Words to live by, and as the density of those backup tapes continues to increase (the last time I used backup tapes they were 400/800GB LTO3s), so does the station wagon’s bandwidth! I’ll leave it up to you to get your tapes to the vault, but let’s go through what it takes to get the pertinent VCF infrastructure configuration data into a state and place where it can be backed up and restored. This will include configuring backups for SDDC Manager and vCenter, exporting VDS configs, and backing up NSX Managers. Let’s go!
Securing a VMware Cloud Foundation (VCF) environment can be a daunting task at times. There are several products that can be deployed, and each has specific things that need to be looked at. It’s especially important to think of VCF as a solution, though, as actions you take on an individual product can impact the functionality of the solution as a whole. Today, however, this just got a bit easier…
While working on a project I discovered that the REST requests (from PowerShell, curl and various REST clients) I had previously used to register the NSX Manager with vCenter and the SSO server were no longer working.
For example, against NSX 6.1.2 the following request worked fine, returning a 200:
curl -k -u 'admin:VMware1!' -H 'Accept:application/xml' \
  -H 'Content-Type:application/xml' \
  -X PUT https://10.0.0.80/api/2.0/services/vcconfig \
  -d '<vcInfo>
        <ipAddress>10.0.0.30</ipAddress>
        <userName>email@example.com</userName>
        <password>VMware1!</password>
        <assignRoleToUser>true</assignRoleToUser>
      </vcInfo>'
With 6.1.3 and 6.1.4 it would return a 403 with a cryptic error body:
<?xml version="1.0" encoding="UTF-8"?>
<error>
  <details>92:4D:D6:A4:C2:C2:39:EE:81:11:AA:A9:8D:0D:1F:17:D0:33:C2:C1</details>
  <errorCode>226</errorCode>
</error>
With help from @voltmer we were able to figure out that the value in the error was the certificate thumbprint of the vCenter server. It turns out that, starting with version 6.1.3, you need to pass the thumbprint along with the rest of the payload. With the above example, it would look like this:
curl -k -u 'admin:VMware1!' -H 'Accept:application/xml' \
  -H 'Content-Type:application/xml' \
  -X PUT https://10.0.0.80/api/2.0/services/vcconfig \
  -d '<vcInfo>
        <ipAddress>10.0.0.30</ipAddress>
        <userName>firstname.lastname@example.org</userName>
        <password>VMware1!</password>
        <assignRoleToUser>true</assignRoleToUser>
        <certificateThumbprint>92:4D:D6:A4:C2:C2:39:EE:81:11:AA:A9:8D:0D:1F:17:D0:33:C2:C1</certificateThumbprint>
      </vcInfo>'
Looking at the API docs for NSX, this requirement is not noted, but this is being addressed.
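Because NSX hands the thumbprint back in the 403 body, it is tempting to paste it straight into the payload, but that pins whatever certificate NSX happened to reach rather than the vCenter you trust. The Python below is an added example, not code from the original post: it parses the 226 error shown above, computes the thumbprint (SHA-1 over the DER certificate, colon-separated hex as vSphere displays it) from a vCenter certificate you already hold, and only builds the vcInfo payload when the two agree. That 226 means "thumbprint required" and the sample certificate bytes are assumptions.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

# Constructed copy of the 403 body NSX 6.1.3+ returns when the thumbprint is missing.
SAMPLE_ERROR_XML = """<?xml version="1.0" encoding="UTF-8"?>
<error>
  <details>92:4D:D6:A4:C2:C2:39:EE:81:11:AA:A9:8D:0D:1F:17:D0:33:C2:C1</details>
  <errorCode>226</errorCode>
</error>"""

THUMBPRINT_ERROR_CODE = "226"  # code seen in the post; assumed to mean "thumbprint required"
THUMBPRINT_RE = re.compile(r"^(?:[0-9A-F]{2}:){19}[0-9A-F]{2}$")


def thumbprint_from_der(der_cert: bytes) -> str:
    """SHA-1 of the DER certificate as colon-separated upper-case hex, the
    format vSphere displays and NSX echoes in the 226 error."""
    digest = hashlib.sha1(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def thumbprint_from_error(body: str):
    """Extract the thumbprint NSX observed, or None if this is a different error."""
    root = ET.fromstring(body)
    if root.tag != "error" or root.findtext("errorCode") != THUMBPRINT_ERROR_CODE:
        return None
    details = (root.findtext("details") or "").strip().upper()
    return details if THUMBPRINT_RE.match(details) else None


def build_vcinfo(ip: str, user: str, password: str, thumbprint: str) -> bytes:
    """Serialise the vcInfo payload for PUT /api/2.0/services/vcconfig; building it
    with ElementTree sidesteps the shell-quoting problems of an inline XML string."""
    root = ET.Element("vcInfo")
    for tag, text in (("ipAddress", ip), ("userName", user), ("password", password),
                      ("assignRoleToUser", "true"), ("certificateThumbprint", thumbprint)):
        ET.SubElement(root, tag).text = text
    return ET.tostring(root, encoding="utf-8")


def verify_and_build(error_body: str, trusted_der: bytes, ip: str, user: str, password: str) -> bytes:
    """Pin the thumbprint NSX reported only if it matches the vCenter certificate
    we already trust; pasting the 226 value back blindly pins whatever NSX reached."""
    observed = thumbprint_from_error(error_body)
    expected = thumbprint_from_der(trusted_der)
    if observed is None:
        raise ValueError("response is not a thumbprint (226) error")
    if observed != expected:
        raise ValueError(f"NSX saw {observed} but the trusted vCenter cert is {expected}")
    return build_vcinfo(ip, user, password, expected)
```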
While I’m at it, there was an additional step required to fully integrate NSX into the Web Client that I didn’t have to do before: adding an SSO domain user or group and assigning it a role in NSX. If you’ve installed vCenter 6.0 you know that logging in as root the first time gets you nowhere special; administrator@<the SSO domain you created on install> has all the power nowadays. When you register the NSX Manager with vCenter, the user used for the registration is not given any kind of role within NSX. When you log in to vCenter after registering with the API you can see the Networking and Security icon, but are unable to see any NSX Managers. Thankfully this is easily rectified with an additional NSX API call after SSO and vSphere registration:
curl -k -u 'admin:VMware1!' -H 'Accept:application/xml' \
  -H 'Content-Type:application/xml' \
  -X POST 'https://email@example.com??isGroup:false' \
  -d '<accessControlEntry>
        <role>super_user</role>
      </accessControlEntry>'
Make sure you log out of the Web Client and back in to be able to see the NSX Manager under the Networking and Security -> NSX Managers menu.
FYI, the curl in this article will most likely need some modifying. I “adjusted” it so it would read better, but don’t know if it will run as is. If you need the original, drop me a line.
Hope this helps!
Links of thanks:
@voltmer (FYI, he hasn’t been active on Twitter for some time)