My Road Warrior Survival Guide

Being a consultant for VMware, I spend about 70% of my time on the road in hotel rooms across the world. Recently, I spent over a month straight in a German hotel room while going to work and doing a job far from the norm of my everyday life. It can be intense at times, and I’d be lying if I said I didn’t get homesick, but over the past year I’ve found a few things that have helped keep me grounded and happy while living on the road. This post is going to detail a few of those things in the hope that it helps someone out there like me.

Walking Score of Hotel
This is one of the most important choices for making your time away comfortable and exciting. I typically seek out a hotel near places I might find interesting in a new city. After a day of work in a new place, what better way to discover the city than by walking around? Before booking, I do a quick search of the city and what it might be known for: a few hot restaurants, museums, or other points of interest. Then I see if my preferred hotel chain has a spot nearby. This allows me to get back, change, and go exploring. Some people also find driving in a different place a bit daunting, so this helps alleviate that as well.

Hit the Gym
I am not a gym rat, by any stretch of the imagination. I avoid going to the gym at all costs when I am at home because I want to just relax after a week away, enjoy the fruits of my labor, and bask in the comforts of the home I am away from for so long. But while away, you have limited excuses for not getting off your ass and, at the very least, walking on a treadmill. It’s a great way to wind down, it keeps off the weight that comes with having to eat out for all your meals, and it’s good for you!

Portable Router with OpenVPN
This one goes without saying. Hopping on hotel wifi is a risk: it’s an open network, so anyone else on it can observe or tamper with traffic that isn’t encrypted. If you’re like me and travel with a laptop, phone, and tablet, having to sign into the hotel wifi on each device and then connect to your VPN can be a hassle. Getting a small, portable router fixes this problem. They’re $20-$30 on Amazon and can give you peace of mind while leveraging these open networks. Mine is always in VPN mode when powered on, so I know that at the very least my communications are encrypted between my devices and my VPN endpoint.

Explore
Yelp, Google, TripAdvisor, the concierge… all are great for finding things to do between leaving the office and sleeping. Find an awesome local coffee roaster, a mom-and-pop restaurant serving the local food scene’s best dishes, a craft beer bar slinging beers from the region of the country you are in. All are great ways to get a feel for where you are calling home for however many days or weeks ahead.

Meditate
There have been plenty of blogs and books about mindfulness and its benefits, so this won’t go into that. With the surplus of alone time, you might as well use it to better yourself (see Hit the Gym above). Learning the act of meditation can aid in getting over a rough day at the office or even just coping with being away from your family and loved ones. It takes a bit to get going, but try to build it into your daily routine and you will thank me later.

Be Picky with your Flights
I know some people are completely brand loyal to their air carrier of choice, but sometimes your project lands you in a place they might not have great routes to. Some will put up with 2+ layovers for the segments and miles, but your relaxation at home is at risk! I personally will give up the miles in a heartbeat if it means I can get home 5 hours sooner. If it is a long-term project you will be traveling to for the foreseeable future, maybe it’s time to change flight preferences. Open a credit card with the new airline, call them up, and say you aren’t happy with your current provider and would like your status matched on their airline. Sometimes it works, sometimes it doesn’t. In the end, it’s all up to you, but I know that I want to be home ASAP.

Read
Read comics, read tech books, read blogs, read whatever you want. Get your mind going on something you care about. Your household chores are waiting at home; use this time to catch up on something that interests you. Maybe even sprinkle in some gaming with an Nvidia Shield or Nintendo Switch, but you didn’t hear that from me.

By no means is this an exhaustive list, but this is my personal list of things I try to do each project/week I am away from home.

Custom Certificate Replacement Guide

I recently put this together for a customer of mine and figured I’d put it here for archival purposes and maybe some of you can use it as a full walkthrough of replacing vCenter, PSC, and ESXi host certificates with custom (non-VMCA) certificates from an external CA.

Nothing in here is new or revolutionary, but it’s all in one place and could be handed to a level 1 engineer to complete, as we did.

Creating a new Microsoft Certificate Signing template for vSphere 6.x products

    1. Connect to the CA server you will be generating the certificates from.
    2. Click Start > Run, type certtmpl.msc and click OK.
    3. In the Certificate Template Console, under Template Display Name, right-click Web Server and click Duplicate Template.
    4. In the Duplicate Template window, select Windows Server 2008 Enterprise.
    5. Click the General tab.
    6. In the Template display name field, enter VMware vSphere as the name of the new template.
    7. Click the Extensions tab.
    8. Select Application Policies and click Edit.
    9. Select Server Authentication and click Remove, then OK.

    Note: If Client Authentication exists, remove this from Application Policies as well.

    10. Select Key Usage and click Edit.
    11. Select the Signature is proof of origin (nonrepudiation) option. Leave all other options as default.
    12. Click OK.
    13. Click the Subject Name tab.
    14. Ensure that the Supply in the request option is selected.
    15. Click OK to save the template.
    16. Click Start > Run, type certsrv.msc, and click OK
    17. In the left pane of the Certificate Console, if collapsed, expand the node by clicking the + icon
    18. Right-click Certificate Templates and click New > Certificate Template to Issue
    19. Locate VMware vSphere template under the Name column
    20. Click OK

Generating a Certificate Signing Request (CSR) file for vCenter Appliance and PSC

    1. Use PuTTY to SSH into your vCenter Appliance by IP or FQDN.
    2. Log in with username root and supply the password
    3. Type shell and hit Enter
    4. Type cd /usr/lib/vmware-vmca/bin/ and hit Enter
    5. Type ./certificate-manager and hit Enter
    6. Select 1 and then Y and supply the SSO administrator username and password
    7. Fill out each question with the appropriate information for your department and organization
    8. Select 1 Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate
    9. Type /tmp for Output directory path and hit Enter
    10. After completion, select 2. Exit certificate-manager
    11. Type more /tmp/vmca_issued_csr.csr and hit Enter
    12. Copy and paste everything output, including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines, into a text file on your desktop


Obtain certificate from Microsoft Certificate Authority

    1. Log in to the Microsoft CA web interface. By default, it is http://CA_server_FQDN/CertSrv/.
    2. Click the Request a certificate (.csr) link.
    3. Click advanced certificate request.
    4. Click the Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file link.
    5. Open the certificate request from the previous step and copy everything from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST----- into the Saved Request box.
    6. Select the VMware vSphere template.
    7. Click Submit to submit the request
    8. Click Base 64 encoded on the Certificate issued screen
    9. Click the Download Certificate link
    10. Save the certificate as vcenter.crt

Obtain and Create CA Cert Chain from Microsoft Certificate Authority

    1. Log in to the Microsoft CA web interface (by default http://CA_server_FQDN/CertSrv) and click Download a CA certificate, certificate chain or CRL
    2. Select the Base 64 option.
    3. Click the Download CA Certificate chain link.
    4. Save the certificate chain as cachain.p7b
    5. Double-click the cachain.p7b file to open it in the Certificate Manager.
    6. Navigate to cachain.p7b > Certificates.
    7. Right-click the Root certificate listed and click All Actions > Export.
    8. Click Next.
    9. Select Base-64 encoded X.509 (.CER), and then click Next
    10. Save the export as Root64.cer and click Next.
    11. Click Finish
    12. Repeat steps 7-11 for each Intermediate CA certificate and save them as Int1.cer and Int2.cer as appropriate
    13. Click Start > Run > cmd and hit Enter
    14. Type cd C:\path\to\saved\certs
    15. Type type Int1.cer Int2.cer Root64.cer > cachain.cer and hit Enter

Replacing Certificate on vCenter/PSC Server

    1. Use PuTTY to SSH into your vCenter Appliance by IP or FQDN.
    2. Log in with username root and supply the password
    3. Type shell and hit Enter
    4. Type cd /usr/lib/vmware-vmca/bin/ and hit Enter
    5. Open cachain.cer in Notepad, select all text (Ctrl+A) and copy
    6. In PuTTY, type vi /tmp/Root64.cer, hit i, right click (you should see your cachain.cer contents pasted in), hit Escape, then type :wq and hit Enter. Despite its name, this file now holds the full chain (intermediates followed by the root), not just the root certificate.
    7. Open vcenter.crt in Notepad, select all text (Ctrl+A) and copy
    8. In PuTTY, type vi /tmp/vcenter.cer, hit i, right click (you should see your vcenter.crt contents pasted in), hit Escape, then type :wq and hit Enter
    9. Type cat /tmp/vcenter.cer /tmp/Root64.cer > /tmp/machine.cer and hit Enter (the files are in /tmp, not in the current directory, and step 14 reads /tmp/machine.cer)
    10. Type ./certificate-manager and hit Enter
    11. Select Option 1. (Replace Machine SSL certificate with Custom Certificate)
    12. Provide SSO administrator username and password.
    13. Select Option 2. Import custom certificate(s) and key(s) to replace existing Machine SSL certificate
    14. Type /tmp/machine.cer hit Enter
    15. Type /tmp/vmca_issued_key.key hit Enter
    16. Type /tmp/Root64.cer hit Enter
    17. Type Y to confirm
    18. Verify success by navigating to the vSphere Web Client and confirming SSL lock is now green and valid

Generating a Certificate Signing Request (CSR) file for ESXi Host(s)

    1. Log into the ESXi host through your web browser using https://IP_or_FQDN/ui
    2. Enter root and the password
    3. Click Manage > Services > TSM-SSH and click Start
    4. Open PuTTY and log into the host via FQDN or IP
    5. Type vi /tmp/openssl.cfg, hit i, and right click to paste in the following, replacing the sample values (shown in red in the original post) with your organization's information:

[ req ]
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
countryName = US
countryName_default = US
stateOrProvinceName = Virginia
stateOrProvinceName_default = Virginia
localityName = Annandale
0.organizationName = VMware
0.organizationName_default = VMware
organizationalUnitName = IT
commonName = esxi01.local
emailAddress = email@local.com

    6. Hit Escape, type :wq and hit Enter
    7. Type cd /tmp/ and hit Enter
    8. Type openssl req -new -nodes -out rui.csr -keyout rui-orig.key -config /tmp/openssl.cfg and answer the prompts (the defaults come from the config file)
    9. Type openssl rsa -in rui-orig.key -out rui.key (this rewrites the key in traditional RSA PEM format)
    10. Type more /tmp/rui.csr
    11. Copy and paste everything output, including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines, into a text file on your desktop

Obtain certificate from Microsoft Certificate Authority

    1. Log in to the Microsoft CA web interface. By default, it is http://CA_server_FQDN/CertSrv/.
    2. Click the Request a certificate (.csr) link.
    3. Click advanced certificate request.
    4. Click the Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file link.
    5. Open the certificate request from the previous step and copy everything from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST----- into the Saved Request box.
    6. Select the VMware vSphere template.
    7. Click Submit to submit the request
    8. Click Base 64 encoded on the Certificate issued screen
    9. Click the Download Certificate link
    10. Save the certificate as host01.crt

Change the Certificate Mode of vCenter

    1. Log into vCenter through the web client.
    2. Click Settings > Advanced Settings, and click Edit.
    3. In the Filter box, enter certmgmt to display only certificate management keys.
    4. Change the value of vpxd.certmgmt.mode to custom.
    5. Restart the vCenter Server service by logging into https://vCenter:5480

Replace ESXi Certificates

    1. Log in to vCenter Server with the web client.
    2. Put the host into Maintenance Mode.
    3. Using PuTTY, log in to the host
    4. Type cd /etc/vmware/ssl and hit Enter
    5. Type mv rui.key rui.key.bak and hit Enter
    6. Type mv rui.crt rui.crt.bak and hit Enter
    7. Type cp /tmp/rui.key . and hit Enter
    8. Type vi rui.crt and hit Enter
    9. Open host01.crt in Notepad, select all text (Ctrl+A) and copy
    10. In PuTTY, hit i, right click (you should see your host01.crt contents pasted in), hit Escape, then type :wq and hit Enter
    11. Type services.sh restart and hit Enter
    12. Exit the host from Maintenance Mode.
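Before any of the pastes above it is worth confirming that the files fit together: that the issued certificate actually chains to cachain.cer, that it names the right FQDN, and that it was issued for the key you generated, because a mismatch in any of these is what the certificate-manager import, or the lock icon in the web client, ends up reporting after the fact. The script below is an added example; it is not part of the original guide and not a VMware tool. It generates a key and CSR from a non-prompting config in the style of the guide's /tmp/openssl.cfg (going one step further by putting the FQDN in a subjectAltName), and provides check_csr and check_bundle to run against the files before they go to certificate-manager or /etc/vmware/ssl. Since the Microsoft CA is not available offline, make_demo_pki stands up a constructed root and issuing CA; the organization values, esxi01.example.test and every file name under the temp directory are assumptions for the demo only. It needs nothing beyond the openssl CLI the guide already uses on the host.

```shell
#!/bin/sh
# Added example, not from the original guide. Helpers a practitioner would run
# before handing files to certificate-manager or copying them to /etc/vmware/ssl:
#   make_csr     - key + CSR from a non-interactive config (the guide's openssl.cfg style)
#   check_csr    - CSR signature verifies and its CN is the expected FQDN
#   check_bundle - issued cert chains to the CA bundle, matches the FQDN, is not
#                  expired, and belongs to the private key
# make_demo_pki builds a constructed root -> issuing CA in place of the Microsoft CA
# so everything can be exercised offline; all of its names are assumptions.

# Non-prompting request config for FQDN $2 written to file $1. prompt = no takes the
# values as written; the SAN carries the FQDN because modern browsers ignore the CN.
write_req_config() {
  cat > "$1" <<EOF
[ req ]
prompt = no
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
C = US
ST = Virginia
L = Annandale
O = Example Org
OU = IT
CN = $2
[ v3_req ]
subjectAltName = DNS:$2
EOF
}

# Key and CSR for one host, as in the ESXi CSR steps (rui.key / rui.csr in $1).
make_csr() {   # make_csr <dir> <fqdn>
  write_req_config "$1/openssl.cfg" "$2"
  openssl req -new -nodes -newkey rsa:2048 -keyout "$1/rui.key" -out "$1/rui.csr" \
    -config "$1/openssl.cfg" 2>/dev/null
}

# 0 only if the CSR's self-signature verifies and its CN is the expected FQDN,
# i.e. what you paste into the CA web form is what you think it is.
check_csr() {   # check_csr <csr> <fqdn>
  openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
  openssl req -in "$1" -noout -subject | grep -q "CN *= *$2" || return 1
}

# 0 only if cert $1 chains to CA bundle $3, is valid for FQDN $4, is not expired,
# and was issued for private key $2. Each failure is a usual reason the import
# fails or the web client keeps showing a broken lock.
check_bundle() {   # check_bundle <cert> <key> <cachain> <fqdn>
  openssl verify -CAfile "$3" -verify_hostname "$4" "$1" >/dev/null 2>&1 \
    || { echo "chain or hostname check failed for $1" >&2; return 1; }
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null \
    || { echo "certificate in $1 is expired" >&2; return 1; }
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ] \
    || { echo "$2 is not the private key for $1" >&2; return 1; }
}

# Constructed two-tier demo CA standing in for the Microsoft CA and its chain export.
make_demo_pki() {   # make_demo_pki <dir> <fqdn>
  d=$1; fqdn=$2
  printf '[req]\nprompt=no\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\nCN=Demo Root CA\n[ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' > "$d/ca.cfg"
  openssl req -x509 -new -nodes -newkey rsa:2048 -keyout "$d/root.key" \
    -out "$d/Root64.cer" -config "$d/ca.cfg" -days 30 2>/dev/null
  printf '[req]\nprompt=no\ndistinguished_name=dn\n[dn]\nCN=Demo Issuing CA\n' > "$d/int.cfg"
  openssl req -new -nodes -newkey rsa:2048 -keyout "$d/int.key" -out "$d/int.csr" \
    -config "$d/int.cfg" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' > "$d/ca.ext"
  openssl x509 -req -in "$d/int.csr" -CA "$d/Root64.cer" -CAkey "$d/root.key" \
    -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/Int1.cer" 2>/dev/null
  make_csr "$d" "$fqdn"                      # the host's own key and CSR
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$fqdn" > "$d/leaf.ext"
  openssl x509 -req -in "$d/rui.csr" -CA "$d/Int1.cer" -CAkey "$d/int.key" \
    -CAcreateserial -days 30 -extfile "$d/leaf.ext" -out "$d/rui.crt" 2>/dev/null
  cat "$d/Int1.cer" "$d/Root64.cer" > "$d/cachain.cer"   # same order as the guide's type command
  openssl genrsa -out "$d/wrong.key" 2048 2>/dev/null     # unrelated key, for the mismatch case
}

# Stand-alone run: build the demo PKI, then show the checks passing and failing.
run_demo() {
  dir=$(mktemp -d)
  make_demo_pki "$dir" esxi01.example.test
  check_csr "$dir/rui.csr" esxi01.example.test && echo "CSR OK"
  check_bundle "$dir/rui.crt" "$dir/rui.key" "$dir/cachain.cer" esxi01.example.test && echo "bundle OK"
  check_bundle "$dir/rui.crt" "$dir/wrong.key" "$dir/cachain.cer" esxi01.example.test || echo "wrong key rejected"
  check_bundle "$dir/rui.crt" "$dir/rui.key" "$dir/Root64.cer" esxi01.example.test || echo "missing intermediate rejected"
  rm -rf "$dir"
}
run_demo
```

Run it as-is to see the positive and negative cases. On a real appliance the same functions apply to the guide's own files: check_bundle /tmp/machine.cer /tmp/vmca_issued_key.key /tmp/Root64.cer your-vcenter-fqdn before step 10 of the vCenter replacement, or the rui.crt, rui.key and cachain.cer trio before they are copied into /etc/vmware/ssl. The "missing intermediate" case is the one that bites most often: a bundle containing only Root64.cer verifies nothing, which is why the guide concatenates Int1.cer and Int2.cer ahead of the root.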

VMware Cloud on AWS – Your Enterprise’s Stepstool to Cloud

Last year’s VMworld teased the upcoming release of VMware Cloud on AWS and the partnership between VMware and Amazon but until this week, it was largely kept under wraps. This week, at VMworld 2017, VMware announced the initial GA of VMware Cloud on AWS so the wait is finally over for some of us.

When this was initially announced last year, I immediately became excited, as one of the hardest things to explain to colleagues and potential cloud consumers is all the intricacies of AWS’ platform. Every month they are pushing new features and enhancements, and unless you are an IT shop that lives day in and day out up there, it becomes very daunting to keep up with. The beauty of VMware Cloud on AWS is in its familiarity to your staff. It allows you to put your workloads on AWS without having to re-train your entire staff on the inner workings of AWS itself… they simply continue using their years of vSphere knowledge in a friendly web portal and leave the hardware worries to VMware and Amazon.

There are a few limitations in its current state, but as with most things in the cloud, they will be addressed at a rapid rate. Below I will share what I think are the most important takeaways for potential users of VMware Cloud on AWS:

Pricing

Nothing too surprising here in terms of seeing substantial discounts for reserved versus on-demand. This is standard practice in AWS’ and every other cloud provider’s pricing scheme, so it is nice to see they followed suit here as well.

Note: the prices shown in the original post are for a minimum deployment of 4 hosts and scale up from there based upon host count.

Hosting

At the time of writing, AWS-West is the only region available for VMware Cloud on AWS.

Since we are currently limited to a single region, the minimum VMware Cloud on AWS deployment is 4 hosts. This allows the SDDC cluster to have HA and DRS enabled, as well as the VSAN cluster supporting FTT=1. Currently, you cannot modify the HA/DRS rules for VMware Cloud on AWS.

As said above, the minimum cluster size is 4 hosts to a maximum of 16. This means at minimum you will have 8 CPUs, 144 vCPUs, 2TB RAM, and 42.8TB of NVMe VSAN storage. Fully maxed out, you will have 32 CPUs, 576 vCPUs, 8TB RAM, and 171.2 TB NVMe VSAN storage.

Hybrid vCenter Linked Mode is also supported. You will need to open the proper ports on your firewall as well as configure a VPN tunnel between your AWS VPC and on-premises datacenter.

You can find a few videos showing the ease of deployment of your SDDC cluster on AWS, as well as more information, here on the VMware Cloud on AWS official website.

Removing a broken/stale PSC from vCenter System Configuration

Recently, I had a customer who had one of the PSCs in their cluster lose its database. We are still investigating how this occurred, since it was paired to another PSC and this environment is mostly untouched as it is not in production yet.

Thankfully, it is faster to redeploy a new PSC and re-add it to the cluster than to analyze a downed PSC for hours on end. If you and your team wish to do investigative work, make sure to pull a support bundle down from the VAMI before doing these steps.

  • Verify none of your vCenters are using the PSC to be removed:
  • If a vCenter is still pointed to the PSC, re-point it to the functional one:
  • Power down the broken PSC
  • SSH into functional PSC and attempt to remove the broken PSC:
  • If you get the error ‘Could not find a host id which maps BROKEN-PSC-FQDN to in Component Manager Failed’, run this command:
  • If completed successfully, you should see the message:

vRealize Automation 7.3 Upgrade Issue – Missing Endpoints Fix / Workaround

Last week we saw the GA of vRA/vRO 7.3, which added an absolute ton of features for a ‘dot’ release. You can read more about that here, but I won’t be diving into it as there are plenty of other postings about it floating around by now.

Unfortunately, there is a relatively widespread bug going around post-upgrade that has to do with endpoint access and creation. Basically, the endpoints available for selection are whittled down from what you may be used to seeing to a non-standard set of options.

Thankfully the fix is quite simple and can be resolved with a single command! Also, there is a PR and Bugzilla entry internal to VMware, so engineering is fully aware of the issue and is working towards a patch.

Steps are as follows:

  • Log on to the IaaS VM
  • Open an administrator command prompt and browse to C:\Program Files (x86)\VMware\vCAC\Server\Model Manager Data\Cafe
  • vcac-config.exe RegisterCatalogTypesAsync -v
  • vcac-config.exe UpgradeEndpoints -v
  • That’s it; after that you should have all your endpoints back.

Protecting your browsing history from S.J.Res 34 – Tips and Tricks

This is typically a blog centered around virtualization, but with several posts on Facebook amongst friends discussing this ruling, I thought it’d be worthy of a blog post and a few of my cents on the matter.

Now that the Senate and House have both passed the controversial overruling of the FCC, allowing ISPs to use your browsing habits for targeted ads (we’re going to ignore the other, obvious possibilities), the only person who can stop this from becoming official is President Trump. Reports have said that he is being advised to sign S.J.Res 34, so buckle up and let’s go over a few ways you can limit what is exposed in your household.

VPNs
This is the most obvious way to try and keep your anonymity online while you browse. If you do a search for a VPN provider, you’ll see hits for a slew of different ones offering up all kinds of price points and packages. The problem here is that not all VPN providers are created equal. Some keep connection logs of when you connected, what external IP you used, and what internal IP they assigned you. That sounds like a quick subpoena away from having all your “private” information sent in a nice, neat PDF to the asking parties. The likelihood of this happening to someone simply shopping on Amazon or checking e-mail is nil, but paying for a form of privacy that isn’t all that private seems like a waste to me.

I’ve been using TorGuard for a few years now without issue. No logging, kill switches, and DNS leak protection are a few of the features they offer, along with a wide connection footprint so you can connect to a location of your choosing, no matter where you reside.

TorrentFreak did an extensive VPN review, and the companies on their list have been vetted by a group of people who like to keep their internet access as private as possible… pirates! You can take a look at the review here: 2017 VPN Review

I know most people have used a VPN by now, and if you’re reading this, you more than likely used it to connect to an employer’s network to access internal materials rather than for personal security. A personal VPN isn’t worth a damn if it’s not properly protecting you while browsing. Thankfully, if you use a VPN on the list above, you’re good to go. But a habit I always keep is to check for DNS leaks upon connecting to the VPN: if your DNS queries still go to your ISP’s resolvers, the ISP sees every hostname you look up even though the traffic itself is tunneled. Simply go to DNSLeakTest.com, and the IP and location displayed should match your VPN client’s connection status. If not, you may have a lacking VPN and should look into switching providers.

Now, a VPN is only useful if it’s connected and routing your bits and bytes through it. We all have a ton of connected devices in our homes in the form of laptops, tablets, phones, and perhaps even some IoT, so how do we VPN all of that at the same time? You could install your provider’s VPN app on each device for quick setup, but that’s a fair bit of maintenance if you ask me, so let’s get into part 2…

AlwaysOn VPN Routers
This type of router lets you plug in the VPN credentials for your provider account, which then keeps all traffic on your network private without the need to connect each time, on each device.

I’ve been a huge proponent of routers that support DD-WRT, an open source, feature-rich firmware you flash onto a consumer router. This isn’t the only option, though; several lower-end enterprise routers have the ability to set up an always-on VPN as well. Some of my favorite network gear is made by Ubiquiti, who has a line of edge routers that support this type of setup along with a ton of awesome enterprise-grade features at a consumer price point. Their EdgeRouter X starts at about $35 and, for a simple setup, takes only 15 minutes to get up and going. If you are a Verizon FiOS customer like myself, you have to set the FiOS router in bridge mode to allow passthrough to your personal router unless you want to deal with double-NAT’ing. There are a handful of guides out there on how to do this, depending on your model. If you have cable internet and didn’t “rent” the all-in-one wireless router from your provider, all you need to do is re-cable and power-cycle your cable modem to introduce your new router into the mix.

Browser Extensions
Everything I’ve discussed above has a monetary cost associated with it. This section will outline a few free options you can add to Firefox or Chrome to make it a bit more secure. At the end of the day, a combination of tools is going to be the safest way to go about keeping yourself secure.

HTTPS Everywhere : Chrome | Firefox This extension automatically redirects your URLs to the known SSL-enabled URL of the same site. For instance, if you type in ebay.com, it will automatically send you to https://www.ebay.com instead of http://www.ebay.com

As long as you are on an SSL-enabled website, your privacy and transactions are kept safe. The only thing your ISP can log is that you requested a certain site, say your bank’s; the pages you open and everything you send after you reach your bank’s website are encrypted and protected. Of course the ISPs could get really shady and put SSL decryptors in line to try to pull apart all of their customers’ information, but that is a huge investment and not entirely practical at this point.

uBlock Origin : Chrome | Firefox uBlock Origin has become pretty much the de facto blocker for browsers these days. It’s lightweight and does a great job of weeding out unnecessary tracking and ad displays during your browsing sessions. You will sometimes run into certain websites not displaying properly due to some objects being blocked, but it is quick to pick and choose which objects to see or hide.

This has gotten pretty long-winded at this point, so I will wrap it up as quickly as possible. This bill, soon to be law, isn’t good for anyone beyond the ISPs and the elected representatives who supported it, but thankfully there are ways we can make their attempts to procure our privacy and flash targeted ads across our screens a bit more difficult. Security isn’t free and neither are some of the options I’ve outlined above. But $50/year for a VPN and $150 in networking gear isn’t too big of an ask for a greater sense of security.

In summary:

  • Use a VPN as much as possible
  • Make sure the websites you visit support SSL
  • Make sure said SSL is valid; look for the green lock icon!
  • Teach your friends and family the importance of security while online, regardless of the looming rulings
How To: Upgrade vCSA 6.0 to vCSA 6.5

Today marks the release of vSphere 6.5 and with it a new vCenter Server Appliance that is worth paying attention to. Beyond the traditional boost of configuration maximums and security, this version comes loaded with features that have been requested over the past few years. Some highlights include:

  • Built-in migration tool to go from vCenter Server 5.5 or 6.0 to vCSA 6.5
  • Built-in VMware Update Manager
  • Native HA support deployed in an Active-Passive-Witness architecture
  • No Client Integration browser plug-in
  • Adobe Flex AND HTML5 web clients
  • API Explorer via the vCSA portal page for your automation needs
  • Tons of other little enhancements that you can read about here

This post will be a guide on getting you from vCSA 6 to 6.5, with setting up vCSA HA to come at a later date.

Crack open the ISO in your preferred flavor of OS and run the vCenter Server Appliance Installer. You’ll be greeted by the installer’s first screen (screenshots of each step are in the original post).

Hit next, accept the EULA, and fill out your environmental info: FQDN/IP of the 6.0 vCSA, SSO details, and the ESXi host info that is currently housing your 6.0 vCSA.

Now, if you are running VUM on a Windows server in your environment, you will see the following error: Unable to retrieve the migration assistant extension on source vCenter Server. Make sure migration assistant is running on the VUM server. Copy the ‘migration-assistant’ folder to the VUM server and run ‘VMware-Migration-Assistant.exe’, type in the password for the VUM service account, and return to the vCSA 6.5 Installer.

The next few pages are choosing your cluster resources, folder organization, and general deployment information. Since this was done in my lab, I chose to stick with the ‘tiny’ vCenter deployment since I do not expect to ever need anything larger than that… hopefully.

Once all that is done and dusted, you will get to the confirmation page to verify you didn’t fat-finger any settings. If they all look good, click Finish.

Assuming everything was chosen properly, you will see a lovely success screen. Congrats, you now have 2 vCSAs running… but that’s not what we are here for. We want to decommission the 6.0 in favor of 6.5 with all of our lovely settings. So let’s get that crackin’.

Hit next and fill in your vCSA 6.0 info as well as the host that is running your 6.0 vCSA. You may get a warning about DRS being enabled on the cluster, so feel free to change that setting depending on whether your settings are set too aggressively.

Next you will choose what data you wish to migrate from your old 6.0 to your new 6.5. I wanted all that lovely historical data, so I went with the longer, last option.

After that, you should be good to go! You will see some progress bars and then be greeted with links to your shiny, new 6.5 vCSA. *Hint* It’s the same info as your 6.0, thanks to the migration!

After you log in, check out your About vSphere menu and you should see vSphere 6.5 listed as the current build. You will also notice that your original 6.0 VM is powered off and can be decommissioned to your liking.

From there, you can hop into the Update Manager tab and upgrade your hosts to 6.5 automatically as well! Happy trails, friends, and enjoy all the new awesomeness that vCSA 6.5 has dropped into your lap.

DISA Approves STIGs for VMware NSX on DoD Networks

NSX STIG (photo credit: @_stump)

There are a lot of abbreviations in this title, so I will give a very brief rundown on what it all means and why some of you should care.

In the public sector, our systems are hardened (locked down) a bit more drastically than your traditional private company might do things. Simply deploying a fresh copy of Windows from ISO is prohibited unless strictly spelled out in your lab environment. The governing body that regulates these mandatory compliance settings is known as the Defense Information Systems Agency, or DISA for short. They work closely with the product teams to ensure that when a given product is deployed onto a network, it is as secure as possible while still maintaining functionality. These guides are known as STIGs, or Security Technical Implementation Guides.

With DISA approving the NSX STIGs, VMware’s NSX becomes the first software-defined networking solution to do so.

Now, as anyone who has deployed STIGs knows, sometimes the settings within them have a tendency to break previous functionality. With that said, take your time, test everything as you implement, and don’t be afraid to take note of any exemptions your project may need to adjust. Work closely with your ISSOs and document everything up front, as it will save you pain as you go along.

Here are links to the direct zips for the STIGs above:

VMware NSX STIG Overview, Version 1
VMware NSX Manager STIG, Version 1
VMware NSX Distributed Firewall STIG, Version 1
VMware NSX Distributed Logical Router STIG, Version 1

VMware Cloud Foundation – At a glance

Today was the first day of VMworld 2016 in Las Vegas, and within the first of two General Sessions at the conference, VMware announced a new product dubbed Cloud Foundation. Cloud Foundation is a full-stack integrated solution that will allow for a seamless transition of your enterprise to utilizing private and public clouds, all in an automated, easily managed solution.

Here is what you need to know about it:

• Integrates vSphere, NSX, and VSAN into a unified stack managed by a new tool called SDDC Manager
• SDDC Manager automates and simplifies the deployment of the entire stack
• SDDC Manager does NOT take the place of vCenter
• Cloud Foundation minimum requirement is 8 nodes as of writing (min. 4 nodes coming soon)
• 1 vCenter per SDDC Manager
• SDDC Manager can manage up to 192 nodes
• vRA does not come with Cloud Foundation but can be used in conjunction with vCF (SDDC Manager handles the underlying infrastructure, vRA handles VMs)
• vCF, via NSX extensibility, allows for seamless migration between private and public clouds
• As of writing, IBM SoftLayer is the only public cloud supported (obviously, Azure and AWS are en route) and VCE VxRack 1000 is the only full-rack supported solution
• Cisco and Arista are your supported ToR and spine network solutions for the time being
• vCF supports VSAN Ready Nodes (8 of them minimum) as well
• Licensing is per CPU
• GA is September 1, 2016

There ya have it, the quick and dirty rundown of what vCF brings to the table. VMware has teased this type of solution before with EVO SDDC, which is being retired as of September 1 in favor of vCF. vCF brings more IP to the table and is what EVO SDDC should have been when first announced.

Fixing crashed alerts service in Nutanix Prism

This week I ran across this issue randomly when I went to resolve some alerts through a STIG-applied version of IE11. Prism itself was fully functional with the exception of any place where ‘Alerts’ would appear, where I was met with an alert manager error (screenshot in the original post).

In order to properly troubleshoot, I SSH’d into a CVM and ran ‘cluster status’ to verify all components were up on each CVM… when I found they were, it was log parsing time. Thankfully Nutanix has an awesome log system in place to troubleshoot things like this. All logs are kept in /home/nutanix/data/logs and are organized in such a way that it makes it very easy to sift through what you need. Each major component has an INFO, WARNING, ERROR, and FATAL log to expedite the hunt.

With this issue, I knew the problem was with the alert_manager since that was the component not functioning properly in Prism. I changed directories, grep’d the alert_manager files, and then tail’d the alert_manager.FATAL log.

The FATAL log only contained 1 line:

This verified that the alert_manager had crashed, and since the last thing I did was try to clear an alert, it made sense to manually clear the alerts from SSH and restart the service.

Close and re-open your flavor of browser, re-login to Prism, and you should see that your Alerts are now empty but displaying information properly.