documents\PowerCLI\ssl_gen_le.ps1

Press Enter to continue...:
Id                       : 10c6b280-88fa-49d0-bead-9f98046aca74
Alias                    : aplabs2-2018-06-27-09-56
Label                    :
Memo                     :
IdentifierRef            : 78828140-16c2-40e5-9932-c37b065cf291
IdentifierDns            : vcloud.aperaturelabs.biz
AlternativeIdentifierDns :
KeyPemFile               : ********-88fa-49d0-bead-9f98046aca74-key.pem
CsrPemFile               : ********-88fa-49d0-bead-9f98046aca74-csr.pem
GenerateDetailsFile      : ********-88fa-49d0-bead-9f98046aca74-gen.json
CertificateRequest       : ACMESharp.CertificateRequest
CrtPemFile               : ********-88fa-49d0-bead-9f98046aca74-crt.pem
CrtDerFile               : ********-88fa-49d0-bead-9f98046aca74-crt.der
IssuerSerialNumber       : ********0000015385736A0B85ECA708
SerialNumber             : ********4DE77F1E372768C5B307DC3B1B87
Thumbprint               : ********799A2E754C08EE3569B667F470AF61E71
Signature                : ********99A2E754C08EE3569B667F470AF61E71
SignatureAlgorithm       : sha256RSA
RevokedAt                :

PSPath                   : Microsoft.PowerShell.Security\Certificate::LocalMachine\my\9D9B264799A2E754C08EE3569B667F470AF61E71
PSParentPath             : Microsoft.PowerShell.Security\Certificate::LocalMachine\my
PSChildName              : 9D9B264799A2E754C08EE3569B667F470AF61E71
PSIsContainer            : False
Archived                 : False
Extensions               : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid...}
FriendlyName             : CN=vcloud.aperaturelabs.biz
IssuerName               : System.Security.Cryptography.X509Certificates.X500DistinguishedName
NotAfter                 : 9/25/2018 8:56:55 AM
NotBefore                : 6/27/2018 8:56:55 AM
HasPrivateKey            : True
PrivateKey               :
PublicKey                : System.Security.Cryptography.X509Certificates.PublicKey
RawData                  : {48, 130, 6, 27...}
SerialNumber             : ********77F1E372768C5B307DC3B1B87
SubjectName              : System.Security.Cryptography.X509Certificates.X500DistinguishedName
SignatureAlgorithm       : System.Security.Cryptography.Oid
Thumbprint               : ********99A2E754C08EE3569B667F470AF61E71
Version                  : 3
Handle                   : 2048481365152
Issuer                   : CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
Subject                  : CN=vcloud.aperaturelabs.biz
EnhancedKeyUsageList     : {Server Authentication (1.3.6.1.5.5.7.3.1), Client Authentication (1.3.6.1.5.5.7.3.2)}
DnsNameList              : {vcloud.aperaturelabs.biz}
SendAsTrustedIssuer      : False
EnrollmentPolicyEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
EnrollmentServerEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
PolicyId                 :

PS C:\ProgramData\ACMESharp\sysVault> C:\Users\anthonyspiteri\Documents\PowerCLI\ssl_gen_le.ps1

Press Enter to continue...:

Id : 10c6b280-88fa-49d0-bead-9f98046aca74

Alias : aplabs2-2018-06-27-09-56

Label :

Memo :

IdentifierRef : 78828140-16c2-40e5-9932-c37b065cf291

IdentifierDns : vcloud.aperaturelabs.biz

AlternativeIdentifierDns :

KeyPemFile : ********-88fa-49d0-bead-9f98046aca74-key.pem

CsrPemFile : ********-88fa-49d0-bead-9f98046aca74-csr.pem

GenerateDetailsFile : ********-88fa-49d0-bead-9f98046aca74-gen.json

CertificateRequest : ACMESharp.CertificateRequest

CrtPemFile : ********-88fa-49d0-bead-9f98046aca74-crt.pem

CrtDerFile : ********-88fa-49d0-bead-9f98046aca74-crt.der

IssuerSerialNumber : ********0000015385736A0B85ECA708

SerialNumber : ********4DE77F1E372768C5B307DC3B1B87

Thumbprint : ********799A2E754C08EE3569B667F470AF61E71

Signature : ********99A2E754C08EE3569B667F470AF61E71

SignatureAlgorithm : sha256RSA

RevokedAt :

