Wednesday, March 29, 2017

Disable TLS v1.0 and v1.1 in vSphere 6.0

This is a very rough post with the base information - I will make this part of a series soon. 

This quick post only focuses on the use of the TLS tool in vSphere 6.0 in a very simple environment (VCSA with embedded PSC, hosts in the 3 situations used in the tool) for demonstration purposes. 

Also note that only port 443 is tested here, but vCenter and ESXi listen on many other ports, some of them outside the scope of what the TLS tool configures.

This post focuses on leaving only TLS 1.2 enabled. Other posts which helped me and are good reading are by GaneshSekarbabu and by DanRaymond65.

We will basically put KB 2148819 into practice.

Before we start, make very sure you are running at least 6.0 Update 3 and that your vCenter and hosts are on the same release! Also download the RPM version of the TLS tool from the same location the VCSA is downloaded from.

If you are going to do the whole environment, the basic order is:

1) vCenters
2) hosts
3) PSCs

Steps needed to be able to run the tool:

#Open an SSH session (or use the VCSA console). If SSH is not enabled yet, enable it first.

#It's always a good idea to verify the SSH host key fingerprint matches before logging in.

#Now execute these commands. Enable the Bash shell:
shell.set --enable True

#Launch the "Bash" shell (which is really a "pi shell"):
shell

#Change root's login shell to Bash so SCP works (it doesn't with the default appliancesh; not explained in the KB). You can switch back afterwards with chsh -s "/bin/appliancesh" root
chsh -s "/bin/bash" root

*Go copy the TLS RPM file to the VCSA now*

#I copied the file to /tmp (or wherever, but notice you have to change the directory to what you used)
cd /tmp

#-U upgrades (installs if no older version is found), -v is verbose, -h prints hash marks as a progress display
rpm -Uvh VMware-vSphereTlsReconfigurator-6.0.0-5051284.x86_64.rpm

#Change directory to where TLS Reconfigurator was installed to
cd /usr/lib/vmware-vSphereTlsReconfigurator/

vCenter and PSC steps

#Switch to vCenter tool directory 
cd VcTlsReconfigurator

#Take a backup as per the KB
./reconfigureVc backup

*Go copy the backup directory to a safe place. Why? WHY NOT?*

A scan of port 443 before running the tool, using sslscan (the Windows executable), shows TLS 1.0 and 1.1 are active:

#Do some damage! I mean, set TLS v1.2 as the only accepted protocol
./reconfigureVc update -p TLSv1.2

#Type "y" to proceed. It doesn't restart the whole appliance, just the services

#Note it actually takes another backup. Gotta protect GSS :)

#Finally you get a status report confirming that only TLS v1.2 is configured

#The vSphere Client service takes a little longer to start than the rest. You can monitor it via the shell with
service vsphere-client status

#A scan of port 443 after running the tool shows only TLS 1.2 enabled:

ESXi steps

#Hosts MUST be rebooted after these commands for all changes to take effect!!

#Switch to ESX tool directory 
cd /usr/lib/vmware-vSphereTlsReconfigurator/EsxTlsReconfigurator

You have 3 options for host changes: by cluster, by individual host joined to this vCenter, or by standalone host.

#If you are doing hosts joined to a vCenter inside a Cluster (this does the whole cluster)

#./reconfigureEsx vCenterCluster -c <Cluster_Name> -u <Administrative_User> -p TLSv1.2
./reconfigureEsx vCenterCluster -c MyCluster -u administrator@vsphere.local -p TLSv1.2

#It asks for the user's password and executes

#Don't forget to reboot the host!
#Scan before change

#Scan after change and reboot

#If you are doing one host joined to a vCenter

#./reconfigureEsx vCenterHost -h <ESXi_Host_Name> -u <Administrative_User> -p TLSv1.2
./reconfigureEsx vCenterHost -h -u administrator@vsphere.local -p TLSv1.2

#It asks for the user's password and executes

#Don't forget to reboot the host!

#Scan before change

#Scan after change and reboot

#If you are doing a host that is not joined to a vCenter

#./reconfigureEsx ESXiHost -h <ESXi_Host_Name> -u <User> -p TLSv1.2
./reconfigureEsx ESXiHost -h -u root -p TLSv1.2

#Note this uses a local ESXi account since this host is not in this vCenter

#Don't forget to reboot the host!

#Scan before change

#Scan after change and reboot
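The before/after scans above were done on port 443 only, with sslscan from a Windows box. The script below is an added example, not from this post and not part of VMware's TLS Reconfigurator: it uses openssl s_client (present on the VCSA and on most admin hosts) to try TLS 1.0, 1.1 and 1.2 against any list of host:port pairs, so the same check can be repeated against the vCenter, the PSC and every ESXi host, and extended to ports beyond 443. The host name and port list on the command line are placeholders for your own environment; the three sample transcripts inside the script are constructed, abridged openssl outputs used only to exercise the classifier offline.

```shell
#!/bin/sh
# Added example (not from the post or VMware's tool): probe which TLS versions
# a listener accepts and check the result against the "only TLS 1.2" policy.

# Classify one openssl s_client run from its captured output.
# openssl prints "New, <proto>, Cipher is <name>" after a successful handshake
# and "New, (NONE), Cipher is (NONE)" (usually with an alert) when the server
# refused that version. "no protocols available" means the local openssl
# itself would not offer the version (e.g. MinProtocol in openssl.cnf), so it
# is reported as an error rather than a server-side rejection.
# Prints one word: accepted | rejected | error
classify_handshake() {
    out=$1
    case $out in
        *"no protocols available"*) echo error ;;
        *"Cipher is (NONE)"*|*"handshake failure"*|*"wrong version number"*|*"unsupported protocol"*)
            echo rejected ;;
        *"Cipher is "*) echo accepted ;;
        *) echo error ;;   # connection refused, timeout, wrong port, etc.
    esac
}

# Run one probe. proto is an openssl s_client flag: tls1, tls1_1 or tls1_2.
probe_tls() {
    host=$1 port=$2 proto=$3
    out=$(openssl s_client -connect "$host:$port" "-$proto" </dev/null 2>&1) || true
    classify_handshake "$out"
}

# The target state of the post: TLS 1.0 and 1.1 rejected, TLS 1.2 accepted.
# Arguments are the three classify_handshake results; returns 0 on a match.
only_tls12() {
    [ "$1" = rejected ] && [ "$2" = rejected ] && [ "$3" = accepted ]
}

# Probe every port given, print one line per port, exit 1 if any port still
# accepts TLS 1.0 or 1.1 (or could not be checked).
scan_host() {
    host=$1; shift
    rc=0
    for port in "$@"; do
        r10=$(probe_tls "$host" "$port" tls1)
        r11=$(probe_tls "$host" "$port" tls1_1)
        r12=$(probe_tls "$host" "$port" tls1_2)
        printf '%s:%s  TLS1.0=%s  TLS1.1=%s  TLS1.2=%s\n' "$host" "$port" "$r10" "$r11" "$r12"
        only_tls12 "$r10" "$r11" "$r12" || rc=1
    done
    return $rc
}

# Constructed, abridged s_client transcripts for exercising the classifier
# offline (not real captures from the post's environment).
SAMPLE_ACCEPTED='CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
    Protocol  : TLSv1.2'
SAMPLE_REJECTED='CONNECTED(00000003)
SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:SSL alert number 70
---
New, (NONE), Cipher is (NONE)
    Protocol  : TLSv1'
SAMPLE_ERROR='connect: Connection refused
connect:errno=111'

# Usage: sh tlscheck.sh vcenter.example.com 443 9443
# (host name and ports are placeholders; substitute your own list)
if [ $# -ge 2 ]; then
    scan_host "$@"
fi
```

Run it once before `reconfigureVc update` / `reconfigureEsx` and once after the services restart (or, for ESXi, after the reboot); a port that still prints TLS1.0=accepted is one the tool did not cover. On hosts with a newer openssl whose openssl.cnf disables TLS 1.0/1.1 on the client side, the probe reports "error" instead of "rejected" on purpose, so a client that cannot speak the old version is not mistaken for a server that refuses it.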

Hope this helps. I'll go into a bit more detail as soon as I have some time! Ping me on twitter if you have any comments please.

Tuesday, February 28, 2017

PowerShell and PowerCLI - scripted addition to "getting started"

In my first post on Powershell/PowerCLI I had ventured the guess that many of the tasks to setup PowerShell/PowerCLI could be scripted. Today I present the script:

#Bypass is the most permissive setting; RemoteSigned is enough if you only run scripts you wrote locally
Set-ExecutionPolicy Bypass -Force

#-Force makes these safe to re-run when the folders already exist
mkdir $env:userprofile\Documents\WindowsPowerShell -Force
mkdir "C:\PowerCLI codes" -Force

#The profile contents. The backtick stops $psISE from being expanded while the here-string is built
$fixPS = @"
Set-Location "C:\PowerCLI codes"
if (`$psISE) {
    # settings that should only apply inside the ISE go here
}
Write-Host 'You can do this!'
"@

#profile.ps1 in this folder is loaded by both the console and the ISE
$fixPS | Out-File -FilePath $env:userprofile\Documents\WindowsPowerShell\profile.ps1 -Encoding ASCII

You can change the directory for your codes and the startup message, and add or remove lines, but this at least creates the profile file that sets your working directory, and writes all the lines to profile.ps1 (the per-user profile that both the console and the ISE load).

So to use this:
1) Find powershell on your computer
2) right click, run as administrator
3) paste and execute. This should not prompt you for any questions
4) close that window
5) Use ISE or PowerShell like you normally would from now on

Let me know if you found this useful. I needed it since I have several jumpboxes and create new VMs, and figuring out where stuff needs to be changed takes much more time than copy pasting my setup in a script :)

Tuesday, January 24, 2017

Learning about vSphere Flash Read Cache

I'm looking at vSphere Flash Read Cache in case Pernix FVP does not release an update for vSphere 6.5 (after being bought by Nutanix). Using vFRC is a bit different right off the bat, since it doesn't do write acceleration, but since I already have the required vSphere licensing and hardware, there is no extra cost to enable it.

The biggest problems I see so far are:

1) not a lot of reported users, at least that I could find; it has been kept as a feature by VMware since it was announced, so there must be quite a few, but I didn't find many operational blogs, just feature-announcement type posts.
2) more rigid implementation steps compared to Pernix FVP, which takes some reading to figure out

Biggest differences with Pernix FVP apart from the obvious:

Known KBs
There are two known issues, both easily avoidable since patches have already been released, so just make sure you are running the latest build before enabling it.

Documentation (links: one particularly useful, one a cool read)

Blog posts