Home > Blogs > VMware Consulting Blog > Category Archives: How-to

Category Archives: How-to

Control-Alt-Delete in the World of VDI

by Mike Erb

When I was still working as an Escalation Engineer for VMware® Global Support, there was a time-honored tradition among the Broomfield center’s EUC support group: If you left your computer unlocked and walked out of eyesight, you’d always come back to a surprise.  The HR folks would probably be unhappy at such an unauthorized use, but a quick flip of the screen with Ctrl-Alt-Up and a dash back to your desk, leaving their display inverted and the surrounding engineers glancing over for the inevitable reaction, was worth the risk.

Continue reading

VMware Horizon 7 – Associate Instant Clone Virtual Machines

Matt_freyby Matt Frey

Being a field consultant affords me the opportunity to get in the nitty gritty with many of our customers. One of my favorite aspects of this role is helping customers address their business’s needs in a hands-on fashion. During one of my recent engagements, a customer asked, “How do I identify which parent VMs belong to which Instant Clone Desktops?” Since I’m sure that question will be asked by many others, I thought I would take some time to show how that process is carried out.
Horizon 7 - Associate IC VMs

 I hope that this article helps in shining light on the relationship between the various Instant Clone components. If your team needs additional resources I recommend you check out our Horizon Certification courses as well as the many Hands On Labs.

=======

Matt Frey is a Consultant in the End User Computing branch of Professional Services with over 15 years’ experience in the IT industry. He currently holds a VCP6-DTM and VCAP6-DTM and specializes in bringing enhanced value to customers by leveraging VMware’s strong EUC portfolio.

VMware User Environment Manager and ADMX Settings

JeffSmallby Jeffrey Davidson

In this blog entry, I will walk through how to configure ADMX settings within the VMware® User Environment Manager™ Management Console. Additionally, I will discuss how User Environment Manager ADMX settings work together with existing Group Policy configurations.

In this example, I will be setting Google Chrome as the default browser using the ADMX settings.

Continue reading

Supporting Always On Availability Groups (SQL Server) with App Volumes

Ma_Mark2By Mark Ma

With the recent release of App Volumes 2.12, we officially support Microsoft SQL Server Always On Availability Groups.

SQL Always On Availability Groups is a great way to provide high availability and disaster recovery because live copies of your databases reside on secondary servers. By integrating SQL Always On with App Volumes, we ensure the most popular application layering product can be enjoyed by users in any situation.

Continue reading

vRO Architecture Considerations When Digitally Signing Packages

Spas KaloferovBy Spas Kaloferov

In this blog post we will take a look at how digitally signing packages in VMware vRealize® Orchestrator™ (vRO) may affect the way you deploy vRO in your environment.

In some use cases, digitally signing workflow packages may affect your vRO architecture and deployment. Let’s consider a few examples.

Use Case 1 (Single Digital Signature Issuer)

Let’s say you have vRO ServerA and vRO ServerB in your environment. You’ve performed the steps outlined in How to Change the Package Signing Certificate of a vRO Appliance (SKKB1029) to change the PSC on vRO ServerA , export the keystore, and import it on vRO ServerB. This will allow the following:

  • vRO ServerA can digitally sign workflow packages, and vRO ServerB can read packages digitally signed by vRO ServerA.
  • vRO ServerB can digitally sign workflow packages, and vRO ServerA can read packages digitally signed by vRO ServerB.

Now what happens when you add vRO ServerC?

Continue reading

Securing Your PowerShell Execution and Password in VMware vRealize Orchestrator

Spas Kaloferovby Spas Kaloferov

In this blog post we will look at how to secure your end-to-end PowerShell Execution from VMware vRealize® Orchestrator™ (vRO)—including how not to show passwords when using the Credential Security Support Provider (CredSSP) protocol in a double-hop authentication scenario.

Let’s look at a few common use cases regarding the configuration of vRO, the PowerShell host, the Windows Remote Management (WinRM) protocol, and the PowerShell script/command, and how we can best secure all of them.

Web Services (WS)-Management encrypts all traffic by default, and this is controlled by the AllowUnencrypted client and server WinRM configuration parameter—even if you only work with HTTP (the default configuration) and not with HTTPS. Prior to Windows Server 2003 R2, WinRM in an HTTP session was not encrypted.

Continue reading

How to Configure vRealize Orchestrator to Use SSL to Connect to a SQL Server Database

Spas Kaloferovby Spas Kaloferov

Microsoft® SQL Server® can use Secure Sockets Layer (SSL) to encrypt data that is transmitted across a network between an instance of SQL Server and a client application.

SSL can be used for server validation when a client connection requests encryption. If the instance of SQL Server is running on a computer that has been assigned a certificate from a public certification authority, identity of the computer and the instance of SQL Server is vouched for by the chain of certificates that lead to the trusted root authority. Such server validation requires that the computer on which the client application is running be configured to trust the root authority of the certificate that is used by the server.

For the purposes of this article, the client application that will be configured with an encrypted connection to the database is VMware® vRealize® Orchestrator™. I will show you how to configure vRealize Orchestrator Appliance™ to use an SSL connection when communicating with a Microsoft SQL Server database.