PSPath : Microsoft.PowerShell.Security\Certificate::LocalMachine\my\9D9B264799A2E754C08EE3569B667F470AF61E71

PSParentPath : Microsoft.PowerShell.Security\Certificate::LocalMachine\my

PSChildName : 9D9B264799A2E754C08EE3569B667F470AF61E71

PSIsContainer : False

Archived : False

Extensions : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid...}

FriendlyName : CN=vcloud.aperaturelabs.biz

IssuerName : System.Security.Cryptography.X509Certificates.X500DistinguishedName

NotAfter : 9/25/2018 8:56:55 AM

NotBefore : 6/27/2018 8:56:55 AM

HasPrivateKey : True

PrivateKey :

PublicKey : System.Security.Cryptography.X509Certificates.PublicKey

RawData : {48, 130, 6, 27...}

SerialNumber : ********77F1E372768C5B307DC3B1B87

SubjectName : System.Security.Cryptography.X509Certificates.X500DistinguishedName

SignatureAlgorithm : System.Security.Cryptography.Oid

Thumbprint : ********99A2E754C08EE3569B667F470AF61E71

Version : 3

Handle : 2048481365152

Issuer : CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US

Subject : CN=vcloud.aperaturelabs.biz

EnhancedKeyUsageList : {Server Authentication (1.3.6.1.5.5.7.3.1), Client Authentication (1.3.6.1.5.5.7.3.2)}

DnsNameList : {vcloud.aperaturelabs.biz}

SendAsTrustedIssuer : False

EnrollmentPolicyEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty

EnrollmentServerEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty

PolicyId :

From here, I exported the certificate with the private key so that you are left with a PFX file. I also saved to Base-64 X.509 format the Root and Intermediate certs that form the whole chain. This is required to help resolve the No Datacenters are available error mentioned above. Upload the three files to the vCD cell and continue as shown below.

Importing Signed SSL from Let’s Encrypt into vCD Keystore:

Next, the steps to take on the vCD Cell can be the most complex steps to follow and this is where I have seen different posts do different things. Below shows the commands from start to finish that worked for me…see inline for comments on what each command is doing.

# Convert PFX to PEM
openssl pkcs12 -in vcloud.aperaturelabs.biz.pfx -out certificate.cer -nodes

# Get Private Key from file
vi certificate.cer

# Create new file with Private Key
vi certificate.key

# Recreate PFX and create Alias for http and consoleproxy
openssl pkcs12 -export -in certificate.cer -inkey certificate.key -name http -passout pass:password -out http.pfx
openssl pkcs12 -export -in certificate.cer -inkey certificate.key -name consoleproxy -passout pass:password -out consoleproxy.pfx
  
# Import the http and consoleproxy PFXs into the new KeyStore
/opt/vmware/vcloud-director/jre/bin/keytool -importkeystore -srckeystore http.pfx -srcstoretype PKCS12 -destkeystore CERTIFICATES.ks -deststoretype JCEKS -deststorepass password -srcalias http -destalias http -srcstorepass password
/opt/vmware/vcloud-director/jre/bin/keytool -importkeystore -srckeystore consoleproxy.pfx -srcstoretype PKCS12 -destkeystore CERTIFICATES.ks -deststoretype JCEKS -deststorepass password -srcalias consoleproxy -destalias consoleproxy -src           storepass password

# Import the Intermediate and root files that form the chain
/opt/vmware/vcloud-director/jre/bin/keytool -importcert -alias intermediate -file le-int.cer -storetype JCEKS -keystore CERTIFICATES.ks -storepass password
/opt/vmware/vcloud-director/jre/bin/keytool -importcert -alias root -file le-root.cer -storetype JCEKS -keystore CERTIFICATES.ks -storepass password

