Aria, Home Lab

Aria Suite Lifecycle Manager Appliance Custom Certificate Replacement

The Aria Suite Lifecycle Manager is the one-stop shop for managing, configuring, and lifecycling your Aria suite. You can read more on VMware’s site: ‘What is VMware Aria Suite Lifecycle’.

In the homelab I deployed the Aria Suite LCM Easy Installer using the Windows Installer. Once the appliance is up, it is a website accessed using its FQDN. I’m going to install a custom certificate issued by an internal Active Directory Certificate Services CA.

Aria LCM helps manage all kinds of settings such as DNS, NTP, product binaries, repositories, and even certificates. We will begin by accessing ‘Locker’ from the Services menu.

You will find that Locker is used to maintain Certificates, Passwords, and Licenses. In our case, we will select Certificates >> ‘Generate CSR’ so that we can generate a certificate request.

Complete the request

Once the certificate request is generated, a *.pem file is downloaded that contains the certificate request along with the private key. I’m using Notepad++ to edit the file so I can have it ready.

The next step will be to access my method of obtaining a certificate from Active Directory Certificate Services

The Certificate Template used is a ‘Web Server’ template that I created. I did follow some VMware KBs to assist with creating templates and even using them for vCenter appliances. KB2112009 & KB2112014

Copy the first part of the *.pem file downloaded from the appliance (the certificate request), select the template, and click ‘Submit’.

When you download the certificate from the top link, it should download as a *.p7b file.

Next, open a new file in a text editor that will allow you to save in certificate format, and copy that entire certificate string into the file first.

The second part of the file will be the root certificate from your CA, and the last part will be the private key that Aria Suite LCM generated earlier in the *.pem file.

The following is an example of how it would be laid out. Save the file; the next step will be importing it into Aria LCM.
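One way to check the assembled file before importing it into Locker, as an added example that is not part of the original post. It assumes PowerShell 7.1 or later, an RSA key, and a single root CA with no intermediate; the function names `Test-LockerPemBundle` and `ConvertTo-Pem` are hypothetical, and the sample chain is constructed in memory.

```powershell
# Added example, not from the original post. Needs PowerShell 7.1+; assumes RSA keys.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function ConvertTo-Pem([string]$Label, [byte[]]$Der) {
    "-----BEGIN $Label-----`n" + [Convert]::ToBase64String($Der, [Base64FormattingOptions]::InsertLineBreaks) + "`n-----END $Label-----`n"
}

function Test-LockerPemBundle([string]$PemText) {
    $rx = '-----BEGIN (?<l>[A-Z ]+)-----(?<b>[A-Za-z0-9+/=\s]+)-----END \k<l>-----'
    $blocks = @([regex]::Matches($PemText, $rx))
    $labels = @($blocks | ForEach-Object { $_.Groups['l'].Value })
    # Layout from the post: issued certificate, root certificate, private key.
    if (($labels -join '|') -notmatch '^CERTIFICATE\|CERTIFICATE\|([A-Z]+ )?PRIVATE KEY$') {
        return "FAIL: unexpected block order ($($labels -join ', '))"
    }
    $leaf, $root = $blocks[0..1] | ForEach-Object {
        [X509Certificate2]::new([Convert]::FromBase64String($_.Groups['b'].Value))
    }
    # The key must belong to the first certificate, not to an older request.
    $key = [RSA]::Create()
    $key.ImportFromPem($blocks[2].Value)
    $certMod = [RSACertificateExtensions]::GetRSAPublicKey($leaf).ExportParameters($false).Modulus
    $keyMod = $key.ExportParameters($false).Modulus
    if ([Convert]::ToBase64String($certMod) -ne [Convert]::ToBase64String($keyMod)) {
        return 'FAIL: private key does not match the first certificate'
    }
    # The second certificate must be the root that signed the first one.
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.TrustMode = [X509ChainTrustMode]::CustomRootTrust
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
    [void]$chain.ChainPolicy.CustomTrustStore.Add($root)
    if (-not $chain.Build($leaf)) {
        return "FAIL: chain does not build to the supplied root ($($chain.ChainStatus.Status -join ', '))"
    }
    "OK: $($leaf.Subject) issued by $($root.Subject), valid until $($leaf.NotAfter.ToString('u'))"
}

# Constructed sample: a throwaway root and leaf built in memory stand in for the AD CS output.
$now = [DateTimeOffset]::UtcNow; $sha = [HashAlgorithmName]::SHA256; $pad = [RSASignaturePadding]::Pkcs1
$caKey = [RSA]::Create(2048); $leafKey = [RSA]::Create(2048)
$caReq = [CertificateRequest]::new('CN=Constructed Lab Root', $caKey, $sha, $pad)
$caReq.CertificateExtensions.Add([X509BasicConstraintsExtension]::new($true, $false, 0, $true))
$rootCert = $caReq.CreateSelfSigned($now.AddDays(-1), $now.AddDays(30))
$leafReq = [CertificateRequest]::new('CN=lcm.lab.example', $leafKey, $sha, $pad)
$leafCert = $leafReq.Create($rootCert, $now.AddHours(-1), $now.AddDays(29), [byte[]](1..8))
$pems = (ConvertTo-Pem 'CERTIFICATE' $leafCert.RawData) + (ConvertTo-Pem 'CERTIFICATE' $rootCert.RawData)
Test-LockerPemBundle ($pems + (ConvertTo-Pem 'PRIVATE KEY' $leafKey.ExportPkcs8PrivateKey()))  # correct bundle
Test-LockerPemBundle ($pems + (ConvertTo-Pem 'PRIVATE KEY' $caKey.ExportPkcs8PrivateKey()))    # wrong key
```

For a real bundle, pass the file contents with `Test-LockerPemBundle (Get-Content <bundle>.pem -Raw)`.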

Go back to Aria LCM >> Locker >> Certificates and click ‘Import’.

Look for the new *.pem file containing all 3 blocks (certificate, root certificate, and private key) and add it. If successful, it should populate the 2 fields. Give the certificate a unique name, as this will be the name it’s saved under in the system.

Click Import.

Our Cert is in

The next step will be to update the certificate on the actual appliance; up until now, this was all generating the cert and adding it to a repository.

From Aria LCM ‘My Services’ select ‘Lifecycle Operations’

From the far-right click ‘Settings’ and then ‘Change Certificate’

Click ‘Replace Certificate’

The ‘Replace Certificate’ wizard will appear, click Next.

From the drop-down menu, you will have the certificate imported earlier. Select that and click ‘Next’

The final step will be a Precheck option. Click that and give it a moment to run; once it has Passed, click Next.

For the final step, I closed out of all browsers and accessed the appliance web interface again: no more warning message. We now have a secure connection to the appliance, validated via a certificate from our internal AD CA.

Home Lab, NSX

Enable SSH Service on NSX Controllers Using API w/ Postman

In my home lab, I try to find little tasks and find a way I can repeat these tasks quicker, easier, and perhaps even more securely. Everything I share can be performed in many different ways; what matters to me is finding a new way every time.

As a security measure, I chose to leave SSH disabled when deploying my NSX Controllers and now I need to access my managers so that I can perform some commands. Rather than typing in a long complicated password in a VMware console, I wanted to execute this via API using Postman. (This also allows me to dig in and learn more about Postman)

If you browse to the VMware by Broadcom Developer site, API reference documentation is available. Bring up the site below and search for ‘SSH’ to find the SSH-related API calls.

NSX-T Data Center REST API – VMware API Explorer

The following call will get the status of SSH on an individual NSX manager.

GET https://<nsx-mgr>/api/v1/node/services/ssh/status

If you want to review the properties of the SSH configuration, run the following.

GET https://<nsx-mgr>/api/v1/node/services/ssh

For the final step, we enable SSH on the controller by running

POST https://<nsx-mgr>/api/v1/node/services/ssh?action=start

and we are in

Refer to the API documentation listed at the beginning of the article; the commands are largely the same and differ only in the action parameter: ‘stop’, ‘start’, or ‘restart’.
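The same three calls can be scripted so that SSH is only up for as long as it is needed, shown here as an added example that is not part of the original post. The function name `Invoke-NsxSshWindow` is hypothetical, the `runtime_state` response field is an assumption to confirm against the API reference for your NSX version, and the manager's certificate is assumed to be trusted by the client.

```powershell
# Added example, not from the original post. Needs PowerShell 7+ for -Authentication Basic.
function Invoke-NsxSshWindow {
    param(
        [Parameter(Mandatory)][string]$Manager,            # NSX manager FQDN
        [Parameter(Mandatory)][pscredential]$Credential,   # API account, prompted for, never hard-coded
        [Parameter(Mandatory)][scriptblock]$Work           # what to do while SSH is running
    )
    $base = "https://$Manager/api/v1/node/services/ssh"
    $auth = @{ Authentication = 'Basic'; Credential = $Credential }

    # Assumption: the status response carries a 'runtime_state' field ('running' / 'stopped').
    $before = (Invoke-RestMethod @auth -Uri "$base/status").runtime_state
    try {
        if ($before -ne 'running') {
            Invoke-RestMethod @auth -Method Post -Uri "${base}?action=start" | Out-Null
        }
        & $Work
    }
    finally {
        # Stop SSH again if this call was what started it, even when $Work throws.
        if ($before -ne 'running') {
            Invoke-RestMethod @auth -Method Post -Uri "${base}?action=stop" | Out-Null
        }
        $after = (Invoke-RestMethod @auth -Uri "$base/status").runtime_state
        Write-Host "SSH on ${Manager}: was '$before', now '$after'"
    }
}

# Usage (placeholder host name):
# Invoke-NsxSshWindow -Manager '<nsx-mgr>' -Credential (Get-Credential) -Work { Read-Host 'SSH is up; press Enter when done' }
```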

Aria Operations, Home Lab

Reclaim Capacity Using VMware Aria Operations 8.14.1 [Video]

When I work with a customer for a health check of their VMware environment, we have a set of internal tools we can leverage in our TAM organization. What is a TAM, you may ask? Check out VMware Technical Adoption Manager.

If a customer has VMware Aria Operations stood up, that is one of the first places I like to start to get an understanding of what we could find to clean up the environment. Think of it as getting rid of clutter so you can obtain a better visual. When I refer to waste, I’m talking about powered-off virtual machines; virtual machines that were provisioned, left on, and never used for an intended purpose; snapshots; and finally orphaned disks (aka Zombie VMDKs, as referred to by RVTools).

While Aria Operations is not the only tool that can achieve these tasks, it does make for a nice integration and the ability to track and report against it.

Check out a quick YouTube tutorial on using the ‘Reclaim’ feature in Aria Operations.

Automation, Home Lab

Creating & Remediating Image Based Clusters with VMware PowerCLI

My time as a Systems Administrator came to an end 3 years ago. I had the self-realization that automation was not in my arsenal and the time needed to learn was not always there. HOWEVER... the relentless side of me still wants to learn a few new things.

While everything I did in the following blog could’ve been performed with a few clicks within vSphere Client, when performing the processes at scale or repetitively for testing, automating makes much more sense.

The article assumes someone has some familiarity with PowerShell, PowerCLI, and VMware technologies.

To obtain the latest PowerCLI package, go to PowerShell Gallery – VMware.PowerCLI. Also, visit VMware Developer Documentation – PowerCLI

As always please take precautions and test these out always in a Test/Dev environment before executing in production environments. Also, this method is not the only way, there is always room for improvement.

This script should accomplish the following tasks:

  • Create a new cluster
  • Add 3 new 7.x ESXi Hosts
  • Place hosts in Maintenance Mode
  • Configure the cluster for Image-Based
  • Add VMware Tools 12.3.5 Component to the Image Cluster
  • Remediate the new cluster asynchronously

As a start, you may want to find out what targeted ESXi version you want to go to, any Components, or even Vendor Addons. You’re essentially querying everything available in the vLCM repository. My hosts are at 7.0u3g and after remediation should be at 7.0 U3o.

The following will pull all BaseImages which are ESXi 7.x builds.

Get-LcmImage -Type BaseImage -Version '7*'

The only component we want to add/update is VMTools, the following will check for the latest version.

Get-LcmImage -Type Component *tools*

Please take the time to review the code below and replace variables and any sections with values from your environment. By no means is it perfect, but it is a good leap forward for me.

##The following script will create a new cluster and add 3 newly created hosts to the cluster##

##Creating a variable containing the hosts to be imported into vCenter (one hostname per line)##
$ESXiHosts = Get-Content "C:\scripts\<File containing hostnames>.txt"

##Creates a new Cluster and adds 3 newly built hosts into vCenter##
New-Cluster -Name "<Cluster>" -Location (Get-Datacenter)
foreach ($ESXiHost in $ESXiHosts) {
    ##-Force adds the host even when its SSL certificate cannot be verified##
    Add-VMHost -Server "<vCenter hostname>" -Name $ESXiHost -Location "<Cluster>" -User root -Password "<password>" -Force
}

##Places the newly added hosts in Maintenance Mode##
Set-VMHost $ESXiHosts -State Maintenance -Confirm:$false -RunAsync | Out-Null

##The following section will go through creating variables containing the Base Image and any Components.##

##Creating a variable for base image version##
$esxiBaseImage = "7.0 U3o - 22348816"

##Creating a variable which points to the Base Image in the vLCM repository##
$esxiBaseImageName = Get-LcmImage -Type BaseImage -Version $esxiBaseImage

##For VMTools we are creating a variable that points to the vLCM Component repository##
$esxiCompToolsPackage = Get-LcmImage -Type Component -Version '*12.3.5'

##This command will begin to convert the selected cluster into an Image-Based cluster, remember **This is an irreversible action**##
Set-Cluster '<Cluster>' -BaseImage $esxiBaseImageName -Component $esxiCompToolsPackage -Confirm:$false

##This command will begin remediation of the cluster asynchronously##
Get-Cluster -Name '<Cluster>' | Set-Cluster -Remediate -RunAsync -AcceptEULA -Confirm:$false

The hosts in this sample were nested hosts created in the environment. Please don’t hesitate to reach out with any questions or comments.

Aria, Aria Operations, Uncategorized

Monitoring SQL DB Instance & Services using Aria Operations Telegraf Agents

In another blog I documented how to deploy a Cloud Proxy appliance so that you can monitor Services in an operating system. You can check that out here: ‘VMware Aria Operations Cloud Proxy Deployment’.

For the following post I want to demonstrate monitoring SQL Server services on a Windows Server virtual machine.

In our test today, I’m running Windows Server 2016 with SQL Server Express Lite as a VM.

From within Aria Operations, I will want to now deploy the Telegraf agent. **Please take a snapshot and take any precautionary backups**

Locate the object you want to deploy the Telegraf agent to, select it, and from the ‘Actions’ menu select ‘Install’.

Select the Monitoring Availability and Cloud Proxy instance below, in my case, I have a single Cloud Proxy deployed. Click Done.

You have a couple of options to ensure authentication to the VMs is taking place. Selecting the top option ‘Common username & password’ will allow me to define one username and password. Selecting ‘Enter virtual machine credentials’ will allow you to download a template and populate it with usernames and passwords to upload back into the appliance.

I’m defining local Administrator permissions for the lab and clicking Next.

The screenshot is missing, but on the final screen click ‘Install’; installation should begin, and you may monitor its status in Aria Operations.

Before too long, you should see a successful installation.

Within a few minutes, the agent should start reporting in new object data from the Windows Server instance and discover services. If you go to Configure>>Application Services

If you click on the ‘discovered’ in the Microsoft SQL Server service, it should take you to a list of monitoring features.

Now that we have discovered services, we can select what we want to configure and even add from ‘Custom Monitoring’. To ensure we are alerted if a SQL service were to fail, we will select ‘Microsoft SQL Server’ and select Activate Service.

We will select ‘Microsoft SQL Server’ and click Confirm.

The right pane will bring up the following configuration menu; fill it out and click ‘Save’.

In order to make this work, I did have to enable port 1433 on my SQL instance to get the DB Instance to communicate with the collector; please work with your server and DBA teams.

Monitor the configuration

Once configuration is successful, you should find the server in inventory, deployed with an agent and reporting in application data.

You can now bring up the object in Aria Operations and find additional data being pulled in from the DB Instance.

You may also dive into associated Metrics for the SQL DB instance and start monitoring.

I hope this was helpful. Please ensure you follow best practices by taking snapshots and following the associated documentation for your GuestOS and VMware.