
Top 10 Tips for a Successful Horizon VDI


By Ryan Klumph

Here are my top ten tips and tricks for a smoother deployment of VMware Horizon® View™ Standard Edition. These suggestions are informed by several years spent as a Technical Support Engineer. This is not a complete list, so please refer to the official Horizon View Documentation when planning your deployment.


Basic VMware Security Tools and Practices

By Melba Lopez

I had the pleasure of joining my first ever internal security conference called MooseCon (Making Our Organization Security Experts Conference). There were a variety of topics discussed, but one particular talk by Noah Wasmer, Senior Vice President of Mobile Products, stayed with me the most. Noah discussed recent cyber attacks in the news, and he asked, “If you were on the front page of the Wall Street Journal because of a security breach, what would that do to your business?”


For any company, it would have a negative financial impact and shatter the trust of customers. As a Technical Account Manager (TAM) I often advise my customers to be more security-conscious and would like to share some information and resources about VMware security tools.


VMware Named 2016 STAR Award Winner for Innovation in Enabling Customer Outcomes

VMware’s global Professional Services organization has played an important role in enabling customer successes. Over the last five years, as VMware has evolved from a single product company to a multi-product solutions provider, the maturation, innovation and transformation of its professional services business has driven new and higher levels of business success and customer satisfaction.

The Technology Services Industry Association (TSIA) announced the 2016 STAR Award winners at the Technology Services World Conference held in Las Vegas. VMware Professional Services was named the 2016 STAR Award winner for Innovation in Enabling Customer Outcomes.

Now in its 26th year, the STAR Awards have become one of the highest honors in the technology services industry. The selection process is rigorous, consisting of a thorough evaluation followed by a vote by TSIA’s service discipline advisory board members.

Read the full article on the VMware Radius Blog.

Certificates for Dummies – Part One: VCSA and PSC Certificates’ Overview and Configuring PSC with Intermediate VMware Certificate Authority (VMCA)


By Jean Oliveira

My name is Jean Oliveira, and I’m a Technical Account Manager in Brazil. In this role, I am often asked to assist in areas where I am not an expert, which involves research. For example, I have a customer who planned to replace VMware vCenter Server and VMware vSphere hosts’ self-signed certificates with internal signed certificates. To complete this task, he wanted to use the VMware Certificate Authority service as an Intermediate CA. My goal for this post is to help others work through this same issue in their environments.

This blog is organized into two parts:

  • Part One: VCSA (vCenter Virtual Server Appliance) and Platform Services Controller (PSC) Certificates Overview and Configuring PSC with Intermediate VMware Certificate Authority (VMCA)
  • Part Two: Replacing vCenter Server Certificates with VMCA (VMware Certificate Authority)

Before entering any command or accessing a KB, I first had to understand the new architecture behind vCenter 6.x. In the previous version of vCenter Server, each component had its own certificate:

[Image: vCenter components]

In the new VMware architecture, there are only four certificates, with each one responsible for a set of components. The Platform Services Controller is responsible for signing and storing certificates in this new architecture.

[Image: vCenter architecture]

In the PSC, each active certificate must be unique. A certificate’s Subject Name is composed of the following: Common Name (CN), Organization (O), Organizational Unit (OU), Locality (L), State/Province (ST), and Country (C).

Initially, I had assigned the name “Web-Client” for all certificates generated for the Web Client service, which crashed my PSC. Based on my experience, I learned that each certificate’s Subject Name must be unique!

[Image: certificate details]

Keeping this in mind, I used the following naming conventions:

Common Name (CN): Server FQDN
Organization (O): My organization’s name
Organizational Unit (OU): I used the “certificate service name”; for example, VPXD, VPXD-Ext, Web-Client, Machine, and so on
State/Province (ST): Sao Paulo
Country (C): BR
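A pre-flight check for the uniqueness rule above, as an added example (not code from the original post or from VMware): it builds the Subject Name from each answer file and reports any that collide before certificate-manager is run. The `Key = Value` file layout, the helper names, and treating names that differ only in case or spacing as equal are assumptions; the sample files are constructed.

```python
from collections import defaultdict

# Answer-file keys (as prompted by certificate-manager in this post) mapped to
# the Subject Name attributes the post lists. Other keys (IPAddress, Email,
# Hostname) are ignored because the post does not list them as subject parts.
SUBJECT_KEYS = [("Name", "CN"), ("Organization", "O"), ("OrgUnit", "OU"),
                ("Locality", "L"), ("State", "ST"), ("Country", "C")]


def parse_cfg(text):
    """Parse 'Key = Value' lines (assumed layout); skip blanks and # comments."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        fields[key.strip()] = value.strip()
    return fields


def subject_name(fields):
    """Build a normalised subject string (assumption: case and repeated
    spaces are not enough to make two names distinct)."""
    parts = []
    for key, attr in SUBJECT_KEYS:
        value = " ".join(fields.get(key, "").split()).lower()
        if value:
            parts.append(f"{attr}={value}")
    return ",".join(parts)


def find_duplicate_subjects(cfgs):
    """Return {subject: [file names]} for subjects used by more than one file."""
    by_subject = defaultdict(list)
    for name, text in cfgs.items():
        by_subject[subject_name(parse_cfg(text))].append(name)
    return {s: sorted(n) for s, n in by_subject.items() if len(n) > 1}


# Constructed sample input: two files reuse OrgUnit "Web-Client", the mistake
# described in the post; machine.cfg follows the per-service naming convention.
BASE = ("Country = BR\nName = psc-01a.corp.lab\nOrganization = Corporate Lab\n"
        "State = Sao Paulo\nLocality = Sao Paulo\nHostname = psc-01a.corp.lab\n")
SAMPLE = {
    "MACHINE_SSL_CERT.cfg": BASE + "OrgUnit = Web-Client\n",
    "vsphere-webclient.cfg": BASE + "OrgUnit =  web-client\n",
    "machine.cfg": BASE + "OrgUnit = Machine\n",
}

if __name__ == "__main__":
    for subject, files in find_duplicate_subjects(SAMPLE).items():
        print(f"duplicate subject {subject}: {', '.join(files)}")
```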

The next step is to join the PSC to the Active Directory domain. Under Manage/Settings/Active Directory, click the Join button and enter the proper credentials, as shown in the following screen.

[Image: Active Directory]

Be sure to restart your PSC to apply the change.

Then, prepare the Microsoft Root Certificate Server. In my lab, I used a Windows Server 2003 R2 as a Root Certification Authority, so I had to configure it using “Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.0 (2112009)”.

My next step was to replace the PSC SSL root certificate with the certificate signed by my Microsoft Root Certificate authority, and then replace all machine and solution certificates.

To do this, I connected to my PSC through SSH. If you have trouble enabling the Bash shell, please follow “Toggling the vCenter Server Appliance 6.x default shell (2100508)”.

I located the folder, /usr/lib/vmware-vmca/bin, and ran the command, ./certificate-manager, selecting Option 2, “Replace VMCA Root certificate with Custom Signing Certificate and replace all Certificates”. You can review the following choices I made, and replace them with the correct values for your environment.

  • Do you wish to generate all certificates using configuration file: Option[Y/N] ?: Y (Select Y.)
  • Please provide valid SSO and VC privileged user credential to perform certificate operations.
  • Enter username [Administrator@vsphere.local]: (Enter your administrator username.)
  • Enter password: (Enter the password.)
  • MACHINE_SSL_CERT.cfg file exists, Do you wish to reconfigure: Option[Y/N] ?: Y (Select Y to reconfigure the answer file.)
  • Enter proper value for ‘Country’ [Previous value: US]: BR
  • Enter proper value for ‘Name’ [Previous value: CA]: psc-01a.corp.lab (I used the PSC server FQDN.)
  • Enter proper value for ‘Organization’ [Previous value: VMware]: Corporate Lab
  • Enter proper value for ‘OrgUnit’ [Previous value: VMware]: Machine-SSL (I used the Service Name.)
  • Enter proper value for ‘State’ [Previous value: California]: Sao Paulo
  • Enter proper value for ‘Locality’ [Previous value: Palo Alto]: Sao Paulo
  • Enter proper value for ‘IPAddress’ [optional]:
  • Enter proper value for ‘Email’ [Previous value: email@acme.com]: administrator@corp.lab
  • Enter proper value for ‘Hostname’ [Enter valid Fully Qualified Domain Name (FQDN), For Example: example.domain.com]: psc-01a.corp.lab
  • Please configure machine.cfg with proper values before proceeding to next step.
  • Enter proper value for ‘Country’ [Previous value: US]: BR
  • Enter proper value for ‘Name’ [Default value: CA]: psc-01a.corp.lab (I used the PSC server FQDN.)
  • Enter proper value for ‘Organization’ [Default value: VMware]: Corporate Lab
  • Enter proper value for ‘OrgUnit’ [Default value: VMware]: Machine (I used the Service Name.)
  • Enter proper value for ‘State’ [Default value: California]: Sao Paulo
  • Enter proper value for ‘Locality’ [Default value: Palo Alto]: Sao Paulo
  • Enter proper value for ‘IPAddress’ [optional]:
  • Enter proper value for ‘Email’ [Default value: email@acme.com]: administrator@corp.lab
  • Enter proper value for ‘Hostname’ [Enter valid Fully Qualified Domain Name (FQDN), For Example: example.domain.com]: psc-01a.corp.lab
  • Please configure vsphere-webclient.cfg with proper values before proceeding to next step.
  • Enter proper value for ‘Country’ [Default value: US]: BR
  • Enter proper value for ‘Name’ [Default value: CA]: psc-01a.corp.lab (I used the PSC server FQDN.)
  • Enter proper value for ‘Organization’ [Default value: VMware]: Corporate Lab
  • Enter proper value for ‘OrgUnit’ [Default value: VMware]: vsphere-webclient (I used the Service Name.)
  • Enter proper value for ‘State’ [Default value: California]: Sao Paulo
  • Enter proper value for ‘Locality’ [Default value: Palo Alto]: Sao Paulo
  • Enter proper value for ‘IPAddress’ [optional]:
  • Enter proper value for ‘Email’ [Default value: email@acme.com]: administrator@corp.lab
  • Enter proper value for ‘Hostname’ [Enter valid Fully Qualified Domain Name (FQDN), For Example: example.domain.com]: psc-01a.corp.lab
    1. Generate Certificate Signing Request(s) and Key(s) for VMCA Root Signing certificate
    2. Import custom certificate(s) and key(s) to replace existing VMCA Root Signing certificate
  • Option [1 or 2]: 1 (Select Option 1 to generate the certificate request for the Root Certificate Server.)
  • Please provide a directory location to write the CSR(s) and PrivateKey(s) to:
  • Output directory path: /tmp/ca
  • Please configure certool.cfg with proper values before proceeding to next step.
  • Enter proper value for ‘Country’ [Default value: US]: BR
  • Enter proper value for ‘Name’ [Default value: CA]: psc-01a.corp.lab (I used the PSC server FQDN.)
  • Enter proper value for ‘Organization’ [Default value: VMware]: Corporate Lab
  • Enter proper value for ‘OrgUnit’ [Default value: VMware]: certtool (I used the Service Name.)
  • Enter proper value for ‘State’ [Default value: California]: Sao Paulo
  • Enter proper value for ‘Locality’ [Default value: Palo Alto]: Sao Paulo
  • Enter proper value for ‘IPAddress’ [optional]:
  • Enter proper value for ‘Email’ [Default value: email@acme.com]: administrator@corp.lab
  • Enter proper value for ‘Hostname’ [Enter valid Fully Qualified Domain Name (FQDN), For Example: example.domain.com]: psc-01a.corp.lab
  • CSR generated at: /tmp/ca/vmca_issued_csr.csr (Save this path and name!)

I used WinSCP to copy the file vmca_issued_csr.csr from my PSC Server to my Windows Root Certification Authority Server, C:\Users\Administrator\Desktop.

As stated earlier, in my lab I used a Windows 2003 R2 Root Certification Authority server and, in this Windows version, V3 certificate templates are NOT visible in the Certificate Web Server. Therefore, I had to use the command line to issue the certificates. If you are using Windows 2008 and later, this is not a problem. If you are using Windows 2003 as I was, let me save you some research time! Below are the command line steps to issue the certificates.

Before submitting the request, I had to find the vSphere 6.0 VMCA template name. To find a list of all templates, open a command prompt in the Root Certificate Server, and type:

C:\Users\Administrator\Desktop>certutil -CATemplates

After locating the vSphere 6.0 VMCA name, “vSphere6.0VMCA,” I entered the following command to request the VMCA certificate:

C:\Users\Administrator\Desktop>certreq -attrib "CertificateTemplate:vSphere6.0VMCA" -submit vmca_issued_csr.csr

I saved the certificate file as vmca_issued_cert.cer.

The next step was to create the certificate chain, which included the VMCA Certificate (generated in the previous step), and the Domain Root certificate. To complete this step, I did the following:

  • Created a new empty file, server-root.cer
  • Opened the vmca_issued_cert.cer in Notepad and copied all information to the file, server-root.cer
  • Opened the certenew.cer in Notepad and copied all information to the file, server-root.cer
  • Saved the file server-root.cer

Now I had a full chain certificate file, which I copied to the folder /tmp/ca on my PSC Server.

Moving on, I returned to the SSH session and chose option 1 below:

  • CSR generated at: /tmp/ca/vmca_issued_csr.csr
    1. Continue to importing Custom certificate(s) and key(s) for VMCA Root Signing certificate
    2. Exit certificate-manager
  • Please provide valid custom certificate for Root.
  • File: /tmp/ca/server-root.cer (Enter the full path and name to the file, server-root.cer.)
  • Please provide valid custom key for Root.
  • Please provide valid custom certificate for Root.
  • File: /tmp/ca/root_signing_cert.cer (The path is the same as above, and the file name is default.)
  • Please provide valid custom key for Root.
  • File: /tmp/ca/vmca_issued_key.key (The path is the same as above, and the file name is default.)
  • You are going to replace Root Certificate with custom certificate and regenerate all other certificates
  • Continue operation: Option[Y/N] ?: Y (Select Y.)
  • Get site nameCompleted [Replacing Machine SSL Cert…]
  • default-site
  • Updated 9 service(s)
  • Status: 100% Completed [All tasks completed successfully]

When it finished, I restarted all services by running service-control --stop --all, and then service-control --start --all.

To verify everything was working, I looked in the certificate store.

VMware also has a good KB you can use as a guide, “Configuring VMware vSphere 6.0 VMware Certificate Authority as a subordinate Certificate Authority (2112016)”.

Stay tuned for Part Two, when I will walk you through the process for replacing vCenter certificates with VMCA signed certificates. Talk to you then!


Jean Oliveira is a Technical Account Manager for VMware based in São Paulo, Brazil. For the last 5+ years, he has been helping customers in their hybrid-cloud journey, saving money and achieving a higher IT maturity. When not working, he loves to be with his wife Shirley. You can connect with Jean on LinkedIn.

VMworld 2016 for TAMs: What to Know Before You Go

Joining us at VMworld this week in Las Vegas? We’re excited to see you! Here on the ground as we set up, time seems to be moving extra slowly. The party’s about to start and the guests are on their way—but for now, we have to wait. (Talk to us Thursday as we wonder where all the time went!)

For our TAM customers, we’ve made sure there’s no limit to the opportunities to learn more about the latest in IT. Whether it’s your first, second, or tenth VMworld, you’re in for a whirlwind week. There’s a lot going on the next few days—plan wisely.

A TAM Customer with a Plan

Here’s a rundown of key VMworld moments:

  • VMworld: Sunday, August 28–Thursday, September 1 at the Mandalay Bay Hotel and Convention Center, Las Vegas
  • TAM Customer Day: Sunday, August 28
  • TAM Lounge: Monday, August 29–Thursday, September 1
  • TAM Customer Central: Monday, August 29–Thursday, September 1

Now, you may have already registered for VMworld. But have you checked in with your TAM? We’ve got countless breakout sessions, deep dives, and panels planned, and your TAM can help orient you toward those events most relevant to your business.

This year, we’re continuing the VMworld tradition of TAM Customer Day. We’ll talk through your issues, work collaboratively to find resolutions, and introduce you to experts on VMware best practices. This year’s TAM Customer Day falls on Sunday, August 28, the day before VMworld starts.

Something for Everyone

This year, we’re bringing in VMware thought leaders for Office Hours at TAM Customer Central (TCC) Headquarters. Stop by, chat, and ask questions—we’re all ears. There really is something for everyone:

In the TAM Lounge and TCC:

  • Monday
    • Troubleshooting Storage Performance in vSphere: Walk through the vSphere storage stack, configuration suggestions, and diagnostic advice.
    • CLEAR Insights: Get a sneak preview of the CLEAR report, detailing the progress and challenges of mature TAM customers.
    • Overview of Virtual Technical Advisor Service: Join us for a journey through the VTA Service with real-world examples.
    • TCC Office Hours: Chat with Nisha Rai, VMware Tools Product Manager.
  • Tuesday
    • Real-World Maturity Analytics Trends and Discussion: This session highlights key findings and broad analyses from the TAM CLEAR report.
    • Premier Support Services: Learn the differences between Mission Critical and Business Critical offerings in Premier Support, VMware’s top technical assistance solution.
    • Introduction to TAM Services: New to the VMware TAM ecosystem? Drop in for the low-down on all things technical.
    • TCC Office Hours: Chat with Yiting Jin, vSphere Senior Product Manager.
  • Wednesday
    • A Customer’s Perspective on Driving IT Transformation: Take a look at real-world IT transformation challenges—from the customer perspective.
    • TAM Family Program Analytics: Want to learn how TAM Family customers use our team’s analytics? See how TAMs help set up their customers for success.
    • Production is Down—So Are My Tools: Explore a production outage use-case to see VMware solutions in action.
    • TCC Office Hours: Chat with Amanda Blevins, Director of Technology, Office of the CTO.
  • Thursday
    • Overview of Virtual Technical Advisor Service: See Monday’s description.

… That’s Not All, Folks

Get social! Throughout the event you can find us on Twitter and Facebook. Follow along for updates from the TAM Lounge, or join the conversation with #VMwareTAM.

And of course, remember to keep some extra space open in your luggage. How else will you cart home all your fantastic VMware swag? We’ve got two daily prizes up for grabs—one slick VMworld aviator jacket and a voucher good for any VCP exam. You could be one of our lucky, random winners.

That’s all for now. We look forward to seeing faces both familiar and new at VMworld. Until Sunday!