# List the KeyStore certificates to ensure everything is there
/opt/vmware/vcloud-director/jre/bin/keytool  -list -keystore CERTIFICATES.ks -storetype JCEKS -storepass password

# Save existing Keystore and overwrite with new
cp certificates.ks certificates.ks.old
cp ~root/CERTIFICATES.ks /opt/keystore/certificates.ks

# Assign ownership of the new KeyStore to vCloud user and group
chown vcloud:vcloud certificates.ks

# Run the vCD Configuration again to import the new KeyStore
/opt/vmware/vcloud-director/bin/configure

# Convert PFX to PEM

openssl pkcs12 -in vcloud.aperaturelabs.biz.pfx -out certificate.cer -nodes

# Get Private Key from file

vi certificate.cer

# Create new file with Private Key

vi certificate.key

# Recreate PFX and create Alias for http and consoleproxy

openssl pkcs12 -export -in certificate.cer -inkey certificate.key -name http -passout pass:password -out http.pfx

openssl pkcs12 -export -in certificate.cer -inkey certificate.key -name consoleproxy -passout pass:password -out consoleproxy.pfx

# Import the http and consoleproxy PFXs into the new KeyStore

/opt/vmware/vcloud-director/jre/bin/keytool -importkeystore -srckeystore http.pfx -srcstoretype PKCS12 -destkeystore CERTIFICATES.ks -deststoretype JCEKS -deststorepass password -srcalias http -destalias http -srcstorepass password

/opt/vmware/vcloud-director/jre/bin/keytool -importkeystore -srckeystore consoleproxy.pfx -srcstoretype PKCS12 -destkeystore CERTIFICATES.ks -deststoretype JCEKS -deststorepass password -srcalias consoleproxy -destalias consoleproxy -src storepass password

# Import the Intermediate and root files that form the chain

/opt/vmware/vcloud-director/jre/bin/keytool -importcert -alias intermediate -file le-int.cer -storetype JCEKS -keystore CERTIFICATES.ks -storepass password

/opt/vmware/vcloud-director/jre/bin/keytool -importcert -alias root -file le-root.cer -storetype JCEKS -keystore CERTIFICATES.ks -storepass password

# List the KeyStore certificates to ensure everything is there

/opt/vmware/vcloud-director/jre/bin/keytool -list -keystore CERTIFICATES.ks -storetype JCEKS -storepass password

# Save existing Keystore and overwrite with new

cp certificates.ks certificates.ks.old

cp ~root/CERTIFICATES.ks /opt/keystore/certificates.ks

# Assign ownership of the new KeyStore to vCloud user and group

chown vcloud:vcloud certificates.ks

# Run the vCD Configuration again to import the new KeyStore

/opt/vmware/vcloud-director/bin/configure

Once that has been done and the vCD services has restarted, the SSL cert has been applied and we are all green and the Let’s Encrypt SSL cert is in play.

« Older Entries

Category Archives: VMware

Why Veeam with VMware Cloud on AWS:

Veeam on the VMware Cloud on AWS Marketplace:

Share this:

Community:

Hackathon:

Veeam Highlights and Sessions:

Wrap Up:

Share this:

VMware Cloud on AWS:

Amazon Relational Database Service (RDS) on VMware:

vCloud Provider Announcements:

vSphere and vSAN:

Other Notables:

Share this:

Share this:

Share this:

Veeam Sessions @VMworld:

Veeam @VMworld Solutions Exchange:

Veeam Community Support @VMworld:

Final Word:

Share this:

Using Terraform to Create AWS VPC for VMware Cloud on AWS:

Share this:

Share this:

Share this:

Generating the Signed SSL Cert from Let’s Encrypt:

Importing Signed SSL from Let’s Encrypt into vCD Keystore:

Share this: