
vSphere 6.0 Update 2 – What’s New

VMware just recently released Update 2 for vSphere 6.0. Update 2 is full of new features and bug fixes for both ESXi and vCenter Server. For a complete list of features and bug fixes, make sure to review the release notes for ESXi and vCenter Server. There are a few features that stood out to me in this update. The Embedded Host Client is now integrated into ESXi and fully supported as of Update 2. VSAN 6.2 is feature rich with everything but the kitchen sink in this release. Two-factor authentication support for the vSphere Web Client is now available in the PSC UI. Here’s a breakdown of what’s new in vSphere 6.0 Update 2.

ESXi

VMware Embedded Host Client (EHC)

The Embedded Host Client (EHC) started out as a Fling and is now a supported product in vSphere 6.0 Update 2. The EHC is installed as part of ESXi 6.0U2 and provides the ability to manage any ESXi host using a web browser. After a host is installed with or upgraded to 6.0 U2, open a web browser and enter https://<FQDN or IP of host>/ui. More information on the Embedded Host Client can be found by reviewing the release notes.


Virtual SAN 6.2 (VSAN)

Note: VSAN is a separate product and is licensed separately

If you thought this update couldn’t get any bigger, think again. Virtual SAN 6.2 is here and jam-packed with new features. This release of VSAN now supports compression and deduplication. When enabled on a disk group, redundant copies of data are reduced to a single copy. There are also new services related to performance, space savings and health of the cluster. The Health service monitors the VSAN cluster for issues and provides diagnostics. The Performance service collects and analyzes performance statistics, from the cluster level down to the disk level. If you want space savings reports, those are included. Space reporting displays information on used and free space with a detailed breakdown. These are just a few of the new features in Virtual SAN 6.2. For more information, check out the Virtual Blocks blog.

vSphere APIs for I/O filtering (VAIO) Enhancement

vSphere 6.0 Update 2 also includes updates to vSphere APIs for I/O filtering (VAIO). If you are not familiar with VAIO I highly recommend you read the following blog post by Ken Werneburg.

  • VASA provider in a pure IPv6 environment
  • VMIOF 1.0 and 1.1

High Ethernet Link Speed

ESXi hosts can now support 25G and 50G Ethernet speeds.

vCenter Server

Two-factor authentication for vSphere Web client

vCenter Single Sign On allows authentication to the vSphere Web Client via username and password. vSphere 6.0 Update 2 introduces two-factor authentication supporting RSA SecurID and smart cards. RSA SecurID is configured using the SSO-Config utility. It also requires RSA Authentication Manager in your environment. Once set up, log in to the vSphere Web Client with your username and RSA passcode. Mike Foley has an excellent two-part blog post walking through RSA SecurID setup.

Smart card authentication, as mentioned above, is also supported. Many large enterprises and government agencies use smart cards to meet security regulations. Smart cards such as the Common Access Card (CAC) are used at machines with a smart card reader. Smart card authentication can be configured from the Platform Services Controller UI or using the SSO-Config utility. Stay tuned as Mike Foley will be discussing smart card authentication in a future post.


In addition to two-factor authentication, the vSphere Web Client now supports the ability to add a login banner. The login banner can be configured from the Platform Services Controller UI by adding a title and message.


An added layer of consent ensures the user cannot log in without acknowledging the login banner.


vCenter Server Appliance update status might be stuck at 70 percent

vSphere 6.0 Update 1b had a bug when using the virtual appliance management interface (VAMI) to update. The UI would hang at 70 percent, although the update had completed. The only way to verify the status of the upgrade was by checking the update log, /var/log/vmware/applmgmt/software-packages.log. This bug has been fixed in vSphere 6.0 Update 2, which displays 100 percent in the VAMI when the update is complete.

Support to change vSphere ESX Agent Manager Logging Level

vSphere Web Client support for Windows 10 operating system

vCenter Server now supports the following external databases

  • Microsoft SQL Server 2012 Service Pack 3
  • Microsoft SQL Server 2014 Service Pack 1

vCenter Server now supports multiple embedded to multiple PSC migrations in a single SSO domain

vSphere 6.0 Update 1 introduced the ability to reconfigure and repoint using CMSSO-UTIL. This is handy when going from a vCenter with an embedded PSC to an external PSC deployment in the same SSO domain. vSphere 6.0 Update 1 would not allow having two external PSCs and trying to repoint. The result was the following error:

[Screenshot: repoint error]

vSphere 6.0 U2 now allows having multiple external PSCs with the use of the repoint command. The diagram below represents two embedded deployments replicating to each other. This deployment model is considered deprecated. The term deprecated means the topology will be supported in vSphere 6.0 but not in future releases. To get out of this deprecated topology, two external Platform Services Controllers have been deployed. Now we can use the reconfigure command in CMSSO-Util to remove the embedded PSC and repoint vCenter Server to the external PSC.

[Diagram: deprecated embedded PSC deployment moving to external PSCs]

As you can see, vSphere 6.0 U2 is loaded with lots of new features. Go download it and give them a try.

Making the Most of Your Virtualized Environment

With basic virtualization technology, IT managers can consolidate physical resources and take a stand against rising CapEx costs. But the full potential of virtualization will remain elusive until you combine virtualization with a strong management platform.

In a recent survey of IT managers, Frost & Sullivan identified a number of common data center challenges: high maintenance costs, administrative complexity, poor workload performance, and minimizing downtime for applications. In each instance, a strong management capability can curb the challenge and help IT managers draw greater value from their existing resources and support private cloud deployments. But what makes for a strong management platform? Consider these characteristics:


Meet the New Face of Virtualization

If you’re considering virtualization as a means to consolidate your compute resources, to lower CapEx and OpEx costs, or to simplify server and application resources, you’ve got the right idea. But did you know your virtualized data center has even more to offer?

With VMware vSphere® with Operations Management™, you can realize value that extends beyond the limits of traditional virtualization.


Authorized Keys and ESXi 6.0 Update 2 – Changes to OpenSSH

William Lam brought up some feedback on Socialcast the other day. The story was of a customer who updated to ESXi 6.0 Update 2 and the SSH keys he was using no longer worked. The customer was advocating for changing the file /etc/sshd_config so that he could continue to use the keys on his ESXi server. IMHO, that’s the wrong course of action.

ESXi 6.0 Update 2 has shipped with an updated version of OpenSSH. The version has been updated to 7.1p1. One of the major changes in this release is the disablement of “ssh-dss” and “ssh-dss-cert-*” (a.k.a DSA) keys. They have also announced the future deprecation of legacy cryptography. I urge you to read more about these changes as they may impact you in other places in your infrastructure.

Now, the customer had added dss keys to the /etc/authorized_keys file so that he could easily log into his ESXi system. Ok, I get that. Adding authorized keys is a supported configuration outlined in this KB.

What happened is that now that ESXi 6.0 U2 is running the new OpenSSH bits his SSH connections were refused. This is expected behavior! This issue could be remediated by generating new keys using RSA keys. As I said above, that is the wrong course of action. You put your ESXi host at risk for convenience?

Please don’t bring up the “but DSA keys are faster/less overhead/etc” argument. I’m pretty darned sure that OpenSSH is using AES-NI instructions (I looked) that are plenty fast for a simple SSH session. Performance is no longer an excuse to use less security! It’s 2016.

Bottom line, if you are using Authorized Keys on your ESXi server and they were generated with DSA keys, it’s time to be proactive and re-generate them with RSA keys.
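To find the keys that need regenerating, here is an added example (not from the original post or from VMware) that audits the text of an authorized_keys file for the “ssh-dss” and “ssh-dss-cert-*” types named above. It also checks the key type stored inside each base64 blob, so a DSA key relabelled as ssh-rsa is caught too. The names `audit`, `blob_key_type`, `sample_blob` and `SAMPLE` are assumptions made for this illustration, and the sample input is constructed.

```python
import base64
import re
import struct

# A field is a run of non-space characters; double-quoted option values may hold spaces.
FIELD = re.compile(r'(?:[^\s"]|"(?:\\.|[^"\\])*")+')

def blob_key_type(b64):
    """Key type stored in the blob's first length-prefixed string, or None."""
    try:
        raw = base64.b64decode(b64, validate=True)
        (n,) = struct.unpack(">I", raw[:4])
        return raw[4:4 + n].decode("ascii") if len(raw) >= 4 + n else None
    except (ValueError, struct.error):
        return None

def audit(text):
    """Return (line number, declared type, verdict) for every key line."""
    out = []
    for no, line in enumerate(text.splitlines(), 1):
        fields = FIELD.findall(line)
        if not fields or fields[0].startswith("#"):
            continue
        # An options field (from=, command=, no-pty, ...) precedes the key type.
        i = 0 if fields[0].startswith(("ssh-", "ecdsa-")) else 1
        declared = fields[i] if len(fields) > i else ""
        actual = blob_key_type(fields[i + 1]) if len(fields) > i + 1 else None
        if actual is None:
            verdict = "malformed"
        elif actual != declared:
            verdict = "type-mismatch"
        elif actual.startswith("ssh-dss"):  # covers ssh-dss and ssh-dss-cert-*
            verdict = "dsa-disabled"
        else:
            verdict = "ok"
        out.append((no, declared, verdict))
    return out

def sample_blob(kt):
    """Constructed blob: valid type header plus filler bytes, not a usable key."""
    return base64.b64encode(struct.pack(">I", len(kt)) + kt.encode() + b"\0" * 16).decode()

SAMPLE = "\n".join([  # constructed input, not taken from a real host
    "# keys for root",
    "ssh-rsa " + sample_blob("ssh-rsa") + " admin@jump",
    'from="10.0.0.5",command="echo backup done" ssh-dss ' + sample_blob("ssh-dss") + " backup job",
    "ssh-rsa " + sample_blob("ssh-dss") + " relabelled",
])
if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Any line reported as dsa-disabled or type-mismatch is a key to replace with a freshly generated RSA key, not a reason to edit the sshd configuration.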

Final note: Limit who can log into your ESXi host. Only those you trust the most should have access. If you are logging in to “run scripts and stuff” (as many customers tell me they do) then you might want to look into using tools like the vSphere API and scripting tools like PowerCLI or Python.

If you have something you CAN’T do via API or scripting, please let us know! Reply here or send email.

Thanks for reading!

If you liked these posts, please let me know! If you have comments, please reply here, to @vspheresecurity or @mikefoley on Twitter or via email to mfoley@VMware.com or mike@yelof.com

Top 5 Virtual SAN Posts From 2016 to-Date

Time doesn’t slow down for anybody, so it’s understandable if you miss some information here and there. Luckily, we’ve got you covered on Virtual Blocks. Take a look back on some of the most popular Virtual SAN posts from the past few months.

What’s New-VMware Virtual SAN 6.2

On February 10th, we announced VMware Virtual SAN 6.2, updated to include robust space efficiency features by delivering deduplication and compression as well as providing RAID-5/RAID-6 support for all-flash Virtual SAN environments. John Nicholson also discusses new extensions to the Virtual SAN Ready Node program.

The Use of Erasure Coding In VMware Virtual SAN 6.2

Christos Karamanolis proves one size doesn’t fit all. In this blog, he discusses Virtual SAN’s implementation of RAID-5 and RAID-6 and advises customers to evaluate their requirements in order to gain a better understanding of what they need based on their workload.

Introducing The 4th Generation VMware Virtual SAN

Yanbing Li dives into how VMware Virtual SAN continues to build on its principal benefits: simplicity, performance, cost-efficiency, and scalability.

The Road to All-Flash VMware Virtual SAN

John Nicholson talks about why he thinks 2016 will see All-Flash VMware Virtual SAN overtake 10K RPM drive-based hybrid Virtual SAN as the most popular deployment choice.

Virtual SAN Stretch Clusters-Real World Design Practices (Part 1)

Jonathan McDonald gives us a personal account of setting up stretch clusters for Virtual SAN. Here, he provides tips that will ensure a flawless experience.

Be sure to subscribe to the Virtual Blocks blog, and follow our social channels at @vmwarevsan and Facebook.com/vmwarevsan for the latest updates.

Blogger Talk Show–Pilot Episode on PowerCLI

Here at VMware we are always trying to make sure we give you the information you need in a way that you can best consume it.

With this in mind, a little while ago I was asked to take part in a pilot for a new talk show VMware is looking to gain feedback on. This gives us the chance to give you more information in a less formal way and you the chance to learn more about a given subject.

The initial talk show is a little rough around the edges, but please do take 30 minutes out of your busy schedule to check it out and perhaps learn a little more about PowerCLI and how to work with VMs in particular.

Two Factor Authentication for vSphere – RSA SecurID – Part 2

Introduction

In Part 1 of Two Factor Authentication for vSphere – RSA SecurID, we configured RSA Authentication Manager to get it ready for adding the PSC as an Authentication Manager agent. In this post, we’ll configure the Platform Services Controller (PSC) itself by uploading the sdconf.rec file and running the appropriate CLI commands to enable RSA SecurID. We’ll also talk about other authentication options you can enable or disable as you see fit.

Configure Platform Services Controller


Top Ten things to consider when moving Business Critical Applications (BCA) to the Cloud (Part 2 of 3)

In the first part we looked at public, private and Hybrid Cloud and their characteristics. In this part we will look at the common characteristics of business critical applications. We will also look at how some of these characteristics relate to the different types of Cloud infrastructure.

Common Characteristics of Business Critical Applications (BCA):

Business critical applications typically have very stringent SLAs and have a direct impact on the business. These are the crown jewels of the business that need to be managed with utmost care to avoid loss of productivity, data and potential revenue. There are major factors that can have a direct impact on these applications, such as the following:


Two Factor Authentication for vSphere – RSA SecurID – Part 1

Introduction

This is Part 1 of a 2 part blog series. In this post we’ll talk about setting up RSA SecurID Authentication Manager, some architectural assumptions and what you’ll need to take with you to Part 2.

Two Factor Authentication

Two factor authentication (2FA) has become ubiquitous nowadays. For those of you still in the Dark Ages where you have your password written on a Post-It Note stuck to the bottom of your keyboard, 2FA is “something you have”, like a hardware or software token and “something you know” which would be a secret PIN.


vSphere HTML5 Web Client Fling – Getting Started

Update 3/30/16 – Added requirement of IP Pool for vSphere Client

VMware announced the first step towards making an HTML5 Web Client a reality, the vSphere HTML5 Web Client Fling. This first release of the Fling will focus primarily on VM management, with more updates coming. Here is a list of the features and operations available in this first release:

  • VM power operations
  • VM Edit Settings (simple CPU, Memory, Disk changes)
  • VM Console
  • VM and Host Summary pages
  • VM Migration (only to a Host)
  • Clone to Template/ VM
  • Create VM on a Host (limited)
  • Additional monitoring views: Performance charts, Tasks, Event
  • Global Views: Recent tasks, Alarms (view only)
  • Integrated Feedback Tool
