By Jerad Forcier, Senior Consultant – Management, Security, Compliance, and Monitoring, VMware Professional Services
Here’s how to make sure your vCM Compliance Badge shows up in vCenter Operations
When I work on projects that integrate VMware vCenter Configuration Manager badges into the dashboard in vCenter Operations Management Suite, I often hear the same questions over and over. Whether you are doing the integration yourself or helping a client through the process, I hope this post will help answer some of your questions.
Let’s start with a little background: These two products use different methods for obtaining, storing, and retrieving information. The vCenter Operations Management Suite works by collecting several metrics related to utilization and performance from vCenter Server and stores them in a database. This data is displayed in user-friendly views, or “dashboards.”
The vCenter Configuration Manager (vCM) is an agent-based product that collects current configuration settings from virtual as well as physical machines. This configuration data is stored in a SQL database, and the views of this data are queried from the database using an SSRS reporting structure.
As you can imagine, the information these products collect provides important insights—put them together and you get a more complete view of your environment. It is one thing to recognize that a single VM has dramatically increased utilization and something else to correlate it to the configuration change that caused that increase.
For tying together products that have external or dissimilar databases, VMware provides adapters, which tell the vCenter Operations Manager database that it can get more information over in the secondary database. To demonstrate this, we will use the vCM database and its associated adapter. This particular adapter is a built-in option in vCOps 5.6 and higher.
I’ve been reminded of the value of this integration with one of the clients I’m working with right now. They’ve been using vCenter Configuration Manager for years for compliance, but previously had to create their own custom dashboard to show a roll-up of the environment with the compliance status within it. That’s a very tricky process, so it breaks often and provides inconsistent data.
At the end of this month, they are getting audited for compliance. To prepare, we’re installing the newest version of vCM, moving all their compliance jobs over to it, and setting up vCenter Operations Manager and vCenter Infrastructure Navigator, products within vCenter Operations Management Suite, to replace their custom-built dashboard. This way it’s all built-in, and they are just leveraging something they have already invested in.
One of the most common questions I’m asked is, “How can I see immediate results from the integration of vCOps and vCM, without spending weeks sifting through various documentation and articles?” Here are three steps to achieve that.
1. Configure the adapter for vCenter Configuration Manager
- Open the vCOps custom UI
- Navigate to Environment/Configuration/Adapter Instances
- Under the Adapter Instances header, click the icon with the green plus
- Fill in your info about the vCM SQL server
- When you get to Credential, click the Add button
- Fill in the log on details, click OK, and your new credentials will now show
- Lastly, click the Test button and hope for a success message. If it is unsuccessful, check out my troubleshooting tips below.
The most common problem in this step is with database login to SQL. If you are using Active Directory authentication, the newest versions of vCM and vCOps, and you’ve deployed the vCOps virtual appliance, there may be issues getting the databases to talk. To save yourself some time, follow these steps:
1. Use mixed mode SQL authentication and create a separate vCOps account in SQL.
2. Give it read access to the vCM and vCM_UNIX databases.
Pretty simple! If you end up on the long and lonely highway of failed adapter tests, older versions of both vCOps and vCM had some tricks to get them to work (or not, depending on your setup with vCM). The out-of-the-box solution in the adapter documentation is a good base, but in every environment there seems to be a legacy policy with some weird quirks that can cause all of your hair to fall out prematurely.
If you still want to try out Active Directory authentication, you basically have three options. First, try the built-in option. If that doesn’t work, your second option is to tweak it to force NTLM authentication. How do we do this if the first one didn’t work? We trick the JDBC adapter by sneaking this into the configuration where it’s not looking! When you set the database name (vCM by default), follow the name with the required auth method, so it should look like this: “VCM;useNTLMv2=True”.
If the second option fails, try option three: SQL might already be in mixed mode on the vCM instance. Add another account to it as mentioned above, allow network log on, and test from your vCOps adapter.
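The separate read-only SQL account described in the steps above (and reused in option three) can be created as follows. This T-SQL is an added example, not part of the original post or VMware's documentation. The login name `vcops_reader` is hypothetical, the database names `VCM` and `VCM_UNIX` are assumed from the defaults mentioned here, and the password is a placeholder.

```sql
-- Added example: least-privilege SQL login for the vCOps adapter.
-- Assumptions: login name vcops_reader (hypothetical), databases named
-- VCM and VCM_UNIX, password placeholder to be replaced before running.
USE [master];
GO
-- Confirm mixed mode first: 0 = mixed mode, 1 = Windows authentication only.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS WindowsAuthOnly;
GO
CREATE LOGIN [vcops_reader]
    WITH PASSWORD = N'<REPLACE-WITH-GENERATED-PASSWORD>',
         CHECK_POLICY = ON,        -- enforce the Windows password policy
         CHECK_EXPIRATION = OFF,   -- service account: rotate on your own schedule
         DEFAULT_DATABASE = [VCM];
GO
-- Map the login into each database and grant SELECT only (db_datareader).
-- On SQL Server releases before 2012, use instead:
--   EXEC sp_addrolemember N'db_datareader', N'vcops_reader';
USE [VCM];
GO
CREATE USER [vcops_reader] FOR LOGIN [vcops_reader];
ALTER ROLE [db_datareader] ADD MEMBER [vcops_reader];
GO
USE [VCM_UNIX];
GO
CREATE USER [vcops_reader] FOR LOGIN [vcops_reader];
ALTER ROLE [db_datareader] ADD MEMBER [vcops_reader];
GO
-- Verify: the login should hold no fixed server roles (expect zero rows).
USE [master];
GO
SELECT r.name AS server_role
FROM sys.server_role_members AS m
JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = m.member_principal_id
WHERE p.name = N'vcops_reader';
GO
-- Verify: db_datareader should be the only role returned (repeat in VCM_UNIX).
USE [VCM];
GO
SELECT r.name AS database_role
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS p ON p.principal_id = m.member_principal_id
WHERE p.name = N'vcops_reader';
GO
```

Keeping the adapter account out of `db_owner` and `sysadmin` means the credential stored in vCOps can read compliance data but cannot alter it.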
For other 5.6 adapter tricks, check out this helpful post by John Dias. If you need further information on troubleshooting, check out this video. If you run into something I haven’t mentioned here, I’d love to hear about it!
2. Create a Scheduled Compliance Collection and Template run job.
Now vCenter Operations is connected to vCenter Configuration Manager, but there isn’t any data in vCM for the operations management suite to display…so let’s go get some! We will now go into vCM and create specific jobs you want to run. If you are already using vCM to run compliance tasks, skip past the compliance template portion of this step.
If you have no compliance collections, let’s set up a quick job that you’ll revisit once everyone sees this. Using a compliance template, make sure you’re running compliance against a machine or two that actually exist in vCOps. If you have no compliance templates, you can use the Content Wizard Tool on the collector (Start/All Programs/VMware vCenter Configuration Manager/Tools/Content Wizard Tool).
For the demo, I am grabbing two: the vSphere 5.1 Hardening Toolkit – Complete and the CIS Windows Benchmarks.
Once complete, we need to collect the data that the compliance template is looking for. If we do not change anything in the template yet, we know that the result will not be accurate, but it is a good starting point to demonstrate this.
From vCM, open the Compliance slider. Expand Virtual Machine Compliance, and select the appropriate template. Once the template is selected, click Run Template. When this is complete, refresh the view and verify you now have data. Next, we will set up the mapping. This converts the percentage of compliance per object into a scored badge that vCOps can display.
In the compliance slider, expand vCenter Operations Manager Badge Mapping, and select Mappings.
Now click the Add button. We are going to add two mappings: the first is for Windows compliance, and the second is for vSphere 5.1.
For Windows:
- Name: Windows Compliance
- Badge: Risk – Compliance
- Roll Up Type: Simple Percentage
- Select Group Context: Machine Group Compliance
- Click Next
- Machine Group: All Windows Machines
- Click Next
- Select the CIS Comprehensive Windows Benchmarks template, or your selected template(s)
- Click New and create the same type of mapping for vSphere 5.1
- Name: vSphere 5.1
- Badge: Risk – Compliance
- Roll Up Type: Simple Percentage
- Select Group Context: Virtual Object Group Compliance
- Click Next
- Machine Group: All Virtual Objects
- Click Next
- Select the VMware vSphere 5.1 Hardening April 2013 – vSphere Controls template, or your selected template(s)
- Click Finish
Next, we will set up scheduled jobs and vCM automated tasks so we can “set it and forget it!”
- Open the Administration slider
- Expand Job Manager
- Click Scheduled
In the scheduled job manager, we will click Add. Below is what your jobs could look like if you’re following this.
- Job 1
- Job type: Collection
- Job Name: Compliance Collect
- Filter Sets: CIS Benchmarks Filters-Windows, VMware vSphere 5.1 Hardening Guide Filters
- Machine Groups: All Machines
- Occurs: Weekly
- Weekly: Every 1 week on Sunday
- Time of Day: Occurs once 5:00 a.m.
- Set the start date to the date of the next Sunday
- Click Next and Finish
And we might as well set up our compliance run as a scheduled job, since we’re already here.
- Click New
- Job Type: Compliance
- Name: Windows Compliance
- Templates: Center for Internet Security Comprehensive Windows Benchmarks
- Select: Do not enforce template at this time
- Click Next
- Select: All Windows Machines
- Click Next
- Scheduler:
- Occurs: Weekly
- Weekly Every: Sunday
- Time of Day: 7:00 am
Do the same for vSphere.
- Click New
- Job Type: Compliance
- Name: vSphere Compliance
- Templates: VMware vSphere 5.1 Hardening April 2013 – vSphere Controls
- Select: Do not enforce template at this time
- Click Next
- Select: All Virtual Objects
- Click Next
- Scheduler:
- Occurs: Weekly
- Weekly Every: Sunday
- Time of Day: 7:10 am
Next we need to set up a badge mapping job. There is no “instant” job, so it must be a scheduled job. The intent is that your compliance template would be a recurring scheduled job. If you would like to see that your compliance is increasing or decreasing without having to manually update, go ahead and set up these jobs in the scheduler to run one after the other.
- Job type: vCenter Operations Manager Compliance Badge Mapping Run
- Job Name: Windows Badge Run
- Filter Sets: Center for Internet Security Comprehensive Windows Benchmarks
- Machine Groups: All Windows Machines
- Occurs: Weekly
- Weekly: Every 1 week on Sunday
- Time of Day: Occurs once 8:00 a.m.
- Set the start date to the date of the next Sunday
- Click Next and Finish
- Job type: vCenter Operations Manager Compliance Badge Mapping Run
- Job Name: vSphere Badge Run
- Filter Sets: VMware vSphere 5.1 Hardening April 2013 – vSphere Controls
- Machine Groups: All Virtual Objects
- Occurs: Weekly
- Weekly: Every 1 week on Sunday
- Time of Day: Occurs once 8:10 a.m.
- Set the start date to the date of the next Sunday
- Click Next and Finish
For demo purposes, we expect to check compliance on Monday mornings. On Sunday, starting at 5 a.m., our first scheduled job will be to collect the compliance template data. At 6 a.m. we will run the compliance template. At 7 a.m. we schedule the badge mapping run, and by 8 a.m. we’ve converted the results to visible badges. Within 5 minutes, vCOps will poll the vCM database and our badges will be available in the vCOps dashboards. (We DO need some stinkin’ badges!)
3. View the badge in vCenter Operations
Until the badge is created in vCenter Configuration Manager, there will be an empty hole in the vCenter Operations dashboard. After performing the steps above, your vCM badge should appear. (Just like unlocking an invisible feature in a game!)