Continue reading

How to Add a Linux Machine as PowerShell Host in vRO

By Spas Kaloferov

Introduction

In this article we will look into the alpha version of Microsoft Windows PowerShell v6 for both Linux and Microsoft Windows. We will show how to execute PowerShell commands between Linux , Windows, and VMware vRealize Orchestrator (vRO):

  • Linux to Windows
  • Windows to Linux
  • Linux to Linux
  • vRO to Linux

We will also show how to add a Linux PowerShell (PSHost) in vRO.

Currently, the alpha version of PowerShell v6 does not support the PSCredential object, so we cannot use the Invoke-Command command to programmatically pass credentials and execute commands from vRO, through a Linux PSHost, to other Linux machines, or Windows machines. Conversely, we cannot execute from vRO –> through a Windows PSHost –> to Linux Machines.

To see how we used the Invoke-Command method to do this, see my blog Using CredSSP with the vCO PowerShell Plugin (SKKB1002).

In addition to not supporting the PSCredential object, the alpha version doesn’t support WinRM. WinRM is Microsoft’s implementation of the WS-Management protocol, a standard Simple Object Access Protocol (SOAP)-based, firewall-friendly protocol that enables hardware and operating systems from different vendors to interoperate. Therefore, when adding a Linux machine as a PowerShell host in vRO, we will be using SSH instead of WinRM as the protocol of choice.

The PowerShell v6 RTM version is expected to support WinRM, so we will be able to add the Linux PSHost with WinRM, and not SSH.

So, let’s get started.

Continue reading

The Anatomy of an Instant Clone

By Travis Wood

If you’ve used Horizon View over the last few years, then you most likely have come across linked clones. Linked clones use a parent image, called a “replica,” that serves read requests to multiple virtual machines (VMs), and the writes in each desktop are captured on their own delta disk. Replicas can also be used to change desktop update methodologies; instead of updating every desktop, you can update the parent image and recompose the rest of the desktops.

Horizon 7 has introduced a new method of provisioning with Instant Clones. Instant Clones are similar to linked clones in that all desktops read from a replica disk and write to their own disk, but Instant Clone takes it one step further by doing the same thing with memory. Instant Clones utilize a new feature of vSphere 6 where desktop VMs are forked (that is, Instant Clones are created) off a running VM—instead of cloning a powered-off VM—which provides savings for provisioning, updates, and memory utilization.

Golden Image

With Instant Clones you start with your golden image, in a way that is similar to linked clones. The golden image is the VM you install the operating system on, then join to the domain, and install user applications on; you follow the same OS optimizations procedures you would use for Instant Clones.

When you’re done, release its IP address, shut it down, and create a snapshot. Now you are ready to create your Instant Clone desktop pool. This VM should have VM Tools installed, along with the Horizon Agent with the Instant Clone module. It is NOT possible to have the Instant Clone and Composer modules co-installed, so you will always need different snapshots if using Instant Clones and linked clones from the same golden image. Reservations can be set on the golden image and they will be copied to the Instant Clones, reducing the size of the VSwap file. It is important to note that the golden image must be on storage that’s accessible to the host you are creating your Instant Clone desktop pool on.

Template

When you create your pool, Horizon will create a template. A template is a linked clone from your golden image, created on the same datastore as the golden image. It will have the name cp-template, and will be in the folder ClonePrepInternalTemplateFolder. Template disk usage is quite small, about 60 MB. There will be an initial power-on after the template is created, but it will then shut off.

TWood_Horizon Template

Replica

Next, Horizon will create a replica, which is the same as a Linked Clone replica. It is a thin-provisioned, full clone of the template VM. This will serve as the common read disk for all of your Instant Clones, so it can be tiered onto appropriate storage through the Horizon Administrator console, the same way it is done with Linked Clones. Of course, if you are using VSAN, there is only one datastore, so tiering is done automatically. Horizon will also create a CBRC Digest file for the replica. The replica will be call cp-replica-GUID and will be in the folder ClonePrepReplicaVmFolder. The disk usage of the replica will be depend on how big your Gold Master is, but remember, it’s thin provisioned and not powered on, so you will not have VSwap functionality.

TWood_Horizon Replica

Parent

Horizon will now create the final copy of the original VM, called a parent, which will be used to fork the running VMs. The parent is created on every host in the cluster; remember, we are forking running VMs here, so every host needs to have a running VM. These will be placed on the same datastore as the desktop VMs, where there will be one per host per datastore. Because these are powered on, they have a VSwap file the size of the allocated vMEM. In addition, there will be a small delta disk to capture the writes booting the parent VM and the VMX Overhead VSwap file, but this—and the sum of the other disks—is relatively small, at about 500 MB. These will be placed in ClonePrepReplicaVmFolder.

TWood_Horizon Parent

Something you’ll notice with the parent VM is that it will use 100% of its allocated memory, causing a vCenter alarm.

TWood_vCenter Alarm

TWood_Virtual Machine Error

Instant Clones

OK! At this point, we are finally ready to fork! Horizon will create the Instant Clones based on the provisioning settings, which can be upfront or on-demand. Instant Clones will have a VSwap file equal to the size of the vMEM—minus any reservations set on the Gold Master, plus a differencing disk.

The amount of growth for the differencing disk will depend on how much is written to the local VM during the user’s session, but it is deleted on logout. When running View Planner tests, this can grow to about 500 MB, which is the same as when using View Planner for Linked Clones. The provisioning of Instant Clones will be fast! You’ll see much lower resource utilization of your vCenter Server and less IO on your disk subsystem because there is no boot storm from the VMs powering on.

TWood_vCenter Server

Conclusion

Instant Clones are a great new feature in Horizon 7 that take the concept of Linked Clones one step further. They bring the advantages of:

  • Reducing boot storms
  • Decreasing provisioning times
  • Decreasing change windows
  • Bringing savings to storage utilization

Instant Clones introduce a number of new objects: replicas, parents, and templates. It is important to understand not only how these are structured, but also their interrelationships, in order to plan your environment accordingly.


Travis is a Principal Architect in the Global Technology & Professional Services team, specializing in End User Computing.  He is also a member of the CTO Ambassadors program which connects the global field with R&D and engineering.

How to Change the Package Signing Certificate of a vRealize Orchestrator Appliance (7.0.1)

 

By Spas Kaloferov

In this post, we will take a look at how to change the Package Signing Certificate (PSC) in a vRealize Orchestrator appliance.

To change the PSC, let’s review a few steps first:

ŸIssue a certificate to meet the company’s requirements. The certificate must have:

  • ŸDigital Signature and Key Encipherment Key Usage attributes
  • ŸServer Authentication Extended Key Usage attribute
  • ŸAssurance that the certificate has a private key

ŸUse the keytool to:

  • ŸCreate new keystore; the keystore type must be JCEKS.
  • ŸImport the certificate into the keystore.
  • ŸChange the alias of the certificate to _dunesrsa_alias_.
  • ŸGenerate a Security Key and place it in the keystore.
  • ŸChange the alias of the Security Key to _dunessk_alias_.

ŸUse the Control Center interface to:

  • Ÿ Import the keystore you created.
  • Ÿ Restart the Orchestrator server.

Here is a screenshot of the original PSC certificate:

SKaloferov_PSC Certificate

Changing the Package Signing Certificate

First, you must obtain a PFX Certificate Package (containing your PSC Certificate) issued from the Certificate Authority (CA).

SKaloferov_Package Signing Certificate

SKaloferov_Package Signing Certificate 2

SKaloferov_Certificate Path

Note that the certificate has the Digital Signature and Key_Encipherment Key Usage attributes as shown above. It also has the Server Authentication Extended Key Usage attribute.

Copy the PFX certificate package to any Linux appliance.

SKaloferov_Certificate Signing vRO

Using the OpenSSL tool, enter the following commands to create a new keystore and import the PFX certificate package at the same time.

keytool -importkeystore -srckeystore "/etc/vco/app-server/security/rui.pfx" -srcstoretype pkcs12 -srcstorepass "dunesdunes" -deststoretype jceks -destkeystore "/etc/vco/app-server/security/psckeystore" -deststorepass "dunesdunes"

SKaloferov_PFX Certificate

Enter the following command to change the alias of the certificate:

keytool -changealias -alias rui -destalias _dunesrsa_alias_ -keystore "/etc/vco/app-server/security/psckeystore" -storetype jceks -storepass "dunesdunes"

Next, enter this command to generate a security key:

keytool -genseckey -alias _dunessk_alias_ -keyalg DES -keysize 56 -keypass "dunesdunes" -storetype jceks -keystore "/etc/vco/app-server/security/psckeystore" -storepass "dunesdunes"

Notice I’ve used the DES algorithm and 56 key size in the above command, but you can also use the 3DES (DESese) algorithm and 168 key size.

Enter the following command to list the contents of the store.

keytool -list -storetype jceks -keystore "/etc/vco/app-server/security/psckeystore"

Copy the keystore file to your Windows machine.

Open Control Center and navigate to Certificates > Package Signing Certificate.

Click Import > Import from JavaKeyStore file.

Browse the keystore file, and enter the password.

SKaloferov_Current Certificate

Click Import to import the certificate.

Go to Startup Options and restart the Orchestrator service.

Navigate back to Certificates > Package Signing Certificate.

You should now see the new certificate.

SKaloferov_New Certificate

Open your vRealize Orchestrator appliance client, and navigate to Tools > Certificate Manager.

SKaloferov_vRO

You should now see the certificate shown below. The common name can differ, but if you compare the thumbprints, it should match the private key entry in your keystore.

SKaloferov_Keystore

I hope this post was valuable in helping you learn how to change the Package Signing Certificate in a vRealize Orchestrator appliance. Stay tuned for my next post!


Spas Kaloferov is an acting Solutions Architect member of Professional Services Engineering (PSE) for the Software-Defined Datacenter (SDDC) – a part of the Global Technical & Professional Solutions (GTPS) team. Prior to VMware, Kaloferov focused on cloud computing solutions.